Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Method Found To Unlock Qualcomm Based Motorola Phones

Unknown Lamer posted about a year ago | from the take-that-qfuse dept.

Cellphones 21

FlatEric521 writes "In a blog post over at Azimuth Security, Dan Rosenberg explains how certain models of Motorola Android phones based on the Qualcomm MSM8960 chipset (including the Atrix HD, Razr HD, and Razr M) can be permanently unlocked. He writes, 'I will present my findings, which include details of how to exploit a vulnerability in the Motorola TrustZone kernel to permanently unlock the bootloaders on these phones.'" It's a long read, but interesting.

cancel ×


Sorry! There are no comments related to the filter you selected.

gg (0)

Anonymous Coward | about a year ago | (#43396073)

It's a long read, but interesting

Half right.

Re:gg (0)

Anonymous Coward | about a year ago | (#43396223)

Agreed, it's not long.

"Still, it is very neat." (2)

Impy the Impiuos Imp (442658) | about a year ago | (#43396083)

Thank god for freedom of speech. I can't blame companies for trying, but sometimes getting government in as "partners" to stop knowledge and analysis of technical issues gets a little close to the edge.

Re:"Still, it is very neat." (1)

drinkypoo (153816) | about a year ago | (#43400261)

I can't blame companies for trying,

Nor can I. A corporation is a legal fiction. I blame the humans, mostly the management, but also the stooges who carry out their evil orders.

Interesting, could influence my next phone purchas (1)

SpaceManFlip (2720507) | about a year ago | (#43396209)

I half-read that article, but it was interesting about the QFuses and stuff. Could not for certain decipher if he's exactly talking about a carrier unlock or OS / jailbreak kind of unlock or both. My current phone has both, but its hardware is gradually failing.....

Operator needs more sleep this Monderp to comprehend

Re:Interesting, could influence my next phone purc (3, Informative)

jonwil (467024) | about a year ago | (#43396253)

Its a bootloader unlock to let you run custom kernels and stuff.

Re:Interesting, could influence my next phone purc (1)

Anonymous Coward | about a year ago | (#43396279)

boatloader unlocking using a hardfuse attack, the only unlock that is more power-full is the recovery of the boot-loader signing keys.

Re:Interesting, could influence my next phone purc (1)

petermgreen (876956) | about a year ago | (#43399097)

This lets you unlock the bootloader so you can boot a firmware image with a custom kernel. From my reading of the article it seems like you already need to have obtained the ability to load kernel modules somehow before you can use this.

Re:Interesting, could influence my next phone purc (0)

Anonymous Coward | about a year ago | (#43406463)

No, you cannot state that using only the article as it is makes no such statement, it only state that he used the source to understand the Secure Monitor Calling convention but I did check in the ARM11 technical reference manual [] and just as you said it must be in a kernel module as the processor must be in a privileged mode to execute that instruction.

Re:Interesting, could influence my next phone purc (1)

petermgreen (876956) | about a year ago | (#43407837)

From TFA

"The Non-secure world may issue requests to the Secure world using the privileged SMC instruction."

Privilaged in this kind of context generally means "not available to regular user mode code".

Cool exploit (1)

Anonymous Coward | about a year ago | (#43396405)

Pretty naive memory copy algorithm from qualcomm however, especially since that code only runs with high privileges by design.

Re:Cool exploit (1)

viperidaenz (2515578) | about a year ago | (#43396431)

Maybe it was naive on purpose. They get a pat on the back from the carriers and such for locked boot loaders. They get surge in sales when its eventually hacked and people buy the phone to load their own firmware.

Re:Cool exploit (2)

phantomfive (622387) | about a year ago | (#43396479)

Really, there aren't very many companies that take security seriously. With Qualcomm, you'd be much better to vote for incompetence rather than malice.

Re: Cool exploit (0)

Anonymous Coward | about a year ago | (#43406437)

I think the memory exploit was found in the Motorola code not the Qualcomm code.

Re:Cool exploit (4, Informative)

Anonymous Coward | about a year ago | (#43397957)

Moto allows you to unlock the bootloader *on their consumer devices*. You just need to officially void the warranty at their site (which makes sense since it is so common to brick your device, unintentionally).

The only case where consumer devices cannot be unlocked is *when the carrier specifically requests this from Moto*. (I.e. the Droid branded versions that Verizon uses).

This exploit is technically interesting, but not necessary for most Moto devices.

Re:Cool exploit (2)

kwark (512736) | about a year ago | (#43399423)

"which makes sense since it is so common to brick your device, unintentionally"

I only had about 6 Android devices so far, all ran modded firmware and all (except a Desire Z) had a (pre)bootloader smart enough to recover the device from my mistakes (like flashing the wrong or a corrupt recovery image). The Desire Z was fixed by flashing the enginering bootloader to get fastboot support.

Re:Cool exploit (1)

Anonymous Coward | about a year ago | (#43399581)

Indeed, most of the 'brickings' I referred to, are not in fact, brickings, but overzealous-undercompentent types who get frustrated after screwing something up, and end up turning in the device for [warranty] service.

Thank you, sweet ${deity} (3, Funny)

Miamicanes (730264) | about a year ago | (#43397037)

Finally, I can pull my Photon out of the drawer I threw it into in a fit of rage almost a year ago, and let it have the useful Android afterlife denied to it by Motorola. The evil bastards at Moto gimped that poor phone so badly, it couldn't run ADK (despite theoretically having a sufficiently-new kernel... they went out of their way to exclude ADK support it from the kernel), and somehow managed to even have Issues(tm) with IOIO, which is probably the most compatible ADB-based hardware/io bridge you can GET for Android.

Motorola ruined it as a phone, but maybe it can at least be useful now as an embedded hardware controller with touchscreen and full complement of sensors. The sad thing is, had the MoPho been an open phone called the "Nexus M", I would have totally loved it, and lots of us would think Motorola was an awesome company instead of regarding them as the spawn of Satan, sitting at the right hand of Steve Jobs and playing footsie with Steve Ballmer under the table at a dinner party hosted by Verizon. ;-)

Re:Thank you, sweet ${deity} (1)

Miamicanes (730264) | about a year ago | (#43397535)

Whoops... it looks like the celebration might have been a bit premature, and the Photon/Electrify/Atrix2 might still be firmly under Motorola's evil thumb. Unless, of course, THIS exploit ends up inspiring the discover of something similar on the Tegra2 phones (which, AFAIK, *are* built around the MSM 8960 baseband chips, though apparently not in quite the same way as the phones in the referenced article).

Yuo fail It? (-1)

Anonymous Coward | about a year ago | (#43398269)

stupi3. To the not anymore. It's

Method!? (0)

Dahamma (304068) | about a year ago | (#43398843)

Frankly I'm surprised Method found the unlock. I always thought Redman was the brains of that group.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>