ZenPad S8.0 signed flash checks
I've found more precisely where signing or some form of unlock is required.
First of all, a useful tool will be 'abootimg' (https://packages.debian.org/search?keywords=abootimg):
# apt-get install abootimg
With that, the original firmware image that gets started via 'adb reboot bootloader' can be opened as:
$ abootimg -i droidboot.img
$ abootimg -x droidboot.img
$ mkdir new_initrd
$ cd new_initrd/
$ zcat ../initrd.img | cpio -i
As a test, I try inserting a new, empty file into the first-stage ramdisk 'initrd.img':
$ touch mynewfile
... and then repack the image with:
$ find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz
$ cd ..
Then the abootimg-generated 'bootimg.cfg' file must be updated, in particular the total size of the image on its first line, given in hexadecimal. Check that the default value, 0xbeead8, converts into the exact size in bytes of the original droidboot.img by comparing the two via
$ echo "ibase=16; BEEAD8"| bc
and:
$ ls -l droidboot.img
A new empty file takes 12 bytes more, and without such a step abootimg would complain:
$ abootimg --create new_droidboot.img -k zImage -f bootimg.cfg -r newramdisk.cpio.gz -s stage2.img
new_droidboot.img: updated is too big for the Boot Image (12521472 vs 12511960 bytes)
The new size of 12521472 bytes can be converted into HEX as:
$ echo "obase=16; 12521472"| bc
BF1000
... thus, copying bootimg.cfg to new_bootimg.cfg, its first line should contain this new value (the rest remains unchanged):
bootsize = 0xbf1000
[...]
Then repacking the image works:
$ abootimg --create new_droidboot.img -k zImage -f new_bootimg.cfg -r newramdisk.cpio.gz -s stage2.img
... and we can try flashing it. First, one can test what happens with the original, unmodified 'droidboot.img' file:
$ adb reboot-bootloader
$ fastboot flash fastboot droidboot.img
sending 'fastboot' (12218 KB)...
OKAY [ 1.256s]
writing 'fastboot'...
OKAY [ 1.144s]
finished. total time: 2.400s
$ fastboot reboot-bootloader
rebooting into bootloader...
OKAY [ 0.892s]
finished. total time: 0.892s
No real changes here: everything should work exactly as shipped. But the flashing process is now clear, and can be tried with the new, modified fastboot image:
$ fastboot flash fastboot new_droidboot.img
sending 'fastboot' (12230 KB)...
OKAY [ 1.223s]
writing 'fastboot'...
FAILED (remote: check_sign_key fail: no allow update droidboot)
Clearly here a security restriction is enforced. We must still find out where the message comes from.
The original source code of droidboot.c, which gets run in reboot-bootloader mode, appears to be available here:
https://github.com/quanganh2627/android_hardware_intel/blob/master/libintelprov/droidboot.c
I would like to know in particular what is inside the 'droidboot.img' payload 'stage2.img', as extracted by abootimg -x and for now just repacked in unmodified form. Perhaps it is the signature/security token that we need?
I would like to compare things more closely, in particular with a ZenFone 2 of similar hardware specs that is already unlockable, such as the ZE550ML.
Thanks in advance,
--
a.
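Added example, not part of the post above and not code from abootimg: a POSIX shell script that automates the size bookkeeping the post does by hand (reading the required size out of the "updated is too big" error and converting it with bc). It assumes that abootimg sizes the image as one header page plus the kernel, ramdisk and second-stage payloads each rounded up to a whole page, and refuses to write when that total exceeds 'bootsize'; the post's numbers are consistent with that (the required 12521472 = 0xbf1000 is a multiple of 0x1000) but do not confirm it. The helper names are mine. The 'repack_droidboot' function reproduces the post's unpack/touch/repack/create sequence, needs abootimg and a droidboot.img in the current directory, and only runs when DROIDBOOT_RUN=1 is set; the other helpers work offline.

```sh
#!/bin/sh
# Added example, not code from the original post or from abootimg.
# Computes the 'bootsize' an abootimg bootimg.cfg needs after the ramdisk
# has grown, and rewrites the cfg, instead of converting the number from
# the "updated is too big" error by hand.
#
# Assumption (consistent with the post's 12521472 = 0xbf1000 being a
# multiple of 0x1000, but not confirmed there): abootimg sizes the image
# as one header page plus each payload (kernel, ramdisk, second stage)
# rounded up to a whole page, and rejects a 'bootsize' below that total.
set -eu

# Evaluate a decimal or 0x-prefixed value as a decimal integer.
hex_to_dec() { echo $(( $1 )); }

# Format a decimal integer the way bootimg.cfg writes it (lowercase, 0x).
to_hex() { printf '0x%x\n' "$1"; }

# Size in bytes of a file; the $(( )) strips wc's padding on some systems.
file_size() { echo $(( $(wc -c < "$1") )); }

# Value of "<key> = <value>" in an abootimg bootimg.cfg ($1 = cfg, $2 = key).
cfg_value() { sed -n "s/^$2 = //p" "$1"; }

# Round $1 up to the next multiple of $2.
page_align() { echo $(( (($1 + $2 - 1) / $2) * $2 )); }

# Minimum bootsize for kernel $1, ramdisk $2, second stage $3 and page size
# $4 under the assumed layout: one header page, then each payload aligned.
min_bootsize() {
    k=$(page_align "$1" "$4")
    r=$(page_align "$2" "$4")
    s=$(page_align "$3" "$4")
    echo $(( $4 + k + r + s ))
}

# The post's check: does 'bootsize' in cfg $1 equal the on-disk size of
# image $2? Exit status 0 if yes.
bootsize_matches_file() {
    [ "$(hex_to_dec "$(cfg_value "$1" bootsize)")" -eq "$(file_size "$2")" ]
}

# Copy cfg $1 to $2 with 'bootsize' set to the decimal value $3; every
# other line is left as it was.
set_bootsize() {
    sed "s/^bootsize = .*/bootsize = $(to_hex "$3")/" "$1" > "$2"
}

# The post's full procedure, automated. Needs abootimg and droidboot.img
# in the current directory; only runs when DROIDBOOT_RUN=1.
repack_droidboot() {
    abootimg -x droidboot.img   # yields zImage, initrd.img, stage2.img, bootimg.cfg
    rm -rf new_initrd && mkdir new_initrd
    ( cd new_initrd && zcat ../initrd.img | cpio -i && touch mynewfile \
        && find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz )
    page=$(hex_to_dec "$(cfg_value bootimg.cfg pagesize)")
    need=$(min_bootsize "$(file_size zImage)" "$(file_size newramdisk.cpio.gz)" \
                        "$(file_size stage2.img)" "$page")
    set_bootsize bootimg.cfg new_bootimg.cfg "$need"
    abootimg --create new_droidboot.img -k zImage -f new_bootimg.cfg \
        -r newramdisk.cpio.gz -s stage2.img
}

if [ "${DROIDBOOT_RUN:-0}" = 1 ]; then
    repack_droidboot
fi
```

Note that the recomputed bootsize only makes abootimg willing to write the file; as the post shows, the device's own check_sign_key check is what decides whether the result can be flashed.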