Cat B35 feature phone crack?

[Tom]

Hello everybody,

is there a way to install unofficial apps on the Cat B35 phone (in particular Whatsapp)??

Thanks

[Hossain Mohammed Shoaib]

i think not

but you can try to the soft method here is it

--
You received this message because you are subscribed to the Google Groups "comp.mobile.nokia.8110" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bananahacker...@googlegroups.com.
To post to this group, send email to banana...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bananahackers/dd395b3f-ef02-4407-b774-37ef0debe088%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Ivan]

if your phone could get debug mode then is possible

*#*#33284#*#*

if no we must see through the dumps

ps: i like that phone so much, 2300 mhA of battery and ip 68 certification...it is perfect for my job and lifestyle...it was my choice if i hadn't get the 8110

[Hossain Mohammed Shoaib]

thanks Ivan

i forgot to mention that

--
You received this message because you are subscribed to the Google Groups "comp.mobile.nokia.8110" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bananahacker...@googlegroups.com.
To post to this group, send email to banana...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/bananahackers/1b4a6ac9-a010-4b23-891c-51f51b3456e8%40googlegroups.com.

[Hossain Mohammed Shoaib]

Hi Tom
i think it will help you
here 

http://mobilespecs.net/phone/codes/CAT/Cat_B35.html

[Tom]

Thanks everybody, I will look into it

Le jeudi 10 janvier 2019 18:36:57 UTC+1, Hossain Mohammed Shoaib a écrit :

Hi Tom
i think it will help you
here 

http://mobilespecs.net/phone/codes/CAT/Cat_B35.html

On Thu, Jan 10, 2019 at 8:10 PM Hossain Mohammed Shoaib <hossainmohammedshoaib01@gmail.com> wrote:

thanks Ivan

i forgot to mention that

On Thu, Jan 10, 2019 at 8:05 PM Ivan <ivan1...@gmail.com> wrote:

if your phone could get debug mode then is possible

*#*#33284#*#*

if no we must see through the dumps

ps: i like that phone so much, 2300 mhA of battery and ip 68 certification...it is perfect for my job and lifestyle...it was my choice if i hadn't get the 8110

--
You received this message because you are subscribed to the Google Groups "comp.mobile.nokia.8110" group.

To unsubscribe from this group and stop receiving emails from it, send an email to bananahackers+unsubscribe@googlegroups.com.

[AJ]

Hi everyone, just joined this great community. Planning on buying the B35 soon, almost identical hardware as the 8110, I'll keep you updated on what can be done with the phone.

[Hossain Mohammed Shoaib]

Sure we will be waiting......

On Thu, 28 Feb 2019, 16:56 AJ, <antonio...@gmail.com> wrote:

Hi everyone, just joined this great community. Planning on buying the B35 soon, almost identical hardware as the 8110, I'll keep you updated on what can be done with the phone.

--

You received this message because you are subscribed to the Google Groups "comp.mobile.nokia.8110" group.

To unsubscribe from this group and stop receiving emails from it, send an email to bananahacker...@googlegroups.com.

To post to this group, send email to banana...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/bananahackers/83353a2c-212e-41c5-9751-70efd31e5712%40googlegroups.com.

[Luxferre]

Got it not so long ago as well from a friend of my friend from Germany. So, here are my findings on B35 as of now.

1. No firmware images available for analysis. That's sad.

2. No working *#*#debug#*#* code, so no ADB as of now. Of all known codes, only *#06#, *#07#, *#auto# and *#*#0lri#*#* codes work. The latter (LogManager utility) allows you to retrieve a lot of information (see below) into the on-memory files but still no additional actions to perform.

3. We have EDL (booted with * + Power) and Fastboot (# + Power) but no recovery (I haven't found how to boot into it yet).

4. Fastboot is kinda weird here. Only a few fastboot getvar commands work, all others, including fastboot flash, return "Unknown command" on the remote end. The working getvar commands are:

fastboot getvar product
fastboot getvar version
fastboot getvar battery-voltage
fastboot getvar serialno
fastboot getvar secure (which, by the way, returns "no" which should mean the bootloading chain is not signed).

5. The navigator.engmodeExtension object is visible but its methods cannot be exploited (they are called but they almost all return NS_ERROR_UNEXPECTED), so the Pris Root method is not working here because access permissions are properly adjusted.

And now, here's the (kinda) good news. The news are - whoever gets the recovery working, wins everything - here's a string from logcat dump from LogManager utility:

[ro.bootimage.build.fingerprint]: [qcom/msm8909_512/msm8909_512:6.0.1/MMB29M/wangchenkui08161356:user/test-keys]

This means the system image (including recovery) is signed with the same test keys from Android 6.0.1 that FW12 from Nokia 8110 4G was signed with. Which means we can apply update.zip (or better dumping) patches once we get the recovery access.

Any ideas of getting to that damn recovery (if it's even present there)?

[speeduploop]

I'm quite sure the recovery is there -- question is if it's reachable... for us.

(it needs to be there because updates are pre-checked by the running system -- but then delegated to the recovery...)

I really want to get my hands on a b35 -- and will as soon as I can afford it.

[PuriShnit]

If you try to perform a factory reset from the settings, this should reboot to recovery, then you at least know there is a working recovery installed. (I think there is no reset possible without recovery).

However there's still (small?) chance that even if there is a recovery, it doesn't have the option of installing via ADB/SD card.

[Leanne saransingh]

hello,
if the * key is held for 4 seconds(enable keypad lock) and the usb is connected
four devices is enabled in device manager
1. qualcomm usb diagnostics
2. qualcomm usb composite
3. qualcomm modem
4. qualcomm wireless usb ethernet
in adition in settings there is a testBox that you can set to enable or disable
if the keypad lock is not enabled via the "*" key then the above
mentioned is not detected
will try to issue commands via terminal and give results if any

[AdvancedHACKERniV1]

What if file-integrity-check is enabled?

When my Jio Phone F50Y was running KaiOS2.0, it still accepted test-keys but when I flashed omnijb-final.zip, The phone was stuck in a bootloop as file-integrity-check was enabled.

I flashed the stock ROM to fix my phone.

But the Cat B35 has no stock ROM available online hence I strongly suggest to dump all the partitions before trying the hard jailbreak. Just in case.

[Luxferre]

Hello. Hmmm, very interesting: in a locked state, it's really showing up as 05c6:f003 device, in an unlocked state - as 05c6:9092.

But where is that testbox? How do you access it via settings?

[speeduploop]

Couldn't you just use WebIDE to launch those 'hidden' apps?

(this works for the Nokia 8110 at least...)

[Leanne saransingh]

hi,
so after updating the firmware on the cat b35 via the settings > device information > software update,
the test box item was removed and now it is only found as a notification in settings > notices > app notices
before the update however, it was an item in settings > device > device info > more information

On Thursday, 10 January 2019 09:13:58 UTC-4, Tom wrote:

[Luxferre]

If there's no ADB access, there's no WebTools access as well.

So, 05c6:f003 device is definitely a multipoint device (like the one opened in 8110 on dialing ###adbg#). And I'm trying to understand which raw USB endpoints of this device are related to diag port (I have no Faildows and can't use the QXDM as it is, but I can query it over WebUSB in Chrome).

[Luxferre]

Anyway, here's the state of interfaces I could read with WebUSB.

I'll describe the endpoints in the format "internal_endpoint_number/direction/type/blocksize_in_bytes".

Default state 05c6:9092 - 3 interfaces:

Interface 0 - 2 endpoints: 1/in/bulk/512, 1/out/bulk/512.

Interface 1 - 3 endpoints: 3/in/interrupt/10, 2/in/bulk/512, 2/out/bulk/512.

Interface 2 - 3 endpoints: 5/in/interrupt/8, 4/in/bulk/512, 3/out/bulk/512.

Now, the "keylocked" state (but if you connect it locked and then unlock, you can also get this mode) - 05c6:f003 - there is only one interface:

Interface 0 - 3 endpoints: 1/in/bulk/512, 1/out/bulk/512, 2/in/interrupt/28.

So, my main question is: which is which?

And which is the diagnostics port among these interfaces and endpoints?

[speeduploop]

Missed for a moment that adb isn't working on cat...

on 8110 I see (might help):

05c6:9091 --> device off / charging or after dialing ###adbg# and adb-debug enabled

05c6:9092 --> after ###adbg# but adb-debug disabled

05c6:900e --> adb/mtp disabled

05c6:901d --> only adb enabled

05c6:9039 --> adb+mtp

05c6:f003 --> only mtp enabled

18d1:d001 --> recovery sideload

(edit: two 909x sttes were missing)

[Luxferre]

So yep, I verified the info once again: the one that's 05c6:9092 is the composite configuration that contains diagnostics port.

But now, we need to find out which of these 3 interfaces does it use for this port:

Interface 0 - 2 endpoints: 1/in/bulk/512, 1/out/bulk/512.

Interface 1 - 3 endpoints: 3/in/interrupt/10, 2/in/bulk/512, 2/out/bulk/512.

Interface 2 - 3 endpoints: 5/in/interrupt/8, 4/in/bulk/512, 3/out/bulk/512.

(I'm describing the endpoints in the format "internal_endpoint_number/direction/type/blocksize_in_bytes".)

[Luxferre]

So, my preliminary guess is:

Interface 0 (endpoint 1 in/out) is diagnostics port;

Interface 1 (endpoint 2 in/out) is modem port;

Interface 2 (endpoints 3/4/5) is RNDIS port.

At least I'm getting something similar to valid DIAG responses from the Interface 0, endpoint 1 via Python 3.7 / PyUSB.

[Leanne saransingh]

i was able to get an "android adb interface" in device manager on windows
however it only stay connected for 30 seconds
steps to get:
1. enable readout in settings
2. with read out on take the media volume up to 15 and reduce to 8
3. with usb connected power off the phone. you will notice the screen goes blank but the

phone still remains on.
found new hardware should show android adb interface if done for the first time.
note: you will have to do a long power press to force restart the phone to get visual

display back and you can disable readout from settings.
please confirm if you can reproduce the same. thanks

On Thursday, 10 January 2019 09:13:58 UTC-4, Tom wrote:

[speeduploop]

30 seconds would be enough to send an 'adb reboot recovery' or other usefull commands...

[Luxferre]

I couldn't reproduce this.

[Luxferre]

I mean, I managed to reproduce the "hanged" state but it's still in the same 05c6:f003 (MTP-only) mode... or should we inspect composites here as well? ADB protocol is harder than diagnostics...

[speeduploop]

You should probably disable mtp for all your tests... there are devices out there which don't do mtp and adb at the same time.

[Luxferre]

Without MTP, it's constantly in 9092 mode, not in 9091, where ADB is enabled...

[Leanne saransingh]

for me mtp is disable by default

[Luxferre]

What's the VID and PID of the USB device when you manage to get ADB port?

[Leanne saransingh]

vid and pid:
USB\VID_05E8&PID_9091
i can try adding the above to the inf of the driver and see if any result
i can add to both the universal usb adb driver and the qualcomm driver and see which give best response?

[Luxferre]

Ok, so it's 05e8:9091, meanwhile mine has 05c6:9092... 9091 is the correct way, but how did you manage to get a different VID? (05e8 - ICC, Inc. - instead of 05c6 - Qualcomm)?

[Leanne saransingh]

i found it strange to also get a different vid from the normal 05C6
also the 30seconds i mentioned in a previous post now has reduce to 4-6 seconds in connected state.
could be the usb hardware defective?

[Leanne saransingh]

reason for the 05e8 is the phone was connected to an external usb controller
connecting it to the mother board usb port direct gives:
USB\VID_05C6&PID_9091
however the defect is getting worst because i have to fiddle with the usb connecter on phone to get it to detect.
may have to return to get hardware replacement.

[Leanne saransingh]

received the replacement cat b35 and the differences are:
1. there is now an option to send usage data to kaios
2. i can no longer get adb by using the read out and power off method together with the keypad lock mentioned in a previous post
3. the kaistore give apps not found when trying to install some apps via the store. example news

[Leanne saransingh]

official whatsapp is now available on the 2.51 cat b35 kaios update.
however, the phone has a slower response when navigating compared to the previous 2.5.
will try factory reset to see if it improves.

[Leanne saransingh]

question:
anybody know how to get back the messaging application to open when the left arrow is press?
in the 2.51 update from the home screen when the left arrow is press a pop up with "store, maps, assistant and youtube" is now visible instead of the message app opening.

[Luxferre]

Now I'm a bit confused. And amused!

Turns out that *+Power definitely is the recovery. But the menu is missing.

And EDL is turned on with plugging in the cable while holding * + #.

Annnnd... drum roll... first generic MSM8909 firehose I tried was successfully uploaded! I'm going to update it in the dedicated firehose thread.

Stay tuned!