Share this Story

Dan Rosenberg Unlocks Moto X Bootloader, Says Almost All Snapdragon Devices are Vulnerable (Updated)

The Blackhat 2014 conference is taking place this week in Las Vegas, a conference which Dan Rosenberg, the man responsible for exposing numerous security exploits on Android devices, is speaking at. You may recall his previous work that unlocked the bootloader of a number of Motorola DROID devices, something that developers had attempted for years to try and accomplish without success.

When Rosenberg (@djrbliss) first popped up on the list of Blackhat conference speakers with a topic that was to conclude by discussing an unpublished security exploit “including a live demonstration of using it to permanently unlock the bootloader of a major Android phone,” we were certainly interested. His talk happened last night, and according to those at the conference, he successfully unlocked the bootloader of the Moto X on stage. 

The security vulnerability was discovered in ARM’s TrustZone, which Qualcomm uses as a “system-wide approach to security” on devices using its Snapdragon processors. According to Rosenberg, this vulnerability exists in “all known Android devices that support TrustZone and utilize a Qualcomm Snapdragon SoC.” Well, except for the Galaxy S5 and HTC One (M8), both of which have been patched. Rosenberg also notes in a written report about the exploit that many more devices may have been patched by now through software updates. He first wrote this report up on July 1, but is only now showing it off a month later.

As for the Moto X being used to demonstrate his findings, this could mean that Motorola has yet to patch it. Then again, we have seen a number of updates arrive for Motorola devices within the last few weeks, most of which involve security on some level.

Other vulnerable devices specifically noted in this report include the Galaxy S4, Galaxy Note 3, Nexus 4, Nexus 5, G2, and original HTC One (M7).

So what does this mean for the future of unlocking your current phone? Well, it could mean nothing. As mentioned above, Dan wrote up his report on July 1, so manufacturers could have (likely have) seen it already. Since devices like the Galaxy S5 and One (M8) have been patched, it could mean that others will be patched (if they haven’t been already) before long. We would also need to Dan to release the full exploit and method, which I do not believe he has done, other than with a description of how it works. I sort of doubt that he is going to put together a 1-click button for making this happen. Instead, it will be up to other developers to take his findings and make some magic happen.

His report has been posted here.

Update:  Qualcomm reached out to us with the following statement–

“Qualcomm Technologies takes the security of its products very seriously and invests to identify and address security vulnerabilities in our software before it’s made available to customers. We’re aware of this issue and have already made available software updates for our impacted customers to address the reported vulnerabilities.”

Via:  Blackhat | reddit
Cheers Tristan and Bryan!
  • Thank you for this wonderful subject who advised me a lot
    best games for android

  • Sebastian Jena

    For the f*cks sake, how You can know that he WON’T release it? You guys wrote it as You had already known everything… At least You would allow to believe… I want to finally fully unlock my G2 without using old bootloader+loki, and that exploit is what I was waiting for. I You don’t know anything, then don’t write it. I have read on reddit that he’ll release it on weeks.

  • bigachx

    Dan is a freaking god! Someone give him a medal already!

  • Brandon

    Will this unlock the bootloader of the Note 3 but leave Knox at 0x0? Doesn’t matter to me because I tripped mine, just curious.

    • Christian Trevor Clauss

      You can’t use TriangleAway to reset it?

      • André Berry

        Nope, counter cannot be reset

      • Brandon

        Nope, sadly it’s not that easy. No one has figured out a way to do it so far, although it is possible to do because people have sent their phones in for repair with it tripped and gotten it back without it being tripped, same hardware.

  • Guest

    One more reason to go with IPhone, their bootloader’s are fully secured in addition to optimized OS & superior hardware.

    • chansterrrr

      Why are you even on this site if you are just going to spout your fanboyism?

      • Guest

        lol, you attack like this when you don’t have anything constructive to say

        • Mike

          There’s nothing to say, you’re trolling, why feed it?

        • chansterrrr

          When people start using certain diction such as “superior,” I know there is no discussion to be made. Whatever I say, you will just say something in return that is probably more of an opinion than fact. Then you will start throwing something about sales and finally end it with “bahaha, whatever, enjoy your inferior phone.”

  • Rodeojones000

    While manufactures may indeed send out OTA updates to patch this, many of us rooted users don’t take OTAs for that very reason.

    • Mike

      Exactly, as stupid as it sounds, avoiding security/OTA updates is your only way to guarantee unlocking your bootloader using this exploit, if it is ever released.

  • bboyairwreck

    Now about that Droid X… lol

    • Big EZ

      Even with just root that’s still my overall favorite device.

    • Detonation

      I’ve got CM11 on mine.

  • Chris Bice

    Please tell us it will work on ultra/MAXX… It should , since the phones are practically identical in the hardware sense

  • Luxferro

    There’s a PDF version of it here http://blackhat.com/docs/us-14/materials/us-14-Rosenberg-Reflections-On-Trusting-TrustZone-WP.pdf incase anyone was trying to read the images linked in the article.

  • kdub

    Verizon S4 still on MDK but would love to have s-off.

  • NorCalGuy

    No way an exploit to unlock the nexus 4 and 5…adb reboot bootloader….adb unlockbootloader…exploit complete

    • Mike

      You don’t understand the posting of this then. It’s a security flaw which could be used by hackers to unlock the bootloader on your phone to gain personal information. That’s why some of these guys do it, not to hack phones but to let company’s know to increase their security.

      • NorCalGuy

        I understand perfectly what i am saying is that reguardless of the hack or security flaw the ability to unlock the bootloader is alreay there and a majoity of the people who buy the nexus line of phones will be unlocking the phone anyways. So unless this hack can be accomplised ota then it is really no differnet than unlocking it yourself. Also unless this is the first unlock to not delete the contents of the phone i would be surprised so not sure what said hacker could gain except a piece of hardware

        • Mike

          Except when unlocking it yourself it completely blows away any personal data, therefor if you lose your Nexus and someone finds it but you have the proper security in place, adb unlock bootloader won’t allow them to see any of your data since it will be wiped. With an exploit like this they will have free roam to your data no matter what security you put in place. (Basically what you said in your last sentence except this wouldn’t wipe user data)

          And since you seem pretty intelligent, you should know that for best security you never unlock your bootloader.

  • Raven

    All your base are belong to us!

  • TheRunner024

    I’m glad I bought the Developer Edition.

    • needa

      too bad it could not be customized.

  • kevin

    Now let’s use this to open my note 3

  • objektiv_one

    LG G3? or did they patch it?

  • mcdonsco

    Along these lines (sort of), anyone know of a GOOD stock AOSP ROM for the G2 (VZW variant) that is STABLE and really works well?

    There are a ton out there, tried a few, all unstable in some way (even cm11, seems the caretaker for the vs980 went Mia and navigation doesn’t work and it locks up regularly so even CM suggest not using it right now).

    Just want STOCK RELIABLE GLITCH FREE 4.4.2 (or .3 / .4) on this thing!

    • Nate
    • j

      I’d like some more info here too. Just purchased a G2 and it will be rooted as soon as I open the box. Been running clean AOSP + gravitybox for far too long to change it up 🙂

    • needa

      the moto x was absolutely perfect, i mean perfect, on 4.2.2. then 4.4 ruined it. you might try to backtrack through posts and find one. if the g2 ever had 4.2.2.

    • Matt

      I’m using JackpotClavin’s CM11 build on mine. It’s based off of the 4.4 OTA, unlike the official CM11 nightlies, which are based off of 4.2. It’s been even more stable than Mahdi for me, and he keeps it updated pretty regularly.

  • bboyairwreck

    Oh Hey! I’d love some Cyanogen Mod on my Droid Maxx ^_^ But also I have been pretty happy with what Motorola has given me out of the box tho. Atleast… when it had 48 hour battery life. But props to Dan Rosenberg! Dan is the man! Anyone who thrives device security are heros.

    • mcdonsco

      Maxx is virtually stock to begin with? Only thing I would need/want on a maxx is root for hotspot.

      If it weren’t for the camera on the maxx id go back to it for the stock android on it now…but that damn camera.

      • bboyairwreck

        Yeah… that camera xD

  • DanSan

    this is pretty legit, especially if it works with more than just with the Moto X. i know there a bunch of S4 owners who are no longer on the MDK bootloader who are dying to unlock the bootloader.

    not sure why more haven’t done it but my brother got his verizon moto x bootloader unlocked a few months ago. there was a guy from china giving the unlock codes. I think he might have an inside source giving him the codes hence why there isn’t a tool to do it. guy emailed my brother a code, he put it in and boom completely unlocked and full root installed.

    • Mike

      Tried this with my Maxx but no devices from 2013 build dates will work, bought mine October of last year.

  • SamuriHL

    None of the Motorola 4.4.4 updates have updated the TZ. At least not in the FXZ’s for them. That includes the 2013 Droids and the VZW X update. We’ll see if the AT&T, Sprint, and T-Mobile 4.4.4 updates touch the TZ.

    • Mike

      It sounds like you did a lot more digging than I did, but on my Maxx on 4.4.4 (21.11.21 update), the build date was June 18th. In Dan’s paperwork (Dated July 1st), he states that all phones other than the S5 and HTC One should be exploitable without being patched.

      Either way, I could very soon be one happy Maxx owner.

      • SamuriHL

        I have a collection of FXZ’s kicking around for my tool development so I took a look. None of the FXZ’s contain the TZ partition at all, so, Moto doesn’t seem to have patched it. The TZ partition IS contained in some of the OTA’s but I have to believe it’s the same one that’s been in previous releases. I don’t know if Dan is going to release the exploit he created or not. Sounds like it was just a proof of what can be done. The details of his exploit are out there, though, so other devs are looking at it now.

  • mcdonsco

    Still waiting for the day someone takes this to court for devices purchased at full retail to be able to request and have the boot loader unlocked on the device they own.

    Of course OEM’s would then say “warranty would be void” but I’d be okay with that as I’m sure others would be too…most of the time if the phone works fine out of the gate it will continue to do so.

    One day maybe.

    Imagine being able to buy any android phone you want and IMMEDIATELY being able to run stock android on it that day…would be so nice.

    • sirmipsalot

      If this were to happen, the carriers wouldn’t necessarily have to allow the device on their network. (OK, Verizon probably would given the open-access requirements of the 700 MHz spectrum they use). So while it’s possible that you could get a ruling that the OEMs have to give you bootloader-unlock access to the device (if bought from the handset OEM, for example – thus, not subsidized), most of the carriers could at least theoretically turn around and have some onerous “security checkin” requirement on the device to continue accessing their network after initial handshake. I’d like to see such a ruling, but honestly, it’d probably just escalate the arms race.

      • Jason B

        Doubtful, as the Nexus phones/tablets are already allowed on U.S. carriers (but only the N7 2013 is usable in band 4 AWS Verizon areas) and various Dev Edition phones too.

        Basically, if it’s already been certified by the FCC for its usable radio frequencies and tested thoroughly, it shouldn’t be blocked from access. The wireless carriers are using OUR frequencies anyways.

        • sirmipsalot

          Licensing FCC spectrum does not have the open-access requirements you’re talking about, except in the notable exception of Verizon’s 700 MHz block. Just because it has been granted access in the past does not mean that it will always be that way. Nothing actually requires them to do this, legally. FCC certification of a device means absolutely nothing about whether a carrier has to accept it (or accept it ‘equally’) on to their network. If this was true, frequency-compliant CDMA devices would have to be granted access on to compatible CDMA networks, but of course that isn’t true. FCC device certification only means that it complies with FCC regs and is compatible with the networks it claims to be.
          There are various potential technical countermeasures to connecting a non-blessed device to a network, even on GSM – including traffic-shaping.

          • Jason B

            You’re thinking about it way too much. Basically, wireless carriers want to make money by providing their services. If they disallow bootloader unlocked devices and alienate customers, it wouldn’t be viable, especially as more and more people want control over the devices they rightfully own. So, sure, in the short-term, some could block access, but once that gets out, the company in question may permanently damage its reputation in the process after the small, but vocal minority speak out and request action.

            And CDMA is a closed-source technology, so that’s not a good analogy. GSM is open.

            While Verizon has an open access clause for C-block, it doesn’t disallow them from “certifying” devices and preventing you from registering said device on their network (unless you already have a SIM with an active account). The fiasco with the Nexus 7 LTE proved that.

          • sirmipsalot

            You’re overestimating how many customers even know what an unlocked bootloader is, and you’re vastly underestimating the track record of the carriers when it comes to asserting and attempting to maintain control of their networks.
            Thanks for bringing up the Verizon/N7 fiasco. The exact same situation could happen on any GSM carrier if they so chose, as could any variants thereof. GSM being an open technology means absolutely squat with respect to any carrier building additional software layering above it.
            The small but vocal minority you’re talking about has been railing against Verizon for how long? And yet these comments pages are full of people sticking with them and begging for their precious instead of speaking with their wallets. Even among this minority, there’s no actual impact on business practices.

          • hoosiercub88

            This has nothing to do with CDMA. Sprint allows the Nexus 5 on their network.

          • acras

            You keep bringing up the 700 MHz spectrum open access requirement and saying that is the exception, that Verizon has to allow access. Verizon specifically ignored that requirement with the LTE Nexus 7 for 6 months so they could push out their crappy 7″ tablet before “approving” the N7 for their network. Verizon will be the LAST carrier to allow unlocked devices on their network. Case in point, list the carriers that you can run the Nexus 5 on. Theres one missing…

          • sirmipsalot

            Verizon specifically was sued over the N7 LTE fiasco. But it’s a great example of how a carrier can technically comply with the regulations (even though it’s dragging things out) yet still be miserable for customers.

            And the N5 isn’t usable on Verizon because, among other things, Verizon also has a CDMA requirement in addition to its use of the regulated LTE block. The entire reason the N7 even could/would work on Verizon’s LTE is that it had no CDMA component at all, and its connectivity was *solely* on the (regulated) LTE block. Take that away, and there wouldn’t have been a Verizon-compatible N7, either. People are speculating that VoLTE will suddenly bring open-access of all devices to Verizon. That’s still a long way off, and the practicality of that (given that Verizon is also using less-regulated spectrum for LTE now, too) is unclear for customers.

  • d0min0

    damn dan is the man! he should have made a list of all the phones that was possible and told the romming community first so we can go out and snatch up the phone we want and be ready!

    • hoosiercub88

      By the time he actually released something, it’ll all be patched anyways.

      I’m on 4.4.4 on my Moto X and I’ve pretty well given up on ever having a simple, reliable root method.

  • j

    Just give us the friggen option. If you want to void our warranties, that’s fine.

  • chris_johns

    that droid hd was a sexy phone

    • Lucas Tanos

      I think its a great example of a phone made for last. The materials and the look was great, I hope motorola made another version.

  • PhoenixPath

    Wake me when I can S-Off my replacement HTC One M7.

    Cracked my screen and they sent me a new one (Yay HTC!), but I cannot for the life of me get this one to S-Off (Boo HTC!).

    My old one worked in one shot. My M8 was S-off just a few short minutes after I got it home. This one…is killing me.


    Cannot do a full conversion without S-Off… /frustrated.

    • Ralph Bretz

      Didn’t JCase send out a tweet today saying that SunShine would work on the M7?

      • PhoenixPath

        Linkage?? Hasn’t worked as recently as a week ago… Would gladly pay the $25 to unlock this thing.

  • chris_johns

    um…why not release to the roming community first before doing this :'(

    • j

      He’s parlaying his knowledge into bigger and better things by displaying it at the conference. ROM communities don’t pay. Mega corporations with security vulnerabilities do.

  • yummy

    Scary smart, scan that code!

  • stang68

    I just want to easily root my Verizon Moto X…

    • Nathan Borup

      Look into Pie root

      • chris_johns

        whats this?

      • imlip

        4.4.4 patched it.

      • Justtyn Hutcheson

        Doesn’t work for 4.4.4 (that’s the reason jcase released Pie; it was patched and thus rendered useless to him), so once you update you’re done. Looking at this, there is every possibility that 4.4.4 was patched against this vuln, which means we’re back to square 1.

        • Nathan Borup

          Yeah, but if you’re looking for root, you know you shouldn’t update…

        • hoosiercub88

          It didn’t work on Verizon 4.4.2 either.

    • sirmipsalot

      If you can easily unlock the bootloader, then you *can* easily root it.

      • stang68

        Yes, let’s hope he releases it!

    • tyguy829

      Not that I’m encouraging verizon’s terrible and hostile practices, but why didn’t you get the dev edition?

      • stang68

        Couldn’t pay the (I think) $600 it was at the time.

        • Gr8Ray

          Also, it’s an ugly phone.

          • C-Law

            No sir

    • Nathan Borup

      In case you are $45 desperate… I’ll just leave this here. http://forum.xda-developers.com/moto-x/general/china-middleman-t2751177
      I did this to my phone and have not regretted it since
      But now that a bootloader unlock exploit came out, you might want to be a little patient until it gets easy to do

      • funnyfarm299

        What about those that have a 2013 build?

    • haaris


    • Kevin

      You have the option if you’re on 4.4.2. If not then you lost your chance to root.

  • MichaelFranz

    Wonder if the HTC M8 and S5 are vulnerable if no updates have been taken?

    Dan is truly a genius. I wouldnt think the BL on the S5 would be cracked by this because of the huge bounty just on root alone, but then again he is paid way more probably then that bounty was even worth.

    • T4rd

      Well I’m pretty sure the M8 is still vulnerable to the Firewater exploit, at least if it’s still on 4.4.2, not sure about the unlocked and Sprint M8 that just got the 4.4.3 update. First think I did with my Verizon M8 was S-Off and unlock its bootloader. One of the big (and many) reasons I chose the M8 over the GS5.

    • Mike

      The S5 was patched out of the box for this, so no, it wouldn’t work on the S5 no matter what software version you have.

  • Greg Morgan

    The man is a magician…

    • Nathan Borup

      Seriously… he told everyone that he was done with the Moto X

      • Justtyn Hutcheson

        This exploit reaches far, far beyond that little guy. So, he wasn’t working on the Moto X specifically, he just used one as the best known, previously-uncracked bootloader. Motorola was renowned during its OMAP-using days for its nigh-impenetrable bootloaders, and with the exception of the Qualcomm-based exploits they have continued to be. So by showing off on a Motorola device, the credibility of the exploit existing on nearly all Snapdragon SoCs is increased, as any exploits are unlikely to be found in Motorola’s proprietary security measures.

        • Nathan Borup

          Yeah, I understand this. I just thought it was funny he used a moto X since he said he was done with it

    • josuearisty

      Anybody tried this for droid ultra?

      • Nathan Borup

        He hasn’t actually released an easy way to unlock. To do what Dan did, you need to know a ton…

      • HarvesterX

        Having an unlocked bootloader is a PLUS…Lol

    • Guest

      One more reason to go with IPhone, their bootloader’s are fully secured in addition to optimized OS & superior hardware

      • MJ

        Good try troll…get a job and a life.

        • Nathan Borup

          whoa what happened here??

          • MJ

            You new to the Internet? Don’t know what trolling is?

          • Nathan Borup

            You don’t get it… look at this pic

          • MJ

            What pic?

          • Nathan Borup

            Maybe its not showing anymore … I took a screenshot of what I saw. It was a disqus glitch

          • Tillmorn

            My vote is glitch. Guest is a pretty well-known troll on Droid Life.

          • Rob Dallara

            that damn ‘Guest’ guy is everywhere!

      • iPhones suck

        You can’t hack an iPhone, just asked the 20 something celebrities that have had their pictures stolen off their phones, i.e. naked scarlet johanson

        • iPhone’s suck

          Wish I had that iphone hack, would love to see alison brie’s pictures on her phone.

      • dazeone

        Jail breaking an iPhone has been done on every iPhone. IPhone is just as vulnerable. Where there is a will there is a way.