Tweets from CopperheadOS, a security-focused Android-based distribution, are a good source of Android security news, since the project keeps pushing the boundaries of the open-source Android release.
Liberating Bootloaders and Cellular Modem Firmware of MediaTek Phones
As a community project, and one that encourages contributors to work on what they like, we have attracted people with a broad range of interests and skill levels. Recently a small hacking group, #postmarketOS-lowlevel, has emerged, and its masterminds @McBitter and @unrznbl are eager to introduce you to the madness that awaits when digging deeper and deeper into the embedded hardware and software stack. But before we get started, please keep in mind that these are moon shots. So while there is a little progress, it's mostly about letting fellow hackers know what we've tried and what we're up to, in the hope of attracting more interested talent to our cause. After all, our philosophy is to keep the community informed and engaged during the development phase!

For those new to postmarketOS, we are a group of developers, hackers, and hobbyists who have come together with the common goal of giving mobile phones a ten-year life cycle. This is accomplished by using a simple and sustainable architecture borrowed from typical Linux distributions, instead of Android's build system. The project is at an early stage and isn't useful for most people at this point. Check out the newly updated front page for more information, the previous blog post for recent achievements, and the closed pull requests to stay informed about what's going on up to the current minute. Let's dive in!
Noticed a new SlideShare presentation on U-Boot and AVB (Android Verified Boot):
oppo_decrypt – Oppo/OnePlus .ops firmware decrypter
Tested with "MsmDownloadTool V4.0" for the OnePlus 5, Frida 10.4 and Windows
backdoor.py: enables the hidden "readback" functionality of the download tool
decrypt.py: decrypts any part of the firmware
Based on Frida.re and Python 3.6 (the tool is instrumented at runtime, so the decryption keys never have to be extracted by hand)
Windows only, sorry folks!
OnePlus 5 QD-Loader decryption: python decrypt.py "MsmDownloadTool V4.0.exe" 0 0x92880
Enable readback mode: python backdoor.py "MsmDownloadTool V4.0.exe"
Dump/Verify Android Verified Boot Signature Hash
For researching Android Verified Boot issues
To exploit TZ (TrustZone) image verification 🙂
python verify_signature.py boot.img
Issues: may not work with AVB version 2.0 or higher, which no longer appends a signature blob to the boot image and instead describes the partition hashes in a separate vbmeta structure.
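To show what such a dumper actually has to compute, here is an added example (not the verify_signature.py tool above, nor any code from its author). It assumes the v0 Android boot image header layout and the Verified Boot 1.0 AndroidVerifiedBootSignature DER structure (outer SEQUENCE of formatVersion, certificate, algorithmIdentifier, authenticatedAttributes { target, length }, signature), where the bootloader's SHA-256 input is the page-aligned image followed by the DER-encoded authenticatedAttributes. The sample boot image, certificate and signature bytes are constructed placeholders, so the script reproduces the hash and the length check but not the RSA verification; function names such as dump_signature and build_signature_blob are the example's own.

```python
"""Dump the hash a Verified Boot 1.0 bootloader checks for a signed boot.img.

Added example with constructed sample data; the certificate and signature
inside the blob are placeholders, so only the hash and length check run.
"""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), pre-encoded.
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")


def page_align(n: int, page: int) -> int:
    return (n + page - 1) // page * page


# --- minimal DER helpers, enough for this one structure -----------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    # an extra leading byte when the top bit is set keeps the INTEGER positive
    return der_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def der_read(buf: bytes, pos: int):
    """Return (tag, body, position after the TLV) for the element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# --- boot image geometry (v0 header) ------------------------------------
def boot_image_size(img: bytes) -> int:
    """Bytes covered by the signature: header page plus page-aligned parts."""
    if img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    (kernel_size, _, ramdisk_size, _, second_size,
     _, _, page_size) = struct.unpack_from("<8I", img, 8)
    total = page_size  # the header occupies a full page
    for size in (kernel_size, ramdisk_size, second_size):
        total += page_align(size, page_size)
    return total


def authenticated_attributes(target: str, length: int) -> bytes:
    return der_tlv(0x30, der_tlv(0x13, target.encode("ascii")) + der_int(length))


def dump_signature(signed: bytes) -> dict:
    """Parse the appended signature and return what the bootloader would hash."""
    image_len = boot_image_size(signed)
    image, blob = signed[:image_len], signed[image_len:]
    if not blob or blob[0] != 0x30:
        raise ValueError("no Verified Boot 1.0 signature appended "
                         "(AVB 2.0 images carry a vbmeta structure instead)")
    _, seq, _ = der_read(blob, 0)
    _, version, pos = der_read(seq, 0)
    _, cert, pos = der_read(seq, pos)
    _, algid, pos = der_read(seq, pos)
    attrs_start = pos
    _, attrs, pos = der_read(seq, pos)
    attrs_der = seq[attrs_start:pos]       # the exact bytes that get hashed
    _, signature, _ = der_read(seq, pos)
    _, target, apos = der_read(attrs, 0)
    _, length, _ = der_read(attrs, apos)
    length = int.from_bytes(length, "big")
    return {
        "format_version": int.from_bytes(version, "big"),
        "target": target.decode("ascii"),
        "length": length,
        "length_ok": length == image_len,  # mismatch: blob moved or image resized
        "sha256": hashlib.sha256(image + attrs_der).hexdigest(),
        "signature_bytes": len(signature),
    }


# --- constructed sample: tiny boot.img plus placeholder signature blob --
def make_sample_boot_image(page_size: int = 2048) -> bytes:
    kernel = bytes(range(256)) * 12          # 3072 bytes -> two pages
    ramdisk = b"\x1f\x8b" + b"\x00" * 998    # 1000 bytes -> one page
    header = BOOT_MAGIC + struct.pack(
        "<8I", len(kernel), 0x10008000, len(ramdisk), 0x11000000,
        0, 0, 0x10000100, page_size)
    img = header.ljust(page_size, b"\x00")
    img += kernel.ljust(page_align(len(kernel), page_size), b"\x00")
    img += ramdisk.ljust(page_align(len(ramdisk), page_size), b"\x00")
    return img


def build_signature_blob(image_len: int, target: str = "/boot") -> bytes:
    cert = der_tlv(0x30, b"")                 # placeholder, not a real X.509 cert
    algid = der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA) + der_tlv(0x05, b""))
    signature = der_tlv(0x04, b"\x00" * 256)  # placeholder RSA-2048 signature
    return der_tlv(0x30, der_int(1) + cert + algid
                   + authenticated_attributes(target, image_len) + signature)


if __name__ == "__main__":
    image = make_sample_boot_image()
    for key, value in dump_signature(image + build_signature_blob(len(image))).items():
        print(f"{key}: {value}")
```

The length check matters as much as the hash: the bootloader compares the length recorded in authenticatedAttributes with the page-aligned image size it computed from the header, so a blob simply copied onto a resized image fails before any RSA work is done. Running the script on a real boot.img with a real certificate would only add the PKCS#1 v1.5 verification of the returned digest against the certificate's public key.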