http://bbs.gfan.com/android-4093649-1-1.html
Original:
Verizon Maxx: risky attempt to flash the latest China-retail 4.0.4, live report:
This post was last edited by 笑飘广唱 on 2012-4-26 12:17
The day before yesterday I swore I would stop flashing ROMs, but probably because I have been bored out of my mind lately, I kept visiting gfan and MoKee, and I cannot resist a new package when I see one.
I just saw a China-retail 4.0.4 on MoKee: spyder-user-4.0.4-6.7.2_GC-120-175-release-keys-ChinaRetail-CN. After going back and forth I decided to try it; lots of people are waiting to flash it, so I will be the guinea pig. I am praying that if it bricks I can still flash back to Yuanheng 3.0, which is really nice to use!! But as they say, Android users have three hobbies: rebooting, pulling the battery, and flashing. The Razr's battery cannot be pulled and I rarely reboot, so flashing is the only hobby left.
OK, enough chatter, down to business.
Phone: Verizon Maxx. The flash screen shows "unlocked"; it was already unlocked when I got it. Maybe the Taobao seller did it, or maybe it is an engineering unit. Whatever, as long as it works.
Download finished, here is the link: http://115.com/file/e794qtco#fastbo...20-175-release-keys-ChinaRetail-CN-chn.tar.gz Fast download, 1.3 MB/s on my 10 Mbit home broadband.
Phone charged to 50%. RSD has started extracting. Backing up contacts and APKs with 360. Starting now, everyone wait for it.
Now a black screen showing: AP Fastboot Flash Mode (SE)
0A,73
EMMC Info: Size 16G
Phone status: unlocked
....
Wow, it has already rebooted: the big green robot screen with a spinning polyhedron on its belly, and the progress bar is moving fast.
Rebooted again, and now it is stuck on the red M + water ripple boot screen. Three minutes now, RSD shows "in progress". This is taking a bit long; I am getting nervous.
Checked RSD, it still says "in progress", and at some point it started asking for a manual reboot. OK, manual reboot: power + volume down for 8 seconds. No effect.
Looks like something went wrong. Booting into recovery and trying a double wipe. :-(
Done, rebooting... praying...
Wait... it vibrated slightly, there is hope.
Hahahaha! Made it to the home screen! Pictures coming!!
OK, finally, root succeeded. End of report. I was sweating the whole time flashing this; please reply and give points, thanks!
I don't want to cause an unneeded stir, but what it sounds like is that these release-keys FB files unlocked the bootloader of this phone.... Someone correct me if I am wrong.
That's basically what it's saying.....
Will try to improve this text.
Edit:
He got the OTA file.
Flashed the .sbf leak onto a Razr Maxx.
The phone did not start the first time; he got stuck at the M logo.
So he started AP fastboot mode and wiped user data/cache twice.
Then the phone started normally and it has an unlocked bootloader.
>>> He didn't unlock the bootloader, he just found out after flashing and the phone rebooted <<<
The 'Andrews' procedure he followed, with photos:
http://www.2zj.com/news/2012/0429/142/67.html
Sent from my XT910 using Tapatalk 2
Pedro, the link doesn't work.
Why don't we extract his BL and try flashing?
Got the same firmware on board and cannot understand how he got his BL unlocked. Some kind of magic?
"AP Fastboot Flash Mode (SE)"
SE -> Secure Engineering; same bootloader, different eFuses blown.
Anybody know if the verizon version was really released yesterday?
Sent from my XT910 using Tapatalk 2
This means that a bootloader unlock is not possible, doesn't it?
I totally agree with Skrilax_CZ. He's got an unlocked device because of different eFuses blown.
It's like having a RAZR Developer Edition.
BL unlock isn't possible on the RAZR, otherwise I wouldn't have put any effort into kexec...
Btw. The firmware he used to flash is the same chinese leak. Had you guys noticed that?
Cheers
Sent from my XT910 using Tapatalk 2
Indeed.
And it didn't unlock mine
Sent from my XT910 using Tapatalk 2
There are 3 types of Motorola OMAP devices.
S= Secured : a stock production locked bootloader
SE= Secure Engineering : an engineering model that has a signed and secure bootloader that does not perform any other checks on kernel or other components above the bootloader.
For all intents and purposes this is the same as an unlocked bootloader. The OG Droid is an SE device.
NS= Non Secured: a fully open device with no checks performed and no eFuses set or blown on the OMAP chip itself.
It is the mbmloader that contains the encrypted signatures, not the bootloader itself. On dual core devices, the bootloader is the same for all three types and the firmware files contain both NS and HS versions of the mbmloader. There is a separate bootloader that allows flashing of the mbmloader and that checks the ro.secure status of the device and flashes the right mbmloader. Then the bootloader is flashed and the rest of the partitions are subsequently flashed.
cellzealot said:
There are 3 types of Motorola OMAP devices.
S= Secured : a stock production locked bootloader
SE= Secure Engineering : an engineering model that has a signed and secure bootloader that does not perform any other checks on kernel or other components above the bootloader.
For all intents and purposes this is the same as an unlocked bootloader. The OG Droid is an SE device.
NS= Non Secured: a fully open device with no checks performed and no eFuses set or blown on the OMAP chip itself.
It is the mbmloader that contains the encrypted signatures, not the bootloader itself. On dual core devices, the bootloader is the same for all three types and the firmware files contain both NS and HS versions of the mbmloader. There is a separate bootloader that allows flashing of the mbmloader and that checks the ro.secure status of the device and flashes the right mbmloader. Then the bootloader is flashed and the rest of the partitions are subsequently flashed.
Sorry, but except for the listing, it's completely wrong.
Indeed, there are three types of devices:
S - Secure (Omap in HS mode)
SE - Secure Engineering (Omap in HS mode) - no sig. checks except mbmloader + BP
NS - Non Secured (Omap in EMU mode) - no sig. checks except part of BP (mbmloader is signed with CSST key)
The OG Droid is an S device; the OG Droid bootloader doesn't perform security checks at all, only the mbmloader is checked by the OMAP BootROM.
Even NS devices have a secure part of the BP; completely unsecured devices use GP mode for the OMAP etc.
S and SE devices share mbmloader and mbm; NS devices have a special mbmloader and in most cases mbm too (dunno, to be honest, how it is with the RAZR; certainly all OMAP3 devices have a special NS mbm, just as I use on my Milestone).
"ro.secure" status is used by Android and is completely unrelated here. It's whether the OMAP is in HS or EMU mode.
The "allow-mbmloader-flashing" mbm is an mbm that allows mbmloader flashing and nothing else. There is also another bootloader to recover the device from USB.
mbmloader doesn't contain any signatures except its own; this is a normal chain of trust. mbmloader checks mbm, loads it, which checks the rest.
Anyway, on RAZR the mbm tells "Device is LOCKED / UNLOCKED: Status code: x", where:
x = 0; locked and not unlockable or never been unlocked
x = 1; unlocked (w/o signature checks, except part of the bp)
x = 2; unlockable device, which has been relocked
x = 3; unlockable device, which has been unlocked (signature checks over mbm, mbmloader and cdt + bp)
Thank you for the wonderful info Skrilax_CZ and Cellzealot, I mean both of you enlightened me.
So you can or can not unlock your boot loader with this? I don't think it's been said clearly.
You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!
The OG Droid reports as SE in RSD Lite though, I can assure you.
I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
I also have all of the separate bootloader SBF files for those devices and they come in 3 types.
Consumer_replacer_hs_part is the stock secured mbm
Nonconsumer_replacer_hs_part is the secured engineering mbm
Nonconsumer_replaced is the NS unsecured mbm
The old SBF files never contained the bootloader, the mbmloaders were always updated only by the OTA zips, and the discrete bootloader files were rarely ever seen.
The dual core OMAPs with fastboot support work very differently, as pointed out by Skrilax_CZ above.
Anyways, once again, thanks for the detailed clarification. There is very little clear understanding about how this all actually works and I am happy to both contribute what I know and keep learning from others.
cellzealot said:
You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!
The OG Droid reports as SE in RSD Lite though, I can assure you.
I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
I also have all of the separate bootloader SBF files for those devices and they come in 3 types.
Consumer_replacer_hs_part is the stock secured mbm
Nonconsumer_replacer_hs_part is the secured engineering mbm
Nonconsumer_replaced is the NS unsecured mbm
The old SBF files never contained the bootloader, the mbmloaders were always updated only by the OTA zips, and the discrete bootloader files were rarely ever seen.
The dual core OMAPs with fastboot support work very differently, as pointed out by Skrilax_CZ above.
Anyways, once again, thanks for the detailed clarification. There is very little clear understanding about how this all actually works and I am happy to both contribute what I know and keep learning from others.
I've a question for you guys.
Are all dev RAZRs 16G, or is there an 8G version?
Can't formulate this question any better. I'm asking because that sign bypass with p18 was provided by a 16G dev RAZR and I was wondering if the 'problem' isn't mounting USB mass storage. If so, can some of you PM me a dd p18 .img for a test?
Thanks
Sent from my XT910 using Tapatalk 2
I only have eng models of DX, D2G and Pro with all the associated files for those devices.
We no longer have the access we used to for internal files and devices.
P3droid has an NS status 1 RAZR and is able to flash any of the leaked builds available, including the eng builds.
If there is anything he might be able to provide you that you don't already have I can ask him, but we don't have any files for RAZR that are not in the wild.
cellzealot said:
You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!
The OG Droid reports as SE in RSD Lite though, I can assure you.
Don't want to argue, but are you really 100% sure about this (for a production unit)? Even the production OG Droid mbm is unsigned, and doesn't even contain the security functions; regardless of the fuse status, it simply won't check for signatures. (btw. there is another unlocked-BL phone, which is the XT701. Unlike the OG Droid, it has its mbm signed.)
cellzealot said:
I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
I also have all of the separate bootloader SBF files for those devices and they come in 3 types.
Consumer_replacer_hs_part is the stock secured mbm
Nonconsumer_replacer_hs_part is the secured engineering mbm
Nonconsumer_replaced is the NS unsecured mbm
Well yeah, there are three kinds of files, but the "Secure Engineering" version is the same as "Secure" version and just contains mbmloader too, right? Well there is some naming difference between EU and US files over this.
cellzealot said:
The old SBF files never contained the bootloader, the mbmloaders were always updated only by the OTA zips, and the discrete bootloader files were rarely ever seen.
Correct, I'd only add that old OMAP3 devices (without eMMC) never had mbmloader update possibility.
WHAT IS A BOOTLOADER, CAN I UNLOCK IT AND WHAT ARE THE RISKS?
What is a "bootloader?"
What does it mean to unlock the bootloader?
What is "Rooting?"
Does unlocking the bootloader mean I can use my device with any wireless operator?
Should I unlock the bootloader on my device?
How do I tell if my device has an unlockable/re-lockable bootloader?
Will all of my content, data and applications be there after unlocking?
If Google was backing up my device before I unlocked, will all of that data be restored if I set up the same account on the unlocked device?
What happens to my DRM-Protected content after unlocking?
After unlocking my bootloader, why don't some applications work?
Is there a list of the applications that won't work with an unlocked bootloader?
What is "Fastboot" and where do I get it?
How do I access Fastboot on Motorola devices?
Can I re-lock my device after I have unlocked the bootloader?
Will I receive software updates automatically after I have unlocked the bootloader?
WHAT MIGHT GO WRONG WHEN I TRY TO UNLOCK MY DEVICE?
How do I know if Fastboot recognizes my device?
What is my Device ID ?
The command "fastboot oem get_unlock_data" does not return any device ID. What can I do?
I can get a device ID, and my device is listed as supported, but I am getting a "DEVICE NOT FOUND" error when verifying that my device is eligible for unlock. Why?
I can get a device ID, and my device is listed as supported, but I am getting a "DEVICE IS NOT ELIGIBLE FOR UNLOCK" error when verifying that my device is eligible for unlock. Why?
I can get a device ID, and my device is listed as supported, but I am getting another error. Why?
When is my Warranty voided?
How do I re-lock my device and go back to the original software?
Who can I contact for any issues with the unlocking procedure?
How do I get support after I have unlocked and reflashed my own system image?
WHAT IS A BOOTLOADER?
The bootloader performs basic hardware initialization, verifies the integrity of the operating system, starts the operating system, and provides a method to update device software. This validation is important to verify that the software loaded on the device will not damage sensitive components (radios, processors, etc.) or violate regulatory or carrier requirements. Google provides a base bootloader as part of the Android operating system, and most device manufacturers optimize this for their specific devices.
WHAT DOES IT MEAN TO UNLOCK THE BOOTLOADER?
Unlocking the bootloader is the first step towards gaining root privileges. Some developers and enthusiasts unlock and root in order to experiment with applications or with custom builds of Android. Needless to say, you should not attempt to unlock the bootloader unless you know what you are doing.
WHAT IS ROOTING?
Rooting is when the user has gained root or administrative privileges on the device. In general, this gives users access to make modifications that would not normally be possible. With such privileges comes both risk and additional capability, best left to the very technically savvy. With rooting, you could make changes to the device that may permanently damage it or render it inoperable.
DOES UNLOCKING THE BOOTLOADER MEAN I CAN USE MY DEVICE WITH ANY WIRELESS OPERATOR?
No, this does not disable a carrier subsidy lock if one exists. Some subscriptions are tied to a specific wireless operator and the phone cannot be used on another operator's network. A "locked bootloader" and a "carrier subsidy lock" are thus two entirely different topics. Do not unlock the bootloader if you want to disable the carrier subsidy lock.
SHOULD I UNLOCK THE BOOTLOADER ON MY DEVICE?
Motorola strongly recommends that users do not alter a product's operating system, which includes rooting the device, unlocking the bootloader or running any operating software other than the approved versions issued by Motorola and its partners. If you do, certain functions in your phone might cease to work. You may also damage your phone permanently. Unlocking the bootloader may cause your device to be unsafe and/or cause it to malfunction resulting in physical injuries or significant damage. Developer editions sold with an unlockable bootloader are sold "as-is" with no warranty. Any other device which has had its bootloader unlocked, or whose operating system has been altered, including any failed attempts to unlock the bootloader or alter such operating system, are not covered by Motorola's warranty. Please read more about the risks associated with unlocking the bootloader.
1. IMPORTANT FCC INFORMATION: YOU MUST NOT MAKE OR ENABLE ANY CHANGES TO THE PRODUCT THAT WILL IMPACT ITS FCC GRANT OF EQUIPMENT AUTHORIZATION. The FCC grant is based on the product's emission, modulation, and transmission characteristics, including: power levels, operating frequencies and bandwidths, SAR levels, duty-cycle, transmission modes (e.g., CDMA, GSM), and intended method of using the product (e.g., how the product is held or used in proximity to the body). A change to any of these factors will invalidate the FCC grant. IT IS ILLEGAL TO OPERATE A TRANSMITTING PRODUCT WITHOUT A VALID GRANT.
HOW DO I TELL IF MY DEVICE HAS AN UNLOCKABLE/RE-LOCKABLE BOOTLOADER?
This depends on a few factors. First is whether the device ships with a bootloader that is capable of being unlocked or re-locked. Second is whether the wireless carrier that sells the device allows the bootloader to be unlocked, as each of our operator partners has their own policy. As new devices are released, please check the bootloader introduction page. You will be able to check whether your device shipped with an unlockable bootloader. We will be adding devices to this list regularly.
As of August 2012, the only Motorola devices which can be unlocked are:
Photon Q 4G LTE (Sprint)
RAZR Developer Edition (Europe Only)
Motorola XOOM Verizon
Motorola XOOM Wifi Worldwide
WILL ALL OF MY CONTENT, DATA AND APPLICATIONS BE THERE AFTER UNLOCKING?
No. All user data, content and media on the internal partition are erased when you unlock the bootloader. Please backup any personal content on your device before attempting to unlock. After unlocking, you may need to move data back to your device, set up user accounts, etc.
This is like a factory reset, but data on a removable SD card will not be deleted. However, any apps that depend upon user data on the internal partition will not be able to access this data. Encrypted data on a removable SD card will also be inaccessible as the encryption keys are removed when the bootloader is unlocked.
IF GOOGLE WAS BACKING UP MY DEVICE BEFORE I UNLOCKED, WILL ALL OF THAT DATA BE RESTORED IF I SET UP THE SAME ACCOUNT ON THE UNLOCKED DEVICE?
Yes, using the same account, with the caveat that anything that relied on Digital Rights Management (DRM)-protected content and/or encrypted data will not work if the bootloader is unlocked.
WHAT HAPPENS TO MY DRM-PROTECTED CONTENT AFTER UNLOCKING?
Content that requires Digital Rights Management (DRM) - such as rented movies in Google Play Movies - will not be available if the device is unlocked. This content is only enabled when the bootloader is in a locked state and when the device is running the original software as shipped by Motorola. When the device is re-locked and running the original software image, these capabilities should become available again.
AFTER UNLOCKING MY BOOTLOADER, WHY DON'T SOME APPLICATIONS WORK?
Certain applications rely on functionality that is only available to a device with a locked bootloader and OEM approved software; thus, once the bootloader is unlocked, they will no longer function properly.
IS THERE A LIST OF ALL OF THE APPLICATIONS THAT WILL NOT WORK WITH AN UNLOCKED BOOTLOADER?
Due to the ever-expanding list of new and revised Android apps and developers, it would be difficult to maintain such a list accurately, so no complete list exists.
WHAT IS 'FASTBOOT' AND WHERE DO I GET IT?
Fastboot is the protocol to update the flash file system in Android devices and supports the commands to unlock or lock the device. Fastboot is included in the Android SDK. See the Google developer site for more details.
HOW DO I ACCESS FASTBOOT ON MOTOROLA DEVICES?
Press and hold the volume down button and then press and release the power button. Alternatively, issue the command "adb reboot bootloader" from a terminal window using the Android SDK when connected to the device via USB cable.
CAN I RE-LOCK MY DEVICE AFTER I HAVE UNLOCKED THE BOOTLOADER?
Yes, by re-loading an original Motorola software image and re-locking the bootloader. After relocking your device, you will only be able to reflash your device with a signed system image. If such an image is not available online, you will have to send it to MOTOROLA support for reflashing. MOTOROLA reserves the right to charge for such assistance. Regardless of whether your device is re-locked, such device is still not covered by the MOTOROLA warranty.
WILL I RECEIVE SOFTWARE UPDATES AUTOMATICALLY AFTER I HAVE UNLOCKED THE BOOTLOADER?
Not necessarily; it will depend on what modifications you have made to the software. Accepting a MOTOROLA OTA (over the air) software update after unlocking your device and rooting or modifying your original system software might render your device inoperable. MOTOROLA therefore recommends you do not accept OTA updates after unlocking. MOTOROLA has no obligation to offer software updates for unlocked devices.
HOW DO I KNOW IF FASTBOOT RECOGNIZES MY DEVICE ?
To validate your installation, please follow these steps:
Turn off your phone.
Push and hold the power and volume down buttons at the same time, release the power button, then release volume down. The key sequence to power up in fastboot mode might differ between phone models. The device will power up in Fastboot mode and display the AP Fastboot screen.
Connect the phone to the computer via USB-cable. The Fastboot screen on the device will indicate that the device is connected to the Desktop over USB.
Open a command window
Change directory to the tools folder within the Android SDK folder.
To verify that the desktop and phone are connected, enter "fastboot.exe devices". This should list your device as connected.
WHAT IS MY DEVICE ID ?
Your device ID is a unique string, retrieved through the fastboot command, which is used to generate a unique unlock code for your device. You can retrieve your Device ID by issuing "fastboot oem get_unlock_data" at the command prompt. Your Device ID is unique to your device, and should not be shared with anyone or posted online.
THE COMMAND "fastboot oem get_unlock_data" DOES NOT RETURN ANY DEVICE ID. WHY?
The bootloader on Motorola devices released before August 2012 is not unlockable. This fastboot command will not return a device ID or unlock data for these Motorola devices. At this point, only the devices on our Supported Devices list are eligible for the unlockable bootloader program.
The Motorola XOOM Tablet and Developer Edition RAZR can be unlocked through our legacy method.
If your device is on our supported list, and fastboot does not work or does not return a device id, please try the following.
Check that your device is in Fastboot mode. On most devices, to enter fastboot mode, power the device off then power up while pressing the power and volume down button simultaneously.
After powering up in fastboot mode, connect your device to your desktop using a USB cable. The fastboot screen on your device should indicate that it is connected over USB
Make sure the Motorola drivers for your device are installed
Make sure fastboot and the Android SDK are installed
I CAN GET A DEVICE ID, AND MY DEVICE IS LISTED AS SUPPORTED, BUT I AM GETTING "DEVICE NOT FOUND" ERROR WHEN VERIFYING THAT MY DEVICE IS ELIGIBLE FOR UNLOCK. WHY?
This error means that our unlock tool checked our online database but could not find a match between the Device ID/Unlock Data you submitted and any device in our database. This should only happen if the device data entered is not correct, or there are delays in updates to our device database.
Please check that your device model, as sold by your operator, is on our supported devices list.
Please double check that your device ID has been entered correctly in the Verification field. The output from the fastboot command must be entered in the validation field on a single line, without any "(bootloader)" string, empty spaces, line feeds or carriage returns.
For example, the output
$ fastboot oem get_unlock_data ...
(bootloader) 0A40040192024205#4C4D3556313230
(bootloader) 30373731363031303332323239#BD00
(bootloader) 8A672BA4746C2CE02328A2AC0C39F95
(bootloader) 1A3E5#1F53280002000000000000000
(bootloader) 0000000
OKAY [ 0.297s]
must be entered in the Device ID field as a single entry, with no white spaces:
0A40040192024205#4C4D355631323030373731363031303332323239#BD008A672BA4746C2CE02328A2AC0C39F951A3E5#1F532800020000000000000000000000
I CAN RETRIEVE A DEVICE ID, AND MY DEVICE IS LISTED AS SUPPORTED, BUT I AM GETTING "DEVICE NOT ELIGIBLE FOR UNLOCK" ERROR WHEN VERIFYING THAT MY DEVICE IS ELIGIBLE FOR UNLOCK. WHY?
This error means that our unlock tool checked our online database and determined that your device and carrier combination is not part of our unlockable bootloader program and therefore cannot be unlocked. Some of our operator partners do not allow unlockable devices on their networks. That is why a device with one operator may be unlockable, but the same model with a different carrier might not.
I CAN RETRIEVE A DEVICE ID, AND MY DEVICE IS LISTED AS SUPPORTED, BUT I AM GETTING ANOTHER ERROR WITH THE ONLINE TOOL. WHY?
Please consult our forum for answers. When posting an issue to this forum, do not post your Device ID on any public forum as it could be used by a third party to generate an unlock code on your behalf and void your device warranty.
WHEN IS MY WARRANTY VOIDED ?
Your device warranty will be voided as soon as an unlock code has been generated through our online tool, regardless of whether you actually unlock your device. Please do not request a bootloader unlock code unless you have read and accepted the terms of our legal agreement.
HOW DO I RE-LOCK MY DEVICE AND GO BACK TO ORIGINAL SOFTWARE ?
You can re-lock your device. Re-locking a bootloader will ensure that the device will only boot to Motorola signed and provided Android Images. PLEASE NOTE: Re-locking a device will not reinstate your device warranty as damage might have occurred when the device was unlocked.
To return to Original Software, you will need to reflash a Motorola signed software image to your device, or send it in to our service center to get reflashed. MOTOROLA reserves the right to charge for any assistance required by users during this process. At this time, we are not posting a recovery image for the Photon Q 4G LTE.
WHO DO I CONTACT FOR ANY OTHER ISSUE WITH THE UNLOCKING PROCEDURE?
Please consult our forum for questions and answers. When posting an issue to this forum, do not post your Device ID on any public forum as it could be used by a third party to generate an unlock code on your behalf and void your device warranty.
https://forums.motorola.com/pages/home
HOW DO I GET SUPPORT AFTER HAVING UNLOCKED AND REFLASHED MY OWN SYSTEM IMAGE?
Motorola is unable to provide you with assistance. Please consult online forums, such as the XDA developer community.
http://www.xda-developers.com
HERE IS THE URL TO MOTOROLA'S UNLOCK YOUR DEVICE PAGE. BE SURE TO CHECK FREQUENTLY TO SEE IF YOUR DEVICE MAKES THE LIST OF SUPPORTED DEVICES
https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a
In Europe, the Motorola RAZR™ Developer Edition is now available through the Motorola Shop.
http://developer.motorola.com/products/bootloader/
Here's the link to take a look at the Photon Q
http://www.motorola.com/us/consumers/MOTOROLA-PHOTON%E2%84%A2-Q-4G-LTE/m-PHOTON-Q-4G-LTE,en_US,pd.html?WT.mc_id=social_blog_asanti_bootloader&WT.mc_ev=click
IF YOU HAVE FOUND THIS HELPFUL PLEASE GIVE THANKS
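The FAQ above says the Device ID must be submitted as one line with the "(bootloader)" prefixes, spaces and line breaks removed, and that a mistyped or incomplete string comes back as DEVICE NOT FOUND. The script below is an added example, not part of the Motorola FAQ or of the fastboot tool: it checks that fastboot sees a device, collects the output of "fastboot oem get_unlock_data", joins it into the single-line form, and refuses output that is not '#'-separated hex or that carries a FAILED line (the shape a XOOM owner reports later in this thread). It assumes fastboot is on PATH and prints its status lines to stderr; the serial number and the refusal text in the samples are constructed, and the unlock data sample is the one printed in the FAQ.

```python
"""Collect Motorola bootloader unlock data and normalise it into the
single-line Device ID the unlock form expects.

Added example; not part of the Motorola FAQ and not fastboot's own code.
Assumptions: `fastboot` is on PATH; `fastboot devices` prints one
"<serial>\tfastboot" line per attached device; `fastboot oem get_unlock_data`
prints the unlock data as "(bootloader) ..." lines followed by OKAY, or a
FAILED line when the bootloader refuses.
"""
import re
import subprocess
import sys

PREFIX = "(bootloader)"
# '#'-separated hexadecimal: the shape of the Device ID shown in the FAQ.
DEVICE_ID_FORM = re.compile(r"[0-9A-Fa-f]+(#[0-9A-Fa-f]+)*")

# Constructed sample: the output reproduced in the FAQ, with the CRLF line
# endings a Windows command window produces.
SAMPLE_UNLOCK_OUTPUT = (
    "...\r\n"
    "(bootloader) 0A40040192024205#4C4D3556313230\r\n"
    "(bootloader) 30373731363031303332323239#BD00\r\n"
    "(bootloader) 8A672BA4746C2CE02328A2AC0C39F95\r\n"
    "(bootloader) 1A3E5#1F53280002000000000000000\r\n"
    "(bootloader) 0000000\r\n"
    "OKAY [  0.297s]\r\n"
    "finished. total time: 0.300s\r\n"
)
# Constructed sample of the refusal a XOOM MZ604 owner reports in this thread.
SAMPLE_FAILED_OUTPUT = "...\r\nFAILED (remote: (00120000))\r\nfinished. total time: 0.246s\r\n"
# Constructed sample of `fastboot devices` with one device attached (made-up serial).
SAMPLE_DEVICES_OUTPUT = "TA123456ABC\tfastboot\r\n"


class UnlockDataError(Exception):
    """The bootloader output carries no usable unlock data."""


def parse_devices(text):
    """Serial numbers that `fastboot devices` reports, in order. An empty list
    means fastboot does not see the phone: wrong mode, cable or driver."""
    serials = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1] == "fastboot":
            serials.append(fields[0])
    return serials


def parse_unlock_data(text):
    """Join the "(bootloader)" lines into the Device ID: prefix, spaces and
    line breaks removed, exactly as the FAQ says it must be entered."""
    chunks = []
    for line in text.splitlines():          # splitlines() also drops the \r
        line = line.strip()
        if line.startswith("FAILED"):
            raise UnlockDataError("bootloader refused the command: " + line)
        if line.startswith(PREFIX):
            chunks.append(line[len(PREFIX):].strip())
    if not chunks:
        raise UnlockDataError("no (bootloader) lines; is the phone in AP Fastboot mode?")
    device_id = "".join(chunks)
    # Anything that is not '#'-separated hex means a line was missed, mistyped
    # or redacted; the online tool would answer DEVICE NOT FOUND for it.
    if not DEVICE_ID_FORM.fullmatch(device_id):
        raise UnlockDataError("unlock data is not '#'-separated hex: " + device_id)
    return device_id


def check_unlock_output(text):
    """(device_id, None) on success, (None, reason) on failure."""
    try:
        return parse_unlock_data(text), None
    except UnlockDataError as exc:
        return None, str(exc)


def run_fastboot(*args):
    """Run fastboot and return everything it printed; fastboot writes its
    status lines to stderr, so both streams are collected."""
    proc = subprocess.run(["fastboot", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def main(live=False):
    """Walk the FAQ's checks: device visible, then unlock data well-formed.
    Without --live the constructed samples are used, so it runs offline."""
    devices_text = run_fastboot("devices") if live else SAMPLE_DEVICES_OUTPUT
    serials = parse_devices(devices_text)
    if not serials:
        print("no device in fastboot mode; check the cable, the drivers and "
              "that the screen says AP Fastboot", file=sys.stderr)
        return 1
    unlock_text = run_fastboot("oem", "get_unlock_data") if live else SAMPLE_UNLOCK_OUTPUT
    device_id, reason = check_unlock_output(unlock_text)
    if device_id is None:
        print("device " + serials[0] + ": " + reason, file=sys.stderr)
        return 1
    # The Device ID lets anyone request an unlock code for your phone, so it
    # belongs in the form and nowhere public (the FAQ says the same).
    print("device " + serials[0] + " unlock data (keep private):")
    print(device_id)
    return 0


if __name__ == "__main__":
    sys.exit(main(live="--live" in sys.argv))
```

Run it with --live against a phone sitting on the AP Fastboot screen; without the flag it only exercises the samples. The validation is deliberately strict: a redacted or partially copied line fails locally instead of producing a DEVICE NOT FOUND round trip with the online tool.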
It doesn't even work for the RAZR yet, if it ever will. Thread locked. Discuss here
Reopened
I get the following error
after I enter this command: $ fastboot oem get_unlock_data
I get the following error
...
FAILED (remote: (00120000))
finished. total time: 0.246s
I have xoom mz604
sorry! English is not my native language
Do you have the Android sdk and all the drivers properly installed?
Sorry it took so long to answer.
hi,
I installed everything the sdk asked me to update and install
and the error still appears :silly:
1. Check that your device is in Fastboot mode. On most devices, to enter fastboot mode, power the device off then power up while pressing the power and volume up and down button simultaneously. You'll get a black screen scroll down using volume down to Ap Fastboot mode select by pressing volume up.
2. After powering up in fastboot mode, connect your device to your desktop using the OEM USB cable that came with the device. The fastboot screen on your device should indicate that it is connected over USB
3. Make sure the Motorola drivers for your device are installed
4. Make sure fastboot and the Android SDK are installed
I. RETRIEVING YOUR DEVICE ID
2. Put your device in fastboot mode (Power+Vol up & Vol Down) then select Ap Fastboot mode then connect over USB
3. Open a command prompt or Terminal session
4. Go to the Directory where you installed the Android SDK tools, and type:
5. $ fastboot oem get_unlock_data
Confirmed working on O2 Germany RAZR HD:
C:\Program Files (x86)\Android\android-sdk\platform-tools>fastboot oem get_unlock_data
...
(bootloader) ****** HEX CODE REMOVED ******
(bootloader) ****** HEX CODE REMOVED ******
(bootloader) ****** HEX CODE REMOVED ******
(bootloader) ****** HEX CODE REMOVED ******
(bootloader) ****** HEX CODE REMOVED ******
OKAY [ 0.375s]
finished. total time: 0.376s
http://www.android-hilfe.de/motorol...-hd-voraussichtlich-kaufen-7.html#post4146048
pOOBAH1973 said:
Confirmed working on O2 Germany RAZR HD:
C:\Program Files (x86)\Android\android-sdk\platform-tools>fastboot oem get_unlock_data
...
(bootloader) ****** HEX CODE REMOVED ******
(bootloader) ****** HEX CODE REMOVED ******
(bootloader) ****** HEX CODE REMOVED ******
(bootloader) ****** HEX CODE REMOVED ******
(bootloader) ****** HEX CODE REMOVED ******
OKAY [ 0.375s]
finished. total time: 0.376s
http://www.android-hilfe.de/motorol...-hd-voraussichtlich-kaufen-7.html#post4146048
Does the code work in the website or do you have to wait for support to be added?
Very helpful for noobs like me...
Followed instructions to the letter.
fastboot returns nothing,
as if the program ran but no parameters were met.
Nexus 6, Windows 8.1
I'm trying to unlock my Moto E 2 and I'm having a hard time. I've installed android sdk folder and have it on my macbook's desktop. I've opened a terminal from the folder and entered in "$ fastboot oem get_unlock_data" and all it says is "-bash $ command not found".
I installed the Motorola drivers from the website, and made sure all the sdk files were there including tools, and platform-tools.
What am I missing?!
Can anyone tell me how to bootload my android 2.3.7 Sony st25i???
...new to XDA.
So I know everyone wants to get a boot loader hack, and as I read I notice a lack of guides on what a boot loader is, how it works, and a lot of references on learning.
Why am I posting this?
That's a very good question. There are two main reasons for me posting this. The first reason is that the developers are often too busy to work on trying to explain and educate the public on the ins and outs of boot loaders. The second reason is that I am a firm believer in open transparency. When bounties and other incentives are offered to the community we lose sight of what the goal is: to unlock the boot loader. People become so secretive and ideas are not shared; this makes it so people perceive a competition between devs, instead of a competition between the devs and the companies. This is why I love providing this information, because in the end the money doesn't matter, it's the boot loader unlock. So for those two reasons I have created this thread.
So let us begin:
What is a boot loader?
It is a common misconception that a boot loader boots up the OS. Yes, this is a type of boot loader, but it is not necessarily what a boot loader is. A boot loader is a set of machine instructions that push a device from an off state to an on state. By looking at this definition we learn there are many more boot loaders.
Low-Level boot loaders
These are the boot loaders that we usually don't look at, or hear about. Most of the time these are what are referred to as chip firmware. An example of this is when we look at something like NVFLASH, or other programs that can fix a device regardless of how bricked the device is. Within these boot loaders are often the operations on how to start the device, i.e. start up the power supply, and other very low level functions.
[image: omappedia.org]
When we say a boot loader is locked, this is usually where the security chain starts. Once this has issued the next stage boot loader, it checks to make sure the signature is correct. We will discuss how they do this in later sections.
[image: omappedia.org]
High-Level boot loaders
These are the boot loaders we are used to, things such as Uboot, Aboot, rrboot, Hboot. These binaries are often located in an on-chip memory bank. These are the boot loaders that check for buttons pressed, whether to boot into recovery or normal, and what we usually focus on hacking, as we have access to this subsystem through the USB.
[image: omappedia.org]
Many of the on-chip boot loaders such as the Low-Level boot loaders are not accessible unless directly connected to the chip's leads; however, these High-Level boot loaders can be accessed via SPI, I2C, or other inter-chip communication.
[image: omappedia.org]
Well that's all fine and dandy, but how the heck do they lock them? Can't we just disable it?
Well, unfortunately they have already thought of this. This is where we get QFuses, Write Protect, and other "security" measures that prevent us from reading or writing new code on top. With these "On Chip" security measures, a company is able to start the chain of trust from the initial stage boot loader, always making sure that the next stage has a valid signature.
Let's go over a couple of different types of countermeasures:
eFuses
eFuses are the death of all hackers, as these truly are one-time write. The idea of an eFuse is effectively to blow a connection to change the value of a bit.
[image: xda-developers.com]
When we look at the image above we can clearly see that one of them seems to be damaged. This one has been written to, and has actually destroyed the connection, making it impossible to reconnect it, unless you want to FIB it and deposit the metal.
Supervisory Code
Supervisory Code is actually more common than most people think. The idea of this is to have an SROM, which contains supervisory commands that are hardcoded commands. These commands are the only commands that can operate on SRAM that is on chip. These SROM codes can only be used from the chip level, and cannot be executed if the MMAP table in SRAM has write protection on it; if it does, the entire boot loader is erased.
EEPROM
This is an older tech and really isn't used that much. The basic principle of this is utilizing the idea that semiconductors can behave like ROM under given conditions, and be erased given other conditions.
[image: hitequest.com]
This is used in tech like NVRAM and such. It relies on being able to supply multiple voltages, as seen above. Another old way of erasing was to flash with UV light, as it allowed for all of them to reach the erase condition. The problem is that once programmed, they cannot be changed because it requires higher voltages to change. These types are often programmed off board and then placed on board, or use something like JTAG to reprogram.
There are many more security measures and this list will continue to expand.
Okay, well this all sucks. How have we unlocked boot loaders in the past?
Wow, now that one is a tough one as there are so many different ways. But let's try and get a list started.
Buffer Overflow
This method is probably one of the coolest methods out there. It utilizes the basic structure of how subroutines work and then exploits them. When a subroutine, or for that matter a variable, enters the stack it gets put there, and then the return address gets put on the end so that it will return to the designated location. The problem comes in when we don't have sanity checking of variables, or we don't catch overflowing them. The explanation of this is highly complicated so I'm going to cite some text from Wiki.
Code:
#include <string.h>
void foo (char *bar)
{
char c[12];
strcpy(c, bar); // no bounds checking...
}
int main (int argc, char **argv)
{
foo(argv[1]);
}
For someone who sees this, they can see that we can specify an array of char with a length longer than 10 and cause a collision into the return address of the stack read. This type of buffer overflow is often referred to as stack smashing. We utilized a technique like this when we built the stack smash for the nook tablet boot loader unlock. We relied on them not checking the header size before loading it into memory. By extending the header by 4 bytes we could smash our own custom return address onto the stack.
Overwriting Existing Code Calls
This is actually how loki worked. It relied on the idea of loading a ramdisk over existing memory. In this case we utilized shell code that jumped us out of the signature check. By doing this we told the boot loader to load a ramdisk into a location in memory where we know it will be called. There are three major things done here that we rely on.
The security check for the boot loader occurs when the boot loader is loaded from the RAM; any code which modifies it within the boot loader will not return as a tampered device.
The boot loader loads the kernel and the ramdisk from memory. Once loaded, functions are then performed on this. The locations of the ramdisk load are given in the boot header, meaning that you can specify anywhere in code you want to load the ramdisk to.
The function that is being overwritten must be called.
When we look at loki we see that they are overwriting the check_sig function, and putting the custom written shell code there. Once loaded, when that function is called it calls the custom code instead of the functional code for check_sig.
I've generated a very rudimentary animation showing how loki works.
This method is extremely tedious as there is no source for a lot of the boot loaders, meaning that holes have to be discovered in assembly or from a reference to other source code.
Making a device S-Off or disabling boot loader checking
This is the one thing that I'm least familiar with. It involves utilizing the boot loader parameters themselves to disable the boot security of primary boot loaders. I'm hoping that someone will be able to point me to more information on how we do this. I do know that doing this is the only true way to unlock a boot loader. Otherwise we rely on the boot loaders not being patched.
Bootstrapping and 2nd init
This is actually the "easiest" (use that term lightly) way to overwrite the boot loader. This relies on the system booting up either partially or fully. There's a really great article here: cvpcs.org. The premise of this is that there is an order in which things get booted up. In Motorola's example they boot up the data in the init. They use a ptrace to attach it to the head of the stack, and then when the stack is fully loaded it loads another init, and ramdisk on top of it. This shuts down the entire previous system and allows a second system to be run on top of the current system. In this case the loads take longer as they wait for the complete boot and then boot again on top.
Security leaks and holes
When we look at the history of hacking we can see that it has always been around and will always be around. For as long as there are new security measures there will be hackers trying. One of the greatest tools that we can get is when leaks occur or when holes are discovered. One of the greatest examples I can think of was that of the SGNII.
One of the first boot loader hacks discovered with a hole in the boot chain. The Low-level boot loader called the high-level boot loader. The high-level boot loader would then check the signature of the boot.img. However, they did not check the recovery signature, and as such we were able to load another boot loader into the recovery.
Another one of these came in the form of a leak: the SGS3 boot loader. Remember how I said earlier we develop a secure boot chain that starts at a Low-Level boot loader. Well, in this case we were provided a new boot loader that broke the chain. This boot loader had a valid signature so that the first Low-Level boot loader could verify it, and from there on out there were no verifications.
This thread will continue to grow and evolve.
I WELCOME ALL CONTENT AND CRITICISM. PLEASE LET ME KNOW IF I'M MISSING SOMETHING.
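The stack-smashing route described in the post above (a loader that trusts a header size field and copies into a fixed buffer, as with the nook tablet unlock) can be seen in a self-contained form below. This is an added example written for this thread, not the nook loader or code from the post: the image format, the `TOYBOOT!` magic, the `CMDLINE_MAX` buffer size and the function names are all assumptions. The unchecked loader is the 'before' shape; the checked one bounds the declared length against both the destination buffer and the bytes actually present in the image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. Toy boot-image header: an
 * 8-byte magic, a little-endian 32-bit cmdline length, then the cmdline
 * bytes. The length field is attacker-controlled, exactly like a header
 * size field in a real image. */
#define TOY_MAGIC   "TOYBOOT!"
#define HDR_LEN     12
#define CMDLINE_MAX 32            /* the loader's fixed stack buffer */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build a constructed image into buf. 'declared' is what the header claims;
 * 'actual' is how many cmdline bytes really follow. They may disagree on
 * purpose. Returns the image length, or 0 if buf is too small. */
size_t build_image(uint8_t *buf, size_t cap, uint32_t declared,
                   const char *cmdline, size_t actual)
{
    if (cap < HDR_LEN + actual)
        return 0;
    memcpy(buf, TOY_MAGIC, 8);
    buf[8]  = (uint8_t)declared;         buf[9]  = (uint8_t)(declared >> 8);
    buf[10] = (uint8_t)(declared >> 16); buf[11] = (uint8_t)(declared >> 24);
    memcpy(buf + HDR_LEN, cmdline, actual);
    return HDR_LEN + actual;
}

/* 'Before' form: trusts the declared length. With declared >= CMDLINE_MAX
 * both writes below run past out[] into the caller's stack frame, which is
 * the class of bug the post describes. Only ever call it on an image you
 * built yourself; it is here for contrast. */
int load_unchecked(const uint8_t *img, size_t img_len, char out[CMDLINE_MAX])
{
    if (img_len < HDR_LEN || memcmp(img, TOY_MAGIC, 8) != 0)
        return -1;
    uint32_t n = read_le32(img + 8);
    memcpy(out, img + HDR_LEN, n);       /* no bounds check on n */
    out[n] = '\0';                        /* same problem */
    return 0;
}

/* Hardened form: bound the declared length against the buffer AND against
 * the bytes actually present. The buffer check comes first, so the
 * subtraction in the second check can never underflow. */
int load_checked(const uint8_t *img, size_t img_len, char out[CMDLINE_MAX])
{
    if (img_len < HDR_LEN || memcmp(img, TOY_MAGIC, 8) != 0)
        return -1;                        /* not an image */
    uint32_t n = read_le32(img + 8);
    if (n >= CMDLINE_MAX)
        return -2;                        /* would overflow out[] */
    if (n > img_len - HDR_LEN)
        return -3;                        /* header lies: image truncated */
    memcpy(out, img + HDR_LEN, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    uint8_t img[128];
    char    out[CMDLINE_MAX];
    char    big[64];
    size_t  len;

    /* Constructed sample 1: honest image, 10-byte cmdline. */
    len = build_image(img, sizeof img, 10, "console=on", 10);
    printf("honest:    checked=%d unchecked=%d cmdline=%s\n",
           load_checked(img, len, out), load_unchecked(img, len, out), out);

    /* Constructed sample 2: header declares 64 bytes and 64 follow. The
     * checked loader refuses; the unchecked one would smash the stack. */
    memset(big, 'A', sizeof big);
    len = build_image(img, sizeof img, 64, big, 64);
    printf("oversize:  checked=%d (unchecked loader deliberately not run)\n",
           load_checked(img, len, out));

    /* Constructed sample 3: declares 20 bytes but only 4 are present. */
    len = build_image(img, sizeof img, 20, "init", 4);
    printf("truncated: checked=%d\n", load_checked(img, len, out));
    return 0;
}
```

The order of the two checks in `load_checked` is the part worth copying: testing against the buffer bound first means a declared length like 0xFFFFFFFF is rejected before it can be compared with `img_len - HDR_LEN`.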
Very informative; nice write up!! Subscribed
Edit: For those trying to learn or get a better understanding can we post our questions here? I ask only because I don't know if you want that obligation.
Good info. Subbed!
Very nice write up
I found this very interesting, thanks for sharing.
Thanks for sharing
Wow. Despite there still being a lot of jargon I didn't understand it was still very informative. I wonder if anyone has considered offering the current bounty for the ME7 bootloader unlock to one of the guys on the LK project as a bribe for the source code of the LK project. Correct me if I'm wrong but that is the project that the new bootloader is based on.
DraconicSeed said:
Wow. Despite there still being a lot of jargon I didn't understand it was still very informative. I wonder if anyone has considered offering the current bounty for the ME7 bootloader unlock to one of the guys on the LK project as a bribe for the source code of the LK project. Correct me if I'm wrong but that is the project that the new bootloader is based on.
Thanks, glad you like it. I think we need to clarify two things. A. Bribing of any type is illegal. B. LK is not actually the problem. While LK produces the aboot code, they are not the ones who would have any way of unlocking the device because that is all done by Qualcomm. If you look at the partition map there is a partition called TZ. This is actually the partition that takes care of the locking and unlocking; there's some cool stuff that I'll have to post about fuses on Qualcomm and such.
Loglud said:
Thanks, glad you like it. I think we need to clarify two things. A. Bribing of any type is illegal. B. LK is not actually the problem. While LK produces the aboot code, they are not the ones who would have any way of unlocking the device because that is all done by Qualcomm. If you look at the partition map there is a partition called TZ. This is actually the partition that takes care of the locking and unlocking; there's some cool stuff that I'll have to post about fuses on Qualcomm and such.
I guess it wouldn't be so much a bribe as just letting him know that the bounty is there; he would still have to come up with the process :angel: I kid of course. But the reason I mentioned LK is because from what I can remember reading, Don (djrbliss) was able to come up with the previous unlock because he noticed that the bootloader was similar to the open source code for aboot, which is what allowed him to work it out. Just thought if we could get our hands on the code for LK it might help. Then again there seems to be progress being made in another thread in regards to using a Dev version. It sounds like somebody was able to get a temp unlock using a Dev version and is now working with others to try to figure out a way to translate to the consumer editions. You can find it here.
So what you're telling me is we need to get an in with someone at Qualcomm
Anyway, good info. I obviously still have a lot to learn as I am a flasher but not a dev. I don't know nearly enough about adb, C++, Java and the source code used in the Android OS to even fake a claim as a Dev lol. Thanks for the info!!
nice
nice infos
Not bad, but it confuses several things. S-ON/S-OFF is specific to HTC's smartphone designs and they may not even use it anymore. Also, 2nd init is not a replacement of the bootloader.
Hey Guys,
I've been using the OnePlus One (Bacon) for the past year and I'd like to switch; however, the OnePlus One has no 'Secure Boot' (not to be confused with 'Locked Bootloader').
I can modify partitions like the SBL (Secondary Bootloader), ABOOT (Android Bootloader) and the Modem without the phone failing to boot.
Can anyone recommend a phone that either ships without any boot verification chain or has the option to disable 'Secure Boot'?
(dylanger) said:
Hey Guys,
I've been using the OnePlus One (Bacon) for the past year and I'd like to switch; however, the OnePlus One has no 'Secure Boot' (not to be confused with 'Locked Bootloader').
I can modify partitions like the SBL (Secondary Bootloader), ABOOT (Android Bootloader) and the Modem without the phone failing to boot.
Can anyone recommend a phone that either ships without any boot verification chain or has the option to disable 'Secure Boot'?
I would assume the OPX and OP2 and possibly the OPPO [Find] devices would be similar in this regard, given their relationship. I have access to the OPX/OP2 but haven't had the time to dig into them yet. The new Intels might also be an option with the `fastboot flash keystore` function, so that you can use your own key for boot verification. I haven't had a chance to dig into it yet to see how much you can modify, but from what I gather, they will try to verify boot using the user keystore, followed by the OEM keystore.
binsol said:
I would assume the OPX and OP2 and possibly the OPPO [Find] devices would be similar in this regard, given their relationship. I have access to the OPX/OP2 but haven't had the time to dig into them yet. The new Intels might also be an option with the `fastboot flash keystore` function, so that you can use your own key for boot verification. I haven't had a chance to dig into it yet to see how much you can modify, but from what I gather, they will try to verify boot using the user keystore, followed by the OEM keystore.
Cheers for your response. Yeah I haven't even looked at the new Intel CPUs yet, oooo damn a 'fastboot flash keystore' would be very nice. This feature should be on all devices? I wonder why vendors don't just give consumers full access to the hardware.
A quick question. Is the OEM Keystore stored on the Flash or CPU? I guess it would be protected once the OS has booted but that wouldn't protect it against JTAG if its stored on Flash.
(dylanger) said:
Cheers for your response. Yeah I haven't even looked at the new Intel CPUs yet, oooo damn a 'fastboot flash keystore' would be very nice. This feature should be on all devices? I wonder why vendors don't just give consumers full access to the hardware.
A quick question. Is the OEM Keystore stored on the Flash or CPU? I guess it would be protected once the OS has booted but that wouldn't protect it against JTAG if its stored on Flash.
I originally thought the OEM keys were burnt-in on a ROM chip, but the more I read about it, it sounds like they're stored in a protected partition on eMMC. The eMMC 4.x+ spec suggests this is the case with the "Replay Protected Memory Block"; little kernel source has references to similar protected memory. I'm just starting to dig into it, but I'm pretty interested to know if it can be DMA'd.
I'm expecting the fastboot flash keystore to become common with late M or N devices with how Google is pushing the verified boot stuff (alerting the user about tampered boot). This would give their warnings a lot more value, since then you could sign your own modifications and only be alerted if something else then made changes to the boot.
The flash keystore seems to have a bunch in common with the (Windows) UEFI secureboot. I would assume that's a reason Intel has a jump on it.
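Two passages in this thread describe the same mechanism from different ends: Loglud's explanation that a locked chain starts at the low-level loader and each stage checks the next stage's signature (and that the SGS3 leak was a validly signed loader that did no further checks), and binsol's description above of Intel's `fastboot flash keystore` verifying boot against the user keystore first and then the OEM keystore. The following is an added example, not vendor or LK code, that models that hand-off logic. Everything in it is assumed for illustration: the stage names, the sample image bytes, the key names, and `toy_tag()`, an FNV-1a hash over key and data that stands in for real signature verification so the code runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not vendor or LK code. toy_tag() is FNV-1a over key||data
 * and stands in for RSA signature verification against a fused key hash so
 * the example runs offline; never use FNV as a MAC for real. */
static uint64_t toy_tag(const char *key, const uint8_t *data, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *key; key++)              { h ^= (uint8_t)*key; h *= 1099511628211ULL; }
    for (size_t i = 0; i < len; i++) { h ^= data[i];       h *= 1099511628211ULL; }
    return h;
}

struct stage {
    const char    *name;
    const uint8_t *image;
    size_t         len;
    uint64_t       tag;            /* tag carried in the image header */
    int            verifies_next;  /* does this stage check its successor? */
};

enum { KEY_NONE = 0, KEY_USER = 1, KEY_OEM = 2 };

/* Check one image against the user keystore first, then the OEM keystore.
 * A NULL user_key models a device with no user keystore enrolled. */
int verify_image(const struct stage *s, const char *user_key, const char *oem_key)
{
    if (user_key && toy_tag(user_key, s->image, s->len) == s->tag) return KEY_USER;
    if (toy_tag(oem_key, s->image, s->len) == s->tag)              return KEY_OEM;
    return KEY_NONE;
}

struct chain_result {
    int booted;            /* 1 if control reached the last stage */
    int first_unverified;  /* first stage run without a passing check, -1 if none */
};

/* Walk the chain. chain[0] is the boot ROM and is trusted implicitly. A
 * stage that verifies its successor halts on a bad tag; a stage that does
 * not (a leaked loader with checks removed) hands control on regardless. */
struct chain_result boot_chain(const struct stage *chain, size_t n,
                               const char *user_key, const char *oem_key)
{
    struct chain_result r = { 0, -1 };
    for (size_t i = 0; i + 1 < n; i++) {
        if (!chain[i].verifies_next) {
            if (r.first_unverified < 0) r.first_unverified = (int)(i + 1);
            continue;                       /* unverified hand-off */
        }
        if (verify_image(&chain[i + 1], user_key, oem_key) == KEY_NONE)
            return r;                       /* tampered: refuse to hand off */
    }
    r.booted = 1;
    return r;
}

/* Constructed sample images and assumed key names. */
static const uint8_t SBL[]   = "sbl1: secondary boot loader";
static const uint8_t ABOOT[] = "aboot: little kernel + fastboot";
static const uint8_t BOOT[]  = "boot.img: kernel + ramdisk";
#define OEM_KEY  "oem-fused-root-key"
#define USER_KEY "user-keystore-key"

/* Four-stage chain. boot_signer picks who signed boot.img (NULL = unsigned);
 * aboot_checks says whether aboot verifies boot.img before jumping to it. */
size_t make_chain(struct stage out[4], const char *boot_signer, int aboot_checks)
{
    struct stage c[4] = {
        { "bootrom", NULL,  0,            0,                                     1 },
        { "sbl",     SBL,   sizeof SBL,   toy_tag(OEM_KEY, SBL,   sizeof SBL),   1 },
        { "aboot",   ABOOT, sizeof ABOOT, toy_tag(OEM_KEY, ABOOT, sizeof ABOOT), aboot_checks },
        { "boot",    BOOT,  sizeof BOOT,
          boot_signer ? toy_tag(boot_signer, BOOT, sizeof BOOT) : 0,             0 },
    };
    memcpy(out, c, sizeof c);
    return 4;
}

int main(void)
{
    struct stage c[4];
    struct chain_result r;
    size_t n;

    n = make_chain(c, OEM_KEY, 1);                 /* stock device */
    r = boot_chain(c, n, NULL, OEM_KEY);
    printf("stock:                 booted=%d first_unverified=%d\n", r.booted, r.first_unverified);
    n = make_chain(c, USER_KEY, 1);                /* user-signed boot.img, key enrolled */
    r = boot_chain(c, n, USER_KEY, OEM_KEY);
    printf("user keystore:         booted=%d first_unverified=%d\n", r.booted, r.first_unverified);
    r = boot_chain(c, n, NULL, OEM_KEY);           /* same image, key not enrolled */
    printf("user key not enrolled: booted=%d\n", r.booted);
    n = make_chain(c, NULL, 1);                    /* unsigned boot.img, checks on */
    r = boot_chain(c, n, NULL, OEM_KEY);
    printf("unsigned boot:         booted=%d\n", r.booted);
    n = make_chain(c, NULL, 0);                    /* leaked aboot that skips checks */
    r = boot_chain(c, n, NULL, OEM_KEY);
    printf("leaked aboot:          booted=%d first_unverified=%d\n", r.booted, r.first_unverified);
    return 0;
}
```

The last case is the SGS3 shape from Loglud's post: aboot itself carries a valid OEM tag, so sbl accepts it, but because it never verifies boot.img the walk reports the device as booted with boot.img as the first unverified stage. The user-keystore cases show why the lookup order matters: a user-signed image boots only on the device where that key was enrolled, and falls through to the OEM check everywhere else.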
binsol said:
I originally thought the OEM keys were burnt-in on a ROM chip, but the more I read about it, it sounds like they're stored in a protected partition on eMMC. The eMMC 4.x+ spec suggests this is the case with the "Replay Protected Memory Block"; little kernel source has references to similar protected memory. I'm just starting to dig into it, but I'm pretty interested to know if it can be DMA'd.
I'm expecting the fastboot flash keystore to become common with late M or N devices with how Google is pushing the verified boot stuff (alerting the user about tampered boot). This would give their warnings a lot more value, since then you could sign your own modifications and only be alerted if something else then made changes to the boot.
The flash keystore seems to have a bunch in common with the (Windows) UEFI secureboot. I would assume that's a reason Intel has a jump on it.
Interesting... I'm guessing Google will use qFuses to track whether or not the boot process has been tampered with. I wonder where the splash screens are located, as I guess one could just replace the Tampered Boot screen with the normal boot one.
Surely all areas of the eMMC would be accessible via something like JTAG?
Hmm, yeah it would make sense for Little Kernel to check the OS's kernel integrity, something like get the key from the keystore into a variable, then check against the actual kernel image?
Little Kernel is pretty interesting, actually; from what I've gathered it controls stuff like entering modes (holding Power + VolUp will enter Recovery or Fastboot etc.) and Fastboot. Have you ever tried to load LK into IDA? Integrating something like the Cerberus app into ABOOT would be awesome, anti-theft at the bootloader!
(dylanger) said:
Interesting... I'm guessing Google will use qFuses to track whether or not the boot process has been tampered with. I wonder where the splash screens are located, as I guess one could just replace the Tampered Boot screen with the normal boot one.
Surely all areas of the eMMC would be accessible via something like JTAG?
Hmm, yeah it would make sense for Little Kernel to check the OS's kernel integrity, something like get the key from the keystore into a variable, then check against the actual kernel image?
Little Kernel is pretty interesting, actually; from what I've gathered it controls stuff like entering modes (holding Power + VolUp will enter Recovery or Fastboot etc.) and Fastboot. Have you ever tried to load LK into IDA? Integrating something like the Cerberus app into ABOOT would be awesome, anti-theft at the bootloader!
I would guess the splash screen is in aboot, since it's the first thing with graphics output, and its alerting you that boot.img onward has been tampered with. If you can replace the splash screens, I'd assume you could break the whole chain since you'd already be altering aboot.
I think if you had raw access to the eMMC, you could replace the keystore. Do you know if JTAG is accessible on the OPO or similar devices? I read somewhere that JTAG is generally disabled/removed from non-engineering devices with 800+ series snapdragons. I've had no luck tracking down the JTAG so far on the board. All I've been able to get is UART.
binsol said:
I would guess the splash screen is in aboot, since it's the first thing with graphics output, and its alerting you that boot.img onward has been tampered with. If you can replace the splash screens, I'd assume you could break the whole chain since you'd already be altering aboot.
I think if you had raw access to the eMMC, you could replace the keystore. Do you know if JTAG is accessible on the OPO or similar devices? I read somewhere that JTAG is generally disabled/removed from non-engineering devices with 800+ series snapdragons. I've had no luck tracking down the JTAG so far on the board. All I've been able to get is UART.
Ah true, I didn't know ABOOT was the first process with graphics output, cheers for that.
Really!? I'd assume that JTAG access is enabled for support purposes? The whole "My phone doesn't work" so you send it in? And they'd just re-partition everything?
I bought a RiffBox a long time ago (never actually used it -_-); that allowed direct access to eMMC, read and write, so you could dump and write whole bin images.
Another quick question: it was my understanding that some of the boot process used ARM's TrustZone or TZ to store keys.
(dylanger) said:
Ah true, I didn't know ABOOT was the first process with graphics output, cheers for that.
Really!? I'd assume that JTAG access is enabled for support purposes? The whole "My phone doesn't work" so you send it in? And they'd just re-partition everything?
I bought a RiffBox a long time ago (never actually used it -_-); that allowed direct access to eMMC, read and write, so you could dump and write whole bin images.
Another quick question: it was my understanding that some of the boot process used ARM's TrustZone or TZ to store keys.
The source on the JTAG is evading me at the moment, but iirc the reasoning is that it's a huge security hole (shocker...), and not really necessary as the new QC chips are generally regarded as unbrickable, though I have one here that would disagree. You can put the OPO into Qcom download mode and push stock images to the (logical) disk. Will get you out of most bricks, like if you delete boot/recovery and lock the bootloader. I haven't spent enough time digging into it yet to know if you can get raw eMMC access that way.
TrustZone is used for secure execution and protected memory. From the LK source it looks like the eMMC keystore is dropped into TZ early in the boot. https://www.codeaurora.org/cgit/qui...rget/msm8974/init.c?h=LA.BR.1.3.2_rb3.16#n362
binsol said:
The source on the JTAG is evading me at the moment, but iirc the reasoning is that it's a huge security hole (shocker...), and not really necessary as the new QC chips are generally regarded as unbrickable, though I have one here that would disagree. You can put the OPO into Qcom download mode and push stock images to the (logical) disk. Will get you out of most bricks, like if you delete boot/recovery and lock the bootloader. I haven't spent enough time digging into it yet to know if you can get raw eMMC access that way.
TrustZone is used for secure execution and protected memory. From the LK source it looks like the eMMC keystore is dropped into TZ early in the boot. https://www.codeaurora.org/cgit/qui...rget/msm8974/init.c?h=LA.BR.1.3.2_rb3.16#n362
Oh the "Download" mode (The sort of last defence, I think its Power in + Volup + Power Button or something), would that be controlled by ABOOT or is it a SoC function? If it is controlled by ABOOT then it could be corrupted pretty easily.
If its controlled by the SoC then where would the code be stored?
(dylanger) said:
Oh the "Download" mode (The sort of last defence, I think its Power in + Volup + Power Button or something), would that be controlled by ABOOT or is it a SoC function? If it is controlled by ABOOT then it could be corrupted pretty easily.
If its controlled by the SoC then where would the code be stored?
The key combo trigger is in ABOOT: https://www.codeaurora.org/cgit/quic/la/kernel/lk/tree/app/aboot/aboot.c?h=LA.BR.1.3.2_rb3.16#n3280
However, I wouldn't be surprised if it's stored in a different partition (i.e. dbi), then sbl could auto-boot it in the event of a corrupt ABOOT. That would make sense to me, but I haven't purposefully erased or flashed a bad ABOOT yet to find out. The one I bricked here can still get into download mode, yet I can't get any other response from ABOOT if I boot it normally; pretty anecdotal, but it leads me to believe the download mode is unaffected by a corrupted ABOOT.
binsol said:
The key combo trigger is in ABOOT: https://www.codeaurora.org/cgit/quic/la/kernel/lk/tree/app/aboot/aboot.c?h=LA.BR.1.3.2_rb3.16#n3280
However, I wouldn't be surprised if it's stored in a different partition (i.e. dbi), then sbl could auto-boot it in the event of a corrupt ABOOT. That would make sense to me, but I haven't purposefully erased or flashed a bad ABOOT yet to find out. The one I bricked here can still get into download mode, yet I can't get any other response from ABOOT if I boot it normally; pretty anecdotal, but it leads me to believe the download mode is unaffected by a corrupted ABOOT.
I've successfully nulled out some fastboot commands before for Anti-Theft, but I'm pretty sure if you have access to Qualcomm's download mode you should be able to re-flash the ABOOT partition and get out of that brick?
Do you think that OnePlus would ever make LK/ABOOT open source? I'd love to be able to create my own bootloader, I wonder if any vendors do this because I'd buy one of their phones immediately!
Going off topic a little bit:
Have you ever looked into Qualcomm's DIAG mode with QPST? A lot of interesting stuff. I know they lock the modem's NV data down with an SPC (Special Programming Code); it's a 6-digit PIN. I wonder if anyone has tried to brute-force this PIN? Because the data would allow you to do lots of interesting stuff, like have the phone run on completely unsupported frequencies.
(dylanger) said:
I've successfully nulled out some fastboot commands before for Anti-Theft, but I'm pretty sure if you have access to Qualcomm's download mode you should be able to re-flash the ABOOT partition and get out of that brick?
Do you think that OnePlus would ever make LK/ABOOT open source? I'd love to be able to create my own bootloader, I wonder if any vendors do this because I'd buy one of their phones immediately!
Going off topic a little bit:
Have you ever looked into Qualcomm's DIAG mode with QPST? A lot of interesting stuff. I know they lock the modem's NV data down with an SPC (Special Programming Code); it's a 6-digit PIN. I wonder if anyone has tried to brute-force this PIN? Because the data would allow you to do lots of interesting stuff, like have the phone run on completely unsupported frequencies.
I doubt they will; I think support is a pretty big reason they don't release it. That, and the number of people who would actually roll their own would be pretty small. Though I would love it if they did.
Were you able to make changes to the OPO ABOOT? I saw your IDA post the other day.
It's been a while since I was digging around in QPST; there was quite a bit of research done for unlocking additional bands on the OPO, generally being inconclusive. http://forum.xda-developers.com/one...ock-aditional-bands-qualcomm-t2877031/page100
https://nathanpfry.com/wip-band-4-band-17-on-chinamobile-oneplus-one/
binsol said:
I doubt they will; I think support is a pretty big reason they don't release it. That, and the number of people who would actually roll their own would be pretty small. Though I would love it if they did.
Were you able to make changes to the OPO ABOOT? I saw your IDA post the other day.
It's been a while since I was digging around in QPST; there was quite a bit of research done for unlocking additional bands on the OPO, generally being inconclusive. http://forum.xda-developers.com/one...ock-aditional-bands-qualcomm-t2877031/page100
https://nathanpfry.com/wip-band-4-band-17-on-chinamobile-oneplus-one/
Indeed I was, I used a Hex Editor to null out (\x00) commands like "fastboot flash", "fastboot erase" and "fastboot oem"
It's very irritating; IDA can read everything up until the apps_init function.
Here's a snippet of the apps_init boot process from Reverse Engineering Android's Aboot book (http://newandroidbook.com/Articles/aboot.html)
When IDA got to loading any app, i.e. fastboot, it would get obfuscated and just render as hex. Have you tried to play around with ABOOT before? So close to actually seeing ARM assembly.
In reply to (dylanger):
That's cool, I'll start probing around. I haven't messed with aboot in IDA at all, but I've used IDA a lot in the past.
Do you think the obfuscation is deliberate? Also, have you tried some of the mbn scripts around? http://forum.xda-developers.com/showthread.php?t=2641245
I've seen a few references to them when people are reversing bootloaders.
In reply to binsol:
Really? Reverse engineering is pretty fun, really getting into the mind of the developer.
Yeah, use that plugin.
I have found the code that loads fastboot.c!
The obfuscation may have been my fault; I've loaded in ABOOT from ColorOS and it looks like everything is okay now.
Woohoo! Check that out!
After poking around a little bit more, ColorOS is a KitKat ROM that uses an older ABOOT; that's why it successfully opened in IDA.
If I open ABOOT from OnePlus One's latest firmware (cm-12.1-YOG4PAS1N0-bacon-signed) I get this
Now I think it's doing this because the plugin provided by MemoryController is outdated. I have no idea how to create these scripts/plugins for IDA; if anyone does know, please let me know. I think this could also unlock the ability to change the boot splash screens on newer firmware, as the images in the LOGO partition are encrypted; the code inside this newer ABOOT could contain the decryption process.
Back to the older KitKat ABOOT, here is the boot.img (kernel) loading code, just FYI:
We should probably move this thread over to your OPO topic; it'll probably get more views over there:
http://forum.xda-developers.com/oneplus-one/general/oneplus-one-lk-little-kernel-bootloader-t3269111
binsol said:
I read somewhere that JTAG is generally disabled/removed from non-engineering devices with 800+ series snapdragons.
This isn't specifically the source I was thinking of when I wrote that, but it also suggests that JTAG is generally disabled:
http://recon.cx/2013/slides/Recon20...uditing Android's Proprietary Bits-public.pdf
Slides 31,48
In reply to binsol:
Ah yeah, I've seen this. I'm actually digging into the vendor RIL driver (libril-qc-qmi-1.so) as I'd like to share the baseband of one device with another.
Interesting: I've found some code referencing "QCRIL_EVT_HOOK_UNSOL_ENGINEER_MODE". UNSOL means unsolicited command, meaning it's an incoming command from the baseband to the upper layers of the RIL. Looks kind of backdoor-ey to me, perhaps remote enabling of Engineer Mode?
I've also just seen what (I guess) is the SIM PIN and PUK verification code?
Should I create another thread? Would you be interested in discussing further?
There were a lot of interesting strings in the modem last time I looked, like stuff relating to http and hdmi (video drm?). Is this the OnePlus One modem? It would probably make sense to make a thread in that forum. I'm not sure how much interest it would generate here.
Disclaimer: I hope you don't break your phone, but if you do, it's not my fault. Since you are choosing to modify your phone, you accept full responsibility for whatever happens to it, including any damage that may have occurred as a result of incorrectly flashing your device.
Hey guys, similar to all of @Some_Random_Username's unbrick threads, here are the EDL packages (also known as MSM tools or unbrick tools) that can revive a bricked OnePlus Nord N200 5G.
Important: This is only for the T-Mobile variant of the N200. This will not work on the factory unlocked variant and may or may not work for the Metro variant.
Downloads:
11.0.1.5.DE18CB
Original archive
Google Drive
7z format (thanks @edale1)
AndroidFileHost
MEGA
zip format (thanks @nv270)
Rethink Files
Also available at https://onepluscommunityserver.com/
Instructions:
Launch MsmDownloadTool V4.0.exe.
On the login prompt, select "Others" in the dropdown menu and click Next.
Wait a few seconds until the main window shows up.
Press the Start button so that it waits for your device to be connected.
Power off your device.
Press and hold the volume up and volume down buttons to get into Qualcomm EDL mode.
Plug your device into your computer.
Should you not manage to do that and still have ADB access, you can use adb reboot edl instead.
Wait ~300 seconds.
Enjoy your brand new device.
FAQ:
Does this work on Mac or on Linux?
Unfortunately no, the tool is Windows only. You need at least Windows 7.
Why is my antivirus freaking out when unzipping the archive or running the tool?
In an effort to prevent reverse engineering (and by extension prevent conversion processes like the ones done on the 6T and 7 Pro), OnePlus now uses VM Protect V3 in its MSM tools. As this tries to detect a debug environment, it is seen as malicious behaviour by some antivirus software.
How can I check my device project ID?
Use getprop ro.boot.project_name. This however involves having ADB access, or access to OxygenOS to use Termux or whatever terminal emulator you prefer.
My device isn't detected
Go to device manager and make sure your phone shows up as QDLOADER 9008.
If it shows up as QHUSB_BULK, it means Qualcomm driver wasn't installed automatically by Windows Update. Download the latest one from Microsoft website at http://download.windowsupdate.com/c..._fba473728483260906ba044af3c063e309e6259d.cab (source https://www.catalog.update.microsof...updateid=8ee52ba0-bdef-4009-88cf-335a678dd67a ) and install it manually by right clicking on QHUSB_BULK and selecting "Update driver software" and "Browse my computer for driver software" to where you downloaded CAB file.
If you can't get into EDL mode by hardware keys, you may use adb reboot edl (will require your phone to still have ADB access)
MSM tool is stuck on "Param pre-processing"
Ensure you're using the Qualcomm drivers linked above.
MSM tool is stuck on "Sahara communication failed"
Unplug your phone, get into fastboot mode, turn off the phone, wait 15 seconds and get back into Qualcomm EDL mode. You can also try using a USB 2.0 port instead of a 3.0 one.
What is SMT Download mode?
Just don't try to unlock that mode, it will wipe your IMEI and your Widevine certificate if you use it.
How can I fix "SMT config not found" error?
Please refer to https://forum.xda-developers.com/showpost.php?p=83448961&postcount=61
Credits:
@Some_Random_Username for help getting files and for the mirror
@edale1 and @nv270 for repacking and mirroring the files
@nache2001 for testing the tool out on his device
OnePlus for the device and OS
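Two of the checks in the post above are worth automating before handing the phone to a VMProtect-packed binary pulled from a mirror: that the archive you downloaded matches the hash you got from a source you trust, and that the device really is the variant the package is built for (the FAQ's getprop ro.boot.project_name check, given that the tool does not work on the unlocked variant). The Python below is an added example, not part of this post or of OnePlus's tooling. It assumes adb is on PATH; the pinned SHA-256 and the expected project name are inputs you supply, and the values in SAMPLE_GETPROP are constructed placeholders, not the real N200 project name.

```python
"""Added example (not from the thread or from OnePlus): pre-flight checks
before handing the phone to the MSM tool.  Assumes `adb` is on PATH.  The
pinned SHA-256 and the expected ro.boot.project_name are inputs you supply;
the values in SAMPLE_GETPROP are constructed placeholders."""
import hashlib
import re
import subprocess

# One `getprop` line: [key]: [value]
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]\s*$", re.M)

# Constructed excerpt in the format `adb shell getprop` prints (placeholder values).
SAMPLE_GETPROP = """\
[ro.boot.project_name]: [example_project]
[ro.build.version.release]: [11]
[sys.oem_unlock_allowed]: [0]
"""


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Stream the file so a multi-GB MSM archive does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_archive(path, expected_hex):
    """Return (matches, actual_hex); the comparison is case-insensitive."""
    actual = sha256_file(path)
    return actual == expected_hex.strip().lower(), actual


def parse_getprop(text):
    return {m["key"]: m["value"] for m in GETPROP_LINE.finditer(text)}


def check_variant(props, expected_project_name):
    """True if the device reports the project name the package was built for."""
    name = props.get("ro.boot.project_name")
    if name is None:
        raise ValueError("ro.boot.project_name not present in getprop output")
    return name == expected_project_name


def adb(*args):
    return subprocess.run(["adb", *args], capture_output=True, text=True, check=True).stdout


def preflight(archive, expected_sha256, expected_project_name):
    """Hash the archive, check the variant over ADB, then reboot into EDL.
    Raises instead of proceeding on any mismatch."""
    ok, actual = verify_archive(archive, expected_sha256)
    if not ok:
        raise RuntimeError(f"refusing {archive}: sha256 {actual} != {expected_sha256}")
    props = parse_getprop(adb("shell", "getprop"))
    if not check_variant(props, expected_project_name):
        raise RuntimeError(
            f"device project {props['ro.boot.project_name']!r} is not {expected_project_name!r}"
        )
    adb("reboot", "edl")  # the thread's software fallback for the volume-key combo


if __name__ == "__main__":
    import sys
    preflight(*sys.argv[1:4])
```

Run it as `python preflight.py <archive> <pinned-sha256> <expected-project-name>` with the phone booted into Android and USB debugging on; it only reaches `adb reboot edl` once both checks pass, and the hash check is the part that matters most when the only way to "trust" the binary is an antivirus that is already complaining about it.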
@Nache and others who have the unlocked version from the OnePlus store and have the bootloader locked and phone bricked: this version will not work with your phone, as I just tried it myself today. Hopefully someone gets hold of the MSM download from tech support.
patiently waiting for the unlock
So just to confirm: for those of us with the T-Mobile version, this will install the default ROM from OnePlus and get rid of all the bloatware from T-Mobile and technically make our devices like they were originally purchased from OP?
And of course, in order to use this our bootloader needs to be unlocked?
Will this lock bootloader again?
And do we unlock it with same code we got from OP first time?
Thanks!
In reply to xentonix:
My understanding is the T-Mobile MSM Tools will restore a T-Mobile variant phone to the state it was in coming from T-Mobile; meaning if you debloated the phone, the bloat will be back.
You can use the MSM Tools even with a locked bootloader.
If your bootloader is unlocked, I believe this will lock it. (it may SIM lock your phone again as well, unsure...)
I think the same unlock token will work, but I'm hesitant to say 'yes' without someone testing it first.
In reply to xentonix:
1. Nope, this will revert your device back to the T-Mobile stock ROM, including all the bloatware. This does not convert your device into an unlocked variant.
2. This works whether your bootloader is locked or unlocked. If your bootloader is unlocked, using this tool will lock it again, and you will need to unlock it by flashing unlock_code.bin again.
In reply to edale1 and lzgmc:
Thank you!
I read an article that was a bit unclear and pointed to this, so I wanted to confirm.
Also, from everything else I gathered, there is still no way to flash the T-Mobile variant with a non-T-Mobile ROM?
I was interested to try LineageOS but that's not available either, it seems.
Phone's too new still. I think we need the MSM Tools for all the variants available before someone can figure out how to flash one variant into another, and we currently only have the T-Mobile variant's MSM Tools.
Incoming August 176 patch.
I have the update installed.
You can use restore image on Magisk uninstall before you start. If you encounter a problem, you can use the original boot image and run "mock patch".
Install the update and switch to Magisk when you're prompted to restart, let Magisk install in the unused partition, and restart after it has finished.
If you have a problem with CTS after the update, install Riru from Magisk and download the SafetyNet fix, and install it in Magisk as well (you have to reboot twice).
I've successfully restored my N200 phone several times using the MSM tool, but this most recent time it appears the process was interrupted and I get the following error when turning on the phone. I cannot boot the phone back into EDL mode to run the MSM tool again. Every 10 or so boots the phone will boot into fastboot instead of throwing the error. I tried flashing a backed-up boot.img and super.img, but no luck getting past the error. Any way to recover?
automatic ddr failed
Thank you! I could only get this to work by:
Unplug phone
Open MSMDownloadTool, don't click start
Hold down volume up and down
Plug phone into USB 2.0 port
Release volume up and down, verify device shows up as QDLOADER in Device Manager
Click "Enum" in MSMDownloadTool
Click on the device in the list and click "Start"
I got the bootloader unlock code. I need a SIM unlock for the "One Plus Nord N200 5G" by Metro. Help me!
In reply to towardsdawn:
I bricked my phone late last night and found this forum & thread; my problem was that each time my computer kept showing my phone as "Kedacom" until I scrolled through and found this post.
You guys saved my ass AND saved me a trip to T-Mobile too! I owe you guys big time!
I successfully flashed a MetroPCS device using the tool in this thread. I bricked my device using the DSU loader in developer options. "OEM unlocking" is greyed out. Can anyone point me to a good bootloader unlocking tutorial for this device? Is it possible to use this tool with a ROM that has already been rooted? Thanks.
Noob here. One thing to note: the device was not recognized in the beginning. I held vol up/down at the same time and then plugged in the device. Although the screen was black, the device was shown as "connected" and had no issues flashing. After 300 secs, voila!
In reply to bleezycheesy:
You can try this tutorial. It worked for me on T-Mobile, no idea about MetroPCS. The key line is
Code:
adb shell pm uninstall --user 0 com.qualcomm.qti.uim
MSMDownloadTool wipes the entire device and relocks the bootloader if it was unlocked, it doesn't care if you're rooted.
In reply to towardsdawn:
Thanks for the reference. It worked!
Why is there no MSM tool for the global N200 (BE2117)?
In reply to jasmok:
OnePlus doesn't seem to want to release it.
In reply to bleezycheesy:
No, it doesn't work on the Metro variant.
Hello, I am faced with the decision to get the T-Mobile OnePlus N20 or the N200.
I am abandoning Samsung after years of being disappointed by not being able to do with my phone what I choose.
I want a device I can root and tinker with and modify as I please.
So I'm looking at these 2 phones and obviously the N20 wins according to the specs, but I would like to know if anyone has been able to root this device yet? Or do you foresee any major obstacles to unlocking the bootloader? I don't want to be stuck yet again with a device that I can't mod the way I want. I would like to eventually be able to run Kali or some custom ROMs on it. I need a device that I can mostly replace my laptop with. I can't afford the flagship phone right now or I would go with that. If anyone has any suggestions or info I would greatly appreciate it.
Also, I know these are supposed to have to be SIM unlocked first, but I saw in another thread on another device (I believe it was an OPO something) that there was a script that got rid of the services/apps that prevented unlocking the bootloader while SIM locked.
Does anyone know if the same script could be run on this device, or will I have to SIM unlock it?
The unlocked variant can be rooted as easily as any, as long as you get a copy of its boot image. The TMo variant (which you're after) has yet to get its bootloader unlock token.
To me, having high refresh rate is paramount, so N20 omitting that is a critical flaw. Plus, having tried GSIs on both, I felt N20 was weirdly stuttery/unresponsive for its specs.
In reply to PsYk0n4uT:
Get the N20 over the N200 if the final price difference is less than $60.
The N200 is a bad device for its specs because OnePlus has no interest in optimizing the OS for its low-end phones with 4GB RAM, because OnePlus has only two devices with 4GB RAM: the N100 and N200. OnePlus put an OS designed for 6GB/8GB RAM with mid-to-high-end CPUs on the N200, which has only 4GB RAM and a lower-end CPU, and as a result the N200 performs like a Motorola phone with 2GB/3GB RAM.
Similarly specced Motorola phones perform much better than OnePlus.
Ironically, if you update the N200 to Android 12, the system will say the phone has a Snapdragon 855 CPU, while it has a low-end Snapdragon 480 CPU. So basically OnePlus software engineers just put an OS designed for high-end phones onto the low-end N200 without any optimization, and even forgot to change the CPU model name.
If you buy the carrier TMO/Metro version, you need to obtain the unlock token bin to unlock the bootloader, and you need to SIM unlock first to enable OEM unlock, or you can use the trick of disabling the Qualcomm UIM app.
In reply to googlephoneFKLenAsh:
Care to elaborate on what this Qualcomm uim app trick happens to be?
So I went with the n20. Actually seems to be a pretty decent phone other than the fact that it shipped with a 7 digit serial so I can't get an unlock token. Been back and forth with OnePlus trying to get it resolved but they always just tell me they will email a response within a few days. Their last response was to add a zero before the serial. But doing so just gives me an error that the serial/unlock code don't match. Hopefully I can get this taken care of and get the bootloader unlocked. OEM unlock was easy peasy to get with the debloat script found elsewhere in the opo threads here
Actually I have to say this is one of the better performing devices that I've owned. Similar to some of the flagship phones I've had. Only the refresh rate I guess would be a turn off for some though it doesn't bother me at all.
N20 of course
6/128 can make big difference from N200
Due to limit of response time, 90Hz IPS may not be better than 60Hz AMOLED
695 is like 750 according to Geekbench
In reply to PsYk0n4uT:
Oem unlock means sim unlock or bootloader unlock?
In reply to eagle3489:
In short, bootloader unlock.
OEM stands for Original Equipment Manufacturer. It refers to the manufacturer lock on the bootloader. It is a security feature to keep you from accidentally bricking your device by tampering with the system images/files, or to keep malware from being able to modify or tamper with your system. This is why SafetyNet fails when you root, and many banking apps and games check SafetyNet at the beginning of execution to make sure that you're running a secure system before they allow an app to open. There are some ways to get around that by hiding root/Magisk with Xposed modules (LSPosed) etc. Some methods work for some apps and others don't. Make sure you have everything backed up before doing any modifications to your system, because it's easy to brick your device (make it unbootable/nonfunctional).
I haven't found a way to SIM unlock without going through the carrier. There are services out there that claim to be able to SIM unlock your device for a fee, and many have been reviewed by other members. I have not personally ever used one. But here I'm referring to unlocking the bootloader so that the system on the device can be modified (rooted, non-stock ROMs, system tweaks/mods).
ScarletWizard said:
I have the n20 and was able to unlock boot loader and root with still being carrier locked.
Yeah, mine is rooted, tooted and ready to be booted, and is still carrier locked and not paid off.
ScarletWizard said:
Post your T-Mobile bill. Here is mine.
I read your posts and decided on the N20 as well and I must say this is an AWESOME little phone.
It came with the stock July OS. I have read many of the posts on here but I'm sort of stuck. I can't seem to figure out how to get a copy of the original OS. I read some options saying that if I couldn't get a copy I could try to make one using TWRP, but that went down a dead end and I am back to square one. I have enabled developer mode, debug over USB, and set the setting to allow OEM unlock, and I'm kind of stuck at this point. My goal is to root this thing so that I can get call recording working like my older phones.
In reply to jonathandeath:
File folder on MEGA (mega.nz)
ScarletWizard said:
I brick my N20 daily trying Xposed modules and I restore every time using my boot.img backup.
You should seriously flash this before anything and it'll save you from bootloop
Thank you so much! I am downloading now.
This is the one I picked up just for reference. 8 digit serial number on this model.
I disabled automatic updates and had the OEM bootloader unlocked, as well as all Play Store options for updates disabled, and this morning the phone updated itself without warning to the August update. It started talking about upgrading to Android S and I factory reset it hoping it would roll everything back, but nope. Stuck on the stupid August update. I just wanted to get root back on it with call recording and lock down all Android OS updates.
ScarletWizard said:
Where do you find these zips. I haven't seen that in any repo
Hours and hours of hopelessly searching the bowels of the internet, my good man.
In reply to DrScrad:
How do I flash this first? I am starting fresh again tonight and want to do it right.
Gotcha,
So I have chosen to begin this portion with the following.
Disable DM-Verity or Android Verified Boot without TWRP (www.droidwin.com): "In this tutorial, we will show you the steps to disable DM-Verity or Android Verified Boot (AVB) without using TWRP Recovery."
The first step is to get a stock image file. However, I have not been able to make a copy of my stock ROM, nor of the current stock ROM on my phone, which is now on the August patch (2022-09-05). I have downloaded several copies, but there have been posts saying not to use just any version of the stock ROM, so I'm trying to make sure I'm doing this right.
I am also on
Build Number CPH2459_11_A.08
Baseband version Q_V1_P14
Kernel version 5.4.147-qgki-g26211b5d5105
Hardware version CPH2459_11
I have the following files downloaded to work with.
I'm thinking of using this one.
Inside the following files can be found
If this is all right then I will try to continue with this portion of their instructional.
Does this sound about right?
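The final step of the droidwin tutorial quoted above, fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img, works by flipping two bits in the vbmeta header before the image is sent. The Python below is an added example (not from the tutorial, not from this post) that shows exactly which bytes change: it parses the fields of an AVB vbmeta header that matter here, reports whether verity and verification are already disabled, and sets the two flags in a copy. The sample image is constructed; the offsets follow the AvbVBMetaImageHeader layout (magic at byte 0, flags as a big-endian u32 at byte 120).

```python
"""Added example (not from the droidwin tutorial or this thread): inspect and
patch the flags field of an AVB vbmeta image, which is what
`fastboot --disable-verity --disable-verification flash vbmeta` does to the
image before sending it.  SAMPLE_VBMETA is constructed."""
import struct

AVB_MAGIC = b"AVB0"
HEADER_SIZE = 256            # sizeof(AvbVBMetaImageHeader)
FLAGS_OFFSET = 120           # AvbVBMetaImageHeader.flags, big-endian u32
RELEASE_STRING_OFFSET = 128  # 47 bytes plus NUL terminator
FLAG_HASHTREE_DISABLED = 1 << 0      # set by --disable-verity
FLAG_VERIFICATION_DISABLED = 1 << 1  # set by --disable-verification


def is_vbmeta(image):
    return len(image) >= HEADER_SIZE and image[:4] == AVB_MAGIC


def parse_header(image):
    """Return the header fields relevant to verity/verification state."""
    if not is_vbmeta(image):
        raise ValueError("not an AVB vbmeta image")
    major, minor = struct.unpack_from(">II", image, 4)
    (flags,) = struct.unpack_from(">I", image, FLAGS_OFFSET)
    raw = image[RELEASE_STRING_OFFSET:RELEASE_STRING_OFFSET + 48]
    release = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return {
        "libavb_version": (major, minor),
        "flags": flags,
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "release_string": release,
    }


def set_flags(image, disable_verity=False, disable_verification=False):
    """Return a copy of `image` with the requested flag bits OR-ed in.
    Nothing else in the image is touched, so the size is unchanged."""
    flags = parse_header(image)["flags"]
    if disable_verity:
        flags |= FLAG_HASHTREE_DISABLED
    if disable_verification:
        flags |= FLAG_VERIFICATION_DISABLED
    out = bytearray(image)
    struct.pack_into(">I", out, FLAGS_OFFSET, flags)
    return bytes(out)


def make_sample_vbmeta(flags=0):
    """Constructed minimal header: magic, libavb 1.0, given flags, no descriptors."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:4] = AVB_MAGIC
    struct.pack_into(">II", hdr, 4, 1, 0)
    struct.pack_into(">I", hdr, FLAGS_OFFSET, flags)
    release = b"avbtool 1.2.0"  # constructed release string
    hdr[RELEASE_STRING_OFFSET:RELEASE_STRING_OFFSET + len(release)] = release
    return bytes(hdr)


SAMPLE_VBMETA = make_sample_vbmeta()


def patch_file(src, dst, disable_verity=True, disable_verification=True):
    """Write a patched copy of the vbmeta image at `src` to `dst` and return
    the parsed header of the result."""
    with open(src, "rb") as f:
        image = f.read()
    patched = set_flags(image, disable_verity, disable_verification)
    with open(dst, "wb") as f:
        f.write(patched)
    return parse_header(patched)


if __name__ == "__main__":
    before = parse_header(SAMPLE_VBMETA)
    after = parse_header(set_flags(SAMPLE_VBMETA, True, True))
    print("before:", before["flags"], "after:", after["flags"])
```

The flags field sits inside the signed part of the header, so setting only the verity bit leaves a vbmeta whose signature no longer matches; the verification-disabled bit is what tells libavb to skip that check, and libavb only honours it when the bootloader is unlocked. On a locked N20 the patched image is rejected, and on an unlocked one you have removed the integrity check on boot and system, which is what lets a Magisk-patched boot image keep booting and is also what the verified-boot state reported to SafetyNet reflects.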