Force Eureka firmware ? - Google Chromecast

Where is the firmware stored (ie chip)
Inside the Chromecast? My thinking may be off, but is it possible to have the unit boot and load the firmware we want if the firmware is manually written to memory? I have not found much information on the JTAG port, but I see it also has a 16 gig TSOP as well as 4 or 8 gig of DDR memory. I assume the DDR is used as a buffer for the CPU and the memory in the CPU is for storing the bootloader, so I am hoping the TSOP is where the firmware is stored. If we were able to write the firmware there, would we be able to achieve our needed root, or would the current firmware on the chip be useful for finding an exploit to root?
I would think that unless we are changing the bootloader when we root the unit now at low serial numbers, it would be the same as writing a ROM to a phone and using a factory bootloader.
Correct me if I am all messed up here please.
1080xt root 12.15.15

rekids said:
Where is the firmware stored (ie chip)
Inside the Chromecast? My thinking may be off, but is it possible to have the unit boot and load the firmware we want if the firmware is manually written to memory? I have not found much information on the JTAG port, but I see it also has a 16 gig TSOP as well as 4 or 8 gig of DDR memory. I assume the DDR is used as a buffer for the CPU and the memory in the CPU is for storing the bootloader, so I am hoping the TSOP is where the firmware is stored. If we were able to write the firmware there, would we be able to achieve our needed root, or would the current firmware on the chip be useful for finding an exploit to root?
I would think that unless we are changing the bootloader when we root the unit now at low serial numbers, it would be the same as writing a ROM to a phone and using a factory bootloader.
Correct me if I am all messed up here please.
1080xt root 12.15.15
That's pretty much what FlashCast did until Google plugged the hole that would let you hijack the boot process....
I don't know how diligently some have been looking but since Google plugged that hole there seems to be no way into the CCast anyone can find.

rekids said:
Where is the firmware stored (ie chip)
Inside the Chromecast? My thinking may be off, but is it possible to have the unit boot and load the firmware we want if the firmware is manually written to memory? I have not found much information on the JTAG port, but I see it also has a 16 gig TSOP as well as 4 or 8 gig of DDR memory.
It was written elsewhere that the gtvhacker team found the JTAG pins are disabled at the hardware level.
There was also mention that there may be a device-specific encryption, but no confirmation on that. Someone with an eeprom programmer and soldering station who can swap chips would have to confirm.

That I have (chip programmer and soldering station); I just have not decided if it is stored on the 48-pin TSOP, as that is the easiest to gain access to. This is one of a couple of things I would need to know, or at least have a good idea about, before tearing my non-rooted unit apart.
IF ... the firmware is stored there and I had an image of the Eureka firmware that needs to be on the TSOP, then tearing it apart is worth the test. I don't see the software being encrypted to the device since JTAG has been disabled; it seems like a lot of work and keys needed for a simple, low-cost device, but I could be wrong. The other thing I would need to do is go through the data sheet on the TSOP to see if it has a write-once area or a locked portion that would require a key from the CPU to allow writing, but I kinda doubt that.
So if someone has info on the actual image, preferably a .bin image of Eureka in the correct data location, that would be great.
My thought is if it is that simple then ISP may be possible for the average tinkerer with a simple chip programmer, or it may even make it possible for someone to program on a larger scale for a small fee of like $5 or $10 instead of $100 on eBay or finding the last few with old software out there.
1080xt root 12.15.15

I like this thread, hopefully it will be cracked open... just like the PS3 was miraculously, despite many theories that it was impossible to hack even after Sony plugged the holes again and again.
Sent from my Nexus 5 using Tapatalk

Just a small update. Removed the TSOP and went to read it using factory default settings and found the first 141 blocks are invalid and the rest of the chip was blank "FF". Changed the settings to not skip over the 141 blocks and got a 2 gig data file. Not sure if this is a good thing yet, need to sort through to see if any of the data is intact/valid. My Chromecast is using current firmware. The TSOP does hold 16 gigs of data. Only data seen so far is up to data block 3F3C000, then blank from that point on.
Could really use another TSOP from another Chromecast even a dead one for comparison.
1080xt root 12.15.15

Not sure, but maybe @Team-Eureka has a dead CCast they can donate/lend to your effort...

Need some help from someone who knows a few things about the Chromecast.
What I am able to do right now is read and write whatever is stored on the 16 gig TSOP that is in the Chromecast. As far as I can see this is where the firmware should be stored.
The idea is to write the firmware that is desired to the TSOP and have the Chromecast boot that software instead.
Problem ... The data that is recovered from my up-to-date Chromecast has about 200-500 MB of data towards the beginning of the blocks and a few more MB just before the end of the blocks. The total .bin file is about 2.2 gigs. When viewing the contents of the .bin there is no readable text (for example "Google", "version", "build" and so forth), and there is usually at least something in text format when viewed in WinHex on other devices that I have read and written to in the past.
What I don't know is where exactly on the TSOP the firmware begins or ends, the location of checksum(s), and an image of Eureka firmware as it is written on the TSOP.
Possible solution is a TSOP that has had the firmware already loaded or an image of that TSOP or possibly even the rootable firmware image.
Any help is great. I have been on the IRC channel of Eureka and Gtvhacker and asked there but had no response.
The programmer I have is an older Dataman 48pro (the newer version is more efficient and does multiple chips at once); it is very reliable and takes about 20 minutes for a complete read of the 16 gig TSOP. The chip does need to be removed and placed in the adapter to read, since ICP is not supported by the TSOP and from my research the JTAG or UART has been disabled, I suspect within the processor.
Anyone with info or even an idea would be great.
Thanks
Rekids
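A way to sort through a dump like the one described above (used region near the start, blank "FF" after a certain block, no readable strings): this is an added example, not code from the thread or from Team Eureka, and the sample dump it builds is constructed in the script rather than read from a real Chromecast. It classifies each block as erased (all 0xFF), text-like, high-entropy (which is what compressed or encrypted data looks like, and would explain the lack of readable text) or other binary, merges runs, and reports where the used data ends.

```python
"""Region classifier for a raw NAND/TSOP dump.

Added example (not from the thread): classifies fixed-size blocks of a
dump as erased / text / high-entropy / binary and merges them into runs.
The sample dump in build_sample_dump() is constructed, not a real image.
"""
import math
import random
from collections import Counter

ERASED_BYTE = 0xFF                      # erased NAND pages read back as 0xFF
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8.0 for random data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_block(block: bytes) -> str:
    """Label one block; thresholds are this example's choice, not a standard."""
    if all(b == ERASED_BYTE for b in block):
        return "erased"
    printable_ratio = sum(b in PRINTABLE for b in block) / len(block)
    if printable_ratio > 0.9:
        return "text"
    if shannon_entropy(block) > 7.5:
        return "high-entropy"               # compressed, encrypted or random-looking
    return "binary"


def summarize_dump(data: bytes, block_size: int = 4096):
    """Return merged runs as (start, end, label) tuples, end exclusive."""
    runs = []
    for off in range(0, len(data), block_size):
        label = classify_block(data[off:off + block_size])
        end = min(off + block_size, len(data))
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], end, label)
        else:
            runs.append((off, end, label))
    return runs


def last_used_offset(data: bytes, block_size: int = 4096) -> int:
    """Offset just past the last non-erased block (0 if the dump is blank)."""
    used = [end for _, end, label in summarize_dump(data, block_size)
            if label != "erased"]
    return used[-1] if used else 0


def find_strings(data: bytes, min_len: int = 8):
    """Like `strings`: runs of >= min_len printable ASCII bytes (no newlines)."""
    found, current = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            current.append(b)
            continue
        if len(current) >= min_len:
            found.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        found.append(current.decode("ascii"))
    return found


def build_sample_dump() -> bytes:
    """Constructed 20 KiB dump: one text block, two random blocks, two erased."""
    rng = random.Random(1)
    text_block = (b"Google Chromecast build example\n" * 200)[:4096]
    random_blocks = bytes(rng.getrandbits(8) for _ in range(8192))
    erased_blocks = bytes([ERASED_BYTE]) * 8192
    return text_block + random_blocks + erased_blocks


if __name__ == "__main__":
    dump = build_sample_dump()
    for start, end, label in summarize_dump(dump):
        print(f"{start:#010x}-{end:#010x}  {label}")
    print(f"last used offset: {last_used_offset(dump):#x}")
    print("strings found:", len(find_strings(dump)))
```

On a real 2 GB file, read it with `open(path, "rb").read()` and pass it to `summarize_dump`; a dump whose used region is entirely "high-entropy" with no strings is consistent with the compression or per-device encryption speculated about earlier in the thread.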

Team Eureka hangs out in #team-eureka though they've been busy lately... Wish I knew more but hardware is my weakness.

bhiga said:
Team Eureka hangs out in #team-eureka though they've been busy lately... Wish I knew more but hardware is my weakness.
We are here, we are just quiet. A NAND dump was sent his way.

Thank you, and yes, I understand being busy. I work 40+ hours, then got stuff I do at home with 4 kids and the wife, not to mention I do a few things out of town each week.
I did get a full NAND image; just got to compare it with the read I got and see if they line up with each other as to location and type of code, in case it is different after it passes through the CPU.
Will keep you posted, as to findings.
1080xt root 12.15.15

Just in case of anyone is following this,
I did get the bootloader downgraded to a rootable version written on the NAND. Downside is I was not able to get the NAND remounted well enough for a boot without some liquid flux I had lost around the house somewhere, so I ordered some more. It is definitely possible to change all the data in the NAND with a programmer, but the NAND has to be removed from the PCB and then remounted. But I have to wait for supplies to show up and then a day I can play around with this project again.
The Chromecast I am working with is one with a serial number of 3B and it has updated to the most recent firmware.
Anyhow, will post when I have it booting again.
1080xt root 12.15.15

rekids said:
Just in case of anyone is following this,
I did get the bootloader downgraded to a rootable version written on the NAND. Downside is I was not able to get the NAND remounted well enough for a boot without some liquid flux I had lost around the house somewhere, so I ordered some more. It is definitely possible to change all the data in the NAND with a programmer, but the NAND has to be removed from the PCB and then remounted. But I have to wait for supplies to show up and then a day I can play around with this project again.
The Chromecast I am working with is one with a serial number of 3B and it has updated to the most recent firmware.
Anyhow, will post when I have it booting again.
1080xt root 12.15.15
Wow, great work [emoji3][emoji106]
Although this is a method that only a few users might use, I'm glad to see someone doing this kind of stuff.
Eagerly waiting to hear if you manage to pull it together and eventually root your device [emoji2]
Sent from my Nexus 4

Can't wait to hear your upcoming updates either. Good work
Sent from my Nexus 5 using Tapatalk

rekids said:
Just in case of anyone is following this,
I did get the bootloader downgraded to a rootable version written on the NAND. Downside is I was not able to get the NAND remounted well enough for a boot without some liquid flux I had lost around the house somewhere, so I ordered some more. It is definitely possible to change all the data in the NAND with a programmer, but the NAND has to be removed from the PCB and then remounted. But I have to wait for supplies to show up and then a day I can play around with this project again.
The Chromecast I am working with is one with a serial number of 3B and it has updated to the most recent firmware.
Anyhow, will post when I have it booting again.
1080xt root 12.15.15
Lots of us are following.
This is great news.
But yes, only for advanced users. But once it is perfected a clip could probably be made like the PS3/360 NAND clips.

Just to be sure everyone is aware, all thanks goes to those who really deserve it: Gtvhackers for the original and only exploit that we have, and everyone at Team Eureka, and above all else a very helpful and encouraging person who has helped with the vital info that was needed and was willing to spend time helping me out without knowing a thing about me (just a noob).
Thanks ddggttff3, for the help so much.
1080xt

Could this be used to flash the tsop without desoldering?
http://www.ic2005.com/shop/product.php?productid=137&cat=0&featured=Y
I've been out of the modding scene for years and haven't kept up.
Sent from my Nexus 4 using Tapatalk

Looks like more a way to connect while mounted than a way to program. The NAND requires a particular set of instructions to do anything, really. The way I understand it, what needs to happen to program and write is a couple of things:
1. Connection to the right pins (obtained with the item you mentioned, or by placing it in an adapter with individual connections for each pin).
2. Uninterrupted communication (may have issues with resistors, caps, CPU and any other items on the board connected to the NAND).
3. An instruction set for communication to the NAND to have it do what you want.
I have not come across anything as of yet suggesting in-circuit programming is possible outside of the use of the UART or JTAG. And since, as far as I can find, the correct set of UART pins are not connected and the JTAG is either disabled or not connected, that makes in-circuit programming not possible as of right now.
A data sheet on the 88DE3005 has not been found by me as of now. Marvell seems to keep that info unavailable to us.
A map out of the Armada Mini would be great, and a pinout of the board connections would help to see if that would be possible in the future.
1080xt 4.4

So I got my stuff to remount the NAND with the bootloader changed to the exploitable one and... no boot. Not sure what exactly went wrong; got a sneaky feeling it may have died during the attempt to remount before I got my stuff, with a big fat soldering iron. Gonna go get another and try again.
It is definitely easier to remount when you use liquid flux and not just try to hit each leg with a soldering iron.

Any news? Have we found a hardware method of rooting?

Related

Brainstorm of remote exploit targets

Code:
Sooner or later it will be hard to get a rootable Chromecast. The community is limited by the number of people able to root their own devices. A remote exploit is desirable to expand the community. Please brainstorm and post progress in exploring the targets.
Targets:
Web interface
Chromecast executes commands to start Netflix etc. with user-specified arguments. Arguments are sent through the DIAL interface. From app.conf:
Code:
{ "app_name": "Netflix",
"external": true,
"command_line": "/bin/logwrapper /netflix/bin/netflix_init --data-dir /data/netflix/data -I /data/netflix/AACS -D QWS_DISPLAY=directfb -D LD_LIBRARY_PATH=/system/lib:/netflix/qt/lib -D NF_PLAYREADY_DIR=/data/netflix/playready -D KEYSTORE=/data/netflix/AACS -D KEYBOARD_PORT=7000 -D ENABLE_SECURITY_PATH=1 -D DISABLE_SECURITY_PATH_VIDEO=0 -D DISABLE_SECURITY_PATH_AUDIO=1 --dpi-friendlyname ${FRIENDLY_NAME} -Q source_type=12&dial=${URL_ENCODED_POST_DATA}",
"allow_empty_post_data": true,
"dial_info": "<port>9080</port><capabilities>websocket</capabilities>"
},
FFMPEG vulnerabilities
Intercepting updates (I know, the signatures would likely prevent this.)
Cable based attacks similar to current root methods
Soldering based attacks
Post your ideas and progress.
My chromecast is not rooted, so I can't get logs from netflix being run with different URL_ENCODED_POST_DATA, but we might be able to fork the command.
TVRemoteExploit said:
Code:
Sooner or later it will be hard to get a rootable Chromecast. The community is limited by the number of people able to root their own devices. A remote exploit is desirable to expand the community. Please brainstorm and post progress in exploring the targets.
Targets:
Web interface
Chromecast executes commands to start Netflix etc. with user-specified arguments. Arguments are sent through the DIAL interface. From app.conf:
Code:
{ "app_name": "Netflix",
"external": true,
"command_line": "/bin/logwrapper /netflix/bin/netflix_init --data-dir /data/netflix/data -I /data/netflix/AACS -D QWS_DISPLAY=directfb -D LD_LIBRARY_PATH=/system/lib:/netflix/qt/lib -D NF_PLAYREADY_DIR=/data/netflix/playready -D KEYSTORE=/data/netflix/AACS -D KEYBOARD_PORT=7000 -D ENABLE_SECURITY_PATH=1 -D DISABLE_SECURITY_PATH_VIDEO=0 -D DISABLE_SECURITY_PATH_AUDIO=1 --dpi-friendlyname ${FRIENDLY_NAME} -Q source_type=12&dial=${URL_ENCODED_POST_DATA}",
"allow_empty_post_data": true,
"dial_info": "<port>9080</port><capabilities>websocket</capabilities>"
},
FFMPEG vulnerabilities
Intercepting updates (I know, the signatures would likely prevent this.)
Cable based attacks similar to current root methods
Soldering based attacks
Post your ideas and progress.
My chromecast is not rooted, so I can't get logs from netflix being run with different URL_ENCODED_POST_DATA, but we might be able to fork the command.
What if somehow we were able to attack it like jailbreakme used to? Looking at the developer options in Chrome, you could write a program for your phone that has the cast button; when you click it, it'll tell the Chromecast to go to the app's domain where it automatically roots for you. I'm no developer, so I don't even know if that kind of hack would even be possible. I did download the cast app for Windows and it has a button for factory reset. Would it be possible to hack that Chromecast program and change the factory reset to use a hacked pulled firmware?
scarygood536 said:
What if somehow we were able to attack it like jailbreakme used to? Looking at the developer options in Chrome, you could write a program for your phone that has the cast button; when you click it, it'll tell the Chromecast to go to the app's domain where it automatically roots for you.
This would be extremely difficult to pull off, as you would need to both escape Chrome's sandbox and find a privilege escalation vulnerability in the Linux kernel or a setuid binary. Both Chrome and Linux are extremely mature and secure pieces of software, so vulnerabilities are few and far between and get patched quickly when they are found.
I tried tacking commands onto the tail of the netflix commands like this:
Code:
curl ****192.168.1.126:8008/apps/Netflix -X POST -d "intent=play&titleid=***%3A%2F%2Fapi.netflix.com%2Fcatalog%2Ftitles%2Fmovies%2F70138593;reboot"
However, I can't see the log file without root.
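The app.conf excerpt above substitutes `${URL_ENCODED_POST_DATA}` into the launch command, and the POST attempt just described appends a `;` to that data. The following is an added example, not Chromecast's own launcher code: how the device really performs the substitution is not known from the thread, so this models the safe way to do it (percent-encode the POST body with no characters left unescaped, quote the friendly name, and build an argv list that is executed without a shell) and shows why the shell separators in the data never become a second command.

```python
"""Model of the app.conf command_line expansion.

Added example, not the device's implementation: the substitution rules
(percent-encoding with safe="", shlex.quote for the friendly name, argv
built for shell=False) are this example's assumptions.
"""
import re
import shlex
from urllib.parse import quote

# Trimmed copy of the Netflix command_line from the thread's app.conf excerpt.
NETFLIX_TEMPLATE = ("/bin/logwrapper /netflix/bin/netflix_init "
                    "--dpi-friendlyname ${FRIENDLY_NAME} "
                    "-Q source_type=12&dial=${URL_ENCODED_POST_DATA}")

# Characters a POSIX shell would treat specially if the string reached one.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\"' ]")


def encode_post_data(post_data: str) -> str:
    """Percent-encode the DIAL POST body; safe="" encodes '/', '&', ';' too."""
    return quote(post_data, safe="")


def expand_template(template: str, friendly_name: str, post_data: str) -> str:
    """Substitute both variables into the command-line template."""
    return (template
            .replace("${FRIENDLY_NAME}", shlex.quote(friendly_name))
            .replace("${URL_ENCODED_POST_DATA}", encode_post_data(post_data)))


def build_argv(template: str, friendly_name: str, post_data: str) -> list:
    """Split the expanded line into argv for subprocess.run(argv, shell=False).

    Whitespace-splitting only: the '&' that is part of the template stays
    inside one argument and is inert because no shell ever parses it.
    """
    return shlex.split(expand_template(template, friendly_name, post_data))


def metachar_survives(argument: str) -> bool:
    """True if an interpolated value still carries shell-significant characters."""
    return bool(SHELL_META.search(argument))


def argv_is_stable(template: str, friendly_name: str, post_data: str) -> bool:
    """Check that untrusted inputs change argument *values* but never the
    number of arguments or the program being launched."""
    baseline = build_argv(template, "cast", "")
    argv = build_argv(template, friendly_name, post_data)
    return len(argv) == len(baseline) and argv[:2] == baseline[:2]


if __name__ == "__main__":
    # Constructed POST body carrying a shell separator, as in the thread.
    body = "intent=play&titleid=123;reboot"
    for arg in build_argv(NETFLIX_TEMPLATE, "Living Room", body):
        print(repr(arg))
    print("stable argv:", argv_is_stable(NETFLIX_TEMPLATE, "Living Room", body))
```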
tchebb said:
This would be extremely difficult to pull off, as you would need to both escape Chrome's sandbox and find a privilege escalation vulnerability in the Linux kernel or a setuid binary. Both Chrome and Linux are extremely mature and secure pieces of software, so vulnerabilities are few and far between and get patched quickly when they are found.
So is our best bet to find a vulnerability within the hardware level we could utilize and wouldn't have the chance of being patched?
In all honesty, the best method of attack would be to figure out the JTAG port. With that, you could then simply just flash back on the rootable bootloader on any device, and go from there. I doubt any software methods will be found, and even if one is found, it will be patched by Google within a month. The JTAG port however is at a hardware level, and unless it actually does signature checks (like the USB method does on updated devices), it would allow a person full control of the flash chip.
EDIT: To clarify, if the UART port is hardware based (like normal JTAG ports on wireless routers and such), then there should be no security checks. If, for whatever reason, it is software based though (so like fastboot, or Samsung's ODIN mode), then there is a chance it checks image files.
ddggttff3 said:
In all honesty, the best method of attack would be to figure out the JTAG port. With that, you could then simply just flash back on the rootable bootloader on any device, and go from there. I doubt any software methods will be found, and even if one is found, it will be patched by Google within a month. The JTAG port however is at a hardware level, and unless it actually does signature checks (like the USB method does on updated devices), it would allow a person full control of the flash chip.
EDIT: To clarify, if the UART port is hardware based (like normal JTAG ports on wireless routers and such), then there should be no security checks. If, for whatever reason, it is software based though (so like fastboot, or Samsung's ODIN mode), then there is a chance it checks image files.
Unfortunately (although I don't believe anyone has confirmed this on the Chromecast), all known GTV devices with this SoC ship with their JTAG port disabled. It may be possible to re-enable it in software, but (of course) that requires running your own kernel. The only hardware hack I know of that is sure to work is manually soldering a NAND flasher up to the memory chip and rewriting the partitions that way, which is expensive, error-prone, and extremely tricky to do right.
tchebb said:
Unfortunately (although I don't believe anyone has confirmed this on the Chromecast), all known GTV devices with this SoC ship with their JTAG port disabled. It may be possible to re-enable it in software, but (of course) that requires running your own kernel. The only hardware hack I know of that is sure to work is manually soldering a NAND flasher up to the memory chip and rewriting the partitions that way, which is expensive, error-prone, and extremely tricky to do right.
The more you know.
Well, while looking through the chromecast's "fts" partition in a hex editor, I found the following variable show up in multiple places.
Code:
device_configured=true
Makes me wonder what happens if this is flipped to false. I will look through the bootloader source more to see if it is used at a software level.
EDIT: Doesn't look like it does anything for us, seems to just enable the crash counter.
tchebb said:
Unfortunately (although I don't believe anyone has confirmed this on the Chromecast), all known GTV devices with this SoC ship with their JTAG port disabled. It may be possible to re-enable it in software, but (of course) that requires running your own kernel. The only hardware hack I know of that is sure to work is manually soldering a NAND flasher up to the memory chip and rewriting the partitions that way, which is expensive, error-prone, and extremely tricky to do right.
ddggttff3 said:
The more you know.
Well, while looking through the chromecast's "fts" partition in a hex editor, I found the following variable show up in multiple places.
Code:
device_configured=true
Makes me wonder what happens if this is flipped to false. I will look through the bootloader source more to see if it is used at a software level.
EDIT: Doesn't look like it does anything for us, seems to just enable the crash counter.
ddggttff3 said:
In all honesty, the best method of attack would be to figure out the JTAG port. With that, you could then simply just flash back on the rootable bootloader on any device, and go from there. I doubt any software methods will be found, and even if one is found, it will be patched by Google within a month. The JTAG port however is at a hardware level, and unless it actually does signature checks (like the USB method does on updated devices), it would allow a person full control of the flash chip.
EDIT: To clarify, if the UART port is hardware based (like normal JTAG ports on wireless routers and such), then there should be no security checks. If, for whatever reason, it is software based though (so like fastboot, or Samsung's ODIN mode), then there is a chance it checks image files.
Maybe I'm missing something, possibly am, but couldn't we dual boot firmwares? Have the normal factory firmware on the eMMC chip, then, install a rooted image to a USB stick. Next solder a different wire to each side of pin 26, finally solder a switch in between. This should force the device to load off the USB rather than eMMC. On paper it works. On the physical device? That could be a bit different. If you do try this, I'll do my best to help you and point you in the right direction.
The switch is to choose between the two firmwares; if, however, you only want to boot from the USB, you could, possibly, just have a permanent jump of pin 26. That should force booting from the eMMC to fail every time, forcing it to boot from USB.
NOTICE: none of these suggested ideas have been used and or tested. They work on paper only! The real device may, and possibly is, different! Attempt at your own risk.
OP, XDA, nor I am responsible for anything that happens to your device. If anything does happen it's completely on you! This is a dangerous hardware mod, I don't recommend if you don't know how to solder. Also, the points for pin 26 are very very small, smaller than some solder iron's tips. All of mine are way too big, and I have bought small tips to use on other mobile devices. If you mess this up there is none to very little chance of going back.
SECOND NOTICE: constantly jumping the 26th pin of the CPU could cause permanent hardware problems. If such problem does happen, it is not known at this time. Once again, this is a dangerous hardware mod that should not be attempted by those who aren't good with soldering.
The good news: if you do attempt this and it works, we could have a hardware way to be rooted. More good news is that if you mess up and can't fix it, then it's only $35 to get a new one.
Aaron Swartz, Rest in Pixels.
jamcar said:
The switch is to choose between the two firmwares; if, however, you only want to boot from the USB, you could, possibly, just have a permanent jump of pin 26. That should force booting from the eMMC to fail every time, forcing it to boot from USB.
Just to let you know, a permanent jump to pin 26 will cause the device to not boot at all. It causes a read interrupt to the eMMC, so if jumped permanently the device will not see the flash, so it wouldn't even load the bootloader. Jumping the pin should ONLY be used if the standard button-hold boot process does not work.
jamcar said:
Maybe I'm missing something, possibly am, but couldn't we dual boot firmwares? Have the normal factory firmware on the eMMC chip, then, install a rooted image to a USB stick. Next solder a different wire to each side of pin 26, finally solder a switch in between. This should force the device to load off the USB rather than eMMC. On paper it works. On the physical device? That could be a bit different. If you do try this, I'll do my best to help you and point you in the right direction.
The switch is to choose between the two firmwares; if, however, you only want to boot from the USB, you could, possibly, just have a permanent jump of pin 26. That should force booting from the eMMC to fail every time, forcing it to boot from USB.
NOTICE: none of these suggested ideas have been used and or tested. They work on paper only! The real device may, and possibly is, different! Attempt at your own risk.
OP, XDA, nor I am responsible for anything that happens to your device. If anything does happen it's completely on you! This is a dangerous hardware mod, I don't recommend if you don't know how to solder. Also, the points for pin 26 are very very small, smaller than some solder iron's tips. All of mine are way too big, and I have bought small tips to use on other mobile devices. If you mess this up there is none to very little chance of going back.
SECOND NOTICE: constantly jumping the 26th pin of the CPU could cause permanent hardware problems. If such problem does happen, it is not known at this time. Once again, this is a dangerous hardware mod that should not be attempted by those who aren't good with soldering.
The good news: if you do attempt this and it works, we could have a hardware way to be rooted. More good news is that if you mess up and can't fix it, then it's only $35 to get a new one.
Aaron Swartz, Rest in Pixels.
This wouldn't work with any post-12072 bootloader, since the USB image's signature is still checked. The signature verification would simply fail and the device would fail to boot, same as if you tried to boot from USB with a button press.

[Q] Heartbleed - Disable Heartbeats in OpenSSL on Android 4.1.1 Rooted

Apparently the ONLY version of Android that is vulnerable to Heartbleed is 4.1.1. I ran a check on my phone, and sure enough I'm running that version, and heartbeats are definitely enabled. I used the Lookout security app to verify this. Is there a way I can patch my system myself and somehow disable the heartbeats feature without having to wait another 3 years for Motorola to come out with a fix? My phone is rooted, but something tells me that OpenSSL probably needs to be essentially recompiled with a flag set to disable heartbeats?
I was hoping there would be a quick config file for OpenSSL that can be modified, but I'm not usually lucky. Based on everything I've seen thus far, a recompile with a flag set is the only way to fix this. Figured i'd give it a shot and ask on here.
I've been thinking about the same thing.
If memory was encrypted that could solve all or part of the problem.
If the Chrome HTTPS browser cache were turned off, which I think requires an APK edit, there would not be any clear-text data in the browser cache.
What do you think?
dosmac said:
Apparently the ONLY version of Android that is vulnerable to Heartbleed is 4.1.1. I ran a check on my phone, and sure enough I'm running that version, and heartbeats are definitely enabled. I used the Lookout security app to verify this. Is there a way I can patch my system myself and somehow disable the heartbeats feature without having to wait another 3 years for Motorola to come out with a fix? My phone is rooted, but something tells me that OpenSSL probably needs to be essentially recompiled with a flag set to disable heartbeats?
I was hoping there would be a quick config file for OpenSSL that can be modified, but I'm not usually lucky. Based on everything I've seen thus far, a recompile with a flag set is the only way to fix this. Figured i'd give it a shot and ask on here.
Yep, 4.1.1 is vulnerable to this. 4.1.2 has the no heartbeat fix added in and 4.1.1 took the update that was bugged. That said, we DO have TWO 4.1.2 Stock roms, Mexican Retail and Bell are both 4.1.2 and should have that fix -- needs confirmation. Our Stock ICS roms are all from before this bug was added in and are safe. In reality, only stock, locked AT&T Atrix HD's are vulnerable to this since all the other roms* have this fix.
Normally I'd say something around the lines of give me a few days and I'll look into this more, but I've been busy lately, and when I'm not busy I'm either tired or sore; did some heavy lifting a few weeks ago and my back is still sore from that day.
*Our 4.1.2 roms are untested, but 4.1.2 AOSP has the fix so our 4.1.2 stocks should too
I was just thinking that there is no such thing as security. Security is achieved by being harder to exploit than the other computers. Even 3-DES can be cracked with enough computing power.
So encrypting memory and stopping https caching would close two big holes. I'm now wondering what holes would remain to be exploited by the heartbeat exploit on a 4.1.1 device if this were done?
stevep2007 said:
I was just thinking that there is no such thing as security. Security is achieved by being harder to exploit than the other computers. Even 3-DES can be cracked with enough computing power.
So encrypting memory and stopping https caching would close two big holes. I'm now wondering what holes would remain to be exploited by the heartbeat exploit on a 4.1.1 device if this were done?
If I was on a stock phone running 4.1.1 and I was that worried about Heartbleed, I'd unlock the bootloader and install Bell or Mex Retail because both are 4.1.2. It might even be possible to just swap the exploited binaries with the ones in our 4.1.2 roms; that's something someone else worried about this can do. Hell, it might even be possible to run the 4.1.2 roms with safestrap and the AT&T kernel... again, that's a someone else thing... I have no intention of dicking with SSR.
Think about Wifi being hacked....when it first came out a crappy password like 12345678 was good enough because computing power wasn't that good for consumers yet; nowadays, a basic gaming laptop can check 500,000 wpa2 passwords a second, a decent desktop with multiple GPU's can do over a million a second. All wpa2 hacking is sniffing out the verification md5*, then the tools generate passwords and their md5 and compare it against the sniffed out one, eventually you'll find one that matches, especially so if the password sucks. If you know how certain telecoms set up their wifi passwords, you can shorten the amount of time taken by limiting to the characters they use -- for example, AT&T U-Verse** uses 10 digit numeric passwords, so all you'd have to do is limit the tools to use numbers and start with 10 digits....hint: there are only 1 million codes if you use 10 numbers only....10 to the power of 10 and all....
That isn't a wifi hacking tutorial, just an example of how over time good security left unchanged becomes very bad security, and how eventually an exploit will be found and security compromised, like how wpa2 for a split second sends out the verification md5 unencrypted.
*not sure if WPA2 uses md5, but most of us know what md5's are
**last time I read about that service that's what I saw...and I read that a few months ago

My Journey Thus Far, am I wasting my effort?

I've been doing research and experimenting for the past few days, with only 6 hours of sleep in the last 48 hours. Long story short, I had a Droid TURBO on Verizon, loved it, the best phone I've ever had hands down. A month or so into having my Turbo, my family switched to Sprint, rendering my Turbo completely useless as a phone. Skip a few more months ahead to 11/15 when I broke my Samsung S6. I was looking for an excuse to figure out how to do this, I'd done a few hours of research, but never really had a reason to attempt what I have been. My goal is to allow my droid turbo to call/text with my sprint number and plan. My first idea was to simply open up some bands, maybe change some APN settings, BOY was I in for a trip. I'm currently running the 5.1 OTA of Lollipop on my Turbo, which means I have a locked bootloader, however I've gotten as far as getting temporary root access on 5.1 OTA (SU3TL-39). I wasn't sure how temporary root worked at first so of course, I was trying to get "XPOSED" working with this temporary root, then I could modify the phone's information and trick Sprint into thinking that my Droid Turbo is actually my old phone. I attempted to change the IMEI and swap the two different IMEIs; however, it was soon after that that I found out that my temporary root doesn't actually save after a boot, or even in-between roots. Kingroot seems to have to keep re-rooting itself in order to keep its temporary root alive. Anyways, I've been up all night, and I've got to get to Uni. I'd like to see what other ideas you all might have. At this point I've gotten invested in attempting to find my own method to rooting, or flashing a modified firmware of some type. I'd really like some guidance in these fields even if my Turbo will never work with Sprint. I appreciate those of you who read the post entirely.
EDIT: I've gotten many different theories, but the only way I see myself doing this is by somehow downgrading and starting from complete scratch, maybe even rebuilding the OS just to miss the security update? (All of these things are probably impossible, but I'd really like to think that we can figure something out together instead of letting the TURBO die.)
EDIT 2: ****, I really need to leave, but I had one last idea as I walked out the door, I'm sure it's out of the question, but maybe there's some way to physically modify the TURBO, or even modify the IMEI that the SIM card is looking for in the first place, but all just theories, will come back later with more ideas!
Tabrune said:
I've been doing research and experimenting for the past few days, with only 6 hours of sleep in the last 48 hours. Long story short, I had a Droid TURBO on Verizon, loved it, the best phone I've ever had hands down. A month or so into having my Turbo, my family switched to Sprint, rendering my Turbo completely useless as a phone. Skip a few more months ahead to 11/15 when I broke my Samsung S6. I was looking for an excuse to figure out how to do this, I'd done a few hours of research, but never really had a reason to attempt what I have been. My goal is to allow my droid turbo to call/text with my sprint number and plan. My first idea was to simply open up some bands, maybe change some APN settings, BOY was I in for a trip. I'm currently running the 5.1 OTA of Lollipop on my Turbo, which means I have a locked bootloader, however I've gotten as far as getting temporary root access on 5.1 OTA (SU3TL-39). I wasn't sure how temporary root worked at first so of course, I was trying to get "XPOSED" working with this temporary root, then I could modify the phone's information and trick Sprint into thinking that my Droid Turbo is actually my old phone. I attempted to change the IMEI and swap the two different IMEIs; however, it was soon after that that I found out that my temporary root doesn't actually save after a boot, or even in-between roots. Kingroot seems to have to keep re-rooting itself in order to keep its temporary root alive. Anyways, I've been up all night, and I've got to get to Uni. I'd like to see what other ideas you all might have. At this point I've gotten invested in attempting to find my own method to rooting, or flashing a modified firmware of some type. I'd really like some guidance in these fields even if my Turbo will never work with Sprint. I appreciate those of you who read the post entirely.
EDIT: I've gotten many different theories, but the only way I see myself doing this is by somehow downgrading and starting from complete scratch, maybe even rebuilding the OS just to miss the security update? (All of these things are probably impossible, but I'd really like to think that we can figure something out together instead of letting the TURBO die.)
EDIT 2: ****, I really need to leave, but I had one last idea as I walked out the door, I'm sure it's out of the question, but maybe there's some way to physically modify the TURBO, or even modify the IMEI that the SIM card is looking for in the first place, but all just theories, will come back later with more ideas!
There are two problems that you're up against:
1. The /system partition is write protected. Even with temp root (or permanent root, for that matter), /system cannot be modified. To use anything via the xposed framework, the framework must be installed, which requires writing to /system, which is impossible. The only way around this is the moforoot exploit, which allows flashing of pre-modified /system images, eliminating the need to modify /system while the phone is running. However, this does not work on the 5.1 bootloader, which you have.
2. As you correctly state, the bootloader is locked. That means no downgrading and no flashing of modified firmwares using official flashing methods (fastboot, mfastboot) or non-mofo unofficial methods (TWRP, FlashFire).
This thread discusses hardware modifications. It's way above my head, so I'm not sure how useful it is: http://forum.xda-developers.com/droid-turbo/development/rd-turbo-jtag-emmc-direct-hardware-t3162558.
Hope this is at least moderately helpful.
I suppose there's no way to disguise an exploit within some of the core system files? All of these files are signature checked, but how exactly does signature checking work on Lollipop? I doubt it would be easy to trick, but maybe with some reverse engineering of it? Trick it into thinking that everything is okay even though an exploit is riding alongside a system file.
Tabrune said:
I suppose there's no way to disguise an exploit within some of the core system files? All of these files are signature checked, but how exactly does signature checking work on Lollipop? I doubt it would be easy to trick, but maybe with some reverse engineering of it? Trick it into thinking that everything is okay even though an exploit is riding alongside a system file.
Even if that were possible, it would not help you, since that would require being able to write a file to where the core system files are stored (/system). As for how signature checking works, I think it is enforced by whatever is stored on the /boot partition, but I'm not sure about that. A locked bootloader will not allow flashing modified images to /boot, and there are no known ways to bypass this.
When I get home, I'm going to do some experimenting on attempting to strip down and downgrade to KK. I know that it most likely won't work, but I will gain some knowledge about it at least.
TheSt33v said:
Even if that were possible, it would not help you, since that would require being able to write a file to where the core system files are stored (/system). As for how signature checking works, I think it is enforced by whatever is stored on the /boot partition, but I'm not sure about that. A locked bootloader will not allow flashing modified images to /boot, and there are no known ways to bypass this.
Yep, the boot partition is what would have to be bypassed or unlocked in order to be able to write to system. That is where all the sig checks are locked in, right in the boot partition.
Well, we have a BL unlock coming to us in a few days, maybe a week or two. With that, you can flash what you need to attempt to use it with Sprint, possibly, depending on the bands the Turbo has.
I've gotten the phone to work to an extent, I'm hoping if the BL unlock happens that it will open up lots of opportunity.

Advice on how to recover media files on locked and one rooted stock OnePlus 3T

Hello,
I'm a bit desperate and I come here to XDA with the hope of finding some useful advice.
I know you probably have read many posts like these, but if you will read mine I hope you will find it different because there are some technical things to be explained (interesting at least for me).
I've lost 99% of my photos and videos taken in July on my phone (64 GB Memory model).
I know I know I should have implemented some sort of backups whatsoever in the cloud or with a home NAS, but unfortunately for me I'm not that kind of guy. The Android built-in backup is also disabled.
What I think has really happened here is that somehow my daughter grabbed my phone, played with it and deleted hundreds of photos and videos taken in July. Of her mainly! Never underestimate the damage capabilities of a toddler.
In the meantime I've taken lots of photos in August, used the phone a lot and also got the OTA update to Oxygen 4.1.7 / Android 7.1.1.
Now I have found that most of July media files are missing!!!!
At the moment there are 25 GB used out of the whole 54 GB of Internal Archive Memory, as seen in the Phone Setup.
I have bought DiskDigger Pro for Android but somehow it cannot find the right files; all it finds are WhatsApp images and other files. It does not really find the missing files, which I suspect have been somehow deleted.
I think it needs root privileges to dig deeper, but I don't understand why; in theory the files should be recoverable on the same partition as the DCIM folder. To my understanding the files should be marked as "deleted" in the same partition as where the DCIM folder is. But there is also this TRIM mechanism on the newer phones' flash memories that confuses me.
Q1) Can you please clarify why this and all other media files recovery programs which seem to be a bit serious need root to recover missing media files?
So given the assumption that I need to root, I've read here and there and it seems that some time ago for the OP One there was the possibility to root without unlocking the bootloader. But if I unlock, somehow all the data will be wiped. And I fear this will make any further software-based recovery method like diskdigger or photorec hopeless even with elevated root privileges.
Q2) Can you confirm that I cannot root without unlocking the bootloader and therefore without wiping the device?
For your information I have also bought tonight a 100 USD root + files recovery package on oneclickroot, but the agent promised to refund me after I told her the model of my phone (scary!).
Q3) I know a couple of things in Linux; do you think it is possible without root to create a raw image of the internal phone memory or the proper partitions with a tool such as "dd"? Then I would process those raw images on a Windows or Linux PC with file recovery software.
Q4) Do you think that the wiping caused by the bootloader unlocking will render any possible further diskdigger like solution without hope? Or should I go that way because the wiping is not so deep after all?
I don't know what to think, the fact that the phone is also encrypted makes me fear the worst. Maybe after the wiping it will get re-encrypted over.
Q5) Any advice in general before contacting Kroll Ontrack and paying thousands of dollars with the hope to recover?
Thanks a lot for any useful reply! I hope this topic will bring a definitive guide on how to recover files on unrooted oneplus 3t!
I can't answer all your questions here, however I can say with 100% confidence that you cannot root without unlocking the bootloader. Some people claim there are other methods, but keep away from them.
And there is nothing to be scared of when rooting OnePlus 3T if you follow the correct steps.
Are you sure that your daughter deleted those photos? How can she specifically delete photos taken in July? Do you have Google photos installed?
Aneejian said:
I can't answer all your questions here, however I can say with 100% confidence that you cannot root without unlocking the bootloader. Some people claim there are other methods, but keep away from them.
And there is nothing to be scared of when rooting OnePlus 3T if you follow the correct steps.
Are you sure that your daughter deleted those photos? How can she specifically delete photos taken in July? Do you have Google photos installed?
Thanks for your answer.
I'm not scared of rooting, as I have rooted other phones in the past. I'm ready to spend 1000USD and maybe even more to recover these media files and therefore I'm not really scared of rooting or bricking the device. What really scares me is that by
unlocking bootloader -> wiping -> rooting -> (new encryption of the filesystem ?)
I will render the deleted missing files completely unrecoverable.
I don't have google photos and I'm not 100% sure that my daughter has deleted the files. Maybe I've done a cut & paste which has not worked correctly on the phone as I've only 1 or 2 days of the beginning of July in my external hard drive. But it's more likely that my daughter has played with the gallery application on the phone.
I don't have a lock gesture or pin and my screen can be unlocked just by sliding, however it seems my phone is encrypted.
This encryption I don't know how it works and how it relates with the bootloader unlocking, if someone have more information I would be glad to hear.
And also I've done some more research and it seems impossible to perform a "dd" command of the partitions without first being superuser / root. ;-(
Regards,
Claudio
Did you try connecting your phone to the PC and using the program Recuva?
I managed to restore my files with it once
I can feel your pain of losing those valuable moments of your daughter. I feel sorry that I can't help you much with this.
In future, I suggest you use Google Photos, which can automatically back up all your photos for free.
StarShoot97 said:
Did you try connecting your phone to the PC and using the program Recuva?
I managed to restore my files with it once
I don't think that Recuva can do anything here. I am not allowed to post links here, but as explained here
ht*ps://forums.androidcentral.com/ambassador-guides-tips-how-tos/500142-guide-recovering-deleted-files.html
and here
ht*ps://forum.xda-developers.com/galaxy-nexus/general/guide-internal-memory-data-recovery-yes-t1994705
Recuva can't do anything for internal memory.
But thanks for the hint!
Aneejian said:
I can feel your pain of losing those valuable moments of your daughter. I feel sorry that I can't help you much with this.
In future, I suggest you use Google Photos, which can automatically back up all your photos for free.
One of the most affordable options I'm considering is this:
1) get another oneplus 3t
2) take some pictures and videos on it
3) delete those pictures and videos
4) root it
5) Install diskdigger to check if it can find anything after the wipe
I feel huge pain, my wife is also kindly pushing me. ^^
The problem ought to be that since this phone is force encrypted by default, unlocking the bootloader will destroy the encryption key for the previous installation, won't it? Isn't that the point, to avoid anyone accessing your data by simply doing a factory restore and still keeping the data in the internal storage? At least that's what I thought, else where's the security if someone steals your phone.
Without that, any recovery software will just see rubbish when trying to recover anything since it's encrypted.
pitrus- said:
The problem ought to be that since this phone is force encrypted by default, unlocking the bootloader will destroy the encryption key for the previous installation, won't it? Isn't that the point, to avoid anyone accessing your data by simply doing a factory restore and still keeping the data in the internal storage? At least that's what I thought, else where's the security if someone steals your phone.
Without that, any recovery software will just see rubbish when trying to recover anything since it's encrypted.
Thanks a lot, finally some technical info on xda
If I lose my phone someone can use it and read everything because there is no lock, no pin, no gesture nothing. I would try a remote wipe via google android devices or something like that. Life is too short to unlock your phone every time you look at it even if it is via finger print!
This being said, I've read here
ht*ps://source.android.com/security/encryption/full-disk
this paragraph among the others is not clear to me
Upon first boot, the device creates a randomly generated 128-bit master key and then hashes it with a default password and stored salt. The default password is: "default_password". However, the resultant hash is also signed through a TEE (such as TrustZone), which uses a hash of the signature to encrypt the master key.
You can find the default password defined in the Android Open Source Project cryptfs.c file.
When the user sets the PIN/pass or password on the device, only the 128-bit key is re-encrypted and stored. (ie. user PIN/pass/pattern changes do NOT cause re-encryption of userdata.) Note that managed device may be subject to PIN, pattern, or password restrictions.
Does this paragraph give me hope or not?
Thanks a lot for your interest! Sleepless nights go on here.
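The quoted AOSP paragraph, and pitrus-'s earlier point that a wipe destroys the key, can be modelled in a few lines. This is an added example, not code from the thread or from AOSP: PBKDF2 stands in for the real key derivation, an HMAC-SHA256 counter keystream stands in for AES, the TEE signing step is omitted, and the sample "photo" bytes are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DEFAULT_PASSWORD = b"default_password"   # default password named in AOSP cryptfs.c
MASTER_KEY_LEN = 16                      # the 128-bit master key the page describes


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for the AES used by real cryptfs."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor_crypt(key, nonce, data):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def derive_kek(password, salt):
    """Key-encryption key from the password and the stored salt (PBKDF2 stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 4096, MASTER_KEY_LEN)


@dataclass
class CryptoFooter:
    """What lives beside userdata on flash: the salt, the *wrapped* master key and a
    check tag. The plaintext master key itself is never written to storage."""
    salt: bytes
    wrapped_master_key: bytes
    check: bytes


def wrap_master_key(master_key, password):
    salt = secrets.token_bytes(16)
    kek = derive_kek(password, salt)
    wrapped = _xor_crypt(kek, b"wrap", master_key)
    check = hmac.new(kek, master_key, hashlib.sha256).digest()[:8]
    return CryptoFooter(salt, wrapped, check)


def unwrap_master_key(footer, password):
    """Returns the master key, or None when the password does not verify."""
    kek = derive_kek(password, footer.salt)
    master_key = _xor_crypt(kek, b"wrap", footer.wrapped_master_key)
    tag = hmac.new(kek, master_key, hashlib.sha256).digest()[:8]
    return master_key if hmac.compare_digest(tag, footer.check) else None


def first_boot():
    """First boot: a random 128-bit master key, wrapped under the default password."""
    master_key = secrets.token_bytes(MASTER_KEY_LEN)
    return wrap_master_key(master_key, DEFAULT_PASSWORD), master_key


def crypt_userdata(master_key, sector, data):
    """Per-sector encryption/decryption of userdata with the master key."""
    return _xor_crypt(master_key, sector.to_bytes(8, "big"), data)


def change_password(footer, old_password, new_password):
    """Setting a PIN re-wraps the master key only; no sector of userdata is rewritten."""
    master_key = unwrap_master_key(footer, old_password)
    return None if master_key is None else wrap_master_key(master_key, new_password)


def factory_reset():
    """Bootloader unlock / wipe: the footer holding the old wrapped key is discarded
    and a fresh master key is generated. Old ciphertext may survive on flash, but no
    key remains that maps it back to the original files."""
    return first_boot()


def demo():
    footer, master_key = first_boot()
    photo = b"JPEG bytes of a July photo (constructed sample)"
    sector = 4242
    ciphertext = crypt_userdata(master_key, sector, photo)

    footer = change_password(footer, DEFAULT_PASSWORD, b"1234")
    after_pin = crypt_userdata(unwrap_master_key(footer, b"1234"), sector, ciphertext)

    new_footer, new_key = factory_reset()
    after_wipe = crypt_userdata(new_key, sector, ciphertext)
    return {
        "after_pin_ok": after_pin == photo,     # True: PIN change did not touch userdata
        "after_wipe_ok": after_wipe == photo,   # False: recovery tools see only "rubbish"
        "old_pin_rejected": unwrap_master_key(new_footer, b"1234") is None,
    }


if __name__ == "__main__":
    print(demo())
```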
lallissimo said:
I know I know I should have implemented some sort of backups whatsoever in the cloud or with a home NAS, but unfortunately for me I'm not that kind of guy.
This is a really weak excuse. If the photos were that valuable to you, you should have been backing them up. There really is no excuse. Backup options are available that are effective, free, and require hardly any action on your part (aside from the initial setup - you've done more by disabling the default backup options).
Recovering deleted data is always a hit-or-miss proposition, at best. The longer you have the phone on, the higher the chance those memory sectors will be over-written. May have already happened.
lallissimo said:
I'm not really scared of rooting or bricking the device. What really scares me is that by
unlocking bootloader -> wiping -> rooting -> (new encryption of the filesystem ?)
I will render the deleted missing files completely unrecoverable.
I don't have a lock gesture or pin and my screen can be unlocked just by sliding, however it seems my phone is encrypted.
This encryption I don't know how it works and how it relates with the bootloader unlocking, if someone have more information I would be glad to hear.
It doesn't matter. Unlocking the bootloader wipes all data on the phone by definition, regardless of whether it is encrypted or not. At least that is how it worked on previous Android devices I've owned, that did not have encryption by default. So I'd be willing to bet the same is true on the 3T.
lallissimo said:
I'm not 100% sure that my daughter has deleted the files. Maybe I've done a cut & paste which has not worked correctly on the phone as I've only 1 or 2 days of the beginning of July in my external hard drive. But it's more likely that my daughter has played with the gallery application on the phone.
I find it a little unlikely your daughter deleted all the photos. I don't see an easy way she could have done that to hundreds of photos, without an improbable number of screen taps. I'd use a good file explorer, and just keep digging. They might just be moved somewhere odd.
redpoint73 said:
This is a really weak excuse. If the photos were that valuable to you, you should have been backing them up. There really is no excuse. Backup options are available that are effective, free, and require hardly any action on your part (aside from the initial setup - you've done more by disabling the default backup options).
Recovering deleted data is always a hit-or-miss proposition, at best. The longer you have the phone on, the higher the chance those memory sectors will be over-written. May have already happened.
Thank you for the interest in my thread I really appreciate it.
I know a thing or two about backups and I see your point. There is an ancient Chinese proverb saying something like this: Backup is that thing that should have been done before.
However, being on xda I'd like to keep the discussion on a technical level if possible.
If you have any information or links on the way the internal memory is managed at the physical level I'd like to discuss it. As far as I know, in order to extend the lifetime of these solid-state memories the system does its best to write to the blocks as little as possible. I don't think I have already overwritten all the blocks of the internal memory. We'll see.
It doesn't matter. Unlocking the bootloader wipes all data on the phone by definition, regardless of whether it is encrypted or not. At least that is how it worked on previous Android devices I've owned, that did not have encryption by default. So I'd be willing to bet the same is true on the 3T.
I'm almost sure that the wiping does not overwrite the memory with all 0s and 1s. That would take a really long time and would also reduce the lifetime of the memory.
Take a look here for example
h*tps://www.krollontrack.co.uk/blog//top-tips/what-you-need-to-know-about-androids-factory-reset-function/
so my real enemy here is encryption.
I find it a little unlikely your daughter deleted all the photos. I don't see an easy way she could have done that to hundreds of photos, without an improbable number of screen taps. I'd use a good file explorer, and just keep digging. They might just be moved somewhere odd.
You could be right, still I need to be root to dig deeper.
lallissimo said:
I'm almost sure that the wiping does not overwrite the memory with all 0s and 1s. That would take a really long time and would also reduce the lifetime of the memory.
Take a look here for example
h*tps://www.krollontrack.co.uk/blog//top-tips/what-you-need-to-know-about-androids-factory-reset-function/
so my real enemy here is encryption.
This is just wishful thinking. That article sounds really paranoid to me. Whatever method the system is using to "scramble" the data is going to put it out of the realm of the cheap, consumer data retrieval tools (as you've pretty much already experienced). The article states:
A recovery is possible by looking at the data structures from a low-level and using specialist tools to recreate the data into a useable format
We aren't talking about free or $5 Android apps here. We're probably talking about specialist software that costs thousands of dollars. Yes, technically data is almost always retrievable. Law enforcement has tools that can retrieve "ghost" data images even after being overwritten multiple times. But such tools are feasible for consumers from a cost/benefit standpoint.
redpoint73 said:
This is a really weak excuse. If the photos were that valuable to you, you should have been backing them up. There really is no excuse. Backup options are available that are effective, free, and require hardly any action on your part (aside from the initial setup - you've done more by disabling the default backup options).
Recovering deleted data is always a hit-or-miss proposition, at best. The longer you have the phone on, the higher the chance those memory sectors will be over-written. May have already happened.
It doesn't matter. Unlocking the bootloader wipes all data on the phone by definition, regardless of whether it is encrypted or not. At least that is how it worked on previous Android devices I've owned, that did not have encryption by default. So I'd be willing to bet the same is true on the 3T.
I find it a little unlikely your daughter deleted all the photos. I don't see an easy way she could have done that to hundreds of photos, without an improbable number of screen taps. I'd use a good file explorer, and just keep digging. They might just be moved somewhere odd.
redpoint73 said:
This is just wishful thinking. That article sounds really paranoid to me. Whatever method the system is using to "scramble" the data is going to put it out of the realm of the cheap, consumer data retrieval tools (as you've pretty much already experienced). The article states:
A recovery is possible by looking at the data structures from a low-level and using specialist tools to recreate the data into a useable format
We aren't talking about free or $5 Android apps here. We're probably talking about specialist software that costs thousands of dollars. Yes, technically data is almost always retrievable. Law enforcement has tools that can retrieve "ghost" data images even after being overwritten multiple times. But such tools are feasible for consumers from a cost/benefit standpoint.
If someone has more technical information about the encryption part I'll gladly look at it.
As far as wiping is concerned I have given a quick look at the source code, so for example here:
https://www.pentestpartners.com/sec...ta-from-wiped-android-devices-a-how-to-guide/
and if this is still what's inside my android phone I'm sure that mkfs.ext4 is nothing to fear when you need to recover data.
Problem for me is encryption, but yes, I'm considering expensive solutions too. Just for the sake of the technical satisfaction, of course.

Question How to recover accidentally erased Camera folder from Samsung S21 Ultra - Data Recovery Android 12 / Root?

Problem:
My mum has an Android-based Samsung phone and unfortunately, when the main folder with photos ("Camera") was moved from the phone to the PC via USB cable, it was done using Cut and Paste. By accident the files were pasted into the Recycle Bin and we received the warning "Files will be permanently deleted. Do you wish to proceed?". We pressed "No" to abandon this process and undo the mistake. Nevertheless, the entire folder "Camera" had already disappeared from the DCIM folder on the phone (as viewed from the PC). Similarly, the folder appears to have been deleted when viewed from within the phone. (Also the phone now has 150 GB free, while before the process it had 110 GB free, so it appears 40 GB of photos have been deleted....)
Attempts to fix:
Standard photo / data recovery services failed to bring results (searching hidden folders using Windows Explorer, Total Commander and Ultdata Android).
We then tried two professional software solutions (Cellebrite UFED and Oxygen Forensic Device Extractor -- Android Agent), which also did not manage to locate photos on the device.
It appears as if they were completely deleted.
The same person who used the two prof software solutions above has access to PC-3000, but he claims it's not suitable for Android data recovery (?)
We have already spent 2 days and hundreds of dollars on consultations, which unfortunately still have not brought any results, while the emotional weight of deleted memories is haunting us. Thus, we appeal to help of this forum.
Current thoughts:
#1 All other methods suggested require rooting the phone, which apparently will wipe the whole phone and make recovery of that specific folder even less likely (correct me if I'm wrong).
#2 All suggestions to make back-up of the phone / clone the entire memory are not relevant, as the only files that are of importance here are the files in the deleted folder, and those files are not hidden and therefore will not copy into this back-up anyway (correct me if I'm wrong).
#3 One person told us to ask Samsung customer service, but their response was that they don't do data recovery and that they only can restore if there was Samsung cloud backup activated.
Questions:
Q1: What is our best course of action? It seems rooting is, one way or another, inevitable. What rooting method would be best to use here, given the situation and my phone specifications? I understand that there is no 100% guarantee to recover the erased photos, but we would like to at least give it a try with maximum chances of success.
Q2: Given that the files we want to back-up are already deleted and not visible, is it even worth it to try to make any back-ups? or will it be in vain, and should we just proceed to rooting and further recovery attempts?
Q3: IF, we successfully root, what is the best way to access the hidden data? Do we need help of this expert who has PC-3000 and specialized software, or is it going to be accessible using our own PC+USB cable + extra downloaded software?
Phone:
Samsung S21 Ultra (G998B). Android 12. No cloud, no backup. Phone not used for now. New data is not copied onto the phone. Phone not rooted.
Thank you for all your help. I do hope to find some solution. We are down hundreds of dollars, many hours of talking to consultants, many of whom appear to just google potential solutions and offer us some basic things, while the pain of cherished memories potentially lost forever is the worst, much worse than money lost. Any help or constructive feedback would be appreciated!
BTW if someone offers a working solution, I can offer consultancy fee for time and success fee in case of recovery.
Root probably won't be possible without unlocking the bootloader, and unlocking the bootloader factory resets the phone, which formats the internal storage and permanently deletes everything. I've used root apps to recover deleted photos and videos before but that only works if the phone was already rooted, or if there's a way to do it without wiping the phone. When I joined XDA almost a decade ago it was relatively common to see root methods that used exploits, and didn't require you to wipe the phone but that's not really a thing today. All this is to say that root is almost certainly not a viable option.
Have you checked for professional forensics services that can disassemble the phone and connect wires directly to the storage chips?
I've seen YouTube videos like this, where they get into the guts of the electronics and use solder and wiring. Sorry I don't know more specifics, but perhaps you can find them online and mail your phone for professional forensics recovery.
Maybe you can download a folder files of camera for the S21 Ultra :U
KingFatty said:
Have you checked for professional forensics services that can disassemble the phone and connect wires directly to the storage chips?
I've seen YouTube videos like this, where they get into the guts of the electronics and use solder and wiring. Sorry I don't know more specifics, but perhaps you can find them online and mail your phone for professional forensics recovery.
^this^ Your best shot. With this you may only get one shot especially if you cause more damage by misadventure...
Others here have gone this route and gotten good results. $400-800 for non rush service is in the ballpark.
KingFatty said:
Have you checked for professional forensics services that can disassemble the phone and connect wires directly to the storage chips?
I've seen Youtube videos like this, where they get into the guts of the electronics and use solder and wiring. Sorry I don't know more specifics, but perhaps you can find them online and mail your phone for professional forensics recovery.
blackhawk said:
^this^ Your best shot. With this you may only get one shot especially if you cause more damage by misadventure...
Others here have gone this route and gotten good results. $400-800 for non rush service is in the ballpark.
Thank you. I have come across some websites mentioning this, but could not find any agency of repute in my region offering such a solution. And especially if I can only get one shot with this, I definitely want to pick the best agency to try it out. The photos inside are worth it for me to shell out hundreds of dollars if necessary...
I wonder also, if we can reasonably expect technical progress to be able to solve this situation. I don't mean some stuff like quantum computing, but for instance I'm aware that the PS3 has recently been cracked, a few years after it came out. Can I reasonably expect something similar to happen to Android 12, that what's not breakable/crackable today may become so in 1-2 or maybe 3-4 years? While I'd hate to have to wait for 2-3 years, there's nothing time-sensitive in those photos; just family moments that I would like to be able to revisit 10 years later, so if I will only be able to access them later on, that's fine, I can just put my phone in a drawer for a few years and wait. As long as this wait is not in vain. Definitely don't need false hope.
Thanks for your feedback!
samsungs21 said:
Thank you. I have come across some websites mentioning this, but could not find any agency of repute in my region offering such a solution. And especially if I can only get one shot with this, I definitely want to pick the best agency to try it out. The photos inside are worth it for me to shell out hundreds of dollars if necessary...
I wonder also, if we can reasonably expect technical progress to be able to solve this situation. I don't mean some stuff like quantum computing, but for instance I'm aware that the PS3 has recently been cracked, a few years after it came out. Can I reasonably expect something similar to happen to Android 12, that what's not breakable/crackable today may become so in 1-2 or maybe 3-4 years? While I'd hate to have to wait for 2-3 years, there's nothing time-sensitive in those photos; just family moments that I would like to be able to revisit 10 years later, so if I will only be able to access them later on, that's fine, I can just put my phone in a drawer for a few years and wait. As long as this wait is not in vain. Definitely don't need false hope.
Thanks for your feedback!
There's a thread here I posted on going back 4-8 months. He had his data recovered from a Samsung for $1200 (rush job vs the usual $800 charge). I've tried to find it, but you see my post count. Usually that works in my favor, but not always. He shipped it to them if I recall correctly.
Try these guys. That may be the company he used. Been too long and it was of passing interest to me. If you do recover the data please report back. Many posters here have asked for this.
Due to the way those files were lost they may not be recoverable. Personally I would've written them off. However only a recovery specialist can say for sure.
blackhawk said:
There's a thread here I posted on going back 4-8 months. He had his data recovered from a Samsung for $1200 (rush job vs the usual $800 charge). I've tried to find it, but you see my post count. Usually that works in my favor, but not always. He shipped it to them if I recall correctly.
Try these guys. That may be the company he used. Been too long and it was of passing interest to me. If you do recover the data please report back. Many posters here have asked for this.
Due to the way those files were lost they may not be recoverable. Personally I would've written them off. However only a recovery specialist can say for sure.
Reached out to the guys you recommended, though their website / social media have not been updated since 2020... Will report back on the progress.
samsungs21 said:
Reached out to the guys you recommended, though their website / social media have not been updated since 2020... Will report back on the progress.
I'm not sure that's who he used and I know only what I read on their site. Just saying...
Can't you just plug the phone into a PC and use a recovery tool like DiskDrill, or something?
Flash the original firmware
Samarimama said:
Flash the original firmware
That would do nothing except complicate the issue.
RSGI said:
Can't you just plug the phone into a PC and use a recovery tool like DiskDrill, or something?
Tried that. The phone is not considered a hard drive, hence it neither appears on the list of hard drives in Disk Drill, nor can be selected as a folder/destination to run it on...
samsungs21 said:
Tried that. The phone is not considered a hard drive, hence it neither appears on the list of hard drives in Disk Drill, nor can be selected as a folder/destination to run it on...
I should mention that even if the jpegs can be recovered their exif data is not able to be associated with the jpeg. The folder structure is lost as well. A sea of jpegs with no time stamp or original image name. A daunting task in itself to sort these out.
Make a factory reset
Samarimama said:
Make a factory reset
That would overwrite the lost data potentially making it impossible to recover as if it's not already bad enough.
It was a simple data transfer that went bad (this can happen), nothing indicates the user partition or rom are corrupted... throwing rocks at it doesn't help.
samsungs21 said:
Tried that. The phone is not considered a hard drive, hence it neither appears on the list of hard drives in Disk Drill, nor can be selected as a folder/destination to run it on...
Try an app called "Disk Digger". It's on the Play Store. It might help.
RSGI said:
Try an app called "Disk Digger". It's on the Play Store. It might help.
If you're not going to use a professional recovery service, go for it.
Otherwise using the device risks overwriting the now unallocated data... once overwritten recovery is completely impossible on a flash drive.
blackhawk said:
That would overwrite the lost data potentially making it impossible to recover as if it's not already bad enough.
It was a simple data transfer that went bad (this can happen), nothing indicates the user partition or rom are corrupted... throwing rocks at it doesn't he
Samarimama said:
Make a factory reset
That would definitely ruin his chances of any recovery... just avoid doing any writing to the storage, because if the data you want to recover is overwritten, it's definitely gone... at least intact...