Have decided to rejoin XDA after a while off to see what sort of response I get to this.
A browse of the forum tells me that there is no known way to unlock fastboot, I was wondering what methods had been explored in an attempt to do this?
More specifically there are 2 potential methods I'd like to ask about.
1: I have seen mentioned in a comment here a tool I stumbled across a few months ago while messing around with another device,
edl/README.md at master · bkerler/edl
Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :) - edl/README.md at master · bkerler/edl
github.com
There is one option in particular that I think is of interest,
edl modules oemunlock enable -> Unlocks OEM if partition "config" exists, fastboot oem unlock is still needed afterwards
2: After a quick browse of the disassembled Oppo deeptesting app I can see a number of references to a class that is only accessible via reflection 'android.engineer.OplusEngineerManager'
and it contains a method 'fastbootUnlock'. Has anyone tried to access this class and its methods at all?
Maybe none of these things will be of any use, but before I spend too much time exploring them, I was interested to hear if anyone else had explored these at all? If so what progress was or wasn't made?
A little update for anyone who is interested:
So I have spent a little bit of time this morning seeing what I can do with the 'OplusEngineerManager' class. I made very simple app to see what access I could get to this class. After adding a library to allow the use of reflection to access non sdk classes I was able to get a list methods from the class, but so far have not been successfully invoke any of them, despite there being no exceptions caught.
User154 said:
A little update for anyone who is interested:
So I have spent a little bit of time this morning seeing what I can do with the 'OplusEngineerManager' class. I made very simple app to see what access I could get to this class. After adding a library to allow the use of reflection to access non sdk classes I was able to get a list methods from the class, but so far have not been successfully invoke any of them, despite there being no exceptions caught.
Click to expand...
Click to collapse
I took a look at the fastbootUnlock method itself (at /system/framework/oplus-framework.jar) and I believe that even if we could invoke it, it wouldn't work because it uses some sort of token (generated be Oppo?). I might be wrong though, I don't have much experience working with decompiled code, and the code I looked at was Realme one (I guess its same as Oppo).
daniml3 said:
I took a look at the fastbootUnlock method itself (at /system/framework/oplus-framework.jar) and I believe that even if we could invoke it, it wouldn't work because it uses some sort of token (generated be Oppo?). I might be wrong though, I don't have much experience working with decompiled code, and the code I looked at was Realme one (I guess its same as Oppo).
Click to expand...
Click to collapse
Its great that someone else is looking at this! I hadn't posted another update as I haven't made a huge amount of progress, and I wasn't sure anybody would be interested.
The fastbootUnlock method returns a boolean and takes 2 parameters, a byte array and an int. From what I can see it is the only method of the OplusEngineerManager class that the deeptesting app calls. It contains 2 calls to the fastbootUnlock method. Once where it calls it with an empty byte array and the int is 1. I was actually able to invoke the method from my test app in this way and got a false return value (rather than just getting null like the other methods I tried to invoke). The second is contained within a method of the deeptesting app that takes a string as its parameter. It then converts this string to a byte array which it passes as the paramter for the fastbootUnlock method along with the int of 1.
Edit:
The second call to fastbootUnlock uses the length of the byte array as the int and not 1. Please forgive me it was late when I wrote this and I was not looking at the source.
Thats about as far as I am with it at the moment, the next task is to find out what that string it passes is exactly, and is it something that needs to be generated by Oppo.
I would imagine the realme framework woukd be similar, if you would like to compare I can provide the full list of methods from the OplusEngineerManager class?
Hey guys, I would be interested in helping you somehow.
I have no prior experience with unlocking a device. (besides actually doing it with the tools provided by anyone else).
But I own an oppo find x3 pro, if you need me to do some testing for you, let me know
Thank you for your reaserch and trying to unlock the fastboot!
xarf903 said:
Hey guys, I would be interested in helping you somehow.
I have no prior experience with unlocking a device. (besides actually doing it with the tools provided by anyone else).
But I own an oppo find x3 pro, if you need me to do some testing for you, let me know
Thank you for your reaserch and trying to unlock the fastboot!
Click to expand...
Click to collapse
Hi, thanks for your reply. At the moment there isn't too nuch to test, but if I do manage to find a way I will need plenty of testers, so thank you
A small update:
I have found that the method in the deep testing app which takes a string and then ends up invoking the reflected fastbootUnlock method is called by a handler associated with one of the app's activities.
The handler gets the string extra from the intent which starts the activity, and then passes that as the parameter when calling the method.
The next problem is that I cannot find anywhere in the deep testing app that starts this activity. I can see as part of, what I believe to be, the normal flow of the deep testing app that an activity in the startup wizard is called, so I wonder if the startup wizard then starts the activity of interest in the deep testing app. This will be the next thing I look into
Edit:
I have looked into this more and it turns out most of this is wrong. The activity is started from within the deeptesting app and not the startup wizard
User154 said:
A small update:
I have found that the method in the deep testing app which takes a string and then ends up invoking the reflected fastbootUnlock method is called by a handler associated with one of the app's activities.
The handler gets the string extra from the intent which starts the activity, and then passes that as the parameter when calling the method.
The next problem is that I cannot find anywhere in the deep testing app that starts this activity. I can see as part of, what I believe to be, the normal flow of the deep testing app that an activity in the startup wizard is called, so I wonder if the startup wizard then starts the activity of interest in the deep testing app. This will be the next thing I look into
Click to expand...
Click to collapse
Great, from my side I tried running the fastbootUnlock method as you did, and got the same result (false). I looked at the logs and there was a selinux denial for finding the engineering service as my app is an untrusted app, so our only way to run the fastbootUnlock method is through the deep testing app I guess.
daniml3 said:
Great, from my side I tried running the fastbootUnlock method as you did, and got the same result (false). I looked at the logs and there was a selinux denial for finding the engineering service as my app is an untrusted app, so our only way to run the fastbootUnlock method is through the deep testing app I guess.
Click to expand...
Click to collapse
Do you mind if I see the logs? I have had no such denial that I can see.
How have you enabled access to hidden apis?
Have you used any of the permissions from the deeptesting app?
User154 said:
Do you mind if I see the logs? I have had no such denial that I can see.
How have you enabled access to hidden apis?
Have you used any of the permissions from the deeptesting app?
Click to expand...
Click to collapse
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
There are the logs. I enabled hidden apis, yes, didn't add any extra permissions though. By the way, did you use some specific keys for signing the app (platform keys for example)?
daniml3 said:
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
There are the logs. I enabled hidden apis, yes, didn't add any extra permissions though. By the way, did you use some specific keys for signing the app (platform keys for example)?
Click to expand...
Click to collapse
I had a closer look at the logs and I can see that sadly I am getting the same SELinux error.
I can't see much of a way around it at the moment.
I have made a thread in general should anyone wish to discuss this further. Most of this is applicable to all Oppo devices and there are people that have looked at this in different ways and found different things out when trying to unlock fastboot on other devices. I think it would be useful to have somewhere to discuss unlocking fastboot on Oppo devices in general.
[DISCUSSION] A thread to collate and share what is known about unlocking fastboot on Oppo devices
Admin: Please move/delete this thread if it is in the wrong place or against the rules. I wanted to create a thread to discuss unlocking fastboot mode on Oppo devices in general, rather than discussing it in terms of any one device in...
forum.xda-developers.com
Related
MOD EDIT: Thread closed by OP's request.
If you have used reker's proxy, you will notice the "by @reker" entry on top of the list with search results. If we could do the same with the SamWP8 tool (and link his app to a similar app page), maybe we could bypass the interop unlock requirement (the error you receive if you try to sideload a app with interop capabilities on a non-interop unlocked phone) because apps installed in the store don't get this check (as compu829 demonstrated by saying the original Microsoft youtube app contained the ID_CAP_MEDIALIB_PHOTO_FULL entry in the WMAppManifest.xml, and how could you install this app on phones without having an interop-unlock, exactly : the app was installed through the store).
Correct me if I'm wrong, I'm still learning how the WP OS is build and how it functions.
To admins, I can't post this in the Windows Phone 8 Development and Hacking thread because I don't have the required 10 posts yet.
Seems like a feasible idea, I'll take a look on how the store works but I think the XAP's still need to be signed by a trusted root to this works.
I'll post any updates here as I can't post on dev section x.x
This idea is older than WP8, and it doesn't work. First of all, the apps themselves (as opposed to the data about them) are delivered over an encrypted channel that uses certificate pinning; we can't intercept or modify it. Second, the Store will only install Microsoft-signed (and probably only DRMed) apps. Unsigned apps failed to install through this channel back on WP7. Third, even if we could install the apps this way, hey would still be unsigned. The OS would thus treat them as developer apps. Developer apps on phones where the MaxUnsignedApp registry value is less than 300 are limited to the standard third-party app capabilities, meaning no INTEROPSERVICES or similar.
By all means, go ahead and poke at it - WP8 has surprised me before with weaknesses it has relative to WP7 - but don't expect this to work even if you get past the first issue (which *does* exist on WP8).
Did someone contact reker? We need to figure out how he did this. I can't tell if he succeeded into linking an app to the custom app page because when I click install, I get an error message : "This app is not available for your region", maybe I need to change my region to China and try again.
@GoodDayToDie : Won't the phone be tricked by the store installation, thinking it's an encrypted app? Does it matter whether the app is encrypted or not if someone manages to link an app to a custom app page, because Windows Phone app weren't always encrypted to my recollection (this may predate the WP8 era, if so we're screwed ). And if it matters, can we encrypt the app ourselves by using a encryption method like AES, SHA, MD5, ... ? Unlikely hypothesis, but if someone would succeed in doing all this, could the SamWP8 tool be used to increase the HKEY_Local_Machine\Software\Microsoft\DeviceReg\Install MaxUnsignedApp value beyond 300 to unlock interop capabilities? Are the EnableAllSideloading.xap and Bootstapper.xap also usable on other WP than Samsung or do they need to be recoded to work on WP of other manufacturers?
EnableAllSideloading.xap and Bootstapper.xap depends on Samsung diagnosis tool and it's RPC server that runs on LocalSystem account that has "unlimited" registry access, it's not available on other manufacturers.
Tonight I will start my experiments on it.
greenboxal said:
EnableAllSideloading.xap and Bootstapper.xap depends on Samsung diagnosis tool and it's RPC server that runs on LocalSystem account that has "unlimited" registry access, it's not available on other manufacturers.
Tonight I will start my experiments on it.
Click to expand...
Click to collapse
I was wondering how you could flash the bootloader of Android on the Ativ S as the Secure Boot made by Qualcomm is locked by a blown fuse (it's a hardware issue, not only a software issue you must deal with).
bruce142 said:
I was wondering how you could flash the bootloader of Android on the Ativ S as the Secure Boot made by Qualcomm is locked by a blown fuse (it's a hardware issue, not only a software issue you must deal with).
Click to expand...
Click to collapse
SecureBoot checks signature of the bootloader by a known public key, the case is that Samsumg uses the *same* key for android and wp8 bootloaders.
greenboxal said:
SecureBoot checks signature of the bootloader by a known public key, the case is that Samsumg uses the *same* key for android and wp8 bootloaders.
Click to expand...
Click to collapse
If this checks out, what does it mean, could we flash android on the Ativ S? Or could you even make a dual-boot scenario possible? Great find by the way, :good:.
bruce142 said:
If this checks out, what does it mean, could we flash android on the Ativ S? Or could you even make a dual-boot scenario possible? Great find by the way, :good:.
Click to expand...
Click to collapse
Yes, it's the same hardware as SGS3 Snapdragon 4 version. But let go back to the topic, if you have some question about it send me a PM or post on my R&D thread
greenboxal said:
Yes, it's the same hardware as SGS3 Snapdragon 4 version. But let go back to the topic, if you have some question about it send me a PM or post on my R&D thread
Click to expand...
Click to collapse
I can't post yet in your R&D thread because I don't have the met the 10 post requirement yet.
Edit : I can install reker's "by @ reker" app when changing the region to China, and this is interesting (pasted directly from his WMAppManifest.xml) :
<?xml version="1.0" encoding="UTF-8"?>
-<Deployment AppPlatformVersion="8.0" xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment">
<DefaultLanguage xmlns="" code="zh-CN"/>
-<Languages xmlns="">
<Language code="zh-Hans"/>
</Languages>
-<App xmlns="" PublisherId="{9b1d1b5b-f206-4b27-a139-89659591061b}" IsBeta="false" PublisherID="{b259af64-2f7d-4a89-983f-836325480629}" Publisher="智机网_WPXAP" Description="智机市场官方版" Author="智机网_WPXAP" Genre="apps.normal" Version="2.0.0.0" RuntimeType="Silverlight" Title="智机市场" ProductID="{59bd999b-496e-4e05-afce-94b67ba6e862}">
<IconPath IsResource="false" IsRelative="true">Assets\ApplicationIcon.png</IconPath>
-<Capabilities>
<Capability Name="ID_CAP_IDENTITY_DEVICE"/>
<Capability Name="ID_CAP_IDENTITY_USER"/>
<Capability Name="ID_CAP_NETWORKING"/>
<Capability Name="ID_CAP_PUSH_NOTIFICATION"/>
<Capability Name="ID_CAP_SENSORS"/>
<Capability Name="ID_CAP_WEBBROWSERCOMPONENT"/>
<Capability Name="ID_CAP_APPOINTMENTS"/>
</Capabilities>
-<Tasks>
<DefaultTask Name="_default" ActivationPolicy="Resume" NavigationPage="MainPage.xaml"/>
</Tasks>
-<Tokens>
-<PrimaryToken TaskName="_default" TokenID="WpXapToken">
-<TemplateFlip>
<SmallImageURI IsResource="false" IsRelative="true">Assets\Tiles\FlipCycleTileSmall.png</SmallImageURI>
<Count>0</Count>
<BackgroundImageURI IsResource="false" IsRelative="true">Assets\Tiles\FlipCycleTileMedium.png</BackgroundImageURI>
<Title/>
<BackContent/>
<BackBackgroundImageURI/>
<BackTitle/>
<DeviceLockImageURI/>
<HasLarge/>
</TemplateFlip>
</PrimaryToken>
</Tokens>
-<Extensions>
<Protocol Name="wpxap" TaskID="_default" NavUriFragment="encodedLaunchUri=%s"/>
</Extensions>
-<ScreenResolutions>
<ScreenResolution Name="ID_RESOLUTION_WVGA"/>
<ScreenResolution Name="ID_RESOLUTION_WXGA"/>
<ScreenResolution Name="ID_RESOLUTION_HD720P"/>
</ScreenResolutions>
</App>
</Deployment>
@bruce142: The store may or may not care about the DRM - that was in place by the time WP8 came out, but WP7 didn't have it for a long time - but it absolutely cares about the signatures. More accurately, actually, the XAP install code (which the store invokes) cares about the signatures. There's no "tricking" it; the signature is quite plainly there, or it's not. You don't exactly have to look hard to find it. The app launch code *also* cares about signatures. Non-sideloaded apps won't have ID_CAP_DEVELOPERUNLOCK, which is a special capability automatically added to sideloaded apps to allow them to launch even though they don't have signatures. Without that capability (or rather, without the SID which the token of an app with that capability gets at chamber creation), the kernel will refuse to load the unsigned executable binaries.
GoodDayToDie said:
@bruce142: The store may or may not care about the DRM - that was in place by the time WP8 came out, but WP7 didn't have it for a long time - but it absolutely cares about the signatures. More accurately, actually, the XAP install code (which the store invokes) cares about the signatures. There's no "tricking" it; the signature is quite plainly there, or it's not. You don't exactly have to look hard to find it. The app launch code *also* cares about signatures. Non-sideloaded apps won't have ID_CAP_DEVELOPERUNLOCK, which is a special capability automatically added to sideloaded apps to allow them to launch even though they don't have signatures. Without that capability (or rather, without the SID which the token of an app with that capability gets at chamber creation), the kernel will refuse to load the unsigned executable binaries.
Click to expand...
Click to collapse
I understand, the app has to be signed before it can be uploaded to the store, but does the developer of an app not sign its app when he assembles it or does the store sign the app itself? I see no threshold here, as signing an app is not a problem, or is it? I still admire that reker managed to make an app page by using a proxy which isn't normally there and successfully linked an app to it, which I was able to download and it contained elevated capabilities, I thought the ID_CAP capabilities were all interop capabilities (correct me if I'm wrong). Could someone make the old version of the Samsung Diagnostic tool available this way which users with other WP than the Ativ S/Ativ S Neo might able to use to modify the MaxAppUnsigned value and unlock more capabilities, or is this impossible? If only we knew how reker did this, ...
bruce142 said:
I understand, the app has to be signed before it can be uploaded to the store, but does the developer of an app not sign its app when he assembles it or does the store sign the app itself? I see no threshold here, as signing an app is not a problem, or is it? I still admire that reker managed to make an app page by using a proxy which isn't normally there and successfully linked an app to it, which I was able to download and it contained elevated capabilities, I thought the ID_CAP capabilities were all interop capabilities (correct me if I'm wrong). Could someone make the old version of the Samsung Diagnostic tool available this way which users with other WP than the Ativ S/Ativ S Neo might able to use to modify the MaxAppUnsigned value and unlock more capabilities, or is this impossible? If only we knew how reker did this, ...
Click to expand...
Click to collapse
ID_CAP's aren't all Interop capabilities, most of them are available for every app, and the ones you posted are, afaik, normal ones that don't need and Interop Unlock.
GoodDayToDie is right. His answer is very detail.
You may replace a xap with homebrew one in theory, but phone will never launch a store app without MS signature. Every single dll is signed by MS, and phone will check it.
Few questions and opinions:
The signature is used only for allowing the app to be installed on the device right?
Is the signature after added to the app a constant for the whole time or is it changing from time to time?
If the signature is used only for allowing an app to be installed, can we somehow make an virtual MS Server (Using FIddler for example), who can clone the real one and give us an offline signing of the app`s when installing them?
Can a signature be pulled off from an original installed app and the be put in to an another one?
cevi said:
Few questions and opinions:
The signature is used only for allowing the app to be installed on the device right?
Is the signature after added to the app a constant for the whole time or is it changing from time to time?
If the signature is used only for allowing an app to be installed, can we somehow make an virtual MS Server (Using FIddler for example), who can clone the real one and give us an offline signing of the app`s when installing them?
Can a signature be pulled off from an original installed app and the be put in to an another one?
Click to expand...
Click to collapse
The signature is checked when running the application, every PE image on the device should have a valid digital signature.
You don't seem to understand how it works, the signature is any kind of hash, let's say, SHA256, of the entire file. This signature is encrypted with the signee private key. If you change one single bit of the file, the hash will change, and so the signature will be invalid.
There are few ways to exploit this kind of security, like generating a hash collision or breaking the private key, both would take million of years.
I do really don't understand the whole process I was just giving some noob suggestions.
It's strange for me that after the app is installed it doesn't require an active network to start.So I am wondering if it could be possible to trick the app to start somehow?
Sent from my Windows Phone 8S by HTC using Tapatalk
While suggestions are always welcome, you really should read up on digital signatures and how they work. @greenboxal's explanation seems like it might have gone over your head a bit... The fact that you didn't understand about ID_CAP_* also means you've probably never looked at WP development, or even looked at the manifest of a WP app, either; you may want to do some of that. Until you do so, it would be only by the sheerest crazy luck that you managed to hit on a solution, because you don't even know what you're actually trying to accomplish!
For example, it's pretty obvious why there's no need for a network connection to start an app, once it's installed. There's a license on WP apps, which is checked when the app is installed (requires Internet access) and is then valid for some time (never checked how long exactly, probably years though). The signatures are different. When the app is installed, the signing certificate (which contains the public key, but not the private key, of the keypair used to sign the app) is extracted from the app and checked to see whether it is trusted by Microsoft (the phone has Microsoft's certificates embedded in the OS; it doesn't need a network connection for this). When you try to launch the app, it checks to see whether the signatures on each binary (which are, as greenboxal mentioned, created by taking the cryptographically secure hash of the binary and then applying something like encryption to it using the private key) are valid (it applies the public key to the signature to get the signing hash back, and checks whether that hash still matches). We (developers) can't fake store signatures ourselves, because we don't have Microsoft's private keys. Therefore the phone wouldn't trust our signatures (make sure you read up on the concept of a "chain of trust" and the concepts of public key cryptography and public key infrastructure in general too) and would refuse to load the binaries. The process of verifying signatures is just a bunch of math once you've already got the public keys, and those are, as I said, extracted from the app at install (for individual apps) and stored in WP8 itself (for the Store-wide signing key); no need to access the network.
Thanks guys for clearing this up for me.I know that it`s not that simple as i say.Anyway, just keep up the good work.We the Noobs depend from you.
If you are not those who you really are i personally know that i will never buy a Windows Phone again.You are the reason for the MS`s profit.
Sorry again for jumping in into this "battle".
This thread is becoming way out of hand, question is asked and answered : adding a app via proxy which may interop-unlock other WP is not possible. Locking thread now.
PS : yay, ten posts.
There are many C++/CX codes in my Windows Phone 8 app so there might be many dangling pointers access which will cause AccessViolationException. Actually I know that __try & __except can catch them but I hope that my app can get notified like some callback function can get called while AccessViolationException raised that it's NOT surrounding by __try __except.
And I have tried Application.UnhandledException in C# code and ::SetUnhandledExceptionFilter(which is private API and I somehow successfully invoke it) but still failed to get called.
So is there any way to get notified while AccessViolationException is raised?
In case somebody has the same problem, I solve my problem by using _set_se_translator, a crt API
Ooh, details on that would be good (OK, I should just go read the docs...) but thanks for posting the solution! C++/CX has way too many modes of memory management; it's pretty easy to get it wrong if you try doing anything even vaguely outside the standard use cases. (Example: Do not malloc an array of Platform::String and then assign to it. Any non-nulls in the array (leftover data from prior allocations) will be treated as though they are valid strings that you are assigning over, which means the "old string's" reference count will be decremented, which may lead to memory corruption. Using calloc instead works, by the way, though it's still kind of a hack.) Anyhow, debugging that stuff is annoying, especially since you can only debug native *or* managed, not both.
(I am new and cannot post in dev forum, that's why I posted this here. Still hope someone will be able to help.)
Is there a way to get crash-dumps out of Windows Phone 8 during development time? I am after a file that is dumped similarly to when a normal Win32 app crashes. Or similar to what is saved on iOS devices at crash to be investigated at a later point.
My question is specifically about somehow retrieving this (or similar) file/info from the phone after a crash without me having to do anything in my code e.g. manually writing the stack trace to a file from an unhandled exception.
I am aware the option of getting "live" crash reports from a beta-submitted app but that is not what I am after.
Thanks!
Can Visual Studio's debugger generate crash dumps? I'd expect so (I know windbg can, but I haven't managed to attach windbg to a phone app) and that would be the obvious approach.
Not sure why you want a dump when you can do live debugging, though...
GoodDayToDie said:
Can Visual Studio's debugger generate crash dumps? I'd expect so (I know windbg can, but I haven't managed to attach windbg to a phone app) and that would be the obvious approach.
Not sure why you want a dump when you can do live debugging, though...
Click to expand...
Click to collapse
Hmmm, I never thought of using windbg because that never came up as a tool that is used with WP8.. Will give it a try and see if I get anywhere.
I need a crash dump because the crash does not happen when a debugger is attached.
I am trying other options to catch the issue: isolating the code the crash might happen, dump the stack trace into a log file, but a crash log would be the most obvious place to look at and I am shocked that it is not possible or at least this hard.
There's a way on the ATIV S to get crash dumps (without even crazy hacks, I mean; it's a hidden option in the Diagnosis application) but I think they're only for the OS, not for individual apps.
A crash that only happens without the debugger attached is a very irritating sort of crash!
GoodDayToDie said:
There's a way on the ATIV S to get crash dumps (without even crazy hacks, I mean; it's a hidden option in the Diagnosis application) but I think they're only for the OS, not for individual apps.
A crash that only happens without the debugger attached is a very irritating sort of crash!
Click to expand...
Click to collapse
Amazing, I have access to an Ativ S device so will give a try! Thanks!
I have got a confirmation directly from Windows Phone team: what I am asking for is not possible at the moment.
I have provided them feedback on what kind of situation this can put some developers, I hope they will consider it and look into doing something about it.
In the meantime your options are to manually dump the stack trace (along with any info you want) from an unhandled exception or to upload your app for beta testing and check the crashlogs on the dashboard of your developer account.
Yeah, sorry. I should have mentioned that my approach is to always implement a custom unhandled exception function (there's a stub for it in App.xaml.cs) and either present an error message or write an error file. It's not a true crash dump, but it's often enough to help you find the spot where the problem occurred.
Hmm... I wonder how hard it would be to write a native component that would generate a crash dump on demand. I mean, it *should* be possible to do it, since you have raw pointer access and file I/O. I've just never tried.
For my Xposed Module Play Store Chagenlog an update was released yesterday, this added a GUI as wel as some options. There have been quite a few reports about settings preferences not being applied. After some debugging, I found out that this XSharedPreferences simply doesn't have any entries and thus always returns the default values. I'm 100% sure the options are set (the preferences screen shows them correct and you can see them in the .xml) and the right file is being loaded. There are no errors in the Xposed Log or in the logcat.
I've found a workaround (only tested by me), unchecking and re-checking an option and then the preferences are read correctly. All my modules (actually most of all Xposed Modules) use this way to load an user's preferences, I have absolutely no clue what's causing this behaviour.
The source code is on GitHub, links to relevant files:
PlayStoreChangelog.java
SettingsActivity.java
SettingsFragment.java
settings.xml
For debugging purposes, I've added a snippet to dump the preferences beneath initializing XSharedPreferences. This says it loads the right file, the file exists but it contains no entries (size 0). So when trying to get values (getString, getBoolean etc), it only returns the default values.
Java:
sharedPreferences = new XSharedPreferences(BuildConfig.APPLICATION_ID);
XposedBridge.log(LOG_TAG + sharedPreferences.getFile().getAbsolutePath() + " exists: " + sharedPreferences.getFile().exists());
XposedBridge.log(LOG_TAG + " ---PREFS: " + sharedPreferences.getAll().size() + "---");
Map<String, ?> sortedKeys = new TreeMap<String, Object>(sharedPreferences.getAll());
for (Map.Entry<String, ?> entry : sortedKeys.entrySet()) {
XposedBridge.log(LOG_TAG + entry.getKey() + "=" + entry.getValue().toString());
}
Summary
The app uses a PreferenceFragment to set the preferences and XSharedPreferences to load them. The changes are written to the .xml file and shown in the GUI. The XSharedPreferences instance remains empty and does not contain any entries, thus it always returns the default value. I don't get why it doesn't work, I don't even get why the 'workaround' does work.
I'd really appreciate any help, I'm stuck on this one. No idea what causes it and whether it's a but in my code or something else.
I hope I gave enough information. Thanks in advance.
I'm really stuck on this one, I haven't got a clue what causes this. Maybe @rovo89, @MohammadAG, @GermainZ or @defim, you guys are the most experienced Xposed developers out here. Thanks in advance!
Could something like `sharedPreferences.makeWorldReadable();` (probably needs to be in initZygote) solve your issue? I can't personally think of any reason this might happen except a permission issue.
(Also make sure you're using the latest Xposed Bridge API. I remember there were some commits related to XSharedPreferences, although I can't remember what they were exactly and can't check right now.)
Permission problem sounds reasonable. PSC has for its xml file only set 660, so world readable is mission. After changing it by command line Play Store starts as expected. But i've to say that i use in no app the makeWorldReadable(), Xposed should do it by itself: http://forum.xda-developers.com/showpost.php?p=41976845&postcount=1586 But I also dont use settings fragment, which could cause it...
GermainZ said:
Could something like `sharedPreferences.makeWorldReadable();` (probably needs to be in initZygote) solve your issue? I can't personally think of any reason this might happen except a permission issue.
(Also make sure you're using the latest Xposed Bridge API. I remember there were some commits related to XSharedPreferences, although I can't remember what they were exactly and can't check right now.)
Click to expand...
Click to collapse
defim said:
Permission problem sounds reasonable. PSC has for its xml file only set 660, so world readable is mission. After changing it by command line Play Store starts as expected. But i've to say that i use in no app the makeWorldReadable(), Xposed should do it by itself: http://forum.xda-developers.com/showpost.php?p=41976845&postcount=1586 But I also dont use settings fragment, which could cause it...
Click to expand...
Click to collapse
First of al, both thanks you for your response, it's highly appreciated.
I've been testing with permissions, it indeed looks like a permission problem, because makeWorldReadable() solved it. I use the following line the SettingsFragment to make it World Readable, which has always worked, even though Context.MODE_WORLD_READABLE is officially deprecated because if security reasons:
Java:
getPreferenceManager().setSharedPreferencesMode(Context.MODE_WORLD_READABLE);
It creates a file with 660 permissions, with makeWorldReadable in initZygote it sets it to 664. This is my initZygote:
Java:
@Override
public void initZygote(StartupParam startupParam) throws Throwable {
sharedPreferences = new XSharedPreferences(BuildConfig.APPLICATION_ID);
XposedBridge.log(LOG_TAG + "Readable before: " + sharedPreferences.getFile().canRead());
sharedPreferences.makeWorldReadable();
XposedBridge.log(LOG_TAG + "Readable after: " + sharedPreferences.getFile().canRead());
}
The weird thing is, both readable before and after return true, which indicates it has the permission to read the file before makeWorldReadable(). But... it doesn't work without it
In the end, I created a snippet in SettingsFragment to solve it where the problem arises, instead of makeWorldReadable():
Code:
File sharedPrefsDir = new File(getActivity().getFilesDir(), "../shared_prefs");
File sharedPrefsFile = new File(sharedPrefsDir, getPreferenceManager().getSharedPreferencesName() + ".xml");
if (sharedPrefsFile.exists()) {
sharedPrefsFile.setReadable(true, false);
}
This still needs setSharedPreferencesMode(Context.MODE_WORLD_READABLE), otherwise the permissions will be reset to 660 when a preference changes, now they stay 664. So basically al it does it make it readable for others in addition to the setSharedPreferenceMode().
Thanks again for your replies, it really helped. I still think it's weird, especially since File.canRead() returns true, while it obviously can't read it. I hope it'll help others in the future.
I think I use the deprecated SettingsActivity for this reason. I can override getSharedPreferences so it always returns a world readable file, this avoids the permissions resetting when a preference changes.
Sent from my HTC One_M8 using Tapatalk
MohammadAG said:
I think I use the deprecated SettingsActivity for this reason. I can override getSharedPreferences so it always returns a world readable file, this avoids the permissions resetting when a preference changes.
Sent from my HTC One_M8 using Tapatalk
Click to expand...
Click to collapse
Thanks for your response, just checked out one of your modules, saw you were using getPreferenceManager().setSharedPreferencesMode(MODE_WORLD_READABLE); too. (and indeed SettingsActivity). This has always been sufficient for me using PreferenceFragment. To be sure it's world readable I now manually set the permissions on onPause as a workaround. Still weird because it has always worked flawless for me.
P1nGu1n_ said:
Thanks for your response, just checked out one of your modules, saw you were using getPreferenceManager().setSharedPreferencesMode(MODE_WORLD_READABLE); too. (and indeed SettingsActivity). This has always been sufficient for me using PreferenceFragment. To be sure it's world readable I now manually set the permissions on onPause as a workaround. Still weird because it has always worked flawless for me.
Click to expand...
Click to collapse
Yeah, I also override getSharedPreferences in PreferenceActivity, that allows it to stay world readable.
Sent from my HTC One_M8 using Tapatalk
Sam code works for me in XInstaller. Try check it out, it is open source.
Be aware that using XSharedPreferences will probably lead to problems on Lollipop caused by more stringent SELinux rules.
M66B said:
Be aware that using XSharedPreferences will probably lead to problems on Lollipop caused by more stringent SELinux rules.
Click to expand...
Click to collapse
Good point, but it's too early to say. I'll wait for Xposed to be compatible (hope it will), than I'll look into what changes it'll require. That's something almost every Xposed developer will face ;p
Sent from my phone, please forgive any tpyos.
Yes, I think also Xposed should then handle with LOL XResources properly
Breaking XSharedPreferences means that *almost* every module is not going to work on Lollipop.
I also migrated my project to use PreferenceFragment and getPreferenceManager().setSharedPreferencesMode(Context.MODE_WORLD_READABLE) pretty much does nothing. After I change any setting, prefs file lose "world available" mode.
I checked out P1ngu1n_'s implementation using PreferenceFragment, but it still doesn't work for me. Do any of you have an idea why?
Here is my source
The only difference I can see is that I don't have an xml file for the preferences and that I'm adding the keys in the fragment.
I even checked the permissions and they seem to be fine.
asdfasdfvful said:
I checked out P1ngu1n_'s implementation using PreferenceFragment, but it still doesn't work for me. Do any of you have an idea why?
Here is my source
The only difference I can see is that I don't have an xml file for the preferences and that I'm adding the keys in the fragment.
I even checked the permissions and they seem to be fine.
Click to expand...
Click to collapse
If the permissions seem to be fine, than what doesn't work?
P1nGu1n_ said:
If the permissions seem to be fine, than what doesn't work?
Click to expand...
Click to collapse
That's what confuses me. I have the xml file under shared_prefs and it definitely has values. However, xposed won't read it unless I open the app itself.
Sent from my Nexus 5 using Tapatalk
So the bootloader allows 5 tries before forcing a reboot. I'm working on a brute force method to send unlock codes until one is successful. Basically send 4 codes, do a fastboot reboot bootloader, send 4 more - until a valid code is found. It takes 6 seconds on my system for the fastboot command to function again after issuing a reboot. At this rate I can only do 12,342 codes per day (give or take a few hundred). Total possible combinations is 7,958,661,109,946,400,884,391,936. This is based on 16 character alpha numeric (36^16). Of course, if there was a pattern like (111AA1111A1AA111), it would greatly reduce this. I'm within my 30 day window, so I'm likely just to send it back and put my $800 in a company that supports the community, but if I find enough of a pattern to consider brute forcing, I might consider keeping it around. I love the hardware, hating the UI and my inability to install my favorite apps from F-Droid that require root...
I think you would also need the IMEIs and Serial Numbers as the unlock code most probably gets generated with them.
P-Chan80 said:
So the bootloader allows 5 tries before forcing a reboot. I'm working on a brute force method to send unlock codes until one is successful. Basically send 4 codes, do a fastboot reboot bootloader, send 4 more - until a valid code is found. It takes 6 seconds on my system for the fastboot command to function again after issuing a reboot. At this rate I can only do 12,342 codes per day (give or take a few hundred). Total possible combinations is 7,958,661,109,946,400,884,391,936. This is based on 16 character alpha numeric (36^16). Of course, if there was a pattern like (111AA1111A1AA111), it would greatly reduce this. I'm within my 30 day window, so I'm likely just to send it back and put my $800 in a company that supports the community, but if I find enough of a pattern to consider brute forcing, I might consider keeping it around. I love the hardware, hating the UI and my inability to install my favorite apps from F-Droid that require root...
Click to expand...
Click to collapse
Hello P-Chan80,
Did you success ?
I'm also thinking in brute forcing the unlocking oem code on my Honor 6c Pro.
In my case I can try as many code as I want without rebooting but I have to confirm the fastboot unlocking command by pressing Volume UP and Power on the phone. Do you have this procedure on your Huawei ? I was thinking if it is possible to automate it by opening the phone and sending electrical impulses where the buttons are (with an arduino or a raspberry pi for instance).
Hey. It's a very interesting idea - try to brute the code. BUT I think that it is irrational - as the wear of the phone buttons will cost more than the cost of paid methods of obtaining the code. The question is-how do these services get the codes? I can only assume two options: they take the codes from huawei's database or they know the code generation algorithm(If Huawei use one), because they only need the imei or serial numbe to get unlock code. Do you think it is possible to to find this algorithm too?(Having a data: Imei – unlock code)?
May be it's sounds silly, but what do you think about it?
P-Chan80 said:
So the bootloader allows 5 tries before forcing a reboot. I'm working on a brute force method to send unlock codes until one is successful. Basically send 4 codes, do a fastboot reboot bootloader, send 4 more - until a valid code is found. It takes 6 seconds on my system for the fastboot command to function again after issuing a reboot. At this rate I can only do 12,342 codes per day (give or take a few hundred). Total possible combinations is 7,958,661,109,946,400,884,391,936. This is based on 16 character alpha numeric (36^16). Of course, if there was a pattern like (111AA1111A1AA111), it would greatly reduce this. I'm within my 30 day window, so I'm likely just to send it back and put my $800 in a company that supports the community, but if I find enough of a pattern to consider brute forcing, I might consider keeping it around. I love the hardware, hating the UI and my inability to install my favorite apps from F-Droid that require root...
Click to expand...
Click to collapse
Did eventually worked?
Equivalent is winning the lottery. Considering the number of possible combinations it would take years to complete the whole sequence. Not practical at all.
It would help a lot if you get some sort of pattern but that would be hard to get unless all people with the unlock phones provide their IMEI and unlock codes.
If you get enough matching pairs you might be able to figure out the logic. Then should not be too hard to create a generator by putting together a small script (python/perl/php/bash/whatever). The hard bit is to get the pairs and then the script should not be too hard to create. I could try.
I ask this not knowing anything about the Android bootloader process. Is it possible to dump the bootloader of a locked or unlocked phone and analyse the code to identify where and how it identifies a valid unlock code? And then work backwards from there? Or are codes signed by Huawei using a private key and such an analysis would prove unfeasible?
If the unlock codes are signed, but dumping the bootloader is possible, could an analysis of the bootloader code from a dump allow for an exploit to be developed similar to the Amonet exploit used on the 5th, 7th and 9th gen Fire 7 tablets?
It seems someone is trying this method: https://github.com/SkyEmie/huawei-honor-unlock-bootloader
However no-one has confirmed if it actually works, but some users said it doesn't.
EDIT: Started the process 5 hours ago and it did like 1%. The Huawei M3 Lite I'm testing this on doesn't reboot ever. Not sure I'll keep it running for 20 days.
would it be possible to pause it and resume other time?
that would be great.
hfmls said:
would it be possible to pause it and resume other time?
that would be great.
Click to expand...
Click to collapse
Considering it's a command window, you can make a selection with the mouse and it will "block" / pause until you unselect. That should help run the whole thing to the end.
Are you sure the unlock codes are alphanumeric?
Can someone who have unlocked bootloader send me the code and IMEI in PM ? - I know that is private info, but Unlock code should be related to the IMEI
I do a little research today using this bootloader dump: https://forum.xda-developers.com/hu...rch-requesting-bootloader-dump-t3897062/page2
There are two interesting functions that are taking a param - I think it should be a unlock code, and then one of them is passing the code to other function:
void FUN_000be4e6(void)
{
undefined *puVar1;
undefined *puVar2;
undefined *in_pc;
longlong lVar3;
undefined4 in_cr5;
undefined auStack140 [140];
coprocessor_storelong(0xe,in_cr5,auStack140);
puVar1 = (undefined *)0x3e8;
puVar2 = (undefined *)0x3f0;
lVar3 = 8;
while( true ) {
*in_pc = *puVar1;
in_pc[1] = *puVar2;
in_pc = in_pc + 2;
lVar3 = lVar3 + -1;
if (lVar3 == 0) break;
puVar1 = puVar1 + 1;
puVar2 = puVar2 + 1;
}
/* WARNING: Bad instruction - Truncating control flow here */
halt_baddata();
}
Click to expand...
Click to collapse
I think it should be related because it is getting two elements at a time and the loop iterates 8 times - 8*2=16 - the length of the unlock code
Pretty sure that Huawei only asked for my serial, can't remember them asking for my IMEI, but then it has been a couple of years nearly.
Also seem to remember the code being numbers only, but again it's been a while.
dladz said:
Pretty sure that Huawei only asked for my serial, can't remember them asking for my IMEI, but then it has been a couple of years nearly.
Also seem to remember the code being numbers only, but again it's been a while.
Click to expand...
Click to collapse
What device are you referring to?
Certainly that's not how it worked o.n the latest devices.
They asked for imei number only and on the devices with multiple imeis I think only 1st one was needed. The code that they provide also is alphanumeric : FNHHZ85YQ3WP2T0X
If I find my old imei I'll share it as well, I hope I have a backup somewhere ( I actually found old transcripts from Huawei support including my 1st imei, I'll look for the 2nd one in the following days )
Imei #1 - 866219037075115
borovaka said:
Are you sure the unlock codes are alphanumeric?
Can someone who have unlocked bootloader send me the code and IMEI in PM ? - I know that is private info, but Unlock code should be related to the IMEI
I do a little research today using this bootloader dump: https://forum.xda-developers.com/hu...rch-requesting-bootloader-dump-t3897062/page2
There are two interesting functions that are taking a param - I think it should be a unlock code, and then one of them is passing the code to other function:
I think it should be related because it is getting two elements at a time and the loop iterates 8 times - 8*2=16 - the length of the unlock code
Click to expand...
Click to collapse
I was the one who started that thread. I couldn't narrow down on any functions related to unlock code verification though in any of those dumps. Can you share some more light on how you identified that particular function? I'd be interested in taking this up again in my spare time too.
The reasons why I didn't purse it further at that time (as far as I remember) were:
1. There's no partition titled "boot" or "aboot" on atleast EMUI 9. I remember doing some more research on this but seemed to hit a dead-end.
2. Fastboot dump seems to be encrypted. This would make sense since the device has roots-of-trust implemented. Not sure if they only check & verify signatures or also if important sections are encrypted at rest. Didn't pursue this further due to lack of time.
Aodrulez said:
I was the one who started that thread. I couldn't narrow down on any functions related to unlock code verification though in any of those dumps. Can you share some more light on how you identified that particular function? I'd be interested in taking this up again in my spare time too.
Click to expand...
Click to collapse
I used ghidra with the image from the other post. With ARM CORTEX little endian profile
Rstment ^m^ said:
What device are you referring to?
Certainly that's not how it worked o.n the latest devices.
They asked for imei number only and on the devices with multiple imeis I think only 1st one was needed. The code that they provide also is alphanumeric : FNHHZ85YQ3WP2T0X
If I find my old imei I'll share it as well, I hope I have a backup somewhere ( I actually found old transcripts from Huawei support including my 1st imei, I'll look for the 2nd one in the following days )
Imei #1 - 866219037075115
Click to expand...
Click to collapse
It was two years ago, can't remember giving my IMEI out, 100% my serial via the official Huawei bootloader unlock method, cannot remember if it was alpha it not.
Either way. Best of luck with this, would love to see someone crack this, could make a tonne of money if you did.
Or even better free
Did some more research on this & it turns out, on recent Huawei devices, the bootloader is named "xloader". The fastboot dump from my rooted phone is encrypted & so won't yield anything useful. It's also very rare to find references to detailed information on this "xloader" image/partition on the internet. Will dig some more when I get time.
Rstment ^m^ said:
What device are you referring to?
Certainly that's not how it worked o.n the latest devices.
They asked for imei number only and on the devices with multiple imeis I think only 1st one was needed. The code that they provide also is alphanumeric : FNHHZ85YQ3WP2T0X
If I find my old imei I'll share it as well, I hope I have a backup somewhere ( I actually found old transcripts from Huawei support including my 1st imei, I'll look for the 2nd one in the following days )
Imei #1 - 866219037075115
Click to expand...
Click to collapse
P20 Pro, Huawei method..
Like I said it's been 2 years so may be remembering it wrong..
dladz said:
P20 Pro, Huawei method..
Like I said it's been 2 years so may be remembering it wrong..
Click to expand...
Click to collapse
I got myne from support so who knows, I didn't get a chance to use website