
Growing Ever Closer to Root/Bootloader Unlock... New Info

 2 years ago
source link: https://forum.xda-developers.com/t/growing-ever-closer-to-root-bootloader-unlock-new-info.4477911/page-2#post-87409793

(Sri Lanka)

Senior Member
Apr 17, 2018
You mean something like abl.elf.p ?

No

(Sri Lanka)

Senior Member
Apr 17, 2018
You mean something like abl.elf.p ?

I think it is not an OTA patched file.

TheMalachite

Senior Member
Dec 9, 2018 Redmi Note 8 Pro
I think it is not an OTA patched file.

Then TCL probably added some kind of proprietary encryption that their tool uses to decrypt files before flashing

(Sri Lanka)

Senior Member
Apr 17, 2018
Then TCL probably added some kind of proprietary encryption that their tool uses to decrypt files before flashing

Yes

(Sri Lanka)

Senior Member
Apr 17, 2018
Then TCL probably added some kind of proprietary encryption that their tool uses to decrypt files before flashing

Also I found the firehose from ModelDownload.dll, and it also supports only read information for QPST. It dost support read GPT

TheMalachite

Senior Member
Dec 9, 2018 Redmi Note 8 Pro
Also I found the firehose from ModelDownload.dll, and it also supports only read information for QPST. It dost support read GPT

Well, I now consider it impossible to unlock the TCL Qualcomm bootloader unless someone manages to get a factory / engineer TCL firmware, which should allow bootloader unlock, but that's quite rare

JayTM

Member
Feb 3, 2021
Okay so lately the topic of the hour has been tokens
Maybe the commands used in this guide can shed some light. But again we run into an issue where TCL doesn't have an unlock website to paste the token identifier.
How To Unlock Bootloader On Any HTC Smartphone - 2022 Guide (www.getdroidtips.com)
Okay so lately the topic of the hour has been tokens
Maybe the commands used in this guide can shed some light. But again we run into an issue where TCL doesn't have an unlock website to paste the token identifier.

I've tried that command before but I just get this

~]$ fastboot oem get_identifier_token
FAILED (remote: 'unknown command')
fastboot: error: Command failed

JayTM

Member
Feb 3, 2021
I've tried that command before but I just get this

I'm not sure what's going on with Windows 10 22H2, but I cannot get the phone to show up when in fastboot mode or EDL mode correctly. The device is not showing in Command Prompt, or I use now Adb app control. In Windows 7 it shows up just fine. Hence why I could not try this command. ADB commands while booted work fine.

JayTM

Member
Feb 3, 2021
A large thanks to a friend on TheBootloaderLocksmith's discord by the name Kasha Fatal. They got a stuck in demo mode Alcatel 5002, aka a TCL 5002 in some places, and messed around with it. It had a ton of stuff on it that our TCL phones don't have unless they're demo phones. This led us down a new rabbit hole with an app called Token_token.apk

This app is also installed on our TCL 10 Pro devices.
-- Install Quick Shortcut Maker, scroll down to tcl.token and run the main activity. It takes you into Token Loader giving you a Security Number for your device
Update (20 minutes later): to get to Token SN, open dialer, type *#*#43886536#*#*
3rd way:
Code:
adb shell am start -n com.tcl.token/com.tcl.token.activity.MainActivity
The negative here
The server is gone
Code:
https://beetle.tclcom.com:8080/accounts/login/?next=/
That's the URL to TCL's server that would have been some form of login using the security number from your device... not all is lost though

In the app is a bunch of developer secrets
Code:
public void p() {
        String str = "";
        if ("true".equals(a("ro.boot.oemtoken", "default"))) {
            str = str + "oemtoken\n";
        }
        if ("true".equals(a("ro.boot.uarttoken", "default"))) {
            str = str + "uarttoken\n";
        }
        if ("true".equals(a("ro.boot.fastboottoken", "default"))) {
            str = str + "fastboottoken\n";
        }
        if ("true".equals(a("ro.boot.adbtoken", "default"))) {
            str = str + "adbtoken\n";
        }
        if ("true".equals(a("ro.boot.smartlogtoken", "default"))) {
            str = str + "smartlogtoken\n";
        }
        if ("true".equals(a("ro.boot.diagtoken", "default"))) {
            str = str + "diagtoken\n";
        }
        if ("true".equals(a("ro.boot.roottoken", "default"))) {
            str = str + "roottoken\n";
        }
        if ("true".equals(a("ro.boot.retailtoken", "default"))) {
            str = str + "retailtoken\n";
        }
        if ("true".equals(a("ro.boot.perftoken", "default"))) {
            str = str + "perftoken\n";
        }
        if ("true".equals(a("ro.boot.smltoken", "default"))) {
            str = str + "smltoken\n";
        }
        this.v.setText(str);
    }
-- I have yet to figure out what item you long press...
Code:
public boolean onItemLongClick(AdapterView<?> adapterView, View view, int i, long j) {
        String string = "oemtoken".equals(this.q.f1242c.get(i)) ? getApplicationContext().getResources().getString(R.string.oem_detail) : "";
        if ("uarttoken".equals(this.q.f1242c.get(i))) {
            string = getApplicationContext().getResources().getString(R.string.uart_detail);
        }
        if ("fastboottoken".equals(this.q.f1242c.get(i))) {
            string = getApplicationContext().getResources().getString(R.string.fboot_detail);
        }
        if ("adbtoken".equals(this.q.f1242c.get(i))) {
            string = getApplicationContext().getResources().getString(R.string.adb_detail);
        }
        if ("smartlogtoken".equals(this.q.f1242c.get(i))) {
            string = getApplicationContext().getResources().getString(R.string.slog_detail);
        }
        if ("diagtoken".equals(this.q.f1242c.get(i))) {
            string = getApplicationContext().getResources().getString(R.string.diag_detail);
        }
        if ("roottoken".equals(this.q.f1242c.get(i))) {
            string = getApplicationContext().getResources().getString(R.string.root_detail);
        }
        if ("retailtoken".equals(this.q.f1242c.get(i))) {
            string = getApplicationContext().getResources().getString(R.string.retail_detail);
        }
        if ("perftoken".equals(this.q.f1242c.get(i))) {
            string = getApplicationContext().getResources().getString(R.string.perf_detail);
        }
        if ("smltoken".equals(this.q.f1242c.get(i))) {
            string = getApplicationContext().getResources().getString(R.string.sml_detail);
        }
        if (string.length() > 1) {
            this.t.a(string);
            this.t.b();
        }
        return true;
    }
more info as i dig
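
An added example, not part of the post and not TCL's code: a host-side audit of an `adb shell getprop` dump against the token names in the decompiled `p()` method above. `ro.boot.*` properties are populated by init from the `androidboot.*` parameters the bootloader passes at boot, so this shows what the bootloader reported. The sample dump is constructed, and `ro.boot.exampletoken` is a made-up property name.

```python
import re

# Token names copied from the decompiled p() method quoted in the post.
TOKEN_NAMES = (
    "oemtoken", "uarttoken", "fastboottoken", "adbtoken", "smartlogtoken",
    "diagtoken", "roottoken", "retailtoken", "perftoken", "smltoken",
)

# `getprop` prints one "[key]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(dump):
    """Parse `adb shell getprop` output into a {key: value} dict."""
    props = {}
    for line in dump.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit_tokens(props):
    """Return (states, unlisted): per-token state plus token-like props the app does not list."""
    states = {}
    for name in TOKEN_NAMES:
        value = props.get("ro.boot." + name)
        if value is None:
            states[name] = "unset"
        elif value == "true":      # the app compares against the exact string "true"
            states[name] = "enabled"
        else:
            states[name] = "off"
    listed = {"ro.boot." + name for name in TOKEN_NAMES}
    unlisted = sorted(
        key for key in props
        if key.startswith("ro.boot.") and key.endswith("token") and key not in listed
    )
    return states, unlisted


# Constructed sample dump (not captured from a real device).
SAMPLE_DUMP = """\
[ro.boot.adbtoken]: [false]
[ro.boot.oemtoken]: [true]
[ro.boot.exampletoken]: [true]
[ro.product.model]: [constructed-device]
[ro.boot.diagtoken]: [TRUE]
"""

if __name__ == "__main__":
    states, unlisted = audit_tokens(parse_getprop(SAMPLE_DUMP))
    for name, state in states.items():
        print(f"{name:14s} {state}")
    print("unlisted token-like props:", unlisted)
```
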

This website is up but it is throwing a not trusted https flag. Also if you take a look at the site certificate it has a name of the signer. Maybe we have to creatively contact this individual instead of Michelle from TCL mobile care that doesn't answer any of our questions.

Also if the token app focuses on the serial number, maybe that's the username and the password well heck if I know. It will be something tricky like activating advanced mode in system update settings where it had a rolling date password.

This website is up but it is throwing a not trusted https flag. Also if you take a look at the site certificate it has a name of the signer. Maybe we have to creatively contact this individual instead of Michelle from TCL mobile care that doesn't answer any of our questions.

Also if the token app focuses on the serial number, maybe that's the username and the password well heck if I know. It will be something tricky like activating advanced mode in system update settings where it had a rolling date password.

Yeah, I should have worded that better. The site is up, but the page beyond that token converter isn't there from what I can tell

I asked them to check on the server,
they say that they won't help unlocking the bootloader oof.

"
Dear John,

Thank you very much for your answer.
Please kindly note that, we only provide Firmware and Bootloader software to our Repair Centre, and not to end users.
Flashing the memory of the device, with any software other than the one that came stock from the Factory, will result in the Warranty being voided, and we do not have an option of assisting with this request.
We apologize for any confusion or discomfort.
Please reply to this e-mail, and kindly confirm if you require supplementary information.
Thank you very much for your patience and time.
Looking forward to hearing from you.


Kind regards,
Dan
TCL Mobile Care Team
------------------- Original Message -------------------
From:
Received: 9/5/2022 2:20 PM
To: TCL Mobile EU
Subject: Re: TCL-

Good afternoon Dan,

Thank you for your response, here's the information:
  • Exact name of the App
"Token", on the app's certificate it is identified as "TokenService" and comes preinstalled on my device. The full name of the app is "com.tcl.token/com.tcl.token.activity.MainActivity".

I have attached the certificate of the app in question with more details about it.

I've also added to the attachments two printscreens showing that the app and it saying that there is no valid data from the server.

The URL to TCL's server that the app tries to access: https://beetle.tclcom.com:8080/accounts/login/?next=/
  • Purpose of usage:
To unlock the bootloader of my device but for that I require an assigned Token, that's why I need to use the app since there's no other way to unlock the bootloader of my device.

I am well aware that "any modification of the software voids warranty" that comes by unlocking the bootloader of my device but the main problem in this situation is that the server that should grant my device assigned tokens isn't granting them.

I hope I've exposed the problem well enough but if not I'll gladly share any more information that you might require.
Best regards
John"


I think it is not an OTA patched file.

No, it's a patch file. If you extract it to .IMG, you open it in a hex editor, the IMG header is there, and then only parts of the file are filled in with info. The rest is 00/NULL'd out and it only changes what's actually needed

(Sri Lanka)

Senior Member
Apr 17, 2018
No, it's a patch file. If you extract it to .IMG, you open it in a hex editor, the IMG header is there, and then only parts of the file are filled in with info. The rest is 00/NULL'd out and it only changes what's actually needed

No 00 null lines, all lines are filled. I think they are encrypted files (all files less than 5 MB). Large files like recovery.img and boot.img are in raw format. I unpacked the boot.img using AIK. I compared the OTA patched aboot with the files extracted from TCL Mobile Upgrade; they have different headers.
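
The posts above disagree on whether the extracted files are mostly zero-filled patches or fully populated, possibly encrypted, blobs. As an added example (not code from anyone in the thread), this profiles a file by all-zero block ratio, byte entropy and leading magic to separate those cases; the thresholds and sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Thresholds are assumptions chosen for illustration, not values from the thread.
ZERO_BLOCK_RATIO = 0.5   # at least half of the 4 KiB blocks all-zero -> sparse
HIGH_ENTROPY_BITS = 7.5  # bits per byte; ciphertext and compressed data sit near 8.0

# Well-known magic values: Android boot image header and ELF (e.g. abl.elf).
KNOWN_MAGIC = {b"ANDROID!": "android-boot", b"\x7fELF": "elf"}


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zero_block_ratio(data, block=4096):
    """Fraction of fixed-size blocks that consist only of 0x00 bytes."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    if not blocks:
        return 0.0
    return sum(1 for b in blocks if b.count(0) == len(b)) / len(blocks)


def classify(data):
    """Return (kind, header): how the payload looks and which magic it starts with."""
    header = next((n for m, n in KNOWN_MAGIC.items() if data.startswith(m)), "unknown")
    if zero_block_ratio(data) >= ZERO_BLOCK_RATIO:
        kind = "sparse-patch"
    elif shannon_entropy(data) >= HIGH_ENTROPY_BITS:
        kind = "high-entropy"   # encrypted OR compressed; entropy cannot tell which
    else:
        kind = "plain"
    return kind, header


# Constructed samples (not real TCL firmware).
SPARSE = (b"ANDROID!" + bytes(4088) + bytes(14 * 4096)
          + b"patched section ".ljust(4096, b"\x01"))
OPAQUE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
PLAIN = b"\x7fELF" + b"fastboot oem device-info\n" * 2000

if __name__ == "__main__":
    for name, blob in (("sparse", SPARSE), ("opaque", OPAQUE), ("plain", PLAIN)):
        print(name, classify(blob), round(shannon_entropy(blob), 2))
```

A "high-entropy" result with an unknown header fits a wrapped or encrypted container, but compression produces the same profile, so it narrows the question rather than settling it.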

No 00 null lines, all lines are filled. I think they are encrypted files (all files less than 5 MB). Large files like recovery.img and boot.img are in raw format. I unpacked the boot.img using AIK. I compared the OTA patched aboot with the files extracted from TCL Mobile Upgrade; they have different headers.
If they can be decrypted, we can just read the fastboot commands from the img's. I've tried that already on extracted IMG files, and didn't find anything useful though

(Sri Lanka)

Senior Member
Apr 17, 2018
If they can be decrypted, we can just read the fastboot commands from the img's. I've tried that already on extracted IMG files, and didn't find anything useful though
Hidden Fastboot OEM Commands (forum.xda-developers.com)

We are close, finally, to bootloader unlock on this device... Tonight, boredom, couldn't sleep, i popped out my 10 pro and started playing with it and found new stuff!! fastboot oem device-info - this command gives you the following info about...
So that dial code is a dead end since we don't have the ServiceMenu.apk, at least I don't.
I found another dial code but also useless *#*#7383243#*#*
Using it shows a message saying "To use this function, oemtoken must be enabled"
Since we've no working token provider server to give us the token this means that our devices are unrootable?
Since we've no working token provider server to give us the token this means that our devices are unrootable?

No, there is still a chance that the device can be bootloader unlocked by other ways, from what I've seen.
(also that username)

No, there is still a chance that the device can be bootloader unlocked by other ways, from what I've seen.
(also that username)

Can you tell me a possible alternative way that we can unlock it?
I'm willing to try it
