Wallace Project

by Luxferre

Wallace by Luxferre is a noir-style rooting app that was tested to work on both Nokia 8110 4G TA-1048 with v16 firmware and Alcatel OT-044D with KaiOS 1.0.

It also has the potential to work on phones without busybox, since it carries its own unzip binary and uses its own resource loader function. So, besides rooting, this is also a testbed for sandbox escaping (at least for an app with "certified" permission).

Download link

Wallace 0.1: https://cloud.disroot.org/s/CzkyYi4JancRJNX/download

(SHA256: abc4b5f20b3f6ace709e95560db728ce36783c78dcba49d346cbc2d1eec29bb3)

If you still have any issues with the Wallace project regarding the new resource loader functionality, here's a "lite" version that uses busybox unzip instead (and obviously works only on devices that have Busybox, the 8110 and Alcatels being among them).

Wallace-lite (for Nokia 8110 and Alcatel): https://cloud.disroot.org/s/mAYgjLb9398WfxJ/download

(SHA256: c48884412e6defcc273f2a95835954bfa7b5381faf2ac5218c8c1457ab111066)
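A pre-install check for the two downloads above, as an added example that is not part of the Wallace project: it matches a downloaded file against the SHA256 values published here and lists the native (ELF) binaries the package carries. It assumes the download is a zip archive, possibly with an OmniSD-style nested application.zip; the sample package and the rsrc/adbd member name are constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# SHA256 values published on this page for the two downloads.
PUBLISHED = {
    "Wallace 0.1": "abc4b5f20b3f6ace709e95560db728ce36783c78dcba49d346cbc2d1eec29bb3",
    "Wallace-lite": "c48884412e6defcc273f2a95835954bfa7b5381faf2ac5218c8c1457ab111066",
}
ELF_MAGIC = b"\x7fELF"
MAX_MEMBER = 16 * 1024 * 1024  # assumed cap; skip members that unpack larger


def match_release(data: bytes, published=PUBLISHED):
    """Return the release whose published digest matches `data`, else None."""
    digest = hashlib.sha256(data).hexdigest()
    return next((n for n, h in published.items() if h.lower() == digest), None)


def native_members(data: bytes, depth: int = 2):
    """List ELF files in a zip, descending into nested zip members."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            body = zf.read(info)
            if body.startswith(ELF_MAGIC):
                found.append(info.filename)
            elif depth > 0 and zipfile.is_zipfile(io.BytesIO(body)):
                inner = native_members(body, depth - 1)
                found += [f"{info.filename}!{m}" for m in inner]
    return found


def constructed_sample() -> bytes:
    """Constructed stand-in package (not the real archive) for an offline run."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("manifest.webapp", "{}")
        z.writestr("rsrc/adbd", ELF_MAGIC + b"\x00" * 12)  # hypothetical path
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("application.zip", inner.getvalue())
        z.writestr("metadata.json", "{}")
    return outer.getvalue()


if __name__ == "__main__":
    pkg = constructed_sample()
    print(match_release(pkg), native_members(pkg))
```

For a real download, pass the file's bytes (open(path, "rb").read()) to both functions; a None result from match_release means the file is not one of the two published builds.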

How to install

After you enter the developer/debug mode, the Wallace app can be installed the same way OmniSD could be installed:

- via WebIDE of old Firefox/Pale Moon/NewMoon and the adb forward tcp:6000 localfilesystem:/data/local/debugger-socket command,

- via the make-kaios-install (xpcshell) method by jkelol111.

How to use

Just press the central D-pad key and wait until the Niander Wallace silhouette fully comes up. Then your ADB shell is rooted until the next reboot.

There's also a (usual) "secret" feature of privileged factory reset (with confirmation prompt, of course) if you press # instead of central key.

How it works

General flow is as follows:

1. The first fitting master extension is selected depending on the platform (the choice is made among engmodeExtension, jrdExtension and kaiosExtension);

2. The resource loader method (see below) is called to fetch the "unzip" binary from the app resources into /data/local/tmp/unzip;

3. Using the startUniversalCommand method of the selected master extension, a concatenated command is run to:

- stop adbd service;

- move the unzip binary from /data/local/tmp/unzip to /sbin/unzip and adjust its permissions (since /sbin structure is volatile until next reboot);

- run the unzip command against the local application package to extract adbd binary to /sbin;

- adjust the new /sbin/adbd permissions and start the adbd service again;

- remove leftover folder from primary storage if it's empty.

How resource loader method works

This is the most interesting part of this app. The resource loader relies on the fact that the main storage (used by the B2G API method navigator.getDeviceStorage("sdcard")) can always be referred to as /storage/self/primary/ in the actual FS tree. The only issue is that in some cases (for instance, on 8110 v16 without an SD card) the actual storage is mounted onto /storage/self/primary/0 but, due to some bug, the root of the B2G "sdcard" storage handle still refers to /storage/self/primary/ itself, so attempts to write to the root result in a DOM error. Hence, the logic of the loader method is as follows:

1. Shape the XHR with "application/octet-stream" content type and "blob" response type to fetch the necessary resource file. On success, go to the next step; otherwise, return an operation error.

2. Retrieve the storage handle with navigator.getDeviceStorage("sdcard") and try writing the resulting blob to the 0/tmpbin.bin file (relative to the B2G storage root, not the physical location). On success, go to the next step; otherwise, return an operation error.

3. Using the startUniversalCommand method of the selected master extension, run the command to move the file (found with the find command within the /storage/self/primary/ tree, because its location might be either /storage/self/primary/tmpbin.bin or /storage/self/primary/0/tmpbin.bin) to the target location. Return operation success.

So, now that you know what it is and how it all works, feel free to test it out on different configurations (for instance, v13 etc).

Have fun!

P.S. If you don't know who Niander Wallace is, don't worry... Just watch Blade Runner 2049 and you'll find out. ;)

Wallace Toolbox

NOTE: in many countries of the world it is illegal to modify the IMEI, in this case use this tool only to repair it! This guide is for educational purposes only!

I take no responsibility in case of loss of updates or malfunctions of your device!

This is an app that can be installed via WebIDE. Here's what it can do, in order, key by key:

1. Give ADB root (Wallace Lite method);

2. Toggle call recording in KaiOS 2.5.2+ between manual, automatic and off;

3. Install OmniSD-compatible app packages (when the system is in privileged mode) using the system filepicker;

4. Override TTL values for wireless tethering;

5. Edit IMEI1 (on Nokias only);

6. Edit IMEI2 (on Nokias only);

7. Toggle browser's proxy setting;

8. Set the host and port for the browser's proxy;

9. Override the user agent;

*. Run the good old overclocking script;

0. Toggle diagnostics port (on Qualcomms only);

#. Launch the privileged mode factory reset procedure.

WARNING! The items highlighted in red are the most dangerous and involve additional confirmation messages.

When some feature is unavailable on a particular phone, the utility will give you a corresponding error message, and the item will be shown struck through.

(for every question here is the source)