All right, there's been a lot of discussion as to what it takes to block OTA on the Nook Color, with various scattered reports of success and failure in the wake of B&N's pushing out of the 1.2 OS update.
So I thought this might be a good time to bring our experiences all together under one thread and list what OS you're running, what you've done to block updates, and how long you've gone without a pushed update.
Please only do this if you regularly leave WiFi on and your NC is regularly in range of and connected to a WiFi hotspot. Also, for the sake of uniformity, please follow the template below. Use the "Followup" item to come back and report if anything changes (whether the update was pushed to you, or whether you manually updated your OS, or disabled OTA blocking and allowed updates to be pushed to you).
I'll start:
OS: 1.1.0 (manual upgrade from 1.0.1)
OTA block method: SQLite FOTA set to "manual."
No OTA update since: 4/27
Followup:
Notes: I had WiFi off between 4/25 and 4/27. My WiFi is always on and connected at home.
Probably would have been a good idea to tack that onto With new update pending, what is best way to block OTA updates?
I've just left my wifi off so far until the new rooting dust settles.
Mentioned patching a security hole but nothing else that I saw. Just finished installing, version shows 7.0.7392.0
Fix for fraudulent third-party digital certificates. This update includes a critical fix to an industry-wide issue with nine untrusted digital certificates that were issued by one root certificate authority. These third-party digital certificates are used to access popular websites and email portals. Although this is not a Microsoft security vulnerability, these untrusted certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all web browser users. This update moves the affected certificates to the "Untrusted Publishers" certificate store on Windows Phone, which helps ensure that these fraudulent certificates are not inadvertently used.
That's all it's supposed to be and is. Just got it too. Glad I did as I needed a fresher backup
According to Walsh it also has other fixes though... I wouldn't doubt Microsoft just threw something in there, after all, they didn't mention a single bug fix in NoDo, though obviously there were some.
Issues with 7392 and phone battery life
I'm reading about some users in the UK facing horrible battery life after the 7392 update... not sure I want to update my phone.
People with stock TMo HD7, anything to report?
Oh and here is the link to the thread:
http://forum.xda-developers.com/showthread.php?t=1068514
UPDATE:
Couldn't wait any more and updated it just now... will post back the results tomorrow.
My phone is updating as I type. The backup is taking long to finish, probably because I have lots of files in it,
and it's eating approximately 3 GB of my disc space.
Is it safe if I cut and save the backup to a disc or a thumb drive? Will it make a difference to paste the files back to their directory, given that I need to restore my phone to its previous version?
Thanks
updating mine now...will post results...
Updated my htc hd7 us tmobile here in uk all went well I just got the phone today can't see any battery issues. Loving this phone and I just came from a samsung galaxy s2 but I think this is better.
Yeah, been running it almost a day now...no issues.
Can someone just explain to me: once I have this 7392.0 update installed, do I need to update the firmware, radio and boot loader? Do these change with the Zune software update, or do I need to manually update them by flashing with a RUU installer? What's the difference between Zune updates and flashing the latest T-Mobile ROM; are they the same thing? Does anyone have a link to the latest T-Mobile US ROM for the HTC HD7?
Is anyone else having this problem? I have the block updates "on" in the Mods Collection for Ouya, but obviously it isn't working. Every time I turn the system on it's trying to update it. Any suggestions?
StraTTtheRippeR said:
Is anyone else having this problem? I have the block updates "on" in the Mods Collection for Ouya, but obviously it isn't working. Every time I turn the system on it's trying to update it. Any suggestions?
I was having this issue also till I got tired of it and I just updated my OUYA. I couldn't figure it out, and I also asked for any input about it not working, but no one cared and I never got a reply back from anyone, including WonderEkin. But this should be asked over at the Mod Collection for OUYA forum if you wanna get some type of answer: http://forum.xda-developers.com/showthread.php?t=2359390
The block updates only worked until they changed their update method with the 'incremental' updates ~3 months ago. However the latest version of stock SHOULD allow you to temporarily reject an update without plugging/unplugging an Ethernet cable.
But since the mod collection hasn't been updated in several months as well, I wouldn't expect too much assistance besides "Update to Jackalope and the update-blocking will be built into stock" suggestions...
Yeah, I just gave up and ran the update. I couldn't play anything half of the time because it kept trying to update the system. Everything seems to still be working okay, though...haven't run into any problems yet. Thanks!
Apparently the ONLY version of Android that is vulnerable to Heartbleed is 4.1.1. I ran a check on my phone, and sure enough I'm running that version, and heartbeats are definitely enabled. I used the Lookout security app to verify this. Is there a way I can patch my system myself and somehow disable the heartbeats feature without having to wait another 3 years for Motorola to come out with a fix? My phone is rooted, but something tells me that OpenSSL probably needs to be essentially recompiled with a flag set to disable heartbeats?
I was hoping there would be a quick config file for OpenSSL that can be modified, but I'm not usually lucky. Based on everything I've seen thus far, a recompile with a flag set is the only way to fix this. Figured I'd give it a shot and ask on here.
I've been thinking about the same thing.
If memory was encrypted that could solve all or part of the problem.
If the Chrome https browser cache were turned off, which I think requires an APK edit, there would not be any clear text data in the browser cache.
What do you think?
dosmac said:
Apparently the ONLY version of Android that is vulnerable to Heartbleed is 4.1.1. I ran a check on my phone, and sure enough I'm running that version, and heartbeats are definitely enabled. I used the Lookout security app to verify this. Is there a way I can patch my system myself and somehow disable the heartbeats feature without having to wait another 3 years for Motorola to come out with a fix? My phone is rooted, but something tells me that OpenSSL probably needs to be essentially recompiled with a flag set to disable heartbeats?
I was hoping there would be a quick config file for OpenSSL that can be modified, but I'm not usually lucky. Based on everything I've seen thus far, a recompile with a flag set is the only way to fix this. Figured I'd give it a shot and ask on here.
Yep, 4.1.1 is vulnerable to this. 4.1.2 has the no heartbeat fix added in and 4.1.1 took the update that was bugged. That said, we DO have TWO 4.1.2 Stock roms, Mexican Retail and Bell are both 4.1.2 and should have that fix -- needs confirmation. Our Stock ICS roms are all from before this bug was added in and are safe. In reality, only stock, locked AT&T Atrix HD's are vulnerable to this since all the other roms* have this fix.
Normally I'd say something around the lines of give me a few days and I'll look into this more, but I've been busy lately, and when I'm not busy I'm either tired or sore; did some heavy lifting a few weeks ago and my back is still sore from that day.
*Our 4.1.2 roms are untested, but 4.1.2 AOSP has the fix so our 4.1.2 stocks should too
I was just thinking that there is no such thing as security. Security is achieved by being harder to exploit than the other computers. Even 3-DES can be cracked with enough computing power.
So encrypting memory and stopping https caching would close two big holes. I'm now wondering what holes would remain to be exploited by the heartbeat exploit on a 4.1.1 device if this were done?
stevep2007 said:
I was just thinking that there is no such thing as security. Security is achieved by being harder to exploit than the other computers. Even 3-DES can be cracked with enough computing power.
So encrypting memory and stopping https caching would close two big holes. I'm now wondering what holes would remain to be exploited by the heartbeat exploit on a 4.1.1 device if this were done?
If I was on a stock phone running 4.1.1 and I was that worried about heartbleed, I'd unlock the bootloader and install Bell or Mex Retail because both are 4.1.2. It might even be possible to just swap the exploited binaries with the ones in our 4.1.2 roms, that's something someone else worried about this can do. Hell, it might even be possible to run the 4.1.2 roms with safestrap and the AT&T kernel...again, that's a someone else thing...I have no intention of dicking with SSR.
Think about Wifi being hacked....when it first came out a crappy password like 12345678 was good enough because computing power wasn't that good for consumers yet; nowadays, a basic gaming laptop can check 500,000 wpa2 passwords a second, a decent desktop with multiple GPU's can do over a million a second. All wpa2 hacking is sniffing out the verification md5*, then the tools generate passwords and their md5 and compare it against the sniffed out one, eventually you'll find one that matches, especially so if the password sucks. If you know how certain telecoms set up their wifi passwords, you can shorten the amount of time taken by limiting to the characters they use -- for example, AT&T U-Verse** uses 10 digit numeric passwords, so all you'd have to do is limit the tools to use numbers and start with 10 digits....hint: there are only 1 million codes if you use 10 numbers only....10 to the power of 10 and all....
That isn't a wifi hacking tutorial, just an example of how over time good security unchanged becomes very bad security and how eventually an exploit will be found and security compromised, like how wpa2 for a split second sends out the verification md5 unencrypted.
*not sure if WPA2 uses md5, but most of us know what md5's are
**last time I read about that service that's what I saw...and I read that a few months ago
S6 Active on AT&T - DQE1 firmware giving me wifi problems. How do I stay on DQD1?
So I had been putting the nougat builds on My S6 Active from a post here on xda. On the DQD1 build everything seemed pretty good for me. Then one morning I awoke to see that the phone had automatically updated itself to the DQE1 build. Then the problems started. Every time the phone would go into lock screen and I'd re-open it, I'd get the wifi connection message. Also had all kinds of problems staying connected to wifi. I put DQD1 back on to do some testing. Problem is, it keeps updating to DQE1 overnight. I found 2 places in android to stop it from doing that but both don't seem to stop it. Again, it updated to DQE1.
Some have suggested that I freeze the update application with package updater pro. Before I go that route, what application or service am I trying to prevent? I got another app that is supposed to allow me to suspend applications/services but I can't seem to identify what app/svc I would actually want to suspend.
Open the ATT Smart WIFI app -> go to settings and configure the app,
or disable this app.
Now, check wifi again.
roveer said:
So I had been putting the nougat builds on My S6 Active from a post here on xda. On the DQD1 build everything seemed pretty good for me. Then one morning I awoke to see that the phone had automatically updated itself to the DQE1 build. Then the problems started. Every time the phone would go into lock screen and I'd re-open it, I'd get the wifi connection message. Also had all kinds of problems staying connected to wifi. I put DQD1 back on to do some testing. Problem is, it keeps updating to DQE1 overnight. I found 2 places in android to stop it from doing that but both don't seem to stop it. Again, it updated to DQE1.
Some have suggested that I freeze the update application with package updater pro. Before I go that route, what application or service am I trying to prevent? I got another app that is supposed to allow me to suspend applications/services but I can't seem to identify what app/svc I would actually want to suspend.
I've had the same problems. I'm hoping the suggestion from above me works.
Ever since I got my phone, I've always had to go to a uBreakiFix store to update my phone, because every time I check for updates I get a message saying that my software is up to date. My phone is still on the December 2020 patch with One UI 3.0. The last time I had to update, a uBreakiFix store was able to do it. That store is about an hour away from me though.
I've connected to Smart Switch on my PC and it also claims that my software is up to date, even though I know for a fact that isn't the case.
I've had a lot of problems with my WiFi, such as WiFi calling not working, to things like online gaming not being possible because of NAT restrictions.
I have no access to the WiFi settings, as I am renting a room out of a house and the homeowner is the one with full control of the network. It's a Netgear Orbi mesh system. I have tried tweaking settings in the past, but only under their supervision. I couldn't ever get online gaming or WiFi calling to work. What's even more frustrating is that AT&T allows you to check for updates only once every 24 hours.
What would be a good way to test my theory? I need a WiFi network that would allow OTA updates to be downloaded, and I need to be able to check for updates. Any ideas?
Also, is Smart Switch always right about updates?
TLDR; Phone claims it's up to date when it isn't and I suspect my WiFi network is the problem. Need to test that theory.
Connect to any wifi at a store or cafe or a friend's/relative's house. Many cable ISPs offer wifi connections outside of home; try that.
Are you sure that AT&T pushed out a newer update?
mxxcon said:
Connect to any wifi at a store or cafe or a friend's/relative's house. Many cable ISPs offer wifi connections outside of home; try that.
Are you sure that AT&T pushed out a newer update?
The most recent update with OneUI 3.1 got halted by Samsung but I need the security patch update, not the OneUI 3.1 update. So then if that update is pulled, is it possible that I wouldn't be able to receive the January security patch too?
sjvirchow said:
The most recent update with OneUI 3.1 got halted by Samsung but I need the security patch update, not the OneUI 3.1 update. So then if that update is pulled, is it possible that I wouldn't be able to receive the January security patch too?
The 3.1 update has already begun rolling out again; I got it myself a few days back. You're in New Mexico? When I was in the States, Wendy's had unlocked Wi-Fi (if you can actually go in there is another matter), but just outside a building with open Wi-Fi should be enough to run an update check.
Or if you can stand the agony of waiting longer on a download, try a free VPN app to check and download.
Actually I'm from Seattle, I just need to change my details on my profile. I used to live in New Mexico.
I've heard that the update is only rolling out in Europe right now.
That might be true, honestly I don't know. But if you're still behind on previous security updates they should be waiting for you.
Worth giving a VPN a try for one-off use.
Many if not most of the free ones do sell users' data and some even ask for device usage permissions which they don't need at all, so maybe test your theory and then delete it.
I called AT&T, they mentioned nothing about being able to push an update, they said that if the baseband and the build number match that I am up to date, and they referred me to Samsung. Samsung said that "not all S20 FE devices are receiving the January security update, not to worry, your device is up to date."
No. It isn't. They both couldn't be any more wrong.
UPDATE: After some googling I found this page of Samsung S20 FE firmware images, but ATT isn't in that list.