View device specification table
| Nokia 2780 Flip 4G (nokia-weeknd) | |
|---|---|
| Released | 15 November 2022 |
| Model | TA-1420 |
| Specifications | |
| SoC | Qualcomm QM215 Snapdragon 215 (4 × 1.3GHz Cortex-A53) |
| RAM | 512MB LPDDR3 |
| GPU | Adreno 308 |
| Storage | 4GB (+ up to 32GB microSDHC card) |
| Network |
2G GSM, 3G UMTS, 4G LTE Cat4 150/50Mbps
Single SIM (Nano-SIM) |
| Screen |
Main: 320 × 240 (143 PPI), 2.7 inches QVGA TFT LCD 1M colors External: 160 × 128 (115 PPI), 1.77 inches TFT LCD |
| Bluetooth | 4.2, A2DP |
| Wi-Fi | 802.11b/g/n, 2.4GHz, Hotspot |
| Peripherals | GPS & GLONASS |
| Cameras | Rear: 5MP with fixed focus, LED flash |
| Dimensions (HWD) |
Open: 202.1 × 58 × 11.47 (mm) 7.96 × 2.28 × 0.45 (in) Closed: 110.2 × 58 × 19.5 (mm) 4.33 × 2.28 × 0.77 (in) |
| Weight | 131.2g (4.62oz) |
| Ports |
|
| Specials |
|
| Battery | Removable Li-Ion 1450mAh HE402 (up to 18 days of 4G standby advertised) |
| KaiOS info | |
| Version | KaiOS 3.1 |
| WA VoIP | Not available |
| Build no. | 00.2238.20.13 |
Nokia 2780 Flip is a KaiOS 3.x device annonounced in the winter of 2022 and as a US-only carrier-unlocked phone. It is very similar to the carrier-locked Nokia 2760 (which lacks the SD card slot and has different Wi-Fi hardware) and seems to be based on an earlier prototype according to an FCC document.
¶ Special boot modes
Don't confuse the Power/End call key on the keypad (right below the Back key) with the side button. It only functions as the emergency button under normal userspace mode and, although you might be able to assign the button to a different action in normal mode, it does not do anything here.
¶ Fastboot mode
With the phone powered off, press and hold both the Power/End call key on the keypad and the Volume down button. When the boot splash screen (KaiOS logo) shows, release the Power/End call key, but keep holding Volume down until the bootloader menu appears.
From here, to interact with the Fastboot interface, you need to connect your phone to a computer with an USB cable, and have the fastboot CLI tool on the computer. On macOS and Linux, fastboot should be included in the android-tools package, which you can install from Homebrew or your package manager:
brew install android-tools
On Windows, you can get fastboot from the Android SDK Platform Tools package by following Sideloading and debugging third-party applications/ADB and WebIDE; you may want to install Google's INF driver so that the computer can see your phone in Fastboot mode (right-click the android_winusb.inf file and click Install; requires administrator privileges). Otherwise, you can also open Device Manager (devmgmt.msc), look for an "Android" device with an exclamation mark, right click and select Install Driver..., Browse my computer for drivers, Let me pick from a list of device drivers on my computer, Have Disk... and select the INF file.
Once the driver is installed, you should see your phone in Device Manager as Android Bootloader Interface.
If you want to wipe all data on the phone and reset it to factory settings:
fastboot oem sudo
fastboot erase userdata
fastboot erase cache
fastboot reboot
¶ Recovery mode
With the phone powered off, hold the Power/End call key on the keypad and the Volume up button. When the phone vibrates, release the Power/End call key, but keep holding Volume up until the No command indicator shows up, then release it.
Press and hold the Power/End call key again, then tap and release the Volume up button. Release the Power/End call key once you get to the recovery menu.
Use D-Pad Up and Down or the volume buttons to move between options, and press Power/End call (not the center OK key) to select.
¶ Jailbreak
Debugging cannot be enabled using any codes, and enabling it using W2D does not enable adb. However, the device can be flashed via fastboot.
The Nokia 2780 Hacking Toolbox uses this to provide read-write access to the device's internal storage via USB. It lets you manually sideload apps and modify the preinstalled system.
According to Nokia Mobile Care, this device is not debug enabled unlike Nokia 800 Tough, the BananaPhone and other older Nokia devices. --Farooq
¶ Flashing vbmeta and custom software
The story It has always been possible to "sideload" apps by uploading them to the KaiOS developer portal and adding the device's IMEI to the testing list.
This line in the B2G source code made it clear that KaiOS 3.x also has an engmode API, just like the one used to jailbreak older KaiOS 2.5.x devices. By using the above method to sideload a simple test app, it was possible to look for methods to gain root access. The startUniversalCommand function seems to have been removed, but it was possible to exploit some other functions vulnerable to shell command injection, e.g.:
navigator.b2g.engmodeManager.execCmdLE(["rmgps", "; dd if=/dev/block/bootdevice/by-name/aboot of=/sdcard/aboot.img"], 2);
This does not give us full root access: SELinux is set to enforcing and restricts most privileged operations. Some operations are allowed, though:
- replacing /data/local/service/updater/updater-daemon to gain code execution on boot (unfortunately, updater-daemon runs in an even more restricted context, but at least it is allowed to run executables from the data partition)
- swapon() and swapoff()
- reading some partitions
It took me a while to realize that partitions could be dumped like this, because this method only works for partitions not listed in /vendor/etc/selinux/vendor_file_contexts. For instance, this method can't be used to dump the recovery, system or boot partitions, so before I examined the SELinux policies more carefully, I had thought dumping partitions was impossible. -- Affe Null
Dumping the bootloader in aboot made it possible to search for OEM commands. One of these commands, fastboot oem sudo, allows flashing without unlocking the bootloader.
Requires fastboot, openssl, and avbtool.py.
KaiOS will not boot unless you add dm-verity related hashtree descriptors and command line parameters from the stock vbmeta.
< reboot and hold the Volume Down key, plug in the device >
$ fastboot oem sudo
$ openssl genrsa 2048 > key.pem
$ avbtool extract_public_key --key key.pem --output pkmd.bin
$ avbtool make_vbmeta_image --padding_size 4096 --algorithm SHA512_RSA2048 --key key.pem --public_key_metadata pkmd.bin --output vbmeta_custom.img <additional parameters>
$ fastboot flash avb_custom_key pkmd.bin
$ fastboot flash vbmeta vbmeta_custom.img
This makes it possible to flash custom recovery or boot images. You might want to use the stock recovery as a reference.
The stock recovery image has a recovery DTBO and the stock boot image is missing the ramdisk because this device uses system-as-root, which
abootimgdoesn't understand. It is recommended to use Android's officialunpack_bootimgandmkbootimgtools instead.
You can make it boot from the SD card by adding
--kernel_cmdline 'root=PARTUUID=<partition-uuid>'to the make_vbmeta_image parameters (requires a compatible ext4 partition on the SD card with aninitexecutable, which you will have to write yourself). This way, you do not have to replace the boot image.
¶ Unlocking the bootloader
This is unnecessary because flashing works anyway and unlocking has at least one bad side effect: It seems to break KaiOS completely, forcing it to reboot back to fastboot. An unlocked boot loader can be relocked using
fastboot oem lock.
To allow unlocking the bootloader (indirectly, since flashing the config partition from fastboot is prohibited), boot with an init script that writes a 1 to the last bit in the config partition.
¶ Availability
While this device is officially available only in the US, from third party sources like Amazon one can import the device to other countries.
¶ Internal photos and PCB layout
- Nokia 2760 "older" version https://fcc.report/FCC-ID/2AJOTTA-1398/5541262.pdf
- Nokia 2760 "newer" version https://fcc.report/FCC-ID/2AJOTTA-1451/5703362.pdf
- Nokia 2780 https://fcc.report/FCC-ID/2AJOTTA-1420/6144974.pdf
¶ Testpoints
Some testpoints have been removed (replaced with stubs) on production devices, including the UART testpoints (pair of testpoints located next to the display/camera connector).