[Dev] Bypass "bootloader" [PROPER METHOD]

Search This thread

the_laser

Senior Member
Feb 15, 2011
271
1,037
Greetings.

warning.
if you are not developer, please quit reading that post.
wait for user friendly tool with one big button.


here ( View attachment qsd8250.7z) is toolset to permanently "unlock" semcboot of qsd8250 semc phones ( x10a,x10i, so-o1b )

that means, you can use own kernel and so on.

it is much more better,stable,faster method, than present "bypass".

steps,precautions, etc.

unpack archive to any directory.

if you using eset antivirus or similar ****, it will find evil virus in adb.exe.
ignore that, it is not virus in any way, it is standard android debug bridge, bundled in one file to save space and usability.


now, if your phone unlocked officially:

flash phone with standard 2.0,2.1 android firmware,because kernel mapper module compiled for "2.6.29" kernel.

of course, enable "usb debugging"

run qsd8250_semc.cmd,
( if you want, examine it before run, it is pretty straightforward. )

you will get similar output

Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
1464 KB/s (585731 bytes in 0.390s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
192 KB/s (3087 bytes in 0.015s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
504 KB/s (8064 bytes in 0.015s)
Second, we need to write semcboot ;)
1531 KB/s (588236 bytes in 0.375s)
successfully wrote 0001ff80
Press any key to continue . . .

bingo, your phone now has unlocked bootloader.

if your phone unlocked by setool2 software, use qsd8250_setool2.cmd

if your phone unlocked by 3rd-party software other than setool2, do not run anything -
it will disable radio capability of your phone and you will need to unlock phone by setool2 software.
hopefully, mizerable flea and mOxImKo will release something similar for your phone.


to find out what tool was used to unlock your phone, use that ( View attachment s1tool.7z ) tool.
if you will see "NOT RECOGNIZED SIMLOCK CERTIFICATE", you are out of luck.


okay, now about other details.

1.
unlocked bootloader require unlocked loader, yep ?

loader\loader.sin is special unlocked loader, which will be accepted ONLY after your "unlock" semcboot with previous steps.

to distinguish unlocked semcboot and original semcboot, first letter in version tag of semcboot output will be lower case, i. e. "r8A033"

( same applies for loader version tag )

so, all that stuff with signatures are not for us, so i removed them - loader will ignore signature part of SIN file.

2.
we should make SIN file somehow, right ?
for that i prepared "dumb" bin2sin utility.

Syntax : bin2sin [input] [partition info, 32 digits] [type] [block size]

[input] - is input binary file.

[partition info]
android implementation on s1 semc qualcomm phones based on partitions,so we MUST define it for our file.

you can get required partition info from standard semc sin files, it is first 0x10 bytes of DATA, right after header, i.e.
x10 kernel partition info
03000000220000007502000062000000

[type] - partition type, 9 - partition without spare, 0xA - partition with spare.
kernel partition is partition without spare.
if that parameter omitted, type = 9

[block size] - nand block size, if omitted, it is standard size 0x20000

there is example in sinTools\example_build.cmd

3.
kernel should be prepared specially to be accepted by semcboot.
for that there is tool bin2elf.

Syntax : bin2Elf.exe [nbrOfSegments] [EntryPoint] [Segment1] [LoadAddress1] [Attributes1] ...

we need 2 segments:
segment 1 is unpacked linux kernel image, i.e.
( x10/kernel/arch/arm/boot/Image )

it looks like entrypoint and load address for segment 1 is always same for all qsd8250-based semc phone, it is 0x20008000

attributes for image 0x0

segment 2 is ramdisk.

it looks like entrypoint and load address for segment 1 is always same for all qsd8250-based semc phone, it is 0x24000000

set attributes for ramdisk 0x80000000, that is extremly important.

there is simple kernel example in sinTools\example_build.cmd

ps.

patched semcboot is doing exactly same thing as official "bootloader unlock" ( for some idiotic reasons called "rooting" ) , it skips checking of aARM firmware part ONLY.

it will NOT unlock your phone from network.

after procedure, you CAN use Emma/seUS safely.
 
Last edited:

-- X10B --

Senior Member
Jan 20, 2011
483
126
Antipolo
Wondering if devs can incorporate this into flashtool so users can unlock the bl easily..

I guess it wont be easy cause if the person press the wrong (button)method, he will loose radio. As per the_laser said.

Correct me if i am wrong.

sent from my stock gb not rooted and no add ons.
 

bharadwaj1991

Senior Member
Feb 20, 2011
230
47
After reading the comments the_laser wrote on the X8 forum i think i got it. This IS a bootloader unlock EXCEPT for it ignoring the aARM thing, which then defines it as a "bypass" rather than a real unlock. But it does everything a real unlock does.

ALSO anybody know about my predicament...i used maxrfon simunlock method and will try this if i know if i can use teh setool2 version cuz i think it follows the same way maxrfon unlock works.
 

andrewddickey

Senior Member
Jan 23, 2011
198
74
Flashed X10a_2.0.A.0.504_Generic and ran qsd8250_semc.cmd

results:
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
* daemon not running. starting it now *
* daemon started successfully *
3530 KB/s (585731 bytes in 0.162s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights
.
274 KB/s (3087 bytes in 0.011s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
605 KB/s (8064 bytes in 0.013s)
Second, we need to write semcboot ;)
2735 KB/s (588228 bytes in 0.210s)
successfully wrote 0001ff80
Press any key to continue . . .

Let's see what we can do now.
 

aZuZu

Inactive Recognized Developer
Jan 19, 2011
638
941
40
Zagreb
Strange!
First:
.config.gz in kernel shows
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.29
# Fri Jan 7 18:21:13 2011
#
Which is like 5 months ago... Where where test versions? :confused:

Second:
So you are saying that for format of "boot" we must use zImage... That is just sick... :mad:

Third:
Joining of kernel & ramdisk two exe files + batch? Seriously? Come on man! Add some ****ing args support too... :eek:

Fourth:
I will try this when my phone get's back...
 

Arnold.Alexius

Senior Member
Aug 12, 2011
163
65
So its finally bypassed. congrats to all dev working on it. ill try it after there is some kernels/rom/tweaks that require BL bypass. and again. great work.
 
Last edited:

iridaki

Retired Forum Moderator
Feb 21, 2007
4,534
5,209
34
Edinburgh, Scotland
I think Z mentioned how they have the MT driver but dont have a way of incorprating it in because of the locked bootloader, if it's unlocked then he can do it, maybe..

Actually he said the exact opposite:
they don't have the drivers and they'd have to write them from scratch, which is next to impossible.
"Rocket science", his words, not mine.
So, let's don't get our hopes up just yet. Stay calm. ;)

Xperia X10i via Tapatalk
 

scattaman

Senior Member
May 11, 2010
183
40
Montego bay
Come on! its been over 2 hours since this was released! where are the Roms using cracked bootloader!!

:D

I'm just breaking the ice, please dont take me seriously!

But out of curiosity, what are the realistic possibilities from having a cracked bootloader? what have the other Android phones done with their cracked bootloaders?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 159
    Greetings.

    warning.
    if you are not developer, please quit reading that post.
    wait for user friendly tool with one big button.


    here ( View attachment qsd8250.7z) is toolset to permanently "unlock" semcboot of qsd8250 semc phones ( x10a,x10i, so-o1b )

    that means, you can use own kernel and so on.

    it is much more better,stable,faster method, than present "bypass".

    steps,precautions, etc.

    unpack archive to any directory.

    if you using eset antivirus or similar ****, it will find evil virus in adb.exe.
    ignore that, it is not virus in any way, it is standard android debug bridge, bundled in one file to save space and usability.


    now, if your phone unlocked officially:

    flash phone with standard 2.0,2.1 android firmware,because kernel mapper module compiled for "2.6.29" kernel.

    of course, enable "usb debugging"

    run qsd8250_semc.cmd,
    ( if you want, examine it before run, it is pretty straightforward. )

    you will get similar output

    Code:
    process requires standard 2.x android firmware.
    Press any key to continue . . .
    Getting ROOT rights.
    1464 KB/s (585731 bytes in 0.390s)
    error: protocol fault (no status)
    Waiting ...
    Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
    192 KB/s (3087 bytes in 0.015s)
    success
    Waiting ...
    Getting ROOT rights.
    Waiting ...
    Writing patched semcboot. Two step process
    First, we need get access to semcboot area
    504 KB/s (8064 bytes in 0.015s)
    Second, we need to write semcboot ;)
    1531 KB/s (588236 bytes in 0.375s)
    successfully wrote 0001ff80
    Press any key to continue . . .

    bingo, your phone now has unlocked bootloader.

    if your phone unlocked by setool2 software, use qsd8250_setool2.cmd

    if your phone unlocked by 3rd-party software other than setool2, do not run anything -
    it will disable radio capability of your phone and you will need to unlock phone by setool2 software.
    hopefully, mizerable flea and mOxImKo will release something similar for your phone.


    to find out what tool was used to unlock your phone, use that ( View attachment s1tool.7z ) tool.
    if you will see "NOT RECOGNIZED SIMLOCK CERTIFICATE", you are out of luck.


    okay, now about other details.

    1.
    unlocked bootloader require unlocked loader, yep ?

    loader\loader.sin is special unlocked loader, which will be accepted ONLY after your "unlock" semcboot with previous steps.

    to distinguish unlocked semcboot and original semcboot, first letter in version tag of semcboot output will be lower case, i. e. "r8A033"

    ( same applies for loader version tag )

    so, all that stuff with signatures are not for us, so i removed them - loader will ignore signature part of SIN file.

    2.
    we should make SIN file somehow, right ?
    for that i prepared "dumb" bin2sin utility.

    Syntax : bin2sin [input] [partition info, 32 digits] [type] [block size]

    [input] - is input binary file.

    [partition info]
    android implementation on s1 semc qualcomm phones based on partitions,so we MUST define it for our file.

    you can get required partition info from standard semc sin files, it is first 0x10 bytes of DATA, right after header, i.e.
    x10 kernel partition info
    03000000220000007502000062000000

    [type] - partition type, 9 - partition without spare, 0xA - partition with spare.
    kernel partition is partition without spare.
    if that parameter omitted, type = 9

    [block size] - nand block size, if omitted, it is standard size 0x20000

    there is example in sinTools\example_build.cmd

    3.
    kernel should be prepared specially to be accepted by semcboot.
    for that there is tool bin2elf.

    Syntax : bin2Elf.exe [nbrOfSegments] [EntryPoint] [Segment1] [LoadAddress1] [Attributes1] ...

    we need 2 segments:
    segment 1 is unpacked linux kernel image, i.e.
    ( x10/kernel/arch/arm/boot/Image )

    it looks like entrypoint and load address for segment 1 is always same for all qsd8250-based semc phone, it is 0x20008000

    attributes for image 0x0

    segment 2 is ramdisk.

    it looks like entrypoint and load address for segment 1 is always same for all qsd8250-based semc phone, it is 0x24000000

    set attributes for ramdisk 0x80000000, that is extremly important.

    there is simple kernel example in sinTools\example_build.cmd

    ps.

    patched semcboot is doing exactly same thing as official "bootloader unlock" ( for some idiotic reasons called "rooting" ) , it skips checking of aARM firmware part ONLY.

    it will NOT unlock your phone from network.

    after procedure, you CAN use Emma/seUS safely.
    14
    @the_laser

    1) wht do we do if we want to relock bootloader? i am asking just for having a fail-safe option open...

    "unlocked" bootloader does absolutely same things as original, nothing changed.
    no need to return back ;)

    2) can we modify the S1 loader to accept fastboot commands?

    it is like writing it from scratch.
    better build some kernel module for that.

    3) can we now write to /boot partition in OS/recovery? (raw_write)?

    sin signature checking removed totally, you can write anything in phone.
    however, there is few restrictions:

    1.
    partition info and sin type should be proper.
    you can check partition info in corresponding original semc firmware files.

    2.
    semcboot WILL check following and STOP phone in case of failure:

    - security zone validity
    - FOTA code validity
    - mARM ( AMSS or modem code ) validity
    - DSP code validity

    you can safely build and flash own

    kernel_S1-SW-LIVE-AC12-0001-S1-PARTITION.sin
    system_S1-SW-LIVE-AC12-0001-S1-PARTITION-WITH-SPARE.sin
    userdata_S1-SW-LIVE-AC12-0001-S1-PARTITION-WITH-SPARE.sin

    again, do not forget use proper SIN type.
    11
    yaay my 2.3.3 custom kernel booted :)

    no more SE text logo!!!


    @all
    KINDLY STOP CHATTING IN THIS THREAD

    THAT'S AWESOME NEWS!

    And the X10 gets yet another successful burst from the Dev defibrillator! It is alive and kicking once more!


    Here's been the timeline of the X10. It's quite spectacular actually.

    -Pre-release. Huge hype and frenzy and craziness
    -Release-Even more craziness and hype
    -Post-release-dissapointment at locked bootloader and FPS cap and lag
    -Most of 2010-dissapointment at lack of updates, 2.1 delay, lack of rooting
    -Late 2010-Huge hype about 2.1 and its release, phone rooted, dualtouch, phone alive again
    -Early 2011-Great new custom ROMs, phone is alive and kicking, bootloader bypass
    -March 2011-Gingerbread update news, Bootloader bypassed, 2.2 Camera
    -April-June 2011-Dissapointment over no update by SE
    -July-August 2011-Huge craze over upcoming 2.3 update and wild speculation begins
    -August 2011-Release of GB. Mixed reviews but mostly positive. New life breathed into X10. Great stuff ported from Arc.
    -September 2011-Bootloader UNLOCKED! Even more awesomeness coming up!


    Which phone has this kind of history, ever?!
    -
    7
    to solve confusions:

    to unlock bootloader you DO NOT need to have "network unlocked" phone.

    however, if your phone was unlocked from network by any other 3rd-party tool than setool2, your phone will lose radio capability due to mismatched security zone.

    to restore radio capability and have unlocked bootloader you will need "unlock from network" phone using setool2.

    but not worry, i'm sure, that omnibus software will soon "integrate" that method ;)
    6
    @doomlord:

    wht i wanted is the ability to flash boot.img via recovery (raw_write/flash_image)
    will that work?
    you can write whatever you want, but it is better stick to semc standards and use SIN files.

    also there seems to be restriction on size of kernel.sin... i tired a large ramdisk and flash was accpeted but ramdisk was unchanged

    maximum partition size is 0x62 blocks ( 0xC40000 bytes ) for x10i
    dunno about ramdisk/etc restrictions .
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone