
[R&D] [Discussion] Non-dev edition bootloader unlocking


tcf38012

Senior Member
Jan 23, 2012
294
275
We need our bootloader unlocked. Yes, the developer editions are useful in this case. Our devices are MSM8960 just so you know.

Current Knowledge:

Appsboot address in memory: We don't know yet. It is not at 0x88F00000 because Motorola stashed it somewhere else (or filled aboot with zeros to protect it from reverse engineering).
We need appsboot reverse engineered in order to unlock the bootloader. I attached some files (ATT 4.1.1) that we need.

Useful links:

http://forum.xda-developers.com/showthread.php?t=1769411
http://forum.xda-developers.com/showthread.php?t=1978703
http://forum.xda-developers.com/showthread.php?t=2086142
http://forum.xda-developers.com/showthread.php?p=35762370

n00bs - STAY AWAY FROM THIS THREAD!!!

Update 1:

Attached memory dump module.

Somebody with root needs to compile the kernel module and run it and upload /sdcard/dump.rom

Thanks!!!

Update 2:

Don't flash another cid + utags.

Instead, mostly by reverse engineering aboot or by dumping and comparing dev editions (which we don't have :( ), we could find out what happens (like whether NAND is written to).

Removed memory dump module because we don't need it (for now).

Update 3:

Just uploaded a bunch of tools and documentation and unlocked bell cid and utags.

Go and download it here:

http://d-h.st/5C9

Update 4:

THIS IS NOT THE ACTUAL BOOTLOADER UNLOCK, THESE ARE TOOLS TO HELP WITH UNLOCKING THE BOOTLOADER!!!

Also, I found a ton of information about aboot (all in the header too). I also found out that 0x88F00000 is protected, rather than aboot being based somewhere else.

The Bell bootloader: if all the CIDs use the same signature, then flash the unlocked Bell cid + utags and voilà, your bootloader is unlocked (does NOT work on AT&T!!!). THIS IS UNTESTED THOUGH, SO DO THIS AT YOUR OWN RISK.



Code:
Non-unified boot


appsbl = 0x00000005
flash partition version = 0x00000003
image source pointer = 0x00000000
Base = 0x88F00000
image size = 0x0003FFD8
Code size = 0x0003F7D8
Base + code size = 0x88F3F7D8
Size of signature = 0x00008000
Code Size + base + Size of signature = 0x88F3FFD8
Certificate Chain Size = 0x0

; note on the arithmetic: image size - code size = 0x800, and the sum on the
; line above (0x88F3F7D8 + sig = 0x88F3FFD8) only holds for a 0x800-byte
; signature, not 0x8000; one of the two figures as posted is off by a digit


Also bad news,

I hard-bricked my device :crying:. But I'm not leaving here without unlocking the bootloader.


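As an added example (the editor's C, not code from this thread, from Motorola or from Qualcomm): a parser for the 40-byte "non-unified boot" MBN header whose field values the post above lists, plus a check that its size fields add up. The field order is the usual Qualcomm MBN layout (ten little-endian 32-bit words). The header bytes are constructed here from the posted values; `signature_ptr` and `cert_chain_ptr` were not posted and are assumed to follow the code at Base + Code size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MBN_HEADER_LEN 40
#define MBN_IMAGE_ID_APPSBL 5u   /* posted as "appsbl = 0x00000005" */

/* Ten little-endian u32 fields, in header order. */
struct mbn_header {
    uint32_t image_id;
    uint32_t flash_parti_ver;  /* "flash partition version" */
    uint32_t image_src;        /* "image source pointer" */
    uint32_t image_dest_ptr;   /* "Base": address the image is loaded at */
    uint32_t image_size;       /* code + signature + cert chain */
    uint32_t code_size;
    uint32_t signature_ptr;    /* not posted; assumed Base + code size */
    uint32_t signature_size;
    uint32_t cert_chain_ptr;   /* not posted; assumed signature_ptr + signature size */
    uint32_t cert_chain_size;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse a header from raw bytes: 0 on success, -1 if the buffer is too short. */
int mbn_parse(const uint8_t *buf, size_t len, struct mbn_header *h)
{
    if (len < MBN_HEADER_LEN) return -1;
    uint32_t *f[10] = { &h->image_id, &h->flash_parti_ver, &h->image_src,
        &h->image_dest_ptr, &h->image_size, &h->code_size, &h->signature_ptr,
        &h->signature_size, &h->cert_chain_ptr, &h->cert_chain_size };
    for (size_t i = 0; i < 10; i++) *f[i] = rd32le(buf + 4 * i);
    return 0;
}

/* The size fields must add up; summed in 64 bits so a hostile header cannot wrap. */
int mbn_sizes_consistent(const struct mbn_header *h)
{
    uint64_t sum = (uint64_t)h->code_size + h->signature_size + h->cert_chain_size;
    return sum == h->image_size;
}

/* Where the signature lands once the image is loaded at Base. */
uint32_t mbn_signature_addr(const struct mbn_header *h)
{
    return h->image_dest_ptr + h->code_size;
}

/* Constructed input: the values from the post, serialised as a header. */
void build_posted_header(uint8_t out[MBN_HEADER_LEN], uint32_t signature_size)
{
    uint32_t base = 0x88F00000u, code = 0x0003F7D8u;
    uint32_t v[10] = { MBN_IMAGE_ID_APPSBL, 3u, 0u, base, 0x0003FFD8u, code,
                       base + code, signature_size, base + code + signature_size, 0u };
    for (size_t i = 0; i < 10; i++) wr32le(out + 4 * i, v[i]);
}

/* Parse the posted values with a given signature size; 1/0 consistent, -1 on error. */
int posted_header_consistent(uint32_t signature_size)
{
    uint8_t raw[MBN_HEADER_LEN];
    struct mbn_header h;
    build_posted_header(raw, signature_size);
    if (mbn_parse(raw, sizeof raw, &h) != 0) return -1;
    return mbn_sizes_consistent(&h);
}

uint32_t posted_signature_addr(void)
{
    uint8_t raw[MBN_HEADER_LEN];
    struct mbn_header h;
    build_posted_header(raw, 0x8000u);
    mbn_parse(raw, sizeof raw, &h);
    return mbn_signature_addr(&h);
}

int main(void)
{
    printf("signature at 0x%08X\n", posted_signature_addr());
    printf("sig size 0x8000 as posted: %s\n",
           posted_header_consistent(0x8000u) ? "consistent" : "INCONSISTENT");
    printf("sig size 0x800 (image - code): %s\n",
           posted_header_consistent(0x800u) ? "consistent" : "INCONSISTENT");
    return 0;
}
```

Run as-is, the posted 0x8000 signature size fails the check while 0x800 (image size minus code size) passes, which is also what the post's own "Code Size + base + Size of signature = 0x88F3FFD8" line implies.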

tcf38012

Senior Member
Jan 23, 2012
294
275
Some Arm Code:

Code:
start
    MOV        R8, #0 ; We haven't compared any bytes yet...

loc_88F18A80
    ADD.W           R3, R4, R8 ; R4 (I don't remember if this is an address or a return value) + 78 = The UNIQUE_KEY
    LDRB.W          R2, [R6,R8] ; Load input code
    LDRB.W          R3, [R3,#0x4E] ; Load correct code
    CMP             R2, R3 ; Compare the nth byte of the correct code with the code that was input
    BEQ             loc_88F18AC0 ; If they are equal, move to the next byte
    B password_incorrect ; Password is incorrect

loc_88F18AC0
    ADD.W           R8, R8, #1 ; Byte done
    CMP.W           R8, #20 ; Do this twenty times, i.e. the length of the passcode
    BNE             loc_88F18A80 ; We haven't done it twenty times yet, keep going until we have compared each byte
    B unlock_bootloader ; Password is correct, unlock the bootloader!!!
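The compare loop in the disassembly above, rewritten in C as an added example (the editor's code, not from the thread or from the device firmware), next to a constant-time version of the same check. The sample key region and input bytes are constructed; the assumption that the expected code sits at R4 + 0x4E comes from the posted `LDRB.W R3, [R3,#0x4E]`, and the 20-byte length from `CMP.W R8, #20`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UNLOCK_CODE_LEN   20     /* CMP.W R8, #20 in the posted loop */
#define UNIQUE_KEY_OFFSET 0x4E   /* LDRB.W R3, [R3,#0x4E]: expected code at R4 + 0x4E */
#define KEY_REGION_LEN    (UNIQUE_KEY_OFFSET + UNLOCK_CODE_LEN)

/* Mirrors the posted loop. Returns how many bytes were examined before it
 * stopped; *unlocked is 1 only if all UNLOCK_CODE_LEN bytes matched. Like the
 * assembly, it leaves the loop at the first mismatching byte. */
size_t unlock_compare_early_exit(const uint8_t *input, const uint8_t *r4, int *unlocked)
{
    size_t r8 = 0;                                   /* MOV R8, #0 */
    for (; r8 < UNLOCK_CODE_LEN; r8++) {
        if (input[r8] != r4[UNIQUE_KEY_OFFSET + r8]) { /* CMP R2, R3 ; BEQ not taken */
            *unlocked = 0;                           /* B password_incorrect */
            return r8;
        }
    }
    *unlocked = 1;                                   /* B unlock_bootloader */
    return r8;
}

/* Constant-time counterpart: every byte is read and folded into diff, so the
 * amount of work does not depend on where the first mismatch is. */
int unlock_compare_ct(const uint8_t *input, const uint8_t *r4)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < UNLOCK_CODE_LEN; i++)
        diff |= (uint8_t)(input[i] ^ r4[UNIQUE_KEY_OFFSET + i]);
    return diff == 0;
}

/* Constructed sample: a made-up 20-byte code, placed after 0x4E filler bytes. */
static const uint8_t SAMPLE_CODE[UNLOCK_CODE_LEN] = {
    0x31, 0x41, 0x59, 0x26, 0x53, 0x58, 0x97, 0x93, 0x23, 0x84,
    0x62, 0x64, 0x33, 0x83, 0x27, 0x95, 0x02, 0x88, 0x41, 0x97 };

static void build_sample_key_region(uint8_t *region)
{
    memset(region, 0xAA, KEY_REGION_LEN);
    memcpy(region + UNIQUE_KEY_OFFSET, SAMPLE_CODE, UNLOCK_CODE_LEN);
}

/* Input that matches the first n bytes of the code and differs at byte n. */
static void make_prefix_input(size_t n, uint8_t *input)
{
    memcpy(input, SAMPLE_CODE, UNLOCK_CODE_LEN);
    if (n < UNLOCK_CODE_LEN) input[n] ^= 0xFF;       /* guaranteed mismatch at byte n */
}

/* How far the early-exit loop gets for a prefix-of-n input (n < 20). */
size_t bytes_compared_for_prefix(size_t n)
{
    uint8_t region[KEY_REGION_LEN], input[UNLOCK_CODE_LEN];
    int unlocked;
    build_sample_key_region(region);
    make_prefix_input(n, input);
    return unlock_compare_early_exit(input, region, &unlocked);
}

/* The constant-time check on the same prefix-of-n input (1 = accepted). */
int ct_accepts_prefix(size_t n)
{
    uint8_t region[KEY_REGION_LEN], input[UNLOCK_CODE_LEN];
    build_sample_key_region(region);
    make_prefix_input(n, input);
    return unlock_compare_ct(input, region);
}

/* Both routines on the fully correct code; 1 if both accept it. */
int both_accept_correct_code(void)
{
    uint8_t region[KEY_REGION_LEN];
    int unlocked;
    build_sample_key_region(region);
    size_t n = unlock_compare_early_exit(SAMPLE_CODE, region, &unlocked);
    return unlocked && n == UNLOCK_CODE_LEN && unlock_compare_ct(SAMPLE_CODE, region);
}

int main(void)
{
    for (size_t n = 0; n < UNLOCK_CODE_LEN; n += 5)
        printf("mismatch at byte %2zu: early-exit loop compared %2zu bytes, ct accepts %d\n",
               n, bytes_compared_for_prefix(n), ct_accepts_prefix(n));
    printf("correct code accepted by both: %d\n", both_accept_correct_code());
    return 0;
}
```

The early-exit version's return value is exactly the mismatch position, i.e. its running time grows with the number of correct leading bytes. Whether that difference is observable through whatever interface the code is entered on is not something this thread establishes; the constant-time form is simply the standard way to compare a secret.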

Abu-7abash

Senior Member
Feb 21, 2011
2,620
336
30
Amman
Re: [R&D] Non-dev edition bootloader unlocking

Great to see someone working on this. God knows how bad we need it.

Sent from my MB886 using Tapatalk 2
 

Youngunn2008

Senior Member
Aug 2, 2010
3,291
1,552
Alton, IL
We need our bootloader unlocked. Yes, the developer editions are useful in this case. Our devices are MSM8960 just so you know.

Current Knowledge:

Appsboot address in memory: 0x88F00000
We need appsboot reverse engineered in order to unlock the bootloader. I attached some files (ATT 4.1.1) that we need.

Useful links:

http://forum.xda-developers.com/showthread.php?t=1769411
http://forum.xda-developers.com/showthread.php?t=1978703
http://forum.xda-developers.com/showthread.php?t=2086142
http://forum.xda-developers.com/showthread.php?p=35762370

n00bs - STAY AWAY FROM THIS THREAD!!!

Update 1:

Attached memory dump module.

Somebody with root needs to compile the kernel module and run it and upload /sdcard/dump.rom

Thanks!!!

Great man. I have root what do you need me to do with compiling kernel module?

Sent from my MotoAHD Maxx

popfan

Senior Member
Jan 26, 2011
864
250
Wouldn't someone with an unlocked bootloader need to run it? Locked bootloaders cannot run kernel modules as far as I know.
 

TTLayland

Senior Member
Jan 10, 2013
572
157
Orlando
Kudos to all of you for giving this a solid effort. We have a nice bounty brewing for whomever opens this device up.

Sent from my MB886 using xda app-developers app
 

miko85

Senior Member
Jun 26, 2009
208
49
36
I know, right? Someone figures this out and they get their car paid for a month lol
 

Top Liked Posts

    4
    I'm downloading right now to see what kind of stuff this is. I'll have to look at the Motorola Unlock tool as well.

    EDIT: If you don't know anything about what you're doing, don't download it. It's not an unlock, it's useful information and files.

    Sent from my MB886 using xda app-developers app
    3
    You think a prototype will help unlock production builds of the phone? I'm not saying it won't, I just remember someone saying that they had little value for us.

    Sent from my MB886 using xda app-developers app

    Well,

    It can root our devices.

    I've got a possible exploit for root on userdebug devices.

    I just need the boot image.
    3
    I want to buy this phone so badly, but for a flash addict like me, it would be like going to rehab.
    3
    I love this Atrix HD but not having root is killing me... keep working, guys! We'll pay up!

    Sent from my MB886 using xda app-developers app