Hacking Android phone. How deep the rabbit hole goes.

The rabbit hole goes a bit deeper: to QFPROM :)

There is a chain:

ABOOT ignores kernel signature verification errors if SMEM variable 0x201 != “SBON”

Variable 0x201 is passed from SBL1 in SMEM block 0x88

SBL1 sets variable 0x201 (and DNAND field (0x18, 0) as well) from the QFPROM value at 0xFC4B83F8 (tested with mask 0x202020: any set bit under the mask gives “SBON”). The possible values are “SBON” (secure), “SBOF” (non-secure) and “E_RF” (fuse read error, which also works for us).
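The chain above as a small C model, added here as an illustration rather than code from the post or from any vendor bootloader. The fuse address, mask and status strings are the ones the post gives; `fuse_read_ok` is an assumed flag standing in for the real fuse driver's error path, and the fail-closed variant is an added contrast, not what the device actually ships.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Values from the post: the QFPROM secure-boot fuse word, the mask that was
 * tested against it, and the status strings SBL1 writes into SMEM block 0x88,
 * variable 0x201. The address is informational only and never dereferenced. */
#define QFPROM_SECBOOT_ADDR 0xFC4B83F8u
#define QFPROM_SECBOOT_MASK 0x202020u

/* Model of the SBL1 decision: a fuse read error yields "E_RF"; otherwise any
 * set bit under the mask means secure boot is on. fuse_read_ok is a constructed
 * flag representing whether the fuse read succeeded. */
const char *sbl1_secboot_status(uint32_t fuse_value, bool fuse_read_ok)
{
    if (!fuse_read_ok)
        return "E_RF";
    return (fuse_value & QFPROM_SECBOOT_MASK) ? "SBON" : "SBOF";
}

/* Model of the ABOOT check as the post describes it: kernel signature errors
 * are enforced only when the SMEM string is exactly "SBON". Every other value,
 * including the fuse read error "E_RF", falls open. */
bool aboot_enforces_kernel_sig_as_described(const char *smem_var_0x201)
{
    return strcmp(smem_var_0x201, "SBON") == 0;
}

/* Fail-closed variant (added for contrast): verification is skipped only when
 * the fuse was read cleanly and explicitly says non-secure. An unreadable fuse
 * or an unexpected string is treated as secure. */
bool aboot_enforces_kernel_sig_fail_closed(const char *smem_var_0x201)
{
    return strcmp(smem_var_0x201, "SBOF") != 0;
}
```

The difference between the two ABOOT variants is the whole point: under the described logic a read error disables verification, under the fail-closed one it does not.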
