[bootloader-XT910] Phone Status: unlocked. ChinaRetail 67.2.120

OP mattlgroff

22nd May 2012, 02:57 PM   |  #11  
pedrotorresfilho
Btw, the firmware he used to flash is the same Chinese leak. Had you guys noticed that?

Cheers

Sent from my XT910 using Tapatalk 2
22nd May 2012, 03:24 PM   |  #12  
farhanito
Indeed.
And it didn't unlock mine

Sent from my XT910 using Tapatalk 2
22nd May 2012, 03:28 PM   |  #13  
There are 3 types of Motorola OMAP devices.

S= Secured : a stock production locked bootloader

SE= Secure Engineering : an engineering model that has a signed and secure bootloader that does not perform any other checks on kernel or other components above the bootloader.
For all intents and purposes this is the same as an unlocked bootloader. The OG Droid is an SE device.

NS= Non Secured: a fully open device with no checks performed and no eFuses set or blown on the OMAP chip itself.

It is the mbmloader that contains the encrypted signatures, not the bootloader itself. On dual core devices, the bootloader is the same for all three types and the firmware files contain both NS and HS versions of the mbmloader. There is a separate bootloader that allows flashing of the mbmloader and that checks the ro.secure status of the device and flashes the right mbmloader. Then the bootloader is flashed and the rest of the partitions are subsequently flashed.
The Following 2 Users Say Thank You to cellzealot For This Useful Post
22nd May 2012, 04:13 PM   |  #14  
Skrilax_CZ
Quote:
Originally Posted by cellzealot

There are 3 types of Motorola OMAP devices.

S= Secured : a stock production locked bootloader

SE= Secure Engineering : an engineering model that has a signed and secure bootloader that does not perform any other checks on kernel or other components above the bootloader.
For all intents and purposes this is the same as an unlocked bootloader. The OG Droid is an SE device.

NS= Non Secured: a fully open device with no checks performed and no eFuses set or blown on the OMAP chip itself.

It is the mbmloader that contains the encrypted signatures, not the bootloader itself. On dual core devices, the bootloader is the same for all three types and the firmware files contain both NS and HS versions of the mbmloader. There is a separate bootloader that allows flashing of the mbmloader and that checks the ro.secure status of the device and flashes the right mbmloader. Then the bootloader is flashed and the rest of the partitions are subsequently flashed.

Sorry, but except the listing, it's completely wrong.

Indeed, there are three types of devices:
S - Secure (Omap in HS mode)
SE - Secure Engineering (Omap in HS mode) - no sig. checks except mbmloader + BP
NS - Non Secured (Omap in EMU mode) - no sig. checks except part of BP (mbmloader is signed with CSST key)

The OG Droid is an S device; the OG Droid bootloader doesn't perform security checks at all, only mbmloader is checked by the OMAP BootROM.

Even NS devices have a secure part of the BP; completely unsecured devices use GP mode for OMAP, etc.

S and SE devices share mbmloader and mbm; NS devices have a special mbmloader and in most cases mbm too (to be honest, I don't know how it is with the RAZR; certainly all OMAP3 devices have a special NS mbm, just as I use on my Milestone).

The "ro.secure" status is used by Android, and is completely unrelated here. It's whether the OMAP is in HS or EMU mode.

The "allow-mbmloader-flashing" mbm is an mbm that allows mbmloader flashing and nothing else. There is also another bootloader to recover the device from USB.

mbmloader doesn't contain any signatures except its own; this is a normal chain of trust. mbmloader checks mbm, loads it, which checks the rest.

Anyway, on RAZR the mbm tells "Device is LOCKED / UNLOCKED: Status code: x", where:
x = 0; locked and not unlockable or never been unlocked
x = 1; unlocked (w/o signature checks, except part of the bp)
x = 2; unlockable device, which has been relocked
x = 3; unlockable device, which has been unlocked (signature checks over mbm, mbmloader and cdt + bp)
Last edited by Skrilax_CZ; 22nd May 2012 at 04:24 PM.
The Following 8 Users Say Thank You to Skrilax_CZ For This Useful Post
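A toy model of the chain of trust and the RAZR status codes described in post #14, added here as an example; it is not code from any poster or from Motorola. HMAC-SHA256 stands in for the real signature scheme, and the banner strings, the `boot` stage name and the image contents are constructed. The BP is not modelled, and full enforcement for the locked codes 0 and 2 is an assumption.

```python
import hashlib, hmac, re

KEY = b"constructed-demo-key"                # stand-in for the vendor signing key
CHAIN = ["mbmloader", "mbm", "cdt", "boot"]  # "boot" = everything after cdt (assumed name)

# Stages whose signature is enforced for each RAZR status code, as post #14 lists them.
# Codes 0 and 2 are "locked"; enforcing every stage there is this example's assumption.
ENFORCED = {
    0: set(CHAIN),
    1: set(),                                # no checks (the BP part is not modelled)
    2: set(CHAIN),
    3: {"mbmloader", "mbm", "cdt"},
}

def sign(image: bytes) -> bytes:
    """HMAC-SHA256 as a toy substitute for the real signature scheme."""
    return hmac.new(KEY, image, hashlib.sha256).digest()

def parse_status(line: str) -> int:
    """Extract x from an mbm banner containing 'Status code: x'."""
    m = re.search(r"Status code:\s*([0-3])\b", line)
    if not m:
        raise ValueError("no status code in banner")
    return int(m.group(1))

def boot(images: dict, sigs: dict, status: int) -> tuple:
    """Walk the chain in order; return (stages loaded, stage rejected or None)."""
    loaded = []
    for stage in CHAIN:
        ok = hmac.compare_digest(sign(images[stage]), sigs[stage])
        if stage in ENFORCED[status] and not ok:
            return loaded, stage             # an enforced check failed: stop here
        loaded.append(stage)
    return loaded, None

# Constructed sample images and their signatures.
IMAGES = {s: f"{s}-stock".encode() for s in CHAIN}
SIGS = {s: sign(img) for s, img in IMAGES.items()}

def tampered(stage: str) -> dict:
    """Copy of IMAGES with one stage modified and its signature left stale."""
    return {**IMAGES, stage: b"modified"}

if __name__ == "__main__":
    for banner in ("Device is LOCKED: Status code: 0", "Device is UNLOCKED: Status code: 3"):
        st = parse_status(banner)
        for stage in ("mbm", "boot"):
            print(st, stage, boot(tampered(stage), SIGS, st))
```
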
22nd May 2012, 04:18 PM   |  #15  
Thank you for the wonderful info, Skrilax_CZ and cellzealot. I mean, both enlightened me.
22nd May 2012, 04:55 PM   |  #16  
BytecodeMe
So you can or can not unlock your boot loader with this? I don't think it's been said clearly.
22nd May 2012, 05:00 PM   |  #17  
You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!

The OG Droid reports as SE in RSD Lite though, I can assure you.

I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
I also have all of the separate bootloader SBF files for those devices and they come in 3 types.

Consumer_replacer_hs_part is the stock secured mbm

Nonconsumer_replacer_hs_part is the secured engineering mbm

Nonconsumer_replaced is the NS unsecured mbm

The old SBF files never contained the bootloader and the mbmloaders were always updated only by the OTA zips and the discrete bootloader files were rarely ever seen.

The dual core OMAPs with fastboot support work very differently, as pointed out by Skrilax_CZ above.

Anyways, once again, thanks for the detailed clarification. There is very little clear understanding about how this all actually works and I am happy to both contribute what I know and keep learning from others.

Last edited by cellzealot; 22nd May 2012 at 05:14 PM. Reason: corrections
22nd May 2012, 05:44 PM   |  #18  
pedrotorresfilho
Quote:
Originally Posted by cellzealot

You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!

The OG Droid reports as SE in RSD Lite though, I can assure you.

I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
I also have all of the separate bootloader SBF files for those devices and they come in 3 types.

Consumer_replacer_hs_part is the stock secured mbm

Nonconsumer_replacer_hs_part is the secured engineering mbm

Nonconsumer_replaced is the NS unsecured mbm

The old SBF files never contained the bootloader and the mbmloaders were always updated only by the OTA zips and the discrete bootloader files were rarely ever seen.

The dual core OMAPs with fastboot support work very differently, as pointed out by Skrilax_CZ above.

Anyways, once again, thanks for the detailed clarification. There is very little clear understanding about how this all actually works and I am happy to both contribute what I know and keep learning from others.

I've a question for you guys.

Are all dev RAZRs 16G, or is there an 8G version?

I can't formulate this question any better. I'm asking because that sign bypass with p18 was provided by a 16G dev RAZR and I was wondering if it isn't the 'problem' mounting USB mass storage. If so, can one of you PM me a dd p18 .img for a test?

Thanks

Sent from my XT910 using Tapatalk 2
22nd May 2012, 06:13 PM   |  #19  
I only have eng models of DX, D2G and Pro with all the associated files for those devices.
We no longer have the access we used to for internal files and devices.
P3droid has a NS status 1 Razr and is able to flash any of the leaked builds available, including the eng builds.
If there is anything he might be able to provide you that you don't already have I can ask him, but we don't have any files for RAZR that are not in the wild.
22nd May 2012, 06:27 PM   |  #20  
Skrilax_CZ
Quote:
Originally Posted by cellzealot

You are welcome and I am happy to have been corrected by Skrilax_CZ on my partial explanation of the boot chain and security, thanks!

The OG Droid reports as SE in RSD Lite though, I can assure you.

Don't want to argue, but are you really 100% sure about this (for a production unit)? Even the production OG Droid mbm is unsigned and doesn't even contain the security functions; regardless of the fuse status, it simply won't check for signatures. (Btw, there is another unlocked BL phone, which is the XT701. Unlike the OG Droid, it has its mbm signed.)

Quote:
Originally Posted by cellzealot

I have both NS and SE models for some older devices and they report correctly in RSD Lite as well.
I also have all of the separate bootloader SBF files for those devices and they come in 3 types.

Consumer_replacer_hs_part is the stock secured mbm

Nonconsumer_replacer_hs_part is the secured engineering mbm

Nonconsumer_replaced is the NS unsecured mbm

Well yeah, there are three kinds of files, but the "Secure Engineering" version is the same as "Secure" version and just contains mbmloader too, right? Well there is some naming difference between EU and US files over this.

Quote:
Originally Posted by cellzealot

The old SBF files never contained the bootloader and the mbmloaders were always updated only by the OTA zips and the discrete bootloader files were rarely ever seen.

Correct, I'd only add that old OMAP3 devices (without eMMC) never had mbmloader update possibility.
Last edited by Skrilax_CZ; 22nd May 2012 at 06:38 PM.