Overview
Syllabus
Intro
Common Android Bootloader Protection Analysis of an unlock on the phone was performed using USBPCAP
Implementing Fastboot Easy to implement using standard USB libraries
Identifying A Potential Bootloader Weakness The "flash" command usually only flashes partitions on unlocked bootloaders
Unknown Memory Analysis Most opcodes, while valid operations, would not be the same as in the bootloader
Unlocking The Bootloader To unlock the bootloader, it was necessary to jump to the code after the RSA check
Patching Bootloader Unlock A single branch instruction was identified, which sent an error response or unlocked the bootloader, depending on whether the signature was accurate
Bootloader Firmware Update Protocol Unique to NXP chips
Hashing Process The first command contains a version number, SHA-256 hash, and signature of the hash
Bypassing Signature Verification Modified hashes could be written in the right portion of memory
Repairing the Firmware Using a dump of the working config, the new config could be hashed and written
Taught by
Black Hat