Database Info

[Q] VERIZON Samsung Tab 2 10.1 sch-i915 Hardbrick help

I have an incident that I have accrued myself so no need for those comments. The history of the hardbrick i created. If any information regarding anything feel free.
First of all i rooted my device using towelroot. It works for alot of devices and runs as 3rd party apk installer. Created by the infamous Geohotz. Godbless. https://towelroot.com/ for those of you who do not know.
2nd i was looking and trying to swap my extSdCard with my internal /sdcard. I edited the vold.fstab and the vold.conf files thinking hey i can use the external as full internal to have the devive install apps on properly w/o manually moving and use the internal remaining sdcard memory as virtual Ram. I have not completed this process yet. Ill explain.
After mounting the internal as external and vice. I ended up being stuck in a boot loop. NOTE: i did not have custom recovery(was one of the oopsies) so was stuck with basic android recovery. Reset device did not fix. Was going to Odin flash the stock rom and/or CWM Recovery, but there is absolutely NO STOCK or LEAKED rom anywhere for the verizon model. I also pulled those 2 files off of my other tab 2 10.1 NON VERIZON *vold.fstab and vold.conf and places it into zip file and signed it using signapk.
which now i feel like an idiot finding this link "http://forum.xda-developers.com/galaxy-nexus/themes-apps/tutorial-making-flashable-zips-edify-t1611615"
NOTE: I used a different post somewhere that didnt explain to have the right binary so it gave me a signature mismatch error when trying to flash. Use above post to make sure you use propery binary.
Luckily i did some research and knowledge of what i actually did to fix it and plus my addiction to play around and learn things. I manually duplicated the vold.fstab/vold.conf files from my one device to the bricked one
Boot up device in Android recovery.
installed and loaded up ADB.exe from command line.
Code:
adb shell
su
echo *yourlinehere*> /system/etc/vold.fstab
echo *yourlinehere*>> /sytem/etc/vold.fstab
the first > rewrites the file from start black document and inputs the first line
the 2nd >> note the double >> appends to the next line.
i rebooted and VOILA FIXED!!! but wait....theres more ><
So knowing the troubles i had to fix my lil play around mistake. I wanted to get custom recovery partition installed. Used Rom Manager to install CWM Recovery. I picked the wrong rom for my device and flashed it. The one i used was for the international Tab 2 10.1 the gt-5100. It said it successfully flashed so i figured wth it couldnt hurt right? WRONG i clicked reboot to recovery to check it. and here is where I lie. HARD BRICK. No boot up at all. Plug in charger to outlet or PC i dont even get the charging device battery image. So now here we go more research fun!!!
I looked up some information on how to fix a hard bricked device. some posts say using a jig to bypass it and get into download mode. Ok this is a 30 pin connector not a 4 pin like most the android devices. I could do some research on this and probably rig a jig to convert and match the pin layouts but meh my problem still lies within not having stock firmware for this model. I also learn of Jtag methods. Oh all well and handy but buying the Riff Box and all this gets your device bootable, but hey guess what? it would allow me to boot into that download mode or android recovery. Which still bottom line fails as i dont have a stock rom to flash. OH the dilemna.
What ive come up with. I plugged in my device into my pc. Well what do you know i can actually get recognition. but this is where i am stuck at.
I figured out that the device is recognized and i needed drivers. I found this handy site
https://developer.qualcomm.com/forum/qdevnet-forums/general-discussion/9428 Which also explains that i messed up my boot partition.
I download and installed the QPST program and installed the drivers on win7. I had to reboot and use advanced options to disable the unsigned drivers check. OK sweet connection is up!
I tried using ADB shell but device isnt connected that way.
In the QPST program it shows my device on com10 in download mode. I tried to retrieve some data or partition information from the device but it says i cannot when device is in download mode. So no pulling files and fixing and reflashing them. Back to the same problem before NO STOCK ROM.
So here are the questions I have regarding my situation. The android device im playing with has the base partitions. As an example of this http://www.all-things-android.com/content/review-android-partition-layout
I do not have my partition layout for my device as its bricked. I dont even know if it needs to be repaired yet. If any of you with a verizon tab 2 10.1 sch-i915 has a rooted device and can get me this table or a pit file for this device it would be appreciated
2nd firmware vs firmware. As previously stated I do not have firmware for this verizon tab. HOWEVER i did find firmware for the Sprint version of this exact tablet. My question is, could these stock firmwares be exact duplicates with the exclusion of the boot up screen bs and the /misc partition containing the imei phone stats and carrier information?
3rd Flashing just certain partitions of this firmware. Is it possible if the above is feasible considering i know my /boot partition is messed up and my /recovery partition is messed up to only flash those 2 partitions with the one from sprint. The stock kernal should be the same in both devices for the /boot and the /recovery partition should hold the same android recovery should it not?
4th. If anyone has a rooted sch-i915 device would you be willing to make dump of the partitions using this guide http://forum.xda-developers.com/showthread.php?t=2450045. That would be appreciated.

Let Me Work On That
You Are Possibly In Luck. I Know Somone That Has That Tablet. Problem Is It Is My Mom's And Well She Rather Beat Me With It Then Let Me Touch It. I'll See What I Can Do And Will Post Back.. Wish Me Luck i Will Need It :fingers-crossed:

][NT3L][G3NC][ said:
You Are Possibly In Luck. I Know Somone That Has That Tablet. Problem Is It Is My Mom's And Well She Rather Beat Me With It Then Let Me Touch It. I'll See What I Can Do And Will Post Back.. Wish Me Luck i Will Need It :fingers-crossed:
Click to expand...
Click to collapse
Appreciated good luck.
If not possible and i get it fixed ill post how i did it and such. and also post up a JB 4.12 stock/updated leaked rom of this device which apparently seems to be missing in the world for some damn reason.

I Got A Question
Sorry I Been Busy, & Google Has Not Been Kind 2 Me. I Did Find The California Lottery Vulnerability Report Generated By Nessus. But If Someone Could Please Point Me In The Right Direction Or Just Break It Down For Me As Quickly And Light As You Could, Short, Straight Forward, The LIghtest Kliff Notes Ever Would Be Appreciated.
Verizion SCH-I915 [ 4.1.2 ]
I Only Had A Few Minutes With The Tablet But I Already Rooted It, Installed BusyBox, I Barely Started To Get Into The FIle System.... I'm Using Kali LInux
1. What Partitions/Blocks Do I Need To Obtain To Create An Odin Flashable Recovery Image
2. Is There A Droid Binary, Or Script I Can Use To Dump The Rom While Creating The Above For Odin?
Just Found Something I Downloaded At Some Point Called: ROMGEN Any Idea On That Binary??? And phantomphr33k Any Request.
Forgive Me I Work Nights, Two Kids, So I'm Up Days + On Call During The Day.
lrwxrwxrwx root root 1970-10-27 01:41 aboot -> /dev/block/mmcblk0p5 ???
lrwxrwxrwx root root 1970-10-27 01:41 backup -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 1970-10-27 01:41 boot -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 1970-10-27 01:41 cache -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 1970-10-27 01:41 efs -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 1970-10-27 01:41 fota -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 1970-10-27 01:41 fsg -> /dev/block/mmcblk0p21
lrwxrwxrwx root root 1970-10-27 01:41 grow -> /dev/block/mmcblk0p23
lrwxrwxrwx root root 1970-10-27 01:41 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 1970-10-27 01:41 modemst1 -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 1970-10-27 01:41 modemst2 -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 1970-10-27 01:41 pad -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 1970-10-27 01:41 param -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 1970-10-27 01:41 persist -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 1970-10-27 01:41 recovery -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 1970-10-27 01:41 rpm -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 1970-10-27 01:41 sbl1 -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 1970-10-27 01:41 sbl2 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 1970-10-27 01:41 sbl3 -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 1970-10-27 01:41 ssd -> /dev/block/mmcblk0p22
lrwxrwxrwx root root 1970-10-27 01:41 system -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 1970-10-27 01:41 tz -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 1970-10-27 01:41 userdata -> /dev/block/mmcblk0p15

Should Post The Rest Tomorrow
I Have Attached Some Text Files With The Output Of A Couple Commands To Get The block/partition layout.
I Have Dumped The system.img which is 1.6gb In SIze
Tomorrow I Should Have : Modem "firmware" , Boot , Recovery
QUESTIONS:
What Is aboot?
Which Is The Kernel?
What Is Modemst*?
And More Important, Which Ones Do I Need To Pull For A Complete ROM Dump?
lrwxrwxrwx 1 0 0 20 Nov 2 1970 aboot -> /dev/block/mmcblk0p5
lrwxrwxrwx 1 0 0 21 Nov 2 1970 backup -> /dev/block/mmcblk0p20
lrwxrwxrwx 1 0 0 20 Nov 2 1970 boot -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 0 0 21 Nov 2 1970 cache -> /dev/block/mmcblk0p17
lrwxrwxrwx 1 0 0 21 Nov 2 1970 efs -> /dev/block/mmcblk0p11
lrwxrwxrwx 1 0 0 21 Nov 2 1970 fota -> /dev/block/mmcblk0p19
lrwxrwxrwx 1 0 0 21 Nov 2 1970 fsg -> /dev/block/mmcblk0p21
lrwxrwxrwx 1 0 0 21 Nov 2 1970 grow -> /dev/block/mmcblk0p23
lrwxrwxrwx 1 0 0 20 Nov 2 1970 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx 1 0 0 21 Nov 2 1970 modemst1 -> /dev/block/mmcblk0p12
lrwxrwxrwx 1 0 0 21 Nov 2 1970 modemst2 -> /dev/block/mmcblk0p13
lrwxrwxrwx 1 0 0 20 Nov 2 1970 pad -> /dev/block/mmcblk0p9
lrwxrwxrwx 1 0 0 21 Nov 2 1970 param -> /dev/block/mmcblk0p10
lrwxrwxrwx 1 0 0 21 Nov 2 1970 persist -> /dev/block/mmcblk0p16
lrwxrwxrwx 1 0 0 21 Nov 2 1970 recovery -> /dev/block/mmcblk0p18
lrwxrwxrwx 1 0 0 20 Nov 2 1970 rpm -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 0 0 20 Nov 2 1970 sbl1 -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 0 0 20 Nov 2 1970 sbl2 -> /dev/block/mmcblk0p3
lrwxrwxrwx 1 0 0 20 Nov 2 1970 sbl3 -> /dev/block/mmcblk0p4
lrwxrwxrwx 1 0 0 21 Nov 2 1970 ssd -> /dev/block/mmcblk0p22
lrwxrwxrwx 1 0 0 21 Nov 2 1970 system -> /dev/block/mmcblk0p14
lrwxrwxrwx 1 0 0 20 Nov 2 1970 tz -> /dev/block/mmcblk0p8
lrwxrwxrwx 1 0 0 21 Nov 2 1970 userdata -> /dev/block/mmcblk0p15

Sorry its the Holidays so its understandable. Cant really twist your arm to rush it Im by far not an expert on this i do research myself. Ill do my best and if anyone else can shed light please do.
][NT3L][G3NC][ said:
QUESTIONS:
[*]What Is aboot?
[*]Which Is The Kernel?
[*]What Is Modemst*?
[*]And More Important, Which Ones Do I Need To Pull For A Complete ROM Dump?
Click to expand...
Click to collapse
1) Aboot partition is basically your "Odin Downloader" protocol. while booting pressing power + Vol Dwn will put your device in this mode.
2) The kernel/ramdisk is stored in the /boot partition
Note Primary Bootloader and SB* are secondary bootloaders 1,2,3 those are loaded up as well to set certain params + setup/initialize hardware as far as im understanding. and loads up the kernel/ramdisk.
3)Ill quote from another thread: http://forum.xda-developers.com/showthread.php?t=2582811
][NT3L][G3NC][ said:
- backup and restore important device partitions - EFS (Samsung), TA (Sony), MODEM (Exynos devices), MODEMST1 & MODEMST2 (Qualcomm devices),
- root is required
- easy to use
- many localizations
- see paths to important partitions of your device using Menu -> Device Partitions
Click to expand...
Click to collapse
As far as im understanding these partitions hold carrier information/imei and all other sorts of GRPS information in regards to connecting your devices radio to Service. Sorta like your network card drivers and Mac Address
I looked at another persons rom dump and I seen only these partitions in the archive. Sadly I dont remember where i found this but is from a guy who JTAGS devices. So im pretty sure its legit. Its from the Sprints version of this device.
/system.img.ext4(going to be the biggest dump)
/recovery.img
/cache.img.ext4
/boot.img
[QUOTE=']
1. What Partitions/Blocks Do I Need To Obtain To Create An Odin Flashable Recovery Image
2. Is There A Droid Binary, Or Script I Can Use To Dump The Rom While Creating The Above For Odin?
Just Found Something I Downloaded At Some Point Called: ROMGEN Any Idea On That Binary??? And phantomphr33k Any Request.
[/QUOTE]
So basicallly special request if you could is mainly dump those partitions above
This Romgen seemingly looks to dump what is needed for the rom. It also makes and update-script flashable Odin file. Never tried it myself. ive used cygwin/kitchen personally.
If you would do that would be sufficient as a stock rom. Granted if the rom is updated its not stock.....BUT at least it will be an updated stock vwz sch-i915 out there in public finally.
AND...extra special request is a pit file. Reason being is i need to attempt to flash by other means not via odin.(more personal use than general public) and i need the block information to flash partitions to the chip at the certain points. Im extracting the *.img/bin files and compiling *.mbn files and going to attempt to flash directly to the chip. As far as ive seen its worked on a few other devices and i might as well try considering this is a Qualcomm device and it is recognized in QPST. Maybe the security on the bootloader may not allow it but what could it hurt? its already hard bricked right? lol
http://forum.xda-developers.com/showthread.php?t=1916936
program here for windows. I never checked for any linux based tools cuz i use cygwin if i absolutely need linux.
Much appreciated ][NT3L][G3NC][ your making my day :laugh:

happy new years intelligence since it seems ur the only one to view this thread.

so did you ever get a good romdump? I have been trying all night to do it to mine but can not get it to work.

Frp lock solution.

Hi, got one moto g3, frp lock.
I found a link on ebhttp://www.ebay.com/itm/151884511307ay, he can factory reset the phone to clear the frp lock.
Not sure its a fake or real solution.
Before paying $29 , just want to know if it's a real solution or fake?

Probably fake. In the Samsung specific frp implementation there is a bug which allows to circumvent frp (and Samsung is already fixing this bug). And everybody can do this. No need to pay for such a service.
But I'm not aware of such a bug in the Motorola implementation.

To the best of my knowledge, the data we need to access for this is contained in the /persist partition...in theory, if you take a bootloader unlocked device which has never had a google account set up on it before, dump that device's /persist, then reflash it to another device, you SHOULD be able to bypass the FRP lock.
IN THEORY.....don't quote me, and I'm not responsible for any potential damage...I have NOT tested my theory. I'm only making an educated guess.

hp420 said:
To the best of my knowledge, the data we need to access for this is contained in the /persist partition...in theory, if you take a bootloader unlocked device which has never had a google account set up on it before, dump that device's /persist, then reflash it to another device, you SHOULD be able to bypass the FRP lock.
IN THEORY.....don't quote me, and I'm not responsible for any potential damage...I have NOT tested my theory. I'm only making an educated guess.
Click to expand...
Click to collapse
This will only work on a device where the bootloader was already unlocked before FRP is triggered.
You can only flash/overwrite the /persist partition if the bootloader is unlocked. In order to unlock the bootloader you have to select "Allow OEM Unlock" in developer settings first. Which is only possible if you can logon to the device...

u42671 said:
This will only work on a device where the bootloader was already unlocked before FRP is triggered.
You can only flash/overwrite the /persist partition if the bootloader is unlocked. In order to unlock the bootloader you have to select "Allow OEM Unlock" in developer settings first. Which is only possible if you can logon to the device...
Click to expand...
Click to collapse
Yes, that is correct. It's a very specific set of requirements that the device must meet, but I believe it could be possible. If all the conditions are right, I see absolutely no reason why this would not work.

hp420 said:
Yes, that is correct. It's a very specific set of requirements that the device must meet, but I believe it could be possible. If all the conditions are right, I see absolutely no reason why this would not work.
Click to expand...
Click to collapse
Yes, if the boot loader is unlocked you can definitely break frp. Just by flashing a custom rom frp will also be gone .

u42671 said:
Yes, if the boot loader is unlocked you can definitely break frp. Just by flashing a custom rom frp will also be gone .
Click to expand...
Click to collapse
No, this is totally incorrect. There are several people here who have tried that and all have failed. This is why I suspect it lives in the /persist partition. If it's in system, userdata, either cache, etc. it would be incredibly easy to get around. Google has some sort of persistent location for all this stuff....and there just so happens to be a partition literally titled persist....coincidence??? Probably not, imo
Also, you do not need an unlocked bootloader. All you need is TWRP. If you have TWRP you can boot there, then use ADB shell to get root access and you can then flash the partition in question.
check it out....partition mmcblk0p29 is titled persist:
drwxr-xr-x 2 root root 880 Jan 21 1970 .
drwxr-xr-x 4 root root 1000 Jan 21 1970 ..
lrwxrwxrwx 1 root root 20 Jan 21 1970 DDR -> /dev/block/mmcblk0p3
lrwxrwxrwx 1 root root 20 Jan 21 1970 aboot -> /dev/block/mmcblk0p4
lrwxrwxrwx 1 root root 21 Jan 21 1970 abootBackup -> /dev/block/mmcblk0p11
lrwxrwxrwx 1 root root 21 Jan 21 1970 boot -> /dev/block/mmcblk0p31
lrwxrwxrwx 1 root root 21 Jan 21 1970 cache -> /dev/block/mmcblk0p40
lrwxrwxrwx 1 root root 21 Jan 21 1970 carrier -> /dev/block/mmcblk0p38
lrwxrwxrwx 1 root root 21 Jan 21 1970 cid -> /dev/block/mmcblk0p25
lrwxrwxrwx 1 root root 21 Jan 21 1970 clogo -> /dev/block/mmcblk0p28
lrwxrwxrwx 1 root root 21 Jan 21 1970 customize -> /dev/block/mmcblk0p39
lrwxrwxrwx 1 root root 21 Jan 21 1970 dhob -> /dev/block/mmcblk0p22
lrwxrwxrwx 1 root root 21 Jan 21 1970 frp -> /dev/block/mmcblk0p17
lrwxrwxrwx 1 root root 21 Jan 21 1970 fsc -> /dev/block/mmcblk0p24
lrwxrwxrwx 1 root root 21 Jan 21 1970 fsg -> /dev/block/mmcblk0p23
lrwxrwxrwx 1 root root 21 Jan 21 1970 hob -> /dev/block/mmcblk0p21
lrwxrwxrwx 1 root root 20 Jan 21 1970 hyp -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root 21 Jan 21 1970 hypBackup -> /dev/block/mmcblk0p14
lrwxrwxrwx 1 root root 21 Jan 21 1970 keystore -> /dev/block/mmcblk0p36
lrwxrwxrwx 1 root root 21 Jan 21 1970 kpan -> /dev/block/mmcblk0p30
lrwxrwxrwx 1 root root 21 Jan 21 1970 logo -> /dev/block/mmcblk0p27
lrwxrwxrwx 1 root root 21 Jan 21 1970 logs -> /dev/block/mmcblk0p16
lrwxrwxrwx 1 root root 21 Jan 21 1970 metadata -> /dev/block/mmcblk0p26
lrwxrwxrwx 1 root root 20 Jan 21 1970 misc -> /dev/block/mmcblk0p9
lrwxrwxrwx 1 root root 20 Jan 21 1970 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx 1 root root 21 Jan 21 1970 modemst1 -> /dev/block/mmcblk0p19
lrwxrwxrwx 1 root root 21 Jan 21 1970 modemst2 -> /dev/block/mmcblk0p20
lrwxrwxrwx 1 root root 21 Jan 21 1970 oem -> /dev/block/mmcblk0p37
lrwxrwxrwx 1 root root 21 Jan 21 1970 padA -> /dev/block/mmcblk0p10
lrwxrwxrwx 1 root root 21 Jan 21 1970 padB -> /dev/block/mmcblk0p18
lrwxrwxrwx 1 root root 21 Jan 21 1970 padC -> /dev/block/mmcblk0p34
lrwxrwxrwx 1 root root 21 Jan 21 1970 persist -> /dev/block/mmcblk0p29
lrwxrwxrwx 1 root root 21 Jan 21 1970 recovery -> /dev/block/mmcblk0p32
lrwxrwxrwx 1 root root 20 Jan 21 1970 rpm -> /dev/block/mmcblk0p5
lrwxrwxrwx 1 root root 21 Jan 21 1970 rpmBackup -> /dev/block/mmcblk0p12
lrwxrwxrwx 1 root root 20 Jan 21 1970 sbl1 -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 21 Jan 21 1970 sp -> /dev/block/mmcblk0p35
lrwxrwxrwx 1 root root 21 Jan 21 1970 ssd -> /dev/block/mmcblk0p33
lrwxrwxrwx 1 root root 21 Jan 21 1970 system -> /dev/block/mmcblk0p41
lrwxrwxrwx 1 root root 20 Jan 21 1970 tz -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root 21 Jan 21 1970 tzBackup -> /dev/block/mmcblk0p13
lrwxrwxrwx 1 root root 21 Jan 21 1970 userdata -> /dev/block/mmcblk0p42
lrwxrwxrwx 1 root root 20 Jan 21 1970 utags -> /dev/block/mmcblk0p8
lrwxrwxrwx 1 root root 21 Jan 21 1970 utagsBackup -> /dev/block/mmcblk0p15
Click to expand...
Click to collapse

What is frp?

banerjeeayan1996 said:
What is frp?
Click to expand...
Click to collapse
Factory Reset Protection

Finally done, without bootloader unlocked.
By going to setting and turn on debugging mode. And he run one simple script. And done.
Going to setting is simple (there are video on YouTube)

How were you able to go to settings and enable debug mode when you are logged out of the phone due to frp?
I know how this works on Samsung devices as Samsung automatically brings up a file manager when you connect a USB storage via OTG and then you can start an apk which brings up settings. Thats what also all the Videos on Youtube are showing.
But on my Moto G I cannot replicate this behaviour. It does not automatically bring up file manager when connecting USB stick via OTG. Only after manually starting file manager you can access the USB stick.

u42671 said:
How were you able to go to settings and enable debug mode when you are logged out of the phone due to frp?
I know how this works on Samsung devices as Samsung automatically brings up a file manager when you connect a USB storage via OTG and then you can start an apk which brings up settings. Thats what also all the Videos on Youtube are showing.
But on my Moto G I cannot replicate this behaviour. It does not automatically bring up file manager when connecting USB stick via OTG. Only after manually starting file manager you can access the USB stick.
Click to expand...
Click to collapse
https://www.youtube.com/watch?v=aaK6TK-oYJ8
br,

riteshgpt60 said:
you can go to setting by this:
https://www.youtube.com/watch?v=aaK6TK-oYJ8
br,
Click to expand...
Click to collapse
Could someone please translate this from portuguese? I can follow it for the most part, but I'd like to know any finer details he may be talking about. My spanish is terrible, let alone trying to understand portuguese lol

hp420 said:
Could someone please translate this from portuguese? I can follow it for the most part, but I'd like to know any finer details he may be talking about. My spanish is terrible, let alone trying to understand portuguese lol
Click to expand...
Click to collapse
First, the guy on the video is selling a program to do the unlocking.
The first part on the video shows a possible exploit to access the developer options, then enable usb debbugging.
The 190 number that he dials is the emergency police number in Brazil, similar to the 911 in US.
Maybe that´s the trick, when you try to make an emergency call, the system may bypass some security features.
I'm at work now, if you need I may translate to english the whole video, but only at home.
The guy is selling this "Motorola FRP Ulocking" software with a password, so even if you follow all the steps listed, you may need the software.

anyone have an interest in chipping in for this so we can release the exploit publicly?

@hp420, its already available publicly.

riteshgpt60 said:
@hp420, its already available publicly.
Click to expand...
Click to collapse
can you please share the link?

Can someone give me the password for frp unlock app . plss help me bro

https://www.youtube.com/watch?v=btXjGLeN5y0&index=1&list=LLFArHcghMf-E7X6EIvmJCWQ

nokia alkng said:
https://www.youtube.com/watch?v=btXjGLeN5y0&index=1&list=LLFArHcghMf-E7X6EIvmJCWQ
Click to expand...
Click to collapse
Bro i know to goto nova launcher n all other apps.. I need to factory reset my phone... While i goto settings d wipe option is hidden.. Nd i cant find the users menu nd OEM unlock feature option... Plss help me someone...

[ROOT] - lafsploit - H918 (any version up to and including 20h) - now n00b friendly

WARNING​
This should go without saying, but you MUST have your bootloader unlocked (check OEM UNLOCK in developer options AND fastboot oem unlock).
If you don't, you WILL brick your phone.
If you don't know how to FULLY unlock your bootloader -- search. This thread is not here to educate you on unlocking your bootloader.
If your bootloader isn't unlocked, you will get a RED warning that your phone has been modified, and will refuse to boot.
If your bootloader IS unlocked, your will have a YELLOW warning even if you haven't modified your phone yet, and your phone will still boot. This is normal!
If you use this on any model V20 besides the H918, you will be stuck in a bootloop, and you will not be able to fix it since you will have wiped out download mode!
There is NO fixing this!
You must be on version H91810p or H91810q
This is now completely safe. It will either work or it won't, but it can NOT brick your phone if you meet the requirements listed above, and you follow the procedure exactly.
If it DOES brick your phone, I am not responsible.
If you deviate from this procedure, and think: "I can just skip a step, or I can do this on my own Linux install". Don't complain if you brick your phone.
This ONLY replaces download mode with TWRP. If you want to root, you can search for how to root. If you don't know how to use TWRP -- search.
PREREQUISITES:
If you aren't on 10p or 10q, grab the H918 10p KDZ: here.
This is NOT a guide for flashing KDZs -- there are plenty of those out there -- search.
You need to grab FWUL (version 2.7 or later) and burn it to a USB stick: link
Even if you have Linux, and you think you can install the dependencies, don't. I know this works from FWUL.
If you choose to press on in expert mode (using FWUL in a VM, using your own Linux install, using WSL, etc), don't get upset if I don't answer your questions.
For Windows you will need Rufus to burn FWUL onto a USB stick.
If you have questions about FWUL, please ask in the FWUL thread.
Installing TWRP
Again, this will ONLY install TWRP onto download mode. What you do with TWRP when it is done is up to you. Flash Magisk or SuperSU. Flash a ROM, or just make a backup of your phone. It is up to you.
I would suggest flashing TWRP onto recovery as well, otherwise you will need to use the vol up + USB cable method to get to TWRP. There is no key combination to get to download mode.
Boot from your FWUL USB stick.
Put your phone into download mode. With the phone powered off, hold vol up and plug in the USB cable. You do not need to touch the power button -- the phone will power on and enter download mode.
Once booted, login. The password is: linux
Double click the LG folder that is on the desktop
Double click on LG LAF (runningnak3d) icon and you will be at a terminal prompt.
The following are the commands that you enter into that terminal. You can copy / paste them if you like.
Code:
git pull
git checkout h918-miscwrte
./step1.sh
When you are told to, pull the USB cable, and the phone will power off. You now have TWRP on your laf partition.
It must be said again, flash TWRP onto recovery so you can easily get to TWRP.
OPTIONAL
If you would like to restore download mode onto your laf partition AFTER you have installed TWRP onto recovery:
Boot to TWRP that is on recovery
Flash this zip: laf_restore.zip
This can be done at any time after you are rooted. About the only reason you would want to flash laf back is if you use LG Backup.
TWRP has the ability to backup your phone, so I am not sure why someone would want this (maybe you are more comfortable with it?).
Also, flashing back to 100% unrooted stock can be accomplished by flashing a zip in TWRP, you don't NEED to flash a KDZ, but again, maybe you are more comfortable doing it that way.
The bottom line is TWRP on both laf and recovery is FAR FAR more useful than flashing laf back. You can test new versions of TWRP while keeping your old known working version (for example).
If you are having problems flashing a ROM, ask in the appropriate ROM thread.
If you are having problems with Magisk, ask in the Magisk thread.
If you are having problems with SuperSU, Lineage, or even TWRP itself, ask in the appropriate thread.
This thread is ONLY for problems if TWRP doesn't boot when you are done.
CREDITS:
Lekensteyn -- His base work on the G2 / G3 gave me a GREAT headstart!
@steadfasterX - He added some real nice features, great guy to bounce ideas off, and just testing crazy ideas because he wasn't afraid to brick his phone Also, for FWUL
tuxuser - Helping with my lacking in Python
@smitel - His original reverse engineering of LG UP. Great inspiration!
@me2151 - His original DirtySanta exploit. Without it, the V20 would probably still not be rooted.
-- Brian
XDA:DevDB Information
lafsploit, Tool/Utility for the LG V20
Contributors
runningnak3d
Source Code: https://gitlab.com/runningnak3d/lglaf
Version Information
Status: Stable
Current Stable Version: 1.1
Stable Release Date: 2018-07-15
Created 2018-04-05
Last Updated 2018-07-16

Congratulations for this amazing work I been follow your work on your original tread it's amazing !!! I current have the note 8 but I still have a v20 (from what i posting right now lol ) the first was. TMobile and right now I have a Verizon unlock v20 Wich I really enjoying Whit Xposed mode well anyway what I trying to said is you work make me pick up my v20 again and give me some inspiration to learn ... Keep going
UPDATE: I GET A TMOBILE V20 now I have root again, thanks again ?

Congrats been following your work since day 1 man the effort paid off. Thanks one man that took on the whole lg dev team.

Will there ever be a chance for the US998 (US Cellular) ?

Awesome can't wait to build lineage for the v20! Now that I have a spare device it'll make learning a lot easier. So now I can test on my current daily driver before adding the mods to my v20 builds. I can't even begin to describe how much this means to so many of us in the community! Especially myself.
That said I'll give it a try tomorrow after work assuming I have friday off & l'll report back asap.
If installing python 3 on windows 10 will the default install settings work? Just wanted to double check. & thanks again man. Amazingly awesome work!
Sent from my LG-D851 using XDA Labs
---------- Post added at 01:35 AM ---------- Previous post was at 01:32 AM ----------
KanBorges said:
Will there ever be a chance for the US998 (US Cellular) ?
Click to expand...
Click to collapse
He is also working on the locked bootloader devices. I'll let him explain most of the details if he has the time. However if you want to read up on the progress check this thread:
https://forum.xda-developers.com/v20/how-to/laf-download-mode-how-root-t3676011/page92
Sent from my LG-D851 using XDA Labs

omg, you sir are a God! [emoji122] [emoji122]
Sent from my LG-H918 using XDA-Developers Legacy app

KanBorges said:
Will there ever be a chance for the US998 (US Cellular) ?
Click to expand...
Click to collapse
Even though the US998 isn't officially unlockable yet, you can follow this: https://forum.xda-developers.com/lg-v30/how-to/us998-bootloader-unlock-achieved-t3743359

https://gist.github.com/zacharee/6aa5fcb56d0a42937869494b12d77da2
working link

Thanks @dudeawsome and @Zacharee1 I fixed the link.

using the instructions provided, I'm consistently getting a usb device not found runtime error, any advice?

If you are on Windows, did you install the LG drivers?
-- Brian

runningnak3d said:
WARNING to G5 and G6 users. I need a partition listing before you try this to make sure misc is in the same location. You can brick your phone if misc is in a different location than the V20.
I am splitting this off from the main laf thread because that thread really needs to be cleaned. It was supposed to just be for development, and now it is impossible to find some valuable info
I say this is for the H918 only, but it should work on the H830 (G5) and H872 (G6) as well. I don't have those devices, so I can't test it. The H830 has a TWRP build, but the H872 doesn't -- so someone would have to risk using the US997 build.
Anyway, if you aren't feint at heart....
Here is a much more detailed guide that @Zacharee1 put together: link.
Enjoy your now rooted H918...
If this scares anyone, I will make it easier, but for the hardcore people, I wanted to get it out there.
I will clean this up and make it prettier when I have the chance.
-- Brian
Click to expand...
Click to collapse
Code:
1|lucye:/ $ ls -l /dev/block/platform/soc/624000.ufshc/by-name/
total 0
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 aboot -> /dev/block/sde6
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 abootbak -> /dev/block/sde7
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 apdp -> /dev/block/sde26
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 boot -> /dev/block/sde1
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 cache -> /dev/block/sda17
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 cdt -> /dev/block/sdd3
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 cmnlib -> /dev/block/sde22
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 cmnlib64 -> /dev/block/sde24
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 cmnlib64bak -> /dev/block/sde25
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 cmnlibbak -> /dev/block/sde23
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 ddr -> /dev/block/sdd1
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 devcfg -> /dev/block/sde16
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 devcfgbak -> /dev/block/sde17
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 devinfo -> /dev/block/sdb6
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 dip -> /dev/block/sdb5
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 dpo -> /dev/block/sde28
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 drm -> /dev/block/sda4
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 eksst -> /dev/block/sda11
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 encrypt -> /dev/block/sda10
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 eri -> /dev/block/sda7
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 factory -> /dev/block/sda9
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 fota -> /dev/block/sdb3
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 fsc -> /dev/block/sdf3
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 fsg -> /dev/block/sdb4
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 grow -> /dev/block/sda19
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 grow2 -> /dev/block/sdb7
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 grow3 -> /dev/block/sdc3
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 grow4 -> /dev/block/sdd4
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 grow5 -> /dev/block/sde29
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 grow6 -> /dev/block/sdf4
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 grow7 -> /dev/block/sdg2
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 hyp -> /dev/block/sde12
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 hypbak -> /dev/block/sde13
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 keymaster -> /dev/block/sde20
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 keymasterbak -> /dev/block/sde21
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 keystore -> /dev/block/sda14
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 laf -> /dev/block/sda1
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 lafbak -> /dev/block/sda2
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 misc -> /dev/block/sda8
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 modem -> /dev/block/sde18
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 modemst1 -> /dev/block/sdf1
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 modemst2 -> /dev/block/sdf2
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 mpt -> /dev/block/sda3
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 msadp -> /dev/block/sde27
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 operatorlogging -> /dev/block/sda6
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 persist -> /dev/block/sda15
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 persistent -> /dev/block/sdg1
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 pmic -> /dev/block/sde14
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 pmicbak -> /dev/block/sde15
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 raw_resources -> /dev/block/sde8
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 raw_resourcesbak -> /dev/block/sde9
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 rct -> /dev/block/sda12
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 recovery -> /dev/block/sde2
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 recoverybak -> /dev/block/sde3
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 reserve -> /dev/block/sdd2
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 rpm -> /dev/block/sde10
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 rpmbak -> /dev/block/sde11
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 sec -> /dev/block/sde19
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 sns -> /dev/block/sda5
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 ssd -> /dev/block/sda13
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 system -> /dev/block/sda16
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 tz -> /dev/block/sde4
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 tzbak -> /dev/block/sde5
lrwxrwxrwx 1 root root 16 2018-01-16 19:40 userdata -> /dev/block/sda18
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 xbl -> /dev/block/sdb1
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 xbl2 -> /dev/block/sdc1
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 xbl2bak -> /dev/block/sdc2
lrwxrwxrwx 1 root root 15 2018-01-16 19:40 xblbak -> /dev/block/sdb2
I am trying to download source to build twrp for the g6 but I am on my backup dsl (762kb/s) which sucks majorly.
If you are in an IRC chan I will be more then happy to join and give you access to my device remotely if need be.

on windows 10, latest insider build, all drivers installed, v20 detected in normal boot, download and fastboot modes. I'm reinstalling ubuntu just in case something weird happened with it..

@KAsp3rd Join #lglaf on irc.freenode.net
What I need is the GPT -- start LBA / end LBA of misc.
You can get that by running ./partitions.py --list
-- Brian

So after entering Download/LAF Mode and plugging in to computer, I get the following error when running the first command in step 6 of @Zacharee1's guide:
Code:
C:\lglaf>partitions.py --dump laf.img laf
LAF Crypto failed to import!
Traceback (most recent call last):
File "C:\lglaf\partitions.py", line 459, in <module>
main()
File "C:\lglaf\partitions.py", line 406, in main
comm = lglaf.autodetect_device()
File "C:\lglaf\lglaf.py", line 441, in autodetect_device
return USBCommunication()
File "C:\lglaf\lglaf.py", line 297, in __init__
custom_match = self._match_device)
File "C:\Users\SMTB\AppData\Local\Programs\Python\Python36-32\lib\site-packages\usb\core.py", line 1263, in find
raise NoBackendError('No backend available')
usb.core.NoBackendError: No backend available
As I am a total n00b, I have no idea what this means. Any help appreciated!
(using Windows Python install)

You didn't pip install cryptography or PyUSB
-- Brian

Getting the same backend error. Trying to reinstall just throws up an already installed reply. Windows 8.1
That is, trying to run the ./ cmds and the already installed elements are pyusb and crypt

runningnak3d said:
You didn't pip install cryptography or PyUSB
-- Brian
Click to expand...
Click to collapse
Well I did install those. When I try running pip install cryptography/PyUSB again, I get:
Code:
C:\lglaf>pip install cryptography
Requirement already satisfied: cryptography in c:\users\smtb\appdata\local\programs\python\python36-32\lib\site-packages
Requirement already satisfied: idna>=2.1 in c:\users\smtb\appdata\local\programs\python\python36-32\lib\site-packages (from cryptography)
Requirement already satisfied: six>=1.4.1 in c:\users\smtb\appdata\local\programs\python\python36-32\lib\site-packages (from cryptography)
Requirement already satisfied: asn1crypto>=0.21.0 in c:\users\smtb\appdata\local\programs\python\python36-32\lib\site-packages (from cryptography)
Requirement already satisfied: cffi>=1.7; platform_python_implementation != "PyPy" in c:\users\smtb\appdata\local\programs\python\python36-32\lib\site-packages (from cryptography)
Requirement already satisfied: pycparser in c:\users\smtb\appdata\local\programs\python\python36-32\lib\site-packages (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography)
C:\lglaf>pip install PyUSB
Requirement already satisfied: PyUSB in c:\users\smtb\appdata\local\programs\python\python36-32\lib\site-packages

I take it you aren't on Windows 10 so you can't install Ubuntu from the app store?
I can see now why @steadfasterX pushes FWUL (a Linux VM) for things like this. WIndows is such a freaking PITA
Hopefully someone that has Windows can help you, otherwise I am going to grab FWUL tomorrow and maybe change the procedure for people that aren't on WIndows 10.
-- Brian

ok, just tried the whole procedure from start to finish exactly for the second time and am getting the same "usb device not found"
I also tried the non windows 10 method and ended up having the same issue that smtb1963 has, including the laf crypto failed to import message at the top and I do believe that when it says no backend available under usb lib, that these ar basically the same error, no usb communication. I think i am going to try this on a unbuntu virtual box install and see if I get the same error

Verizon Pixel 2, assistance needed

Yes, there is a thread for unlocking the bootloader but that is for a previous version. If anyone with root is running the factory image for Android 9.0, we are in need of a bit image dump. If you can follow the link below and just provide the dump, I am more than happy to do the rest.
From what I have been noticing, there may be a hidden command that is preventing us from getting further in unlocking the bootloader. Any help to either prove or disprove this theory would be greatly appreciated. In the meantime, I am syncing with the aosp repo provided by Google.
Your help could greatly speed up the process ?
https://www.xda-developers.com/how-to-discover-hidden-fastboot-commands
Thank you

I've tried everything as far as decompiling system apks. Someone doing this would really really help out.

there is not one called aboot, here is a print out of what it shows. I did get the aboot1 and aboot2I uploaded them to my google drive.
walleye:/ $ su
walleye:/ # cd /dev/block/bootdevice/by-name
walleye:/dev/block/bootdevice/by-name # ls -all
total 0
drwxr-xr-x 2 root root 1540 1970-12-11 22:15:39.436666759 -0500 .
drwxr-xr-x 3 root root 1680 1970-12-11 22:15:39.436666759 -0500 ..
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.410000090 -0500 abl_a -> /dev/block/sda8
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.403333423 -0500 abl_b -> /dev/block/sda29
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.406666756 -0500 apdp_a -> /dev/block/sda14
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.426666758 -0500 apdp_b -> /dev/block/sda35
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.423333425 -0500 board_info -> /dev/block/sdf1
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:38.666666683 -0500 boot_a -> /dev/block/sda9
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.410000090 -0500 boot_b -> /dev/block/sda30
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.433333426 -0500 cdt -> /dev/block/sdd5
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.400000089 -0500 cmnlib64_a -> /dev/block/sda13
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.423333425 -0500 cmnlib64_b -> /dev/block/sda34
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.420000091 -0500 cmnlib_a -> /dev/block/sda12
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.416666757 -0500 cmnlib_b -> /dev/block/sda33
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.426666758 -0500 ddr -> /dev/block/sdd6
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.413333424 -0500 devcfg_a -> /dev/block/sda16
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.403333423 -0500 devcfg_b -> /dev/block/sda37
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.436666759 -0500 devinfo -> /dev/block/sdf4
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.416666757 -0500 dip -> /dev/block/sdd8
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.430000092 -0500 dpo -> /dev/block/sdd9
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:38.670000016 -0500 dtbo_a -> /dev/block/sda21
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.426666758 -0500 dtbo_b -> /dev/block/sda42
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.430000092 -0500 frp -> /dev/block/sdd4
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.430000092 -0500 fsc -> /dev/block/sdd17
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.433333426 -0500 fsg -> /dev/block/sdf3
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.413333424 -0500 hosd_a -> /dev/block/sda10
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.420000091 -0500 hosd_b -> /dev/block/sda31
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.400000089 -0500 hyp_a -> /dev/block/sda5
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.420000091 -0500 hyp_b -> /dev/block/sda26
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.423333425 -0500 keymaster_a -> /dev/block/sda11
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.413333424 -0500 keymaster_b -> /dev/block/sda32
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.420000091 -0500 limits -> /dev/block/sdd11
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.410000090 -0500 lockbooter_a -> /dev/block/sda2
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.420000091 -0500 lockbooter_b -> /dev/block/sda23
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.433333426 -0500 logfs -> /dev/block/sdd13
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.420000091 -0500 metadata -> /dev/block/sde4
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.420000091 -0500 mfg -> /dev/block/sdf2
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.426666758 -0500 misc -> /dev/block/sdd1
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.413333424 -0500 modem_a -> /dev/block/sda7
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.423333425 -0500 modem_b -> /dev/block/sda28
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.413333424 -0500 modemst1 -> /dev/block/sdd15
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.416666757 -0500 modemst2 -> /dev/block/sdd16
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.416666757 -0500 msadp_a -> /dev/block/sda15
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.426666758 -0500 msadp_b -> /dev/block/sda36
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.410000090 -0500 padding0 -> /dev/block/sda1
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.426666758 -0500 padding1 -> /dev/block/sda44
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:38.673333350 -0500 persist -> /dev/block/sdd3
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.430000092 -0500 pg1fs -> /dev/block/sde2
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.420000091 -0500 pg2fs -> /dev/block/sde3
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.406666756 -0500 pmic_a -> /dev/block/sda6
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.426666758 -0500 pmic_b -> /dev/block/sda27
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.416666757 -0500 ramdump -> /dev/block/sde1
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.420000091 -0500 reserve3 -> /dev/block/sdd18
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.433333426 -0500 reserve4 -> /dev/block/sde5
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.430000092 -0500 reserve5 -> /dev/block/sdf5
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.420000091 -0500 rpm_a -> /dev/block/sda3
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.413333424 -0500 rpm_b -> /dev/block/sda24
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.413333424 -0500 sec -> /dev/block/sdd7
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.420000091 -0500 splash -> /dev/block/sdd10
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.416666757 -0500 ssd -> /dev/block/sdd2
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.430000092 -0500 sti -> /dev/block/sdd14
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.413333424 -0500 storsec_a -> /dev/block/sda17
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.410000090 -0500 storsec_b -> /dev/block/sda38
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:38.670000016 -0500 system_a -> /dev/block/sda22
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.430000092 -0500 system_b -> /dev/block/sda43
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.430000092 -0500 toolsfv -> /dev/block/sdd12
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.423333425 -0500 trusty_a -> /dev/block/sda19
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.416666757 -0500 trusty_b -> /dev/block/sda40
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.420000091 -0500 tz_a -> /dev/block/sda4
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.416666757 -0500 tz_b -> /dev/block/sda25
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.403333423 -0500 userdata -> /dev/block/sda45
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:38.670000016 -0500 vbmeta_a -> /dev/block/sda18
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.426666758 -0500 vbmeta_b -> /dev/block/sda39
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:38.670000016 -0500 vendor_a -> /dev/block/sda20
lrwxrwxrwx 1 root root 16 1970-12-11 22:15:39.416666757 -0500 vendor_b -> /dev/block/sda41
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.430000092 -0500 xbl_a -> /dev/block/sdb1
lrwxrwxrwx 1 root root 15 1970-12-11 22:15:39.416666757 -0500 xbl_b -> /dev/block/sdc1
<
the.puppet.master said:
Yes, there is a thread for unlocking the bootloader but that is for a previous version. If anyone with root is running the factory image for Android 9.0, we are in need of a bit image dump. If you can follow the link below and just provide the dump, I am more than happy to do the rest.
From what I have been noticing, there may be a hidden command that is preventing us from getting further in unlocking the bootloader. Any help to either prove or disprove this theory would be greatly appreciated. In the meantime, I am syncing with the aosp repo provided by Google.
Your help could greatly speed up the process
https://www.xda-developers.com/how-to-discover-hidden-fastboot-commands
Thank you
Click to expand...
Click to collapse

I'm using the pixel 2 and have factory Android 9 /P . Unrooted and waiting for a way to unlock. What is it you need. And they were saying in the other thread if you took the ota to latest Android 9 there is no way it can be done. There will be a way and I know this ,maybe just a matter of time.

mattie_49 said:
I'm using the pixel 2 and have factory Android 9 /P . Unrooted and waiting for a way to unlock. What is it you need. And they were saying in the other thread if you took the ota to latest Android 9 there is no way it can be done. There will be a way and I know this ,maybe just a matter of time.
Click to expand...
Click to collapse
Sorry boss what he's looking for you can't offer, as you're not rooted. "If anyone with root is running the factory image for Android 9.0"
---------- Post added at 01:57 PM ---------- Previous post was at 01:54 PM ----------
@the.puppet.master did you get everything you needed? I'd be willing to update my Pix2 to 9.0 on stock to get what you need. I'm running an unlocked BL Pix2 on the July security patch. Since I mostly run stock, I'd be happy to assist... Just let me know...

b00ster23 said:
Sorry boss what he's looking for you can't offer, as you're not rooted. "If anyone with root is running the factory image for Android 9.0"
---------- Post added at 01:57 PM ---------- Previous post was at 01:54 PM ----------
@the.puppet.master did you get everything you needed? I'd be willing to update my Pix2 to 9.0 on stock to get what you need. I'm running an unlocked BL Pix2 on the July security patch. Since I mostly run stock, I'd be happy to assist... Just let me know...
Click to expand...
Click to collapse
We will surely have an unlock method before long correct? Since it's actually based off Htc I wonder if sunshine might be a route to unlock bootloader ? Actually just looked sunshine released a free tool for pixel /pixel XL called depixel8. Hopefully they will update for pixel 2. Wonder if it would even be worth a try on the 2. I don't think it would hurt anything . I'm almost willing to give it a go.

mattie_49 said:
We will surely have an unlock method before long correct? Since it's actually based off Htc I wonder if sunshine might be a route to unlock bootloader ? Actually just looked sunshine released a free tool for pixel /pixel XL called depixel8. Hopefully they will update for pixel 2. Wonder if it would even be worth a try on the 2. I don't think it would hurt anything . I'm almost willing to give it a go.
Click to expand...
Click to collapse
That exploit was patched in Android 7.1. You can try it, but it simply won't do anything at all. It will eventually happen, but at a standstill right now. I decompiled everything I could to find any other OEM fastboot commands, dialer codes, etc... Found a few unrelated things that, although still cool, did not aid in my quest to unlock the bootloader any.

crixley said:
That exploit was patched in Android 7.1. You can try it, but it simply won't do anything at all. It will eventually happen, but at a standstill right now. I decompiled everything I could to find any other OEM fastboot commands, dialer codes, etc... Found a few unrelated things that, although still cool, did not aid in my quest to unlock the bootloader any.
Click to expand...
Click to collapse
I've always needed to work on my patience anyway. Device is still amazing stock. Getting close to 2 days off charger and nearing 8 hours on screen. No complaints. Thanks for your response.

b00ster23 said:
Sorry boss what he's looking for you can't offer, as you're not rooted. "If anyone with root is running the factory image for Android 9.0"
---------- Post added at 01:57 PM ---------- Previous post was at 01:54 PM ----------
@the.puppet.master did you get everything you needed? I'd be willing to update my Pix2 to 9.0 on stock to get what you need. I'm running an unlocked BL Pix2 on the July security patch. Since I mostly run stock, I'd be happy to assist... Just let me know...
Click to expand...
Click to collapse
I haven't had time to do much of anything since posting this. I got hit with a heavy workload but I should be back on it the next few days. I'll post any findings I come across.
Thanks

the.puppet.master said:
I haven't had time to do much of anything since posting this. I got hit with a heavy workload but I should be back on it the next few days. I'll post any findings I come across.
Thanks
Click to expand...
Click to collapse
Pixel3 about to drop. Surely you guys will find the solution. Wish I knew more about it
So as to I could help.

Sorry to jump in the middle of the conversation. But if your looking for fastboot commands , there's plenty not mentioned anywhere. Using Linux I ran strings laf.img | grep OEM ,oem, etc. There's several lg commands. I even saw a command that , memory might be off, but it basically said skip check. May have printed it out. I'll post if so. Since there's no aboot.img as in previous Google phones I can only guess laf if the beholder now. It certainly hold a lot of info. Oddly I was able to extract it like a zip using 7z.
Sent from my Pixel 2 XL using Tapatalk

blueyes said:
Sorry to jump in the middle of the conversation. But if your looking for fastboot commands , there's plenty not mentioned anywhere. Using Linux I ran strings laf.img | grep OEM ,oem, etc. There's several lg commands. I even saw a command that , memory might be off, but it basically said skip check. May have printed it out. I'll post if so. Since there's no aboot.img as in previous Google phones I can only guess laf if the beholder now. It certainly hold a lot of info. Oddly I was able to extract it like a zip using 7z.
Click to expand...
Click to collapse
Your not interrupting anything . The op doesn't respond to anything. Oh well . It will be figured out. The matter is when

I'm surprised a year into this device none of the dozens of software masterminds haven't unlocked it. Every other Verizon phone seems to be getting unlocked, Samsung, LG. There's a couple sites saying that they can but using a drastic (might not get it back) system by essentially repartitioning it.
mattie_49 said:
Your not interrupting anything . The op doesn't respond to anything. Oh well . It will be figured out. The matter is when
Click to expand...
Click to collapse
Sent from my Pixel 2 XL using Tapatalk

blueyes said:
Sorry to jump in the middle of the conversation. But if your looking for fastboot commands , there's plenty not mentioned anywhere. Using Linux I ran strings laf.img | grep OEM ,oem, etc. There's several lg commands. I even saw a command that , memory might be off, but it basically said skip check. May have printed it out. I'll post if so. Since there's no aboot.img as in previous Google phones I can only guess laf if the beholder now. It certainly hold a lot of info. Oddly I was able to extract it like a zip using 7z.
Click to expand...
Click to collapse
You're on the xl and not regular pixel correct? I found a list of OEM fastboot commands for standard pixel, however a large portion did not work. I also researched and tried old HTC codes to see if perhaps they rehashed some. There was a fastboot command to get your unlock code, however entering it at htcdev does not work.

There's actually the same cmd to get pxl2s unlock code. Only useful after it's unlocked, same as the HTC. I have a OG xl, bought a Verizon 2xl thinking it'll be hacked as quickly as the OG. Just sold it on eBay, turned around and bought a Google version and didn't lose a dime.
crixley said:
You're on the xl and not regular pixel correct? I found a list of OEM fastboot commands for standard pixel, however a large portion did not work. I also researched and tried old HTC codes to see if perhaps they rehashed some. There was a fastboot command to get your unlock code, however entering it at htcdev does not work.
Click to expand...
Click to collapse
Sent from my Pixel 2 XL using Tapatalk
https://drive.google.com/file/d/1mE2IgQ8_Gc4HdyeJjHQDuLTtEZxHkJWf/view?usp=drivesdk
Printed up some of the cmds
---------- Post added at 03:13 PM ---------- Previous post was at 02:52 PM ----------
I think these guys could do it , if you read their posts. True hackers, borderline criminals. Lol
https://sinister.ly/Thread-Google-Pixel-2-XL-IMEIs-Verizon-GS

blueyes said:
There's actually the same cmd to get pxl2s unlock code. Only useful after it's unlocked, same as the HTC. I have a OG xl, bought a Verizon 2xl thinking it'll be hacked as quickly as the OG. Just sold it on eBay, turned around and bought a Google version and didn't lose a dime.
Sent from my Pixel 2 XL using Tapatalk
https://drive.google.com/file/d/1mE2IgQ8_Gc4HdyeJjHQDuLTtEZxHkJWf/view?usp=drivesdk
Printed up some of the cmds
---------- Post added at 03:13 PM ---------- Previous post was at 02:52 PM ----------
I think these guys could do it , if you read their posts. True hackers, borderline criminals. Lol
https://sinister.ly/Thread-Google-Pixel-2-XL-IMEIs-Verizon-GS
Click to expand...
Click to collapse
**SCRATCH MY ORIGINAL RESPONSE, I TOOK A CLOSER LOOK WHILE I'M AT WORK**
I see what you mean, those are not commands however in the sense that we can enter them ourselves. We need to find a way to spoof the initial check that starts the provision, or use one of these ideas:
1.) fastboot oem get_identifier_token - this would be hard as it would require either breaking htcs method of creating unlock.bin files, or finding a way to sign them after tampering.
2.)fastboot oem readconfig/writeconfig. In order to use this we would need to figure out which bit is the "secure" bit. I believe writeconfig actually works on our device

crixley said:
Are you referring to "Bootloader OEM.txt"? That has nothing to do with the bootloader at all and is actually referencing wifi from what I can see. "OEM" does not necessarily refer to the bootloader, but qualcomm, etc.. as well.
Click to expand...
Click to collapse
Can't believe it's been like this since March. Maybe the sunshine people will find a new way

mattie_49 said:
Can't believe it's been like this since March. Maybe the sunshine people will find a new way
Click to expand...
Click to collapse
Feel free to help out. I've spent hours and hours on top of late nights at a busy engineering firm and two children. A lot of the exploits have been figured out by near luck. It takes a lot of time and effort, and unfortunately pixel devices are not as developer supported as nexus ones were.
The fact that we are even in this situation and that google even allows verizon to run the show is frustrating enough.

crixley said:
Feel free to help out. I've spent hours and hours on top of late nights at a busy engineering firm and two children. A lot of the exploits have been figured out by near luck. It takes a lot of time and effort, and unfortunately pixel devices are not as developer supported as nexus ones were.
The fact that we are even in this situation and that google even allows verizon to run the show is frustrating enough.
Click to expand...
Click to collapse
I wish I knew where to even begin helping. I know quite a bit but my knowledge is all about after the bootloader is already unlocked. Sorry didn't mean for it to sound pushy. Didn't mean it like that. I have a new baby as well. Life comes first for sure

mattie_49 said:
I wish I knew where to even begin helping. I know quite a bit but my knowledge is all about after the bootloader is already unlocked. Sorry didn't mean for it to sound pushy. Didn't mean it like that. I have a new baby as well. Life comes first for sure
Click to expand...
Click to collapse
I didn't mean to be rude either, you seem like a nice guy it is just that honestly it is the best way to get something done. I have been using android a long time and learned through practice and a ton of reading. Sometimes it is the only way you'll see any results.
I thought of something else as well as a possible solution:
Since our chips are qualcomm, we could try finding the firehose files for our device and use qloader/qpst to write directly to the partition, or even just as an easy method to provide folks on here to flash android version back to when lock_critical worked (some sort of a command line tool perhaps?)

[RADIO] Cellular Radio Communication -\/ Modem | IMEI \/- Related Security Discussion

[RADIO] Cellular Radio Communication -\/ Modem | IMEI \/- Related Security Discussion!
I hope this Thread Section is A-Ok for the following. @MikeChanning i see this is one of which you are in control of. If not suitable please move it to where you see it is best fit for its final resting place. If you see this and i am sure i have the correct Mike from XDA..... Hey there guy.. =] been a while since we have spoke about the good ol days of the 90's and 00's internet. We will have to have another chat when time permits. Curious to hear more stories about my ex marketing associates and other mutual walks of underground life we ran around with.
Alright now to what I wanted to get a good discussion going on...
This whole discussion you are about to get into is spawned from my extended thirst for knowledge and related comment from @tecknight i just so happened to see moments ago. It is something that could use more educated discussion here as for one it's important to watch what you include in your EDL dumps or file pulls you provide to others. Secondly the more you know the better... The easier it is to *repair* loss of International Mobile Equipment Identity of your device without blowing a gasket!
tecknight said:
I will need all partitions except for:
fsg
modemst1
modemst2
Which contain unique information tied to your phone (IMEI, serial,etc)
I would recommend that you zip the partition images into an archive and upload them to Google drive on some other file sharing service, then PM the URL to me.
Click to expand...
Click to collapse
I too used to think that these partitions carried valuable information however after dealing with Android second operating system aka the RIL and reading various informative articles I have found out that only 2 of those are actually ones to really worry about except for [fsg] and some other partitions.
From what I understand and I have seen modem ST1 and modem st2 do you contain sensitive data however are encrypted and unreadable until you erase them and they get restored on the next reboot which I'm sure you already know. Now [modem] is just an ext4 partition containing nothing but radio firmware binaries themselves. As for [fsg] partition it's still doesn't contain all the NV items for instance and you won't find any IMEI there. Now [/dev/block/boot/device/by-name] directory however does have some interesting information according to articles and more I have recently read. Apparently according to the author of one part of where some of your information is coming from is the [tunning] partition which contained some references to NV items as well but totally different than the ones in [fsg]. Including [/nv/num/550 and [/nvm/context1/550]. When looking at the familiar patterns read from partitions [nvdiag_client -r -p /nvm/num/550] they showed up there more just as well.
This information is coming from a new 2019 Nokia model phone from what I'm Gathering but the bulk of it is common and applies to most all Qualcomm. Defile looked into was a raw binary on an EMMC partition but had some interesting regular structure despite having no file system it appeared as one. This my friends would be the second operating system on Android the RIL. This is where all the complicated work goes on when it comes to programming anything radio related. I am very limited and have unlock numerous phones in my time. Really the most experience I have is with CDMA going back to early days of last decade. So this is all still interesting information I am glad to have came across and share to everyone here. Ok.. Back to this strange amazing structure it appears to contain name-contents and also some o d d ustar references. to some when seeing this you might realize where you have seen them before.. Think and try applying tar xf ... ? With me?
[fsg] and [tunning] partitions are just TAR archives with logic structured EFS items critical for the handsets radiomodule functionality. They are apparently also TOTALLY unencrypted unlike modemst1 and modemst2 partitions that get restored from these. .... So now down to the obvious reason you would do this.. to repair and more by modifying their TAR contents and erasing the modesmst1 and modemst2 partitions that, again, get restored from these you can either repair or run game on the EFS and for example have complete total File System control in a "custom rom" and could create whats been done already but not so advanced as the ideas I have in my mind which would be randomization of these very important sacred identifier numbers 14 numbers long with a luhn check digit. The author i gathered some of this information from has already created a very small self spawning shell script running in busybox of a certain rooted Custom ROM. I don't want to lead this down the negative road and get this convo banned with those of us choosing to discuss how everything works warned/banned so i will end this here.
However if mods do not mind us discussing this in detail simply as protection measures to be watched and or protected by means of hardening security in this area that would be great and I could show an example of a simple small script that does would do the imei repair or worse with ease in a matter of seconds ...
I see positive and negative out of this and already have a load of PoC's that will work. This which people more dedicated than myself these days to research leading to action in the pentesting field might find interesting not to mention including all HATS, cellular manafacturers, ROM programmers, companies both large and small and so many more...
I would love those more experienced in this disucssion to chime in with their comments and correct me / update me if and where I am off and of course make it easier for XDA members to understand what gives so many trouble and renders devices useless unless fixed.. -=]
.
.
.
/me inserts Lamar Burks photo and whispers "this has been a reading rainbow moment" ha ha..
q=]
-noidodroid

RESERVED ..
(off to count sheep for a while - ZZZzz..)

Bump.. nobody?

Anyone ?? Surprised nobody has researched this

I would be interested to know more specific information about the topics you would like to discuss. I can see you have given thoughtful consideration to forum choice and posting guidelines, however the original message is just a little TOO circumspect and vague for me to follow. I am particularly interested to hear about your observations of the RIL and file system in this recent Nokia release, and where you see the vulnerabilities lie. If you could maybe also give some hypothetical scenarios as to how exploitations of your observations might look IRL (yes... IRL, not RIL, lol!). I am at a stage where I'm still learning about the enormous amount of unseen stuff on Android (filesystems, partitions, libraries, APIs, the nuts and bolts of the OS, all the mysterious looking stuff, and of course, the radio interface layer and all its constituents - which, I believe, are STILL relatively insecure - which I think it's also the point of your discussion...).
So... Yes... If you could perhaps give a more concise account of your observations, and perhaps a few starter questions, hopefully those with more knowledge than us might deign to lower themselves to our sordid little level, and get a little dirt on their polished fingernails sharing that sweet sweet knowledge...

With the correct information about this could u technically get any phone from the past working on any carrier or cdma /gsm and then lte (or is that hardware capabilities ) . I'm off topic slightly but not really

thorax.x said:
I would be interested to know more specific information about the topics you would like to discuss. I can see you have given thoughtful consideration to forum choice and posting guidelines, however the original message is just a little TOO circumspect and vague for me to follow. I am particularly interested to hear about your observations of the RIL and file system in this recent Nokia release, and where you see the vulnerabilities lie. If you could maybe also give some hypothetical scenarios as to how exploitations of your observations might look IRL (yes... IRL, not RIL, lol!). I am at a stage where I'm still learning about the enormous amount of unseen stuff on Android (filesystems, partitions, libraries, APIs, the nuts and bolts of the OS, all the mysterious looking stuff, and of course, the radio interface layer and all its constituents - which, I believe, are STILL relatively insecure - which I think it's also the point of your discussion...).
So... Yes... If you could perhaps give a more concise account of your observations, and perhaps a few starter questions, hopefully those with more knowledge than us might deign to lower themselves to our sordid little level, and get a little dirt on their polished fingernails sharing that sweet sweet knowledge...
Click to expand...
Click to collapse
Thanks for replying. Basically what I am trying to get discussion on here is where critical modem related files and RIL files (imei, esn, etc) reside within the files listed and whether or not one can trully gain enough information from said files to find that information. I already know the answer and also wanted to make it a point to others on what not to include in your EDL / Firmware dumps as it could be used by the wrong hands. I also had a bunch of other information more detailed but it looks like its been edited out by someone... Maybe a bit TOO detailed. ha
I will come up with some more direct questions sometime when i get a few minutes free.

.......

camm44 said:
With the correct information about this could u technically get any phone from the past working on any carrier or cdma /gsm and then lte (or is that hardware capabilities ) . I'm off topic slightly but not really
Click to expand...
Click to collapse
Technically yes and no. If the idea i mentioned will write out through serial to RIL and all security is saved or updated then yes but the other methods would be a soft IME! spoof so to speak and the other advanced methods well i cant discuss these as yeah they really could be something new not ever explored. Simply ideas for exploring to help security improve NOT to defraud or do anything illegal... -=]

What programs can be used to read binary code from phone partitions ?

OP topic is not clear...
:good:
thorax.x said:
I would be interested to know more specific information about the topics you would like to discuss. I can see you have given thoughtful consideration to forum choice and posting guidelines, however the original message is just a little TOO circumspect and vague for me to follow. I am particularly interested to hear about your observations of the RIL and file system in this recent Nokia release, and where you see the vulnerabilities lie. If you could maybe also give some hypothetical scenarios as to how exploitations of your observations might look IRL (yes... IRL, not RIL, lol!). I am at a stage where I'm still learning about the enormous amount of unseen stuff on Android (filesystems, partitions, libraries, APIs, the nuts and bolts of the OS, all the mysterious looking stuff, and of course, the radio interface layer and all its constituents - which, I believe, are STILL relatively insecure - which I think it's also the point of your discussion...).
So... Yes... If you could perhaps give a more concise account of your observations, and perhaps a few starter questions, hopefully those with more knowledge than us might deign to lower themselves to our sordid little level, and get a little dirt on their polished fingernails sharing that sweet sweet knowledge...
Click to expand...
Click to collapse
The nature of the discussion here is very unclear to say the least, does the OP have information to share with the community or it is looking for information? Seems like others are interested in the VERY BROAD topic but does not even know where to start a real discussion here. If the OP has valuable info please start by sharing that first and then the community can build on that, thanks

Excellent thread. One of the reasons I no longer use SIM cards is to avoid IMSI catcher detection by bad players. However, even when my Pixel wasn't rooted, a simple PlayStore App showed me local cell towers and they easily detected by IMEI number. I don't even know if Airplane mode does anything. Airplane mode prevents mobile data and telephony Apps from working, but does it prevent leakage of IMEI?

camm44 said:
What programs can be used to read binary code from phone partitions ?
Click to expand...
Click to collapse
What exactly are you trying to read? Which sections of the phone?

alipendier said:
:good:
The nature of the discussion here is very unclear to say the least, does the OP have information to share with the community or it is looking for information? Seems like others are interested in the VERY BROAD topic but does not even know where to start a real discussion here. If the OP has valuable info please start by sharing that first and then the community can build on that, thanks
Click to expand...
Click to collapse
DirtyAngelicaSecured said:
Excellent thread. One of the reasons I no longer use SIM cards is to avoid IMSI catcher detection by bad players. However, even when my Pixel wasn't rooted, a simple PlayStore App showed me local cell towers and they easily detected by IMEI number. I don't even know if Airplane mode does anything. Airplane mode prevents mobile data and telephony Apps from working, but does it prevent leakage of IMEI?
Click to expand...
Click to collapse
Thanks for replying guys. Basically I wanted more discussion on what crucial modem related details such as your IMEI for example reside within modemst1, modemst2, and FSG. This is with the Android operating system and is not only limited to the Nokia that I mentioned. Pretty much should be the same for Qualcomm phones but others I am not so certain. It would be interesting to know across all types of chipsets what we should protect and what is really not a big of a concern as we have always thought. There are already some discussions fear that are great that deal with unlocking T-Mobile and some other carriers but I don't really want to get into that kind of discussion as moderators will can our posts quick. These are some of my ideas in addition to the things I mentioned in the lengthy OP. Would be great to see what we really do need to be careful about and this is also can be a primer for how to repair our lost numbers if need be. Encourage any chat related to the RIL underbelly, modem files, sensitive related files and do hope some of you with greater knowledge then I and others will chime in.
RE: IMSI CATCHERS - I don't worry so much about these. I have monitored Towers for years everywhere I went as a hobby. If you are some kind of person caught in a large group of people such as a rally these are the type of places you really want to be sure to secure your phone. You can buy some material and make a ESD jamming protectant bag to conceal your phone. I just actually bought a roll for the heck of it so I could line my wallets and also a safe box and safe pouch. Again saying I don't worry kind of I guess you could say would be an understatement but I did all of this for sport as I like to put it. Perhaps one day I really will have to use it. Walking to almost any T-Mobile store for example with a booster and you've already connected to an imsi.

Downgrade modem
Hello guys, I currently have an S10e and I have the imei at 0 and that is why I am investigating since the binary 6 is very new and they have not yet launched the exploid to violate this security ... But the issue of radios, modems, ril and baseband have always interested me
noidodroid said:
Thanks for replying guys. Basically I wanted more discussion on what crucial modem related details such as your IMEI for example reside within modemst1, modemst2, and FSG. This is with the Android operating system and is not only limited to the Nokia that I mentioned. Pretty much should be the same for Qualcomm phones but others I am not so certain. It would be interesting to know across all types of chipsets what we should protect and what is really not a big of a concern as we have always thought. There are already some discussions fear that are great that deal with unlocking T-Mobile and some other carriers but I don't really want to get into that kind of discussion as moderators will can our posts quick. These are some of my ideas in addition to the things I mentioned in the lengthy OP. Would be great to see what we really do need to be careful about and this is also can be a primer for how to repair our lost numbers if need be. Encourage any chat related to the RIL underbelly, modem files, sensitive related files and do hope some of you with greater knowledge then I and others will chime in.
RE: IMSI CATCHERS - I don't worry so much about these. I have monitored Towers for years everywhere I went as a hobby. If you are some kind of person caught in a large group of people such as a rally these are the type of places you really want to be sure to secure your phone. You can buy some material and make a ESD jamming protectant bag to conceal your phone. I just actually bought a roll for the heck of it so I could line my wallets and also a safe box and safe pouch. Again saying I don't worry kind of I guess you could say would be an understatement but I did all of this for sport as I like to put it. Perhaps one day I really will have to use it. Walking to almost any T-Mobile store for example with a booster and you've already connected to an imsi.
Click to expand...
Click to collapse

vodoque said:
Hello guys, I currently have an S10e and I have the imei at 0 and that is why I am investigating since the binary 6 is very new and they have not yet launched the exploid to violate this security ... But the issue of radios, modems, ril and baseband have always interested me
Click to expand...
Click to collapse
Keep this "But the issue of radios, modems, ril and baseband have always interested me" kind of talk here and move the s10e talk to their forums. Much cleaner this way. Plus better answers for you. =]

Hi,
1-Firstly I want to ask something are you chronovir. ? if you are the one can you give me your mail adress I want to contact with you
2-When I started to research the android phone in my hand and to examine its partition, I realized that there is no source on the internet.The phone I am currently using is xiaomi mi note 10 lite.Information is usually removed because the illegal part is used some people for bad purposes.No one know anyting about what quallcom partitions do in phone. In the sources I have found now, in addition to modemst1, modemst2 and fsg, some of them also say fsc partition also related to imei.In my phone there is no tunning partition maybe in my phone name is fsc. in my phone there is quallcom chipset.I can backup my nvdata via qualcomm qpst software and it takes backup filename extension qcn or xqcn type.In my phone, when I tried to change imei numbers just beacuse out of curiosity (not illegal purposes) first I delete modemst1, modemst2 and fsg partition after that I edit qcn file and change both imei. after flashed phone detect to imei change and reboot phone in recovery mode and show nv data is corrupted writing . the only fix is the wipe data and after that when my phone open there is no signal or change.If I change only imei2 and delete imei1 . There is no security phone works correctly but only sim2 have signal sim1 cant work anymore.I think inside to rom there is protection. When I searched to rom. I find 2 things. in build.prop there is one sting name is ro.miui.restrict_imei=1 I think this one related to protection but in the internet noting found.Also I find another file but I dont want to say in this forum because of the illegal usage.I dont like apple because of the reason is apple is black box.Do you know.I pull my phone modemst1,modemst2,fsg partition in .img format.I want to edit in my pc but I cant find any method.
2-if you have any android phone can you look at the bk51 and bk52 partition.I suspect those partition but I cannot understand what happened because my knowledge is limited.
Sorry my bad english
I am sharing my phone partition name and list:
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 abl -> /dev/block/sde36
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 ablbak -> /dev/block/sde37
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 aop -> /dev/block/sde16
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 aopbak -> /dev/block/sde17
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 apdp -> /dev/block/sde8
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 bk01 -> /dev/block/sda4
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 bk02 -> /dev/block/sda5
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 bk03 -> /dev/block/sda6
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 bk04 -> /dev/block/sda7
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 bk05 -> /dev/block/sda10
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 bk06 -> /dev/block/sda13
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 bk07 -> /dev/block/sda15
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 bk08 -> /dev/block/sda20
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 bk09 -> /dev/block/sda22
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 bk31 -> /dev/block/sdd1
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 bk32 -> /dev/block/sdd3
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 bk33 -> /dev/block/sdd5
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 bk41 -> /dev/block/sde5
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 bk43 -> /dev/block/sde24
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 bk44 -> /dev/block/sde30
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 bk45 -> /dev/block/sde40
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 bk47 -> /dev/block/sde50
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 bk51 -> /dev/block/sdf3
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 bk52 -> /dev/block/sdf4
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 bluetooth -> /dev/block/sde27
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 boot -> /dev/block/sde49
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 cache -> /dev/block/sda29
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 catecontentfv -> /dev/block/sde29
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 catefv -> /dev/block/sde19
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 cateloader -> /dev/block/sde32
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 cdt -> /dev/block/sdd2
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 cmnlib -> /dev/block/sde20
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 cmnlib64 -> /dev/block/sde22
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 cmnlib64bak -> /dev/block/sde23
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 cmnlibbak -> /dev/block/sde21
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 core_nhlos -> /dev/block/sde51
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 cust -> /dev/block/sda31
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 dbg -> /dev/block/sda3
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 ddr -> /dev/block/sdd4
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 devcfg -> /dev/block/sde14
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 devcfgbak -> /dev/block/sde15
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 devinfo -> /dev/block/sda17
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 dip -> /dev/block/sde28
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 dsp -> /dev/block/sde48
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 dtbo -> /dev/block/sde45
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 exaid -> /dev/block/sda30
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 frp -> /dev/block/sda9
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 fsc -> /dev/block/sdf2
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 fsg -> /dev/block/sdf1
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 gsort -> /dev/block/sde44
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 hyp -> /dev/block/sde42
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 hypbak -> /dev/block/sde43
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 ifaa -> /dev/block/sde46
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 imagefv -> /dev/block/sda27
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 keymaster -> /dev/block/sde25
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 keymasterbak -> /dev/block/sde26
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 keystore -> /dev/block/sda8
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 limits -> /dev/block/sde4
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 logdump -> /dev/block/sda24
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 logfs -> /dev/block/sda14
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 logo -> /dev/block/sde47
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 metadata -> /dev/block/sda19
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 minidump -> /dev/block/sda25
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 misc -> /dev/block/sda11
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 modem -> /dev/block/sde52
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 modemst1 -> /dev/block/sdf5
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 modemst2 -> /dev/block/sdf6
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 msadp -> /dev/block/sde9
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 multiimgoem -> /dev/block/sde1
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 multiimgqti -> /dev/block/sde2
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 oem_misc1 -> /dev/block/sda18
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 oops -> /dev/block/sda16
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 persist -> /dev/block/sdf7
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 persistbak -> /dev/block/sdf8
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 qupfw -> /dev/block/sde6
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 qupfwbak -> /dev/block/sde7
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 rawdump -> /dev/block/sda26
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 recovery -> /dev/block/sda28
lrwxrwxrwx 1 root root 14 1970-03-22 19:02 sda -> /dev/block/sda
lrwxrwxrwx 1 root root 14 1970-03-22 19:02 sdb -> /dev/block/sdb
lrwxrwxrwx 1 root root 14 1970-03-22 19:02 sdc -> /dev/block/sdc
lrwxrwxrwx 1 root root 14 1970-03-22 19:02 sdd -> /dev/block/sdd
lrwxrwxrwx 1 root root 14 1970-03-22 19:02 sde -> /dev/block/sde
lrwxrwxrwx 1 root root 14 1970-03-22 19:02 sdf -> /dev/block/sdf
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 secdata -> /dev/block/sde3
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 splash -> /dev/block/sda21
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 spunvm -> /dev/block/sde41
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 ssd -> /dev/block/sda2
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 storsec -> /dev/block/sde11
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 super -> /dev/block/sda23
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 switch -> /dev/block/sda1
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 toolsfv -> /dev/block/sde35
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 tz -> /dev/block/sde38
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 tzbak -> /dev/block/sde39
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 uefisecapp -> /dev/block/sde33
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 uefisecappbak -> /dev/block/sde34
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 uefivarstore -> /dev/block/sde18
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 userdata -> /dev/block/sda32
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 vbmeta -> /dev/block/sde10
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 vbmeta_system -> /dev/block/sde12
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 vbmeta_vendor -> /dev/block/sde13
lrwxrwxrwx 1 root root 16 1970-03-22 19:02 vm-data -> /dev/block/sda12
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 xbl -> /dev/block/sdb2
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 xbl_config -> /dev/block/sdb1
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 xbl_configbak -> /dev/block/sdc1
lrwxrwxrwx 1 root root 15 1970-03-22 19:02 xblbak -> /dev/block/sdc2