ZTE Axon M research - ZTE Axon M Guides, News, & Discussion

I decided to do some digging since I just purchased one of these devices.
fastboot binary is emmc_appsboot.mbn from an update zip.
fastboot oem commands in the CN ROM: unlock, unlock-go, lock, device-info, enable-charger-screen, disable-charger-screen, off-mode-charge, select-display-panel, run-tests
fastboot oem commands in the US ROM: unlock, unlock-go, lock, device-info. US rom is older, which is probably why some commands are missing.
You may be able to find more using a disassembler or with abootool https://github.com/alephsecurity/abootool
First step to getting more research done would probably be to get EDL working for the US variant. Or someone seeing what "unlock-go" does (probably nothing).
After getting EDL working, getting Firehorse functional would be beneficial. However I don't know how the rawprogram.xml is generated. I believe it has to be generated using the partition table somehow, but I do not know how to find the partition table.
I don't know how the bootloader images are signed, but my guess is that flashing CN over US will just leave your phone permanently bricked if they are signed differently. Downgrading the bootloader will also not work if qfuses are implemented correctly (although sometimes they aren't). Checking 16C7 in emmc_appsboot.mbn, US bootloader has the same string across versions and CN has a different one so I'm guessing they are in fact signed differently.
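One cheap way to confirm the "oem" command lists above (and to spot the ones the US ROM lacks) is to pull the printable strings out of emmc_appsboot.mbn and filter for the `oem <name>` form; lk-based aboot registers each handler by that full string, so the names usually survive verbatim. The script below is an added example, not code from the thread or from abootool; `SAMPLE_ABOOT` is a constructed stand-in for a slice of the binary, not real bootloader bytes, and the `find_oem_commands`/`diff_command_sets` names are this example's own.

```python
import re
import string

# Constructed stand-in for a slice of emmc_appsboot.mbn: NUL-separated strings as
# they would sit in the .rodata of an lk aboot. Not real bootloader bytes.
SAMPLE_ABOOT = (
    b"\x00\x00ELF\x00"
    b"oem unlock\x00" b"oem unlock-go\x00" b"oem lock\x00" b"oem device-info\x00"
    b"\x7f\x80\xff"                      # junk bytes between string runs
    b"oem enable-charger-screen\x00" b"oem select-display-panel\x00"
    b"Device unlocked: %s\x00"           # a format string, not a command
    b"oem run-tests\x00" b"oem \x00" b"reboot-bootloader\x00"
)

# Printable ASCII minus the whitespace control characters (space is kept).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    out, cur = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:            # flush a run that reaches end of blob
        out.append(cur.decode("ascii"))
    return out


# A whole string of the form "oem <name>"; "oem " alone has no name and is skipped.
OEM_CMD = re.compile(r"^oem ([A-Za-z0-9][A-Za-z0-9_-]*)$")


def find_oem_commands(blob: bytes) -> list[str]:
    """Sorted names of fastboot 'oem <name>' handlers whose strings appear in blob."""
    names = set()
    for s in extract_strings(blob):
        m = OEM_CMD.match(s)
        if m:
            names.add(m.group(1))
    return sorted(names)


def diff_command_sets(a: list[str], b: list[str]) -> tuple[list[str], list[str]]:
    """(only in a, only in b): e.g. commands a CN aboot has that the US one lacks."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


if __name__ == "__main__":
    # Usage on a real file: find_oem_commands(open("emmc_appsboot.mbn", "rb").read())
    cn = find_oem_commands(SAMPLE_ABOOT)
    us = ["unlock", "unlock-go", "lock", "device-info"]   # list from the US ROM above
    print("commands:", cn)
    print("CN-only / US-only:", diff_command_sets(cn, us))
```

Presence of a string only proves a handler exists, not what it does; "unlock-go" and "run-tests" still need the disassembler to learn their behaviour, and a handler may check the lock or fuse state before doing anything.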

Hello! I have US variant and EDL is working, you can type in adb: reboot edl

So I didn't find out "adb reboot fastboot" doesn't work until now.
Since EDL can read/write partitions, it might be possible to
1. Unlock the bootloader by dumping devinfo, writing unlock bit, then writing it back to the device
2. Upload a su binary to the system partition after the bootloader has been unlocked. (It's not that simple these days, unfortunately)
Additionally there is a flag in build.prop that seems to enable download mode but in reality it does nothing at all. The prop is "persist.sys.dlctrl" with a setting of 1. But maybe it's for development devices only.
Unsurprisingly, Factory Test Mode does not give you a root shell. It's the same privilege level as normal boot.
Using the firehose elf from the TWRP thread, I was able to dump the devinfo partition, but the partition is all zeroes. I'm not sure what's missing.

Recently discovered zero-day exploit in Android could possibly help us with an alternative way to achieve root? Anyone with the skills to use this knowledge to get us "no bootloader" owners any closer to our goal?
https://www.helpnetsecurity.com/2019/10/17/android-root-cve-2019-2215/

ZeroTheSavior said:
So I didn't find out "adb reboot fastboot" doesn't work until now.
Since EDL can read/write partitions, it might be possible to
1. Unlock the bootloader by dumping devinfo, writing unlock bit, then writing it back to the device
2. Upload a su binary to the system partition after the bootloader has been unlocked. (It's not that simple these days, unfortunately)
Additionally there is a flag in build.prop that seems to enable download mode but in reality it does nothing at all. The prop is "persist.sys.dlctrl" with a setting of 1. But maybe it's for development devices only.
Unsurprisingly, Factory Test Mode does not give you a root shell. It's the same privilege level as normal boot.
Using the firehose elf from the TWRP thread, I was able to dump the devinfo partition, but the partition is all zeroes. I'm not sure what's missing.
It doesn't use devinfo to store the bootloader bit; it's stored in the rpm partition and cannot be modified. As you can see, the bootloader does not have to be unlocked to boot non-ZTE-signed images, but if it could be unlocked we would be able to run newer devices' firmware. ZTE played it smart and signed every variant differently, so aboot from another variant will brick you.
Sent from my ZTE A2020U Pro using Tapatalk

I see.
Unfortunately I think most of this is beyond my ability and knowledge, this is my first time trying to "exploit" a device (if you can honestly call it that, I don't even know what I'm doing half the time).
But since bootloader does not need to be unlocked to run unsigned images, is it possible to run a custom kernel?

ZeroTheSavior said:
I see.
Unfortunately I think most of this is beyond my ability and knowledge, this is my first time trying to "exploit" a device (if you can honestly call it that, I don't even know what I'm doing half the time).
But since bootloader does not need to be unlocked to run unsigned images, is it possible to run a custom kernel?
Yes, I ported Lineage to the device. But trying to modify stock and change the kernel or flash Magisk I had no luck. Not sure what the f**k is stopping it, is all I can say. I'm doing a lot of security studying and programming; I'm sure I'll figure it out sooner or later. My goal is to get a custom lk running with fastboot, run oem unlock, then switch to CN updated firmware.
Sent from my ZTE A2020U Pro using Tapatalk

Related

[Bootloader help] capture during flashing sbf with RsdLite

Hi everyone,
I'm posting here because I haven't got enough posts to write in the dev section.
I'm including a capture made with the software USBlyzer; a trial can be found on the official site
http://www.usblyzer.com/
This is not a full capture because I think we just need the first block of data.
My Defy is a locked one,
so now we need a capture of an unlocked one to compare them.
PS: I've flashed 3.4.2-179 CEE
I had the same idea, but the problem is: we need a full dump of a Motorola service center employee resetting the OMAP board to engineering mode, which - as far as I know - is done with a special TI tool and not with RSDLite.
EDIT Correct me please if I am wrong, but I think there are no unlocked bootloaders out there, just phones in engineering mode with the same bootloader, where the bootloader does not check signatures....
pisquared said:
the problem is: we need a full dump of a Motorola service center employee resetting the OMAP board to engineering mode, which - as far as I know - is done with a special TI tool and not with RSDLite.
EDIT Correct me please if I am wrong, but I think there are no unlocked bootloaders out there, just phones in engineering mode with the same bootloader, where the bootloader does not check signatures....
Since no engineer from Motorola is releasing the bin file to flash the OMAP, I'm trying to reverse engineer the flashing process to enter fastboot mode, like t0desicy has tried to do by modifying the DLL used by RSD Lite:
http://forum.xda-developers.com/showthread.php?t=1443678&page=75
So maybe if we know what hex command is sent by RSD to enter fastboot mode, we don't need to modify the DLL but can create our own tool to flash a custom kernel?
Even if the bootloader is not unlocked, in both cases we can flash unsigned SBFs, and that's what we are looking for.
Won't help
I am afraid this will not help.
I may be wrong, but:
first, there already is a reverse-engineered tool called sbf_flash:
Code:
blog.opticaldelusion.org/2010/05/sbfflash.html
second, the bootloader, i.e. mbmloader and mbm, is verified every time on boot, so even if you can flash a hacked bootloader the OMAP chip will refuse to boot with it.
Because the writer of sbf_flash does not want to release the source code, your work is very important, though!
Maybe one of these can be helpful:
Code:
wiki.wireshark.org/Tools#USB_capture
but most of them will not work with anything later than Windows XP, I am afraid.
EDIT I propose the following scenario: somebody brings a bricked phone to the service center and asks to dump the USB traffic of the operation which switches the phone to engineering mode... So there would be no indication of the employee in the dump, even if the TI software requires a dongle/you name it.
EDIT Just found another free USB sniffer
Code:
code.google.com/p/busdog/
Had no time to test it, though.

cnc-bootloader: Bootloader access on any phone!

cnc-bootloader
When you need fastboot but just can't get to it
So I was working with my phone trying to see what I can do with it. I got it rooted (via towelroot), installed BusyBox, SuperSU, the usual. Then I installed a custom recovery and then installed a script to enter recovery via VolDown+Power. It softbricked the phone and gave me an LG Security Error. I fixed it and thought, hey? Why not create an exploit that forces the phone into bootloader mode.
There sadly is no common access to bootloader mode, and so unless you softbrick there is no bl mode. Until cnc-bootloader (command and conquer bootloader) is released (now lol). This exploit creates a backup of the boot partition, then erases it. I am also developing a computer GUI to make it easier and safer. It uses a slightly different method of doing it and it can be a lot safer too, so if you aren't comfortable with this then I'll post a link when I release it. (NOTE: This GUI is released by Trident-Dev. It is not open source.) So here's how it works:
Download the cnc-bootloader exploit and run with root permission on your device.
It will then make a backup called boot.img and erase your boot partition.
WARNING: Make sure to backup boot.img to your computer before you reboot. This is the only way to exit bootloader mode
Then just reboot your phone like n0rmal and it should be in a bootloader loop!
(This can be fixed by reflashing the backed up boot.img)
The exploit is available on GitHub at (Give me some time to get these 10 posts down and I will post the link. I have it up on Androidforums.com so yea. Just search for rpgslayer redtelko there and it will be one of the only threads you will see
More information is available in the README.md file and stay tuned for the release of our GUI version!
I would like to try this on my Sprint LG G4 to unlock bootloader. Please provide the link.
https://www.codeaurora.org/projects...unds-checking-when-flashing-sparse-images-cve
Based off this?
Your account on GitHub doesn't exist.

Flashing Guide RoundUp for the LeEco Le Pro 3

Hi everyone, I finally got a little time to put together a guide to flashing stuff on the LeEco Le Pro 3 X727.
This phone comes with an unlockable bootloader out of the box, but we found some ways to get around that.
This guide will help anyone with a new X727 unlock the bootloader, install TWRP and root it.
First, I'd like to give huge props to @dr4stic for his excellent work on making it easier to unlock the phone, and for helping me get back to the US ROM after installing the Chinese rom.
On to the flashing...
If you want to take the long way around, this was the first method used for unlocking the bootloader:
First method is using the stock Chinese ROM & renaming it update.zip, place it in the root directory then use the Update app (or in settings) to select that update, then let it do its thing. It takes a while to boot back up so be patient.
Stock Chinese ROM: https://www.androidfilehost.com/?fid=529152257862681546
Once the Chinese ROM is installed and booted up, enable Developer Options, make sure OEM Unlocking is turned on, then enable USB Debugging.
For these next steps, I'm quoting @dr4stic:
Have ADB/Fastboot tools on your computer (I am not helping you here; if you're lucky, maybe your friends will help)
Make sure you have enabled the developer tools, turned on USB debugging, and authorized your computer on your device (again, I'm not helping with that)
Make sure adb can see your device when you run "adb devices"
Run "adb reboot bootloader"
Run "fastboot devices" to make sure you see your device
Run "fastboot oem unlock-go" to unlock your device temporarily
Run "fastboot oem device-info" to verify unlock status
Your bootloader is now permanently unlocked (well, until you re-lock it on purpose).
The second, and much shorter method, is outlined in @dr4stic's thread here: http://forum.xda-developers.com/le-pro3/development/x727-model-persistent-bootloader-unlock-t3500388
Once your bootloader is unlocked, you'll want to install TWRP.
Here are a couple options for TWRP:
https://www.androidfilehost.com/?fid=529152257862668751 (Chinese version)
https://www.androidfilehost.com/?fid=385035244224398544 (GrossoShop version)
Download either of those (or both if you want to try both), extract them and place the .img file(s) into the folder your ADB & Fastboot files are. To make the flashing easier, rename the twrp files to twrp.img. If you still have your command prompt window open, great! If not, open one again.
Now:
Run "fastboot flash recovery twrp.img" (or whatever the twrp image filename is on your computer) to flash TWRP.
When flashing is complete, reboot into TWRP by pressing and holding Power Button and Volume Up Button at the same time and holding until you see the TWRP splash screen.
If TWRP boots up in Chinese, tap the big button on the lower right to open the language settings and choose the language you can understand.
Alright, now you have an unlocked bootloader and custom recovery installed. Your world has opened up a little bit more
The main problem with installing the stock Chinese ROM is that it does not have Google Play and there is no band 12 support (at least for T-Mobile), but at least bands 2 & 4 still work.
It's easy enough to find methods to get that installed, but I tried the GrossoShop ROM which is a very good ROM, but if you must have band 12, you'll need to read down a little farther.
Link to GrossoShop ROM: https://www.androidfilehost.com/?fid=529152257862686304
Okay, if you chose to use the long route and installed the Chinese ROM, you can still get back to the full US version, complete with all LTE bands. dr4stic is responsible for this gem, and was my way back to US ROMdom.
To go from Chinese or Custom ROM back to Stock US version:
The file is located in his Android File Host space here: https://www.androidfilehost.com/?fid=601275311581036717
It's a little tricky to install, so follow these steps:
1. Enter TWRP and from Advanced Wipe, wipe Dalvik/ART Cache, Cache, System and Data (leave Internal Storage untouched if that's where you copied the new ROM zip).
2. Install CN5.8.018s-to-US5.8.019s.zip
3. DO NOT REBOOT DIRECTLY AFTER FLASHING (Phone just vibrates forever if you reboot directly after flashing)
4. Go back to TWRP Home, then tap Reboot, then tap System.
The phone should reboot after that, and it might take a while. Then follow the setup process as you normally would and it should go through the Google setup as well.
To install root, I use SuperSU. Sometimes it's kinda hard to find the most up to date version, so I'll post the latest one that I have: https://www.androidfilehost.com/?fid=457095661767120474
There's probably a newer version already, but I haven't looked.
Simply download and flash that file in TWRP, reboot and you're rooted. Easy peasy.
To flash only the US modem to restore band 12 on any ROM:
Download: https://www.androidfilehost.com/?fid=601300970940399635
Extract the zip file and place it in your adb & fastboot folder.
From your adb & fastboot files folder (with the modem image in there too) open a command prompt and run
fastboot flash modem modem-5.8.019s.img
Then reboot your phone.
Keep this file handy because you'll need it every time you flash a ROM that doesn't have a US modem.
With the methods listed above, you should now be able to take a new LeEco Le Pro 3 X727 and unlock the bootloader, install TWRP, flash whatever ROMs you want, and restore US modem.
Again, big big thanks to @dr4stic for getting us to this point with the easy unlock option AND big thanks to all of you folks here in the forums for all of your suggestions, efforts and enthusiasm!
I imagine there will be some refinements and/or corrections to this guide as questions and suggestions come up, so please, if you see something in here that is wrong or unclear, please let me know.
Thank you for the good guide.
well done. Please keep it updated...
suhridkhan said:
well done. Please keep it updated...
lilila said:
Thank you for the good guide.
Thank you and you're welcome. I'll try to keep this updated as new info or procedures come up :good:
hondajohn88 said:
Hi everyone, I finally got a little time to put together a guide to flashing stuff on the LeEco Le Pro 3 X727.
This phone comes with an unlockable bootloader out of the box, but we found some ways to get around that.
This guide will help anyone with a new X727 unlock the bootloader, install TWRP and root it.
First, I'd like to give huge props to @dr4stic for his excellent work on making it easier to unlock the phone, and for helping me get back to the US ROM after installing the Chinese rom.
On to the flashing...
If you want to take the long way around, this was the first method used for unlocking the bootloader:
First method is using the stock Chinese ROM & renaming it update.zip, place it in the root directory then use the Update app (or in settings) to select that update, then let it do its thing. It takes a while to boot back up so be patient.
Stock Chinese ROM: https://www.androidfilehost.com/?fid=529152257862681546
Once the Chinese ROM is installed and booted up, enable Developer Options, make sure OEM Unlocking is turned on, then enable USB Debugging.
For these next steps, I'm quoting @dr4stic:
Have ADB/Fastboot tools on your computer (I am not helping you here; if you're lucky, maybe your friends will help)
Make sure you have enabled the developer tools, turned on USB debugging, and authorized your computer on your device (again, I'm not helping with that)
Make sure adb can see your device when you run "adb devices"
Run "adb reboot bootloader"
Run "fastboot devices" to make sure you see your device
Run "fastboot oem unlock-go" to unlock your device temporarily
Run "fastboot oem device-info" to verify unlock status
Your bootloader is now permanently unlocked (well, until you re-lock it on purpose).
The second, and much shorter method, is outlined in @dr4stic's thread here: http://forum.xda-developers.com/le-pro3/development/x727-model-persistent-bootloader-unlock-t3500388
Once your bootloader is unlocked, you'll want to install TWRP.
Here are a couple options for TWRP:
https://www.androidfilehost.com/?fid=529152257862668751 (Chinese version)
https://www.androidfilehost.com/?fid=385035244224398544 (GrossoShop version)
Download either of those (or both if you want to try both), extract them and place the .img file(s) into the folder your ADB & Fastboot files are. To make the flashing easier, rename the twrp files to twrp.img. If you still have your command prompt window open, great! If not, open one again.
Now:
Run "fastboot flash recovery twrp.img" (or whatever the twrp image filename is on your computer) to flash TWRP.
When flashing is complete, reboot into TWRP by pressing and holding Power Button and Volume Up Button at the same time and holding until you see the TWRP splash screen.
If TWRP boots up in Chinese, tap the big button on the lower right to open the language settings and choose the language you can understand.
Alright, now you have an unlocked bootloader and custom recovery installed. Your world has opened up a little bit more
The main problem with installing the stock Chinese ROM is that it does not have Google Play and there is no band 12 support (at least for T-Mobile), but at least bands 2 & 4 still work.
It's easy enough to find methods to get that installed, but I tried the GrossoShop ROM which is a very good ROM, but if you must have band 12, you'll need to read down a little farther.
Link to GrossoShop ROM: https://www.androidfilehost.com/?fid=529152257862686304
Okay, if you chose to use the long route and installed the Chinese ROM, you can still get back to the full US version, complete with all LTE bands. dr4stic is responsible for this gem, and was my way back to US ROMdom.
To go from Chinese or Custom ROM back to Stock US version:
The file is located in his Android File Host space here: https://www.androidfilehost.com/?fid=601275311581036717
It's a little tricky to install, so follow these steps:
1. Enter TWRP and from Advanced Wipe, wipe Dalvik/ART Cache, Cache, System and Data (leave Internal Storage untouched if that's where you copied the new ROM zip).
2. Install CN5.8.018s-to-US5.8.019s.zip
3. DO NOT REBOOT DIRECTLY AFTER FLASHING (Phone just vibrates forever if you reboot directly after flashing)
4. Go back to TWRP Home, then tap Reboot, then tap System.
The phone should reboot after that, and it might take a while. Then follow the setup process as you normally would and it should go through the Google setup as well.
To install root, I use SuperSU. Sometimes it's kinda hard to find the most up to date version, so I'll post the latest one that I have: https://www.androidfilehost.com/?fid=457095661767120474
There's probably a newer version already, but I haven't looked.
Simply download and flash that file in TWRP, reboot and you're rooted. Easy peasy.
With the methods listed above, you should now be able to take a new LeEco Le Pro 3 X727 and unlock the bootloader, install TWRP, and flash whatever ROMs you want.
Again, big big thanks to @dr4stic for getting us to this point with the easy unlock option AND big thanks to all of you folks here in the forums for all of your suggestions, efforts and enthusiasm!
I imagine there will be some refinements and/or corrections to this guide as questions and suggestions come up, so please, if you see something in here that is wrong or unclear, please let me know.
Nice one John
seffmono said:
Nice one John
Thank you kind sir
"...It's easy enough to find methods to get that installed, but I tried the GrossoShop ROM which is a very good ROM, but if you must have band 12, you'll need to read down a little farther..."
Did I miss the part on how to keep the Band 12 capabilities?
Thanks John, you have been very kind and helpful! So here what my setup is...
1. I installed Chinese ROM on 727.
2. Unlocked bootloader
3. Installed twrp, installed CM13.
I'm happy with this setup. All I want is the T-Mobile band 12 support. Can you please post steps on this part as well?
I see a long process where I can install CN.x.x.to.US.x.x.zip file via twrp. But will this lock the bootloader again and replace it with stock recovery? I didn't know that TWRP can update bootloader so I'm curious. If so I can follow dr4stic's guide to unlock the bootloader and then install twrp and restore the backup of my CM13.
Sent from my LEX720 using Tapatalk
ceo.mtcl said:
Thanks John, you have been very kind and helpful! So here what my setup is...
1. I installed Chinese ROM on 727.
2. Unlocked bootloader
3. Installed twrp, installed CM13.
I'm happy with this setup. All I want is the T-Mobile band 12 support. Can you please post steps on this part as well?
I see a long process where I can install CN.x.x.to.US.x.x.zip file via twrp. But will this lock the bootloader again and replace it with stock recovery? I didn't know that TWRP can update bootloader so I'm curious. If so I can follow dr4stic's guide to unlock the bootloader and then install twrp and restore the backup of my CM13.
Sent from my LEX720 using Tapatalk
Flashing the CN-US ROM will not relock the bootloader, so you're safe there.
I followed the shorter version to unlock the bootloader and flashed twrp, and it worked. Once I reboot, and go back in recovery, it goes to stock recovery. I wonder if I need to delete the stock recovery?
Sent from my SM-N930V using Tapatalk
rob_z11 said:
I followed the shorter version to unlock the bootloader and flashed twrp, and it worked. Once I reboot, and go back in recovery, it goes to stock recovery. I wonder if I need to delete the stock recovery?
Sent from my SM-N930V using Tapatalk
If you install TWRP from fastboot (fastboot flash recovery twrp.img), it should replace the factory recovery.
rob_z11 said:
I followed the shorter version to unlock the bootloader and flashed twrp, and it worked. Once I reboot, and go back in recovery, it goes to stock recovery. I wonder if I need to delete the stock recovery?
In fastboot mode type "fastboot flash recovery recovery.img".... Fastboot boot recovery.img will only boot it and return back to stock after reboot. Flash will make it remain.
seffmono said:
In fastboot mode type "fastboot flash recovery recovery.img".... Fastboot boot recovery.img will only boot it and return back to stock after reboot. Flash will make it remain.
I will try that.
I am really interested in flashing my phone with cyanogen but I am a total newbie at this. Could someone post a video tutorial for 727 model?
worries said:
I am really interested in flashing my phone with cyanogen but I am a total newbie at this. Could someone post a video tutorial for 727 model?
I hate to speak for everyone here but it's highly unlikely someone will take the time to do that. I suggest you instead do as much research as you can, and make a video for the next person like yourself that prefers it. Speaking from experience most people on XDA will recommend spending as much time reading and learning as you can, and then taking the "leap" on your own. Rooting and unlocking is not for the faint of heart, and a bit of confidence in your own abilities can go a long way! I hope this doesn't sound condescending, but just my advice. Best of luck!
I just installed the stock Chinese ROM and when it boots it asks for a password to start Android. Has anyone else seen this? Do you know what the password is?
---------- Post added at 05:55 AM ---------- Previous post was at 05:29 AM ----------
Nevermind. Booted into recovery and formatted the system then it ran fine.
huemedia said:
I just installed the stock Chinese ROM and when it boots it asks for a password to start Android. Has anyone else seen this? Do you know what the password is?
I had this happen and, if I remember correctly, there is a bug in the system and it won't let you past that screen regardless of what you do. Just boot to TWRP, do a data backup, format everything else except internal storage, and reflash your ROM.
I followed this guide and flashed the US modem zip on top of stock 19s. However, my SIM is recognized and the "Mobile Networks" setting page is grayed out. However, my phone is still booting with Chinese text in the bootloader. How do I fix this?
Anyone tried this method on stock 20s build to unlock the bootloader?
LeEco Pro3
toanau said:
Anyone tried this method on stock 20s build to unlock the bootloader?
LeEco Pro3
I am trying the long way and it's failing (20s)
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem device-info
...
(bootloader) Device product name: [le_zl1_oversea]
(bootloader) Device tampered: false
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: true
(bootloader) Charger screen enabled: false
(bootloader) Serial console enabled: false
(bootloader) Serial hw output enabled: false
(bootloader) Display panel:
OKAY [ 0.083s]
finished. total time: 0.083s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem unlock-go
...
FAILED (remote: oem unlock is not allowed)
finished. total time: 0.011s
I'm dumb, never mind.
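The transcript above is exactly the check the guide tells you to make before flashing ("fastboot oem device-info" to verify unlock status), and the "oem unlock is not allowed" failure is the symptom of skipping the guide's earlier prerequisite (OEM Unlocking turned on in Developer Options). The script below is an added example, not part of the thread: it parses that output into a dict and runs a preflight that refuses to proceed to `fastboot flash recovery` while the device still reports `Device unlocked: false`. `SAMPLE_TRANSCRIPT` is a constructed copy of the post's output, and `parse_device_info`, `preflight` and `explain_failure` are this example's own names.

```python
import re

# Constructed copy of the transcript in the post above (same fields and values).
SAMPLE_TRANSCRIPT = """\
C:\\Program Files (x86)\\Minimal ADB and Fastboot>fastboot oem device-info
...
(bootloader) Device product name: [le_zl1_oversea]
(bootloader) Device tampered: false
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: true
(bootloader) Charger screen enabled: false
(bootloader) Serial console enabled: false
(bootloader) Serial hw output enabled: false
(bootloader) Display panel:
OKAY [  0.083s]
finished. total time: 0.083s
"""

# "(bootloader) <key>: <value>"; value may be empty (Display panel above).
LINE = re.compile(r"^\(bootloader\)\s+(?P<key>[^:]+?):\s*(?P<val>.*)$")


def parse_device_info(text: str) -> dict:
    """Turn `fastboot oem device-info` output into {snake_case_key: value}."""
    info = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                     # prompt, '...', OKAY and timing lines
        key = m.group("key").strip().lower().replace(" ", "_")
        val = m.group("val").strip()
        if val.lower() in ("true", "false"):
            val = val.lower() == "true"  # booleans become real bools
        elif val.startswith("[") and val.endswith("]"):
            val = val[1:-1]              # "[le_zl1_oversea]" -> "le_zl1_oversea"
        elif val == "":
            val = None                   # empty field, e.g. Display panel
        info[key] = val
    return info


def preflight(info: dict) -> list[str]:
    """Problems that should stop a `fastboot flash` of recovery; empty means go."""
    problems = []
    if info.get("device_unlocked") is not True:
        problems.append("bootloader still locked: run 'fastboot oem unlock-go' "
                        "and re-check device-info before flashing")
    if info.get("device_tampered") is True:
        problems.append("device reports tampered: expect a warning on boot")
    if "device_product_name" not in info:
        problems.append("no device-info fields parsed: is the device in fastboot?")
    return problems


def explain_failure(fastboot_stderr: str, info: dict) -> str:
    """Map the unlock-go failure seen above to the guide's missing prerequisite."""
    if "oem unlock is not allowed" in fastboot_stderr and info.get("device_unlocked") is False:
        return ("bootloader refused the unlock: boot Android, enable OEM Unlocking "
                "in Developer Options (and USB debugging), then retry")
    if info.get("device_unlocked") is True:
        return "device is already unlocked; nothing to do"
    return "unrecognised failure: " + fastboot_stderr.strip()


if __name__ == "__main__":
    info = parse_device_info(SAMPLE_TRANSCRIPT)
    print(info)
    print(preflight(info))
    print(explain_failure("FAILED (remote: oem unlock is not allowed)", info))
```

Note that "Device critical unlocked: true" is a separate flag from "Device unlocked"; only the latter is what the guide's "verify unlock status" step is about, so the preflight keys on that field alone.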

How was the bootloader locked? Is it possible to remove "different OS" message?

How was the bootloader locked? Is it possible to remove "different OS" message?
I'm curious about how "verified boot" and bootloader lock things work.
In the beginning, after some googling, I found there're already tons of tutorials which taught you how to "bypass the bootloader lock on Z2". I tried to follow one of these tutorials, then I confirmed it's true. I'm actually able to flash magisk/twrp/lineageos/etc using the QFIL partition manager under Qualcomm EDL (9008) mode - the "bootloader lock" seems to be totally useless, since such "lock" actually allows me to flash & boot non-official images smoothly. Although there's a warning screen saying "Your device has loaded a different operating system" during boot, it didn't stop me from booting non-official images.
I tried to hash the whole eMMC, including all partitions, the GPT, and the gaps (unpartitioned space) between partitions. After comparing them before/after fastboot oem unlock, I found some partitions indeed changed. However, after "restoring" them, the bootloader still told me it's "unlocked" or "relocked", instead of "locked".
It seems that the bootloader lock mechanism relies on something outside the eMMC.
I then tried to downgrade to the old stock ROM (ZUI 1.9) using QPST/QFIL; it's said that such an action could restore the bootloader lock state. I confirmed that it's true, the bootloader was restored to the "locked" state; however, I have no idea how it worked.
A hex editor finds the "Your device has loaded a different operating system" string in aboot.img. However, flashing a modified aboot.img (I'm still not able to remove that check, I just slightly modified the string) didn't seem to be allowed; the device would be "bricked" into 900E (can be unbricked again under 9008).
I feel I'm somewhat getting it... Apologies/thanks to @npjohnson for disturbing him. These articles also helped me a lot: https://alephsecurity.com/2018/01/22/qualcomm-edl-1/
https://lineageos.org/engineering/Qualcomm-Firmware/
My current understanding of this problem is as follows (might contain some errors still):
ZUK Z2, as a Qualcomm MSM device, adopts QCOM SecureBoot as well, which has the following flow chart of boot:
PBL/BootROM -> SBL(xbl) -> aboot(littlekernel) -> boot(linux kernel, ramdisk and cmdline)
There is a "chain of trust": PBL knows the hash of a pubkey, therefore it can verify if the SBL is officially signed or not, then SBL verifies aboot, and so on.
Although I still don't know exactly what pub/private keys are involved during this process, it seems that all of those private keys (for Z2) are not publicly available, obviously.
The bootloader (aboot/lk) locking state is supposed to be stored in EFUSE/QFUSE, which could not be accessed through ordinary ways.
Due to the practice of reverting to "locked" state by flashing the stock ZUI 1.9 ROM, I guess it should be stored in EFUSE instead of QFUSE (which is physically blown).
I don't know why Lenovo would allow custom boot/recovery images to boot, without executing the official unlocking procedure. It might be their carelessness, or just an intentional "convenience" (to reduce support pressure/costs from "undisciplined users", while still keeping the device integrity state evident, I guess?)
I once thought EFIdroid was able to replace the official aboot/lk, then it turned out I just misunderstood it; EFIdroid is actually installed to the boot partition, instead of the aboot partition.
In short, it doesn't seem to be possible to eliminate the "Your device has loaded a different operating system" warning, until some sort of vulnerability can be exploited.
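The chain of trust described above (PBL knows a pubkey hash, each stage verifies the next, the lock state lives in fuses rather than on the eMMC) can be modelled in a few dozen lines, and the model reproduces both observations in this post: a modified aboot never runs (the chain halts, which on the real device shows up as 900E), while a modified boot image runs with only the "different operating system" warning because aboot's policy on this device is warn-and-continue. The code below is an added example and not Qualcomm's, Lenovo's or LineageOS's code; the toy RSA with Mersenne primes and no padding is only there so the chain logic runs offline and is not a real signature scheme, and every name (`make_keypair`, `boot_chain`, `tamper`, the stage policies) is this example's own assumption.

```python
import hashlib

# Toy RSA: Mersenne primes M127 and M89 give a ~216-bit modulus. No padding,
# no real security; it exists only so the chain-of-trust logic can be exercised.
P, Q, E = (1 << 127) - 1, (1 << 89) - 1, 65537


def make_keypair(p=P, q=Q, e=E):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public, private)


def digest(data: bytes) -> int:
    # Truncated SHA-256 so the integer stays below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data)


def pubkey_hash(pub) -> str:
    """What the PBL/fuses hold: a hash of the OEM public key, not the key itself."""
    n, e = pub
    return hashlib.sha256(n.to_bytes(32, "big") + e.to_bytes(4, "big")).hexdigest()


OEM_PUB, OEM_PRIV = make_keypair()
TRUSTED_PUBKEY_HASH = pubkey_hash(OEM_PUB)   # burned into fuses, not on the eMMC


def build_image(payload: bytes, priv, pub) -> dict:
    """A signed stage image: code, the cert (public key) and a signature over the code."""
    return {"payload": payload, "pub": pub, "sig": sign(priv, payload)}


def stock_images() -> dict:
    """The eMMC contents: every stage signed with the OEM key."""
    return {s: build_image(f"stock {s} code".encode(), OEM_PRIV, OEM_PUB)
            for s in ("sbl", "aboot", "boot")}


def tamper(images: dict, stage: str, new_payload: bytes, priv=None, pub=None) -> dict:
    """Replace one stage: either patched bytes with the old signature (a hex edit),
    or a re-signed image under a non-OEM key (priv/pub supplied)."""
    out = dict(images)
    if priv is None:
        out[stage] = dict(images[stage], payload=new_payload)
    else:
        out[stage] = build_image(new_payload, priv, pub)
    return out


def image_ok(img: dict) -> bool:
    # Cert must chain to the fused hash AND the signature must cover the payload.
    return (pubkey_hash(img["pub"]) == TRUSTED_PUBKEY_HASH
            and verify(img["pub"], img["payload"], img["sig"]))


# Per-stage policy on a failed check (assumption modelled on the post):
# sbl/aboot halt the chain; this device's aboot only warns about boot.
POLICY = {"sbl": "halt", "aboot": "halt", "boot": "warn"}


def boot_chain(images: dict) -> tuple:
    """Walk PBL -> SBL -> aboot -> boot. Returns (last stage run, list of events)."""
    events, ran = [], None
    for stage in ("sbl", "aboot", "boot"):
        if image_ok(images[stage]):
            events.append(f"{stage}: verified")
        elif POLICY[stage] == "halt":
            events.append(f"{stage}: verification failed, halting (900E on the real device)")
            return ran, events
        else:
            events.append(f"{stage}: not OEM-signed, warning "
                          "'Your device has loaded a different operating system'")
        ran = stage
    return ran, events


if __name__ == "__main__":
    for label, imgs in [("stock", stock_images()),
                        ("patched aboot", tamper(stock_images(), "aboot", b"patched")),
                        ("custom boot", tamper(stock_images(), "boot", b"lineage"))]:
        print(label, boot_chain(imgs))
```

Two details are worth noticing in the model. Restoring eMMC partitions cannot change `TRUSTED_PUBKEY_HASH`, which is why the post's before/after image comparison could not find the lock state there; and re-signing aboot with your own key fails not on the signature (which is valid) but on the certificate check, since the fused hash only matches the OEM key.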

How To Guide guide unlock bootloader & enable root (magisk)

Code:
/*
* Your warranty is no longer valid, unless you lie.
*
* I am not responsible for bricked devices, strained relationships,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this kernel
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*
*/
GUIDE UNLOCKING BOOTLOADER & ROOTING Xperia 10 III (PDX213)
STEP 1 - UNLOCK YOUR BOOTLOADER
1- GUIDE UNLOCK BOOTLOADER XPERIA
2- WEB UNLOCK TOOLS BOOTLOADER XPERIA
STEP 2 - DOWNLOAD FIRMWARE STOCK USING XPERIFIRM
STEP 3 - extract boot_X-FLASH-ALL-8A63.sin using zip file manager ( 7zip, for ex here I used Ark zip manager from Fedora OS)
rename boot.000 to boot.img
STEP4 - install magisk manager in your phone from official github release
- open magisk patch your boot.img
STEP5 - go in fastboot and enter :
fastboot flash boot boot_patched.img
ENJOY
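A pre-flash sanity check for the image produced in steps 3 and 4, added here as an example that is not part of the original guide: it confirms the file really is an Android boot image (the "ANDROID!" magic plus a plausible header version at byte 40, which every boot header version 0 through 4 carries) and records the SHA-256 of both the stock and the patched image so the stock one can be identified and restored later. It assumes a Linux PC with coreutils (od, sha256sum) and the file names boot.img and boot_patched.img from the guide.

```shell
#!/bin/sh
# Added example (not from the guide or from Magisk): check an extracted boot
# image before handing it to fastboot, and keep a hash log for rollback.

# Return 0 if $1 looks like an Android boot image: "ANDROID!" magic at offset 0
# and a known header version (0-4) in the 32-bit field at byte offset 40.
check_boot_image() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    magic=$(head -c 8 "$f")
    if [ "$magic" != "ANDROID!" ]; then
        echo "$f: missing ANDROID! magic (still a .sin container, or boot.000 not renamed?)" >&2
        return 1
    fi
    hv=$(od -An -t u4 -j 40 -N 4 "$f" | tr -d ' \n')
    case "$hv" in
        0|1|2|3|4) ;;
        *) echo "$f: unexpected boot header version '$hv'" >&2; return 1 ;;
    esac
    echo "$f: boot image, header version $hv"
    return 0
}

# Print the SHA-256 of $1 and append it to the log file $2 (default
# boot_hashes.txt), so the stock image can be matched and re-flashed later.
record_hash() {
    f="$1"; log="${2:-boot_hashes.txt}"
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$f" | cut -d' ' -f1)
    else
        sum=$(shasum -a 256 "$f" | cut -d' ' -f1)   # macOS fallback
    fi
    printf '%s  %s\n' "$sum" "$f" >> "$log"
    echo "$sum"
}

# Usage following the guide's steps (assumed file names, not run here):
#   check_boot_image boot.img         && record_hash boot.img
#   check_boot_image boot_patched.img && record_hash boot_patched.img
#   fastboot flash boot boot_patched.img
```

Keep the hash log and the stock boot.img together: if the patched image misbehaves, `fastboot flash boot boot.img` with the stock file whose hash you recorded puts the kernel back without needing TWRP.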
Nice! Now maybe someone can look into fixing that green tint.
zpk787 said:
Nice! Now maybe someone can look into fixing that green tint.
idk what issue you're referring to (maybe the green tint in OLED thread?). Here I have totally normal screen color.
So I have my bootloader unlocked, developer mode on, USB debugging on, LineageOS 18 GSI installed, and reboot into fastboot with `adb reboot fastboot` but
Code:
$ fastboot boot Download/magisk_patched-23000_BOvMB.img
Sending 'boot.img' (98304 KB) OKAY [ 3.595s]
Booting FAILED (remote: 'Unrecognized command boot')
fastboot: error: Command failed
What?? I also tried to go into bootloader, but similar result. Did I mess up the boot.img?
pepijndevos said:
So I have my bootloader unlocked, developer mode on, USB debugging on, LineageOS 18 GSI installed, and reboot into fastboot with `adb reboot fastboot` but
Code:
$ fastboot boot Download/magisk_patched-23000_BOvMB.img
Sending 'boot.img' (98304 KB) OKAY [ 3.595s]
Booting FAILED (remote: 'Unrecognized command boot')
fastboot: error: Command failed
What?? I also tried to go into bootloader, but similar result. Did I mess up the boot.img?
For some reason the bootloader does not allow fastboot boot.
You need: fastboot flash boot patchedboot.img
Yea it's just really scary to flash a patched firmware, what if you did it wrong and it bricks your phone. But well in the end I did it and everything worked out.
One really weird error I get from Magisk is that it says it's in an abnormal state because there is a "su" command that doesn't belong to Magisk. I have no idea where that came from. Should I be concerned? Everything seems to work as far as rooting is concerned, but mysterious su commands could be a security concern maybe. I hope it's not a sketchy GSI or something hehe.
Anyway thanks for your guide. I have MicroG and F-droid working now, as well as ACC. One thing I'd clarify about your guide is that "going into fastboot" is... actual fastboot and not bootloader or recovery which you also use with the fastboot tool. Just a thing that's obvious when you know, but uncertain when you're doing it for the first time.
Oh and another thing that was sliiiightly puzzling is that you actually have to copy the boot.img to your phone, patch it and then copy it back to your PC. Same thing, obvious when you know, kinda puzzling when it's your first time. For me it didn't show up in the file manager after patching so I had to copy it with adb, not sure what that was about.
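When Magisk reports a su that does not belong to it, the first thing to establish is where that su lives and what it is. The script below is an added example, not from the thread, from Magisk or from the GSI, that walks a PATH-style directory list and classifies every su it finds. It assumes (an assumption, not something Magisk's documentation on this page states) that Magisk installs su as a symlink whose target is its magisk binary, so a symlink pointing at magisk is reported as Magisk's and anything else, in particular a setuid regular file, is reported as foreign for closer inspection.

```shell
#!/bin/sh
# Added example: audit every "su" on a colon-separated directory list.
# Assumption: Magisk's su is a symlink to the magisk binary; anything else
# (a foreign symlink, a plain file, a setuid file) is flagged as foreign.
# Directory names are assumed to contain no spaces (true of Android's PATH).

audit_su_binaries() {
    dirs=$(printf '%s' "$1" | tr ':' ' ')
    found=0
    for d in $dirs; do
        p="$d/su"
        # -e fails on a dangling symlink, so also accept -L
        [ -e "$p" ] || [ -L "$p" ] || continue
        found=1
        if [ -L "$p" ]; then
            target=$(readlink "$p")
            case "$target" in
                *magisk*) echo "$p -> $target : magisk" ;;
                *)        echo "$p -> $target : foreign symlink" ;;
            esac
        elif [ -u "$p" ]; then
            echo "$p : foreign setuid binary"
        else
            echo "$p : foreign regular file"
        fi
    done
    # exit status 0 when at least one su was found, 1 otherwise
    [ "$found" -eq 1 ]
}

# Usage on the device (assumed paths, not run here):
#   adb push su_audit.sh /data/local/tmp/
#   adb shell 'sh -c ". /data/local/tmp/su_audit.sh; audit_su_binaries \"\$PATH\""'
```

A foreign su does not by itself prove anything malicious (some GSIs ship their own), but a setuid root su that Magisk did not install is exactly the kind of binary whose origin you want to trace before trusting the image.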
Did anyone notice negative effects after rooting?
Is the camera working fine?
Is Bluetooth working, the microphone and calling?
Is safetynet check passing?
My main goal is to have Adaway working in root mode and have stable Wireguard VPN connection (without battery saving methods killing the process every few minutes), I will try custom ROMs after I get the rest to run.
Camera, bluetooth, microphone, calling, all working fine. No idea about safetynet haven't checked. As mentioned above, it does say I have an extra `su` that I don't know where it came from.
Did you do any backup of the TA partition (if that is even necessary)?
I did not. Not even sure what the TA partition is haha
Of course backups are always a good idea when possible. It just seems a lot of the stuff out there assumes you have TWRP.
pepijndevos said:
I did not. Not even sure what the TA partition is haha
Of course backups are always a good idea when possible. It just seems a lot of the stuff out there assumes you have TWRP.
Check this: https://forum.xda-developers.com/t/does-rooting-sony-phone-still-lower-their-quality.4318171/
And more generally https://www.xda-developers.com/sony-xperia-android-pie-unlock-bootloader-drm-fix-camera/
I gather that the devices with Android 9 or above can safely be unlocked, but that does not necessarily mean everything works with root.
I just want to avoid rooting the device and realizing I need some DRM keys that I lost.
Please update us should any problems arise!
Raubsau said:
Check this: https://forum.xda-developers.com/t/does-rooting-sony-phone-still-lower-their-quality.4318171/
And more generally https://www.xda-developers.com/sony-xperia-android-pie-unlock-bootloader-drm-fix-camera/
I gather that the devices with Android 9 or above can safely be unlocked, but that does not necessarily mean everything works with root.
I just want to avoid rooting the device and realizing I need some DRM keys that I lost.
Please update us should any problems arise!
This is exactly the reason why I haven't rooted my device yet, too. If I understand it correctly, data in the TA partition is modified at the time the bootloader is unlocked, so if we were to create a backup, that would have to happen before unlocking.
The partition is only readable with root privileges, and rooting in general requires an unlocked bootloader. The only way forward is to wait until an exploit becomes available, allowing us to obtain a root shell with the bootloader still locked.
Hopefully it's possible to flash older firmware onto this phone, which would mean we can downgrade to an older Android security patch level if needed (i.e. the potential exploit gets patched by Google or a vendor) - does anyone here know if that's the case? When installing an OTA update, the UI says we won't be able to return to a previous version, but I suppose it's still possible to flash any of the official firmware packages at any point.
Thanks.
Is there any way to get OTA updates while rooted? That's what I loved about LOS. Maybe we'll get it on this device someday.
Thanks for this post. I have managed to unlock the bootloader which is great, but I am not sure how to -
STEP5 - go in fastboot and enter :
fastboot flash boot boot_patched.img
Update: I have not rooted
Unfortunately many users report a WLAN issue with 62.0.A.3.163.
62.0.A.3.131 cannot be downloaded anymore, except the french (FR?) localized versions. Also, I managed to install 62.0.A.3.131 on a 10 III, but denied the update to the latest version to avoid the WiFi troubles.
The boot.img from 62.0.A.3.131 (FR) and 62.0.A.3.163 (EE) differ. I wonder if anything could go wrong with the newer boot.img.
To my understanding, the boot.img contains the kernel... So, I'd like to test it with "fastboot boot boot.img" before I risk flashing, but: "remote: 'unknown command'".
Any suggestions on how to proceed from here?
You can find earlier firmware versions, including "XQ-BT52_Customized EEA_62.0.A.3.131", here: https://forum.xda-developers.com/t/stock-firmware-backups.4382229/
ZenRebel said:
Thanks for this post. I have managed to unlock the bootloader which is great, but I am not sure how to -
STEP5 - go in fastboot and enter :
fastboot flash boot boot_patched.img
Update: I have not rooted
If you've managed to unlock your bootloader, that means you have already entered fastboot mode.
combinedfleet said:
You can find earlier firmware versions, including "XQ-BT52_Customized EEA_62.0.A.3.131", here: https://forum.xda-developers.com/t/stock-firmware-backups.4382229/
Man! Thanks a lot!
Any idea why the boot_X-FLASH-ALL-8A63.sin files differ slightly even if compared between markets (with the same version numbers)?