Wild speculation - Defy General

I don't have the experience to know if this is possible, which is why I ask because I'm curious. I post here because I want devs to see it, and think "that could work" or "idiot"
As we know the defy bootloader will probably never be unlocked, now I was thinking would it not be possible to somehow isolate the bootloader from a rom, and run some kind of virtual one in a separate partition to run a fully custom kernel? It's probably crazy but I'm dying to know what people think, don't be too hard on me I have no coding experience :/ however all opinions are welcome I think anything is possible
Sent from the real world by hacking into the matrix

I don't want this to become another dead Bootloader-Hacking-Thread, but I want to give you an answer with the facts:
1) There currently is no known way to execute code before booting the kernel because everything is well protected through signing code.
2) The only way to boot a kernel after kernel-boot are tools like kexec or 2ndboot. But a phone's RIL is a heavy stone on that way because it's not that easy to reinitialize this part of hardware and without RIL a phone is useless. The main-developers canceled this project due to this reason.
Other "non-phone"-devices with locked bootloader (like Sony's google-tv) are using this method without problems.
3) You can use kexec/2ndboot to load a full bootloader instead of a kernel only, too. But because we don't have the source we would have to reverse engineer it to disable the signature check of the kernel, otherwise you would load another useless protected bootloader. This was also a project but I don't think it's still alive...
Additional note: You can't directly flash a modified bootloader because our chipset has built-in OMAP3-security features. This means the CPU will only boot signed Code from NAND.
You can find a lot of helpful information about this topic on this page:
http://and-developers.com/partitions:cdt#cdt_table_of_droid_x

Thanks, that clarifies things quite a bit, however I mean loading not just a second kernel but a WHOLE bootloader that would handle the phone's entire functions independently, or is it completely hardwired so it's impossible for something to override it? (Sorry if you have already answered in the above). Another thing, has no one tried to compile custom fixed sbf? Maybe the bootloader could be replaced that way? In software almost anything done can be undone in some way, although perhaps this is the rare case where it isn't
Sent from the real world by hacking into the matrix

I edited my post to have everything in one place.
I hope this answers your questions.

The bootloader is like the bios in a pc (actually is part of the bios), it's what initializes the device and loads the rest of the code. To load it again or another one you would have to reinitialize the device. The issue with the RIL is that when reset or restarted it "panics" and resets the whole device (I think, read it somewhere).
Also the second unlocked bootloader that you want to load does not exist anyway.
It's better to just help the developers with bug reports and testing than daydream.
Sorry mate!

m11kkaa said:
> I edited my post to have everything in one place.
> I hope this answers your questions.
So it's all been tried before, damn! XD at least the devs here have done a fine job of making good roms even with this limitation, guess I will do my research before I buy my next phone as I love playing with roms, the more custom, the better
Sent from the real world by hacking into the matrix

Android /HTC Architecture

Quick question to the community here – could someone post or direct me to some information on the architecture of the phone / hardware? What I’m referring to is:
There is a primary boot loader, secondary programming boot loader, the core OS image, the external storage, over the air updates etc. Then looking into the software information section of the EVO, I see firmware version, baseband version, kernel version, build number, software number, browser version, PRI and PRL version.
Kernel, build, software number and browser version are self-explanatory. However, firmware and baseband are a bit unclear, also PRI / PRL – what exactly are those?
When OTA update is initiated, which elements can be updated?
I have rooted my phone by following the instructions, what I don’t fully understand is what exactly transpired while it was being rooted, and what will happen during the next (2.2) update.
Today I have 0.72 engineering build hboot (which acronym does it fit comparing to all of the text above?). So, if I were to (yes, I know, I should not) update the phone over the air, would the very first bootloader be replaced with the newer version or would it be out of scope and only the software/build number would change?
Along the way, I’m planning to try to write some code for the android platform and see where it takes me (good with C, fluent in .NET, can read java code, ok with linux [gentoo], fluent in networking and other IT R&D components) – any development pointers that anyone can offer?
this should probably be in q and a
and, you should probably change the title of your thread to reflect exactly what it is that you want, lol
and, you can google or wiki most of the things you want to know about.
Thread moved to Q&A.
timothydonohue said:
> this should probably be in q and a
> and, you can google or wiki most of the things you want to know about.
Suggestions to google for something are always useful, I'm not sure why you'd assume I didn't
for example -- the primary and secondary boot/application loaders -- most of the information available is about rooting phones, not too much on the theory on how it works.
I'm still figuring out a lot of this, but I think it is more like boot loader with an os on top of it, like a pc. In a normal boot the white screen with no animation (just the htc logo) is kinda like bios, self test and stuff. Then once you see the animated sprint 4g screen, the bios is done and the loaded rom is running.
Booting into recovery isn't a separate boot loader, it is just another partition in the nand.
I wish there was a little more information about this out there. I kinda feel like there aren't good resources for this. The developers that know this kind of stuff don't hang out in q&a or general, but this kind of question isn't really appropriate for the development section.
I think one of the best things would be to grab the aosp source and build android, I just don't have much time right now.
Sent from my PC36100 using XDA App
laydros said:
> I'm still figuring out a lot of this, but I think it is more like boot loader with an os on top of it, like a pc. In a normal boot the white screen with no animation (just the htc logo) is kinda like bios, self test and stuff. Then once you see the animated sprint 4g screen, the bios is done and the loaded rom is running.
> Booting into recovery isn't a separate boot loader, it is just another partition in the nand.
> I wish there was a little more information about this out there. I kinda feel like there aren't good resources for this. The developers that know this kind of stuff don't hang out in q&a or general, but this kind of question isn't really appropriate for the development section.
> I think one of the best things would be to grab the aosp source and build android, I just don't have much time right now.
> Sent from my PC36100 using XDA App
The recovery image seems to be stored on SD card and not in non volatile memory. So between HBOOT, Primary loader and secondary loader, and (what is indicated on the phone as) firmware: is HBOOT the same as the primary loader and secondary loader loads up the firmware that pulls the image?
HBOOT seems to be similar to bios
SPL seems to be the thing that bootstraps the device (i.e. lilo, grub etc...)
What exactly is the firmware then? if SPL is a secondary software loader, is HBOOT = Primary Loader?
this is a good place to start http://tjworld.net/wiki/Android
I'm sure a year later this was resolved, I'll even go out on a limb and say it was resolved before your join date.
blizzard1017 said:
> I'm sure a year later this was resolved, I'll even go out on a limb and say it was resolved before your join date.
That's a really good way to discourage people trying to help, especially when they are actually helpful. This forum is getting a bad rap for comments like that (and "google it" being the default answer). I do tech support and understand how aggravating it is to deal with people who don't get it, but without people a forum is an empty place... and largely useless.
AllanonMage said:
> That's a really good way to discourage people trying to help, especially when they are actually helpful. This forum is getting a bad rap for comments like that (and "google it" being the default answer). I do tech support and understand how aggravating it is to deal with people who don't get it, but without people a forum is an empty place... and largely useless.
Actually the bad rap is from people that over analyze things and start going off the handle about it. It was a joke, obviously a joke. He/she pulled up a thread from exactly a year ago that I assume was misread as current. I don't think I barraged them with belittling comments or suggestions of selling their phone and pc and moving to a cave, did I? If you care to hit my little name and then tap on that little post history you'll see I actually help. I think I have in ONE thread actually called someone an ass and they actually deserved it based on the other 100+ posts doing so as well.
"Sense of humor" google it lol

Kernel Source

Hello,
I'm not sure if anyone was aware, but the source code for the kernel is available from the Acer website. I'm not sure if this would help with the dev of roms or cracking the bootloader. Thought I would throw it out there.
It's available on the Acer support page under the A100, and is around 100mb
mvan4310 said:
> Hello,
> I'm not sure if anyone was aware, but the source code for the kernel is available from the Acer website. I'm not sure if this would help with the dev of roms or cracking the bootloader. Thought I would throw it out there.
> It's available on the Acer support page under the A100, and is around 100mb
Yeah, I saw that. Doesn't make a difference though, we need an unlocked bootloader before a custom kernel we can make with that is useful.
Back in my Xperia x10 days they were able to find a way to crash the stock kernel and were able to load custom kernels with a locked bootloader. It's probably not feasible considering it was a much older kernel version and from a different manufacturer...but one can only hope right? lol
Don't know if it helps, but the thunderbolt also came with a locked bootloader and devs figured out how to flash a custom kernel. The custom was also locked but supported what they needed it to. It was flashed with the same process as our flashing updates manually. Maybe some of the tbolt devs could help?
Sent from my A100 using Tapatalk
We could do a custom rom that through 2nd-init, but so far it's been an uphill battle trying to figure it out. I'm not a kernel developer, but I've done some work modifying and working with cm7 kernels but nothing to this scale.
I do know that we wouldn't be able to change the kernel on this device or a modified recovery because there's some checking going on with the checksum of the disk images.
@crossix
Have you seen this thread in the Nook Tablet forums?
They found a way around the bootloader problem.
I was thinking the above. Maybe we can make a work around through the kernel code. I haven't done programming on this low of a level but can scan through to see if and what checks there are and if there are any loopholes... I like to think they have a backdoor somewhere in there...
Excuse me, I was wrong. The tbolt with its locked bootloader was solved a little differently. I think what they did was flash an entirely different bootloader to it. One that was still encrypted but unlocked. Don't know if that's possible in this case but thought it was something to mention.
Sent from my LG-VM670 using Tapatalk
Maybe we should talk to nemith and fattire and they may have some suggestions. I am nowhere skilled at this level of development to talk intelligently to them. My development skills lie in the .Net field and at the application level. So I am not much help.
@painter... I have been looking through the nook forums that you referred to and I certainly think that this is a possible route to go with the a100. This is also way above my skillset, however I will be more than happy to do what I can if there are any developers interested. I have been doing a lot of research into the locked bootloader and this is the most promising news that I have heard so far. I wish we could get more devs interested in this little tablet because it has great potential if we could get past the bootloader.
What I'll do later is download the code again, had before, but accidentally deleted it, and look through some of the more important code to see what can be found. Why would Acer put up the source code if there isn't a way to alter the kernel? Seems counter-intuitive to put it up without a purpose...
here is some info on 2nd init, if anyone smarter than me is interested in having a look.....good luck!..... http://cvpcs.org/blog/2011-06-14/2nd-init._what_it_is_and_how_it_works
mvan4310 said:
> What I'll do later is download the code again, had before, but accidentally deleted it, and look through some of the more important code to see what can be found. Why would Acer put up the source code if there isn't a way to alter the kernel? Seems counter-intuitive to put it up without a purpose...
Because they have to, it's required by gpl to make the source public. Just because they make it public, doesn't mean that it'll compile properly though. But, in this case it does compile cleanly and with it we could probably take bits and pieces of cwm for the a500 and get it to work (their gpl version not thor's recovery). How to do that though with our current encrypted recovery I dunno.
I looked at the thread and it definitely looks like something doable but what offset would we use and how would we tell the boot partition to go look for a custom recovery when we can't even open it to alter its contents since it and the recovery partitions are both encrypted.
If you make an image of either partition using dd and try to mount it and read its contents you see gibberish rather than editable files in the images. Might be able to poke at it with a hex editor, but that's beyond my skill level.
Sent from my MB860 using XDA App
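A triage check for the situation described in the post above (a dd image that will not mount and reads as gibberish), added here as an example and not part of the original thread: it looks for the standard Android boot-image header and the ext superblock magic before falling back to byte entropy. The function names and sample images are constructed for illustration, and nothing in it is specific to the A100.

```python
import hashlib
import math
import struct
import sys
from collections import Counter

BOOT_MAGIC = b"ANDROID!"
# Leading fields of the Android boot image header (version 0 layout):
# magic, kernel size/addr, ramdisk size/addr, second size/addr, tags addr, page size
BOOT_HDR = struct.Struct("<8s8I")
EXT_MAGIC_OFFSET = 1024 + 56      # s_magic field inside the ext2/3/4 superblock
EXT_MAGIC = b"\x53\xef"           # 0xEF53, little-endian
HIGH_ENTROPY = 7.5                # bits per byte; random data approaches 8.0


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_boot_header(data):
    """Return section offsets if data starts with a boot image header, else None."""
    if len(data) < BOOT_HDR.size or not data.startswith(BOOT_MAGIC):
        return None
    _, ksize, _, rsize, _, ssize, _, _, page = BOOT_HDR.unpack_from(data)
    if page == 0 or page & (page - 1):
        return None               # sanity check: page size is a power of two

    def pad(n):                   # each section is padded to a whole page
        return (n + page - 1) // page * page

    kernel_off = page             # the header occupies the first page
    ramdisk_off = kernel_off + pad(ksize)
    return {
        "page_size": page,
        "kernel_offset": kernel_off, "kernel_size": ksize,
        "ramdisk_offset": ramdisk_off, "ramdisk_size": rsize,
        "second_size": ssize,
        "truncated": ramdisk_off + pad(rsize) + pad(ssize) > len(data),
    }


def triage(data):
    """Classify a raw partition dump by header magic, then by entropy."""
    hdr = parse_boot_header(data)
    if hdr:
        # A boot image is a kernel + ramdisk container, not a filesystem,
        # so it never mounts even when it is not encrypted.
        return {"kind": "android-boot-image", **hdr}
    if data[EXT_MAGIC_OFFSET:EXT_MAGIC_OFFSET + 2] == EXT_MAGIC:
        return {"kind": "ext-filesystem"}
    # High entropy means encrypted OR compressed; it cannot tell which.
    entropy = round(shannon_entropy(data[:1 << 20]), 2)
    kind = "opaque-high-entropy" if entropy >= HIGH_ENTROPY else "unknown"
    return {"kind": kind, "entropy": entropy}


def constructed_random(n, seed=b"constructed-sample"):
    """Deterministic pseudo-random bytes standing in for an encrypted dump."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def constructed_boot_image(kernel, ramdisk, page=2048):
    """Build a minimal, constructed boot image for the demo and the test."""
    hdr = BOOT_HDR.pack(BOOT_MAGIC, len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page)

    def pad(blob):
        return blob + b"\x00" * (-len(blob) % page)

    return pad(hdr) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    if len(sys.argv) > 1:         # path to a dump you made yourself with dd
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read(4 << 20)))
    else:                         # constructed samples
        print(triage(constructed_boot_image(constructed_random(5000), b"R" * 3000)))
        print(triage(constructed_random(65536)))
```

A result of `opaque-high-entropy` at offset 0 is consistent with an encrypted or wrapped partition, but a vendor header in front of a normal image would look the same to this check.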
I'm still in the extraction process, and it is a rather large image. It's around 500mb compressed. I can take a look into it, but can't make any promises that I'll find anything at all. I understand the gpl and whatnot, and the partitions being encrypted, and am just hoping that somewhere in the kernel is a clue as to what is being done that can help us along the way to cracking this thing.
I didn't think of this until now, but is the newer A500 encrypted? If so, maybe we can find the difference between the older and the newer version somehow and see what they are using. Just a thought, could be completely wrong.
From what I understood (I could be completely wrong though) one of the newest updates that brought the a500 up to 3.2.1 changed their encryption method so itsmagic (their security hole) no longer worked. The work around for that was to downgrade to 3.2 and install cwm / itsmagic and then flash a recovery 3.2.1 image.
Sent from my MB860 using XDA App
Hmm, not sure. I'll look around. I'm still trying to root my tab, have been unsuccessful thus far, and about 3 hours into trying..
is there any benefit in opening the device and sniffing around? I know the bootloader's encrypted but some of it might not be? That's how GeoHot found the first iPhone unlock exploit; by shorting two pins or something?
I also know it's possible to read NAND chips with an Arduino to some extent. I dunno, just talking out loud...
Never thought of finding a way through the hardware itself. I have never opened my Acer, probably won't. I have a Chromebook and the only way to install another OS on it was to flip a switch and pop the cover off, since it has a button that's enabled with the case on that prevents writing to specific portions and whatnot... Good thought. Maybe someone will look into this further.
A100 teardown
http://www.techrepublic.com/blog/it...eardown-lots-of-tech-crammed-into-7-case/3028
Sent from my PG86100 using Tapatalk
I think it's very nifty that it has an expansion slot for a cellular chip. All the specs I can find on the 3g a101 show it as having half the RAM. Wonder what it would take to pop a 3g chip in there and get it working. :-\ You would probably have to flash the firmware from the 101 to get it to see the chip...

[DEV][WIP]Bootloader unlock development[no unlock yet]

***This is not a bootloader unlock. This is only a discussion about a possible bootloader unlock***
So I've been following this blog for the past couple of weeks. The owner of the blog describes an exploit to run arbitrary code in trustzone kernel in msm8974 chipsets (post1, post2, post3).
Trustzone is responsible for stuff like android keystore, decoding audio and video with DRM and has absolute control over every bit of hardware inside the chipset.
Most importantly the Qfuses checked by the bootloader to determine if it's unlocked or not.
Now, I've been looking at the disassemblies of trustzone images extracted from firmware versions 4.3.6, 3.5 AT&T, 3.6.2T-MobileDE.
The bug that caused this exploit is in fact fixed in firmware 4.6.3. I didn't test 4.6.1 because probably it is fixed.
Anyway, In firmware versions 3.5 and 3.6.2 the bug is still present. Meaning that we would probably be able to run arbitrary code on the devices with old firmware, or if we can downgrade our phones to 3.6.2 firmware.
The first problem we have is, the exploit needs a slight kernel driver modification to run. (that is if we are not going to use his "zero write primitive" to blow a Qfuse).
But in our devices we can't even boot a custom kernel! (fastboot kernel hotbooting complains even if you pass a signed boot image, saying "boot not allowed in locked HW").
So we might need to find a way to use "kexec" to hotswap a kernel at runtime. Which in turn might need a modified kernel module to be loaded.
We still don't know if we can load unsigned kernel modules to the stock kernel.
The next problem is to find the correct Qfuse to blow. If we blow a wrong one, we can say goodbye to our device.
This would need an analysis of the aboot partition image (emmc_appsboot.mbn) to find which Qfuse aboot checks for bootloader unlocked. (take a look here to know more about this)
So a very simple outline of what we have to do is,
1) Find a way to downgrade to firmware/trustzone 3.6.2
2) Get kexec to run a custom kernel
3) Run the trustzone exploit to blow the correct Qfuse
Now, I'm not very good at reverse engineering stuff since I'm still a newbie, I need help from everyone.
Reply if you have any ideas and contributions. any kind of feedback is appreciated.
Hello @madushan1000,
Here seemed an appropriate place to reply to your PM
Some points to consider:
- Safestrap doesn't use kexec, it uses 2nd init which hijacks the boot process to load a different ramdisk
- Therefore you won't be able to use anything from Safestrap including 2nd init to enable loading a new kernel
- Also note kexec is not enabled on stock kernel builds so at least the exec part is out the window.
- I checked the aboot of 3.5.x and 4.6.1 and noted that the exploit used on the Kindle HDX tabs to bypass/unlock the bootloader has been patched up.
- Other than that: It seems the bootloader is going to remain locked on our devices - Though I hope I am wrong.
More info on the trustzone exploit can be found in the posts I linked above.
Anyway, I don't think we can use HDX bugs even if the aboot bug was present because there is no unlock partition found on the device and flashing to any kind of partition is absolutely prohibited.
We are going to do what is described in this post (http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html) using the trustzone exploit.
As per kexec, there is a kexec kernel module developed at Xperia forums, I can try to port it to fire phone. Probably wouldn't be too hard because it was built for msm8974 kernel too.
Anyway, has anyone gone back to 3.6.2 from 4.6.1 without bricking the device?
Wow, I just found out you can't load unsigned kernel modules either.
How do you know there's a bit in the QFPROM dedicated to unlocking the bootloader? Doesn't that seem kind of like an oversight since there's one you blow to lock it in the first place? Blowing a random fuse will just brick your phone and I'll tell you right now there's no bit to unlock it. The bug has been patched for quite a while and even if it did work, I'm doubtful you'd find what you're looking for.
Well, I don't know. That's why this is still work in progress. But still, as pointed out in the original post, there is one qfuse which is blown after first factory flash to mark the device as bootloader locked. Then there is another one (which is not blown in almost all the msm chipsets in case vendor change their mind and offer an unlock in the future) which marks the device as permanently unlockable. Even if this fuse is blown, by gaining arbitrary code execution in trustzone we might be able to trick the bootloader into thinking device is unlocked.
Don't worry, I'm not going to start blowing qfuses up blindly. First I'm going to identify if there is such a qfuse at all by looking at the aboot disassembly. Then try reading their values first to verify it is in fact not blown. Then I'm going to blow stuff up when I can afford a new phone
Even before that, I have to find a way to downgrade trustzone and find a way to load unsigned kernel modules. I have no illusions, I'm very very far away from unlocking this thing.
And which bug are you referring to? The new trustzone bug I mentioned or the previous trustzone bug?
kaboom away
madushan1000 said:
> Don't worry, I'm not going to start blowing qfuses up blindly. First I'm going to identify if there is such a qfuse at all by looking at the aboot disassembly. Then try reading their values first to verify it is in fact not blown. Then I'm going to blow stuff up when I can afford a new phone
With the current fire sale on these phones, you can probably afford to blow up as many as you want. I cannot believe the prices on these babies right now, that is, if you are into Prime, or don't mind reselling the Prime. I am almost ready to buy a third one.
LNRrgB said:
> With the current fire sale on these phones, you can probably afford to blow up as many as you want. I cannot believe the prices on these babies right now, that is, if you are into Prime, or don't mind reselling the Prime. I am almost ready to buy a third one.
The sad thing is, Amazon prime is not available, let alone fire sales. I would definitely love to get my hands on a few more.
madushan1000 said:
> The sad thing is, Amazon prime is not available, let alone fire sales. I would definitely love to get my hands on a few more.
it's $124.99 in ebay, brand new, prime and warranty.
Yup, ebay has the 32GB and the 64GB for sale right now, with Prime ! Seller is qualitycellz .
litan1106 said:
> it's $124.99 in ebay, brand new, prime and warranty.
Now $119
Perhaps, after all stock containing Prime is depleted, we will get a bootloader unlock...
Wow, if I only had the money. Wish the stock will hold until I graduate next month and get a job.

What can brick a Sony Smartphone?

Hey!
I want to start developing on an old Sony smartphone, the Xperia Miro st23i (Mesona).
Why this device? It isn't expensive to buy a new mainboard in case I break it and for reasons of sentimentality
I have already compiled kernels for Desktop Linux for various reasons.
Now to my question:
There are CM10 sources and some 2.5-ish TWRP available which I intended to upgrade.
Can I break access to fastboot by flashing a kernel that doesn't work at all?
This always happens every now and then when trying something. But on my Thinkpad, I could always swap the hdd when I've messed things totally up... Here, I can't do that.
Same question for TWRP, can I break fastboot?
Can a messed up partition layout break fastboot?
How could I break fastboot?
I think my questions apply to more or less every Sony phone.
I couldn't find any information useful to me by Google or Xda search because the results are so full of questions how to get into fastboot...
I absolutely don't know how the fastboot mode works and what it depends on.
I just want to know what major mistakes I could do before I do them. Maybe I can prevent to be in need of a JTAG Interface by asking in advance
Thanks for any useful answer!
PS: Please don't discuss the fact I'm gonna develop on this device. The amount of thanks given in case I'm successful will be like 4 and the device will be sluggish as hell on Marshmallow or Nougat because it has only a few MBs of RAM and only 1GHz CPU. I know that! But I don't want to start developing on a device that's so expensive that I can't afford to break it.
You wouldn't let a newbie "try to learn something" at your new Prius. You would give him your old 1992 car that you don't need anyway, regardless of its top speed -
Sony devices can use flashtool which is different from fastboot and provides the ability to reflash the full firmware - which helps you get out of most issues you may encounter.
hypertrack said:
> Sony devices can use flashtool which is different from fastboot and provides the ability to reflash the full firmware - which helps you get out of most issues you may encounter.
Thanks for trying to answer my question, but that's not it.
I've already unbricked like 50 phones by exactly following tutorials and reading everything I could find.
In the end, I just want to know what flashmode or fastboot mode depend on. I want to know which partitions I may mess up and which I may not mess up.
My guess is I may do everything as long as I don't reflash the bootloader partition.
Kaffeetrinker said:
> Thanks for trying to answer my question, but that's not it.
> I've already unbricked like 50 phones by exactly following tutorials and reading everything I could find.
> In the end, I just want to know what flashmode or fastboot mode depend on. I want to know which partitions I may mess up and which I may not mess up.
> My guess is I may do everything as long as I don't reflash the bootloader partition.
Ahh ok - so I bet @Bin4ry would be able to answer that question - either him or @Androxyde
@Kaffeetrinker
This thread by @munjeni used to contain much more detailed info about the S1 bootloader, but most of it can't be accessed right now.
Titokhan said:
> @Kaffeetrinker
> This thread by @munjeni used to contain much more detailed info about the S1 bootloader, but most of it can't be accessed right now.
Thank you very much! This thread gave me some words to google. Doing so, I found the information I needed
As soon as summer's over, the project can start.
To answer my own question in short: you can't hardbrick a Sony device as long as you don't mess with the bootloader.
Fota recoveries are completely separated from the actual ROM (although they can be updated together).
Fastboot relies neither on the Fota kernel nor on the system kernel.
As long as you do only regular rom developing and don't change the partition layout or mess in any other way with the bootloader partition, nothing should go wrong.
If you create an unbootable system kernel, you still can use your twrp. And if you create an unbootable TWRP, you can still get into the system.
If you mess up both, you still have got fastboot.

Sony bootloader exploits and/or bypass

Hi
I'm new to the forum but have been doing a fair amount of research. I am stuck now though and would like a bit of help.
My situation is that I have an Xperia XA1 Ultra (I know I should post in that device-specific forum but not much seems to be happening there). I have a very specific problem that I have treated like a forensics problem.
The phone is locked by a pattern which has been guessed by another person so many times that the gatekeeper only allows one entry per day provided the phone is charged otherwise the timer resets.
It has not been rooted and ADB is disabled.
I have connected to it through fastboot and what I can gather is that it is running Android Oreo.
The system details are as follows:
Product: XA1 Ultra G3221
Build Number: 48.1.A.0.129
Chipset: Mediatek MT6757 Helio P20
Bootloader: Locked
My research has led me to the possibility of loading a recovery image into the RAM of the phone and accessing ADB that way. I tried this with a TWRP image but obviously it didn't work. There is a company called Cellebrite that claims to be able to load its own boot/recovery image into the bootloader and gain entry that way, however the license is something like £10,000. I'm definitely not a commercial customer.
The final option for me would be to dump the memory via JTAG or chipoff, the contents would be encrypted but I found a blog where somebody had managed to find the location of the gesture.key file while the system was encrypted. I can't remember what the site was called though, it took me ages to find last time.
My main questions are: does Sony sign the boot image with its own keys or does it use the standard Android Verified Boot?
Does Sony reuse the same keys for signing across devices? Likely not but maybe
Is there a way to send specific instructions to the RAM via fastboot?
Does anybody know of an exploit that could be used?
Is there a way to extract the boot.img and recover the Sony keys?
If there are any other docs, resources or ways to get the data that could help, I will gladly read and/or try them. I think this forum is probably the biggest resource, but after a while the specific information needed gets harder to find.
The main thing is that I don't unlock the bootloader and flash anything. It's all got to be live and non data damaging.
I tried MTPwn on the off chance that it would work but nope, it was a no go.
If there was a way to utilise the mediatek exploit to gain entry from fastboot that would be excellent, or to use fastboot to dump the memory.
Thanks for reading, I hope someone can help.
Your thread was quite confusing at first as I wasn't sure what to look for exactly :/
That being said, you have your phone locked and you want to unlock it. However you don't want to flash or reset your device, you don't have root permission, you don't have debugger mode on and you don't want to unlock the bootloader, correct?
Basically you're asking for the impossible...
All I can think of is FROST attack. See article for details and source code.
You can also send your device to your nearest Sony service center and they can probably fix it with no memory loss.
Other than that, you MUST hard reset your phone if you want it back.
However should you come to your mind and realize the reality of the situation where you shouldn't be picky about it then you can start with flashing custom recovery. Or using third-party programs like dr.fone.
XDHx86 said:
Your thread was quite confusing at first as I wasn't sure what to look for exactly :/
That being said, you have your phone locked and you want to unlock it. However you don't want to flash or reset your device, you don't have root permission, you don't have debugger mode on and you don't want to unlock the bootloader, correct?
Basically you're asking for the impossible...
All I can think of is FROST attack. See article for details and source code.
You can also send your device to your nearest Sony service center and they can probably fix it with no memory loss.
Other than that, you MUST hard reset your phone if you want it back.
However should you come to your mind and realize the reality of the situation where you shouldn't be picky about it then you can start with flashing custom recovery. Or using third-party programs like dr.fone.
Thanks for getting back to me, yes I realise it is asking for the impossible. I'll have a research around that article and see if I can find some information on how to write the program to dump the contents over USB. I tried Dr Fone but that only gave me the option of a hard reset.
My current line of attack is an exploit over USB called OATmeal, whereby a Raspberry Pi is used over OTG with a filesystem label of "../../data", it allows the filesystem of the phone to be mounted and data written off. It is a little complex and so I am struggling a bit with getting it to work. The team over at Project Zero have a good write-up of it so I'm following that and the POC at exploit-db to guide me through it.
I think I will be able to get the USB part to work but I'm not sure if I have to write a Java file to automatically run when /data is mounted, or if that's even possible.
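The post above mentions a removable volume whose filesystem label is "../../data". As an added defensive example (not from the thread and not Android's own code), this Python shows why a device-supplied identifier joined onto a mount root escapes it, and the validation that rejects it; `MOUNT_ROOT`, the function names and the sample identifiers are assumptions constructed for illustration.

```python
import posixpath
import re

MOUNT_ROOT = "/mnt/media_rw"  # assumed mount root, chosen for this example

# Allow-list: characters seen in ordinary volume UUIDs/labels, no separators or dots.
_SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UnsafeVolumeId(ValueError):
    """Raised when a device-supplied identifier must not become a path."""


def naive_mount_path(volume_id: str) -> str:
    """Unsafe pattern: trusts whatever the attached device reports."""
    return posixpath.normpath(posixpath.join(MOUNT_ROOT, volume_id))


def safe_mount_path(volume_id: str) -> str:
    """Validate the identifier, then confirm the path stays directly under MOUNT_ROOT."""
    if not _SAFE_ID.fullmatch(volume_id):
        raise UnsafeVolumeId(f"rejected identifier: {volume_id!r}")
    candidate = posixpath.normpath(posixpath.join(MOUNT_ROOT, volume_id))
    # Defence in depth: containment still holds if the allow-list is loosened later.
    if posixpath.dirname(candidate) != MOUNT_ROOT:
        raise UnsafeVolumeId(f"path escapes {MOUNT_ROOT}: {candidate!r}")
    return candidate


def audit(volume_ids):
    """Return (identifier, naive path, accepted?) for each identifier."""
    report = []
    for vid in volume_ids:
        try:
            safe_mount_path(vid)
            accepted = True
        except UnsafeVolumeId:
            accepted = False
        report.append((vid, naive_mount_path(vid), accepted))
    return report


# Constructed sample identifiers; "../../data" is the label quoted in the post.
SAMPLE_IDS = ["1234-ABCD", "../../data", "/data", "a/../b", ""]

if __name__ == "__main__":
    for vid, naive, ok in audit(SAMPLE_IDS):
        print(f"{vid!r:14} naive -> {naive:24} accepted={ok}")
```

The naive join resolves the quoted label to `/data`, outside the mount root, while the validated version refuses it before any path is built.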
Forenzo said:
My current line of attack is an exploit over USB called OATmeal
Not to make you frustrated, but this is an old exploit and I highly doubt it'd work on your device, unless your device security patch is older than 9-2018.
And you can't rollback on your security patch.
You should really consider flashing TWRP or other custom recovery. You have no other option.
XDHx86 said:
Not to make you frustrated, but this is an old exploit and I highly doubt it'd work on your device, unless your device security patch is older than 9-2018.
And you can't rollback on your security patch.
You should really consider flashing TWRP or other custom recovery. You have no other option.
Fortunately the device hasn't been updated since around 2-2018 or 3-2018 so any exploit I can find from then onwards that I can use will be great. I really do get that the only realistic option is to unlock the bootloader and flash the recovery but the data needs to be recovered and I absolutely don't want to wipe it.
If I can't do it then it will gather dust until the end of time...
It seems that no matter what I say you won't realize the situation you are in.
I can only suggest to NEVER mess with the phone circuits or the motherboard. No matter which stupid YouTube tutorial you saw. Those guys are douchebags who only know how to get views and don't care for whatever you/they do to your device.
Needless to say messing with the circuits or the motherboard requires dexterity and experience which I'm positive you don't have.
As I said before if you send it to an authorized service center, then they can help you with it without memory loss.
Sending your device to a service center isn't an insult or an act of low self esteem. Service centers exist for a reason, and they're basically geeks who are too passionate about electronics and decided to make a living out of it.
Or maybe you can somehow use the EDL mode on the phone.
In Qualcomm devices the EDL mode is locked and can only be accessed by an authorized person who has the security code of your device. I don't know if it even exists in MTK devices.
Should you actually manage to boot into EDL mode - assuming it exists and is unlocked - then BEWARE: EDL mode is very low level and any command can directly affect the kernel or compromise the system. Don't use commands if you're not sure what they do.
You can use EDL mode to recover the data from the phone then wipe it clean, then restore the data.
You cannot access memory with EDL mode, but you can access the current image on your device. And from which you can get the key file.
EDL mode is a very very powerful tool (much more powerful than debugging, fastboot, or anything you may know of) as it doesn't need an unlocked bootloader to use it and through which you can do anything to your device including flashing other ROMs.
Good luck on your impossible quest. Make sure to post updates should you find yourself stuck.
