Decompiling boot.img and recovery.img

Moderator: Revue Mod

joedeveloper
1.5 Cupcake
Posts: 62
Joined: Tue Aug 02, 2011 9:22 am

Decompiling boot.img and recovery.img

Post by joedeveloper »

Appears this isn't going to go so well. Previous versions were easily decompiled by unsquashing the boot.img and removing some junk from the recovery.img and then unsquashing it to get the files.

Looks like boot.img and recovery.img are now encrypted or in a format I don't recognize because I can't unpackage them.

Let's see what we can figure out if anyone wants to go at it.
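A first triage step for images like the ones described above, added here as an example and not code from this thread or from Logitech: scan the blob for known container magics at any offset (the earlier recovery.img needed junk stripped before unsquashing, so the header need not be at offset 0), measure byte entropy, and carve a squashfs filesystem out if one is found. It assumes the squashfs v4 superblock layout (image length as a little-endian u64 at offset 40 from the magic); the sample inputs at the bottom are constructed, not real Revue images. The entropy check carries the caveat the post glosses over: a headerless compressed payload has the same near-8-bits-per-byte profile as ciphertext, so high entropy alone does not prove encryption.

```python
#!/usr/bin/env python3
"""Triage an unknown firmware image: look for known container headers at any
offset, measure byte entropy, and carve a squashfs v4 image if one is found.

Added example; not from the Logitech Revue thread or any Logitech tool."""
import hashlib
import math
import struct
from collections import Counter

# Magic values taken from the respective public format specs.
MAGICS = {
    b"ANDROID!": "Android boot image header",
    b"hsqs": "squashfs superblock (little-endian)",
    b"sqsh": "squashfs superblock (big-endian)",
    b"\x1f\x8b\x08": "gzip stream (deflate)",
    b"\xfd7zXZ\x00": "xz stream",
    b"\x7fELF": "ELF binary",
    b"070701": "cpio newc archive (initramfs)",
    b"PK\x03\x04": "zip archive",
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_magics(data: bytes):
    """Return (offset, description) for every known magic, sorted by offset."""
    hits = []
    for magic, name in MAGICS.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve_squashfs(data: bytes, offset: int):
    """Slice a little-endian squashfs v4 image out of `data` at `offset`.

    Assumption: v4 superblock layout, version_major at +28 and bytes_used
    (image length) as a u64 at +40. Returns None if that does not hold.
    """
    if data[offset:offset + 4] != b"hsqs" or len(data) < offset + 48:
        return None
    (major,) = struct.unpack_from("<H", data, offset + 28)
    (bytes_used,) = struct.unpack_from("<Q", data, offset + 40)
    if major != 4 or bytes_used == 0 or offset + bytes_used > len(data):
        return None
    return data[offset:offset + bytes_used]


def classify(data: bytes) -> dict:
    """Summarise what the blob looks like and what to try next."""
    hits = find_magics(data)
    h = entropy(data)
    if hits:
        verdict = "known container found; carve at the reported offset"
    elif h > 7.9:
        # High entropy alone does not prove encryption: a compressed payload
        # with its container header stripped looks exactly the same.
        verdict = "no known header; high entropy (encrypted or headerless compressed)"
    else:
        verdict = "no known header; low entropy (structured or plaintext data)"
    return {"entropy": round(h, 3), "magics": hits, "verdict": verdict}


# --- Constructed sample inputs (not real Logitech images) -------------------

def sample_with_junk() -> bytes:
    """100 junk bytes, then a minimal squashfs v4 superblock plus payload."""
    bytes_used = 64
    sb = struct.pack("<4sIIIIHHHHHHqq", b"hsqs", 1, 0, 131072, 0,
                     1, 17, 0, 1, 4, 0, 0, bytes_used)
    return b"JUNK" * 25 + sb + b"\x00" * (bytes_used - len(sb)) + b"TRAIL"


def sample_opaque(n: int = 8192) -> bytes:
    """Deterministic pseudo-random bytes standing in for an opaque blob."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_with_junk()
    report = classify(blob)
    print(report)
    for off, name in report["magics"]:
        if name.startswith("squashfs superblock (little"):
            fs = carve_squashfs(blob, off)
            if fs:
                print(f"squashfs at offset {off}: {len(fs)} bytes carved")
```

Run it as `python3 triage.py boot.img`; with no argument it runs over the constructed sample. Carved output can be handed to `unsquashfs` directly, and a "no known header; high entropy" result is the point at which to stop guessing at formats and look at how the image is consumed on the device instead.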
Itsjusttim
Android 1.0
Posts: 22
Joined: Mon Aug 01, 2011 9:33 pm

Re: Decompiling boot.img and recovery.img

Post by Itsjusttim »

Thank you for the update. Hopefully someone will have better luck with it.
Chinpokomon
Android 1.0
Posts: 36
Joined: Mon Aug 01, 2011 10:13 pm

Re: Decompiling boot.img and recovery.img

Post by Chinpokomon »

It occurs to me, while researching the CE4150, that maybe this is an understated capability of the "Secure Boot" feature of the CE4150. Maybe the CE4150 is decrypting the boot and recovery images on the fly using its built-in RAM. If so, that leaves little exposure for us to actually crack what is going on. Even when the system is up to speed and running, we wouldn't be able to decrypt the images, because the public keys are never revealed external to the SoC. Of course, the private keys are kept to Logitech, so we have little hope of discovering those and signing/encrypting our own images.

This is one tough nut to crack.
danger-rat
Contributor
Posts: 45
Joined: Thu Jul 28, 2011 9:49 pm

Re: Decompiling boot.img and recovery.img

Post by danger-rat »

Taking a look at the 3.1 update zip, and more specifically the install script, about midway into the install there are the following lines:

assert(package_extract_file(logitech_ka5.cefdk, /tmp/cefdk5.img, package_extract_file("recovery.img", "/tmp/recovery.img"));

It appears to me that this step is extracting images from the listed files?
Would it be possible to take a look at the extracted files?

I know the images probably get deleted after install (couldn't see anything in the update script), but since rooted, UART-enabled devices can install unsigned zips, wouldn't it be possible to package an update zip that extracted these files and then stopped, leaving the extracted files intact in the /tmp folder?

Just a thought...?
Chinpokomon
Android 1.0
Posts: 36
Joined: Mon Aug 01, 2011 10:13 pm

Re: Decompiling boot.img and recovery.img

Post by Chinpokomon »

danger-rat wrote:Taking a look at the 3.1 update zip, and more specifically the install script, about midway into the install there are the following lines:

assert(package_extract_file(logitech_ka5.cefdk, /tmp/cefdk5.img, package_extract_file("recovery.img", "/tmp/recovery.img"));

It appears to me that this step is extracting images from the listed files?
Would it be possible to take a look at the extracted files?
Well, that sort of confirms things... from this source: http://www.aminocom.com/download.php?6f ... 439435363/
 At the reset, the secured CEFDK program is activated. CEFDK is a small software module very similar to a BIOS on a PC.
 The phase one of the CEFDK is validated by the security processor of the SoC before execution. This phase is executed entirely in the RAM of the secured processor. If this phase fails, the SoC stops booting otherwise the entire RAM is cleaned and the integrity of the phase 2 of CEFDK is checked before loading.
 Validated phase 2 of the secured CEFDK is then activated. This configures the various hardware and activates the extra security feature of the SoC, although this is only possible if phase 1 has not previously locked the security sub system. The integrity of the next phase boot loader – Redboot - is verified before loading and activating it.
 Redboot is a boot loader widely used in the embedded world to extend the capability of the CEFDK to support a recovery Linux automatic load and activation.
...
 The secured Redboot checks the availability and the integrity of a valid Linux default kernel and a recovery kernel on the hard-drive or Flash memory. Any other file integrity checks are done by the loaded Linux kernel.

 If a valid default kernel is found, it is launched otherwise the valid recovery kernel is launched. The recovery kernel is only capable of reinstalling a standard default kernel from a pre-defined known source.
This leads me to conclude that logitech_ka5.cefdk is the boot image, and secured by the CE4150.