General MSM TOOLS

Search This thread
By:
Advanced…
Renate

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
4,444
2,041
Boston
www.temblast.com
Nexus 7 (2013)
Moto G Power (2021)
Well, yeah, of course.
Any system that you can get a toehold in can progress from there.

I've seen the endpoints, from DeepTesting to PersistDataBlockService, but I haven't dived into the middle part where it checks the byte array.
The thing is, there are checks for UID too, so even if we knew what SHA-256 or whatever would enable fastboot unlocking, without being (somewhat) privileged it won't happen.

I jumped on this bandwagon because I was interested in the EDL aspects of it. I don't even own one of these!
I just wanted resolution on the "Oh, you can only program these with this sacred software."
Ok, that may be, but I'd sure like to know what are the road blocks are to using generic software (EDL clients)?

Now, the killer exploit would be to find an exploit on the PBL burned into the chips.
There would be no remediation.
 
  • Like
  • Love
Reactions: Prant and Drethis
beatbreakee

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
one more thing... as to what you had just previously stated Renate.... i dont believe that one flag will have any beneficial gain by triggering. according to this:
Screenshot 2023-01-26 123324.png


editing that will just disable the flag "get_unlock_ability" ... and if thats disabled, then the ability to correctly lock or unlock the bootloader will be broken! By what im reading im assuming that this actually is a bad flag to mess with... I may be completely mistaken... so please forgive me if i just dont understand what that one flag alters in the phones functionality.

i believe that once you have properly taken the steps to unlock via fastboot commands, then this will change to a zero on its own, by way of other validations . But inherently the general thought being conveyed in the above reference is that they DO have access to the Fastboot protocol. As right now i do not.

My phone is completely capable of reaching fastboot.... first because it has the coloros version of FASTBOOTD ..... which let me state, is not the actual FASTBOOTD built by google. It is a stripped down and altered hybrid of fastboot and recovery. FastbootD still had a menu, and this does not... it has the exact same options as ColorOS recovery... Format, and Reboot.... and thats it. But i can lock my phone up on the FASTBOOT MODE screen, thus proving that it is there... just it has an additional instruction added to the actual operand "bootloader" telling it to immediately rebooot.

which would look something along the lines of:

fastboot reboot bootloaderr reboot continue

all being sent by me only typing "fastboot reboot bootloader"

gimme a minute and i will upload a video from my other phone of exactly what my 10T does... we cant post videos here, so i gotta record it and host it on my G-drive then upload the link... check back in about 15 min ...
 
  • Like
Reactions: lucy1983 and Drethis
beatbreakee

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
Renate said:
Well, yeah, of course.
Any system that you can get a toehold in can progress from there.

I've seen the endpoints, from DeepTesting to PersistDataBlockService, but I haven't dived into the middle part where it checks the byte array.
The thing is, there are checks for UID too, so even if we knew what SHA-256 or whatever would enable fastboot unlocking, without being (somewhat) privileged it won't happen.

I jumped on this bandwagon because I was interested in the EDL aspects of it. I don't even own one of these!
I just wanted resolution on the "Oh, you can only program these with this sacred software."
Ok, that may be, but I'd sure like to know what are the road blocks are to using generic software (EDL clients)?

Now, the killer exploit would be to find an exploit on the PBL burned into the chips.
There would be no remediation.
Click to expand...
Click to collapse
i totally get where youre coming from, and please believe i am grateful for your joining this ongoing battle....

the reason this has kinda ventured off topic, is because I have accidentally opened the doorway which put me on the radar at Qualcomm, and thus the "responsible disclosure" aspect of the whole EDL operation. So i am limited in what i can share with everyone regarding security holes that will bypass the EDL, VIP auth signature check mitigated through the Firehose required by QFIL .... MSM DOWNLOAD is a program written by Qualcomm to communicate with the phones at the mfg level, for repairing broken file structs resulting in a brick. MSM Download leverages many of the same processes that QFIL does, but in a user friendly method, im sure to protect Qualcomms security interests.
So in order to break into the newly super password/login protected MSM flashing function, i am having to exploit security functions built by qualcomm.... which the loop begins and i cant ask, share, or disclose to anyone else, unless im willing to violate the disclosure rules. I have an actual letterhead with written permission granted by qualcomm to use whatever means necessary to circumvent these security holes, and gain access AS LONG AS i follow the responsible disclosure guidelines. This letter was issued as a direct response to some A-hole, or holes who have infiltrated XDA's membership, and filed false reports to both OPPO and QUALCOMM that i was specifically reverse engineering, illegally downloaded programs that interfere with the phones security.... These fake reports acually got me 2 separate "Cease and Desist" letters sent to UNPUBLISHED email addresses, owned by me.... meaning someone with good reach, actually investigated me! No one and i mean NO ONE knows these email addresses, and they have absolutely ZERO ties to any forum or account i access online for chats, discussions, or membership. They are my Banking, IRS, and Medical records ONLY email addresses. I dont even get light spam in them... i have on average 5-10 junk mail per week sent to them, and all of those are things that i know the origin of....

So , in trying to follow the rules of RD, i need more than 1 specific device to actually test the findings that i am getting, to make sure that i didnt find a "my phone only" MSM bypass flash method.... or a "this device model only" method which also sucks because we have a region restriction hidden in all our 10 Pro models which will render the phone unresponsive if the wrong set of files accidently gets flashed via fastboot or local update. So having 4 different model numbers and manifest configs guided by region, this too would be not exactly the best outcome... but if i have discovered a method that is interchangeable within an entire series of phones,... ie Oneplus 10Pro - 10T - 10R which all have the TARO config board... then BINGO ... we will have a working tool, which i can do the proper reveal to qualcomm, and 30 days later release to everyone here, kneecapping the MSM MAFIA!

But i dont have a couple Thousand... let alone HUNDRED dollars to go out and buy an UNLOCKED 10T for testing... what i DO have is my T-Mobile... Unlocked by network .... 10T , which has an all new (as of 8-8-22) bootloader locking scheme which is preventing me from being able to test anything. because all the oppo flash tools require OFP firmware files, and the 10T does not have ANY of those.... the only way i can safely brick and recover my phone is if i can get the bootloader unlocked which is how we got to herer
 
  • Like
Reactions: Dafelleant and _DarkKnight_
lucy1983

lucy1983

Senior Member
Mar 24, 2022
103
48
39
OnePlus 8 Pro
Realme GT
beatbreakee said:
Link to video on my G-Drive... 👉Bootloader by Adb Command 👈Dont worry... I didnt come this far just to ruin my rep.... The video does not require downloading anything! You can view it directly from the shared folder! Ill upload another one here shortly of me locking my phone up, on the FASTBOOT MODE screen...
Click to expand...
Click to collapse
Exactly the same thing happens with my Realme GT2. Question: in fastbootD mode we cannot do anything related to unlocking the bootloader? Because it enters fastbootD mode by typing the "adb reboot FASTBOOT" command.
Question 2: how did you unbrick your device (you said so) considering that your bootloader is locked and we don't have a functional edl tool?
 
  • Like
Reactions: Drethis
Canuck Knarf

Canuck Knarf

Senior Member
Dec 19, 2015
563
159
Google Pixel 6 Pro
OnePlus 10 Pro
beatbreakee said:
Link to video on my G-Drive... 👉Bootloader by Adb Command 👈Dont worry... I didnt come this far just to ruin my rep.... The video does not require downloading anything! You can view it directly from the shared folder! Ill upload another one here shortly of me locking my phone up, on the FASTBOOT MODE screen...
Click to expand...
Click to collapse
Thats the same as my oppo find x5 pro...if i use " adb reboot bootloader " it just quickly go to bootloader and just reboots...buds try this and see if it goes to fastbootd ... ' adb reboot fastboot '
 

Attachments

  • IMG20230126223243.jpg
    IMG20230126223243.jpg
    2 MB · Views: 25
  • IMG20230126223249.jpg
    IMG20230126223249.jpg
    2 MB · Views: 26
  • Like
Reactions: Drethis and lucy1983
lucy1983

lucy1983

Senior Member
Mar 24, 2022
103
48
39
OnePlus 8 Pro
Realme GT
Canuck Knarf said:
Thats the same as my oppo find x5 pro...if i use " adb reboot bootloader " it just quickly go to bootloader and just reboots...buds try this and see if it goes to fastbootd ... ' adb reboot fastboot '
Click to expand...
Click to collapse
It goes to fastbootD mode by typing that command, but it is not the original Google fastbootD mode for me. It has the same interface as the stock recovery but it labels fastbootD mode and the phone is recognized by the PC being in fastboot when I type "fastboot devices".
 
  • Like
Reactions: Drethis and Canuck Knarf
Canuck Knarf

Canuck Knarf

Senior Member
Dec 19, 2015
563
159
Google Pixel 6 Pro
OnePlus 10 Pro
  • Like
Reactions: lestatab and Drethis
Canuck Knarf

Canuck Knarf

Senior Member
Dec 19, 2015
563
159
Google Pixel 6 Pro
OnePlus 10 Pro
lucy1983 said:
It goes to fastbootD mode by typing that command, but it is not the original Google fastbootD mode for me. It has the same interface as the stock recovery but it labels fastbootD mode and the phone is recognized by the PC being in fastboot when I type "fastboot devices".
Click to expand...
Click to collapse
When its in that fastbootd...mode...open up fastbootd program and it see it in fastbootd already as well (no need to reboot phone to fastbootd )
 
  • Like
Reactions: Drethis
beatbreakee

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
Negative ghost rider.... i am in the same shoes as lucy1983 .... this aint FastbootD...

its a bastardized hybrid of recovery and fastboot.... it accepts SOME fastboot commands, but none that can flash or oem anything... most commands just say unable to be performed in default mode. That fastboot rom wont even budge... cuz it uses the FLASH ALL command, which as i stated, does not work. This fastboot aint nothing more than coloros Recovery with a different title, and instead of adb, it takes SOME FBoot commands. Other than that its pretty worthless. And besides.... I need EDL mode flashing, because to get rid of the Tmobile provisioning and carrier policy i need to be able to wipe the EFS, and when i do that the partition sizes will be lost so an EDL package is the only thing that will have the map and manifest to rebuild. This is why the new bricks happen with region swapping. When i first performed it, and i tried to get everyone to download all those Rollback packages, I KNEW Oppo was gonna pull something.. and they did.... they pulled all those rollback packages and replaced them with ones that dont have the manifest and partition maps signed with the developer keys.... the old ones did, which is why i can still use them to hop regions..... cuz i downloaded them prior to announcing how to do it.


PRE THINKING!

heres the Fastbood video..... :
👉FastbootD Coloros style 👈
 
  • Like
Reactions: enjoy_life, Drethis, _DarkKnight_ and 1 other person
Canuck Knarf

Canuck Knarf

Senior Member
Dec 19, 2015
563
159
Google Pixel 6 Pro
OnePlus 10 Pro
beatbreakee said:
Negative ghost rider.... i am in the same shoes as lucy1983 .... this aint FastbootD...

its a bastardized hybrid of recovery and fastboot.... it accepts SOME fastboot commands, but none that can flash or oem anything... most commands just say unable to be performed in default mode. That fastboot rom wont even budge... cuz it uses the FLASH ALL command, which as i stated, does not work. This fastboot aint nothing more than coloros Recovery with a different title, and instead of adb, it takes SOME FBoot commands. Other than that its pretty worthless. And besides.... I need EDL mode flashing, because to get rid of the Tmobile provisioning and carrier policy i need to be able to wipe the EFS, and when i do that the partition sizes will be lost so an EDL package is the only thing that will have the map and manifest to rebuild. This is why the new bricks happen with region swapping. When i first performed it, and i tried to get everyone to download all those Rollback packages, I KNEW Oppo was gonna pull something.. and they did.... they pulled all those rollback packages and replaced them with ones that dont have the manifest and partition maps signed with the developer keys.... the old ones did, which is why i can still use them to hop regions..... cuz i downloaded them prior to announcing how to do it.


PRE THINKING!

heres the Fastbood video..... :
👉FastbootD Coloros style 👈
Click to expand...
Click to collapse
Fxckes...lol
 
  • Like
Reactions: Drethis and lucy1983
beatbreakee

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
Oh yeah but, that is also why fastboot roms will fail for me... Since the flashing command doesnt work, the deletion of the COW files under Fastboot Enhance also doesnt work. I tried... i click delete... the file stays right there on the screen.... but it says completed on it;.. yet i unplug and plug back in, and the files are still right there.

If you flash ANY payload file with FB Enhance, and you dont delete the COW files.... you will brick due to running out of space in the partitions.... Ive done that too... EVERYTHING points back to the same problem/solution..... I need to unlock my bootloader.

Speaking of which... is there nobody SERIOUSLY who is going to even attempt to build me a working version of the DirtyCred exploit? One of the videos posted a few pages back, i showed you it was a google pixel 6 that he popped open a root shell on..... and his kernel was the EXACT same as mine..... I NEEEEEEEEED THAT POC!... and i might be willing to pay for it... surely you people are motivated by money, if not the sheer idea of helping someone out whos actively bricking their own phone on purpose in order to keep trying to crack the msm tool so you can all use it free....

hmm... wheres the camaraderie that used to be so strong on XDA?? oh well
 
  • Like
Reactions: Drethis and lucy1983
lucy1983

lucy1983

Senior Member
Mar 24, 2022
103
48
39
OnePlus 8 Pro
Realme GT
beatbreakee said:
Oh yeah but, that is also why fastboot roms will fail for me... Since the flashing command doesnt work, the deletion of the COW files under Fastboot Enhance also doesnt work. I tried... i click delete... the file stays right there on the screen.... but it says completed on it;.. yet i unplug and plug back in, and the files are still right there.

If you flash ANY payload file with FB Enhance, and you dont delete the COW files.... you will brick due to running out of space in the partitions.... Ive done that too... EVERYTHING points back to the same problem/solution..... I need to unlock my bootloader.

Speaking of which... is there nobody SERIOUSLY who is going to even attempt to build me a working version of the DirtyCred exploit? One of the videos posted a few pages back, i showed you it was a google pixel 6 that he popped open a root shell on..... and his kernel was the EXACT same as mine..... I NEEEEEEEEED THAT POC!... and i might be willing to pay for it... surely you people are motivated by money, if not the sheer idea of helping someone out whos actively bricking their own phone on purpose in order to keep trying to crack the msm tool so you can all use it free....

hmm... wheres the camaraderie that used to be so strong on XDA?? oh well
Click to expand...
Click to collapse
The thing I don't understand is HOW you recover the phone after bricking it? :)))
Isn't this the point of all this efforts? To find a FREE way to flash the bricks?
 
  • Like
Reactions: Drethis and Canuck Knarf
beatbreakee

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
lucy1983 said:
The thing I don't understand is HOW you recover the phone after bricking it? :)))
Isn't this the point of all this efforts? To find a FREE way to flash the bricks?
Click to expand...
Click to collapse
i dont recover THAT phone.... i have 2... a 10 Pro, and a 10T.... building the FREE version of the msmtool requires a TON of full captures of all the usb data being passed from device to software, to weed out the BS, and isolate the signature itself, then decrypt or find a way to spoof it.... But testing the method over and over on the exact same device does not produce me enough variables to know if my findings are valid FOR ME... which will help no one... or if they are valid for ALL ... and for that I need the data which my 10T will provide.

the 10Pro uses the Snapdragon 8450... the 10T uses the Snapdragon 8475 ....

BOTH models use the same board config, TARO..... the only big difference is the cameras....

ive completely eliminated the sign on necessity for the tool... so far my mods have successfully patched out the entire login script. So on the newest MSMTool... mine opens right up to the choose your device screen, ... but there are 3 major verification checks that happen during the flag.... 3% a VIP or AUTH token is requested by the app... I think i have isolated the process on the phone that generates the validated response..... (1st good find... because that means if the next 2 are also generated BY the phone.... I can trash the hell out of the programming inside the MSM tool, that sends ANY KIND of network request!.... If all the tool needs the net for is the LOGIN, and everything else is validated by the phone, it proves the EDL flash can be completed offline! Tag in the LOOPBACK adapter again to fool MSM into thinking it is still online.... remove the login segment of the tool.... drop in a few shell commands to trigger the intents that i believe the AUTH signature are coming from.... and if that all goes well on 2 DIFFERENT devices, then i know it will work on ALL in the 10 series..... capice?

oh, and HOW i keep recovering my 10 Pro is thanks to a buddy who you have spoken with in the past few replies.... Canuck ... he is supplying me with OTP credits he purchased to help me do this research... each token lasts 24 hrs... which gives me around 2 - 300 flashes... IF i needed that many... but i usually pull about 10-12 ... i have captures of over 500 successful flashes and now have started finding REPEATED DATA overlapping thru several captures.... meaning none of that data is part of the encrypted AUTH signature... In my 27 years of programming... and 14 specifically with android... I have NEVER seen a truly encrypted Hash value EVER repeat the same sequence of an entire row of encrypted code... let alone even 64 characters..... well i have about 90 pages that have this in common! so that makes the amount of data i have to isolate even smaller..... more flashes.... more eliminations..... more repeating crypto segments overlapping on other flash captures, more characters i get to delete from my control group....

you see... THIS is old school hash calculating by reversing the code.... eventually you will have several lines of code which are 100% different on every full capture.... THAT CODE, is then used as a kind of reverse captain crrunch decoder ring..... you plug in some common fixed variables.... until you locate a set or maybe 10 sets that all produce the same exact "value tables" as i call them.... but more formally, the ALGORITHM that when applied , generates the exact number of characters required in a valid AUTH token, and then you plug that result into a blanked pre-formed response packet then replay or inject it via a script with the timing set for the correct intervals... and PRAY that you didnt miss some little variable way earlier which breaks your entire data set!.... (normally this doesnt happen.... but 9 out of 10 times i also dont have to work this hard to strip the tables from the encrypted packet. I usually have SEVERAL different attack platforms... or devices... game consoles.... files.... whatever it is that all are locked by the same apparatus, so i can generate much less collections of the info being sent between the Challenge and the Response packets.

think of it like this.... if you have to pick a barrel lock, but rather than force it open and damaging it, you instead opt to forge a master key...

to do this you would either need a model of the working key.... (like having the signature given to you... which isnt gonna happen...) OR you would need to get as many different keys that FIT the lock, as you can find...

Once you have a solid control set, ( copies of all of the keys that engaged at least 1 pin inside the tumbler without twisting or manipulation.... all of the tumblers pins MUST be engaged for the key to spin the lock to OPEN)

If you have 20 keys that all engage at least 1 pin... then you group them off by which pin they set... and now you have the ability to compare those in each group and find the matching cuts in the key. The more you have , the more you have to examine! The more you examine, the more you will find keys that overlap into other groups because some keys will engage more than 1 pin ..... now you get to eliminate ENTIRE GROUPS cuz u only need the one that matches 1 pin in multiple sets....

the goal is to get at least 10 grooves / cuts identified, so you can record the location and measurement of each working pin setting... depth... size and width of the groove... ( on lets say a Coke machine, it has a barrel (tumbler) lock that protects the money collector. Those usually have 10-set cuts in the barrel key ... you need all 10 cuts to be precise or the lock wont budge. BUT if you have 10 keys that each engage 1 different pin in the lock, you can map out the position, depth, and cut needed for each pin, and forge them onto a blank uncut barrel key using nothing more than a rotary tool and a diamond tip engraving bit.

once all your results are transferred onto the blank then you should be able to push it in the lock and turn the key with ease!

well the EXACT same idea structure works when cracking mathematical algorithms ...

in this case, having NOTHING but hundreds of copies of the same key will not help, as you need MORE different keys to isolate perfect segments, and eliminate garbage. well i actually have 2 keys... but 1 of them is being blocked from testing, by an immortal bouncer named T-Mobile Bootloader Lock!

( i dont know if humor helps other ppl relate to something, but it works wonderfully for me!)
 
  • Like
Reactions: Drethis, jeffsga88, _DarkKnight_ and 3 others
Renate

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
4,444
2,041
Boston
www.temblast.com
Nexus 7 (2013)
Moto G Power (2021)
This is completely off topic, but do you know how the SHA-256 hash on the public key of the Root CA is calculated?
I've seen other uses (banking) that use SHA-256(text(exponent)+" "+text(modulus))
I've tried hashing the entire ASN1 of the certificate or the ASN1 of just modulus/exponent or just...
I haven't hit it yet.
I'm talking about the "Hash" that Sahara reports and the cert chains in XBL/ABL/Firehose.

Edit: I just checked 466,095 subranges of the whole Root CA (as ASN1). Nope.
 
Last edited:
  • Like
Reactions: Drethis
beatbreakee

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
Canuck Knarf said:
Dose anyone have the MSM Loader v4.1.7.2...?...I think thats the loader needed for op 10t
Click to expand...
Click to collapse
☝️this is correct... in fact its the ONLY msmtool capable of flashing the 10T... because the 10 T does not have the build instructions in the meta folder for 7z to make it into an "ofp" file... and not one other msm download build is capable of flashing ANYTHING other than .ofp files. but 4.1.7.2 will open zip files
 
beatbreakee

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
Renate said:
This is completely off topic, but do you know how the SHA-256 hash on the public key of the Root CA is calculated?
I've seen other uses (banking) that use SHA-256(text(exponent)+" "+text(modulus))
I've tried hashing the entire ASN1 of the certificate or the ASN1 of just modulus/exponent or just...
I haven't hit it yet.
I'm talking about the "Hash" that Sahara reports and the cert chains in XBL/ABL/Firehose.

Edit: I just checked 466,095 subranges of the whole Root CA (as ASN1). Nope.
Click to expand...
Click to collapse
oh and sorry Renate... i wasnt ignoring you... i was actually putting SERIOUS thought to this question. and unfortunately working with the tables involved with breaking that level of cipher, i must always divest that level of process to either one of my EX - cohorts who is a math MAGICIAN , and also one of the 60k (ish) Mensans. And while i tried to reach out to him twice in the last few days, his wife made it very clear that he is quite possibly not going to be available for quite a while! It seems that she was visited by 2 Interpol ... agents i guess thats what they're called?? i have no clue... ive managed to stay off their radar and will continue doing so by keeping my head locked into trivial things like this stupid phone, lol. Ive had my massive legal scare at the hands of "M-soft" in 2003 under threat of a looooong prison sentence, coupled with a fine/restitution that i would be paying well into my 90's. All over an unfounded accusation regarding the original Xbox. BUT enough about that....

Umm... no i am not at all very savvy when it comes to cryptography. As i kinda hinted at earlier, I push most of my hash calcs thru eliminating the padded data around identified values... then from there i employ one of several of the online toolsets made just for that kind of infrastructure... but when you get to sha 256, even they may not be much use.... heres a few of them,,,, I dont wanna make the mods think weve veered off topic, so hopefully they take notice that you are apparently attempting to crack the Sahara/Firehose protocols....

ASN1

ASN1 - 2

i dont know if these might help you, but maybe they offer u some resource. unfortunately with cryptography you are a few leagues ahead of me in that ocean...


oh... and seriously .... NO ONE??? I mean i even offered to possibly offer a monetized incentive for a working POC of one of these root escalation cve that are floating around. sheesh..... well can ANYONE HERE, tell me if the Samsung TTS vulnerability , which was recent;y blasted all over the internet, something that existed in ALL TTS on android?? Cuz samsung makes it seem like it was a Google TTS flaw... which means that some versions of google tts could be retooled and then applied the same way.... because i found it to be 100% as easy as stated, and also part of my galaxy s10's current fw. I was able to extract the TTS app.... resign it to force it onto my OP 10T, and every step of the process works up to the shell spawning. It opens but with standard uid - 2000, vs the uid - 1000 on samsung, and im sure that is mainly because the original TTS app sits in the system / priv apps on a samsung cuz its native.... so if i could force a downgrade of google tts, to a vulnerable version, then i can pull the same trigger, and blast a System shell.... and thats enough to change the flags i need on my props. ***** my second question is: considering how ALL these mfg are identifying the "Google Downgrade" function that is being used by so many exploits because Google left a special app Downgrade function in their system... could anyone clue me in on how/whether i could employ this to downgrade the Oplus Engineering App, to a version thats say.... 5 years old??? if i have it.... which i do.... cuz if thats possible BY ANY MEANS, then i can just load the Engineering Apk with the built in Root Shell ! problem solved....

please commence with the barn-storming cuz someone here knows how this can be performed....
 
  • Like
  • Wow
Reactions: Drethis and Prant
beatbreakee

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
and just an fyi...ii meant for that tid bit of detail to leak out. 1st because i am in ho way ashamed of being on M-soft's hit list 20 yrs ago, for something that they were never able to prove i had any involvement in... ill stop there. But technically that actually was a rather nice ego boost, which i can carry for years.... minus the whole jail/fine threat. But lessons learned!.... Now as far as the mentioning of the other person... Ill just say this...

While its all fun, and challenging doing stuff like this... THIS is what XDA was all about, and still is, albeit a touch more censored, and less def-con than the early days... its still a well respected and diverse environment to share what weve learned or need to learn more! And yes while i take much enjoyment with finding new ways to make various mfg take notice that no matter how hard they push to restrict us... we will push back HARDER because we dont like being told how we CANT use something we paid $1,000 for! Ive dedicated countless Days.. now Weeks on this problem alone, and thats all good, cuz its us vs the establishment! When its all said and done, no one got hurt and some companies end up having to work harder to make their devices better!

But what the person i vaguely mentioned in the prev post is being accused of, is something i despise more than anything... and thats STEALING from the wallets, pockets, and bank accounts of everyday ppl like you & me. Corporations have BIG insurance policies that step in and keep companies afloat... like Binance... Coinbase.... both took massive losses over the years from bad players, but weeks later they were barely limping. But when you're involved in ANY way with a crypto-currency scam...on a personal level, and what you presented ppl, was nothing more than lies, false hope, and inflated numbers.... you are THE WORST kind of person! Thousands of ppl found that out the wrong way & for what it's worth... I hope he is caught soon, and answers for it. Dude was a bonafied Mensa member, and i knew him... Crappy attitude, but still a genius, like a younger Stephen Hawking. I was scammed by a girl like him. No details, but i had my nft wallet stolen and a Mutant Bayc Nft, along with 31 other tokens worth just under $107k taken under a false threat on her life.... which i later found out that SHE was the one who came up with the idea and the planning of it!
I never got justice... but i truly hope those people he victimized all do!

Sorry... off topic mods, so if you delete the post i totally understand, but i wanted to clear that up. I dont go spreading other ppl's dirty laundry carelessly like that.... I did it on purpose so i hope he reads this before they take it down! What a POS...

Sorry yall... didnt mean to drop a life rant, post. My bad!:cautious:
 
  • Like
  • Wow
Reactions: Drethis, Prant and lucy1983
You must log in or register to reply here.

Similar threads

O
General EDL Flash Tool Leak
Replies
674
Views
64K
C
cmccool85
Metromas
Question OnePlus 10 Pro - QDLoader HS-USB - EDL Test Point [9008] MSM
Replies
114
Views
15K
beatbreakee
beatbreakee
Metromas
  • Locked
Question [CLOSED] OnePlus 10 Pro - Unbrick with MSM
Replies
1
Views
3K
K
Kosta26
N
Question Fingerprint not working after using MSM tool NE2215
Replies
29
Views
2K
I
innoxentraheel
U
Question Update OnePlus 10 Pro from HydrogenOS (CN) to OxygenOS (EU/GL/IN) without rooting
Replies
73
Views
20K
VStax
VStax

Top Liked Posts

24 Hours 30 Days All time
  • 1
    AkayamiShurui
    AkayamiShurui
    beatbreakee said:
    so heres what the OTP guys are doing...

    Be prepared... this is a VERY long detailed post...

    so what they are basically doing is....

    they are running their own "last pass" kind of server from AWS... Where they are daily logging in to their amazon web server account, and updating the MSM TOOL login, so that it refreshes every time one of them needs to pull an OTP. But its up to whoever admins the account as to how long tokens last for.

    then they created (or cloned) that GA_Login tool, which is just a general purpose login tool which can be made to work with any app. It comes with modified code so that you can attach it to any program written under a certain language. (different versions of the login tool for different program languages) Then the tool officially has access to manipulate the login values of whatever app.

    I believe the tool has legit licenses with the companies otherwise they would be violating the reverse engineering laws, and everyone who is profiting from it would be subject to an arresting offense! That would depend on the companies to press charges. But its easy to gain permission from a company for this purpose because you arent altering the code, only adding further security to mask passwords!

    So the OTP being generated, are just a valid login that is masked by a secure password masking system. Unfortunately it is unable to be decrypted due to mitigations involved with packet capture and the login relies on an internet connection. Now unfortunately thru further inspection, the OFP flashing app DOES maintain a secure check of the VIP Authentication signature, and that signature is verified on the phone itself through a command called by the Linux Library "Libqmi" ... this can be built and programmed by anyone, but the actual procedure for JUST doing a VIP Auth signature, is not detailed on how to perform this.

    THIS is what the QFIL application is doing when the sahara programmer is called.... the sahara programmer has a heavily encrypted HASHING ALGORITHM which sends one value to your phone, and then your phone verifies and calculates a response to send back to the Sahara.... The sahara already knows the correct answer even though it sits waiting, and if a single character is off, then sahara shuts down the communication portal, and sends us back an error. At that time, the phone is stuck in perpetual FAILED mode, and needs to be reset in order to try again.

    The problem with this is that during a FULL BRICK state, meaning no communication without shorting the Test Points, while the battery is disconnected, then there is no way to get a valid time stamp from your device. The timestamp is part of the sahara's calculation. Thus this is why manually flashing thru QFIL continues to fail. The PATCHED Firehose loaders, simply have the TIMESTAMP requirement removed from the calculation, so that the only thing verified is the devices SOC and board information.

    The MSM ONLINE tool, does its own timestamp calculations and intercepts the communication of the Sahara, then injects the current valid timestamp in real time, which then gives the approved signature to the sahara, and authorizes your flash.

    Conclusion: Someone who has .elf file coding skills needs to completely disassemble the loader, which can be pulled from ANY OP 10series.... or actually ANY Snapdragon 845 r 1, based phone, and compare that to several other loaders of recent related chipsets... ie Snapdragon 845 r 2, or possibly even Snapdragon 865... but if they are fluent enough working with elf files, they should be able to locate the instruction code that requests a timestamp, as part of the signature, and delete/disable that requirement. THEN recompile that loader and we will have the file needed from OFFLINE flashes via the patched MSM Tool, or Qfil.

    The login is the ONLY requirement of the MSMTool!
    It is the sahara firehose itself that is killing our ability to continue flashing once the login is bypassed. Whether the phone is in brickstate or not has no value to the value being submitted to the sahara. OPPO programmed our phones to interrupt communication thru the USB, on a BUTTON, or ADB request to enter EDL mode. This is why when connecting via the command line, or thru the recovery mode shortcut, there is a slight 3-5 second delay until your phone is detected in 9008 mode.

    1. When entering by holding the VOL buttons and plugging the usb in, the phone loses communication to the TIMESTAMP function, which makes the sahara fail offline, due to no MSM Tool server intervention. (remember the MSM server is not maintained by OPPO, but is actually built by Qualcomm... they just provide access to OPPO for repair functions.)

    ^^This will cause QFIL to fail, because a valid VIP cant be generated without the timestamp! ... But the MSM server can interject the correct timestamp being that its online and always in sync^^

    2. When entering EDL via cli, the phone is SUPPOSED to go straight into QCOMM DOWNLOAD MODE... with no interruption, but OPPO amended a "Reboot" command into the opperand forcing the usb to lose connection to the board and breaking the sync, and thus forcing the timestamp to be invalid once the connection is made again with the programmer.

    ^^This is why COLOROS is a game changer... Because they pushed their own, RECOVERY, and FASTBOOT protocols as overlays of the REAL Qcomm Recovery and Fastboot. Recovery and Fastboot are requirements of Qcomm/Android devices. But HOW they are laid out to us are completely up to the manufacturers. The ColorOS Recovery, and Fastboot (D) that is made by OPPO, alters the timestamp being generated, to force a standard 12hr format instead of 24hr ... Sahara doesnt know wtf AM, or PM is... so anything from ColorOS is gibberish in the timestamp.

    THERE IS ONE CAVEAT...

    All androids with altered Fastboot and Recovery protocols, ,MUST include a "Debug Boot Image". These actually communicate to the Qualcomm diagnostic function. Although atm i have no idea how to BOOT into these images, as they are not the same as the normal .img files we use for everything else. Calling on one of these images, is a process completely different than standard android boot.img ... so again i believe this to be one of the functions of LIBQMI .... this library makes a connection to the device over usb but more importantly the SERIAL communicator console on the board. Once this communication is connected, you have full control over all partitions/filesystems inside the entire device, without regulation. You could technically tell your smartphone it is now a smart TOASTER, (but this would certainly crash immediately without the proper functions being built into the chipset.)

    So now i task ANYONE who might have decent Linux knowledge to research QMI and how it communicates, to find the proper commands/access to call upon the Debug.img , which you can pull our of any downloaded fw.

    I will still be working on alternate methods, but as of now QMI seems to be our only answer.

    And final statement. OTP cannot be spoofed in any method to gain authorized MSM access, anymore than you being able to spoof authentication into a "last pass" account to gain control over someones password collection. They both maintain about the same level of encryption.

    I hope thats detailed enough to get to everyones thoughts, as i probably wont be able to answer anything much deeper for the time being. I have personally put myself into a financial situation, by the amount of time i have devoted to this, and now need to create a miracle or 2 in order to recover from the domino effect that i hadnt realized i triggered until today. Sorry i couldnt do a hell of a lot more... if i had the financial resources to not worry about bills for a month or two i could totally crack this thing wide open, and probably put a devastating hurt on OPPO in the process... but Electricity, Rent, Car, Insurance, Food, and general living, all factor in to the amount of time i can spend on this. (which sucks because bounties are upwards of 50K or more for the discovery of holes in the functions i was working on, and according to Qcomm i was very close to a pretty high critical cve being declared!) 😖
    Click to expand...
    Click to collapse
    Made a couple posts on how to communicate with qmi message me in pm I'll share
    View
  • 6
    O
    ogutolopes
    DO NOT BUY ONEPLUS 10 PRO THEY DO NOT PROVIDE ANY TOOLS FROM UNBRICK
    View
    3
    Renate
    Renate
    Canuck Knarf said:
    I hate taking back off ..broke two back cover...LOL
    Click to expand...
    Click to collapse
    I hate it too. Especially since I clean up all the old tape and put down new tape.
    That's why I only open these things once and install a magnetic reed switch.
    See: https://forum.xda-developers.com/t/...c_prog_firehose-request.4261599/post-88301643

    This is the switch that I used: https://www.digikey.com/en/products/detail/standex-meder-electronics/ORD-213-20-30-AT/1949374
    It's currently out of stock there. I picked the least sensitive switch. (Even though it being activated in normal use is not a problem, it's only when resetting that it's checked.) Others of more sensitivity are in stock and they'll probably do fine.
    View
    3
    roirraW "edor" ehT
    roirraW "edor" ehT
    <Moderator Note>: I've removed the links from two posts and one quoted post.

    Although Windows Defender only popped up one file as a PUA (Potentially Unwanted Program) - which isn't necessarily a Trojan but just something that might do something you don't really want, I independently verified in a sandbox that VirusTotal.com reported possible Trojans on three of the four archives I downloaded.

    Some things do produce false positives, but in this case I believe caution is warranted.

    Thank you,

    @roirraW "edor" ehT

    P.S. Any questions, please don't respond in this thread. Instead, send me a PM.
    View
    3
    D
    DiGtal
    As he said the OSS team doesn't handle that. Need to find the department that does.
    View
    2
    Ph0nysk1nk
    Ph0nysk1nk
    Realistically, development is dead. And it sadly looks like hope of MSM tool is gone. Sucks but, oh well
    View
  • 18
    Grovez
    Grovez
    I found out how to bypass the login prompt. Whether or not the tool will actually work is yet to be determined.
    I don't have a oneplus 10 pro, but would be really curious if this works for anyone.
    In order to avoid potential legal issues, and so you don't have to trust any files I upload, here are the instructions to crack the msm login...

    Using a download from the previously-linked rar, you should have a copy of 'MsmDownloadTool.exe'
    Use 7-zip to open the exe as an archive, and extract all the files into a new folder.
    Open 'FTGUIDev.exe' with a hex editor (HxD is good)
    Find the hex value '0f84e7000000b8'
    Replace the 84 with an 85

    Save the modified exe and launch it.
    Choose a server other than 'in company'
    Put whatever for userID/Password/Verify, click login.


    I hope this is useful.

    Screenshot_2022-09-02_23-07-33.png
    View
    9
    O
    OppoTech123
    Hello all, i am here to leak OPPO tech tool that allows one plus 10 pro to be flashed. Sadly i cannot share login but if you are able to bypass login screen the tool does not need to authenticate with server to flash device in EDL mode. Attached is screen shot of login screen and file. The tool picks up device in EDL mode and allows user to select the OPF file associated for device (please note you must have this downloaded externally ideally from msm tool for your device)

    I wish you luck bypassing this login and fixing your phones.

    flash.png
    View
    9
    beatbreakee
    beatbreakee
    BTW... I am STILL in need of someone to share me access to a MSM Tool account that is active... Again... i dont care if its a guest account... or regular. You can change your password 12 hours after you give me the login info.... I am VERY close to being able to spoof an authentication, and signature response back to the phone in order to allow generic flashing of the 2213, 2215, and 2217. I just need to do about 2, maybe 3 more flashes, an hour between each, so i can decipher the algorithm that generates the token for the response. I have 9... i need 12, as they are partially calculated by a timestamp. So ANYONE who can help me with an account that is active, and maybe it is close to expiring anyways, please DM me, with the info to gain access.

    I am working under an authenticated letterhead, permissions document sent to me by Qualcomm, which completely supercedes ANY legal action brought forth by Oneplus/Oppo/BBK. The letter expressly provides me permission to use any of the tools/functions which are originated/derived from a Qualcomm Tool in any fashion. MSM is written and designed by qualcomm. I am permitted to use whatever, in the "Research, and Penetration Testing, of any and all protocols called upon by a function of any process that begins in a device with a qualcomm chipset.!"

    They make the MSM Tool... but access to the servers which are used to flash each qualcomm device is controlled by their respective manufacturers.
    View
    8
    Renate
    Renate
    I looked around for any Firehose loaders that had this getsigndata/verify.
    Only OnePlus and Oppo.
    The solution seems clear: don't buy them.

    OTOH, Lenovo/Motorola has signed loaders with restrictions.
    You can't read most partitions.
    The solution seems clear: don't buy them.
    View
    7
    beatbreakee
    beatbreakee
    GOOD GOOD... Thats what i like to hear from my Android Brethren !! Hack, Crack, Disassemble, and Attack the weaknesses of these infernal devices !!! (I need sleep!) ... Sorry, im stuck in some medieval, warfare mindset .. my bad! lol...

    BUT heres what i came for: Humor me.....

    IN THEORY... considering that EVERY post on the internet regarding DIAG mode on phone, (including IOS!) has started with the same goal.... "Using Root access, to enable Diag for access to the EFS" .... So basically everyone is saying that at the time... ROOT was horse... and Diag was the finish line! ... Right? Cuz thees guys were trying to hack bootloaders that had no accessible interface. And DIAG was their answer every time... and it worked! (Mostly)....

    What i am proposing is NOT trying to hack the bootloader, because i already know how to crack that... But if it used to be a REQUIREMENT that to even discuss DIAG, you must have Root.... Then can ANYONE HERE put together a way, in which I could REVERSE that process.... or at least leverage DIAG MODE, to get myself a Root Shell.... or alter the SUID or even outright set a new user, as "UID 0" ... temporarily even if i can only force 1 app to see my account as SYSTEM, so that i can get RW access to Build.prop, or Local.Prop ?? Then i can make 1 flag change in it that will snowball me right thru the security and into the bootloader!

    I mean as Diag I can literally DELETE the phone's whole identity! No imei.. no baseband... no modem... no mac address.. by the access i have to the EFS... and you cant even directly access that partition with ROOT ... only DIag and EDL have that authority! So imho there HAS TO BE a way to leverage a lower permission level thru some kind of console, where i can indirectly make a change to the build.prop. And i dont care if it Bricks the device 5 minutes later, cuz i am gonna make my change be locked with a persistent property that is already in place! It just needs a 1 in place of a 0, or an alternate access point which is also persistent, and just needs one word added to the line! Either way, if the phone bricks right after for some security violation, i will still have enough access to break the secure chain of trust and make my flags permanent! So if i have to pay for a flash to restore my phone, so be it... i know that the two things i edit survived an edl flash several times already!

    I really need EVERYONE ON DECK for this... cuz getting this done will cut at least 50% of the work i need to build us an MSM - Mafia FREE edition. Im talking to the guys who still think UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT B A Start, is a goof cheat code! As well as the people who can walk past an ATM machine, wave their hand in front of it, and 100's start spitting out like a money shooter... Yall cannot tell me that the Apple guys are better than us r/n ... cuz literally every time a new IOS drops... in less than a few days 3+ randos release videos as POC of them successfully gaining TFP0 , which is the IOS equivalent of ROOT.... I refuse to believe that the 17 y/o kid wearing a fedora, and a neckerchief, as they are walking up to the Starbucks counter to order their Venti Chai Mocha Latte..... NO .... I DO NOT ACCEPT THAT VISUAL! To me that worse than walking in on your parents smashing on top of the dining room table! ... at least then i know that they were making each other happy! ... But "Smuggy McMasterson III" strutting up to buy a lawn garden coctail from a coffee shop, while feeling all "chipper" cuz his team found a Kernel Memory Leak in 'IOS whogivesacrap beta 4' ... yet we cant find one privilege escalation, is the stuff of my nightmares!

    YALL DONT WANNA GIVE ME NIGHTMARES DO YOU!!! I THOUGHT WE WERE FRIENDS!!!

    FRIENDS DONT LET FRIENDS GET HANDLED BY A CRAPTASTIC BOOTLOADER, ,GUARDED BY 1 FLAG! COME ON!
    View

New posts