Closed melontini closed 1 year ago
Could requests be made from here?
```java
// For ColorOS:
this.requestUrl = "https://ilk.apps.coloros.com/api/v2/";
switch ((Integer) intent.getExtras().get("MessengerFlag")) {
    case 1000:
        this.requestUrl += "apply-unlock";
        break;
    case 1001:
        this.requestUrl += "check-approve-result";
        break;
    case Constants.USERCENTER_PLUGIN_ID /*{ENCODED_INT: 1002}*/:
        this.requestUrl += "update-client-lock-status";
        break;
    case 1003:
        this.requestUrl += "get-all-status";
        break;
    case 1004:
        this.requestUrl += "lock-client";
        break;
}
```
https://forum.xda-developers.com/t/possible-leads-on-rooting-oppo-a72.4326995/
Update, no.
```java
public final class C1375b {
    @SerializedName(m2084a = "chipId")
    private String f8580a; //<- pcb
    @SerializedName(m2084a = "udid")
    private String f8581b; // <- imei
    @SerializedName(m2084a = "model")
    private String f8582c; //<- ro.product.name
    @SerializedName(m2084a = "otaVersion")
    private String f8583d;
    @SerializedName(m2084a = "token")
    private String f8584e; //<- heytap account token.
    @SerializedName(m2084a = "clientLockStatus")
    private int f8585f;
    @SerializedName(m2084a = "operator")
    private String f8586g;

    public final void m2149a(Context context) {
        Context context2;
        this.f8581b = C1353i.m2187d(context);
        this.f8582c = SystemProperties.get("ro.product.name", "");
        this.f8583d = C1353i.m2192b();
        context2 = RequestService.f8574b;
        this.f8584e = AccountAgent.getToken(context2, context2.getPackageName());
        this.f8580a = C1353i.m2190c();
        this.f8585f = 0;
        this.f8586g = SystemProperties.get("ro.oppo.operator", "");
    }
}
```
> Could requests be made from here?
> `case 1000: this.requestUrl += "apply-unlock";`
No, the Oppo and the Realme deeptesting apps are quite different. Both the REST urls and the way the request/replies are "encrypted" are different.
Also --totally different from Realme-- with Oppo a) you also need to log in in some way before being able to use the deeptesting app b) the unlocking code is actually used (it's passed as an argument to `android.engineer.OplusEngineerManager.fastbootUnlock`).
I have actually reverse-engineered the Oppo app too (and I'll upload the script one of these days), but frankly, it looks pretty pointless ;-(.
This is how far I could get it:
```
{"resps":"b059szZSBDjP72rtwG/vmNeBftlAJcoLwQ/jvaX7qM70W2Y2BHzV58CrAC2wE1pWmryNHP6r+Nh2yeKv2ijQ"}
{"code":-1007,"message":"会员登录状态查询返回错误"}
```
which google-translates to "The member login status query returns an error".
> realmemobile.com is back online
But it doesn't seem to work any more ;-(
It was fun while it lasted :)
> realmemobile.com is back online
> But it doesn't seem to work any more ;-(
> It was fun while it lasted :)
Well, now we know why it went offline! At least I can query my current code ¯\_(ツ)_/¯
Oppo really hates unlocking for some reason.
> realmemobile.com is back online
> But it doesn't seem to work any more ;-( It was fun while it lasted :)
curiously, it seems to work again -- maybe it was just a glitch
Great to hear! I did find this on their Indian community center https://c.realme.com/in/post-details/1661960232244367360
I think I'll keep trying to decompile oplus/oppo engineering frameworks until I lose my mind 🥴
thanks. it looks like they couldn't figure out how to fix it without breaking their "legitimate" users too, so they just put it back up temporarily
> decompile oplus/oppo engineering
I've looked at that too -- a local exploit would be the real solution -- but I haven't seen any low hanging fruit there
It might be fully joever
https://forum.xda-developers.com/t/how-to-guide-unlocking-using-deeptest-gdpr.4585829/post-88592813
> https://forum.xda-developers.com/t/how-to-guide-unlocking-using-deeptest-gdpr.4585829/post-88592813

They have started appending a `....0000000000RMX3471#########` trailer[^1] to the `unlockCode` and that's what probably breaks it.

As I don't have access to any real serialno + imei of a supported phone (e.g. like an indian RMX3461 or RMX3471) I don't know if that happens all the time or only when the serialno + imei doesn't match the phone model.

[^1]: The trailer is hex-encoded, like the rest of the unlockCode
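Added example (not part of the thread or of the script discussed in it): a check for whether a hex-encoded `unlockCode` carries the model-name trailer described in the comment above. The tail layout in the regex (ASCII `0` run, `RMX` model name, `#` padding), the function name and both sample codes are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Assumed layout of the decoded tail: run of ASCII '0', model name, '#' padding.
# The model pattern covers the names seen in the thread (RMX3471, RMX3474EEA).
TRAILER_RE = re.compile(rb"(0*)(RMX\d{4}[A-Z]*)(#*)\Z")


class Trailer(NamedTuple):
    model: str      # model name found in the trailer
    zero_run: int   # number of ASCII '0' characters before the model
    pad_len: int    # number of '#' characters after the model
    body_hex: str   # unlockCode with the trailer removed, still hex-encoded


def split_trailer(unlock_code_hex: str) -> Optional[Trailer]:
    """Return the trailer fields, or None when the code has no trailer.

    Raises ValueError if the input is not valid hex (odd length, bad digit).
    Bytes of the real code that happen to equal ASCII '0' directly before
    the model name are counted as part of the zero run.
    """
    raw = bytes.fromhex(unlock_code_hex.strip())
    m = TRAILER_RE.search(raw)
    if m is None:
        return None
    zeros, model, pad = m.groups()
    return Trailer(model.decode("ascii"), len(zeros), len(pad),
                   raw[:m.start()].hex())


# Constructed sample data: a made-up 4-byte body, without and with a trailer.
_BODY = bytes.fromhex("a1b2c3d4")
OLD_STYLE = _BODY.hex()
NEW_STYLE = (_BODY + b"0" * 10 + b"RMX3471" + b"#" * 9).hex()

if __name__ == "__main__":
    print(split_trailer(OLD_STYLE))
    print(split_trailer(NEW_STYLE))
```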
This might be getting annoying, but a guy from the "device team" on realme's terrible forum says the server is still "closed".
This change (using the new `struct` which includes the model) will break older phones, but I don't think there will be enough pushback to make them revert it ;-(
> https://forum.xda-developers.com/t/how-to-guide-unlocking-using-deeptest-gdpr.4585829/post-88592813
>
> They have started appending a `....0000000000RMX3471#########` trailer[^1] to the `unlockCode` and that's what probably breaks it.
>
> As I don't have access to any real serialno + imei of a supported phone (e.g. like an indian RMX3461 or RMX3471) I don't know if that happens all the time or only when the serialno + imei doesn't match the phone model.
May I ask you a question? Do you know if they append the region to the model name? (CN, EEA, RU etc.)
The model name appended is the one you had used with the `applyLkUnlock` command. When using my script without any `model ...` option, that's `RMX3471` or `RMX3461` (the `##...` are probably for padding).

I don't know if they accept any EEA or CN model with the `applyLkUnlock` command (they certainly do NOT accept my `RMX3474EEA` model, which was the very point of my script ;-)).
Hi, I just wanted to notify you that realmemobile.com has been shut down (permanently?), as it now returns a 'domain is not configured' error and 404 for any request. This includes `lk.` and `lkf.` subdomains.

realmemobile.com is back online