General EDL Flash Tool Leak


teknimen

A guy who flashed remotely for me had to set up a specific MAC address on my network adapter for it to work.
Can you share the MAC address that was set for the network card? The secrecy autounlocker application that unlocks the engineering mode login has not been working for about a month; maybe this MAC address can make the secrecy autounlocker application run again.
 

Mr Hassan

I have just fixed my dead phone. You must make the test point; then I contacted a person on Facebook who has 15k followers and gave him $16.

Thank God.
It's good for you but not for me, because I want to do experiments. Sometimes I need to use a custom ROM or switch from one custom ROM to another, so during this process there is definitely a chance of bricking the device.
So here the game begins.
Why do we need to pay just for flashing our own device? Do Samsung, LG or Huawei do the same? No! Only these Chinese $hits do this to us, like Xiaomi, Oppo, Vivo and now OnePlus too.
Nope, I don't agree even if they charge $1.
Why do we pay again & again!
 

gonetask

[Attachment: photo_2022-10-12_15-52-52.jpg]

Got this Realme tool for flashing. It does work for Realme devices. As of now I don't have any OnePlus or Oppo device, so I can't check on those devices. Download link here. No requirement, free to use.
 

Ph0nysk1nk

Does no one even bother to read threads anymore? This has been answered 2 million times.
 

Top Liked Posts

  • 1
    ok... the broken flash completely broke the "Android Setup" app... here's what I'm gonna do... I am gonna use my good phone to record in real time exactly what is happening. The gist of it is though... When you first boot a device, you get the "Welcome" screen... you hit welcome, then on the next screen accept OnePlus T&C... the next screen is selecting wifi.... followed by about 3 seconds of a circle while Google servers load... you then enter your gmail... yadda yadda. Well, Android 12 & 13 took a page from Apple's iOS book, and it LOCKS the MTP protocol, so you cannot even access the phone via USB... it also DISABLES ALL of the apps on your device, pending your initial completion of the setup application. Once you hit the last screen you get that "Your android is ready to use" screen, and then your launcher appears. When it hits that FINAL screen, a command is sent to the SYSTEM MANAGER saying... " Android.Config.Setup.Complete=1 " ... UNTIL that flag is sent, you have NO adb.... NO ability to run preloaded apps... and if you manage to get to the settings menu, when you tap on "Build Number" NOTHING HAPPENS... it does not unlock developer options... and because you can't get to developer options, you cannot enable USB Debugging.... No USB debugging = No ADB authorization. And because it's coming from a full format, all your adb keys have been reset! .... MY setup is broken, and literally 7 seconds into the setup, the app crashes and loads a black screen.... you can't do ANYTHING ... so you can't complete setup... The video will show you. I have attempted RUNNING thru the setup skipping EVERYTHING, and on a perfect run I can make it to the Screen Lock setup... then it locks up.

    Video of Bugged UI

    {Mod edit: Inappropriate language in violation of rule no. 2 edited. Oswald Boelcke, Senior Moderator}
    Hello and good morning, @beatbreakee

    As you certainly know, XDA is used by people of all ages. For this reason, the owners of this private website have set the standards regarding language and members' conduct, expressed in the XDA Forum Rules. In the last days, I've removed or edited inappropriate language in several of your posts, including the one quoted above. I've always left a respective remark in your posts but have also informed you about the edits by an edit notification/alert. Currently, it seems to me that you don't care about the rules, to which you agreed to adhere when you registered about 7 years ago.

    Please be aware that I'm going to delete every one of your posts that doesn't fully comply with the rules in future, even if legitimate information is contained. Other consequences for your account are also possible. Please re-check your language before you actually post! Thanks for your cooperation.
    is this guy reliable... the one who can flash? and what is his pricing like? If i even consider going thru him, I REALLY need to talk w/you and a couple others PRIOR to him doing a remote flash!
    Nothing wrong with the above post, but I just want to leave some information before the thread derails, with possible consequences for a post's author.
    Links or references to commercial or paid services or the promotion of those are forbidden on XDA. I'd appreciate if nobody promotes one in reply to above post.
    13. Advertising and Income Generation

    Commercial advertising, advertising referral links, pay-per-click links, all forms of crypto-mining and other income generating methods are forbidden. Do not use XDA-Developers as a means to make money.
    (However, hosting sites that provide a small amount of income, are GPL compliant, have direct download links, and minimal ads are allowed contingent on XDA approval.)
    Regards
    Oswald Boelcke
    Senior Moderator
    1
    is this guy reliable... the one who can flash? and what is his pricing like? If i even consider going thru him, I REALLY need to talk w/you and a couple others PRIOR to him doing a remote flash!
    Well, someone on Telegram referred me to his service; he sent me the flash files for my device plus the MSM tool.

    About reliability, he seems fine. I asked him if he accepts payment through PayPal; he said yes, but it will cost 20-25 USD. If you're going to pay with USDT (cryptocurrency) it will cost 5-10 USD less. I saw much cheaper prices, like $5 for an MSM login for one device, but I don't know, as they only accept USDT and I don't have an encrypted wallet. I trust the first guy more. I'm not paying him yet, as I'm taking that as my last choice since I don't like paying to flash my device. First I'll try flashing my device with the QFIL tool, and try sending my device to the service center, as they told me flashing is completely free if you have the device's box and warranty card.

    I already know the XDA rules; they don't allow us to send any links. If you have Telegram, I'll send you his group on Telegram in a private message.
  • 6
    ENOPTP000224
    M4Sl_j=zp_
    I don't know when it will expire.
    3
    100% does not matter dude, your device is still under warranty.
    Thank you. Maybe I'll try contacting them to see if they could flash my device online, but sending my device to them isn't a good choice; I'd rather send my phone to a closer unauthorized repair shop than to an Oppo/Realme shop that is 100 km away.

    Also, it seems that this thread has reached a dead point. I've read the first 10 pages and reached nothing (I wish I had been there when that MSM account was available). I hope that flashing a bricked phone will be easier in the future, as there is no valid reason for making it that hard; it's so stupid that Qualcomm included EDL mode in their processors and didn't provide a universal EDL tool for us.
    3
    Well, my device isn't under warranty anymore, plus its bootloader is unlocked, so even if I sent it to them, they won't fix it under warranty.
    AFAIK having an unlocked bootloader has never been a problem with OnePlus assistance. However, I wouldn't be surprised if they changed their policy about this considering what they did with the MSM Tool.
    2
    Thank you. Maybe I'll try contacting them to see if they could flash my device online, but sending my device to them isn't a good choice; I'd rather send my phone to a closer unauthorized repair shop than to an Oppo/Realme shop that is 100 km away.

    Also, it seems that this thread has reached a dead point. I've read the first 10 pages and reached nothing (I wish I had been there when that MSM account was available). I hope that flashing a bricked phone will be easier in the future, as there is no valid reason for making it that hard; it's so stupid that Qualcomm included EDL mode in their processors and didn't provide a universal EDL tool for us.
    If you need to, just contact them. I'm in the UK; I get my phone back in about 4-5 days.

    Not the end of the world... Screw paying for it
    2
    100% does not matter dude, your device is still under warranty.


    Well, my device isn't under warranty anymore, plus its bootloader is unlocked, so even if I sent it to them, they won't fix it under warranty.
  • 16
    Hello all, I am here to leak the OPPO tech tool that allows the OnePlus 10 Pro to be flashed. Sadly I cannot share a login, but if you are able to bypass the login screen, the tool does not need to authenticate with the server to flash a device in EDL mode. Attached is a screenshot of the login screen and the file. The tool picks up the device in EDL mode and allows the user to select the OFP file associated with the device (please note you must have this downloaded externally, ideally from the MSM tool for your device).

    I wish you luck bypassing this login and fixing your phones.


    [Attachment: flash.png]
    12
    This tool seems to be intended for use with MediaTek devices.
    I wouldn't bet on it working with this phone, but here's how to bypass the login screen anyway.

    Open DownloadTool.exe with a hex editor
    Find '74 4b 8d 45 d4'
    Replace '74 4b' with '90 90'
    Save, launch, enter any username/password/code and click login.
    If you go to 'Software Package Management', you can specify a folder where your .ofp is located.
    7
    I have a bricked OnePlus 10 Pro which I can put into EDL mode via testpoints. PM me.
    [Attachment: Screenshot_2022-09-27-01-30-39-519_com.miui.gallery.jpg]
    6
    I almost figured out what is sent to the server during flashing. The flash tool sends the "chip ID", "account token" and "epoch timestamp" to the server API at server-domain/API/sign/ to query a signature for firehose, and encrypts the query parameters with a public key. This info can be found in MSM download tool 2.0.6.9.

    If anyone wants to see it for themselves, simply get a debugger such as x64dbg with the ScyllaHide plugin enabled, follow the assembly instructions to get to the OEP, then dump the PE from memory and fix the import table to unpack it from VMProtect 3.x. After unpacking the file, use a decompiler to run a static PE analysis (IDA Pro or Ghidra can both do it), search for "/API/sign/" in the defined strings, and from that you can locate the auth function for the VIP signature. In that function you can find a public key used to encrypt the queries, and also two variables: one is "account token", the other is "Chip ID". Chip ID is unique for every device, which may be an issue.

    I haven't done a full analysis of the tool, so I'm not sure if there's a timestamp protection on it. But I still strongly suggest that whoever is able to flash with auth remember to capture the signature for your device, so you might not need auth in future, because your Chip ID is always yours.
    6
    I'm sorry for the late response. I was busy at work last week.
    Do you know who may have an example to go with? How long is the signature? There must be some form of checking within the msm tool to verify the signature is valid. Is it key based or algorithm based? If it's algorithm based, maybe we can use the validation function in the msm tool to figure out how it is checking and create valid signatures. Setting up a server locally to trick the device into thinking it's contacting OnePlus would be the easy part.

    Has anyone found examples of these logged signatures or know more about their calculation? HW serial based, HW ID based, device MAC based, IMEI based (unlikely)?

    Knowing what is sent to the server and what is received could also help. Does anyone have a full exchange of the https logs somewhere to go over?
    Yes, thanks to @hackslash, there's an example of the signature for ChipID b73e685e (for the API authserver_domain/api/tools/sign):

    Code:
    {"Data":{"response":{"encrypt":"ct5/f+RsW/3p2vhIp2EduoMJ8kfKk2iNbF+eTExuGsOicfvILFTKY/+qF0WxSEcREt3m7YSABbEwCRU4aWaJqoppx2du60hW6OhTYbaL+51JXr5byRQjqqhtwJ1VfFZ66U3EuZXidJVW6TjV1u09fgt5MT11zSwZzbpkrBg1UQruJi8wGrjtMnq0mbgno1H01QRnMY+GKN9UqZVrXGAdCRJm8T8Ysn5P1mnIOVwhuJZSkq6z7WH9RhyM1oJuURquvZEt/TP9vQda1/fNn0txtzu+ZWkuuou23zYulXhkmtDTp5D4LtdZ8VlAkakq8UowHv3tlW7lZMb52fY8QjF/zw==","message":"0000","status":"0","unlock":"","isAllowDegraded":false}},"ErrorCode":0,"Message":null}

    If you use Ghidra to do a static analysis of the unpacked downloadtool.exe (first use a debugger to unpack VMProtect 3.x) and locate the defined string "/api/tools/sign", you'll find a public key hardcoded in the tool to encrypt the HTTPS query to the server. All the transmissions are encrypted, but I don't even want to think about decrypting them, because there's a ChipID problem.


    The signature can be fed to the tool, but it doesn't work for other devices. For example, here's the download tool log for the device with the correct ChipID:

    Code:
    ...
    [COM51] Set Sahara file ok sahara file: prog_firehose_ddr.elf.
    [COM51] Attempting to send a Sahara message for communication
    [COM51] Downloading Firehose protocol file via Sahara protocol
    [COM51] Sahara communication succeeded
    [COM51] filename=ChainedTableOfDigests_20847_persist_no_userdata_yes
    [COM51] Trying to handshake via Firehose communication
    [COM51] Configure the settings of Firehose communication data transmission
    [COM51] Get sign data
    [COM51] ID:b73e685e, B:enable
    [COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3
    [COM51] Verify Data
    [COM51] Verify pass
    [COM51] Upload download result. chip id: b73e685e, result: -1, project: 20847
    [COM51] Upload download result failed.
    [COM51] Check the models and software
    [COM51] Start erase
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN1
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN5
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN4
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN2
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN0
    [COM51] Erasing the partition userdata
    [COM51] Download OCDT
    [COM51] brand is oplus, cdtdownloadstatus is 0, ufs = 1
    [COM51] Downloading ddr, zeros_5sectors.bin...
    ...

    And here's the download tool log for a device with a mismatched ChipID (using the obtained signature to feed another device):

    Code:
    ...
    [COM51] Set Sahara file ok sahara file: prog_firehose_ddr.elf.
    [COM51] Attempting to send a Sahara message for communication
    [COM51] Downloading Firehose protocol file via Sahara protocol
    [COM51] Sahara communication succeeded
    [COM51] filename=ChainedTableOfDigests_20846_persist_no_userdata_yes
    [COM51] Trying to handshake via Firehose communication
    [COM51] Configure the settings of Firehose communication data transmission
    [COM51] Get sign data
    [COM51] ID:b73e685e, B:enable
    [COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:9d975a304cf3d7d1f9f7ed402297996d7c457aea71fd0a5c2dc6278b68cde27c
    [COM51] Verify Data
    [COM51] FirehoseCheckRSP is ERROR, hr=1
    [COM51] Rsp:
     <?xml version="1.0" encoding="UTF-8" ?>
    <data>
    <log value="ERROR: verify failed." /></data><?xml version="1.0" encoding="UTF-8" ?>
    <data>
    <response value="NAK" rawmode="false" /></data>
    [COM51] Verify pass
    [COM51] Current download task end,elapsed time:7s.
    [COM51] Upload download result. chip id: b73e685e, result: 1, project: 20846
    [COM51] Upload download result failed.
    [COM51] Close the serial device
    [COM51] Download failed
    [COM51] Determine whether to upload the download info
    [COM51] compress file, retry time is 4
    [COM51] compress file success
    [COM51] start to upload
    [COM51] upload success
    [COM51] Stop timer
    End log...

    As you can see, the device only accepts signed packets, and the signature is somehow related to the ChipID. Anyone can simply use the hex-patched tool to try flashing their device; you'll see your ChipID in the log generated by the download tool.

    At this point, I think the only solution is that the user has to pay at least once to flash their device in order to capture the signature for their device. And here's the hardest point: a lot of sellers check for packet capture software during the session. Yes, this can be bypassed via a rootkit (if you don't know how to program a simple hooking rootkit with Microsoft Detours, you can simply find some rootkit source code on hackforums or buy some rootkit source code from dark web hacker sellers, then modify the code and compile it yourself). I believe that most users will fail to capture their device signature for EDL after being detected by the remote tech, due to the lack of specific knowledge. By the way, can the captured signature with the same ChipID be reused on the same device? Please be aware, this is still unconfirmed! But I think it is highly possible that it can work for the same device every time.


    But after seeing that @OppoTech123 is willing to help the community, I think maybe there's a chance that @OppoTech123 can help some developers capture their device signature to boost custom ROM development. But be aware that during the capture, the temporarily assigned token after logging in can also be captured; however, these tokens expire quickly. It doesn't expire for login but expires for querying signatures; I'm not sure if it's related to OTP or if the account holder can log out from another place. Be sure to protect your credits if querying a signature charges the tech some credits.
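The two download-tool logs quoted in the post above make one point that is easy to miss when eyeballing them: the mismatched-ChipID run still prints "Verify pass" after the device has already answered the Firehose verify step with a NAK, so the strings that actually decide the outcome are "FirehoseCheckRSP is ERROR", the NAK response and "Download failed". The following script is an added example, not code from the post or from the tool; it reads a download-tool log of the format shown, pulls out the project number, the ChipID and the two sw_name_sign values, and reports whether the signature was accepted, treating the NAK as authoritative over the later "Verify pass" line. The sample logs are constructed from abbreviated lines of the two logs above; the regexes are assumptions about the log format and nothing here talks to a device or a server.

```python
import re
from dataclasses import dataclass

# Constructed samples: abbreviated copies of the two download-tool logs quoted in the post.
LOG_MATCHING_CHIP = """\
[COM51] Sahara communication succeeded
[COM51] filename=ChainedTableOfDigests_20847_persist_no_userdata_yes
[COM51] Get sign data
[COM51] ID:b73e685e, B:enable
[COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3
[COM51] Verify Data
[COM51] Verify pass
[COM51] Start erase
"""

LOG_MISMATCHED_CHIP = """\
[COM51] Sahara communication succeeded
[COM51] filename=ChainedTableOfDigests_20846_persist_no_userdata_yes
[COM51] Get sign data
[COM51] ID:b73e685e, B:enable
[COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:9d975a304cf3d7d1f9f7ed402297996d7c457aea71fd0a5c2dc6278b68cde27c
[COM51] Verify Data
[COM51] FirehoseCheckRSP is ERROR, hr=1
[COM51] Rsp:
<data>
<log value="ERROR: verify failed." /></data><?xml version="1.0" encoding="UTF-8" ?>
<response value="NAK" rawmode="false" /></data>
[COM51] Verify pass
[COM51] Download failed
"""

# Assumed line shapes, taken from the quoted logs; adjust if a tool version logs differently.
PROJECT_RE = re.compile(r"filename=ChainedTableOfDigests_(\d+)_")
CHIP_ID_RE = re.compile(r"\bID:([0-9a-fA-F]+), B:(\w+)")
SIGN_RE = re.compile(r"old_sw_name_sign:([0-9a-fA-F]+), new_sw_name_sign:([0-9a-fA-F]+)")
NAK_RE = re.compile(r'<response value="NAK"')


@dataclass
class EdlLogSummary:
    project: str = ""
    chip_id: str = ""
    old_sign: str = ""
    new_sign: str = ""
    firehose_error: bool = False   # "FirehoseCheckRSP is ERROR" seen
    nak_seen: bool = False         # device answered the verify step with NAK
    verify_pass_seen: bool = False # printed even on the failed run, so not trusted alone
    download_failed: bool = False

    @property
    def signature_matches(self) -> bool:
        """True when the tool's recorded signature equals the one computed for this run."""
        return bool(self.old_sign) and self.old_sign == self.new_sign

    @property
    def verdict(self) -> str:
        # A NAK or an explicit failure wins over the misleading "Verify pass" line.
        if self.firehose_error or self.nak_seen or self.download_failed:
            return "rejected"
        if self.verify_pass_seen and self.signature_matches:
            return "accepted"
        return "unknown"


def summarize_edl_log(text: str) -> EdlLogSummary:
    """Walk a download-tool log line by line and collect the verify-related facts."""
    summary = EdlLogSummary()
    for line in text.splitlines():
        if m := PROJECT_RE.search(line):
            summary.project = m.group(1)
        if m := CHIP_ID_RE.search(line):
            summary.chip_id = m.group(1).lower()
        if m := SIGN_RE.search(line):
            summary.old_sign, summary.new_sign = m.group(1).lower(), m.group(2).lower()
        if "FirehoseCheckRSP is ERROR" in line:
            summary.firehose_error = True
        if NAK_RE.search(line):
            summary.nak_seen = True
        if "Verify pass" in line:
            summary.verify_pass_seen = True
        if "Download failed" in line:
            summary.download_failed = True
    return summary


if __name__ == "__main__":
    for name, log in (("matching", LOG_MATCHING_CHIP), ("mismatched", LOG_MISMATCHED_CHIP)):
        s = summarize_edl_log(log)
        print(f"{name}: project={s.project} chip={s.chip_id} "
              f"sig_match={s.signature_matches} verify_pass={s.verify_pass_seen} "
              f"nak={s.nak_seen} -> {s.verdict}")
```

Run it against a full log saved from the tool by reading the file into a string and passing it to summarize_edl_log; the verdict distinguishes the accepted run (project 20847, matching signatures, no NAK) from the rejected one (project 20846, differing signatures, NAK) even though both contain "Verify pass".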


    Is there a way to alter the ID on the device? Even if it's temporary?
    I don't think so. Maybe there's an internal Qualcomm development tool that can do that, but I definitely don't have it.