[ABANDONED] Bootloader unlock - discuss bootloader matters here


twa_priv

Senior Member
Feb 10, 2011
1,701
4,472

kevin_diu

Senior Member
Mar 13, 2009
524
114
Hong Kong
Posts by unitary good at 2012-1-13 21:54 Edit Home network that did not last, say goodbye to the forum, but who knows, even the signal is not home, so silly, my bl is 6, and did not move, who knows, brush teeth into bl5 package is successful, and brush teeth into bl4 package also successful, and now with the Hong Kong version, for the 00.59.01 baseband version, and finally a signal at home, but my machine is the situation? ? bl unlocked? ? ? I tried, the bottom of any package through the brush bl, the machine did what I seek to answer ah ah, in the rsd brush machine interface displays awareness bl not unlock, but it allows any package through the end of the brush · · · · give answers to a large silent under it, ready to be the official package evaluation, 2.2 2.3 comparison, because my brush through Well, hey, including Hong Kong Bank, uk national lines, etc., looking forward to it the latest progress, formalized bl unlock the success of my brush into the machine 29, Brush v big package provided by (v large package is to force ah, combining the characteristics of the country and the parallel lines, I like, if you can do not want to brush the other, the clear distinction between parallel and licensed, the battery icon shows different, I love parallel, and this is what I would like to introduce after the end of package features a variety of one v big thank prove my innocence, do not believe that people believe it, ha ha ha, Brush Motorola boot screen shows whether the consent agreement, the following information on the mobile phone scene shot just proposed by the Friends backup pds, the last defeat, this time successful, upload pds backup, in order to brush into the oil are convenient, Just brush the cm7.2, with its advanced backup equipment, and more can all be theoretically recovery5.0 brush into big God who study it, as uploaded to the xda, please altar faithful refueling, home unable to claw machine ah

huh???
wtf!!

Sent from my MB525 using xda premium

LOL... He said his Defy stays at BL6 and he can't get a signal at home, so he tried to flash BL5 and BL4, with success. And he doesn't remember what he did with his Defy before, and tried flashing all BLs with success.
 

samcripp

Retired Recognized Developer
May 20, 2010
1,048
1,774
Sanford
Listen, it is very simple to find out if this is true or not. Get mister Chinese man to give you a copy of whatever bootloader it is he has that's unlockable,

then run the following in a Linux terminal:

Code:
strings bootloader.img | grep -i unlock
 

balika01

Senior Member
Dec 28, 2010
177
214
Listen, it is very simple to find out if this is true or not. Get mister Chinese man to give you a copy of whatever bootloader it is he has that's unlockable,

then run the following in a Linux terminal:

Code:
strings bootloader.img | grep -i unlock

what is the bootloader?? CG45??
 

Epsylon3

Senior Member
Jan 25, 2008
1,177
4,310
Geneva
tanguy.forumdoandroid.com
Mine (defy locked on v6 132-134 vs Chinese one)
MBMLOADER
Code:
diff --git a/sde1.hex b/sde1.hex
index d2fbac7..1b51d20 100644
--- a/sde1.hex
+++ b/sde1.hex
@@ -552,38 +552,38 @@
 00002800  43 65 72 74 49 53 57 00  00 00 00 00 00 00 00 00  |CertISW.........|
 00002810  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *
 00002830  01 00 00 00 50 03 00 00  00 a8 00 00 69 87 44 70  |....P.......i.Dp|
 00002840  dd 6d 71 19 13 80 c6 60  4b a9 e9 f3 3f d6 e2 fa  |.mq....`K...?...|
 00002850  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *
 000028a0  00 00 00 00 22 3a 79 16  ff ff ff ff 30 4d 00 48  |....":y.....0M.H|
 000028b0  00 00 00 00 34 49 00 48  00 00 00 00 48 49 00 48  |....4I.H....HI.H|
 000028c0  00 00 00 00 44 49 00 48  01 00 00 00 40 49 00 48  |....DI.H....@I.H|
 000028d0  19 f4 01 00 40 4d 00 48  00 0c c8 08 00 4d 00 48  |....@M.H.....M.H|
 000028e0  77 00 67 00 04 49 00 48  37 00 00 00 24 49 00 48  |w.g..I.H7...$I.H|
 000028f0  00 00 00 00 20 4d 00 48  00 00 00 00 00 00 00 00  |.... M.H........|
 00002900  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *
 000029b0  00 03 00 00 50 03 00 00  00 00 00 00 00 00 00 00  |....P...........|
 000029c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *
-00002a30  00 00 00 00 00 00 00 00  7c ca 8b 4c 00 00 00 00  |........|..L....|
-00002a40  d2 21 00 00 00 00 00 00  00 00 00 00 03 00 00 00  |.!..............|
+00002a30  00 00 00 00 00 00 00 00  c5 ac 8b 4c 00 00 00 00  |...........L....|
+00002a40  cc 21 00 00 00 00 00 00  00 00 00 00 03 00 00 00  |.!..............|
 00002a50  30 30 04 43 99 e7 f5 9f  79 26 6a 8f d1 f8 51 5a  |00.C....y&j...QZ|
 00002a60  0e 49 e9 7f b0 6c a7 74  80 63 d2 dc 37 84 21 4d  |.I...l.t.c..7.!M|
 00002a70  52 be 88 97 92 f7 41 ea  1e bd d5 d2 cf df bf 93  |R.....A.........|
 00002a80  47 fb bc c7 65 14 de 59  78 92 a3 fe b9 fb 60 06  |G...e..Yx.....`.|
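Review bot: the "signer info" reading of the change at 0x2a38 needs support from the bytes themselves. Read as little-endian 32-bit values, the field goes from 0x4c8bca7c to 0x4c8bacc5; as Unix times both fall on 11 September 2010, about two hours apart, so a build or signing timestamp fits at least as well. The only other change is the low byte at 0x2a40 (0x21d2 to 0x21cc), and the context rows from 0x2a50 to 0x2a80 are identical on both sides, so this hunk shows no difference in the random-looking data that follows. Suggest stating which field each changed value belongs to before drawing a conclusion from it.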
EDIT: This mbm_loader change is the "signer info" (who has signed the cert i guess)


CDT
Code:
diff --git a/sde6.hex b/sde6.hex
index e24df80..dc27732 100644
--- a/sde6.hex
+++ b/sde6.hex
@@ -22,7 +22,7 @@
 00000150  00 00 00 00 00 00 00 00  00 00 00 00 37 00 00 00  |............7...|
 00000160  08 00 00 00 0b 00 00 00  02 00 00 00 ff ff ff ff  |................|
 00000170  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
-00000180  00 00 00 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
+00000180  00 00 00 00 ff f7 c3 80  fe ff c3 80 ff ff bf 80  |................|
 00000190  03 00 00 00 00 00 ff ff  00 00 00 00 00 00 00 00  |................|
 000001a0  65 62 72 00 00 00 00 00  00 00 00 00 00 00 00 00  |ebr.............|
 000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -34,20 +34,20 @@
 00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000220  00 00 00 00 38 00 00 00  10 00 00 00 13 00 00 00  |....8...........|
 00000230  00 00 00 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
-00000240  ff ff ff ff ff ff ff ff  00 00 00 00 ff ff ff ff  |................|
-00000250  ff ff ff ff ff ff ff ff  03 00 00 00 00 00 ff ff  |................|
+00000240  ff ff ff ff ff ff ff ff  00 00 00 00 ff f7 c7 80  |................|
+00000250  fe ff c7 80 ff ff bf 80  03 00 00 00 00 00 ff ff  |................|
 00000260  00 00 00 00 00 00 00 00  63 64 74 2e 62 69 6e 00  |........cdt.bin.|
 00000270  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000280  00 00 00 00 00 00 00 00  1f 00 01 00 14 00 00 00  |................|
 00000290  17 00 00 00 03 00 00 00  ff ff ff ff ff ff ff ff  |................|
 000002a0  ff ff ff ff ff ff ff ff  ff ff ff ff 00 00 00 00  |................|
 000002b0  00 38 07 89 ff 3f 07 89  00 00 07 89 01 00 00 00  |.8...?..........|
-000002c0  00 00 ff ff 06 00 00 00  00 00 00 00 70 64 73 00  |............pds.|
+000002c0  00 00 ff ff 05 00 00 00  00 00 00 00 70 64 73 00  |............pds.|
 000002d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 000002e0  00 00 00 00 00 00 00 00  00 00 00 00 26 00 00 00  |............&...|
 000002f0  18 00 00 00 37 00 00 00  00 00 00 00 ff ff ff ff  |....7...........|
 00000300  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
-00000310  00 00 00 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
+00000310  00 00 00 00 ff f7 ff 80  fe ff ff 80 ff ff bf 80  |................|
 00000320  03 00 00 00 00 00 ff ff  00 00 00 00 00 00 00 00  |................|
 00000330  6c 62 6c 00 00 00 00 00  00 00 00 00 00 00 00 00  |lbl.............|
 00000340  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
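Review bot: this hunk mixes two different kinds of change and they should be reported separately. The single byte at 0x2c4 (06 to 05, eight bytes before the "pds" name at 0x2cc) is a small counter-like field, while the 12-byte spans at 0x24c and 0x314 go from all ff on the minus side to three populated 32-bit values on the plus side (for example ff f7 c7 80, fe ff c7 80, ff ff bf 80). The names visible here (cdt.bin at 0x268, pds at 0x2cc, lbl at 0x330) are 0x64 bytes apart, so decoding the table into fixed-size records and diffing field by field would show which entry each change belongs to; a raw hexdump diff cannot.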
@@ -98,13 +98,13 @@
 00000610  80 00 00 00 bf 00 00 00  00 00 00 00 ff ff ff ff  |................|
 00000620  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00000630  00 00 00 00 00 f8 8f 81  ff ff 8f 81 00 00 10 81  |................|
-00000640  03 00 01 00 00 00 ff ff  03 00 00 00 00 00 00 00  |................|
+00000640  03 00 01 00 00 00 ff ff  02 00 00 00 00 00 00 00  |................|
 00000650  72 65 63 6f 76 65 72 79  00 00 00 00 00 00 00 00  |recovery........|
 00000660  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000670  2f 00 01 00 c0 00 00 00  ff 00 00 00 00 00 00 00  |/...............|
 00000680  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00000690  ff ff ff ff 00 00 00 00  00 f8 8f 81 ff ff 8f 81  |................|
-000006a0  00 00 10 81 03 00 01 00  00 00 ff ff 03 00 00 00  |................|
+000006a0  00 00 10 81 03 00 01 00  00 00 ff ff 02 00 00 00  |................|
 000006b0  00 00 00 00 63 64 72 6f  6d 00 00 00 00 00 00 00  |....cdrom.......|
 000006c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 000006d0  00 00 00 00 21 00 05 00  00 01 00 00 6f 01 00 00  |....!.......o...|
@@ -116,27 +116,27 @@
 00000730  00 00 00 00 00 00 00 00  2c 00 00 00 70 01 00 00  |........,...p...|
 00000740  73 01 00 00 00 00 00 00  ff ff ff ff ff ff ff ff  |s...............|
 00000750  ff ff ff ff ff ff ff ff  ff ff ff ff 00 00 00 00  |................|
-00000760  ff ff ff ff ff ff ff ff  ff ff ff ff 03 00 00 00  |................|
+00000760  ff f7 c7 80 fe ff c7 80  ff ff bf 80 03 00 00 00  |................|
 00000770  00 00 ff ff 00 00 00 00  00 00 00 00 63 69 64 00  |............cid.|
 00000780  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000790  00 00 00 00 00 00 00 00  00 00 00 00 2b 00 00 00  |............+...|
 000007a0  74 01 00 00 77 01 00 00  00 00 00 00 ff ff ff ff  |t...w...........|
 000007b0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
-000007c0  00 00 00 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
+000007c0  00 00 00 00 ff f7 c7 80  fe ff c7 80 ff ff bf 80  |................|
 000007d0  03 00 00 00 00 00 ff ff  00 00 00 00 00 00 00 00  |................|
 000007e0  6b 70 61 6e 69 63 00 00  00 00 00 00 00 00 00 00  |kpanic..........|
 000007f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000800  35 00 00 00 78 01 00 00  97 01 00 00 00 00 00 00  |5...x...........|
 00000810  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
-00000820  ff ff ff ff 00 00 00 00  ff ff ff ff ff ff ff ff  |................|
-00000830  ff ff ff ff 03 00 00 00  00 00 ff ff 00 00 00 00  |................|
+00000820  ff ff ff ff 00 00 00 00  ff f7 ff 80 fe ff ff 80  |................|
+00000830  ff ff bf 80 03 00 00 00  00 00 ff ff 00 00 00 00  |................|
 00000840  00 00 00 00 73 79 73 74  65 6d 00 00 00 00 00 00  |....system......|
 00000850  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000860  00 00 00 00 27 00 05 00  98 01 00 00 cf 0b 00 00  |....'...........|
 00000870  03 00 00 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00000880  ff ff ff ff ff ff ff ff  00 00 00 00 00 f8 fb 9e  |................|
 00000890  ff ff fb 9e 00 00 90 8a  03 00 00 00 00 00 ff ff  |................|
-000008a0  06 00 00 00 00 00 00 00  70 72 65 6b 00 00 00 00  |........prek....|
+000008a0  05 00 00 00 00 00 00 00  70 72 65 6b 00 00 00 00  |........prek....|
 000008b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 000008c0  00 00 00 00 00 00 00 00  20 00 01 00 d0 0b 00 00  |........ .......|
 000008d0  d3 0b 00 00 03 00 00 00  ff ff ff ff ff ff ff ff  |................|
@@ -153,14 +153,14 @@
 00000980  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000990  28 00 00 00 d8 0b 00 00  17 12 00 00 00 00 00 00  |(...............|
 000009a0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
-000009b0  ff ff ff ff 00 00 00 00  ff ff ff ff ff ff ff ff  |................|
-000009c0  ff ff ff ff 03 00 00 00  00 00 ff ff 00 00 00 00  |................|
+000009b0  ff ff ff ff 00 00 00 00  ff f7 3f 8d fe ff 3f 8d  |..........?...?.|
+000009c0  ff ff bf 80 03 00 00 00  00 00 ff ff 00 00 00 00  |................|
 000009d0  00 00 00 00 75 73 65 72  64 61 74 61 00 00 00 00  |....userdata....|
 000009e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 000009f0  00 00 00 00 25 00 00 00  18 12 00 00 ff 1f 00 00  |....%...........|
 00000a00  00 00 00 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
-00000a10  ff ff ff ff ff ff ff ff  00 00 00 00 ff ff ff ff  |................|
-00000a20  ff ff ff ff ff ff ff ff  03 00 00 00 00 00 ff ff  |................|
+00000a10  ff ff ff ff ff ff ff ff  00 00 00 00 ff f7 8f 9c  |................|
+00000a20  fe ff 8f 9c ff ff bf 80  03 00 00 00 00 00 ff ff  |................|
 00000a30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *
 00000a60  00 00 00 00 00 00 00 00  ff ff ff ff ff ff ff ff  |................|
@@ -264,7 +264,7 @@
 00002120  61 74 61 29 00 00 00 00  00 00 00 00 00 00 00 00  |ata)............|
 00002130  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 *
-000037f0  ff ff ff ff ff ff ff ff  ff ff ff ff 06 00 00 00  |................|
+000037f0  ff ff ff ff ff ff ff ff  ff ff ff ff 05 00 00 00  |................|
 00003800  b4 01 00 ca 02 14 da 95  1b 6d dc 97 07 ce 40 ea  |.........m....@.|
 00003810  53 0f 90 20 91 b5 20 dd  2f f3 00 30 ff ff 00 00  |S.. .. ./..0....|
 00003820  02 4e 29 96 c8 e8 57 58  1f 75 18 bb b5 76 e1 8a  |.N)...WX.u...v..|
@@ -326,15 +326,15 @@
 00003ba0  72 72 74 ad 6c a1 c4 07  9d ca 9f 5d 8a 64 0f 2d  |rrt.l......].d.-|
 00003bb0  a7 d7 8f 20 fe 00 06 ae  6d 50 c4 86 87 30 4a d8  |... ....mP...0J.|
 00003bc0  96 70 32 85 c3 2c 22 4e  3d 8b 24 01 98 90 18 20  |.p2..,"N=.$.... |
-00003bd0  e5 e8 8c 22 19 2e 8b 50  69 6c c8 0c 9a 03 72 19  |..."...Pil....r.|
-00003be0  9f ba 90 78 2c 04 a0 93  1a 90 e5 44 ee ee 2b e6  |...x,......D..+.|
-00003bf0  3e 18 95 06 33 ed 67 a1  17 20 3d 6e ab 6d ae 09  |>...3.g.. =n.m..|
-00003c00  67 2a e6 4c a4 57 6c 92  ea 4d e2 0b 2e 5a bc 34  |g*.L.Wl..M...Z.4|
-00003c10  46 c3 30 1e 5f 95 6b b6  bc 39 9b 91 29 b2 1a df  |F.0._.k..9..)...|
-00003c20  19 36 1e 8c 7b e1 9a f9  41 4e 4f 2b a7 25 ce 49  |.6..{...ANO+.%.I|
-00003c30  cb 06 fb 3c eb 8d 93 ae  fc 0b 46 9e e2 8c d8 4d  |...<......F....M|
-00003c40  45 4b bb 93 2e 70 ba f3  16 1d 1f fb 89 32 d0 73  |EK...p.......2.s|
-00003c50  35 9e ab ff ff ff ff ff  ff ff ff ff ff ff ff ff  |5...............|
+00003bd0  e5 e8 8c 36 d9 d2 47 75  3d 14 41 0e 57 f5 ce d4  |...6..Gu=.A.W...|
+00003be0  53 8c b3 b2 ee 8a fc b8  6b 8c 73 b7 a9 79 e6 b1  |S.......k.s..y..|
+00003bf0  c3 4a 34 21 9b a4 8a 96  85 71 b8 3d 47 64 b3 a6  |.J4!.....q.=Gd..|
+00003c00  64 af 40 24 97 69 b1 6f  0c b5 4e 44 6e 58 db 13  |d.@$.i.o..NDnX..|
+00003c10  a1 6e 9b 2f d5 d7 9b 0d  bc 3b 08 ee ec 83 9d 2f  |.n./.....;...../|
+00003c20  28 47 28 e7 fb c6 ea b7  19 91 9d 81 c4 c4 ad f2  |(G(.............|
+00003c30  a1 6e 3e 99 38 ed 31 cd  64 f5 a6 f8 79 66 c2 0f  |.n>.8.1.d...yf..|
+00003c40  e7 16 54 b0 0a 58 f3 4b  d7 89 af f4 04 3d b3 53  |..T..X.K.....=.S|
+00003c50  53 16 18 ff ff ff ff ff  ff ff ff ff ff ff ff ff  |S...............|
 00003c60  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 *
 00004800  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
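Review bot: the replaced block in this hunk should be labelled as expected churn rather than counted as a meaningful difference. The differing bytes run from 0x3bd3 to 0x3c52, which is 128 bytes, the size of a 1024-bit RSA signature, and they end exactly where the ff padding starts; if this is the table's signature, any change to the signed data (such as the 06 to 05 fields in the earlier hunks) would produce a different one. Also note that 0x3c18 is bc on both sides by chance, so a byte-wise comparison tool will split this span in two unless it merges small gaps.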

We can see in the CDT.bin it's a v5

EDIT: it's the 4.5.3-109 one (v5)

balika01

Senior Member
Dec 28, 2010
177
214
Code:
diff --git a/sde1.hex b/sde1.hex
index d2fbac7..1b51d20 100644
--- a/sde1.hex
+++ b/sde1.hex
@@ -567,8 +567,8 @@
 000029b0  00 03 00 00 50 03 00 00  00 00 00 00 00 00 00 00  |....P...........|
 000029c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *
-00002a30  00 00 00 00 00 00 00 00  7c ca 8b 4c 00 00 00 00  |........|..L....|
-00002a40  d2 21 00 00 00 00 00 00  00 00 00 00 03 00 00 00  |.!..............|
+00002a30  00 00 00 00 00 00 00 00  c5 ac 8b 4c 00 00 00 00  |...........L....|
+00002a40  cc 21 00 00 00 00 00 00  00 00 00 00 03 00 00 00  |.!..............|
 00002a50  30 30 04 43 99 e7 f5 9f  79 26 6a 8f d1 f8 51 5a  |00.C....y&j...QZ|
 00002a60  0e 49 e9 7f b0 6c a7 74  80 63 d2 dc 37 84 21 4d  |.I...l.t.c..7.!M|
 00002a70  52 be 88 97 92 f7 41 ea  1e bd d5 d2 cf df bf 93  |R.....A.........|

i don't know this version of diff

i use this:
Code:
example.hex
00002a30: 7C C5
00002a30: CA AC
00002a40: D2 CC

patcher: http://data.hu/get/4560025/dif.exe

---------- Post added at 07:35 PM ---------- Previous post was at 07:23 PM ----------


i think this is the bootloader version:
Code:
-000002c0  00 00 ff ff 06 00 00 00  00 00 00 00 70 64 73 00  |............pds.|
+000002c0  00 00 ff ff 05 00 00 00  00 00 00 00 70 64 73 00  |............pds.|

and

-000008a0  06 00 00 00 00 00 00 00  70 72 65 6b 00 00 00 00  |........prek....|
+000008a0  05 00 00 00 00 00 00 00  70 72 65 6b 00 00 00 00  |........prek....|

and

-000037f0  ff ff ff ff ff ff ff ff  ff ff ff ff 06 00 00 00  |................|
+000037f0  ff ff ff ff ff ff ff ff  ff ff ff ff 05 00 00 00  |................|

the kernel & recovery version:

Code:
-000006a0  00 00 10 81 03 00 01 00  00 00 ff ff 03 00 00 00  |................|
+000006a0  00 00 10 81 03 00 01 00  00 00 ff ff 02 00 00 00  |................|
and the sign:
Code:
-00003bd0  e5 e8 8c 22 19 2e 8b 50  69 6c c8 0c 9a 03 72 19  |..."...Pil....r.|
-00003be0  9f ba 90 78 2c 04 a0 93  1a 90 e5 44 ee ee 2b e6  |...x,......D..+.|
-00003bf0  3e 18 95 06 33 ed 67 a1  17 20 3d 6e ab 6d ae 09  |>...3.g.. =n.m..|
-00003c00  67 2a e6 4c a4 57 6c 92  ea 4d e2 0b 2e 5a bc 34  |g*.L.Wl..M...Z.4|
-00003c10  46 c3 30 1e 5f 95 6b b6  bc 39 9b 91 29 b2 1a df  |F.0._.k..9..)...|
-00003c20  19 36 1e 8c 7b e1 9a f9  41 4e 4f 2b a7 25 ce 49  |.6..{...ANO+.%.I|
-00003c30  cb 06 fb 3c eb 8d 93 ae  fc 0b 46 9e e2 8c d8 4d  |...<......F....M|
-00003c40  45 4b bb 93 2e 70 ba f3  16 1d 1f fb 89 32 d0 73  |EK...p.......2.s|
-00003c50  35 9e ab ff ff ff ff ff  ff ff ff ff ff ff ff ff  |5...............|
+00003bd0  e5 e8 8c 36 d9 d2 47 75  3d 14 41 0e 57 f5 ce d4  |...6..Gu=.A.W...|
+00003be0  53 8c b3 b2 ee 8a fc b8  6b 8c 73 b7 a9 79 e6 b1  |S.......k.s..y..|
+00003bf0  c3 4a 34 21 9b a4 8a 96  85 71 b8 3d 47 64 b3 a6  |.J4!.....q.=Gd..|
+00003c00  64 af 40 24 97 69 b1 6f  0c b5 4e 44 6e 58 db 13  |d.@$.i.o..NDnX..|
+00003c10  a1 6e 9b 2f d5 d7 9b 0d  bc 3b 08 ee ec 83 9d 2f  |.n./.....;...../|
+00003c20  28 47 28 e7 fb c6 ea b7  19 91 9d 81 c4 c4 ad f2  |(G(.............|
+00003c30  a1 6e 3e 99 38 ed 31 cd  64 f5 a6 f8 79 66 c2 0f  |.n>.8.1.d...yf..|
+00003c40  e7 16 54 b0 0a 58 f3 4b  d7 89 af f4 04 3d b3 53  |..T..X.K.....=.S|
+00003c50  53 16 18 ff ff ff ff ff  ff ff ff ff ff ff ff ff  |S...............|


---------- Post added at 07:44 PM ---------- Previous post was at 07:35 PM ----------

cdt.bin diff between Chinese and v5?
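Added example (not code from any poster in this thread): a byte-exact comparison of two equal-sized dumps that prints differences in the "OFFSET: OLD NEW" style shown above, with exact byte offsets, and decodes the changed 32-bit little-endian fields. The sample rows are copied from the hex dumps posted here; the function names and the gap-merging option are this example's own.

```python
#!/usr/bin/env python3
"""Byte-exact comparison of two equal-sized partition dumps (added example)."""
import struct
from typing import List, NamedTuple, Tuple


class Run(NamedTuple):
    offset: int  # absolute offset of the first differing byte
    old: bytes   # span as it appears in the first image
    new: bytes   # same span in the second image


def changed_runs(a: bytes, b: bytes, base: int = 0, gap: int = 0) -> List[Run]:
    """Return the spans where a and b differ, in offset order.

    Spans separated by at most `gap` identical bytes are merged: two unrelated
    high-entropy blocks can agree on a byte purely by chance.
    """
    if len(a) != len(b):
        raise ValueError("dumps must be the same length")
    runs: List[Run] = []
    start = last = -1
    for i in range(len(a)):
        if a[i] == b[i]:
            continue
        if start >= 0 and i - last - 1 > gap:
            runs.append(Run(base + start, a[start:last + 1], b[start:last + 1]))
            start = -1
        if start < 0:
            start = i
        last = i
    if start >= 0:
        runs.append(Run(base + start, a[start:last + 1], b[start:last + 1]))
    return runs


def le32_words(a: bytes, b: bytes, base: int, run: Run) -> List[Tuple[int, int, int]]:
    """Decode the aligned little-endian 32-bit words a run touches.

    Returns (offset, old_value, new_value) for each word that changed.
    Assumes `base` is a multiple of 4.
    """
    first = (run.offset - base) & ~3
    end = min(run.offset - base + len(run.old), len(a) - 3)
    words = []
    for off in range(first, end, 4):
        old, = struct.unpack_from("<I", a, off)
        new, = struct.unpack_from("<I", b, off)
        if old != new:
            words.append((base + off, old, new))
    return words


def patch_lines(run: Run) -> List[str]:
    """One 'OFFSET: OLD NEW' line per differing byte, with exact byte offsets."""
    return ["%08X: %02X %02X" % (run.offset + i, o, n)
            for i, (o, n) in enumerate(zip(run.old, run.new)) if o != n]


# Constructed sample input: rows copied from the hex dumps in this thread
# ('-' side first, '+' side second), not complete partition images.
MBM_BASE = 0x2A30
MBM_MINUS = bytes.fromhex("00 00 00 00 00 00 00 00 7c ca 8b 4c 00 00 00 00 "
                          "d2 21 00 00 00 00 00 00 00 00 00 00 03 00 00 00")
MBM_PLUS = bytes.fromhex("00 00 00 00 00 00 00 00 c5 ac 8b 4c 00 00 00 00 "
                         "cc 21 00 00 00 00 00 00 00 00 00 00 03 00 00 00")
CDT_BASE = 0x3C10
CDT_MINUS = bytes.fromhex("46 c3 30 1e 5f 95 6b b6 bc 39 9b 91 29 b2 1a df")
CDT_PLUS = bytes.fromhex("a1 6e 9b 2f d5 d7 9b 0d bc 3b 08 ee ec 83 9d 2f")

if __name__ == "__main__":
    for run in changed_runs(MBM_MINUS, MBM_PLUS, MBM_BASE):
        print("\n".join(patch_lines(run)))
        for off, old, new in le32_words(MBM_MINUS, MBM_PLUS, MBM_BASE, run):
            print("  u32 @ 0x%08x: 0x%08x -> 0x%08x" % (off, old, new))
    # gap=0 splits the block at the chance match; gap=1 reports it as one span.
    for gap in (0, 1):
        spans = [(hex(r.offset), len(r.old))
                 for r in changed_runs(CDT_MINUS, CDT_PLUS, CDT_BASE, gap)]
        print("gap=%d:" % gap, spans)
```

For real dumps, read both files in binary mode and pass `base=0`; a merged span whose length matches a signature size is a candidate for a re-signed block rather than a configuration change.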

Epsylon3

Senior Member
Jan 25, 2008
1,177
4,310
Geneva
tanguy.forumdoandroid.com
Chinese CDT is the 4.5.3-109 DPP 6-7 http://xdaforums.com/showthread.php?t=1263212

this sbf contains :

Code:
-rw-r--r-- 1 root root     18432 Jan 13 19:40 CG31.img
-rw-r--r-- 1 root root    133120 Jan 13 19:40 CG32.img
-rw-r--r-- 1 root root  14419968 Jan 13 19:40 CG33.img
-rw-r--r-- 1 root root     18432 Jan 13 19:40 CG34.img
-rw-r--r-- 1 root root   8388608 Jan 13 19:40 CG35.img
-rw-r--r-- 1 root root 342624256 Jan 13 19:40 CG39.img
-rw-r--r-- 1 root root    274432 Jan 13 19:40 CG42.img
-rw-r--r-- 1 root root   3147776 Jan 13 19:40 CG45.img
-rw-r--r-- 1 root root   8388608 Jan 13 19:40 CG47.img
-rw-r--r-- 1 root root    524288 Jan 13 19:40 CG61.img
-rw-r--r-- 1 root root     18432 Jan 13 19:40 CG64.img
-rw-r--r-- 1 root root     18432 Jan 13 19:40 CG65.img
-rw-r--r-- 1 root root 378298725 Sep  8 18:57 DFPRC_U_4.5.3-109_DPP-6-7_SIGNED_USADEFYPRCB1B50AA00A.0R_JRDNGIBRRTGC_P025_A019_HWp3a_Service1FF.sbf
-rw-r--r-- 1 root root    315392 Jan 13 19:40 RDL03.img
 

balika01

Senior Member
Dec 28, 2010
177
214
Chinese CDT is the 4.5.3-109 DPP 6-7 http://xdaforums.com/showthread.php?t=1263212

this sbf contains :

Code:
-rw-r--r-- 1 root root     18432 Jan 13 19:40 CG31.img
-rw-r--r-- 1 root root    133120 Jan 13 19:40 CG32.img
-rw-r--r-- 1 root root  14419968 Jan 13 19:40 CG33.img
-rw-r--r-- 1 root root     18432 Jan 13 19:40 CG34.img
-rw-r--r-- 1 root root   8388608 Jan 13 19:40 CG35.img
-rw-r--r-- 1 root root 342624256 Jan 13 19:40 CG39.img
-rw-r--r-- 1 root root    274432 Jan 13 19:40 CG42.img
-rw-r--r-- 1 root root   3147776 Jan 13 19:40 CG45.img
-rw-r--r-- 1 root root   8388608 Jan 13 19:40 CG47.img
-rw-r--r-- 1 root root    524288 Jan 13 19:40 CG61.img
-rw-r--r-- 1 root root     18432 Jan 13 19:40 CG64.img
-rw-r--r-- 1 root root     18432 Jan 13 19:40 CG65.img
-rw-r--r-- 1 root root 378298725 Sep  8 18:57 DFPRC_U_4.5.3-109_DPP-6-7_SIGNED_USADEFYPRCB1B50AA00A.0R_JRDNGIBRRTGC_P025_A019_HWp3a_Service1FF.sbf
-rw-r--r-- 1 root root    315392 Jan 13 19:40 RDL03.img

u on bootloader v6?
 

Top Liked Posts

  • 23
    OK, me again :p
    Finally, I got the unlock truth....from the one who really really knows about embedded development.

    First, "TI OMAP Board Configure Tool" is just a tool from TI, obviously it's not for public download. Just for the companies which bought their OMAP Development Board. This tool can be used to flash the nand chip, configure the kernel arm board, preboot the board (just like the "tethered" in Apple IOS device) etc.
    Second, the 16MB .bin file is a baseboard project file from Moto. This file contains project header, preboot code and a tiny uboot system etc.
    Third, the factory reset mode can be used to configure hardware parameters (such as cpu/ram freq, sensors etc) and software parameters (such as nand write address, device type [s/se], secure switch, environment etc) and hardware self-check.

    The customer service uses the "TI OMAP Board Configure Tool" to configure the broken phone, such as flash firmware, preboot to factory mode etc.
    When they get the broken phone, they use the RSD first, if it does not work they will use the "TI OMAP Board Configure Tool" to preboot the phone into factory reset mode (with baseboard project file).
    In the factory reset mode, hardware self-check is the first thing, if the hardware is OK they will try to configure the software parameters (such as switch off the secure check so that they can flash *ANY* sbf, empty the environment variable so that the phone will become an eng-board, etc).

    So, the unlocking process is just to get into the factory reset mode and switch off the secure check or empty the environment variable (to be eng-board) or open the fast boot mode.

    The truth of the JS unlock process is they use a tool to empty the environment variable, so the IMEI of unlocked device has become an invalid 00000012345 etc. Obviously, this may have some side effects.

    At last, the man told me that DO NOT SIMPLY TRY TO UNLOCK WITH RECOVERY (or similar utils in phone), because the linux can not access the most important things, because these things are not stored in mtd partitions, the linux won't (can't) mount them. Or you can just hack the bootloader program to bypass the secure check, but it's difficult!

    He says except the TI tools, we can research on RSD tool and will find some useful addresses, so that we can write some zeros into the address and empty the environment variable.

    Now I think there is an easiest way to go, come on everybody let's find out the man who learned to use the JTag (or other) to dump the data of entire nand chip of an unlocked device, and grab out the header of the data. This data is the unlocked configuration.
    20
    It can be dangerous for your Defy at this stage!!


    Please donate to our developer, Epsylon3 :
    http://xdaforums.com/showthread.php?t=1446106


    Summary : (Thanks coleho_ and t0desicy)
    http://xdaforums.com/showpost.php?p=21579211&postcount=521
    http://daccurso.eu/defy/

    Helping with unlock :
    http://xdaforums.com/showpost.php?p=21402316&postcount=167

    MMCBLK dump :
    http://www.mediafire.com/?khnvrrr82azwq89

    Full dump from a unlocked defy : (Thanks sykoism)
    http://xdaforums.com/showpost.php?p=21398414&postcount=157

    Quick Links :
    Unlocking steps by customer service: http://xdaforums.com/showpost.php?p=21394172&postcount=137 (Thanks viper520)
    and: http://xdaforums.com/showpost.php?p=21395694&postcount=145 (Thanks ericlaw02)

    And thanks to those who are helping us try to unlock the bootloader! Any suggestions ARE WELCOME! :D
    18
    Some thoughts....

    Hi folks,

    let me first point out, that i do not personally own a Defy and that i'm not fully aware of all the bootloaders floating around.
    I had been PM'ed by furrabbit.nh to give some comments on the attempt to unlock the Defy.

    Let me further point out that i am willing to consider the report from the chinese guy as trustworthy.
    So i'd like to refer to this translation over here:
    http://xdaforums.com/showpost.php?p=21395694&postcount=145

    Mmmmh so how to start...
    The security on OMAP processors is a real engineering masterpiece, once the CPU has been set to HS mode.
    By blowing the HS fuse bit the device gets nearly uncrackable.
    There are only two exceptions:
    1. You got Motorola's private key and are able to sign your code
    2. You got an engineering bootloader (signed as well) that does match the hash keys hard-coded into the device

    It seems that there is such a code, if we trust the chinese report :rolleyes:

    So what does omapinfo give us?
    You might refer to the public datasheet of the OMAP3630, which is in fact kind of a subset of the OEM variant, which also includes all the security stuff.
    Tell me if you need the link or something...

    Code:
    STATE :      205
    Simply tells us that the device is marked as a high security device (not in GP mode).
    By setting the HS bit the internal ROM is aware about the use case of the platform.
    In other words the internal ROM code "knows" it is executed on a security enabled smartphone.
    The internal ROM's bootcode then treats external devices with certain security aspects and prohibits low level debugging as well (e.g. JTAG access).
    See my thread over here covering the Milestone hardware:
    http://xdaforums.com/showthread.php?t=849632

    Code:
    PKEY0 : c57aa19e 
    PKEY1 : 31fe2d32 
    PKEY2 : 2e48bc96 
    PKEY3 : 15fcea7b 
    PKEY4 : 876578f3
    These device specific hash keys are stored in a particular area called the efuse bank.
    The dedicated registers simply represent the setting of a particular area of fuse bits.
    Often these bits are unique to a certain platform or device model, in this case all Defy's of a certain series will have the same keys.
    Thoughts about efuses:
    http://xdaforums.com/showthread.php?t=911611
    Maybe it's not up to date concerning all information, but gives an idea.

    The internal ROM loader inside OMAP uses these keys to check the consistency of the very first loader
    stored in external memory (mbmloader).
    Usually this is NAND flash or an eMMC storage device.

    The ROM knowing it is run in HS mode, then expects a certain format for this very first block as well.
    E.g. there are certain keys to grant the rights for the bootcode to access special memory areas.

    These keys are even higher level security... i really have to skip some points here,
    because it would be too much to explain it all and it's already late.

    Code:
    CPU-ID: 2b89102f
    This is obvious, if you have a look into the public OMAP3630 manual.
    It is also a hard-coded value and represents the silicon version the processor itself relies on.
    There's no specific effect on the security lock.
    CPU-ID: 1b89102f -> OMAP36xx ES1.1
    CPU-ID: 2b89102f -> OMAP36xx ES1.2
    So you may find 1. generation and 2. generation devices here... no big deal.
    See page 204 in OMAP36xx manual.

    If the story of the chinese guy is true and the service really handed out the same piece of hardware,
    there might be hope to convert a usual phone to an engineering one.
    The engineering bootloader which is used by Motorola simply has to match the pkeys of the customer phones.

    Another story is to flash this loader successfully to your device if you have not the right tools. So maybe that's why the service needs this mysterious OMAP board configuration tool.
    A good thing would be to have the original SBF file of that bootcode.

    At least this technique sounds similar to other manufacturers who decided to open up their bootloader.
    I guess my comment is not quite complete, but i'll have to sleep now.

    Anyway i'll have a look here recently and try to answer questions if i'll find some time.
    I also apologize for this technical overdose, but i was asked to put my thoughts down here ;)

    Happy hacking and good luck!

    scholbert
    18
    @Otto.Br What was your defy problem, where did you take and do you know if it went to anywhere else during repair?:cool:

    I was changing the bootlogo again with these instructions.
    then i issued a REBOOT command on terminal emulator and the phone just showed a black screen, then i pulled the battery, and realized the phone was still connected thru USB, after that the phone wouldn't power up anymore. so i took it to the Moto service center in downtown São Paulo (Av. São Luis 153, Galeria Metrópole). they said their lab was unavailable, so they shipped my phone (which, by the way, is made in Brasil) back to the factory.

    I hadn't realized it was unlocked (SE) until i read this thread, I'll try to flash an Eclair SBF to see what's what.

    BTW my last SBF flash was JRDNEM_U3_3.4.2_179-002_CEE_DEBLUR for CM7.

    - - - - - - - - - - - - - - - - - - - - - - - - - -

    EDIT: Successfully flashed this 2.1 Eclair ROM
    JORDN_U3_6.36.0_SIGNED_USAJRDNTMOB1B4B5DE1028.0R_JORDANTMO_P022_HWp3_Service1FF

    EDIT 2: Also successfully flashed the 2.3 Gingerbread Chinese ROM
    p3a_jordan_umts_jordan_china-user-2.3.4-4.5.3-66-62-test-keys-ChinaRetail-CN

    YEAH!! I really have an unlocked DEFY!!!:D
    if you guys need anything from me just ask!

    Now, back to froyo CEE => CM7 :D thanks Quarx, Epsylon 3 and Maniac 103 for this awesome ROM! and everyone else here for the support! my thanks meter went CRAZY! :D
    13
    :(:(:(:(:(

    ---------- Post added at 09:22 PM ---------- Previous post was at 09:22 PM ----------

    M so sorry guys to inform that, but today it didn't work out :( :( .. talk just broke down in between...
    Anyways i have told my classmate who works for Nokia Siemens in Bangkok to ask her Motorola guys for such tools.:p
    I will also be trying to talk to another classmate who is in Texas Instruments for the OMAP tool..
    The treasure hunt has begun...we will do whatever u can to get the "KEY" to the treasure...we know that only unlocking bootloader can unlock the door of unlimited opportunity :)
    I know u guys had some hopes on me today..but its not just today..the day will come :) :)
    I will be traveling 500km tomorrow to talk to one more guy who can help :)