Root for J7 Crown (S767VL)? Straight Talk/Tracfone/Total Wireless phone.

[Deleted member 10802473]

Obviously, it will require quite a good camera, otherwise, when you zoom in, you will lose resolution/clarity.

You would be surprised what this trick can reveal when viewing old physical photos, depending on the quality of the photo and the materials used to capture/develop/print.

Yes of course.

Edit: Well, I actually found out that my magnifying glass comes tomorrow so i'll just wait

 

[Deleted member 10802473]

I give up

I tried and I don't think it's possible
The glue wouldn't stick because it's such a small amount and the glue wouldn't stay apart from the other pins. The only way would be to use a nano probe station which I don't want to buy.

I just don't think it's worth it to buy $300+ dollars worth of equipment to root a $50 phone...

I sold my 2 J7 crown's and the JTAG box, I am thinking about getting a Pixel 3 or another device that I can actually unlock the bootloader and root.

I wish you guys luck on getting this thing rooted!

 

[Droidriven]

I give up

I tried and I don't think it's possible
The glue wouldn't stick because it's such a small amount and the glue wouldn't stay apart from the other pins. The only way would be to use a nano probe station which I don't want to buy. [emoji14]

I just don't think it's worth it to buy $300+ dollars worth of equipment to root a $50 phone...

I sold my 2 J7 crown's and the JTAG box, I am thinking about getting a Pixel 3 or another device that I can actually unlock the bootloader and root.

I wish you guys luck on getting this thing rooted!

Well, it may have been worth a try, win some, lose some.

If a root method is ever created for this device, by the time that happens, it will be time to upgrade to a new device anyway....

Sent from my SM-S767VL using Tapatalk

 

[ZafotheNinja]

I give up

I tried and I don't think it's possible
The glue wouldn't stick because it's such a small amount and the glue wouldn't stay apart from the other pins. The only way would be to use a nano probe station which I don't want to buy.

I just don't think it's worth it to buy $300+ dollars worth of equipment to root a $50 phone...

I sold my 2 J7 crown's and the JTAG box, I am thinking about getting a Pixel 3 or another device that I can actually unlock the bootloader and root.

I wish you guys luck on getting this thing rooted!

Shucks, I was happy to have a partner in hardware

There is the possibility that easier probe points could be found, that is my current project. Alas, it looks like any hardware root would be just to satisfy my own curiosity at this point.

---------- Post added at 02:01 PM ---------- Previous post was at 01:50 PM ----------

Well, it may have been worth a try, win some, lose some.

If a root method is ever created for this device, by the time that happens, it will be time to upgrade to a new device anyway....

Sent from my SM-S767VL using Tapatalk

By chance is the password known for the engineering apps to reboot the phone?

 

[Droidriven]

Shucks, I was happy to have a partner in hardware



There is the possibility that easier probe points could be found, that is my current project. Alas, it looks like any hardware root would be just to satisfy my own curiosity at this point.

---------- Post added at 02:01 PM ---------- Previous post was at 01:50 PM ----------





By chance is the password known for the engineering apps to reboot the phone?

Password? I don't know exactly what you are referring to.

Sent from my SM-S767VL using Tapatalk

 

[Deleted member 10802473]

Password? I don't know exactly what you are referring to.

Sent from my SM-S767VL using Tapatalk

The one on the engineering firmware, for the apps.

---------- Post added at 11:08 PM ---------- Previous post was at 11:04 PM ----------

Shucks, I was happy to have a partner in hardware

There is the possibility that easier probe points could be found, that is my current project. Alas, it looks like any hardware root would be just to satisfy my own curiosity at this point.

---------- Post added at 02:01 PM ---------- Previous post was at 01:50 PM ----------



By chance is the password known for the engineering apps to reboot the phone?

Yeah, I couldn't do it, but I hope you can.

I think it will be better for me just to get a different device...

Also, I don't know how you would find out those passwords, maybe it could be stored inside the engineering firmware?

 

[ZafotheNinja]

Password? I don't know exactly what you are referring to.

Sent from my SM-S767VL using Tapatalk

Most of the apps are opening, but when I hit anything that can reboot the phone into whatever mode, it hits me with a password prompt.

I have yet to try the combo you found for download mode, but I did get into it with adb. Alas, it just says "Downloading" nothing about bl status.

 

[Deleted member 10802473]

Most of the apps are opening, but when I hit anything that can reboot the phone into whatever mode, it hits me with a password prompt.

I have yet to try the combo you found for download mode, but I did get into it with adb. Alas, it just says "Downloading" nothing about bl status.

I think that is because when you use adb to boot into Download mode it won't show any text in the corner.

 

[Droidriven]

Most of the apps are opening, but when I hit anything that can reboot the phone into whatever mode, it hits me with a password prompt.

I have yet to try the combo you found for download mode, but I did get into it with adb. Alas, it just says "Downloading" nothing about bl status.

No, I do not know the password, if I did, I would have posted it already.

I think that is because when you use adb to boot into Download mode it won't show any text in the corner.

Yes, that is the download mode that you get when you use reboot bootloader.

Sent from my SM-S767VL using Tapatalk

 

[ZafotheNinja]

No, I do not know the password, if I did, I would have posted it already. Yes, that is the download mode that you get when you use reboot bootloader.

Sent from my SM-S767VL using Tapatalk

Oops, there I go asking answered questions again. I just found your method on page 14, same post you mentioned not having the password. :silly:

 

[Ma77man]

A friend I gave me a J7 Crown model number S767VL That was FRP locked. So I checked IMEI to make sure it wasnt stolen and it came back clean but the information that also came back was telling me it is a J7 Top, not J7 Crown. So after about a month of searching i found a combination file that i successfully flashed and bypassed the FRP. Then in my attempt to unlock verizon bootloader, I made a combination file from the combination file i used to bypass the FRP, and the phones firmware. I flashed the sad excuse of a "combination file" that i made, and in odin i received a "Pass". With my false accomplishment feeling, i powered on the phone. I Learned about "Kernel Panic Upload Mode". Everything i know about android I've learned by researching online and my own trial and error, but with this I need some help. How can i undo my mistake and make this phone usable again? It wont boot into the system and will not boot into download mode. I can boot into recovery, but when i try to get into download mode I'm greated with Kernel panic Upload mode everytime.

Thank you for any assistance

 

[Droidriven]

A friend I gave me a J7 Crown model number S767VL That was FRP locked. So I checked IMEI to make sure it wasnt stolen and it came back clean but the information that also came back was telling me it is a J7 Top, not J7 Crown. So after about a month of searching i found a combination file that i successfully flashed and bypassed the FRP. Then in my attempt to unlock verizon bootloader, I made a combination file from the combination file i used to bypass the FRP, and the phones firmware. I flashed the sad excuse of a "combination file" that i made, and in odin i received a "Pass". With my false accomplishment feeling, i powered on the phone. I Learned about "Kernel Panic Upload Mode". Everything i know about android I've learned by researching online and my own trial and error, but with this I need some help. How can i undo my mistake and make this phone usable again? It wont boot into the system and will not boot into download mode. I can boot into recovery, but when i try to get into download mode I'm greated with Kernel panic Upload mode everytime.



Thank you for any assistance

Yes, the 767vl is a rebranded version of the Verizon device, you should have used the 767vl combination firmware but you might be fine.

If you read a few pages back in this thread, you'll see a conversation between myself and @timba123 about our various attempts at rooting this device, in this conversation, we encountered the same issue that you are having. In that conversation, you will see where we discuss the specific method we used to boot into download mode(not the normal method to boot into download mode) to solve this issue. The method involves critical timing and pressing the buttons in the correct sequence. If you time it correctly, it will boot into download mode.

Sent from my SM-S767VL using Tapatalk

 

[stevenpoland2002]

Could this work

Signing boot images for Android Verified Boot (AVB) [v8]

Various Android devices support Android Verified Boot (AVB). A part of this is more commonly known as dm-verity, which verifies system (and vendor) partition integrity. AVB can however also verify boot images, and stock firmwares generally...

forum.xda-developers.com

 

[ZafotheNinja]

I know what you're talking about, you can get to download mode from there, I had to figure out myself. I'm not sure exactly which part of this is what made it work, but, what I did was:


1) With the device powered off, connect the device to PC with Odin open on the desktop, let the charging animation do its thing until it reappears showing how much charge it has.

2) boot into the unknown power reset screen, with the device still connected to PC(with Odin open), then press and hold volume down+power for 7 seconds as it describes on the power reset screen

3) when the 7 seconds pass and it triggers the reboot(timing is critical on this next step) as soon as the screen goes black, immediately release the power button and immediately press and hold the home button but continue to hold volume down without letting go. You will press and hold the volume down button the whole time in the process, you just need to switch your fingers immediately from releasing power button to immediately pressing and holding the home button at the very moment the screen blacks out to reboot, while connected to PC.

Did that make sense? If you get it, you will boot into download mode as soon as you press the home button after releasing the power button.

Then you can flash the stock firmware.
Sent from my SM-S767VL using Tapatalk

Looking into the software side of this again, I read through several pages back and didn't get a clear answer. Did it matter if there was no line showing RMM/KG state in download mode? I tried on my daily driver as well as on an eng fw test device, neither showing anything about rmm/kg, where it would be is "SYSTEM STATUS: Official". On a 3rd device I see KG state as Prenormal on stock fw.

Reading around for other samsung devices, not showing a line in some cases means that it was disabled. If that is the case, what twrp would be the best to test it out?

Also, I played around with a variable resistor for a few hours but couldn't get the download mode to trigger on the eng fw (didn't try on stock), just ordered a cheap decade box, we'll see if that does anything.

Also also, sys.oem_unlock_allowed is by default 1 on my eng fw? even after reboot sys.oem_unlock_allowed = 1

Also, also, also? What about Wrongzone? I couldn't find it compiled anywhere but I found this which seems to be a poc https://github.com/QuestEscape/exploit/tree/master/CVE-2018-9568_WrongZone

This should work on oreo, the release slides also mentioned it working on pie but I'm not sure this code would. Theoretically all we need to do is compile it?

---Previous Trursday 7:56 PM -- Next Tuesday Jan 19 10:27AM---

So I ran across an app called "Shortcut Master Lite" that automatically finds dialer codes otherwise known as hidden or USSD codes. Got bored and decided to try them all and see what worked on our 767vl. So here is a list of all that I've found so far while testing the "*#code#", "*#code", "#code#" and "##code#" formats. Still to test are the "*#code*#", "*#*#code*#*#" and "*#*#code#*#*" formats as well as any others I can find. This is by no means an exhaustive list, but it has several interesting menus and possibly some codes that other lists dont. Again, these are all personally tested and at least do somthing when entered.

Spoiler: Codes

com.sec.android.RilServiceModeApp: *#2222# (service mode)
com.sec.android.app.hwmoduletest: *#0*# (test menu)
com.sec.android.RilServiceModeApp: *#0011# (service mode)
com.sec.android.app.factorykeystring: *#0228# (BatteryStatus)
com.sec.android.app.factorykeystring: *#0283# (loopback test)
com.sec.android.app.servicemodeapp: *#06# (imei)
com.sec.usbsettings: *#0808# (usb settings)
com.sec.android.app.factorykeystring: *#1106# (Grip Sensor)
com.sec.android.RilServiceModeApp: *#1111# (service mode)
com.sec.android.app.factorykeystring: *#1234# (version)
com.sec.android.app.factorykeystring: *#159874# (color balance test*)
com.sec.android.app.factorykeystring: *#22228378# (cabc test)
com.sec.android.app.servicemodeapp: *#22558463# (resettotalcalltime)
com.sec.factory.camera: *#34971539# (CameraFirmware Standard)
com.sec.android.app.factorykeystring: *#35789# (Green?)
com.sec.android.app.factorykeystring: *#4562580# (unknown)
com.sec.android.RilServiceModeApp: *#622# (unknown)
com.samsung.android.app.omcagent: *#6628378# (omc imformation)
com.samsung.android.app.omcagent: *#66283782# (omc test)
com.sec.android.app.servicemodeapp: *#66336# (CP Debug Level)
com.android.server.telecom: *#7277# (Reciever call mode)
com.android.server.telecom: *#727728# (reciever call mode)
com.sec.android.app.factorykeystring: *#7676# (SampleManagment SN)
com.samsung.advp.imssettings: *#77467# (IMS Settings)
com.sec.android.app.factorykeystring: *#87976633# (unknown)
com.sec.android.app.samsungapps: *#88277*633# (GalaxyApps TestMode off)
com.sec.android.app.samsungapps: *#88277*66# (GalaxyApps TestMode on)
com.sec.android.RilServiceModeApp: *#9090# (ServiceMode)
com.sec.android.app.servicemodeapp: *#9900# (SysDump)
com.sec.hiddenmenu: ##DATA# (Data)
com.sec.android.app.tfunlock: #83865625# (TF UNLOCK MENU)
unknown: *#7353#

*this code only worked the first time I entered it.

What lead me on this path is trying do access the IOTHiddenMenu which according to SML has a KERNELUNLOCK activity, which could be very interesting as well as a SerialMode, SerialPort and TerminalMode. Accessing the full menu would definitely open up a lot of settings to the user, possibly including a way to root.

--- Previous Tuesday Jan 19 10:27AM - Next Friday, Jan 22 ---

Well, I found download mode with the Decade box. Oddly enough it was 304k for me, not 301k. Also, just a resistor doesnt do it, you need to supply power as well. No message of any values being reset or cleared. Shuts down immediately when power is removed. Also kinda finicky, but that could just be my setup.

Edit: Gosh it must be my setup, now it is triggering on 301k and 300k, 304k still seems to be the most reliable tho.

 

[ZafotheNinja]

So I got a j7 with a binary of 1, theoretically this will allow me to use any exploit made after June 2018.

With this one that makes;

1x binary 1
2x binary 2 (and one motherboard that I may be able to get working again.)
1x binary 4
1x binary 5

If I update one of the binary 2's, I will be able to test software exploits on any firmware released for this phone. (I think? It may go up to bin 7)

If I can figure out direct flashing to EMMC, I may be able to downgrade binary versions.

I got the probe station and built a sd card breakout board for reading the emmc.

There is still the possibility that the soc would mess with flashing on the board, but hopefully I can find which trace/s to cut to make that possible.

 

[eduardvi995]

like J737u may be cross compatible with our J7 crown. Maybe patched Odin can do it. Any thoughts? 3ASD2 is the J737u. Ours is 3ASC2. I'm thinki

So I got a j7 with a binary of 1, theoretically this will allow me to use any exploit made after June 2018.

With this one that makes;

1x binary 1
2x binary 2 (and one motherboard that I may be able to get working again.)
1x binary 4
1x binary 5

If I update one of the binary 2's, I will be able to test software exploits on any firmware released for this phone. (I think? It may go up to bin 7)

If I can figure out direct flashing to EMMC, I may be able to downgrade binary versions.

I got the probe station and built a sd card breakout board for reading the emmc.

There is still the possibility that the soc would mess with flashing on the board, but hopefully I can find which trace/s to cut to make that possible.

I read all these pages trying to understand the proccess you guys are going through.

Seems like the only available software-based choice (No JTAG) to root this device is actually get in touch with samsung,trackphone or verizon support and ask for any method available. Some devices got bootloader-unlocked doing this. I've been using this device for a while and it's quite similar to the J7 star ( Tj737), so i thought it's worth to be given another try.

Sadly, i cant afford to get JTAG or buying a specific eng boot file for this phone as someone above said, so i have to rely on trying to port old rooting tools as an additional method.

Those of you who are still interested of getting some development on this device please report.

 

[ZafotheNinja]

I read all these pages trying to understand the proccess you guys are going through.

Seems like the only available software-based choice (No JTAG) to root this device is actually get in touch with samsung,trackphone or verizon support and ask for any method available. Some devices got bootloader-unlocked doing this. I've been using this device for a while and it's quite similar to the J7 star ( Tj737), so i thought it's worth to be given another try.

Sadly, i cant afford to get JTAG or buying a specific eng boot file for this phone as someone above said, so i have to rely on trying to port old rooting tools as an additional method.

Those of you who are still interested of getting some development on this device please report.

I have a probe station and a hacked up sd card reader to dump the emmc but work picked up and I haven't had time to mess with it unfortunately. Once I get a bit of time and get a workspace set up then I'll try at it again. Once I get that set up, it should allow me to directly place magisk or su where it needs to go, still kinda fuzzy on that whole process.

 

[Nootboot64]

I read all these pages trying to understand the proccess you guys are going through.

Seems like the only available software-based choice (No JTAG) to root this device is actually get in touch with samsung,trackphone or verizon support and ask for any method available. Some devices got bootloader-unlocked doing this. I've been using this device for a while and it's quite similar to the J7 star ( Tj737), so i thought it's worth to be given another try.

Sadly, i cant afford to get JTAG or buying a specific eng boot file for this phone as someone above said, so i have to rely on trying to port old rooting tools as an additional method.

Those of you who are still interested of getting some development on this device please report.

I'm absolutely interested in development, pardon my french but I'm really pissed off about the one official OTA update I got, I'm just hoping there's going to be a bootloader unlock method in my lifetime so I can flash a GSI. Thank you for whatever help you're working on.

 

[lehmancurtis]

A friend I gave me a J7 Crown model number S767VL That was FRP locked. So I checked IMEI to make sure it wasnt stolen and it came back clean but the information that also came back was telling me it is a J7 Top, not J7 Crown. So after about a month of searching i found a combination file that i successfully flashed and bypassed the FRP. Then in my attempt to unlock verizon bootloader, I made a combination file from the combination file i used to bypass the FRP, and the phones firmware. I flashed the sad excuse of a "combination file" that i made, and in odin i received a "Pass". With my false accomplishment feeling, i powered on the phone. I Learned about "Kernel Panic Upload Mode". Everything i know about android I've learned by researching online and my own trial and error, but with this I need some help. How can i undo my mistake and make this phone usable again? It wont boot into the system and will not boot into download mode. I can boot into recovery, but when i try to get into download mode I'm greated with Kernel panic Upload mode everytime.

Thank you for any assistance

Hey I got one stuck on frp. Mine has android 9. Any idea where I could find a combo file?

 

[PimpinAintEasy]

I have a SM-J737R4 on Android 9 that took me over a year to root the device without bootlooping, freezing on boot, or countless other modifying side effects.
Screenshots below

Note:
I also found it odd that the SM-J737R4 returns as Samsung Galaxy J7 Top SM-J737R4
Even www.samfw.com shows as J7 Top
Mine is a J7 Aura with the same model # SM-J737R4. I can't recall ever seeing two model numbers exactly the same, yet from different carriers.