Nokia 2780 Flip is a KaiOS 3.x device announced in the winter of 2022 as a US-only carrier-unlocked phone. It is very similar to the carrier-locked Nokia 2760 (which lacks the SD card slot and has different Wi-Fi hardware) and, according to an FCC document, seems to be based on an earlier prototype.
| Nokia 2780 Flip (nokia-weeknd) | |
|---|---|
| Released | 15 November 2022 |
| SoC | Qualcomm QM215 Snapdragon 215 (4 x 1.3 GHz Cortex-A53) |
| Storage | 4 GB (+ up to 32 GB microSDHC card) |
| Screen | Main: 320 x 240 (143 PPI), 2.7 inch QVGA TFT LCD, 1M colors; External: 160 x 128 (115 PPI), 1.77 inch TFT LCD |
| Wi-Fi | 802.11b/g/n, 2.4 GHz, Hotspot |
| Peripherals | GPS & GLONASS |
| Cameras | Rear: 5 MP with fixed focus, LED flash |
| Dimensions (H x W x D) | Open: 202.1 x 58 x 11.47 mm (7.96 x 2.28 x 0.45 in); Closed: 110.2 x 58 x 19.5 mm (4.33 x 2.28 x 0.77 in) |
| Weight | 131.2 g (4.62 oz) |
| Battery | Removable Li-Ion 1450 mAh (HE402) |
The power key is the one below the back key, among the other keys on the keypad, NOT the key on the side; the side key is the emergency key.
Debugging cannot be enabled using any codes, and enabling it using W2D does not enable adb. However, the device can be flashed via fastboot.
The Nokia 2780 Hacking Toolbox uses this (flashing via fastboot) to provide read-write access to the device's internal storage over USB. It lets you manually sideload apps and modify the preinstalled system.
The story
It has always been possible to "sideload" apps by uploading them to the KaiOS developer portal and adding the device's IMEI to the testing list.
This line in the B2G source code made it clear that KaiOS 3.x also has an engmode API, just like the one used to jailbreak older KaiOS 2.5.x devices. By using the above method to sideload a simple test app, it was possible to look for methods to gain root access. The startUniversalCommand function seems to have been removed, but it was possible to exploit some other functions vulnerable to shell command injection, e.g.:
navigator.b2g.engmodeManager.execCmdLE(["rmgps", "; dd if=/dev/block/bootdevice/by-name/aboot of=/sdcard/aboot.img"], 2);
This does not give us full root access: SELinux is set to enforcing and restricts most privileged operations. Some operations are allowed, though:
It took me a while to realize that partitions could be dumped like this, because this method only works for partitions not listed in /vendor/etc/selinux/vendor_file_contexts. For instance, this method can't be used to dump the recovery, system or boot partitions, so before I examined the SELinux policies more carefully, I had thought dumping partitions was impossible. -- Affe Null
Dumping the bootloader in aboot made it possible to search for OEM commands. One of these commands, fastboot oem sudo, allows flashing without unlocking the bootloader.
Requires fastboot, openssl, and avbtool.py.
KaiOS will not boot unless the custom vbmeta also carries the dm-verity related hashtree descriptors and kernel command line parameters from the stock vbmeta.
< reboot and hold the Volume Down key, plug in the device >
$ fastboot oem sudo
$ openssl genrsa 2048 > key.pem
$ avbtool extract_public_key --key key.pem --output pkmd.bin
$ avbtool make_vbmeta_image --padding_size 4096 --algorithm SHA512_RSA2048 --key key.pem --public_key_metadata pkmd.bin --output vbmeta_custom.img <additional parameters>
$ fastboot flash avb_custom_key pkmd.bin
$ fastboot flash vbmeta vbmeta_custom.img
This makes it possible to flash custom recovery or boot images. You might want to use the stock recovery as a reference.
The stock recovery image has a recovery DTBO, and the stock boot image is missing the ramdisk because this device uses system-as-root, which abootimg doesn't understand. It is recommended to use Android's official
You can make it boot from the SD card by adding --kernel_cmdline 'root=PARTUUID=<partition-uuid>' to the make_vbmeta_image parameters (requires a compatible ext4 partition on the SD card with an init executable, which you will have to write yourself). This way, you do not have to replace the boot image.
Unlocking the bootloader is unnecessary because flashing works anyway, and unlocking has at least one bad side effect: it seems to break KaiOS completely, forcing it to reboot back to fastboot. An unlocked bootloader can be relocked using fastboot oem lock.
To allow unlocking the bootloader (indirectly, since flashing the config partition from fastboot is prohibited), boot with an init script that writes a 1 to the last bit in the config partition.
While this device is officially available only in the US, it can be imported to other countries from third-party sources such as Amazon.
Some testpoints have been removed (replaced with stubs) on production devices, including the UART testpoints (a pair of testpoints located next to the display/camera connector).