Crosscall Core-S4 research thread

Luxferre

Nov 3, 2021, 11:57:31 AM
to comp.mobile.nokia.8110
Hi folks,

So, after a long wait (over 3 weeks), for about $187 of the main price and about $20 of extra different customs and delivery fees I finally got my Crosscall Core-S4 and a separately ordered X-Link (Magconn) cable for it today, on November 3 2021. In the bundle, it also has a (vacuum) wired stereo earbud headset, some replaceable buds for it, some "X-Blocker" attachable phone grip, a 5V/1A USB wall charger and a normal microUSB cable. And a branded SIM pin, of course, because the battery here is non-removable.

The device exterior is very impressive, to say the least. Well, French design is French design. It's a bit longer and wider than I expected but still very comfortable to hold and operate. Anyway, now to the main topic - its hardware and software features that matter for our research process. So...

Hardware

Chipset: MediaTek MT6731 (looks like a stripped-down MT6739 version)
RAM: 512 MB
Flash memory: 4GB, user partition has ~1.07 available OOTB (that's what Storage info and MTP file transfer utilities show)
SIM slot: hybrid (1 nano-SIM + microSD or 2 nano-SIMs, which is quite inconvenient for my purposes)
Battery capacity: 2300 mAh
Able to use X-Link/Magconn cable for data transfer/charging/ADB: yes (fully replaces usual microUSB if necessary)
Able to use X-Link/Magconn cable for low level transfer/flashing: no (for some reason, maybe a power management issue)

Software

KaiOS version: 2.5.3.2
Base Android API/ABI level: 23 (Android 6.0)
Firmware version: L1840.6.02.03.FR00
Internal product name: L740
Software tag: kaios_sfp_2_5_3_modric_20201210_2 (pay attention to the "modric" codename, probably has a board similar to Sigma sKai or, at least, the build had that board as a test target)
Baseband firmware version (called "Vendor base version" in Settings menu): alps-mp-m0.kaios.mp1-V1.28.1_hs6731.kaio.m_P1
USB storage protocol: MTP, disabled by default
Preinstalled but removable apps (OOTB, shown without SIM cards): Astrolo, Whatsapp (shown in the left carousel only), Facebook (shown in the left carousel only)

Hackability out of the box

- Debug code (*#*#33284#*#*) is not working (just like in sKai);
- W2D method works but only allows to enable the debugger in the ADB + WebTools mode;
- ADB shell is opened as shell@L740:/ $ prompt;
- SELinux is set to the Enforcing mode;
- ro.debuggable is set to 0, ro.secure is set to 1;
- In non-privileged mode, installing apps with engmode-extension permission is forbidden, all other apps are installable via WebIDE on Waterfox Classic or gdeploy with no issues;
- for all the boot modes, Down arrow key is replacing Vol+ and Up arrow key is replacing Vol-, remember that, and holding Power for 10+ seconds force-reboots from any boot mode if you're stuck;
- recovery can be entered with adb reboot recovery (if ADB is enabled already) or by turning on with Down pressed, and it's quite unusable here (probably lacking another button necessary to operate it), so just force-reboot it if you got there;
- fastboot can be entered with adb reboot bootloader (if ADB is enabled already) or by connecting the cable with Up pressed, but I couldn't get X-Link to see it, only a normal microUSB;
- the fastboot oem unlock command actually does unlock the bootloader (doing factory reset and setting the "orange state", just like some MTK-based Androids of the time) but prompts (on the device itself) to push Volume Up and Volume Down keys that the device doesn't have, and using normal Up or Down keys is actually reversed - you confirm with pushing Down and reject with pushing Up, and then you still don't get any privileged access, you have to do all the procedures again;
- the existing ca.in method only works after the aforementioned bootloader unlock. Well, at least it works and allows you to see the developer menu without W2D and to see all the system processes and preferences in the WebIDE. Now you can go to the "Device Preferences", search for the devtools.apps.forbidden-permissions preference and clear this string. Then you should be able to install apps with engmode-extension permission, but beware that this still has SELinux on, so most Wallace Toolbox features still won't work at all...

Phew. This is definitely the most interesting KaiOS phone I've got in these 3 years (after the original 8110 4G, of course). And this is just the basic stuff. Not even on how to properly dump the boot partition (without the proprietary tooling) and how to patch it correctly to achieve ADB root + SELinux off + debuggable on. This is still to be researched. So stay tuned, and good luck!

Regards,
Luxferre

yair...@gmail.com

Nov 3, 2021, 12:41:08 PM
to comp.mobile.nokia.8110
You can dump it easily with Mtkclient.          


On Wednesday, November 3, 2021 at 17:57:31 UTC+2, Luxferre wrote:

Luxferre

Nov 3, 2021, 3:54:40 PM
to comp.mobile.nokia.8110
I wish it was that simple. Mtkclient can do nothing as well.

...Port - Device detected :)
Preloader - CPU: MT6739/MT6731()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xb4
Preloader - Disabling Watchdog...
Preloader - HW code: 0x699
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x2
Preloader - ME_ID: 39BF802360D5C6A4F54D768464B8F919
Preloader - SOC_ID: CE90E805E5B14980B5F745ED83DFCD247444D254A0284CF905714F6DBAFB80D2
PLTools - Loading payload from mt6739_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
[Errno 13] Access denied (insufficient permissions)
Kamakiri - Done sending payload...
PLTools - Error, payload answered instead: 
Mtk
Mtk - [LIB]: Error on running kamakiri payload
Main - Device is protected.
Main - Device is in BROM mode. Trying to dump preloader.
Preloader
Preloader - [LIB]: Unknown: 0x1d0a
DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.2136.bin
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_Security_Error (0x7017)


If you have some complete system dumps from this device already (or at least the recovery image), please send them via Discord.
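
Added example (not part of the posts above and not mtkclient's own code): the nine True/False lines in the log are all readable from the single byte "Target config: 0xe5", which is why this device reports itself as protected. The bit masks below are an assumption, chosen because they reproduce exactly the flags printed in the log; the script decodes the byte and cross-checks it against the printed lines.

```python
import re

# Assumed bit masks for the "Target config" byte, picked so that 0xe5
# decodes to exactly the flags printed in the log in the post above.
TARGET_CONFIG_BITS = {
    "SBC enabled": 0x01,
    "SLA enabled": 0x02,
    "DAA enabled": 0x04,
    "SWJTAG enabled": 0x06,
    "EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT": 0x08,
    "Root cert required": 0x10,
    "Mem read auth": 0x20,
    "Mem write auth": 0x40,
    "Cmd 0xC8 blocked": 0x80,
}

# Lines copied from the log in the post above (not constructed).
LOG = """\
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
"""

LINE_RE = re.compile(r"^Preloader - (.+?): (\S+)$")

def parse_log(text):
    """Map 'Preloader - key: value' lines to {key: value}."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def decode_target_config(value):
    """Decode the target-config byte into named boolean flags."""
    return {name: bool(value & mask) for name, mask in TARGET_CONFIG_BITS.items()}

def cross_check(text):
    """Return the flags whose printed value disagrees with the decoded byte."""
    fields = parse_log(text)
    decoded = decode_target_config(int(fields["Target config"], 16))
    return [n for n, on in decoded.items() if n in fields and fields[n] != str(on)]

if __name__ == "__main__":
    print(decode_target_config(0xE5))
    print("mismatches:", cross_check(LOG))
```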