[Q] do we really have a locked bootloader? - Motorola Atrix 2

Since we know that (the locked bootloader on the AT2) doesn't allow us to flash custom kernels, but we also know that we can unpack/repack boot images into boot.img-kernel and boot.img-ramdisk, that we can flash radio.img, and that we can flash non-signed system images (via CWM),
I cannot figure out the problem with the bootloader!
We can flash repacked boot (ramdisk and kernel) and radio images, so we have an unlocked bootloader.
Or maybe it's the eFuse problems?
Correct me if I'm wrong.

sad_but_cool1 said:
Since we know that (the locked bootloader on the AT2) doesn't allow us to flash custom kernels, but we also know that we can unpack/repack boot images into boot.img-kernel and boot.img-ramdisk, that we can flash radio.img, and that we can flash non-signed system images (via CWM),
I cannot figure out the problem with the bootloader!
We can flash repacked boot (ramdisk and kernel) and radio images, so we have an unlocked bootloader.
Or maybe it's the eFuse problems?
Correct me if I'm wrong.
You know there's a Q&A section, right? Also, this has been covered, like a gazillion times, both by Jim and by others who have had this device since day one -- and still do own it!

You can flash a custom kernel, but it will not boot. The stock kernel is signed by Moto and the bootloader checks for this signature every time at boot. No signed kernel, no boot. Ask Jim; he's replaced several A2s trying to circumvent that check.

mtnlion said:
You can flash a custom kernel, but it will not boot. The stock kernel is signed by Moto and the bootloader checks for this signature every time at boot. No signed kernel, no boot. Ask Jim; he's replaced several A2s trying to circumvent that check.
I'll try to flash a repacked/modified boot image (booting from SD card).
Anyway, this is not the bootloader being locked! It's eFuse related!

sad_but_cool1 said:
I'll try to flash a repacked/modified boot image (booting from SD card).
Anyway, this is not the bootloader being locked! It's eFuse related!
Instead of getting angry, I would suggest that you read and then read some more. Believe it or not, this phone has not been cracked. So read and learn... if not, then have fun making a paperweight! Don't come back and cry when your phone won't boot.
Sent from my MB865 using xda premium

sad_but_cool1 said:
I'll try to flash a repacked/modified boot image (booting from SD card).
Anyway, this is not the bootloader being locked! It's eFuse related!
Hmm... not sure where you got this info, but it is 100% incorrect. I would also suggest a little attitude adjustment on your part.
We have tried it all... if you are such an expert, then let us know once you have this unlocked.
I have been working, for some time, on a method to boot from the SD card with a rootkit to flash an unlocked bootloader that we have for this phone.
Now do some research, read, and post in the right section next time. If you keep on being a pain, I will have the thread locked.

Knock It OFF
Keep the thread "civilized".
Any more bickering and you'll get some early Christmas presents
The forums are open to anyone, so if you don't like replies, then don't post. And if you "Do" post, keep it civil.
Also, you guys have a filter option in your control panel, so you don't have to see each other's posts. I highly suggest you start using it.
MD

jimbridgman said:
Hmm... not sure where you got this info, but it is 100% incorrect. I would also suggest a little attitude adjustment on your part.
We have tried it all... if you are such an expert, then let us know once you have this unlocked.
I have been working, for some time, on a method to boot from the SD card with a rootkit to flash an unlocked bootloader that we have for this phone.
Now do some research, read, and post in the right section next time. If you keep on being a pain, I will have the thread locked.
What's the difference between a locked bootloader and eFuse protection?
What do you know about locked bootloaders?

sad_but_cool1 said:
What's the difference between a locked bootloader and eFuse protection?
What do you know about locked bootloaders?
OK, so an eFuse is a switch that can be thrown (it is a switch on the CPU, as well as in several other locations on the board) that, when thrown, can render the phone useless. All these bricks people have been getting lately are because an eFuse is thrown.
http://en.m.wikipedia.org/wiki/EFUSE
There are also several eFuses that allow the device to be seen as an NS (Non-Secure) device and will allow you to use the NS bootloader (it is unlocked), and we/I have been working on getting all 6 eFuse codes for a year now.
The bootloader in our case has three parts and several links in the security chain. Each step and/or link has a cert attached to it, and you cannot move to the next part until the correct cert is handed off to the next binary/loader in the chain.
This makes it so that we cannot repack boot images or flash unsigned kernels, or even some custom ROMs that require a custom kernel.
You need to realize that Moto makes their bootloaders un-crackable. The Bionic and RAZR are still locked, and the Atrix HD just got root last week or the week before, and they are locked worse than the A2.
I also look at it like this: if people like mbm, kohlk, hascode, etc. have not been able to crack the other Moto devices they work with, then we are pretty SOL.
Does this mean I give up? Hell no! It just means I am looking for alternative ways around the issue.
P.S. We can flash system images because the cert is in the filesystem code, and that is why we NEVER use format in an updater script, only erase.

As per http://www.sourceconference.com/publications/bos12pubs/android-modding-source.pdf
and
http://tjworld.net/wiki/Android/HTC/Vision/BootProcess
and
http://www.droid-developers.org/wiki/Booting_chain
http://www.droid-developers.org/wiki/File:Boot_chrain_flow.png
where is the problem in our case, and how does bootstrap (hijack) work?

sad_but_cool1 said:
As per http://www.sourceconference.com/publications/bos12pubs/android-modding-source.pdf
and
http://tjworld.net/wiki/Android/HTC/Vision/BootProcess
and
http://www.droid-developers.org/wiki/Booting_chain
http://www.droid-developers.org/wiki/File:Boot_chrain_flow.png
where is the problem in our case, and how does bootstrap (hijack) work?
OK, so first I need to know a little background from you. Are you a developer? Are you an Android dev? Have you done any Android dev work at all?
What did you not understand in my last post? Let's start with that, since I did explain it in good detail. Can you tell me the parts of our bootloader, before we go into any more detail?
The boot hijack allows us to hijack the boot process by using the logcat binary, which has setUID privs, so it is prime to steal for perms, and it has no FALCs or MACLs on it. What it does is it points (via a Linux link) to another file that will allow us to boot to some form of CWM, but you still traverse through all the bootloaders before that binary file is executed, and the system image must be verified first; that is why if you bork your system image badly enough you cannot get into CWM/bootstrap/bootmenu, etc.
Again, please ask me specific questions that you have about the bootloader. And understand that I am not a 5th grader, and that I do these things for a very, very good living, so stop posting documents that explain the whole boot chain and cryptography to me.
Now I will say this one last time: I and others have posted a ton of information on the bootloader and processes over the last year, and please stop reading things like what you posted; those are outdated and/or just plain incorrect, since Motorola is a whole different beast.
So one last time, please ask specific questions, and if this starts getting into how to unlock the bootloader, I will stop answering questions, as I have said a billion times in here that Motorola does read this board, and they have thwarted my efforts with patches in the past.
Look, I am a little sorry for being frustrated, or terse, but this has all been covered so many times, and it sounds like you really do not know what you are doing, and I really do not want to explain this all over again, unless you really do know what I am talking about. So far you have not struck me as someone who understands our phone's boot process, so I ask that you do a little more research first, tear the bootloader and its parts apart, and come back with specific questions. I will use your earlier use of the eFuse as a perfect example of what I mean by this.
I will leave you with a few last links to look at to get more familiar with a bootloader and why they are locked, and more:
http://androidforums.com/4657640-post1.html
http://www.tested.com/news/feature/1879-know-your-android-bootloaderwhat-it-is-and-why-it-matters/
Yes, everyone, and to the MODS: I am sorry that link was to another forum, but it is very valid to the point of this discussion.

Thanks man, I know that.
I can say that your AT&T AT2 is different from my AT2,
because I flashed a (repacked = not signed) stock boot image of 4.766 KB successfully.
Sent from my MB865 using xda app-developers app

sad_but_cool1 said:
Thanks man, I know that.
I can say that your AT&T AT2 is different from my AT2,
because I flashed a (repacked = not signed) stock boot image of 4.766 KB successfully.
Sent from my MB865 using xda app-developers app
Which phone and region are you in? We all know the AT&T version is a whole lot more locked down than any international version, and hence why we treat the AT&T phones so differently here. It might have been good to start off your thread with some information about that, so that we did not go down this whole path. Your OP was quite sparse, so just think about that next time. In fact there are 5 different Atrix 2 phones; even though there are only 2 model numbers, there are more differences between the regions the phones were released in, so those are also considered different versions, even to Motorola and us devs in here.

OK.
The topic was/is a question, not sparse.
I have an MB865 with originally MEARET radio/firmware, in the Middle East (Jordan).
Sent from my MB865 using xda app-developers app

sad_but_cool1 said:
OK.
The topic was/is a question, not sparse.
I have an MB865 with originally MEARET radio/firmware, in the Middle East (Jordan).
Sent from my MB865 using xda app-developers app
But that info was/is very relevant to your question. It has been known for some time now that the MEARET/SEARET versions have a whole different bootloader and boot process than any of the other versions of the A2. The MEARET and SEARET can still fxz back, where the ME865 and the US versions cannot.
Now, you say you modified YOUR boot image right off your phone, or you took one from, say, the fxz and modified it, then flashed it? Because those are two different situations. Both still have the signatures, if they are extracted right. I was able to do this as long as the kernel file/zImage was not touched; once I touched or played with that, it was all over on the US AT&T phones. The funny thing is that the only reason to mess with the boot image on the A2 is for a different kernel and possibly to OC, but again I am pretty sure that once you change the kernel in the boot image, even on the MEARET/SEARET phones, to say an AOSP kernel, you will not boot. It might be worth a shot, but keep in mind you have a huge chance of bricking by doing this.
And if you really want an unsigned kernel, why not just use kexec and be done with it? It has less potential of bricking you, even if you are not completely locked.

jimbridgman said:
both still have the signatures, if they are extracted right.
This is the key point,
but I'm not flashing a repacked bootloader (that needs RSA private keys from Motorola); my work was in the boot image.

sad_but_cool1 said:
This is the key point
But only the image itself, not anything modified in the image, if you do mod it... so if you stick an unsigned AOSP kernel in place of the stock zImage, I am betting it will not boot, and it might even brick the device. Just a theory, since I cannot test with a MEARET phone, but when I have done it with my own compiled kernels from our kernel code, it does not pass the kernel signature check from mbmloader and mbm.bin, and the device is bricked, on the AT&T phones.
---------- Post added at 12:02 PM ---------- Previous post was at 11:38 AM ----------
sad_but_cool1 said:
This is the key point,
but I'm not flashing a repacked bootloader (that needs RSA private keys from Motorola); my work was in the boot image.
I never mentioned the bootloader, just the boot.img

What I want to say is:
boot.img = signing(compiled boot.img-kernel + compressed boot.img-ramdisk.gz)
The boot.img-kernel is signed, but the ramdisk is not; the repacking process doesn't contain signing routines/functions,
so the repacked output will be unsigned!

I'll contact wkpark (http://forum.xda-developers.com/member.php?u=4414973) for more info.
Thanks all. MODs, you can delete this topic.

sad_but_cool1 said:
What I want to say is:
boot.img = signing(compiled boot.img-kernel + compressed boot.img-ramdisk.gz)
The boot.img-kernel is signed, but the ramdisk is not; the repacking process doesn't contain signing routines/functions,
so the repacked output will be unsigned!
The boot image is signed. The kernel is signed and the ramdisk/zImage is signed, on the AT&T US version.
So, again, the MEARET may be different. Be careful about blanket statements; people may get all excited by that.
The thing is that the US version and the HK/TW and the ME versions are all set up the same, with signatures at every step.
In the tests with unsigned ramdisk images on the AT&T US version, it has hard-bricked every time.

Related

Check this out...

http://androidcentral.com/team-hydro-bootmanager-coming-soon-puts-end-bootloops-forever-hacking
Very interesting... so if we get stuck in a bootloop we could just recover from a Nandroid backup without having to revert to stock, etc.
Sent from my MB865 with Tapatalk... pardon my swype!
Too bad that won't work for us... it is in the boot.img, and we can't touch that until we get the bootloader unlocked.
Good find though.
Jim
Sent from my MB865 using xda premium
I am pretty sure my phone was bootlooped, and how would you get it into recovery right now? I had to use the fastboot files to do it. It is a good idea though.
jimbridgman said:
Too bad that won't work for us... it is in the boot.img, and we can't touch that until we get the bootloader unlocked.
Good find though.
Jim
Sent from my MB865 using xda premium
Ah, never mind.
But just wondering... if it's based off of CWM, and we can reboot into CWM, and we can get CWM to appear on every boot... then shouldn't we be able to get something like this to work without modifying the boot.img?
cogeary said:
Ah, never mind.
But just wondering... if it's based off of CWM, and we can reboot into CWM, and we can get CWM to appear on every boot... then shouldn't we be able to get something like this to work without modifying the boot.img?
Nope, if you use the RAZR boot hijack, it is exactly that, a hijack. It uses several "Android/Linux" binaries that it "hijacks" to allow you to get into CWM just before the Android UI comes up, but after the kernel is started. To get the particular hack you mentioned working, you will have to modify the boot image to include the recovery on boot, which will start just before the kernel is actually started/starting.
Like others have said, since we have the fxz it does not really matter. Since I have really been doing some serious hacking and development on this phone, I have soft-bricked or boot-looped my phone I can't count how many times, and even the RAZR CWM on boot does not always help. A good backup from CWM and the fxz is where it is at, and really the best solution for things like this.
Most people on this site who have this phone really should not worry too much about these things, because the likelihood of doing this is very small unless you really are doing some serious hacking or development work like lfaber06 and I are. We will usually not release something to the rest of the world without testing it first and giving explicit directions on how to do the job without bricking the phone. For those brave souls that are trying to do some dev work and are new to it, until we get the bootloader unlocked, again the best bet is the fxz and a good backup from CWM.

[WIP][DEV] S-Off [off-topic discussion prohibited]

Hi All,
OK, the bootloader is unlocked, I am working on recovery, so the next challenge is.................... S-OFF!!! Aw, f%@ck, I thought I had my life back...
I invite all users with ideas and/or knowledge to jump in and tell me what they think I am doing right and what makes me a moron. I have no pride, so lay it on me.
I will post progress reports in Post #2.
Anyway, here's to getting this done quickly.
Steve
Moderator Edit
This Thread has been moved back to the development section in an effort to put an end to the off topic discussion.
Given the size of this thread I'm going to suggest that you USE the Search thread feature located at the top to make sure your suggestion or idea has not been attempted already.
ANY OFF TOPIC POSTS WILL BE DELETED!
Progress Reports
Just starting out...
One More
This is just in case...
Excellent.
JSLEnterprises said:
Excellent.
Thought I'd get out of your thread and the root thread....
sk806 said:
Thought I'd get out of your thread and the root thread....
I had to send another message to red not to reopen the think tank thread (title would have been edited obviously), but to still go ahead with the cleanups... lol
Sorry if I'm totally off base here, but I do believe reading on XDA somewhere that with the HTC One series phones, when you unlock the bootloader, it locks the phone from being able to flash recoveries.
This is the reason why I have waited to do the bootloader unlock: I didn't want to screw myself from ever being able to flash custom ROMs.
You have to use this unlock method for the bootloader, so why would it screw anything else up? It opens up all possibilities, not closes them.
killathenoob said:
Sorry if I'm totally off base here, but I do believe reading on XDA somewhere that with the HTC One series phones, when you unlock the bootloader, it locks the phone from being able to flash recoveries.
This is the reason why I have waited to do the bootloader unlock: I didn't want to screw myself from ever being able to flash custom ROMs.
Nope. I have flashed CWM recovery at least 4 times on an international One X AFTER unlocking the bootloader. I wish that were it....
I think you may be thinking of firmware, which is a real mess, because unlocking your bootloader can set your CID to "none", and thus you can't flash different firmware (i.e., EU firmware on an Asian phone)... not that that would matter for these carrier-branded phones...
Good job and great progress. Unfortunately, none of us AT&T users can join in on the fun.
killathenoob said:
Sorry if I'm totally off base here, but I do believe reading on XDA somewhere that with the HTC One series phones, when you unlock the bootloader, it locks the phone from being able to flash recoveries.
This is the reason why I have waited to do the bootloader unlock: I didn't want to screw myself from ever being able to flash custom ROMs.
If that were completely true, then the Tegra 3 models would not have CWM recovery... yet they do.
We just haven't figured out a working method for ours.
JSLEnterprises said:
If that were completely true, then the Tegra 3 models would not have CWM recovery... yet they do.
We just haven't figured out a working method for ours.
I think what killathenoob is trying to say is that it's only the ROGERS version of the One X where, when unlocking the BL, HTC has somehow locked the other partitions so that custom recoveries and kernels are not able to be flashed to the phone... which essentially could be the case, because all they said was that they will "unlock" the BL... BUT they never said they would NOT do anything else in the process. Maybe it's a possibility that has been overlooked... just THINK TANKING is all.
LNKNPRKFN said:
I think what killathenoob is trying to say is that it's only the ROGERS version of the One X where, when unlocking the BL, HTC has somehow locked the other partitions so that custom recoveries and kernels are not able to be flashed to the phone... which essentially could be the case, because all they said was that they will "unlock" the BL... BUT they never said they would NOT do anything else in the process. Maybe it's a possibility that has been overlooked...
I understand what you mean.
I wonder if the fact that it's a new proprietary Qualcomm chip is the reason why it's being 'limited'... so we may have to rethink the whole initialization process.
We can't even get to the point that logcat is able to start logging. So we're flying blind.
We've extended the time between loading and the soft reboot after the flash... but that doesn't tell us much.
I found the article I read; check it out:
http://mobilesyrup.com/2012/05/02/i...bootloader-unlock-tool-on-one-series-devices/
killathenoob said:
I found the article I read; check it out:
http://mobilesyrup.com/2012/05/02/i...bootloader-unlock-tool-on-one-series-devices/
Interesting. I think the lack of fastboot boot is what they are referring to. This would prevent custom kernel development on an S-OFF device, but should still allow flashing of insecure stock boot images, as with the int. HOX, although I read it again, and maybe they are talking about more than that. I am not sure that the article is saying that there is something different with the Rogers version vs. other versions, but it seems like there may be, and obviously with the AT&T version. I think I will spend a day just reading, trying to pick other devs' brains, and start fresh... thanks for the input.
Steve
sk806 said:
Interesting. I think the lack of fastboot boot is what they are referring to. This would prevent custom kernels being flashed on an S-OFF device, but should still allow flashing of insecure stock boot images, as with the int. HOX. I am not sure that the article is saying that there is something different with the Rogers version, but it seems like there may be, and obviously with the AT&T version. I think I will spend a day just reading, trying to pick other devs' brains, and start fresh... thanks for the input.
Steve
The 'fastboot boot' command works however, its how we got root in the first place.
... delegated to a Nigerian prince. Send money.
killathenoob said:
I found the article I read; check it out:
http://mobilesyrup.com/2012/05/02/i...bootloader-unlock-tool-on-one-series-devices/
Here is the actual RootzWiki article:
http://rootzwiki.com/news/_/articles/dear-htc-can-we-have-our-phones-back-r709
JSLEnterprises said:
The fastboot boot command works however, its how we got root in the first place.
... delegated to a Nigerian prince. Send money.
Whoa, very interesting. I was certain it did not on the Int one x.
JSLEnterprises said:
The 'fastboot boot' command works however, its how we got root in the first place.
... delegated to a Nigerian prince. Send money.
Just to be clear, you are not referring to fastboot flash boot, right?
Edit: never mind, just looked at Paul's post; it is fastboot boot. Wow.
killathenoob said:
I found the article I read; check it out:
http://mobilesyrup.com/2012/05/02/i...bootloader-unlock-tool-on-one-series-devices/
Again thanks for this. Back to the drawing board!!!!

How do we get a true CWM recovery, and not just a boot hack

Hey, so lkranser and I have made a great discovery tonight.
lkranser's recovery partition was erased due to some of my advice to him.
So I cat'd my recovery partition (/dev/block/mmcblk1p16) into a recovery.img file, and he was able to cat that recovery image file that I created into his recovery partition.
So now the question is how we can use this to our advantage, get CWM onto /dev/block/mmcblk1p16, and get it to come up when holding both volume buttons and the power button, as this is the way it works on every other phone.
Ideas, guys: this thread is a place to throw out some serious ideas to get this to work. Please don't ask for any how-tos for this here.
jimbridgman said:
Hey, so lkranser and I have made a great discovery tonight.
lkranser's recovery partition was erased due to some of my advice to him.
So I cat'd my recovery partition (/dev/block/mmcblk1p16) into a recovery.img file, and he was able to cat that recovery image file that I created into his recovery partition.
So now the question is how we can use this to our advantage, get CWM onto /dev/block/mmcblk1p16, and get it to come up when holding both volume buttons and the power button, as this is the way it works on every other phone.
Ideas, guys: this thread is a place to throw out some serious ideas to get this to work. Please don't ask for any how-tos for this here.
A few things.
1. It was not anything you did that made me wipe recovery; it was just me being a complete idiot.
2. Basically I think we need to figure out how to modify what you cat'd over. Then we can pull an image from a similar device that has a true CWM recovery and edit what we need to, like the specific partitions, in order for it to work on our phone. Then we can just cat it over and bingo! Working full CWM.
3. Why is it that stupid things I do always end up leading to great discoveries on here? This is like the 3rd time it has happened.
So, any ideas on how to mount that file in a way we can actually look at it?
---------- Post added at 09:39 PM ---------- Previous post was at 09:22 PM ----------
Some more stuff I found: http://www.clockworkmod.com/rommanager
That has official CWM recovery builds for all supported devices. Many have images; I think all the ones with unlocked bootloaders. Those images would be flashed with fastboot, or probably could be cat'd over like we did.
Others have flashable zips (all the Moto devices), and I think those are all the ones with locked bootloaders. I don't have time to dig into what they really do right now, but it appears that they just copy some files for recovery to /etc and other places, suggesting those devices have a different recovery method.
I still think the biggest priority is figuring out how to see the contents of the images, both our recovery stuff and those for other devices.
I can tell you what happened to me the other day. I was getting ready to use RSD as I was bootlooped and went to boot into fastboot, but accidentally booted into BP tools, and when it booted, it booted to CWM. So I tried it a couple of times with the same exact results. Fluke, IDK??? Haven't been in trouble since to try it again!
JRW 28 said:
I can tell you what happened to me the other day. I was getting ready to use RSD as I was bootlooped and went to boot into fastboot, but accidentally booted into BP tools, and when it booted, it booted to CWM. So I tried it a couple of times with the same exact results. Fluke, IDK??? Haven't been in trouble since to try it again!
What is BP tools even?
Sent from my MB865 using xda premium
lkrasner said:
What is BP tools even?
Sent from my MB865 using xda premium
I've wondered the same thing????
JRW 28 said:
I've wondered the same thing????
It never does anything for me. It just boots normally into the OS. That is why it is going to CWM if you have it set on boot. It did that for me too.
lkrasner said:
It never does anything for me. It just boots normally into the OS. That is why it is going to CWM if you have it set on boot. It did that for me too.
Yeah, but even on a normal boot I could never get past the red Moto screen; tried several times hoping to get into CWM and not have to RSD back.
Just weird that normal boot wouldn't work but BP tools did?
The only difference I could see is an app called CQATest in the drawer. It has many different tests available, about 50+.
Sent from my MB865 using xda premium
Made a major breakthrough. My internet is down though, so I can't really keep working on it or post details, but I should by tomorrow. Stay tuned. Stupid Comcast.
EDIT: I'm back up. So basically I figured out how to separate the kernel and ramdisk of both our boot and recovery images. It did not work to recombine them, but it may still be useful for building CyanogenMod to be able to have our straight kernel. PM me if you want more detail.
That said, it did not do exactly what I wanted, but I think at this point we should be able to simply build CWM according to the guides for it. I am doing it right now, and it is in the final build process, so I will let you know how it all turns out.
So, I got it built successfully, but it won't boot. It seems to be the same problem I had before with the stock one: it is way smaller when it is all put back together, around 5 MB instead of 9.
Any ideas why? It appears Motorola does not use the standard recovery stuff.
lkrasner said:
Made a major breakthrough. My internet is down though, so I can't really keep working on it or post details, but I should by tomorrow. Stay tuned. Stupid Comcast.
EDIT: I'm back up. So basically I figured out how to separate the kernel and ramdisk of both our boot and recovery images. It did not work to recombine them, but it may still be useful for building CyanogenMod to be able to have our straight kernel. PM me if you want more detail.
That said, it did not do exactly what I wanted, but I think at this point we should be able to simply build CWM according to the guides for it. I am doing it right now, and it is in the final build process, so I will let you know how it all turns out.
Yeah, I already have a Perl script to do all the separation, but it still puts the kernel into several files, and not just a single kernel file with a few separate .ko files.... If you found something that I haven't, then that is awesome.
Here is the script that I use to pull it out of the boot.img:
https://dl.dropbox.com/u/45576654/unpack-bootimg.pl
lkrasner said:
So, I got it built successfully, but it won't boot. It seems to be the same problem I had before with the stock one: it is way smaller when it is all put back together, around 5 MB instead of 9.
Any ideas why? It appears Motorola does not use the standard recovery stuff.
I suspected that might be the case.
jimbridgman said:
I suspected that might be the case.
Any ideas why?
Sent from my MB865 using xda premium
jimbridgman said:
Yeah, I already have a Perl script to do all the separation, but it still puts the kernel into several files, and not just a single kernel file with a few separate .ko files.... If you found something that I haven't, then that is awesome.
Here is the script that I use to pull it out of the boot.img:
https://dl.dropbox.com/u/45576654/unpack-bootimg.pl
Mine gave me a ramdisk.cpio.gz and a kernel.gz; I didn't extract that. It was also a Perl script, so probably the same one.
Sent from my MB865 using xda premium
I know I have posted here way too many times, but I want to get this to work.
It seems Motorola has done more weird **** to their recovery partitions. Normally you can use certain scripts and binaries to separate a boot or recovery image (they follow the same format) into the ramdisk and kernel. That SHOULD be all that is in them. You can then modify the ramdisk to your liking, or use the kernel with CWM or the like to make it work. However, it seems there is more to our image than just the ramdisk and kernel. When I extract them and repack them it seems to work fine, but the result is 5.5MB instead of 9.4MB with no modifications.
Does anyone have any idea what the deal is with that? I think if we can figure out that part we should be able to get a true custom recovery.
P.S. Are you sure we cannot replace our boot.img with this same copying method? That is, if we could even figure out how to modify it. Is there a hard-brick risk in trying? If so, any volunteers?
EDIT: So our boot image will unpack and repack to the exact same size, so I think that means we could theoretically edit the ramdisk if that would do any good. The question still remains whether the phone checks its signature on boot or only upon flash.
Any way to test if it checks on boot or flash?
Sent from my MB865 using xda premium
Harrison85 said:
Any way to test if it checks on boot or flash?
Sent from my MB865 using xda premium
I can make a small change that would make it unverified, then someone could copy it over and see if it boots. The problem is I am not 100% sure we would be able to restore to the original if it would not boot. I am 99% sure we would be fine, but I don't want to risk bricking completely. My guess is Jim will know if it is safe to test or even worth trying, but if you want to be the guinea pig just tell me and I'll send you instructions.
By all means, throw me instructions and I will give it a shot right now.
Sent from my MB865 using xda premium
Never mind. I was sort of wrong. Both images separate just fine and can be recombined, but extracting the ramdisk seems to not extract the whole thing; it is much smaller when it is repacked. Therefore you cannot really edit it at all.
Any ideas why? I think it is just Moto being a pain in the ass as usual.
lkrasner said:
Any ideas why? I think it is just Moto being a pain in the ass as usual.
That is it in a nutshell. They pack their boot image in a different way from all other phone manufacturers, and not in a standard way for android. That is why Moto has their own "special" non-standard bootloader. They use a bitblast to package the boot image files, on top of the standard tgz, so the important files are "zip blasted" on top of the others in "superbit blocks", so there is not much we can do, unless we can de-a-line them, but that is not something I even want to start poking at.
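The unpack/repack size mismatch discussed in the posts above (a 9.4MB image that repacks to 5.5MB, and a ramdisk that comes out smaller than it went in) is exactly what a tool that only reads the kernel and ramdisk sections produces when the image carries more data than those two sections. The following Python script is an added example and is not code from this thread, nor Jim's unpack-bootimg.pl: it parses the standard AOSP v0 boot image header (the ANDROID! magic, section sizes, page size), splits the sections the header describes, and reports how many bytes lie beyond them. The sample image, its second-stage section and the 4096 bytes of trailing data are constructed here for the demo; whether Motorola's images really carry extra data in that spot is not something this thread establishes, so treat the trailing-data case as an illustration of one possible cause.

```python
from __future__ import annotations
import struct

# boot_img_hdr v0 as laid out by AOSP mkbootimg: the fixed fields that decide
# where each section starts. The trailing extra_cmdline field is omitted here
# because it moves nothing: the header always occupies the first page.
HDR_FMT = "<8s10I16s512s8I"
MAGIC = b"ANDROID!"
PAGE_SIZE = 2048  # common default; a parser must read the real value from the header


def page_align(n: int, page: int) -> int:
    """Round n up to a multiple of page."""
    return (n + page - 1) // page * page


def build_boot_image(kernel: bytes, ramdisk: bytes, second: bytes = b"",
                     page: int = PAGE_SIZE, trailing: bytes = b"") -> bytes:
    """Assemble a v0 boot image. `trailing` appends data past the sections
    the header describes (constructed for this demo; addresses are placeholders)."""
    hdr = struct.pack(HDR_FMT, MAGIC,
                      len(kernel), 0x10008000,     # kernel_size, kernel_addr
                      len(ramdisk), 0x11000000,    # ramdisk_size, ramdisk_addr
                      len(second), 0x10F00000,     # second_size, second_addr
                      0x10000100, page, 0, 0,      # tags_addr, page_size, unused x2
                      b"demo", b"console=ttyO2",   # name, cmdline
                      *([0] * 8))                  # id[8]
    img = hdr.ljust(page, b"\0")
    for section in (kernel, ramdisk, second):
        img += section.ljust(page_align(len(section), page), b"\0")
    return img + trailing


def parse_boot_image(img: bytes) -> dict:
    """Split a boot image using the header's sizes and report how many bytes
    lie beyond what the header accounts for."""
    fields = struct.unpack_from(HDR_FMT, img, 0)
    if fields[0] != MAGIC:
        raise ValueError("not an Android boot image")
    kernel_size, _, ramdisk_size, _, second_size, _, _, page = fields[1:9]
    off = page  # the header occupies the whole first page
    sections = {}
    for name, size in (("kernel", kernel_size), ("ramdisk", ramdisk_size),
                       ("second", second_size)):
        sections[name] = img[off:off + size]
        off += page_align(size, page)
    return {
        "page_size": page,
        **sections,
        "described_size": off,      # bytes the header accounts for
        "actual_size": len(img),
        "trailing": img[off:],      # anything a header-driven unpacker never sees
    }


def naive_repack_size(img: bytes) -> int:
    """Size a kernel+ramdisk-only repack would produce: the second stage and
    any trailing data are silently dropped."""
    parts = parse_boot_image(img)
    page = parts["page_size"]
    return (page + page_align(len(parts["kernel"]), page)
            + page_align(len(parts["ramdisk"]), page))


if __name__ == "__main__":
    # constructed sample: 5000-byte kernel, 3000-byte ramdisk, a small second
    # stage and 4096 bytes of data past the described sections
    demo = build_boot_image(b"K" * 5000, b"R" * 3000, second=b"S" * 100,
                            trailing=b"T" * 4096)
    info = parse_boot_image(demo)
    print("actual", info["actual_size"], "described", info["described_size"],
          "trailing", len(info["trailing"]), "naive repack", naive_repack_size(demo))
```

Running a stock image through parse_boot_image before touching it tells you whether described_size equals actual_size. If it does not, the difference is data a kernel+ramdisk repack will drop, and the repacked image should be expected to differ in size and to fail any check the bootloader performs on the original.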

S-OFF - What can I do?

So I am a noob to HTC phones. I understand what S-Off is but I am not entirely sure what I could with my phone with it that I can't do now. I am trying to understand whether I should go through the process since there is always the risk of bricking. Thanks!
I have no idea what S-Off is :/ I need some enlightenment.
Sent from my One XL using Tapatalk
S-Off is the main thing that allows you to root your phone...
Sent from my GT-I9300 using xda app-developers app
A simple search on the net can tell you what it does,
but it does a lot of "techie" things you're not supposed to do.
mrjayviper said:
A simple search on the net can tell you what it does,
but it does a lot of "techie" things you're not supposed to do.
I did do that. It said that I could flash ROMs, radios, and stop my bootloader from saying unlocked. Most of these things, with the exception of the last, I can already do. I was just wondering if there is something that I could be missing out on. Thanks!
Contrary to popular belief, s-off actually has very little to do with your phone being rooted. S-OFF stands for Security-Off, which basically allows you to modify any partition on the device, and changes will not be reset upon a reboot. Also, the signature checking of the firmware zips is disabled, allowing users to flash unsigned firmware zips containing the separate images of the partitions.
Very simply put, that's what it is. There is a lot more to it that you guys can probably look up. For a user on an hboot below 1.14 it really doesn't do all that much, but it's very useful for devs and people post-hboot 1.14
I'm not totally sure what it will do for us, but it was easy enough for me to go through with it, took about 5 minutes if you've already got ADB/Fastboot set up.
I heard it could take away that stupid red paragraph when I boot and that was all I needed to hear haha
I feel like I just got a new toy but can't read the instruction manual... can I flash a new radio? do I need to do something special like flash through fastboot?
I know I sound like a broken record but
I'd love to see someone create a dual boot program for our phone.
Sent from my HTC One XL
BobbyDukes707 said:
I feel like I just got a new toy but can't read the instruction manual... can I flash a new radio? do I need to do something special like flash through fastboot?
You got to wait for the new tools to be released. Nothing happens automatically AFAIK.
You can flash ROMs on newer hboot without fastboot
Sent from my One X using Tapatalk 2
So how do you get rid of the red text on boot? And also, how can the unlocked/tampered flags be reset (while staying unlocked)?
31ken31 said:
So how do you get rid of the red text on boot? And also, how can the unlocked/tampered flags be reset (while staying unlocked)?
Things will come, just have to give the devs a chance since we just got s-off.
SouL Shadow gave an excellent response to the question here:
http://forum.xda-developers.com/showpost.php?p=38169711&postcount=2462
But as already indicated, things will come in the future, it really doesn't gain much at the moment. Especially for those still on pre-1.14 hboot (and can already flash radios, kernels from recovery).

[Q] Just throwing this idea out there

I should start by saying I am by no means experienced with unlocking bootloaders or hacking firmware, so if this is a completely noob idea then forgive me, but I thought I might as well see if I could help. Anyways, on to my idea: as we all know, the 4.3 bootloader is locked for good. So what if one was to corrupt the bootloader, like brick it on purpose to a point where the bootloader doesn't recognize any update being pushed, and then unbrick the phone with an older unlockable bootloader? Am I losing my mind due to having the locked 4.3, or is this plausible?
And while I have a thread open, could someone explain a few questions I have about knox? If knox is what is causing the bootloader to be locked and there's ways to disable knox, then wouldn't disabling knox make the bootloader unlockable?
ericcue said:
I should start by saying I am by no means experienced with unlocking bootloaders or hacking firmware, so if this is a completely noob idea then forgive me, but I thought I might as well see if I could help. Anyways, on to my idea: as we all know, the 4.3 bootloader is locked for good. So what if one was to corrupt the bootloader, like brick it on purpose to a point where the bootloader doesn't recognize any update being pushed, and then unbrick the phone with an older unlockable bootloader? Am I losing my mind due to having the locked 4.3, or is this plausible?
And while I have a thread open, could someone explain a few questions I have about knox? If knox is what is causing the bootloader to be locked and there's ways to disable knox, then wouldn't disabling knox make the bootloader unlockable?
This won't work.
The new update changes the keys on the entire bootloader; it's impossible to corrupt the bootloader to a point of failure because the entire thing is hard coded into the board itself. The processor is specifically able to recognize the vrucml1 bootchain, and it won't boot without it, unless someone finds a way to bypass that entire mechanism (which I would consider nearly impossible).
Knox is not causing the bootloader to be locked. Verizon patched our workaround for unlocking the bootloader and pushed it. Knox is simply a non-reversible flash counter for rooting your device. It's coded in the bootloader and system apps to detect this.
Sent from my SCH-I535 using Tapatalk 2
Ah I see. I guess I had trouble understanding that an OTA could completely and irreversibly lock a bootloader. There's got to be some kind of exploit for this at some point right? I'm not sure I can handle this 4.3 nonsense anymore!
And thanks for the knox explanation, I used to hate sprint for the things they did (like booting me for roaming) and now verizon is starting to tick me off.
ericcue said:
Ah I see. I guess I had trouble understanding that an OTA could completely and irreversibly lock a bootloader. There's got to be some kind of exploit for this at some point right? I'm not sure I can handle this 4.3 nonsense anymore!
And thanks for the knox explanation, I used to hate sprint for the things they did (like booting me for roaming) and now verizon is starting to tick me off.
There is probably no chance for an exploit to completely unlock a bootloader.
Hardware hacking is almost impossible because of the type of encryption it takes to make the processor and bootchain recognize each other. It's sensitive, and you need to match the numbers specifically to perform a boot. Everyone is familiar with an MD5 code; this is a fairly simple algorithm, and we all know that the slightest change in a bad download will generate a completely different MD5 sum. In this case, the algorithm is much more complex, and pretty much impossible to match and trick the phone into booting an incorrect bootloader. This is why straight-up hacking a bootloader is an impossible feat, so we mostly make workarounds.
All our unlocked bootloader was is a very early aboot block. The bootchain trusts the aboot file, and the aboot file trusts anything you put in the recovery and system partitions. Since the new bootchain requires a signed aboot file for ML1, it makes this exploit insignificant and the aboot file doesn't trust anything else you stick in the recovery or system partition.
Loki was another exploit that was patched. Kexec is an example of a workaround, and so is Safestrap, but these types of workarounds won't unlock the bootloader and allow AOSP ROM flashing.
Sent from my SCH-I535 using Tapatalk 2
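The chain of trust described in the post above (the on-chip bootchain requires a particular aboot, aboot decides what it accepts from the recovery and system partitions, and the early aboot block accepted anything) can be modelled with plain hashes. This Python model is an added example, not code from this thread or from any Samsung or Qualcomm component: the stage names, payload bytes and digest-pinning layout are constructed here, and SHA-256 digest pinning stands in for the public-key signatures real secure boot uses. It shows why a modified recovery is refused under the new aboot, why re-flashing the old permissive aboot is refused by the new bootchain, and why a single flipped bit changes the digest completely, which is the MD5 point made above.

```python
from __future__ import annotations
import hashlib

DIGEST_LEN = 32  # SHA-256 digest size in bytes


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_stage(code: bytes, child_image: bytes | None) -> bytes:
    """A stage image is its code followed by the digest it will accept for the
    stage it loads next. A permissive stage (the early aboot block) pins nothing."""
    pin = sha256(child_image) if child_image is not None else bytes(DIGEST_LEN)
    return code + pin


def pinned_digest(image: bytes) -> bytes:
    """The digest this stage carries for its child."""
    return image[-DIGEST_LEN:]


def boot(root_pin: bytes, chain: list[tuple[str, bytes]],
         permissive: frozenset[str] = frozenset()) -> tuple[bool, str]:
    """Walk the chain from the first mutable stage downwards.

    root_pin models the digest fixed in the immutable on-chip bootchain; each
    verified stage's own image then supplies the digest for the next one.
    Stages named in `permissive` hand off without checking anything."""
    expected = root_pin
    for name, image in chain:
        if expected is not None and sha256(image) != expected:
            return False, f"{name}: digest mismatch, refusing to boot"
        expected = None if name in permissive else pinned_digest(image)
    return True, "booted " + " -> ".join(name for name, _ in chain)


def hex_distance(a: bytes, b: bytes) -> int:
    """Number of differing hex characters between two digests (avalanche check)."""
    return sum(x != y for x, y in zip(a.hex(), b.hex()))


def scenario() -> dict[str, bool]:
    """Constructed images standing in for real partition contents."""
    stock_recovery = b"stock recovery code (constructed)"
    custom_recovery = b"custom recovery code (constructed)"
    new_aboot = make_stage(b"signed aboot (constructed)", stock_recovery)  # pins stock recovery
    old_aboot = make_stage(b"early aboot (constructed)", None)             # pins nothing
    new_root_pin = sha256(new_aboot)  # what the updated bootchain requires
    old_root_pin = sha256(old_aboot)  # what the pre-update bootchain trusted
    flipped = bytes([stock_recovery[0] ^ 0x01]) + stock_recovery[1:]  # one-bit change

    return {
        "stock_boots": boot(new_root_pin,
                            [("aboot", new_aboot), ("recovery", stock_recovery)])[0],
        "custom_recovery_new_aboot": boot(new_root_pin,
                            [("aboot", new_aboot), ("recovery", custom_recovery)])[0],
        "old_aboot_new_bootchain": boot(new_root_pin,
                            [("aboot", old_aboot), ("recovery", custom_recovery)],
                            frozenset({"aboot"}))[0],
        "old_aboot_old_bootchain": boot(old_root_pin,
                            [("aboot", old_aboot), ("recovery", custom_recovery)],
                            frozenset({"aboot"}))[0],
        "one_bit_flip_boots": boot(new_root_pin,
                            [("aboot", new_aboot), ("recovery", flipped)])[0],
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:28s} {'boots' if ok else 'refused'}")
    print("hex chars changed by one flipped bit:",
          hex_distance(sha256(b"abc"), sha256(b"abb")))
```

The model makes the structural point visible: every mutable stage is pinned by the stage before it, and the only stage nobody pins is the one that cannot be rewritten. Changing recovery breaks aboot's pin, and changing aboot to "fix" that breaks the bootchain's pin, so the chain has no mutable link to edit.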
BadUsername said:
There is probably no chance for an exploit to completely unlock a bootloader.
Hardware hacking is almost impossible because of the type of encryption it takes to make the processor and bootchain recognize each other. It's sensitive, and you need to match the numbers specifically to perform a boot. Everyone is familiar with an MD5 code; this is a fairly simple algorithm, and we all know that the slightest change in a bad download will generate a completely different MD5 sum. In this case, the algorithm is much more complex, and pretty much impossible to match and trick the phone into booting an incorrect bootloader. This is why straight-up hacking a bootloader is an impossible feat, so we mostly make workarounds.
All our unlocked bootloader was is a very early aboot block. The bootchain trusts the aboot file, and the aboot file trusts anything you put in the recovery and system partitions. Since the new bootchain requires a signed aboot file for ML1, it makes this exploit insignificant and the aboot file doesn't trust anything else you stick in the recovery or system partition.
Loki was another exploit that was patched. Kexec is an example of a workaround, and so is Safestrap, but these types of workarounds won't unlock the bootloader and allow AOSP ROM flashing.
Sent from my SCH-I535 using Tapatalk 2
You are a bundle of endless info. Thank you for breaking it down like this!
Edit: I have been curious for awhile about the technical aspect of everything you detailed.
That was amazing lol thanks for clearing all that up. Now I guess the race is on to find safestrap compatible roms. I'm running wicked sensations right now through safestrap and it seems pretty good but I was looking for a rom that could force 4g
SlimSnoopOS said:
You are a bundle of endless info. Thank you for breaking it down like this!
Edit: I have been curious for awhile about the technical aspect of everything you detailed.
I wish I knew more coding details, like what this stuff specifically looks like, but it's interesting researching all this material.
These are the kinds of questions I like, they really make you think about what's happening. I wish more users posted questions like these. One day someone might post something that might actually work. It's good creative thinking.
Sent from my SCH-I535 using Tapatalk 2
Kexec will allow flashing of aosp roms in addition to safe strap.
Sent from my SCH-I535 using Tapatalk
Dadud said:
Kexec will allow flashing of aosp roms in addition to safe strap.
Sent from my SCH-I535 using Tapatalk
Kexec might be able to, but it depends on whether that exploit has been patched or not; that kernel mechanism can also be shut down to disallow booting of a 2nd kernel. If the modules are written a certain way you're stuck with that initial boot.
Safestrap can't, it relies on a stock kernel to run, so unless someone makes an aosp rom to run with a 4.3 touchwiz kernel it won't work.
Sent from my SCH-I535 using Tapatalk 2
How did hashcode get cm 10.2 on the droid 3 using kexec and safe strap?
Sent from my SCH-I535 using Tapatalk
I love this thread so much. Thanks BadUsername and everyone else! So why exactly can't we use Kexec?
YevOmega said:
I love this thread so much. Thanks BadUsername and everyone else! So why exactly can't we use Kexec?
Getting kexec functionality isn't the easiest process. The holes that allowed kexec on 4.0.4 may have been patched due to the new Linux 3.0 kernel updated in newer versions.
Some developer would have to work on finding that loophole and enabling a second kernel to run.
Hashcode was able to do this on Motorola devices by rewriting the kernel modules to run differently. The way he did it wouldn't work for us anyway because they used OMAP devices. We have a Qualcomm processor; the loophole he used to enable kexec is completely different than what we would need to enable.
Additionally, it may not even be possible to enable kexec. The whole idea of a locked bootloader is to prevent this from happening. Loopholes constantly get patched, making enabling these types of workarounds increasingly more difficult.
Eventually the loophole that allows safestrap to even run will likely get patched. It's just the nature of making phones increasingly more difficult to root and unlock.
I hope someone has the time and passion to work on kexec, but I wouldn't necessarily count on it. There's likely a reason why it was never implemented on the s4.
Sent from my SCH-I535 using Tapatalk 2
BadUsername said:
Getting kexec functionality isn't the easiest process. The holes that allowed kexec on 4.0.4 may have been patched due to the new Linux 3.0 kernel updated in newer versions.
Some developer would have to work on finding that loophole and enabling a second kernel to run.
Hashcode was able to do this on Motorola devices by rewriting the kernel modules to run differently. The way he did it wouldn't work for us anyway because they used OMAP devices. We have a Qualcomm processor; the loophole he used to enable kexec is completely different than what we would need to enable.
Additionally, it may not even be possible to enable kexec. The whole idea of a locked bootloader is to prevent this from happening. Loopholes constantly get patched, making enabling these types of workarounds increasingly more difficult.
Eventually the loophole that allows safestrap to even run will likely get patched. It's just the nature of making phones increasingly more difficult to root and unlock.
I hope someone has the time and passion to work on kexec, but I wouldn't necessarily count on it. There's likely a reason why it was never implemented on the s4.
Sent from my SCH-I535 using Tapatalk 2
*Sigh*
YevOmega said:
*Sigh*
It's not the worst thing. In my opinion this phone runs really well on touchwiz roms anyway. Give some time for more roms to come out. Tkrom, cleanrom and jellybeans will all be spectacular when they come out.
Sent from my SCH-I535 using Tapatalk 2
BadUsername said:
It's not the worst thing. In my opinion this phone runs really well on touchwiz roms anyway. Give some time for more roms to come out. Tkrom, cleanrom and jellybeans will all be spectacular when they come out.
Sent from my SCH-I535 using Tapatalk 2
I totally agree with you. With root and a different launcher, I'm doing fine right now. Really wanted that new quick settings on Paranoid though.
Sent from my SCH-I535 using Tapatalk
Anyone else think that the information that BadUsername posted should be made a sticky?
Should have just rooted when you first got the phone haha
Sent from my SCH-I535 using xda app-developers app
XdrummerXboy said:
Should have just rooted when you first got the phone haha
You can gain root access on 4.3, but still can't unlock the bootloader.
The 4.3 OTA has truly downgraded the performance of my phone, so I'm not holding out much hope that 4.3 safestrapped ROMs will do much else - Samsung has rather let me down with this update (even outside of working with Verizon to lock the darn thing down much more tightly).
I used to say that custom ROMs were not needed, because the stock OS ran so well. Since the 4.3 OTA, it feels slower than when it first came with 4.0.4 (?) and has some of the old WiFi and Bluetooth issues back, again. On both of our Galaxy S III phones, btw. Not quite so fun, anymore.
- ooofest
ooofest said:
You can gain root access on 4.3, but still can't unlock the bootloader.
The 4.3 OTA has truly downgraded the performance of my phone, so I'm not holding out much hope that 4.3 safestrapped ROMs will do much else - Samsung has rather let me down with this update (even outside of working with Verizon to lock the darn thing down much more tightly).
I used to say that custom ROMs were not needed, because the stock OS ran so well. Since the 4.3 OTA, it feels slower than when it first came with 4.0.4 (?) and has some of the old WiFi and Bluetooth issues back, again. On both of our Galaxy S III phones, btw. Not quite so fun, anymore.
- ooofest
Oh, I didn't catch that. Thanks for the info. And ooofest, were you over at overclockers.uk? I thought I recognized that name from there, maybe it was only here though.
I've honestly lost track of the rooting requirements for this phone after I rooted. Best decision I've made with this phone! But I was nervous to do so...
I agree, it wasn't too terrible when it had 4.0.4, but compared to Cyanogenmod there's no comparison on which is smoother!
Sent from my SCH-I535 using xda app-developers app
XdrummerXboy said:
Oh, I didn't catch that. Thanks for the info. And ooofest, were you over at overclockers.uk?
Not that I recall, sorry. I used to be more active here and about, but then decided to go back into stock for 2013 and ramp up the rooting, unlocking, optimization, etc. in 2014.
It would always be ready to re-root and unlock, yes?
Well, never say "always."
XdrummerXboy said:
I agree, it wasn't too terrible when it had 4.0.4, but compared to Cyanogenmod there's no comparison on which is smoother!
Indeed.
- ooofest
