• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[ABANDONED] Bootloader unlock - discuss bootloader matters here

Search This thread

kevin_diu

Senior Member
Mar 13, 2009
523
114
Hong Kong
It can be dangerous for your Defy on this stage!!


Please donate to our developer, Epsylon3 :
http://forum.xda-developers.com/showthread.php?t=1446106


Summary : (Thanks coleho_ and t0desicy)
http://forum.xda-developers.com/showpost.php?p=21579211&postcount=521
http://daccurso.eu/defy/

Helping with unlock :
http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167

MMCBLK dump :
http://www.mediafire.com/?khnvrrr82azwq89

Full dump from a unlocked defy : (Thanks sykoism)
http://forum.xda-developers.com/showpost.php?p=21398414&postcount=157

Quick Links :
Unlocking steps by customer service: http://forum.xda-developers.com/showpost.php?p=21394172&postcount=137 (Thanks viper520)
and: http://forum.xda-developers.com/showpost.php?p=21395694&postcount=145 (Thanks ericlaw02)

And thanks who helping us to trying to unlock bootloader! Any suggestions ARE WELCOME! :D
 

Attachments

  • clockworkmod.rar
    6.6 KB · Views: 1,306
Last edited:

sunoldman

Senior Member
Jan 20, 2011
144
34
I don't think so, he said his defy has been repaired, maybe it has been replaced with a engineering board...
 

sunoldman

Senior Member
Jan 20, 2011
144
34
Tell him to upload other small partitions as well, such as
mmcblk1p1-mbmloader (128k)
mmcblk1p2-mbm (512k)
mmcblk1p5-bploader (512k)
etc...
 

hackergnome

Senior Member
Apr 21, 2011
2,610
869
Mumbai
oh... i really need to check this :) its hard to get the chinese translation

Posts by unitary good at 2012-1-13 21:54 Edit Home network that did not last, say goodbye to the forum, but who knows, even the signal is not home, so silly, my bl is 6, and did not move, who knows, brush teeth into bl5 package is successful, and brush teeth into bl4 package also successful, and now with the Hong Kong version, for the 00.59.01 baseband version, and finally a signal at home, but my machine is the situation? ? bl unlocked? ? ? I tried, the bottom of any package through the brush bl, the machine did what I seek to answer ah ah, in the rsd brush machine interface displays awareness bl not unlock, but it allows any package through the end of the brush · · · · give answers to a large silent under it, ready to be the official package evaluation, 2.2 2.3 comparison, because my brush through Well, hey, including Hong Kong Bank, uk national lines, etc., looking forward to it the latest progress, formalized bl unlock the success of my brush into the machine 29, Brush v big package provided by (v large package is to force ah, combining the characteristics of the country and the parallel lines, I like, if you can do not want to brush the other, the clear distinction between parallel and licensed, the battery icon shows different, I love parallel, and this is what I would like to introduce after the end of package features a variety of one v big thank prove my innocence, do not believe that people believe it, ha ha ha, Brush Motorola boot screen shows whether the consent agreement, the following information on the mobile phone scene shot just proposed by the Friends backup pds, the last defeat, this time successful, upload pds backup, in order to brush into the oil are convenient, Just brush the cm7.2, with its advanced backup equipment, and more can all be theoretically recovery5.0 brush into big God who study it, as uploaded to the xda, please altar faithful refueling, home unable to claw machine ah Attachment: You need to log in before you can download or view attachments. No account? Sign up now

huh???
wtf!!

Sent from my MB525 using xda premium
 

Top Liked Posts

  • There are no posts matching your filters.
  • 23
    OK, me again :p
    Finally, I got the unlock truth....from the one who really really knows about embedded development.

    First, "TI OMAP Board Configure Tool" is just a tool from TI, obviously it's not for public download. Just for the companys which bought their OMAP Development Board. This tool can be used for flash the nand chip, configure the kernel arm board, preboot the board (just like the "tethered" in Apple IOS device) etc.
    Second, the 16MB .bin file is a baseboard project file from Moto. This file contains project header, preboot code and a tiny uboot system etc.
    Third, the factory reset mode can be used for configure hardware parameters (such as cpu/ram freq, sensors etc) and software parameters (such as nand write address, device type [s/se], secure switch, environment etc) and hardware self-check.

    The customer service uses the "TI OMAP Board Configure Tool" to configure the broken phone, such as flash firmware, preboot to factory mode etc.
    When they got the broken phone, they use the RSD first, if it does not work they will use the "TI OMAP Board Configure Tool" to preboot the phone into factory reset mode (with baseboard project file).
    In the factory reset mode, hardware self-check is the first thing, if the hardware is OK they will try to configure the software parameters (such as switch off the sercure check so that they can flash *ANY* sbf, empty the environment varible so that the phone will become a eng-board, etc).

    So, the unlocking process is just get into the factory reset mode and switch off the secure check or empty the environment varible(to be eng-board) or open the fast boot mode.

    The truth of the JS unlock process is they use a tool to empty the environment varible, so the IMEI of unlocked device has become an invalid 00000012345 etc. Obviously, this may take some side-effects.

    At last, the man told me that DO NOT SIMPLY TRY TO UNLOCK WITH RECOVERY(or similar utils in phone), because the linux can not access to the most important things, because this things are not stored in mtd partitions, the linux won't (can't) mount then. Or you can just hack the bootloader program to bypass the secure check, but it's difficult!

    He says except the TI tools, we can research on RSD tool and will find some useful addresses, so that we can write some zero into the address and empty the environment varible.

    Now I think there is a easiest way to go, come on everybody let's find out the man who learned to use the JTag (or other) to dump the data of entire nand chip of a unlocked device, and grab out the header of the data. This data is the unlocked configuration.
    20
    It can be dangerous for your Defy on this stage!!


    Please donate to our developer, Epsylon3 :
    http://forum.xda-developers.com/showthread.php?t=1446106


    Summary : (Thanks coleho_ and t0desicy)
    http://forum.xda-developers.com/showpost.php?p=21579211&postcount=521
    http://daccurso.eu/defy/

    Helping with unlock :
    http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167

    MMCBLK dump :
    http://www.mediafire.com/?khnvrrr82azwq89

    Full dump from a unlocked defy : (Thanks sykoism)
    http://forum.xda-developers.com/showpost.php?p=21398414&postcount=157

    Quick Links :
    Unlocking steps by customer service: http://forum.xda-developers.com/showpost.php?p=21394172&postcount=137 (Thanks viper520)
    and: http://forum.xda-developers.com/showpost.php?p=21395694&postcount=145 (Thanks ericlaw02)

    And thanks who helping us to trying to unlock bootloader! Any suggestions ARE WELCOME! :D
    18
    Some thoughts....

    Hi folks,

    let me first point out, that i do not personaly own a Defy and that i'm not fully aware of all the bootloaders floating around.
    I had been PM'ed by furrabbit.nh to give some comments on the attempt to unlock the Defy.

    Let me further point out that i am willing to consider the report from the chinese guy as trustworthy.
    So i'd like to refer to this translation over here:
    http://forum.xda-developers.com/showpost.php?p=21395694&postcount=145

    Mmmmh so how to start...
    The security on OMAP processors is a real engineering masterpiece, once the CPU has been set to HS mode.
    By blowing the HS fuse bit the device gets nearly uncrackable.
    There are only to exceptions:
    1. You got Motorolas private key and are able to sign your code
    2. You got a engineering bootloader (signed as well) that does match the hash keys hard-coded into the device

    It seems that there is such a code, if we trust the chinese report :rolleyes:

    So what does omapinfo give us?
    You might refer to the public datasheet of the OMAP3630, which in fact kind of a subset from the OEM variant which includes also all the security stuff.
    Tell me if you need the link or something...

    Code:
    STATE :      205
    Simply tells us that the device marked as high security device (not in GP mode).
    By setting the HS bit the internal ROM is aware about the use case of the platform.
    In other words the internal ROM code "knows" it is executed on a securtity enabled smartphone.
    The internal ROM's bootcode then treats external devices with certain security aspects and prohibits low level debugging as well (e.g. JTAG access).
    See my thread over here covering the Milestone hardware:
    http://forum.xda-developers.com/showthread.php?t=849632

    Code:
    PKEY0 : c57aa19e 
    PKEY1 : 31fe2d32 
    PKEY2 : 2e48bc96 
    PKEY3 : 15fcea7b 
    PKEY4 : 876578f3
    These device specific hash keys are stored in particular area called efuse bank.
    The dedicated registers simply represent the setting of a particular area of fuse bits.
    Often these bits are unique to a certain platform or device model, in this case all Defy's of a certain series will have the same keys.
    Thoughts about efuses:
    http://forum.xda-developers.com/showthread.php?t=911611
    Maybe it's not up to date concerning all information, but gives an idea.

    The internal ROM loader inside OMAP uses these keys to check the consistancy of the very first loader
    stored in external memory (mbmloader).
    Usually this is NAND flash or an eMMC storage device.

    The ROM knowing it is run in HS mode, then expects a certain format for this very first block as well.
    E.g. there are certain keys to grant the rights for the bootcode to access special memory areas.

    These keys are even higher level security... i really have to skip some points here,
    because i would be too much to explain it all and it's already late.

    Code:
    CPU-ID: 2b89102f
    This is obvious, if you have a look into the public OMAP3630 manual.
    It also hard coded value and represents the silicon verison the processor itself relies on.
    There's no specific effect on the security lock.
    CPU-ID: 1b89102f -> OMAP36xx ES1.1
    CPU-ID: 2b89102f -> OMAP36xx ES1.2
    So you may find 1. generation and 2. genration devices here... no big deal.
    See page 204 in OMAP36xx manual.

    If the story of the chinese guy is true and the service really handed out the same piece of hardware,
    there might be hope to convert a usual phone to an engineering one.
    The engineering bootloader which is used by Motorola simply has to match the pkeys of the customer phones.

    Another story is to flash this loader succesfully to your device if you have not the right tools. So maybe that's why the service needs this mysterious OMAP board configuration tool.
    A good thing would be to have the original SBF file of that bootcode.

    At least this technique sounds similar to other manufacturers who decided to open up their bootloader.
    I guess my comment is not quite complete, but i'll have to sleep now.

    Anyway i'll have a look here recently and try to answer questions if i'll find some time.
    I also apologize for this technical overdose, but i was asked to put my thoughts down here ;)

    Happy hacking and good luck!

    scholbert
    18
    @Otto.Br What was your defy problem, where did you take and do you know if it went to anywhere else during repair?:cool:

    I was changing the bootlogo again with this instructions.
    then i issued a REBOOT comand on terminal emulator and the phone just showed a black screen, then i pulled the battery, and realized the phone was still connected thru USB, after that the phone wouldn't power up anymore. so i took it to the Moto service center in downtown São Paulo (Av. São Luis 153, Galeria Metrópole). they said their lab was unavailable, so they shipped my phone (wich, by the way, is made in Brasil) back to the factory.

    I haven't reallized it was unlocked (SE) until i read this thread, I'll try to flash a Ecláir SBF to se what's what.

    BTW my last SBF flash was JRDNEM_U3_3.4.2_179-002_CEE_DEBLUR for CM7.

    - - - - - - - - - - - - - - - - - - - - - - - - - -

    EDIT: Successfully flashed this 2.1 Ecláir ROM
    JORDN_U3_6.36.0_SIGNED_USAJRDNTMOB1B4B5DE1028.0R_JORDANTMO_P022_HWp3_Service1FF

    EDIT 2: Also successfully flashed the 2.3 Gingerbread Chinese ROM
    p3a_jordan_umts_jordan_china-user-2.3.4-4.5.3-66-62-test-keys-ChinaRetail-CN

    YEAH!! I really have a unlocked DEFY!!!:D
    if you guys need anything from me just ask!

    Now, back to froyo CEE => CM7 :D thanks Quarx, Epsylon 3 and Maniac 103 for this awesome ROM! and everyone else here for the support! my thanks meter went CRAZY! :D
    13
    :(:(:(:(:(

    ---------- Post added at 09:22 PM ---------- Previous post was at 09:22 PM ----------

    M so sorry guys to inform that, but today it dint workout :( :( .. talk just broke down it between...
    Anyways i have told my classmate who works for Nokia Siemens in Bangkok to ask her Motorola guys for such tools.:p
    I will also be trying to talk to another classmate who is in Texas Instruments for the OMAP tool..
    The treasure hunt has begun...we will do watever u can to get the "KEY" to the treasure...we know tat only unlocking bootloader can unlock the door of unlimited opportunity :)
    I know u guys had some hopes on me today..but its not just today..the day will come :) :)
    I will be traveling 500km tomorrow to talk to one more guy who can help :)