Originally Posted by novox77
This thread applies to all existing HTC phones as of the date of this post.
Ever since mid-March, several sources online started to incite fear by reporting that someone discovered that the HTC Thunderbolt's bootloader was locked. Why would that be scary? Because we've all heard that Motorola's bootloaders are locked down, which severely limits how much you can do with a rooted phone, like flash custom ROMs. And Motorola has stated that it intends to do the same for all its future phones. Since the Thunderbolt's bootloader is locked and signed, does this mean HTC is now headed down the same path?
No.
The first thing to understand is that the initial fear mongering was due to a huge lack of understanding about the nature of bootloaders. I'm going to explain it here in a clean thread and hope to counter all this misplaced concern for anyone looking for clarification.
What the authors of these reports failed to realize was that almost ALL phones' bootloaders come locked and signed. Always have. The Thunderbolt's bootloader security is no different than any of its HTC predecessors including the Droid Incredible, Evo 4G, and many others. They simply confused a "locked" bootloader with Motorola's bootloaders, which are also locked, but the key difference is the encryption layer that prevents the Moto bootloaders from being unlocked. There's a huge difference between being locked and being unlockable.
In a full root, one of the main objectives is to unlock the bootloader so you can flash custom ROMs. Here is a high-level overview of what happens during a full root:
1) Find an exploit that tricks the phone into giving you temporary root privileges for that session. Typically some app has a vulnerability, and a root solution is available when a hacker finds an exploit.
2) Once a hacker has temp root, the superuser (su) binary is installed onto the system to make the root permanent. A user or app can simply call su to gain root privileges at will.
At this point, we've achieved a half-root. The phone is technically considered "root"ed. Now we move on to the juicy part of the root process: unlocking the bootloader.
3) The bootloader's stock firmware (HBOOT) can now be replaced with the pre-release Engineering version, which is a leaked HTC-signed image used when the phone firmware and OS were being developed. Since the image is properly signed, the bootloader accepts the firmware. The Engineering HBOOT comes with S-OFF, meaning it's unlocked by default (it makes sense that when the ROM is being developed, engineers wouldn't want to impose the lock on themselves). Once the bootloader is on the Engineering HBOOT, it is unlocked.
4) Now that the bootloader is unlocked (aka S-OFF, NAND unlocked), the factory recovery program is able to be replaced using the bootloader's fastboot flashing utility. Depending on the root method, you get either Clockworkmod or RA recovery, two widely available homebrew recovery programs.
5) With a custom recovery in place, you have the ability to flash images to various partitions that were previously protected by the bootloader, but now that the bootloader is unlocked, it essentially turns a blind eye to what the recovery image does.
Full root complete.
When the bootloader is encrypted, it means that it's expecting an HBOOT image to be encrypted with a very specific key. The problem is you can't generate the correct encryption on an Engineering HBOOT image without having the encryption key. So... no Eng HBOOT means S-ON remains (aka NAND locked, aka bootloader remains locked). Which means you can't ever have write access to key partitions of the filesystem that a custom kernel/ROM requires: /boot (kernel) and /system (Android OS). Furthermore, with Motorola bootloaders, there's something called an eFuse that checks to see if you've modified the bootloader. Assuming you do get the Eng HBOOT flashed, the eFuse may still kick in because of some checksum mismatch. Its job is to brick the phone when it detects that the bootloader has been tampered with. Ouch.
So will the Evo 3D come with a locked and signed bootloader? Most likely. But does that mean anything of consequence? No. The Engineering HBOOT will be inevitably leaked, a hacker will discover a root exploit, and the Evo 3D will be fully rooted shortly after.
Is there a possibility that HTC starts encrypting their bootloaders like Motorola? Yes. But the Thunderbolt's bootloader is not a valid reason to think that HTC is considering this. In fact, HTC has done nothing to indicate it may suddenly decide to change its existing policies. So relax. Chances are very good that the Evo 3D will be rooted quickly with little fanfare.
Hopefully word of this thread gets around and can clear up all the FUD surrounding this issue.