
    Test device lock

    ivir | # 1 | 2014-02-06, 11:12 | Report

    Hi,
    Since I forgot my device lock number, I figured out how you can check for the correct device lock code or reset it.

    For this purpose there is the app /usr/lib/qt5/plugins/devicelock/encpartition

    Arguments:
    Code:
    --is-set lockcode
    --check-code <oldcode>
    --clear-code <oldcode>
    --is-clear-device-set ???
    --unset-clear-device ???
    --imei <something>
    --clear-code <oldcode>
    --set-code <oldcode> <newcode>
    --set-config-key ???
    --developermode ????
    --clear-device <oldcode>
    True/False are returned via the exit code, where 0 - success, 1 - fail;
    anything else is returned on standard output.

    The configuration is stored in the directory /usr/share/lipstick/devicelock/ and the encrypted/hash key is stored at /usr/share/lipstick/devicelock/.devicelock.enc. Quite interesting are the texts stored in the binary file encpartition:
    41414141, 42424241, 123456789012345 and /dev/block/platform/msm_sdcc.1/by-name/QOTP. More at http://www.onlinedisassembler.com/odaweb/4fDoTf/0

    Unfortunately I still don't know how to reset the device lock without sending the phone to a repair facility or brute-forcing it.

    Testing all numbers of length 5 takes less than 3 hours on the phone while utilizing 20% of the CPU.

    Attached Files
    File Type: zip FindDeviceLock.zip (14.9 KB, 293 views)
    The Following 5 Users Say Thank You to ivir For This Useful Post:
    juiceme, olf, reinob, szopin, ZogG

     
    szopin | # 2 | 2014-02-06, 11:25 | Report

    Originally Posted by ivir View Post
    Unfortunately I still don't know how to reset the device lock without sending the phone to a repair facility or brute-forcing it.
    Boot while pressing volume down, telnet to the device and one of the options should allow you to wipe it clean/reset to factory settings

    The Following User Says Thank You to szopin For This Useful Post:
    juiceme

     
    rainisto | # 3 | 2014-02-06, 16:41 | Report

    Thanks for the bug report. I'll have to implement a slowdown between attempts to make brute force slower.

    It's recommended to have an 8-10 digit lockcode to make developer mode brute-forcing take months until the fix arrives.

    In the future we would appreciate it if, when you find a weakness in the system, you would contact security@jolla.com before posting it publicly, so we would have time to make a fix for it.


    Last edited by rainisto; 2014-02-06 at 17:24.
    The Following 5 Users Say Thank You to rainisto For This Useful Post:
    Amboss, coderus, Jordi, juiceme, szopin
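
Added example (not part of the thread, and not Jolla's code): a model of the two mitigations rainisto names in post #3, a slowdown between attempts and a longer code, using the attempt rate reported in post #1. The `Throttle` class and its parameters (lockout after 5 failures, waits doubling from 30 s up to a 1 hour cap) are assumptions chosen for illustration.

```python
# Added illustration, not Jolla's code. Throttle parameters are assumptions.

# From the first post: all 10**5 five-digit codes in under 3 hours.
SECONDS_PER_TRY = 3 * 3600 / 10**5   # 0.108 s per attempt, an upper bound


class Throttle:
    """After every `burst` consecutive failures, lock out; the wait doubles up to a cap."""

    def __init__(self, burst=5, base_delay=30.0, max_delay=3600.0):
        self.burst, self.base_delay, self.max_delay = burst, base_delay, max_delay
        self.failures = 0        # a real device must persist this across reboots
        self.locked_until = 0.0

    def record_failure(self, now):
        self.failures += 1
        if self.failures % self.burst == 0:
            step = self.failures // self.burst - 1
            self.locked_until = now + min(self.base_delay * 2**step, self.max_delay)

    def record_success(self):
        self.failures, self.locked_until = 0, 0.0


def simulate(attempts, throttle, per_try=SECONDS_PER_TRY):
    """Step a fake clock through `attempts` wrong guesses; return elapsed seconds."""
    now = 0.0
    for _ in range(attempts):
        now = max(now, throttle.locked_until)   # wait out any active lockout
        now += per_try
        throttle.record_failure(now)
    return now


def exhaust_seconds(digits, throttle=None, per_try=SECONDS_PER_TRY):
    """Closed-form worst case for trying every numeric code of `digits` digits."""
    attempts = 10**digits
    total = attempts * per_try
    if throttle is None:
        return total
    lockouts = (attempts - 1) // throttle.burst   # lockout after the last try is never waited
    delay, served = throttle.base_delay, 0
    while served < lockouts and delay < throttle.max_delay:
        total, delay, served = total + delay, delay * 2, served + 1
    return total + (lockouts - served) * throttle.max_delay


if __name__ == "__main__":
    for d in (5, 8, 10):
        plain = exhaust_seconds(d) / 86400
        slowed = exhaust_seconds(d, Throttle()) / 86400
        print(f"{d} digits: {plain:,.1f} days unthrottled, {slowed:,.0f} days throttled")
```

At the reported rate, code length alone puts an 8-digit code at roughly 125 days to exhaust; with the assumed throttle even the 5-digit space takes more than two years.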

     
    ivir | # 4 | 2014-02-06, 17:12 | Report

    Originally Posted by szopin View Post
    Boot while pressing volume down, telnet to the device and one of the options should allow you to wipe it clean/reset to factory settings
    Thank you, but a reset to factory settings requests the devicelock code.

    Code:
    [CLEANUP] Starting cleanup!
    [CLEANUP] Umounting top volume...
    [CLEANUP] Deleting /mnt
    [CLEANUP] Cleanup done.
    Mounting /dev/mmcblk0p28 on /mnt
    sh: unlock: unknown operand
    
    Type your devicelock code and press [ENTER] key:
    (please note that the typed numbers won't be shown for security reasons)
    So even if I have enabled developer mode, there isn't a way to restore to factory state without the devicelock code. The latest update only increased the number of attempts from 3 to 5.

    The Following 3 Users Say Thank You to ivir For This Useful Post:
    juiceme, olf, szopin

     
    nieldk | # 5 | 2014-02-06, 17:12 | Report

    --imei hmmm sounds interesting ......


     
    szopin | # 6 | 2014-02-06, 17:26 | Report

    Originally Posted by ivir View Post
    Thank you, but a reset to factory settings requests the devicelock code.

    Code:
    [CLEANUP] Starting cleanup!
    [CLEANUP] Umounting top volume...
    [CLEANUP] Deleting /mnt
    [CLEANUP] Cleanup done.
    Mounting /dev/mmcblk0p28 on /mnt
    sh: unlock: unknown operand
    
    Type your devicelock code and press [ENTER] key:
    (please note that the typed numbers won't be shown for security reasons)
    So even if I have enabled developer mode, there isn't a way to restore to factory state without the devicelock code. The latest update only increased the number of attempts from 3 to 5.
    Oh wow, that's a surprise. My understanding was that lock code is needed for extra features like unlocking bootloader and in cases of forgotten lock code you could still reset it back to factory state (with loss of data, so data protection is kinda in place). Thanks, good to know

    The Following 3 Users Say Thank You to szopin For This Useful Post:
    Amboss, juiceme, ZogG

     
    rainisto | # 7 | 2014-02-06, 17:33 | Report

    Originally Posted by szopin View Post
    Oh wow, that's a surprise. My understanding was that lock code is needed for extra features like unlocking bootloader and in cases of forgotten lock code you could still reset it back to factory state (with loss of data, so data protection is kinda in place). Thanks, good to know
    It's queried for anti-theft, so if your phone is stolen then they cannot just wipe it clean and start using it. So remembering your lockcode is quite important.

    The Following 3 Users Say Thank You to rainisto For This Useful Post:
    Amboss, juiceme, szopin

     
    szopin | # 8 | 2014-02-06, 17:37 | Report

    Originally Posted by rainisto View Post
    It's queried for anti-theft, so if your phone is stolen then they cannot just wipe it clean and start using it. So remembering your lockcode is quite important.
    Is Jolla going to check every device that is sent to them for reflash in the european IMEI DB of stolen phones? Or users should inform Jolla about the theft? Is Jolla able to recover data, or just reflash?

    The Following 2 Users Say Thank You to szopin For This Useful Post:
    Amboss, juiceme

     
    rainisto | # 9 | 2014-02-06, 18:18 | Report

    Originally Posted by szopin View Post
    Is Jolla going to check every device that is sent to them for reflash in the european IMEI DB of stolen phones? Or users should inform Jolla about the theft?
    You report the theft to your local police, and they will report the IMEI to the operators' IMEI DB, and they will use a blocklist depending on what country you are in.

    The Following 2 Users Say Thank You to rainisto For This Useful Post:
    Amboss, juiceme

     
    szopin | # 10 | 2014-02-06, 18:23 | Report

    Originally Posted by rainisto View Post
    You report the theft to your local police, and they will report the IMEI to the operators' IMEI DB, and they will use a blocklist depending on what country you are in.
    Yeah, that's what usually happens and why stolen phones from Europe end up in India and Africa (at least that's what I heard). It seems Jollas are going to make an extra stop in Helsinki on the way there; are you going to utilise this occasion to return the Jollas to the owner?

    edit: however interesting a concept and actual anti-theft measure this is, it looks not really implementable; problems with identifying the real owner will only get bigger once the second-hand market revs up


    Last edited by szopin; 2014-02-06 at 18:28.
    The Following 2 Users Say Thank You to szopin For This Useful Post:
    Amboss, juiceme

     