Related
Every time Samsung releases a new series of phones, they try to make
it just a little harder for us to find and enter the Service Mode (SM)
menus. Understandably the Service Mode menus allow you to access
functions on your phone directly related to its operation, from
selecting particular service providers, unlocking your SIM card,
changing default networks, bands and destroying your internal
non-volatile (NV) memory, that contain all your IMEI, RF, EFS
parameters, and to make a complete factory wipe and reset.
So this is not to play around with, randomly!
You have been warned.
On the other hand, it also provides extremely useful detailed
information about your mobile network, including all radio related
systems like GPS, WiFi, BlueTooth and NFC. Most of this information
is not available through the usual AOS Java API, and probably will
never be, as vendors consider this area as off-limits to users and
amateur developers.
Note:
All this info was obtained on a European
Samsung Galaxy S4-mini (GT-I9195 LTE)
But reported to work also on:
Samsung Galaxy S5 on US Cellular (SM-G900R4)
Code:
[SIZE=2]Baseband: I9195XXUBML4 [/SIZE]
[SIZE=2]Kernel: 3.4.0-2340422 [/SIZE]
[SIZE=2] [email protected] #1 [/SIZE]
[SIZE=2]Build: JDQ39.I9195XXUBML4 [/SIZE]
[SIZE=2]SE: SEPF_GT-I9195_4.2.2_0022[/SIZE]
Getting into Service Mode (SM)
On this particular model, you have to do this:
Go to dial pad and enter: *#0011#
This will initially take you to Service Mode and showing you
various signal status items, by default. But it's a locked
entry. So to unlock and go to the Main Menu do this:==> [MENU] + [Back]
==> [MENU] + [Key Input] + "Q0"
==> <wait ~5-10 seconds>Now you can hit the thank you button below!
I have not seen this solution anywhere else, and
it required some reversing...
Understading the ServiceMode Menu
<WIP>
This will take some time to investigate, so anyone
who already knows, please post in this thread.
The ServiceMode Menu Structure (brief)
Go to Post#2 for formatted menu structure and items.
Code:
[SIZE=2]MAIN MENU[/SIZE]
[SIZE=2][1] UMTS [/SIZE]
[SIZE=2][2] CDMA [/SIZE]
[SIZE=2][3] LTE [/SIZE]
[SIZE=2][4] SIM- Not Used. --> <E>[/SIZE]
[SIZE=2][5] DOCOMO DEBUG SCREEN [/SIZE]
[SIZE=2][6] run EFS SYNC() [/SIZE]
[SIZE=2][7] DEBUG SCREEN [/SIZE]
Some Important Codes
9900 SysDump
This is an important hidden code is that for making a wide range
of system dumps and changing many unknown logging functions.
This will give you a list of the following functions:
Code:
[SIZE=2]Menu Item Setting Description[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]Run dumpstate/logcat/modem log - logcat -v threadtime -b radio -d -f /data/log/radio_*.log[/SIZE]
[SIZE=2]Delete dumpstate/logcat [/SIZE]
[SIZE=2]Run dumpstate/logcat [/SIZE]
[SIZE=2]Copy Kernel Log to SD card [/SIZE]
[SIZE=2]Run CP based log [/SIZE]
[SIZE=2]Run Forced CP crash dump [/SIZE]
[SIZE=2]Copy to sdcard (include CP Ramdump) [/SIZE]
[SIZE=2]Debug Level Disabled/LOW - Change debug level [LOW/MID/HIGH][/SIZE]
[SIZE=2]CP Debugging Popup UI: Disabled [/SIZE]
[SIZE=2]Silent Log: Off dev.silentlog.on=(On,Off)[/SIZE]
[SIZE=2]Translation Assistant: Off persist.translation.assistant=(0,1)[/SIZE]
[SIZE=2]Low battery dump: Off [/SIZE]
[SIZE=2]Wakelock Monitoring: OFF [/SIZE]
[SIZE=2]TCP DUMP START ro.product_ship=(true,false) lucky_ril*.log[/SIZE]
[SIZE=2]Enable SecLog (currently disabled) persist.log.seclevel=(0,1)[/SIZE]
[SIZE=2]MTT Logging Setting: OFF persist.brcm.log=(sdcard,none) [Broadcom][/SIZE]
[SIZE=2]ACT data copy [/SIZE]
[SIZE=2]Exit [/SIZE]
9090 DIAG CONFIG
This is also important for changing the internal MUX used for
diagnostic debug output, to/from USB and UART.
Code:
[SIZE=2]DIAG CONFIG[/SIZE]
[SIZE=2][1] USB ( )[/SIZE]
[SIZE=2][2] UART (*)[/SIZE]
[SIZE=2][3] DBG MSG ON (*)[/SIZE]
[SIZE=2][4] DBG MSG OFF ( )[/SIZE]
Basically if you wanna use UART output, you will probably need
to build the MyWay box or use the correct resistance between
the USB ID and GND pins. (See my AnyWay thread.)
0808 USB Settings
This is by far the most important code to know, because it is used to determine,
what drivers are enumerated when connecting your phone to PC via USB cable.
Technically it is a multiplexer (MUX) switch which determine whether the USB
port is directly connected to the CP (Cellular/baseband Processor/modem),
or the AP (Application Processor). This also selects what device features will be
enabled once connected. Such as ADB, RNDIS, and DM (Diagnostic Mode) etc.
To change the mux settings on a Samsung S4/mini, use your dialpad
to get to the "USBSettings" menu, like this:
For AOS <= 4.2.2, without SELinux, use *#7284# or *#3424#.
For AOS >= 4.2.2, with SELinux, use *#0808#.
Code:
[SIZE=2]USB
( ) CP
( ) AP
USB Settings
( ) MTP
( ) MTP + ADB
( ) PTP
(o) PTP + ADB
( ) RNDIS + DM + MODEM
( ) RMNET + DM + MODEM
( ) DM + MODEM + ADB
[OK] [Reboot]
[/SIZE]
A few other service/secret codes
Similarly to my GT-I9300 "Secret Codes" thread, we find many of the
same codes present also in this phone. Do check that thread out, for
understanding how to find more codes relevant for your phone and AOS
version. Also note that most custom ROMs does not support all these,
as they are usually left out or forgotten about, since they are
vendor/modem specific.
Here I show only the most interesting & useful ones, and I have also
used the excellent website PhoneSpell to try to find sensible word
combinations for some of these numbers.
Now, many of these seem not to work at all, but they are present in
the ServiceMode application(s) code and rely on various other
properties being set before being available/activated. Another
type of block is is determined by the content of the EFS files:
/efs/FactoryApp/keystr
/efs/carrier/HiddenMenu
These can be set on a rooted phone by:
Code:
echo -n "OFF" > /efs/FactoryApp/keystr
echo -n "ON" >/efs/carrier/HiddenMenu
echo -n "ON" >/efs/FactoryApp/factorymode
(Somebody need to confirm the KeyString block boolean!)
Here is list of some particularly interesting properties that often
seem involved in blocking/enabling particular ServiceMenu
items/features.
Code:
[SIZE=2]property value/note[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]ril.tcpdumping=On [On,Off][/SIZE]
[SIZE=2]ril.OTPAuth=true OTP Authentication key is 6 random digits long[/SIZE]
[SIZE=2]ro.build.type=eng [eng, user]][/SIZE]
[SIZE=2]ro.cp_debug_level= [0x5500,0x55FF] [/SIZE]
[SIZE=2]ro.csc.sales_code=CHM [NONE, <many otehrs> ][/SIZE]
[SIZE=2]ro.csc.country_code= [KOREA, Unknown, ...] KOREA allows extra menu item: "IMS"[/SIZE]
[SIZE=2]ro.product_ship=false [true,false][/SIZE]
[SIZE=2]ro.product.model= [/SIZE]
[SIZE=2]ro.factorytest=1
dev.silentlog.on= [0,1][/SIZE]
[SIZE=2]persist.radio.lteon=true [true,false][/SIZE]
And here are some of the codes:
Code:
[SIZE=2]code mnemonic description[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]06 - IMEI[/SIZE]
[SIZE=2]00112 [/SIZE]
[SIZE=2]0228 0BAT Battery status (ADC, RSSI reading)[/SIZE]
[SIZE=2]0514 - [/SIZE]
[SIZE=2]0599 -[/SIZE]
[SIZE=2]1234 - FW Versions for AP,CP,CSC[/SIZE]
[SIZE=2]123456 -[/SIZE]
[SIZE=2]1575 - GPS test[/SIZE]
[SIZE=2]1111 - FTA SW Version [/SIZE]
[SIZE=2]2222 - FTA FW Version[/SIZE]
[SIZE=2]8888 - [/SIZE]
[SIZE=2]9090 - USB/UART MUX debug switch[/SIZE]
[SIZE=2]99007788 - [/SIZE]
[SIZE=2]197328640 - Service Mode[/SIZE]
[SIZE=2]22558463 CALLTIME Reset Total Call Time[/SIZE]
[SIZE=2]2263 BAND [/SIZE]
[SIZE=2]2580 <mid-col> [/SIZE]
[SIZE=2]268435456 ANTIFKILO "antenna IF kilo?? serviceModeApp_FB.apk / FTATDumpReceiver.class[/SIZE]
[SIZE=2]27663368378 CPMODEMTEST [/SIZE]
[SIZE=2]2767*2878 APOS*CUST Current firmware with factory default settings[/SIZE]
[SIZE=2]301279||279301 - [/SIZE]
[SIZE=2]3214789650 - Start Angry GPS Build.TYPE != "user"[/SIZE]
[SIZE=2]32489 - Ciphering Info[/SIZE]
[SIZE=2]4238378 ICE/GCFTEST GCF Settings?[/SIZE]
[SIZE=2]4387264636 GETRAMINFO [/SIZE]
[SIZE=2]58366 LTEON set persist.radio.lteon=true[/SIZE]
[SIZE=2]6201 - [/SIZE]
[SIZE=2]638732 NETSEC Build.TYPE != "user"[/SIZE]
[SIZE=2]66336 MODEM CP Ram Dump (On/Off) ro.cp_debug_level=[0x5500,0x55FF][/SIZE]
[SIZE=2]6984125* MYTH1A5? ? [/SIZE]
[SIZE=2]7284 PATH Set USB/UART path [/SIZE]
[SIZE=2]738767633 SETSOSOFF Turn OFF SOS*[/SIZE]
[SIZE=2]73876766 SETSOSON Turn ON SOS*[/SIZE]
[SIZE=2]7387677763 SETSOSPROF Set SOS* profile[/SIZE]
[SIZE=2]7387678378 SETSOSTEST Set SOS* test[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]* SOS = Sell Out SMS[/SIZE]
[SIZE=2]<> = some kind of keypad pattern[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
In addition to these numerical codes, there are also few alphanumeric ones.
These can be used from the command-line with the "am" command, like this:
Code:
[SIZE=2]am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://CP_RAMDUMP[/SIZE]
This might also work when already in ServiceMode, by entering the string
after selecting "Key Input" or "Select", from menu. (I have not checked.)
Code:
[SIZE=2]LTE_ANT_PATH_NORMAL[/SIZE]
[SIZE=2]CP_RAMDUMP[/SIZE]
[SIZE=2]DUMP_SVCIPC[/SIZE]
[SIZE=2]DEBUG_SCR[/SIZE]
[SIZE=2]EI_DEBUG_SCR[/SIZE]
[SIZE=2]DATA_ADV[/SIZE]
[SIZE=2]NAMBASIC[/SIZE]
[SIZE=2]TESTMODE[/SIZE]
[SIZE=2]NAMSIMPLE[/SIZE]
[SIZE=2]TEST_CALL[/SIZE]
The Samsung Diagnostics Menu
One special secret code is that of the Samsung Dignostic
Test Menu. This particular menu exsists on pretty much all
Android based Samsung phones. (AFAIK) The code is simply:
*#0*#
It provides for testing things like the Screen, Sound, Vibrator,
all the sensors and more. One one the cooler features for phones
that include an IR transmitter, is that you can use it on most
modern Samsung TV's as a remote control. Thus even easier to use
than any of Samsung's own Remote Control Apps, which are often
bloated and containing spyware.
The available test items you will find on this particular model are:
Code:
[SIZE=2][Red] - screen pixel test[/SIZE]
[SIZE=2][Green] - screen pixel test[/SIZE]
[SIZE=2][Blue] - screen pixel test[/SIZE]
[SIZE=2][Receiver] - (Ear) Receiver test[/SIZE]
[SIZE=2][Vibration] -[/SIZE]
[SIZE=2][Dimming] -[/SIZE]
[SIZE=2][Mega cam] -[/SIZE]
[SIZE=2][Sensor] -[/SIZE]
[SIZE=2][Touch] -[/SIZE]
[SIZE=2][Sleep] - sleep mode (power button) test[/SIZE]
[SIZE=2][Speaker] - listen![/SIZE]
[SIZE=2][Sub key] - testing keys [/SIZE]
[SIZE=2][Front cam] - [/SIZE]
[SIZE=2][IR LED] - Samsung TV compatible IR remote control[/SIZE]
[SIZE=2][LOW FREQUENCY] - Listen 100/200/300 Hz[/SIZE]
[SIZE=2][Black] - screen darkness test[/SIZE]
For other S4 models, check this YouTube video:
"Galaxy S4 Diagnostics Menu *#0*#"
For the S3 GT-I9300 check out the thread:
[REF][INFO][R&D] "Secret Codes" and other hidden features
The ServiceMode Menu Structure
This is really <WIP> as I don't have time to manually type in every damn menu
item for everyone else. So if you wanna help out filling in the blanks, please post
and I'll eventually add it here.
Code:
[SIZE=2]MAIN MENU[/SIZE]
[SIZE=2] [1] UMTS [/SIZE]
[SIZE=2] [2] CDMA [/SIZE]
[SIZE=2] [3] LTE [/SIZE]
[SIZE=2] [4] SIM- Not Used. --> <E>[/SIZE]
[SIZE=2] [5] DOCOMO DEBUG SCREEN [/SIZE]
[SIZE=2] [6] run EFS SYNC() [/SIZE]
[SIZE=2] [7] DEBUG SCREEN [/SIZE]
[SIZE=2] ---------------------------------------------------------------------[/SIZE]
[SIZE=2] [1] UMTS MAIN MENU[/SIZE]
[SIZE=2] [1] DEBUG SCREEN[/SIZE]
[SIZE=2] [2] VERSION INFORMATION[/SIZE]
[SIZE=2] [3] UMTS RF NV[/SIZE]
[SIZE=2] [4] GSM RF NV[/SIZE]
[SIZE=2] [5] AUDIO[/SIZE]
[SIZE=2] [6] COMMON[/SIZE]
[SIZE=2] [7] LTE BAND CONFIG CHECK[/SIZE]
[SIZE=2] [1] DEBUG SCREEN[/SIZE]
[SIZE=2] [1] BASIC INFORMATION[/SIZE]
[SIZE=2] [2] NAS INFORMATION[/SIZE]
[SIZE=2] [3] AS INFORMATION[/SIZE]
[SIZE=2] [4] NEIGHBOUR CELL[/SIZE]
[SIZE=2] [5] GPRS INFORMATION[/SIZE]
[SIZE=2] [6] SIM INFORMATION[/SIZE]
[SIZE=2] [7] HANDOVER[/SIZE]
[SIZE=2] [8] PHONE CONTROL[/SIZE]
[SIZE=2] [9] ANTENNA/ADC[/SIZE]
[SIZE=2] [2] VERSION INFORMATION[/SIZE]
[SIZE=2] [1] SW VERSION[/SIZE]
[SIZE=2] [2] HW VERSION[/SIZE]
[SIZE=2] [3] UMTS RF[/SIZE]
[SIZE=2] [1] RF NV READ[/SIZE]
[SIZE=2] [2] RF NV WRITE[/SIZE]
[SIZE=2] [3] UMTS DIVERSITY CONTROL[/SIZE]
[SIZE=2] [4] RF CALIBRATION CHECK[/SIZE]
[SIZE=2] [4] GSM RF[/SIZE]
[SIZE=2] [1] RF NV READ[/SIZE]
[SIZE=2] [2] RF NV WRITE[/SIZE]
[SIZE=2] [5] AUDIO Locked! ==> See Note (a)[/SIZE]
[SIZE=2] ...[/SIZE]
[SIZE=2] [6] COMMON[/SIZE]
[SIZE=2] [1] FTM[/SIZE]
[SIZE=2] [2] DEBUG INFO[/SIZE]
[SIZE=2] [3] RF SCANNING[/SIZE]
[SIZE=2] [4] DIAG CONFIG[/SIZE]
[SIZE=2] [5] WCDMA SET CHANNEL[/SIZE]
[SIZE=2] [6] NV REBUILD[/SIZE]
[SIZE=2] [7] FACTORY TEST[/SIZE]
[SIZE=2] [8] FORCE SLEEP[/SIZE]
[SIZE=2] [9] GPS[/SIZE]
[SIZE=2] [1] FTM : OFF Locked! ==> See Note (b)[/SIZE]
[SIZE=2] [1] NOT SUPPORT [/SIZE]
[SIZE=2] [2] FTM : OFF[/SIZE]
[SIZE=2] [2] DEBUG INFO[/SIZE]
[SIZE=2] [1] MM REJECT CAUSE[/SIZE]
[SIZE=2] [2] LOG DUMP[/SIZE]
[SIZE=2] [3] UI DEBUG POPUP - N/S[/SIZE]
[SIZE=2] [3] RF SCANNING [/SIZE]
[SIZE=2] [1] SETTING[/SIZE]
[SIZE=2] [2] START RF SCANNING[/SIZE]
[SIZE=2] [3] RESULT TO PC[/SIZE]
[SIZE=2] [4] RESULT TO SCREEN[/SIZE]
[SIZE=2] [4] DIAG CONFIG[/SIZE]
[SIZE=2] [1] USB ( )[/SIZE]
[SIZE=2] [2] UART (*)[/SIZE]
[SIZE=2] [3] DBG MSG ON (*)[/SIZE]
[SIZE=2] [4] DBG MSG OFF ( )[/SIZE]
[SIZE=2] [5] WCDMA SET CHANNEL ==> "WCDMA CHANNEL SET" NOT SUPPORT[/SIZE]
[SIZE=2] [6] NV REBUILD --> Not tested![/SIZE]
[SIZE=2] [7] FACTORY TEST --> Not tested![/SIZE]
[SIZE=2] [8] FORCE SLEEP --> Not tested![/SIZE]
[SIZE=2] [9] GPS[/SIZE]
[SIZE=2] co_gps_menu ==> unknown![/SIZE]
[SIZE=2] [7] LTE BAND CONFIG CHECK --> <E>[/SIZE]
[SIZE=2] ---------------------------------------[/SIZE]
[SIZE=2] [2] CDMA MAIN MENU[/SIZE]
[SIZE=2] [1] COMMON[/SIZE]
[SIZE=2] [2] DATA[/SIZE]
[SIZE=2] [3] RF[/SIZE]
[SIZE=2] [4] CONTROL[/SIZE]
[SIZE=2] [5] DEBUG SCREEN[/SIZE]
[SIZE=2] [6] SUSPEND (001)[/SIZE]
[SIZE=2] [7] TEST SYS(012)[/SIZE]
[SIZE=2] [1] COMMON MENU (1/3) [/SIZE]
[SIZE=2] [1] READ RAW RSSI (018)[/SIZE]
[SIZE=2] [2] MODEL ID (019)[/SIZE]
[SIZE=2] [3] SNDNAM (020)[/SIZE]
[SIZE=2] [4] SNDVERSION (021)[/SIZE]
[SIZE=2] [5] SNDESN (022)[/SIZE]
[SIZE=2] [6] DATASVC ON (023)[/SIZE]
[SIZE=2] [7] DATASVC OFF (024)[/SIZE]
[SIZE=2] [8] VERSION (025)[/SIZE]
[SIZE=2] [9] NEXT PAGE >[/SIZE]
[SIZE=2] COMMON MENU (2/4)[/SIZE]
[SIZE=2] [1] REBUILD (026)[/SIZE]
[SIZE=2] [2] PHONE RESET (027)[/SIZE]
[SIZE=2] [3] FS RESET (029)[/SIZE]
[SIZE=2] [4] SIO TO DM (032)[/SIZE]
[SIZE=2] [5] MSL KEY(245)[/SIZE]
[SIZE=2] [6] MSL (246)[/SIZE]
[SIZE=2] [7] F3 MSG (249)[/SIZE]
[SIZE=2] [8] CUR BAND (253)[/SIZE]
[SIZE=2] [9] NEXT PAGE >[/SIZE]
[SIZE=2] COMMON MENU (3/4)[/SIZE]
[SIZE=2] [1] ERR LOG CLR (252)[/SIZE]
[SIZE=2] [2] SIM IN OUT CHECK (89)[/SIZE]
[SIZE=2] [3] MEMORY CHECK (90)[/SIZE]
[SIZE=2] [4] ACTIVATION_DATE (99)[/SIZE]
[SIZE=2] [5] SIO_MODE (032)[/SIZE]
[SIZE=2] [6] MOB CAI REV (110)[/SIZE]
[SIZE=2] [7] RECONDITIONED STATUS (200)[/SIZE]
[SIZE=2] [8] PREF MODE SET[/SIZE]
[SIZE=2] [9] NEXT PAGE >[/SIZE]
[SIZE=2] COMMON MENU (4/4)[/SIZE]
[SIZE=2] [1] RTRE CONFIG[/SIZE]
[SIZE=2] [2] SMS FORMAT SET[/SIZE]
[SIZE=2] [3] (UN)BLOCK VOICE MT[/SIZE]
[SIZE=2] [4] CHECK FACTORY CMD[/SIZE]
[SIZE=2] [2] DATA[/SIZE]
[SIZE=2] [1] WRITE NV (031) [/SIZE]
[SIZE=2] [2] MRU2 TABLE (033)[/SIZE]
[SIZE=2] [3] NAI SET (034)[/SIZE]
[SIZE=2] [4] INFORMATION[/SIZE]
[SIZE=2] [5] VBATT[/SIZE]
[SIZE=2] [6] THERMISTER[/SIZE]
[SIZE=2] [7] eHRPD e/disable[/SIZE]
[SIZE=2] [3] RF[/SIZE]
[SIZE=2] [1] CALIBRATION [/SIZE]
[SIZE=2] [2] COMMON [/SIZE]
[SIZE=2] [3] PCS [/SIZE]
[SIZE=2] [4] CDMA --> WLAN etc[/SIZE]
[SIZE=2] [5] GPS --> Nice![/SIZE]
[SIZE=2] [4] CONTROL --> Not tested![/SIZE]
[SIZE=2] [5] DEBUG SCREEN --> Not tested![/SIZE]
[SIZE=2] [6] SUSPEND (001) --> Not tested![/SIZE]
[SIZE=2] [7] TEST SYS(012) --> Not tested![/SIZE]
[SIZE=2] ---------------------------------------[/SIZE]
[SIZE=2] [3] LTE MAIN MENU [/SIZE]
[SIZE=2] [1] DEBUG SCREEN [/SIZE]
[SIZE=2] [2] LTE RF [/SIZE]
[SIZE=2] [3] Reserved --> <E>[/SIZE]
[SIZE=2] [4] BACKOFF PLMN TIMER (T3402) [/SIZE]
[SIZE=2] [4] SIM- Not Used. --> <E>[/SIZE]
[SIZE=2] [5] DOCOMO DEBUG SCREEN --> See Note (c)[/SIZE]
[SIZE=2] [6] run EFS SYNC() --> Not tested![/SIZE]
[SIZE=2] [7] DEBUG SCREEN --> Not tested![/SIZE]
Special Notes for the above:
Code:
[SIZE=2]// = The end point/window where the info is displayed
(This usually doesn't have a title.)
<E> = A "Dead End" that take you into an oo-loop page or back
to a locked *#0011# state.
(a) For accessing this sub-menu you may need to:
1. Unblock the KeyString file with:
echo -n "OFF" > /efs/FactoryApp/keystr
2. Enable the carrier HiddenMenu file with:
echo -n "ON" >/efs/carrier/HiddenMenu
3. Set the device shipping property: ro.product_ship=FALSE
(b) For "FTM" (Factory Test Mode) you probably need to set:
1. Enable the FactoryMode file with:
echo -n "ON" >/efs/FactoryApp/factorymode
2. Set the factory test property: ro.factorytest=1
(c) Not available for non-DOCOMO devices, need correct property(ies).
[/SIZE]
Some Useful Examples
Example-1: Removing SIM network lock
Code:
[SIZE=2]UMTS MAIN MENU[/SIZE]
[SIZE=2][1] DEBUG SCREEN.[/SIZE]
[SIZE=2][6] PHONE CONTROL.[/SIZE]
[SIZE=2][6] NETWORK LOCK[/SIZE]
[SIZE=2][3] PERSO SHA256 OFF[/SIZE]
[SIZE=2]Go Back to Main Menu[/SIZE]
[SIZE=2]UMTS MAIN MENU[/SIZE]
[SIZE=2][6] COMMON[/SIZE]
[SIZE=2][6] NV REBUILD.[/SIZE]
[SIZE=2][4] Restore Back-up.[/SIZE]
[SIZE=2]Reboot[/SIZE]
This has not been tested by me, since I don't use SIM locked providers.
So make sure you have a complete NANDroid backup of your phone in case something
goes wrong. I do not take any responsibility for damaged phone due to this procedure.
Please confirm if this method works for this phone.
This is bul****!
I don't see the possibility to do a simple "Boby, sit!"
You should be able to get into service mode directly by using the code *#27663368378#
Sent from my SCH-I435 using XDA Free mobile app
LTE BAND CONFIG CHECK don't work
[7] LTE BAND CONFIG CHECK
it still doesn't work after I -------------------------------------------------------
<E> = A "Dead End" that take you into an oo-loop page or back
to a locked *#0011# state.
(a) For accessing this sub-menu you need two things:
1. KeyString file unblocked: /efs/FactoryApp/keystr: "OFF"
2. Property: ro.product_ship=FALSE
--------------------------------------------------------------------------------------------
Actually I want to check if it support bands change. In China, CMCC seems to only support band41.
wiisixtyfour said:
You should be able to get into service mode directly by using the code *#27663368378#
Sent from my SCH-I435 using XDA Free mobile app
Click to expand...
Click to collapse
Doesn't work on GT-I9195
ladislav.heller said:
Doesn't work on GT-I9195
Click to expand...
Click to collapse
It works for me on the Verizon version. Make sure you set /efs/carrier/HiddenMenu to 'ON'.
Sent from my SCH-I435 using XDA Free mobile app
How to trigger the Nfc Test application?
Package name is com.sec.android.app.nfctest.
Decompiled NfcTestBroadcastReceiver.java file:
Code:
package com.sec.android.app.nfctest;
import android.content.*;
import android.net.Uri;
import android.nfc.NfcAdapter;
import android.util.Log;
// Referenced classes of package com.sec.android.app.nfctest:
// NfcTestMain
public class NfcTestBroadcastReceiver extends BroadcastReceiver
{
public NfcTestBroadcastReceiver()
{
}
public void onReceive(Context context, Intent intent)
{
String s = intent.getAction();
if(!s.equals("android.provider.Telephony.SECRET_CODE")) goto _L2; else goto _L1
_L1:
Intent intent1 = new Intent("android.intent.action.MAIN");
if(intent.getData().getHost().equals("[COLOR="Red"]6328378[/COLOR]"))
intent1.setClass(context, com/sec/android/app/nfctest/NfcTestMain);
intent1.setFlags(0x10000000);
context.startActivity(intent1);
_L4:
return;
_L2:
if("android.intent.action.BCS_REQUEST".equals(s))
{
Log.i("NfcTestBroadcastReceiver", "BCS_REQUEST receive");
if("AT+NFCVALUE".equalsIgnoreCase(intent.getStringExtra("command")))
{
NfcAdapter nfcadapter = NfcAdapter.getDefaultAdapter(context);
Log.i("NfcTestBroadcastReceiver", "AT+NFCVALUE!!!");
if(nfcadapter.isEnabled())
{
Log.i("NfcTestBroadcastReceiver", "NFC STATE ON!!!");
context.sendBroadcast((new Intent("android.intent.action.BCS_RESPONSE")).putExtra("response", "ON"));
} else
{
Log.i("NfcTestBroadcastReceiver", "NFC STATE OFF!!!");
context.sendBroadcast((new Intent("android.intent.action.BCS_RESPONSE")).putExtra("response", "OFF"));
}
}
}
if(true) goto _L4; else goto _L3
_L3:
}
}
Tried the secret code *#6328378# in phone dialer but nothing happened.
Update:
But it works from commandline:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://6328378
jmzwcn said:
[7] LTE BAND CONFIG CHECK
it still doesn't work after I ...Actually I want to check if it support bands change. In China, CMCC seems to only support band41.
Click to expand...
Click to collapse
Does you phone actually support LTE?
What model?
wiisixtyfour said:
It works for me on the Verizon version. Make sure you set /efs/carrier/HiddenMenu to 'ON'.
Click to expand...
Click to collapse
Thank you! Can you find out if there are there other files we should look out for. Can you post the output of "busybox ls -alR" for the /efs directory?
ladislav.heller said:
How to trigger the Nfc Test application?
Package name is com.sec.android.app.nfctest.
Decompiled NfcTestBroadcastReceiver.java file:
Tried the secret code *#6328378# in phone dialer but nothing happened.
Click to expand...
Click to collapse
Great Job! Thanks. BTW. "6328378" = "NFCTEST".
also see if there are some other related files in /efs/ that need to be "enabled".
Make sure to backup you EFS folder, and don't try to add delete files in there, it doesn't work as a normal directory... EFS is more like a solid part of memory. You can change values, but not the number of values (size).
E:V:A said:
Thank you! Can you find out if there are there other files we should look out for. Can you post the output of "busybox ls -alR" for the /efs directory?
Click to expand...
Click to collapse
Here is the output from that command on my SCH-I435:
Code:
.:
drwxrwxr-x root root 1969-12-31 15:00 .files
drwxrwxr-x system system 2013-11-09 01:57 FactoryApp
drwx------ system system 2012-12-31 16:00 U0BwJo4kmkmm-BgyzUZgoEY7pn8_
-rw------- radio radio 212 2013-12-01 16:25 apn-changes.xml
drwxr-xr-x radio radio 2013-11-09 01:49 bluetooth
drwxr-xr-x system system 2012-12-31 16:02 carrier
drwx------ system system 2012-12-31 16:00 drm
-rw------- system system 12 2013-11-09 01:58 gyro_cal_data
-rw-r--r-- root root 16 2012-12-31 16:00 h2k.dat
drwxrwxr-x radio radio 2013-11-09 01:49 imei
-rw------- root root 0 2014-05-01 11:17 log
drwx------ root root 1969-12-31 15:00 lost+found
drwxrwx--- radio system 2013-11-09 01:49 prov
drwx------ system system 2012-12-31 16:00 prov_data
drwxrwxr-x system system 2013-11-09 01:49 wifi
./.files:
drwxrwxr-x media system 1969-12-31 15:00 .dm33
drwxrwxr-x media system 1969-12-31 15:00 .dx1
drwxrwxr-x media system 1969-12-31 15:00 .mp301
./.files/.dm33:
./.files/.dx1:
./.files/.mp301:
./FactoryApp:
-rwxr--r-- system system 1 1970-01-01 15:00 baro_delta
-rw------- system system 5 2014-05-01 06:18 batt_cable_count
-rwxrwxr-x media system 2 2014-04-26 21:12 earjack_count
-rwxr--r-- system system 2 2013-11-09 01:49 factorymode
-rwxrwxr-x system radio 4 1969-12-31 15:00 fdata
-rwxrwxr-x system radio 0 2012-12-31 08:00 hist_nv
-rwxr--r-- system system 10 1970-01-01 15:00 hw_ver
-rwxr--r-- system system 2 2013-11-09 01:49 keystr
-rwxr--r-- system system 5 1970-01-01 15:00 prepay
-rwxr--r-- system system 11 1970-01-01 15:00 serial_no
-rwxrwxr-x system radio 270 2012-12-31 08:00 test_nv
./U0BwJo4kmkmm-BgyzUZgoEY7pn8_:
-rwx------ system system 1072 2012-12-31 16:00 qen2gEqW2A+OTDT0KpoESJiYnrk_
-rwx------ system system 1072 2012-12-31 16:00 zm0WY4lY7rpx3kcVTTDWeh8VFRU_
./bluetooth:
-rw-r--r-- radio radio 17 2013-11-09 01:49 bt_addr
./carrier:
-rwxr--r-- system system 2 2014-04-29 12:42 HiddenMenu
./drm:
drwx------ system system 2012-12-31 16:00 h2k
./drm/h2k:
drwx------ system system 2012-12-31 16:00 8tjfX-7nJB21LtUUWIMbdlUfZTU_
./drm/h2k/8tjfX-7nJB21LtUUWIMbdlUfZTU_:
-rwx------ system system 1072 2012-12-31 16:00 HAv-sOqL1pMh2jiAzRoeKCzAmhE_
-rwx------ system system 1072 2012-12-31 16:00 SNbX8rtYWzaqdrnXa79HbAt5OFM_
./imei:
-rwxrwxr-x radio radio 3 2013-12-23 03:38 mps_code.dat
./lost+found:
./prov:
-rw-rw---- radio system 0 2013-11-09 01:49 libdevkm.lock
./prov_data:
drwx------ system system 2013-11-09 01:49 G+8IRqTrHDIvQWyDjPjJkVB5u6o_
drwx------ system system 2012-12-31 16:00 bG5QQZ77nDjI2757PvvQ3rPPrVg_
./prov_data/G+8IRqTrHDIvQWyDjPjJkVB5u6o_:
-rwx------ system system 1072 2013-11-09 01:49 3mvhJJQ5lPk1G+yj67Y71hI3inI_
-rwx------ system system 1072 2013-11-09 01:49 I0jYBKhtBZN0Rru2UXWB+UZ7Vc0_
-rwx------ system system 1072 2013-11-09 01:49 MHkfmzQg-bRYZzQ4Dc1M+rgodfA_
-rwx------ system system 1072 2013-11-09 01:49 iaBl+cROT4fwHRANIx6tIUgBqSA_
-rwx------ system system 1072 2013-11-09 01:49 qOk21RBBYMeZqVYofK+oU09QG2o_
./prov_data/bG5QQZ77nDjI2757PvvQ3rPPrVg_:
-rwx------ system system 1072 2012-12-31 16:00 4OV1KOT1hf21qdU1tnH6b8mOYLI_
-rwx------ system system 1072 2012-12-31 16:00 CuWlydrYrNFsWwuO0IaVlUQVxEg_
-rwx------ system system 1072 2012-12-31 16:00 gh8lZ2gd7MCgXAgHEgG7apFzmR0_
-rwx------ system system 1072 2012-12-31 16:00 pYEZlsu8egNLf3z5mqguGPyhE2Q_
-rwx------ system system 1072 2012-12-31 16:00 z-yiAOMWDX7wyfLCg5VIl-fyXus_
./wifi:
-rw------- system system 17 2013-11-09 01:49 .mac.cob
-rw-rw-r-- system system 17 2013-11-09 01:49 .mac.info
E:V:A said:
Great Job! Thanks. BTW. "6328378" = "NFCTEST".
also see if there are some other related files in /efs/ that need to be "enabled".
Make sure to backup you EFS folder, and don't try to add delete files in there, it doesn't work as a normal directory... EFS is more like a solid part of memory. You can change values, but not the number of values (size).
Click to expand...
Click to collapse
The NFC test did not work for me either but I am not sure if anything else in EFS should be changed.
Sent from my SCH-I435 using XDA Free mobile app
@wiisixtyfour : Can you edit your post and wrap that output in "CODE" tags (the # icon in advanced editor) please. It formats much better and thus easier to read.
E:V:A said:
@wiisixtyfour : Can you wrap that output in "CODE" tags (the # icon in advanced editor) please.
Click to expand...
Click to collapse
Yeah, sorry I'm on the XDA app and it doesn't have all the tags.
Sent from my SCH-I435 using XDA Free mobile app
my model is i9195
i9195 BTU,have rooted
wiisixtyfour said:
The NFC test did not work for me either but I am not sure if anything else in EFS should be changed.
Click to expand...
Click to collapse
Yeah, not sure what they did, but you can play with the other properties, but first try this:
Code:
[SIZE=2]echo -n "OFF" >/efs/FactoryApp/keystr
echo -n "ON" >/efs/FactoryApp/factorymode
echo -n "ON" >/efs/carrier/HiddenMenu
[/SIZE]
(You may also need to chmod these files before changing. And don't forget to change back after your done playing. It could be that factory mode disables some network functionality.)
Second, all the codes I mentioned in OP, are normally entered by "*#<code>#*", but some phones require this: "*#*#<code>#*#*" before working, so try that as well.
PreConfig application can be started using following command:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://83052020100812173552301071192687
Serial number, FCC ID and logo screen:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://737425
heres one for the sch-i435 users
ladislav.heller said:
Serial number, FCC ID and logo screen:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://737425
Click to expand...
Click to collapse
So im on att currently and had not been happy with the lack of lte due to this being a verizon branded phone (hspa+ was getting me 4.5 mbps at best ,which I owe major thanks to this thread for even getting me that far ) so after tearing through stacks of codes listed in the android manifest xml files attached to he system keystring apps and such (many of which I couldnt get to do much of anything ) I found one that I havent seen listed that goes Into some ims and lte functions which got me 11.5-12+ mbps ranges pretty darn consistantly. The hiddenkeystring for me is ( *#467# ) I am not saying these are great lte speeds but quite a bit better than I was pulling down before and as I said quite consistantly. Hope this helps
oh also I forgot to mention also gives some nice choices for native flash media as well as some various codecs for audio. oh and some tethering options kindof nice as I had recently lost the ability to hotspot and couldnot find a workaround app that was successful. Dam one other set of options regarding the e-9 won won stuff as far as the network I guess maybe
dp929 said:
...The hiddenkeystring for me is ( *#467# ) ...
Click to expand...
Click to collapse
That doesn't work for the 9195, although they seem very similar.
What's your stock ROM and MODEM FW? Perhaps some getprops please.
@dp929 Can you post a screenshot?
Does anyone know how to stop the fm radio from asking for headphones?
I know it uses it as antenna but with an older samsung phone I disabled it, I just don't remember how, and the reception wasn't that bad
thanks
Hi,
i just rooted my Fire TV 1 (version 51.1.4.0) via dirtycow, and I wanted to share my experience. (Unfortunately I cannot post external Links here)
Dirtycow allows you to write to files, even if you have no permission to do so. Unfortunately there is no binary on the system with the suid bit set, so I could not replace this binary. (Other attempts on other Android devices replaced the run-as binary. This is not possible here). Another problem was, that the modification only last for the current boot, so I could not just modify boot scripts. I had to find a binary, that is executed as root while the system is running, preferably on demand. This binary is ip. Every time one modifies the network settings in the Fire TV gui, ip is executed as root. Yay. With that in mind, I replaced ip with a shell script, that deploys the su binary.
This is what I did:
I compiled the dirtycow.c from timwr GitHub Repository CVE-2016-5195
Then I put the resulting binary into /data/local/tmp on my Firetv (via adb)
Now I pushed chainfires su binary to /data/local/tmp
I copied the /system/bin/ip binary to /data/local/tmp
I wrote this shell script, pushed it to /data/local/tmp and marked it executable (755)
Code:
#!/system/bin/sh
mount -o remount,rw /system
cp /data/local/tmp/su /system/xbin
chmod 4755 /system/xbin/su
/data/local/tmp/ip "[email protected]"
After that, I used dirtycow to replace ip with my new ip script (./dirtycow /system/bin/ip ip_script) [This may take a while]
Now I went to my network settings of my Fire TV and changed them to a static ip address.
I reconnected to my amazon Fire tv and typed su
Code:
[email protected]:/ $ su
[email protected]:/ #
Lastly I installed the Supersu.apk from chainfire
Root seems to work with the adb shell and the terminal app. Somehow it does not with amaze file manager. If I start it I get thrown into the amazon fire ui.
This rooting method should also work for other versions of the fireOS, though I have not tested them.
Can you downgrade with being in the root state?
sconnyuk said:
Can you downgrade with being in the root state?
Click to expand...
Click to collapse
Yes. After rooting, I downgraded to 5.1.0.2 and did a full bootloader unlock. I am now running a rooted 5.2.1.1
christofsteel said:
Yes. After rooting, I downgraded to 5.1.0.2 and did a full bootloader unlock. I am now running a rooted 5.2.1.1
Click to expand...
Click to collapse
Will have to try this for fire stick.
Excellent find, ive been watching the dirtycow and this will come in handy if it works for fire stick.
sconnyuk said:
Will have to try this for fire stick.
Excellent find, ive been watching the dirtycow and this will come in handy if it works for fire stick.
Click to expand...
Click to collapse
Please report back
I think it is important to note, that I configured a static ip address to trigger the ip script. Root is permanent btw. as soon as the su binary is deployed, you can reboot all you like.
firetv have selinux? what version linux is it?
christianrodher said:
firetv have selinux? what version linux is it?
Click to expand...
Click to collapse
I thought I read somewhere, that FireOS 5 had SELinux. I could not check, because I still ran FireOS 3. Seems like it does not have SELinux. I will remove the remark from my initial post.
christofsteel said:
I thought I read somewhere, that FireOS 5 had SELinux. I could not check, because I still ran FireOS 3. Seems like it does not have SELinux. I will remove the remark from my initial post.
Click to expand...
Click to collapse
can you double check if sepolicy is present or something similar?
christianrodher said:
can you double check if sepolicy is present or something similar?
Click to expand...
Click to collapse
Ok. In my FireOS version 5.2.1.1 there is SELinux activated and enforcing. In FireOS version 51.1.0.4 there was none. But I do not know if that hinders the rooting process.
christofsteel said:
Ok. In my FireOS version 5.2.1.1 there is SELinux activated and enforcing. In FireOS version 51.1.0.4 there was none. But I do not know if that hinders the rooting process.
Click to expand...
Click to collapse
ok so when you do the exploit u where at selinux enforcing.... ok if is that simple after weve been working our asses here https://github.com/timwr/CVE-2016-5195/issues/9 im going to break the pc and the cell phone lol
@christianrodher No worries, I doubt this is the universal solution! I think it's that the TV runs `ip` with a really lenient SELinux context for some stupidly weird reason.
christianrodher said:
ok so when you do the exploit u where at selinux enforcing.... ok if is that simple after weve been working our asses here https://github.com/timwr/CVE-2016-5195/issues/9 im going to break the pc and the cell phone lol
Click to expand...
Click to collapse
No I did the exploit on my FireOS version 51.1.0.4. Afaik there was no SELinux present. SELinux is present in FireOS version 5.2.1.1. I can test, if this exlploit works on my now updated Fire TV.
Edit: It did not work I could not mount system read write. Seems like it only works for FireOS 3
Really tried to get this to work. I think I'm close. I saw SELinux complain about the file size so I did some padding. Here's where I'm at
187594885]
I/Kernel ( 163): [ 1503.059370] (0)[163:healthd]healthd: battery l=100 v=4200
t=2.2 h=2 st=5 chg=u
W/linker (10431): ./dirtycow: unused DT entry: type 0x6ffffffe arg 0x600
W/linker (10431): ./dirtycow: unused DT entry: type 0x6fffffff arg 0x1
I/exploit (10431): size 223296
I/exploit (10431):
I/exploit (10431): [*] mmap 0xf7546000
I/exploit (10431): [*] exploit (patch)
I/exploit (10431): [*] currently 0xf7546000=464c457f
I/exploit (10431): [*] madvise = 0xf7546000 223296
I/Kernel ( 0): [ 1509.432532]-(2)[0:swapper/2]CPU2: Booted secondary process
or
I/Kernel ( 0): [ 1509.437302]-(3)[0:swapper/3]CPU3: Booted secondary process
or
I/Kernel ( 87): [ 1509.437743] (0)[87:hps_main][HPS] (0004)(1)(0)action end(2
7)(35)(0)(2) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (6)(230)(0) (0)(0)(0) (0)(6)(230)(0)
(6)
I/exploit (10431): [*] madvise = 0 1048576
I/Kernel ( 0): [ 1511.439231]-(1)[0:swapper/1]CPU1: Booted secondary process
or
I/Kernel ( 87): [ 1511.440339] (0)[87:hps_main]CPU3: shutdown
I/Kernel ( 87): [ 1511.440873] (0)[87:hps_main][HPS] (0800)(1)(2)action end(1
05)(102)(0)(1) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (105)(10)(0) (1666)(10)(0) (0)(102
)(10)(0)(102)
I/exploit (10431): [*] /proc/self/mem -1048576 1048576
I/exploit (10431): [*] exploited 0xf7546000=464c457f
I/art ( 501): Background partial concurrent mark sweep GC freed 256902(12MB
) AllocSpace objects, 15(2MB) LOS objects, 33% free, 20MB/31MB, paused 690us tot
al 136.802ms
E/WifiStateMachine( 501): WifiStateMachine CMD_START_SCAN source -2 txSuccessRa
te=50.64 rxSuccessRate=38.79 targetRoamBSSID=58:6d:8f:09:b7:37 RSSI=-39
E/WifiStateMachine( 501): WifiStateMachine L2Connected CMD_START_SCAN source -2
93, 94 ignore because P2P is connected
I/Kernel ( 87): [ 1513.438566] (0)[87:hps_main]CPU2: shutdown
I/Kernel ( 87): [ 1513.439651] (0)[87:hps_main][HPS] (0400)(2)(1)action end(7
)(4)(0)(0) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (7)(10)(0) (288)(10)(0) (0)(4)(10)(0)(
4)
I/Kernel ( 87): [ 1515.438476] (0)[87:hps_main]CPU1: shutdown
I/Kernel ( 87): [ 1515.439146] (0)[87:hps_main][HPS] (0200)(2)(0)action end(4
)(3)(0)(0) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (4)(10)(0) (46)(10)(0) (0)(3)(10)(0)(3
)
I/Kernel ( 119): [ 1521.197537] (0)[119:wdtk-0]wdk: [WDK], local_bit:0x1, cpu:
0, check_bit:0x1, RT[1521197519702]
I/Kernel ( 119): [ 1521.197575] (0)[119:wdtk-0]wdk: [WDK]: kick Ex WDT,RT[1521
197568471]
E/WifiStateMachine( 501): WifiStateMachine CMD_START_SCAN source -2 txSuccessRa
te=3.98 rxSuccessRate=3.61 targetRoamBSSID=58:6d:8f:09:b7:37 RSSI=-39
E/WifiStateMachine( 501): WifiStateMachine L2Connected CMD_START_SCAN source -2
94, 95 ignore because P2P is connected
^C
C:\Program Files (x86)\Minimal ADB and Fastboot>
130|[email protected]:/data/local/tmp $ getenforce
Enforcing
130|[email protected]:/data/local/tmp $ getenforce
Enforcing
I have an AFTV2 running latest firmware. I also noticed chainfires su binary i had was 32bit so I grabbed a 64bit one. Still no dice
[email protected]:/data/local/tmp $ ls -la
-rwxrwxrwx shell shell 13776 2016-10-31 17:43 dirtycow
-rwxrwxrwx shell shell 223296 2016-10-31 18:27 ip
-rwxrwxrwx shell shell 223296 2016-10-31 19:48 ip_script
-rwxrwxrwx shell shell 108480 2016-10-31 19:39 su
[email protected]:/data/local/tmp $
Hopes this helps someone
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
VastVenomm said:
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
Click to expand...
Click to collapse
you need to extract the SU binary file from Supersu. apk
I ran:
./dirtycow /system/bin/ip ip_script
I marked the scripts as 755 as well.
Error:
/system/bin/sh: ./dirtycow: not executable: 64-bit ELF file.
I also tried compiling dirtycow as 32bit. And got:
/system/bin/sh: ./dirtycow: not executable: 32-bit ELF file.
Help would be appreciated, thank you.
Do you save the shell script as ip_script.sh?
Sent from my SM-G920P using Tapatalk
VastVenomm said:
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
Click to expand...
Click to collapse
You do not need to extract the binary from the SuperSU.apk, rather download the zip from here: https://download.chainfire.eu/696/supersu/
Then extract the zipfile and copy the su file from the arm folder.
Edit: I think it would not work because FireOS > 5.2.0.0 has SELinux activated. This method does not seem to work with SELinux.
VastVenomm said:
I ran:
./dirtycow /system/bin/ip ip_script
I marked the scripts as 755 as well.
Error:
/system/bin/sh: ./dirtycow: not executable: 64-bit ELF file.
I also tried compiling dirtycow as 32bit. And got:
/system/bin/sh: ./dirtycow: not executable: 32-bit ELF file.
Help would be appreciated, thank you.
Click to expand...
Click to collapse
You compiled the source to x86 code. You need to compile dirtycow with a compiler for arm. I recommend using androids ndk.
I still got 5.0.5.1 on my FTV1. Is there a chance that I might get root using the dirtycow exploit?
christofsteel said:
You do not need to extract the binary from the SuperSU.apk, rather download the zip from here: https://download.chainfire.eu/696/supersu/
Then extract the zipfile and copy the su file from the arm folder.
Edit: I think it would not work because FireOS > 5.2.0.0 has SELinux activated. This method does not seem to work with SELinux.
You compiled the source to x86 code. You need to compile dirtycow with a compiler for arm. I recommend using androids ndk.
Click to expand...
Click to collapse
Rename apk to zip and extract su no diffence from what I posted.
Thanks to @kryz who managed to generalize the Dirty Cow exploit, XT1028 now has a way to get temporary root : link. Notice that the /system will still be read-only, but at least full access to /data is available. Given the state of XT1028, this looks like a pretty good progress!
Steps to get temp root (in Lollipop):
1) install Croowt.apk, use the 2nd option in the menu : "Get root"
2) install SuperSu apk from the playstore (don't update the binary)
3) install RootChecker apk from the playstore
4) enjoy temporary root (until hard reboot)
The earlier post for Android 4.4.4:
For all KitKat holdouts, I've tried to use Dirty Cow and got temp root. Could work on other Android versions as well. Now, at least this root one does not seem to crash as much (unlike Kingroot). Here is a brief set of steps. First, download this package:
https://mega.nz/#!LFlBRAhS!rDl7PJMkFq7HqUDDgbKV6ddv-C3qkQIJl_CJkhkx2sc
Then
Code:
adb push dirtycow /data/local/tmp
adb push cow-execute /data/local/tmp
adb shell
cd /data/local/tmp
chmod 0777 *
[email protected]_cdma:/data/local/tmp $ ./dirtycow /system/bin/run-as ./cow-execute
bin/run-as ./cow-execute <
warning: new file size (13728) and file old size (9432) differ
size 13728
[] mmap 0xb6e64000
[] exploit (patch)
[] currently 0xb6e64000=464c457f
[] madvise = 0xb6e64000 13728
[] madvise = 0 1048576
[] /proc/self/mem 0 1048576
[] exploited 0xb6e64000=464c457f
[email protected]_cdma:/data/local/tmp $ run-as -exec id
run-as -exec id
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
Executing: 'id' with 0 arguments
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),10
15(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net
_bw_stats) context=u:r:runas:s0
[email protected]_cdma:/data/local/tmp $ run-as -exec sh
run-as -exec sh
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
Executing: 'sh' with 0 arguments
[email protected]_cdma:/data/local/tmp #
Not sure how much one can do here without bootloader unlock though ...
Tried it on my Cricket Wireless XT1045 which has been stuck on 4.4.4 without any kind of root for a while now and it worked as shown in your post. Hopefully it'll be a stepping stone to some more permanent kind of root, maybe even something that can be used with Sunshine to unlock the bootloader.
linuxgator said:
Tried it on my Cricket Wireless XT1045 which has been stuck on 4.4.4 without any kind of root for a while now and it worked as shown in your post. Hopefully it'll be a stepping stone to some more permanent kind of root, maybe even something that can be used with Sunshine to unlock the bootloader.
Click to expand...
Click to collapse
Try this, see if you can copy su binary to system (it will disappear after reboot) :
http://android.stackexchange.com/questions/127230/android-adb-has-root-access-but-no-su-binary
Then soft reboot to make it work, in root shell type :
killall zygote
The hope is to get you SuperSu (until next reboot). I believe we are probably back to where these phones were with the old Pie exploit:
http://forum.xda-developers.com/moto-x/orig-development/root-4-4-x-pie-motorola-devices-t2771623
Kingroot used to be able to make a fake copy of itself into /system which disappeared soon after.
I have this stupid Watcher on my phone, and don't want to try these other steps since I don't want it to kill my corporate email ...
Updated with the new Lollipop instructions!
@linuxgator
Nice link down
@bibikalka any chance you can post the kitkat version again?
[audio.dolby.ds2.enabled]: [true]
this is what i found after firing getprop command in termux.
can someone explain what is it..
Hello everyone!
Today I am publishing my second program!
It's called...
the...
Windows 10 Mobile Installer!!!
Version 1.0!!!
It's easy to use!
It will be constantly updated via this forum!
It comes as .wim package
Extract it and you will find another .wim package
Extract it too and you will find a folder called W10M_Installer !
WARNING! COPY THE FOLDER W10M_Installer TO THE C: DRIVE!!! OTHERWISE THE PROGRAM WILL FAIL TO FIND THE PACKAGES!!!!!
Now after copying the folder to the C: Drive, open it
Open the W10M_Installer.exe as administrator!
Click "List of devices"
Find your model in there
for ex. I have an Lumia 925
so I should write the following package name in the text field:
Lumia920T,925T,928,1020 - DON'T WORRY!! IF THERE IS A (T) THERE IT MEANS THAT IT'S ALSO COMPATIBLE
WITH THE T VERSION!!!
After that click START
Firstly it will detect your device
Then it will prompt - "If you see your device, click 1, if not, reconnect your device and press 2"
If you press 2 it will retry to detect your device
Once it detects you should press 1
and it will start updating!
WARNING! YOUR DEVICE FIRMWARE VERSION SHOULD BE 8.10.14219 OR LATER OTHERWISE THE PROGRAM WILL FAIL TO INSTALL THE UPGRADE!
After finishing the upgrade, it will prompt you
"If the upgrade succeed and now your phone is running Windows 10 Mobile then press 1, if not make sure you are running Lumia Denim (8.10.14219 or later) or upgrade to Lumia Denim and press 2 to restart the upgrade! "
If the upgrade succeeds and you press 1, it will install IME packages, as the update packages have broken IME!
(Bug from Win10 Mobile Update offline package V4.1)
If you see an error, don't worry it's all normal!
Press any key to exit
And delete all keyboards from your Lumia, except English (US)!
Now install Interop Tools and modify the registry to update to a later version of Windows 10 Mobile!
After upgrade the IME error will be fixed!
THIS PROGRAM USES FILES FROM Win10 Mobile Offline Update Package v4.1 published by hikari_calyx! THIS PROGRAM ALSO USES IUTOOLS by Microsoft Corp.
WARNING! THIS PROGRAM IS MADE FOR LUMIAS ONLY!!!!
For help you can click "HELP" button in the program!
Version 1.1 Update!
[FIXED] IME patch not installing after finishing update
[FIXED] detect.exe requires PRO subscription
Here's the download link
https://mega.nz/#!gR4lTYzB!ptxTakr3klj-EFdpHCR6LZDhLwKV9ETdpikp7865hWc
detect.exe error
It looks like you get a message saying it was made with an unlicensed compiler. So, it's not working yet.
C--Dog said:
It looks like you get a message saying it was made with an unlicensed compiler. So, it's not working yet.
Click to expand...
Click to collapse
Well.... Now I have fixed it!
You just need to redownload again!
Please donate to me, if you like my work and want just to support! I will be very happy! Here's the credit card number where to donate to: 4890494450664545. Thank you very much for your support![/SIZE]
This works for Lumia 520 (RM-915)?
TBM 13 said:
This works for Lumia 520 (RM-915)?
Click to expand...
Click to collapse
Yes!
All compatible devices will be available in the program
I'm on lumia 520 and started the update, he copied 132 files and now is stopped for 30 minutes on the word "update started" .... what should I do?
Angyone1 said:
I'm on lumia 520 and started the update, he copied 132 files and now is stopped for 30 minutes on the word "update started" .... what should I do?
Click to expand...
Click to collapse
The phone should restart and show you spinning gears, WAIT AND DO NOT DISCONNECT YOUR DEVICE! IT WILL TAKE 1 HOUR OR MORE TO COMPLETE!
I really need this.. Thankyou so much
gmirz2005 said:
The phone should restart and show you spinning gears, WAIT AND DO NOT DISCONNECT YOUR DEVICE! IT WILL TAKE 1 HOUR OR MORE TO COMPLETE!
Click to expand...
Click to collapse
yep.... finally 3 hours later has finish.... lol
thanks
Angyone1 said:
yep.... finally 3 hours later has finish.... lol
thanks
Click to expand...
Click to collapse
ovinitas said:
I really need this.. Thankyou so much
Click to expand...
Click to collapse
I need this too!
kjjjjj
help me!!
When I connect my Lumia cell phone to my computer, I get a message that an Android device was detected and I can not restore it to Window Phone. Can someone help me?
Not detect Nokia 1320
Hi,
Program does not detect the cell phone...detect.exe?
I write cell type Nokia 1320, and nothing happens?
mic5463 said:
Hi,
Program does not detect the cell phone...detect.exe?
I write cell type Nokia 1320, and nothing happens?
Click to expand...
Click to collapse
You may check the list of supported devices
Yes, Lumia 1320 is on check list.
Windows Device Recovery Tool, normal find phone.
:good::good:
mic5463 said:
Yes, Lumia 1320 is on check list.
Windows Device Recovery Tool, normal find phone.
Click to expand...
Click to collapse
Then the problem is in your device's connection with your computer (ex. Cable damaged, drivers are not installed)
Please check that all the drivers are installed by downloading Windows Device Recovery Tool (if you haven't downloaded it yet)
And also check the data connection of the phone and PC (maybe the cable is damaged)
930 crapy phone
Hey, I am trying 3rd day to upgrade from windows 8.1 to 10, most of the time I am downloading Gigabites of ****....
Can anyone simply answer: Is there a posibility to update Lumia 930?
I tried WPinternals to unlock bootloader, and found out that it is not supporting 930.
I tried this solution also, but it just fails no matter what i do.
Code:
STEP 1! Detecting the device!
MAKE SURE YOU HAVE CONNECTED YOUR DEVICE PROPERLY!
(IUTool Version: 11:52:10/Feb 7 2014)
Log file: C:\Users\zlq\AppData\Local\Temp\IUTool-{299338D7-E9AD-4D02-BD74-B341894FDEEF}.etl
Serial: f794abe740331d0e650d4f5f639ac41c
Friendly Name: Windows Phone
Manufacturer: NOKIA
Model: Lumia 930
Command executed successfully.
(IUTool Version: 11:52:10/Feb 7 2014)
Log file: C:\Users\zlq\AppData\Local\Temp\IUTool-{299338D7-E9AD-4D02-BD74-B341894FDEEF}.etl
Serial: f794abe740331d0e650d4f5f639ac41c
Friendly Name: Windows Phone
Manufacturer: NOKIA
Model: Lumia 930
Command executed successfully.
(IUTool Version: 11:52:10/Feb 7 2014)
Log file: C:\Users\zlq\AppData\Local\Temp\IUTool-{299338D7-E9AD-4D02-BD74-B341894FDEEF}.etl
Serial: f794abe740331d0e650d4f5f639ac41c
Friendly Name: Windows Phone
Manufacturer: NOKIA
Model: Lumia 930
Command executed successfully.
(IUTool Version: 11:52:10/Feb 7 2014)
Log file: C:\Users\zlq\AppData\Local\Temp\IUTool-{299338D7-E9AD-4D02-BD74-B341894FDEEF}.etl
Serial: f794abe740331d0e650d4f5f639ac41c
Friendly Name: Windows Phone
Manufacturer: NOKIA
Model: Lumia 930
Command executed successfully.
If your device has been detected then press 1, if not then reconnect your device and press 2 : 1
STEP 2! Updating the device!
(IUTool Version: 11:52:10/Feb 7 2014)
Log file: C:\Users\zlq\AppData\Local\Temp\IUTool-{299338D7-E9AD-4D02-BD74-B341894FDEEF}.etl
ERROR: Bad parameters
Command-Line Usage:
Command lines
-?
-p path [-s name] [-n name] [-m manufacturer] [-t model] [-a] [-v] [-V]
-l
Options
-? Show list of commands and usage
-V show VERY detailed progress messages
-a update all connected devices in parallel
-l list the connected devices
-m the phone's manufacturer
-n the phone's friendly name
-p directory path or semicolon-delimited list of package paths
-s the phone's serial number
-t the phone's type (model name)
-v show detailed progress messages
Install update files onto a device.
Command failed. (HRESULT = 0x80dd0001)
If the update has completed and your device is now running Windows 10 mobile then click 1! If you see error code 0x80188306, it means that your device is not running needed operating system! Update your Lumia to Denim and type 2 to restart operation! :
Code:
Update completed!
PART 3! Installing fixes!
(IUTool Version: 11:52:10/Feb 7 2014)
Log file: C:\Users\zlq\AppData\Local\Temp\IUTool-{299338D7-E9AD-4D02-BD74-B341894FDEEF}.etl
[1] Started device f794abe740331d0e650d4f5f639ac41c
[1] Transferring files started
[1] Transferred file 1/70
[1] Transferred file 2/70
[1] Transferred file 3/70
[1] Transferred file 4/70
[1] Transferred file 5/70
[1] Transferred file 6/70
[1] Transferred file 7/70
[1] Transferred file 8/70
[1] Transferred file 9/70
[1] Transferred file 10/70
[1] Transferred file 11/70
[1] Transferred file 12/70
[1] Transferred file 13/70
[1] Transferred file 14/70
[1] Transferred file 15/70
[1] Transferred file 16/70
[1] Transferred file 17/70
[1] Transferred file 18/70
[1] Transferred file 19/70
[1] Transferred file 20/70
[1] Transferred file 21/70
[1] Transferred file 22/70
[1] Transferred file 23/70
[1] Transferred file 24/70
[1] Transferred file 25/70
[1] Transferred file 26/70
[1] Transferred file 27/70
[1] Transferred file 28/70
[1] Transferred file 29/70
[1] Transferred file 30/70
[1] Transferred file 31/70
[1] Transferred file 32/70
[1] Transferred file 33/70
[1] Transferred file 34/70
[1] Transferred file 35/70
[1] Transferred file 36/70
[1] Transferred file 37/70
[1] Transferred file 38/70
[1] Transferred file 39/70
[1] Transferred file 40/70
[1] Transferred file 41/70
[1] Transferred file 42/70
[1] Transferred file 43/70
[1] Transferred file 44/70
[1] Transferred file 45/70
[1] Transferred file 46/70
[1] Transferred file 47/70
[1] Transferred file 48/70
[1] Transferred file 49/70
[1] Transferred file 50/70
[1] Transferred file 51/70
[1] Transferred file 52/70
[1] Transferred file 53/70
[1] Transferred file 54/70
[1] Transferred file 55/70
[1] Transferred file 56/70
[1] Transferred file 57/70
[1] Transferred file 58/70
[1] Transferred file 59/70
[1] Transferred file 60/70
[1] Transferred file 61/70
[1] Transferred file 62/70
[1] Transferred file 63/70
[1] Transferred file 64/70
[1] Transferred file 65/70
[1] Transferred file 66/70
[1] Transferred file 67/70
[1] Transferred file 68/70
[1] Transferred file 69/70
[1] Transferred file 70/70
[1] Transferring files complete: 70 files
[1] Update started
[1] Installation failed (HRESULT = 0x80188302)
[1] Failed (0x80188302)
ERROR: 0x80188302
Command failed. (HRESULT = 0x80188302)
(IUTool Version: 11:52:10/Feb 7 2014)
Log file: C:\Users\zlq\AppData\Local\Temp\IUTool-{299338D7-E9AD-4D02-BD74-B341894FDEEF}.etl
[1] Started device f794abe740331d0e650d4f5f639ac41c
[1] Transferring files started
[1] Transferred file 1/1
[1] Transferring files complete: 1 file
[1] Update started
[1] Installation failed (HRESULT = 0x801882c2)
[1] Failed (0x801882c2)
ERROR: 0x801882c2
Command failed. (HRESULT = 0x801882c2)
Done!
Don't worry if you see an error
Now do the following instructions!
1.Open Settings
2.Navigate to Time
'Language' is not recognized as an internal or external command,
operable program or batch file.
3.Remove all keyboards except English (US)
4. Reboot your device
UPDATED SUCCESSFULLY!
Press any key to exit
Press any key to continue . . .