Hiya guys!
So, I've been plucking away at trial and error with my G6 (H873 Canadian) now that I have EDL to fall back to, and by using qdloader flashes to write my NAND I have written my device with a hybrid of the Pie beta 29a and an unlocked US997 aboot. After modifying the devinfo partition... my Magisk-modified boot image gets me as far as my lockscreen. I can log in but my background is black. If I open Magisk Manager it shows it as installed but then crashes seconds later. Ideas? I have very minimal knowledge of the partition structure and the chain of trust for this device and I am absolutely sure it's my mistake, so maybe someone who is kind enough and has the time could explain a bit more to me about the inner workings of this mishmash bootup and possibly help me fix it to remain booted? Preferably without having to downgrade, by the way, since Pie has saved this device performance-wise.
After more screwing about I somehow relocked the bootloader and the key that worked before is now rejected. Any help?
No further luck, but it doesn't matter. The boot loops have stopped and my changes are intact: H873 running the dual speaker mod and an ad-blocking hosts file. Root, however, is still not functioning and my attempted Viper4Android install is in some weird instant-reboot-to-bootloader limbo.
If I can do it by simply ****ing around I'm confident someone can do more than me with enough time and knowledge. I'm not giving up either. I just honestly don't know what I'm doing. I do caution anyone who messes with this sort of stuff to dump a full partition-level backup of your phone. I know I nearly lost my misc partition (IMEI won't work right without it) and was saved by an earlier dump from my preliminary testing.
H873: Question, what aboot did you use and how did you modify the devinfo partition? I've literally been working on the aboot in Ghidra for 5 weeks. I have root in system with a modified su98; system is not currently mountable because it is not referenced in /proc/mounts. From what I can gather the devinfo must have 0x2 at both 0x10 and 0xe0; while both are equal to 2 and device reset is called, the unlock bit in RPMB is equal to Y, else it is N and it will erase the unlock key from RPMB. Also I'm not afraid of bricking: I have been in EDL mode well over 50 times and have explored every single partition on this thing. I have the aboot for the US997 unlocked variant and the files from runningnak3d's AFH. The fastboot portion of the aboot, when looking at the decompiled code in Ghidra, is extremely small and strict.
Related
HTC promises to unlock the Sensation bootloader in August, thus people can load custom ROMs etc.
Interesting, isn't it?
Would be nice to show this to the Acer people.
http://www.fonehome.co.uk/2011/07/11/htc-unlocked-bootloader-release-date/
Here is the source.
Our bootloader is unlocked, it doesn't need unlocking... it just has a checksum check to be sure partitions are not corrupted.
The Acer A500 Iconia has a locked bootloader! So this would be nice if Acer followed suit!
No, iconia bootloader is not locked. It is encrypted with aes-128-cbc using Secure Boot Key. SBK cannot be changed once written by the manufacturer. Messing around with boot config table and ODM data can be dangerous and decrypting stuff manually not quite convenient.
Generally, you should not need SBK and nvflash unless you brick badly (having checksum errors on both LNX and SOS or overwriting encrypted/bootloader partitions). If you do, make sure you know the UID of your device and contact sc2k. Maybe some time later he will release an automated and safe tool to recover the device, but until then users are highly recommended not to mess with mmcblk0 and to be extremely careful when writing recovery and boot images.
sp3dev said:
No, iconia bootloader is not locked. It is encrypted with aes-128-cbc using Secure Boot Key. SBK cannot be changed once written by the manufacturer. Messing around with boot config table and ODM data can be dangerous and decrypting stuff manually not quite convenient.
Generally, you should not need SBK and nvflash unless you brick badly (having checksum errors on both LNX and SOS or overwriting encrypted/bootloader partitions). If you do, make sure you know the UID of your device and contact sc2k. Maybe some time later he will release an automated and safe tool to recover the device, but until then users are highly recommended not to mess with mmcblk0 and to be extremely careful when writing recovery and boot images.
Just putting this info out there to add to what you had written about the UID etc.
When you do a NAND backup using CWM, there is a UID.txt file that lets you know what your UID is. Make sure you keep this in a safe place in case you need this info later.
Previously I tried to write the TA backup file of my F8132 (HK variant) into its partition, then I found that the warning message shown before the SONY boot logo disappeared.
But I needed to flash a stock firmware to prevent boot failure since the signature will be verified before booting. Actually the phone is relocked with the DRM features back, just like a locked new phone. The camera focus is OK and X-Reality works fine, etc. You can get OTA firmware updates again.
After that, I tried to unlock the bootloader again by flashtool. Since we know that the data will be completely erased during the boot after unlocking, I tried to erase the boot and FOTAKernel partitions by fastboot. Of course the phone can't boot without a kernel, and the data will not be erased automatically. I used fastboot to boot a TWRP recovery image directly.
Finally the phone booted into recovery mode, but the data partition was encrypted and I had to input a password or erase it. So I had to format the partition. Then I checked the cache partition and found out that the OTA firmware will be downloaded to /storage/emulated/0/recovery/update-package. Maybe it's simply a zip file, but I'm too late to check it. (Maybe I can get it the next time after an OTA download finishes. Now I found that it is not a zip file.) But the most interesting thing I found was that I received the Nougat OTA update of 39.2.A.0.327 after formatting the data partition! At this moment I'm on unlocked Marshmallow 35.1.A.0.297 and AndroPlus Kernel v12 with DRM fix. However, there is something different from a normal unlocked phone with DRM fix. The SECURITY test which shows the DRM keys said:
Code:
WIDEVINE [Key OK] [Active]
CKB [Key OK] [Active]
HUK: ****************
PRODID_AID : 0004
OTP_LOCK_CONFIG : 1555
OTP_LOCK_STATUS : LOCKED
AUTH_ENABLE : 07
DEVICE_ID : ********
FIDO_KEYS : Not provisioned
Factory Reset Reason: virgin,notimestamp
I have checked with my friends, and found out that:
If it has not been unlocked yet, FIDO_KEYS will show Provisioned;
If it has been unlocked, and without DRM fix, HUK will be generic error!, and FIDO_KEYS will be Not provisioned, SUNTORY error;
If it has been unlocked, but with DRM fix, FIDO_KEYS will show Not provisioned, provision failed.
The camera and X-Reality work fine, and I finally got the Nougat OTA package for 297, but I can't unpack it now.
It's interesting because if you unlock the phone, then reboot to let it erase the data partition by itself, and finally flash a DRM-fixed kernel, you will not receive an OTA firmware update (but you can update the system apps). So I guess I skipped some changes to the TA partition during the manual erase of those partitions. I plan to study it when I'm free in the holidays.
This is probably just because the DRM fix in AndroPlus works so well that it fakes the system into thinking the phone is in LB status. You can try to do that OTA in UB but it will fail.
KWOKSFUNG said:
This is probably just because the DRM fix in AndroPlus works so well that it fakes the system into thinking the phone is in LB status. You can try to do that OTA in UB but it will fail.
I use the fix all the time, but I have never received an OTA before. And I think I can just flash the stock kernel and recovery to let it update successfully if I don't modify the system partition, maybe.
How about this?
You can build your own kernel with drmfix and DK.ftf (if you've backed up the TA partition prior to unlocking the bootloader).
Droid Turbo XT1254 Marshmallow->Lollipop downgrade (unlocking bootloader) COMING SOON?
*This is a new thread because I started the last one as Q&A by mistake, so the first 2 pages may look off with posts and answers.
DOWNGRADING EXPERIMENT TOPIC
So as you may know, after upgrading to the Marshmallow OTA on a locked bootloader there won't be any option to unlock the bootloader (ever, as some people say); Sunshine officially doesn't support Marshmallow. The only option is to downgrade, which again isn't possible on a locked BL..
Or is it ?
Introduction - skip to DOWNGRADE
First of all I'm not a programmer, but I have some experience with locked-down Motorola BLs, firmwares, downgrades and so on..
I'm sure when somebody says impossible, it doesn't really mean impossible, but rather not worth it to some. So in my case I bought the phone a few days ago, wasn't fully up to date with info on unlocking the BL so didn't check the FW version when buying; just after, I checked and the phone had been updated to MM 1-2 days before I bought it. On a non-unlockable BL the phone will become useless to me very soon, while unlocked I would plan to have it for a long period of time. It goes in Verizon's favour for me to ditch the phone and buy a new one, except I'm not in the USA, there are no Verizon services in my country and if there were I would never ever buy (again) anything from Verizon. Well, I lived in Japan, and there is the network Softbank which is, well... imagine Verizon but on steroids when it comes to tying people down, locked bootloaders and software, insane fees and so on.. Well, that Softbank bought Verizon some time ago.. I was avoiding them at all cost, but on to the topic now.
DOWNGRADE - fastboot
I would like to invite everybody who is interested in this and who can help to participate. Every programmer that has time and can contribute would be greatly appreciated! In return I'm willing to sacrifice my phone and my time, even paying some reasonable donations.
While experimenting, in the end I was able to flash all bootloader files from various different versions, including all partitions related to it which get upgraded. I even managed to flash the XT1250 MM bootloader. The bootloader version DOES change in bootloader / fastboot, but it doesn't mean ANYTHING. While downgrading, something else, possibly other parts of the bootloader, obviously searches for a match and there is more to it than the simple bootloader. More experienced people, chime in here! SELinux enforcing? Verity?
(see attachments)
SU4TL-49 bootloader.img to motoboot flash - Successfully
SU4TL-49 manually flashing 1 by 1:
tz.mbn - Successfully
SBL1.mbn (bootloader) - Successfully
sdi.mbn - Successfully
fsg.mbn to mdm1m9kefs3 - Successfully
rpm.mbn - Successfully
emmc_appsboot.mbn to aboot - Successfully
gpt.bin to "partition" (it's the partition info partition; people say it can't be downgraded or flashed across versions. After some experimenting mfastboot failed but fastboot succeeded; on some versions mfastboot worked) - Successfully
What I can't get to downgrade / cross-flash, no matter which bootloader and combination of firmware I'm on:
boot.img
recovery.img
system.img (sparse_chunk files)
I will go deeper, but I hope that a new full firmware SBF will be released soon in case of a brick. Verizon is slow. I'm making my own full 6.0.1 xml.zip based on full flashable zips, repacked system.img sparsechunks, and rewrote the script, but I can't get it to flash system files due to "invalid signed image". Any help with that? It would also help the already-bricked guys, because who knows when Verizon will release it..
Downgrade OTA way , stock Android Recovery
While stock Android recovery is pretty much useless, it can do software upgrades via OTA on a fully stock system, which we on locked bootloaders and MM have.
In my opinion, the way is to trick stock recovery into thinking it's flashing an OTA, with the whole environment looking like what recovery expects, while it's actually flashing a downgraded full / close-to-full firmware, in combination with you flashing some partitions manually through fastboot. OTAs contain only a "patch" and just replace the files which get changed in the new SW. Or maybe even a reverse-OTA downgrade?
I've made my own update.zip and signed it, but so far I get the "footer size is wrong" error so I can't flash it.. Need more help here too..
That looks promising!
Marshmallow feels slower than Lollipop for me and I wish I could downgrade, but I just can't!
I am looking forward to seeing what you can do about this issue.
Good luck bro!
sorry for my mistake, I do not intend to comment here
@EjđiSixo
How to remove the "signed" from the system image or bypass it? Fastboot and RSD are stuck at flashing the system image. Does this "sign" relate to boot, recovery, partition? Or is it simply the "sign" to prevent downgrade???
I've never succeeded with partition downgrade...
When I was flashing only the system.img (3GB), it said "wrong at header magi". But after a bit of time, fastboot separated the file and began to flash. But it still failed because of the signed image.
I've tried to remove the code from updater-script but it could not write files to system.
Not out yet!
Thanks! I think if we all try, we can do it! For now the main focus is downgrading anyhow, even to a half-working Lollipop, just for the purpose of unlocking the bootloader with Sunshine.
@mr_5kool
Feel free to comment and ask / suggest, that's what this topic is for!
Unfortunately that's the part I haven't yet figured out myself. It is a "permission" to prevent the downgrade: the bootloader and possibly something else checks the current version / keys / properly signed image and then flashes. With the other bootloader I'm still not able to flash it because it's obviously locked. Motorola probably signs their images differently.
You can't flash a 3GB image because when flashing, the phone receives the partition into RAM first, so the max download size is set to 255MB per file. You have to repack system.img into sparse chunks. But you don't have to bother with it, I already repacked the system.img which I found in the fully stock flashable MCG24.251-5. It again failed due to "invalid signed image". If we could figure out what exactly is signed and how, that would open a lot more possibilities. Possibly even flashing pre-rooted ROMs on a locked bootloader. There are more possibilities, who knows..
Currently the only thing that notices the downgrade when flashing is recovery. The bootloader log says I tried to downgrade, even with the downgraded bootloader (kind of, there are sbl2 and sbl3 but they don't get upgraded).
Anyway, I tried something just for the "gags". Flashed all partitions of the XT1250 bootloader. Went to Motorola's site and posted the "unlock bootloader data". It returned that it's not unlockable, of course.. The first sequence of numbers in the data is your IMEI; it starts with 99 and it's Verizon's specific IMEI.
My theory is that Motorola ties the unlock bootloader data to every phone and IMEI and stores it in a database (please confirm). So even with the Moto Maxx bootloader I can't unlock because:
1. It reads my Verizon IMEI
2. It doesn't find the data altogether in the database..
I don't know what the other numbers in the data you get from fastboot are, possibly some serial numbers and so on, haven't really checked it.. That's why I think this method is not possible at all for now. Manipulating that data in your phone and running it through Motorola's site, knowing that the exact same code works for some device, might be possible, but I think there is really way too much impossible messing involved. Can somebody share more about this?
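The "max download size" limit mentioned above is why Motorola ships system.img as sparsechunk files and why a host fastboot tool splits a large image before sending it. The following is an added example, not code from the thread or from Motorola's tools, showing how the Android sparse image format (the libsparse header with its 0xED26FF3A magic, followed by RAW, FILL, DONT_CARE and CRC32 chunks) is parsed and validated, and how an image is split into pieces that each stay under a given byte limit while still describing the whole partition (gaps become DONT_CARE chunks so a flasher skips them). The sample image is constructed inline. Splitting only addresses the size limit; a signed system image that the bootloader rejects will still be rejected after chunking, which matches what the poster observed.

```python
import struct

SPARSE_MAGIC = 0xED26FF3A
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
HDR = struct.Struct("<IHHHHIIII")   # 28-byte file header
CHDR = struct.Struct("<HHII")       # 12-byte chunk header

def parse_sparse(data):
    """Validate a sparse image and return (blk_sz, total_blks, chunks).
    chunks is a list of (type, start_blk, nblks, payload); CRC32 chunks are skipped."""
    if len(data) < HDR.size:
        raise ValueError("too short for a sparse header")
    magic, major, _minor, hsz, csz, blk_sz, total_blks, total_chunks, _ = HDR.unpack_from(data)
    if magic != SPARSE_MAGIC:
        raise ValueError("bad header magic 0x%08x" % magic)
    if major != 1 or hsz != HDR.size or csz != CHDR.size or blk_sz % 4:
        raise ValueError("unsupported sparse header")
    chunks, off, blk = [], hsz, 0
    for _ in range(total_chunks):
        if off + csz > len(data):
            raise ValueError("truncated chunk header")
        ctype, _, nblks, total_sz = CHDR.unpack_from(data, off)
        body = data[off + csz:off + total_sz]
        expect = {CHUNK_RAW: nblks * blk_sz, CHUNK_FILL: 4,
                  CHUNK_DONT_CARE: 0, CHUNK_CRC32: 4}.get(ctype)
        if expect is None or len(body) != expect:
            raise ValueError("chunk type 0x%04x has inconsistent size" % ctype)
        if ctype != CHUNK_CRC32:
            chunks.append((ctype, blk, nblks, bytes(body)))
            blk += nblks
        off += total_sz
    if blk != total_blks:
        raise ValueError("chunks cover %d blocks, header says %d" % (blk, total_blks))
    return blk_sz, total_blks, chunks

def build_sparse(blk_sz, total_blks, chunks):
    """Serialize chunks (sorted by start block); any gap becomes a DONT_CARE chunk."""
    out, pos = [], 0
    for ctype, start, nblks, body in chunks:
        if start > pos:
            out.append(CHDR.pack(CHUNK_DONT_CARE, 0, start - pos, CHDR.size))
        out.append(CHDR.pack(ctype, 0, nblks, CHDR.size + len(body)) + body)
        pos = start + nblks
    if pos < total_blks:
        out.append(CHDR.pack(CHUNK_DONT_CARE, 0, total_blks - pos, CHDR.size))
    hdr = HDR.pack(SPARSE_MAGIC, 1, 0, HDR.size, CHDR.size, blk_sz, total_blks, len(out), 0)
    return hdr + b"".join(out)

def split_sparse(data, max_bytes):
    """Split one sparse image into several, each at most max_bytes long."""
    blk_sz, total_blks, chunks = parse_sparse(data)
    max_blocks = max(1, (max_bytes - HDR.size - 3 * CHDR.size) // blk_sz)
    pieces = []                      # RAW chunks are cut so one piece always fits
    for ctype, start, nblks, body in chunks:
        if ctype == CHUNK_DONT_CARE:
            continue                 # regenerated by build_sparse as needed
        if ctype == CHUNK_RAW:
            for i in range(0, nblks, max_blocks):
                n = min(max_blocks, nblks - i)
                pieces.append((ctype, start + i, n, body[i * blk_sz:(i + n) * blk_sz]))
        else:
            pieces.append((ctype, start, nblks, body))
    parts, cur, cur_size, pos = [], [], HDR.size + CHDR.size, 0   # reserve trailing DONT_CARE
    for piece in pieces:
        ctype, start, nblks, body = piece
        need = CHDR.size + len(body) + (CHDR.size if start > pos else 0)
        if cur and cur_size + need > max_bytes:
            parts.append(build_sparse(blk_sz, total_blks, cur))
            cur, cur_size, pos = [], HDR.size + CHDR.size, 0
            need = CHDR.size + len(body) + (CHDR.size if start > pos else 0)
        cur.append(piece)
        cur_size += need
        pos = start + nblks
    if cur:
        parts.append(build_sparse(blk_sz, total_blks, cur))
    return parts

def flatten(data, buf=None):
    """Apply a sparse image onto a flat buffer the way a flasher would (DONT_CARE skipped)."""
    blk_sz, total_blks, chunks = parse_sparse(data)
    if buf is None:
        buf = bytearray(blk_sz * total_blks)
    for ctype, start, nblks, body in chunks:
        lo, hi = start * blk_sz, (start + nblks) * blk_sz
        if ctype == CHUNK_RAW:
            buf[lo:hi] = body
        elif ctype == CHUNK_FILL:
            buf[lo:hi] = body * ((hi - lo) // 4)
    return buf

def make_sample_image():
    """Constructed 6-block image: 3 RAW blocks, 1 DONT_CARE block, 2 FILL blocks."""
    raw = bytes(range(256)) * (3 * 4096 // 256)
    fill = struct.pack("<I", 0xDEADBEEF)
    return build_sparse(4096, 6, [(CHUNK_RAW, 0, 3, raw), (CHUNK_FILL, 4, 2, fill)])

if __name__ == "__main__":
    img = make_sample_image()
    parts = split_sparse(img, 4200)   # limit chosen so each part holds one raw block
    print(len(parts), [len(p) for p in parts])
```

Every output part carries the full `total_blks` count and DONT_CARE chunks for the regions it does not cover, so flashing the parts in order reproduces the original image; `flatten` can be run over the parts into one buffer to confirm that before anything touches a device.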
lol
http://forum.xda-developers.com/dro...ficial-marshmallow-build-mcg24-t3512813/page2
I've renamed it as suggested in post #11.
The download link is on the 1st page. It's just an OTA.
Yes I just renamed it.
IT DOESN'T WORK WITH ADB AND YOU CAN'T FLASH IT AGAIN THROUGH RECOVERY. IT'S AN OTA.
EDIT: The post that I was responding to has been removed.
The method to downgrade from Lollipop to KitKat is the same as what I've done. It may be possible. Some said that it's "impossible to downgrade with a locked bootloader on VZW". So the system image may be signed with the bootloader (or IMEI, serial or something else, God knows).
The unlock method of Sunshine takes place in TrustZone (sbl2). They cannot get the unlock code.
You successfully downgraded LL to KK on the Droid? There is a partition for TrustZone alone, "tz.mbn", downgradable without any problem. I only see sbl1 getting upgraded on the Droid Turbo, never saw sbl2 or 3 in any firmware yet.. So I'm a little confused.. I remember I saw some PDF regarding that..
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
Finally managed to *brick* my device while trying to make the latest SBF firmware (what an irony), because I used some of the files from that stupid OTA. Tried flashing all possible firmware I have but it doesn't fix it, so system probably got corrupted and for now I didn't succeed in flashing any of the available systems. Flashing the MM recovery doesn't help. It's a "recovery loop".
Basically the phone starts, vibrates, goes into recovery, it says "erasing", it does the factory reset, then restarts, and over and over again: erasing, restarting, loop.
I'll continue exploring downgrade options, but the top priority now is making a working Marshmallow SBF or waiting for stupid Verizon to release it already. Just checked with SUA and it still doesn't show repair, so the firmware still isn't available.
The biggest problem is the signed system images, which are probably signed with RSA, and I need help with that..
I have the same erasing problem.
Can't flash the SU4TL gpt.bin anymore, so success was definitely connected to the experiment and the steps I did, so I'll investigate more.
@EjđiSixo
I have never tried it before. My Moto X 2013 failed to downgrade from LL to KK too. So it's a common problem of Verizon Motorola devices.
If you have a problem with "erasing", just enter recovery by "hold the power button for a while then quickly press the volume up button". The phone will enter recovery and do the factory reset. But when rebooting the system, "erasing" appears again.
If a partition is dead, flash the higher version, commonly gpt and tz.
PS: still waiting for the official xml firmware
ChazzMatt said:
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
side note, I hate this Q&A format. Not sure why XDA even has it. You can't even format URL links correctly.
mr_5kool said:
@EjđiSixo
I have never tried it before. My Moto X 2013 failed to downgrade from LL to KK too. So it's a common problem of Verizon Motorola devices.
If you have a problem with "erasing", just enter recovery by "hold the power button for a while then quickly press the volume up button". The phone will enter recovery and do the factory reset. But when rebooting the system, "erasing" appears again.
If a partition is dead, flash the higher version, commonly gpt and tz.
PS: still waiting for the official xml firmware
I wonder if there is any way to force Verizon to release the firmware. This is really the lowest of the low; it says 1 week after the OTA, and now it's almost 1 month. Until somebody forces them, it can be months as far as they are concerned. No help from developers / programmers either on either of the 2 subjects, so I don't see my method of a full MM SBF working.
God knows
ChazzMatt said:
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
Exactly, brother.
I solved my problem.
I can downgrade from Marshmallow to Lollipop, it's very easy for me..
But the first step is an unlocked bootloader from Lollipop..
Yeah people, we all know everything can be done with an unlocked bootloader. It's GOD mode. Nothing strange about downgrading with an unlocked BL. This topic is for people stuck on a locked BL like myself, trying to downgrade to Lollipop only for the purpose of UNLOCKING the BL. So let's for now focus on locked BLs.
The way to get rid of the warning caused by unlocking the bootloader on other phones was to flash the proper bootloader logo in fastboot using:
Code:
fastboot flash logo logo.bin
This is how I did it on my old LG Nexus 5X.
Does anyone have the correct logo for the V20? Has anyone tried this on the V20?
It's not a logo file. It's located in aboot and you can't change it.
androiddiego said:
It's not a logo file. It's located in aboot and you can't change it.
That wasn't true on the 5X: https://forum.xda-developers.com/ne...-change-bootlogo-images-imgdata-tool-t3240052
Are you positive that it's different now?
Sizzlechest said:
That wasn't true on the 5X: https://forum.xda-developers.com/ne...-change-bootlogo-images-imgdata-tool-t3240052
Are you positive that it's different now?
Here is a tool that might be useful to search for and dump the relevant partition, mount it and investigate the source of the picture and text warning:
Partitions Backup & Restore
https://play.google.com/store/apps/details?id=ma.wanam.partitions
In the best case scenario, one could even use reverse engineering to skip the warning and its delay altogether, anyone?
Or is aboot non-writable?
If you modify aboot in any way / shape / or form, you had better open a ticket with LG. When you unlock your bootloader, that stops aboot from verifying the signature of boot, laf, and recovery. XBL still very much does verification of all the other pieces of firmware. One of the first things it checks is the signature of aboot. If aboot has been modified, or wasn't signed with the same RSA cert that matches the RSA key that is in your model's QFPROM, then the phone goes into 9008 mode. At this time, there is no fixing that -- except sending it back to LG (and there may never be, now that LG uses UFS NAND in their phones).
-- Brian
I've personally looked into this and it looks like it can't be changed.
I'm pretty sure the image is in the *raw_resources* partition. Look here.
It must be very hard to modify though, considering LG uses it for (all?) many models, since I've only found a single development thread for it, and as you'll see that didn't go very far.
@askermk2000 You are correct. Every single boot, charging, download mode, etc image is on that partition, and it isn't signed / checked, so modify away with no risk of bricking your phone.
There is an index with offsets for each image, but the format of the images isn't immediately obvious.
-- Brian
runningnak3d said:
@askermk2000 You are correct. Every single boot, charging, download mode, etc image is on that partition, and it isn't signed / checked, so modify away with no risk of bricking your phone.
There is an index with offsets for each image, but the format of the images isn't immediately obvious.
-- Brian
So it is indeed possible to change the unlocked bootloader warning?
Security-wise, there is no reason that you can't change them. It looks like LG is using RLE encoding, so finding the start and end of an image is going to be interesting. There are offsets in the index, but they don't seem to align.
Also, while I don't think having a corrupt raw_resources partition would give you a 9008 brick, you might want to have a backup ready to flash if you decide to modify it. But (and there is always a but), since aboot loads this, if aboot pukes and doesn't load, that WILL give you a 9008 brick.
If I were you, I would buy a used V10 off of eBay and test on that, since you can recover from a 9008 with an SD card.
-- Brian
I tried a bunch of things in an attempt to root AT&T's LG K20 (the LGM255), to no avail.
After unlocking the bootloader (so it says in the options; I don't think it actually did), I tried fiddling with Lekensteyn's LGLAF tool and various forks of it by steadfasterX and others. Tried pushing a TWRP image I made after being able to extract the boot/recovery images using the aforementioned tool. LAF did not push that image but was fine with deleting partitions from the phone.
I took the risk of deleting the LAF partition in order to get access to fastboot. While it did, just my luck, the lk variant of fastboot on the phone is stripped of essentially all functionality except for get-var and devices. Meaning I cannot flash anything, or modify any variables.
I have no means to restore the LAF partition (well, there is one way I know of possibly, but I want to save it as a last resort because the probability it would work is low and it risks bricking completely).
Now there is an lafbak partition, but I can't do anything with it.
There's some background, but here is my real question:
If I were to accept an FOTA update from AT&T, although it would update the firmware to a new version, would it restore or possibly flash a new LAF partition so that I could go into its LAF/Factory Reset mode again?