Pixel fastboot secret commands and bootloader RIPping - Google Pixel XL Guides, News, & Discussion

Hey there folks, I was trying to find the white boot logo of the Pixel in the bootloader img and, while exploring, I came across some interesting fastboot secrets...
On a Linux machine:
Code:
strings bootloader-marlin-8996-012001-1702151126.img | grep "flashing"
gives output:
Code:
cmd_flashing_get_unlock_bootloader_nonce
cmd_flashing_unlock_bootloader
cmd_flashing_lock_bootloader
%s: flashing kernel
%s: flashing ramdisk
%s: invalid flashing type
invalid flashing type
flashing unlock
flashing lock
flashing lock_critical
flashing unlock_critical
flashing get_unlock_ability
flashing get_unlock_bootloader_nonce
flashing unlock_bootloader
flashing lock_bootloader
Code:
strings bootloader-marlin-8996-012001-1702151126.img | grep "oem"
gives output:
Code:
cmd_oem_flag_batt_disable_safty_timer
cmd_oem_flag_htc_radio_debug_func
cmd_oem_flag_batt_for_pa_test
cmd_oem_flag_batt_disable_tbatt_protect
cmd_oem_flag_batt_keep_charge_on
cmd_oem_flag_uart
cmd_oem_flag_batt_test_pwr_supply
cmd_oem_dsir add=0x%x, value=0x%x
fastboot oem dsir 53
fastboot oem dsiw 51 FF
Usage: oem get_ks_token [frp|ftm|download] [reboot count]
Reset the stored oem panel in device info
cmd_oem_ramdump failed
oem unlock is not allowed
write_allow_oem_unlock failed
oem reboot-download
oem reboot-ftm
oem rebootRUU
oem listpartition
oem listram
oem dmesg
oem last_dmesg
oem update_emmc_partition
oem read_mmc
oem write_mmc
oem test_emmc
oem ufs_get_lun
oem ufs_set_lun
oem erase_phone_storage
oem unlock
oem lock
oem device-info
oem show-barcodes
oem ramdump
oem getcolorid
oem setcolorid
oem getcid
oem setcid
oem enable-charger-screen
oem disable-charger-screen
oem off-mode-charge
oem select-display-panel
oem readconfig
oem writeconfig
oem easydump
oem readunlock
oem dumpDataCode
oem dsiw
oem dsir
oem ddrtest
oem dump_ram_full
oem get_ks_token
oem get_anti_theft_status
oem sha1sum
oem readmeid
oem refurbish
oem batt_enable_bms_charger_log
oem batt_disable_tbatt_protect
oem batt_enable_fast_charge
oem batt_test_pwr_supply
oem batt_for_pa_test
oem batt_disable_safty_timer
oem batt_keep_charge_on
oem uart
oem htc_radio_debug_func
oem htcramdump
oem autordump2storage
cmd_oem_easydump
cmd_oem_flag_autordump2storage
cmd_oem_flag_batt_enable_bms_charger_log
cmd_oem_flag_batt_enable_fast_charge
cmd_oem_ramdump
cmd_oem_flag_htcramdump
oemerr_%x
androidboot.oem_unlock_support=
oemerr_99
Usage: oem ddrtest 0x<addr> 0x<size> <round> [<break>]
Default test: oem ddrtest 0 0 0
ABT_Propdata_oem
NOCError_Propdata_oem
BIMCError_Propdata_oem
use_oem_external_hdcp
oem_pshold_config
/tz/oem
oem=M
/secboot/oem_secapp
/secboot/oem_general
/tz/oem
macchiato_read_oem_pk_hash() failed {0x%x}
oem_pshold_config
ABT_Propdata_oem
NOCError_Propdata_oem
BIMCError_Propdata_oem
I don't want to fire up my device by giving it random commands, so if you are curious enough and have a spare device, I'd love to know further outputs...
For example, the command:
fastboot flashing unlock_critical (will it forcefully unlock?? even Verizon???)
Please share the output of this command if you are on an unlocked bootloader (this can help me find the splash image and other hidden partitions):
fastboot oem listpartition
So far I have found two image-like files (.rgb) inside the bootloader...
dead_battery.rgb
dead_battery_charging.rgb
Thanks in advance if you are going to help me...

The get/setcolorid seems like it would be useful if someone wants to replace their backplate with an eBay one that has a different colour; my HTC One M9 also has this command.
Unfortunately it requires the bootloader to be unlocked even if I just wanna use the getcolorid command (which, from what it says, makes no changes to the device):
PS D:\Desktop\platform-tools> .\fastboot.exe oem getcolorid
...
(bootloader) Command is not supported.
(bootloader) Please unlock device to enable this command.
FAILED (remote failure)
finished. total time: 0.097s

This is some good info. If you have anything else please do share with us Verizon Pixelerz because we do have a few members trying to figure out an exploit.. looks like this could help with reverse engineering the lock/unlock method for us. It's a start, right? Thank you very much OP.

I tried some of these commands too but many needed the boot loader to be unlocked.
This was on Pixel 2 XL

AndroidUser00110001 said:
I tried some of these commands too but many needed the boot loader to be unlocked.
This was on Pixel 2 XL
Too bad we can't get a script to execute these commands in some sequence to trigger a bug that lets us in... I just don't know..

this is actually a pretty cool post...
My Pixel is unlocked and so I haven't had much interest in poking around with the bootloader... unfortunately, I don't have an extra Pixel, otherwise I would for sure be investigating this. Very curious. (But unwilling to sacrifice my phone. lol).

C:\platform-tools>fastboot oem device-info
...
(bootloader) Device tampered: false
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
(bootloader) Display panel:
OKAY [ 0.190s]
finished. total time: 0.191s
C:\platform-tools>fastboot oem get_ks_token
...
(bootloader) INFO< Please cut following message >
(bootloader) INFO<<<< Identifier Token Start >>>>
(bootloader) INFO<<<<< Identifier Token End >>>>>
OKAY [ 0.540s]
finished. total time: 0.541s

Related

[HELP] Device tampered?

It says that the bootloader is unlocked, but in developer options I can't even select allow OEM unlock (it turns off when I press OK)
Code:
fastboot -i 0x2b4c oem device-info
...
(bootloader) Device tampered: true
(bootloader) Device unlocked: true
(bootloader) Charger screen enabled: false
(bootloader) Display panel:
OKAY [ 0.008s]
finished. total time: 0.008s
What's wrong with that? The tampered bit in the bootloader does you no harm. It just means the system partition was modified (like when you install a custom ROM).
MrColdbird said:
What's wrong with that? The tampered bit in the bootloader does you no harm. It just means the system partition was modified (like when you install a custom ROM).
But why can't I select OEM unlock in developer options?
maryankomar said:
but why can't i select oem unlock in developer options?
It says it's unlocked!
Just checked on the numbers of your account. I suggest you go and do a lot of reading about what you are doing

Locked out of OP2 A2003: recovery mode failed, developer options disabled

I forgot my new Pattern lock. I had TWRP but it is not working now. Volume Down + Power button just gives a blank screen. After the Oxygen OS latest update, the developer options have been disabled which means OEM unlock and USB debugging are disabled.
Android Device Manager is not helping. I try erasing from the ADM but phone says rebooting and just switches off.
This is what happens when I boot into fastboot using volume up + power:
Code:
fastboot oem unlock
...
FAILED (remote: oem unlock is disabled)
finished. total time: 0.016s
fastboot oem device-info
...
(bootloader) Device tampered: true
(bootloader) Device unlocked: false
(bootloader) Device is_verified: false
(bootloader) Charger screen enabled: false
(bootloader) Display panel:
(bootloader) console_ locked: 1
(bootloader) exec_console_unconsole: 0
OKAY[0.08s]
finished. total time: 0.078s
Code:
adb devices
List of devices attached
adb does not detect any devices either.
What do I do?
The procedure mentioned in Technobuzz Unbrick oneplus 2 is not working either. Nothing seems to be happening after step 8. (Cannot post outside link as I am newbie)
http://forum.xda-developers.com/one...k-to-solve-t3325419/post65579304#post65579304
Similar case, refer to solutions posted
ciber05 said:
http://forum.xda-developers.com/one...k-to-solve-t3325419/post65579304#post65579304
Similar case, refer to solutions posted
Found this method in the above quoted post which worked like a charm.
http://forum.xda-developers.com/oneplus-2/general/guide-unbrick-recover-oneplus-2-to-t3269543
Thanks

Re-locking bootloader but is unlocked at each reboot

Hi everyone,
I went back to stock recovery and stock ROM (5.9.020S) in order to use Android Pay.
But I am facing one last issue for locking the device. Each time I go into fast boot mode, I lock the device, I check with device-info, it confirms it is locked. However after reboot I check again it has reverted back as unlocked.
How can I lock it persistently?
It is as if there is a script somewhere at boot that automatically unlocks the device bootloader.
- flash the aboot from stock ROM
- flash the xbl from stock ROM
- do not reboot to keep the bootloader still unlocked
- boot in TWRP (do not flash)
- wipe, factory reset, format, reboot system
In order to do what you suggest, I flashed TWRP recovery first. Then I followed all the steps. Then I tried to flash the stock recovery back and tried to lock. Unfortunately, it did not help, still the same issue.
In fastboot, I do "fastboot flashing lock" or "fastboot oem lock". Then I check the status with "fastboot oem device-info". Right after, I always get "Device unlocked: false" which is good and confirm the lock has worked at first.
But if I reboot the bootloader and try again, then the status is back to "Device unlocked: true" and the device is unlocked again. It keeps unlocking after reboot if I attempt to lock.
I need to have the device NOT unlocked in order to use Android Pay. So now, I am not sure what to do to be able to lock the device...
You don't need to flash TWRP in fact sometimes you don't need it (if there is no encryption but do it to be sure) right after flashing
fastboot flash xbl xbl.elf
fastboot flash aboot emmc_appsboot.mbn
These were indeed the files I flashed previously for aboot and xbl.
I tried again to flash the files in fastboot mode, then lock the device with "fastboot oem lock". After reboot, it is unlocked again.
Did you extract those files from 20s or any official OTA zip? Flashing those files is guaranteed to lock the bootloader again. I've tried it many times already so not sure what else could be missing.
What is being displayed when you do right after the flashing and TWRP steps?
Like this?
fastboot oem device-info
...
(bootloader) Device product name: [le_zl1_oversea]
(bootloader) Device tampered: false
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: true
(bootloader) Charger screen enabled: false
(bootloader) Serial console enabled: false
(bootloader) Serial hw output enabled: false
(bootloader) Display panel:
OKAY [ 0.097s]
finished. total time: 0.098s
See this thread if it will help...
https://forum.xda-developers.com/le-pro3/how-to/guide-return-to-stock-lock-bootloader-t3539513
I got the files from 20S. It really does not work for me.
I do:
fastboot flash xbl xbl.elf
fastboot flash aboot emmc_appsboot.mbn
After this when I check, it is like this (before and after reboot):
(bootloader) Device product name: [le_zl1_whole_netcom]
(bootloader) Device tampered: false
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: true
(bootloader) Charger screen enabled: false
(bootloader) Serial console enabled: false
(bootloader) Serial hw output enabled: false
(bootloader) Display panel:
OKAY [ 0.110s]
finished. total time: 0.111s
Anyway, thanks for trying to help me!

Fastboot can't flash or boot TWRP

I already did the same on other phones, but I can't with this lavender:
I boot in fastboot mode and I run `fastboot oem device-info` to check status:
Code:
$ fastboot oem device-info [15:20:59]
(bootloader) Verity mode: true
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: true
(bootloader) Charger screen enabled: false
OKAY [ 0.001s]
Finished. Total time: 0.001s
And it seems ok.
Now I try
Code:
$ fastboot flash recovery recovery.img
and it gets stuck there and doesn't do anything.
I tried different PCs and different cables, nothing makes it work!
Normally it only lasts some seconds...
What should I try?
Thanks in advance :silly:

unlocking bootloader

I have a Motorola Moto C. How do I unlock the bootloader? The fastboot oeam get_unlock_data command says it's an unknown command.
Presumably that's a typo in your quote?
You should quote exactly what happened so people can help.
There are two different errors, local or remote.
Code:
C:\>fastboot stupidcmd
fastboot: usage: unknown command stupidcmd
C:\>fastboot oem stupidcmd
(bootloader) 'stupidcmd' is not a supported oem command
(bootloader) See 'fastboot oem help'
FAILED (remote: '')
fastboot: error: Command failed
Have you tried fastboot oem help?
To answer your question, I believe that Motorola in general has stopped supporting fastboot unlocking on the less expensive models.
Renate said:
Presumably that's a typo in your quote?
You should quote exactly what happened so people can help.
There are two different errors, local or remote.
Code:
C:\>fastboot stupidcmd
fastboot: usage: unknown command stupidcmd
C:\>fastboot oem stupidcmd
(bootloader) 'stupidcmd' is not a supported oem command
(bootloader) See 'fastboot oem help'
FAILED (remote: '')
fastboot: error: Command failed
Have you tried fastboot oem help?
To answer your question, I believe that Motorola in general has stopped supporting fastboot unlocking on the less expensive models.
I did try fastboot oem help but it didn't help, and it's not the typo, and the error is remote.
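
The `oem device-info` replies and the local-versus-remote failures quoted in the threads above, as an added example that is not part of any post: a Python parser for one fastboot transcript that separates host-side errors from device refusals and lists each flag that keeps a device from being fully locked. The sample transcripts are constructed from the output formats shown in the posts, and the function names are hypothetical.

```python
import re

# Constructed transcripts modelled on the output quoted in the posts; names are illustrative.
SAMPLES = {
    "relocked": "...\n(bootloader) Device tampered: false\n(bootloader) Device unlocked: false\n"
                "(bootloader) Device critical unlocked: true\n(bootloader) Display panel:\n"
                "OKAY [ 0.097s]\nfinished. total time: 0.098s\n",
    "refused": "...\nFAILED (remote: oem unlock is disabled)\nfinished. total time: 0.016s\n",
    "gated": "...\n(bootloader) Command is not supported.\n"
             "(bootloader) Please unlock device to enable this command.\nFAILED (remote failure)\n",
    "unknown_oem": "(bootloader) 'stupidcmd' is not a supported oem command\n"
                   "FAILED (remote: '')\nfastboot: error: Command failed\n",
    "local": "fastboot: usage: unknown command stupidcmd\n",
}

FIELD = re.compile(r"\(bootloader\)\s*([^:]+):\s*(.*)")
REMOTE = re.compile(r"FAILED \(remote:?\s*(.*)\)")

def parse_transcript(text):
    """Split one fastboot invocation into status, failure reason and key/value fields."""
    out = {"status": "unknown", "reason": None, "fields": {}, "messages": []}
    for line in map(str.strip, text.splitlines()):
        field, remote = FIELD.fullmatch(line), REMOTE.fullmatch(line)
        if field:
            out["fields"][field.group(1).strip().lower()] = field.group(2).strip()
        elif line.startswith("(bootloader)"):
            out["messages"].append(line[len("(bootloader)"):].strip())
        elif line.startswith("OKAY"):
            out["status"] = "okay"
        elif remote:  # the device answered and refused
            reason = remote.group(1).strip("'")
            if reason in ("", "failure"):  # reason, if any, came in (bootloader) lines
                reason = " ".join(out["messages"]) or None
            out.update(status="remote_failure", reason=reason)
        elif line.startswith("fastboot: usage:"):  # raised by the host-side tool
            out.update(status="local_error", reason=line.split("usage:", 1)[1].strip())
    return out

def audit_lock_state(fields):
    """List every reported flag that keeps the device from being fully locked."""
    checks = [("device unlocked", "bootloader unlocked"),
              ("device critical unlocked", "critical partitions unlocked"),
              ("device tampered", "tamper flag set")]
    findings = [msg for key, msg in checks if fields.get(key, "").lower() == "true"]
    if "device unlocked" not in fields:
        findings.append("lock state not reported")
    return findings
```

On the `relocked` sample the audit reports `critical partitions unlocked` even though `Device unlocked` is `false`, the combination shown in one of the re-locking replies.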
