1. Gp2mv3
    Hi,
    I'm thinking about a root method (I don't know if it can be possible but I'm just asking). I'm aware of the limitations of the PlayBook (I mean what we can do without root) and I understand Unix and its security.
    So I was thinking about some privilege escalation with processes running as root. Because if there are critical issues in those processes, maybe we can use them to gain root access.
    I just tried to list those processes but didn't find anything with an outdated version or something obviously running as root...

    Except the update process. It's clear that this needs to be executed as root to copy the files onto the root of the PlayBook. So I'm simply asking, how does it work?
    Has someone tried to look at the update system?
    What is the type of file? I mean, yes it must be encrypted but, maybe it's only something like a big zip which is simply extracted? I don't know.

    So, can someone provide me more information?
    I'm not saying it's possible to root, just asking how it works.

    Thanks.
    08-08-13 07:13 AM
2. pkcable
    Many are trying, but since the last updates to the PB root seems to be impossible. BUT folks are trying. Hopefully someone will be along to answer your question shortly.
    08-08-13 09:18 AM
3. xsacha
    The type of the file is .bar. Yes, the OS is installed as an app.
    Inside the .bar is a .signed file. The .signed file is quite simply an information header + filesystem partition images + signatures (verifying the contents are from RIM).
    The filesystem partition image is QNX6.

    Basically the software update process checks the validity of the .bar signature to ensure it is from Research in Motion.
    Then the firmware installation process checks the validity of the .signed signature to ensure it is from Research in Motion and the contents match what it was signed for. Then it overwrites /dev/hd1 (staging partition) with the partition contained in the .signed file.

    Pretty simple really
    08-08-13 09:32 AM
4. MikePembo951
    Is there any way of faking the signatures? Surely there's a key somewhere? Occasionally stored in RAM?
    Could we somehow find/get the key?

    I'm not very OS-tech-savvy so forgive me if this question sounds stupid.
    08-08-13 01:57 PM
5. quackquack147
    Is there any way of faking the signatures? Surely there's a key somewhere? Occasionally stored in RAM?
    Could we somehow find/get the key?

    I'm not very OS-tech-savvy so forgive me if this question sounds stupid.
    It's inside the CPU, and that CPU is inside another CPU. I.e. it's stored in iROM, which is inside the Cortex-M3 CPU, which is inside the OMAP4430 HS CPU.
    Not in the RAM anyway. And this iROM is only ROZ, or read only zero. ;-) Questions? Feel free to ask. I will be posting a link soon. You can read it and ask or understand what's in there.
    Thanks!
    -paul
    08-08-13 02:07 PM
6. Gp2mv3
    If it's encrypted I'm pretty sure it's asymmetric cryptography so it'll be almost impossible to modify the signature...
    But I think it's a hash which is simply the same; without a collision it's pretty impossible to match it...

    The verification of the signature can't be client side? I mean I hope (for the security) that the PlayBook asks a BB server if the signature matches and if so, it returns the decrypt key to install it. No?
    If it's something like that, it will be difficult to pass over. Maybe with a fake server (a proxy?)...

    But I'm only stipulating, I'm not aware of the real process.
    The only question is: Why will it be in the CPU? It's a public key, only to decrypt the file, not to re-encrypt it...
    08-08-13 04:27 PM
7. xsacha
    Is there any way of faking the signatures? Surely there's a key somewhere? Occasionally stored in RAM?
    Could we somehow find/get the key?
    I'm not very OS-tech-savvy so forgive me if this question sounds stupid.
    No, there is no key stored anywhere on the device or the internet. It's on some internal server somewhere that no one has access to.
    This is how keys work. They are very secure, otherwise you couldn't do things like online banking.
    You can usually work out the key through brute force but this can take anywhere from 50 years to 100000 years.

    The verification of the signature can't be client side? I mean I hope (for the security) that the PlayBook asks a BB server if the signature matches and if so, it returns the decrypt key to install it. No?
    It's not encrypted. So no need to decrypt.

    The only question is: Why will it be in the CPU? It's a public key, only to decrypt the file, not to re-encrypt it...
    It's not. Ignore him.
    08-08-13 09:43 PM
8. Gp2mv3
    If it's not encrypted, how is the signature generated?
    I mean, it's a hash or something?
    And if it's server side, why not try something like a man in the middle with Wireshark to "intercept" the signature process?

    Because I think, if we can break this process and act like the server to give the green sign, we can do whatever we want...
    Am I right?

    Posted via CB10
    08-09-13 03:02 AM
9. Gran PC
    And if it's server side, why not try something like a man in the middle with Wireshark to "intercept" the signature process?
    The serverside part is signing the file. The day you can get a MITM on BlackBerry, I think 'intercepting' the signature is going to be the least of your concerns.
    08-09-13 04:41 AM
10. xsacha
    If it's not encrypted, how is the signature generated?
    I mean, it's a hash or something?
    And if it's server side, why not try something like a man in the middle with Wireshark to "intercept" the signature process?

    Because I think, if we can break this process and act like the server to give the green sign, we can do whatever we want...
    Am I right?
    The signing happens on their server at Blackberry. It's not communication, it can't be intercepted.
    When signing an app, all you get back is the end result.
    When getting a signed OS, it was signed before you got it.

    If you don't understand how this stuff works, there are some pretty detailed articles on Google and Wikipedia. It's not Blackberry-specific, everything uses this security.

    Posted via CB10
    08-09-13 05:07 AM
11. Gp2mv3
    No ok, I understood that but, if the signature is sent in the bar file, there is a moment you must verify it, right?
    So, how does it work? Is it like a hash of the files and then it re-signs it to compare the two signatures (and if so, there is a key somewhere in the device)?

    If I were at BB, I would have built a signature process on the client side but with something missing, like a decrypt key. When you receive the files, the device creates the signature, according to the files received, then it sends it to BB servers which compare it and if it's ok, give you the decrypt key to install everything.

    It's pretty unbreakable. But if it's not like that, why don't we try to recreate the key used to sign?
    I don't know if I'm clear, I hope so.
    08-09-13 05:17 AM
12. xsacha
    No ok, I understood that but, if the signature is sent in the bar file, there is a moment you must verify it, right?
    So, how does it work? Is it like a hash of the files and then it re-signs it to compare the two signatures (and if so, there is a key somewhere in the device)?

    If I were at BB, I would have built a signature process on the client side but with something missing, like a decrypt key. When you receive the files, the device creates the signature, according to the files received, then it sends it to BB servers which compare it and if it's ok, give you the decrypt key to install everything.

    It's pretty unbreakable. But if it's not like that, why don't we try to recreate the key used to sign?
    I don't know if I'm clear, I hope so.
    Verifying it does not require the original key. This is how keys work.
    The decrypt key is safe to share around.

    It may take about 100-1000 years to crack the key using a very fast supercomputer.

    Like I said, Google about how public and private keys work. It's very secure and everything uses this.
    08-09-13 05:29 AM
13. Gp2mv3
    Ok but what I don't get is: To compare the signature you get from BB with the files in the bar, you'll have to sign the files and then compare the signature with that, no?
    If so the key is somewhere...
    08-09-13 05:53 AM
14. xsacha
    No, you have the method to check the signature and not the method to sign it.
    A method that uses the same key to read and write would be entirely useless.

    Posted via CB10
    08-09-13 06:36 AM
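The point xsacha makes in posts 12 and 14 (the device holds only a verification key, so no signing key ever has to exist on it) is easiest to see in code. The following is an added illustration written for this thread, not code from the thread or from BlackBerry/RIM: it uses textbook RSA over SHA-256 with small constructed primes, a constructed "partition image" byte string, and a dictionary standing in for the /dev/hd1 staging partition from post 3. The real .signed format, algorithm and key sizes are not on this page and are not assumed here.

```python
"""Added example (not the thread's or RIM's code): textbook RSA sign/verify to
show that verifying a signed image needs only the PUBLIC key, while producing
a valid signature needs the PRIVATE key that stays on the signing server."""
import hashlib

# Constructed demo primes (Mersenne primes, far too small for real use).
P = 2**61 - 1
Q = 2**31 - 1
E = 65537  # common public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: modular inverse of e
    return (n, e), (n, d)


def _digest_as_int(data, n):
    """SHA-256 the data and reduce it into Z_n so it can be exponentiated."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    """Signing server side: needs the private exponent d."""
    n, d = private_key
    return pow(_digest_as_int(data, n), d, n)


def verify(public_key, data, signature):
    """Device side: needs only (n, e). Recomputes the digest of what it
    received and checks it against the signature raised to e."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(data, n)


def install_update(public_key, image, signature):
    """Model of the firmware installer from post 3: write to the staging
    partition only after the signature checks out against the built-in
    public key. The dict stands in for the real block device."""
    staging = {}
    if not verify(public_key, image, signature):
        return staging, "rejected"
    staging["/dev/hd1"] = image  # hypothetical stand-in for the partition write
    return staging, "installed"


if __name__ == "__main__":
    public, private = make_keypair()
    image = b"constructed QNX6 partition image bytes"
    sig = sign(private, image)  # happens on the signing server, not the device
    print(install_update(public, image, sig)[1])           # installed
    print(install_update(public, image + b"x", sig)[1])    # rejected: image changed
    print(install_update(public, image, sig ^ 1)[1])       # rejected: signature changed
```

Because the e-th power map is a permutation of Z_n, any signature other than the genuine one fails verification, and any change to the image changes its digest; the device never needs d to decide this. Textbook RSA without padding is shown here only to make the asymmetry visible; real signature schemes add padding (for example PSS) and use key sizes in the thousands of bits.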
15. Laforma
    perhaps you start reading here: Public-key cryptography - Wikipedia, the free encyclopedia

    it describes the method of signing with a private key and decrypting with a public key.
    08-09-13 06:40 AM
16. Gp2mv3
    Thanks, I'll read it.

    Posted via CB10
    08-09-13 06:45 AM