On Wednesday 11 June 2008 22:00:49 Daniel Ribeiro wrote:
> Dmitriy Taychenachev wrote:
> >>>> I'm also trying to get a cheap Z6 my own for further testing.
> >>>
> >>> I can test stuff on a Z6 as long as it doesn't involve anything that
> >>> could render the phone unusable as a phone or pose a risk of bricking
> >>> the thing. (so no, I am not going to try and flash a new untried
> >>> bootloader :)
> >>
> >> That's my position, too. BTW, you can't flash bootloader, it's digitally
> >> signed.
> >
> > Of course, I'm not going to flash anything. But execution of code in
> > supervisor mode can harm your phone too. I'm not going to do it, but it
> > can happen, though :)
>
> I can test the dangerous stuff after I put my hands on a magx device.
> But as it seems, with ROM code to check the signature on the bootloader
> and all, we will end using kexec for OpenMAGX.
> Anyway, I've seen non-linux phones with ROM code to validate flash
> contents before, and people managed to break the protection too.
Yeah, there is a possibility to break RSA checking in ROM code or mbmloader/mbm. We have done a small analysis of irom/mbm, and didn't find old known or other vulns that could lead to RSA bypass. So, the better way now is a kexec-like thing. Of course, further analysis of irom or mbm code would be great.