Sigma S3500 Skai


Шрек KEK

Oct 19, 2019, 11:29:21 AM
to comp.mobile.nokia.8110


Root --
Loader --
ADB works only via sideload

Some files~
The latest patch from the developer, but it is not installed: https://drive.google.com/open?id=1llw26YxvpBeA7X3F28ahGo--iQJrtE2K


Maybe it is possible to do something with the backup and change root rights?

Or change the repository when updating via Wi-Fi

Luxferre

Oct 19, 2019, 12:29:07 PM
to comp.mobile.nokia.8110
Thanks for the info. Already got the device, will look into it tomorrow.

Luxferre

Oct 19, 2019, 2:47:34 PM
to comp.mobile.nokia.8110
OK, recovery is entered by powering on while holding #. When an exclamation mark appears, press End key once more.
Conversely, when powering on while holding *, we get into some very Chinese menu. MediaTek specific. I have yet to find out whether we get any Fastboot mode from this.

Luxferre

Oct 20, 2019, 2:44:16 AM
to comp.mobile.nokia.8110
So, here is all we know for now about sKai:

1. Based upon MediaTek MT6572, a famous 3G-only low-budget smartphone chipset from the very long past.
2. Starting retail price in Ukraine - about $40 (999 UAH).
3. Like 8110, it has no separate Back key and no dedicated volume keys.
4. Runs a heavily customized KaiOS, version 2.5.1.1. The recovery menu shows the KOT49H marking, which means it's based upon the Android 4.4.2 low-level base, and release-keys, which means that secret update signature keys are in place.
5. Supports FM radio without wired headphones, as well as recording from the radio.
6. Recovery, which is entered by powering up while holding #, exposes a custom userdata backup/restore system. The format of that backup is still unknown. It might be encrypted. However, unlike Qualcomm's KaiOS recovery, there's no way to view system logs.
7. Additional internal MTK test menu can be entered by powering up while holding *. This menu is entirely in Mandarin Chinese.
8. Among known working codes are *#06#, *#07# (SAR level, shows 0), *#auto# (KaiOS MMI test), *#testbox# (cut-down MTK Engineering menu) and *#*#0574#*#* (MTKLogger). That's all known for now until the system dumps are obtained.
9. The app:// URL trick has been fixed, so we can't view the app asset contents from browser.

Will keep updated as soon as anything new is found.

P.S. Pinned the thread as the general thread about the device. Please refrain from creating separate sKai-related threads apart from this.

Шрек KEK

Oct 20, 2019, 3:07:21 AM
to comp.mobile.nokia.8110


On Sunday, October 20, 2019 at 9:44:16 UTC+3, Luxferre wrote:
Open it as a 7zip archive or mount it in Ubuntu

Снимок.PNG

Luxferre

Oct 20, 2019, 3:39:58 AM
to banana...@googlegroups.com
OK, thanks, now I see it's a tar.gz, but with a custom 512-byte header. So yes, first we do 7z x, then we do tar xf.

And this is strange, to say the least. No, bro, this is historical. Are they saying that wiping the userdata partition will wipe IMEIs? Why is the NVRAM as a whole and IMEI database in particular stored in nvram/md/NVRAM/NVD_IMEI/MP0B_001 on the same userdata partition? Are they mad?

I know the format of this database file, I wrote a whole article about it. Let me quote the algo:

1. Take the last 12-byte block of the existing 120-byte MP0B_001 file. Invert all its bytes by XORing with 255 (0xff) and then set the last two bytes (10 and 11) to zero. This becomes the master key block.
2. Shape the first 8 bytes of an operating block (byte 0 to 7) from 15 IMEI1 digits with 0 added to the end and each pair swapped (i.e. 357369035621901 becomes [0x53, 0x37, 0x96, 0x30, 0x65, 0x12, 0x09, 0x01]).
3. XOR the operating block with the master key block. Result should be 12 bytes long.
4. Set byte 10 of the resulting block to modulo 256 sum of odd positions of first 10 bytes.
5. Set byte 11 of the resulting block to modulo 256 sum of even positions of first 10 bytes.
6. For IMEI1, write the resulting block to the position 0 of MP0B_001 file, overwriting existing bytes.
7. For IMEI2, repeat the steps 2 to 5 and write the resulting block to the position 12 of MP0B_001 file, overwriting existing bytes.

Now I know why they blocked the debug code. Because if they didn't, writing an IMEI editor for this phone would be much easier than for any Qualcomms. And yes, they do need those userdata backup/restore items in the recovery, otherwise we would lose IMEIs. What the hell.

And yes, you can modify the local/webapps directory and install everything you need there. And then restore back, but you definitely will need to find out the custom binary header they're using (whether it's a digital signature or whatever).

Going to continue the research in this direction. This is getting very interesting.
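A parser for the MP0B_001 layout described in the steps above, added here as an example; it is not code from the thread or from Luxferre's article. It reads the 120-byte file, rebuilds the master key from the tail (step 1), reverses the XOR (step 3; XOR is its own inverse), recomputes the two checksum bytes (steps 4 and 5) and undoes the digit-pair swap (step 2), so a dump can be read and integrity-checked before anyone trusts a backup of it. Points the steps leave open are taken as assumptions: bytes 8 and 9 of the operating block are zero, "odd/even positions" are 0-indexed, and the checksums are computed over the XORed bytes. The sample file is constructed, with the page's own example IMEI in slot 0 and a made-up number in slot 1.

```python
# Added example (not code from the thread or Luxferre's article): parse and
# integrity-check a MediaTek MP0B_001 IMEI database per the steps above.
# Assumptions not stated on the page: operating-block bytes 8-9 are zero,
# odd/even positions are 0-indexed, and checksums cover the XORed bytes.
from typing import List, Tuple

FILE_SIZE = 120
BLOCK_SIZE = 12
SLOT_OFFSETS = (0, 12)          # IMEI1 at byte 0, IMEI2 at byte 12


def master_key(data: bytes) -> bytes:
    """Step 1: invert the file's last 12 bytes, then zero bytes 10 and 11."""
    if len(data) != FILE_SIZE:
        raise ValueError(f"expected a {FILE_SIZE}-byte MP0B_001, got {len(data)}")
    key = bytearray(b ^ 0xFF for b in data[-BLOCK_SIZE:])
    key[10] = key[11] = 0
    return bytes(key)


def checksums(block: bytes) -> Tuple[int, int]:
    """Steps 4-5: (sum of odd positions, sum of even positions) over bytes 0-9, mod 256."""
    odd = sum(block[i] for i in range(1, 10, 2)) & 0xFF
    even = sum(block[i] for i in range(0, 10, 2)) & 0xFF
    return odd, even


def decode_slot(stored: bytes, key: bytes) -> Tuple[str, bool]:
    """Undo steps 2-3 for one 12-byte slot; returns (imei, checksums_ok)."""
    ok = checksums(stored) == (stored[10], stored[11])
    plain = bytes(s ^ k for s, k in zip(stored, key))     # XOR is its own inverse
    # undo the pair swap: 0x53 -> "35", 0x37 -> "73", ... (low nibble first)
    digits = "".join(f"{b & 0x0F}{b >> 4}" for b in plain[:8])
    return digits[:15], ok                                 # digit 16 is the padding zero


def parse_mp0b_001(data: bytes) -> List[Tuple[str, bool]]:
    """Return [(IMEI1, ok), (IMEI2, ok)] from a raw MP0B_001 dump."""
    key = master_key(data)
    return [decode_slot(data[off:off + BLOCK_SIZE], key) for off in SLOT_OFFSETS]


def backup_is_consistent(data: bytes) -> bool:
    """True only if both slots pass their checksum test."""
    return all(ok for _, ok in parse_mp0b_001(data))


# Constructed sample (not a real dump). Tail bytes are all 0x5a, so the master
# key is 0xa5 x 10 + 00 00; slot 0 holds the page's example IMEI 357369035621901,
# slot 1 a made-up 123456789012345, each already XORed and checksummed.
SAMPLE = (
    bytes.fromhex("f6923395c0b7aca4a5a5273a")       # slot 0
    + bytes.fromhex("84e6c022ac84e6a0a5a5d17b")     # slot 1
    + bytes(FILE_SIZE - 3 * BLOCK_SIZE)              # unused middle bytes
    + bytes([0x5A]) * BLOCK_SIZE                     # key source (step 1)
)
# Same file with one payload byte flipped: slot 0 must now fail its checksum.
SAMPLE_CORRUPT = SAMPLE[:3] + bytes([SAMPLE[3] ^ 0x01]) + SAMPLE[4:]

if __name__ == "__main__":
    for n, (imei, ok) in enumerate(parse_mp0b_001(SAMPLE), 1):
        print(f"IMEI{n}: {imei}  checksums {'ok' if ok else 'MISMATCH'}")
```

On a real dump, `parse_mp0b_001(open("MP0B_001", "rb").read())` is enough; a checksum mismatch on either slot is the quickest sign that the file was truncated or altered, which matters here precisely because the database lives on the same partition the recovery backs up.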

Шрек KEK

Oct 20, 2019, 4:06:46 AM
to comp.mobile.nokia.8110


On Sunday, October 20, 2019 at 10:39:58 UTC+3, Luxferre wrote:
OK, thanks, now I see it's a tar.gz, but with a custom header. So yes, first we do 7z x, then we do tar xf.
I zak some file with adb 
a.txt.zip
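The backup format as Luxferre describes it above (a tar.gz behind a custom 512-byte header), handled in Python instead of with 7z followed by tar; this is an added example, not code from the thread. It does not trust the 512 figure: it locates the gzip stream by its magic bytes and method byte, and reports the real header length for whoever goes on to study the header format. The sample backup is constructed in memory, its header marker bytes are made up, and the entry names are only illustrative.

```python
# Added example (not from the thread): list a userdata backup that is a tar.gz
# behind a custom binary header, locating the gzip stream by its magic bytes
# rather than assuming the 512-byte figure. Assumes nothing about the header.
import io
import tarfile
from typing import List, Tuple

GZIP_MAGIC = b"\x1f\x8b"


def find_payload_offset(data: bytes, max_header: int = 4096) -> int:
    """Offset of the first gzip member header within max_header bytes, else -1.
    Byte 2 of a gzip header is the compression method and is always 0x08
    (deflate), which filters out chance 1f 8b pairs inside the custom header."""
    limit = max_header + len(GZIP_MAGIC)
    off = data.find(GZIP_MAGIC, 0, limit)
    while off != -1:
        if len(data) > off + 2 and data[off + 2] == 0x08:
            return off
        off = data.find(GZIP_MAGIC, off + 1, limit)
    return -1


def list_backup(data: bytes) -> Tuple[int, List[str]]:
    """Split header from payload; return (header_length, tar member names)."""
    off = find_payload_offset(data)
    if off < 0:
        raise ValueError("no gzip stream found behind the custom header")
    with tarfile.open(fileobj=io.BytesIO(data[off:]), mode="r:gz") as tar:
        return off, [member.name for member in tar.getmembers()]


def make_sample(header_len: int = 512) -> bytes:
    """Constructed sample: a made-up opaque header (with a decoy 1f 8b pair whose
    method byte is wrong), then a tar.gz holding two illustrative entries."""
    payload = io.BytesIO()
    with tarfile.open(fileobj=payload, mode="w:gz") as tar:
        for name, body in (("local/webapps/webapps.json", b"{}"),
                           ("nvram/md/NVRAM/NVD_IMEI/MP0B_001", bytes(120))):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    header = b"FAKEHDR\x00\x1f\x8b\x00" + bytes([0xAA]) * (header_len - 11)
    return header + payload.getvalue()


if __name__ == "__main__":
    hdr_len, names = list_backup(make_sample())
    print(f"header: {hdr_len} bytes; entries: {names}")
```

For a real file, `list_backup(open("backup.bin", "rb").read())` gives the header length to hand to whoever reverses the header, and the member list shows whether the archive really covers local/webapps and nvram/ as the thread expects.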

Luxferre

Oct 20, 2019, 4:18:44 AM
to comp.mobile.nokia.8110
How did you dump it?

Шрек KEK

Oct 20, 2019, 4:25:03 AM
to comp.mobile.nokia.8110
Menu (Backup etc.)
apply update (2 or 3), I don't remember, and nothing happens
run adb with cmd.exe in the console and get the key

On Sunday, October 20, 2019 at 11:18:44 UTC+3, Luxferre wrote:

Luxferre

Oct 20, 2019, 5:38:49 AM
to comp.mobile.nokia.8110
I see, so it's not the signature key, it's ADB access key (device specific).

Шрек KEK

Oct 20, 2019, 7:56:09 AM
to comp.mobile.nokia.8110
I tried connecting Wi-Fi to Wi-Fi via Windows 7 --> Kernel Error, or sometimes it does not connect
BT FTP/OBEX (like Super Bluetooth Hack .jar) --> Kernel Error or does not connect

On Sunday, October 20, 2019 at 12:38:49 UTC+3, Luxferre wrote:
IMG_0188.JPG
IMG_0189.JPG
IMG_0190.JPG

Luxferre

Oct 20, 2019, 12:00:58 PM
to comp.mobile.nokia.8110
OK, so after wiping through the recovery, the backup data, NVRAM etc. were still intact. This means that userdata partition here is different from the internal sdcard partition.

Шрек KEK

Oct 21, 2019, 2:18:09 PM
to comp.mobile.nokia.8110
I have an idea. First use a Wi-Fi sniffer and get the User-Agent, referrer etc. Get the GET/POST to the KaiOS AppStore server. Get the updata/etc/ file. Then make a virtual server like xxx.0.0.1/blablalba/kaios/... and change the DNS IP / spoof something else. The server gives the phone new FOTA data like update.zip hash, size, autoupload etc., and then the phone uploads. Or, more easily, use the update of an installed app (like Google Search). The server itself only checks the browser and token.
But I don’t know what the phone checks for the authenticity of the repository, it may be easier to change the repository than to replace it.

Luxferre

Oct 21, 2019, 4:09:01 PM
to comp.mobile.nokia.8110
The problem here is: all update.zip files have vendor key (release-keys) signature for integrity protection. Even if we spoof the FOTA server, we can't spoof the signature unless we know the key.

Luxferre

Oct 21, 2019, 5:37:01 PM
to comp.mobile.nokia.8110
And yep, Є letter is present when Ukrainian input is selected, but on the digit 9, not 3.

Шрек KEK

Oct 22, 2019, 4:52:03 AM
to comp.mobile.nokia.8110
PRELOADER 0x0
MBR 0x1000000
EBR1 0x1080000
PRO_INFO 0x1100000
NVRAM 0x1400000
PROTECT_F 0x1900000
PROTECT_S 0x2300000
SECCFG 0x2d00000
UBOOT 0x2d20000
BOOTIMG 0x2d80000
RECOVERY 0x3480000
SEC_RO 0x3b80000
MISC 0x3bc0000
LOGO 0x3c40000
EXPDB 0x3f40000
ANDROID 0x4940000
CACHE 0x36940000
USRDATA 0x3e940000
FAT 0x97740000

Шрек KEK

Oct 22, 2019, 5:19:34 AM
to banana...@googlegroups.com
Снимок.PNG

Luxferre

Oct 22, 2019, 5:48:53 AM
to comp.mobile.nokia.8110
Can you please upload all the backups (except NVRAM partition)? And also the scatter file you used.

Luxferre

Oct 22, 2019, 5:50:55 AM
to comp.mobile.nokia.8110
Oh, I see the scatter.txt file. Now just need the system partition dumps...


Luxferre

Jun 15, 2020, 3:57:37 PM
to comp.mobile.nokia.8110
Since the vendor representative confirmed that no estimates on the updates are yet known, I continued the research on sKai.

And guess what - I found a way to enter a working Fastboot here! (thanks to the leaked preloader binary).

So, the idea is to spam the string "FASTBOOT" until getting the response "READYTOO" from the bootport (a COM port briefly opening after inserting the cable and then repeatedly short-pressing the End call key in MediaTek phones from the turned-off state).

I adapted a well-known Python 3 script to this simple purpose (see attachment). To run it, install the pyserial library, then detect the port that appears on your system after short-pressing, and then run the script like this:

python3 mtk-fastbooter.py /dev/tty.usbmodem14200

(replace /dev/tty.usbmodem14200 with your device name).

Probably this script/hack will also be useful for other MT6572-based KaiOS devices.

Now we just have to find out what the fastboot mode is capable of here. But I think the moment of truth is close.
mtk-fastbooter.py
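The handshake Luxferre describes (send "FASTBOOT" repeatedly, stop when "READYTOO" comes back), written up from that description as an added example; it is not his mtk-fastbooter.py. The protocol logic is kept apart from the serial I/O: the port object only needs pyserial-style write()/read(), and a constructed FakeBootport stands in for the preloader so the loop can be exercised without hardware, including the case where a slow port delivers the reply split across reads. The request and response strings are the ones quoted in the post; the baud rate, read timeout and attempt limit in the __main__ section are assumptions.

```python
# Added example (not Luxferre's mtk-fastbooter.py): the bootport handshake as he
# describes it, with the protocol logic separated from the serial I/O so it can
# be exercised against a constructed fake port. Baud rate, timeout and the
# attempt limit are assumptions; the request/response strings are from the post.
import sys
from typing import Protocol

REQUEST = b"FASTBOOT"
EXPECTED = b"READYTOO"


class Port(Protocol):
    """The subset of pyserial's Serial interface the handshake relies on."""
    def write(self, data: bytes) -> int: ...
    def read(self, size: int) -> bytes: ...


def enter_fastboot(port: Port, max_attempts: int = 5000) -> bool:
    """Send REQUEST until EXPECTED appears in the reply stream; False if it never does."""
    seen = b""
    for _ in range(max_attempts):
        port.write(REQUEST)
        seen += port.read(len(EXPECTED))
        if EXPECTED in seen:
            return True
        seen = seen[-(len(EXPECTED) - 1):]   # keep a tail in case the reply is split
    return False


class FakeBootport:
    """Constructed stand-in for the preloader: silent until `ready_after` writes,
    then answers READYTOO, delivered `chunk` bytes per read like a slow UART."""
    def __init__(self, ready_after: int, chunk: int = 8):
        self.ready_after, self.chunk = ready_after, chunk
        self.writes = 0
        self.pending = b""

    def write(self, data: bytes) -> int:
        self.writes += 1
        if self.writes == self.ready_after:
            self.pending = EXPECTED
        return len(data)

    def read(self, size: int) -> bytes:
        n = min(size, self.chunk)
        out, self.pending = self.pending[:n], self.pending[n:]
        return out


if __name__ == "__main__":
    import serial   # pyserial; only needed for real hardware
    dev = sys.argv[1] if len(sys.argv) > 1 else "/dev/tty.usbmodem14200"
    with serial.Serial(dev, 115200, timeout=0.05) as port:
        print("READYTOO received" if enter_fastboot(port) else "no response")
```

The short read timeout matters more than the baud rate here: the bootport exists only briefly after the key presses, so each loop iteration must return quickly enough to send the next "FASTBOOT" while the preloader is still listening, and the kept tail is what lets a reply that arrives across two reads still match.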

Luxferre

Jun 15, 2020, 4:56:17 PM
to comp.mobile.nokia.8110
Here's a more universal version of this script (mtk-bootseq.py) that also allows entering META and other modes: https://gist.github.com/plugnburn/b3b0bcfd926c48ec5373bea84ce59337

I wonder whether anyone has reversed the MauiMETA command set...

Luxferre

Jun 16, 2020, 2:20:13 AM
to banana...@googlegroups.com
Also, found the following fastboot oem commands in the UBOOT image:

fastboot oem p2u - allows redirecting the kernel output to a dedicated UART port on the board (not very useful for us)
fastboot oem reboot-recovery - allows switching to recovery (may be useful)
fastboot oem append-cmdline - allows appending kernel cmdline before typing "fastboot continue"

Also, the major inconvenience is that you have to re-insert the cable before each new fastboot command input, otherwise the connection hangs.

Luxferre

Jun 16, 2020, 3:59:54 PM
to comp.mobile.nokia.8110
Alright, so, after obtaining the stock recovery and boot images and trying to refactor them with this wonderful toolkit (aimed specifically at the bizarre MT65xx bootimage format), I found out that recovery reflashing is explicitly prohibited by the fastboot used in sKai, while boot image reflashing is not. First tests showed some success booting the altered image and even getting some root ADB access, until the ADB connection disappears altogether at some point.

So, further research will be aimed at exploiting the bootimage to create a permanent root (probably similar to what was done to CAT B35) and trying to enable the debug mode (namely, "debugger.remote-mode" setting into the "adb-devtools" value) via this mechanism. Stay tuned!

Luxferre

Jul 1, 2020, 6:50:42 PM
to banana...@googlegroups.com
And now we have the safe root for sKai and similar phones.
SHA256: a97543aa9090b0a81819167e1f4c597c97d026bd517b2471f9ee3efecd3693df

Enjoy

Luxferre

Jul 2, 2020, 1:36:22 AM
to comp.mobile.nokia.8110
Besides all the path adaptation etc, the secret seems to be in adding the external-api permission into manifest. So you need both engmode-extension and external-api permissions to enable startUniversalCommand in the sKai's KaiOS version.