Related
Just a heads up to those who may attempt relocking an unlocked bootloader:
As you probably know, the new Moto E required you to enable bootloader unlocking in the Android developer options menu before you can run the fastboot oem unlock XXXXX command. Unlocking the bootloader wipes the frp partition. Wiping frp restores the default state of OEM unlock disabled. When you relock the bootloader, even if you are already running signed official firmware for your model, the phone will refuse to boot until you reflash the system image. For most models of the Moto E, official firmware has not leaked. Different carriers and regions have different CIDs, even among retail devices, so even signed builds that leak are incompatible across different carriers.
End result: If you are not careful when relocking your bootloader, there is a high risk of soft bricking your device. I made such a mistake today. I just got a new Telus Moto E today, unlocked the bootloader, then relocked it while leaving the software unchanged. Unlocking wiped userdata, disabling re-unlocking. Relocking prevented my phone from booting up till I flashed a signed image that I didn't have, and I could no longer re-unlock either. This soft bricked my phone. Stock firmware signed for my model and region has not leaked. I was able to fix my phone through other means (not available), but for most of you on XDA, your phone would be effectively bricked if you did what I did.
Morals of the story:
Don't relock unless you have a reason to
Make sure you re-enable bootloader unlocking in Android before re-locking
Make sure you have a fastboot flashable official stock image signed to work with your carrier and region before re-locking the bootloader. Currently running the official firmware is not enough.
Is your model a GSM, or CDMA? I have a Boost 4G LTE that I'm having issues unlocking. If you have any ideas on this, hit me in PM so the thread stays on topic.
Peace,
Sox
Dammit, I wish I had seen this before I tried relocking my bootloader!
I'm going to try going through Motorola Customer Service and see where it gets me. I'll keep this thread updated with status: https://forums.motorola.com/posts/dd336f32ff
I did some reverse engineering of the bootloader to try to understand the underlying issues and see if I could find a workaround. See my first post on the above thread (near the bottom of the post) for my findings. In case anyone is curious, I'm attaching the decompiled code (assembly with annotations) from the aboot image in the bootloader. I obtained this by grabbing the XT1524_RETEUALL_MOTOE2 (4G-LTE) _5.0.2_LXI22.50-13_cid7_subsidy-DEFAULT_CFC.xml firmware from here, then running the following on an Ubuntu Utopic (14.10) machine:
Code:
unzip XT1524_*.xml.zip
# The general bootloader.img file format is described here: https://android.googlesource.com/device/lge/hammerhead/+/master/releasetools.py#98
# This bootloader.img is slightly different, but I was able to find the offsets of each section by searching for "ELF" in bootloader.img, and I simply looked at the first 100 bytes or so of bootloader.img to determine the order of the sections in the file
tail -c +520705 bootloader.img > temp
head -c 1048576 temp > aboot.img
sudo apt-get install radare2
radare2 aboot.img
# Within radare:
# Set some options
# Yes, there really is an option named anal.plugin ...
e anal.plugin=arm
e asm.arch=arm
e asm.cpu=arm
e asm.parser=arm.pseudo
e asm.bits=32
# Analyze the file
# This takes a while to run and causes radare to consume over 1GB of RAM
aa
# Find the offset/length of the .text section
S
# This takes even longer to run than 'aa', but only consumes about 100MB of additional RAM
pd 0x00086ba0 @ 0x8f600140 > aboot.asm
# Quit
q
Not sure if this is already common knowledge, but ...
While digging into the bootloader code further, I stumbled across this site where Qualcomm publishes versions of AOSP that are modified to work with various Qualcomm chips: https://www.codeaurora.org/projects/all-active-projects/android-msm
The source released on that site includes bootloader code: https://www.codeaurora.org/cgit/quic/la/kernel/lk
The branches and tags in that git repo are rather cryptic, but the chipset associated with each branch/tag is listed here: https://www.codeaurora.org/xwiki/bin/QAEP/release
(The LNX.LA.* branches/tags are for the msm8916_32 chip in the 2nd gen Moto E.)
It looks like Motorola's bootloader is based on this source code from Qualcomm. Qualcomm's open source implementation of the fastboot command handler is very primitive, so Motorola has replaced it with their own implementation, and it is Motorola's implementation that contains the bugs/misfeatures that cause our re-locking issue. However, much of the code called by Motorola's fastboot implementation is available in Qualcomm's repo, so having Qualcomm's source available makes reverse engineering of Motorola's fastboot implementation much easier.
I finally found a copy of the stock firmware for my phone!
http://forum.xda-developers.com/showpost.php?p=60448421&postcount=27
Flashing the original system image got me up and running again.
Top_Quark said:
I finally found a copy of the stock firmware for my phone!
http://forum.xda-developers.com/showpost.php?p=60448421&postcount=27
Flashing the original system image got me up and running again.
Click to expand...
Click to collapse
Works for me too
MotoE 2015LTE, XT1524,Germany
fxone said:
Works for me, too.
Moto E 2015 LTE, XT1524
Click to expand...
Click to collapse
this thread invigorated my flash lust !
keep us posted, dudes !
Droid Turbo XT1254 Marshmallow->Lollipop downgrade (unlocking bootloader)COMING SOON?
*this is new thread because I started last as Q&A by mistake so first 2 pages may look off with posts and answers.
DOWNGRADING EXPERIMENT TOPIC
So as you may know , after upgrading to Marshmallow OTA, on locked bootloader there won't be any option to unlock bootloader (ever as some people say) , sunshine officially doens't support Marshmallow. The only option is to downgrade which again isn't possible on locked BL..
Or is it ?
Introduction - skip to DOWNGRADE
First of all I'm not an programmer , but have some experience with locked down motorola's bl's , firmware's ,downgrades and so on..
I'm sure when somebody says impossible, it doesn't really mean impossible, but rather not worthy to some. So in my case I bought the phone few days ago, wasn't fully up to date with infos on unlocking BL so didn't check FW version when buying , just after I checked and phone was updated on MM 1-2 days before buying it. On not unlockable BL phone will become useless to me very soon, while unlocked I would plan to have it for long period of time. It goes in Verzion's favour for me to ditch the phone and buy a new one except I'm not in USA , there are no Verzion services in my country and if there were I would never ever buy (again) anything from Verzion. Well I lived in Japan , and there is network Softbank which is well.. Imagine Verizon but on steroids when it comes to tying people down, locked bootloaders and software, insane fee's and so on.. Well that Softbank bough Verizon some time ago .. I was avoiding them at all cost, but on to the topic now.
DOWNGRADE - fastboot
I would like to invite everybody who is interested in this and who can help to participate in this. Every programmer that has time and can contribute would be greatly appreciated! In return I'm willing to sacrifice my phone and my time , even paying some reasonable donations.
While experimenting in the end I was able to flash all bootloader files from various different versions including all partitions related to it which gets upgraded. Even managed to flash XT1250 MM bootloader. Bootloader version DOES change in bootloader / fastboot ,But it doesn't mean ANYTHING. While downgrading , something else, possibly other parts of bootloader obviously search for match and there is more to it than simple bootloader , more experienced , chime on in here! SElinux enforcing? Verity?
(see attachments)
SU4TL-49 bootloader.img to motoboot flash - Successfully
SU4TL-49 manually flashing 1 by 1:
tz.mbn -[/B] Successfully
SBL1.mbn (bootloader) - [/B] Successfully
sdi.mbn - [/B] Successfully
fsg.mbn to mdm1m9kefs3 - [/B] Successfully
rpm.mbn - [/B] Successfully
emmc_appsboot.mbn to aboot - [/B] Successfully
gpt.bin to "partition" , it's the partitions info partition, people say it can't be downgraded or flashed cross versions. After some experimenting mfastboot failed but fastboot succeded, on some versions mfastboot worked - [/B] Successfully
What I can't get to downgrade / cross flash no mather which bootloader and combinations of firmware im on :
boot.img
recovery.img
system,img (sparse_chunk files)
I will go deeper, but hope that new full firmware SBF will be released soon in case of brick. Verzion is slow. I'm making my own full 6.0.1 xml.zip based on full flashable zip's , repacked system.img sparsechunks, rewrited the script but can't get to flash system files due to invalid signed image. Any help with that? It would also help already bricked guys because who knows when'll Verzion release it..
Downgrade OTA way , stock Android Recovery
While stock android recovery is pretty much useless, it can do software upgrades OTA on a fully stock system , which we on locked bootloaders and MM have.
In my opinion , the way is to trick stock recovery into thinking it's flashing ota, and that whole envieroment is like recovery is expecting it while it's actually flashing downgraded version full / close to full firmware in combination with you flashing some partitions manually through fastboot. OTA's contain only "patch" and just replaces files which get changed on new SW. Or even maybe reverse OTA downgrade?
I've made my own update.zip and signed it , but so far get footer size is wrong error so can't flash it .. Need more help here too..
That looks promising!
Marshmallow feels slower than lollipop for me and I wish I could downgrade but I just can't!
I am looking forward to see what you can do about this issue
Good luck bro!
sorry for my mistake, I do not intend to comment here
@EjđiSixo
How to remove the "signed" of system image or bypass it? Fastboot or RSD are stuck at flashing system image. Does this "sign" relate to boot, recovery, partition? Or it's simply the "sign" to prevent downgrade???
I've never succeeded with partition downgrade...
---------- Post added at 10:29 PM ---------- Previous post was at 10:19 PM ----------
when I was flashing the only system.img (3GB), it said that "wrong at header magi". But after a bit time, fastboot separated the file and began to flash. But still failed because of signed image.
I've tried to remove the code from updater-script but it could not write files to system
Not out yet!
Thanks! I think if we all try , we can do it ! For now main focus is downgrading anyhow, even to half working Lollipop just in the purpose of unlocking bootloader with sunshine.
@mr_5kool
Feel free to comment and ask / suggest, thats what this topic is for!
Unforutenately thats the part I haven't yet figured out myself. It is a " permissions" to prevent the downgrade , bootloader and possibly something else checks current version / keys / properly signed image and then flashes. With other bootloader I'm still not able to flash it because it's obviously locked. Motorola probably signs their images differently.
You can't flash 3GB image because when flashing, phone recieve's partition first to ram so max download size is set to 255mb per file. You have to repack system.img to sparse chunks. But you don't have to bother with it , I already repacked system.img which I found at fully stock flashable MCG24.251-5 . It again failed due to invalid signed image . If we could figure out what is exactly signed and how , that would open a lot more possibilities. Possibly even flashing prerooted roms on locked bootloader. There are more possibilities , who knows..
Currently the only thing notices downgrade when flashing is recovery. In bootloader log says I tried to downgrade. Even with downgraded bootloader (kind of, there is sbl2 and sbl3 but they don't get upgraded )
Anyway, I tried something just for the "gags" . Flashed all partitions of XT1250 bootloader. Got to Motorola's site, posted "unlock bootloader data". It returned it's not unlockable of course.. The first sequence of numbers in data is your imei , it starts with 99 and it's verzion's specific imei.
My theory is that motorola ties unlock bootloader data to every phone and imei and stores it in database ( please confirm) . So even with moto maxx bootloader I can't unlock because :
1 it reads my verzion imei
2 it doesn't find alltogether data in the database..
I don't know what are other numbers in the data you get from fastboot, possibly some serial numbers and so on, haven't really checked it .. That's why i think this method is not possible at all for now. Manipulating that data in your phone and running it through motorola's site knowing that exact same code works for some device might be possible, but I think there is really way too much impossible messing involved. If somebody can share more about this?
lol
http://forum.xda-developers.com/dro...ficial-marshmallow-build-mcg24-t3512813/page2
I've renamed it like suggested in the post #11
Download link is at 1st page. It's just a OTA.
Yes I just renamed it.
IT DOESN'T WORK WITH ADB AND YOU CAN'T FLASH IT AGAIN THROUGH RECOVERY. ITS OTA.
EDIT: The post that I was responding to has been removed.
The method to downgrade from Lollipop to Kitkat is the same with what I've done. It may be possible. Some said that "impossible to downgrade with locked bootloader on vrz". So the system image may be signed with bootloader (or imei, serial or something else, god know).
The unlock method of Sunshine takes place in Trustzone (sbl2). They cannot get unlock code.
You succesfully downgraded LL to KK on droid? There is partition for trust zone alone "tz.mbn" , downgradable without any problem. I only see sbl1 get's upgraded on droid turbo , never saw in any firmware sbl2 or 3 yet.. So I'm little confused.. I remember I saw some PDF regarding that..
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
Finally managed to *Brick my devices while trying to make latest sbf firmware (what an irony ) because used some of files from that stupid OTA . Tried flashing all possible firmware I have but it doesn't fix it so system got corrupted probably and for now didn't succed flashing any of the available systems. Flashing MM recovery doesn't help. It's a " recovery loop".
Basically phone starts , vibrates , goes into recovery, it says "erasing" , it does the factory reset then restarts and over and over again erasing restarting loop.
I'll continue exploring downgrade options but top priority now is making working marshmallow sbf or waiting for stupid Verzion to release it already. Just checked with SUA and it still doesn't show repair so firmware isn't available still.
Biggest problem is signed system images which are probably signed by RSA and I need help with that..
I have same problem erasing
Can't flash SU4TL gpt.bin anymore , so success was definitely connected to experiment and steps I did so I'll investigate more.
@EjđiSixo
I have never tried before. My Moto X2013 failed to downgrade from LL to KK, too. So, it's the common problem of Verizon Motorola Devices.
If you have problem with "erasing", just enter recovery by "hold power button for a while then fast press volume up button". Phone will enter recovery and do the factory reset. But when rebooting the system, "erasing" appear again.
If partition is dead, flash the higher version, commonly gpt and tz.
PS: still waiting for the official xml firmware
ChazzMatt said:
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
side note, I hate this Q&A format. Not sure why XDA even has it. You can't even format URL links correctly.
Click to expand...
Click to collapse
mr_5kool said:
@EjđiSixo
I have never tried before. My Moto X2013 failed to downgrade from LL to KK, too. So, it's the common problem of Verizon Motorola Devices.
If you have problem with "erasing", just enter recovery by "hold power button for a while then fast press volume up button". Phone will enter recovery and do the factory reset. But when rebooting the system, "erasing" appear again.
If partition is dead, flash the higher version, commonly gpt and tz.
PS: still waiting for the official xml firmware
Click to expand...
Click to collapse
I wonder if there is any way to force Verizon to release firmware. This is really low of the lowest, it says 1 week after OTA , now it's almost 1 month. Until somebody forces them , it can be months as far as they are considered. No help from developers / programmers either on any of 2 subjects so don't see my method of full MM SBF working.
god know
:v
ChazzMatt said:
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
Click to expand...
Click to collapse
Exactly brother .
I solved my problem .
I can downgrade from Marshmallow to lollipop is very easy for my ..
But first step is unlocked bootloader from lollipop..
Sent from my XT1254 using XDA Free mobile app
Yeah people , we all know everything can be done with unlocked bootloader. It's a GOD mode. Nothing strange about downgrading with unlocked BL. This topic is for people stuck on locked BL like myself to try to odowngrade on lollipop only in purpose of UNLOCKING BL. So let's for now focus on locked BL's.
Hi,
I have G4 Plus XT1642 (retapac). It came shipped with 6.0.1 MPJ24.139-48 preinstalled.
Well i flashed, deleted, maybe bricked and then made it work again with the latest version i wanted to have (139-63) and then rooted it. Everything worked/works, but the wifi mac shows as 02 000000 or something (but no problem with that, wifi mac is fixed with some earlier backup i have, it also gets fixed when i flash to original).
But the worst thing is: Both IMEI show as 0. In the setting menu, and also when dialing the command *#06# (Both IMEIs show 0).
It gave some errors at fastboot because of "downgrade" or so, but i think that's not the issue.
I tried everything, also reflashed to my original version (ATHENE_MPJ24.139-48_cid50_subsidy-DEFAULT_CFC.xml.zip). Everything is fine, wifi mac displays as original also, but IMEIs still are 0.
No matter what I do, both IMEI show as 0, and SIM cards don't work ofcourse (they work, show carrier names etc but don't get accepted, ---> "emergency calls only", because IMEI is 0 i think.
Before you ask: No i don't have a very early TWRP backup from before flashing, deleted it because I had later backup I though everything was working, didn't try any SIM at that time.
How can I fix this? Is there any hope?
What gives me the little hope: At "boot thing" when I type fastboot getvar imei, it shows the correct imei! It doesn't list the second sim though.
Thanks in advance!
bauss1 said:
Hi,
I have G4 Plus XT1642 (retapac). It came shipped with 6.0.1 MPJ24.139-48 preinstalled.
Well i flashed, deleted, maybe bricked and then made it work again with the latest version i wanted to have (139-63) and then rooted it. Everything worked/works, but the wifi mac shows as 02 000000 or something (but no problem with that, wifi mac is fixed with some earlier backup i have, it also gets fixed when i flash to original).
But the worst thing is: Both IMEI show as 0. In the setting menu, and also when dialing the command *#06# (Both IMEIs show 0).
It gave some errors at fastboot because of "downgrade" or so, but i think that's not the issue.
I tried everything, also reflashed to my original version (ATHENE_MPJ24.139-48_cid50_subsidy-DEFAULT_CFC.xml.zip). Everything is fine, wifi mac displays as original also, but IMEIs still are 0.
No matter what I do, both IMEI show as 0, and SIM cards don't work ofcourse (they work, show carrier names etc but don't get accepted, ---> "emergency calls only", because IMEI is 0 i think.
Before you ask: No i don't have a very early TWRP backup from before flashing, deleted it because I had later backup I though everything was working, didn't try any SIM at that time.
How can I fix this? Is there any hope?
What gives me the little hope: At "boot thing" when I type fastboot getvar imei, it shows the correct imei! It doesn't list the second sim though.
Thanks in advance!
Click to expand...
Click to collapse
https://firmware.center/firmware/Motorola/Moto G4 (Plus)/Stock/XT1642/
#for marshmallow
Try to flash modem files for your phone
https://forum.xda-developers.com/moto-g4-plus/how-to/moto-g4-plus-xt1640-43-athene-npj25-93-t3549369
#for nougat
BlackBeats said:
https://firmware.center/firmware/Motorola/Moto G4 (Plus)/Stock/XT1642/
#for marshmallow
Try to flash modem files for your phone
https://forum.xda-developers.com/moto-g4-plus/how-to/moto-g4-plus-xt1640-43-athene-npj25-93-t3549369
#for nougat
Click to expand...
Click to collapse
Yes. Did exactly that. Flashed the files of XT1642_ATHENE_6.0.1_MPJ24.139-48_cid50_subsidy-DEFAULT_CFC.xml.zip ... with the commands
Code:
fastboot oem fb_mode_set
fastboot flash partition gpt.bin
fastboot flash bootloader bootloader.img
fastboot flash logo logo.bin
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot flash dsp adspso.bin
fastboot flash oem oem.img
fastboot flash system system.img_sparsechunk.0
fastboot flash system system.img_sparsechunk.1
fastboot flash system system.img_sparsechunk.2
fastboot flash system system.img_sparsechunk.3
fastboot flash system system.img_sparsechunk.4
fastboot flash system system.img_sparsechunk.5
fastboot flash system system.img_sparsechunk.6
fastboot flash system system.img_sparsechunk.7
fastboot flash modem NON-HLOS.bin
fastboot erase modemst1
fastboot erase modemst2
fastboot flash fsg fsg.mbn
fastboot erase cache
fastboot erase userdata
fastboot erase customize
fastboot erase clogo
fastboot oem fb_mode_clear
fastboot reboot
Showed some "errors" at fastboot at some, but I think that was normal. And flashing worked.
But in the end, both IMEI are still 0.
Even reflashed the NON-HLOS.bin. IMEI numbers are still 0.
Additional information:
The original version this retapac XT1642 G4 plus came shipped with was MPJ24.139-48.
I then wanted to update to the latest non-nougat version, which is MPJ24.139-63.
I could not update directly to MPJ24.139-63 from MPJ24.139-48. (Because the internal recovery showed error, that flashed version must origin from MPJ24.139-23.4).
So I overflashed (with fastboot) to MPJ24.139-23.4. So the version then was even lower than it came shipped with lol. Then from MPJ24.139-23.4, used the internal recovery (not TWRP), to apply the OTA update file MPJ24.139-63. Since then the Wifi mac was 020000000 or something, sometimes random wifi disconnects, and imei 0. After going back to original again, wifi mac is fixed, but sim imei numbers still are 0.
Edit: not sure if the imei and wifi errors accured since MPJ24.139-23.4, or after the OTA update file, or sometime inbetween because i deleted something in TWRP.
bauss1 said:
Additional information:
The original version this retapac XT1642 G4 plus came shipped with was MPJ24.139-48.
I then wanted to update to the latest non-nougat version, which is MPJ24.139-63.
I could not update directly to MPJ24.139-63 from MPJ24.139-48. (Because the internal recovery showed error, that flashed version must origin from MPJ24.139-23.4).
So I overflashed (with fastboot) to MPJ24.139-23.4. So the version then was even lower than it came shipped with lol. Then from MPJ24.139-23.4, used the internal recovery (not TWRP), to apply the OTA update file MPJ24.139-63. Since then the Wifi mac was 020000000 or something, sometimes random wifi disconnects, and imei 0. After going back to original again, wifi mac is fixed, but sim imei numbers still are 0.
Click to expand...
Click to collapse
Try flashing nougat I guess downgrade created a problem
BlackBeats said:
Try flashing nougat I guess downgrade created a problem
Click to expand...
Click to collapse
I don't want nougat. Can I go back to MPJ24.139-63 from nougat? But maybe worth a try if nobody knows any other possibility
bauss1 said:
I don't want nougat. Can I go back to MPJ24.139-63 from nougat? But maybe worth a try if nobody knows any other possibility
Click to expand...
Click to collapse
Try removing oem fb set command
If it doesn't work then flash nougat then use 6.0.1 custom ROM
Edit fb_mode_set
Flashed everything again, without the fastboot oem fb_mode_set (MPJ24.139-48). Both IMEIs are still 0, everything else is fine though, original wifi mac.
---
Then took original over the air update it offered me (NPJ25.93-14). Installed without problems.
But, guess what.... it made things worse.
Now i am on NPJ25.93-14, the IMEIs still are 0, and the wifi mac address is at 02:00:00:00:00:00 again.
What I noticed is, in settings it shows the IMEI SV (Slot1) and IMEI SV (Slot2). They both changed to 08. I think they were 03 or so before.
Edit: In the boot recovery thing it says the usual stuff:
Battery OK (Charging)
flashing_unlocked
Software status: Official
...
So... updating to Nougat did not help, made things worse (wifi mac weird again, IMEI still 0).
Any other ideas?
Anyone looking for the solution to this problem, it has been fixed here: [Guide] [XT16XX] [Solve] Moto G4/Plus IMEI=0 issue
The way to get rid of the warning caused by unlocking the bootloader on other phones would be to flash the proper bootloader logo in fastboot using:
Code:
fastboot flash logo logo.bin
This is how I did it on my old LG Nexus 5X.
Does anyone have the correct logo for the V20? Has anyone tried this on the V20?
It's not a logo file. It's located in aboot and you can't change it.
androiddiego said:
It's not a logo file. It's located in aboot and you can't change it.
Click to expand...
Click to collapse
That wasn't true on the 5X: https://forum.xda-developers.com/ne...-change-bootlogo-images-imgdata-tool-t3240052
Are you positive that it's different now?
Sizzlechest said:
That wasn't true on the 5X: https://forum.xda-developers.com/ne...-change-bootlogo-images-imgdata-tool-t3240052
Are you positive that it's different now?
Click to expand...
Click to collapse
Here is the tool that might be useful to search for and dump the relevant partition, mount it and investigate the source of the picture and text warning:
Partitions Backup & Restore
https://play.google.com/store/apps/details?id=ma.wanam.partitions
In the best case scenario, even use reverse engineering to skip the warning and its delay altogether, anyone?
Or is aboot non-writable?
You modify aboot in any way / shape / or form, and you better open a ticket with LG. When you unlock your bootloader, that stops aboot from verifying the signature of boot, laf, and recovery. XBL still very much does verification of all the other pieces of firmware. One of the first things it checks is the signature of aboot. If aboot has been modified, or wasn't signed with the same RSA cert that matches the RSA key that is in your model's QFPROM, then the phone goes into 9008 mode. At this time, there is no fixing that -- except sending it back to LG (and there may never be now that LG uses UFS nand in their phones).
-- Brian
I've personally looked into this and looks like it can't be changed.
I'm pretty sure the images is in the *raw_resources* partition. Look here.
It must be very hard to modify though considering LG use it for (all?) many models, since I've only found a single development thread for it, and as you'll see that didn't go very far.
@askermk2000 You are correct. Every single boot, charging, download mode, etc image is on that partition, and it isn't signed / checked, so modify away with no risk of bricking your phone.
There is an index with offsets for each image, but the format of the images isn't immediately obvious.
-- Brian
runningnak3d said:
@askermk2000 You are correct. Every single boot, charging, download mode, etc image is on that partition, and it isn't signed / checked, so modify away with no risk of bricking your phone.
There is an index with offsets for each image, but the format of the images isn't immediately obvious.
-- Brian
Click to expand...
Click to collapse
so it is indeed possible to change the unlocked bootloader warning?
Security wise, there is no reason that you can't change them. It looks like LG is using RLE encoding, so finding the start and end of an image is going to be interesting. There are offsets in the index, but they don't seem to align.
Also, while I don't think having a corrupt raw_resources partition would give you a 9008 brick, you might want to have a backup ready to flash if you decide to modify it. But, (and there is always a but), since aboot loads this, if aboot pukes and doesn't load, that WILL give you a 9008 brick.
If I were you, I would buy a used V10 off of eBay, and test on that since you can recover from a 9008 with an SD card.
-- Brian
I tried a bunch of things in an attempt to root AT&T's LG K20 (the LGM255), to no avail.
After unlocking bootloader (so says in the options, I don't think it actually did), I tried fiddling with Lekensteyn's LGLAF tool and various forks of it by steadfasterX and others. Tried pushing a TWRP image I made after being able to extract boot/recovery images using the aforementioned tool. LAF did not pushing that image but was fine with deleting partitions from the phone.
I took the risk of deleting the LAF partition in order to get access to fastboot. While it did, just my luck, the lk variant of fastboot on the phone is stripped of essentially all functionally except for get-var and devices. Meaning I cannot flash anything, or modify any variables.
Have no means to restore the LAF partition (well, there is one way I know of possibly, but want to save it as a last resort cause the probability it would work is low and risks bricking completely).
Now there is an lafbak partition, but cant do anything with it.
Theres some background, but here is my real question:
If I were to accept an FOTA update from AT&T, although it would update the firmware to a new version, would it restore or possibly flash a new LAF partition so that I could go into its LAF/Factory Reset mode again?