Ask barnes and Noble to unlock the bootloader - Barnes & Noble Nook Tablet

http://www.facebook.com/barnesandnoble/posts/10150466892360020
In case you can't get on Facebook or something:
Use this tweet!
Code:
everyone we need to quickly work to get the bootloader of the nook unlocked time to #freethenook! Come on B&N Don't leave us hanging! @nookbn
Or come up with your own creative tweet with #freethenook
Would love some support.

Liked and commented.

Suggest you keep it simple and concise. Remember the TLR rule for online posts. Second, keep it non-tech. Last, give specific examples of benefits. Example below.
To Barnes & Noble:
I love your Nook Color. I want to love your Nook Tablet, but can't, because it is hostile to me. You've locked it down, and I can't do cool things with it (see below for cool uses on the Color). Please unlock it and make your techie users happy. Thanks.
[insert links of cool NC stuff here, eg. running Shadowrun with a BT game controller, etc]

Done and done, it was a pleasure to help.

Liked and commented.

done and done

Huzzah! Hopefully it will get lots of comments and they will see our numbers.

Liked and commented. Don't forget to like other people's comments too. Remember, threatening to return makes us look like fair-weather fans. If we instead point out how we can help and be a great sales tool for them, we have a better chance of getting them to unlock it.

Liked and commented.
Sent from my Gingervolt-ed VS910 4G using xda premium

For non-facebook people, put up the #freethenook hashtag.

Liked, and posted a long comment

Wrote a quick tweet:
everyone we need to quickly work to get the bootloader of the nook unlocked time to #freethenook! Come on B&N Don't leave us hanging! @nookbn

Done. Thanks for rallying the troops (that includes me!).

Liked and commented

Liked! this should be unlocked

Liked and tweeted.

liked, commented, tweeted.

Tweeted it.
Sent from my ADR6350 using xda premium

Does this thread mean we have confirmed that there is no fastboot on the Tablet, or that there is but it does not honor the oem unlock or similar commands? I'm not seeing anything definite yet?
That is, not just that the commands fail, but that people are actually sending commands to the fastbooted device - given the mixed reports on the existence/nonexistence of adb early on, bear in mind that fastboot requires that you're able to reach the device once you get it in the mode.
The values in the options flags can be dug out of device manager once a) you get the device into fastboot mode and b) you get a set of drivers that see it in fastboot mode.
Until I hear that the Tablet supports a full recovery to stock via a format of /system and /data and a completely clean install, not the crippled semi-recovery that many Android devices use, the Nook Color is probably worth at least three times what the Tablet is worth to me, since I'm 99% sure that I could softbrick it if there isn't a good onboard recovery.
To tempt folks to explore fastboot, here's the quick help output:
Code:
usage: fastboot [ <option> ] <command>

commands:
  update <filename>                        reflash device from update.zip
  flashall                                 flash boot + recovery + system
  flash <partition> [ <filename> ]         write a file to a flash partition
  erase <partition>                        erase a flash partition
  getvar <variable>                        display a bootloader variable
  boot <kernel> [ <ramdisk> ]              download and boot kernel
  flash:raw boot <kernel> [ <ramdisk> ]    create bootimage and flash it
  devices                                  list all connected devices
  reboot                                   reboot device normally
  reboot-bootloader                        reboot device into bootloader

options:
  -w                                       erase userdata and cache
  -s <serial number>                       specify device serial number
  -p <product>                             specify product name
  -c <cmdline>                             override kernel commandline
  -i <vendor id>                           specify a custom USB vendor id
  -b <base_addr>                           specify a custom kernel base address
  -n <page size>                           specify the nand page size. default: 2048

Sent to
Mary Ellen Keating,
Senior Vice President,
Corporate Communications & Public Affairs
telephone: (212) 633-3323
e-mail: [email protected]
To whom it may concern,
Since the release of the Nook Tablet I'm seeing and hearing from a lot of people jumping ship due to B&N's misleading marketing. The proclaimed "keeping it open" that your CEO was quoted as enforcing and the advertised 16GB of storage have both been a seemingly deliberate farce.
The NookColor was made popular by the fact that it was easily recoverable and customizable, and through the community that supported the device your product accelerated past what you thought it would bring you. I personally bought 4 NookColors for these very reasons and gave one to my mother, my grandmother and my sister. For the dying breed of brick-and-mortar book stores, this tablet could have put you above and beyond your competition had you kept to the same architecture as the NookColor in actually keeping it open. By locking Bluetooth, only allowing 1GB of 16GB to be used for personal data and icing the cake by locking the bootloader, you have shot yourself in the foot.
Personally, I know losing me as a customer will make so small a marginal difference in your EOD that you might not notice, but how many customers like me can you afford to lose, who talked you up to friends and family to use and buy your products because they believed in a company and its practices? That is the type of viral marketing that made your previous tablet such a success and brought you out of the 80s and into the market you are in now.
I do hope that you rethink your policies on the devices you sell. At the end of the day, it is your decision to make, but it's my job and responsibility as a consumer to bring these things to your attention.
With sincerest and kindest regards,
Steven T Caputo


[Q] Rooting the Samsung Stratosphere II?

Hello everyone,
I've recently gotten a Samsung Galaxy™ Stratosphere™ II (Verizon), and can't find anything on rooting this sucker. The pertinent specs (as far as I can tell) are as follows:
Android: 4.0.4
OS Version: 3.0.8-1157001
Dalvik Version: 1.6.0
CPU: Snapdragon S4 (ARMv7 r4)
Hardware: Samsung Aegis2 r4
Anyone have any advice? I'd love to be able to root then make a CWM recovery for this thing, and any help would be greatly appreciated.
Thanks!
Holy mother of humanity, these threads get buried QUICKLY!
I have the same phone and have looked everywhere trying to find a way to root it
fltbosn said:
I have the same phone and have looked everywhere trying to find a way to root it
I mean, I know it's a relatively new phone and all, but surely someone with some development knowledge has one by now...
... I'd try to figure it out, but I think it might be a little over my head.
Okay, the problem with the available rooting procedures is that they all try to install things to /data/, which is inaccessible (not even read-only); I've been looking and trying to ask around, but can't find any alternative procedures.
How hard is it to root a phone from scratch? Is it possible to use exploit bases from other phones that use the same SoC and Android version? Any devs able to chime in?
What is it about this Verizon implementation of 4.0.4 that doesn't allow access to /data/, which is what every standard root procedure uses? Do any other Verizon phones use 4.0.4 that don't have access to the /data/ folder?
(I really, REALLY hate to keep bumping my own thread)
I got this phone too. A root method would be great so I can remove the bloatware.
ShaneRitz said:
I got this phone too. A root method would be great so I can remove the bloatware.
I am from Bulgaria and I have bought this phone too, and we still cannot make it work, even with a Verizon Wireless SIM card.
The problem probably (not sure) is that it was never turned on or registered, so in Bulgaria when I put in a Verizon Wireless SIM card it can't recognize its Verizon home network to start the setup.
It seems that it needs the Verizon network to do the first registration and activation of the device, or am I missing something? The only thing that pops up is the Verizon wizard that wants to set up my phone and account, and I can't do it because there is no Verizon network connectivity...
Any suggestions?
Trying and failing
WetLlama said:
Hello everyone,
I've recently gotten a Samsung Galaxy™ Stratosphere™ II (Verizon), and can't find anything on rooting this sucker. The pertinent specs (as far as I can tell) are as follows:
Android: 4.0.4
OS Version: 3.0.8-1157001
Dalvik Version: 1.6.0
CPU: Snapdragon S4 (ARMv7 r4)
Hardware: Samsung Aegis2 r4
Anyone have any advice? I'd love to be able to root then make a CWM recovery for this thing, and any help would be greatly appreciated.
Thanks!
I have been working through many of the methods, unfortunately with no success. The root exploits don't work (including debugfs, which would work on nearly anything) as the file system is locked down HARD even in recovery mode. Even ODIN 3.07 flashing recoveries (CWM touch 6.01) fails check after the NANDWRITE step (same trying to flash an unlocked boot for the MSM8960 (SIII)). I have built the kernel from source successfully, but with no way to get the initramfs built there's no way to flash the product. Damn VZW!!! Need some suggestions for moving forward, I'm about stumped.
So I feel your pain friend, I'm sure others are too. Short of an emulator to suck the code off the chip (which I'm not above doing *if* I had the hardware) and twiddling bits in the binary, I don't know how we're going to get this thing unlocked yet.
TheHierophant said:
I have been working through many of the methods, unfortunately with no success. The root exploits don't work (including debugfs, which would work on nearly anything) as the file system is locked down HARD even in recovery mode. Even ODIN 3.07 flashing recoveries (CWM touch 6.01) fails check after the NANDWRITE step (same trying to flash an unlocked boot for the MSM8960 (SIII)). I have built the kernel from source successfully, but with no way to get the initramfs built there's no way to flash the product. Damn VZW!!! Need some suggestions for moving forward, I'm about stumped.
So I feel your pain friend, I'm sure others are too. Short of an emulator to suck the code off the chip (which I'm not above doing *if* I had the hardware) and twiddling bits in the binary, I don't know how we're going to get this thing unlocked yet.
You're a much braver man than I, I'll tell you that much.
I've been considering attempting to flash a T-mobile Samsung Relay 4G recovery since the phones are almost identical (with the exception of the radios, of course), but I'm afraid of totally borking it because I have no backup. If you're up for it and haven't tried that one yet, maybe editing some settings in the build.prop of the Relay's stock ROM would work (I don't know really; I'm a hardware guy, not a developer... )?
http://forum.xda-developers.com/showthread.php?t=2117436
There's all of the stuff for it so far, and if you do decide to give it a shot, let me know and I'll try to provide whatever help I can.
Hidden Menu results
Okay, fell back and started looking at other approaches. So... following on Adam Outler's work on the SIII, I snooped through the .apks and found this little gem, "HiddenMenu.apk", which I disassembled. Lo and behold, the following things popped out at me [which I put in activation strings]:
Code:
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE"
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU"
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL"
The first line brings up the Hidden menu screen: select the entry and select "enable"
The second line brings up the internal operation test menu which lets you look at all sorts of interesting and possibly dangerous goodies
The third line brings up the following message in a dialog box followed by another dialog asking for the unlock key code
"You have obtained the key for unlocking the bootloader to install custom OS. In order to unlock the bootloader, you must read and accept the following terms and conditions. By clicking on the “I Agree” button, you acknowledge and agree to the terms and conditions. If you change your mind, you may click on the “Cancel” button, which will stop the process.
1. The unlocking of the bootloader voids and invalidates the warranty of your device. As result of the unlocking, certain functions of your device may cease to function and physical injuries or material damage may occur, for example, due to the phone overheating. You take full responsibility for any and all consequences that may arise from the unlocking of the bootloader. Samsung will not be liable for any damages that such unlocking may cause, and you waive any rights in connection with the unlocking.
2. You will not be able to recover the device to its original state. Even if the device’s setting is restored, the warranty will remain voided and invalid.
3. As result of the unlocking, you may lose certain contents that you have stored on your device, for example, through the malfunction of the DRM functions.
4. You agree that your attempt to unauthorized kernel download from the default setting or without the authorization key will lead to blocking of the device, which may permanently disable the device. Samsung will not be responsible for any damages or injuries that result from such attempt. For downloading of custom kernel, you need to follow through a special installation process as set forth in the device manual.
5. You agree to comply with all applicable laws and regulations as well as any contractual obligations that you may have with your wireless carrier in using the unlocked devices. In particular, you will not operate the unlocked device on any wireless carrier’s network unless such wireless carrier approves of the operation of such unlocked device on its network.
6. You agree not to resell your unlocked devices to other parties without first explaining the content of the terms and conditions herein.
"
I found the following part inside the constructor for SecureBootMenu:
Code:
.line 24
const-string v0, "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
iput-object v0, p0, Lcom/android/hiddenmenu/SecureBootMenu;->SBOOT_KEY:Ljava/lang/String;
Well, I tried that key and got a message "HIDDENMENU stopped" and a boot into loader still gives the "QUALCOMM SECUREBOOT: ENABLE". So I'm not quite there yet, but there may be something close. I'll keep looking around. If anyone has suggestions or more wisdom LMK.
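As an added example (not code from the thread and not from the HiddenMenu app itself): the codes that react to android.provider.Telephony.SECRET_CODE are declared in the APK's manifest as data hosts on a receiver's intent filter, so once the manifest is decoded (for instance with apktool) every code can be enumerated without reading smali. The manifest below is constructed for illustration and is not the real HiddenMenu.apk manifest; the receiver and package names in it are assumptions.

```python
"""Enumerate SECRET_CODE handlers from a decoded AndroidManifest.xml and
emit the `am broadcast` lines that trigger each one.

Added example, not from the thread. The manifest string is constructed;
only the broadcast action, the scheme and the three code names come from
the original post."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SECRET_CODE_ACTION = "android.provider.Telephony.SECRET_CODE"
SECRET_CODE_SCHEME = "android_secret_code"

# Constructed sample: one receiver registered for three codes plus an
# unrelated receiver that must not be reported.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.hiddenmenu">
  <application>
    <receiver android:name=".HiddenMenuReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="HIDDENMENUENABLE"/>
        <data android:scheme="android_secret_code" android:host="IOTHIDDENMENU"/>
        <data android:scheme="android_secret_code" android:host="UNLOCKKERNEL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def find_secret_codes(manifest_xml):
    """Return [(fully qualified receiver, code)] for every SECRET_CODE host."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for receiver in root.iter("receiver"):
        name = attr(receiver, "name") or ""
        if name.startswith("."):          # manifest shorthand for package-relative names
            name = package + name
        for flt in receiver.findall("intent-filter"):
            actions = {attr(a, "name") for a in flt.findall("action")}
            if SECRET_CODE_ACTION not in actions:
                continue
            for data in flt.findall("data"):
                if attr(data, "scheme") == SECRET_CODE_SCHEME and attr(data, "host"):
                    found.append((name, attr(data, "host")))
    return found

def broadcast_command(code):
    """The adb shell line that fires one code (the form used in the post)."""
    return "am broadcast -a %s -d %s://%s" % (SECRET_CODE_ACTION, SECRET_CODE_SCHEME, code)

def dialable(code):
    """Only all-digit codes can be typed on the dialpad as *#*#code#*#*;
    alphabetic ones like UNLOCKKERNEL have to be sent by broadcast."""
    return code.isdigit()

if __name__ == "__main__":
    for receiver, code in find_secret_codes(SAMPLE_MANIFEST):
        how = "*#*#%s#*#*" % code if dialable(code) else "broadcast only"
        print("%-44s %-18s %s" % (receiver, code, how))
        print("    " + broadcast_command(code))
```

Run against the decoded manifest of a real APK, the same function lists every code the app listens for, which is the inventory you want before poking at any of them from the IOT test menu.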
TheHierophant said:
Okay, fell back and started looking at other approaches. So... following on Adam Outler's work on the SIII, I snooped through the .apks and found this little gem, "HiddenMenu.apk", which I disassembled. Lo and behold, the following things popped out at me [which I put in activation strings]:
Code:
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE"
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU"
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL"
The first line brings up the Hidden menu screen: select the entry and select "enable"
The second line brings up the internal operation test menu which lets you look at all sorts of interesting and possibly dangerous goodies
The third line brings up the following message in a dialog box followed by another dialog asking for the unlock key code
I found the following part inside the constructor for SecureBootMenu:
Code:
.line 24
const-string v0, "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
iput-object v0, p0, Lcom/android/hiddenmenu/SecureBootMenu;->SBOOT_KEY:Ljava/lang/String;
Well, I tried that key and got a message "HIDDENMENU stopped" and a boot into loader still gives the "QUALCOMM SECUREBOOT: ENABLE". So I'm not quite there yet, but there may be something close. I'll keep looking around. If anyone has suggestions or more wisdom LMK.
Wow man, that's awesome; I'd mucked around with some of the dialer codes, but never got to that point. I wish I could help at all, but you've blown way past my usefulness at this point -- unless you want a tester.
What about trying various decode methods on that key? It looks like it could be maybe base64.
Here's two ideas that may help you root:
1) Borrow a page from the kindle fire and instead of trying to access /data directly, get around it with a symlink http://www.androidpolice.com/2012/09/17/amazon-kindle-fire-hd-7-already-rooted-heres-how-to-do-it/
2) You said Odin wouldn't let you flash custom bootloaders. See if you can flash custom system images. Get a copy of the stock system image from Kies or samfirmware.com, mount it under Linux, add the superuser apk and su manually and fix permissions, and then repackage it as a .tar.md5 and try to flash it. Here's an (old) guide to do that http://forum.xda-developers.com/showthread.php?t=1081239 I'm sure there's newer ones though.
Thanks for the suggestions...
Nardholio said:
Here's two ideas that may help you root:
1) Borrow a page from the kindle fire and instead of trying to access /data directly, get around it with a symlink http://www.androidpolice.com/2012/09/17/amazon-kindle-fire-hd-7-already-rooted-heres-how-to-do-it/
2) You said Odin wouldn't let you flash custom bootloaders. See if you can flash custom system images. Get a copy of the stock system image from Kies or samfirmware.com, mount it under Linux, add the superuser apk and su manually and fix permissions, and then repackage it as a .tar.md5 and try to flash it. Here's an (old) guide to do that http://forum.xda-developers.com/showthread.php?t=1081239 I'm sure there's newer ones though.
I'll give these a try, have been busy with other things, but have a couple evenings free to experiment. Thank you for the ideas.
Did you get anywhere?
I disassembled the HiddenMenu.apk and found the same code. When I entered it I got an error saying that the application stopped working.
I ran the string through base64 --decode, but it was full of non-printable characters. I'm wondering if it's encrypted.
I've also tried various methods that symlink data but keep getting permission denied errors. I haven't found a copy of a stock firmware to mess with.
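Added example, not from the thread: the first triage step for an opaque constant like SBOOT_KEY is to decode it and look at length and byte distribution before guessing at encryption. The input is the string quoted in the earlier post; the size table and the entropy figure are heuristics, and a 48-byte value matching SHA-384's output length says nothing certain about how the phone actually uses it.

```python
"""Triage for an opaque constant pulled out of an APK: decode it and
characterise the bytes before guessing whether it is a key, a digest or
ciphertext.

Added example, not from the thread. SBOOT_KEY is the string quoted in the
post; the size table and the entropy numbers are hints, not findings."""
import base64
import binascii
import math

SBOOT_KEY = "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"

# Output/key sizes of common primitives; a match is a hint, nothing more.
KNOWN_SIZES = {
    16: "MD5 digest / AES-128 key / one AES block",
    20: "SHA-1 digest",
    24: "AES-192 or 3DES key",
    32: "SHA-256 digest / AES-256 key",
    48: "SHA-384 digest / 3 AES blocks / 16-byte IV + 32-byte ciphertext",
    64: "SHA-512 digest",
}

def try_decode(s):
    """Decode standard or URL-safe base64, restoring stripped '=' padding."""
    s = s.strip()
    padded = s + "=" * (-len(s) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except binascii.Error:
            continue
    raise ValueError("not base64")

def shannon_entropy(data):
    """Bits per byte. For short inputs the ceiling is log2(len), not 8."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def triage(s):
    raw = try_decode(s)
    if not raw:
        raise ValueError("decoded to nothing")
    printable = sum(0x20 <= b < 0x7F for b in raw)
    return {
        "length": len(raw),
        "hex": binascii.hexlify(raw).decode(),
        "all_printable": printable == len(raw),
        "printable_ratio": round(printable / len(raw), 2),
        "entropy_bits_per_byte": round(shannon_entropy(raw), 2),
        "entropy_ceiling": round(math.log2(min(256, len(raw))), 2),
        "aes_block_aligned": len(raw) % 16 == 0,
        "size_matches": KNOWN_SIZES.get(len(raw), "no common primitive size"),
    }

if __name__ == "__main__":
    for key, value in triage(SBOOT_KEY).items():
        print("%-22s %s" % (key, value))
```

If the entropy sits near its ceiling and the length is block-aligned, the value is worth tracing to the code that consumes it (what it is compared against, whether it is fed to a cipher or a MAC) rather than to more decoders.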
I also have a Stratosphere II, and I'm more than happy to help out in any way possible, even if it means sending my phone to one of you guys' trusted hands.
You guys suck. To get the stock firmware for your phone if it's not on sammobile or samfirmware you can trick Kies into downloading it and then intercept the file from your Windows temp folder while it's flashing to your phone (3-4 minute window)
http://forum.xda-developers.com/showthread.php?t=2088809
Then you can transfer it to a linux box to convert it to a mountable file system to root it, before repackaging it as an odin tar. From there you should be able to flash it.
Sent from my SGH-T699 using xda premium
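Added example, not from the thread: the repackaging step above, in Python. It assumes the usual hand-made layout of an Odin package, a plain ustar tar with the single line printed by `md5sum -t name.tar` appended after the archive's zero padding, and it performs the same md5 check Odin runs on a .tar.md5 before flashing. The image bytes are constructed placeholders; the su injection itself (loop-mounting system.img and copying su with mode 06755) needs root and is not shown. Whether Odin accepts a modified system image on this phone is exactly what the post proposes finding out.

```python
"""Build and verify an Odin-style .tar.md5 package.

Added example, not from the thread. Assumed layout: an uncompressed ustar
tar followed by the one-line output of `md5sum -t name.tar`. The member
contents below are constructed placeholder bytes, not firmware."""
import hashlib
import io
import tarfile

TAR_BLOCK = 512

def build_tar_md5(members, tar_name):
    """members: {name_inside_tar: bytes}. Returns the complete .tar.md5 bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode, info.uid, info.gid = 0o644, 0, 0
            tar.addfile(info, io.BytesIO(data))
    body = buf.getvalue()                       # always ends in zero blocks
    trailer = "%s  %s\n" % (hashlib.md5(body).hexdigest(), tar_name)
    return body + trailer.encode("ascii")

def split_tar_md5(blob):
    """Separate archive bytes from the trailing md5 line.

    The trailer is ASCII with no NUL byte and a tar always ends in NUL
    padding, so the archive ends right after the last NUL."""
    cut = blob.rfind(b"\x00") + 1
    body, trailer = blob[:cut], blob[cut:]
    if cut == 0 or cut % TAR_BLOCK or not trailer.endswith(b"\n"):
        raise ValueError("not a tar.md5 layout")
    digest, sep, name = trailer.strip().decode("ascii").partition("  ")
    if not sep or len(digest) != 32:
        raise ValueError("malformed md5 trailer")
    return body, digest, name

def verify_tar_md5(blob):
    """Returns (md5_ok, tar_name, member_names): the check done before flashing."""
    body, digest, name = split_tar_md5(blob)
    ok = hashlib.md5(body).hexdigest() == digest
    with tarfile.open(fileobj=io.BytesIO(body)) as tar:
        names = [m.name for m in tar.getmembers()]
    return ok, name, names

if __name__ == "__main__":
    # Constructed stand-ins for a modified system image and an untouched recovery.
    pkg = build_tar_md5({"system.img": b"EXT4-IMAGE-PLACEHOLDER" * 64,
                         "recovery.img": b"RECOVERY-PLACEHOLDER" * 32}, "patched.tar")
    print(verify_tar_md5(pkg))
```

Keep the archive uncompressed and the member names exactly as the stock package has them (system.img, not a path), since that is what the flasher matches against its PIT entries; the md5 line only guards against a corrupt download, not against a bad image.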
Apparently the SCH-I415 does not support Kies.
I just checked for a software update on my wife's Stratosphere II SCH-I415 and there is one. I live in NC; the update was under Settings / About device / Software update. It's from Verizon, size 506.6 MB. Is there a way to pull it before it installs? Maybe a root method. I installed it, could not wait. Well, it's Jelly Bean; went from 4.0.4 to 4.1.2, baseband i415vrlj2 to i415vrbma3, kernel 3.0.8-1157001 to 3.0.31-947060.

The TWRP Password Protection Thread

Yes, it has been discussed to no end. People say it makes no sense. More importantly, the TWRP team says it makes no sense:
Password protecting TWRP (lockscreen)
http://teamw.in/securetwrp
I've had people ask enough for a protected TWRP that I'm creating this page as a response so I don't have to retype. If you're seeing this page, you're probably asking, "Why doesn't TWRP offer password protection?" You want to lock down your device so that a would-be thief won't be able to wipe your device to get past your lockscreen and/or so they can't wipe away that cool app you bought from the Play Store that will let you track your stolen device via GPS. Well, here's the short answer:
Nothing trumps physical access to your device. If you've lost it, there's no way that TWRP can secure it.
For a longer answer, it's very easy for anyone with just a little bit of knowledge to get around any kind of security that TWRP might have. All they have to do is flash one of the other recoveries that's available that doesn't have password protection to get around it. Most, if not all devices have ways to flash recovery without needing to boot to either Android or recovery (usually via fastboot or download mode / Odin). Quite literally the only way to truly secure your device would be to render the USB port completely unusable which isn't an option for most newer devices that don't have removable batteries. Even then most devices could still be worked with via jtag though it's unlikely that a thief will go to the trouble of paying for a jtag service on a device that has a broken USB port. (Note: I am not recommending that you purposely damage your USB port as it will also likely make it very difficult to recover your device if anything ever goes wrong!)
I also don't want to offer a lockscreen / password protection because it offers such a superficial level of protection. Users rarely read and would skip over any disclaimer we displayed indicating that their device really isn't secure. If your device has fallen into someone else's hands, your best case scenario should be that you hope that they don't get your personal data. If you don't want someone getting your personal data, use Android's device encryption and a good lockscreen.
But it does make sense in many cases. My objectives with this thread are: to change the minds of the TeamWin team members on this matter, and to discuss the best way to implement TWRP security. I will start by answering TeamWin's post.
1) Most people just want their data safe, not their phones unusable to burglars.
It is true that nothing beats encryption. But encryption with a trivially short PIN, pattern or password is useless. Raw access to the encrypted media allows brute forcing which in almost all realistic cases will recover the key in no time. Making it hard to reach the encrypted media would in these cases provide more security than encryption itself. And in any case, this would be added security, not replacement security, and can only strengthen the system (and in common cases, by a great deal).
The security of some phones is fundamentally broken, and there is nothing TWRP can do to fix that. The only fix could come from updated bootloaders. But bootloaders need to be signed by the phone manufacturer to work (so aftermarket bootloaders are not an option), and many companies are just not serious enough to care.
Case in point: dirty Samsung. All Samsung cares about is ending your warranty if you dare install software of your choice on your own phone. It has made it impossible for developers to overcome this by actually blowing physical fuses within the phone in their bootloaders if you exercise your freedom. Their "upgrade" bootloaders also blow fuses to prevent you from ever downgrading to the more permissive bootloader that might have been in the phone when you first bought it.
They care about invalidating your warranty a lot, but not at all about your data. I can grab a stock S3, flash whatever I want (voiding warranty, or so they say because in many countries it is rightly not so) and get to your data. So it better be encrypted because Sammy is not giving a damn to defend it.
But other phones actually make an effort to defend your data. This is the case of, for instance, all Google Nexus devices, and the OnePlus One. I name these phones because these are the only mass-market phones I know that do not try to take away your tinkering freedom with threats of voided warranties, and so are the only phones I consider when buying. (No feature is worth losing your freedom IMO.)
These phones actually fully wipe your data when you unlock their bootloaders, a required step before any flashing is allowed. This means that if I grab a bootloader-locked nexus, I can wipe it but not get to the data without the lockscreen code. Well, unless TWRP is flashed. TWRP breaks the security that Google (and others) baked into their phones.
There used to be a good reason to avoid security in the old CWM days: CWM was not touch, and much less was capable of popping up a keyboard. TWRP has gone such a long way forward that now security can be easily implemented. There is no reason to break the security of good phones just because some phones are broken.
One could disallow access to the storage media on their phone (encrypted or not) by installing TWRP with a password and then relocking the bootloader. In this way, the modded phone would be as secure as its stock counterpart. Modding your phone would no longer mean zero security.
2) It turns out that those who want to disable the burglar's ability to reset the phone and sell it can actually do it in many cases!
It so happens that bootloaders usually do not wipe the phone themselves as it is "too complex" an operation. Many times during bootloader unlocking, the bootloader boots stock recovery instructing it to 1) do the wipe, then 2) reset the bootloader lock. If the bootloader is locked and TWRP is installed in place of the stock recovery and TWRP ignores these commands (as current versions do), then there is no way to wipe the data or unlock the bootloader (and thus no way to flash a door to the system) from fastboot.
So if you:
1) setup a TWRP lockscreen,
2) keep a flashable zip that unlocks your bootloader in your phone (see boot unlock scripts),
3) setup an android lockscreen,
4) download a root app that unlocks your bootloader (see BootUnlocker),
5) and lock the bootloader,
...then you are secure. You can recover bootloader access without wiping as long as either one of rooted android and/or recovery works. But you cannot use either without going through their respective lockscreens.
This prevents access to your data, but in the case mentioned here (recovery does the actual bootloader unlock) it also prevents wipes. In this situation, it is not difficult to imagine a burglar attempting to sell you back your own phone on the cheap. Of course suitable contact info would be displayed in your lockscreen. This is even more security than was planned by Google, and not less as is the current situation with TWRP.
I know for a fact that the OnePlus One works in this recovery-invoked-to-unlock-bootloader manner, and I suspect all Nexuses work in the same way. For these phones, anti-theft can be a reality, and getting them back after a robbery, a not so improbable scenario.
NOTE: It should now be obvious why it is very dangerous to lock your bootloader unless a working stock recovery is in place. If you cannot obtain root access in either android or recovery, your recovery is custom (and thus it does not unlock the bootloader), and your bootloader is locked, then you are stuck: you will not be able to unlock your bootloader without a JTAG rig. Under some circumstances this can render your phone unrootable or effectively bricked. This is in part our objective anyway: that burglars are not able to gain control of the phone, not even by full wipe. But it can seriously backfire if you make a configuration mistake or simply forget your passwords. Keep in mind that you can make these mistakes today, without security in TWRP. Bootloader re-locking in a scenario other than return-to-stock is an intrinsically dangerous operation that only advanced users should attempt.
3) Encryption is insecure unless the boot chain can be trusted.
An adversary that gains physical access to your phone can dump and save a copy of the encrypted partition(s) and plant a password sniffer that later forwards the password to them. You cannot trust your password to a non-tamper-evident device that can be trivially modified. The only way to protect the boot chain from tampering in today's phones is locking the bootloader and restricting access to the recovery.
Countermeasures
Some SoCs are compromised. For example, a signed USB-fed bootloader for the Galaxy Nexus has leaked into the public domain, and with it the SoC of a Galaxy Nexus can be booted entirely via the USB port. A monitor software can be loaded that can read (or write) the complete eMMC (the storage). This is possible because either TI or Samsung leaked a properly signed debugging bootloader. This is an extremely rare case because this bootloader makes you God. I think some Kindle Fires also have a similar thing. Few phones had their security broken so drastically; compromised SoCs are the exception and are very few.
Finally, the attacker could open up the phone and use JTAG to directly access the eMMC. It requires equipment and know-how and work and time, and significantly adds to the full cost of robbing a phone, eating up their profit. Probably almost all phones could be recovered by JTAG.
But of course, there are countermeasures to countermeasures. Many people have discussed damaging JTAG traces, bond wires, or even the IC itself, and some JTAG ports can be irreversibly disabled by design.
Conclusions
1) TWRP is doing nothing in fundamentally insecure phones.
2) TWRP is disabling the security of secure phones.
3) Secure phones with TWRP could be as secure as they are with stock recovery.
4) In some cases phones with TWRP can be even more secure, preventing their unauthorized wiping and reselling.
5) A barrier blocking access to encrypted media can effectively protect more than encryption itself if short keys are used.
6) Encryption is insecure with an unlocked bootloader or an open-access recovery.
We have the rationale, we have the UI, we have the keyboard, and we have the great team of programmers behind TWRP: let's get this old rat hole plugged for good.
Implementation Ideas
Security is never trivial to implement, so I will accumulate some points here to guide the design of a solution. Feel free to contribute.
The passwords must be stored in an irreversible manner, using proven, properly salted cryptographic methods.
The password store (PS) should not be accessible to apps, or else they might attack it by brute force. In /data/media devices, if the PS is stored in /data/media/0, it should be stored with restrictive permissions such that the fuse daemon will not reflect it into the world-readable /sdcard. Under KitKat (and even using a permission-less real FAT32 /sdcard) files could be made inaccessible under folders in /Android, I think. Otherwise the /data partition could work (ugly due to interactions with nandroid backups). Also, bytes reserved in the /recovery partition itself could do the trick. NOTE: nandroid backups suffer the same problem: they are world-readable copies of your passwords and auth tokens. It is imperative that a general solution to this problem be found for TWRP. CM's recovery places the backup files outside of '0' in /data/media, which is a good solution for /data/media devices. And going forward, this type of device should be the norm.
adbd and mtpd should not start before the password is entered.
It is enough to ask for password once per boot.
adb on recovery is the data recovery method of choice when a screen is broken. it should be possible to enter the password via USB to enable adb and mtp with a broken screen. NOTE: by the same token, it should be possible to enter the phone encryption password via USB if any.
Both the recovery lockscreen/password and android lockscreen/password could be the same, since access to android's lockscreen data is needed for encryption support anyway and thus that code is already in place. But then, forget this one password and your phone is a brick!!!
If they are not the same, a way (an app) to change the password (or at least reset it) from root android should be provided.
There could be an official TWRP password manager app that stores the TWRP password in its private data in /data and TWRP could read it from there. (But the interaction with nandroid backups would kinda suck.)
To enter the password over USB, ideally a restricted adbd mode would ask for the password, then restart itself a la "adb root" switcheroo. So that standard adb can be used to enable adbd and another host tool is not needed.
There should be some throttling of password tries, both via the recovery popup keyboard and via adb. If the same password is used for android and recovery, then the throttling should not be less aggressive than android's.
Ideally the password hash in the PS should be stored in a way compatible with some proven challenge response authentication so that the data in the PS can support future unlock protocols that do not send the password in the clear.
kind invitation to read this thread:
@Dees_Troy @bigbiff
thanks!
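The implementation ideas above, as an added example that is not TWRP's code: a small password store (PS) with a salted PBKDF2 hash, a writer that uses mode 0600, and a per-boot unlock gate whose throttling is no gentler than Android's lockscreen (30 s after 5 failures). The record format, the doubling of the wait after further failures and all names are assumptions made for this example.

```python
# Added example, not TWRP's code: a recovery password store (PS) sketched
# along the lines of the ideas above. The record format, the PBKDF2 choice
# and the lockout schedule are assumptions made for this example.
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # well above the 2000 rounds the thread cites for crypt.c
SALT_LEN = 16


def create_store(password: str, rounds: int = PBKDF2_ROUNDS,
                 salt: Optional[bytes] = None) -> bytes:
    """Build the PS record: b'pbkdf2-sha256$<rounds>$<salt hex>$<hash hex>'.

    Only a salted, iterated hash is stored; the password is not recoverable
    from the record. A fixed salt may be passed for deterministic tests.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2-sha256${rounds}${salt.hex()}${dk.hex()}".encode("ascii")


def parse_store(record: bytes) -> Tuple[int, bytes, bytes]:
    """Split a PS record back into (rounds, salt, hash); rejects unknown algorithms."""
    algo, rounds, salt_hex, dk_hex = record.decode("ascii").split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError(f"unsupported PS algorithm: {algo}")
    return int(rounds), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def write_store(path: str, record: bytes) -> None:
    """Write the PS with mode 0600 so a FUSE-exported /sdcard or an app cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(record)


class RecoveryAuth:
    """Per-boot unlock gate: adbd/mtpd would be started only after try_unlock() succeeds.

    Lockout schedule (assumption, chosen to be no gentler than Android's
    lockscreen): after 5 failures wait 30 s, and double the wait on every
    further failure. The clock is injectable so the schedule can be tested.
    """

    def __init__(self, record: bytes, clock=time.monotonic,
                 free_attempts: int = 5, base_delay: float = 30.0):
        self.rounds, self.salt, self.dk = parse_store(record)
        self.clock = clock
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.failures = 0
        self.locked_until = 0.0
        self.unlocked = False

    def try_unlock(self, password: str) -> Tuple[bool, float]:
        """Return (unlocked, seconds_to_wait). Same path for the touch keyboard and for USB."""
        now = self.clock()
        if self.unlocked:
            return True, 0.0
        if now < self.locked_until:
            # Still throttled: the candidate is not even hashed, so a correct
            # password submitted during lockout is not rewarded.
            return False, self.locked_until - now
        cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, self.rounds)
        if hmac.compare_digest(cand, self.dk):  # constant-time compare
            self.unlocked = True
            self.failures = 0
            return True, 0.0
        self.failures += 1
        if self.failures >= self.free_attempts:
            wait = self.base_delay * 2 ** (self.failures - self.free_attempts)
            self.locked_until = now + wait
            return False, wait
        return False, 0.0


if __name__ == "__main__":
    # Constructed demo: create a store, then gate a pretend recovery session on it.
    record = create_store("correct horse battery staple")
    gate = RecoveryAuth(record)
    print(gate.try_unlock("hunter2"))                       # (False, 0.0)
    print(gate.try_unlock("correct horse battery staple"))  # (True, 0.0)
```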
Lanchon said:
Some SoCs are compromised. For example, a signed USB-fed bootloader for the Galaxy Nexus has leaked into the public domain, and with it the SoC of a Galaxy Nexus can be booted entirely via the USB port. A monitor software can be loaded that can read (or write) the complete eMMC (the storage). This is possible because either TI or Samsung leaked a properly signed debugging bootloader. This is an extremely rare case because this bootloader makes you God. I think some Kindle Fires also have a similar thing. Few phones had their security broken so drastically; compromised SoCs are the exception and are very few.
All MediaTek SoCs can be considered compromised, for every single one of them allows the entire ROM to be read back and reflashed using spFlashTool, even with a "locked" 2nd stage bootloader. Furthermore, their source code quality can be considered as "rotten to the core", I would bet my behind on the Mediatek kernel customization containing more than one exploitable hole.
harddisk_wp said:
All MediaTek SoCs can be considered compromised, for every single one of them allows the entire ROM to be read back and reflashed using spFlashTool, even with a "locked" 2nd stage bootloader. Furthermore, their source code quality can be considered as "rotten to the core", I would bet my behind on the Mediatek kernel customization containing more than one exploitable hole.
thank you for the contribution. it is good to know that all mediatek devices can be rooted and are effectively unbrickable.
it also seems that the opo is unbrickable: there seems to be a ColorOS leak that flashes the system by debug-booting the qualcomm soc.
This is really important stuff… pity how most people are more interested in skins than serious security issues. Hope it gets the attention it deserves.
i forgot to mention in the first post that Philz Touch Recovery does have password support. (i think they are actually PINs.) i haven't checked how the security is implemented in Philz though. regrettably that recovery has been discontinued so further investigation seemed useless.
TWRP is such a great piece of software that i simply can't imagine any competition will dare take on it again. that's exactly why it's important to get security merged in TWRP.
Lanchon said:
i forgot to mention in the first post that Philz Touch Recovery does have password support. (i think they are actually PINs.) i haven't checked how the security is implemented in Philz though. regrettably that recovery has been discontinued so further investigation seemed useless.
TWRP is such a great piece of software that i simply can't imagine any competition will dare take on it again. that's exactly why it's important to get security merged in TWRP.
3 people in the entire world do a majority of the work for TWRP. We welcome contributions to the TWRP project at OMNI's gerrit from people who want to get this done.
bigbiff said:
3 people in the entire world do a majority of the work for TWRP. We welcome contributions to the TWRP project at OMNI's gerrit from people who want to get this done.
i thought of that, but adding a feature like this to TWRP probably requires too much effort for somebody who doesn't know the codebase. i imagine that TWRP is sort of an app framework in itself. i chose to advocate for it instead of implementing, i just can't justify the effort it would take *me*. i also tried to help by centralizing ideas on how it should be implemented, if somebody chooses to.
anyway, it's great to know you are not opposing the idea and you would consider merging if somebody implements, that is a good start.
btw, there is a tangentially related issue i'd love to hear your opinion on:
i hear TWRP can mount encrypted partitions and there is a UI for entering PINs, passwords, patterns etc. but i don't have my phone encrypted because if i break my display with the phone encrypted then i'm toast: i can't extract my files from the device anymore.
would you consider implementing a way to enter the encryption password via usb? maybe some sort of adb shell command?
UPDATE: Added a third item to the OP...
3) Encryption is insecure unless the boot chain can be trusted.
An adversary that gains physical access to your phone can dump and save a copy of the encrypted partition(s) and plant a password sniffer that later forwards the password to them. You cannot trust your password to a non-tamper-evident device that can be trivially modified. The only way to protect the boot chain from tampering in today's phones is locking the bootloader and restricting access to the recovery.
Thank you very much for this call, I highly appreciate it! Me, I consider securing Recovery also very essential, but instead of coding a patch I would like to contribute to the overall discussion:
having a locked bootloader normally restricts you to booting a stock kernel without a bootloader-valid signature, right? Otherwise you could simply fastboot any kernel without flashing. But this can be an issue in case your kernel is outdated and has other security flaws which e.g. make it vulnerable from remote. In this case, you secure your device from offline attacks but stay vulnerable to online attacks. The hard question is: which attacks are more realistic?
in "good old cm7 times", maniac103 implemented a password-protected CWM for the Motorola Defy which was based on entering a password sequence using the sensor keys (back, home, search etc.). See this commit.
many people argue against Android encryption because it is based on the "same password as for the screen unlock". This is essentially not true: It's just the front-end in almost all Stock ROMs which does not support it - the back-end does. You can set a much stronger passphrase for protecting your encryption key using the command line or a tool like this or this (both require root, stupid!). You still suffer from the hardcoded limitations in crypt.c (like only 2000 rounds, just 128bit AES, maximum 16 char limitation etc.) but much better than having just a numeric PIN! Please note that Android 5.0 also tries to store the encryption key in a more secure location than the footer of the disk partition as outlined here.
Even if you could overcome a TWRP password on a bootloader-unlocked device easily by fastbooting a different boot image, it still raises obstacles for a "stupid" attacker (e.g. you need a device with USB and not just a microSD card or USB drive+OTG cable). Although I would still consider it "security by obscurity", in essence, it's going in the same direction as JTAG also being hard(er) to exploit.
The same argument accounts for "dumping your encrypted partition and installing a sniffer" - it raises the barrier and the victim will likely notice that something is wrong (unless it's using a device that's unstable...) because the device will be off or rebooted. A counter-measure would be: if you find your device in such a state, boot into recovery and compare checksums of your boot and system partitions - many even more advanced attackers will probably forget to install rogue versions of md5sum/sha256 etc, and of course you could also carry a write-protected USB drive+OTG cable with a clean boot image, provided TWRP would allow you to boot from that (which afaik it currently does not).
Considering the huge security breach of an unprotected recovery, I would consider the option to recover stuff via adb from recovery a secondary objective. A more effective approach which could help against the problem of non-recoverable data from a hardware failure would be having the data already external - like in the approach I posted in this thread where I argue against keeping private data in internal phone memory. Unfortunately, on many devices this will not work with a locked bootloader unless you manage to modify the rootfs otherwise (but I assume recoveries like Philz seem to manage it already somehow with locked bootloaders).
There are many other attack vectors like a memory freeze which a locked bootloader can certainly make more difficult.
For instance, if we had a tool like https://play.google.com/store/apps/details?id=net.segv11.bootunlocker compatible with the OPO, it would be easy to have a pretty secure custom rom.
Scenario (encrypted of course) : unlocked bootloader, TWRP to flash some stuff, back to stock recovery then lock bootloader.
Each time you need a custom recovery back, you unlock the bootloader and do your stuff.
I always did that for the Nexus 4.
Defier525 said:
having a locked bootloader normally restricts you to booting a stock kernel without a bootloader-valid signature, right? Otherwise you could simply fastboot any kernel without flashing. But this can be an issue in case your kernel is outdated and has other security flaws which e.g. make it vulnerable from remote. In this case, you secure your device from offline attacks but stay vulnerable to online attacks. The hard question is: which attacks are more realistic?
thanks!
no, it does not. android reference bootloaders (nexus, opo, etc) do not check kernel signatures when locked. they just disallow flash and boot commands. your point here is void.
Defier525 said:
Even if you could overcome a TWRP password on a bootloader-unlocked device easily by fastbooting a different boot image, it still raises obstacles for a "stupid" attacker (e.g. you need a device with USB and not just a microSD card or USB drive+OTG cable). Although I would still consider it "security by obscurity", in essence, it's going in the same direction as JTAG also being hard(er) to exploit.
personally i do not consider connecting the device to a host being any kind of bar raising at all. it is the realm of script kiddies and the standard way stolen phones are reset and/or returned to stock when they have a screen lock.
JTAG, on the other hand, is. it requires physically disassembling the phone and maybe modifying the board. it requires hardware and software tools that are not in the arsenal of the usual adversary. (i am not talking about the NSA!) i have JTAG hardware and use OpenOCD for hardware development but i have never attempted to JTAG a phone and probably never will. it is just too much trouble; not worth it.
modded phones will always be a minority. as long as mainstream phones do not need JTAG after being stolen, i predict modded phones that require JTAG to be recycled will not be recycled and will be sold for parts or maybe resold to the owner at a reduced price. (the "hey, i found this phone..." scenario.)
Defier525 said:
Considering the huge security breach of an unprotected recovery, I would consider the option to recover stuff via adb from recovery a secondary objective. A more effective approach which could help against the problem of non-recoverable data from a hardware failure would be having the data already external - like in the approach I posted in this thread where I argue against keeping private data in internal phone memory. Unfortunately, on many devices this will not work with a locked bootloader unless you manage to modify the rootfs otherwise (but I assume recoveries like Philz seem to manage it already somehow with locked bootloaders).
i do not. i do not encrypt my phone because i would not be able to access it with a broken screen. that proposition is unthinkable for me. i use software fallbacks such as keepass. this is a matter of priorities.
also, i don't consider the sdcard hack to be a valid alternative. i will answer to your thread here (but keep in mind that even if it were a valid alternative, this thread is about securing the recovery, not about other options):
-using an external encrypted sdcard with an untrusted boot chain leaves you vulnerable to all caveats of internal encryption, plus more. eg: wiping the phone to get control of its bootloader to plant an attack does not wipe the sdcard.
-the sdcard can be trivially dumped even with a trusted boot chain in place.
-many phones today, including my last 4 phones, do not even have sdcard slots (eg, most of the "free" phones: nexuses and the opo; some GPE phones do have slots) and you can expect the number to keep falling.
-sdcards are extremely slow compared to internal flash.
-sdcards tend to use much more power than internal flash.
-sdcards tend to be unreliable.
-the FTL in sdcards is not designed to handle the constant writing android will subject /data to. most FTLs do not provide good wear leveling, especially if cards are mostly full, and as a result the cards would probably fail soon.
-AOSP encryption of /data is all that is needed since the emulated "internal sdcard" is backed by storage in /data/media since reference android 4.0
-eMMCs in phones *do* provide secure erase commands! it has been a required part of the eMMC standard for years. commands are: SECURE ERASE and SECURE TRIM, and maybe later they added a SECURE DISCARD command, not sure. furthermore, reference android recovery does use these commands while wiping a phone.
Xoib said:
For instance, if we had a tool like https://play.google.com/store/apps/details?id=net.segv11.bootunlocker compatible with the OPO, it would be easy to have a pretty secure custom rom.
Scenario (encrypted of course) : unlocked bootloader, TWRP to flash some stuff, back to stock recovery then lock bootloader.
Each time you need a custom recovery back, you unlock the bootloader and do your stuff.
I always did that for the Nexus 4.
this is not a solution. you can do this with the opo. it is trivial to use adb shell or the terminal to unlock the bootloader.
but what if android does not boot for any reason? you lose access to your phone? this is not a valid alternative for me.
Lanchon said:
this is not a solution. you can do this with the opo. it is trivial to use adb shell or the terminal to unlock the bootloader.
but what if android does not boot for any reason? you lose access to your phone? this is not a valid alternative for me.
How do you do that with adb/fastboot without a wipe? (I mean I know oem lock / unlock, but unlock implies wiping, right?)
For your second point, even if I lost access to the android boot, I always get fastboot screen so for me it's a pretty good alternative.
Xoib said:
How do you do that with adb/fastboot without a wipe? (I mean I know oem lock / unlock, but unlock implies wiping, right?)
For your second point, even if I lost access to the android boot, I always get fastboot screen so for me it's a pretty good alternative.
you have to change one bit. you need to be root. there are threads that discuss how to, google them.
Lanchon said:
you have to change one bit. you need to be root. there are threads that discuss how to, google them.
Right, but adb doesn't use this trick.
That's why I said it will be cool when the bootunlocker app is upgraded to handle the OPO address bit.
Thank you for these comments! But could you (re-)post the arguments concerning the fitness of sdcards for /data in the other thread, please? This way we could keep the discussion more focused.
JTAG vs. fastboot: I agree with you, JTAG is a much higher obstacle for a thief and probably most will not go this way while I guess most "bring back to stock" tools work over fastboot anyways. I was just considering a different scenario, e.g. you leave your phone unattended for some minutes on a party.
Data recovery in case of hardware failure: Well this is in conflict with getting more security, unless you additionally secure adb in Recovery like you proposed...
Internal sdcard in /data/media since AOSP 4.0: This was new to me, but it seems to be implemented this way in my Nexus S. I just wonder why my Xperia V does not handle it this way then?
eMMC and secure erase: Okay this was new to me as well. But afaik, TWRP does not use these commands for wiping, does it?
locked bootloader and password protected TWRP: What if an attacker would try to fastboot erase the data or recovery partition? Will a locked, properly implemented bootloader prevent that?
My sd hack in general: I agree that if this hack only works with an unlocked bootloader (like probably on my Sony) it is less secure than having a locked bootloader even without encryption. Therefore, I was already considering re-locking the bootloader and disabling the hack, but using at least a non-stock userland. Yet, the stock kernel will probably not see any updates anymore and thus will be vulnerable to any upcoming threats.
Yet I think that we both agree on the point that having a password-protected TWRP would enhance security. Since TWRP already has all means of a password-unlocker screen in place (for dealing with encrypted /data), it should be trivial to provide a patch which asks for a password before it lets you do anything in TWRP. Maybe if I find some time I can try to see what it would take to implement it, but I am quite busy these days.
Nevertheless, I am quite interested in discussing the security of locked bootloaders and any attack vectors over fastboot in general here.

Wanting to root new CAT S61

Hello,
As the title says, I'm wanting to root my new CAT S61. Anyone managed to unlock the bootloader yet? I've played around with it but haven't had any luck so far.
+1, Me too. Just started debating them on facebook, to maybe have some pressure on to unlock the bootloader the nice way. Until that I am ready to donate. I really miss htc sense, coming from 10-year htc spree.
I have had a few email and chat exchanges with them but haven't made any progress in getting them to provide any help in unlocking the bootloader, but I still have my fingers crossed. And yes, I miss htc sense also.......I didn't think I would. FYI, I downloaded Nova Launcher and set it to look much like sense.
I've also been on to their support team looking for assistance with this..... Massively unhelpful...
I asked them about possibilities of unlocking the bootloader (I usually void every warranty covering computer equipment I own within days of owning devices) and I was told along the lines of "No. This will void the warranty so we would not allow this on the device.".... It's MY device and MY warranty to void ffs!
Really gets on my tits the attitude they took.
Anyway, am thinking that unlocking the bootloader may end up like a long wait and a bit of a chore; however if anyone is able to get a dump of the stock image it would surely be possible to patch the image with Magisk then "fastboot flash" it back onto the Cat S61?
This should at least give SU access (for busybox and all that lovely stuff) as well as keeping all the FLIR/proprietary laser/VOC sensor stuff.
EDIT: I've got in touch with Bullitt Group directly instead of going through Cat, and am awaiting a reply from them regarding acquiring a factory image I can play around with... Hopefully they will be able to supply it to me!
Regarding unlocking the bootloader, I haven't tried myself yet (because I haven't got around to getting my laptop OS installed again... That's another story entirely involving bad decisions with Kali lol), but if you boot the phone into bootloader mode (power on the device using either volume up or volume down and the power button, or the adb reboot bootloader command via USB), then you may be able to use the fastboot flashing unlock command to unlock the bootloader...
I really miss the sense freestyle themes, where there is no grid and you pick a theme with a background image (can be changed) and stickers (just some themed icons with different sizes). Then you place your stickers and assign apps to them. I myself used an architecture theme, where there were stickers varying from minimalistic monopoly houses up to vertically big skyscrapers and horizontally long trains. For my gf I made a nature theme with nice summer bliss and clouds, deers, rabbits, butterflies and birds. It's just so customizable. I hate being restricted to grids or standard-size icons or their 2x, 4x and so on.
k46tank said:
I have had a few email and chat exchanges with them but haven't made any progress in getting them to provide any help in unlocking the bootloader, but I still have my fingers crossed. And yes, I miss htc sense also.......I didn't think I would. FYI, I downloaded Nova Launcher and set it to look much like sense.
I just received a 130MB OTA, I hope it was not a security update, casting me out of the gang, when someone finds the cure for the older build. The build LTE_D0201121.0_S61_0.040.02 gave me Flir Youtube streaming option.
luc1fer said:
I've also been on to their support team looking for assistance with this..... Massively unhelpful...
I asked them about possibilities of unlocking the bootloader (I usually void every warranty covering computer equipment I own within days of owning devices) and I was told along the lines of "No. This will void the warranty so we would not allow this on the device.".... It's MY device and MY warranty to void ffs!
Really gets on my tits the attitude they took.
Anyway, am thinking that unlocking the bootloader may end up like a long wait and a bit of a chore; however if anyone is able to get a dump of the stock image it would surely be possible to patch the image with Magisk then "fastboot flash" it back onto the Cat S61?
This should at least give SU access (for busybox and all that lovely stuff) as well as keeping all the FLIR/proprietary laser/VOC sensor stuff.
EDIT: I've got in touch with Bullitt Group directly instead of going through Cat, and am awaiting a reply from them regarding acquiring a factory image I can play around with... Hopefully they will be able to supply it to me!
Regarding unlocking the bootloader, I haven't tried myself yet (because I haven't got around to getting my laptop OS installed again... That's another story entirely involving bad decisions with Kali lol), but if you boot the phone into bootloader mode (power on the device using either volume up or volume down and the power button, or the adb reboot bootloader command via USB), then you may be able to use the fastboot flashing unlock command to unlock the bootloader...
LTE_D0201121.0_S61_0.040.02 is the build I'm on as well, so don't worry too much... However I've been on this build since sometime in July, so don't know why you've only just got the OTA?
Anyway, the other thought I have been having is trying to port across a custom recovery from the Motorola Moto X4. Same chipset, same RAM, same board and same screen resolution, so it just might work... Once I get hold of a flash dump and unlock the bootloader, that is. I'm getting a bit ahead of myself!
Just received another OTA, September 1st patch, LTE_D0201121.0_S61_0.046.02. Radio is LTE_D0201121.1_S61 after the update. This one was larger, but I forgot to screenshot the exact changes and size.
luc1fer said:
LTE_D0201121.0_S61_0.040.02 is the build I'm on as well, so don't worry too much... However I've been on this build since sometime in July, so don't know why you've only just got the OTA?
Anyway, the other thought I have been having is trying to port across a custom recovery from the Motorola Moto X4. Same chipset, same RAM, same board and same screen resolution, so it just might work... Once I get hold of a flash dump and unlock the bootloader, that is. I'm getting a bit ahead of myself!
Is there any progress?
I am not a programmer, and cannot help with anything. Looking forward to good news!!
Hi there, also looking forward to root, will hopefully get the phone end of the year...
ogghi said:
Hi there, also looking forward to root, will hopefully get the phone end of the year...
I will not buy it until it is rootable.
Nope, no luck as of yet... Nothing I seem to try is giving me any options or progress.
Rather frustrated carrying round 2 devices lol one for root apps and the s61 for everything else!
Still impressed at the phone though, VERY utilitarian!
Hey there, I will get my S61 tomorrow.
Was hoping for any root idea, but will hopefully survive without until we have the privilege to get it
... and there is no option in the programmer options (unlock bootloader)?
Did not stumble upon such a function yet.
The most annoying thing without root is missing a good ad blocking. dns66 seems to work, but there are still plenty of ads in apps that get through...
Also having potentially all power unlocked would be great!
So no news here I guess?
To enter the bootloader:
1. switch off your phone
2. press volume down
3. connect the power cable
Does anyone refer to this thread?
https://forum.xda-developers.com/apps/magisk/how-to-install-magisc-twrp-locked-t3599926/page2
I've been looking at this phone for some time. I was able to get a Moto Z2 Force from Verizon into EDL mode with simple commands, so I'm wondering if you can unlock this bootloader just by telling it to unlock.
You would put the device into fastboot mode (by going to the bootloader, instructions were posted above i think), and then try some commands like this
fastboot flashing unlock
or
fastboot oem unlock
also check if in developer settings there is a toggle for Allow bootloader unlock or OEM unlock or w/e they call it.
if this works I highly suggest figuring out a way to grab the entire system to make a backup before you do anything. there's no twrp yet but it can't be too difficult to compile, but i don't have this $1000 waste of money to do any of this. i hope this post helps someone
james35888 said:
Does anyone refer to this thread?
https://forum.xda-developers.com/apps/magisk/how-to-install-magisc-twrp-locked-t3599926/page2
This doesn’t work since the boot loader is locked (stock boot loader has not been released on the web to my knowledge)
Knuxyl said:
I've been looking at this phone for some time. I was able to get a Moto Z2 Force from Verizon into EDL mode with simple commands, so I'm wondering if you can unlock this bootloader just by telling it to unlock.
You would put the device into fastboot mode (by going to the bootloader, instructions were posted above i think), and then try some commands like this
fastboot flashing unlock
or
fastboot oem unlock
also check if in developer settings there is a toggle for Allow bootloader unlock or OEM unlock or w/e they call it.
if this works I highly suggest figuring out a way to grab the entire system to make a backup before you do anything. there's no twrp yet but it can't be too difficult to compile, but i don't have this $1000 waste of money to do any of this. i hope this post helps someone
Are these commands on a computer through ADB?
The only options I had on the phone were:
-Start
-Recovery Mode
-Restart Bootloader
-Power Off
-Boot to QMMI
-Boot to FFBM
Hi,
I looked a bit into the process of rooting on this device. It would be cool to get it rooted. I guess this process is in theory simple. But we should focus on the first problem:
Why is the option "OEM unlock" hidden in the developer menu? Are there ways to make that option usable? If anyone has an idea how to make this option usable, we could get to the next step. Thanks to anyone who has a contribution.
Edit: some additional info
C:\adb\platform-tools>fastboot oem device-info
(bootloader) Verity mode: true
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
OKAY [ 0.000s]
Finished. Total time: 0.000s
CatS61:/ $ getprop | grep oem
[ro.oem_unlock_supported]: [true]
[sys.oem_unlock_allowed]: [0]

Sonim XP8 (Root?)

Finally got tired of the Pixel 2 XL after the third one. Now I have this super rugged handset that I can actually hold on to! Great loud audio too!
The Sonim XP8 comes with a seemingly near stock Android 7.1.1 ROM. OEM unlocking is available in the developer options. I have it enabled. Does anyone know how to use the ADB/Fastboot tools to unlock it? The standard commands do not work. My unit is personal and not under any "enterprise" restrictions. Thanks for any help fellow hackers ... some TWRP would be awesome.
ctradio said:
Does anyone know how to use the ADB/Fastboot tools to unlock it? The standard commands do not work. My unit is personal and not under any "enterprise" restrictions. Thanks for any help fellow hackers ... some TWRP would be awesome.
(Im)patiently waiting for this too. I don't care if it is single touch or long drawn out process involving a cauldron, hermetic circle, and a full moon. Root is sorely needed...
Phuhque said:
(Im)patiently waiting for this too. I don't care if it is single touch or long drawn out process involving a cauldron, hermetic circle, and a full moon. Root is sorely needed...
Good luck! Still nothing. It looks like we might be able to sign up as a developer on their page .... fwiw. I find the interface on that device to be awful and am in the early stages of fighting AT&T for my money back. That device and another one with the same stupid issues and an admitted software problem that I'd have to wait for the carrier to decide to release. Awesome idea for a device, absolutely rushed to market with god awful software that was new in '16 or so.
ctradio said:
I find the interface on that device to be awful and am in the early stages of fighting AT&T for my money back.
I am on T-Mobile and found the factory unlocked version with no bloatware (obtainable directly from the) to be rather refreshing, even if it did set me back an extra $100. I suggest getting the refund, then turning around and getting the "clean" version. It may be more expensive, but considering how much it costs for monthly insurance, the overall price becomes somewhat more competitive with the 3 year "comprehensive" warranty...
Phuhque said:
I am on T-Mobile and found the factory unlocked version with no bloatware (obtainable directly from the) to be rather refreshing, even if it did set me back an extra $100. I suggest getting the refund, then turning around and getting the "clean" version. It may be more expensive, but considering how much it costs for monthly insurance, the overall price becomes somewhat more competitive with the 3 year "comprehensive" warranty...
I was told there was no carrier unlocked variant of this thing. Did you get it from Sonim? Also, any problems at all with it? I had two with touch issues along the right side of the screen (it perceives a light constant touch in various areas and it gets worse the longer the screen is on). The units would eventually start selecting things on their own and even deleting contacts. Also, the speaker phone is useless and the UI is horribly laggy at times (my mind operates fast and it screws with me). I presented them with a "laundry list" of the issues.
ctradio said:
I was told there was no carrier unlocked variant of this thing. Did you get it from Sonim? Also, any problems at all with it? I had two with touch issues along the right side of the screen (it perceives a light constant touch in various areas and it gets worse the longer the screen is on). The units would eventually start selecting things on their own and even deleting contacts. Also, the speaker phone is useless and the UI is horribly laggy at times (my mind operates fast and it screws with me). I presented them with a "laundry list" of the issues.
Someone flat out lied to you. Go here: https://store.sonimtech.com/products/sonim-xp8-blk-nam
Well, maybe not lied at the time you were told... I waited several months for them to post it on their store page. In response to your concerns....
No issues with it going all AI on me. Speaker PHONE portion leaves a bit to be desired, but for audio books, this thing is damned awesome and really loud. Not sure how to reference the lag. My previous phone was a Note 4 with issues.
My own complaints. The lock screen is a pain. The default music program is broken in my opinion. I am suffering through with Musicolet for my books.
What sold me on this is that it is one of the last phones made today that has a removable battery (really my only requirement in a new phone), has both GPS and GLONASS, and in a pinch I can use it as a hurled object to an opponent's head. Someone complained about the camera, but it seems fine to me. Wouldn't matter much as I am partially colorblind and won't see any difference.
I have only had mine for a week, and am still tweaking the settings to how I want them. Honestly, I like it.
I would really love to see some support for this phone. Especially since the monsters at Telus have disabled the 2nd sim slot for no good reason. I have tried everything but without Root I am out of luck getting the dual sim feature to function. Is there anything I can provide to assist someone more knowledgeable in getting a root solution for this phone? Please let me know.
mertin said:
I would really love to see some support for this phone. Especially since the monsters at Telus have disabled the 2nd sim slot for no good reason. I have tried everything but without Root I am out of luck getting the dual sim feature to function. Is there anything I can provide to assist someone more knowledgeable in getting a root solution for this phone? Please let me know.
Hello,
I just bought this phone. I use 2 SIM cards at the same time but it does not work properly: I can receive and make calls, but I cannot send or review SMS / MMS on 1 operator. I use the XP8800 in France; it is an AT&T model, unlocked. To have the 2 SIM cards at the same time I rebooted several times, cut the data, without really understanding how I did it. Is there a way to restart the network part of Android?
Thanks
Pascal S
I take it we are still coming up snake-eyes when it comes to someone being able to root the XP8. I am rather surprised with the fact it is on 7.1.1. Is this still an unbeatable task to overcome?
The thread is closed, this is the tested version of the firmware
Unlock fastboot
Step 1, open the developer mode
Go to “Settings” → “About Phone” and click “Version Number” 7 times to open Developer mode.
Step 2, open oemlock
Go to “Settings” → “Other Settings” → “Developer Mode” and open the OEM to unlock;
Step 3, START mode
Code:
flash <partition> [ <filename> ]        Write a file to a flash partition.
flashing lock                           Locks the device. Prevents flashing.
flashing unlock                         Unlocks the device. Allows flashing any partition except bootloader-related partitions.
flashing lock_critical                  Prevents flashing bootloader-related partitions.
flashing unlock_critical                Enables flashing bootloader-related partitions.
flashing get_unlock_ability             Queries bootloader to see if the device is unlocked.
flashing get_unlock_bootloader_nonce    Queries the bootloader to get the unlock nonce.
flashing unlock_bootloader <request>    Issue unlock bootloader using request.
flashing lock_bootloader                Locks the bootloader to prevent bootloader version rollback.
erase <partition>                       Erase a flash partition.
Firmware update soon.. ??
In May, I sent off another email to Sonim Tech support asking about firmware. I did get a response back. Granted it was rather vague, but it was an answer. Further granted, it is now mid June and no updates in sight including one that allows the viewing of PDFs. grrrr.
The support guy did mention that AT&T is going to be one of the first providers to get the update. That sucks for me because I got my unit direct. He also said the month of May was a non-official time frame.
So still waiting and no success story yet posted of anyone unlocking this little beastie.
https://www.att.com/devicehowto/tutorial.html#!/stepbystep/id/stepbystep_KM1259507?make=Sonim&model=XP8XP8800
No idea how to update manually, though...
Phuhque said:
In May, I sent off another email to Sonim Tech support asking about firmware. I did get a response back. Granted it was rather vague, but it was an answer. Further granted, it is now mid June and no updates in sight including one that allows the viewing of PDFs. grrrr.
The support guy did mention that AT&T is going to be one of the first providers to get the update. That sucks for me because I got my unit direct. He also said the month of May was a non-official time frame.
So still waiting and no success story yet posted of anyone unlocking this little beastie.
No idea how to update manually, though...
Thanks for the news, but not working on AT&T from France, until it is in the OTA.
Wait and see if dual SIM is working cleanly....
Has anyone seen this video? There's a part in the video where as the guy turns it on, and there is a prompt to re-lock the bootloader(which, of course, implies that the bootloader is unlocked); I don't know how this really helps, but it might give someone more experienced than I something to grab at. I should mention that it is mentioned as a pre-production model of the Sonim XP8, so it probably won't apply to models that most people have, but it's something to look at.
Sonim XP8
I know that Verizon is now selling the Sonim XP8. Does anybody happen to know if it is possible to use both SIM card slots with this device after it is unlocked?
Being able to use BOTH AT&T AND Verizon would be a huge benefit to me.
Is there any root yet? I've tried about every root app; I can't even find working drivers for this phone.
Thecctech said:
Is there any root yet? I've tried about every root app; I can't even find working drivers for this phone.
Drivers are not an issue.. It's using Qualcomm reference designs from the S660 dev kit where most generic Qualcomm drivers should work with minimal modification.
This is a good thing! Most of the root apps are using a collection of known exploits where only vulnerable devices would fall victim. You would have to use an exploit that's more recent than the security patch level installed, but you also have to remember - if you can do it that easily then an attacker can do it just as easily too! I personally believe that the association between root and device/firmware level vulnerabilities is the reason why most see root in a negative context today.
As far as I'm concerned - we only have 2 "correct" ways to achieve root.
1. Obtain (or compile) either a Debug or Engineering firmware variant from AT&T that includes the native su packages for adb root. This is usually not an option for us individuals.
2. Unlock the bootloader and use a patched boot image.. Works great! To unlock the bootloader takes a bit of work though and flashing still requires EDL so with that I have not been able to make a public instruction set yet.
Could be in the next few days.. Could be in the next few months.. I'm honestly not sure. Mostly just a matter of collecting images, testing, and finding time.
Enjoy!
XP8 Android Root Theory - DEBUG or Magisk over EDL
EDL is a must since Fastboot cannot be unlocked initially from standard "user" builds.
One option is to flash a userdebug image (below) allowing for adb root, fastboot unlocking, and other useful features.
or
Without unlocking the bootloader - Similar flashing methods remain valid when standard magisk powered root is desired. This method allows preservation of all current system data aside from boot.img. All is covered since Magisk works with AVB and we have EDL as a flashing alternative. Please see Android Boot Flow > LOCKED Devices with Custom Root of Trust for more information.
Recommended method..
It's up to you.. If you want OTA updates and you're planning to use root apps then go with Magisk. As of today we have current debug images available and I personally prefer isolated adb root access only; however, future availability of updated Debug images cannot be guaranteed.
Disclaimer
-Devices with locked bootloaders will display a custom OS warning at boot
-Tested on AT&T branded devices only - please provide system dump for validation on other builds
-I have not identified any JTAG procedures and I can not help if you hard brick your device!
-This guide only touches boot_a and should be relatively safe since boot_b remains unmodified. I'm pretty sure this is enough to restore the original boot.img to boot_a under a failure scenario.. But I'm not really qualified enough to say definitively either.
-Take great caution - this is raw emmc access and critical system data! You are proceeding at your own risk!
Magisk Root
Step 1 - Pull Boot.img
We need to pull the boot.img in order to feed it to magisk later for patching. It's also good to keep on hand for if/when you need to restore for any reason.
1. Create an XML file with the data below
Code:
<?xml version="1.0"?>
<data>
<program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="boot.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
</data>
2. Boot to EDL mode and load firehose programmer
Code:
QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
3. Backup boot.img using the following command
Code:
fh_loader.exe --convertprogram2read --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0 --memoryname=emmc --noprompt --reset
Or visit the XP8 carrier firmware thread for full system backup steps.
https://forum.xda-developers.com/showpost.php?p=80465045&postcount=6
Step 2 - Magisk Patch
1. ADB push boot.img /storage/self/primary/Download/
2. Install Magisk Manager and apply patch to boot.img
2a. Download from https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
2b. Extract and run adb install magisk.apk
2c. Open Magisk app and apply patch to boot.img
3. ADB pull /storage/self/primary/Download/magisk_patched.img
Step 3 - Restore
1. Change the filename attribute in the XML to reflect newly created magisk_patched.img as shown below
Code:
<?xml version="1.0"?>
<data>
<program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="magisk_patched.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
</data>
2. Boot back into EDL mode and load firehose programmer
Code:
QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
3. Apply magisk_patched.img using the following command
Code:
fh_loader.exe --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0 --memoryname=emmc --noprompt --reset
USERDEBUG Flash
Step 1 - Backup
1. Boot to EDL mode and load firehose programmer
2. Generate rawprogram0.xml - Run GPTConsole <COM Number>
Example: GPTConsole 19
3. Initiate backup
Code:
fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=rawprogram0.xml --lun=0 --memoryname=emmc --noprompt --reset
4. Wipe all partitions
Code:
fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=erase.xml --lun=0 --memoryname=emmc --noprompt --reset
5. Restore new image
Code:
fh_loader.exe --port=\\.\COM<#> --sendxml=rawprogram0.xml --lun=0 --memoryname=emmc --noprompt --reset --search_path=<extracted image file directory>
// rawprogram0_unsparse.xml for some images
Images and OTA Files
Full 8.1 System Image
XP8A_ATT_user_8A.0.5-11-8.1.0-10.54.00
XP8A_ATT-user-8A.0.5-10-8.1.0-10.49.00
USERDEBUG Images
XP8A_ATT_userdebug_8A.0.5-11-8.1.0-10.54.00
XP8A_ACG-userdebug-8A.0.0-00-7.1.1-32.00.12
XP8A_USC-userdebug-8A.0.0-00-7.1.1-34.00.10
(ATT 7.1 pending upload. Please check back or use other links available further in thread.)
OTA Updates
XP8_ATT_user_N10.01.75-O10.49.00
XP8_ATT_user_O10.49.00-O10.54.00
XP8_TEL_user_N12.00.24-O12.23.00
Flash Tools - programmer (elf) file provided by eleotk!
XP8 Drivers
Firmware Carrier Codes
Code:
None = 0,
ATT = 10
Bell = 11
Telus = 12
Sasktel = 13
Harris = 14
Verizon = 15
Ecom = 16
NAM = 17
Rogers = 18
T_Mobile = 19
EU_Generic = 20
MSI = 21
CISCO = 22
NAM_Public_Safety = 23
Vodafone_Global = 24
Orange = 25
Southern_Linc = 26
OPTIO = 27
India = 28
SPRINT = 29
JVCK = 30
AUS = 31
ACG = 32
CSPIRE = 33
USC = 34
SB = 35
Multi = 99
Automatic OTA without AT&T service:
Purchase a blank AT&T SIM card ($5)
Start online prepaid activation - complete pages 1 & 2
**SIM Card is now partially active without funding - do not complete page 3 (payment)***
*#*#368378#*#* > Clear UI > Check for updates in settings
XP5s
Sprint Image: XP5SA.0.2-03-7.1.2-29.03.00
Works the same. Tested with unmodified Sprint firmware. Like most other apps, the Magisk manager app is unusable since the XP5s has no touch screen - I had to patch the boot image on another device. You can plug in a USB mouse, however the cursor does not seem to invoke in-app taps.
Need to use the appropriate Firehose loader (prog_emmc_firehose_8920.mbn) and replace the boot image location according to the XP5s GPT (start_sector="790528").
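An added helper for the pull and restore steps above (Python, written for this thread; not code from the post, Sonim or the Qualcomm tools): it generates the firehose program XML with the post's boot_a geometry for the XP8 and XP5s and sanity-checks an image before it is fed to fh_loader.exe, so a wrong file or an oversized image is caught before any raw eMMC write. The XP5s sector count is assumed equal to the XP8's, since the post only gives its start sector.

```python
"""Firehose XML builder and boot-image sanity checks for the EDL steps above.

Added example, not code from the original post or from Sonim/Qualcomm tools.
It builds the <program> entry that fh_loader.exe consumes and checks an image
before it is written back; it never touches the device itself. boot_a
geometry comes from the post (XP8: start_sector 262144, 131072 sectors;
XP5s: start_sector 790528). The XP5s sector count is assumed equal to the
XP8's, since the post only gives its start sector.
"""
import hashlib
import xml.etree.ElementTree as ET

SECTOR_SIZE = 512

# boot_a geometry per device, in 512-byte sectors.
BOOT_A = {
    "xp8": {"start_sector": 262144, "num_partition_sectors": 131072},
    "xp5s": {"start_sector": 790528, "num_partition_sectors": 131072},  # count assumed
}

BOOT_MAGIC = b"ANDROID!"  # first 8 bytes of a classic Android boot image header


def build_program_xml(device, filename, label="boot_a"):
    """Return the rawprogram-style XML (same attributes as the post's XML) that
    reads boot_a with --convertprogram2read or writes `filename` into it."""
    geo = BOOT_A[device]
    attrs = (
        f'start_sector="{geo["start_sector"]}" sparse="false" readbackverify="false" '
        f'physical_partition_number="0" partofsingleimage="false" '
        f'num_partition_sectors="{geo["num_partition_sectors"]}" label="{label}" '
        f'filename="{filename}" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="{SECTOR_SIZE}"'
    )
    return f'<?xml version="1.0"?>\n<data>\n<program {attrs}/>\n</data>\n'


def program_entries(xml_text):
    """Parse a program XML back into dicts, so a hand-edited file can be checked
    (e.g. that filename really was changed to magisk_patched.img in Step 3)."""
    root = ET.fromstring(xml_text)
    return [dict(p.attrib) for p in root.iter("program")]


def check_boot_image(image, device):
    """Sanity-check raw image bytes before they go into the write XML.

    Returns a dict: ok, problems (list of strings), sha256 (for the backup
    manifest) and the number of 512-byte sectors the write will cover.
    The two failure modes guarded against are writing something that is not
    a boot image at all, and an image larger than boot_a, which would spill
    into whatever partition follows boot_a in the GPT.
    """
    geo = BOOT_A[device]
    part_bytes = geo["num_partition_sectors"] * SECTOR_SIZE
    problems = []
    if image[:8] != BOOT_MAGIC:
        problems.append("first 8 bytes are not the ANDROID! boot image magic")
    if len(image) > part_bytes:
        problems.append(f"image is {len(image)} bytes, partition holds {part_bytes}")
    sectors = -(-len(image) // SECTOR_SIZE)  # ceiling division
    return {
        "ok": not problems,
        "problems": problems,
        "sha256": hashlib.sha256(image).hexdigest(),
        "sectors": sectors,
    }


if __name__ == "__main__":
    # Constructed stand-in for a pulled boot.img: magic plus zero padding.
    sample = BOOT_MAGIC + b"\x00" * (4096 - len(BOOT_MAGIC))
    print(build_program_xml("xp8", "magisk_patched.img"))
    print(check_boot_image(sample, "xp8"))
```

Record the sha256 of the pulled boot.img alongside the backup so a later restore can be verified against it before it is written.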
Great, thanks a lot for the instructions, @smokeyou!
In order to be able to boot into the patched boot image, does it require having an unlocked bootloader? Assuming I can upgrade my phone to build 8A.0.5-10-8.1.0-10.49.00, but have my bootloader locked, can I still use your instructions? Can you clarify it?
-albertr
albert.r said:
Great, thanks a lot for the instructions, @smokeyou!
In order to be able to boot into the patched boot image, does it require having an unlocked bootloader? Assuming I can upgrade my phone to build 8A.0.5-10-8.1.0-10.49.00, but have my bootloader locked, can I still use your instructions? Can you clarify it?
-albertr
Untested but should not be a problem. Bootloader unlocking only allows Fastboot flashing where this method uses EDL only.
Basically the same outcome though just without the option to use TWRP or custom recovery (easily).

General Bootloader unlock token for T-Mobile variant now available

Just a quick heads-up.
unlock token - OnePlus (United States)
www.oneplus.com
By the way, to root without readily available stock firmware, first unlock bootloader, then boot a pre-rooted GSI with DSU Sideloader, pull stock boot partition from there, and finally patch/flash it. This applies to the Open variant as well.
AndyYan said:
Just a quick heads-up.
unlock token - OnePlus (United States)
www.oneplus.com
By the way, to root without readily available stock firmware, first unlock bootloader, then boot a pre-rooted GSI with DSU Sideloader, pull stock boot partition from there, and finally patch/flash it. This applies to the Open variant as well.
Tried to unlock but apparently my device only has 7 digits in the serial number which keeps me from being able to use the website to request the unlock code.
I used the debloat script I found on n200 threads to get oem unlock on option. T-Mobile variant
PsYk0n4uT said:
Tried to unlock but apparently my device only has 7 digits in the serial number which keeps me from being able to use the website to request the unlock code.
I used the debloat script I found on n200 threads to get oem unlock on option. T-Mobile variant
Try prepending 0s?
Well. I was thinking that doing that would make the unlock token they give me different from what the phone would be expecting
PsYk0n4uT said:
Well. I was thinking that doing that would make the unlock token they give me different from what the phone would be expecting
Tried adding zero on front and back of serial it just tells me invalid serial
PsYk0n4uT said:
Tried adding zero on front and back of serial it just tells me invalid serial
Chatting with OnePlus hasn't yielded anything so far
Just a tip, because in my infinite forgetfulness I wasted an hour last night trying to figure out why I was getting the error, fastboot could not open target HAL.
Remember that you must request the unlock code from fastboot, not fastbootd. Which is what you will boot into if you issue adb reboot fastboot.
So here's a quick step by step.
1. Enable USB debugging.
2. Connect your device and allow access for the computer. My device asks if I want it to charge or transfer files. Select transfer files/Android Auto and then use adb start-server. May have to unplug the USB cable and reconnect. Select "always allow this device/PC".
3. Issue "adb devices" to make sure you're connected. It should list your device by its serial number. If not, then try unplugging the device and revoke adb authorizations in dev options and toggle USB debugging off and back on; may even need to reboot the device to get it to connect after doing this.
4. If your device is listed under devices go ahead and issue "adb reboot fastboot".
5. Once rebooted issue "fastboot devices" and make sure the device is listed again. (If not listed make sure you have your drivers installed correctly and fastboot is installed correctly; may need to install Android SDK into same folder as fastboot.)
6. You can select English or whatever language if you want but it doesn't seem necessary. You are in fastbootd mode, as you will see if you DO select a language.
So from here issue "fastboot reboot bootloader". Device will reboot and you will have scrollable options at the top beginning with a big green START at the top. This is regular fastboot and where you wanna be to get your unlock code for submitting to Oppo for your unlock token.
7. Issue "fastboot oem get_unlock_code".
8. It should return the info you need; you will also need your IMEI number when submitting so be sure to copy that down.
You can copy and paste the unlock code into Notepad or Word and delete out the extra stuff so you're left with just the two lines of your unlock code as one single contiguous string of numbers.
9. Go to the link listed by OP and submit the required info. And wait for what seems like forever.
ADB/Fastboot commands-quick recap.
1. adb reboot fastboot
2. fastboot reboot bootloader
3. fastboot oem get_unlock_code
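An added set of helpers for the sequence in the post above (Python, written for this thread; not the poster's code nor OnePlus tooling): they parse the standard adb/fastboot output so a script can refuse to reboot an unauthorized device, tell fastbootd from the real bootloader (the "could not open target HAL" trap), and collapse the two "(bootloader)" lines of get_unlock_code into the single string the form wants. The sample outputs are constructed and the unlock-code digits are placeholders, not a real code.

```python
"""Parsers for the adb/fastboot steps above.

Added example, not part of the original post. The output formats are the
standard ones printed by adb and fastboot; the sample strings in the demo at
the bottom are constructed and the unlock code is a placeholder.
"""
import re


def parse_adb_devices(output):
    """Map serial -> state from 'adb devices' output.

    Only the state 'device' means the USB debugging prompt was accepted;
    'unauthorized' is the case the post fixes by revoking adb authorizations
    and toggling USB debugging off and on again."""
    devices = {}
    for line in output.splitlines()[1:]:  # first line: "List of devices attached"
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def ready_for_reboot(output):
    """Serials that are safe to send 'adb reboot bootloader' to."""
    return [serial for serial, state in parse_adb_devices(output).items()
            if state == "device"]


def is_fastbootd(getvar_output):
    """'fastboot getvar is-userspace' answers 'yes' in fastbootd, which is where
    'adb reboot fastboot' lands you and where oem get_unlock_code will not work;
    'fastboot reboot bootloader' is needed first."""
    match = re.search(r"is-userspace:\s*(\w+)", getvar_output)
    return bool(match and match.group(1).lower() == "yes")


def extract_unlock_code(oem_output):
    """Join the '(bootloader) ...' payload lines of 'fastboot oem get_unlock_code'
    into one contiguous string, dropping the OKAY/Finished status lines."""
    chunks = []
    for line in oem_output.splitlines():
        match = re.match(r"\(bootloader\)\s*(\S+)", line)
        if match:
            chunks.append(match.group(1))
    return "".join(chunks)


if __name__ == "__main__":
    # Constructed sample outputs (placeholder serial and code, not real values).
    adb_out = "List of devices attached\n0123456\tunauthorized\n"
    print("ready:", ready_for_reboot(adb_out))  # [] -> fix authorization first
    oem_out = ("(bootloader) 1234567890ABCDEF1234567890ABCDEF\n"
               "(bootloader) FEDCBA0987654321FEDCBA0987654321\n"
               "OKAY [  0.010s]\nFinished. Total time: 0.010s\n")
    print("code:", extract_unlock_code(oem_out))
```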
PsYk0n4uT said:
ADB/Fastboot commands-quick recap.
1. adb reboot fastboot
2. fastboot reboot bootloader
3. fastboot oem get_unlock_code
Simply "adb reboot bootloader". You won't need fastbootd until GSIs (which I already did ofc).
Thanks, definitely a quicker way to get to fastboot. I guess I wasn't sure if you could reboot directly. Seems maybe I was confusing an older device where you had to reboot to fastboot then "fastboot reboot fastboot" to get to fastbootd for a whole different reason.
This one goes directly to fastbootd when you "adb reboot fastboot"
Nice catch.
With this particular model in scope, what do either of you guys suggest I do if I have gotten the age old bricked message "destroyed boot/recovery image"... I've tried the MSMTool route and can't get it to register under Device Manager with the Qualcomm drivers.. It's highly upsetting..
I'm not really sure to be honest, this is my first OnePlus device and just trying to contribute anything I can to get the N20 section up and going as I make progress with the device.
Just a quick search though turns up this and maybe it could be of use if you can still access the bootloader.
the current image(boot/recovery) have been destroyed (forum.xda-developers.com)
Someone mentions extracting the boot.img from stock image and flashing it. I would imagine it should work for you if the stock firmware can be found and circumstances are similar. Maybe at least a start. Wish I could be of more help, maybe someone else can chime in that knows more.
Try Linux, maybe a live distro, if you're on a Windows machine that won't recognize it, just to get it into a state that you can work with it again.
Just an idea, I don't want to steer you wrong as i still have a lot to learn
DrScrad said:
With this particular model in scope, what do either of you guys suggest I do if I have gotten the age old bricked message "destroyed boot/recovery image"... I've tried the MSMTool route and can't get it to register under Device Manager with the Qualcomm drivers.. It's highly upsetting..
I want to try and help but I'm so new it's sketchy I don't want to say something and get bashed
Please feel free to comment. Don't worry about the trolls. We would love to have you be part of this conversation. If you have suggestions just post them, and if you're unsure about anything just mention that you are. It's a great way to learn. Don't worry about negative feedback, take it as constructive criticism. You may find that the feedback can clear up many questions and/or misconceptions. You never know how your dialogue with other members could help someone else in the future. These forums are here to document all of it just for that purpose. We are all here to learn or help others who want to learn. Though this account is only a year old I have been around these forums on and off for many years and I learn something each and every time I come in search of wisdom. I'm by no means an expert but I find that others benefit from my questions and answers just as much as I have over the years.
Fyi according to a recently made friend who also had the 7 digit serial issue, they were told by OnePlus their dev team is working on an OTA update that will resolve the serial number issues. I'm not sure how that's going to work but I saw the email between them and Oppo support
I guess this must be a widespread issue that they feel is cheaper to invest the amount of money it takes for r&d to come up with a fix than it was to replace a few devices or attempt to do remote repairs.
But this also makes me wonder what avenue they will take to correct the issue.
Also I wonder if someone with the right skillset could gather enough bootloader unlock codes along with the unlock tokens, serial, IMEI, pcba etc.. maybe the algorithm they're using to generate the codes could be broken. I'm no crypto expert or math genius either, but if we have the variables to the equation minus one but have the answer, isn't this pretty simple almost pre-algebra?
I mean I guess they're not worried about enough people being brave enough to give out sensitive info like that. But maybe I'm just ignorant of the complexity of these algorithms.
64 digit key on one end
T-Mobile bought Sprint and they have T-Mobile SIMs no. But I understand that Sprint is still a somewhat separate company (tried to buy a T-Mobile phone and it would not activate on my Sprint account). So I bought this from the Sprint side of the T-Mobile site so I knew it would work, but I assume this is a Sprint phone and not a T-Mobile phone so this method would not work.
Can anyone confirm this?
PsYk0n4uT said:
Please feel free to comment. Don't worry about the trolls. We would love to have you be part of this conversation. If you have suggestions just post them, and if you're unsure about anything just mention that you are. It's a great way to learn. Don't worry about negative feedback, take it as constructive criticism. You may find that the feedback can clear up many questions and/or misconceptions. You never know how your dialogue with other members could help someone else in the future. These forums are here to document all of it just for that purpose. We are all here to learn or help others who want to learn. Though this account is only a year old I have been around these forums on and off for many years and I learn something each and every time I come in search of wisdom. I'm by no means an expert but I find that others benefit from my questions and answers just as much as I have over the years.
Okay peeps, there's a way: I put my OnePlus into efu mode, hold both vol up and down, then put the USB-C in and continue to hold; you should hear the PC recognize it.
So, before i do it, would deleting the modemst1/modemst2 partitions still let me bypass the t-mobile sim lock and let me unlock the phone like it did on the old oneplus phones?
Flashed a patched boot.img and lost modems. Anyone willing to post the modems? Are they device specific like a device partition?
Sim locked and trying to recover. No radios are working
