Hi,
Does anyone know at what address the radio image should be loaded for disassembly, and what its entrypoint is?
For reference the hboot image has to be loaded at 0x8e000000, and its entrypoint is at 0x8e001000.
For info, the available oem task commands are:
- 28: format userdata
- 29: format system, cache, userdata (will only format system if security is off)
and the available oem rtask commands are:
- 0: ???
- 7: switch to radio bootloader OR AT command prompt *
- 8: switch to radio bootloader OR AT command prompt *
- 9: ???
* I'm not sure which of 7 or 8 is the radio bootloader and which is the AT command prompt, as from the SPL point of view, they behave the same (read line, push to radio, print response, and exit when "retuoR" is typed).
Also, the Nexus One and Desire hboot images are nearly identical, and those commands exist identically in both hboots.
Also, the hboot itself issues AT commands to talk to the radio chip, among others, these are present in the hboot binary:
[email protected]=1,%x,%s
[email protected]=2,1,%s
[email protected]?%x
[email protected]=3,%x
[email protected]=7,%d <- this is a good candidate for the mighty security=off quest
[email protected]?AA <- most likely "get security status"
[email protected]=9,%x
[email protected]?40
According to what people have found on other devices, all the other [email protected] commands are related to actual simlock/unlock
Hi, I am very interested in your findings, also myself and Paul from modaco have been playing around with some commands. Did you continue to look into this yourself or not?
Regards
Found this myself hexing both the Holiday hboot image and the one in the passimg.zip file.
They do have different lines.
All we need is an engineers ID over at HTC apparently and input it right after fastboot oem task (id here) and it will request a reason for the security removal...
What does this actually do to tell the bootloader that it is ok to unlock.
Write a 1 byte file to the system partition?
Write one byte of the bootloader?
Searching google just gave "How to Enable OEM Unlock to unlock your bootloader" articles nothing on how it actually works.
Finally found out how it works.
While trying to find my screen resolution while offline, I checked getprop in a terminal and sys.oem_unlock_allowed [1] came up.
I then checked /dev/__properties__ and it was there, so it is enabled by writing sys.oem_unlock_allowed = 1 to /dev/__properties__.
Guicrith said:
Finally found out how it works.
While trying to find my screen resolution while offline, I checked getprop in a terminal and sys.oem_unlock_allowed [1] came up.
I then checked /dev/__properties__ and it was there, so it is enabled by writing sys.oem_unlock_allowed = 1 to /dev/__properties__.
Is there any way to prevent a user from accidentally disabling this option in Developer options?
I am asking because if you disable "OEM unlock" after installing a custom ROM in, e.g., a Samsung phone, the device refuses to boot with an FRP "Custom binary blocked by FRP lock" message.
timba123 said:
I'm on the Samsung A102U, the Galaxy A10e. I added sys.oem_unlock_allowed 1 but now both sys.oem_unlock_allowed 0 and sys.oem_unlock_allowed 1 are showing up. Is there a command to remove the sys.oem_unlock_allowed 0?
Well actually the first one is indeed sys.oem_unlock_allowed but the second one is sys.oem_unlocl_allowed so those are not the same: probably you made a typo when adding it and thus it didn't just change the original prop's value but added a new, mistyped prop with the desired value? The K and L buttons on a QWERTY or similar keyboard are next to each other (and the Levenshtein distance between the names of the two props is only 1).
This is an excellent resource for information on bootloader unlock ability.
There are several components at play here:
ro.oem_unlock_supported is set at ROM build time; if 1, the OEM Unlocking toggle should be available. This property is not visible without root.
sys.oem_unlock_allowed is used by some "permissive" devices such as the Google Pixel to determine whether OEM unlocking should be allowed; in the case of the Pixel, this is done by checking an online whitelist of serial numbers
get_unlock_ability is controlled by the OEM Unlocking toggle. Off is 0, on is 1. If 0, the bootloader will reject fastboot flashing unlock. Can be checked in bootloader mode using ADB: fastboot flashing get_unlock_ability
I'm learning how various OEMs store their dm-verity public key in such a way that it cannot be replaced by a user-owned public key, even with the help of memory-editing electronic programmers. According to Google's documentation on implementing dm-verity, the key is stored in /boot/verity_key.
verity_key verifies the vbmeta.img that contains the root hash of the hashtree (and its metadata, like salt and offset) of the other partitions. In this way the integrity of every partition is verified.
Where exactly is this key stored such that it is tamper-proof? Some of the answers I've been given are that it can be embedded in a TPM, hardcoded in the Extended Bootloader itself, or kept somewhere in read-only memory.
Here's the answer I learned after some more research. /boot/verity_key, which verifies vbmeta.img, is itself signed by the OEM private key. The OEM public key is hardcoded in the bootloader at compilation time. The bootloader is verified by the Extended Bootloader, and the Extended Bootloader is verified by the Primary Bootloader (PBL), which is burned into non-writable read-only memory (also called BootROM). The chain of trust starts from the PBL. But I don't think that all OEMs hardcode the key in the bootloader this way.
Seppppx said:
Does that mean that you could dd the bootloader and reverse engineer it somehow to get the public key?
You can simply extract the public key by dumping the bootloader partition in EDL mode. But even if you manage to extract it, there's not much you can do with that knowledge except verify verity_key yourself.
Seppppx said:
Also, what do you mean by "chain of trust"? If that means the verification process (or what does it exactly mean?), then why does it start from the PBL, when it verifies the extended bootloader, which verifies the bootloader?
Chain of trust here is the verification process of each stage in the boot process. A chain of trust is usually verified from the end point up to the root node, but in the boot process it verifies the root node first and goes all the way down to the OS.
The PBL is burned on the CPU die (the underlying circuitry on which the CPU is mounted), which can be tampered with given physical access in theory, but that is not feasible enough in practice and not scalable either.
The PBL verifies itself with Qualcomm's public key, which is also hardcoded with the PBL. Before the PBL is verified, Qualcomm's public key is also verified against the hash stored in eFuse. This entire region is non-writable. This is why the PBL is treated as the root of trust.
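To make the verification order above concrete, here is a toy model of the chain (added example; not from the thread, not any vendor's code). Everything in it is constructed: the "RSA" uses well-known Mersenne primes and is not secure, the image layouts are invented, and the signer of each stage follows the posts above (SoC-vendor root key whose hash sits in eFuse for XBL and ABL, an OEM key hard-coded into ABL for /boot/verity_key, verity_key for vbmeta, and a salted SHA-256 of each partition inside vbmeta). `build_device`, `boot` and the `tamper` cases are names chosen for this example. The point it shows is the one the question asked about: swapping in a user-owned verity key fails at the ABL step, because the key is checked against a signature made by the OEM private key, not against anything the user can rewrite.

```python
"""Toy boot chain of trust, verified root-first (constructed example)."""
import hashlib


# ---- toy RSA over SHA-256 (demonstration only; never use such keys) ----
def make_key(p, q, e=65537):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])


def key_hash(pub):
    """A stage stores a digest of the key it trusts, not the key itself."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).digest()


def vbmeta_bytes(vb):
    """Canonical serialisation of vbmeta that the verity_key signature covers."""
    body = ";".join(f"{k}={v}" for k, v in sorted(vb["digests"].items()))
    return vb["salt"] + b"|" + body.encode()


# ---- a constructed device, optionally tampered with ----
def build_device(tamper=None):
    soc_pub, soc_priv = make_key((1 << 61) - 1, (1 << 89) - 1)     # root key, hash in eFuse
    oem_pub, oem_priv = make_key((1 << 31) - 1, (1 << 107) - 1)    # hard-coded in ABL
    ver_pub, ver_priv = make_key((1 << 127) - 1, (1 << 521) - 1)   # /boot/verity_key
    partitions = {"system": b"system image bytes", "vendor": b"vendor image bytes"}
    salt = b"constructed-salt"
    # vbmeta: salted digest of every partition, signed by the verity key
    vb = {"salt": salt,
          "digests": {k: hashlib.sha256(salt + v).hexdigest() for k, v in partitions.items()}}
    vb["sig"] = sign(ver_priv, vbmeta_bytes(vb))
    verity_key = {"pub": ver_pub, "sig": sign(oem_priv, key_hash(ver_pub))}
    # XBL and ABL images signed under the root key; ABL carries the OEM key digest inside
    xbl = {"name": "XBL", "image": b"extended bootloader code"}
    abl = {"name": "ABL", "image": b"android bootloader code" + key_hash(oem_pub), "oem_pub": oem_pub}
    for st in (xbl, abl):
        st["sig"] = sign(soc_priv, st["image"])
    dev = {"efuse": key_hash(soc_pub), "root_pub": soc_pub, "stages": [xbl, abl],
           "verity_key": verity_key, "vbmeta": vb, "partitions": partitions}
    if tamper == "partition":          # modified system image, vbmeta left untouched
        dev["partitions"]["system"] = b"modified system image"
    elif tamper == "verity_key":       # user-owned key swapped in, self-signed, vbmeta re-signed
        usr_pub, usr_priv = make_key((1 << 31) - 1, (1 << 61) - 1)
        dev["verity_key"] = {"pub": usr_pub, "sig": sign(usr_priv, key_hash(usr_pub))}
        dev["vbmeta"]["sig"] = sign(usr_priv, vbmeta_bytes(dev["vbmeta"]))
    elif tamper == "efuse":            # root key replaced without the matching fuse hash
        dev["root_pub"] = make_key((1 << 31) - 1, (1 << 89) - 1)[0]
    return dev


def boot(dev):
    """Verify root-first as the post describes; return (passed steps, failure or None)."""
    ok = []
    if key_hash(dev["root_pub"]) != dev["efuse"]:            # PBL's only unconditional trust
        return ok, "root key does not match eFuse"
    ok.append("PBL: root key matches eFuse")
    for st in dev["stages"]:                                  # PBL -> XBL -> ABL
        if not verify(dev["root_pub"], st["image"], st["sig"]):
            return ok, f"{st['name']}: signature invalid"
        ok.append(f"{st['name']}: signature OK")
    abl = dev["stages"][-1]
    if abl["image"][-32:] != key_hash(abl["oem_pub"]):        # key must be the one bound in the signed image
        return ok, "ABL: embedded OEM key mismatch"
    vk = dev["verity_key"]
    if not verify(abl["oem_pub"], key_hash(vk["pub"]), vk["sig"]):
        return ok, "verity_key: not signed by OEM"
    ok.append("ABL: verity_key OK")
    vb = dev["vbmeta"]
    if not verify(vk["pub"], vbmeta_bytes(vb), vb["sig"]):
        return ok, "vbmeta: signature invalid"
    ok.append("verity_key: vbmeta OK")
    for name, data in dev["partitions"].items():
        if hashlib.sha256(vb["salt"] + data).hexdigest() != vb["digests"].get(name):
            return ok, f"{name}: digest mismatch"
        ok.append(f"vbmeta: {name} OK")
    return ok, None


if __name__ == "__main__":
    for case in (None, "partition", "verity_key", "efuse"):
        steps, failure = boot(build_device(case))
        print(f"tamper={case}: {len(steps)} steps passed, failure={failure}")
```

Running it walks four devices: the untampered one passes all seven checks, a modified system partition fails only at the last step (the vbmeta digest), the user-owned verity key fails at ABL, and a replaced root key fails at the PBL before any signature is even looked at. Each failure stops the walk, which is why the posts describe the root of trust as the first thing checked rather than the last.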
I'm looking to pinout both test pins. I bought this phone a few days ago. I unlocked it with TWRP and looked at the possibilities. I made a mistake with TWRP by switching the system to sideload B (I chose between A and B) and the system refused to start. I do not have access to the bootloader with the buttons. I can only enter QDLoader HS-USB Driver mode. I read the instructions on how to make a blank flash. I took the 18 files out of the phone and made a new blank flash for this model (moto g9 power), but in the end it gives me an error. Now I'm looking for a solution.
Code:
C: \ Documents and Settings \ Administrator \ Desktop \ MOTO G9 POWER blankflash \ Blankflash for G9 POWER>. \ Qboot.exe blank-flash
Motorola qboot utility version 3.86
[0.000] Opening device: \\. \ COM4
[0.000] Detecting device
[0.000] ... cpu.id = 333 (0x14d)
[0.000] ... cpu.sn = 2936128399 (0xaf01c38f)
[0.000] Opening singleimage
[0.000] Loading package
[0.000] ... filename = pkg.xml
[0.000] Loading programmer
[0.000] ... filename = programmer.elf
[0.000] Sending programmer
[0.156] Handling things over to programmer
[0.156] Identifying CPU version
[0.156] Waiting for firehose to get ready
[3.297] ... SM_KAMORTA_H 1.0
[3.297] Determining target secure state
[3.297] ... secure = yes
[3.375] Configuring device ...
[3.391] Flashing GPT ...
[3.391] Flashing partition with gpt.bin
[3.406] Initializing storage
[3,484] ... blksz = 512
[37.016] Re-initializing storage ...
[37.016] Initializing storage
[37328] Flashing bootloader ...
[37.344] Flashing abl_a with abl.elf
[37.344] partition abl_a not found!
[37.359] ERROR: do_package () -> do_recipe () -> do_flash () -> pt_find () -> not found
[37.375] Check qboot_log.txt for more details
[37.375] Total time: 37.375s
FAILED: qb_flash_singleimage () -> do_package () -> do_recipe () -> do_flash () -> pt_find () -> not found
The last message puzzles me. I want to transfer the system to sideload A again, so I have to reset the device firmly.
Are there people familiar with the possibilities?
- I built a blankflash for the Moto G8
- How To Blank Flash & Fix/Repair Hard Bricked Motorola Devices/Moto G8+|Tutorial Get It Working Again - YouTube
- Version Bootloader MBM-3.O-cebu retail 232f3ba894-201209
- motostockrom.com/motorola-moto-g9-power-xt2091-3
I'm looking to pinout both test pins.
Have you tried using LMSA?
It recovered a dead phone for me once.
Rescue and Smart Assistant (LMSA)
Also, I too once accidentally switched slot to B, and system didn't boot. However, I was able to get into fastboot mode and switch by entering the command to switch slots.
https://support.lenovo.com/bg/en/downloads/ds101291 I saw this, but my computer is 32-bit. I am looking for the program "qualcomm edl mode flash tool" or something like Axon10Pro_(More)_EDL_Tools_v1.1d, because I want to make a siteloader active, because I saw that this can be done without much difficulty. Otherwise, for the EDL pinout I saw how it works, no problem.
man88nam said:
https://support.lenovo.com/bg/en/downloads/ds101291 I saw this, but my computer is 32-bit. I am looking for the program "qualcomm edl mode flash tool" or something like Axon10Pro_(More)_EDL_Tools_v1.1d, because I want to make a siteloader active, because I saw that this can be done without much difficulty. Otherwise, for the EDL pinout I saw how it works, no problem.
qualcomm edl mode flash tool / Axon10Pro_ (More) _EDL_Tools_v1.1d
In those .XML files, can you delete the line that says "abl" and try again?
I will do, but these files can be downloaded according to the instructions on how to make closed files extracted from the phone itself
https://www.reddit.com/r/MotoG/comments/k73n66
I downloaded from the bootloader 18 files that are original, this is in connection with blank flash, where in the end there is an error, because eight made active "B" sector instead of A
I removed the ABL file from the XML, but the error remains, plus a message about a missing ABL ELF file:
Code:
[ 37.297] file abl.elf not found in singleimage.bin!
[ 37.297] ERROR: do_package()->do_recipe()->do_flash()->not found
[ 37.297] Check qboot_log.txt for more details
[ 37.297] Total time: 37.297s
I'm just looking for an EDL program that works similar to this command line Set Bootable Partition- Slot A / run_AB-partition-swap - but here it wants some text file for the presence of a port, port_trace.txt
I'm sorry, I can't help further here. Even though the active slot is B, the partition abl_a should exist and should be flashable regardless. It looks as though there isn't such a partition at all, which I don't even know how that happened.
The tool which you are using is correct; it's doing its job properly. Are you sure you have the right firmware version and software channel? Because bootloader.img differs depending on the firmware version and the carrier. I'd also suggest downloading from https://mirrors.lolinet.com/firmware/moto/cebu/official/ instead of the link you mentioned, motostockroms.
Also, try asking in this Telegram group: https://t.me/lolinet. There are people on there who are more knowledgeable, maybe they can help.
After trying the firmware image from lolinet and trying the process again with that firmware, I'd try to get into bootloader mode once again through power buttons, and if that doesn't work, send the phone into the service center.
Motorola_Moto_G9_Power_XT2091-3_RETUK_CEBU_RETAIL_QZC30.Q4-22-57_10_by_(motostockrom.com) With the TWRP program I chose with active slot B / I don't know if it deleted the content from slot A of the bootloader. By the way, I downloaded the original product firmware XT2091-3 according to the instructions for this, which I get when I try blank flash / I have no idea what to do, so I'm looking for a program "qualcomm edl mode flash tool" and I constantly get Indian sites with dangerous behavior.
I thank you for your time
Hey,
Today I found EDL points for the Moto G9 Power. In fact, I'm also facing a firmware issue.
I accidentally locked the bootloader with the stock ROM again; trying to unlock it is not working,
causing "No valid OS to boot".
If I try to unlock again, it shows a message like "enable OEM unlocking in developer options",
which unfortunately is not possible. But I'm still waiting for a proper EDL flash tool.
Feel free to guide me if anyone has a resolution.
Hey,
I've recently updated my Nord 2 from A21 to C10. The phone was unlocked and rooted, so after having reflashed the original boot.img, I forced the installation of the official OTA through TWRP. I had to set ro.commonsoft.ota=OP515BL1 to make it work. After the installation, TWRP failed to mount /system, but that didn't surprise me. I checked that the boot partition had been flashed correctly.
Now every time I try to power on the phone, it directly tries to boot into recovery mode. However, it fails and starts again and again...
Maybe the system tries to install the OTA using the original recovery, which of course fails, and for an unknown reason it doesn't reboot to system.
Because of the last update, fastboot is not accessible anymore using vol -, and BROM mode is not accessible using vol + / vol -.
I tried to crash the preloader using mtkclient but it didn't work.
I tried to use META mode to switch to fastboot, but the preloader only answers "READY" (instead of "READYTOOBTSAF"), and nothing changes.
I'm trying to reverse engineer the preloader and lk, but it's something new for me. The META mode code is still present in the preloader, so I don't understand what's wrong with it. Maybe it is disabled by default on USB...
Does anyone have a solution to boot into BROM mode or make META mode work?
Or maybe I could find DA authentication files somewhere?
@Petitoto can you share a bit about how you got the meta command running?
I'm in a similar situation with a Nord 2T. While mtkclient can get some info out of the preloader, meta never seems to connect.
Code:
mtk gettargetconfig
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader - CPU: MT6893(Dimensity 1200)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x950
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Main - Getting target info...
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Code:
mtk meta FASTBOOT
META - Status: Waiting for PreLoader VCOM, please connect mobile
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
...........
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
...........
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
Hey @Beanow,
I have the same gettargetconfig output, which indicates that the phone is not in BROM mode but stuck in the preloader. Trying to interact with the preloader always leads to an error because of DAA (DAA_SIG_VERIFY_FAILED, for example).
I have the same issue with mtkclient and META mode. You can use the following modified mtk-bootseq.py:
py mtk-bootseq.py FASTBOOT COMXX (or python3 mtk-bootseq.py FASTBOOT /dev/ttyACMXX on Linux).
Python:
import sys
import time
from serial import Serial

BOOTSEQ = bytes(sys.argv[1], "ascii")   # boot mode to request, e.g. FASTBOOT
DEVICE = sys.argv[2]                    # serial port, e.g. COM4 or /dev/ttyACM0
CONFIRM = b"READY" + BOOTSEQ[::-1]      # preloader acknowledges with READY + reversed mode name

# Poll until the preloader VCOM port shows up
while True:
    try:
        s = Serial(DEVICE, 115200, timeout=0.1)
        print(".\n[+] Device detected")
        break
    except OSError:
        sys.stdout.write(".")
        sys.stdout.flush()
        time.sleep(0.1)

# Drain whatever the preloader sent on its own (usually a burst of "READY")
print("<-", s.read(256))

def send(data):
    """Write one command and return the preloader's reply (b'' on timeout)."""
    s.write(data)
    print("->", str(data))
    resp = s.read(256)
    print("<-", str(resp))
    return resp

# Resend the boot sequence until the confirmation arrives
resp = b''
while resp != CONFIRM:
    resp = send(BOOTSEQ)
print("[+] Boot sequence sent")
On another device, it works and I get:
Code:
...............................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READYTOOBTSAF'
[+] Boot sequence sent
However, on my Nord 2, I get:
Code:
...........................................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READY'
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
Then the next s.write() hangs.
I get the same result for any other boot mode. However, the code is still present in the preloader.
I unfolded my phone to try to find a test point. I tried all golden points but I only found:
- a point which loads preloader (and not BROM...) in the same way vol + / - do (in red in the picture)
- a point which boots the phone but without Android and OnePlus pictures (what's that ??) (in green)
I don't know how the test point is handled: if that's the role of the preloader, it may have been disabled by the update (as the BROM and fastboot were). We may need to find the DAT0 point of the eMMC to short it and prevent the BROM from finding the preloader, making it go into EDL mode. However, I think that this point isn't exposed, and I won't disassemble my phone further without being sure of success...
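The exchange mtk-bootseq.py performs, replayed against two simulated preloaders so the confirmation rule and the "one READY, then silence" failure can be traced without hardware (added example; not part of the thread and not mtkclient's code). `FakeSerial` is constructed for this example and only mimics the `read`/`write`/timeout behaviour of pyserial that the script relies on; the two reply patterns are copied from the transcripts posted above, and `send_bootseq`, `max_tries` and `quiet_limit` are names chosen here. It differs from the posted script in two deliberate ways: it gives up after a bounded number of sends or consecutive empty reads instead of looping forever, and it accepts the acknowledgement even when leftover READY bytes precede it in the same read.

```python
"""META boot-sequence exchange against scripted preloaders (constructed example)."""


class FakeSerial:
    """Constructed stand-in for serial.Serial with scripted replies."""

    def __init__(self, greeting, replies):
        self._rx = bytearray(greeting)   # sent by the preloader unprompted
        self._replies = list(replies)    # one entry is queued per write()
        self.written = []

    def read(self, size=256):
        chunk, self._rx = bytes(self._rx[:size]), self._rx[size:]
        return chunk                     # b'' stands for a read timeout

    def write(self, data):
        self.written.append(bytes(data))
        if self._replies:
            self._rx += self._replies.pop(0)
        return len(data)


def send_bootseq(port, bootseq, max_tries=5, quiet_limit=2):
    """Send the boot mode name until the preloader acknowledges it.

    The acknowledgement is "READY" followed by the mode name reversed
    (FASTBOOT -> READYTOOBTSAF).  Returns (confirmed, reason, transcript);
    transcript is a list of (direction, bytes) pairs in the same "<-"/"->"
    notation as the post.
    """
    confirm = b"READY" + bytes(bootseq)[::-1]
    transcript = [("<-", port.read(256))]         # drain the unsolicited READY burst
    quiet = 0
    for _ in range(max_tries):
        port.write(bootseq)
        transcript.append(("->", bytes(bootseq)))
        resp = port.read(256)
        transcript.append(("<-", resp))
        if confirm in resp:                       # tolerate READY spam before the ack
            return True, "confirmed", transcript
        quiet = quiet + 1 if resp == b"" else 0   # count consecutive empty reads
        if quiet >= quiet_limit:
            return False, "preloader went silent", transcript
    return False, f"no confirmation after {max_tries} tries", transcript


if __name__ == "__main__":
    # Reply patterns copied from the post: a device that switches, and the Nord 2.
    devices = {
        "other device": FakeSerial(b"READY" * 5, [b"READYTOOBTSAF"]),
        "Nord 2": FakeSerial(b"READY" * 5, [b"READY"]),
    }
    for name, port in devices.items():
        ok, reason, transcript = send_bootseq(port, b"FASTBOOT")
        print(f"== {name}: {reason}")
        for direction, data in transcript:
            print(direction, data)
```

With the first device the transcript reproduces the working case from the post (READY burst, FASTBOOT, READYTOOBTSAF); with the second it reproduces the Nord 2 case (one READY, then empty reads) and stops with "preloader went silent" instead of hanging on the next write.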
Thank you so much for the work so far!
Unfortunately I get no response at all on the Nord 2T.
Code:
.......................................
[+] Device detected
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
Traceback (most recent call last):
File "/media/droid-work/mtkclient/mtk-bootseq.py", line 31, in <module>
resp = send(BOOTSEQ)
File "/media/droid-work/mtkclient/mtk-bootseq.py", line 24, in send
resp = s.read(256)
File "/usr/lib/python3.10/site-packages/pyserial-3.5-py3.10.egg/serial/serialposix.py", line 595, in read
raise SerialException(
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
How did you connect to the device that you're getting these responses?
In my case, I need to use vol+, vol- and power, like mtkclient, or the ttyACM0 won't exist.
(I've got udevadm monitor up, watching for the usb/tty to be added)
Indeed, you need to run into preloader using vol +, vol -
Maybe a driver / python module issue. I've got similar issues on my linux. Try on windows or try to reinstall drivers.
It should work at least for the first answer. Else it means that your preloader doesn't send any data, which is not the case as mtkclient works.
I also tried a different baud, because a pl_lk log from oplusreserve2 partition suggested it may be used. No luck though. Note, this was a very old log I saved early on. Definitely not reflective of latest Nord 2T update.
Code:
[PLFM] boot_tag size = 0x0
BOOT_TAG_VERSION: 0
BOOT_REASON: 0
BOOT_MODE: 0
META_COM TYPE: 0
META_COM ID: 0
META_COM PORT: 285220864
META LOG DISABLE: 0
FAST META GPIO: 5906
LOG_COM PORT: 285220864
LOG_COM BAUD: 921600
LOG_COM EN: 1
LOG_COM SWITCH: 0
MEM_NUM: 2
MEM_SIZE: 0xAE7B
MEM_SIZE: 0xAE8D
I guess I'll try windows then
Code:
python mtk-bootseq.py FASTBOOT COM4
...................................................................................................................................
[+] Device detected
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
Windows looks to behave similar. Though windows wouldn't take the MTK VCOM driver, so this is win10 default serial, in a VM over USB passthrough.
So, same result not in a VM. Though specifically with powershell I got the same output as you did.
Code:
...........................................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READY'
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
This is a really helpful post for us. I already have a OnePlus Nord 2 phone; from this post I learned more about this phone.
Thank you so much.
@Beanow So same results...
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
Petitoto said:
@Beanow So same results...
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
Thanks for this. No need to switch to windows anymore, to use mtk client.
Petitoto said:
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
Is it 'not working' though? It's also weird to me that I had the same output as Linux using Windows' cmd, while there was READY spam in powershell. Same drivers, same python, same libraries, but different output?
I suspect that it might be a timing issue. Maybe the serial console doesn't care about or wait for input at all. And just spams READY a few times. It would be a matter of how fast the connection is established.
Perhaps as well there's a different subsystem sending commands to the 'meta' environment and the READY spam means it's processing those commands rather than whatever we're sending.
All theories, but I would find it really hard to believe there's a problem with Linux drivers / libraries for something as basic as a UART/serial console over USB.
Petitoto said:
@Beanow So same results...
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
I also suspected this PID check and tried to log the else cases, but never reaches those for me.
So removing the check didn't help for mtkclients' meta commands.
Is it 'not working' though? It's also weird to me that I had the same output as Linux using Windows' cmd, while there was READY spam in powershell. Same drivers, same python, same libraries, but different output?
Different results when using cmd and PowerShell? There is really no reason for that, unless it's not the same Python environment, with a different pyserial, for example. I have issues running mtk-bootseq on Linux, but always get the same output in Windows' cmd.
I suspect that it might be a timing issue. Maybe the serial console doesn't care about or wait for input at all. And just spams READY a few times. It would be a matter of how fast the connection is established.
Maybe. On Linux, I can get different results depending on baud rate, timeout (and luck?). If there is an issue related to the connection, it might explain why the preloader doesn't answer as expected. But as other commands (like mtk gettargetconfig, but also manually handshaking connections and gathering information in pyserial) work well, I tend to think it's just disabled.
Perhaps as well there's a different subsystem sending commands to the 'meta' environment and the READY spam means it's processing those commands rather than whatever we're sending.
I don't really know how it works. The code is still present in the preloader. However, this functionality is not always enabled. Maybe reversing the preloader more or analysing the log you provided on GitHub might help to determine whether or not it is enabled. Moreover, even if we manage to switch to fastboot, if the bootloader has been fully disabled, we may face the issue of the preloader trying to boot into a non-existent fastboot. Maybe the FACTFACT mode may help to reset the device, but I don't really know a lot about this mode.
So removing the check didn't help for mtkclients' meta commands.
Once you removed this check, if you print the data sent by the preloader, you'll get the multiple "READY" like mtk-bootseq on Windows. Moreover, I can switch to fastboot using this command on another MTK device.
Dear Sir,
Do you have any method to recover my phone as the figure show?
Thank You