We need our bootloader unlocked. Yes, the developer editions are useful in this case. Our devices are MSM8960 just so you know.
Current Knowledge:
Appsboot address in memory: We don't know yet. It is not at 0x88F00000 because Motorola stashed it somewhere else (or filled aboot with zeros to protect it from reverse engineering).
We need appsboot reverse engineered in order to unlock the bootloader. I attached some files (ATT 4.1.1) that we need.
Useful links:
http://forum.xda-developers.com/showthread.php?t=1769411
http://forum.xda-developers.com/showthread.php?t=1978703
http://forum.xda-developers.com/showthread.php?t=2086142
http://forum.xda-developers.com/showthread.php?p=35762370
n00bs - STAY AWAY FROM THIS THREAD!!!
Update 1:
Attached memory dump module.
Somebody with root needs to compile the kernel module and run it and upload /sdcard/dump.rom
Thanks!!!
Update 2:
Don't flash another cid + utags.
Instead, mostly by reverse engineering aboot or dumping and comparing dev editions (which we don't have), we could find out what happens (like if NAND is written to).
Removed memory dump module because we don't need it (for now).
Update 3:
Just uploaded a bunch of tools and documentation and the unlocked Bell CID and UTAGs.
Go and download it here:
http://d-h.st/5C9
Update 4:
THIS IS NOT THE ACTUAL BOOTLOADER UNLOCK, THESE ARE TOOLS TO HELP WITH UNLOCKING THE BOOTLOADER!!!
Also, I found a ton of information about aboot (all in the header too). I also found out that 0x88F00000 is protected rather than based somewhere else.
For the Bell bootloader: if all the CIDs use the same signature, then flash the CID + UTAGs from the unlocked Bell device and voilà, your bootloader is unlocked (does NOT work on AT&T!!!). THIS IS UNTESTED THOUGH, SO DO THIS AT YOUR OWN RISK.
Code:
Non-unified boot
appsbl = 0x00000005
flash partition version = 0x00000003
image source pointer = 0x00000000
Base = 0x88F00000
image size = 0x0003FFD8
Code size = 0x0003F7D8
Base + code size = 0x88F3F7D8
Size of signature = 0x00008000
Code Size + base + Size of signature = 0x88F3FFD8
Certificate Chain Size = 0x0
Also, bad news:
I hard bricked my device :crying:. But I'm not leaving here without unlocking the bootloader.
Some Arm Code:
Code:
start
MOV R8, #0 ; We haven't compared any bytes yet...
loc_88F18A80
ADD.W R3, R4, R8 ; R4 (I don't remember if this is an address or a return value) + 78 = The UNIQUE_KEY
LDRB.W R2, [R6,R8] ; Load input code
LDRB.W R3, [R3,#0x4E] ; Load correct code
CMP R2, R3 ; Compare n'th byte of the correct code and the input code
BEQ loc_88F18AC0 ; If they are equal, move to the next byte
B password_incorrect ; Password is incorrect
loc_88F18AC0
ADD.W R8, R8, #1 ; Byte done
CMP.W R8, #20 ; Do twenty times, or the length of the passcode
BNE loc_88F18A80 ; We haven't done it twenty times yet, keep on until we compare each byte
B unlock_bootloader ; Password is correct, unlock the bootloader!!!
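To make the loop above concrete, here is an added example in C, written for this edit and not code from the thread or from aboot: the same byte-at-a-time check with early exit, a constant-time rewrite, and a simulated attacker that recovers the key from the iteration count alone (which is what a timing measurement gives you). SAMPLE_KEY is a constructed placeholder; the real value sits at R4+0x4E in aboot per the post and is not known here.

```c
/* Added example: the posted aboot passcode loop in C, a constant-time
 * alternative, and a step-count oracle attack.  SAMPLE_KEY is a
 * constructed placeholder (assumption), not the device's real code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN 20   /* the loop runs CMP.W R8, #20 times */

const uint8_t SAMPLE_KEY[CODE_LEN] = {
    0x4a, 0x00, 0x7f, 0x13, 0x9c, 0x21, 0xe5, 0x08, 0x30, 0xb7,
    0x6d, 0xff, 0x02, 0x58, 0xa1, 0x47, 0xc3, 0x19, 0x66, 0x0d };

typedef int (*check_fn)(const uint8_t *, const uint8_t *, size_t *);

/* Mirrors the posted assembly: LDRB input byte, LDRB key byte, CMP,
 * branch to password_incorrect on the first mismatch.  *steps receives
 * the number of bytes examined, which is what leaks through timing: a
 * guess whose first k bytes are right takes at least k+1 iterations. */
int unlock_check_naive(const uint8_t *input, const uint8_t *key, size_t *steps)
{
    for (size_t i = 0; i < CODE_LEN; i++) {
        if (input[i] != key[i]) {
            if (steps) *steps = i + 1;
            return 0;                 /* password_incorrect */
        }
    }
    if (steps) *steps = CODE_LEN;
    return 1;                         /* unlock_bootloader */
}

/* Constant-time version: always walks all 20 bytes and ORs the XOR
 * differences into one accumulator, so neither the iteration count nor
 * the branch pattern depends on where the first wrong byte is. */
int unlock_check_ct(const uint8_t *input, const uint8_t *key, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < CODE_LEN; i++)
        diff |= (uint8_t)(input[i] ^ key[i]);
    if (steps) *steps = CODE_LEN;
    return diff == 0;
}

/* Simulated attacker with a step-count oracle: for each position try
 * all 256 bytes and keep the one that makes the check run strictly
 * longest.  Stops at the first position where every candidate runs
 * equally long.  Returns how many key bytes were recovered. */
size_t recover_by_steps(check_fn check, const uint8_t *key, uint8_t *out)
{
    uint8_t guess[CODE_LEN];
    memset(guess, 0, sizeof guess);
    for (size_t pos = 0; pos < CODE_LEN; pos++) {
        size_t best_steps = 0, second = 0;
        int best = 0;
        for (int c = 0; c < 256; c++) {
            size_t steps;
            guess[pos] = (uint8_t)c;
            if (check(guess, key, &steps))
                steps = CODE_LEN + 1;   /* accepted: longest possible run */
            if (steps > best_steps) {
                second = best_steps;
                best_steps = steps;
                best = c;
            } else if (steps > second) {
                second = steps;
            }
        }
        if (best_steps == second)       /* no candidate stood out: nothing leaked */
            return pos;
        guess[pos] = out[pos] = (uint8_t)best;
    }
    return CODE_LEN;
}

int main(void)
{
    uint8_t out[CODE_LEN];
    size_t n = recover_by_steps(unlock_check_naive, SAMPLE_KEY, out);
    printf("naive check: recovered %zu/%d key bytes\n", n, CODE_LEN);
    n = recover_by_steps(unlock_check_ct, SAMPLE_KEY, out);
    printf("constant-time check: recovered %zu/%d key bytes\n", n, CODE_LEN);
    return 0;
}
```

Against the naive check the attacker needs at most 20 × 256 tries instead of 256^20; against the constant-time check it recovers nothing. On real hardware the step count has to be inferred from timing (or from a debugger or power trace), and fastboot unlock attempts are usually rate-limited or counted, so this shows the class of weakness in the posted loop rather than a ready-made attack on the device.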
Another reserved...
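The header fields the first post lists are the standard 40-byte Qualcomm MBN image header (ten little-endian 32-bit words: image id, header version, source offset, load address, image size, code size, signature pointer, signature size, cert chain pointer, cert chain size). Below is an added example in C, written for this edit and not code from the thread or from aboot, that parses such a header and applies the consistency checks a loader applies before trusting it. The sample bytes are constructed from the post's values; the signature size is taken as 0x800, which is the value for which the post's "Base + code size + Size of signature = 0x88F3FFD8" and "image size = 0x0003FFD8" both add up, and that choice is an assumption of this example.

```c
/* Added example: parse the 40-byte Qualcomm MBN header that aboot
 * carries and check its field relationships.  The sample header is
 * constructed from the post's values; signature_size = 0x800 is an
 * assumption made so that the regions add up to image_size. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MBN_HDR_LEN   40
#define IMG_ID_APPSBL 5u      /* image_id for the apps bootloader */

struct mbn_header {
    uint32_t image_id;        /* 5 = APPSBL */
    uint32_t header_vsn_num;  /* "flash partition version" */
    uint32_t image_src;       /* "image source pointer": code offset after the header */
    uint32_t image_dest_ptr;  /* "Base": load/run address */
    uint32_t image_size;      /* code + signature + cert chain */
    uint32_t code_size;
    uint32_t signature_ptr;   /* address where the signature starts */
    uint32_t signature_size;
    uint32_t cert_chain_ptr;  /* address where the certificate chain starts */
    uint32_t cert_chain_size;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse a header from raw bytes.  Returns 0, or -1 if len < 40. */
int mbn_parse(const uint8_t *buf, size_t len, struct mbn_header *h)
{
    if (len < MBN_HDR_LEN) return -1;
    h->image_id        = rd32le(buf + 0);
    h->header_vsn_num  = rd32le(buf + 4);
    h->image_src       = rd32le(buf + 8);
    h->image_dest_ptr  = rd32le(buf + 12);
    h->image_size      = rd32le(buf + 16);
    h->code_size       = rd32le(buf + 20);
    h->signature_ptr   = rd32le(buf + 24);
    h->signature_size  = rd32le(buf + 28);
    h->cert_chain_ptr  = rd32le(buf + 32);
    h->cert_chain_size = rd32le(buf + 36);
    return 0;
}

/* Bitmask of failed checks (0 = header is self-consistent):
 *  1: not an APPSBL image
 *  2: signature does not start right after the code
 *  4: cert chain does not start right after the signature
 *  8: code + signature + cert chain != image_size
 * 64-bit arithmetic so a wrapped 32-bit sum cannot pass by accident. */
unsigned mbn_check(const struct mbn_header *h)
{
    unsigned bad = 0;
    uint64_t base = h->image_dest_ptr;
    if (h->image_id != IMG_ID_APPSBL) bad |= 1u;
    if (h->signature_ptr != base + h->code_size) bad |= 2u;
    if (h->cert_chain_ptr != base + h->code_size + h->signature_size) bad |= 4u;
    if ((uint64_t)h->code_size + h->signature_size + h->cert_chain_size != h->image_size) bad |= 8u;
    return bad;
}

/* Serialise the header the post describes (constructed sample). */
void sample_aboot_header(uint8_t out[MBN_HDR_LEN])
{
    const uint32_t v[10] = {
        IMG_ID_APPSBL, 3u, 0u, 0x88F00000u, 0x0003FFD8u, 0x0003F7D8u,
        0x88F3F7D8u, 0x800u /* assumed */, 0x88F3FFD8u, 0u };
    for (int i = 0; i < 10; i++) wr32le(out + 4 * i, v[i]);
}

int main(void)
{
    uint8_t buf[MBN_HDR_LEN];
    struct mbn_header h;
    sample_aboot_header(buf);
    if (mbn_parse(buf, sizeof buf, &h) != 0) return 1;
    printf("base 0x%08X code 0x%X sig @0x%08X (0x%X bytes) certs @0x%08X (0x%X bytes): checks=0x%X\n",
           (unsigned)h.image_dest_ptr, (unsigned)h.code_size, (unsigned)h.signature_ptr,
           (unsigned)h.signature_size, (unsigned)h.cert_chain_ptr, (unsigned)h.cert_chain_size,
           mbn_check(&h));
    return 0;
}
```

Run it over the first 40 bytes of an aboot partition dump to see whether the header is intact or, as the post speculates, zeroed; a header that parses but fails mbn_check is the sign that the dump was taken from a protected or scrubbed region rather than from the image as flashed.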
Re: [R&D] Non-dev edition bootloader unlocking
Great to see someone working on this. God knows how bad we need it.
Sent from my MB886 using Tapatalk 2
Re: [R&D] Non-dev edition bootloader unlocking
Hell yeah about time
Sent from my MB886 using xda premium
All for this and I would consider keeping this phone
Sent from my Atrix HD using Tapatalk 2
tcf38012 said:
We need our bootloader unlocked. Yes, the developer editions are useful in this case. Our devices are MSM8960 just so you know.
Current Knowledge:
Appsboot address in memory: 0x88F00000
We need appsboot reverse engineered in order to unlock the bootloader. I attached some files (ATT 4.1.1) that we need.
Useful links:
http://forum.xda-developers.com/showthread.php?t=1769411
http://forum.xda-developers.com/showthread.php?t=1978703
http://forum.xda-developers.com/showthread.php?t=2086142
http://forum.xda-developers.com/showthread.php?p=35762370
n00bs - STAY AWAY FROM THIS THREAD!!!
Update 1:
Attached memory dump module.
Somebody with root needs to compile the kernel module and run it and upload /sdcard/dump.rom
Thanks!!!
Great, man. I have root. What do you need me to do with compiling the kernel module?
Sent from my MotoAHD Maxx
Wouldn't someone with an unlocked bootloader need to run it? Locked bootloaders cannot run kernel modules as far as I know.
popfan said:
Wouldn't someone with an unlocked bootloader need to run it? Locked bootloaders cannot run kernel modules as far as I know.
They can if they are rooted, which I'm not. We just need them in order to crack the algorithm. That's one approach.
The other is to crack the SBL1 private keys (longer).
Kudos to all of you for giving this a solid effort. We have a nice bounty brewing for whomever opens this device up.
Sent from my MB886 using xda app-developers app
I know, right? Someone figures this out, they get their car paid for a month lol
TTLayland said:
Kudos to all of you for giving this a solid effort. We have a nice bounty brewing for whomever opens this device up.
Sent from my MB886 using xda app-developers app
x2!
I want to buy this phone so badly, but for a flash addict like me, it would be like going to rehab.
I love this Atrix HD but not having root is killing me... keep working, guys! We'll pay up!
Sent from my MB886 using xda app-developers app
I think I have an unlocked BL. The BL says: Device is UNLOCKED, Status Code: 1
How do I go about compiling the kernel? Can you give me more details?
vikrambharadwaj said:
I think I have an unlocked BL. The BL says: Device is UNLOCKED, Status Code: 1
How do I go about compiling the kernel? Can you give me more details?
I think we need an unlockABLE device
OFFFFFFFFFFFFFFF said:
I think we need an unlockABLE device
What do you mean by that? I never came across any unlockable device. Well, FYI, this is a prototype that I have and I have flashed a user-debug quinara build on it.
Huh? What are you talking about.
Unlocked, not unlockable
Sent from my Atrix HD using Tapatalk app
vikrambharadwaj said:
What do you mean by that? I never came across any unlockable device. Well, FYI, this is a prototype that I have and I have flashed a user-debug quinara build on it.
WAIT!!!,
Could you dump your boot image for 4.1.1 and send it to me?
Thanks in advance,
TCF38012
Related
Unlocking sites normally charge $25-$30 so please donate if you can because all of these devs put a lot of work into it.
PLEASE give credit (and donations if you can) to:
rhcp0112345 found out how to hex hack unlock the phone (PayPal)
rbnet.it and marcopon for the cool SGUX utility to extract it (donate to marcopon and rbnet.it Paypal)
Bowsa2511 for the command to extract the unlock code on a Mac & Pc (Paypal)
RazvanG for pointing the un-freeze code (Paypal)
DaGentooBoy For optimizing the mac and windows scripts, and a lot of troubleshooting (Paypal)
nbs11 for fixing and optimizing my original mac script, and making it an easier 1-click program. (Paypal)
This code may not work. If you enter the unlock code wrong too many times or if it gives you the wrong unlock code, your phone may become bricked. By continuing you take full responsibility for any damage. I am not liable.
Prep:
Make sure that Network Lock is the only thing on... go to phone and enter *#7465625#
Make sure USB debugging is enabled (Settings->Applications->Development->USB Debugging)
Step 1: get the code
For Mac
Download the Samsung Galaxy S Unlocker
Mount the DMG and drag the folder onto the hard drive. DO NOT DRAG THE ICON WITH THE LOCK (the app). Once the file is finished copying continue.
Open the application with the lock. It should open a terminal window. Let it run for a few seconds and then it should show the unlock code
Save/write down the code
Jump to step 2.
For Windows
Download and extract the attached Galaxy S unlocker windows.
Run Generate_Code.bat
Look for the line Network Control Key:YourCode
Save the code
Jump to step 2.
Step 2: Entering the code
Power down your phone
Put in a SIM card from another carrier
Power up your phone
When it boots up it will ask for the unlock code that you found above
Now enter the unlock code you generated in Step 1.
Have fun!
Step 3: Flash back (IF THE CODE WAS UNSUCCESSFUL)
Flash back to an older firmware.
File mirrors:
Download the Samsung Galaxy S Unlocker for Mac here:
http://www.multiupload.com/0XLUKNUYRL
Download the Samsung Galaxy S Unlocker for PC here:
http://www.multiupload.com/Z3VECTI97N
Guide in Spanish here
Guide in Chinese here
LEGAL NOTES (because information should be free for all):
YOU MAY NOT, BY ANY MEANS, USE THIS SOLUTION/CODE OR PART OF IT FOR COMMERCIAL PURPOSES.
DO NOT USE THIS EXTRACTION METHOD COMMERCIALLY
thanks for providing a free method. Out side of what's available in the market....
Sent using xda app....
Dude, that is pimp. I had already unlocked mine but wanted to see if yours worked, and it did. That's cool; the way I did mine was a lot harder. TY, will donate.
worked flawlessly. Great job.
blackerwater said:
Trolling for cash is a no no. check out the forum rules........ But good job none the less
Sent using xda app....
My intentions weren't meant to be misunderstood as "Trolling for cash", but more exposure for the free unlocking solution.
I know there are some here that visit multiple sections of the forum, but some are more "loyal" to their own.
So I take it this unlock doesn't survive an Odin flash back to stock. If not, we can just re-enter the same code, I'm guessing.
Bowsa2511 said:
My intentions weren't meant to be misunderstood as "Trolling for cash", but more exposure for the free unlocking solution.
I know there are some here that visit multiple sections of the forum, but some are more "loyal" to their own.
I can accept that explanation.
Thanks for sharing....
Sent using xda app....
OK!
Question To the OP.
Where is my name? Where is my donation link?
It should be at the top. I made this possible. and this thread has been reported.
Fix it.
If I am using my Vibrant on a New Zealand network, does it mean it is unlocked?
I'm only asking as I could still use my Nexus One on a NZ network before I unlocked it.
@OP:
I have updated the first post of your thread and added rhcp0112345 to the list of folks involved in unlocking the Samsung devices.
Regards,
hilaireg said:
@OP:
I have updated the first post of your thread and added rhcp0112345 to the list of folks involved in unlocking the Samsung devices.
Regards,
I'm sorry I overlooked that when copy and pasting from one of my other threads
I'm glad you updated the OP, but I just checked XDA and saw his pm for his link to be added,
and didn't get the chance to update the post myself. We devs are not androids, we only work on it lol.
confrontation said:
If I am using my Vibrant on a New Zealand network, does it mean it is unlocked?
I'm only asking as I could still use my Nexus One on a NZ network before I unlocked it.
You might have bought an unlocked Google dev phone.
Bowsa2511 said:
You might have bought an unlocked Google dev phone.
Thanks. Is there a way to tell if it was a dev phone? Or a way to tell if it is unlocked?
confrontation said:
Thanks. Is there a way to tell if it was a dev phone? Or a way to tell if it is unlocked?
If it came rooted and unlocked. I don't know the phone code to check for the N1.
Did the N1 even come locked?
Sent from my Vibrant using XDA App
So I can't unlock this unless I have a non-T-Mobile SIM?
tommy96814 said:
So I can't unlock this unless I have a non-T-Mobile SIM?
Just buy a pre-paid SIM ($10), borrow a friend's, or go to a social gathering and ask random strangers XD
Bowsa2511 said:
If it came rooted and unlocked. I don't know the phone code to check for the N1.
I'm talking about the Samsung Vibrant, not the N1 lol. I unlocked and rooted my N1; I want to know how to see if the Vibrant is unlocked as I have already rooted it.
confrontation said:
I'm talking about the Samsung Vibrant, not the N1 lol. I unlocked and rooted my N1; I want to know how to see if the Vibrant is unlocked as I have already rooted it.
*7465625* to check unlock status
Bowsa2511 said:
*7465625* to check unlock status
Didn't seem to work.
(Sent from my SAMSUNG-SGH-I897 using XDA App)
WARNING: DO NOT FLASH THIS ON ANY PHONE
IT CONTAINS A NEW BOOTLOADER THAT WILL HARD BRICK YOU AND NOT FEEL GUILTY
All of the credit belongs to devs. Samcripp for setting up Project Cheesecake, the effort to find as many international builds as possible located on cloud servers. Navalynt for cloud test CWM mod. Tenfar for CWM bootstrap. Nate_benji for retrieving the update and uploading it for development purposes.
samcripp said:
SUCCESS
I have in my possession a full OTA update. This has Bell GB, but no unlock, and it also has the new dreaded ap20 BL that's been hard bricking AT&T phones when people try to SBF to older builds.
This is what we know so far about the build. I'm making this thread only to supply the link for the update so that hopefully we can start figuring out how we can use it (if at all). 2nd-init is a possibility, and sifting through the folders might yield some breakthroughs.
Before I supply the link I want to remind everyone not to flash this on their phone.
Link:
Nate_benji's Megaupload
Multiupload link
Folders in root:
META-INF
patch
preinstall
recovery
system
webtop
ap20bl.img
bp.img
cdrom
cdt.bin
logo.bin
metadata.gpb
Looking forward to see if we can get anything from this, and lastly, thanks again to the devs.
Reserved for devs
You guys realize you can simply use the files to create an update-zip that takes out Motorola's assert checks and bootloader flash?
Very good news!
EDIT: Oops... I forgot that you don't have an unlocked bootloader to work with. It should be a bit more difficult, then.
Would it be possible to re-package it with our current bootloader? I imagine this already would have been tried with other updates if it was possible.
D_one said:
Would it be possible to re-package it with our current bootloader? I imagine this already would have been tried with other updates if it was possible.
I can't say for sure but what would be great is if we could manufacture a "fruitcake" like package that would leave our BL alone. But once again, we don't have an sbf to fall back to, so we'd need to backup all of our partitions.
kennethpenn said:
You guys realize you can simply use the files to create an update-zip that takes out Motorola's assert checks and bootloader flash?
Very good news!
EDIT: Oops... I forgot that you don't have an unlocked bootloader to work with. It should be a bit more difficult, then.
Indeed it will be tricky... Is there a way you can help out w/o using an atrix?
Where to download Bell sbf? U4_0.37.?
cctv35 said:
Where to download Bell sbf? U4_0.37.?
I highly suggest you don't download anything since you clearly didn't read the post.
The most important part is that you shouldn't be flashing anything; also, it's an OTA.
OK, what about this NVFlash where you have to have the special cable? Would it be possible for non-AT&T Atrix phones to use that method to flash our unlockable bootloader, then use the files from the ROM you now have and make a fruitcake? Just a theory; I don't think I've read of anyone doing NVFlash.
Sent from my MB860 using XDA Premium App
*Facepalm ^
Do you guys even have a stock sbf yet? I forget if NFHimself managed to make something crazy for you guys or not. *goes digging for threads*
http://forum.xda-developers.com/showthread.php?t=1059643&page=5
You can just replace some of the files, the rest need to be patched which will be a pain.
Can a dev who has installed this please post some screenshots? I'd love to see how the Bell version of Gingerbread looks!
the2dcour said:
Do you guys even have a stock sbf yet? I forget if NFHimself managed to make something crazy for you guys or not. *goes digging for threads*
http://forum.xda-developers.com/showthread.php?t=1059643&page=5
You can just replace some of the files, the rest need to be patched which will be a pain.
What files need to be patched?
Can't all the necessary partitions + system.img be backed up?
IrshaadH said:
Can a dev who has installed this please post some screenshots? I'd love to see how the Bell version of Gingerbread looks!
No one has installed this, because it contains the new ap20bl.
I'm pretty sure we'll have a bell-version 2nd-init soon though.
Yes, setevendeb25 is surely working on something.
Magnetox said:
No one has installed this, because it contains the new ap20bl.
I'm pretty sure we'll have a bell-version 2nd-init soon though.
kennethpenn said:
You guys realize you can simply use the files to create an update-zip that takes out Motorola's assert checks and bootloader flash?
Very good news!
EDIT: Oops... I forgot that you don't have an unlocked bootloader to work with. It should be a bit more difficult, then.
It's UNLOCKED now!!! Hopefully someone can create a CWM4-flashable zip for us..
nate_benji said:
It's UNLOCKED now!!! Hopefully someone can create a CWM4-flashable zip for us..
Mhm... hopefully sam is able to get us some Fruitcake!
bongd said:
Mhm... hopefully sam is able to get us some Fruitcake!
Any idea what Gingerbread build he's basing the Fruitcake on?
nate_benji said:
Any idea what Gingerbread build he's basing the Fruitcake on?
He's kindly asked which SBFs he should prepare Fruitcake for (lol that sounded so weird).
I'm pretty sure he'll do it for Bell, French/Orange SBF, the popular ones for sure... man, I'm so pumped!!!
Hi,
Is this the latest Bell GB build?
Can't you just use CWM and edit out the bits in updater that reference ap20bl? And delete ap20bl.img as well of course.
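As an added example (written for this edit, not code from the thread), here is a C filter that does what this post suggests at the statement level: it drops every Edify assert() and every statement that references the bootloader image, splitting the script on ';' outside string literals because asserts in these scripts usually span several lines. The sample script is constructed for the example and only borrows the ap20bl.img name from the OTA listing above.

```c
/* Added example: strip device asserts and bootloader statements from
 * an Edify updater-script, statement by statement.  SAMPLE_SCRIPT is
 * constructed for this example; only the ap20bl.img name comes from the
 * OTA listing in the thread. */
#include <stdio.h>
#include <string.h>

const char *SAMPLE_SCRIPT =
    "assert(getprop(\"ro.product.device\") == \"MB860\" ||\n"
    "       getprop(\"ro.build.product\") == \"MB860\");\n"
    "ui_print(\"Patching system...\");\n"
    "apply_patch(\"/system/build.prop\", \"-\", \"aaaa\", 100, \"bbbb\",\n"
    "            package_extract_file(\"patch/system/build.prop.p\"));\n"
    "ui_print(\"Writing bootloader; do not power off\");\n"
    "package_extract_file(\"ap20bl.img\", \"/tmp/ap20bl.img\");\n"
    "run_program(\"/tmp/flash_bl\", \"/tmp/ap20bl.img\");\n"
    "ui_print(\"Done.\");\n";

/* True if the statement is an assert() or mentions the bootloader image. */
static int drop_statement(const char *s, size_t len, const char *bl_name)
{
    size_t i = 0, n = strlen(bl_name);
    while (i < len && (s[i] == ' ' || s[i] == '\t' || s[i] == '\r' || s[i] == '\n'))
        i++;
    if (len - i >= 7 && memcmp(s + i, "assert(", 7) == 0) return 1;
    for (size_t k = i; n > 0 && k + n <= len; k++)
        if (memcmp(s + k, bl_name, n) == 0) return 1;
    return 0;
}

/* Copy `in` to `out` (capacity cap) minus dropped statements.  A
 * statement ends at a ';' that is not inside a "..." literal.  Returns
 * the number of statements dropped, or -1 if `out` is too small. */
int strip_updater_script(const char *in, const char *bl_name, char *out, size_t cap)
{
    size_t len = strlen(in), start = 0, o = 0, i = 0;
    int in_str = 0, dropped = 0;
    while (i <= len) {
        char c = in[i];
        if (c == '"') in_str = !in_str;
        if (c != '\0' && (c != ';' || in_str)) { i++; continue; }
        /* end of a statement (or end of input) */
        size_t end = (c == ';') ? i + 1 : i;
        if (c == ';' && in[end] == '\n') end++;     /* take the line break with it */
        size_t slen = end - start;
        if (slen > 0) {
            if (drop_statement(in + start, slen, bl_name)) {
                dropped++;
            } else {
                if (o + slen >= cap) return -1;
                memcpy(out + o, in + start, slen);
                o += slen;
            }
        }
        if (c == '\0') break;
        start = i = end;
    }
    if (o >= cap) return -1;
    out[o] = '\0';
    return dropped;
}

int main(void)
{
    char out[1024];
    int n = strip_updater_script(SAMPLE_SCRIPT, "ap20bl.img", out, sizeof out);
    printf("dropped %d statement(s); remaining script:\n%s", n, out);
    return 0;
}
```

Two caveats the thread itself raises: the asserts are what stop a patch-style OTA from being applied to the wrong base build (this OTA is noted later in the thread to expect Bell's 37.23), so stripping them trades a clean abort for a failed or half-applied patch; and, as kennethpenn corrected himself above, editing the zip does not help while the bootloader is still locked.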
Is there a better boot loader out there that fixes the ram issue? Maybe a swap in would be a better idea.
This OTA is a patch so you will have to be on Bell's 37.23. I backed up all my .23 partitions if anyone needs them. I was able to get back to .23 without unlocked boot header from ORGB using edited French 2.1.1, just removed all fs code groups basically. Fuse still the same though (cat /sys/firmware/fuse/ReservedOdm=20002000200004000) .
Cheers!
Nobody asked about it, so I have to.
I read somewhere that this 4X version could help with the bootloader..
Hmm, has anyone tried comparing the bootloader.bin from a stock 4X to one from the developer ones, to see what, if anything, is different?
XperiaPlayer said:
Hmm, has anyone tried comparing the bootloader.bin from a stock 4X to one from the developer ones, to see what, if anything, is different?
The lock is not in the bootloader, but only the check for a lock is. So no matter which bootloader, you will probably get a locked or unlocked bootup depending on the model.
Anyway, how will you compare that bootloader? I believe only wkpark extracted the bootloader from the official distribution KDZ file; no developer KDZ exists, so you can't compare, and I believe the bootloader allocation is not found within the mmcblk0 area, so it will be hard to compare the memory.
I was thinking of looking at the assembly of both and seeing what is different. It was just a suggestion that wouldn't work haha. What I'm kind of looking for at the moment is a guide on 2nd-init. (I can't figure out how to get it to boot, etc.; I know it's something to do with the DRM, I basically don't know where to get started.) Other than 2nd-init I am also looking at a custom stock ROM....
Nobody asked about it, so I have to.
I read somewhere that this 4X version could help with the bootloader..
So how do I check whether the phone is the developer version?
Sent from my LG-P880 using xda app-developers app
Developer versions have 09x firmware
reas0n said:
Developer versions have 09x firmware
I saw that the version information in the hidden menu says the AP bootloader version is unknown. What does this mean? Is yours the same as mine?
Sent from my LG-P880 using xda app-developers app
I don't have a dev phone and have 'unknown', but I think this option just doesn't mean anything.
reas0n said:
I don't have a dev phone and have 'unknown', but I think this option just doesn't mean anything.
I found that too.
It means the bootloader is completely isolated from the system itself,
and the OS doesn't have access to the bootloader or its info, for that matter.
The Troll said:
I found that too.
It means the bootloader is completely isolated from the system itself,
and the OS doesn't have access to the bootloader or its info, for that matter.
Got it.
Sent from my LG-P880 using xda app-developers app
Could someone paste me the User-Agent for the developer's version please...?
http://whatsmyuseragent.com/
It really would be nice if someone with a developer edition could go on this website and post the user agent here. :good:
Any word on when someone will be acquiring an exploit to unlock the AT&T Moto X bootloader?
dgross1123 said:
Any word on when someone will be acquiring an exploit to unlock the AT&T Moto X bootloader?
An exploit is highly unlikely. The Moto X bootloader is extremely secure. You may be able to get unlocked through the china middleman - see that thread for details.
Just bought one myself..great phone would love to root it.
Sent from my XT1058 using Tapatalk
reedcasechris420 said:
Just bought one myself..great phone would love to root it.
Sent from my XT1058 using Tapatalk
You can root it now - see the PIE thread. Unfortunately, this is a partial root - no write access to /system and no custom recovery. Root is lost upon reboot and you must perform the procedure again. Still useful for things like Xposed and WiFi Tether....
The better option is to try to unlock the bootloader. Since you are using an XT1058 (I'm guessing AT&T branded?) your only option is the china middleman.
Good Luck
samwathegreat said:
You can root it now - see the PIE thread. Unfortunately, this is a partial root - no write access to /system and no custom recovery. Root is lost upon reboot and you must perform the procedure again. Still useful for things like Xposed and WiFi Tether....
The better option is to try to unlock the bootloader. Since you are using an XT1058 (I'm guessing AT&T branded?) your only option is the china middleman.
Good Luck
My brother just did it.. nothing fancy, doesn't give you write permissions or anything... I might as well do it right and go all out with the code. I did contact the person for the codes and he is still doing them and has one for my 06-build phone. I will be getting it this day and report back.
Sent from my XT1058 using Tapatalk
samwathegreat said:
An exploit is highly unlikely. The Moto X bootloader is extremely secure. You may be able to get unlocked through the china middleman - see that thread for details.
Does anyone know where this guy is getting the codes from? Surely he has a program or something that generates them based on the IMEI.
joshua.justice said:
Does anyone know where this guy is getting the codes from? Surely he has a program or something that generates them based on the IMEI.
http://forum.xda-developers.com/showpost.php?p=53423452
joshua.justice said:
Does anyone know where this guy is getting the codes from? Surely he has a program or something that generates them based on the IMEI.
No. He got his hands on moto's database.
KJ said:
No. He got his hands on moto's database.
He has weird access to it... some days he can do them, other days he can't. I wish we had someone in the States with access to it.
Sorry for the noob question but figured it couldn't hurt to ask lol, thanks
Hello
Hello,
Rooting is simple by using the Motorola website.
Unless I don't understand your question correctly.
MikeNaples said:
Hello,
Rooting is simple by using the Motorola website.
Unless I don't understand your question correctly.
Not everyone has a Dev Edition, or an unlockable version. Those on AT&T and Verizon (and a few others) are unable to get BL unlock codes from Moto's unlock website and hence have to use other methods (such as the PIE exploit).
superp32 said:
Sorry for the noob question but figured it couldn't hurt to ask lol, thanks
No. If you were still on 4.4 (with WRITE protection disabled), you could 'run' a 4.4.2 safestrap stock-based rom, but if you are on 4.4.2 there is no write protect disable exploit available. No write protection disable exploit = no safestrap = no custom recovery. Sorry.
I guess I forgot that not everyone has a developer edition.
My bad.