
Hacking Android Phones for Forensics

David Webb

I am a student at the University of South Australia, in the Computer Science Honours program. Part of that degree program requires students to undertake two five-month research placements. My second placement was with a research lab focused on computer security and digital forensics. During my time with them, I unlocked the secure bootloader of the Nexus 4 Android phone using a minimally intrusive technique.

The goal of this project was to use whatever means necessary to get the phone to boot a custom bootloader, to enable the forensic recovery of data. Other methods of forensic acquisition include JTAG and storage device imaging. The JTAG method is usable for some devices, but it can be very time consuming, with transfer times in the order of tens of hours to extract an image of the storage device. Storage device imaging is a method by which the device under investigation is dismantled and the memory chip attached to a dedicated controller designed to extract its contents; this is impractical in many cases due to the cost and destructive nature of the procedure.

The target phone, the LG Nexus 4, has a previously identified security flaw, since patched by the manufacturer, that allows the bootloader unlock to be performed without the accompanying data wipe. Knowing that it had been possible at some point, I started to research a solution to the data wiping problem. After a short while, I discovered a thread on XDA Developers where software had been developed to unlock the bootloader without wiping the data (the first step towards ‘rooting’). By reverse engineering the software and following various posts on the XDA Developers forums, I was able to determine the change that was being written to the storage system. Step 1 complete: I knew what needed to change.

In the meantime, I researched methods of modifying the storage in the least intrusive way possible, which led me to the Riff Box, a proven JTAG black box primarily designed for repairing phones. Step 2 complete: I knew what to use to make the change.

Putting it all together was not quite as straightforward as it could have been. Because the storage device is addressed differently when written over JTAG than when it is accessed by software, I required a final puzzle piece: the partition-to-storage address mapping. Luckily, this could be read from the phone via the software included with the Riff Box. With a small amount of testing, I was able to confirm the offset in memory and create a simple-to-follow guide to allow any forensic investigator to unlock and boot custom firmware on the device. Unfortunately, that is where my placement ended: a single successful project. I would have liked to continue working and extend the method to more devices. Looking back, it would have been good to publish this research, but that did not happen.
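The final step described above, translating an offset inside a named partition into an absolute address on the storage device, is the one a forensic tool must get right before anything is written over JTAG, and it is also where a misread partition table does the most damage. The Python below is an added example, not the author's guide or the Riff Box software: it parses a GPT-style partition table (the layout most Android devices use; the Nexus 4's real table is not reproduced here) from a constructed image, verifies both CRC32 fields so a corrupted or partially read table is rejected before it is trusted, and computes the absolute byte address of an offset within a named partition, refusing offsets that fall outside that partition. The partition names, GUIDs and LBAs in the sample image are constructed for the example.

```python
import struct
import zlib

SECTOR = 512                              # logical block size assumed for the sample image
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"     # 92-byte GPT header, lives at LBA 1
GPT_ENTRY_FMT = "<16s16sQQQ72s"           # 128-byte partition entry
NUM_ENTRIES = 128


def _entry(type_guid, uniq_guid, first_lba, last_lba, name):
    """Pack one GPT partition entry; the name is UTF-16LE, null padded to 72 bytes."""
    return struct.pack(GPT_ENTRY_FMT, type_guid, uniq_guid, first_lba, last_lba, 0,
                       name.encode("utf-16-le"))


def build_sample_image():
    """Constructed 34-sector image: protective MBR area, GPT header, 32 sectors of entries.
    Every partition name, GUID and LBA here is made up for the example."""
    entries = b"".join([
        _entry(b"\x01" * 16, b"\x11" * 16, 34, 1057, "modem"),
        _entry(b"\x02" * 16, b"\x22" * 16, 1058, 3105, "misc"),
        _entry(b"\x03" * 16, b"\x33" * 16, 3106, 19489, "boot"),
    ])
    area = entries + b"\x00" * (NUM_ENTRIES * 128 - len(entries))
    entries_crc = zlib.crc32(area) & 0xFFFFFFFF
    # header CRC is computed with its own field zeroed, then patched in
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, 1_000_000, 34, 999_966,
              b"\x44" * 16, 2, NUM_ENTRIES, 128, entries_crc]
    fields[3] = zlib.crc32(struct.pack(GPT_HEADER_FMT, *fields)) & 0xFFFFFFFF
    image = bytearray(SECTOR * 34)
    image[SECTOR:SECTOR + 92] = struct.pack(GPT_HEADER_FMT, *fields)
    image[2 * SECTOR:2 * SECTOR + len(area)] = area
    return bytes(image)


def parse_gpt(image, sector_size=SECTOR):
    """Return [{name, first_lba, last_lba}, ...] from a raw image, rejecting any table
    whose signature or CRC32 fields do not check out."""
    raw = image[sector_size:sector_size + 92]
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first_usable, _last_usable,
     _disk_guid, entries_lba, n_entries, entry_size, entries_crc) = struct.unpack(GPT_HEADER_FMT, raw)
    if sig != b"EFI PART":
        raise ValueError("GPT signature not found at LBA 1")
    zeroed = raw[:16] + b"\x00\x00\x00\x00" + raw[20:hdr_size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    start = entries_lba * sector_size
    area = image[start:start + n_entries * entry_size]
    if zlib.crc32(area) & 0xFFFFFFFF != entries_crc:
        raise ValueError("GPT partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = area[i * entry_size:(i + 1) * entry_size]
        type_guid, _uniq, first, last, _attrs, name = struct.unpack(GPT_ENTRY_FMT, e[:128])
        if type_guid == b"\x00" * 16:      # unused slot
            continue
        parts.append({"name": name.decode("utf-16-le").rstrip("\x00"),
                      "first_lba": first, "last_lba": last})
    return parts


def partition_byte_offset(partitions, name, offset, sector_size=SECTOR):
    """Absolute byte address on the storage device of `offset` within partition `name`."""
    for p in partitions:
        if p["name"] == name:
            size = (p["last_lba"] - p["first_lba"] + 1) * sector_size
            if not 0 <= offset < size:
                raise ValueError(f"offset {offset} lies outside {name} ({size} bytes)")
            return p["first_lba"] * sector_size + offset
    raise KeyError(f"no partition named {name!r}")


def tamper_is_detected(image, byte_index):
    """Flip one bit at byte_index and report whether parse_gpt rejects the damaged table."""
    damaged = bytearray(image)
    damaged[byte_index] ^= 0x01
    try:
        parse_gpt(bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    img = build_sample_image()
    table = parse_gpt(img)
    for p in table:
        print(f"{p['name']:8s} LBA {p['first_lba']:>6d}..{p['last_lba']:>6d}")
    print("misc+0x10 ->", hex(partition_byte_offset(table, "misc", 0x10)))
    print("bit flip in entry array detected:", tamper_is_detected(img, 2 * SECTOR + 32))
```

The bounds check matters as much as the CRCs: a partition read back from a device with a different sector size or a different table revision would silently put the computed address in a neighbouring partition, and over JTAG there is no filesystem layer to notice.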