As promised, I’m starting the “Hack The One” cycle. The first chapter is an analysis of what people have already found out about its internals.
So, after over half a year of non-usage I’ve factory-reset my Nokia 1 (TA-1047) and run through the whole chain of firmware updates to finally get the most recent stock system. Meanwhile, I collected quite a bit of information from different forums.
Most promising aspects are:
- Unlockable fastboot (see below).
- Allegedly working TWRP build installable or bootable via unlocked fastboot.
Most visible obstacles are:
- Inability to install stock updates with modified system/recovery images.
- Faildows-only SP FlashTool and NVRAM manipulation tooling like MauiMETA.
- No engineering menu app in the firmware.
- Stock recovery is just missing (the opened Android image with the “No command” string).
Known codes (besides `*#06#`, of course):
- `*#*#INFO#*#*` - standard Android secret menu;
- `*#*#372733#*#*` - FQC test menus.
Further material in this article and other posts of this series assumes that you have ADB, Fastboot and a brain.
The procedure to unlock fastboot (which is your only interface for partition manipulation if you are not on Faildows) is a bit harder than for other MediaTeks. But the way to do this is pretty much official. The only things to beware of are that it:
- wipes your data (performs pretty much another factory reset);
- adds a nagging bootscreen message like this:
Anyway, the process consists of the following steps:
0. Enable the developer menu by going to Settings - System - About phone and tapping 7 times on the “Build number” item. Now go one level back and the “Developer options” menu should appear in Settings - System.
1. In the “Developer options” menu, enable the “OEM unlocking” switch. Tap “Enable” on the warning popup. This will enable the `fastboot oem unlock` command.
2. In the “Developer options” menu, enable the “USB debugging” switch. Tap “OK” on the warning popup. This will enable ADB. You can also uncheck the “Verify apps over USB” switch.
3. Connect the phone in the unlocked state and run `adb devices`. Accept the authorization. The `adb devices` output should show a string starting with `FRTBA...`. That’s your device serial number, which you’ll need in the next step.
4. Calculate the OEM key by taking the MD5 hash of the serial number. That can be done in different ways and produce different results (hashing the serial with a trailing newline gives a different digest), so here’s the correct command to calculate it: `echo -n [your_serial] | md5sum | cut -d ' ' -f1`. E.g. the command `echo -n FRTBA81106006136 | md5sum | cut -d ' ' -f1` would give
5. Reboot the phone to fastboot mode by running `adb reboot bootloader`.
6. Enter the key calculated in step 4 by running `fastboot oem key [your_key]`, e.g. `fastboot oem key a0f0f9456ec031d39fcc9d47600128f8`.
7. Finally, run `fastboot oem unlock`. When it prompts you to press Volume Up, just press it. If no prompt appears, replug the cable and try this step again.
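Steps 3 to 7 wrapped into a small POSIX shell helper, as an added example that is not part of the original post: it pulls the `FRTBA...` serial out of `adb devices`, derives the key with the same MD5 pipeline (showing why the trailing newline must be dropped), validates it, and only touches the phone when started with `--run`. It assumes `adb`, `fastboot`, `md5sum` and `awk` on PATH; the serial in the self-check is the one quoted in the post.

```shell
#!/bin/sh
# Added example: Nokia 1 (TA-1047) OEM key derivation and unlock helper.
# Assumes adb and fastboot are on PATH. Nothing talks to the phone unless
# the script is started with --run; the rest runs offline.

# Extract the first authorized serial (starting with FRTBA) from
# `adb devices` output passed on stdin.
parse_serial() {
    awk 'NR > 1 && $2 == "device" && $1 ~ /^FRTBA/ { print $1; exit }'
}

# OEM key = MD5 of the bare serial. printf '%s' behaves like echo -n:
# hashing "serial\n" instead yields a different digest, which is the
# "different results" trap from step 4.
oem_key() {
    printf '%s' "$1" | md5sum | cut -d ' ' -f1
}

# Sanity check before handing anything to fastboot: 32 lowercase hex chars.
is_valid_key() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Steps 3-7: serial -> key -> fastboot oem key -> fastboot oem unlock.
unlock_nokia1() {
    serial=$(adb devices | parse_serial)
    [ -n "$serial" ] || { echo "no authorized FRTBA device found" >&2; return 1; }
    key=$(oem_key "$serial")
    is_valid_key "$key" || { echo "unexpected key format: $key" >&2; return 1; }
    echo "serial=$serial key=$key"
    adb reboot bootloader
    fastboot oem key "$key"      # both fastboot commands should answer OKAY
    fastboot oem unlock          # press Volume Up on the phone when asked
}

# Offline self-check on constructed `adb devices` output (sample, not a real capture).
sample_serial=$(printf 'List of devices attached\nFRTBA81106006136\tdevice\n' | parse_serial)
echo "sample serial: $sample_serial, key: $(oem_key "$sample_serial")"

if [ "${1:-}" = "--run" ]; then
    unlock_nokia1
fi
```

Note that the whole "secret" is derived from a value every authorized ADB session can read, so OEM unlocking on this device is gated by the user's consent in Developer options, not by the key itself.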
On the PC side, both commands from steps 6 and 7 should respond with something like `OKAY`. Then you should reboot with `fastboot reboot` and complete the initial system setup after this factory reset. Then you’ll have to re-enable the developer menu and ADB as described in steps 0 and 2.
But afterwards, when you reboot into the bootloader with `adb reboot bootloader`, you’ll be able to use commands like `fastboot boot` and
Unfortunately, the TWRP build I shared is not bootable with `fastboot boot twrp323.img`, as it just leads to a crash and a reboot to normal mode. I’ll probably have to try this with an SD card inserted and see if the behavior is any different.
This is something that needs to be researched in the next chapter. From the general information I managed to collect, there are two primary interfaces: `/dev/radio/atci1` for SIM1 and `/dev/radio/atci2` for SIM2. Of course, these interfaces are only available from the root shell, and we don’t have any way to achieve temporary root on Nokia 1 yet. However, MTK Engineer mode in the OEM handsets somehow manages to work without root permissions. And this leak just proves the way really exists; we just need to highlight the essential code, which, in my humble and honest opinion, is:
private static final int EVENT_AT_CMD_DONE = 1003;
This means several things to us:
- CdsInfo has restrictions on running the very command we’re interested in (starting with `AT+EGMR=1`) in the user build. For our case, this means we are lucky that this restriction is imposed at such a high level.
- The necessary call is the `invokeOemRilRequestRaw` method of a `Phone` (`com.android.internal.telephony.Phone`), which can be obtained by calling a `PhoneFactory` (`com.android.internal.telephony.PhoneFactory`). The method accepts a null-terminated bytestring.
So, here’s the proposed concept of a cleaned-up way to access AT commands in the “fire-and-forget” mode (which should be enough for our purposes) and a basic IMEI changer API on top of this:
As you can see, nothing except the standard Android class libraries was used for this snippet.
But I haven’t tested it at all yet. So, whether it works or not, we’ll find out in the next chapter. Stay tuned!