AITERIUM-X RUSSIA

Blackberry Key2 bootloader finally unlocked

For a long time it was considered that BlackBerry's security approaches and implementations were unbreakable, especially for the newest and last known BlackBerry devices, the KEY2 and KEY2 LE. From 2018, for 6 years, KEY2 owners suffered at the hands of BlackBerry: RIM never released Android Pie for the devices and ended support suddenly. The Canadians then gave the community no opportunity to run any new (more secure and more convenient) operating systems themselves. At the same time the net is full of information in which someone shows an unlocked device. All of that information (excluding this article) concerns a few not-for-sale, factory-unlocked devices.

Now specialists from the Russian companies Aiterium-X (www.ai10.ru) and Unlock Service (@unlock_service54), driven by a sense of fairness, have managed to unlock the bootloader of the BlackBerry KEY2 (production/retail version). As a result of that unlock, and in cooperation with a group of international engineers, a production BB KEY2 device successfully booted a custom Linux operating system (Droidian). With a successful bootloader unlock proven, any operating system can be run on the KEY2 and KEY2 LE once community contributors successfully build one. Other users may gain root access to the existing BB Oreo OS or run modern recovery software such as TWRP.

Technical information

Disclaimer! This information is published for educational purposes and to improve security.

The fastboot application was exploited via Christopher Wade's CVE-2021-1931.

After successfully exploiting the fastboot command read buffer, modified ARM64 code of the fastboot ABL body was loaded into device RAM, giving us the opportunity to run any AArch64 code we liked. We obtained the open-source ABL code and decompiled the BB ABL PE. While examining the fastboot code we found that it differs from the open-source fastboot sources because of a lot of BlackBerry-specific security checks and special boot image signature verifications.

Qualcomm's chain of trust remains unbroken (we have not exploited Qualcomm Sahara. Yet). Gaining the ability to run fastboot flashing unlock, and even changing the Verity-enabled flag, did not give us the opportunity to run unsigned boot.img files. This is because of BlackBerry-specific boot image authentication code. At the same time, BlackBerry left us some debugging mechanics, which are activated by uploading debug tokens: hlos_unsigned.tkn turns off authentication of boot images. These tokens are signed and authenticated by algorithms that are not accessible to us, so, as you understand, we did not manage to use this opportunity.

We decided to run the flash recovery and boot commands without a restart. But BB had removed the boot fastboot command code from their ABL version.

The first successful run of a custom unsigned boot.img was achieved by spoofing one of the available open commands and forcing an AArch64 function call to BootLinux. It was done with very dirty NOP hacks, without unloading the objects initialized by fastboot. There was a risk of further kernel cmdline failures, but for the first time we managed to run android-droidian-boot.img successfully. This approach was not very convenient for our scientific needs, because after a reboot the unsigned image would not run.

A stable unsigned boot that survives a reboot was achieved by patching other AArch64 ops. This method is very risky: the author of this article hard-bricked a device while doing these experiments. Some device-specific, signed partitions were wiped with no possibility of recovery. For this reason we cannot make this information public at this time. The successful Droidian boot is proven by the video below.

Regards to contributors

krab-ubica, Russia (Hardware keyboard software)
Bochenek, Poland
Jesus, Spain
Gasan Djalilov, Uzbekistan
Marsh, China
Mohammad Afaneh

Russia, Moscow 25/12/2024

When copying or distributing any of these materials, please be so kind as to refer to this article and its authors.
Rights reserved to Aiterium-X (www.ai10.ru) and the contributors for their effort.
info@ai10.ru