
Use 'fastboot oem citadel' to unlock bootloader? (Verizon Pixel 3)

I unfortunately have a Pixel 3 from Verizon (when I bought it, it was not described as a Verizon-issued phone; had I known, I wouldn't have bought it). I'm trying to accomplish the impossible by finding some way to unlock the bootloader. Everything has failed, of course. But today I came across some fastboot OEM commands that actually do something, but to what extent, and what they accomplish, I have no idea.
Code:
fastboot oem citadel
(bootloader) citadel <command>
(bootloader) Commands:
(bootloader)     rescue       Try to rescue Citadel
(bootloader)     state        Print current Citadel state
(bootloader)     reset        Reset Citadel
(bootloader)     reset-locks  Reset AVB locks
(bootloader)     version      Print citadel OS version
(bootloader)     reprovision  Reprovision device after a RMA unlock
(bootloader)     suzyq on|off Enable or disable SuzyQable
FAILED (remote failure)
finished. total time: 0.060s

I have tried the reset command and also the reset-locks command. The reset command returns 'OKAY', whereas the reset-locks command comes back with a device error. The only thing I know is that the reset-locks command has something to do with AVB.

When running the state command, a number of things come up. Notably, it lists the locks; there are 4 of them. Locks 1-3 have a value of 1, whereas lock 4 has a value of 0. What these values mean 🤷. It also lists "Bootloader: 1", but after running the reset command, the value for "Bootloader" changes to 0. There is also 'fastboot oem rma', which I have no idea what it stands for or what it does, but when I run it, it requires two other arguments, 'get_challenge' and 'send_response'. I can also enable or disable whatever SuzyQ is. Also, 'fastboot oem continue-factory' works but only appears to reboot the device; if it does anything else, I have no idea.

I'm just trying to get some insight into what these commands might be and what they might do, if anything. If anyone has any information, I'd be happy to hear it.
 
OK, here is the result when running:
Code:
fastboot oem citadel state
2...
(bootloader) Citadel state:
(bootloader) Version         : 1
(bootloader) Bootloader state: 1
(bootloader) Production state: 1
(bootloader) Number of locks : 4
(bootloader) 	Lock[0]: 1
(bootloader) 	Lock[1]: 1
(bootloader) 	Lock[2]: 1
(bootloader) 	Lock[3]: 0
OKAY [  0.129s]
finished. total time: 0.129s

The fourth one, I assume, is NOT locked? I am just guessing 1 = locked, 0 = unlocked, or whatnot. Here's what the values say after running:
Code:
fastboot oem citadel reset
2...
OKAY [  0.170s]
finished. total time: 0.170s

Here is the citadel STATE after running the reset command
Code:
2...
(bootloader) Citadel state:
(bootloader) Version         : 1
(bootloader) Bootloader state: 0
(bootloader) Production state: 1
(bootloader) Number of locks : 4
(bootloader) 	Lock[0]: 1
(bootloader) 	Lock[1]: 1
(bootloader) 	Lock[2]: 1
(bootloader) 	Lock[3]: 0
OKAY [  0.126s]
finished. total time: 0.126s

Now, assuming 0 = unlocked, the 'Bootloader state' after running the reset command goes from a value of 1 to 0. Do we have anything here?
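An added example, not code from this thread or from Google's fastboot tooling, for comparing the two `citadel state` dumps above mechanically rather than by eye: it parses the `(bootloader)` lines into a dict and reports which fields changed across the reset. The sample text is constructed from the output quoted in this post; `read_live_state` is an added helper that runs the real command and assumes a `fastboot` binary on PATH with a device attached. The page does not document what 1 and 0 mean for each lock, so the code reports changes only and attaches no meaning to the values.

```python
"""Parse `fastboot oem citadel state` output and diff two snapshots.

Added example; not part of the original post or of Google's fastboot.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed from the output quoted in the thread so the example runs offline.
STATE_BEFORE = """\
(bootloader) Citadel state:
(bootloader) Version         : 1
(bootloader) Bootloader state: 1
(bootloader) Production state: 1
(bootloader) Number of locks : 4
(bootloader) \tLock[0]: 1
(bootloader) \tLock[1]: 1
(bootloader) \tLock[2]: 1
(bootloader) \tLock[3]: 0
OKAY [  0.129s]
finished. total time: 0.129s
"""
# The dump taken after `fastboot oem citadel reset` differs only in this field.
STATE_AFTER = STATE_BEFORE.replace("Bootloader state: 1", "Bootloader state: 0")

# "(bootloader) <key>: <integer>"; the "Citadel state:" header has no value and is skipped.
_FIELD = re.compile(r"^\(bootloader\)\s+(?P<key>[^:]+?)\s*:\s*(?P<val>-?\d+)\s*$")


def parse_citadel_state(text: str) -> Dict[str, int]:
    """Return e.g. {'Version': 1, 'Bootloader state': 1, ..., 'Lock[3]': 0}.

    Raises ValueError if the lock count the bootloader announces does not
    match the number of Lock[n] lines actually printed (truncated output).
    """
    state: Dict[str, int] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            state[m.group("key")] = int(m.group("val"))
    if not state:
        raise ValueError("no '(bootloader) key: value' lines found")
    locks = [k for k in state if k.startswith("Lock[")]
    if "Number of locks" in state and state["Number of locks"] != len(locks):
        raise ValueError(f"expected {state['Number of locks']} locks, parsed {len(locks)}")
    return state


def diff_state(before: Dict[str, int],
               after: Dict[str, int]) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Return {field: (old, new)} for every field whose value differs."""
    return {
        k: (before.get(k), after.get(k))
        for k in sorted(set(before) | set(after))
        if before.get(k) != after.get(k)
    }


def read_live_state(fastboot: str = "fastboot") -> Dict[str, int]:
    """Run the real command on an attached device (assumes `fastboot` on PATH).

    fastboot writes the "(bootloader) ..." lines to stderr, so both streams are parsed.
    """
    proc = subprocess.run([fastboot, "oem", "citadel", "state"],
                          capture_output=True, text=True, check=False)
    return parse_citadel_state(proc.stderr + proc.stdout)


if __name__ == "__main__":
    before, after = parse_citadel_state(STATE_BEFORE), parse_citadel_state(STATE_AFTER)
    print("locks:", {k: v for k, v in before.items() if k.startswith("Lock[")})
    print("changed by reset:", diff_state(before, after))
```

To use it against a real device, take `read_live_state()` once, run `fastboot oem citadel reset`, take it again and pass both dicts to `diff_state`; the consistency check on the lock count catches the case where the bootloader aborts mid-dump.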
 
SuzyQable = ChromeOS debug cable.
The SuzyQable allows developers, hobbyists, and others to quickly access debugging, recovery, and developer features exposed through some of the USB-C ports on ChromeOS and other Google devices.

I can turn this feature on using the 'fastboot oem citadel suzyq on' command. Looks like if this is to be explored further, I'm going to have to buy one.
 
I have Verizon and I was able to unlock it. Read more on the Russian-language forum 4pda.
I've only seen bits and pieces of this and haven't been able to gather too much because of the language barrier. If there are any links you can provide that will point me in the right direction, or at least a better one, it would be greatly appreciated. I've tried all the tricks I could come across otherwise: changing the date and time, taking the SIM card out, doing a reset and using ADB to disable the phone, etc. I'm no expert, but I can't find a single hint either in hardware or software, with the exception of two applications that cannot be accessed without some kind of activity launcher, and even then only one of them can be accessed without root access. And that is a phone sign-up application for Verizon. However, even with that said, there's nothing else to indicate whatsoever that this phone is actually Verizon, so I'm a little confused as to how this phone would be any different from the international variants if they're made of the same parts with the same exact software. I am currently running Android 12 on this from the developer preview, so if that matters, then maybe I won't be able to do this, maybe I will. But I'll do whatever it takes; I have no shame in experimenting on a device. I already know the risks and have known for several years, so I'm not doing anything I haven't already done on another device at some point.
 
I've been following this thread since the beginning. I have a Verizon P3 XL. Please let me know if there's anything I can test.
Well, not until one of us goes out and gets a SuzyQ USB-C ChromeOS debugging cable (I will look online and see if there are any available locally at Walmart or the like and, if not, buy one online this weekend). What I'm hoping is that this cable will cancel out the 'device error' when doing a lock reset and, if so, we can see what it might do thereafter.

Just a neat little trick I have found in regard to a SIM card or whatnot. If you know of or use the Settings Database Editor application, they also have a feature pack which allows some of these settings to persist across a reboot and stops Android from defaulting any of the settings you change. This might be of use to somebody with one of these devices who does not have one that's carrier unlocked.

Code:
adb shell settings put global euicc_provisioned 1
Then use the Settings Database Editor feature pack (not sure if this is required, but if you decide to use this function when it is turned on, it might be best to remove the persistence from Settings Database Editor). This allowed me to get access right away to Google Fi and other options, to essentially get a new SIM card with new service, and allowed me to choose such service and all that other good stuff.
 
So apparently this debug cable does quite a few things, including, to some capacity, the ability to read and write. If the device is supported, you have access to Closed Case Debugging and servod. Some features this cable allows when they are activated in a ChromeOS chroot environment using hdctools:

  • Control of firmware write protect.
  • Flashing of the AP and EC firmware.
  • EC RW console access.
  • Read I2C INA219 current sensors (though most production boards do not have them populated).

A subset of these features (e.g., UART lines) can be accessed without a cros_sdk chroot.

Once the SuzyQ is plugged in, three /dev/ttyUSB devices will enumerate:

  1. Cr50 console
  2. CPU/AP console (RW)
  3. EC console (RW)
 
Here is the link to the information about what this cable might be able to do. Sorry that I forgot to post it, and sorry that the above reply was so sloppy; I didn't realize. https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/HEAD/docs/ccd.md
 
From the source code of crosshatch:

The text gets garbled when copy-pasting. As soon as I get inside, I will add the text I am speaking of.

Here is a list from the source code for crosshatch of what the Citadel AVB locks are and do:
Code:
# Citadel
PRODUCT_PACKAGES += \
    citadeld \
    citadel_updater \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    wait_for_strongbox
# Citadel debug stuff
PRODUCT_PACKAGES_DEBUG += \
    test_citadel


I can't wait for the cable to get here. I'm licking my chops.
source: https://android.googlesource.com/de...bfe57aaaf2cdd656a4476bbfb5c01314a09/device.mk
 
Note to self and others: DSU (Dynamic System Update), the ability to load a GSI over the current system, does not work on the Verizon variant of this device. When the device reboots, it immediately boots to a fastboot warning screen saying:
your device is corrupt. It cannot be trusted and may not work properly.

However, hitting the power button reboots the device to "No command"; then I press power and volume up for recovery and reboot the system normally. I tried to boot a GSI from Google (Android 11 GSI) and a Resurrection Remix GSI (Android Q), and one or the other managed to write something somewhere to raise this warning. The device doesn't seem to be affected in any negative manner despite the warning.
pixelcorrupt.jpg
 
Hello,
Thank you for your work.
I used
Code:
adb shell settings put global euicc_provisioned 1
to enable my Verizon Pixel 3 XL's eSIM function, but this function will not work after a hard reset.
And do you know how to enable this phone's CDMA network function with any codes?
 

I don't know if this will help you at all, but I seem to recall something along the lines of changing CDMA through one of the phone applications, but you have to use an activity launcher. If you do a Google search for "activity runner APK", that's the one I use. You would have to look for About Phone or Phone Info in one of the four or five phone applications and launch the activity, and options to that effect will come up; whether they persist is another story.
 

Waiting for your work to find out whether the bootloader can be unlocked.
 

Top Liked Posts

    Well, there is this: when booted properly, the device is called proto2 for USB serial. Now, as to what it is in EDL, I don't know. I didn't have time to look.
    Any progress here yet? All their refurbished Pixels seem to be bootloader-locked as well. The interesting thing is, at least on my refurbished Pixel 2, in the build.prop file ro.oem_unlock_supported is 1, sys.oem_unlock_allowed is 1, and ro.boot.flash.locked is 1.
    If it works, could you please post a tutorial?

    So I just completed the first phase of configuration. I had to make sure my rules.d configs were right. Although they were, they were missing a few entries, but I can confirm the cable *DOES INDEED WORK!!!* It is functioning, and it appears a console (or consoles) does indeed open upon plugging the phone into a properly configured PC and environment. To what extent, and which consoles? I do not yet know. Run this command in a terminal to monitor when Cr50 device emulation is activated on the device we are working with. If the device appears in the list (refreshes every few seconds), the device is successfully recognized, and UART should be enabled along with the Cr50 emulation (what we were banking on being available):

    Code:
    $ watch -n 1 "lsusb | grep 18d1:5014"

    5014 is what the Pixel 3 is identified as while this emulation is occurring. The cable MUST be plugged into the PHONE port with the text ADBG facing UP, or the device will not be triggered into the mode we need it in (the device is still booted, turned on and usable). Posted below is a screenshot from running 'lsusb' in a terminal; the PC is properly configured and the emulation is occurring:
    pixel3debug.png


    I don't know if this had an effect, but depending on what fastboot mode you are in, (fastboot vs. fastbootd), the device ID changes, so I added the config to the rules.d files I have set up in /etc/udev.

    Fastboot: 18d1:4ee7
    Fastbootd: 18d1:4ee0

    Once I did that, installed the required dependencies for hdctools cleared my cache and what not, and rebooted, all was working so far, as it should. Now time to research a little and see what I can do and where can find instructions on how to do it :D
    OK, I got the rx error to stop. There are so many dependencies for all of these utilities, it's a miracle I haven't screwed anything up yet.

    If I can get the EC console working, that's where we can flash EC firmware. We also have EDL mode (adb reboot edl) where, if I can get it working, there is "Qualcomm Sahara / Firehose Attack Client / Diag Tools": https://github.com/bkerler/edl.git

    I don't know if this has something to do with my configuration not being right, but for some reason Ubuntu refuses to see a device in EDL mode. At least in terms of running commands, it doesn't exist. We'll definitely need to install drivers on Windows and get Ubuntu to carry them over. But the tools used for a lot of EDL work are available only on Windows.

    But getting that to run on a Linux machine is not going to be easy, so it looks like I'm going to have to boot up my Windows 7 if I'm even going to try, because the drivers can only be installed there.

    I again was looking through the vendor image. Since I'm trying to access the EC console, I started to look for files related to it. There are 2 files in the vendor image: ec.bin and ec.rec. Looking through both is intriguing, but the bin file even more so, which I have yet to finish looking through using a hex editor. There are, or at least appear to be, in readable format, several StrongBox keys. There is one option in fastboot I have yet to try, because of the lack of anything to test:
    Code:
    fastboot flashing unlock_bootloader <request>

    Now, it doesn't fail or give me a warning that I can't run the command on a locked device, but it tells me to provide a bin file. I was unaware this phone had a bin file to flash when requesting a bootloader unlock. I haven't gotten enough courage to try it, but wouldn't it be a son of a gun if ec.bin worked? I also have a few different variants of fastboot that have been modified on various other forums in an attempt to bypass some of those restrictions, hoping to get commands working that normally wouldn't on other fastboots.

    It probably wouldn't, which brings me to the latest update overall. Those files tell me there is an EC console available. But I am having a very hard time getting it set up properly. Most of these tools, when configured right, will work properly if you have all the dependencies, which has been the real kicker here: finding them all. If I can finally get that end of the tools working, then we can update the EC firmware with newer EC bins. And somehow, using that same console, you can remove write protect on certain other firmware. I know the console is active, or is available, because of certain values I got which I posted above. Some of the stuff I posted above actually comes out of that console.

    All we need is just that one little area to write to, that we can write an exploit to in an attempt to get root privileges, at the very least. I'm sorry I don't have any more than this for today.
    Sorry if this doesn't make any sense, guys. I'm going to write down a detailed way for everybody to at least get this far without having to worry about any destruction to their devices or whatnot. That will hopefully give a better understanding as to what might be going on here, and we can work from there. I would also appreciate it if somebody could take a look at the vendor image while mounted, pull the files in question, use a hex editor to look at the code and see if what I'm seeing isn't just some crazy talk. This may take me a few days to put together, so I may not be around as I do that, but I will try to reply if anyone has any more questions.
    OK, so never mind. Rebooting the device into fastboot (adb reboot-bootloader) and running the usb_console command returns this:
    Code:
    usb_console -d 18d1:5014
    [161155.250820 gpio_wiggling: VOL_DN_L = 0]
    [161155.251544 km_set_vol_dn_btn: vol_dn already set]
    [161155.458140 gpio_wigglingl dn released]
    [161156.020804 gpio_wiggling: PHONE_ON_L = 0]
    [161157.550416 ap_reboot_actions: signaling]
    [161157.550976 ap_reboot_actions: 0 done 0]
    [161157.551540 ap_is_rebooting: MSM_RST_OUT_L_FALLING: ap_is_in_bootloader=1]
    [161157.554112 flash_physical_write: 0x73d00, 0xec bytes]
    [161157.554916 nugget_dispatch_loop: [161157.556064 flash_physical_write: 0x73c00, 0x100 bytes]
    reboot seen (vol-dn: 1)]
    [161157.559688 flash_physical_write: 0x73e00, 0xec bytes]
    [161157.561736 flash_physical_write: 0x73d00, 0x100 bytes]
    [161157.563424 gpio_wiggling: VOL_UP_L = 0]
    [161157.588992 passthru off]
    [161157.622916 ap_reboot_actions: signaling]
    [161157.623476 ap_reboot_actions: 0 done 1]
    [161157.624044 ap_is_rebooting: MSM_RST_OUT_L_RISING: ap_is_in_bootloader=1]
    [161157.624980 nugget_dispatch_loop: reboot seen (vol-[161158.725452 usb_reset, status 9020]
    [161158.809772 SETAD 0x21 (33)]
    rx [Errno 110] Operation timed out

    Again the rx error repeats over and over. Note: unless the device is rebooted, or its mode is switched (fastboot vs. fastbootd), the above information will NOT reappear. Instead, the message referenced in the post above this one appears:
    Code:
    --- UART initialized after reboot ---
    [Reset cause: rdd]
    [Retry count: 1 -> 0]
    [Image: RW_B, 0.0.3/brick_v0.0.8279-f93f99159371.195216 update_rollback_mask: stop at 0]
    [159371.195856 gpio_wiggling: AP_EL2_LOW_IRQ = 0]
    Console is enabled; type HELP for help.
    > [159371.238856 passthru usb]
    [159371.239492 usb_init, resume 0]
    [159371.606672 usb_reset, status 4801020]
    [159371.695496 usb_reset, status 9028]
    [159371.779716 SETAD 0x11 (17)]
    rx [Errno 110] Operation timed out

    Never mind the RX error. The Cr50 console is open. Navigating to my hdctools and running the usb_console command in fastboot or fastbootd returns the RX error, but I am still able to type commands. Typing HELP after the usb_console command returns this (ignore the continuous scrolling of the RX error; manually scroll to stop the screen and read):
    Code:
    Known commands:
      apfastboot     Assert POWER + VOL_DN to force the AP into fastboot
    The min/default time is 20 seconds, max is 60
      board_id       Display the Board ID values
      help           Print command help
      history        Print console history
      idle           Set or show the idle action: wfi, sleep, deep sleep
      reboot         Reboot Citadel
      repo           Show the repo snapshot for this image
      sleepmask      Display/force sleep mask
      stats          Show the current syatem power stats
      taskinfo       Print task info
      timerinfo      Print timer info
      trngstats      Collect some TRNG stats
      version        Print versions
    HELP CMD = help on CMD.

    The first command apfastboot requires an unlocked bootloader :(

    History shows your command history. I will get to repo later.

    running: taskinfo:
    Code:
    Task Ready Name         Events      Time (s)  StkUsed    Flags
       0 R << idle >>       80000000  556.135876    80/ 512  0000
       1 R HOOKS            20000000    0.166836   120/ 640  0000
       2   NUGGET           00000000    0.286404   168/1024  0000
       3   FACEAUTH         00000000    0.000524    80/2048  0000
       4   AVB              00000000    0.008216    88/4096  0000
       5   KEYMASTER        00000000    0.026576    88/9600  0000
       6   IDENTITY         00000000    0.000224    88/1952  0000
       7   WEAVER           00000000    0.006664   240/1024  0000
       8 R CONSOLE          00000000    0.359764   448/ 576  0000
    Service calls:                 1588
    Total exceptions:              1589
    Task switches:                 1835
    Task switching started: 162202.505900 s
    Time in tasks:           557.084916 s
    Time in exceptions:        0.086496 s

    Version:
    Code:
    Chip:    Google Citadel C2-PVT
    Board:   0
    RO_A:    0.0.3/d55cc99c ok
    RO_B:  * 0.0.3/874a9517 ok
    RW_A:    0.0.3/brick_v0.0.8277-61fd4bbbc ok
    RW_B:  * 0.0.3/brick_v0.0.8279-f93f993f0 ok
    Build:   0.0.3/brick_v0.0.8279-f93f993f0
             2021-02-04 19:23:01 wfrichar

    board_id:
    Code:
    0x00020000 0xff000080 0xfffdffff # MP, PVT/MP

    timerinfo:
    Code:
    Time:     0x00000025f6f75af0 us, 163057.195760 s
    Deadline: 0x00000025f701b268 ->    0.677752 s from now
    Active timers:

    stats:
    Code:
    hard_reset_count            1
    time_since_hard_reset       163124.847384
    wake_count                  106
    time_at_last_wake           162202.503892
    time_spent_awake            17124.537648
    deep_sleep_count            105
    time_at_last_deep_sleep     162200.189768
    time_spent_in_deep_sleep    146000.309736
    time_at_ap_reset            162614.632272
    time_at_ap_bootloader_done  ---

    trngstats:
    Code:
    FUSE.DEV_ID: 0xd2dccd59,0x2102f007
    FUSE.TRNG_LDO_CTRL: 10
    FUSE.RC_JTR_OSCMAX_CC_TRIM: 40
    FUSE.RC_JTR_OSCAVG_CC_TRIM: 72
    FUSE.RC_TIMER_OSC48_CC_TRIM: 77
    FUSE.X_OSC_LDO_CTRL: 9
    FUSE.DS_COUNT: 1
    FUSE.FW_DEFINED_BROM_APPLYSEC: 0xddf
    TRNG.OUTPUT_TIME_COUNTER: 0x0
    PHONE_ON_L: 1
    VOL_UP_L: 1
    VOL_DN_L: 1
    PM_MSM_RST_L: 1
    AP_CTDL_IRQ: 0
    NETS_GOOD: 1
    TEMP.RANGE: 42.625,43.375
    STATS.COUNT: 10
    STATS.MIN: 792
    STATS.MAX: 2215
    STATS.AVG: 1549
    HIST(0-599): 0
    HIST(600-1199): 1
    HIST(1200-1799): 7
    HIST(1800-2399): 2
    HIST(2400-2999): 0
    HIST(3000-3599): 0
    HIST(3600-4199): 0
    HIST(4200-4799): 0
    HIST(4800-5399): 0
    HIST(5400-5999): 0
    HIST(6000-6599): 0
    HIST(6600-7199): 0
    HIST(7200-7799): 0
    HIST(7800-8399): 0
    HIST(8400-8999): 0
    HIST(9000-9599): 0
    HIST(9600-10199): 0
    HIST(10200-10799): 0
    HIST(10800-11399): 0
    HIST(11400-11999): 0
    HIST(12000-): 0

    repo:
    Code:
    97ad30fe2da20fc0300261bc1a3cbc37b989df88 bazel_rules
    3cdf3eca0d0dd70c88b4f76fb44a9999df6e872b core/dcrypto
    f93f993f0a5e6ad9915a28441e48e8dfea6b9afe core/nugget
    e2797a7a7763ec042ce0287bec6bc031d04de9fd host/android
    5f8a04f743447950a3a1977ea87dafa2ceb2c369 host/generic
    5baf30afefa6fbbc2748b2998b48dc3760b89c30 host/linux
    6d6c354952307f1acb7b5bb4a38ccff9aba384bc prebuilts/clang/host/linux-x86
    29c92c535f007cfc33b396e9201f8179eba07194 prebuilts/lcov
    8984774a642892f25b7e353a333833ef7acb8174 prebuilts/linaro/4.9
    b09cda38a63d15ec3c761d48af51e183a1393f1d prebuilts/locked_loaders
    c4bcce8b73b0382a3cafca0009e303581d2d7c46 prebuilts/protoc/linux-x86
    c51dd6870ac22ad6729742bcf72baf6264370fe3 prebuilts/python-virtualenv/linux-x86
    53add29eb7b4eaa9e128e3ec84eac9e65cf4c986 prebuilts/python/linux-x86/2.7.5
    b5ddcdd0fc5f017cba9c823de5c472f10d849e56 prebuilts/riscv-gchips-clang
    fdcc9b8194be613a6f1c48eeef2871407f61223e prebuilts/riscv-gnu/stable
    42e4aa4f4c041746bcc2b3427f35c928bfa3d291 repohooks
    648aea1ad6c5b9937b988f3b3b0099132ce4b1ac test/jenkins
    16b9e671e6223fd2fabde111b56b3d453f4b4ad9 test/system-test-harness
    83c422905dd29a759b67892082bc943b04d2657d third_party/ahdlc
    f5bbc56c79e4ec0653aced61219c370b87df4f75 third_party/cn-cbor
    910a575cc5a204f49c2d266db546e124a04a3b7a third_party/cryptoc
    6924462b9f1522d391df1491a5c7db1f3e98fcda third_party/cryptoc-bsd
    e9c240dc7afc8b67c865625e675e3a5d5d7227cc third_party/libftdi
    9660e1954456ccce8848c9673a08e95aef8ed3a6 third_party/libmpsse
    d9b2ff3e8de040dc630fc4138b2f61be6063f4d9 third_party/nanopb
    1434ce273643b2d57c23df476b7c6f8dbad82dd_party/raiden_spi
    9fa2a3d9e356a1f42a6184dcf1e0508ddfa9dbfb third_party/rapidjson
    7e4ee69b4d716edcda8dd21eecaa608fe494ec17 third_party/scripts
    cb2de5a810df1898cd3ae47d517603b8b12371c0 third_party/tpm2
    END
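An added example, not from this thread or from the hdctools project, that parses the `taskinfo` table the Citadel console printed above into records and flags tasks running close to their stack limit; the trailing counters are collected too. The sample is constructed from the table quoted in this post. The 75% threshold is an arbitrary choice for illustration, and the task names (AVB, KEYMASTER, WEAVER, ...) are simply whatever the firmware printed; nothing is inferred about them beyond the numbers in the dump.

```python
"""Parse the Citadel console `taskinfo` table and report stack headroom.

Added example; not part of the original post or of the hdctools project.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed from the `taskinfo` output quoted in the thread so the example runs offline.
TASKINFO = """\
Task Ready Name         Events      Time (s)  StkUsed    Flags
   0 R << idle >>       80000000  556.135876    80/ 512  0000
   1 R HOOKS            20000000    0.166836   120/ 640  0000
   2   NUGGET           00000000    0.286404   168/1024  0000
   3   FACEAUTH         00000000    0.000524    80/2048  0000
   4   AVB              00000000    0.008216    88/4096  0000
   5   KEYMASTER        00000000    0.026576    88/9600  0000
   6   IDENTITY         00000000    0.000224    88/1952  0000
   7   WEAVER           00000000    0.006664   240/1024  0000
   8 R CONSOLE          00000000    0.359764   448/ 576  0000
Service calls:                 1588
Total exceptions:              1589
Task switches:                 1835
Task switching started: 162202.505900 s
Time in tasks:           557.084916 s
Time in exceptions:        0.086496 s
"""

# One task row: id, a one-character ready column ('R' or blank), a name that may
# contain spaces ("<< idle >>"), then events, time, used/size, flags.
_ROW = re.compile(
    r"^\s*(?P<id>\d+) (?P<ready>[R ]) (?P<name>.+?)\s+"
    r"(?P<events>[0-9a-fA-F]{8})\s+(?P<time>\d+\.\d+)\s+"
    r"(?P<used>\d+)/\s*(?P<size>\d+)\s+(?P<flags>[0-9a-fA-F]{4})\s*$"
)
# Trailing "Label: value [s]" counters below the table.
_COUNTER = re.compile(r"^(?P<key>[A-Za-z ]+?):\s+(?P<val>\d+(?:\.\d+)?)(?: s)?\s*$")


@dataclass
class Task:
    id: int
    ready: bool
    name: str
    events: int
    time_s: float
    stack_used: int
    stack_size: int

    @property
    def stack_pct(self) -> float:
        """Fraction of the task's stack that has been touched."""
        return self.stack_used / self.stack_size


def parse_taskinfo(text: str) -> Tuple[List[Task], Dict[str, float]]:
    """Return (tasks, counters) from a raw taskinfo dump; unknown lines are ignored."""
    tasks: List[Task] = []
    counters: Dict[str, float] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            tasks.append(Task(
                id=int(m.group("id")),
                ready=m.group("ready") == "R",
                name=m.group("name"),
                events=int(m.group("events"), 16),
                time_s=float(m.group("time")),
                stack_used=int(m.group("used")),
                stack_size=int(m.group("size")),
            ))
            continue
        c = _COUNTER.match(line)
        if c:
            counters[c.group("key")] = float(c.group("val"))
    return tasks, counters


def stack_hogs(tasks: List[Task], threshold: float = 0.75) -> List[str]:
    """Names of tasks whose stack usage is at or above `threshold` (a fraction)."""
    return [t.name for t in tasks if t.stack_pct >= threshold]


if __name__ == "__main__":
    tasks, counters = parse_taskinfo(TASKINFO)
    for t in tasks:
        print(f"{t.id:2d} {'R' if t.ready else ' '} {t.name:12s} {t.stack_pct:5.1%}")
    print("near stack limit:", stack_hogs(tasks))
    print("counters:", counters)
```

Paste the console output into `TASKINFO` (or feed `parse_taskinfo` the text captured from `usb_console`) to get the same report for a different firmware build; the regex keys on the column layout shown in the post, so a build that changes the table format will simply yield no rows rather than wrong numbers.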
    Found a Debian-based hdctools installation that works *without* having to set up a Chromium-based chroot. Going to take a bit to install and configure everything. If anyone is interested, the installation is here: https://gitlab.collabora.com/chromium/servod-tools

    Note: even if this works for me, it won't work for you unless you have the SuzyQ cable or you modify an existing USB-C cable. Supposedly this cable, when configured properly, automatically opens up consoles and UART when connected to the device. This should only be possible if the device is unlocked, *unless* you are able to enable the SuzyQ function without unlocking the bootloader. In this case we are able to do just that. And from what I gather, we aren't supposed to be able to enable SuzyQ at all.