
BOUNTY: unlock bootloader for CDMA Moto G at [$250]

By motrinHD, Senior Member on 4th March 2014, 06:25 AM
23rd September 2014, 02:10 AM |#411  
T10NAZ, Senior Member
Quote:
Originally Posted by shabbypenguin

The problem with setting it to "donations" is that people are cheap and forgetful. I've seen people throw money at copy/paste kernel devs to get them a new phone year after year, only to abandon it for the newest phone because they got that donated to them. They rarely think about the people that brought them the stock files they use when they mess up their phone and save their investment, or the people who port recovery and the teams behind the recoveries, the folks who make it possible to flash all your ROMs/mods/kernels etc.

Obviously the way things were wasn't working out, otherwise they wouldn't have switched to it. Bounties go unpaid by almost half of the people who say they will pay; add to that that this was done by a team, which means the money has to be split. So let's say this $250 bounty, everyone was perfect and paid it, and it was split 3? 4? ways. That means that each of the devs who poured countless hours into it would get about the cost of the CDMA phone, to provide an entire community freedom and ensure their devices can last even longer than what official updates will provide.

The Android community is growing and the number of people who donate is IMO staying the same or growing smaller. I've ported recovery to 7+ devices this year, ported CyanogenMod to one, and rooted two more. I had to purchase one of the phones I rooted, but it wasn't in danger of bricking or actual risk. These guys have put some serious time and effort into it, and btw anyone who is trying to pirate it, I'd seriously reconsider unless you don't value your device.

Yeah, to be completely honest I did hint at people being stingy and not paying, and that's cool that you have ported recoveries and, I guess, source-built or zip-pushed a Cyano ROM.

I really don't care about this phone being rooted anyway, since I store a few grand in crypto on my Moto G and don't want that stolen xD. If I want an unlockable phone it looks like I'll be headed for a GPe device or something, so I would have to go through the hassle of paying someone.
 
 
23rd September 2014, 02:12 AM |#412  
shabbypenguin, Inactive Recognized Developer
Quote:
Originally Posted by T10NAZ

Yeah, to be completely honest I did hint at people being stingy and not paying, and that's cool that you have ported recoveries and, I guess, source-built or zip-pushed a Cyano ROM.

I really don't care about this phone being rooted anyway, since I store a few grand in crypto on my Moto G and don't want that stolen xD. If I want an unlockable phone it looks like I'll be headed for a GPe device or something, so I would have to go through the hassle of paying someone.

There is only one way to build AOSP and that's by source :P

@Somcom3X has taken over and is now the official CM maintainer for the Moto G 4G
2nd January 2015, 03:39 AM |#413  
BBotteron1, Junior Member
Find a fix yet?
It's been a while, so has anyone found a way to unlock the bootloader and root the Moto G 4.4.4 2014 without a middleman? Just received this phone on Black Friday for 29 bucks; if I'd known it wasn't unlockable I would've spent an extra 20 and got the other one through Straight Talk :/
23rd August 2015, 09:14 PM |#414  
droidzer1, Senior Member
Quote:
Originally Posted by BBotteron1

It's been a while, so has anyone found a way to unlock the bootloader and root the Moto G 4.4.4 2014 without a middleman? Just received this phone on Black Friday for 29 bucks; if I'd known it wasn't unlockable I would've spent an extra 20 and got the other one through Straight Talk :/

FOUND! The particular Moto G XT-1028 I had could not be rooted by any method I tried (that included about everything) until a couple of days ago, when I found a version of the KingRoot app and it rooted SUCCESSFULLY! If I don't see any other successes here I'll start a thread on it and post the app to root it. This is Kingroot_V4.5.0.803 that worked. Older versions I had tried did not work. I started a thread here and have attached the KingRoot version that worked in that thread: http://forum.xda-developers.com/moto...-root-t3185109

---------- Post added at 03:14 PM ---------- Previous post was at 03:06 PM ----------

Will this qualify for the root bounty? I will be trying to determine if the bootloader is also unlocked. I'm working on that right now, since KingRoot is rather automatic and I actually did not expect it would work, so I wasn't even watching it closely until it was done.
I know idone's great Galaxy Tools app may be for Samsungs, but it also works on the Moto G, and as you can see in the attached pic it shows the model of this phone (XT-1028), baseband and so on AND that it has ROOT!
Attached thumbnail: shot_000004.png
31st August 2015, 06:08 AM |#415  
Wiki Admin / Recognized Contributor
Quote:
Originally Posted by droidzer1

Will this qualify for the Root bounty? I will be trying to determine if the bootloader is also unlocked.

This definitely does not qualify, here's why:
  1. It's temporary, at least if you use KingRoot;
    you can likely permanently install KingRoot/SuperSU/whatever into system and preserve root, but
  2. It doesn't touch the bootloader lock status. Locked bootloaders cannot run a custom recovery (at least on Moto devices) even with root; it'll simply tell you there's a signature mismatch at boot, since official Moto kernels (and recoveries) are signed by Motorola.
  3. KingRoot itself depends on exploit(s) to gain root, unless you already have root and are simply updating the existing install.
    If you update and all the exploits are patched, you can't root until more are found.
  4. 2 and 3 above mean that you are stuck on the current ROM you are on if you want root; you cannot upgrade, nor can you flash a custom ROM, until we have an unlocked bootloader.

The only difference between KingRoot and Framaroot (for example) is that KingRoot has exploits "a", "b", and "c", while Framaroot has "x", "y", and "z". And for the Moto G on KXB21, only exploit "c" works.

What we need is for someone to make an equivalent tool to Sunshine that can unlock the bootloader now that we have temporary root. You can simply buy Sunshine, but it costs $25 per device and I paid $20 for my Moto G to begin with.
A Sprint model Moto G can be had for $50-80 anyway.

If you're willing to pay to unlock it, you may as well buy a Sprint model XT1031 and convert it to use on VZW; at least then you'll have an official unlock, as the XT1028 and XT1031 are similar enough besides the official bootloader unlock status.
1st September 2015, 04:17 AM |#416  
Wiki Admin / Recognized Contributor
I only read the first page and the last 5 pages of this thread, though obviously no one has a working solution that is also free, not yet anyway.
So far it seems like the Moto G bootloader (unless noted otherwise, everything below refers to both the XT1028 and XT1031) resembles its N4 and N5 contemporaries:

The lock state is stored in
Code:
/dev/block/platform/msm_sdcc.1/by-name/misc -> /dev/block/mmcblk0p30
The lock state itself is at 0x1503: a value of 0x30 indicates it's currently locked, 0x31 is unlocked.
The tamper flag itself is not stored in misc, as this bit is the only difference between my XT1028, which is locked/untampered,
and my XT1031, which is locked/unlocked and tampered.

As previously seen, the lock state goes from:
  • Status code 0: locked + untampered
  • Status code 1: unlocked + untampered(?) - no way to test this currently
  • Status code 2: locked + tampered
  • Status code 3: unlocked + tampered

You go from code 0 to code 3 by using fastboot oem unlock <unlock code> on the XT1031, and fastboot oem lock begin and fastboot oem lock return you to code 2. As there are no other modified bits in misc from locked -> unlocked -> relocked, there's no way to return to code 0 or code 1.

You can't simply change the contents of misc with root on the Moto G, unlike the N4/N5/etc.; something (possibly some kernel and/or bootloader protection) is preventing you from directly modifying that value.
What I do know is that even inside CWM you still can't directly modify that partition, though I don't actually know if the copy of CWM I used is based on a stock kernel or is CM/QAF based, not that you can even boot it on a locked device.

Unlike the N4/N5/etc., the Moto G bootloader seems to enter a special mode to do the actual unlocking.
Snapdragons definitely have memory (both RAM and NAND) protection, due to the fact that they need to protect multiple decryption keys (DRM media, cellular encryption, etc.), and I wouldn't be surprised at all if this is (at least partly) why I can't directly write to it; there have definitely been exploits in the past that modify protected memory to bypass these restrictions.
Perhaps when it enters unlock/relock mode, that is the only time the bootloader can modify the contents of misc, at least under normal conditions.

I do believe that in the past it has been documented that Snapdragon-based platforms additionally allow/disallow bootloader unlocking by flags/fuses that are not mapped to the partitioned parts of the NAND. As the bootloaders on the XT1028/1031/1032 are (bit) identical, this is the reason the latter two can be unlocked while the former cannot.

I would assume that Sunshine uses some sort of lower-level firmware exploit to modify the tamper flag and/or flip the bootloader lock bit. If you already had code that can bypass the security restrictions on the secured portions of memory on Snapdragon-based devices, I wouldn't be surprised if it's that simple to make a relock/unlock tool for Moto Gs that have already been unlocked with the unlock code (i.e. switch from mode 2 ↔ 3).

I can't say I know how you would unlock an untampered bootloader; obviously it's possible, due to Sunshine already existing, but I don't have any further leads on how exactly they do what they do beyond this, assuming this is even on the right track.

----------------------------------------------------------------------------------------------------------------------

Even if you can only switch from mode 2 ↔ 3, this would still be useful in the same way that it's useful for Nexus devices: to both have a custom/modified ROM and also have a way to secure user data. A custom ROM is not by definition any less secure than a stock ROM, but the ability to load a custom recovery can allow you to bypass security and read user data (either online or offline, depending on data encryption).

Additionally, you can re-unlock a Nexus without wiping data. The Moto G requires you to flash a signed Motorola ROM before it will let you relock, so you cannot have any changes while also being safe from offline attacks.
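Added example (not code from the thread or from Motorola): a small script that reads a dumped misc image and decodes the lock byte exactly as the post above describes it (offset 0x1503, 0x30 locked, 0x31 unlocked), and that can write a modified copy so you can diff it against the original. It assumes only that layout; the sample image is constructed, and the dd path is the one quoted in the post. Note the later report in this thread that writing 0x31 back to the partition with dd changed "qe" but left "unlocked: no", so treat this as an inspection aid, not an unlock method.

```python
#!/usr/bin/env python3
"""Inspect the bootloader lock byte in a dumped Moto G 'misc' partition image.

Assumed layout (from the post above): lock byte at 0x1503, 0x30 = locked,
0x31 = unlocked. Dump the partition first with root, e.g.
    dd if=/dev/block/platform/msm_sdcc.1/by-name/misc of=/sdcard/misc.img
then run:  python3 misc_lock.py /sdcard/misc.img
"""
import sys

LOCK_OFFSET = 0x1503                       # lock-state byte offset in misc
LOCK_VALUES = {0x30: "locked", 0x31: "unlocked"}


def misc_lock_state(image: bytes) -> str:
    """Return 'locked', 'unlocked' or 'unknown(0x..)' for a misc image."""
    if len(image) <= LOCK_OFFSET:
        raise ValueError(
            f"image is {len(image)} bytes, shorter than offset {LOCK_OFFSET:#x}")
    value = image[LOCK_OFFSET]
    return LOCK_VALUES.get(value, f"unknown({value:#04x})")


def with_lock_byte(image: bytes, state: str) -> bytes:
    """Return a copy of the image with the lock byte set to 'locked'/'unlocked'.

    This is the file-level equivalent of the dd write reported later in the
    thread; the device is free to ignore it (and on the Moto G it did).
    """
    reverse = {name: byte for byte, name in LOCK_VALUES.items()}
    if state not in reverse:
        raise ValueError(f"state must be one of {sorted(reverse)}")
    if len(image) <= LOCK_OFFSET:
        raise ValueError("image too short")
    buf = bytearray(image)
    buf[LOCK_OFFSET] = reverse[state]
    return bytes(buf)


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets where two equal-length images differ.

    Useful for checking the post's claim that lock -> unlock -> relock
    touches no other bytes of misc: dump before and after and diff.
    """
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample image (not a real dump): 8 KiB of zeros with the
# lock byte set to 'locked'.
SAMPLE_LOCKED = (bytes(LOCK_OFFSET) + b"\x30"
                 + bytes(0x2000 - LOCK_OFFSET - 1))


def report(path: str) -> str:
    """Read an image file and return a one-line summary of its lock byte."""
    with open(path, "rb") as f:
        image = f.read()
    return (f"{path}: byte @ {LOCK_OFFSET:#x} = {image[LOCK_OFFSET]:#04x} "
            f"-> {misc_lock_state(image)}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: misc_lock.py misc.img")
    print(report(sys.argv[1]))
```

diff_offsets is the check worth running before believing any "only one byte changed" theory: dump misc at status code 0, 3 and 2 on a device that has an unlock code, and compare all three.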
7th January 2016, 08:43 PM |#417  
Guicrith, Member
I was able to flash misc with 0x31 with dd and KingRoot; it didn't unlock my bootloader though, it just set qe to 1/1 instead of 0/1.

PuffedCheek:~ Hoppy$ fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 4113
(bootloader) product: falcon
(bootloader) secure: yes
(bootloader) hwrev: 0x83C0
(bootloader) radio: 0x3
(bootloader) emmc: 8GB Toshiba REV=06 PRV=51 TYPE=17
(bootloader) ram: 1024MB Samsung S4 SDRAM DIE=4Gb
(bootloader) cpu: MSM8626 CS
(bootloader) serialno: TA8810ANIQ
(bootloader) cid: 0x0002
(bootloader) channelid: 0x00
(bootloader) uid: 8B255E020F000000000000000000
(bootloader) unlocked: no
(bootloader) iswarrantyvoid: no
(bootloader) mot_sst: 0
(bootloader) max-download-size: 536870912
(bootloader) reason: Reboot mode set to fastboot
(bootloader) imei:
(bootloader) meid:
(bootloader) date:
(bootloader) sku:
(bootloader) iccid:
(bootloader) cust_md5:
(bootloader) max-sparse-size: 268435456
(bootloader) current-time: "Thu Jan 7 20:28:25 UTC 2016"
(bootloader) ro.build.fingerprint[0]: motorola/falcon_verizon/falcon_cdm
(bootloader) ro.build.fingerprint[1]: a:4.4.4/KXB21.14-L1.41/42:user/rel
(bootloader) ro.build.fingerprint[2]: ease-keys
(bootloader) ro.build.version.full[0]: Blur_Version.210.12.41.falcon_cdm
(bootloader) ro.build.version.full[1]: a.Verizon.en.US
(bootloader) ro.build.version.qcom[0]: AU_LINUX_ANDROID_LNX.LA.3.5.1_RB1
(bootloader) ro.build.version.qcom[1]: .04.04.02.048.020
(bootloader) version-baseband:
(bootloader) kernel.version[0]: Linux version 3.4.42-gaf6580c (hudsoncm@
(bootloader) kernel.version[1]: ilclbld54) (gcc version 4.7 (GCC) ) #1 S
(bootloader) kernel.version[2]: MP PREEMPT Wed Jun 25 01:50:02 CDT 2014
(bootloader) sdi.git: git=MBM-NG-V41.13-0-gdc5aeaf
(bootloader) sbl1.git: git=MBM-NG-V41.13-0-g683cb0c
(bootloader) rpm.git: git=MBM-NG-V41.13-0-g71b1aae
(bootloader) tz.git: git=MBM-NG-V41.13-0-ga27c415
(bootloader) aboot.git: git=MBM-NG-V41.13-0-g7dc8e78
(bootloader) qe: qe 1/1
(bootloader) ro.carrier: Dev
all: listed above
finished. total time: 0.065s
PuffedCheek:~ Hoppy$

The unlock status is most likely stored in /dev/blocks/***/cid

I dumped my cid and it has all the unlock data that you get with "fastboot oem get_unlock_data" in it: device type (e.g. XT10**), serial number, along with some Motorola certificates.

What we should try is to get the cid partition of someone who has an unlock code, flash it, then "fastboot oem unlock <key>" with their key, then flash back our cid.

Could someone who's unlocked post their cid partition and unlock key here for me to test?
(Had this phone 2 years, still can't do what I want with it (overclock and run PC Linux w/ minimal X server, RetroArch on it), so I will be a guinea pig.)

My cid partition: attached as cid.img (128.0 KB)
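Added example (not from the thread): a parser for the `fastboot getvar all` output pasted above. The Moto G bootloader splits long values into fixed-width `key[0]`, `key[1]`, ... fragments (see ro.build.fingerprint), which is easy to misread by eye; this reassembles them and pulls out the variables that actually answer the lock question (secure, unlocked, iswarrantyvoid, qe, bootloader version, build fingerprint). The embedded sample is an abbreviated copy of Guicrith's output; the script name and the stdin usage are assumptions.

```python
#!/usr/bin/env python3
"""Parse 'fastboot getvar all' and summarise the bootloader lock variables.

Usage (assumed):  fastboot getvar all 2>&1 | python3 getvar_parse.py
fastboot prints these lines on stderr, hence the 2>&1.
"""
import re
import sys

# "(bootloader) key: value"; value may be empty (imei:, meid:, ...).
LINE_RE = re.compile(r"^\(bootloader\)\s+([^:\s]+):\s?(.*)$")
# "key[3]" -> fragment 3 of "key"
INDEXED_RE = re.compile(r"^(.*)\[(\d+)\]$")

LOCK_KEYS = ("secure", "unlocked", "iswarrantyvoid", "qe",
             "version-bootloader", "ro.build.fingerprint")


def parse_getvar(text: str) -> dict:
    """Return {key: value}; key[n] fragments are joined in index order."""
    plain = {}
    fragments = {}                       # key -> {index: chunk}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # 'all: listed above', 'finished...', prompt
        key, value = m.group(1), m.group(2)
        im = INDEXED_RE.match(key)
        if im:
            fragments.setdefault(im.group(1), {})[int(im.group(2))] = value
        else:
            plain[key] = value
    for key, parts in fragments.items():
        # Chunks are a value cut at a fixed width: concatenate, no separator.
        plain[key] = "".join(parts[i] for i in sorted(parts))
    return plain


def lock_summary(variables: dict) -> dict:
    """The lock-related variables only; anything absent reads 'n/a'."""
    return {k: variables.get(k, "n/a") for k in LOCK_KEYS}


# Abbreviated copy of the output posted above (not a full dump).
SAMPLE = """\
(bootloader) version-bootloader: 4113
(bootloader) product: falcon
(bootloader) secure: yes
(bootloader) unlocked: no
(bootloader) iswarrantyvoid: no
(bootloader) imei:
(bootloader) ro.build.fingerprint[0]: motorola/falcon_verizon/falcon_cdm
(bootloader) ro.build.fingerprint[1]: a:4.4.4/KXB21.14-L1.41/42:user/rel
(bootloader) ro.build.fingerprint[2]: ease-keys
(bootloader) qe: qe 1/1
all: listed above
finished. total time: 0.065s
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key, value in lock_summary(parse_getvar(text)).items():
        print(f"{key:22} {value}")
```

Run it on a dump taken before and after any misc/cid experiment: the pair of lines to watch is `unlocked` and `iswarrantyvoid` (the tamper flag), which is what changed on Guicrith's device (`qe`) versus what did not (`unlocked`).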
2nd November 2016, 03:15 AM |#418  
Senior Member
Quote:
Originally Posted by Guicrith

I was able to flash misc with 0x31 with dd and KingRoot; it didn't unlock my bootloader though, it just set qe to 1/1 instead of 0/1.

I dumped my cid and it has all the unlock data that you get with "fastboot oem get_unlock_data" in it: device type (e.g. XT10**), serial number, along with some Motorola certificates.

What we should try is to get the cid partition of someone who has an unlock code, flash it, then "fastboot oem unlock <key>" with their key, then flash back our cid.

Could someone who's unlocked post their cid partition and unlock key here for me to test?
(Had this phone 2 years, still can't do what I want with it (overclock and run PC Linux w/ minimal X server, RetroArch on it), so I will be a guinea pig.)

My cid partition:

The bootloader unlock is most likely tied to the hardware ID, such as serial, MAC, IMEI, etc., so it's not as easy as just flashing an unlocked CID copy.
There's more to this madness.
1st March 2017, 10:23 PM |#419  
Junior Member
I will add $25 to the bootloader and $10 to the root!!!