|
XDA BootloaderThe XDA is a Pocket PC device with a built-in GSM module. The device was manufactured by HTC and is similar to the earlier iPaq. Although Pocket PC has several security features, such as a start-up PIN or password, these are useless with an insecure bootloader. The bootloader was disected more in depth by the XDA Developers at their Wallaby bootloader page. Part of their research led to the discovery that the bootloader will happly load code from an SD card and start executing it. This feature is used in their Wallaby Patch Tool, which is needed to flash ROMs with bootloader version 5.17. The feature that was used above was extended to allow examination of the RAM of the currently active Windows CE. It was discovered that the whole PIN/Password protection of the device was laid down in two bits that are directly accessible from the bootloader mode. One bit signifies that the start-up password is active, the other bit is set to one if a password is configured. The password itself is stored as an MD5 hash. The modification was submitted to the CVS at the XDA Developers site. A demonstration of this fact was created by modifying the Wallaby Patch Tool to include the possibility to change the two bits for the password protection. To use this, a SD card is needed that can be written to with a PC. Currently writing from the XDA is not yet supported. The XDARit tool can be used to write an *.nb2 file. The source and images can be found here: Source code (arm compiler needed)
wallabypatch-v1.3.tgz
|