[bootloader-XT910] Phone Status: unlocked. ChinaRetail 67.2.120

mattlgroff

Inactive Recognized Developer
Dec 5, 2011
2,289
2,445
San Diego


http://bbs.gfan.com/android-4093649-1-1.html

Original:
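V-version Maxx: risky test flash of the latest China-retail 4.04, live broadcast in progress:

This post was last edited by 笑飘广唱 on 2012-4-26 12:17


Just the day before yesterday I swore I would stop flashing, but probably because I have been bored out of my mind lately, I keep visiting Gfan (机锋) and Moqu (魔趣), and whenever I see a new package I can't resist.

I just saw a China-retail 4.04 on Moqu: spyder-user-4.0.4-6.7.2_GC-120-175-release-keys-ChinaRetail-CN. After thinking it over, I decided to try it; a lot of friends are waiting to flash it, so I'll be the guinea pig. I pray that if the flash goes wrong I can still flash back to Yuanheng 3.0, which is really good to use!! But as people say, Android users have three hobbies: rebooting, pulling the battery, and flashing. The Razr's battery can't be removed and I rarely reboot, so flashing is the only hobby I have left.

Alright, enough chatter, down to business.

Device: V-version Maxx; the flashing screen shows unlocked. It is unlocked and was like that when I got it. Maybe the Taobao seller did it, or maybe it is an engineering unit. Whatever, as long as it works well.

Already downloaded; the address is here: http://115.com/file/e794qtco#fastbo...20-175-release-keys-ChinaRetail-CN-chn.tar.gz The speed is fast, 1.3 MB per second. I have 10 Mbit broadband at home.

The phone is charged to 50%. RSD has started extracting. Backing up contacts and installed packages with 360. Starting now, everyone hang on.

The screen is now black and shows: AP Fastboot Flash Mode (SE)
0A,73
EMMC Info: Size 16G
Phone status: unlocked
....

Wow, it has rebooted now: a big green robot screen with a polyhedron spinning on its belly, and the progress bar is moving fast.

It rebooted once more and is now sitting on the red M + water ripple boot screen. It has been three minutes and RSD shows in progress; this is taking a bit long and I am very nervous.

Looked at RSD, still showing in progress; at some point it started asking for a manual reboot. OK, rebooting manually. Power + volume down for 8 seconds: no effect.
Looks like something went wrong. Entering boot recovery to try a double wipe. :-(
Done, rebooting... I'm praying...

Wait... it vibrated slightly, there's hope, there's hope.
Wahahahaha! Successfully booted to the home screen! Starting to post pictures!!

OK, finally, root succeeded. Report complete. I flashed this with sweaty palms, so please reply a lot and give lots of points, thanks!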

Translated (badly, by google translate.):
V version Maxx adventure try to brush the latest country line 4.04 broadcast live:

I laugh Gone wide singing at 2012-4-26 12:17 edit


Just the day before yesterday vowed to no longer Brush, who recently busy egg-pain's sake, the old front and magic interesting to see the new package could not help.

Just magic interesting to see a line of 4.04. Spyder-user-4.0.4-6.7.2_GC-120-175-release-keys-ChinaRetail-CN thinking like, or try many of my friends are waiting to brush it, I do white. Prayer brush bad I can brush Yuanheng 3.0, really easy to use. ! However, they said, the three Andrews user Hobbies: restart, remove the battery, brush. Razr can not dismantle the battery, I rarely reboot, only brush a hobby.

Well without further ado, get down to business.

Machine: V version of the maxx, brush machine interface is unlocked, unlocked, hand on this. TB sellers dry, engineering machine. Regardless, easy to use.

Has been under, the address here: http://115.com/file/e794qtco # fastboot-p2b-Spyder-UMTS-Spyder-user-4.0.4-6.7.2-GC-120-175-release-keys the-ChinaRetail-CN-chn.tar.gz fast 130 megabits per second. 10 MB broadband in my home.

Charge their cell phones to 50%. RSD has begun to extract. 360 backup contacts and installation package. This is the beginning, everyone waiting for ah.

It is a black screen, Display: the AP Fastboot on your Flash Mode (SE)
0A, 73
EMMC Info: the Size 16G
Phone status: unlocked
....

Wow now has been reset, the big green robot screen, a polyhedrosis in the rotation in the stomach, the progress bar quickly.

Restarted again, and now remain in the red M + water ripples boot screen, 3 minutes, and RSD show in progress, the time is a bit long, the mind is very uneasy.

Looked at the RSD, or in progress, I do not know when to begin requiring a manual restart. ok, manually restart. Power + volume under 8 seconds, useless.
It seems a problem. Enter to boot the recovery, try the dual-wipe. :-(
Completed, reboot. . . I pray. . .

And so on. . Gently shaken, Me and Me.
Guwahati ha ha ha ha! Successful entry into the desktop it! Start on the map! !

OK, the last, root successfully. The report is completed. Hands sweat pinching a brush, please reply, the more points, thank you!

I don't want to cause a stir unneeded, but what it sounds like is this release-keys FB files unlocked the bootloader of this phone.... Someone correct me if I am wrong.
 

pedrotorresfilho

Senior Member
Jan 4, 2012
1,595
1,098
decantodepoetas.blogspot.com
Will try to improve this text.

Edit:

He got the OTA file.

Flashed the .sbf leak onto a Razr Maxx.

Phone did not start the first time; it got stuck at the M logo.

So he started AP fastboot mode and wiped user data / cache twice.

Then the phone started normally and it has an unlocked bootloader.

>>> He didn't unlock the bootloader, he just figured it out after flashing, when the phone rebooted <<<

The 'Andrews' procedure he followed, with photos:
http://www.2zj.com/news/2012/0429/142/67.html

Sent from my XT910 using Tapatalk 2
 

Skrilax_CZ

Inactive Recognized Developer
Dec 20, 2009
1,240
2,398
"AP Fastboot Flash Mode (SE)"

SE -> Secure Engineering; same bootloader, different eFuses blown.
 

kholk

Retired Recognized Developer
May 20, 2007
2,293
3,829
Torino
I totally quote Skrilax_CZ. He's got an unlocked device because of different eFuses blown.
It's like having a RAZR Developer Edition.


BL Unlock isn't possible on RAZR, otherwise I wouldn't have put any effort on kexec... :)
 

cellzealot

Senior Member
Jan 4, 2008
1,314
815
Philadelphia, PA
There are 3 types of Motorola OMAP devices.

S= Secured : a stock production locked bootloader

SE= Secure Engineering : an engineering model that has a signed and secure bootloader that does not perform any other checks on kernel or other components above the bootloader.
For all intents and purposes this is the same as an unlocked bootloader. The OG Droid is an SE device.

NS= Non Secured: a fully open device with no checks performed and no eFuses set or blown on the OMAP chip itself.

It is the mbmloader that contains the encrypted signatures, not the bootloader itself. On dual core devices, the bootloader is the same for all three types and the firmware files contain both NS and HS versions of the mbmloader. There is a separate bootloader that allows flashing of the mbmloader and that checks the ro.secure status of the device and flashes the right mbmloader. Then the bootloader is flashed and the rest of the partitions are subsequently flashed.
 

Skrilax_CZ

Inactive Recognized Developer
Dec 20, 2009
1,240
2,398
Sorry, but except the listing, it's completely wrong.

Indeed, there are three types of devices:
S - Secure (Omap in HS mode)
SE - Secure Engineering (Omap in HS mode) - no sig. checks except mbmloader + BP
NS - Non Secured (Omap in EMU mode) - no sig. checks except part of BP (mbmloader is signed with CSST key)

OG droid is a S device, OG Droid bootloader doesn't perform security checks at all, only mbmloader is checked by OMAP BootROM.

Even NS have secure part of BP, completely unsecure devices use GP mode for OMAP etc.

S and SE devices share mbmloader and mbm; NS devices have special mbmloader and in most cases mbm too (dunno to be honest, how is it with RAZR, certainly all OMAP3 devices have special NS mbm, just as I use on my Milestone).

"ro.secure" status is used by android, and completely unrelated here. It's whether the OMAP is in HS or EMU mode.

The "allow-mbmloader-flashing" mbm is mbm that allows mbmloader flashing and nothing else. There is also another bootloader to recover the device from USB.

mbmloader doesn't contain any signatures except its own, this is normal chain of trust. mbmloader checks mbm, loads it, which checks the rest.

Anyway, on RAZR the mbm tells "Device is LOCKED / UNLOCKED: Status code: x", where:
x = 0; locked and not unlockable or never been unlocked
x = 1; unlocked (w/o signature checks, except part of the bp)
x = 2; unlockable device, which has been relocked
x = 3; unlockable device, which has been unlocked (signature checks over mbm, mbmloader and cdt + bp)
 
Last edited:
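
The device types and status codes from the post above, turned into a check that can be run over captured fastboot screen text to see which boot stages still verify signatures. This is an added example, not part of the original post or any Motorola tool; the `rest` label, the full-chain reading for S and for status codes 0 and 2, and all function names are assumptions.

```python
import re

# Boot order. "rest" is an assumed label for whatever the mbm verifies after
# itself (kernel, system, ...); the post does not enumerate those images.
CHAIN = ["mbmloader", "mbm", "cdt", "rest", "bp"]

# Signature checks per device type as stated in the post. S is assumed to
# enforce the whole chain; for NS only "part of BP" is still checked.
ENFORCED = {"S": set(CHAIN), "SE": {"mbmloader", "bp"}, "NS": {"bp"}}

# mbm status codes from the post: (state, components still checked).
# The full chain for codes 0 and 2 is an assumption.
STATUS = {
    0: ("locked", set(CHAIN)),
    1: ("unlocked", {"bp"}),
    2: ("locked", set(CHAIN)),
    3: ("unlocked", {"mbmloader", "mbm", "cdt", "bp"}),
}

MODE_RE = re.compile(r"AP Fastboot Flash Mode \((S|SE|NS)\)")
CODE_RE = re.compile(r"Device is (LOCKED|UNLOCKED)\W+Status code:\s*([0-3])", re.I)

# Screen text quoted in the thread, followed by two constructed samples.
THREAD_SCREEN = "AP Fastboot Flash Mode (SE)\n0A,73\nEMMC Info: Size 16G\nPhone status: unlocked"
RETAIL_SCREEN = "AP Fastboot Flash Mode (S)\nDevice is LOCKED: Status code: 0"
UNLOCKED3_SCREEN = "AP Fastboot Flash Mode (S)\nDevice is UNLOCKED: Status code: 3"


def checked_components(screen):
    """Return (mode, status code or None, components still signature-checked)."""
    mode = MODE_RE.search(screen)
    if not mode:
        raise ValueError("no fastboot mode banner found")
    checked = set(ENFORCED[mode.group(1)])
    status = None
    code = CODE_RE.search(screen)
    if code:
        status = int(code.group(2))
        state, by_code = STATUS[status]
        if state != code.group(1).lower():
            raise ValueError("banner text and status code disagree")
        checked &= by_code  # a check must survive both tables
    return mode.group(1), status, checked


def first_rejection(screen, modified):
    """First component in boot order that is modified and still verified."""
    _, _, checked = checked_components(screen)
    for part in CHAIN:
        if part in modified and part in checked:
            return part
    return None  # nothing in the chain would stop the modified images


if __name__ == "__main__":
    for name, text in [("thread", THREAD_SCREEN), ("retail", RETAIL_SCREEN)]:
        print(name, checked_components(text), first_rejection(text, {"rest"}))
```

A `None` result for a modified `rest` image marks a unit that does not enforce verified boot above the bootloader, which is the property the thread attributes to SE hardware.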

cellzealot

Senior Member
Jan 4, 2008
1,314
815
Philadelphia, PA
You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!

The OG Droid reports as SE in RSD Lite though, I can assure you.

I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
I also have all of the separate bootloader SBF files for those devices and they come in 3 types.

Consumer_replacer_hs_part is the stock secured mbm

Nonconsumer_replacer_hs_part is the secured engineering mbm

Nonconsumer_replaced is the NS unsecured mbm

The old SBF files never contained the bootloader and the mbmloaders were always updated only by the OTA zips and the discrete bootloader files were rarely ever seen.

The dual core OMAPs with fastboot support work very differently, as pointed out by Skrilax_CZ above.

Anyways, once again, thanks for the detailed clarification. There is very little clear understanding about how this all actually works and I am happy to both contribute what I know and keep learning from others.

;)
 

pedrotorresfilho

Senior Member
Jan 4, 2012
1,595
1,098
decantodepoetas.blogspot.com
I've a question for you guys.

Are all dev RAZRs 16G or is there an 8G version?

Can't formulate this question any better. I'm asking because that sign bypass with p18 was provided by a 16G dev RAZR and I was wondering if it isn't the 'problema' mounting USB mass storage. If so, can some of you PM me with a dd p18 .img for a test?

Thanks

Sent from my XT910 using Tapatalk 2
 

cellzealot

Senior Member
Jan 4, 2008
1,314
815
Philadelphia, PA
I only have eng models of DX, D2G and Pro with all the associated files for those devices.
We no longer have the access we used to for internal files and devices.
P3droid has a NS status 1 Razr and is able to flash any of the leaked builds available, including the eng builds.
If there is anything he might be able to provide you that you don't already have I can ask him, but we don't have any files for RAZR that are not in the wild.
 

Skrilax_CZ

Inactive Recognized Developer
Dec 20, 2009
1,240
2,398
> You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!
>
> The OG Droid reports as SE in RSD Lite though, I can assure you.

Don't want to argue, but you're really 100% percent sure about this (for a production unit)? Even the production OG droid mbm is unsigned, and doesn't even contain the security functions - regardless of the fuses status, it won't simply check for signatures. (btw. there is another unlocked BL phone, which is XT701. Unlike OG Droid, it has mbm signed).

> I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
> I also have all of the separate bootloader SBF files for those devices and they come in 3 types.
>
> Consumer_replacer_hs_part is the stock secured mbm
>
> Nonconsumer_replacer_hs_part is the secured engineering mbm
>
> Nonconsumer_replaced is the NS unsecured mbm

Well yeah, there are three kinds of files, but the "Secure Engineering" version is the same as "Secure" version and just contains mbmloader too, right? Well there is some naming difference between EU and US files over this.

> The old SBF files never contained the bootloader and the mbmloaders were always updated only by the OTA zips and the discrete bootloader files were rarely ever seen.

Correct, I'd only add that old OMAP3 devices (without eMMC) never had mbmloader update possibility.
 