DEV ONLY - NAND access + Full Unlock for Lumia 710 & 800


donpromillo

Senior Member
Nov 26, 2011
I searched a bit in rom-files and found OEM_7x30_MODEM.cab. It contains a file "modem" which seems interesting in 2 ways.

First:

I'm a lazy man and an enthusiast of analogies, and I think that developers at Microsoft are lazy too and reuse code: is it possible that the procedure to pack the data for modem into one file and encrypt it is the same as in the backup procedure? Look at the file, which starts with an XML part describing the encryption algorithm for the payload.


Code:
<?xml version="1.0" encoding="UTF-8"?>
<SSD_METADATA>
<MD_SIGN>
    <MD_VERSION>1.3</MD_VERSION>
    <MFG_ID></MFG_ID>
    <SW_VERSION></SW_VERSION>
    <IEK_ENC_INFO>
        <IEK_ENC_METHOD>RSA-1024</IEK_ENC_METHOD>
        <IEK_ENC_PADDING_TYPE>PKCS#1-V1.5</IEK_ENC_PADDING_TYPE>
        <IEK_ENC_PUB_KEY_ID>NFam5Ryq2eM2EQ04EqlMEm2sppaxqh2kbc68ggJmfdM=</IEK_ENC_PUB_KEY_ID>
        <IEK_CIPHER_VALUE>Ci8igrQ69DQ/CqfRenEqrqrJHLU5dUgNMolOQS3irzQjuHY9CdybeWy+ThIafiok1ZD5qgsbb4n96lR13c3k+NkYAbnd7xi5sib1aIbqLOg2AKHH5rtclTp8GGzessaflPivkQH3AVoEL5fMfYpJYPULCFVOn1EwaKQBt/SFY4E=</IEK_CIPHER_VALUE>
    </IEK_ENC_INFO>
    <IMG_ENC_INFO>
        <IMG_ENC_METHOD>AES-128-ENCRYPT</IMG_ENC_METHOD>
        <IMG_ENC_PADDING_TYPE>RFC_2630</IMG_ENC_PADDING_TYPE>
        <IMG_ENC_OPERATION_MODE>CBC_MODE</IMG_ENC_OPERATION_MODE>
        <IMG_ENC_IV>2ZQOB2U6lZ9ky84o7qOW0w==</IMG_ENC_IV>
        <IMG_ENC_IMG_SIZE>23112352</IMG_ENC_IMG_SIZE>
    </IMG_ENC_INFO>
    <IMG_HASH_INFO>
        <IMG_HASH_METHOD>SHA-256</IMG_HASH_METHOD>
        <IMG_HASH_VALUE>V8G3czcnj/2wd5ZejWtsgQto+4qX2zQ77iWFBKEja1A=</IMG_HASH_VALUE>
    </IMG_HASH_INFO>
    <MD_SIG_INFO>
        <MD_SIG_DGST_METHOD>SHA-256</MD_SIG_DGST_METHOD>
        <MD_SIG_METHOD>RSA-1024</MD_SIG_METHOD>
        <MD_SIG_PADDING_TYPE>PKCS#1-V1.5</MD_SIG_PADDING_TYPE>
        <MD_SIG_OEM_PUB_KEY_ID>XKCYyiLufvHyG1NqylHXl/rwfPecv57Q/8r4qvrfB60=</MD_SIG_OEM_PUB_KEY_ID>
    </MD_SIG_INFO>
</MD_SIGN>
<MD_SIGNATURE>j0F3B6ERPOg8olsz9rhM2ypdRZYxwcWgtN+X4FSLZFB9Trhsq9irpuAxkXWignKMGC0T5iJ3dEnd1S02SHucUI6wCmOkbzecvvbWIubotptMC4Xi6llaS9odtkZyLPH7ujDxe3c/iURyiIyF0qg7ivUP4fD5qpsPfFCuQiHL7sc=</MD_SIGNATURE>
</SSD_METADATA>


Second (this is a guess, inspired by the ver.ver file, which has 7.35.00 in it, exactly like the bootloader version):

The packed and encrypted parts of "modem" are unpacked to partition sdx3 on the Lumia as adsp.mbn, amss.mbn and emmcboot.mbn, which could be the boot modes called when a backup/restore runs.
So my question is: could someone with a fully unlocked Lumia search through the files on the phone for a similar XML file containing configuration for image encryption, and see what programs or processes call them?
 
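To make the structure of that header concrete, here is an added example (my own code, not from the post and not Nokia's or Microsoft's) that parses the SSD_METADATA block from the start of such a file, decodes the base64 fields and checks that each field's length matches the algorithm it declares (128-byte RSA-1024 values, a 16-byte CBC IV, a 32-byte SHA-256 digest). The sample header is the one quoted in the post with whitespace collapsed; the function and dictionary key names are mine, and which key id the phone would need to unwrap the AES key is only identified by the header, not contained in it.

```python
import base64
import xml.etree.ElementTree as ET

# Raw lengths implied by the algorithm names used in the header.
RSA_MODULUS_BYTES = {"RSA-1024": 128, "RSA-2048": 256}
DIGEST_BYTES = {"SHA-1": 20, "SHA-256": 32}
AES_BLOCK = 16

# Header from the post above with whitespace collapsed; the encrypted payload that
# follows it in the real "modem" file is not reproduced here.
SAMPLE_HEADER = b"""<?xml version="1.0" encoding="UTF-8"?>
<SSD_METADATA><MD_SIGN><MD_VERSION>1.3</MD_VERSION><MFG_ID></MFG_ID><SW_VERSION></SW_VERSION>
<IEK_ENC_INFO><IEK_ENC_METHOD>RSA-1024</IEK_ENC_METHOD><IEK_ENC_PADDING_TYPE>PKCS#1-V1.5</IEK_ENC_PADDING_TYPE>
<IEK_ENC_PUB_KEY_ID>NFam5Ryq2eM2EQ04EqlMEm2sppaxqh2kbc68ggJmfdM=</IEK_ENC_PUB_KEY_ID>
<IEK_CIPHER_VALUE>Ci8igrQ69DQ/CqfRenEqrqrJHLU5dUgNMolOQS3irzQjuHY9CdybeWy+ThIafiok1ZD5qgsbb4n96lR13c3k+NkYAbnd7xi5sib1aIbqLOg2AKHH5rtclTp8GGzessaflPivkQH3AVoEL5fMfYpJYPULCFVOn1EwaKQBt/SFY4E=</IEK_CIPHER_VALUE></IEK_ENC_INFO>
<IMG_ENC_INFO><IMG_ENC_METHOD>AES-128-ENCRYPT</IMG_ENC_METHOD><IMG_ENC_PADDING_TYPE>RFC_2630</IMG_ENC_PADDING_TYPE>
<IMG_ENC_OPERATION_MODE>CBC_MODE</IMG_ENC_OPERATION_MODE><IMG_ENC_IV>2ZQOB2U6lZ9ky84o7qOW0w==</IMG_ENC_IV>
<IMG_ENC_IMG_SIZE>23112352</IMG_ENC_IMG_SIZE></IMG_ENC_INFO><IMG_HASH_INFO><IMG_HASH_METHOD>SHA-256</IMG_HASH_METHOD>
<IMG_HASH_VALUE>V8G3czcnj/2wd5ZejWtsgQto+4qX2zQ77iWFBKEja1A=</IMG_HASH_VALUE></IMG_HASH_INFO>
<MD_SIG_INFO><MD_SIG_DGST_METHOD>SHA-256</MD_SIG_DGST_METHOD><MD_SIG_METHOD>RSA-1024</MD_SIG_METHOD>
<MD_SIG_PADDING_TYPE>PKCS#1-V1.5</MD_SIG_PADDING_TYPE><MD_SIG_OEM_PUB_KEY_ID>XKCYyiLufvHyG1NqylHXl/rwfPecv57Q/8r4qvrfB60=</MD_SIG_OEM_PUB_KEY_ID></MD_SIG_INFO></MD_SIGN>
<MD_SIGNATURE>j0F3B6ERPOg8olsz9rhM2ypdRZYxwcWgtN+X4FSLZFB9Trhsq9irpuAxkXWignKMGC0T5iJ3dEnd1S02SHucUI6wCmOkbzecvvbWIubotptMC4Xi6llaS9odtkZyLPH7ujDxe3c/iURyiIyF0qg7ivUP4fD5qpsPfFCuQiHL7sc=</MD_SIGNATURE></SSD_METADATA>"""


def _text(node, path):
    child = node.find(path)
    return (child.text or "").strip() if child is not None else ""


def parse_ssd_metadata(blob):
    """Parse the SSD_METADATA header at the start of blob; base64 fields come back decoded."""
    end_tag = b"</SSD_METADATA>"
    end = blob.index(end_tag) + len(end_tag)
    root = ET.fromstring(blob[:end])
    sign = root.find("MD_SIGN")
    def b64(path):
        return base64.b64decode(_text(sign, path))
    return {
        "iek_method": _text(sign, "IEK_ENC_INFO/IEK_ENC_METHOD"),
        "iek_key_id": b64("IEK_ENC_INFO/IEK_ENC_PUB_KEY_ID"),  # names the RSA key, does not contain it
        "iek_cipher": b64("IEK_ENC_INFO/IEK_CIPHER_VALUE"),  # the AES image key, RSA-wrapped
        "img_mode": _text(sign, "IMG_ENC_INFO/IMG_ENC_OPERATION_MODE"),
        "img_iv": b64("IMG_ENC_INFO/IMG_ENC_IV"),
        "img_size": int(_text(sign, "IMG_ENC_INFO/IMG_ENC_IMG_SIZE")),
        "hash_method": _text(sign, "IMG_HASH_INFO/IMG_HASH_METHOD"),
        "hash_value": b64("IMG_HASH_INFO/IMG_HASH_VALUE"),
        "sig_method": _text(sign, "MD_SIG_INFO/MD_SIG_METHOD"),
        "signature": base64.b64decode(_text(root, "MD_SIGNATURE")),
        "payload_offset": end,  # where the encrypted image should begin in the file
    }


def check_consistency(meta):
    """Mismatches between declared algorithms and field lengths; an empty list means consistent."""
    problems = []
    def expect(name, value, want):
        if want is None:
            problems.append(f"{name}: unknown algorithm")
        elif len(value) != want:
            problems.append(f"{name}: {len(value)} bytes, expected {want}")
    expect("IEK_CIPHER_VALUE", meta["iek_cipher"], RSA_MODULUS_BYTES.get(meta["iek_method"]))
    expect("MD_SIGNATURE", meta["signature"], RSA_MODULUS_BYTES.get(meta["sig_method"]))
    expect("IMG_HASH_VALUE", meta["hash_value"], DIGEST_BYTES.get(meta["hash_method"]))
    if meta["img_mode"] == "CBC_MODE":  # CBC needs exactly one block of IV
        expect("IMG_ENC_IV", meta["img_iv"], AES_BLOCK)
    return problems


def rfc2630_padded_len(plain_len):
    """Ciphertext length for plain_len bytes under RFC 2630 (PKCS#7) padding in CBC mode."""
    return (plain_len // AES_BLOCK + 1) * AES_BLOCK
```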

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
Hi Heathcliff74,

Are the certs on the phone refreshed every month with a new private key, or refreshed using the same private key? If the latter is correct, then there is a chance that a cert is part of the backup encryption. If the private key changes, that would mean this is not part of the backup encryption, because every backup older than the current certificate would become undecryptable when the private key changes and no "master key" exists.
Regards

DonPromillo

I think these certs have only a public part. The encoding and decoding of the backup are probably working by getting the appropriate certs from an MSFT server at the start of a backup or restore action. The public certs are only for talking properly with different MSFT servers. I have not investigated this. This is just my educated guess. Maybe, if I have time, I will look into it later. If you have any specific questions that I may be able to answer, just ask.

Heathcliff74
 

Briefcase

Senior Member
Nov 10, 2009
I think these certs have only a public part. The encoding and decoding of the backup are probably working by getting the appropriate certs from an MSFT server at the start of a backup or restore action. The public certs are only for talking properly with different MSFT servers. I have not investigated this. This is just my educated guess. Maybe, if I have time, I will look into it later. If you have any specific questions that I may be able to answer, just ask.

Heathcliff74

A few posts earlier he said he could make a backup without a network connection (unplugging the cable). This would mean the certs do have the private parts included?
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
Thanks biktor_gj,

My idea behind the question is the following, and I would like to know if my assumptions are logical:

I discovered that in the backup process with Zune, all data sent between the phone and the Zune PC is scrambled before it reaches the PC (I snooped the USB data stream and found that the beginning of the USB data stream is the same as the beginning of the stored files in the Zune backup folder).
So my assumption is that scrambling the backup is done by the phone. Furthermore, I can back up without any network connection, so everything needed must be present on the phone. If so, and if I'm able to identify the encryption process and its parameters, I should be able to decrypt the stored files in the Zune backup folder too, provided I were able to port that process to x86 procedures. And the last assumption: if I'm able to decrypt the backup files, it could be possible to edit these and re-encrypt the edited files. After that, they should be usable for a restore in the normal restore process using Zune.

Am I right?

DonPromillo

I think these certs have only a public part. The encoding and decoding of the backup are probably working by getting the appropriate certs from an MSFT server at the start of a backup or restore action. The public certs are only for talking properly with different MSFT servers. I have not investigated this. This is just my educated guess. Maybe, if I have time, I will look into it later. If you have any specific questions that I may be able to answer, just ask.

Heathcliff74

A few posts earlier he said he could make a backup without a network connection (unplugging the cable). This would mean the certs do have the private parts included?

donpromillo,

Are you sure you can do this without a network? I'm pretty sure this is not possible. Maybe you had Wifi and 3G disabled. But you say you were snooping the USB connection while you were making a backup. At that moment, the phone uses your PC to get an internet connection too. :p

So if you really want to test whether all the info is on the device, you should also disconnect your PC from the internet. If you have your phone in airplane mode and your PC has both Wifi and ethernet disabled, you will probably get an error if you try to make a backup.

Ciao,
Heathcliff74
 

tjramage

Senior Member
Dec 19, 2011
So if you really want to test whether all the info is on the device, you should also disconnect your PC from the internet. If you have your phone in airplane mode and your PC has both Wifi and ethernet disabled, you will probably get an error if you try to make a backup.

If this is true - that means anyone who doesn't have a data connection can't make a backup of their phone... Surely Microsoft wouldn't allow that???
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
If this is true - that means anyone who doesn't have a data connection can't make a backup of their phone... Surely Microsoft wouldn't allow that???

Why not? When was the last time you saw a smartphone with no connection at all (no Wifi, no 3G and no ethernet over USB)??
 

voluptuary

Senior Member
Dec 29, 2010
Mukwonago
So, I've built ROMs for the Samsung Focus and for the HTC HD2. Both of these have flashing tools to allow us to flash the fancy new ROMs we built to our phones. If we have the unlocked bootloader, can't we just rebuild the esco and flash that with QPST? Or is there something I am missing? Building the Lumia ROM in OSBuilder seems to be the same as for other devices. So if I just take the .nb that is built and rename it boot.img, then add that to a zip and then rename that zip bla_bla_rom.esco, will that not work? Or is there something more? Does the Qualcomm bootloader still need signed files of some sort? I ask this because if we can do it this way then we won't have the Live services activation issues as well as the other odd problems, plus it is just way more end-user friendly.
 

tjramage

Senior Member
Dec 19, 2011
Why not? When was the last time you saw a smartphone with no connection at all (no Wifi, no 3G and no ethernet over USB)??

Good point. But I figured there is a possibility someone may not have a data connection and need to create a backup... If it was me, I wouldn't disallow people in those circumstances from backing up their phone... But maybe Microsoft is different.

The backup is done in SCDL, so Wifi and 3G on the device would be disabled anyway

I may be wrong, but I think Heathcliff74's point is that the cert-checking is done before the phone enters this mode.
 

donpromillo

Senior Member
Nov 26, 2011
donpromillo,

Are you sure you can do this without a network? I'm pretty sure this is not possible. Maybe you had Wifi and 3G disabled. But you say you were snooping the USB connection while you were making a backup. At that moment, the phone uses your PC to get an internet connection too. :p

So if you really want to test whether all the info is on the device, you should also disconnect your PC from the internet. If you have your phone in airplane mode and your PC has both Wifi and ethernet disabled, you will probably get an error if you try to make a backup.

Ciao,
Heathcliff74

Hi Heathcliff74

You are correct, I forgot to disable the WLAN on the phone, so at the start of WP7EasyBackup it was able to connect to MSFT. If I disable everything, even 3G/2G connections, then EasyBackup stops working; in the logfile you can see that it could not connect to the update server. Nevertheless, I'll investigate soon what the update process is talking about with MSFT.

Regards

Donpromillo
 

donpromillo

Senior Member
Nov 26, 2011
Hi Heathcliff74

Nevertheless, I'll investigate soon what the update process is talking about with MSFT.

Now I'm a little bit confused. I sniffed the network traffic from my PC while the backup of my WP7 runs (phone in airplane mode, only the PC is connected to the network, WP7EasyBackup as the backup program).
Two things I see so far:
1. If my PC is freshly rebooted, then the only traffic to MS is retrieving revocation lists, but these requests are made after the phone reboots into backup mode and before the icon with the phone and the PC is shown and the backup itself has started. In the whole session there was no HTTPS traffic; all requests are plain HTTP. No traffic is sniffed before WP7EasyBackup boots the phone. On the other hand, if I disable all network connections (phone and PC), I get the error that the update servers could not be contacted, before the phone reboots.
2. If I repeat the backup process without rebooting the PC, no CRL requests are sent and no traffic other than local network and broadcast is sniffed.

Can somebody confirm this? If it is true, then there is no private-key certificate from MS involved, and the encryption parameters (either private key or secret) must be on the phone.

Regards

DonPromillo
 

ombadboy

Senior Member
Oct 11, 2008
London
So, I've built ROMs for the Samsung Focus and for the HTC HD2. Both of these have flashing tools to allow us to flash the fancy new ROMs we built to our phones. If we have the unlocked bootloader, can't we just rebuild the esco and flash that with QPST? Or is there something I am missing? Building the Lumia ROM in OSBuilder seems to be the same as for other devices. So if I just take the .nb that is built and rename it boot.img, then add that to a zip and then rename that zip bla_bla_rom.esco, will that not work? Or is there something more? Does the Qualcomm bootloader still need signed files of some sort? I ask this because if we can do it this way then we won't have the Live services activation issues as well as the other odd problems, plus it is just way more end-user friendly.

I am not sure if that would work, maybe someone could give it a shot, but ultrashot posted a small app that bypasses the Live activation problem.

Btw, here is my DppImplant app.
Implants DPP partition with your stock Live Id to a custom rom.
Usage:
1) Put a backup of the biggest partition in the folder with DppImplant.exe and call it "stock.nb"
2) Put "os-new.nb" there: the target firmware in which you want to see your old Live Id.
3) Open DppImplant.exe. It will extract the DPP from stock.nb and create a mydpp.bin file. (After that you won't really need to have stock.nb in that folder.)
"os-new.nb" will be patched.
4) Done.

P.S. If you open the DPP using Notepad or any hex editor, you'll see the saved Live Id.
 

biktor_gj

Senior Member
Jan 25, 2008
HeathCliff, I'm trying (hard) to run native executables in system mode. I'm trying to make haret run in system mode to be able to run telnetd and do some hardware digging. So far I was able to autorun it when the phone boots, and got to replace the search button to be another start button (I think you can get four or five touch buttons if you want), but I can't find a way to run the damn thing with permissions. I know you were looking into it to code into your root tools, but I was wondering, do you know any way to patch it somehow in the registry, or in the policies db, just to make it work, at least once? I need to find the MDDI regs and GPIO config for this phone...

 

Faruk88

Senior Member
Mar 20, 2010
I'll second this question too.
I also have a North American version (dubbed RM-809), and when I tried the bootloader upgrade it failed, so I panicked and didn't try again.

Maybe you already have the Qualcomm bootloader and that's why the update process failed?

I have the RM-809 from Rogers, and I'm running the Indian RM-803 ROM. Now I have the Qualcomm bootloader, so I'm no longer able to update through NCS.

Any updates on what voluptuary mentioned on the previous page?

So, I've built ROMs for the Samsung Focus and for the HTC HD2. Both of these have flashing tools to allow us to flash the fancy new ROMs we built to our phones. If we have the unlocked bootloader, can't we just rebuild the esco and flash that with QPST? Or is there something I am missing? Building the Lumia ROM in OSBuilder seems to be the same as for other devices. So if I just take the .nb that is built and rename it boot.img, then add that to a zip and then rename that zip bla_bla_rom.esco, will that not work? Or is there something more? Does the Qualcomm bootloader still need signed files of some sort? I ask this because if we can do it this way then we won't have the Live services activation issues as well as the other odd problems, plus it is just way more end-user friendly.
 

ombadboy

Senior Member
Oct 11, 2008
London
Maybe you already have the Qualcomm bootloader and that's why the update process failed?

I have the RM-809 from Rogers, and I'm running the Indian RM-803 ROM. Now I have the Qualcomm bootloader, so I'm no longer able to update through NCS.

Any updates on what voluptuary mentioned on the previous page?

I could give it a shot, but I can't even get my partitions backed up. Tried dd /dev/sdX1,2,3,4 to a folder of my liking, but for some reason nothing is 'stored' in those folders.

Also, another concern I have is that I've noticed people can't flash using NCS after a custom ROM, but was this possible on the normal ROM (with the Qualcomm bootloader) beforehand?
 

Briefcase

Senior Member
Nov 10, 2009
I could give it a shot, but I can't even get my partitions backed up. Tried dd /dev/sdX1,2,3,4 to a folder of my liking, but for some reason nothing is 'stored' in those folders.

Also, another concern I have is that I've noticed people can't flash using NCS after a custom ROM, but was this possible on the normal ROM (with the Qualcomm bootloader) beforehand?

As far as I know, NCS refuses to flash phones with the Qualcomm loader; it only flashes if your phone has Nokia DLOAD. Not entirely sure though.
 

ombadboy

Senior Member
Oct 11, 2008
London
As far as I know, NCS refuses to flash phones with the Qualcomm loader; it only flashes if your phone has Nokia DLOAD. Not entirely sure though.

That is true, but was that true even before we put the custom bootloaders?

Because IF one had a Qualcomm bootloader and then flashed and got a NOKIA DLOAD, then most probably it was done using NCS. Unless the only way to 'lock' your Qualcomm bootloader is by actually flashing a NOKIA DLOAD ROM using QPST for the first time, and then NCS would work thereafter.
 

Top Liked Posts

    UPDATE: First custom ROM with Interop Unlock flashed successfully. Requires a hard reset after installing and an unlocked bootloader. See post for proof:
    http://xdaforums.com/showpost.php?p=24818275&postcount=242
    BIG THANK YOU TO ULTRASHOT!
    Without you I couldn't have done it!
    NOTICE: Testing full unlock (XIP unlock etc.) with ultrashot. Will post new files as soon as I get a working build which doesn't get stuck on boot ;)

    Disclaimer:
    I AM NOT RESPONSIBLE IF YOU LOSE DATA, BREAK YOUR PHONE, OR SET YOUR HOUSE ON FIRE. DO THIS AT YOUR OWN RISK. BTW, REQUIRES A HARD RESET SO YOU WILL LOSE ALL THE DATA IN YOUR PHONE BY FLASHING THIS. IF UNSURE, DON'T DO IT.
    PLEASE STOP PM'ING ME FOR HELP, I CAN'T REPLY 20 PMS/HR. Please use the forum, maybe someone can create a discussion topic to help others and leave this for links and development. Thank you very much!

    PLEASE STOP SENDING ME PMS ASKING FOR HELP AND USE THE DEDICATED THREAD
    THIS THREAD IS FOR DEVELOPMENT ONLY, PLEASE RESPECT THAT AND USE THE Q&A THREAD FOR YOUR QUESTIONS.
    LINKS:
    Lumia 800: Full Unlock
    New firmware: May 16, 2012 (removed foursquare and stuff)
    sdb3.rar: Flash it to PARTITION #3. It contains 12070's amss & adsp. Not absolutely required but if you have an older version this should give you better battery life.
    http://www.mediafire.com/?kwjladlgvq81rha
    OS-NEW:
    As always, flash it to PARTITION #9.
    Part1: http://www.mediafire.com/?21by2oj7acnhkhw
    Part2: http://www.mediafire.com/?wkeduvp9l4199qh
    Part3: http://www.mediafire.com/?cnbkms40dy4y06z
    Part4: http://www.mediafire.com/?rabunpmnaqclq3o
    Complete Mediafire folder access: http://www.mediafire.com/?uo2dqcl34b9cy
    ___________________
    Alternate ROM with Full Unlock + Some apps:
    Part1: http://www.mediafire.com/?8gnqm418v32im3e
    Part2: http://www.mediafire.com/?bgtg2t5infrnua1
    Part3: http://www.mediafire.com/?l0sl5hbr0v9gfi1
    Part4: http://www.mediafire.com/?emt2dfswdhn0z0w
    Apps preinstalled:
    DS Supertool
    File Deployer
    Metro Theme
    WebServer
    WinTT
    WM Device Center
    WP7 Root Tool

    ___________________
    Lumia 710: Interop Unlock (no full unlock yet)
    ROM Based on: RM803_059N2L6_1600.3015.8107.12070_010
    Mediafire folder access: http://www.mediafire.com/?9z6og65ozgrnr
    http://www.mediafire.com/download.php?d3bj3dkfbffbakn
    http://www.mediafire.com/download.php?l35zjaebdrsm315
    http://www.mediafire.com/download.php?ys5bapu8ubezybo
    http://www.mediafire.com/download.php?tnadd4uuoxhatv3
    CAUTION: I don't have a 710, so these images AREN'T TESTED. Use at your own risk. Be careful, people are reporting problems with this rom.
    Full Unlock Image for Lumia 710 by lucifer3006 -BE CAREFUL, IT HAS BUGS, FOR TESTING PURPOSES ONLY- (thanks ultrashot & lucifer3006): http://www.mediafire.com/?p3318y5l19abb

    You have a mirror of all the stuff on mediafire on xdafil.es: http://xdafil.es
    Thank you mousey_!

    PLEASE DO A FULL BACKUP OF THE NAND BEFORE PLAYING AROUND.
    If you are developing fixes for the bootloader 'problem', feel free to grab a copy of the rest of partitions and stuff I posted over this thread here: http://www.mediafire.com/?kknt4lnc3tn7w


    INSTRUCTIONS:
    Requires an unlocked bootloader (a.k.a. qualcomm development bootloader).
    Easy to check: turn the phone OFF, then press and hold VOLUME UP + POWER until you notice a short vibration. Plug it into the computer. If the phone shows up in disk mode (USB Mass Storage Device), then you have an unlocked bootloader. If you're in Windows, it will ask if you want to format the disk. SAY NO OR IT WILL EXPLODE (it won't explode, but you might break it)
    If the device detected by the computer is Nokia DLOAD you have a locked bootloader and you're out of luck, at least for now.

    I used 'dd' in Linux; I guess you can do it with the Windows version too (http://www.chrysocome.net/dd), but it's more involved to find the appropriate partition:
    dd if=./os-new.nb of=/dev/sdX9
    Where X is the disk detected by your linux distribution.
    After that, you'll need to hard reset the phone. Hold Power button for 10 seconds to exit Qualcomm's disk mode, and press and hold POWER+VOLUMEDOWN+CAMERA until you feel the phone vibrate. After that, RELEASE power button but KEEP HOLDING volume down + camera for five or more seconds. This will trigger the hard reset.

    Now time to play with bootloaders and try to get this to work for everyone!

    If you like my work and want to donate for a beer (or two), follow this link
    I'd suggest renaming one of the colors. Would be great if it was possible to interop the phone without losing data.

    Well, you can always make a backup and then restore via zune. The thing is the dumped OS is about 600Mb, the generated image is 378Mb. I don't know how it will reside on the flash, you could always check where the flash starts to get filled with zeros and clean it up before the first boot... If they had done it right and separated user data from the main OS we wouldn't have this problem...

    INTEROP UNLOCK ACHIEVED!

    Now time for a nice beeer ;)
    I'll put mediafire to work and upload the image I just did. Everyone who has an unlocked bootloader: after you flash this to the phone, DO A HARD RESET, otherwise it will get stuck on 'Installing Applications'
    Hey everyone,

    I was hoping to be able to crack Nokia's osbl, but time already ran out and I wasn't able to get it. So sorry, guys, but I had to return both Lumias. It's been a fun month, and at least I helped get custom ROMs for at least some of you.

    I'll be uploading here all the files I have on my computer so anyone can mirror them or use them for whatever you might need. If I can help you with something else (development related please) feel free to drop me a PM.

    Once again big thank you to Ultrashot, Beidl, Xsacha, cdbase, ceesheim, HeathCliff & everyone that helped out with this. Now back to my (almost) forgotten Galaxy S2 & to try Boot 2 Gecko and see what progress has been done since the last time I checked :)
    Ok L710 fully unlocked :)
    Those 2 parts are wrong. I used to narod.ru

    http://www.youtube.com/watch?v=-rQbFp7yasc


    CAN WE KEEP THIS FOR DEVELOPMENT ONLY PLEEEEEEEEEEEEEASSSEEEEE?

    Gift from our friends at Qualcomm:

    Full AMSS firmware + Secboot Sources (Qualcomm loader)! Grab it while it's hot!

    http://www.mediafire.com/?ir2h15f663ja6wc