I decided to do some digging since I just purchased one of these devices.
fastboot binary is emmc_appsboot.mbn from an update zip.
fastboot oem commands in the CN ROM: unlock, unlock-go, lock, device-info, enable-charger-screen, disable-charger-screen, off-mode-charge, select-display-panel, run-tests
fastboot oem commands in the US ROM: unlock, unlock-go, lock, device-info. US rom is older, which is probably why some commands are missing.
You may be able to find more using a disassembler or with abootool https://github.com/alephsecurity/abootool
First step to getting more research done would probably be to get EDL working for the US variant. Or someone seeing what "unlock-go" does (probably nothing).
After getting EDL working, getting Firehorse functional would be beneficial. However I don't know how the rawprogram.xml is generated. I believe it has to be generated using the partition table somehow, but I do not know how to find the partition table.
I don't know how the bootloader images are signed, but my guess is that flashing CN over US will just leave your phone permanently bricked if they are signed differently. Downgrading the bootloader will also not work if qfuses are implemented correctly (although sometimes they aren't). Checking 16C7 in emmc_appsboot.mbn, US bootloader has the same string across versions and CN has a different one so I'm guessing they are in fact signed differently.
fastboot binary is emmc_appsboot.mbn from an update zip.
fastboot oem commands in the CN ROM: unlock, unlock-go, lock, device-info, enable-charger-screen, disable-charger-screen, off-mode-charge, select-display-panel, run-tests
fastboot oem commands in the US ROM: unlock, unlock-go, lock, device-info. US rom is older, which is probably why some commands are missing.
You may be able to find more using a disassembler or with abootool https://github.com/alephsecurity/abootool
First step to getting more research done would probably be to get EDL working for the US variant. Or someone seeing what "unlock-go" does (probably nothing).
After getting EDL working, getting Firehorse functional would be beneficial. However I don't know how the rawprogram.xml is generated. I believe it has to be generated using the partition table somehow, but I do not know how to find the partition table.
I don't know how the bootloader images are signed, but my guess is that flashing CN over US will just leave your phone permanently bricked if they are signed differently. Downgrading the bootloader will also not work if qfuses are implemented correctly (although sometimes they aren't). Checking 16C7 in emmc_appsboot.mbn, US bootloader has the same string across versions and CN has a different one so I'm guessing they are in fact signed differently.
Last edited:
