guide: how to have unlocked fastboot without flashing

Search This thread

scottgl9

Senior Member
Mar 26, 2012
56
97
I recently discovered this, and I thought it would be of some benefit to those who are wanting to unlock, modify partitions, etc without the need to flash derpunlock.sbf or modify your photon in any way. What you need to do this:
1) fastboot for Windows or Linux
2) unlocked RDL3 (ramloader) which I am providing

The process is very simple, reboot your Motorola Photon, and hold the volume down button and power button. You will see "fastboot" on the screen, now press volume up. Connect your phone to your computer, and issue the following command which I discovered:

scottgl@scottgl-A105:~$ fastboot flash rdl.bin RDL3_unlocked.smg
sending 'rdl.bin' (3072 KB)...
OKAY [ 0.193s]
writing 'rdl.bin'...
OKAY [ 0.000s]
finished. total time: 0.193s

This will load the unlocked ramloader (unlocked will be displayed at the top even if your phone is locked) which is normally only loaded into ram when flashing an SBF! Amazing, I know. Now you can do all kinds of stuff and you've made no modifications, just issue a "fastboot reboot" and nothing has been modified. Now you are able to erase boot, recovery, oem unlock, etc. Here is an example after you have executed the above. This is just me restoring my default boot and recovery partitions which you can't do from your locked bootloader:

scottgl@scottgl-A105:~$ fastboot erase recovery
erasing 'recovery'...
OKAY [ 0.739s]
finished. total time: 0.739s
scottgl@scottgl-A105:~/Desktop/SMG$ fastboot flash recovery CG58_0x00000120.smg sending 'recovery' (8192 KB)...
OKAY [ 8.760s]
writing 'recovery'...
OKAY [ 1.013s]
finished. total time: 9.773s
scottgl@scottgl-A105:~/Desktop/SMG$ fastboot erase boot
erasing 'boot'...
OKAY [ 0.761s]
finished. total time: 0.761s
scottgl@scottgl-A105:~/Desktop/SMG$ fastboot flash boot CG59_0x00000130.smg
sending 'boot' (8192 KB)...
OKAY [ 8.800s]
writing 'boot'...
OKAY [ 0.697s]
finished. total time: 9.497s
 

Attachments

  • RDL3_unlocked.smg.zip
    476.8 KB · Views: 5,167
Last edited:

scottgl9

Senior Member
Mar 26, 2012
56
97
You can actually unlock the radio with the stock locked bootloader still in place (derpunlock.sbf flashing no longer needed):

scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$ fastboot flash rdl.bin RDL3_unlocked.smg
sending 'rdl.bin' (3072 KB)...
OKAY [ 0.193s]
writing 'rdl.bin'...
OKAY [ 0.000s]
finished. total time: 0.193s
scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$ fastboot oem unlock
...
(bootloader) Unlocking your device can permanently VOID your warranty.
(bootloader) This process cannot be reversed. If you wish to proceed,
(bootloader) reissue the unlock OEM command containing the unique ID
(bootloader) of your device: XXXXXXXXXXXXXXXX
OKAY [ 0.006s]
finished. total time: 0.006s
scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$ fastboot oem unlock XXXXXXXXXXXXXXXX
...
(bootloader) Device is already unlocked
OKAY [ 0.003s]
finished. total time: 0.003s
scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$
 

rrusek

Senior Member
Mar 3, 2006
239
68
Razer Phone 2
Google Pixel 7
4G ?

Has anyone tried this method and retained 4G?

You can actually unlock the radio with the stock locked bootloader still in place (derpunlock.sbf flashing no longer needed):

scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$ fastboot flash rdl.bin RDL3_unlocked.smg
sending 'rdl.bin' (3072 KB)...
OKAY [ 0.193s]
writing 'rdl.bin'...
OKAY [ 0.000s]
finished. total time: 0.193s
scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$ fastboot oem unlock
...
(bootloader) Unlocking your device can permanently VOID your warranty.
(bootloader) This process cannot be reversed. If you wish to proceed,
(bootloader) reissue the unlock OEM command containing the unique ID
(bootloader) of your device: XXXXXXXXXXXXXXXX
OKAY [ 0.006s]
finished. total time: 0.006s
scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$ fastboot oem unlock XXXXXXXXXXXXXXXX
...
(bootloader) Device is already unlocked
OKAY [ 0.003s]
finished. total time: 0.003s
scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$
 

bigslanki

Senior Member
Jul 18, 2009
411
76
what would be the process coming from locked stock _6, would i just flash clock work mod, flash rom.zip then OP's inputs?
 

scottgl9

Senior Member
Mar 26, 2012
56
97
what would be the process coming from locked stock _6, would i just flash clock work mod, flash rom.zip then OP's inputs?

The process of loading the unlocked ramloader is the same regardless of your firmware, even if the bootloader is 'locked'. The ramloader is just that, its written to ram, and so when the phone is reset the code is cleared out of memory. This means to unlock your radio, you don't have to flash anything to your ram, flashing rdl.bin basically just loads the ramloader to executable memory, then jumps to it. I'm still working on figuring out how to use this to chain load a custom recovery.
 
Last edited:

dito33

Senior Member
Jul 13, 2010
881
38
So can I flash CWM after this kind of unlock the bootloader and then custom rom.

Sent from my SPH-D710 using XDA
 

firtermish

Senior Member
Apr 11, 2008
88
11
Mar del Plata
I like what I m reading. Sounds like this would be the saving grace for those photon users stuck on an electrify rom (and yeah I m one of them!). Please let us know when you get to rewrite system with a custom rom with this method!
 

scottgl9

Senior Member
Mar 26, 2012
56
97
So can I flash CWM after this kind of unlock the bootloader and then custom rom.

Sent from my SPH-D710 using XDA

Not yet, you can flash it but it is not yet bootable since I haven't figured out yet how to jump to recovery from the ramloader (you'll probably get an error 2 if you flash CWM then boot to recovery). After you reset your phone, rdl.bin gets cleared out so the same protection mechanisms are still in the bootloader. It's something I'm working on.
 

scottgl9

Senior Member
Mar 26, 2012
56
97
I like what I m reading. Sounds like this would be the saving grace for those photon users stuck on an electrify rom (and yeah I m one of them!). Please let us know when you get to rewrite system with a custom rom with this method!

I already can. just do the following:

fastboot flash rdl.bin RDL3_unlocked.smg
fastboot erase system
fastboot flash system your_system_file.smg
fastboot erase boot
fastboot flash boot your_boot.smg
fastboot reboot

EDIT: file extension doesn't really matter, can be smg or img

Theres also updating from fastboot using a zip file, I'm not 100% sure if this works the same as in recovery:

update <filename> reflash device from update.zip
 
Last edited:

scottgl9

Senior Member
Mar 26, 2012
56
97
It looks like it is some sort of security error(possibly a failed sigcheck or something).

I'm pretty sure the reason you're receiving this error is because this RDL is from derpunlock.sbf from photon_pudding.rar. I'll post the unlocked pudding electrify ramloader.

Attached is the unlocked pudding electrify ramloader, run:

fastboot flash rdl.bin RDL3_unlocked_electrify.smg
 

Attachments

  • RDL3_unlocked_electrify.smg.zip
    475.9 KB · Views: 872
Last edited:

herach

Senior Member
May 18, 2005
145
7
California
I'm pretty sure the reason you're receiving this error is because this RDL is from derpunlock.sbf from photon_pudding.rar. I'll post the unlocked pudding electrify ramloader.

Attached is the unlocked pudding electrify ramloader, run:

fastboot flash rdl.bin RDL3_unlocked_electrify.smg

Tried that. It reboots the device and the device stays on Moto Logo Dual-core Screen with nothing written on it and nothing else works.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 18
    I recently discovered this, and I thought it would be of some benefit to those who are wanting to unlock, modify partitions, etc without the need to flash derpunlock.sbf or modify your photon in any way. What you need to do this:
    1) fastboot for Windows or Linux
    2) unlocked RDL3 (ramloader) which I am providing

    The process is very simple, reboot your Motorola Photon, and hold the volume down button and power button. You will see "fastboot" on the screen, now press volume up. Connect your phone to your computer, and issue the following command which I discovered:

    scottgl@scottgl-A105:~$ fastboot flash rdl.bin RDL3_unlocked.smg
    sending 'rdl.bin' (3072 KB)...
    OKAY [ 0.193s]
    writing 'rdl.bin'...
    OKAY [ 0.000s]
    finished. total time: 0.193s

    This will load the unlocked ramloader (unlocked will be displayed at the top even if your phone is locked) which is normally only loaded into ram when flashing an SBF! Amazing, I know. Now you can do all kinds of stuff and you've made no modifications, just issue a "fastboot reboot" and nothing has been modified. Now you are able to erase boot, recovery, oem unlock, etc. Here is an example after you have executed the above. This is just me restoring my default boot and recovery partitions which you can't do from your locked bootloader:

    scottgl@scottgl-A105:~$ fastboot erase recovery
    erasing 'recovery'...
    OKAY [ 0.739s]
    finished. total time: 0.739s
    scottgl@scottgl-A105:~/Desktop/SMG$ fastboot flash recovery CG58_0x00000120.smg sending 'recovery' (8192 KB)...
    OKAY [ 8.760s]
    writing 'recovery'...
    OKAY [ 1.013s]
    finished. total time: 9.773s
    scottgl@scottgl-A105:~/Desktop/SMG$ fastboot erase boot
    erasing 'boot'...
    OKAY [ 0.761s]
    finished. total time: 0.761s
    scottgl@scottgl-A105:~/Desktop/SMG$ fastboot flash boot CG59_0x00000130.smg
    sending 'boot' (8192 KB)...
    OKAY [ 8.800s]
    writing 'boot'...
    OKAY [ 0.697s]
    finished. total time: 9.497s
    4
    what would be the process coming from locked stock _6, would i just flash clock work mod, flash rom.zip then OP's inputs?

    The process of loading the unlocked ramloader is the same regardless of your firmware, even if the bootloader is 'locked'. The ramloader is just that, its written to ram, and so when the phone is reset the code is cleared out of memory. This means to unlock your radio, you don't have to flash anything to your ram, flashing rdl.bin basically just loads the ramloader to executable memory, then jumps to it. I'm still working on figuring out how to use this to chain load a custom recovery.
    4
    Confirmed! I got rid of the aweful 2.3.5 electrify bootloader. Just did this:

    scottgl@scottgl-A105:~/Desktop/SMG_BP011UP$ fastboot flash boot CG59_0x00000130.smg
    sending 'boot' (3294 KB)...
    OKAY [ 0.206s]
    writing 'boot'...
    OKAY [ 0.734s]
    finished. total time: 0.940s
    3
    You can actually unlock the radio with the stock locked bootloader still in place (derpunlock.sbf flashing no longer needed):

    scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$ fastboot flash rdl.bin RDL3_unlocked.smg
    sending 'rdl.bin' (3072 KB)...
    OKAY [ 0.193s]
    writing 'rdl.bin'...
    OKAY [ 0.000s]
    finished. total time: 0.193s
    scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$ fastboot oem unlock
    ...
    (bootloader) Unlocking your device can permanently VOID your warranty.
    (bootloader) This process cannot be reversed. If you wish to proceed,
    (bootloader) reissue the unlock OEM command containing the unique ID
    (bootloader) of your device: XXXXXXXXXXXXXXXX
    OKAY [ 0.006s]
    finished. total time: 0.006s
    scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$ fastboot oem unlock XXXXXXXXXXXXXXXX
    ...
    (bootloader) Device is already unlocked
    OKAY [ 0.003s]
    finished. total time: 0.003s
    scottgl@scottgl-A105:~/Desktop/SMG_derpunlock$
    3

    Looks like the link is dead. However I think I found a way to get it myself. Flashed the 2.3.4 system to my phone and it's downloading the update right now.

    Edit: Ill know if it's the right update in probably about an hour. It is an extremely slow download, they must be severely limiting connections to phones outside of the states.