Doro 7060 / 7050 / 7070

  • Doro 7060 (DFC-0190), common european variant;
  • Doro 7070 (DFC-0190), the original scandinavian version;
  • Doro 7050 (DFC-0180), sold in the USA but without KaiOS Store.

Three different variants but with the same operating system, KaiOS. It is the most complete device in terms of navigation with this operating system. It has more keys that redistribute functions, and they are also far apart. This phone is geared towards senior users, but inside it has features that rival other devices. A 2.8 inch display and a 3 megapixel camera. The software inside it is very stable and can be configured with 2 display modes for the menu and 5 different color themes.

Precisely this stability is the result of the work of truly excellent developers, who have practically sealed off any space for hacking...but all is not lost!

Bootmodes

[Power] = normal boot[Power] + [Vol-Up] = boot to recovery[Power] + [Vol+Down] = boot to ffbm[Power] + [Vol-Up] + [Vol-Down] = boot to edl[Power] + [*] = boot to fastboot
recovery = release-keys, of no use to install zipsedl = no loader available yet, so not usablefastboot = crippled, most commands won't workffbm = 'fast factory boot mode' (like boot to linux commandline). It's the only mode with ADB enabled, but no 'USB-Debugging' or root permissions. It's possible to start b2g from here.

Secret codes

display languages*#0044# = english*#385# = croatian*#0385# = croatian*#0420# = czech*#0045# = danish*#0031# = dutch*#0358# = finnish*#0033# = french*#0049# = german*#0030# = greek*#0036# = hungarian*#0039# = italian*#0047# = norwegian*#0048# = polish*#0351# = portuguese*#0040# = romanian*#0007# = russian*#0386# = slovenian*#0034# = spanish*#0046# = swedish*#0090# = turkish
themes*#8881# = black on white*#8882# = white on black*#8883# = green on blue*#8884# = white on green*#8885# = white on blue
fun stuff*#06# = IMEI*#07# = SAR*#2100# = displays a test number for doro's emergency response service*#*#664#*#* = *#*#MMI#*#* KaiOS MMI Test app*#*#258#*#* = firmware build number*#18375# = additional version info*#235543# = LAC and CellID*#*#76389273#*#* = *#*#SOFTWARE#*#* - firmware version*#610000#* = product information app*#13646633# = engineer mode app - including things like a gps tracker...
*#787464# = turn STR function on/off*#*#0704#*#* = factory reset (asks for confirmation)*#*#0574#*#* = LogManager app*#73776673# = toggles debug for 'doro's emergency response service'
*#34247678# = toggles diag-mode for USB
disabled codes - will only work after enabling remote-debugging:*#0606# = MEID*#8378269# = *#TESTBOX# - should open engmode activity*#*#2637643#*#* = same as 'TESTBOX'*#*#33284#*#* = *#*#DEBUG#*#* toggles adb

TEST RESULTS

by Speeduploops

I couldn't find a way to enable remote-debugging (no permissions using ADB in FFBM), so no webide/sideloading:

  • enabling it directly would need access to user-data partition
  • enforcing privileged factory reset (which enables all debugging facilities) would need access to persist partition.
  1. There also is a serial-com as pads inside the device, but it's underneath the battery and would most probably need soldering to be used.
  2. I tried some common exploits, but couldn't find a working/unpatched yet (there is a quite new one for nearly all qualcomms but for this CVE there isn't an exploit available yet).
  3. We would need either/or:
  • a way to get root - so we could enforce a privileged factory reset, which would be the cleanest way;
  • write acces to /data - so we could enable remote-debugging manually (firehose/emmcdownload in edl-mode would work too);
  • -- a way to install an app from adb-shell without usb-debugging - which then could do the reset.