For a while now I have known that you can attach a terminal emulator to /dev/ttyACM0 while in download mode and send AT commands directly to the modem.
All the commands that I pulled out of /system/bin/atd (the daemon that your dialer, SMS app, etc talk to) were pretty useless while booted into laf. However, this changes all that.
These guys figured out how to toggle the USB configuration while booted into the OS so that you can send AT commands directly to the modem. Here is a video of what can be accomplished with this exploit: link.
I have tested this on the V20 (both H910 and H918), and the modem firmware is still vulnerable.
My H910 is not rooted and is encrypted, and I was able to unlock it when only a PIN code or pattern was used. I was NOT able to unlock it if a fingerprint had been set up. However, I WAS able to pull any file I wanted off the phone even though I could not unlock it. I was also able to make and receive calls.
Code:
/dev/ttyACM0 > AT%KEYLOCK=0
+CIEV: 1,3
+CIEV: 1,4
+CIEV: 1,3
AT%KEYLOCK=0
[0]KEYLOCK OFF
OK
Dialing 611 with the phone locked:
Code:
/dev/ttyACM0 > ATD611
+CIEV: 1,3
ATD611
/dev/ttyACM0 > ATH
NO CARRIER
TL;DR: Make SURE you use the fingerprint sensor if you are even remotely worried that someone might get into your phone. Even if you do use a fingerprint, someone can still make calls / send text messages.
Also, I will not provide simple instructions on how to recreate this for the simple fact that THIS exploit has NO value other than to F**K someone ELSE over. Unlocking a bootloader helps YOU. Bypassing security even on a non-rooted phone helps NO ONE.
EDIT: Just to be clear, this is not YET known to be a remote exploit. It requires the phone to be connected to a PC.
Also, a link to their official research.
-- Brian
That was really fun to watch.
Little bit of background first...
Finally got my parents (senior citizens) into the smartphone era after StraightTalk started doing BYOP and I'd had good service so far, but rather than use his old HTC phone which badly needed replacing, he opted to buy the Huawei Sensa (H710VL) branded by TRACFONE and with service via StraightTalk. Fast forward several months, and the old man has discovered a deal for senior citizens from T-Mobile that he likes better, and has opted to switch carriers. Well, he tried to do BYOP with TMOUS and just continue using the H710VL which he likes, but was informed that they wouldn't unlock the phone for another month because they won't do so until you've had it for a year. So therein came my opportunity to promise something I apparently cannot deliver (I told him I'd take the phone home and unlock it for him!). He (wisely) decided not to wait for me, and went ahead and bought a new phone from TMOUS so he could initiate his new service with them without delay. But I still want to unlock this phone for him, if at all possible!
Fast-forward a few more days--well, I've been screwing around with this phone in the evenings for the past three days, trying to get the bootloader unlocked, and I'm at an impasse. First I had to tangle with the Google account verification, which wouldn't let me even sign into the phone after boot and get to the home screen because I had done a hard reset of the phone first, and didn't have the old man's Google account and password with which to sign back in. Fortunately, intrepid folks who came before me already found a way around that first hurdle. I took the following steps:
1. Went thru HWStartupGuide process until I was able to connect to my home WiFi network. So, internet connection is established.
2. Backed out of there to get to the first setup screen after the TRACFONE splash screen on boot, and used the "emergency calls only" escape hatch to navigate to the stock dialer app.
3. In stock dialer app, entered (without the quotation marks) "*#*#6130#*#*" which took me to the SIM Card Settings screen. Tapped three-dot menu, tapped, "Add SIM Contact," which took me to the native Huawei Contacts app. In Contacts app for the SIM card, tapped "Add Contact," made dummy contact called "Test" with a ph# of 1234. From list of contacts, tapped the "message" bubble icon next to the new "Test" contact, which opened the stock Messages app.
4. In stock Messages app, typed and sent message with the text "www.youtube.com." For obvious reasons the message doesn't send, but it does appear in the messages window, which renders the draft text's content into a hyperlink to YouTube. Bingo! Tapped link and opened up the YouTube app.
5. From the YouTube app, tapped the three-dot menu again, and tapped Privacy Policy from there. Now I'm into Chrome! Opened Chrome without signing in, and navigated to Google.com.
6. From Google.com, searched and then downloaded apk for Test DPC app. Installed Test DPC and set myself up as the new device owner.
7. Now that I'm the device owner, you'd think it would bypass the Google account verification requirement in HWStartupGuide, but no dice. So, rebooted, took same steps to get back into Chrome. From Chrome, I was able to get to the stock Google device search and navigate to the Settings app.
8. From device Settings app, changed settings to allow installations from unknown sources, then I set the option to allow USB debugging, and opened up the dev options to select "Allow OEM Unlock" in preparation for unlocking the locked bootloader, using the unlock code previously sourced from the official Huawei EMUI unlock code site.
So, to sum up, I've got access to the device in general, can use the web and all the apps on the device, and was thus finally able to disable HWStartupGuide to prevent the previous headache from cropping up again. Here's where the impasse starts.
I have Android SDK and everything I need on my laptop (to the best of my knowledge) to facilitate unlocking, flashing, and all the other fun stuff we love to do with our phones.
I was able to confirm the USB and Android drivers are correct and working fine, as I got both fastboot and adb to recognize and list the device when connected via USB cable to the laptop, and it worked both in command prompt and in PowerShell. Fastboot and ADB commands appear to work when facilitated and entered correctly. That is...UNTIL I tried to use the "fastboot oem unlock <unlock code here>" command. It just says "FAILED" with no error code. I tried this from my stock boot options screen (the screen you get when you boot or restart with power and vol-down pressed), and from the stock recovery screen, both to no avail.
This is where I'm all twisted up. There either doesn't appear to be a true bootloader screen to navigate to, or it's purposefully inaccessible, and I don't know how to get to it. If you do an "adb reboot bootloader" command, it just reboots the phone to the Android home screen. The only options from the boot options screen are "Power" (turn phone off), "Start" (boot to Android home screen), "bar codes" (screen that shows bar codes for the phone's IMEI, Serial #, etc), and "reboot recovery" (stock EMUI recovery screen), where the only options are "Wipe/Factory Data Reset," "Wipe Cache," and "Reboot."
I feel like if I could get to a true bootloader screen that allows me to enter adb or fastboot command strings in such fashion that you can enter it and then see the process play out on your device screen, then the unlock code from Huawei would probably work and the bootloader would be unlocked, thereby allowing me to root and flash a better ROM, or at least eliminate bloatware and optimize the device for performance. But for whatever reason, and I assume it's purposeful on the part of TRACFONE/StraightTalk, tbh, there isn't a fastboot-capable bootloader screen like my years of using HTC phones taught me to take for granted.
So there I be...stuck, even WITH the unlock code from Huawei! What a crock! I know TMOUS will apparently unlock it in a month or so, but to me, that's not the point. I should be able to accomplish it on my own with the unlock code I got from Huawei. And that's why I'm throwing my hands up and begging for help.
Is there anything else I can try? Is there any other devious way to perhaps flash a different bootloader interface onto the phone that would allow me to use fastboot commands properly? Is it possible to mount the SD card from bootloader and push an apk to it that would install some kind of generic bootloader screen? I'm now a little out of my league, but I am willing to try just about anything that anyone thinks might work. Any advice or suggestions warmly welcomed...not worried about bricking the phone or anything, as it's not much better than a paperweight in its current form anyway.
Thanks!!
smb282
So my GF has doubts that her phone (Samsung A5) has been tapped by her ex BF, who knew her phone password and did take care of all devices they possessed.
Assuming that is the case, will a factory reset remove tracking software from her phone, or will I have to flash her phone with a fresh OS to be sure the software has been removed completely?
gesaugen said:
So my GF has doubts that her phone (Samsung A5) has been tapped by her ex BF, who knew her phone password and did take care of all devices they possessed.
Assuming that is the case, will a factory reset remove tracking software from her phone, or will I have to flash her phone with a fresh OS to be sure the software has been removed completely?
If the ex actually did something like that and embedded into the system partition on the device, a factory reset will not remove it.
You would need to flash the device with the firmware to remove it; you may even need to use the "re-partition" option in Odin when you flash the device.
It would also be wise to change the password on her Google account before flashing the device. To be thorough, change the password and maybe even the email/username while you're at it, then go to system settings and remove the account, sign back in with the new email/password, then flash the device; after flashing and booting, sign back in with the new account details.
I would also change passwords and account details for any other apps on the device, such as Facebook, Facebook Messenger, any other email addresses or other email apps, and any other types of social media apps or other apps that require an email/username and password. Change any and everything on the device that the ex could have possibly had access to. If she also has other devices or PCs synced with her phone or email, I'd change the details on those other devices/PCs as well. If she has WiFi at home, change its password and maybe even see about changing the IP of her modem/router.
Then, after that, make sure she doesn't click on/open/download anything from anyone that she doesn't know, including multimedia texts/pics, it could be the ex trying to embed something again, opening it will just compromise the device again.
Sent from my LGL84VL using Tapatalk
While what Droidriven is saying is correct, first things first. Has the phone been unlocked and/or rooted? If the phone is locked (*Not tampered) then all of that is overkill. Here's a simple test that you can do to see how at risk you are. Start the phone in Bootloader mode and see what it says at the top. It will either say Locked, Locked *Tampered, Unlocked or Unlocked *Tampered. Locked is exactly what it sounds like: the phone is factory locked. Unlocked again means exactly what it says: the phone is factory unlocked. The caveat is the Tampered. So you can unlock a phone and lock it back, which will result in the tampered tag/statement. In which case anything could have been done or undone once the phone was unlocked, even if it says locked. If the phone simply says Locked, there is no need to panic and simply factory resetting the phone will erase anything that the ex may have done or installed. If the tampered tag/statement appears, that's when more detailed steps should be taken, as described by Droidriven. It is always advisable to change passwords after a breakup even if you don't suspect foul play, as a precaution. If she fears foul play, Google offers 2-Step Verification, which I highly recommend anyway, which allows the account holder to use an authentication app that randomly generates codes to access the account and also prevents anyone from accessing the account without the user's phone in their direct possession. Google also offers security screening tools that allow users to see where they are signed in, when the last time that sign-in point was accessed, and the ability to sign out of sessions that may still be active. Furthermore, Google offers notifications that will text or email a user any time a sign-in occurs, allowing the user full disclosure and control over their account. Although not mentioned, Facebook also offers similar tools and notifications should the concern arise.
First things first, however: find out how to log into your Bootloader and verify if the device has ever been tampered with, and then work from there.
VidJunky said:
While what Droidriven is saying is correct, first things first. Has the phone been unlocked and/or rooted? If the phone is locked (*Not tampered) then all of that is overkill. Here's a simple test that you can do to see how at risk you are. Start the phone in Bootloader mode and see what it says at the top. It will either say Locked, Locked *Tampered, Unlocked or Unlocked *Tampered. Locked is exactly what it sounds like: the phone is factory locked. Unlocked again means exactly what it says: the phone is factory unlocked. The caveat is the Tampered. So you can unlock a phone and lock it back, which will result in the tampered tag/statement. In which case anything could have been done or undone once the phone was unlocked, even if it says locked. If the phone simply says Locked, there is no need to panic and simply factory resetting the phone will erase anything that the ex may have done or installed. If the tampered tag/statement appears, that's when more detailed steps should be taken, as described by Droidriven. It is always advisable to change passwords after a breakup even if you don't suspect foul play, as a precaution. If she fears foul play, Google offers 2-Step Verification, which I highly recommend anyway, which allows the account holder to use an authentication app that randomly generates codes to access the account and also prevents anyone from accessing the account without the user's phone in their direct possession. Google also offers security screening tools that allow users to see where they are signed in, when the last time that sign-in point was accessed, and the ability to sign out of sessions that may still be active. Furthermore, Google offers notifications that will text or email a user any time a sign-in occurs, allowing the user full disclosure and control over their account. Although not mentioned, Facebook also offers similar tools and notifications should the concern arise.
First things first, however: find out how to log into your Bootloader and verify if the device has ever been tampered with, and then work from there.
As far as I know, Samsung does not have bootloader mode, it uses Download Mode, otherwise known as factory mode or Odin mode. It also does not quite display the information that you described as you described it. Some Samsung devices may or may not display bootloader status as "locked" or "unlocked", I've never seen anything about Samsung devices ever showing anything about *Tampered. I've seen devices show "custom binary" or "official binary" and show system status as "official" or "custom", some show info for secure boot, activation lock, kernel lock or Knox warranty void.
But, none of this necessarily has anything to do with whether something could have been embedded into system. You can push things to system even if the bootloader is locked and without "triggering" anything or being "flagged" by the system.
Plenty of Samsung devices have been rooted without unlocking the bootloader, without tripping Knox or Qfuse, and will show binary status as "Custom" (the one thing that does show that the device is rooted/tampered, but it still doesn't necessarily indicate any malicious code that might have been placed by the ex; just rooting the device and nothing else would give the same result), all locks at default status as "locked" (non-tampered), and system status as "Official".
Given that the ex was the one that took care of and managed all devices that she owned, I would just take the thorough route just to cover the bases just because there are so many points of entry that the ex could have set up among all of the devices/equipment that she has.
Sent from my LGL84VL using Tapatalk
While I'll give you that there may be differing nomenclature for the things I mentioned, I've never heard of any way to reach the root of a device without going through the bootloader and without leaving some evidence. While I cannot find an actual picture of the bootloader screen, in the link below there's a picture of the recovery menu where you can see the second option on the Samsung A5, Reboot into Bootloader. Ultimately it's up to the OP, but becoming tech savvy enough to root a device is not for everyone. If the device shows no signs of being rooted, learning how to root a device just in case seems less than worthwhile. OP, you could also try one of the root detectors on the Play Store.
https://www.teamandroid.com/2017/01/28/enter-recovery-mode-samsung-galaxy-a5-2017/
VidJunky said:
While I'll give you that there may be differing nomenclature for the things I mentioned, I've never heard of any way to reach the root of a device without going through the bootloader and without leaving some evidence. While I cannot find an actual picture of the bootloader screen, in the link below there's a picture of the recovery menu where you can see the second option on the Samsung A5, Reboot into Bootloader. Ultimately it's up to the OP, but becoming tech savvy enough to root a device is not for everyone. If the device shows no signs of being rooted, learning how to root a device just in case seems less than worthwhile. OP, you could also try one of the root detectors on the Play Store.
https://www.teamandroid.com/2017/01/28/enter-recovery-mode-samsung-galaxy-a5-2017/
This tells me that you aren't familiar with Samsung devices, because plenty of Samsung devices have been rooted without unlocking the bootloader; I couldn't even begin to count them all. Unlocking the bootloader is really only necessary if flashing a custom recovery or custom ROM. Not all Samsung devices are rooted by flashing a custom recovery to gain root. Most of the Samsung devices sold in the US have a locked bootloader that cannot be unlocked by any means whatsoever, yet these devices can be rooted. Obviously, they have been rooted without unlocking the bootloader.
Yes, it may have the "reboot bootloader" option in recovery; if selected, that will boot you into download mode/Odin Mode. Typically, what you are describing with bootloader mode applies to devices that use fastboot. Samsung does not use fastboot; it isn't compatible with fastboot. adb works with Samsung, but fastboot does not work with Samsung in any way, shape, form or fashion.
And it is possible to root a Samsung device, then install something in system and then remove root immediately after (which means that a root checker will not see anything), and it won't show anything in Odin mode, won't trip Knox or Qfuse and will still show Official in Odin mode. If it is rooted, then an app is pushed to system, then root is immediately removed, and this was all done without rebooting the device in the process, then the bootloader, Knox, Qfuse and all that never even detect that root was ever there, because it was removed, which means it never gets loaded at boot for the bootloader and other security code to see that root was there. Some can be rooted and then flash TWRP using Loki without unlocking the bootloader, which "shouldn't" be possible with a locked bootloader, yet it is done.
I'm just saying, it isn't always as detectable as you imply.
Sent from my LGL84VL using Tapatalk
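A first-pass version of the check VidJunky and Droidriven are debating, written in Python as an added example (it is not code from this thread or from any of its posters): save the output of `adb shell getprop` to a file and flag the lock and tamper indicators that Android and Samsung firmware expose as properties. The property names used (`ro.boot.flash.locked`, `ro.boot.verifiedbootstate`, `ro.boot.veritymode`, `ro.boot.warranty_bit`, `ro.warranty_bit`, `ro.debuggable`, `ro.secure`) are real Android/Samsung properties, but which of them a given model actually populates is an assumption, so a missing property is deliberately not treated as a finding; both getprop dumps below are constructed samples. As Droidriven points out, a clean result here only says the bootloader and Knox bits were never tripped, not that nothing was ever pushed to /system.

```python
import re
import sys

# Constructed sample of `adb shell getprop` output (not taken from the thread):
# what a locked, never-tampered device typically reports.
SAMPLE_GETPROP_LOCKED = """\
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
[ro.boot.warranty_bit]: [0]
[ro.warranty_bit]: [0]
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""

# Constructed sample: bootloader unlocked, verity off, Knox warranty bit tripped.
SAMPLE_GETPROP_TAMPERED = """\
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.boot.warranty_bit]: [1]
[ro.warranty_bit]: [1]
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""

# getprop prints one "[name]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Return a dict of property name -> value from getprop output."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess_tamper(props):
    """Return a list of (property, observed_value, reason) findings.

    An empty list means none of the indicators fired. A missing property is
    not a finding, because not every model populates every one of these.
    """
    findings = []
    if props.get("ro.boot.flash.locked") == "0":
        findings.append(("ro.boot.flash.locked", "0",
                         "bootloader reports unlocked"))
    vbstate = props.get("ro.boot.verifiedbootstate")
    if vbstate is not None and vbstate != "green":
        findings.append(("ro.boot.verifiedbootstate", vbstate,
                         "verified boot is not in the fully verified (green) state"))
    verity = props.get("ro.boot.veritymode")
    if verity is not None and verity != "enforcing":
        findings.append(("ro.boot.veritymode", verity,
                         "dm-verity is not enforcing, so /system could have been modified"))
    for key in ("ro.boot.warranty_bit", "ro.warranty_bit"):
        if props.get(key) == "1":
            findings.append((key, "1",
                             "Samsung Knox warranty bit tripped by a custom binary"))
            break
    if props.get("ro.debuggable") == "1" or props.get("ro.secure") == "0":
        findings.append(("ro.debuggable/ro.secure",
                         f"{props.get('ro.debuggable')}/{props.get('ro.secure')}",
                         "build is debuggable or insecure; not a stock user build"))
    return findings


def verdict(findings):
    """Collapse the findings into the two labels the thread uses."""
    return "tampered" if findings else "locked"


def report(text):
    """Parse one getprop dump, print each finding, and return the verdict."""
    findings = assess_tamper(parse_getprop(text))
    for prop, value, why in findings:
        print(f"  {prop} = {value}: {why}")
    result = verdict(findings)
    print(f"verdict: {result}")
    return result


if __name__ == "__main__":
    # Usage: adb shell getprop > props.txt && python3 this_script.py props.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report(fh.read())
    else:
        print("constructed locked sample:")
        report(SAMPLE_GETPROP_LOCKED)
        print("constructed tampered sample:")
        report(SAMPLE_GETPROP_TAMPERED)
```

Run with no argument to see both constructed samples scored; run with a saved getprop dump to score a real device. Treat a "tampered" verdict as the cue for the thorough route Droidriven describes, and a "locked" verdict as a reason not to panic rather than proof of a clean /system.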
I wrote up the method for the 1 II for your reference.
The Qualcomm diagnostic port command on the Xperia 1 & 5 is as follows:
(setprop sys.usb.config rndis,eng_mode,adb)
Then use the EFSTools.exe program.
It's easier than on the 1 mk2.
Screenshots are of the 1 & 5 and the 1 MK2.
Hello Xperia users! In the meantime, I finally solved the VoLTE problem! I went through Qualcomm's diagnostic port (activated) and efsExplorer, and solved the problem by inserting a VoLTE profile from my carrier.
Sorry, I am in Korea and I am Korean. However, I will write down the method in English.
Unlike the previous 1 & 5, Qualcomm's diagnostic port cannot be opened. I don't even know the opening command; I don't think there is one. So it's a little different from before. I tried to force it open.
Connect with USB debugging and open the Command Prompt window. Enter:
adb shell
su
On the phone, accept the "Do you want to allow shell?" permission prompt. Then the $ prompt changes to #.
Now copy and paste this and press Enter:
setprop persist.usb.eng 1
And you'll end up in tethering.
In My Computer, view Device Manager. Please turn debugging back on. Of course, there is no access. If you turn on debugging again, it looks like this (I've already set it up). Among them, there is a device model named XQ-AT52. There are four yellow exclamation marks in total.
Manually update the driver: press [Port] to list the manufacturers. It's called Qualcomm HS-USB Diagnostics 9091. Do the manual update with this. Go go.
Now run EFS Explorer. Press 0 on the ROW and OK. (ROW or SF_Default)
Oh, it takes a long time. I thought it had stopped. It opens if you wait. LOL. It's open. How nice to see you here!
I used the EFS file extracted from a Korean carrier's Xperia 1. If you need VoLTE, extract it from the XPERIA1 (Modem) .SIN file. I will use the Korean carrier file.
Just drag it and put it in the folder. Check and Yes. There will be folders that don't exist while you're pulling them in; then create them and put the file in.
In the folder where you can see this red file, drag and drop the file twice. The reason is that if you do it once it just goes in and the red file is not updated. The numbers at the end change when it's renewed. So make sure to put it in twice.
Files beginning with NV do not have folders. Put them at the top.
It's done now! VoLTE success ^0^ About IMS: VOLTE OK, video calls confirmed.
It was such a hard time for me! I was sad because I couldn't get help. With 5G mobile phones in 2020, it was terrible to be on a 3G phone. If there's someone like me, this information will help you a lot.
Finally, Marktu: Buy! Buy two! I love it.
Interesting. I wonder if the OpenDevice modem on AOSP works without that hack in the same way. Would be cool to know... Pixel Experience, for example, enabled VoLTE, WiFi Calling and video calls over carriers on my Xperia 5 without any additions or extra work. It detects the SIM and loads the needed configs for it on the modem. Pretty handy hack from the Sony community to get extended functionality over AOSP or GSIs.
I bought an 8T directly from OnePlus so it's not locked to any carrier. I intend to install a custom ROM on first use. I'd like to know the following before I unbox it:
Are there any steps required before the OEM Unlocking toggle is not greyed-out and before the phone will respond to the unlock command via fastboot?
I'm pretty sure I read a post a while back where the user stated the unlock command wouldn't function until he put a SIM card in the phone, or connected the phone to the internet, or logged into his Google account, or some such thing.
Does anyone with experience unlocking a brand new phone have anything to add? I've been following the 8T forums since before Mauronofrio's TWRP to learn all the procedures, but I don't recall anyone else mentioning issues specific to never-used phones.
The unlock toggle was indeed greyed-out when I unboxed the phone. Connecting to the Internet and completing the Android Setup wizard did not alter the state of the unlock toggle.
Actually, to be clear, I set up the phone first without Internet, then a few days later connected to the internet, but doing so did not make the greyed-out OEM Unlocking toggle suddenly accessible.
So at this point I'm not sure what the issue is... Does the phone need to see a SIM before it will let me access OEM Unlocking? Or does it require a Google account login? Or something else?
I found a comment on a non-XDA forum about a different type of android phone where the user reported that he had solved the problem by connecting to the internet and going through a minimal Google setup.
I gave it a try, only in my case I connected by ethernet cable (USB-C to Ethernet adapter), so it doesn't have anything to do with installing a SIM or turning on WiFi.
Then while connected I did a factory reset to re-start the android setup wizard. This time it took a lot longer to initiate the setup program and there were a lot more steps and conditions to accept along the way. Plus, there were Google terms and conditions to accept that weren't there the first time, and files I had to agree to download. :-( I disconnected before much else and rebooted. This time the OEM Unlocking toggle was enabled.
So I had a broken USB port for a while, but since I want to pull data off my phone (including, if possible, the apps that I needed 2FA to enable like WhatsApp and so on, since I'm currently in Europe for the next 6-12 months and AT&T prepaid doesn't allow me to receive text messages or phone calls).
I bought a replacement daughterboard for the USB connector, pulled the back of the phone off, removed the old USB connection board, and replaced it with this one. However, I've got some weird problems and I'm not sure if it's hardware or software related.
When plugging the phone into USB, there's no indication on the telephone that the phone is charging, there's no indication that the phone has some connection to the computer, the computer doesn't display anything about the phone or allow me to access storage, and ADB can't find the device despite trying about 7 different methods and combinations of drivers, ADB programs, etc.
So I'd believe that my new daughterboard is either broken internally or has some other issue ... except ODIN works flawlessly, as I got the initial step of loading the combo firmware to work without issue (linked here: https://forum.xda-developers.com/t/root_method_rev_b-11_bootloader_using_combo_firmware.4374741/). But I can't get safestrap to work, because it relies on ADB, and ADB still doesn't have any way to connect to the device.
When I start the phone in download mode, I'm able to pull up a device with the Hardware ID USB\VID_04E8&PID_685D&REV_0100, but ADB doesn't recognize it. When I start the phone in any other method, the device doesn't register in device manager. It's a similar story when I tried reaching the phone with ADB from my linux desktop, as "something" exists in download mode, but adb has no ability to actually see the device or make a connection.
As far as avoiding obvious pitfalls, I enabled development mode / USB debugging / OEM unlock in the stock firmware I was running before, and also enabled dev mod/usb debug in the flashed firmware from that page.
It's quite possible that flashing the Combination firmware already wiped my data, as I'm not sure if it does it or not (after scouring the internet, it's pretty much the only option to get root with the B/11 bootloader so it was worth a shot), but ultimately I'd like to try and resolve this ADB issue so that I can actually finish the steps and see if it will work or not.
I just don't know what to troubleshoot next to try and get ADB to work.
To add on to this, I tried reaching out to AT&T to see if I can use my S8+ (VoLTE and all that jazz capable) to receive text messages while abroad here, but they won't let me use the phone even though I'm already abroad, since if it's not compatible with their network in the US it won't be compatible with their roaming network abroad. So I really do have to do the ole root trick.