Question RESEARCH! unlock Bootloader - Black Shark 4

I really, really hope somebody is able to upload a YouTube video of how it works!
Regards
Source
Black Shark 4/4S/4pro/4SPro/5/pro models
Starting with the 4th generation, the bar for flashing Black Shark phones has officially been raised. Previously, 9008 flashing could be done without authorization, but from the 4th generation on, flashing must be authorized with a job (employee) number, which leaves many users unable to do it themselves. Judging from the many Black Shark 4 series account locks that have been removed, there are two methods.
Method 1: Remove the flash chip (字库, the eMMC/UFS storage) and flash it directly to unlock. This is essentially hardware-level repair; non-professionals should not attempt it. A Black Shark 4/5 unlocked by removing and reflashing the flash chip may have problems logging into the Xiaomi account and may be locked again after a system upgrade.
Method 2: Apart from removing the flash chip, Black Shark 4/4P/4S/5/5pro/5RS phones can also have the BL lock forced open, and a third-party modified JOYUI system can then be used to remove the account lock. At present this unlocking method is relatively mature, needs no disassembly, and can be completed quickly by flashing. Special note: for a locked Black Shark 4/5 series phone, never flash it wrongly and brick it into 9008 port mode; a 9008 port in that state requires disassembly to flash successfully. Limited by the difficulty of flashing, from the 4th generation on, ordinary users are not supported in unlocking the BL and flashing; a professional is needed to flash successfully.
Mod. edit: post translated. alecxs

Hey, as an IT student, these models from the 4th generation have made flashing a bit tougher. Previously, you could flash them without authorization, but now you need a job number for authorization. This has left many users unable to do it themselves. You have to force open the BL lock and use a modified version of the JOYUI system for unlocking. It doesn't require phone disassembly. However, be careful not to accidentally brick your phone into the 9008 port. Starting from the 4th generation, ordinary users can't unlock BL flashing, so professional help is necessary. By the way, when researching for papers, reading online studies can provide valuable insights and up-to-date information on your topic. On https://paperap.com/ I ask writing experts to do my research on various technologies, and the academic professionals' free essays and term papers by Paperap help me so much to get ready for my university homework. I hope my suggestions will make your problem easier to solve.

Related

Looking for documentation about Qualcomm bootloader/download mode

I own an LG Optimus Elite phone, which is based around the Qualcomm MSM7k. This phone, like many other Qualcomm devices, has a download mode you can enter where you can send commands over USB to the phone for reading/writing RAM and ROM and things like that. After some messing around, I found the second-stage bootloader (osbl.mbn) on the second partition of the phone. I reverse engineered some stuff and got the bootloader loaded up in IDA, and have a good bit of it figured out, including where they implement the download mode.
I already wrote some code that can talk to the download mode; I can send commands and receive the replies, and I have already made myself a list of all the supported commands and subcommands and started documenting what they do. I also found the implementation of some of their crypto stuff and some hardcoded keys/hashes. What I'm looking for now is some sort of documentation about the bootloader and/or the download mode. It would be really awesome if somebody could point me to some documentation about what sort of things you can do with this one, or similar bootloaders. Some of the commands look like they are for writing to the internal ROM, and I would like to avoid messing with those that might brick my phone if used wrong. Any documentation about the logic of the boot process would really help too. I see code here for booting secure ELFs and stuff like that, which will take a bit of effort to reverse.
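Since gianptune's post is about writing a host-side client for a Qualcomm download mode, here is an added example in Go; it is not gianptune's code and not taken from any Qualcomm documentation. It implements only the transport layer: the HDLC-style framing used by Qualcomm's DIAG/download-mode family of serial protocols, where each frame is the payload followed by CRC-16/X-25 in little-endian order, byte-stuffed (0x7E and 0x7D are escaped as 0x7D followed by the byte XOR 0x20) and terminated by a 0x7E flag. The command set is deliberately not modelled, and the sample payload is constructed. The point for a practitioner is the decoder: it validates the terminator, every escape sequence and the CRC before returning anything, so a truncated or corrupted reply is rejected instead of acted upon, which matters precisely when some of the commands on the other end write to ROM.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Added example (not code from the thread): HDLC-style framing as used by
// Qualcomm DIAG/download-mode style serial protocols. A frame is
// payload || CRC-16/X-25 (little-endian), byte-stuffed, terminated by 0x7E.

const (
	flag   = 0x7E // frame terminator
	escape = 0x7D // escape byte; the following byte is XORed with xorval
	xorval = 0x20
)

// crc16X25 is CRC-16/X-25 (poly 0x1021 reflected as 0x8408, init 0xFFFF,
// final complement): the PPP FCS of RFC 1662 and Qualcomm's HDLC CRC.
// Check value for "123456789" is 0x906E.
func crc16X25(data []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0x8408
			} else {
				crc >>= 1
			}
		}
	}
	return ^crc
}

// Encode wraps one payload into a complete, stuffed, terminated frame.
func Encode(payload []byte) []byte {
	crc := crc16X25(payload)
	raw := append(append([]byte{}, payload...), byte(crc), byte(crc>>8))
	out := make([]byte, 0, len(raw)+4)
	for _, b := range raw {
		if b == flag || b == escape {
			out = append(out, escape, b^xorval)
		} else {
			out = append(out, b)
		}
	}
	return append(out, flag)
}

// Decode parses exactly one frame and returns its payload only if the
// terminator, escapes and CRC are all valid; anything else is an error.
func Decode(frame []byte) ([]byte, error) {
	if len(frame) == 0 || frame[len(frame)-1] != flag {
		return nil, errors.New("missing 0x7E terminator")
	}
	body := frame[:len(frame)-1]
	raw := make([]byte, 0, len(body))
	for i := 0; i < len(body); i++ {
		switch body[i] {
		case flag:
			return nil, errors.New("unexpected flag byte inside frame")
		case escape:
			i++
			if i >= len(body) {
				return nil, errors.New("truncated escape sequence")
			}
			raw = append(raw, body[i]^xorval)
		default:
			raw = append(raw, body[i])
		}
	}
	if len(raw) < 2 {
		return nil, errors.New("frame too short to carry a CRC")
	}
	payload, trailer := raw[:len(raw)-2], raw[len(raw)-2:]
	got := uint16(trailer[0]) | uint16(trailer[1])<<8
	if want := crc16X25(payload); got != want {
		return nil, fmt.Errorf("bad CRC: got 0x%04X want 0x%04X", got, want)
	}
	return payload, nil
}

func main() {
	msg := []byte{0x7E, 0x01, 0x7D, 0x02} // constructed payload that needs stuffing
	frame := Encode(msg)
	fmt.Printf("frame: % X\n", frame)
	back, err := Decode(frame)
	fmt.Println("round trip ok:", bytes.Equal(back, msg), err)
	frame[1] ^= 0xFF // simulate line corruption
	_, err = Decode(frame)
	fmt.Println("corrupted frame:", err)
}
```

When reading from a real serial device, accumulate bytes until a 0x7E arrives and hand each complete frame to Decode; a frame that fails to decode should be logged and dropped, never partially interpreted.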
gianptune said:
I own an LG Optimus Elite phone, which is based around the Qualcomm MSM7k. [...]
I am interested in this subject too.
I am trying to do the same thing, but I lack the experience.
I have a tablet with an MSM8255 that is made in China. In Europe it is sold without the phone capabilities; in Russia the same tablet is sold with the phone capabilities. I flashed the firmware from the Russian tablet, but still no phone function, so I think I need some ideas on how to download some stuff from the Russian model and flash it onto the European version.
I will do some research at the uni because I have access to more academic resources.
Are you the same guy from the Wii scene? Anyway, I don't know enough to help you myself, but you may want to check out revolutionary.io and unlimited.io. They have hacked bootloaders on phones.

[Q] Microsoft Surface Pro Custom Boot Screen

Hello!
I am posting here because I am new on the forum and cannot post on the Microsoft Surface developers forum.
Here is what I want to do. I am a user of a Microsoft Surface and I want to change the boot (splash) screen of my tablet (where it says "Surface" and where the loading circle is) to a custom image. So far I haven't found anything useful that would lead me to my goal.
I know that this setting has to be changed in the firmware (BIOS/UEFI). But is there any way to access it? Maybe the right .ROM file, opened with MMTool, would work?
Thank you very much for any information.
Regards, Jerry
I've previously modified many BIOS/UEFI firmwares, but as always, this requires research and reverse engineering. A good starting point would be either dumping the BIOS or using the UEFI .cap files, which are packaged firmware (updates). I will try to do this, but there is a risk of bricking the board, and unlike desktop boards I don't see a way to recover from a bad flash on the Surface. (UART might work, but you'd have to disassemble the device first, which isn't easy.)

A ton of difficult questions about Android

They are all about Android 4.3 and above.
A few questions about unrooting/locking/unlocking/booting.
1) What are the benefits of rooting other than being able to a) set custom CPU frequency policies, b) update your phone (to custom new ROMs like CyanogenMod) when your OEM has decided to stop supporting it, c) get full filesystem access, d) tune sysctl parameters?
I don't like the fact that rooting totally breaks Android's security model.
2) Do I understand correctly that a locked phone is a phone on which you cannot overwrite/replace/customize vmlinuz? Or are there even stricter limitations?
3) Do I understand correctly that in order to change e.g. /etc files you don't really need a custom ROM; you can boot into TWRP and replace/edit/remove the needed files?
4) Why does unlocking wipe all your data?
5) If the phone is locked, how does the bootloader/firmware know that our bootloader is untampered? Does the bootloader have a digital signature? I ask because let's imagine that I 1) unlock, 2) change vmlinuz (allow superuser), 3) lock?
6) How does "oem lock" verify that the system data is genuine? Or does it simply wipe everything clean? Does Android have some (RO) partition which always contains a genuine virgin ROM you cannot meddle with?
7) If I do "unlock" on my Nexus device, without changing anything or installing any 3rd-party bootloader (like TWRP), will I be able to update to new official ROMs via OTA updates?
8) Why does every "lock" manual say that I need to upload a genuine official ROM? What if I've changed it and made it "rooted"?
Storage.
Why does Android have so many partitions?
What method is used to break the internal storage into partitions? Is it some kind of partition table (MS-DOS, GPT) or is it hardware based?
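On the storage question: Qualcomm-based Android devices divide the eMMC/UFS with a standard GPT (the partitions you see under /dev/block/by-name), and both the GPT header and the partition entry array carry CRC-32 checksums, which is how a bootloader can notice a corrupted or truncated table before trusting any LBA range in it. The following Go code is an added example, not from this thread: it builds a constructed two-partition GPT (partition names, LBA ranges and the placeholder GUIDs are made up; LBA 0 is left empty instead of a protective MBR) and parses it back with those integrity checks, refusing a table whose header or entries have been altered.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"strings"
	"unicode/utf16"
)

// Added example, not from the thread. Field offsets, the 128-byte entry
// layout and CRC-32/IEEE follow the UEFI GPT specification; the sample
// disk contents below are constructed.
const sector = 512

type Partition struct {
	Name              string
	FirstLBA, LastLBA uint64
}

// utf16Name encodes a partition name into the 72-byte UTF-16LE name field.
func utf16Name(name string) []byte {
	buf := make([]byte, 72)
	for i, u := range utf16.Encode([]rune(name)) {
		if i >= 36 {
			break
		}
		binary.LittleEndian.PutUint16(buf[2*i:], u)
	}
	return buf
}

// BuildGPT lays out the header at LBA 1 and the entry array at LBA 2.
func BuildGPT(parts []Partition) []byte {
	entries := make([]byte, 128*len(parts))
	for i, p := range parts {
		e := entries[128*i:]
		e[0] = 1            // constructed type GUID; non-zero marks the slot in use
		e[16] = byte(i + 1) // constructed unique GUID
		binary.LittleEndian.PutUint64(e[32:], p.FirstLBA)
		binary.LittleEndian.PutUint64(e[40:], p.LastLBA)
		copy(e[56:], utf16Name(p.Name))
	}
	hdr := make([]byte, 92)
	copy(hdr, "EFI PART")
	binary.LittleEndian.PutUint32(hdr[8:], 0x00010000) // revision 1.0
	binary.LittleEndian.PutUint32(hdr[12:], 92)        // header size
	binary.LittleEndian.PutUint64(hdr[24:], 1)         // this header's LBA
	binary.LittleEndian.PutUint64(hdr[72:], 2)         // entry array LBA
	binary.LittleEndian.PutUint32(hdr[80:], uint32(len(parts)))
	binary.LittleEndian.PutUint32(hdr[84:], 128)
	binary.LittleEndian.PutUint32(hdr[88:], crc32.ChecksumIEEE(entries))
	// The header CRC is computed while its own CRC field is still zero.
	binary.LittleEndian.PutUint32(hdr[16:], crc32.ChecksumIEEE(hdr))
	disk := make([]byte, 2*sector)
	copy(disk[sector:], hdr)
	return append(disk, entries...)
}

// ParseGPT checks the signature and both CRCs before trusting any field,
// then returns the in-use partitions.
func ParseGPT(disk []byte) ([]Partition, error) {
	if len(disk) < 2*sector {
		return nil, errors.New("image too small for a GPT header")
	}
	hdr := disk[sector : sector+92]
	if !bytes.Equal(hdr[:8], []byte("EFI PART")) {
		return nil, errors.New("missing EFI PART signature")
	}
	tmp := append([]byte{}, hdr...)
	binary.LittleEndian.PutUint32(tmp[16:], 0)
	if crc32.ChecksumIEEE(tmp) != binary.LittleEndian.Uint32(hdr[16:]) {
		return nil, errors.New("header CRC mismatch")
	}
	n := uint64(binary.LittleEndian.Uint32(hdr[80:]))
	esz := uint64(binary.LittleEndian.Uint32(hdr[84:]))
	off := binary.LittleEndian.Uint64(hdr[72:]) * sector
	if esz < 128 || n > 1024 || off+n*esz > uint64(len(disk)) {
		return nil, errors.New("entry array out of range")
	}
	entries := disk[off : off+n*esz]
	if crc32.ChecksumIEEE(entries) != binary.LittleEndian.Uint32(hdr[88:]) {
		return nil, errors.New("entry array CRC mismatch")
	}
	var parts []Partition
	for i := uint64(0); i < n; i++ {
		e := entries[i*esz:]
		if bytes.Equal(e[:16], make([]byte, 16)) {
			continue // all-zero type GUID: unused slot
		}
		u := make([]uint16, 36)
		for j := range u {
			u[j] = binary.LittleEndian.Uint16(e[56+2*j:])
		}
		parts = append(parts, Partition{
			Name:     strings.TrimRight(string(utf16.Decode(u)), "\x00"),
			FirstLBA: binary.LittleEndian.Uint64(e[32:]),
			LastLBA:  binary.LittleEndian.Uint64(e[40:]),
		})
	}
	return parts, nil
}

func main() {
	disk := BuildGPT([]Partition{{"boot", 34, 1057}, {"system", 1058, 9999}})
	fmt.Println(ParseGPT(disk))
	disk[2*sector+40] ^= 1 // flip a bit in the first entry's LastLBA
	_, err := ParseGPT(disk)
	fmt.Println("after tampering:", err)
}
```

A real implementation would also check the backup header at the last LBA and the protective MBR; the two CRCs are the part that makes "is this table intact?" a question the bootloader can answer before it reads a single partition.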
1. The purpose of rooting is to give you an access level equal to the product's development team. Rooting is basically an unofficial way of doing exactly what the developers are doing on a daily basis. You can either accept that people are going to root and that the community adds value and bug fixes to your product through independent development (Android); or you can actively take measures to lock down root access and maintain a gateway to development in the belief that this doctrine maintains a unified experience, protects the security of intellectual property, and provides better overall security (Apple).
There are pros and cons to each side. With the Android approach, you are offloading a lot of your development burden onto the community and getting R&D, patches, and extended product life in return, for free. You take the risk of lowered security, but usually make it back because the community is a larger workforce with more man-hours and a vested interest in the product. They provide you with answers to problems you don't even know about, as long as you listen.
With the Apple approach, you maintain strong control over making the product do exactly what you want. This makes the product work exactly as expected, which can be easier for the user. However, your design has to be VERY good for the community to accept it. You also suffer in that you lock the community out from enhancing your product, so you HAVE to be the one coming up with all the ideas. Also, if the community finds a breach in your security, it can be devastating. Look at how much energy and money Apple pours into preventing jailbreaks.
I wouldn't be too worried about the 'break in security model', as you say, unless the Android platform becomes fraught with viruses. After all, consider that Unix on your PC is essentially the same thing, and you request root access on it to install certain things.
2. I'll let someone else chime in with a better answer.
3. With root access you don't need a custom ROM; you just need the ability to obtain root permission and a file browser that will get you to protected areas.
4. I'm not sure I'm thinking about the same stuff as you here. Rooting doesn't wipe anything from what I remember. Replacing the ROM does, but that's because the ROM 'installer' doesn't have anything to preserve user settings. I don't consider this weird, since Windows didn't have a really decent migration package built into the installer until Windows 8.
5. There's a counter that iterates. Research trianglemod for an example of this topic.
6. It's hard to say what tools the OEM has without them releasing the tools to the public. They, of course, are going to have better tools than us. No, there is no read-only partition that I'm aware of that contains a full ROM that you can dump back in place. I've gone so far as to fully wipe my Galaxy S3 to the point where it only had ClockworkMod and a boot screen that never went away. If I had gone much further, I could probably have bricked the phone, requiring an external programming tool. A full brick would remove the interface to your PC, which I believe is a possibility.
7. A new OEM ROM update will do one of three things:
a. update the phone to the new ROM and most likely break all the apps
b. update the phone and wipe everything
c. partially update the phone to a state where it won't boot due to corruption (I've been here, lol)
8. Not sure what we are talking about here.
9. Android is based on Linux. Linux is designed with specific partitions to handle different tasks for storage, memory access, stuff like that. If you aren't happy with the design, you are free to do something else: you don't have to use Android on an Android phone; you can probably put FreeBSD or Slackware or something on it, or write your own kernel.
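On questions 5, 6 and 8 above (how a locked bootloader knows the image is genuine, what "oem lock" can check, why the lock guides insist on a stock image) and the "counter that iterates" in answer 5, here is an added model in Go. It is not code from this thread or from any OEM's bootloader; the header layout, the key names and the sample "kernel" bytes are constructed for the example. The shape is the one Android Verified Boot uses: the boot ROM trusts only a hash of the OEM public key (burned into one-time-programmable fuses on a real SoC) plus a monotonic rollback index, and a boot image carries a header (version and payload hash) signed by the OEM key. It shows why the unlock, edit vmlinuz, re-lock sequence fails on a locked device: the edited payload no longer matches the signed hash, an image signed with any other key fails the fuse check, and a genuinely signed but older image is refused by the counter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not from the thread: a toy model of a locked bootloader's
// chain of trust. Header layout and names are constructed for the demo.

// Image is what sits in the boot partition: payload plus a signed header.
type Image struct {
	Version uint32
	Payload []byte // e.g. the kernel
	PubKey  ed25519.PublicKey
	Sig     []byte // signature over header(Version, SHA-256(Payload))
}

// header returns the bytes the OEM signs: version || SHA-256(payload).
func header(version uint32, payload []byte) []byte {
	h := sha256.Sum256(payload)
	buf := make([]byte, 4+32)
	binary.LittleEndian.PutUint32(buf, version)
	copy(buf[4:], h[:])
	return buf
}

// Sign is what the OEM's release pipeline does with its private key.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	pub := priv.Public().(ed25519.PublicKey)
	return Image{Version: version, Payload: payload, PubKey: pub,
		Sig: ed25519.Sign(priv, header(version, payload))}
}

// Device models the state that lives in the SoC, not in flash.
type Device struct {
	OEMKeyHash    [32]byte // fuse: SHA-256 of the trusted public key
	RollbackIndex uint32   // fuse counter: lowest version still accepted
	Unlocked      bool     // "fastboot oem unlock" state
}

var (
	ErrUntrustedKey = errors.New("public key does not match fused hash")
	ErrBadSignature = errors.New("signature verification failed")
	ErrRollback     = errors.New("image older than rollback index")
)

// Boot is the ROM/bootloader check. On an unlocked device the signature
// is not enforced (that is what unlocking means); on a locked device any
// edit to the payload, or re-locking with an edited image, fails here.
func (d *Device) Boot(img Image) error {
	if d.Unlocked {
		return nil
	}
	if sha256.Sum256(img.PubKey) != d.OEMKeyHash {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(img.PubKey, header(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version < d.RollbackIndex {
		return ErrRollback
	}
	if img.Version > d.RollbackIndex {
		d.RollbackIndex = img.Version // the counter only ever moves forward
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the OEM's key pair
	dev := &Device{OEMKeyHash: sha256.Sum256(pub)}
	official := Sign(priv, 2, []byte("stock kernel v2"))
	fmt.Println("stock image:", dev.Boot(official))
	modded := official
	modded.Payload = []byte("stock kernel v2 + su") // unlock, edit, re-lock
	fmt.Println("modified then re-locked:", dev.Boot(modded))
	fmt.Println("older signed image:", dev.Boot(Sign(priv, 1, []byte("stock kernel v1"))))
}
```

This is also why "oem lock" on a modified system is dangerous rather than merely ineffective: the device will refuse to boot the image it finds, and without an unlocked bootloader there is no ordinary path to replace it.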

Reading "register" information from my ZTE MF90+

Hi folks, I have read quite a bit in the XDA-dev forums over the last few years, but now it's time to change my status "from passive to active". :silly:
- I have a "ZTE MF90+" (a nifty little mobile 4G WiFi hotspot with battery). The chipset should be based on a Qualcomm MDM9215.
- I bought it about 3 years ago and it is SIM-locked (aka provider-locked, iirc).
- I fiddled around a bit with it and am able to ADB into it (from my Ubuntu 18.04 machine and from my Raspberry Pi too, e.g. to activate RNDIS/CDC mode for USB tethering).
- I have an unlock code that should work "to tear down this SIM-lock wall" without any hassle.
So far, so good ... but my interest is still not satisfied; I want to know what happens inside this modem when I enter the unlock code. I simply want to observe and understand what's going on under the hood.
To quote Ylvis from their song Stonehenge: "And I know I should be happy, but instead, there's a question I can't get out of my head!"
Maybe a year ago I did some internet research, where I found several clues that the "SIM-lock" information might be stored inside some section of NV storage: https://forum.xda-developers.com/showthread.php?t=1954029.
On some other Russian hacker forum (that I can't find right now, unfortunately), according to Google Translate, one of them seemed to be able to change one NV entry there to get rid of the SIM-lock. The tabs are still open on my other Ubuntu 14.04 laptop 250 km away from here, so it might take some time to provide the "Russian hacker forum link" here for further reference. I didn't try it out back then, as I relied heavily on this mobile hotspot at the time and could neither afford to brick it nor had the time to fiddle around further.
What I also remember is this thread: https://forum.xda-developers.com/showthread.php?t=1804117, but it is from 2012 and e.g. the download link for NV-items_reader_writer.rar doesn't work anymore, so I haven't been able to get this program running yet.
So now I need your help:
-> What tools can I use (on my Ubuntu Linux machine, if necessary via WINE) to read out a "full image" of the (Android) system to flash back later (if necessary), and what tool can I use to read (and modify, if necessary one day) the NV items to compare them "before and after" I unlocked it?
Any hints where to start and in which direction I could head from there? :cyclops:
Please help me to grow and rise :highfive:

Rooting the Anki Vector Robot - a robot that runs Android

Hi,
My name is Melanie; I'm part of an effort to root the Vector robot made by Anki.
Anki has recently gone into administration, with the IP of the company winding up as collateral for an emergency loan that was never paid back.
Vector is very much dependent on the "cloud", namely Anki's servers running on AWS. The SSL certificate for these servers is due to expire in September. There is little chance of it being renewed, since the company has no funds.
A group of tech-savvy owners have got together on Discord to discuss how to help Vector survive the coming demise of his servers. They had already collected a not insignificant amount of information in the form of datasheets and observations, as well as images of the internals of the robot and images of jigs Anki used during development.
I'm bringing this project to this forum because, internally, Vector is really a phone without the GSM part.
He is powered by a Qualcomm APQ8009 (Snapdragon 212), which has been paired with a combination RAM/flash chip by Kingston, 04EMCP04-NL3DM627. There is also a WiFi/BLE module, a screen and 4 microphones.
The Snapdragon runs an Android bootloader and Linux kernel version 3.18.66-perf.
This is where he differs from a phone: he doesn't start Zygote, but rather runs a number of daemons from systemd.
As shipped, there is no user-accessible wired IO.
There are a number of wire pads on the PCB, as well as unpopulated pads for a micro USB port. When I joined the project, the serial port was already known, but while it provides a boot log, there is no getty on it.
The USB port had up to this point not been successfully activated.
Since I'm a hardware person, that is where I placed my lever. I populated the USB port and started digging. Finally I found a solder pad labeled F_USB which was not even close to the USB port, but turned out to be a boot mode pin of the CPU. Pulling it to VCC made the USB port enumerate in EDL mode. Qualcomm calls it QDL or QDLoader, but it is basically an interface to the ROM in the CPU, just like phones have.
From this I managed to grab a CPU ID, but not much more.
Meanwhile, we reverse-engineered the phone app that comes with it and are currently writing a general-purpose library to talk to Vector over BLE.
At this point, I found that I was facing a thicket of software, mostly either cracked or containing malware, or both, with very few legit options.
I see a few options to go forward on this:
- Find software that can talk to the Snapdragon 212 to extract the current image
- Desolder the flash to extract the image via a programmer
- Desolder the CPU to access the flash's data lines without having to heat the flash, which could corrupt it
The last two options are bound to be destructive, and all of us owners have formed a connection to our robots and are loath to sacrifice them. Also, they require a bit of investment and are, because of that, no quick wins.
I'm hoping that someone here may have the missing pieces I need to get from QDL 9008 mode to an image of the flash on my disk. We believe we have another way to flash it, not needing the USB port, but we don't have an image to try it with, and flashing something like all zeroes would needlessly destroy a robot.
- Melanie
PS: I would post links but I'm too young to do so. There is a Google group called "Project Victor" with the info we have so far, called anki-vector-rooting, a.k.a. Project Victor.
https://groups.google.com/forum/m/#!forum/anki-vector-rooting
You are welcome to PM links to me and I will post them as a workaround.
hope the best!
Link to Project Vector
http://projectvictor.my.to/
