Is anyone Sim Unlocked? - Sprint HTC One (M9)

LET'S GET THIS THING UNLOCKED
Hi I am looking for someone to help me out
As you may or may not know I have been looking into a way to Sim Unlock my Sprint M9. I have successfully unlocked my AT&T M9 via a $4 code from eBay. However, this is not an option for Sprint as it does not ask for a code
From the success of my AT&T unlock I managed to find that partition mmcblk0p52 held the info for the Sim lock status and by flashing my unlocked partition dump, other people were able to Unlock their GSM M9's.
See more at this thread. http://forum.xda-developers.com/one-m9/general/sim-unlock-method-t3143333
HELP
I need someone that is Sim Unlocked and willing to give me some of their partitions which should be about 100MB worth MAX.
All the partitions I require are the same between TWO LOCKED SPRINT MODELS.
I will then use this to compare to my Locked dumps and hopefully find the goodness
I am only trying to find the difference between Locked Sim and Unlocked SIM .
THERE IS NO PERSONAL DATA ON THESE PARTITIONS
I have attached a script to make it easier (please rename from .txt to .bat) and put in your ADB folder and run. It creates a folder, dumps the blocks there, pulls the dumps to your PC and then deletes the folder (and dumps) from the device.
Please run this with phone booted to custom recovery such as TWRP.
Thanks in advance
Stifilz

Thanks to @mitek_ace for the dump of the partitions for a locked Sprint
Now I will need partitions from a Sim Unlocked Sprint.
Thanks again team

After comparing the dumps from above with my own Sprint dumps and AT&T dumps, I think the SIM Lock status may be hidden in mmcblk0p18 which is the rfg_1 partition. (The first rfg partition from that section). Whereas the AT&T SIM Lock status was in mmcblk0p52 which is the rfg_8 partition which is the first rfg partition in the second section of rfg partitions.
Anyway, if someone that is Sprint Sim Unlocked can upload that partition for me that would be great
This will not damage your phone or contain personal info.
In recovery
Just copy the code below and paste line by line.
Code:
adb shell "mkdir /sdcard/newPartitions"
adb shell "dd if=/dev/block/mmcblk0p18 of=/sdcard/newPartitions/mmcblk0p18"
adb pull /sdcard/newPartitions
adb shell "rm -r /sdcard/newPartitions"
Come on people, let's do this. I want to be able to use my Sprint here in New Zealand. (I have already added the bands required)
Thanks
Stifilz

stifilz said:
After comparing the dumps from above with my own Sprint dumps and AT&T dumps, I think the SIM Lock status may be hidden in mmcblk0p18 which is the rfg_1 partition. (The first rfg partition from that section). Whereas the AT&T SIM Lock status was in mmcblk0p52 which is the rfg_8 partition which is the first rfg partition in the second section of rfg partitions.
Anyway, if someone that is Sprint Sim Unlocked can upload that partition for me that would be great
This will not damage your phone or contain personal info.
In recovery
Just copy the code below and paste line by line.
Code:
adb shell "mkdir /sdcard/newPartitions"
adb shell "dd if=/dev/block/mmcblk0p18 of=/sdcard/newPartitions/mmcblk0p18"
adb pull /sdcard/newPartitions
adb shell "rm -r /sdcard/newPartitions"
Come on people, let's do this. I want to be able to use my Sprint here in New Zealand. (I have already added the bands required)
Thanks
Stifilz
Finally we are near the SIM unlock :good::good::highfive::highfive: I also have a Sprint M9 that I want to use outside of USA.
If I can help you in any way when you get the partitions, I'm ready, just tell me what to do xD

Would be sweet if someone would dump their sprint phone for you. Doesn't take but a few minutes
Sent from my HTC One M9 using XDA Free mobile app

UPDATE: I have compared my Sprint partitions with that of the other Locked Sprint partitions.
I only require the partitions that matched the two Locked handsets.
I have updated the OP and the bat file attached to it.
Someone please help us

Where are the two guys with sim unlocked sprint m9 ? T.T

elmy2424 said:
Where are the two guys with sim unlocked sprint m9 ? T.T
I assume you can't sim unlock through Sprint? I have pm'd the only two that I found that were sim unlocked (found in another thread). I am starting to doubt that this way will work.
After updating to 5.1 some more partitions changed and there are only a handful where the information could be held

I'll pull that block for ya...

OMJ said:
I'll pull that block for ya...
Thank you in advance. I don't think it is that one anymore as it changed with the 5.1 update. If you could pull all the blocks in the first post's .bat file that would certainly cover it.
BTW what is that app in the picture?
Thanks
Stifilz

stifilz said:
Thank you in advance. I don't think it is that one anymore as it changed with the 5.1 update. If you could pull all the blocks in the first post's .bat file that would certainly cover it.
BTW what is that app in the picture?
Thanks
Stifilz
Sprint Zone

Thanks to @OMJ once again for the unlocked partitions .
Quick update:
the only suspect now is mmcblk0p48.
It was the only one that was different between the locked and unlocked models (allowing for differences between the 5.1 update)
I flashed OMJs mmcblk0p48 which did not help
If anyone can please send me the mmcblk0p48.
Locked or unlocked, I need more to work with.
Thanks again
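
The comparison described in this thread (set aside whatever differs between locked devices, then look at what differs on an unlocked one) can be carried out per byte instead of per partition. This is an added example, not the script attached to the thread; the function names and the 64-byte sample dumps are constructed for illustration.

```python
"""Byte-level differential comparison of dumps of the same partition.

Added example: names and sample data are constructed for illustration.
"""
from pathlib import Path


def load_dump(path):
    """Read one raw partition image (as produced by dd) into memory."""
    return Path(path).read_bytes()


def to_ranges(offsets):
    """Collapse sorted offsets into inclusive (start, end) ranges."""
    ranges = []
    for off in offsets:
        if ranges and off == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], off)
        else:
            ranges.append((off, off))
    return ranges


def compare_groups(locked, unlocked, block=4096):
    """Classify every differing offset across two groups of dumps.

    candidate     : all locked dumps agree, all unlocked dumps agree,
                    and the two groups hold different values.
    device_unique : dumps inside one group disagree (serials,
                    calibration data, counters), so the offset says
                    nothing about lock state.
    """
    if not locked or not unlocked:
        raise ValueError("need at least one dump in each group")
    dumps = list(locked) + list(unlocked)
    size = len(dumps[0])
    if any(len(d) != size for d in dumps):
        raise ValueError("dumps of the same partition must be equal in size")

    candidate, device_unique = [], []
    for start in range(0, size, block):
        chunks = [d[start:start + block] for d in dumps]
        if all(c == chunks[0] for c in chunks):
            continue  # identical block on every device: skip it quickly
        for i in range(len(chunks[0])):
            lvals = {d[start + i] for d in locked}
            uvals = {d[start + i] for d in unlocked}
            if len(lvals) > 1 or len(uvals) > 1:
                device_unique.append(start + i)
            elif lvals != uvals:
                candidate.append(start + i)
    return {"candidate": to_ranges(candidate),
            "device_unique": to_ranges(device_unique)}


def make_sample(serial, field):
    """Constructed 64-byte stand-in for a dump: a 4-byte serial at
    offset 8 and a 2-byte field at offset 40 (layout is made up)."""
    buf = bytearray(64)
    buf[8:12] = serial
    buf[40:42] = field
    return bytes(buf)


# Constructed sample data, not taken from any real device.
LOCKED_A = make_sample(b"SN01", b"\x01\x01")
LOCKED_B = make_sample(b"SN02", b"\x01\x01")
UNLOCKED = make_sample(b"SN03", b"\x00\x00")

if __name__ == "__main__":
    result = compare_groups([LOCKED_A, LOCKED_B], [UNLOCKED])
    for kind, ranges in result.items():
        for start, end in ranges:
            print(f"{kind:13s} 0x{start:06x}-0x{end:06x}")
```

With a single unlocked dump, a "candidate" range can still be data unique to that one device, so each additional dump in either group shrinks the list. Dumps taken on different firmware versions add unrelated differences and should be compared separately.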

stifilz said:
Thanks to @OMJ once again for the unlocked partitions .
Quick update:
the only suspect now is mmcblk0p48.
It was the only one that was different between the locked and unlocked models (allowing for differences between the 5.1 update)
I flashed OMJs mmcblk0p48 which did not help
If anyone can please send me the mmcblk0p48.
Locked or unlocked, I need more to work with.
Thanks again
you need mmcblk0p48 partition of 5.1? how can i send it to you?

elmy2424 said:
you need mmcblk0p48 partition of 5.1? how can i send it to you?
Code:
adb shell "mkdir /sdcard/newPartitions"
adb shell "dd if=/dev/block/mmcblk0p48 of=/sdcard/newPartitions/mmcblk0p48"
adb pull /sdcard/newPartitions
adb shell "rm -r /sdcard/newPartitions"

Here is my mmcblk0p48
My device
unlocked boot loader
android version 5.0.2
sim locked
I hope this will help you.

Android 5.0.2
Software Version : 1.32.651.30
ill flash android 5.1 RUU now

maethem said:
Here is my mmcblk0p48
My device
unlocked boot loader
android version 5.0.2
sim locked
I hope this will help you.
Exactly the same
elmy2424 said:
Android 5.0.2
Software Version : 1.32.651.30
ill flash android 5.1 RUU now
Exactly the same. I am sure 5.1 will be too.
Need mmcblk0p48 from Sim Unlocked people now.
Only have OMJs at the moment, which doesn't change my Unlock status
Thanks

i relocked BL to take the ruu now i get this message when i try to unlock it :crying:

elmy2424 said:
i relocked BL to take the ruu now i get this message when i try to unlock it :crying:
easy fix... http://forum.xda-developers.com/showpost.php?p=61691840&postcount=284

@stifilz
Android 5.1
SO: 2.6.651.11


How to Root/Unroot HTC Evo 4G LTE! [Windows/Mac/Linux][One-Click][<=1.22.651.1]

Video tutorial for Windows:
Video tutorial for Linux/Ubuntu:
Video tutorial for Mac OSX:
UPDATE: This root method will ONLY work on software version 1.22.651.1 and older, if you have 1.22.651.3, please be patient devs are working on it!!!
Here's how to root HTC Evo 4G LTE:
This will give you full root with SuperSU app and busybox.
Completely safe to do, it can't brick your phone in any way but your dog or cat might BURN UP!
For Windows, update drivers using driver files below then double-click on runme.bat.
For Linux, no drivers needed, unzip Evo4GLTERoot.zip to your Downloads directory then open up a terminal and do:
Code:
cd Downloads/Evo4GLTERoot
chmod 755 *
sudo ./adb-linux devices
Then do:
Code:
sh runmelinux.sh
For Mac, no drivers needed, unzip Evo4GLTERoot.zip to your Downloads directory then open up a terminal and do:
Code:
cd Downloads/Evo4GLTERoot
chmod 755 *
sh runmemac.sh
Drivers for 32-bit Windows:
http://downloadandroidrom.com/file/HTCEvo4GLTE/drivers/HTC_Driver_32.zip
Drivers for 64-bit Windows:
http://downloadandroidrom.com/file/HTCEvo4GLTE/drivers/HTC_Driver_64.zip
Download Rooting Files:
http://downloadandroidrom.com/file/HTCEvo4GLTE/Evo4GLTERoot.zip
Mirror: http://stockroms.net/file/HTCEvo4GLTE/Evo4GLTERoot.zip
This is the EXACT SAME method used for Transformer Prime ICS root.
If you need to unroot, here's RUU: (use the version that's same as your software version)
http://stockroms.net/file/HTCEvo4GLTE/RUU
How to Unroot Evo 4G LTE completely back to stock video tutorial:
Credits for RUU:
http://forum.xda-developers.com/showthread.php?t=1654333
FAQ:
Q: Does this give bootloader TAMPERED?
A: Yes but you can install RUU and will be gone.
"Stay High On Android Folks!"
"Good artists copy, great artists steal." - Picasso/Jobs.
All credits go to XDA users sparkym3 and Dan Rosenburg for exploit, please donate to them not me!
But if you want, you can subscribe to my youtube channels: highonandroid
reserved for funny lol photos
this is my dog from the last fight:
Skater Dog!
And I designed this shirt all myself on Photoshop: GET ONE! LOL.
I am sure you probably rooted it but the best way to show that it is rooted is probably to show titanium backup instead of showing an app that anybody can get off the market with or without root.
Edit: I guess showing the script can suffice. Cool beans
Sent from my Galaxy Nexus using Tapatalk 2
here you go.
Win!
Sent from my Galaxy Nexus using Tapatalk 2
Does bootloader show tampered? I know on the one x's it did, but would go away with ruu.
Good job and Congrats!!
I knew it wouldn't be long for root
Sent from my Synergized Aggressive Lionfish Evo using the XDA app
UPS shows mine as delivered...I know what I am doing tonight! I too would like to know if the bootloader stays legit.
Cheers
Does this give us S-OFF?
Worked like a charm. Titanium is very busy right now!
tes5884 said:
Does this give us S-OFF?
NO
tes5884 said:
Does this give us S-OFF?
No.
Download link isn't working BTW.
TMartin said:
No.
Download link isn't working BTW.
try mirror: http://stockroms.net/file/HTCEvo4GLTE/Evo4GLTERoot.zip
Yes the bootloader shows tampered. I also am stuck in a bootloop since running this.
Edit: Ok boot loop is gone but bootloader still shows tampered.
James
cj10488 said:
Yes the bootloader shows tampered. I also am stuck in a bootloop since running this.
James
try "fastboot erase cache".
zedomax said:
try "fastboot erase cache".
So ZedoMax, did this untamper your bootloader? I'm eager to try this root but I'd prefer to know if your bootloader reads as tampered
Is there a way to unroot if needed so bootloader does not display tampered?
Sent from my EVO using XDA
Robbie_G said:
Is there a way to unroot if needed so bootloader does not display tampered?
Sent from my EVO using XDA
I think you can flash RUU to get rid of it, let me try that right now...
cj10488 said:
Yes the bootloader shows tampered. I also am stuck in a bootloop since running this.
Edit: Ok boot loop is gone but bootloader still shows tampered.
James
how did you clear the bootloop?
thanks for the method.. ill keep an eye out.. one thing ive learned from the evo is not jump on the first root to come along lol.. i will let the braver souls test it for the masses and when we get a confirmed way to root but save the warranty will be all over it
Robbie_G said:
Is there a way to unroot if needed so bootloader does not display tampered?
Sent from my EVO using XDA
Flashing RUU and trying right now.
James

HTC Desire 601/HTC Zara - room,root,mods

somebody got root?
CWMRecovery or TWRP no more?
so soon compile)
I also would like to know
Does anyone have stock recovery?
hello
I too am interested
standak14 said:
Does anyone have stock recovery?
https://docs.google.com/folder/d/0B6WBFlAKqe30YnFxVHVHMFo1X0k/edit
SPSPaWn said:
https://docs.google.com/folder/d/0B6WBFlAKqe30YnFxVHVHMFo1X0k/edit
Thanks. Currently there are no recovery does not work? Thank you for your work
TAMPERED - shows that the guarantee came off (as in the last boot from SGS4 - WARRANTY BIT 1)
But in our case, it can be cured, only writes RELOCKED - and thus guarantee in place) (handed over to RELOCKED than one device )
1. Set the boot (unsecured) - fastboot flash boot boot_init.img
2. Boot and enable developer mode (repeatedly click on the "Version -> Advanced -> Build Number")
3. Download the revone: http://revolutionary.io/revone
4. Load on the device - adb push revone /data/local/tmp/
5. We go in the shell - adb shell (with boot unsecured, all root commands work without root)
6. In shell:
cd /data/local/tmp
chmod 755 revone
./revone -t (TAMPERED will disappear until your next intervention)
7. Being in shell, reboot into fastboot - reboot bootloader
8. Flash stock boot and recovery
fastboot flash boot boot_stock.img
fastboot flash recovery recovery_stock.img
9. Lock bootloader
fastboot oem lock
10. EVERYTHING in the loader will only write RELOCKED
P.S. For those who have unlocked the bootloader and who writes TAMPERED
development HTC Desire 601/ZARA in my drive
+1 Owner of Zara looking for SU...
Make us a sectiooon, please xda!
And SPSPaWn, have you rooted your zara yet?
Hello! I am searching for su too. Any help is welcome.
Root is. But without CWMRecovery description will be. Difficult)
Dumps did everything. Even deodex did too) stuck on recover
p.s. Compiled pieces 20 neither went. Maybe put the protection (
Concerning CMWRecovery or TWRPRecovery thoughts ran!
Who is strong in linux all thoughts are welcome, the development environment and source CM - 10.1, 10.2, Jellybean ready for compilation .......
all recovery - it is not possible to get there, go into overdrive (fastboot erase cache - does not help ((((
repository development HTC Zara - http://goo.gl/PpKL8T - who can continue in tandem?)
p.s. no custom recovery obtaining root (safely) is not possible)
SPSPaWn said:
Concerning CMWRecovery or TWRPRecovery thoughts ran!
Who is strong in linux all thoughts are welcome, the development environment and source CM - 10.1, 10.2, Jellybean ready for compilation .......
all recovery - it is not possible to get there, go into overdrive (fastboot erase cache - does not help ((((
repository development HTC Zara - http://goo.gl/PpKL8T - who can continue in tandem?)
p.s. no custom recovery obtaining root (safely) is not possible)
Regarding the screenshot, did you successfully obtain root access?
djtinxo said:
Regarding the screenshot, did you successfully obtain root access?
Yes, but root it is temporary
SPSPaWn said:
Yes, but root it is temporary
Instructions, please
standak14 said:
Instructions, please
instructions will not be
not yet compile recovery
SPSPaWn said:
instructions will not be
not yet compile recovery
Maybe someone in this thread
http://forum.xda-developers.com/showthread.php?t=2456795&page=2
could help you to make custom recovery for this device
I'm looking forward for custom ROM on this device cause I'm planning to buy one
Guys who are nice enough and have spare time, please do a clean system dump for me for some sort of dev purpose, I mean in factory reset status. Use cwm and do a backup, zip/7zip it and upload it to google drive or dropbox. Thanks.
TheEndHK said:
Guys who are nice enough and have spare time, please do a clean system dump for me for some sort of dev purpose, I mean in factory reset status. Use cwm and do a backup, zip/7zip it and upload it to google drive or dropbox. Thanks.
Is it possible to use CWM, because Desire 601 is not yet fully rooted as mentioned by SPSPaWn?
He said he could only obtain temporary root, is it possible/safe to install CWM?

Another way to unlock your phone when a TWRP was flashed

Today I bricked my phone when I tried to flash back to 6.0 because I was lazy and used dd to flash the modem (radio).
And here is a warning: DO NOT flash your Nexus 6P's bootloader or radio directly, because the radio and bootloader images for this phone are packed. Using dd to flash them directly will brick your phone.
And my phone is locked because I want to use device protection. So no luck flashing the radio via fastboot directly.
So I managed a new way to let the bootloader think the bootloader can be unlocked.
I learned about the "factory reset protection" (frp) partition from
http://forum.xda-developers.com/nexus-6/help/info-nexus-6-nexus-9-enable-oem-unlock-t3113539
So all factory reset protection problem is just about that frp partition. You just need to dump it out using dd, then use winhex or other software to edit the last bit to 01, then your phone is able to unlock. No need for a password.
And don't give the device protection too much hope. Many people can unlock it easily because you just need to edit the frp partition. Use jtag tools, wire emmc out, even UART or just download mode, and edit that bit, then your phone is unlocked.
Apple is the same. Although Apple will check the iDevice's ID, many people who fix phones in China have some backdoor to unlock it (meaning reuse it again; data is lost, but who cares about this data).
akaHardison said:
Today I bricked my phone when I tried to flash back to 6.0 because I was lazy and used dd to flash the modem (radio).
And here is a warning: DO NOT flash your Nexus 6P's bootloader or radio directly, because the radio and bootloader images for this phone are packed. Using dd to flash them directly will brick your phone.
And my phone is locked because I want to use device protection. So no luck flashing the radio via fastboot directly.
So I managed a new way to let the bootloader think the bootloader can be unlocked.
I learned about the "factory reset protection" (frp) partition from
http://forum.xda-developers.com/nexus-6/help/info-nexus-6-nexus-9-enable-oem-unlock-t3113539
So all factory reset protection problem is just about that frp partition. You just need to dump it out using dd, then use winhex or other software to edit the last bit to 01, then your phone is able to unlock. No need for a password.
And don't give the device protection too much hope. Many people can unlock it easily because you just need to edit the frp partition. Use jtag tools, wire emmc out, even UART or just download mode, and edit that bit, then your phone is unlocked.
Apple is the same. Although Apple will check the iDevice's ID, many people who fix phones in China have some backdoor to unlock it (meaning reuse it again; data is lost, but who cares about this data).
can you detail the process with pictures if possible.. should help a lot of ppl around here..
rohit25 said:
can you detail the process with pictures if possible.. should help a lot of ppl around here..
run "adb shell" in PC
then
"cd /dev/block/platform/s*/f*/b*n*"
then type "dd if=frp of=/sdcard/frp", then the frp partition is dumped in the /sdcard.
use winhex or else edit the last 00 bit to 01, then save the files.
put the frp files back to /sdcard, use "dd if=/sdcard/frp1 of=frp" to flash the unlocked frp back (make sure you are in /dev/block/platform/soc.0/f9824900.sdhci/by-name)
reboot to bootloader, use "fastboot flashing unlock", select yes, then good to go.
Genius ...... Very bad English and grammar.....but I see what you are saying and is pure genius.
What I'm saying is its hard to follow.
Genius guy , dd is dangerous but life saving too
Sent from my Nexus 6P using Tapatalk
Wow, mosdef badass
cool, I wondered about this method months ago but too scared to try it. thanks for trying and sharing it here. cheers!
if you have adb access you can dd a modified devinfo partition back.it will unlock your phone directly.
Sent from iPhone ,using Tapatalk.
this way can work when i have adb access very good idea , what about if i don't have access to adb just fastboot and stock recovery is there any method to unlock my n6p .
Thanked
tenfar said:
if you have adb access you can dd a modified devinfo partition back.it will unlock your phone directly.
Sent from iPhone ,using Tapatalk.
hi,
what do you mean by this? I have a LG V10 H901 and I have adb access. what do you mean by modding the devinfo
sorry for being noob
thanks
SuperZoilus said:
hi,
what do you mean by this? I have a LG V10 H901 and I have adb access. what do you mean by modding the devinfo
sorry for being noob
thanks
maybe modding devinfo only works for Nexus 6p. try OP's method

E2303 6.0.1 Root with Locked BootLoader?

Hey guys, is there any new exploits / rootkitXperias for the 6.0.1 update with locked bootloader?
Same question here. This would be very nice.
There is no way to root the M4 Aqua with a locked bootloader!
and in the future?
kubanec86 said:
and in the future?
despite our developers, Coming Soon
I also have locked bootloader (Unlock allowed: no; and also I would prefer to keep the DRM keys and warranty) however it would be great to be able to root it...
well, at least we can preinstall xposed with prf zip
sergioslk said:
well, at least we can preinstall xposed with prf zip
The prf zip ROM doesn't work, I tried it.
That sounds great Hope there will be a solution soon.
Is there any update about it? I really want to update to MM but don't want to lose my root.
BVEKT0R said:
Is there any update about it? I really want to update to MM but don't want to lose my root.
Nope
Can someone with access to the M4 run the Quadrooter checker. Hopefully these security issues give root.
http://blog.checkpoint.com/2016/08/07/quadrooter/
http://www.xda-developers.com/xda-external-link/4-vulnerabilities-found-in-qualcomms-code/
I know people are saying it's a security issue but it's also possibly the only hope for root for a lot of phones.
https://play.google.com/store/apps/details?id=com.checkpoint.quadrooter
CE1
I have the E2306 variant, I've been reading about a new vulnerability called "HummingBad".
On the page where I read that I found info about an app that searches for system vulnerabilities, and after running it on my device there are four vulnerabilities
(cve-2016-2059)(cve-2016-2504)(cve-2016-2503)
(cve-2016-5340).
Correct me if I'm wrong, but isn't root access on a locked device gained by using a system vulnerability like those?
I think maybe with any of the vulnerabilities that I've mentioned before we can get root for locked bootloaders.
(sorry for my English if it's bad, not my native language)
Found this on z5 forums. I'm pretty sure there is dm verity check on m4 too.
We cannot get root because this would involve modified kernel (to write on /system partition), which would not boot using a Locked bootloader because of Verified boot process that uses an OEM key.
The whole process is described here: https://source.android.com/security/...fied-boot.html
Google intention is (or was) to allow the boot process, after a red warning, if the verification of the kernel image didn't succeed on a locked bootloader... But Sony devices bootloop without showing any warning and so the user is not allowed to continue (source: https://androplus.org/Entry/843/ thanks to the developer).
So, on locked bootloaders, it's impossible to have permanent root apps, xposed ,.... unless someone finds a hole in the bootloader (someone found a hole in Motorola's bootloader) or the OEM key gets copied and is used to sign modified firmwares...just exciting dreams.
DarkerJava said:
Found this on z5 forums. I'm pretty sure there is dm verity check on m4 too.
There is not dmverity in m4, i have locked bootloader and i installed the update with an unrooted zip but i could preinstall xposed in /system and also deleted bloatware and booted correctly with xposed working and without root
sergioslk said:
There is not dmverity in m4, i have locked bootloader and i installed the update with an unrooted zip but i could preinstall xposed in /system and also deleted bloatware and booted correctly with xposed working and without root
Alright, if there is no firmware verity check, then it should not be too hard to get root in bl locked... just need to find an exploit in /system partition..
Hello, can everyone test this way for a pre-rooted ROM?
This way roots our device with a locked bootloader, but every phone boot is longer. It was tested on E2333 and now needs to be tested on other variants.
Please test and give feedback here, phone boots in 40 min and up
http://forum.xda-developers.com/crossdevice-dev/sony/tool-prfcreator-easily-create-pre-t2859904
EHSAN™ said:
Hello, can everyone test this way for a pre-rooted ROM?
This way roots our device with a locked bootloader, but every phone boot is longer. It was tested on E2333 and now needs to be tested on other variants.
Please test and give feedback here, phone boots in 40 min and up
http://forum.xda-developers.com/crossdevice-dev/sony/tool-prfcreator-easily-create-pre-t2859904
I'll test it soon, and post about the results.
EHSAN™ said:
Hello, can everyone test this way for a pre-rooted ROM?
This way roots our device with a locked bootloader, but every phone boot is longer. It was tested on E2333 and now needs to be tested on other variants.
Please test and give feedback here, phone boots in 40 min and up
http://forum.xda-developers.com/crossdevice-dev/sony/tool-prfcreator-easily-create-pre-t2859904
Hello,
I've tested with the "E2303_26.1.A.3.111_1293-7738_R8A.ftf" ROM and just "UPDATE-SuperSU-v2.76.zip" (no recovery) but it doesn't work, the phone boots (it takes a long time) but isn't rooted.

Development Prototype ABL binaries from Nokia 3.4 and 5.4, for bootloader unlock purpose.

You should've already figured out where are these binaries from. I can't help further for these 2 models.
WARNING: This is not a guide! Prototype ABL binaries are provided as-is, flashing them can be risky!
I'm not responsible for potentially permanent brick!
Nokia 3.4 prototype ABL image has been proved functional.
To use it:
1. Enable flashing permission with HDK (an internal flash tool used by triple-color company, sorry can't disclose more details about that). Please search for related service online, we don't provide or promote such service.
2. Download Prototype ABL from following URL:
Click here for NOKIA 3.4 (DoctorStrange ZQL1838)
Click here for NOKIA 5.4 (DoctorDoom ZQL1849)
3. Flash prototype ABL and OEM unlock enabled frp partition manually, then you can confirm bootloader unlock:
Code:
(for Nokia 3.4) fastboot flash abl DRS-abl.elf
(for Nokia 5.4) fastboot flash abl DRD-abl.elf
(IMPORTANT, DO NOT SKIP) fastboot flash frp frp_oemunlock.img
fastboot reboot-bootloader
fastboot flashing unlock_critical
fastboot oem unlock-go
4. Once bootloader unlock completed, please reinstall stock OS to restore ABL back to normal.
SHA256 checksum of ABL images:
Code:
Nokia 3.4: 79d49737009b1c87f452d814ba6cf5669ccd35a2983f4413f817a7595cb67cfc
Nokia 5.4: 333b221671ed9abe6bd471f29d3c0b14cfeaeebcdc587f882097740f244b93a9
Root Key Hash of ABL images - technically they may be interchangeable due to same RKH.
Code:
Nokia 3.4: 35631A56E4F0D69967853A758FEF4FF742CF7C6A71B84CE863FE3FCBC70CC394
Nokia 5.4: 35631A56E4F0D69967853A758FEF4FF742CF7C6A71B84CE863FE3FCBC70CC394
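
Checking a downloaded image against the SHA256 values listed above before it is handed to `fastboot flash`, as an added example that is not part of the original post. The function names are illustrative, and the file names are assumed to be the ones used in the post's flash commands.

```python
"""Verify an image file against a published SHA-256 before flashing.

Added example; the digests are the ones quoted in the post above.
"""
import hashlib
import hmac
import os
import re

# SHA-256 values as published in the post, keyed by the file names
# that appear in its fastboot commands (assumed download names).
PUBLISHED_SHA256 = {
    # Nokia 3.4
    "DRS-abl.elf": "79d49737009b1c87f452d814ba6cf5669ccd35a2983f4413f817a7595cb67cfc",
    # Nokia 5.4
    "DRD-abl.elf": "333b221671ed9abe6bd471f29d3c0b14cfeaeebcdc587f882097740f244b93a9",
}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_published(path, expected_hex):
    """True only if the file's SHA-256 equals expected_hex.

    Accepts upper/lower case and surrounding whitespace, but rejects
    anything that is not a full 64-digit hex string, so a truncated
    copy-paste cannot pass as a match.
    """
    expected = expected_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("expected value is not a SHA-256 hex digest")
    return hmac.compare_digest(sha256_file(path), expected)


def check_image(path):
    """Look the file up by name and compare with the published digest."""
    name = os.path.basename(path)
    if name not in PUBLISHED_SHA256:
        raise ValueError(f"no published digest for {name}")
    return matches_published(path, PUBLISHED_SHA256[name])


if __name__ == "__main__":
    import sys
    for image in sys.argv[1:]:
        print(image, "OK" if check_image(image) else "MISMATCH: do not flash")
```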
Does this procedure require a specific version of Android? Is the HDK tool provided only by the manufacturer?
Rierei said:
Does this procedure require a specific version of Android? Is the HDK tool provided only by the manufacturer?
Specific Android version is not required.
HDK access is required to allow you flash any bootloader partitions.
where can i get frp_oemunlock.img and stock os?
are they available with HDK?
Hi guys, I have bootloader unlocked and rooted my Nokia 5.4! however when I tend to delete apps from the system as usual there is always some error! Android 12 February Security Patch!
if anyone wants a recovery image to do a TWRP I can give it!
Someone made it for 3.4?
thimemoria said:
Hi guys, I have bootloader unlocked and rooted my Nokia 5.4! however when I tend to delete apps from the system as usual there is always some error! Android 12 February Security Patch!
May you describe how did you manage to unlock the bootloader? Do you have HDK access?
false96 said:
May you describe how did you manage to unlock the bootloader? Do you have HDK access?
I got in touch via Telegram with the guy who does the unlocking via TeamViewer or Anydesk and he unlocked it, since the Root process is a little different I had to flash a different boot .img
As I probably can't post links here, whoever wants it I'll send it by PV
Guys, I made a port of TWRP from A3 to Nokia 5.4! Normal boot but need to edit fstab I'll do that and study how it works anything I'll let you know or create a topic!
thimemoria said:
Guys, I made a port of TWRP from A3 to Nokia 5.4! Normal boot but need to edit fstab I'll do that and study how it works anything I'll let you know or create a topic!
Great work! Thanks for your efforts. I hope one day we'll have some custom roms.
thimemoria said:
if anyone wants a recovery image to do a TWRP I can give it!
could you let me get a copy for the Nokia 5.4
thimemoria said:
As I probably can't post links here, whoever wants it I'll send it by PV
hey, I also want one for my Nokia X10!
I'm also interested in the TWRP for Nokia 5.4 - could you send it to me by PV? Thanks on behalf
thimemoria said:
Hi guys, I have bootloader unlocked and rooted my Nokia 5.4! however when I tend to delete apps from the system as usual there is always some error! Android 12 February Security Patch!
That's likely because the system is only mounted as r/o. You can't write there. But maybe I am wrong?
thimemoria said:
if anyone wants a recovery image to do a TWRP I can give it!
I never received a message from you about the twrp for Nokia 5.4
does anyone have the twrp for Nokia 5.4
[email protected] said:
does anyone have the twrp for Nokia 5.4
eh, no one does. The phone has just had its ABL for bootloader unlocking released, so, of course, there are no TWRP ports for it.
However, you can learn how to port TWRP into the phone (though, really, it'll require you to learn programming and whatnot).
I was going by this post further up the thread.
thimemoria said:
if anyone wants a recovery image to do a TWRP I can give it!
