I figured it was about time I do a write up about everything we know about ReservedOdm and it's relation to 4G, downgrading and unlocking. For an overview of what ReservedOdm is you can look to this post on the Atrix forum. Essentially ReservedOdm is a one time programmable fuse that is responsible for storing a number of values which relate to Unlock State and OS version.
Now for a few interesting things that we have found out. The unlocked bootloader itself does not seem to care about any values other than the 4 you see at the end of many of the below strings. This appears to be a flag that indicates whether or not the bootloader has gone through the fastboot oem unlock proccess. I will note that merely having the unlocked bootloader flashed does not break 4G on our phones, but having it actually unlocked does.
It would appear that it is possible for ReservedOdm values to be written by both the bootloader and the main OS. This was found out because when people flashed ROM's based on the leaked photon OTA(with bootloader stripped) their phones would have a ReservedOdm value change that would prevent them from flashing any pre-2.3.5 SBF(pudding still work's). It is suspected that the 2.3.5 boot.img is capable of writing these values, since the fuses only changed when using the leaked 2.3.5 boot.img and not with 2.3.5 leak based ROM's that were repacked with an older boot.img.
It would appear that the leaked boot.img does not always change the fuse values, but has happened to some.
The 2.3.5 pudding file that was posted in the unlock thread seems to write a locked 2.3.5 bootloader which prevents both pudding and the unlocked bootloader from being flashed. It has no use and should never bet flashed since all it does is lock phones up.
Since the pudding bootloader seems to be able to be flashed with any ReservedOdm value(but not any bootlaoder), it may still be possible to unlock phones if we can find a way to bypass the bootloader checks on the 2.3.5 bootloaders.
The easiest way to tell if you can unlock is to look at the 3rd non-zero ReservedOdm value. If it is 1 it should be possible to unlock. However if it is 3 it will not be. The 2.3.5 bootloader appears to read this value and will give a sec_exception error if you are trying to flash an older bootloader if the value is 3.
The 2.3.4 SBF's however appear to check the ReservedOdm values and will fail if they are not correct.
I figure I might as well comment on this thread here. From what I can tell this is of no use to us since all the signature checks are respected when you do "fastboot flash rdl.bin". Essentially if you can ramload the rdl you can also flash the pudding file in RSD lite, and if you can't in RSD you also can't here. For electrify users this may be useful under extremely limited circumstances, apparently it can be used to flash pudding from the bootloader of phones shipped with 2.3.5 but not those that have used an OTA. For more info download this.
Recorded Values
If anyone wants to read their ReservedOdm value simply run from adb:
please post the output if it differs from anything in my list.
Now for a few interesting things that we have found out. The unlocked bootloader itself does not seem to care about any values other than the 4 you see at the end of many of the below strings. This appears to be a flag that indicates whether or not the bootloader has gone through the fastboot oem unlock proccess. I will note that merely having the unlocked bootloader flashed does not break 4G on our phones, but having it actually unlocked does.
It would appear that it is possible for ReservedOdm values to be written by both the bootloader and the main OS. This was found out because when people flashed ROM's based on the leaked photon OTA(with bootloader stripped) their phones would have a ReservedOdm value change that would prevent them from flashing any pre-2.3.5 SBF(pudding still work's). It is suspected that the 2.3.5 boot.img is capable of writing these values, since the fuses only changed when using the leaked 2.3.5 boot.img and not with 2.3.5 leak based ROM's that were repacked with an older boot.img.
It would appear that the leaked boot.img does not always change the fuse values, but has happened to some.
The 2.3.5 pudding file that was posted in the unlock thread seems to write a locked 2.3.5 bootloader which prevents both pudding and the unlocked bootloader from being flashed. It has no use and should never bet flashed since all it does is lock phones up.
Since the pudding bootloader seems to be able to be flashed with any ReservedOdm value(but not any bootlaoder), it may still be possible to unlock phones if we can find a way to bypass the bootloader checks on the 2.3.5 bootloaders.
The easiest way to tell if you can unlock is to look at the 3rd non-zero ReservedOdm value. If it is 1 it should be possible to unlock. However if it is 3 it will not be. The 2.3.5 bootloader appears to read this value and will give a sec_exception error if you are trying to flash an older bootloader if the value is 3.
The 2.3.4 SBF's however appear to check the ReservedOdm values and will fail if they are not correct.
I figure I might as well comment on this thread here. From what I can tell this is of no use to us since all the signature checks are respected when you do "fastboot flash rdl.bin". Essentially if you can ramload the rdl you can also flash the pudding file in RSD lite, and if you can't in RSD you also can't here. For electrify users this may be useful under extremely limited circumstances, apparently it can be used to flash pudding from the bootloader of phones shipped with 2.3.5 but not those that have used an OTA. For more info download this.
Recorded Values
Code:
10000000000030001000100004000-photon tried to flash photon 2.3.5 eng? currently unlocked but can't flash normal SBF
10000000000010001000100004000-standard unlocked photon
10000000000010001000100000000-standard locked photon
10000000000010001000100004000-standard unlocked electrify
30000000000030003000100004000-electrify stuck on 2.3.5 previously unlocked bootloader
1000000000003000100004000-electrify stuck on 2.3.5 unlocked bootloader previously installed
20000000000020003000100000000-photon attempted to flash wrong pudding file(2.3.5 testing one)
20000000000030003000100000000-above photon after flashing 2.3.5 electrify SBF
10000000000030003000100004000-photon with 2.3.5 OTA previously unlocked
10000000000030001000100004000-photon with 2.3.5 OTA installed without bootloader(can't downgrade but can unlock)
30000000000030003000100000000 Electrify who performed OTA update to 2.3.5 and now stuck never unlocked
20000000000020001000100004000-Electrify shipped with 2.3.5(unlocked using ramload workaround)
30000000000030002000100000000-Photon with 2.3.5 OTA soak
10000000000010001000100000000-GSM photon on 2.3.5 unknown origin
10000000000010000000100000000-Stock KDDI Photon non-unlocked
10000000000010001000100004000-Unlocked KDDI Photon
20000000000020000000100000000-2.3.5 electrify locked(try modified unlock method from above)
If anyone wants to read their ReservedOdm value simply run from adb:
Code:
adb shell
su
cat /sys/firmware/fuse/ReservedOdm
Last edited: