Huawei P smart oeminfo - Huawei P Smart Questions & Answers

Hello everyone,
I have this FIG-LX1 rooted.
I want to debrand it to c432 and I have the oeminfo.bin.
How do I flash the oeminfo or change it?

Hello!! Can you share your c432 oeminfo file please? If I can change the oem info, I'll give you how to make it. I have a tutorial and I don't find the oeminfo file...

Hi, I need oeminfo c432. Please, can you share with me?
Thanks

Is me sharing my oeminfo useful, if I'm currently running a Treble Pie GSI (unofficial)?
FIG-LX1 (L31 board) previously .148 c432 here

Lots of people need those oeminfo files to rebrand their phone, share them please :crying:

I hope this is the right file - copied it from
Code:
/dev/block/platform/hi_mci.0/by-name/
Edited until I know I don't share personal data

..

sun75 said:
Sorry, maybe I'll be wrong... (please correct me!): sharing YOUR oeminfo, you are sharing YOUR imei, mac addresses, serial numbers, etc. I'm wrong?
Holy cow - can someone please confirm/deny?
I just saw some other threads, where users shared theirs and I assumed it's safe...

..

sun75 said:
I saw too, but in my oeminfo backup there are many "&token=" and "&hmac=" that, I THINK, are unique for each device... MAYBE I'M WRONG!!!:angel:
---
EDIT:
Interesting things I'm seeing on my oeminfo backup viewing with an hex editor:
- All the Fw installation history, status, checksum, starting from .146 -> to .162 (latest)
- All the IMSI (service provider) you connected to...(Fw by Fw)
- My Device keys (but not, apparently serials, mac, etc, that are in the NVME partition... just done a dd of some partitions not contained in the update.app).
- Apparently Imeis are in the modemnvm_* partitions (reading other forum posts) stored in crypto format.
So, yes, as for the first two points, I'd suggest not to share it.
First off, thanks again for pointing this out and alerting me!
But - I think it's safe to share - awaiting confirmation from a guy, I consider as being an Android Guru (https://forum.xda-developers.com/p1...v-lxx-toolkit-one-t3771015/page2#post77872714).
Using a HexEditor, I only found info related to the latest 2 FW updates I applied (can't remember how many I actually went through, but surely more than 2) - other than that, I can only find the generic SIM/Network Operator identifiers mentioned under IMSI (not my full IMSI), and those hmac and &token keys (which I think are related to the OS).
I also assume, there wouldn't be a Q&A section dedicated to sharing oeminfo/custom.bin files with others in the thread I linked above, if it was not safe.
Edit: Can you please give me more info about the "device keys" you mentioned, how to find them (I also didn't get the "dd of some partitions" part of your reply) - Thanks in advance
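
A way to check an oeminfo dump for the kinds of data discussed above before posting it, written as an added example that is not part of the original thread. It looks only for plain-ASCII "&token=" / "&hmac=" parameters, 15-digit identifiers (IMEI or IMSI length) and MAC addresses; the sample bytes are constructed, and a clean result does not cover values stored encrypted or in binary form.

```python
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    offset: int   # byte offset inside the dump
    kind: str     # what the match looks like
    masked: str   # preview with all but the first two characters hidden


# "&token=" / "&hmac=" parameters: printable ASCII up to the next "&" or non-text byte.
PARAM = re.compile(rb"&(token|hmac)=([\x21-\x25\x27-\x7e]{4,})")
# Exactly 15 ASCII digits: the length of both an IMEI and an IMSI.
DIGITS15 = re.compile(rb"(?<![0-9])[0-9]{15}(?![0-9])")
# Colon- or dash-separated MAC address.
MAC = re.compile(
    rb"(?<![0-9A-Fa-f:-])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:-])"
)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check that valid IMEIs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: bytes) -> str:
    """Keep two characters so the report itself can be posted without leaking."""
    text = value.decode("ascii")
    return text[:2] + "*" * (len(text) - 2)


def scan_dump(data: bytes) -> List[Finding]:
    """Return every suspicious plain-text identifier in the dump, ordered by offset."""
    found = []
    for m in PARAM.finditer(data):
        found.append(Finding(m.start(), m.group(1).decode() + "_param", mask(m.group(2))))
    for m in DIGITS15.finditer(data):
        # Luhn-valid 15-digit runs look like an IMEI; the rest may be an IMSI.
        kind = "imei_candidate" if luhn_ok(m.group().decode()) else "imsi_candidate"
        found.append(Finding(m.start(), kind, mask(m.group())))
    for m in MAC.finditer(data):
        found.append(Finding(m.start(), "mac_address", mask(m.group())))
    return sorted(found)


# Constructed sample, not taken from any real device.
SAMPLE = (
    b"\x00" * 16
    + b"ver=FIG-LX1&token=ABCDEF1234567890&hmac=deadbeefcafef00d\x00"
    + b"\xff" * 8
    + b"490154203237518\x00"      # Luhn-valid test number
    + b"262021234567890\x00"      # 15 digits, fails Luhn
    + b"00:11:22:33:44:55\x00"
)

if __name__ == "__main__":
    # Pass a dump path as the first argument, or run without one to scan SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for f in scan_dump(data):
        print(f"0x{f.offset:08x}  {f.kind:<15} {f.masked}")
```

Any finding is a reason to inspect that offset in a hex editor before the file leaves your machine.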

..

mega nz/#!0skClZxR!8nEuqKVhEYvBdLMo6VzjcIQwmCS6YrYG8EHr7UuKui0
I don't know if you guys still need it

So it's wrong or safe?

..

sun75 said:
I don't know... but I know for sure (please read the entire first thread on this subject https://forum.xda-developers.com/huawei-p-smart/how-to/how-to-root-huawei-p-smart-fig-lx1-t3752705 ) that, no matter if you are unlocked, you will relock your BL and your unlock code will be invalid (because different oeminfo!).
So before doing anything I'll suggest:
- Go back to an earlier firmware with HuRu < June update (because it seems that from August patch DC-Unlocker is out of games!).
- Original Recovery (if something goes wrong... you will not have a Twrp not bootable!)
- Ask more info to someone who already did it!! <----
- 99% you have to pay DC-unlocker to reunlock.... with a different code, but you have a very old firmware, haven't you?
Good luck!
I understand, anyone to tell us the instruction? How we can do it?

I'm willing to write a guide on how to debrand, if anyone still needs clarification

Related

Recovery Image needed

Of course, as old veteran, I had to play with my shift. And playing for me means, get deep into that thing.
So I unhid the recovery partition and backed it up. I created a recovery DVD and tested it.
After, I enabled the full capacity of the HDD and ran the recovery. Everything went fine and Vista was back up.
I then formatted the beast again and installed ubuntu...again, no problem.
But then, to my shock, I couldn't run the recovery DVD anymore. Maybe carelessly, I dropped something on its surface and now it gives me a read error and breaks off the recovery. I used ImageX.exe to verify the Xvista.wim, but it confirmed that the wim was not valid.
Too bad, but now I don't have a recovery possibility.
I hope someone can help me. I am able to provide my 100mbit ftp for up and downloads.
Recovery
I am also looking for an English recovery image.
I found a nice tool which can mount *.WIM files as a standard drive or folder. With this tool it's easy to modify the XVISTA.WIM and the BOOT.WIM.
All I need now is a working recovery partition.
I want to slipstream a Vlite version of Vista and see if I can get it all working.
HTC Service is a nightmare
I installed the Vista manager, trying to speed up the boot time, but it crashed Vista. When I try to use F3 to recover, it shows a blue screen in the middle.
Since no recovery disc is provided, I tried to install XP instead. But I found some function keys do not work on the Shift, so I decided to send it back to HTC for fixing; it is a new computer, only a few days old. But HTC wants to charge me HK$7XXX ( US$1000 ). They said I voided the warranty terms by installing XP. What I think is that the hidden partition ( recovery ) has a problem....
I am very disappointed with them, and I will tell everyone about their bad treatment of customers.
By the way, can someone help me to get the ORIGINAL image of the hdd?
i already uploaded my (english) recovery image to someone's ftp server.
it took me several days because my upload is less than 40kbyte/s.
so I don't feel re-uploading elsewhere, but:
the image is still on the ftp.
I'll ask if he can give access to you guys.
cmonex said:
i already uploaded my (english) recovery image to someone's ftp server.
it took me several days because my upload is less than 40kbyte/s.
so I don't feel re-uploading elsewhere, but:
the image is still on the ftp.
I'll ask if he can give access to you guys.
That would be great...I can move it to my server and make it public to everyone here...
I already got the Japanese recovery dump there (Thanks very much to TokyoRob...cheers mate)
i can share my ftp
yes.. i can share my share open to public to if needed...
If an FTP would be available I would be glad to share my italian recovery image.
Italian image
kisslorand said:
If an FTP would be available I would be glad to share my italian recovery image.
I need italian recovery image I hope it's possible!!! Thanks
Problem solved, and HTC CARE ( HK ) really bad
Finally I solved the problem; maybe it can help some other users.
1. Format your HDD with Low level ( don't use quick format ) .
2. Reboot and press Shift F3....
3. All the blue screen and error won't appear again.
I am happy with it, but I spent more than 2 days solving the problem.
But I am very disappointed with Hong Kong HTC; they want to charge me US$1000 to fix the problem, and claim that I damaged the hardware and need to replace the motherboard... I just bought it a few days ago and it is under warranty.
They are really cheating customers. I hope their management will contact me at [email protected] and APOLOGIZE for their BIG mistake.
I will post to all forums and newsgroups and let the users know how they treat the customer.
First Recovery Image up
The first image file is up and can be grabbed from here.
https://phatpipez.homeftp.org/HTCShift/
Thanks to TokyoRob, who kindly sent me the image file.
It's a 3GB bin file, dumped by using Pof's guide, which can be found here
http://pof.eslack.org/blog/2008/04/...re-the-vista-recovery-partition-on-htc-shift/
***I believe the language is Japanese,*** IT'S IN ENGLISH!!!!! but I already created a patch to change a fresh installation to any desired language.
More about this later.
I would appreciate it, if someone could send me another recovery image
and also the /Program Files/HTC folder.
unfortunately the guy who has the ftp hasn't replied to me yet and I don't want to give out the login info without permission.
in the worst case, if you can guarantee the image will indeed be public for a long while, then I can take the pain to upload it again to whatever server you give me a login to.
still no reply from this guy I mentioned; but someone else also has the english recovery partition (in 7z, yuck!) on a server, this is not public, but I asked him to PM you all. please do not give out the login info he gives to you.
cmonex said:
still no reply from this guy I mentioned; but someone else also has the english recovery partition (in 7z, yuck!) on a server, this is not public, but I asked him to PM you all. please do not give out the login info he gives to you.
Do you want me to change 7z?
You don't like it?
I also changed my FTP to public...more info here http://forum.xda-developers.com/showthread.php?t=405220
Finger licking good...there is all you need to restore your shift.
You can even change the language.
If people need instructions, I will post them later.
Corrupt file
When decompressing Shift_Recovery_Partition_Content.7z with both 7Z or WinRar, the WIM file shows as being corrupted. Would you please repack / verify? Thanks!
jposluns said:
When decompressing Shift_Recovery_Partition_Content.7z with both 7Z or WinRar, the WIM file shows as being corrupted. Would you please repack / verify? Thanks!
Thanks for telling. Will do in a couple of hours.
Please post all related issues / questions in http://forum.xda-developers.com/showthread.php?t=405220
Since the topic of this thread is "Recovery Image needed", we could close this thread now.
It is no longer valid.

Imei nulled [problem workout]

Hi there!
Recently, there have been plenty of cases of the IMEI being changed to zero. In this sub-forum, there were already three cases ([1][2][3]), and in our local ex-USSR community there were a lot more of them. The problem comes up in an absolutely random way. In my case, it started when I tried the 'format sd-card' function built into the MIUI rom. But if you look through them, you'll find that the other cases have nothing in common. So, the conclusion is that there is a bug in Huawei internal firmware that leads to nulling the IMEI. The problem workout follows:
In our community (4pda.ru) we've found an app (it's attached) that is able to back up and restore the IMEI. We've found that the code for the IMEI backup is
dd if=/dev/block/mmcblk0p5 of=/sdcard/imeibackup/5.img
dd if=/dev/block/mmcblk0p10 of=/sdcard/imeibackup/10.img
dd if=/dev/block/mmcblk0p11 of=/sdcard/imeibackup/11.img
It reads all data from mmcblk0pXX partitions and writes it into XX.img files (images) in the imeibackup folder, stored on the sd-card. The main idea of how to restore our broken IMEI's is:
1. create the backup of IMEI using this app;
2. replace our current IMEI with our actual IMEI in these *.img files (images);
3. restore IMEI using this app;
The idea is perfect and is easy to guess, but none of these images contains the IMEI in raw form. Probably they are encrypted, and with no key to encrypt them, we would not be able to replace the current IMEI with the actual IMEI.
I will be happy to be wrong, and if any of you could help to find the IMEI string in these images (all info is in the attachment).
But there is also another way. Android SDK contains android.telephony.TelephonyManager.getDeviceId() function that returns an IMEI of the current phone. The idea is to find the body of the function (Android OS source is free-to-download, isn't it?) (it might be decrypting those partitions for further IMEI fetching) and using it, understand how to turn our IMEI into factory condition.
There might be a problem if this function only makes a RemoteProcedureCall to the phone firmware and the phone firmware actually decrypts those partitions and fetches an IMEI. In this case, we'll need some reverse engineering: we'll need to write a core module that will set hooks on the open/read_file/partition functions of our mmcblk0pXX partitions, open the stack, make a backtrace and a dump of the functions that called for them.
Actually, my programming skills are too poor both for the first easy way (find the getDeviceId() function body) and surely for reverse engineering. That's why there is a request for the xda-developers community:
If you are a Java programmer, could you please help us to find the android.telephony.TelephonyManager.getDeviceId() function body? If yes, could you please explain us its algorithm in a common language? We will be glad for any help.
for moderators: yes, i've already read all the cautions about the responsibility of IMEI change (in any purpose), thank you.
Sounds cool. Sadly I'm not a developer so I can't help. If you get this working, it could save so many devices. Mine lost imei and bricked, but this would have solved the imei problem. Good luck, hopefully you'll get it working!
Since this require dev attention, maybe u should PM stockwell/dzo/genokolar.. Or just post this in the dev section.. Its great to have one thing less to worry about when flashing phone..
I don't think it would be as easy as just hexediting the IMEI into the relevant location in the image (or at least, I hope it isn't). Remember that the IMEI is used to uniquely identify phones on the cell network so that it can be blocked if the phone is reported as stolen. For this reason it's not supposed to be easy to change, and it's illegal in some places to do it.
I know that this would be intended to be used to restore the IMEI, but it could just as easily be used to change the IMEI for stolen phones.
Forcing the response from the Java call won't do anything - it would only be used to show the number in android, and not by the hardware.
Send your phone back under warranty.
stockwell said:
I don't think it would be as easy as just hexediting the IMEI into the relevant location in the image (or at least, I hope it isn't). Remember that the IMEI is used to uniquely identify phones on the cell network so that it can be blocked if the phone is reported as stolen. For this reason it's not supposed to be easy to change, and it's illegal in some places to do it.
I know that this would be intended to be used to restore the IMEI, but it could just as easily be used to change the IMEI for stolen phones.
Forcing the response from the Java call won't do anything - it would only be used to show the number in android, and not by the hardware.
Send your phone back under warranty.
But in my case I want to restore it not change it.. so it's my right. And because some may misuse it I will not reveal how.
Sent from my u8800 using xda premium
stockwell said:
Send your phone back under warranty.
We do not mind to send the warranty, but it will not take as imei = 0
stockwell said:
Send your phone back under warranty.
Of course, it would be the simplest way to solve the problem, but in any warranty there is a clause that the warranty becomes invalid if the IMEI has been changed. We would not mind the problem and would just send our phones to warranty, but... it has become invalid, so now we need to have our IMEIs restored...
stockwell said:
Forcing the response from the Java call won't do anything
You've misunderstood me. The idea is to reveal an IMEI decryption algorithm by looking through the getDeviceId() function's body. I expect to see there something like this (func names are not real):
Code:
function getDeviceId()
{
$imei = fread(0x12345678); //some code to reveal where IMEI is stored
$imei_num = decrypt_sha1($imei, $key_to_decrypt); //some code to reveal the decryption key and method
return $imei_num;
}
Something like this may help us to write some other code to restore our broken IMEIs and warrantys, for example:
Code:
function restoreDeviceId($imei_to_restore)
{
$imei_encrypted = encrypt_sha1($imei_to_restore, $key_to_decrypt); //here we use an encryption key we discovered in prev. step
if(fwrite(0x12345678, $imei_encrypted)) return true; //here we use the mem adress we discovered in prev. step
return false;
}
Of course, I don't expect this to be as easy as in the examples above, but I'm ready to dig
PS: I've just sent an email to the Huawei support with a problem description. Hope they can help...
Kindly let me know if they reply positive ,need to restore mine too.....
Hello ppl...
I have the same problem, IMEI = 0.
I'm pretty sure that the IMEI was not in any way changed, since I can register on my network.... and supposedely that is not possible with an IMEI nulled.
By the way, I was with CM7 and also formatted the SD Card within the android system, guessing that could be the reason for that.
Related or not, I started having troubles with non working wifi and SD Card with 2.3 based roms... with original roms or FLB (2.2.2) the system works fine.
It would be very helpful to some of us if one of the Devs could take a look at this problem.
Thank you all!
stockwell, genokolar, dzo...
Can you help us ?!?!?! PLEEEEEAAAASSSSEEEEEEEEEEEEEEE
I miss my 2.3 roms
My X5 also had nulled IMEI.
Also it had WI-FI MAC address changed to new value and SD-card problems (unknown hardware on my PC and recognized as CD-drive).
The service center guy said that it is all hardware issues and the main-board is to be replaced. So it's covered by warranty (despite the fact that I admitted that I had rooted the phone and had installed a custom ROM).
Today I was notified that the phone was fixed. I'll get it back tomorrow.
I'm from ex-USSR too (Moscow).
Garry,
If the problem was hardware it wouldn't work also with 2.2.2 roms... And in fact they work perfectly.
The problem is 2.3 related... Let's see when Huawei gives an official update. They say the delay is related to... Guess? WIFI!
Sent from my U8800 using XDA App
Is it going on here?
My IMEI = 0, too
In Germany (homenetwork vodafone) I have no problems to login to the network, having phone calls etc.
Now I'm in Sweden and I can't login to any network here. Or, I am logged in not correctly 'cause I see the signal is changing, but I can only do emergency calls. In the status the network provider is unknown.
Today I was in Copenhagen, Denmark and there I was able to login to TDC A/S and had a phone call - I received SMS...as usual
So what is that? -.-
nrdl said:
Garry,
If the problem was hardware it wouldn't work also with 2.2.2 roms... And in fact they work perfectly.
The problem is 2.3 related... Let's see when Huawei gives an official update. They say the delay is related to... Guess? WIFI!
Yes stock ROM (2.2) was almost working (some issues with USB access from PC). Custom ROMs (2.3) and most other of Huawei ROMs (2.2) all had broken WIFI and PC USB access. It's not just 2.3 issue it looks for me like different appearances of one bug. I think it happened because of some hardware issue.
Does ToolBox5iromV1.0.4.2.apk work?
ufukyayla said:
Does ToolBox5iromV1.0.4.2.apk work?
I've read about it but google translate is giving me a headache.. But i think the Chinese community have tool to backup IMEI n restoring them..
izzoe said:
I've read about it but google translate is giving me a headache.. But i think the Chinese community have tool to backup IMEI n restoring them..
The question about this is that you had to have made a backup before... which didn't happen... most users don't even notice their IMEI is now 0.
me too,IMEI is 0
So will this problem be a problem without any solution forever???
in theory, if we could edit backup img to our original imei... solution would be simple...
Just need the help of some devs or programmers to be able to edit that file. ;-)
Sent from my U8800 using XDA App

Let's figure out how to flash firmware.

As many of you probably know, the traditional way to flash firmware in a Huawei phone is to obtain the UPDATE.APP file, and place it in the /dload/ folder of the SD card.
With the Mate 9, this no longer works. The update fails, even if the update package is correct.
I'd like to bring everyone's brains together to figure out the new, correct way to flash an update. My guess is that it should be on the internal storage somewhere, since the Mate 9 Porsche will not have SD card slot. However, I've tried both the update.zip files and the update.app files in / and /dload/ and nothing seems to work.
If anyone can try and make a successful install, it will be a big breakthrough, so please, everyone, try!
Here are some firmware download links to try:
Chinese version
MHA-AL00C00B125 Full
http://update.hicloud.com:8180/TDS/data/files/p3/s15/G1356/g77/v66549/f2/full/update.zip
MHA-AL00C00B115 Full
http://update.hicloud.com:8180/TDS/data/files/p3/s15/G990/g77/v65571/f3/full/update.zip
European Version
MHA-L29C900B115
MHA-L29C432B115
http://update.hicloud.com:8180/TDS/data/files/p3/s15/G1356/g77/v66711/f2/full/update.zip
The error I get when flashing makes me think it's down to the file version being used?
I can copy an update.app to the dload folder and using *#*#2846579#*#* and Software update it appears to validate the file, at least that an update.app file exists and then boots into the updater, where it fails at 5%. From memory, my Mate 8 would act the same if I tried to flash an older update.app file?
UPDATE: I can confirm that even with the same firmware version as the phone is on you cannot flash it by putting the update.app in the /dload folder, even though it does look like it finds the file. I'm wondering if we will see the same symptoms if we had a newer than B125 firmware to try.
duraaraa said:
As many of you probably know, the traditional way to flash firmware in a Huawei phone is to obtain the UPDATE.APP file, and place it in the /dload/ folder of the SD card.
With the Mate 9, this no longer works. The update fails, even if the update package is correct.
I'd like to bring everyone's brains together to figure out the new, correct way to flash an update. My guess is that it should be on the internal storage somewhere, since the Mate 9 Porsche will not have SD card slot. However, I've tried both the update.zip files and the update.app files in / and /dload/ and nothing seems to work.
If anyone can try and make a successful install, it will be a big breakthrough, so please, everyone, try!
Here are some firmware download links to try:
Chinese version
MHA-AL00C00B125 Full
http://update.hicloud.com:8180/TDS/data/files/p3/s15/G1356/g77/v66549/f2/full/update.zip
MHA-AL00C00B115 Full
http://update.hicloud.com:8180/TDS/data/files/p3/s15/G990/g77/v65571/f3/full/update.zip
European Version
MHA-L29C900B115
MHA-L29C432B115
http://update.hicloud.com:8180/TDS/data/files/p3/s15/G1356/g77/v66711/f2/full/update.zip
I have found a way to load firmware. It's very tricky, but it works. You need to spoof huawei's servers, so it's not something someone with low technical skills can do, unfortunately. Also, so far, loading older firmwares causes a forced reboot once the system boots up. I think it's to do with Huawei Account or Fingerprint, so hopefully I will resolve this within a few hours and report more.
duraaraa said:
I have found a way to load firmware. It's very tricky, but it works. You need to spoof huawei's servers, so it's not something someone with low technical skills can do, unfortunately. Also, so far, loading older firmwares causes a forced reboot once the system boots up. I think it's to do with Huawei Account or Fingerprint, so hopefully I will resolve this within a few hours and report more.
I think it's best to wait for the Euro C432B122 rom, it should come very soon.
I don't have a Mate 9 (yet), but looking through the code it looks as if it should be able to load the UPDATE.APP from a usb device (via an OTG cable) - /usb/dload/UPDATE.APP. Did anyone try that?
Found something here
http://www.carbontesla.com/2016/11/download-huawei-mate-9-b122-firmware-update-mha-l29-europe/
Maybe it helps.
dancrow said:
Found something here
http://www.carbontesla.com/2016/11/download-huawei-mate-9-b122-firmware-update-mha-l29-europe/
Maybe it helps.
Seems like a scam site as many others
-Edit- It seems Huawei pulled this build as i read on another forum.
gee2012 said:
Seems like a scam site as many others
-Edit- It seems Huawei pulled this build as i read on another forum.
Huawei pulls every build that is not linked to hisuite site. Most be legit links but Huawei is on top of it.
intruda119 said:
Huawei pulls every build that is not linked to hisuite site. Most be legit links but Huawei is on top of it.
Here is a working L29 B122 downloadlink i found on the android-hilfe forum https://www.hidrive.strato.com/lnk/0KFjlD4J but the update failed installation
Aah well, we'll get the update soon I guess.
Would be awesome to be able to get the european rom to work without any limitations on the chinese phone. I would love to help you guys, but my skills are very limited and hope you guys find a way that's doable for most of us
Huawei didn't pull the build. It's a DNS problem. It's only on their server in China, and isn't on their amazon co-located servers.
Set in your hosts file:
Code:
14.215.9.39 update.hicloud.com
And magically, the link works!
Can't be installed, though. With the Mate 9, I've tried HiSuite USB flashing (fails), flashing from dload folder (fails) and flashing from eRecovery (only thing that's worked.)
I've even unpacked a full rom image to try and reverse engineer how the dload folder works, but all I get is:
Code:
/sdcard/dload/au_temp.cfg
/sdcard/dload/UPDATE.APP
/sdcard/dload/update_cust.app
/sdcard/dload/update_vendor.app
/data/media/0/dload/update_cust.app
/data/media/0/dload/update_vendor.app
/data/update/dload/UPDATE.APP
/data/update/dload/update_cust.app
/data/update/dload/update_vendor.app
/usb/dload/UPDATE.APP
/usb/dload/update_cust.app
/usb/dload/update_vendor.app
And I've tried most of those locations, and while the update.app is found, it doesn't want to flash. Even though it's willing to flash the exact same stuff in update.zip format via eRecovery.
The only other way is overriding the OTAs, but it actually has a pretty strict security check at the end for approval with some nifty encrypted text, so we're screwed there too.
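
For anyone auditing a PC or router for overrides like the hosts entry above, here is one way to flag hosts-file lines that pin the update hostnames named in this thread. This is an added example, not code from the thread; the watch-list suffix and every sample line except the 14.215.9.39 entry are constructed.

```python
import ipaddress
from typing import Iterator, List, Tuple

# Parent domain of update.hicloud.com and query.hicloud.com (the hosts named in the thread).
WATCHED_SUFFIXES = ("hicloud.com",)

# Constructed hosts file; only the 14.215.9.39 line comes from the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# 14.215.9.39 update.hicloud.com
14.215.9.39 update.hicloud.com
192.0.2.10 Query.HiCloud.com. mirror.lan   # constructed entry
203.0.113.5 update.hicloud.com.example.net
203.0.113.6 nothicloud.com
not-an-ip update.hicloud.com
"""


def parse_hosts(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, ip, hostname) for every valid mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            # Strip an IPv6 zone id (fe80::1%eth0) before validating the address.
            ip = ipaddress.ip_address(fields[0].split("%")[0])
        except ValueError:
            continue                             # first field is not an IP address
        for name in fields[1:]:                  # one line may carry several aliases
            yield line_no, str(ip), name.lower().rstrip(".")


def find_update_overrides(text: str,
                          watched: Tuple[str, ...] = WATCHED_SUFFIXES
                          ) -> List[Tuple[int, str, str]]:
    """Return hosts entries that statically resolve a watched update domain."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        # Match the domain itself or a true subdomain, not look-alike names.
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((line_no, ip, name))
    return hits


if __name__ == "__main__":
    for line_no, ip, name in find_update_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} pinned to {ip}")
```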
I would like to know whether the dload method still works with an SD card or not? Has anyone with a Mate 9 and an SD card in the slot already tried this?
New Firmware EU version
MHA-L29C432B126
changelog ::
http://update.hicloud.com:8180/TDS/data/files/p3/s15/G1366/g104/v68165/f1/full/changelog.xml
download link ::
http://update.hicloud.com:8180/TDS/data/files/p3/s15/G1366/g104/v68165/f1/full/update.zip
OnimushaPooh said:
I would like to know whether the dload method still works with an SD card or not? Has anyone with a Mate 9 and an SD card in the slot already tried this?
The dload method no longer works. The update.app file is recognized but install always fails. HiSuite USB flash also doesn't work. Only confirmed way in is hijacking erecovery.
duraaraa said:
Only confirmed way in is hijacking erecovery.
I have just discovered that dload indeed fails. Could you elaborate / give some clue on how this "hijacking erecovery" is working?
Thanks a lot for your support.
dehnhaide said:
I have just discovered that dload indeed fails. Could you elaborate / give some clue on how this "hijacking erecovery" is working?
Thanks a lot for your support.
I wrote about it in this thread. You trick the phone into connecting to a fake query.hicloud.com and direct it to the firmware you want to download.
duraaraa said:
I wrote about it in this thread. You trick the phone into connecting to a fake query.hicloud.com and direct it to the firmware you want to download.
OK. I got that. But I have the whole update.zip package already downloaded. Is there any way I can flash it?! Sorry if I sound noob but this is my first Huawei Mate and am new to their firmware flashing approach.
Thanks.
Sent from my MHA-L29 using Tapatalk
Pleeez!
duraaraa said:
Huawei didn't pull the build. It's a DNS problem. It's only on their server in China, and isn't on their amazon co-located servers.
Set in your hosts file:
Code:
14.215.9.39 update.hicloud.com
And magically, the link works!
Can't be installed, though. With the Mate 9, I've tried HiSuite USB flashing (fails), flashing from dload folder (fails) and flashing from eRecovery (only thing that's worked.)
I've even unpacked a full rom image to try and reverse engineer how the dload folder works, but all I get is:
Code:
/sdcard/dload/au_temp.cfg
/sdcard/dload/UPDATE.APP
/sdcard/dload/update_cust.app
/sdcard/dload/update_vendor.app
/data/media/0/dload/update_cust.app
/data/media/0/dload/update_vendor.app
/data/update/dload/UPDATE.APP
/data/update/dload/update_cust.app
/data/update/dload/update_vendor.app
/usb/dload/UPDATE.APP
/usb/dload/update_cust.app
/usb/dload/update_vendor.app
And I've tried most of those locations, and while the update.app is found, it doesn't want to flash. Even though it's willing to flash the exact same stuff in update.zip format via eRecovery.
The only other way is overriding the OTAs, but it actually has a pretty strict security check at the end for approval with some nifty encrypted text, so we're screwed there too.
C'mon @duraaraa, please elaborate how the update.zip or its contents can be flashed from erecovery!!! Please... you've got me all tangled with this "Only confirmed way in is hijacking erecovery.".
Thanks for your help.
dehnhaide said:
C'mon @duraaraa, please elaborate how the update.zip or its contents can be flashed from erecovery!!! Please... you've got me all tangled with this "Only confirmed way in is hijacking erecovery.".
Thanks for your help.
If you want a simple explanation, here is how eRecovery works.
1. The phone sends a request to query.hicloud.com on port 80, asking for what firmware it should download.
2. query.hicloud.com sends it information about what firmware it should download, including a URL
3. The phone sends a permission request to download the files to huawei's servers. Then, the phone downloads and parses the URL plus /full/filelist.xml and gets a list of files. If it sees files which match the region of the phone, it recognizes it as a valid update, and begins downloading the files.
4. Before the install starts, the phone contacts query.hisuite.com again to confirm that it's allowed to install. If it receives permission, the phone checks the MD5 of the files it downloaded, then unzips the three files (an update, a public, and a regional file. Three zip files) The phone then tries to install them. If there is an issue (mismatch, not signed, etc.) it spits out an error and fails. If everything passes the test, it installs.
So my method of entry is emulating query.hicloud.com and update.hicloud.com to provide the phone with whatever zip files I want.
duraaraa said:
If you want a simple explanation, here is how eRecovery works.
1. The phone sends a request to query.hicloud.com on port 80, asking for what firmware it should download.
2. query.hicloud.com sends it information about what firmware it should download, including a URL
3. The phone sends a permission request to download the files to huawei's servers. Then, the phone downloads and parses the URL plus /full/filelist.xml and gets a list of files. If it sees files which match the region of the phone, it recognizes it as a valid update, and begins downloading the files.
4. Before the install starts, the phone contacts query.hisuite.com again to confirm that it's allowed to install. If it receives permission, the phone checks the MD5 of the files it downloaded, then unzips the three files (an update, a public, and a regional file. Three zip files) The phone then tries to install them. If there is an issue (mismatch, not signed, etc.) it spits out an error and fails. If everything passes the test, it installs.
So my method of entry is emulating query.hicloud.com and update.hicloud.com to provide the phone with whatever zip files I want.
Thanks for the explanation @duraaraa! Shall I understand that both query.hisuite.com and update.hicloud.com share the same 14.215.9.39 IP?
I have only seen the IP (14.215.9.39) for update.hicloud.com? Is there a different one for query.hicloud.com? I need to know to be able to correctly modify the /etc/hosts on my router.
Thanks for your support.

I would like to mod/hack this. Help please? any and all appreciated.

I got a smartwatch from a friend; they said they bought it at Walmart. Someone posted a code to type into the dialer, and I got this info from it:
LD991A_BSC_A1_LX7789_9304_CAM3A01_LANGA_V2.2
[BRANCH]:
11CW1352MP
MTK61D_BTDIALER_11C
BUILD:BUILD_NO
SERIAL#:
[BUILD TIME]
2016/11/08 12:15
[MRE VERSION] - 266923472
HAL_VERNO:
Also, how would I go about getting the IMEI for this thing? Do I need to put some SIM card in it before it will give me that? I'd like to do... whatever I can to this thing, most specifically though, change the watch faces. It has a computerized analog clock; I'd rather it show some sort of nifty digital...
Edit: it was *#8375# that showed that info
Look at this: https://forum.xda-developers.com/sm.../readback-extractor-mtk6260-firmware-t3289272
Be careful to take a full recovery dump before anything else !!!
What model is it?
defdefred said:
Look at this: https://forum.xda-developers.com/sm.../readback-extractor-mtk6260-firmware-t3289272
Be careful to take a full recovery dump before anything else !!!
What model is it?
That's the thing, with it being Chinese with English language, I'm not completely sure. The info there says it's "A1", and it matches the watches called that on YouTube. So, I guess?
Eve_brea said:
That's the thing, with it being Chinese with English language, I'm not completely sure. The info there says it's "A1", and it matches the watches called that on YouTube. So, I guess?
If it's an "A1" clone I'm very interested in your firmware !!!
I trashed mine stupidly before having the full dump completed and now I'm stuck with another ROM that causes my screen/touch screen to be inverted!
You need to install the MTK usb drivers under micro$oft windows + the flash tool https://drive.google.com/file/d/0B_hRh3DjuBoeeUk3azBBU0ZvSXc/view?usp=sharing
The first thing to do is a "readback" backup => you will get a 4MB dump of the firmware. Keep it safe!
If you want to try the "test ram" feature, be careful to suppress the NOR test (because it will destroy your firmware).
You can use the config file from https://drive.google.com/drive/folders/0B_hRh3DjuBoeZktTVXJrWms1U1k to feed the flashtool, but don't "download" or "format", it will destroy your firmware!
defdefred said:
If it's an "A1" clone I'm very interested in your firmware !!!
I trashed mine stupidly before having the full dump completed and now I'm stuck with another ROM that causes my screen/touch screen to be inverted!
You need to install the MTK usb drivers under micro$oft windows + the flash tool https://drive.google.com/file/d/0B_hRh3DjuBoeeUk3azBBU0ZvSXc/view?usp=sharing
The first thing to do is a "readback" backup => you will get a 4MB dump of the firmware. Keep it safe!
If you want to try the "test ram" feature, be careful to suppress the NOR test (because it will destroy your firmware).
You can use the config file from https://drive.google.com/drive/folders/0B_hRh3DjuBoeZktTVXJrWms1U1k to feed the flashtool, but don't "download" or "format", it will destroy your firmware!
Well, if I can pull out a copy of the files, I don't mind sharing them. However, I'm not going to do it if there's nothing useful to me. Are there files to do anything to my watch? Can I change the faces as I want? Add other apps? Unlock the device? It has a SIM card slot; I ordered a card from the free company "freedompop" that I plan to try in it, but I'm not sure how it's going to go.
Concerning watch faces, it is easy, thanks to Golem, for MT6260 models => https://forum.xda-developers.com/smartwatch/other-smartwatches/watch-vxp-files-t3437311
But it is still ongoing / difficult / maybe impossible for MT6261 models with 4MB ROM / 32 MB RAM.
What is your model (check with the Flashtool / RAM test and don't forget to uncheck the box for the NOR test)?
Once you have a correct backup, you may try other firmware (with other faces) => https://drive.google.com/folderview?id=0B_hRh3DjuBoeblBsakZfUWFCeGM&usp=sharing
Note that only a few will work due to the hardware variety of clones.
defdefred said:
If it's an "A1" clone I'm very interested in your firmware !!!
I trashed mine stupidly before having the full dump completed and now I'm stuck with another ROM that causes my screen/touch screen to be inverted!
You need to install the MTK usb drivers under micro$oft windows + the flash tool
The first thing to do is a "readback" backup => you will get a 4MB dump of the firmware. Keep it safe!
If you want to try the "test ram" feature, be careful to suppress the NOR test (because it will destroy your firmware).
I used *#8375# on the one I just got and came up with the exact match to what OP posted.
Managed to get a Readback on the ROM and formed a backup with the flashtool.
Posted to my Google Drive if you can download and look at it:
/ file/ d/0ByCO5YTrx3QBWWRqRTJyQVFub3M/ view?usp=sharing
Hope this helps since you were interested. If I need to do something else to it, please let me know username at gmail...

[Help] FSC script found, do you want to add it?

Hi,
Please be kind to answer a few queries below.
Here is what I did (and fear may have done something incorrectly):
So I downloaded a firmware using latest flashtool (0.9.25.0)
Then following advice here I deleted the fwinfo.xml file
Then during Tools=>Bundles=>Create, skipped all TA files (again following advice on above link)
When flashing the generated ftf file I got a pop-up saying FSC script found, I clicked Yes -- this thread shows screenshot
The flashing went fine. It was Oreo Central Europe CE1.
---
Now about to flash Pie, I opened the fsc file before doing anything and it has steps like:
Code:
Write-TA:2:2212
Write-TA:2:2316
Write-TA:2:2330
Write-TA:2:2473
Write-TA:2:2486
Write-TA:2:2553
flash:LTALabel:elabel-H8216-row-demo_201803120045218.1_51.1.A.2.183_X-FLASH-LTALABEL-B6B5.sin
set_active:a
Write-TA:2:10021
Write-TA:2:10100
This worried me.
Q 1: What happened when I flashed Oreo, and the FSC script ran these commands? Did it wipe/write zeroes to the TA DRM keys?
Q 2: If I am safe, and my TA keys are OK, how do I check? My Service Menu=>Service Tests=>Security is attached
Q 3: In Service Menu=>Configuration the part about Available Speech Codecs is missing (please see screenshot) -- I see it in my Z3c, but not in my XZ2 now (not sure if it was there before I flashed Oreo)
Q 4: When I now flash Pie, should I skip FSC when prompted as this guy says for M2?
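An added example (not part of the original post, and not Flashtool's own code): a small Python audit of an FSC script such as the excerpt quoted above, listing every TA write, flashed image and slot change so the script can be reviewed before the prompt is answered. Reading `Write-TA:2:2212` as partition 2, unit 2212 is an assumption, and `watch_units` is a hypothetical parameter for unit numbers the reader wants flagged.

```python
# Lines copied from the FSC excerpt quoted in the post above.
FSC_SAMPLE = """\
Write-TA:2:2212
Write-TA:2:2316
Write-TA:2:2330
Write-TA:2:2473
Write-TA:2:2486
Write-TA:2:2553
flash:LTALabel:elabel-H8216-row-demo_201803120045218.1_51.1.A.2.183_X-FLASH-LTALABEL-B6B5.sin
set_active:a
Write-TA:2:10021
Write-TA:2:10100
"""

def audit_fsc(text, watch_units=frozenset()):
    """Classify each FSC line; anything not understood lands in 'other' for manual review."""
    report = {"ta_writes": [], "flashed": [], "slots": [], "watched": [], "other": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(":")
        args = rest.split(":")
        if cmd == "Write-TA" and len(args) == 2 and all(a.isdecimal() for a in args):
            # Assumed layout: Write-TA:<partition>:<unit>, both decimal.
            part, unit = int(args[0]), int(args[1])
            report["ta_writes"].append((lineno, part, unit))
            if unit in watch_units:
                report["watched"].append((lineno, part, unit))
        elif cmd == "flash" and len(args) >= 2 and all(args):
            label, _, image = rest.partition(":")
            report["flashed"].append((lineno, label, image))
        elif cmd == "set_active" and len(args) == 1 and args[0]:
            report["slots"].append((lineno, args[0]))
        else:
            report["other"].append((lineno, line))
    return report

if __name__ == "__main__":
    # 99999 is a constructed unit number, used only to show a watchlist miss.
    result = audit_fsc(FSC_SAMPLE, watch_units={10021, 99999})
    for lineno, part, unit in result["ta_writes"]:
        flag = "  <-- on watchlist" if (lineno, part, unit) in result["watched"] else ""
        print(f"line {lineno}: TA partition {part}, unit {unit} (0x{unit:X}){flag}")
    print("flashed:", result["flashed"])
    print("slot changes:", result["slots"])
    print("needs manual review:", result["other"])
```

The report only says which units the script touches; what each unit holds has to come from device documentation or a TA backup.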
Why don't you use newflasher?
Okay I just heard its name the second time. I'll read and try it.
But any comment to my questions? Anything odd in screenshots? Have I messed up?
Pandemic said:
Why don't you use newflasher?
Something to be concerned about Newflasher?
arslanon.e said:
Something to be concerned about Newflasher?
No, works like a charm.
Pandemic said:
No, works like a charm.
Thank you, and with your experience, can you tell if my DRM keys are intact?
Is it normal that the Speech Codecs part and the entries for SOMC Fido and SOMC Attest keys are missing?
Or is it that you don't know?
