Thoughts on downgrading to BL unlockable FW

lem22 · Feb 19, 2014

gtmaster303 said:
And what if I'm using the phone on another carrier outside of Verizon?

That's something VZW wants even less than an unlocked bootloader. And even if they won't, how would it be possible to check on what carrier the phone is used and reject only VZW users without losing them (by switching to other carriers again)?

It's not a secret, that the regular XT907 has a locked bootloader, but you still have the option to get the Dev Edition with an unlocked bootloader. If that's also not an alternative for you, there's plenty of other phones either with an unlocked or an unlockable bootloader.
There's absolutely no need to buy a locked XT907 first and then carp about it being locked.

megaghostgamer · Feb 20, 2014

lem22 said:
That's something VZW wants even less than an unlocked bootloader. And even if they won't, how would it be possible to check on what carrier the phone is used and reject only VZW users without losing them (by switching to other carriers again)?

It's not a secret, that the regular XT907 has a locked bootloader, but you still have the option to get the Dev Edition with an unlocked bootloader. If that's also not an alternative for you, there's plenty of other phones either with an unlocked or an unlockable bootloader.
There's absolutely no need to buy a locked XT907 first and then carp about it being locked.

There actually is a need, we pay good money for these decent phones and we get a locked boot loader which is entirely bs. We shouldn't have to pay over $500 for a phone, many of us bought this phone off contract for less then half that price. Also half of us wouldn't spend over $500 for a phone or couldn't afford it. We need freedom with devices, its one of the main reasons why we have android and not apple. These companies are making it hard for us and practically locking us down more than a iPhone. Don't get me wrong this phone is great! Its just the fact we are losing our freedom with android more and more is what ticks me.

Sent from my Venue 8 3830 using XDA Premium HD app

gtmaster303 · Feb 20, 2014

megaghostgamer said:
There actually is a need, we pay good money for these decent phones and we get a locked boot loader which is entirely bs. We shouldn't have to pay over $500 for a phone, many of us bought this phone off contract for less then half that price. Also half of us wouldn't spend over $500 for a phone or couldn't afford it. We need freedom with devices, its one of the main reasons why we have android and not apple. These companies are making it hard for us and practically locking us down more than a iPhone. Don't get me wrong this phone is great! Its just the fact we are losing our freedom with android more and more is what ticks me.

Sent from my Venue 8 3830 using XDA Premium HD app

I concur 100%

Sent from my XT907 using Tapatalk

GnatGoSplat · Feb 20, 2014

lem22 said:
That's something VZW wants even less than an unlocked bootloader. And even if they won't, how would it be possible to check on what carrier the phone is used and reject only VZW users without losing them (by switching to other carriers again)?

It's not a secret, that the regular XT907 has a locked bootloader, but you still have the option to get the Dev Edition with an unlocked bootloader. If that's also not an alternative for you, there's plenty of other phones either with an unlocked or an unlockable bootloader.
There's absolutely no need to buy a locked XT907 first and then carp about it being locked.

We all know the regular XT907 has a locked bootloader. We all know a severely overpriced Dev Edition was available, which, if it were available today, would be an even worse value than it was a year and a half ago when the phone came out. I don't see it for purchase on Motorola's site, so even if someone who likes throwing money away wanted to purchase it, they couldn't. Whether or not we bought the right phone for what we want to do with it is irrelevant to the purpose of this thread. The purpose of this thread is to find a way to unlock the bootloader of the phone we already have. If you'd rather debate the wisdom or lack thereof of purchasing a phone with a locked BL in the first place, then please start your own thread.

zombolt · Feb 21, 2014

Whoever in moto mobility knows how to unlock the boot loader, must feel very gratified knowing how badly so many people want it unlocked and they won't tell us.

Sent from my XT907 using xda app-developers app

GnatGoSplat · Feb 21, 2014

I noticed when I was playing around with an Electrify M that its FXZ file works a little differently than the RAZR M. Where the RAZR's FXZ flashes every partition in a straight shot, the Electrify M flashes some things first, then reboots into bootloader and flashes the rest. I think these are the minimum partitions that have to be flashed in one shot to not break the circle of trust.

partition (I think this sets partition sizes, might not be necessary if partition sizes are the same?)
sbl1
sbl2
sbl3
rpm
tz
aboot

That seems to make sense based on what Dan said about sbl1 being verified first, and it verifying the rest and ending with aboot.
I need to find a malfunctioning (but still booting) water-damaged RAZR M to try this.

gtmaster303 · Feb 21, 2014

GnatGoSplat said:
I noticed when I was playing around with an Electrify M that its FXZ file works a little differently than the RAZR M. Where the RAZR's FXZ flashes every partition in a straight shot, the Electrify M flashes some things first, then reboots into bootloader and flashes the rest. I think these are the minimum partitions that have to be flashed in one shot to not break the circle of trust.

partition (I think this sets partition sizes, might not be necessary if partition sizes are the same?)
sbl1
sbl2
sbl3
rpm
tz
aboot

That seems to make sense based on what Dan said about sbl1 being verified first, and it verifying the rest and ending with aboot.
I need to find a malfunctioning (but still booting) water-damaged RAZR M to try this.

Why water damaged?

Sent from my Droid RAZR M

GnatGoSplat · Feb 21, 2014

gtmaster303 said:
Why water damaged?

I'd just hate to destroy by hard-bricking (another) perfectly good phone. Usually water damaged phones work to some degree, but have some electrical defect that prevents them from functioning 100% and are usually not repairable either, so that would be perfect for experiments like this because if it hard-bricks, no big loss. It doesn't really have to be water damaged though. Anything cheap enough that boots would work.

I read about someone attempting to downgrade a Samsung and he hex edited certificates, which didn't work and never had a chance of working because certs don't work that way, but no one in the thread suggested brute-force flashing using dd straight into block devices so I'm not sure if there is a major obvious flaw with trying it that way that I'm not aware of.

gtmaster303 · Feb 21, 2014

GnatGoSplat said:
I'd just hate to destroy by hard-bricking (another) perfectly good phone. Usually water damaged phones work to some degree, but have some electrical defect that prevents them from functioning 100% and are usually not repairable either, so that would be perfect for experiments like this because if it hard-bricks, no big loss. It doesn't really have to be water damaged though. Anything cheap enough that boots would work.

I read about someone attempting to downgrade a Samsung and he hex edited certificates, which didn't work and never had a chance of working because certs don't work that way, but no one in the thread suggested brute-force flashing using dd straight into block devices so I'm not sure if there is a major obvious flaw with trying it that way that I'm not aware of.

If it's still under warranty I'm sure you can play dumb and just send it in for repair. How will they know what happened anyway?
way back in the day when I had the original CLIQ I sent it in for repair rooted with custom recovery and all. They flashed it back to stock even though I sent it in for a physical defect. I think any phone they get, they will always hard flash back to the latest firmware. So if they can do that, I'm sure they can either hard flash a dev firmware and unlock the bootloader too. I'll call them today and see where it goes.

Sent from my Droid RAZR M

GnatGoSplat · Feb 21, 2014

gtmaster303 said:
If it's still under warranty I'm sure you can play dumb and just send it in for repair. How will they know what happened anyway?

I'd try it if I had a phone with a warranty, but I bought mine used to use on T-Mobile. No warranty.

doubljdog · Feb 22, 2014

GnatGoSplat said:
I'd try it if I had a phone with a warranty, but I bought mine used to use on T-Mobile. No warranty.

I'm pretty tech savvy and have a spare razr m with a borked mic that i don't care to fix as I have a pristine razr m i'm currently using. If you want to walk me through what you're wanting to try, i'd be happy to give it a shot. No harm done if bricked. I'm all for helping the scene if possible, especially if it doesn't cost me anything other than a (to me) useless phone. Plus, I like to fool around with technology, it's why we're here. Let me know

GnatGoSplat · Feb 24, 2014

doubljdog said:
I'm pretty tech savvy and have a spare razr m with a borked mic that i don't care to fix as I have a pristine razr m i'm currently using. If you want to walk me through what you're wanting to try, i'd be happy to give it a shot. No harm done if bricked. I'm all for helping the scene if possible, especially if it doesn't cost me anything other than a (to me) useless phone. Plus, I like to fool around with technology, it's why we're here. Let me know

Wow, thanks for the offer!
I dumped my ROM and compared it to the images in the FXZ for my ROM (9.8.1Q-94). One concern I have is with the sbl1 and sbl2 partitions. What I dumped compared to what's in the FXZ aren't identical. On both those partitions, there's 128-bytes of extra data at the end. On sbl2, it looks like partial strings, I'm almost certain they're not significant. On sbl1, I can't really tell if that extra 128-bytes is significant or not. It could be both are just remnants from when the partitions were resized (older ROM versions may have had different partition sizes). I don't know how to reverse engineer the actual TrustZone code so I don't know if they do a hash or checksum of the entire partition. I kind of doubt it, but I'd feel a lot more comfortable if we could get dumps of sbl1 and sbl2 from a device still on 9.8.1Q-66.

If anyone with such a device is willing to help out, the commands to do it will be:

adb shell
su
dd if=/dev/block/mmcblk0p2 of=/storage/sdcard1/mmcblk0p2
dd if=/dev/block/mmcblk0p3 of=/storage/sdcard1/mmcblk0p3
exit
exit
adb pull /storage/sdcard1/mmcblk0p2 c:\mmcblk0p2
adb pull /storage/sdcard1/mmcblk0p3 c:\mmcblk0p3

This will put 2 files on the root of your c: drive, mmcblk0p2 and mmcblk0p3. If no physical SD card, change sdcard1 to sdcard0. If someone with 9.8.1Q-66 would be willing to dump those, zip them up and upload them, that would be really helpful.

doubljdog · Feb 25, 2014

I am on 9.8.1Q_27-2. What is the easiest way to get it to 66?

Sent from my XT907 using xda app-developers app

EDIT: I found the -66 update. Would you prefer the phones bootloader to be locked or unlocked when I pull the files.I've never unlocked it but it's old enough that I can. Also, I attached a zip with the files from my _27 system in case they would be of any help. Let me know how to proceed.
Nevermind

GnatGoSplat · Feb 25, 2014

Best way is with RSDLite and the fxz file, which might wipe your phone.
Here is RSDLite:
http://www.4shared.com/rar/q61LmCBp/rsd_lite_615__mtk_patch.html

The fxz file for 66:
http://sbf.droid-developers.org/download.php?device=8&file=73

I did a little more research and found a couple potential show stoppers.
1. Some devices don't allow using DD to brute force flash partitions directly. I've read Galaxy S4s for example don't allow it. From my unfortunately experience, it's possible for the XT907 to brute force flash the TZ partition, but I don't know about the others.
2. Even if it's possible to get all the old bootloader files on a device (via brute force flash, JTAG, physically changing chips, etc), sometimes newer bootloaders blow QFuses in the SoC that prevent the older version from working (again, referencing the Galaxy S4). QFuses, when blown, are permanent and irreversible because it physically blows a "fuse" in the chip. Whether or not the XT907 does this, only someone who knows how to read disassembled ARM code would know (or we'd have to try and find out).

doubljdog · Feb 25, 2014

GnatGoSplat said:
Best way is with RSDLite and the fxz file, which might wipe your phone.
Here is RSDLite:
http://www.4shared.com/rar/q61LmCBp/rsd_lite_615__mtk_patch.html

The fxz file for 66:
http://sbf.droid-developers.org/download.php?device=8&file=73

I did a little more research and found a couple potential show stoppers.
1. Some devices don't allow using DD to brute force flash partitions directly. I've read Galaxy S4s for example don't allow it. From my unfortunately experience, it's possible for the XT907 to brute force flash the TZ partition, but I don't know about the others.
2. Even if it's possible to get all the old bootloader files on a device (via brute force flash, JTAG, physically changing chips, etc), sometimes newer bootloaders blow QFuses in the SoC that prevent the older version from working (again, referencing the Galaxy S4). QFuses, when blown, are permanent and irreversible because it physically blows a "fuse" in the chip. Whether or not the XT907 does this, only someone who knows how to read disassembled ARM code would know (or we'd have to try and find out).

As requested, here is mmcblk0p2 and mmcblk0p3 from a stock 9.8.1Q-66 system. Let me know what else is next. As i've said before, if this bricks my phone it is of no concern to me. The only thing I have it for at this point is a spare screen which I imagine would still work fine even if the phone is bricked.

GnatGoSplat · Feb 26, 2014

Thanks, those dumps look good. Before you do anything, maybe also take dumps of mmcblk0p11 thru mmcblk0p14. These are bootloader backup partitions which should contain the same data, but the backup partitions are different sizes. I think they're the same, but padded at the end with FFs so I don't think we will need them; I'll verify this to make sure since we only get one shot.

After that, next step now would be to upgrade to 98.30.1 9.8.1Q-94. This will make you permanently unable to unlock the BL with motochopper.

http://sbf.droid-developers.org/download.php?device=8&file=77

Then root using Saferoot.
http://xdaforums.com/showthread.php?t=2605578

gtmaster303 · Feb 26, 2014

This thread is starting to get interesting...

Sent from my Droid RAZR M

doubljdog · Feb 27, 2014

GnatGoSplat said:
Thanks, those dumps look good. Before you do anything, maybe also take dumps of mmcblk0p11 thru mmcblk0p14. These are bootloader backup partitions which should contain the same data, but the backup partitions are different sizes. I think they're the same, but padded at the end with FFs so I don't think we will need them; I'll verify this to make sure since we only get one shot.

After that, next step now would be to upgrade to 98.30.1 9.8.1Q-94. This will make you permanently unable to unlock the BL with motochopper.

http://sbf.droid-developers.org/download.php?device=8&file=77

Then root using Saferoot.
http://xdaforums.com/showthread.php?t=2605578

A question on the update procedure. Do I just OTA the update or is there a download for it? Also, see attached.

EDIT: Funny that I would quote your post that contains the answer for the question I am asking huh? Getting ahead of myself here. Just got off the grave shift.

GnatGoSplat · Feb 27, 2014

doubljdog said:
A question on the update procedure. Do I just OTA the update or is there a download for it? Also, see attached.

EDIT: Funny that I would quote your post that contains the answer for the question I am asking huh? Getting ahead of myself here. Just got off the grave shift.

Actually, FXZ or OTA update would work, so it's up to you, whichever is easier. :good:

doubljdog · Feb 27, 2014

GnatGoSplat said:
Actually, FXZ or OTA update would work, so it's up to you, whichever is easier. :good:

Updating now, will root when finished.

EDIT: Updated and rooted. Let's make or break this phone.

Thoughts on downgrading to BL unlockable FW

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

Senior Member

Member

Attachments

Senior Member

Member

Attachments

Senior Member

Senior Member

Member

Attachments

Senior Member

Member

Similar threads

Top Liked Posts