The previous oneplus phones does not have this problem, it does not connect to anything and just runs
General MSM TOOLS
- Thread starter tap77
- Start date
So was just browsing on the Internet and came across this. Now normally I don't usually trust anything unless from xda, but I know some people are bricked and need a way to get back to their phones.. this was updated 6 days ago, and said to have worked.
www.droidwin.com
MSM Download Tool for OnePlus 10 Pro: The Final Nail in the Coffin
In this guide, we will show you the steps to download the MSM Download Tool for OnePlus 10 Pro and then unbrick your device using this tool.
It works partiallySo was just browsing on the Internet and came across this. Now normally I don't usually trust anything unless from xda, but I know some people are bricked and need a way to get back to their phones.. this was updated 6 days ago, and said to have worked.
MSM Download Tool for OnePlus 10 Pro: The Final Nail in the Coffin
In this guide, we will show you the steps to download the MSM Download Tool for OnePlus 10 Pro and then unbrick your device using this tool.
There's another problem
It is related to VIP Programming (prog_firehose_ddr.elf)
does not work.So was just browsing on the Internet and came across this. Now normally I don't usually trust anything unless from xda, but I know some people are bricked and need a way to get back to their phones.. this was updated 6 days ago, and said to have worked.
MSM Download Tool for OnePlus 10 Pro: The Final Nail in the Coffin
In this guide, we will show you the steps to download the MSM Download Tool for OnePlus 10 Pro and then unbrick your device using this tool.
this site is fully of Sh*ts admin is just super copy pasterSo was just browsing on the Internet and came across this. Now normally I don't usually trust anything unless from xda, but I know some people are bricked and need a way to get back to their phones.. this was updated 6 days ago, and said to have worked.
MSM Download Tool for OnePlus 10 Pro: The Final Nail in the Coffin
In this guide, we will show you the steps to download the MSM Download Tool for OnePlus 10 Pro and then unbrick your device using this tool.
D
Deleted member 11818907
Guest
Yes most sites like these are one told me to put a fire tablet into download mode and flash in odin
Of course. I read some of it and I did look promising, but like I mentioned in my earlier post that if it's not at xda I find hard time to trust it.
just got my replacement from google for my pixel 6 pro free of charge and oneplus sent me 3 emails with no shipping label.Same here!
Feeling that I just burned 1000 USD
dont you just go into developer settings and turn off oem unlocking? i know with custom roms it was ungreyed but i dant recall on 10 pro. if not try these with fastboot.
fastboot oem lock
OR
fastboot flashing lock
D
Deleted member 11818907
Guest
D
Deleted member 11818907
Guest
would it count as warez if we cracked this android flashing thing made by scummy developers trying to extract every penny out of our wallets
Not to me... I hope everyone benefiting financially from this gets malware in their next meal, then poops malware until they die.
EtherealRemnant
Senior Member
No, there have been talks about, and tools posted for, circumventing manufacturer limitations on this site for many years.
No not warez. But certainly funny as hell.
I've tried to reach these fools from multiple angles but have never heard a peep back. I also don't feel like throwing money into a black hole right now.
D
Deleted member 10740347
Guest
I bricked my 10 on accident. Got pixel 6a and NEVER EVER looking back. Oneplus and Oppo can crash and burn
D
Deleted member 10740347
Guest
Nothing too bad (yet). I'm on the latest QPR and the FP scanner is now pretty nice
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
18I found out how to bypass the login prompt. Whether or not the tool will actually work is yet to be determined.
I don't have a oneplus 10 pro, but would be really curious if this works for anyone.
In order to avoid potential legal issues, and so you don't have to trust any files I upload, here are the instructions to crack the msm login...
Using a download from the previously-linked rar, you should have a copy of 'MsmDownloadTool.exe'
Use 7-zip to open the exe as an archive, and extract all the files into a new folder.
Open 'FTGUIDev.exe' with a hex editor (HxD is good)
Find the hex value '0f84e7000000b8'
Replace the 84 with an 85
Save the modified exe and launch it.
Choose a server other than 'in company'
Put whatever for userID/Password/Verify, click login.
I hope this is useful.
9Hello all, i am here to leak OPPO tech tool that allows one plus 10 pro to be flashed. Sadly i cannot share login but if you are able to bypass login screen the tool does not need to authenticate with server to flash device in EDL mode. Attached is screen shot of login screen and file. The tool picks up device in EDL mode and allows user to select the OPF file associated for device (please note you must have this downloaded externally ideally from msm tool for your device)
I wish you luck bypassing this login and fixing your phones.
9BTW... I am STILL in need of someone to share me access to a MSM Tool account that is active... Again... i dont care if its a guest account... or regular. You can change your password 12 hours after you give me the login info.... I am VERY close to being able to spoof an authentication, and signature response back to the phone in order to allow generic flashing of the 2213, 2215, and 2217. I just need to do about 2, maybe 3 more flashes, an hour between each, so i can decipher the algorithm that generates the token for the response. I have 9... i need 12, as they are partially calculated by a timestamp. So ANYONE who can help me with an account that is active, and maybe it is close to expiring anyways, please DM me, with the info to gain access.
I am working under an authenticated letterhead, permissions document sent to me by Qualcomm, which completely supercedes ANY legal action brought forth by Oneplus/Oppo/BBK. The letter expressly provides me permission to use any of the tools/functions which are originated/derived from a Qualcomm Tool in any fashion. MSM is written and designed by qualcomm. I am permitted to use whatever, in the "Research, and Penetration Testing, of any and all protocols called upon by a function of any process that begins in a device with a qualcomm chipset.!"
They make the MSM Tool... but access to the servers which are used to flash each qualcomm device is controlled by their respective manufacturers.8so heres what the OTP guys are doing...
Be prepared... this is a VERY long detailed post...
so what they are basically doing is....
they are running their own "last pass" kind of server from AWS... Where they are daily logging in to their amazon web server account, and updating the MSM TOOL login, so that it refreshes every time one of them needs to pull an OTP. But its up to whoever admins the account as to how long tokens last for.
then they created (or cloned) that GA_Login tool, which is just a general purpose login tool which can be made to work with any app. It comes with modified code so that you can attach it to any program written under a certain language. (different versions of the login tool for different program languages) Then the tool officially has access to manipulate the login values of whatever app.
I believe the tool has legit licenses with the companies otherwise they would be violating the reverse engineering laws, and everyone who is profiting from it would be subject to an arresting offense! That would depend on the companies to press charges. But its easy to gain permission from a company for this purpose because you arent altering the code, only adding further security to mask passwords!
So the OTP being generated, are just a valid login that is masked by a secure password masking system. Unfortunately it is unable to be decrypted due to mitigations involved with packet capture and the login relies on an internet connection. Now unfortunately thru further inspection, the OFP flashing app DOES maintain a secure check of the VIP Authentication signature, and that signature is verified on the phone itself through a command called by the Linux Library "Libqmi" ... this can be built and programmed by anyone, but the actual procedure for JUST doing a VIP Auth signature, is not detailed on how to perform this.
THIS is what the QFIL application is doing when the sahara programmer is called.... the sahara programmer has a heavily encrypted HASHING ALGORITHM which sends one value to your phone, and then your phone verifies and calculates a response to send back to the Sahara.... The sahara already knows the correct answer even though it sits waiting, and if a single character is off, then sahara shuts down the communication portal, and sends us back an error. At that time, the phone is stuck in perpetual FAILED mode, and needs to be reset in order to try again.
The problem with this is that during a FULL BRICK state, meaning no communication without shorting the Test Points, while the battery is disconnected, then there is no way to get a valid time stamp from your device. The timestamp is part of the sahara's calculation. Thus this is why manually flashing thru QFIL continues to fail. The PATCHED Firehose loaders, simply have the TIMESTAMP requirement removed from the calculation, so that the only thing verified is the devices SOC and board information.
The MSM ONLINE tool, does its own timestamp calculations and intercepts the communication of the Sahara, then injects the current valid timestamp in real time, which then gives the approved signature to the sahara, and authorizes your flash.
Conclusion: Someone who has .elf file coding skills needs to completely disassemble the loader, which can be pulled from ANY OP 10series.... or actually ANY Snapdragon 845 r 1, based phone, and compare that to several other loaders of recent related chipsets... ie Snapdragon 845 r 2, or possibly even Snapdragon 865... but if they are fluent enough working with elf files, they should be able to locate the instruction code that requests a timestamp, as part of the signature, and delete/disable that requirement. THEN recompile that loader and we will have the file needed from OFFLINE flashes via the patched MSM Tool, or Qfil.
The login is the ONLY requirement of the MSMTool!
It is the sahara firehose itself that is killing our ability to continue flashing once the login is bypassed. Whether the phone is in brickstate or not has no value to the value being submitted to the sahara. OPPO programmed our phones to interrupt communication thru the USB, on a BUTTON, or ADB request to enter EDL mode. This is why when connecting via the command line, or thru the recovery mode shortcut, there is a slight 3-5 second delay until your phone is detected in 9008 mode.
1. When entering by holding the VOL buttons and plugging the usb in, the phone loses communication to the TIMESTAMP function, which makes the sahara fail offline, due to no MSM Tool server intervention. (remember the MSM server is not maintained by OPPO, but is actually built by Qualcomm... they just provide access to OPPO for repair functions.)
^^This will cause QFIL to fail, because a valid VIP cant be generated without the timestamp! ... But the MSM server can interject the correct timestamp being that its online and always in sync^^
2. When entering EDL via cli, the phone is SUPPOSED to go straight into QCOMM DOWNLOAD MODE... with no interruption, but OPPO amended a "Reboot" command into the opperand forcing the usb to lose connection to the board and breaking the sync, and thus forcing the timestamp to be invalid once the connection is made again with the programmer.
^^This is why COLOROS is a game changer... Because they pushed their own, RECOVERY, and FASTBOOT protocols as overlays of the REAL Qcomm Recovery and Fastboot. Recovery and Fastboot are requirements of Qcomm/Android devices. But HOW they are laid out to us are completely up to the manufacturers. The ColorOS Recovery, and Fastboot (D) that is made by OPPO, alters the timestamp being generated, to force a standard 12hr format instead of 24hr ... Sahara doesnt know wtf AM, or PM is... so anything from ColorOS is gibberish in the timestamp.
THERE IS ONE CAVEAT...
All androids with altered Fastboot and Recovery protocols, ,MUST include a "Debug Boot Image". These actually communicate to the Qualcomm diagnostic function. Although atm i have no idea how to BOOT into these images, as they are not the same as the normal .img files we use for everything else. Calling on one of these images, is a process completely different than standard android boot.img ... so again i believe this to be one of the functions of LIBQMI .... this library makes a connection to the device over usb but more importantly the SERIAL communicator console on the board. Once this communication is connected, you have full control over all partitions/filesystems inside the entire device, without regulation. You could technically tell your smartphone it is now a smart TOASTER, (but this would certainly crash immediately without the proper functions being built into the chipset.)
So now i task ANYONE who might have decent Linux knowledge to research QMI and how it communicates, to find the proper commands/access to call upon the Debug.img , which you can pull our of any downloaded fw.
I will still be working on alternate methods, but as of now QMI seems to be our only answer.
And final statement. OTP cannot be spoofed in any method to gain authorized MSM access, anymore than you being able to spoof authentication into a "last pass" account to gain control over someones password collection. They both maintain about the same level of encryption.
I hope thats detailed enough to get to everyones thoughts, as i probably wont be able to answer anything much deeper for the time being. I have personally put myself into a financial situation, by the amount of time i have devoted to this, and now need to create a miracle or 2 in order to recover from the domino effect that i hadnt realized i triggered until today. Sorry i couldnt do a hell of a lot more... if i had the financial resources to not worry about bills for a month or two i could totally crack this thing wide open, and probably put a devastating hurt on OPPO in the process... but Electricity, Rent, Car, Insurance, Food, and general living, all factor in to the amount of time i can spend on this. (which sucks because bounties are upwards of 50K or more for the discovery of holes in the functions i was working on, and according to Qcomm i was very close to a pretty high critical cve being declared!)
