MotoMAGX Security
The Z6 has the following known security measures that are currently preventing progress with the hacking of the device. This stuff applies to the v8 and u9 also as far as I can tell. There may be other security measures not documented here that have yet to be discovered.
Contents |
Digital signatures
On the Z6, several key components of the system (including the ramdownloader, root filesystem, kernel and bootloaders) are digitally signed. New versions of these components cannot be loaded unless they are signed with the Motorola Z6 RSA private key that only Motorola have. The signature checks are somewhere in the bootloaders.
At the end of each signed code group is a signature block. Groups that do not have this signature are not checked, and a table exists in code group 31 (MEM_MAP) that holds which groups should be checked (i.e. removing the signature block does not stop the check.)
| Code Group | Signed? | Name (Mem Map) | Contents |
|---|---|---|---|
| 30 | Yes | mbm.img | Motorola Boot Manager (MBM) |
| 31(a) | Yes | mbmloader.img | Ramloader |
| 31(b) | Yes | cdt.bin | MEM_MAP (see below) |
| 32 | Yes | Baseband Bootloader | |
| 34 | Yes | lbl | Linux Boot Loader |
| 35 | Yes | zImage | Kernel |
| 36 | Yes | rootfs.img | Squashfs image mounted as / (root) |
| 37 | No | userfs.img | Jffs2 image mounted as /ezxlocal |
| 38 | No | pdsfs.img | Yaffs2 image mounted as /etc/pds |
| 41 | Yes | atags.img | Kernel boot parameters |
| 42 | No | logo.bin | Boot Logo |
| 43 | No | setup.img | Squashfs image mounted as /usr/setup |
| 44 | Yes | securesetup.img | Squashfs image mounted as /usr/securesetup |
| 45 | Yes | gsm_scmall_build.bin | Baseband software |
| 46 | Yes | language.img | Squashfs image mounted as /usr/language |
| 48 | No | mass_storage.img | Yaffs2 image mounted as /mnt/msc_int0
Contains a vfat img loop mounted as /ezxlocal/download/mystuff |
| 49 | Yes | usb_firm.bin | USB Firmware |
| 52 | No | resource.img | Squashfs image mounted as /usr/data_resource |
| 53 | No | kpanic | kernel panic dump |
| 54 | No | rsv | |
| 55 | No | mbmbackup.img | (Motorola Boot Manager backup?) |
| 56 | No | bploader.img | Baseband software boot loader |
MEM_MAP (Code Group 31)
Code group 31 holds a table referred to by the bootloader as MEM_MAP. For each codegroup, this table contains: code group number, name, start address, end address, signature type, signature start address. Both the Bootloader and Ramdownloader appear to check this table.
The Signature block appears to have a header and two similar sections approximately 388 bytes each. The first section looks related to the code group, that is, it the same for a code group regardless of content. The second differs between all code group files. Where there are differences between these blocks, they are only in 128-byte sections (the signature).
Allowed mounts
On the Z6, once the Motorola security module has initialized, only certain mounts can be triggered with the mount command, these are:
/dev/mmca1 /mmc/mmca1 vfat /dev/loop/0 /ezxlocal/download/mystuff vfat /dev/mtdblock/mass_storage /mnt/msc_int0 yaffs /dev/mtdblock/mass_storage /mnt/msc_int0 yaffs2 devpts /dev/pts devpts
This means you cannot remount the root filesystem (for example). Note that mounting the /dev/pts file for telnet purposes IS allowed, as is remounting the memory card and the ezxlocal mass storage areas with noexec disabled (i.e. you can then run apps from memcard and /ezxlocal/download/mystuff)
Some MTD mounting protection is hard-coded into the MTD drivers in the kernel, but there is a list of allowed mounts in the file /etc/allowed_mounts. This file is read by the /etc/initservices/services/mot_security.sh file and fed (via cat) to the motsecurity_sysfs.ko module (which provides a sysfs interface to the motsecurity driver in /security/motsecurity.c in the kernel source). Once mot_security.sh feeds the list of allowed mounts to motsecurity.c it sends a flag (via echo 1 > /sys/security/mounts_locked) to lock the allowed mounts list, preventing anyone else from updating it further. The lock can be read by manually inserting the module /lib/modules/motsecurity_sysfs.ko, but can not yet be set after the initial lock at startup.
This feature is controlled by CONFIG_MOT_SECURE_MOUNT in the kernel config.
Protected files, directories and apps
On the Z6, there are certain files & directories that can only be accessed by certain privileged apps (e.g. the apps for doing Windows Media DRM). The protected items are:
/etc/pds/janus/hashsdidmap.dat /etc/pds/janus/hashsdidmap.bak /etc/pds/security/ivtcounter.dat /etc/pds/security/ivtcounter.bak /etc/pds/security/ivtkey.dat /etc/pds/security/ivtkey.bak /etc/pds/security/keyring.dat /etc/pds/security/keyring.bak /etc/pds/security/keymaptable.dat /etc/pds/security/keymaptable.bak /etc/pds/security/janusCertTemplate.dat /etc/pds/security/janusCertTemplate.bak /etc/pds/security/janusDeviceCert.dat /etc/pds/security/janusDeviceCert.bak /etc/pds/security/ivt.dat /etc/pds/security/ivt.bak /ezxlocal/etc/tpa/bctr.dat /ezxlocal/etc/tpa/ivt.dat /ezxlocal/etc/tpa/ivt.temp /ezxlocal/etc/tpa/ivt.lock /ezxlocal/etc/tpa/keymgr.lock /ezxlocal/etc/tpa/tpa.log /ezxlocal/etc/tpa/persistent /ezxlocal/etc/tpa/persistent/ivtcounter.lock /ezxlocal/etc/tpa/persistent/ivtkey.lock /ezxlocal/etc/tpa/persistent/janusTimeStamp.dat /ezxlocal/etc/tpa/persistent/janusTimeStamp.bak /ezxlocal/etc/tpa/persistent/simPinStore.dat /ezxlocal/etc/tpa/persistent/simPinStore.bak /ezxlocal/etc/tpa/persistent/keyring.lock /ezxlocal/etc/tpa/persistent/keymaptable.lock /ezxlocal/etc/tpa/persistent/janusCertTemplate.lock /ezxlocal/etc/tpa/persistent/janusDeviceCert.lock /ezxlocal/etc/tpa/persistent/janusTimeStamp.lock /ezxlocal/etc/tpa/persistent/simPinStore.lock /ezxlocal/etc/tpa/persistent/ivt.lock /ezxlocal/etc/tpa/persistent/secclkJanusOffset.dat /ezxlocal/etc/tpa/persistent/secclkNitzOffset.dat /ezxlocal/etc/tpa/persistent/secclkAlarm.dat /ezxlocal/etc/tpa/persistent/secclkDrift.dat /ezxlocal/etc/tpa/persistent/secclkLastRtcVal.dat /ezxlocal/etc/tpa/persistent/secclkOMA2DRMOffset.dat /ezxlocal/etc/tpa/persistent/secclkUserOffset.dat /ezxlocal/etc/tpa/persistent/secclkJanusOffset.lock /ezxlocal/etc/tpa/persistent/secclkNitzOffset.lock /ezxlocal/etc/tpa/persistent/secclkAlarm.lock /ezxlocal/etc/tpa/persistent/secclkDrift.lock /ezxlocal/etc/tpa/persistent/secclkLastRtcVal.lock /ezxlocal/etc/tpa/persistent/secclkOMA2DRMOffset.lock /ezxlocal/etc/tpa/persistent/secclkUserOffset.lock /ezxlocal/etc/tpa/persistent/secclkJanusOffset.bak /ezxlocal/etc/tpa/persistent/secclkNitzOffset.bak /ezxlocal/etc/tpa/persistent/secclkAlarm.bak /ezxlocal/etc/tpa/persistent/secclkDrift.bak /ezxlocal/etc/tpa/persistent/secclkLastRtcVal.bak /ezxlocal/etc/tpa/persistent/secclkOMA2DRMOffset.bak /ezxlocal/etc/tpa/persistent/secclkUserOffset.bak /etc/pds/janus /etc/pds/security /ezxlocal/etc/tpa
The apps that have access to some or all of these files are:
/usr/local/bin/secclkd /bin/tcmd /bin/modem_services /usr/local/bin/generate_ivt /usr/bin/mediaplayer /usr/SYSqtapp/mediaplayer/mediaplayer /usr/bin/mfmsp/mfmsp /usr/SYSqtapp/mystuff/mystuff /usr/SYSjava/kvm /usr/SYSqtapp/mtp/mtpmgr /usr/SYSqtapp/messaging/messaging /usr/SYSqtapp/motosync/motosync /usr/SYSqtapp/email/email /usr/SYSqtapp/calendar/calendar
This is covered by /security/motsecurity.c in the kernel source and by CONFIG_MOT_FEAT_SECURE_CLOCK and CONFIG_MOT_FEAT_SECURE_DRM in the kernel config. It seems to be intended as a way to protect files related to the Windows Media DRM (including controlling who can set the "secure clock" so that DRM files that limit how long you can play them before they expire cant be tampered with)
Kernel module protection
On the Z6, the kernel module load code will only load a module if its SHA1 hash is in /etc/modules.hash. There is also code to make sure that it only works if /etc/modules.hash is on the root filesystem (to prevent use of chroot) /kernel/module.c has the code for this feature and CONFIG_MOT_FEAT_MODULE controls it.
