Droid Turbo XT1254 Marshmallow -> Lollipop downgrade (unlocking bootloader) COMING SOON?
*this is new thread because I started last as Q&A by mistake so first 2 pages may look off with posts and answers.
DOWNGRADING EXPERIMENT TOPIC
So as you may know, after upgrading to Marshmallow OTA, on a locked bootloader there won't be any option to unlock the bootloader (ever, as some people say); Sunshine officially doesn't support Marshmallow. The only option is to downgrade, which again isn't possible on a locked BL..
Or is it ?
Introduction - skip to DOWNGRADE
First of all I'm not a programmer, but have some experience with locked-down Motorola BLs, firmwares, downgrades and so on..
I'm sure when somebody says impossible, it doesn't really mean impossible, but rather not worth it to some. So in my case I bought the phone a few days ago, wasn't fully up to date with info on unlocking the BL so didn't check the FW version when buying; I checked just after, and the phone was updated to MM 1-2 days before I bought it. With a non-unlockable BL the phone will become useless to me very soon, while unlocked I would plan to have it for a long period of time. It goes in Verizon's favour for me to ditch the phone and buy a new one, except I'm not in the USA, there are no Verizon services in my country and if there were I would never ever buy (again) anything from Verizon. Well, I lived in Japan, and there is a network, Softbank, which is well.. Imagine Verizon but on steroids when it comes to tying people down, locked bootloaders and software, insane fees and so on.. Well, that Softbank bought Verizon some time ago.. I was avoiding them at all cost, but on to the topic now.
DOWNGRADE - fastboot
I would like to invite everybody who is interested in this and who can help to participate. Every programmer that has time and can contribute would be greatly appreciated! In return I'm willing to sacrifice my phone and my time, even paying some reasonable donations.
While experimenting, in the end I was able to flash all bootloader files from various different versions, including all partitions related to it which get upgraded. Even managed to flash the XT1250 MM bootloader. The bootloader version DOES change in bootloader / fastboot, but it doesn't mean ANYTHING. While downgrading, something else, possibly other parts of the bootloader, obviously searches for a match and there is more to it than a simple bootloader. More experienced, chime on in here! SELinux enforcing? Verity?
(see attachments)
SU4TL-49 bootloader.img to motoboot flash - Successfully
SU4TL-49 manually flashing 1 by 1:
tz.mbn - Successfully
SBL1.mbn (bootloader) - Successfully
sdi.mbn - Successfully
fsg.mbn to mdm1m9kefs3 - Successfully
rpm.mbn - Successfully
emmc_appsboot.mbn to aboot - Successfully
gpt.bin to "partition", it's the partitions info partition, people say it can't be downgraded or flashed cross versions. After some experimenting mfastboot failed but fastboot succeeded, on some versions mfastboot worked - Successfully
What I can't get to downgrade / cross flash no matter which bootloader and combinations of firmware I'm on:
boot.img
recovery.img
system.img (sparse_chunk files)
I will go deeper, but hope that a new full firmware SBF will be released soon in case of brick. Verizon is slow. I'm making my own full 6.0.1 xml.zip based on full flashable zips, repacked system.img sparsechunks, rewrote the script but can't get the system files to flash due to invalid signed image. Any help with that? It would also help already bricked guys because who knows when Verizon will release it..
Downgrade OTA way , stock Android Recovery
While stock Android recovery is pretty much useless, it can do software upgrades OTA on a fully stock system, which we on locked bootloaders and MM have.
In my opinion, the way is to trick stock recovery into thinking it's flashing an OTA, and that the whole environment is like recovery is expecting it, while it's actually flashing a downgraded version of full / close to full firmware in combination with you flashing some partitions manually through fastboot. OTAs contain only a "patch" and just replace files which get changed in the new SW. Or even maybe a reverse OTA downgrade?
I've made my own update.zip and signed it, but so far get footer size is wrong error so can't flash it.. Need more help here too..
That looks promising!
Marshmallow feels slower than lollipop for me and I wish I could downgrade but I just can't!
I am looking forward to see what you can do about this issue
Good luck bro!
sorry for my mistake, I do not intend to comment here
@EjđiSixo
How to remove the "signed" of system image or bypass it? Fastboot or RSD are stuck at flashing system image. Does this "sign" relate to boot, recovery, partition? Or it's simply the "sign" to prevent downgrade???
I've never succeeded with partition downgrade...
---------- Post added at 10:29 PM ---------- Previous post was at 10:19 PM ----------
when I was flashing the only system.img (3GB), it said that "wrong at header magi". But after a bit time, fastboot separated the file and began to flash. But still failed because of signed image.
I've tried to remove the code from updater-script but it could not write files to system
Not out yet!
Thanks! I think if we all try, we can do it! For now the main focus is downgrading anyhow, even to a half-working Lollipop, just for the purpose of unlocking the bootloader with Sunshine.
@mr_5kool
Feel free to comment and ask / suggest, that's what this topic is for!
Unfortunately that's the part I haven't yet figured out myself. It is a "permissions" to prevent the downgrade, bootloader and possibly something else checks current version / keys / properly signed image and then flashes. With other bootloader I'm still not able to flash it because it's obviously locked. Motorola probably signs their images differently.
You can't flash a 3GB image because when flashing, the phone receives the partition first to RAM so max download size is set to 255mb per file. You have to repack system.img to sparse chunks. But you don't have to bother with it, I already repacked the system.img which I found at fully stock flashable MCG24.251-5. It again failed due to invalid signed image. If we could figure out what exactly is signed and how, that would open a lot more possibilities. Possibly even flashing prerooted ROMs on a locked bootloader. There are more possibilities, who knows..
Currently the only thing that notices the downgrade when flashing is recovery. The bootloader log says I tried to downgrade. Even with downgraded bootloader (kind of, there is sbl2 and sbl3 but they don't get upgraded).
Anyway, I tried something just for the "gags". Flashed all partitions of the XT1250 bootloader. Got to Motorola's site, posted "unlock bootloader data". It returned it's not unlockable of course.. The first sequence of numbers in the data is your IMEI, it starts with 99 and it's Verizon's specific IMEI.
My theory is that Motorola ties unlock bootloader data to every phone and IMEI and stores it in a database (please confirm). So even with the Moto Maxx bootloader I can't unlock because:
1 it reads my Verizon IMEI
2 it doesn't find the data altogether in the database..
I don't know what the other numbers are in the data you get from fastboot, possibly some serial numbers and so on, haven't really checked it.. That's why I think this method is not possible at all for now. Manipulating that data in your phone and running it through Motorola's site knowing that exact same code works for some device might be possible, but I think there is really way too much impossible messing involved. If somebody can share more about this?
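The download-size limit and sparse-chunk repacking described in the post above, as an added example that is not part of the original thread: a Python parser for the Android sparse image format that checks the header magic and chunk table and compares the transfer size with the device's download limit. The 255 MB limit is the figure from the post, and the sample image is constructed for the example.

```python
import struct

SPARSE_MAGIC = 0xED26FF3A                 # first 4 bytes of every sparse image
FILE_HDR = struct.Struct("<IHHHHIIII")    # 28-byte sparse file header
CHUNK_HDR = struct.Struct("<HHII")        # 12-byte chunk header
RAW, FILL, DONT_CARE, CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
NAMES = {RAW: "raw", FILL: "fill", DONT_CARE: "dont_care", CRC32: "crc32"}


def parse_sparse(data):
    """Validate a sparse image and return its layout; ValueError if malformed."""
    if len(data) < FILE_HDR.size:
        raise ValueError("truncated file header")
    (magic, major, _minor, file_hdr_sz, chunk_hdr_sz,
     blk_sz, total_blks, total_chunks, _csum) = FILE_HDR.unpack_from(data)
    if magic != SPARSE_MAGIC:
        raise ValueError("bad header magic 0x%08x: not a sparse image" % magic)
    if major != 1 or file_hdr_sz < FILE_HDR.size or chunk_hdr_sz < CHUNK_HDR.size:
        raise ValueError("unsupported header layout")
    if blk_sz == 0 or blk_sz % 4:
        raise ValueError("block size must be a non-zero multiple of 4")
    off, blocks, chunks = file_hdr_sz, 0, []
    for i in range(total_chunks):
        if off + chunk_hdr_sz > len(data):
            raise ValueError("chunk %d: truncated header" % i)
        ctype, _rsvd, nblk, total_sz = CHUNK_HDR.unpack_from(data, off)
        if ctype not in NAMES:
            raise ValueError("chunk %d: unknown type 0x%04x" % (i, ctype))
        # Payload size each chunk type must carry after its header.
        want = {RAW: nblk * blk_sz, FILL: 4, DONT_CARE: 0, CRC32: 4}[ctype]
        if total_sz != chunk_hdr_sz + want or off + total_sz > len(data):
            raise ValueError("chunk %d: size fields inconsistent" % i)
        chunks.append((NAMES[ctype], nblk))
        blocks += nblk
        off += total_sz
    if blocks != total_blks:
        raise ValueError("chunks cover %d blocks, header says %d" % (blocks, total_blks))
    return {"block_size": blk_sz, "chunks": chunks,
            "file_bytes": off, "expanded_bytes": blocks * blk_sz}


def fits_download_limit(data, max_download_size):
    """True if the file as sent over USB fits the device's download buffer."""
    return len(data) <= max_download_size


def build_sample():
    """Constructed sample: 2 raw blocks, 1000 skipped blocks, 3 filled blocks."""
    blk = 4096
    body = CHUNK_HDR.pack(RAW, 0, 2, 12 + 2 * blk) + b"\xAA" * (2 * blk)
    body += CHUNK_HDR.pack(DONT_CARE, 0, 1000, 12)
    body += CHUNK_HDR.pack(FILL, 0, 3, 16) + struct.pack("<I", 0)
    return FILE_HDR.pack(SPARSE_MAGIC, 1, 0, 28, 12, blk, 1005, 3, 0) + body


if __name__ == "__main__":
    LIMIT = 255 * 1024 * 1024   # assumed limit, taken from the figure in the post
    img = build_sample()
    print(parse_sparse(img), fits_download_limit(img, LIMIT))
    try:
        parse_sparse(b"\x00" * 4096)       # raw image: no sparse magic
    except ValueError as err:
        print("rejected:", err)
```

The sample expands to far more bytes than it occupies on disk, which is why a partition larger than the download buffer can still be sent as a series of sparse files; none of this affects the signature check that rejected the image in the thread.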
lol
http://forum.xda-developers.com/dro...ficial-marshmallow-build-mcg24-t3512813/page2
I've renamed it like suggested in the post #11
Download link is at 1st page. It's just a OTA.
Yes I just renamed it.
IT DOESN'T WORK WITH ADB AND YOU CAN'T FLASH IT AGAIN THROUGH RECOVERY. ITS OTA.
EDIT: The post that I was responding to has been removed.
The method to downgrade from Lollipop to Kitkat is the same with what I've done. It may be possible. Some said that "impossible to downgrade with locked bootloader on vrz". So the system image may be signed with bootloader (or imei, serial or something else, god know).
The unlock method of Sunshine takes place in Trustzone (sbl2). They cannot get unlock code.
You successfully downgraded LL to KK on Droid? There is a partition for trust zone alone, "tz.mbn", downgradable without any problem. I only see sbl1 gets upgraded on Droid Turbo, never saw sbl2 or 3 in any firmware yet.. So I'm a little confused.. I remember I saw some PDF regarding that..
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
Finally managed to *brick my device while trying to make the latest SBF firmware (what an irony) because I used some of the files from that stupid OTA. Tried flashing all possible firmware I have but it doesn't fix it, so the system got corrupted probably, and for now I didn't succeed in flashing any of the available systems. Flashing MM recovery doesn't help. It's a "recovery loop".
Basically the phone starts, vibrates, goes into recovery, it says "erasing", it does the factory reset, then restarts, and over and over again an erasing-restarting loop.
I'll continue exploring downgrade options but top priority now is making a working Marshmallow SBF or waiting for stupid Verizon to release it already. Just checked with SUA and it still doesn't show repair so firmware still isn't available.
Biggest problem is signed system images, which are probably signed by RSA, and I need help with that..
I have same problem erasing
Can't flash SU4TL gpt.bin anymore , so success was definitely connected to experiment and steps I did so I'll investigate more.
@EjđiSixo
I have never tried before. My Moto X2013 failed to downgrade from LL to KK, too. So, it's the common problem of Verizon Motorola Devices.
If you have problem with "erasing", just enter recovery by "hold power button for a while then fast press volume up button". Phone will enter recovery and do the factory reset. But when rebooting the system, "erasing" appear again.
If partition is dead, flash the higher version, commonly gpt and tz.
PS: still waiting for the official xml firmware
ChazzMatt said:
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
side note, I hate this Q&A format. Not sure why XDA even has it. You can't even format URL links correctly.
mr_5kool said:
@EjđiSixo
I have never tried before. My Moto X2013 failed to downgrade from LL to KK, too. So, it's the common problem of Verizon Motorola Devices.
If you have problem with "erasing", just enter recovery by "hold power button for a while then fast press volume up button". Phone will enter recovery and do the factory reset. But when rebooting the system, "erasing" appear again.
If partition is dead, flash the higher version, commonly gpt and tz.
PS: still waiting for the official xml firmware
I wonder if there is any way to force Verizon to release firmware. This is really low of the lowest, it says 1 week after OTA , now it's almost 1 month. Until somebody forces them , it can be months as far as they are considered. No help from developers / programmers either on any of 2 subjects so don't see my method of full MM SBF working.
god know
:v
ChazzMatt said:
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
Exactly brother .
I solved my problem .
I can downgrade from Marshmallow to Lollipop, it is very easy for me..
But the first step is an unlocked bootloader from Lollipop..
Yeah people, we all know everything can be done with an unlocked bootloader. It's a GOD mode. Nothing strange about downgrading with an unlocked BL. This topic is for people stuck on a locked BL like myself to try to downgrade to Lollipop only for the purpose of UNLOCKING the BL. So let's for now focus on locked BLs.
Will I brick a device if I only flash a newest 'gpt.bin'? Just one single file.
Code:
fastboot flash partition gpt.bin
WITHOUT flashing 'bootloader.img'
It's possible you may be able to flash gpt.bin and not have your device brick, I suspect however you may be setting your device up for a later hard brick, e.g. if you were to take an OTA. Previous hard bricks on Moto devices have likely been caused by a mismatch between the GPT/bootloader and the system (especially when taking OTA updates that may not have as stringent checks as the fastboot). https://forum.xda-developers.com/moto-x-2014/general/warning-downgrade-bootloader-partition-t3105147 for what could happen.
What are you attempting to achieve by simply just flashing the GPT?
echo92 said:
What are you attempting to achieve by simply just flashing the GPT?
Well, ideally, I want the newest bootloader 81.0C, as I explained in my another post Bootloader 81.0C (sha-7ca0393, 2017-03-20).
I believe LineageOS is better off with BL 81.0C
Specifically, "Advanced Restart" works better with BL 81.0C.
While with older bootloaders, the following happens:
Hang up/freeze on "Advanced Restart"
rybshik said:
Well, ideally, I want the newest bootloader 81.0C, as I explained in my another post Bootloader 81.0C (sha-7ca0393, 2017-03-20).
I believe LineageOS is better off with BL 81.0C
Specifically, "Advanced Restart" works better with BL 81.0C.
While with older bootloaders, the following happens:
Hang up/freeze on "Advanced Restart"
In your subsequent post, however, you appear to have concluded the custom logo.bin was the issue causing the restart hang? https://forum.xda-developers.com/showpost.php?p=73292757&postcount=449
As was explained in another reply to your queries, the bootloader isn't one partition, but a lot of individual partitions (e.g. tz, aboot sbl). Although in theory you could dd those partitions from another device, as you proposed, I do not know if there are any verification checks unique to each device.
Perhaps the safest approach is to wait for the 7.1.1 actual release/the 7.1.1 fastboot firmware, to formally update your device to the latest bootloader.
I noticed when extracting a KDZ file I get a DZ file, after extracting DZ I get multiple BIN files, I need a boot.img file and an aboot file of V20 version H915 V10q
Be very, very careful messing with aboot. This is the bootloader of your device and one small wrong move will cause a hard brick. Not even booting into LGUP will be possible. If you have the dirtysanta bootloader, don't flash the aboot because it will relock your bootloader.
As for your question, simply rename .bin to .img!
Similar Prob
NotYetADev said:
Be very, very careful messing with aboot. This is the bootloader of your device and one small wrong move will cause a hard brick. Not even booting into LGUP will be possible. If you have the dirtysanta bootloader, don't flash the aboot because it will relock your bootloader.
As for your question, simply rename .bin to .img!
I have the exact same situation as OP but with a KDZ for different LG device..
I don't see boot.img anywhere after DZ extraction, just .BIN files..
Is it as simple as changing the extension from .BIN to .IMG??
I don't want to make a fatal mistake.
dano.556 said:
I have the exact same situation as OP but with a KDZ for different LG device..
I don't see boot.img anywhere after DZ extraction, just .BIN files..
Is it as simple as changing the extension from .BIN to .IMG??
I don't want to make a fatal mistake.
Yes it is. But seriously, you will hard brick your device why are you doing this?
dano.556 said:
I have the exact same situation as OP but with a KDZ for different LG device..
I don't see boot.img anywhere after DZ extraction, just .BIN files..
Is it as simple as changing the extension from .BIN to .IMG??
I don't want to make a fatal mistake.
Boot.bin is just boot.img with a different extension, just needs renamed. Aboot is the one you never want to touch.
alvinator94 said:
Yes it is. But seriously, you will hard brick your device why are you doing this?
This is to install Magisk, stock boot.img required..
What? Just flash Magisk from TWRP.
As far as aboot goes, you can flash aboot from any V20 onto any other V20 except the H918. If you flash ANY firmware from the H918 onto any other model -- brick. If you flash firmware from any model onto the H918 -- brick.
However, if you flash aboot, you ALSO have to flash xbl.
Anyway you want to look at it, if you are messing around with aboot and xbl, you are just looking to brick your phone.
-- Brian
runningnak3d said:
What? Just flash Magisk from TWRP
I don't have a custom recovery since Fastboot commands are non accessible on this device I want to install Magisk on. If there's a way to write recovery.img/boot.img without Root then might as well flash patched_boot.img & be done with it
And without fastboot being available, how do you propose flashing the patched boot.img?
-- Brian
runningnak3d said:
And without fastboot being available, how do you propose flashing the patched boot.img?
-- Brian
That's the million dollar question ? Maybe SP Flash Tool or Miracle box is the answer I don't know yet..
Or you could do a search on here. The only V20 model that can't (currently) be rooted, is the LS997 -- all other models can.
If you have any model except the H910 or H918, search for DirtySanta. If you have an H918, search for lafsploit, if you have an H910, search for H910 root.
It is Sunday morning, so I figured I would lend a hand even though it is obvious you didn't bother to even peruse this forum.
-- Brian
I tried a bunch of things in an attempt to root AT&T's LG K20 (the LGM255), to no avail.
After unlocking the bootloader (so it says in the options, I don't think it actually did), I tried fiddling with Lekensteyn's LGLAF tool and various forks of it by steadfasterX and others. Tried pushing a TWRP image I made after being able to extract boot/recovery images using the aforementioned tool. LAF did not push that image but was fine with deleting partitions from the phone.
I took the risk of deleting the LAF partition in order to get access to fastboot. While it did, just my luck, the lk variant of fastboot on the phone is stripped of essentially all functionality except for get-var and devices. Meaning I cannot flash anything, or modify any variables.
Have no means to restore the LAF partition (well, there is one way I know of possibly, but want to save it as a last resort because the probability it would work is low and it risks bricking completely).
Now there is an lafbak partition, but I can't do anything with it.
There's some background, but here is my real question:
If I were to accept an FOTA update from AT&T, although it would update the firmware to a new version, would it restore or possibly flash a new LAF partition so that I could go into its LAF/Factory Reset mode again?
Hiya guys!
So, I've been plucking away at trial and error with my G6 (H873 Canadian) now that I have EDL to fall back to, and by using qdloader flashes to write my NAND I have written my device with a hybrid of the Pie beta 29a and an unlocked US997 aboot. After modifying the devinfo partition... my Magisk-modified boot image gets me as far as my lockscreen. I can log in but my background is black. If I open Magisk Manager it shows it as installed but then crashes seconds later. Ideas? I have very minimal knowledge of the partition structure and the chain of trust for this device and I am absolutely sure it's my mistake, so maybe someone who is kind enough and has the time could explain a bit more to me about the inner workings of this mishmash bootup and possibly help me fix it to remain booted? Preferable if I don't have to downgrade, by the way; Pie has saved this device performance-wise.
After more screwing about I somehow relocked the bootloader and the key that worked before is now rejected. Any help?
No further luck but it doesn't matter. The boot loops have stopped and my changes are intact. H873 running dual speaker mod and adblocking hosts file. Root, however, is still not functioning and my attempted Viper4Android install is in some weird instant reboot to bootloader limbo.
If I can do it by simply ****ing around I'm confident someone can do more than me with enough time and knowledge. I'm not giving up either. I just honestly don't know what I'm doing. I do caution anyone who messes with this sort of stuff to dump a full partition-level backup of your phone. I know I nearly lost my misc partition (IMEI won't work right without it) and was saved by an earlier dump in my preliminary testing.
H873: Question, what aboot did you use and how did you modify the devinfo partition? I've literally been working on the aboot in Ghidra for 5 weeks. I have root in system with a modified su98; system is not currently mountable because it is not referenced in /proc/mounts. From what I can gather the devinfo must have 0x2 at both 0x10 and 0xe0; while both are equal to 2 and device reset is called, the unlock bit in RPMB is equal to Y, else it is N, then it will erase the unlock key from RPMB. Also I'm not afraid of bricking, I have been in EDL mode well over 50 times and have explored every single partition on this thing. I have the aboot for the US997 unlocked variant and the files from runningnak3d's AFH. The fastboot portion of the aboot when looking at the decompiled code in Ghidra is extremely small and strict.