04-16-14 07:18 PM
  1. Samuele1996's Avatar
    Hi guys!

    BB 10.2.1 seems to be getting released, but there are a large number of leaks all around; so my idea is a bit "leak-oriented".

    Well, actually, I'd like to root (or at least to try it) the Android Runtime on BB 10.2.1 so we can remove app permissions (runtime is still unlocked, isn't it?).
    Well, let's start from this old thread:
    [BrainFart] Modify sys.android.bar for root and Google fw - BlackBerry Forums at CrackBerry.com
    Their problem was: we cannot sign it. Maybe I have got the solution: we don't need to sign it again, just change the SHA-512 hashes in /META-INF/AUTHOR.SF, /META-INF/MANIFEST.MF and /META-INF/RDK.SF (open the Android Runtime .bar file with WinRAR or similar). Would someone try it out? Now I can't because I'm working on another application (it will allow users to remotely connect to their BB through SSH; I am going to release it in a few days, I hope) and I have no time left.

    Let me know

    Samuele
    richjhewitt likes this.
    01-24-14 01:07 PM
  2. tickerguy's Avatar
    Uh, the signature has to match the file (or it won't work because the verification fails.)

    The signing is asymmetric cryptography (public key.) BlackBerry has the private key. The phone's firmware loader knows the public key (it's public.) Unless you have the private key, you can't generate a valid signature that will verify with the public key.

    That's the entire point of such a system -- to prevent the loading of corrupted firmware, whether the corruption happens accidentally or maliciously.
    Mecca EL and Kris Simundson like this.
    01-24-14 03:27 PM
  3. senel's Avatar
    Quite interesting idea!

    You can try to call the NSA or its alternative and ask them for one copy.

    I think that's not possible without the key at this moment.

    Posted via CB10
    01-24-14 03:31 PM
  4. Samuele1996's Avatar
    I think it's worth trying it

    Just try to modify the file, dump its SHA-256 again and override it in the three files

    After all, that's the only bar file which we can edit, other bars are encrypted

    Will someone try it out?

    Thanks

    Posted via CB10
    jmscountry likes this.
    01-25-14 12:13 AM
  5. MoTmrD's Avatar
    You can upload file
    01-25-14 09:55 AM
  6. Samuele1996's Avatar
    01-25-14 10:12 AM
  7. MoTmrD's Avatar
    change SHA-512 to ???

    Or Upload Files Editor
    01-25-14 10:18 AM
  8. Samuele1996's Avatar
    After you have modified the file you should SHA-256 dump it again and change the SHA-256 value to the new one

    Let me know and thank you

    Posted via CB10
    01-25-14 10:51 AM
  9. John Vieira's Avatar
    This is way over my head, but I'm interested in the progress.

    I think the best use for this is to modify android app permissions. Maybe set them up to run headless?

    via Z30 10.3.0.1337
    01-25-14 10:53 AM
  10. masterscarhead1's Avatar
    Mate, you can't change any files in the bar file
    The signature keeps a record of all the files and their size, etc....
    It's simply not possible. We've tried this eons ago.
    Author, manifest and RDK files are all "signed."
    If they don't match each other, for example, if the dates of the files are different than when it was built, then it will just detect an error.
    Seriously, this is a wild goose chase you are going on. I know you may have some computer background, but it seems you're relatively new to the forums.
    Some of the most knowledgeable have not been able to accomplish this. Short of hacking BlackBerry for the private key, you simply won't be able to accomplish signing a system file. Hell, even the Android ports with _sys_android_rrr couldn't be signed. That's why the debug method was required.
    01-25-14 10:57 AM
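    The signing chain tickerguy and masterscarhead1 describe, as an added example that is not from this thread or from BlackBerry: a JAR-style META-INF layout in which MANIFEST.MF digests every entry, a .SF file digests the manifest, and an RSA signature covers the .SF. The file names, the sample contents and the locally generated textbook-RSA key (standing in for the vendor's private key) are all constructed for the demo.

```python
"""Why re-hashing MANIFEST.MF and the .SF files does not defeat a signed archive.
Constructed demo: file -> MANIFEST.MF -> .SF -> RSA signature over the .SF."""
import base64, hashlib, random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; good enough for a throwaway demo key."""
    if n < 4: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d //= 2; r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def rsa_keygen(bits=320, e=65537):
    """Return (n, e, d). n (~640 bits) must exceed the 512-bit digest it signs."""
    def prime():
        while True:
            p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(p) and (p - 1) % e: return p
    p, q = prime(), prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def b64_sha512(data): return base64.b64encode(hashlib.sha512(data).digest()).decode()
def digest_int(text): return int.from_bytes(hashlib.sha512(text.encode()).digest(), "big")

def build_manifest(files):
    """MANIFEST.MF: one SHA-512 digest per archive entry."""
    return "".join(f"Name: {k}\nSHA-512-Digest: {b64_sha512(v)}\n\n" for k, v in sorted(files.items()))

def build_sf(manifest):
    """The .SF digests the whole manifest; the private-key signature covers this file."""
    return f"SHA-512-Digest-Manifest: {b64_sha512(manifest.encode())}\n"

def sign_sf(sf, d, n): return pow(digest_int(sf), d, n)   # textbook RSA, demo only

def verify(files, manifest, sf, sig, e, n):
    """Loader-side check: signature -> .SF -> manifest -> every file. Any broken link rejects."""
    if pow(sig, e, n) != digest_int(sf): return False
    return sf == build_sf(manifest) and manifest == build_manifest(files)

def demo():
    """Returns (original verifies, re-hashed edited copy verifies)."""
    n, e, d = rsa_keygen()
    files = {"app/bin/runtime": b"constructed vendor binary", "app/config.xml": b"<perms/>"}
    manifest = build_manifest(files); sf = build_sf(manifest); sig = sign_sf(sf, d, n)
    edited = dict(files, **{"app/config.xml": b"<perms none/>"})   # the thread's proposal
    e_manifest = build_manifest(edited); e_sf = build_sf(e_manifest)  # every digest recomputed
    return verify(files, manifest, sf, sig, e, n), verify(edited, e_manifest, e_sf, sig, e, n)
```

    Recomputing the digests makes the manifest and .SF internally consistent again, but the signature was computed over the old .SF, so the first check in verify() fails without the private key.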
  11. MoTmrD's Avatar
    After you have modified the file you should SHA-256 dump it again and change the SHA-256 value to the new one

    Let me know and thank you

    Posted via CB10
    Thx 3>
    01-25-14 10:58 AM
  12. MoTmrD's Avatar
    After you have modified the file you should SHA-256 dump it again and change the SHA-256 value to the new one

    Let me know and thank you



    Posted via CB10
    Please, do you have Skype?
    Last edited by MoTmrD; 01-25-14 at 11:30 AM.
    01-25-14 11:12 AM
  13. crazyyen's Avatar
    http://forums.crackberry.com/bb10-ti...device-830490/ Can't you use this as a guide and maybe mod it to your needs?
    01-25-14 11:14 AM
  14. masterscarhead1's Avatar
    OMG you guys are so thick
    No, you can't just load the file. Hell, you can't even modify it so it will install
    Dumping the file and editing it = changing it. Even if you modify SHA it will still count as a change.
    BB isn't stupid guys. Hell smarter guys have tried this (yes, I mean people who rooted BB before)
    If you wanna waste your time, be my guest. Be sure to report back on the idiocy and how much time you wasted in
    01-25-14 11:17 AM
  15. Johny 5's Avatar
    Changing the Android environment while it's loaded within the environment would be the most effective (probably the only way without a key or brute force attack). Finding an exploit and patching the RAM (within the environment) WOULD allow you to root the system until it was run again.

    Those saying it's IMPOSSIBLE... you're WRONG and don't know a thing about computer science... hacking something IS NEVER IMPOSSIBLE and if everyone thought the way they did we would never have new tech because it's "impossible".... such closed minded people frustrate me.

    I've opened a thread like this and was completely shot down already by close-minded people. These kinds of things should be encouraged and talked about, not people making insults. CrackBerry just isn't the place for that though... It's just a matter of doing it, and someone having that much time and being that intelligent, that's another story.

    Posted via CB10
    senel likes this.
    01-25-14 11:50 AM
  16. tickerguy's Avatar
    Now wait a minute, to be fair there's no guarantee that there wasn't a loophole accidentally left. Remember that the original Playbook was rooted via such a loophole.

    BlackBerry fixed it too though....
    Johny 5 likes this.
    01-25-14 11:50 AM
  17. Cobalt232's Avatar
    I support hacking blackberry OS in many ways, but trying to modify the file, dump its SHA-256 again and override it in the three files is simply hilarious.
    Johny 5, geodorn, eldricho and 1 others like this.
    01-25-14 12:27 PM
  18. Johny 5's Avatar
    Yeah.. editing an encrypted file is NOT the way to go... some real methods would be trying to overflow buffers, finding exploitable bugs in the OS, etc... editing a file changes its parity rendering it useless. Trying to resign it would be like trying to figure out the combination to a dozen safes all in one shot. That's not the way to go.

    Check out how Android is rooted (although they do permanent root, we might not be able to do that because it's all running in a sandbox that goes back to the "initial" state every time it's started). I'm not too familiar with cell phone rooting, but vulnerabilities can be found anywhere, even if it's not to do with BlackBerry itself.

    For example, multimedia has been an entry level for hacks, and the vulnerability doesn't necessarily lie within the OS but with the maker and the way the multimedia is read. Like the libtiff hacks and PDF hacks. BlackBerry reads both of those; if someone can find a bug in the way PDF or TIFF files (and/or MANY MANY other types of files) are read, then code injection *could* be possible at an admin/ROOT level.
    NinjaB likes this.
    01-25-14 03:14 PM
  19. anon1727506's Avatar
    Good luck guys!

    You might want to start with all the other attempts that have been done ever since the PlayBook was released. I'm not saying it isn't possible to find a hole in one of the past/current/future Android releases... Just that with the way that BB10 is locked down, before running the Android Player it looks for "changes" (errors or hacks).
    01-25-14 03:35 PM
  20. stitch69's Avatar
    What kind of sorcery is this? :/

    Posted via CB10
    Mecca EL likes this.
    01-25-14 03:43 PM
  21. Samuele1996's Avatar
    You guys may be right: actually, I didn't check to see if files were "cross-signed". I've developed a tool that allows you to SSH and SFTP connect to the BlackBerry Device (QNX Layer): it would be still under beta testing, but I think I'm gonna release it anyway XD (I'll let you know )

    Meanwhile, does someone of you know if there's a way for rooting Android (don't think about it into a sandbox, just Android) in "runtime"?

    P.S.: yeah, actually I want to remove Android app permissions XD

    Posted via CB10
    01-25-14 04:04 PM
  22. WJF84's Avatar
    You guys may be right: actually, I didn't check to see if files were "cross-signed". I've developed a tool that allows you to SSH and SFTP connect to the BlackBerry Device (QNX Layer): it would be still under beta testing, but I think I'm gonna release it anyway XD (I'll let you know )

    Meanwhile, does someone of you know if there's a way for rooting Android (don't think about it into a sandbox, just Android) in "runtime"?

    P.S.: yeah, actually I want to remove Android app permissions XD

    Posted via CB10
    It's been done...it's pointless...

    Posted via CB10
    Mecca EL likes this.
    01-25-14 04:17 PM
  23. ArmedHitman's Avatar
    Yeah.. editing an encrypted file is NOT the way to go... some real methods would be trying to overflow buffers, finding exploitable bugs in the OS, etc... editing a file changes its parity rendering it useless. Trying to resign it would be like trying to figure out the combination to a dozen safes all in one shot. That's not the way to go.

    Check out how Android is rooted (although they do permanent root, we might not be able to do that because it's all running in a sandbox that goes back to the "initial" state every time it's started). I'm not too familiar with cell phone rooting, but vulnerabilities can be found anywhere, even if it's not to do with BlackBerry itself.

    For example, multimedia has been an entry level for hacks, and the vulnerability doesn't necessarily lie within the OS but with the maker and the way the multimedia is read. Like the libtiff hacks and PDF hacks. BlackBerry reads both of those; if someone can find a bug in the way PDF or TIFF files (and/or MANY MANY other types of files) are read, then code injection *could* be possible at an admin/ROOT level.
    For overflows and other exploits... Just read this.

    10.2.1 - Root Android Runtime-blackberry.png

    I don't think hacking is impossible... It just needs to be done in the right way.

    Source: BlackBerry Documentation Page 95-96

    P.S. Read page 94... How the BlackBerry verifies every file with a BB private key, and the bootROM too. Btw, when I first got my BlackBerry in Feb 2013, I noticed a request from my phone when it searched for updates: the phone would report back to BlackBerry servers saying if the BOOTROM is compromised. I'm sure they'll hunt you down :\
    Johny 5, Mecca EL and NinjaB like this.
    01-25-14 04:21 PM
  24. anon8182988's Avatar
    The signature is created using a hash of the message block (data). Using the signature, a public key is generated at both ends (BlackBerry Signing Authority and device). So by changing the hash you compromise the integrity of the signature!!!

    The signature is verified by the system on load using proprietary algorithm ( multiple stages of RSA and AES256)

    The algorithm doesn't work this way!!!!! So OP don't bother!!!!



    Posted via CB10
    Mecca EL, Javid Gozalov and Uzi like this.
    01-25-14 04:29 PM
  25. ArmedHitman's Avatar
    The signature is created using a hash of the message block (data). Using the signature, a public key is generated at both ends (BlackBerry Signing Authority and device). So by changing the hash!!!!

    The signature is verified by the system on load using proprietary algorithm ( multiple stages of RSA and AES256)

    The algorithm doesn't work this way!!!!! So OP don't bother!!!!

    Posted via CB10
    Exactly! Says that in the book!
    01-25-14 04:31 PM