brute_force_OEM_UNLOCK_BOOTLOADER_motoX-2014.cmd

while searching for something else, i found an old misguided attempt at unlocking my previous phone: the motorola x - 2014 edition. its bootloader is protected by a rather lengthy 20-digit alphanumeric unlock code, and you can only reach the bootloader by first turning off your phone completely, then holding down the volume down button and the power button at the same time. once your phone starts you will see a mostly black screen that indicates you've arrived at the bootloader interface. be careful what you do here as you can potentially erase your entire phone (especially if the oem_unlock code works, which won't be the case 99.999% of the time if you are using this script!)

C:\> motox_bootloader_bruteforce.cmd

@ECHO OFF
REM this script requires adb and fastboot
REM download from https://androiddatahost.com/bnjkh
REM the phone must already be sitting on the bootloader (fastboot) screen
SETLOCAL EnableDelayedExpansion
SET _RNDLength=20
SET _Alphanumeric=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

REM work out the alphabet length (36) with the usual batch strlen trick
SET _Str=%_Alphanumeric%987654321
SET _Len=0
:_LenLoop
IF NOT "%_Str:~18%"=="" SET _Str=%_Str:~9%& SET /A _Len+=9& GOTO :_LenLoop
SET _tmp=%_Str:~9,1%
SET /A _Len=_Len+_tmp

:_Fix
REM start a fresh candidate code
SET _count=0
SET _RndAlphaNum=

:_loop
REM append one random character from the alphabet until _RNDLength have been picked
SET /A _count+=1
SET /A _RND=%RANDOM% %% _Len
SET _RndAlphaNum=!_RndAlphaNum!!_Alphanumeric:~%_RND%,1!
IF !_count! LSS %_RNDLength% GOTO :_loop

REM try the candidate; fastboot reports a failure for a wrong code, then we loop forever
fastboot oem unlock !_RndAlphaNum!
GOTO :_Fix

open notepad, paste the script above into a file and save it as: C:\motox_bootloader_bruteforce.cmd (requires: minimal adb and fastboot)

i eventually abandoned this misguided attempt after discovering that there was some shady vendor in asia that was selling unrestricted access to the moto x (all editions) unlock codes in exchange for sending them $20 via paypal, your current imei, and waiting 24 hours for them to crack the unlock code and send it to you.

this is when i first had the idea to attempt to solve this with a good old fashioned software bruteforce of the unlock code string, as i imagined the asian vendor's method must have done in some way. i soon realized however that it was much, much too slow (like, orders of magnitude slower than needed) to work effectively within human time scales.

so i went back to the drawing board. i ran the simulations in my head.. what kind of access would i require to unlock the bootloader? companies get hacked all the time (mr robot anyone?) and rarely, if ever, do they report the event unless the persons responsible are successfully located and the story can be spun in the company's favor. as expected, as all sovereign nations (and by extension corporations, boards and other businesses) will always act in their own best interests, and more often than not the company's best interests are to just cover it up, deny all knowledge and hire some private blue team netsec guys to figure it out on the super low low.. like sign this NDA before we proceed low low.

so, i thought, the vendor in asia must either have leaked documents from motorola or had access to the kind of insight into the bootloader that only a developer of it would have.. potentially even both. this is the path of least resistance in this scenario as i see it: someone leaked the documents (intentionally or through negligence) and someone who knew what they were got their hands on them and used them to reverse engineer a method to generate valid bootloader unlock codes. probably got their hands on a developer/test private key or found some software vulnerability in the documents. yes, i'd say that this has the highest probability of being very close to what actually went down to be able to sell oem_unlock keys for my motorola phone, but there are still many other potential ways to get to this same point.

another would involve no special access or knowledge. it could be that some engineer or developer who specialized in the mobile phone bootloaders commonly used by android phones (perhaps even someone who contributes to the open source community that these proprietary bootloaders often share code bases with) was tinkering with some code and discovered a serious vulnerability in it. or (more commonly) they found a few nests of smaller vulnerabilities that, when chained together, can be combined in such a way as to create a much more serious flaw that turns out to be greater than the sum of its parts.

using this method they reverse engineered a way to flash arbitrary imeis onto multiple motorola phones. they then designed a flashing / cracking software system that a sturdy gaming-level desktop pc or dedicated server could run at an efficient speed in hashes/sec. then, as i imagine the slowest part of the process is the phones themselves (there's an arbitrary wait period cooked into each attempt), they connected a max of 127 phones to the desktop and ran 127 instances of the distributed cracking program: one for each android phone connected over usb. after around 24 hours of this: out pops a valid oem_unlock code. again, this is just one of many possibilities.

as i write this i've thought of another, perhaps easier (in some ways, depending on the vuln) path to accomplishing this same feat.

perhaps instead of defeating the code in parallel they defeated it by exploiting the rate limit the bootloader enforces on each password attempt. if you can emulate the bootloader you could potentially accomplish this task, but bootloaders aren't often happy about being emulated when they have to verify sensitive information. perhaps the asian vendor gained access to a developer phone that did not have this restriction and just used that.. or perhaps they did indeed defeat the rate limit by exploiting some vulnerability in the code. we may never know.
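a quick way to put numbers on the "orders of magnitude" problem above, for both the single phone running the script and the hypothetical 127-phone rig. this is an added example, not part of the original post: the alphabet and code length come from the script, the 127 phones and the 24-hour window from the text, and the one second per attempt is an assumption, since the real bootloader wait period is not given.

```python
# Added example, not from the original post: feasibility of the brute-force
# paths discussed above. Alphabet and code length come from the batch script,
# the 127-phone rig and the 24-hour window from the text; seconds_per_attempt
# is an ASSUMPTION, since the bootloader's real wait period is not given.
from math import expm1, log1p

ALPHABET_SIZE = 36   # A-Z plus 0-9, the script's _Alphanumeric
CODE_LENGTH = 20     # the 20-digit unlock code


def keyspace(alphabet_size: int = ALPHABET_SIZE, length: int = CODE_LENGTH) -> int:
    """Number of possible unlock codes (36**20, about 1.3e31)."""
    return alphabet_size ** length


def attempts_in_window(phones: int, seconds_per_attempt: float, hours: float) -> int:
    """Total guesses a rig of `phones` devices can make in `hours`."""
    return int(phones * hours * 3600 / seconds_per_attempt)


def success_probability(attempts: int, space: int) -> float:
    """P(at least one hit) when guessing WITH replacement, which is what the
    script does (it never remembers earlier guesses): 1 - (1 - 1/N)**k.
    Uses log1p/expm1 because 1 - 1/N rounds to exactly 1.0 in a float once
    N ~ 1e31, so the naive formula would wrongly return 0."""
    return -expm1(attempts * log1p(-1.0 / space))


def expected_years(space: int, phones: int, seconds_per_attempt: float) -> float:
    """Mean time to the first hit with replacement: N guesses on average
    (exhaustive enumeration would need N/2, still hopeless at this size)."""
    guesses_per_second = phones / seconds_per_attempt
    return space / guesses_per_second / (365 * 24 * 3600)


def feasibility(phones: int = 127, seconds_per_attempt: float = 1.0,
                hours: float = 24.0) -> dict:
    """Summarise one scenario; 1 s per attempt is an optimistic assumption."""
    space = keyspace()
    k = attempts_in_window(phones, seconds_per_attempt, hours)
    return {"keyspace": space, "attempts": k,
            "p_success": success_probability(k, space),
            "expected_years": expected_years(space, phones, seconds_per_attempt)}


if __name__ == "__main__":
    for phones in (1, 127):   # the single phone in the script vs the 127-phone rig
        r = feasibility(phones=phones)
        print(f"{phones:>3} phone(s), 24 h: {r['attempts']:,} guesses, "
              f"P(success) {r['p_success']:.1e}, expected {r['expected_years']:.1e} years")
```

even with 127 phones and no wait at all beyond one second, the chance of a hit inside 24 hours is below 1e-23, which is why a leaked key or portal access is the more plausible explanation for a 24-hour turnaround.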

another path would be that they gained access to the motorola support portal web app, which has access to the system that unlocks valid developer phones by imei. they could have accomplished this by spear phishing, a vuln in the platform they are using, buying the password on the dark web.. too many ways really. then they got their hands on a valid login and password to an account that is authorized to unlock any phone and.... the rest is history. this is also very likely as social engineering is unbelievably effective sometimes.

anyway, later still, motorola was bought from google by lenovo (1/2014, lenovo was formerly dell) and in all of the confusion the support staff for the website that used to give out codes to those people who paid the extra $150 for the "unlocked" developer edition.. well, they seemingly started to give out unlock codes to anyone who asked in the forums and eventually (i assume as a cost cutting measure for their support people) they just allowed anyone with an imei for any of their phones to request an unlock code.. and i know because i asked.. and received. even later, this is where i unlocked my refurbished moto x generation 2 and gen 3 phones (i'm so clumsy when i've had a few).

nick giotis

linux sysadmin/devops w/occasional moonlighting into netsec & full stack development 💯✝️🇺🇸🇬🇷🇮🇪🏴