I live in Japan and after more than 6 months I have successfully and permanently rooted both my Sharp 003 SH Galapagos and the 005SH Galapagos (Softbank not Docomo). My next concern is how to SIM unlock. I have been reading the posts about hacking the nv_bin file. I have searched through all of the the files (Root FTP thank you!) but there was no such file. I am happy to send along any screenshots or data files if that helps.
Thanks in advance.
Search Sharp 003SH Root Success and Sharp 005SH Root success on Youtube for more info
Can't really help you. Don't know anything about it. But I would like to know how you ended up rooting this phone of ours.
Its not a file on the filesystem. The sim locking in these phones is in the radio image; which can be accessed when you use the custom build kernel thats in the latest rootkit (I assume thats what you are using).
See the 2ch root/ROM thread for more details, but basically it is done through ADB, manually backing up the "_modem" partition; stripping the spare/ECC bytes and then extracting the radio OS using QualcommDumpAnalyser
I have managed to extract this image, but no idea where to go from there. None of the other device info seems to apply to this (HTC, Samsung, LG, any other Android that has had its sim-lock discovered in the radio)
Advice i got from the guys on 2ch: "Qualcomm's NAND code is neither difficult, nor unique, so if you know what you are looking for its not hard"
003SH 005SH Sim unlock
Thanks very much for giving me a new direction. I'll get started on it right away and let you know how it progresses.
It just sucks that the guys who know how to unlock it are staying quiet, saying its "taboo"
FYI, stripping the Spare/ECC bytes can be done manually (i wrote a C program to do it), but there is an option in the RevSkills app to do it all for you - i recommend doing that.
Of course we face another issue once we find the actual unlock - recalculating the ECC bytes after making the change; the only way to access the radio is with raw data access.
P.S. hope you have warranty on your phones - this is very likely to brick at least one phone until we get it right
---------- Post added at 12:30 PM ---------- Previous post was at 12:24 PM ----------
In the spirit of open cooperation, here are the instructions i was given, translated and simplified
In ADB Shell, type su to get the # prompt, then:
cat /proc/mtd <Enter>
Confirm that you have the "_modem" partition available. If not, you need to reflash with the custom build kernel
Dump the image to file with the following command:
dump_image -r -D -F _modem /sdcard/backupimages/modem.img
Access this with anything as "raw dump" and all blocks will get read as ECC error, so definitely dont do this
ECC positioning is different to Linux, so take care
The following maps out how 512bytes of data and 10 bytes of ECC info are stored in a 528 byte block:
0000 - 01CF (0-463): Data
01D0 - 01D1 (464-465): Unused (0xff)
01D2 - 0201 (466-513): Data
0202 - 020B (514-523): ECC
020C - 020F (524-527): Unused (0xff)
Use RevSkills application to extract the data portions:
Menu⇒Calculators/Generators⇒Android MTD Nand remove Spare and ECC
Extract all of the Data only portions out of the raw dump, and then use QualcommDumpAnalyser to read it and split up the various parts. I did notice that i wasnt able to get the AMSS block out with QualcommDumpAnalyser - i copied that out manually by calculating the byte positions shown in QDA.
003SH bootloader key sequence?
Eternalardor,
I'd be happy to swap information. Perhaps you could shed some light on the question of the bootloader for the Sharp 003SH and 005SH? There seems to be no discernible key sequence (Power+home+Volume up etc.) to access the bootloader. I feel like I've tried them all. Can you tell me this critical piece of information?
Is a form of the USB Jig necessary to access it?
Looking forward to your response.
003SH SIM unlock
Dominik,
Here are the results of the original /proc/mtd (before rooting)
boot
cache
misc
recovery
ipl
system
persist
log
battlog
calllog
ldb
userdata
I don't see the _modem partition. Should I?
I have also included a screenshot of the results showing size. I have most of them backed up as .img files too.
FYI: .img backed up sizes. Perhaps this will help you to ponder where the _modem partition may have gone. Maybe it's been renamed?
boot 11,264KB
cache 3,072KB
misc 1,024KB
recovery 11,264KB
ipl 15,360KB
system 419,840KB
persist 30,720KB
ldb 45,056KB
userdata 405,120KB
There is no bootloader menu AFAIK. If you install the custom kernel, you will have the option of a quasi-recovery mode, by pressing the home button between 7-12 seconds after the Galapagos logo is seen (or was that the Softbank logo)
Anyway, looking at the screenshots, it seems you do not have the custom kernel.
How did you achieve root on your phone?
To do this, you need to use the "003sh_005sh_dm009sh-rootkit" from at least 5/27 (recommend _0614); which is available on the 2ch forums. This includes 2 possible ways of achieving root:
1. A modified standard kernel (boot image), which, when flashed gives you regular root access
2. A custom compiled kernel, which has full root, a bunch of power profiles, and heaps more features (inc that quasi recovery), as well as access to the "_modem" image.
Judging from your youtube videos, you speak some Japanese, so the Japanese menus in the rootkit shouldnt be much trouble.
http://www1.axfc.net/uploader/Si/so/142435
This is what i used.
Go here for help/instructions http://anago.2ch.net/test/read.cgi/android/1337845757/
And dont even think about typing in English on there, or you will be ignored and/or told to go away
This all looks familiar. I have been using the root kit (5/27) to get where I am now - step by blessed step. It was pretty straight forward BUT I have never seen the option to write to the system partition. It is in all the instructions but the only option I have with respect to the system partition is to back it up. I'm confused as to why it doesn't seem to show up for me. I am using a Japanese machine so all the characters are displayed and I can read the instructions but I can't find help anywhere as to why I don't have that particular (and critical) option. I can see a lot of new and cool options in the 6/14 release. I'm excited and would like to get it installed.
I'll let you know how it goes. Thanks for your help .... keep it coming!
And another thing
Could you explain a little more about "having" the custom kernel? Using the root kit, I wrote to the Recovery partition then the Boot partition then rebooted from the Recovery partition and all seemed well. As I said above, I have never been able to write to the System partition despite it appearing in all the instructions. I suspect that is what is holding me back from the latest and greatest custom kernel. Still, I am enjoying all the same functionality that everyone else seems to be enjoying in root. What am I missing?
Eep, you wrote to the boot partition before trying the recovery? Brave!
The steps should be:
Write image to recovery partition;
Then reboot to recovery partition (from the menu) and confirm it all works without errors.
Then write image to boot partition
And then turn off the phone, and reboot (the last part is only my instructions - you could just select "reboot to boot partition" from the menu)
You are doing this on your 005SH right? It should be the same for the 003SH, but i only have the 005SH. In the rootkit there is 2 options when you say "burn custom image":
1 カスタムビルドrootedカーネル(リカバリーキット機能付き)
2 S4080 標準rootedカーネル(簡易リカバリー機能付き)
Q 中止してメインメニューへ戻る
You must do the first one, the CUSTOM rooted kernel, to get any of the really cool features. The second option is only if you just want root access for a particular app or something. AFAIK the second option doesnt even disable MIYABI LSM, which prevents you from mounting the system dir as R/W
But either way, writing to the System dir is not important for what we are doing. You need the Custom kernel, which gives you access to the "_modem"
Edit, i just noticed in your screenshots above, you didnt even get root in ADB shell?
Type
ADB Shell<Enter>
Then type
su<enter>
The cursor should change to a #, this means root. You may get a prompt on the phone from Superuser asking you to give root access to "shell". Once you have this try the cat /proc/mtd again
jcroot003sh,
can you tell me how to root 003sh?
Use the link i provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you dont understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so wont be able to put it up until monday.
DominikB said:
Use the link i provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you dont understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so wont be able to put it up until monday.
Click to expand...
Click to collapse
Thank you for your replying. I will wait for your translated version. You are really a good person.
Progress
I have successfully found and dumped the "_modem" image. Exactly as you stated - forgot the "su" command in ADB. Thanks. The next problem is editing out the code. I am way above my head here so I will do some research before bugging you for a step-by-step for that.
Also, the bootloader worked. I didn't realize how to do it until I read the notes in the 6/14 release. I successfully put a previously dead phone back on it's feet EXACTLY to the point of my current phone simply by backing up and then restoring partitions through the bootloader. Very slick and easy.
Will get to work. I'll be in contact soon with my progress on the SIM unlock.
I have spent a bit of time looking at it, it certainly isnt easy (Certainly isnt a "lock=yes" section). I assume the actual locking portion is encrypted/compressed/or just compiled, because it would be too easy otherwise (be happy to be proven wrong). For starters, i cannot even find my IMEI number in the dump file... I think that this dump only includes the radio code, not the NV RAM which contains the IMEI and SIM Lock status. If that is the case then the solution should be to change the portion of the radio code that queries the NV RAM, so that it doesnt care if the SIM lock is supposed to be applied.
Extracting the spare/ECC bits out should be done with the RevSkills app; extracting the relevant portions, that is a bit of a cludge; QualcommDumpAnalyser can show the start/end positions, but doesnt extract the AMSS part (AFAIK thats where the code will be). You need to use a hex editor to cut that part out manually... And i am still not 100% sure what the block size is on this NAND.
Good luck!
And if there *are* any experienced hackers out there willing to help out, i can offer some monetary help (as will a few of my fellow Japanese smartphone owning friends) as this will be valuable for not just these 2 phones (there is an army of 007SH owners waiting on this unlock)
Shall we give the 007/009 a shot?
I can see mountains of the 007SH on the auction (mostly pink). Perhaps I should pick one up and take it for a spin. I am happy to try to do something to help out for all the help I am receiving.
Or perhaps the 009SH?
How hard would it be to crack the 007? The 009SH looks like it is supported in the latest release kit.
Thoughts?
Currently, the 003/005SH are going to be the easiest, because they have the custom kernel which allows access to the "_modem" image. To do it on the 007SH we need to build a custom kernel (compiled from the sources available on the ktai-dev site), and add the modem access code (this is in the src directory of the rootkit). Not impossible, but i dont have a Linux machine to compile the sources.
However i think that the code will be fairly universal. Once we find it on the 005SH we will know what we are looking for on the 007SH as well. That will make many people happy
Anyway, my 005SH is under warranty/anshin plan so i dont mind if it gets bricked (especially now that we can take nand backups).
First things first though - examining the 005SH modem image. Does anyone know whether the NAND is a 16kb or 128kb block size? Or is it something completely different?
P.S. The DM009SH is just the Disney Mobile version of the 003SH
Linux machine no problem
I have a Linux server running 24/7 so compiling the kernel is easy. Don't let that be the holdup. I'll keep working on the 003SH _modem image.
DominikB,
I can't open this site [anago.2ch.net/test/read.cgi/smartphone/1319287551/] on channel2 for free. This site had been moved to the past-log storehouse. So.... I even can't look at Japanese version for rooting 003sh. It is very helpful if you can show me the steps for rooting 003sh.
I have been running Cyanogenmod 7 from an sd-card on my Nook tablet. My nephew, damn his eyes, managed to turn on the pattern lock and now I am locked out. It asked me for my google account, and I entered it. It refuses to accept it. I know the account is correct since I made it for this tablet. It will not accept my username / password.
I am incredibly frustrated. I attempted to use adb to see the devices to reset it (referenced here: http://forum.xda-developers.com/showthread.php?t=2237382) and here http://www.addictivetips.com/android/how-to-bypass-disable-pattern-unlock-on-android-via-adb-commands/ but my computer will not recognize the device. At this point, I plan on just nuking the card & starting over. (yay).
My question is, however, can I get to the data I have on the card? I have pictures and documents & I'd really like to get to those before I start the long slog of reformatting this. Is that possible?
Thanks!
I don't know how to retrieve the data, even though I'm sure it's possible (someone else will come along and tell you how to, I'm sure!)
I do however suggest that you make a new bootable CM10 sd-card with another card until then. It could not be easier. A ready-made disk image is availabe at http://iamafanof.wordpress.com/2012/11/18/cm10-0-jellybean-sdcard-img-for-nook-tablet/ Download and burn the card,
That way you can start using your Tablet right away until you figure out how to get to the data.
Oh thanks! I have been avoiding upgrading to CM10 but I guess this is going to push me to.
jmhobbes said:
I have been running Cyanogenmod 7 from an sd-card on my Nook tablet. My nephew, damn his eyes, managed to turn on the pattern lock and now I am locked out. It asked me for my google account, and I entered it. It refuses to accept it. I know the account is correct since I made it for this tablet. It will not accept my username / password.
I am incredibly frustrated. I attempted to use adb to see the devices to reset it (referenced here: http://forum.xda-developers.com/showthread.php?t=2237382) and here http://www.addictivetips.com/android/how-to-bypass-disable-pattern-unlock-on-android-via-adb-commands/ but my computer will not recognize the device.
Click to expand...
Click to collapse
See http://forum.xda-developers.com/showpost.php?p=35971559&postcount=13 for some pointers on how to setup ADB over USB.
My question is, however, can I get to the data I have on the card? I have pictures and documents & I'd really like to get to those before I start the long slog of reformatting this. Is that possible?
...
Click to expand...
Click to collapse
With a Linux (e.g., Ubuntu) PC you should be able mount & access all of the partitions on your SD card. (If you're not using Linux and don't want to mess around with installing it on a PC, you can run it off a CD, e.g, see http://www.howtogeek.com/howto/wind...backup-files-from-your-dead-windows-computer/) To accomplish the same with MS Windows is more complicated, see http://forum.xda-developers.com/showthread.php?t=1585572.
Retrieving your data aside, I am with @asawi: you should move off CM7 and on to CM10.1.
Context
Android uses the same PIN (or pattern) that is used to unlock the screen to decrypt the disk. However the actual decryption key is bound to the device via some internal device key. So ideally you can only decrypt the disk on the device itself, and the device can delay the process and ultimately delete any data if too many failed attempts are made. This is the same concept that's used e.g. on ATM cards, which lock themselves after a couple of failed attempts, so a 4 digit PIN is enough.
Except that's not true, at least not for Qualcomm chipsets, where you can extract the device key, than brute-force the PIN externally, which shouldn't take too long for a 4 digit PIN. See [1]
So I want a strong password for disk encryption, but still a 4 digit PIN for unlocking. I tried the Cryptfs-app, but that crashed, so I used the "vdc cryptfs changepw ..." command on the commandline to set the disk encryption key. On the next reboot, the phone asked for my password, but didn't accept it. So reset everything, and try again. I did this a couple of times with the same result but ultimately got it work by making data not encrypted and then encrypt it using "vdc cryptfs enablecrypto ...".
Not sure exactly what went wrong there, but I saw a couple of QSEECOM errors in the log (QSEECOM is the component that communicates with Qualcomms "secure" execution environment).
This is on a BQ Aquaris X with TWRP and SuperSU but otherwise stock firmware (Android 7.1.1).
The worrying part
Now here is, what worries me: Whenever the phone didn't accept my (correct) password, I rebooted into TWRP. TWRP then asked for my password to decrypt data, and did so successfully. Except it also worked with the wrong password! Apparently during the boot process, when Android asked for my password, it actually decrypted the key and kept it decrypted over a full reboot! Some component didn't get properly reset. I checked by entering the wrong password during boot. When I then rebooted into TWRP I actually had to enter the correct password for it to work.
Now, that the system is working (i.e. it actually continues to boot after I enter the correct password), I cannot reproduce that behaviour. A reboot seems to always clear the key. But who knows, maybe with some trickery it is still possible to keep data decrypted over a reboot. Given how buggy the implementation seems to be.
Question
Is anyone aware of a known bug where the disk encryption key is kept decrypted over a reboot? I couldn't find anything about this.
Conclusion
Use a strong password for disk encryption
Even if you do, don't trust your phone and don't keep real sensitive data on your phone
harry
[1] (can't post links, so google for: Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption blogspot)
3 years later on Android 10 it seems like this issue still exists? And I wondering why encryption is even enabled because it offers basically not protection.
The only workaround in Android 10 that I could think of:
I can use faceunlock for the lockscreen and for the decryption after a boot up. So basically I never really ever have to enter my PIN or pattern.
That means I could use a really strong and complicated PIN or pattern and there for increase the security of the encryption.
How ever, even a 12 digit numerical PIN or pattern (a pattern is basically just a numerical PIN) won't take long to bruteforce.
Hi there,
I have been having endless headaches trying to backup FreeOTP so I can move on to something that has native import/export support and I cannot seem to get it right. I am able to get ADB to see the device, I am able to initiate a backup using `adb backup` but there's an odd behavior I'm noticing. First, upon requesting a backup, I get a prompt on my phone asking me if I want to authorize and if I want to type a password. If I leave the password field blank and hit backup, I get a 1KB .ab file. However, if I do type any password, I get nothing at all. In both cases, a small toast appears saying "Backup finished".
I tried to then use abe-all.jar to turn the .ab to a .tar, it spits out a 1kb .tar file, however extracting that tar files gives back nothing. I should be getting a manifest.xml file but I am getting nothing. So I am certain that something is not right in the backup process itself.
I can't deny the fact that I am starting to panic a bit as I have at least 8 different site's OTP tokens setup with FreeOTP and if anything happens to my phone I will have to go through a painful process of recovering them. This is precisely why I need to move away from FreeOTP.
Using Mac OS El Capitan and the OP7 is not rooted.
Greatly appreciate any help I can get with this.
I know this might come in late, but here's a link to an article that might help migrating from FreeOTP to FreeOTP+ (a.k.a FreeOTPPlus):
FreeOTP: Export Secrets and Migrate to FreeOTPPlus
Photo by Markus Spiske on Pexels.com This article is about the android app(s) which can be used as 2FA, MFA with TOTP. The original FreeOTP app for android was developed by RedHat, but had no optio…
externalmem.wordpress.com
Hello,
my wife recently found her (very) old 'Medion E4504' and now claims that it appartly has many important pictures and messages stored, but she does not remember the PIN.
I can boot it up normally, but of course without the PIN we cannot get past the lockscreen.
As far as I can tell, it runs on Android 5.1 Lollipop, developer options (and USB-debugging) are disabled and it is not rooted.
If I hook it up to a PC, it is recognized, but I cannot see any files on the internal storage, I assume because it is locked.
Is there any way to either bypass the lockscreen (without hard reset and loosing all data of course), or alternatively somehow accessing the internal storage?
I tried this, but it does not work, since I cannot paste anything into the PIN field:
Android 5.x Lockscreen Bypass (CVE-2015-3860)
sites.utexas.edu
Perhaps the phone runs on a later software version where this was fixed.
I tried adb, but when I adb devices when it is booted up to the lockscreen, I cannot see it.
If I boot into bootloader, I can see it in the list if I adb devices, but it seems other commands do not work, I assume because developer options and USB-debugging are not enabled.
Thus, this did not work:
[Android][Guide]Hacking And Bypassing Android Password/Pattern/Face/PI
- DISCLAIMER - This Is For Educational Purposes Only You Shall Not Use This On Other People Phones Without Permission Under Any Circumstances I'm Not Responsible For Any Eventual Errors And Misbehaving Of Your Devices Files And Tutorials Are...
forum.xda-developers.com
Does anyone have any idea?
I would have thought that Android Lollipop 5.1 would be easier to beat . . .
I welcome all suggestions!
Regarding adb, please explain it to me as if I was a five year old, as I do not know much about adb.
Quick update:
I was able to boot into recovery and backup data on a microSD.
I now have two files: 'userdata_20150101_000026.backup' and 'userdata_20150101_000026.backup1', and am trying to figure out if it is possible to extract data from these files on a windows machine.
Sorry, if this is maybe trivial to some, but I am not a pro . . .