XDA Developers Android and Mobile Development Forum

[bootloader-XT910] Phone Status: unlocked. ChinaRetail 67.2.120

pedrotorresfilho
#11
Senior Member
Btw. The firmware he used to flash is the same Chinese leak. Had you guys noticed that?

Cheers

Sent from my XT910 using Tapatalk 2
 
farhanito
#12
Senior Member
Indeed.
And it didn't unlock mine

Sent from my XT910 using Tapatalk 2
______________________________________
Spyder --> EndeavorU --> Mako --> d802
 
cellzealot
#13
Senior Member
There are 3 types of Motorola OMAP devices.

S= Secured : a stock production locked bootloader

SE= Secure Engineering : an engineering model that has a signed and secure bootloader that does not perform any other checks on kernel or other components above the bootloader.
For all intents and purposes this is the same as an unlocked bootloader. The OG Droid is an SE device.

NS= Non Secured: a fully open device with no checks performed and no eFuses set or blown on the OMAP chip itself.

It is the mbmloader that contains the encrypted signatures, not the bootloader itself. On dual core devices, the bootloader is the same for all three types and the firmware files contain both NS and HS versions of the mbmloader. There is a separate bootloader that allows flashing of the mbmloader and that checks the ro.secure status of the device and flashes the right mbmloader. Then the bootloader is flashed and the rest of the partitions are subsequently flashed.
CellZealot

TeamBlackHat

Digital alchemy for the Droid and beyond.
 
Skrilax_CZ
(Last edited by Skrilax_CZ; 22nd May 2012 at 03:24 PM.)
#14
Recognized Developer
Quote:
Originally Posted by cellzealot
There are 3 types of Motorola OMAP devices.

S= Secured : a stock production locked bootloader

SE= Secure Engineering : an engineering model that has a signed and secure bootloader that does not perform any other checks on kernel or other components above the bootloader.
For all intents and purposes this is the same as an unlocked bootloader. The OG Droid is an SE device.

NS= Non Secured: a fully open device with no checks performed and no eFuses set or blown on the OMAP chip itself.

It is the mbmloader that contains the encrypted signatures, not the bootloader itself. On dual core devices, the bootloader is the same for all three types and the firmware files contain both NS and HS versions of the mbmloader. There is a separate bootloader that allows flashing of the mbmloader and that checks the ro.secure status of the device and flashes the right mbmloader. Then the bootloader is flashed and the rest of the partitions are subsequently flashed.
Sorry, but except the listing, it's completely wrong.

Indeed, there are three types of devices:
S - Secure (Omap in HS mode)
SE - Secure Engineering (Omap in HS mode) - no sig. checks except mbmloader + BP
NS - Non Secured (Omap in EMU mode) - no sig. checks except part of BP (mbmloader is signed with CSST key)

OG Droid is an S device, OG Droid bootloader doesn't perform security checks at all, only mbmloader is checked by OMAP BootROM.

Even NS have secure part of BP, completely unsecure devices use GP mode for OMAP etc.

S and SE devices share mbmloader and mbm; NS devices have special mbmloader and in most cases mbm too (dunno to be honest, how is it with RAZR, certainly all OMAP3 devices have special NS mbm, just as I use on my Milestone).

"ro.secure" status is used by android, and completely unrelated here. It's whether the OMAP is in HS or EMU mode.

The "allow-mbmloader-flashing" mbm is mbm that allows mbmloader flashing and nothing else. There is also another bootloader to recover the device from USB.

mbmloader doesn't contain any signatures except its own, this is normal chain of trust. mbmloader checks mbm, loads it, which checks the rest.

Anyway, on RAZR the mbm tells "Device is LOCKED / UNLOCKED: Status code: x", where:
x = 0; locked and not unlockable or never been unlocked
x = 1; unlocked (w/o signature checks, except part of the bp)
x = 2; unlockable device, which has been relocked
x = 3; unlockable device, which has been unlocked (signature checks over mbm, mbmloader and cdt + bp)
PRIVATE MESSAGES regarding firmwares / support will NOT BE ANSWERED!

Motorola Photon Q
Bootloader: 10.9B
Firmware: CM 10.2
Nightly Builds: CM10.2

Motorola Droid MAXX
Bootloader: 30.B0
Firmware: CM 10.2
Nightly Builds: CM10.2

Acer Iconia A500
Bootloader: V9 0.03.14-MUL (dualboot + recovery + extfs boot + bootmenu)
Android: TegraOwnders JB-MR1 v13
LUbuntu: 13.04


2nd-init for Locked Bootloaders

Acer Iconia A500 / A501 Patched Bootloader Thread

Motorola Phones Stock Firmwares

You may donate me if you like my work.
The Following 8 Users Say Thank You to Skrilax_CZ For This Useful Post: [ Click to Expand ]
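The check sets listed in post #14, as an added example that is not part of the original posts or any vendor code: a toy model of the chain (each stage is checked before the next runs) showing which tampered images each device class would still boot. HMAC-SHA256 with a constructed key stands in for the real signatures, and the stage name `kernel` (for "the rest"), the stage order and the `status3` label are assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for the vendor signing key
ORDER = ["mbmloader", "mbm", "cdt", "kernel", "bp"]  # "kernel" = "the rest" (assumed)

# Stages whose signature is checked, following the listings in post #14.
CHECKED = {
    "S": set(ORDER),
    "SE": {"mbmloader", "bp"},
    "NS": {"bp"},  # NS mbmloader is signed with a CSST key; that key is not modelled
    "status3": {"mbmloader", "mbm", "cdt", "bp"},
}

def sign(image: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in for the real signature scheme."""
    return hmac.new(KEY, image, hashlib.sha256).digest()

def build_firmware() -> dict:
    """Constructed sample images, each stored together with its tag."""
    images = {name: name.encode() + b"-image-v1" for name in ORDER}
    return {name: (img, sign(img)) for name, img in images.items()}

def tamper(firmware: dict, stage: str) -> dict:
    """Return a copy with one image modified but its old tag kept."""
    copy = dict(firmware)
    image, tag = copy[stage]
    copy[stage] = (image + b"-modified", tag)
    return copy

def boot(firmware: dict, device: str) -> list:
    """Walk the chain in order; stop at the first stage that fails its check."""
    log = []
    for stage in ORDER:
        image, tag = firmware[stage]
        if stage not in CHECKED[device]:
            log.append((stage, "not checked"))
        elif hmac.compare_digest(sign(image), tag):
            log.append((stage, "verified"))
        else:
            log.append((stage, "rejected"))
            break  # a failed link halts everything after it
    return log

def booted(log: list) -> bool:
    """True when no stage in the log was rejected."""
    return all(result != "rejected" for _, result in log)

if __name__ == "__main__":
    for device in CHECKED:
        print(device, boot(tamper(build_firmware(), "kernel"), device))
```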
 
nischalnischal
#15
Senior Member
Thank you for the wonderful info, Skrilax_CZ and Cellzealot. I mean, both enlightened me.
 
BytecodeMe
#16
Senior Member
So you can or can not unlock your boot loader with this? I don't think it's been said clearly.
 
cellzealot
(Last edited by cellzealot; 22nd May 2012 at 04:14 PM.) Reason: corrections
#17
Senior Member
You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!

The OG Droid reports as SE in RSD Lite though, I can assure you.

I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
I also have all of the separate bootloader SBF files for those devices and they come in 3 types.

Consumer_replacer_hs_part is the stock secured mbm

Nonconsumer_replacer_hs_part is the secured engineering mbm

Nonconsumer_replaced is the NS unsecured mbm

The old SBF files never contained the bootloader and the mbmloaders were always updated only by the OTA zips and the discrete bootloader files were rarely ever seen.

The dual core OMAPs with fastboot support work very differently, as pointed out by Skrilax_CZ above.

Anyways, once again, thanks for the detailed clarification. There is very little clear understanding about how this all actually works and I am happy to both contribute what I know and keep learning from others.

CellZealot

TeamBlackHat

Digital alchemy for the Droid and beyond.
 
pedrotorresfilho
#18
Senior Member
Quote:
Originally Posted by cellzealot
You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!

The OG Droid reports as SE in RSD Lite though, I can assure you.

I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
I also have all of the separate bootloader SBF files for those devices and they come in 3 types.

Consumer_replacer_hs_part is the stock secured mbm

Nonconsumer_replacer_hs_part is the secured engineering mbm

Nonconsumer_replaced is the NS unsecured mbm

The old SBF files never contained the bootloader and the mbmloaders were always updated only by the OTA zips and the discrete bootloader files were rarely ever seen.

The dual core OMAPs with fastboot support work very differently, as pointed out by Skrilax_CZ above.

Anyways, once again, thanks for the detailed clarification. There is very little clear understanding about how this all actually works and I am happy to both contribute what I know and keep learning from others.

I've a question for you guys.

Are all dev RAZRs 16G, or is there an 8G version?

I can't formulate this question any better. I'm asking because that sign bypass with p18 was provided by a 16G dev RAZR and I was wondering if it isn't the 'problem' mounting USB mass storage. If so, can some of you PM me with a dd p18 .img for a test?

Thanks

Sent from my XT910 using Tapatalk 2
 
cellzealot
#19
Senior Member
I only have eng models of DX, D2G and Pro with all the associated files for those devices.
We no longer have the access we used to for internal files and devices.
P3droid has a NS status 1 Razr and is able to flash any of the leaked builds available, including the eng builds.
If there is anything he might be able to provide you that you don't already have I can ask him, but we don't have any files for RAZR that are not in the wild.
CellZealot

TeamBlackHat

Digital alchemy for the Droid and beyond.
 
Skrilax_CZ
(Last edited by Skrilax_CZ; 22nd May 2012 at 05:38 PM.)
#20
Recognized Developer
Quote:
Originally Posted by cellzealot
You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!

The OG Droid reports as SE in RSD Lite though, I can assure you.
Don't want to argue, but you're really 100% percent sure about this (for a production unit)? Even the production OG droid mbm is unsigned, and doesn't even contain the security functions - regardless of the fuses status, it won't simply check for signatures. (btw. there is another unlocked BL phone, which is XT701. Unlike OG Droid, it has mbm signed).

Quote:
Originally Posted by cellzealot
I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
I also have all of the separate bootloader SBF files for those devices and they come in 3 types.

Consumer_replacer_hs_part is the stock secured mbm

Nonconsumer_replacer_hs_part is the secured engineering mbm

Nonconsumer_replaced is the NS unsecured mbm
Well yeah, there are three kinds of files, but the "Secure Engineering" version is the same as "Secure" version and just contains mbmloader too, right? Well there is some naming difference between EU and US files over this.

Quote:
Originally Posted by cellzealot
The old SBF files never contained the bootloader and the mbmloaders were always updated only by the OTA zips and the discrete bootloader files were rarely ever seen.
Correct, I'd only add that old OMAP3 devices (without eMMC) never had mbmloader update possibility.