[APP][2015-01-12][root][GNex/Dev] BootUnlocker for Nexus Devices -- version 1.6.1

[efrant]

Here are segv11's instructions from earlier in the thread:

Also here is me following those instructions for the Nexus 7 if you want to make sure you're following the steps correctly:
http://xdaforums.com/showthread.php?p=33986295#post33986295

Cheers!

It's actually easier if he runs ls -l in the "by-name" folder, rather than in the "block" folder. That way we don't have to search for the names corresponding to the partition numbers.

Sent from my Nexus 4 using Tapatalk 2

 

[steven676]

Awesome, thanks! Since I don't have a Nexus S, I'm not entirely sure what partitions you have. Can you drill down in the /dev/block/platform folder and find the folder "by-name" and get a list by typing "ls -l" in that folder and post the partition list here.

We have both MTD (OneNAND) and eMMC flash on crespo. For the MTD flash:

shell@android:/ $ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00200000 00040000 "bootloader"
mtd1: 00140000 00040000 "misc"
mtd2: 00800000 00040000 "boot"
mtd3: 00800000 00040000 "recovery"
mtd4: 1d580000 00040000 "cache"
mtd5: 00d80000 00040000 "radio"
mtd6: 006c0000 00040000 "efs"

I can dump any of these partitions for you if you like.

For the eMMC (I very much doubt the information you need is here, but for posterity):

shell@android:/ $ ls -l /dev/block/platform/s3c-sdhci.0/by-name                
lrwxrwxrwx root     root              2013-01-13 19:32 media -> /dev/block/mmcblk0p3
lrwxrwxrwx root     root              2013-01-13 19:32 system -> /dev/block/mmcblk0p1
lrwxrwxrwx root     root              2013-01-13 19:32 userdata -> /dev/block/mmcblk0p2

 

[efrant]

We have both MTD (OneNAND) and eMMC flash on crespo. For the MTD flash:

shell@android:/ $ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00200000 00040000 "bootloader"
mtd1: 00140000 00040000 "misc"
mtd2: 00800000 00040000 "boot"
mtd3: 00800000 00040000 "recovery"
mtd4: 1d580000 00040000 "cache"
mtd5: 00d80000 00040000 "radio"
mtd6: 006c0000 00040000 "efs"

I can dump any of these partitions for you if you like.

For the eMMC (I very much doubt the information you need is here, but for posterity):

shell@android:/ $ ls -l /dev/block/platform/s3c-sdhci.0/by-name                
lrwxrwxrwx root     root              2013-01-13 19:32 media -> /dev/block/mmcblk0p3
lrwxrwxrwx root     root              2013-01-13 19:32 system -> /dev/block/mmcblk0p1
lrwxrwxrwx root     root              2013-01-13 19:32 userdata -> /dev/block/mmcblk0p2

I would hazard a guess that the misc partition is what we are interested in. Can you dump that while the bootloader is unlocked, then again while locked?

Sent from my Nexus 4 using Tapatalk 2

 

[steven676]

I would hazard a guess that the misc partition is what we are interested in. Can you dump that while the bootloader is unlocked, then again while locked?

Can't be that ...

$ sha1sum misc-*
e75a589cf46253fa7d602f38dff1e9d2041aaf7b  misc-locked.img
e75a589cf46253fa7d602f38dff1e9d2041aaf7b  misc-unlocked.img

 

[osm0sis]

It's actually easier if he runs ls -l in the "by-name" folder, rather than in the "block" folder. That way we don't have to search for the names corresponding to the partition numbers.

On the other hand the boot blocks are in there and that's the only way to get at them since they don't have a by-name link.

Can't be that ...

$ sha1sum misc-*
e75a589cf46253fa7d602f38dff1e9d2041aaf7b  misc-locked.img
e75a589cf46253fa7d602f38dff1e9d2041aaf7b  misc-unlocked.img

Hmm misc was my guess too. If you're sure you dumped it correctly then I guess the only option is to dump all of them from the dir segv11 suggested (which would be the EMMCs I guess) and the mtds? Any mmcblk0boot0 or boot1, etc. partitions would also be interesting to see. Since you gave us the by-name we can just match them up with the platform dumps later. That media emmc one jumps at me too, is that the sdcard or something else?

Edit: Please give us that ls -Rl /dev/block output too just so we can see better what we're dealing with.

 

[efrant]

Can't be that ...

$ sha1sum misc-*
e75a589cf46253fa7d602f38dff1e9d2041aaf7b  misc-locked.img
e75a589cf46253fa7d602f38dff1e9d2041aaf7b  misc-unlocked.img

I guess then the best thing to do would be to dump all of them in /dev/block/ except for 1, 2 and 3 (as the lock flag wouldn't be stored in system, media or userdata). Nor would it be in boot, and unlikely in efs or bootloader.

Edit: ninja'd by osm0sis!

Sent from my Nexus 4 using Tapatalk 2

 

[steven676]

Hmm misc was my guess too. Can you dump all of them from the dir segv11 suggested (which would be the EMMCs I guess) and the mtds? Any mmcblk0boot0 or boot1, etc. partitions would also be interesting to see. Since you have us the by-name we can just match them up later now. That media emmc one jumps at me too, is that the sdcard or something else?

461bee05418a547dd9d4710e32a18a8c4ed0a678  bootloader-I9020XXLC2-locked.img
461bee05418a547dd9d4710e32a18a8c4ed0a678  bootloader-I9020XXLC2-unlocked.img
a5178a357af00d1e6b88f93c238fb96f62613f23  efs-locked.img
a5178a357af00d1e6b88f93c238fb96f62613f23  efs-unlocked.img
eaca8def76c679178fdff9edd125d788651cca91  radio-I9020XXKI1-locked.img
eaca8def76c679178fdff9edd125d788651cca91  radio-I9020XXKI1-unlocked.img

"cache" on the MTD device is a yaffs2 filesystem mounted under /cache. "boot" and "recovery" are the boot and recovery images in the regular Android boot image format.

On the eMMC device, "system" is /system, "userdata" is /data, and "media" is /sdcard.

No mmcblk*boot* devices -- here are the entire contents of /dev/block:

# ls -lR
.:
brw-------    1 root     root      254,   0 Jan 14 04:49 dm-0
brw-------    1 root     root        7,   0 Jan 14 04:49 loop0
brw-------    1 root     root        7,   1 Jan 14 04:49 loop1
brw-------    1 root     root        7,   2 Jan 14 04:49 loop2
brw-------    1 root     root        7,   3 Jan 14 04:49 loop3
brw-------    1 root     root        7,   4 Jan 14 04:49 loop4
brw-------    1 root     root        7,   5 Jan 14 04:49 loop5
brw-------    1 root     root        7,   6 Jan 14 04:49 loop6
brw-------    1 root     root        7,   7 Jan 14 04:49 loop7
brw-------    1 root     root      179,   0 Jan 14 04:49 mmcblk0
brw-------    1 root     root      179,   1 Jan 14 04:49 mmcblk0p1
brw-------    1 root     root      179,   2 Jan 14 04:49 mmcblk0p2
brw-------    1 root     root      179,   3 Jan 14 04:49 mmcblk0p3
brw-------    1 root     root       31,   0 Jan 14 04:49 mtdblock0
brw-------    1 root     root       31,   1 Jan 14 04:49 mtdblock1
brw-------    1 root     root       31,   2 Jan 14 04:49 mtdblock2
brw-------    1 root     root       31,   3 Jan 14 04:49 mtdblock3
brw-------    1 root     root       31,   4 Jan 14 04:49 mtdblock4
brw-rw----    1 radio    radio      31,   5 Jan 14 04:49 mtdblock5
brw-------    1 root     root       31,   6 Jan 14 04:49 mtdblock6
drwxr-xr-x    4 root     root            80 Jan 14 04:49 platform
brw-------    1 root     root        1,   0 Jan 14 04:49 ram0
brw-------    1 root     root        1,   1 Jan 14 04:49 ram1
brw-------    1 root     root        1,  10 Jan 14 04:49 ram10
brw-------    1 root     root        1,  11 Jan 14 04:49 ram11
brw-------    1 root     root        1,  12 Jan 14 04:49 ram12
brw-------    1 root     root        1,  13 Jan 14 04:49 ram13
brw-------    1 root     root        1,  14 Jan 14 04:49 ram14
brw-------    1 root     root        1,  15 Jan 14 04:49 ram15
brw-------    1 root     root        1,   2 Jan 14 04:49 ram2
brw-------    1 root     root        1,   3 Jan 14 04:49 ram3
brw-------    1 root     root        1,   4 Jan 14 04:49 ram4
brw-------    1 root     root        1,   5 Jan 14 04:49 ram5
brw-------    1 root     root        1,   6 Jan 14 04:49 ram6
brw-------    1 root     root        1,   7 Jan 14 04:49 ram7
brw-------    1 root     root        1,   8 Jan 14 04:49 ram8
brw-------    1 root     root        1,   9 Jan 14 04:49 ram9

./platform:
drwxr-xr-x    4 root     root           160 Jan 14 04:49 s3c-sdhci.0
drwxr-xr-x    2 root     root           180 Jan 14 04:49 s5pc110-onenand

./platform/s3c-sdhci.0:
drwxr-xr-x    2 root     root           100 Jan 14 04:49 by-name
drwxr-xr-x    2 root     root           100 Jan 14 04:49 by-num
lrwxrwxrwx    1 root     root            18 Jan 14 04:49 mmcblk0 -> /dev/block/mmcblk0
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 mmcblk0p1 -> /dev/block/mmcblk0p1
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 mmcblk0p2 -> /dev/block/mmcblk0p2
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 mmcblk0p3 -> /dev/block/mmcblk0p3

./platform/s3c-sdhci.0/by-name:
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 media -> /dev/block/mmcblk0p3
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 system -> /dev/block/mmcblk0p1
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 userdata -> /dev/block/mmcblk0p2

./platform/s3c-sdhci.0/by-num:
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 p1 -> /dev/block/mmcblk0p1
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 p2 -> /dev/block/mmcblk0p2
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 p3 -> /dev/block/mmcblk0p3

./platform/s5pc110-onenand:
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 mtdblock0 -> /dev/block/mtdblock0
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 mtdblock1 -> /dev/block/mtdblock1
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 mtdblock2 -> /dev/block/mtdblock2
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 mtdblock3 -> /dev/block/mtdblock3
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 mtdblock4 -> /dev/block/mtdblock4
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 mtdblock5 -> /dev/block/mtdblock5
lrwxrwxrwx    1 root     root            20 Jan 14 04:49 mtdblock6 -> /dev/block/mtdblock6

Don't see a /dev/nvram or anything similar either.

 

[segv11]

What version of Android are you running? Pre-ICS kernels didn't make the boot0/boot1 devices visible.

Sent from my stock 4.2.1 manta

 

[osm0sis]

Hmm not sure what to tell you.. misc still seems like the only place it could be.

 

[efrant]

Not sure what dm-0 and loop0 - loop7 are. Maybe it's in there?

I don't think it would be in any of the other ones you listed. If it is like the N1, and the lock flag is in the NVRAM, i doubt it will be possible to get it to work.

Sent from my Nexus 4 using Tapatalk 2

 

[osm0sis]

Not sure what dm-0 and loop0 - loop7 are. Maybe it's in there?

I don't think it would be in any of the other ones you listed. If it is like the N1, and the lock flag is in the NVRAM, i doubt it will be possible to get it to work.

The GN has all those loop and more dm mounts as well. Not sure what they do, though on kernels that support zram I've seen them mount it to a new loop..

 

[steven676]

The GN has all those loop and more dm mounts as well. Not sure what they do, though on kernels that support zram I've seen them mount it to a new loop..

Not sure what dm-0 and loop0 - loop7 are. Maybe it's in there?

dm-* are used by the device mapper -- the kernel infrastructure which supports installing Android apps to SD card. The loop* devices are loopback devices, which are used when you want to pretend that a regular file is actually a disk.

I don't think it would be in any of the other ones you listed. If it is like the N1, and the lock flag is in the NVRAM, i doubt it will be possible to get it to work.

I'm beginning to fear that this may well be the case.

What version of Android are you running? Pre-ICS kernels didn't make the boot0/boot1 devices visible.

Those are from ClockworkMod Recovery 5.0.2.0 -- which, come to think of it, would be a Gingerbread-era kernel. I'll try with a more recent kernel.

EDIT:

$ sha1sum mmcblk0boot*
3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3  mmcblk0boot0-locked.img
3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3  mmcblk0boot0-unlocked.img
3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3  mmcblk0boot1-locked.img
3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3  mmcblk0boot1-unlocked.img

All of those files are 1 MB full of null bytes.

 

[segv11]

This is a nice try, but it seems the boot0/boot1 are empty like on the Galaxy Nexus. Bootchain maybe starts in radio firmware then onto OneNAND partitions...

If we've checked all the visible OneNAND and eMMC partition, then it's either in a hidden partition or it's in NVRAM. This is going to be more difficult than we thought. Wonder why Sammy didn't do a param partition on this device...

Sent from my stock 4.2.1 manta

 

[osm0sis]

This is a nice try, but it seems the boot0/boot1 are empty like on the Galaxy Nexus. Bootchain maybe starts in radio firmware then onto OneNAND partitions...

If we've checked all the visible OneNAND and eMMC partition, then it's either in a hidden partition or it's in NVRAM. This is going to be more difficult than we thought. Wonder why Sammy didn't do a param partition on this device...

So is there a nvram dir in /data/ on the Nexus S? I also read dd can still access hidden partitions if you can actually track one down.

Edit: Hmm, or wait, it's a Samsung so the nvram usually lives in efs, no? And we found those were unchanged..

dm-* are used by the device mapper -- the kernel infrastructure which supports installing Android apps to SD card. The loop* devices are loopback devices, which are used when you want to pretend that a regular file is actually a disk.

Would it be worth dumping the loops to see if any of them change with lock state, like nvram?

 

[steven676]

Would it be worth dumping the loops to see if any of them change with lock state, like nvram?

Would probably be easier just to see what files/disk blocks are behind those devices. I can try this at some point, though I'm not terribly hopeful (I strongly suspect they're all unattached.)

 

[osm0sis]

I don't know about everyone else but sometimes I find I've rebooted into the bootloader only to realize I've forgotten to unlock in BootUnlocker beforehand. Well, I decided to make a BootUnlocker Script for my GN so I could just boot to recovery quick, unlock, then adb reboot-bootloader to get back without having to fully boot the OS to make the change.

I've posted the script here: http://xdaforums.com/showpost.php?p=37841533&postcount=176. Tested and working on my maguro device, not sure if it's all the same offset for toro and toroplus, but if so, then it could work for them too once the build.prop assert is changed to match. It'd be relatively simple to change it for the other supported devices as well, so if anyone feels like adapting it, feel free. :good:

Thanks to scary alien for the help on trimming the dd output to something testable.

 

[segv11]

Re: [APP][2012-12-24][root][GNex/Dev] BootUnlocker for Nexus Devices -- version 1.3

I don't know about everyone else but sometimes I find I've rebooted into the bootloader only to realize I've forgotten to unlock in BootUnlocker beforehand. Well, I decided to make a BootUnlocker Script for my GN so I could just boot to recovery quick, unlock, then adb reboot-bootloader to get back without having to fully boot the OS to make the change.

I've posted the script here: http://xdaforums.com/showpost.php?p=37841533&postcount=176. Tested and working on my maguro device, not sure if it's all the same offset for toro and toroplus, but if so, then it could work for them too once the build.prop assert is changed to match. It'd be relatively simple to change it for the other supported devices as well, so if anyone feels like it, feel free. :good:

Thanks to scary alien for the help on trimming the dd output to something testable.

Maguro, toro, and toroplus all use the same offset. Check the BootUnlocker source code on Google code.

Sent from my 4.1.2 toro Bugless Beast.

 

[osm0sis]

Maguro, toro, and toroplus all use the same offset. Check the BootUnlocker source code on Google code.

Cool! Thanks, will do. Updated.

 

[spartak0s]

may have bricked my phone

Alright, I was running one of the CyanogenMod nightlies and downloaded this app. Set my phone to locked, then forgot about it -- I downloaded today's latest nightlie, but when I rebooted, my phone was unresponsive. I was able to restore an older backup, but naturally everything was gone, and an attempt to flash my previous ROM failed.

So my question is, what do I have to do to unlock the bootloader and get this thing working properly again?

 

[osm0sis]

If you have a custom recovery flashed you can unlock it with the edify script I linked a few posts back. That's your only option if you can't boot to unlock.