
[DEV][INFO] ReservedOdm, 4G, Unlocking and Downgrading

 
Lightsword1942
(Last edited by Lightsword1942; 25th April 2013 at 05:30 PM.)
#1  
Senior Member - OP
Thanks Meter 116
Posts: 453
Join Date: Apr 2010

 

I figured it was about time I do a write-up about everything we know about ReservedOdm and its relation to 4G, downgrading and unlocking. For an overview of what ReservedOdm is you can look to this post on the Atrix forum. Essentially ReservedOdm is a one-time programmable fuse that is responsible for storing a number of values which relate to Unlock State and OS version.

Now for a few interesting things that we have found out. The unlocked bootloader itself does not seem to care about any values other than the 4 you see at the end of many of the below strings. This appears to be a flag that indicates whether or not the bootloader has gone through the fastboot oem unlock process. I will note that merely having the unlocked bootloader flashed does not break 4G on our phones, but having it actually unlocked does.

It would appear that it is possible for ReservedOdm values to be written by both the bootloader and the main OS. This was found out because when people flashed ROMs based on the leaked Photon OTA (with bootloader stripped) their phones would have a ReservedOdm value change that would prevent them from flashing any pre-2.3.5 SBF (pudding still works). It is suspected that the 2.3.5 boot.img is capable of writing these values, since the fuses only changed when using the leaked 2.3.5 boot.img and not with 2.3.5 leak based ROMs that were repacked with an older boot.img.

It would appear that the leaked boot.img does not always change the fuse values, but it has happened to some.

The 2.3.5 pudding file that was posted in the unlock thread seems to write a locked 2.3.5 bootloader which prevents both pudding and the unlocked bootloader from being flashed. It has no use and should never be flashed since all it does is lock phones up.

Since the pudding bootloader seems to be able to be flashed with any ReservedOdm value (but not any bootloader), it may still be possible to unlock phones if we can find a way to bypass the bootloader checks on the 2.3.5 bootloaders.

The easiest way to tell if you can unlock is to look at the 3rd non-zero ReservedOdm value. If it is 1 it should be possible to unlock. However if it is 3 it will not be. The 2.3.5 bootloader appears to read this value and will give a sec_exception error if you are trying to flash an older bootloader if the value is 3.

The 2.3.4 SBFs however appear to check the ReservedOdm values and will fail if they are not correct.

I figure I might as well comment on this thread here. From what I can tell this is of no use to us since all the signature checks are respected when you do "fastboot flash rdl.bin". Essentially if you can ramload the RDL you can also flash the pudding file in RSD Lite, and if you can't in RSD you also can't here. For Electrify users this may be useful under extremely limited circumstances; apparently it can be used to flash pudding from the bootloader of phones shipped with 2.3.5 but not those that have used an OTA. For more info download this.


Recorded Values
Code:
10000000000030001000100004000-photon tried to flash photon 2.3.5 eng? currently unlocked but can't flash normal SBF
10000000000010001000100004000-standard unlocked photon
10000000000010001000100000000-standard locked photon
10000000000010001000100004000-standard unlocked electrify
30000000000030003000100004000-electrify stuck on 2.3.5 previously unlocked bootloader
1000000000003000100004000-electrify stuck on 2.3.5 unlocked bootloader previously installed
20000000000020003000100000000-photon attempted to flash wrong pudding file(2.3.5 testing one)
20000000000030003000100000000-above photon after flashing 2.3.5 electrify SBF
10000000000030003000100004000-photon with 2.3.5 OTA previously unlocked
10000000000030001000100004000-photon with 2.3.5 OTA installed without bootloader(can't downgrade but can unlock)
30000000000030003000100000000 Electrify who performed OTA update to 2.3.5 and now stuck never unlocked
20000000000020001000100004000-Electrify shipped with 2.3.5(unlocked using ramload workaround)
30000000000030002000100000000-Photon with 2.3.5 OTA soak
10000000000010001000100000000-GSM photon on 2.3.5 unknown origin
10000000000010000000100000000-Stock KDDI Photon non-unlocked
10000000000010001000100004000-Unlocked KDDI Photon
20000000000020000000100000000-2.3.5 electrify locked(try modified unlock method from above)
If anyone wants to read their ReservedOdm value simply run from adb:
Code:
adb shell
su
cat /sys/firmware/fuse/ReservedOdm
Please post the output if it differs from anything in my list.
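The rules of thumb from the first post (the trailing 4 as the unlock flag, and the third non-zero value being 1 or 3) applied to a few of the recorded values, as an added example that is not part of the original thread. The function name, the verdict strings, the hex-digit check and the length check against the "standard unlocked photon" value are assumptions made for the illustration.

```python
# Added example: interprets ReservedOdm readings with the rules of thumb from the post.
REFERENCE = "10000000000010001000100004000"  # "standard unlocked photon" from the list
EXPECTED_LEN = len(REFERENCE)  # assumption: a complete reading has this length

VERDICTS = {"1": "unlock should be possible", "3": "unlock blocked"}


def classify(raw):
    """Return a dict describing one ReservedOdm reading."""
    value = raw.strip()
    info = {"value": value, "unlock_flag": None, "third_nonzero": None}
    # Assumption: a reading is a plain run of hex digits and nothing else.
    if not value or any(c not in "0123456789abcdefABCDEF" for c in value):
        info["verdict"] = "unreadable"
        return info
    if len(value) != EXPECTED_LEN:
        # Like the shorter entry in the list: do not guess which digits are missing.
        info["verdict"] = "unexpected length"
        return info
    # "The 4 you see at the end": present once fastboot oem unlock has been run.
    info["unlock_flag"] = value.endswith("4000")
    # Third non-zero value, counted left to right as the post describes.
    nonzero = [c for c in value if c != "0"]
    info["third_nonzero"] = nonzero[2] if len(nonzero) >= 3 else None
    # The post only covers 1 and 3; anything else is reported as not covered.
    info["verdict"] = VERDICTS.get(info["third_nonzero"], "not covered by the post")
    return info


# Readings copied from the recorded-values list in the post.
SAMPLES = [
    "10000000000010001000100004000",  # standard unlocked photon
    "10000000000010001000100000000",  # standard locked photon
    "30000000000030003000100000000",  # Electrify after 2.3.5 OTA, never unlocked
    "30000000000030002000100000000",  # Photon with 2.3.5 OTA soak
    "1000000000003000100004000",      # shorter entry from the list
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = classify(sample)
        print(r["value"], "| flag:", r["unlock_flag"],
              "| third:", r["third_nonzero"], "|", r["verdict"])
```

To check a device, paste the output of `cat /sys/firmware/fuse/ReservedOdm` into `classify()`.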
 
phince1
#2  
Senior Member
Thanks Meter 2
Posts: 112
Join Date: Nov 2010
Location: IOWA
30000000000030003000100000000 Electrify who performed OTA update to 2.3.5 and now stuck with locked bl

---------- Post added at 05:56 PM ---------- Previous post was at 05:50 PM ----------

I would also like to say, Lightsword, that when I fastboot flash RDL3_unlocked_electrify.smg, my phone blinks, then has a steady Moto logo with no messages. (Unlike other things I flash, I get an error message) I tried oem unlock next but it doesn't do anything on the phone and DOS says the typical message. FYI
USC Samsung Galaxy S 3
 
Lightsword1942
#3
Quote:
Originally Posted by phince1
30000000000030003000100000000 Electrify who performed OTA update to 2.3.5 and now stuck with locked bl

---------- Post added at 05:56 PM ---------- Previous post was at 05:50 PM ----------

I would also like to say, Lightsword, that when I fastboot flash RDL3_unlocked_electrify.smg, my phone blinks, then has a steady Moto logo with no messages. (Unlike other things I flash, I get an error message) I tried oem unlock next but it doesn't do anything on the phone and DOS says the typical message. FYI
What SBF was that smg file pulled from? Was it the one I posted?
 
phince1
#4
I think so, maybe the engineering sbf??? It's somewhere in that long post we were working from...
 
Lightsword1942
#5
Quote:
Originally Posted by phince1
I think so, maybe the engineering sbf??? It's somewhere in that long post we were working from...
Ok, I think that was pulled from the 2.3.5 SBF most likely, basically just ramloading the locked bootloader. Doesn't really help us much though.
 
Lokifish Marz
#6
Recognized Contributor / Recognized Developer
Thanks Meter 3250
Posts: 3,133
Join Date: Mar 2011
Location: Olympus Mons, Mars

 
Hope this helps;
Previously unlocked Photon
flashed 198_6 SBF
flashed 2.3.5 leak, minus ap20bl.img
unlocked using derpunlock
flashed CWM5 recovery

Baseband is now N_01.28.10R
ODM matches the following:
10000000000010001000100004000-standard unlocked photon
Ubuntop- U4A/Webtop hybrid for all Tegra2 Motorola phones (Fully integrated Ubuntu Desktop)
Live ROM (One "ROM" over 12 phones) (Featured on XDA Portal and multiple other sites around the world and as base by many devs)
Imperium Initiative Photon (used as base by many Photon devs)
Imperium Initiative LS970 (used as base by many LS970 devs)
Imperium Agent LS970 (LS970 version of Live ROM)
Evo Desktop PC (Featured on XDA Portal and multiple other sites around the world)
(Nexus Q)uantum Singularity Project (Media Center, File Server, Website Server, LinuxonAndroid in little black ball of joy)
Umeox x201 EnSec Enhanced Security Patch and Live ROM Installer (used by multiple devs world wide on over 6 different models/versions of x201's)
Every Android device I've owned since the Hero- Media Center, File Server, Website Server
 
Lightsword1942
#7
Quote:
Originally Posted by Lokifish Marz
Hope this helps;
Previously unlocked Photon
flashed 198_6 SBF
flashed 2.3.5 leak, minus ap20bl.img
unlocked using derpunlock
flashed CWM5 recovery

Baseband is now N_01.28.10R
ODM matches the following:
10000000000010001000100004000-standard unlocked photon
Do you know if the 2.3.5 leak you flashed has the original leaked boot.img?
 
Lokifish Marz
(Last edited by Lokifish Marz; 13th May 2012 at 08:18 PM.)
#8  
Quote:
Originally Posted by Lightsword1942
Do you know if the 2.3.5 leak you flashed has the original leaked boot.img?
All I did to the original leak was remove the AP20 bootloader and any script lines referencing it. I just remembered that I have since flashed joker's 1.3 kernel but other than that there have been no changes that should affect ODM data.
 
Lightsword1942
#9
Quote:
Originally Posted by Lokifish Marz
All I did to the original leak was remove the AP20 bootloader and any script lines referencing it. I just remembered that I have since flashed joker's 1.3 kernel but other than that there have been no changes that should affect ODM data.
I had a look at the files and the leaked boot.img does seem to be present in both. Maybe it only writes the value under certain conditions.
 
phince1
#10
So no idea on overwriting the bootloader?

Sent from my Motorola Electrify using Xparent Blue Tapatalk 2