My phone is a Vodafone Smart 4 Turbo, which is a rebranded Coolpad 8865U.
I am trying to root it using the ro.secure=0 methods as all the other rooting exploits failed.
Fastboot seems to detect my phone well enough. I can run this command for example:
Code:
fastboot oem device-info -i 0x1ebf
(bootloader) Device tampered: false
(bootloader) Device unlocked: true
(bootloader) Charger screen enabled: false
OKAY [ 0.004s]
finished. total time: 0.004s
However if I try to flash recovery it hangs at
Code:
writing 'recovery'...
and if I try to boot from either an original or a modified boot.img it hangs at
Code:
booting...
And if I try to erase something it hangs as well.
Any ideas of what is going on? I cannot even figure out how to put fastboot in verbose mode to see if there are any errors or anything.
BTW: All throughout this fastboot crap the phone remained perfectly functional. The only change was the personal info that got deleted when I unlocked fastboot.
Also these don't work either
Code:
fastboot -i 0x1ebf oem disable-console
fastboot -i 0x1ebf oem enable-console
fastboot -i 0x1ebf oem dmesg
but these do
Code:
fastboot -i 0x1ebf oem disable-charger-screen
fastboot -i 0x1ebf oem enable-charger-screen
And getvar
Code:
fastboot -i 0x1ebf getvar all
all:
finished. total time: 0.002s
returns empty.
This thread looks similar and a method is mentioned briefly http://forum.xda-developers.com/general/help/vodafone-smart-4-turbo-qs-t2852827
However your question may have better luck in this thread http://forum.xda-developers.com/showthread.php?t=2257421
Unfortunately there's next to no support for this device, so these methods you're trying may not even be legit
Good luck to you
I looked into those threads. The problem I have is not with fastboot not recognizing my phone. It does. It just hangs when it tries to boot/flash/erase.
I was stuck at fastboot, so I decided to look out for extra fastboot commands. After I was done, I didn't need them at all, but after I saw a command to reset dm verity (only possible via re-flashing stock rom before) I decided to share with the community
Be aware that I didn't test any command
It'd be good if you tell me which work or not
Fastboot:
Code:
fastboot reboot bootloader
fastboot reboot recovery
fastboot reboot-bootloader
fastboot oem unlock
fastboot oem unlock-go
fastboot oem lock
fastboot flashing unlock
fastboot flashing lock
fastboot flashing lock_critical
fastboot flashing unlock_critical
fastboot flashing get_unlock_ability
fastboot oem device-info preflash
fastboot oem enable-charger-screen
fastboot oem disable-charger-screen
fastboot oem off-mode-charge
fastboot oem select-display-panel
fastboot oem gpt-info
fastboot oem force-hwid_
fastboot oem update-cmdline_
fastboot oem get-splash
fastboot oem show-barcode
fastboot oem unTAR_
fastboot oem dump-pmic-reg_
fastboot oem write-pmic-reg_
fastboot oem get-gpio_
fastboot oem check-fuse
fastboot oem set-fuse
fastboot oem reset-dev_info
fastboot oem adb_enable
fastboot oem shutdown
fastboot oem auth-hash
fastboot oem gen-random
fastboot oem EnterShippingMode
fastboot oem reboot-recovery
fastboot oem check-bat
fastboot oem set-batvol_
fastboot oem get-batvol
fastboot oem get-batcap
fastboot oem mbr-info
fastboot oem reset-mbr-info
fastboot oem read_emmc_blk_
fastboot oem check-DDR
fastboot oem check-ftm
fastboot oem enable-ftm
fastboot oem enable-userdebug
fastboot oem ffu_unlock
fastboot oem emmc_info
fastboot oem ffu_auto
fastboot oem reset_ffu
fastboot oem check-qcn-golden-copy
fastboot oem reset-boot_count
fastboot oem dump-log
fastboot oem system-info
fastboot oem get_build_version
fastboot oem partition-test
fastboot oem crc32-size_
fastboot oem crc32-len_
fastboot oem crc32_
fastboot oem hash_
fastboot oem crc32_debug
fastboot oem crc_test
fastboot oem reset-repartition
fastboot oem reset-dm-verity
some adb commands:
Code:
adb reboot oem-88 (shutdown)
adb reboot oem-68 (factoey_reset_text)
adb reboot oem-69 (factoey_reset)
adb reboot oem-23 (fastboot)
adb reboot oem-78 (recovery_gpt)
adb reboot oem-63 (untar)
adb reboot oem-66 (adb_enable)
adb reboot oem-52 (selinux_permissive)
adb reboot oem-08 (user_unlock)
adb reboot oem-99 (verify_data_size)
adb reboot oem-43 (shipping_mode)
adb reboot oem-11 (ota_set_dm_verity)
adb reboot oem-12 (ota_set_dm_verity_r) [BL]
Those adb comments are from the code, I'm not the one that wrote them.
Tested:
fastboot oem dump-log
shows some bootloader level logs from recent boots
fastboot oem system-info
Code:
(bootloader) board_info: msm8953
(bootloader) mem_info:
(bootloader) mmc_info:
(bootloader) product_name: ASUS_Z017D_1
(bootloader) product_locale: en-US
(bootloader) product_carrier: US-ASUS_Z017D-WW_Phone
(bootloader) csc_build_version: WW_ZE520KL-14.2020.1703.28-20170410
(bootloader) bt_mac:
(bootloader) wifi_mac:
(bootloader) imei: XXXXXXXXXX
(bootloader) imei2: XXXXXXXXXXX
(bootloader) ssn: XXXXXXXX
(bootloader) isn:
(bootloader) color:
(bootloader) country:
(bootloader) customer:
(bootloader) revenuecountry:
(lol, really lost some **** flashing my phone)
fastboot oem get_build_version
gets the last installed stock rom version, even if you're running custom roms
fastboot oem get-batcap
returns battery capacity
fastboot oem get-batvol
returns battery voltage and capacity
Huawei fastboot commands
I found some fastboot commands for Huawei (got from my P8 Lite 2015 version)
Note: Very high possibility to brick your device if use it wrong!!!!
There they go:
fastboot
flash slock <-- this one was written like this!!! weird!!!
flash boot
flash recovery
flash system
flash userdata
flash cache
flash cust
flash rescue_recovery
flash device_validation
getvar rescue_version
getvar rescue_phoneinfo
getvar vendorcountry
getvar rescue_ugs_port
getvar rescue_enter_recovery
getvar max-download-size
getvar error_print
getvar partition-type
oem emmc_diag
oem emmc-dump
oem get_key_version
oem battery_present_check
oem get_hwnff_ver
oem get-psid
oem get-build-number
oem get-product-model
oem hwdog certify close
oem backdoor end
oem get-bootinfo
oem check-rootinfo
oem check-image
oem relock
oem hwdog certify set
oem backdoor set
oem frp-erase
oem unlock
oem frp-unlock
oem lock-state info
oem backdoor info
oem hwdog certify begin
oem backdoor get
I hope this helps someone!
Bye!
Thank you for the share!
persona78 said:
Huawei fastboot commands
I found some fastboot commands for Huawei (got from my P8 Lite 2015 version)
Note: Very high possibility to brick your device if use it wrong!!!!
There they go:
fastboot
flash slock <-- this one was written like this!!! weird!!!
flash boot
flash recovery
flash system
flash userdata
flash cache
flash cust
flash rescue_recovery
flash device_validation
getvar rescue_version
getvar rescue_phoneinfo
getvar vendorcountry
getvar rescue_ugs_port
getvar rescue_enter_recovery
getvar max-download-size
getvar error_print
getvar partition-type
oem emmc_diag
oem emmc-dump
oem get_key_version
oem battery_present_check
oem get_hwnff_ver
oem get-psid
oem get-build-number
oem get-product-model
oem hwdog certify close
oem backdoor end
oem get-bootinfo
oem check-rootinfo
oem check-image
oem relock
oem hwdog certify set
oem backdoor set
oem frp-erase
oem unlock
oem frp-unlock
oem lock-state info
oem backdoor info
oem hwdog certify begin
oem backdoor get
I hope this helps someone!
Bye!
Can you please share fastboot binaries in order to support all commands?
Dears, with the unlock bootloader... how can we run around? Only by purchasing the unlock key? I have a P9Lite for a forensic case to analyze e.g...
fastboot oem get-psid does not work on a Psmart POT-LX1
but it would be very helpful to get the IMEI on a P20, where it is not printed on the backside:
>fastboot oem get-psid
...
FAILED (remote: Command not allowed)
finished. total time: 0.016s
I extracted the "fastboot oem" commands supported by the Pixel 3 XL from the firmware.
I haven't tested these, since most don't work when the bootloader is locked:
Code:
$ fastboot oem dmesg
FAILED (remote: 'Fastboot OEM command (dmesg) is not allowed when locked')
Finished. Total time: 0.081s
Note that fastboot commands can brick and damage your phone. Be careful when testing.
Here's the list of commands. You can run them with "fastboot oem <command>".
Code:
setbrightness
get_config
set_config
rm_config
get_platform_info
set_platform_info
select-display-panel
esim_erase
esim_atp
uart
off-mode-charge
sha1sum
ramdump
ramdump_sahara
rma
dump-chipid
check-hw-security
HALT
set_display_power_mode
citadel
enable-factory-lock
factory-lock
ddrtest
continue-factory
dmesg
500 Internal Server Error said:
I extracted the "fastboot oem" commands supported by the Pixel 3 XL from the firmware.
I haven't tested these, since most don't work when the bootloader is locked:
Code:
$ fastboot oem dmesg
FAILED (remote: 'Fastboot OEM command (dmesg) is not allowed when locked')
Finished. Total time: 0.081s
Note that fastboot commands can brick and damage your phone. Be careful when testing.
Here's the list of commands. You can run them with "fastboot oem <command>".
Code:
setbrightness
get_config
set_config
rm_config
get_platform_info
set_platform_info
select-display-panel
esim_erase
esim_atp
uart
off-mode-charge
sha1sum
ramdump
ramdump_sahara
rma
dump-chipid
check-hw-security
HALT
set_display_power_mode
citadel
enable-factory-lock
factory-lock
ddrtest
continue-factory
dmesg
Any idea what OEM citadel does? I have no clue from a precursory look.
Must be super secret. I can't find anything on that
I couldn't find anything about that either.
Pixel 3 XL, haven't crashed it, YET
it's in the crosshatch source code....https://android.googlesource.com/de...bfe57aaaf2cdd656a4476bbfb5c01314a09/device.mk
i believe citadel has to do with the new Titan security chip but I could be wrong
elliwigy said:
i believe citadel has to do with the new Titan security chip but I could be wrong
It does seem that is the only command new to the 3 XL compared to the 2xl. The latter does not have the Titan chip
NVM, I misunderstood.
Pixel 3 XL, haven't crashed it, YET
cmh714 said:
it's in the crosshatch source code....https://android.googlesource.com/de...bfe57aaaf2cdd656a4476bbfb5c01314a09/device.mk
Am I pretty much blind or something, or is there nothing regarding what the 'set display power mode' OEM command does within the link to the Crosshatch source(s)..?
Can you "turn off" Titan and then run commands? Is that something to do with Citadel?
500 Internal Server Error said:
I extracted the "fastboot oem" commands supported by the Pixel 3 XL from the firmware.
I haven't tested these, since most don't work when the bootloader is locked:
This is the message I am getting when trying to use any one of the OEM commands, in this case, the possible adjustment of the display power mode.
FAILED (remote: Fastboot OEM command (set_display_power_mode) is not allowed)
finished. total time: 0.378s
PS C:\Users\Christofferwassberg\Downloads\platform-tools_r28.0.1-windows\platform-tools> fastboot oem set_display_power_mode
Are there any secret restrictions enabled somewhere that are denying us from modifying, or checking the stats of the phone, from the bootloader level?
EDIT: Yes, my bootloader is unlocked.
xFirefly93 said:
This is the message I am getting when trying to use any one of the OEM commands, in this case, the possible adjustment of the display power mode.
FAILED (remote: Fastboot OEM command (set_display_power_mode) is not allowed)
finished. total time: 0.378s
PS C:\Users\Christofferwassberg\Downloads\platform-tools_r28.0.1-windows\platform-tools> fastboot oem set_display_power_mode
Are there any secret restrictions enabled somewhere that are denying us from modifying, or checking the stats of the phone, from the bootloader level?
EDIT: Yes, my bootloader is unlocked.
Yes, the device checks whether the PRODUCTION fuse, in our case, likely just QCOM_SEC_BOOT, is blown, and if it is, it restricts a whole number of commands/functions.
npjohnson said:
Yes, the device checks whether the PRODUCTION fuse, in our case, likely just QCOM_SEC_BOOT, is blown, and if it is, it restricts a whole number of commands/functions.
Sounds like something that only Samsung would add, but Google? Nah..
xFirefly93 said:
Sounds like something that only Samsung would add, but Google? Nah..
That wasn't said in a questioning way lol -- it's just how it is.
Every non-Chinese phone has Qualcomm Secure Boot enabled by that exact means (the SEC_BOOT fuse row). If you Google it, you'll find such. It's why we can't run custom bootloaders (excepting S-OFF HTC devices, which are an odd and interesting case where QCOM secureboot only verifies very specific chunks of the bootchain the user doesn't normally touch).
QCOM secure boot is literally the industry standard lol - using the production state to limit OEM commands is new as of the Pixel 2, and correctly restricting them is new to the 3 series.
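The two kinds of refusal discussed above (a command denied because the bootloader is locked, and a command denied even on an unlocked device) are visible in the error text quoted in this thread. The following is an added example, not code from any poster: it sorts fastboot responses by that distinction. The transcript is constructed from response lines quoted in the thread, and the status labels are names chosen here.

```python
import re

FAILED = re.compile(r"^FAILED \(remote: '?(.*?)'?\)$")
INFO = re.compile(r"^\(bootloader\) ([^:]+):\s*(.*)$")

def classify(reason: str) -> str:
    """Map a bootloader's remote error text to the kind of refusal it reports."""
    text = reason.lower()
    if "not allowed when locked" in text:
        return "denied-locked"   # the message itself blames the lock state
    if "not allowed" in text:
        return "denied-policy"   # refused without citing the lock state
    return "failed-other"        # accepted, but failed for another reason

def parse_transcript(transcript: str) -> list:
    """Return one record per '$ fastboot ...' command in the transcript."""
    records, current = [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("$ fastboot "):
            current = {"cmd": line[len("$ fastboot "):],
                       "status": "no-response", "info": {}}
            records.append(current)
        elif current is None:
            continue
        elif (m := FAILED.match(line)):
            current["status"], current["reason"] = classify(m.group(1)), m.group(1)
        elif line.startswith("OKAY"):
            current["status"] = "ok"
        elif (m := INFO.match(line)):
            current["info"][m.group(1).strip()] = m.group(2)
    return records

def policy_gated(records: list) -> list:
    """Commands refused without a lock-state reason being given."""
    return [r["cmd"] for r in records if r["status"] == "denied-policy"]

# Constructed transcript: prompts normalised to '$', responses as quoted in the thread.
SAMPLE = """\
$ fastboot oem dmesg
FAILED (remote: 'Fastboot OEM command (dmesg) is not allowed when locked')
$ fastboot oem set_display_power_mode
FAILED (remote: Fastboot OEM command (set_display_power_mode) is not allowed)
$ fastboot oem get-psid
FAILED (remote: Command not allowed)
$ fastboot oem citadel rescue
FAILED (remote: 'no staged data, use fastboot stage <file>')
$ fastboot oem device-info
(bootloader) Device tampered: false
(bootloader) Device unlocked: true
OKAY [ 0.004s]
"""

if __name__ == "__main__":
    for rec in parse_transcript(SAMPLE):
        print(f'{rec["status"]:14} {rec["cmd"]}')
```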
Could you maybe provide some info on how you extracted these commands from the firmware? Might be useful to me and others as well.
npjohnson said:
Any idea what OEM citadel does? I have no clue from a precursory look.
This is from sargo. I tried some of the other oem commands that sounded non-destructive, but got a lot of invalid oem command errors.
I didn't try any of these citadel commands, but they do sound interesting. I have no idea if they will apply to the blueline/crosshatch.
Code:
# fastboot oem citadel
...
(bootloader) citadel <command>
(bootloader) Commands:
(bootloader)   rescue        Try to rescue Citadel
(bootloader)   state         Print current Citadel state
(bootloader)   reset         Reset Citadel
(bootloader)   reset-locks   Reset AVB locks
(bootloader)   version       Print citadel OS version
(bootloader)   reprovision   Reprovision device after a RMA unlock
(bootloader)   suzyq on|off  Enable or disable SuzyQable
FAILED (remote failure)
finished. total time: 0.060s
Does anyone know how to use the citadel commands?
I'm trying to restore a bricked 3a. So far here are my attempts
PS C:\Program Files (x86)\Minimal ADB and Fastboot> .\fastboot.exe oem citadel
(bootloader) citadel <command>
(bootloader) Commands:
(bootloader)   rescue        Try to rescue Citadel
(bootloader)   state         Print current Citadel state
(bootloader)   reset         Reset Citadel
(bootloader)   reset-locks   Reset AVB locks
(bootloader)   version       Print citadel OS version
(bootloader)   reprovision   Reprovision device after a RMA unlock
(bootloader)   suzyq on|off  Enable or disable SuzyQable
FAILED (remote: '')
fastboot: error: Command failed
PS C:\Program Files (x86)\Minimal ADB and Fastboot> .\fastboot.exe oem citadel rescue
FAILED (remote: 'no staged data, use fastboot stage <file>')
fastboot: error: Command failed
PS C:\Program Files (x86)\Minimal ADB and Fastboot> .\fastboot.exe stage bootloader-sargo-b4s4-0.2-5402313.img
Sending 'bootloader-sargo-b4s4-0.2-5402313.img' (8349 KB) OKAY [ 0.355s]
Finished. Total time: 0.413s
PS C:\Program Files (x86)\Minimal ADB and Fastboot> .\fastboot.exe oem citadel rescue
(bootloader) Recovering citadel - it may take a couple of minutes
FAILED (remote: 'failed to rescue citadel Bad Buffer Size')
fastboot: error: Command failed
PS C:\Program Files (x86)\Minimal ADB and Fastboot>
zimmie said:
Does anyone know how to use the citadel commands?
I'm trying to restore a bricked 3a. So far here are my attempts
Did you ever manage to make this work? I'm in the same situation
i decided to parse the lk img from the android 9 stock rom so here's the output
Code:
[?] Image size (from header): 847276 bytes
[?] Image name (from header): lk
[?] LK version: N/A
[?] Command Line: N/A
[?] Platform: MT6761
[?] Product: hardware.sku
[?] Needs unlock code: False
[?] Uses verified boot: True
[?] Factory reset protection (FRP): True
[?] FOTA support: False
[?] Available OEM commands: ['fastboot oem p2u', 'fastboot oem off-mode-charge', 'fastboot oem key', 'fastboot oem lks', 'fastboot oem scp_status', 'fastboot oem scp_log_thru_ap_uart', 'fastboot oem usb2jtag', 'fastboot oem ultraflash', 'fastboot oem ultraflash_en', 'fastboot oem secureBoot', 'fastboot oem battery', 'fastboot oem getversions', 'fastboot oem alive', 'fastboot oem getprojectcode', 'fastboot oem getUID', 'fastboot oem auth_timecount', 'fastboot oem auth_start', 'fastboot oem permission', 'fastboot oem getpermissions', 'fastboot oem getsecurityversion', 'fastboot oem md5', 'fastboot oem repair', 'fastboot oem simunlock', 'fastboot oem simlock', 'fastboot oem simlock_status', 'fastboot oem getdllname', 'fastboot oem unlock']
[?] LK ATAGs: ['atag,videolfb-fb_base_h', 'atag,videolfb-fb_base_l', 'atag,videolfb-vramSize', 'atag,boot', 'atag,imix_r', 'atag,fg_swocv_v', 'atag,fg_swocv_i', 'atag,shutdown_time', 'atag,boot_voltage', 'atag,two_sec_reboot', 'atag,mem', 'atag,vcore_dvfs', 'atag,dfo', 'atag,meta', 'atag,devinfo', 'atag,videolfb', 'atag,mdinfo', 'atag,ptp', 'atag,masp']
now one thing i'm confused about: fastboot oem key
i had researched this and it helped unlock the bootloader of the Nokia 3
they did it by
fastboot oem key <MD5 Hash Of Your Device Serial>
fastboot flashing unlock
i would try and test this but i don't have the phone on me rn
areallydumbperson said:
i decided to parse the lk img from the android 9 stock rom so here's the output
Code:
[?] Image size (from header): 847276 bytes
[?] Image name (from header): lk
[?] LK version: N/A
[?] Command Line: N/A
[?] Platform: MT6761
[?] Product: hardware.sku
[?] Needs unlock code: False
[?] Uses verified boot: True
[?] Factory reset protection (FRP): True
[?] FOTA support: False
[?] Available OEM commands: ['fastboot oem p2u', 'fastboot oem off-mode-charge', 'fastboot oem key', 'fastboot oem lks', 'fastboot oem scp_status', 'fastboot oem scp_log_thru_ap_uart', 'fastboot oem usb2jtag', 'fastboot oem ultraflash', 'fastboot oem ultraflash_en', 'fastboot oem secureBoot', 'fastboot oem battery', 'fastboot oem getversions', 'fastboot oem alive', 'fastboot oem getprojectcode', 'fastboot oem getUID', 'fastboot oem auth_timecount', 'fastboot oem auth_start', 'fastboot oem permission', 'fastboot oem getpermissions', 'fastboot oem getsecurityversion', 'fastboot oem md5', 'fastboot oem repair', 'fastboot oem simunlock', 'fastboot oem simlock', 'fastboot oem simlock_status', 'fastboot oem getdllname', 'fastboot oem unlock']
[?] LK ATAGs: ['atag,videolfb-fb_base_h', 'atag,videolfb-fb_base_l', 'atag,videolfb-vramSize', 'atag,boot', 'atag,imix_r', 'atag,fg_swocv_v', 'atag,fg_swocv_i', 'atag,shutdown_time', 'atag,boot_voltage', 'atag,two_sec_reboot', 'atag,mem', 'atag,vcore_dvfs', 'atag,dfo', 'atag,meta', 'atag,devinfo', 'atag,videolfb', 'atag,mdinfo', 'atag,ptp', 'atag,masp']
now one thing i'm confused about: fastboot oem key
i had researched this and it helped unlock the bootloader of the Nokia 3
they did it by
fastboot oem key <MD5 Hash Of Your Device Serial>
fastboot flashing unlock
i would try and test this but i don't have the phone on me rn
What did you use to parse the image?
honestly i forgot, if i find the tool i'll give u the link
Thank you... I'm trying to parse the lk img from Motorola XT2213-3(MT6833) but I don't have enough patience to do it using a hex viewer lol
damnthefall said:
Thank you... I'm trying to parse the lk img from Motorola XT2213-3(MT6833) but I don't have enough patience to do it using a hex viewer lol
this took a lot of hunting but i finally found it https://github.com/leeminh888/lk_parser
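One way to audit which `oem` commands a bootloader build carries, and which ones an update adds, is a printable-string scan of the image. This is an added example, not the linked tool or any poster's method; it assumes an uncompressed image that stores each command as a NUL-terminated ASCII string of the form `oem <name>`, and the sample bytes are constructed, not real firmware.

```python
import re

# Runs of printable ASCII, the same idea as the Unix `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{5,}")
# The whole string must be "oem <name>"; log text and format strings are rejected.
OEM_COMMAND = re.compile(r"oem ([A-Za-z0-9_-]+)")

def find_oem_commands(image: bytes) -> list:
    """Return [(offset, name)] for each distinct 'oem <name>' string, in file order."""
    found, seen = [], set()
    for run in PRINTABLE_RUN.finditer(image):
        match = OEM_COMMAND.fullmatch(run.group().decode("ascii"))
        if match and match.group(1) not in seen:
            seen.add(match.group(1))
            found.append((run.start(), match.group(1)))
    return found

def added_commands(old_image: bytes, new_image: bytes) -> list:
    """Names present in new_image but not in old_image: what an update newly exposes."""
    old = {name for _, name in find_oem_commands(old_image)}
    return [name for _, name in find_oem_commands(new_image) if name not in old]

# Constructed sample images: padding bytes, then NUL-terminated strings.
OLD_IMAGE = (
    b"\x00\x01\x02\x03" + b"\x00" * 12
    + b"oem unlock\x00"
    + b"oem off-mode-charge\x00"
    + b"\xff\xfe\x01"
    + b"oem key\x00"
    + b"oem command (%s) is not allowed\x00"   # log text, not a command
    + b"oem unlock\x00"                         # duplicate reference, reported once
)
NEW_IMAGE = OLD_IMAGE + b"oem usb2jtag\x00" + b"oem getUID\x00"

if __name__ == "__main__":
    for offset, name in find_oem_commands(NEW_IMAGE):
        print(f"0x{offset:06x}  fastboot oem {name}")
    print("added in new build:", added_commands(OLD_IMAGE, NEW_IMAGE))
```

Multi-word sub-commands and commands built at run time are not caught by this pattern, so an empty or short result does not mean the image exposes nothing.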
Why do I bootloop after flashing Corvus OS, and my twrp shows random file name
Qintil5 said:
Why do I bootloop after flashing Corvus OS, and my twrp shows random file name
wrong place to discuss this, also the random file names are due to user encryption i'm trying to fix this but my nokia 2.2 died and i have no one to test
areallydumbperson said:
wrong place to discuss this, also the random file names are due to user encryption i'm trying to fix this but my nokia 2.2 died and i have no one to test
Can corvus OS be booted without turning off encryption?