[Dev] Bypass "bootloader" [PROPER METHOD] - XPERIA X10 Android Development

Greetings.
warning.
if you are not a developer, please quit reading this post.
wait for a user-friendly tool with one big button.
here ( View attachment qsd8250.7z ) is a toolset to permanently "unlock" the semcboot of qsd8250 semc phones ( x10a, x10i, so-01b )
that means you can use your own kernel and so on.
it is a much better, more stable and faster method than the present "bypass".
steps, precautions, etc.
unpack the archive to any directory.
if you are using eset antivirus or similar ****, it will find an evil virus in adb.exe.
ignore that, it is not a virus in any way, it is the standard android debug bridge, bundled in one file to save space and for usability.
now, if your phone is unlocked officially:
flash the phone with standard 2.0/2.1 android firmware, because the kernel mapper module is compiled for the "2.6.29" kernel.
of course, enable "usb debugging"
run qsd8250_semc.cmd
( if you want, examine it before running, it is pretty straightforward. )
you will get similar output
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
1464 KB/s (585731 bytes in 0.390s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
192 KB/s (3087 bytes in 0.015s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
504 KB/s (8064 bytes in 0.015s)
Second, we need to write semcboot ;)
1531 KB/s (588236 bytes in 0.375s)
successfully wrote 0001ff80
Press any key to continue . . .
bingo, your phone now has an unlocked bootloader.
if your phone was unlocked by setool2 software, use qsd8250_setool2.cmd
if your phone was unlocked by 3rd-party software other than setool2, do not run anything -
it will disable the radio capability of your phone and you will need to unlock the phone with setool2 software.
hopefully, miserable flea and mOxImKo will release something similar for your phone.
to find out what tool was used to unlock your phone, use this ( View attachment s1tool.7z ) tool.
if you see "NOT RECOGNIZED SIMLOCK CERTIFICATE", you are out of luck.
okay, now about other details.
1.
an unlocked bootloader requires an unlocked loader, yep?
loader\loader.sin is a special unlocked loader, which will be accepted ONLY after you "unlock" semcboot with the previous steps.
to distinguish unlocked semcboot from original semcboot, the first letter in the version tag of the semcboot output will be lower case, i.e. "r8A033"
( the same applies to the loader version tag )
so, all that stuff with signatures is not for us, so i removed it - the loader will ignore the signature part of the SIN file.
2.
we need to make a SIN file somehow, right?
for that i prepared a "dumb" bin2sin utility.
Syntax : bin2sin [input] [partition info, 32 digits] [type] [block size]
[input] - is the input binary file.
[partition info]
the android implementation on s1 semc qualcomm phones is based on partitions, so we MUST define it for our file.
you can get the required partition info from standard semc sin files, it is the first 0x10 bytes of DATA, right after the header, i.e.
x10 kernel partition info
03000000220000007502000062000000
[type] - partition type, 9 - partition without spare, 0xA - partition with spare.
the kernel partition is a partition without spare.
if that parameter is omitted, type = 9
[block size] - nand block size, if omitted, it is the standard size 0x20000
there is an example in sinTools\example_build.cmd
3.
the kernel should be prepared specially to be accepted by semcboot.
for that there is the tool bin2elf.
Syntax : bin2Elf.exe [nbrOfSegments] [EntryPoint] [Segment1] [LoadAddress1] [Attributes1] ...
we need 2 segments:
segment 1 is the unpacked linux kernel image, i.e.
( x10/kernel/arch/arm/boot/Image )
it looks like the entrypoint and load address for segment 1 are always the same for all qsd8250-based semc phones, it is 0x20008000
attributes for the image 0x0
segment 2 is the ramdisk.
it looks like the entrypoint and load address for segment 1 are always the same for all qsd8250-based semc phones, it is 0x24000000
set attributes for the ramdisk to 0x80000000, that is extremely important.
there is a simple kernel example in sinTools\example_build.cmd
ps.
the patched semcboot does exactly the same thing as the official "bootloader unlock" ( for some idiotic reason called "rooting" ), it skips the checking of the aARM firmware part ONLY.
it will NOT unlock your phone from the network.
after the procedure, you CAN use Emma/seUS safely.
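As an added example (not the_laser's bin2elf and not from the attached archive), here is a Python builder for the two-segment ELF layout the post describes: entry point and load address 0x20008000 with attributes 0x0 for the kernel Image, and load address 0x24000000 with attributes 0x80000000 for the ramdisk. It assumes the bin2elf "Attributes" value is stored in the ELF program header p_flags field (an assumption; the post does not say where it goes) and uses constructed placeholder bytes instead of a real Image and ramdisk.

```python
import struct

# Standard ELF constants (from the ELF specification, not from the post)
ELFCLASS32, ELFDATA2LSB, EV_CURRENT = 1, 1, 1
ET_EXEC, EM_ARM, PT_LOAD = 2, 40, 1
EHDR_SIZE, PHDR_SIZE = 52, 32
EHDR_FMT = "<HHIIIIIHHHHHH"  # ELF32 header fields after the 16-byte e_ident
PHDR_FMT = "<8I"             # ELF32 program header: type, offset, vaddr, paddr, filesz, memsz, flags, align

# Values the post gives for qsd8250-based SEMC phones
KERNEL_LOAD = 0x20008000   # entry point and load address of the unpacked Image (segment 1)
KERNEL_ATTR = 0x0
RAMDISK_LOAD = 0x24000000  # load address of the ramdisk (segment 2)
RAMDISK_ATTR = 0x80000000  # ramdisk attribute the post calls extremely important


def build_elf(entry, segments):
    """Build an ELF32 little-endian ARM executable from (data, load_address, attributes) tuples.

    Each segment gets one PT_LOAD program header with p_vaddr = p_paddr = load_address.
    Assumption: the bin2elf "Attributes" value is stored in p_flags; the post does not say.
    Segment payloads are appended after the header table, in order.
    """
    phnum = len(segments)
    payload_off = EHDR_SIZE + PHDR_SIZE * phnum
    e_ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, EV_CURRENT]) + bytes(9)
    ehdr = e_ident + struct.pack(
        EHDR_FMT, ET_EXEC, EM_ARM, EV_CURRENT, entry, EHDR_SIZE,
        0, 0,                                   # e_shoff, e_flags: no section headers
        EHDR_SIZE, PHDR_SIZE, phnum, 0, 0, 0)   # e_shentsize, e_shnum, e_shstrndx all zero
    phdrs, payload = b"", b""
    for data, load_addr, attrs in segments:
        phdrs += struct.pack(PHDR_FMT, PT_LOAD, payload_off + len(payload),
                             load_addr, load_addr, len(data), len(data), attrs, 4)
        payload += data
    return ehdr + phdrs + payload


def build_semcboot_elf(kernel_image, ramdisk):
    """The two-segment layout the post describes: kernel Image first, ramdisk second."""
    return build_elf(KERNEL_LOAD, [(kernel_image, KERNEL_LOAD, KERNEL_ATTR),
                                   (ramdisk, RAMDISK_LOAD, RAMDISK_ATTR)])


def parse_elf(blob):
    """Return (entry, [(load_address, attributes, data), ...]) for the PT_LOAD segments."""
    if blob[:4] != b"\x7fELF" or blob[4] != ELFCLASS32 or blob[5] != ELFDATA2LSB:
        raise ValueError("not an ELF32 little-endian image")
    fields = struct.unpack_from(EHDR_FMT, blob, 16)
    entry, phoff, phentsize, phnum = fields[3], fields[4], fields[8], fields[9]
    segments = []
    for i in range(phnum):
        p_type, p_offset, _vaddr, p_paddr, p_filesz, _memsz, p_flags, _align = \
            struct.unpack_from(PHDR_FMT, blob, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segments.append((p_paddr, p_flags, blob[p_offset:p_offset + p_filesz]))
    return entry, segments


def check_semcboot_layout(blob):
    """List deviations from the layout the post requires; an empty list means it matches."""
    problems = []
    entry, segments = parse_elf(blob)
    if entry != KERNEL_LOAD:
        problems.append("entry point 0x%08x, expected 0x%08x" % (entry, KERNEL_LOAD))
    if len(segments) != 2:
        problems.append("expected 2 PT_LOAD segments, found %d" % len(segments))
        return problems
    (k_addr, k_attr, _), (r_addr, r_attr, _) = segments
    if (k_addr, k_attr) != (KERNEL_LOAD, KERNEL_ATTR):
        problems.append("kernel segment at 0x%08x with attributes 0x%x" % (k_addr, k_attr))
    if (r_addr, r_attr) != (RAMDISK_LOAD, RAMDISK_ATTR):
        problems.append("ramdisk segment at 0x%08x with attributes 0x%x, needs 0x%x"
                        % (r_addr, r_attr, RAMDISK_ATTR))
    return problems


# Constructed placeholders standing in for arch/arm/boot/Image and a ramdisk (not real images)
SAMPLE_KERNEL = bytes(16) + b"CONSTRUCTED-KERNEL-IMAGE"
SAMPLE_RAMDISK = b"\x1f\x8b" + b"CONSTRUCTED-RAMDISK"


def demo():
    """Build a correct image and one with the ramdisk attribute left at 0x0; return both check results."""
    good = build_semcboot_elf(SAMPLE_KERNEL, SAMPLE_RAMDISK)
    bad = build_elf(KERNEL_LOAD, [(SAMPLE_KERNEL, KERNEL_LOAD, KERNEL_ATTR),
                                  (SAMPLE_RAMDISK, RAMDISK_LOAD, 0x0)])
    return check_semcboot_layout(good), check_semcboot_layout(bad)


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("correct image:", good_problems or "OK")
    print("ramdisk attrs 0x0:", bad_problems)
```

Running the block builds the sample image and reports how the checker flags a ramdisk segment whose attributes were left at 0x0.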

I SIM-unlocked my phone using the maxrfon method... does this mean I cannot do this? Which should be the same method setool used, right?

http://www.x10unlocked.com/
That is the site where I did it... it does it in a super secret way... which I think is the same way setool does it.

haszan1172 said:
Omg omg omg omg omg. This also means full multi touch and other cool stuff. Soo excited! :-[] trollface
does it? or is it just a bypass?

Wondering if devs can incorporate this into flashtool so users can unlock the bl easily..

william0410 said:
does it? or is it just a bypass?
I think so...he mentioned bootloader 'unlock' quite a few times.

aR_ChRiS said:
Wondering if devs can incorporate this into flashtool so users can unlock the bl easily..
I guess it won't be easy because if the person presses the wrong (button) method, he will lose radio, as the_laser said.
Correct me if i am wrong.
sent from my stock gb not rooted and no add ons.

After reading the comments the_laser wrote on the X8 forum i think i got it. This IS a bootloader unlock EXCEPT for it ignoring the aARM thing, which then defines it as a "bypass" rather than a real unlock. But it does everything a real unlock does.
ALSO anybody know about my predicament... I used the maxrfon simunlock method and will try this if I know whether I can use the setool2 version, cuz I think it follows the same way the maxrfon unlock works.

Don't rush into doing it!
It's pretty useless at the moment anyway! You can't do anything more than you already do, until developers give us new things to try (ROMs, kernels, etc).
Xperia X10i via Tapatalk

Flashed X10a_2.0.A.0.504_Generic and ran qsd8250_semc.cmd
results:
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
* daemon not running. starting it now *
* daemon started successfully *
3530 KB/s (585731 bytes in 0.162s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
274 KB/s (3087 bytes in 0.011s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
605 KB/s (8064 bytes in 0.013s)
Second, we need to write semcboot ;)
2735 KB/s (588228 bytes in 0.210s)
successfully wrote 0001ff80
Press any key to continue . . .
Let's see what we can do now.

Strange!
First:
.config.gz in kernel shows
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.29
# Fri Jan 7 18:21:13 2011
#
Which is like 5 months ago... Where were the test versions?
Second:
So you are saying that for format of "boot" we must use zImage... That is just sick...
Third:
Joining of kernel & ramdisk two exe files + batch? Seriously? Come on man! Add some ****ing args support too...
Fourth:
I will try this when my phone gets back...

So it's finally bypassed. Congrats to all devs working on it. I'll try it after there are some kernels/roms/tweaks that require BL bypass. And again, great work.

wow.. looking forward to Dev's comments

That is great!

scoobysnacks said:
How does it mean full multitouch?
Lol....
It isn't that simple.
I think Z mentioned how they have the MT driver but don't have a way of incorporating it because of the locked bootloader; if it's unlocked then he can do it, maybe..

kantk20111 said:
I think Z mentioned how they have the MT driver but don't have a way of incorporating it because of the locked bootloader; if it's unlocked then he can do it, maybe..
Actually he said the exact opposite:
they don't have the drivers and they'd have to write them from scratch, which is next to impossible.
"Rocket science", his words, not mine.
So, let's don't get our hopes up just yet. Stay calm.
Xperia X10i via Tapatalk

Hmm, very interesting. Look forward to see where this leads.
Sent from my X10i using XDA App

go go dev, long life x10

Come on! its been over 2 hours since this was released! where are the Roms using cracked bootloader!!
I'm just breaking the ice, please dont take me seriously!
But out of curiosity, what are the realistic possibilities from having a cracked bootloader? what have the other Android phones done with their cracked bootloaders?

Will hold my excitement until Z, J, or other developers say anything, but i'm following this thread closely.

Related

SE Update Engine

Watching the Sony Ericsson PC Application on a repair today I noticed that it was downloading and installing an update engine.
Maybe I'm day dreaming but I believe this will hold the key to the bootloader issues. This engine should be what's controlling the bootloader while loading the OS image to the Qualcomm chip.
So my hypothesis is that if we can pull this update engine out of the application by removing the rest of the application we can use the tools and UI from any of the DEV or HTC ROM loader applications to control said engine. Basically what we'd be doing is taking their tool and wrapping a new shell around it to control what we need and are legally entitled to make our devices do.
Thoughts?
--------------------------------------------------------------------------------------------------
============================================================================
--------------------------------------------------------------------------------------------------
FOLLOWING TWO PAGES OF YOUR RESPONSES:
Okay guys. The secret to the bootloader is actually inside of the PC Companion application with SEUS. We need to figure out how to wrap a different Windows UI around this. Basically take all the critical guts and use the RUU loader found on device sites like Rhodium, HD2, etc... and only use its UI. So to get this, is there a way to watch in real time what files PC Companion and SEUS are downloading while in the repair stages of operation?
If this is not possible we need to remember that SE develops a lot more Symbian than Android. Some of the chip security could be the same found in those devices. I've included a link that may help guide us. I haven't wrapped my head 100% around this concept but at least I have a strong grasp on solutions!
http://developer.symbian.org/wiki/index.php/What_are_the_product_development_kits%3F
This product development kit is geared towards hardware and if you scroll down you will see details on accessing the Kernel Taster Kit which is a subset of the PDK which enables the creation of new baseports and device drivers. Because SE is probably using a BIOS designed for Symbian this could likely help us with our quest. Or ultimately give us a big FU to Sony and give us Symbian 3^ on our Xperia... so basically one hell of a sweet Vivaz. The Mini Pro could replicate the Vivaz Pro.
Hey, the idea is nice. But basically that's what was done with X10flash. X10flash is based on SEUS, it takes all update functions out of SEUS and lets us flash what we want to.
The problem is that there is no function for flashing the bootloader.
We have the loader.sin which controls the flashing on the phone itself. What is needed is a loader.sin which unlocks the bootloader or or or
So the idea is not bad but was there before, and X10flash is the result
Regards
Bin4ry
Why does X10flash need the DeviceID, and SEUS not?
I try to find a way to flash without DeviceID... is it a dream too?
Thol said:
Why does X10flash need the DeviceID, and SEUS not?
I try to find a way to flash without DeviceID... is it a dream too?
Flashing with a DeviceID would be tricky since you need to know what hardware the program should speak with. SEUS probably finds out the ID automatically while we have to find it manually.
then who has worked on this problem?
i want to help him... i want to know what ways have already been searched... so i don't lose my time on these bad ways...
So now I have a question...
If we need to change the bootloader in order to get new roms, then why does Sony not need that?
Another thing, how is the bootloader locked, is it a des-key or what?
I am just trying to understand the problems here...
Sent from my X10i using XDA App
Thol said:
Why does X10flash need the DeviceID, and SEUS not?
I try to find a way to flash without DeviceID... is it a dream too?
SEUS has an automatic detection, but it is tricky to find, because we can only decompile the java JARs which are located in the plugins folder. If you decompile them you get only function names like a b c d e f g etc. And because of this it's very hard to follow these.
So DeviceID is the minor problem we have, so we don't spend time on automatic detection as we have a method with decon, grep and cut. (I think this is totally okay for now) If we finally have a way around BL we can spend more time making the flashing process with X10flash more cute.
pshdo said:
If we need to change the bootloader in order to get new roms, then why does Sony not need that?
Because the firmware is signed
The problem is less the flashing. Even if we can flash what we want the Bootloader checks the signature on every boot, so we are running the wrong way to think about altering the flash process. We must look in other areas.
Regards
Bin4ry
have you tried to switch the X10 BL with one from another device with the same specs?
Bin4ry said:
Because the firmware is signed
The problem is less the flashing. Even if we can flash what we want the Bootloader checks the signature on every boot, so we are running the wrong way to think about altering the flash process. We must look in other areas.
Regards
Bin4ry
Any luck on disassembling the BL? If we're insanely lucky then all that sets the retail loader apart from the dev loader is a debug flag or something. It would seem counterintuitive to write a complete separate bootloader just for development when the standard qualcomm should work just fine.
Even if we don't have access to the unsigned loader from SE we could perhaps compare the X10 bootloader with the stock one from Qualcomm's SDK and if those look similar. If the SE one is a modified version of the reference BL we might be able to figure out what bits to flip in order to enable debug-mode.
Bin4ry said:
Because the firmware is signed
The problem is less the flashing. Even if we can flash what we want the Bootloader checks the signature on every boot, so we are running the wrong way to think about altering the flash process. We must look in other areas.
Regards
Bin4ry
So if I understand correctly (I probably don't), then the more updates Sony put out, the more likely it is that we can figure out how the lock works?
All the updates from Sony should pass that lock in order to work, right?
Sent from my X10i using XDA App
Thol said:
have you tried to switch the X10 BL with one from another device with the same specs?
Tried and failed (was one of the first things we tried)
ddewbofh said:
Any luck on disassembling the BL? If we're insanely lucky then all that sets the retail loader apart from the dev loader is a debug flag or something. It would seem counterintuitive to write a complete separate bootloader just for development when the standard qualcomm should work just fine.
Even if we don't have access to the unsigned loader from SE we could perhaps compare the X10 bootloader with the stock one from Qualcomm's SDK and if those look similar. If the SE one is a modified version of the reference BL we might be able to figure out what bits to flip in order to enable debug-mode.
Yep, that's what I'm trying. The original Qualcomm does not load, but we must have some value which can be set on S1Loader, because if you take a look with a simple hexeditor then you see some normal strings which are about Debug etc.
So feel free to help me pushing the Loader through IDA or smth. to find a way to do smth.
I think if we can manage to find the DBG value we could be lucky and get the S1Loader switch our normal BL to DEV or DBG mode.
Worth a try
pshdo said:
So if I understand correctly (I probably don't), then the more updates Sony put out, the more likely it is that we can figure out how the lock works?
All the updates from Sony should pass that lock in order to work, right?
Sent from my X10i using XDA App
No sorry. There is no way to crack the key. It's too hard encoded; with the actual power of computers you would calculate the key in approx 10^27 years
Even if you have 1000 updates :/
Regards
Bin4ry
Bin4ry, we believe in your mathematical scientific powers!
Go go go! You will have psychological support from us!!!
Everybody.. support our team!
GO GO crack the boot, you can do it! The people believe in you!!!! I believe in you! My wife believes in you
We love you man !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Bin4ry said:
No sorry. There is no way to crack the key. It's too hard encoded; with the actual power of computers you would calculate the key in approx 10^27 years
Even if you have 1000 updates :/
Regards
Bin4ry
Thank you for the answer...
Someone has cracked lots of other stuff in the past, e.g. satellite and a lot of other things, so if someone can set up a search engine, perhaps we can all help... it COULD be hard, but no one knows for sure...
But that of course means that we need to know exactly what we are looking for...
Is it a kind of management key or?
Not that I know anything about searching, of course...
Sent from my X10i using XDA App
Hello Binary,
When you try to flash a new boot loader does it check that you're flashing a valid loader or will it let you flash anything you want? And if you were to flash anything you want (even just a whole load of 0s) would that mean that your phone would be destroyed or is there a recovery method? Can you simply write back over it with a good loader?
Also, has anyone read out the SE loader? And if so can it be disassembled? And if that has been done, roughly how many lines of assembly code is it?
Sorry about all the questions but I'm interested in this stuff but it's awkward to find a good starting point.
Sent from my X10i using XDA App

[dev] bl1 bl2 bl3

Q: Does the S5PC110/V210 support eMMC boot mode?
A: Supports eMMC4.3 and SDMMC (ver. 4.2) booting of eMMC4.4 devices. eMMC4.4 booting is not supported.
Supports 8-bit SDR, but does not support 8-bit DDR.

Q: How to use secure booting on the S5PC110?
A: 1) General Policy
Only secured chips with a single key will be made. Secure booting is the default mode.
Even though a customer wants to use non-secure booting, they have to secure boot
up to the bootloader (BL2).
2) General Consensus
- Customers have to make their own public key and private key with CodeSigner (PC software).
- To make secure-BL1 (bootloader1), the customer has to send their public key to SYS.LSI.
- SYS.LSI will release secure-BL1 with the customer's public key.

Q: How to use secure booting on the S5PV210?
A: 1) General Policy
Non-secured chips with no key will be made
2) General Consensus
- Customers have to make their own public key and private key with CodeSigner (PC software).
- To make secure-BL1 (bootloader1), the customer has to send their public key to SYS.LSI.
- SYS.LSI will release secure-BL1 with the customer's public key.

Q: Can programming tool be released according to booting device (C110)?
A: C110 has programming tool using SDMMC card to OneNAND and SDMMC.

Q: Can programming tool be released according to booting device (V210)?
A: V210 has programming tool using SDMMC card to NAND and SDMMC.

Q: What is E-fuse fusing status (C110)?
A: Secure - O, Unique ID - X, HDCP - O

Q: What is E-fuse fusing status (V210)?
A: Secure - X, Unique ID - X, HDCP - O

Q: What do BL0, BL1, BL2 and BL3 mean?
A: - BL0 - It is the embedded boot loader in the internal ROM of the AP, for the purpose of booting
- BL1 - It is the 4Kbyte-sized boot loader provided by Samsung S.LSI to the customer
- BL2 - It is the 8Kbyte-sized, customized boot loader made by the customer.
It has the function of hardware initialization and loading BL3 or the next-phase booting image.
In Linux and Android, the first 8Kbyte of U-boot is split off and is normally called BL2.
- BL3 - It is a customized boot loader made by the customer. BL3 has no limit on its size because
BL2 can define the BL3 size. In firmware, BL3 may not be needed. In Linux and Android,
BL3 is called U-Boot.

Q: What are the write addresses of BL1 and BL2 in the boot device?
A: - If OneNAND (Page size = 2KB)
BL1(4KB) : Block 0, Page 0~1
BL2(8KB) : Block 0, Page 2~5
- If OneNAND (Page size = 4KB)
BL1(4KB) : Block 0, Page 0
BL2(8KB) : Block 0, Page 1~2
- If SD/MMC (1 Block = 512 Byte)
BL1(4KB) : Block 1~8
BL2(8KB) : Block 9~24
- For your reference, in the case of BL3 and non-OS code, the size is flexible since BL2 does
not define the size.

Q: How many bits of NAND ECC are supported in boot mode?
A: C110/V210 support 8-bit ECC and 16-bit ECC in NAND boot mode.
For the booting NAND images named BL1 and BL2, refer to the iROM application note.
Normally, booting NAND images are located in Block 0. The blocks where BL1 and BL2 are located
can be set to 8-bit ECC, and the other blocks can be set to another ECC bit count.
But because 1-bit ECC per 512 bytes is needed according to the Toshiba NAND flash datasheet,
8-bit ECC will be needed for a 2KB page.
Thank you! How did you get it?
Too bad we know all of this already. But at the cost of a few months' research. :\
Rebellos said:
Thank you! How did you get it?
Too bad we know all of this already. But at the cost of a few months' research. :\
Also I flashed the bootfile from another samsung mobile and the bootfile works well !!!
It's the samsung Pixon 12 M8910 :
https://rapidshare.com/files/399029625/BOOTFILES.zip
It's very interesting because it's a little bootfile, boot_loader.mbn 287Ko !!! dbl.mbn 156Ko !!!
Other thing, Qualcomm: last year I worked on HD2 porting and remember the B after the name seems to be the revision for low voltage QSC6270"B"
Last one, I've got maybe QDART...maybe
Its samsung Pixon 12 M8910
Nice posts.
Thanx.
About Boot I'll try soon... as I have JTAG for repair...
Best Regards
Edit 1...
Firmware for research... M8910XWIK3.rar
http://darkforestgroup.com/forum/in...ml?PHPSESSID=68b8f61d60bc636d974246bb761c07ae
http://netload.in/dateivYopHGNKPk/M8910XWIK3.rar.htm
Edit 2...
First attempt with ML 5.67...
failed...
Boot is not written...
How and with what you have successfully written?
ML 5.60 ?
Because not crypted files...
adfree said:
Nice posts.
Thanx.
About Boot I'll try soon... as I have JTAG for repair...
Best Regards
Edit 1...
Firmware for research... M8910XWIK3.rar
http://darkforestgroup.com/forum/in...ml?PHPSESSID=68b8f61d60bc636d974246bb761c07ae
http://netload.in/dateivYopHGNKPk/M8910XWIK3.rar.htm
Edit 2...
First attempt with ML 5.67...
failed...
Boot is not written...
How and with what you have successfully written?
ML 5.60 ?
Because not crypted files...
5.67 has a problem, I use 5.65, I'm in bada 2
Strange arent *? Because it's not the same driver for boot.... I looked at boot_loader and it's very different but works...
Maybe it doesn't touch anything, can you explain?
Failed again...
Tried
5.60
5.62
5.64
5.67
Not 5.65... maybe my fault...
I'm on bada 1.x Boot JEE...
Can you please exact FW Version... the latest?
KH3 ?
S8500 or S8530 ?
Thanx.
Best Regards
adfree said:
Failed again...
Tried
5.60
5.62
5.64
5.67
Not 5.65... maybe my fault...
I'm on bada 1.x Boot JEE...
Can you please exact FW Version... the latest?
KH3 ?
S8500 or S8530 ?
Thanx.
Best Regards
Yes S8530 KH3
But maybe it works just with S8530 because I can flash it with bada 1.2
Then I've tested with 5.67, it works well too....
I have also S8530... maybe later I'll try.
Maybe S8500 KH3 work... I'll check it later.
Maybe Boot unsecured... in bada 2.0 Beta....
Thanx.
Best Regards
adfree said:
I have also S8530... maybe later I'll try.
Maybe S8500 KH3 work... I'll check it later.
Maybe Boot unsecured... in bada 2.0 Beta....
Thanx.
Best Regards
Ah, maybe not BL3 there because it's not customer firmware, you're right !!!
But in boot_loader it seems to be for s3c6410 and after that the boot loader shows s5pc110, then it's not really flashed into nand....
then it's not really flashed into nand....
I can confirm...
S8500 KH3 Boot... Multiloader message "success", but in handset ignored...
No changes...
Bootloader checks integrity of new Boot data... and then write into NAND...
But its okay. Maybe I can find these written data somewhere via JTAG...
No idea if Boot is first temporary stored into RAM...
We will see...
Best Regards
adfree said:
I can confirm...
S8500 KH3 Boot... Multiloader message "success", but in handset ignored...
No changes...
Bootloader checks integrity of new Boot data... and then write into NAND...
But its okay. Maybe I can find these written data somewhere via JTAG...
No idea if Boot is first temporary stored into RAM...
We will see...
Best Regards
Yes something strange
Also I've got very nice news for S8500 Android, I've found the QSC6270B datasheet
It's the complete datasheet with revision differences
Muhahahaaa
The kernel is in AMSS and the AMSS from 8910 is not encrypted. You can fla**** too but of course the Wave reboots after the logo
Ok there's a new way :
Phone off, usb in, you can take the qualcomm driver to communicate
Fast download mode :
Phone off, hold vol down, hold together then plug usb
Bootloader checks integrity of new Boot data... and then write into NAND...
But its okay. Maybe I can find these written data somewhere via JTAG...
No idea if Boot is first temporary stored into RAM...
vernon98 said:
Bootloader checks integrity of new Boot data... and then write into NAND...
But its okay. Maybe I can find these written data somewhere via JTAG...
No idea if Boot is first temporary stored into RAM...
Then ???

[Q] unlocking bootloader software backdoor

I would like to have more information about this:
http://forum.xda-developers.com/showpost.php?p=17384177&postcount=3
It is reported to be a backdoor. Is this a false positive and why is that so?
What is a debug bridge?
if you using eset antivirus or similar ****, it will find evil virus in adb.exe.
ignore that, it is not virus in any way, it is standard android debug bridge, bundled in one file to save space and usability.
Also, s1tool is reported to contain a trojan horse.. why is that so?
like people said already, it's a false positive. Just ignore it.
Also, use this instead, it packages everything nicely together:
http://forum.xda-developers.com/showthread.php?t=1462278
I just got my xperia x10 mini pro today and unlocked bootloader, flashed custom kernel & rom all within 20 minutes. Easy enough.
It is actually a backdoor or exploit to open up or to gain access to your phone, which is not officially supported by SE. A trojan, so changes can be pushed successfully to the phone.
Backdoor to gain entry and trojan to enter unofficially.
False positives in both no worries.

[Q] Rooting the Samsung Stratosphere II?

Hello everyone,
I've recently gotten a Samsung Galaxy™ Stratosphere™ II (Verizon), and can't find anything on rooting this sucker. The pertinent specs (as far as I can tell) are as follows:
Android: 4.0.4
OS Version: 3.0.8-1157001
Dalvik Version: 1.6.0
CPU: Snapdragon S4 (ARMv7 r4)
Hardware: Samsung Aegis2 r4
Anyone have any advice? I'd love to be able to root then make a CWM recovery for this thing, and any help would be greatly appreciated.
Thanks!
Holy mother of humanity, these threads get buried QUICKLY!
I have the same phone and have looked everywhere trying to find a way to root it
fltbosn said:
I have the same phone and have looked everywhere trying to find a way to root it
I mean, I know it's a relatively new phone and all, but surely someone with some development knowledge has one by now...
... I'd try to figure it out, but I think it might be a little over my head.
Okay, the problem with the available rooting procedures is that they all try to install things to /data/, which is inaccessible (not even read-only); I've been looking and trying to ask around, but can't find any alternative procedures.
How hard is it to root a phone from scratch? Is it possible to use exploit bases from other phones that use the same SoC and Android version? Any devs able to chime in?
What is it about this Verizon implementation of 4.0.4 that doesn't allow access to /data/, which is what every standard root procedure uses? Do any other Verizon phones use 4.0.4 that don't have access to the /data/ folder?
(I really, REALLY hate to keep bumping my own thread)
I got this phone too. A root method would be great so I can remove the bloatware.
ShaneRitz said:
I got this phone too. A root method would be great so I can remove the bloatware.
I am from Bulgaria and I have bought this phone too and we still cannot make it work even with a Verizon Wireless SIM card.
The problem probably (not sure) is that it was never turned on or registered, so in Bulgaria when I put the Verizon Wireless SIM card in it can't recognize its home network of Verizon to start the setup.
It seems that it needs the Verizon network to make the first registration and activation of the device, or am I missing something? The only thing that pops up is the Verizon Wizard that wants to set up my phone and account and I can't do it because of no Verizon network connectivity...
Any suggestions?
Trying and failing
WetLlama said:
Hello everyone,
I've recently gotten a Samsung Galaxy™ Stratosphere™ II (Verizon), and can't find anything on rooting this sucker. The pertinent specs (as far as I can tell) are as follows:
Android: 4.0.4
OS Version: 3.0.8-1157001
Dalvik Version: 1.6.0
CPU: Snapdragon S4 (ARMv7 r4)
Hardware: Samsung Aegis2 r4
Anyone have any advice? I'd love to be able to root then make a CWM recovery for this thing, and any help would be greatly appreciated.
Thanks!
I have been working through many of the methods, unfortunately with no success. The root exploits don't work (including debugfs which would work on nearly anything) as the file system is locked down HARD even in recovery mode. Even ODIN 3.07 flashing recoveries (CWM touch 6.01) fails check after NANDWRITE step (Same trying to flash an unlocked boot for the MSM8960 (SIII)). I have built the kernel from source successfully but with no way to get the initramfs built there's no way to flash the product. Damn VZW!!! Need some suggestions for moving forward, I'm about stumped.
So I feel your pain friend, I'm sure others are too. Short of an emulator to suck the code off the chip (which I'm not above doing *if* I had the hardware) and twiddling bits in the binary, I don't know how we're going to get this thing unlocked yet.
TheHierophant said:
I have been working through many of the methods, unfortunately with no success. The root exploits don't work (including debugfs which would work on nearly anything) as the file system is locked down HARD even in recovery mode. Even ODIN 3.07 flashing recoveries (CWM touch 6.01) fails check after NANDWRITE step (Same trying to flash an unlocked boot for the MSM8960 (SIII)). I have built the kernel from source successfully but with no way to get the initramfs built there's no way to flash the product. Damn VZW!!! Need some suggestions for moving forward, I'm about stumped.
So I feel your pain friend, I'm sure others are too. Short of an emulator to suck the code off the chip (which I'm not above doing *if* I had the hardware) and twiddling bits in the binary, I don't know how we're going to get this thing unlocked yet.
You're a much braver man than I, I'll tell you that much.
I've been considering attempting to flash a T-mobile Samsung Relay 4G recovery since the phones are almost identical (with the exception of the radios, of course), but I'm afraid of totally borking it because I have no backup. If you're up for it and haven't tried that one yet, maybe editing some settings in the build.prop of the Relay's stock ROM would work (I don't know really; I'm a hardware guy, not a developer... )?
http://forum.xda-developers.com/showthread.php?t=2117436
There's all of the stuff for it so far, and if you do decide to give it a shot, let me know and I'll try to provide whatever help I can.
Hidden Menu results
Okay, fell back and started looking at other approaches. So... following on Adam Outler's work on the SIII I snooped through the .apk's and found this little gem "HiddenMenu.apk" which I disassembled. Lo and behold, the following things popped out at me [which I put in activation strings]:
Code:
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE"
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU"
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL"
The first line brings up the Hidden menu screen: select the entry and select "enable"
The second line brings up the internal operation test menu which lets you look at all sorts of interesting and possibly dangerous goodies
The third line brings up the following message in a dialog box followed by another dialog asking for the unlock key code
"You have obtained the key for unlocking the bootloader to install custom OS. In order to unlock the bootloader, you must read and accept the following terms and conditions. By clicking on the “I Agree” button, you acknowledge and agree to the terms and conditions. If you change your mind, you may click on the “Cancel” button, which will stop the process.
1. The unlocking of the bootloader voids and invalidates the warranty of your device. As result of the unlocking, certain functions of your device may cease to function and physical injuries or material damage may occur, for example, due to the phone overheating. You take full responsibility for any and all consequences that may arise from the unlocking of the bootloader. Samsung will not be liable for any damages that such unlocking may cause, and you waive any rights in connection with the unlocking.
2. You will not be able to recover the device to its original state. Even if the device’s setting is restored, the warranty will remain voided and invalid.
3. As result of the unlocking, you may lose certain contents that you have stored on your device, for example, through the malfunction of the DRM functions.
4. You agree that your attempt to unauthorized kernel download from the default setting or without the authorization key will lead to blocking of the device, which may permanently disable the device. Samsung will not be responsible for any damages or injuries that result from such attempt. For downloading of custom kernel, you need to follow through a special installation process as set forth in the device manual.
5. You agree to comply with all applicable laws and regulations as well as any contractual obligations that you may have with your wireless carrier in using the unlocked devices. In particular, you will not operate the unlocked device on any wireless carrier’s network unless such wireless carrier approves of the operation of such unlocked device on its network.
6. You agree not to resell your unlocked devices to other parties without first explaining the content of the terms and conditions herein.
"
I found the following part inside the constructor for SecureBootMenu:
Code:
.line 24
const-string v0, "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
iput-object v0, p0, Lcom/android/hiddenmenu/SecureBootMenu;->SBOOT_KEY:Ljava/lang/String;
Well, I tried that key and got a message "HIDDENMENU stopped" and a boot into loader still gives the "QUALCOMM SECUREBOOT: ENABLE". So I'm not quite there yet, but there may be something close. I'll keep looking around. If anyone has suggestions or more wisdom LMK.
TheHierophant said:
Okay, fell back and started looking at other approaches. So... following on Adam Outler's work on the SIII I snooped through the .apk's and found this little gem "HiddenMenu.apk" which I disassembled. Lo and behold, the following things popped out at me [which I put in activation strings]:
Code:
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE"
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU"
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL"
The first line brings up the Hidden menu screen: select the entry and select "enable"
The second line brings up the internal operation test menu which lets you look at all sorts of interesting and possibly dangerous goodies
The third line brings up the following message in a dialog box followed by another dialog asking for the unlock key code
I found the following part inside the constructor for SecureBootMenu:
Code:
.line 24
const-string v0, "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
iput-object v0, p0, Lcom/android/hiddenmenu/SecureBootMenu;->SBOOT_KEY:Ljava/lang/String;
Well, I tried that key and got a message "HIDDENMENU stopped" and a boot into loader still gives the "QUALCOMM SECUREBOOT: ENABLE". So I'm not quite there yet, but there may be something close. I'll keep looking around. If anyone has suggestions or more wisdom LMK.
Wow man, that's awesome; I'd mucked around with some of the dialer codes, but never got to that point. I wish I could help at all, but you've blown way past my usefulness at this point -- unless you want a tester.
What about trying various decode methods on that key? It looks like it could be maybe base64.
Here's two ideas that may help you root:
1) Borrow a page from the kindle fire and instead of trying to access /data directly, get around it with a symlink http://www.androidpolice.com/2012/09/17/amazon-kindle-fire-hd-7-already-rooted-heres-how-to-do-it/
2) You said Odin wouldn't let you flash custom bootloaders. See if you can flash custom system images. Get a copy of the stock system image from Kies or samfirmware.com, mount it under Linux, add the superuser apk and su manually and fix permissions, and then repackage it as a .tar.md5 and try to flash it. Here's an (old) guide to do that http://forum.xda-developers.com/showthread.php?t=1081239 I'm sure there's newer ones though.
Thanks for the suggestions...
Nardholio said:
Here's two ideas that may help you root:
1) Borrow a page from the kindle fire and instead of trying to access /data directly, get around it with a symlink http://www.androidpolice.com/2012/09/17/amazon-kindle-fire-hd-7-already-rooted-heres-how-to-do-it/
2) You said Odin wouldn't let you flash custom bootloaders. See if you can flash custom system images. Get a copy of the stock system image from Kies or samfirmware.com, mount it under Linux, add the superuser apk and su manually and fix permissions, and then repackage it as a .tar.md5 and try to flash it. Here's an (old) guide to do that http://forum.xda-developers.com/showthread.php?t=1081239 I'm sure there's newer ones though.
I'll give these a try, have been busy with other things, but have a couple evenings free to experiment. Thank you for the ideas.
Did you get anywhere?
I disassembled the HiddenMenu.apk and found the same code. When I entered it I got an error saying that the application stopped working.
I ran the string through base64 --decode, but it was full of non-printable characters. I'm wondering if it's encrypted.
I've also tried various methods that symlink data but keep getting permission denied errors. I haven't found a copy of a stock firmware to mess with.
I also have a Stratosphere II, and I'm more than happy to help out in any way possible, even if it means sending my phone to one of you guys' trusted hands.
You guys suck. To get the stock firmware for your phone if it's not on sammobile or samfirmware you can trick Kies into downloading it and then intercept the file from your Windows temp folder while it's flashing to your phone (3-4 minute window)
http://forum.xda-developers.com/showthread.php?t=2088809
Then you can transfer it to a linux box to convert it to a mountable file system to root it, before repackaging it as an odin tar. From there you should be able to flash it.
Sent from my SGH-T699 using xda premium
Apparently the SCH-i415 does not support Kies.
I just checked for a software update on my wife's Stratosphere II SCH-i415 and there is one. I live in NC; the update was under Settings / About device / Software update. It's from Verizon, size 506.6 MB. Is there a way to pull it before it installs? Maybe a root method. I installed it, could not wait. Well, it's Jelly Bean: went from 4.0.4 to 4.1.2, baseband 1415vrlj2 to i415vrbma3, kernel was 3.0.8-1157001 to 3.0.31-947060.

Sonim XP8 (Root?)

Finally got tired of the Pixel 2 XL after the third one. Now I have this super rugged handset that I can actually hold on to! Great loud audio too!
The Sonim XP8 comes with a seemingly near stock Android 7.1.1 ROM. OEM unlocking is available in the developer options. I have it enabled. Does anyone know how to use the ADB/Fastboot tools to unlock it? The standard commands do not work. My unit is personal and not under any "enterprise" restrictions. Thanks for any help fellow hackers ... some TWRP would be awesome.
ctradio said:
Does anyone know how to use the ADB/Fastboot tools to unlock it? The standard commands do not work. My unit is personal and not under any "enterprise" restrictions. Thanks for any help fellow hackers ... some TWRP would be awesome.
(Im)patiently waiting for this too. I don't care if it is single touch or long drawn out process involving a cauldron, hermetic circle, and a full moon. Root is sorely needed...
Phuhque said:
(Im)patiently waiting for this too. I don't care if it is single touch or long drawn out process involving a cauldron, hermetic circle, and a full moon. Root is sorely needed...
Good luck! Still nothing. It looks like we might be able to sign up as a developer on their page .... fwiw. I find the interface on that device to be awful and am in the early stages of fighting AT&T for my money back. That device and another one with the same stupid issues and an admitted software problem that I'd have to wait for the carrier to decide to release. Awesome idea for a device, absolutely rushed to market with god awful software that was new in '16 or so.
ctradio said:
I find the interface on that device to be awful and am in the early stages of fighting AT&T for my money back.
I am on T-Mobile and found the factory unlocked version with no bloatware (obtainable directly from the) to be rather refreshing, even if it did set me back an extra $100. I suggest getting the refund, then turning around and getting the "clean" version. It may be more expensive, but considering how much it costs for monthly insurance, the overall price becomes somewhat more competitive with the 3 year "comprehensive" warranty...
Phuhque said:
I am on T-Mobile and found the factory unlocked version with no bloatware (obtainable directly from the) to be rather refreshing, even if it did set me back an extra $100. I suggest getting the refund, then turning around and getting the "clean" version. It may be more expensive, but considering how much it costs for monthly insurance, the overall price becomes somewhat more competitive with the 3 year "comprehensive" warranty...
I was told there was no carrier unlocked variant of this thing. Did you get it from Sonim? Also, any problems at all with it? I had two with touch issues along the right side of the screen (it perceives a light constant touch in various areas and it gets worse the longer the screen is on). The units would eventually start selecting things on their own and even deleting contacts. Also, the speaker phone is useless and the UI is horribly laggy at times (my mind operates fast and it screws with me). I presented them with a "laundry list" of the issues.
ctradio said:
I was told there was no carrier unlocked variant of this thing. Did you get it from Sonim? Also, any problems at all with it? I had two with touch issues along the right side of the screen (it perceives a light constant touch in various areas and it gets worse the longer the screen is on). The units would eventually start selecting things on their own and even deleting contacts. Also, the speaker phone is useless and the UI is horribly laggy at times (my mind operates fast and it screws with me). I presented them with a "laundry list" of the issues.
Someone flat out lied to you. Go here: https://store.sonimtech.com/products/sonim-xp8-blk-nam
Well, maybe not lied at the time you were told... I waited several months for them to post it on their store page. In response to your concerns....
No issues with it going all AI on me. Speaker PHONE portion leaves a bit to be desired, but for audio books, this thing is damned awesome and really loud. Not sure how to reference the lag. My previous phone was a Note 4 with issues.
My own complaints. The lock screen is a pain. The default music program is broken in my opinion. I am suffering through with Musicolet for my books.
What sold me on this is that it is one of the last phones made today that has a removable battery (really my only requirement in a new phone), has both GPS and GLONASS, and in a pinch I can use it as a hurled object to an opponent's head. Someone complained about the camera, but it seems fine to me. Wouldn't matter much as I am partially colorblind and won't see any difference.
I have only had mine for a week, and am still tweaking the settings to how I want them. Honestly, I like it.
I would really love to see some support for this phone. Especially since the monsters at Telus have disabled the 2nd sim slot for no good reason. I have tried everything but without Root I am out of luck getting the dual sim feature to function. Is there anything I can provide to assist someone more knowledgeable in getting a root solution for this phone? Please let me know.
mertin said:
I would really love to see some support for this phone. Especially since the monsters at Telus have disabled the 2nd sim slot for no good reason. I have tried everything but without Root I am out of luck getting the dual sim feature to function. Is there anything I can provide to assist someone more knowledgeable in getting a root solution for this phone? Please let me know.
Hello,
I just bought this phone. I use 2 SIM cards at the same time but it does not work properly: I can receive and make calls, but I cannot send or receive SMS/MMS on 1 operator. I use the XP8800 in France; it is an AT&T model, unlocked. To have the 2 SIM cards working at the same time I rebooted several times and cut the data, without really understanding how I did it. Is there a way to restart the network part of Android?
Thanks
Pascal S
I take it we are still coming up snake-eyes when it comes to someone being able to root the XP8. I am rather surprised with the fact it is on 7.1.1. Is this still an unbeatable task to overcome?
The thread is closed, this is the tested version of the firmware
Unlock fastboot
Step 1, open the developer mode
Go to “Settings” → “About Phone” and click “Version Number” 7 times to open Developer mode.
Step 2, open oemlock
Go to “Settings” → “Other Settings” → “Developer Mode” and open the OEM to unlock;
Step 3, START mode
Code:
flash <partition> [ <filename> ]         Write a file to a flash partition.
flashing lock                            Locks the device. Prevents flashing.
flashing unlock                          Unlocks the device. Allows flashing
                                         any partition except
                                         bootloader-related partitions.
flashing lock_critical                   Prevents flashing bootloader-related
                                         partitions.
flashing unlock_critical                 Enables flashing bootloader-related
                                         partitions.
flashing get_unlock_ability              Queries bootloader to see if the
                                         device is unlocked.
flashing get_unlock_bootloader_nonce     Queries the bootloader to get the
                                         unlock nonce.
flashing unlock_bootloader <request>     Issue unlock bootloader using request.
flashing lock_bootloader                 Locks the bootloader to prevent
                                         bootloader version rollback.
erase <partition>                        Erase a flash partition.
Firmware update soon.. ??
In May, I sent off another email to Sonim Tech support asking about firmware. I did get a response back. Granted it was rather vague, but it was an answer. Further granted, it is now mid June and no updates in sight, including one that allows the viewing of PDFs. grrrr.
The support guy did mention that AT&T is going to be one of the first providers to get the update. That sucks for me because I got my unit direct. He also said the month of May was a non-official time frame.
So still waiting and no success story yet posted of anyone unlocking this little beastie.
https://www.att.com/devicehowto/tutorial.html#!/stepbystep/id/stepbystep_KM1259507?make=Sonim&model=XP8XP8800
No idea how to update manually, though...
Phuhque said:
In May, I sent off another email to Sonim Tech support asking about firmware. I did get a response back. Granted it was rather vague, but it was an answer. Further granted, it is now mid June and no updates in sight, including one that allows the viewing of PDFs. grrrr.
The support guy did mention that AT&T is going to be one of the first providers to get the update. That sucks for me because I got my unit direct. He also said the month of May was a non-official time frame.
So still waiting and no success story yet posted of anyone unlocking this little beastie.
No idea how to update manually, though...
Thanks for the news, but it's not working for AT&T from France until it's in the OTA.
Wait and see if dual SIM works cleanly....
Has anyone seen this video? There's a part in the video where as the guy turns it on, and there is a prompt to re-lock the bootloader(which, of course, implies that the bootloader is unlocked); I don't know how this really helps, but it might give someone more experienced than I something to grab at. I should mention that it is mentioned as a pre-production model of the Sonim XP8, so it probably won't apply to models that most people have, but it's something to look at.
Sonim XP8
I know that Verizon is now selling the Sonim XP8. Does anybody happen to know if it is possible to use both SIM card slots with this device after it is unlocked?
Being able to use BOTH AT&T AND Verizon would be a huge benefit to me.
Is there any root yet? I've tried about every root app; I can't even find working drivers for this phone.
Thecctech said:
Is there any root yet? I've tried about every root app; I can't even find working drivers for this phone.
Drivers are not an issue.. It's using Qualcomm reference designs from the S660 dev kit where most generic Qualcomm drivers should work with minimal modification.
This is a good thing! Most of the root apps are using a collection of known exploits where only vulnerable devices would fall victim. You would have to use an exploit that's more recent than the security patch level installed, but you also have to remember - if you can do it that easily then an attacker can do it just as easily too! I personally believe that the association between root and device/firmware level vulnerabilities is the reason why most see root in a negative context today.
As far as I'm concerned - we only have 2 "correct" ways to achieve root.
1. Obtain (or compile) either a Debug or Engineering firmware variant from AT&T that includes the native su packages for adb root. This is usually not an option for us individuals.
2. Unlock the bootloader and use a patched boot image.. Works great! To unlock the bootloader takes a bit of work though and flashing still requires EDL so with that I have not been able to make a public instruction set yet.
Could be in the next few days.. Could be in the next few months.. I'm honestly not sure. Mostly just a matter of collecting images, testing, and finding time.
Enjoy!
XP8 Android Root Theory - DEBUG or Magisk over EDL
EDL is a must since Fastboot cannot be unlocked initially from standard "user" builds.
One option is to flash a userdebug image (below) allowing for adb root, fastboot unlocking, and other useful features.
or
Without unlocking the bootloader - Similar flashing methods remain valid when standard magisk powered root is desired. This method allows preservation of all current system data aside from boot.img. All is covered since Magisk works with AVB and we have EDL as a flashing alternative. Please see Android Boot Flow > LOCKED Devices with Custom Root of Trust for more information.
Recommend method ..
It's up to you.. If you want OTA updates and you're planning to use root apps then go with Magisk. As of today we have current debug images available and I personally prefer isolated adb root access only, however future availability of updated Debug images cannot be guaranteed.
Disclaimer
-Devices with locked bootloaders will display a custom OS warning at boot
-Tested on AT&T branded devices only - please provide system dump for validation on other builds
-I have not identified any JTAG procedures and I can not help if you hard brick your device!
-This guide only touches boot_a and should be relatively safe since boot_b remains unmodified. I'm pretty sure this is enough to restore the original boot.img to boot_a under a failure scenario.. But I'm not really qualified enough to say definitively either.
-Take great caution - this is raw emmc access and critical system data! You are proceeding at your own risk!
Magisk Root
Step 1 - Pull Boot.img
We need to pull the boot.img in order to feed it to magisk later for patching. It's also good to keep on hand for if/when you need to restore for any reason.
1. Create an XML file with the data below
Code:
<?xml version="1.0"?>
<data>
<program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="boot.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
</data>
2. Boot to EDL mode and load firehose programmer
Code:
QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
3. Backup boot.img using the following command
Code:
fh_loader.exe --convertprogram2read --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0 --memoryname=emmc --noprompt --reset
Or visit the XP8 carrier firmware thread for full system backup steps.
https://forum.xda-developers.com/showpost.php?p=80465045&postcount=6
Step 2 - Magisk Patch
1. ADB push boot.img /storage/self/primary/Download/
2. Install Magisk Manager and apply patch to boot.img
2a. Download from https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
2b. Extract and run adb install magisk.apk
2c. Open Magisk app and apply patch to boot.img
3. ADB pull /storage/self/primary/Download/magisk_patched.img
Step 3 - Restore
1. Change the filename attribute in the XML to reflect newly created magisk_patched.img as shown below
Code:
<?xml version="1.0"?>
<data>
<program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="magisk_patched.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
</data>
2. Boot back into EDL mode and load firehose programmer
Code:
QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
3. Apply magisk_patched.img using the following command
Code:
fh_loader.exe --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0 --memoryname=emmc --noprompt --reset
USERDEBUG Flash
Step 1 - Backup
1. Boot to EDL mode and load firehose programmer
2. Generate rawprogram0.xml - Run GPTConsole <COM Number>
Example: GPTConsole 19
3. Initiate backup
Code:
fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=rawprogram0.xml --lun=0 --memoryname=emmc --noprompt --reset
4. Wipe all partitions
Code:
fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=erase.xml --lun=0 --memoryname=emmc --noprompt --reset
5. Restore new image
Code:
fh_loader.exe --port=\\.\COM<#> --sendxml=rawprogram0.xml --lun=0 --memoryname=emmc --noprompt --reset --search_path=<extracted image file directory>
// rawprogram0_unsparse.xml for some images
Images and OTA Files
Full 8.1 System Image
XP8A_ATT_user_8A.0.5-11-8.1.0-10.54.00
XP8A_ATT-user-8A.0.5-10-8.1.0-10.49.00
USERDEBUG Images
XP8A_ATT_userdebug_8A.0.5-11-8.1.0-10.54.00
XP8A_ACG-userdebug-8A.0.0-00-7.1.1-32.00.12
XP8A_USC-userdebug-8A.0.0-00-7.1.1-34.00.10
(ATT 7.1 pending upload. Please check back or use other links available further in thread.)
OTA Updates
XP8_ATT_user_N10.01.75-O10.49.00
XP8_ATT_user_O10.49.00-O10.54.00
XP8_TEL_user_N12.00.24-O12.23.00
Flash Tools - programmer (elf) file provided by eleotk!
XP8 Drivers
Firmware Carrier Codes
Code:
None = 0,
ATT = 10
Bell = 11
Telus = 12
Sasktel = 13
Harris = 14
Verizon = 15
Ecom = 16
NAM = 17
Rogers = 18
T_Mobile = 19
EU_Generic = 20
MSI = 21
CISCO = 22
NAM_Public_Safety = 23
Vodafone_Global = 24
Orange = 25
Southern_Linc = 26
OPTIO = 27
India = 28
SPRINT = 29
JVCK = 30
AUS = 31
ACG = 32
CSPIRE = 33
USC = 34
SB = 35
Multi = 99
Automatic OTA without AT&T service:
Purchase a blank AT&T SIM card ($5)
Start online prepaid activation - complete pages 1 & 2
**SIM Card is now partially active without funding - do not complete page 3 (payment)***
*#*#368378#*#* > Clear UI > Check for updates in settings
XP5s
Sprint Image: XP5SA.0.2-03-7.1.2-29.03.00
Works the same. Tested with unmodified Sprint firmware. Like most other apps, the Magisk manager app is unusable since the XP5s has no touch screen - I had to patch the boot image on another device. You can plug in a USB mouse, however the cursor does not seem to invoke in-app taps.
Need to use the appropriate Firehose loader (prog_emmc_firehose_8920.mbn) and replace the boot image location according to the XP5s GPT (start_sector="790528").
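The guide above hands a hand-edited <program> entry to fh_loader.exe for a raw eMMC write, and the disclaimer notes that a wrong entry hits critical system data. The following Python is an added example, not code from smokeyou's post, from Sonim or from Qualcomm's tools: a pre-flight check that does the sector maths on such an entry, confirms the target label is the one you intend (boot_a here, matching the guide), checks that the patched image fits the partition and still carries the standard "ANDROID!" boot-image header magic, and shows how to rewrite the filename and start_sector attributes (as Step 3 and the XP5s note do) without editing the XML by hand. The sample XML and image bytes are constructed for the example; the allow-list and the check names are assumptions of this example, not part of the tools.

```python
import xml.etree.ElementTree as ET

# Constructed sample entry, mirroring the boot_a fields used in the guide above.
SAMPLE_XML = """<?xml version="1.0"?>
<data>
<program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="magisk_patched.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
</data>
"""

BOOT_MAGIC = b"ANDROID!"  # magic at offset 0 of every Android boot image header


def parse_program_entries(xml_text):
    """Parse every <program> element and convert its sector fields to bytes."""
    root = ET.fromstring(xml_text)
    entries = []
    for p in root.iter("program"):
        sector = int(p.get("SECTOR_SIZE_IN_BYTES"))
        entries.append({
            "label": p.get("label"),
            "filename": p.get("filename"),
            "lun": int(p.get("physical_partition_number")),
            "start_byte": int(p.get("start_sector")) * sector,
            "size_bytes": int(p.get("num_partition_sectors")) * sector,
            "file_offset_byte": int(p.get("file_sector_offset")) * sector,
            "sparse": p.get("sparse") == "true",
        })
    return entries


def preflight(xml_text, image, allowed_labels=("boot_a",)):
    """Return a list of problems; an empty list means the entry and image look consistent.

    allowed_labels is this example's own safety allow-list (assumption): the guide
    only ever writes boot_a, so anything else is treated as a mistake.
    """
    problems = []
    entries = parse_program_entries(xml_text)
    if len(entries) != 1:
        problems.append(f"expected exactly one <program> entry, found {len(entries)}")
    for e in entries:
        if e["label"] not in allowed_labels:
            problems.append(f"label {e['label']!r} is not in the allow-list {allowed_labels}")
        if e["sparse"]:
            problems.append('a raw boot image is not a sparse image; sparse="true" is wrong here')
        if e["file_offset_byte"] != 0:
            problems.append("file_sector_offset should be 0 for a whole-image write")
        if len(image) > e["size_bytes"]:
            problems.append(f"image is {len(image)} bytes but {e['label']} holds only {e['size_bytes']}")
        if not image.startswith(BOOT_MAGIC):
            problems.append("image does not start with the ANDROID! boot header magic")
    return problems


def rewrite_entry(xml_text, filename=None, start_sector=None):
    """Return new XML with the filename and/or start_sector attributes replaced.

    Covers the guide's Step 3 (filename -> magisk_patched.img) and the XP5s note
    (different start_sector) without hand-editing the file.
    """
    root = ET.fromstring(xml_text)
    for p in root.iter("program"):
        if filename is not None:
            p.set("filename", filename)
        if start_sector is not None:
            p.set("start_sector", str(start_sector))
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    # Constructed stand-in for a patched boot image: valid magic, tiny body.
    fake_image = BOOT_MAGIC + b"\x00" * 4088
    for entry in parse_program_entries(SAMPLE_XML):
        print(f"{entry['label']}: offset {entry['start_byte']} bytes, size {entry['size_bytes']} bytes")
    print("problems:", preflight(SAMPLE_XML, fake_image) or "none")
    print(rewrite_entry(SAMPLE_XML, filename="boot.img", start_sector=790528))
```

Run preflight against the real patched image (`open("magisk_patched.img", "rb").read()`) before handing the XML to fh_loader.exe; a non-empty list is a reason to stop, since fh_loader will write whatever the entry says.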
Great, thanks a lot for the instructions, @smokeyou!
In order to be able to boot into patched boot image, does it require to have unlocked bootloader? Assuming I can upgrade my phone to build 8A.0.5-10-8.1.0-10.49.00, but have my bootloader locked, can I still use your instructions? Can you clarify it?
-albertr
albert.r said:
Great, thanks a lot for the instructions, @smokeyou!
In order to be able to boot into patched boot image, does it require to have unlocked bootloader? Assuming I can upgrade my phone to build 8A.0.5-10-8.1.0-10.49.00, but have my bootloader locked, can I still use your instructions? Can you clarify it?
-albertr
Untested but should not be a problem. Bootloader unlocking only allows Fastboot flashing where this method uses EDL only.
Basically the same outcome though just without the option to use TWRP or custom recovery (easily).