MBM backup attack

From MILEDROPEDIA

According to the cdt table and the boot chain, the mbm_backup is not signed.

Hypothesis

If we could modify the mbm_backup and get the mbm_loader to boot it, then we could rewrite our own mbm_backup so that it does not check the cdt partition for the boot and recovery images.

Edit: Static code analysis by yakk has found this hypothesis to be flawed. In his own words, "mbmloader loads both mbm and mbmbackup to check their security versions, in order to upgrade mbmbackup if its version is lower, or to restore mbm if its security version was lowered. This doesn't allow to downgrade mbm. And mbmloader knows nothing about cdt and always tries to load mbm or mbmbackup from fixed addresses and check signature." It seems Motorola relied on preventing users from gaining root, which in turn prevents mbm and mbmbackup from being downgraded at the same time (which would succeed in downgrading mbm).

Problems

Mbm_backup cloning issue

According to [mbm] (the user on #milestone-modding, not the partition), he received an OTA update which updated his mbm. He then checked his mbm_backup and found it equal to the mbm partition (even though the OTA update didn't touch it).

Why did it happen?

We think (this has not been checked!) the mbm_loader does the following (read from left to right) if the mbm is not valid:

There must be something that checks if mbm is valid; if yes, it seems to copy the mbm over to the mbm_backup (only if they're different?).

Questions:

  • Does the "something" copy the mbm to mbm_backup only if the mbm and mbm_backup are different?
  • Does the "something" copy the mbm to mbm_backup only if mbm isn't working?
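The loader behaviour yakk describes above, and the cloning [mbm] observed after his OTA, as an added model (not Motorola's code and not anything taken from the device): images carry a security version and a vendor tag, an HMAC under a constructed key stands in for the real RSA signature, and the fallback to the backup slot when mbm fails its check is an assumption, since that is exactly the open question on this page.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key standing in for Motorola's signing key; an HMAC tag stands in
# for the real RSA signature, since only the check/no-check logic matters here.
VENDOR_KEY = b"constructed-vendor-key"

@dataclass
class Image:
    version: int   # security version
    payload: bytes
    tag: bytes

def vendor_sign(version: int, payload: bytes) -> Image:
    msg = version.to_bytes(4, "big") + payload
    return Image(version, payload, hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest())

def verify(img: Image) -> bool:
    msg = img.version.to_bytes(4, "big") + img.payload
    return hmac.compare_digest(hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest(), img.tag)

def mbmloader(flash: dict) -> str:
    """Model of yakk's description: load both slots from fixed addresses, check
    their signatures, compare security versions; returns the slot that boots."""
    mbm_ok, bak_ok = verify(flash["mbm"]), verify(flash["mbm_backup"])
    if mbm_ok and bak_ok:
        if flash["mbm_backup"].version < flash["mbm"].version:
            flash["mbm_backup"] = flash["mbm"]   # upgrade mbmbackup (the cloning seen after the OTA)
        elif flash["mbm"].version < flash["mbm_backup"].version:
            flash["mbm"] = flash["mbm_backup"]   # restore a lowered mbm
        return "mbm"
    if bak_ok:  # ASSUMPTION (the page's open question): fall back to the backup slot
        flash["mbm"] = flash["mbm_backup"]
        return "mbm_backup"
    return "mbm" if mbm_ok else "brick"  # no valid image in either slot: nothing boots

def scenario_ota_clone():
    """OTA raised mbm to v2 while mbm_backup stayed at v1: the backup gets cloned."""
    flash = {"mbm": vendor_sign(2, b"mbm v2"), "mbm_backup": vendor_sign(1, b"mbm v1")}
    return mbmloader(flash), flash["mbm_backup"] == flash["mbm"]

def scenario_patched_backup():
    """The page's hypothesis: patch mbm_backup so it skips the cdt check.
    The payload changed, so the tag no longer verifies and the slot is ignored."""
    good = vendor_sign(1, b"mbm v1")
    patched = Image(good.version, b"mbm v1 with cdt check patched out", good.tag)
    flash = {"mbm": vendor_sign(1, b"mbm v1"), "mbm_backup": patched}
    return mbmloader(flash), verify(flash["mbm_backup"])
```

Under this model the cloning question answers itself: the copy happens whenever both slots verify and the backup's security version is lower, regardless of whether mbm is "working".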

How to modify the mbm_backup

We need to modify the mbm_backup in order to get the mbm_backup to load our unsigned boot/recovery images.

Ideas:

  1. We could find the mbm_backup routine which checks the signature based on the cdt and make it always return "true".
  2. We could find the boot.img and recovery.img checks and change the code so it does not call the previously mentioned routine.

Problems:

  1. If we modify the mbm_backup to suit our needs, we will probably brick the device if the modified mbm_backup is wrong.

How to tell mbm_loader to boot mbm_backup

We need to find a way to make mbm_loader call mbm_backup instead of mbm.

Ideas:

  1. Write some kind of garbage over mbm.

Problems:

  1. No one knows how mbm_loader works, or whether it would really call mbm_backup if mbm is not signed properly. (We need an ARM asm expert :P)