GSM-Forum  

Old 01-05-2005, 21:21   #16 (permalink)
No Life Poster
 
merwin's Avatar
 
Join Date: Dec 2003
Location: Seattle, WA USA
Age: 43
Posts: 615
Member: 47173
Status: Offline
Thanks Meter: 3

RSA key can be bruteforced? That's news to me.
 
Old 01-06-2005, 09:03   #17 (permalink)
No Life Poster
 
SFlood's Avatar
 
Join Date: May 1999
Location: RU
Posts: 906
Member: 83
Status: Offline
Thanks Meter: 1
Quote:
Originally Posted by Invisible
anyway RSA key for sign flash can be bruteforced like Fighter did so long..

Really?
Fighter team can bruteforce 1024-bit RSA keys?
Wow, maybe they are aliens or time travellers from the distant future?
 
Old 01-06-2005, 17:04   #18 (permalink)
No Life Poster
 
evan_silbert's Avatar
 
Join Date: Feb 2003
Location: Boston
Posts: 5,027
Member: 21920
Status: Offline
Thanks Meter: 10
RSA remove is done by partial flashing away the RSA portion.

That means that if we are able to read the flash from an RSA protected AVR phone, we must boot it first and thereby must have RSA removed. Then we cannot flash that to a phone again because we don't have any data to fill the empty RSA area, signed or not.

The phone will not power on with that.

The only way to read it would be either through some JTAG like solution that reads it without using the phone's boot structure, or using SE's authentication to bypass RSA without removing it. I think NEMESIS uses some sort of bypass similar to this...

What would be better and easier though would be if Fighter team would just get these flashes from EMMAII and convert them for us and add them to support.
 
Old 01-06-2005, 17:24   #19 (permalink)
No Life Poster
 
Odia The Ultimate's Avatar
 
Join Date: Apr 2001
Location: Where dreams become reality.
Age: 54
Posts: 5,752
Member: 4042
Status: Offline
Thanks Meter: 24,043
Quote:
Originally Posted by evan_silbert
RSA remove is done by partial flashing away the RSA portion.

I hope you mean partial erasing and not flashing!!!

Odia.
 
Old 01-06-2005, 17:51   #20 (permalink)
No Life Poster
 
evan_silbert's Avatar
 
Join Date: Feb 2003
Location: Boston
Posts: 5,027
Member: 21920
Status: Offline
Thanks Meter: 10
Flashing with emptiness = erasing
 
Old 01-07-2005, 10:59   #21 (permalink)
No Life Poster
 
Invisible's Avatar
 
Join Date: Apr 2001
Location: รำมว
Posts: 2,461
Member: 3956
Status: Offline
Sonork: galletto3 rules :D
Thanks Meter: 55
Quote:
Originally Posted by evan_silbert
RSA remove is done by partial flashing away the RSA portion.

That means that if we are able to read the flash from an RSA protected AVR phone, we must boot it first and thereby must have RSA removed. Then we cannot flash that to a phone again because we don't have any data to fill the empty RSA area, signed or not.

The phone will not power on with that.

Sure, 100% agree,

@SFlood:

how do you think they get the flashes signed?
what about signed ufs flashes?
do you think SE people at hund signing that flashes for them?

best regards
Invisible
 
Old 01-07-2005, 18:36   #22 (permalink)
No Life Poster
 
merwin's Avatar
 
Join Date: Dec 2003
Location: Seattle, WA USA
Age: 43
Posts: 615
Member: 47173
Status: Offline
Thanks Meter: 3
@Invisible
Very simple... EMMA smart card authentication will boot the phone (providing the necessary RSA validation) and allow you to read a signed flash without problem.
 
Old 01-07-2005, 18:39   #23 (permalink)
No Life Poster
 
Invisible's Avatar
 
Join Date: Apr 2001
Location: รำมว
Posts: 2,461
Member: 3956
Status: Offline
Sonork: galletto3 rules :D
Thanks Meter: 55
hi

this will solve mystery about signed flashes but what about new cid loaders?
are these signed too?
btw, good point merwin

best regards
Invisible
 
Old 01-07-2005, 18:53   #24 (permalink)
No Life Poster
 
merwin's Avatar
 
Join Date: Dec 2003
Location: Seattle, WA USA
Age: 43
Posts: 615
Member: 47173
Status: Offline
Thanks Meter: 3
I believe that the new phone loaders are exploiting a vulnerability in the security that lets them "inject" code into the signed loaders. ie: trojan virus :-)
 
Old 01-07-2005, 19:24   #25 (permalink)
No Life Poster
 
evan_silbert's Avatar
 
Join Date: Feb 2003
Location: Boston
Posts: 5,027
Member: 21920
Status: Offline
Thanks Meter: 10
The real question still remains though.

Why can't Fighter/Cruiser team just release the flashes?

They should be on SE's servers like the other flashes they have provided in the past. There is no need to read them from phones.

Do you think they read phones with every single version and region on them in the past? ...
 
Old 01-07-2005, 19:38   #26 (permalink)
No Life Poster
 
Join Date: Jul 2004
Posts: 1,191
Member: 72567
Status: Offline
Thanks Meter: 8
Quote:
Originally Posted by evan_silbert
The real question still remains though.

Why can't Fighter/Cruiser team just release the flashes?

They should be on SE's servers like the other flashes they have provided in the past. There is no need to read them from phones.

Do you think they read phones with every single version and region on them in the past? ...

They are busy trying to get Cruiser on its feet and therefore Fighter has stood in the shade. V 4.33 just "killed" a customer's phone and I tried to fix it with Div LPT without any success. See thread
 
Old 01-07-2005, 21:34   #27 (permalink)
No Life Poster
 
evan_silbert's Avatar
 
Join Date: Feb 2003
Location: Boston
Posts: 5,027
Member: 21920
Status: Offline
Thanks Meter: 10
How did it kill a phone? I have never killed any SE phone by Fighter.
 
Old 01-07-2005, 23:11   #28 (permalink)
No Life Poster
 
Join Date: Jul 2004
Posts: 1,191
Member: 72567
Status: Offline
Thanks Meter: 8
It worked perfectly fine before flashing and now it isn't responding when flashing with Div LPT. It gives script error (see different thread). It's strange if the phone has hardware failure when flashing successfully with Div. Anyway it doesn't start up no matter what I do.
 
Old 01-08-2005, 06:40   #29 (permalink)
No Life Poster
 
anlog's Avatar
 
Join Date: Jan 2004
Location: Southern California, USA
Posts: 583
Member: 51190
Status: Offline
Thanks Meter: 0
Quote:
Originally Posted by MG77
It worked perfectly fine before flashing and now it isn't responding when flashing with Div LPT. It gives script error (see different thread). It's strange if the phone has hardware failure when flashing successfully with Div. Anyway it doesn't start up no matter what I do.

Calm down. The GDFS probably got corrupted or partially overwritten. Just do a full GDFS (or full AVR) backup from a good Z600, and flash it to the bad one. Don't forget to flash the matching firmware version to the ARM, rebuild the security zone, and finalize the GDFS.

While I personally don't have one, I'm sure someone here can get you a Z600 AVR backup...
 
Old 01-08-2005, 07:28   #30 (permalink)
No Life Poster
 
merwin's Avatar
 
Join Date: Dec 2003
Location: Seattle, WA USA
Age: 43
Posts: 615
Member: 47173
Status: Offline
Thanks Meter: 3
@evan
There is another software that has been made that will decrypt encrypted SE flash files via an EMMA smart card. That's how they get the official files. What I was mentioning was a method to read it from the phone if you so wish.
 
 
