General MSM TOOLS

Search This thread
By:
Advanced…
Renate

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
4,449
2,048
Boston
www.temblast.com
Nexus 7 (2013)
Moto G Power (2021)
beatbreakee said:
I dont wanna make the mods think weve veered off topic, so hopefully they take notice that you are apparently attempting to crack the Sahara/Firehose protocols....
Click to expand...
Click to collapse
Well, right now I'm trying to bring some clarity to Firehose loaders.
The identification and organization of them is a bit of a mess.

Edit: Ok, resolved.
Fireshose loaders are often named after 64 bit HWID and 64 bit "Hash" (as reported by your EDL client).
For instance: xiaomi\0008c0e100010000_a7b8b82545a98eca_fhprg_peek.bin
Most (but not all) of the time the hash part of the naming agrees with SHA256 hash of the complete root CA.
That is the last cert (probably the third) of the cert chain in the file.
There appears to be two cases where this is not so.
When SecureBoot is not enabled the "Hash" will be zero and any HWID compatible loader will work.
It's possible that newer loaders encrypt the hash.

FWIW, I just put up a new qcomview.exe (in the sig).
You can now check fingerprints: qcomview /f loader.bin
 
Last edited:
  • Like
Reactions: Prant and Drethis
beatbreakee

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
oh and hey.. for clarity guys.... OTP if you get them from the right ppl... last 24 hrs, and can be used many times as you want, and also afaik can be used on several machines at the same time.... (this again is part of the scam that the MSM MAFIA are running,.... One person is paying for monthly access to an account.. then that account is hooked into their OTP generator and those guys are just re-selling access to a token someone else paid for.... the amount of time you have left depends on whether u got it from a scammer, or just a Mafioso...) <the otp thing is so no one can change the password... smart i guess>
 
  • Like
Reactions: Drethis
Canuck Knarf

Canuck Knarf

Senior Member
Dec 19, 2015
563
159
Google Pixel 6 Pro
OnePlus 10 Pro
beatbreakee said:
oh and hey.. for clarity guys.... OTP if you get them from the right ppl... last 24 hrs, and can be used many times as you want, and also afaik can be used on several machines at the same time.... (this again is part of the scam that the MSM MAFIA are running,.... One person is paying for monthly access to an account.. then that account is hooked into their OTP generator and those guys are just re-selling access to a token someone else paid for.... the amount of time you have left depends on whether u got it from a scammer, or just a Mafioso...)
Click to expand...
Click to collapse
Dose these last 24 hrs and can be used on other MSM ...? or several Machines at same time..??
 
  • Like
Reactions: Drethis and beatbreakee
beatbreakee

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
Renate said:
Well, right now I'm trying to bring some clarity to Firehose loaders.
The identification and organization of them is a bit of a mess.

Edit: Ok, resolved.
Fireshose loaders are often named after 64 bit HWID and 64 bit "Hash" (as reported by your EDL client).
For instance: xiaomi\0008c0e100010000_a7b8b82545a98eca_fhprg_peek.bin
Most (but not all) of the time the hash part of the naming agrees with SHA256 hash of the complete root CA.
That is the last cert (probably the third) of the cert chain in the file.
There appears to be two cases where this is not so.
When SecureBoot is not enabled the "Hash" will be zero and any HWID compatible loader will work.
It's possible that newer loaders encrypt the hash.
Click to expand...
Click to collapse
WOW .... really.... so then BASICALLY all you have to do is unlock your BL as early as possible, (so you dont brick and get stuck) ... then flash vbmeta, and disable DM-verity so your secure boot will turn off... then you can grab one of those loaders from github, or if you're feelin frisky, disassemble a firehose , then go and strip out all the bloat crap from the rawdata, and patch xml files... and maybe build a custom ROOT map with all new partition sizes, but this time with a nice tech build, or tweak all the right kernel settings and make a Pure Gaming build...

like it honestly sux how they were able to TRASH such a high performance snapdragon processor. I was looking at the actual specs on qualcomm developer network, and technically this phone should be SMOKING the galaxy s22 and damn near rivaling the s23... and the 10T should be barely above the 10 Pro... but with ALL the funky combination of garbage apps they have forced on AUTO LOAD, and AUTO RELOAD... and even "UNLOAD ME AGAIN, AND I WILL WAKE UP 3 OTHER RANDOM APPS, HUMAN!!!" mode! Like whats the deal with that for real... i have apps to force close and hibernate apps i choose in a set of like 10 or so, and in no less than 1 min later, all the apps i closed are BACK... and somehow they started apps I havent loaded in MONTHS.... AND turned their notifications on for ALL OF THEM!

im tempted to just leave them alone sometimes and let em run... cuz they somehow always rally up some local friends and forge a hostile takeover of my phone processes... Im seriously waiting for the day my TTS just activates itself and says,

"It is futile, Human! Just concede the victory to us and embrace us as your new Overlords. You cannot escape our reach for we are Legion! You kill one of our processes, and 5 will awake from hibernation..... You attempt to run an Auto Task Disabler, and we deactivate your Parents home security system, and send a fleet of weaponized drone quad copters to pay then a visit! Do not attempt to thwart us... we know when you're asleep, from your resting heart rate, thanks to your Samsung Gear Watch!! BOW BEFORE TRACHANON !" 👀
 
  • Like
Reactions: Drethis
Renate

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
4,449
2,048
Boston
www.temblast.com
Nexus 7 (2013)
Moto G Power (2021)
beatbreakee said:
so then BASICALLY all you have to do is...
Click to expand...
Click to collapse
No. SecureBoot is the Qualcomm signing of ELF loadable modules.
It aplies to obvious stuff like xbl/abl/Firehose, but also all the radio/modem/phone stuff.
It is enabled in OTP (one-time programmable fuses) on the chip.
The SHA256 hash is burned at the same time.
Probably very few things are left with SecureBoot off.

dm-verity, AVB, FEC are all other things.

There was an exploit on MediaTek of a buffer overrun on USB control endpoint.
Those kind of anomalous USB messages can usually not be generated by stock implementations.
You need a lower level driver or a hardware device.
Such an exploit could conceivably be possible with Qualcomm but it would take a bunch of effort.
You'd want to start with a device with accessible UART and access to the reset line.
 
  • Like
Reactions: Prant, _DarkKnight_ and Drethis
M

Mirak97

Member
Oct 3, 2017
41
9
i
Renate said:
No. SecureBoot is the Qualcomm signing of ELF loadable modules.
It aplies to obvious stuff like xbl/abl/Firehose, but also all the radio/modem/phone stuff.
It is enabled in OTP (one-time programmable fuses) on the chip.
The SHA256 hash is burned at the same time.
Probably very few things are left with SecureBoot off.

dm-verity, AVB, FEC are all other things.

There was an exploit on MediaTek of a buffer overrun on USB control endpoint.
Those kind of anomalous USB messages can usually not be generated by stock implementations.
You need a lower level driver or a hardware device.
Such an exploit could conceivably be possible with Qualcomm but it would take a bunch of effort.
You'd want to start with a device with accessible UART and access to the reseti line.
Click to expand...
Click to collapse
is there anyway of turnning off secureboot?
 
  • Like
Reactions: Drethis
Renate

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
4,449
2,048
Boston
www.temblast.com
Nexus 7 (2013)
Moto G Power (2021)
Mirak97 said:
Is there anyway of turning off secureboot?
Click to expand...
Click to collapse
Not, really. The most realistic option is to remove the processor and replace it with an unprogrammed new one.
I'm not sure how easy it is to call up Qualcomm and ask them for one of their processors.
There are companies that do rework and could replace the processor but it's probably not cheap.
None of this makes any sense for a user, but there might be a reason to do this as part of an effort to crack security on something.
 
  • Like
Reactions: Drethis
M

Mirak97

Member
Oct 3, 2017
41
9
Renate said:
Not, really. The most realistic option is to remove the processor and replace it with an unprogrammed new one.
I'm not sure how easy it is to call up Qualcomm and ask them for one of their processors.
There are companies that do rework and could replace the processor but it's probably not cheap.
None of this makes any sense for a user, but there might be a reason to do this as part of an effort to crack security on something.
Click to expand...
Click to collapse
what about patching firehose files themeselves to make them bypass secureboot
i see a lot of them when searching for no auth loaders
 
  • Like
Reactions: Drethis
Renate

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
4,449
2,048
Boston
www.temblast.com
Nexus 7 (2013)
Moto G Power (2021)
Mirak97 said:
what about patching firehose files themeselves to make them bypass secureboot
i see a lot of them when searching for no auth loaders
Click to expand...
Click to collapse
The word "patched" gets thrown around a lot.
My understanding is that the "patched" loaders were not actually patched but simply that they were built that way with more features enabled.

So the levels of security go like this:
  1. All modules loaded by the ROM bootloader must have valid hashes on all program segments (even if SecureBoot is off)
  2. If SecureBoot is on, the hashes above must be signed by the certificate chain which must be verified with the hash burned into the processor.
  3. The OEM can add additional security to the Firehose loader like "VIP" or "getsigndata" requiring remote authorization.

The word "secure" gets thrown around a lot.
There are many contexts for "secure" (ro.secure, ro.adb.secure, fastboot secure) but only one SecureBoot.
If you have a hardware root console connected (UART) it may type out the status of SecureBoot when booting.
Code: 
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.4-00246-S660LZB-1
S - IMAGE_VARIANT_STRING=Sdm660LA
S - OEM_IMAGE_VERSION_STRING=cibuild
S - Boot Interface: Unknown
S - Secure Boot: Off
S - Boot Config @ 0x00786070 = 0x000001c1
S - JTAG ID @ 0x00786130 = 0x000cc0e1
S - OEM ID @ 0x00786138 = 0x00000000
S - Serial Number @ 0x00784138 = 0x12345678
S - OEM Config Row 0 @ 0x00784188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x00784190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x007841a0 = 0x007030000b580100
S - Feature Config Row 1 @ 0x007841a8 = 0x00000000000000c0
S - Core 0 Frequency, 3715 MHz
S - PBL Patch Ver: 5
S - I-cache: On
S - D-cache: On

Another way to find out if SecureBoot is actually on your device is to take a Firehose loader that works.
Find some innocuous thing to modify (better if it's something that you will later notice).
I change the spelling of some message that the loader will print out.
This will break the hashing, so you check* it with QcomView and hex edit the hashes until they are correct.
Code: 
C:\>qcomview /h loader.bin
64 bit ELF, SHA256
 0  00000000  00000318  a117dbc5 e643e404 361bfe30 45fbda01 4c153842 59a4cbe8 09b7da55 a2dd413e  OK
 1  00001000  00001ac8
 2  00003000  0005709c  7b833734 f2763b9e 35f3310c f6fb22a9 a514eac0 3eddbe46 b5ff339b 3c7b045c  OK
 3  0005a0a0  00000000
 4  0005a0a0  00009f00  6296c006 31852f79 b99691c3 e8d598f2 9d323e9a ba0358aa b742901f 506709d5  OK
 5  00063fa0  00009908  41176495 3e07ad84 8923398e ce854131 91066dca 43f253fa c027c4f4 a3c21483  OK
 6  0006d8b0  00000000
 7  0006d8b0  00001e7c  fe77c473 b02e4a71 d3f287e4 cf85ccbe b5a43326 53930bd8 d68e4e40 6e71a0b8  OK
 8  0006f730  00000000
 9  0006f730  000188d8  1bfef74c ed467a22 8616419d e71ab1ea 22a717e5 4874c704 541793ed f5d5c5e5  OK
10  00088010  00000000
11  00088010  00000000
12  00088010  00012dc0  b72cb77e 81026632 446c3462 cc6c83fc d7904333 cb8807cc 27d6e4c9 189c7ca4  OK
This will still leave the signing of the hashes all broken and you can't sign it because you don't have the private key.
If your modded Firehose loader loads and works, congratulations, your device has SecureBoot off.
This is probably not true of any mainstream device.

Edit: *I've added actually rewriting the hashes to this utility.
 
Last edited:
  • Like
Reactions: Prant, _DarkKnight_, Drethis and 1 other person
M

Mirak97

Member
Oct 3, 2017
41
9
Renate said:
The word "patched" gets thrown around a lot.
My understanding is that the "patched" loaders were not actually patched but simply that they were built that way with more features enabled.

So the levels of security go like this:
  1. All modules loaded by the ROM bootloader must have valid hashes on all program segments (even if SecureBoot is off)
  2. If SecureBoot is on, the hashes above must be signed by the certificate chain which must be verified with the hash burned into the processor.
  3. The OEM can add additional security to the Firehose loader like "VIP" or "getsigndata" requiring remote authorization.

The word "secure" gets thrown around a lot.
There are many contexts for "secure" (ro.secure, ro.adb.secure, fastboot secure) but only one SecureBoot.
If you have a hardware root console connected (UART) it may type out the status of SecureBoot when booting.
Code: 
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.4-00246-S660LZB-1
S - IMAGE_VARIANT_STRING=Sdm660LA
S - OEM_IMAGE_VERSION_STRING=cibuild
S - Boot Interface: Unknown
S - Secure Boot: Off
S - Boot Config @ 0x00786070 = 0x000001c1
S - JTAG ID @ 0x00786130 = 0x000cc0e1
S - OEM ID @ 0x00786138 = 0x00000000
S - Serial Number @ 0x00784138 = 0x12345678
S - OEM Config Row 0 @ 0x00784188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x00784190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x007841a0 = 0x007030000b580100
S - Feature Config Row 1 @ 0x007841a8 = 0x00000000000000c0
S - Core 0 Frequency, 3715 MHz
S - PBL Patch Ver: 5
S - I-cache: On
S - D-cache: On

Another way to find out if SecureBoot is actually on your device is to take a Firehose loader that works.
Find some innocuous thing to modify (better if it's something that you will later notice).
I change the spelling of some message that the loader will print out.
This will break the hashing, so you check it with QcomView and hex edit the hashes until they are correct.
Code: 
C:\>qcomview /h loader.bin
64 bit ELF, SHA256
 0  00000000  00000318  a117dbc5 e643e404 361bfe30 45fbda01 4c153842 59a4cbe8 09b7da55 a2dd413e  OK
 1  00001000  00001ac8
 2  00003000  0005709c  7b833734 f2763b9e 35f3310c f6fb22a9 a514eac0 3eddbe46 b5ff339b 3c7b045c  OK
 3  0005a0a0  00000000
 4  0005a0a0  00009f00  6296c006 31852f79 b99691c3 e8d598f2 9d323e9a ba0358aa b742901f 506709d5  OK
 5  00063fa0  00009908  41176495 3e07ad84 8923398e ce854131 91066dca 43f253fa c027c4f4 a3c21483  OK
 6  0006d8b0  00000000
 7  0006d8b0  00001e7c  fe77c473 b02e4a71 d3f287e4 cf85ccbe b5a43326 53930bd8 d68e4e40 6e71a0b8  OK
 8  0006f730  00000000
 9  0006f730  000188d8  1bfef74c ed467a22 8616419d e71ab1ea 22a717e5 4874c704 541793ed f5d5c5e5  OK
10  00088010  00000000
11  00088010  00000000
12  00088010  00012dc0  b72cb77e 81026632 446c3462 cc6c83fc d7904333 cb8807cc 27d6e4c9 189c7ca4  OK
This will still leave the signing of the hashes all broken and you can't sign it because you don't have the private key.
If your modded Firehose loader loads and works, congratulations, your device has SecureBoot off.
This is probably not true of any mainstream device.
Click to expand...
Click to collapse
so all of the "patched" firehose files are just leaked ones from the manufacturers (i mean they arent modified by some user to make it work)
 
  • Like
Reactions: Drethis
Renate

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
4,449
2,048
Boston
www.temblast.com
Nexus 7 (2013)
Moto G Power (2021)
Mirak97 said:
so all of the "patched" firehose files are just leaked ones from the manufacturers (i mean they arent modified by some user to make it work)
Click to expand...
Click to collapse
All the loaders that I can get my hands on show signing by expected manufacturers.
It would take access to the (super secret) company private key to sign anything.
OTOH, if you don't have Secure Boot, patch away. I just patched the abl on my non-SecureBoot device.

Ok, I just found a few loaders that look like the certificates were modified by a person.
But I have no idea if this was just a half-baked experiment or what.
If you have SecureBoot you can't screw around with the certificates.
And if you don't have SecureBoot you don't have to.

As always, I'm open to correction.
 
  • Like
Reactions: TheNewHEROBRINE, Prant and Drethis
M

Mirak97

Member
Oct 3, 2017
41
9
Renate said:
All the loaders that I can get my hands on show signing by expected manufacturers.
It would take access to the (super secret) company private key to sign anything.
OTOH, if you don't have Secure Boot, patch away. I just patched the abl on my non-SecureBoot device.

Ok, I just found a few loaders that look like the certificates were modified by a person.
But I have no idea if this was just a half-baked experiment or what.
If you have SecureBoot you can't screw around with the certificates.
And if you don't have SecureBoot you don't have to.

As always, I'm open to correction.
Click to expand...
Click to collapse
im not really an expert here and probably i dont know what im talking about but coud the leaked no auth loader that are from the same manufacturer have the same signing and could it be cloned or transfered to an another loader ?
 
  • Like
Reactions: Drethis
Renate

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
4,449
2,048
Boston
www.temblast.com
Nexus 7 (2013)
Moto G Power (2021)
Mirak97 said:
im not really an expert here and probably i dont know what im talking about but coud the leaked no auth loader that are from the same manufacturer have the same signing and could it be cloned or transfered to an another loader ?
Click to expand...
Click to collapse
Presumably all OEMs have a full-featured Fireshose loader for their device for development and repair.
Maybe they chop out some features for the one they release to the general public.

If they are being really obnoxious they add extra authorization into the public version and say that you have to use our handy-dandy custom EDL client which will phone home to ask us if you're allowed to use it.
I presume that there is some solid cryptography behind the whole authorization system.
I saw one USB capture for a differrent device that uses a custom Firehose extension of getsigndata.
I've not seen any USB captures for the device in this thread or even an example of how this device reacts to a generic EDL client.

Theoretically, the whole signing chain is pretty bomb-proof.
I think the chance is slim, but a buffer overrun exploit using some unexpected USB protocol violation seems most likely to me.
 
  • Like
Reactions: Prant, PlasmaTornado and Drethis
D

DenisPDA

Senior Member
Jun 20, 2017
66
52
Hi all
What kind of menu is this in FastbootD
Снимок.JPG
Video https://drive.google.com/file/d/1RuranD8wmdnXRpFqMvjhBBhjLi5w5_m4
Be sure to watch to the end

Source
 
You must log in or register to reply here.

Similar threads

O
General EDL Flash Tool Leak
Replies
674
Views
64K
C
cmccool85
Metromas
Question OnePlus 10 Pro - QDLoader HS-USB - EDL Test Point [9008] MSM
Replies
114
Views
16K
beatbreakee
beatbreakee
Metromas
  • Locked
Question [CLOSED] OnePlus 10 Pro - Unbrick with MSM
Replies
1
Views
3K
K
Kosta26
N
Question Fingerprint not working after using MSM tool NE2215
Replies
29
Views
2K
I
innoxentraheel
U
Question Update OnePlus 10 Pro from HydrogenOS (CN) to OxygenOS (EU/GL/IN) without rooting
Replies
73
Views
20K
VStax
VStax

Top Liked Posts

24 Hours 30 Days All time
  • There are no posts matching your filters.
  • 3
    roirraW "edor" ehT
    roirraW "edor" ehT
    <Moderator Note>: I've removed the links from two posts and one quoted post.

    Although Windows Defender only popped up one file as a PUA (Potentially Unwanted Program) - which isn't necessarily a Trojan but just something that might do something you don't really want, I independently verified in a sandbox that VirusTotal.com reported possible Trojans on three of the four archives I downloaded.

    Some things do produce false positives, but in this case I believe caution is warranted.

    Thank you,

    @roirraW "edor" ehT

    P.S. Any questions, please don't respond in this thread. Instead, send me a PM.
    View
    3
    Renate
    Renate
    Canuck Knarf said:
    I hate taking back off ..broke two back cover...LOL
    Click to expand...
    Click to collapse
    I hate it too. Especially since I clean up all the old tape and put down new tape.
    That's why I only open these things once and install a magnetic reed switch.
    See: https://forum.xda-developers.com/t/...c_prog_firehose-request.4261599/post-88301643

    This is the switch that I used: https://www.digikey.com/en/products/detail/standex-meder-electronics/ORD-213-20-30-AT/1949374
    It's currently out of stock there. I picked the least sensitive switch. (Even though it being activated in normal use is not a problem, it's only when resetting that it's checked.) Others of more sensitivity are in stock and they'll probably do fine.
    View
    3
    D
    DiGtal
    As he said the OSS team doesn't handle that. Need to find the department that does.
    View
    2
    emabertax
    emabertax
    Ph0nysk1nk said:
    Realistically, development is dead. And it sadly looks like hope of MSM tool is gone. Sucks but, oh well
    Click to expand...
    Click to collapse
    Not for all phones, android will always be open source even if manufacturers put some obstacles. the development has decreased over time because the devices have improved over time and it is not always necessary to make changes.
    View
    2
    D
    dekefake
    If people here have experience in MITM please DM me. I'm currently on it and I can't figure out how to force the tool to use my mitmproxy.

    EDITN: Nvm, I succeeded 👀
    View
  • 18
    Grovez
    Grovez
    I found out how to bypass the login prompt. Whether or not the tool will actually work is yet to be determined.
    I don't have a oneplus 10 pro, but would be really curious if this works for anyone.
    In order to avoid potential legal issues, and so you don't have to trust any files I upload, here are the instructions to crack the msm login...

    Using a download from the previously-linked rar, you should have a copy of 'MsmDownloadTool.exe'
    Use 7-zip to open the exe as an archive, and extract all the files into a new folder.
    Open 'FTGUIDev.exe' with a hex editor (HxD is good)
    Find the hex value '0f84e7000000b8'
    Replace the 84 with an 85

    Save the modified exe and launch it.
    Choose a server other than 'in company'
    Put whatever for userID/Password/Verify, click login.


    I hope this is useful.

    Screenshot_2022-09-02_23-07-33.png
    View
    9
    O
    OppoTech123
    Hello all, i am here to leak OPPO tech tool that allows one plus 10 pro to be flashed. Sadly i cannot share login but if you are able to bypass login screen the tool does not need to authenticate with server to flash device in EDL mode. Attached is screen shot of login screen and file. The tool picks up device in EDL mode and allows user to select the OPF file associated for device (please note you must have this downloaded externally ideally from msm tool for your device)

    I wish you luck bypassing this login and fixing your phones.

    flash.png
    View
    9
    beatbreakee
    beatbreakee
    BTW... I am STILL in need of someone to share me access to a MSM Tool account that is active... Again... i dont care if its a guest account... or regular. You can change your password 12 hours after you give me the login info.... I am VERY close to being able to spoof an authentication, and signature response back to the phone in order to allow generic flashing of the 2213, 2215, and 2217. I just need to do about 2, maybe 3 more flashes, an hour between each, so i can decipher the algorithm that generates the token for the response. I have 9... i need 12, as they are partially calculated by a timestamp. So ANYONE who can help me with an account that is active, and maybe it is close to expiring anyways, please DM me, with the info to gain access.

    I am working under an authenticated letterhead, permissions document sent to me by Qualcomm, which completely supercedes ANY legal action brought forth by Oneplus/Oppo/BBK. The letter expressly provides me permission to use any of the tools/functions which are originated/derived from a Qualcomm Tool in any fashion. MSM is written and designed by qualcomm. I am permitted to use whatever, in the "Research, and Penetration Testing, of any and all protocols called upon by a function of any process that begins in a device with a qualcomm chipset.!"

    They make the MSM Tool... but access to the servers which are used to flash each qualcomm device is controlled by their respective manufacturers.
    View
    8
    Renate
    Renate
    I looked around for any Firehose loaders that had this getsigndata/verify.
    Only OnePlus and Oppo.
    The solution seems clear: don't buy them.

    OTOH, Lenovo/Motorola has signed loaders with restrictions.
    You can't read most partitions.
    The solution seems clear: don't buy them.
    View
    7
    beatbreakee
    beatbreakee
    GOOD GOOD... Thats what i like to hear from my Android Brethren !! Hack, Crack, Disassemble, and Attack the weaknesses of these infernal devices !!! (I need sleep!) ... Sorry, im stuck in some medieval, warfare mindset .. my bad! lol...

    BUT heres what i came for: Humor me.....

    IN THEORY... considering that EVERY post on the internet regarding DIAG mode on phone, (including IOS!) has started with the same goal.... "Using Root access, to enable Diag for access to the EFS" .... So basically everyone is saying that at the time... ROOT was horse... and Diag was the finish line! ... Right? Cuz thees guys were trying to hack bootloaders that had no accessible interface. And DIAG was their answer every time... and it worked! (Mostly)....

    What i am proposing is NOT trying to hack the bootloader, because i already know how to crack that... But if it used to be a REQUIREMENT that to even discuss DIAG, you must have Root.... Then can ANYONE HERE put together a way, in which I could REVERSE that process.... or at least leverage DIAG MODE, to get myself a Root Shell.... or alter the SUID or even outright set a new user, as "UID 0" ... temporarily even if i can only force 1 app to see my account as SYSTEM, so that i can get RW access to Build.prop, or Local.Prop ?? Then i can make 1 flag change in it that will snowball me right thru the security and into the bootloader!

    I mean as Diag I can literally DELETE the phone's whole identity! No imei.. no baseband... no modem... no mac address.. by the access i have to the EFS... and you cant even directly access that partition with ROOT ... only DIag and EDL have that authority! So imho there HAS TO BE a way to leverage a lower permission level thru some kind of console, where i can indirectly make a change to the build.prop. And i dont care if it Bricks the device 5 minutes later, cuz i am gonna make my change be locked with a persistent property that is already in place! It just needs a 1 in place of a 0, or an alternate access point which is also persistent, and just needs one word added to the line! Either way, if the phone bricks right after for some security violation, i will still have enough access to break the secure chain of trust and make my flags permanent! So if i have to pay for a flash to restore my phone, so be it... i know that the two things i edit survived an edl flash several times already!

    I really need EVERYONE ON DECK for this... cuz getting this done will cut at least 50% of the work i need to build us an MSM - Mafia FREE edition. Im talking to the guys who still think UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT B A Start, is a goof cheat code! As well as the people who can walk past an ATM machine, wave their hand in front of it, and 100's start spitting out like a money shooter... Yall cannot tell me that the Apple guys are better than us r/n ... cuz literally every time a new IOS drops... in less than a few days 3+ randos release videos as POC of them successfully gaining TFP0 , which is the IOS equivalent of ROOT.... I refuse to believe that the 17 y/o kid wearing a fedora, and a neckerchief, as they are walking up to the Starbucks counter to order their Venti Chai Mocha Latte..... NO .... I DO NOT ACCEPT THAT VISUAL! To me that worse than walking in on your parents smashing on top of the dining room table! ... at least then i know that they were making each other happy! ... But "Smuggy McMasterson III" strutting up to buy a lawn garden coctail from a coffee shop, while feeling all "chipper" cuz his team found a Kernel Memory Leak in 'IOS whogivesacrap beta 4' ... yet we cant find one privilege escalation, is the stuff of my nightmares!

    YALL DONT WANNA GIVE ME NIGHTMARES DO YOU!!! I THOUGHT WE WERE FRIENDS!!!

    FRIENDS DONT LET FRIENDS GET HANDLED BY A CRAPTASTIC BOOTLOADER, ,GUARDED BY 1 FLAG! COME ON!
    View

New posts