- (09:36:46 PM) agrabren: Ok, so let me start with an off-topic.
- (09:37:10 PM) agrabren: I'm actually in a call right now for work, which is why I can be sitting at my computer instead of cleaning the mess that is my downstairs.
- (09:37:31 PM) agrabren: So I'm leaning on some team members of #teamwin to help me out here.
- (09:37:40 PM) agrabren: So there are a couple of big questions, and sadly, a few we can't answer yet.
- (09:38:37 PM) agrabren: (and I give up getting Empathy to record this) :)
- (09:39:07 PM) agrabren: Getting some info real quick. ;)
- (09:39:56 PM) agrabren: Ok, so let's start with the known crap. :)
- (09:40:05 PM) agrabren: Yes, I called it fre3vo. In tribute to Shift. ;)
- (09:40:52 PM) agrabren: It utilizes a hole we found in the software on the EVO 3D.
- (09:41:31 PM) agrabren: The reason we're being so secretive about the hole is because we don't want forced OTAs to close it.
- (09:41:41 PM) agrabren: It's a serious security vulnerability, beyond the scope of getting root.
- (09:42:05 PM) agrabren: As for the "violent" nature of it, we found a hole and tossed in a grenade.
- (09:42:09 PM) agrabren: Blew my phone to shit. :)
- (09:42:37 PM) agrabren: But in blowing it to shit, we confirmed that we had, in fact, found a way in that we could exploit.
- (09:43:04 PM) agrabren: After a factory reset of the device (I managed to get Android to only mount /data as ro. Let me tell you, this *will* fuck you up)
- (09:43:16 PM) agrabren: We stepped back into the hole with flashlights.
- (09:43:45 PM) agrabren: After a lot of snooping around inside the guts, I found a way to get adbd to run as root.
- (09:44:11 PM) agrabren: What devices will this work on? Well, the EVO 3D. :) We believe it will work on the Sensation 4G.
- (09:44:23 PM) agrabren: I don't believe this particular hole will work on the old sense 1.0 devices.
- (09:47:04 PM) agrabren: Is this specific to android or could it be used on generic linux os's? We can't answer this question at this time.
- (09:47:34 PM) agrabren: The reason we can't answer is we really want everyone to be able to take advantage of the hole, instead of it being patched.
- (09:47:38 PM) agrabren: We're talking days at most.
- (09:48:24 PM) agrabren: The topic in this channel is wrong. ;)
- (09:48:44 PM) agrabren: It should apply to some other devices, but there will be work on a device-by-device basis.
- (09:49:31 PM) agrabren: We don't know exactly how similar the devices are in the software, so we don't know if the internal offsets are different.
- (09:51:12 PM) agrabren: We are using a smart algorithm for protecting the devices from things going wrong. It only exploits if everything checks out.
- (09:51:17 PM) jcase: agrabren, congrats, have you tried contacting kmdm/IEF? I know they have a nice package system done already (with unrevoked)
- (09:51:32 PM) jcase: to attempt to hide what is going on
- (09:52:06 PM) joshua_: yes, again, please let me or any of the other unrevoked guys know... we've some good anti-static analysis stuff
- (09:52:51 PM) agrabren: We haven't talked with anyone about this stuff yet.
- (09:53:22 PM) agrabren: I do actually have a real job, as well as a family. ;)
- (09:53:57 PM) joshua_: (I will be working for your employer on the chip team in just over a week ;) )
- (09:54:26 PM) agrabren: Nice! Congrats! Which location?
- (09:54:32 PM) joshua_: Santa Clara
- (09:54:44 PM) agrabren: Awww. :( I don't get out there much anymore.
- (09:54:56 PM) agrabren: But nobody came here to talk about NVIDIA. ;)
- (09:54:59 PM) joshua_: yes ;)
- (09:55:03 PM) myndwire: hehe
- (09:55:04 PM) agrabren: So, let's go ahead with questions...
- (09:55:34 PM) momentdroid: i'll ask the question basically everyone wants to hear, eta? lol
- (09:55:56 PM) agrabren: The ETA is likely this weekend. Probably late weekend.
- (09:56:49 PM) joshua_: Anyone who would like to ask a question can speak, and only ops will hear you.
- (09:56:59 PM) haus|work: Are there any side effects with this one like there was with gingerbreak?
- (09:56:59 PM) onicrom: agrabren: we're going to celebrate independence from htc and the BRITS!?
- (09:57:01 PM) mirk: hmm... s-off is a radio hack that disables the NAND security. The status of this can be seen from the bootloader (boot with volume down held) at the top of the screen.
- (09:57:05 PM) joeykrim: lol wow
- (09:57:05 PM) joshua_: (Ops, please repeat the question.)
- (09:57:08 PM) agrabren: Holy crap. :-)
- (09:57:33 PM) agrabren: Ok, one sec. :)
- (09:57:58 PM) joshua_: ruckus asked what happens if HTC opens it up before we get a chance to release. Obviously we'll see how their strategy works and decide then :)
- (09:57:59 PM) onicrom: lets give time to answer the questions asked
- (09:58:01 PM) agrabren: Will this exploit cause damage: No. I don't like dangerous.
- (09:58:18 PM) joshua_: (I shouldn't say "we", because agrabren's the one with the sploit, to do with as he likes ;) )
- (09:58:27 PM) agrabren: Currently, we're looking for a way to make root sticky.
- (09:58:37 PM) agrabren: If HTC opens up the device, they open up the device. :)
- (09:59:02 PM) onicrom: < ax0r-3D> Is the method through adb, or will it be some sort of script?
- (09:59:13 PM) OtisFeelgood: o_0
- (09:59:13 PM) onicrom: < Berger_> I am very curious if you guy actually found a hole in the Linux Kernel?
- (09:59:19 PM) onicrom: < jka3588> will this be an exe file or something we can run via ADB?
- (09:59:23 PM) onicrom: < wake69_> will this have s-off?
- (09:59:46 PM) agrabren: It involves using adb and some software installed on the phone itself.
- (09:59:59 PM) agrabren: We are making no comments on whether this is a ROM or Kernel exploit.
- (10:00:05 PM) joshua_: (We'd be happy to work with you to package up a 'one-click' on the desktop.)
- (10:00:09 PM) onicrom: agrabren: lemme know when you want to reopen for qs
- (10:00:34 PM) agrabren: (I'm scared of reopening it, my screen went nuts with scrolls)
- (10:00:35 PM) OtisFeelgood: 414 ppl in here....damn
- (10:00:59 PM) agrabren: Ok, another good question came in (but please stop PMing me, I can't catch them all)
- (10:01:07 PM) joshua_: With regards to S-OFF: I suspect (but don't know for sure -- agrabren can answer for sure) that this exploit will not get us S-OFF yet.
- (10:01:25 PM) agrabren: Can this exploit be reversed? Because we're only talking temp-root, it is reverted on reboot.
- (10:01:38 PM) agrabren: When we get to perm root, that will also be reversible.
- (10:01:48 PM) agrabren: Shinzul is the man in charge of S-OFF right now.
- (10:02:00 PM) agrabren: My next work is to help unlock the device.
- (10:02:13 PM) agrabren: One sec.
- (10:03:59 PM) agrabren: Ok, next question? (sorry, I'm in a call too)
- (10:04:06 PM) joshua_: I'm going to open it up for questions again briefly.
- (10:04:47 PM) agrabren: We don't believe it will work on the EVO 4G.
- (10:05:10 PM) eyeballer: i think ZanzDroid confirmed that it doesn't but i'm not 100% sure
- (10:05:25 PM) eyeballer: he might chime in if he's still around
- (10:05:43 PM) agrabren: The exploit will be first sent to the vendors involved for them to fix before the rest of the world.
- (10:06:51 PM) agrabren: Sensation 4G: We believe it will work there. I need a person in North Austin willing to help with this, since I don't have one.
- (10:07:00 PM) agrabren: Otherwise, it will happen after the EVO 3D one comes out.
- (10:07:24 PM) joshua_: IEF and kmdm will be happy to provide you with a shell, probably.
- (10:07:52 PM) agrabren: Any platform that supports adb will work.
- (10:07:59 PM) agrabren: Unless someone knows of an adb client for android. ;)
- (10:08:37 PM) agrabren: I'm going to hand the answering over to joshua_ for a moment. ;)
- (10:08:42 PM) joshua_: Sure.
- (10:08:48 PM) joshua_: Let me read up what yinz have got to say.
- (10:09:01 PM) agrabren: He can explain, likely better than I, about the difference between root, s-off, recoveries, etc...
- (10:09:09 PM) joshua_: will it be published: That's up to agrabren; looks like he intends to publish, yes.
- (10:09:24 PM) joshua_: different versions of hardware: I don't know for sure, but it's usually too early by now.
- (10:09:37 PM) joshua_: hboot: This is soft root and does not require hboot yet.
- (10:09:50 PM) agrabren: Joshua, I was looking for you to field all the questions on s-off, and what nand-locked devices are like. :)
- (10:10:08 PM) agrabren: Short of "where are we at for s-off".
- (10:10:24 PM) joshua_: Sure. This device is eMMC, and also has a signed bootloader. This means that S-OFF is a ways further out than just soft root.
- (10:10:52 PM) joshua_: I can answer from my experience working closely with the AlphaRev X team that S-OFF on Sensation is going to be harder than previous devices we've worked with.
- (10:11:04 PM) joshua_: I think EVO 3D is very similar to Sensation, so I suspect the same to be true there.
- (10:11:36 PM) joshua_: Someone asked me what eMMC is: Older phones (EVO 4G) are based on NAND flash; eMMC is a different type of flash.
- (10:11:54 PM) joshua_: eMMC has different types of write protection that we haven't worked with before.
- (10:12:20 PM) agrabren: And we plan to work together to solve some of these issues. :)
- (10:13:36 PM) joshua_: Someone mentioned WPthis: The bug that WPthis exploits has been closed after the Desire Z.
- (10:13:56 PM) jcase: wpthis was closed i believe jan10th
- (10:14:05 PM) joshua_: (We've all been working pretty closely on this, including scotty.)
- (10:14:26 PM) agrabren: you think this particular exploit will eventually lead to s-off, or is it too early to tell?
- (10:14:34 PM) agrabren: (Sending this one to joshua_)
- (10:14:52 PM) joshua_: agrabren, the AlphaRevX exploit requires userspace root, and that was one of the big things holding it back on gbread
- (10:15:14 PM) agrabren: (that was someone else's question) :)
- (10:15:36 PM) joshua_: so I guess the short answer is "yes, this will pave the way, but no guarantees"
- (10:15:47 PM) joshua_: "it doesn't directly make it possible, but it makes it not impossible" :)
- (10:15:57 PM) joshua_: I'll open the floor up for more questions in a moment. Please try to keep them related.
- (10:15:58 PM) agrabren: Eyeballer: Please field the often question: Can we be beta testers, how do we join #teamwin?
- (10:16:17 PM) eyeballer: agrabren: seems to be the question of the day =P
- (10:16:44 PM) joshua_: Someone asked whether you can flash the ENG hboot with temp root: everyone will be investigating that in the days to come.
- (10:17:51 PM) eyeballer: #teamwin was formed back when shinzul and toastcfh were working on reverse engineering wimax from sense to aosp .. since then we've built up a pretty comprehensive group of people with a range of talents.. at this time we're pretty close and closed..
- (10:18:22 PM) agrabren: (I'm off my call)
- (10:18:34 PM) eyeballer: we believe in close controlled testing and then will public release so we'll probably follow a similar method here
- (10:18:36 PM) agrabren: The exploit will come, with or without more stuff.
- (10:19:16 PM) joshua_: dragonfyre13 asked a good question: should other people working on developing exploits continue? The answer is 'absolutely' -- we will need them some day (well, hopefully not, but...).
- (10:19:22 PM) agrabren: As for continuing looking for holes: You're welcome to, but this has no real damage to anything else on the phone.
- (10:20:23 PM) joshua_: Someone suggested trying to trade the exploit with HTC: that's called extortion, and is bad for the community as a whole. Everyone obviously would love to work with HTC to build a platform to develop on, but bargaining with exploits is not how to do it.
- (10:20:54 PM) agrabren: If I reboot, what happens: Well, right now, it's temp root and it's gone. We're hoping by this weekend to have it sticky, and running Titanium Backup
- (10:21:06 PM) agrabren: Any changes to /system at this time will definitely revert.
- (10:21:23 PM) agrabren: News on the new recovery: Wrong discussion. :-D
- (10:21:36 PM) agrabren: I'm not at liberty to reveal the work of other TeamWin developers. ;)
- (10:21:53 PM) joshua_: It's very possible that it could be packed up in a one-click root-on-boot, like the original unrevoked.
- (10:21:58 PM) agrabren: Joshua: whats the difference between unlocked and s-off?
- (10:22:29 PM) joshua_: S-OFF, unlocked, etc are fuzzy terms, especially now that we are on eMMC.
- (10:22:44 PM) joshua_: S-OFF used to refer to a specific configuration in which the radio told hboot that it was "OK" to flash anything it wanted, essentially.
- (10:22:49 PM) joshua_: (It also would refer to an ENG hboot.)
- (10:22:56 PM) joshua_: On eMMC, that state no longer exists.
- (10:22:59 PM) agrabren: OTA: Risky. Until we crack the nand lock and get S-OFF, it's possible for HTC to make things different or harder with a new HBOOT.
- (10:24:01 PM) joshua_: unlocked is not really a term that applies to CDMA phones; in general, it refers to the ability to put a SIM card from a different carrier into your phone. the "NAND lock", or write protection, or anything like that does apply, and refers to being able to write /system
- (10:24:07 PM) joshua_: (I think that's needed for Cyanogen.)
- (10:24:27 PM) agrabren: LOL: And for the flowers...
- (10:24:39 PM) agrabren: Umm... It was more a joke than anything else. The cats eat the flowers.
- (10:24:54 PM) joshua_: (and then throw up all over the floor, I'd bet!)
- (10:24:55 PM) agrabren: My wife is a bit upset, as I've been glued to my phone and computer for 3 days now.
- (10:25:01 PM) agrabren: Exactly.
- (10:25:21 PM) agrabren: Fun note: I didn't *start* this work until this week. I was on a beautiful vacation in the South Padre Islands last week when I got my phone.
- (10:25:28 PM) agrabren: So it didn't even take us a week. :-D
- (10:25:45 PM) joshua_: (past performance does not guarantee future results: the next exploit may take a lot longer!)
- (10:25:53 PM) eyeballer: [23:26:28] <lowetax> any malware concerns with this hole ?
- (10:26:01 PM) joshua_: Yes.
- (10:27:10 PM) agrabren: Yes. Any security hole that gives a user elevated permissions is a malware concern.
- (10:27:11 PM) ariel_: you said you get system access, then it reverts on reboot. Is this just the root access? If you deposit a new file in there, does it stick, or does the eMMC erase the file?
- (10:27:22 PM) eyeballer: oblivion2k> will we lose radio, wimax, hboot, etc with this root method?
- (10:27:32 PM) eyeballer: with just temp root, no
- (10:28:06 PM) eyeballer: unless you try to mess with those things yourself
- (10:28:07 PM) joshua_: agrabren, By the way, traditionally, unrevoked's policy is to report to vendors holes that appear to be 'intentional' (see skyagent), but to package and protect vulnerabilities like that the best we can.
- (10:29:00 PM) agrabren: This was a non-intentional hole.
- (10:29:30 PM) joshua_: Yeah. Traditionally, unrevoked just packs and protects that sort of thing until someone finally reverses them.
- (10:29:44 PM) joshua_: We'd love to be able to do the responsible disclosure thing, but this is an arms race...
- (10:29:50 PM) zule: htc created the arms race, we just fight fair
- (10:30:16 PM) joshua_: (on the 'really bad' things, we do indeed do responsible disclosure instead)
- (10:31:06 PM) agrabren: Ok, I'm getting serious wife aggro...
- (10:31:25 PM) agrabren: So if I don't go clean up my mess downstairs, I'll be sleeping outside. And my computer is *not* outside. ;)
- (10:31:41 PM) agrabren: Hopefully, we've answered the majority of questions people keep asking.
- (10:31:58 PM) joshua_: Please don't ask for more details beyond what agrabren's provided so far.
- (10:32:14 PM) joshua_: I'm going to open the channel up again in a moment. any last thoughts?
- (10:32:37 PM) agrabren: We promise, info will be flowing. :) But we wanted to let people know, it has happened.
- (10:32:48 PM) agrabren: Thanks for everyone's time, and making me feel special. :)
- (10:33:06 PM) agrabren: I appreciate all the positive responses we've gotten! #teamwin!!!