Jio Phone - Finding secret codes, ROM Dump and Root [Help]

[saveNgo]

Discussion about Jio Phone - finding secret codes,  rom dump and rooting is carreid forward from Nokia 8110 4G secret codes:

So far.... What we know about Jio Phone (Qualcomm model f30C):

[A] Secret codes:

*#06# - display the IMEI (Single SIM).

*#07# - display SAR-related information.

*#2886# (*#auto#) - KaiOS MMI Test utility.

and

*#*#0574#*#* (*#*#0lri#*#*) - LogManager utility.

From available stock rom on internet, after extraction of system.img:

/system/b2g/omni.ja extracted content have "engmodeExtension.js" that contains codes: Those have already mentioned in Nokia 8110 4G secret codes threads.

None of those codes work except the 4 codes mentioned above.

Problem: Unable to find code for "enter/exit adb and debug mode". Not able to connect to Firefox WebIDE. Cannot Install KaiOS supported third party apps.

[B] Information about Recovery:

It is possible to boot into Recovery Mode: Switch off mobile. Keep pressing UP-key and Power-ON-key simultaneously. Relese Power-ON-key when KaiOS Reliance Logo shows up.

Stock recovery screen shows:

"KaiOS Recovery
qcom/msm8909_512/ms

6.0.1/MMB29M/LYF_F3

user/release-keys

Use volume up/down"

With normal stock recovery options like: "Reboot system now, Reboot to bootloader, Apply update from........"

By using recovery option: Apply Update from SD-Card and Apply Update from ADB Sideload.

(1) Tried to install OmniJB zip file.

(2) Tried to install "update.zip" provided on This Github Link.

(3) Tried to install "smith.zip" provised on This Link.

(4) Tried to install "dump_data.zip" file. (Thank you syl...@rentoo.immo )

Resutls for all zip file flashing is same and as follows:

Stock Recovery screen shows:

"failed to verify whole-file signature... Signature verification failed... Installation Aborted..."

adb sideload prompt on PC shows:

"loading: 'C:\adb\dump_data.zip' .... Total xfer: 0.00x". At the same time mobile screen shows: "Installation Aborted" and screen comes back to recovery main page.

It seems that Reliance Jio is not using .x509.pem and .pk8 key files provided by ASOP to sign OTA update.zip. They seems to be using different keys.

I have "releasekey.x509.pem" certificate extracted from system.img /system/etc/security/otacerts.zip and "verity_key" file extracted from boot.img.

But don't have private key .pk8. Hence can't create my own Update.zip and sign it with "SignAPK.jar" method...

Without ability to install zip, there is no way to mount /system or /data or /cache partitions to get useful information.

Problem: Unable to dump ROM in SD-Card or enable ADB mode like shown in Dumping the Nokia 8110 4G Firmware and This Thread.

No Custom Recovery for Jio Phone on internet so far...

[C] QDL Mode / Diagnostic Mode:

It is possible to boot into QDL Mode / Diagnostic Mode (If they are same): Switch off mobile. Keep pressing UP-key and DOWN-key and Power-ON-key simultaneously. Relese Power-ON-key when KaiOS Reliance Logo shows up.

Device Manager on PC shows "Qualcomm HS-USB Diagnostic 9092 (COM16)".

But personally, I have not worked on QDL mode so far. So limited Information.

if anyone in this forum have solutions or suggestions about Jio Phone rom-dump/rooting/modifying then they are most welcome to post.

Your help will be usefull to Jio Phone users, those are still away from joy - "the users of Nokia 8110 with jailbreak" are experiencing now....

[Gelderdrone]

Do you think I can install a stock ROM on the 8810?
And, would that add anything at all?

[saveNgo]

I quite don't understand your question. I assume your question is:Do you think I can install a stock ROM "of Jio Phone" on the "Nokia 8110"?

Well, let's say that Nokia 8110 and Jio Phone f30C are using same chipset (Qualcomm msm8905). So Theoretically one can think that it can be possible to flash one phone's firmware to other one directly.

But in reality, It is not possible. Firmwares are specific to a device; constructed with unique keys and MD5 checksum to make sure it all matches up with phone's hardware. Messing with this can make mobile hard brick. 

Also, network specific files in phone such as baseband files are specific to country's telecom spectrum so that telecom providers can recognize the device and provide appropriate cellular service.

Hence in my opinion, It is not directly possible to install stock rom of any mobile with same specification other mobile as it is.

Although, it is possible to port the firmware into other mobile if they share same chipset. There are several guides about rom and recovery porting available on internet.

(Truly speaking, I have got very less knowledge about rom porting. But I am learning more about it gradually.......)

Once you have constructed custom rom, it is possible to do all pro stuffs like rooting and adding more options in original stock recovery.........

Hey Gelderdrone, let me know if there exist official stock rom available for Nokia 8110. I would like to take a look.

[speeduploop]

I don't think that an official stock rom is available - but with an update script it's possible to dump your phone's flash.

And update scripts have full root rights - so rooting and modding of the 8110 is already possible ;)

(HMD/Nokia choosed to use the AOSP Test Keys for signing of their update.zips :D )

[speeduploop]

Just wanted to add:

KaiOS is based on an Android kernel and Android hardware abstraction layer - so even Android on Nokia 8110 would be possible.

-- if someone wants it enough to do the work needed to adjust a ROM like AOSP or Leanage --

[korpju]

http://mobilespecs.net/phone/codes/Reliance/Reliance_JioPhone.html
These codes legit?

[saveNgo]

Thank-you for the input kopju, I had tested those codes when i had purchased Jio Phone for firs time.

Sadly, apart from *#06#, none of the codes work... :-(

On Tuesday, November 6, 2018 at 1:21:49 AM UTC+5:30, korpju wrote:

http://mobilespecs.net/phone/codes/Reliance/Reliance_JioPhone.html  
These codes legit?

[Nayam Amarshe]

OmniJB is working great in September update of JioPhone F50Y. Had to factory reset for it to work, works great, except for some apps that show invalid signature. The dev mode couldn't be enabled.

[Ivan]

Hi Nayam, you need to open the application.zip file and delete the META-INF folder, then you must see if the manifest.webapp file is valid througt this website: https://jsonlint.com/ then all works fine!

If no modification is shown you must modify the "app" paramether into the metadata.json file or modify application version in the manifest to a high version.

[lyf120]

On Tuesday, November 13, 2018 at 4:28:24 PM UTC+5:30, Nayam Amarshe wrote:
> OmniJB is working great in September update of JioPhone F50Y. Had to factory reset for it to work, works great, except for some apps that show invalid signature. The dev mode couldn't be enabled.

Can you tell how can i install omnijb on jio120b qualcomm model step by step ,and can i install software updates after this.

[Nayam Amarshe]

Just boot to recovery, apply update from sd card, choose omnijb, factory reset, reboot.
I have F50Y.

[lyf120]

On Friday, November 16, 2018 at 12:47:45 PM UTC+5:30, Nayam Amarshe wrote:
> Just boot to recovery, apply update from sd card, choose omnijb, factory reset, reboot.
> I have F50Y.

and software updates will come after installing omnijb ?

[Nayam Amarshe]

They will but you won't be able to install them, signature verification fails.
But you can flash the firmwares from pc.

[lyf120]

On Friday, November 16, 2018 at 1:01:46 PM UTC+5:30, Nayam Amarshe wrote:
> They will but you won't be able to install them, signature verification fails.
> But you can flash the firmwares from pc.

can we uninstall omnijb for installing updates and than again install omnijb?

[Nayam Amarshe]

You can flash original fw for that.

[lyf120]

On Friday, November 16, 2018 at 3:20:01 PM UTC+5:30, Nayam Amarshe wrote:
> You can flash original fw for that.

how to create hotspot in jio phone ,any app for this?

[Nayam Amarshe]

I have an idea of it. Try editing the settings file in system/b2g/defaults. You must find the line that says wifi.tethering.enabled and set it to true.

[lyf120]

On Sunday, November 18, 2018 at 11:23:05 AM UTC+5:30, Nayam Amarshe wrote:
> I have an idea of it. Try editing the settings file in system/b2g/defaults. You must find the line that says wifi.tethering.enabled and set it to true.

how to edit settings?

[saveNgo]

After pointing out by Nayam Amarshe that omniJB is working on JioPhone F50Y, I have given try to JioPhone F30C (Both are Qualcomm Variants).

But results are still negative. Stock Recovery screen shows: "failed to verify whole-file signature... Signature verification failed... Installation Aborted..."

Hence as for now, no OmniJB on JioPhone F30C.   :-(

[Nayam Amarshe]

Maybe you can extract the signature files from your firmware. Try searching for the name of the keys it uses for flashing ota.

[speeduploop]

BTW: just saw in a tear down video that at least the F30C has a serial COM port on it's motherboard... could be a backdoor -- those USB2Serial-Thingies are cheap ;)

[saveNgo]

Thanks speeduploop, I have almost forgot about serial port. I will git it a try in future.

If port points are accessible without opening screws of mobile then it is fine.

Because if the seal on screw is torn by unauthorized person (i.e. other than Jio Service) then warranty of device will be void...

[lyf120]

Need proper post/tread for jio phone root, adb and omnijb intallation.

[AdvancedHACKERniV1]

Jio Phone F50Y has a SECOND SIM SLOT!!!!!

[Nayam Amarshe]

wtf!! Where? How?

[AdvancedHACKERniV1]

Goto the "official update" topic.

You'll find it there

On Saturday, November 24, 2018 at 3:58:22 PM UTC+5:30, Nayam Amarshe wrote:

wtf!! Where? How?

[saveNgo]

AdvanceHACKERniV1 have posted /system dump of Jio Phone F50Y in "Getting ADB working on the Jio Phone" thread.

I have examined the files of /system and found out that  /system/etc/security/otacerts.zip contains OTA varification key named: 'testkey.x509.pem'.

This key is exactly identical to the testkey provided by KaiOS github repository and Android ASOP keys. This is the reson JioPhone F50Y users are able to flash custom update.zip through recovery.

In my case. Jio Phone F30C  /system/etc/security/otacerts.zip contains following key: "releasekey.x509.pem"

I have compared this key with KaiOS and ASOP provided keys. No match at all.

It means I require "releasekey.pk8" and "releasekey.x509.pem" (already available from system.img extraction of Jio Phone F30C Stock rom) to make my own custom update.zip.

Attached is "releasekey.x509.pem" certificate key for reference.

Can anyone help me to find the mentioned keys?? Any suggestions??

[Nayam Amarshe]

Try this:
https://github.com/coreboot/vboot/blob/master/tests/devkeys/android/releasekey.pk8?raw=true

[Hossain Mohammed Shoaib]

how can it work

On Monday, November 26, 2018 at 5:49:00 PM UTC+6, Nayam Amarshe wrote:

Try this:
https://github.com/coreboot/vboot/blob/master/tests/devkeys/android/releasekey.pk8?raw=true

[Nayam Amarshe]

Use the pem and pk8 to sign zips

[saveNgo]

Thank you Nayam, I have tried the key provided by you. Results are Negative. Signature Verification Failed...

Till now, I have tried test-keys provided by Chrome OS (vboot), Sony Open Device, 'priv_keys' on github, 'android_vendor_friendly-arm-kitkat' on github. Each mentioned repository contains releasekey .pk8 and .x509.pem. Nome of them matches with releasekey.x509.pem of JioPhone F30c.

Can anyone provide me "releasekey" related to FireFox OS/ KaiOs/ AOSP Android 6.0.1 ?

Any other suggestions are also welcome.... :-)

[speeduploop]

The whole idea of a releasekey is that no one (but the vendor) knows it ;)

[Nayam Amarshe]

The only solution is porting cwm recovery, which is easy.
The hard stuff is getting the recovery to flash

[saveNgo]

You are correct speedloop. Theoretically, releasekeys or any other keys those are used for making OTA updates has to be kept secret. For security reasons, it is essential. I can understand.

We have insufficient information but as far as we know: Jio has release around 12 variants of Jio Phone. Only F50y users have reported that they can use testkeys provided by KaiOS git repo for jailbreaking. How come Jio have maintained strong security about F30c and not for F50y? Strange....

But at least due to their mistake many things have came into picture about Jio Phone tweeks and hacks. These information will surely help me in future...

Till then, searching for appropriate "releasekey.pk8" key file and waiting for suggestions...

[saveNgo]

It seems that getting suitable 'releasekey.pk8' is hard task. So another possible approach:

boot.img from stock rom of Jio hone F30c has "verity_key" file. After analyzing that file, it comes to my attention that verity_key from boot.img is similar to verity_key from Android AOSP. (at-least this has got matched)

My querry is:

Is it possible to gain root access by modifying boot.img? If possible then how? Any precautions / risks ? ........

[speeduploop]

If I remember correctly verity is part of system-file-integrity... which would be an other topic.

And: the main problem on Jio is that it has no server (adb, telnet, whatever) to connect to --> even with root you wouldn't have a 'door' in ;)

(so you need to root AND create a 'door')

[Nayam Amarshe]

adb shell
mount data
echo -n 'mtp,adb' > /data/property/persist.sys.usb.config

Verify options are not present before do it: adb shell "grep 'persist.service.adb.enable' /system/build.prop"

adb shell
mount system
echo '' >> /system/build.prop
echo '# Enable ADB' >> /system/build.prop
echo 'persist.service.adb.enable=1' >> /system/build.prop 
echo 'persist.service.debuggable=1' >> /system/build.prop
echo 'persist.sys.usb.config=mtp,adb' >> /system/build.prop 

Can you convert this into an update.zip script?

[speeduploop]

In the system-image from Jio (at least F50Y) there is no adb-binary... and you can't enable what doesn't exist ;)

So you need a bigger patch - including adbd or telnet or whatever.