DEV ONLY - NAND access + Full Unlock for Lumia 710 & 800


donpromillo

Senior Member
Nov 26, 2011
74
16
What kind of filesystem is /dev/sdx9? I'm able to mount a saved dump of /dev/sdx3, but none of the fstypes work on the sdx9 dump. My aim is to have a closer look at the backup/restore process with Zune.

Regards

Donpromillo
 

biktor_gj

Senior Member
Jan 25, 2008
1,408
7,008
The fs is WMStore, at least for the first part. I tried to find a FAT/exFAT fs for userdata but afaik everything is stored in that format...
It's not mountable as is, but you can try to disassemble it with osbuilder's Dump Tool and see if you can find your files in there...

Sent from my GT-I9100 using XDA
 

donpromillo

Senior Member
Nov 26, 2011
74
16
The fs is WMStore, at least for the first part. I tried to find a FAT/exFAT fs for userdata but afaik everything is stored in that format...
It's not mountable as is, but you can try to disassemble it with osbuilder's Dump Tool and see if you can find your files in there...

Sent from my GT-I9100 using XDA

Thanks biktor_gj,

my idea behind the question is the following, and I would like to know if my assumptions are logical:

I discovered that in the backup process with Zune all data sent between the phone and the Zune PC is scrambled before it reaches the PC (I snooped the USB data stream and found that the beginning of the USB data stream is the same as the beginning of the stored files in the Zune backup folder).
So my assumption is that the scrambling of the backup is done by the phone. Furthermore, I can back up without any network connection, so everything needed must be present on the phone. If so, then if I'm able to identify the encryption process and its parameters, I should be able to decrypt the stored files in the Zune backup folder too, provided I were able to port that process to x86 procedures. And the last assumption: if I'm able to decrypt the backup files, it could be possible to edit these and re-encrypt the edited files. After that, they could be used to restore in the normal restore process using Zune.

Am I right?

DonPromillo
 

_Madmatt

Senior Member
Jul 3, 2009
801
113
It seems logical. This way we could make fake backups containing Interop Unlock. But I'm afraid there will also be some sort of signature in the backups...
 

donpromillo

Senior Member
Nov 26, 2011
74
16
But I'm afraid there will also be some sort of signature in the backups...

Yes, I also think that there is some sort of signature. In the very first part of data.0.dat you can find that the Microsoft Primitive Provider with AES and SHA1 is used to create a CBC stream, which is stored by Zune in the data.x.dat files. That means to me that either a static key is used to encrypt the CBC stream, or a certificate. If a static key is used, it should be possible to find it; if a cert is used, the private key for this cert must be stored on the phone, because I do not need a network connection to obtain a private key stored at MS sites to create a backup.

My first thought was that the cert "zune-tuner://windowsphone/UUID..." in my private cert store on my PC is used, but my attempts to decrypt the backup files weren't successful. But the explicit reference in the C:\Users\Myname\AppData\Local\Microsoft\Windows Phone Update\xxxxxxx - xxxxxxxx - xxxxxxxx - xxxxxxxxx\Properties\properties.xml to this cert must have a cause.

So if I'm able to identify the mechanism, either cert or static secret, and am able to export either the private key or the used secret, I should be able to create a valid signature for edited files too.

Regards
 

EmaTheLegend

Member
Mar 14, 2010
22
5
Parma
Use the text file I provided!
And download the firmware.

And I just checked! It's removed! ://

So if anyone has it, pls upload it! :/

http://nds2.fds-fire.nokia.com/p/d/...59J3G0_1600.2487.8107.12070_002_signature.bin
http://nds2.fds-fire.nokia.com/p/d/...801_12w07_prod_euro1_rawprogram0_skip_DPP.xml
http://nds2.fds-fire.nokia.com/p/d/...w07_prod_euro1_nokia_rawprogram0_skip_DPP.xml
http://nds2.fds-fire.nokia.com/p/d/fds_fire/1203/0822/6990180545/RM801_12w07_prod_euro1_flash.bat
http://nds2.fds-fire.nokia.com/p/d/...185529/RM801_12w07_prod_euro1_nokia_flash.bat
http://nds2.fds-fire.nokia.com/p/d/...90185533/RM801_12w07_prod_euro1_partition.xml
http://nds2.fds-fire.nokia.com/p/d/...185534/RM801_12w07_prod_euro1_rawprogram0.xml
http://nds2.fds-fire.nokia.com/p/d/.../RM801_12w07_prod_euro1_nokia_rawprogram0.xml
http://nds2.fds-fire.nokia.com/p/d/fds_fire/1203/0822/6990180543/RM801_12w07_prod_euro1_dirs
http://nds2.fds-fire.nokia.com/p/d/...37/RM801_059J3G0_1600.2487.8107.12070_002.vpl
http://nds2.fds-fire.nokia.com/p/d/fds_fire/1203/0822/6990185532/RM801_12w07_prod_euro1_oem.sku.xml
http://nds2.fds-fire.nokia.com/p/d/fds_fire/1203/0822/6990180544/RM801_12w07_prod_euro1_env.txt
http://nds2.fds-fire.nokia.com/p/d/fds_fire/1203/0822/6990177230/RM801_12w07_prod_euro1.img
http://nds2.fds-fire.nokia.com/p/d/fds_fire/1203/0822/6990178910/RM801_12w07_prod_euro1.esco
http://nds2.fds-fire.nokia.com/p/d/fds_fire/1203/0822/6990180546/RM801_12w07_prod_euro1_flash.ffu
http://nds2.fds-fire.nokia.com/p/d/...56/RM801_12w07_prod_euro1_flash_fullmodem.ffu
http://nds2.fds-fire.nokia.com/p/d/...0183913/RM801_12w07_prod_euro1_FlashClean.ffu

Edit: files still download

download it asap!

MIRROR :

http://www.mediafire.com/?x2484s5y64lb1
 

_Madmatt

Senior Member
Jul 3, 2009
801
113
In the very first part of data.0.dat you can find that the Microsoft Primitive Provider with AES and SHA1 is used to create a CBC stream, which is stored by Zune in the data.x.dat files. That means to me that either a static key is used to encrypt the CBC stream, or a certificate. If a static key is used, it should be possible to find it; if a cert is used, the private key for this cert must be stored on the phone, because I do not need a network connection to obtain a private key stored at MS sites to create a backup.

True, my guess is that it should be a static key, because you should be able to restore your phone with the backup. If the cert is on the phone and you put your phone in an unusable state, the cert may be deleted as well and the backup is useless. Just some thoughts though.

My first thought was that the cert "zune-tuner://windowsphone/UUID..." in my private cert store on my PC is used, but my attempts to decrypt the backup files weren't successful. But the explicit reference in the C:\Users\Myname\AppData\Local\Microsoft\Windows Phone Update\xxxxxxx - xxxxxxxx - xxxxxxxx - xxxxxxxxx\Properties\properties.xml to this cert must have a cause.

I think this is just some sort of identifier for the device. If you look at the name of the node in the XML document it is called DeviceUrlId.

I found that the backup consists of blocks of 4194328 bytes (every .dat file has this size, except the last one). So it would be very difficult to change the contents of the ROM, because it is just split into pieces and every piece has a hash (Data.x.dat.hash). If you wanted to change the contents, you would have to be careful with the split data, and you would have to generate a new hash for each piece.

Then there is also the C:\Users\MyName\AppData\Local\Microsoft\Windows Phone Update\xxxxxxxx - xxxxxxxx - xxxxxxxx - xxxxxxxx\RestorePoint\XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\Data\Manifest.xml file, which contains data about every Data.x.dat file. It contains the size and the index in the ROM (every DAT has an index, as they are split into pieces). There is also a DibrVersion key for every Data.x.dat file, but I have no clue what this could be...
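The post above describes the backup as a stream cut into 4194328-byte pieces, each with its own hash and a manifest entry carrying size and index. The following model of that layout is an added example, not code from the thread, from Zune or from any Microsoft tool; it assumes SHA-1 for the per-piece hash (the thread mentions SHA1 but never shows the Data.x.dat.hash format) and a manifest record with exactly the fields named in the post. It shows how a verifier spots a damaged, missing or extra piece, and why "being careful with the split data" matters: an in-place byte change touches one piece, while inserting a single byte shifts and therefore changes every later piece.

```python
"""Model of a chunked backup with per-piece hashes and a manifest.

Added example, not code from the thread or from Zune. Assumptions: pieces of
4194328 bytes as observed in the thread, SHA-1 as the per-piece digest (the
real Data.x.dat.hash format is unknown), and manifest records of index, size
and hash. All sample data is constructed inline.
"""
import hashlib
from typing import Dict, List

PIECE_SIZE = 4194328  # size of every Data.x.dat except the last, as observed in the thread


def split_backup(blob: bytes) -> List[bytes]:
    """Cut a backup stream into PIECE_SIZE pieces; only the last one may be shorter."""
    return [blob[i:i + PIECE_SIZE] for i in range(0, len(blob), PIECE_SIZE)]


def piece_hash(piece: bytes) -> str:
    # Assumption: a SHA-1 hex digest stands in for the unknown Data.x.dat.hash format.
    return hashlib.sha1(piece).hexdigest()


def build_manifest(pieces: List[bytes]) -> List[Dict]:
    """Per-piece records a manifest would carry: index, size and hash."""
    return [{"index": i, "size": len(p), "hash": piece_hash(p)}
            for i, p in enumerate(pieces)]


def verify_backup(pieces: List[bytes], manifest: List[Dict]) -> List[int]:
    """Return the indices of pieces that do not match the manifest (empty list = intact)."""
    bad = []
    for rec in manifest:
        i = rec["index"]
        if i >= len(pieces):
            bad.append(i)  # listed in the manifest but missing on disk
            continue
        if len(pieces[i]) != rec["size"] or piece_hash(pieces[i]) != rec["hash"]:
            bad.append(i)
    bad.extend(range(len(manifest), len(pieces)))  # on disk but never listed
    return bad


def changed_pieces(old_blob: bytes, new_blob: bytes) -> List[int]:
    """Indices whose hash differs between two versions of the stream.

    An in-place byte change touches one piece; inserting or removing even one
    byte shifts every later piece, so all of their hashes change too.
    """
    old_m = build_manifest(split_backup(old_blob))
    new_m = build_manifest(split_backup(new_blob))
    return [i for i in range(max(len(old_m), len(new_m)))
            if i >= len(old_m) or i >= len(new_m) or old_m[i]["hash"] != new_m[i]["hash"]]


def demo() -> Dict[str, List[int]]:
    """Constructed stream: two full pieces plus a 100-byte tail (not real backup data)."""
    original = (b"constructed backup stream " * (2 * PIECE_SIZE // 26 + 50))[:2 * PIECE_SIZE + 100]
    manifest = build_manifest(split_backup(original))

    flipped = bytearray(original)
    flipped[PIECE_SIZE + 5] ^= 0xFF  # one byte changed inside piece 1
    inserted = original[:PIECE_SIZE + 10] + b"X" + original[PIECE_SIZE + 10:]  # one byte inserted in piece 1
    truncated = split_backup(original)[:2]  # last piece missing

    return {
        "clean": verify_backup(split_backup(original), manifest),
        "byte_flip": verify_backup(split_backup(bytes(flipped)), manifest),
        "insert": changed_pieces(original, inserted),
        "truncated": verify_backup(truncated, manifest),
    }


if __name__ == "__main__":
    print(demo())
```

One design point this makes visible: hashes stored next to the data only detect accidental damage. Anyone who can rewrite a piece can rewrite its .hash file as well, so the integrity of the whole set rests on whatever protects the manifest (a signature or a MAC under a key the PC does not hold), which is exactly the open question in the thread.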
 

Briefcase

Senior Member
Nov 10, 2009
185
43
Yes, I also think that there is some sort of signature. In the very first part of data.0.dat you can find that the Microsoft Primitive Provider with AES and SHA1 is used to create a CBC stream, which is stored by Zune in the data.x.dat files. That means to me that either a static key is used to encrypt the CBC stream, or a certificate. If a static key is used, it should be possible to find it; if a cert is used, the private key for this cert must be stored on the phone, because I do not need a network connection to obtain a private key stored at MS sites to create a backup.

My first thought was that the cert "zune-tuner://windowsphone/UUID..." in my private cert store on my PC is used, but my attempts to decrypt the backup files weren't successful. But the explicit reference in the C:\Users\Myname\AppData\Local\Microsoft\Windows Phone Update\xxxxxxx - xxxxxxxx - xxxxxxxx - xxxxxxxxx\Properties\properties.xml to this cert must have a cause.

So if I'm able to identify the mechanism, either cert or static secret, and am able to export either the private key or the used secret, I should be able to create a valid signature for edited files too.

Regards

Good thought!! As phone backups are unique to the phone that made them (you cannot take a backup made on phone #1 and restore it to phone #2, even if both are, for example, Lumia 800s), I think there is no static certificate. Each phone stores its own unique certificate to encrypt the data. It is true that Zune only handles the encrypted stream of data; the phone does the encryption, I read that over here some while ago :). Best of luck!
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
Yes, I also think that there is some sort of signature. In the very first part of data.0.dat you can find that the Microsoft Primitive Provider with AES and SHA1 is used to create a CBC stream, which is stored by Zune in the data.x.dat files. That means to me that either a static key is used to encrypt the CBC stream, or a certificate. If a static key is used, it should be possible to find it; if a cert is used, the private key for this cert must be stored on the phone, because I do not need a network connection to obtain a private key stored at MS sites to create a backup.

My first thought was that the cert "zune-tuner://windowsphone/UUID..." in my private cert store on my PC is used, but my attempts to decrypt the backup files weren't successful. But the explicit reference in the C:\Users\Myname\AppData\Local\Microsoft\Windows Phone Update\xxxxxxx - xxxxxxxx - xxxxxxxx - xxxxxxxxx\Properties\properties.xml to this cert must have a cause.

So if I'm able to identify the mechanism, either cert or static secret, and am able to export either the private key or the used secret, I should be able to create a valid signature for edited files too.

Regards

The device unique certs are stored in the MY-store on the WP7-device. They are refreshed about once a month (when they expire). There is a total of 4 certs in the MY-store. They are for different device-unique purposes. One of them is a zune-tuner cert.

Ciao,
Heathcliff74
 

donpromillo

Senior Member
Nov 26, 2011
74
16
I think this is just some sort of identifier for the device. If you look at the name of the node in the XML document it is called DeviceUrlId.

No, this is a certificate with a private key that could be used to encrypt something. Normally the private key of that cert is not marked as exportable, so you can use this cert only on one computer, because you cannot move the private key. I found a tool to export the private key as a first step. Now I'm searching for information about the structure of the imgfs (which seems to be used in the backup file and in the dump of sdx9) and how to extract those containers into a usable structure like directories and files.
My attempts using OSBuilder and IMGFSTOOLS 2.1rc failed - any hints here?
 

meLIanTQ

Senior Member
Mar 4, 2010
292
4
40
Seine Maritime
No, this is a certificate with a private key that could be used to encrypt something. Normally the private key of that cert is not marked as exportable, so you can use this cert only on one computer, because you cannot move the private key. I found a tool to export the private key as a first step. Now I'm searching for information about the structure of the imgfs (which seems to be used in the backup file and in the dump of sdx9) and how to extract those containers into a usable structure like directories and files.
My attempts using OSBuilder and IMGFSTOOLS 2.1rc failed - any hints here?

http://xdaforums.com/showpost.php?p=4749679&postcount=1
http://xdaforums.com/showpost.php?p=21708282&postcount=1

I put the 'cecompr_nt.dll' from FFUParttool_v.1.3.1 in the bin folder of xidump_v1.0_beta, and the dump of RM801_12w07_prod_euro1_FlashClean.ffu worked; I see a lot of files ... don't know if it helps you
 

donpromillo

Senior Member
Nov 26, 2011
74
16
http://xdaforums.com/showpost.php?p=4749679&postcount=1
http://xdaforums.com/showpost.php?p=21708282&postcount=1

I put the 'cecompr_nt.dll' from FFUParttool_v.1.3.1 in the bin folder of xidump_v1.0_beta, and the dump of RM801_12w07_prod_euro1_FlashClean.ffu worked; I see a lot of files ... don't know if it helps you

Thanks, I tried this, but xidump crashes on my w7_x64. All other tools I tried weren't able to extract the imgfs part from a dump of partition 9. I do not know if it's really necessary to extract the dump, but I thought it would be easier to understand the file and folder organization on the phone and so be better prepared to explore the Zune backup files.

Regards

---------- Post added at 04:56 PM ---------- Previous post was at 04:44 PM ----------

The device unique certs are stored in the MY-store on the WP7-device. They are refreshed about once a month (when they expire). There is a total of 4 certs in the MY-store. They are for different device-unique purposes. One of them is a zune-tuner cert.

Ciao,
Heathcliff74

Hi Heathcliff74,

are the certs on the phone refreshed every month with a new private key, or refreshed using the same private key? If the latter is correct, then there is a chance that a cert is part of the backup encryption. If the private key changes, then that would imply that this is not part of the backup encryption, because every backup older than the current certificate would become undecryptable when the private key changes and no "master key" exists.
Regards

DonPromillo
 

Top Liked Posts

  • 81
    UPDATE: First custom rom with Interop Unlock flashed successfully. Requires hard reset after installing and an unlocked bootloader. See post for proof:
    http://xdaforums.com/showpost.php?p=24818275&postcount=242
    BIG THANK YOU TO ULTRASHOT!
    Without you I couldn't have done it!
    NOTICE: Testing full unlock (XIP unlock etc) with ultrashot. Will post new files as soon as I get a working build which doesn't get stucked on boot ;)

    Disclaimer:
    I AM NOT RESPONSIBLE IF YOU LOSE DATA, BREAK YOUR PHONE, OR SET YOUR HOUSE ON FIRE. DO THIS AT YOUR OWN RISK. BTW, REQUIRES A HARD RESET SO YOU WILL LOSE ALL THE DATA IN YOUR PHONE BY FLASHING THIS. IF UNSURE, DON'T DO IT.
    PLEASE STOP PM'ING ME FOR HELP, I CAN'T REPLY 20 PMS/HR. Please use the forum, maybe someone can create a discussion topic to help others and leave this for links and development. Thank you very much!

    PLEASE STOP SENDING ME PMS ASKING FOR HELP AND USE THE DEDICATED THREAD
    THIS THREAD IS FOR DEVELOPMENT ONLY, PLEASE RESPECT THAT AND USE THE Q&A THREAD FOR YOUR QUESTIONS.
    LINKS:
    Lumia 800: Full Unlock
    New firmware: May 16, 2012 (removed foursquare and stuff)
    sdb3.rar: Flash it to PARTITION #3. It contains 12070's amss & adsp. Not absolutely required but if you have an older version this should give you better battery life.
    http://www.mediafire.com/?kwjladlgvq81rha
    OS-NEW:
    As always, flash it to PARTITION #9.
    Part1: http://www.mediafire.com/?21by2oj7acnhkhw
    Part2: http://www.mediafire.com/?wkeduvp9l4199qh
    Part3: http://www.mediafire.com/?cnbkms40dy4y06z
    Part4: http://www.mediafire.com/?rabunpmnaqclq3o
    Complete Mediafire folder access: http://www.mediafire.com/?uo2dqcl34b9cy
    ___________________
    Alternate ROM with Full Unlock + Some apps:
    Part1: http://www.mediafire.com/?8gnqm418v32im3e
    Part2: http://www.mediafire.com/?bgtg2t5infrnua1
    Part3: http://www.mediafire.com/?l0sl5hbr0v9gfi1
    Part4: http://www.mediafire.com/?emt2dfswdhn0z0w
    Apps preinstalled:
    DS Supertool
    File Deployer
    Metro Theme
    WebServer
    WinTT
    WM Device Center
    WP7 Root Tool

    ___________________
    Lumia 710: Interop Unlock (no full unlock yet)
    ROM Based on: RM803_059N2L6_1600.3015.8107.12070_010
    Mediafire folder access: http://www.mediafire.com/?9z6og65ozgrnr
    http://www.mediafire.com/download.php?d3bj3dkfbffbakn
    http://www.mediafire.com/download.php?l35zjaebdrsm315
    http://www.mediafire.com/download.php?ys5bapu8ubezybo
    http://www.mediafire.com/download.php?tnadd4uuoxhatv3
    CAUTION: I don't have a 710, so these images AREN'T TESTED. Use at your own risk. Be careful, people are reporting problems with this rom.
    Full Unlock Image for Lumia 710 by lucifer3006 -BE CAREFUL, IT HAS BUGS, FOR TESTING PURPOSES ONLY- (thanks ultrashot & lucifer3006): http://www.mediafire.com/?p3318y5l19abb

    You have a mirror of all the stuff on mediafire on xdafil.es: http://xdafil.es
    Thank you mousey_!

    PLEASE DO A FULL BACKUP OF THE NAND BEFORE PLAYING AROUND.
    If you are developing fixes for the bootloader 'problem', feel free to grab a copy of the rest of partitions and stuff I posted over this thread here: http://www.mediafire.com/?kknt4lnc3tn7w


    INSTRUCTIONS:
    Requires an unlocked bootloader (a.k.a. qualcomm development bootloader).
    Easy to check: Turn the phone OFF, then press and hold VOLUME UP + POWER until you notice a short vibration. Plug in to the computer. If the phone turns up in disk mode (USB Mass Storage Device), then you have an unlocked bootloader. IF you're in Windows, it will ask if you want to format the disk. SAY NO OR IT WILL EXPLODE (it won't explode but you might break it)
    If the device detected by the computer is Nokia DLOAD you have a locked bootloader and you're out of luck, at least for now.

    I used 'dd' in Linux, I guess you can do it with the Windows version too (http://www.chrysocome.net/dd) but it's more involved to find the appropriate partition:
    dd if=./os-new.nb of=/dev/sdX9
    Where X is the disk detected by your linux distribution.
    After that, you'll need to hard reset the phone. Hold Power button for 10 seconds to exit Qualcomm's disk mode, and press and hold POWER+VOLUMEDOWN+CAMERA until you feel the phone vibrate. After that, RELEASE power button but KEEP HOLDING volume down + camera for five or more seconds. This will trigger the hard reset.

    Now time to play with bootloaders and try to get this to work for everyone!

    If you like my work and want to donate for a beer (or two), follow this link
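The instructions above write an image straight to partition 9 with dd and, elsewhere in the post, insist on a full NAND backup first. The script below is an added example, not the thread author's tooling and not part of any Nokia or Qualcomm software; it assumes the caller passes the device node the thread calls /dev/sdX9 (an ordinary file stands in for it in the demo) and that the partition can be read like a file. It performs the two checks a practitioner wants before running dd: the backup is re-read and hashed so you know it actually matches the partition, and the image is refused if it is larger than the partition it is meant for.

```python
"""Pre-flash checks for the dd step: verified backup, image fits the partition.

Added example; not the thread's own tooling. Assumptions: the device node (or
a stand-in file) is passed by the caller, the partition reads like a file, and
an image larger than the partition is rejected. Nothing here writes to a device.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Tuple

CHUNK = 1024 * 1024


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def device_size(path: str) -> int:
    # os.path.getsize reports 0 for a block device, so seek to the end instead.
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        return f.tell()


def backup_partition(dev: str, out: str) -> Tuple[int, str]:
    """Copy dev to out; return (size, sha256) only if the copy re-reads identically."""
    with open(dev, "rb") as src, open(out, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    size, digest = device_size(dev), sha256_of(dev)
    if os.path.getsize(out) != size or sha256_of(out) != digest:
        raise RuntimeError("backup does not match the partition; do not flash")
    return size, digest


def image_fits(image: str, dev: str) -> bool:
    """True when the image is no larger than the partition it is meant for."""
    return os.path.getsize(image) <= device_size(dev)


def preflight(image: str, dev: str, backup: str) -> bool:
    """Everything the post asks for before dd: a verified backup and an image that fits."""
    backup_partition(dev, backup)
    return image_fits(image, dev)


def demo() -> dict:
    """Constructed stand-in for the phone: a 3 MiB + 17 byte file; no real device is touched."""
    d = tempfile.mkdtemp()
    dev = os.path.join(d, "fake_sdX9")
    with open(dev, "wb") as f:
        f.write(b"\x5a" * (3 * 1024 * 1024 + 17))
    ok_img = os.path.join(d, "fits.nb")
    big_img = os.path.join(d, "too_big.nb")
    with open(ok_img, "wb") as f:
        f.write(b"\x00" * (2 * 1024 * 1024))
    with open(big_img, "wb") as f:
        f.write(b"\x00" * (4 * 1024 * 1024))
    backup = os.path.join(d, "partition9-backup.bin")
    size, digest = backup_partition(dev, backup)
    result = {
        "backup_size": size,
        "backup_matches_device": digest == sha256_of(backup),
        "ok_image_fits": preflight(ok_img, dev, backup),
        "big_image_fits": preflight(big_img, dev, backup),
    }
    shutil.rmtree(d)
    return result


if __name__ == "__main__":
    print(demo())
```

On a real Linux box you would run it with the partition node as dev (reading a block device needs root) and keep the returned digest with the backup file, so that a later restore can be checked the same way before it is trusted.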
    22
    I'd suggest renaming one of the colors. Would be great if it was possible to interop the phone without losing data.

    Well, you can always make a backup and then restore via zune. The thing is the dumped OS is about 600Mb, the generated image is 378Mb. I don't know how it will reside on the flash, you could always check where the flash starts to get filled with zeros and clean it up before the first boot... If they had done it right and separated user data from the main OS we wouldn't have this problem...

    INTEROP UNLOCK ACHIEVED!

    Now time for a nice beeer ;)
    I'll put mediafire to work and upload the image I just did. Everyone who has an unlocked bootloader: after you flash this to the phone, DO A HARD RESET, otherwise it will get stuck on 'Installing Applications'
    12
    Hey everyone,

    I was hoping to be able to crack Nokia's osbl, but time already ran out and I wasn't able to get it. So sorry, guys, but I had to return both Lumias. It's been a fun month, and at least I helped getting custom roms for at least some of you.

    I'll be uploading here all the files I have on my computer so anyone can mirror them or use them for whatever you might need. If I can help you with something else (development related please) feel free to drop me a PM.

    Once again big thank you to Ultrashot, Beidl, Xsacha, cdbase, ceesheim, HeathCliff & everyone that helped out with this. Now back to my (almost) forgotten Galaxy S2 & to try Boot 2 Gecko and see what progress has been done since the last time I checked :)
    8
    Btw, here is my DppImplant app.
    Implants DPP partition with your stock Live Id to a custom rom.
    Usage:
    1) Put backup of the biggest partition to the folder with DppImplant.exe and call it "stock.nb"
    2) Put "os-new.nb" there - target firmware in which you want to see your old Live Id.
    3) Open DppImplant.exe. It will extract DPP from stock.nb and create mydpp.bin file. (After that you won't really need to have stock.nb in that folder).
    "os-new.nb" will be patched.
    4) Done.

    P.S. if you open DPP using Notepad or any hex editor, you'll see saved Live Id.
    6
    Ok L710 fully unlocked :)
    Those 2 parts are wrong. I used to narod.ru

    ---------- Post added at 07:29 PM ---------- Previous post was at 06:40 PM ----------
    http://www.youtube.com/watch?v=-rQbFp7yasc


    CAN WE KEEP THIS FOR DEVELOPMENT ONLY PLEEEEEEEEEEEEEASSSEEEEE?

    Gift from our friends at Qualcomm:

    Full AMSS firmware + Secboot Sources (Qualcomm loader)! Grab it while it's hot!

    http://www.mediafire.com/?ir2h15f663ja6wc