08 Apr

If you own a RAZR HD, RAZR MAXX HD, RAZR M, or Atrix HD, and you've been waiting for the day when sweet bootloader-unlocking goodness arrives, wait no more: Dan Rosenberg has come to the rescue yet again.

Dan just published a tool that will allow you to unlock any of the above-mentioned Moto devices, assuming you have root access on your phone. Just have a working superuser app on your device, download the tool, connect to your PC with USB debugging enabled, and run the included script. From there, follow the instructions.

There are a few catches. First, you must be rooted: some 4.1.2 builds for the supported devices do not yet have a working root method, and if you can't roll back to an older build, you're out of luck for the moment. Second, only these devices will ever be supported, because the tool relies on a vulnerability specific to the Qualcomm (Snapdragon S4) platform these phones share. That means OMAP- and Tegra-powered Motorola phones (e.g. the RAZR / MAXX, Bionic, Atrix, Atrix 2, and any of the QWERTY DROIDs) will never be able to use this same method to unlock their bootloaders, and the RAZR i is also not eligible, as it uses an Intel processor.

Regardless, hats off to Dan for another brilliant exploit, the details of which you can read on VulnFactory.org.

David Ruddock
David's phone is an HTC One. He is an avid writer, and enjoys playing devil's advocate in editorials, imparting a legal perspective on tech news, and reviewing the latest phones and gadgets. He also doesn't usually write such boring sentences.

  • Scott

    I was starting to think this wasn't going to be published :P

  • madmike318

    Still a TON to do before we see ROMs. Too much still happening behind closed doors.

    • Scott

      I'd like to know if the process is reversible.

      • madmike318

        No, it's not. It blows a fuse in the phone. Well, technically yes, you can relock, but you can't undo the blown fuse.

        • Scott

          So you can't undo the blown fuse, but you can relock the bootloader? Is that what you're saying?

          • Michael Pahl

            Yes, to my understanding you can relock even the Dev edition.

          • Scott

            So how do you relock the bootloader? I take it it's not the general "fastboot oem lock" command?

          • http://twitter.com/Telanis_ Telanis

            It should be.

      • madmike318

        In Dan's own words "Much of Qualcomm's security architecture is implemented using QFuses, which are software-programmable fuses that allow one-time configuration of device settings and cryptographic materials such as hashes or keys. Because of their physical nature, once a QFuse has been blown, it is impossible to "unblow" it to revert its original value.

        If the FORCE_TRUSTED_BOOT QFuse is blown, as is the case on all production Motorola devices, each stage of the boot chain is cryptographically verified to ensure only authorized bootloader stages may be run. In particular, the PBL ("Primary Bootloader"), which resides in mask ROM, verifies the integrity of the SBL1 ("Secondary Bootloader") via a SHA1 hash. Each stage of the boot chain verifies the next stage using RSA signatures, until finally Motorola's APPSBL ("Application Secondary Bootloader"), "MBM", is loaded and run."
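The boot chain Dan describes in the quote above, modelled as an added Python example. This is not code from the article, from Dan's write-up or from the unlock tool: it only shows why a blown FORCE_TRUSTED_BOOT fuse makes verification mandatory and permanent. A PBL in ROM checks SBL1 by SHA-1, every later stage checks the RSA signature of its successor, and the fuse object refuses to be cleared once blown. The toy RSA key, the SBL2/SBL3 stage names, the QFuses API and the stage images are all assumptions constructed for the illustration.

```python
"""Model of the trusted boot chain quoted above: PBL (mask ROM) checks SBL1 by
SHA-1, each later stage checks the RSA signature of the next, and all checks are
gated on the FORCE_TRUSTED_BOOT QFuse.  Added example, not code from the article,
Dan Rosenberg's write-up or the unlock tool.  Assumptions: toy RSA key, SBL2/SBL3
stage names, the QFuses API and the constructed stage images."""
import hashlib
from dataclasses import dataclass, field


class QFuseBlownError(Exception):
    """A blown QFuse is physically permanent; trying to revert one is an error."""


class SecureBootError(Exception):
    """A stage refused to hand off to the next one."""


@dataclass
class QFuses:
    """One-time-programmable bits: blowing is allowed, clearing a blown bit is not."""
    bits: dict = field(default_factory=dict)

    def blow(self, name: str) -> None:
        self.bits[name] = True

    def is_blown(self, name: str) -> bool:
        return self.bits.get(name, False)

    def clear(self, name: str) -> None:
        if self.is_blown(name):
            raise QFuseBlownError(f"{name} is blown and cannot be reverted")


# Toy RSA key (assumption: two small primes so the example runs without libraries;
# a real chain uses 2048-bit keys and padded signatures, not textbook RSA).
_P, _Q = 104729, 1299709
RSA_N, RSA_E = _P * _Q, 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))  # private exponent, stays at the OEM


def digest_int(image: bytes) -> int:
    """SHA-256 of the image, reduced so it is a valid textbook-RSA message."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % RSA_N


def oem_sign(image: bytes) -> int:
    """OEM signing step: only the OEM holds _RSA_D."""
    return pow(digest_int(image), _RSA_D, RSA_N)


def rsa_verify(image: bytes, signature: int) -> bool:
    """What a boot stage does for its successor, using only the public key."""
    return pow(signature, RSA_E, RSA_N) == digest_int(image)


@dataclass
class Stage:
    name: str
    image: bytes
    signature: int = 0  # toy RSA signature over the image digest; 0 = unsigned


def boot(fuses: QFuses, pbl_sbl1_hash: bytes, chain: list) -> list:
    """Run PBL -> chain[0] (SBL1) -> ... -> chain[-1] (MBM); return the stages that ran.

    With FORCE_TRUSTED_BOOT blown, PBL compares SBL1 against the SHA-1 it was built
    with and every stage verifies the signature of the next.  With the fuse intact
    (engineering hardware) the same code runs but verifies nothing.
    """
    enforce = fuses.is_blown("FORCE_TRUSTED_BOOT")
    sbl1 = chain[0]
    if enforce and hashlib.sha1(sbl1.image).digest() != pbl_sbl1_hash:
        raise SecureBootError(f"PBL: {sbl1.name} hash mismatch, halting")
    ran = ["PBL", sbl1.name]
    for prev, nxt in zip(chain, chain[1:]):
        if enforce and not rsa_verify(nxt.image, nxt.signature):
            raise SecureBootError(f"{prev.name}: bad signature on {nxt.name}, halting")
        ran.append(nxt.name)
    return ran


def build_signed_chain() -> tuple:
    """Constructed stage images (not real firmware), signed as the OEM would sign them."""
    images = [("SBL1", b"sbl1 v1"), ("SBL2", b"sbl2 v1"),
              ("SBL3", b"sbl3 v1"), ("MBM", b"mbm v1")]
    chain = [Stage(name, img, oem_sign(img)) for name, img in images]
    return hashlib.sha1(images[0][1]).digest(), chain


def _try_boot(fuses: QFuses, pbl_hash: bytes, chain: list):
    try:
        return boot(fuses, pbl_hash, chain)
    except SecureBootError as err:
        return str(err)


def demo() -> dict:
    """Production unit (fuse blown) vs engineering unit (fuse intact), same images."""
    pbl_hash, chain = build_signed_chain()
    production, engineering = QFuses(), QFuses()
    production.blow("FORCE_TRUSTED_BOOT")  # done at the factory, never undone
    # Attacker keeps the genuine signature but swaps the bytes of the last stage.
    patched_mbm = chain[:-1] + [Stage("MBM", b"mbm patched", chain[-1].signature)]
    # Attacker replaces SBL1 itself: caught by the ROM hash check, before any RSA.
    patched_sbl1 = [Stage("SBL1", b"sbl1 patched", chain[0].signature)] + chain[1:]
    results = {
        "genuine": _try_boot(production, pbl_hash, chain),
        "patched_mbm": _try_boot(production, pbl_hash, patched_mbm),
        "patched_sbl1": _try_boot(production, pbl_hash, patched_sbl1),
        "patched_mbm_engineering": _try_boot(engineering, pbl_hash, patched_mbm),
    }
    try:
        production.clear("FORCE_TRUSTED_BOOT")
        results["unblow"] = "cleared"
    except QFuseBlownError as err:
        results["unblow"] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} {outcome}")
```

Running `demo()` shows the asymmetry the quote is getting at: the same patched MBM image boots on an engineering unit whose fuse was never blown, while a production unit halts in SBL3, the stage that verifies MBM, and a patched SBL1 never gets past the ROM hash check at all. The tool's actual vulnerability is not modelled here, only the chain it has to get around.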

  • http://twitter.com/manicsocratic Adan H.

    I don't even have a Snapdragon S4 Moto device and I want to donate to this guy. Just reading the insanity involved in the exploit makes me wonder how he even came up with a way to probe at it in the first place. Moto devices since the Droid X wouldn't have been nearly as fun without some of Dan Rosenberg's contributions. He deserves everyone throwing cash at him for being totally amazing.

  • Tyler

    I used this, worked perfectly: 20 seconds and the bootloader was unlocked.