Cracking the Alcatel Smartflip


Spider_

Nov 30, 2019, 5:15:43 PM
to banana...@googlegroups.com
I usually use a Galaxy, but after Google Messages wanted access to my body sensor data every time I send or receive a text message and would not go away, I decided I wanted a challenge and a fresh start. So I picked up an Alcatel Smartflip on Black Friday and got to work.

For reference, my phone's information:
  • KaiOS 2.5.2
  • Production code/Model: 4052R
  • Platform version: 48.0a2
  • Software version/build number: ZX34UA40
  • Hardware version: 04
  • Hardware revision: qcom
  • SVN: 02
This is available through Settings > Device > Device Information, but also via the codes below.

Secret codes:
  • *#*#33284#*#*: Enable USB debugging access -> ADB (T bug appears in top bar)
  • *#06#: Displays IMEI and SVN numbers
  • *#3228#: Displays internal version numbers
  • *#4636#: Production code, software version, and hardware version
  • *#8378269# (*#TESTBOX#): Testbox tools (more on this later)
  • *#2886#: Hardware MMI testing (e.g. checking whether all buttons are recognized properly by the OS)
  • *#07#: SAR Info
ADB was fairly easy to enable, but the real challenge is getting root access.

Some progress: I discovered how to enter EDL/Download mode. Hold the Power button and both volume up and down simultaneously. You'll get a warning screen instructing you to long press Vol up in order to enter Download mode. I'm now trying to interact with it with edl.py, and if anyone has ideas, let me know. I'll update with more progress.

Spider_

Dec 3, 2019, 2:31:16 PM
to comp.mobile.nokia.8110
Update: This phone is extremely locked down. Here are some roadblocks:
- KaiOS recovery mode only has the ability to wipe the phone or reboot. Nothing about SD cards anywhere. There is a "Mount /system" option, but ADB access appears to be disabled in this mode. If anyone knows a way this can be exploited, please let me know.
- There is no Fastboot mode. Both the usual button combinations and adb reboot fastboot make the phone restart normally. The same goes for adb reboot edl. There may be some other way to access those modes, but I don't know how.
- I also tried contacting support to ask about my main goal, uploading my own applications, and they confirmed there is no legitimate method of doing so. God damnit.

I think the key might be Download mode, but neither adb nor the fastboot commands work during this mode. See my above update for how to access it. EDL.py throws "resource busy" errors when I try to connect in this mode, not sure why.

I hope someone else can help me or build off of this, because I am not experienced enough to come up with new security vulnerabilities on my own.

Luxferre

Dec 3, 2019, 5:31:30 PM
to banana...@googlegroups.com
Did you try installing Wallace/Wallace Lite via the DevTools/kdeploy after enabling the debug mode?

PuriShnit

Dec 3, 2019, 5:37:38 PM
to comp.mobile.nokia.8110

WebIDE doesn't work on these newer Alcatels - can't connect at all.

I didn't try kdeploy, but are there any chances to expect it to work when WebIDE doesn't?

On 3 December 2019 10:31:32 pm Luxferre <subor...@gmail.com> wrote:

> Did you try installing Wallace/Wallace Lite via the DevTools/kdeploy?



Luxferre

Dec 4, 2019, 2:19:48 AM
to comp.mobile.nokia.8110
kdeploy (from their most recent snapshot) should work because it automatically does all the forwarding and doesn't make any unnecessary calls unlike old XPConnect APIs. I'd say - if kdeploy doesn't work with *#*#debug#*#* on then we're in trouble.

P.S. Also, of course, double-check you're not using a charge-only USB cable :) I have around 100 micro-USB cables, don't remember which one is which, and catch myself doing this every now and then...

PuriShnit

Dec 4, 2019, 6:02:30 PM
to banana...@googlegroups.com

We are not talking about EDL flashing (thru firehose loaders, available with the SigmaKey tool etc.).

We're talking about adb sideloading, with debugger-socket via WebIDE etc.

On 4 December 2019 3:40:55 am softwarecellutions <purekosh...@gmail.com> wrote:

> #alreadyhacked and made KOSHER by softwarecellutions

Joshua Robin

Dec 7, 2019, 1:58:25 PM
to comp.mobile.nokia.8110
The issue with these phones is that the adb forward command doesn’t seem to work. Adb shell doesn’t have permission to cd to hardly any directories either.



Beny Shad

Jan 11, 2020, 6:05:30 PM
to comp.mobile.nokia.8110
Hey hope all is well,
Have you or anyone else tried gdeploy on the Alcatel Smartflip?

Joshua Robin

Jan 12, 2020, 10:23:41 PM
to comp.mobile.nokia.8110
From what I remember gdeploy uses the adb port forward, so it won’t work with these phones.

Ivan Alex HC

Jan 13, 2020, 9:39:54 AM
to comp.mobile.nokia.8110
Yes! WebIDE, like gdeploy and make-kaios-install, needs debugging to work... so nothing to do for now.

Andy Balholm

Jan 13, 2020, 10:26:52 PM
to comp.mobile.nokia.8110
Have you tried my fork of edl.py (https://github.com/andybalholm/edl)? I patched it to fix some issues I was having with the Cingular Flip 2; maybe my patches will help on the SmartFlip as well.

Ivan Alex HC

Jan 14, 2020, 8:34:38 PM
to comp.mobile.nokia.8110
Someone on this page of the gsmhosting forum has unlocked the Smartflip (I think only a SIM unlock; I don't know what software they used): http://forum.gsmhosting.com/vbb/f272/furiousgold-successfully-unlocked-repaired-flashed-phones-661803/index1022.html#post13913713

kaios tester

May 14, 2020, 2:31:50 PM
to comp.mobile.nokia.8110
Can you post a tutorial to put the device in download mode? I downgraded my Alcatel MyFlip and the KaiStore is the old version, when it was only black. Plus I have the boot image (.mbn) for KaiOS 2.5 for the MyFlip, but download mode will not work anymore for some odd reason.


I used qfil to downgrade

kaios tester

May 14, 2020, 2:32:37 PM
to comp.mobile.nokia.8110


And now OmniSD is supported on the MyFlip after the downgrade.

Ars youtube channal

May 26, 2020, 3:20:32 AM
to comp.mobile.nokia.8110
omnisd for smb313e, install Java mobile smb313e. Sir, please make omnisd for the Samsung mobile, sir, model no. smb313e.

Ivan Alex HC

Jul 2, 2020, 3:06:39 AM
to comp.mobile.nokia.8110
Someone has successfully flashed a more recent model using this tool https://github.com/andybalholm/edl with the firehose for the CAT B35; can someone confirm that this works on 4052x and A405DL models?


On Saturday, 30 November 2019 at 23:15:43 UTC+1, Spider_ wrote:

Dana Conrad

Oct 19, 2020, 9:28:46 PM
to comp.mobile.nokia.8110
What model are you referring to? Can you link to instructions to try? Without any fancy trickery, here is the result of using the linked edl tool with the CAT B35 firehose:

% python3 edl.py -loader 0x000940e100000000.mbn
Qualcomm Sahara / Firehose Client (c) B.Kerler 2018-2019.

Using loader 0x000940e100000000.mbn ... 

Waiting for the device
.....................
[At this point, boot device with Vol+ AND Vol- Held down, then when prompted, hold only Vol+ down. Device is now in "Download" mode]
....................
....Device detected :)
Mode detected: Sahara

------------------------
HWID: 0x009600e10042004d (MSM_ID:0x009600e1,OEM_ID:0x0042,MODEL_ID:0x004d)
PK_HASH: 0xb451bd3b38d9edd197ccadf0838d5f8652b8f4642e5bf70411c8153d1ac40adb
Serial: 0x1ba5e6a1
SBL Version: 0x00000000

Unexpected error on uploading, maybe signature of loader wasn't accepted ?
Sorry, couldn't talk to Sahara, please reboot the device !

[At this point, the battery must be removed in order to reboot the device]

I'm not sure if this helps or not. Hopefully it does! Let me know if I did something wrong in the process above. I did not use a special EDL programming cable, just a regular USB cable.

Dana C.

Oct 21, 2020, 11:40:20 PM
to comp.mobile.nokia.8110
> Someone on this page of the gsmhosting forum has unlocked the Smartflip (I think only a SIM unlock; I don't know what software they used): http://forum.gsmhosting.com/vbb/f272/furiousgold-successfully-unlocked-repaired-flashed-phones-661803/index1022.html#post13913713

I looked into this, they were using a FuriousGold tool, the only one of which I can find that claims to support the OT-4052 models is "QCom Smart Tool". This claims to be able to:
  • Generate Unlock Codes
  • Data dump
  • Read flash
  • Repair IMEI
  • Security rebuild
  • Unlock by cable
However! The only changelog of that specific tool I could find that mentioned the OT-4052 variants only mentioned "DIRECT UNLOCK / COUNTER RESET / FRP RESET" of these devices. So I'm not sure what capabilities the tool actually has, and it's $100 for a limited duration usage or $200 for unlimited duration usage, so I'm not quite to the point of spending the money to find out.

Surely if we were able to get a dump of the stock ROM that would be helpful, right? And I'm unsure what "Direct Unlock" means, if it unlocks the bootloader or just frees it from a certain mobile provider. My money's on the latter.

I suspect we need a firehose that contains the correct PK_HASH signature, right? Incidentally, I found that the PK_HASH for the CAT B35 was actually present in the CAT B35 firehose if you opened it up in a hex editor and searched for that string. I can't imagine good things would result if we simply cut/pasted in the 4052 PK_HASH though. Or at least, I'm not about to try it - a bricked phone will probably result.
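As an added example (not code from the thread, from edl.py or from any tool named here), the following Python parses the identification block edl.py prints in Sahara mode, splits the HWID the same way the tool does, and checks whether a loader image contains the device's PK_HASH bytes, the test Dana did by hand in a hex editor. The loader images are constructed placeholders, and the HWID layout (MSM_ID in the upper 32 bits, then 16-bit OEM_ID and MODEL_ID) is taken from the tool's own output above.

```python
"""Pre-flight loader check against the identification edl.py prints in Sahara mode.

Sahara only accepts a loader whose certificate chain roots in the key whose
hash the device reports as PK_HASH, so a loader image that does not carry
that hash is the likely cause of "signature of loader wasn't accepted".
Example code, not part of edl.py.
"""
import re

# Constructed sample: the three identification lines from the thread's output.
SAHARA_OUTPUT = """\
HWID: 0x009600e10042004d (MSM_ID:0x009600e1,OEM_ID:0x0042,MODEL_ID:0x004d)
PK_HASH: 0xb451bd3b38d9edd197ccadf0838d5f8652b8f4642e5bf70411c8153d1ac40adb
Serial: 0x1ba5e6a1
"""


def parse_sahara_output(text):
    """Extract HWID and serial as ints and PK_HASH as 32 raw bytes."""
    fields = dict(re.findall(r"^(HWID|PK_HASH|Serial): 0x([0-9a-fA-F]+)", text, re.M))
    return {
        "hwid": int(fields["HWID"], 16),
        "pk_hash": bytes.fromhex(fields["PK_HASH"]),
        "serial": int(fields["Serial"], 16),
    }


def split_hwid(hwid):
    """Layout used by edl.py: MSM_ID (32 bits) | OEM_ID (16 bits) | MODEL_ID (16 bits)."""
    return (hwid >> 32) & 0xFFFFFFFF, (hwid >> 16) & 0xFFFF, hwid & 0xFFFF


def loader_pk_hash_matches(loader, pk_hash):
    """True if the device's PK_HASH bytes occur anywhere in the loader image."""
    return pk_hash in loader


def preflight(text, loader):
    """Combine the parsed device identity with the loader hash check."""
    dev = parse_sahara_output(text)
    msm, oem, model = split_hwid(dev["hwid"])
    return {
        "msm_id": msm,
        "oem_id": oem,
        "model_id": model,
        "pk_hash_match": loader_pk_hash_matches(loader, dev["pk_hash"]),
    }


if __name__ == "__main__":
    dev = parse_sahara_output(SAHARA_OUTPUT)
    # Constructed stand-ins: one image carrying this device's hash, one (like the
    # CAT B35 loader tried in the thread) carrying some other root-key hash.
    own_loader = b"\x00" * 64 + dev["pk_hash"] + b"\xff" * 64
    foreign_loader = b"\x00" * 64 + bytes(range(32)) + b"\xff" * 64
    for name, image in (("own", own_loader), ("foreign", foreign_loader)):
        print(name, preflight(SAHARA_OUTPUT, image))
```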

Dana C.

Oct 22, 2020, 11:48:27 AM
to comp.mobile.nokia.8110
Third post in a row, sorry for the spam, but I also found that the official (I think) QPST tool can connect to the phone when it's in download mode, though I don't know enough to know if that's a useful tool for us or not. Windows seemed to be able to automatically find the drivers. I suspect it's the same situation where you really need the .mbn file to do anything useful.

Ivan Alex HC

Oct 22, 2020, 1:09:53 PM
to comp.mobile.nokia.8110
Don't worry, any new information is useful, keep posting :)

Dana C.

Oct 28, 2020, 3:07:50 PM
to comp.mobile.nokia.8110
>  I found that the PK_HASH for the CAT B35 was actually present in the CAT B35 firehose if you opened it up in a hex editor and searched for that string. I can't imagine good things would result if we simply cut/pasted in the 4052 PK_HASH though. Or at least, I'm not about to try it - a bricked phone will probably result. 

Tried this one, no change in behavior. It was a long shot anyway - too good to be true. The good news though is it did not brick my phone! 

Dana C.

Nov 10, 2020, 5:50:52 PM
to comp.mobile.nokia.8110
I have noticed that in the recovery mode, if you hold down Vol+ or Vol-, the menu selection turns from blue to green, though this does not seem to have any sort of effect on behavior. Is this of any significance? Is this known from any other device?

Dana C.

Nov 12, 2020, 12:38:22 PM
to comp.mobile.nokia.8110
Is the website needrom.com legit? There is a 4052R rom posted here: https://www.needrom.com/download/stock-alcatel-4052r/

I downloaded it and scanned it with Windows Defender and it didn't find anything malicious. I don't know enough to know what I'm looking at but opening it up, it looks real. There are several .mbn files, I suspect they will only work for the "R" version. I'll try on my "C" version after work just to see.

Are we allowed to post full rom zip files here? I can upload it, since you need to register for an account before it will let you.

Dana C.

Nov 12, 2020, 12:42:10 PM
to comp.mobile.nokia.8110
Addendum: I thought better of uploading it here, in case there are legal repercussions. I doubt it, but you never know. I'll let that link stand.

Dana C.

Nov 12, 2020, 8:00:06 PM
to comp.mobile.nokia.8110
Ok, can someone who knows what they're doing try this firehose? I am getting "Successfully uploaded programmer :)" but then the edl.py script exits with an error and the phone resets. I don't know if I'm doing something wrong or it's never going to work.

The error:

Successfully uploaded programmer :)
Traceback (most recent call last):
  File "edl.py", line 419, in <module>
    main()
  File "edl.py", line 191, in main
    info=fh.connect(0)
  File "/Users/dana/kaios stuff/edl-master-mystery/Library/firehose.py", line 337, in connect
    rsp=self.xmlsend(data)
  File "/Users/dana/kaios stuff/edl-master-mystery/Library/firehose.py", line 66, in xmlsend
    self.cdc.write(data,self.cfg.MaxXMLSizeInBytes)
  File "/Users/dana/kaios stuff/edl-master-mystery/Library/usb.py", line 61, in write
    self.device.write(self.EP_OUT,command[pos:pos+pktsize])
  File "/usr/local/lib/python3.7/site-packages/pyusb-1.1.0.post7+gc8d48cd-py3.7.egg/usb/core.py", line 982, in write
  File "/usr/local/lib/python3.7/site-packages/pyusb-1.1.0.post7+gc8d48cd-py3.7.egg/usb/backend/libusb1.py", line 842, in bulk_write
  File "/usr/local/lib/python3.7/site-packages/pyusb-1.1.0.post7+gc8d48cd-py3.7.egg/usb/backend/libusb1.py", line 938, in __write
  File "/usr/local/lib/python3.7/site-packages/pyusb-1.1.0.post7+gc8d48cd-py3.7.egg/usb/backend/libusb1.py", line 604, in _check
usb.core.USBError: [Errno 19] No such device (it may have been disconnected)
sbl1.mbn

Dana C.

Nov 24, 2020, 12:45:41 PM
to comp.mobile.nokia.8110
I just thought I would update this thread as I bet there are people subscribed to this that don't get general email notifications of other threads. I've been working with Affe null to find vulnerabilities - or rather I've been testing out vulnerabilities that they've found - so far here are the ones found in the Smartflip (all tested on the "C" variant, others may differ):

Arbitrary system options can be set via the Calendar app, though this still does not allow for enabling port forwarding or root in ADB to my knowledge. Maybe someone who is more familiar with the inner workings of Kaios can specify some settings to enable this? The instructions are in the Gitlab link in this post:

The "testbox" and "mmitest" apps can be opened via a MozActivity() line in a webpage script, via:
new MozActivity({name: "testbox"})
and
new MozActivity({name: 'mmitest'})  
Though I don't know if these apps are really of any use.

The one that seems most useful is the "internal-system-engineering-mode" page of the "testbox" app:
Unfortunately I haven't been able to open it yet on the Smartflip 4052C. I did take a look at the javascript file that it should run if we are able to get it to open, and the line that sets service.adb.root is commented out, so it may not do anything once we are able to launch it anyway. See here:

I'm not super clear on how to use MozActivity() in a webpage, so it's entirely possible I'm just doing something wrong there. The manifest.webapp files are not terribly easy to read :-P

Anyway, that's my summary.

William Turner

May 3, 2021, 11:14:40 AM
to comp.mobile.nokia.8110
I don't know if this has been posted before, but I found a programmer for Alcatel 4052R (Go Flip 3 or QuickFlip).
These look like they may be OEM programmers.

together with the firehose loader:

I was able to successfully backup/modify all partitions.

There are other Go Flip programmers posted there. 