Related
http://forum.gsmhosting.com/vbb/f606/acer-liquide-unlock-solution-100-working-1092894/
I am confused because the OS update from the global Acer site doesn't create a folder called "qcn" or "01" or "03."
If anyone knows how to get this free unlock working, please educate us. I'd rather not pay for an unlock.
I did not try, but I downloaded the file, and translated the french, not sure what to make of it, I think it could be dangerous if it's for liquid and not liquid e, although, writing nv items on most similar devices should be the same
French to English translation
Flasher / unlocked his Liquid AMSS in Fashion
Render unto Caesar what belong to Caesar:
I would like to thank DNA without him if he was not mistaken in the keys that I have given him, I'd still be looking!
Right now the heart of the matter ...
The Acer software to reverse mode AMSS Tools uses to flash the baseband before flashing the rest of the liquid, you could just put up this system, those with Maleza recovery or at worst by fastboot.
But in any case we could touch the baseband, much less dream of désimlockage its Liquid!
The method I'll suggest is as dangerous as a flash! In fact it is one! So be very careful, no hurry, because even if it is recovered through this method, about 10 minutes of flash is a long time anyway!
With this, any liquid is recovered even those whose method fastboot can not walk alone are not such that the light at all, unfortunately, more vibration and hopelessly lost!
If you still have access to your phone, do a backup!
Otherwise:
0 Download this-> http://www.mcboydesign.fr/media/acer_liquid/amss_mode/amss_mode.zip and unzip it!
1 Turn off your phone if it is not already the case!
IMPORTANT: The drive must be disconnected!
Volume 2 Make (and not-as Volume Recovery!) Picture Power, all at the same time, the liquid will vibrate twice, but nothing appears on the screen!
3 Plug the USB into Liquid on your phone, I do not explain here how to ask the drivers, there is enough explanation on the Forum!
If you're curious, you'll see in your device manager in "port COM & LTP" a port whose name appeared is quite explicit!
4 Open Acer Tool!
IMPORTANT: If you're running Vista and Seven, do not forget to right click on the icon of acer tools and do "Run as administrator", if not crash!
5 You will see that you are logged in AMMS (connected (AMSS)), with "Browse" go get your bin, select "Select QCN File Manually" and START!
6 A window appeared, press "Yes"
7 And there does not touch anything, the flash is short, about 10 minutes or more depending on the PC!
...
8 A window is opened again, select the file I give you (desimlock.xml) And be open,,,
9 Do not worry your Flash will be a long shot, as if he walked over, wait (almost a minute!)
10 Do not touch anything now as you do not "Process Finished, You Can remove USB" Acer Tools!
11 Enjoy! Finished!
This method replaces fastboot and serves also unlocked
Small Tip: In another flash, Acer Tools has detected a former NAQ, and my re-simlocker Liquid, Think A1_QCN delete the directory at the root of C: (or save it elsewhere if you prefer!)
I hope this will help everyone!!
Remains for me to figure out how to manually send files to other AMSS and not having to use Acer Tools!
dan-htc-touch said:
I did not try, but I downloaded the file, and translated the french, not sure what to make of it, I think it could be dangerous if it's for liquid and not liquid e, although, writing nv items on most similar devices should be the same
French to English translation
Flasher / unlocked his Liquid AMSS in Fashion
Render unto Caesar what belong to Caesar:
I would like to thank DNA without him if he was not mistaken in the keys that I have given him, I'd still be looking!
Right now the heart of the matter ...
The Acer software to reverse mode AMSS Tools uses to flash the baseband before flashing the rest of the liquid, you could just put up this system, those with Maleza recovery or at worst by fastboot.
But in any case we could touch the baseband, much less dream of désimlockage its Liquid!
The method I'll suggest is as dangerous as a flash! In fact it is one! So be very careful, no hurry, because even if it is recovered through this method, about 10 minutes of flash is a long time anyway!
With this, any liquid is recovered even those whose method fastboot can not walk alone are not such that the light at all, unfortunately, more vibration and hopelessly lost!
If you still have access to your phone, do a backup!
Otherwise:
0 Download this-> http://www.mcboydesign.fr/media/acer_liquid/amss_mode/amss_mode.zip and unzip it!
1 Turn off your phone if it is not already the case!
IMPORTANT: The drive must be disconnected!
Volume 2 Make (and not-as Volume Recovery!) Picture Power, all at the same time, the liquid will vibrate twice, but nothing appears on the screen!
3 Plug the USB into Liquid on your phone, I do not explain here how to ask the drivers, there is enough explanation on the Forum!
If you're curious, you'll see in your device manager in "port COM & LTP" a port whose name appeared is quite explicit!
4 Open Acer Tool!
IMPORTANT: If you're running Vista and Seven, do not forget to right click on the icon of acer tools and do "Run as administrator", if not crash!
5 You will see that you are logged in AMMS (connected (AMSS)), with "Browse" go get your bin, select "Select QCN File Manually" and START!
6 A window appeared, press "Yes"
7 And there does not touch anything, the flash is short, about 10 minutes or more depending on the PC!
...
8 A window is opened again, select the file I give you (desimlock.xml) And be open,,,
9 Do not worry your Flash will be a long shot, as if he walked over, wait (almost a minute!)
10 Do not touch anything now as you do not "Process Finished, You Can remove USB" Acer Tools!
11 Enjoy! Finished!
This method replaces fastboot and serves also unlocked
Small Tip: In another flash, Acer Tools has detected a former NAQ, and my re-simlocker Liquid, Think A1_QCN delete the directory at the root of C: (or save it elsewhere if you prefer!)
I hope this will help everyone!!
Remains for me to figure out how to manually send files to other AMSS and not having to use Acer Tools!
Click to expand...
Click to collapse
i tried ur method bro, but when i choice desimlock.xml file, Acer tool show Sever connection fail, and phone stuck at recovery mode...plz help bro
Turkeys' ULTIMATE Guide to Rooting v42.1.2
Note: It does not work on 2.2.1 Wildfire's (i.e. - Any bought after Feb - March 2011)
Like this guide? Hit the thanks button at the bottom left of this post
Before You Start
This is a new type of guide, an experiment if you like. The whole point is to get you with a fully functioning, rooted phone. But also to teach you something. Each step first tells you what you're going to do before you do it. By the end not only should you have a rooted phone but you will hopefully have priceless knowlege of how Android works.
Enjoy.
Need Help?
If at any point during this guide you need help, something's gone wrong or you need some extra clarification. Hit the help button.
The help button will link you to the #rootmydroid IRC help chat channel, where you can ask questions or get walked through the whole thing if you really need to. We have experts on hand to help you out.
PLEASE NOTE: At peak times our experts may be busy so please be patient.
So, Mr. Turkeys, what have you got for us today?
Root Guide
Post 1 - Intro
Post 2 - UnrEVOked (Rooting)
Post 3 - Flashing a ROM
Post 4 - Flashing a new Radio
Other Guides
Unroot
A2SD
More Coming Soon... Stay tuned!
So, click a link to the guide you want and get cracking, enjoy!
Donate
Should you feel the crazy need to donate to me, you can do so below.
GBP
EUR
USD
So, you wanna root?
Rooting is not easy like some people make it out to be. All these 1 click Noob-Proof tools can actually go wrong. And they do.
But lets get this clear, IT'S ALMOST impossible to brick. I'd put the odds on about a 99.9% chance you will not brick beyond repair. However, things probably will go wrong, which is why you will need to follow the instructions very carefully.
Pre-Root Info
I want to make sure the rooting process goes well for as many as you as possible, so get ready to read lots of information that will turn you from a Noob into a lean, mean rooting machine.
And for those of you who like to slack off and think "I cba to read all that crap", I've made it so you have to answer a question to get the download links. Aren't I nice. Seriously though, it really will be a lot easier for you if you read all of this, you will thank me for it one day.
Pro users who know what HBOOT is, how to flash a ROM and can use ADB can safely skip this step
Android Glossary
This page is probably the most valuble bit of information you will ever need during your rooted life. Behold, the VillainROM Android Glossary. (Cheers Pulser )
http://bit.ly/9HtICk
Read it. Read it ALL. No questions asking for these terms will be tolerated in this thread and you will be teased so much you will want to die. So please, read it carefully.
Downloads
Now, for the bit you've been dreading. 2 downloads. 2 questions. One answer will link you to the download. The other two will link you to a humorous fail picture. (And for all you sneaky cheaters out there, I've bit.ly'd the links. Take that.)
Question 1 - UnrEVOked download
What do you use to flash a ROM?
A) UnrEVOked
B) ADB
C) Recovery
Question 2 - Other Stuff Download (We may ask you to use this on the help channel)
What is a RUU?
A) A tool to root your phone
B) A tool to return your phone to 'stock' (unroot)
C) A tool to flash a ROM
You can also get countless lulz from adding a + to the end of those links and comparing the wrong answers to the correct ones. Yes people really don't read the information.
OK, I've talked enough now, let's get down to business...
So, hopefully you now know all the terms, which makes my life a lot easier as I don't have to explain everything. Let's begin.
Root Guide - Pt. 2 - UnrEVOked
1) Ensure you have downloaded and extracted the first download in the above post to somewhere you can remember and access easily. For the purpose of this guide, I will refer to that folder as the 'Root Pack'.
Next, we are going to prepare the UnrEVOked program to run. If you are a Windows user, this means installing the drivers, if you use Linux or Mac you just have to run the app as mentioned later. We have to install HTC Sync to get adb drivers and we have to uninstall it again as it interferes with UnrEVOked. The drivers however remain which is why you need to install it.
2) (Windows Only) If you have not already, download HTC Sync and install it. Then uninstall HTC Sync as well as any other software that may interfere such as doubletwist. Next, follow this guide to set up the hacked HBOOT drivers. Make sure you reboot your PC after doing this.
Next, we need to prepare your phone. We will make sure USB Debugging is on as UnrEVOked needs this to send adb commands to the phone. We also need to enable Unknown Sources so that UnrEVOked can push busybox and SuperUser Permissions apps to the phone.
3) With your phone go to Settings > Connect to PC > Default connection type > Charge Only and untick Ask Me. Then go to Settings > Applications > Development > Make sure USB Debugging is ticked. Then go back to Applications and make sure Unknown Sources is ticked.
Next, we're going to run UnrEVOked. What it does is reboot into HBOOT mode, and use an exploit to gain a temporary NAND unlock. Then it uses fastboot to flash a recovery image, and then pushes the su files required for root.
4) WINDOWS USERS: Right click on the 'unrevoked.exe' file (Or something similar) in the Root Pack and click 'Run as Admin' (Not required for XP)
LINUX USERS: Right click the 'ClickHereToRoot.sh' file and UnrEVOked will start. (Make sure you chmod 755'd it first)
MAC USERS:
mattbeef said:
Unrevoked, if your a mac user like myself then drag the app inside the dmg to the desktop and run it from there. Most mac users are lazy and will try to run it from the dmg.
Click to expand...
Click to collapse
GETTING A MISC RELATED ERROR? See post eight.
Your phone should now reboot and then congratulations! Your phone is rooted. However, the root that UnrEVOked gives you is basic. No ROMs or good stuff. So you must read on to the next post to flash a custom ROM...
Now you've rooted, let's flash a ROM. We will backup all your apps then flash a ROM then restore your apps. Ready?
Pt. 3 - Flashing Your First ROM
**NOTE: You can repeat Pt. 3 every time you want to flash a new ROM or update
Next we're going to download and use Titanium Backup to backup all your apps as we will have to wipe your phone to install the ROM. You can use the same method if you ever want to backup/restore in the future too.
1) Download & Install Titanium Backup from the market. Open it and hit the 'Problems' button to download busybox, a suite of commands for rooted phones.
Then hit menu then batch, and tap the button next to Backup All User Apps + System Data. Let it complete before moving on to the next step.
Next we're going to reboot into recovery mode to flash the ROM. You can use this if you ever need to get into recovery in the future.
2) Turn your phone off and turn it on again holding POWER + VOL DOWN to enter HBOOT mode. Wait a few seconds while it checks for images before using the VOLUME KEYS to scroll and POWER to select Recovery. Your phone will now vibrate and reboot into recovery mode!
Next we're going to do a full backup of your phone using Nandroid. This will backup the entire state of your phone in case you ever
want to go back. You should really do this every time you flash a new ROM.
3) Use the TRACKBALL to scroll down to where it says Backup or Nandroid or Backup / Restore. Then select Backup and wait for it to finish.
Now we need to wipe your phone. Whenever you flash a different ROM you should Always do this, when you are updating the ROM you should check on the release thread for information.
4) If you are not on the Main Menu in recovery, hit back a couple of times to get there. Then, use the TRACKBALL to navigate down to 'Wipe Data / Factory Reset' and accept the scary warning to wipe your phone.
Now we can flash the ROM! Ensure you have downloaded a ROM and it is on the root (Not in any folders) of your SD card. The flashing process may take a few minutes.
5) From the Main Menu, scroll down to and select Install zip from SD Card and then select Choose zip from SD Card then select where you put your ROM and wait for it to complete. Then, select Reboot System Now to reboot into your shiny new ROM!
Your phone will now reboot, it may take a while to reboot as it's rebuilding the Dalvik Cache. If it still doesn't boot up after 10mins, pull the battery and consult the ROM thread for troubleshooting.
Now we're going to restore that Titanium Backup you made before starting Pt. 3. It will restore all your apps back but not system data. (ie Settings) You can use Titanium Backup any time you want to backup/restore your phone.
6) Download & Install Titanium Backup again and tap Menu Button > Batch > Restore Missing apps + data. It should prompt you to reinstall every app again.
--------
Congratulations, you have qualified with a rooted phone from the Turkeh Root School!
(Unless you're reading this without having actually done any of this guide)
So, go off and ask questions, answer questions, and contribute to the community! We'd also really appreciate it if you could hang out in the help channel to help other people trying to root too.
Thanks for rooting! You can also follow some of the other guides to install all apps on the SD card, Unroot & S-OFF
Pt. 4 - Flashing a New Radio
Flashing a Radio
The radio is the lowest part of your phone. (ie It's the very first thing that loads when you turn your phone on.
Most ROMs will have a required radio version, but most will agree that it's best to be on the latest as they often improve battery life etc.
You can downgrade your radio and you can find your radio version by going to Settings > About Phone > Software Information > Baseband Version.
Your ROM should tell you on it's thread what the recommended radio version is, so download it, transfer it to the root of your SD card as you did in Pt. 3 then follow this.
Now we're going to reboot into recovery mode as we did in Pt. 3 to flash the new radio. There is also an app on the market called 'Quick Boot' which you can use to quickly get into recovery. The next step will assume you have this.
1) Open Quick Bootand tap Recovery then tap Allow on the SuperUser permissions prompt.
Note: The SuperUser Permissions app will prompt you whenever an app is requesting to use root. You should look over which app is requesting this before you allow it.
Next, we need to flash the radio. You do this exactly the same way as you flash a ROM, which you did in Pt. 3.
2) Use the same method you flashed the new ROM in Pt. 3 to flash the radio. You do not need to Nandroid backup or wipe to do this, just flash the zip.
Note: Your phone may reboot a couple of times and will show a picture of the Android Robot while it is flashing the radio. It has NOT crashed, it is flashing it. DO NOT pull the battery, it will reboot when it is done.
Your new radio has now flashed!
A2SD
Note: It has come to my attention that doing this with ROM Manager doesn't work most of the time. If you have problems please partition your card another way. (I recommend GParted - There is a Live CD if you don't have Linux)
First, we need to partition your SD card with ROM Manager. This will wipe all the data on your SD card so please backup before continuing.
1) Open ROM Manager (Download it from the Market if you don't have it - Although you will need the Market Mod to show all apps) and press Menu > Manually Override Recovery **Not sure exactly what it says, pls could someone help me out here** Then scroll down to Partition SD Card. Choose the ext size you want for your apps to be installed on, then tap 0 for swap size, then tap OK to reboot into recovery and start partitioning!
Note: While it's partitioning it will show a picture of an Android. You can press (Power?) to see what it's actually doing and if there's any errors.
Now, you need to check the ROM thread for info. Most ROMs activate it automatically when it detects an ext partition on your phone. On some others you need to flash a special update.zip. If you are unsure hit the help button on post 1 and we'll help you out.
Congratulations, you now have Apps2SD! Exactly what you will have (dalvik2sd etc) will vary between ROMs.
Unroot
These RUU programs that you use to unroot are Windows only, but fortunatley I wrote a tool for Linux called OpenRUU so you can flash them on there. If you are a Mac user, take a moment to ask yourself 'Why am I using a Steve Jobs product?' as there is no way for you to run the RUUs.
First, we are going to identify what RUU you need to download and flash then download it. (Bravo is the codename for Desire, all RUUs use this name)
1) Go to shipped-roms.com, click on the Android Robot then click on Buzz. Now, you need to recall what version of Android you were on before you rooted. If you had a carrier supplied device you should also get the one that is applicable, but if you are unsure or your carrier is not listed go for one that says WWE. (World Wide English - All Languages) Or come on our IRC channel for advice.
Note: HTC Sync must be installed before continuing. The next step will also wipe all your apps + settings!
Next we're going to run the RUU, this should take around 5-10mins. DO NOT touch your phone during the flashing process!
2) Double click on the RUU file you downloaded in step 1, read the readme, and click to start the flashing process.
After it's done! Your phone now should be completley back to stock status!
If you get an error during the flashing process, try again and then come on our IRC help channel for assistance if it persists.
Fixing the Annoying unrEVOked Backup CID Missing errors
NEW, EASY METHOD
I managed to find unrEVOked 3.2. If you want to use that as a fast-track then that's fine, but please read the following carefully:
Code:
[B]DISCLAIMER:[/B]
Please be aware that this build was pulled from unrevoked.com because it was not safe.
USE AT YOUR OWN RISK!
If it ****s up and you point the finger at me, I will laugh at you.
This is only for 'Backup CID Missing' errors. if you use this on any other type of misc error it might brick.
Download. Run in replace of unrEVOked 3.21 in the standard guide.
You can still use the old, misc editing guide below:
(Guide edited from http://home.kennynet.co.uk/~kenny/bcid-fix.txt to be more noob-friendly)
This fixes:
Backup CID Missing
Unfortunately, because a couple of people corrupted their misc partitions during the testing of unrEVOked 3.2, they brought in a load of stupid, annoying safety features that included checking the misc partition on your phone.
/rant
What is misc?
Misc is a partition on your phone. It holds various switches and stuff, such as your:
Official HTC ROM Version
Your CID (Which tells the phone what carrier/region your phone is)
However, sometimes, the CID is not in misc or your misc is corrupted. This process will add in the CID to misc and reflash misc. (which may fix other misc related errors but probably wont)
Warning! Misc is quite an important part of your phone. If it gets severely corrupted you may loose USB access. Me or anyone on our IRC help channel take no responsibility if you **** up somehow.
This guide is designed for Windoze, Linux users use common sense adapting the instructions and can use a Linux hex editor like ghex. (Works just the same)
Please ensure you have downloaded the other stuff file on the second post before continuing and have extracted it to C:\root.
First, we need to use adb to grab misc off your phone. We will get temporary root then grab misc.
1) Open a command prompt on your computer by going to Start > Run and typing cmd then pressing enter. Now type the following pressing enter on each line. (Make sure your phone is connected and you have the drivers installed.)
Code:
cd \
cd root\adb
adb-windows devices <---- Make sure it finds your phone before continuing
adb-windows shell <----- You should see a $
$ /system/__unrevoked_su <---- Getting temp root
# cat /dev/mtd/mtd0 > /sdcard/misc.img <---- Copying misc to your SD Card
# getprop ro.cid <----- This is your CID. Remember what this says, it should say something like HTC_000 or 1111111 if you have a goldcard
# exit
adb-windows pull /sdcard/misc.img misc.img <---- Getting the misc we copied before
You should now have a file called misc.img in the C:\root\adb folder.
Now come on to the IRC help channel here. We will stick the CID into the misc.img so you can carry on as it really is complicated. You can also post here if nobody is avalible and I will sort it ASAP.
(If you've done hex editing before, all you do is put the CID you got above in at position 0 then add a 00 at the end so the hex string looks something like "48 54 43 5F 5F 30 30 31 00")
Make sure you save the file that we give you back to C:\root\adb overwriting the original misc.img file.
Next we're going to push misc back on to the phone using a similar method to step 1. Have open a command prompt and cd to the correct directory as in step 1 before proceeding.
2) Type the following in the command prompt:
Code:
adb push misc.img /sdcard/new-misc.img <---- Pushing misc back to your SD card
adb-windows shell
$ /system/__unrevoked_su <---- getting temp root again
# /data/local/flash_image misc /sdcard/new-misc.img <---- Using flash_image to flash the new misc
# exit
Now rerun unrEVOked and everything should be as shiny as the plastic Samsung use to make their phones.
Click to expand...
Click to collapse
Reserved for good measure.
I'm sure this will help many people. Should be sticky'd
HCDR.Jacob said:
I'm sure this will help many people. Should be sticky'd
Click to expand...
Click to collapse
Good Idea!!!
For the rru you need to click on the windows mobile section and select buzz NOT bravo
Added A2SD guides, misc fix & unroot guide. Bump to v42.1.2
Many Thanks,
Helps loads confirm my thinking after a couple of days reading, I just have to grow some balls n take the plunge
My main concern is my WF is a UK Voda PAYG which I believe is locked n I'm unsure whether I should get n unlock code before doing anything.
I did read in a Desire thread that updating a stock rom without a sim could unlock, but haven't seen any other refs to unlocking WF other than code.
Note: Unroot section still refers to Desire Bravo not WF Buzz
Thanks agin
PanGalactic said:
Many Thanks,
Helps loads confirm my thinking after a couple of days reading, I just have to grow some balls n take the plunge
My main concern is my WF is a UK Voda PAYG which I believe is locked n I'm unsure whether I should get n unlock code before doing anything.
I did read in a Desire thread that updating a stock rom without a sim could unlock, but haven't seen any other refs to unlocking WF other than code.
Note: Unroot section still refers to Desire Bravo not WF Buzz
Thanks agin
Click to expand...
Click to collapse
You shouldn't need to unlock or anything.
Thanks, I'll change that bit now
42turkeys said:
You shouldn't need to unlock or anything.
Thanks, I'll change that bit now
Click to expand...
Click to collapse
And buzz is under windows mobile for some reason
The guide really great....but the shipped rom website don't have RUU for Buzz
coltrain said:
The guide really great....but the shipped rom website don't have RUU for Buzz
Click to expand...
Click to collapse
Look under windows mobile - who put it there? Those files do work.
This thread still not stickied?
Piece of art already. Should be stickied for sure.
I thought a bit about 'reporting' the thread to make a mod notice it but it said specifically what report was to be used for , so i didn't do it , i guess we'll have to bump it up so it gets stickied. Great post !!
Hi folks,
we have some lucky users among us with a generic (Dev) IMEI - some of these are able to get OTA updates, thought for testusers and/or developers from Samsung, after they install latest Test firmware XXLSA from sammobile....some got updates up to XXLSC and already provided a dump. Others got updates up to XXLSD (and maybe higher in future - who knows, where the journey ends...), but don't know what to do to share this firmware with us 'Flashaholics' here on xda and other forums...
Now, as more and more people asking me (why ever me...) how to make a system dump from Stock Firmware, I decided to write a short 'HowTo for Dummies'. So if you know about someone, who has a unknown Test Firmware installed, or YOU are the chosen one, just follow this tutorial and make us happy
This is just one way of several to do this - but as I think, it is the easiest way for newbies (without having to use Android SDK and adb shell on PC --> that's what experienced would do )
Prerequisites:
- at least 1,4 GB free space on internal SDcard
- a brain (and above 80 IQ-points...)!!!!!
Step 1) Rooting your Stock Firmware (thx to Phil for the steps, I just copy/pasted them) --> if you already have Root + busybox installed, go to Step 2) directly
download this Root_Superuser_3.1.3_Busybox_1.20.2-Update1-signed.zip and this cwm-non-touch-6.0.1.4-i9100.zip
Put the previously downloaded cwm-non-touch-6.0.x.x-i9100.zip file on your external sd card
Copy the Root_XXX.zip file you downloaded to internal or external sd card
Boot into stock recovery (volume up+home+power), and select "apply update from external storage". Now select the cwm-non-touch-6.x.x.x-i9100.zip file you copied in previous step (this step gives a temporary flash that will disappear after reboot)
You get CWM recovery interface (this custom recovery is temporary, not permanent)
Inside CWM, select "install zip from sdcard". Then, select "choose zip from sdcard". Now, scroll down to the "Root_XXX.zip" file and hit power button to install it.
It will add SuperSU or Superuser last version apk to system/app, last superuser binary (su) to system/xbin and busybox last version to system/xbin, all with correct file permissions.
Reboot and you get permanent root + busybox installed on your stock kernel.
(You can easily unroot your device afterwards...it is also described in Phils thread, where I took all these from: [20 Sep 2012][ICS]Universal Rooting for most ICS phones, Any ROM, now with CWM6 )
Step 2) Making a complete System Dump of Stock Firmware:
Install 'Terminal Emulator' from Playstore
Open Terminal Emulator
type 'su' with your internal keyboard and press return button
grant Superuser access on upcoming popup window
now type the following line and press return button after finished typing:
Code:
dd if=/dev/block/mmcblk0p8 of=/sdcard/modem.bin
==> this will generate 'modem.bin' (= Modem) on your internal SDcard (will be finished after a few seconds)
now type the following line and press return button after finished typing:
Code:
dd if=/dev/block/mmcblk0p5 of=/sdcard/zImage
==> this will generate 'zImage' (= Kernel) on your internal SDcard (will be finished after a few seconds)
now type the following line and press return button after finished typing:
Code:
dd if=/dev/block/mmcblk0p12 of=/sdcard/hidden.img
==> this will generate 'hidden.img' (= preload partition) on your internal SDcard (will be finished after a few minutes, as it is more then 300 mb!)
now type the following line and press return button after finished typing:
Code:
dd if=/dev/block/mmcblk0p9 of=/sdcard/factoryfs.img
==> this will generate 'factoryfs.img' (= system partition) on your internal SDcard (will be finished after a few minutes, as it is more then 800 mb!)
Now you have the following output / files on your internal SDcard:
modem.bin
zImage
hidden.img
factoryfs.img
==> zip these 4 together and upload them to a hoster ==> post the link here and devs can start building a new ROM (Stock + CustomROMs) and kernel devs (now we luckily have Phil for that) can preroot the kernel + put in CWM recovery.
That's all and really very very easy....
Disclaimer:
I am not responsible for any damages - it is your risk (though it is not a dangerous thing to do!)
hope this will be a very good guide in getting the new leaked rom from sammy
Nicely done my friend this should ease up on some of the users (the ones who get updates for us XD)
Congratulations on this, now you see why community loves you soooo. liebe endet nie !!
es ein vergnugen es zu lesen. gute arbeit eybee :good:
Thank very much boss
Hope you will be one of the prof when xda university will open.
Thank you very much
Hope now when we will see LS(any letter) it will be with the links of the dump
Envoyé depuis mon GT-N7000 avec Tapatalk
Funny
Envoyé depuis mon GT-N7000 avec Tapatalk
Cool bro thanks but you can use the supersu.zip and the busybox.zip from stock recovery
Tapatalking on my n7000
msedek said:
Cool bro thanks but you can use the supersu.zip and the busybox.zip from stock recovery
Tapatalking on my n7000
Click to expand...
Click to collapse
It was easy copy paste for me in the rooting part....you can root and install busybox in 567 different ways...in the end the result counts
Clicked for Newsworthy article. :thumbup:
Sounds really simple for someone who doesn't have the second prerequisite.
Back uped the info.
Sent from my GT-N7000 using Tapatalk 2
Sharing your valuable knowledge and experience is priceless for those who are interested. Well, me, I simply follow pros like you.
Sent from my GT-N7000 using xda premium
In addition to Step 2:
I made the dumps from my PC with a connected device with "adb", so I could copy them to the harddisk directly.
"adb devices" for checking if connection is established, "adb shell" switching to the device, "su" for root access, and then the commands eybee1970 explained in detail.
After that I fetched the files in my file manager from the connected device.
I prefer to work with terminal windows on the PC and not on the device.
With this you do not need Step 1 - because I didn't
another great one from eyebee
great guide for learners like me
thanks
ThaiDai said:
In addition to Step 2:
I made the dumps from my PC with a connected device with "adb", so I could copy them to the harddisk directly.
"adb devices" for checking if connection is established, "adb shell" switching to the device, "su" for root access, and then the commands eybee1970 explained in detail.
After that I fetched the files in my file manager from the connected device.
I prefer to work with terminal windows on the PC and not on the device.
With this you do not need Step 1 - because I didn't
Click to expand...
Click to collapse
That's why I said 'for Dummies'....no PC, no Android SDK, no adb shell...just the device
This is a superb guide! cheers eybee
Deleted
Sent from my GT-N7000 using xda app-developers app
Now the history rolls back...
as people raced to create their own custom roms.
The chosen ones with their great knowledge was kind enough to uncover about the custom rom things and shared it with some tutorials here in xda-dev for people who needed it.
Just like the old time...when WinMo has a bright future here.
Thanks a million for devs and chefs at xda-dev who always spread the lights.
ZacDerbyshire said:
Great guide. A little off topic but I don't know where else to ask and you are an expert in ROM making. How do I put things like all multiwindow apps and 4 way reboot in the ROM build before it goes on the phone? Sorry again for it being in here, can't find anywhere else to ask.
Sent from my GT-N7000 using xda app-developers app
Click to expand...
Click to collapse
4Way reboot mod is at the system/framwork/ directory "android.policy.jar" file is responsible for this stuff....
as for all multi apps after an investigation it appeared it looked for a certain statement to know whether its a sammy app patching that code to the launcher and editting the policy for this feature too gets you all apps access (almost all) as some just dont work....
there are plenty of guides and tutorials over the internet and forums... on different phones mostly but with a little time you can manage everything as you want to so READ some enjoy!
i'am guessing we need to start writing more tutorials in the N7000 section in here we have no knowledge sharing mostly developing and some new guys are ready to try their own so we have to share everything it started with eybee (thanks to him) and hopefully will continue with all other guys who do mods.... no matter how small it can be usefull.
believe it or not but even devs assist each other with mods its not like each one was born with all that OP-Code in his head
Ah...good guide eybee.Let me see if i can make a shell script to dump the partitions and make odin roms out of it.I already have scripts to dump and make odin rom for /system,/data partitions.will add preload,kernel and modem to the script.Let me see how my time permits today.Hope the script will help people.But the only drawback is it will work only on linux.Users may use cygwin too for it
Sent from my GT-N7000 using xda app-developers app
eybee1970 said:
That's why I said 'for Dummies'....no PC, no Android SDK, no adb shell...just the device
Click to expand...
Click to collapse
For my case adb shell was not succeed. Device reboots unexpectedly while dumping factoryfs. Maybe file size is too big. Thus I had to use terminal emulator though pc keyboard is much more convenience
Great tutorial!
Sent from my GT-N7000 using xda app-developers app
Two remarks:
Typing something like "dd if=/dev/block/mmcblk0p9 of=/sdcard/factoryfs.img" is never something I would call easy. If you do not have Linux shell commands knowledge, than these are about "50 characters without meaning" that you have to type (on the keyboard of your device - which is even more error-prone).
PC or Note: it is never dummy-simple.
Making a batch wich automatically generates an ROM installable with ODIN (so the result are tars) is dangerous.
The difference between "dump" and "dumb" isn't so big - as I just proved myself.
When you make a batch with a complete process from dumping, copying, building to a "blob" installable with Odin there will be no step in the process for quality control.
Example (hurts to write this): If there's something in the original Rom you are dumping that couldn't be shared then it makes its way through the process in to the final Rom. And the dummy user of these scripts will never know or can protect himself from it.
Only pro from this: after learning this the hard way you don't feel like a dummy user anymore.
So it happened day before yesterday, 8-22-17 @ ~5:50 PM, my Verizon S6 Edge (G925VZKE [64GB]) bricked out. No LED Light, nothing on Screen, nothing as if actually Hard Bricked. No booting, No download Mode, nothing. But it's not fully hard bricked actually. When I plug the device into my PC, Windows will either pop and say the device malfunctioned or it will read as "Exynos7420". I'm not quite sure what to do about it at the moment, I've read [a little] about what to do with phones in this mode using a "USB_Down_Load_32bit"/Multidownloader. I believe it to be stuck in a Diagnostic Mode I'm not versed in. This all happened while I was in the ADB Root Shell (su:s0) while the device was powered off and charging.
I am making this thread here for any devs you would want to use the knowledge and files here, to take the project further. As I cannot currently use my device at all. And I won't be getting a replacement S6 Edge for at least a month, maybe two. I love the S6, and will still choose it over most devices. I've been dedicated to researching and posting about the Samsung Exynos7420 Hardware since September 2016. That was when I came up with the plan for The Greyhat Root Project. You may recall my other thread once in the Original Development Forum & now in General. If you search "Greyhat Root" in google. My thread will be the first result. It gained a lot of traction, very very quickly. But is now dead, and the mods probably hate me for making a new thread. But I'm not trying to put new news out there this time.
It focused on how to use Kali Linux and Metasploit. It also focused on the articles at the time that was new exploit & malware research, that boasted of the possibilities we've now come to know as the Vault7 leaks. There's probably a reason I was a victim of the malware myself and I took down most of the posts. Most of the good file and resources I posted to that thread were either flagged by end users or removed by google. The real treasure of that thread is lost to the internet now, as that was the only backup I had of some of the critical files needed for the process. If you actually look through my individual posts all over, you will find some juicy tidbits of knowledge spread around this site that I've not compiled into one. A lot of it is still over my head as it was then, and partly why I took it down then. But I've been chipping away at that knowledge base everday for 10 months going on a year now. It's possible to root this device if One can take the knowledge of how to leverage the news worthy exploits from the past 2 years into a single repo/application. "Android-InsecureBankv2" is one example of such a platform. But as a teaching platform, it is not configured to provide a SuperSu Root Solution out of the box. It would still require modification of someone else's codebase w/Learning Curve.
No I have not managed to find a way to unlock the bootloader because I do not have a copy of IDA Pro or the Hex Rays Decompiler, and if I did, I still wouldn't know to use them fully. But I have managed to find quite a number of very possible attack vectors, if I can get some serious developers to take my sentiments seriously. I proved that when the posts about dirtycow were largely ignored due to device interest, and then @droidvoider helped make some of my ideas possible with the "Greyhat Root Console" he made. Realistically at this point I only wish I were an Assembler. I'm only one guy trying to poke at a Hardware/Software Package created by multiple departments of people in a conglomerate corporation. I only bring people together. I do know that in order to disassemble the Exynos7420 sboot, you're going to need to understand U-Boot on Arm64. A Uboot version dating back to either January 2016 or August 2015. I say those two dates because, The 4BOG7 files on my device date to August 2015, the 4AOJ1 files, to January 2016. Project Zero (who does a lot of tests on the G925v btw), posted in February 2017 about they found a way to bypass the KASLR feature of the stock kernel. A Kernel I do believe we can still flash to the device. It didn't gain much attention I don't think at the time because it was only one piece to the puzzle. That exploit wasn't patched until January. I know it sounds bad when I say it like this but, what this device truly needs is a friendly Botnet-C&C-Style rootkit that has it's client and server controlled by a User-Controlled, SuperSu-Style management application. Yes, it would be a rootkit you would never want to have someone else in control of. But if SuperSu were controlled by someone else other than the end user at the time, it would be just as bad. It's just a different approach to a yet unpublished methodology.
*
** The Device I refer to is currently flashed with:
******
** Full 4 File Firmware: COMBINATION_VZW_FA50_G925VVRU4AOJ1_VZW4AOJ1_CL5133452_QB6486176_REV02_user_mid_noship.tar
** BL: G925VVRU4AOJ1 ENG sboot.bin
** AP Kernel: G925VVRU4BOG7 ENG Kernel
** TrustZone Type: t-base-tui (Filenames suggesting Mobicore present as well)
******
Trying to enter Recovery Mode with the Combo firmware, in my experience, typically sends the device into a Panic and boots into "Upload Mode" if it does not simply reboot. The combination firmware does not supply a recovery.img that I've found. And inorder to recover the ENG Combination Recovery, you would have to disassemble the OJ1 ENG sboot.bin in IDA Pro and pull it out.
During the initial boot the device will enter its own recovery mode for a moment while it does its erasing stage. I used "nand erase all, re-partition, F.Reset Time, Phone Bootloader Update options in ODIN. During this breif moment with the "Erasing..." text on-screen, the phone is available in ADB Devices and shows up in recovery mode. Meaning ADB Shell should be accesible in recovery. If that's possible that means the device keystore should be accessible as well. The Recovery images tend to be bigger because the signatures are stored in the recovery from what I've read. Can't dirtycow patch anything it can see if your shell can't change it?
Using those files, I have full su authority anytime I am in ADB Shell, the shell runs within the "su:s0" context, and not the "shell:s0" context. Any and All changes are possible through the shell. Writing a new partition Table to '/dev/block/platform/15570000.ufs/sdb' using the "partx" tool, is probably what broke my phone. So in theory installing SuperSu in System Mode should work much the same as it did on G95x S8/Plus I'm gathering. @dragoodwael was correct in supposing "sdb" to be the bootloader overall, as I do now too. Once the reboot command was issued, I lost the ability to do anything at all. All thats possible now, is to find a tool that will communicate with the driver my PC's Device Manager loaded for my phone.
Every boot.img I've unpacked using Android Image Kitchen specified that a signature of "SEAndroid Type was found". BUT, the only boot.img/Kernel that did not specify that it was an "SEAndroid Type" while being unpacked, is the Stock boot.img from the 4AOJ1 Combination Firmware. Out of the 7 boot images I've unpacked, AIK determined the OJ1 Combination boot.img did NOT have an SEAndroid Signature on it.
boot.imgs I've unpacked:
1. N920A - PB2 Eng boot.img
2. N920A - FA51 Combi - PH1 boot.img
3. N920A - FA51 Combi - PL1 boot.img
4. G925V - FA50 Combi - OG2 boot.img
5. G925V - FA50 Combi - OJ1 boot.img
6. G925V - OG7 Stock boot.img
7. G925V - OG7 ENG boot.img
I'm not quite sure what that means yet, but I do know that the zip file I have that contains the 4AOJ1 factory Binary is not a tar.md5 like usual, it is just a normal .tar. What I'd LOVE to know is, can the 4AOJ1 stock boot.img be unpacked, then repacked, and retain its flashable characteristic. Because AIK does not register a standard signature. Does that mean the Oj1 boot.img uses a different mechanism for signature verification than a standard user binary, or is it simply signed with publicly available signing keys? It's a good question, what is different about its signature compared to other stock signatures. Even if we don't understand the signatures fully.
I'm also aware of the fact, that the Combination firmware doesn't actually contain a recovery.img to flash. Probably why the Device goes into Upload Mode and Panics when trying to boot recovery after using "nand flash all" and/or "re-partition" in ODIN. But if there were a Recovery Image for the OJ1 firmware, I imagine it would not have an SEAndroid signature on it as well. So there must be something to that.
I wonder what would happen if you tried to flash the OJ1 boot.img to the recovery partition as recovery.img like in the "EasyRecowvery" project, while using the full factory binary.
Is it possible that the newer "ustar" tar format used by Samsung in ODIN packages, could be using the custom fields available in a ustar header block to hold at least part of the signing mechanism? I believe so. And I say it because on my Device, it runs the Odin3 Engine (v1.1203), which looks an aweful lot like ODIN v1.12.3. Besides the naming conventions used there, ODIN expects to send/receive images within tar archives. Specifically USTAR format tar archives. So if the ODIN Engine on the phone is anything like the PC Client application, it expects USTAR format Tar archives as well. If it expects to read in a USTAR Header block, there are custom fields possible in known locations of the official tar files. Which when parsed correctly, should lead to finding the extra data after the payload 7-Zip refers to when the tar.md5 files are extracted. I'm of the mind the "Star" utility and not the the "Tar" utility is what we should be using to create and modify ODIN firmware the way our OEM's do. That is hypothesis on my part yes, but I don't think I'm very far off base.
Here is a man page on the "ustar" utility I found interesting and extremely in-depth: ustar(1) - unique standard tape archiver - Linux man page
If you want to see a list of files involved in all of this research, please refer to this folder here: https://drive.google.com/open?id=0B_EcHdXbjhT_dDRneE56WUg3Mlk
It contains all the files I've mentioned except for the OJ1 Firmware itself. This is all I'm posting for today, it's a sad day indeed. But I have to gather the bookmarks again to post the links to articles.
Hello everyone, I found a recovery tool on the open spaces of the Chinese Internet. This tool is for NE2210 only. It's in Chinese, but I don't think there should be any problems using it. Write who used.
Unbrick
The Msm tool is missing the FTLibBase.dll file it wont work. Just to let you know.
Canuck Knarf said:
The Msm tool is missing the FTLibBase.dll file it wont work. Just to let you know.
Click to expand...
Click to collapse
what is the file responsible for FTLibBase.dll ??
For me. I'm using win 11 and the Msm tools will not open .??? Maybe it a win 11 thing. It starts to open but then errors pop up missing the dill file . Did you install it by an exe file.
I want to try it ...lol...I have one more boot loop / dead battery 10 plus pro
I have been trying this fast boot command to get battery up enough to load boot file, vender_boot and vbmeta file. But after it dose a factory wipe ...kills battery wont reboot.
Using this command i started out with 6708 volts of battery took running command in fastboot 30 minutes to get to 6762 volts. So command dose work .
@Echo off
:start
fastboot getvar battery-voltage
fastboot reboot-bootloader
ping /n 6 localhost >nul
goto start
I need the command to just keep repeating by itself...i can leave it sit there for hours...Can you help ?
Canuck Knarf said:
For me. I'm using win 11 and the Msm tools will not open .??? Maybe it a win 11 thing. It starts to open but then errors pop up missing the dill file . Did you install it by an exe file.
Click to expand...
Click to collapse
I have w11, program starts normal, but not connected server.(((
VovaHouse said:
what is the file responsible for FTLibBase.dll ??
Click to expand...
Click to collapse
Can't you replace this file with OnePlus 9 pro msm tool i don't know where it's for but as long you get the msm tool work then it shouldn't be a problem ain't it ?
bir çözüm buldun mu? Aynı hata bende de var
Did you find a solution? i have the same error
Buyukturk said:
Did you find a solution? i have the same error
Click to expand...
Click to collapse
yeah....MSM and pay
Canuck Knarf said:
yeah....MSM and pay
Click to expand...
Click to collapse
unfortunately i couldn't find it
Canuck Knarf said:
evet.... MSM ve ödeme
Click to expand...
Click to collapse
nasıl çözdün bana yardımcı olurmusun
Buyukturk said:
unfortunately i couldn't find it
Click to expand...
Click to collapse
You can find it in the www
Prob is the msm Tool need a auth. (Acc)
DO NOT BUY ONEPLUS 10 PRO THEY DO NOT PROVIDE ANY TOOLS FROM UNBRICK
DO NOT BUY ONEPLUS 10 PRO THEY DO NOT PROVIDE ANY TOOLS FROM UNBRICK
Sorry for the delayed absence .... lol.. its been a trivial one. But I have been working DILIGENTLY on Oneplus Tools, and ONLY Oneplus Tools... (CanuckKnarf can verify this...)
Ok without breaking "responsible disclosure" guidelines... I can hopefully either clear up some of the chatter ive read up til now, as well as provide some important info which may inspire someone here with a new avenue as to how to attack this thing head on.
Let me start with the most recent statements about the missing files first.
If you have Windows (doesnt matter which version) and you have been running ANY of the official builds of the MSM Tool... (Official releases show an icon like pictured here
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
#1
unofficial (repacked for whatever reason) look like this:
#2
Now while there is no inherent threat to either version... the ones of the LATTER style, MAY OR MAY NOT run, when attempting to execute them. This is because the person who packaged it, MIGHT NOT have been doing so from the actual applications data folder in windows. Allow me to explain:
When you run #1 , that file unpacks itself and generates a folder inside your "/users/appdata/local/" folder and its usually along the lines of "OPPO Flash Tool Series 4.1" .... or a variant of that. IN THIS FOLDER is the actual files for which your MSMTOOL loads all of its config, dll, and other run codes from.
--Now this folder might not be generated if you are already running from a complete msmtool build. a complete build should have several dll's, several folders, and the actual program that is being called, 'FTGUIDev.exe" <-- This is your flash loader! .. This is the Alpha and the Omega so to speak of the MSM TOOL... #2, is the MSM equivalent of a Windows Installer REPACK. I have seen these range from 4mb all the way up to 9gb ... this is because some authors choose to repack the EXACT FW build that is to be used with it! (*** Important note!*** The version of the MSM Tool you are using plays a definitive roll as to whether you have a successful flash, or a fail!. OPPO HAS PLAYED THE SNEAKY ROLE AGAIN, AND IN CERTAIN RELEASES OF THE OTA FW FILES THAT ARE DISTRIBUTED, THEY MAKE A SMALL CHANGE TO ONE OR MORE FILES, WHICH WILL THROW OFF THE FIRMWARE INTEGRITY CHECK!.... BUT INSTEAD OF THE ERROR READING "INTEGRITY FAIL", YOU WILL GET .... PHONE MISMATCH... INVALID HANDLE.... VALIDATION FAIL... OR MAYBE FAIL INTEGRITY.... <----- These errors USED to have individual meaning, but OPPO choose to use them to provide misdirection as to what actually occurred. (( I have found a way to FORGE a passing INTEGRITY CHECK... but i cant disclose that yet, sry)) So now they do not want you to actually have the identifier as to what exactly went wrong that blocked your flash... the validation check is INSTANT... the whole 15 second pause is purely for dramatical effect. The very moment your phone connects in the msmtool and it hits 3%, it has already either PASSED or FAILED the AUTH SIGN requirement... which is LIGHT YEARS down the line from the Integrity Check.
Anyways my point is: If you go to you "appdata/local" msm folder, you shouold be able to pull ANY DLL that is being requested by your programs. The entire library is is locked exclusively to the GENERATION of flash tool available... ie version 4.1 folder will have DLL's for any 4.1.x.x msmtool ... same with version 5.1 => 5.1.x.x. While this is not a perfect science... it is a start, so if you run into any MSM tools that you download and are not able to run, it is because you dont have a full build from that series already installed on your machine. When these guys repack, they might not understand that by NOT packing up all the files DIRECTLY from that Appdata folder, and including ALL of the other folders, they are handicapping those who download them. Easier explanation to offer is this: Beatbreakee has been running Flash Tool v 4.1.7.2 on his machine, and it is the full build being launched from the APPDATA folder... CHRIS has been running 4.1.5.1 and its from an alternate location that DOES have the proper dll files, but they are already registered in his system from usage, and he does not realize that the alternate location is merely a shadow copy and that actual file is linking to his appdata folder.: A new HACKED msm tool comes out, but its a repack and lets say 4.2.0.1 (this is all fake... dont go looking for this hacked version , it dont exist) .... Now the repack is missing some vital DLL files, much like some of you are experiencing. The reason SOME can load and SOME cannot, is because they may have ran a FULL tool from the generation that the repack comes from.... if you have, then windows has already registered the correct DLL files, so it will load like normal.... if you HAVE NOT, you will get missing DLL errors. BUT BEWARE... There is a HIDDEN verification that is of the actual msmtool itself. It will cause you to fail , if the check does not pass, and when altering any portion of the msmtool, i have seen EVERY mod fail this check.
Oppo is smart... they placed PLAIN TEXT files that give the exact FILENAME, CRC, and SIG data for EVERY file that MSM will interact with INCLUDING ITSELF. But these plain text files are backdoor checked by encrypted SIGNED verification files, that check for any modifications to the plain text or xml files. If you alter one of the files or replace it... IT FAILS INSTANTLY... sha doesnt match... if you touch one of the SIG checker files it fails... MSMTool knows the SIG checkers, SIG... kinda a DOUBLE check... but they did this on purpose because they knew ppl would take the bait, and by doing so, thinking they will circumvent the CHECKS... they are actually making the checks work PERFECTLY. The ONLY way around this is through SOMEONE , who is great with DLL and EXE files... and can physically REMOVE or PATCH OUT the 2 checks for the application, as well as the fw integrity. Both validations work to ensure the OTHERS security as well... so if you bypass one validation, the other will fail you for "No validation" of the other file! (make any sense?) They watch each other when getting validated to see if any funny business is going on... any "Malarkey" and they will fail themselves to protect the package. You need to Remove, or patch out BOTH of these checks, which is slightly above my pay grade. If you can remove both of those, and it works, you will be able to have an MSM Tool that can have its config altered to remove model match, project id, and much more, as well as a tool that will accept ANY fw package as long as its in the correct structure. (That is where my info stops because saying more will put me in violation for now) ....
The SECOND bit of info is this:
The 'AUTH SIGN' is not a file generated from any server.... the connection to the server is simply to have it send a PING response back to the application from your phone. That is literally ALL the AUTH SIGN is... now its far more complex than im making it sound because i have yet to generate a valid AUTH but i am working on it. IT COMES from an APK Intent on your phone.... ( a hint is its one of the hidden QTI apk's) .... this apk responds to the PING request, with all of the info that is required as the AUTH .... Now dont get this confused with the MSM AUTH from the application.... The AUTH i am discussing is the one that says "YES" or "NO" when you ask the app to flash your fw.. An invalid response will trigger a NO... because the PING is an IRL stamp that cant be captured and replayed, as its literally specific to the millisecond... But again it is YOUR PHONE that is generating it.... so the MSM TOOL requires an AUTHENTICATED login, before it will communicate to the OPPO server, and tell it to send a PING request to your phone, which then gets sent via USB to your computer. What we have to do is figure out HOW to generate that PING request ourselves.... If we can somehow open a secondary command window, and freeze the process as soon as it requests the AUTH SIGN... then have the command to request the PING, already typed and ready to go in that second window.... and UNFREEZE at the exact same time as we send the command... we should be able to generate the request before the MSM Tool can revalidate itself, which it does before it makes the request. As long as the request is completed BEFORE the OFFICIAL request is made by the server, then it should ignore any other response.... 1st come 1st served.
Thats really all i can say... but sorry to all of you who have wondered if OPPO has made me disappear , or sent a wetwork agent after me... lol
I am just working round the clock on this as well as my normal life.... so i will be sporadic, but as i make breakthroughs i will update... so i hope SOME of that clears SOME things up.. but i leave you with this:
{ "d:193] [E2DBA579] [COM5] <COMMAND> <?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n<data>\n<getsigndata value=\"ping\" />\n</data>\n[2023/03/06 07:24:12][0x34c4][QCFirehose::resolveLogs:55] [E2DBA579] [COM5] <DEVICE LOG> INFO: Calling handler for getsigndata\n[2023/03/06 07:24:12][0x34c4][QCFirehose::resolveLogs:55] [E2DBA579] [COM5] <DEVICE LOG> WARN: format error, i=0\n[2023/03/06 07:24:12][0x34c4][QCFirehose::resolveLogs:55] [E2DBA579] [COM5] <DEVICE LOG> ERROR: cannot get oplusreserve1/opporeserve1. i" }
Its the actual full data from the application attempting to get the AUTH SIGN.... maybe looking over it you might find some insight.
***back to the caves.... see yall in a bit!****
(and btw.. if you attempt to bypass the LOGIN, you will automatically fail the SW integrity check... you need to find a way to REMOVE this completely, and not with a hex editor... the actual instruction must be removed, and then the subsequent request must be removed again from the actual FLASH function called during the AUTH SIGN request, because IT checks for the valid login again. Remove both and you will have an MSM TOOL with a blank slate. The tools themselves are NOT bundled with the individual FW digest data... they simply follow the instructions given in the packages. If you know what files you can and cannot alter, plus you replace the CRC in the checker file, with the NEW valid crc for the edited file, and you make sure to change the metadata of the files you altered , so that they match again with the other files besides them, you can FOOL the Package validation... <--- a key point in being able to flash altered firmware!... Package Validation Fail = Flash Fail!... Stay Vigilant"
beatbreakee said:
Sorry for the delayed absence .... lol.. its been a trivial one. But I have been working DILIGENTLY on Oneplus Tools, and ONLY Oneplus Tools... (CanuckKnarf can verify this...)
Ok without breaking "responsible disclosure" guidelines... I can hopefully either clear up some of the chatter ive read up til now, as well as provide some important info which may inspire someone here with a new avenue as to how to attack this thing head on.
Let me start with the most recent statements about the missing files first.
If you have Windows (doesnt matter which version) and you have been running ANY of the official builds of the MSM Tool... (Official releases show an icon like pictured here View attachment 5855327 #1
unofficial (repacked for whatever reason) look like this: View attachment 5855329 #2
Now while there is no inherent threat to either version... the ones of the LATTER style, MAY OR MAY NOT run, when attempting to execute them. This is because the person who packaged it, MIGHT NOT have been doing so from the actual applications data folder in windows. Allow me to explain:
When you run #1 , that file unpacks itself and generates a folder inside your "/users/appdata/local/" folder and its usually along the lines of "OPPO Flash Tool Series 4.1" .... or a variant of that. IN THIS FOLDER is the actual files for which your MSMTOOL loads all of its config, dll, and other run codes from.
--Now this folder might not be generated if you are already running from a complete msmtool build. a complete build should have several dll's, several folders, and the actual program that is being called, 'FTGUIDev.exe" <-- This is your flash loader! .. This is the Alpha and the Omega so to speak of the MSM TOOL... #2, is the MSM equivalent of a Windows Installer REPACK. I have seen these range from 4mb all the way up to 9gb ... this is because some authors choose to repack the EXACT FW build that is to be used with it! (*** Important note!*** The version of the MSM Tool you are using plays a definitive roll as to whether you have a successful flash, or a fail!. OPPO HAS PLAYED THE SNEAKY ROLE AGAIN, AND IN CERTAIN RELEASES OF THE OTA FW FILES THAT ARE DISTRIBUTED, THEY MAKE A SMALL CHANGE TO ONE OR MORE FILES, WHICH WILL THROW OFF THE FIRMWARE INTEGRITY CHECK!.... BUT INSTEAD OF THE ERROR READING "INTEGRITY FAIL", YOU WILL GET .... PHONE MISMATCH... INVALID HANDLE.... VALIDATION FAIL... OR MAYBE FAIL INTEGRITY.... <----- These errors USED to have individual meaning, but OPPO choose to use them to provide misdirection as to what actually occurred. (( I have found a way to FORGE a passing INTEGRITY CHECK... but i cant disclose that yet, sry)) So now they do not want you to actually have the identifier as to what exactly went wrong that blocked your flash... the validation check is INSTANT... the whole 15 second pause is purely for dramatical effect. The very moment your phone connects in the msmtool and it hits 3%, it has already either PASSED or FAILED the AUTH SIGN requirement... which is LIGHT YEARS down the line from the Integrity Check.
Anyways my point is: If you go to you "appdata/local" msm folder, you shouold be able to pull ANY DLL that is being requested by your programs. The entire library is is locked exclusively to the GENERATION of flash tool available... ie version 4.1 folder will have DLL's for any 4.1.x.x msmtool ... same with version 5.1 => 5.1.x.x. While this is not a perfect science... it is a start, so if you run into any MSM tools that you download and are not able to run, it is because you dont have a full build from that series already installed on your machine. When these guys repack, they might not understand that by NOT packing up all the files DIRECTLY from that Appdata folder, and including ALL of the other folders, they are handicapping those who download them. Easier explanation to offer is this: Beatbreakee has been running Flash Tool v 4.1.7.2 on his machine, and it is the full build being launched from the APPDATA folder... CHRIS has been running 4.1.5.1 and its from an alternate location that DOES have the proper dll files, but they are already registered in his system from usage, and he does not realize that the alternate location is merely a shadow copy and that actual file is linking to his appdata folder.: A new HACKED msm tool comes out, but its a repack and lets say 4.2.0.1 (this is all fake... dont go looking for this hacked version , it dont exist) .... Now the repack is missing some vital DLL files, much like some of you are experiencing. The reason SOME can load and SOME cannot, is because they may have ran a FULL tool from the generation that the repack comes from.... if you have, then windows has already registered the correct DLL files, so it will load like normal.... if you HAVE NOT, you will get missing DLL errors. BUT BEWARE... There is a HIDDEN verification that is of the actual msmtool itself. It will cause you to fail , if the check does not pass, and when altering any portion of the msmtool, i have seen EVERY mod fail this check.
Oppo is smart... they placed PLAIN TEXT files that give the exact FILENAME, CRC, and SIG data for EVERY file that MSM will interact with INCLUDING ITSELF. But these plain text files are backdoor checked by encrypted SIGNED verification files, that check for any modifications to the plain text or xml files. If you alter one of the files or replace it... IT FAILS INSTANTLY... sha doesnt match... if you touch one of the SIG checker files it fails... MSMTool knows the SIG checkers, SIG... kinda a DOUBLE check... but they did this on purpose because they knew ppl would take the bait, and by doing so, thinking they will circumvent the CHECKS... they are actually making the checks work PERFECTLY. The ONLY way around this is through SOMEONE , who is great with DLL and EXE files... and can physically REMOVE or PATCH OUT the 2 checks for the application, as well as the fw integrity. Both validations work to ensure the OTHERS security as well... so if you bypass one validation, the other will fail you for "No validation" of the other file! (make any sense?) They watch each other when getting validated to see if any funny business is going on... any "Malarkey" and they will fail themselves to protect the package. You need to Remove, or patch out BOTH of these checks, which is slightly above my pay grade. If you can remove both of those, and it works, you will be able to have an MSM Tool that can have its config altered to remove model match, project id, and much more, as well as a tool that will accept ANY fw package as long as its in the correct structure. (That is where my info stops because saying more will put me in violation for now) ....
The SECOND bit of info is this:
The 'AUTH SIGN' is not a file generated from any server.... the connection to the server is simply to have it send a PING response back to the application from your phone. That is literally ALL the AUTH SIGN is... now its far more complex than im making it sound because i have yet to generate a valid AUTH but i am working on it. IT COMES from an APK Intent on your phone.... ( a hint is its one of the hidden QTI apk's) .... this apk responds to the PING request, with all of the info that is required as the AUTH .... Now dont get this confused with the MSM AUTH from the application.... The AUTH i am discussing is the one that says "YES" or "NO" when you ask the app to flash your fw.. An invalid response will trigger a NO... because the PING is an IRL stamp that cant be captured and replayed, as its literally specific to the millisecond... But again it is YOUR PHONE that is generating it.... so the MSM TOOL requires an AUTHENTICATED login, before it will communicate to the OPPO server, and tell it to send a PING request to your phone, which then gets sent via USB to your computer. What we have to do is figure out HOW to generate that PING request ourselves.... If we can somehow open a secondary command window, and freeze the process as soon as it requests the AUTH SIGN... then have the command to request the PING, already typed and ready to go in that second window.... and UNFREEZE at the exact same time as we send the command... we should be able to generate the request before the MSM Tool can revalidate itself, which it does before it makes the request. As long as the request is completed BEFORE the OFFICIAL request is made by the server, then it should ignore any other response.... 1st come 1st served.
Thats really all i can say... but sorry to all of you who have wondered if OPPO has made me disappear , or sent a wetwork agent after me... lol
I am just working round the clock on this as well as my normal life.... so i will be sporadic, but as i make breakthroughs i will update... so i hope SOME of that clears SOME things up.. but i leave you with this:
{ "d:193] [E2DBA579] [COM5] <COMMAND> <?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n<data>\n<getsigndata value=\"ping\" />\n</data>\n[2023/03/06 07:24:12][0x34c4][QCFirehose::resolveLogs:55] [E2DBA579] [COM5] <DEVICE LOG> INFO: Calling handler for getsigndata\n[2023/03/06 07:24:12][0x34c4][QCFirehose::resolveLogs:55] [E2DBA579] [COM5] <DEVICE LOG> WARN: format error, i=0\n[2023/03/06 07:24:12][0x34c4][QCFirehose::resolveLogs:55] [E2DBA579] [COM5] <DEVICE LOG> ERROR: cannot get oplusreserve1/opporeserve1. i" }
Its the actual full data from the application attempting to get the AUTH SIGN.... maybe looking over it you might find some insight.
***back to the caves.... see yall in a bit!****
(and btw.. if you attempt to bypass the LOGIN, you will automatically fail the SW integrity check... you need to find a way to REMOVE this completely, and not with a hex editor... the actual instruction must be removed, and then the subsequent request must be removed again from the actual FLASH function called during the AUTH SIGN request, because IT checks for the valid login again. Remove both and you will have an MSM TOOL with a blank slate. The tools themselves are NOT bundled with the individual FW digest data... they simply follow the instructions given in the packages. If you know what files you can and cannot alter, plus you replace the CRC in the checker file, with the NEW valid crc for the edited file, and you make sure to change the metadata of the files you altered , so that they match again with the other files besides them, you can FOOL the Package validation... <--- a key point in being able to flash altered firmware!... Package Validation Fail = Flash Fail!... Stay Vigilant"
Click to expand...
Click to collapse
Thanks for all of the work you have been putting in! I will not give up hope lol, sorry I'm not a dev smart enough to help but I wish everyone luck...
beatbreakee said:
-snip-
Click to expand...
Click to collapse
Glad to see you still around, I was definitely in the boat of thinking someone shut ya down for good. Keep it up man, I'm sure as we rally we'll get there eventually.