Method Found To Unlock Qualcomm Based Motorola Phones

FlatEric521 writes "In a blog post over at Azimuth Security, Dan Rosenberg explains how certain models of Motorola Android phones based on the Qualcomm MSM8960 chipset (including the Atrix HD, Razr HD, and Razr M) can be permanently unlocked. He writes, 'I will present my findings, which include details of how to exploit a vulnerability in the Motorola TrustZone kernel to permanently unlock the bootloaders on these phones.'" It's a long read, but interesting.

"Still, it is very neat."

[Impy the Impiuos Imp]

Thank god for freedom of speech. I can't blame companies for trying, but sometimes getting government in as "partners" to stop knowledge and analysis of technical issues gets a little close to the edge.

Re:

[drinkypoo]

I can't blame companies for trying,

Nor can I. A corporation is a legal fiction. I blame the humans, mostly the management, but also the stooges who carry out their evil orders.

Interesting, could influence my next phone purchas

[SpaceManFlip]

I half-read that article, but it was interesting about the QFuses and stuff. Could not for certain decipher if he's exactly talking about a carrier unlock or OS / jailbreak kind of unlock or both. My current phone has both, but its hardware is gradually failing.....

Operator needs more sleep this Monderp to comprehend

Re:Interesting, could influence my next phone purc

[jonwil]

Its a bootloader unlock to let you run custom kernels and stuff.

Re:

[Anonymous Coward]

boatloader unlocking using a hardfuse attack, the only unlock that is more power-full is the recovery of the boot-loader signing keys.

Re:

[petermgreen]

This lets you unlock the bootloader so you can boot a firmware image with a custom kernel. From my reading of the article it seems like you already need to have obtained the ability to load kernel modules somehow before you can use this.

Re:

[petermgreen]

From TFA

"The Non-secure world may issue requests to the Secure world using the privileged SMC instruction."

Privilaged in this kind of context generally means "not available to regular user mode code".

Cool exploit

[Anonymous Coward]

Pretty naive memory copy algorithm from qualcomm however, especially since that code only runs with high privileges by design.

Re:

[viperidaenz]

Maybe it was naive on purpose. They get a pat on the back from the carriers and such for locked boot loaders. They get surge in sales when its eventually hacked and people buy the phone to load their own firmware.

Re:

[phantomfive]

Really, there aren't very many companies that take security seriously. With Qualcomm, you'd be much better to vote for incompetence rather than malice.

Re:Cool exploit

[Anonymous Coward]

Moto allows you to unlock the bootloader *on their consumer devices*. You just need to officially void the warranty at their site (which makes sense since it is so common to brick your device, unintentionally).

The only case where consumer devices cannot be unlocked is *when the carrier specifically requests this from Moto*. (I.e. the Droid branded versions that Verizon uses).

This exploit is technically interesting, but not necessary for most Moto devices.

Re:

[kwark]

"which makes sense since it is so common to brick your device, unintentionally"

I only had about 6 Android devices so far, all ran modded firmware and all (except a Desire Z) had a (pre)bootloader smart enough to recover the device from my mistakes (like flashing the wrong or a corrupt recovery image). The Desire Z was fixed by flashing the enginering bootloader to get fastboot support.

Re:

[Anonymous Coward]

Indeed, most of the 'brickings' I referred to, are not in fact, brickings, but overzealous-undercompentent types who get frustrated after screwing something up, and end up turning in the device for [warranty] service.

Thank you, sweet ${deity}

[Miamicanes]

Finally, I can pull my Photon out of the drawer I threw it into in a fit of rage almost a year ago, and let it have the useful Android afterlife denied to it by Motorola. The evil bastards at Moto gimped that poor phone so badly, it couldn't run ADK (despite theoretically having a sufficiently-new kernel... they went out of their way to exclude ADK support it from the kernel), and somehow managed to even have Issues(tm) with IOIO, which is probably the most compatible ADB-based hardware/io bridge you can GET for Android.

Motorola ruined it as a phone, but maybe it can at least be useful now as an embedded hardware controller with touchscreen and full complement of sensors. The sad thing is, had the MoPho been an open phone called the "Nexus M", I would have totally loved it, and lots of us would think Motorola was an awesome company instead of regarding them as the spawn of Satan, sitting at the right hand of Steve Jobs and playing footsie with Steve Ballmer under the table at a dinner party hosted by Verizon. ;-)

Re:

[Miamicanes]

Whoops... it looks like the celebration might have been a bit premature, and the Photon/Electrify/Atrix2 might still be firmly under Motorola's evil thumb. Unless, of course, THIS exploit ends up inspiring the discover of something similar on the Tegra2 phones (which, AFAIK, *are* built around the MSM 8960 baseband chips, though apparently not in quite the same way as the phones in the referenced article).

Method!?

[Dahamma]

Frankly I'm surprised Method found the unlock. I always thought Redman was the brains of that group.