Droid Turbo XT1254 Marshmallow->Lollipop downgrade (unlocking bootloader)COMING SOON?
*this is new thread because I started last as Q&A by mistake so first 2 pages may look off with posts and answers.
DOWNGRADING EXPERIMENT TOPIC
So as you may know , after upgrading to Marshmallow OTA, on locked bootloader there won't be any option to unlock bootloader (ever as some people say) , sunshine officially doens't support Marshmallow. The only option is to downgrade which again isn't possible on locked BL..
Or is it ?
Introduction - skip to DOWNGRADE
First of all I'm not an programmer , but have some experience with locked down motorola's bl's , firmware's ,downgrades and so on..
I'm sure when somebody says impossible, it doesn't really mean impossible, but rather not worthy to some. So in my case I bought the phone few days ago, wasn't fully up to date with infos on unlocking BL so didn't check FW version when buying , just after I checked and phone was updated on MM 1-2 days before buying it. On not unlockable BL phone will become useless to me very soon, while unlocked I would plan to have it for long period of time. It goes in Verzion's favour for me to ditch the phone and buy a new one except I'm not in USA , there are no Verzion services in my country and if there were I would never ever buy (again) anything from Verzion. Well I lived in Japan , and there is network Softbank which is well.. Imagine Verizon but on steroids when it comes to tying people down, locked bootloaders and software, insane fee's and so on.. Well that Softbank bough Verizon some time ago .. I was avoiding them at all cost, but on to the topic now.
DOWNGRADE - fastboot
I would like to invite everybody who is interested in this and who can help to participate in this. Every programmer that has time and can contribute would be greatly appreciated! In return I'm willing to sacrifice my phone and my time , even paying some reasonable donations.
While experimenting in the end I was able to flash all bootloader files from various different versions including all partitions related to it which gets upgraded. Even managed to flash XT1250 MM bootloader. Bootloader version DOES change in bootloader / fastboot ,But it doesn't mean ANYTHING. While downgrading , something else, possibly other parts of bootloader obviously search for match and there is more to it than simple bootloader , more experienced , chime on in here! SElinux enforcing? Verity?
(see attachments)
SU4TL-49 bootloader.img to motoboot flash - Successfully
SU4TL-49 manually flashing 1 by 1:
tz.mbn -[/B] Successfully
SBL1.mbn (bootloader) - [/B] Successfully
sdi.mbn - [/B] Successfully
fsg.mbn to mdm1m9kefs3 - [/B] Successfully
rpm.mbn - [/B] Successfully
emmc_appsboot.mbn to aboot - [/B] Successfully
gpt.bin to "partition" , it's the partitions info partition, people say it can't be downgraded or flashed cross versions. After some experimenting mfastboot failed but fastboot succeded, on some versions mfastboot worked - [/B] Successfully
What I can't get to downgrade / cross flash no mather which bootloader and combinations of firmware im on :
boot.img
recovery.img
system,img (sparse_chunk files)
I will go deeper, but hope that new full firmware SBF will be released soon in case of brick. Verzion is slow. I'm making my own full 6.0.1 xml.zip based on full flashable zip's , repacked system.img sparsechunks, rewrited the script but can't get to flash system files due to invalid signed image. Any help with that? It would also help already bricked guys because who knows when'll Verzion release it..
Downgrade OTA way , stock Android Recovery
While stock android recovery is pretty much useless, it can do software upgrades OTA on a fully stock system , which we on locked bootloaders and MM have.
In my opinion , the way is to trick stock recovery into thinking it's flashing ota, and that whole envieroment is like recovery is expecting it while it's actually flashing downgraded version full / close to full firmware in combination with you flashing some partitions manually through fastboot. OTA's contain only "patch" and just replaces files which get changed on new SW. Or even maybe reverse OTA downgrade?
I've made my own update.zip and signed it , but so far get footer size is wrong error so can't flash it .. Need more help here too..
That looks promising!
Marshmallow feels slower than lollipop for me and I wish I could downgrade but I just can't!
I am looking forward to see what you can do about this issue
Good luck bro!
sorry for my mistake, I do not intend to comment here
@EjđiSixo
How to remove the "signed" of system image or bypass it? Fastboot or RSD are stuck at flashing system image. Does this "sign" relate to boot, recovery, partition? Or it's simply the "sign" to prevent downgrade???
I've never succeeded with partition downgrade...
---------- Post added at 10:29 PM ---------- Previous post was at 10:19 PM ----------
when I was flashing the only system.img (3GB), it said that "wrong at header magi". But after a bit time, fastboot separated the file and began to flash. But still failed because of signed image.
I've tried to remove the code from updater-script but it could not write files to system
Not out yet!
Thanks! I think if we all try , we can do it ! For now main focus is downgrading anyhow, even to half working Lollipop just in the purpose of unlocking bootloader with sunshine.
@mr_5kool
Feel free to comment and ask / suggest, thats what this topic is for!
Unforutenately thats the part I haven't yet figured out myself. It is a " permissions" to prevent the downgrade , bootloader and possibly something else checks current version / keys / properly signed image and then flashes. With other bootloader I'm still not able to flash it because it's obviously locked. Motorola probably signs their images differently.
You can't flash 3GB image because when flashing, phone recieve's partition first to ram so max download size is set to 255mb per file. You have to repack system.img to sparse chunks. But you don't have to bother with it , I already repacked system.img which I found at fully stock flashable MCG24.251-5 . It again failed due to invalid signed image . If we could figure out what is exactly signed and how , that would open a lot more possibilities. Possibly even flashing prerooted roms on locked bootloader. There are more possibilities , who knows..
Currently the only thing notices downgrade when flashing is recovery. In bootloader log says I tried to downgrade. Even with downgraded bootloader (kind of, there is sbl2 and sbl3 but they don't get upgraded )
Anyway, I tried something just for the "gags" . Flashed all partitions of XT1250 bootloader. Got to Motorola's site, posted "unlock bootloader data". It returned it's not unlockable of course.. The first sequence of numbers in data is your imei , it starts with 99 and it's verzion's specific imei.
My theory is that motorola ties unlock bootloader data to every phone and imei and stores it in database ( please confirm) . So even with moto maxx bootloader I can't unlock because :
1 it reads my verzion imei
2 it doesn't find alltogether data in the database..
I don't know what are other numbers in the data you get from fastboot, possibly some serial numbers and so on, haven't really checked it .. That's why i think this method is not possible at all for now. Manipulating that data in your phone and running it through motorola's site knowing that exact same code works for some device might be possible, but I think there is really way too much impossible messing involved. If somebody can share more about this?
lol
http://forum.xda-developers.com/dro...ficial-marshmallow-build-mcg24-t3512813/page2
I've renamed it like suggested in the post #11
Download link is at 1st page. It's just a OTA.
Yes I just renamed it.
IT DOESN'T WORK WITH ADB AND YOU CAN'T FLASH IT AGAIN THROUGH RECOVERY. ITS OTA.
EDIT: The post that I was responding to has been removed.
The method to downgrade from Lollipop to Kitkat is the same with what I've done. It may be possible. Some said that "impossible to downgrade with locked bootloader on vrz". So the system image may be signed with bootloader (or imei, serial or something else, god know).
The unlock method of Sunshine takes place in Trustzone (sbl2). They cannot get unlock code.
You succesfully downgraded LL to KK on droid? There is partition for trust zone alone "tz.mbn" , downgradable without any problem. I only see sbl1 get's upgraded on droid turbo , never saw in any firmware sbl2 or 3 yet.. So I'm little confused.. I remember I saw some PDF regarding that..
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
Finally managed to *Brick my devices while trying to make latest sbf firmware (what an irony ) because used some of files from that stupid OTA . Tried flashing all possible firmware I have but it doesn't fix it so system got corrupted probably and for now didn't succed flashing any of the available systems. Flashing MM recovery doesn't help. It's a " recovery loop".
Basically phone starts , vibrates , goes into recovery, it says "erasing" , it does the factory reset then restarts and over and over again erasing restarting loop.
I'll continue exploring downgrade options but top priority now is making working marshmallow sbf or waiting for stupid Verzion to release it already. Just checked with SUA and it still doesn't show repair so firmware isn't available still.
Biggest problem is signed system images which are probably signed by RSA and I need help with that..
I have same problem erasing
Can't flash SU4TL gpt.bin anymore , so success was definitely connected to experiment and steps I did so I'll investigate more.
@EjđiSixo
I have never tried before. My Moto X2013 failed to downgrade from LL to KK, too. So, it's the common problem of Verizon Motorola Devices.
If you have problem with "erasing", just enter recovery by "hold power button for a while then fast press volume up button". Phone will enter recovery and do the factory reset. But when rebooting the system, "erasing" appear again.
If partition is dead, flash the higher version, commonly gpt and tz.
PS: still waiting for the official xml firmware
ChazzMatt said:
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
side note, I hate this Q&A format. Not sure why XDA even has it. You can't even format URL links correctly.
Click to expand...
Click to collapse
mr_5kool said:
@EjđiSixo
I have never tried before. My Moto X2013 failed to downgrade from LL to KK, too. So, it's the common problem of Verizon Motorola Devices.
If you have problem with "erasing", just enter recovery by "hold power button for a while then fast press volume up button". Phone will enter recovery and do the factory reset. But when rebooting the system, "erasing" appear again.
If partition is dead, flash the higher version, commonly gpt and tz.
PS: still waiting for the official xml firmware
Click to expand...
Click to collapse
I wonder if there is any way to force Verizon to release firmware. This is really low of the lowest, it says 1 week after OTA , now it's almost 1 month. Until somebody forces them , it can be months as far as they are considered. No help from developers / programmers either on any of 2 subjects so don't see my method of full MM SBF working.
god know
:v
ChazzMatt said:
Yes, successfully downgraded 5.1 to 4.4.4 on Droid Turbo but with unlocked bootloader. I helped this guy.
http://forum.xda-developers.com/droid-turbo/help/solved-problem-downgrade-install-ota-t3497791
http://forum.xda-developers.com/droid-turbo/help/how-to-downgrade-lollipop-5-1-to-kitkat-t3494459
Click to expand...
Click to collapse
Exactly brother .
I solved my problem .
I can downgrade from Marshmallow to lollipop is very easy for my ..
But first step is unlocked bootloader from lollipop..
Sent from my XT1254 using XDA Free mobile app
Yeah people , we all know everything can be done with unlocked bootloader. It's a GOD mode. Nothing strange about downgrading with unlocked BL. This topic is for people stuck on locked BL like myself to try to odowngrade on lollipop only in purpose of UNLOCKING BL. So let's for now focus on locked BL's.
Hi guys, I will appreciate if someone can help me. The things is:
I erase system.img from recovery and I backup from XT1706. After I found a site with stock XT1700 rom I downloaded last version which is the S503 I used SP Flash Tools and everything goes well. But when I tried to unlock Bootloader again adb windows said: This operation is not allowed. I tried everything but I wasn't able to unlock Bootloader again. So I downloaded the first version (S116) and surprisingly I could unlock Bootloader. But I get no notification of OTA updates it says that phone has the last version which is not true. Any ideas of what could be happening here? Thanks of hand for you help.
If you downloaded the ROMs from http://motorolastockrom.com/motorola-moto-e3-xt1700 then I suspect the problem is the ROMs have locked boot loaders. I tried installing the S503 version and the S302 version and had the same problem as you. In the end I ended up installing an XT1706 firmware and was able to unlock the bootloader, but sadly it is the same release date and adroid patch version as the XT1700 ROM I was on to begin with (S124)
I had hardbricked my devices while installing an OTA update and the device was Hardbricked .
I blank flashed the device and it booted and bootloader.
Now the problem starts here.
I flashed the OEM_Lock.bat as I wanted to relock the bootloader. I'm not sure what went wrong but the flash didn't complete and stuck in middle.
The problem remains here is it shows
Fastboot Reason: Failed to initialize partition table
I am unable to flash anything now. Recovery.img fails, bootloader.img fails, twrp flashing fails.
Nothing flashes as Bootloader is locked.
I went to Motorola Service Centre. They also couldn't do anything and simply said that their software doesnt read the phone.
Is there anyone whoe can really help me out with anything left to do?
Any method to force flash recovery, even twrp?
Phone is detected as Fastboot athene_16mp S in computer. It doesnt detect as "Qualcomm HS-USB QDLoader 9008".
What firmware are you attempting to flash?
Your device looks like it's still on the blank flash provided bootloader, which means you have to flash at least the GPT and bootloader. The lack of a serial number and the generic identifier implies you have not been able to flash an actual GPT and bootloader. Also, OEM_locked is normal until you get an actual bootloader flashed over the blank flash bootloader, which usually means trying to flash a GPT and bootloader at least as new as the latest version you had on your device (regardless of downgrades).
I'd suggest downloading the latest Nougat stock ROM we have from here. Do not use any of the scripts at this time.
https://forum.xda-developers.com/moto-g4-plus/how-to/stock-rom-npjs25-93-14-4-march-1-t3608138
Unzip the file, delete any old stock ROMs from your ADB folder and copy over the new stock ROM. Try to flash just the GPT and bootloader then reboot to fastboot. See if you reboot into a fastboot screen with details.
If you do, I would proceed to flash the rest of the new ROM without locking your bootloader. If your device boots then, then you can reflash with the locking commands.
Edit - also, this post probably is better suited to the Q and A section...
echo92 said:
What firmware are you attempting to flash?
https://forum.xda-developers.com/moto-g4-plus/how-to/stock-rom-npjs25-93-14-4-march-1-t3608138
Unzip the file, delete any old stock ROMs from your ADB folder and copy over the new stock ROM. Try to flash just the GPT and bootloader then reboot to fastboot. See if you reboot into a fastboot screen with details.
If you do, I would proceed to flash the rest of the new ROM without locking your bootloader. If your device boots then, then you can reflash with the locking commands.
Click to expand...
Click to collapse
The files in mentioned firmware did the trick. It flashed GPT and Bootloader and showed the needed info.:highfive: After that I flashed the same firmware via fastboot commands and device has booted to the stock 7.0 - Bootloader Unlocked. How crazy was I to ignore the proper files to flash? I probably tried 100 times to flash files (wrong once for sure). Thanks alot though for providing the link and instructions. :silly:
Now one last thing, should I flash OEM_Lock file to lock the bootloader so that I can get the lastest Oreo update? I might even think fo selling the device after locking the bootloader. Need your genuine opinion on this as well.
mysteryno46 said:
The files in mentioned firmware did the trick. It flashed GPT and Bootloader and showed the needed info.:highfive: After that I flashed the same firmware via fastboot commands and device has booted to the stock 7.0 - Bootloader Unlocked. How crazy was I to ignore the proper files to flash? I probably tried 100 times to flash files (wrong once for sure). Thanks alot though for providing the link and instructions. :silly:
Now one last thing, should I flash OEM_Lock file to lock the bootloader so that I can get the lastest Oreo update? I might even think fo selling the device after locking the bootloader. Need your genuine opinion on this as well.
Click to expand...
Click to collapse
Eh, you live and learn. Besides, you've now got your device running now!
Honestly, it's up to you. Having a locked or unlocked bootloader will not affect your ability to receive OTA updates - you should still receive updates so long as your firmware matches your software channel (and since your device was XT1643, the NPJS25.93-14-18 April 2018 security update should be the correct firmware). At this moment in time, you'll have to use the NPJS25.93-14-18 firmware to re-lock your bootloader - we don't have the stock Oreo firmware at this time. Thus, if you update to stock Oreo, you will not be able to re-lock your bootloader until you can get a leak of the Oreo firmware.
If you're selling, I'd choose to re-lock the bootloader. Else, a potential buyer who is not used to flashing custom ROMs might wonder if there's any tampering with the device (the bootloader unlocked warning, to someone not used to flashing custom firmware, might scare off potential buyers).
Back to Locked Bootloader, complete stock.
echo92 said:
Eh, you live and learn. Besides, you've now got your device running now!
If you're selling, I'd choose to re-lock the bootloader. Else, a potential buyer who is not used to flashing custom ROMs might wonder if there's any tampering with the device (the bootloader unlocked warning, to someone not used to flashing custom firmware, might scare off potential buyers).
Click to expand...
Click to collapse
I am back to Locked Bootloader as feel the same as you said that anyone buying might get scared by looking the warning sign. Thanks for helping out. :highfive:
Oreo Update via OTA has already started rolling out as per the news I've been reading. I just wanted to see the oreo 8.1 before I sell the phone.
Anyways I got a new device now, Realme C1, 3|32GB as my smartphone usage has declined a lot recently and might remain similar. This device will suffice my requirements.
Thanks for the help and support. :victory:
Hi so I decide to root my phone today
I install magisk I patched the AP files
I load the 4 files to Odin click start, it stop at user data I got a red note says Custom binary Vbmeta blocked by oem lock
My OEM is unlocked any idea how fix it
My phone galaxy s10+ SM-G975F
I'm using the latest firmware
I attach a photo
i fix the problem bootloader was locked
What is this vbmeta package for? For flashing roms I always used the rom, magisk (if wanted root privileges), gapps (if wanted google apps package) and thats all. Why are people flashing other stuff as if it's now a essential rule? Sorry for my ignorance.