Guest shootomanUK, posted August 4, 2012 (edited August 5, 2012 by shootomanUK):
People say in this thread that Paul has an engineering bootloader, but I can't find in this forum a link with him actually saying he has one? Could someone point me in the right direction please... Thanks ^_^

Guest, posted August 5, 2012 (edited August 5, 2012 by Guest):
Been doing a little searching and apparently a zip file can be altered while retaining the checksum? Not found how to do it yet, but it seems there are ways, lol. Just thinking, if we can put the su binary in the update and retain all the checksums, md5, SHA-1 or whatever ones are used, we would be able to flash the update with su. Anyone heard of any method of retaining/restoring checksums?
Edit: after further investigation, it seems you can crack an md5 hash for things I am not going to talk about for obvious reasons, let's just say the more criminal side of things. But as for editing an archive while retaining/restoring the original md5 sum, well, I hit a brick wall there.

Guest rickywyatt, posted August 5, 2012:
only if xolo would leak their cer and key then we would be able to do what we want

Guest rickywyatt, posted August 5, 2012:
we need something like this http://forum.xda-developers.com/showthread.php?t=1515720

Guest brit07, posted August 5, 2012:
there must be a way to find what the key is from looking in the update.zip from xolo? Surely it has to be there? And don't all android roms sign in a similar fashion?

Guest, posted August 5, 2012 (edited August 5, 2012 by Guest):
Is a checksum based on the bytes of files in an archive? If the answer is yes, let's say I could find exactly 0.93mb to remove from the archive, the exact size of the su binary, would that not = same checksum? Also, is it a checksum as in md5 or is this signature some sort of hash password? It seems the only logical way we can root this device is if we can crack/fool the signature, surely not an impossible task? Greater things have been cracked.
This looks interesting: http://forum.xda-dev...ad.php?t=961648 cert extracted from mmcblk0p10.img?

Guest rickywyatt, posted August 5, 2012:
I think the recovery is looking at this part of the key
Android recovery1 H [email protected] 120130041656Z 331225041656Z010

Guest rickywyatt, posted August 5, 2012:
even if you change 1 byte it will break so won't install. If you look at CERT.SF you'll see

    Signature-Version: 1.0
    Created-By: 1.0 (Android SignApk)
    SHA1-Digest-Manifest: +4g7oZXBmfypibfV7SB1y/HdZ40=

    Name: system/lib/libOMXVideoEncoderMPEG4.so
    SHA1-Digest: 1vqkXc8P0tpUPNDRnUji0wv3Qjg=

    Name: system/lib/libassd.so
    SHA1-Digest: rlSMzBEaovyIlhR2mQ82MegPmAI=

    Name: system/bin/netd
    SHA1-Digest: FIS0Suy0R5XpyTHjeYJyszkIR+w=

    Name: system/etc/permissions/android.hardware.sensor.accelerometer.xml
    SHA1-Digest: 2wEa/9FPcNbDmbsyKNJp5TwVgOE=

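Added example (not part of any post in this thread): a simplified Python model of the JAR-style digest chain behind the CERT.SF entries quoted above, where MANIFEST.MF holds a SHA-1 digest per file and CERT.SF holds digests of the manifest and of each manifest section. It shows that changing one byte while keeping every file size the same is still detected. File names come from the post; file contents are constructed, and the RSA signature over CERT.SF and signapk's line wrapping are not modelled.

```python
import base64
import hashlib

def b64sha1(data: bytes) -> str:
    """Base64 of the SHA-1 digest, the encoding used in SHA1-Digest lines."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def manifest_sections(files: dict) -> dict:
    """One MANIFEST.MF section per file: its name and the digest of its bytes."""
    return {
        name: f"Name: {name}\r\nSHA1-Digest: {b64sha1(body)}\r\n\r\n".encode()
        for name, body in files.items()
    }

def build_manifest(files: dict) -> bytes:
    header = b"Manifest-Version: 1.0\r\nCreated-By: 1.0 (Android SignApk)\r\n\r\n"
    return header + b"".join(manifest_sections(files).values())

def build_sf(files: dict) -> dict:
    """CERT.SF values: digest of the whole manifest, then of each section."""
    sf = {"SHA1-Digest-Manifest": b64sha1(build_manifest(files))}
    for name, section in manifest_sections(files).items():
        sf[name] = b64sha1(section)
    return sf

def mismatches(files: dict, signed_sf: dict) -> list:
    """Entries whose recomputed digest differs from the signed CERT.SF value."""
    current = build_sf(files)
    return sorted(k for k, v in signed_sf.items() if current.get(k) != v)

# Constructed sample contents; only the file names come from the post.
SAMPLE_FILES = {
    "system/bin/netd": b"A" * 16,
    "system/lib/libassd.so": b"B" * 16,
}
SIGNED_SF = build_sf(SAMPLE_FILES)  # stands in for the vendor-signed CERT.SF

def tamper_same_size(files: dict, name: str) -> dict:
    """Flip the last bit of one file, keeping every file length unchanged."""
    changed = dict(files)
    changed[name] = files[name][:-1] + bytes([files[name][-1] ^ 0x01])
    return changed

if __name__ == "__main__":
    print(mismatches(SAMPLE_FILES, SIGNED_SF))
    print(mismatches(tamper_same_size(SAMPLE_FILES, "system/bin/netd"), SIGNED_SF))
```

The digests depend on content, not size, so the changed file's section and the whole-manifest digest both stop matching the signed values.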
Guest, posted August 5, 2012 (edited August 5, 2012 by Guest):
I get the impression Paul is back Tuesday, hopefully with your current progress he can throw in a few tips that may lead to new things :) He says back Tuesday to seb404, so I can only assume he means back to UK/modaco.

Guest rickywyatt, posted August 5, 2012:
we need someone at intel, orange or xolo to release their key and password then we would be able to install what we like

Guest shootomanUK, posted August 5, 2012 (edited August 5, 2012 by shootomanUK):
> even if you change 1 byte it will break so won't install. If you look at CERT.SF you'll see
>
>     Signature-Version: 1.0
>     Created-By: 1.0 (Android SignApk)
>     SHA1-Digest-Manifest: +4g7oZXBmfypibfV7SB1y/HdZ40=
>
>     Name: system/lib/libOMXVideoEncoderMPEG4.so
>     SHA1-Digest: 1vqkXc8P0tpUPNDRnUji0wv3Qjg=
>
>     Name: system/lib/libassd.so
>     SHA1-Digest: rlSMzBEaovyIlhR2mQ82MegPmAI=
>
>     Name: system/bin/netd
>     SHA1-Digest: FIS0Suy0R5XpyTHjeYJyszkIR+w=
>
>     Name: system/etc/permissions/android.hardware.sensor.accelerometer.xml
>     SHA1-Digest: 2wEa/9FPcNbDmbsyKNJp5TwVgOE=

Ricky can I ask where you found the CERT.SF file? Cheers
It's ok, I found it lol, but where is the osd ics leak? Cheers

Guest The Soup Thief, posted August 5, 2012:
> we need someone at intel, orange or xolo to release their key and password then we would be able to install what we like

Attention all disgruntled Intel, Orange and Lava employees - become Modaco legends in one easy leak... reckon that should do it... [waits] ;)

Guest rickywyatt, posted August 5, 2012:
> Ricky can I ask where you found the CERT.SF file? Cheers
> It's ok, I found it lol, but where is the osd ics leak? Cheers

right here but don't flash the recovery.bin from it

Guest rickywyatt, posted August 5, 2012:
> Is a checksum based on the bytes of files in an archive? If the answer is yes, let's say I could find exactly 0.93mb to remove from the archive, the exact size of the su binary, would that not = same checksum? Also, is it a checksum as in md5 or is this signature some sort of hash password? It seems the only logical way we can root this device is if we can crack/fool the signature, surely not an impossible task? Greater things have been cracked.
> This looks interesting: http://forum.xda-dev...ad.php?t=961648 cert extracted from mmcblk0p10.img?

no good to us as we can't dump any of the dev/block/ without root

Guest rickywyatt, posted August 5, 2012:
did anyone find the old update from xolo?

Guest rickywyatt, posted August 5, 2012:
I'm sure I've had access to data/local before so I could delete tmp. If we could, we could try this

    adb shell mv /data/local/tmp /data/local/tmp.bak
    adb shell ln -s /dev/block/mmcblk0p8 /data/local/tmp
    adb reboot
    adb shell echo ro.kernel.qemu=1 > /data/local.prop

Guest shootomanUK, posted August 5, 2012:
> I'm sure I've had access to data/local before so I could delete tmp. If we could, we could try this
>
>     adb shell mv /data/local/tmp /data/local/tmp.bak
>     adb shell ln -s /dev/block/mmcblk0p8 /data/local/tmp
>     adb reboot
>     adb shell echo ro.kernel.qemu=1 > /data/local.prop

I just get permission denied :huh:

Guest shootomanUK, posted August 5, 2012:
I think we need to wait for ICS now and have a bash at that, it seems them Chinese rooted ICS but not GB so I think we might have a chance

Guest, posted August 5, 2012:
Also, gingerbread exploits are well known but ICS ones are not, I doubt they can block them all as they will not know them.

Guest, posted August 5, 2012 (edited August 5, 2012 by Guest):
> I'm sure I've had access to data/local before so I could delete tmp. If we could, we could try this
>
>     adb shell mv /data/local/tmp /data/local/tmp.bak
>     adb shell ln -s /dev/block/mmcblk0p8 /data/local/tmp
>     adb reboot
>     adb shell echo ro.kernel.qemu=1 > /data/local.prop

Even without using adb it is clear there is no access to data, just download xplore from market, it allows access to all system even without root. And I can access all folders with xplore except one, yep you guessed it, data folder lol
Also, when you say they need to give us their KEY and password, do you mean testkey? The reason I ask is in system/etc/security/otacerts.zip is a file called testkey.x509.pem with a rather large amount of text which looks like a password?
It is possible there are answers in the system we have on our devices. They overlooked the fact that apps like xplore can access all root directories and even view inside zips in those directories or read text without root, lol

Guest scuzzbucket, posted August 5, 2012 (edited August 5, 2012 by scuzzbucket):
Is there a small chance that the method used for 2011 Xperia devices on ICS might be useful at all? The "android emulator trick" was used. Not sure exactly what that is, and someone's probably tried it, but might be another angle?

Guest rickywyatt, posted August 5, 2012:
No, I mean their release keys, which is stored in res/keys in the kernel so no way to get hold of them lol
I use root explorer without the root lol
I can set the home page to
/data/fota
/data/system
/data/local/tmp
And see all that's inside them folders with the orange rom I could remove ipth-muc.prop from data/fota but not with the xolo
So by the looks of it xolo saw a hole there and blocked it

Guest, posted August 5, 2012:
So xolo are worse than orange :o why else would they block access to data?