Related
disclaimer!
*this thread is not intending to promote the sale of any particular service or cell phone reseller.
*this thread is intended to provide info only. any questions,please ask,some i may add to the FAQ.
*please abide by all forum rules in posting so this thread can remain open
this method uses an official htc java card to turn off the phones security data. the card exists as a legitimate tool for cell phone shops and re-sellers,primarily for the purpose of removing the phones simlock.
since this method of s off is somewhat unusual,this thread is intended to help support folks that are unsure of the differences and similarities. use this info at your own risk.
in this first post,i thot a few FAQs needed to be put in one place,as they are being asked over and over again in the thread.
Frequently Asked Questions
Q: what is s off?what does it do for me?
A: in a nutshell,s-off=security off. it removes all security checks and allows access to all partitions of the phone this means you can:
-change hboot
-change splash inage
-change radios
-flash unsigned files
-go backwards in firmware versions
-other things that maybe ill add later
Q: is this java card process legit??
A:yes,it is. as mentioned above,the java card is a legitimate tool used by some large cell phone repair shops and re-sellers.
Q: how does this work?
A:the java card is plugged into a USB On The Go cable,and plugged into the phone. the java card contains htc-signed diagnostic files wich are used to clear security data. when the phone is booted to hboot with the java card plugged in,it finds the diagnostic file and jumps to a mode where the user can clear "s58" data. this removes any simlock,changes the CID to a generic "supercid",and most importantly,turns off the phones radio secure flag. hooray!
this video of an htc one x will give you a good idea what the process looks like:
HTC One X S-OFF
Q: what exactly is a java card?
A: simply,a java card is an sd card with a microprocessor in it. if someone wishes to provide a more detailed definition,id be happy to put it here.
Q: can we clone the java card so everyone can have s off?
A: yes. but its complicated,and the card to begin with is expensive. there have been some technical discussions about this,but the simple answer is that it is not easy,or practical to clone the java card.
Q: why do i have to pay for this?? shouldnt s off be free?
A: if you have a prollem paying for this service,you are welcome to purchase your own java card and offer the service for free. as has been stated,the java card is expensive- upwards of $1000 depending how may credits are included.
further,even if a software exploit was available,it is good custom to donate to the devs who brought you the tool. remember,no one here owes you custom roms,s-off,etc. support your devs and what they bring you.
Q: is the card good forever?
A: NO! the java card has a limited number of uses.
Q: how do i use this service?
A: you will need to track down a phone shop or reseller that has a card. these are not common,but are available in most countries with some searching.
Q: if im allready unlocked,should i still get s off?
A: in my opinion,yes. wether done via a java card or software exploit,s off is better. it allows more options to recover soft-bricked devices,and allows access to all partitions. an s on phone is still doing plenty of security checks. it also allows a permantly installed recovery to install the boot image. the downside is that your phone WILL let you brick it if your not careful. know what your flashing and why. double check md5 sums to verify the integrity of your downloads. a corrupt bootloader ot radio can damage your phone,potentially unrecoverably. if you just asked "what is an md5sum?" stop and google it now. there are numerous md5summers avaialable for free on the vast interweb,download one and start using it.
Q: if im allready unlocked and running a custom rom and recovery,do i need to take any precautions?
A: yes. the diag file is designed to work on stock software and firmware. i would strongly recomend to:
-restore a bone stock nandroid,or flash a bone stock rom
-reflash your stock recovery
-reflash your stock boot image if you were running a custom kernel
-select 'factory reset' option from hboot
Q: will this wipe my phone?
A: yes it will. so back up your sd card to the pc,and be prepaired to have to re-set everything up when you get it back.
Q: does my phone need to be active?
A: no it does not.
Q: does my sim card need to be present?
A: no it does not.
Q: how do i activate a spare phone while mine is away?
A:it depends on the phone. if you have a gsm phone,or a 4g vzw phone,you can simply swap over your active sim. if the sim is larger in the spare phone,adapters do exist for extremely cheap on ebay and amazon. alternately,you can call vzw,sprint,or your other cdma carriers, or go to their website to activate an older 3g device.
Q: how do i activate my phone when it comes back?
A: like you normally would. s off by itself does not change anything about the phone or how it oporates. its what you do afterward/modify that can have an impact on "normal" operation. so if you moved your sim into another phone,just move it back. if you mailed your phone directly to a reseller with the protective film still on it,then take everything out of the box and activate just like you would if it had just come from htc or your carrier.
Q: if my phone was carrier blocked by htc dev,will i be able to unlock the bootloader if my phone is s off?
A: yes. when the phone comes back,it will have "supercid". this ignores the mid(model id) check that htcdev does on the phone,and will let you get a token and unlock.
Q: are there advantages to unlocking the bootloader?
A: you have a couple extra fastboot commands you can use:
fastboot flash partition imagename.img
and
fastboot boot imagename.img
these commands are useful to install recovery,and boot images into phone memory. with fastboot bootfor example,you can temporarily launch recovery on the phone to flash su if you dont want to permantly install it.
Q: so do i NEED to unlock the bootloader to install recovery?
A: no,you do not. you can install recoveries and all other partitions as zip files. more info on that later.
Q: does superCID give you any benefits?
A: in a word,maybe. on a gsm device where you have multiple carrier and regional firmwares that will work,supercid is of value. with a device on vzw sprint,or other cdma carriers using specific firmware,you can only use those specific ruus anyway. further,accepting an OTA with supercid could leave you unrecoverably bricked,plus it may interfer some some verizon functions(i remember inc 4g users having issue,but the details escape me)
IMO,after unlocking your bootloader,if you choose to do so,you should change your CID back to stock VZW__001 (thats 2 underscores- cid is always 8 digits),HTC__001(again 2 underscores) or whatever it happened to be.
Q: is my cid unique to my particulare phone?
A: no,it is not. it is unique to a carrier or region. all verizon phones ever made have a cid of VZW__001
Q: how do i change my cid back to stock?
A: with this fastboot command:
fastboot oem writecid xxxxxxxx
Q: why is my cid always present on the hboot screen?
A: i dont know htc's logic,but this is simply what the phone does while its s off. it will display whatever your cid is,and is not dependent of your bootloader being locked or unlocked.
Q: what about the TAMPERED and unlocked/relocked badges?
A: if your phone was unlocked when you sent it in, youll get it back factory fresh locked. the tampered badge,i am unsure of at this time,and will update as more info is obtained.
if you sent in a brand new phone,it obviously wont be different(with exception of s off)
one of the big advantages of s off,is that the tampered flag is not triggered by adding a custom recovery or kernel,and since s off removes the various write protections that exist,it is posible to reset either flag. more info on the lock status flag here
Q: will an OTA change my s-off or lock status?
A: it is possible. altho,it is highly unlikely since turning the radio secure flags on via an OTA would also do so on legitimate pre-release test phones.
however...
it really is not reccomended that you try and take an OTA while rooted. a custom recovery is unable to install HTC's OTA pacakage,and attempting to do so ca jam you up horribly. taking an OTA with bloat and system files remove will typicaly result in failure,and taking an OTA with supercid could lead to a processor "do not boot" mode,wich is very effectively a hard brick only recoverable via jtag. or a new device.
the best way to update a rooted device is to update the rom with a recovery-flashable zip file,and the firmware extracted from the OTA package. this will update you just like taking the OTA. there is nothing magical about over the air updates. please,just do it manually. leave the OTAs for the stock crowd.
last and not least!
Q:what do i do once i get back my stock,s-off phone?
A: please see post 2
once you have recieved your stock,s off device back,your basic steps are:
1)change CID/MID back to stock
2)install a recovery
3)install a rom or root access
you have 2 options to install recovery:
1)unlock the bootloader and use fastboot commands
2)leave the bootloader locked,and flash a recovery as a zip file in RUU mode
either way works. i personally always keep my bootloader unlocked so i can use fastboot commands,but that is a personal preference.
to "root by recovery" is not a new concept. once there are no write protections,its easy to install a custom recovery,and use that recovery to either insert the superuser files into the stock rom,or replace the rom entirely.
1) change cid back to stock
this is actually very easy. simply put the phone in fastboot,change to fastboot directory,and enter in a cmd window:
fastboot oem writecid xxxxxxxx
in the case of vzw:
fastboot oem writecid VZW__001
yes,those must be capital letters,and there are 2 underscores.
2) install a recovery
via one of these 2 methods:
1)unlock the bootloader
your phone has come back from sonic with "supercid",wich will allow you to unlock the bootloader natuarally via the htcdev website. see this post for a bit more info on that.
unlocking the bootloader is fairly straightforward,just make sure you use a vzw one specific image. download from one of the following threads:
*links provided when available
the image is easily installed via an unlocked bootloader with the following command:
fastboot flash recovery imagename.img
for example,recovery named CW_touch_recovery:
fastboot flash recovery CW_touch_recovery.img
the image must be in your fastboot working directory.
if you need more specific help with unlock/recovery flashing you can use this guide.
2) keep locked bootloader
the bootloader can stay locked for this method. you can in fact use this to install a new image to any partition,as long as the image is packed up in a proper file.
this assumes a working adb/fastboot and drivers installed. if you dont have these things,you can use this guide from above,downloading the files in post 1,and following the set up adb and prepair to root part in step 2.
once you have adb and fastboot working,download one of the following recovery zip files. do NOT unzip or extract.
*links provided when available
your zip file is flashed in the following manner:
if youre working with a booted,operational phone,you can flsh the file in the following manner:
-open a cmd window
-change to adb/fastboot directory
cd c:\foldername
(cd c:\mini-adb if youve used any of my guides )
-place the zip file you want to flash into adb/fastboot directory
-enable usb debug,disable fastboot,plug in phone
-check for connectivity
adb devices (should return serial number)
-boot to fastboot
adb reboot bootloader
-check for connectivity again
fastboot devices
-flash the file
fastboot erase cache
fastboto oem rebootRUU (will put you in ruu mode,black screen silver htc letters)
fastboot flash zip zipfilename.zip (will send and flash the file. dont interupt it while the cmd window shows its writinging,and the green status bar is moving on the phone screen)
*sometimes a file will fail with a pre-update error. this is normal,just enter again:
fastboot flash zip zipfilename.zip
and this time it will finish
-when you get "finished" and "OK"
fastboot reboot-bootloader (takes you back to fastboot)
-reboot back to the OS
fastbooot reboot
you can use this if you dont have an operational phone as well. you just need to manually put the phone in fastboot(select from hboot menu) then skip the "adb" commands and start with fastboot devices
Click to expand...
Click to collapse
3) install a rom or root access
this is a simple matter of using recovery to either flash superuser,or flash a new rom. in either case,MAKE A BACKUP OF YOUR STOCK UNROOTED ROM!
flash superuser just as you would a rom,after a cache/dalvik wipe. theres tons of info out there on using recovery,so im not going in to great detail on that here.
i dont have this device(well,i dont have the vzw version) so dont ask me whats the best rom to flash. browse the development and original development sections and pick a couple out to try.
if you wish to just run rooted stock,i perosnally prefer superSU to other versions of superuser. you can download it from this thread
_____________________________________________________________________________________________
optional:
if you sent in your phone with a custom recovery installed,and it still is displaying the tampered banner,see this thread to remove it:
*link provided when available
if you want to lock,or unlock your bootloader without messing with htcdev,see this thread for those directions:
*link provided when available
if you want to restore your supermid from 0P6B2**** back to stock ,see this thread:
http://forum.xda-developers.com/showthread.php?p=51677666
_____________________________________________________________________________________________
*work in progress. there will likely be some revisions,but i wanted to get something up for the folks whose devices are coming back
I'm serious considering doing this, if only just so I can have full root. I understand that there won't be any developer support or roms until someone achieves a software exploit. But it would be nice to be able to flash full root.
One question though: I don't have much experience with HTC devices as I always used Samsung before but I'm tired of their locked bootloaders. Basically my question is, one method of s-off is as good as another right? S-off is s-off? And it won't effect my ability to get s-on again? Or use other people's methods for recovery/root and s-off/s-on right?
nicholi2789 said:
I'm serious considering doing this, if only just so I can have full root. I understand that there won't be any developer support or roms until someone achieves a software exploit. But it would be nice to be able to flash full root.
One question though: I don't have much experience with HTC devices as I always used Samsung before but I'm tired of their locked bootloaders. Basically my question is, one method of s-off is as good as another right? S-off is s-off? And it won't effect my ability to get s-on again? Or use other people's methods for recovery/root and s-off/s-on right?
Click to expand...
Click to collapse
Once you are S-Off u are S-Off unless you really screw something up but I have NEVER had any issues and I have owned 4 HTC devices with S-Off via exploits. S-Off is where it's at! Period Will have mine early next week with a Java S-Off... :good: And, we will have a recovery soon enough for our variant so it's just a matter of time before you can flash full root from recovery and then you are good to go. We probably won't see much development until enough people or devs get S-Off or unlocked bootloader. Time will tell but it WILL happen.
shojus said:
Once you are S-Off u are S-Off unless you really screw something up but I have NEVER had any issues and I have owned 4 HTC devices with S-Off via exploits. S-Off is where it's at! Period Will have mine early next week with a Java S-Off... :good: And, we will have a recovery soon enough for our variant so it's just a matter of time before you can flash full root from recovery and then you are good to go. We probably won't see much development until enough people or devs get S-Off or unlocked bootloader. Time will tell but it WILL happen.
Click to expand...
Click to collapse
Thanks for the response. Yeah I've been reading up on S-OFF and all the things you can do to HTC devices since before I got the M8 and still had my S4. I just haven't done any of it yet. It really seems like S-OFF is the only way to go if you want to have complete device freedom. Never had to have anything special to flash radios on Sammy devices. Anyways, yeah I have full faith that we will get S-OFF via an exploit sooner or later. That's why I chose the M8. Because in the past, no matter what, HTC devices always have bootloader exploits it seems like, or at least some development.
This thread is on zero tolerance as of now and will be closed permanently with the next breach of forum rules.
NotATreoFan said:
This thread is on zero tolerance as of now and will be closed permanently with the next breach of forum rules.
Click to expand...
Click to collapse
shojus said:
Click to expand...
Click to collapse
i think they dont want a name given
it also might be the grey market that java cards are. 1/2 this FAQ is not factual, but what do I know? *wink*
dr_drache said:
it also might be the grey market that java cards are. 1/2 this FAQ is not factual, but what do I know? *wink*
Click to expand...
Click to collapse
What is not factual? I'd be happy to correct anything that is not.
Sent from my HTC6435LVW using Tapatalk
scotty1223 said:
What is not factual? I'd be happy to correct anything that is not.
Sent from my HTC6435LVW using Tapatalk
Click to expand...
Click to collapse
well, not to go too deep, javacards at the price you posted, are clones of real ones, sold on the grey market. not necessarily legal, using NDA covered files.
dr_drache said:
well, not to go too deep, javacards at the price you posted, are clones of real ones, sold on the grey market. not necessarily legal, using NDA covered files.
Click to expand...
Click to collapse
That number was for a small credit card from the UK. It was supposed to be legit, but I obviously can't prove or verify it.
Thanks for the info
For the record, my main intention is to provide info about the mechanics. Not really trying provide cost or purchase info
Sent from my HTC6435LVW using Tapatalk
scotty1223 said:
That number was for a small credit card from the UK. It was supposed to be legit, but I obviously can't prove or verify it.
Thanks for the info
For the record, my main intention is to provide info about the mechanics. Not really trying provide cost or purchase info
Sent from my HTC6435LVW using Tapatalk
Click to expand...
Click to collapse
So, how do I know if my phone was S-Off'd via a java card or Firewater? What is the difference? TIA
shojus said:
So, how do I know if my phone was S-Off'd via a java card or Firewater? What is the difference? TIA
Click to expand...
Click to collapse
If it comes back supercid and supermid,then it was s offed via the java card. If cid and mid are correct you have no way of knowing for sure,since the cid and mid are easily restored
Sent from my HTC PG09410 using Tapatalk 2
scotty1223 said:
If it comes back supercid and supermid,then it was s offed via the java card. If cid and mid are correct you have no way of knowing for sure,since the cid and mid are easily restored
Sent from my HTC PG09410 using Tapatalk 2
Click to expand...
Click to collapse
I'm not sure but from pics I seen of exploit don't it throw the tampered flag? As last time I used java card that was not the case
I know that can be restored. I'm guessing he restored cid mid because there were people complaining that he should change this back if you use his services. Just a total guess
Sent from my HTC6525LVW using XDA Premium 4 mobile app
scotty1223 said:
If it comes back supercid and supermid,then it was s offed via the java card. If cid and mid are correct you have no way of knowing for sure,since the cid and mid are easily restored
Sent from my HTC PG09410 using Tapatalk 2
Click to expand...
Click to collapse
That's my dilemma here... Mine came back yesterday with cid and mid correct.
Tigerstown said:
I'm not sure but from pics I seen of exploit don't it throw the tampered flag? As last time I used java card that was not the case
I know that can be restored. I'm guessing he restored cid mid because there were people complaining that he should change this back if you use his services. Just a total guess
Sent from my HTC6525LVW using XDA Premium 4 mobile app
Click to expand...
Click to collapse
the java card will not throw the tampered flag. the exploit... i dont think so,but im not 100% sure.
shojus said:
That's my dilemma here... Mine came back yesterday with cid and mid correct and I am a tad skeptical.
Click to expand...
Click to collapse
i would assume that he corrected the cid and mid in order to provide better service. sorry i cant think of any other ways to know for sure.
Me either but I will discuss this elsewhere . Thanks
scotty1223 said:
i would assume that he corrected the cid and mid in order to provide better service. sorry i cant think of any other ways to know for sure.
Click to expand...
Click to collapse
That is what he said to me he did.
Sent from my HTC6525LVW using XDA Premium 4 mobile app
hello all,
I am interested in locking the bootloader on a sg3, any leads on what steps I may need to accomplish this?
thank you
What carrier are you on?
redusk said:
What carrier are you on?
Click to expand...
Click to collapse
its unlocked, but it would be the canadian variant i747m, also have a intl variant somewhere, i9300 or something
The French Tickl3r said:
hello all,
I am interested in locking the bootloader on a sg3, any leads on what steps I may need to accomplish this?
thank you
Click to expand...
Click to collapse
It's not an easy way. Some eMMC have command to write-protect some areas (temporary, or permanently). But these eMMC commands usually are not presented in source code of kernel because there are no practical reasons to use them (unless you are original manufacturer). So, you need to detect what eMMC chip used in your phone, then find good datasheet to find appropriate command (if any). Then write utility to execute this command (and if you write protect a wrong block then there is no way back).
Thus, you need to be a skilled low-end developer to accomplish this task.
If you mean lock like it's done in phones with locked bootloader - then it's completely different story. In this case, write-protect-till-power-off lock used. So, when such phone boots, whole eMMC is available for writing. And then on the very early stage bootloader executes command write-protect-till-power-off, and you can't write anything to bootloader till you turn power off. If you want to accomplish this behaviour then you have to write your own bootloader, which is not simpler than task above. More over, you won't be able to write your own bootloader because it requires to be signed by private master key, which only Samsung lab has
sorg said:
It's not an easy way. Some eMMC have command to write-protect some areas (temporary, or permanently). But these eMMC commands usually are not presented in source code of kernel because there are no practical reasons to use them (unless you are original manufacturer). So, you need to detect what eMMC chip used in your phone, then find good datasheet to find appropriate command (if any). Then write utility to execute this command (and if you write protect a wrong block then there is no way back).
Thus, you need to be a skilled low-end developer to accomplish this task.
If you mean lock like it's done in phones with locked bootloader - then it's completely different story. In this case, write-protect-till-power-off lock used. So, when such phone boots, whole eMMC is available for writing. And then on the very early stage bootloader executes command write-protect-till-power-off, and you can't write anything to bootloader till you turn power off. If you want to accomplish this behaviour then you have to write your own bootloader, which is not simpler than task above. More over, you won't be able to write your own bootloader because it requires to be signed by private master key, which only Samsung lab has
Click to expand...
Click to collapse
thank you for the detailed response. i shall not pursue this any longer.
best regards, from cloudy montreal
Introduction
This is the bootloader unlock from ZTE. It was provided to me in private email by a ZTE engineer.
Warning
This package is for the USA version of the Axon 7 Mini (tulip) running 7.1.1 b14 firmware. If you are running any other device or firmware version, it may not work.
Note
After some testing, it appears that the Axon 7 Mini is not locked in any way. In other words, apparently neither this package nor tuliptool's unlock are required to flash custom ROMs. The only apparent advantage to flashing this is to get access to fastboot, which provides a way to flash a custom boot and recovery (among other things).
Flashing Instructions
Place axon_mini_unlock.zip on the root of your sdcard.
Reboot into recovery.
Select "Apply update from SD card".
Select axon_mini_unlock.zip.
Usage Instructions
After the package is flashed, you may boot into the bootloader:
adb reboot bootloader
Once in the bootloader, you will see an on-screen menu. Additionally, you may access the typical fastboot commands:
fastboot oem device-info
fastboot oem unlock
fastboot flash ...
... etc ...
Download
axon_mini_unlock.zip
md5: ea8f1a21c8a46b3045d00f17a37fe359
So, after this is done, I can flash TWRP through fastboot and tuliptool is no longer necessary, correct?
Yes, that is correct.
JoeGatto said:
So, after this is done, I can flash TWRP through fastboot and tuliptool is no longer necessary, correct?
Click to expand...
Click to collapse
This package is for the USA version of the Axon 7 Mini (tulip) running 7.1.1 b14 firmware. If you are running any other device or firmware version, it may not work.
Click to expand...
Click to collapse
Is this something your contact mentioned or something that you believe based on your experience?
Any harm in trying it on verdandi/other versions without any risk of bricking?
After some testing, it appears that the Axon 7 Mini is not locked in any way. In other words, apparently neither this package nor tuliptool are required to flash custom ROMs. The only apparent advantage to flashing this is to get access to fastboot.
Click to expand...
Click to collapse
Any way to confirm this is also the case with other versions as well?
Thanks TDM.... you're going to have a lot of Canadians asking about verdandi as it is quite cheap here at the moment. Better get those questions out of the way early. The source is released, same kernel version as the U.S. one with some small differences with drivers (from what I can see) and I am sure that if people know that custom roms are possible on that version (not bootloader locked forever) it would be appreciated.
trpn111 said:
Is this something your contact mentioned or something that you believe based on your experience?
Any harm in trying it on verdandi/other versions without any risk of bricking?
Any way to confirm this is also the case with other versions as well?
Thanks TDM.... you're going to have a lot of Canadians asking about verdandi as it is quite cheap here at the moment. Better get those questions out of the way early. The source is released, same kernel version as the U.S. one with some small differences with drivers (from what I can see) and I am sure that if people know that custom roms are possible on that version (not bootloader locked forever) it would be appreciated.
Click to expand...
Click to collapse
Yeah...verdandi is stuck on Marshmellow. But since it has different hardware it could brick if this is tried.
The ZTE engineer is USA based, he is not on the China development team (read: probably a support engineer). He said: "I attached the unlock update zip package, please try it. It is based on B14 build."
Sorry, that's all I have to go by for "official" information.
I do not want to be responsible for anyone bricking their device, so I cannot claim that this bootloader will work with anything other than a tulip device running 7.1.1 b14.
If you want to try and report back, I'm sure others will appreciate it. But I can't be responsible for the results.
trpn111 said:
Is this something your contact mentioned or something that you believe based on your experience?
Any harm in trying it on verdandi/other versions without any risk of bricking?
Any way to confirm this is also the case with other versions as well?
Thanks TDM.... you're going to have a lot of Canadians asking about verdandi as it is quite cheap here at the moment. Better get those questions out of the way early. The source is released, same kernel version as the U.S. one with some small differences with drivers (from what I can see) and I am sure that if people know that custom roms are possible on that version (not bootloader locked forever) it would be appreciated.
Click to expand...
Click to collapse
Oh, and here is some more information to help you decide...
The volume key combo to enter EDL is handled by aboot (bootloader, eg. the thing we are flashing). This means even if you aren't currently able to use the key combo, you should be able to use it with the new aboot here. And if you can get to EDL, you can never really brick the device.
The volume key combo is detected very early in the aboot code. Like, first thing after basic platform init. So even if this isn't compatible with your device, it's likely we could restore the old aboot (assuming you back it up first, of course).
I'm convinced that the tulip is not locked based on my investigation today. So I have no idea if this aboot is properly signed. If your device is locked and this aboot is not signed properly, the lower boot loader won't load it. I'm not quite sure if that kicks you into EDL or not.
Not sure if that makes the decision easier or harder...
How did you come to the conclusion that tulip is not locked to begin with? If we don't need tuliptool or this aboot, how can I check verdandi if the device is the same 'locked but not really locked' state?
I will have a read about backing up aboot and see what I come up with concerning getting into edl.
So here's the deal...
I initially assumed the bootloader was locked because... well... it's supposed to be. So I found the place in aboot code where it checks the lock flag in the devinfo partition. I used the firehose to write unlocked to that flag. Then I built TWRP, flashed it and it booted. So I assumed everything was working just as I expected.
Today, I flashed the aboot with fastboot support and ran "fastboot oem device-info". It said that my device was locked. So I went to look and, sure enough, my devinfo partition flag was still set. Hmm, that's odd.
So I wrote locked back to the flag. TWRP still booted. Now things are looking pretty suspicious.
But maybe the new aboot doesn't even support locking? So I flashed the original b14 version of aboot and TWRP still booted.
That's pretty hard evidence that aboot is ignoring the lock flag. I don't know what they did -- whether they just removed the code that reads the lock flag or introduced a bug or what.
This does not necessarily mean that the lower layers are unlocked. That is, the lower boot loader may still required a properly signed aboot. I don't know, and I'm not ready to brick my device trying to find out.
trpn111 said:
How did you come to the conclusion that tulip is not locked to begin with? If we don't need tuliptool or this aboot, how can I check verdandi if the device is the same 'locked but not really locked' state?
I will have a read about backing up aboot and see what I come up with concerning getting into edl.
Click to expand...
Click to collapse
Hmm... Looks like this package incompatible with ZTE/P852A11/tulip.
Got error while trying to flash it by stock recovery. Error message says that it is for A12 version of tulip.
Ah, yes, you have the euro model. See the "calling all mini owners" thread, posts #76 and #77.
maestromony said:
Hmm... Looks like this package incompatible with ZTE/P852A11/tulip.
Got error while trying to flash it by stock recovery. Error message says that it is for A12 version of tulip.
Click to expand...
Click to collapse
i get a message saying "cant update from sd card?"
yeshivabachur said:
i get a message saying "cant update from sd card?"
Click to expand...
Click to collapse
Make sure battery level is at least 30% before applying any update. It's a standard protection feature.
JoeGatto said:
Make sure battery level is at least 30% before applying any update. It's a standard protection feature.
Click to expand...
Click to collapse
My battery was 80%+ mine still said can't update from sdcard
Aries2010 said:
My battery was 80%+ mine still said can't update from sdcard
Click to expand...
Click to collapse
Try turning on the OEM unlock setting in developer settings.
JoeGatto said:
Try turning on the OEM unlock setting in developer settings.
Click to expand...
Click to collapse
Thank you so much that worked I appreciate the it . Now I have one more question I have been searching for a way to root stock rom but I can't find any instructions on it. Could you walk me through it or post a link for me if possible? I have the USA mini 7 with B14 firmware
Aries2010 said:
Thank you so much that worked I appreciate the it . Now I have one more question I have been searching for a way to root stock rom but I can't find any instructions on it. Could you walk me through it or post a link for me if possible? I have the USA mini 7 with B14 firmware
Click to expand...
Click to collapse
Rooting the stock ROM will require that you remove verity, so that the OS won't refuse to boot once you've made any changes to the system partition. You'll need to use tuliptool to flash a new boot image, which you can find in this section of the forum. Then, you could either install TWRP through fastboot or using tuliptool.
JoeGatto said:
Rooting the stock ROM will require that you remove verity, so that the OS won't refuse to boot once you've made any changes to the system partition. You'll need to use tuliptool to flash a new boot image, which you can find in this section of the forum. Then, you could either install TWRP through fastboot or using tuliptool.
Click to expand...
Click to collapse
Thank you sir I appreciate it I shall try it tomorrow.
here's a stupid question.... I have only dealt with Samsung devices so, I have trouble understanding any other kind of process that is not Samsung. If a new update comes out while my device is bootloader unlocked can i update it? or will it brick my device?
The "standard" (not Samsung) method of updating via OTA is to ship:
1. Full images of any firmware partitions (rpm, tz, aboot, etc.)
2. Full image of boot.
3. A delta (patch) to system.
Also note that custom recoveries generally do not work with vendor OTA's.
This means that if you wish to apply an OTA, you must first have stock recovery and a completely pristine, unmodified system partition. The rest doesn't matter.
yeshivabachur said:
here's a stupid question.... I have only dealt with Samsung devices so, I have trouble understanding any other kind of process that is not Samsung. If a new update comes out while my device is bootloader unlocked can i update it? or will it brick my device?
Click to expand...
Click to collapse
Want to buy this phone. Need it rooted to do a couple things. Has anybody gotten TWRP and root on it yet?
You can root it by first unlock the bootloader then install magisk via patch boot image method.
How should I get the boot image to actually use that method?
You can download the firmware here: https://mirrors.lolinet.com/firmware/moto/foles/official/RETUS/
Inside zips, find boot.img
Does anyone know anything about custom recovery TWRP yet that's what I'm looking for
there is no custom recovery
ahalol said:
You can root it by first unlock the bootloader then install magisk via patch boot image method.
Click to expand...
Click to collapse
What is the way to unlock the bootloader? I don't believe Motorola officially released it for the phone yet. Have you rooted this phone?
Thereplierbro said:
What is the way to unlock the bootloader? I don't believe Motorola officially released it for the phone yet. Have you rooted this phone?
Click to expand...
Click to collapse
Official unlock from Motorola is available, as long as you aren't referring to the Verizon version.
wraith1932 said:
Official unlock from Motorola is available, as long as you aren't referring to the Verizon version.
Click to expand...
Click to collapse
Does the Verizon one have a greyed out "OEM Bootloader unlock"
Because I bought one off offer up that had the button available but it was purchased from Verizon
Also I asked Motorola for the unlock website an they said they haven't released it yet for Moto z4
Can't say for sure myself, I got the carrier unlocked version. But I believe that button in the options is there no matter what, I remember it on my original Z Force Droid (Verizon only version, no bootloader unlock, official or not).
I would bet that, if it was bought at Verizon, then there won't be a bootloader unlock available - ever.
Dunno what that last part is supposed to mean... Never saw a device-specific Moto Bootloader Unlock page, going all the way back to the original Moto X. There's the page explaining the unlock process, a disclaimer ("anything you do from here isn't our fault, or responsibility to fix" basically), and a link to the next step (with a "log in to Moto" in between). After login, it brings you to instructions to get a code to put in, and the button to check if the device is eligible for unlocking the bootloader.
I would include a link to the first page if I could. Almost there, just one more post...
wraith1932 said:
Official unlock from Motorola is available, as long as you aren't referring to the Verizon version.
Click to expand...
Click to collapse
wraith1932 said:
Can't say for sure myself, I got the carrier unlocked version. But I believe that button in the options is there no matter what, I remember it on my original Z Force Droid (Verizon only version, no bootloader unlock, official or not).
I would bet that, if it was bought at Verizon, then there won't be a bootloader unlock available - ever.
Dunno what that last part is supposed to mean... Never saw a device-specific Moto Bootloader Unlock page, going all the way back to the original Moto X. There's the page explaining the unlock process, a disclaimer ("anything you do from here isn't our fault, or responsibility to fix" basically), and a link to the next step (with a "log in to Moto" in between). After login, it brings you to instructions to get a code to put in, and the button to check if the device is eligible for unlocking the bootloader.
I would include a link to the first page if I could. Almost there, just one more post...
Click to expand...
Click to collapse
All other phones, if the button is not greyed out and you can press the option (and it asked for your password) then it's unlockable. I know because I got a few freaking pixel phones with non usable Bootloader. Wasted about $1,000 looking for a cellphone to use with Sprint that I can root. Every one of them is Verizon.
https://support.motorola.com/us/en/solution/ms87215
DM Verity disabled too?
What about DM verity? Has anyone figured out how to disable that? I need to add a couple of lines to the build.prop file, but can't seem to change the write permissions even with root; any edits made directly on the phone using an editor with root permissions, don't persist after a system reboot. Edits made to the build.prop file externally, and pushed pre-boot via ADB, result in boot loop due to DM verity failing.
(For clarity, I do not have this phone, yet, I have a Z2 Play, but I faced these challenges with that device too)
Jade Eyed Wolf said:
What about DM verity? Has anyone figured out how to disable that? I need to add a couple of lines to the build.prop file, but can't seem to change the write permissions even with root; any edits made directly on the phone using an editor with root permissions, don't persist after a system reboot. Edits made to the build.prop file externally, and pushed pre-boot via ADB, result in boot loop due to DM verity failing.
(For clarity, I do not have this phone, yet, I have a Z2 Play, but I faced these challenges with that device too)
Click to expand...
Click to collapse
I hope a real dev jumps on board to this cellphone. It's pretty decent for what it is honestly
Thereplierbro said:
I hope a real dev jumps on board to this cellphone. It's pretty decent for what it is honestly
Click to expand...
Click to collapse
One of my main reasons for waiting to get one
Jade Eyed Wolf said:
One of my main reasons for waiting to get one
Click to expand...
Click to collapse
It's basically useless until then
Could I get a little guidance on how to patch and flash the boot image? I have ADB/Fastboot setup as well as the XT1980-4 firmware downloaded.
Do I just place the boot.img file on my phone, patch it in Magisk Manager, and flash with fastboot? Anything I need to be careful of?
Also, how should I go about backups here? I've only messed with this stuff when I had a Galaxy S4, everything was super simple with easy bootloader unlock and custom recovery.
battleof3 said:
Could I get a little guidance on how to patch and flash the boot image? I have ADB/Fastboot setup as well as the XT1980-4 firmware downloaded.
Do I just place the boot.img file on my phone, patch it in Magisk Manager, and flash with fastboot? Anything I need to be careful of?
Also, how should I go about backups here? I've only messed with this stuff when I had a Galaxy S4, everything was super simple with easy bootloader unlock and custom recovery.
Click to expand...
Click to collapse
What you said was correct. That's how you patch and flash. Nothing particular to be careful. The only thing would be in order to receive future OTA, you should not modify you /system and /vendor partition during your use of the phone.
ahalol said:
What you said was correct. That's how you patch and flash. Nothing particular to be careful. The only thing would be in order to receive future OTA, you should not modify you /system and /vendor partition during your use of the phone.
Click to expand...
Click to collapse
Dug a little deeper and bootloader is locked tight, no flashing for me. Returning and buying a secondhand LG V30 for cheap. It's unfortunate that carriers love their walled gardens.
See, this is why I was asking about DM Verity. You need to disable that first before flashing anything via ADB/Fastboot.
With DM Verity on, at system startup, the device generates a hash of the /system and /root directories. If the hash does not match the one from the factory, due to changes pushed via ADB or Fastboot or patching other system files with something different, the system reboots, again and again.
I had this same issue with my Z2 Play, which is why I brought it up here.
Rooting these devices is useless, unless you also disable DM Verity.
I tried to follow this method and ended up flashing the wrong boot image (I did go to the right software variant but it was outdated) so i had to go through and try all the images they had and none of them worked so i had to look elsewhere.
After some digging i found a VERY handy tool made by lenovo themselves that lets you update and recover the firmware.
If you use the rescue option and enter your phones info (it seems to verify your phones info so you can only download for devices you have) and it'll download the latest zip for you so you can get the boot image.
Here's the link to the smart assistant
TL;DR Open smart assistant, click flash, click "Go rescue", Click "Moto Phone", enter your phone's info (make sure your phone is connected in fastboot mode), click the download icon next to the file name.
Make sure you DO NOT click the rescue button when the download is finished as that will factory reset your phone, just copy the zip or boot image and close it
Introduction:
This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).
This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).
Frederic also did a great amount of work to temporarily boot a custom OS from USB here.
Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.
Disclaimer:
You are solely responsible for any potential damage(s) caused to your device by this exploit.
FAQ:
- Does unlocking the bootloader void my warranty on this device?
Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.
- Does unlocking the bootloader break DRM in any way?
Nope, just like unlocking a Pixel device officially.
- Can I OTA afterwards?
NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than
- Can I use stock?
Yes, but only if you flashed the newer patched factory image offered up in the script.
- Can I go back to stock after installing custom OS's?
Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2021-08-05. The tool offers to put you on a newer firmware, it's highly recommended to do so.
- Can I re-lock the bootloader?
If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.
- I've run the exploit 10 times and it isn't working yet!
Swap USB ports/cables, and keep trying, for some people it takes one attempt, for some it takes a lot of attempts.
Requirements:
Chromecast With Google TV (sabrina) without USB password mitigation¹
Either a USB A to C, or a C to C cable
A PC running some flavor of 64-bit GNU Linux
`libusb-dev` installed
`fastboot` & `mke2fs` installed from the SDK Platform tools
¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).
Instructions:
Follow the detailed and up-to-date instructions over at our Github repo, and maybe give the writeup a read/share on social media!
Post-unlock:
The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.
Credits:
Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
Frederic Basse (frederic): The initial exploit and the AES key tip
Special Thanks:
Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
sweet! I know what im doing tonight lol.. of course I need to check mine once I get home to see if it can be unlocked but pretty sure it can.
wow im glad i left mine unplugged
unfortunately mines not able to be unlocked :-(.. its got feb security update.. exploit says its password protected
elliwigy said:
unfortunately mines not able to be unlocked :-(.. its got feb security update.. exploit says its password protected
Click to expand...
Click to collapse
rip, there is no way around it unfortunately (for now atleast)
Stricted said:
rip, there is no way around it unfortunately (for now atleast)
Click to expand...
Click to collapse
Yea, figured as much. I was looking for a way to unlock the bootloader but didnt spend much time on it as i use my nstv pro 2019 model mainly for all my streaming needs lol.
i just left best buy by my house and all the cc they had were mfg 5/2021 lol.. i mustve looked all over.. looked behind stuff tried to find a dusty one but nope lol
probably got a better chance at an old one from walmart
im curious what causes it to not boot with patched boot.img.. on the nstv it was odd for a while since patching boot.img would cause bootloop.. had noticed in the logs it was failing to boot because the verifiedbootstate was orange so made a script for magisk to resetprop ro.boot.verifiedbootstate green and it would boot right up wonder if its something similar.. either way, can only toss up ideas until i get my hands on a unlockable model lol
elliwigy said:
Yea, figured as much. I was looking for a way to unlock the bootloader but didnt spend much time on it as i use my nstv pro 2019 model mainly for all my streaming needs lol.
i just left best buy by my house and all the cc they had were mfg 5/2021 lol.. i mustve looked all over.. looked behind stuff tried to find a dusty one but nope lol
probably got a better chance at an old one from walmart
im curious what causes it to not boot with patched boot.img.. on the nstv it was odd for a while since patching boot.img would cause bootloop.. had noticed in the logs it was failing to boot because the verifiedbootstate was orange so made a script for magisk to resetprop ro.boot.verifiedbootstate green and it would boot right up wonder if its something similar.. either way, can only toss up ideas until i get my hands on a unlockable model lol
Click to expand...
Click to collapse
Nah, it isn't.
Think it's just Amlogic boot image format not linking the repack method.
I'll look into it at some point.
Could this method work on mi box 3?Just asking !!!!
Verhuel15 said:
Could this method work on mi box 3?Just asking !!!!
Click to expand...
Click to collapse
You'd need u-boot source from your OEM - start by requesting that, then you can progress further if they give it to you (they legally have to, but a lot of them don't)
Tell me more about this "usb password mitigation", since it appears that this exploit is not going to be all that useful until this issue is addressed.
96carboard said:
Tell me more about this "usb password mitigation", since it appears that this exploit is not going to be all that useful until this issue is addressed.
Click to expand...
Click to collapse
It's not an "issue" we can overcome.
The BootROM mode we interact with the send the data for this exploit had a password slapped in the interface (to even be able to interact with it). It's a complex password based on a hash of something and a salt.
It's not something we could feasibly brute force, it's not something we can undo, it's not something we can work around.
The exploit was effectively patched in models manufactured after December 2020, and older units updated to February 2021.
If the February 2021 update added the password, wouldn't it be theoretically possible to reverse engineer that update to determine how the password is generated? Or do they encrypt these updates in a way that makes them impossible to disassemble or step through during execution before it burns the eFuses?
bydo said:
If the February 2021 update added the password, wouldn't it be theoretically possible to reverse engineer that update to determine how the password is generated? Or do they encrypt these updates in a way that makes them impossible to disassemble or step through during execution before it burns the eFuses?
Click to expand...
Click to collapse
We can totally (and have) dumped newer updates. You can look at the bootloader.img all you want, but it's AES encrypted, and the only way to get it decrypted is to dump the AES key from memory using the exploit those updates mitigate, so, no, not easy to analyze them.
But lets say we could, there's no way to extract the password that's even semi-feasible.
Brute force is more feasible, and that would take years.
I assume similar to Samsung bootloader revs Google has some form of rollback prevention so not possible to downgrade to an older firmware? do you know if theres anywhere that the ota.zip can be downloaded?
Is there anything else we know about this password? Is it the same password for all units (i.e. pre-generated) or is it unique (in which case it would have to be generated on-device)?
elliwigy said:
I assume similar to Samsung bootloader revs Google has some form of rollback prevention so not possible to downgrade to an older firmware? do you know if theres anywhere that the ota.zip can be downloaded?
Click to expand...
Click to collapse
Yeah, dumped on dumps.tadiphone.dev. Rollback is enabled. There's no going back. U-boot enforces it on OS, and BL2 enforces it on BL33 (u-boot).
96carboard said:
Is there anything else we know about this password? Is it the same password for all units (i.e. pre-generated) or is it unique (in which case it would have to be generated on-device)?
Click to expand...
Click to collapse
It is (as far as we currently understand) a global password.
npjohnson said:
Yeah, dumped on dumps.tadiphone.dev. Rollback is enabled. There's no going back. U-boot enforces it on OS, and BL2 enforces it on BL33 (u-boot).
It is (as far as we currently understand) a global password.
Click to expand...
Click to collapse
Is that site a private gitlab? i went there but my normal gitlab acct didnt work so i regustered with same email and it said it registered but my acct is blocked waiting for admin approval?
96carboard said:
Is there anything else we know about this password? Is it the same password for all units (i.e. pre-generated) or is it unique (in which case it would have to be generated on-device)?
Click to expand...
Click to collapse
pretty sure its not generated on the device.. its likely a key that was already there just wasnt being used until recent update or it was implenented in the update.. this is of course assuming its a global key i.e. same password for all the devices.. sort of similar to how samsung does their firmware maybe, key burned into the device at the factory well hidden behind layers of security to never be seen again even when its used to verify stuff lol
elliwigy said:
Is that site a private gitlab? i went there but my normal gitlab acct didnt work so i regustered with same email and it said it registered but my acct is blocked waiting for admin approval?
Click to expand...
Click to collapse
dumps.tadiphone.dev/dumps
elliwigy said:
pretty sure its not generated on the device.. its likely a key that was already there just wasnt being used until recent update or it was implenented in the update.. this is of course assuming its a global key i.e. same password for all the devices.. sort of similar to how samsung does their firmware maybe, key burned into the device at the factory well hidden behind layers of security to never be seen again even when its used to verify stuff lol
Click to expand...
Click to collapse
It is burned into the device, yeah, no disabling it or intercepting it.
npjohnson said:
dumps.tadiphone.dev/dumps
It is burned into the device, yeah, no disabling it or intercepting it.
Click to expand...
Click to collapse
right after i posted i went to explore and saw the dumps. i noticed there was some userdebug builds early on.. pretty cool.. are these all official firmwares?
and yes makes sense.. its easier to fibd a zero day exploit these days then to waste time trying to get the hardware infused private keys :-/