[ABANDONED] Bootloader unlock - discuss bootloader matters here


walter79

Recognized Developer
Dec 18, 2006
4,138
4,636
New Defy variant.
Any news of its bootloader?

http://m.gsmarena.com/motorola_defy_xt535-4622.php



Sent from XDA-Developers Android Application

It is a new Defy. http://m.gsmarena.com/motorola_introduces_new_defy_in_china-news-3950.php

It has 2 cameras.
 

marhensa

Senior Member
Dec 17, 2010
2,019
1,175
Bogor
It's a Defy+ with a front camera... nothing new I guess... but the XT series are commonly unlocked... let's wait..

It's just released in China. We have to wait till the Mfunz guys or someone else from China get their hands on it :(


Hope that's true, mihovil13,
XT series are commonly unlocked.

Sent from XDA-Developers Android Application
 

jayeshrc

Senior Member
May 2, 2011
165
17
A friend of mine got a Backflip engineering device; a company exec gave it to him (it says it's not for sale and is an engineering version on the side of the phone) and he's willing to help.. Can his phone help us in any way?
 

eiyee

Member
Jan 29, 2012
20
34
Utopia
A friend of mine got a Backflip engineering device; a company exec gave it to him (it says it's not for sale and is an engineering version on the side of the phone) and he's willing to help.. Can his phone help us in any way?

The Backflip is based on the Qualcomm MSM 7200A (or so says Google), so it's a different hardware platform as well, unfortunately.
 

Otto.BR

Senior Member
Aug 19, 2011
54
47
I missed Epsylon3's post about the sec.ko module, but Eiyee PMed me a link:

My last SBF was 3.4.2 179-002 DEBLUR CEE (Froyo CEE for CM7).

[34250.065948] SecGetSWRV = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00
[34250.068542] SecGetModelId = 00 00 00 00
[34250.069427] SecGetProcID = 19 70 00 13 8c 40 6b 01 00 00 dc ff 02 00 0a 09
[34250.073425] SecProcessorType = 44
[34250.073577] Inserting sec module

P.S. Please people, stop PMing me with "help unlock my phone!" stuff. If I knew how to do it, it would be posted here already. Here is my post explaining what happened with my phone.
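An added example, not code from Otto or from anyone else in the thread, for pulling the Sec* values out of a dmesg capture and comparing two phones' captures byte by byte instead of by eye. The first sample is Otto's five lines above, copied verbatim; the second is constructed for this example only and is not a reading from any real device. Field names are simply whatever the sec module prints; nothing here claims to know what the bytes mean.

```python
import re

# Constructed sample input for this example. OTTO_DMESG is the five lines from
# the post above; OTHER_DMESG is NOT a real reading, it is the same lines with
# two bytes of SWRV/ModelId changed so that the diff has something to show.
OTTO_DMESG = """\
[34250.065948] SecGetSWRV = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00
[34250.068542] SecGetModelId = 00 00 00 00
[34250.069427] SecGetProcID = 19 70 00 13 8c 40 6b 01 00 00 dc ff 02 00 0a 09
[34250.073425] SecProcessorType = 44
[34250.073577] Inserting sec module
"""

OTHER_DMESG = """\
[  123.000001] SecGetSWRV = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 20 00 00
[  123.000002] SecGetModelId = 00 00 00 01
[  123.000003] SecGetProcID = 19 70 00 13 8c 40 6b 01 00 00 dc ff 02 00 0a 09
[  123.000004] SecProcessorType = 44
"""

# "[timestamp] SecSomething = hh hh hh ..."; lines without a hex value are skipped.
LINE_RE = re.compile(r"^\[\s*\d+\.\d+\]\s+(Sec\w+)\s*=\s*((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_sec_dmesg(text):
    """Return {field_name: bytes} for every Sec* line in a dmesg capture."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, hexbytes = m.group(1), "".join(m.group(2).split())
        fields[name] = bytes.fromhex(hexbytes)
    return fields


def diff_sec_fields(a, b):
    """Byte-level diff of two parsed captures.

    Returns {field: [(offset, byte_in_a, byte_in_b), ...]} for fields whose values
    differ; fields present on only one side are listed under '__missing__'.
    """
    result = {}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            result.setdefault("__missing__", []).append(name)
            continue
        va, vb = a[name], b[name]
        if va == vb:
            continue
        diffs = []
        for i in range(max(len(va), len(vb))):
            ba = va[i] if i < len(va) else None
            bb = vb[i] if i < len(vb) else None
            if ba != bb:
                diffs.append((i, ba, bb))
        result[name] = diffs
    return result


def swrv_bits_set(fields):
    """(byte_index, bit_index) of every set bit in SecGetSWRV, LSB = bit 0.

    Comparing these short lists is easier than eyeballing 20 bytes of hex when
    checking whether two phones report the same SWRV pattern.
    """
    swrv = fields.get("SecGetSWRV", b"")
    return [(i, bit) for i, byte in enumerate(swrv) for bit in range(8) if (byte >> bit) & 1]


if __name__ == "__main__":
    otto = parse_sec_dmesg(OTTO_DMESG)
    other = parse_sec_dmesg(OTHER_DMESG)
    print("Otto SWRV set bits:", swrv_bits_set(otto))
    for name, diffs in diff_sec_fields(otto, other).items():
        print(name, diffs)
```

For real use, paste each phone's `dmesg | grep Sec` output into the two strings (or read them from files) and look at the diff; on Otto's capture the only set SWRV bit is bit 5 of byte 17.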
 

Kaffeekranz

Senior Member
Dec 29, 2010
240
128
So you've got a blank model ID and your SWRVs differ from ours.
Epsylon tried to change the fuse data, but he changed his values to something different from yours before he bricked his device.
It might be time for him to chime in as he fumbled around with those before.
Simply changing them to your values might be too easy, right?

Though it's nice to see you've got a "normal" HS device after all.

Edit:

Forget that, I hadn't even noticed someone with an unlocked phone has already run the module.
But knowing that this seems to be common behaviour from Asia to South America is still nice, as there really seems to be a common unlock option at Motorola.
Whatever.. Eiyee, get on it!
 

skeevydude

Inactive Recognized Contributor
Feb 10, 2012
3,072
3,042
39
Hot Springs
Bravo has 9.10 Bootloader

I've seen that the Defy uses the same bootloader as the Bravo (9.10), so could anything from the Bravo be of any help? And hexdumps of smaller partitions from our 2.2.1 (only) SBF are identical to the Defy JRDNEM_U3_3.4.3-36-1.7.sbf.

I only noticed because a Google search on hexdumping led me to a post by Epsylon3 about cg31.smg being hexdumped for the partition table, so I hexdumped ours and it was the same, so I did a few others and so were they (a month ago, so I don't remember exactly which ones).

Also if anyone knows how to find CG levels, I'd be thankful. Tried the Defy tool posted around here, but no luck except 45. Have a thread here if someone who knows cares to chime in.
 

eiyee

Member
Jan 29, 2012
20
34
Utopia
[34250.065948] SecGetSWRV = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00

Thanks Otto! As Kaffeekranz noted this matches the value observed on the Chinese eng phones.

Forget that, I hadn't even noticed someone with an unlocked phone has already run the module.
But knowing that this seems to be common behaviour from Asia to South America is still nice, as there really seems to be a common unlock option at Motorola.
Whatever.. Eiyee, get on it!

Happily! Send me a PM to learn my typical hourly rate :p .. just joking of course.

Actually I don't see where to go with regard to eFuses. There is still no evidence that a normal locked Defy can be turned into an engineering phone only by some software mechanism - for all we know, the Chinese phones and Otto's phone could just have been produced with different initial eFuse values.

Until we can get evidence that it can be done, personally I remain sceptical about the possibility of resetting eFuse values. TI's OMAP security mechanism relies on them being irreversible and it would be a major fail with, I presume, some very big and unhappy TI customers if it turned out the eFuses could not be relied on.

Also if anyone knows how to find CG levels, I'd be thankful. Tried the Defy tool posted around here, but no luck except 45. Have a thread here if someone who knows cares to chime in.

You could try this quick python hack. Not tested much, perhaps it even works. :)

Code:
#!/usr/bin/env python3
# Scan one or more image files (e.g. .smg partitions extracted from an SBF) for
# a fixed 16-byte signature and print the 32-bit little-endian value stored
# immediately before each occurrence, which this script reads as the version
# (CG level) field. Python 3: files are read as bytes and the pattern is bytes.

import struct
import sys

SIG = b"\xb4\x01\x00\xca\x02\x14\xda\x95\x1b\x6d\xdc\x97\x07\xce\x40\xea"

for path in sys.argv[1:]:
    with open(path, "rb") as f:
        img = f.read()

    off = 0
    found = False
    while True:
        i = img.find(SIG, off)
        if i < 0:
            break
        found = True
        if i >= 4:
            version = struct.unpack("<I", img[i - 4:i])[0]
            print("%s version %d (@%#x)" % (path, version, i - 4))
        else:
            # Signature sits at the very start: no room for a version field before it.
            print("%s signature at %#x has no preceding version field" % (path, i))
        off = i + len(SIG)

    if not found:
        print("%s sig not found" % path)
 

skeevydude

Inactive Recognized Contributor
Feb 10, 2012
3,072
3,042
39
Hot Springs
Thanks Otto! As Kaffeekranz noted this matches the value observed on the Chinese eng phones.



Happily! Send me a PM to learn my typical hourly rate :p .. just joking of course.

Actually I don't see where to go with regard to eFuses. There is still no evidence that a normal locked Defy can be turned into an engineering phone only by some software mechanism - for all we know, the Chinese phones and Otto's phone could just have been produced with different initial eFuse values.

Until we can get evidence that it can be done, personally I remain sceptical about the possibility of resetting eFuse values. TI's OMAP security mechanism relies on them being irreversible and it would be a major fail with, I presume, some very big and unhappy TI customers if it turned out the eFuses could not be relied on.



You could try this quick python hack. Not tested much, perhaps it even works. :)

Thanks, will test when I get home. Python2.x or 3.x ?
 

nameite

Senior Member
Aug 1, 2011
268
24
MSM7227A = ARMv6

Herpderp Defy.

No read here

I bought my gf the XT615; it has the same CPU (MSM7227A) as the new Defy XT535 and Defy Mini.

Short bench on SetCPU is around 400ms and long bench is around 450ms.
Compared to my Defy@1200MHz, my short bench was 180ms and long bench was 450ms.

Anyways I dont think the new Defy will be helpful to us...
 

skeevydude

Inactive Recognized Contributor
Feb 10, 2012
3,072
3,042
39
Hot Springs
You could try this quick python hack. Not tested much, perhaps it even works. :)

Code:
#!/usr/bin/env python3
# Scan one or more image files (e.g. .smg partitions extracted from an SBF) for
# a fixed 16-byte signature and print the 32-bit little-endian value stored
# immediately before each occurrence, which this script reads as the version
# (CG level) field. Python 3: files are read as bytes and the pattern is bytes.

import struct
import sys

SIG = b"\xb4\x01\x00\xca\x02\x14\xda\x95\x1b\x6d\xdc\x97\x07\xce\x40\xea"

for path in sys.argv[1:]:
    with open(path, "rb") as f:
        img = f.read()

    off = 0
    found = False
    while True:
        i = img.find(SIG, off)
        if i < 0:
            break
        found = True
        if i >= 4:
            version = struct.unpack("<I", img[i - 4:i])[0]
            print("%s version %d (@%#x)" % (path, version, i - 4))
        else:
            # Signature sits at the very start: no room for a version field before it.
            print("%s signature at %#x has no preceding version field" % (path, i))
        off = i + len(SIG)

    if not found:
        print("%s sig not found" % path)

Thanks, but it gave the same results as the other tool. I've been hoping, since both our phones have the same bootloader and are real, real similar in other aspects, that maybe the SBFs were signed the same in regards to CG level.

I really do hope you guys succeed with unlocking the bootloader. With all the knowledgeable and determined devs here, you'll turn that 1 to a 0 eventually.
 

Kaffeekranz

Senior Member
Dec 29, 2010
240
128
Actually I don't see where to go with regard to eFuses. There is still no evidence that a normal locked Defy can be turned into a engineering phone only by some software mechanism - for all we know, the Chinese phones and Otto's phone could just have been produced with different initial eFuse values.

Until we can get evidence that it can been done, personally I remain sceptical about the possibility of resetting eFuse values. TI's OMAP security mechanism relies on them being irreversible and it would be a major fail with, I presume, some very big and unhappy TI customers if it turned out the eFuses could not be relied on.

Though it would be highly unlikely that Otto and the Chinese guys got a BAD phone right after sending them in because of downgrade/bootloader issues.
We can say for sure that those secure bits can't be reverted, right? HS stays HS.
The only thing Otto can do is flash unsigned images, which mbmloader allows, whereas mbmloader can't be replaced with something else (which seems to be consistent with Moto's official unlocks regarding the Razr Dev phones).
Unfortunately I can't find much on the internet describing TI's CPFROM (customer programmable fuses ROM).

Are you sure that those SWRVs actually describe efuse bits?
I really don't understand much about this whole topic, but don't sbf upgrades (v5, v6, recently v7) alter exactly these SWRVs bits?
The only thing we know for sure is that SecProcessorType can't be altered and still stays at 44 even on the "unlocked "phones, right?


_________

Funny story:
Most of the time I'm googling for documents I come across IRC logs with you discussing this topic on the milestone channel.
 

ofmb

Senior Member
Mar 3, 2011
561
170
Does anyone have a stable kexec-ed kernel for the Defy to play with?

AFAIK Quarx managed to kexec on the Defy but failed to keep it alive.
On the Milestone they reached a point where they just couldn't reset/re-init the radio.
So, if a pre-alpha kernel were released we could aim our efforts at finding a way to make the radio work instead of unlocking the bootloader itself.

Tell me what you think about that..
 

Top Liked Posts

  • 23
    OK, me again :p
    Finally, I got the unlock truth... from the one who really, really knows about embedded development.

    First, "TI OMAP Board Configure Tool" is just a tool from TI; obviously it's not for public download, just for the companies which bought their OMAP development board. This tool can be used to flash the NAND chip, configure the kernel ARM board, preboot the board (just like the "tethered" mode on Apple iOS devices) etc.
    Second, the 16MB .bin file is a baseboard project file from Moto. This file contains a project header, preboot code and a tiny u-boot system etc.
    Third, the factory reset mode can be used to configure hardware parameters (such as CPU/RAM freq, sensors etc) and software parameters (such as NAND write address, device type [S/SE], secure switch, environment etc) and for hardware self-check.

    The customer service uses the "TI OMAP Board Configure Tool" to configure the broken phone, such as flashing firmware, prebooting to factory mode etc.
    When they get the broken phone, they use RSD first; if it does not work they will use the "TI OMAP Board Configure Tool" to preboot the phone into factory reset mode (with the baseboard project file).
    In the factory reset mode, hardware self-check is the first thing; if the hardware is OK they will try to configure the software parameters (such as switching off the secure check so that they can flash *ANY* SBF, emptying the environment variable so that the phone becomes an eng-board, etc).

    So, the unlocking process is just to get into the factory reset mode and switch off the secure check, or empty the environment variable (to become an eng-board), or open the fastboot mode.

    The truth of the JS unlock process is that they use a tool to empty the environment variable, so the IMEI of an unlocked device becomes an invalid 00000012345 etc. Obviously, this may have some side-effects.

    At last, the man told me: DO NOT SIMPLY TRY TO UNLOCK WITH RECOVERY (or similar utils on the phone), because Linux cannot access the most important things; these things are not stored in MTD partitions, so Linux won't (can't) mount them. Or you can just hack the bootloader program to bypass the secure check, but it's difficult!

    He says that apart from the TI tools, we can research the RSD tool and will find some useful addresses, so that we can write some zeros into the address and empty the environment variable.

    Now I think there is an easier way to go: come on everybody, let's find the man who learned to use JTAG (or other) to dump the data of the entire NAND chip of an unlocked device, and grab the header of the data. This data is the unlocked configuration.
    20
    It can be dangerous for your Defy at this stage!!


    Please donate to our developer, Epsylon3 :
    http://xdaforums.com/showthread.php?t=1446106


    Summary : (Thanks coleho_ and t0desicy)
    http://xdaforums.com/showpost.php?p=21579211&postcount=521
    http://daccurso.eu/defy/

    Helping with unlock :
    http://xdaforums.com/showpost.php?p=21402316&postcount=167

    MMCBLK dump :
    http://www.mediafire.com/?khnvrrr82azwq89

    Full dump from an unlocked Defy : (Thanks sykoism)
    http://xdaforums.com/showpost.php?p=21398414&postcount=157

    Quick Links :
    Unlocking steps by customer service: http://xdaforums.com/showpost.php?p=21394172&postcount=137 (Thanks viper520)
    and: http://xdaforums.com/showpost.php?p=21395694&postcount=145 (Thanks ericlaw02)

    And thanks to everyone helping us try to unlock the bootloader! Any suggestions ARE WELCOME! :D
    18
    Some thoughts....

    Hi folks,

    Let me first point out that I do not personally own a Defy and that I'm not fully aware of all the bootloaders floating around.
    I had been PM'ed by furrabbit.nh to give some comments on the attempt to unlock the Defy.

    Let me further point out that I am willing to consider the report from the Chinese guy as trustworthy.
    So i'd like to refer to this translation over here:
    http://xdaforums.com/showpost.php?p=21395694&postcount=145

    Mmmmh so how to start...
    The security on OMAP processors is a real engineering masterpiece, once the CPU has been set to HS mode.
    By blowing the HS fuse bit the device gets nearly uncrackable.
    There are only two exceptions:
    1. You've got Motorola's private key and are able to sign your code
    2. You've got an engineering bootloader (signed as well) that does match the hash keys hard-coded into the device

    It seems that there is such code, if we trust the Chinese report :rolleyes:

    So what does omapinfo give us?
    You might refer to the public datasheet of the OMAP3630, which is in fact kind of a subset of the OEM variant which also includes all the security stuff.
    Tell me if you need the link or something...

    Code:
    STATE :      205
    Simply tells us that the device is marked as a high security device (not in GP mode).
    By setting the HS bit the internal ROM is aware of the use case of the platform.
    In other words the internal ROM code "knows" it is executed on a security-enabled smartphone.
    The internal ROM's boot code then treats external devices with certain security aspects and prohibits low level debugging as well (e.g. JTAG access).
    See my thread over here covering the Milestone hardware:
    http://xdaforums.com/showthread.php?t=849632

    Code:
    PKEY0 : c57aa19e 
    PKEY1 : 31fe2d32 
    PKEY2 : 2e48bc96 
    PKEY3 : 15fcea7b 
    PKEY4 : 876578f3
    These device specific hash keys are stored in a particular area called the eFuse bank.
    The dedicated registers simply represent the setting of a particular area of fuse bits.
    Often these bits are unique to a certain platform or device model; in this case all Defys of a certain series will have the same keys.
    Thoughts about efuses:
    http://xdaforums.com/showthread.php?t=911611
    Maybe it's not up to date concerning all information, but gives an idea.

    The internal ROM loader inside OMAP uses these keys to check the consistency of the very first loader
    stored in external memory (mbmloader).
    Usually this is NAND flash or an eMMC storage device.

    The ROM, knowing it is run in HS mode, then expects a certain format for this very first block as well.
    E.g. there are certain keys to grant the rights for the boot code to access special memory areas.

    These keys are even higher level security... I really have to skip some points here,
    because it would be too much to explain it all and it's already late.

    Code:
    CPU-ID: 2b89102f
    This is obvious, if you have a look into the public OMAP3630 manual.
    It is also a hard-coded value and represents the silicon version the processor itself relies on.
    There's no specific effect on the security lock.
    CPU-ID: 1b89102f -> OMAP36xx ES1.1
    CPU-ID: 2b89102f -> OMAP36xx ES1.2
    So you may find 1st generation and 2nd generation devices here... no big deal.
    See page 204 in the OMAP36xx manual.

    If the story of the Chinese guy is true and the service really handed out the same piece of hardware,
    there might be hope to convert a usual phone to an engineering one.
    The engineering bootloader which is used by Motorola simply has to match the pkeys of the customer phones.

    Another story is to flash this loader successfully to your device if you don't have the right tools. So maybe that's why the service needs this mysterious OMAP board configuration tool.
    A good thing would be to have the original SBF file of that boot code.

    At least this technique sounds similar to other manufacturers who decided to open up their bootloader.
    I guess my comment is not quite complete, but I'll have to sleep now.

    Anyway I'll have a look here regularly and try to answer questions if I find some time.
    I also apologize for this technical overdose, but I was asked to put my thoughts down here ;)

    Happy hacking and good luck!

    scholbert
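To make the chain of trust scholbert describes concrete (fuses hold hash keys, the ROM checks the very first external loader against them, and only a vendor-signed loader that matches passes), and eiyee's earlier point that the engineering phones may simply have been fused with different values, here is an added example that is not from the thread and not TI's or Motorola's code. It is a toy secure-boot check in Python: the signature scheme is a Lamport one-time signature over SHA-256 so it runs with the standard library only; the image layout (public key, signature, body), the fuse encoding (a hash of the public key) and every function name are assumptions of this example, and the real OMAP format and algorithm are not shown anywhere on this page.

```python
import hashlib
import os

H = hashlib.sha256
N_BITS = 256                  # one key pair per digest bit
PK_LEN = N_BITS * 2 * 32      # serialized public key
SIG_LEN = N_BITS * 32         # one revealed preimage per digest bit


def digest_bit(d, i):
    return (d[i // 8] >> (7 - i % 8)) & 1


def lamport_keygen():
    """Lamport one-time key pair over SHA-256 (stand-in for the vendor's real algorithm).
    One-time: never sign two different bodies with the same key."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(N_BITS)]
    pk = [[H(s0).digest(), H(s1).digest()] for s0, s1 in sk]
    return sk, pk


def serialize_pk(pk):
    return b"".join(pk[i][b] for i in range(N_BITS) for b in range(2))


def deserialize_pk(raw):
    return [[raw[(2 * i + b) * 32:(2 * i + b + 1) * 32] for b in range(2)] for i in range(N_BITS)]


def lamport_sign(sk, msg):
    d = H(msg).digest()
    return b"".join(sk[i][digest_bit(d, i)] for i in range(N_BITS))


def lamport_verify(pk, msg, sig):
    if len(sig) != SIG_LEN:
        return False
    d = H(msg).digest()
    return all(H(sig[32 * i:32 * i + 32]).digest() == pk[i][digest_bit(d, i)] for i in range(N_BITS))


def fuse_value(pk):
    """What the fuses hold in this model: a hash of the vendor public key, not the key itself.
    Hypothetical encoding; the real PKEY0..4 layout is not described in the thread."""
    return H(serialize_pk(pk)).digest()


def build_image(sk, pk, body):
    """Loader image = public key || signature(body) || body (this example's own layout)."""
    return serialize_pk(pk) + lamport_sign(sk, body) + body


def rom_boot(fuses, image):
    """Model of the HS-mode ROM check on the first external loader: the embedded key
    must hash to the fused value, and the signature over the body must verify."""
    if len(image) < PK_LEN + SIG_LEN:
        return False, "truncated image"
    pk_raw = image[:PK_LEN]
    sig = image[PK_LEN:PK_LEN + SIG_LEN]
    body = image[PK_LEN + SIG_LEN:]
    if H(pk_raw).digest() != fuses:
        return False, "public key does not match fuses"
    if not lamport_verify(deserialize_pk(pk_raw), body, sig):
        return False, "bad signature"
    return True, "boot"


def demo():
    vendor_sk, vendor_pk = lamport_keygen()
    fuses = fuse_value(vendor_pk)                      # blown once at the factory
    genuine = build_image(vendor_sk, vendor_pk, b"mbmloader: production, secure check on")

    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])   # flip one byte of the body

    # Someone without the vendor key signs their own "engineering" loader.
    other_sk, other_pk = lamport_keygen()
    foreign = build_image(other_sk, other_pk, b"mbmloader: engineering, secure check off")

    return {
        "genuine": rom_boot(fuses, genuine),
        "tampered": rom_boot(fuses, tampered),
        "foreign_key": rom_boot(fuses, foreign),
        # The same foreign image on a phone whose fuses hold the other key's hash
        # boots fine: which loaders a phone accepts is fixed by fuse content, so
        # software alone cannot make a production-fused phone take a loader
        # signed under a different key.
        "foreign_fuses": rom_boot(fuse_value(other_pk), foreign),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

The four cases in `demo()` are the ones the thread keeps circling: a genuine image boots, a one-byte change to the body fails the signature, an image under a key the fuses do not recognise is rejected before the signature is even checked, and the identical rejected image boots on a device fused for that other key.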
    18
    @Otto.Br What was your Defy problem, where did you take it, and do you know if it went anywhere else during repair?:cool:

    I was changing the bootlogo again with these instructions.
    Then I issued a REBOOT command in the terminal emulator and the phone just showed a black screen, then I pulled the battery, and realized the phone was still connected through USB; after that the phone wouldn't power up anymore. So I took it to the Moto service center in downtown São Paulo (Av. São Luis 153, Galeria Metrópole). They said their lab was unavailable, so they shipped my phone (which, by the way, is made in Brasil) back to the factory.

    I hadn't realized it was unlocked (SE) until I read this thread. I'll try to flash an Eclair SBF to see what's what.

    BTW my last SBF flash was JRDNEM_U3_3.4.2_179-002_CEE_DEBLUR for CM7.

    - - - - - - - - - - - - - - - - - - - - - - - - - -

    EDIT: Successfully flashed this 2.1 Eclair ROM
    JORDN_U3_6.36.0_SIGNED_USAJRDNTMOB1B4B5DE1028.0R_JORDANTMO_P022_HWp3_Service1FF

    EDIT 2: Also successfully flashed the 2.3 Gingerbread Chinese ROM
    p3a_jordan_umts_jordan_china-user-2.3.4-4.5.3-66-62-test-keys-ChinaRetail-CN

    YEAH!! I really have an unlocked DEFY!!!:D
    If you guys need anything from me just ask!

    Now, back to Froyo CEE => CM7 :D Thanks Quarx, Epsylon3 and Maniac103 for this awesome ROM! And everyone else here for the support! My thanks meter went CRAZY! :D
    13
    :(:(:(:(:(


    I'm so sorry guys to inform you, but today it didn't work out :( :( .. the talk just broke down in between...
    Anyway I have told my classmate who works for Nokia Siemens in Bangkok to ask her Motorola guys for such tools.:p
    I will also be trying to talk to another classmate who is in Texas Instruments for the OMAP tool..
    The treasure hunt has begun... we will do whatever we can to get the "KEY" to the treasure... we know that only unlocking the bootloader can unlock the door of unlimited opportunity :)
    I know you guys had some hopes on me today.. but it's not just today.. the day will come :) :)
    I will be traveling 500km tomorrow to talk to one more guy who can help :)