Related
The TWRP Password Protection Thread
Yes, it has been discussed to no end. People say it makes no sense. More importantly, the TWRP team says it makes no sense:
Password protecting TWRP (lockscreen)
http://teamw.in/securetwrp
I've had people ask enough for a protected TWRP that I'm creating this page as a response so I don't have to retype. If you're seeing this page, you're probably asking, "Why doesn't TWRP offer password protection?" You want to lock down your device so that a would-be theif won't be able to wipe your device to get past your lockscreen and/or so they can't wipe away that cool app you bought from the Play Store that will let you track your stolen device via GPS. Well, here's the short answer:
Nothing trumps physical access to your device. If you've lost it, there's no way that TWRP can secure it.
For a longer answer, it's very easy for anyone with just a little bit of knowledge to get around any kind of security that TWRP might have. All they have to do is flash one of the other recoveries that's available that doesn't have password protection to get around it. Most, if not all devices have ways to flash recovery without needing to boot to either Android or recovery (usually via fastboot or download mode / Odin). Quite literally the only way to truly secure your device would be to render the USB port completely unusable which isn't an option for most newer devices that don't have removable batteries. Even then most devices could still be worked with via jtag though it's unlikely that a thief will go to the trouble of paying for a jtag service on a device that has a broken USB port. (Note: I am not recommending that you purposely damage your USB port as it will also likely make it very difficult to recover your device if anything ever goes wrong!)
I also don't want to offer a lockscreen / password protection because it offers such a superficial level of protection. Users rarely read and would skip over any disclaimers that we have that indicate that any protection that we displayed indicating that their device really isn't secure. If your device has fallen into someone else's hands, your best case scenario should be that you hope that they don't get your personal data. If you don't want someone getting your personal data, use Android's device encryption and a good lockscreen.
But it does makes sense in many cases. My objectives with this thread are: to change the minds of the TeamWin team members on this matter, and to discuss the best way to implement TWRP security. I will start by answering TeamWin's post.
1) Most people just want their data safe, not their phones unusable to burglars.
It is true that nothing beats encryption. But encryption with a trivially short PIN, pattern or password is useless. Raw access to the encrypted media allows brute forcing which in almost all realistic cases will recover the key in no time. Making it hard to reach the encrypted media would in these cases provide more security than encryption itself. And in any case, this would be added security, not replacement security, and can only strengthen the system (and in common cases, by a great deal).
The security of some phones is fundamentally broken, and there is nothing TWRP can do to fix that. The only fix could come from updated bootloaders. But bootloaders need to be signed by the phone manufacturer to work (so aftermarket bootloaders are not an option), and many companies are just not serious enough to care.
Case in point: dirty Samsung. All Samsung cares about is ending your warranty if you dare install software of your choice on your own phone. It has made it impossible for developers to overcome this by actually blowing physical fuses within the phone in their bootloaders if you exercise your freedom. Their "upgrade" bootloaders also blow fuses to prevent you from ever downgrading to the more permissive bootloader that might have been in the phone when you first bought it.
They care about invalidating your warranty a lot, but not at all about your data. I can grab a stock S3, flash whatever I want (voiding warranty, or so they say because in many countries it is rightly not so) and get to your data. So it better be encrypted because Sammy is not giving a damn to defend it.
But other phones actually make an effort to defend your data. This is the case of, for instance, all Google Nexus devices, and the OnePlus One. I name these phones because these are the only mass-market phones I know that do not try to take away your tinkering freedom with threats of voided warranties, and so are the only phones I consider when buying. (No feature is worth loosing your freedom IMO.)
These phones actually fully wipe your data when you unlock their bootloaders, a required step before any flashing is allowed. This means that if I grab a bootloader-locked nexus, I can wipe it but not get to the data without the lockscreen code. Well, unless TWRP is flashed. TWRP breaks the security that Google (and others) baked into their phones.
There used to be a good reason to avoid security in the old CWM days: CWM was not touch, and much less was capable of popping up a keyboard. TWRP has gone such a long way forward that now security can be easily implemented. There is no reason to break the security of good phones just because some phones are broken.
One could disallow access to the storage media on their phone (encrypted or not) by installing TWRP with a password and then relocking the bootloader. In this way, the modded phone would be as secure as its stock counterpart. Modding your phone would not longer mean zero security.
2) It turns out that those who want to disable the burglar's ability to reset the phone and sell it can actually do it in many cases!
It so happens that bootloaders usually do not wipe the phone themselves as it is "too complex" an operation. Many times during bootloader unlocking, the bootloader boots stock recovery instructing it to 1) do the wipe, then 2) reset the bootloader lock. If the bootloader is locked and TWRP is installed in place of the stock recovery and TWRP ignores these commands (as current versions do), then there is no way to wipe the data or unlock the bootloader (and thus no way to flash a door to the system) from fastboot.
So if you:
1) setup a TWRP lockscreen,
2) keep a flashable zip that unlocks your bootloader in your phone (see boot unlock scripts),
3) setup an android lockscreen,
4) download a root app that unlocks your bootloader (see BootUnlocker),
5) and lock the bootloader,
...then you are secure. You can recover bootloader access without wiping as long as either one of rooted android and/or recovery works. But you cannot use either without going through their respective lockscreens.
This prevents access to your data, but in the case mentioned here (recovery does the actual bootloader unlock) it also prevents wipes. In this situation, it is not difficult to imagine a burglar attempting to sell you back your own phone on the cheap. Of course suitable contact info would be displayed in your lockscreen. This is even more security than was planned by Google, and not less as is the current situation with TWRP.
I know for a fact that the OnePlus One works in this recovery-invoked-to-unlock-bootloader manner, and I suspect all Nexuses work in the same way. For these phones, anti-theft can be a reality, and getting them back after a robbery, a not so improbable scenario.
NOTE: It should now be obvious why it is very dangerous to lock your bootloader unless a working stock recovery is in place. If you cannot obtain root access in either android or recovery, your recovery is custom (and thus it does not unlock the bootloader), and your bootloader is locked, then you are stuck: you will not be able to unlock your bootloader without a JTAG rig. Under some circumstances this can render your phone unrootable or effectively bricked. This is in part our objective anyway: that burglars are not able to gain control of the phone, not even by full wipe. But it can seriously backfire if you make a configuration mistake or simply forget your passwords. Keep in mind that you can make these mistakes today, without security in TWRP. Bootloader re-locking in a scenario other thank return-to-stock is an intrinsically dangerous operation that only advanced users should attempt.
3) Encryption is insecure unless the boot chain can be trusted.
An adversary that gains physical access to your phone can dump and save a copy of the encrypted partition(s) and plant a password sniffer that later forwards the password to them. You cannot trust your password to a non-tamper-evident device that can be trivially modified. The only way to protect the boot chain from tampering in today's phones is locking the bootloader and restricting access to the recovery.
Countermeasures
Some SoCs are compromised. For example, a signed USB-fed bootloader for the Galaxy Nexus has leaked into the public domain, and with it the SoC of a Galaxy Nexus can be booted entirely via the USB port. A monitor software can be loaded that can read (or write) the complete eMMC (the storage). This is possible because either TI or Samsung leaked a properly signed debugging bootloader. This is an extremely rare case because this bootloader makes you God. I think some Kindle Fires also have a similar thing. Few phones had their security broken so drastically; compromised SoCs are the exception and are very few.
Finally, the attacker could open up the phone and use JTAG to directly access the eMMC. It requires equipment and know-how and work and time, and significantly adds to the full cost of robbing a phone, eating up their profit. Probably almost all phones could be recovered by JTAG.
But of course, there are countermeasures to countermeasures. Many people have discussed damaging JTAG traces, bond wires, or even the IC itself, and some JTAG ports can be irreversibly disabled by design.
Conclusions
1) TWRP is doing nothing in fundamentally insecure phones.
2) TWRP is disabling the security of secure phones.
3) Secure phones with TWRP could be as secure as they are with stock recovery.
4) In some cases phones with TWRP can be even more secure, preventing their unauthorized wiping and reselling.
5) A barrier blocking access to encrypted media can effectively protect more than encryption itself if short keys are used.
6) Encryption is insecure with an unlocked bootloader or an open-access recovery.
We have the rationale, we have the UI, we have the keyboard, and we have the great team of programmers behind TWRP: let's get this old rat hole plugged for good.
Implementation Ideas
Security is never trivial to implement, so I will accumulate some points here to guide the design of a solution. Fell free to contribute.
The passwords must be stored in an irreversible manner, using proven, properly salted cryptographic methods.
The password store (PS) should not be accessible to apps, or else they might attack it by brute-force. In /data/media devices, if the PS is stored in /data/media/0, it should be stored with restrictive permissions such that the fuse daemon will not reflect it into world readable /sdcard. Under kitkar (and even using a permission-less real fat32 /sdcard) files could be made inaccessible under folders in /Android i think. Otherwise the /data partition could work (ugly due interactions with nandroid backups). Also, bytes reserved in the /recovery partition itself could do the trick. NOTE: nandroid backups suffer the same problem: they are world readable copies of your passwords and auth tokens. It is imperative that general solution to this problem be found for TWRP. CM's recovery places the backup files outside of '0' in /data/media which is a good solution for /data/media devices. And going forward, this type of devices should be the norm.
adbd and mtpd should not start before the password is entered.
It is enough to ask for password once per boot.
adb on recovery is the data recovery method of choice when a screen is broken. it should be possible to enter the password via USB to enable adb and mtp with a broken screen. NOTE: by the same token, it should be possible to enter the phone encryption password via USB if any.
Both the recovery lockscreen/password and android lockscreen/password could be the same, since access to android's lockscreen data is needed for encryption support anyway and thus that code is already in place. But then, forget this one password and your phone is a brick!!!
If they are not the same, a way (an app) to change the password (or at least reset it) from root android should be provided.
There could be an official TWRP password manager app that stores the TWRP password in its private data in /data and TWRP could read it from there. (But the interaction with nandroid backups would kinda suck.)
To enter the password over USB, ideally a restricted adbd mode would ask for the password, then restart itself a la "adb root" switcheroo. So that standard adb can be used to enable adbd and another host tool is not needed.
There should be some throttling down of passwords tries both via the recovery popup keyboard and via adb. If the same password is used for android and recovery, then the throttling should not be less aggressive than android's.
Ideally the password hash in the PS should be stored in a way compatible with some proven challenge response authentication so that the data in the PS can support future unlock protocols that do not send the password in the clear.
kind invitation to read this thread:
@Dees_Troy
@bigbiff
thanks!
Lanchon said:
Some SoCs are compromised. For example, a signed USB-fed bootloader for the Galaxy Nexus has leaked into the public domain, and with it the SoC of a Galaxy Nexus can be booted entirely via the USB port. A monitor software can be loaded that can read (or write) the complete eMMC (the storage). This is possible because either TI or Samsung leaked a properly signed debugging bootloader. This is an extremely rare case because this bootloader makes you God. I think some Kindle Fires also have a similar thing. Few phones had their security broken so drastically; compromised SoCs are the exception and are very few.
Click to expand...
Click to collapse
All MediaTek SoCs can be considered compromised, for every single one of them allows the entire ROM to be read back and reflashed using spFlashTool, even with a "locked" 2nd stage bootloader. Furthermore, their source code quality can be considered as "rotten to the core", I would bet my behind on the Mediatek kernel customization containing more than one exploitable hole.
harddisk_wp said:
All MediaTek SoCs can be considered compromised, for every single one of them allows the entire ROM to be read back and reflashed using spFlashTool, even with a "locked" 2nd stage bootloader. Furthermore, their source code quality can be considered as "rotten to the core", I would bet my behind on the Mediatek kernel customization containing more than one exploitable hole.
Click to expand...
Click to collapse
thank you for the contribution. it is good to know that all mediatek devices can be rooted and are effectively unbrickable.
it also seems that the opo is unbrickable: there seems to be a ColorOS leak that flashes the system by debug-booting the qualcomm soc.
This is really important stuff… pitty how most people are more interested in skins than serious security issues. Hope it gets the attention it deserves.
i forgot to mention in the first post that Philz Touch Recovery does have password support. (i think they are actually PINs.) i haven't checked how the security is implemented in Philz though. regrettably that recovery has been discontinued so further investigation seemed useless.
TWRP is such a great piece of software that i simply can't imagine any competition will dare take on it again. that's exactly why it's important to get security merged in TWRP.
Lanchon said:
i forgot to mention in the first post that Philz Touch Recovery does have password support. (i think they are actually PINs.) i haven't checked how the security is implemented in Philz though. regrettably that recovery has been discontinued so further investigation seemed useless.
TWRP is such a great piece of software that i simply can't imagine any competition will dare take on it again. that's exactly why it's important to get security merged in TWRP.
Click to expand...
Click to collapse
3 people in the entire world do a majority of the work for TWRP. We are welcome for contributions to the TWRP projcect at OMNI's gerrit for people who want to get this done.
bigbiff said:
3 people in the entire world do a majority of the work for TWRP. We are welcome for contributions to the TWRP projcect at OMNI's gerrit for people who want to get this done.
Click to expand...
Click to collapse
i thought of that, but adding a feature like this to TWRP probably requires too much effort for somebody who doesnt know the codebase. i imagine that TWRP is sort of an app framework in itself. i chose to advocate for it instead of implementing, i just can't justify the effort it would take *me*. i also tried to help by centralizing ideas on how it should be implemented, if somebody chooses to.
anyway, it's great to know you are not opposing the idea and you would consider merging if somebody implements, that is a good start.
btw, there is a tangentially related issue i'd love to hear your opinion on:
i hear TWRP can mount encrypted partitions and there is a UI for entering PINs, passwords, patterns etc. but i dont have my phone encrypted because if i break my display with the phone encrypted then im toast: i cant extract my files from the device anymore.
would you consider implementing a way to enter the encryption password via usb? maybe some sort of adb shell command?
UPDATE: Added a third item to the OP...
3) Encryption is insecure unless the boot chain can be trusted.
An adversary that gains physical access to your phone can dump and save a copy of the encrypted partition(s) and plant a password sniffer that later forwards the password to them. You cannot trust your password to a non-tamper-evident device that can be trivially modified. The only way to protect the boot chain from tampering in today's phones is locking the bootloader and restricting access to the recovery.
Thank you very much for this call, I highly appreciate it! Me, I consider securing Recovery also very essential, but instead of coding a patch I would like to contribute the overall discussion:
having a locked bootloader normally restricts you to booting a stock kernel without a bootloader-valid signature, right? Otherwise you could simply fastboot any kernel without flashing. But this can be an issue in case your kernel is outdated and has other security flaws which e.g. make it vulnerable from remote. In this case, you secure your device from offline attacks but stay vulnerable to online attacks. The hard questions is: which attacks are more realistic?
in "good old cm7 times", maniac103 implemented a password-protected CWM for the Motorola Defy which was based on entering a password sequence using the sensor keys (back, home, search etc.). See this commit.
many people argue against Android encryption because it is based on the "same password as for the screen unlock". This is essentially not true: It's just the front-end in almost all Stock ROMs which does not support it - the back-end does. You can set a much stronger passphrase for protecting your encryption key using comand line or a tool like this or this (both require root, stupid!). You still suffer from the hardcoded limitations in crypt.c (like only 2000 rounds, just 128bit AES, maximum 16 char limitation etc.) but much better than having just a numeric PIN! Please note that Android 5.0 also tries to store the encryption key in a more secure location than the footer of the disk partition as outlined here.
Even if you could overcome a TWRP password on a bootloader-unlocked device easily by fastbooting a different boot image, it still raises obstacles for a "stupid" attacker (e.g. you need a device with USB and not just a microSD card or USB drive+OTG cable). Although I would still consider it "security by obscurity", in essence, it's going in the same direction as JTAG also being hard(er) to exploit.
The same argument accounts for "dumping your encrypted partition and installing a sniffer" - it raises the barrier and the victim will likely notice that something is wrong (unless it's using a device that's unstable...) because the device will be off or rebooted. A counter-measure would be: if you find your device in such a state, boot into recovery and compare checksums of your boot and system partitions - probably many even more advanced attackers will probably forget to install rogue versions of md5sum/sha256 etc, and of course you could also carry a write-protected USB drive+OTG cable with a clean boot image, provided TWRP would allow you to boot from that (which afaik it currently does not).
Considering the huge security breach of an unprotected recovery, I would consider the option to recover stuff via adb from recovery a secondary objective. A more effective approach which could help against the problem of non-recoverable data from a hardware failure would be having the data already external - like in the approach I posted in this thread where I argue against keeping private data in internal phone memory. Unfortunately, on many devices this will not work with a locked bootloader unless you manage to modify the rootfs elsewise (but I assume recoveries like Philz seem to manage it already somehow with locked bootloaders).
There are many other attack vectors like a memory freeze which a locked bootloader can certainly make more difficult.
For instance, if we had a tool like https://play.google.com/store/apps/details?id=net.segv11.bootunlocker compatible with the OPO, it would be easy to have a pretty secure custom rom.
Scenario (encrypted of course) : unlocked bootloader, TWRP to flash some stuff, back to stock recovery then lock bootloader.
Each time you need back a custom recovery, you unlock the bootloader and to your stuff.
I always did that for the Nexus 4.
Defier525 said:
having a locked bootloader normally restricts you to booting a stock kernel without a bootloader-valid signature, right? Otherwise you could simply fastboot any kernel without flashing. But this can be an issue in case your kernel is outdated and has other security flaws which e.g. make it vulnerable from remote. In this case, you secure your device from offline attacks but stay vulnerable to online attacks. The hard questions is: which attacks are more realistic?
Click to expand...
Click to collapse
thanks!
no, it does not. android reference bootloaders (nexus, opo, etc) do not check kernel signatures when locked. they just disallow flash and boot commands. your point here is void.
Defier525 said:
Even if you could overcome a TWRP password on a bootloader-unlocked device easily by fastbooting a different boot image, it still raises obstacles for a "stupid" attacker (e.g. you need a device with USB and not just a microSD card or USB drive+OTG cable). Although I would still consider it "security by obscurity", in essence, it's going in the same direction as JTAG also being hard(er) to exploit.
Click to expand...
Click to collapse
personally i do not consider connecting the device to a host being any kind of bar raising at all. it is the realm of script kiddies and the standard way stolen phones are reset and/or returned to stock when they have a screen lock.
JTAG, on the other hand, is. it requires physically disassembling the phone and maybe modifying the board. it requires hardware and software tools that are not in the arsenal of the usual adversary. (i am not talking about the NSA!) i have JTAG hardware and use OpenOCD for hardware development but i have never attempted to JTAG a phone and probably never will. it is just too much trouble; not worth it.
modded phones will always be a minority. as long as mainstream phones do not need JTAG after being stolen, i predict modded phones that require JTAG to be recycled will not be recycled and will be sold for parts or maybe resold to the owner at a reduced price. (the "hey, i found this phone..." scenario.)
Defier525 said:
Considering the huge security breach of an unprotected recovery, I would consider the option to recover stuff via adb from recovery a secondary objective. A more effective approach which could help against the problem of non-recoverable data from a hardware failure would be having the data already external - like in the approach I posted in this thread where I argue against keeping private data in internal phone memory. Unfortunately, on many devices this will not work with a locked bootloader unless you manage to modify the rootfs elsewise (but I assume recoveries like Philz seem to manage it already somehow with locked bootloaders).
Click to expand...
Click to collapse
i do not. i do not encrypt my phone because i would not be able to access it with a broken screen. that proposition is unthinkable for me. i use software fallbacks such as keepass. this is a matter of priorities.
also, i dont consider the sdcard hack to be a valid alternative. i will answer to your thread here (but keep in mind that even if it were a valid alternative, this thread is about securing the recovery, not about other options):
-using an external encrypted sdcard with an untrusted boot chain leaves you vulnerable to all caveats of internal encryption, plus more. eg: wiping the phone to get control of its bootloader to plant an attack does not wipe the sdcard.
-the sdcard can be trivially dumped even with a trusted boot chain in place.
-many phones today, including my last 4 phones, do not even have sdcard slots (eg, most of the "free" phones: nexuses and the opo; some GPE phones do have slots) and you can expect the number keep falling down.
-sdcards are extremely slow compared to internal flash.
-sdcards tend to use much more power than internal flash.
-sdcards tend to be unreliable.
-the FTL in sdcards is not designed to handle the constant writing android will subject /data to. most FTLs do not provide good wear leveling, specially if cards are mostly full, and as a result the cards would probably fail soon.
-ASOP encryption of /data is all that is needed since the emulated "internal sdcard" is backed by storage in /data/media since reference android 4.0
-eMMCs in phones *do* provide secure erase commands! it has been a required part of the eMMC standard for years. commands are: SECURE ERASE and SECURE TRIM, and maybe later they added a SECURE DISCARD command, not sure. furthermore, reference android recovery does use these commands while wiping a phone.
Xoib said:
For instance, if we had a tool like https://play.google.com/store/apps/details?id=net.segv11.bootunlocker compatible with the OPO, it would be easy to have a pretty secure custom rom.
Scenario (encrypted of course) : unlocked bootloader, TWRP to flash some stuff, back to stock recovery then lock bootloader.
Each time you need back a custom recovery, you unlock the bootloader and to your stuff.
I always did that for the Nexus 4.
Click to expand...
Click to collapse
this is not solution. you can do this with the opo. it is trivial to use adb shell or the terminal to unlock the bootloader.
but what if android does not boot for any reason? you loose access to your phone? this is not a valid alternative for me.
Lanchon said:
this is not solution. you can do this with the opo. it is trivial to use adb shell or the terminal to unlock the bootloader.
but what if android does not boot for any reason? you loose access to your phone? this is not a valid alternative for me.
Click to expand...
Click to collapse
How do you do that with adb/fastboot without wipe ? (I mean I know oem lock / unlock but unlock implied wiping right)
For your second point, even if I lost access to the android boot, I always get fastboot screen so for me it's a pretty good alternative.
Xoib said:
How do you do that with adb/fastboot without wipe ? (I mean I know oem lock / unlock but unlock implied wiping right)
For your second point, even if I lost access to the android boot, I always get fastboot screen so for me it's a pretty good alternative.
Click to expand...
Click to collapse
you have to change one bit. you need to be root. there are threads that discuss how to, google them.
Lanchon said:
you have to change one bit. you need to be root. there are threads that discuss how to, google them.
Click to expand...
Click to collapse
Right, but adb don't use this trick.
That's why I said it will be cool when the bootunlocker app upgrade to handle OPO address bit.
Thank you for these comments! But could you (re-)post the arguments concerning the fitness of sdcards for /data in the other thread, please? This way we could keep the discussion more focused.
JTAG vs. fastboot: I agree with you, JTAG is a much higher obstacle for a thief and probably most will not go this way while I guess most "bring back to stock" tools work over fastboot anyways. I was just considering a different scenario, e.g. you leave your phone unattended for some minutes on a party.
Data recovery in case of hardware failure: Well this is in conflict with getting more security, unless you additionally secure adb in Recovery like you proposed...
Internal sdcard in /data/media since AOSP 4.0: This was new to me, but it seems to be implemented this way in my Nexus S. I just wonder why my Xperia V does not handle it this way then?
eMMC and secure erase: Okay this was new to me as well. But afaik, TWRP does not use these commands for wiping, does it?
locked bootloader and password protected TWRP: What if an attacker would try to fastboot erase the data or recovery partition? Will a locked, properly implemented bootloader prevent that?
My sd hack in general: I agree, that if this hack only works with a unlocked bootloader (like probably on my Sony) it is less secure than having a locked bootloader even without encryption. Therefore, I was already considering re-locking the bootloader and disabling the hack, but using at least a non-stock userland. Yet, the stock kernel will probably not see any updates anymore and thus will be vulnerable to any upcoming threats.
Yet I think that we both agree in the point, that having password protected TWRP would enhance security. Since TWRP already has all means of a password-unlocker screen in place (for dealing with encrypted /data), it should be trivial to provide a patch which asks for a password before it lets you do anything in TWRP. Maybe if I find some time I can try to see what it would take to implement it, but I am quite busy these days.
Nevertheless, I am quite interested in discussing the security of locked bootloaders and any attack vectors over fastboot in general here.
Hey Guys,
I've been using the OnePlus One (Bacon) for the past year and I'd like to switch however the OnePlus One has no 'Secure Boot' not to be confused with 'Locked Bootloader'
I can modify partitions like the SBL (Secondary Bootloader), ABOOT (Android Bootloader) and the Modem without the phone not booting.
Can anyone recommend a phone that either ships without any boot verification chain or has the option to disable 'Secure Boot'
(dylanger) said:
Hey Guys,
I've been using the OnePlus One (Bacon) for the past year and I'd like to switch however the OnePlus One has no 'Secure Boot' not to be confused with 'Locked Bootloader'
I can modify partitions like the SBL (Secondary Bootloader), ABOOT (Android Bootloader) and the Modem without the phone not booting.
Can anyone recommend a phone that either ships without any boot verification chain or has the option to disable 'Secure Boot'
Click to expand...
Click to collapse
I would assume the OPX and OP2 and possibly the OPPO [Find] devices would be similar in this regard, given their relationship. I have access to the OPX/OP2 but haven't had the time to dig into them yet. The new Intels might also be an option with the `fastboot flash keystore` function, so that you can use your own key for boot verification. I haven't had a chance to dig into it yet to see how much you can modify, but from what I gather, they will try to verify boot using the user keystore, followed by the OEM keystore.
binsol said:
I would assume the OPX and OP2 and possibly the OPPO [Find] devices would be similar in this regard, given their relationship. I have access to the OPX/OP2 but haven't had the time to dig into them yet. The new Intels might also be an option with the `fastboot flash keystore` function, so that you can use your own key for boot verification. I haven't had a chance to dig into it yet to see how much you can modify, but from what I gather, they will try to verify boot using the user keystore, followed by the OEM keystore.
Click to expand...
Click to collapse
Cheers for your response. Yeah I haven't even looked at the new Intel CPUs yet, oooo damn a 'fastboot flash keystore' would be very nice. This feature should be on all devices? I wonder why vendors don't just give consumers full access to the hardware.
A quick question. Is the OEM Keystore stored on the Flash or CPU? I guess it would be protected once the OS has booted but that wouldn't protect it against JTAG if its stored on Flash.
(dylanger) said:
Cheers for your response. Yeah I haven't even looked at the new Intel CPUs yet, oooo damn a 'fastboot flash keystore' would be very nice. This feature should be on all devices? I wonder why vendors don't just give consumers full access to the hardware.
A quick question. Is the OEM Keystore stored on the Flash or CPU? I guess it would be protected once the OS has booted but that wouldn't protect it against JTAG if its stored on Flash.
Click to expand...
Click to collapse
I originally thought the OEM keys were burnt-in on a ROM chip, but the more I read about it, it sounds like they're stored in a protected partition on eMMC. The eMMC 4.x+ spec suggests this is the case with the "Replay Protected Memory Block," little kernel source has references to similar protected memory. I'm just starting to dig into into it, but I'm pretty interested to know if it can be DMA'd.
I'm expecting the fastboot flash keystore to become common with late M or N devices with how Google is pushing the verified boot stuff (alerting the user about tampered boot). This would give their warnings a lot more value, since then you could sign your own modifications and only be alerted if something else then made changes to the boot.
The flash keystore seems to have a bunch in common with the (Windows) UEFI secureboot. I would assume that's a reason Intel has a jump on it.
binsol said:
I originally thought the OEM keys were burnt-in on a ROM chip, but the more I read about it, it sounds like they're stored in a protected partition on eMMC. The eMMC 4.x+ spec suggests this is the case with the "Replay Protected Memory Block," little kernel source has references to similar protected memory. I'm just starting to dig into into it, but I'm pretty interested to know if it can be DMA'd.
I'm expecting the fastboot flash keystore to become common with late M or N devices with how Google is pushing the verified boot stuff (alerting the user about tampered boot). This would give their warnings a lot more value, since then you could sign your own modifications and only be alerted if something else then made changes to the boot.
The flash keystore seems to have a bunch in common with the (Windows) UEFI secureboot. I would assume that's a reason Intel has a jump on it.
Click to expand...
Click to collapse
Interesting... I'm guessing Google will use qFuses to track weather or not the boot process has been tampered with. I wonder where the splash screens are located as I guess one could just replace the Tampered Boot screen with the normal boot one.
Surely all areas of the eMMC would be accessible via something like JTAG?
Hmm, yeah it would make sense for Little Kernel to check the OS'es Kernel integrity, something like Get Key from Keystore into a variable, then check against the actual Kernel image?
Little Kernel pretty interesting actually, from what I've gathered it controls stuff like entering modes (Holding Power + VolUp will enter Recovery or Fastboot etc) and Fastboot, have you ever tried to load LK into IDA? Integrating something like the Cerberus App into ABOOT would be awesome, Anti-Theft at the bootloader!
(dylanger) said:
Interesting... I'm guessing Google will use qFuses to track weather or not the boot process has been tampered with. I wonder where the splash screens are located as I guess one could just replace the Tampered Boot screen with the normal boot one.
Surely all areas of the eMMC would be accessible via something like JTAG?
Hmm, yeah it would make sense for Little Kernel to check the OS'es Kernel integrity, something like Get Key from Keystore into a variable, then check against the actual Kernel image?
Little Kernel pretty interesting actually, from what I've gathered it controls stuff like entering modes (Holding Power + VolUp will enter Recovery or Fastboot etc) and Fastboot, have you ever tried to load LK into IDA? Integrating something like the Cerberus App into ABOOT would be awesome, Anti-Theft at the bootloader!
Click to expand...
Click to collapse
I would guess the splash screen is in aboot, since it's the first thing with graphics output, and its alerting you that boot.img onward has been tampered with. If you can replace the splash screens, I'd assume you could break the whole chain since you'd already be altering aboot.
I think if you had raw access to the eMMC, you could replace the keystore. Do you know if JTAG is accessible on the OPO or similar devices? I read somewhere that JTAG is generally disabled/removed from non-engineering devices with 800+ series snapdragons. I've had no luck tracking down the JTAG so far on the board. All I've been able to get is UART.
binsol said:
I would guess the splash screen is in aboot, since it's the first thing with graphics output, and its alerting you that boot.img onward has been tampered with. If you can replace the splash screens, I'd assume you could break the whole chain since you'd already be altering aboot.
I think if you had raw access to the eMMC, you could replace the keystore. Do you know if JTAG is accessible on the OPO or similar devices? I read somewhere that JTAG is generally disabled/removed from non-engineering devices with 800+ series snapdragons. I've had no luck tracking down the JTAG so far on the board. All I've been able to get is UART.
Click to expand...
Click to collapse
Ah true, I didn't know ABOOT was the first process with Graphics Output, cheers for that
Really!? I'd assume that JTAG access is enabled for support purposes? The whole "My phones doesn't work" so you send it in? And they'd just re-partition everything?
I bought a RiffBox along time ago (Never actually used it -_-), that allowed direct access to eMMC, read and write you could dump and write whole bin images.
Another quick question, it was my understanding that some of the boot process used ARM's TrustZone or TZ to store keys.
(dylanger) said:
Ah true, I didn't know ABOOT was the first process with Graphics Output, cheers for that
Really!? I'd assume that JTAG access is enabled for support purposes? The whole "My phones doesn't work" so you send it in? And they'd just re-partition everything?
I bought a RiffBox along time ago (Never actually used it -_-), that allowed direct access to eMMC, read and write you could dump and write whole bin images.
Another quick question, it was my understanding that some of the boot process used ARM's TrustZone or TZ to store keys.
Click to expand...
Click to collapse
The source on the JTAG is evading me at the moment, but iirc the reasoning is that its a huge security hole (shocker...), and not really necessary as the new QC chips are generally regarded as unbrickable, though I have one here that would disagree. You can put the OPO into Qcom download mode and push stock images to the (logical) disk. Will get you out of most bricks, like if you delete boot/recovery and lock the bootloader. I haven't spent enough time digging into it yet to know if you can get raw emmc access that way.
TrustZone is used for secure execution and protected memory. From the LK source it looks like the eMMC keystore is dropped into TZ early in the boot. https://www.codeaurora.org/cgit/qui...rget/msm8974/init.c?h=LA.BR.1.3.2_rb3.16#n362
binsol said:
The source on the JTAG is evading me at the moment, but iirc the reasoning is that its a huge security hole (shocker...), and not really necessary as the new QC chips are generally regarded as unbrickable, though I have one here that would disagree. You can put the OPO into Qcom download mode and push stock images to the (logical) disk. Will get you out of most bricks, like if you delete boot/recovery and lock the bootloader. I haven't spent enough time digging into it yet to know if you can get raw emmc access that way.
TrustZone is used for secure execution and protected memory. From the LK source it looks like the eMMC keystore is dropped into TZ early in the boot. https://www.codeaurora.org/cgit/qui...rget/msm8974/init.c?h=LA.BR.1.3.2_rb3.16#n362
Click to expand...
Click to collapse
Oh the "Download" mode (The sort of last defence, I think its Power in + Volup + Power Button or something), would that be controlled by ABOOT or is it a SoC function? If it is controlled by ABOOT then it could be corrupted pretty easily.
If its controlled by the SoC then where would the code be stored?
(dylanger) said:
Oh the "Download" mode (The sort of last defence, I think its Power in + Volup + Power Button or something), would that be controlled by ABOOT or is it a SoC function? If it is controlled by ABOOT then it could be corrupted pretty easily.
If its controlled by the SoC then where would the code be stored?
Click to expand...
Click to collapse
The key combo trigger is in ABOOT: https://www.codeaurora.org/cgit/quic/la/kernel/lk/tree/app/aboot/aboot.c?h=LA.BR.1.3.2_rb3.16#n3280
However, I wouldn't be surprised if its stored in a different partition (ie dbi), then sbl could auto-boot it in the event of corrupt ABOOT. That would make sense to me, but I haven't purposefully erased or flashed a bad ABOOT yet to find out. The one I bricked here can still get into download mode, yet I cant get any other response from ABOOT if I boot it normally, pretty anecdotal, but leads me to believe the download mode is affected by corrupted ABOOT.
binsol said:
The key combo trigger is in ABOOT: https://www.codeaurora.org/cgit/quic/la/kernel/lk/tree/app/aboot/aboot.c?h=LA.BR.1.3.2_rb3.16#n3280
However, I wouldn't be surprised if its stored in a different partition (ie dbi), then sbl could auto-boot it in the event of corrupt ABOOT. That would make sense to me, but I haven't purposefully erased or flashed a bad ABOOT yet to find out. The one I bricked here can still get into download mode, yet I cant get any other response from ABOOT if I boot it normally, pretty anecdotal, but leads me to believe the download mode is affected by corrupted ABOOT.
Click to expand...
Click to collapse
I've successfully nulled out some fastboot commands before for Anti-Theft, but I'm pretty sure if you have access to Qualcomm's download mode you should be able to re-flash the ABOOT partition and get out of that brick?
Do you think that OnePlus would ever make LK/ABOOT open source? I'd love to be able to create my own bootloader, I wonder if any vendors do this because I'd buy one of their phones immediately!
Going off topic a little bit:
Have you ever looked into Qualcomm's DIAG mode with QPST? A lot of interesting stuff, I know they lock the modem's NV data down with an SPC (Special Programming Code) its a 6 digit PIN. I wonder if anyone has tried to brute-force this PIN? Because the data would allow you to do lots of interesting stuff like have the phone run on completely unsupported frequencies.
(dylanger) said:
I've successfully nulled out some fastboot commands before for Anti-Theft, but I'm pretty sure if you have access to Qualcomm's download mode you should be able to re-flash the ABOOT partition and get out of that brick?
Do you think that OnePlus would ever make LK/ABOOT open source? I'd love to be able to create my own bootloader, I wonder if any vendors do this because I'd buy one of their phones immediately!
Going off topic a little bit:
Have you ever looked into Qualcomm's DIAG mode with QPST? A lot of interesting stuff, I know they lock the modem's NV data down with an SPC (Special Programming Code) its a 6 digit PIN. I wonder if anyone has tried to brute-force this PIN? Because the data would allow you to do lots of interesting stuff like have the phone run on completely unsupported frequencies.
Click to expand...
Click to collapse
I doubt they will, I think support is a pretty big reason they dont release it. That and the number of people who would actually roll their own would be pretty small. Though I would love if they did.
Were you able to make changes to the OPO ABOOT? I saw your IDA post the other day.
It's bee a while since I was digging around in QPST, there was quite a bit of research done for unlocking additional bands on the OPO, generally being inconclusive. http://forum.xda-developers.com/one...ock-aditional-bands-qualcomm-t2877031/page100
https://nathanpfry.com/wip-band-4-band-17-on-chinamobile-oneplus-one/
binsol said:
I doubt they will, I think support is a pretty big reason they dont release it. That and the number of people who would actually roll their own would be pretty small. Though I would love if they did.
Were you able to make changes to the OPO ABOOT? I saw your IDA post the other day.
It's bee a while since I was digging around in QPST, there was quite a bit of research done for unlocking additional bands on the OPO, generally being inconclusive. http://forum.xda-developers.com/one...ock-aditional-bands-qualcomm-t2877031/page100
https://nathanpfry.com/wip-band-4-band-17-on-chinamobile-oneplus-one/
Click to expand...
Click to collapse
Indeed I was, I used a Hex Editor to null out (\x00) commands like "fastboot flash", "fastboot erase" and "fastboot oem"
Its very irritating, IDA can read everything up until the apps_init function.
Here's a snippet of the apps_init boot process from Reverse Engineering Android's Aboot book (http://newandroidbook.com/Articles/aboot.html)
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
When IDA got to loading any app, I.E fastboot it would get obfuscated and just render as hex. Have you tried to play around with ABOOT before? So close to actually seeing ARM Assembly.
(dylanger) said:
Indeed I was, I used a Hex Editor to null out (\x00) commands like "fastboot flash", "fastboot erase" and "fastboot oem"
Its very irritating, IDA can read everything up until the apps_init function.
Here's a snippet of the apps_init boot process from Reverse Engineering Android's Aboot book (http://newandroidbook.com/Articles/aboot.html)
When IDA got to loading any app, I.E fastboot it would get obfuscated and just render as hex. Have you tried to play around with ABOOT before? So close to actually seeing ARM Assembly.
Click to expand...
Click to collapse
That's cool, I'll start probing around. I haven't messed with aboot in IDA at all, but I've used IDA a lot in a past.
Do you think the obfuscation is deliberate? Also have you tried some of the mbn scripts around? http://forum.xda-developers.com/showthread.php?t=2641245
I've seen a few references to them when people are reversing bootloaders.
binsol said:
That's cool, I'll start probing around. I haven't messed with aboot in IDA at all, but I've used IDA a lot in a past.
Do you think the obfuscation is deliberate? Also have you tried some of the mbn scripts around? http://forum.xda-developers.com/showthread.php?t=2641245
I've seen a few references to them when people are reversing bootloaders.
Click to expand...
Click to collapse
Really? Reverse Engineering is pretty fun, really getting into the mind of the developer.
Yeah use that plugin,
Oooo I have have found the code that loads fastboot.c
The obfuscation may have been my fault, I've loaded in ABOOT from Color OS and it looks like everything is okay now.
Woohoo! Check that out!
After poking around a little bit more, ColorOS is a KitKat ROM that uses an older ABOOT, that's why it successfully opened in IDA.
If I open ABOOT from OnePlus One's latest firmware (cm-12.1-YOG4PAS1N0-bacon-signed) I get this
Now I think its doing this because the plugin provided by MemoryController is outdated, I have no idea how to create these scripts/plugins for IDA, if anyone does know please let me know, I think this could also unlock the ability to change the boot splash screens on newer firmware as the images in the LOGO partition are encrypted, the code inside of this newer ABOOT could contain the decryption process.
Back to the older KitKat ABOOT here is the boot.img (Kernel) loading code just FYI:
We should probably move this thread over to your OPO topic, It'll probably get move views over there:
http://forum.xda-developers.com/oneplus-one/general/oneplus-one-lk-little-kernel-bootloader-t3269111
binsol said:
I read somewhere that JTAG is generally disabled/removed from non-engineering devices with 800+ series snapdragons.
Click to expand...
Click to collapse
This isn't specifically the source I was thinking of when I wrote that, but it also suggests that JTAG is generally disabled:
http://recon.cx/2013/slides/Recon20...uditing Android's Proprietary Bits-public.pdf
Slides 31,48
binsol said:
This isn't specifically the source I was thinking of when I wrote that, but it also suggests that JTAG is generally disabled:
http://recon.cx/2013/slides/Recon20...uditing Android's Proprietary Bits-public.pdf
Slides 31,48
Click to expand...
Click to collapse
Ah yeah I've seen this, I'm actually digging into the vendor-ril driver (libril-qc-qmi-1.so) as I'd like to share the baseband of one device to another.
Interesting I've found come code referencing "QCRIL_EVT_HOOK_UNSOL_ENGINEER_MODE", UNSOL means Unsolicited Command, meaning its an incoming command from the base band to the upper layers of the RIL, looks kind of backdoor-ey to me, perhaps remote enabling of Engineer Mode?
I've also just seen (I guess) is the SIM PIN and PUK verification code?
Should I create another thread? Would you be interested in discussing further?
There were a lot of interesting strings in the modem last time I looked, like stuff relating to http and hdmi (video drm?). Is this the OnePlus One modem? It would probably make sense to make a thread in that forum. I'm not sure how much interest it would generate here.
Hey guys,
So thanks to this thread : https://forum.xda-developers.com/pixel-2-xl/how-to/guide-qxdm-port-activation-pixel-2-xl-t3884967
I got my com ports open (see attached photo)
I cant however get past the part about pdc , as pdc gives me "QMI connection not ready, please use USB driver version 1.00.32 or later and fix the connection before using PDC tool."
I'm not sure how to go about fixing this but if we can, then there is the possibility that we could enable voLTE/voWIFI on the pixel 3 with carriers who don't support it(such as bouygues, who supports voLTE but not anything else)
I'm wondering if it is the qpst version I am using or something else?
I am on windows 7 and also had to disable driver signature enforcement.
Hello!
Did you achieve progress in this issue after the publication of the message?
Any success?? I have this damn same issue on my Redmi 4x...
Has anyone figured out the correct drivers yet?
Ingenium13 said:
Has anyone figured out the correct drivers yet?
Click to expand...
Click to collapse
Check this method! Hope this helps.
crok.bic said:
Check this method! Hope this helps.
Click to expand...
Click to collapse
He already mentioned in his last line that he is using windows 7 and also disabled driver signature enforcement.
can you tell me steps for enable QPST on pixel 3
Xdevillived666 said:
Hey guys,
So thanks to this thread : https://forum.xda-developers.com/pixel-2-xl/how-to/guide-qxdm-port-activation-pixel-2-xl-t3884967
I got my com ports open (see attached photo)
I cant however get past the part about pdc , as pdc gives me "QMI connection not ready, please use USB driver version 1.00.32 or later and fix the connection before using PDC tool."
I'm not sure how to go about fixing this but if we can, then there is the possibility that we could enable voLTE/voWIFI on the pixel 3 with carriers who don't support it(such as bouygues, who supports voLTE but not anything else)
I'm wondering if it is the qpst version I am using or something else?
I am on windows 7 and also had to disable driver signature enforcement.
Click to expand...
Click to collapse
can you tell me steps for enable QPST on pixel i am unable to open port on my pixel
Gautamgzb2 said:
can you tell me steps for enable QPST on pixel i am unable to open port on my pixel
Click to expand...
Click to collapse
Hey. I honestly dont remember now. Its been a long time and it was a lot of trial and error by reading that thread I linked. In the end it was useless because A-google no longer provides images for debugging purposes and B-PDC tool doesnt recognize pixel 3 even after opening the ports. Sorry man.
i hve enabled diag port fully edited values in qxdm took ota updates but upon re locking bootloader pixel 3 resets every change i made what the hell how can factory reset revert nvram changes.
"QPST" stands for "Qualcomm Product Support Tool". It's a proprietary tool used to directly write a binary image to the NAND devices on the device. Neither QPST nor the binary images are freely available, and are generally only used during the factory process to flash the initial firmware to the device.
V0latyle said:
"QPST" stands for "Qualcomm Product Support Tool". It's a proprietary tool used to directly write a binary image to the NAND devices on the device. Neither QPST nor the binary images are freely available, and are generally only used during the factory process to flash the initial firmware to the device.
Click to expand...
Click to collapse
Hmmm, no, not true. Qpst / qfil is freely available, We've used it many times with various LG devices especially.
The binary images are freely available for many devices, here's a list of the binary images free to download for the pixel 3 (from google):
In addition, for LG devices, anyone can freely download the kdz image, which is the entire rom, and use the kdz extraction tool to retrieve any individual partition image.
Not all carriers, like at&t / sprint, don't make their kdz available, thus no access to those images, but most do.
AsItLies said:
Hmmm, no, not true. Qpst / qfil is freely available, We've used it many times with various LG devices especially.
The binary images are freely available for many devices, here's a list of the binary images free to download for the pixel 3 (from google):
In addition, for LG devices, anyone can freely download the kdz image, which is the entire rom, and use the kdz extraction tool to retrieve any individual partition image.
Not all carriers, like at&t / sprint, don't make their kdz available, thus no access to those images, but most do.
Click to expand...
Click to collapse
So QPST can be used to flash bootloader, at which point someone should be able to use adb to flash the factory images? Wouldn't someone need to know the starting/ending addresses when writing to block devices?
Is there a reputable source from which to download QPST?
V0latyle said:
So QPST can be used to flash bootloader, at which point someone should be able to use adb to flash the factory images? Wouldn't someone need to know the starting/ending addresses when writing to block devices?
Is there a reputable source from which to download QPST?
Click to expand...
Click to collapse
QPST / qfil links can be found in many places, I've found them in LG v35, v40, v50, G8 forums in guides section, usual title names include 'unlock bootloader' as qfil is used to flash the 'engineering abl' to gain fastboot.
addresses of the partitions are in the partition table of ea device. Depending on how you flash a partition you may need to know it specifically, but almost always you don't. The RawprogramX.xml has them in it if needed though.
There is one caveat, for qfil to work (or any EDL access to happen), with any device, one has to have the 'programmer firehose', which is a signed specific file, for that specific device type. Many mfgs make that file available, Google does not.
AsItLies said:
QPST / qfil links can be found in many places, I've found them in LG v35, v40, v50, G8 forums in guides section, usual title names include 'unlock bootloader' as qfil is used to flash the 'engineering abl' to gain fastboot.
addresses of the partitions are in the partition table of ea device. Depending on how you flash a partition you may need to know it specifically, but almost always you don't. The RawprogramX.xml has them in it if needed though.
There is one caveat, for qfil to work (or any EDL access to happen), with any device, one has to have the 'programmer firehose', which is a signed specific file, for that specific device type. Many mfgs make that file available, Google does not.
Click to expand...
Click to collapse
This was going to be my next question. We aren't talking about LG devices here; we're talking specifically about the Pixel 3. So if the firehose files aren't available, exactly how is QPST any good to anyone?
V0latyle said:
This was going to be my next question. We aren't talking about LG devices here; we're talking specifically about the Pixel 3. So if the firehose files aren't available, exactly how is QPST any good to anyone?
Click to expand...
Click to collapse
I know what we're talkin about here, and I know it's not LG devices. And I never said qpst was any good to anybody here, I just said that it is available, and you said it wasn't, and I said the stock images are available, and you said they weren't.
AsItLies said:
I know what we're talkin about here, and I know it's not LG devices. And I never said qpst was any good to anybody here, I just said that it is available, and you said it wasn't, and I said the stock images are available, and you said they weren't.
Click to expand...
Click to collapse
I think you misunderstand me. As I asked before, please post a legitimate and trustworthy source of QPST. According to Qualcomm, it's only available for specific commercial use.
Secondly, I was specific by what I meant by "binary images" - files to be flashed directly to the NAND devices by means of JTAG or other hardware level protocols. This would include the firehose images, although I admit I'm not sure if those are binary.
Either way, I reiterate that we are talking about the Pixel 3 here. If you know of a trustworthy source for QPST, that's a start. However, the fact remains that the files needed are not available, so what may or may not be possible with LG devices is not relevant in this thread.
V0latyle said:
I think you misunderstand me. As I asked before, please post a legitimate and trustworthy source of QPST. According to Qualcomm, it's only available for specific commercial use.
Secondly, I was specific by what I meant by "binary images" - files to be flashed directly to the NAND devices by means of JTAG or other hardware level protocols. This would include the firehose images, although I admit I'm not sure if those are binary.
Either way, I reiterate that we are talking about the Pixel 3 here. If you know of a trustworthy source for QPST, that's a start. However, the fact remains that the files needed are not available, so what may or may not be possible with LG devices is not relevant in this thread.
Click to expand...
Click to collapse
I think you misunderstood me. You indicated that QPST / qfil is not availabel, it is, I told you where to find it, put in the effort.
And what you mean by 'binary images' is obviously open to interpretation, how in the world would I (or anyone) know you mean anything other than what is available (from google), which are the binary images one would flash with qfil for that device. So again, you're wrong as they are available.
And I'll repeat again, I know we're talking about the p3 and not LG devices. You're using that as a deflection, to try to avoid that your post was obviously wrong in it's information. I bring up LG devices only because they have lots of documentation here on XDA re these utilities, while the p3 does not.
"what may or may not be possible with LG"... yer again wrong. Ea and every qualcomm device can be put in EDL mode, that's what QPST is used for, it's relevant to all devices that have a qualcomm chip.
AsItLies said:
I think you misunderstood me. You indicated that QPST / qfil is not availabel, it is, I told you where to find it, put in the effort.
Click to expand...
Click to collapse
I asked you to provide a specific source. I don't know which forums you're talking about on what site. They could be here on XDA, or Reddit, or any LG forum out there. Your response is akin to "just Google it". The only reputable source I know of is Qualcomm themselves, who, as I stated, are pretty picky about who gets access to the software. Sure, a Google search will turn up a handful of third party sites that claim to have it, but are they trustworthy?
AsItLies said:
And what you mean by 'binary images' is obviously open to interpretation
Click to expand...
Click to collapse
Not really. Binary images = files in purely binary format. Not Java, not hex - ones and zeroes, the file you would use to directly flash a memory device. I was pretty specific about that.
AsItLies said:
how in the world would I (or anyone) know you mean anything other than what is available (from google), which are the binary images one would flash with qfil for that device. So again, you're wrong as they are available.
Click to expand...
Click to collapse
Two posts ago you stated:
AsItLies said:
for qfil to work (or any EDL access to happen), with any device, one has to have the 'programmer firehose', which is a signed specific file, for that specific device type. Many mfgs make that file available, Google does not.
Click to expand...
Click to collapse
So, since no "firehouse" files are available from Google, could QPST be used to flash the partition images in the factory zips?
AsItLies said:
And I'll repeat again, I know we're talking about the p3 and not LG devices. You're using that as a deflection, to try to avoid that your post was obviously wrong in it's information. I bring up LG devices only because they have lots of documentation here on XDA re these utilities, while the p3 does not.
Click to expand...
Click to collapse
No, I'm pointing out that information on LG devices is not relevant. There might be documentation regarding the use of QPST but if the necessary files are not available, that's not much use.
AsItLies said:
"what may or may not be possible with LG"... yer again wrong. Ea and every qualcomm device can be put in EDL mode, that's what QPST is used for, it's relevant to all devices that have a qualcomm chip.
Click to expand...
Click to collapse
I'm specifically referring to the possibility of hardware level device recovery which may be possible on LG devices due to the availability of the required files, but is not currently possible on the Pixel series because we do NOT have the required files.
I'm not going to continue this argument as we are rather OT at this point. This isn't conducive to finding a solution.
XDA thrives on the willingness of users to help out everyone else - the ability and willingness to solve problems. You said there is a solution to this problem; I am asking you provide it. It doesn't matter who is right or wrong in the end; it only matters that we find a solution.
Just a quick heads-up.
unlock token - OnePlus (United States)
www.oneplus.com
By the way, to root without readily available stock firmware, first unlock bootloader, then boot a pre-rooted GSI with DSU Sideloader, pull stock boot partition from there, and finally patch/flash it. This applies to the Open variant as well.
AndyYan said:
Just a quick heads-up.
unlock token - OnePlus (United States)
www.oneplus.com
By the way, to root without readily available stock firmware, first unlock bootloader, then boot a pre-rooted GSI with DSU Sideloader, pull stock boot partition from there, and finally patch/flash it. This applies to the Open variant as well.
Click to expand...
Click to collapse
Tried to unlock but apparentpy my device only has 7 digits in the serial number which keeps me from being able to use the website to request the unlock code.
I used the debloat script I found on n200 threads to get oem unlock on option. T-Mobile variant
PsYk0n4uT said:
Tried to unlock but apparentpy my device only has 7 digits in the serial number which keeps me from being able to use the website to request the unlock code.
I used the debloat script I found on n200 threads to get oem unlock on option. T-Mobile variant
Click to expand...
Click to collapse
Try prepending 0s?
Well. I was thinking that doing that would make the unlock token they give me different from what the phone would be expecting
PsYk0n4uT said:
Well. I was thinking that doing that would make the unlock token they give me different from what the phone would be expecting
Click to expand...
Click to collapse
Tried adding zero on front and back of serial it just tells me invalid serial
PsYk0n4uT said:
Tried adding zero on front and back of serial it just tells me invalid serial
Click to expand...
Click to collapse
Chatting with OnePlus hasn't yielded anything so far
Just a tip, because in my infinite forgetfulness I wasted an hour last night trying to figure out why I was getting the error, fastboot could not open target HAL.
Remember that you must request the unlock code from fastboot, not fastbootd. Which is what you will boot into if you issue adb reboot fastboot.
So here's a quick step by step.
1.Enable usb debugging. 2. Connect your device and allow access for the computer. My device asks if I want it to charge or transfer files. Select transfer files/Android auto and then use adb start-server. May have to unplug the USB cable and reconnect. Select "always allow this device/PC".
3. Issue "adb devices" to make sure your connected.it should list your device by it's serial number. If not then try unplugging the device and revoke adb authorizations in dev options and toggle USB debugging off and back on, may even need to reboot the device to get it to connect after doing this.
4. If your device is listed under devices go ahead and issue "adb reboot fastboot"
5. Once rebooted issue "fastboot devices" and make sure the device is listed again.(If not listed make sure you have your driver's installed correctly and fastboot is installed correctly, may need to install Android SDK into same folder as fastboot)
6.You can select English or whatever language if you want but it doesn't seem necessary.You are in fastbootd mode you will see if you DO select a language.
So from here issue"fastboot reboot bootloader" device will reboot and you will have scrollable option at the top beginning with a big green START at the top. This is regular fastboot And where you wanna be to get your unlock code for submitting to Oppo for your unlock token.
7. Issue "fastboot oem get_unlock_code"
8. It should return the info you need, you will also need your IMEI number when submitting so be sure to copy that down.
you can copy and paste the unlock code into notepad or Word and delete out the extra stuff so your left with just the two lines of your unlock code as one single contiguous string of numbers.
8. Go to the link listed by OP and submit the required info. And wait for what seems like forever.
ADB/Fastboot commands-quick recap.
1. adb reboot fastboot
2. fastboot reboot bootloader
3. fastboot oem get_unlock_code
PsYk0n4uT said:
ADB/Fastboot commands-quick recap.
1. adb reboot fastboot
2. fastboot reboot bootloader
3. fastboot oem get_unlock_code
Click to expand...
Click to collapse
Simply "adb reboot bootloader". You won't need fastbootd until GSIs (which I already did ofc).
Thanks, definitely a quicker way to get to fastboot. I guess I wasn't sure if you could reboot directly. Seems maybe I was confusing an older device where you had to reboot to fastboot then "fastboot reboot fastboot" to get to fastbootd for a whole different reason.
This one goes directly to fastbootd when you "adb reboot fastboot"
Nice catch.
with this particular model in scope, what do either of you guys suggest I do if I have gottne the age old bricked message "destroyed boot/recovery image"".. I've tried the MSMTool route and cna't get it to register under Device Manager with the Qualcomm drivers.. It's highly upsetting..
I'm not really sure to be honest, this is my first OnePlus device and just trying to contribute anything I can to get the N20 section up and going as I make progress with the device.
Just a quick search though turns up this and maybe it could be of use if you can still access the bootloader.
the current image(boot/recovery) have been destroyed
I updated my oneplus 8t to KB2005_11.C.11 (OOS 12 ) by first booting to twrp-3.6.1_11-0-kebab.img and then flashed the KB2005_11_C_OTA_1100_all_362b9b_10100001.zip. After the upgrade I had no mobile data on t-mobile and had Volte instead of 5g...
forum.xda-developers.com
Someone mentions extracting the boot.img from stock image and flashing it. I would imagine it should work for you if the stock firmware can be found and circumstances are similar. Maybe at least a start. Wish I could be of more help, maybe someone else can chime in that knows more.
Try Linux, maybe a live dist. if your on a windows machine that won't recognize it just to get it into a state that you can work with it again.
Just an idea, I don't want to steer you wrong as i still have a lot to learn
DrScrad said:
with this particular model in scope, what do either of you guys suggest I do if I have gottne the age old bricked message "destroyed boot/recovery image"".. I've tried the MSMTool route and cna't get it to register under Device Manager with the Qualcomm drivers.. It's highly upsettinghav
Click to expand...
Click to collapse
DrScrad said:
with this particular model in scope, what do either of you guys suggest I do if I have gottne the age old bricked message "destroyed boot/recovery image"".. I've tried the MSMTool route and cna't get it to register under Device Manager with the Qualcomm drivers.. It's highly upsetting..
Click to expand...
Click to collapse
I want to try and help but I'm so new it's sketchy I don't want to say something and get bashed
Please feel free to comment. Don't worry about the trolls. We would love to have you to be part of this conversation. If you have suggestions just post them, and if your unsure about anything just mention that you are. It's a great way to learn. Don't worry about negative feedback, take it as constructive criticism. You may find that the feedback can clear up many questions and/or misconceptions. You never know how your dialogue with other members could help someone else in the future. These forums are here to document all of it just for that purpose. We are all here to learn or help others who want to learn. Though this account is only a year old I have been around these forums on and off for many years and I learn something each and every time I come in search of wisdom. I'm by no means an expert but I find that others benefit from my questions and answer just as much as I have over the years.
Fyi according to a recently made friend who also had the 7 digit serial issue, they were told by OnePlus their dev team is working on an OTA update that will resolve the serial number issues. I'm not sure how that's going to work but I saw the email between them and Oppo support
I guess this must be a widespread issue that they feel is cheaper to invest the amount of money it takes for r&d to come up with a fix than it was to replace a few devices or attempt to do remote repairs.
But this also makes me wonder what avenue they will take to correct the issue.
Also I wonder if someone with the right skillset could gather enough bootloader unlock codes along with the unlock tokens, serial, IMEI, pcba etc.. maybe the algorithm their using to generate the codes could be broken. I'm no crypto expert or math genius either, but if we have the variables to the equation minus one but have the answer, isn't this pretty simple almost pre-algebra?
I mean I guess their not worried about enough people being brave enough to give out sensitive info like that. But maybe Im just ignorant of the complexity of these algorithms.
64 digit key on one end
T-Mobile bought sprint and they have T-Mobile sims no. But I understand that sprint is still a somewhat seperate company (tried to buy a T-Mobile phone and it would not activate on my sprint account. So I bought this from the sprint side of the T-Mobile site so I knew it would work but I assume this is a sprint phone and not a T-Mobile phone so this method would not work.
Can anyone confirm this?
PsYk0n4uT said:
Please feel free to comment. Don't worry about the trolls. We would love to have you to be part of this conversation. If you have suggestions just post them, and if your unsure about anything just mention that you are. It's a great way to learn. Don't worry about negative feedback, take it as constructive criticism. You may find that the feedback can clear up many questions and/or misconceptions. You never know how your dialogue with other members could help someone else in the future. These forums are here to document all of it just for that purpose. We are all here to learn or help others who want to learn. Though this account is only a year old I have been around these forums on and off for many years and I learn something each and every time I come in search of wisdom. I'm by no means an expert but I find that others benefit from my questions and answer just as much as I have over the years.
Click to expand...
Click to collapse
okay peep theres a way i put my oneplus into efu mode, hold both vol up and down then put usb c in continue to hold u should hear PC recognize it
So, before i do it, would deleting the modemst1/modemst2 partitions still let me bypass the t-mobile sim lock and let me unlock the phone like it did on the old oneplus phones?
Flashed a patched boot.img and lost modems. Anyone willing to post the modems? Are they device specific like a device partition?
Sim locked and trying to recover. No radios are working
They let a lot of problems go on. Explain to me why their software is locked. It's pretty easy to actually understand what happened OnePlus is trying to charge us money to go to support people to get our phones taken care of but that's silly to even think of.
maamdroid said:
Explain to me why their software is locked. It's pretty easy to actually understand what happened OnePlus is trying to charge us money to go to support people to get our phones taken care of.
Click to expand...
Click to collapse
What is locked?
Both bootloader and edl are unlocked ( bootloader unlockable via adb ? ) You don't have to contact customer support or anything?
Rstment ^m^ said:
What is locked?
Both bootloader and edl are unlocked ( bootloader unlockable via adb ? ) You don't have to contact customer support or anything?
Click to expand...
Click to collapse
MSM tool to recover from any serious error
Appreciative said:
MSM tool to recover from any serious error
Click to expand...
Click to collapse
Is this a MediateK phone?
I might be wrong then, I am assuming Qualcomm edl is usually unlocked?
Rstment ^m^ said:
Is this a MediateK phone?
I might be wrong then, I am assuming Qualcomm edl is usually unlocked?
Click to expand...
Click to collapse
SnapDragon 8g1. The 10 pro has edl test points and the 10T can boot into edl as well. But without an MSM tool, it's not worth the trouble. They require live authentication to sign the download and install. People are able to bypass the initial login for the msm tool but the next step has not been defeated yet. At least not publicly on xda.
My understanding is the tool verifies login and then gets a key to sign with. There is some speculation that it may use multiple checks during the flash so one key isn't enough. There was also mention that the msm tool binds to the Mac address of your nic and will fail if it's not on the whitelist.
That means you must send your phone back to OP if you brick outside of what fastboot can handle. I returned the 10T to get a 9P. While preparing to send it back, I locked the 10T bootloader back up before swapping boot images so I sent them back a brick on accident. . But, that's the problem. It's that easy and you're without a phone for a few weeks. I've also read that OP handles China different in that they charge for certain services. There was recently a development in the "edl tool" thread where someone from China was unbricked remotely but that agent had a valid login to sign the install.
I am planning to hop over to Nothing Phone after my 9P dies. I certainly won't be back to OP as long as they ship that ColorOS "OxygenOS" hybrid garbage and no MSM tool. With an MSM, we would at least get good rom development to have a better/real OOS experience.
Also, I've been with OnePlus for years. Until recently, I haven't had to use their customer service since they merged with Oppo. It got much worse. OnePlus is dead
Appreciative said:
SnapDragon 8g1. The 10 pro has edl test points and the 10T can boot into edl as well. But without an MSM tool, it's not worth the trouble. They require live authentication to sign the download and install. People are able to bypass the initial login for the msm tool but the next step has not been defeated yet. At least not publicly on xda.
My understanding is the tool verifies login and then gets a key to sign with. There is some speculation that it may use multiple checks during the flash so one key isn't enough. There was also mention that the msm tool binds to the Mac address of your nic and will fail if it's not on the whitelist.
That means you must send your phone back to OP if you brick outside of what fastboot can handle. I returned the 10T to get a 9P. While preparing to send it back, I locked the 10T bootloader back up before swapping boot images so I sent them back a brick on accident. . But, that's the problem. It's that easy and you're without a phone for a few weeks. I've also read that OP handles China different in that they charge for certain services. There was recently a development in the "edl tool" thread where someone from China was unbricked remotely but that agent had a valid login to sign the install.
I am planning to hop over to Nothing Phone after my 9P dies. I certainly won't be back to OP as long as they ship that ColorOS "OxygenOS" hybrid garbage and no MSM tool. With an MSM, we would at least get good rom development to have a better/real OOS experience.
Also, I've been with OnePlus for years. Until recently, I haven't had to use their customer service since they merged with Oppo. It got much worse. OnePlus is dead
Click to expand...
Click to collapse
Wow thanks for the explanation... Never owned OP and just assumed they'd offer access EDL / bootloader unlike other manufacturers...
Doss nothing phone offer edl access without third party approvals? Current Nothing phone is bad pairing of hardware... definitely not on my list unless there's access to edl?
Rstment ^m^ said:
Wow thanks for the explanation... Never owned OP and just assumed they'd offer access EDL / bootloader unlike other manufacturers...
Doss nothing phone offer edl access without third party approvals? Current Nothing phone is bad pairing of hardware... definitely not on my list unless there's access to edl?
Click to expand...
Click to collapse
I'm not positive about NP edl mode. I do know they have a method to unbrick available, using fastboot and critical unlock to flash any/all partitions if I remember right. And the full source tree is also available. It's also 'believed' that Nothing will make reasonable efforts for developers because of Carl Pei. It is believed he was the main reason for OP's dev friendly nature prior to 2020/oppo merge/his departure.
I wrote to Nothing and asked them to provide us dev friendly devices so we can fall in love and get our friends and family on Nothing devices just like we did with OnePlus. They replied and said they look forward to making the device of our dreams in the future.
I know they need a little time to see what works and what sells. I want to support but it won't be the NP1. Maybe the 2 for support. I imagine my 9p will last a good while, my 5T is still a great phone after all these years. It can even play cod mobile still