
I am just getting into custom firmware and rooting phones.

I have a phone that appears to be unrootable for whatever reason due to a locked bootloader. The private key was never released and we only have access to the public key.

In order to flash (install) the firmware, the verity keys have to match, and a failure to match them results in a failed install.

Stock or factory editions have the correct public key and boot image, or recovery image, or OS image. Can this checksum-based verification image be copied and replace the signature image of a custom operating system image?

This would hopefully result in being able to trick the device into thinking it is installing factory firmware.

Or can I change the permanent file on the device itself to make the security checks go away? Like when, on the internet, it sometimes says "security certificate untrusted, proceed anyway".

Could we make the bootloader have like a one-time exemption click to allow non-verified image files to be uploaded?

hft
  • Sometimes you get better results if you just ask one question at a time. Easier for people to parse and give feedback. – hft Sep 06 '18 at 23:42

2 Answers


Android devices with locked bootloaders and production-mode ROMs have no such capabilities. Your first proposal, cloning the checksum, would not work, as the code-signing identity is verified by the device before flashing or booting when the bootloader is locked. This is done in an effort to harden the devices against attackers and is an important part of any consumer product.

Depending on your device's firmware, there may be publicly known exploits that can gain you root; however, you'd have to craft the payloads yourself.

Allison

If the bootloader doesn't support unlocking, there's no way to flash custom images. Every partition is verified by Android Verified Boot. The verification data is stored in the /vbmeta partition.

If you forcefully flash the partition, the root hash of its hashtree will not match the one stored in vbmeta. Erasing vbmeta will brick the device. Modifying root hashes in vbmeta will fail the signature check on vbmeta done by the bootloader, which will also brick the device. The signature of vbmeta is stored in the vbmeta image.

vbmeta is verified by a public OEM key hardcoded in the bootloader, and the bootloader is protected by the SoC's secure boot. Secure boot in production SoCs is permanently enabled by blowing an eFuse on the board, which is not reversible.


[Image: Android verified boot within the boot sequence]

See also: If /system partition is never encrypted (even in "full-disk" encryption), how is it protected?

defalt
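Added example (not code from the page, from libavb, or from either answer): the verification chain defalt describes, and the reason Allison gives for why "cloning the checksum" cannot work, reduced to a runnable Python model. It builds a dm-verity style hashtree over a constructed partition image, puts the root digest in a vbmeta blob, signs that blob with an OEM private key, and then runs the locked bootloader's checks against the three ideas in the question: flashing a custom image under the stock vbmeta, patching the root hash inside vbmeta, and re-signing vbmeta with a key of your own. Assumptions: the signature is textbook RSA on a SHA-256 digest with fixed toy keys built from Mersenne primes (real AVB uses RSA-2048/4096 with PKCS#1 v1.5 padding), the vbmeta and descriptor are JSON rather than the libavb on-disk format, the hashtree follows dm-verity's block layout but not its exact header, and the images are constructed stand-ins.

```python
"""Toy model of the AVB chain: hashtree -> vbmeta -> OEM signature -> bootloader key."""
import hashlib
import json

BLOCK_SIZE = 4096   # dm-verity data/hash block size
DIGEST_SIZE = 32    # SHA-256

# Stand-in RSA keys (assumption: toy sizes, built from Mersenne primes so no
# prime search is needed; a real OEM key is 2048/4096 bits and never public).
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
OEM_PUB = (65537, _P * _Q)                                  # baked into the bootloader
OEM_PRIV = (pow(65537, -1, (_P - 1) * (_Q - 1)), _P * _Q)   # kept by the OEM
_P2, _Q2 = (1 << 127) - 1, (1 << 1279) - 1
ATTACKER_PUB = (65537, _P2 * _Q2)                           # "my own" key
ATTACKER_PRIV = (pow(65537, -1, (_P2 - 1) * (_Q2 - 1)), _P2 * _Q2)


def rsa_sign(priv, data: bytes) -> bytes:
    """Textbook RSA over SHA-256(data); assumption: no padding, toy only."""
    d, n = priv
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_verify(pub, data: bytes, sig: bytes) -> bool:
    e, n = pub
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == m


def hashtree_root(image: bytes, salt: bytes) -> bytes:
    """Root digest of a dm-verity style hashtree over IMAGE."""
    if not image:
        image = b"\0"
    # Level 0: one salted digest per data block (last block zero-padded).
    level = [hashlib.sha256(salt + image[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")).digest()
             for i in range(0, len(image), BLOCK_SIZE)]
    per_block = BLOCK_SIZE // DIGEST_SIZE
    while len(level) > 1:
        # Pack digests into hash blocks, hash each block, repeat until one root remains.
        level = [hashlib.sha256(salt + b"".join(level[i:i + per_block]).ljust(BLOCK_SIZE, b"\0")).digest()
                 for i in range(0, len(level), per_block)]
    return level[0]


def make_vbmeta(priv, pub, partition: str, image: bytes, salt: bytes) -> bytes:
    """vbmeta blob: signed descriptor (root digest) plus the signer's public key."""
    descriptor = json.dumps({"partition": partition, "size": len(image), "salt": salt.hex(),
                             "root_digest": hashtree_root(image, salt).hex()}, sort_keys=True).encode()
    return json.dumps({"descriptor": descriptor.hex(),
                       "signature": rsa_sign(priv, descriptor).hex(),
                       "public_key": list(pub)}).encode()


def bootloader_verify(hardcoded_pub, vbmeta: bytes, image: bytes) -> str:
    """The locked bootloader's checks, in order; returns 'ok' or the rejection reason."""
    meta = json.loads(vbmeta)
    # 1. The key that signed vbmeta must be the one burned into the bootloader.
    if tuple(meta["public_key"]) != hardcoded_pub:
        return "rejected: vbmeta signed with a key the bootloader does not trust"
    # 2. The signature must cover the descriptor exactly as stored.
    descriptor = bytes.fromhex(meta["descriptor"])
    if not rsa_verify(hardcoded_pub, descriptor, bytes.fromhex(meta["signature"])):
        return "rejected: vbmeta signature invalid (contents were modified)"
    # 3. The partition's hashtree root must equal the signed root digest.
    desc = json.loads(descriptor)
    root = hashtree_root(image, bytes.fromhex(desc["salt"]))
    if len(image) != desc["size"] or root.hex() != desc["root_digest"]:
        return "rejected: %s hashtree root does not match vbmeta" % desc["partition"]
    return "ok"


def patch_root_hash(vbmeta: bytes, image: bytes) -> bytes:
    """Rewrite the root digest in vbmeta for IMAGE while keeping the stock signature."""
    meta = json.loads(vbmeta)
    desc = json.loads(bytes.fromhex(meta["descriptor"]))
    desc["root_digest"] = hashtree_root(image, bytes.fromhex(desc["salt"])).hex()
    desc["size"] = len(image)
    meta["descriptor"] = json.dumps(desc, sort_keys=True).encode().hex()
    return json.dumps(meta).encode()


def demo() -> dict:
    salt = bytes(range(16))                       # constructed
    stock_boot = b"stock boot image " * 500        # constructed stand-in partition
    custom_boot = b"custom boot image" * 500       # same size, different content
    stock_vbmeta = make_vbmeta(OEM_PRIV, OEM_PUB, "boot", stock_boot, salt)
    return {
        "stock": bootloader_verify(OEM_PUB, stock_vbmeta, stock_boot),
        "custom image, stock vbmeta": bootloader_verify(OEM_PUB, stock_vbmeta, custom_boot),
        "patched root hash": bootloader_verify(
            OEM_PUB, patch_root_hash(stock_vbmeta, custom_boot), custom_boot),
        "re-signed with own key": bootloader_verify(
            OEM_PUB, make_vbmeta(ATTACKER_PRIV, ATTACKER_PUB, "boot", custom_boot, salt), custom_boot),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-28s %s" % (case, result))
```

The order of the checks is the point: the bootloader never consults anything on the flashable partitions to decide which key to trust, so the stock signature is useless with a different image (its root digest no longer matches), a patched vbmeta no longer matches its signature, and a freshly signed vbmeta fails on the key comparison before the signature is even examined. Nothing short of the OEM private key, or a flaw in the bootloader or SoC secure boot itself, gets past step 1.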