Global Sources
EE Times-India
Stay in touch with EE Times India
EE Times-India > Embedded

Comprehend phone and embedded security (Part 2)

Posted: 26 Jul 2012     Print Version  Bookmark and Share

Keywords:rooting  real time OS  flash bootloader 

One way to fool or trick the phone is to make the ROM bootloader think that it has an empty flash bootloader (by cutting a PCB track or short-circuiting flash power to ground—via Testpoint). This temporarily disrupts power to the flash chip, allowing ROM bootloader to run an external bootloader on the phone. This bypasses any security checks allowing complete visibility of almost everything including ESN and IMEI, as well as EEPROM and any valid keys. Now you have all you need. One can read and write the entire phone memory, replace security blocks and do pretty much anything, including removing the service provider lock.

The reason one needs the testpoint is that the flash bootloader won't let you download and run anything without a proper digital signature (and this signing uses complex encryption which is not easy to crack). So, it's easier to disable the bootloader than to try and forge the signature for an external bootloader. Unlike older generation phones, the latest phones have this protection and thus need a testpoint to be able to bypass this security. Part III of the series will focus on signed and locked bootloaders.

Unlock code
As mentioned before, unlocking is the act of persuading the firmware to no longer enforce carrier-specific restriction. It's a feature of the phone's firmware, designed to allow the owner to use their phone on whatever carrier's network they want. Locking is typically done by entering a "magic" number (or so called unlock code) into the phone's user interface, in a special screen that is usually accessed through an obscure, hidden or hard to find menu.

For the majority of cases, to find a working unlock code, one needs the following information:
 • Brand and Model number
 • Network: Network phone is locked to.
 • IMEI number: Unique number given to all mobile phones.

Then there are lot of websites that allow you to use the above information and provide an "unlock code." Some phones' unlock code is generated by a simple algorithm based on IMEI number (don't even use a) and b)) while some phones "unlock codes" are cryptographically derived from the phone's IMEI along with a secret or random code using asymmetric cipher, with the idea that the carrier (and the phone) knows the shared secret and so only the carrier can generate the unlock code upon request (i.e., expiry of the term). Some phones even go further (Blackberry in particular) and have a deeper level of locking that requires connection between the phone and a special piece of hardware to unlock.

There are even lots of apps like "SIM unlock" app on the Android market that allow one to enter an IMEI number and directly unlock the phone. However this may not work for all phones. Some phones just have signed and locked bootloader and are too hard to unlock. One way is to break into the phone hardware and bypass the bootloader that checks the signature (see previous section).

It is important to understand the concept of a signed, locked and encrypted bootloader that will be described in Part 3, and is also the basis of next-generation security platforms for embedded devices, which is covered in Part 4.

About the author
Mohit Arora is a Sr. Systems engineer and Security Architect at Freescale Semiconductor. He is responsible for product and architecture definition for 32bit industrial and general-purpose parts. "Embedded Security" is one of his main expertise and focus areas and he also leads the Security IP Asset team in AISG (Automotive Industrial and Solution Group). He holds more than 35 publications and is also the author of the book "The Art of Hardware Architecture."

To download the PDF version of this article, click here.

 First Page Previous Page 1 • 2 • 3

Comment on "Comprehend phone and embedded securi..."
*  You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.


Go to top             Connect on Facebook      Follow us on Twitter      Follow us on Orkut

Back to Top