[ABANDONED] Bootloader unlock - discuss bootloader matters here


mpiekp

Eppy, post what you think will work; my handset is a willing tester.


adi4motion

Arf, I think I found how to enable the engineering mode... but I've made a mistake and now my phone doesn't boot at all :( Fully bricked, no more bootloader or USB.

Can you tell what to do... that may unlock the bootloader? Maybe there's somebody brave enough to do this :)

As for your phone... take it to the service center: if they ask for money we will gladly do our part and pay the bill :)
 
  • Like
Reactions: airwolf1544

Epsylon3

BEWARE: Don't change your fuse data (phone fully bricked, sent to the repair service!)

What I've done: changed the efuse data:

<6>[ 2161.395812] SecGetSWRV = 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00

<6>[ 2213.090911] SecGetSWRV = 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00

e0 to e1... how? With this command:

Code:
static int TryWriteFuseReg(void)
{
	unsigned int result = 99;
	int ret_val = 99;
	SEC_PA_PARAMS ns_efuse_params;

	SecRaiseVfuse();

	ns_efuse_params.component = SEC_CUST_CODE;
	ns_efuse_params.efuse_value = 0x01;
	ns_efuse_params.bch_value = 99;
	result = SEC_ENTRY_pub2sec_dispatcher(API_HAL_MOT_EFUSE,
					      0,
					      FLAG_IRQFIQ_MASK | FLAG_START_HAL_CRITICAL,
					      1,
					      (void *) __pa(&ns_efuse_params));
	printk(KERN_INFO "SEC_ENTRY_pub2sec_dispatcher = %x\n", result);
	if (result == 0)
		ret_val = 0;

	SecLowerVfuse();

	return ret_val;

}

Then I tried to reset it to 0 with ns_efuse_params.efuse_value = 0x00; but that doesn't work.

So, I've seen another 1, I tried that and the device has stopped working (not on reset, it stopped directly):

Code:
	ns_efuse_params.component = SEC_CUST_CODE;
	ns_efuse_params.efuse_value = 0x01;
	ns_efuse_params.bch_value = 99;
	result = SEC_ENTRY_pub2sec_dispatcher(API_HAL_MOT_EFUSE,
					      0,
					      FLAG_IRQFIQ_MASK | FLAG_START_HAL_CRITICAL,
					      0, //<<<<--- DONT DO THAT
					      (void *) __pa(&ns_efuse_params));
	printk(KERN_INFO "SEC_ENTRY_pub2sec_dispatcher = %x\n", result);

I've put the 0 here to try to "reset" the bit

Code:
typedef enum {
        /*Starting with random non zero value for component type */
        SEC_AP_PA_PPA = 0x00000065,
        SEC_BP_PPA,
        SEC_BP_PA,
        SEC_ML_PBRDL,
        SEC_MBM,
        SEC_RRDL_BRDL,
        SEC_BPL,
        SEC_AP_OS,
        SEC_BP_OS,
        SEC_BS_DIS,
        SEC_ENG,
        SEC_PROD,
        SEC_CUST_CODE,
        SEC_PKC,
        SEC_MODEL_ID,
        SEC_MAX
} SEC_SV_COMPONENT_T;

To enable eng mode, I'm almost sure the enum is not good... (I didn't try) but it should begin with "xf 20 00 00" (bit 13: ENG and not bit 14: PROD) according to the kernel code

balika01

Quoting Epsylon3:

What I've done: changed the efuse data:

<6>[ 2161.395812] SecGetSWRV = 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00

<6>[ 2213.090911] SecGetSWRV = 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00

e0 to e1...

What are the e0 and e1 ???
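As an added example (not code from any post in this thread, and nothing here touches the fuses): a small C program that parses the two SecGetSWRV dmesg lines Epsylon3 posted, diffs them bit by bit, and maps an absolute bit number to its byte and mask the way his "bit 13: ENG / xf 20 00 00" reading does. Run on those two lines it shows that e0 -> e1 set the lowest bit of byte 17 (absolute bit 136) and nothing else. The two log lines are taken from the post; the function names and the bit-numbering assumption (bit 0 is the least significant bit of byte 0) are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SWRV_BYTES 20

/* The two SecGetSWRV lines quoted in the thread (the only sample input used here). */
static const char *SWRV_BEFORE =
    "<6>[ 2161.395812] SecGetSWRV = 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00";
static const char *SWRV_AFTER =
    "<6>[ 2213.090911] SecGetSWRV = 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00";

/* Pull the hex bytes out of a "SecGetSWRV = xx xx ..." dmesg line.
 * Returns the number of bytes stored in out[], or -1 if the marker is missing. */
int parse_swrv(const char *line, unsigned char *out, size_t max)
{
    const char *p = strstr(line, "SecGetSWRV =");
    size_t n = 0;

    if (!p)
        return -1;
    p += strlen("SecGetSWRV =");
    while (n < max) {
        while (*p == ' ')
            p++;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            break;
        char hex[3] = { p[0], p[1], '\0' };
        out[n++] = (unsigned char)strtoul(hex, NULL, 16);
        p += 2;
    }
    return (int)n;
}

/* Map an absolute bit number (assumption: bit 0 = LSB of byte 0, which is how
 * the post counts bits 13/14) to the byte it lives in and the mask within that byte. */
unsigned char swrv_bit_mask(int bit, int *byte_index)
{
    *byte_index = bit / 8;
    return (unsigned char)(1u << (bit % 8));
}

/* Read one bit of a parsed dump. */
int swrv_bit(const unsigned char *swrv, int bit)
{
    int idx;
    unsigned char mask = swrv_bit_mask(bit, &idx);
    return (swrv[idx] & mask) ? 1 : 0;
}

/* XOR two dumps and list the absolute bit numbers that differ.
 * Returns the total number of differing bits; at most maxc are stored in changed[]. */
int diff_swrv(const unsigned char *a, const unsigned char *b, size_t n,
              int *changed, size_t maxc)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char x = a[i] ^ b[i];
        for (int bit = 0; bit < 8; bit++) {
            if (x & (1u << bit)) {
                if ((size_t)count < maxc)
                    changed[count] = (int)(i * 8 + bit);
                count++;
            }
        }
    }
    return count;
}

/* Parse both quoted lines and return the single bit number that changed between
 * them, or -1 if the dumps do not differ in exactly one bit. */
int changed_bit_in_thread_dumps(void)
{
    unsigned char before[SWRV_BYTES], after[SWRV_BYTES];
    int changed[8];

    if (parse_swrv(SWRV_BEFORE, before, SWRV_BYTES) != SWRV_BYTES ||
        parse_swrv(SWRV_AFTER, after, SWRV_BYTES) != SWRV_BYTES)
        return -1;
    if (diff_swrv(before, after, SWRV_BYTES, changed, 8) != 1)
        return -1;
    return changed[0];
}

int main(void)
{
    int bit = changed_bit_in_thread_dumps();
    int idx;
    unsigned char mask;

    printf("bit that changed between the two dumps: %d (byte %d, mask 0x%02x)\n",
           bit, bit / 8, 1u << (bit % 8));
    mask = swrv_bit_mask(13, &idx);
    printf("bit 13 (ENG in the post) lives in byte %d as mask 0x%02x\n", idx, mask);
    mask = swrv_bit_mask(14, &idx);
    printf("bit 14 (PROD in the post) lives in byte %d as mask 0x%02x\n", idx, mask);
    return 0;
}
```

Diffing the read-back dumps this way only inspects what the kernel already logs; reading fuse state is harmless, while the thread shows that writing it is irreversible and can leave the phone unbootable, so knowing exactly which bit a change would flip is worth doing before anything else.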
 

Top Liked Posts

  • 23 likes
    OK, me again :p
    Finally, I got the unlock truth... from the one who really, really knows about embedded development.

    First, the "TI OMAP Board Configure Tool" is just a tool from TI; obviously it's not for public download, just for the companies which bought their OMAP Development Board. This tool can be used to flash the NAND chip, configure the kernel ARM board, preboot the board (just like the "tethered" mode on Apple iOS devices) etc.
    Second, the 16MB .bin file is a baseboard project file from Moto. This file contains the project header, preboot code and a tiny U-Boot system etc.
    Third, the factory reset mode can be used for configuring hardware parameters (such as CPU/RAM freq, sensors etc.) and software parameters (such as NAND write address, device type [s/se], secure switch, environment etc.) and for hardware self-check.

    The customer service uses the "TI OMAP Board Configure Tool" to configure the broken phone, e.g. flash firmware, preboot to factory mode etc.
    When they get a broken phone, they use RSD first; if it does not work they will use the "TI OMAP Board Configure Tool" to preboot the phone into factory reset mode (with the baseboard project file).
    In the factory reset mode, hardware self-check is the first thing; if the hardware is OK they will try to configure the software parameters (such as switching off the secure check so that they can flash *ANY* SBF, emptying the environment variable so that the phone becomes an eng-board, etc.).

    So, the unlocking process is just getting into the factory reset mode and switching off the secure check, or emptying the environment variable (to become an eng-board), or opening the fastboot mode.

    The truth of the JS unlock process is that they use a tool to empty the environment variable, so the IMEI of an unlocked device has become an invalid 00000012345 etc. Obviously, this may have some side effects.

    At last, the man told me: DO NOT SIMPLY TRY TO UNLOCK WITH RECOVERY (or similar utils in the phone), because Linux cannot access the most important things, because these things are not stored in MTD partitions; Linux won't (can't) mount them. Or you can just hack the bootloader program to bypass the secure check, but it's difficult!

    He says that apart from the TI tools, we can research the RSD tool and will find some useful addresses, so that we can write some zeros into the address and empty the environment variable.

    Now I think there is an easier way to go: come on everybody, let's find the man who learned to use JTAG (or other) to dump the data of the entire NAND chip of an unlocked device, and grab the header of the data. This data is the unlocked configuration.
    20 likes
    It can be dangerous for your Defy at this stage!!


    Please donate to our developer, Epsylon3 :
    http://xdaforums.com/showthread.php?t=1446106


    Summary : (Thanks coleho_ and t0desicy)
    http://xdaforums.com/showpost.php?p=21579211&postcount=521
    http://daccurso.eu/defy/

    Helping with unlock :
    http://xdaforums.com/showpost.php?p=21402316&postcount=167

    MMCBLK dump :
    http://www.mediafire.com/?khnvrrr82azwq89

    Full dump from an unlocked Defy: (Thanks sykoism)
    http://xdaforums.com/showpost.php?p=21398414&postcount=157

    Quick Links :
    Unlocking steps by customer service: http://xdaforums.com/showpost.php?p=21394172&postcount=137 (Thanks viper520)
    and: http://xdaforums.com/showpost.php?p=21395694&postcount=145 (Thanks ericlaw02)

    And thanks to everyone helping us try to unlock the bootloader! Any suggestions ARE WELCOME! :D
    18 likes
    Some thoughts....

    Hi folks,

    let me first point out that I do not personally own a Defy and that I'm not fully aware of all the bootloaders floating around.
    I had been PM'ed by furrabbit.nh to give some comments on the attempt to unlock the Defy.

    Let me further point out that I am willing to consider the report from the Chinese guy as trustworthy.
    So I'd like to refer to this translation over here:
    http://xdaforums.com/showpost.php?p=21395694&postcount=145

    Mmmmh, so how to start...
    The security on OMAP processors is a real engineering masterpiece, once the CPU has been set to HS mode.
    By blowing the HS fuse bit the device gets nearly uncrackable.
    There are only two exceptions:
    1. You've got Motorola's private key and are able to sign your code
    2. You've got an engineering bootloader (signed as well) that matches the hash keys hard-coded into the device

    It seems that there is such a code, if we trust the Chinese report :rolleyes:

    So what does omapinfo give us?
    You might refer to the public datasheet of the OMAP3630, which is in fact kind of a subset of the OEM variant, which also includes all the security stuff.
    Tell me if you need the link or something...

    Code:
    STATE :      205
    Simply tells us that the device is marked as a high security device (not in GP mode).
    By setting the HS bit the internal ROM is aware of the use case of the platform.
    In other words the internal ROM code "knows" it is executed on a security-enabled smartphone.
    The internal ROM's bootcode then treats external devices with certain security aspects and prohibits low-level debugging as well (e.g. JTAG access).
    See my thread over here covering the Milestone hardware:
    http://xdaforums.com/showthread.php?t=849632

    Code:
    PKEY0 : c57aa19e 
    PKEY1 : 31fe2d32 
    PKEY2 : 2e48bc96 
    PKEY3 : 15fcea7b 
    PKEY4 : 876578f3
    These device-specific hash keys are stored in a particular area called the efuse bank.
    The dedicated registers simply represent the setting of a particular area of fuse bits.
    Often these bits are unique to a certain platform or device model; in this case all Defys of a certain series will have the same keys.
    Thoughts about efuses:
    http://xdaforums.com/showthread.php?t=911611
    Maybe it's not up to date concerning all information, but it gives an idea.

    The internal ROM loader inside the OMAP uses these keys to check the consistency of the very first loader stored in external memory (mbmloader).
    Usually this is NAND flash or an eMMC storage device.

    The ROM knowing it is run in HS mode, then expects a certain format for this very first block as well.
    E.g. there are certain keys to grant the rights for the bootcode to access special memory areas.

    These keys are even higher-level security... I really have to skip some points here,
    because it would be too much to explain it all and it's already late.

    Code:
    CPU-ID: 2b89102f
    This is obvious if you have a look into the public OMAP3630 manual.
    It is also a hard-coded value and represents the silicon version the processor itself relies on.
    There's no specific effect on the security lock.
    CPU-ID: 1b89102f -> OMAP36xx ES1.1
    CPU-ID: 2b89102f -> OMAP36xx ES1.2
    So you may find 1st generation and 2nd generation devices here... no big deal.
    See page 204 in the OMAP36xx manual.

    If the story of the Chinese guy is true and the service really handed out the same piece of hardware,
    there might be hope to convert a usual phone to an engineering one.
    The engineering bootloader which is used by Motorola simply has to match the pkeys of the customer phones.

    Another story is to flash this loader successfully to your device if you don't have the right tools. So maybe that's why the service needs this mysterious OMAP board configuration tool.
    A good thing would be to have the original SBF file of that bootcode.

    At least this technique sounds similar to other manufacturers who decided to open up their bootloader.
    I guess my comment is not quite complete, but I'll have to sleep now.

    Anyway, I'll have a look here now and then and try to answer questions if I find some time.
    I also apologize for this technical overdose, but I was asked to put my thoughts down here ;)

    Happy hacking and good luck!

    scholbert
    18 likes
    @Otto.Br What was your Defy problem, where did you take it, and do you know if it went anywhere else during repair? :cool:

    I was changing the bootlogo again with these instructions.
    Then I issued a REBOOT command in the terminal emulator and the phone just showed a black screen; then I pulled the battery, and realized the phone was still connected through USB. After that the phone wouldn't power up anymore, so I took it to the Moto service center in downtown São Paulo (Av. São Luis 153, Galeria Metrópole). They said their lab was unavailable, so they shipped my phone (which, by the way, was made in Brazil) back to the factory.

    I hadn't realized it was unlocked (SE) until I read this thread; I'll try to flash an Eclair SBF to see what's what.

    BTW my last SBF flash was JRDNEM_U3_3.4.2_179-002_CEE_DEBLUR for CM7.

    - - - - - - - - - - - - - - - - - - - - - - - - - -

    EDIT: Successfully flashed this 2.1 Eclair ROM
    JORDN_U3_6.36.0_SIGNED_USAJRDNTMOB1B4B5DE1028.0R_JORDANTMO_P022_HWp3_Service1FF

    EDIT 2: Also successfully flashed the 2.3 Gingerbread Chinese ROM
    p3a_jordan_umts_jordan_china-user-2.3.4-4.5.3-66-62-test-keys-ChinaRetail-CN

    YEAH!! I really have an unlocked DEFY!!! :D
    If you guys need anything from me, just ask!

    Now, back to Froyo CEE => CM7 :D Thanks Quarx, Epsylon3 and Maniac103 for this awesome ROM! And everyone else here for the support! My thanks meter went CRAZY! :D
    13 likes
    :(:(:(:(:(


    I'm so sorry, guys, to inform you that today it didn't work out :( :( .. the talk just broke down in between...
    Anyway, I have told my classmate who works for Nokia Siemens in Bangkok to ask her Motorola guys for such tools. :p
    I will also be trying to talk to another classmate who is at Texas Instruments for the OMAP tool..
    The treasure hunt has begun... we will do whatever we can to get the "KEY" to the treasure... we know that only unlocking the bootloader can unlock the door of unlimited opportunity :)
    I know you guys had some hopes on me today.. but it's not just today.. the day will come :) :)
    I will be traveling 500km tomorrow to talk to one more guy who can help :)