The thing I don't understand is HOW you recover the phone after bricking it?
))
Isn't this the point of all this efforts? To find a FREE way to flash the bricks?
i dont recover THAT phone.... i have 2... a 10 Pro, and a 10T.... building the FREE version of the msmtool requires a TON of full captures of all the usb data being passed from device to software, to weed out the BS, and isolate the signature itself, then decrypt or find a way to spoof it.... But testing the method over and over on the exact same device does not produce me enough variables to know if my findings are valid FOR ME... which will help no one... or if they are valid for ALL ... and for that I need the data which my 10T will provide.
the 10Pro uses the Snapdragon 8450... the 10T uses the Snapdragon 8475 ....
BOTH models use the same board config, TARO..... the only big difference is the cameras....
ive completely eliminated the sign on necessity for the tool... so far my mods have successfully patched out the entire login script. So on the newest MSMTool... mine opens right up to the choose your device screen, ... but there are 3 major verification checks that happen during the flag.... 3% a VIP or AUTH token is requested by the app... I think i have isolated the process on the phone that generates the validated response..... (1st good find... because that means if the next 2 are also generated BY the phone.... I can trash the hell out of the programming inside the MSM tool, that sends ANY KIND of network request!.... If all the tool needs the net for is the LOGIN, and everything else is validated by the phone, it proves the EDL flash can be completed offline! Tag in the LOOPBACK adapter again to fool MSM into thinking it is still online.... remove the login segment of the tool.... drop in a few shell commands to trigger the intents that i believe the AUTH signature are coming from.... and if that all goes well on 2 DIFFERENT devices, then i know it will work on ALL in the 10 series..... capice?
oh, and HOW i keep recovering my 10 Pro is thanks to a buddy who you have spoken with in the past few replies.... Canuck ... he is supplying me with OTP credits he purchased to help me do this research... each token lasts 24 hrs... which gives me around 2 - 300 flashes... IF i needed that many... but i usually pull about 10-12 ... i have captures of over 500 successful flashes and now have started finding REPEATED DATA overlapping thru several captures.... meaning none of that data is part of the encrypted AUTH signature... In my 27 years of programming... and 14 specifically with android... I have NEVER seen a truly encrypted Hash value EVER repeat the same sequence of an entire row of encrypted code... let alone even 64 characters..... well i have about 90 pages that have this in common! so that makes the amount of data i have to isolate even smaller..... more flashes.... more eliminations..... more repeating crypto segments overlapping on other flash captures, more characters i get to delete from my control group....
you see... THIS is old school hash calculating by reversing the code.... eventually you will have several lines of code which are 100% different on every full capture.... THAT CODE, is then used as a kind of reverse captain crrunch decoder ring..... you plug in some common fixed variables.... until you locate a set or maybe 10 sets that all produce the same exact "value tables" as i call them.... but more formally, the ALGORITHM that when applied , generates the exact number of characters required in a valid AUTH token, and then you plug that result into a blanked pre-formed response packet then replay or inject it via a script with the timing set for the correct intervals... and PRAY that you didnt miss some little variable way earlier which breaks your entire data set!.... (normally this doesnt happen.... but 9 out of 10 times i also dont have to work this hard to strip the tables from the encrypted packet. I usually have SEVERAL different attack platforms... or devices... game consoles.... files.... whatever it is that all are locked by the same apparatus, so i can generate much less collections of the info being sent between the Challenge and the Response packets.
think of it like this.... if you have to pick a barrel lock, but rather than force it open and damaging it, you instead opt to forge a master key...
to do this you would either need a model of the working key.... (like having the signature given to you... which isnt gonna happen...) OR you would need to get as many different keys that FIT the lock, as you can find...
Once you have a solid control set, ( copies of all of the keys that engaged at least 1 pin inside the tumbler without twisting or manipulation.... all of the tumblers pins MUST be engaged for the key to spin the lock to OPEN)
If you have 20 keys that all engage at least 1 pin... then you group them off by which pin they set... and now you have the ability to compare those in each group and find the matching cuts in the key. The more you have , the more you have to examine! The more you examine, the more you will find keys that overlap into other groups because some keys will engage more than 1 pin ..... now you get to eliminate ENTIRE GROUPS cuz u only need the one that matches 1 pin in multiple sets....
the goal is to get at least 10 grooves / cuts identified, so you can record the location and measurement of each working pin setting... depth... size and width of the groove... ( on lets say a Coke machine, it has a barrel (tumbler) lock that protects the money collector. Those usually have 10-set cuts in the barrel key ... you need all 10 cuts to be precise or the lock wont budge. BUT if you have 10 keys that each engage 1 different pin in the lock, you can map out the position, depth, and cut needed for each pin, and forge them onto a blank uncut barrel key using nothing more than a rotary tool and a diamond tip engraving bit.
once all your results are transferred onto the blank then you should be able to push it in the lock and turn the key with ease!
well the EXACT same idea structure works when cracking mathematical algorithms ...
in this case, having NOTHING but hundreds of copies of the same key will not help, as you need MORE different keys to isolate perfect segments, and eliminate garbage. well i actually have 2 keys... but 1 of them is being blocked from testing, by an immortal bouncer named T-Mobile Bootloader Lock!
( i dont know if humor helps other ppl relate to something, but it works wonderfully for me!)
Dont worry... I didnt come this far just to ruin my rep.... The video does not require downloading anything! You can view it directly from the shared folder! Ill upload another one here shortly of me locking my phone up, on the FASTBOOT MODE screen...
this is correct... in fact its the ONLY msmtool capable of flashing the 10T... because the 10 T does not have the build instructions in the meta folder for 7z to make it into an "ofp" file... and not one other msm download build is capable of flashing ANYTHING other than .ofp files. but 4.1.7.2 will open zip files
