Hey Guys,
I know there is already an app in the market, Keystore Unlocker, but it doesn't seem to work with the latest su binary. Does anyone know if there is a way to disable the password requirement for stored certificates? It would be a useful feature to bake into some ROMs, or even a new app that works with the latest su.
I decompiled the apk for Keystore Unlocker but it was no help. I emailed the developer and asked if he would either update the app and make it paid (99 cents wouldn't be too much) or release the source for us to use for future projects.
Let me know if you guys have any ideas.
Same issue on HTC Incredible, stock + root ROM 2.3.4. Really annoying, anyone know a fix? My initial thinking is that it's at the kernel layer, as a hot reboot doesn't cause the issue but a "full" reboot does. Anybody have a suggestion for a fix or workaround?
+1
Would love to bypass the credential storage. It literally decimates the battery trying to log into a credentialed WiFi (try/fail/try/fail) if you don't happen to notice that you haven't entered the credential yet.
+1
I have mailed the app's author; perhaps he has a solution.
Does anybody know what exactly the app does? Is there a way to activate the credential storage from the command line (so it could be done at autostart)?
There are two possibilities to unlock the keystore. Both need to be run under UID=1000!
1) You have an AOSP based ROM, like Cyanogen:
There is a tool called "keystore_cli", which provides basic access to the keystore by commandline.
Simply run
Code:
su -c 'keystore_cli u <password>' 1000
to unlock it.
Other options can be found in keystore.c:
Code:
static struct action {
    int8_t (*run)();
    int8_t code;
    int8_t state;
    uint32_t perm;
    int lengths[MAX_PARAM];
} actions[] = {
    {test,     't', 0,        TEST,     {0}},
    {get,      'g', NO_ERROR, GET,      {KEY_SIZE}},
    {insert,   'i', NO_ERROR, INSERT,   {KEY_SIZE, VALUE_SIZE}},
    {delete,   'd', 0,        DELETE,   {KEY_SIZE}},
    {exist,    'e', 0,        EXIST,    {KEY_SIZE}},
    {saw,      's', 0,        SAW,      {KEY_SIZE}},
    {reset,    'r', 0,        RESET,    {0}},
    {password, 'p', 0,        PASSWORD, {PASSWORD_SIZE, PASSWORD_SIZE}},
    {lock,     'l', NO_ERROR, LOCK,     {0}},
    {unlock,   'u', LOCKED,   UNLOCK,   {PASSWORD_SIZE}},
    {NULL,     0,   0,        0,        {0}},
};
I guess you can figure them out, if you want to.
2) You don't have the keystore_cli tool:
a) You might be able to use a keystore_cli binary from another ROM.
b) Use unix domain sockets to communicate with the keystore.
The socket is under /dev/socket/keystore.
To access this, you'd have to write a small C program and use the socket() and write() syscalls.
Luckily, this is exactly what that "keystore unlocker" from the market does.
It comes with a small native executable located at
Code:
/data/data/ru.chunky.AutoKeystore/lib/libkeystorecmd-executable.so
which reads input to send to the socket from stdin.
The format is:
Code:
<code><length1><message1>...
Where <code> would be 'u' to unlock,
<length> would be the length of the password as a 16-bit unsigned int,
and <message> would be the string representation of the password.
In this example the password is "password", which is 8 characters long.
So the length would have to be \0000\0008 and the message to send to the socket is
Code:
u\0000\0008password
Running
Code:
su -c "echo -e 'u\0000\0008password' | /data/data/ru.chunky.AutoKeystore/lib/libkeystorecmd-executable.so" 1000
should show a result of
Code:
1
on the command line if successful, and the keystore should be unlocked.
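As an added example (not code from the post or from the Keystore Unlocker app), here is a Python encoder/decoder for the socket message format just described; the per-op parameter counts come from the keystore.c action table quoted above, and the socket path /dev/socket/keystore is the one named in the post.

```python
"""Encoder/decoder for the keystore socket request format described in the post.

Layout: one op-code byte, then for each parameter a 16-bit big-endian unsigned
length followed by that many bytes of payload. Parameter counts per op code
are read off the keystore.c action table ({0} means the action takes none).
"""
import socket
import struct
from typing import List, Tuple

# op code -> number of parameters, from the keystore.c action table
PARAM_COUNT = {
    "t": 0,  # test
    "g": 1,  # get: KEY
    "i": 2,  # insert: KEY, VALUE
    "d": 1,  # delete: KEY
    "e": 1,  # exist: KEY
    "s": 1,  # saw: KEY prefix
    "r": 0,  # reset
    "p": 2,  # password: old, new
    "l": 0,  # lock
    "u": 1,  # unlock: PASSWORD
}
MAX_PARAM_LEN = 0xFFFF  # the length field is a uint16


def encode(code: str, params: List[bytes]) -> bytes:
    """Build <code><len1><msg1>... for one keystore request."""
    if code not in PARAM_COUNT:
        raise ValueError(f"unknown keystore op code {code!r}")
    if len(params) != PARAM_COUNT[code]:
        raise ValueError(
            f"op {code!r} takes {PARAM_COUNT[code]} parameter(s), got {len(params)}")
    out = bytearray(code.encode("ascii"))
    for p in params:
        if len(p) > MAX_PARAM_LEN:
            raise ValueError("parameter does not fit in a 16-bit length field")
        out += struct.pack(">H", len(p))  # 16-bit unsigned, big-endian
        out += p
    return bytes(out)


def decode(raw: bytes) -> Tuple[str, List[bytes]]:
    """Parse a request back into (code, params); raises on truncated input."""
    if not raw:
        raise ValueError("empty message")
    code = chr(raw[0])
    if code not in PARAM_COUNT:
        raise ValueError(f"unknown keystore op code {code!r}")
    params, pos = [], 1
    for _ in range(PARAM_COUNT[code]):
        if pos + 2 > len(raw):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">H", raw[pos:pos + 2])
        pos += 2
        if pos + n > len(raw):
            raise ValueError("truncated parameter payload")
        params.append(raw[pos:pos + n])
        pos += n
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} trailing byte(s) after last parameter")
    return code, params


def send_request(raw: bytes, path: str = "/dev/socket/keystore") -> bytes:
    """Send one encoded request over the unix domain socket and return the reply.

    Not exercised offline; as the post says, this must run as UID 1000 on the
    device. The post reports a single "1" on a successful unlock.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(raw)
        return s.recv(1)


if __name__ == "__main__":
    msg = encode("u", [b"password"])  # the unlock example from the post
    print(msg)  # b'u\x00\x08password'
    print(decode(msg))
```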
It sounds brilliant!
Do you have any idea what the problem is with the app and current su versions?
Awesome find man, shame ICS fixed this bug. It just requires a pattern lock or PIN lock. I wish we could find a workaround for this....
Sent from my HTC Rezound
stm999999999 said:
It sounds brilliant!
Do you have any idea what the problem is with the app and current su versions?
Nope, no idea.
I worked around it like this (CyanogenMod):
In /data/local/userinit.sh I put
Code:
#!/system/bin/sh
nohup /data/local/keystoreunlock_delayed.sh > /dev/null 2> /dev/null &
and the file /data/local/keystoreunlock_delayed.sh contains:
Code:
#!/system/bin/sh
sleep 60
su -c 'keystore_cli u <password>' 1000
The 60 second delay makes sure the phone has already initialized the keystore.
It's a bit of a dirty way to do it, but this way it works without any Android app.
To test this on my device, I made a file /data/keystoreunlock_delayed.sh
#!/system/bin/sh
su -c 'keystore_cli u <password>' 1000
and executed it within Root Explorer. But nothing happens!?
I tried su -c 'keystore_cli u <password>' 1000 in Terminal Emulator and got permission denied. I have to do a "su" first, without any parameters, then Superuser asks for permission, and then the long command works.
stm999999999 said:
To test this on my device, I made a file /data/keystoreunlock_delayed.sh
#!/system/bin/sh
su -c 'keystore_cli u <password>' 1000
and executed it within Root Explorer. But nothing happens!?
I forgot the permission 0755. It was 0555.
Can I download keystore_cli somewhere so I can use this script?
I have /system/bin/keystore but not keystore_cli on the rooted 2.3.4 OTA. Using an HTC Incredible and would like to use this workaround script.
EDIT: I now realize this is in the Rezound forum. I found this thread by Google search but couldn't find much else on keystore_cli other than zip extract logs.
Hm, I do not use a Rezound either. I have a Desire.
Are you sure this file is not an integral part of Android?
I found one version on Dropbox: https://www2.dropbox.com/s/cuu6hm8dvi3jxh5/BI/system/bin/keystore_cli
but I cannot say anything about this file, whether it is genuine and OK.
What about asking in an Incredible subforum?
AutoKeystore fixed
I've just resolved the "newer su" issue with ru.chunky.AutoKeystore and added a password-less VPN Wizard there.
Dear all,
Finally I have time to write up the unlock bootloader procedure. I found that search engines (internal/external) might mask new threads, so those who urgently need to repair, or for various reasons need to unlock the bootloader, might not have a chance to reach helpful info.
[YOUTUBE]ps6ngeDPiHc[/YOUTUBE]
[YOUTUBE]_9LwOmmF0_s[/YOUTUBE]
[YOUTUBE]Gsn8FynWxaU[/YOUTUBE]
Here is the procedure extracted from another thread of mine. Eventually I will remove all unlock bootloader info from the original thread and leave it here.
Unlocking the bootloader manually may apply to many other MT6755 or similar SoCs, which can be unlocked this way.
~~ YOUR OWN RISK ~~ ~~ YOUR OWN RISK ~~
Development (uncrack procedure) detail is below.
https://forum.xda-developers.com/m3-note/how-to/m3-note-ported-kernel-source-twrp-3-3-0-t3956911
_AND_
https://github.com/99degree/android_kernel_m3note/tree/m3note_20190813
== Procedure ==
To unlock the bootloader: generally the lk has a magic frp partition for security, either for Google suite use or for lk unlock bootloader use. In short, setting the last dword to 1 will unlock the bootloader. So you don't have to have a very unfriendly (and possibly not working) tool installed.
If you want to know more about the lk and the unlock magic, here is the URL, so the myth above can be cleared up: https://github.com/mbskykill/m3note_android_bootable.git
There is a need to check the lk.bin beforehand, since unlocking the bootloader involves the "fastboot oem unlock" cmd. So do a binary search and see if the string pattern "oem unlock" appears in the lk.bin itself. If yes, the lk is likely capable of unlocking. If not, the vendor disabled it completely in the source code on purpose. Please check the third video for the detailed idea. One example is the m3note intl version: its lk does not have "oem unlock", and the "boot" cmd is commented out on purpose. That's why there is a need to install the chn version of lk from the chn ROM, where that logic is still available (see some success cases installing the chn beta ROM).
Here are steps to unlock the bootloader.
===YOUR OWN RISK===
(a) make sure a lower version (flyme5?) is installed
(b) install KingRoot (or Flyme root; it won't be limited to flyme5) to get root
(c) install Partitions Backup (or another tool)
(d) back up the frp partition (needs root)
(e) edit it with a hex tool (a hex editor, for example)
(f) locate the last dword, write 1, save the file, write it back to frp
(g) reboot and install the newer (6.3.0.3A) Chinese version of the ROM
(h) optional: step g might fail due to the chn/intl (G->A) ROMs' different serial numbers; the script below cracks the barrier
http://forum.flymeos.com/thread-38493-1-1.html
(Updated 20191024)
(i) in fastboot mode, run fastboot.exe oem unlock
to guarantee the phone is unlocked.
(j) run fastboot boot m3note.img, get into TWRP, and format the data partition
Special notice for step e: the frp modification is shown and highlighted clearly in video 2 part 2; the same info is available in the first video at 3:39, so please take a look as well.
Special notice for step j: if you don't do it, the m3note deadloops no matter which button you press except power on/off. So in case this happens, unplug the USB cable and leave it to use up the internal battery. Then vol-down + power can revive the fastboot environment.
Then the M3 note is unlocked. Please note that running the script in step h might have drawbacks (wiping too much data), such as loss of the CDMA MEID (Mobile Equipment Identifier), so do it at
~~ YOUR OWN RISK ~~ ~~ YOUR OWN RISK ~~
Technical detail of the unlock logic is as below:
sec_unlock.c
fastboot_get_unlock_perm {
    ...
    index = partition_get_index(FRP_NAME);
    ...
    size = partition_get_size(index);
    unlock_allowed_flag_offset = size - sizeof(unsigned int);
    ...
}
OK, sizeof(unsigned int) is a dword, so the offset is (size - 1 * dword). Setting it to 1 means unlock.
Other unlock tutorials:
Meizu E3 bootloader unlock tutorial
WOW mine is the L681h version, will it work? Any custom ROM available for it? TIA
jack dee707 said:
WOW mine is the L681h version, will it work? Any custom ROM available for it? TIA
No custom ROM atm. Flyme loops at the welcome screen due to an exception in system server.
Mine is the intl version; I installed the chn ROM and got the v6303 lk and Flyme 7, and it is working nicely. For L681h or other models there are many variants, so no guarantee. If the chn version ROM works on your device, then it is highly likely this TWRP ROM works too. The kernel is not a fit for the m3note at all, so source porting is needed. There are still many device drivers missing.
Good luck.
99degree said:
No custom ROM atm. Flyme loops at the welcome screen due to an exception in system server.
Mine is the intl version; I installed the chn ROM and got the v6303 lk and Flyme 7, and it is working nicely. For L681h or other models there are many variants, so no guarantee. If the chn version ROM works on your device, then it is highly likely this TWRP ROM works too. The kernel is not a fit for the m3note at all, so source porting is needed. There are still many device drivers missing.
Good luck.
Mine is also the global international variant. Is your device the L681h version or another? I think you should share this in the Flyme forum also; a lot of users are waiting to shift from global to Chinese to have Flyme 7, but due to the bootloader issue none can do it. And please try to make a full YouTube video tutorial as well for all steps, that would be very handy. Thanks a lot.
jack dee707 said:
Mine is also the global international variant. Is your device the L681h version or another? I think you should share this in the Flyme forum also; a lot of users are waiting to shift from global to Chinese to have Flyme 7, but due to the bootloader issue none can do it. And please try to make a full YouTube video tutorial as well for all steps, that would be very handy. Thanks a lot.
You had better think about it the other way round. The rooting method and doing the surgery should follow the method mentioned in http://forum.flymeos.com/thread-38493-1-1.html. If you have any question about rooting and G version -> A version, you can ask the original author for help; it is for your own good to rescue the phone with proper help. After that, you might consider going one step further to unlock the bootloader.
It is a bit risky; I had my m3 note as an old dev machine so I didn't care. And please bear in mind the L681h model itself already has many variants, so it's not worth mentioning other models. You can check all variant info at http://deviceinfohw.ru/devices/index.php
As far as I know, those are mainly categorised by sm5414 or bq24169 PMIC, and the A version supports both, as grepping the keyword in lk.bin found. But about other parts I'm not sure, like lens, camera, LCM etc. I found no problem with mine.
Once again, I already lost the CDMA MEID with the above script as a drawback. So do it at your own risk.
Good luck.
Hi, I tried your guide on a Meizu m5c that has an MT67xx but I didn't succeed. I modified the FRP and flashed the modified FRP and Chinese LK but it doesn't let me unlock. Could you make a YouTube guide on how to change the FRP and do the method? I think I made a mistake in some passages. Or, if you want, I send you the FRP file and you modify it for me and then give it to me, but I prefer the first option which I think is better.
XRed_CubeX said:
Hi, I tried your guide on a Meizu m5c that has an MT67xx but I didn't succeed. I modified the FRP and flashed the modified FRP and Chinese LK but it doesn't let me unlock. Could you make a YouTube guide on how to change the FRP and do the method? I think I made a mistake in some passages. Or, if you want, I send you the FRP file and you modify it for me and then give it to me, but I prefer the first option which I think is better.
Buddy, you are welcome to visit here.
Frankly speaking, it might not always hold true for custom lk by some vendors. Samsung and Moto have different lock strategies. Although the code is common for mt67xx, I can't even guarantee that every mt67xx phone from the same vendor uses the same code piece it got from MTK.
So in your case I can provide more info for you to have a try. First you need to test fastboot boot with your boot.img and see if it works halfway. If there is an invalid command, then you might not have a chance to do something advanced.
Please watch the YouTube video above again. I grabbed the frp partition with hexview in TWRP. The modification shown is quite clear at 3:39: the pattern at the end is 0001 0000, and hexview skips all the all-zero blocks in the middle. Please have a check if you still want to try. Please note that on a different phone the frp size might differ; the above lk code requires the last dword set to 1 anyway.
Here is some basic info on how to view hex code.
Representing 1 in a double word:
    Offset : 00 01 02 03 ...... 0c 0d 0e 0f
    Value  : 00 00 00 00 ...... 01 00 00 00
    Hexview: 0000 0000   ...... 0001 0000
As above, offsets 00 and 01 are grouped together as a word. In each group, the least significant bit is on the right. So 0001 is shown in the hexview group as a word, and likewise we want 0001 0000 in a dword as 00000001.
So 0x1 is, as bytes, 01 00 00 00; as shorts, 0001 0000; as a dword, 00000001.
Hope the above helps you go further.
(Updated 20191024)
Please refer to the top post step i; I might have missed the above step. Please do try "fastboot oem unlock" and see if it is needed to fully unlock the phone. I am not sure, it was too long ago for me.
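As an added example that is not part of the thread or of the lk source it quotes, here is a Python helper that applies the offset arithmetic from the sec_unlock.c snippet in the first post (flag at size - sizeof(unsigned int)) and renders the byte/word/dword views from the hex explanation above; the frp image it runs on is constructed in memory, standing in for a backup of the device's own frp partition.

```python
"""Inspect the unlock flag that lk reads from the last dword of an frp image.

Offset arithmetic follows the quoted fastboot_get_unlock_perm:
unlock_allowed_flag_offset = size - sizeof(unsigned int). The three views
(bytes, 16-bit words as a hex viewer groups them, little-endian dword) match
the "0x1 as byte 01 00 00 00, as short 0001 0000, as dword 00000001" note.
"""
import struct
from typing import Dict

DWORD = 4  # sizeof(unsigned int) on the 32-bit lk build


def unlock_flag_offset(size: int) -> int:
    """Same arithmetic as fastboot_get_unlock_perm: size - sizeof(unsigned int)."""
    if size < DWORD:
        raise ValueError("image smaller than one dword")
    return size - DWORD


def read_unlock_flag(image: bytes) -> int:
    """Return the last dword as the little-endian unsigned int lk reads."""
    off = unlock_flag_offset(len(image))
    (flag,) = struct.unpack_from("<I", image, off)
    return flag


def hexview_words(chunk: bytes) -> str:
    """Render bytes as 16-bit little-endian words, as the post's hex viewer does.

    Bytes 01 00 print as 0001, so a flag of 1 at the end shows as '0001 0000'.
    """
    if len(chunk) % 2:
        raise ValueError("need an even number of bytes")
    return " ".join(f"{w:04x}" for (w,) in struct.iter_unpack("<H", chunk))


def describe_tail(image: bytes) -> Dict[str, object]:
    """Summarise the last dword in the three notations used in the post."""
    off = unlock_flag_offset(len(image))
    tail = image[off:off + DWORD]
    flag = read_unlock_flag(image)
    return {
        "offset": off,
        "bytes": tail.hex(" "),          # e.g. '01 00 00 00'
        "hexview": hexview_words(tail),  # e.g. '0001 0000'
        "dword": f"{flag:08x}",          # e.g. '00000001'
        "unlock_allowed": flag == 1,     # the condition the lk code tests
    }


def with_unlock_flag(image: bytes, value: int = 1) -> bytes:
    """Return a copy of the image with only the trailing dword set to `value`.

    Everything before the last dword is preserved byte for byte, which is
    what step (f) of the procedure does by hand in a hex editor.
    """
    off = unlock_flag_offset(len(image))
    return image[:off] + struct.pack("<I", value)


if __name__ == "__main__":
    # Constructed stand-in for an frp backup: all zeros, flag not set.
    sample = bytes(1024 * 1024)
    print(describe_tail(sample))
    print(describe_tail(with_unlock_flag(sample)))
```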
99degree said:
Buddy, you are welcome to visit here.
Frankly speaking, it might not always hold true for custom lk by some vendors. Samsung and Moto have different lock strategies. Although the code is common for mt67xx, I can't even guarantee that every mt67xx phone from the same vendor uses the same code piece it got from MTK.
So in your case I can provide more info for you to have a try. First you need to test fastboot boot with your boot.img and see if it works halfway. If there is an invalid command, then you might not have a chance to do something advanced.
Please watch the YouTube video above again. I grabbed the frp partition with hexview in TWRP. The modification shown is quite clear at 3:39: the pattern at the end is 0001 0000, and hexview skips all the all-zero blocks in the middle. Please have a check if you still want to try. Please note that on a different phone the frp size might differ; the above lk code requires the last dword set to 1 anyway.
Here is some basic info on how to view hex code.
Representing 1 in a double word:
    Offset : 00 01 02 03 ...... 0c 0d 0e 0f
    Value  : 00 00 00 00 ...... 01 00 00 00
    Hexview: 0000 0000   ...... 0001 0000
As above, offsets 00 and 01 are grouped together as a word. In each group, the least significant bit is on the right. So 0001 is shown in the hexview group as a word, and likewise we want 0001 0000 in a dword as 00000001.
So 0x1 is, as bytes, 01 00 00 00; as shorts, 0001 0000; as a dword, 00000001.
Hope the above helps you go further.
(Updated 20191024)
Please refer to the top post step i; I might have missed the above step. Please do try "fastboot oem unlock" and see if it is needed to fully unlock the phone. I am not sure, it was too long ago for me.
I didn't understand any of these things about HxD, and in the video you don't see that you edit this file. Look at what it gives me while I try to boot. If I send you the file, will you please edit it for me?
So, I modified the FRP file and I hope I did well. Now I send you the screens; after flashing this FRP, doing fastboot oem unlock and fastboot boot boot-sign (only for a test) gives me these:
Code:
Microsoft Windows [Versione 10.0.18362.418]
(c) 2019 Microsoft Corporation. Tutti i diritti sono riservati.
D:\adb>fastboot oem unlock
FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>fastboot boot boot-sign.img
creating boot image...
creating boot image - 8757248 bytes
Sending 'boot.img' (8552 KB) OKAY [ 0.826s]
Booting FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>
XRed_CubeX said:
So, I modified the FRP file and I hope I did well. Now I send you the screens; after flashing this FRP, doing fastboot oem unlock and fastboot boot boot-sign (only for a test) gives me these:
Code:
Microsoft Windows [Versione 10.0.18362.418]
(c) 2019 Microsoft Corporation. Tutti i diritti sono riservati.
D:\adb>fastboot oem unlock
FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>fastboot boot boot-sign.img
creating boot image...
creating boot image - 8757248 bytes
Sending 'boot.img' (8552 KB) OKAY [ 0.826s]
Booting FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>
A bit strange; it seems like the lk does not support the "oem unlock" and "boot" cmds, like the m3note intl lk version does. Please take a look at the https://youtu.be/Gsn8FynWxaU video and see if it gives you some insight.
All the best.
I saw the video, it's a very interesting thing ...
Now I put up the screen to show you what I get when I go to HxD. It says that the oem unlock is false; isn't there a way to change it and make it true? Maybe by doing this I can activate the bootloader unlock.
Do you have Telegram? If you can, write me at [email protected] in private so it's more comfortable.
P.S: I saw the other video and I realized that I was wrong to edit the FRP file.
XRed_CubeX said:
I saw the video, it's a very interesting thing ...
Now I put up the screen to show you what I get when I go to HxD. It says that the oem unlock is false; isn't there a way to change it and make it true? Maybe by doing this I can activate the bootloader unlock.
Do you have Telegram? If you can, write me at [email protected] in private so it's more comfortable.
Thx for watching. If your search result shows that is the only place "oem unlock" appears, then sorry, I won't have further advice. If your search shows further "oem unlock", "oem-unlock", "oem bootloader-unlock" kinds of patterns are available, then you might have a chance to go further. Aside from that, it might be worth trying to download as many different versions (intl, chn, beta as well) of the ROM for your phone as possible and do the search on all the lk.bin files, then see if any early version has this fastboot cmd.
PS 1: if you want to see if there is any optimized logic in the bootloader boot chain, then you'd better go through the source code (or one similar to your phone).
One source of info: https://github.com/mbskykill/m3note_android_bootable
PS 2: a side note, your frp image is a bit strange and seems not to hold real data. FYI, frp is mainly used by Google/Android for its activation and phone lock etc., so wiping it sometimes overcomes the "lost password" issue; that's why the key to the solution must be written to the last dword, to avoid an frp content overwrite.
All the best.
For the m5c the lk files are the same and do not come out like yours. Isn't there a way to add support manually to unlock?
XRed_CubeX said:
For the m5c the lk files are the same and do not come out like yours. Isn't there a way to add support manually to unlock?
Sorry gentleman, modifying frp is an indirect method; your thought is in the right direction. I tried to disassemble the lk linking library, seclib.a, early this year. Due to my limited knowledge, I couldn't come up with something new.
In case you are interested in continuing, you might need to check the seclib.a binary and see how it goes.
Best wishes.
99degree said:
Sorry gentleman, modifying frp is an indirect method; your thought is in the right direction. I tried to disassemble the lk linking library, seclib.a, early this year. Due to my limited knowledge, I couldn't come up with something new.
In case you are interested in continuing, you might need to check the seclib.a binary and see how it goes.
Best wishes.
How to exploit with the seclib.a binary?
XRed_CubeX said:
How to exploit with the seclib.a binary?
Here are some ideas, so please don't take them too seriously.
In lk, compiling the source and linking into lk.bin involves seclib.a, and this is the supporting lib that contains the functions for checking unlock status. The cmd_boot function (yes, this corresponds to the fastboot boot cmd) calls into this lib for that check. Code snippet:
void cmd_boot(const char *arg, void *data, unsigned sz)
{
    .....
    lock_state = get_unlocked_status();
    if (0 == lock_state)
    {
        fastboot_fail("oem unlock is false");
        return;
    }
So you can see your boot cmd most likely fails here. Before you decide to do so, please do a full text search of the code and your lk.bin and see if those text patterns are available.
The checking function is most likely inside seclib.a. To prove it, I tried to grep all the lk code and found nothing about it, and this seclib.a file is missing from the source tree; you can find it somewhere on the web. I believe disassembling a static lib is easier than disassembling a bin; at least a static lib has sections by sections, and the gcc tools are handier than IDA. Hint: mt6797 is a somewhat more open-source one. You can get something from the Linaro website or GitHub. There should be less chance of change, as it is a static library.
Another supporting fact is, when doing oem unlock and flash unlock, lk itself must write something to the mtd (nand chip) to remember the status. Then on every bootstrap, get_unlocked_status can read the status. That should be similar logic to booting from the nand chip, for reference. So the frp last dword is the permit for manual unlock, and seclib.a is the gatekeeper that checks on every boot.
Hope the above can give you some insight.
Yes, but I have to procure the seclib for my preloader, which is mt6767, and then handling the preloader is dangerous; if it bricks, my device could no longer be started in any way!
P.S: And then it would be difficult to disassemble the preloader, modify the seclib and then reassemble it.
P.S 2: However, for me this thing is very difficult, but if LK is able to change the status of unlocking the bootloader, why not modify it by adding the oem unlock command and unlock it like this?
XRed_CubeX said:
Yes, but I have to procure the seclib for my preloader, which is mt6767, and then handling the preloader is dangerous; if it bricks, my device could no longer be started in any way!
P.S: And then it would be difficult to disassemble the preloader, modify the seclib and then reassemble it.
P.S 2: However, for me this thing is very difficult, but if LK is able to change the status of unlocking the bootloader, why not modify it by adding the oem unlock command and unlock it like this?
Gentleman, I think you are over-engineering. Disassembling seclib.a is to get more info about the unlock logic and the conditions for unlock, such as where the oem unlock cmd writes to, and what value it writes to which partition; or, the other way round, which condition should be met when cmd_boot needs it; and then see if it can apply to your phone. Let me raise an example: like writing 1 to the last dword of frp, this is what exploits should do. I don't think patching the preloader or bootloader is the way to go. They are digitally signed; unlike the frp partition, which Google apps and Android write to, so it is not digitally signed and thus safe to modify. Of course the rule of thumb is not to take any risk of physically damaging the phone. Hope this is useful for your further reference.
No, I don't even know how to disassemble or where to start.