Database Develop

Serious effort to reverse engineer and change the "OK Google Now" activation phrase

Serious effort to reverse engineer and change the "OK Google Now" activation phrase
I just got my Moto X dev edition today, and I plan to try and reverse engineer the activation phrase code in order to change it. I'm going to start by decompiling the touchless application, but I think it will be far more difficult and deeper in the system than that.
Does anyone know where the activation phrase is actually stored? Does anyone know anything about the internal structure of the touchless stuff? And finally, is anyone aware of any other attempts to do this so I can collaborate with them?
Thanks!

glitch003 said:
I just got my Moto X dev edition today, and I plan to try and reverse engineer the activation phrase code in order to change it. I'm going to start by decompiling the touchless application, but I think it will be far more difficult and deeper in the system than that.
Does anyone know where the activation phrase is actually stored? Does anyone know anything about the internal structure of the touchless stuff? And finally, is anyone aware of any other attempts to do this so I can collaborate with them?
Thanks!
Click to expand...
Click to collapse
I got no idea about any of your questions. I wanted to say that doing what your doing would be a very cool feature so thanks for the effort if you get anything going.
I also wanted to mention that I know the OK Google Now phrase is processed on the phone. The voice commands first get processed through Motorola's touchless control app or processes then if it is not recognized as a command it can deal with it then uploads it to google owned google now app. This is why you sometimes get different looking dialers or screens when sending texts depending on if Moto touchless controls handled the action or if google now handled the action.
Just thought of this but I bet it is extremely hard to do what you are doing because no one has created apps to use the low power processor so i presume its locked up somewhere in the phone.

a small start
So, I decompiled the Touchless APK and opened it in Eclipse. I found some interesting stuff in strings.xml, but I think it's just the strings that are displayed to prompt the user This one stood out to me though:
Code:
<string name="hello_moto">OK Google Now</string>
Could it be that the phrase was originally going to be "hello moto" but when Google bought Motorola they changed it for branding purposes?
I think these other string names indicate that could be the case:
Code:
<string name="training_say_hello_moto">Say OK Google Now…</string>
<string name="training_second_hello_moto">Say OK Google Now a second time…</string>
<string name="training_third_hello_moto">Say OK Google Now a third time…</string>
<string name="training_final_hello_moto">Say OK Google Now a final time…</string>
Anyway, if someone wants to change that hello_moto string in the strings.xml file to something else, it might be worth a shot. I can't test any of this yet, because I can't root my phone because it has a spec of dirt under the lens and I'm mailing it back to Motorola to get fixed. But if somebody out there with the knowledge to change this setting in the strings.xml file of the apk wants to try it, I think it's a promising lead.

Hello moto would be cool.. Much better than the OK Moto Magic that was also on the cards... That would just be embarrassing! Good luck man
Sent from my XT1058 using Tapatalk 4

That application is an almighty mess. It has a tremendous amount of classes named things like "a", "aa", "ab", and so forth. Right now, I'm trying to make an Xposed module to send an intent to Tasker rather then start Motorola's interface when the key phase is said. This has been a nightmare of its own. I'm going to start digging for the start phase in earnest once I get this part done.
Sent from my Galaxy Nexus using XDA Premium 4 mobile app

hawkjm73 said:
That application is an almighty mess. It has a tremendous amount of classes named things like "a", "aa", "ab", and so forth. Right now, I'm trying to make an Xposed module to send an intent to Tasker rather then start Motorola's interface when the key phase is said. This has been a nightmare of its own. I'm going to start digging for the start phase in earnest once I get this part done.
Sent from my Galaxy Nexus using XDA Premium 4 mobile app
Click to expand...
Click to collapse
Names like that usually indicate that the code was obfuscated . I would be stunned if they coded it that way!

@glitch003 any luck with this?
Sent from non rooted motoX :'(

I'd totally change "Ok Google Now" to "Jarvis" if I ever had the chance.

hawkjm73 said:
That application is an almighty mess. It has a tremendous amount of classes named things like "a", "aa", "ab", and so forth. Right now, I'm trying to make an Xposed module to send an intent to Tasker rather then start Motorola's interface when the key phase is said. This has been a nightmare of its own. I'm going to start digging for the start phase in earnest once I get this part done.
Sent from my Galaxy Nexus using XDA Premium 4 mobile app
Click to expand...
Click to collapse
It's meant to be an almighty mess, so people like us struggle for months to figure out what the code actually does and to prevent copying of their code

While I haven't been able to change the wakeup phrase, I have changed what happens when you say it. With Tasker, I am able to launch AutoVoice and/or !utter instead of Google Now.
This essentially allows you to control your entire phone with voice, while it's still in your pocket.

Kev1000000 said:
While I haven't been able to change the wakeup phrase, I have changed what happens when you say it. With Tasker, I am able to launch AutoVoice and/or !utter instead of Google Now.
This essentially allows you to control your entire phone with voice, while it's still in your pocket.
Click to expand...
Click to collapse
what exactly are you not launching? From my understanding Moto's runs their own voice recognition stuff, then when it can't recognize the command it then sends it to google now. (even though it looks like it is just running googlw now the entire time it is not. So at what point in the process are you hijacking the code? Also, how easily can you use it? Does it take a long time or does it start just as quick as touchless controls/google now was.

jayboyyyy said:
what exactly are you not launching? From my understanding Moto's runs their own voice recognition stuff, then when it can't recognize the command it then sends it to google now. (even though it looks like it is just running googlw now the entire time it is not. So at what point in the process are you hijacking the code? Also, how easily can you use it? Does it take a long time or does it start just as quick as touchless controls/google now was.
Click to expand...
Click to collapse
It's pretty easy. I simply use Tasker to detect when the Touchless Controls app becomes the foreground app, then immediately kill its process. After that, I launch AutoVoice. With AutoVoice, I can then say "Search" to bring me to Google Now, or "utter" to launch !utter. I can also say any of my home automation commands like, "Turn off the lights" or "Watch TV."
I essentially use the Touchless Controls app as simply a detection of when the phrase was said, and then launch my own processes that I want to launch once it's detected, and kill the app immediately before it sends any data to Google Now.
It's seamless, and extremely quick.

Kev1000000 said:
It's pretty easy. I simply use Tasker to detect when the Touchless Controls app becomes the foreground app, then immediately kill its process. After that, I launch AutoVoice. With AutoVoice, I can then say "Search" to bring me to Google Now, or "utter" to launch !utter. I can also say any of my home automation commands like, "Turn off the lights" or "Watch TV."
I essentially use the Touchless Controls app as simply a detection of when the phrase was said, and then launch my own processes that I want to launch once it's detected, and kill the app immediately before it sends any data to Google Now.
It's seamless, and extremely quick.
Click to expand...
Click to collapse
you want to run a test with a lock on your phone? I'm interested to know if touchless control bypasses the lock or not. I know it can do certain things with the phone in lock. I would assume the few options we have has to do with the fact that once touchless controls pushes the command to google now because it doesn't recognize it they can no longer keep the phone in a locked state. Anyway, if you could run some tests on that and report back I'm interested. Thanks in advance.

I'd like to help
Hey could you upload the apk?
Although I haven't done any reverse engineering before but I have a lot of spare time right now and I'd like to try and help. I just got a developer edition of the Moto X and annoyingly it doesn't seem like there's any easy way to root it right now, since it came with the newest update(at least as far as I can tell).
The only reason that matters to this is that I can't get the apk off of the device, as I don't have the sufficient permissions for data/app. If there's another way to do this then please let me know too!
Thanks
EDIT: nevermind, I realized there's a way to root it if I just unlock the device.

Recompiling with signature
I'm not sure if there is still any interest in this, but I've been trying to work on it nonetheless as a personal project.
This is my first time doing any sort of reverse engineering, and my worry is that we won't be able to sign the app after modifying it.
From what I've read of using apktool, it seems that if you want to keep the signatures you have to move the modified files you have back into the original apk.
Problem is, on OS X there doesn't seem to be a good way to open apks and modify them. Can someone else try and see if it can be recompiled and reinstalled?
Thanks

I messed with this for a short while. I found you can do it just by training. I was able to say "OK f$%& Wad", "OK Moto" and "OK Siri" (joke for my wife). I thought it was due to hex editing some files but that was only a coincidence. Train a phrase using "OK [your word] Now". Sometimes it is tough. Now most of the time you can start it with only "OK [your word]". They use some of the Nuance sdk. Nuance app looks for syllables if I read correctly. I will dig into the files again to see if it can be done more easily. All we need is one guy shouting the phrase and 10 phones want to react. ?
Good luck.

DroidJunk said:
I messed with this for a short while. I found you can do it just by training. I was able to say "OK f$%& Wad", "OK Moto" and "OK Siri" (joke for my wife). I thought it was due to hex editing some files but that was only a coincidence. Train a phrase using "OK [your word] Now". Sometimes it is tough. Now most of the time you can start it with only "OK [your word]". They use some of the Nuance sdk. Nuance app looks for syllables if I read correctly. I will dig into the files again to see if it can be done more easily. All we need is one guy shouting the phrase and 10 phones want to react. ?
Good luck.
Click to expand...
Click to collapse
Well the idea is that we want this to work even if you don't say OK, and you should be able to just say anything you want. Also, it should work without having to try many times.
On a side note, I've run into the issue where basically I can not install on top of the app because it's installed as a system app. I'm not too sure if there's any way to get around this besides removing the permissions check from the device which would be a huge security hole. I also don't even know if that itself will work..

It is probably a signature issue. I have a complete deodex of the original KK dump. If you sign with the same key that might help. You can verify by looking at your logcat when trying to install. Check out data/data/blabla audiomonitor. In the files Dir there is a file svsid_trigger. This is recreated each time you train. I would believe it to be a voice sample if you want to call it that. There are other files in there that when opened show the phrase OK Google now. This is where I hex edited but it did nothing. It will even run without some of these files. My theory is one of these files contains a sample of what it should look like. Decompiling the apk is about as messy as you described. When you check the prefs you see the phrase is set to custom phrase which appears to be a function/class. This also gets rewritten when the phone is booted. Curious to see what happens. I really expect Google or moto to change this. It just does not make sense to have all the phones responding to the same thing. Even with training others can activate it. I was watching a video on the phone and that activated it. LOL

DroidJunk said:
It is probably a signature issue. I have a complete deodex of the original KK dump. If you sign with the same key that might help. You can verify by looking at your logcat when trying to install. Check out data/data/blabla audiomonitor. In the files Dir there is a file svsid_trigger. This is recreated each time you train. I would believe it to be a voice sample if you want to call it that. There are other files in there that when opened show the phrase OK Google now. This is where I hex edited but it did nothing. It will even run without some of these files. My theory is one of these files contains a sample of what it should look like. Decompiling the apk is about as messy as you described. When you check the prefs you see the phrase is set to custom phrase which appears to be a function/class. This also gets rewritten when the phone is booted. Curious to see what happens. I really expect Google or moto to change this. It just does not make sense to have all the phones responding to the same thing. Even with training others can activate it. I was watching a video on the phone and that activated it. LOL
Click to expand...
Click to collapse
I know it's a signature issue when I am trying to install it, but even when I uninstall and install again, I get a permissions issue because it's not installed as a system app.
Also, changing the value of the audio file is interesting, but the problem is that unless we know the algorithms to generate the audio files, I don't know how we can adjust that. It seems cleaner to just go into the code and remove the checks altogether. On the other hand, it takes more investigating, and right now I am completely blocked on this. I don't have much time to mess with this anymore unfortunately, but I do want to try to remove the permissions altogether and see if it will let me install the app as a user app.

Synderesis said:
I know it's a signature issue when I am trying to install it, but even when I uninstall and install again, I get a permissions issue because it's not installed as a system app.
Also, changing the value of the audio file is interesting, but the problem is that unless we know the algorithms to generate the audio files, I don't know how we can adjust that. It seems cleaner to just go into the code and remove the checks altogether. On the other hand, it takes more investigating, and right now I am completely blocked on this. I don't have much time to mess with this anymore unfortunately, but I do want to try to remove the permissions altogether and see if it will let me install the app as a user app.
Click to expand...
Click to collapse
Check here when you get around to decompiling audiomonitor.apk. \AudioMonitor.apk\smali\com\motorola\audiomonitor\uis\training. It might be a good start. I use to be good at smali, but it has been a couple of years.

Certification failed for valid app

I developed an app and I sent it to processing submission but every time get certification failed.
this is an errors list
https://dev.windowsphone.com/FileVendor/FileAsset?fileid=b66b4fae-c1d6-48e8-802b-86afa07a56f6
MS told that app crashes when they press the button, but for me on my device everything works well. I don't know what could be wrong?

Try it on both phone and emulator. Using the emu, try it on different resolutions, try it on different amounts of RAM , etc.
Did they give you any exception details? Use those to try and track down where it could be coming from (example: if it's a NPE, check everything that *could* be null, even if it *shouldn't* be).

I dont have emulator because my pc dont support slat.
I really dont know how to test my app because on my device works well and i dont have another wp8 device

cro.dev said:
I dont have emulator because my pc dont support slat.
I really dont know how to test my app because on my device works well and i dont have another wp8 device
Click to expand...
Click to collapse
Try using Nokia Remote Device Access. They pretty mush have two or three of every Lumia device available.
Its free too!
Sent from my Lumia 928 (RM-860) using Tapatalk

Today my app finally submited to store but when I install it and open, when I try to log in it terminates. That was same error when my app certification failed. Microsoft told me that my app terminates when try to log in.
When I deploy my app on deployer it works like charm. But I dont know why same app not work when I install it from Store.
This is C# code in action when I press Log in button and app terminates
Code:
string zap;
if (cbZap.IsChecked.Value)
zap = "1";
else
zap = "0";
if (File.Exists("X.dat"))
File.Delete("X.dat");
using (StreamWriter sr = File.CreateText("X.dat"))
{
sr.WriteLine(string.Format("{0};{1};{2}", tbIme.Text, tbLozinka.Password, zap));
sr.Close();
}
//NavigationService.GoBack();
NavigationService.Navigate(new Uri("/MainPage.xaml", UriKind.Relative));

cro.dev said:
Today my app finally submited to store but when I install it and open, when I try to log in it terminates. That was same error when my app certification failed. Microsoft told me that my app terminates when try to log in.
When I deploy my app on deployer it works like charm. But I dont know why same app not work when I install it from Store.
This is C# code in action when I press Log in button and app terminates
Code:
string zap;
if (cbZap.IsChecked.Value)
zap = "1";
else
zap = "0";
if (File.Exists("X.dat"))
File.Delete("X.dat");
using (StreamWriter sr = File.CreateText("X.dat"))
{
sr.WriteLine(string.Format("{0};{1};{2}", tbIme.Text, tbLozinka.Password, zap));
sr.Close();
}
//NavigationService.GoBack();
NavigationService.Navigate(new Uri("/MainPage.xaml", UriKind.Relative));
Click to expand...
Click to collapse
go to the DEBUG menu >exceptions...
Tick al the check-boxes under "thrown";
uninstall the app from your device. Debug the app again, look for any unhandled exceptions.

mcosmin222 said:
go to the DEBUG menu >exceptions...
Tick al the check-boxes under "thrown";
uninstall the app from your device. Debug the app again, look for any unhandled exceptions.
Click to expand...
Click to collapse
Looks like everything works well. There is no problem in app when I deploy it with deployer. Only with app downloaded from Store I've got problems.

I actually have a guess about that...
You're writing files to the app's install folder. This works (bizarrely enough) on sideloaded apps. However, it's entirely possible that store apps might *not* have the required permissions to write to their install folders. In that case, your code would be throwing Access Denied errors, and (since you aren't handling exceptions, apparently...) crashing.
Also, you should always set the global exception handler (in App.xaml.cs, for C# XAML apps) to do something useful.

GoodDayToDie said:
I actually have a guess about that...
You're writing files to the app's install folder. This works (bizarrely enough) on sideloaded apps. However, it's entirely possible that store apps might *not* have the required permissions to write to their install folders. In that case, your code would be throwing Access Denied errors, and (since you aren't handling exceptions, apparently...) crashing.
Also, you should always set the global exception handler (in App.xaml.cs, for C# XAML apps) to do something useful.
Click to expand...
Click to collapse
thank you for your tip. So where I would be able to write files then, because my app is based on writing and reading file.

... really? The isolated storage folder, like all the documentation around file handling on WP tells you. Writing files to an application's install directory has been a bad idea (and often not possible, unless you are running with more privileges than you should be) since before modern smartphones even existed.
You can do it using the normal System.IO classes, but there's actually an entire collection of classes (in System.IO.IsolatedStorage, see http://msdn.microsoft.com/en-us/library/System.IO.IsolatedStorage(v=vs.95).aspx) explicitly for managing files in WP (and other Silverlight) apps. The IsolatedStorageFile class is the one with most of the info you'll be interested in.

GoodDayToDie said:
... really? The isolated storage folder, like all the documentation around file handling on WP tells you. Writing files to an application's install directory has been a bad idea (and often not possible, unless you are running with more privileges than you should be) since before modern smartphones even existed.
You can do it using the normal System.IO classes, but there's actually an entire collection of classes (in System.IO.IsolatedStorage, see http://msdn.microsoft.com/en-us/library/System.IO.IsolatedStorage(v=vs.95).aspx) explicitly for managing files in WP (and other Silverlight) apps. The IsolatedStorageFile class is the one with most of the info you'll be interested in.
Click to expand...
Click to collapse
I forget to write that I found solution few hours ago. I found my answers here
http://www.c-sharpcorner.com/Upload...-to-save-and-read-text-file-from-windows-pho/
thanks. Everything works well now.

[Q] How can Windows Phone 8 handle AccessViolationException?

There are many C++/CX codes in my Windows Phone 8 app so there might be many dangling pointers access which will cause AccessViolationException. Actually I know that __try & __except can catch them but I hope that my app can get notified like some callback function can get called while AccessViolationException raised that it's NOT surrounding by __try __except.
And I have tried Application.UnhandledException in C# code and ::SetUnhandledExceptionFilter(which is private API and I somehow successfully invoke it) but still failed to get called.
So is there any way to get notified while AccessViolationException is raised?

In case somebody has the same problem, I solve my problem by using _set_se_translator, a crt API

Ooh, details on that would be good (OK, I should just go read the docs...) but thanks for posting the solution! C++/CX has way too many modes of memory management; it's pretty easy to get it wrong if you try doing anything even vaguely outside the standard use cases. (Example: Do not malloc an array of Platform::String and then assign to it. Any non-nulls in the array (leftover data from prior allocations) will be treated as though they are valid strings that you are assigning over, which means the "old string's" reference count will be decremented, which may lead to memory corruption. Using calloc instead works, by the way, though it's still kind of a hack.) Anyhow, debugging that stuff is annoying, especially since you can only debug native *or* managed, not both.

Accessing features in Windows phone 8(.1) development

When developing an application for desktop windows, there's always a way to access functionality - sometimes through back doors like the registry, etc... I'm developing an application for Windows Phone 8.1, but there are certain pieces of functionality that aren't exposed in the PRT APIset that is available to me. For example, we want to ensure that the user has password protection on the lock screen when using the application. There doesn't seem to be any associated APIs to readily use. So my question is, are there back door ways to do such things? How? Is there a way to access ALL system settings - like a registry or something of the like?

proch said:
When developing an application for desktop windows, there's always a way to access functionality - sometimes through back doors like the registry, etc... I'm developing an application for Windows Phone 8.1, but there are certain pieces of functionality that aren't exposed in the PRT APIset that is available to me. For example, we want to ensure that the user has password protection on the lock screen when using the application. There doesn't seem to be any associated APIs to readily use. So my question is, are there back door ways to do such things? How? Is there a way to access ALL system settings - like a registry or something of the like?
Click to expand...
Click to collapse
Another question would be - if something like intune can enforce lock screen password policies, shouldn't I be able to do it the same way that intune does it? If so, how? If not - why not?

It's not possible to check if user enabled lock screen password or not as far as I know
but if you want to made your app secure (because it may include important data)
you can create a password for your own application !
I did it in a little notepad app my password page allow user to set a password with all English and Persian Characters , numbers and special Chars like [email protected]#$ and etc.

Sent from my RM-994_eu_poland_1183 using Tapatalk

It's pretty easy to check, using the registry, but at least in 8.0 that's not allowed at all for store apps (your app would get rejected). I don't know if the rules changed for 8.1. There are ways to sneak past the store checks, but they could pull your app from the store if they ever found out. I know of at least three ways to access the registry APIs (4 in WP8.1) and two of them are pretty hard to detect unless somebody checks for them specifically... but they're the kind of technique that malware uses, so such checks may be in place.
I don't know what InTune is doing, specifically - I'd need to pull the app apart to see - but there are special application capabilities (not normally available to third-party developers) that can query and even set policies. Apps without those capabilities will get Access Denied if they try to use the same methods though, and normally you can't add those capabilities to your app.

GoodDayToDie said:
It's pretty easy to check, using the registry, but at least in 8.0 that's not allowed at all for store apps (your app would get rejected). I don't know if the rules changed for 8.1. There are ways to sneak past the store checks, but they could pull your app from the store if they ever found out. I know of at least three ways to access the registry APIs (4 in WP8.1) and two of them are pretty hard to detect unless somebody checks for them specifically... but they're the kind of technique that malware uses, so such checks may be in place.
I don't know what InTune is doing, specifically - I'd need to pull the app apart to see - but there are special application capabilities (not normally available to third-party developers) that can query and even set policies. Apps without those capabilities will get Access Denied if they try to use the same methods though, and normally you can't add those capabilities to your app.
Click to expand...
Click to collapse
Thanks for this great and detailed information. See, that's exactly what I'd do if I were developing a desktop app - since i know that intune does it, I'd figure out how intune does it and voila. I'm finally getting over the idea that the same methodologies apply to windows phone development.
For my own educational purposes (since I want to understand this platform better), I would really like to know specifically how you go about accessing the registry APIs (for example). If there's any way for you to describe any number of these methods, I'd greatly appreciate it. Thanks again!

My NativeAccess libraries (check my signature, or search on the forum or on Codeplex) contain an example of one way to access the registry. The code is open-source; you may use the libraries as-is (don't expect to get them into the store, though I won't stop you from trying), use the source code as a reference, or modify/build them yourself; the license is very liberal (MS Permissive). The functions I use are generally documented on MSDN, in the desktop APIs section; the phone has the same functions, although the DLL names are changed and the header files hide them.

Question What is the current state of unlocking fastboot?

Have decided to rejoin XDA after a while off to see what sort of response I get to this.
A browse of the forum tells me that there is no known way to unlock fastboot, I was wondering what methods had been explored in an attempt to do this?
More specifically there are 2 potential methods I'd like to ask about.
1: I have seen mentioned in a comment here a tool I stumbled across a few months ago while messing around with another device,
edl/README.md at master · bkerler/edl
Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :) - edl/README.md at master · bkerler/edl
github.com
There is one option in particular that I think is of interest,
edl modules oemunlock enable -> Unlocks OEM if partition "config" exists, fastboot oem unlock is still needed afterwards
2: After a quick browse of the disassembled Oppo deeptesting app I can see a number of references to a class that is only accessible via reflection 'android.engineer.OplusEngineerManager'
and it contains a method 'fastbootUnlock'. Has anyone tried to access this class and its methods at all?
Maybe none of these things will be of any use, but before I spend too much time exploring them, I was interested to hear if anyone else had explored these at all? If so what progress was or wasn't made?

A little update for anyone who is interested:
So I have spent a little bit of time this morning seeing what I can do with the 'OplusEngineerManager' class. I made very simple app to see what access I could get to this class. After adding a library to allow the use of reflection to access non sdk classes I was able to get a list methods from the class, but so far have not been successfully invoke any of them, despite there being no exceptions caught.

User154 said:
A little update for anyone who is interested:
So I have spent a little bit of time this morning seeing what I can do with the 'OplusEngineerManager' class. I made very simple app to see what access I could get to this class. After adding a library to allow the use of reflection to access non sdk classes I was able to get a list methods from the class, but so far have not been successfully invoke any of them, despite there being no exceptions caught.
Click to expand...
Click to collapse
I took a look at the fastbootUnlock method itself (at /system/framework/oplus-framework.jar) and I believe that even if we could invoke it, it wouldn't work because it uses some sort of token (generated be Oppo?). I might be wrong though, I don't have much experience working with decompiled code, and the code I looked at was Realme one (I guess its same as Oppo).

daniml3 said:
I took a look at the fastbootUnlock method itself (at /system/framework/oplus-framework.jar) and I believe that even if we could invoke it, it wouldn't work because it uses some sort of token (generated be Oppo?). I might be wrong though, I don't have much experience working with decompiled code, and the code I looked at was Realme one (I guess its same as Oppo).
Click to expand...
Click to collapse
Its great that someone else is looking at this! I hadn't posted another update as I haven't made a huge amount of progress, and I wasn't sure anybody would be interested.
The fastbootUnlock method returns a boolean and takes 2 parameters, a byte array and an int. From what I can see it is the only method of the OplusEngineerManager class that the deeptesting app calls. It contains 2 calls to the fastbootUnlock method. Once where it calls it with an empty byte array and the int is 1. I was actually able to invoke the method from my test app in this way and got a false return value (rather than just getting null like the other methods I tried to invoke). The second is contained within a method of the deeptesting app that takes a string as its parameter. It then converts this string to a byte array which it passes as the paramter for the fastbootUnlock method along with the int of 1.
Edit:
The second call to fastbootUnlock uses the length of the byte array as the int and not 1. Please forgive me it was late when I wrote this and I was not looking at the source.
Thats about as far as I am with it at the moment, the next task is to find out what that string it passes is exactly, and is it something that needs to be generated by Oppo.
I would imagine the realme framework woukd be similar, if you would like to compare I can provide the full list of methods from the OplusEngineerManager class?

Hey guys, I would be interested in helping you somehow.
I have no prior experience with unlocking a device. (besides actually doing it with the tools provided by anyone else).
But I own an oppo find x3 pro, if you need me to do some testing for you, let me know
Thank you for your reaserch and trying to unlock the fastboot!

xarf903 said:
Hey guys, I would be interested in helping you somehow.
I have no prior experience with unlocking a device. (besides actually doing it with the tools provided by anyone else).
But I own an oppo find x3 pro, if you need me to do some testing for you, let me know
Thank you for your reaserch and trying to unlock the fastboot!
Click to expand...
Click to collapse
Hi, thanks for your reply. At the moment there isn't too nuch to test, but if I do manage to find a way I will need plenty of testers, so thank you

A small update:
I have found that the method in the deep testing app which takes a string and then ends up invoking the reflected fastbootUnlock method is called by a handler associated with one of the app's activities.
The handler gets the string extra from the intent which starts the activity, and then passes that as the parameter when calling the method.
The next problem is that I cannot find anywhere in the deep testing app that starts this activity. I can see as part of, what I believe to be, the normal flow of the deep testing app that an activity in the startup wizard is called, so I wonder if the startup wizard then starts the activity of interest in the deep testing app. This will be the next thing I look into
Edit:
I have looked into this more and it turns out most of this is wrong. The activity is started from within the deeptesting app and not the startup wizard

User154 said:
A small update:
I have found that the method in the deep testing app which takes a string and then ends up invoking the reflected fastbootUnlock method is called by a handler associated with one of the app's activities.
The handler gets the string extra from the intent which starts the activity, and then passes that as the parameter when calling the method.
The next problem is that I cannot find anywhere in the deep testing app that starts this activity. I can see as part of, what I believe to be, the normal flow of the deep testing app that an activity in the startup wizard is called, so I wonder if the startup wizard then starts the activity of interest in the deep testing app. This will be the next thing I look into
Click to expand...
Click to collapse
Great, from my side I tried running the fastbootUnlock method as you did, and got the same result (false). I looked at the logs and there was a selinux denial for finding the engineering service as my app is an untrusted app, so our only way to run the fastbootUnlock method is through the deep testing app I guess.

daniml3 said:
Great, from my side I tried running the fastbootUnlock method as you did, and got the same result (false). I looked at the logs and there was a selinux denial for finding the engineering service as my app is an untrusted app, so our only way to run the fastbootUnlock method is through the deep testing app I guess.
Click to expand...
Click to collapse
Do you mind if I see the logs? I have had no such denial that I can see.
How have you enabled access to hidden apis?
Have you used any of the permissions from the deeptesting app?

User154 said:
Do you mind if I see the logs? I have had no such denial that I can see.
How have you enabled access to hidden apis?
Have you used any of the permissions from the deeptesting app?
Click to expand...
Click to collapse
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
There are the logs. I enabled hidden apis, yes, didn't add any extra permissions though. By the way, did you use some specific keys for signing the app (platform keys for example)?

daniml3 said:
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
There are the logs. I enabled hidden apis, yes, didn't add any extra permissions though. By the way, did you use some specific keys for signing the app (platform keys for example)?
Click to expand...
Click to collapse
I had a closer look at the logs and I can see that sadly I am getting the same SELinux error.
I can't see much of a way around it at the moment.

I have made a thread in general should anyone wish to discuss this further. Most of this is applicable to all Oppo devices and there are people that have looked at this in different ways and found different things out when trying to unlock fastboot on other devices. I think it would be useful to have somewhere to discuss unlocking fastboot on Oppo devices in general.
[DISCUSSION] A thread to collate and share what is known about unlocking fastboot on Oppo devices
Admin: Please move/delete this thread if it is in the wrong place or against the rules. I wanted to create a thread to discuss unlocking fastboot mode on Oppo devices in general, rather than discussing it in terms of any one device in...
forum.xda-developers.com