[SUCCESS] Interop-Unlocking LUMIA - with JTAG


pete_es

Great, it's good to see people trying this :)

Are you dumping the whole MainOS partition?
How are you mounting the *.bin file?
I used a freeware called OSFMount, works great.

Yes, the whole flash from the phone. Then I use OSFMount to mount the partitions as drives with associated drive letters.

Since there are rumors about direct unlocking (SIM lock) of Lumia WP8 via USB, there might be a security hole we don't know about at this time.

I have several 520 to test. So I can play with WP8, WP 8.1 etc.
 
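The exchange above is about dumping the whole flash and then mounting one partition of the raw image. To mount a single partition from a whole-disk image you need its byte offset and size, which OSFMount (or any other image mounter) takes from the disk's partition table. The script below is an added example, not code from the thread or from any of the tools named in it: it parses the GPT at the start of a raw eMMC dump and prints the offset of the partition to mount. It assumes the dump is a byte-for-byte image beginning at LBA 0 with 512-byte sectors and a standard GPT, and that the OS partition is named "MainOS"; the dump path is a placeholder.

```powershell
# Added example (not from the thread): locate a named partition (default "MainOS")
# in a raw whole-eMMC dump by parsing its GPT, so it can be mounted by byte offset.
# Assumptions: the dump starts at LBA 0, sectors are 512 bytes, the eMMC carries a
# standard GPT, and the partition of interest is named "MainOS". $DumpPath is a
# placeholder. Needs PowerShell 5+ for [Guid]::new().
param(
    [string]$DumpPath      = 'C:\dumps\lumia520_full.bin',   # hypothetical path
    [string]$PartitionName = 'MainOS'
)

function Get-GptPartitions {
    param([string]$Path, [int]$SectorSize = 512)

    # Open read-only and seek; the dump is several GB, never read it whole.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'Read')
    try {
        # The primary GPT header lives at LBA 1.
        $hdr = New-Object byte[] $SectorSize
        $fs.Seek($SectorSize, 'Begin') | Out-Null
        if ($fs.Read($hdr, 0, $SectorSize) -ne $SectorSize) { throw 'Short read on GPT header' }

        $sig = [System.Text.Encoding]::ASCII.GetString($hdr, 0, 8)
        if ($sig -ne 'EFI PART') { throw "No GPT signature at LBA 1 (got '$sig'); is this a raw dump from LBA 0?" }

        # Header fields (UEFI spec offsets): entry array LBA, entry count, entry size.
        $entriesLba = [BitConverter]::ToUInt64($hdr, 72)
        $numEntries = [BitConverter]::ToUInt32($hdr, 80)
        $entrySize  = [BitConverter]::ToUInt32($hdr, 84)

        # Read the whole partition entry array in one go.
        $tableLen   = [int]($numEntries * $entrySize)
        $tableBytes = New-Object byte[] $tableLen
        $fs.Seek([int64]$entriesLba * $SectorSize, 'Begin') | Out-Null
        if ($fs.Read($tableBytes, 0, $tableLen) -ne $tableLen) { throw 'Short read on GPT entry array' }

        for ($i = 0; $i -lt $numEntries; $i++) {
            $off      = [int]($i * $entrySize)
            $typeGuid = [Guid]::new([byte[]]$tableBytes[$off..($off + 15)])
            if ($typeGuid -eq [Guid]::Empty) { continue }   # unused slot
            $firstLba = [BitConverter]::ToUInt64($tableBytes, $off + 32)
            $lastLba  = [BitConverter]::ToUInt64($tableBytes, $off + 40)
            # Name is 72 bytes of UTF-16LE, NUL padded.
            $name = [System.Text.Encoding]::Unicode.GetString($tableBytes, $off + 56, 72).TrimEnd([char]0)
            [pscustomobject]@{
                Index       = $i
                Name        = $name
                TypeGuid    = $typeGuid
                OffsetBytes = [int64]$firstLba * $SectorSize
                SizeBytes   = ([int64]$lastLba - [int64]$firstLba + 1) * $SectorSize
            }
        }
    }
    finally {
        $fs.Dispose()
    }
}

$parts = Get-GptPartitions -Path $DumpPath
$parts | Format-Table Index, Name, OffsetBytes, SizeBytes -AutoSize

$target = $parts | Where-Object Name -eq $PartitionName
if (-not $target) { throw "No partition named '$PartitionName' in this dump" }
"Mount $PartitionName at byte offset $($target.OffsetBytes), size $($target.SizeBytes) bytes"
```

The offset printed at the end is what an image mounter needs to expose that one partition as a drive letter. If the signature check fails, the image most likely does not start at LBA 0 (a partition-only dump, or a dump with a tool header in front), and the offsets in the table would be meaningless anyway.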

chinitopex

Hi guys,
I have a doubt about this, because my phone is a Lumia 520 model.
So... can I unlock it to use any SIM card / network?
How much?
 

EnZl

Can interop unlock help with notification delay? E.g. Facebook or WhatsApp message notifications.

 

_wook_

Lumia 1020, WP 8.1 (registry kept after update)
 

Attachment: Untitled.jpg

megasounds

No.

Sure, you could repack it, or even just modify an update package directly, but the phone would reject it because the signature is broken...



OK, is this an idea??
Try to flash the Nokia phone with the original package... but just seconds before flashing, replace it with the "repacked" version.
Will this work??


tfBullet


No, the phone checks the signature before anything is written to the storage.

By using JTAG we write more or less directly to the flash storage, therefore the phone has no chance to check anything.
This isn't anything like a normal software update you do with Nokia Care Suite...
Please do a Google search for JTAG, and take a look at the last post of the achievements topic.
It might give you an idea...

I'm having exams right now, but I'm working out a cheap and easy way atm...
 

ceesheim

Correction: the phone still checks the signature of everything. Just remove the sig of a file (.exe or spl or EFI) and you will see it will be a non-boot for you.
The only things you could edit are .reg files and some .xml files.
 

tfBullet

Exactly, I referred to the update/install verification checks;
the boot-time checks aren't touched/affected at all.
Sorry for the confusion :)
 

-W_O_L_F-

All exe, dll, kernel and bootloader files are signed, and the signature is verified before every start-up of those files. You can't change them if SecureBoot is enabled, otherwise the OS won't boot.
 

fonix232

Just an idea, and please don't scoff at me if it was already thought of, but...
Why not just modify the signature key storage? I mean, wouldn't it be easier to patch that area, have a generic key inserted, grant it OEM level, and play further with that?

By my understanding, there are multiple levels of key storage, detailed HERE. Say we patch the PK to a custom, public one (I do understand the threat of this, having a public key, BUT it could be worked around if a tool was used which would generate a PK replacement before flashing, so that it would be a one-time-use key only). Then any application signed with that key, any modified firmware, anything, can be easily installed, in theory. I do understand that it's a bit further thinking than working with registry hives, but after all, this would be the ultimate goal: unlocking our phones so they can load any app, firmware, etc. we want on them.
 

hillbeast

It's all a chain of trust that goes all the way back to the first bootloader. The chain of trust is started by the internal ROM built into the SoC, and secure boot is fused, making it impossible to disable. So the only way to get out of the chain of trust is to find an exploit somewhere in the chain that would allow higher-level access to the hardware, say a bootloader exploit, and considering software is designed quite well these days, you'll be lucky to find an exploit any time soon.

You'd have more luck trying to sign your own code with the private key, which could take thousands and thousands of years to brute force.
 

fonix232

You are right, but there must be a way to change certificates. Just to mention, the Nokia-Microsoft ownership change should have triggered a certificate replacement (as sending the original keys over any kind of medium would've been quite stupid). And I'm pretty sure Microsoft has a backup plan in case the certificates are leaked, because then they'd need to replace them on ALL phones, some way. And they can't just discard all the current stock, sold and unsold, and reprogram all SoCs in all phones.

I know it's a quite unlikely scenario, but Microsoft isn't the company that does not have plans B through Z for almost any occasion.
 

Top Liked Posts

    Hi there :)

    Well, as we really need Interop Unlock for our Lumia phones, I decided to check this out myself.
    As I have already had an ATF Box for a long time, I decided to buy the JTAG activation and a Dolphin clip + Lumia jigs, so that I don't have to solder my phone.
    Also I have ordered a Lumia 520 testing phone on eBay.

    So, as the ATF Team made an awesome JTAG software update, I'm trying to interop unlock that Lumia 520 the hardware way, as just software seems to be too tough...

    Well, what I did so far:
    1. Freshly flashed Lumia 520 RM-914 with the latest stock ROM
    2. Did the setup/beginning after turning it on for the 1st time
    3. Developer unlocked it with the SDK on the PC
    4. Made a full dump with JTAG from the dev-unlocked phone
    5. Mounted the MainOS partition of the dump with the program "OSFMount" (--> appears as local hard disk, example drive E:)
    6. Loaded the SOFTWARE hive with regedit on the PC from "E:\Windows\System32\config"
    7. Edited the following values:
    PortalUrlInt = http://127.0.0.1
    PortalUrlProd = http://127.0.0.1
    MaxUnsignedApp = 10003
    8. Unloaded the SOFTWARE hive
    9. Unmounted the dump image
    10. Wrote the image back via JTAG

    I thought it might be a good idea to dev-unlock the phone before messing with the registry, to make sure "DeveloperUnlockState = 1" gets written the "legal" way, as the key is not available in the registry before.
    Maybe it's better to just modify an existing key than to add a new one...


    Well, long story short: the result is not totally satisfying. :(

    After writing the modified image back to the eMMC, the phone is booting up, but I can NOT deploy homebrew apps that require interop unlock, like @GoodDayToDie's "EnableAllSideloading.xap" for example.
    But I can deploy "normal" apps like @cpuguys "Toastlauncher" and @GoodDayToDie's "Webserver".

    The weird thing: if I check the reg values via WebServer on the phone, I can see my edited values.
    So the changes ARE written to the phone. The phone just doesn't use them...

    So, the good thing: the phone is booting with the modified ROM :good:
    But, the bad thing: the changes are not working. :confused:


    EDIT:

    SUCCESS!!!
    After adding the capability shown in the screenshot (ID_CAP_DEVELOPERUNLOCK_API.jpg)

    I could successfully sideload "EnableAllSideloading.xap".

    After executing EnableAllSideloading I could sideload the latest WPHTweaks build.

    Now I have the 3rd tile row enabled! :)
    (screenshot: Lumia_520_3rd_tile_row.jpg)


    awesome!


    Also, member @myst02 is working on interop-unlocking the Lumia phones, so we decided to make this a joint project.
    See his achievements here: http://forum.xda-developers.com/showthread.php?t=2713098&page=10
    :good:
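Steps 6 to 8 of the post above (load the SOFTWARE hive from the mounted MainOS image into regedit on the PC, change the three values, unload the hive) can be done from the PC without clicking through regedit. The script below is an added example, not code from the post or from any tool it names: it loads the offline hive under a temporary key, records the values before and after the change, and unloads the hive again. It assumes the MainOS partition is mounted read/write as E: (as in the post), that the three values live under the subkey Microsoft\DeviceReg\Install of the SOFTWARE hive (an assumed path; check it against your own dump), and that the shell is elevated, which reg.exe needs for load/unload. Note the post's own result: these three values alone booted but did not unlock anything, and the later EDIT adds a capability on top; that step is not covered here.

```powershell
# Added example (not from the thread): apply the three registry edits from the
# post to the SOFTWARE hive of a mounted MainOS image, offline, from a PC.
# Assumptions: MainOS is mounted read/write as E:, the values live under
# Microsoft\DeviceReg\Install inside the hive (assumed subkey), and this runs in
# an elevated PowerShell (reg.exe load/unload needs it).
param(
    [string]$MainOsDrive = 'E:',
    [string]$MountName   = 'LumiaSW',                        # temporary name for the loaded hive
    [string]$InstallKey  = 'Microsoft\DeviceReg\Install'     # assumed subkey holding the values
)

$hivePath = Join-Path $MainOsDrive 'Windows\System32\config\SOFTWARE'
if (-not (Test-Path -LiteralPath $hivePath)) { throw "Hive not found: $hivePath (is MainOS mounted as $MainOsDrive?)" }

# Keep an untouched copy of the hive before changing anything on the image.
Copy-Item -LiteralPath $hivePath -Destination "$hivePath.bak" -Force

# Mount the offline hive under HKLM\<MountName>. reg.exe opens the file read/write,
# so a read-only image mount fails here rather than later.
& reg.exe load "HKLM\$MountName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE): not elevated, or $MainOsDrive is mounted read-only" }

try {
    $psPath = "HKLM:\$MountName\$InstallKey"
    if (-not (Test-Path -LiteralPath $psPath)) { throw "Key not present in this hive: $psPath (check the assumed subkey)" }

    # Record the current values so the change, and a rollback, are documented.
    $before = Get-ItemProperty -LiteralPath $psPath
    "Before: PortalUrlProd=$($before.PortalUrlProd) PortalUrlInt=$($before.PortalUrlInt) MaxUnsignedApp=$($before.MaxUnsignedApp)"

    # The edits from the post: portal URLs to loopback, sideload limit to 10003.
    Set-ItemProperty -LiteralPath $psPath -Name PortalUrlInt   -Value 'http://127.0.0.1' -Type String
    Set-ItemProperty -LiteralPath $psPath -Name PortalUrlProd  -Value 'http://127.0.0.1' -Type String
    Set-ItemProperty -LiteralPath $psPath -Name MaxUnsignedApp -Value 10003            -Type DWord

    $after = Get-ItemProperty -LiteralPath $psPath
    "After:  PortalUrlProd=$($after.PortalUrlProd) PortalUrlInt=$($after.PortalUrlInt) MaxUnsignedApp=$($after.MaxUnsignedApp)"
}
finally {
    # Release PowerShell's handles to the key first; otherwise reg unload reports
    # "access denied" and the hive stays loaded (and dirty) on the image.
    Remove-Variable before, after, psPath -ErrorAction SilentlyContinue
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed ($LASTEXITCODE); unload HKLM\$MountName by hand before unmounting the image" }
}
```

Only unmount the image (step 9) after the unload succeeded, otherwise the hive file on the image is left with the dirty flag set and the phone may discard or repair the changes on boot. The .bak copy next to the hive is what you write back if the modified image misbehaves.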
    OK, I finally received my AT&T Lumia 520 (RM-915) from eBay :)

    So, as I don't really need two 520s, I'm willing to donate my interop-unlocked RM-914 phone, the one with the broken screen, to a clever developer ;)
    So I first thought about @GoodDayToDie: would you like to have my RM-914 Lumia 520?
    Maybe this would help you research the not-working EnableAllSideloading on 8.1...

    So, if you would like to have it, I'd be happy to send it to you.
    I just need to know if it's better to give it to you interop unlocked on GDR3 or on 8.1.

    Just let me know if you're interested, or name another dev who might need the phone.
    Interop-unlocked Lumia 520 has arrived! I haven't had time to hack on it yet, but I've got plans. HUGE thanks to @lordmaxey for this!
    Sorry, Chinese guys have been doing this for ages and hit the news multiple times with it :D
    Also, I was constantly reminding everyone that unlock via JTAG is possible ;)

    There is one *bad* point in making this method public: according to the docs, JTAG must be disabled. But Nokia doesn't really disable it the way Microsoft wants everyone to follow. I wouldn't tell you what can happen after this becomes public.



    Hi,

    Just some info about JTAG on Nokia Lumias...

    Nokia disables it in the QFUSE, but there is a bug/hole in Qualcomm SoCs that enables you to still use JTAG debugging by using unorthodox ways of HALTING (entering DEBUG mode).

    This bug/hole was already rectified starting with Snapdragon 800 (MSM8974 and its "family members"), which is why there is currently no 3rd-party JTAG box that can support these new SoCs if the device manufacturer sets the correct JTAG disable bits in QFUSE. I heard it is still possible via SWD, but with very limited memory access. This holds true not only for Nokia, but for all other manufacturers as well (Samsung, LG, HTC etc.). Anything below Snapdragon 800 (with very few exceptions) can be debugged via JTAG even if the manufacturer disables all JTAG bits in the QFUSE.

    For Snapdragon 800, not all is lost. One can still use ISP for the eMMC if the CLK, CMD and DATA0 lines are exposed on the PCB (which is usually the case because of external pull-up resistors to VccQ).

    Now, as this method (Interop Unlock via JTAG) might be frowned upon because of the "hardware-approach" nature of the hack, it may still prove useful for developers who still want to explore a software-approach hack. I mean the developer will have more control "exploring" the possibilities when he is working on an already "unlocked" device.


    Anyway, I am willing to donate my engineering Lumia 925 with "z" apps to any senior developer who is determined to find a "software only" hack.

    I will also provide a complimentary JTAG box + complete set of jigs to allow a "solderless" JTAG connection for the Lumia 925 (just in case the developer needs to revive the phone, or if he wants to perform the hardware-method interop unlock on it).


    The reason for my generosity is nothing sinister. I simply have no practical use for this phone anymore, and I am always a big supporter of anything Nokia...



    Best regards,
    ATF Developer
    SUCCESS!!

    awesome!