Android. MDM9K Radio Patching trouble. - Page 2 - GSM-Forum

the_laser · 01-14-2014, 00:00

all access to DDR come via External Bus Interface and EBI have own MPU.
this MPU configured from trustzone application and can only be disabled on chip reset.

so here we are again came to finding exploit in trustzone application .
and here is perfectly documented example

0xC0FFEE · 01-15-2014, 17:48

I heard that the modem code is uploaded by the linux kernel during kernel boot, so if you can compile a custom kernel which uploads a patched modem image to the DSP, or does not send the "disable EBI" trustzone command (if there's such a call anyway).

But if it's the bootloader who loads the modem code, all this is impossible, since the BL is signed. (And I've found some Qcomm documentations which says its the HLOS, which checks and uploads the modem image to the DSP). In this case, yes you have to find TrustZone exploits. That's not impossible, I know 3 different exploits for the Nokia BB5 trustzone implementations, and that's a pretty secure platform.

E:V:A · 02-04-2014, 08:54

This is for sure possible as this device (if it is MDM9200) is using SecureBoot2. Since (as the_laser also mentioned) we have bypassed in both SecureBoot3 versions here:

Unlocking the Motorola Bootloader

Exploiting Samsung Galaxy S4 Secure Boot

However, if your device is using 9215/25 or 9615/25 I don't know what SecureBoot verion those are using, but you could easily find out. [lazy] In any case, unless you're running latest (last year) firmware, it is very unlikely to be patched.

qdbdavid · 11-24-2017, 13:34

Can you help me to unlock a sharp phone?

sjames11501 · 11-24-2017, 22:12

Quote:

Originally Posted by qdbdavid

Can you help me to unlock a sharp phone?

Aren't all of the newer GSM Sharp phones factory unlocked?

qdbdavid · 11-25-2017, 16:21

Quote:

Originally Posted by sjames11501

Aren't all of the newer GSM Sharp phones factory unlocked?

None of them is unlocked by factory..Do you know how to unlock it ?

01-14-2014, 00:00	#16 (permalink)
the_laser No Life Poster Join Date: Feb 2002 Location: Russia Age: 44 Posts: 2,681 Member: 9519 Status: Offline Thanks Meter: 2,150	all access to DDR come via External Bus Interface and EBI have own MPU. this MPU configured from trustzone application and can only be disabled on chip reset. so here we are again came to finding exploit in trustzone application . and here is perfectly documented example

01-15-2014, 17:48	#17 (permalink)
0xC0FFEE Junior Member Join Date: Sep 2012 Location: RAM: 0x77E60000 Posts: 25 Member: 1810861 Status: Offline Thanks Meter: 6	I heard that the modem code is uploaded by the linux kernel during kernel boot, so if you can compile a custom kernel which uploads a patched modem image to the DSP, or does not send the "disable EBI" trustzone command (if there's such a call anyway). But if it's the bootloader who loads the modem code, all this is impossible, since the BL is signed. (And I've found some Qcomm documentations which says its the HLOS, which checks and uploads the modem image to the DSP). In this case, yes you have to find TrustZone exploits. That's not impossible, I know 3 different exploits for the Nokia BB5 trustzone implementations, and that's a pretty secure platform.

02-04-2014, 08:54	#18 (permalink)
E:V:A Insane Poster Join Date: Apr 2012 Posts: 93 Member: 1750726 Status: Offline Thanks Meter: 16	This is for sure possible as this device (if it is MDM9200) is using SecureBoot2. Since (as the_laser also mentioned) we have bypassed in both SecureBoot3 versions here: Unlocking the Motorola Bootloader Exploiting Samsung Galaxy S4 Secure Boot However, if your device is using 9215/25 or 9615/25 I don't know what SecureBoot verion those are using, but you could easily find out. [lazy] In any case, unless you're running latest (last year) firmware, it is very unlikely to be patched.

11-24-2017, 13:34	#19 (permalink)
qdbdavid Freak Poster Join Date: Apr 2017 Location: china Posts: 100 Member: 2709982 Status: Offline Sonork: 100.1677638 Thanks Meter: 1	Can you help me to unlock a sharp phone?