Root [WIP][DEV] Custom Recovery/Bootloader unlocking Work In Progress Thread

[sexylion23]

Yes, and I also read this http://forum.xda-developers.com/showthread.php?p=34772926#post34772926 and used info from both. While looking around after this didn't work, I discovered that the security message I am getting does not appear to be in aboot, the kernel, wallpaper, morningcall, sbl1-3, or the tz partition. This makes me wonder: what is checking the signatures? I have opened all these partitions in a hex editor and searched them, finding nothing.

Completely mind blown from this link

 

[zeest]

Ya... soooo much info there. The bad thing: the secure boot fuse is blown on our device... I have, I believe, blown the fuses said to here http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html, using wallpaper... but no difference. I don't think it is our bootloader stopping us, or if it is, there is more than the qfuses. But I don't see the error text in our bootloader.

 

[omgbossis21]

System/bin morningcall? I would assume a kernel needs to be conpliled scoured for the security checks, removed, recompiled and flashed.

 

[zeest]

From what I can tell, morningcall would appear to be simply a data file. In a hex viewer, it just shows up as a giant jumble. It is very possible that I am wrong however. Does anyone know what value would have to be blown into the qfuse for it to read as unlocked? It might not be 0x1, but something else. For example, the secure boot qfuse reads a value of 0x20 as locked.

 

[adanmex]

may be 0x30 or 0x31

 

[zeest]

You sure it isn't less? Because if I go higher, I can never reduce. This means, if we find it, I will never be able to unlock with this method.

 

[sammyz]

So maybe the value of unlock would be 0x10?? Which would mean we can never unlock unless we got these before LG programs the phone....

 

[zeest]

From what I have read, they are different qfuses. The one that is set to 0x20 is the "main" lock. The one we need to change is like a bypass.

 

[sammyz]

zeest, can you try 0x30??

 

[adanmex]

@ZEEST, before you try0x30 try 0x21 just to make sure its not that easy.and you can make changes as apposed to being locked on 0x30 or 0x31.what if the last 0 in 0x20 is locked and 0x21 is unlocked. kinda like in 0=off and 1=on or 0=disable and 1=enable.

 

[sammyz]

@ZEEST, before you try0x30 try 0x21 just to make sure its not that easy.and you can make changes as apposed to being locked on 0x30 or 0x31.what if the last 0 in 0x20 is locked and 0x21 is unlocked. kinda like in 0=off and 1=on or 0=disable and 1=enable.

Then we should keep counting up and keep trying adb reboot oem-unlock after each try.

 

[zimlokks]

possibly of bricking?

 

[JJ_Azevedo]

is this helpful?

[REF][R&D] MSM8960 Info, Architecture and Bootloader(s) - Hardware Hacking)

 

[zeest]

Guys, it isn't the same qfuse. The qfuse has a value of 0x0 for secure boot disabled and a value of 0x20 for enabled. There is a DIFFERENT qfuse (believed, at least by me, to be 0x700438) that overrides this one.

@Admire, reading that already, where I am getting most of my info.

 

[rhino889a]

I have the 8960 boot architecture pdf. Not sure if its still available at that xda thread
Tried to get whatever i could from the leaked qualcom files

 

[Spec2nirvash]

Then we should keep counting up and keep trying adb reboot oem-unlock after each try.

sammy what does the phone do after executing that command? Does it soft brick if unauthorized?

 

[zeest]

It does absolutely nothing that we can see, except to return "OK" and continue on with fastboot.
EDIT: Where is fastboot located? I would like to take a look at the code for it, see what, if anything, oem unlock does internally.

 

[Spec2nirvash]

It does absolutely nothing that we can see, except to return "OK" and continue on with fastboot.
EDIT: Where is fastboot located? I would like to take a look at the code for it, see what, if anything, oem unlock does internally.

Yeah I see that, OK with 0.000 time and phone stays on splash screen LOL. I'm not doing this on my Motion, just looking to see if my Premia is locked down like your phones, certainly looks that way

 

[Spec2nirvash]

I can't even execute a getvar all on it.....

 

[zeest]

What happens when you try? Try fastboot getvar Kernel (might be kernel, it is case-sensitive).

 

[Spec2nirvash]

This is what I get:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Rich>adb devices
List of devices attached
M931-33975fb8   device


C:\Documents and Settings\Rich>adb reboot bootloader

C:\Documents and Settings\Rich>fastboot oem unlock
...
OKAY [  0.000s]
finished. total time: 0.000s

C:\Documents and Settings\Rich>fastboot getvar all
all:
finished. total time: 0.000s

C:\Documents and Settings\Rich>fastboot getvar kernel
kernel: lk
finished. total time: 0.000s

C:\Documents and Settings\Rich>

 

[PlayfulGod]

This is what I get:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Rich>adb devices
List of devices attached
M931-33975fb8   device


C:\Documents and Settings\Rich>adb reboot bootloader

C:\Documents and Settings\Rich>fastboot oem unlock
...
OKAY [  0.000s]
finished. total time: 0.000s

C:\Documents and Settings\Rich>fastboot getvar all
all:
finished. total time: 0.000s

C:\Documents and Settings\Rich>fastboot getvar kernel
kernel: lk
finished. total time: 0.000s

C:\Documents and Settings\Rich>

wow thats useful.....

 

[adanmex]

i emailed bloodDawn for some helpz

 

[zimlokks]

i mean its not supposed to get that timing, the commands are going thru but the phones internal fasboot commands arent doing anything.

 

[zeest]

wow thats useful.....

Just had her do that to make sure she could use getvar.