[WORK IN PROGRESS] Unlocking Motorola Defy Mini XT320 and Fire XT530 bootloader

rootdefyxt320
(Last edited by rootdefyxt320; 6th August 2013 at 12:07 AM.)
#1  
Senior Member - OP
Thanks Meter 367
Posts: 392
Join Date: Oct 2012
Location: Sydney, NSW, Australia

I've recently read about how Dan Rosenberg unlocked the bootloader on Motorola phones with Qualcomm chipsets. I'm pretty sure this exploit exists in the Motorola Fire XT530 and Motorola Defy Mini XT320.
http://blog.azimuthsecurity.com/2013...ootloader.html

Chipset Specification:
Motorola Fire XT530- Qualcomm MSM7227-T, 800MHz ARM11, Adreno 200 GPU
Motorola Defy Mini XT320- Qualcomm MSM7225A-1, 600MHz ARM Cortex-A5, Adreno 200 enhanced GPU

I have decided to combine the unlocking of the Motorola Fire XT530 and Motorola Defy Mini XT320 bootloaders in one place, as there are more developers experienced in C++ among Motorola Fire XT530 users than among Defy Mini XT320 users, so we can help each other.

I've done the initial work of dumping appsbootsec.mbn from the Motorola Fire XT530 sbf and the Motorola Defy Mini XT320 sbf.
Now it requires the work of using Interactive Disassembler to locate the QFuse addresses, but unfortunately I don't know how to use it, so I can't disassemble appsbootsec.mbn.
@djrbliss, if you have time to read this thread and help us users try to use Interactive Disassembler, it would be greatly appreciated.

Here's the link to the memory addresses for Motorola Defy Mini XT320:
http://www.droidevelopers.com/f412/1...emory-map.html

The sbf files that I've used to extract appsbootsec.mbn:
Motorola Fire XT530: DMP-4480-0-4017-A01_RFM.sbf
Motorola Defy Mini XT320: TNBST_4_0A.1F.10RPS_flex_WE_Retail_CEE_v2.sbf

All these sbf files have fastboot support.

At the bottom, I have attached appsbootsec.mbn from the prerequisite phones.

Guys, please don't ask for an ETA or when the bootloader is going to be unlocked, as this depends on time.

@Bernd.Defy I've uploaded the rest of the bootloader files; would you please take a look at them using a hex viewer? Thanks.
Devices:
Motorola Defy Mini XT320- Stock 2.3.6 Rooted.
Sony Xperia X10 Mini Pro U20i- Cyanogenmod 10.

Press the thanks button if I helped you instead of saying thanks

 
rkubica91
#2  
Junior Member
Thanks Meter 5
Posts: 28
Join Date: Dec 2012
Great! Hope it will work..
 
rootdefyxt320
#3
Anyone else that is experienced in C++ and/or using Interactive Disassembler please feel free to join the team.
 
Bernd.Defy
#4  
Member
Thanks Meter 40
Posts: 64
Join Date: Feb 2013
Hmmm... watched the mbns - I see no messages like those mentioned in the blog post. Also the string "get_unlock_data" is not found.

So I think the method posted in the blog only works on phones with the option to unlock the bootloader via some token, as the hack hooks into the function to check the validity of the token and then always returns true.

Maybe I'm wrong (hope so).

Regards,
Bernd
 
rootdefyxt320
#5
Quote:
Originally Posted by Bernd.Defy View Post
Hmmm... watched the mbns - I see no messages like those mentioned in the blog post. Also the string "get_unlock_data" is not found.

So I think the method posted in the blog only works on phones with the option to unlock the bootloader via some token, as the hack hooks into the function to check the validity of the token and then always returns true.

Maybe I'm wrong (hope so).

Regards,
Bernd
Did you use the interactive disassembler to open appsbootsec.mbn? I was wondering what program you used to view appsbootsec.mbn
 
Bernd.Defy
#6
Quote:
Originally Posted by rootdefyxt320 View Post
Did you use the interactive disassembler to open appsbootsec.mbn? I was wondering what program you used to view appsbootsec.mbn
I used a normal hex-viewer, as most of the user-messages and parameters are visible in plain text.

Also, issuing a "fastboot oem unlock" on the Defy Mini does not lead to any result.
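The check described in posts #4 and #6 (looking through the image for plain-text strings such as "get_unlock_data"), as an added Python example that is not part of the thread. The function names are hypothetical and the sample byte strings are constructed, not taken from appsbootsec.mbn.

```python
import re

# Markers named in the thread: the string searched for in post #4 and the
# fastboot command tried in post #6. Extend the tuple for other images.
MARKERS = ("get_unlock_data", "oem unlock")

def ascii_strings(blob, min_len=4):
    """Yield (offset, text) for every run of printable ASCII, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for match in re.finditer(pattern, blob):
        yield match.start(), match.group().decode("ascii")

def find_markers(blob, markers=MARKERS):
    """Return {marker: [file offsets]} for each marker seen in a plain-text string."""
    hits = {marker: [] for marker in markers}
    for offset, text in ascii_strings(blob):
        for marker in markers:
            pos = text.find(marker)
            while pos != -1:               # a string may hold a marker twice
                hits[marker].append(offset + pos)
                pos = text.find(marker, pos + 1)
    return hits

def has_token_unlock_strings(blob):
    """True only if the image carries the string looked for in post #4."""
    return bool(find_markers(blob)["get_unlock_data"])

# Constructed sample images (NOT bytes from appsbootsec.mbn): binary padding
# around the kind of NUL-terminated messages a hex viewer shows as text.
SAMPLE_WITH = b"\x00\x01\xffFASTBOOT\x00\x7f\x10oem get_unlock_data\x00\xfe\x02"
SAMPLE_WITHOUT = b"\x00\x01\xffFASTBOOT\x00\x03unknown oem command\x00\xfe\x02"

if __name__ == "__main__":
    for name, blob in (("with", SAMPLE_WITH), ("without", SAMPLE_WITHOUT)):
        print(name, find_markers(blob), has_token_unlock_strings(blob))
```

A miss here only shows the string is not stored as plain ASCII in the image; text that is compressed or stored in another encoding would not be found this way.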
 
Tubii
#7  
Member
Thanks Meter 3
Posts: 59
Join Date: Feb 2013
Location: Berlin
Is this a way to install another Android?
 
rootdefyxt320
#8
Quote:
Originally Posted by Bernd.Defy View Post
I used a normal hex-viewer, as most of the user-messages and parameters are visible in plain text.

Also, issuing a "fastboot oem unlock" on the Defy Mini does not lead to any result.
It says 'unknown oem command', making me believe that it was disabled. I will see how Guitwo2 goes with it before declaring the project abandoned.
 
Bernd.Defy
#9
What's Guitwo's opinion?
 
rootdefyxt320
#10
Quote:
Originally Posted by Bernd.Defy View Post
What's Guitwo's opinion?
He's been busy studying for his PhD these days so he doesn't have time. He will help us after he gets his PhD.
Tags
bootloader unlock, motorola defy mini xt320, motorola fire xt530, qfuse