turistu / rmx3474-rooting

rooting the Realme 9 5G rmx3474 phone
GNU General Public License v3.0

Realme 9 Pro Plus not working #4

Open amigaser opened 1 year ago

amigaser commented 1 year ago

After updates on their server, the script no longer works for our smartphones.

pm has-feature oppo.version.exp: true
ro.product.name: RMX3393RU
ro.product.model: RMX3393
ro.build.version.ota: RMX3393_11.C.12_1120_202305050653

I managed to unlock the bootloader before their updates, but others fail. Deeptest writes "This phone model does not support deep testing." If I flash the phone to the Taiwan region, where unlocking is supported, then the deeptest passes, but fastboot in the bootloader does not unlock. When I click "Start the in-depth test," the phone reboots, writes an unlock error and boots back into the system. The request perl deeptesting-junk.pl pcb 0xHHHHHHHH imei DDDDDDDDDDDDDDD cmd checkApproveResult returns this: {"resultCode":-1006,"msg":"已成功提交审核,正在审核..."}

http://videopro.ru/unlock_fail.jpg

use the new struct
the model name is not match
the model name is not match
verify partition data fail, status = %r
fastboot_unlock_verify fail

rapperskull commented 1 year ago

The plan would be like this:

  1. Apply for the deeptest and unlock the bootloader
  2. Flash Magisk patched boot.img
  3. Save the content of oplusreserve1
  4. With root access, overwrite all the relevant info in oplusreserve1 with zeroes
  5. If @turistu is right with the interpretation of the log, it shouldn't be possible to access fastboot (but the bootloader is still unlocked)
  6. With root access, restore the content of oplusreserve1 up until the serial number (without the trailer)
  7. See if it's possible to access fastboot or not

melontini commented 1 year ago

There's no need to check this. This is how it works. You can have an unlocked bootloader without fastboot access, but you can't unlock without fastboot. That's also confirmed by the old mtk-client unlock method.

Btw, I shared the VerifyHashWithRSASignature function here: https://forum.xda-developers.com/t/discussion-a-thread-to-collate-and-share-what-is-known-about-unlocking-fastboot-on-oppo-devices.4490041/post-88602875

rapperskull commented 1 year ago

But we know nothing about step 7, do we?

melontini commented 1 year ago

Well, yeah. I unfortunately can't do that, despite having the original code on hand, because there's no way to write it atm.

rapperskull commented 1 year ago

No worries. If it works, I can think of at least 2 modes of attack:

  1. MITM of the deeptesting app, but system apps don't accept user certificates
  2. Temporary root exploit to overwrite the other info after the deeptesting app wrote it

turistu commented 1 year ago

I think we should try to extract the public key from the bootloader and check what's actually inside. BTW, if the two bytes following the serial number are not 0x30 0x30, the permission and model name check are skipped entirely.

That's my impression too. If you're really able to write to opporeserve1, a trick you can try is "stuffing" the model number by appending non-hexdigit characters to it; i.e. (assuming your serial number is deadbeef)

perl deeptesting-junk.pl ... pcb 0xdeadbeefZZZZZZZ

instead of

perl deeptesting-junk.pl ... pcb 0xdeadbeef

Obviously, this cannot work with the deeptesting app, since the app will not use the "stuffed" pcb.

What I'm wondering is what happens if we overwrite everything after the serial with zeroes, like in the old struct. Will the new signature match?

Most probably not.

Can't know without finding what the signature signs.

I think that the first part of the unlockCode is a signature for the second part, and it "signs" whatever this latter contains.

techyminati commented 1 year ago

Bypassing through the script does not work. Fastboot does not unlock.

I suppose that you're getting again the "use the new struct" and "the model name is not match" messages on the screen, right?

Same, I'm getting this image

rapperskull commented 1 year ago

That's my impression too. If you're really able to write to opporeserve1, a trick you can try is "stuffing" the model number by appending non-hexdigit characters to it; i.e. (assuming your serial number is deadbeef)

perl deeptesting-junk.pl ... pcb 0xdeadbeefZZZZZZZ

instead of

perl deeptesting-junk.pl ... pcb 0xdeadbeef

I tried appending 11 to my serial (since we simply need something different from 00 to skip the model check), but I'm getting the wait for approval message. The serial is fixed to 8 characters, so it isn't hard to imagine they will check it server side.

What I'm wondering is what happens if we overwrite everything after the serial with zeroes, like in the old struct. Will the new signature match?

Most probably not.

Can't know without finding what the signature signs.

I think that the first part of the unlockCode is a signature for the second part, and it "signs" whatever this latter contains.

My hope is that they actually only sign the first part (the serial), in order to be compatible with older versions of the bootloader. I will try to disassemble the old bootloader to see if it already supports the new struct.

EDIT: It does.

turistu commented 1 year ago

That's my impression too. If you're really able to write to opporeserve1, a trick you can try is "stuffing" the model number by appending non-hexdigit characters to it; i.e. (assuming your serial number is deadbeef)

perl deeptesting-junk.pl ... pcb 0xdeadbeefZZZZZZZ

instead of

perl deeptesting-junk.pl ... pcb 0xdeadbeef

I tried appending 11 to my serial

No, try with non-hexdigit characters, like Z or W.

Their server is obviously using something like strtoul(s, 0, 16) to parse the initial part of the string as a number and decide that your serial is garbage if the number turns out greater than 0xffffffff ;-)

(since we simply need something different from 00 to skip the model check), but I'm getting the wait for approval message.
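An added example (not part of the thread or of deeptesting-junk.pl) that contrasts the lenient strtoul-style parse described above with the strict validation a server should apply to a fixed-width hex serial. The check functions and their behaviour are assumptions modelled on the comment, not the real server's code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>

/* Lenient check, assumed to mirror strtoul(s, 0, 16): parse the leading
 * hex digits, ignore whatever follows, and reject only when the parsed
 * value does not fit in 32 bits. Returns 1 if the serial is accepted. */
int lenient_serial_ok(const char *s)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 16);
    if (end == s || errno == ERANGE)
        return 0;                 /* no hex digits at all, or overflow */
    return v <= 0xffffffffUL;     /* trailing non-hex characters ignored */
}

/* Strict check: exactly 8 hex digits and nothing else. Returns 1 if ok. */
int strict_serial_ok(const char *s)
{
    size_t n = strlen(s);
    if (n != 8)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

int main(void)
{
    /* constructed inputs, deadbeef is the placeholder serial from the thread */
    const char *inputs[] = { "deadbeef", "deadbeef11", "deadbeefZZZZZZZ", "ZZZZ" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        printf("%-16s lenient=%d strict=%d\n", inputs[i],
               lenient_serial_ok(inputs[i]), strict_serial_ok(inputs[i]));
    return 0;
}
```

The lenient parser accepts "deadbeefZZZZZZZ" (it stops at the first non-hex character) but rejects "deadbeef11" (ten hex digits overflow 32 bits), which is the difference the comment above points at; the strict check rejects both.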

turistu commented 1 year ago

Same, I'm getting this image

@techyminati thanks

Obviously I replaced my real values with "xxxxxx.." here

But notice that if you have a phone model like realme X 10 (where the serial number is something longer), my script would not help at all, even if they were still using the old struct (it's not just a matter of the server artificially blocking the phone model).

rapperskull commented 1 year ago

No, try with non-hexdigit characters, like Z or W.

Same result unfortunately.

melontini commented 1 year ago

They changed approval times again, my real values are also stuck on waiting for approval. The lk. server worked, though.

techyminati commented 1 year ago

Same, I'm getting this image

@techyminati thanks

Obviously I replaced my real values with "xxxxxx.." here

I suggest you delete your next comment, since the unlockCode includes the serial number in hex form (Delete it, don't just edit it, since this github thing shows the edit history ;-)).

But notice that if you have a phone model like realme X 10 (where the serial number is something longer), my script would not help at all, even if they were still using the old struct (it's not just a matter of the server artificially blocking the phone model).

@turistu do you have Telegram or something to communicate?

rapperskull commented 1 year ago

How do you guys get that screen with the errors? When I try to tamper with my already unlocked phone, I simply get kicked out of fastboot via a reboot.

melontini commented 1 year ago

I think it depends on the CPU brand. Do you have a Qualcomm CPU?

rapperskull commented 1 year ago

Yes, Qualcomm.

turistu commented 1 year ago

@turistu do you have Telegram or something to communicate?

@techyminati you can email me, but I really don't have anything secret to share ;-)

turistu commented 1 year ago

How do you guys get that screen with the errors? When I try to tamper with my already unlocked phone, I simply get kicked out of fastboot via a reboot.

It depends on the phone model; but you can get those error messages (and full boot logs) from the oppo/oplusreserve5 partition: i.e. strings /dev/block/by-name/oplusreserve5 from a root shell.

techyminati commented 1 year ago

@turistu do you have Telegram or something to communicate?

@techyminati you can email me, but I really don't have anything secret to share ;-)

I just wanted to share: I was trying this on a realme Pad 2 (RMP2204), but yeah, I'm getting that error

use the new struct.
the model name is not match
the model name is not match
verify partition data fail, status = %r
fastboot_unlock_verify fail

I guess that's due to their server-side patch?

amigaser commented 1 year ago

From some /etc/permissions/*.xml file in the my_product partition.

I couldn't find any mention of oppo.version.exp there. :(

turistu commented 1 year ago

From some /etc/permissions/*.xml file in the my_product partition.

I couldn't find any mention of oppo.version.exp there. :(

It should be there, if you have an export firmware. Try adb shell grep oppo.version /my_product/etc/permissions/*.xml (no root needed).

Correction: on your phone model (RMX3393) it should be in my_stock instead of my_product, so

adb shell grep oppo.version /*/etc/permissions/*.xml

should get it either way (no root needed).

In the RMX3393export_11_A.08_2022081714560133 stock rom, I have found it inside RMX3393*.ofp -> super.1.f0d2323d.img -> my_stock_a -> /etc/permissions/realme_stock_app_export_system_features.xml:

<permissions>
  <feature name="oppo.version.exp" />
</permissions>

turistu commented 1 year ago

use the new struct.
the model name is not match
the model name is not match
verify partition data fail, status = %r
fastboot_unlock_verify fail

I guess that's due to their server-side patch?

Yes, but the change happened on 26 of May, not now.

But they kept returning old-style unlock codes (not triggering that "use the new struct" check) for people who had submitted the application before that date.

Hence the confusion with the app appearing to work for some people but not for others.

amigaser commented 1 year ago

my_stock_a -> /etc/permissions/realme_stock_app_export_system_features.xml

How did you unpack the image of the my_stock_a.img from firmware? What utility? Is there one for Win?

rapperskull commented 1 year ago

How do you guys get that screen with the errors? When I try to tamper with my already unlocked phone, I simply get kicked out of fastboot via a reboot.

It depends on the phone model; but you can get those error messages (and full boot logs) from the oppo/oplusreserve5 partition: i.e. strings /dev/block/by-name/oplusreserve5 from a root shell.

I think it changes between models, because in oplusreserve5 there's nothing.

melontini commented 1 year ago

Obviously, this cannot work with the deeptesting app, since the app will not use the "stuffed" pcb.

I think there might be a way... I can't check if keys generated like this will get approved by the bootloader, but the deep testing app detects applications like this...

I need to wait 10 days before I can confirm anything.

turistu commented 1 year ago

Obviously, this cannot work with the deeptesting app, since the app will not use the "stuffed" pcb.

but the deep testing app detects applications like this...

That's something new. Looks like they're introducing new interesting breakages while trying to fix the old ones.

turistu commented 1 year ago

my_stock_a -> /etc/permissions/realme_stock_app_export_system_features.xml

How did you unpack the image of the my_stock_a.img from firmware? What utility? Is there one for Win?

my_stock_a is an erofs file system image. On Linux you can just mount it.

No idea about Windows. Beware though that any utility which pretends to unpack a linux filesystem on windows is bound to be buggy and limited (because of features like sparse files, hard links, extended attributes and others).

amigaser commented 1 year ago

I managed to unpack the erofs images using the CRB utility and check my_stock in the Chinese firmware. There is no such realme_stock_app_export_system_features.xml file. Now the question: if I somehow manage to delete this file from this partition in the export firmware, will the deeptest work? And will the bootloader unlock? Or is something else needed?

melontini commented 1 year ago

Can you even modify EROFS? It's supposed to be read-only. And even then, you'll lose a bunch of features with a chance of brickage. You'll still need to submit your request using the script, since the Chinese server supports even less models.

amigaser commented 1 year ago

I asked purely theoretically. For example, for the Realme GT Master Edition (RMX3363), if you flash Chinese firmware via QFIL (the my_stock partition is also replaced), the phone becomes "non-export", the deeptest sends a request to the Chinese server and the bootloader unlocks. And it works. In fact, my question was: purely theoretically, does anything else in the firmware need to change, apart from deleting this .xml file, so that the deeptest sends a request to the Chinese server and unlocks the bootloader?

melontini commented 1 year ago

Yes, you definitely need more than that. You need at least a correct model to pass the server-side blacklist and the bootloader's model check. I have no idea where the bootloader gets the model name from.

Also, the private key used to generate the signature might be different between servers.

amigaser commented 1 year ago

So this is the key question. Where does the loader take the model? And, if the Chinese server uses another private key for encryption, then another public key must be used for decryption. Where does it come from? Or do I not understand that? It turns out that not only the export feature is important. What is the difference between Chinese and export firmware for the same phone model in terms of unlocking the bootloader?

melontini commented 1 year ago

Honestly, no idea, my phone has no Chinese version.

Unrelated, but they blocked new applications (-1004 applyLkUnlock) and started returning -1002 for all requests from blacklisted models and -1009 from valid ones.

amigaser commented 1 year ago

my phone has no Chinese version

Mine too, only export models. :) But there is Taiwanese firmware. Unlocking usually works on it.

amigaser commented 1 year ago

lk.realmemobile.com has not been working for two days. In the browser, I get path location is not configured. Does everyone have this or is it just my geolocation problem?

turistu commented 1 year ago

It is "working" here -- it accepts applications and generates codes.

Maybe they're geoblocking you, but that error does not suggest it. That server is not configured to accept GET requests on its root path, everybody will get the "path location is not configured" error if they try to go to https://lk.realmemobile.com/ with a browser.

turistu commented 1 year ago

BTW, their shoddy server does not care about the Content-Type, O_NETON or other headers, or extra crap in the POST data -- which means that my script could've been implemented as a form-submitting html + javascript page, which you could've even run in the browser on your phone, instead of having to install perl & stuff.

But it's unfortunately too late for that now ;-(

amigaser commented 1 year ago

Apparently they changed something on their server? Two days ago, it was responding like https://lkf.realmemobile.com/ in the browser: "Whitelabel Error Page..." etc.

Maybe they're geoblocking you, but that error does not suggest it.

Through a VPN, the same thing. Users began to complain that permission to unlock in the deeptest stopped coming on Chinese smartphones. Or maybe they just don't have a stable server?

amigaser commented 1 year ago

Can I send a request to the Chinese server through your script to check the possibility of unlocking for a specific model?

turistu commented 1 year ago

Whitelabel Error Page... etc.

I can get a 405 Method not allowed page looking like that by going to https://lk.realmemobile.com/realme/v1/acquireClientStatus

Can I send a request to the Chinese server through your script to check the possibility of unlocking for a specific model?

Yes.

$ perl deeptesting-junk.pl url https://lk.realmemobile.com/realme/v1/ model RMX3474 cmd applyLkUnlock imei some_random_junk
{"resultCode":-1002,"msg":"该机型不支持申请"}
    # RMX3474 not supported, try RMX3370
$ perl deeptesting-junk.pl url https://lk.realmemobile.com/realme/v1/ model RMX3370 cmd applyLkUnlock imei other_random_junk
{"resultCode":0,"msg":"SUCCESS"}

Of course, try with some other random junk for the imei than other_random_junk or they'll tell you to wait 30 days before submitting another application for the same device ;-)

NB: the model should be ro.product.name, not ro.product.model (e.g. RMX3393RU, not RMX3393)

amigaser commented 1 year ago

I sent such a command perl deeptesting-junk.pl url https://lk.realmemobile.com/realme/v1/ model RMX3687 cmd checkApproveResult and received unlockCode with ...00000000000210000000000000000000000000000000RMX3370######### Why did RMX3370 come back? The script does not have this number.

with some other random junk

What should be the other random junk?

turistu commented 1 year ago

I sent such a command perl deeptesting-junk.pl url https://lk.realmemobile.com/realme/v1/ model RMX3687 cmd checkApproveResult and received unlockCode with ...00000000000210000000000000000000000000000000RMX3370######### Why did RMX3370 come back? The script does not have this number.

Because you (or someone else) ran the

perl deeptesting-junk.pl url https://lk.realmemobile.com/realme/v1/ model RMX3370 cmd applyLkUnlock

command before, and that's the model the server has associated with the device identified by the empty serial number and the 00 imei (the defaults from the script).

with some other random junk

What should be the other random junk?

Whatever you like; preferably something that could not be a valid realme imei.

In order not to DOS their server by filling it with crap (though they fully deserve it ;-)), run the script with the same imei and cmd closeApply afterwards.

amigaser commented 1 year ago

What is your opinion, why do some users now get permission from the Chinese server immediately, and some wait for hours or even days? What has changed? Previously, the permission came instantly for all. And from the export server they wait for weeks and do not receive permission at all? Did the servers start not working normally?

turistu commented 1 year ago

@amigaser they're probably trying all kinds of lame ad-hoc fixes and are cleaning up by hand the database where they hold the serial/imei tuples.

They will have to take the server(s) off completely, sooner or later. They're way too broken to stay online for much longer.

amigaser commented 1 year ago

The "global" server began sending permission to unlock the bootloader.

melontini commented 1 year ago

Or denials and internal server errors. 🤭

They're still sending new struct keys, sooooooooooo...

amigaser commented 1 year ago

When I ran applyLkUnlock in the script, I got my serial/IMEI bound to another model written in the script. How do I remove this binding to get the right one through the deeptest? What should I do?

turistu commented 1 year ago

... cmd closeApply with the same serial and IMEI.

amigaser commented 11 months ago

Is it possible to hack the deeptest application so that it replaces the prescribed model that comes from the server in the response structure to the model of your smartphone? Will this structure be written to oplusreserve1? And will the bootloader unlock fastboot in this case? Or is that all nonsense?

melontini commented 11 months ago

You'll lose the system signature by modifying the deeptesting app. Due to the way the key is encrypted it's not possible to modify the key without making it invalid.