Just a random question for someone with more experience with these things.
Is it possible to trigger the fuse burning process to unlock the phone in any way possible? For example, writing a seem which is loaded into the RDL and activated by the OEM unlock command, which it's looking for, which will in turn trigger the fuse burning process, or maybe manually burning the fuse in some other way?
Hi guys,
Sorry I've not been around for a while - been having a little issue testing Kernels at the moment as I've managed to re-lock my bootloader! (Doh!). Posted what happened below in case anyone has any thoughts - can't say I'm happy it looks like I'm going to have to pay money to get the simlock removed again!
It started when I was looking into changing the MTD sizes so I could reclaim wasted space in /system and /cache so I could get ~620MB of usable space in /data for apps etc. To do this I had to first know what the current partition sizes are so I wouldn't screw up the partitions needed to boot the phone.
Unfortunately trying 'fastboot oem listpartition' was giving me:
Code:
FAILED (remote: oem unlock 0xFFFFFFFFFFFFFFFF)
and when I tried to unlock the bootloader the SE way with
Code:
fastboot.exe -i 0x0fce oem lock 0xMy_Code
I was getting
Code:
FAILED (remote: Phone is already unlocked!)
"No problem!" thought I, fired up S1Tool and pressed the 'Restore' button thinking this would lock the bootloader using the testpoint method. Then I could unlock it the SE way over fastboot and perhaps the OEM commands would work.
It was a partial success: the phone lost its bootloader but wouldn't power on. I couldn't get anything to work, and finally had to re-flash it using the FlashTool. From here I noticed the Sim-lock seemed to be re-enabled and I couldn't get into FastBoot mode.
When attempting to unlock the bootloader I can't via the SE method because I can't get to FastBoot, and I can't through the S1 Tool method either, as it complains:
Code:
SETOOL2 SIMLOCK CERTIFICATE, SEMCBOOT ALREADY PATCHED
I've a feeling I'm going to have to go back to the shop that unlocked it in the first place and get them to perform their magic again - no doubt costing me more money! Thought I'd post it here in case there's something I've not tried?
...Seems that Simlock isn't enabled as such, but putting in two different sim-cards makes it display "Emergency Calls Only | No Sim Card" :S
Starting to think I've really broken it!
Just had a thought. Didn't anyone have the idea to capture the dialog between the phone and computer during the official unlock via MiFlashUnlock? Software like Device Monitoring Studio can show how MiFlashUnlock does the unlock. I would like to see such a packet capture.
(I can't do it myself because my Kenzos came with unlocked bootloader)
I mean, you can lock them and then unlock them again if you are interested enough.
Hi, I would like to see what the bootloader unlock exactly does to the raw flash storage. Older phones can be fully unlocked that way, without official permission. Obviously, I need to read out the raw partitions before and after unlocking. The easiest way is to get root and back up from MIUI.
Does anybody know how to root the stock MIUI without unlocking the bootloader? Re-locking does not count.
Does a bootloader-locked, unrooted, stock MIUI let you downgrade? An older ROM might have security bugs that let you root it.
Known pieces of the puzzle, if going the root route:
* Earlier Xiaomi devices let you unlock the bootloader by writing to the devinfo partition. Both the Redmi Note 3 (kenzo) and Redmi Note 4 (mido) still have the bits set at 0x10 and 0x18 as described in the link. But Xiaomi changed things starting with the Redmi Note 5 (whyred) - it has a bit set at 0x90 in an otherwise conspicuously empty devinfo partition.
* The Sony Xperia XZ1 Compact can be rooted without unlocking. For that phone, it's motivated by DRM.
* How to take complete control of pre-2016 phones. Today, this can serve as a tutorial. Beyond my abilities.
The second way would be to read out (and write to) the phone in EDL mode, or memory debug mode, ...., before and after unlocking the bootloader. Known pieces of the puzzle:
* Zeroing out the abl_a and abl_b partitions might grant read/write access to the raw flash as a mass storage device. This is memory debug mode, similar to EDL. If it doesn't work, you will need EDL to recover because you zeroed out fastboot.
* A list of points of attack on EDL authentication. Once you can bypass EDL authentication, it lets you read and write to raw flash. However, a direct attack on EDL authentication is beyond my abilities.
* Enter EDL mode with test point method or by grounding one of the pins next to the SystemOnChip.
Does anybody know how to bypass EDL authentication?
Does anybody know how to enter memory debug mode without root?
The third way would be to decompile the bootloader chain and see how each piece checks bootloader lock status. However, this is the least useful and probably least fun method. Known pieces of the puzzle:
* Description of the Snapdragon 845 boot process (older but more complete overview)
* Unlock status is checked both by the primary bootloader and the Android bootloader. The primary bootloader lives somewhere in memory and will let you into EDL if the bootloader is unlocked and you rebooted with "fastboot oem edl" etc. The Android bootloader image is the abl.elf file in the official update downloads. It will let you flash (or honor "fastboot oem edl") if it is unlocked.
* Memory debug mode is accessed through the XBL bootloader, i.e. the xbl.img and xbl_config.img files in the official update downloads.
If you found this thread trying to unbrick your phone, you need to go here instead.
I am sure if you have found this forum, you are also looking for the ability to root the LG K92. Unfortunately, it looks like as it stands currently there is no known way to root the K92.
There was one glimmer of hope on another thread https://forum.xda-developers.com/t/root-aquired.4253159/ but it looks like that may have been a dead end as well.
Am I understanding correctly that, unless there is an exploit to gain root access from the Android 10 OS, the only possible way would be to get the bootloader unlocked? I have a K929AM (LG K92 from AT&T) and, as I am sure you already know, LG does not have that on the supported list for bootloader unlocking. In fact, it looks like all of the K series phones do not have bootloader unlocking supported. When you try to boot to Bootloader, it boots into the OS, and if you boot to fastboot, you get fastbootd where the OEM unlock does not even appear to work.
According to https://lgk20.com/lg-k92-5g-root-bootloader-unlock-twrp-custom-rom-lmk920am/ (scroll to the bottom) we would expect to see a "bootloader unlock page" but I am not even sure if the LG K92 has one of these and, even if it does, if it would be accessible.
Does anyone have any suggestions on any unsupported methods on how to unlock the bootloader on this phone? I would be happy to test anything at this point. If we can somehow figure this out, this method may work on other K-series devices which would be a big win. So far, the only menus I can access are FASTBOOTD and Download Mode.
To add to this, it looks like it is possible to access the Bootloader (bootloader unlock page) from the LG K20. https://lgk20.com/lg-k20-plus-unlock-bootloader-metropcs-mp260-t-mobile-tp260/2/
I am wondering if it is possible to somehow force the K92 into this menu, even by short-circuiting something on the board.
Anyone have any ideas?
Hello, I want to block my bootloader. I tried to root my phone, something went wrong, then I decided to install the official firmware again, but my bootloader isn't blocked I think; I can't use Google Pay etc. In developer options I can't see the OEM Unlock bar. I tried to block the bootloader by ADB, but my phone can't be found by this program. The solution with changing date and time and restarting the phone also doesn't work.