19:36 -!- mode/#htc-evo-3d [+m] by eyeballer
19:36 <@eyeballer> go agrabren :)
19:37 <@agrabren> Ok, so let me start with an off-topic.
19:37 <@agrabren> I'm actually in a call right now for work, which is why I can be sitting at my computer instead of cleaning the mess that is my downstairs.
19:37 <@agrabren> So I'm leaning on some team members of #teamwin to help me out here.
19:37 <@agrabren> So there are a couple of big questions, and sadly, a few we can't answer yet.
19:38 <@agrabren> (and I give up getting Empathy to record this) :)
19:39 <@agrabren> Getting some info real quick. ;)
19:39 <@hkrs_n_blow> Yea, if you need me... you know where to find me. :P
19:40 <@agrabren> Ok, so let's start with the known crap. :)
19:40 <@agrabren> Yes, I called it fre3vo. In tribute to Shift. ;)
19:41 <@agrabren> It utilizes a hole we found in the software on the EVO 3D.
19:41 <@agrabren> The reason we're being so secretive about the hole is because we don't want forced OTAs to close it.
19:41 <@agrabren> It's a serious security vulnerability, beyond the scope of getting root.
19:42 <@agrabren> As for the "violent" nature of it, we found a hole and tossed in a grenade.
19:42 <@agrabren> Blew my phone to shit. :)
19:42 <@agrabren> But in blowing it to shit, we confirmed that we had, in fact, found a way in that we could exploit.
19:43 <@agrabren> After a factory reset of the device (I managed to get Android to only mount /data as ro. Let me tell you, this *will* fuck you up)
19:43 <@agrabren> We stepped back into the hole with flashlights.
19:44 <@agrabren> After a lot of snooping around inside the guts, I found a way to get adbd to run as root.
19:44 <@agrabren> What devices will this work on? Well, the EVO 3D. :) We believe it will work on the Sensation 4G.
19:44 <@agrabren> I don't believe this particular hole will work on the old Sense 1.0 devices.
19:47 <@agrabren> Is this specific to Android or could it be used on generic Linux OSes? We can't answer this question at this time.
19:47 <@joshua_> agrabren, evening! I heard you've got something exciting. If this could apply to many phones, please let us know before you ship it? We have exciting stuff for you too, perhaps.
19:47 <@agrabren> The reason we can't answer is we really want everyone to be able to take advantage of the hole, instead of it being patched.
19:47 <@agrabren> We're talking days at most.
19:48 <@agrabren> The topic in this channel is wrong. ;)
19:49 <@agrabren> It should apply to some other devices, but there will be work on a device-by-device basis.
19:49 <@eyeballer> i know.. i want porn too
19:49 <@eyeballer> >_>
19:49 <@agrabren> We don't know exactly how similar the devices are in the software, so we don't know if the internal offsets are different.
19:51 <@agrabren> We are using a smart algorithm for protecting the devices from things going wrong. It only exploits if everything checks out.
19:51 <+jcase> agrabren, congrats, have you tried contacting kmdm/IEF? I know they have a nice package system done already (with unrevoked)
19:51 <+jcase> to attempt to hide what is going on
19:52 <@joshua_> yes, again, please let me or any of the other unrevoked guys know... we've some good anti-static-analysis stuff
19:53 <@agrabren> We haven't talked with anyone about this stuff yet.
19:53 <@agrabren> I do actually have a real job, as well as a family. ;)
19:54 <@joshua_> (I will be working for your employer on the chip team in just over a week ;) )
19:54 <@agrabren> Nice! Congrats! Which location?
19:54 <@joshua_> Santa Clara
19:55 <@agrabren> Awww. :( I don't get out there much anymore.
19:55 <@agrabren> But welcome aboard!
19:55 <@agrabren> But nobody came here to talk about NVIDIA. ;)
19:55 <@joshua_> yes ;)
19:55 <@myndwire> hehe
19:55 <@agrabren> So, let's go ahead with questions...
19:55 <@joshua_> Hmm. freenode has a "moderated forum" mode
19:55 <@onicrom> does that mean -m?
19:55 <@joshua_> should we enable that?
19:55 <+momentdroid> i'll ask the question basically everyone wants to hear, eta? lol
19:55 <@joshua_> lemme look up the mode
19:56 <@agrabren> The ETA is likely this weekend. Probably late weekend.
19:56 <+jcase> +m is moderated
19:56 <@eyeballer> that's what we're in
19:56 <@joshua_> gimme a sec, I will set forum mode
19:57 <@joshua_> Anyone who would like to ask a question can speak, and only ops will hear you.
19:57 <+haus|work> Are there any side effects with this one like there was with gingerbreak?
19:57 <@onicrom> agrabren: we're going to celebrate independence from htc and the BRITS!?
19:57 <@mirk> hmm... s-off is a radio hack that disables the NAND security. The status of this can be seen from the bootloader (boot with volume down held) at the top of the screen.
19:57 <@joeykrim> lol wow
19:57 <@joshua_> (Ops, please repeat the question.)
19:57 <@agrabren> Holy crap. :-)
19:57 <@agrabren> Ok, one sec. :)
19:58 <@joshua_> ruckus asked what happens if HTC opens it up before we get a chance to release. Obviously we'll see how their strategy works and decide then :)
19:58 <@onicrom> let's give time to answer the questions asked
19:58 <@agrabren> Will this exploit cause damage: No. I don't like dangerous.
19:58 <@joshua_> (I shouldn't say "we", because agrabren's the one with the sploit, to do with as he likes ;) )
19:58 <@agrabren> Currently, we're looking for a way to make root sticky.
19:58 <@agrabren> If HTC opens up the device, they open up the device. :)
19:59 <@onicrom> < ax0r-3D> Is the method through adb, or will it be some sort of script?
19:59 <+OtisFeelgood> o_0
19:59 <@onicrom> < Berger_> I am very curious if you guys actually found a hole in the Linux Kernel?
19:59 <@onicrom> < jka3588> will this be an exe file or something we can run via ADB?
19:59 <@onicrom> < wake69_> will this have s-off?
20:00 <@agrabren> It involves using adb and some software installed on the phone itself.
20:00 <@agrabren> We are making no comments on whether this is a ROM or Kernel exploit.
20:00 <@joshua_> (We'd be happy to work with you to package up a 'one-click' on the desktop.)
20:00 <@onicrom> agrabren: lemme know when you want to reopen for qs
20:00 <@agrabren> (I'm scared of reopening it, my screen went nuts with scrolls)
20:00 <+OtisFeelgood> 414 ppl in here....damn
20:01 <@agrabren> Ok, another good question came in (but please stop PMing me, I can't catch them all)
20:01 <@joshua_> With regards to S-OFF: I suspect (but don't know for sure -- agrabren can answer for sure) that this exploit will not get us S-OFF yet.
20:01 <@agrabren> Can this exploit be reversed? Because we're only talking temp-root, it is reverted on reboot.
20:01 <@agrabren> When we get to perm root, that will also be reversible.
20:02 <@agrabren> Shinzul is the man in charge of S-OFF right now.
20:02 <@agrabren> My next work is to help unlock the device.
20:02 <@agrabren> One sec.
20:04 <@agrabren> Ok, next question? (sorry, I'm in a call too)
20:04 <@joshua_> I'm going to open it up for questions again briefly.
20:05 <@agrabren> We don't believe it will work on the EVO 4G.
20:05 <@eyeballer> i think ZanzDroid confirmed that it doesn't but i'm not 100% sure
20:05 <@eyeballer> he might chime in if he's still around
20:06 <@agrabren> The exploit will be first sent to the vendors involved for them to fix before the rest of the world.
20:07 <@agrabren> Sensation 4G: We believe it will work there. I need a person in North Austin willing to help with this, since I don't have one.
20:07 <@agrabren> Otherwise, it will happen after the EVO 3D one comes out.
20:07 <@joshua_> IEF and kmdm will be happy to provide you with a shell, probably.
20:08 <@agrabren> Any platform that supports adb will work.
20:08 <@agrabren> Unless someone knows of an adb client for Android. ;)
20:08 <@agrabren> I'm going to hand the answering over to joshua_ for a moment. ;)
20:08 <@joshua_> Sure.
20:09 <@joshua_> Let me read up what yinz have got to say.
20:09 <@agrabren> He can explain, likely better than I, about the difference between root, s-off, recoveries, etc...
20:09 <@joshua_> will it be published: That's up to agrabren; looks like he intends to publish, yes.
20:09 <@joshua_> different versions of hardware: I don't know for sure, but it's usually too early by now.
20:09 <@joshua_> hboot: This is soft root and does not require hboot yet.
20:10 <@agrabren> Joshua, I was looking for you to field all the questions on s-off, and what nand-locked devices are like. :)
20:10 <@agrabren> Short of "where are we at for s-off".
20:10 <@joshua_> Sure. This device is eMMC, and also has a signed bootloader. This means that S-OFF is a ways further out than just soft root.
20:11 <@joshua_> I can answer from my experience working closely with the AlphaRev X team that S-OFF on Sensation is going to be harder than previous devices we've worked with.
20:11 <@joshua_> I think EVO 3D is very similar to Sensation, so I suspect the same to be true there.
20:11 <@joshua_> Someone asked me what eMMC is: Older phones (EVO 4G) are based on NAND flash; eMMC is a different type of flash.
20:12 <@joshua_> eMMC has different types of write protection that we haven't worked with before.
20:12 <@agrabren> And we plan to work together to solve some of these issues. :)
20:13 <@joshua_> Someone mentioned WPthis: The bug that WPthis exploits has been closed after the Desire Z.
20:14 <+jcase> wpthis was closed i believe jan 10th
20:14 <@joshua_> (We've all been working pretty closely on this, including scotty.)
20:14 <@agrabren> you think this particular exploit will eventually lead to s-off, or is it too early to tell?
20:14 <@agrabren> (Sending this one to joshua_)
20:15 <@joshua_> agrabren, the AlphaRevX exploit requires userspace root, and that was one of the big things holding it back on gbread
20:15 <@agrabren> (that was someone else's question) :)
20:15 <@joshua_> so I guess the short answer is "yes, this will pave the way, but no guarantees"
20:16 <@joshua_> "it doesn't directly make it possible, but it makes it not impossible" :)
20:16 <@joshua_> I'll open the floor up for more questions in a moment. Please try to keep them related.
20:16 <@agrabren> Eyeballer: Please field the often-asked question: Can we be beta testers, how do we join #teamwin?
20:16 <@eyeballer> agrabren: seems to be the question of the day =P
20:17 <@joshua_> Someone asked whether you can flash the ENG hboot with temp root: everyone will be investigating that in the days to come.
20:18 <@eyeballer> #teamwin was formed back when shinzul and toastcfh were working on reverse engineering wimax from sense to aosp .. since then we've built up a pretty comprehensive group of people with a range of talents.. at this time we're pretty close and closed..
20:18 <@mirk> Regulator: you're welcome
20:18 <@agrabren> (I'm off my call)
20:18 <@eyeballer> we believe in close controlled testing and then wide public release so we'll probably follow a similar method here
20:18 <@agrabren> The exploit will come, with or without more stuff.
20:19 <@joshua_> dragonfyre13 asked a good question: should other people working on developing exploits continue? The answer is 'absolutely' -- we will need them some day (well, hopefully not, but...).
20:19 <@agrabren> As for continuing looking for holes: You're welcome to, but this has no real damage to anything else on the phone.
20:20 <@joshua_> Someone suggested trying to trade the exploit with HTC: that's called extortion, and is bad for the community as a whole. Everyone obviously would love to work with HTC to build a platform to develop on, but bargaining with exploits is not how to do it.
20:21 <@agrabren> If I reboot, what happens: Well, right now, it's temp root and it's gone. We're hoping by this weekend to have it sticky, and running Titanium Backup
20:21 <@agrabren> Any changes to /system at this time will definitely revert.
20:21 <@agrabren> News on the new recovery: Wrong discussion. :-D
20:21 <@agrabren> I'm not at liberty to reveal the work of other TeamWin developers. ;)
20:22 <@joshua_> It's very possible that it could be packed up in a one-click root-on-boot, like the original unrevoked.
20:22 <@agrabren> Joshua: what's the difference between unlocked and s-off?
20:22 <@joshua_> S-OFF, unlocked, etc. are fuzzy terms, especially now that we are on eMMC.
20:23 <@joshua_> S-OFF used to refer to a specific configuration in which the radio told hboot that it was "OK" to flash anything it wanted, essentially.
20:23 <@joshua_> (It also would refer to an ENG hboot.)
20:23 <@joshua_> On eMMC, that state no longer exists.
20:23 <@agrabren> OTA: Risky. Until we crack the nand lock and get S-OFF, it's possible for HTC to make things different or harder with a new HBOOT.
20:24 <@joshua_> unlocked is not really a term that applies to CDMA phones; in general, it refers to the ability to put a SIM card from a different carrier into your phone. the "NAND lock", or write protection, or anything like that does apply, and refers to being able to write /system
20:24 <@joshua_> (I think that's needed for Cyanogen.)
20:24 <@agrabren> LOL: And for the flowers...
20:24 <@agrabren> Umm... It was more a joke than anything else. The cats eat the flowers.
20:25 <@joshua_> (and then throw up all over the floor, I'd bet!)
20:25 <@agrabren> My wife is a bit upset, as I've been glued to my phone and computer for 3 days now.
20:25 <@agrabren> Exactly.
20:25 <@agrabren> Fun note: I didn't *start* this work until this week. I was on a beautiful vacation in the South Padre Islands last week when I got my phone.
20:25 <@agrabren> So it didn't even take us a week. :-D
20:26 <@joshua_> (past performance does not guarantee future results: the next exploit may take a lot longer!)
20:26 <@eyeballer> [23:26:28] <lowetax> any malware concerns with this hole ?
20:26 <@joshua_> Yes.
20:27 <@agrabren> Yes. Any security hole that gives a user elevated permissions is a malware concern.
20:27 <@ariel_> you said you get system access then it reverts on reboot, this is just the root access; if you deposit a new file in there does it stick or does the emmc erase the file?
20:27 <@eyeballer> oblivion2k> will we lose radio, wimax, hboot, etc with this root method?
20:27 <@eyeballer> with just temp root, no
20:28 <@eyeballer> unless you try to mess with those things yourself
20:28 <@joshua_> agrabren, By the way, traditionally, unrevoked's policy is to report to vendors holes that appear to be 'intentional' (see skyagent), but to package and protect vulnerabilities like that the best we can.
20:29 <@agrabren> This was a non-intentional hole.
20:29 <@joshua_> Yeah. Traditionally, unrevoked just packs and protects that sort of thing until someone finally reverses them.
20:30 <@joshua_> We'd love to be able to do the responsible disclosure thing, but this is an arms race...
20:30 <@zule> htc created the arms race, we just fight fair
20:30 <@joshua_> (on the 'really bad' things, we do indeed do responsible disclosure instead)
20:31 <@agrabren> Ok, I'm getting serious wife aggro...
20:31 <@agrabren> So if I don't go clean up my mess downstairs, I'll be sleeping outside. And my computer is *not* outside. ;)
20:31 <@agrabren> Hopefully, we've answered the majority of questions people keep asking.
20:32 <@joshua_> Please don't ask for more details beyond what agrabren's provided so far.
20:32 <@joshua_> I'm going to open the channel up again in a moment. any last thoughts?
20:32 <@agrabren> We promise, info will be flowing. :) But we wanted to let people know, it has happened.
20:33 <@agrabren> Thanks for everyone's time, and making me feel special. :)
20:33 <@mirk> no worries, agrabren
20:33 <@joshua_> haha stupid fucking bot
20:33 <@agrabren> I appreciate all the positive responses we've gotten! #teamwin!!!
20:33 <@joeykrim> :)
20:34 * eyeballer braces