Looking For EMTOKEN Example

_guru_

New member
Jul 30, 2021
4
2
I am looking for someone to share an example of an EMTOKEN (signed steady.bin). Most services where you purchase one require you to use a USB director so that they can load the token onto your phone themselves without providing you the token.

Now I can probably pay for this service and dump USB during the process to leak the token - or have them load it onto a rooted phone so I can dump the steady.bin myself afterwards. However I'm hoping someone here has it already.

I do not want one for a specific DID - simply a valid one that is properly signed for ANY DID. While S20 is nice I will actually accept any emtoken for any Samsung model.
 

iBowToAndroid

Senior Member
Nov 9, 2010
5,499
1
1,752
Twin Cities MN
That's not how emtoken works haha. Each token is always unique based on the DID. There's no such thing as a token that works for every single device of one certain model, let alone one token file that works for ANY model
 

_guru_

New member
Jul 30, 2021
4
2
That's not how emtoken works haha. Each token is always unique based on the DID. There's no such thing as a token that works for every single device of one certain model, let alone one token file that works for ANY model
You misunderstand. I know there's no such thing as a global emtoken. I wanted a valid emtoken for a random DID. I didn't need one for any specific phone.

It was for research. I found what I needed anyway.
 

xori.eng

Member
Aug 30, 2012
33
16
BANDUNG
That's not how emtoken works haha. Each token is always unique based on the DID. There's no such thing as a token that works for every single device of one certain model, let alone one token file that works for ANY model
Dear iBowToAndroid,
I badly need a Samsung certificate (Dev CA/Root CA) to sign the steady.bin file, let me know if it's available somewhere...
Regards,
xe
 

adfree

Senior Member
Jun 14, 2008
10,228
5,974
Samsung Galaxy Watch 4
Samsung Galaxy S22
Maybe somebody can help me... work together.

A
On GW4 it seems "possible" by accident/luckypunch to reach Allow FAC...

Device is Android 11... User told some fail on FOTA update and maybe Bootloader unlocked...
See Photo... DID removed with Paint...


B

Few stupid tests with parts of Combination Firmware... after patched vbmeta and Root via Magisk...

I am able to use boot.img and recovery.img by simple text edit:
instead fac... I change to mrk...

Tested only on SM-R870... GW4...


C

My steady.bin looks "weird"... no idea if because Knox 1...

I am scared to erase it... for stupid tests...

D

I am at the moment not smart enough to disable Security check in vbmeta_system.img

To play with super.img

Only as info.

And thanks for steady examples.

I was only able to see this Youtube Video before:

Only as info.

Best Regards

Edit 1.

My dumped steady.bin is 4 MB and contains 32 Byte bla bla... for MD5 first 00 seems wrong...
And human readable I see:
DEL

Maybe DELeted?

I have nothing to compare yet...
 

Attachments

  • allowFACv1.jpg
    56.4 KB · Views: 35

adfree

Senior Member
Jun 14, 2008
10,228
5,974
Samsung Galaxy Watch 4
Samsung Galaxy S22
Short looked into token examples...

I see cer Cert... at end of file... so public key is visible inside...

Model Name is human readable in Cert...
SM-G960F1

It's "only" RSA 2048...

No idea if meanwhile somebody can compute this at home...

All 6 steady are from SM-G960... no idea why first 1 shorter in length...

And funny... I see DASEUL...
Boah so long ago I had this Tool...

Best Regards

Edit 1.

Example attached... if you know Cert *.cer begins with:
3082 HEX

You can find in these steady.bin...

I saw 1 Base64 encoded crap... could be MD5 from lengths... 32 Byte...
 

Attachments

  • DASEULCertPublic_v1.zip
    1.3 KB · Views: 33

adfree

Senior Member
Jun 14, 2008
10,228
5,974
Samsung Galaxy Watch 4
Samsung Galaxy S22
Meanwhile I have my second GW4 rooted. SM-R875F...

So I was able to compare steady.bin... dumped via ADB

Text String DEL is same...

32 Byte Block differ...

Hmmm...

No idea how this Steady looks before Root... before Knox 1...

Also no idea what happens if I erase steady or write steady.bin via Odin...

Best Regards
 

adfree

Senior Member
Jun 14, 2008
10,228
5,974
Samsung Galaxy Watch 4
Samsung Galaxy S22
Aha...

Code:
#define EM_MAGIC_TOKEN                           "TOKE"
#define EM_MAGIC_TOKEN_VALIDATE                  "VALI"
#define EM_MAGIC_TOKEN_MODE                      "MODE"
#define EM_MAGIC_TOKEN_ISSUER                    "ISSU"
#define EM_MAGIC_TOKEN_DEVICE                    "DEVI"
#define EM_MAGIC_TOKEN_INTEGRITY                 "INTE"
#define EM_MAGIC_TOKEN_MODB                      "MODB"

#define EM_MAGIC_HEADER_PREFIX                   "ENG"
#define EM_MAGIC_HEADER_TYPE_REQ                 "REQ"
#define EM_MAGIC_HEADER_TYPE_TRQ                 "TRQ"
#define EM_MAGIC_HEADER_TYPE_RES                 "RES"
#define EM_MAGIC_HEADER_TYPE_ACK                 "ACK"
#define EM_MAGIC_HEADER_TYPE_ERR                 "ERR"

#define EM_MAGIC_LTS_INSTALLED                   "INS"
#define EM_MAGIC_LTS_DELETED                     "DEL"
#define EM_MAGIC_LTS_BROKEN                      "BRK"
#define EM_MAGIC_LTS_EXPIRED                     "EXP"
#define EM_MAGIC_LTS_UNKNOWN                     "UKN"

#define EM_MAGIC_OK                              "OK"
#define EM_MAGIC_NOK                             "NOK"

#define EM_MAGIC_USER_FUSE                       "11"

#define EM_MAGIC_GET_MODE_TOKENINZER             ","
#define EM_MAGIC_GET_MODE_FROM_TOKEN             "TOK"
#define EM_MAGIC_GET_MODE_FROM_DEV               "DEV"
#define EM_MAGIC_GET_MODE_NO_TOKEN               "NO_TOKEN"

Some changelog...

Code:
 * Version history.
 *
 * 30.0.0  - (20.08.25) [SWD] Initial commit(Support R OS)
 * 30.0.1  - (20.08.26) [SWD] Fix check provisioning return value
 *                            Add logic about checking core all zero
 * 30.0.2  - (20.08.31) [SWD] Fix return value of rpmb read function (Qualcomm)
 * 30.0.3  - (20.08.31) [SWD] Recovery error because parameter of making key function isn't normal
 * 30.0.4  - (20.08.31) [SWD] Add 'System' permission for Qualcomm
 * 30.0.5  - (20.09.02) [SWD] If esi isn't updated, return success without flag
 * 30.0.6  - (20.09.07) [SWD] Error value is duplicated
 * 30.0.7  - (20.09.07) [SWD] Add flag for recovery esi
 * 30.0.8  - (20.09.08) [SWD] Fixed logic coverting 'string UID' to 'integer UID'
 * 30.0.9  - (20.09.09) [SWD] Add missing file for 30.0.7
 * 30.0.10 - (20.09.16) [SWD] Enable kernel log for qualcomm
 * 30.0.11 - (20.09.28) [SWD] Change sign_run_type of engmode TA
 * 30.0.12 - (20.10.19) [SWD] Add condition for esi remove
 * 30.0.13 - (20.10.20) [SWD] Add kernel log for debugging
 * 30.0.14 - (20.10.20) [SWD] 1. Add logic to restore ESI using recovery counter in BL.
 *                            2. Change to sharing state only from emservice
 *                            3. Add logic to change DID
 *                            4. prevent issue
 *                            5. bootloader build error
 * 30.0.15 - (20.10.20) [SWD] Fix return value of get modes bit function (if mode is more than 32, incorrect value is returned)
 * 30.0.16 - (20.10.20) [SWD] DID of ESI isn't updated when DID is updated in BL
 * 30.0.17 - (20.10.21) [SWD] Support AT+ENGMODES=0,0,3,0 (Delete token - offline)
 * 30.0.18 - (20.10.21) [SWD] 1. Prevent issue
 *                            2. issue : token id is mismatched when fac token is installed
 *                            3. token isn't recognized when the DID is changed via em get modes bit
 * 30.0.19 - (20.10.23) [SWD] Support init core
 * 30.0.20 - (20.10.23) [SWD] 1. Apply EM TSTATE property
 *                            2. incorrect Get modes bit value
 * 30.0.21 - (20.10.23) [SWD] Prevent issue(critical)
 * 30.0.22 - (20.10.26) [SWD] Prevent issue(major)
 * 30.0.23 - (20.11.02) [SWD] Re-arrange codes for LSI LK
 * 30.0.24 - (20.11.02) [SWD] prevent issue (BL)
 * 30.0.25 - (20.11.02) [SWD] Fixed build error on R-OS QC projects
 * 30.0.26 - (20.11.02) [SWD] To prevent integer overflow when parsing token information
 * 30.0.27 - (20.11.02) [SWD] Change the context for parameters of all commands
 * 30.0.28 - (20.11.03) [SWD] Modify code by LSI LK checkpatch rule
 * 30.0.29 - (20.11.03) [SWD] Kinibi TA porting(9810)
 * 30.0.30 - (20.11.04) [SWD] For prevent overflow
 * 30.0.31 - (20.11.04) [SWD] Add missing files for 30.0.30
 * 30.0.32 - (20.11.04) [SWD] Reduce unnecessary writing esi
 *                            (When tuc table isn't updated, em data(esi, core) won't be updated)
 * 30.0.33 - (20.11.04) [SWD] prevent issue (BL)
 * 30.0.34 - (20.11.05) [SWD] Add new command to FILE type token names of installed token.
 * 30.0.35 - (20.11.05) [SWD] Add new command to get infomation of token
 * 30.0.36 - (20.11.09) [SWD] Add the debugging log for BL
 * 30.0.37 - (20.11.10) [SWD] Set dafult model and issuer whitin EM_CMD_GET_INFO's response
 * 30.0.38 - (20.11.10) [SWD] prevent issue (BL)
 * 30.0.39 - (20.11.10) [SWD] Fix checkpatch issue (LSI BL)
 * 30.0.40 - (20.11.10) [SWD] Change the error value of the ESS command
 * 30.0.41 - (20.11.11) [SWD] Delete unuse define value
 * 30.1.00 - (20.11.11) [SWD] Write em core after all operations are done
 * 30.2.00 - (20.11.11) [SWD] Fixed recovery error when RPMB is not provisioned
 * 30.2.01 - (20.11.13) [SWD] Fixed checkpatch issue (LSI BL)
 *                            Fixed some bugs on bootloader
 * 30.2.02 - (20.11.16) [SWD] Not set esi version on em_token_get_status
 * 30.2.03 - (20.11.16) [SWD] If server tuc == 0 && this mode isn't related to tuc,
 *                            then application can't recognized tuc of this mode
 * 30.2.04 - (20.11.17) [SWD] Memory leak when free esi item
 * 30.2.05 - (20.11.17) [SWD] Not set RETURN_TOKEN_REMOVE flag when parsing token is failed
 * 30.2.06 - (20.11.17) [SWD] Fix low/major prevent issue
 * 30.3.00 - (20.11.19) [SWD] 1. Added local variable to pass paremeter for LSI BL
 *                            2. Not check TUC if NO_COUNT flag is set (bug fix)
 *                            3. Add EM_TYPE_ESI_ITEM_RECOVERY_COUNTER_BL for recovering ESI by BL
 *                            4. Delete the logic clearing IIN in the ESI from the SHARED status (bug fix)
 *                            5. Increase size of buffer of priority date (9 -> 26)
 * 30.3.01 - (20.11.19) [SWD] 1. Fix checkpath issue(LSI BL)
 *                            2. Not set RETURN_TOKEN_REMOVE flag setting or getting expiry date without token
 * 30.3.02 - (20.11.20) [SWD] Enable engmode TA for MTK
 * 30.3.03 - (20.11.24) [SWD] Changed correct LTI type for recoverying ESI
 * 30.3.04 - (20.11.24) [SWD] ADD ESI meta check logic
 * 30.3.05 - (20.11.25) [SWD] Support lsec tok feature
 * 30.3.06 - (20.11.25) [SWD] Add LTS flag logic for BL
 * 30.3.07 - (20.11.25) [SWD] Change to MTK RPMB USER ID (9->10)
 * 30.3.08 - (20.11.30) [SWD] Update RPMB static lib for MTK
 * 30.3.09 - (20.12.02) [SWD] Arrange the code
 * 30.3.10 - (20.12.02) [SWD] Add log for analysis
 * 30.3.11 - (20.12.07) [SWD] MTK patch(Change to rpmb static lib)
 * 30.3.12 - (20.12.08) [SWD] MTK patch(Change to rpmb static lib)
 * 30.3.13 - (20.12.08) [SWD] MTK patch(Change to rpmb static lib)
 * 30.3.14 - (20.12.15) [SWD] MTK patch(Add to rpmb static lib for A32 LTE)
 * 30.3.15 - (20.12.23) [SWD] Store core data backup on RPMB
 * 30.4.00 - (21.01.06) [SWD] Refactoring codes (Remove alignment(1) of the structure)
 * 30.4.01 - (21.01.08) [SWD] Add the core init flag
 * 30.4.02 - (21.01.13) [SWD] 1. Add the shared esi counter item in ESI
 *                            2. Add init flag in core if init flag isn't set in core
 * 30.5.00 - (21.01.13) [SWD] Enhanced EM Token Certificate Validation
 * 30.5.01 - (21.01.15) [SWD] Enhanced EM Token Certificate Validation-2
 * 30.5.02 - (21.01.18) [SWD] stack buffer overflow when printing char array without '\0'
 * 30.5.03 - (21.01.18) [SWD] EM ta porting for BSP build chipset(SDM670)
 * 30.5.04 - (21.02.05) [SWD] 1. Add new error code for Teegris RPMB driver unavailable (since Teegris 4.2)
 *                            2. Add sync count to improve debugging
 * 30.5.05 - (21.03.17) [SWD] Fixed the wrong response for no token device
 * 30.6.00 - (21.04.13) [SWD/DAEMON] Increase buffer max size for ENGMODES command (10K -> 50K)
 * 30.6.01 - (21.04.23) [SWD] Move em_client_manager to common code
 * 30.6.02 - (21.06.01) [SWD] Apply common scrypto lib of confidential (CL#21865329)
 * 30.6.03 - (21.06.01) [SWD(QSEE)] Add linkflag for deterministic QSEE TA build
 * 30.8.00 - (21.06.08) [SWD/DAEMON] Support EM lite (Disable em core & esi)
 * 30.8.01 - (21.06.09) [SWD] Update did compare logic
 
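A triage helper for the dumps discussed in the posts above, as an added example that is not part of the original thread: it lists non-zero regions, diffs two dumps, looks for the status strings from the EM_MAGIC_LTS_* defines, and finds `30 82` DER headers with a fingerprint so identical copies stand out. The sample blob and its offsets are constructed, and reading a bare `DEL` in a dump as one of those status strings is an assumption.

```python
import hashlib
import re

# Status strings copied from the EM_MAGIC_LTS_* defines quoted in the post above.
LTS_MARKERS = {b"INS": "installed", b"DEL": "deleted", b"BRK": "broken",
               b"EXP": "expired", b"UKN": "unknown"}

def nonzero_extents(blob, gap=16):
    """Return [(offset, length)] of non-zero regions, merging regions < gap zero bytes apart."""
    extents = []
    for m in re.finditer(rb"[^\x00]+", blob):
        if extents and m.start() - sum(extents[-1]) < gap:   # sum() = end of previous extent
            start = extents[-1][0]
            extents[-1] = (start, m.end() - start)
        else:
            extents.append((m.start(), m.end() - m.start()))
    return extents

def differing_ranges(a, b):
    """Return [(offset, length)] where two equal-sized dumps differ (XOR, then extent scan)."""
    if len(a) != len(b):
        raise ValueError("dumps must be the same size")
    delta = (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")
    return nonzero_extents(delta, gap=1)

def lts_markers(blob):
    """Return [(offset, meaning)] for status strings that are not part of a longer ASCII word."""
    pattern = rb"(?<![A-Za-z])(INS|DEL|BRK|EXP|UKN)(?![A-Za-z])"
    return [(m.start(), LTS_MARKERS[m.group(1)]) for m in re.finditer(pattern, blob)]

def der_candidates(blob, min_len=256):
    """Return [(offset, length, fingerprint)] for '30 82 hh ll' headers that could start a cert."""
    hits, pos = [], blob.find(b"\x30\x82")
    while pos != -1:
        total = 4 + int.from_bytes(blob[pos + 2:pos + 4], "big")
        # A certificate is SEQUENCE { tbsCertificate SEQUENCE, ... }: the body starts with 0x30.
        if total >= min_len and pos + total <= len(blob) and blob[pos + 4] == 0x30:
            der = blob[pos:pos + total]
            hits.append((pos, total, hashlib.sha256(der).hexdigest()[:16]))
            pos = blob.find(b"\x30\x82", pos + total)   # skip SEQUENCEs nested in this hit
        else:
            pos = blob.find(b"\x30\x82", pos + 1)
    return hits

def build_sample(block32):
    """Constructed stand-in for a dump (not real token data): zero-filled 64 KiB with one
    32-byte block, a status string and two identical DER-shaped fillers."""
    blob = bytearray(64 * 1024)
    blob[0x100:0x120] = block32
    blob[0x200:0x203] = b"DEL"
    filler = b"\x30\x82\x01\x2c" + b"\x30\x81\xc8" + b"\x5a" * 297   # 304 bytes, not a valid cert
    blob[0x1000:0x1000 + len(filler)] = filler
    blob[0x2000:0x2000 + len(filler)] = filler
    return bytes(blob)

if __name__ == "__main__":
    first, second = build_sample(bytes(range(1, 33))), build_sample(bytes(range(33, 65)))
    print("non-zero:", nonzero_extents(first))
    print("differs :", differing_ranges(first, second))
    print("status  :", lts_markers(first))
    print("DER     :", der_candidates(first))
```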

adfree

Senior Member
Jun 14, 2008
10,228
5,974
Samsung Galaxy Watch 4
Samsung Galaxy S22
More DASEUL "hints"...

hello guys. i have an mkopa samsung galaxy a13, -current binary Samsung official -KG state Active (01) -OEM lock On(L) -Eng mode Factory bin allowed (DASEUL) -Eng mode Atcmd allowed(DASEUL).............is it possible to flash its software....?????????? bootloader also locked

7 years old example how Tool DASEUL looks like...
 

Xtrememobiles

Member
Aug 2, 2017
5
1
Meanwhile I have my second GW4 rooted. SM-R875F...

So I was able to compare steady.bin... dumped via ADB

Text String DEL is same...

32 Byte Block differ...

Hmmm...

No idea how this Steady looks before Root... before Knox 1...

Also no idea what happens if I erase steady or write steady.bin via Odin...

Best Regards
I read steady partition before writing etoken via JTAG.
It's empty.
Model S21
 

Attachments

  • LUN0_steady_000002C00000_000003000000.bin
    4 MB · Views: 41

adfree

Senior Member
Jun 14, 2008
10,228
5,974
Samsung Galaxy Watch 4
Samsung Galaxy S22
I have just for fun used for other DID eToken with my SM-R875F ... USB cable + Odin...

Code:
<ID:0/004> Added!!
<ID:0/004> Odin engine v(ID:3.1401)..
<ID:0/004> File analysis..
<ID:0/004> Total Binary size: 0 M
<ID:0/004> SetupConnection..
<ID:0/004> Initialzation..
<ID:0/004> Get PIT for mapping..
<ID:0/004> Firmware update start..
<ID:0/004> NAND Write Start!!
<ID:0/004> SingleDownload.
<ID:0/004> steady.bin
<ID:0/004> RQT_CLOSE !!
<ID:0/004>
<ID:0/004> Complete(Write) operation failed.
<OSM> All threads completed. (succeed 0 / failed 1)


On SM-R875F I see this text:


DOWNLOADING TOKEN...


Failed to install : (0xf....)

bl_install_token error


After holding few seconds both Keys... I am in Upload Mode... because I set before Debug to HIGH...

Now dumping files with RDX and later will check if steady.bin I know changed...
Or only used to write data to RPMB partition...

For now I hope this was good idea....
:)

Best Regards
 

adfree

Senior Member
Jun 14, 2008
10,228
5,974
Samsung Galaxy Watch 4
Samsung Galaxy S22
Tried other steady from this thread...

Code:
#define EM_ERR_EM_CRYPTO_GET_SUBJECT_LEN                     0xF01B0013

I tried this:
200412335F326711_MODE_ENG_KERNEL,MODE_CUSTOM_KERNEL,MODE_FACTORY_BIN.tar

So sboot spit Error Codes... which I can find...

Interesting.

At the moment my SM-R875F still alive...

steady partition not changed... 1:1 same like before stupid attempts...

Best Regards
 

adfree

Senior Member
Jun 14, 2008
10,228
5,974
Samsung Galaxy Watch 4
Samsung Galaxy S22
Few stupid attempts later...

netOdin not work for me with SM-R875F...

Code:
<ID:0/001> 192.168.49.1
<ID:0/001> Odin engine v(ID:1.0000)..
<ID:0/001> File analysis..
<ID:0/001> SetupConnection..
<ID:0/001> Initialzation..
<ID:0/001> Get PIT for mapping..
<ID:0/001> Get PIT Transmission
<ID:0/001> Firmware update start..
<ID:0/001> SingleDownload.
<ID:0/001> steady.bin
<ID:0/001> __XmitData_Write
<ID:0/001> XmitData
<ID:0/001> Complete(Write) operation failed.
<ID:0/001> Removed!!
<OSM> All threads completed. (succeed 0 / failed 1)
<ID:0/001> 192.168.49.1

Strange... with Original Filenames like:
Code:
200412335F326711_MODE_ENG_KERNEL,MODE_CUSTOM_KERNEL,MODE_FACTORY_BIN.tar

netOdin crashes... if I rename I can try...

netOdin nothing shows on SM-R875F... like I saw with cable and Odin...

So I tried to "erase" steady partition... just for fun...

Code:
D:\Android\ADBnew>adb push steady_empty00_v1.bin /sdcard
steady_empty00_v1.bin: 1 file pushed, 0 skipped. 136.4 MB/s (4194304 bytes in 0.029s)

D:\Android\ADBnew>adb shell
freshul:/ $ su
freshul:/ # dd if=/sdcard/steady_empty00_v1.bin of=/dev/block/mmcblk0p3
8192+0 records in
8192+0 records out
4194304 bytes (4.0 M) copied, 1.625481 s, 2.4 M/s
freshul:/ # dd if=/dev/block/mmcblk0p3 of=/sdcard/steady_dump2.bin
8192+0 records in
8192+0 records out
4194304 bytes (4.0 M) copied, 0.138186 s, 29 M/s
freshul:/ # exit
freshul:/ $ exit

D:\Android\ADBnew>adb pull /sdcard/steady_dump2.bin .\etoken
/sdcard/steady_dump2.bin: 1 file pulled, 0 skipped. 1.2 MB/s (4194304 bytes in 3.208s)

D:\Android\ADBnew>adb shell
freshul:/ $ su
freshul:/ # reboot


D:\Android\ADBnew>adb shell
freshul:/ $ su
freshul:/ # dd if=/dev/block/mmcblk0p3 of=/sdcard/steady_dump3.bin
8192+0 records in
8192+0 records out
4194304 bytes (4.0 M) copied, 0.193254 s, 21 M/s
freshul:/ # exit
freshul:/ $ exit

D:\Android\ADBnew>adb pull /sdcard/steady_dump3.bin .\etoken
/sdcard/steady_dump3.bin: 1 file pulled, 0 skipped. 2.1 MB/s (4194304 bytes in 1.918s)

SM-R875F still alive... I can not see side effects... steady still empty... all 00 Zeros...

Now I have setup with Phone...

Will check if steady still untouched...

Best Regards
 

adfree

Senior Member
Jun 14, 2008
10,228
5,974
Samsung Galaxy Watch 4
Samsung Galaxy S22
New day... new stupid attempt...

Code:
freshul:/ # dd if=/dev/block/mmcblk0p3 of=/sdcard/steady_dump.bin
8192+0 records in
8192+0 records out
4194304 bytes (4.0 M) copied, 0.138186 s, 29 M/s

From this dd dump I made steady.bin TAR and flashed with USB cable + Odin...

Code:
<ID:0/004> Added!!
<ID:0/004> Odin engine v(ID:3.1401)..
<ID:0/004> File analysis..
<ID:0/004> Total Binary size: 4 M
<ID:0/004> SetupConnection..
<ID:0/004> Initialzation..
<ID:0/004> Get PIT for mapping..
<ID:0/004> Firmware update start..
<ID:0/004> NAND Write Start!!
<ID:0/004> SingleDownload.
<ID:0/004> steady.bin
<ID:0/004> RQT_CLOSE !!
<ID:0/004>
<ID:0/004> Complete(Write) operation failed.
<OSM> All threads completed. (succeed 0 / failed 1)

On the SM-R875F I see this:

Code:
TOKEN size is too big    4194304

4194304 seems exact filesize...


If we search in So.rce... for steady.bin... I can only find 1 file...

Code:
#endif
        }
    }

    if (!strcmp(ppi->filename, "steady.bin")) {
        if (filesize > EM_LEN_TOKEN) {
            lpr_err_dual("TOKEN size is too big %ld\n", filesize);
            decon_string_update();
            mdelay(1000);
            return DN_FAIL_TOKEN_SIZE_BIG;
        }
    }
#endif

Text String I can find in sboot.bin from SM-R875F...


So 4 MB is too big for steady...

Steady examples from here are much smaller...

Will Check if Steady is 1 MB or less...


Only for my tiny brain...

Best Regards

Edit 1.

Few stupid Flash attempts later... reserved space for steady seems between 64 KB and 100 KB...

My last attempt with 65536 Byte... maybe this is already maximum...
Too lazy to check again with + 1

Edit 2.

Max. steady size is between 69 KB and 70 KB...

Edit 3.

69999 Byte is still too big...
 

adfree

Senior Member
Jun 14, 2008
10,228
5,974
Samsung Galaxy Watch 4
Samsung Galaxy S22
Now trying to understand the Cert/RSA part...

Strange A

2 Certs found... but they are the same...

So only 1 Cert...

Strange B

It seems this RSA 2048 is used for few different Models...

So human readable text string SM-G960F inside steady.bin NOT tell us from which device taken...


I have now the 256 Byte Signature... IMHO

And from Cert I can take Public Key...
For now I have 270 Byte... I have to cut the ASN part and Modulus blabla...

For me it is few years ago... to play with RSA 2048...

More than 10 years since EF81, SXG75... BREW...

Best Regards

Edit 1.

270 Byte Copy and Paste from Cert - 9 Byte ASN Header...
Code:
3082010A0282010100

= 261 Byte...

- last 5 Byte
Code:
0203010001

Here IMHO Modulus inside... Little Endian...

So I have the 256 Byte public key... to decrypt 256 Sig... IMHO

Edit 2.

Looks like no additional data info inside Signature... only the 32 Byte SHA256...

Sorry for mixed Modulus Exponent blabla... it is really long time ago...
 
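The DER layout described in the post above, as an added example that is not from the thread or from Samsung's code: it parses the 270-byte RSAPublicKey into modulus and exponent (DER INTEGERs are big-endian) and applies the public key to a 256-byte signature to see what was signed. The key and signature are constructed at run time, and PKCS#1 v1.5 padding is an assumption, since the page does not state the token's signature scheme.

```python
import hashlib
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2); the 32-byte hash follows it.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def read_tlv(buf, pos, tag):
    """Read one DER element with the expected tag at pos; return (value, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } -> (n, e)."""
    body, end = read_tlv(der, 0, 0x30)
    n_bytes, pos = read_tlv(body, 0, 0x02)
    e_bytes, pos = read_tlv(body, pos, 0x02)
    if end != len(der) or pos != len(body):
        raise ValueError("trailing bytes after RSAPublicKey")
    # DER INTEGERs are big-endian; the leading 00 only keeps the value positive.
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def recover_signed_payload(sig, n, e):
    """Apply the public key to a signature and strip PKCS#1 v1.5 type-1 padding."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        raise ValueError("signature does not match the modulus size")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)              # 00 01 FF..FF 00 || payload
    if em[:2] != b"\x00\x01" or sep < 10 or set(em[2:sep]) != {0xFF}:
        raise ValueError("not a PKCS#1 v1.5 signature block")
    payload = em[sep + 1:]
    if len(payload) == 51 and payload.startswith(SHA256_DIGESTINFO):
        return "sha256-digestinfo", payload[19:]
    return "raw", payload                  # e.g. a bare 32-byte hash with no DigestInfo

def _probable_prime(c, rng, rounds=24):
    """Miller-Rabin for c % 4 == 3, where c - 1 = 2 * d with d odd."""
    return all(pow(rng.randrange(2, c - 1), c >> 1, c) in (1, c - 1) for _ in range(rounds))

def make_demo_key(seed=2048):
    """Constructed throwaway 2048-bit key (n, e, d) so the example has something to check."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        c = rng.getrandbits(1024) | (3 << 1022) | 3       # top two bits set, c % 4 == 3
        if (c % 65537 != 1 and c not in primes and all(c % s for s in SMALL_PRIMES)
                and _probable_prime(c, rng)):
            primes.append(c)
    p, q = primes
    return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))

def build_sample(message=b"constructed token body"):
    """Return (RSAPublicKey DER, signature, message) built from the throwaway key."""
    n, _, d = make_demo_key()
    # Same 9-byte header and 5-byte trailer as quoted in the post: 270 bytes in total.
    der = bytes.fromhex("3082010A0282010100") + n.to_bytes(256, "big") + bytes.fromhex("0203010001")
    em = b"\x00\x01" + b"\xff" * 202 + b"\x00" + SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return der, pow(int.from_bytes(em, "big"), d, n).to_bytes(256, "big"), message

if __name__ == "__main__":
    der, sig, message = build_sample()
    kind, digest = recover_signed_payload(sig, *parse_rsa_public_key(der))
    print(len(der), kind, digest == hashlib.sha256(message).digest())
```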
