So, now ASUS Transformer Prime has been out for a while and we decided it’s time to give a quick rundown of the security features in the Prime.
First, a quick list of security features:
- Secure Boot Key (SBK)
- Encrypted Bootloader (Same as ASUS Transformer)
- Hidden boot & recovery partitions (Same as ASUS Transformer)
- Cryptographically signed boot & recovery partitions (New)
- Cryptographically signed staging blobs (New)
1. Secure Boot Key (SBK)
The secure boot key is an AES-128 symmetric key that’s used to encrypt various partitions on the tegra2/3 (in particular the bootloader and “BCT” partition). It’s also used to encrypt & sign nvflash communication, which makes it extremely important. It’s stored securely deep inside the tegra SoC, so it’s not possible to extract it.
2. Encrypted Bootloader (Same as ASUS Transformer)
The encrypted bootloader is a standard Tegra2 & Tegra3 security feature. As soon as a Secure Boot Key is set, the bootloader is required to be encrypted. The fact that it’s encrypted is not really an issue.
3. Hidden boot & recovery partitions (Same as ASUS Transformer)
The boot and recovery partitions are placed on the flash memory outside of the regular partition table. This means it’s not directly visible from within Android. It’s still technically possible to read and write them by writing directly to the flash memory (using /dev/block/mmcblk0 directly), but it’s not recommended (see part 4).
4. Cryptographically signed boot & recovery partitions (New)
Now we’re getting to the good stuff With the Transformer Prime, ASUS added in cryptographic signing of the boot and recovery partitions. This signature is appended to the boot.img (last 256 bytes) and is used to verify integrity of the images. ASUS decided to use an RSA based solution, known to be extremely secure. They are using a 2048bit key which is essentially uncrackable (Background). The only possibility for bypassing this is either ASUS releasing a bootloader unlock as promised or someone finding a serious bug in their implementation.
5. Cryptographically signed staging blobs (New)
On ASUS Transformer, we used the staging method of flashing a blob, which the bootloader then flashed. This method worked around the hidden boot and recovery partitions in a nice and neat way. However, with Transformer Prime, a new feature was added: Cryptographically signed staging blobs. What this means is that the blob file has to be signed by an 2048bit RSA key (similar to boot & recovery). So, even if we can make blobs, they simply won’t be flashed without being signed by the correct key.
A quick warning for ASUS tegra2 devices lacking nvflash access
It’s a very real possibility that ASUS could decide to add number 4 and 5 from the above list to current ASUS Transformers. This would mean that even with temp root, flashing boot and recovery will not be possible anymore! For obvious reasons, this is not an issue with older TF101s where the SBK is known, but on all other Transformers, including 3G model and Slider, this could potentially be a big issue!
The only advice we can give if you are interested in keeping root is to not take any new OTA’s until they are confirmed working! Usually, a pre-rooted, fixed update is out on the major forums within a few days after release! You could potentially also use OTA rootkeeper to backup and unroot before taking an OTA, but be well aware that the OTA you take could format your /system, thereby also deleting your ‘root backup’.