[DEV][INFO] ReservedOdm, 4G, Unlocking and Downgrading

OP Lightsword1942

12th May 2012, 08:12 PM   |  #1  
OP Senior Member
I figured it was about time I do a write up about everything we know about ReservedOdm and its relation to 4G, downgrading and unlocking. For an overview of what ReservedOdm is you can look to this post on the Atrix forum. Essentially ReservedOdm is a one time programmable fuse that is responsible for storing a number of values which relate to Unlock State and OS version.

Now for a few interesting things that we have found out. The unlocked bootloader itself does not seem to care about any values other than the 4 you see at the end of many of the below strings. This appears to be a flag that indicates whether or not the bootloader has gone through the fastboot oem unlock process. I will note that merely having the unlocked bootloader flashed does not break 4G on our phones, but having it actually unlocked does.

It would appear that it is possible for ReservedOdm values to be written by both the bootloader and the main OS. This was found out because when people flashed ROMs based on the leaked photon OTA (with bootloader stripped) their phones would have a ReservedOdm value change that would prevent them from flashing any pre-2.3.5 SBF (pudding still works). It is suspected that the 2.3.5 boot.img is capable of writing these values, since the fuses only changed when using the leaked 2.3.5 boot.img and not with 2.3.5 leak based ROMs that were repacked with an older boot.img.

It would appear that the leaked boot.img does not always change the fuse values, but it has happened to some.

The 2.3.5 pudding file that was posted in the unlock thread seems to write a locked 2.3.5 bootloader which prevents both pudding and the unlocked bootloader from being flashed. It has no use and should never be flashed since all it does is lock phones up.

Since the pudding bootloader seems to be able to be flashed with any ReservedOdm value (but not any bootloader), it may still be possible to unlock phones if we can find a way to bypass the bootloader checks on the 2.3.5 bootloaders.

The easiest way to tell if you can unlock is to look at the 3rd non-zero ReservedOdm value. If it is 1 it should be possible to unlock. However if it is 3 it will not be. The 2.3.5 bootloader appears to read this value and will give a sec_exception error if you are trying to flash an older bootloader if the value is 3.

The 2.3.4 SBFs however appear to check the ReservedOdm values and will fail if they are not correct.

I figure I might as well comment on this thread here. From what I can tell this is of no use to us since all the signature checks are respected when you do "fastboot flash rdl.bin". Essentially if you can ramload the rdl you can also flash the pudding file in RSD lite, and if you can't in RSD you also can't here. For electrify users this may be useful under extremely limited circumstances, apparently it can be used to flash pudding from the bootloader of phones shipped with 2.3.5 but not those that have used an OTA. For more info download this.


Recorded Values
Code:
10000000000030001000100004000-photon tried to flash photon 2.3.5 eng? currently unlocked but can't flash normal SBF
10000000000010001000100004000-standard unlocked photon
10000000000010001000100000000-standard locked photon
10000000000010001000100004000-standard unlocked electrify
30000000000030003000100004000-electrify stuck on 2.3.5 previously unlocked bootloader
1000000000003000100004000-electrify stuck on 2.3.5 unlocked bootloader previously installed
20000000000020003000100000000-photon attempted to flash wrong pudding file(2.3.5 testing one)
20000000000030003000100000000-above photon after flashing 2.3.5 electrify SBF
10000000000030003000100004000-photon with 2.3.5 OTA previously unlocked
10000000000030001000100004000-photon with 2.3.5 OTA installed without bootloader(can't downgrade but can unlock)
30000000000030003000100000000 Electrify who performed OTA update to 2.3.5 and now stuck never unlocked
20000000000020001000100004000-Electrify shipped with 2.3.5(unlocked using ramload workaround)
30000000000030002000100000000-Photon with 2.3.5 OTA soak
10000000000010001000100000000-GSM photon on 2.3.5 unknown origin
10000000000010000000100000000-Stock KDDI Photon non-unlocked
10000000000010001000100004000-Unlocked KDDI Photon
20000000000020000000100000000-2.3.5 electrify locked(try modified unlock method from above)
If anyone wants to read their ReservedOdm value simply run from adb:
Code:
adb shell
su
cat /sys/firmware/fuse/ReservedOdm
please post the output if it differs from anything in my list.
Last edited by Lightsword1942; 25th April 2013 at 06:30 PM.
The Following 18 Users Say Thank You to Lightsword1942 For This Useful Post: [ View ]
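The rule of thumb from the first post, applied to a few of the values recorded there. This is an added example, not part of the original post; the function names are hypothetical, and reading the unlock flag as a trailing "4000" is an assumption based on the recorded values.

```python
# Added example: the post's rule of thumb applied to ReservedOdm strings.
# Function names are hypothetical; the sample values are copied from the
# "Recorded Values" list in the post.

RULE = {"1": "unlock should be possible", "3": "unlock will not be possible"}


def third_nonzero(value):
    """Return the 3rd non-zero digit of a ReservedOdm string, or None."""
    digits = [c for c in value if c != "0"]
    return digits[2] if len(digits) >= 3 else None


def classify(raw):
    """Classify one line as read from /sys/firmware/fuse/ReservedOdm."""
    value = raw.strip()
    # Assumption: the fuse value is printed as decimal digits only,
    # as in every recorded value in the post.
    if not value.isdigit():
        raise ValueError("expected a string of digits: %r" % raw)
    third = third_nonzero(value)
    return {
        "third_nonzero": third,
        # Digits other than 1 or 3 are not covered by the post's rule.
        "verdict": RULE.get(third, "not covered by the rule"),
        # Assumption: the unlock flag is the 4 in a trailing "4000".
        "unlock_flag": value.endswith("4000"),
    }


SAMPLES = [
    ("10000000000010001000100004000", "standard unlocked photon"),
    ("10000000000010001000100000000", "standard locked photon"),
    ("10000000000030001000100004000", "photon, 2.3.5 OTA without bootloader"),
    ("30000000000030003000100000000", "electrify stuck after 2.3.5 OTA"),
    ("30000000000030002000100000000", "photon with 2.3.5 OTA soak"),
]

if __name__ == "__main__":
    for value, label in SAMPLES:
        result = classify(value)
        print("%s  %-38s third=%s flag=%-5s %s" % (
            value, label, result["third_nonzero"],
            result["unlock_flag"], result["verdict"]))
```
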
13th May 2012, 12:56 AM   |  #2  
Senior Member
30000000000030003000100000000 Electrify who performed OTA update to 2.3.5 and now stuck with locked bl

---------- Post added at 05:56 PM ---------- Previous post was at 05:50 PM ----------

I would also like to say, Lightsword, that when I fastboot flash RDL3_unlocked_electrify.smg, my phone blinks, then has a steady moto logo with no messages. (Unlike other things I flash, where I get an error message.) I tried oem unlock next but it doesn't do anything on the phone and DOS says the typical message. FYI
13th May 2012, 01:23 AM   |  #3  
OP Senior Member
Quote:
Originally Posted by phince1

30000000000030003000100000000 Electrify who performed OTA update to 2.3.5 and now stuck with locked bl

---------- Post added at 05:56 PM ---------- Previous post was at 05:50 PM ----------

I would also like to say, Lightsword, that when I fastboot flash RDL3_unlocked_electrify.smg, my phone blinks, then has a steady moto logo with no messages. (Unlike other things I flash, where I get an error message.) I tried oem unlock next but it doesn't do anything on the phone and DOS says the typical message. FYI

What SBF was that smg file pulled from? Was it the one I posted?
13th May 2012, 01:31 AM   |  #4  
Senior Member
I think so, maybe the engineering sbf??? It's somewhere in that long post we were working from...
13th May 2012, 01:33 AM   |  #5  
OP Senior Member
Quote:
Originally Posted by phince1

I think so, maybe the engineering sbf??? It's somewhere in that long post we were working from...

Ok, I think that was pulled from the 2.3.5 SBF most likely, basically just ramloading the locked bootloader. Doesn't really help us much though.
13th May 2012, 08:49 PM   |  #6  
Lokifish Marz
Recognized Contributor / Recognized Developer
Hope this helps;
Previously unlocked Photon
flashed 198_6 SBF
flashed 2.3.5 leak, minus ap20bl.img
unlocked using derpunlock
flashed CWM5 recovery

Baseband is now N_01.28.10R
ODM matches the following:
10000000000010001000100004000-standard unlocked photon
13th May 2012, 08:51 PM   |  #7  
OP Senior Member
Quote:
Originally Posted by Lokifish Marz

Hope this helps;
Previously unlocked Photon
flashed 198_6 SBF
flashed 2.3.5 leak, minus ap20bl.img
unlocked using derpunlock
flashed CWM5 recovery

Baseband is now N_01.28.10R
ODM matches the following:
10000000000010001000100004000-standard unlocked photon

Do you know if the 2.3.5 leak you flashed has the original leaked boot.img?
13th May 2012, 09:05 PM   |  #8  
Lokifish Marz
Recognized Contributor / Recognized Developer
Quote:
Originally Posted by Lightsword1942

Do you know if the 2.3.5 leak you flashed has the original leaked boot.img?

All I did to the original leak was remove the AP20 bootloader and any script lines referencing it. I just remembered that I have since flashed joker's 1.3 kernel but other than that there have been no changes that should affect ODM data.
Last edited by Lokifish Marz; 13th May 2012 at 09:18 PM.
14th May 2012, 01:06 AM   |  #9  
OP Senior Member
Quote:
Originally Posted by Lokifish Marz

All I did to the original leak was remove the AP20 bootloader and any script lines referencing it. I just remembered that I have since flashed joker's 1.3 kernel but other than that there have been no changes that should affect ODM data.

I had a look at the files and the leaked boot.img does seem to be present in both. Maybe it only writes the value under certain conditions.
15th May 2012, 03:21 AM   |  #10  
Senior Member
So no idea on overwriting the bootloader?

Sent from my Motorola Electrify using Xparent Blue Tapatalk 2
