Enterprising hacker William “nenolod” Pitcock has been hard at work on the Motorola signed-bootloader issue and has now posted a method for obtaining the private key for the “sholes” platform. Vulnerable devices include the Droid, Milestone, Droid X, Droid 2, and CHARM. With the private key in hand, custom ROM images can be signed so that the bootloader accepts them and flashes them to the device. It is currently unknown whether the same vulnerability applies to recent and upcoming devices such as the Atrix or Bionic.
Motorola was notified about the vulnerability privately three times, as far back as December 20, 2010, before the method was made public, and did not respond. The private key for the Milestone was posted for a short time, but Motorola’s legal team was quick to respond with a cease and desist letter compelling the hacker to remove it. Motorola’s bootloader security had stood the test of time up to that point, the Droid having been released in 2009.
Custom ROMs and kernels would be deployed via RSD Lite as a signed .sbf file. To the bootloader, such files would appear to have been signed directly by Motorola and would therefore be allowed to flash to the device. It should be noted that Motorola could change the keys in use and plug the vulnerability with a future update, so any users wanting to deploy custom ROMs may want to avoid letting the system update automatically.