General MSM TOOLS


beatbreakee

Senior Member
Aug 10, 2015
287
420
Frisco
Samsung Galaxy S10
And for everyone saying Fastboot bricked their phone after flashing a fw directly ... You are PARTIALLY right... What actually happened is that EACH region's fw has a specific manifest file (looks like "10001011") which cues which partitioning scheme to use for flashing. Using the 2213 .... 2211.... 2215 FULL Fw package has literally no bearing on what is going to be installed on your phone.... Other than Cosmetic, as in when you go to About Phone, your model and build details will all reflect whatever you think you flashed... But then taking the phone into Diag Mode, and reading the EFS partition with the ACTUAL fw information that is installed on your phone, will have at least 4 (all I've located so far) different files hidden in plain sight, but odd locations like 8 blank folders that only have another blank folder in them.... 8 levels deep, then 1 single TXT file that has NOTHING in it but your FACTORY BUILD DATA from when it was programmed at factory.... then a few details later, the EXACT Region, Model, IMEI, and ESN that your phone is supposed to be running.... and flags that clearly state "FALSE" on every fw related line where it shows that the phone checks whether or not you have permission to do any modifications or replace those files. THAT IS YOUR BRICK!.... It shows permission to change ALL of these files as FALSE.... so your phone is set to do all actions quietly... so when these files FAIL to get changed by the FW you just flashed... it is an instant device conflict the moment you press power.... Cuz you have mismatched Region specific code and files missing.

abl
cpucp
dtbo
engineering_cdt
modem
my_engineering
my_manifest
my_region
odm
recovery
vbmeta
xbl
xbl_ramdump

I might have missed 1 or 2, but it EXPLICITLY states <Permission_Granted>False<.... next to all of these files in a config file that is hidden in at least 4 different places in the EFS. It would be a NIGHTMARE chasing down the instruction that assigns the location of those conf files, so that you could either delete the entire instruction, or what I did... which was to use Android AGAINST ITSELF....

When I realized they could hide these conf files ANYWHERE and then drop instructions in any part of the Initrc, secure trust zone, bootloader, recovery ... ANYWHERE... then write one instruction somewhere that tells the phone to verify the hash of those files before proceeding..... I knew that was a losing strategy! I found copies of that SAME file's content, WORD FOR WORD, in a random "db folder" but they were named without an extension at all.... same 1st name, but no extension.... adding .txt did not let me open them either, except to a bunch of glyphs that looked like hundreds of characters stacked over each other, like if you wrote a word, then used a darker pen and wrote something else.... then again... and again... and again.... but using some Windows apps I was able to find what program was needed to read that file, and when I installed it, and renamed the extension to whatever it said to, then the file opened and looked EXACTLY like the plain text ones I found in other places.

Wanna know the WEIRDEST PART??? ALL OF THESE FILES... EVERY ONE already has FULL RWX permissions granted to the folder and the files themselves!.... why go to ALL THIS CRAZY, with hiding... renaming.... forcing special tools.... and duplicating, if you are just gonna make the files RWX by default to ANYONE? I'm sorry but I think Oneplus/Oppo called every place they have an office/development facility, and broke the whole Oxy 12 into like 20 different sections, then gave each office 1 section and said "Complete your section... don't worry about building the OS.... just make sure your part works in an emulator.... then once complete send your completed data to the main office. They will BANDAID all the sections together, so that there is not 1 single center who knows WTH is really going on with this fw... then there's no leaks.... security breaches... nothing will matter because it'll look so retarded that EVERY developer or highly technical user will take one look and give up when they see the level of disorganization, and abnormal data structures we "Frankenstein'd" together to break their creative thought process!" --- OPPO CEO


tl;dr - device will still respond to ISP Pinout/Touch Point connection WITHOUT the battery connected. You can proceed to have someone remote flash you once jumpered and connected. Use Windows and keep "Device Manager" open. You will be able to watch and know when EDL becomes ready, and if the jumper becomes disconnected. Total flash time is about 7 minutes!

Hope that shed a little more light on what's happening!

cheers
 

Ph0nysk1nk

Senior Member
Jul 28, 2016
238
126
And for everyone saying Fastboot bricked their phone after flashing a fw directly ... You are PARTIALLY right... What actually happened is that EACH region's fw has a specific manifest file (looks like "10001011") which cues which partitioning scheme to use for flashing. Using the 2213 .... 2211.... 2215 FULL Fw package has literally no bearing on what is going to be installed on your phone.... Other than Cosmetic, as in when you go to About Phone, your model and build details will all reflect whatever you think you flashed... But then taking the phone into Diag Mode, and reading the EFS partition with the ACTUAL fw information that is installed on your phone, will have at least 4 (all I've located so far) different files hidden in plain sight, but odd locations like 8 blank folders that only have another blank folder in them.... 8 levels deep, then 1 single TXT file that has NOTHING in it but your FACTORY BUILD DATA from when it was programmed at factory.... then a few details later, the EXACT Region, Model, IMEI, and ESN that your phone is supposed to be running.... and flags that clearly state "FALSE" on every fw related line where it shows that the phone checks whether or not you have permission to do any modifications or replace those files. THAT IS YOUR BRICK!.... It shows permission to change ALL of these files as FALSE.... so your phone is set to do all actions quietly... so when these files FAIL to get changed by the FW you just flashed... it is an instant device conflict the moment you press power.... Cuz you have mismatched Region specific code and files missing.

abl
cpucp
dtbo
engineering_cdt
modem
my_engineering
my_manifest
my_region
odm
recovery
vbmeta
xbl
xbl_ramdump

I might have missed 1 or 2, but it EXPLICITLY states <Permission_Granted>False<.... next to all of these files in a config file that is hidden in at least 4 different places in the EFS. It would be a NIGHTMARE chasing down the instruction that assigns the location of those conf files, so that you could either delete the entire instruction, or what I did... which was to use Android AGAINST ITSELF....

When I realized they could hide these conf files ANYWHERE and then drop instructions in any part of the Initrc, secure trust zone, bootloader, recovery ... ANYWHERE... then write one instruction somewhere that tells the phone to verify the hash of those files before proceeding..... I knew that was a losing strategy! I found copies of that SAME file's content, WORD FOR WORD, in a random "db folder" but they were named without an extension at all.... same 1st name, but no extension.... adding .txt did not let me open them either, except to a bunch of glyphs that looked like hundreds of characters stacked over each other, like if you wrote a word, then used a darker pen and wrote something else.... then again... and again... and again.... but using some Windows apps I was able to find what program was needed to read that file, and when I installed it, and renamed the extension to whatever it said to, then the file opened and looked EXACTLY like the plain text ones I found in other places.

Wanna know the WEIRDEST PART??? ALL OF THESE FILES... EVERY ONE already has FULL RWX permissions granted to the folder and the files themselves!.... why go to ALL THIS CRAZY, with hiding... renaming.... forcing special tools.... and duplicating, if you are just gonna make the files RWX by default to ANYONE? I'm sorry but I think Oneplus/Oppo called every place they have an office/development facility, and broke the whole Oxy 12 into like 20 different sections, then gave each office 1 section and said "Complete your section... don't worry about building the OS.... just make sure your part works in an emulator.... then once complete send your completed data to the main office. They will BANDAID all the sections together, so that there is not 1 single center who knows WTH is really going on with this fw... then there's no leaks.... security breaches... nothing will matter because it'll look so retarded that EVERY developer or highly technical user will take one look and give up when they see the level of disorganization, and abnormal data structures we "Frankenstein'd" together to break their creative thought process!" --- OPPO CEO


tl;dr - device will still respond to ISP Pinout/Touch Point connection WITHOUT the battery connected. You can proceed to have someone remote flash you once jumpered and connected. Use Windows and keep "Device Manager" open. You will be able to watch and know when EDL becomes ready, and if the jumper becomes disconnected. Total flash time is about 7 minutes!

Hope that shed a little more light on what's happening!

cheers
I really hope you are able to pull off your Frankenstein MSM and end this insanity
 

beatbreakee

Senior Member
Aug 10, 2015
287
420
Frisco
Samsung Galaxy S10
These ALL come inside EVERY OFP firmware you download. Only official OPPO signed OFP will flash from MSM, or QFIL (if you have the authorized VIP addon), so it does not matter WHAT you think you're flashing to your phone. It will say whatever in the about phone, and in the phone's identifiers.... but checking the EFS folders data afterwards will say exactly what REAL region your phone uses... what fw is supposed to be installed, and how many times you have flashed NON AUTHORIZED fw packages to it. (That is if you're lucky enough to pull off a region change without bricking or infinite bootloop.) EVERY phone I have changed the fw on for my friends/local customers has had 100% success .... The only brick I had that was NOT done on purpose by me was the very 1st brick I had that killed my phone completely.... after that, using the exact instructions I posted in other threads, I have had 0 hangups, and a perfect flash each time. Be warned though... you are going to always end up on a LOW revision of Android 12, if you want to be able to still use your phone after the region swap!

Something that was programmed in to all the fw released after July 2022 has some "Region Control" policy lying in wait like a Tiger waiting to attack.... the moment you put a sim from a different region/carrier into your phone AFTER changing the region, and then updating to more current fw. To have a fully functional device you HAVE TO STAY on the rollback package detailed in my instructions... I cannot express this enough. I have spent MONTHS now trying to break the policy, or circumvent the security, and it just isn't possible r/n in my eyes, because it is a policy written DIRECTLY into the critical functions of Android 12 late builds and Android 13 all! A custom rom is about the only thing I think that would MAYBE break thru. But I'm sure A LOT will not pay any attention, then will msg me over and over asking for my help fixing whatever they broke. My instructions AS THEY STAND NOW work flawlessly on 10 Pro Tmobile to any region, and 10T T-mobile to any region.... but failure to follow step by step or skip any process will DEFINITELY end in bootloop or unresponsive. ADVICE: Just wait... I am fully confident someone will BREAK this whole MSM/Device Policy junk in the next 1-2 months. It will happen!

[Attachments: Screenshot 2022-12-24 225138.png, oplfw.png]
 

beatbreakee

Senior Member
Aug 10, 2015
287
420
Frisco
Samsung Galaxy S10

I really hope you are able to pull off your Frankenstein MSM and end this insanity
I won't lie man... it's looking bleak... 1st off the people who can get guest logins or shared info to the Authorized MSM tool are just not willing to share with me... If I cannot get access to the real authentication and signature packets for a few different flashes, then I cannot put together the partially broken responses needed to allow anyone to load in their machine. As of right now, I can load and flash my Oneplus 10Pro as many times as I want from MSM... but the moment I switch to a different phone, it breaks the authentication and signature, and shows as expired. So I am not providing a GENERIC enough response yet to fool the server, so I need about 2 or 3 more brick - restores from an authorized account, so I can diff the data and see about ripping enough to push the package forward, but not enough so that it is looking for a specific device... or that will do y'all no good. BUT I'M TRYING! I just need more cooperation from a couple ppl who can capture the login info during a remote repair, so I can log in with REAL info....

waiting patiently!
 

Renate

Recognized Contributor / Inactive Recognized Dev
...set a jumper on the Test Points, (And it has to stay in place the whole time in EDL)...
I don't have a One Plus, but I dive pretty deep into EDL. I've never seen that the ROM bootloader reacts any differently when the "EDL test points" are shorted constantly vs. just shorted at the instant of the reset. I use magnetic reed switches on a few devices and I don't see any difference when I leave the magnet on them. I also had a device with a slide switch.

I'm interested in "VIP". I see that built into about a third of the Firehose loaders that I've checked. Still, I haven't chased that down at all.

I do have Lenovo/Motorola Firehose loaders that have "range restricted" based on a secure setting. It appears to be set in OTP fuses?

Any words of wisdom? You can PM me too.
 

forever_lol

Senior Member
Mar 18, 2013
993
377
Been in your EXACT same state bro... Too bad you already RMA... your device is just in what Qualcomm calls "Deep Sleep". It is a mode to protect the volatile file system from further corruption, after attempting to flash a firmware that had Size/Compatibility/Manifest conflicts that would have otherwise been NON-recoverable if the system had gone ahead and allowed the "Newly flashed" fw to finish processing. Basically it goes to sleep to prevent a hard brick!

BUT if you open the back of the phone, and set a jumper on the Test Points (and it has to stay in place the whole time in EDL), your phone will be recognized in 9008 Downloader mode, BUT WITHOUT THE BATTERY CONNECTED. Then after 10 sec in DL mode, if you have a QPST server window open, and you click connect, but don't flash anything, your device will auto change over to DIAG mode, for interaction with EFS File Explorer.

There's A LOT of work that needs to be done (several files and conf in the EFS that you need to either delete, or change some info, and one particular "CarrierPolicy.xml" which needs to be refined), and then your phone would allow you to reboot back to normal powered state, and send you automatically into Fastboot. (I have tested and whittled down to exactly what needs to be edited, and purposely bricked my 10Pro about 15 times to make sure my technique worked.)

I won't disclose publicly because of a "Cease and Desist" Order I received from BBK/Oppo ... as they have threatened in letter #3 to push Qualcomm to also invoke the "Reverse Engineering Clause" as I use Authorized QXDM and QPST programs that are modified to remove license checks. But what I can say in public is that "It does not matter WHAT STATE YOUR PHONE IS IN... Bricked.... Unresponsive...... Looped..... as long as you are willing and can access the main board of any Qualcomm phone...... You can bring it back to life with these tools!" In extreme circumstances, all you need is someone with an authorized MSM account, and once you short the ISP Pinout /Test Point connectors, your phone skips ALL layers of the Android file system, and goes into a special "Security Free" emergency download instance of 9008 Download mode.... Both appear similar... but normal EDL by buttons, or ADB commands, has "Secure Trust Zone, and Secure Boot" both active and on guard to make sure you have the permissions authorized by Qualcomm. Using the Test Points only activates 1 security, which is Qualcomm's VIP mode. That is THEIR protection against catastrophic damage to the filesystem. If you DON'T have a QUALCOMM Signed Loader/Programmer, you will fail VIP Auth, and the flash will crash. But in this EDL someone can MSMTool flash your phone remotely with no problem!

Cheers
Thank you for your thorough reply mate. Wow, that's actually the most informative reply I've ever received here on XDA :) If I didn't already register RMA I would certainly follow your guide.
 

beatbreakee

Senior Member
Aug 10, 2015
287
420
Frisco
Samsung Galaxy S10
I don't have a One Plus, but I dive pretty deep into EDL. I've never seen that the ROM bootloader reacts any differently when the "EDL test points" are shorted constantly vs. just shorted at the instant of the reset. I use magnetic reed switches on a few devices and I don't see any difference when I leave the magnet on them. I also had a device with a slide switch.

I'm interested in "VIP". I see that built into about a third of the Firehose loaders that I've checked. Still, I haven't chased that down at all.

I do have Lenovo/Motorola Firehose loaders that have "range restricted" based on a secure setting. It appears to be set in OTP fuses?

Any words of wisdom? You can PM me too.
Ok... it's just basic Qualcomm science.... when you activate QDLOADER 9008 (EDL) by holding the Vol +, and Vol - buttons, you are allowing the phone's PRELOADER to send the signal to boot into EDL mode. By doing this you run into security that can be set by the manufacturer as well as the carrier. (This is 100% validated in the T-Mobile variants of the 10Pro and 10T... as both models have a bit set by the pre-loader which forces the phone to NOT allow changes to several hidden files, which are the exact reason why, when attempting to flash ANYTHING over a Tmobile fw, even if the device is sim unlocked and bootloader unlocked, the phone will bootloop because of the security function of a single bit inside the preloader. And if you flash, reaching the bootloop stage, and then you continue attempting to force flash additional roms trying to get out of the bootloop, the RPMB Fuse will blow and that is what then triggers the unresponsive state.)

(Read ANY of my past threads and you will easily find that most everyone on here KNOWS that I have extensive knowledge of what I am speaking of here. I literally am prob one of the more Expert persons here in regards to THIS DEVICE, and the 10T, when it comes to everything EDL/Brick/Unbrick. I have the ENTIRE QXDM suite of 44 applications, all of which work intricately in one or more of the 9 protocols that Qualcomm tools use to perform specific functions to edit EDL, DIAG, QDSS, RMNET, DPL, SERIAL, QDSS_MDM, or ADB accessed parameters in our devices.)

Now without wasting further time on my qualifications.... my point is that:

1. When the phone is connected to the battery, and then EDL is activated thru the BUTTONS, then it must go thru the initial security in the preloader. This is just plain sense, because the button configs used to access Fastboot, EDL, or Recovery mode are controlled by the ABL, and can be removed, changed, or outright disabled by the OS providers. For example... I have a Tmobile Oneplus 10T, and it does NOT have fastboot mode AT ALL... not accessible, and when I pull the ABL partition, and use binwalk and IDA Pro to decompile and read the functions that are available, the FASTBOOT_HAL is not present at all... Tmobile did this to the 10T that were shipped after July this year.

2. When accessing EDL via Test Points... THE TRUE WAY is to disconnect the battery connectors to the board. THEN place a jumper on the test points, and once set, then plug the phone into your computer.
THIS METHOD bypasses the preloader, and goes directly into a deep or low level flash mode. You can tell the difference by simply pressing the Vol +, Vol -, and Power buttons 1 time... like press them all together once... don't hold them, while the phone is already booted into EDL (9008) mode. If you have QPST open when you do this, your phone will automatically switch to DIAG, and run a built in DUMP command without any interaction by you. (The purpose of the dump created, I haven't figured out, but this is part of the LOW LEVEL access function of EDL.) Yes the VIP is still enabled, because that is Qualcomm's security feature... but in this EDL state, you can go straight into EFS Explorer, and read/write directly to the entire EFS partition. This is where Device policies, carrier policies, IMEI, NV, boot configs, simlocks, and much more can be altered, without any way for the phone to refuse your changes.

(It is not widely known, nor promoted, because you can SEVERELY F' YOUR DEVICE UP in this state. It is direct EFS writing, without any safety mechanisms to fix whatever you break. Change or delete the wrong file / config here, and you can turn your $600 phone into a REAL paperweight! As in, WILL NOT EVER FUNCTION AGAIN. I know of 3 different XML files in this folder which, if deleted or altered with invalid data, will DISABLE the 9008 protocol completely, and forever lock your phone in a perpetual deep sleep. The ONLY way out of it is to remove the SOC and replace it. These files cannot be edited, or even parsed, when connected thru normal means either via "adb reboot edl" or button config. Those 2 methods each have their own level of restriction built in... but Test Point access removes every security other than the Sahara Firehose and VIP Sign ... other than QFIL and MSM, only certain Qualcomm programs can communicate in these modes, and the programs all require either a QXDM license or the QPST server running, in order to launch the apps.)
 

Metromas

Senior Member
Oct 20, 2019
77
22
26
Turkey
metromas.com
Ok... it's just basic Qualcomm science.... when you activate QDLOADER 9008 (EDL) by holding the Vol +, and Vol - buttons, you are allowing the phone's PRELOADER to send the signal to boot into EDL mode. By doing this you run into security that can be set by the manufacturer as well as the carrier. (This is 100% validated in the T-Mobile variants of the 10Pro and 10T... as both models have a bit set by the pre-loader which forces the phone to NOT allow changes to several hidden files, which are the exact reason why, when attempting to flash ANYTHING over a Tmobile fw, even if the device is sim unlocked and bootloader unlocked, the phone will bootloop because of the security function of a single bit inside the preloader. And if you flash, reaching the bootloop stage, and then you continue attempting to force flash additional roms trying to get out of the bootloop, the RPMB Fuse will blow and that is what then triggers the unresponsive state.)

(Read ANY of my past threads and you will easily find that most everyone on here KNOWS that I have extensive knowledge of what I am speaking of here. I literally am prob one of the more Expert persons here in regards to THIS DEVICE, and the 10T, when it comes to everything EDL/Brick/Unbrick. I have the ENTIRE QXDM suite of 44 applications, all of which work intricately in one or more of the 9 protocols that Qualcomm tools use to perform specific functions to edit EDL, DIAG, QDSS, RMNET, DPL, SERIAL, QDSS_MDM, or ADB accessed parameters in our devices.)

Now without wasting further time on my qualifications.... my point is that:

1. When the phone is connected to the battery, and then EDL is activated thru the BUTTONS, then it must go thru the initial security in the preloader. This is just plain sense, because the button configs used to access Fastboot, EDL, or Recovery mode are controlled by the ABL, and can be removed, changed, or outright disabled by the OS providers. For example... I have a Tmobile Oneplus 10T, and it does NOT have fastboot mode AT ALL... not accessible, and when I pull the ABL partition, and use binwalk and IDA Pro to decompile and read the functions that are available, the FASTBOOT_HAL is not present at all... Tmobile did this to the 10T that were shipped after July this year.

2. When accessing EDL via Test Points... THE TRUE WAY is to disconnect the battery connectors to the board. THEN place a jumper on the test points, and once set, then plug the phone into your computer.
THIS METHOD bypasses the preloader, and goes directly into a deep or low level flash mode. You can tell the difference by simply pressing the Vol +, Vol -, and Power buttons 1 time... like press them all together once... don't hold them, while the phone is already booted into EDL (9008) mode. If you have QPST open when you do this, your phone will automatically switch to DIAG, and run a built in DUMP command without any interaction by you. (The purpose of the dump created, I haven't figured out, but this is part of the LOW LEVEL access function of EDL.) Yes the VIP is still enabled, because that is Qualcomm's security feature... but in this EDL state, you can go straight into EFS Explorer, and read/write directly to the entire EFS partition. This is where Device policies, carrier policies, IMEI, NV, boot configs, simlocks, and much more can be altered, without any way for the phone to refuse your changes.

(It is not widely known, nor promoted, because you can SEVERELY F' YOUR DEVICE UP in this state. It is direct EFS writing, without any safety mechanisms to fix whatever you break. Change or delete the wrong file / config here, and you can turn your $600 phone into a REAL paperweight! As in, WILL NOT EVER FUNCTION AGAIN. I know of 3 different XML files in this folder which, if deleted or altered with invalid data, will DISABLE the 9008 protocol completely, and forever lock your phone in a perpetual deep sleep. The ONLY way out of it is to remove the SOC and replace it. These files cannot be edited, or even parsed, when connected thru normal means either via "adb reboot edl" or button config. Those 2 methods each have their own level of restriction built in... but Test Point access removes every security other than the Sahara Firehose and VIP Sign ... other than QFIL and MSM, only certain Qualcomm programs can communicate in these modes, and the programs all require either a QXDM license or the QPST server running, in order to launch the apps.)
Is it possible to create tools for 10 pro if I run an authorized account? I have used many 10 pro devices for a long time and still no tool has come out all this time..
Even the real account holder pays money. When we get it for use, we have to spend. So it cannot be shared publicly. If it is shared publicly, the company will notice this account. (Requires verification.) Unfortunately, there is no way, as it will end badly, don't be angry with me.
 

Renate

Recognized Contributor / Inactive Recognized Dev
Thanks @beatbreakee for your response.
I do know that button activation of EDL and even "EDL mode USB cables" is dependent somewhere on other software.
Still, I'm pretty sure that a hard reset with high (1.8V) asserted on GPIO57 (on this particular device) will always get me to 9008.
Now, there may be OTP fuses that can ruin this for me, but there can't be anything in flash, because I can just disable flash too. Maybe the files are checked and can blow an OTP. That seems a risky thing for a manufacturer to do.
Sahara has to work without any flash or any RAM.
 

Ph0nysk1nk

Senior Member
Jul 28, 2016
238
126
Is it possible to create tools for 10 pro if I run an authorized account? I have used many 10 pro devices for a long time and still no tool has come out all this time..
Even the real account holder pays money. When we get it for use, we have to spend. So it cannot be shared publicly. If it is shared publicly, the company will notice this account. (Requires verification.) Unfortunately, there is no way, as it will end badly, don't be angry with me.
Just out of curiosity, are those account holders independent repair shops who work out a deal with OPPO?

Or can only authorized OPPO centers hold accounts?
 

beatbreakee

Senior Member
Aug 10, 2015
287
420
Frisco
Samsung Galaxy S10
BTW... I am STILL in need of someone to share with me access to a MSM Tool account that is active... Again... I don't care if it's a guest account... or regular. You can change your password 12 hours after you give me the login info.... I am VERY close to being able to spoof an authentication and signature response back to the phone in order to allow generic flashing of the 2213, 2215, and 2217. I just need to do about 2, maybe 3 more flashes, an hour between each, so I can decipher the algorithm that generates the token for the response. I have 9... I need 12, as they are partially calculated by a timestamp. So ANYONE who can help me with an account that is active, and maybe it is close to expiring anyways, please DM me with the info to gain access.

I am working under an authenticated letterhead, permissions document sent to me by Qualcomm, which completely supersedes ANY legal action brought forth by Oneplus/Oppo/BBK. The letter expressly provides me permission to use any of the tools/functions which are originated/derived from a Qualcomm Tool in any fashion. MSM is written and designed by Qualcomm. I am permitted to use whatever, in the "Research, and Penetration Testing, of any and all protocols called upon by a function of any process that begins in a device with a Qualcomm chipset!"

They make the MSM Tool... but access to the servers which are used to flash each qualcomm device is controlled by their respective manufacturers.
 

Ph0nysk1nk

Senior Member
Jul 28, 2016
238
126
BTW... I am STILL in need of someone to share with me access to a MSM Tool account that is active... Again... I don't care if it's a guest account... or regular. You can change your password 12 hours after you give me the login info.... I am VERY close to being able to spoof an authentication and signature response back to the phone in order to allow generic flashing of the 2213, 2215, and 2217. I just need to do about 2, maybe 3 more flashes, an hour between each, so I can decipher the algorithm that generates the token for the response. I have 9... I need 12, as they are partially calculated by a timestamp. So ANYONE who can help me with an account that is active, and maybe it is close to expiring anyways, please DM me with the info to gain access.

I am working under an authenticated letterhead, permissions document sent to me by Qualcomm, which completely supersedes ANY legal action brought forth by Oneplus/Oppo/BBK. The letter expressly provides me permission to use any of the tools/functions which are originated/derived from a Qualcomm Tool in any fashion. MSM is written and designed by Qualcomm. I am permitted to use whatever, in the "Research, and Penetration Testing, of any and all protocols called upon by a function of any process that begins in a device with a Qualcomm chipset!"

They make the MSM Tool... but access to the servers which are used to flash each qualcomm device is controlled by their respective manufacturers.
MVP of the year
 

Metromas

Senior Member
Oct 20, 2019
77
22
26
Turkey
metromas.com
BTW... I am STILL in need of someone to share with me access to a MSM Tool account that is active... Again... I don't care if it's a guest account... or regular. You can change your password 12 hours after you give me the login info.... I am VERY close to being able to spoof an authentication and signature response back to the phone in order to allow generic flashing of the 2213, 2215, and 2217. I just need to do about 2, maybe 3 more flashes, an hour between each, so I can decipher the algorithm that generates the token for the response. I have 9... I need 12, as they are partially calculated by a timestamp. So ANYONE who can help me with an account that is active, and maybe it is close to expiring anyways, please DM me with the info to gain access.

I am working under an authenticated letterhead, permissions document sent to me by Qualcomm, which completely supercedes ANY legal action brought forth by Oneplus/Oppo/BBK. The letter expressly provides me permission to use any of the tools/functions which are originated/derived from a Qualcomm Tool in any fashion. MSM is written and designed by qualcomm. I am permitted to use whatever, in the "Research, and Penetration Testing, of any and all protocols called upon by a function of any process that begins in a device with a qualcomm chipset.!"

They make the MSM Tool... but access to the servers which are used to flash each qualcomm device is controlled by their respective manufacturers.
I have forwarded the relevant issue to the system technician registered user owner. I hope they allow it.

Just out of curiosity, are those account holders independent repair shops who work out a deal with OPPO?

Or can only authorized OPPO centers hold accounts.
I think it is done with fraudulent applications that are used without permission from OPPO, making money. But no one is helping because it saves money for the goddamn tool. I think most likely employees are secretly using their accounts.

BTW... I am STILL in need of someone to share access to an MSM Tool account that is active with me... Again... I don't care if it's a guest account... or regular. You can change your password 12 hours after you give me the login info.... I am VERY close to being able to spoof an authentication and signature response back to the phone in order to allow generic flashing of the 2213, 2215, and 2217. I just need to do about 2, maybe 3 more flashes, an hour between each, so I can decipher the algorithm that generates the token for the response. I have 9... I need 12, as they are partially calculated by a timestamp. So ANYONE who can help me with an account that is active, and maybe it is close to expiring anyways, please DM me with the info to gain access.

I am working under an authenticated letterhead permissions document sent to me by Qualcomm, which completely supersedes ANY legal action brought forth by OnePlus/Oppo/BBK. The letter expressly provides me permission to use any of the tools/functions which are originated/derived from a Qualcomm Tool in any fashion. MSM is written and designed by Qualcomm. I am permitted to use whatever, in the "Research, and Penetration Testing, of any and all protocols called upon by a function of any process that begins in a device with a Qualcomm chipset."

They make the MSM Tool... but access to the servers which are used to flash each Qualcomm device is controlled by their respective manufacturers.
ss1.jpg
The information I get is limited to this. Is there any place to apply? If so, where? In order for the account to be transmitted as it is, OTP verification, which is a separate query, is also required.
 
Last edited by a moderator:

gllark

Senior Member
Mar 1, 2015
402
203
Munich
OnePlus Nord
Xiaomi Pad 5 Pro
Hi everybody, I'm reading this thread for a few days now and would love to support the progress of @beatbreakee to get a tool which could bring us nearer to the development of custom ROMs. If he only needs a few flashes to get things done, why don't we finance him with a few donations to buy these flashes? My first 10 bucks would be in if he names us a PayPal account for it. Come on guys, this should not be so hard!
 

Daniha

Account currently disabled
Nov 25, 2022
105
41
OnePlus 9
If I arrange a remote session, is there any way to note the PW? I mean if he copy-pastes,
then which is the best way to capture this PW? After that I think I can share the PW with beatbreakee.
 
  • Like
Reactions: Prant

Metromas

Senior Member
Oct 20, 2019
77
22
26
Turkey
metromas.com
Hi everybody, I'm reading this thread for a few days now and would love to support the progress of @beatbreakee to get a tool which could bring us nearer to the development of custom ROMs. If he only needs a few flashes to get things done, why don't we finance him with a few donations to buy these flashes? My first 10 bucks would be in if he names us a PayPal account for it. Come on guys, this should not be so hard!
ME TOO.
@beatbreakee
I spent $30 on someone to get new information. Downloaded 1 driver file and xloader, then started the MSM program and ran xloader. However, he installed the 9008 driver and when he was done, he DELETED the driver. There must be something to it, especially since you wiped the drive.

INFO: installed file is: NE2210domestic_11_A.07_2022011114400122.ofp
Program: Msm DownloadTool v2.0.72 +++ XLoader-Realme +++ Qualcomm Driver

Files: https://mega.nz/folder/0k5E0IIJ#Y1mBk2vNEMt7DcLo9SO68Q

Screenshot 2023-01-02 180429.png
 

Renate

Recognized Contributor / Inactive Recognized Dev
He installed the 9008 driver and when he was done, he DELETED the driver.
Huh? I thought that the stupid virtual COM port drivers were just an obtuse way to turn perfectly usable USB bulk endpoints into a COM port for applications and people who are stuck in the 1990s.

I use EDL a whole bunch. I just connect directly to the USB interface using WinUSB. OK, everything in Windows needs a driver, and for WinUSB I use the generic Zadig driver installer. Both the Python EDL client and my own can connect just fine without a COM port.

If the problem is that you have to use a COM port because the tools you have only work with them, then it would be a good idea to snoop the USB to see what undocumented/unknown thing it is doing, so that it may be implemented on non-COM-port EDL clients.
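To make the EDL snooping Renate suggests concrete, and to put bytes to the Sahara handshake that comes up repeatedly in this thread, here is an added example (written for this page; it is not Renate's client, not the Python EDL client she mentions, and not code from MSM Tool or QFIL). It names the Sahara command in a captured packet, decodes the device's hello, builds the one hello_resp a host must send, and decodes the read_data requests that follow. The packet layouts are the public Sahara v2 format that open-source EDL clients implement; the sample packets are constructed, not taken from a real capture, and the function and field names are my own.

```python
"""Parse and build the first Sahara packets of a Qualcomm EDL (9008) session.

Added example for this thread (not Renate's EDL client, not the Python EDL
client, and nothing from MSM Tool or QFIL).  Layouts follow the public Sahara
v2 format used by open-source EDL clients; sample packets are constructed.
"""
import struct
from dataclasses import dataclass

# Sahara command IDs (public protocol; only the ones used below).
SAHARA_HELLO = 0x01          # device -> host, first packet after enumeration
SAHARA_HELLO_RESP = 0x02     # host -> device, selects the session mode
SAHARA_READ_DATA = 0x03      # device -> host, 32-bit request for loader bytes
SAHARA_END_IMAGE_TX = 0x04
SAHARA_DONE = 0x05
SAHARA_DONE_RESP = 0x06
SAHARA_RESET = 0x07
SAHARA_RESET_RESP = 0x08
SAHARA_READ_DATA64 = 0x12    # device -> host, 64-bit request (64-bit SoCs)

CMD_NAMES = {
    SAHARA_HELLO: "hello", SAHARA_HELLO_RESP: "hello_resp",
    SAHARA_READ_DATA: "read_data", SAHARA_END_IMAGE_TX: "end_image_tx",
    SAHARA_DONE: "done", SAHARA_DONE_RESP: "done_resp",
    SAHARA_RESET: "reset", SAHARA_RESET_RESP: "reset_resp",
    SAHARA_READ_DATA64: "read_data64",
}

# Session modes carried in hello / hello_resp.
MODE_IMAGE_TX_PENDING = 0
MODE_IMAGE_TX_COMPLETE = 1
MODE_MEMORY_DEBUG = 2
MODE_COMMAND = 3

# hello and hello_resp share one layout: 6 meaningful u32 fields + 6 reserved u32.
HELLO_FMT = "<12I"
HELLO_LEN = struct.calcsize(HELLO_FMT)  # 48 bytes
HEADER_FMT = "<II"                       # every packet starts with command, length


@dataclass(frozen=True)
class SaharaHello:
    version: int            # protocol version the device speaks (2 on current parts)
    version_supported: int  # oldest version it still accepts
    max_cmd_len: int        # largest command-mode packet it will take
    mode: int               # MODE_* value the device is in


def packet_name(pkt: bytes) -> str:
    """Name the Sahara command in a captured packet, e.g. from a USB trace."""
    if len(pkt) < 8:
        raise ValueError("packet shorter than the 8-byte Sahara header")
    cmd, length = struct.unpack_from(HEADER_FMT, pkt)
    if length != len(pkt):
        raise ValueError(f"length field {length} != {len(pkt)} bytes captured")
    return CMD_NAMES.get(cmd, f"unknown_0x{cmd:02x}")


def parse_hello(pkt: bytes) -> SaharaHello:
    """Decode the device's hello; reject anything that is not a well-formed hello."""
    if len(pkt) != HELLO_LEN:
        raise ValueError(f"hello must be {HELLO_LEN} bytes, got {len(pkt)}")
    cmd, length, ver, ver_ok, max_cmd, mode, *_reserved = struct.unpack(HELLO_FMT, pkt)
    if cmd != SAHARA_HELLO or length != HELLO_LEN:
        raise ValueError("not a Sahara hello packet")
    if mode not in (MODE_IMAGE_TX_PENDING, MODE_IMAGE_TX_COMPLETE,
                    MODE_MEMORY_DEBUG, MODE_COMMAND):
        raise ValueError(f"unknown Sahara mode {mode}")
    return SaharaHello(ver, ver_ok, max_cmd, mode)


def build_hello_response(hello: SaharaHello, mode: int = MODE_IMAGE_TX_PENDING) -> bytes:
    """Build the host's hello_resp, echoing the device's version fields."""
    return struct.pack(HELLO_FMT, SAHARA_HELLO_RESP, HELLO_LEN,
                       hello.version, hello.version_supported,
                       hello.max_cmd_len, mode, *([0] * 6))


def parse_read_data(pkt: bytes) -> tuple:
    """Decode a read_data / read_data64 request as (image_id, offset, size)."""
    cmd, length = struct.unpack_from(HEADER_FMT, pkt)
    if cmd == SAHARA_READ_DATA and length == len(pkt) == 20:
        return struct.unpack_from("<III", pkt, 8)
    if cmd == SAHARA_READ_DATA64 and length == len(pkt) == 32:
        return struct.unpack_from("<QQQ", pkt, 8)
    raise ValueError("not a read_data packet")


# Constructed sample packets (not from a real capture): a v2 device hello in
# image-transfer mode, and a read_data64 asking for 0x1000 bytes at offset
# 0x1000 of image id 13.
SAMPLE_HELLO = struct.pack(HELLO_FMT, SAHARA_HELLO, HELLO_LEN, 2, 1, 0x400,
                           MODE_IMAGE_TX_PENDING, *([0] * 6))
SAMPLE_READ_DATA64 = struct.pack("<IIQQQ", SAHARA_READ_DATA64, 32, 13, 0x1000, 0x1000)

if __name__ == "__main__":
    h = parse_hello(SAMPLE_HELLO)
    print(packet_name(SAMPLE_HELLO), h)
    print(build_hello_response(h).hex())
    print(packet_name(SAMPLE_READ_DATA64), parse_read_data(SAMPLE_READ_DATA64))
```

Fed the packets from a USB capture, `packet_name` labels each one, and any packet whose length field disagrees with the captured size is rejected rather than guessed at, which is exactly where a vendor-specific addition would show up as an unknown command ID.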
 

beatbreakee

Senior Member
Aug 10, 2015
287
420
Frisco
Samsung Galaxy S10
If I arrange a remote session, is there any way to note the PW? I mean if he copy-pastes,
then which is the best way to capture this PW? After that I think I can share the PW with beatbreakee.
Running a personal proxy server, and a packet capture app like Fiddler or WinPcap. You won't necessarily get the actual USERID and PW.... but instead you will get the authentication tokens. But that's only for extreme circumstances like where they paste their info. In more common cases just attach a keylogger to your OS.
 

Top Liked Posts

  • 18
    I found out how to bypass the login prompt. Whether or not the tool will actually work is yet to be determined.
    I don't have a OnePlus 10 Pro, but would be really curious if this works for anyone.
    In order to avoid potential legal issues, and so you don't have to trust any files I upload, here are the instructions to crack the MSM login...

    Using a download from the previously-linked rar, you should have a copy of 'MsmDownloadTool.exe'
    Use 7-zip to open the exe as an archive, and extract all the files into a new folder.
    Open 'FTGUIDev.exe' with a hex editor (HxD is good)
    Find the hex value '0f84e7000000b8'
    Replace the 84 with an 85

    Save the modified exe and launch it.
    Choose a server other than 'in company'
    Put whatever for userID/Password/Verify, click login.


    I hope this is useful.

    Screenshot_2022-09-02_23-07-33.png
    9
    Hello all, I am here to leak the OPPO tech tool that allows the OnePlus 10 Pro to be flashed. Sadly I cannot share a login, but if you are able to bypass the login screen, the tool does not need to authenticate with the server to flash a device in EDL mode. Attached is a screenshot of the login screen and file. The tool picks up the device in EDL mode and allows the user to select the OFP file associated with the device (please note you must have this downloaded externally, ideally from the MSM tool for your device).

    I wish you luck bypassing this login and fixing your phones.

    flash.png
    8
    So here's what the OTP guys are doing...

    Be prepared... this is a VERY long, detailed post...

    So what they are basically doing is...

    They are running their own "LastPass" kind of server from AWS... where they are daily logging in to their Amazon web server account and updating the MSM TOOL login, so that it refreshes every time one of them needs to pull an OTP. But it's up to whoever admins the account as to how long tokens last for.

    then they created (or cloned) that GA_Login tool, which is just a general purpose login tool which can be made to work with any app. It comes with modified code so that you can attach it to any program written under a certain language. (different versions of the login tool for different program languages) Then the tool officially has access to manipulate the login values of whatever app.

    I believe the tool has legit licenses with the companies, otherwise they would be violating the reverse engineering laws, and everyone who is profiting from it would be subject to an arresting offense! That would depend on the companies to press charges. But it's easy to gain permission from a company for this purpose because you aren't altering the code, only adding further security to mask passwords!

    So the OTPs being generated are just a valid login that is masked by a secure password masking system. Unfortunately it is unable to be decrypted due to mitigations involved with packet capture, and the login relies on an internet connection. Now unfortunately, through further inspection, the OFP flashing app DOES maintain a secure check of the VIP Authentication signature, and that signature is verified on the phone itself through a command called by the Linux library "libqmi"... this can be built and programmed by anyone, but the actual procedure for JUST doing a VIP Auth signature is not detailed on how to perform this.

    THIS is what the QFIL application is doing when the Sahara programmer is called.... the Sahara programmer has a heavily encrypted HASHING ALGORITHM which sends one value to your phone, and then your phone verifies and calculates a response to send back to the Sahara.... The Sahara already knows the correct answer even though it sits waiting, and if a single character is off, then Sahara shuts down the communication portal and sends us back an error. At that time, the phone is stuck in perpetual FAILED mode and needs to be reset in order to try again.

    The problem with this is that during a FULL BRICK state, meaning no communication without shorting the Test Points while the battery is disconnected, there is no way to get a valid timestamp from your device. The timestamp is part of the Sahara's calculation. This is why manually flashing through QFIL continues to fail. The PATCHED Firehose loaders simply have the TIMESTAMP requirement removed from the calculation, so that the only thing verified is the device's SoC and board information.

    The MSM ONLINE tool, does its own timestamp calculations and intercepts the communication of the Sahara, then injects the current valid timestamp in real time, which then gives the approved signature to the sahara, and authorizes your flash.

    Conclusion: Someone who has .elf file coding skills needs to completely disassemble the loader, which can be pulled from ANY OP 10 series.... or actually ANY Snapdragon 845 r 1 based phone, and compare that to several other loaders of recent related chipsets... i.e. Snapdragon 845 r 2, or possibly even Snapdragon 865... but if they are fluent enough working with ELF files, they should be able to locate the instruction code that requests a timestamp as part of the signature, and delete/disable that requirement. THEN recompile that loader and we will have the file needed for OFFLINE flashes via the patched MSM Tool or QFIL.

    The login is the ONLY requirement of the MSM Tool!
    It is the Sahara/Firehose itself that is killing our ability to continue flashing once the login is bypassed. Whether the phone is in brick state or not has no bearing on the value being submitted to the Sahara. OPPO programmed our phones to interrupt communication through the USB on a BUTTON or ADB request to enter EDL mode. This is why, when connecting via the command line or through the recovery mode shortcut, there is a slight 3-5 second delay until your phone is detected in 9008 mode.

    1. When entering by holding the VOL buttons and plugging the USB in, the phone loses communication to the TIMESTAMP function, which makes the Sahara fail offline, due to no MSM Tool server intervention. (Remember the MSM server is not maintained by OPPO, but is actually built by Qualcomm... they just provide access to OPPO for repair functions.)

    ^^This will cause QFIL to fail, because a valid VIP can't be generated without the timestamp! ... But the MSM server can interject the correct timestamp, being that it's online and always in sync^^

    2. When entering EDL via CLI, the phone is SUPPOSED to go straight into QCOMM DOWNLOAD MODE... with no interruption, but OPPO amended a "Reboot" command into the operand, forcing the USB to lose connection to the board and breaking the sync, and thus forcing the timestamp to be invalid once the connection is made again with the programmer.

    ^^This is why ColorOS is a game changer... Because they pushed their own RECOVERY and FASTBOOT protocols as overlays of the REAL Qcomm Recovery and Fastboot. Recovery and Fastboot are requirements of Qcomm/Android devices. But HOW they are laid out to us is completely up to the manufacturers. The ColorOS Recovery and Fastboot (D) that is made by OPPO alters the timestamp being generated, to force a standard 12hr format instead of 24hr ... Sahara doesn't know wtf AM or PM is... so anything from ColorOS is gibberish in the timestamp.

    THERE IS ONE CAVEAT...

    All Android devices with altered Fastboot and Recovery protocols MUST include a "Debug Boot Image". These actually communicate to the Qualcomm diagnostic function. Although atm I have no idea how to BOOT into these images, as they are not the same as the normal .img files we use for everything else. Calling on one of these images is a process completely different than a standard Android boot.img ... so again I believe this to be one of the functions of libqmi .... this library makes a connection to the device over USB but, more importantly, the SERIAL communicator console on the board. Once this communication is connected, you have full control over all partitions/filesystems inside the entire device, without regulation. You could technically tell your smartphone it is now a smart TOASTER (but this would certainly crash immediately without the proper functions being built into the chipset).

    So now I task ANYONE who might have decent Linux knowledge to research QMI and how it communicates, to find the proper commands/access to call upon the Debug.img, which you can pull out of any downloaded fw.

    I will still be working on alternate methods, but as of now QMI seems to be our only answer.

    And final statement. OTP cannot be spoofed in any method to gain authorized MSM access, any more than you would be able to spoof authentication into a "LastPass" account to gain control over someone's password collection. They both maintain about the same level of encryption.

    I hope that's detailed enough to get to everyone's thoughts, as I probably won't be able to answer anything much deeper for the time being. I have personally put myself into a financial situation by the amount of time I have devoted to this, and now need to create a miracle or 2 in order to recover from the domino effect that I hadn't realized I triggered until today. Sorry I couldn't do a hell of a lot more... if I had the financial resources to not worry about bills for a month or two I could totally crack this thing wide open, and probably put a devastating hurt on OPPO in the process... but Electricity, Rent, Car, Insurance, Food, and general living all factor in to the amount of time I can spend on this. (Which sucks because bounties are upwards of 50K or more for the discovery of holes in the functions I was working on, and according to Qcomm I was very close to a pretty high critical CVE being declared!) 😖
    8
    I looked around for any Firehose loaders that had this getsigndata/verify.
    Only OnePlus and Oppo.
    The solution seems clear: don't buy them.

    OTOH, Lenovo/Motorola has signed loaders with restrictions.
    You can't read most partitions.
    The solution seems clear: don't buy them.