Hovatek Forum > DEVELOPMENT > Android

Hisense A5 Pro/Pro CC Bootloader Unlock/Private Key Thread
#1 ahmouse (Junior Member) | 06-08-2021, 06:07 PM

Hello, there is a similar post about unlocking the bootloader on the HLTE203T, however the conclusion was that a different private key was used to lock the bootloader on this phone than most Spreadtrum-based phones. So I would like to make a post where everyone interested can post possible private keys that may work, such as leaked keys, or any other information that could be used to break/bypass the encryption.

Here is a list of information that I would like to find to help unlock this phone:
Ciphertext encrypted with the Hisense private key (from a successful unlock or a leak?)
Hisense public key
The size and padding scheme of the Hisense keys
RSA encryption breaking methods
Whether the key, or any ciphertext from the key, is stored anywhere on the device or in memory

One thing I would like to try is the ROBOT Attack, which is based on Bleichenbacher's Million message attack. Depending on the padding scheme used, we might be able to use this to recover the private key. One thing to note is that this attack will only work if the phone gives us a sign that the padding size is correct, such as having a longer delay to send back the "FAILED" message. (Will require lots of testing)

Feel free to add anything else that may be useful

P.S. I will edit the post below this one with all the information gathered from this thread
#2 ahmouse (Junior Member) | 06-08-2021, 06:10 PM

Solution: Will be posted here once found

I just got an Infinity Box CM2 dongle, so if you find a PAC or FDLs from any phone that's also on the Unisoc Tiger T610 SoC, then be sure to send it to me

Items marked [doesn't work] have been tried and failed
If there's a Big Grin next to an item it partially works/may lead to a full solution

Tested:
VBMeta test key [doesn't work]
FDLs from General Mobile E-Tab 20 [doesn't work]
FDLs from Micromax IN2b [doesn't work]
FDLs from Realme C21Y [doesn't work]

Untested:
FDLs/PAC from any device listed here
https://www.kimovil.com/en/list-smartpho...tiger-t610
This post was last modified: 07-10-2021, 12:16 AM by ahmouse.
#3 X3non (Recognized Contributor) | 07-08-2021, 09:18 PM

(06-08-2021, 06:07 PM)ahmouse ...
P.S. I will edit the post below this one with all the information gathered from this thread

avbtool info_image on your stock vbmeta should give info about the algorithm type, i.e. RSA****
in general, it'll most likely be 4096 or 2048
a little research, though, will tell you how difficult it is to decode an RSA4096 key
the modulus of the RSA key is usually within vbmeta

in general, you might be better off getting another device
This post was last modified: 07-08-2021, 09:19 PM by X3non.
#4 ahmouse (Junior Member) | 08-08-2021, 06:17 AM

(07-08-2021, 09:18 PM)X3non ...
Thank you for the reply, this is one of the few forums where I can get detailed, accurate info from people who know exactly what they're doing!

avbtool reports the algorithm as SHA256_RSA4096, does this mean SHA hashing is used somewhere along with encryption?
If the modulus is in vbmeta, I'm assuming the entire public key is there, right? If so, is there a simple way to find it inside an extracted vbmeta.img?

Also, you're probably right, getting a different phone is probably easier, but I love the challenge of unlocking a never-before-unlocked device
This post was last modified: 08-08-2021, 06:46 AM by ahmouse.
#5 hovatek (Administrator) | 09-08-2021, 04:42 PM

(08-08-2021, 06:17 AM)ahmouse ...

It's the private key (not the public keys in vbmeta) that's the key to unlocking the bootloader with this method. It's down to a leaked engineer BL file or a different exploit. I have a theory but the factory PAC file is required.

Note!
We have a reply schedule for Free Support. Please upgrade to Private Support if you can't wait.
#6 ahmouse (Junior Member) | 09-08-2021, 06:53 PM

(09-08-2021, 04:42 PM)hovatek ...
I see, however I have a (somewhat crazy) plan for the public key, based on https://algorithmsoup.wordpress.com/2019...1-the-hack
With that said, do you know if there is any place to get the public key?

If it was possible to get a PAC file using the CM2, would that work as well? The last person to try the CM2 (timo.helfer) was unable to, but that was back in March, so things may have changed.

I don't wanna leave any stone unturned, I really wanna try to port a custom ROM over and hopefully port the e-ink features as well
#7 hovatek (Administrator) | 10-08-2021, 07:14 PM

(09-08-2021, 06:53 PM)ahmouse ...

CM2 still doesn't work for this model
for public keys, https://www.hovatek.com/forum/thread-32667.html

#8 ahmouse (Junior Member) | 13-08-2021, 07:30 AM

(10-08-2021, 07:14 PM)hovatek ...

EDIT: NEVERMIND! I was able to decode and extract the modulus, and the public exponent is always 65537 in vbmeta public keys, so I was able to generate a proper PEM public key using openssl. I could clean up and release the Python script if you or someone else is curious/wants it

Original post:
Thanks, I was able to extract the public key, however it's encoded in what seems to be an AVB-specific way. Do you know of a way to decode the public keys into a usable format? I've spent hours trying to reverse the encoding, however I've only been able to get the modulus of one key (idk what it's used for, but it's not a partition key). Partition keys are handled differently, unfortunately, so they seem to be much harder to reverse.
This post was last modified: 14-08-2021, 09:34 AM by ahmouse.
#9 hovatek (Administrator) | 14-08-2021, 10:43 AM

(13-08-2021, 07:30 AM)ahmouse ...

That would be nice

#10 ahmouse (Junior Member) | 14-08-2021, 11:41 AM

(14-08-2021, 10:43 AM)hovatek ...

Okay here's the script and a small readme, took me about 8 hours of reading avbtool.py to figure out the key formatting, so I hope someone else here needs it lol. I only tested it with my phone that has a 4096-bit key, but it should work with any size as well. Getting the modulus is a big step for me, now I can get to work achieving the impossible Smile
This post was last modified: 14-08-2021, 11:44 AM by ahmouse.
Attached file: pem_from_vbmeta.zip (2.33 KB)
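Added example (editor's code, not the pem_from_vbmeta.zip attached above and not taken from avbtool): a standalone Python 3.8+ script that does what posts #3 to #10 work out by hand. It parses the 256-byte AvbVBMetaImageHeader, slices the public key out of the auxiliary data block (avbtool stores it as a 4-byte key size, a 4-byte Montgomery helper n0inv, the big-endian modulus and r^2 mod n, with the exponent fixed at 65537), checks those two helpers against the modulus so a mis-sliced blob is caught, writes a PEM that openssl reads, and then verifies the image's own signature with it. That last step is the answer to the SHA256_RSA4096 question in post #4: the name is a signature scheme, not encryption. The bootloader hashes the header plus the auxiliary block with SHA-256 and checks an RSA-4096 PKCS#1 v1.5 signature over that digest, and it accepts the key in the image only if it matches the key it was provisioned with, which is why the public key lets you verify a stock image but not re-sign a modified one (hovatek's point in post #5). Keys for chained partitions live in chain-partition descriptors in the same auxiliary block, in the same encoding, so decode_avb_pubkey applies to them unchanged. The sample image and the 512-bit key it is signed with are constructed here from two published primes so the script runs offline; real keys are 2048 bits or more, and libavb additionally checks that the key size matches the algorithm, which this script does not. The file name vbmeta_pubkey.py is just a suggestion.

```python
"""Extract the public key embedded in a vbmeta image, emit it as PEM and check the
image's own signature with it.  Standard library only (Python 3.8+); the layouts
follow AOSP avbtool.py (AvbVBMetaImageHeader, encode_rsa_key, verify_vbmeta_signature)."""
import base64, hashlib, struct, sys

HEADER_FMT = '!4s2L2QL2Q2Q2Q2Q2QQLL47sx80x'   # AvbVBMetaImageHeader, 256 bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)
HASH_FOR_ALG = {1: 'sha256', 2: 'sha256', 3: 'sha256',   # SHA256_RSA2048/4096/8192
                4: 'sha512', 5: 'sha512', 6: 'sha512'}   # SHA512_RSA2048/4096/8192
DIGEST_INFO = {'sha256': bytes.fromhex('3031300d060960864801650304020105000420'),
               'sha512': bytes.fromhex('3051300d060960864801650304020305000440')}
E = 65537   # avbtool's encode_rsa_key() rejects any other public exponent

def decode_avb_pubkey(blob):
    """Inverse of avbtool encode_rsa_key(): !II (bits, n0inv) | n | r^2 mod n, r = 2^bits."""
    bits, n0inv = struct.unpack('!II', blob[:8])
    k = bits // 8
    n = int.from_bytes(blob[8:8 + k], 'big')
    rr = int.from_bytes(blob[8 + k:8 + 2 * k], 'big')
    # Both helpers are functions of n, so a mismatch means a mis-sliced or corrupt blob.
    if n0inv != (-pow(n, -1, 1 << 32)) % (1 << 32) or rr != pow(1 << bits, 2, n):
        raise ValueError('key blob is internally inconsistent')
    return bits, n

def encode_avb_pubkey(n):
    """Same layout avbtool writes; used here only to build the constructed sample."""
    bits, k = n.bit_length(), n.bit_length() // 8
    return (struct.pack('!II', bits, (-pow(n, -1, 1 << 32)) % (1 << 32))
            + n.to_bytes(k, 'big') + pow(1 << bits, 2, n).to_bytes(k, 'big'))

def _der(tag, body):   # DER TLV, short or long-form length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v):       # INTEGER, with a leading 0x00 when the top bit is set
    b = v.to_bytes((v.bit_length() + 7) // 8, 'big')
    return _der(0x02, b'\x00' + b if b[0] & 0x80 else b)

def rsa_public_key_pem(n, e=E):
    """SubjectPublicKeyInfo for rsaEncryption, i.e. what `openssl rsa -pubin` reads."""
    alg_id = _der(0x30, bytes.fromhex('06092a864886f70d010101') + b'\x05\x00')
    spki = _der(0x30, alg_id + _der(0x03, b'\x00' + _der(0x30, _der_int(n) + _der_int(e))))
    b64 = base64.b64encode(spki).decode()
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n'

def emsa_pkcs1_v15(hash_name, digest, k):
    """RSASSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || digest."""
    t = DIGEST_INFO[hash_name] + digest
    return b'\x00\x01' + b'\xff' * (k - len(t) - 3) + b'\x00' + t

def extract_and_verify(img):
    """Return (pem, ok); the same steps as avbtool verify_vbmeta_signature() and libavb."""
    (magic, _maj, _min, auth_size, aux_size, alg, hash_off, hash_size, sig_off,
     sig_size, pk_off, pk_size) = struct.unpack(HEADER_FMT, img[:HEADER_SIZE])[:12]
    if magic != b'AVB0':
        raise ValueError('not a vbmeta image')
    # hash/signature offsets are relative to the auth block, the key offset to the aux block
    auth, aux = HEADER_SIZE, HEADER_SIZE + auth_size
    bits, n = decode_avb_pubkey(img[aux + pk_off:aux + pk_off + pk_size])
    stored = img[auth + hash_off:auth + hash_off + hash_size]
    sig = int.from_bytes(img[auth + sig_off:auth + sig_off + sig_size], 'big')
    # What is signed: the 256-byte header plus the whole auxiliary block.
    hash_name = HASH_FOR_ALG[alg]
    digest = hashlib.new(hash_name, img[:HEADER_SIZE] + img[aux:aux + aux_size]).digest()
    k = bits // 8   # libavb additionally requires k to match the algorithm's nominal key size
    em = pow(sig, E, n).to_bytes(k, 'big')
    return rsa_public_key_pem(n), digest == stored and em == emsa_pkcs1_v15(hash_name, digest, k)

# Constructed sample key: secp256k1's field prime and 2^256-189 give a 512-bit modulus so
# the sample can be built offline with no key generator.  Real AVB keys are 2048+ bits.
SAMPLE_P, SAMPLE_Q = (1 << 256) - (1 << 32) - 977, (1 << 256) - 189
SAMPLE_N = SAMPLE_P * SAMPLE_Q
SAMPLE_D = pow(E, -1, (SAMPLE_P - 1) * (SAMPLE_Q - 1))

def build_sample_vbmeta(n=SAMPLE_N, d=SAMPLE_D, algorithm=1):
    """Constructed image: key in the aux block, digest + signature in the auth block."""
    hash_name, k = HASH_FOR_ALG[algorithm], n.bit_length() // 8
    dlen = hashlib.new(hash_name).digest_size
    pk = encode_avb_pubkey(n)
    aux = pk + b'\0' * (-len(pk) % 64)              # avbtool pads both blocks to 64 bytes
    auth_size = dlen + k + (-(dlen + k) % 64)
    hdr = struct.pack(HEADER_FMT, b'AVB0', 1, 0, auth_size, len(aux), algorithm,
                      0, dlen, dlen, k, 0, len(pk), 0, 0, len(pk), 0, 0, 0, 0,
                      b'constructed sample, not a device image')
    digest = hashlib.new(hash_name, hdr + aux).digest()
    sig = pow(int.from_bytes(emsa_pkcs1_v15(hash_name, digest, k), 'big'), d, n)
    return hdr + (digest + sig.to_bytes(k, 'big')).ljust(auth_size, b'\0') + aux

if __name__ == '__main__':
    image = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_vbmeta()
    pem, ok = extract_and_verify(image)
    print(pem + ('signature OK' if ok else 'signature INVALID'))
```

Run it as `python3 vbmeta_pubkey.py vbmeta.img` against a dump of the stock partition; with no argument it builds and verifies the constructed sample. The printed PEM can be fed to `openssl rsa -pubin -in key.pem -noout -modulus` to compare the modulus with whatever your own extraction produced. If the stock image verifies, the extraction is right, and the verification also makes the limit concrete: any byte changed in the signed region, or in the signature, fails the check, and only the matching private key can produce a new signature.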