On request, I've made a small application that allows you to check secure version checks by the bootloader, by which you can determine whether you can downgrade or not.
What is secure version: when bootloader checks signature (on the signed partitions), it will also verify that their secure version is greater or equal than the requirement stored. The storage works as follows:
CDT Secure Version is written to eFuse as SEC_AP_OS. It is not possible to reflash a cdt with lower secure version, you will get stuck in fastboot.
Other partitions' secure versions are stored in CDT. Therefore it's potentially possible to have multiple CDTs with same secure version, but different secure version requirements on the partitions.
Secure version is checked right when signature is checked. This is for Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot
How to check whether you can downgrade? It's quite simple.
1) Find the last cdt.bin (cdt.bin_signed) in OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA, you are about to flash. Compare secure versions for all partitions, including CDT. If the new flash file has lower secure versions, you cannot downgrade.
Lastly, note that to flash through fastboot, filesystem partitions with 05 signature type are checked for signature / sec. version, but you cannot find these in OTA.
Download the tool from here: http://skrilax.droid-developers.org/moto/tools/CDTParser_1.00.zip
Thanks, I'm just about to release mine.
But yours if perfect!
To someone who prefer to get their hand dirty,
Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID (CID) is at 0x3FFE
- 7 : EU XT910
- 5 : SKT XT910S
- 4 : CN XT910/KDDI IS12M (XT909)
- 3 : LATAM XT910
- 2 : VZW XT912
- DEAD : Phone with a wiped CID.
Extra:
Remember the method to install chinese ICS??
by wiping the CID partition, the bootloader ignores CID number &
that enable you to flash different region rom.
The side effect is, it's only bootable via bp-tools.
Update : Myth is confirmed!! CID is erasable by "allow-mbmloader-flashing-mbm.bin". But make sure to have a backup of it first.
I'm a motorola noobies & my information could possibly wrong.
Proceed at your own risk.
Attached is a simple Java command line tool (usefull for batch job)
usage : java -jar cdt_reader.jar input.bin > output.txt
As always the best my brother.
whirleyes said:
Thanks, I'm just about to release mine.
But yours if perfect!
To someone who prefer to get their hand dirty,
Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID is at 0x3FFE
-CID 7 : EU XT910
-CID 2 : VZW XT912
-CID 4 : CN XT910/JP XT909
Extra:
Remember the method to install chinese ICS??
by wiping the CID partition, the bootloader ignores this end bit &
that enable you to flash different region rom.
The side effect is, it's only bootable via bp-tools.
Correct me if I'm wrong
Java command line tool
Click to expand...
Click to collapse
But without root we aren't able to wipe the CID partition?
No idea. I think, fastboot doesn't implement function.
dtrail1 said:
But without root we aren't able to wipe the CID partition?
Click to expand...
Click to collapse
I have erased cdt partition and after i have flash via fastboot. For do it is important flash first the mbloader rewrite module, reboot, after not flash mbloader but erase cdt partition and after write mbloader.
If you look the sbf step in t-mobile package ...execute only first flash and reboot, stop procedure, erase cdt partion and after execute the next two step in sbf.
In this mode you can erase cdt partition. i have do it ...but after i have reflashed the cdt of 4.0.4 ota signed because the system not accept any cdt. You find cdt partition in zip of the OTA 4.0.4 T-MO ..
Bye
Thanks for the files!
Skrilax_CZ said:
Secure version is checked right when signature is checked. This is for Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot
How to check whether you can downgrade? It's quite simple.
1) Find the last cdt.bin (cdt.bin_signed) in OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA, you are about to flash. Compare secure versions for all partitions, including CDT. If the new flash file has lower secure versions, you cannot downgrade.
Click to expand...
Click to collapse
Hi Skrilax
This is cdt_bin from two versions of GB, first 2.3.5 and 2.3.6 respectively:
2.3.5
2.3.6
My question is about the secutiry version. It's a 03 cdt secure that's not described by you and I want move back.
It's possible, somehow a workaround to flash this?
May I just delete the CDT bin?
system also have diferent secure version, this is a problem to flash system too?
And, Thanks a lot for the tool!
is it possible to downgrade with this method?
im on the latest china leak and am unable to root or downgrade...
someone help pls...
pedrotorresfilho said:
Hi Skrilax
My question is about the secutiry version. It's a 03 cdt secure that's not described by you and I want move back.
It's possible, somehow a workaround to flash this?
May I just delete the CDT bin?
system also have diferent secure version, this is a problem to flash system too?
And, Thanks a lot for the tool!
Click to expand...
Click to collapse
I have erased cdt partition via RDS Lite but i can reflash only with same secure cdt extracted from the OTA. I try to flash minor secure cdt but it is NO possible.
Where is the control ?
linusmax said:
I have erased cdt partition via RDS Lite but i can reflash only with same secure cdt extracted from the OTA. I try to flash minor secure cdt but it is NO possible.
Where is the control ?
Click to expand...
Click to collapse
Hi, thanks 4 the reply.
Had you flashed the lower secure mbmloader before?
Status code (Locked 0) :/
Sent from my XT910 using Tapatalk 2
@pedrotorresfilho: Secure version is a plain number. What I was describing is signature type (different column).
And no, once you have cdt.bin with sec. ver 03, you can only flash another one with sec. ver 03.
Skrilax_CZ said:
@pedrotorresfilho: Secure version is a plain number. What I was describing is signature type (different column).
And no, once you have cdt.bin with sec. ver 03, you can only flash another one with sec. ver 03.
Click to expand...
Click to collapse
Oh, Man!
Actual official OTA to Vivo is GB 2.3.5, but update to 2.3.6 before ICS rollout is about to happen. Next one will probably be the good one. (All the OTA updates to LatAm razrs came from service providers, carrier: Rogers, Fido, Telcel, Vivo...)
I saw a VIVO update news in motorola website and I'm guessing ICS will come first to vivo phones.
Thanks a lot!
Bump!
whirleyes said:
Thanks, I'm just about to release mine.
But yours if perfect!
To someone who prefer to get their hand dirty,
Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID is at 0x3FFE
-CID 7 : EU XT910
-CID 5 : SKT XT910S
-CID 4 : CN XT910/KDDI IS12M (XT909)
-CID 2 : VZW XT912
#CID for LATAM? (I haven't check)
Extra:
Remember the method to install chinese ICS??
by wiping the CID partition, the bootloader ignores this end bit &
that enable you to flash different region rom.
The side effect is, it's only bootable via bp-tools.
I'm a motorola noobies & my information could possibly wrong.
Proceed at your own risk.
Attached is a simple Java command line tool (usefull for batch job)
usage : java -jar cdt_reader.jar input.bin > output.txt
Click to expand...
Click to collapse
Thanks for sharing!
I have a bricked xt910s which has no sbf files to flash...
My question is if i change the CID in other razr version's fastboot files cdt (to match my xt910s), would i be able to flash it to my damn SKT Razr?
Would it be possible to edit that cdt file?
I greatly appreciated your suggestions!
Thanks.
Sent from my HTC Wildfire
reachking said:
Would it be possible to edit that cdt file?
Click to expand...
Click to collapse
The cdt file is sign by a Motorola security certificate. If you edit it, it will failed the verification test. It won't be flash-able.
whirleyes said:
The cdt file is sign by a Motorola security certificate. If you edit it, it will failed the verification test. It won't be flash-able.
Click to expand...
Click to collapse
am stuck on ICS 4.04 leak(non rooted) i plan to flash 2.3.6 on this and give motorola my non booting phone to get a motherboard or some sort of replaced phone to get back to the 2.3.6.
nischalnischal said:
am stuck on ICS 4.04 leak(non rooted) i plan to flash 2.3.6 on this and give motorola my non booting phone to get a motherboard or some sort of replaced phone to get back to the 2.3.6.
Click to expand...
Click to collapse
No need to change hardware parts. They are able to flash special signed fastboot files to rewrite partitions.
Gesendet von meinem XT910 mit Tapatalk 2
dtrail1 said:
No need to change hardware parts. They are able to flash special signed fastboot files to rewrite partitions.
Gesendet von meinem XT910 mit Tapatalk 2
Click to expand...
Click to collapse
wow thats news good let me try that
nischalnischal said:
wow thats news good let me try that
Click to expand...
Click to collapse
Of course it's possible they'll check partition signature to find out you void warranty.
Related
Hi Everyone,
Many apologies upfront - I'm new to this forum - Hello everyone! - and I'm a complete newbie to phones and am starting to learn this whole thing about rooting/SBF/unlocking guides - please bare with me...
I have a Xoom 3G, and have successfully created my own unsecured boot.img and have been able to patch it to an unlocked bootloader (fastboot oem unlock) and have been able to flash the boot.img successfully, giving me an easy root access on HC 3.1. Where I'm failing to understand with the Atrix is:
1. What is this SBF (Binary File) - I've trialed and errored as much with sbf_flash -x on the original SBF with all thje *.img files and in theory it all appears to be the same as what I have on the Xoom (CG56.img being the boot.img)? Can I just flash the boot.img with the modified ro.secure=0 to emulate what was done on the Xoom - so flash the unsecured boot.img and push the su and Superuser.apk?
2. Following question 1, do I need to have the bootloader unlocked prior to flashing the unsecure boot.img to the boot partition? Is this a neccessary step? Will I brick my phone if I do not unlock the bootloader prior to flashing a unsecure boot.img?
3. I think I have a HKTW version of the phone (this is the firmware I have):
Branding: Retail Hong Kong/Taiwan
Version: 0.56.0 Service
Android Version: 2.2.2
Bootloader Version: N/A
Webtop version: 6.61.22
Is there a way I can upgrade to 2.3.4? I'm guessing there is a leaked version of the SBF (even if it's a testing/development version) that I can easily RSD the sbf to this phone, and everything should be still AOK? What I really mean is, is there a necessary requirement for puddings like the ATT/OLYFR versions?
4. Again - following question 3, if I did let's say apply the SBF of the HKTW 2.3.4, can I then apply the original SBF so that I can get OTA of 2.3.4 when it becomes available?
Many apologies upfront - I seem to be getting confused because I learnt how to root/unlock on the Xoom, and this "signed/unsigned" / "locked/unlocked bootloader" thing is really confusing...
Any advice is much appreciated.
Thanks heaps in advance!!!
PART ONE ON ANSWERING YOUR QUESTION (UNLOCKING BOOTLOADER)
I have no idea about flashing an unsecured boot.img. I am guessing that is the way you root the xoom and you are wondering how to unlock the atrix.
An SBF file cannot be flashed by fastboot. To flash an sbf file, you need to download a utility called RSD Lite.
I am going to give you step by step instructions on how to unlock your bootloader.
(You agree this will void your warranty and the bootloader on the atrix CANNOT be relocked)
1. Download RSD Lite 5.3.1 and the drivers for your phone.
2.Download this bootloader unlock file for International Atrix
3.Unzip (or unrar lols) the file. You should get a .sbf file
4. Power down your phone.
5. Turn on your phone by holding the power/lock button and the volume up key.
6. You should see a line of text that reads "Starting RSD protocol support"
7. Start RSD Lite and plug your phone into your computer.
8. RSD Lite should detect your phone as model SE Flash olympus
9. Press the "..." button and select the file you unzip.
10. Press start and wait.
11. After awhile, your phone should reboot.
12. Turn it off and put it in RSD mode (step 5)
13. Check RSD Lite. Make sure the Result states "PASS"
14. Disconnect the USB and remove the battery.
15. Put the battery back in and now start your phone while holding power/lock and volume down.
16. You should see "Fastboot". Press volume up.
17. You should see "Starting Fastboot protocol support"
18. Now plug your USB back in and issue the "fastboot oem unlock" command
19. You should get a unique ID for your device.
20. Run fastboot oem unlock "unique ID" (without quotes)
21. You now have an unlocked bootloader.
frankus0512 said:
2. Following question 1, do I need to have the bootloader unlocked prior to flashing the unsecure boot.img to the boot partition? Is this a neccessary step? Will I brick my phone if I do not unlock the bootloader prior to flashing a unsecure boot.img?
Click to expand...
Click to collapse
Yes it is necessary. With a locked bootloader flashing it will fail but should not brick your device.
If all you want is root, there are easier ways ie gingerbreak
frankus0512 said:
Is there a way I can upgrade to 2.3.4? I'm guessing there is a leaked version of the SBF (even if it's a testing/development version) that I can easily RSD the sbf to this phone, and everything should be still AOK? What I really mean is, is there a necessary requirement for puddings like the ATT/OLYFR versions?
Click to expand...
Click to collapse
2.3.4 RSD is for AT&T atrix for now, it will not work on our phones.
"is there a necessary requirement for puddings"
puddings are used to unlock your bootloader
If you want 2.3.4, custom roms are your best bet now
Thank you for your kind response!!!!
If I flash the IHOP.sbf, can I then revert back to the original SBF if I need to get Warranty claims, etc? Do I need to "fastboot oem unlock" prior to flashing the original SBF?
Also - what's the main difference between a ROM and a AOSP kernel? Is a ROM equivalent to a SBF?
Thanks so much once again!!!
frankus0512 said:
If I flash the IHOP.sbf, can I then revert back to the original SBF if I need to get Warranty claims, etc?
Click to expand...
Click to collapse
Nope =( It is irreversible.
frankus0512 said:
Do I need to "fastboot oem unlock" prior to flashing the original SBF?
Click to expand...
Click to collapse
Run "fastboot oem unlock" after flashing the IHOP file. Doing it before will result in nothing.
frankus0512 said:
Also - what's the main difference between a ROM and a AOSP kernel?
Click to expand...
Click to collapse
ROM is like an operating system for your phone (example windows 7, ubuntu 10.10) while kernel is like drivers, they allow the OS to interect with the hardware. AOSP kernel? I don't think it exists.
frankus0512 said:
Is a ROM equivalent to a SBF?
Click to expand...
Click to collapse
ROM is like an OS, SBF is a file motorola uses to flash a phone back to stock.
frankus0512 said:
Thank you for your kind response!!!!
Thanks so much once again!!!
Click to expand...
Click to collapse
Your welcome! Hope it helped!
Thank you so much again Matthew5025!
Final question - ROM, you mentioned it's like an OS.
After the bootloader has been unlocked - I found out that the SBF with pudding contains certain *.img only - can I flash any ROM that is posted here? I know there are different ways to apply a ROM out there, but I'm guessing all a ROM flash does is change the root.img and the system.img for their respective partitions? It doesn't touch anything on the radio side or anything else, right?
Reason I ask is so that I can keep using multiple SIM since the phone is not carrier locked - I travel quite a bit - whenever I'm in different countries (just need to set the APN in there).
Thank you so much once again!!!
Cheers.
frankus0512 said:
After the bootloader has been unlocked - I found out that the SBF with pudding contains certain *.img only - can I flash any ROM that is posted here?
Click to expand...
Click to collapse
I don't actually quite understanding what you are trying to say =(
SBF is not a ROM
Yes you can flash any ROM made for the international atrix. It's always good practice to red the specific ROM threads for more info on the specific ROMS.
frankus0512 said:
I know there are different ways to apply a ROM out there, but I'm guessing all a ROM flash does is change the root.img and the system.img for their respective partitions? It doesn't touch anything on the radio side or anything else, right?
Click to expand...
Click to collapse
Actually, a ROM changes your system partition and alot more. As before, different ROMs change different things and you should always refer back to specific ROM pages on what a specific ROM might change.
Although it is possible for a ROM to modify your radio and kernel, moet developer require you to do it yourself.
frankus0512 said:
Reason I ask is so that I can keep using multiple SIM since the phone is not carrier locked - I travel quite a bit - whenever I'm in different countries (just need to set the APN in there).
Click to expand...
Click to collapse
Get an international kernel/radio and it should work!
Ok so im Rooted. Thats all i have done so far.
But BEFORE I DO THIS. i have read through the noob section a good 3 or 4 times.
SO let me get this straight before i go ahead with it.
My Phone is :
System Version: 4.5.9.1
Model: MB860
Android Version: 2.3.4
Webtop: wt-1.2.0-110
Build Number: 4.5.91
kernel: 2.6.32.9-00001
So i want to flash this file sbf from xda:
Atrix 4G - US MB860
Branding: AT&T US
Version: 4.5.91 NO DOWNGRADE
Android Version: 2.3.4 NEW!
Bootloader Version: N/A
Webtop version: N/A
Requires RSD Lite 5.0.0
Requires Moto Android (De)packer 1.3 to edit.
so from what i have read all this is gonna do is unlock the bootloader, so i can install clockwork correct, and flash roms.?
Flash a 4.5.91 on top of an existing 4.5.91? don't quite understand the logic.
If you want to unlock the BL, look for the "pudding" post in the development section. it's a small 1MB sbf to flash, and is less risk than flashing another big SBF.
once you have a BL unlocked, you can flash CWM
1+ on that or look for the unlock guide on briefmobile i used it alot works well with fasttboot
Sent from my MB860 using Tapatalk
rsdlite says its "SE Flash Olympus" instead of NE, Is that still safe do ya think. Or is this maybe a new model?
It is rooted but i cant find the terminal emulator neither? doesnt that get put on when ya root?
I didnt flash it yet, because im trying to look into this SE/Ne issue before i do it.
Thanks guys.
"root" will put "su" and "superuser" on your phone.
you can try download a terminal emulator from Market. it may be independent of "root"
yep got it, so far it did get ask for superuser permissions, and gave it.
but when i try to chmod the system directory, it keeps telling me the directory is read only... i want to chmod the /system/apps folder, still get the same thing....
hmmm
I believe the directory (partition) is mounted read only (r/o), you'll have to mount it as r/w. It's much easier to do it in Root Explorer
pcrat said:
Ok so im Rooted. Thats all i have done so far.
But BEFORE I DO THIS. i have read through the noob section a good 3 or 4 times.
SO let me get this straight before i go ahead with it.
My Phone is :
System Version: 4.5.9.1
Model: MB860
Android Version: 2.3.4
Webtop: wt-1.2.0-110
Build Number: 4.5.91
kernel: 2.6.32.9-00001
So i want to flash this file sbf from xda:
Atrix 4G - US MB860
Branding: AT&T US
Version: 4.5.91 NO DOWNGRADE
Android Version: 2.3.4 NEW!
Bootloader Version: N/A
Webtop version: N/A
Requires RSD Lite 5.0.0
Requires Moto Android (De)packer 1.3 to edit.
so from what i have read all this is gonna do is unlock the bootloader, so i can install clockwork correct, and flash roms.?
Click to expand...
Click to collapse
You can probably even use the automatic unlocker that is a easy one to use and does all the work for you.
Sent from my MB860 using Tapatalk
The easy unlocker? got alink or program name?
I tried to change the permissions in root expolorer, and sam thing it told me its read only. and it had superuser permission... I dont get it.
EDIT: ok got the permissions changed, now back to unlocking the boot loader.. trying to find the right sbf file now...
Ok tried flashing an abf file it rebooted now it says failed to boot no os dected and a bunch of options,
RSDlite, says in process 99%, for about 3 minutes than says failed
says error switching phone to bp passthrough... is it bricked or what...
EDIT: ok did the fast boot in the CMD dir, and unlocked it,,,, weired, thought i bricked it... but after it unlocked.. i reboot it, now it works.. fine...brand new again , thank god i did a titanium backup yesterday.. but it all works fine again....
Thanks guys...
Is it possible to flash american CID via bmm instead of the original uniqe cid of my xt910?
It will help people to flash the update via stock recovery without any need to bmm...
Only pushing the kernel and flash.
thanks... :highfive:
if its possible, can someone who handle xt912 backup his CID and upload it?
UduBobo said:
Is it possible to flash american CID via bmm instead of the original uniqe cid of my xt910?
It will help people to flash the update via stock recovery without any need to bmm...
Only pushing the kernel and flash.
thanks... :highfive:
if its possible, can someone who handle xt912 backup his CID and upload it?
Click to expand...
Click to collapse
AS long i know, CID is a unique customer identification...
YOu can't use someone else cid ; unless the person wants to give information about its phone to you (i think i'm not sure)
What you want to do ? Flash to JB ?
pablobhz said:
AS long i know, CID is a unique customer identification...
YOu can't use someone else cid ; unless the person wants to give information about its phone to you (i think i'm not sure)
What you want to do ? Flash to JB ?
Click to expand...
Click to collapse
yes, and remove all the CID FAIL thing.
Got it.
Well, i don't think someone will upload a cid for you - as i said it's a personal unique number.
You don't have any backup ?
If u don't... Get used to boot trough bp tools...
Sent from my MOTOROLA RAZR using xda app-developers app
Don't get troubled, and go the safe way!
Install bmm 0.3.4, backup CID, erase CID, flash kernel from bmm, flash baseband (optional), enjoy; but you knew that already.
bmm 0.3.4 gets its way to avoid bp tools so no worries there with CID error.
It is already as easy as it needs to be :good:
PS.: from my understanding the CID is attached to chipset's imei so you can't put whatever CID you want; just your device's one, maybe this answers your question.
osval. said:
Don't get troubled, and go the safe way!
Install bmm 0.3.4, backup CID, erase CID, flash kernel from bmm, flash baseband (optional), enjoy; but you knew that already.
bmm 0.3.4 gets its way to avoid bp tools so no worries there with CID error.
It is already as easy as it needs to be :good:
PS.: from my understanding the CID is attached to chipset's imei so you can't put whatever CID you want; just your device's one, maybe this answers your question.
Click to expand...
Click to collapse
I didn't knew about this trick
Thanks
Just remember to flash "JB kernel-based roms" ONLY right after flashing kernel, otherwise it will not boot, if you want to get back to ics you must flash an ICS kernel to boot, you can backup your kernel before flashing the jb kernel but with erased cid you can flash any ics kernel if you forgot to do that
the safer bet will be keeping your stock ics on main system, an do all the flashing stuff in 2nd system (must activate first, there are tutorials for that) so you can easily come back flashing ics kernel and switch to system 1 if anything goes wrong.
I have bricked my phone. It's stucked in a boot loop.
I had an up-to-date, non-rooted, locked XT1524. Since 3G and 4G didn't work on my country, first I tried flashing the modem and baseband from a retail XT1527 stock ROM. The flashing went OK, but 3G and 4G still didn't work (as happened to pablo_cba in this thread).
Then I turned my common sense off and tried flashing the whole XT1527 ROM. I though that since they were stock ROMs I didn't have any need to root the phone (or install TWRP). And since I was flashing the same version I had, I didn't need to unlock the bootloader either. Wrong! The ROM I flashed was version 5.1 (23.29-15), and my current ROM at the moment was 5.0 (22.50-X). Since I haven't unlocked the bootloader, I can't go back to the retail XT1524 stock ROM published here.
I was able to flash gpt.bin and bootloader.img, but things went south on boot.img. Now the bootloader is stuck with the following error:
Code:
version downgraded for boot
failed to validate boot image
Trying to flash boot.img (or system) fails with error:
Code:
hab check failed for boot
Failed to verify hab image boot
Trying to go back to XT1524 ROM fails with:
Code:
version downgraded for aboot
Trying to unlock the bootloader fails with:
Code:
Enable OEM Unlock
Which is obvious because I haven't enabled it on the phone, but it sucks because I can't boot and enable it.
So, here goes my questions:
- What does the "hab check failed" means? Is there any way to bypass it and finish flashing the XT1527 ROM?
- Is there any way to unlock the bootloader without enabling it first on developer settings?
- Is there anything I can do other than waiting that 5.1 gets rolled to XT1524 phones, and that a stock ROM for it gets leaked?
Thanks a lot for your kindly help!
Ah, I know exactly what happened. The good news is that your device is not bricked. The bad news is that you will need to wait a few weeks for the XT1524 5.1 stock images to be released.
The CID is a one byte Motorola specific value that indicates which region your device is for. Boot and system images are signed by Motorola tools that sign for a specific CID. The bootloaders for Motorola phones are signed with qualcomm tools that do not care about CIDs. As a result, you can flash a bootloader meant for a device with a different CID, but you can't flash a boot or system image for a different CID (while bootloader locked).
Since the bootloader is not CID specific, you were able to flash the new bootloader. The new bootloader blows fuses to increment the security version and prevent rollback. It will not allow you to flash an older boot and system image, since they may contain vulnerabilities. Now, the bootloader won't allow you to flash anything except a new 5.1 ROM signed for your CID.
I'd recommend just waiting a few weeks for the signed official 5.1 images for XT1524 to be released.
If you can't wait and are willing to take your phone apart and void the warranty and solder onto stuff, you can circumvent the Factory Reset Protection feature to unlock your bootloader. I don't recommend doing this, but it can be done. You will need to solder onto test points for the flash (that will be located underneath shielding cans). Writing 0x01 to the last byte of the frp partition will enable bootloader unlocking. Once again, I don't recommend doing this, I'm just stating what is possible.
EDIT: It might be worth a try seeing if Motorola will do something under warranty. The challenge will be to explain your problem in a manner that will not make them consider it to have been damaged by you. I don't know what they will think of your issue.
The exact thing happened to me. I think that the 5.1 firmware will arrive soon to your device. I took to my carrier, and they gave a new one in 2 weeks. I think that Motorola won't help you, as you requested the bootloader code.
i have a pixel 6 verizon and need to downgrade the firmware to android 13 october 2022. The only way to do that is via OTA image flash but whenever i try it does not flash since it cannot downgrade bootloader. the phone cannot be oem unlocked. my only chance is to edit/remove boot.img and/or modify the script to prevent the bootloader flash. i've found payload file dumpers but only to extract the images within. is there any way to do this? i know it can be don for the full system images rather easy.
ronclone said:
i have a pixel 6 verizon and need to downgrade the firmware to android 13 october 2022. The only way to do that is via OTA image flash but whenever i try it does not flash since it cannot downgrade bootloader. the phone cannot be oem unlocked. my only chance is to edit/remove boot.img and/or modify the script to prevent the bootloader flash. i've found payload file dumpers but only to extract the images within. is there any way to do this? i know it can be don for the full system images rather easy.
Click to expand...
Click to collapse
are you looking for a way to edit the extracted images?
If so I think you might be able to edit the extracted boot images with a text editor although not sure how reliable my information is for that
catcatjpg said:
are you looking for a way to edit the extracted images?
If so I think you might be able to edit the extracted boot images with a text editor although not sure how reliable my information is for that
Click to expand...
Click to collapse
yes, i would like to edit the image to skip flashing the bootloader. however, OTA images are different than full factory images. they do not have an easy way to modify a "flash-all.bat" file or equivalent. therefore my question, i would like to know if something like this is posible at all.
ronclone said:
i have a pixel 6 verizon and need to downgrade the firmware to android 13 october 2022. The only way to do that is via OTA image flash but whenever i try it does not flash since it cannot downgrade bootloader. the phone cannot be oem unlocked. my only chance is to edit/remove boot.img and/or modify the script to prevent the bootloader flash. i've found payload file dumpers but only to extract the images within. is there any way to do this? i know it can be don for the full system images rather easy.
Click to expand...
Click to collapse
The bootloader has to be unlocked to manually flash a factory image or OTA. Since you have a Verizon device you cannot unlock your bootloader, so attempting to flash any image of any kind will fail. Worse, even if you did have an unlocked device, without a custom recovery you won't be able to flash modified factory images. The stock recovery checks for the presence of Google's signature in the factory image and, if it doesn't find it, will refuse to flash the package.
Modifying flash-all.bat to not flash the bootloader by commenting out the proper line in the batch file will work since you're not modifying the images themselves, but the point is moot anyway since you cannot manually flash factory images due to that pesky bootloader.
That's the issue. However just to clarify, I absolutely can flash OTA images via fastboot even with a locked bootloader, I've done it multiple times. What I can't do is flash full factory images, the ones that need an unlocked bootloader.
I stand corrected regarding the flashing of OTA update files. Flashing full OTA images is conceivably possible, considering that I forgot Google gave device owners that capability. However, this doesn't change the fact you cannot alter Google-supplied ROM images without losing Google's signature on those files. So you won't be able to flash an OTA without also flashing the bootloader.
So is there a specific reason you have to have that particular bootloader?
It's not a bootloader problem per se. It's an Android version problem for me. I wouldn't mind downgrading the bootloader, is just that pixel devices apparently cannot downgrade bootloeader so it must be done with some kind of trickery.
Your on a device with an unlockable bootloader.
You can only flash official ota zips in recovery provided you are not downgrading.
Any attempt to manipulate the OTA zip will break the Google signature, and therefore any attempt to flash it on a locked bootloader will fail.
Tldr: forget about it
shoey63 said:
Your on a device with an unlockable bootloader.
You can only flash official ota zips in recovery provided you are not downgrading.
Any attempt to manipulate the OTA zip will break the Google signature, and therefore any attempt to flash it on a locked bootloader will fail.
Tldr: forget about it
Click to expand...
Click to collapse
yeah i think you're right. unfortunately.