A large thanks to a friend on TheBootloaderLocksmith's discord by the name Kasha Fatal. They got a stuck in demo mode Alcatel 5002, aka a TCL 5002 in some places, and messed around with it. It had a ton of stuff on it that our TCL phones don't have unless they're demo phones. This lead us down a new rabbit hole with an app called Token_token.apk
This app is also installed on our TCL 10 Pro devices.
-- Install Quick Shortcut Maker, scroll down to tcl.token and run the main activity. It takes you into Token Loader giving you a Security Number for your device
Update (20 minutes later): to get to Token SN, open dialer, type *#*#43886536#*#*
3rd way:
Code:
adb shell am start -n com.tcl.token/com.tcl.token.activity.MainActivity
The negative here
The server is gone
Code:
https://beetle.tclcom.com:8080/accounts/login/?next=/
That's the URL to TCL's server that would have been some form of login using the security number from your device... not all is lost though
In the app is a bunch of developer secrets
Code:
public void p() {
String str = "";
if ("true".equals(a("ro.boot.oemtoken", "default"))) {
str = str + "oemtoken\n";
}
if ("true".equals(a("ro.boot.uarttoken", "default"))) {
str = str + "uarttoken\n";
}
if ("true".equals(a("ro.boot.fastboottoken", "default"))) {
str = str + "fastboottoken\n";
}
if ("true".equals(a("ro.boot.adbtoken", "default"))) {
str = str + "adbtoken\n";
}
if ("true".equals(a("ro.boot.smartlogtoken", "default"))) {
str = str + "smartlogtoken\n";
}
if ("true".equals(a("ro.boot.diagtoken", "default"))) {
str = str + "diagtoken\n";
}
if ("true".equals(a("ro.boot.roottoken", "default"))) {
str = str + "roottoken\n";
}
if ("true".equals(a("ro.boot.retailtoken", "default"))) {
str = str + "retailtoken\n";
}
if ("true".equals(a("ro.boot.perftoken", "default"))) {
str = str + "perftoken\n";
}
if ("true".equals(a("ro.boot.smltoken", "default"))) {
str = str + "smltoken\n";
}
this.v.setText(str);
}
-- I have yet to figure out what item you long press...
Code:
public boolean onItemLongClick(AdapterView<?> adapterView, View view, int i, long j) {
String string = "oemtoken".equals(this.q.f1242c.get(i)) ? getApplicationContext().getResources().getString(R.string.oem_detail) : "";
if ("uarttoken".equals(this.q.f1242c.get(i))) {
string = getApplicationContext().getResources().getString(R.string.uart_detail);
}
if ("fastboottoken".equals(this.q.f1242c.get(i))) {
string = getApplicationContext().getResources().getString(R.string.fboot_detail);
}
if ("adbtoken".equals(this.q.f1242c.get(i))) {
string = getApplicationContext().getResources().getString(R.string.adb_detail);
}
if ("smartlogtoken".equals(this.q.f1242c.get(i))) {
string = getApplicationContext().getResources().getString(R.string.slog_detail);
}
if ("diagtoken".equals(this.q.f1242c.get(i))) {
string = getApplicationContext().getResources().getString(R.string.diag_detail);
}
if ("roottoken".equals(this.q.f1242c.get(i))) {
string = getApplicationContext().getResources().getString(R.string.root_detail);
}
if ("retailtoken".equals(this.q.f1242c.get(i))) {
string = getApplicationContext().getResources().getString(R.string.retail_detail);
}
if ("perftoken".equals(this.q.f1242c.get(i))) {
string = getApplicationContext().getResources().getString(R.string.perf_detail);
}
if ("smltoken".equals(this.q.f1242c.get(i))) {
string = getApplicationContext().getResources().getString(R.string.sml_detail);
}
if (string.length() > 1) {
this.t.a(string);
this.t.b();
}
return true;
}
more info as i dig
The server appears to be online if you hit that URL in a web browser. The certificate for the host seems to be invalid, however
chrisalx said:
The server appears to be online if you hit that URL in a web browser. The certificate for the host seems to be invalid, however
Click to expand...
Click to collapse
right. doesn't seem to actually try the unlock at all
chrisalx said:
The server appears to be online if you hit that URL in a web browser. The certificate for the host seems to be invalid, however
Click to expand...
Click to collapse
Hello, after having the SN what is the procedure to try to unlock the phone?
ioannis.p said:
Hello, after having the SN what is the procedure to try to unlock the phone?
Click to expand...
Click to collapse
if we knew that, it would be posted here lmao
TechX1991 said:
if we knew that, it would be posted here lmao
Click to expand...
Click to collapse
Ha ha that is correct!!!
Is it a possible to add a rule on our wifi to direct the TCL address to our computer so we can bruteforce the Token?
DoctorBooty said:
Is it a possible to add a rule on our wifi to direct the TCL address to our computer so we can bruteforce the Token?
Click to expand...
Click to collapse
Probably through proxy with like Fiddler 2, but we have no idea what the web request looks like to even begin making our own server for it
It would be simpler to check if that device is even unlockable on bootloader side if someone manage to get full abl and xbl raw partition files by dumping it from the device directly somehow or get it from the TCL Upgrade tool
My opinion is the same, it will be easier to find the right exploit, even if it is direct to Fastboot, than to try to emulate a proxy server for the TCL Token application to work. I don't remember very well, there is a line inside the application when decompiling it that refers to the backup and cache export of the secret code or token. So if I'm not mistaken, after that the device will reboot into fastboot and all the unlock magic will come out.
One question on this device is there an application called User Support which is also accessed with shortcuts?
TheMalachite said:
It would be simpler to check if that device is even unlockable on bootloader side if someone manage to get full abl and xbl raw partition files by dumping it from the device directly somehow or get it from the TCL Upgrade tool
Click to expand...
Click to collapse
Tcl upgrade tool gives decrypted abl and xbl. They are not in raw formact
(Sri Lanka) said:
Tcl upgrade tool gives decrypted abl and xbl. They are not in raw formact
Click to expand...
Click to collapse
What's the file name ?
TheMalachite said:
What's the file name ?
Click to expand...
Click to collapse
I renamed all know files accoring to the log file i have tcl 20 se . All files under 2mb are in raw formact
(Sri Lanka) said:
I renamed all know files accoring to the log file i have tcl 20 se . All files under 2mb are in raw formact
Click to expand...
Click to collapse
Send those abl and xbl files anyway, their might be something interesting to see on it
TheMalachite said:
Send those abl and xbl files anyway, their might be something interesting to see on it
Click to expand...
Click to collapse
Sorry not 2mb under 5mb all files are in encrpted formact. Acccording to log, it says they are in p file formact
(Sri Lanka) said:
Sorry not 2mb under 5mb all files are in encrpted formact. Acccording to log, it says they are in p file formact
Click to expand...
Click to collapse
Xbl abl xbl config
This is.how in xbl in hex edi. The installation log says the are in p file formact
(Sri Lanka) said:
Sorry not 2mb under 5mb all files are in encrpted formact. Acccording to log, it says they are in p file formact
Click to expand...
Click to collapse
You mean something like abl.elf.p ?
Related
I am developing a PHP app that runs on an XDA2 PocketPC. It is for use by field engineers to book themselves to jobs whilst on-site, and it will update our internal stock system etc.
The need has arisen for signature capture, whereby a signature area is embedded into a web page and when the client signs the screen, it is transferred safely into a database at our offices.
I have looked at various possibilities but they all seem to rely on ASP/VBSCRIPT.
Has anyone ever come across something that will integrate with my PHP web app?
In a nutshell: Signature region in web page, user signs screen,signature data sent to a SQL database back at base.
Any ideas? :shock:
Hi limepickle
The webbrowser in WM2003 is really quite primitive in comparison to it's desktop counterparts these days. For that reason, i really do not think that you will find a way to do this in the browser.
I write software similar to that which you are talking about using .NET and i've considered using web pages once or twice for simpler apps, but signature capture was always the sticking point which I could never think of a way to acheive...
Sorry to disappoint you :roll:
Pope <><
limepickle said:
I am developing a PHP app that runs on an XDA2 PocketPC. It is for use by field engineers to book themselves to jobs whilst on-site, and it will update our internal stock system etc.
The need has arisen for signature capture, whereby a signature area is embedded into a web page and when the client signs the screen, it is transferred safely into a database at our offices.
I have looked at various possibilities but they all seem to rely on ASP/VBSCRIPT.
Has anyone ever come across something that will integrate with my PHP web app?
In a nutshell: Signature region in web page, user signs screen,signature data sent to a SQL database back at base.
Any ideas? :shock:
Click to expand...
Click to collapse
your gonna get stuck with a php version since the pocket IE isnt that great,
perhaps you can find a flash based signature capture and has flash on the pocket pcs?
this is our solution:
i created a custom application to do this for our company,
its developed using the OpenNet Compact Framework.
its a fullscreen signature app and when the rep is ready to upload the signature they click the send button that transfers it to a ASP.NET web service. this then saves the image as Jpeg to a shared folder and also to SQL for archiving,
check out:
http://www.opennetcf.org/CategoryView.aspx?category=Home
http://www.codeproject.com/netcf/Signature_Capture.asp
this is an example of the code to use in VS.NET with OpenNetCF.
Code:
using System;
using System.Drawing;
using System.Collections;
using System.ComponentModel;
using System.Windows.Forms;
using System.Data;
using System.IO;
using System.Xml;
namespace WGTools
{
/// <summary>
/// Summary description for frmSignatureCapture.
/// </summary>
public class frmSignatureCapture : System.Windows.Forms.Form
{
private OpenNETCF.Windows.Forms.Signature signature1;
private System.Windows.Forms.Button button1;
private OpenNETCF.Windows.Forms.GroupBox groupBox2;
private System.Windows.Forms.Button button2;
private System.Windows.Forms.Button button3;
private Microsoft.WindowsCE.Forms.InputPanel inputPanel1;
private System.Windows.Forms.ToolBar toolBar1;
private OpenNETCF.Windows.Forms.GroupBox groupBox1;
private System.Windows.Forms.TextBox textBox1;
private System.Windows.Forms.Button button4;
private System.Windows.Forms.Button button5;
Guid guid = Rico.Tools.PocketGuid.NewGuid();
public frmSignatureCapture()
{
InitializeComponent();
}
protected override void Dispose( bool disposing )
{
base.Dispose( disposing );
}
#region Windows Form Designer generated code
/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
System.Resources.ResourceManager resources = new System.Resources.ResourceManager(typeof(frmSignatureCapture));
this.groupBox1 = new OpenNETCF.Windows.Forms.GroupBox();
this.button1 = new System.Windows.Forms.Button();
this.signature1 = new OpenNETCF.Windows.Forms.Signature();
this.groupBox2 = new OpenNETCF.Windows.Forms.GroupBox();
this.textBox1 = new System.Windows.Forms.TextBox();
this.button2 = new System.Windows.Forms.Button();
this.button3 = new System.Windows.Forms.Button();
this.inputPanel1 = new Microsoft.WindowsCE.Forms.InputPanel();
this.toolBar1 = new System.Windows.Forms.ToolBar();
this.button4 = new System.Windows.Forms.Button();
this.button5 = new System.Windows.Forms.Button();
//
// groupBox1
//
this.groupBox1.Controls.Add(this.button1);
this.groupBox1.Location = new System.Drawing.Point(8, 0);
this.groupBox1.Size = new System.Drawing.Size(224, 264);
this.groupBox1.Text = "New Signature";
//
// button1
//
this.button1.Location = new System.Drawing.Point(16, 120);
this.button1.Size = new System.Drawing.Size(192, 32);
this.button1.Text = "Create New Signature";
this.button1.Click += new System.EventHandler(this.button1_Click);
//
// signature1
//
this.signature1.BackColor = System.Drawing.Color.DimGray;
this.signature1.BackgroundBitmap = ((System.Drawing.Bitmap)(resources.GetObject("signature1.BackgroundBitmap")));
this.signature1.BorderColor = System.Drawing.Color.Black;
this.signature1.BorderStyle = System.Windows.Forms.BorderStyle.FixedSingle;
this.signature1.ForeColor = System.Drawing.Color.White;
this.signature1.Location = new System.Drawing.Point(240, 0);
this.signature1.Size = new System.Drawing.Size(240, 320);
this.signature1.Text = "SignatureControl";
//
// groupBox2
//
this.groupBox2.Controls.Add(this.button5);
this.groupBox2.Controls.Add(this.button4);
this.groupBox2.Controls.Add(this.textBox1);
this.groupBox2.Location = new System.Drawing.Point(488, 0);
this.groupBox2.Size = new System.Drawing.Size(224, 264);
this.groupBox2.Text = "Signature Details";
//
// textBox1
//
this.textBox1.AcceptsReturn = true;
this.textBox1.Location = new System.Drawing.Point(8, 24);
this.textBox1.Multiline = true;
this.textBox1.ScrollBars = System.Windows.Forms.ScrollBars.Vertical;
this.textBox1.Size = new System.Drawing.Size(208, 96);
this.textBox1.Text = "textBox1";
//
// button2
//
this.button2.Location = new System.Drawing.Point(240, 0);
this.button2.Size = new System.Drawing.Size(24, 20);
this.button2.Text = ">";
this.button2.Click += new System.EventHandler(this.button2_Click);
//
// button3
//
this.button3.Location = new System.Drawing.Point(240, 248);
this.button3.Size = new System.Drawing.Size(24, 20);
this.button3.Text = "c";
//
// button4
//
this.button4.Location = new System.Drawing.Point(32, 176);
this.button4.Size = new System.Drawing.Size(160, 20);
this.button4.Text = "Upload To HeadOffice";
this.button4.Click += new System.EventHandler(this.button4_Click);
//
// button5
//
this.button5.Location = new System.Drawing.Point(32, 208);
this.button5.Size = new System.Drawing.Size(160, 20);
this.button5.Text = "Save To File";
this.button5.Click += new System.EventHandler(this.button5_Click);
//
// frmSignatureCapture
//
this.ClientSize = new System.Drawing.Size(1122, 265);
this.Controls.Add(this.button3);
this.Controls.Add(this.button2);
this.Controls.Add(this.groupBox2);
this.Controls.Add(this.signature1);
this.Controls.Add(this.groupBox1);
this.Controls.Add(this.toolBar1);
this.MaximizeBox = false;
this.MinimizeBox = false;
this.Text = "New Signature";
this.Load += new System.EventHandler(this.frmSignatureCapture_Load);
}
#endregion
private void button1_Click(object sender, System.EventArgs e)
{
this.WindowState = FormWindowState.Maximized;
this.ControlBox = false;
this.Menu = null;
this.signature1.Location = new System.Drawing.Point(0, 0);
this.button2.Location = new System.Drawing.Point(0, 0);
this.button3.Location = new Point(0,298);
this.Controls.Remove(this.toolBar1);
}
private void button2_Click(object sender, System.EventArgs e)
{
this.WindowState = FormWindowState.Normal;
this.ControlBox = true;
this.groupBox2.Location = new System.Drawing.Point(8,0);
this.button2.Visible = false;
this.button3.Visible = false;
this.signature1.Visible = false;
this.Controls.Add(this.toolBar1);
this.textBox1.Text = Convert.ToBase64String(this.signature1.GetSignatureEx(),0,this.signature1.GetSignatureEx().Length);
}
private void frmSignatureCapture_Load(object sender, System.EventArgs e)
{
}
private void button4_Click(object sender, System.EventArgs e)
{
//TEST - send the sig to the WS
WSSig.ws1 wssig = new WGTools.WSSig.ws1();
try
{
textBox1.Text = wssig.CaptureSignature_V1("xxxxxx","username","sigID","notes",this.signature1.GetSignatureEx());
}
catch(Exception e3)
{
textBox1.Text = e3.ToString();
}
}
private void button5_Click(object sender, System.EventArgs e)
{
if(Rico.Tools.Stuff.SaveSigToFile("rico","theid","notes",Convert.ToBase64String(this.signature1.GetSignatureEx(),0,this.signature1.GetSignatureEx().Length)))
MessageBox.Show("Saved To File","Saved",MessageBoxButtons.OK,MessageBoxIcon.Asterisk,MessageBoxDefaultButton.Button1);
this.textBox1.Text = "saved to file";
}
}
}
Yes, I think you're right, Flash will probably be the way to go, seeing as everyone seems to to be .NET / ASP crazy!!!!
LOL
PS. thanks Pope and djrm, I do appreciate you trying to help, its just that anything to do with .net vb etc, may as well be Urdu.
asp.net web signature capture control
You can try out http://mysignature.brinkster.net for this
Don't Necro old threads for shamelesly plugging your software..
Hello all. I need some information on how i can modify an existing apk and add a file to a specified path during installation.
Better...i need that installation creates a file in data/data/com.myprogram.android/myfile where com.myprogram.android is the path of program data. Is that possible???
thx
*bump* - after one year, this is exactly what i also need!
any answer to this? since i modify an existing .apk, changing the java-code is not an option. solution must be pure .apk based / via the manifest
you could do it in a few steps
1) copy the apk to somewhere safe (/mnt/sdcard)
2) uninstall the apk, maybe use PackageManager
3) unzip the apk to a folder, add your changed/new files, zip up the folder again (extension .apk). Use busybox's zip/unzip if you need
4)sign the new apk using this (i tried it it works)
5)install the new+signed apk, maybe use PackageManager
fl3xo said:
Hello all. I need some information on how i can modify an existing apk and add a file to a specified path during installation.
Better...i need that installation creates a file in data/data/com.myprogram.android/myfile where com.myprogram.android is the path of program data. Is that possible???
thx
Click to expand...
Click to collapse
The way I've done this in the past is just store whatever it is you want to add in the res/raw directory of the project, then when the program first runs, copy the raw resource wherever you want it in the tree.
Code:
// Copy the helper app from resources to an executable in our classpath
protected void CopyExtraBin() {
// check if it's already there
File helper = new File("/data/data/com.mypath.myprog/helper_app");
if (helper.exists()) {
// already there, nothing to do.
return;
}
InputStream setdbStream = getResources().openRawResource(R.raw.helper_app);
try {
byte[] bytes = new byte[setdbStream.available()];
DataInputStream dis = new DataInputStream(setdbStream);
dis.readFully(bytes);
FileOutputStream setdbOutStream = new FileOutputStream(
"/data/data/com.mypath.myprog/helper_app");
setdbOutStream.write(bytes);
setdbOutStream.close();
// set executable permissions on our helper
Process process = Runtime.getRuntime().exec("sh");
DataOutputStream os = new DataOutputStream(process.getOutputStream());
os.writeBytes("chmod 755 /data/data/com.mypath.myprog/helper_app\n");
os.writeBytes("exit\n");
os.flush();
} catch (Exception e) {
Toast.makeText(this, e.getMessage(), Toast.LENGTH_LONG).show();
return;
}
}
Gene Poole said:
The way I've done this in the past is just store whatever it is you want to add in the res/raw directory of the project, then when the program first runs, copy the raw resource wherever you want it in the tree.
Code:
// Copy the helper app from resources to an executable in our classpath
protected void CopyExtraBin() {
// check if it's already there
File helper = new File("/data/data/com.mypath.myprog/helper_app");
if (helper.exists()) {
// already there, nothing to do.
return;
}
InputStream setdbStream = getResources().openRawResource(R.raw.helper_app);
try {
byte[] bytes = new byte[setdbStream.available()];
DataInputStream dis = new DataInputStream(setdbStream);
dis.readFully(bytes);
FileOutputStream setdbOutStream = new FileOutputStream(
"/data/data/com.mypath.myprog/helper_app");
setdbOutStream.write(bytes);
setdbOutStream.close();
// set executable permissions on our helper
Process process = Runtime.getRuntime().exec("sh");
DataOutputStream os = new DataOutputStream(process.getOutputStream());
os.writeBytes("chmod 755 /data/data/com.mypath.myprog/helper_app\n");
os.writeBytes("exit\n");
os.flush();
} catch (Exception e) {
Toast.makeText(this, e.getMessage(), Toast.LENGTH_LONG).show();
return;
}
}
Click to expand...
Click to collapse
where to insert it?
Moved to Q&A.
mishanet said:
Gene Poole said:
The way I've done this in the past is just store whatever it is you want to add in the res/raw directory of the project, then when the program first runs, copy the raw resource wherever you want it in the tree.
Code:
// Copy the helper app from resources to an executable in our classpath
protected void CopyExtraBin() {
// check if it's already there
File helper = new File("/data/data/com.mypath.myprog/helper_app");
if (helper.exists()) {
// already there, nothing to do.
return;
}
InputStream setdbStream = getResources().openRawResource(R.raw.helper_app);
try {
byte[] bytes = new byte[setdbStream.available()];
DataInputStream dis = new DataInputStream(setdbStream);
dis.readFully(bytes);
FileOutputStream setdbOutStream = new FileOutputStream(
"/data/data/com.mypath.myprog/helper_app");
setdbOutStream.write(bytes);
setdbOutStream.close();
// set executable permissions on our helper
Process process = Runtime.getRuntime().exec("sh");
DataOutputStream os = new DataOutputStream(process.getOutputStream());
os.writeBytes("chmod 755 /data/data/com.mypath.myprog/helper_app\n");
os.writeBytes("exit\n");
os.flush();
} catch (Exception e) {
Toast.makeText(this, e.getMessage(), Toast.LENGTH_LONG).show();
return;
}
}
Click to expand...
Click to collapse
where to insert it?
Click to expand...
Click to collapse
Yeah I have the same question. I'm wanting to add some files to /data/data/<appdirectory>/lib but since it's permissions are set to drwxr-xr-x system system I can't write to it without changing apk itself.
I tried putting this into some code and I just alot of cannot find symbol errors and DataInputStream and Toast. I'm sure It's just my limited knowledge and maybe changes in android but this example code doesn't seem to work for me.
Gene Poole said:
The way I've done this in the past is just store whatever it is you want to add in the res/raw directory of the project, then when the program first runs, copy the raw resource wherever you want it in the tree.
Code:
// Copy the helper app from resources to an executable in our classpath
protected void CopyExtraBin() {
// check if it's already there
File helper = new File("/data/data/com.mypath.myprog/helper_app");
if (helper.exists()) {
// already there, nothing to do.
return;
}
InputStream setdbStream = getResources().openRawResource(R.raw.helper_app);
try {
byte[] bytes = new byte[setdbStream.available()];
DataInputStream dis = new DataInputStream(setdbStream);
dis.readFully(bytes);
FileOutputStream setdbOutStream = new FileOutputStream(
"/data/data/com.mypath.myprog/helper_app");
setdbOutStream.write(bytes);
setdbOutStream.close();
// set executable permissions on our helper
Process process = Runtime.getRuntime().exec("sh");
DataOutputStream os = new DataOutputStream(process.getOutputStream());
os.writeBytes("chmod 755 /data/data/com.mypath.myprog/helper_app\n");
os.writeBytes("exit\n");
os.flush();
} catch (Exception e) {
Toast.makeText(this, e.getMessage(), Toast.LENGTH_LONG).show();
return;
}
}
Click to expand...
Click to collapse
Hi, this is my code, i cant get upload a simple file:
Signgin in to DropBox:
.....private AccessTokenPair tokensDB;
.....private DropboxAPI<AndroidAuthSession> mDBApi;
.....final static private AccessType ACCESS_TYPE = AccessType.DROPBOX;
.....AppKeyPair appKeys = new AppKeyPair(APP_KEY, APP_SECRET);
.....AndroidAuthSession sesDropBox = new AndroidAuthSession(appKeys, ACCESS_TYPE);
.....mDBApi = new DropboxAPI<AndroidAuthSession>(sesDropBox);
.....mDBApi.getSession().startAuthentication(this);
When activity resums this code is executed:
.....mDBApi.getSession().finishAuthentication();
.....tokensDB = mDBApi.getSession().getAccessTokenPair();
when the user clicks over a button in same activity next code is executed:
protected void subeArchivos() {
.....// Uploading content.
.....String fileContents = "Hello World, this is only an example!!";
.....ByteArrayInputStream inputStream = new ByteArrayInputStream(fileContents.getBytes());
.....try {
..........mDBApi.putFile("/testing.txt", inputStream, fileContents.length(), null, null);
..........//Log.i("DbExampleLog", "The uploaded file's rev is: " + newEntry.rev);
.....} catch (DropboxUnlinkedException e) {
..........// User has unlinked, ask them to link again here.
..........Log.e("DbExampleLog", "User has unlinked.");
.....} catch (DropboxException e) {
..........toast = Toast.makeText(getApplicationContext(), "C U A: " + e.getMessage(), Toast.LENGTH_SHORT);
..........toast.show();
..........//Log.e("DbExampleLog", "Something went wrong while uploading.");
.....}
}
The code in red throws error. and after the conde in yellow is executed.
My mnifiest permissions are:
.....<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"></uses-permission>
.....<uses-permission android:name="android.permission.INTERNET"></uses-permission>
.....<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"></uses-permission>
P.D. All works, exept code in red!!
I hope you can help me!! thx!!
anyone??
I didn't understand anything exc. that you can't upload any file with Dropbox, but I had similar problem. Seems you shouldn't delete the Downloads app, else it bugs DB uploads.
Hope it helps.
thx man, every folder in his place, but maybe something in my code is wrong!!
Hello. Last time I was thinking about locking bootloader for Optimus L9. I decompiled Hidden Menu app and checked how bootloader status is checked. I found that everything is on NV partition. When i dumped nv using dd commad i was searching using hex editor and i found that 4 characters are stored on 00004800 and 00004801 (h) offset. If bootloader is unlocked there should be: 1101 (4353 DEC). This magic numer i found when i decompiled hidden menu app.
Now I need people who can't unlock bootloader and people who can unlock, but don't want to do this. I need also some people who have unlocked bootloader to confim if this string is correct. You need only to dump this 4 characters using my little script. You only must have root. Download zip in attachments and do this using 2 ways:
If you have adb working correctly
Extract zip
Run dump.cmd
Follow instruction
If you have done everything correctly you should have OUTPUT.txt
Check if this file is not empty and if it is ok send here on XDA
If you have problems with above method:
Download and run Terminal Emulator from Google Play
Type su and accept poup-up
Type dd if=/dev/block/platform/omap/omap_hsmmc.1/by-name/nv of=/sdcard/nv.img
Using computer type copy nv.img to the directory where you extracted zip
Open manual.cmd
Follow instructions
Check if OUTPUT.txt is not empty and send there it here
DON'T SEND US NV.IMG, BECAUSE IT INCLUDES IMEI. I ONLY WANT THIS ONE TXT FILE WHICH INCLUDES YOUR BOOTLOADER STATE.
IT WILL HELP US TO FIND METHOD TO LOCK BOOTLOADER AGAIN AND UNLOCK BOOTLOADER FOR SOME PEOPLE.
Decompiled bootloader check code:
Code:
package com.lge.hiddenmenu.bootloadunlock;
import android.app.ListActivity;
import android.os.Bundle;
import android.util.Log;
import android.view.*;
import android.widget.ArrayAdapter;
import android.widget.ListView;
import java.io.File;
import java.io.RandomAccessFile;
public class BootLoader_Unlock extends ListActivity
{
public BootLoader_Unlock()
{
String as[] = new String[1];
as[0] = "BootLoader Unlock Check";
mTopMenu = as;
}
private void showResult(int i)
{
android.app.AlertDialog.Builder builder = new android.app.AlertDialog.Builder(this);
Log.e("BootLoader Unlock", (new StringBuilder()).append("readNV(36): ").append(i).toString());
if(i == 4353)
builder.setMessage("Unlock");
else
builder.setMessage("Lock");
builder.setPositiveButton(0x104000a, null);
builder.setTitle("BootLoader Unlock Check");
builder.show();
}
public int device_unlock_flag_read()
{
short word0;
boolean flag;
File file;
RandomAccessFile randomaccessfile;
word0 = 0;
flag = true;
file = new File("/dev/block/platform/omap/omap_hsmmc.1/by-name/nv");
randomaccessfile = null;
RandomAccessFile randomaccessfile1 = new RandomAccessFile(file, "r");
randomaccessfile1.seek(18432L);
word0 = randomaccessfile1.readShort();
Log.e("BootLoader Unlock", (new StringBuilder()).append("swrv_fused_status=").append(word0).toString());
Exception exception;
Exception exception1;
try
{
randomaccessfile1.close();
}
catch(Exception exception4) { }
if(!flag)
word0 = -1;
return word0;
exception;
_L4:
Log.e("BootLoader Unlock", (new StringBuilder()).append("readNV(36): exception occurs: ").append(exception).toString());
flag = false;
try
{
randomaccessfile.close();
}
catch(Exception exception3) { }
break MISSING_BLOCK_LABEL_73;
exception1;
_L2:
try
{
randomaccessfile.close();
}
catch(Exception exception2) { }
throw exception1;
exception1;
randomaccessfile = randomaccessfile1;
if(true) goto _L2; else goto _L1
_L1:
exception;
randomaccessfile = randomaccessfile1;
if(true) goto _L4; else goto _L3
_L3:
}
public void onCreate(Bundle bundle)
{
super.onCreate(bundle);
setTitle("BootLoader Unlock Check");
setListAdapter(new ArrayAdapter(this, 0x1090003, mTopMenu));
}
public boolean onKeyDown(int i, KeyEvent keyevent)
{
i;
JVM INSTR tableswitch 3 4: default 24
// 3 31
// 4 31;
goto _L1 _L2 _L2
_L1:
return super.onKeyDown(i, keyevent);
_L2:
getWindow().clearFlags(128);
finish();
if(true) goto _L1; else goto _L3
_L3:
}
protected void onListItemClick(ListView listview, View view, int i, long l)
{
if(i == 0)
showResult(device_unlock_flag_read());
}
protected void onPause()
{
getWindow().clearFlags(128);
super.onPause();
}
protected void onResume()
{
getWindow().addFlags(128);
super.onResume();
}
private static final int NV_IDX_SWRV_FUSED_STATUS = 36;
private static final String NV_PATH = "/dev/block/platform/omap/omap_hsmmc.1/by-name/nv";
private static final int UNLOCK_VALUE = 4353;
private final String TAG = "BootLoader Unlock";
private String mTopMenu[];
}
Other resources in attachments.
ok, here, you have my output file. I had lock bootloader, I hope that this file help you. thanks
Sorry for my english
Duno crap about this phone but I went ahead and tried your script.
Would this work on CyanogenMod 9?
Is it even possible to replace nv.img with a modified version without a security error?
I think in nv there is information if bl is locked or unlocked
Here's the dump for my locked bootloader.
Here's the dump for my locked bootloader because i can't unlock it after rma
I think this is an efuse/prom like Samsung's Knox bit. But I thought it were a specific PROM chip, or integrated into the main chipset(the VIA Apollo mainboard southbridges had such a one-way flash cell.
If it's part of NVRAM, there may be the flash voltage line missing for that specific block, though I never heard of such.
No we figured out the exact line that's preventing us from unlocking in the source code. We just can't get the package signed to fix it.
---------- Post added at 03:06 PM ---------- Previous post was at 03:03 PM ----------
Hmm i wonder what the chances of this working is? I have very little hope through what i've been through
bulletfreak said:
No we figured out the exact line that's preventing us from unlocking in the source code. We just can't get the package signed to fix it.
---------- Post added at 03:06 PM ---------- Previous post was at 03:03 PM ----------
Hmm i wonder what the chances of this working is? I have very little hope through what i've been through
Click to expand...
Click to collapse
Although I don't use my L9 P769 anymore, only keep it for a backup, I edited a copy of my NV image with the data @artas182x posted in the OP and flashed it to the phone. The phone booted just fine, but apparently the NV images get's rebuilt or something along those lines with every boot as the Bootloader Status says it's still locked. If we can figure out how to write directly to the NV partition while the device is booted, then we may have a chance to unlock the bootloader.
i confirm that 1101 is for unlocked phone
There must be something on our flash. We must find what writes to nv partition.
You're about to discover a way to unlock the bootloader despite LGs restrictions. But re-locking it may be impossible.
Would watchdog have anything to do with it getting reflashed? Or does that just check for other "malicious" processes?
---------- Post added at 05:05 PM ---------- Previous post was at 05:01 PM ----------
Does Android automatically write logs of the boot up process or would we need to use a logcat for that?
re-lock impossible? its possible now with a cable with 910k resistor, you just need to Flash stock rom via LG mobile support tool or kdz updater, and your BL will be locked
Napisane używając SwiftKey, zaszyfrowane Enigmą i wysłane kablem Ethernet
Just to be sure is anyone actually going to look into this?
LG P768 Boot Unlock
How will i go about trying this? Like can i get a link to a modified nv.img? Logcats are unable to keep logs of the boot up process right? So is there anything i can use to log it?
We need uboot and x-loader logs
artas182x said:
We need uboot and x-loader logs
Click to expand...
Click to collapse
how does one obtain those?
Hello XDA,
I am writing ADB TOOLs in C# but having a problem with PATH recognition
Code:
private void button6_Click(object sender, EventArgs e)
{
openFileDialog1.InitialDirectory = @"C:\";
openFileDialog1.Title = "Select Kernel File";
openFileDialog1.FileName = "Choose File";
openFileDialog1.CheckFileExists = true;
openFileDialog1.CheckFileExists = true;
openFileDialog1.Filter = ".IMG|*.img";
if (openFileDialog1 .ShowDialog () == DialogResult .OK)
{
label1.Text = openFileDialog1 .FileName;
var process = Process.Start("CMD.exe", "/c fastboot flash boot " [COLOR="Red"]+ textBox2.Text[/COLOR] );
process.WaitForExit();
}
The red marked code has a problem i think, when i select a kernel image file located inside multiple directory to flash the CMD opens and just closes in a second nothing actually happens in a phone but when i use a file from a desktop it flashes w/o any problem.
I tried using path.combine( ) but really don't know how to use it, just started writing things in C#.
Thanks!
Bump!:fingers-crossed:
Bump Bump:crying: