BOUNTY: unlock bootloader for CDMA Moto G at [$250]


jbanti

Senior Member
Aug 17, 2011
496
105
Redmi Note 8 Pro
Guys, finally got news about unlocking the bootloader, must check http://xdaforums.com/showthread.php...oader Unlock EXPLOIT Found!!! (Read This!!!)
 

Enzopreme

Senior Member
Aug 5, 2011
1,161
215
Medford
Guys, finally got news about unlocking the bootloader, must check http://xdaforums.com/showthread.php...oader Unlock EXPLOIT Found!!! (Read This!!!)

I'm a bit confused. What did that have to do with unlocking our devices that cannot be unlocked at all? Your link goes directly to a guy ranting about warranty fraud and its domino effect on the industry.
 

whymoo

Senior Member
Sep 7, 2011
370
188
Moto G bootloader unlock is out: theroot.ninja
Too bad we still have to pay $25, but at least it's $15 cheaper than the China middleman.
$25 seems a little too much considering I got the Moto G for $50 and iPhone jailbreaks are free.
The author should just take the $250 Moto G + $1200 Moto X bounties instead; he could probably earn more.
 

T10NAZ

Senior Member
Jun 9, 2010
790
498
Moto G bootloader unlock is out: theroot.ninja
Too bad we still have to pay $25, but at least it's $15 cheaper than the China middleman.
$25! That's half of what I paid for my Moto G; it seems just a hello to piracy.
The author should just take the $250 Moto G + $1200 Moto X bounties instead; he could probably earn more.
I wonder why all iPhone jailbreaks are free but Sunshine has to be paid for.

It's said that it goes to all the phones that have been damaged in the process and all the fees of actually writing the apps and stuff. I'm not hating, but yes, he should take bounties; though over his Twitter and XDA posts he was not really complaining, I would say, but hated that no one paid up, which is disappointing.

In my eyes a donation page should have been set up to pay what you would like for all of the money drained from writing apps and hosting sites and for all the phones that borked in the process, but that's just me.

But I'm happy that it costs a little more than half, and yes, it'll probably be pirated lol. Hopefully his root method, which the author said he was gaining for 4.4.4, will be free at least. But who knows.

For the iPhones I think it's all donation driven as well, so those guys have it good :)
 

shabbypenguin

Inactive Recognized Developer
May 30, 2010
4,895
5,361
36
It's said that it goes to all the phones that have been damaged in the process and all the fees of actually writing the apps and stuff. I'm not hating, but yes, he should take bounties; though over his Twitter and XDA posts he was not really complaining, I would say, but hated that no one paid up, which is disappointing.

In my eyes a donation page should have been set up to pay what you would like for all of the money drained from writing apps and hosting sites and for all the phones that borked in the process, but that's just me.

But I'm happy that it costs a little more than half, and yes, it'll probably be pirated lol. Hopefully his root method, which the author said he was gaining for 4.4.4, will be free at least. But who knows.

For the iPhones I think it's all donation driven as well, so those guys have it good :)

The problem with setting it to "donations" is that people are cheap and forgetful. I've seen people throw money at copy/paste kernel devs to get them a new phone year after year, only to abandon it for the newest phone because they got that donated to them. They rarely think about the people that brought them the stock files they use when they mess up their phone and save their investment, or the people who port recovery and the teams behind the recoveries, the folks who make it possible to flash all your ROMs/mods/kernels etc.

Obviously the way things were wasn't working out, otherwise they wouldn't have switched to it. Bounties go unpaid by almost half of the people who say they will pay; add to that that this was done by a team, which means the money has to be split. So let's say this $250 bounty: everyone was perfect and paid it, and it was split 3? 4? ways? That means that each of the devs who poured countless hours into it would get about the cost of the CDMA phone to provide an entire community freedom and ensure their devices can last even longer than what official updates will provide.

The Android community is growing and the number of people who donate is IMO staying the same or growing smaller. I've ported recovery to 7+ devices this year, ported CyanogenMod to one, and rooted two more. I had to purchase one of the phones I rooted, but it wasn't in danger of bricking or actual risk. These guys have put some serious time and effort into it, and btw anyone who is trying to pirate it, I'd seriously reconsider unless you don't value your device.
 

T10NAZ

Senior Member
Jun 9, 2010
790
498
The problem with setting it to "donations" is that people are cheap and forgetful. I've seen people throw money at copy/paste kernel devs to get them a new phone year after year, only to abandon it for the newest phone because they got that donated to them. They rarely think about the people that brought them the stock files they use when they mess up their phone and save their investment, or the people who port recovery and the teams behind the recoveries, the folks who make it possible to flash all your ROMs/mods/kernels etc.

Obviously the way things were wasn't working out, otherwise they wouldn't have switched to it. Bounties go unpaid by almost half of the people who say they will pay; add to that that this was done by a team, which means the money has to be split. So let's say this $250 bounty: everyone was perfect and paid it, and it was split 3? 4? ways? That means that each of the devs who poured countless hours into it would get about the cost of the CDMA phone to provide an entire community freedom and ensure their devices can last even longer than what official updates will provide.

The Android community is growing and the number of people who donate is IMO staying the same or growing smaller. I've ported recovery to 7+ devices this year, ported CyanogenMod to one, and rooted two more. I had to purchase one of the phones I rooted, but it wasn't in danger of bricking or actual risk. These guys have put some serious time and effort into it, and btw anyone who is trying to pirate it, I'd seriously reconsider unless you don't value your device.

Yeah, to be completely honest I did hint at people being stingy and not paying, and that's cool that you have ported recoveries and I guess source-built or zip-pushed a Cyano ROM :)

I really don't care about this phone being rooted anyway, since I store a few grand in crypto on my Moto G and don't want that stolen xD. If I want an unlockable phone it looks like I'll be headed for a GPe device or something, so I would have to go through the hassle of paying someone :D
 

shabbypenguin

Inactive Recognized Developer
May 30, 2010
4,895
5,361
36
Yeah, to be completely honest I did hint at people being stingy and not paying, and that's cool that you have ported recoveries and I guess source-built or zip-pushed a Cyano ROM :)

I really don't care about this phone being rooted anyway, since I store a few grand in crypto on my Moto G and don't want that stolen xD. If I want an unlockable phone it looks like I'll be headed for a GPe device or something, so I would have to go through the hassle of paying someone :D

There is only one way to build AOSP and that's by source :p
@Somcom3X has taken over and is now the official CM maintainer for the moto g 4g ;)
 

BBotteron1

Member
Dec 31, 2014
8
0
Payne
Found a fix yet?

It's been a while, so has anyone found a way to unlock the bootloader and root the Moto G 4.4.4 2014 without a middleman? Just received this phone on Black Friday for 29 bucks; if I had known it wasn't unlockable I would have spent an extra 20 and got the other one through Straight Talk :/
 

droidzer1

Senior Member
Oct 28, 2013
592
178
It's been a while, so has anyone found a way to unlock the bootloader and root the Moto G 4.4.4 2014 without a middleman? Just received this phone on Black Friday for 29 bucks; if I had known it wasn't unlockable I would have spent an extra 20 and got the other one through Straight Talk :/

FOUND! The particular Moto G XT-1028 I had could not be rooted by any method I tried (that included about everything) until a couple of days ago, when I found a version of the Kingroot app and it rooted SUCCESSFULLY! If I don't see any other successes here I'll start a thread on it and post the app to root it. This is Kingroot_V4.5.0.803 that worked. Older versions I had tried did not work. I started a thread here and have attached the Kingroot version that worked in that thread: http://xdaforums.com/moto-g/help/moto-g-xt1028-successful-root-t3185109

---------- Post added at 03:14 PM ---------- Previous post was at 03:06 PM ----------

Will this qualify for the root bounty? I will be trying to determine if the bootloader is also unlocked. Working on that right now, since Kingroot is rather automatic and I actually did not expect it would work, so I wasn't even watching it closely until it was done.
I know idone's great Galaxy Tools app may be for Samsungs, but it also works on the Moto G, and as you can see in the attached pic it shows the model of this phone - XT-1028, baseband and so on AND that it has ROOT!
 

Attachment: shot_000004.png (159.1 KB)

TheManii

Wiki Admin / Inactive RC
Dec 8, 2010
3,585
1,651
Will this qualify for the root bounty? I will be trying to determine if the bootloader is also unlocked.

This definitely does not qualify, here's why:

  1. It's temporary, at least if you use Kingroot;
    you can likely permanently install Kingroot/SuperSU/whatever into system and preserve root, but
  2. It doesn't touch the bootloader lock status. Locked bootloaders cannot run a custom recovery (at least on Moto devices) even with root; it'll simply tell you there's a signature mismatch at boot, since official Moto kernels (and recoveries) are signed by Motorola.
  3. Kingroot itself depends on exploit(s) to gain root, unless you already have root and are simply updating the existing install.
    If you update and all the exploits are patched, you can't root until more are found.
  4. 2 and 3 above mean that you are stuck on the current ROM you are on if you want root; you cannot upgrade, nor can you flash a custom ROM, until we have an unlocked bootloader.

The only difference between Kingroot and Framaroot (for example) is that Kingroot has exploits "a", "b", and "c", while Framaroot has "x", "y", and "z". And for the Moto G on KXB21, only exploit "c" works.

What we need is for someone to make an equivalent tool to Sunshine that can unlock the bootloader now that we have temporary root. You can simply buy Sunshine, but it costs $25 per device, and I paid $20 for my Moto G to begin with.
A Sprint model Moto G can be had for $50-80 anyway.

If you're willing to pay to unlock it, you may as well buy a Sprint model XT1031 and convert it to use on VZW; at least then you'll have an official unlock, as the XT1028 and XT1031 are similar enough besides the official bootloader unlock status.
 

TheManii

Wiki Admin / Inactive RC
Dec 8, 2010
3,585
1,651
I only read the first page and the last 5 pages of this thread, though obviously no one has a working solution that is also free, not yet anyway.
So far it seems like the Moto G bootloader (unless otherwise noted, everything below refers to both the XT1028 and XT1031) resembles its N4 and N5 contemporaries:

The lock state is stored in
Code:
/dev/block/platform/msm_sdcc.1/by-name/misc -> /dev/block/mmcblk0p30

The lock state itself is at 0x1503; a value of 0x30 indicates it's currently locked, 0x31 is unlocked.
The tamper flag itself is not stored in misc, as this bit is the only difference between my XT1028, which is locked/untampered,
and my XT1031, which is locked/unlocked and tampered.

As previously seen, the lock state goes from:
  • Status code 0: locked + untampered
  • Status code 1: unlocked + untampered(?) - no way to test this currently
  • Status code 2: locked + tampered
  • Status code 3: unlocked + tampered

You go from code 0 to code 3 by using "fastboot oem unlock <unlock code>" on the XT1031, and "fastboot oem lock begin" followed by "fastboot oem lock" returns you to code 2. As there are no other modified bits in misc from locked -> unlocked -> relocked, there's no way to return to code 0 or code 1.

You can't simply change the contents of misc with root on the Moto G, unlike the N4/N5/etc.; something (possibly some kernel and/or bootloader protection) is preventing you from directly modifying that value.
What I do know is that even inside CWM you still can't directly modify that partition, though I don't actually know if the copy of CWM I used is based on a stock kernel or is CM/QAF based; not that you can even boot it on a locked device.

Unlike the N4/N5/etc., the Moto G bootloader seems to enter a special mode to do the actual unlocking.
Snapdragons definitely have memory (both RAM and NAND) protection, due to the fact that they need to protect multiple decryption keys (DRM media, cellular encryption, etc.), and I wouldn't be surprised at all if this is (at least partly) why I can't directly write to it; there have definitely been exploits in the past to modify protected memory to bypass these restrictions.
Perhaps when it enters unlock/relock mode, that is the only time the bootloader can modify the contents of misc, at least under normal conditions.

I do believe that in the past it has been documented that Snapdragon-based platforms additionally allow/disallow bootloader unlocking by flags/fuses that are not mapped to the partitioned parts of the NAND. As the bootloaders on the XT1028/1031/1032 are (bit-)identical, this is the reason the latter two can be unlocked while the former cannot.

I would assume that Sunshine uses some sort of lower-level firmware exploit to modify the tamper flag and/or flip the bootloader lock bit. If you already had code that can bypass the security restrictions on the secured portions of memory on Snapdragon-based devices, I wouldn't be surprised if it's that simple to make a relock/unlock tool for Moto Gs that have already been unlocked with the unlock code (i.e. switch from mode 2 ↔ 3).

I can't say I know how you would unlock an untampered bootloader; obviously it's possible due to Sunshine already existing, but I don't have any further leads on how exactly they do what they do beyond this, assuming this is even on the right track.

----------------------------------------------------------------------------------------------------------------------

Even if you can only switch from mode 2 ↔ 3, this would still be useful in the same way that it's useful for Nexus devices: to both have a custom/modified ROM and also have a way to secure user data. A custom ROM is not by definition any less secure than a stock ROM, but the ability to load a custom recovery can allow you to bypass security and read user data (either online or offline, depending on data encryption).

Additionally, you can re-unlock a Nexus without wiping data. The Moto G requires you to flash a signed Motorola ROM before it will let you relock, so you cannot have any changes while also being safe from offline attacks.
 
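A read-only way to check the lock byte the post above describes, as an added example that is not part of the original thread or any poster's code. It assumes exactly what the post states (offset 0x1503 in misc, 0x30 locked / 0x31 unlocked, tamper flag kept outside misc) and builds its own constructed sample images; the diff helper shows how one would confirm the "only that byte changes between locked, unlocked and relocked" observation from two dumps. Point it at a dump taken with dd from the by-name/misc path quoted above; nothing is ever written back to the device.

```python
"""Read-only check of the bootloader lock byte in a Moto G 'misc' dump.

Added example for this thread; not code posted by TheManii or anyone else here.
Assumptions (taken from the post above, not verified elsewhere):
  - the lock state lives at offset 0x1503 of the misc partition
  - 0x30 ('0') means locked, 0x31 ('1') means unlocked
  - the tamper flag is NOT kept in misc, so it is supplied separately
    (e.g. from `fastboot getvar iswarrantyvoid`)
The images built by make_sample_misc() are constructed, not real dumps.

Dump the partition on a rooted device (read-only, nothing is written back):
    dd if=/dev/block/platform/msm_sdcc.1/by-name/misc of=/sdcard/misc.img
"""
from __future__ import annotations
import sys

LOCK_OFFSET = 0x1503           # from the post above; an assumption for other builds
LOCKED, UNLOCKED = 0x30, 0x31  # ASCII '0' / '1'

STATUS_NAMES = {
    0: "locked + untampered",
    1: "unlocked + untampered",
    2: "locked + tampered",
    3: "unlocked + tampered",
}


def lock_byte(image: bytes) -> int:
    """Return the raw byte at the lock offset, refusing truncated dumps."""
    if len(image) <= LOCK_OFFSET:
        raise ValueError(f"image is {len(image)} bytes, need more than {LOCK_OFFSET:#x}")
    return image[LOCK_OFFSET]


def lock_state(image: bytes) -> str:
    """Decode the lock byte; anything other than 0x30/0x31 is reported, not guessed."""
    b = lock_byte(image)
    if b == LOCKED:
        return "locked"
    if b == UNLOCKED:
        return "unlocked"
    return f"unknown ({b:#04x})"


def status_code(unlocked: bool, tampered: bool) -> int:
    """Map the two flags onto the thread's status codes 0..3."""
    return (2 if tampered else 0) + (1 if unlocked else 0)


def diff_offsets(before: bytes, after: bytes) -> list[int]:
    """Offsets where two dumps of the same partition differ.

    Run on misc dumped before and after 'fastboot oem unlock' / 'oem lock' to
    verify the claim that only the lock byte changes between the states.
    """
    if len(before) != len(after):
        raise ValueError("dumps differ in length; compare images of the same partition")
    return [i for i, (x, y) in enumerate(zip(before, after)) if x != y]


def make_sample_misc(lock: int, size: int = 0x2000) -> bytes:
    """Constructed sample image: zero-filled with only the lock byte set."""
    buf = bytearray(size)
    buf[LOCK_OFFSET] = lock
    return bytes(buf)


def report(image: bytes, tampered: bool) -> str:
    """Human-readable one-liner combining the misc byte with the external tamper flag."""
    state = lock_state(image)
    if state not in ("locked", "unlocked"):
        return f"lock byte at {LOCK_OFFSET:#x}: {state}"
    code = status_code(state == "unlocked", tampered)
    return f"lock byte at {LOCK_OFFSET:#x}: {state}; status code {code} ({STATUS_NAMES[code]})"


if __name__ == "__main__":
    # usage: python misc_lock.py misc.img [tampered]    (no file -> constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print(report(data, tampered=(len(sys.argv) > 2 and sys.argv[2] == "tampered")))
    else:
        locked_img = make_sample_misc(LOCKED)
        unlocked_img = make_sample_misc(UNLOCKED)
        print(report(locked_img, tampered=False))
        print(report(unlocked_img, tampered=True))
        print("changed offsets:", [hex(o) for o in diff_offsets(locked_img, unlocked_img)])
```

The tamper flag is passed in rather than read from the image because the post says it is not in misc; reading it from the wrong place would silently produce the wrong status code. Treat a byte other than 0x30/0x31 as a sign the offset assumption does not hold for your build, not as a third state.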

Guicrith

Senior Member
Jul 25, 2012
118
24
I was able to flash misc with 0x31 with dd and Kingroot; it didn't unlock my bootloader though, just set qe: to 1/1 instead of 0/1.

PuffedCheek:~ Hoppy$ fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 4113
(bootloader) product: falcon
(bootloader) secure: yes
(bootloader) hwrev: 0x83C0
(bootloader) radio: 0x3
(bootloader) emmc: 8GB Toshiba REV=06 PRV=51 TYPE=17
(bootloader) ram: 1024MB Samsung S4 SDRAM DIE=4Gb
(bootloader) cpu: MSM8626 CS
(bootloader) serialno: TA8810ANIQ
(bootloader) cid: 0x0002
(bootloader) channelid: 0x00
(bootloader) uid: 8B255E020F000000000000000000
(bootloader) unlocked: no
(bootloader) iswarrantyvoid: no
(bootloader) mot_sst: 0
(bootloader) max-download-size: 536870912
(bootloader) reason: Reboot mode set to fastboot
(bootloader) imei:
(bootloader) meid:
(bootloader) date:
(bootloader) sku:
(bootloader) iccid:
(bootloader) cust_md5:
(bootloader) max-sparse-size: 268435456
(bootloader) current-time: "Thu Jan 7 20:28:25 UTC 2016"
(bootloader) ro.build.fingerprint[0]: motorola/falcon_verizon/falcon_cdm
(bootloader) ro.build.fingerprint[1]: a:4.4.4/KXB21.14-L1.41/42:user/rel
(bootloader) ro.build.fingerprint[2]: ease-keys
(bootloader) ro.build.version.full[0]: Blur_Version.210.12.41.falcon_cdm
(bootloader) ro.build.version.full[1]: a.Verizon.en.US
(bootloader) ro.build.version.qcom[0]: AU_LINUX_ANDROID_LNX.LA.3.5.1_RB1
(bootloader) ro.build.version.qcom[1]: .04.04.02.048.020
(bootloader) version-baseband:
(bootloader) kernel.version[0]: Linux version 3.4.42-gaf6580c (hudsoncm@
(bootloader) kernel.version[1]: ilclbld54) (gcc version 4.7 (GCC) ) #1 S
(bootloader) kernel.version[2]: MP PREEMPT Wed Jun 25 01:50:02 CDT 2014
(bootloader) sdi.git: git=MBM-NG-V41.13-0-gdc5aeaf
(bootloader) sbl1.git: git=MBM-NG-V41.13-0-g683cb0c
(bootloader) rpm.git: git=MBM-NG-V41.13-0-g71b1aae
(bootloader) tz.git: git=MBM-NG-V41.13-0-ga27c415
(bootloader) aboot.git: git=MBM-NG-V41.13-0-g7dc8e78
(bootloader) qe: qe 1/1
(bootloader) ro.carrier: Dev
all: listed above
finished. total time: 0.065s
PuffedCheek:~ Hoppy$

The unlock status is most likely stored in /dev/blocks/***/cid

I dumped my cid and it has all the unlock data that you get with "fastboot oem get_unlock_data" in it: device type (e.g. XT10**), serial number, along with some Motorola certificates.

What we should try is to get the cid partition of someone who has an unlock code, flash it, then "fastboot oem unlock <key>" with their key, then flash back our cid.

Could someone who's unlocked post their cid partition and unlock key here for me to test?
(Had this phone 2 years, still can't do what I want with it (overclock and run PC Linux w/ minimal X server, RetroArch on it), so I will be a guinea pig)

My cid partition:
 

Attachment: cid.img (128 KB)
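As an added example (not code from Guicrith or anyone else in the thread), a small parser for the "fastboot getvar all" output posted above. It reassembles the values fastboot splits across ro.build.fingerprint[0..2] and pulls out the fields relevant to lock state (secure, unlocked, iswarrantyvoid, cid, qe), mapping them onto TheManii's status-code table from earlier in the thread. The embedded sample is trimmed from the dump in the post (serial, uid and the other identifiers are left out); everything else is an assumption about fastboot's text format, which prints each variable as "(bootloader) name: value".

```python
"""Parse `fastboot getvar all` output and summarise the bootloader lock fields.

Added example for this thread; not code posted by Guicrith or anyone else here.
fastboot prints one '(bootloader) name: value' line per variable (on stderr,
so capture with `fastboot getvar all 2>&1`). Long values are split into
name[0], name[1], ... segments and need to be joined in index order.
SAMPLE_OUTPUT is trimmed from the getvar dump in the post above.
"""
from __future__ import annotations
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
(bootloader) version-bootloader: 4113
(bootloader) product: falcon
(bootloader) secure: yes
(bootloader) cid: 0x0002
(bootloader) unlocked: no
(bootloader) iswarrantyvoid: no
(bootloader) mot_sst: 0
(bootloader) imei:
(bootloader) ro.build.fingerprint[0]: motorola/falcon_verizon/falcon_cdm
(bootloader) ro.build.fingerprint[1]: a:4.4.4/KXB21.14-L1.41/42:user/rel
(bootloader) ro.build.fingerprint[2]: ease-keys
(bootloader) aboot.git: git=MBM-NG-V41.13-0-g7dc8e78
(bootloader) qe: qe 1/1
all: listed above
finished. total time: 0.065s
"""

# name runs up to the first colon; the value may be empty (e.g. 'imei:')
_LINE = re.compile(r"^\(bootloader\) ([^:]+):\s?(.*)$")
_INDEXED = re.compile(r"^(.+)\[(\d+)\]$")


def parse_getvar(text: str) -> dict[str, str]:
    """Return {name: value}; name[n] segments are concatenated in index order."""
    flat: dict[str, str] = {}
    parts: dict[str, dict[int, str]] = defaultdict(dict)
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # 'all: listed above', 'finished. ...' and any other noise
        name, value = m.group(1), m.group(2)
        idx = _INDEXED.match(name)
        if idx:
            parts[idx.group(1)][int(idx.group(2))] = value
        else:
            flat[name] = value
    for name, segs in parts.items():
        flat[name] = "".join(segs[i] for i in sorted(segs))
    return flat


def lock_summary(vars: dict[str, str]) -> dict:
    """Pick out the lock-relevant variables and derive the thread's status code.

    Status codes follow TheManii's table: 0 locked+untampered, 1 unlocked+untampered,
    2 locked+tampered, 3 unlocked+tampered. 'iswarrantyvoid' is taken as the
    tamper flag (assumption based on the thread, not on Motorola documentation).
    """
    unlocked = vars.get("unlocked", "").strip().lower() == "yes"
    tampered = vars.get("iswarrantyvoid", "").strip().lower() == "yes"
    return {
        "secure_boot": vars.get("secure"),
        "unlocked": unlocked,
        "tampered": tampered,
        "status_code": (2 if tampered else 0) + (1 if unlocked else 0),
        "cid": vars.get("cid"),
        "qe": vars.get("qe"),
        "build": vars.get("ro.build.fingerprint"),
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for k, v in lock_summary(parse_getvar(text)).items():
        print(f"{k:12} {v}")
```

Pipe real output in with "fastboot getvar all 2>&1 | python getvar_lock.py"; with no stdin it runs on the embedded sample, which parses to status code 0 (locked, untampered) for the XT1028 above.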

billa

Senior Member
Mar 30, 2006
862
387
I was able to flash misc with 0x31 with dd and Kingroot; it didn't unlock my bootloader though, just set qe: to 1/1 instead of 0/1.

I dumped my cid and it has all the unlock data that you get with "fastboot oem get_unlock_data" in it: device type (e.g. XT10**), serial number, along with some Motorola certificates.

What we should try is to get the cid partition of someone who has an unlock code, flash it, then "fastboot oem unlock <key>" with their key, then flash back our cid.

Could someone who's unlocked post their cid partition and unlock key here for me to test?
(Had this phone 2 years, still can't do what I want with it (overclock and run PC Linux w/ minimal X server, RetroArch on it), so I will be a guinea pig)

My cid partition:

The bootloader unlock is most likely tied to a hardware ID such as serial, MAC, IMEI, etc., so it's not as easy as just flashing an unlocked CID copy.
There's more to this madness.
 

Top Liked Posts

  • Requirements to Receive Bounty
    To earn the bounty, you simply have to find the exploit which will allow the following. You do not have to develop a recovery, a kernel or a ROM, but you must provide a working proof of concept, i.e. a way which allows us to verify that the bootloader has been completely unlocked and that other developers can use this method to install recovery, kernel and ROMs.

    Other owners of the Moto G XT1028 will then test your method; we give the bounty to whoever earns it after we successfully test.

    WE HAVE $250 for an unlocked bootloader and $60 for ROOT
  • I'll pledge $120 for unlocked bootloader
  • Put me down for 20

    We need this, I miss Xposed
  • Oh "LOOK", a couple XT1028 users... I thought I was the only one on XDA with the 1028... adore this device, worth every cent..

    Sent from my 4.3_14.14.14
    (Unlocked) XT1028 Moto G
    http://waynekent.com/page6.html

    This whole thread is ABOUT the XT1028

    Sent from my XT1028 using Tapatalk
  • Okay, this thread has been around a while; it's time I start taking names and pledges, like the post above this one. IF you want to participate, state how much you'll be willing to dish out to the cause.

    lightningdude: thank you for being active in all of this