
There's plenty of room for bugs in a mechanism like that. For example, the Motorola Droid (back in 2010) was locked and only accepted signed updates. There was a bug where you could bypass it by using an authentic update and appending your payload at the end of that file.


Interesting, can you point me to a news article or link? Shouldn't that have been rejected as an improperly signed file, as (update+payload) should have a different signature than (update)? I want to know whether I'm misinterpreting something, misunderstanding something, or the signatures were misimplemented.


The original forum where it was posted doesn't exist anymore and there doesn't seem to be an archived copy.

Here's another page which is describing the steps: http://www.areacellphone.com/2009/12/motorola-droid-rooted-h...

Here is the commit with a bug fix: http://review.source.android.com/12807

and actual diff: https://android-review.googlesource.com/#/c/12807/1/verifier...


Only the header was signed – that was the issue. It was made to save computational power on the device.
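
The class of flaw discussed in this thread, as an added example that is not part of the thread or of Android's code: a constructed container (`UPD1` header, tag, body) in which HMAC-SHA256 stands in for the vendor's public-key signature. The format, key and all function names are assumptions; it contrasts a verifier whose tag covers only the header with one that covers every byte and enforces the declared length.

```python
import hashlib
import hmac
import struct

MAGIC = b"UPD1"                  # constructed container format, not Android's
HEADER = struct.Struct(">4sI")   # magic, declared body length
TAG_LEN = 32                     # HMAC-SHA256 stands in for a real signature

def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def sign(key: bytes, body: bytes, whole_file: bool) -> bytes:
    """Build header || tag || body; the tag covers the header only or everything."""
    header = HEADER.pack(MAGIC, len(body))
    covered = header + body if whole_file else header
    return header + _tag(key, covered) + body

def _split(blob: bytes):
    if len(blob) < HEADER.size + TAG_LEN:
        raise ValueError("truncated update")
    header = blob[:HEADER.size]
    tag = blob[HEADER.size:HEADER.size + TAG_LEN]
    body = blob[HEADER.size + TAG_LEN:]
    magic, declared = HEADER.unpack(header)
    if magic != MAGIC:
        raise ValueError("bad magic")
    return header, tag, body, declared

def verify_header_only(key: bytes, blob: bytes) -> bool:
    """Flawed check: authenticates the header and never looks at the body."""
    header, tag, _body, _declared = _split(blob)
    return hmac.compare_digest(tag, _tag(key, header))

def verify_whole_file(key: bytes, blob: bytes) -> bool:
    """Hardened check: length must match and the tag covers every byte."""
    header, tag, body, declared = _split(blob)
    if len(body) != declared:
        return False             # trailing or missing bytes
    return hmac.compare_digest(tag, _tag(key, header + body))

KEY = b"constructed-demo-key"             # constructed sample key
APPENDED = b"UNSIGNED-TRAILING-BYTES"     # constructed sample data

def demo() -> tuple:
    weak = sign(KEY, b"official update", whole_file=False)
    strong = sign(KEY, b"official update", whole_file=True)
    return (verify_header_only(KEY, weak + APPENDED),    # flawed: accepted
            verify_whole_file(KEY, strong),              # untouched: accepted
            verify_whole_file(KEY, strong + APPENDED))   # modified: rejected
```

Running `demo()` against your own verifier's equivalent of these three inputs is a quick regression check that every byte the installer will consume is inside the authenticated region.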



