[Samuele1996]

Hi guys!

BB 10.2.1 seems is getting released, but there's all around a large number of leaks; then, my idea is a bit "leak-oriented"

Well, actually, I'd like to root (or at least to try it) the Android Runtime on BB 10.2.1 so we can remove app permissions (runtime is still unlocked, isn't it?).
Well, let's start from this old thread:
[BrainFart] Modify sys.android.bar for root and Google fw - BlackBerry Forums at CrackBerry.com
Their problem was: we cannot signing it. Maybe I have got the solution: we don't need to sign it again, just change SHA-512 hashes in /META-INF/AUTHOR.SF, /META-INF/MANIFEST.MF and /META-INF/RDK.SF (open Android Runtime .bar file with WinRAR o similar ). Would someone try it out? Now I can't because I'm working on another application (it will allow users to remotely-connect to their BB throught SSH, I am going to release it in a few days I hope) and I have no time left.

Let me know

Samuele

[tickerguy]

Uh, the signature has to match the file (or it won't work because the verification fails.)

The signing is asymmetric cryptography (public key.) BlackBerry has the private key. The phone's firmware loader knows the public key (it's public.) Unless you have the private key, you can't generate a valid signature that will verify with the public key.

That's the entire point of such a system -- to prevent the loading of corrupted firmware, whether the corruption happens accidentally or maliciously.

[senel]

Quite interesting idea!

You can try to call NSA or it's alternative and ask them for one copy.

I think that's not possible without key at this moment.

Posted via CB10

[Samuele1996]

I think it's worth trying it

Just try to modify the file, dump its SHA-256 again and override it in the three files

After all, that's the only bar file which we can edit, other bars are encrypted

Will someone try it out?

Thanks

Posted via CB10

[MoTmrD]

You can upload file

[Samuele1996]

Here it is the link
http://cdn.fs.sl.blackberry.com/fs/q...-v7+signed.bar

[MoTmrD]

change SHA-512 to ???

Or Upload Files Editor

[Samuele1996]

After you have modified the file you should SHA-256 dump it again and change the SHA-256 value to the new one

Let me know and thank you

Posted via CB10

[John Vieira]

This is way over my head, but I'm interested in the progress.

I think the best use for this is to modify android app permissions. Maybe set them up to run headless?

via Z30 10.3.0.1337

[masterscarhead1]

Mate, you can't change any files in the bar file
The signature keeps a record of all the files and their size, etc....
It's simply not possible. We've tried this eons ago.
Author, manifest and RDK files are all "signed."
If they don't match each other, for example, if the date of the files are different than when it was built, then it will just detect an error
Seriously, this is a wild goose chase you are going on. I know you may have some computer background, but it seems you're relatively new to the forums.
Some of the most knowledgable have not been able to accomplish this. Short of hacking BlackBerry for the private key, you simply won't be able to accomplish signing a system file. Hell, even the android ports with _sys_android_rrr couldn't be signed. That's why the debug method was required.

[MoTmrD]

After you have modified the file you should SHA-256 dump it again and change the SHA-256 value to the new one

Let me know and thank you

Posted via CB10

Thx 3>

[MoTmrD]

After you have modified the file you should SHA-256 dump it again and change the SHA-256 value to the new one

Let me know and thank you



Posted via CB10

Please you have skype

[crazyyen]

http://forums.crackberry.com/bb10-ti...device-830490/ cant you use this as a guide and maybe mod it too your needs?

[masterscarhead1]

OMG you guys are so thick
No, you can't just load the file. Hell, you can't even modify it so it will install
Dumping the file and editing it = changing it. Even if you modify SHA it will still count as a change.
BB isn't stupid guys. Hell smarter guys have tried this (yes, I mean people who rooted BB before)
If you wanna waste your time, be my guest. Be sure to report back on the idiocrasy and how much time you wasted in

[Johny 5]

Changing the android environment while it's loaded within the environment would be the most effective (probably the only way without a key or brute force attack). Finding an exploit and patching the ram (within the environment) WOULD allow you to root the system until it was ran again.

Those saying it's IMPOSSIBLE... you're WRONG and don't know a thing about computer science... hacking something IS NEVER IMPOSSIBLE and if everyone thought the way they did we would never have new tech because it's "impossible".... such closed minded people frustrate me.

I've opened a thread like this and was completely shot down already by close minded people these kind of things should be encouraged and talked about. Not people making insults. Crackberry just isn't the place for that though... It's just a matter of doing it and someone having that much time and be that intelligent, that's another story.

Posted via CB10

[tickerguy]

Now wait a minute, to be fair there's no guarantee that there wasn't a loophole accidentally left. Remember that the original Playbook was rooted via such a loophole.

BlackBerry fixed it too though....

[Cobalt232]

I support hacking blackberry OS in many ways, but trying to modify the file, dump its SHA-256 again and override it in the three files is simply hilarious.

[Johny 5]

Yeah.. editing an encrypted file is NOT the way to go... some real methods would be trying to overflow buffers, finding exploitable bugs in the OS, etc... editing a file changes its parity rendering it useless. Trying to resign it would be like trying to figure out the combination to a dozen safes all in one shot. That's not the way to go.

Check out how android is rooted (although they do permanent root, we might not be able to do that because its all running in a sandbox that goes back to the "initial" state every time it's started). I'm not too familiar with cell phone rooting, but vulnerabilities can be found anywhere even if its not to do with Blackberry it's self.

For example multimedia has been an entry level for hacks and the vulnerability doesn't necessarily lie within the OS but with the maker and the way the multimedia is read. Like the libtiff hacks and pdf hacks. Blackberry reads both of those if someone can find a bug in the way pdf or tiff files (and/or MANY MANY other types of files) are read then code injection *could* be possible at a admin/ROOT level.

[Dunt Dunt Dunt]

Good luck guys!

You might want to start with all the other attempts that have been done ever since the PlayBook was released. I'm not saying it isn't possible to finds a hole in on of the past/current/future Android releases... Just that with the way that BB10 is locked down and that before running the Android Player it looks for "changes" (errors or hacks).

[stitch69]

What kind of sorcery is this? :/

Posted via CB10

[Samuele1996]

You guy may be right: actually, I didn't checked to see if files were "cross-signed". I've developed a tool that allows you to SSH and SFTP connect to the BlackBerry Device (QNX Layer): it would be still under beta testing, but I think I'm gonna release it however XD (I'll let you know )

Meanwhile, does someone of you know if there's a way for rooting Android (don't think about it into a sandbox, just Android) in "runtime"?

P.S.: yeah, actually I want to remove Android app permissions XD

Posted via CB10

[WJF84]

You guy may be right: actually, I didn't checked to see if files were "cross-signed". I've developed a tool that allows you to SSH and SFTP connect to the BlackBerry Device (QNX Layer): it would be still under beta testing, but I think I'm gonna release it however XD (I'll let you know )

Meanwhile, does someone of you know if there's a way for rooting Android (don't think about it into a sandbox, just Android) in "runtime"?

P.S.: yeah, actually I want to remove Android app permissions XD

Posted via CB10

It's been done...it's pointless...

Posted via CB10

[ArmedHitman]

Yeah.. editing an encrypted file is NOT the way to go... some real methods would be trying to overflow buffers, finding exploitable bugs in the OS, etc... editing a file changes its parity rendering it useless. Trying to resign it would be like trying to figure out the combination to a dozen safes all in one shot. That's not the way to go.

Check out how android is rooted (although they do permanent root, we might not be able to do that because its all running in a sandbox that goes back to the "initial" state every time it's started). I'm not too familiar with cell phone rooting, but vulnerabilities can be found anywhere even if its not to do with Blackberry it's self.

For example multimedia has been an entry level for hacks and the vulnerability doesn't necessarily lie within the OS but with the maker and the way the multimedia is read. Like the libtiff hacks and pdf hacks. Blackberry reads both of those if someone can find a bug in the way pdf or tiff files (and/or MANY MANY other types of files) are read then code injection *could* be possible at a admin/ROOT level.

For overflows and other exploits... Just read this.



I don't thinking hacking is impossible... Just needs to be done in the right way

Source: BlackBerry Documentation Page 95-96

P.S Read page 94... How the BlackBerry verifies every file with a BB private key and the bootROM too Btw when I first got my BlackBerry in Feb 2013... I noticed a request from my phone when it searched for updates, the phone would report back to BlackBerry servers saying if the BOOTROM is compromised. I'm sure they'll hunt you down :\

[anon8182988]

Signature is created using Hash of the message block (data) Using the signature a public key is generated at both ends (BlackBerry Signing Authority and device) So by changing the hash u compromise the integrity of the signature!!!

The signature is verified by the system on load using proprietary algorithm ( multiple stages of RSA and AES256)

The algorithm doesn't work this way!!!!! So OP don't bother!!!!



Posted via CB10

[ArmedHitman]

Signature is created using Hash of the message block (data) Using the signature a public key is generated at both ends (BlackBerry Signing Authority and device) So by changing the hash!!!!

The signature is verified by the system on load using proprietary algorithm ( multiple stages of RSA and AES256)

The algorithm doesn't work this way!!!!! So OP don't bother!!!!

Posted via CB10

Exactly! Says that in the book!