Brute Force Bootloader code - Moto G6 Questions & Answers

I am trying to develop a script that will brute force the unlock code for the bootloader. I just need some example codes in order to find a pattern (and also the length of the code). I have a Prime Exclusive, so I can't get the code from Motorola.

camSharp said:
I am trying to develop a script that will brute force the unlock code for the bootloader. I just need some example codes in order to find a pattern (and also the length of the code). I have a Prime Exclusive, so I can't get the code from Motorola.
You should try again. My understanding is that Amazon Prime dropped that stipulation and some people are getting their unlock code.
https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a
Make sure you use the scrub tool even if you know you have scrubbed it correctly yourself. It will make the e-mail unlock boot loader button appear.

I hope you get it, I'm on the same case with this Amazon stuff... But you can check this:
https://github.com/pjobson/moto_z2_force_oem_brute_force_pfc
https://github.com/AProgCat/bruteforce-bootloader-unlock
So.. It's nearly impossible to get that code

Is there a way to port the key to hashcat to crack it?

This is something I theorized about doing, but never got too far into. I was trying for more of an exploitative way to get the code from the site, and trying to find a way to bypass the check on the site to just give the code rather than brute force.

Related

[Q] Samsung Focus S Dev Unlock?

For anyone who has the new Focus S (I am a proud new owner as of Saturday),
Have you dev unlocked the device?
I have been reading about this official Chevron Unlock, but it has an app limit, and does not allow "sideloading" of apps that access higher privilege system files. To me that sounds like you can't really do a whole lot. So I would have to take the Chevron followed by INTEROP-LOCK unlock approach, to use apps like Root Tools.
I am interested in unlocking this device to allow me to install homebrew apps and downloaded .xap files.
Anyone have any luck?
To anyone who has gone this route, what is your experience?
Thanks for the help.
I have a developer unlocked Focus S that I have interop unlocked. It works but most of the homebrews that need interop unlocked haven't been upgraded yet to work with the generation 2 devices.
Sent from my SGH-i937 using XDA Windows Phone 7 App
+ ICS
Rcf686 said:
I have a developer unlocked Focus S that I have interop unlocked. It works but most of the homebrews that need interop unlocked haven't been upgraded yet to work with the generation 2 devices.
Sent from my SGH-i937 using XDA Windows Phone 7 App
Same here.
Worth noting, though, that the INTEROP unlock + ICS method here does allow you to use ICS without a plan.
I've also dev unlocked and interop unlocked.
The basic unlock will allow you to sideload 10 apps that don't need interop unlock.
It's quite easy to interop unlock Samsungs right now after you've dev unlocked.
Still no registry access though
Really want to change my accent colors...I find the default ones too...well...default
kwickone said:
Still no registry access though
Really want to change my accent colors...I find the default ones too...well...default
Yeah, I just want to change my SMS ringtone. Hopefully they figure it out soon, but I think heathcliff is busy still trying to get interop unlock working on HTC devices.
I just student dev unlocked
only allowing me 3 side loaded apps?
what gives?
anyone with experience?
Additionally, tried the INTEROP-LOCK unlock approach to remove the limit, and my phone got jacked.
3G/4G stopped working - and all the "methods" for re-starting your 3G/4G did not work, and the Samsung specific apps did not recognize my phone as a Samsung any more :X
I reset the phone, re-registered my student dev unlock - and all is well
anyone had any luck with it recently?
I know it says you have to use a certain version of the diagnosis tool - the one my phone downloaded was marked as "0923" version, which I assumed meant 092311
maybe not?
thanks for the help.
bump bump bump
ehhh, chevron still not having tokens
grrrrr face!
If you are a student you can always do the student unlock approach I took. And I finally got the interop unlock to work using the focus specific method
I've got the developer unlock, but I'm holding off on the interop unlock until it's fully sorted out.
Hope you guys don't mind me asking this...
Does the device relock if you reset it? (for those that is dev and interop unlocked)
Student Dev unlocks carrier?
Does student Dev unlock the carrier or just jailbreak the phone?
Thanks
Used WindowBreak to Inter-Op unlock it.
But, as this is a 2nd Gen Samsung, it's more like a developer unlock:
I can sideload apps, but cant edit the registry etc.
Seven_PRX said:
Used WindowBreak to Inter-Op unlock it.
But, as this is a 2nd Gen Samsung, it's more like a developer unlock:
I can sideload apps, but cant edit the registry etc.
You're right, you only have access to view the registry but not to edit it. You have to wait for WP7 Root Tools v9.0 to edit the registry.
http://forum.xda-developers.com/showthread.php?t=1265321
The advantage that you gain is being able to load more than x applications.

[Q] Remove pattern lock

Hi guys, can someone please assist me? I will donate $15 via PayPal to the account of the person who can. I need to unlock my Samsung Galaxy S5 (AT&T version) phone that has a pattern lock (but also a bootloader lock, so I cannot reset the phone). Moreover, I do not have a Google account registered to my phone, so I cannot request a different pattern to unlock the phone. Also, USB debugging mode is disabled. How can I get back into my phone?
I think you can find a video about that on youtube. We don't need to be giving that information here for the bad guys to read, and bypass other people's lockscreens.

626vzn, No option to allow bootloader unlock in dev-settings.

Absolutely no option to allow OEM unlocking in settings. I tried everything I could think of to enable it through the adb interface and it keeps telling me to enable unlocking. I'm very familiar with the bootloader unlock process for HTC devices and know this model is unlockable. I thought maybe the unlocking option only comes with the payment for Verizon phone service, but that can't be true because I've unlocked my Verizon Desire 610 and 620 and they're both blacklisted from Verizon. I do not understand. Is there an OTA update that adds the unlocking option? Is there any way to enable it through a different interface? This is driving me nuts. I've only found one other reference to this problem in all the web's search results, but there are ten how-to guides depicting how to enable dev settings, tick allow unlocking and type one line of code, with pictures and links to HTC with even more detailed instructions than the first set lol.
there is no movement on the Verizon 626.. any root guide out there doesn't match possible options.. there are a number of people here on it, myself included.. sit n be patient.. it sucks..
Sent from my HTCD200LVW using XDA Free mobile app

Working on a brute force unlock - need unlock codes

So the bootloader allows 5 tries before forcing a reboot. I'm working on a brute force method to send unlock codes until one is successful. Basically send 4 codes, do a fastboot reboot bootloader, send 4 more - until a valid code is found. It takes 6 seconds on my system for the fastboot command to function again after issuing a reboot. At this rate I can only do 12,342 codes per day (give or take a few hundred). Total possible combinations is 7,958,661,109,946,400,884,391,936. This is based on 16 character alpha numeric (36^16). Of course, if there was a pattern like (111AA1111A1AA111), it would greatly reduce this. I'm within my 30 day window, so I'm likely just to send it back and put my $800 in a company that supports the community, but if I find enough of a pattern to consider brute forcing, I might consider keeping it around. I love the hardware, hating the UI and my inability to install my favorite apps from F-Droid that require root...
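The arithmetic in the post above, worked through as an added example (not part of the original post or of any tool linked in this thread). It models the attempt limit described there; the 5.5-second per-guess time is an assumption back-solved from the post's 12,342 codes per day, and all names are illustrative.

```python
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class LockoutPolicy:
    """Attempt limit from the post: a few guesses, then a reboot."""
    tries_per_cycle: int    # post: 4 codes sent, then a reboot to bootloader
    seconds_per_try: float  # ASSUMPTION: back-solved from the post's 12,342/day
    reboot_seconds: float   # post: 6 s until fastboot answers again

    def guesses_per_day(self) -> float:
        cycle = self.tries_per_cycle * self.seconds_per_try + self.reboot_seconds
        return SECONDS_PER_DAY * self.tries_per_cycle / cycle


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of a fixed length over an alphabet."""
    return alphabet_size ** length


def years_for_probability(space: int, per_day: float, p: float) -> float:
    """Years until the chance of a hit reaches p.

    Guessing without repeats against a uniformly random code gives
    P(hit within k guesses) = k / space.
    """
    return p * space / per_day / 365.25


def unknown_chars_searchable(per_day: float, days: float, alphabet_size: int) -> float:
    """How many fully unknown characters could be exhausted in `days`."""
    return math.log(per_day * days, alphabet_size)


def summarize(policy: LockoutPolicy) -> dict:
    rate = policy.guesses_per_day()
    return {
        "guesses_per_day": math.floor(rate),
        "years_50pct_alnum16": years_for_probability(keyspace(36, 16), rate, 0.5),
        "years_50pct_digits16": years_for_probability(keyspace(10, 16), rate, 0.5),
        "unknown_chars_in_30_days": unknown_chars_searchable(rate, 30, 36),
    }


# Figures taken from the post, plus the assumed per-guess time.
POST_POLICY = LockoutPolicy(tries_per_cycle=4, seconds_per_try=5.5, reboot_seconds=6.0)

if __name__ == "__main__":
    for name, value in summarize(POST_POLICY).items():
        print(f"{name}: {value:,.3g}" if isinstance(value, float) else f"{name}: {value:,}")
```

Under these figures a 50% chance of a hit takes nearly 10^18 years for 16 alphanumeric characters and about a billion years even for digits only. Within the 30-day window the post mentions, fewer than four unknown alphanumeric characters can be covered, so a pattern would have to fix more than 12 of the 16 positions before the attempt limit stopped being the deciding factor.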
I think you would also need the IMEIs and Serial Numbers as the unlock code most probably gets generated with them.
P-Chan80 said:
So the bootloader allows 5 tries before forcing a reboot. I'm working on a brute force method to send unlock codes until one is successful. Basically send 4 codes, do a fastboot reboot bootloader, send 4 more - until a valid code is found. It takes 6 seconds on my system for the fastboot command to function again after issuing a reboot. At this rate I can only do 12,342 codes per day (give or take a few hundred). Total possible combinations is 7,958,661,109,946,400,884,391,936. This is based on 16 character alpha numeric (36^16). Of course, if there was a pattern like (111AA1111A1AA111), it would greatly reduce this. I'm within my 30 day window, so I'm likely just to send it back and put my $800 in a company that supports the community, but if I find enough of a pattern to consider brute forcing, I might consider keeping it around. I love the hardware, hating the UI and my inability to install my favorite apps from F-Droid that require root...
Hello P-Chan80,
Did you succeed?
I'm also thinking of brute forcing the OEM unlock code on my Honor 6c Pro.
In my case I can try as many codes as I want without rebooting, but I have to confirm the fastboot unlocking command by pressing Volume UP and Power on the phone. Do you have this procedure on your Huawei? I was wondering if it is possible to automate it by opening the phone and sending electrical impulses where the buttons are (with an Arduino or a Raspberry Pi, for instance).
Hey. It's a very interesting idea - try to brute the code. BUT I think that it is irrational, as the wear of the phone buttons will cost more than the cost of paid methods of obtaining the code. The question is: how do these services get the codes? I can only assume two options: they take the codes from Huawei's database, or they know the code generation algorithm (if Huawei uses one), because they only need the IMEI or serial number to get the unlock code. Do you think it is possible to find this algorithm too (having the data: IMEI - unlock code)?
Maybe it sounds silly, but what do you think about it?
P-Chan80 said:
So the bootloader allows 5 tries before forcing a reboot. I'm working on a brute force method to send unlock codes until one is successful. Basically send 4 codes, do a fastboot reboot bootloader, send 4 more - until a valid code is found. It takes 6 seconds on my system for the fastboot command to function again after issuing a reboot. At this rate I can only do 12,342 codes per day (give or take a few hundred). Total possible combinations is 7,958,661,109,946,400,884,391,936. This is based on 16 character alpha numeric (36^16). Of course, if there was a pattern like (111AA1111A1AA111), it would greatly reduce this. I'm within my 30 day window, so I'm likely just to send it back and put my $800 in a company that supports the community, but if I find enough of a pattern to consider brute forcing, I might consider keeping it around. I love the hardware, hating the UI and my inability to install my favorite apps from F-Droid that require root...
Did it eventually work?
Equivalent is winning the lottery. Considering the number of possible combinations it would take years to complete the whole sequence. Not practical at all.
It would help a lot if you get some sort of pattern but that would be hard to get unless all people with the unlock phones provide their IMEI and unlock codes.
If you get enough matching pairs you might be able to figure out the logic. Then it should not be too hard to create a generator by putting together a small script (python/perl/php/bash/whatever). The hard bit is to get the pairs, and then the script should not be too hard to create. I could try.
I ask this not knowing anything about the Android bootloader process. Is it possible to dump the bootloader of a locked or unlocked phone and analyse the code to identify where and how it identifies a valid unlock code? And then work backwards from there? Or are codes signed by Huawei using a private key and such an analysis would prove unfeasible?
If the unlock codes are signed, but dumping the bootloader is possible, could an analysis of the bootloader code from a dump allow for an exploit to be developed similar to the Amonet exploit used on the 5th, 7th and 9th gen Fire 7 tablets?
It seems someone is trying this method: https://github.com/SkyEmie/huawei-honor-unlock-bootloader
However no-one has confirmed if it actually works, but some users said it doesn't.
EDIT: Started the process 5 hours ago and it did like 1%. The Huawei M3 Lite I'm testing this on doesn't reboot ever. Not sure I'll keep it running for 20 days.
would it be possible to pause it and resume other time?
that would be great.
hfmls said:
would it be possible to pause it and resume other time?
that would be great.
Considering it's a command window, you can make a selection with the mouse and it will "block" / pause until you unselect. That should help run the whole thing to the end.
Are you sure the unlock codes are alphanumeric?
Can someone who has an unlocked bootloader send me the code and IMEI in PM? I know that is private info, but the unlock code should be related to the IMEI.
I did a little research today using this bootloader dump: https://forum.xda-developers.com/hu...rch-requesting-bootloader-dump-t3897062/page2
There are two interesting functions that take a param - I think it should be an unlock code - and then one of them passes the code to another function:
    void FUN_000be4e6(void)
    {
      undefined *puVar1;
      undefined *puVar2;
      undefined *in_pc;
      longlong lVar3;
      undefined4 in_cr5;
      undefined auStack140 [140];

      coprocessor_storelong(0xe,in_cr5,auStack140);
      puVar1 = (undefined *)0x3e8;
      puVar2 = (undefined *)0x3f0;
      lVar3 = 8;
      while( true ) {
        *in_pc = *puVar1;
        in_pc[1] = *puVar2;
        in_pc = in_pc + 2;
        lVar3 = lVar3 + -1;
        if (lVar3 == 0) break;
        puVar1 = puVar1 + 1;
        puVar2 = puVar2 + 1;
      }
      /* WARNING: Bad instruction - Truncating control flow here */
      halt_baddata();
    }
I think it should be related because it is getting two elements at a time and the loop iterates 8 times - 8*2=16 - the length of the unlock code
Pretty sure that Huawei only asked for my serial, can't remember them asking for my IMEI, but then it has been a couple of years nearly.
Also seem to remember the code being numbers only, but again it's been a while.
dladz said:
Pretty sure that Huawei only asked for my serial, can't remember them asking for my IMEI, but then it has been a couple of years nearly.
Also seem to remember the code being numbers only, but again it's been a while.
What device are you referring to?
Certainly that's not how it worked on the latest devices.
They asked for the IMEI number only, and on devices with multiple IMEIs I think only the 1st one was needed. The code that they provide is also alphanumeric: FNHHZ85YQ3WP2T0X
If I find my old IMEI I'll share it as well, I hope I have a backup somewhere (I actually found old transcripts from Huawei support including my 1st IMEI, I'll look for the 2nd one in the following days)
Imei #1 - 866219037075115
borovaka said:
Are you sure the unlock codes are alphanumeric?
Can someone who has an unlocked bootloader send me the code and IMEI in PM? I know that is private info, but the unlock code should be related to the IMEI.
I did a little research today using this bootloader dump: https://forum.xda-developers.com/hu...rch-requesting-bootloader-dump-t3897062/page2
There are two interesting functions that take a param - I think it should be an unlock code - and then one of them passes the code to another function:
I think it should be related because it is getting two elements at a time and the loop iterates 8 times - 8*2=16 - the length of the unlock code
I was the one who started that thread. I couldn't narrow down on any functions related to unlock code verification though in any of those dumps. Can you share some more light on how you identified that particular function? I'd be interested in taking this up again in my spare time too.
The reasons why I didn't pursue it further at that time (as far as I remember) were:
1. There's no partition titled "boot" or "aboot" on at least EMUI 9. I remember doing some more research on this but seemed to hit a dead-end.
2. Fastboot dump seems to be encrypted. This would make sense since the device has roots-of-trust implemented. Not sure if they only check & verify signatures or also if important sections are encrypted at rest. Didn't pursue this further due to lack of time.
Aodrulez said:
I was the one who started that thread. I couldn't narrow down on any functions related to unlock code verification though in any of those dumps. Can you share some more light on how you identified that particular function? I'd be interested in taking this up again in my spare time too.
I used Ghidra with the image from the other post, with the ARM Cortex little-endian profile.
Rstment ^m^ said:
What device are you referring to?
Certainly that's not how it worked on the latest devices.
They asked for the IMEI number only, and on devices with multiple IMEIs I think only the 1st one was needed. The code that they provide is also alphanumeric: FNHHZ85YQ3WP2T0X
If I find my old IMEI I'll share it as well, I hope I have a backup somewhere (I actually found old transcripts from Huawei support including my 1st IMEI, I'll look for the 2nd one in the following days)
Imei #1 - 866219037075115
It was two years ago, can't remember giving my IMEI out, 100% my serial via the official Huawei bootloader unlock method, cannot remember if it was alpha or not.
Either way. Best of luck with this, would love to see someone crack this, could make a tonne of money if you did.
Or even better free
Did some more research on this & it turns out, on recent Huawei devices, the bootloader is named "xloader". The fastboot dump from my rooted phone is encrypted & so won't yield anything useful. It's also very rare to find references to detailed information on this "xloader" image/partition on the internet. Will dig some more when I get time.
Rstment ^m^ said:
What device are you referring to?
Certainly that's not how it worked on the latest devices.
They asked for the IMEI number only, and on devices with multiple IMEIs I think only the 1st one was needed. The code that they provide is also alphanumeric: FNHHZ85YQ3WP2T0X
If I find my old IMEI I'll share it as well, I hope I have a backup somewhere (I actually found old transcripts from Huawei support including my 1st IMEI, I'll look for the 2nd one in the following days)
Imei #1 - 866219037075115
P20 Pro, Huawei method..
Like I said it's been 2 years so may be remembering it wrong..
dladz said:
P20 Pro, Huawei method..
Like I said it's been 2 years so may be remembering it wrong..
I got mine from support so who knows, I didn't get a chance to use the website.

Unlocking Bootloader

Hi,
I have seen this posted a number of times and people keep saying "just Google" or "look at other threads" however I am confused as to what they mean because none of the stuff around seems valid anymore in 2021.
Right now:
There is no modern, up-to-date process to unlock the bootloader that I can find in Google (even if only looking at the last month's sites).
What I have found so far is telling me to get a bootloader unlock from Huawei, which I can't do (they don't offer it any more).
I have found sites telling me to pay for the bootloader code from funkyhuawei, site that no longer offers them, someone posted about "Direct unlock with no code" but didn't go into details on how that is done, and then I found this on rootmygalaxy:
" Update 2021: All the bootloader unlocking methods have been blocked by Huawei. So none of the methods is working currently. Don’t try to unlock Huawei or Honor devices as of now. For full timeline of events read the story below. We will be updating the post once there is a valid way available. "
So, is that basically meaning that Huawei P20 cannot be unlocked; therefore you cannot root it? If it can be unlocked still can someone, please post a link to how because Google is failing to find anything that is, in fact, working or the information being shared isn't clear enough to explain what is possible.
I am trying to just get information as to if I am wasting my time trying to root this phone, or if it is, in fact, possible or not.
BTW - I have seen {Mod edit} however this only works on EMU 9 or lower. If you are EMU 10 you have to roll back, but it appears Huawei have prevented this (hiSuite doesn't offer the options any more).
Goldendawn said:
BTW - I have seen {Mod edit} however this only works on EMU 9 or lower. If you are EMU 10 you have to roll back, but it appears Huawei have prevented this (hiSuite doesn't offer the options any more).
Okay, this has been fixed - so I am doing the roll-back now. If that works, I will try the URL included in the post above and then report back, so if people want to know what is possible.
Okay ... um.... they need to remote onto your computer and do it.... that is totally unacceptable.
So basically, there is no way that I can see that allows "ME" to unlock the bootloader, and instead you are allowing people to access your computer, so they can do it.
Moderator Announcement
@Goldendawn Thread has been cleaned from links and references to paid unlock services that are not accepted at all on XDA in accordance with rule no. 11 and no. 13 of the XDA Forum Rules.
Regards
Oswald Boelcke
Senior Moderator
