Universal Jailbreak method for all KaiOS devices that use Qualcomm processors.

[AdvancedHACKERniV1]

I would like to thank all those who help me in the "How to install a KaiOS app manually" thread.

I would like to thank @Nayam Amarshe for finding the "MiracleBox2.58" cracked version link.

I would like to thank @Luxferre for creating OmniSD.

MESSING WITH FIRMWARE IS DANGEROUS STUFF!!! DO THIS AT YOUR OWN RISK. I'M NOT RESPONSIBLE FOR ANY DAMAGE / BRICKED DEVICE.

Right options selected And right output Fig.0.1

Right options selected And right output Fig.0.2

Create a new directory for the "userdata" dump to be stored Fig.0.3

                                                                                                                                               Fig.0.4

Right options selected And right output Fig.0.5

Steps for Universal Jailbreak:

1. Download "MiracleBox2.58" from https://groups.google.com/forum/#!msg/bananahackers/TBBGHSPA8dg/8wPAxy2fFwAJ
2. Download the FireHorse programmer.
3. Open MiracleBox and select "Read/format flash" tab under the "Qualcomm" tab. [Fig.0.1]
4. Connect your phone in EDL mode.
5. Ensure that "Model" is "Universal Qualcomm Method" and, the right serial port is selected.
6. Make sure that FireHose is prog_emmc_firehose_8909_ddr.mbn and the "Auto" checkbox is ticked.
7. Uncheck the "Auto Programmer" checkbox under "Files/Settings" sub heading, ensure that "Make XML" checkbox is checked, click on the "..." browse button and select the prog_emmc_firehose_8909_ddr.mbn
8. Select "Read Partitions" from the multiple choice options.
9. Click on the start button.
10. After the partitions have been read and listed, uncheck all the partitions except "userdata". [Fig.0.2]
11. Select "Read Flash" from the multiple choice options.
12. Click on the Start button.
13. A popup will appear asking for the directory to store the "userdata" and select a new empty directory. [Fig.0.3]
14. Now you must mount the ext4 "userdata" image. It's super easy to mount it on Linux but on Windows, you need additional tools that you can find online.
15. Let us assume the mount point to be "/mnt/userdata".
16. Download the "omnijb-final.zip" and extract the contents of "omnijb-distribution" to a new folder at "/mnt/userdata/local/webapps" named "omnisd.831337.xyz"
17. Copy the content of "decl.patch" into your clipboard, start editing "webapps.json" at "/mnt/userdata/local/webapps" and take your cursor to the end of the last but one curly brackets at the end of the file and paste the contents of your clipboard.
18. Change "localId" to the next number of the of the previous entry's "localId".[Incremental numbers]
19. You can change "removable" to true if you want the capability of uninstalling OmniSD.
20. Save the file.
21. Now you must download a database editor. I used "RazorSQL" on Windows.
22. Open "/mnt/userdata/local/permissions.sqlite" with your database editor. You must have an option to view the table / contents (For "RazorSQL" it is under "View" under "DB Tools")
23. Enter "moz_perms" in the popup asking the Table Name after clicking on View Table / Contents.
24. You will see all the different permissions for different apps.
25. You can right-click on one of the entries and select the "Launch Edit Table Tool" in "RazorSQL"
26. Scroll all the way down to the bottom, click on the last entry and then click on the "Insert Row" button.
27. Increment "rowid" and "id"
28. Enter "origin" the same throughout the adding new row process i.e. "app://omnisd.831337.xyz^appId=<OmniSD's localId>" without quotes.
29. Enter OmniSD's new "localId" in place of "<OmniSD's localId>" that you previously entered in "/mnt/userdata/local/webapps/webapps.json".
30. Enter "permission" the same throughout the adding new row process i.e. "1" without quotes.
31. Enter "expireType" and "expireTime" the same throughout the row adding process i.e. "0" without quotes.
32. You must create four rows like this.
33. Enter "type" as "indexedDB", "device-storage:sdcard-read", "device-storage:apps-read", "webapps-manage" without quotes each in one row.
    
34. Enter "modificationTime" as "1547284571961", "1547284571968", "1547284571974", "1547284571981" without quotes each in one row.
35. Your final entry should look like this except the "rowid" is not displayed here but it and "id" are different for your device [Fig.0.4]
36. Click on the Save / Commit / Exceute Changes to save your modifications.
37. Close the database editor.
38. Unmount the "userdata" image.
39. Your custom userdata is ready.
40. Go back to MiracleBox And select "Custom Flasher" tab under "Flashing" tab under "Qualcomm" tab. [Fig.0.5]
41. All the essential details that I've mentioned previously.
42. Uncheck the "Auto Programmer" and select "prog_emmc_firehose_8909_ddr.mbn" in the open file dialog box.
43. Select the "File to Write"'s path to the custom "userdata"'s path.
44. Select "userdata" in the "Select Partition" drop down list.
45. Check the "Write Partition" circle and click on the "Start Button"
46. Please wait patiently until the process is completed.
47. Your KaiOS device has been jailbroken!!!

[AdvancedHACKERniV1]

The device should have gone through the first boot before all this is done

[AdvancedHACKERniV1]

In brief, what is being done is:

1. Populated userdata is being extracted from the target device.
2. OmniSD is manually installed to the extracted userdata.
3. The new custom userdata is reflashed to the target device.

[AdvancedHACKERniV1]

It's also a good time to authorize ADB when you have mounted the userdata image.

Just rename adbkey.pub found at "~/.android" on your main PC into "adb_keys" and copy it to "/mnt/userdata/misc/adb" assuming you have mounted your userdata to "/mnt/userdata"

[AdvancedHACKERniV1]

Did anyone try this ?

[ochucki]

Tried without any luck :/   DORO 7060

  Connecting to Phone,Wait..
  Conncet Ok.
  CPUID:0x000940E1
  can not identify
  Manual boot: prog_emmc_firehose_8909_ddr.mbn
  Loading the boot,Wait..
  BootLoad Error. ID: 0003
>>Please change Model,Try again.

[PuriShnit]

I don't think the firehose file is universal for ANY phone, even if it has the same Qualcomm processor.

So for using EDL on the Doro, you'd need to wait until someone releases/leaks its firehose loader file...

[AdvancedHACKERniV1]

Try the auto programmer.

[Jashan Grover]

it would not work.

[Hossain Mohammed Shoaib]

i think this is not needed...
also
@advancedhacker have you got success ?

> --
> You received this message because you are subscribed to the Google Groups
> "comp.mobile.nokia.8110" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to bananahacker...@googlegroups.com.
> To post to this group, send email to banana...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/bananahackers/eecfe03d-46cd-4557-9b25-1c1434b06a37%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

[AdvancedHACKERniV1]

Yes

[AdvancedHACKERniV1]

I think the firehorse is different for each device. It can be found at the stock ROM of your device. Sadly many devices dont have a stock ROM :(

[try that]

I have downloaded the stock ROM for the Alcatel Go Flip (Alcatel 4044N) from this site: https://alcatelfirmware.com/alcatel-onetouch-go-flip-4044n  But unfortunately the firehorse file is not in there. 

Could be that the firehorse file doesn't always come with the stock ROM? or maybe it has a different name? 

Thanks for your help!

[chabad360]

If I remember correctly, I got mine from the same place and I'm 99% sure it's there. Keep looking.