
Root [CDMA] IRC w/ dev agrabren describing new root exploit

novox77

The following was a Q&A session with the TeamWin developer agrabren on IRC Server Freenode, channel #htc-evo-3d on June 30, 2011 at 10:30pm EDT. He explained the new root exploit he found and answered some questions. I bolded stuff that I thought would be most useful for people to know, so they could skim this if they chose.


[22:37] <@agrabren> Ok, so let me start with an off-topic.
[22:37] <@agrabren> I'm actually in a call right now for work, which is why I can be sitting at my computer instead of cleaning the mess that is my downstairs.
[22:38] <@agrabren> So I'm leaning on some team members of #teamwin to help me out here.
[22:38] <@agrabren> So there are a couple of big questions, and sadly, a few we can't answer yet.
[22:39] <@agrabren> (and I give up getting Empathy to record this) :)
[22:39] <@agrabren> Getting some info real quick. ;)
[22:40] <@agrabren> Ok, so let's start with the known crap. :)
[22:41] <@agrabren> It utilizes a hole we found in the software on the EVO 3D.
[22:42] <@agrabren> The reason we're being so secretive about the hole is because we don't want forced OTAs to close it.
[22:42] <@agrabren> It's a serious security vulnerability, beyond the scope of getting root.
[22:42] <@agrabren> As for the "violent" nature of it, we found a hole and tossed in a grenade.
[22:42] <@agrabren> Blew my phone to shit. :)
[22:43] <@agrabren> But in blowing it to shit, we confirmed that we had, in fact, found a way in that we could exploit.
[22:43] <@agrabren> After a factory reset of the device (I managed to get Android to only mount /data as ro. Let me tell you, this *will* **** you up)
[22:43] <@agrabren> We stepped back into the hole with flashlights.
[22:44] <@agrabren> After a lot of snooping around inside the guts, I found a way to get adbd to run as root.
[22:44] <@agrabren> What devices will this work on? Well, the EVO 3D. :) We believe it will work on the Sensation 4G.
[22:45] <@agrabren> I don't believe this particular hole will work on the old sense 1.0 devices.
[22:47] <@agrabren> Is this specific to android or could it be used on generic linux os's? We can't answer this question at this time.
[22:48] <@agrabren> The reason we can't answer is we really want everyone to be able to take advantage of the hole, instead of it being patched.
[22:48] <@agrabren> We're talking days at most.
[22:49] <@agrabren> The topic in this channel is wrong. ;)
[22:49] <@agrabren> It should apply to some other devices, but there will be work on a device-by-device basis.
[22:50] <@agrabren> We don't know exactly how similar the devices are in the software, so we don't know if the internal offsets are different.
[22:51] <@agrabren> We are using a smart algorithm for protecting the devices from things going wrong. It only exploits if everything checks out.
[22:51] <+jcase> agrabren, congrats, have you tried contacting kmdm/IEF? I know they have a nice package system done already (with unrevoke)
[22:52] <+jcase> to attempt to hide what is going on
[22:52] <@joshua_> yes, again, please let me or any of the other unrevoked guys know... we've some good anti-static analysis stuff
[22:53] <@agrabren> We haven't talked with anyone about this stuff yet.
[22:54] <@agrabren> I do actually have a real job, as well as a family. ;)
[22:54] <@joshua_> (I will be working for your employer on the chip team in just over a week ;) )
[22:55] <@agrabren> Nice! Congrats! Which location?
[22:55] <@joshua_> Santa Clara
[22:55] <@agrabren> Awww. :( I don't get out there much anymore.
[22:55] <@agrabren> But welcome aboard!
[22:55] <@agrabren> But nobody came here to talk about NVIDIA. ;)
[22:55] <@joshua_> yes ;)
[22:55] <@agrabren> So, let's go ahead with questions...
[22:56] <@agrabren> The ETA is likely this weekend. Probably late weekend.
[22:57] <@joshua_> Anyone who would like to ask a question can speak, and only ops will hear you.
[22:57] <+haus|work> Are there any side effects with this one like there was with gingerbreak?
[22:57] <@onicrom> agrabren: we're going to celebrate independence from htc and the BRITS!?
[22:57] <@mirk> hmm... s-off is a radio hack that disables the NAND security. The status of this can be seen from the bootloader (boot with volume down held) at the top of the screen.
[22:57] <@joeykrim> lol wow
[22:57] <@joshua_> (Ops, please repeat the question.)
[22:57] <@agrabren> Holy crap. :)

(they must have gotten swamped with a ton of questions all at once)

[22:58] <@agrabren> Ok, one sec. :)
[22:58] <@joshua_> ruckus asked what happens if HTC opens it up before we get a chance to release. Obviously we'll see how their strategy works and decide then :)
[22:58] <@onicrom> let's give time to answer the questions asked
[22:58] <@agrabren> Will this exploit cause damage: No. I don't like dangerous.
[22:58] <@joshua_> (I shouldn't say "we", because agrabren's the one with the sploit, to do with as he likes ;) )
[22:59] <@agrabren> Currently, we're looking for a way to make root sticky.
[22:59] <@agrabren> If HTC opens up the device, they open up the device. :)
[22:59] <@onicrom> < ax0r-3D> Is the method through adb, or will it be some sort of script?
[22:59] <@onicrom> < Berger_> I am very curious if you guys actually found a hole in the Linux Kernel?
[22:59] <@onicrom> < jka3588> will this be an exe file or something we can run via ADB?
[23:00] <@onicrom> < wake69_> will this have s-off?
[23:00] <@agrabren> It involves using adb and some software installed on the phone itself.
[23:00] <@agrabren> We are making no comments on whether this is a ROM or Kernel exploit.
[23:00] <@joshua_> (We'd be happy to work with you to package up a 'one-click' on the desktop.)
[23:00] <@onicrom> agrabren: lemme know when you want to reopen for qs
[23:01] <@agrabren> (I'm scared of reopening it, my screen went nuts with scrolls)
[23:01] <+OtisFeelgood> 414 ppl in here....damn
[23:01] <@agrabren> Ok, another good question came in (but please stop PMing me, I can't catch them all)
[23:01] <@joshua_> With regards to S-OFF: I suspect (but don't know for sure -- agrabren can answer for sure) that this exploit will not get us S-OFF yet.
[23:02] <@agrabren> Can this exploit be reversed? Because we're only talking temp-root, it is reverted on reboot.
[23:02] <@agrabren> When we get to perm root, that will also be reversible.
[23:02] <@agrabren> Shinzul is the man in charge of S-OFF right now.
[23:02] <@agrabren> My next work is to help unlock the device.
[23:02] <@agrabren> One sec.
[23:04] <@agrabren> Ok, next question? (sorry, I'm in a call too)
[23:04] <@joshua_> I'm going to open it up for questions again briefly.
[23:05] <@agrabren> We don't believe it will work on the EVO 4G.
[23:05] <@eyeballer> i think ZanzDroid confirmed that it doesn't but i'm not 100% sure
[23:06] <@eyeballer> he might chime in if he's still around
[23:06] <@agrabren> The exploit will be first sent to the vendors involved for them to fix before the rest of the world.
[23:07] <@agrabren> Sensation 4G: We believe it will work there. I need a person in North Austin willing to help with this, since I don't have one.
[23:07] <@agrabren> Otherwise, it will happen after the EVO 3D one comes out.
[23:08] <@joshua_> IEF and kmdm will be happy to provide you with a shell, probably.
[23:08] <@agrabren> Any platform that supports adb will work.
[23:08] <@agrabren> Unless someone knows of an adb client for android. ;)
[23:09] <@agrabren> I'm going to hand the answering over to joshua_ for a moment. ;)
[23:09] <@joshua_> Sure.
[23:09] <@joshua_> Let me read up what yinz have got to say.
[23:09] <@agrabren> He can explain, likely better than I, about the difference between root, s-off, recoveries, etc...
[23:09] <@joshua_> will it be published: That's up to agrabren; looks like he intends to publish, yes.
[23:10] <@joshua_> different versions of hardware: I don't know for sure, but it's usually too early by now.
[23:10] <@joshua_> hboot: This is soft root and does not require hboot yet.
[23:10] <@agrabren> Joshua, I was looking for you to field all the questions on s-off, and what nand-locked devices are like. :)
[23:10] <@agrabren> Short of "where are we at for s-off".
[23:11] <@joshua_> Sure. This device is eMMC, and also has a signed bootloader. This means that S-OFF is a ways further out than just soft root.
[23:11] <@joshua_> I can answer from my experience working closely with the AlphaRev X team that S-OFF on Sensation is going to be harder than previous devices we've worked with.
[23:11] <@joshua_> I think EVO 3D is very similar to Sensation, so I suspect the same to be true there.
[23:12] <@joshua_> Someone asked me what eMMC is: Older phones (EVO 4G) are based on NAND flash; eMMC is a different type of flash.
[23:12] <@joshua_> eMMC has different types of write protection that we haven't worked with before.
[23:12] <@agrabren> And we plan to work together to solve some of these issues. :)
[23:14] <@joshua_> Someone mentioned WPthis: The bug that WPthis exploits has been closed after the Desire Z.
[23:14] <+jcase> wpthis was closed i believe jan10th
[23:14] <@joshua_> (We've all been working pretty closely on this, including scotty.)
[23:15] <@agrabren> you think this particular exploit will eventually lead to s-off, or is it too early to tell?
[23:15] <@agrabren> (Sending this one to joshua_)
[23:15] <@joshua_> agrabren, the AlphaRevX exploit requires userspace root, and that was one of the big things holding it back on gbread
[23:15] <@agrabren> (that was someone else's question) :)
[23:16] <@joshua_> so I guess the short answer is "yes, this will pave the way, but no guarantees"
[23:16] <@joshua_> "it doesn't directly make it possible, but it makes it not impossible" :)
[23:16] <@agrabren> Eyeballer: Please field the often question: Can we be beta testers, how do we join #teamwin?
[23:16] <@joshua_> I'll open the floor up for more questions in a moment. Please try to keep them related.
[23:16] <@eyeballer> agrabren: seems to be the question of the day =P
[23:17] <@joshua_> Someone asked whether you can flash the ENG hboot with temp root: everyone will be investigating that in the days to come.
[23:18] <@eyeballer> #teamwin was formed back when shinzul and toastcfh were working on reverse engineering wimax from sense to aosp .. since then we've built up a pretty comprehensive group of people with a range of talents.. at this time we're pretty close and closed..
[23:18] <@mirk> Regulator: pas de quoi
[23:19] <@agrabren> (I'm off my call)
[23:19] <@eyeballer> we believe in close controlled testing and then wipe public release so we'll probably follow a similar method here
[23:19] <@agrabren> The exploit will come, with or without more stuff.
[23:19] <@joshua_> dragonfyre13 asked a good question: should other people working on developing exploits continue? The answer is 'absolutely' -- we will need them some day (well, hopefully not, but...).
[23:20] <@agrabren> As for continuing looking for holes: You're welcome to, but this has no real damage to anything else on the phone.
[23:21] <@joshua_> Someone suggested trying to trade the exploit with HTC: that's called extortion, and is bad for the community as a whole. Everyone obviously would love to work with HTC to build a platform to develop on, but bargaining with exploits is not how to do it.
[23:21] <@agrabren> If I reboot, what happens: Well, right now, it's temp root and it's gone. We're hoping by this weekend to have it sticky, and running Titanium Backup
[23:21] <@agrabren> Any changes to /system at this time will definitely revert.
[23:22] <@agrabren> News on the new recovery: Wrong discussion. :-D
[23:22] <@agrabren> I'm not at liberty to reveal the work of other TeamWin developers. ;)
[23:22] <@joshua_> It's very possible that it could be packed up in a one-click root-on-boot, like the original unrevoked.
[23:22] <@agrabren> Joshua: what's the difference between unlocked and s-off?
[23:23] <@joshua_> S-OFF, unlocked, etc are fuzzy terms, especially now that we are on eMMC.
[23:23] <@joshua_> S-OFF used to refer to a specific configuration in which the radio told hboot that it was "OK" to flash anything it wanted, essentially.
[23:23] <@joshua_> (It also would refer to an ENG hboot.)
[23:23] <@joshua_> On eMMC, that state no longer exists.
[23:23] <@agrabren> OTA: Risky. Until we crack the nand lock and get S-OFF, it's possible for HTC to make things different or harder with a new HBOOT.
[23:24] <@joshua_> unlocked is not really a term that applies to CDMA phones; in general, it refers to the ability to put a SIM card from a different carrier into your phone. the "NAND lock", or write protection, or anything like that does apply, and refers to being able to write /system
[23:24] <@joshua_> (I think that's needed for Cyanogen.)
[23:25] <@agrabren> LOL: And for the flowers...
[23:25] <@agrabren> Umm... It was more a joke than anything else. The cats eat the flowers.
[23:25] <@joshua_> (and then throw up all over the floor, I'd bet!)
[23:25] <@agrabren> My wife is a bit upset, as I've been glued to my phone and computer for 3 days now.
[23:25] <@agrabren> Exactly.
[23:25] <@agrabren> Fun note: I didn't *start* this work until this week. I was on a beautiful vacation in the South Padre Islands last week when I got my phone.
[23:26] <@agrabren> So it didn't even take us a week. :-D
[23:26] <@joshua_> (past performance does not guarantee future results: the next exploit may take a lot longer!)
[23:26] <@eyeballer> [23:26:28] <lowetax> any malware concerns with this hole ?
[23:26] <@joshua_> Yes.
[23:27] <@agrabren> Yes. Any security hole that gives a user elevated permissions is a malware concern.
[23:27] <@ariel_> you said you get system access then it reverts on reboot, this is just the root access. if you deposit a new file in there, does it stick or does the emmc erase the file?
[23:28] <@eyeballer> < oblivion2k> will we lose radio, wimax, hboot, etc with this root method?
[23:28] <@eyeballer> with just temp root, no
[23:28] <@eyeballer> unless you try to mess with those things yourself
[23:28] <@joshua_> agrabren, By the way, traditionally, unrevoked's policy is to report to vendors holes that appear to be 'intentional' (see skyagent), but to package and protect vulnerabilities like that the best we can.
[23:29] <@agrabren> This was a non-intentional hole.
[23:30] <@joshua_> Yeah. Traditionally, unrevoked just packs and protects that sort of thing until someone finally reverses them.
[23:30] <@zule> htc created the arms race, we just fight fair
[23:30] <@joshua_> (on the 'really bad' things, we do indeed do responsible disclosure instead)
[23:31] <@agrabren> Ok, I'm getting serious wife aggro...
[23:32] <@agrabren> So if I don't go clean up my mess downstairs, I'll be sleeping outside. And my computer is *not* outside. ;)
[23:32] <@agrabren> Hopefully, we've answered the majority of questions people keep asking.
[23:32] <@joshua_> Please don't ask for more details beyond what agrabren's provided so far.
[23:32] <@joshua_> I'm going to open the channel up again in a moment. any last thoughts?
[23:33] <@agrabren> We promise, info will be flowing. :) But we wanted to let people know, it has happened.
[23:33] <@agrabren> Thanks for everyone's time, and making me feel special. :)
[23:33] <@mirk> no worries, agrabren
[23:33] <@agrabren> I appreciate all the positive responses we've gotten! #teamwin!!!


From the way this sounds I'm hoping HTC makes good on their word soon... I'd much rather prefer the factory unlock it for us.
I kinda disagree with you and here is why. (Someone step in and correct me if I am not 100% correct) but, as I have been reading:

The reason it is taking HTC so long to unlock the bootloader is because they are trying to create a system that will watermark your system so that if you do try to root your system or flash something other than Sense it will void your warranty. Now, this is something I have read in a few posts and may be purely conjecture.

Now, if there is a way to root my phone that is fully reversible like with the EVO 4G that does not watermark your eMMC or any part of your hardware, that is the way for me, not a controlled HTC root.
^^^^ If this is the case I agree +1 a no brainer.


I kinda disagree with you and here is why. (Someone step in and correct me if I am not 100% correct) but, as I have been reading:

The reason it is taking HTC so long to unlock the bootloader is because they are trying to create a system that will watermark your system so that if you do try to root your system or flash something other than Sense it will void your warranty. Now, this is something I have read in a few posts and may be purely conjecture.

Now, if there is a way to root my phone that is fully reversible like with the EVO 4G that does not watermark your eMMC or any part of your hardware, that is the way for me, not a controlled HTC root.
I think it's easy for them to forget how much can be read into their colloquial statements.

I think he was trying to say that this is a newer type of memory, but got caught in buzzwords.

Unless the exploit involves something in chip management and memory, I'm not sure what significance that detail had, or why he was bringing it up. Probably best we don't ask, for fear of hitting the secrets boundary.
People can be smart, and they can know a lot of stuff, but to accomplish anything worthwhile, you need to specialize. There's just too much knowledge out there. So... even these phone devs, while they have their areas of expertise, they may not be experts in everything. And so it is with this eMMC thing. And remember, there are tons of people out there with the knowhow to be a phone dev/hacker, but they choose not to. Different priorities in life. We shouldn't fall into the trap of believing someone because of their position. If there's conflicting information, we have to search for the truth, not take sides.

I don't claim to be anywhere close to being an expert in flash tech. If you look at what I posted, I just took the dev's word for it, like most people would. So... just saying... just because I post a lot doesn't mean I can "set the record straight" for every issue out there. I come here to share my knowledge, but I'm also here to learn.
I don't claim to be anywhere close to being an expert in flash tech. If you look at what I posted, I just took the dev's word for it, like most people would. So... just saying... just because I post a lot doesn't mean I can "set the record straight" for every issue out there. I come here to share my knowledge, but I'm also here to learn.

I believe this goes for all here. None of us are experts in all areas, but we try to share our knowledge from experience and/or schooling. That's why forums work: a person may know how to do something and that may not be enough, but then the guy that knows why will be there to help explain, and then you have a full explanation. So we all help to create a place for learning, teaching and troubleshooting.
I kinda disagree with you and here is why. (Someone step in and correct me if I am not 100% correct) but, as I have been reading:

The reason it is taking HTC so long to unlock the bootloader is because they are trying to create a system that will watermark your system so that if you do try to root your system or flash something other than Sense it will void your warranty. Now, this is something I have read in a few posts and may be purely conjecture.

Now, if there is a way to root my phone that is fully reversible like with the EVO 4G that does not watermark your eMMC or any part of your hardware, that is the way for me, not a controlled HTC root.

Have you actually heard or read somewhere that using the unlocked bootloader they provide will void the warranty?

I would think if it was a software issue it would be a no-brainer, but modifying the bootloader and/or the software has absolutely nothing to do with a hardware or battery failure...

If that was the case I think they would have stated that by now...
Have you actually heard or read somewhere that using the unlocked bootloader they provide will void the warranty?

I would think if it was a software issue it would be a no-brainer, but modifying the bootloader and/or the software has absolutely nothing to do with a hardware or battery failure...

If that was the case I think they would have stated that by now...
As I said, it is nothing I know for a fact, but I have heard talk, and the technology is out there. Why is the release taking so long if an exploit is found in less than a week? So, I am just saying, not 100%, but I have heard whispers. I won't trust HTC S-OFF, I'd rather have dev S-OFF, but it is your choice.