5 replies to this topic

[septaric]

I know more about computers than I do phones so I need some educating. What does the boot loader do that keeps you from going back to an earlier OS? Why can't it just be formatted like your HD on your PC and start from fresh? Maybe you need to explain the function of the boot loader. Thanks.

[ibolski]

There's this thing called Google. It can help a lot. More so than I can explain. Sent from my DROID RAZR HD using Tapatalk

[SamuriHL]

I don't really NEED to explain anything.  Now I get you're asking to be educated and I appreciate that, but, the tone of how you posted it is really off putting and sounds almost as if I owe you an explanation.  Not to mention this information is out there, if only you actually searched for it instead of demanding to be spoon fed.

 

Please Login or Register to see this Hidden Content

 

Start there.  Once you've understood that, continue reading.

 

Modern phones have a trusted zone partition.  This partition is a security layer that sits between the kernel and the physical hardware.  That means any time the kernel wants to do something with the hardware, it has to go through the trusted zone.  The trusted zone on the HD and M at one point had a security hole which allowed a rooted phone to execute the code in the trusted zone that unlocks the device without needing a security token.  That hole, as we all know, was closed thus preventing unlocks from taking place.

 

What you asked about is how phones disallow downgrading.  The bootloader plays a very small part in that.  When a phone boots up, there's an "aboot" partition that loads first.  It determines if the device should boot in secure or unsecure mode.  How it determines that varies from device to device.  On the HD and M, it's checking to see if a particular eFuse is blown...the one that the trusted zone blows when the unlock function is called.  If the device is determined to be unlocked, then the security chain is skipped and you're allowed to flash almost anything to your device.  Almost.  We'll get to the limitations in a minute.  If the device is locked, it boots up with the secure chain.  Bootloader  disallows flashing and loading of unsigned code.  This is what prevents you from flashing a custom recovery on a locked device.  In both cases, the trusted zone is active, however.  There are lots of reasons for this, but, the biggest is to prevent someone from flashing unsigned radios.

 

So the trusted zone is always enabled, even on unlocked devices.  This means that even on an unlocked phone, you can't downgrade the trusted zone partition.  Once it's updated, it stays updated.  Next up is the aboot and gpt partitions.  The gpt is the partition table which determines the location of all the partitions.  This was recently changed on the kitkat builds, for example.  Aboot has a part to play on some phones in determining what can and can't be flashed.  Same with GPT.  They contain a "security version" for all the partitions.  I've been able to determine that for locked HD/M's, it works like this:

 

GPT or aboot is updated, security table is increased for each partition.  After that point, no partition with a lower security version can be flashed else you soft brick the phone and end up in AP Fastboot mode with a security error.  My research has shown that something else also happens which is disturbing to me, to be honest.  Let's say you skip flashing aboot, gpt, and tz and only flash the partitions themselves.  In theory you should be able to downgrade on a locked device. I had someone test this theory.  It doesn't work as expected.  The reason is that the partitions contain the security version.  Once you flash, let's say, boot from a higher version, it will never let you flash a lower version boot partition.  Again, this is controlled via the secure boot chain, so there's no circumventing it.  You're not going to "trick it".  You're not going to unlock it.  You're not going to "crack the signature so you can sign your own code". Or any other crazy idea you may think you have for getting around it.  They're using 128 bit encryption for their signatures.  GLWT.  

 

That, in a nutshell, is a long detailed answer to your question.  Short answer....because the security prevents it.

[Thach]

Sam, that's one of the best in a nutshell explanations I've ever read and I mean that. Its got me wanting to read more about all this, looks like I know when I'm doing today.

Sent from my Droid MAXX

[livinginkaos]

Pin it

Sent from my S-Offed One M8

[themrgoats]

Despite the way the question may have been presented. I found that an interesting read. Thanks!