- 19:36 -!- mode/#htc-evo-3d [+m] by eyeballer
- 19:36 <@eyeballer> go agrabren :)
- 19:37 <@agrabren> Ok, so let me start with an off-topic.
- 19:37 <@agrabren> I'm actually in a call right now for work, which is why I can be sitting at my computer instead of cleaning the mess that is my downstairs.
- 19:37 <@agrabren> So I'm leaning on some team members of #teamwin to help me out here.
- 19:37 <@agrabren> So there are a couple of big questions, and sadly, a few we can't answer yet.
- 19:38 <@agrabren> (and I give up getting Empathy to record this) :)
- 19:39 <@agrabren> Getting some info real quick. ;)
- 19:39 <@hkrs_n_blow> Yea, if you need me... you know where to find me. :P
- 19:40 <@agrabren> Ok, so let's start with the known crap. :)
- 19:40 <@agrabren> Yes, I called it fre3vo. In tribute to Shift. ;)
- 19:41 <@agrabren> It utilizes a hole we found in the software on the EVO 3D.
- 19:41 <@agrabren> The reason we're being so secretive about the hole is because we don't want forced OTAs to close it.
- 19:41 <@agrabren> It's a serious security vulnerability, beyond the scope of getting root.
- 19:42 <@agrabren> As for the "violent" nature of it, we found a hole and tossed in a grenade.
- 19:42 <@agrabren> Blew my phone to shit. :)
- 19:42 <@agrabren> But in blowing it to shit, we confirmed that we had, in fact, found a way in that we could exploit.
- 19:43 <@agrabren> After a factory reset of the device (I managed to get Android to only mount /data as ro. Let me tell you, this *will* fuck you up)
- 19:43 <@agrabren> We stepped back into the hole with flashlights.
- 19:44 <@agrabren> After a lot of snooping around inside the guts, I found a way to get adbd to run as root.
- 19:44 <@agrabren> What devices will this work on? Well, the EVO 3D. :) We believe it will work on the Sensation 4G.
- 19:44 <@agrabren> I don't believe this particular hole will work on the old sense 1.0 devices.
- 19:47 <@agrabren> Is this specific to android or could it be used on generic linux os's? We can't answer this question at this time.
- 19:47 <@joshua_> agrabren, evening! I heard you've got something exciting. If this could apply to many phones, please let us know before you ship it? We have exciting stuff for you too, perhaps.
- 19:47 <@agrabren> The reason we can't answer is we really want everyone to be able to take advantage of the hole, instead of it being patched.
- 19:47 <@agrabren> We're talking days at most.
- 19:48 <@agrabren> The topic in this channel is wrong. ;)
- 19:49 <@agrabren> It should apply to some other devices, but there will be work on a device-by-device basis.
- 19:49 <@eyeballer> i know.. i want porn too
- 19:49 <@eyeballer> >_>
- 19:49 <@agrabren> We don't know exactly how similar the devices are in the software, so we don't know if the internal offsets are different.
- 19:51 <@agrabren> We are using a smart algorithm for protecting the devices from things going wrong. It only exploits if everything checks out.
- 19:51 <+jcase> agrabren, congrats, have you tried contacting kmdm/IEF? I know they have a nice package system done already (with unrevoke)
- 19:51 <+jcase> to attempt to hide what is going on
- 19:52 <@joshua_> yes, again, please let me or any of the other unrevoked guys know... we've some good anti-static analysis stuff
- 19:53 <@agrabren> We haven't talked with anyone about this stuff yet.
- 19:53 <@agrabren> I do actually have a real job, as well as a family. ;)
- 19:54 <@joshua_> (I will be working for your employer on the chip team in just over a week ;) )
- 19:54 <@agrabren> Nice! Congrats! Which location?
- 19:54 <@joshua_> Santa Clara
- 19:55 <@agrabren> Awww. :( I don't get out there much anymore.
- 19:55 <@agrabren> But welcome aboard!
- 19:55 <@agrabren> But nobody came here to talk about NVIDIA. ;)
- 19:55 <@joshua_> yes ;)
- 19:55 <@myndwire> hehe
- 19:55 <@agrabren> So, let's go ahead with questions...
- 19:55 <@joshua_> Hmm. freenode has a "moderated forum" mode
- 19:55 <@onicrom> does that mean -m?
- 19:55 <@joshua_> should we enable that?
- 19:55 <+momentdroid> i'll ask the question basically everyone wants to hear, eta? lol
- 19:55 <@joshua_> lemme look up the mode
- 19:56 <@agrabren> The ETA is likely this weekend. Probably late weekend.
- 19:56 <+jcase> +m is moderated
- 19:56 <@eyeballer> that's what we're in
- 19:56 <@joshua_> gimme a sec, I will set forum mode
- 19:57 <@joshua_> Anyone who would like to ask a question can speak, and only ops will hear you.
- 19:57 <+haus|work> Are there any side effects with this one like there was with gingerbreak?
- 19:57 <@onicrom> agrabren: we're going to celebrate independence from htc and the BRITS!?
- 19:57 <@mirk> hmm... s-off is a radio hack that disables the NAND security. The status of this can be seen from the bootloader (boot with volume down held) at the top of the screen.
- 19:57 <@joeykrim> lol wow
- 19:57 <@joshua_> (Ops, please repeat the question.)
- 19:57 <@agrabren> Holy crap. :-)
- 19:57 <@agrabren> Ok, one sec. :)
- 19:58 <@joshua_> ruckus asked what happens if HTC opens it up before we get a chance to release. Obviously we'll see how their strategy works and decide then :)
- 19:58 <@onicrom> let's give time to answer the questions asked
- 19:58 <@agrabren> Will this exploit cause damage: No. I don't like dangerous.
- 19:58 <@joshua_> (I shouldn't say "we", because agrabren's the one with the sploit, to do with as he likes ;) )
- 19:58 <@agrabren> Currently, we're looking for a way to make root sticky.
- 19:58 <@agrabren> If HTC opens up the device, they open up the device. :)
- 19:59 <@onicrom> < ax0r-3D> Is the method through adb, or will it be some sort of script?
- 19:59 <+OtisFeelgood> o_0
- 19:59 <@onicrom> < Berger_> I am very curious if you guy actually found a hole in the Linux Kernel?
- 19:59 <@onicrom> < jka3588> will this be an exe file or something we can run via ADB?
- 19:59 <@onicrom> < wake69_> will this have s-off?
- 20:00 <@agrabren> It involves using adb and some software installed on the phone itself.
- 20:00 <@agrabren> We are making no comments on whether this is a ROM or Kernel exploit.
- 20:00 <@joshua_> (We'd be happy to work with you to package up a 'one-click' on the desktop.)
- 20:00 <@onicrom> agrabren: lemme know when you want to reopen for qs
- 20:00 <@agrabren> (I'm scared of reopening it, my screen went nuts with scrolls)
- 20:00 <+OtisFeelgood> 414 ppl in here....damn
- 20:01 <@agrabren> Ok, another good question came in (but please stop PMing me, I can't catch them all)
- 20:01 <@joshua_> With regards to S-OFF: I suspect (but don't know for sure -- agrabren can answer for sure) that this exploit will not get us S-OFF yet.
- 20:01 <@agrabren> Can this exploit be reversed? Because we're only talking temp-root, it is reverted on reboot.
- 20:01 <@agrabren> When we get to perm root, that will also be reversible.
- 20:02 <@agrabren> Shinzul is the man in charge of S-OFF right now.
- 20:02 <@agrabren> My next work is to help unlock the device.
- 20:02 <@agrabren> One sec.
- 20:04 <@agrabren> Ok, next question? (sorry, I'm in a call too)
- 20:04 <@joshua_> I'm going to open it up for questions again briefly.
- 20:05 <@agrabren> We don't believe it will work on the EVO 4G.
- 20:05 <@eyeballer> i think ZanzDroid confirmed that it doesn't but i'm not 100% sure
- 20:05 <@eyeballer> he might chime in if he's still around
- 20:06 <@agrabren> The exploit will be first sent to the vendors involved for them to fix before the rest of the world.
- 20:07 <@agrabren> Sensation 4G: We believe it will work there. I need a person in North Austin willing to help with this, since I don't have one.
- 20:07 <@agrabren> Otherwise, it will happen after the EVO 3D one comes out.
- 20:07 <@joshua_> IEF and kmdm will be happy to provide you with a shell, probably.
- 20:08 <@agrabren> Any platform that supports adb will work.
- 20:08 <@agrabren> Unless someone knows of an adb client for android. ;)
- 20:08 <@agrabren> I'm going to hand the answering over to joshua_ for a moment. ;)
- 20:08 <@joshua_> Sure.
- 20:09 <@joshua_> Let me read up what yinz have got to say.
- 20:09 <@agrabren> He can explain, likely better than I, about the difference between root, s-off, recoveries, etc...
- 20:09 <@joshua_> will it be published: That's up to agrabren; looks like he intends to publish, yes.
- 20:09 <@joshua_> different versions of hardware: I don't know for sure, but it's usually too early by now.
- 20:09 <@joshua_> hboot: This is soft root and does not require hboot yet.
- 20:10 <@agrabren> Joshua, I was looking for you to field all the questions on s-off, and what nand-locked devices are like. :)
- 20:10 <@agrabren> Short of "where are we at for s-off".
- 20:10 <@joshua_> Sure. This device is eMMC, and also has a signed bootloader. This means that S-OFF is a ways further out than just soft root.
- 20:11 <@joshua_> I can answer from my experience working closely with the AlphaRev X team that S-OFF on Sensation is going to be harder than previous devices we've worked with.
- 20:11 <@joshua_> I think EVO 3D is very similar to Sensation, so I suspect the same to be true there.
- 20:11 <@joshua_> Someone asked me what eMMC is: Older phones (EVO 4G) are based on NAND flash; eMMC is a different type of flash.
- 20:12 <@joshua_> eMMC has different types of write protection that we haven't worked with before.
- 20:12 <@agrabren> And we plan to work together to solve some of these issues. :)
- 20:13 <@joshua_> Someone mentioned WPthis: The bug that WPthis exploits has been closed after the Desire Z.
- 20:14 <+jcase> wpthis was closed i believe jan10th
- 20:14 <@joshua_> (We've all been working pretty closely on this, including scotty.)
- 20:14 <@agrabren> you think this particular exploit will eventually lead to s-off, or is it too early to tell?
- 20:14 <@agrabren> (Sending this one to joshua_)
- 20:15 <@joshua_> agrabren, the AlphaRevX exploit requires userspace root, and that was one of the big things holding it back on gbread
- 20:15 <@agrabren> (that was someone else's question) :)
- 20:15 <@joshua_> so I guess the short answer is "yes, this will pave the way, but no guarantees"
- 20:16 <@joshua_> "it doesn't directly make it possible, but it makes it not impossible" :)
- 20:16 <@joshua_> I'll open the floor up for more questions in a moment. Please try to keep them related.
- 20:16 <@agrabren> Eyeballer: Please field the often question: Can we be beta testers, how do we join #teamwin?
- 20:16 <@eyeballer> agrabren: seems to be the question of the day =P
- 20:17 <@joshua_> Someone asked whether you can flash the ENG hboot with temp root: everyone will be investigating that in the days to come.
- 20:18 <@eyeballer> #teamwin was formed back when shinzul and toastcfh were working on reverse engineering wimax from sense to aosp .. since then we've built up a pretty comprehensive group of people with a range of talents.. at this time we're pretty close and closed..
- 20:18 <@mirk> Regulator: don't mention it
- 20:18 <@agrabren> (I'm off my call)
- 20:18 <@eyeballer> we believe in close controlled testing and then wipe public release so we'll probably follow a similar method here
- 20:18 <@agrabren> The exploit will come, with or without more stuff.
- 20:19 <@joshua_> dragonfyre13 asked a good question: should other people working on developing exploits continue? The answer is 'absolutely' -- we will need them some day (well, hopefully not, but...).
- 20:19 <@agrabren> As for continuing looking for holes: You're welcome to, but this has no real damage to anything else on the phone.
- 20:20 <@joshua_> Someone suggested trying to trade the exploit with HTC: that's called extortion, and is bad for the community as a whole. Everyone obviously would love to work with HTC to build a platform to develop on, but bargaining with exploits is not how to do it.
- 20:21 <@agrabren> If I reboot, what happens: Well, right now, it's temp root and it's gone. We're hoping by this weekend to have it sticky, and running Titanium Backup
- 20:21 <@agrabren> Any changes to /system at this time will definitely revert.
- 20:21 <@agrabren> News on the new recovery: Wrong discussion. :-D
- 20:21 <@agrabren> I'm not at liberty to reveal the work of other TeamWin developers. ;)
- 20:22 <@joshua_> It's very possible that it could be packed up in a one-click root-on-boot, like the original unrevoked.
- 20:22 <@agrabren> Joshua: what's the difference between unlocked and s-off?
- 20:22 <@joshua_> S-OFF, unlocked, etc are fuzzy terms, especially now that we are on eMMC.
- 20:23 <@joshua_> S-OFF used to refer to a specific configuration in which the radio told hboot that it was "OK" to flash anything it wanted, essentially.
- 20:23 <@joshua_> (It also would refer to an ENG hboot.)
- 20:23 <@joshua_> On eMMC, that state no longer exists.
- 20:23 <@agrabren> OTA: Risky. Until we crack the nand lock and get S-OFF, it's possible for HTC to make things different or harder with a new HBOOT.
- 20:24 <@joshua_> unlocked is not really a term that applies to CDMA phones; in general, it refers to the ability to put a SIM card from a different carrier into your phone. the "NAND lock", or write protection, or anything like that does apply, and refers to being able to write /system
- 20:24 <@joshua_> (I think that's needed for Cyanogen.)
- 20:24 <@agrabren> LOL: And for the flowers...
- 20:24 <@agrabren> Umm... It was more a joke than anything else. The cats eat the flowers.
- 20:25 <@joshua_> (and then throw up all over the floor, I'd bet!)
- 20:25 <@agrabren> My wife is a bit upset, as I've been glued to my phone and computer for 3 days now.
- 20:25 <@agrabren> Exactly.
- 20:25 <@agrabren> Fun note: I didn't *start* this work until this week. I was on a beautiful vacation in the South Padre Islands last week when I got my phone.
- 20:25 <@agrabren> So it didn't even take us a week. :-D
- 20:26 <@joshua_> (past performance does not guarantee future results: the next exploit may take a lot longer!)
- 20:26 <@eyeballer> [23:26:28] <lowetax> any malware concerns with this hole?
- 20:26 <@joshua_> Yes.
- 20:27 <@agrabren> Yes. Any security hole that gives a user elevated permissions is a malware concern.
- 20:27 <@ariel_> you said you get system access then it reverts on reboot, this is just the root access; if you deposit a new file in there does it stick or does the eMMC erase the file?
- 20:27 <@eyeballer> oblivion2k> will we lose radio, wimax, hboot, etc with this root method?
- 20:27 <@eyeballer> with just temp root, no
- 20:28 <@eyeballer> unless you try to mess with those things yourself
- 20:28 <@joshua_> agrabren, By the way, traditionally, unrevoked's policy is to report to vendors holes that appear to be 'intentional' (see skyagent), but to package and protect vulnerabilities like that the best we can.
- 20:29 <@agrabren> This was a non-intentional hole.
- 20:29 <@joshua_> Yeah. Traditionally, unrevoked just packs and protects that sort of thing until someone finally reverses them.
- 20:30 <@joshua_> We'd love to be able to do the responsible disclosure thing, but this is an arms race...
- 20:30 <@zule> htc created the arms race, we just fight fair
- 20:30 <@joshua_> (on the 'really bad' things, we do indeed do responsible disclosure instead)
- 20:31 <@agrabren> Ok, I'm getting serious wife aggro...
- 20:31 <@agrabren> So if I don't go clean up my mess downstairs, I'll be sleeping outside. And my computer is *not* outside. ;)
- 20:31 <@agrabren> Hopefully, we've answered the majority of questions people keep asking.
- 20:32 <@joshua_> Please don't ask for more details beyond what agrabren's provided so far.
- 20:32 <@joshua_> I'm going to open the channel up again in a moment. any last thoughts?
- 20:32 <@agrabren> We promise, info will be flowing. :) But we wanted to let people know, it has happened.
- 20:33 <@agrabren> Thanks for everyone's time, and making me feel special. :)
- 20:33 <@mirk> no worries, agrabren
- 20:33 <@joshua_> haha stupid fucking bot
- 20:33 <@agrabren> I appreciate all the positive responses we've gotten! #teamwin!!!
- 20:33 <@joeykrim> :)
- 20:34 * eyeballer braces