This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and bootloader access on our Droid Turbo 2 devices.
My approach here is to establish a collection of "Zero Day Bugs": security flaws found in our devices that would put our OS at risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely, so zero-day flaws found in 2014 or early 2015 were likely patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Exploit found for Turbo 2 that can grant root access
Given the widespread impact of this exploit, it is likely other device owners are going to try to implement this exploit as well. Please post here if you find any implementations for other devices as it may be usable for the Turbo 2.
It has been confirmed that Quadrooter can exploit the Turbo 2: http://www.zdnet.com/article/quadrooter-security-flaws-affect-over-900-million-android-phones/
Four vulnerabilities (CVE-2016-2059, CVE-2016-2504, CVE-2016-2503, CVE-2016-5340)
And just an FYI:
"ALLOW OEM UNLOCKING" DOES NOTHING ON THE DROID TURBO 2
windraver said:
This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and bootloader access on our Droid Turbo 2 devices.
My approach here is to establish a collection of "Zero Day Bugs": security flaws found in our devices that would put our OS at risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely, so zero-day flaws found in 2014 or early 2015 were likely patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
I have installed one-click root (I got it through another site, not from them) and it sometimes says failed to root, but other times it goes through the process, says it's done and to reboot, but when rebooting it does not have root. I have tried running other apps, like King Root, Root Genius, or half a dozen others, to get it to root after getting one-click to say it has rooted it. Not sure if this will help or not, and honestly, I'm to the point where I'm ready to give up and do something different. I WILL NEVER buy another Verizon phone, ever! I may not drop them as a carrier, but I won't be keeping their crappy locked junk.
brannonwj said:
rant
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
not a rant
Techn0Luigi said:
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
That wasn't a rant about how I didn't do any research. It was what I did that might lead to someone having an idea of how it might help.
Don't be a jerk.
mr_verystock said:
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
Can you explain the QHSUSB_DLOAD more?
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader: 1 starts TZ, 2 something else, and by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match the magic key (.hex) then booting fails. Most of the stuff turns off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that are used to boot (so in this case, you may be able to bring over something that damages the TZ transistor, thereby unlocking the bootloader). What you bring over exactly for the bootloader unlock hasn't been discovered, even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contain the root blocks, and the bootloader doesn't know a thing.
Bring over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
They rooted the phone in China, they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
mr_verystock said:
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader: 1 starts TZ, 2 something else, and by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match the magic key (.hex) then booting fails. Most of the stuff turns off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that are used to boot (so in this case, you may be able to bring over something that damages the TZ transistor, thereby unlocking the bootloader). What you bring over exactly for the bootloader unlock hasn't been discovered, even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contain the root blocks, and the bootloader doesn't know a thing.
Bring over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
I'd like to see a Verizon phone rooted. That is the version I have and most in the U.S. have as well.
Sent from my XT1585 using Tapatalk
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
The Godless app is a hack that steals your data. If it did work (which, from what I understand, it only does on 5.1 and below), you'd risk your personal and financial data being stolen and sold.
Alaadragonfire said:
They rooted the phone in China, they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
Any luck in contacting the seller on how it is rooted?
I'm sure they use stolen Lenovo/Motorola factory development "engineering" software which unlocks the bootloader. It's the same phone as the Moto X Force but with locked down bootloader.
There were similar Droid Turbo phones being sold with unlocked bootloader a year ago in China, months before the Sunshine exploit was found.
gizzardgulpe said:
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
I don't have my DT2, but here is a link to one of the apps in case someone wants to try:
https://apkpure.com/summer-flashlight/com.foresight.free.flashlight?hl=en
I'm usually just lurking here and grab Roms and exploits when they pop up, but I have something to add. Has anyone unlocked the developer settings? There's a toggle named 'oem unlocking' with a subtext of 'allow the bootloader to be unlocked'. Does this mean the bootloader can be unlocked? Last Verizon phone I had was a g3 and only way to gain a faux unlock was to use 'bump' to install twrp. Could this be possible with the turbo 2? I'm not a coder or anything, but just trying to add to the think tank here
This setting does nothing.
damkol said:
This setting does nothing.
There really should be a sticky saying "ALLOW OEM UNLOCKING DOES NOTHING ON THE DT2"
Droid turbo 2
After spending countless hours trying to unlock my bootloader to root my phone, I'm at an impasse. I've been told the Verizon and AT&T models aren't able to be unlocked. I will keep trying to get around this to root and install custom ROMs, if anyone has any tips.
Rhydenallnight said:
After spending countless hours trying to unlock my bootloader to root my phone, I'm at an impasse. I've been told the Verizon and AT&T models aren't able to be unlocked. I will keep trying to get around this to root and install custom ROMs, if anyone has any tips.
Crack the case, hook up some leads (microscope) and dump the memory for the bootloader is the only thing I can think of. Don't know if that is even possible with that memory. It's probably integrated with other stuff.
Sent from my XT1585 using Tapatalk
Update: Oh yeah, it's encrypted. Guess that won't work.
Found something. Does anyone know if this vulnerability exists on the Droid Turbo 2?
CVE-2015-1805
http://www.computerworld.com/articl...itical-android-root-vulnerability-itbwcw.html
There is a proof of concept out there. Has anyone tried it?
https://github.com/dosomder/iovyroot
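A triage script, as an added example that is not part of any post in this thread: given the text of `adb shell getprop`, it reports which of the CVEs named above (CVE-2015-1805 and the four Quadrooter bugs) the build's declared Android security patch level predates. The CVE-2015-1805 date is the 2016-03-18 supplemental Nexus bulletin; the four Quadrooter dates are assumptions from memory of the 2016 bulletins, marked as such in the code, and the getprop excerpts are constructed, not captured from a device. A level at or after the fix date only means Google shipped the fix, not that this OEM kernel carries it, so the strongest verdict is "possibly exposed".

```python
"""Patch-level triage for the root CVEs discussed in this thread.

Added example, not code from the thread. Reads `adb shell getprop` text and
compares ro.build.version.security_patch against the first Android security
patch level that carried each fix.
"""
import re
from datetime import date

# CVE -> first Android security patch level that carried the fix.
FIX_DATES = {
    "CVE-2015-1805": date(2016, 3, 18),  # pipe iov overflow (iovyroot); 2016-03-18 supplemental bulletin
    "CVE-2016-2059": date(2016, 5, 1),   # ASSUMPTION: Qualcomm ipc_router, 2016-05 bulletin; verify
    "CVE-2016-2503": date(2016, 7, 1),   # ASSUMPTION: Qualcomm GPU driver, 2016-07 bulletin; verify
    "CVE-2016-2504": date(2016, 8, 1),   # ASSUMPTION: Qualcomm GPU driver, 2016-08 bulletin; verify
    "CVE-2016-5340": date(2016, 9, 1),   # ASSUMPTION: Qualcomm ashmem, 2016-09 bulletin; verify
}

GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]\s*$")


def parse_getprop(text):
    """Parse `[key]: [value]` lines from getprop into a dict; ignore anything else."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def patch_level(props):
    """Declared security patch level as a date, or None.

    The property only exists from Android 6.0, so a Lollipop build (sdk 22,
    which the Turbo 2 shipped with) declares no level at all.
    """
    try:
        return date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return None


def triage(props, fix_dates=FIX_DATES):
    """Sort each CVE into possibly_exposed / likely_fixed / unknown for this build."""
    level = patch_level(props)
    verdicts = {"possibly_exposed": [], "likely_fixed": [], "unknown": []}
    for cve, fixed in sorted(fix_dates.items()):
        if level is None:
            verdicts["unknown"].append(cve)
        elif level < fixed:
            verdicts["possibly_exposed"].append(cve)
        else:
            verdicts["likely_fixed"].append(cve)
    verdicts["patch_level"] = level
    verdicts["model"] = props.get("ro.product.model", "?")
    return verdicts


# Constructed getprop excerpts (not captured from a real device).
LOLLIPOP_BUILD = """\
[ro.product.model]: [XT1585]
[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
"""
MARSHMALLOW_BUILD = """\
[ro.product.model]: [XT1585]
[ro.build.version.release]: [6.0.1]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2016-02-01]
"""
PATCHED_BUILD = MARSHMALLOW_BUILD.replace("2016-02-01", "2016-10-01")

if __name__ == "__main__":
    for label, text in (("5.1.1", LOLLIPOP_BUILD), ("6.0.1 Feb-2016", MARSHMALLOW_BUILD),
                        ("6.0.1 Oct-2016", PATCHED_BUILD)):
        v = triage(parse_getprop(text))
        print(f"{label} ({v['model']}): level={v['patch_level']} exposed={v['possibly_exposed']} "
              f"fixed={v['likely_fixed']} unknown={v['unknown']}")
```

Run it with `adb shell getprop | python3 triage.py` style piping after swapping the samples for `sys.stdin.read()`; the point of the `unknown` bucket is that a 5.1.1 Turbo 2 gives you nothing to compare against, and the only honest answer there is to check the kernel version and the specific driver sources rather than a date.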
Does anybody have any information about how to modify the HBOOT image, or installing an entirely different boot image (e.g. Das U-Boot) onto this device? Or on any device? I've searched various forums for posts regarding HBOOT but not finding any regarding this.
I recently found my G2 (and G1!) buried in storage. I'd forgotten how much I enjoyed using them, especially the G2. I did the root thing, installing TWRP and a KitKat-based ROM, but it is terribly slow, not least of which for its reported 384M usable RAM.
I like to think I've got a pretty good idea as to how Android devices (generally) boot up, and was thinking I've got a fair amount of practice under my belt building my own Linux kernels, and how I'd really like a Raspberry Pi (or variant), but this device already has everything I'd need for a "SBC"-style device.
If I could slap Das U-Boot on there, I think it'd be pretty easy to (try to) boot a Linux kernel and shell and then figure out laboriously what to do for hardware drivers. (For that matter, what's the G2's capability re: USB OTG?) If it's a matter of making actual changes to HBOOT to tell it to load something other than Android (or kernel followed by Android), I'd be fine with researching that and then doing the laborious building an optimized kernel and drivers.
I could also be talking out my ass and have not, in fact, really understood the Android booting process. But I need a project and it would be really cool if I could work on this, I just don't really know where to look beyond what I've read. I did read one sequence where somebody reported on how they actually did a dual-boot Debian/Android setup (literal dual-boot, not a Debian chroot, which involved him modding the boot image for his LG Optimus). I haven't had time to follow through with it to be sure I can apply any of his findings to HBOOT, but I suppose that might be the best place to start.
One other thing -- if I modify HBOOT and break something, is that a brick, or can I arbitrarily swap out boot images even if they don't work? Or, more directly, will I have a means to re-burn the original image even if I were to completely wipe it? Will fastboot or adb recognize the device and be able to communicate with its filesystem? Not that I'm worried too much about bricking it, but it'd be nice to minimize that chance before I just bite the bullet and try another boot image and cross my fingers.
Hi @dwkindig,
You don't need to install a bootloader other than HBOOT to install non-Android software. For instance, I have recently ported postmarketOS to the HTC Desire Z. So if you need a project to work on, check it out. There are a lot of things you could help out with.
Hi
I am currently looking into the Asus, but other than unlocking the bootloader, I haven't found a good collection of guides for tinkering with the device. Info is a bit sporadic and directions to back out of "uh-oh" moments also look slim. I guess the whole A/B partitions thing takes a little to get my head around. I am a bit of a newbie when it comes to Asus, but I have fiddled around with Samsungs, Sonys and my soon to be replaced HTC 10. I am currently considering this device, but development and ways to mod the device look very complicated for this device. I am also looking into OnePlus and Redmi.
Due to the developmental nature of the mod software, none of it is very concise or compiled into a guide. I'm sure once more people get the phone (U.S. market) we'll see proper guides.
Believe it or not I finally figured out a workaround to unlock DIAG Port without root access on my SM-G975U1 which was quite a time consuming process, I am on the most recent ETL1 FW. Dialer codes sadly weren't part of the workaround which would've made this a single step.
My device is recognized by QPST, EFS Explorer, Service Programming, QFIL, etc., and Windows' Device Manager confirms it as 'Qualcomm HS-USB Diagnostics 90B8 (COM11)'.
During the process I took a few wrong turns, messing up my mobile data and IMS Registration, but thankfully I was able to return it to normal.
I would like to factory reset and flash with non-home CSC, but being it was such a lengthy process, I'd like to do more testing while the system is 'messy' so I don't have to flash, then test DIAG mode on a clean system then have to flash again if I make a mistake which I most likely will.
My IMEI is in no need of rescue, but does anyone have any idea if I can use any of these programs to gain further privileges to the system? I have an idea about the basic functionality of QPST, but being that I'm not root, nor have I been on a Qualcomm device, I'm not quite sure how I can take advantage of this particular opportunity to use a function that generally wouldn't benefit a root user in the same way it could potentially benefit me and other non root users.
What I'm most interested in is if QFIL can be used to flash a modified boot.img? That's definitely not the entirety of my curiosity though and would love to hear any and all advantages this could have with non rooted users.
Thank you in advance to anyone who can assist me and others who will benefit from DIAG port usage as non-root. The guide will be posted in this thread once I'm able to do some testing with QPST and its related programs, so all answers will be seen here, coming from their original poster.
On this current endeavour I could certainly use some much appreciated guidance from someone more knowledgeable on these programs. I've read about QFIL being used to flash modified boot images which gave me the idea; although that's not the only thing I'm interested in achieving.
***Mods, if there is anywhere acceptable this thread can be moved to where I'll get more replies would you please transfer?
I definitely could use some input about DIAG Mode, QPST, and QFIL and I'm not too sure this is the right place to find it.***
It looks like it is possible to load a boot image using QFIL, or eMMC and QPST Software Download, though I know there is more involved. I wonder if it's possible to inject root into stock FW, I have all the Samsung signatures that I assume would be needed.
I made some changes to the EFS using the Explorer just to have some fun with it, but now onto figuring out exactly how DIAG can benefit non-root users.
I'm guessing the lack of replies mostly has something to do with the development tax on US Snapdragon models' BL unlock.
I'm not too sure how many of us without root, if any, have successfully enabled DIAG. Any suggestions always welcome!
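What "flash a modified boot.img" means at the byte level, as an added example that is not code from this thread or from any Samsung or Qualcomm tool: the script builds a header-version-0 Android boot image the way mkbootimg lays it out, parses it back, and swaps the ramdisk (where su and init changes live) for a new one. The header's `id` field is a plain SHA-1 that anyone can recompute, so the rebuilt image is perfectly well-formed; it is not a signature, and a locked bootloader's accept/reject decision comes from its own signed-image or verified-boot check over the partition, which this code does not touch. The kernel and ramdisk payloads are constructed placeholders, and the load addresses are the mkbootimg defaults.

```python
"""Build, parse and modify an Android boot image (header v0).

Added example, not code from the thread or from QPST/QFIL. Payloads are
constructed placeholders; a real kernel is a zImage/Image and a real ramdisk
is a gzipped cpio archive.
"""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# v0 header: magic, 10 u32 fields, name[16], cmdline[512], id[32], extra_cmdline[1024]
HEADER_FMT = "<8s10I16s512s32s1024s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 1632 bytes


def _pad(data, page_size):
    rem = len(data) % page_size
    return data if rem == 0 else data + b"\0" * (page_size - rem)


def image_id(kernel, ramdisk, second):
    """mkbootimg's id: SHA-1 over each blob followed by its u32 LE length, zero-padded to 32."""
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    return h.digest().ljust(32, b"\0")


def build_boot_image(kernel, ramdisk, second=b"", page_size=2048, cmdline=b"", name=b""):
    """Lay out header page, then page-aligned kernel, ramdisk and optional second stage."""
    header = struct.pack(
        HEADER_FMT, BOOT_MAGIC,
        len(kernel), 0x10008000, len(ramdisk), 0x11000000, len(second), 0x10f00000,  # mkbootimg default addrs
        0x10000100, page_size, 0, 0,
        name, cmdline, image_id(kernel, ramdisk, second), b"",
    )
    out = _pad(header, page_size) + _pad(kernel, page_size) + _pad(ramdisk, page_size)
    if second:
        out += _pad(second, page_size)
    return out


def parse_boot_image(blob):
    """Return the components of a v0 boot image, or raise ValueError if it is malformed."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("shorter than a boot image header")
    (magic, kernel_size, _kaddr, ramdisk_size, _raddr, second_size, _saddr, _tags,
     page_size, _unused, _osver, name, cmdline, hdr_id, _extra) = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != BOOT_MAGIC:
        raise ValueError("bad magic %r" % magic)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page_size %d is not a power of two" % page_size)

    def pages(n):
        return (n + page_size - 1) // page_size

    kernel_off = page_size  # the header occupies exactly one page
    ramdisk_off = kernel_off + pages(kernel_size) * page_size
    second_off = ramdisk_off + pages(ramdisk_size) * page_size
    if second_off + second_size > len(blob):
        raise ValueError("truncated image: need %d bytes, have %d" % (second_off + second_size, len(blob)))
    kernel = blob[kernel_off:kernel_off + kernel_size]
    ramdisk = blob[ramdisk_off:ramdisk_off + ramdisk_size]
    second = blob[second_off:second_off + second_size]
    return {
        "page_size": page_size, "kernel": kernel, "ramdisk": ramdisk, "second": second,
        "name": name.rstrip(b"\0"), "cmdline": cmdline.rstrip(b"\0"), "id": hdr_id,
        "id_matches": hdr_id == image_id(kernel, ramdisk, second),  # integrity only, not authenticity
    }


def is_well_formed(blob):
    try:
        parse_boot_image(blob)
        return True
    except ValueError:
        return False


def replace_ramdisk(blob, new_ramdisk):
    """The entire 'modified boot.img' step: new ramdisk, recomputed id, everything else kept."""
    img = parse_boot_image(blob)
    return build_boot_image(img["kernel"], new_ramdisk, img["second"],
                            img["page_size"], img["cmdline"], img["name"])


# Constructed placeholders, not real images.
SAMPLE_KERNEL = b"KERNEL-PLACEHOLDER " * 250   # 4750 bytes -> 3 pages of 2048
SAMPLE_RAMDISK = b"ramdisk-stock " * 50        # 700 bytes  -> 1 page
SAMPLE_CMDLINE = b"console=ttyHSL0,115200,n8 androidboot.hardware=qcom"

if __name__ == "__main__":
    stock = build_boot_image(SAMPLE_KERNEL, SAMPLE_RAMDISK, cmdline=SAMPLE_CMDLINE, name=b"example")
    modded = replace_ramdisk(stock, b"ramdisk-with-su " * 50)
    for label, img in (("stock", stock), ("modded", modded)):
        p = parse_boot_image(img)
        print(f"{label}: {len(img)} bytes, kernel {len(p['kernel'])}, ramdisk {len(p['ramdisk'])}, "
              f"id ok={p['id_matches']}, id={p['id'][:20].hex()}")
```

Point it at a real `boot.img` pulled from a firmware package and `parse_boot_image` will tell you the page size, cmdline and component sizes; `id_matches` being true on the rebuilt image is exactly why it proves nothing to the bootloader, and why getting a DIAG/EDL path to write the partition is a separate question from getting the device to boot what you wrote.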
I've used QPST/QFIL recently to write factory firmware to an LG G7 One that had some bizarro retail demo firmware on it, so I'm a wee bit familiar with using it.
QPST/QFIL needs a programmer file (aka the firehose) that is at least specific to the SoC of the device and often specific to the SoC AND manufacturer. I don't even know if firehose files exist for Samsung devices.
Hai Karate said:
I've used QPST/QFIL recently to write factory firmware to an LG G7 One that had some bizarro retail demo firmware on it, so I'm a wee bit familiar with using it.
QPST/QFIL needs a programmer file (aka the firehose) that is at least specific to the SoC of the device and often specific to the SoC AND manufacturer. I don't even know if firehose files exist for Samsung devices.
Dude I appreciate you replying, it seems like S10+ forums are dead; besides the guys charging the developer's tax for a BL unlock.
I've seen mentions of Firehose in one or two of the programs' options themselves but didn't realize it was necessary for flashing with QFIL; I might as well grab it while it's on my mind.
In your opinion do you see any use of DIAG mode outside of flashing and IMEI restore and EFS backup?
I appreciate any help you can give me in advance man.