[WORK IN PROGRESS] Unlocking Motorola Defy Mini XT320 and Fire XT530 bootloader

OP rootdefyxt320

6th June 2013, 09:39 AM | #1
rootdefyxt320 (OP)
I've recently read about how Dan Rosenberg unlocked the bootloader on Motorola phones with Qualcomm chipsets. I'm pretty sure this exploit exists in the Motorola Fire XT530 and Motorola Defy Mini XT320.
http://blog.azimuthsecurity.com/2013...ootloader.html

Chipset Specification:
Motorola Fire XT530- Qualcomm MSM7227-T, 800MHz ARM11, Adreno 200 GPU
Motorola Defy Mini XT320- Qualcomm MSM7225A-1, 600MHz ARM Cortex-A5, Adreno 200 enhanced GPU

I have decided to combine the unlocking of the Motorola Fire XT530 and Motorola Defy Mini XT320 bootloaders in one place, as there are more developers experienced in C++ among the Motorola Fire XT530 users than among the Defy Mini XT320 users, so we can help each other.

I've done the initial work of dumping appsbootsec.mbn from the Motorola Fire XT530 sbf and the Motorola Defy Mini XT320 sbf.
Now it requires the work of using Interactive Disassembler to locate the QFuse addresses, but unfortunately I don't know how to use it, so I can't disassemble appsbootsec.mbn.
@djrbliss if you have time to read this thread and help us users to try and use Interactive Disassembler, this would be greatly appreciated.

Here's the link to the memory addresses for Motorola Defy Mini XT320:
http://www.droidevelopers.com/f412/1...emory-map.html

The sbf files that I've used to extract appsbootsec.mbn:
Motorola Fire XT530: DMP-4480-0-4017-A01_RFM.sbf
Motorola Defy Mini XT320: TNBST_4_0A.1F.10RPS_flex_WE_Retail_CEE_v2.sbf

All these sbf files have fastboot support.

At the bottom, I have attached appsbootsec.mbn from the prerequisite phones.

Guys please don't ask for an ETA or when the bootloader is going to be unlocked as this depends on time.

@Bernd.Defy I've uploaded the rest of the bootloader files; would you please take a look at them using a hex viewer? Thanks.
Last edited by rootdefyxt320; 6th August 2013 at 01:07 AM.
The Following 13 Users Say Thank You to rootdefyxt320 For This Useful Post
10th June 2013, 02:09 AM | #2
Great! Hope it will work..
The Following User Says Thank You to rkubica91 For This Useful Post
11th June 2013, 03:58 PM | #3
rootdefyxt320 (OP)
Anyone else that is experienced in C++ and/or using Interactive Disassembler please feel free to join the team.
The Following User Says Thank You to rootdefyxt320 For This Useful Post
12th June 2013, 10:15 PM | #4
Hmmm... watched the mbns - I see no messages like those mentioned in the blog post. Also, the string "get_unlock_data" is not found.

So I think the method posted in the blog only works on phones with the option to unlock the bootloader via some token, as the hack hooks into the function to check the validity of the token and then always returns true.

Maybe I'm wrong (hope so).

Regards,
Bernd
The Following User Says Thank You to Bernd.Defy For This Useful Post
13th June 2013, 11:04 AM | #5
rootdefyxt320 (OP)
Quote:
Originally Posted by Bernd.Defy

Hmmm... watched the mbns - I see no messages like those mentioned in the blog post. Also, the string "get_unlock_data" is not found.

So I think the method posted in the blog only works on phones with the option to unlock the bootloader via some token, as the hack hooks into the function to check the validity of the token and then always returns true.

Maybe I'm wrong (hope so).

Regards,
Bernd

Did you use the Interactive Disassembler to open appsbootsec.mbn? I was wondering what program you used to view appsbootsec.mbn.
The Following User Says Thank You to rootdefyxt320 For This Useful Post
13th June 2013, 11:42 AM | #6
Quote:
Originally Posted by rootdefyxt320

Did you use the Interactive Disassembler to open appsbootsec.mbn? I was wondering what program you used to view appsbootsec.mbn.

I used a normal hex-viewer, as most of the user-messages and parameters are visible in plain text.

Also, issuing a "fastboot oem unlock" on the Defy Mini does not lead to any result.
The Following User Says Thank You to Bernd.Defy For This Useful Post
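
The hex-viewer check described in post #6, scripted as an added example (not code from any poster in this thread): it lists the plain-text strings in a bootloader image with their offsets and reports whether marker strings such as "get_unlock_data" occur. The `SAMPLE` bytes are constructed, and treating "oem unlock" as a second marker is an assumption.

```python
import re
import sys

# "get_unlock_data" is the string named in the thread; "oem unlock" is an
# assumed extra marker taken from the fastboot command the thread tries.
MARKERS = (b"get_unlock_data", b"oem unlock")


def ascii_strings(blob, min_len=6):
    """Yield (offset, text) for each printable-ASCII run of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(blob):
        yield match.start(), match.group().decode("ascii")


def find_markers(blob, markers=MARKERS):
    """Return {marker: [offsets]} for every case-insensitive occurrence."""
    lowered = blob.lower()
    hits = {}
    for marker in markers:
        needle = marker.lower()
        offsets = []
        pos = lowered.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = lowered.find(needle, pos + 1)
        hits[marker.decode("ascii")] = offsets
    return hits


# Constructed sample standing in for an image file; not taken from any real .mbn.
SAMPLE = (b"\x00\x01\xea\xff" * 4 + b"fastboot: processing commands\x00"
          + b"\xde\xad" * 3 + b"unknown oem command\x00" + b"\x7f\x00ab\x00")

if __name__ == "__main__":
    # Pass an image path to scan a real file; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, text in ascii_strings(data):
        print(f"0x{offset:08x}  {text}")
    for marker, offsets in find_markers(data).items():
        where = ", ".join(hex(o) for o in offsets) or "not found"
        print(f"{marker!r}: {where}")
```

A miss only shows that the plain-ASCII string is absent; it says nothing about compressed or otherwise encoded regions of the image.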
13th June 2013, 09:43 PM | #7
Is this a way to install another Android?

Sent from my XT320 using xda app-developers app
14th June 2013, 12:57 AM | #8
rootdefyxt320 (OP)
Quote:
Originally Posted by Bernd.Defy

I used a normal hex-viewer, as most of the user-messages and parameters are visible in plain text.

Also, issuing a "fastboot oem unlock" on the Defy Mini does not lead to any result.

It says 'unknown oem command', making me believe that it was disabled. I will see how Guitwo2 goes with it before declaring the project abandoned.
The Following User Says Thank You to rootdefyxt320 For This Useful Post
18th June 2013, 11:30 AM | #9
What's Guitwo's opinion?
19th June 2013, 01:20 AM | #10
rootdefyxt320 (OP)
Quote:
Originally Posted by Bernd.Defy

What's Guitwo's opinion?

He's been busy studying for his PhD these days so he doesn't have time. He will help us after he gets his PhD.

The Following User Says Thank You to rootdefyxt320 For This Useful Post

Tags
bootloader unlock, motorola defy mini xt320, motorola fire xt530, qfuse