Buku Perilaku Organisasi Edisi 16 Pdf

0 views

Skip to first unread message

Shari Alvine

unread,

Aug 4, 2024, 4:37:45 PM8/4/24

to viaracirmi

Acouple of days ago, I got an error on my phone (Motorola Razr HD xt925) saying that it cannot load the home screen. So, I restarted it in order to resolve the issue. However, it didn't reboot and since then it has been stuck in the Motorola logo.Acouple of days ago, I got an error on my phone (Motorola Razr HD xt925) saying that it cannot load the home screen. So, I restarted it in order to resolve the issue. However, it didn't reboot and since then it has been stuck in the Motorola logo.

This step is not necessary just leave it and continue other steps if more steps fails then you should use your lastly updated ROM version... You can't flash lollipop ROM on marshmallow bootloader...flash stock marshmallow ROM or your current rom using mfastboot v2...????

This happens to phones that have had water damage or something else and a way that might make it work is to take the battery out for no more than 60 seconds and put it back in and push the *,# and power buttons at the same time and if the blue screen comes up, while on the screen push the buttons and hold them until it goes normal. it worked for me

Anyway, the second step is to flash the phone. According to this question, I should be able to do that. However, when I am running the command fastboot flash partition gpt.bin, I am getting the following result:Pressing 'power' and # and * at the same time will start the phone in this boot mode. It is used for preparing a phone for new software to be uploaded. If your phone is doing this the software is probably corrupted and you will not be able to recover. You may be able to have it flashed with new software at the store. (You can flash it yourself with a usb cable and some software found online if you are brave)

Pressing 'power' and # and * at the same time will start the phone in this boot mode. It is used for preparing a phone for new software to be uploaded. If your phone is doing this the software is probably corrupted and you will not be able to recover. You may be able to have it flashed with new software at the store. (You can flash it yourself with a usb cable and some software found online if you are brave)

My free verizon motorola w755 did this after I dropped it in the pool. I was not ever expecting to get the phone to work again and had already gone back to my old razr when I noticed this thread on howard forums: =11659206

I flashed the phone, which I guess basically puts the OS/firmware back on there. All works fine now. Re-activated through account online and dialed *228. Sweet!

I recently spent some time dissecting the bootloader used on Motorola's latest Android devices, the Atrix HD, Razr HD, and Razr M. The consumer editions of these devices ship with a locked bootloader, which prevents booting kernel and system images not signed by Motorola or a carrier. In this blog post, I will present my findings, which include details of how to exploit a vulnerability in the Motorola TrustZone kernel to permanently unlock the bootloaders on these phones.

These three devices are the first Motorola Android phones to utilize the Qualcomm MSM8960 chipset, a break from a long tradition of OMAP-based Motorola devices. Additionally, these three devices were released in both "consumer" and "developer" editions. The developer editions of these models support bootloader unlocking, allowing the user to voluntarily void the manufacturer warranty to allow installation of custom kernels and system images not signed by authorized parties. However, the consumer editions ship with a locked bootloader, preventing these types of modifications.

Supported Bootloader UnlockingFrom the perspective of the user, unlocking the bootloader on a developer edition device is fairly straightforward. The user must boot into "bootloader mode" using a hardware key combination (usually Vol Up + Vol Down + Power) at boot. Next, the standard "fastboot" utility can be used to issue the following command:

fastboot oem get_unlock_dataIn response to this command, an ASCII blob will be returned to the user. The user must then submit this blob to the Motorola bootloader unlock website ( -global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a). If the user's device is supported by the bootloader unlocking program (i.e. if it's a developer edition device), the website will provide a 20-character "unlock token".

To complete the process, the user issues a final fastboot command:

fastboot oem unlock [token]At this point, the bootloader unlocks, and the user may use fastboot to flash custom kernel and system images that have not been signed by Motorola or the carrier.

QFuses and Trusted BootMuch of Qualcomm's security architecture is implemented using QFuses, which are software-programmable fuses that allow one-time configuration of device settings and cryptographic materials such as hashes or keys. Because of their physical nature, once a QFuse has been blown, it is impossible to "unblow" it to revert its original value.

If the FORCE_TRUSTED_BOOT QFuse is blown, as is the case on all production Motorola devices, each stage of the boot chain is cryptographically verified to ensure only authorized bootloader stages may be run. In particular, the PBL ("Primary Bootloader"), which resides in mask ROM, verifies the integrity of the SBL1 ("Secondary Bootloader") via a SHA1 hash. Each stage of the boot chain verifies the next stage using RSA signatures, until finally Motorola's APPSBL ("Application Secondary Bootloader"), "MBM", is loaded and run.Checking the Bootloader StatusThe entirety of the Android OS signature verification and bootloader unlocking process is implemented in MBM. To study the implementation, I examined the "emmc_appsboot.mbn" binary included in a leaked SBF update package for the Motorola Atrix HD. It's also possible to pull this partition directly from a device via the /dev/block/mmcblk0p5 block device.

To start, because the binary blob is an undocumented format, I assisted IDA Pro in identifying entry points for disassembly. Next, I searched for cross-references to strings referring to unlocking the bootloader. After getting my bearings, I identified the function responsible for handling the "fastboot oem unlock" command. The reverse engineered pseudocode looks something like this:int handle_fboot_oem_unlock(char *cmd) char *token; if ( is_unlocking_allowed() != 0xff ) print_console("INFO", "fastboot oem unlock disabled!"); return 3; if ( is_device_locked() != 0xff ) print_console("INFO", "Device already unlocked!"); return 3; token = cmd + 12; /* offset of token in "oem unlock [token]" */ if ( strnlen(token, 21) - 1 > 19) print_console("INFO", "fastboot oem unlock [ unlock code ]"); return 0; if ( !validate_token_and_unlock(token) ) print_console("INFO", "OEM unlock failure!"); return 3; return 0;Of particular note are the is_unlocking_allowed() and is_device_locked() functions. Further reversing revealed that these functions query values stored in particular QFuses by accessing the QFPROM region, which represents the contents of the QFuses, memory-mapped at physical address 0x700000. In particular, these two functions invoke another function I called get_mot_qfuse_value(), which queries the value stored in a specific QFuse register.

Having reversed this behavior, the implementation of is_unlocking_allowed() is simple: it returns the "success" value (0xff) if get_mot_qfuse_value(0x85) returns zero, indicating the value in the QFuse Motorola identifies with 0x85 is zero (this register happens to be mapped to physical address 0x700439). In other words, by blowing this particular QFuse, unlocking may be permanently disabled on these devices. Fortunately, this has not been performed on any of the consumer editions of these devices.

The logic behind is_device_locked() is a bit more complex. It invokes a function I called get_lock_status(), which queries a series of QFuse values to determine the status of the device. Among others, it checks the QFuse values for identifiers 0x85 ("is unlocking disabled?") and 0x7b ("is the Production QFuse blown?"). If the Production bit isn't set, get_lock_status() returns a value indicating an unlocked bootloader, but this QFuse has been blown on all released models. Otherwise, if unlocking hasn't been permanently disabled, the result is based on two additional conditions.

If the QFuse with identifier 0x84, which is mapped to physical address 0x700438, hasn't been blown, the status is returned as "locked". It turns out this is the QFuse we're looking for, since blowing it will result in unlocking the bootloader! If this QFuse has been blown, there is one final condition that must be satisfied before get_lock_status() will return an "unlocked" status: there must not be a signed token in the SP partition of the phone. Further investigation revealed that this token is only added when the user re-locks their bootloader using "fastboot oem lock", so it does not pose any obstacle when trying to unlock the bootloader.

Token ValidationIf the bootloader has not already been unlocked, MBM will attempt to validate the token provided by the user. More reversing revealed that the following logic is used:The CID partition is read from the device.

A digital signature on the CID partition is verified using a certificate stored in the CID partition.

The authenticity of the certificate is verified by validating a trust chain rooted in cryptographic values stored in blown QFuses.

The user-provided token is hashed together with a key blown into the QFuses using a variant of SHA-1.

This hash is compared against a hash in the CID partition, and if it matches, success is returned.

As a result, there is no way for a user to generate his or her own valid unlock token without either breaking RSA to violate the integrity of the CID partition, or by performing a pre-image attack against SHA-1, both of which are computationally infeasible in a reasonable amount of time.

Edit: The original post claimed the algorithm used was MD4. I mistakenly identified the algorithm because MD4 and SHA-1 evidently share some of the same constant values used during initialization. Thanks to Tom Ritter, Melissa Elliott, and Matthew Green for discussing this and inspiring me to take another look.Introducing TrustZoneHaving run into this dead-end, I examined what actually takes place when a successful unlock token is provided. We already know that MBM must somehow blow the QFuse with Motorola identifier 0x84 in order to mark the bootloader as "unlocked".