# fre3vo: IRC with @agrabren and #teamwin



## liquidjesus

Here is a pretty good transcript of what was discussed tonight. Some stuff is missing, full transcript may be posted later.

[19:38] <@agrabren> So there are a couple of big questions, and sadly, a few we can't answer yet.
[19:40] <@agrabren> Yes, I called it fre3vo. In tribute to Shift.
[19:41] <@agrabren> It utilizes a hole we found in the software on the EVO 3D.
[19:42] <@agrabren> The reason we're being so secretive about the hole is because we don't want forced OTAs to close it.
[19:42] <@agrabren> It's a serious security vulnerability, beyond the scope of getting root.
[19:42] <@agrabren> As for the "violent" nature of it, we found a hole and tossed in a grenade.
[19:42] <@agrabren> Blew my phone to s***.
[19:43] <@agrabren> But in blowing it to s***, we confirmed that we had, in fact, found a way in that we could exploit.
[19:43] <@agrabren> After a factory reset of the device (I managed to get Android to only mount /data as ro. Let me tell you, this *will* f*** you up)
[19:44] <@agrabren> We stepped back into the hole with flashlights.
[19:44]<@agrabren> After a lot of snooping around inside the guts, I found a way to get adbd to run as root.
[19:44] <@agrabren> What devices will this work on? Well, the EVO 3D. We believe it will work on the Sensation 4G.
[19:45] <@agrabren> I don't believe this particular hole will work on the old sense 1.0 devices.
[19:47] <@agrabren> Is this specific to android or could it be used on generic linux os's? We can't answer this question at this time.
[19:48] <@agrabren> The reason we can't answer is we really want everyone to be able to take advantage of the hole, instead of it being patched.
[19:48] <@agrabren> We're talking days at most.
[19:49] <@agrabren> It should apply to some other devices, but there will be work on a device-by-device basis.
[19:50]<@agrabren> We don't know exactly how similar the devices are in the software, so we don't know if the internal offsets are different.
[19:51] <@agrabren> We are using a smart algorithm for protecting the devices from things going wrong. It only exploits if everything checks out.
[19:53] <@agrabren> We haven't talked with anyone about this stuff yet.
[19:54] <@agrabren> I do actually have a real job, as well as a family.
[19:55] <@agrabren> So, let's go ahead with questions...
[19:56] <+momentdroid> i'll ask the question basically everyone wants to hear, eta? lol
[19:56] <@agrabren> The ETA is likely this weekend. Probably late weekend.
[19:58] <@agrabren> Will this exploit cause damage: No. I don't like dangerous.
[20:02] <@agrabren> Can this exploit be reversed? Because we're only talking temp-root, it is reverted on reboot.
[20:02] <@agrabren> When we get to perm root, that will also be reversable.
[20:02] <@agrabren> My next work is to help unlock the device.
[20:05] <@agrabren> We don't believe it will work on the EVO 4G.
[20:06] <@agrabren> The exploit will be first sent to the vendors involved for them to fix before the rest of the world.
[20:07] <@agrabren> Sensation 4G: We believe it will work there. I need a person in North Austin willing to help with this, since I don't have one.
[20:07] <@agrabren> Otherwise, it will happen after the EVO 3D one comes out.
[20:10] <@agrabren> Joshua, I was looking for you to field all the questions on s-off, and what nand-locked devices are like.
[20:10] <@agrabren> Short of "where are we at for s-off".
[20:11] <@joshua_> Sure. This device is eMMC, and also has a signed bootloaer. This means that S-OFF is a ways further out than just soft root.
[20:11] <@joshua_> I can answer from my experience working closely with the AlphaRev X team that S-OFF on Sensation is goign to be harder than previous devices we've worked with.
[20:11] <@joshua_> I think EVO 3D is very similar to Sensation, so I suspect the same to be true there.
[20:12] <@joshua_> Someone asked me what eMMC is: Older phones (EVO 4G) are based on NAND flash; eMMC is a different type of flash.
[20:12] <@joshua_> eMMC has different types of write protection that we haven't worked with before.
[20:13] <@agrabren> And we plan to work together to solve some of these issues.
[20:15] <@agrabren> you think this particular exploit will eventually lead to s-off, or is it too early to tell?
[20:15] <@agrabren> (Sending this one to joshua_
[20:15] <@joshua_> agrabren, the AlphaRevX exploit requires userspace root, and that was one of the big things holding it back on gbread
[20:16] <@joshua_> so I guess the short answer is "yes, this will pave the way, but no guarantees"
[20:16] <@joshua_> "it doesn't directly make it possible, but it makes it not impossible"
[20:16] <@agrabren> Eyeballer: Please field the often question: Can we be beta testers, how do we join #teamwin?
[20:16] <@joshua_> I'll open the floor up for more questions in a moment. Please try to keep them related.
[20:17] <@eyeballer> agrabren: seems to be the question of the day =P
[20:18] <@eyeballer> #teamwin was formed back when shinzul and toastcfh were working on reverse engineering wimax from sense to aosp .. since then we've built up a pretty comprehensive group of people with a range of talents.. at this time we're pretty close and closed..
[20:19] <@eyeballer> we believe in close controlled testing and then wipe public release so we'll probably follow a similar method here
[20:19] <@agrabren> The exploit will come, with or without more stuff.
[20:20] <@joshua_> dragonfyre13 asked a good question: should other people working on developing exploits continue? The answer is 'absolutely' -- we will need them some day (well, hopefully not, but...).
[20:20] <@agrabren> As for continuing looking for holes: You're welcome to, but this has no real damage to anything else on the phone.
[20:21] <@joshua_> Someone suggested trying to trade the exploit with HTC: that's called extortion, and is bad for the community as a whole. Everyone obviously would love to work with HTC to build a platform to develop on, but bargaining with exploits is not how to do it.
[20:21] <@agrabren> If I reboot, what happens: Well, right now, it's temp root and it's gone. We're hoping by this weekend to have it sticky, and running Titanium Backup
[20:21] <@agrabren> Any changes to /system at this time will definitely revert.
[20:22] <@agrabren> Joshua: whats the difference between unlocked and s-off?
[20:23] <@joshua_> S-OFF used to refer to a specific configuration in which the radio told hboot that it was "OK" to flash anything it wanted, essentially.
[20:23] <@joshua_> (It also would refer to an ENG hboot.)
[20:23] <@joshua_> On eMMC, that state no longer exists.
[20:23] <@agrabren> OTA: Risky. Until we crack the nand lock and get S-OFF, it's possible for HTC to make things different or harder with a new HBOOT.
[20:24] <@joshua_> unlocked is not really a term that applies to CDMA phones; in general, it refers to the ability to put a SIM card from a differnet carrier into your phone. the "NAND lock", or write protection, or anything like that does apply, and refers to being able to write /system
[20:24] <@joshua_> (I think that's needed for Cyanogen.)
[20:26] <@eyeballer> [23:26:28] <lowetax> any malware concerns with this hole ?
[20:26] <@joshua_> Yes.
[20:27] <@agrabren> Yes. Any security hole that gives a user elevated permissions is a malware concern.
[20:28] <@eyeballer> oblivion2k> will we lose radio, wimax, hboot, etc with this root method?
[20:28] <@eyeballer> with just temp root, no
[20:28] <@eyeballer> unless you try to mess with those things yourself
[20:28] <@joshua_> agrabren, By the way, traditionally, unrevoked's policy is to report to vendors holes that appear to be 'intentional' (see skyagent), but to package and protect vulnerabilities like that the best we can.
[20:29] <@agrabren> This was a non-intentional hole.
[20:30] <@joshua_> Yeah. Traditionally, unrevoked just packs and protects that sort of thing until someone finally reverses them.
[20:30] <@joshua_> We'd love to be able to do the responsible disclosure thing, but this is an arms race...
[20:30] <@joshua_> We'd love to be able to do the responsible disclosure thing, but this is an arms race...
[20:30] <@zule> htc created the arms race, we just fight fair
[20:31] <@joshua_> (on the 'really bad' things, we do indeed do responsible disclosure insstead)
[20:32] <@agrabren> Hopefully, we've answered the majority of questions people keep asking.
[20:32] <@joshua_> Please don't ask for more details beyond what agrabren's provided so far.
[20:33] <@agrabren> We promise, info will be flowing. But we wanted to let people know, it has happened.
[20:33] <@agrabren> Thanks for everyone's time, and making me feel special.
[20:33] <@agrabren> I appreciate all the positive responses we've gotten! #teamwin!!!


----------

