huawei p20 qu1ckr00t possible? - Huawei P20 Questions & Answers

Hello Huawei P20 mates,
I read about it recently: there is supposedly an exploit that allows root access. I read about it on this website: httpx://helpnetsecurity.com/2019/10/17/android-root-cve-2019-2215/ (I had to change it since new users aren't allowed to post links in this forum <.<). The code for obtaining root is even available on GitHub (I wonder why; wait, isn't this illegal?). But anyway, I read on another site that the Huawei P20 with the October 2019 update is vulnerable to this one. So basically, it's now an open door for us Huawei P20 users to root our phones, isn't it?
I just wonder how to use this. I understand the process of compiling it, but what did he mean by "change with device code"? Maybe I just didn't get it right. Does anyone know what he is talking about in his GitHub project?

p0w3r_off said:
Hello Huawei P20 mates,
I read about it recently: there is supposedly an exploit that allows root access. I read about it on this website: httpx://helpnetsecurity.com/2019/10/17/android-root-cve-2019-2215/ (I had to change it since new users aren't allowed to post links in this forum <.<). The code for obtaining root is even available on GitHub (I wonder why; wait, isn't this illegal?). But anyway, I read on another site that the Huawei P20 with the October 2019 update is vulnerable to this one. So basically, it's now an open door for us Huawei P20 users to root our phones, isn't it?
I just wonder how to use this. I understand the process of compiling it, but what did he mean by "change with device code"? Maybe I just didn't get it right. Does anyone know what he is talking about in his GitHub project?
As far as I know, at the moment no. Huawei stopped releasing boot lock codes.
On the positive side, things may change on Android 10.
I confirmed this with One Click Root and some other dev database which I should be able to post here, as I believe it doesn't breach the rules since it's a developer site that should IMO be linked here, but I don't want to post it here; I can PM you the link.
Fundamentally speaking, China is rumoured to merge and work hand in hand with Google after Trump stepped up the game. It was posted on AC, and in a feed I received from the app Medium.
tl;dr: no boot unlock, but no root.

2ISAB said:
As far as I know, at the moment no. Huawei stopped releasing boot lock codes.
On the positive side, things may change on Android 10.
I confirmed this with One Click Root and some other dev database which I should be able to post here, as I believe it doesn't breach the rules since it's a developer site that should IMO be linked here, but I don't want to post it here; I can PM you the link.
Fundamentally speaking, China is rumoured to merge and work hand in hand with Google after Trump stepped up the game. It was posted on AC, and in a feed I received from the app Medium.
tl;dr: no boot unlock, but no root.
Did you even read what I wrote, or use the link I posted here? I said that there is a 0-day exploit. It's *not* about boot lock codes or fastboot. It's about an exploit used to obtain root rights. Then you could easily read out the nvme file. But I don't understand how to use this relatively new exploit.

p0w3r_off said:
Hello Huawei P20 mates,
I read about it recently: there is supposedly an exploit that allows root access. I read about it on this website: httpx://helpnetsecurity.com/2019/10/17/android-root-cve-2019-2215/ (I had to change it since new users aren't allowed to post links in this forum <.<). The code for obtaining root is even available on GitHub (I wonder why; wait, isn't this illegal?). But anyway, I read on another site that the Huawei P20 with the October 2019 update is vulnerable to this one. So basically, it's now an open door for us Huawei P20 users to root our phones, isn't it?
I just wonder how to use this. I understand the process of compiling it, but what did he mean by "change with device code"? Maybe I just didn't get it right. Does anyone know what he is talking about in his GitHub project?
Yeah, it might work, but if you try to modify something using root it would brick because of SecBoot.

madoxx77 said:
Yeah, it might work, but if you try to modify something using root it would brick because of SecBoot.
You too didn't fully read what I wrote, or did you? Why are the answers always short, like "no, won't work because xy", while ignoring z, w and v?
The thing is, you should *not* change the phone with this exploit. I wouldn't have any interest in changing it with this method. I have more interest in getting the nvme bootloader unlock code, which most certainly is stored there, since with the old Huawei phones it was that way. Like you know: obtaining root rights, saving the nvme partition, then opening the nvme partition with a hex editor and searching for the BL code. Then I would unlock the phone the regular way. Do you understand what I'm trying to do?

p0w3r_off said:
You too didn't fully read what I wrote, or did you? Why are the answers always short, like "no, won't work because xy", while ignoring z, w and v?
The thing is, you should *not* change the phone with this exploit. I wouldn't have any interest in changing it with this method. I have more interest in getting the nvme bootloader unlock code, which most certainly is stored there, since with the old Huawei phones it was that way. Like you know: obtaining root rights, saving the nvme partition, then opening the nvme partition with a hex editor and searching for the BL code. Then I would unlock the phone the regular way. Do you understand what I'm trying to do?
Calm down, you haven't said anything about the bootloader code in your original post. Simply, you cannot obtain the BL code because it's encrypted (not in the NVME partition). In EMUI 8 it was possible to unlock the bootloader using a modified NVME, but in EMUI 9 you cannot do it. There is one way to obtain the BL code, but you need to disassemble your phone and it costs like 30 euro; you can find it in the Mate 20 forum, it's called BLK-RSA.

madoxx77 said:
Calm down, you haven't said anything about the bootloader code in your original post. Simply, you cannot obtain the BL code because it's encrypted (not in the NVME partition). In EMUI 8 it was possible to unlock the bootloader using a modified NVME, but in EMUI 9 you cannot do it. There is one way to obtain the BL code, but you need to disassemble your phone and it costs like 30 euro; you can find it in the Mate 20 forum, it's called BLK-RSA.
Okaaay, this is news to me that this changed in EMUI 9. But if that is the case, then maybe we should really check whether the exploit works for versions older than Android 9? Especially the version before the May/June 2018 patch may be different. So the roadmap may be:
- downgrade to an EMUI 8.1 version *before* the May 2018 security patch
- try to use the exploit to get root rights in order to read the (non-encrypted? I need more information on this) bootloader code
Two questions arise here: does the exploit only work for Android 9, or has it existed for a longer time and for earlier versions? I don't know how it is here. And second, is the BL code already encrypted in EMUI 8.1?
The reason why I'm asking all of this is that it may be better to get this information before I try to do something and even brick my phone in the worst case, or do hours of work without any result (which would simply be a waste). Writing a few lines takes only a few minutes, after all.

p0w3r_off said:
Okaaay, this is news to me that this changed in EMUI 9. But if that is the case, then maybe we should really check whether the exploit works for versions older than Android 9? Especially the version before the May/June 2018 patch may be different. So the roadmap may be:
- downgrade to an EMUI 8.1 version *before* the May 2018 security patch
- try to use the exploit to get root rights in order to read the (non-encrypted? I need more information on this) bootloader code
Two questions arise here: does the exploit only work for Android 9, or has it existed for a longer time and for earlier versions? I don't know how it is here. And second, is the BL code already encrypted in EMUI 8.1?
The reason why I'm asking all of this is that it may be better to get this information before I try to do something and even brick my phone in the worst case, or do hours of work without any result (which would simply be a waste). Writing a few lines takes only a few minutes, after all.
You cannot downgrade to EMUI 8.1 before May 2018 because of xloader; the only way is to open your phone and flash old firmware through test points. Also, it can maybe work on EMUI 8, but the BL code is still encrypted there; yeah, you can unlock the bootloader through NVME, but you cannot obtain the BL code. The only way is, as I said before, the BLK-RSA method.

madoxx77 said:
You cannot downgrade to EMUI 8.1 before May 2018 because of xloader; the only way is to open your phone and flash old firmware through test points. Also, it can maybe work on EMUI 8, but the BL code is still encrypted there; yeah, you can unlock the bootloader through NVME, but you cannot obtain the BL code. The only way is, as I said before, the BLK-RSA method.
That is absolutely wrong. I did it in the past via the tool from Huawei, and yeah, that was w/o *any* problem, and that was only a few months ago, when I already had EMUI 9. Do you even *want* to root/unlock it, or do you just want to say what is not possible when in reality it is?

p0w3r_off said:
That is absolutely wrong. I did it in the past via the tool from Huawei, and yeah, that was w/o *any* problem, and that was only a few months ago, when I already had EMUI 9. Do you even *want* to root/unlock it, or do you just want to say what is not possible when in reality it is?
Why do you have to be so offensive? I just wanted to help you not to brick your phone if you try to do some **** with it. I forgot to say that you can't downgrade from EMUI 9.1 to EMUI 8.1; in the past, if you had EMUI 9, it was possible to downgrade to EMUI 8.1 via HiSuite.

p0w3r_off said:
Hello Huawei P20 mates,
I read about it recently: there is supposedly an exploit that allows root access. I read about it on this website: httpx://helpnetsecurity.com/2019/10/17/android-root-cve-2019-2215/ (I had to change it since new users aren't allowed to post links in this forum <.<). The code for obtaining root is even available on GitHub (I wonder why; wait, isn't this illegal?). But anyway, I read on another site that the Huawei P20 with the October 2019 update is vulnerable to this one. So basically, it's now an open door for us Huawei P20 users to root our phones, isn't it?
I just wonder how to use this. I understand the process of compiling it, but what did he mean by "change with device code"? Maybe I just didn't get it right. Does anyone know what he is talking about in his GitHub project?
I tried running both the original PoC code and qu1ckr00t on my P20 Pro (EMUI 9.1.0.328, last patched 1/8/2019), but this EMUI version doesn't seem vulnerable; neither PoC yielded elevated permissions. I'm digging some more into this.

cptnfrd said:
I tried running both the original PoC code and qu1ckr00t on my P20 Pro (EMUI 9.1.0.328, last patched 1/8/2019), but this EMUI version doesn't seem vulnerable; neither PoC yielded elevated permissions. I'm digging some more into this.
Okay, glad to hear you tried that. Maybe going back to EMUI 9 would help. The dload method should still work, right?

p0w3r_off said:
Okay, glad to hear you tried that. Maybe going back to EMUI 9 would help. The dload method should still work, right?
I'm not sure; the descriptions of the vulnerability mention that the P20 is affected, but one site says only on Android 8, so it's unclear. I'm not familiar with the dload method, can you post a link?
The thing is, as madoxx77 posted earlier, even if this worked as a way to gain root we'd still have no way to obtain the BL code and would possibly only brick the device while trying. Perhaps some hardware-based method could work, but I don't really have the knowledge or time to dig into it deeper.
F.C.K YOU HUAWEI.
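The back-and-forth above turns on one question: is a given EMUI build still exposed to CVE-2019-2215, or has it taken the fix? cptnfrd answered it for one phone by hand. As an added example, not code from this thread or from any of its participants, the following Python script does the coarse, defensive half of that triage the way a fleet administrator would: it parses the text output of `adb shell getprop` and compares `ro.build.version.security_patch` with the patch level of the Android Security Bulletin that shipped the fix (assumed here to be 2019-10-06, the October 2019 level). The property dumps embedded below are constructed samples modelled on the devices mentioned in the thread, not real captures. A patch level is only what the vendor asserts, so a build that predates the fix is reported as "possibly vulnerable" for follow-up, not as confirmed exploitable; cptnfrd's August 2019 build, for instance, resisted both PoCs.

```python
"""Triage Android devices for CVE-2019-2215 by declared security patch level.

Added example (not from the thread): parses `adb shell getprop` text and
flags builds whose patch level predates the bulletin that shipped the fix.
"""
import re
from datetime import date

# Assumption: the fix shipped in the October 2019 Android Security Bulletin,
# whose patch-level string is 2019-10-06.
CVE_2019_2215_FIX_LEVEL = date(2019, 10, 6)

# getprop prints one "[key]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed sample dumps (not real captures), modelled on devices in the thread.
SAMPLE_DUMPS = {
    "p20-pro-aug-2019": (
        "[ro.product.model]: [CLT-L09]\n"
        "[ro.build.version.release]: [9]\n"
        "[ro.build.version.security_patch]: [2019-08-01]\n"
    ),
    "patched-device": (
        "[ro.product.model]: [EXAMPLE-DEVICE]\n"
        "[ro.build.version.release]: [10]\n"
        "[ro.build.version.security_patch]: [2019-12-01]\n"
    ),
    "no-patch-prop": "[ro.product.model]: [EXAMPLE-DEVICE]\n",
}


def parse_getprop(text: str) -> dict:
    """Turn getprop output into a dict; lines that do not match the format are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_patch_level(value: str):
    """Parse a YYYY-MM-DD patch level; return None if it is missing or malformed."""
    try:
        year, month, day = (int(part) for part in value.split("-"))
        return date(year, month, day)
    except (ValueError, TypeError):
        return None


def assess(text: str) -> tuple:
    """Return (status, detail) for one getprop dump.

    status is 'patched', 'possibly-vulnerable' or 'unknown'. A level at or after
    the fix means the vendor asserts the fix is included; an earlier level is a
    reason to investigate further, not proof that the device is exploitable.
    """
    props = parse_getprop(text)
    level = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    model = props.get("ro.product.model", "?")
    if level is None:
        return "unknown", f"{model}: ro.build.version.security_patch missing or malformed"
    if level >= CVE_2019_2215_FIX_LEVEL:
        return "patched", f"{model}: patch level {level} >= {CVE_2019_2215_FIX_LEVEL}"
    return "possibly-vulnerable", f"{model}: patch level {level} predates {CVE_2019_2215_FIX_LEVEL}"


def assess_all(dumps: dict) -> dict:
    """Assess every dump; keys are device labels, values are status strings."""
    return {label: assess(text)[0] for label, text in dumps.items()}


if __name__ == "__main__":
    # Stand-alone run over the constructed samples. With real devices, feed it
    # the output of `adb -s <serial> shell getprop` instead.
    for label, text in SAMPLE_DUMPS.items():
        status, detail = assess(text)
        print(f"{label:20} {status:20} {detail}")
```

The script deliberately stops at the patch-level comparison: it reads properties, it does not probe the kernel. Anything more precise (checking whether the vendor kernel actually carries the Binder fix, or whether the build is even exploitable given its kernel configuration) requires the device-specific work cptnfrd describes, and a property string cannot stand in for it.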

Related

Honor 8 refusal to provide unlock code.

Just tried several times with Honor support to get the unlock code before the so-called deadline... they refused and said they will not be provided for phones from the USA & Canada. Any thoughts about what is going on...
Donald Seguin said:
Just tried several times with Honor support to get the unlock code before the so-called deadline... they refused and said they will not be provided for phones from the USA & Canada. Any thoughts about what is going on...
You can try
https://www.emui.com/en/plugin/unlock/index
I got my unlock code that way a few weeks ago.
Thank you.
Will give that a try. Are you using a North American phone (Canada or USA)? Because that seems to be what they are blocking for now.
Donald Seguin said:
Will give that a try. Are you using a North American phone (Canada or USA)? Because that seems to be what they are blocking for now.
No, I'm not, I'm in Europe, but it's still worth a try.
I just got my code earlier today so it's still working.
Chris (developer for Honor US) said they are not blocking codes at all. In fact, he's still in talks with the uppers trying to reverse the decision. You can easily find him on FB if you'd like to personally reach out to
mattyboyo said:
I just got my code earlier today so it's still working.
You guys are correct, support was wrong, they are still providing unlock codes... now that I have a code, where do I input this in the phone to make sure it is unlocked? I have not done this before... so I will not be flashing a ROM on this just yet!
Donald Seguin said:
You guys are correct, support was wrong, they are still providing unlock codes... now that I have a code, where do I input this in the phone to make sure it is unlocked? I have not done this before... so I will not be flashing a ROM on this just yet!
If you don't know how to unlock the bootloader or understand what comes with unlocking a bootloader, do some reading on other threads or do not attempt it at all; you could break your phone.
krchi said:
If you don't know how to unlock the bootloader or understand what comes with unlocking a bootloader, do some reading on other threads or do not attempt it at all; you could break your phone.
This much I know... unlock now to preserve the option of a stable ROM sometime in the future after Honor stops supporting the phone... I hate this planned obsolescence which is all too common with Android...
krchi said:
If you don't know how to unlock the bootloader or understand what comes with unlocking a bootloader, do some reading on other threads or do not attempt it at all; you could break your phone.
Do we still get OTA updates after unlocking the bootloader?
I want to stick to EMUI until OTA updates are stopped officially.
Donald Seguin said:
This much I know... unlock now to preserve the option of a stable ROM sometime in the future after Honor stops supporting the phone... I hate this planned obsolescence which is all too common with Android...
You don't need to use it now unless you wish to switch to custom ROMs or gain root.
Just keep it until you're ready to make the change. It can be used to unlock and relock as many times as you want.
Unlocking will force a wipe.
There are no stable ROMs at the moment anyway, and I doubt there will still be oldschool ones in the future.
As soon as Oreo is out for your region you could unlock and switch to Treble ROMs, but they're not stable for our phone yet either. Kirins are fiddly to work with when it comes to custom ROMs, even with Treble support. Stock is always the best option.
Keep your unlock code somewhere safe, since (like someone already said) you can use and reuse it however often you want, and really stay on stock as long as you can. It's of no use for you to unlock/root right now.

Any chance to root device without unlocking bootloader?

Hi, guys and girls... Welcome to the Huawei jail problem.
Since I bought my device after Huawei locked our bootloaders forever and I didn't know that fact, now I need root so badly... I'm missing some tweaks from my other devices... Is there any chance to root this phone without unlocking the bootloader?
They locked bootloaders? I just bought one yesterday. I may still be able to take it back, and if they've locked the bootloader, I'd be very tempted to do just that. GRRR
Not a chance
Took my phone back, have a Moto G6 Plus now.
Hudinited said:
Hi, guys and girls... Welcome to the Huawei jail problem.
Since I bought my device after Huawei locked our bootloaders forever and I didn't know that fact, now I need root so badly... I'm missing some tweaks from my other devices... Is there any chance to root this phone without unlocking the bootloader?
I'm continuing this thread because I have some interesting information found on a Chinese board:
https://club.huawei.com/thread-4790911-1-1.html
They say it would be possible to root your device (even the P20, as long as it doesn't have the MediaTek chipset, which many of us apparently won't have, since most of us are apparently stuck with the HiSilicon Kirin 970). They are going in the direction of using apps like 360root and such. I tried 360root with the P20 EML-L29 8.10.128 without success; I even tried iRoot, KingRoot, KingoRoot, SuperRoot and Root Master.
But... you know guys, I know that rooting generally means using security vulnerabilities in Android and the kernel. At the moment I try different versions on my phone in order to find one that *does* match the security vulnerabilities one of the root apps tries to use. You see, when a newer version gets released, many security vulnerabilities get patched. But this means at the same time that others often appear (if it weren't this way, we would only need one security patch for all time and everything would be fine, voilà, a perfectly secure device with all the best features; but this will most likely never happen). Even if they fix more and more security holes, we can't forget the fact that KingRoot, iRoot and 360root are still continuing their work as well. So while maybe today no root is possible for these devices, you can expect them to keep trying new ways to achieve this goal, which means that there is still hope for the future (but well, I would only wait 1 year, since I would then buy a new phone, since it is then already 2 years old).

Rooting (only) Honor View 10

Looking for some advice... I've just bought an Honor View 10 and I want to root it (just to use apps that require root access), i.e. I don't need to flash any images etc. as I'm not installing a new ROM.
Is this possible straight out of the box? i.e. the phone still has a locked bootloader.
If so, is there a guide somewhere on how to do this? ...Cheers!
You should really do some research before asking. Your answers are out there, just look for them.
riverbird69 said:
Looking for some advice... I've just bought an Honor View 10 and I want to root it (just to use apps that require root access), i.e. I don't need to flash any images etc. as I'm not installing a new ROM.
Is this possible straight out of the box? i.e. the phone still has a locked bootloader.
If so, is there a guide somewhere on how to do this? ...Cheers!
You REALLY shouldn't have bought any Huawei/Honor device, since they no longer give out bootloader unlock codes.
The only way to unlock now is through paid services, so if you still can, I suggest you return it and get a phone from another manufacturer like OnePlus or Xiaomi.
I know other phones are easier to root since Honor/Huawei aren't giving out bootloader codes anymore, but that didn't really answer my question though... Is it possible to just root the phone without a bootloader code (just root, no flashing)?
riverbird69 said:
I know other phones are easier to root since Honor/Huawei aren't giving out bootloader codes anymore, but that didn't really answer my question though... Is it possible to just root the phone without a bootloader code (just root, no flashing)?
No, it is not possible. The bootloader code is needed to root/flash. You can, like the previous person said, spend some cash to get the bootloader code. Hope that helps?
Thanks for the reply, was hoping for a different answer though! Cheers...
riverbird69 said:
Thanks for the reply, was hoping for a different answer though! Cheers...
No worries, wish the answer was different. Still, without root this phone is amazing.

Finally install TWRP without unlocking Bootloader with Code

Hello guys,
For a long time I searched for a method of unlocking the bootloader of the EML-L29 Huawei P20. No, I didn't find any, and qu1ckr00t didn't prove to be useful either.
It is not relevant anymore. Since I used the test point too often while researching what is possible and what isn't, the device died just a few minutes ago. It now only ever enters the USB Huawei COM mode. Probably I used too much pressure on the test points, or I accidentally short-circuited other points with the screwdrivers... But as a matter of fact, it is hardware-bricked and the board is done for, I think. So I'm not searching for a solution anymore.
People, see this thread as a resource for what is possible without unlocking the bootloader and what is not. I figured out that the following things are facts without unlocking the bootloader, so that you all don't have to try instead of me:
- You can flash TWRP to erecovery_ramdisk and recovery_ramdisk with the test point short-circuited, the software DC-Phoenix and the right chipset/CPU bootloader chosen as the temporary bootloader; it will be permanently available after the process.
- You cannot install Magisk on it, since xloader seems to block the boot-up and always sends you to recovery mode (which means TWRP if you flashed this).
- You cannot install a custom ROM like OpenKirin with the test point recovery mode, as it, like with Magisk, will always send you to recovery mode. I tried it exactly how it is explained on openkirin.net and it always turned out the same.
- There is no bootloader unlock code in the nvme partition; I checked it. It seems there is encryption going on there.
- The exploit qu1ckr00t is not usable, since the kernel is compiled with spinlock_debug.
- And I forgot first: if you have the idea of soldering a cable for the test point short circuit: no, let it be. You will only hang forever in Huawei USB COM 1.0 mode; it won't boot normally as long as you're in TP mode.
So basically, there is a way to get root; it is a way to get direct data from the partitions. But in the end, the question that arises is: how much profit do you gain from root or custom ROMs on this device? In my case, the many tries cost me my time, my nerves and now the device itself. It is gone for good. Maybe this is for the best, as I never treated it right since I bought it (it had to be repaired two times in 2 years, which is a lot for a normal device in that amount of time) and I only have bad memories in my life with it (lots of things happened, but this is not the right place for such tellings).
My final message for this part of this board (not the board I damaged, though): leave it alone, don't waste your time anymore on this. Move on, there are cheap devices that are better, faster and unlockable too these days. I moved on to my new Nokia 7.2, which is awesome.
So stay healthy, guys.
My journey of exploring the depths of Huawei's device, the Huawei P20 EML-L29, ends here. It's sad, but at the same time I'm happy that the "horror" of an unlockable bootloader is finally over.
Thanks for your effort and for sharing the info. Good luck with the new phone.
Note: my next phone won't be Huawei, for sure, due to bootloader locking; I am fed up with them.
Yes,
I'm not even sorry for them if they go down because of the Google lockout. Their strategy is to pull people away from the Google Play Store? Yes, sure. Good luck.
Unlock the bootloader and promise to keep it open for the P10 upwards and we are happy. Otherwise... bye-bye and fcku.
FearFac said:
Thanks for your effort and for sharing the info. Good luck with the new phone.
Note: my next phone won't be Huawei, for sure, due to bootloader locking; I am fed up with them.
What if I have my unlock code? Can I still unlock it, or is it impossible now? I requested my code before they stopped the bootloader unlocking, but never did anything with it.
ElChe said:
What if I have my unlock code? Can I still unlock it, or is it impossible now? I requested my code before they stopped the bootloader unlocking, but never did anything with it.
You are the lucky one who can root your phone.
FearFac said:
You are the lucky one who can root your phone.
Yeah, I guess, haha. I haven't gotten around to doing it yet. But now I know it's a possibility! So I'll eventually do it!
FearFac said:
You are the lucky one who can root your phone.
How do you root it? AFAIK anything newer than EMUI 8 is no longer rootable.
I'm on EMUI 10 with an unlocked bootloader; please tell me how to root.
zgomot said:
How do you root it? AFAIK anything newer than EMUI 8 is no longer rootable.
I'm on EMUI 10 with an unlocked bootloader; please tell me how to root.
I have a query: you have EMUI 10 with the bootloader open? How did you do it? Wasn't the problem that EMUI 10 closed the bootloader? Can't you root with Magisk?
zgomot said:
How do you root it? AFAIK anything newer than EMUI 8 is no longer rootable.
I'm on EMUI 10 with an unlocked bootloader; please tell me how to root.
Where did you get this info from?
I was just thinking of rooting my CLT-L09 on EMUI 9.1.0.

[RELEASE] Chromecast with Google TV Bootloader Unlock

Introduction:
This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).
This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).
Frederic also did a great amount of work to temporarily boot a custom OS from USB here.
Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.
Disclaimer:
You are solely responsible for any potential damage(s) caused to your device by this exploit.
FAQ:
- Does unlocking the bootloader void my warranty on this device?
Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.
- Does unlocking the bootloader break DRM in any way?
Nope, just like unlocking a Pixel device officially.
- Can I OTA afterwards?
NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than
- Can I use stock?
Yes, but only if you flashed the newer patched factory image offered up in the script.
- Can I go back to stock after installing custom OS's?
Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2021-08-05. The tool offers to put you on a newer firmware, it's highly recommended to do so.
- Can I re-lock the bootloader?
If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.
- I've run the exploit 10 times and it isn't working yet!
Swap USB ports/cables, and keep trying, for some people it takes one attempt, for some it takes a lot of attempts.
Requirements:
Chromecast With Google TV (sabrina) without USB password mitigation¹
Either a USB A to C, or a C to C cable
A PC running some flavor of 64-bit GNU Linux
`libusb-dev` installed
`fastboot` & `mke2fs` installed from the SDK Platform tools
¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).
Instructions:
Follow the detailed and up-to-date instructions over at our Github repo, and maybe give the writeup a read/share on social media!
Post-unlock:
The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.
Credits:
Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
Frederic Basse (frederic): The initial exploit and the AES key tip
Special Thanks:
Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
Sweet! I know what I'm doing tonight lol... of course I need to check mine once I get home to see if it can be unlocked, but pretty sure it can.
Wow, I'm glad I left mine unplugged.
Unfortunately mine's not able to be unlocked :-(... it's got the Feb security update... the exploit says it's password protected.
elliwigy said:
Unfortunately mine's not able to be unlocked :-(... it's got the Feb security update... the exploit says it's password protected.
RIP, there is no way around it unfortunately (for now at least).
Stricted said:
RIP, there is no way around it unfortunately (for now at least).
Yea, figured as much. I was looking for a way to unlock the bootloader but didn't spend much time on it, as I use my NSTV Pro 2019 model mainly for all my streaming needs lol.
I just left the Best Buy by my house and all the CCs they had were mfg 5/2021 lol... I must've looked all over... looked behind stuff, tried to find a dusty one, but nope lol.
Probably got a better chance at an old one from Walmart.
I'm curious what causes it to not boot with a patched boot.img... on the NSTV it was odd for a while, since patching boot.img would cause a bootloop... had noticed in the logs it was failing to boot because the verifiedbootstate was orange, so I made a script for Magisk to resetprop ro.boot.verifiedbootstate green and it would boot right up. Wonder if it's something similar... either way, can only toss up ideas until I get my hands on an unlockable model lol
elliwigy said:
Yeah, figured as much. I was looking for a way to unlock the bootloader but didn't spend much time on it, as I use my NSTV Pro 2019 model mainly for all my streaming needs, lol.
I just left the Best Buy by my house and all the CC they had were mfg 5/2021, lol. I must've looked all over, looked behind stuff, tried to find a dusty one, but nope, lol.
Probably got a better chance at an old one from Walmart.
I'm curious what causes it to not boot with a patched boot.img. On the NSTV it was odd for a while, since patching boot.img would cause a bootloop. I had noticed in the logs that it was failing to boot because the verifiedbootstate was orange, so I made a script for Magisk to resetprop ro.boot.verifiedbootstate green and it would boot right up. I wonder if it's something similar. Either way, I can only toss up ideas until I get my hands on an unlockable model, lol.
Nah, it isn't.
I think it's just the Amlogic boot image format not liking the repack method.
I'll look into it at some point.
Could this method work on the Mi Box 3? Just asking!
Verhuel15 said:
Could this method work on the Mi Box 3? Just asking!
You'd need the U-Boot source from your OEM. Start by requesting that; then you can progress further if they give it to you (they legally have to, but a lot of them don't).
Tell me more about this "USB password mitigation", since it appears that this exploit is not going to be all that useful until this issue is addressed.
96carboard said:
Tell me more about this "USB password mitigation", since it appears that this exploit is not going to be all that useful until this issue is addressed.
It's not an "issue" we can overcome.
The BootROM mode we interact with to send the data for this exploit had a password slapped on the interface (to even be able to interact with it). It's a complex password based on a hash of something and a salt.
It's not something we could feasibly brute force, it's not something we can undo, and it's not something we can work around.
The exploit was effectively patched in models manufactured after December 2020, and in older units updated to February 2021.
If the February 2021 update added the password, wouldn't it be theoretically possible to reverse engineer that update to determine how the password is generated? Or do they encrypt these updates in a way that makes them impossible to disassemble or step through during execution before it burns the eFuses?
bydo said:
If the February 2021 update added the password, wouldn't it be theoretically possible to reverse engineer that update to determine how the password is generated? Or do they encrypt these updates in a way that makes them impossible to disassemble or step through during execution before it burns the eFuses?
We can totally (and have) dumped newer updates. You can look at the bootloader.img all you want, but it's AES encrypted, and the only way to get it decrypted is to dump the AES key from memory using the exploit those updates mitigate, so, no, they're not easy to analyze.
But let's say we could: there's no way to extract the password that's even semi-feasible.
Brute force is more feasible, and that would take years.
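The point above is that a dumped bootloader.img can be opened in a disassembler but not understood while it is still AES encrypted. The first check a practitioner runs on such a dump is a sliding-window Shannon entropy scan: ciphertext (and compressed data) sits close to 8 bits per byte across the whole region, while plaintext code, strings and padding show dips and structure. The script below is an added example, not code from the exploit project or from anyone in this thread. The image bytes are constructed inline (a zero-filled header, a repeated version string standing in for plaintext U-Boot, and a fixed-seed pseudo-random region standing in for an AES-encrypted stage), and the 7.5 bits/byte threshold and 90% coverage rule are rules of thumb, not values taken from any Amlogic image.

```python
"""Sliding-window entropy scan to flag regions of a firmware dump that look encrypted.

Added example for analysing an encrypted bootloader.img; the sample image is
constructed below and is not a real dump.
"""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy of `data` in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image, window=4096):
    """Entropy of each `window`-byte block as (offset, bits_per_byte) pairs."""
    return [(off, shannon_entropy(image[off:off + window]))
            for off in range(0, len(image), window)]


def classify_regions(image, window=4096, threshold=7.5):
    """Merge adjacent windows into (start, end, label) regions.

    label is "high-entropy" (ciphertext or compressed data) when the window's
    entropy is at or above `threshold`, otherwise "structured" (plaintext, tables,
    padding). The threshold is an assumed rule of thumb.
    """
    regions = []
    for off, bits in entropy_profile(image, window):
        label = "high-entropy" if bits >= threshold else "structured"
        end = min(off + window, len(image))
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)   # extend the current region
        else:
            regions.append((off, end, label))
    return regions


def looks_encrypted(image, window=4096, threshold=7.5, min_fraction=0.9):
    """True when at least `min_fraction` of the image is high-entropy.

    A fully encrypted stage scores near 1.0; a plaintext U-Boot with its strings,
    tables and padding does not. Entropy alone cannot tell ciphertext from
    compressed data, so a True result means "encrypted or compressed".
    """
    high = sum(end - start for start, end, label in classify_regions(image, window, threshold)
               if label == "high-entropy")
    return high / len(image) >= min_fraction


def constructed_sample_image():
    """Constructed 64 KiB test image (not a real dump):
    8 KiB zero header, 8 KiB of a repeated version string (plaintext),
    48 KiB of fixed-seed pseudo-random bytes standing in for ciphertext."""
    rng = random.Random(0x4D4C)                      # fixed seed: reproducible output
    header = bytes(8192)
    text = (b"U-Boot 2015.01 (assumed plaintext region)\0" * 300)[:8192]
    body = rng.randbytes(48 * 1024)
    return header + text + body


if __name__ == "__main__":
    img = constructed_sample_image()
    for start, end, label in classify_regions(img):
        print(f"0x{start:06x}-0x{end:06x}  {label}")
    print("whole image looks encrypted:", looks_encrypted(img))
    print("body alone looks encrypted:", looks_encrypted(img[16384:]))
```

Run against a real dump by replacing `constructed_sample_image()` with `open("bootloader.img", "rb").read()`; a plaintext U-Boot produces a profile full of structured windows (string tables, padding), whereas an encrypted stage is flagged high-entropy end to end, which is the quickest way to confirm that static analysis is pointless without the key.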
I assume, similar to Samsung bootloader revs, Google has some form of rollback prevention, so it's not possible to downgrade to an older firmware? Do you know if there's anywhere the ota.zip can be downloaded?
Is there anything else we know about this password? Is it the same password for all units (i.e. pre-generated) or is it unique (in which case it would have to be generated on-device)?
elliwigy said:
I assume, similar to Samsung bootloader revs, Google has some form of rollback prevention, so it's not possible to downgrade to an older firmware? Do you know if there's anywhere the ota.zip can be downloaded?
Yeah, dumped on dumps.tadiphone.dev. Rollback is enabled. There's no going back. U-Boot enforces it on the OS, and BL2 enforces it on BL33 (U-Boot).
96carboard said:
Is there anything else we know about this password? Is it the same password for all units (i.e. pre-generated) or is it unique (in which case it would have to be generated on-device)?
It is (as far as we currently understand) a global password.
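The rollback protection described above is a chain: BL2 checks the version of BL33 (U-Boot) and U-Boot checks the version of the OS, each against a counter that the device can only move forward, so once a unit has booted the update there is no image it will accept that still has the old BootROM behaviour. The model below is an added example written for this thread, not Amlogic's, Google's or the exploit project's code. The stage names follow the post, but the version numbers, the one-counter-per-stage layout and the fact that booting an image is what advances the counter are assumptions for illustration, not the real fuse map or update flow.

```python
"""Model of a two-stage anti-rollback chain: BL2 -> BL33 (U-Boot) -> OS.

Added example. Each stage refuses to hand off to an image whose version is below
a monotonic counter, and a successful boot can only raise that counter. Versions
and counter layout are assumed for illustration.
"""


class RollbackError(Exception):
    """Raised when a stage refuses an image because of anti-rollback."""


class MonotonicCounter:
    """Stand-in for an anti-rollback counter kept in one-time-programmable fuses:
    it can be raised but never lowered or reset (assumed layout)."""

    def __init__(self, value=0):
        self.value = value

    def raise_to(self, new_value):
        if new_value < self.value:
            raise RollbackError(f"counter cannot go from {self.value} to {new_value}")
        self.value = new_value


class Image:
    """A signed boot-stage image carrying its anti-rollback version in the header."""

    def __init__(self, stage, version, next_image=None):
        self.stage = stage            # "BL33" or "OS"
        self.version = version        # assumed integer anti-rollback version
        self.next_image = next_image  # the image this stage will verify next


class Device:
    """BL2 owns the BL33 counter, BL33 (U-Boot) owns the OS counter."""

    def __init__(self):
        self.counters = {"BL33": MonotonicCounter(), "OS": MonotonicCounter()}

    def verify_stage(self, image):
        counter = self.counters[image.stage]
        if image.version < counter.value:
            raise RollbackError(
                f"{image.stage} v{image.version} rejected: counter is {counter.value}")
        counter.raise_to(image.version)   # booting a newer image is what moves the fuse
        return True

    def boot(self, bl33):
        """Walk BL2 -> BL33 -> OS; return the stages that verified, or raise."""
        booted, image = [], bl33
        while image is not None:
            self.verify_stage(image)
            booted.append(f"{image.stage} v{image.version}")
            image = image.next_image
        return booted

    def try_boot(self, bl33):
        """(True, stages) on success, (False, reason) when a stage refuses."""
        try:
            return True, self.boot(bl33)
        except RollbackError as exc:
            return False, str(exc)


def downgrade_scenario():
    """Boot an old build, take an update, then try the old build again,
    and finally a new U-Boot paired with an old OS. Returns the four outcomes."""
    dev = Device()
    old_build = Image("BL33", 1, Image("OS", 1))   # assumed: pre-mitigation build
    new_build = Image("BL33", 2, Image("OS", 2))   # assumed: build with the mitigation
    mixed = Image("BL33", 2, Image("OS", 1))       # new U-Boot, old OS
    first = dev.try_boot(old_build)     # counters go to 1
    update = dev.try_boot(new_build)    # counters go to 2
    downgrade = dev.try_boot(old_build) # BL2 rejects BL33 v1
    os_only = dev.try_boot(mixed)       # U-Boot rejects OS v1
    return first, update, downgrade, os_only


if __name__ == "__main__":
    for outcome in downgrade_scenario():
        print(outcome)
```

The two refusals at the end are the two enforcement points named in the post: flashing the whole old build fails in BL2 before U-Boot ever runs, and keeping the new U-Boot while flashing an old OS fails in U-Boot, so neither path gets a pre-mitigation image executing.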
npjohnson said:
Yeah, dumped on dumps.tadiphone.dev. Rollback is enabled. There's no going back. U-Boot enforces it on the OS, and BL2 enforces it on BL33 (U-Boot).
It is (as far as we currently understand) a global password.
Is that site a private GitLab? I went there but my normal GitLab account didn't work, so I registered with the same email and it said it registered, but my account is blocked waiting for admin approval?
96carboard said:
Is there anything else we know about this password? Is it the same password for all units (i.e. pre-generated) or is it unique (in which case it would have to be generated on-device)?
Pretty sure it's not generated on the device. It's likely a key that was already there and just wasn't being used until the recent update, or it was implemented in the update. This is of course assuming it's a global key, i.e. the same password for all the devices. Sort of similar to how Samsung does their firmware, maybe: a key burned into the device at the factory, well hidden behind layers of security, never to be seen again even when it's used to verify stuff, lol.
elliwigy said:
Is that site a private GitLab? I went there but my normal GitLab account didn't work, so I registered with the same email and it said it registered, but my account is blocked waiting for admin approval?
dumps.tadiphone.dev/dumps
elliwigy said:
Pretty sure it's not generated on the device. It's likely a key that was already there and just wasn't being used until the recent update, or it was implemented in the update. This is of course assuming it's a global key, i.e. the same password for all the devices. Sort of similar to how Samsung does their firmware, maybe: a key burned into the device at the factory, well hidden behind layers of security, never to be seen again even when it's used to verify stuff, lol.
It is burned into the device, yeah. No disabling it or intercepting it.
npjohnson said:
dumps.tadiphone.dev/dumps
It is burned into the device, yeah. No disabling it or intercepting it.
Right after I posted I went to explore and saw the dumps. I noticed there were some userdebug builds early on. Pretty cool. Are these all official firmwares?
And yes, makes sense. It's easier to find a zero-day exploit these days than to waste time trying to get the hardware-fused private keys :-/