turistu / rmx3474-rooting

rooting the Realme 9 5G rmx3474 phone
GNU General Public License v3.0
34 stars 8 forks

Realme 9 pro plus not working #4

Open amigaser opened 1 year ago

amigaser commented 1 year ago

After updates on their server, the script no longer works for our smartphones.

pm has-feature oppo.version.exp: true
ro.product.name: RMX3393RU
ro.product.model: RMX3393
ro.build.version.ota: RMX3393_11.C.12_1120_202305050653

I managed to unlock the bootloader before their updates, but others fail. Deeptest writes "This phone model does not support deep testing." If I flash the phone to the Taiwan region, where unlocking is supported, then the deeptest passes, but fastboot in the bootloader does not unlock. When I click "Start the in-depth test," the phone reboots, writes an unlock error and boots back into the system. The request perl deeptesting-junk.pl pcb 0xHHHHHHHH imei DDDDDDDDDDDDDDD cmd checkApproveResult returns this: {"resultCode":-1006,"msg":"已成功提交审核,正在审核..."} (the msg translates as "Successfully submitted for review, review in progress...").

http://videopro.ru/unlock_fail.jpg

use the new struct
the model name is not match
the model name is not match
verify partition data fail, status = %r
fastboot_unlock_verify fail

amigaser commented 1 year ago

So you are saying that this application cannot be hacked? Is that the problem? I meant to change only the model name in the struct, not the key.

melontini commented 1 year ago

No. The app needs to be signed by Oppo to interact with system internals.

And about the key. The theory about the first part (before the serial) being a SHA-digested version of the second part seems to be correct. So, modifying either part of the key invalidates the signature.

Btw, sending a serial number stuffed with non-deadbeef characters doesn't work. The server doesn't have the 00 check and encrypts everything, but since the bootloader has that check, (I think) the key gets truncated, breaking the signature.
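To make the reasoning in the two comments above concrete, here is a toy model of the two-part key (added illustration, not Oppo's format and not this repository's code). It assumes a layout of hex(digest) + serial + model, with the digest being HMAC-SHA256 over serial + model under a secret only the server holds, a fixed 16-character hex serial, and a bootloader that hex-decodes the serial with a nibble table that maps non-hex characters to 0 and then stops at the first 0x00 byte. Every one of those details is an assumption; the point is only to show why editing the model name alone fails the digest check, and why a serial padded with non-hex characters is signed by the server but truncated (and therefore rejected) by the bootloader.

```python
"""Toy model of the two-part unlock key as this thread describes it.

Added illustration, not Oppo's format or the repository's code. Assumed:
key = hex(digest) + serial + model, digest = HMAC-SHA256 over
serial + model under a server-only secret, serial = 16 hex characters.
The bootloader's "00 check" is modelled as hex-decoding the serial with a
nibble table that maps non-hex characters to 0, then stopping at the first
0x00 byte (C-string semantics). All of these are assumptions.
"""
import hashlib
import hmac

SERVER_SECRET = b"constructed-server-secret"   # stand-in for the real signing key
SERIAL_LEN = 16                                  # assumed fixed-width hex serial field
DIGEST_LEN = 64                                  # hex length of a SHA-256 digest


def digest(payload: bytes) -> str:
    """Keyed digest the server places in front of the payload (assumed)."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def server_issue(serial: str, model: str) -> str:
    """Server side: no 00 check, it signs whatever serial it is handed."""
    payload = serial.lower() + model
    return digest(payload.encode()) + payload


def _nibble(c: str) -> int:
    """Firmware-style lookup: a non-hex character silently becomes 0."""
    return int(c, 16) if c in "0123456789abcdefABCDEF" else 0


def bootloader_parse_serial(serial_hex: str) -> bytes:
    """Hex-decode the serial field, then stop at the first NUL byte."""
    raw = bytes(
        (_nibble(hi) << 4) | _nibble(lo)
        for hi, lo in zip(serial_hex[0::2], serial_hex[1::2])
    )
    return raw.split(b"\x00", 1)[0]


def bootloader_verify(key: str, device_model: str) -> bool:
    """Bootloader side: the model name must match, then the digest must match."""
    sig, rest = key[:DIGEST_LEN], key[DIGEST_LEN:]
    serial_hex, model = rest[:SERIAL_LEN], rest[SERIAL_LEN:]
    if model != device_model:
        return False                       # "the model name is not match"
    parsed = bootloader_parse_serial(serial_hex).hex()   # shorter than the field if truncated
    expected = digest((parsed + model).encode())
    return hmac.compare_digest(sig, expected)   # False means "fastboot_unlock_verify fail"


def demo() -> dict:
    """Three cases from the thread: genuine key, edited model name, non-hex serial."""
    genuine = server_issue("deadbeef0badcafe", "RMX3474")
    # Edit only the model name inside the key so it matches another device.
    edited = genuine.replace("RMX3474", "RMX3393")
    # Pad the serial with non-hex characters; the server signs it regardless.
    stuffed = server_issue("deadbeefzzzzcafe", "RMX3393")
    return {
        "genuine": bootloader_verify(genuine, "RMX3474"),
        "edited_model": bootloader_verify(edited, "RMX3393"),
        "stuffed_serial": bootloader_verify(stuffed, "RMX3393"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'unlock' if ok else 'fastboot_unlock_verify fail'}")
```

In the "stuffed_serial" case the serial `deadbeefzzzzcafe` decodes to `de ad be ef 00 00 ca fe`; the bootloader stops at the first `00`, hashes `deadbeef` + model, and the digest the server computed over the full string no longer matches.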

amigaser commented 1 year ago

Thank you, I got it. No chance. :)

amigaser commented 1 year ago

With the code *#6776# I can see "Manifest: Image". Can someone explain where Manifest and Image come from? From which partition, section or file? I am especially interested in Image.

pohui commented 1 year ago

Is there any decryption done on the server side? What if we simulate the server or do some man-in-the-middle?

turistu commented 1 year ago

With the code *#6776# I can see "Manifest: Image". Can someone explain where Manifest and Image come from? From which partition, section or file? I am especially interested in Image.

The first is the region/country code in hex (ro.build.oplus_nv_id; see a list here) from my_manifest/build_prop.

The second is a similar country code, but obtained from the modem via the RIL ("radio interface layer"). I have no idea where the modem stores that data ;-(

amigaser commented 1 year ago

I have no idea where the modem stores that data ;-(

Maybe in nvram? This is the most interesting thing, because it does not change after flashing to another region. Thank you for the information.

P.S. The "Image" region code is in nvram (nvdata), in the first eight bytes of the AllFile file, as ASCII.
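A small check that follows from the two comments above, comparing the "Manifest" code from build_prop with the "Image" code stored at the start of the nvdata AllFile (added example, not part of the original thread or the repository). It assumes the codes are directly comparable strings once upper-cased, that build_prop is ordinary key=value text, and that you already have the AllFile contents; the sample build_prop and AllFile bytes are constructed placeholders, not real region values.

```python
"""Compare the two region codes that *#6776# displays as "Manifest" and "Image".

Added illustration, not the repository's code. Assumes, as the thread states,
that "Manifest" is ro.build.oplus_nv_id from my_manifest/build_prop and
"Image" is the first eight ASCII bytes of the nvdata AllFile. Obtaining those
files is out of scope; the sample contents below are constructed.
"""

NV_ID_PROP = "ro.build.oplus_nv_id"


def manifest_region(build_prop: str) -> str:
    """Read ro.build.oplus_nv_id from build_prop text (key=value lines)."""
    for line in build_prop.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == NV_ID_PROP:
            return value.strip().upper()
    raise KeyError(f"{NV_ID_PROP} not found in build_prop")


def image_region(allfile: bytes) -> str:
    """Take the first eight bytes of the AllFile dump; require printable ASCII."""
    head = allfile[:8]
    if len(head) != 8 or not all(0x20 <= b < 0x7F for b in head):
        raise ValueError(f"AllFile does not start with 8 printable ASCII bytes: {head!r}")
    return head.decode("ascii").strip().upper()


def regions_match(build_prop: str, allfile: bytes) -> bool:
    """True when the flashed firmware's region equals the region the modem stores."""
    return manifest_region(build_prop) == image_region(allfile)


# Constructed sample data: a build_prop excerpt and the start of an AllFile dump.
SAMPLE_BUILD_PROP = "ro.product.model=RMX3393\nro.build.oplus_nv_id=0000ABCD\n"
SAMPLE_ALLFILE_SAME = b"0000ABCD" + b"\x00" * 24
# The modem keeps its own code, so after a region reflash the two can differ.
SAMPLE_ALLFILE_OTHER = b"00001234" + b"\x00" * 24

if __name__ == "__main__":
    print("same region:", regions_match(SAMPLE_BUILD_PROP, SAMPLE_ALLFILE_SAME))
    print("after region flash:", regions_match(SAMPLE_BUILD_PROP, SAMPLE_ALLFILE_OTHER))
```

The ASCII guard in image_region is there because a dump taken from the wrong offset or a corrupted file will usually start with binary data rather than a code, and silently decoding that would produce a meaningless comparison.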

melontini commented 8 months ago

There's been a new development.

A certain version of deep testing can be modified to do basically anything you want (with the system uid). I'm not sure how useful that is outside of writing old codes to oplus_reserve, but here https://xdaforums.com/t/discussion-a-thread-to-collate-and-share-what-is-known-about-unlocking-fastboot-on-oppo-devices.4490041/post-89323153