
S10/S10+ Combination unlock (OEM Token Research)


kalexander7

Member
Mar 21, 2017
I figured after reading a few things on the new S10 (non-flashable) combinations we could open up a thread and see if we can crack this problem. To start with, and although I've only started my research on this, I have an unpacked S10+ (TMB) firmware, lz4 decompressing and unpacking as much as I can. The kernel will be unpacked the normal way, and all the ARM code will need to be reversed or at least analyzed. I figured I'd start with the strings "factory approval", "token", etc.
The token unlocking I've read about is supposedly done by very few people, who request payment, but we can figure this out ourselves. They probably just have Samsung hookups. You can get the token message in download mode by flashing an empty steady.bin,
or try in a Linux terminal:
$ truncate -s 1024 steady.bin && tar -H ustar -c steady.bin > test_token_failed.tar
or
$ dd if=/dev/urandom of=steady.bin bs=1 count=1024
(I tried both with random and zero bytes and got the same failure codes; maybe another user will have better luck?)

We may have to unpack all the APKs from the system image and disassemble them in search of strings, and with strings we'll find functions. I'm really thinking it's going to be a code that you can write to steady.bin, then flash and unlock. Steady.bin is 1024 bits in size on all the firmwares I've seen. Steady.bin is also widely associated with reactivation locks (even on the Samsung watches).
Let's reverse these things and get back our repair firmware. I myself don't care about FRP, but for tool development I need combination firmware working!! This is sad, Samsung! :(
 

sergioheadache1

New member
Mar 7, 2020

Any luck so far?
Sent PM.
 

elliwigy

Forum Moderator / Recognized Dev / Dev Relations
Staff member
XDA App Taskforce
It's actually quite easy to bypass and flash combo. Of course it requires certain files, as well as there being a few tricks to it. The files needed are also not free and hard to find, but if you have them then you don't need to purchase factory tokens, which can only be used a set number of times, forcing you to purchase again if you need to...

From my research you cannot make a token, aka steady.bin. It's tied to the device id, aka DID. The people that sell them get your device info, then they have access to servers; most likely these are businesses that pay for a license with Samsung, who provides them with access and a signing cert so they can sign the token. Basically it takes your device info, then sends it to a server that then uses whatever security and algorithms to create the token, then signs it and sends it back..

steady.bin is then flashed in Odin and then allows the factory binary to be flashed.

I've tried to create them with my device info, replicating an actual token, but it didn't work of course.

ENG tokens are rare and a lot more money (probably in the thousands) but are done the same way.

I have sold my S10+.

If anyone is interested send me a PM and maybe we can work something out.

I should be able to complete a combo flash remotely, for example. I do not feel comfortable releasing them to anyone, nor the exact method, since I don't want it to get patched.

I can also do some Exynos models too, but this is untested as I don't own Exynos devices.

Shoot me a PM or hit me up on Telegram.. should be the same as my username on here...
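As an added illustration (not code from this thread, and not Samsung's actual format), the model elliwigy describes, a token bound to a device id and signed by an issuer's key, can be sketched in Go with the standard library's Ed25519: the issuer needs the private key, the device needs only the public key, and the empty or random steady.bin attempts from the opening post, or a genuine token moved to another DID, all fail the check. The layout, function names and DID strings are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical layout (constructed for illustration, NOT Samsung's real format):
// [0:32] device id (DID), zero-padded | [32:96] Ed25519 signature over bytes [0:32].
const (
	didLen   = 32
	tokenLen = didLen + ed25519.SignatureSize
)

var ErrBadToken = errors.New("token rejected")

// IssueToken models the licensed issuer: only it holds the private key.
func IssueToken(priv ed25519.PrivateKey, did string) ([]byte, error) {
	if len(did) == 0 || len(did) > didLen {
		return nil, errors.New("bad did")
	}
	body := make([]byte, didLen)
	copy(body, did)
	return append(body, ed25519.Sign(priv, body)...), nil
}

// VerifyToken models the device-side check with only the public key: an empty or
// random file, any edited byte, or a token bound to another DID is rejected.
func VerifyToken(pub ed25519.PublicKey, token []byte, deviceDID string) error {
	if len(token) != tokenLen {
		return ErrBadToken
	}
	body, sig := token[:didLen], token[didLen:]
	if !ed25519.Verify(pub, body, sig) || string(bytes.TrimRight(body, "\x00")) != deviceDID {
		return ErrBadToken
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok, _ := IssueToken(priv, "CONSTRUCTED-DID-0001") // constructed device id
	genuine := VerifyToken(pub, tok, "CONSTRUCTED-DID-0001")
	empty := VerifyToken(pub, make([]byte, 1024), "CONSTRUCTED-DID-0001") // truncate/dd attempt
	other := VerifyToken(pub, tok, "CONSTRUCTED-DID-0002")
	fmt.Println("genuine:", genuine, "| empty file:", empty, "| other device:", other)
}
```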
 

kalexander7

Member
Mar 21, 2017
Sure, let's schedule a time for this.
 


harissiddiq

Member
Dec 16, 2015
I haven't tried it, but if you can wipe the steady partition with root using the dd command, or flash the combination bootloader directly with dd, or purchase one token for the desired set, flash it, and then take a whole backup with TWRP and flash it with TWRP. This is my thinking; I don't know if this can work, but it's possible that it could.
 

elliwigy

Forum Moderator / Recognized Dev / Dev Relations
Staff member
XDA App Taskforce
Huh, lmao. If you could do any of that then you don't need any token to begin with.
 

Top Liked Posts

I bought this solution from a website; can anyone try it with g975x?
https://mega.nz/file/LNoBSQbT

key VjLG-O2fcKbQ1P2wAsreSLvWWoyWHTkVPxUagcQQsp8

You bought it, you can try it.. also g975x is an LDU model.