[WORK IN PROGRESS] Unlocking Motorola Defy Mini XT320 and Fire XT530 bootloader

By rootdefyxt320, Senior Member on 6th June 2013, 08:39 AM
I've recently read on how Dan Rosenberg unlocked the bootloader on Motorola Phones with Qualcomm chipsets. I'm pretty sure this exploit exists in the Motorola Fire XT530 and Motorola Defy Mini XT320.
http://blog.azimuthsecurity.com/2013...ootloader.html

Chipset Specification:
Motorola Fire XT530- Qualcomm MSM7227-T, 800MHz ARM11, Adreno 200 GPU
Motorola Defy Mini XT320- Qualcomm MSM7225A-1, 600MHz ARM Cortex-A5, Adreno 200 enhanced GPU

I have decided to combine the unlocking of Motorola Fire XT530 and Motorola Defy Mini XT320 bootloaders in one place as there are more experienced developers in C++ in Motorola Fire XT530 users than the Defy Mini XT320 users so we can help each other.

I've done the initial work of dumping appsbootsec.mbn from the Motorola Fire XT530 sbf and the Motorola Defy Mini XT320 sbf.
Now it requires the work of using Interactive Disassembler to locate the QFuse addresses, but unfortunately I don't know how to use it, so I can't disassemble appsbootsec.mbn.
@djrbliss if you have time to read this thread and help us users to try and use Interactive Disassembler, this would be greatly appreciated.

Here's the link to the memory addresses for Motorola Defy Mini XT320:
http://www.droidevelopers.com/f412/1...emory-map.html

The sbf files that I've used to extract appsbootsec.mbn:
Motorola Fire XT530: DMP-4480-0-4017-A01_RFM.sbf
Motorola Defy Mini XT320: TNBST_4_0A.1F.10RPS_flex_WE_Retail_CEE_v2.sbf

All these sbf files have fastboot support.

At the bottom, I have attached appsbootsec.mbn from the prerequisite phones.

Guys please don't ask for an ETA or when the bootloader is going to be unlocked as this depends on time.

@Bernd.Defy I've uploaded the rest of the Bootloader Files, would you please take a look at it using a hex viewer? Thanks.
Last edited by rootdefyxt320; 6th August 2013 at 12:07 AM.

10th June 2013, 01:09 AM |#2
rkubica91, Member
Great! Hope it will work..

11th June 2013, 02:58 PM |#3
rootdefyxt320, OP Senior Member
Anyone else that is experienced in C++ and/or using Interactive Disassembler please feel free to join the team.

12th June 2013, 09:15 PM |#4
Bernd.Defy, Member
Hmmm... watched the mbns - I see no messages like mentioned in the blogpost. Also the string "get_unlock_data" is not found.

So I think the method posted in the blog only works on phones with the option to unlock the bootloader via some token, as the hack hooks into the function to check the validity of the token and then always returns true.

Maybe I'm wrong (hope so).

Regards,
Bernd

13th June 2013, 10:04 AM |#5
rootdefyxt320, OP Senior Member
Quote:
Originally Posted by Bernd.Defy

Hmmm... watched the mbns - I see no messages like mentioned in the blogpost. Also the string "get_unlock_data" is not found.

So I think the method posted in the blog only works on phones with the option to unlock the bootloader via some token, as the hack hooks into the function to check the validity of the token and then always returns true.

Maybe I'm wrong (hope so).

Regards,
Bernd

Did you use the interactive disassembler to open appsbootsec.mbn? I was wondering what program you used to view appsbootsec.mbn

13th June 2013, 10:42 AM |#6
Bernd.Defy, Member
Quote:
Originally Posted by rootdefyxt320

Did you use the interactive disassembler to open appsbootsec.mbn? I was wondering what program you used to view appsbootsec.mbn

I used a normal hex-viewer, as most of the user-messages and parameters are visible in plain text.

Also issuing a "fastboot oem unlock" on Defy Mini does not lead to any result.
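The check described in posts #4 and #6 (looking through the .mbn images for plain-text messages and for the string "get_unlock_data") can be scripted. This is an added example, not part of the original thread: the sample byte strings are constructed, and the keyword list apart from "get_unlock_data" is an assumption.

```python
import re
import sys

# "get_unlock_data" is the string searched for in the thread; the other
# keywords are assumptions chosen for this example.
MARKERS = (b"get_unlock_data",)
KEYWORDS = ("oem", "unlock")

def printable_strings(blob, min_len=4):
    """Return (offset, text) for each run of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]

def find_markers(blob, markers=MARKERS):
    """Map each marker to every offset where it occurs; an empty list means absent."""
    return {mk.decode(): [m.start() for m in re.finditer(re.escape(mk), blob)]
            for mk in markers}

def keyword_strings(blob, keywords=KEYWORDS):
    """Return the printable strings that mention any keyword, case-insensitively."""
    return [(off, s) for off, s in printable_strings(blob)
            if any(k in s.lower() for k in keywords)]

# Constructed sample images (not real bootloader contents).
SAMPLE_WITH_MARKER = (b"\x00" * 16 + b"oem get_unlock_data\x00"
                      + b"\x01\x02ab\x00" + b"unlock token check\x00")
SAMPLE_WITHOUT_MARKER = b"\x00" * 16 + b"unknown oem command\x00" + b"\xff" * 8

def report(name, blob):
    """Print marker offsets and keyword strings for one image."""
    for marker, offsets in find_markers(blob).items():
        state = ", ".join(hex(o) for o in offsets) or "not found"
        print(f"{name}: {marker!r}: {state}")
    for off, s in keyword_strings(blob):
        print(f"{name}: 0x{off:06x}  {s}")

if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. python scan.py appsbootsec.mbn
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                report(path, fh.read())
    else:
        report("with-marker", SAMPLE_WITH_MARKER)
        report("without-marker", SAMPLE_WITHOUT_MARKER)
```

The offsets it prints can be opened directly in a hex viewer to read the surrounding bytes.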

13th June 2013, 08:43 PM |#7
Member
Is this a way to install another Android?

13th June 2013, 11:57 PM |#8
rootdefyxt320, OP Senior Member
Quote:
Originally Posted by Bernd.Defy

I used a normal hex-viewer, as most of the user-messages and parameters are visible in plain text.

Also issuing a "fastboot oem unlock" on Defy Mini does not lead to any result.

It says 'unknown oem command', making me believe that it was disabled. I will see how Guitwo2 goes with it before declaring the project abandoned.

18th June 2013, 10:30 AM |#9
Bernd.Defy, Member
What's Guitwo's opinion?

19th June 2013, 12:20 AM |#10
rootdefyxt320, OP Senior Member
Quote:
Originally Posted by Bernd.Defy

What's Guitwo's opinion?

He's been busy studying for his PhD these days so he doesn't have time. He will help us after he gets his PhD.

25th June 2013, 02:59 PM |#11
Guitwo2, Senior Member
Quote:
Originally Posted by rootdefyxt320

He's been busy studying for his PhD these days so he doesn't have time. He will help us after he gets his PhD.


Tags
bootloader unlock, motorola defy mini xt320, motorola fire xt530, qfuse