General MSM TOOLS


beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
Umm... ok..... so does anyone here have an OTP credit to spare for flashing? Like either you already purchased an OTP token and have finished your repair, but your token still has more time left!! Or preferably a brand new OTP so I can bust another 24hrs of research into this tool. I gotta make something happen ASAP with this stupid phone, or I'm selling it and the 10T this weekend and moving on. But I cannot continue owning a device that SOMEONE ELSE is in control of. Oppo... OnePlus... BBK.... or anyone else will NOT hold dominion over what and when I can or cannot do to a device I spent my cash on. NO ONE! I re-affirm my commitment to taking down this company's antiquated, 1860's rules which run similar to something abolished in 1865. Sorry for the bad comparison coming next, but I'm gonna borrow a familiar mantra to make my point.... "My phone... my right to choose what I do with it!" Until these LORD OF THE MOBILE PHONE industries start GIVING US the phones, and THEY pay the monthly bill to our carriers, then they have ZERO RIGHT to tell me what I can do to my phone.

Would you go buy a new outfit if the store said, "Here you go.... now you cannot wear any undergarments that are not _____ with these, and no shoes that aren't _____. If you do, the outfit will just fall apart and you won't be able to fix it, unless you bring it back here, and we will make it work again, but bring the approved accessories only!"

What about if you bought a new Samsung TV, and the Best Buy employee said, "Thanks sir/ma'am, but there are a few stipulations you need to follow now that you bought this already. Absolutely NO comedy movies or anything with political humor is allowed to be watched. Period. You can ONLY watch SAMSUNG-approved movies and TV shows that the CEO of Samsung, YOUR NEW LORD AND SAVIOR, has deemed acceptable. The Big Bang Theory has been rated as unapproved and your TV will black out any attempt to watch shows with any of the original cast members in it. This is for your own safety, and if it's discovered that you connected any unauthorized player device that allowed those or any other show our lord does not approve of, we will deactivate your TV and you will then have to send it back to the factory IN CHINA, so we can decide on the fee to restore it back to default! .... All hail Samsung / Trachanon!"

Last time I checked there weren't any car dealerships that said.... "Thanks, we hope you enjoy your new _____ SUV. Now remember: No KIDS... Pets... High PDA couples, or ANY in-laws allowed inside. And you can't put plain ol' Racetrac, Shell, Conoco, etc. gas in it. You MUST ONLY put gas from our dealership in it. Doesn't matter if it's similar octane or whatever. OUR GAS, OIL, ACCESSORIES, approved patrons, and PARTS, that must be from OUR DEALERSHIP ONLY, or your car will die and we don't have to service it because our computer will show us that you ignored our orders! SWEAR YOUR ALLEGIANCE TO TRACHANON NOW HUMAN! And have a blessed day.... buh bye!"

TUCK FHIS! I am done letting anyone tell me what I am allowed to do with the thing I paid for, in full! And I refuse to go from ONE company with MAFIA-LIKE control over its repair tool, right to ANOTHER person/company who parades control of my device over my head! ... I never signed any agreement giving this control, and for ANYONE who says, "that's what you get for buying OnePlus...." NAME ONE OTHER ONEPLUS SERIES OF PHONE PRIOR TO THE 10 Pro/T/R that had this overbearing control on it? You CAN'T.... Every 9, 8, 7, 6, 5.... Nord..... ALL prior to 2022 have had both an MSM DOWNLOAD tool that you could use FOR FREE to unbrick or interchange fw.... and EVERY ONE OF THEM had access to a normal Fastboot bootloader that you could obtain an unlock for! Plus last time I checked, there STILL isn't a disclaimer on the 10 Pro/T/R sales listings that discloses, "No free repair software is available, and your ability to customize your phone outside of what we approve is forbidden and we removed your access to do so!"

So I ask again.... DOES ANYONE HAVE A SPARE OTP TOKEN CREDIT FOR THE MSM DOWNLOAD TOOL, THAT I MAY PLEASE USE WITH YOU? Once you have logged in, you can send me a DM with the token, and it won't interrupt your access. But I need this for continued research in breaking the restrictions from the program. I have partially decrypted the signing algorithm, but my access to the program has been limited, and I MUST get either an Oppo login / password.... or an OTP to continue.

I will not leak your login details to anyone, and you can literally ask any member here if i have ever done so!

Building a working FREE tool is very time consuming, and if no one is willing to cooperate and pledge some form of assistance with gathering the data I can only acquire by doing full traces of complete flashes... then I will have to abandon this mission entirely and dump these OnePlus phones entirely. I don't wanna do that but I cannot continue being told how and when I can use the program. My time is MY TIME, and if someone WANTS something from me, then I need access to the program so I can work on this. So this might be my last post on this specific forum. I hope it's not!

Snoochie Boochies
 

Mirak97

Member
Oct 3, 2017
41
9
I guess you need more people that know what they're doing to help you.
 

Mirak97

Member
Oct 3, 2017
41
9
Isn't there any way to sniff the traffic going between your PC and the phone? Maybe something like a USB sniffer or something.
 

Canuck Knarf

Senior Member
Dec 19, 2015
563
159
Google Pixel 6 Pro
OnePlus 10 Pro
I sent you credit, buds.
 

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
Ok... To rehash the original idea of packet sniffing... This method was already put into action, which spawned this nightmare thread. 1st question: "Can we use a packet sniffer to capture the login/auth token?"
A: Yes, you can use it to capture the login token and then replay that with Fiddler... or similar, BUT HERE'S THE CAVEAT. The MSM tool that was authored originally by Qualcomm has been disgustingly re-written by BBK (Oppo, Realme, Xiaomi, OnePlus...)... they took the original and added ANOTHER authentication check for authorization. <=== This IS NOT able to be replayed or spoofed. It is calculated ON THE FLY by a combination of the timestamp from the internal servers at Oppo, the authenticated MAC address of that server... (Remember the special "Address" that was needed for the secrecy.exe engineering mode unlock tool, which just stopped working and gave 'error invalid signature' around October-ish... That was a MAC address)... So those 2 variables are then sent into an algorithm along with YOUR computer's MAC address... timestamp, and the checksum of the firmware you're flashing, which has weaknesses... but so far not exploitable!

If you use the packet capture or even the USB capture from the previously authorized flash, it will fail! Thus the 3% error that has been the blockade for now. I have attacked it every way possible and because of my vocal account of doing so, I was in turn snitched on by an xda member, and sent a cease and desist letter from BBK/OPPO. But I am WAYYYYY past that now.

THIS is the algorithm that I am currently attempting to break, with permission granted by a Qualcomm Principal Engineer, as long as I follow responsible disclosure guidelines. This is the whole reason for the inherent silence as to specific tactics I've employed in breaking thru. I cannot reveal what has been successful or necessarily failed, if it has ties to the vulnerable weak points of the signature check. But one thing I can disclose is that the Oppo auth token and the Qualcomm VIP auth token are NOT related!

The MSM tool as we know it now does not use the built-in Sahara firehose that is included in the firmware zip. That is, in my best guess, a decoy! The reason I say this is because it has been verified to me at Qualcomm that they insisted to BBK, Samsung and others that they no longer include their firehose programmers inside their official firmware packages. This is because as of the OnePlus 10 series, OPPO/OnePlus will NO LONGER be supplying FULL FIRMWARE packages to download via system restore or ANY OTHER official channels.

You all may THINK or ASSUME that you have found a "Full firmware" link.... but I strongly contest those claims as I have over 200 firmware packages for the 2210, 2211, 2213, 2215, 2217, 2413, 2415, 2417, 2419 models which covers EVERY VERSION of our 10 Pro as well as the 10T... Ranging from 11_a 04 up to 12_c.23. ... I have unreleased firmware packs as well. I have OFP, ZIP, OPS, and PAYLOAD.BIN in my collection... This is an almost 7TB collection of the firmwares that are accessible thru Chinese, Russian, Indian, EU, North American, Korean, Singapore, and Indonesian servers... Some are directly plucked from Oppo's once weakly secured server. (Now using a stronger firewall)

You can test this theory yourself on any package you claim is an actual FULL BUILD.
1. If it's any kind of a zip with a payload.bin file... It's 100% an OTA fw.

2. If the zip package contains an already unzipped folder of firmware files, it is 75% guaranteed to be an OTA Incremental Update, uncompressed. <Full fw will come only as .OFP or .OPS files which are not true file extensions... They are identifiers that are created by a specially encoded file generated by 7z after being downloaded from Oppo servers. There's no use trying to find something else that can build or encrypt a working firmware for the OFP format. 7z has been contracted thru Oppo to be licensed as their official encryption provider, and the signature used for the encryption mapping exists only on Oppo servers. 7z pulls the signature during official downloads, and then uses the mapping data to make the MSM-flashable OFP file! Either way, this file is technically garbage because once uncompressed, the signature is broken and the MSM tool will perform a 3rd validation and verification check at the 19% marker!> That 3rd check fails almost 50% of the time on OFFICIAL OTA packages, so again this is not an avenue worth walking. Mainly because to get here you have to have already broken the 1st signature, which will usually trigger a fail!
(Check this by entering the "Manifest" folder, or whatever they renamed it.... i.e. MyHeytapp_Manifest or just Manifest... And if there's 1 build.prop, and 2 or 3 more build.prop_xxxxxxxx files also, like build.prop_10100011 and similar, this is an Incremental Update)

3. If you have located an .OFP file... Note that this isn't very hard to find. Most of the firmware links you find on the net will be "ne221x_export________.zip". Or "OnePlus10Pro-ne221x_Full_xxxxxxxxxxxxx.zip", and once you enter whoever... AlzsredGsm... GemFlash... GsmMafia... Ncrom.com.... Romfirmware.com.... "ThisIsAlreadyYourFirstClue.com", that is your first clue that you are accessing an already altered download! Oppo did not give GSMMafia, or anyone for that matter, a link to a FULL OEM build of their firmware that they were authorized to REPACK into a password-protected archive where you must perform any action besides clicking on EXTRACT. This breaks the mfg guidelines for sharing files used for repair of their devices. So someone has already downloaded... decrypted.... and therefore broken the signature of the original archive.... then they rezipped it into a package with their own password needed to open it.

^=== These packages are renamed and rebranded hundreds of times by everything including malicious hackers who will add auto-executing scripts to them, as well as garbage spammers who literally put nothing even related to our phones inside a second zip package that they make you follow steps to "obtain the zip password"... But no matter how many times you complete the steps, the password is never provided. (These are the most common links being found now cuz these garbage people now understand how valuable a FULL BUILD fw package is to the mod communities.) Make no mistake, I'm sure a few of these ACTUALLY DO have a true full build... because most of them are Oppo employees... so they will provide videos showing the contents of the zip... But I promise you that THIS is not the real file!

Oppo has a ZERO tolerance policy regarding the distribution of any proprietary software used to develop their devices' operating systems. (I challenge ANY OF YOU to provide me with an actual "Oppo/Heytapp SDK". ... Heytapp is their official builds for ColorOS which is becoming the standard for all future Oppo/OnePlus phones.... We will have Google if outside China... They will have Heytapp... Both will be based off ColorOS. We are all using a hybrid ColorOS/Oxygen build on the 10 series! ... So if you really think ANY Oppo employee is going to risk their career and possibly their freedom by sharing or risking the file they are showing in the video to the public... You obviously have never broken a law inside mainland China or worked for a telecom company in India. In China, YES, these guidelines are enforceable by LAWS against providing classified or copy-protected information to an unauthorized source.

<My father is Senior Director of Sales & Marketing for T-Mobile... HE CANNOT GET ME ANY INFORMATION REGARDING THE FIRMWARE FOR OPPO/ONEPLUS or any other manufacturer of Chinese or Korean origin, and he was the IT and Engineering teams director as recently as 3 years ago>

.... So if you think AlzharedGSM or whoever has unearthed these VALUABLE files, and are willing to give to you for free... You were also probably waiting for DJT to be re-instated as POTUS on those specially announced dates! (Spoiler.... It didn't happen) 😸

Now an explanation. An "Incremental Update" package does not have authorized programmers that can erase/modify/repair the EFS and NV partitions/files, locked in the critical partitions of your phones... They just don't have that permission, nor the offset info to locate and overwrite the files in those memory addresses. THESE ADDRESSES contain the OEM manifest identifier (10100011 etc.) that YOUR phone was programmed with! These 8-digit numbers each pertain to the ALLOWED manifest that has the entire list of files which are to be sent to your phone. PERIOD!... Manipulating these will at best fail the verification check, thus saving you from the WORST: deleting your NV or EFS file system, and erasing your IMEI, MAC address, baseband, and device policy, meaning your phone will NEVER connect to another cellular... wifi... or any network connection without an external network adapter.

I have seen some $750 offline gaming and mp3 players born from people who thought they could outsmart the manifest identifier... but mostly I've seen unresponsive devices that took opening the phone up and performing several wake-up gestures, then a reflash of the ORIGINAL carrier or OEM firmware of the exact same build you had just previously tried to escape.

(Keep in mind that 80% of the users who are in need of an MSM flash are so because of improper methods being attempted to gain some form of unauthorized fw change.) OTAs being flashed by the internal 'system update' process are almost 99% impossible to brick your device with. The system update running inside your unaltered firmware performs up to 4 or 5 compatibility checks on the files inside it before allowing the update to proceed. So if you're bricked and in need of an MSM repair, then it's most likely because you forgot to return to full stock before locking your bootloader.... flashed some janky mod that promised to make your phone become a handheld time machine.... or zombies were attacking at your door right when you were applying a special "region swapping" method, and you missed a vital step, so now the damn zombies made you brick your phone! <I hate zombies for that!!!> But in most of these cases, having to disassemble your phone, and then pay someone to connect to your computer to send the exact same firmware you were trying to escape from, seems like a facepalm moment!

So back to the topic... The firehose programmers in these Incremental Update packages cannot access the file systems to really change your boot.img... recovery.img... build.prop... or region/carrier lock files, because they are protected in the EFS partition. So no matter what name the "official fw" zip you downloaded is showing... flashing EVERY ONE OF THESE PACKAGES is the same as flashing an OTA for your current model. You can flash 2211 over your 2217 phone and yes, some of the APP packages will change, along with the numerical model number in your About Phone section... But nothing that is device specific will be changed... At most this is a cosmetic alteration.

------ Now comes my prior instructional thread explaining how to region swap. I have many, many users who will verify that my method WAS infallible... And did have a super high success rate.... If you have THE EXACT FILES that were used by us to do so.... This was because at the time, Oppo had unknowingly released rollback packages signed with DEVELOPER KEYS.. your build said USER still... But the keys were actually the developer ones, which are capable of changing ANYTHING inside your phone's file system. These original files were linked for exactly 2 1/2 days, then once I identified the process and disclosed it here, Oppo took them down... Edited some minor details, and re-signed them with USER KEYS. Then uploaded them under the exact same file names, and reactivated the links, so that everyone who downloaded the new rollback packs would brick if they used different regions! (Sinister huh?)

13 beta 2 and 13 stable removed the necessity of these changes because they added new region security checks into the updates.
-------+++++++++++++++++++++++---------

Full circle to here. If I can break the signing algorithm of the initial 3% authentication check, then I can create a generic signature that will validate when replayed by anyone.

Under current status though, and with A LOT of specially set conditions, along with a full, valid, ENTIRE capture of YOUR successful prior flash... You could reflash your phone with about a 10% success rate. Requirements: The rollback of your computer's exact date and time (to the minute... Not seconds) that your flash began... The exact same firmware package you had flashed then... Your phone opened and disconnected from the battery, then the Test Pads shorted for EDL.... And possibly some real fairy dust and maybe a leprechaun for luck... Plus the same exact phone you had used for this flash.... <--- has a 10% success rate.. and that's out of maybe 150 attempts I have performed!

This is why I need my 10T bootloader unlocked... because I have crafted a few files that need to be placed into the system/bin folder which will help me identify the garbage of the signature... And also the device specific parts.... these need to be removed precisely, in order for me to submit an exact set of identifiers to someone who can decipher the algorithm used to make the sigs. No number of 10 Pro phones in production will help me isolate the data I need. I need a DIFFERENT MODEL using the same board and chipset such as the 10T... Both Qualcomm... Both Taro.... One is Waipio... Other is Cape.... One is Snapdragon 8450, the other is 8475. These are 2 brothers who will get me closer to the DNA of the signature..

Responsible disclosure won't even let me share how I got this far because I already reported partially to Qualcomm, so I'm now on their radar. But no one is willing to SHARE the POC of the exploit that was fully verified to have dropped a root shell on a phone using my exact same kernel.... The process took all of 3 seconds... I can't re-link the video but several posts back, I supplied it. The technique was dubbed DirtyCred and it's a vulnerability in EVERY Qualcomm phone with a range of kernels.... With a working build of this escalation exploit, I can edit my build.prop and force my bootloader to unlock via that file or the local.prop, or even system props....

This is ALL I NEED to complete the submission and then report to Qualcomm, and because it's an internal flaw, it's only a 30 day NDA, then I can release every bit of what I did, and employ whoever wants to join, in the task of making our own MSM style application that will no longer have an Auth packet, nor a login requirement. And you can flash until your phone disintegrates for all I care!

So I can't link DirtyCred again... But here's the OFFICIAL OnePlus Support link to the page for the In Depth Testing APK for the Singapore OnePlus 10T... Please whoever... Find a way to pull THAT FILE linked on this site... It seems dead... But further research shows it is there... But times out due to some unknown block... But after 3 hours on the phone with 4 different techs at OnePlus... It is confirmed that this file still exists.... albeit with absolutely ZERO chance they will help me obtain it!

Here ya go....: Either this or a working shell exploit to get me r/w access to my build.prop is all I need to get this completed!

Pluhhease don't make me type all that again... Anytime someone asks about why we can't get MSM tool working... Just point them to this post! Thank you!!






@DenisPDA Did it work for flashing? Or did any problem occur?
 

Ph0nysk1nk

Senior Member
Jul 28, 2016
232
118
Ok... To rehash on the original idea of packet sniffing... This method was already put into action, which spawned this nightmare thread. 1st question: "Can we use a packet sniffer to capture the login/auth token?"
A: Yes, you can use it to capture the login token and then replay that with Fiddler... Or similar, BUT HERE'S THE CAVEAT. The msmtool that was authored originally by Qualcomm has been disgustingly re-written by BBK (Oppo, realme, Xiaomi, OnePlus...).. they took the original and added ANOTHER authentication check for authorization. <=== This IS NOT able to be replayed or spoofed. It is calculated ON THE FLY by a combination of the timestamp from the internal servers at Oppo, the authenticated MAC address of that server... (Remember the special "Address" that was needed for the secrecy.exe, engineering mode unlock tool. That just stopped working and gave 'error invalid signature' around October-ish... That was a MAC address).... So those 2 variables are then sent into an algorithm along with YOUR computer's MAC address... Time stamp, and the checksum of the firmware you're flashing, which has weaknesses... But so far not exploitable!

If you use the packet capture or even the USB capture from the previously authorized flash, it will fail! Thus the 3% error that has been the blockade for now. I have attacked it every way possible, and because of my vocal account of doing so, I was in turn snitched on by an XDA member, and sent a cease and desist letter from BBK/OPPO. But I am WAYYYYY past that now.

THIS is the algorithm that I am currently attempting to break, with permission granted by a Qualcomm Principal Engineer, as long as I follow responsible disclosure guidelines. This is the whole reason for the inherent silence as to specific tactics I've employed in breaking through. I cannot reveal what has been successful or necessarily failed, if it has ties to the vulnerable weak points of the signature check. But one thing I can disclose is that the Oppo auth token and the Qualcomm VIP Auth token are NOT related!

The msmtool as we know it now does not use the built-in Sahara firehose that is included in the firmware zip. That is, in my best guess, a decoy! The reason I say this is because it has been verified to me at Qualcomm that they insisted to BBK, Samsung and others that they no longer include their firehose programmers inside their official firmware packages. This is because as of the OnePlus 10 series, OPPO/OnePlus will NO LONGER be supplying FULL FIRMWARE packages to download via system restore or ANY OTHER official channels.

You all may THINK or ASSUME that you have found a "Full firmware" link.... but I strongly contest those claims, as I have over 200 firmware packages for the 2210, 2211, 2213, 2215, 2217, 2413, 2415, 2417, 2419 models, which covers EVERY VERSION of our 10 Pro as well as the 10T... Ranging from 11_a04 up to 12_c.23.... I have unreleased firmware packs as well. I have OFP, ZIP, OPS, and PAYLOAD.BIN in my collection... This is an almost 7 TB collection of the firmwares that are accessible through Chinese, Russian, Indian, EU, North American, Korean, Singapore, and Indonesian servers... Some are directly plucked from Oppo's once weakly secured server. (Now using a stronger firewall)

You can test this theory yourself on any package you claim is an actual FULL BUILD.
1. If it's any kind of a zip with a Payload.bin file... It's 100% an OTA fw.

2. If the zip package contains an already unzipped folder of firmware files, it is 75% guaranteed to be an OTA Incremental Update, uncompressed. <Full fw will come only as .OFP or .OPS files, which are not true file extensions... They are identifiers that are created by a specially encoded file generated by 7z after being downloaded from Oppo servers. There's no use trying to find something else that can build or encrypt a working firmware for the OFP format. 7z has been contracted through Oppo to be licensed as their official encryption provider, and the signature used for the encryption mapping exists only on Oppo servers. 7z pulls the signature during official downloads, and then uses the mapping data to make the MSM-flashable OFP file! Either way, this file is technically garbage because once uncompressed, the signature is broken and the MSM tool will perform a 3rd validation and verification check at the 19% marker!> That 3rd check fails almost 50% of the time on OFFICIAL OTA packages, so again this is not an avenue worth walking. Mainly because to get here you have to have already broken the 1st signature, which will usually trigger a fail!
(Check this by entering the "Manifest" folder, whatever they renamed it.... ie MyHeytapp_Manifest or just Manifest... And if there's 1 build.prop, and 2 or 3 more build.prop_xxxxxxxx files also, like build.prop_10100011 and similar, this is an Incremental Update)

3. If you have located an .OFP file... Note that this isn't very hard to find. Most of the firmware links you find on the net will be "ne221x_export________.zip". Or "OnePlus10Pro-ne221x_Full_xxxxxxxxxxxxx.zip", and once you enter whoever... AlzsredGsm... GemFlash... GsmMafia.. Ncrom.com.... Romfirmware.com.... "ThisIsAlreadyYourFirstClue.com", you are accessing an already altered download! Oppo did not give GSMMafia, or anyone for that matter, a link to a FULL OEM build of their firmware that they were authorized to REPACK into a password protected archive for which you must perform any action besides clicking on EXTRACT. This breaks the manufacturer guidelines for sharing files used for repair of their devices. So someone has already downloaded... Decrypted.... And therefore broken the signature of the original archive.... Then they rezipped it into a package with their own password needed to open it.

^=== These packages are renamed and rebranded hundreds of times by everyone, including malicious hackers who will add auto-executing scripts to them, as well as garbage spammers who literally put nothing even related to our phones inside a second zip package that they make you follow steps to "obtain the zip password" for... But no matter how many times you complete the steps, the password is never provided. (These are the most common links being found now, because these garbage people now understand how valuable a FULL BUILD fw package is to the mod communities.) Make no mistake, I'm sure a few of these ACTUALLY DO have a true full build... Because most of them are Oppo employees... So they will provide videos showing the contents of the zip... But I promise you that THIS is not the real file!

Oppo has a ZERO tolerance policy regarding the distribution of any proprietary software used to develop their devices' operating systems. (I challenge ANY OF YOU to provide me with an actual "Oppo/Heytapp SDK".... Heytapp is their official build of ColorOS, which is becoming the standard for all future Oppo/OnePlus phones.... We will have Google if outside China... They will have Heytapp... Both will be based off ColorOS. We are all using a hybrid ColorOS/Oxygen build on the 10 series!... So if you really think ANY Oppo employee is going to risk their career and possibly their freedom by sharing, or risking, the file they are showing in the video to the public... You obviously have never broken a law inside mainland China or worked for a telecom company in India. In China, YES, these guidelines are enforceable by LAWS against providing classified or copy-protected information to an unauthorized source.)

<My father is Senior Director of Sales & Marketing for T-Mobile... HE CANNOT GET ME ANY INFORMATION REGARDING THE FIRMWARE FOR OPPO/ONEPLUS or any other manufacturer of Chinese or Korean origin, and he was the IT and Engineering teams' director as recently as 3 years ago>

.... So if you think AlzharedGSM or whoever has unearthed these VALUABLE files and is willing to give them to you for free... You were also probably waiting for DJT to be re-instated as POTUS on those specially announced dates! (Spoiler.... It didn't happen) 😸

Now an explanation. An "Incremental Update" package does not have authorized programmers that can erase/modify/repair the EFS and NV partitions/files, locked in the critical partitions of your phone... They just don't have that permission, nor the offset info to locate and overwrite the files at those memory addresses. THESE ADDRESSES contain the OEM manifest identifier (10100011 etc.) that YOUR phone was programmed with! These 8 digit numbers each pertain to the ALLOWED manifest that has the entire list of files which are to be sent to your phone. PERIOD!... Manipulating these will at best fail the verification check, thus saving you from the WORST: Deleting your NV or EFS file system, and erasing your IMEI, MAC Address, Baseband, and Device Policy, meaning your phone will NEVER connect to another cellular.. Wi-Fi... Or any network connection without an external network adapter.

I have seen some $750 offline gaming and mp3 players born from people who thought they could outsmart the Manifest identifier... but mostly I've seen unresponsive devices that took opening the phone up and performing several wake-up gestures, then a reflash of the ORIGINAL Carrier or OEM firmware of the exact same build you had just previously tried to escape.

(Keep in mind that 80% of the users who are in need of an MSM flash are there because of improper methods being attempted to gain some form of unauthorized fw change.) OTAs being flashed by the internal 'system update' process are almost 99% impossible to brick your device with. The system update running inside your un-altered firmware performs up to 4 or 5 compatibility checks on the files inside it before allowing the update to proceed. So if you're bricked and in need of an MSM repair, then it's most likely because you forgot to return to full stock before locking your bootloader.... Flashed some janky mod that promised to make your phone become a handheld time machine.... Or zombies were attacking at your door right when you were applying a special "region swapping" method, and you missed a vital step, so now the damn zombies made you brick your phone! <I hate zombies for that!!!> But in most of these cases, having to disassemble your phone, and then pay someone to connect to your computer to send the exact same firmware you were trying to escape from, seems like a facepalm moment!

So back to the topic... The firehose programmers in these Incremental Update packages cannot access the file systems to really change your boot.img... recovery.img... build.prop... or Region/Carrier lock files, because they are protected in the EFS partition. So no matter what name the "official fw" zip you downloaded is showing... flashing EVERY ONE OF THESE PACKAGES is the same as flashing an OTA for your current model. You can flash 2211 over your 2217 phone and yes, some of the APP packages will change, along with the numerical model number in your About Phone section... But nothing that is device specific will be changed... At most this is a cosmetic alteration.

------ Now comes my prior instructional thread explaining how to region swap. I have many, many users who will verify that my method WAS infallible... And did have a super high success rate.... If you have THE EXACT FILES that were used by us to do so.... This was because at the time, Oppo had unknowingly released rollback packages signed with DEVELOPER KEYS.. your build said USER still... But the keys were actually the developer ones, which are capable of changing ANYTHING inside your phone's file system. These original files were linked for exactly 2 1/2 days, then once I identified the process and disclosed it here, Oppo took them down... Edited some minor details, and re-signed them with USER KEYS. Then uploaded them under the exact same file names, and reactivated the links, so that everyone who downloaded the new rollback packs would brick if they used different regions! (Sinister huh?)

13 beta 2 and 13 stable removed the necessity of these changes because they added new region security checks into the updates.
-------+++++++++++++++++++++++---------

Full circle to here. If I can break the signing algorithm of the initial 3% authentication check, then I can create a generic signature that will validate when replayed by anyone.

Under current status though, and with A LOT of specially set conditions, along with a full, valid, ENTIRE capture of YOUR successful prior flash... You could reflash your phone with about a 10% success rate. Requirements: The rollback of your computer's exact date and time (to the minute... Not seconds) that your flash began... The exact same firmware package you had flashed then... Your phone opened and disconnected from the battery, then the Test Pads shorted for EDL.... And possibly some real fairy dust and maybe a leprechaun for luck... Plus the same exact phone you had used for this flash.... <--- has a 10% success rate.. and that's out of maybe 150 attempts I have performed!

This is why I need my 10T bootloader unlocked... because I have crafted a few files that need to be placed into the system/bin folder which will help me identify the garbage of the signature... And also the device specific parts.... these need to be removed precisely, in order for me to submit an exact set of identifiers to someone who can decipher the algorithm used to make the sigs. No number of 10 Pro phones in production will help me isolate the data I need. I need a DIFFERENT MODEL using the same board and chipset such as the 10T... Both Qualcomm... Both Taro.... One is Waipio... Other is Cape.... One is Snapdragon 8450, the other is 8475. These are 2 brothers who will get me closer to the DNA of the signature..

Responsible disclosure won't even let me share how I got this far because I already reported partially to Qualcomm, so I'm now on their radar. But no one is willing to SHARE the POC of the exploit that was fully verified to have dropped a root shell on a phone using my exact same kernel.... The process took all of 3 seconds... I can't re-link the video but several posts back, I supplied it. The technique was dubbed DirtyCred and it's a vulnerability in EVERY Qualcomm phone with a range of kernels.... With a working build of this escalation exploit, I can edit my build.prop and force my bootloader to unlock via that file or the local.prop, or even system props....

This is ALL I NEED to complete the submission and then report to Qualcomm, and because it's an internal flaw, it's only a 30 day NDA, then I can release every bit of what I did, and employ whoever wants to join, in the task of making our own MSM style application that will no longer have an Auth packet, nor a login requirement. And you can flash until your phone disintegrates for all I care!

So I can't link DirtyCred again... But here's the OFFICIAL OnePlus Support link to the page for the In Depth Testing APK for the Singapore OnePlus 10T... Please whoever... Find a way to pull THAT FILE linked on this site... It seems dead... But further research shows it is there... But times out due to some unknown block... But after 3 hours on the phone with 4 different techs at OnePlus... It is confirmed that this file still exists.... albeit with absolutely ZERO chance they will help me obtain it!

Here ya go....: Either this or a working shell exploit to get me r/w access to my build.prop is all I need to get this completed!

Pluhhease don't make me type all that again... Anytime someone asks about why we can't get MSM tool working... Just point them to this post! Thank you!!
[attached screenshot: 1675546806030.png]


Here is what I learned. There are two Obox hosts, one with S and one with O. I believe the S is for Singapore. Slightly changing the URL I get this page.

So, perhaps there are URL changes for the new APK.
[attached screenshot: 1675546898503.png]




[attached screenshot: 1675559916148.png]

Is this worth anything? Found on Obox servers, 4-hour download

@beatbreakee

If you manage to get in contact with Ous techs again, see if you can directly ask them what their URL "code" is. It is simply pointing a DL in the wrong direction.

Their entire Box/Sbox operations use the same links except for the code. That points it to that specific file only. They probably have a different active code.
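The quoted checklist above (a zip with Payload.bin is an OTA; a Manifest folder holding build.prop plus build.prop_xxxxxxxx variants marks an Incremental Update) is easy to automate so a package can be inspected before anyone flashes it. The following is an added example written for this page, not code from the thread or from OnePlus/Oppo; it uses only Python's standard library, the sample zips are constructed in-memory, and the 75%/100% figures quoted in the post are the poster's estimates rather than something the code can verify.

```python
import io
import re
import zipfile

# A build.prop variant whose suffix is an 8-digit manifest identifier,
# e.g. MyHeytapp_Manifest/build.prop_10100011 (pattern taken from the post).
PROP_VARIANT = re.compile(r"(?:^|/)build\.prop_(\d{8})$")


def make_zip(entries):
    """Build an in-memory zip from {path: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_package(zip_bytes):
    """Apply the thread's two markers to a firmware zip.

    Returns {'kind': ..., 'manifest_ids': [...]} where kind is one of
      'ota-payload'  - contains payload.bin, so it is an OTA package
      'incremental'  - a Manifest folder with build.prop and build.prop_NNNNNNNN files
      'unknown'      - neither marker found; do not trust the file name alone
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    # Marker 1: any payload.bin, at the root or nested, means OTA.
    if any(n.lower().rsplit("/", 1)[-1] == "payload.bin" for n in names):
        return {"kind": "ota-payload", "manifest_ids": []}

    # Marker 2: look inside whatever the Manifest folder was renamed to.
    manifest_entries = [n for n in names if "manifest" in n.lower()]
    has_base_prop = any(n.lower().endswith("/build.prop") for n in manifest_entries)
    ids = set()
    for n in manifest_entries:
        m = PROP_VARIANT.search(n)
        if m:
            ids.add(m.group(1))
    ids = sorted(ids)

    if has_base_prop and ids:
        return {"kind": "incremental", "manifest_ids": ids}
    return {"kind": "unknown", "manifest_ids": ids}


def sample_packages():
    """Constructed samples mirroring the three cases in the post."""
    return {
        "ota": make_zip({"payload.bin": b"\x00" * 16,
                         "META-INF/com/android/metadata": b"ota-type=AB\n"}),
        "incremental": make_zip({
            "MyHeytapp_Manifest/build.prop": b"ro.build.id=constructed\n",
            "MyHeytapp_Manifest/build.prop_10100011": b"ro.build.id=constructed\n",
            "MyHeytapp_Manifest/build.prop_10100012": b"ro.build.id=constructed\n",
            "boot.img": b"\x00" * 16,
        }),
        "images_only": make_zip({"boot.img": b"\x00" * 16, "system.img": b"\x00" * 16}),
    }


if __name__ == "__main__":
    for label, blob in sample_packages().items():
        print(label, classify_package(blob))
```

Run it against a real download by passing the file's bytes to classify_package(); an 'unknown' result is a prompt to inspect the archive by hand, not evidence that it is a full build.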
 

ues_t

Senior Member
Jul 16, 2022
114
38
POST https://service-sg.myoppo.com/api/tools/login HTTP/1.1
Host: service-sg.myoppo.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 885

app_id=TOOL&timestamp=1675585175&sign=acd3a6815fefbcda2bad6d5729d07f47&s_msg=BSqAqmze%2FCgxJJtYdOuE0zy4nMWIxwu59jE2RWkJKZ%2B97uV6CNth%2FlrpKGywMtun%0AfAI%2BHFft2uOvtrMlySptKodtCmUS7XwIGP%2BFmyxxZ1djz03aELw6txb2wloZj96S%0A7sxZf5H483YHcvw0Dn6lq2FYvZqAgBOvXigefuFz4f6Jz1DolbERUMRKvK99xDIe%0AWiefoZ5Y8%2B6%2BuLASCNLrkzofTvheHJk7Cqui9AgpTL8YKOKFumrthhJoHEJuo7DW%0ACzEss0WMboh%2F82pklIBfh5iS30kiWLIsU1iPkLMZx5gTDnzo2flyfIR1RTRiw%2Bj4%0AHGhv1krathtLq6pVAI0kbW%2FTvzLYR8sWS21CsxBGeb9R8C2lccxWlI0Atqmn%2BCqV%0AUyoPPmeeAqKLnc9f7fEv7YvqxjNoA4%2BO0hfyui%2BcfvgWaYmE5RCYn7V6166UEFyO%0ARgsN2kuQDIDb5Mjp9fSLa4yHAvvYeblnd1OZy4C5IYtrx89l0m4T86V5MeWctyNC%0AqPRR0QHvxx%2FhVfmPJYndeBu4JJe0Puluv1FbHY45OOpWjtf2EWOw8kN0ir1akIjA%0A%2BZyIbPRTcue%2FzCiHS7%2BS%2BxetSLPkGFVJOzmyoZvV5pYBxITznQecMrS7X0%2B%2BgJTJ%0A%2BWi%2FLJLrMUam2d%2FDaqzaMc%2Fjl8aIsGiyxdDSolVyVKc%3D&s_msg_md_5=3b48c25ea4afb5b93d88c5b86fe3501f
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 521
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
Date: Sun, 05 Feb 2023 08:19:36 GMT

{"Data":{"response":{"message":"0000","token":"78a18cdc-0a1a-47a3-8e00-f02ae76fe8a7","status":"0","countryname":"EG","usertype":"7","signData":"DtStgb8TWMqCvjrbE3XgUodPSAkc/l5CQHWNsZRtW4ZX1vLPT1BCXrEtu0MCVIO3qkLr1d5C689a/EtYmYvqtiWaOzLKlsS2BhV7nfTGwMWu3gLzjXi3U98iy97c0l83i+GGKA77SoZPrhoUcau5tskQJRr6PZ+hEPL0/xTUVKdwX0kk7RKBk9dbwZ0fiIH53g2m/ixeT37vGZ+wn6E2zAiKuLwxsnqSN1Wl+d3tH55in3mzwfa57BP4tMb2SNb8bkKJ1p9AKXR7Zm/pNkmcGCm7RwmN7HoIQBMOx22dBZJUrAfCCk5PlyYoNyUYLNDrrZzGG1mTeL/2+9jUYMeg4Q=="}},"ErrorCode":0,"Message":null}
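The capture above carries a timestamp and a sign field, and the quoted post explains why replaying such a request fails: the server recomputes the check from the current time and client-specific values. The block below is an added illustration of that defensive pattern in generic form, written for this page; it is an assumed HMAC construction with a constructed secret and constructed client values, not Oppo's or the msmtool's actual algorithm, which the thread does not disclose.

```python
import hashlib
import hmac
import time

# Constructed demo values: a real server keeps its signing secret private
# and never ships it inside a client tool.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
REPLAY_WINDOW_S = 120  # assumed tolerance for client/server clock skew


def sign_login(secret, app_id, client_id, timestamp, fw_checksum):
    """HMAC over the fields the post says feed the check: a client identifier,
    the request timestamp and the firmware checksum. Assumed construction."""
    msg = "|".join([app_id, client_id, str(timestamp), fw_checksum]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class LoginVerifier:
    """Server-side check: fresh timestamp, valid MAC, and not accepted before."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now      # injectable clock so the demo is deterministic
        self.seen = set()   # (client_id, timestamp, sign) tuples already accepted

    def verify(self, app_id, client_id, timestamp, fw_checksum, sign):
        if abs(int(self.now()) - timestamp) > REPLAY_WINDOW_S:
            return "rejected: timestamp outside window"
        expected = sign_login(self.secret, app_id, client_id, timestamp, fw_checksum)
        if not hmac.compare_digest(expected, sign):
            return "rejected: bad signature"
        key = (client_id, timestamp, sign)
        if key in self.seen:
            return "rejected: replay"
        self.seen.add(key)
        return "ok"


def demo():
    """Walk through the scenarios discussed in the thread and return each outcome."""
    clock = {"t": 1_700_000_000}  # constructed epoch time
    server = LoginVerifier(SERVER_SECRET, now=lambda: clock["t"])
    req = dict(app_id="TOOL",
               client_id="02:00:00:aa:bb:cc",  # constructed client MAC
               timestamp=clock["t"],
               fw_checksum="0" * 64)           # constructed firmware digest
    sig = sign_login(SERVER_SECRET, **req)

    results = [server.verify(**req, sign=sig)]        # genuine first use
    results.append(server.verify(**req, sign=sig))    # same capture replayed at once
    clock["t"] += 3600
    results.append(server.verify(**req, sign=sig))    # replayed an hour later
    clock["t"] -= 3600
    other = dict(req, client_id="02:00:00:dd:ee:ff")  # different machine, same capture
    results.append(server.verify(**other, sign=sig))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The three rejections are the point: a recorded request is bound to a time window, to the client it was issued for, and to a single use, so a captured login blob cannot be played back from another machine or at another time even when the transport is fully visible.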
 

Mirak97

Member
Oct 3, 2017
41
9
Ok ... To rehash on the original idea of packet sniffing... This method was already put into action which spawned this nightmare thread. 1st question: "can we use packet sniffer to capture the login/auth token?"
A:. Yes you can use it to capture the Login token and then replay that with fiddler ... Or similar BUT HERES THE CAVEAT. The msmtool that was authored originally by Qualcomm has been disgustingly re-written by BBK (Oppo, realme, Xiaomi, OnePlus...) .. they took the original and added ANOTHER authentication check for authorization. <=== This IS NOT able to be replayed or spoofed. it is calculated ON THE FLY by a combination of the timestamp from the internal servers at Oppo, the authenticated Mac address of that server... (Remember the special "Address" that was needed for the secrecy.exe, engineering mode unlock tool. That just stopped working and gave 'error invalid signature' around October-ish... That was a Mac address) .... So those 2 variables are then sent into an algorithm along with YOUR computers Mac address... Time stamp, and the checksum of the firmware you're flashing which has weaknesses ... But so far not exploitable!

If you use the packet capture or even the USB capture from the previously authorized flash, it will fail! Thus the 3% error that has been the blockade for now. I have attacked it every way possible and because of my vocal account of doing so, I was in turn snitched on by an xda member, and sent a cease and desist letter from BBK/OPPO. But I am WAYYYYY past that now.

THIS is the algorithm that I am currently attempting to break, with permission granted by a Qualcomm Principal Engineer. As long as I follow responsible disclosure guidelines. This is the whole reason of the inherent silence as to specific tactics I've employed in breaking thru. I cannot reveal what has been successful or necessarily failed, if it has ties to the vulnerable weak points of the signature check. But one thing I can disclose is that the Oppo auth token, and the Qualcomm VIP Auth token are NOT related!

The msmtool as we know it now, does not use the built in Sahara firehose that is included in the firmware zip. That is in my best guess a decoy! The reason I say this is because it has been verified to me at Qualcomm, that they insisted to BBK, Samsung and others that they no longer include their firehose programmers, inside their official firmware packages. This is because as of the OnePlus 10 series, OPPO/OnePlus will NO LONGER be supplying FULL FIRMWARE packages to download via system restore or ANY OTHER official channels.

You all may THINK or ASSUME that you have found a "Full firmware" link....but I strongly contest those claims as I have over 200 firmware packages for the 2210,2211,2213,2215,2217 , 2413,2415,2417,2419 models which covers EVERY VERSION of our 10 Pro as well as the 10T... Ranging from 11_a
04 up to 12_c.23. ... I have unreleased firmware packs as well. I have OFP, ZIP, OPS, and PAYLOAD.BIN in my collection... This is an almost 7tb collection of the firmwares that are accessible thru Chinese, Russian, Indian, EU, North American, Korean, Singapore, and Indonesian servers... Some are directly plucked from Oppo's, once weakly secured server. (Now using a stronger firewall)

You can test this theory yourself on any package you claim is an actual FULL BUILD.
1. If it's any kind of a zip with a Payload.bin file... It's 100% an OTA fw.

2. If the zip package contains an already unzipped folder of firmware files, it is 75% guaranteed to be an OTA Incremental Update uncompressed. <Full fw will come only as .OFP or .OPS files which are not true file extensions... They are identifiers that are created by a specially encoded file generated by 7z after being downloaded from Oppo servers. There's no use trying to find something else that can build or encrypt a working firmware for the OFP format. 7z has been contracted thru Oppo to be licensed as their official encryption provider, and the signature used for the encryption mapping exist only on Oppo servers. 7z pulls the signature during official downloads, and then uses the mapping data to make the MsM flash able OFP file! Either way, this file is technically garbage because once uncompressed, the signature is broken and the MsM tool will perform a 3rd validation and verification check at the 19% marker!> That 3rd check fails almost 50% of the time on OFFICIAL OTA packages so again this is not an avenue worth walking. Mainly because to get here you have to have already broken the 1st signature, which will usually trigger a fail!
(Check this by entering the "Manifest" folder whatever they renamed it.... ie MyHeytapp_Manifest or just Manifest... And if there's 1- build.prop , and 2 or 3 more build.prop_xxxxxxxx files also like build.prop_10100011 and similar, This is an Incremental Update)

3. If you have located an .OFP file... Note that this isn't very hard to find. Most of the firmware links you find on the net will be "ne221x_export________.zip". Or "OnePlus10Pro-ne221x_Full_xxxxxxxxxxxxx.zip" and once you enter whoever... AlzsredGsm...GemFlash...GsmMafia.. Ncrom.com.... Romfirmware.com.... "ThisIsAlreadyYourFirstClue.com" that you are accessing an already altered download! Oppo did not give GSMMafia or anyone for that matter, a link to a FULL OEM build of their firmware, that they were authorized to REPACK into a password protected archive that you must perform any action besides clicking on EXTRACT. This breaks the mfg guidelines for sharing files used for repair of their devices. So someone has already downloaded... Decrypted.... And therefore broken the signature of the original archive.... Then they rezipped it into a package with their own password needed to open it.

^=== These packages are renamed, and rebranded 100's of times by everything including malicious hackers who will add auto executing scripts to them, as well as garbage spammers who literally put nothing even related to our phones, inside a second zip package that they make you follow steps to "obtain the zip password"... But no matter how many times you complete the steps, the password is never provided. (These are the most common links being found now cuz these garbage people now understand how valuable a FULL BUILD fw package is to the mod communities) make no mistake. I'm sure a few of these ACTUALLY DO have a true full build... Because most of them are Oppo employees... So they will provide videos showing the contents of the zip... But I promise you that THIS is not the real file!

Oppo has a ZERO tolerance policy regarding the distribution of any proprietary software used to develop their devices operating systems. (I challenge ANY OF YOU to provide me with an actually, "Oppo/Heytapp SDK". ... Heytapp is their official builds for ColorOs which is becoming the standard for all future Oppo/OnePlus phones.... We will have Google if outside China... They will have Heytapp... Both will be based off ColorOs. We are all using a Hybrid ColorOs/Oxygen build on the 10 series! ... So if you really think ANY Oppo employee is going to risk their career and possibly their freedom by sharing or risking the file they are showing in the video, to the public... You obviously have never broken a law inside china mainland or worked for a telecom company in India. In China, YES these guidelines are enforceable by LAWS! Against providing classified or copy protected information to an unauthorized source.

<My father is Senior Director of Sales & Marketing for T-Mobile... HE CANNOT GET ME ANY INFORMATION REGARDING THE FIRMWARE FOR OPPO/ONEPLUS or any other manufacturer of Chinese or Korean origin, and he was the IT and Engineering teams director as recently as 3 years ago>

.... So if you think AlzharedGSM or whoever has unearthed these VALUABLE files, and are willing to give to you for free... You were also probably waiting for DJT to be re-instated as POTUS on those specially announced dates! (Spoiler.... It didn't happen) 😸

Now an explanation. An "Incremental Update" package does not have authorized programmers that can erase/modify/repair the EFS and NV partitions/files, locked in the critical partitions of your phones... They just don't have that permission, nor the offset info to locate and overwrite the files in those memory addresses. THESE ADDRESSES contain the OEM manifest identifier (10100011 etc) that YOUR phone was programmed with! These 8 digit numbers each pertain to the ALLOWED manifest that has the entire list of files which are to be sent to your phone. PERIOD!... manipulating these will at best , fail the verification check thus saving you from the, WORST: Deleting your NV or EFS file system, and erasing your IMEI, Mac Address, Baseband, and Device Policy, meaning your phone will NEVER connect to another cellular ..wifi... Or any network connection without an external network adapter.

I have seen some $750 offline gaming and mp3 players born from ppl who thought they could outsmart the Manifest identifier...but mostly I've seen unresponsive devices that took opening the phone up and performing several wake up gestures, then a reflash of the ORIGINAL Carrier or OEM firmware of the exact same build you had just previously tried to escape.

(Keep in mind that 80% of the users who are in need of an MSM flash are because of improper methods being attempted to gain some form of unauthorized fw change.) OTAs being flashed by the internal 'system update' process are almost 99% impossible to brick your device with. The system update running inside your un-altered firmware performs up to 4 or 5 compatibility checks on the files inside it before allowing the update to proceed. So if you're bricked and in need of an MSM repair, then it's most likely because you forgot to return to full stock before locking your bootloader.... Flashed some janky mod that promised to make your phone become a handheld time machine.... Or zombies were attacking at your door right when you were applying a special "region swapping" method, and you missed a vital step, so now the damn zombies made you brick your phone! <I hate zombies for that!!!>. But in most of these cases, having to disassemble your phone, and then pay someone to connect to your computer to send the exact same firmware you were trying to escape from, seems like a facepalm moment!

So back to the topic... The firehose programmers in these Incremental Update packages cannot access the file systems to really change your boot.img... recovery.img.... build.prop... or Region/Carrier lock files, because they are protected in the EFS partition. So no matter what name the "official fw" zip you downloaded is showing... flashing EVERY ONE OF THESE PACKAGES is the same as flashing an OTA for your current model. You can flash 2211 over your 2217 phone and yes, some of the APP packages will change, along with the numerical model number in your About Phone section ... But nothing that is device specific will be changed ... At most this is a cosmetic alteration.

------ Now comes my prior instructional thread explaining how to region swap. I have many many users who will verify that my method WAS infallible... And did have a super high success rate.... If you have THE EXACT FILES that were used by us to do so.... This was because at the time, Oppo had unknowingly released rollback packages signed with DEVELOPER KEYS .. your build said USER still... But the keys were actually the developer ones which are capable of changing ANYTHING inside your phone's file system. These original files were linked for exactly 2 1/2 days, then once I identified the process and disclosed it here, Oppo took them down... Edited some minor details, and re-signed them with USER KEYS. Then uploaded them under the exact same file names, and reactivated the links, so that everyone who downloaded the new rollback packs would brick if they used different regions! (Sinister huh?)

13 beta 2 and 13 stable removed the necessity of these changes because they added new region security checks into the updates.
-------+++++++++++++++++++++++---------

Full circle to here. If I can break the signing algorithm of the initial 3% authentication check, then I can create a generic signature that will validate when replayed by anyone.

Under current status though, and with A LOT of specially set conditions, along with a full valid, ENTIRE capture of YOUR successful prior flash... You could reflash your phone with about a 10% success rate. Requirements: The rollback of your computer's exact date and time (to the minute... Not seconds) that your flash began... The exact same firmware package you had flashed then... Your phone opened and disconnected from the battery, then the Test Pads shorted for EDL.... And possibly some real fairy dust and maybe a leprechaun for luck... Plus the same exact phone you had using this flash.... <--- has a 10% success rate .. and that's out of maybe 150 attempts I have performed!

This is why I need my 10T bootloader unlocked... because I have crafted a few files that need to be placed into the system/bin folder which will help me identify the garbage of the signature... And also the device specific parts.... these need to be removed precisely, in order for me to submit an exact set of identifiers to someone who can decipher the algorithm used to make the sigs. No number of 10 Pro phones in production will help me isolate the data I need. I need a DIFFERENT MODEL using the same board and chipset such as the 10T... Both Qualcomm... Both Taro.... One is Waipio... Other is Cape.... One is Snapdragon 8450, other is 8475. These are 2 brothers who will get me closer to the DNA of the signature..

Responsible disclosure won't even let me share how I got this far because I already reported partially to Qualcomm so I'm now on their radar. But no one is willing to SHARE the POC of the exploit that was fully verified to have dropped a root shell on a phone using my exact same kernel .... The process took all of 3 seconds... I can't re-link the video but several posts back, I supplied it. The technique was dubbed DirtyCred and it's a vulnerability in EVERY Qualcomm phone with a range of kernels.... With a working build of this Escalation exploit, I can edit my build.prop and force my bootloader to unlock via that file or the local.prop, or even system props....

This is ALL I NEED to complete the submission and then report to Qualcomm, and because it's an internal flaw, it's only a 30 day NDA, then I can release every bit of what I did, and employ whoever wants to join, in the task of making our own MSM style application that will no longer have an Auth packet, nor a login requirement. And you can flash until your phone disintegrates for all I care!

So I can't link DirtyCred again... But here's the OFFICIAL OnePlus Support link to the page for the In Depth Testing APK for the Singapore OnePlus 10T ... Please whoever ... Find a way to pull THAT FILE linked on this site... It seems dead ... But further research shows it is there... But times out due to some unknown block... But after 3 hours on the phone with 4 different techs at OnePlus... It is confirmed that this file still exists.... albeit with absolutely ZERO chance they will help me obtain it!

Here ya go....: Either this or a working shell exploit to get me r/w access to my build.prop, is all I need to get this completed!




Pluhhease don't make me type all that again... Anytime someone asks about why we can't get MSM tool working... Just point them to this post! Thank you!!
won't older testing apps work?
 

Renate

Recognized Contributor / Inactive Recognized Dev
Not that it tells us a whole lot more, but the signData of @ues_t is 256 bytes, base64 encoded:
Code:
00  0e d4 ad 81 bf 13 58 ca 82 be 3a db 13 75 e0 52
10  87 4f 48 09 1c fe 5e 42 40 75 8d b1 94 6d 5b 86
20  57 d6 f2 cf 4f 50 42 5e b1 2d bb 43 02 54 83 b7
30  aa 42 eb d5 de 42 eb cf 5a fc 4b 58 99 8b ea b6
40  25 9a 3b 32 ca 96 c4 b6 06 15 7b 9d f4 c6 c0 c5
50  ae de 02 f3 8d 78 b7 53 df 22 cb de dc d2 5f 37
60  8b e1 86 28 0e fb 4a 86 4f ae 1a 14 71 ab b9 b6
70  c9 10 25 1a fa 3d 9f a1 10 f2 f4 ff 14 d4 54 a7
80  70 5f 49 24 ed 12 81 93 d7 5b c1 9d 1f 88 81 f9
90  de 0d a6 fe 2c 5e 4f 7e ef 19 9f b0 9f a1 36 cc
a0  08 8a b8 bc 31 b2 7a 92 37 55 a5 f9 dd ed 1f 9e
b0  62 9f 79 b3 c1 f6 b9 ec 13 f8 b4 c6 f6 48 d6 fc
c0  6e 42 89 d6 9f 40 29 74 7b 66 6f e9 36 49 9c 18
d0  29 bb 47 09 8d ec 7a 08 40 13 0e c7 6d 9d 05 92
e0  54 ac 07 c2 0a 4e 4f 97 26 28 37 25 18 2c d0 eb
f0  ad 9c c6 1b 59 93 78 bf f6 fb d8 d4 60 c7 a0 e1
Presumably this is the response directly from the device to the EDL <getsigndata/> query.

This is the more interesting base64 decoded data from that 700 Meg USB capture from earlier here:
Code:
000  4f 53 49 47 00 00 00 00 30 00 00 00 00 00 00 00  OSIG....0.......
010  64 33 32 37 37 30 63 65 00 00 00 00 00 00 00 00  d32770ce........
020  47 37 67 76 65 5a 72 63 70 32 36 4c 72 51 6c 34  G7gveZrcp26LrQl4
030  74 61 72 6f 00 00 00 00 00 00 00 00 00 00 00 00  taro............
040  31 30 30 31 30 31 31 31 00 00 00 00 00 00 00 00  10010111........
050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
060  81 64 29 64 ed 5f ba 1b 76 e5 bd 3a 45 01 5a 09  .d)d._..v..:E.Z.
070  1f 50 0d bd f3 d0 13 d4 05 1a 33 fd 0b 4b f1 1f  .P........3..K..
080  b9 69 e4 22 03 de cd 1d 2e 75 35 b1 f9 43 42 2d  .i.".....u5..CB-
090  67 c4 86 56 00 1f 8c bd 1d b4 d0 56 da fb 85 19  g..V.......V....
0a0  c2 d1 64 3c 88 61 8e 9d 0f 6c 78 5d cd 6c 94 57  ..d<.a...lx].l.W
0b0  81 33 1d 10 db b5 53 c3 b7 7e 39 15 d7 0b e4 67  .3....S..~9....g
0c0  bc d6 f0 1f c9 42 3f 5f 22 06 e8 65 88 63 a7 12  .....B?_"..e.c..
0d0  9b c1 b9 c6 da f2 35 36 04 03 b9 ba 06 f5 5b b8  ......56......[.
0e0  b5 f5 da 43 0f dc 65 19 16 e2 d9 85 da 5d d0 f7  ...C..e......]..
0f0  ad 22 35 14 40 cc 51 cb 01 a3 ae a6 e1 50 07 54  ."5.@.Q......P.T
100  fd c3 f1 dc e0 58 f4 a7 c6 b1 c6 f4 f1 03 a0 f1  .....X..........
110  3b 19 8e de dc 00 06 2d 69 82 2f d0 48 fa 7d da  ;......-i./.H.}.
120  aa 4a f0 e1 b6 ad f4 33 d6 37 de 59 3d 3e c4 54  .J.....3.7.Y=>.T
130  bf a6 f3 d0 cb 70 26 69 b2 ec f6 ed c8 e2 90 cb  .....p&i........
140  de 09 90 02 08 db 14 c8 b2 7d 32 92 81 5f 82 c9  .........}2.._..
150  e3 07 d1 d0 b8 f6 07 05 bd fa e6 96 ec e8 bb 54  ...............T
This is 256 bytes with a 96-byte header added. Notice that 8-bit binary "10010111".

So, stupid question: Why has nobody tried a generic EDL client and run the <getsigndata/>?
Just run the darn thing twice and confirm that it returns different data each time.
Just use whatever Firehose loader you have and the "xml" option with the Python EDL client.
 
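As an added example, not code from Renate's post or from any OnePlus/Oppo tool: a small parser for the 352-byte blob dumped above, plus the run-it-twice comparison the post asks for. The "OSIG" magic is the only field name taken from the data itself; the other names are assumptions read off the dump, and the second capture used in the comparison is constructed.

```python
"""Parse the OSIG blob from Renate's hex dump (96-byte header + 256-byte signature).

Added example. Apart from the "OSIG" magic, every field name here is an
assumption read off the dump, not a documented structure.
"""

# The blob exactly as dumped in the post: offset, 16 hex bytes, ASCII column.
OSIG_DUMP = """\
000  4f 53 49 47 00 00 00 00 30 00 00 00 00 00 00 00  OSIG....0.......
010  64 33 32 37 37 30 63 65 00 00 00 00 00 00 00 00  d32770ce........
020  47 37 67 76 65 5a 72 63 70 32 36 4c 72 51 6c 34  G7gveZrcp26LrQl4
030  74 61 72 6f 00 00 00 00 00 00 00 00 00 00 00 00  taro............
040  31 30 30 31 30 31 31 31 00 00 00 00 00 00 00 00  10010111........
050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
060  81 64 29 64 ed 5f ba 1b 76 e5 bd 3a 45 01 5a 09  .d)d._..v..:E.Z.
070  1f 50 0d bd f3 d0 13 d4 05 1a 33 fd 0b 4b f1 1f  .P........3..K..
080  b9 69 e4 22 03 de cd 1d 2e 75 35 b1 f9 43 42 2d  .i.".....u5..CB-
090  67 c4 86 56 00 1f 8c bd 1d b4 d0 56 da fb 85 19  g..V.......V....
0a0  c2 d1 64 3c 88 61 8e 9d 0f 6c 78 5d cd 6c 94 57  ..d<.a...lx].l.W
0b0  81 33 1d 10 db b5 53 c3 b7 7e 39 15 d7 0b e4 67  .3....S..~9....g
0c0  bc d6 f0 1f c9 42 3f 5f 22 06 e8 65 88 63 a7 12  .....B?_"..e.c..
0d0  9b c1 b9 c6 da f2 35 36 04 03 b9 ba 06 f5 5b b8  ......56......[.
0e0  b5 f5 da 43 0f dc 65 19 16 e2 d9 85 da 5d d0 f7  ...C..e......]..
0f0  ad 22 35 14 40 cc 51 cb 01 a3 ae a6 e1 50 07 54  ."5.@.Q......P.T
100  fd c3 f1 dc e0 58 f4 a7 c6 b1 c6 f4 f1 03 a0 f1  .....X..........
110  3b 19 8e de dc 00 06 2d 69 82 2f d0 48 fa 7d da  ;......-i./.H.}.
120  aa 4a f0 e1 b6 ad f4 33 d6 37 de 59 3d 3e c4 54  .J.....3.7.Y=>.T
130  bf a6 f3 d0 cb 70 26 69 b2 ec f6 ed c8 e2 90 cb  .....p&i........
140  de 09 90 02 08 db 14 c8 b2 7d 32 92 81 5f 82 c9  .........}2.._..
150  e3 07 d1 d0 b8 f6 07 05 bd fa e6 96 ec e8 bb 54  ...............T
"""

HEADER_LEN = 96
SIG_LEN = 256


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw bytes from 'offset  16 hex bytes  ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 17:
            continue  # blank or truncated line
        if int(parts[0], 16) != len(out):
            raise ValueError(f"dump is not contiguous at offset {parts[0]}")
        out += bytes(int(tok, 16) for tok in parts[1:17])
    return bytes(out)


def _cstr(field: bytes) -> str:
    """Zero-padded ASCII field -> str (stops at the first NUL)."""
    return field.split(b"\x00", 1)[0].decode("ascii")


def parse_osig(blob: bytes) -> dict:
    """Split the blob into its header fields and the trailing 256-byte signature."""
    if len(blob) != HEADER_LEN + SIG_LEN:
        raise ValueError(f"expected {HEADER_LEN + SIG_LEN} bytes, got {len(blob)}")
    if blob[:4] != b"OSIG":
        raise ValueError("missing OSIG magic")
    return {
        "magic": blob[0:4],
        "word_0x08": int.from_bytes(blob[8:12], "little"),  # 0x30 here; meaning unknown
        "field_0x10": _cstr(blob[0x10:0x20]),  # "d32770ce": 8 hex chars, purpose unknown
        "field_0x20": _cstr(blob[0x20:0x30]),  # 16-char alphanumeric token, purpose unknown
        "platform": _cstr(blob[0x30:0x40]),    # "taro", the SoC platform name
        "bits_0x40": _cstr(blob[0x40:0x50]),   # the 8-digit 0/1 string Renate points at
        "reserved": blob[0x50:0x60],           # all zero in this capture
        "signature": blob[0x60:],              # 256 bytes: RSA-2048 sized, algorithm not established
    }


def compare_captures(first: bytes, second: bytes) -> dict:
    """Renate's run-it-twice check: which fields change between two responses?

    Same header but a different signature means the signed input includes
    something not shown here (or the scheme is randomized); two identical
    blobs would mean the response is static.
    """
    a, b = parse_osig(first), parse_osig(second)
    changed = [name for name in a if a[name] != b[name]]
    differing = sum(x != y for x, y in zip(a["signature"], b["signature"]))
    return {"changed_fields": changed, "signature_bytes_differing": differing}


if __name__ == "__main__":
    blob = hexdump_to_bytes(OSIG_DUMP)
    for name, value in parse_osig(blob).items():
        shown = value.hex() if isinstance(value, bytes) and len(value) > 4 else value
        print(f"{name:>12}: {shown}")
    # Constructed second capture: same header, different signature bytes.
    other = blob[:HEADER_LEN] + bytes((i * 7 + 3) & 0xFF for i in range(SIG_LEN))
    print(compare_captures(blob, other))
```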

ues_t

Senior Member
Jul 16, 2022
114
38
No, this is just the login information for the msmtool tool
 

Mirak97

Member
Oct 3, 2017
41
9
Ok ... To rehash on the original idea of packet sniffing... This method was already put into action which spawned this nightmare thread. 1st question: "can we use packet sniffer to capture the login/auth token?"
A: Yes, you can use it to capture the login token and then replay that with Fiddler... Or similar, BUT HERE'S THE CAVEAT. The msmtool that was authored originally by Qualcomm has been disgustingly re-written by BBK (Oppo, realme, Xiaomi, OnePlus...) .. they took the original and added ANOTHER authentication check for authorization. <=== This IS NOT able to be replayed or spoofed. It is calculated ON THE FLY by a combination of the timestamp from the internal servers at Oppo, the authenticated MAC address of that server... (Remember the special "Address" that was needed for the secrecy.exe engineering mode unlock tool, that just stopped working and gave 'error invalid signature' around October-ish... That was a MAC address) .... So those 2 variables are then sent into an algorithm along with YOUR computer's MAC address... timestamp, and the checksum of the firmware you're flashing, which has weaknesses ... But so far not exploitable!

If you use the packet capture or even the USB capture from the previously authorized flash, it will fail! Thus the 3% error that has been the blockade for now. I have attacked it every way possible and because of my vocal account of doing so, I was in turn snitched on by an xda member, and sent a cease and desist letter from BBK/OPPO. But I am WAYYYYY past that now.

THIS is the algorithm that I am currently attempting to break, with permission granted by a Qualcomm Principal Engineer, as long as I follow responsible disclosure guidelines. This is the whole reason for the inherent silence as to specific tactics I've employed in breaking thru. I cannot reveal what has been successful or necessarily failed, if it has ties to the vulnerable weak points of the signature check. But one thing I can disclose is that the Oppo auth token and the Qualcomm VIP Auth token are NOT related!

The msmtool as we know it now, does not use the built in Sahara firehose that is included in the firmware zip. That is in my best guess a decoy! The reason I say this is because it has been verified to me at Qualcomm, that they insisted to BBK, Samsung and others that they no longer include their firehose programmers, inside their official firmware packages. This is because as of the OnePlus 10 series, OPPO/OnePlus will NO LONGER be supplying FULL FIRMWARE packages to download via system restore or ANY OTHER official channels.

You all may THINK or ASSUME that you have found a "Full firmware" link.... but I strongly contest those claims as I have over 200 firmware packages for the 2210, 2211, 2213, 2215, 2217, 2413, 2415, 2417, 2419 models which covers EVERY VERSION of our 10 Pro as well as the 10T... Ranging from 11_a04 up to 12_c.23. ... I have unreleased firmware packs as well. I have OFP, ZIP, OPS, and PAYLOAD.BIN in my collection... This is an almost 7 TB collection of the firmwares that are accessible thru Chinese, Russian, Indian, EU, North American, Korean, Singapore, and Indonesian servers... Some are directly plucked from Oppo's once weakly secured server. (Now using a stronger firewall)

You can test this theory yourself on any package you claim is an actual FULL BUILD.
1. If it's any kind of a zip with a Payload.bin file... It's 100% an OTA fw.

2. If the zip package contains an already unzipped folder of firmware files, it is 75% guaranteed to be an OTA Incremental Update uncompressed. <Full fw will come only as .OFP or .OPS files which are not true file extensions... They are identifiers that are created by a specially encoded file generated by 7z after being downloaded from Oppo servers. There's no use trying to find something else that can build or encrypt a working firmware for the OFP format. 7z has been contracted thru Oppo to be licensed as their official encryption provider, and the signature used for the encryption mapping exists only on Oppo servers. 7z pulls the signature during official downloads, and then uses the mapping data to make the MSM-flashable OFP file! Either way, this file is technically garbage because once uncompressed, the signature is broken and the MSM tool will perform a 3rd validation and verification check at the 19% marker!> That 3rd check fails almost 50% of the time on OFFICIAL OTA packages so again this is not an avenue worth walking. Mainly because to get here you have to have already broken the 1st signature, which will usually trigger a fail!
(Check this by entering the "Manifest" folder whatever they renamed it.... ie MyHeytapp_Manifest or just Manifest... And if there's 1- build.prop , and 2 or 3 more build.prop_xxxxxxxx files also like build.prop_10100011 and similar, This is an Incremental Update)

3. If you have located an .OFP file... Note that this isn't very hard to find. Most of the firmware links you find on the net will be "ne221x_export________.zip". Or "OnePlus10Pro-ne221x_Full_xxxxxxxxxxxxx.zip" and once you enter whoever... AlzsredGsm...GemFlash...GsmMafia.. Ncrom.com.... Romfirmware.com.... "ThisIsAlreadyYourFirstClue.com" that you are accessing an already altered download! Oppo did not give GSMMafia or anyone for that matter, a link to a FULL OEM build of their firmware, that they were authorized to REPACK into a password protected archive that you must perform any action besides clicking on EXTRACT. This breaks the mfg guidelines for sharing files used for repair of their devices. So someone has already downloaded... Decrypted.... And therefore broken the signature of the original archive.... Then they rezipped it into a package with their own password needed to open it.

^=== These packages are renamed and rebranded 100s of times by everything including malicious hackers who will add auto executing scripts to them, as well as garbage spammers who literally put nothing even related to our phones inside a second zip package that they make you follow steps to "obtain the zip password"... But no matter how many times you complete the steps, the password is never provided. (These are the most common links being found now cuz these garbage people now understand how valuable a FULL BUILD fw package is to the mod communities) Make no mistake, I'm sure a few of these ACTUALLY DO have a true full build... Because most of them are Oppo employees... So they will provide videos showing the contents of the zip... But I promise you that THIS is not the real file!

btw have you tried this tool
 

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
We've LOOONG bypassed the sign in data... See the pic? Look at my username.. we've cracked it to where u can literally enter ANYTHING into the user id and pword fields and get signed in... That's not the problem.. the problem comes at 3% ... There is a direct communication from the app to the Oppo MSM server that requests an AUTH packet.... THIS packet consists of all that stuff I mentioned earlier.... MSM server timestamp, currently authorized MAC address, plus your PC MAC address, login details, and the checksum of the firmware you're trying to validate! THERE IS NO WAY AROUND THIS! It is an almost GUARANTEED FAIL....

#1. Because if you use SPOOFED LOGIN data, that's an instant fail. Since early August all Oppo employees use DAILY EXPIRING passwords... No password has lasted 2 days since! So you end up replaying an old login to get into the software... Sure ... You're in.... But when that data is sent by the REAL TIME check into whatever algorithm, IT WILL NOT PASS! because the login info is not valid anymore. But even worse... No one knows the MAC address nor the new switching scheme employed by Oppo to keep it changing. This was the outcome of the Oppo people that put the secrecy unlock videos up, with the KM-Loopback adapter.... Oppo does not like when they are humiliated... ALL OF THIS is because of how OnePlus was made to look like a fool in 2017 when someone found that ONLY OnePlus phones had a secret backdoor built into the engineering app, that had a password directly taken from the Mr. Robot TV series. It made them look like fools cuz all I had to do was access one screen of engineering, type ANGELA for the pword, and you were immediately given a "#" root shell. FULL BLOWN SYSTEM ACCESS with a gag for a password! In 2018 MSM tool began hardening, and Oppo started full takeover of OnePlus..... Y'all don't get it but the Chinese manufacturers have VERY LARGE EGOS... And take ANY blow to their ego as an active threat! Supposedly this is the cannonball that sunk the original OnePlus head's ship... Now the head of Oppo is the head of OnePlus, and anyone here who knows Oppo phones knows that THEY DO NOT PLAY when it comes to locking their crap down! Well, now WE have that guy!
 

beatbreakee

Senior Member
Aug 10, 2015
287
410
Frisco
Samsung Galaxy S10
Oh... So again... NO we are past being able to log in to the app.... We are at the Authentication packets being requested from the server at the 3% mark... You cannot skip it cuz using x64dbg or x32dbg (depending on which download tool .exe you're editing) trying to simply jump the authorization to an authorized response will make an immediate "package validation timeout" response in the app... Spoofing an older authorization will fail cuz without valid login info, the timestamp, and the correct server MAC address it will return an invalid signature to the app.... Thus my previous point where I have a total of 164 Attempts..... (Y'all are really making me retype this crap after I asked specifically not to! Killing me!).

164 attempts - Change internal computer clock back to exact time indicated in the captured info + opening the phone to disconnect from battery (otherwise the internal timestamp will fail due to not matching with the computer) + shorting out the test points to enter EDL + loading the EXACT SAME fw package as sent during the capture + spoofing the login at the exact time that it was captured ... Along with a leprechaun and some fairy dust, HAD A 10% SUCCESS RATE! ....... 10% .... THAT MEANS THAT I LITERALLY HAD 17 PASSES OUT OF 164 ATTEMPTS! ... <===== This would help absolutely NONE of you, because you do not have MY COMPUTER MAC address.... Timestamp... My phone (which is not confirmed but being that it can make the timestamp fail, I would bet that it has some value in the signature) .... And the full capture data from my successful flash..... While many of you MIGHT think that's no biggie... I am willing to bet that less than 1% of you will be willing to publicly disclose your personal computer's MAC address and IP address right here right now! ..... Secondly, of those who might be willing to share such data, how many of you have a successful full flash capture saved to share with the group/public?

See the problems??? Until I crack that damn algorithm there is slightly less than the odds of finding a genie, that someone else will crack the tool... Mainly because I have put almost 5 weeks @ 10-12 hrs A DAY into breaking this.... All the way to the point that it has jeopardized my personal life, because of the amount of time invested killing a lot of my work time... So bills have stacked up. Some ppl are oblivious to the amount of effort that goes into making these kinds of mods, hacks, custom built roms, or other things we develop for you all, FOR FREE! .... I want a free MSM tool just as bad as you all do... (Actually probably much more considering how hard I've been working on it) but there are limitations as to what can just be produced....

You all should thank the heck out of Canuck Knarf, cuz he has literally been the backbone of this research.... He has bought me nearly 15 OTP tokens at $8 each, plus purchased an MSM Oppo account from a sketchy dude @ $1400! (Don't know if I was to share that bro... But I did... Sorry!). All of this is the only reason I have been able to gain all of this research! Cuz without him, only 1 other person has been able to provide me an authorized login to the Oppo MSM server and that's Akayamishurui.. who got me my 1st OTP token .. there's no simple website that provides you instant login tokens with a trusted payment source.... There are back alley, sketchy websites requesting crypto payments or Cash App, to an obviously fake user account... Then waiting patiently as they hopefully email you or Telegram you the token details. This is a plague ppl... But this is what the MsM tool has become under this new Oppo leader! ... And after threats by Qualcomm to Oppo, as well as full blown disclosure blogs posted by me on OnePlus main community pages ... They are doing NOTHING to stop it.

Your current best chance to stop it??
Beatbreakee 👈 cuz I bucked their "cease and desist" order.... And got Qualcomm approval to hack their tool as it belongs to Qualcomm not Oppo! (You all know Qualcomm right? The multi billion dollar corporation that makes the chips in iPhones... Samsung... LG... Huawei... OnePlus... Oppo... Xiaomi... Steam Deck... Nvidia handhelds... And a ton of other expensive electronic devices.....). <=== Yes THEY made the MsM tool.... So there is a mega BILLION DOLLAR corporation backing the security of these devices, as well as the program that is used to flash them!

If this was AT ALL easy... Do you think they would have so many billion dollar security contracts?

Why do you think MTK has become PARTNERS with Qualcomm... Aren't they in the same industry.... ?? Yes.... But even MTK realized their own devices were being hacked DAILY so they turned to Qualcomm to help beef up their own devices, some of which now have both MTK and Qualcomm programmers used to flash them!

Back to topic: Whether there's 1 or 1 million OnePlus 10 Pro devices that have FULL FLASH CAPTURES available ... There is an incessantly mind numbing amount of garbage data included in the Auth signature that is needed to even begin the flashing! All 1 million phones would have the exact same structure of garbage data padded in the signature... Therefore isolating the garbage to remove it would require 200 Adderall addicted Mensa members to go on 3 week benders, to isolate necessary bits from garbage.... The necessary bits ARE WHAT IS NEEDED to even begin reverse engineering the algorithm from that data!

I need A DIFFERENT PHONE with the EXACT SAME architecture in order to match and pull the data. There are 2 ... The OnePlus 10t .... And the OnePlus 10R .... The 10t is the BROTHER of the 10pro.... Same board (taro). Same chipset... Snapdragon 8450 vs 8475.... And same fw builds! ... You can almost substitute the build.prop file on either and the phone will still boot!

<====== I have this phone... In my hand .... Right now.... Typing on it!.... ======>

But to keep me from needing an additional 200+ flash captures from it, as well as 100 Mensa addicts .... I crafted TESTED code to be placed into files in the /system/bin folder ... Which are called during the flash process... And those files will light up the garbage packets like a beacon... So that I can compare and remove the similar bits from the 10 Pro signature as well.. then I will have 2 VALID, pre authorized signatures that I can then submit to my nerd colleagues ... Who are here btw... Lol sorry y'all... Just waiting til they see something productive mentioned and then they will crack the algorithm for me.....

But in order to write to these /system/bin files I need ROOT access ... And my 10t has the all new COLOROS bootloader lock.... Which removes access to Fastboot! I can get to FastbootD... But nothing can be done there....

There is either a custom FastbootD command or a specially encoded file that must be sent to FastbootD which tells the phone to UNLOCK FASTBOOT MODE.

There are 2 ways at this..... 1. A CVE disclosed in October named "DirtyCred" ... Like DirtyPipe, it flushes unprivileged credentials and gives privileged access to the user... A uid=1000 shell which is capable of writing to any system partition! It works on ANY Linux kernel from 5.8 up to 5.16.... the POC was performed on a Google Pixel 6 using the EXACT SAME KERNEL and Security patch that I have stranded my 10T on.... Meaning if that POC can be built by some Linux/Android genius here... Which I know there are several of you.....I CAN USE IT AND WRITE THE NEEDED FILES TO MY 10T.....

Once that is done... I will have the algorithm in under a week... And submit the report to Qualcomm... Which will get me a kinda small bug bounty but enough to rescue me from the personal financial devastation I'm in..... As well as

**Start a 30 day timer, until I can release all the data right here and we can build a NO AUTH, NO LOGIN. MSM tool for our phones!**

and the data will most likely be compatible with other Oppo phones as well... But that's not guaranteed ... Just a theory...

The 2nd method is to locate that "IN DEPTH TESTING APK" because it is the one used on the OnePlus 10t....

Now to answer the question earlier....

No... The OP US techs will NOT provide me a single clue to the new server ... Why? Because the OP US techs stated that "THIS IS NOT ON THE NA PHONES" and "WE DONT DIRECTLY PROVIDE SUPPORT FOR TMOBILE MODELS" ... As directed by T-Mobile....

T-Mobile will not help....my dad's contacts and prior subordinates at T-Mobile won't help... Because this is a career ending disclosure if they do... Oppo has STRICT zero tolerance policies which stream all the way down the telecom lines!

But the very fact that that website is still publicly viewable and still active on OnePlus support servers means that it has not been junked ... And the US techs verified that... It's just that the file is only available to Singapore customers.... VPN didn't help.... I tried... If you click the link it isn't a 404... It's a TIMED OUT response... Which lots of times comes from a firewall that did not receive a sufficient response to allow access..

But SOMEWHERE.... SOMEWAY... THAT FILE can be accessed.... I have seen ppl enter a URL with a few additional things into their browser And up pops a directory listing like looking at their own computer .....even thru password protected sites ..... YOU are the people I need right now.... Because if you can do that to this site... It will most likely have the pointers leading to the new file... And boom... Download

(Never typing any of that again... That took almost an hour and several brain cells... ).

Happy hunting.... I'll be waiting anxiously;
 

Top Liked Posts

  • 3
    <Moderator Note>: I've removed the links from two posts and one quoted post.

    Although Windows Defender only popped up one file as a PUA (Potentially Unwanted Program) - which isn't necessarily a Trojan but just something that might do something you don't really want, I independently verified in a sandbox that VirusTotal.com reported possible Trojans on three of the four archives I downloaded.

    Some things do produce false positives, but in this case I believe caution is warranted.

    Thank you,

    @roirraW "edor" ehT

    P.S. Any questions, please don't respond in this thread. Instead, send me a PM.
    3
    I hate taking back off ..broke two back cover...LOL
    I hate it too. Especially since I clean up all the old tape and put down new tape.
    That's why I only open these things once and install a magnetic reed switch.
    See: https://forum.xda-developers.com/t/...c_prog_firehose-request.4261599/post-88301643

    This is the switch that I used: https://www.digikey.com/en/products/detail/standex-meder-electronics/ORD-213-20-30-AT/1949374
    It's currently out of stock there. I picked the least sensitive switch. (Even though it being activated in normal use is not a problem, it's only when resetting that it's checked.) Others of more sensitivity are in stock and they'll probably do fine.
    3
    As he said the OSS team doesn't handle that. Need to find the department that does.
    2
    Realistically, development is dead. And it sadly looks like hope of MSM tool is gone. Sucks but, oh well
    Not for all phones, android will always be open source even if manufacturers put some obstacles. the development has decreased over time because the devices have improved over time and it is not always necessary to make changes.
    2
    If people here have experience in MITM please DM me. I'm currently on it and I can't figure out how to force the tool to use my mitmproxy.

    EDIT: Nvm, I succeeded 👀
  • 18
    I found out how to bypass the login prompt. Whether or not the tool will actually work is yet to be determined.
    I don't have a oneplus 10 pro, but would be really curious if this works for anyone.
    In order to avoid potential legal issues, and so you don't have to trust any files I upload, here are the instructions to crack the msm login...

    Using a download from the previously-linked rar, you should have a copy of 'MsmDownloadTool.exe'
    Use 7-zip to open the exe as an archive, and extract all the files into a new folder.
    Open 'FTGUIDev.exe' with a hex editor (HxD is good)
    Find the hex value '0f84e7000000b8'
    Replace the 84 with an 85

    Save the modified exe and launch it.
    Choose a server other than 'in company'
    Put whatever for userID/Password/Verify, click login.


    I hope this is useful.

    Screenshot_2022-09-02_23-07-33.png
    9
    Hello all, I am here to leak the OPPO tech tool that allows the OnePlus 10 Pro to be flashed. Sadly I cannot share a login, but if you are able to bypass the login screen the tool does not need to authenticate with the server to flash a device in EDL mode. Attached is a screenshot of the login screen and the file. The tool picks up the device in EDL mode and allows the user to select the OPF file associated with the device (please note you must have this downloaded externally, ideally from the MSM tool for your device).

    I wish you luck bypassing this login and fixing your phones.

    flash.png
    9
    BTW... I am STILL in need of someone to share access with me to an MSM Tool account that is active... Again... I don't care if it's a guest account... or regular. You can change your password 12 hours after you give me the login info.... I am VERY close to being able to spoof an authentication, and signature response back to the phone in order to allow generic flashing of the 2213, 2215, and 2217. I just need to do about 2, maybe 3 more flashes, an hour between each, so I can decipher the algorithm that generates the token for the response. I have 9... I need 12, as they are partially calculated by a timestamp. So ANYONE who can help me with an account that is active, and maybe it is close to expiring anyways, please DM me, with the info to gain access.

    I am working under an authenticated letterhead, permissions document sent to me by Qualcomm, which completely supersedes ANY legal action brought forth by OnePlus/Oppo/BBK. The letter expressly provides me permission to use any of the tools/functions which are originated/derived from a Qualcomm Tool in any fashion. MSM is written and designed by Qualcomm. I am permitted to use whatever, in the "Research, and Penetration Testing, of any and all protocols called upon by a function of any process that begins in a device with a Qualcomm chipset."

    They make the MSM Tool... but access to the servers which are used to flash each Qualcomm device is controlled by their respective manufacturers.
    8
    I looked around for any Firehose loaders that had this getsigndata/verify.
    Only OnePlus and Oppo.
    The solution seems clear: don't buy them.

    OTOH, Lenovo/Motorola has signed loaders with restrictions.
    You can't read most partitions.
    The solution seems clear: don't buy them.
    7
    GOOD GOOD... That's what I like to hear from my Android Brethren !! Hack, Crack, Disassemble, and Attack the weaknesses of these infernal devices !!! (I need sleep!) ... Sorry, I'm stuck in some medieval, warfare mindset .. my bad! lol...

    BUT here's what I came for: Humor me.....

    IN THEORY... considering that EVERY post on the internet regarding DIAG mode on phones, (including iOS!) has started with the same goal.... "Using Root access, to enable Diag for access to the EFS" .... So basically everyone is saying that at the time... ROOT was the horse... and Diag was the finish line! ... Right? Cuz these guys were trying to hack bootloaders that had no accessible interface. And DIAG was their answer every time... and it worked! (Mostly)....

    What I am proposing is NOT trying to hack the bootloader, because I already know how to crack that... But if it used to be a REQUIREMENT that to even discuss DIAG, you must have Root.... Then can ANYONE HERE put together a way, in which I could REVERSE that process.... or at least leverage DIAG MODE, to get myself a Root Shell.... or alter the SUID or even outright set a new user, as "UID 0" ... temporarily even if I can only force 1 app to see my account as SYSTEM, so that I can get RW access to Build.prop, or Local.Prop ?? Then I can make 1 flag change in it that will snowball me right thru the security and into the bootloader!

    I mean as Diag I can literally DELETE the phone's whole identity! No IMEI.. no baseband... no modem... no MAC address.. by the access I have to the EFS... and you can't even directly access that partition with ROOT ... only DIAG and EDL have that authority! So imho there HAS TO BE a way to leverage a lower permission level thru some kind of console, where I can indirectly make a change to the build.prop. And I don't care if it bricks the device 5 minutes later, cuz I am gonna make my change be locked with a persistent property that is already in place! It just needs a 1 in place of a 0, or an alternate access point which is also persistent, and just needs one word added to the line! Either way, if the phone bricks right after for some security violation, I will still have enough access to break the secure chain of trust and make my flags permanent! So if I have to pay for a flash to restore my phone, so be it... I know that the two things I edit survived an EDL flash several times already!

    I really need EVERYONE ON DECK for this... cuz getting this done will cut at least 50% of the work I need to build us an MSM - Mafia FREE edition. I'm talking to the guys who still think UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT B A Start is a good cheat code! As well as the people who can walk past an ATM machine, wave their hand in front of it, and 100's start spitting out like a money shooter... Y'all cannot tell me that the Apple guys are better than us r/n ... cuz literally every time a new iOS drops... in less than a few days 3+ randos release videos as POC of them successfully gaining TFP0, which is the iOS equivalent of ROOT.... I refuse to believe that the 17 y/o kid wearing a fedora, and a neckerchief, as they are walking up to the Starbucks counter to order their Venti Chai Mocha Latte..... NO .... I DO NOT ACCEPT THAT VISUAL! To me that's worse than walking in on your parents smashing on top of the dining room table! ... at least then I know that they were making each other happy! ... But "Smuggy McMasterson III" strutting up to buy a lawn garden cocktail from a coffee shop, while feeling all "chipper" cuz his team found a Kernel Memory Leak in 'iOS whogivesacrap beta 4' ... yet we can't find one privilege escalation, is the stuff of my nightmares!

    Y'ALL DON'T WANNA GIVE ME NIGHTMARES DO YOU!!! I THOUGHT WE WERE FRIENDS!!!

    FRIENDS DON'T LET FRIENDS GET HANDLED BY A CRAPTASTIC BOOTLOADER, GUARDED BY 1 FLAG! COME ON!