[Q] Crack Bootloader for Motoroi XT720? - Milestone XT720 General

Hi there, I have some questions about cracking the bootloader:
1. Does anyone know a way to crack the bootloader for the Motoroi XT720?
2. If not, is there any clue?
3. Will my phone brick if I try to overwrite the boot partition?
Thanks in advance!

tiger2wander said:
Hi there, I have some questions about cracking the bootloader:
1. Does anyone know a way to crack the bootloader for the Motoroi XT720?
2. If not, is there any clue?
3. Will my phone brick if I try to overwrite the boot partition?
Thanks in advance!
I don't think you can flash the boot partition with images that lack Moto's signature.

How about using the `dd` command to write a modified raw partition?
I imagine it is like on a PC, where we have the BIOS, boot loader and so on: the BIOS can be written via a flash program, and the boot loader can be written directly to the boot partition, or the boot sector modified, if you have physical access or root permission remotely. Is that right? Please correct me if I'm wrong.

tiger2wander said:
How about using the `dd` command to write a modified raw partition?
I imagine it is like on a PC, where we have the BIOS, boot loader and so on: the BIOS can be written via a flash program, and the boot loader can be written directly to the boot partition, or the boot sector modified, if you have physical access or root permission remotely. Is that right? Please correct me if I'm wrong.
A raw partition write might become reality, but we still need time to work on it.

It will be great if we can unlock it and get a free world!
So, how hard is it to get done? Is there any block in the road, or does it simply need more time to get stable?

tiger2wander said:
It will be great if we can unlock it and get a free world!
So, how hard is it to get done? Is there any block in the road, or does it simply need more time to get stable?
Crack the bootloader? Not possible. But it seems the system's signature can be passed by dumping a cg39.smg from the phone; that means there is a possibility, but it needs testing.

You mean dump it, then RE it to find any security exploit which can allow us to bypass the signature check in the bootloader?
BTW, what is the progress of existing research on this?
I've just asked Google about this and got some interesting articles:
- http://pocketnow.com/thought/efuse-droids-digital-kill-switch
~> Is it like this one? If so, I will never buy a Motorola phone anymore! It's too sh!t to pay money for a blocked device...

First of all.
http://droid-developers.org/wiki/Booting_chain
Just read it...

Thanks man, already read it somewhere on the Internet.
EDITED: but this one is clearer than the last one I read!


Lock a bootloader

hello all,
I am interested in locking the bootloader on a sg3, any leads on what steps I may need to accomplish this?
thank you
What carrier are you on?
redusk said:
What carrier are you on?
It's unlocked, but it would be the Canadian variant i747m; I also have an intl variant somewhere, i9300 or something.
The French Tickl3r said:
hello all,
I am interested in locking the bootloader on a sg3, any leads on what steps I may need to accomplish this?
thank you
It's not easy. Some eMMCs have commands to write-protect some areas (temporarily or permanently). But these eMMC commands usually are not present in the kernel source code because there is no practical reason to use them (unless you are the original manufacturer). So you need to detect which eMMC chip is used in your phone, then find a good datasheet to find the appropriate command (if any). Then write a utility to execute this command (and if you write-protect the wrong block then there is no way back).
Thus, you need to be a skilled low-level developer to accomplish this task.
If you mean lock like it's done in phones with a locked bootloader, then it's a completely different story. In this case a write-protect-till-power-off lock is used. So when such a phone boots, the whole eMMC is available for writing. Then at a very early stage the bootloader executes the write-protect-till-power-off command, and you can't write anything to the bootloader until you turn the power off. If you want to accomplish this behaviour then you have to write your own bootloader, which is not simpler than the task above. Moreover, you won't be able to write your own bootloader because it requires to be signed by the private master key, which only Samsung's lab has.
sorg said:
It's not easy. Some eMMCs have commands to write-protect some areas (temporarily or permanently). But these eMMC commands usually are not present in the kernel source code because there is no practical reason to use them (unless you are the original manufacturer). So you need to detect which eMMC chip is used in your phone, then find a good datasheet to find the appropriate command (if any). Then write a utility to execute this command (and if you write-protect the wrong block then there is no way back).
Thus, you need to be a skilled low-level developer to accomplish this task.
If you mean lock like it's done in phones with a locked bootloader, then it's a completely different story. In this case a write-protect-till-power-off lock is used. So when such a phone boots, the whole eMMC is available for writing. Then at a very early stage the bootloader executes the write-protect-till-power-off command, and you can't write anything to the bootloader until you turn the power off. If you want to accomplish this behaviour then you have to write your own bootloader, which is not simpler than the task above. Moreover, you won't be able to write your own bootloader because it requires to be signed by the private master key, which only Samsung's lab has.
thank you for the detailed response. i shall not pursue this any longer.
best regards, from cloudy montreal

[Q] Unlock bootloader without wipe.

Hello xda friends.
How would you welcome the possibility to unlock the bootloader without a wipe?
I found two ways to do that a while ago, but first I want to ask you what you feel about it.
I don't want anybody to feel uncomfortable that even a locked bootloader means no security for your userdata at all.
There is a reason why Google implemented a full wipe after you do fastboot oem unlock: to prevent thieves from getting your data and personal info by flashing a custom recovery and then adb pulling the userdata partition.
So tell me your opinion. Depending on the feedback I will decide to keep the secret or expose it to the public.
You will need a Windows PC to do it.
bitdomo said:
Hello xda friends.
How would you welcome the possibility to unlock the bootloader without a wipe?
I found two ways to do that a while ago, but first I want to ask you what you feel about it.
I don't want anybody to feel uncomfortable that even a locked bootloader means no security for your userdata at all.
There is a reason why Google implemented a full wipe after you do fastboot oem unlock: to prevent thieves from getting your data and personal info by flashing a custom recovery and then adb pulling the userdata partition.
So tell me your opinion. Depending on the feedback I will decide to keep the secret or expose it to the public.
You will need a Windows PC to do it.
It doesn't matter for me.
It doesn't matter to me either.
Sent from my iPhone using Tapatalk
bitdomo said:
Hello xda friends.
How would you welcome the possibility to unlock the bootloader without a wipe?
I found two ways to do that a while ago, but first I want to ask you what you feel about it.
I don't want anybody to feel uncomfortable that even a locked bootloader means no security for your userdata at all.
There is a reason why Google implemented a full wipe after you do fastboot oem unlock: to prevent thieves from getting your data and personal info by flashing a custom recovery and then adb pulling the userdata partition.
So tell me your opinion. Depending on the feedback I will decide to keep the secret or expose it to the public.
You will need a Windows PC to do it.
Apps for that have existed for years.
bitdomo said:
Hello xda friends.
So tell me your opinion. Depending on the feedback I will decide to keep the secret or expose it to the public.
You will need a Windows PC to do it.
Release it. If the mods decide it's somehow illegal and/or a serious security breach they'll let you know. It boils down to how you use the tool. Take a screwdriver. It's a perfectly legal thing to own and incredibly handy in its intended use. Use that same screwdriver to break into someone's house and it's evidence.
Security through obscurity? No, thank you!
Expose it to us, please.
https://en.wikipedia.org/wiki/Security_through_obscurity
Anyway, if you can flash TWRP with the boarddiag tool while the bootloader is still locked, then the bootloader lock is nothing.
RolF2 said:
Anyway, if you can flash TWRP with the boarddiag tool while the bootloader is still locked, then the bootloader lock is nothing.
psst... that is secret
I say expose it. It will put pressure to have the hole closed.
the people have the "right" to know xD
well, those who want to know anyways
@bitdomo what happened with this? haha

[R&D] Toshiba (11 series) Bootloader Unlock Discussion

Because the other old Dev thread is getting a bit messy, I've created a new thread to continue development of a bootloader unlock for 11 series devices.
Don't post ANYTHING unrelated to development of a way to change the Toshiba chip's CID!!!
@GeTex says she may be able to get us the firmware / vendor cmds, which would be awesome!
===================================JULY 30 UPDATE==================================
Trying to reprogram the CID has been abandoned; looking at alternate methods of unlocking the b/l (or getting a custom kernel past QSB/Knox). @GeTex is working on writing to memory using the Futex (towelroot) exploit to load some kernel modules.
Relevant links:
http://blog.nativeflow.com/the-futex-vulnerability
http://blog.nativeflow.com/escalating-futex
http://blog.nativeflow.com/pwning-the-kernel-root
====================================Original post====================================
So far we know what Beaups did to get the 15 series chip exploit:
1) Get vendor cmds (we know it's CMD26 to reprogram the CID but do not know the args for Toshiba chips)
2) Dump the eMMC firmware
3) Look through the code for how it is programmed
4) Create a tool to use this info and reprogram the CID
We need to:
1) Find the args for the command
2) Dump the Toshiba eMMC controller's firmware
3) Find how to program the CID
4) Modify Beaups' tool
Alternatively, if we know what the controller is and the pin map, we could manually dump the firmware with existing SD card tools (wouldn't count on it).
Not sure where you can find it, but if you can dump the chip's firmware then we don't need the first step.
Relevant docs:
https://drive.google.com/open?id=0BxoK4ISYhlfbbW02TzJ0VlhoV0E
https://drive.google.com/open?id=0BxoK4ISYhlfbdDZvbGxxV2F3OUU
https://github.com/beaups/SamsungCID (read samdunk disclosure)
http://toshiba.semicon-storage.com/us/product/memory/nand-flash/mlc-nand/emmc.html (Our chip is the THGBMHG7C1LBAIL I believe)
http://forum.xda-developers.com/showpost.php?p=37936242&postcount=72
Dumping emmc Ram, Not sure if that helps
deleted
I don't think I can dump the firmware using a JTAG box due to security, can i?
GeTex said:
I don't think I can dump the firmware using a JTAG box due to security, can i?
It doesn't look good; the JEDEC spec says most of those registers are write once, read only.
What I wanna know is where in the boot process it checks the CID registers, and whether there is anything we can do to manipulate it to read whatever value we feed it.
GeTex said:
I don't think I can dump the firmware using a JTAG box due to security, can i?
I do not think you can jtag the eMMC chip. and @Legitsu that would involve modifying the bootloader or kernel which we would need an unlocked bl for.
autonomousperson said:
I do not think you can jtag the eMMC chip. and @Legitsu that would involve modifying the bootloader or kernel which we would need an unlocked bl for.
Maybe not. What if you modified the locked bootloader? Yes, it would normally fail the SB and CRC checks, but it's not entirely out.
There are also some interesting bits in the cmds used to read registers,
and kernel mods can be done with modules.
Legitsu said:
Maybe not. What if you modified the locked bootloader? Yes, it would normally fail the SB and CRC checks, but it's not entirely out.
There are also some interesting bits in the cmds used to read registers,
and kernel mods can be done with modules.
I think the CID check is before the kernel is even loaded.... Seems to be all with the bootloader
autonomousperson said:
I think the CID check is before the kernel is even loaded.... Seems to be all with the bootloader
I would think so as well but may not stop us from doing some tricks such as chainloading exploits
where we boot from the locked aboot patch the cid and somehow make it reset and load the other aboot and feed it that CID
kexec is very very close to being working on the S4 @Surge1223 how up2date is the source for that in your repo ?
honestly I think kexec is going to be the future for all devices its less effort and more viable then finding the rare exploits for actually unlocking the bootloader
I just don't have the time I once did and my skills are rusty AF
Legitsu said:
I would think so as well but may not stop us from doing some tricks such as chainloading exploits
where we boot from the locked aboot patch the cid and somehow make it reset and load the other aboot and feed it that CID
kexec is very very close to being working on the S4 @Surge1223 how up2date is the source for that in your repo ?
honestly I think kexec is going to be the future for all devices its less effort and more viable then finding the rare exploits for actually unlocking the bootloader
I just don't have the time I once did and my skills are rusty AF
We can try to get it to go into rescue mode where it boots off sd. Idk how far that will get us as sd boot still needs to be signed (I think). Even if we try to chain load something its only temp and will need to be done every boot and could get messy. Chaining the CID directly is the best option.
autonomousperson said:
We can try to get it to go into rescue mode where it boots off sd. Idk how far that will get us as sd boot still needs to be signed (I think). Even if we try to chain load something its only temp and will need to be done every boot and could get messy. Chaining the CID directly is the best option.
See, I know on the S4 the sdboot no longer works as of NK4, but does it work on the S5?
Recovery mode may show us more info.
I wonder what would happen if you imaged a dev edition bootloader and then killed the aboot and let it try from the sdcard (would tell us what it checks when attempting recovery).
Messy would be fine, as it would provide more info.
Legitsu said:
See, I know on the S4 the sdboot no longer works as of NK4, but does it work on the S5?
Recovery mode may show us more info.
I wonder what would happen if you imaged a dev edition bootloader and then killed the aboot and let it try from the sdcard (would tell us what it checks when attempting recovery).
Messy would be fine, as it would provide more info.
The dev edition BL on sd would work as it's signed, BUT it won't display as a dev edition as the CID doesn't match. I think as soon as you touch the sd card BL it will refuse to boot. Unfortunately I no longer have a vzw test device (pulled the Samsung eMMC BGA off of it, 0/10 would not recommend).
autonomousperson said:
The dev edition BL on sd would work as it's signed, BUT it won't display as a dev edition as the CID doesn't match. I think as soon as you touch the sd card BL it will refuse to boot. Unfortunately I no longer have a vzw test device (pulled the Samsung eMMC BGA off of it, 0/10 would not recommend).
I wonder if there is a way to manipulate the CID while it's in Qualcomm recovery.
Once you boot it as a DEV edition, that opens a lot of doors to do other things.
I am still reading the JEDEC spec PDF, nothing so far.
Legitsu said:
I wonder if there is a way to manipulate the CID while it's in Qualcomm recovery.
Once you boot it as a DEV edition, that opens a lot of doors to do other things.
I am still reading the JEDEC spec PDF, nothing so far.
Remember that it's just a general specification; Toshiba has to follow all of it, but they can change or add extra features. They said they had some extra security features or something.
http://toshiba.semicon-storage.com/ap-en/product/memory/nand-flash/mlc-nand/emmc.html
THGBMHG7C2LBAIL
Products which applied "Command Queuing" and "Secure Write Protection" functions standardized in JEDEC e・MMC™ Version 5.1 as optional features.
autonomousperson said:
Remember that it's just a general specification; Toshiba has to follow all of it, but they can change or add extra features. They said they had some extra security features or something.
http://toshiba.semicon-storage.com/ap-en/product/memory/nand-flash/mlc-nand/emmc.html
THGBMHG7C2LBAIL
Products which applied "Command Queuing" and "Secure Write Protection" functions standardized in JEDEC e・MMC™ Version 5.1 as optional features.
Yes, but the JEDEC spec exists for a reason; changing that spec opens you to creating other flaws :>
And neither of those has anything to do with the registers we are interested in.
Idk what to do then. The stuff we want (cid) is managed by the eMMC firmware. The bl then reads and compares it to the aboot. We could try a man in the middle thing but we would need it to load before the check happens.
autonomousperson said:
Idk what to do then. The stuff we want (cid) is managed by the eMMC firmware. The bl then reads and compares it to the aboot. We could try a man in the middle thing but we would need it to load before the check happens.
Read through pages 28/29/30/etc. of the *B51 PDF.
Look at how they describe the alt operation mode.
It says you can set the CSD register; I wonder what else you can set during that time (ignore for the moment that we don't have a way of setting any registers yet).
Legitsu said:
Read through pages 28/29/30/etc. of the *B51 PDF.
Look at how they describe the alt operation mode.
It says you can set the CSD register; I wonder what else you can set during that time (ignore for the moment that we don't have a way of setting any registers yet).
We would have to find a way to trick it into thinking it is booting. (I think it is first boot, not every boot)
autonomousperson said:
We would have to find a way to trick it into thinking it is booting. (I think it is first boot, not every boot)
indeed but progress
Legitsu said:
indeed but progress
BUT
We would still need to figure out how to get it to write a new CID (specifically what tf cmd 26 is)
OR
We can use vendor commands like Beaups (would need to find them)
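Both sorg's advice in the Galaxy S3 thread above (find out which eMMC chip the phone actually uses before going anywhere near write-protect commands) and this thread's back-and-forth about the CID register start from the same step: reading and decoding the CID. Linux exposes the raw 128-bit CID of the first eMMC as 32 hex digits in /sys/block/mmcblk0/device/cid. The decoder below is an added example written for this page; it is not code from any poster here, nor from Beaups' tool. It follows the JESD84 field layout for the CID, the manufacturer table copies a handful of IDs from the Linux kernel's mmc headers, and the sample CID it decodes is constructed (Toshiba manufacturer ID with a made-up product name and serial). The ext_csd_rev parameter models the year-encoding change that eMMC 4.41 introduced, which the Linux driver also applies.

```python
"""Decode the 128-bit eMMC CID register (JEDEC JESD84 layout).

Added example, not code from the thread. Input is the 32-hex-digit form that
Linux exposes in /sys/block/mmcblk0/device/cid. The sample CID is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Partial MID table; values copied from include/linux/mmc/card.h in the Linux kernel.
MANUFACTURERS = {0x11: "Toshiba", 0x13: "Micron", 0x15: "Samsung",
                 0x70: "Kingston", 0x90: "SK Hynix"}

# CBX field (bits [113:112]): device/BGA type.
DEVICE_TYPES = {0: "removable card", 1: "BGA (embedded)", 2: "POP (package on package)"}


@dataclass
class Cid:
    mid: int                 # Manufacturer ID, bits [127:120]
    cbx: int                 # Device/BGA type, bits [113:112]
    oid: int                 # OEM/Application ID, bits [111:104]
    pnm: str                 # Product name, 6 ASCII chars, bits [103:56]
    prv: str                 # Product revision "n.m", bits [55:48]
    psn: int                 # Product serial number, bits [47:16]
    month: int               # Manufacturing month, bits [15:12]
    year: int                # Manufacturing year, decoded from bits [11:8]
    crc7_ok: Optional[bool]  # None when the host controller zeroed the CRC byte

    @property
    def manufacturer(self) -> str:
        return MANUFACTURERS.get(self.mid, f"unknown (0x{self.mid:02x})")


def crc7(data: bytes) -> int:
    """MSB-first CRC-7, generator x^7 + x^3 + 1 (0x09), init 0, as used by SD/MMC."""
    crc = 0
    for byte in data:
        for i in range(7, -1, -1):
            feedback = ((crc >> 6) ^ (byte >> i)) & 1
            crc = (crc << 1) & 0x7F
            if feedback:
                crc ^= 0x09
    return crc


def decode_cid(hex_cid: str, ext_csd_rev: int = 0) -> Cid:
    """Parse the sysfs hex string. For EXT_CSD_REV >= 5 (eMMC 4.41+) the year
    nibble wraps: years that decode below 2010 are shifted up by 16."""
    raw = bytes.fromhex(hex_cid.strip())
    if len(raw) != 16:
        raise ValueError("CID must be exactly 128 bits (32 hex digits)")
    v = int.from_bytes(raw, "big")

    def bits(start: int, width: int) -> int:
        return (v >> start) & ((1 << width) - 1)

    year = 1997 + bits(8, 4)
    if ext_csd_rev >= 5 and year < 2010:
        year += 16
    crc_byte = raw[15]
    crc_ok: Optional[bool]
    if crc_byte == 0:
        crc_ok = None  # host stripped the CRC from the R2 response (common with SDHCI)
    else:
        crc_ok = crc_byte == ((crc7(raw[:15]) << 1) | 1)  # bit 0 is always 1
    prv = bits(48, 8)
    return Cid(mid=bits(120, 8), cbx=bits(112, 2), oid=bits(104, 8),
               pnm=bits(56, 48).to_bytes(6, "big").decode("ascii", errors="replace"),
               prv=f"{prv >> 4}.{prv & 0xF}", psn=bits(16, 32),
               month=bits(12, 4), year=year, crc7_ok=crc_ok)


def build_cid(mid: int, cbx: int, oid: int, pnm: str, prv: int,
              psn: int, month: int, year_nibble: int) -> str:
    """Assemble a CID hex string with a valid CRC7; used here only to create
    constructed sample data for the decoder."""
    v = (mid << 120) | (cbx << 112) | (oid << 104)
    v |= int.from_bytes(pnm.encode("ascii").ljust(6)[:6], "big") << 56
    v |= (prv << 48) | (psn << 16) | (month << 12) | (year_nibble << 8)
    body = v.to_bytes(16, "big")[:15]
    return (body + bytes([(crc7(body) << 1) | 1])).hex()


# Constructed sample: Toshiba MID, BGA type, made-up name/serial, month 7, year nibble 3.
SAMPLE_CID = build_cid(0x11, 1, 0x01, "TESTNM", 0x10, 0xDEADBEEF, 7, 3)

if __name__ == "__main__":
    cid = decode_cid(SAMPLE_CID, ext_csd_rev=7)
    print(f"{cid.manufacturer} {cid.pnm} rev {cid.prv} sn 0x{cid.psn:08x} "
          f"{DEVICE_TYPES.get(cid.cbx, 'reserved')} {cid.month}/{cid.year} "
          f"crc7_ok={cid.crc7_ok}")
```

On a real phone you would pass the contents of the sysfs file to decode_cid together with the rev reported in /sys/block/mmcblk0/device/ext_csd_rev. Many host controllers (SDHCI among them) drop the CRC7 byte of the R2 response before it reaches sysfs, so a trailing 00 is normal and the decoder reports crc7_ok as None instead of failing; a mismatch against a non-zero byte is the case worth noticing, since it usually means the hex string was edited or mis-copied.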

For anybody that has ALREADY unlocked their bootloader >> PLEASE READ!

Hi, I am new to the Nokia 7 Plus forums, and I know that a bootloader unlocking method is sorely needed.
I would like to ask those who have ALREADY unlocked their bootloaders to send me the signature file they used in the "fastboot flashing unlock..." command.
By sending me this file, I can TRY to determine how the IMEI and Serial Number is used to generate the bootloader signature file and, If successful, I can release an unofficial bootloader unlocking method, for FREE.
OR IF SOMEBODY IS ROOTED, PLEASE FOLLOW THESE STEPS AND SEND ME THE FILE GENERATED AFTER:
1. Connect your phone to your PC with USB Debugging on
2. Open Command Prompt and type "adb shell".
3. Then type "su"
4. Then type "cd /dev/block/bootdevice/by-name"
5. Then type "ls -al"
6. Then, you will need to find the "mmcblk0p?" that is listed on the same line as "aboot" (e.g. mmcblk0p1)
7. Once you have found that, type "dd if=/dev/block/bootdevice/by-name/(the mmcblk0p that you got above) of=/sdcard/aboot.img"
8. Then send me the aboot.img file that is located on your phone's SD card.
This applies to all owners of the Nokia 5, 5.1, 6, 6.1, 7, 7+, 8, 8 Sirocco
I hope someone can help you here bro. Mine is locked or I'd definitely do it.
No one has done that, and it's not possible right now.
Areen said:
No one has done that, and it's not possible right now.
Well by looking on the threads around Nokia devices, it seems that there are people who used this method to unlock the bootloader
Hi, I have sent you a PM with the key for my Nokia 7. I hope you are able to find something out of them
Development is growing.
Hi everyone, a quick update:
My Nokia 7 Plus is currently in for repair so I will still try to decipher the signature files before I try any bootloader unlock, and I won't be trying to unlock the bootloader until I get my 7+ back from the shop, but once it gets back....
You're the man! I wish I can help you but unfortunately my device is locked.
$Parker said:
You're the man! I wish I can help you but unfortunately my device is locked.
My device is locked too, I will have to try and find out how the signature files are generated and test them on my own device (when I get it back)
Still in mail war with nokia. Let's hope they unlock it. First win is mine. They send the case higher up. So fingers crossed
Sent from my Nokia 7 plus using XDA-Developers Legacy app
I really hope we can figure something out. And pressure Nokia into unlocking the bootloader and release kernel sources.
Areen said:
No one has done that, and it's not possible right now.
It is possible. I've done it today. Paid for the signature file, applied it based on the instructions and tada I have unlocked the bootloader. It was a hard earned 5 dollars...
BTW, would that aboot.img file be the boot image? Cuz I would need to extract mine and patch it with Magisk to get root. Can you tell me how to pull it? Thanks. The signature file I'm not willing to share, sorry, as it probably contains my IMEI. But if you have a Nokia, I'll pay you the 5 bucks to get your own file, which you can then reverse engineer.
5$ for unlocking is not a big deal, so don't waste time finding out how the serial number and IMEI number combination works to create the bin... unlock the bootloader and try to make custom ROMs bro, spend time there.
By the way, I have unlocked and rooted my 7 plus.
jazzzzzzz said:
5$ for unlocking is not a big deal, so don't waste time finding out how the serial number and IMEI number combination works to create the bin... unlock the bootloader and try to make custom ROMs bro, spend time there.
By the way, I have unlocked and rooted my 7 plus.
how did you root it?
donjamal said:
It is possible. I've done it today. Paid for the signature file, applied it based on the instructions and tada, I have unlocked the bootloader. It was a hard earned 5 dollars...
BTW, would that aboot.img file be the boot image? Cuz I would need to extract mine and patch it with Magisk to get root. Can you tell me how to pull it? Thanks. The signature file I'm not willing to share, sorry, as it probably contains my IMEI. But if you have a Nokia, I'll pay you the 5 bucks to get your own file, which you can then reverse engineer.
Stupid question, but will I be able to use OTA updates (mainly for Android P when it comes out) without issues if I unlock the phone and root it beforehand?
Karanfil said:
Stupid question, but will I be able to use OTA updates (mainly for Android P when it comes out) without issues if I unlock the phone and root it beforehand?
Yes, you will be able to update. But you will lose root.
Karanfil said:
Stupid question, but will I be able to use OTA updates (mainly for Android P when it comes out) without issues if I unlock the phone and root it beforehand?
With root, not when modifying the system.
We may have other options https://forum.xda-developers.com/nokia-7-plus/how-to/request-opinion-figuring-hidden-oem-t3820511
Has any work been done further on this? If not, would someone please let me know if they'd like to work together to figure this out. Does anyone know if the signature file that's sent to unlock contains an md5 hash?
NtilUrEarsBleed said:
Has any work been done further on this? If not, would someone please let me know if they'd like to work together to figure this out. Does anyone know if the signature file that's sent to unlock contains an md5 hash?
We are out of luck already. The old unlock files do not work after the August update. Seems patched up. So, back to no official and/or unofficial unlock again

How To Guide WARNING: Read BEFORE Locking Bootloader

DO NOT LOCK THE BOOTLOADER WHILE ROOTED!
When locking the bootloader while rooted, the boot image will fail verification and the system will fail to boot. You cannot flash a stock boot image with a locked bootloader.
Locking the bootloader will not fix most issues. It will allow you to use apps that check for an unlocked bootloader without the need for any additional modification. That is the ONLY benefit.
If you still want to lock your bootloader, make sure you can say yes to each of the following:
1. Have you restored the stock boot.img / vendor_boot.img and the phone functions normally?
Spoiler: Restore Stock Boot
Boot / DTBO Images [Root / Stock] - 5 / Pro / Ultimate (NOT S) (thread on forum.xda-developers.com: stock boot and DTBO images extracted from the Asus firmware with payload dumper and uploaded without modification, not built from source; versions include 18.0840.2202.231, 18.0840.2201.226, 18.0840.2112.211, ...)
Follow the instructions in the thread above.
Use only the boot and vendor_boot images.
Do NOT flash any images that end with "-magisk.img"
2. Have you made a backup of everything you do not want to lose when wiping the phone?
Spoiler: Make a Backup
The sdcard is part of the internal storage and is cleared by a factory reset
Copy everything you want to keep to a computer or USB-C storage device
Apps and settings can be backed up by enabling the Google Backup option
Open Settings
Select Google
Select Backup
Select Back up now
Wait for the backup to complete
3. Have you flashed raw firmware and made sure the phone and updates function normally?
Spoiler: Flash Raw Firmware
RAW Firmware Collection and Guide (thread on forum.xda-developers.com: all fastboot / adb commands require the side USB-C port; install fastboot from https://developer.android.com/studio/releases/platform-tools.html#download and add platform-tools to PATH (post 2); make a backup of anything you want to keep)
Follow the instructions in the thread above.
If you perform a wipe, you may skip step 4.
4. Have you performed a factory reset and made sure the phone functions normally?
Spoiler: Factory Reset
Open Settings
Select System
Select Reset options
Select Erase all data (factory reset)
Follow the instructions
Once you have verified all of the above requirements, you are now ready to lock the bootloader.
Spoiler: Lock Bootloader
From the bootloader (volume up + power):
Code:
fastboot oem asus-csc_lk
Reserved for QA information
I don't want to spread false information here, but here is a question post I created recently with two replies showing me contacting the help center (two different agents) confirming that I can use the app more than once to unlock the device's bootloader: https://forum.xda-developers.com/t/...nlock-relock-for-asus-rog-phone-5-5s.4367047/ . @Andrologic also confirms the case there for global (EU) version. I have a feeling that for the Tencent version it is because the sellers lock it on a wrong official ROM, or wrong ROM in general, e.g. global ROM, and therefore it confuses the unlock app. I am surprised the device did not even get hard bricked from locking on not the original ROM. By the way, I have contacted the help center of the US store, but I have a feeling it should work on the global (EU) version as well.
falhumai96 said:
I don't want to spread false information here, but here is a question post I created recently with two replies showing me contacting the help center (two different agents) confirming that I can use the app more than once to unlock the device's bootloader: https://forum.xda-developers.com/t/...nlock-relock-for-asus-rog-phone-5-5s.4367047/ . @Andrologic also confirms the case there for global (EU) version. I have a feeling that for the Tencent version it is because the sellers lock it on a wrong official ROM, or wrong ROM in general, e.g. global ROM, and therefore it confuses the unlock app. I am surprised the device did not even get hard bricked from locking on not the original ROM. By the way, I have contacted the help center of the US store, but I have a feeling it should work on the global (EU) version as well.
Based on new information, it does seem possible to repair the issues caused by converting.
That said, this guide is still quite relevant. After all, most of the issues people were having were caused by unlocking the bootloader, converting, rooting, and locking the bootloader. The warning for possibility of not being able to unlock have been removed, but the info about restoring to stock before locking has been left.
I sent mine in for a motherboard repair. I was rooted and everything; I unrooted, installed stock firmware and locked the bootloader again. Once I got the phone back I unlocked the bootloader once again, and I am rooted again.
chairman011 said:
I sent mine in for a motherboard repair. I was rooted and everything; I unrooted, installed stock firmware and locked the bootloader again. Once I got the phone back I unlocked the bootloader once again, and I am rooted again.
@chairman011 what variant of the phone it is (e.g. CN or WW or US, ...etc.)? Also, when they returned it to you and you were able to unlock it again, was it on the original firmware (or any version in its lineage (i.e. not a ROM that's not original))?
If by using ASUS unlock utility one was able to oneself unlock the boot-loader once, then is it safe to say that (after relocking it) it'd be possible to unlock it again?
nexusnerdgeek said:
If by using ASUS unlock utility one was able to oneself unlock the boot-loader once, then is it safe to say that (after relocking it) it'd be possible to unlock it again?
Some people have reported that you can't unlock the bootloader again after relocking, using the official "Unlock Device App", but I suspect it is an OS mismatch. This issue has only been observed on the Tencent (CN) version with the global ROM. Has anyone been able to unlock->relock->unlock on the same version of the phone, but without relocking while on the global ROM (i.e. relocking while on the stock CN ROM)?
I am surprised the phone did not hard brick. Usually, and this is a general case in almost all Android phones with bootloader unlock capability, when you relock on a different ROM your phone hard bricks. Always restore to the original ROM before relocking. Can people with Tencent (CN) phones with the global ROM and a locked bootloader flash the original CN ROM without unlocking the bootloader? If so, can you test the "Unlock Device App" to see if it works while on the CN (official) ROM? I got a feeling it might work in that situation.
falhumai96 said:
Some people have reported that you can't unlock the bootloader again after relocking, using the official "Unlock Device App", but I suspect it is an OS mismatch. This issue has only been observed on the Tencent (CN) version with the global ROM. Has anyone been able to unlock->relock->unlock on the same version of the phone, but not relocking while on the global ROM (i.e. relocking while on the stock CN ROM)?
I am surprised the phone did not hard brick. Usually, and this is a general case in almost all Android phones with bootloader unlock capability, when you relock on a different ROM your phone hard bricks. Always restore to the original ROM before relocking. Can people with Tencent (CN) phones with the global ROM and a locked bootloader flash the original CN ROM without unlocking the bootloader? If so, can you test the "Unlock Device App" to see if it works while on the CN (official) ROM? I gotta feeling it might work in that situation.
It's an identification mismatch. It's similar to when you throw your SIM card in a different phone and your carrier lists you as having a different phone. Based on the information that has been discovered, it would appear that CN to WW conversions were wiping out the stuff that makes your device your device.
twistedumbrella said:
It's an identification mismatch. It's similar to when you throw your SIM card in a different phone and your carrier lists you as having a different phone. Based on the information that has been discovered, it would appear that CN to WW conversions were wiping out the stuff that makes your device your device.
So, basically the bootloader unlock for Tencent devices will always be locked unless ASUS updates their unlock app, or has there been another way around it yet?
The unlock app should unlock the bootloader at least once. Unlocking it a second time has mixed results.
Hi there, can you guys help me? I'm one of those unlucky ones who got my phone corrupted and it won't boot anymore due to the boot loader. Is there a way to fix this?? I've got a ROG Phone 5s 16/512 on Android 12.
Hope you guys can help me! I know you guys have more amazing brain cells than me when it comes to these things lol
Oh! And my ROG is not the China version, thanks
0v3rkill said:
Hi there, can you guys help me? I'm one of those unlucky ones who got my phone corrupted and it won't boot anymore due to the boot loader. Is there a way to fix this?? I've got a ROG Phone 5s 16/512 on Android 12.
Hope you guys can help me! I know you guys have more amazing brain cells than me when it comes to these things lol
Oh! And my ROG is not the China version, thanks
You should be able to RAW flash yourself out of it if a factory reset doesn't work. This does happen when re-locking the WW.
Andrologic said:
You should be able to RAW flash yourself out of it if a factory reset doesn't work. This does happen when re-locking the WW.
Hi there mate, thanks heaps for taking time on my post. How do I do that? Can you send me a link to the step-by-step guide? Again, thanks.
0v3rkill said:
Hi there mate, thanks heaps for taking time on my post. How do I do that? Can you send me a link to the step-by-step guide? Again, thanks.
Below post from the help guide (credits to the contributors) has links to RAW firmware packages. You just need any one of the WW packages. Download it and with your device in bootloader mode, run one of the .bat flash scripts that you'll find in the RAW package. The version doesn't matter, you can simply update to the latest firmware once you're back up.
RAW Firmware Collection and Guide
All fastboot / adb commands require using the side USB-C port https://developer.android.com/studio/releases/platform-tools.html#download Make sure you have fastboot installed Add platform tools to PATH (post 2) Make a backup of anything...
forum.xda-developers.com
Andrologic said:
Below post from the help guide (credits to the contributors) has links to RAW firmware packages. You just need any one of the WW packages. Download it and with your device in bootloader mode, run one of the .bat flash scripts that you'll find in the RAW package. The version doesn't matter, you can simply update to the latest firmware once you're back up.
RAW Firmware Collection and Guide
All fastboot / adb commands require using the side USB-C port https://developer.android.com/studio/releases/platform-tools.html#download Make sure you have fastboot installed Add platform tools to PATH (post 2) Make a backup of anything...
forum.xda-developers.com
Hi there, I did follow and did the RAW setup; it got me through the boot loop. However, it's stuck on the system start-up updating screen and stays at 0%.
Darn, I thought I'm already dead! I didn't even know how I fixed it hahahaha! But it's working now; successfully downgraded to Android 11 because it's the only firmware I found, and managed to make it work again with a combination of a lot of research on Google and here on XDA. Working 100%: IMEI (two of them), fingerprint and SN are all intact. Thanks guys
For these few reasons I have to give up root & lock the boot-loader: 1. Financial apps stop working from time to time causing much grief; 2. I've used root functionality precisely for nothing for a year I've had it; 3. It was getting all too complicated to keep up with it all.
(The original intention for unlocking/rooting was to get some sort of unofficial VoLTE and VoWiFi for the mobile operator of my choice; however, it didn't help. Then a newer firmware implemented VoLTE and VoWiFi! So my impatience, admittedly couldn't be known at that point in time, backfired.)
I've nothing to preserve on the phone, due to having a Moto G 5G backup phone. I only had it working with adb & fastboot in my Linux laptop (up to date Fedora 36). I had no working Windows laptop then. But I do now. However, adb on Windows says the device is "unauthorised" (as expected); fastboot in it doesn't list the device. So I might be limited to my Linux laptop only. The phone was previously working on the last A11 WW firmware fine.
I've tried to follow the steps from the original post of this thread. First one worked with vendor_boot, dtbo & boot images (used only 18.0840.2202.231 versions of them). Second N/A. With third step, flash_raw_and_wipe_data.sh fails by core dumping.
Right now, the phone boots to fastbootd & not further. Any help is much appreciated.
(I think I'm inching towards fully bricking this phone. I'm not there yet, but getting closer. It'd be nice to get it working again without root & with a locked boot loader. Any help is much appreciated.)
This is where I'm at while executing step 3 of the initial guide in this post:
When powered on, in the usual boot loader unlocked warning page, it prompts for power key to be pressed to continue.
(Here if power switch is not pressed within 30 odd seconds, phone powers down automatically.)
Once power key is pressed, it lands in boot loader. Selecting Start, it goes back to boot loader. I think this is called a boot loop.
While in boot loader, selecting "Recovery mode", it progresses to "Android Recovery". Here selecting "Enter fastboot" appears to take it furthest in the booting process of landing at "Android Fastboot".
(The version info shown in Fastboot -- 18.0840.2202.231-0 -- matches the last A11 update I downloaded from the Asus website & had installed late March this year.)
I don't think it can boot any further at the state that it's in now.
I think this is where it needs a raw firmware to be flashed. This step keeps core-dumping in my Linux laptop when trying to use WW_ZS673KS_18.0840.2106.83_M3.13.24.40-ASUS_1.1.92_Phone-user.raw file that was linked in the original post. This version appears to be quite old. Could the version mismatch between what the phone was running recently (18.0840.2202.231) and the raw file (18.0840.2106.83) cause the core-dump issue? IOW, would somebody have a link for 18.0840.2202.231 raw file please?
I couldn't use my work Windows laptop due to an issue I cannot overcome (installation of driver needed for the phone is somehow blocked in it). So, soon I'll try it from a personal Windows laptop of my neighbor. Let's see if it can progress any further with the help of Windows platform.
In the meantime, I'd appreciate being informed of any tips and tricks, such as whether this is something that the phone cannot be recovered from. Or even somebody highly skilled might like to help me achieve a fully functional phone (with bootloader locked please) for a fair compensation. Please let me know. Thanks for any guidance.
nexusnerdgeek said:
This is where I'm at while executing step 3 of the initial guide in this post:
When powered on, in the usual boot loader unlocked warning page, it prompts for power key to be pressed to continue.
(Here if power switch is not pressed within 30 odd seconds, phone powers down automatically.)
Once power key is pressed, it lands in boot loader. Selecting Start, it goes back to boot loader. I think this is called a boot loop.
While in boot loader, selecting "Recovery mode", it progresses to "Android Recovery". Here selecting "Enter fastboot" appears to take it furthest in the booting process of landing at "Android Fastboot".
(The version info shown in Fastboot -- 18.0840.2202.231-0 -- matches the last A11 update I downloaded from the Asus website & had installed late March this year.)
I don't think it can boot any further at the state that it's in now.
I think this is where it needs a raw firmware to be flashed. This step keeps core-dumping in my Linux laptop when trying to use WW_ZS673KS_18.0840.2106.83_M3.13.24.40-ASUS_1.1.92_Phone-user.raw file that was linked in the original post. This version appears to be quite old. Could the version mismatch between what the phone was running recently (18.0840.2202.231) and the raw file (18.0840.2106.83) cause the core-dump issue? IOW, would somebody have a link for 18.0840.2202.231 raw file please?
I couldn't use my work Windows laptop due to an issue I cannot overcome (installation of driver needed for the phone is somehow blocked in it). So, soon I'll try it from a personal Windows laptop of my neighbor. Let's see if it can progress any further with the help of Windows platform.
In the meantime, I'd appreciate being informed of any tips and tricks, such as whether this is something that the phone cannot be recovered from. Or even somebody highly skilled might like to help me achieve a fully functional phone (with bootloader locked please) for a fair compensation. Please let me know. Thanks for any guidance.
Confirm that you can send fastboot commands to the device. It's a prerequisite for flashing the original boot img back or doing a RAW flash if boot looped. That's the very first step you need sorted and confirmed. Sounds like you may not be in the right Fastboot mode. The RAW version doesn't matter too much as long as it's in line with your device version, you just need it to get back up and can upgrade normally to other versions.
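A preflight check for the step Andrologic describes above: confirm that fastboot actually sees exactly one device, and that the device is in the bootloader rather than fastbootd, before running a RAW flash script. This is an added example, not part of the XDA guide or of anyone's post; the serial and the getvar output used in dry-run mode are constructed, and `is-userspace` is the standard fastboot variable that fastbootd answers with `yes`.

```shell
#!/bin/sh
# Preflight gate for a RAW flash: refuse to proceed unless exactly one device
# is visible to fastboot AND it is in the bootloader (not fastbootd).
# Set FASTBOOT_DRY_RUN=1 to exercise the parsers on constructed output.

# Count device serials in `fastboot devices` output ("SERIAL<TAB>fastboot" per line).
count_fastboot_devices() {
    # $1: captured output of `fastboot devices`
    printf '%s\n' "$1" | awk 'NF >= 2 && $2 == "fastboot" { n++ } END { print n + 0 }'
}

# Classify the mode from `fastboot getvar is-userspace` output:
# fastbootd (userspace) answers "is-userspace: yes", the bootloader answers "no".
fastboot_mode() {
    # $1: captured stdout+stderr of `fastboot getvar is-userspace`
    case "$1" in
        *is-userspace:*yes*) echo fastbootd ;;
        *is-userspace:*no*)  echo bootloader ;;
        *)                   echo unknown ;;   # FAILED / no device: treat as stop
    esac
}

# Returns 0 only when one device is present and it is in the bootloader.
preflight_ok() {
    # $1: `fastboot devices` output; $2: `getvar is-userspace` output
    [ "$(count_fastboot_devices "$1")" -eq 1 ] && [ "$(fastboot_mode "$2")" = bootloader ]
}

main() {
    if [ -n "${FASTBOOT_DRY_RUN:-}" ]; then
        # Constructed sample output, not captured from a real device.
        devs="$(printf 'M1AXB1234567\tfastboot\n')"
        mode_out="$(printf 'is-userspace: no\nFinished. Total time: 0.001s\n')"
    elif command -v fastboot >/dev/null 2>&1; then
        devs="$(fastboot devices 2>/dev/null)"
        mode_out="$(fastboot getvar is-userspace 2>&1)"
    else
        echo "fastboot not found in PATH (platform-tools not installed?)" >&2
        return 2
    fi
    if preflight_ok "$devs" "$mode_out"; then
        echo "OK: one device in bootloader mode; safe to run the RAW flash script"
    else
        echo "STOP: $(count_fastboot_devices "$devs") device(s), mode=$(fastboot_mode "$mode_out")" >&2
        return 1
    fi
}

# Only run the gate when invoked directly with a dry run or a real fastboot.
[ -n "${FASTBOOT_DRY_RUN:-}" ] && main
```

If the gate reports `mode=fastbootd`, `fastboot reboot bootloader` moves the device to the bootloader, which is where the RAW package's flash script expects it.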