Introduction

This wiki was created following the discovery of an exploit that allows installation of unsigned native applications (.bar files) on Blackberry 10 devices, thanks to Oleksandr and FerreiraPablo.

DISCLAIMER! Information on this wiki is provided AS-IS. The authors cannot be held liable for any damage done to your devices. This wiki is completely unrelated to Research In Motion or Blackberry as a brand. Use the provided information at your own risk. This wiki exists only for educational purposes.

Do not ask the developers of the modifications for troubleshooting help. There are people who can help you with this (on Reddit or Discord), but before asking for anyone's help, make sure you have done enough research on the matter. Please do not spam. If you want to contribute, there are links to GitHub repos where you can submit patches.

This wiki provides tutorials on how to use those exploits to perform the actions listed below:

  • Installation of unsigned apps;
  • Downgrade of the device OS;
  • "Debloating" (deletion of default apps which are currently unusable).

A couple of words about BlackberryOS10...

This page aims to describe how BlackberryOS10 works, what the current limitations are for using it as a daily driver, and what the proposed solutions are.

About BlackberryOS10 itself.

It is a QNX-based OS...

In a nutshell, QNX is a UNIX-like operating system, so you can expect a lot of things from Linux and BSD systems to work as usual. You can compile a lot of Linux software using a cross-compiler (or even compile on the device itself, which is what BerryMuch does), and it will work most of the time.

BlackberryOS10 is based on QNX 6.5.0.

Still, it uses a lot of proprietary technologies and utilities; for example, there is no systemd (or any regular daemon manager).

Signing Apps

As you may have already guessed, BBOS10 is more similar to iOS than to Android, in the sense that BBOS10 was designed to run only signed apps (which is not the case for Android). RIM did a lot of work to ensure that unsigned apps would not be able to run.

Running unsigned apps

Android runtime

Probably your first gut reaction when trying to use BBOS10 as a daily driver would be to take advantage of the built-in Android runtime. Sadly, there are a lot of problems with this solution:

  • Performance. Even one of the latest BBOS10 devices, the Q20 (Classic), heats up a lot when running basic apps (for example Telegram X or the available Firefox browser). Even with this hit, the framerate of apps is ~15FPS most of the time and the battery drain is huge. Even worse, apps crash a lot.
  • You are limited to Android 4.3. Self-explanatory: this is a very, very old version of Android, and finding new apps is practically impossible.
  • You cannot use some native APIs of BBOS10 from the Android runtime.

Hosting web services

The second gut reaction would be to create and host web services or proxies for the services you need. This is not a bad idea, and some servers can be run from BBOS10 itself.

Hosting on web

The problem with this solution is that you'd need a server, obviously, which is not free.

Examples include the instant messaging web app from FerreiraPablo, a web Matrix client.

Hosting locally on BBOS10

The problem with this solution is that the server has to be started after every device reboot, and that it requires a deep understanding of how to design such servers.

Debloating

Original Reddit post

The good news is that debloating can be done as a one-click solution (on Windows; on Linux it's a little more involved). If you plan on doing more to your device, e.g. downgrading, please check the corresponding guide.

Hardware requirements:

  • PC;
  • Target Blackberry 10 device;
  • Good micro-USB cable which can provide a stable connection.

Software requirements:

  • Linux or Windows (the minimal reported working version is Windows 7) OS on the host;
  • Downloaded patched Autoloader for a version HIGHER THAN YOUR DEVICE'S (you can check it in Settings->About->OS Version). Links can be found in the original Reddit post. If the Reddit link is dead, check out Special links;
  • (on Linux) Blackberry10 MultiTool; the link can be found in Special links.

Procedure

1. Turn off your Blackberry 10 device by holding the power button.

2. (On Windows) Run the modded Autoloader.

3. Connect your Blackberry 10 device to the PC.

WARNING! Flashing will delete all data on the device, so back up any data you need somewhere, for example on the SD card.

4. If you have a password on your device, you will need to type it into the console opened on the PC.

5. Wait until the upload is complete.

6. That's all, the debloat is complete.

Downgrade

The downgrade procedure is possible thanks to discoveries made by Oleksandr; you can find the post about them here.

Hardware requirements:

  • PC;
  • Target Blackberry 10 device;
  • Good micro-USB cable which can provide a stable connection.

Software requirements:

1. Split Autoloader with DBBT

Launch DBBT, select the Autoloader and click "Split Autoloader". This will output two files, named "OS*.Signed" and "Radio*.Signed".

On Linux, DBBT can be run with Wine. If you are not familiar enough with Wine, use it through Bottles.

2. Use BlackberrySystemPacker to patch OS and Radio

2.1. Create folders named "output" and "signed" beside the binary.

2.2. Create a text file "patch.txt" and paste the following lines into it:

removeapp com.twitter com.evernote com.linkedin com.tcs.maps com.rim.bb.app.facebook com.rim.bb.app.retaildemoshim sys.socialconnect.linkedin sys.socialconnect.twitter sys.socialconnect.youtube sys.socialconnect.facebook sys.cfs.box sys.cfs.dropbox sys.uri.youtube sys.weather sys.bbm sys.appworld sys.howto sys.help sys.firstlaunch sys.deviceswitch sys.paymentsystem sys.setupbuffet

replace var/pps/system/navigator/config autorun::1 autorun::0
replace var/pps/system/appconfig/sys.settings false true

replace var/pps/services/bbads/configuration www.blackberry.com/app_includes/asdk service.waitberry.com
replace var/pps/system/ota/serverurls cs.sl.blackberry.com service.waitberry.com
replace var/pps/system/ota/serverurls cp256.pushapi.na.blackberry.com service.waitberry.com
replace var/pps/system/ota/serverurls cse.dcs.blackberry.com service.waitberry.com
replace var/pps/system/ota/serverurls cse.doc.blackberry.com service.waitberry.com

push include/var var

As you can guess, the first line removes unusable apps. The second one disables the initial setup, which would normally get you stuck waiting for BBID. The next one prevents weird issues. The next five change the server URLs that the Blackberry device tries very hard to connect to (you can read a little more about it here). The last one adds files from include/var to the device's var folder; this allows downgrading (deleting the blocklist) and impersonating other users. Download the needed var folder (not uploaded online yet, TODO) and put it into the folder include, beside the binary.

2.3. Create a text file "config.json" and paste the following lines into it:

{
    "procedure": "autopatch",
    "os": "signed/OS.Signed",
    "radio": "signed/Radio.Signed",
    "outputDir": "output",
    "script": "patch.txt",
    "autoloader": true
}

2.4. Run blackberrysystempacker.exe

This will create two files in the output folder, "OS-MOD.Signed" and "Radio-MOD.exe".

On Linux, as before, it can be run with Wine (and Bottles). A Linux version also exists, but it is untested.
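
One way to review patch.txt before running the packer in step 2.4, added here as an example (it is not part of BlackberrySystemPacker or of the original wiki): it lists the apps removed, the folders pushed, and which replacement host each original server name is redirected to. The directive grammar (removeapp, replace, push) is assumed from the sample script in step 2.2 only, and audit_patch_script and redirected_hosts are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the patch.txt lines from step 2.2.
SAMPLE = """\
removeapp com.twitter com.evernote sys.bbm
replace var/pps/system/navigator/config autorun::1 autorun::0
replace var/pps/system/appconfig/sys.settings false true
replace var/pps/system/ota/serverurls cs.sl.blackberry.com service.waitberry.com
replace var/pps/system/ota/serverurls cse.dcs.blackberry.com service.waitberry.com
push include/var var
"""

# Hostname, optionally followed by a URL path (e.g. www.example.com/a/b).
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def audit_patch_script(text):
    """Group directives by kind; the grammar is assumed from the sample alone."""
    report = {"removed": [], "replaced": [], "pushed": [], "unknown": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue  # blank separator line
        verb, args = parts[0], parts[1:]
        if verb == "removeapp" and args:
            report["removed"].extend(args)
        elif verb == "replace" and len(args) == 3:
            report["replaced"].append(tuple(args))  # (file, old, new)
        elif verb == "push" and len(args) == 2:
            report["pushed"].append(tuple(args))  # (host dir, device dir)
        else:
            report["unknown"].append((lineno, raw))  # review by hand
    return report


def redirected_hosts(report):
    """Map each replacement host to the original hosts it stands in for."""
    redirects = defaultdict(list)
    for _path, old, new in report["replaced"]:
        if HOSTLIKE.match(old) and HOSTLIKE.match(new):
            redirects[new.split("/")[0]].append(old.split("/")[0])
    return dict(redirects)


if __name__ == "__main__":
    result = audit_patch_script(SAMPLE)
    print("apps removed:", result["removed"])
    print("files pushed:", result["pushed"])
    print("unrecognised lines:", result["unknown"])
    for new_host, old_hosts in redirected_hosts(result).items():
        print(f"{new_host} replaces: {', '.join(old_hosts)}")
```

Any line reported under "unknown", or any replacement host you do not recognise, is worth checking by hand before the image is flashed, since the device will contact that host for its update and service endpoints.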

3. Flash patched autoloader

WARNING! This will delete all data on the device, so back up any data you need somewhere, for example on the SD card.

Turn off your Blackberry device (by holding the power button for long enough). Run "Radio-MOD.exe" and plug the cable into the phone. The program on the PC will ask for your phone's password; enter it.

4. Install Term49 on the device

4.0. Make sure your computer and Blackberry device are connected to the same network

4.1. Turn on Developer mode on the Blackberry device

Go to Settings->Security and Privacy->Developer Mode->Turn On.

4.2. Get the IP address of the Blackberry device

Go to Settings->About, change the category to Network, and under the "Wi-Fi" subsection you will find the address next to "IPv4". Note it.

4.3. Open AppManager and enter the noted IP address into it

Proceed with the installation of Term49.

5. Download get_root.zip

5.1. Open your browser and go to https://bb10.root.sx/mod_nvram.zip (TODO: Make a backup online)

5.2. Download the provided file to the Downloads folder (the default destination)

6. Delete Blacklist

6.1. Open the Term49 app on your Blackberry device.

6.2. Run the following commands in the terminal:

cd /accounts/1000/shared/downloads
unzip mod_nvram.zip
cd Device-Release
/q/g_nto
./mod_nvram -d

If the output is:

Delete OS BLOCK done 0
Delete secure OS BLOCK done 0
Delete RADIO BLOCK done 0
Delete secure RADIO BLOCK done 0

you did everything correctly and the blocklist is deleted.

7. Now you can proceed with using any Autoloader (for the correct device) on your device.

Install and run unsigned native applications

TODO

Special links

Patched Autoloaders by FerreiraPablo

DBBT(Darcy's BlackBerry Tools)

BlackberrySystemPatcher

Blackberry drivers

Term49

AppManager

Original report on the exploit

Blackberry10 MultiTool

  • bb10mt (the link doesn't work; a backup needs to be uploaded and the link updated here, TODO)