A conversation with Justin Case of Sunshine S-OFF
If you’re looking to S-OFF your HTC phone chances are you’ve run into the commercial product Sunshine, which is a tool that exploits flaws in HTC (and Motorola) software to set a security flag somewhere in the deep recesses of the phone. S-OFF allows you to flash unsigned code to protected partitions and generally do some low level things the average rooted phone can’t and probably doesn’t need to.
Currently the main benefits of having S-OFF over just a rooted phone are you can flash other carrier’s firmware, or jump back and forth between radio versions. As far as I can tell unless you’re planning to superCID, flash to another carrier, roll back a radio firmware, or attempt to SIM unlock a device, everything is doable with an unlocked bootloader and one extra step.
At I was moving to the HTC One M9 and wanted S-OFF before HTC figures out how to patch it I went searching for how to do it and Sunshine is currently the option, although there’s nothing stopping other developers from stepping forward with their unlock tools.
You can read about what Sunshine is and how it works here, and read more on for a short interview with Justin Case, one of the developers of the tool.
Why the name SunShine?
It’s a play on beaup’s previous names, particularly “moonshine”. It is a step outside the alcohol based naming scheme he previously used.
How does it work?
This is one of those questions that I can’t answer without jeopardizing the work and research of everyone that worked on it, sorry.
What are some previous exploits that you’ve worked on, what was your favorite?
I’ve probably released over 50 for android alone, and have written over 200 as part of my job. So this is a big question.
I guess CVE-2013-3741 . It was a chain of bugs. First it pretty much gained all packagemanager installation related permissions, was able to install apps that behaved like they were on the system partition, as in they couldn’t be uninstalled and could get system only permissions. It installed an app that way, used a system only permission to become part of the “system group”. It then patched the dalvik-cache, which had not been seen publicly before for escalation, to alter the code of any application, in this case it targeted some application that ran as the system user (pretty much one step down from root on Android, easy to reach root from it).
It gained little or no attention from anyone, because I didn’t release it in a way that would work with more than on carrier’s particular firmware, but it really had potential for abuse (to gain root, or really it would have been a “good” (bad) thing for malware authors to use to keep malware on the device).
I know you can’t reveal what you’re doing with Sunshine, but can you give an example of an exploit you worked on that’s no longer viable.
Weaksauce was part of sunshine internally at one point, while I didn’t publicly discuss how it worked, another researcher did, I will let him explain.
Why is the M9 not SIM unlockable at this point, and if you release an update that allows for SIM unlocking in the future can it be applied again?
Because all the ones we bought were SIM unlocked out of box, we were not thinking ahead. We will have to buy some simlocked to research and test on.
Have you been contacted by HTC or their lawyers and asked to quit it?
No, we did meet some of HTC’s Security team in San Diego during the May 1st weekend, we did not discuss how anything worked, just met them and said hi.
Who all is on the Sunshine team?
Beaups, myself and people who wish to be unnamed.
Are you considered pariahs in the open source community for not immediately sharing your S-OFF code, and what are the reasons for not sharing.
I don’t believe anyone with an actual grasp of open source believes this. I have contributed to AOSP myself, and through work many times. I have also open sourced more Android exploits than anyone. Those who complain rarely have any real open contributions.
What’s the difference in a regular and developer phone?
Developer phones do not ship s-off, they ship unlocked. Developer phones tend to get updates faster than our US carrier based devices, and have less “bloat” than carrier devices.
Has Sunshine bricked anything?
We are unaware of any customer devices bricked by SunShine. I do know some people that have done silly things like write a kernel over the bootloader after using SunShine, but those were not caused by SunShine, but by someone being careless. We have a good number of devices bricked in development and testing, but that is what they were for. To ensure everything works safely, before release.
Do you have any competition in the S-OFF HTC world?
Yes, many shops are capable of using jtag to s-off devices, this brings risks of physical and software damage to the device if not done right, and costs more than SunShine. Javacards also exist, but again cost more than SunShine, and rely on technology stolen from HTC. I can’t bring myself to ship a $700 phone to some repair shop that I don’t know.
Do you have a publically available list of devices that are supported?
The google doc list is public, we try to build SunShine to be fairly dynamic, so its pretty hard to know for us what all it will work on. Those on the list are tested working. Any 32 bit Qualcomm HTC capable of running SunShine (it takes a lot of memory and cpu power), HTC M9 series, and 2013 Motorolas on 4.4.3 or less should all work with SunShine. 64 bit devices like the M9 are new, we are testing and adding them as we can, so far m9 is the only one released.
Who are your main customers? Developers, root users, cell shops looking to flash phones from one carrier to another?
Honestly, I don’t know. I would assume power users who like root, ROMs and freedom.
Who’d win in a volleyball match, you or the HTC security team?
We are fat and old, they would smoke us.
What’s you favorite wine?
I really enjoy 7 deadly Zins, great zinfandel!
Got anything you’d like to say to the readers?
We see a lot of people complain about having to pay for it, but please realize the amount of money and time invested to create this. This took multiple people working for a very long time. It would be great if everything in life was free, but it is not. The phones, the tools, the time are all costly. As Android and OEMs mature, these things also become much harder and expensive to do(this isn’t 2011 anymore, this isn’t an afternoon project).