General MSM TOOLS


the_rooter

Senior Member
Aug 3, 2014
2,136
556
Olean
So I was just browsing the Internet and came across this. Now, normally I don't trust anything unless it's from XDA, but I know some people are bricked and need a way to get their phones back. This was updated 6 days ago and is said to have worked.

 

DenisPDA

Senior Member
Jun 20, 2017
65
47
So I was just browsing the Internet and came across this. Now, normally I don't trust anything unless it's from XDA, but I know some people are bricked and need a way to get their phones back. This was updated 6 days ago and is said to have worked.

It works partially.
There's another problem.
It is related to VIP programming (prog_firehose_ddr.elf).
 

Kosta26

Senior Member
Nov 5, 2013
200
57
30
Zelenokumsk
OnePlus 9
OnePlus 9 Pro
So I was just browsing the Internet and came across this. Now, normally I don't trust anything unless it's from XDA, but I know some people are bricked and need a way to get their phones back. This was updated 6 days ago and is said to have worked.

Does not work.
 

Mr Hassan

Account currently disabled
Feb 14, 2016
934
62
OnePlus 10 Pro
So I was just browsing the Internet and came across this. Now, normally I don't trust anything unless it's from XDA, but I know some people are bricked and need a way to get their phones back. This was updated 6 days ago and is said to have worked.

This site is full of sh*t; the admin is just a super copy-paster.
 

$cronos_

Senior Member
Sep 21, 2021
321
100
This situation sucks, but the sketchy world of Android flashing is interesting as hell.

Site's interesting. I can buy an account for 7 days and flash till then? OK, fine, easy.

I just wonder if we can use this to our advantage somehow?

Great find.
Would it count as warez if we cracked this Android flashing thing made by scummy developers trying to extract every penny out of our wallets?
 

Ph0nysk1nk

Senior Member
Jul 28, 2016
228
110
Would it count as warez if we cracked this Android flashing thing made by scummy developers trying to extract every penny out of our wallets?
No, not warez. But certainly funny as hell.

I've tried to reach these fools from multiple angles but have never heard a peep back. I also don't feel like throwing money into a black hole right now.
 

Top Liked Posts

    2
    Oh... so again... NO, we are past being able to log in to the app. We are at the authentication packets being requested from the server at the 3% mark. You cannot skip it, cuz using x64dbg or x32dbg (depending on which download tool .exe you're editing) to simply jump the authorization to an authorized response will make an immediate "package validation timeout" response in the app. Spoofing an older authorization will fail, cuz without valid login info, the timestamp and the correct server MAC address will return an invalid signature to the app. Thus my previous point where I have a total of 164 attempts. (Y'all are really making me retype this crap after I asked specifically not to! Killing me!)

    164 attempts: change the internal computer clock back to the exact time indicated in the captured info + opening the phone to disconnect the battery (otherwise the internal timestamp will fail due to not matching the computer) + shorting out the test points to enter EDL + loading the EXACT SAME fw package as sent during the capture + spoofing the login at the exact time that it was captured... along with a leprechaun and some fairy dust, HAD A 10% SUCCESS RATE! 10%. THAT MEANS THAT I LITERALLY HAD 17 PASSES OUT OF 164 ATTEMPTS! <===== This would help absolutely NONE of you, because you do not have MY COMPUTER's MAC address... timestamp... my phone (which is not confirmed, but being that it can make the timestamp fail, I would bet that it has some value in the signature)... and the full capture data from my successful flash. While many of you MIGHT think that's no biggie, I am willing to bet that less than 1% of you will be willing to publicly disclose your personal computer's MAC address and IP address right here, right now! Secondly, of those who might be willing to share such data, how many of you have a successful full flash capture saved to share with the group/public?

    See the problems??? Until I crack that damn algorithm, there is slightly less than the odds of finding a genie that someone else will crack the tool. Mainly because I have put almost 5 weeks @ 10-12 hrs A DAY into breaking this, all the way to the point that it has jeopardized my personal life, because the amount of time invested is killing a lot of my work time, so bills have stacked up. Some people are oblivious to the amount of effort that goes into making these kinds of mods, hacks, custom-built ROMs, or other things we develop for you all, FOR FREE! I want a free MSM tool just as bad as you all do (actually probably much more, considering how hard I've been working on it), but there are limitations as to what can just be produced.

    You all should thank the heck out of Canuck Knarf, cuz he has literally been the backbone of this research. He has bought me nearly 15 OTP tokens at $8 each, plus purchased an MSM Oppo account from a sketchy dude @ $1400! (Don't know if I was to share that, bro... but I did... sorry!) All of this is the only reason I have been able to gain all of this research! Cuz without him, only 1 other person has been able to provide me an authorized login to the Oppo MSM server, and that's Akayamishurui, who got me my 1st OTP token. There's no simple website that provides you instant login tokens with a trusted payment source. There are back-alley, sketchy websites requesting crypto payments or Cash App to an obviously fake user account, then waiting patiently as they hopefully email you or Telegram you the token details. This is a plague, people... but this is what the MSM tool has become under this new Oppo leader! And after threats by Qualcomm to Oppo, as well as full-blown disclosure blogs posted by me on OnePlus main community pages, they are doing NOTHING to stop it.

    Your current best chance to stop it??
    Beatbreakee 👈 cuz I bucked their "cease and desist" order... and got Qualcomm approval to hack their tool, as it belongs to Qualcomm, not Oppo! (You all know Qualcomm, right? The multi-billion-dollar corporation that makes the chips in iPhones... Samsung... LG... Huawei... OnePlus... Oppo... Xiaomi... Steam Deck... Nvidia handhelds... and a ton of other expensive electronic devices.) <=== Yes, THEY made the MSM tool... so there is a mega BILLION-DOLLAR corporation backing the security of these devices, as well as the program that is used to flash them!

    If this was AT ALL easy, do you think they would have so many billion-dollar security contracts?

    Why do you think MTK has become PARTNERS with Qualcomm? Aren't they in the same industry? Yes. But even MTK realized their own devices were being hacked DAILY, so they turned to Qualcomm to help beef up their own devices, some of which now have MTK and Qualcomm programmers used to flash them!

    Back to topic: whether there's 1 or 1 million OnePlus 10 Pro devices that have FULL FLASH CAPTURES available, there is an incessantly mind-numbing amount of garbage data included in the auth signature that is needed to even begin the flashing! All 1 million phones would have the exact same structure of garbage data padded in the signature. Therefore isolating the garbage to remove it would require 200 Adderall-addicted Mensa members to go on 3-week benders to isolate the necessary bits from garbage. The necessary bits ARE WHAT IS NEEDED to even begin reverse engineering the algorithm from that data!

    I need A DIFFERENT PHONE with the EXACT SAME architecture in order to match and pull the data. There are 2: the OnePlus 10T and the OnePlus 10R. The 10T is the BROTHER of the 10 Pro: same board (taro), same chipset (Snapdragon 8450 vs 8475), and same fw builds! You can almost substitute the build.prop file on either and the phone will still boot!

    <====== I have this phone... in my hand... right now... typing on it! ======>

    But to keep me from needing an additional 200+ flash captures from it, as well as 100 Mensa addicts, I crafted TESTED code to be placed into files in the /system/bin folder, which are called during the flash process, and those files will light up the garbage packets like a beacon, so that I can compare and remove the similar bits from the 10 Pro signature as well. Then I will have 2 VALID, pre-authorized signatures that I can then submit to my nerd colleagues... who are here, btw... lol, sorry y'all... just waiting till they see something productive mentioned and then they will crack the algorithm for me.

    But in order to write to these /system/bin files I need ROOT access, and my 10T has the all-new ColorOS bootloader lock, which removes access to fastboot! I can get to fastbootd, but nothing can be done there.

    There is either a custom fastbootd command or a specially encoded file that must be sent to fastbootd which tells the phone to UNLOCK FASTBOOT MODE.

    There are 2 ways at this. 1. A CVE disclosed in October named "DirtyCred". Like Dirty Pipe, it flushes unprivileged credentials and gives privileged access to the user: a uid=1000 shell which is capable of writing to any system partition! It works on ANY Linux kernel from 5.8 up to 5.16. The PoC was performed on a Google Pixel 6 using the EXACT SAME kernel and security patch that I have stranded my 10T on, meaning if that PoC can be built by some Linux/Android genius here (which I know there are several of you), I CAN USE IT AND WRITE THE NEEDED FILES TO MY 10T.

    Once that is done, I will have the algorithm in under a week and submit the report to Qualcomm, which will get me a kinda small bug bounty, but enough to rescue me from the personal financial devastation I'm in... as well as

    **Start a 30 day timer, until I can release all the data right here and we can build a NO AUTH, NO LOGIN MSM tool for our phones!**

    And the data will most likely be compatible with other Oppo phones as well... but that's not guaranteed... just a theory.

    The 2nd method is to locate that "IN DEPTH TESTING APK", because it is the one used on the OnePlus 10T.

    Now to answer the question earlier...

    No. The OP US techs will NOT provide me a single clue to the new server. Why? Because the OP US techs stated that "THIS IS NOT ON THE NA PHONES" and "WE DON'T DIRECTLY PROVIDE SUPPORT FOR T-MOBILE MODELS"... as directed by T-Mobile.

    T-Mobile will not help. My dad's contacts and prior subordinates at T-Mobile won't help, because this is a career-ending disclosure if they do. Oppo has STRICT zero-tolerance policies which stream all the way down the telecom lines!

    But the very fact that that website is still publicly viewable and still active on the OnePlus support server means that it has not been junked, and the US techs verified that. It's just that the file is only available to Singapore customers. VPN didn't help... I tried. If you click the link it isn't a 404, it's a TIMED OUT response, which lots of times comes from a firewall that did not receive a sufficient response to allow access.

    But SOMEWHERE, SOMEWAY, THAT FILE can be accessed. I have seen people enter a URL with a few additional things into their browser and up pops a directory listing, like looking at their own computer, even thru password-protected sites. YOU are the people I need right now, because if you can do that to this site, it will most likely have the pointers leading to the new file... and boom... download.

    (Never typing any of that again... that took almost an hour and several brain cells.)

    Happy hunting... I'll be waiting anxiously.
    2
    I get it. You're trying to hack between the OnePlus tool and the backend.
    I'm just interested in the other side, between the tool and the device.
    If you ever want to get completely rid of the tool you'll have to know that bit too.
    So far nobody has said, "Yeah, we know that 100% already. Here's a link."
    2
    I get it. You're trying to hack between the OnePlus tool and the backend.
    I'm just interested in the other side, between the tool and the device.
    If you ever want to get completely rid of the tool you'll have to know that bit too.
    So far nobody has said, "Yeah, we know that 100% already. Here's a link."
    Actually it was partially disclosed in an earlier post... one of the methods for removing the login requirement.


    I didn't use this one... I edited further into the hex and made it so I can enter anything into the user ID and password, and 00000 for the authentication code. But there are a few posts about this in this exact thread; just they are so short most people miss them. Also, the trick in the post above only works on that version, but it should be enough to get you moving if you wanna follow that route. I just know that once you click start to flash, ANOTHER request goes out to an OPPO auth server, and the MAC address/server details are obfuscated, so without that you can never generate a valid AUTH packet, and it will fail at the 3% marker every time! If you get lucky enough to confuse the server, which I did thru some exhausting measures, you will be met with a 3rd and 4th authentication request at 19% and 97%.

    They set up some pretty good backup security in this tool, just for people like us!

    (Give yourself a pat on the back, Oppo, cuz that's the one and only compliment you will EVER get from me! The next time you see me mention your name and the tool security will be when I announce that I've cracked it! Cheers!)
    2
    Can you send me the edited MSM tool? Thanks
    I do not think that will happen, nor do I advise it. While we CAN disclose the offsets that need to be changed for access, to publicly or even privately host a reverse-engineered, copyrighted application not only violates XDA rules, but I'm fairly sure that can also land the host or person sharing it in some legal trouble.

    I'm not 100% sure of that, but I do know that asking for or publishing this will definitely get you in some hot water with the XDA mods! Fair warning...

    There are a TON of free hex editors for Windows, Mac, and Linux that are all simple to use. Download one, plus the MSM version described and linked in earlier posts, then make the alteration yourself and voilà: no trouble, and you learn 1 more crafty tool!
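    Added example, written for this page and not code from any poster in the thread or from the MSM tool itself: a small Python patcher for the "download a hex editor and make the alteration yourself" workflow the post above describes. The offsets and byte values in EXAMPLE_PATCHES are constructed placeholders (the real offsets the thread refers to are not on this page). What it demonstrates is the check a practitioner wants before touching any binary: verify every expected byte first, so a patch meant for one version is never written into another build, keep a .bak copy, and record the before/after hashes.

```python
import hashlib
import shutil

# Constructed placeholder patch list. The real offsets the thread refers to are
# not on this page; a genuine patch needs the offset, the bytes that must
# already be there in that exact build, and same-length replacement bytes.
EXAMPLE_PATCHES = [
    # (offset, expected bytes at that offset, replacement of equal length)
    (0x10, b"\x74\x05", b"\x90\x90"),   # e.g. a conditional short jump NOPed out
    (0x40, b"\x00", b"\x01"),
]


def check_patches(data, patches):
    """Verify every patch fits, keeps the file size and finds the bytes it
    expects. A mismatch means a different build: stop before writing anything
    instead of corrupting the wrong version."""
    for off, expect, new in patches:
        if len(expect) != len(new):
            raise ValueError(f"patch at {off:#x} would change the file length")
        if off + len(expect) > len(data):
            raise ValueError(f"patch at {off:#x} lies beyond end of file ({len(data)} bytes)")
        found = bytes(data[off:off + len(expect)])
        if found != expect:
            raise ValueError(f"at {off:#x} expected {expect.hex()} but found {found.hex()}: wrong version?")


def patch_bytes(data, patches):
    """Return a patched copy of `data`; all checks run before the first write."""
    check_patches(data, patches)
    out = bytearray(data)
    for off, _expect, new in patches:
        out[off:off + len(new)] = new
    return bytes(out)


def apply_patches(path, patches, backup=True):
    """Patch the file in place, keeping a .bak copy, and return before/after
    SHA-256 so the change can be audited or reverted."""
    with open(path, "rb") as f:
        original = f.read()
    patched = patch_bytes(original, patches)
    if backup:
        shutil.copy2(path, path + ".bak")
    with open(path, "wb") as f:
        f.write(patched)
    return {"before": hashlib.sha256(original).hexdigest(),
            "after": hashlib.sha256(patched).hexdigest(), "patched": len(patches)}


if __name__ == "__main__":
    import os
    import tempfile
    # constructed stand-in binary: bytes 00..ff, so byte 0x10 is 0x10 and byte 0x40 is 0x40
    target = os.path.join(tempfile.mkdtemp(), "tool.bin")
    with open(target, "wb") as f:
        f.write(bytes(range(256)))
    print(apply_patches(target, [(0x10, b"\x10\x11", b"\x90\x90"), (0x40, b"\x40", b"\x41")]))
    try:  # running the same patch twice fails the pre-check, as it should
        apply_patches(target, [(0x10, b"\x10\x11", b"\x90\x90")])
    except ValueError as e:
        print("refused:", e)
```

    Running it twice on the same file is refused, which is the point: the expected-bytes check is what catches "only works on that version" before the write happens rather than after.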
    1
    Sorry, pic wasn't attached; here's the pic and link.
    Link to prior post

    7
    So here's what the OTP guys are doing...

    Be prepared... this is a VERY long, detailed post...

    So what they are basically doing is...

    They are running their own "LastPass" kind of server from AWS, where they are daily logging in to their Amazon web server account and updating the MSM TOOL login, so that it refreshes every time one of them needs to pull an OTP. But it's up to whoever admins the account as to how long tokens last for.

    Then they created (or cloned) that GA_Login tool, which is just a general-purpose login tool which can be made to work with any app. It comes with modified code so that you can attach it to any program written under a certain language (different versions of the login tool for different program languages). Then the tool officially has access to manipulate the login values of whatever app.

    I believe the tool has legit licenses with the companies; otherwise they would be violating the reverse-engineering laws, and everyone who is profiting from it would be subject to an arresting offense! That would depend on the companies to press charges. But it's easy to gain permission from a company for this purpose, because you aren't altering the code, only adding further security to mask passwords!

    So the OTPs being generated are just a valid login that is masked by a secure password-masking system. Unfortunately it is unable to be decrypted, due to mitigations involved with packet capture, and the login relies on an internet connection. Now, unfortunately, thru further inspection, the OFP flashing app DOES maintain a secure check of the VIP authentication signature, and that signature is verified on the phone itself through a command called by the Linux library "libqmi". This can be built and programmed by anyone, but the actual procedure for JUST doing a VIP auth signature is not detailed on how to perform this.

    THIS is what the QFIL application is doing when the Sahara programmer is called. The Sahara programmer has a heavily encrypted HASHING ALGORITHM which sends one value to your phone, and then your phone verifies and calculates a response to send back to the Sahara. The Sahara already knows the correct answer even though it sits waiting, and if a single character is off, then Sahara shuts down the communication portal and sends us back an error. At that time, the phone is stuck in perpetual FAILED mode and needs to be reset in order to try again.

    The problem with this is that during a FULL BRICK state, meaning no communication without shorting the test points while the battery is disconnected, there is no way to get a valid timestamp from your device. The timestamp is part of the Sahara's calculation. Thus this is why manually flashing thru QFIL continues to fail. The PATCHED firehose loaders simply have the TIMESTAMP requirement removed from the calculation, so that the only thing verified is the device's SoC and board information.

    The MSM ONLINE tool does its own timestamp calculations and intercepts the communication of the Sahara, then injects the current valid timestamp in real time, which then gives the approved signature to the Sahara and authorizes your flash.

    Conclusion: someone who has .elf file coding skills needs to completely disassemble the loader, which can be pulled from ANY OP 10 series... or actually ANY Snapdragon 845 r1-based phone, and compare that to several other loaders of recent related chipsets, i.e. Snapdragon 845 r2, or possibly even Snapdragon 865. But if they are fluent enough working with ELF files, they should be able to locate the instruction code that requests a timestamp as part of the signature and delete/disable that requirement. THEN recompile that loader and we will have the file needed for OFFLINE flashes via the patched MSM tool or QFIL.

    The login is the ONLY requirement of the MSM tool!
    It is the Sahara firehose itself that is killing our ability to continue flashing once the login is bypassed. Whether the phone is in brick state or not has no value to the value being submitted to the Sahara. OPPO programmed our phones to interrupt communication thru the USB on a BUTTON or ADB request to enter EDL mode. This is why, when connecting via the command line or thru the recovery mode shortcut, there is a slight 3-5 second delay until your phone is detected in 9008 mode.

    1. When entering by holding the VOL buttons and plugging the USB in, the phone loses communication to the TIMESTAMP function, which makes the Sahara fail offline, due to no MSM tool server intervention. (Remember the MSM server is not maintained by OPPO, but is actually built by Qualcomm... they just provide access to OPPO for repair functions.)

    ^^This will cause QFIL to fail, because a valid VIP can't be generated without the timestamp! But the MSM server can interject the correct timestamp, being that it's online and always in sync^^

    2. When entering EDL via CLI, the phone is SUPPOSED to go straight into QCOMM DOWNLOAD MODE with no interruption, but OPPO amended a "Reboot" command into the operand, forcing the USB to lose connection to the board and breaking the sync, and thus forcing the timestamp to be invalid once the connection is made again with the programmer.

    ^^This is why ColorOS is a game changer. Because they pushed their own RECOVERY and FASTBOOT protocols as overlays of the REAL Qcomm recovery and fastboot. Recovery and fastboot are requirements of Qcomm/Android devices. But HOW they are laid out to us is completely up to the manufacturers. The ColorOS recovery and fastboot(d) that is made by OPPO alters the timestamp being generated, to force a standard 12 hr format instead of 24 hr. Sahara doesn't know wtf AM or PM is, so anything from ColorOS is gibberish in the timestamp.

    THERE IS ONE CAVEAT...

    All Androids with altered fastboot and recovery protocols MUST include a "Debug Boot Image". These actually communicate to the Qualcomm diagnostic function. Although atm I have no idea how to BOOT into these images, as they are not the same as the normal .img files we use for everything else. Calling on one of these images is a process completely different than a standard Android boot.img... so again I believe this to be one of the functions of libqmi. This library makes a connection to the device over USB, but more importantly the SERIAL communicator console on the board. Once this communication is connected, you have full control over all partitions/filesystems inside the entire device, without regulation. You could technically tell your smartphone it is now a smart TOASTER (but this would certainly crash immediately without the proper functions being built into the chipset).

    So now I task ANYONE who might have decent Linux knowledge to research QMI and how it communicates, to find the proper commands/access to call upon the Debug.img, which you can pull out of any downloaded fw.

    I will still be working on alternate methods, but as of now QMI seems to be our only answer.

    And final statement: OTP cannot be spoofed in any method to gain authorized MSM access, any more than you being able to spoof authentication into a "LastPass" account to gain control over someone's password collection. They both maintain about the same level of encryption.

    I hope that's detailed enough to get to everyone's thoughts, as I probably won't be able to answer anything much deeper for the time being. I have personally put myself into a financial situation by the amount of time I have devoted to this, and now need to create a miracle or 2 in order to recover from the domino effect that I hadn't realized I triggered until today. Sorry I couldn't do a hell of a lot more... if I had the financial resources to not worry about bills for a month or two, I could totally crack this thing wide open, and probably put a devastating hurt on OPPO in the process... but electricity, rent, car, insurance, food, and general living all factor in to the amount of time I can spend on this. (Which sucks, because bounties are upwards of 50K or more for the discovery of holes in the functions I was working on, and according to Qcomm I was very close to a pretty high critical CVE being declared!) 😖
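    Added example, mine and not code from the thread, Qualcomm or Oppo: the tool-to-device half of what the post above calls "the Sahara programmer", i.e. the Sahara handshake by which a device in EDL (9008) mode pulls a loader from the host chunk by chunk, with both sides' messages. The command IDs, packet layouts and version numbers are taken from public open-source EDL tools (edl, qdl) and are assumptions of this example; FakeSaharaDevice is a constructed stand-in for the boot ROM and the loader is a constructed byte string. It models only the image-transfer handshake, not the VIP/auth checks the thread discusses at the firehose stage.

```python
import struct

# Sahara command IDs and packet layouts. Values and field order are taken from
# public open-source EDL tools (edl, qdl) that implement Qualcomm's Sahara
# protocol; they are this example's assumptions, not something stated in the thread.
CMD_HELLO, CMD_HELLO_RESP, CMD_READ_DATA = 0x01, 0x02, 0x03
CMD_END_IMAGE_TX, CMD_DONE, CMD_DONE_RESP, CMD_READ_DATA64 = 0x04, 0x05, 0x06, 0x12
MODE_IMAGE_TX_PENDING = 0x00    # host asks the device to start pulling an image
IMAGE_TX_COMPLETE = 0x01        # device's final status in DONE_RESP

HELLO_FMT = "<6I6I"    # cmd, len, version, version_supported, cmd_packet_len, mode, reserved[6]
READ_FMT = "<5I"       # cmd, len, image_id, offset, length  (32-bit request)
READ64_FMT = "<2I3Q"   # cmd, len, image_id, offset, length  (64-bit request)
END_FMT = "<4I"        # cmd, len, image_id, status
DONE_FMT = "<2I"       # cmd, len
DONE_RESP_FMT = "<3I"  # cmd, len, image_tx_status


def parse(buf):
    """Decode one device-to-host Sahara packet; reject length-field mismatches."""
    cmd, length = struct.unpack_from("<II", buf)
    if length != len(buf):
        raise ValueError(f"length field {length} != packet size {len(buf)}")
    if cmd == CMD_HELLO:
        f = struct.unpack(HELLO_FMT, buf)
        return {"cmd": cmd, "version": f[2], "version_supported": f[3], "mode": f[5]}
    if cmd in (CMD_READ_DATA, CMD_READ_DATA64):
        fmt = READ_FMT if cmd == CMD_READ_DATA else READ64_FMT
        _, _, image_id, off, n = struct.unpack(fmt, buf)
        return {"cmd": cmd, "image_id": image_id, "offset": off, "length": n}
    if cmd == CMD_END_IMAGE_TX:
        _, _, image_id, status = struct.unpack(END_FMT, buf)
        return {"cmd": cmd, "image_id": image_id, "status": status}
    if cmd == CMD_DONE_RESP:
        return {"cmd": cmd, "image_tx_status": struct.unpack(DONE_RESP_FMT, buf)[2]}
    raise ValueError(f"unhandled Sahara command 0x{cmd:x}")


def hello_response(version, version_supported):
    """Host reply to HELLO: echo the version fields and request image transfer."""
    size = struct.calcsize(HELLO_FMT)
    return struct.pack(HELLO_FMT, CMD_HELLO_RESP, size, version, version_supported,
                       size, MODE_IMAGE_TX_PENDING, *([0] * 6))


def serve_read(loader, req):
    """Return the slice the device asked for, as raw bytes with no Sahara header.
    A request past the end of the image is refused rather than silently truncated."""
    start, n = req["offset"], req["length"]
    if start + n > len(loader):
        raise ValueError(f"read {start}+{n} exceeds loader size {len(loader)}")
    return loader[start:start + n]


class FakeSaharaDevice:
    """Constructed stand-in for the device-side boot ROM; not a real device."""

    def __init__(self, image_size, chunk=4096):
        self.image_size, self.chunk, self.got = image_size, chunk, bytearray()

    def hello(self):
        return struct.pack(HELLO_FMT, CMD_HELLO, 48, 2, 1, 48, MODE_IMAGE_TX_PENDING, *([0] * 6))

    def accept_hello_response(self, buf):
        cmd, _, _, _, _, mode = struct.unpack_from("<6I", buf)
        if cmd != CMD_HELLO_RESP or mode != MODE_IMAGE_TX_PENDING:
            raise ValueError("device rejected hello response")

    def next_request(self):
        done = len(self.got)
        if done < self.image_size:                       # ask for the next chunk; image_id 13 is arbitrary
            n = min(self.chunk, self.image_size - done)
            return struct.pack(READ64_FMT, CMD_READ_DATA64, 32, 13, done, n)
        return struct.pack(END_FMT, CMD_END_IMAGE_TX, 16, 13, 0)   # status 0 = success

    def receive(self, data):
        self.got += data

    def done(self, buf):
        if struct.unpack(DONE_FMT, buf)[0] != CMD_DONE:
            raise ValueError("expected DONE")
        return struct.pack(DONE_RESP_FMT, CMD_DONE_RESP, 12, IMAGE_TX_COMPLETE)


def run_host(loader, dev):
    """Drive the host side until the device reports End of Image Transfer."""
    h = parse(dev.hello())
    dev.accept_hello_response(hello_response(h["version"], h["version_supported"]))
    reads = 0
    while True:
        pkt = parse(dev.next_request())
        if pkt["cmd"] in (CMD_READ_DATA, CMD_READ_DATA64):
            dev.receive(serve_read(loader, pkt))
            reads += 1
        else:                                            # CMD_END_IMAGE_TX
            fin = parse(dev.done(struct.pack(DONE_FMT, CMD_DONE, 8)))
            return {"reads": reads, "status": pkt["status"],
                    "tx_status": fin["image_tx_status"], "image_ok": bytes(dev.got) == loader}


if __name__ == "__main__":
    LOADER = bytes(range(256)) * 40   # constructed 10240-byte stand-in for a loader
    print(run_host(LOADER, FakeSaharaDevice(len(LOADER))))
```

    The two checks worth keeping in any real host implementation are the length-field comparison in parse (a device that lies about packet size is the first thing a fuzzer will produce) and the bounds check in serve_read, which keeps a malformed read request from leaking host memory beyond the loader buffer.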
    7
    GOOD, GOOD... that's what I like to hear from my Android brethren!! Hack, crack, disassemble, and attack the weaknesses of these infernal devices!!! (I need sleep!) Sorry, I'm stuck in some medieval warfare mindset... my bad! lol...

    BUT here's what I came for: humor me...

    IN THEORY, considering that EVERY post on the internet regarding DIAG mode on phones (including iOS!) has started with the same goal, "Using root access to enable diag for access to the EFS"... so basically everyone is saying that at the time, ROOT was the horse, and diag was the finish line! Right? Cuz these guys were trying to hack bootloaders that had no accessible interface, and DIAG was their answer every time... and it worked! (Mostly.)

    What I am proposing is NOT trying to hack the bootloader, because I already know how to crack that. But if it used to be a REQUIREMENT that to even discuss DIAG you must have root, then can ANYONE HERE put together a way in which I could REVERSE that process... or at least leverage DIAG MODE to get myself a root shell... or alter the SUID, or even outright set a new user as "UID 0"... temporarily, even if I can only force 1 app to see my account as SYSTEM, so that I can get RW access to build.prop or local.prop?? Then I can make 1 flag change in it that will snowball me right thru the security and into the bootloader!

    I mean, as diag I can literally DELETE the phone's whole identity! No IMEI, no baseband, no modem, no MAC address, by the access I have to the EFS... and you can't even directly access that partition with ROOT; only diag and EDL have that authority! So imho there HAS TO BE a way to leverage a lower permission level thru some kind of console where I can indirectly make a change to the build.prop. And I don't care if it bricks the device 5 minutes later, cuz I am gonna make my change be locked with a persistent property that is already in place! It just needs a 1 in place of a 0, or an alternate access point which is also persistent and just needs one word added to the line! Either way, if the phone bricks right after for some security violation, I will still have enough access to break the secure chain of trust and make my flags permanent! So if I have to pay for a flash to restore my phone, so be it... I know that the two things I edit survived an EDL flash several times already!

    I really need EVERYONE ON DECK for this, cuz getting this done will cut at least 50% of the work I need to build us an MSM - Mafia FREE edition. I'm talking to the guys who still think UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT B A START is a good cheat code! As well as the people who can walk past an ATM machine, wave their hand in front of it, and 100s start spitting out like a money shooter... Y'all cannot tell me that the Apple guys are better than us right now... cuz literally every time a new iOS drops, in less than a few days 3+ randos release videos as PoC of them successfully gaining tfp0, which is the iOS equivalent of ROOT. I refuse to believe that the 17 y/o kid wearing a fedora and a neckerchief as they are walking up to the Starbucks counter to order their Venti Chai Mocha Latte... NO... I DO NOT ACCEPT THAT VISUAL! To me that's worse than walking in on your parents smashing on top of the dining room table! At least then I know that they were making each other happy! But "Smuggy McMasterson III" strutting up to buy a lawn garden cocktail from a coffee shop, while feeling all "chipper" cuz his team found a kernel memory leak in 'iOS whogivesacrap beta 4', yet we can't find one privilege escalation, is the stuff of my nightmares!

    Y'ALL DON'T WANNA GIVE ME NIGHTMARES, DO YOU!!! I THOUGHT WE WERE FRIENDS!!!

    FRIENDS DON'T LET FRIENDS GET HANDLED BY A CRAPTASTIC BOOTLOADER GUARDED BY 1 FLAG! COME ON!
    6
    The thing I don't understand is HOW you recover the phone after bricking it? :)))
    Isn't this the point of all this efforts? To find a FREE way to flash the bricks?
    i dont recover THAT phone.... i have 2... a 10 Pro, and a 10T.... building the FREE version of the msmtool requires a TON of full captures of all the usb data being passed from device to software, to weed out the BS, and isolate the signature itself, then decrypt or find a way to spoof it.... But testing the method over and over on the exact same device does not produce me enough variables to know if my findings are valid FOR ME... which will help no one... or if they are valid for ALL ... and for that I need the data which my 10T will provide.

    the 10Pro uses the Snapdragon 8450... the 10T uses the Snapdragon 8475 ....

    BOTH models use the same board config, TARO..... the only big difference is the cameras....

    ive completely eliminated the sign on necessity for the tool... so far my mods have successfully patched out the entire login script. So on the newest MSMTool... mine opens right up to the choose your device screen, ... but there are 3 major verification checks that happen during the flag.... 3% a VIP or AUTH token is requested by the app... I think i have isolated the process on the phone that generates the validated response..... (1st good find... because that means if the next 2 are also generated BY the phone.... I can trash the hell out of the programming inside the MSM tool, that sends ANY KIND of network request!.... If all the tool needs the net for is the LOGIN, and everything else is validated by the phone, it proves the EDL flash can be completed offline! Tag in the LOOPBACK adapter again to fool MSM into thinking it is still online.... remove the login segment of the tool.... drop in a few shell commands to trigger the intents that i believe the AUTH signature are coming from.... and if that all goes well on 2 DIFFERENT devices, then i know it will work on ALL in the 10 series..... capice?

    oh, and HOW i keep recovering my 10 Pro is thanks to a buddy who you have spoken with in the past few replies.... Canuck ... he is supplying me with OTP credits he purchased to help me do this research... each token lasts 24 hrs... which gives me around 2 - 300 flashes... IF i needed that many... but i usually pull about 10-12 ... i have captures of over 500 successful flashes and now have started finding REPEATED DATA overlapping thru several captures.... meaning none of that data is part of the encrypted AUTH signature... In my 27 years of programming... and 14 specifically with android... I have NEVER seen a truly encrypted Hash value EVER repeat the same sequence of an entire row of encrypted code... let alone even 64 characters..... well i have about 90 pages that have this in common! so that makes the amount of data i have to isolate even smaller..... more flashes.... more eliminations..... more repeating crypto segments overlapping on other flash captures, more characters i get to delete from my control group....

    you see... THIS is old school hash calculating by reversing the code.... eventually you will have several lines of code which are 100% different on every full capture.... THAT CODE, is then used as a kind of reverse Captain Crunch decoder ring..... you plug in some common fixed variables.... until you locate a set or maybe 10 sets that all produce the same exact "value tables" as I call them.... but more formally, the ALGORITHM that when applied, generates the exact number of characters required in a valid AUTH token, and then you plug that result into a blanked pre-formed response packet then replay or inject it via a script with the timing set for the correct intervals... and PRAY that you didn't miss some little variable way earlier which breaks your entire data set!.... (normally this doesn't happen.... but 9 out of 10 times I also don't have to work this hard to strip the tables from the encrypted packet. I usually have SEVERAL different attack platforms... or devices... game consoles.... files.... whatever it is that all are locked by the same apparatus, so I can generate far fewer collections of the info being sent between the Challenge and the Response packets.

    think of it like this.... if you have to pick a barrel lock, but rather than force it open and damaging it, you instead opt to forge a master key...

    to do this you would either need a model of the working key.... (like having the signature given to you... which isn't gonna happen...) OR you would need to get as many different keys that FIT the lock, as you can find...

    Once you have a solid control set, (copies of all of the keys that engaged at least 1 pin inside the tumbler without twisting or manipulation.... all of the tumbler's pins MUST be engaged for the key to spin the lock to OPEN)

    If you have 20 keys that all engage at least 1 pin... then you group them off by which pin they set... and now you have the ability to compare those in each group and find the matching cuts in the key. The more you have, the more you have to examine! The more you examine, the more you will find keys that overlap into other groups because some keys will engage more than 1 pin..... now you get to eliminate ENTIRE GROUPS cuz you only need the one that matches 1 pin in multiple sets....

    the goal is to get at least 10 grooves / cuts identified, so you can record the location and measurement of each working pin setting... depth... size and width of the groove... (on let's say a Coke machine, it has a barrel (tumbler) lock that protects the money collector. Those usually have 10-set cuts in the barrel key... you need all 10 cuts to be precise or the lock won't budge. BUT if you have 10 keys that each engage 1 different pin in the lock, you can map out the position, depth, and cut needed for each pin, and forge them onto a blank uncut barrel key using nothing more than a rotary tool and a diamond tip engraving bit.

    once all your results are transferred onto the blank then you should be able to push it in the lock and turn the key with ease!

    well the EXACT same idea structure works when cracking mathematical algorithms ...

    in this case, having NOTHING but hundreds of copies of the same key will not help, as you need MORE different keys to isolate perfect segments, and eliminate garbage. well I actually have 2 keys... but 1 of them is being blocked from testing, by an immortal bouncer named T-Mobile Bootloader Lock!

    (I don't know if humor helps other ppl relate to something, but it works wonderfully for me!)
    umm... ok..... so does anyone here have an OTP credit to spare for flashing? Like either you already purchased an OTP token, and have finished your repair but your token still has more time left!! Or preferably a brand new OTP so I can bust another 24hrs research into this tool. I gotta make something happen ASAP with this stupid phone, or I'm selling it and the 10T this weekend and moving on. But I cannot continue owning a device that SOMEONE ELSE is in control of. Oppo... OnePlus... BBK.... or anyone else will NOT hold dominion over what and when I can or cannot do to a device I spent my cash on. NO ONE! I re-affirm my commitment to taking down this company's antiquated, 1860's rules which run similar to something abolished in 1865. Sorry for the bad comparison coming next, but I'm gonna borrow a familiar mantra to make my point.... "My phone... my right to choose what I do with it!" Until these LORD OF THE MOBILE PHONE industries start GIVING US the phones, and THEY pay the monthly bill to our carriers, then they have ZERO RIGHT to tell me what I can do to my phone.

    Would you go buy a new outfit if the store said, "Here you go.... now you cannot wear any under garments that are not _____ with these, and no shoes that aren't _____. If you do the outfit will just fall apart and you won't be able to fix it, unless you bring it back here, and we will make it work again, but bring the approved accessories only!"

    What about if you bought a new Samsung TV, and the Best Buy employee said, "Thanks sir/ma'am, but there are a few stipulations you need to follow now that you bought this already. Absolutely NO comedy movies or anything with political humor is allowed to be watched. Period. You can ONLY watch SAMSUNG approved movies and TV shows that the CEO of Samsung, YOUR NEW LORD AND SAVIOR, has deemed acceptable. The Big Bang Theory has been rated as unapproved and your TV will black out any attempt to watch shows with any of the original cast members in it. This is for your own safety, and if it's discovered that you connected any unauthorized player device that allowed those or any other show our lord does not approve of, we will deactivate your TV and you will then have to send it back to the factory IN CHINA, so we can decide on the fee to restore it back to default!.... All hail Samsung / Trachanon!"

    Last time I checked there wasn't any car dealership that said.... "Thanks, we hope you enjoy your new _____ SUV. Now remember No KIDS... Pets... High PDA couples, or ANY in-laws allowed inside. And you can't put plain ol' Racetrac, Shell, Conoco, etc. gas in it. You MUST ONLY put gas from our dealership in it. Doesn't matter if it's similar octane or whatever. OUR GAS, OIL, ACCESSORIES, approved patrons, and PARTS, that must be from OUR DEALERSHIP ONLY, or your car will die and we don't have to service it because our computer will show us that you ignored our orders! SWEAR YOUR ALLEGIANCE TO TRACHANON NOW HUMAN! And have a blessed day.... buh bye!"

    TUCK FHIS! I am done letting anyone tell me what I am allowed to do with the thing I paid for, in full! And I refuse to go from ONE company with MAFIA LIKE control over its repair tool, right to ANOTHER person/company who parades control of my device over my head!... I never signed any agreement giving this control, and for ANYONE who says, "that's what you get for buying OnePlus".... NAME ONE OTHER ONEPLUS SERIES OF PHONE PRIOR TO THE 10 Pro/T/R that had this overbearing control on it? You CAN'T.... Every 9, 8, 7, 6, 5.... Nord..... ALL prior to 2022 have had both an MSM DOWNLOAD tool that you could use FOR FREE, to unbrick or interchange fw.... and EVERY ONE OF THEM had access to a normal Fastboot bootloader that you could obtain an unlock for! Plus last time I checked, there STILL isn't a disclaimer on the 10 Pro/T/R sales listings that discloses, "No free repair software is available, and your ability to customize your phone outside of what we approve is forbidden and we removed your access to do so!"

    So I ask again.... DOES ANYONE HAVE A SPARE OTP TOKEN CREDIT FOR THE MSM DOWNLOAD TOOL, THAT I MAY PLEASE USE WITH YOU? Once you have logged in, you can send me a DM with the Token, and it won't interrupt your access. But I need this for continued research in breaking the restrictions from the program. I have partially decrypted the signing algorithm, but my access to the program has been limited, and I MUST get either an Oppo Login / Password.... or an OTP to continue.

    I will not leak your login details to anyone, and you can literally ask any member here if I have ever done so!

    Building a working FREE tool is very time consuming, and if no one is willing to cooperate and pledge some form of assistance with gathering the data I can only acquire by doing full traces of complete flashes... then I will have to abandon this mission entirely and dump these OnePlus phones entirely. I don't wanna do that but I cannot continue being told how and when I can use the program. My time is MY TIME, and if someone WANTS something from me, then I need access to the program so I can work on this. So this might be my last post on this specific forum. I hope it's not!

    Snoochie Boochies
    I sent you credit buds
    Don't sweat it y'all... I thought about it and it just made me remember how bummed I was when someone who was doing some serious work, trying to break the bootloader of the Samsung Note 8, had an encounter like this and he walked away like I was gonna.. then sure enough later when he broke it, he let his close buds have it, but everyone else was in the dark for a couple months. Being that I know how that feels, I am just not that person.

    But I will let it be known that YES I understand the business principle of it... But EVENTUALLY it's gonna get even worse than it is now. I knew at least 5 Indian guys who were doing remotes, and also selling OTP tokens... And now 2 weeks later they don't even reply on the Telegram room THEY made! So no one is making "f.u. money" off this... And hell... Even the WEBSITES that sell them aren't responding. Business cannot be that great cuz no one is trying to get a sale! Either the well has dried up, or everyone has listened to our warnings here and on the sites that link us, and they are all doing Official updates only. And I've heard the OP11 rollout in China is FLOPPING!... (NICE) the 11 seems just as locked down as my 10T! So I'm still in Oppo hating mode.. I will work on this, but for now I am stuck, cuz I can't get a valid login... And something has changed again, (which I was expecting)... Because the Oppo sites are not even providing a new InDeptTest app for Android 12 or 13!.. so Oppo is targeting Developers, cuz if NO Android 12 or 13 Oppo phones can get the bootloader unlock app, and they are hitting all the recent phones with this, then that is a direct hit on developers!

    They seriously need a leadership change... But whatever. I need access to the MSM hopefully soon, cuz I think they are about to pull the plug on Remote flashing, and off site logins.
    But I was informed I can share a few screens with y'all... So gimme an hr to look at the ones I can't share, and I'll post some pics ... Maybe seeing them will activate a few more of you, in trying to pick apart this phone...

    Bear in mind the pics are all from a 10T.. but the intents exist on both models!...

    TBC..
    I found out how to bypass the login prompt. Whether or not the tool will actually work is yet to be determined.
    I don't have a oneplus 10 pro, but would be really curious if this works for anyone.
    In order to avoid potential legal issues, and so you don't have to trust any files I upload, here are the instructions to crack the msm login...

    Using a download from the previously-linked rar, you should have a copy of 'MsmDownloadTool.exe'
    Use 7-zip to open the exe as an archive, and extract all the files into a new folder.
    Open 'FTGUIDev.exe' with a hex editor (HxD is good)
    Find the hex value '0f84e7000000b8'
    Replace the 84 with an 85

    Save the modified exe and launch it.
    Choose a server other than 'in company'
    Put whatever for userID/Password/Verify, click login.


    I hope this is useful.

    BTW... I am STILL in need of someone to share me access to an MSM Tool account that is active... Again... I don't care if it's a guest account... or regular. You can change your password 12 hours after you give me the login info.... I am VERY close to being able to spoof an authentication, and signature response back to the phone in order to allow generic flashing of the 2213, 2215, and 2217. I just need to do about 2, maybe 3 more flashes, an hour between each, so I can decipher the algorithm that generates the token for the response. I have 9... I need 12, as they are partially calculated by a timestamp. So ANYONE who can help me with an account that is active, and maybe it is close to expiring anyways, please DM me, with the info to gain access.

    I am working under an authenticated letterhead, permissions document sent to me by Qualcomm, which completely supersedes ANY legal action brought forth by OnePlus/Oppo/BBK. The letter expressly provides me permission to use any of the tools/functions which are originated/derived from a Qualcomm Tool in any fashion. MSM is written and designed by Qualcomm. I am permitted to use whatever, in the "Research, and Penetration Testing, of any and all protocols called upon by a function of any process that begins in a device with a Qualcomm chipset!"

    They make the MSM Tool... but access to the servers which are used to flash each Qualcomm device is controlled by their respective manufacturers.
    Hello all, I am here to leak the OPPO tech tool that allows the OnePlus 10 Pro to be flashed. Sadly I cannot share a login, but if you are able to bypass the login screen the tool does not need to authenticate with the server to flash a device in EDL mode. Attached is a screenshot of the login screen and the file. The tool picks up the device in EDL mode and allows the user to select the OPF file associated with the device (please note you must have this downloaded externally, ideally from the MSM tool for your device).

    I wish you luck bypassing this login and fixing your phones.

    I looked around for any Firehose loaders that had this getsigndata/verify.
    Only OnePlus and Oppo.
    The solution seems clear: don't buy them.

    OTOH, Lenovo/Motorola has signed loaders with restrictions.
    You can't read most partitions.
    The solution seems clear: don't buy them.
    GOOD GOOD... That's what I like to hear from my Android Brethren!! Hack, Crack, Disassemble, and Attack the weaknesses of these infernal devices!!! (I need sleep!)... Sorry, I'm stuck in some medieval, warfare mindset.. my bad! lol...

    BUT here's what I came for: Humor me.....

    IN THEORY... considering that EVERY post on the internet regarding DIAG mode on a phone, (including iOS!) has started with the same goal.... "Using Root access, to enable Diag for access to the EFS".... So basically everyone is saying that at the time... ROOT was the horse... and Diag was the finish line!... Right? Cuz these guys were trying to hack bootloaders that had no accessible interface. And DIAG was their answer every time... and it worked! (Mostly)....

    What I am proposing is NOT trying to hack the bootloader, because I already know how to crack that... But if it used to be a REQUIREMENT that to even discuss DIAG, you must have Root.... Then can ANYONE HERE put together a way, in which I could REVERSE that process.... or at least leverage DIAG MODE, to get myself a Root Shell.... or alter the SUID or even outright set a new user, as "UID 0"... temporarily even if I can only force 1 app to see my account as SYSTEM, so that I can get RW access to build.prop, or local.prop?? Then I can make 1 flag change in it that will snowball me right thru the security and into the bootloader!

    I mean as Diag I can literally DELETE the phone's whole identity! No IMEI.. no baseband... no modem... no MAC address.. by the access I have to the EFS... and you can't even directly access that partition with ROOT... only Diag and EDL have that authority! So imho there HAS TO BE a way to leverage a lower permission level thru some kind of console, where I can indirectly make a change to the build.prop. And I don't care if it bricks the device 5 minutes later, cuz I am gonna make my change be locked with a persistent property that is already in place! It just needs a 1 in place of a 0, or an alternate access point which is also persistent, and just needs one word added to the line! Either way, if the phone bricks right after for some security violation, I will still have enough access to break the secure chain of trust and make my flags permanent! So if I have to pay for a flash to restore my phone, so be it... I know that the two things I edit survived an EDL flash several times already!

    I really need EVERYONE ON DECK for this... cuz getting this done will cut at least 50% of the work I need to build us an MSM - Mafia FREE edition. I'm talking to the guys who still think UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT B A Start is a good cheat code! As well as the people who can walk past an ATM machine, wave their hand in front of it, and 100's start spitting out like a money shooter... Y'all cannot tell me that the Apple guys are better than us r/n... cuz literally every time a new iOS drops... in less than a few days 3+ randos release videos as POC of them successfully gaining TFP0, which is the iOS equivalent of ROOT.... I refuse to believe that the 17 y/o kid wearing a fedora, and a neckerchief, as they are walking up to the Starbucks counter to order their Venti Chai Mocha Latte..... NO.... I DO NOT ACCEPT THAT VISUAL! To me that's worse than walking in on your parents smashing on top of the dining room table!... at least then I know that they were making each other happy!... But "Smuggy McMasterson III" strutting up to buy a lawn garden cocktail from a coffee shop, while feeling all "chipper" cuz his team found a Kernel Memory Leak in 'iOS whogivesacrap beta 4'... yet we can't find one privilege escalation, is the stuff of my nightmares!

    YALL DONT WANNA GIVE ME NIGHTMARES DO YOU!!! I THOUGHT WE WERE FRIENDS!!!

    FRIENDS DON'T LET FRIENDS GET HANDLED BY A CRAPTASTIC BOOTLOADER, GUARDED BY 1 FLAG! COME ON!