Hovatek Forum MOBILE Android Backup A1 Smart N9
Can't login? Please, reset your password.
Hovatek is recruiting! Apply Now


Backup A1 Smart N9

Backup A1 Smart N9

leecher
leecher
leecher
Newbie
2
05-04-2020, 08:12 PM
#1



I have a phone by an Austrian Mobile Operator "A1 Smart N9".
This seems to be a rebranded "Vodafor Smart N9" (VFD 720) which in turn seems to be some variant of Alcatel A3A or something like that. It is EMMC memory and based on CPU MT6739.
Now the problem is that the phone boots up normally and lets me enter the unlock code. After that, it just hangs at the boot logo. The boot logo animates but it never starts up (let it run for 24 hours).
The phone contains important data, so factory reset via the Recovery menu therefore is not an option. I need to get my data off the phone.
USB debugging isn't enabled and it contains stock firmware, therefore I don't have adb access to it.
Firmware is just provided via OTA, therefore I don't see a way to get hold of the firmware and install it from an SD card (which would be an option that is offered in the Recovery mode menu).
Now I wanted to dump the memory of the phone in the hope that I may be able to decrypt userdata somehow, therefore I tried to use SP Flash Tool.I think I have the correct loader and auth file from your Alcatel collection:
JRD_6739_CD_A3A_VF.bin
JRD_6739_CD_A3A_VF.auth
I also have a correct scatter file. However, I'm unable to pull off data, as it seems to require some key that I don't have...? That does this mean:
Code:

[00000112] [18:40:52:956027] [Tid0x00000c4c] [debug] <-Rx: 0x00000002 Hex[00 00 ]
[00000113] [18:40:52:956027] [Tid0x00000c4c] [debug] <--[C58] boot_rom::print_bootrom_log
[00000114] [18:40:52:956027] [Tid0x00000c4c] [info] BROM log END.
[00000115] [18:40:52:956527] [Tid0x00000c4c] [debug] -->[C64] boot_rom::get_soc_id #(boot_rom.cpp, line:1068)
[00000116] [18:40:52:956527] [Tid0x00000c4c] [debug] Tx->: 0x00000001 Hex[e7 ]
[00000117] [18:40:52:956527] [Tid0x00000c4c] [debug] <-Rx: 0x00000001 Hex[e7 ]
[00000118] [18:40:52:956527] [Tid0x00000c4c] [debug] <-Rx: 0x00000004 Hex[00 00 00 20 ]
[00000119] [18:40:52:957027] [Tid0x00000c4c] [debug] <-Rx: 0x00000020 Hex[e8 63 5e 21 f1 d7 90 47 6f 32 01 36 04 86 16 fa ]
[00000120] [18:40:52:957027] [Tid0x00000c4c] [debug] <-Rx: 0x00000002 Hex[00 00 ]
[00000121] [18:40:52:957027] [Tid0x00000c4c] [debug] <--[C64] boot_rom::get_soc_id
[00000122] [18:40:52:957528] [Tid0x00000c4c] [info] SOC ID: [e8 63 5e 21 f1 d7 90 47 6f 32 01 36 04 86 16 fa 3f 61 40 6a 04 5f 63 23 72 3e dd 97 d4 b4 84 dc ] #(boot_rom_logic.cpp, line:93)
[00000123] [18:40:52:957528] [Tid0x00000c4c] [info] SOC ID: [e8 63 5e 21 f1 d7 90 47 6f 32 01 36 04 86 16 fa 3f 61 40 6a 04 5f 63 23 72 3e dd 97 d4 b4 84 dc ] #(boot_rom_logic.cpp, line:94)
[00000124] [18:40:52:958528] [Tid0x00000c4c] [debug] cert is NULL #(boot_rom_logic.cpp, line:177)
[00000125] [18:40:52:958528] [Tid0x00000c4c] [debug] -->[C70] boot_rom::get_security_config #(boot_rom.cpp, line:920)
[00000126] [18:40:52:959028] [Tid0x00000c4c] [debug] Tx->: 0x00000001 Hex[d8 ]
[00000127] [18:40:52:959028] [Tid0x00000c4c] [debug] <-Rx: 0x00000001 Hex[d8 ]
[00000128] [18:40:52:959028] [Tid0x00000c4c] [debug] <-Rx: 0x00000004 Hex[00 00 00 e7 ]
[00000129] [18:40:52:959028] [Tid0x00000c4c] [debug] <-Rx: 0x00000002 Hex[00 00 ]
[00000130] [18:40:52:959028] [Tid0x00000c4c] [debug] <--[C70] boot_rom::get_security_config
[00000131] [18:40:52:960028] [Tid0x00000c4c] [error] open file: MT6739.key failed. #(efuse_file_handler.cpp, line:72)
[00000132] [18:40:52:960028] [Tid0x00000c4c] [error] key file is not exist. #(efuse_file_handler.cpp, line:120)
[00000133] [18:40:52:960028] [Tid0x00000c4c] [error] decryption failed. #(efuse_file_handler.cpp, line:88)
[00000134] [18:40:52:960028] [Tid0x00000c4c] [error] Analysis register file failed[0xc001000d] #(boot_rom_logic.cpp, line:197)
[00000135] [18:40:52:960528] [Tid0x00000c4c] [debug] brom read efuse operations: 0
[00000136] [18:40:52:961028] [Tid0x00000c4c] [debug] auth input type (0)  #(boot_rom_logic.cpp, line:220)
[00000137] [18:40:52:961028] [Tid0x00000c4c] [debug] -->[C75] boot_rom::send_auth_file #(boot_rom.cpp, line:1013)
[00000138] [18:40:52:961528] [Tid0x00000c4c] [debug] Tx->: 0x00000001 Hex[e2 ]
[00000139] [18:40:52:961528] [Tid0x00000c4c] [debug] <-Rx: 0x00000001 Hex[e2 ]
[00000140] [18:40:52:962028] [Tid0x00000c4c] [debug] Tx->: 0x00000004 Hex[00 00 08 d0 ]
[00000141] [18:40:52:962528] [Tid0x00000c4c] [debug] <-Rx: 0x00000004 Hex[00 00 08 d0 ]
[00000142] [18:40:52:962528] [Tid0x00000c4c] [debug] <-Rx: 0x00000002 Hex[00 00 ]
[00000143] [18:40:52:963528] [Tid0x00000c4c] [debug] Tx->: 0x000008d0 Hex[4d 4d 4d 01 38 00 00 00 46 49 4c 45 5f 49 4e 46 ]
[00000144] [18:40:52:964028] [Tid0x00000c4c] [debug] <-Rx: 0x00000002 Hex[e3 34 ]
[00000145] [18:40:52:964528] [Tid0x00000c4c] [debug] <-Rx: 0x00000002 Hex[00 00 ]
[00000146] [18:40:52:965028] [Tid0x00000c4c] [debug] <--[C75] boot_rom::send_auth_file
[00000147] [18:40:52:965028] [Tid0x00000c4c] [debug] -->[C84] boot_rom::qualify_host #(boot_rom.cpp, line:1183)
[00000148] [18:40:52:965028] [Tid0x00000c4c] [debug] Tx->: 0x00000001 Hex[e3 ]
[00000149] [18:40:52:965028] [Tid0x00000c4c] [debug] <-Rx: 0x00000001 Hex[e3 ]
[00000150] [18:40:52:965529] [Tid0x00000c4c] [debug] <-Rx: 0x00000002 Hex[00 00 ]
[00000151] [18:40:52:965529] [Tid0x00000c4c] [debug] <-Rx: 0x00000004 Hex[00 00 00 10 ]
[00000152] [18:40:52:966029] [Tid0x00000c4c] [debug] <-Rx: 0x00000010 Hex[b3 7a df 10 ac 70 a8 a9 ad ce de 89 4c 9d 8b 8b ]
[00000153] [18:40:52:966529] [Tid0x00000c4c] [debug] Tx->: 0x00000004 Hex[00 00 00 04 ]
[00000154] [18:40:52:967029] [Tid0x00000c4c] [debug] <-Rx: 0x00000004 Hex[00 00 00 04 ]
[00000155] [18:40:52:967529] [Tid0x00000c4c] [debug] <-Rx: 0x00000002 Hex[70 46 ]
[00000156] [18:40:52:970029] [Tid0x00000c4c] [error] ./brom/boot_rom.cpp(1257): Throw in function int __thiscall boot_rom::qualify_host(void)
Dynamic exception type: class boost::exception_detail::clone_impl<class runtime_exception>
std::exception::what: BROM_SCMD_SLA error. code 0x7046
#(boot_rom.cpp, line:1280)
[00000157] [18:40:52:971029] [Tid0x00000c4c] [debug] <--[C84] boot_rom::qualify_host
[00000158] [18:40:52:971529] [Tid0x00000c4c] [debug] <--[C26] boot_rom_logic::security_verify_connection
[00000159] [18:40:52:971529] [Tid0x00000c4c] [debug] <--[C10] connection::connect_brom
[00000160] [18:40:52:971529] [Tid0x00000c4c] [error] <ERR_CHECKPOINT>[809][error][0xc0060005]</ERR_CHECKPOINT>flashtool_connect_brom fail #(flashtoolex_api.cpp, line:121)
[00000161] [18:40:52:971529] [Tid0x00000c4c] [info] <--[C9] flashtool_connect_brom
Is there any hope that I can pull off data from the device or is it gone for good?
Thank you in advance for your support.
X3non
X3non
X3non
Recognized Contributor
22,062
06-04-2020, 11:21 AM
#2
(05-04-2020, 08:12 PM)leecher I have a phone by an Austrian Mobile Operator "A1 Smart N9".
...
Is there any hope that I can pull off data from the device or is it gone for good?
Thank you in advance for your support.

there's no guarantees that because a device is a rebrand of another then it'll accept the da & auth file of that device
BTW your phone has encrypted userdata (and you never disabled and removed the encryption before now), even if you managed to backup, you will not be able to decrypt / extract the userdata to get its contents. So yes, your data is as good as gone
leecher
leecher
leecher
Newbie
2
06-04-2020, 01:41 PM
#3
As I know the lock screen password, I thought that maybe the encryption key can be calculated from the unlock code in order to decrypt data. Wasn't there some TWRP-Version that had a feature for this?
If this works, I may have to hire a company that dumps the contents of the internal memory by solding out the memory chip, I guess (or find some technician at the cellphone operator who has a valid .auth file for the device to share).
As the phone locks up after entering and verifying the code makes me think that it may still be able to mount the user data, but unfortunately MTP transfer is denied by the phone in this stage of the boot process (even though the device shows up as MTP device).
But without USB debug being on, I have no chance of boot process error analysis...
X3non
X3non
X3non
Recognized Contributor
22,062
06-04-2020, 08:58 PM
#4
(06-04-2020, 01:41 PM)leecher As I know the lock screen password, I thought that maybe the encryption key can be calculated from the unlock code in order to decrypt data. Wasn't there some TWRP-Version that had a feature for this?...

as far as i'm aware that doesn't work for all, sure you're aware that twrp decryption doesn't fully depend on the lock screen password
you should look up encryption on android on aosp website @ https://source.android.com/security/encryption
then again, to flash twrp you will need to unlock bootloader (which is not possible seeing as your phone cant even boot to homescreen and even if it was, unlocking bootloader erases userdata which then defeats what you aim for) . i doubt spft will let you flash a modified image (a security feature very common in mtk android 8.x devices)


(06-04-2020, 01:41 PM)leecher ...If this works, I may have to hire a company that dumps the contents of the internal memory by solding out the memory chip, I guess (or find some technician at the cellphone operator who has a valid .auth file for the device to share).
As the phone locks up after entering and verifying the code makes me think that it may still be able to mount the user data, but unfortunately MTP transfer is denied by the phone in this stage of the boot process (even though the device shows up as MTP device).
But without USB debug being on, I have no chance of boot process error analysis...

a corrupt or incompatible userdata can cause a device to get stuck at animated bootlogo, which might just be what you're looking at (device waiting for a factory reset to complete booting)
BTW how did your phone get to this bricked stage?
Users browsing this thread:
 1 Guest(s)
Users browsing this thread:
 1 Guest(s)
YtWhTl
live chat
whatsapp telegram instagram