Im on oct patch and still getting "device not support"
I had the same problem on my device (TA-1004), and decided to take a closer look at it. Running "adb logcat" while performing the steps in the app gives out multiple SELinux warnings and app exceptions related to opening the file "/proc/fver".
I also used a proxy to intercept and read the requests by the app to the HMD server.
I could prefectly open the file through "adb shell", and made the observation that the app probably tries to figure out which firmware the phone is running (NB1-488J-0-00WW-B01 for october patch). However, it seemed that october patch messed up the SELinux permissions
so every app that tries to access it gets blocked (shell works because it is some kind of elevated process I think, I vaguely recall that apps run in a different PID range). A side effect of that is that the app always reports the firmware as NB-1.0-0-00WW-B01 and gets
an error code that the version is not in the compatibility list.
As a next step I decided to take apart the apk itself and decompiled it into java code. The code is obfuscated (this means all elements are called a, b, c, d, etc. instead of the original names HMD uses) - so basically unreadable without lots of time,
but thankfully I had a starting point - the errors in the logcat included the spot where the code fails. Reading the file, I found that reading the firmware from /proc/fver is actually just a fallback, the prefered way is to read it from the "ro.build.odm.fver" property,
which, according to running "getprop ro.build.odm.fver" and just "getprop" to list all properties, does not exist.
What does this mean? Either the property never existed and HMD/Google/whoever broke accessing the /proc/fver file in the october patch, or the property existed on september patch, and they forgot to include it in the october patch as well.
(This seems more likely, since, for example, you also needed the september patch to run the app at all, even though they changed keys in august. That already indicates that they had to change something and forgot it now).
Is this solveable? Thats actually a good question. After I already had the code, I thought why not try to get it working.
The problem with that is that even though you can patch the app to stop erroring and force it to send a somewhat correct looking request, there are lots of security mechanisms put in place by HMD
- The app generates a hash of itself, and uses that to verify itself against the HMD server (solveable, SafetyNet just dumps those hashes into the logcat so I assigned them to their variables)
- The app seems to have some form of negotiation between itself and the HMD Server, I couldn't just resend a previous request. (Might be solveable, but hard without knowledge about the HMD server)
- The app does some work inside of a native library that cannot be decompiled. This is a problem.
That last point is important, because the whole body of the request is encrypted, with only a public key availabe in the apps files (public key is for encrypting, to read the data we would need the private key). It probably contains your IMEI numbers since they aren't anywhere else in the request.
Because we can neither decrypt the data to see whats actually sent, nor check out the code that generates the request, we are basically screwed. While you can edit the unencrypted version number in the request header, it did not work so far for me with the october patch version. I tried guessing the version number from september (I went straight from July to October due to having to reflash my device before sending it in for speaker repair, so I don't know the exact number), but it didn't work either.
I would be interested if anyone that is still running september patch could post the firmware version, so I can try that out. If it doesn't work we can say for sure that the firmware version is added a second time to the request body.
I would also be interested if this is a device specific issue. I have the dual-SIM version, maybe it works for the single SIM one?
Maybe it also never worked like it should on the dual-SIM one?
After writing such a long and probably hard to read post, I had a final thought: I wonder if the keys that are used to generate the unlock key are the same for all devices. If yes, and someone manages to figure out how to modify the request, it could be possible to have all different HMD phones (like Nokia 7 Plus for example) to identify with a Nokia 8 firmware and get an unlock key generated. But thats probably just a dream.