An idea for disabling latest security check or even drm - Xperia Z5 Android Development

Hey fellow XDA members, I want to share an idea about how to disable the latest security check or even the DRM check (in case of an unlocked bootloader).
We all know Sony has a TA partition which contains certificates which are used to start the functioning of the X-Reality/BIONZ engine and the noise cancellation engine, and which, when we unlock the bootloader, are wiped away by wiping the TA partition or parts of it.
So after wiping it, when the phone boots, the OS will be doing some security checks which involve checking the certificates, and if the certificate is not available, the OS will disable certain functional parts and binaries which are responsible for starting X-Reality/BIONZ and noise cancellation. So if we are able to stop that security check or intercept the returned value (just like what Xposed does), then we can possibly stop these problems.
Another point to be noted is that we can't use any apps or such things to stop these things, because this check is one of the first things that happens when the OS boots. Those who have examined the logcat will always see a TA certificate check that happens at several instances; especially, it happens when the OS boots.
Now, we had a similar situation before: Sony's RIC policy. That too was running at boot time, even before the OS boots. But we were able to disable it (huge thanks to the clever developer). So my point is... if we can analyse and kill the DRM check or pass a verification-true value to the corresponding check via some scripts similar to the "RIC killer script", can't we possibly disable this condition?
Any discussions are welcome, and ideas and trial-and-error scripts are also welcome.. you don't need a particular device to check this.. as far as I know all Z series (just because I had only owned the Z, Z1, Z2, Z3 so far) have this. But the bad thing is, I don't own a Sony now. Switched to an Edge Plus for now. But once this can be done.. I will switch back to the Z series again.. because I just love Sony.
Request to Moderator: I have created this thread here to catch more attention for this development. But if you feel this thread belongs somewhere else (as this can be a cross-platform hack) you can move it to the corresponding section.
Thanks all

Is it worth the effort?
You can hack anything if you have the resources.
Most important are (in decreasing order):
- knowledge
- time
- determination
- documentation (preferably official - unlikely for breaking DRM)
- tools (debugger sw, maybe even special hardware for debugging ROMs)
e.g. noise cancellation
If it is "in" the software and just disabled when a certain check fails:
Then you could monitor the software in the debugger and patch the check to deliver your desired outcome each time the check runs.
This is a very simple scenario.
There are anti-reverse-engineering measures available that - see resources, esp. point 1 - can be overcome. SONY uses some of them and stacks them one over the other.
With each update of any involved component the cycle must be repeated as the crafted patch probably won't work anymore ...

DHGE said:
You can hack anything if you have the resources.
Most important are (in decreasing order):
- knowledge
- time
- determination
- documentation (preferably official - unlikely for breaking DRM)
- tools (debugger sw, maybe even special hardware for debugging ROMs)
e.g. noise cancellation
If it is "in" the software and just disabled when a certain check fails:
Then you could monitor the software in the debugger and patch the check to deliver your desired outcome each time the check runs.
This is a very simple scenario.
There are anti-reverse-engineering measures available that - see resources, esp. point 1 - can be overcome. SONY uses some of them and stacks them one over the other.
With each update of any involved component the cycle must be repeated as the crafted patch probably won't work anymore ...
Ya, that is the case to be considered. But you know, the thing is, if we find the suitable patch once, we can make it work on future versions also. And it is 100% true that these loopholes will be patched once they get notified. That may be the exact thing that happened with Sony's latest security procedures.

Sony reads our development, testing & achievements on XDA with greedy eyes.
They can learn & join us.
This to listen to their customers & improve their products.
One hand washes the other
Sent from my E6653 @ XDA Portal

Noise reduction and noise cancellation are two different things. Noise cancellation (as in audio) is not affected by unlocking the bootloader.

blakwhite said:
Noise reduction and noise cancellation are two different things. Noise cancellation (as in audio) is not affected by unlocking the bootloader.
DRM function hack is a pretty complex procedure. But it can be done. @jimRnor actually did it from Z - Z3, but it seems it doesn't work for Z5. (Not sure about the Z3+/Z4, which doesn't even seem to exist in the world)

Please don't get excited about my example .
To clarify what I mean with stacked measures:
In the boot process the device checks the signatures of the system software. Once you patch any bit there, the device does not boot anymore. You cannot just calculate another signature since this is signed by SONY's private key. You'd have to steal it, they revoke it ...
So you have to (thanks SONY, we can!) unlock the bootloader to flash a new kernel that disables the checking (search here or on the web for DM_VERITY).
SONY has another proprietary measure: RIC (on top of DM_VERITY, which is an Android/Linux feature since KitKat; universally in use since Lollipop).
Then you have SELinux...

DHGE said:
Please don't get excited about my example .
To clarify what I mean with stacked measures:
In the boot process the device checks the signatures of the system software. Once you patch any bit there, the device does not boot anymore. You cannot just calculate another signature since this is signed by SONY's private key. You'd have to steal it, they revoke it ...
So you have to (thanks SONY, we can!) unlock the bootloader to flash a new kernel that disables the checking (search here or on the web for DM_VERITY).
SONY has another proprietary measure: RIC (on top of DM_VERITY, which is an Android/Linux feature since KitKat; universally in use since Lollipop).
Then you have SELinux...
Ya, I know that. I know exactly what happens, just because I have been with Sony devices for 4 years.
What I said is not about altering the original signature or changing anything in the TA partition. This is about disabling the DRM check (sure, it can be disabled) and nothing happens with boot (if something happened with boot, there is no way we could work with a device having an unlocked bootloader).
If you have checked the logcats and compared... then you can see that the DRM check actually does not stop on an unlocked bootloader. It is still functioning. The only difference is the values it passes to the OS.
In a simple way the values will be:
1 for locked bootloader
0 for unlocked bootloader.
So I was thinking of stopping that check... or just editing that DRM check binary to pass a value of 1 under any condition.
Sure, these values are accepted by the OS and not by the kernel or partition or something else. It's just like a condition check by the OS..
Something like:
    If value == this
        Do this;
    else
        Do something else...
(lol, this is the baddest programming condition description ever to have happened on earth!!!)
So there is a 3rd possibility too.. alter/patch system files or services.
Also, the point to be noted is, this is all just software based.. sure we can't crack an encrypted signature checksum. But we can surely crack some code..

Let's clarify some points:
- If you unlock the BL, you lose the TA partition contents.
- Even if you patch the DRM check binary, the DRM keys are needed to make the stuff work, so it won't matter if you return a 1.
I own a Z3 and a Z5 and I know a locked-BL root method is the only way; an unlocked BL voids the warranty and it will make the phone less valuable in terms of selling it. You can try to lock the BL but you will never restore the TA.
But that's my opinion.
Sent from my E6653 using Tapatalk
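As an added example, not code from this thread or from Sony, here is a Python model of the contrast McQueen draws above: an engine gated only by the 1/0 DRM flag starts as soon as the check is patched, while an engine whose tuning data is sealed under the TA key still fails after a wipe, whatever the check returns. The key, the sealed blob, the TA layout and the engine names are constructed stand-ins, and the HMAC-based sealing is a toy scheme chosen so the model runs on the standard library.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed stand-in for the device-unique DRM key kept in the TA partition
# (an example value, not a real key or a real TA layout).
DEVICE_DRM_KEY = hashlib.sha256(b"constructed-device-unique-drm-key").digest()


def make_ta(intact: bool) -> dict:
    """Model of the TA partition: intact keeps the DRM key, a bootloader unlock wipes it."""
    return {"drm_key": DEVICE_DRM_KEY} if intact else {}


def drm_check(ta: dict) -> int:
    """The boolean check the thread describes: 1 = intact/locked, 0 = wiped/unlocked."""
    return 1 if "drm_key" in ta else 0


def patched_drm_check(ta: dict) -> int:
    """The patch proposed in the thread: report 'intact' under any condition."""
    return 1


# Design 1: the engine is gated only by the flag the check returns.
def engine_start_flag_gated(ta: dict, check: Callable[[dict], int] = drm_check) -> bool:
    return check(ta) == 1


# Toy encrypt-then-MAC from HMAC-SHA256 so the model runs on the standard
# library alone; a constructed scheme, not Sony's format.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong key or tampered blob: fail closed
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Design 2: the engine's tuning data is sealed under the TA key at build time;
# it can only start if it can unseal that data, whatever the check reports.
ENGINE_TUNING_PLAINTEXT = b"x-reality tuning tables (constructed)"
ENGINE_TUNING = seal(DEVICE_DRM_KEY, ENGINE_TUNING_PLAINTEXT)


def engine_start_key_bound(ta: dict, check: Callable[[dict], int] = drm_check) -> bool:
    if check(ta) != 1:
        return False
    key = ta.get("drm_key", b"\x00" * 32)  # after a wipe there is no key to use
    return open_sealed(key, ENGINE_TUNING) is not None


def scenarios() -> Dict[str, bool]:
    """The situations the thread argues about, as (design, TA state, check) -> starts?"""
    intact, wiped = make_ta(True), make_ta(False)
    return {
        "flag_gated/intact/stock_check": engine_start_flag_gated(intact),
        "flag_gated/wiped/stock_check": engine_start_flag_gated(wiped),
        "flag_gated/wiped/patched_check": engine_start_flag_gated(wiped, patched_drm_check),
        "key_bound/intact/stock_check": engine_start_key_bound(intact),
        "key_bound/wiped/patched_check": engine_start_key_bound(wiped, patched_drm_check),
    }


if __name__ == "__main__":
    for name, starts in scenarios().items():
        print(f"{name:32} -> {'starts' if starts else 'disabled'}")
```

The last row is the point of the model: once the engine depends on key material rather than on a flag, forcing the check to 1 changes nothing, because the data it needs cannot be unsealed without the wiped key.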

McQueen said:
Let's clarify some points:
- If you unlock the BL, you lose the TA partition contents.
- Even if you patch the DRM check binary, the DRM keys are needed to make the stuff work, so it won't matter if you return a 1.
I own a Z3 and a Z5 and I know a locked-BL root method is the only way; an unlocked BL voids the warranty and it will make the phone less valuable in terms of selling it. You can try to lock the BL but you will never restore the TA.
But that's my opinion.
Sent from my E6653 using Tapatalk
I think that's not fully correct. Because even though a wipe happens to the TA partition, the partition itself may not be erased. And the TA partition is not empty even if you unlock.. there may still be something available in it, like the IMEI, MAC ID, or some other hardware IDs (the reason behind this guess is that IF YOU RESTORE THE WRONG TA FROM ANOTHER SIMILAR PHONE TO YOUR TA, IT WILL HARD BRICK YOUR PHONE, THAT MAY BE BECAUSE OF SOME UNMATCHING HARDWARE IDs). So I guess even after the wipe happens, the kernel or the OS copies something back into the TA partition on the next boot. And then there is only one thing missing in the TA. That is the certificates.
In case of keys... yes, digital signature keys are used to decrypt certificate contents (google about digital certificate signing). And since there will be no certificate available to decrypt, there is no use for the keys, whether they are present or not, in case of an unlocked bootloader. But I am thinking about the possibilities of hacking into the procedures after the certificate check happens.
I.e., it is possible that the DRM check binaries will get and return a value to the OS to notify it about the presence/absence of the certificate. So if we can hack into that returned value.. we can possibly make the OS think that everything is still intact.
That's the whole idea behind this. I hope you understand.

Guys, check this... As I told you always... there are still people out there who can make things happen... This is all you need for now.. Start unlocking your bootloaders...
http://forum.xda-developers.com/xpe...-credentials-restore-unlocking-t3296383/page1

Related

Warning ahead of unlocking bootloader

http://support.setool.net/showthread.php?3-UPDATES-AND-NEWS&p=74240#post74240
read down to Oct 27 news update.
This should kinda serve as a general warning to those who want to unlock their bootloader, though it is not fully confirmed as of yet
Please check production date of your model before any attempt
Oh, that's so scary. My phone is an E16i and has a date of 11W34.
I was able to unlock and relock the bootloader so many times... does it mean that my phone will not get bad luck on that?
What's the resurrection cable method?
Sent from my E15i using xda premium
vientito said:
read down to Oct 27 news update.
This should kinda serve as a general warning to those who want to unlock their bootloader, though it is not fully confirmed as of yet
Please check production date of your model before any attempt
To spare everyone the trouble, here's the text of the post in question:
seems most of the lately produced msm7227-based phones have a chipset with a FIXED security hole, which used to altbypass unlock.
(that is not 100% confirmed, we only have a few reports, however better be warned)
such phones will DIE after a successful unlock procedure.
such dead phones CANNOT be recovered. (perhaps jtag can fix that; perhaps qualcomm fixed the jtag security hole too)
there is NO WAY to determine if a phone has the fixed chipset or the chipset with the security hole.
the ONLY safe way is to use unlock by resurrection cables.
if the phone can be connected and booted by resurrection cables, the phone is safe to unlock.
if the phone cannot be booted by resurrection cables, the phone has the fixed chipset and cannot be unlocked.
you have been warned.
get and use resurrection cables.
update:
e16 phone with manufacture date 11w38 affected; i think we should care about phones produced after 11w26
maliceomalice said:
What's the resurrection cable method?
Seems to be a specially designed interface to access the UART recovery mode on a hard-bricked device (very low-level stuff, comes right after JTAG'ing). See this YouTube link.
If anyone of you ever followed the awesome Samsung unbrick posts by Adam Outler you should have an idea what UART access means and therefore should have a clue about what the "recovery cable" device is able to do.
The only thing that doesn't add up ... the recovery cable video doesn't show any interface for the W8/E16.
So does it mean newer phones can't unlock the bootloader? So my W8 I bought last week that got bricked during unlocking the bootloader might be a victim of this new security hole? Oh ya... why must SE do this? To prevent us from bootloading?
....... I got my X8 12 months ago and I successfully unlocked my bootloader. But what you're basically saying is that newer phones can't be unlocked.. like the unlock tool for new phones is a deathtrap? Woooo. Watch out, new buyers
sent from my x8 running gingerdx
Simply put, SE has a lot of stakes to protect.
wilbso said:
But what you're basically saying is that newer phones can't be unlocked.. like the unlock tool for new phones is a deathtrap?
That's the point in case. If the phone is within the specified date of manufacturing you can successfully unlock the bootloader, but after you did the stunt and reboot the device it's basically hard bricked beyond "do it yourself at home" repair possibilities.
The best shot you then have left is to find a repair shop having a RIFF Box (JTAG) or the aforementioned Resurrection Cable (UART Recover) to breathe new life into the device.
However, it's at least good to know that this pithole is there (though I find it fascinating that they kept on fixing up the hardware flaws - or hardware based security holes - in the chipset). EDIT: Might also explain why some people experience weird problems with custom ROMs the majority isn't able to reproduce.
Mine's an 11W28, I unlocked my bootloader and it's not bricked.......
B.Jay said:
That's the point in case. If the phone is within the specified date of manufacturing you can successfully unlock the bootloader, but after you did the stunt and reboot the device it's basically hard bricked beyond "do it yourself at home" repair possibilities.
The best shot you then have left is to find a repair shop having a RIFF Box (JTAG) or the aforementioned Resurrection Cable (UART Recover) to breathe new life into the device.
However, it's at least good to know that this pithole is there (though I find it fascinating that they kept on fixing up the hardware flaws - or hardware based security holes - in the chipset). EDIT: Might also explain why some people experience weird problems with custom ROMs the majority isn't able to reproduce.
Mine must have been within the specified date cuz, like I said before,
I unlocked it successfully, it works perfectly. But yeah, thanks for the explanation
sent from my x8 running gingerdx
wilbso said:
....... I got my X8 12 months ago and I successfully unlocked my bootloader.
wilbso said:
Mine must have been within the specified date cuz like I said before I unlocked it successfully, it works perfectly.
If you got yours 12 MONTHS ago ... No, yours is NOT in the specified date!
11w26 (and onwards) seem to be problematic
11w38 (and onwards) seem to be sure hard brick
2011, wilbso - NOT 2010 (hint: we're still in 2011 for a few more days)
B.Jay said:
If you got yours 12 MONTHS ago ... No, yours is NOT in the specified date!
11w26 (and onwards) seem to be problematic
11w38 (and onwards) seem to be sure hard brick
2011, wilbso - NOT 2010 (hint: we're still in 2011 for a few more days)
Just cuz I got it 12 months ago doesn't mean the model was created then.... on the back of my X8 it says 10w47, is that specific enough for ya?
sent from my x8 running gingerdx
Plus my phone is an E15, not an E16; as mentioned in an earlier post, it's E16 not E15 phones that will have the problem
sent from my x8 running gingerdx
amnher said:
Oh, that's so scary. My phone is an E16i and has a date of 11W34.
I was able to unlock and relock the bootloader so many times... does it mean that my phone will not get bad luck on that?
Mine is 11w33, not bricked..., and I always change between many custom kernels....
Can you explain that to me...?
@wilbso:
U mad, bro?
donny_mey said:
Mine is 11w33, not bricked..., and I always change between many custom kernels....
Can you explain that to me...?
Well, as we can only speculate on the Engrish post TheLaser made on the site from where the info comes from ...
W8/E16 phones within the range of 11W26 through 11W37 seem to be problematic. I interpret this as "there's some hardware fix though it can be worked around in software". If this now refers to flashtool or the replacement bootloader binary is up for anyone's guess.
11W38 and onwards seems to be a candidate for a sure kill after unlocking the bootloader. I interpret this as "the new bootloader binary that gets installed doesn't manage to start up because various 'security holes' have been fixed in the hardware therefore rendering the code defunct". That would at least explain why such hard bricks show no sign of life anymore at all (no LED, no screen, no nothing).
If you find a better theory or a better detailed description written in non-Engrish type ahead ...
B.Jay said:
@wilbso:
U mad, bro?
Well, as we can only speculate on the Engrish post TheLaser made on the site from where the info comes from ...
W8/E16 phones within the range of 11W26 through 11W37 seem to be problematic. I interpret this as "there's some hardware fix though it can be worked around in software". If this now refers to flashtool or the replacement bootloader binary is up for anyone's guess.
11W38 and onwards seems to be a candidate for a sure kill after unlocking the bootloader. I interpret this as "the new bootloader binary that gets installed doesn't manage to start up because various 'security holes' have been fixed in the hardware therefore rendering the code defunct". That would at least explain why such hard bricks show no sign of life anymore at all (no LED, no screen, no nothing).
If you find a better theory or a better detailed description written in non-Engrish type ahead ...
I'm really sure about that, but 11w38 maybe gets killed with this act....
But I'm not sure about this,,,, or is this a promotion tool from SE tool, and we must buy it if we want to unlock that...
Is that right...???
donny_mey said:
But I'm not sure about this,,,, or is this a promotion tool from SE tool, and we must buy it if we want to unlock that...
This is not a promotion from SE or any other company. The fact behind this is...
...that if you have a hard bricked W8 you need the "resurrection cable" thingy to _maybe_ restore the firmware on the phone (as there's no intel on how the "resurrection" is possible on the aforementioned models it's yet another guess based on what has been written all over the place (read: "observation"), therefore the "maybe").
...that the safest way to attempt a bootloader unlock on said phones is to do it through the "resurrection cable" as only there you can tell IF it will work or not.
The only "promotion" in all of it is the heads-up on that piece of hardware a do-it-yourself-at-home technician (or privateer wanting to specialize in unbricking dead phones) may need - and that's all.
B.Jay said:
@wilbso:
U mad, bro? Is the 10w47 within the specified date? Because I unlocked the bootloader without trouble
Well, as we can only speculate on the Engrish post TheLaser made on the site from where the info comes from ...
W8/E16 phones within the range of 11W26 through 11W37 seem to be problematic. I interpret this as "there's some hardware fix though it can be worked around in software". If this now refers to flashtool or the replacement bootloader binary is up for anyone's guess.
11W38 and onwards seems to be a candidate for a sure kill after unlocking the bootloader. I interpret this as "the new bootloader binary that gets installed doesn't manage to start up because various 'security holes' have been fixed in the hardware therefore rendering the code defunct". That would at least explain why such hard bricks show no sign of life anymore at all (no LED, no screen, no nothing).
If you find a better theory or a better detailed description written in non-Engrish type ahead ...
Sorry.... is 10w47 in the specified date? Cuz I managed to unlock the bootloader and flash a custom kernel. I'm about to flash another soon, just need your opinion
sent from my x8 running gingerdx
wilbso said:
is 10w47 in the specified date? Cuz I managed to unlock the bootloader and flash a custom kernel. I'm about to flash another soon, just need your opinion
10W## through 11W25 should be considered safe
(where 10W## means "from start of production all through 2010")
11W26 through 11W37 could turn out to be problematic
(though I'm not sure what Laser means by that exactly)
11W38 and newer are supposed to hard brick
("no sign of life" .. no LED, no vibrate, no screen, no flash-mode connection)
Note that this seems to apply to the W8 E16 AND X8 E15 as well ... in one of tohno's threads we have a hard bricked X8 (11W43) mentioned.
I'm still trying to make head and tails out of the random info, but I think it's safe to say that one should better have a look at the manufacturing code before trying to unlock the bootloader to avoid a bad awakening.
Edit: On a second thought ... while we're still lacking in-depth details I think someone should prod one of the mods to post a sticky tagged as "[WARNING] Read BEFORE attempting bootloader unlock".
I can confirm a hard brick on my Xperia x8 (11w40) when trying to unlock my bootloader.

[Q&A] Collection

Disclaimer: I try my best to produce valid answers, but if you have no idea what you're doing, don't do it.
Terms and Definitions
NVflash / APX mode
This is the lowest level of software that can talk to an Nvidia Tegra device. Basically this is the Holy Grail of memory modification, which can even fix a damaged bootloader.
To use it, one boots the tablet with [Vol +] + [Power]. This will lead to the PC detecting an "APX" device. The screen stays blank.
This is no working solution for anything yet, as not only is there no leaked NVflash binary yet, but also the communication is encrypted via a unique 128-bit AES key. This key is at no stage accessible, but can be used to encrypt data during boot. This is where the wheelie tool for previous Transformers was of help. The communication itself happens via a protocol called nv3p, which actually is open source, but as long as the key is unreachable, that's not a lot of use. NOTE: I will create an extra post with a lot more details about this.
Fastboot
The Android Bootloader.
This is the essential part of software which loads Android/a Recovery image/rooting ramfs/etc.
This is the most delicate part in the Android boot process, as fastboot is the lowest level of communication we have so far. In other words: The only way to fix a damaged bootloader would be NVflash, which is not yet available for this device.
Generally the Bootloader is locked as a method to prevent unauthorized access to data stored on the device. A locked Bootloader means no Fastboot.
Bootloader unlocking
To gain access to fastboot devices, the Bootloader needs to be unlocked. This can be as simple as installing an APK provided by the manufacturer or running "fastboot unlock".
Unlocking the Bootloader always leads to three resulting actions: Fastboot now works, all data on the device is wiped, the device's warranty is now void.
Unlocking the bootloader via unlock app can require you to have internet access and a valid google account. This can be problematic in the case of one-time-passwords, as the normal password will possibly not work (and you'll wonder why the heck it doesn't run).
Bootloader locking
This is (at least currently) not possible. Warranty void remains permanent.
RamFS
Simple file system in a file, which gets loaded into RAM. We use this for rooting.
Boot image
A file generally called "boot.img". This contains the kernel.
Recovery image
A partition image that contains a bootable Linux kernel and file system, which serve the purpose of creating and restoring nandroid backups and performing related tasks.
Brick - general
A device with messed up software, not being able to boot let alone perform any higher task other than being a brick.
Soft brick
A device not booting, which still responds to fastboot queries.
Hard brick / Brick
Fastboot doesn't work anymore. Maybe a visible boot loop, maybe nothing. The only point in which this differs from scrap is the ability to get into APX mode.
Chances are, there will be a way to use NVflash to fix this sometime.
Unbrick
Fixing a bricked device. Currently only soft bricked devices can be unbricked.
Root
General term for having super user abilities on a linux powered device. This can be used for reading/writing/executing restricted files, modifying things, loading custom ROMs etc.
Also having Root can mean "running with scissors", as there's not much left to prevent you from deleting important files and bricking your device.
Remember: Having Root is a very useful device, but with power comes responsibility. Also there is Android malware, which specifically targets rooted devices.
Rooting
The process of gaining Root. In early methods this generally starts with unlocking the device's Bootloader, then booting a Kernel with a purposely prepared ramfs to install and modify certain files.
As always, unlocking the Bootloader means all data will be wiped. By chance at some point someone will figure out a way to do this without unlocking.
ROM
A stock or custom Android ROM image. This contains everything needed for a running system. Custom ROMs contain tweaks, themes, improvements, styles, preloaded apps etc. Also, more often than not, a load of bloatware will be removed.
Bloatware
Apps nobody needs/many fail to understand what they actually do/bring new ways to crash your device/sniff your precious data/revive long fixed and forgotten security leaks/the manufacturer adds to promote sales ("hey look, we've got an app for that pre installed").
Most importantly, cannot be removed from your device without Root.
Stock
A mint Android ROM, just like what the device gets shipped with.
Guides
Rooting
Requirements: Currently none
Compatible versions: anything > 10.14.1.47
Method: Booting custom Kernel and ramfs
Status: Proven
Link: http://forum.xda-developers.com/showthread.php?t=2516215
Recovery
Creator: Drgravy
Version: 6.0.3.7
Status: Abandoned but functional
Requirements: Bootloader <= 10.14.1.47 (this will not work with 10.26.1.7. Trying to do so will not work, but the device will still boot Android as usual.)
Link: http://forum.xda-developers.com/showthread.php?t=2524401
Recovery
Creator: lpdunwell
Version: 6.0.4.5
Status: Experimental, WIP
Requirements: Bootloader >= 10.26.1.7
Link: http://forum.xda-developers.com/showthread.php?t=2556944
Various information
Hardware assembly date
On the box, rear side label.
Partition information / Unbricking
Link: http://forum.xda-developers.com/showthread.php?t=2546941
Keyboard key remapping
The physical keyboard has custom keys, with functions of debatable value. Here's how to remap them to suit your needs.
Note: This also works for other ASUS Transformers.
Warning: Backup any file you attempt to edit!
Method: The keyboard mapping is described in /system/usr/keylayout/asuspec.kl. The structure is pretty straight forward.
After saving the file, reboot the device.
Code:
Key      Function   Key number   Text
lock     Delete     142          "key 142 FORWARD_DEL WAKE UNLOCK"
search   ALT        217          "key 217 ALT_LEFT WAKE UNLOCK"
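Added example, not part of the guide: a small Python helper that applies the remap above to a .kl file by key number instead of hand-editing it, keeping comments, spacing and flags, refusing duplicate entries and writing the backup the warning asks for. The sample layout and its labels for keys 142 and 217 are constructed placeholders; the only path used is the one the guide names.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed excerpt in the Android .kl (key layout) format the guide edits.
# The labels for 142 and 217 are placeholders, not the real asuspec.kl entries.
SAMPLE_KL = """\
# asuspec.kl (constructed sample)
key 1     ESCAPE
key 142   PLACEHOLDER_LOCK      WAKE UNLOCK
key 217   PLACEHOLDER_SEARCH    WAKE UNLOCK
key 232   DPAD_CENTER
"""

# Path the guide names on the TF701; only used by apply_remap_file().
ASUSPEC_KL = "/system/usr/keylayout/asuspec.kl"

# key <number> <LABEL> [flags...]; the groups keep the original spacing so a
# rewritten line differs from the original only in its label.
KEY_LINE = re.compile(r"^(\s*key\s+)(\d+)(\s+)(\S+)(.*)$")

# The remap from the table above: lock -> forward delete, search -> left ALT.
GUIDE_REMAP = {142: "FORWARD_DEL", 217: "ALT_LEFT"}


def parse_kl(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Return {key number: (label, flags)}; comments and blank lines are skipped."""
    table: Dict[int, Tuple[str, List[str]]] = {}
    for line in text.split("\n"):
        m = KEY_LINE.match(line)
        if not m:
            continue
        code = int(m.group(2))
        if code in table:
            raise ValueError(f"duplicate key number {code} in layout")
        table[code] = (m.group(4), m.group(5).split())
    return table


def remap_kl(text: str, mapping: Dict[int, str]) -> str:
    """Replace the label of each listed key number, leaving every other line untouched."""
    parse_kl(text)  # fail early on a malformed or duplicate layout
    seen = set()
    lines = text.split("\n")
    for i, line in enumerate(lines):
        m = KEY_LINE.match(line)
        if m and int(m.group(2)) in mapping:
            code = int(m.group(2))
            seen.add(code)
            lines[i] = f"{m.group(1)}{m.group(2)}{m.group(3)}{mapping[code]}{m.group(5)}"
    missing = set(mapping) - seen
    if missing:
        raise KeyError(f"key numbers not present in layout: {sorted(missing)}")
    return "\n".join(lines)


def apply_remap_file(path: str = ASUSPEC_KL, mapping: Dict[int, str] = GUIDE_REMAP) -> str:
    """Back up <path> to <path>.bak, then write the remapped layout; returns the backup path."""
    src = Path(path)
    original = src.read_text()
    backup = src.with_suffix(src.suffix + ".bak")
    if not backup.exists():  # keep the first backup, never overwrite it
        backup.write_text(original)
    src.write_text(remap_kl(original, mapping))
    return str(backup)


if __name__ == "__main__":
    print(remap_kl(SAMPLE_KL, GUIDE_REMAP))
```

On the device this runs as root after remounting /system read-write; as the guide says, reboot afterwards for the new layout to take effect.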
HDMI configuration
The HDMI resolution can be adjusted. This can be handy under certain circumstances, although results may vary.
Method: Via terminal; disable frame buffer 1, change resolution, enable frame buffer 1
Info: To get a list of valid settings, run "cat /sys/class/graphics/fb0/modes".
This will reset at reboot.
This example enforces 1920x1200 @ 59Hz, in my case to force a HP Compaq monitor to keep running (without this it'll go to sleep for whatever reason).
Code:
echo 0 > /sys/class/graphics/fb1/device/enable
echo "D:1920x1200p-59" > /sys/class/graphics/fb1/mode
echo 1 > /sys/class/graphics/fb1/device/enable
Teardown
Teardown with two images and a brief description of the process: http://forum.xda-developers.com/showthread.php?t=2564143
Q&A
Q: "I have never rooted anything before. Can you send me some fairy dust to fix my bricked tablet if anything goes wrong?"
A: No. And if you are not absolutely sure of what you're doing, there's a fair chance you'll mess it up. Been there, done that.
Q: "What are known causes of bricked TF701?"
A:
Failed upgrade
Flashing incompatible boot.img and blob
Flashing something other than blob to staging
Removal of important files after rooting
Q: "I had a quick look at your instructions for xxx and I don't understand..."
A: Tough luck.
Q: "I re-read your instructions for xxx, searched the forum and I still cannot understand..."
A: Check if there's a matching thread. If there isn't create one with a diagnostically conclusive title. Use as much detail as possible.
Final notes
I hope this helps. As always, updates will follow.
Want to see your tutorial/guide/etc. here? Send me a detailed PM with the subject "TF701 Q&A extension".
You can help making this even better!
Found a mistake or believe I'm wrong about something? Let's discuss it.
Has this helped you? Consider clicking thanks.
THANK YOU for the hack to get a forward delete on the keyboard! That has been bugging me for a year!
Works just the same on the TF700 keyboard, btw.
Ask the mod to make it sticky, then it will always be at the top of the main thread.
Sent from my superfast Asus Infinity TF701 with Dock
Snah001 said:
Ask the mod to make it sticky, then it will always be at the top of the main thread.
Sent from my superfast Asus Infinity TF701 with Dock
He is retired .... Doesn't reply to any request ...
berndblb said:
THANK YOU for the hack to get a forward delete on the keyboard! That has been bugging me for a year!
Works just the same on the TF700 keyboard, btw.
yeah, the keymapping crap...
I found tons of "unpack this apk, edit soandso..." but I wanted to have it changed on a lower level. the remapping should work on most if not all transformers, and be easily portable to anything that has a hardware keyboard...
Rikodu said:
He is retired .... Doesn't reply to any request ...
Huh? Wut?????
Considering this is the first "Q & A" post, I will sticky it.
Provided the OP updates and maintains it.
MD
I'm pretty sure the resolution hack can be improved, but it's all I needed for now...
anybody write an app for that?
Moscow Desire said:
Huh? Wut?????
Considering this is the first "Q & A" post, I will sticky it.
Provided the OP updates and maintains it.
MD
go for it, it's sinking...
cheers
lpdunwell said:
go for it, it's sinking...
cheers
Seeing if you were paying attention..... :good:
lol
Maybe you could explain where to see the build date.
As far as I know it's in the serial number after the characters. But in my case (and maybe others) I can't see a date in 160074.
done
hard bricked tf701t
Dear lpdunwell,
I have a bricked TF701, only the Asus logo is shown and it bootloops, the fastboot menu is broken as well. Only APX mode is working, but I could not find an appropriate nvflash for my pad (as I see there is no nvflash currently available for my tab)
In your explanation about bricked devices, you wrote that there is a possibility to recover the TF701?
Please describe which nvflash version I should use to succeed?
Thanks in advance,
stream1313
stream1313 said:
Dear lpdunwell,
I have a bricked TF701, only the Asus logo is shown and it bootloops, the fastboot menu is broken as well. Only APX mode is working, but I could not find an appropriate nvflash for my pad (as I see there is no nvflash currently available for my tab)
In your explanation about bricked devices, you wrote that there is a possibility to recover the TF701?
Please describe which nvflash version I should use to succeed?
Thanks in advance,
stream1313
Sorry mate, we don't have nvflash and it is too late for you now anyway. If you only have access to APX you are hard bricked. Best to sell it for parts and move on.... Or if you want to revive it, send it to Asus to fix at a cost, or source a replacement mainboard and do it yourself.
sbdags said:
Sorry mate, we don't have nvflash and it is too late for you now anyway. If you only have access to APX you are hard bricked. Best to sell it for parts and move on.... Or if you want to revive it, send it to Asus to fix at a cost, or source a replacement mainboard and do it yourself.
Hi man.. Why do you think I have to forget about my toy.. It was my Christmas (New Year in Tbilisi, Georgia, opposite planet side) present to myself. But that is all lyric only
Pls explain - do you really think that, for example, several weeks / months later somebody will create nvflash or any similar SW which will be able to fix my problem? Actually I believe that as long as all electronic components are ok, the device is not "dead" forever... Why are you so pessimistic exactly about the 701 Transformer tab? Pls reply if you have time
Kind regards,
Stan
stream1313 said:
Hi man.. Why do you think I have to forget about my toy.. It was my Christmas (New Year in Tbilisi, Georgia, opposite planet side) present to myself. But that is all lyric only
Pls explain - do you really think that, for example, several weeks / months later somebody will create nvflash or any similar SW which will be able to fix my problem? Actually I believe that as long as all electronic components are ok, the device is not "dead" forever... Why are you so pessimistic exactly about the 701 Transformer tab? Pls reply if you have time
Kind regards,
Stan
The way nvflash works is you need to flash the special bootloader to extract your device blobs and device-specific keys. As you haven't been able to do it, and you CANNOT do it once you have bricked, you will have no chance. How are you going to flash a bootloader that you need fastboot for?
Sorry to bring bad news but if you only have APX with no saved nv flash files (which is not yet avail for our device) then you currently have 0% chance of recovering.
sbdags said:
The way nvflash works is you need to flash the special bootloader to extract your device blobs and device-specific keys. As you haven't been able to do it, and you CANNOT do it once you have bricked, you will have no chance. How are you going to flash a bootloader that you need fastboot for?
Sorry to bring bad news but if you only have APX with no saved nvflash files (which is not yet avail for our device) then you currently have 0% chance of recovering.
Thanks a lot for the reply (as well as for the reply in my other, initial thread). I have only a CWM backup of my tab, on the SD card. But I do not know, does this backup contain all the needed stuff? At least, I did not find saved nvflash or blob files there. Just "blobgenerator" (462Kb) and "blobtester" (370Kb), also some system files with "nv" in the name. But I have no idea whether CWM saves the low-level loader files, at least I was not able to recognize them there...
My apologies for too many questions as well as for my poor English - it is not my native language
Kind regards,
Stan
stream1313 said:
Thanks a lot for the reply (as well as for the reply in my other, initial thread). I have only a CWM backup of my tab, on the SD card. But I do not know, does this backup contain all the needed stuff? At least, I did not find saved nvflash or blob files there. Just "blobgenerator" (462Kb) and "blobtester" (370Kb), also some system files with "nv" in the name. But I have no idea whether CWM saves the low-level loader files, at least I was not able to recognize them there...
My apologies for too many questions as well as for my poor English - it is not my native language
Kind regards,
Stan
No, having CWM backups saved won't help you as you have no way of getting to the bootloader, which would then be used to open the recovery so you could restore. Without a working bootloader you can't proceed. NVFlash uses APX mode to restore the blobs via the wheelie binary. You haven't captured the blobs to restore, and as they are encrypted to your device you can't use anyone else's.
It's a new main board or nothing I'm afraid.
sbdags said:
No, having CWM backups saved won't help you as you have no way of getting to the bootloader, which would then be used to open the recovery so you could restore. Without a working bootloader you can't proceed. NVFlash uses APX mode to restore the blobs via the wheelie binary. You haven't captured the blobs to restore, and as they are encrypted to your device you can't use anyone else's.
It's a new main board or nothing I'm afraid.
I see, everything is clear. Thanks for your time man. But I believe that Asus has some kind of "backdoor" for such cases, for internal usage, of course. Asus's manifesto about "mainboard replacement" is probably just for business; normally there must be some way to crack this protection. I hope somebody from Asus will share some useful info or even software for public usage... Maybe it's my dreams only, I'm realistic (I'm working in IT/IS/GSM/WCDMA, but I'm so far from programming..)
Again, thank you. Pls notify me in case of any news about K00C hack
Problems flashing CWM recovery
stream1313 said:
I see, everything is clear. Thanks for your time man. But I believe that Asus has some kind of "backdoor" for such cases, for internal usage, of course. Asus's manifesto about "mainboard replacement" is probably just for business; normally there must be some way to crack this protection. I hope somebody from Asus will share some useful info or even software for public usage... Maybe it's my dreams only, I'm realistic (I'm working in IT/IS/GSM/WCDMA, but I'm so far from programming..)
Again, thank you. Pls notify me in case of any news about K00C hack
----------------------------------------------------------------------------------------
Sorry, I am not yet familiar with how to ask questions.
I recently bought a TF701T, having used a TF700T for two years and before that the TF101, TF201 and TF300T.
On all these tabs I installed a recovery, CWM or TWRP, and flashed the best ROM I could find. Usually CyanogenMod or CROMi-X.
Everything worked fine, so I was very excited when I got hold of the TF701T with its incredible Q-ratings and smoothness.
Unlocking worked just fine but installing CWM just does not work: flashing with fastboot works OK, but when I boot into recovery the little green man falls down and stays there.
FYI: I am on the latest BL: 10.26.1.28, so newer than the mentioned 10.26.1.18!
Please could anyone respond?
Regards, JOTX10 from the Netherlands.

SOMC and Android Attest Keys From Another Device

I now have 2 XZ1 Compact devices.
1 has missing SOMC keys (DRM) and the other has missing Android Attest keys. This isn't really a problem but I'm just curious.
Could I take the TA-locked.img from the device with SOMC keys present and flash it to the device with them missing or would that also transfer the IMEI and/or other unique information?
Likewise would I take the keymaster64 files from the device with Android Attest key present and copy them to the device with them missing?
@j4nn
I'm a curious chap and up for testing stuff.
Thanks
@uultimaa, never flash TA from a different phone - it would most likely get you a brick.
Using the persist partition from a different phone would not brick it, but would not make the key work either.
You would only get the feeling that the key is present, as shown in the security screen, but if you test with the auditor from this thread you would see that it does not work in fact.
Thank you for stopping me before I did something stupid.
Are you concerned flashing TA-locked.img to another device would brick it because a root shell's required for operations on that partition and it can't be done from fastboot?
I gather the Android Attest key is practically useless on unlocked devices so I'd rather it be unprovisioned. Are you aware of anything else unique/useful in the persist partition that would make flashing it a bad idea?
I think I'll get a 3rd completely locked XZ1 Compact while they're still around. This phone's still the best and I'm concerned about where hardware key attestation is taking "smart" devices.
If you want me to test anything around TEE exploits or anything else I'm up for it.
Thanks
You will get a hard brick without possibility of recovery if you flash the trim area from a different phone!! If that happens but you have a trim area backup, you can recover the phone ONLY with an eMMC hardware tool by restoring the trim area backup. If you don't have a trim area backup and you brick your device, then there is absolutely no way to unbrick it; in that case you can buy a new mainboard. I learned a lesson with that, I can tell you that.

Development Prototype ABL Binary from Nokia XR20 for Bootloader Unlock.

A few months ago a customer asked me to flash a couple of Nokia XR20 prototype units for him, so I managed to get a prototype ABL dump of this phone.
WARNING: This is not a guide! DO NOT TRY IT ON OTHER SNAPDRAGON 480 BASED NOKIA PHONES INCLUDING G50, X10, X20, X100, G300 - UNLESS YOU KNOW WHAT YOU'RE DOING!
To use it:
1. Enable flashing permission with HDK (an internal flash tool used by triple-color company, sorry can't disclose more details about that). Please search for related service online, we don't provide or promote such service.
2. Download Prototype ABL from following URL:
Click here
3. Flash prototype ABL and OEM unlock enabled frp partition manually, then you can confirm bootloader unlock:
Code:
fastboot flash abl TTG-abl.elf
fastboot reboot-bootloader
fastboot flashing unlock
fastboot flashing unlock_critical
4. Once bootloader unlock completed, please reinstall stock OS to restore ABL back to normal.
SHA256 checksum of ABL image: ac8143f6e0b449c39127aedd6463e2b9242cf37ce90a86c2988b885e34b0587f
Root Key Hash of ABL image: 622D3D5FE38C4198DDFABB264034EFDE58B986B510393A0CF163E803A3FD985E
Proof of concept is attached below, thanks to @singhnsk for testing.
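As an added example (not hikari_calyx's code and not part of the post): a small POSIX shell helper that checks the downloaded ABL image against the SHA256 the post publishes before running the post's fastboot sequence, so a corrupted or swapped download is caught before anything is written to the abl partition. It assumes `sha256sum` (or `shasum`) and `fastboot` are on PATH, and that the image is saved under the name TTG-abl.elf used in the post.

```shell
#!/bin/sh
# Added example (not from hikari_calyx's post): gate the post's flashing steps
# behind an integrity check of the downloaded ABL image.

# SHA256 published in the post for the prototype ABL image.
EXPECTED_ABL_SHA256="ac8143f6e0b449c39127aedd6463e2b9242cf37ce90a86c2988b885e34b0587f"

# Print the SHA256 hex digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_abl_checksum FILE EXPECTED
# Returns 0 when FILE's SHA256 matches EXPECTED (case-insensitive), 1 otherwise.
verify_abl_checksum() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# flash_prototype_abl FILE
# Runs the fastboot sequence exactly as given in the post, but only after the
# image's checksum has been verified. Assumes fastboot is on PATH and the
# device is already in fastboot mode with flashing permission enabled.
flash_prototype_abl() {
    abl="$1"
    verify_abl_checksum "$abl" "$EXPECTED_ABL_SHA256" || return 1
    fastboot flash abl "$abl" || return 1
    fastboot reboot-bootloader || return 1
    fastboot flashing unlock || return 1
    fastboot flashing unlock_critical || return 1
}

# Only flash when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--flash" ]; then
    flash_prototype_abl "${2:-TTG-abl.elf}"
fi
```

Run it as `sh abl-check.sh --flash TTG-abl.elf`; on a checksum mismatch it prints both digests and exits without touching the device.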
Bro, Nokia x10 please?
HDK.
Where can I get?
Full name please of this app.
mishak750 said:
HDK.
Where can I get?
Full name please of this app.
nope, you can't use it, even if you get the full name
hikari_calyx said:
A few months ago a customer asked me to flash a couple of Nokia XR20 prototype units for him, so I managed to get a prototype ABL dump of this phone.
WARNING: This is not a guide! DO NOT TRY IT ON OTHER SNAPDRAGON 480 BASED NOKIA PHONES INCLUDING G50, X10, X20, X100, G300 - UNLESS YOU KNOW WHAT YOU'RE DOING!
To use it:
1. Enable flashing permission with HDK (an internal flash tool used by triple-color company, sorry can't disclose more details about that). Please search for related service online, we don't provide or promote such service.
2. Download Prototype ABL from following URL:
Click here
3. Flash prototype ABL and OEM unlock enabled frp partition manually, then you can confirm bootloader unlock:
Code:
fastboot flash abl TTG-abl.elf
fastboot flash frp frp_oemunlock.img
fastboot reboot-bootloader
fastboot oem unlock-go
4. Once bootloader unlock completed, please reinstall stock OS to restore ABL back to normal.
SHA256 checksum of ABL image: ac8143f6e0b449c39127aedd6463e2b9242cf37ce90a86c2988b885e34b0587f
Proof of concept is attached below, thanks to @singhnsk for testing.
man, I'm jealous of XR20 users!
here's hoping that someone will find a X10 prototype soon!
AltFantasy said:
man, I'm jealous of XR20 users!
here's hoping that someone will find a X10 prototype soon!
THAT CAME TRUE, **** YEAH!!!
Posted new topic in X10/ X20 phone section, before reading everything up here...
Seems "up the sh*t creek without a paddle" situation.
Damn Nokia, but if anyone would get it working- I'll subscribe to this topic too.
Cheers!
Visionu said:
Bro, Nokia x10 please?
Prototype ABL binaries from Nokia X10 and X100, for bootloader unlock purpose.
If you've followed my prototype ABL image release topics so far, then you should know where it comes from. This topic will be edited later if X20 one is available. WARNING: This is not a guide! Prototype ABL binaries are provided as-is...
forum.xda-developers.com
Here you go
Trying not to be offtopic, why a decent phone, from a well known brand like Nokia, that often offered android one devices has now low to zero interest from developers? It's not polemic, I am just curious
phaleg said:
Trying not to be offtopic, why a decent phone, from a well known brand like Nokia, that often offered android one devices has now low to zero interest from developers? It's not polemic, I am just curious
Politics + profits = end user loss
As it comes to coders, it's only so far we get allowed to delve into. There was a time when I physically remodded a ZTE phone from a non-functioning device into the best phone at the time, ALL during one day on a PC using no more than 3 tools and 2 ROMs... now you are constrained even in getting access to the bootloader, or the way to extract it without the phone started. Silly win for the Google (Nokia) developers in constraining modifications; with time (loss of sales) that might change, hence "politics"
Anyone managed to enable bootloader access? Mine already had A13 (funk it) with the OEM function access disabled (grey) in developer mode
phaleg said:
Trying not to be offtopic, why a decent phone, from a well known brand like Nokia, that often offered android one devices has now low to zero interest from developers? It's not polemic, I am just curious
because HMD just keeps on locking down everything, and tries to stop people from even unlocking the bootloaders by using broken bootloaders for retail units.
Hikari_Calyx once wrote a whole article on Medium on why it's stupidly hard to unlock the retail units (that are made by HMD), but TL;DR: HMD locks the bootloaders even further every time a new security/feature update is released to its phones by itself, and it even janks the code that makes up the phones' bootloaders, forcing people to use prototype ABL images to unlock the phones.
The fact that you even need prototype/unreleased models of the damn retail units to unlock those units themselves is stupid enough...
As for the older models (e.g: 8 PureView, or 6.1, or whatever before 2021-or-so, I suppose? because there are exceptions, like the G10/G20) though, they're fine. All you need is an unlock key (though, unfortunately, you have to buy the key...), and adb, then use the unlock key, and you're done! Nokia even provided a bootloader unlocking service before (although, they only offered it for a limited time, and it doesn't even work across all of their phones! - they only supported the Nokia 8, and the phone had to run on Android 8 with an old security patch, or else they wouldn't allow the unlocking!)
alegatorul said:
Anyone managed to enable boot loader access? Mine had already A13 (funk it) with oem function access disable (grey) in developer mode
that option is useless. Ignore that.
AltFantasy said:
because HMD just keeps on locking down everything, and tries to stop people from even unlocking the bootloaders by using broken bootloaders for retail units.
Hikari_Calyx once wrote a whole article on Medium on why it's stupidly hard to unlock the retail units (that are made by HMD), but TL;DR: HMD locks the bootloaders even further every time a new security/feature update is released to its phones by itself, and it even janks the code that makes up the phones' bootloaders, forcing people to use prototype ABL images to unlock the phones.
The fact that you even need prototype/unreleased models of the damn retail units to unlock those units themselves is stupid enough...
As for the older models (e.g: 8 PureView, or 6.1, or whatever before 2021-or-so, I suppose? because there are exceptions, like the G10/G20) though, they're fine. All you need is an unlock key (though, unfortunately, you have to buy the key...), and adb, then use the unlock key, and you're done! Nokia even provided a bootloader unlocking service before (although, they only offered it for a limited time, and it doesn't even work across all of their phones! - they only supported the Nokia 8, and the phone had to run on Android 8 with an old security patch, or else they wouldn't allow the unlocking!)
It's sad that Nokia so fiercely fights people that would like to use android "open" as it should be :/
phaleg said:
It's sad that Nokia so fiercely fights people that would like to use android "open" as it should be :/
nah, blame HMD for that.
Nokia is trying to distance itself from its past with their legendary phones (like the N95, E95, N97, 3310, and soooo much more!) now, starting from when they redesigned their logo to a more.... minimalistic look, I guess? and their booths in tech events (e.g: CES) now market their IoT tech, routers, and whatnot...
As for HMD, though, they'll keep on using the old logo, because muh homage to le legendary phones and all that, blah blah. (even though their "new" N95 prototype (you can view it in MrMobile's video about the old Nokia N95) is just essentially very uniform (with just a kickstand built into the camera unit, and speakers that slide out from the left side of the phone....))
HMD or Nokia, the logic is the same; it is strange to be so strict about modding Android from a company that used to produce devices with Android One (if I am not mistaken, that was the type of Android that was very stock, without producers' modifications in the SW)
Right, now back as we should on topic..
How did you manage to unlock the bootloader & install twrp or similar app?
alegatorul said:
Right, now back as we should on topic..
How did you manage to unlock the bootloader & install twrp or similar app?
I don't know if my guide will also work for your device (though, I suspect it'll still work with the XR20, since all you have to do is flashing the ABL, then do the unlocking commands and all), but here's my guide on how to unlock the bootloader.
Do note, however, that my guide is for a different device (the X10), so it has a few differences here and there, from the XR20 (the unlock commands, and the ABL files). Hikari_Calyx has already given you the commands and files in his post, so just grab that from there.
As for TWRP, you'll have to port the recovery to your phone, which means learning programming and dealing with image layouts and whatnot...
phaleg said:
HMD or Nokia, the logic is the same; it is strange to be so strict about modding Android from a company that used to produce devices with Android One (if I am not mistaken, that was the type of Android that was very stock, without producers' modifications in the SW)
hahaha, nah, just because a phone runs Android One, doesn't mean its manufacturer will do such a thing. Android One is just the software/operating system part of the phones, and as for the bootloader (which is in the firmware part of the phone), they can just modify it however they want, for the sake of "security" and "stability" and blah blah blah.
It's just like if PC motherboard manufacturers like MSI and ASUS lock people to just using Windows, without any capabilities to use other OSes (e.g: Linux), then claim that they haven't done any modifications to the OS.
AltFantasy said:
hahaha, nah, just because a phone runs Android One, doesn't mean its manufacturer will do such a thing. Android One is just the software/operating system part of the phones, and as for the bootloader (which is in the firmware part of the phone), they can just modify it however they want, for the sake of "security" and "stability" and blah blah blah.
It's just like if PC motherboard manufacturers like MSI and ASUS lock people to just using Windows, without any capabilities to use other OSes (e.g: Linux)
Cheers mate.
I'll try with unblocking...
Anyway, the phone is 1 month old under warranty still

How To Guide FYI: NE2217 T-mobile (Carrier locked, BL locked) <== Dont Flash Any Other Region w/o reading.

!!! This is a HIGH RISK method of performing any form of modification, if you are on a T-Mobile ne2217 !!!
There are unidentified files that your device might have conflict with, and cause a bootloop!
Proceed at your own risk! You have been warned!
OK, first lemme explain. The NE2217 (10 Pro) itself does not have any special restrictions on it, unlike the CPH2419 (10T), which is an exclusive T-Mobile variant. My guide on region swapping the CPH2419 (10T, link below) is still valid for the NE2217 (US-NA). But there are conditions required, or you will enter an infinite bootloop which becomes unrecoverable without an EDL flash. I do not have the specifics as to exactly which partitions cause this, but basically the bottom line is, IF YOU HAVE NOT UNLOCKED YOUR BOOTLOADER, EVEN IF YOU ARE SIM UNLOCKED, do not attempt to region swap.
There are a couple of partitions that are specially locked, that ONLY become write-capable using the fastboot command "Unlock Critical". Without a bootloader unlock, the Oxygen Updater/Local Update programs CANNOT make the needed changes to the kernel, as well as these other important partitions, which have instructions that implicitly block changing to other regions. I cannot confirm if this exists in other countries with carrier locks, but I do know for a fact that T-Mobile has this enforced on all of the 10 Pro (NE2217) purchased through them.
As mentioned in previous threads that I've replied in, I suspected that the apps Oxygen Updater and Local Update do not have the permissions capable of making direct changes to the boot.img or recovery.img, primarily because those partitions cannot be altered while the system is currently running. These images can only be altered through Fastboot or EDL, thus the need for an MSM Tool if you cannot unlock your bootloader via conventional methods. So what happens is, upon "Pre-boot" those special instructions I spoke of take authority and put the carrier-specific files into an untouchable state that is locked behind the USERDATA partition, so these applications just copy the updated files to the inactive partition and perform the changes during the next boot, and even a hard wipe factory reset does not have the authority to erase the carrier instructions. The only way they are removed is by Unlocking your Bootloader! When you do that, the Qualcomm processor has an embedded command which is required to ERASE the entire Userdata partition, to protect the encrypted files protected by the bootloader lock! You can read about that by googling "Qualcomm Bootloader Unlocking".
Hope that makes sense to the majority of you. So again, the ONLY requirement for you to be able to go from 'ne2217', to any other fw is YOUR BOOTLOADER MUST BE UNLOCKED!
Failure to follow that one requirement will indeed force your device into an unusable, infinite bootloop, which can be resolved only by an EDL flash, which as of right now we do not have the tools that can perform this on CONSUMER level. You will have to RMA, your device, or go thru third party channels, which in itself is very risky, and puts you at risk of viruses/malware/wormholes/zombie-apocalypse because you must give someone full access to your computer remotely, and pray that the person only does what you requested. (NOT IDEAL).
Now if you're on a T-Mobile locked device, you are NOT hopeless... as I am on a T-Mobile locked device, and I am now bootloader unlocked as well! These two conditions are independent of each other, but trust me when I tell you that YOU DO NOT WANT TO GO THRU WHAT I HAVE EXPERIENCED, IN ORDER TO REACH THIS GOAL!
So I will not publicly disclose how I was able to enter the real Fastboot Mode, so that I could pull the unlock code needed to request the unlock token from T-Mobile.
(If you are so inclined to do this that you are willing to forgo ALL precautions and risk the possibility of bricking your device, or you have already landed yourself in an unrecoverable bootloop state, and are willing to try ANYTHING, you can join Bootloopers Anonymous, by clicking it, and drop a message. This is a brand new Telegram channel, and I will try to watch it for your requests. And again I strongly advise that you DO NOT embark on MY adventure, but if Unlocked Bootloader by Any Means Necessary is your ultimate goal, and nothing less is acceptable, I will try to help you achieve it... *** YOUR DEVICE WILL ENTER A COMPLETELY UNUSABLE STATE FOR A MINIMUM OF 7 DAYS!! *** but bear in mind that EVEN IF you have to use my method, you will still be subject to the 7-day waiting period outlined by OnePlus company policy. No one can overcome that, as the unlock token comes thru a separate division of Oppo/OnePlus that only generates the token through an automated request which is pushed after the expiration of 7 full days (1 week) has passed. YOU HAVE BEEN WARNED!)
The 10-Pro doesn't require the "In-Depth Testing" app to get your BL unlocked. That said, it also does not mean that OPPO has not designed one for this device because indeed they have. That application is individually encoded with device specifications so that only devices and regions EXPRESSLY AUTHORIZED by Oppo, can submit a request to unlock. DO NOT TRY sideloading any "In Depth Testing" apk floating around on the internet, as these can be altered to contain malware or worse, and then if your device becomes corrupted by it, Oppo can deny you an RMA on your device, thus charging you for the repair as there are warnings that you must acknowledge to even run the app, and attempting to circumvent the safeguards that this app already has in place is considered a violation of ToS.
If OPPO adds your device/region to the list of allowed devices, you will be able to download this application through OFFICIAL channels, and it will be made known to the public.
Once you are completely certain that your BL has indeed been fully unlocked, you can proceed to follow the instructions in the link to my guide below. The guide is for the CPH2419 (10T), but the instructions are completely compatible with the entire 10 Pro series, assuming your BL is unlocked. On the 10T this is not a requirement, and I honestly do not understand why this enforcement was put into our 10 Pro model, released almost a year earlier. Probably just an oversight by T-Mobile which might be corrected in future builds.
How to use Oxygen Updater + Local Update apks to switch regions.
EDIT: Local Update downgrade it currently installing
No Go, The update installed and downgraded but it just loads to the welcome screen and crashes and boot loops
supercobaltss said:
EDIT: Local Update downgrade it currently installing
No Go, The update installed and downgraded but it just loads to the welcome screen and crashes and boot loops
Again, what most ppl are failing to do is follow my guide exactly as I defined it. The VERY 1st thing you MUST DO... prior to unlocking the Bootloader... prior to even downloading ANY rollback packages is, you MUST go and download ANY of the Android 13 beta updates that are available in Oxygen Updater. Turn on advanced mode, and select whichever model you prefer... It's actually best to choose the region you plan on swapping to, for an easier transition with the rollback package. IMHO I would always pick the EU model whenever attempting this, simply because that one usually has more bands available. But the main idea behind this is to make the phone first BREAK the connection it has with T-Mobile's custom kernel and modem... which is done just by upgrading to an Android 13 beta, as T-Mobile does not EVER release any beta builds, so by doing an actual OS upgrade, your phone must load the OS kernel and several other partitions/files which I am sure that T-Mobile has branded in the 2217. Upgrading to a newer OS will without a doubt overwrite the carrier-locked files, because the upgrade comes from a higher authority in the chain of trust. Until TMO releases an update, this is a requirement so that the rollback package of that region can safely downgrade the files in their correct partitions. If you download a beta 13 thru Oxygen Updater, you can local update flash it without problem. I did it myself to several demo devices at T-Mobile stores here in Texas to test the technique, after I bricked mine by using a rollback package first!
Remember the 2217 is a T-Mobile EXCLUSIVE! No other carrier may sell this same model... but ALL of the internals are the exact same, and as I'm sure we are all well aware, T-Mobile doesn't have the fastest adaptations when it comes to OS updates.
But there are several key identifiers which point to a custom-made BL, Kernel, and Modem: 1. The build for all T-Mobile versions is on a revision that no other model has released... This alone could cause BL because if you flash a build that is older than the one you have currently, several files have anti-downgrade measures built into them. This is why we need the signed rollback packages to downgrade. But even if OPPO signed a rollback, unless they released one with T-Mobile's file specs, then anything you flash can create a conflict with an existing file... BL! But I know of about 13 ppl who have attempted my method, plus I just did another one myself last night for someone who contacted me and offered to compensate me royally if I would meet them since we were local logistically. 2. AFAIK, when installing a different ROM to a device, you cannot downgrade the modem version. I know this is apparent with Samsung... as if you try to flash a ROM with a lower modem version, it usually bricks, and you have to use Odin to flash the newer modem back in order to boot. Again this is taken care of by installing the NEWEST beta for Android 13, unless you had my situation which is, my phone CAME WITH the updated security and build already installed for October 2022. I haven't heard of anyone who has said they even have the option to update theirs past August. So new purchases have to be careful. T-Mobile sold mine with a blocked Fastboot that doesn't respond to the button combo, which clearly identifies that they modified the recovery partition. 3. E-fuses have become a staple in Android devices for the past 5+ years.
Sure we have not heard of anything being in the T-Mobile fw... but also who here can say that they have a FULL BUILD of the TMO fw to examine? No one.... there is a generic 2217 build floating around that claims to be official, yet it is the ONLY build that does not have an OTA formatted file structure. All the 10 Pro OTAs have been in payload.bin format, yet this happens to come only as a decrypted OFP, or a compressed OFP. *** OPPO is not directly supporting the 10 Pro 2217 or 10T 2419! As these are proprietary T-Mobile builds. This is why you cannot find either of those models' fw in the Oppo repository. So if OPPO doesn't release builds for TMO, then how exactly did an "Official 'OFP' for 2217" get released? *** OFP is an official OPPO format for all the OPPO model phones. The 10 Pro is still branded OnePlus, thus just about any OFP file you find in the wild is almost 100% guaranteed NOT to be an officially released build for our phones. Every package for this and the 10T that they have OFFICIALLY released has been in payload.bin format, because they haven't released any full images yet! So in theory, who's to say that TMO didn't place an e-fuse into their specific model? It's only code, and if set, then it could have been burned during the initial release, or a later update, like AMAZON did with updates to the Firestick/FireTV devices, which would ONLY allow newer updates to certain files in THEIR build. That would totally explain a bootloop, because the rollback packages all push you back to 11_A.013.... that build is from Feb-March 2022. Rolling back would almost guarantee that some files are overwritten with older components, which would cause a brick by e-fuse standards. We had to be lucky enough to catch it early in the Firestick forum, to stop ppl from installing the update. Everyone who did had their ability to unlock/load custom fw to their devices blocked, and there is still today no way to circumvent it.
Sure new methods to mod became available, but only minimal changes, cuz the e-fuse blocked downgrading to exploitable builds. Since TMO has gone this far to stop us from modifying this phone, you can bet solidly on the fact that they have several safeguards in place to protect their investment.
Now im not trying to discourage anyone or discredit anything anyone has said or experienced regarding this phone, but look at the NUMEROUS unanswered replies to handfuls of problems that only happen to 1 or 2 ppl... they all have the same final result, but its astounding how many different scenarios ppl have found, that no one else has experienced, yet it leads to another bricked device. If this problem was rampant among a significant number of users, and it was triggered by the exact same scenario, then TMO would have to address it with an update... But all we know for sure is that there is some file(s) that is not compatible with any other model except the 2217. Til we have an EXACT culprit identified, all we can do is speculate, which is why I am going to re-label this as HIGH RISK in the OP. It has about a 40-50% chance of causing a bootloop, and about a 10% chance to leave your device unresponsive! There have been several released guides for other devices that have close to the same success rate / risk factor. All i can do is share what I have done, and what i know from personal exp.
Im sorry if anyone lands themselves on the wrong side of that equation, but it is a risk that only you can decide if its worth taking. For me, that answer is and always will be YES because i will not own a device that i do not OWN! For others this may be a touch more out of their league, and if thats true they should steer clear, until I or another user can get hold of an official TMO OTA, to examine the diff files in each.
****** Now all of that being said.... if ANYONE wishes to contribute to finding a solution to this dumpster fire, I am not asking for donations.... What i am asking, is for SOMEONE who might have a T-Mobile 10Pro on the release build, or any build PRIOR to 11_A.13 and is looking to help, we NEED an exact copy of an OTA update that might be sitting in your notifications. All updates download to the /sdcard/ partition of your phone in a folder that is accessible without root permissions. If you accept the download for the update, and DONT begin the install immediately, you can locate and pull that OTA to your computer, then delete the file from your phone, and it will cancel the update on reboot. No loss to you, but EXTREMELY HELPFUL to us, because we will have something from TMO to work with, which may give us a clue as to what we need to remove from the updater script ! *******
and FYI the signatures used to sign some of the OTA we already have, are already deciphered and as such can be used to create new signatures after making some changes to the respective regions package. But to make having these be of any value, we need to know what to take out or change in the manifest, that will prevent alterations of the files causing bootloops. If anyone can help with an upload of a TMO-OTA please share publicly or dm myself or one of the other devs who have expressed interest in this issue.
Thanks
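Added example (not code from this thread, and not OnePlus/OPPO/T-Mobile tooling): once an OTA zip has been pulled off the phone, the part worth examining first is the payload.bin inside it. The script below reads the payload header and walks the manifest protobuf to list which partitions the package would write, which is the quickest way to see what a package touches before anyone thinks about editing it. It assumes the standard AOSP update_engine layout for payload format version 2 (magic "CrAU", big-endian 64-bit format version and manifest size, 32-bit metadata signature size, then the DeltaArchiveManifest protobuf) and the field numbers from update_metadata.proto (manifest field 13 = partitions, field 12 = minor_version; PartitionUpdate field 1 = partition_name). The sample payload it builds is constructed for offline use and is not a real OnePlus or T-Mobile package. It reads only; it does not verify the metadata signature, so it tells you nothing about whether a package is genuine.

```python
"""Inspect the header and manifest of an Android A/B OTA payload.bin.

Assumed layout (AOSP update_engine, file format version 2):
  "CrAU" | u64 BE format_version | u64 BE manifest_size |
  u32 BE metadata_signature_size | manifest (protobuf) |
  metadata signature | partition data blobs
"""
import struct

MAGIC = b"CrAU"
HEADER_FMT = ">4sQQI"                      # magic, version, manifest_size, sig_size
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes

# Field numbers from update_metadata.proto (assumed, see lead-in)
F_MANIFEST_MINOR_VERSION = 12
F_MANIFEST_PARTITIONS = 13
F_PARTITION_NAME = 1


def _read_varint(buf, pos):
    """Decode one protobuf base-128 varint starting at pos."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _iter_fields(buf):
    """Yield (field_number, wire_type, value) for every field in a message.
    Varint (0) and length-delimited (2) fields are decoded; fixed64 (1) and
    fixed32 (5) are returned raw so unknown fields can be skipped safely."""
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field, wire = key >> 3, key & 7
        if wire == 0:
            val, pos = _read_varint(buf, pos)
        elif wire == 2:
            n, pos = _read_varint(buf, pos)
            val, pos = buf[pos:pos + n], pos + n
        elif wire == 1:
            val, pos = buf[pos:pos + 8], pos + 8
        elif wire == 5:
            val, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError("unsupported wire type %d" % wire)
        yield field, wire, val


def is_payload(data):
    """True if the bytes start like a payload.bin (an OTA .zip or OFP will not)."""
    return len(data) >= HEADER_LEN and data[:4] == MAGIC


def parse_header(data):
    if not is_payload(data):
        raise ValueError("not a payload.bin (missing CrAU magic)")
    _magic, version, manifest_size, sig_size = struct.unpack_from(HEADER_FMT, data)
    if version != 2:
        raise ValueError("unsupported payload format version %d" % version)
    return {"version": version, "manifest_size": manifest_size,
            "metadata_signature_size": sig_size}


def list_partitions(data):
    """Return (minor_version, [partition names]) from the manifest."""
    hdr = parse_header(data)
    manifest = data[HEADER_LEN:HEADER_LEN + hdr["manifest_size"]]
    names, minor = [], 0
    for field, wire, val in _iter_fields(manifest):
        if field == F_MANIFEST_MINOR_VERSION and wire == 0:
            minor = val
        elif field == F_MANIFEST_PARTITIONS and wire == 2:
            for f2, w2, v2 in _iter_fields(val):      # one PartitionUpdate
                if f2 == F_PARTITION_NAME and w2 == 2:
                    names.append(v2.decode())
    return minor, names


# --- constructed sample payload so the script runs offline ---
def _varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _field(num, wire, payload):
    key = _varint((num << 3) | wire)
    if wire == 2:
        return key + _varint(len(payload)) + payload
    return key + _varint(payload)


def build_sample_payload(partitions=("boot", "system", "vendor"), minor_version=6):
    """Constructed sample: real header layout, minimal manifest, dummy signature."""
    manifest = _field(F_MANIFEST_MINOR_VERSION, 0, minor_version)
    for name in partitions:
        manifest += _field(F_MANIFEST_PARTITIONS, 2,
                           _field(F_PARTITION_NAME, 2, name.encode()))
    fake_sig = b"\x00" * 8
    header = struct.pack(HEADER_FMT, MAGIC, 2, len(manifest), len(fake_sig))
    return header + manifest + fake_sig


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_payload()
    print(parse_header(data))
    print(list_partitions(data))
```

To point it at a real package: locate the downloaded update on the phone with `adb shell find /sdcard -type f -size +500M` (OTA zips are large, so size is the easiest filter), `adb pull` it, extract with `unzip <ota.zip> payload.bin`, and run the script with that file as its argument. Feeding it the zip itself, or an OFP, raises the "not a payload.bin" error by design, which is a cheap first check on what kind of package you actually have.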
I can probably pull the update from my wifes phone. She never updates anything. I did get my 10 pro to boot to android 13 but everything just says its disabled. This is only the 3rd phone ive done this with so ill warranty another one if i have to lol.
supercobaltss said:
EDIT: Local Update downgrade is currently installing
No go. The update installed and downgraded, but it just loads to the welcome screen and crashes and boot loops.
Yup, this happened to me as well. Setup wizard crashes before I even get very far in it, and I've wiped multiple times trying to complete it somehow.
GuyInDogSuit said:
Yup, this happened to me as well. Setup wizard crashes before I even get very far in it, and I've wiped multiple times trying to complete it somehow.
I've tried to convert multiple different ways. Upgrading to 13 basically screws you with the disabled apps BS; downgrading just crashes the device. Either way it's broken. I've gone through 3 devices now messing around.
So I guess it's time to replace it, then? Crap.
GuyInDogSuit said:
So I guess it's time to replace it, then? Crap.
Start an RMA on the OnePlus website; don't go through T-Mobile. They will have you send in the phone and then either reflash your phone and send it back, or just send you a new phone, which is what they did when I had to do it. All that BS about voiding the warranty when unlocking the bootloader is just that, BS. They fix or replace without any issues, but you have to go through OnePlus.
FML.
I've gotten it working for the most part, but what's most concerning is that there's no IMEI. And it doesn't charge or even acknowledge the cable. Fantastic.
jeffsga88 said:
Start an RMA on the OnePlus website; don't go through T-Mobile. They will have you send in the phone and then either reflash your phone and send it back, or just send you a new phone, which is what they did when I had to do it. All that BS about voiding the warranty when unlocking the bootloader is just that, BS. They fix or replace without any issues, but you have to go through OnePlus.
I can't even request an RMA as I don't have an IMEI to provide. It's blank in the phone. I think I'm screwed. Or try T-Mobile. Dunno. This sucks.
GuyInDogSuit said:
I can't even request an RMA as I don't have an IMEI to provide. It's blank in the phone. I think I'm screwed. Or try T-Mobile. Dunno. This sucks.
The T-Mobile version has your IMEI etched into the back cover of your phone. You should be able to use that.
jeffsga88 said:
The T-Mobile version has your IMEI etched into the back cover of your phone. You should be able to use that.
Oh. Uh... I'd completely forgotten about that.
I just updated to Android 13 on the TMO NE2217; the device is not unlocked and still financed. And now I have the option to unlock the BL.
beatbreakee said:
All updates download to the /sdcard/ partition of your phone in a folder that is accessible without root permissions. If you accept the download for the update and DON'T begin the install immediately, you can locate and pull that OTA to your computer, then delete the file from your phone, and it will cancel the update on reboot.
Is this still useful, with the NE2217_11_C.26 update? And either way, how can I delete it? I couldn't find anything big in /sdcard. Thanks!
deleted
psm321 said:
Is this still useful, with the NE2217_11_C.26 update? And either way, how can I delete it? I couldn't find anything big in /sdcard. Thanks!
^
^
^
^
^
THIS, please. My phone ignored my saying no, and on the next reboot the damn thing will go off on me... so frustrating that even when you set the darn thing to OFF on auto update and such, it STILL does this BS...
Damn T-Mobile and their special lock junk. UGH...
Anyway... can someone please direct me, with a screenshot and the file manager they used, to find this file so I can delete the thing? I have tried to find it and struck out. But having got the notification today, and the Oxygen app showing 'REBOOT' instead of 'resume' after I ignored the update previously, has me thinking that if I reboot I will see Android 13 pop up, and in this case that means I will lose my Whoop, as something with it breaks pairing with my wearable. Whoop has offered no timetable for a fix.