OST LA

Online Service Tool (Simplified Chinese: 软件更新工具 Traditional Chinese: 軟體更新工具) Level A, abbreviated as OST LA, is the service tool developed by FIH Mobile. It's the successor of SUT L* (Software Update Tool Level *).

Known latest version is 6.3.8.

Account Login
To ensure recent phones made by FIH Mobile can be flashed with locked bootloader by authorized service employees, account login is mandatory.

Normally, the account is binded to the MAC of service PC, and the domain is N/A. Other domains are meant for FIH managers, especially the accounts under fihtdc.com domain. Once login successful, you'll get specific licenses and functions granted from server.

It's possible to bypass the account login interface, but the phone still can't be flashed with locked bootloader. Therefore, it's impossible to crack the tool itself. According to internal service guide, you have to contact the CAS for acquiring the account and authorization. Average person cannot obtain account.

Update options
Following options are possible options exist in OST LA.

According to the permission FIH Mobile granted to the account, available options might be limited. Accounts under fihtdc.com domain have all of these options accessible.

Possible Licenses
Following licenses are dumped from the flashing log. These are granted by FIH server.

Possible Functions
Following functions are dumped from the flashing log. These are granted by FIH server.

Commercial and Service bootloader
Service bootloader images exist in the firmwares. These images are password protected and the extraction password is WLBGFIH123.

Under commercial bootloader, if bootloader not unlocked, only bootloader partitions are allowed to be flashed once service permission granted. Under service bootloader, if bootloader not unlocked, all of partitions are allowed to be flashed.

Flashing Security Version
Different phones use different private key to grant the bootloader, but the grant procedure is roughly identical.

Security Version can be seen with command: fastboot oem getSecurityVersion

Version 0001
fastboot oem dm-verity [md5_checksum_of_serial_number] Then service permission granted.

Version 0004
fastboot oem getProjectCode fastboot oem dm-veracity The veracity challenge code is generated randomly every time when phone booted to Download mode, therefore it prevents replay attack. If you don't have credential of using OST LA, the server will refuse to generate permission code. The result of getProjectCode and veracity will be submitted to FIH server for generating a 256-byte service permission code and being flashed like this: fastboot flash veracity [path/to/veracity_challenge_code] Then service permission granted.

After August 2018 Security Update for HMD Nokia Phones (except Nokia 3, 2.1, 3.1 and 5.1), the ProjectCode are added with 1 (e.g. DRG1, PDA1, B2N1, NB11) due to private key change, as a prevention to unofficial bootloader unlock and flash tool. Sharp Aquos S3 Android One (HH6) sold in South Korea is also affected.

Version 0008
fastboot oem getBrandCode fastboot oem getProjectCode fastboot oem dm-veracity The result of getBrandCode (usually NKA), getProjectCode and veracity will be submitted to FIH server for generating a 256-byte service permission code and being flashed like this: fastboot flash veracity [path/to/veracity_challenge_code] Then service permission granted.

Under service bootloader
(If Security Version 0008) fastboot oem getBrandCode fastboot oem getProjectCode fastboot oem getUID The result of getUID is fixed for one specific phone, so the FIH server will always generate a fixed 256-byte code for service permission. And it's being flashed like this: fastboot flash encUID [/path/to/encuid_code] fastboot oem selectKey service fastboot oem doKeyVerify After these commands executed, the phone will have fully access to all of partitions, which will be confirmed with these commands by OST LA: fastboot oem getRootStatus fastboot oem state_of_permission

Edit Phone Information
This button is actually used for booting the phone to FTM mode.

In many cases, the phone will be booted with following procedure: [service_permission_granting] fastboot flash abl_a abl_service.elf fastboot flash abl_b abl_service.elf fastboot flash xbl_a xbl_service.elf fastboot flash xbl_b xbl_service.elf fastboot reboot-bootloader [service_permission_granting] fastboot flash abl_a abl.elf fastboot flash abl_b abl.elf fastboot flash xbl_a xbl.elf fastboot flash xbl_b xbl.elf fastboot oem magic_num fastboot oem allport fastboot oem fuar Then the phone will booted to FTM mode and related FTM scripts will be injected to the phone. Depending on which device you're trying to initialize, the flashing command may vary.