Hacking the doro 7050 / 7060 / 7070 -- secret keys and what else we know...


speeduploop

Jun 24, 2019, 12:45:14 PM
to comp.mobile.nokia.8110
Hi People!

I've had my doro 7070 for quite a while now - and I'm loving it...
-- but it's quite locked up.

I now want to share what I know so far.

Bootmodes:
[Power] --> normal boot
[Power] + [Vol-Up] --> boot to recovery
[Power] + [Vol-Down] --> boot to ffbm
[Power] + [Vol-Up] + [Vol-Down] --> boot to edl
[Power] + [*] --> boot to fastboot

recovery --> release-keys - so of no use to install zips
edl --> no loader available yet - so not usable
fastboot --> crippled - most commands won't work

ffbm --> 'fast factory boot mode' (like boot to linux commandline)
--> only mode with ADB enabled - but no 'USB-Debugging' or root permissions.
It's possible to start b2g from here - but that's of no real use either.

Additional drawback: fastboot reports that the bootchain is secured...

--------------------------------------------------------------------------------

Secret codes:

- display languages -
*#0044# --> english
*#385#  --> croatian
*#0385# --> croatian
*#0420# --> czech
*#0045# --> danish
*#0031# --> dutch
*#0358# --> finnish
*#0033# --> french
*#0049# --> german
*#0030# --> greek
*#0036# --> hungarian
*#0039# --> italian
*#0047# --> norwegian
*#0048# --> polish
*#0351# --> portuguese
*#0040# --> romanian
*#0007# --> russian
*#0386# --> slovenian
*#0034# --> spanish
*#0046# --> swedish
*#0090# --> turkish

- themes -
*#8881# --> black on white
*#8882# --> white on black
*#8883# --> green on blue
*#8884# --> white on green
*#8885# --> white on blue

- fun stuff -
*#06# --> IMEI
*#07# --> SAR
*#2100# --> displays a test number for doro's emergency response service
*#*#664#*#* --> *#*#MMI#*#* KaiOS MMI Test app
*#*#258#*#* --> firmware build number
*#18375# --> additional version info
*#235543# --> LAC and CellID
*#*#76389273#*#* --> *#*#SOFTWARE#*#* - firmware version
*#610000#* --> product information app
*#13646633# --> engineer mode app - including things like a gps tracker...

*#787464# --> turn STR function on/off
*#*#0704#*#* --> factory reset (asks for confirmation)
*#*#0574#*#* --> LogManager app
*#73776673# --> toggles debug for 'doro's emergency response service'

*#34247678# --> toggles diag-mode for USB

disabled codes - will only work after enabling remote-debugging:
*#0606# --> MEID
*#8378269# --> *#TESTBOX# - should open engmode activity
*#*#2637643#*#* --> same as 'TESTBOX'
*#*#33284#*#* --> *#*#DEBUG#*#* toggles adb

--------------------------------------------------------------------------------

I couldn't find a way to enable remote-debugging - so no webide/sideloading.
- enabling it directly would need access to user-data partition
- enforcing privileged factory reset (which enables all debugging facilities) would need access to persist partition.

I tried both by scripts for on-device xpcshell (from adb shell in ffbm)
--> but got errors about missing write permissions to those partitions.
(obviously...)

There also is a serial-com as pads inside the device - but it's underneath the battery and would most probably need soldering to be used.
-- I couldn't get a working connection by just 'taping' cables down on them :)
(but it's also possible that this port is disabled - hard to say)
I don't really like the idea of soldering on my doro...

I tried some common exploits - but couldn't find a working/unpatched one yet.
(there is a quite new one for nearly all qualcomms but for this CVE there isn't an exploit available yet)

We would need either/or:
-- a way to get root - so we could enforce a privileged factory reset, which would be the cleanest way
-- write access to /data - so we could enable remote-debugging manually (firehose/emmcdownload in edl-mode would work too)
-- a way to install an app from adb-shell without usb-debugging - which then could do the reset

Best options:
-- doro enabling remote-debugging on upcoming firmware version
-- KaiOS releasing a trivial app to do a privileged factory reset for developers
(this won't happen - but would be the best way...)

At the moment the doro is quite locked down - which is sad because it's so much better than the Nokia 8110.
And it's quite different too - apps only tested/debugged on the 8110 won't work well on the doro.
The doro differs in screen-size, number of keys, handling on 'flip-close'... having only one device to develop/debug on is a really bad thing...
(we've seen that all the time the last days... people complaining about messed-up navigation because apps are developed on devices with different behaviour and/or keypad - mostly Jio vs Nokia)

So yeah - that's it... should be mostly everything known about the doro's internals...

One/two last things for people who don't know:
the doro 7070 is the 'scandinavian/home' version of the doro 7060 - which is already on KaiOS v2.5.1

Happy hacking!

speeduploop

Fan of G.K

Jun 25, 2019, 6:47:07 AM
to comp.mobile.nokia.8110
Feeling very unlucky, I want this great device 😀

Ivan Alex HC

Jul 28, 2019, 1:22:17 PM
to comp.mobile.nokia.8110
I share here all I've pulled out from my Doro 7060 system partition:


I hope this could also help other BananaHackers to find where the problem is. If there is, for example, an ADB solution under our noses and we cannot see it.

Or if, hidden in /system/bin, there is a command that only an advanced ADB expert could tell us about and that we can't know.

Thank you for your help!

Florian Brüll

Oct 18, 2019, 3:35:35 AM
to comp.mobile.nokia.8110
Is there any chance that we will see any progress for the doro 7060 in the near future?
Does doro still provide firmware updates > kaios 2.5.1?
Are WhatsApp and other kaios apps working on the 7060 out of the box?

Ivan Alex HC

Oct 18, 2019, 6:17:39 AM
to comp.mobile.nokia.8110
Is yours also branded? I have one branded TIM, it is now in assistance for a few weeks. I sent 3 e-mails to the Doro service and after having threatened to report them for misleading advertising they made themselves available for the ROM change. In the end that is the problem: the TIM logo, even if they said that the update for the TIM and Wind branded is undergoing delays.
Now I am still waiting to be contacted for the withdrawal of the device.
If you want to know if it is possible to install third-party apps, unfortunately it is currently not possible. Me and Speeduploop performed various tests. The only solution would be to get a compatible firehose for the patched data partition flash in EDL mode ... but it hasn't been discovered yet.
Doro is very strict about this, they keep us exclusive on their products.
I could recommend it to a senior if he had the WhatsApp update and no other claims, but for many other things a Nokia 2720 is 20,000 times better.
If you want to develop apps for KaiOS you must forget Doro.

Ivan Alex HC

Jun 20, 2020, 5:54:08 AM
to comp.mobile.nokia.8110
A year has passed since I took this phone and regret it

Thomas Hartung

Jun 20, 2020, 6:47:06 AM
to comp.mobile.nokia.8110
Want to trade for a 8110 ? :D 

Player Singh

Jun 20, 2020, 6:49:40 AM
to comp.mobile.nokia.8110
I am not a developer like you, but in my opinion you can try to pull out the firehose of the Doro using miracle tool 2.58 version, as I have pulled many of the backup firmware through this along with the firehose programmer.

Ivan Alex HC

Jun 20, 2020, 7:38:40 AM
to comp.mobile.nokia.8110
 I've already the 8110 as main phone, and got Doro for tests, many useless tests

On Saturday, 20 June 2020 at 12:49:40 UTC+2, Player Singh wrote:
I am not a developer like you, but in my opinion you can try to pull out the firehose of the Doro using miracle tool 2.58 version, as I have pulled many of the backup firmware through this along with the firehose programmer.

Thank you for the suggestion, but I've already tried too many solutions, without success. This is a heavily modified version of KaiOS. It's also impossible to set an mp3 as ringtone, or to move icons on the app menu. To get this phone was a waste of money and time.

G Power

Jun 20, 2020, 8:06:27 AM
to comp.mobile.nokia.8110
Even the Cache Injection is also not working on this so secured doro?

Ivan Alex HC

Jun 20, 2020, 9:09:26 AM
to comp.mobile.nokia.8110
I had the Doro for 4 months closed in a box, waiting for someone to buy it. I took it out only to go back to experimenting with the new Luxferre tools, which are more suitable for a Mediakon, not a Qualcomm. I also tried to insert the file contained in the image cache-jb.img using adb, and then using a "busybox" binary from /data/local/tmp with adb: in any case "access denied".

Now the only possible way is to get in touch with this user on Reddit, who claims to have managed to get the "Developer" menu on his Doro 7070 (which is practically the same model, DFC-0190, but sold in Sweden). It is not clear how he did it, since he did not explain it.

Luxferre

Jul 9, 2020, 10:49:33 AM
to comp.mobile.nokia.8110
Ordered 7060 from Germany. Hopefully it will arrive in the beginning of August.

As this is one of the few KaiOS phones left unhacked, I finally decided to join the research as well. But we have to get through all the crazy hoops to get such a device here, so I need to wait "a bit" more.

Any found info will be published here in the first place, so you won't miss anything. Stay tuned!

G Power

Jul 9, 2020, 11:31:34 AM
to comp.mobile.nokia.8110
You are actually ordering most unlucky expensive and secured device of KaiOS kingdom

Luxferre

Jul 9, 2020, 12:44:56 PM
to comp.mobile.nokia.8110
Exactly. Not the most expensive though - the most expensive one is Nokia 800 Tough.

But I need to see this myself.

Luxferre

Jul 9, 2020, 2:11:30 PM
to comp.mobile.nokia.8110
From the image shared by Ivan, only one vector seems to be viable: somehow start the B2G activity called internal-system-engineering-mode that contains the full rooting/privileged mode script and ADB enabler.

It can be done directly (if you manage to inject any app that can create MozActivity instances), or indirectly: by setting a number into the engineering-mode.key B2G setting (via mozSettings), and then you'll be able to run this activity by calling this number normally.

So, think along these lines. Everything else should be clear in a month or so when the device arrives to me.

PuriShnit

Jul 9, 2020, 2:26:21 PM
to banana...@googlegroups.com

Can any of these not be achieved by xpcshell (which may be run from within the device)?

Luxferre

Jul 9, 2020, 3:07:45 PM
to banana...@googlegroups.com
AFAIK xpcshell already requires a debugger socket present and active.
But if you can execute something like navigator.mozSettings.createLock().set({ 'engineering-mode.key': 1234567 }) from xpcshell, then it should be possible.

Luxferre

Jul 9, 2020, 3:34:31 PM
to banana...@googlegroups.com
Can anyone with Doro 7060 check this usecase?

1) Boot into FFBM (power + volume down)
2) connect with ADB
3) enter xpcshell on the device
4) execute this command: navigator.mozSettings.createLock().set({'engineering-mode.key': '1234567'});
5) reboot into the normal mode
6) dial the number 1234567 (press Call afterwards)
7) tell me what happens or better send the screenshot :)

PuriShnit

Jul 9, 2020, 3:55:57 PM
to banana...@googlegroups.com

If it's done from FFBM, you'd probably first need to start b2g, no?

Luxferre

Jul 9, 2020, 4:09:45 PM
to comp.mobile.nokia.8110
Probably. But if navigator object isn't available, you might try this xpcshell command line instead:

Components.utils.import("resource://gre/modules/Services.jsm");XPCOMUtils.defineLazyServiceGetter(this,"settings","@mozilla.org/settingsService;1","nsISettingsService");settings.createLock().set({'engineering-mode.key': '1234567'});

Luxferre

Jul 9, 2020, 4:45:18 PM
to banana...@googlegroups.com
My bad. We are prohibited from using the lazy service getter in sync xpcshell. The correct command string would be:

Components.classes["@mozilla.org/settingsService;1"].createInstance().QueryInterface(Components.interfaces.nsISettingsService).createLock().set('engineering-mode.key','1234567',function(){});

Or something like that. Will check tomorrow.

Ivan Alex HC

Jul 9, 2020, 5:45:03 PM
to comp.mobile.nokia.8110
Here is how we are proceeding:
adb pull /system/b2g
cd b2g
adb push libnss3.so run-mozilla.sh xpcshell /data/local/tmp
adb shell
cd /data/local/tmp
chmod 0777 ./libnss3.so ./run-mozilla.sh ./xpcshell
LD_LIBRARY_PATH=/system/b2g ./xpcshell

after this we have the JS shell

using this command

Components.classes["@mozilla.org/settingsService;1"].createInstance().QueryInterface(Components.interfaces.nsISettingsService).createLock().set('engineering-mode.key','1234567',function(){});

nothing happens.

After this I should reboot, then I have to dial 1234567 and call, but I get the "Emergency only" message.
Tried with #1234567# and I see "Connection problem or invalid MMI code".

Ivan Alex HC

Jul 23, 2020, 2:45:38 PM
to banana...@googlegroups.com
How? It is not rooted yet!
And why? It is the worst KaiOS phone ever!

On Thursday, 23 July 2020 at 20:04:39 UTC+2, OMKAR SAWANT wrote:

Hey Ivan sir can you share clean dump of doro 7060 please


Ivan Alex HC

Jul 24, 2020, 12:46:30 AM
to banana...@googlegroups.com
Everything has already been tried, including Qfil ... please don't make stupid requests, this is doubly so.
The reason? Doro is not yet rooted and even if I did it, I would do everything to replace his useless shitty rom, which is the worst of the KaiOS devices!

This thread started a year ago with the intention of freeing the Doro, and as you can see every attempt in our tests has failed! I regretted buying it! But I still try to root it.
It is not possible to install anything on the Doro to try to improve it! Nothing!

And you, Jio Phone user, who already have the privilege of being able to install OmniSD, and being the yours a Qualcomm-based model also you can install custom ROMs from the more efficient Nokia 8110, such as GerdaOS or Stock KaiOS 2.5.1... you come here with these requests? Are you crazy?

You said:
With help of qfil tool because I want port this rom of my jio phone.  For system.img backup go to hovatek YouTube channel then you will find plz give me the files
I said before:
And why? It is the worst KaiOS phone ever!
If you don't understand it and you're still asking me about Doro's ROM .... should I think you're stupid? Or not? Tell me!

I gladly ask you to make an exchange: give me your Jio Phone ( 1.300 rupees / € 15 ) and in return I give you this shitty flip phone ( € 90 / 7.740 rupees ), I think I make the deal, in terms of hackability and usability, not you.

EDIT (6 hours later):  so you insist! Then you are just an idiot!

Screenshot_20200724-104921.png

now I understand that you are another of those YouTubers who only think about making videos to attract views regardless of the quality of their content! How disgusting! As if there wasn't enough filth on YouTube. X^(

On Friday, 24 July 2020 at 04:12:46 UTC+2, OMKAR SAWANT wrote:
With help of qfil tool because I want port this rom of my jio phone.  For system.img backup go to hovatek YouTube channel then you will find plz give me the files


Ivan Alex HC

Sep 22, 2020, 8:52:39 PM
to comp.mobile.nokia.8110
Hey guys, finally I got OmniSD, Wallace and any app I want. I've already written the guide and published a video on it. You can see everything on the dedicated page of our website:

PS: jailbreak and app sideload only works in FFBM mode, but you can use OmniSD or bHacker app to sideload other apps in normal mode.
PPS: root privileges are not yet available, so we have still to use this crappy GUI, no way to edit it. However, we can still sideload third-party apps.

Have fun! :)


Luxferre

Sep 23, 2020, 12:01:49 AM
to comp.mobile.nokia.8110
Actually, yes, to sum up all the situation: apply W2D universal jailbreak to the Doro and enable the ADB & DevTools, but then install everything via FFBM mode.

The remaining task is finding the difference between how adbd gets run in FFBM mode vs. normal mode. Probably, a small helper app will be created to be able to restart adbd the way we need in the normal mode with necessary vendor keys.