System Verity ChecksThanks to the investigation of @nkk71
nkk71 said:
first off, sorry @jollywhitefoot that word just doesnt work well with me, i know what it means, how it's used (harmless), it just hits a nerve
My Final Conclusion
As I have suspected it's the
[ro.boot.veritymode]: [enforcing] --> good
vs
[ro.boot.veritymode]: [logging] --> BAD, and will result with the
"There was an unexpected error and the file system may be corrupted. Please contact HTC support for further assistance."
encryption has nothing to do with it by the way.
So here's a breakdown of what happens during a normal boot.
1) aboot starts, "does stuff"
2) then hands over to boot.img for further processing
3) which should eventually end up with a booting the ROM
This is what a normal (verity=enforcing) would look like:
Code:
aboot part:
...
[510] read_device_info_mmc:read device info from mmc
[520] htc_read_device_info: verity_mode = enforcing
....
kernel/boot.img part:
...
...
How to break it (DO NOT DO THIS): have your boot.img use verified boot (ie verity checking on a modified system partition, by having the "verify" flag in fstab), since system won't pass the check, this will happen:
Code:
aboot is still OK:
...
[500] read_device_info_mmc:read device info from mmc
[510] htc_read_device_info: verity_mode = enforcing
...
BUT once it hits the kernel/boot.img
....
[ 2.737990] c0 466 fs_mgr: Enabling dm-verity for system (mode 1)
[ 2.801811] c1 53 device-mapper: verity: verity_verify_io:io_real_digest=a48df664 io_want_digest=a43baac3
[ 2.801826] c1 53 device-mapper: verity: 259:30: data block 0 is corrupted
[ 2.802645] c1 53 device-mapper: verity: verity_verify_io:io_real_digest=5c67cc54 io_want_digest=5864f2b1
[ 2.802659] c1 53 device-mapper: verity: 259:30: data block 1 is corrupted
[ 2.808372] c0 6 device-mapper: verity: verity_verify_io:io_real_digest=2a70e9c0 io_want_digest=7bafd223
[ 2.808386] c0 6 device-mapper: verity: 259:30: data block 243 is corrupted
[ 2.826504] c1 53 device-mapper: verity: verity_verify_io:io_real_digest=6dff1798 io_want_digest=b40f453c
[ 2.826520] c1 53 device-mapper: verity: 259:30: data block 950780 is corrupted
unfortunately no matter what you restore in TWRP, any following bootup will already be set to "logging" from aboot (because one or several partitions have been "flagged",
so the kernel/boot.img verification won't matter any more
Code:
...
[530] read_device_info_mmc:read device info from mmc
[540] htc_read_device_info: verity_mode = logging
....
this will be passed on to kernel/boot.img and then to the ROM, which the Updater will now consider a corrupt emmc
How to fix: (you tell me)
i've had limited success, in restoring back to "enforcing" instead of "logging", on occasion (no RUU yet), and nothing "conclusive"
and given the amount of [low level] partitions that are now messed up, i have no further info
so yay.... i'm about as close to bricking as possible for the moment
Click to expand...
Click to collapse
Data Encryption and Data SignalShort Story:
Decrypting the DATA partition will break signal
Full Story:
I was testing out data decryption one day and did some tests. Soon I found out that my phone cannot receive any signal.
At first, I thought it was caused by Xposed, so I restore system and boot, flash SuperSU to patch the boot image. The result is still the same, no signal.
Then I thought it might be SuperSU, so I manually modified the fstab of the ramdisk, the signal is still broken.
Before doubting the hardware might be broken, I restored everything back to stock (include forceencrypt boot), and it everything works!!
I've done the tests above several times, just in case I missed anything. The results are always the same: once the data is decrypted, the signal won't work.
Conclusion:
Don't try to decrypt your data until people found out the reasons.
I look forward to exploring this further once I have my 10. Looks like it'll be loads of fun
I wouldn't worry about s-off, soon enough. SunShine will support m10 in the near future (dont ask for ETAs or anything of the sort). There are bound to be some issues we need to fix up once we have our devices, but I am confident we will find a solution shortly.
I'd also stick to flashing full RUUs (official or repacks, makes little difference) when updating a modified device, I've never been a fan of OTAing a modified device, and there is a lot of good reasons not to. Especially if the new boot.img is fully expecting an encrypted userdata partition and you don't have one. Rom developers, recovery developers, kernel developers, and yes exploit developers need to get used to working with an encrypted userdata partition.
If you can get me a logcat from boot on wards on a unencrypted device with radio not working, I will gladly look at it.
topjohnwu said:
To Moderators: I'm not sure if this thread belongs to the developments section, what I'm thinking about is that most people will look at development threads before unlocking bootloaders. Feel free to move this thread to the appropriate sections, but I hope no matter where it goes, this thread could be stickied, since it is quite important.
Everything below is confirmed by various Taiwanese users. Being one of the early adopters, I'm here to step on the mines and do experiments for all of you.
About OTAShort Story:
ALL DEVICES BOOTLOADER UNLOCKED CANNOT RECEIVE OTAs
It might be caused by recovery mismatch, we still cannot know
Full Story:
You got your new phone, and you can't wait to unlock your bootloader, flash TWRP and all the goodies, right?
This is what I have done with my 10, but...
Wait a second!!
The first OTA has just be pushed here in Taiwan, and a weird thing is happening...
Everyone with their phone unlocked and flashed TWRP CANNOT receive the OTA.
It doesn't mean that the OTA cannot be applied, what I mean is your device will be greeted with this screen if an update is available:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Viewing the logcat, it spits out this message:
Code:
1557 8835 W htcCheckinService: The device is emmc error case, can't let user get fota update.
This doesn't mean my system partition is tampered, I've backup the untouched system images.
I am now updated with some special tricks using my system image backup, this shows that my image is legit and untampered.
So the problem isn't that simple.
After a few hours of investigation, I successfully fixed the issue... WITH QUITE SOME EFFORT.
It will take some time to write a complete guide about the procedure. Stay tuned for more details.
Conclusion:
Follow the tiresome guide (I'm going to release soon), or wait for S-OFF to happen.
About Data EncryptionShort Story:
ALL DEVICES WITH DECRYPTED DATA CAN NOT RECEIVE DATA SIGNAL
Full Story:
I was testing out data decryption one day and did some tests. Soon I found out that my phone cannot detect any signal.
First I thought it was caused by Xposed, so I restore system and boot, flash SuperSU to patch the boot image. The result is still the same, no signal.
Then I thought it might be SuperSU, so I manually modified the fstab of the ramdisk, the signal is still broken.
Before doubting the hardware might be broken, I restored everything back to stock (include forceencrypt boot), and it everything works!!
I've done the tests above several times, just in case I missed anything. The result is always the same: once the data is decrypted, the signal won't work.
Conclusion:
Don't try to decrypt your data until people found out the reasons.
Click to expand...
Click to collapse
jcase said:
I wouldn't worry about s-off, soon enough. SunShine will support m10 in the near future (dont ask for ETAs or anything of the sort). There are bound to be some issues we need to fix up once we have our devices, but I am confident we will find a solution shortly.
I'd also stick to flashing full RUUs (official or repacks, makes little difference) when updating a modified device, I've never been a fan of OTAing a modified device, and there is a lot of good reasons not to. Especially if the new boot.img is fully expecting an encrypted userdata partition and you don't have one. Rom developers, recovery developers, kernel developers, and yes exploit developers need to get used to working with an encrypted userdata partition.
If you can get me a logcat from boot on wards on a unencrypted device with radio not working, I will gladly look at it.
Click to expand...
Click to collapse
Here you go
RUUs are not easy to get, especially the newer devices that are not US versions.
Really hope HTC can provide official RUUs to restore our devices.
topjohnwu said:
Here you go
RUUs are not easy to get, especially the newer devices that are not US versions.
Really hope HTC can provide official RUUs to restore our devices.
Click to expand...
Click to collapse
We will see RUUs for it
Will look when i get back home
@topjohnwu
Can you upload a copy of the OTA zip when you get a chance? I'm curious to see how the contents look. Thanks!
Captain_Throwback said:
@topjohnwu
Can you upload a copy of the OTA zip when you get a chance? I'm curious to see how the contents look. Thanks!
Click to expand...
Click to collapse
I'm uploading everything now
Just curious - if this ends up being a huge PITA, anyone know what HTC's return policy is? For me it was between the 10 and the Exynos S7, and I'm giving this a try first.
Does Sammy encrypt the data portion on the S7s as well?
Glad to see Sunshine's coming our way!
He mentioned TWRP. Did he try stock recovery? (or did I miss that in the post?)
Don't get me wrong; I know the guy is a wizard with HTC devices, but I want to know that was tried and failed...
Sent from my HTC One_M8 using Tapatalk
I had tried restoring the system back to 1.21.709.2, then flash 1.30.709.1 stock recovery, still the OTA won't show up on the device.
So it might detect that the recovery and system doesn't match and refuse to push update. There is possibility that HTC is not actually detecting the boot loader unlock, but instead detecting the stock recovery.
However, I have no chance to test it since there is no way to get 1.20.709.2 stock recovery, only if someone unlocks the boot loader now and test if he can detect the OTA, or HTC releases a new OTA so I can test from 1.30.709.1
topjohnwu said:
I had tried restoring the system back to 1.21.709.2, then flash 1.30.709.1 stock recovery, still the OTA won't show up on the device.
So it might detect that the recovery and system doesn't match and refuse to push update. There is possibility that HTC is not actually detecting the boot loader unlock, but instead detecting the stock recovery.
However, I have no chance to test it since there is no way to get 1.20.709.2 stock recovery, only if someone unlocks the boot loader now and test if he can detect the OTA, or HTC releases a new OTA so I can test from 1.30.709.1
Click to expand...
Click to collapse
Did you revert your main version? That's the only way you'd be able to take the OTA again.
Captain_Throwback said:
Did you revert your main version? That's the only way you'd be able to take the OTA again.
Click to expand...
Click to collapse
Yes of course
It is the same issue, same logcat error.
So I simply guess that HTC blocked all bootloader unlocked phones to receive OTA. But it might be detecting the matched recovery with the system though.
Have to wait for someone to unlock their bootloader, or HTC has to release the next OTA for me to test (right now I only got the new recovery)
However, the new recovery still works on the old version.
The trick I used to upgrade my device is about grabbing/guessing the OTA link from HTC server. Then I can manually flash the OTA zip.
So considering these issues, there is no stable root for the 10 as it will cause the signal to drop off right?
Sent from my Galaxy S7 Edge
mahdibassam said:
So considering these issues, there is no stable root for the 10 as it will cause the signal to drop off right?
Click to expand...
Click to collapse
Incorrect. You can still root via the usual/normal means. You just can't be decrypted. That's apparently what is breaking signal.
(Apr 26 Update)
By tests from other HTC 10 owners, we now confirmed that unlocked bootloader without any modifications can receive the OTA.
So it means that HTC didn't detect the bootloader status when pushing OTAs, it is depending on other factors.
What comes up my mind is the following two possibilities (both personal guesses, no confirmations):
The 1.21 stock recovery is different from the 1.30 one, although both functions the same and can accept flashing the OTA.
HTC checks if the stock recovery is valid before allowing the OTA to show up on the device.
HTC introduces some protection method like the Samsung knox: un-official boot images cause the phone to write some flags to the device.
If this is the case, @jcase might be interested in it
Captain_Throwback said:
Incorrect. You can still root via the usual/normal means. You just can't be decrypted. That's apparently what is breaking signal.
Click to expand...
Click to collapse
Oh ok. Marshmallow is encrypted by default if I'm not wrong, so if you don't manually decrypt you should be ok then? Also, since there is no root here on XDA for the 10, we would just have to flash twrp and download and flash super su and that's it? Thanks for your reply.
Sent from my Galaxy S7 Edge
mahdibassam said:
Oh ok. Marshmallow is encrypted by default if I'm not wrong, so if you don't manually decrypt you should be ok then? Also, since there is no root here on XDA for the 10, we would just have to flash twrp and download and flash super su and that's it? Thanks for your reply.
Click to expand...
Click to collapse
Correct. You can choose any root method (SuperSU isn't the only option), but that's been the standard way to root HTC devices for the past several years.
Maybe I misunderstood, but didn't someone say that we needed to be decrypted in order to put a Rom on, it us that just so we don't have to wipe the /data and internal SD each time?
Sent from my HTC One_M8 using XDA Free mobile app
Superguy said:
Maybe I misunderstood, but didn't someone say that we needed to be decrypted in order to put a Rom on, it us that just so we don't have to wipe the /data and internal SD each time?
Sent from my HTC One_M8 using XDA Free mobile app
Click to expand...
Click to collapse
Yes, that's the usual case. What I was pointing out here is that, you can no longer decrypt the data partition anymore (at least for now).
If you want to flash roms, you have to use external sdcard or use adb sideload, and yes if you want to clear data, you have to also clear all internal storage.
topjohnwu said:
(Apr 26 Update)
By tests from other HTC 10 owners, we now confirmed that unlocked bootloader without any modifications can receive the OTA.
So it means that HTC didn't detect the bootloader status when pushing OTAs, it is depending on other factors.
What comes up my mind is the following two possibilities (both personal guesses, no confirmations):
The 1.21 stock recovery is different from the 1.30 one, although both functions the same and can accept flashing the OTA.
HTC checks if the stock recovery is valid before allowing the OTA to show up on the device.
HTC introduces some protection method like the Samsung knox: un-official boot images cause the phone to write some flags to the device.
If this is the case, @jcase might be interested in it
Click to expand...
Click to collapse
When you manually modified the boot.img while decrypted, what exactly did you change? It is possible that the system is performing a checksum validation of the boot block device to determine whether it's been modified, prior to allowing an OTA to install. But it's also possible that certain modifications to the ramdisk cause it to error out as well.
It might just perform the same signature check that causes the "red text" to appear when booting the device, in which case yes, the boot.img would need to be fully stock for the device to accept an OTA. As long as the recovery is signed and is from the current OTA of the previous version, that shouldn't be an issue for taking the OTA, as the only check done there should be for the device name and build fingerprint.
Related
Hello, I am completely new so I apologize if this is the wrong place.
I wanted to be able to lock my bootloader but still use cyanogenmod, specifically, only allow roms that I have compiled myself and signed with my cert to work on my phone. I unpacked the stock recovery.img, and made the necessary changes to the ramdisk to replace the stock OnePlus key with my own. I then was then able to confirm that only my signed zips could be sideloaded, both official CM and OxygenOS zips failed - just as I wanted.
The issue is then that this only worked with an unlocked bootloader. When I locked it, the OP3 entered a boot cycle, with a strange graphical glitch appearing then the screen going black, again and again. I could then no longer boot to either recovery or cyanogenmod, nor could I unlock fastboot. This amazing guide got my phone working again.
I now have three questions. What prevented my phone booting after I locked it, how does the unbrick tool work, and is there anything I can alter, like certifications or hashes, lower down in the boot sequence to allow only my signed images to work (using the previous tool. I am unsure what QLoader is, some form of serial interface to the 820 to write to the storage chip?).
Thanks for any advice you can offer!
Update: I have unpacked boot.img provided in the unbrick tool. I cannot find any keys to modify in /res but I have found a file called "verify_keys". Does anyone know what I need to change in boot.img to allow my self-signed recovery and os to boot? Thanks
UPDATE 2:
From reading some Android notes it appears that instead of replacing the OEM key, you can also just use fastboot to flash keystores for self-signed recovery and roms. This still allows OEM signed images to run, but is certainly a step in the right direction. I have run into an issue with building a correct keystore. I can use keytool and import my previous certs, but "fastboot flash keystore examplename.keystore" fails. I saw "fastboot flash ssd keystore.dat" used, and it works with my current dot keystore file, but then after locking it fails to boot. I'm going to see how I can convert my .keystore to a .dat.
I've been meaning to ask this same question for a while now also, so I'm eager to see the response. I suspect the official OnePlus forums might be a good place to ask as well, since they are visited by engineers from OnePlus. For anyone else who's curious as to what's being discussed and better the understand the risks of an unlocked bootloader (and how to mitigate them), there's a brief article here as well as a paper.
It is always suggested that never re-lock the bootloader until there is valid reason to do it
JumboMan said:
It is always suggested that never re-lock the bootloader until there is valid reason to do it
Click to expand...
Click to collapse
Have you read any of the attached links in my last post? There are valid reasons for doing so.
Just to pose an oversimplified hypothetical, imagine going through immigration/customs in Saudi Arabia (or maybe even the U.S.) with a Android device that has an unlocked bootloader. The officer examines your possesions, then takes your laptop and phone into a back room. Your phone is powered down and encrypted so it's not like they can do anything, right? Wrong. They plug it into a forensics device and flash a surreptitious malware app onto /system before returning it back to you. Then, the next time you turn on your phone your encryption keys and all your data, all your communications are secretly transmitted. You never have a clue... With a locked bootloader and appropriate precautions, that would never be possible.
Update 3:
I am now following the official Android guide for creating a keystore. They show how to create a "keystore.img" not .dat, bu the error I got when trying "fastboot flash keystore ..." said something along the lines of the keystore not being a valid image. Hopefully this will work. After I get this working, I will move on to removing or damaging the OEM key, hence not even allowing OnePlus images to be sideloaded.
JumboMan said:
It is always suggested that never re-lock the bootloader until there is valid reason to do it
Click to expand...
Click to collapse
I do have a valid reason - security. An unlocked bootloader means any code can be flashed to my device. Even with encryption it is vulnerable to cold boot attacks, it makes it easier to bruteforce, and pulling encryption keys from memory.
chocol4te said:
I do have a valid reason - security. An unlocked bootloader means any code can be flashed to my device. Even with encryption it is vulnerable to cold boot attacks, it makes it easier to bruteforce, and pulling encryption keys from memory.
Click to expand...
Click to collapse
sir prefer not rooting and staying on stock ROM with locked bootloader.
emptyragnarok said:
sir prefer not rooting and staying on stock ROM with locked bootloader.
Click to expand...
Click to collapse
Look, I'm sorry, I don't need any more useless comments saying the solution to my problem is to not do anything like on every other forum I've tried. I am perfectly aware of how to lock the bootloader with a stock rom, but I don't want to use the stock rom. I want to use custom roms. From what I have done so far it appears to be possible, so don't tell me it's not, at least without a good reason.
In addition, the stock method isn't even the most secure the phone can be. OnePlus can still sign any code and run it on my device and hence requires my trust in a third party that I am unwilling to give. I only want my own code to run.
Update 4:
Using the unbrick utility, I have updated the MD5 partition with the checksums of my modified boot and recovery partitions. Unfortunately, I am now getting a checksum failed error, with both the MD5 and recovery partitions highlighted in red. So I was wrong about the checksum being compared with hashes in the MD5 partition. Does anyone know where the lowest level checksums are stored? Hopefully if I can change that, then locking the bootloader will be no issue.
chocol4te said:
Update 4:
Using the unbrick utility, I have updated the MD5 partition with the checksums of my modified boot and recovery partitions. Unfortunately, I am now getting a checksum failed error, with both the MD5 and recovery partitions highlighted in red. So I was wrong about the checksum being compared with hashes in the MD5 partition. Does anyone know where the lowest level checksums are stored? Hopefully if I can change that, then locking the bootloader will be no issue.
Click to expand...
Click to collapse
Bro I am not a prolike you but I understand your vision now,... and I am with you in that.... Open Source stuff and ANdroid as an Open source impify that only... We should have our custom code for locking and unlocking our bootloader so we can have the full control over our device.... If not and the guy that said that you can lock the bootloader with the stock rom didn't get that .. even with stock rom and recovery anyone can have the access of the phone by just unlocking the boot loader and that is simple. SO I GOT YOUR VISION AND I AM WITH YOU I WILL TRY TO UNDERSTAND THE LOCKING SYSTEM OF THE BOOT-LOADER AND I WILL TRY TO FIND THE LOCATION OF LOWER LEVEL CHECKSLUMS... WE will try and try untill we succeed.... I AM WITH YOU BRO!!!!!
indroider said:
Bro I am not a prolike you but I understand your vision now,... and I am with you in that.... Open Source stuff and ANdroid as an Open source impify that only... We should have our custom code for locking and unlocking our bootloader so we can have the full control over our device.... If not and the guy that said that you can lock the bootloader with the stock rom didn't get that .. even with stock rom and recovery anyone can have the access of the phone by just unlocking the boot loader and that is simple. SO I GOT YOUR VISION AND I AM WITH YOU I WILL TRY TO UNDERSTAND THE LOCKING SYSTEM OF THE BOOT-LOADER AND I WILL TRY TO FIND THE LOCATION OF LOWER LEVEL CHECKSLUMS... WE will try and try untill we succeed.... I AM WITH YOU BRO!!!!!
Click to expand...
Click to collapse
Thanks! I'm glad to hear it!
chocol4te said:
Thanks! I'm glad to hear it!
Click to expand...
Click to collapse
You're most welcome bro.
Did I just witness a major bro-down?
Awsome thread, I'd also like to put my OP3 in a state where only ROMs I signed my self will run...
Any further development??
Sent from my Pixel XL using XDA-Developers mobile app
---------- Post added at 05:42 PM ---------- Previous post was at 05:41 PM ----------
indieross said:
Did I just witness a major bro-down?
Click to expand...
Click to collapse
Whats a bro down?
Sent from my Pixel XL using XDA-Developers mobile app
indroider said:
Any further development??
Sent from my Pixel XL using XDA-Developers mobile app
---------- Post added at 05:42 PM ---------- Previous post was at 05:41 PM ----------
Whats a bro down?
Sent from my Pixel XL using XDA-Developers mobile app
Click to expand...
Click to collapse
Sorry, other stuff came up. I am still very interested in getting this to work, but I am really stuck if I can't understand why the MD5 verification error occurs when I use Loader to flash the modified images. I looked at CopperheadOS, and in their documentation they show how to re-lock the bootloader with a custom ROM. Here is the shell script they use to upload the OS.
Code:
fastboot flash bootloader bootloader-bullhead-bhz11f.img
fastboot reboot-bootloader
sleep 5
fastboot flash radio radio-bullhead-m8994f-2.6.33.2.14.img
fastboot reboot-bootloader
sleep 5
fastboot -w update image-bullhead-nbd90z.zip
As you can see they flash two images, boot loader and radio, then update the main ROM. Then apparently it boots fine and the bootloader is OEM locked inside the OS. This was for the Nexus 5X, but I want to find out if a similar process is possible on the OP3.
I may also begin work on porting CopperheadOS to the OnePlus 3. I know it sounds unrealistic, but since OnePlus released the binaries and kernels it should make it slightly easier.
chocol4te said:
Sorry, other stuff came up. I am still very interested in getting this to work, but I am really stuck if I can't understand why the MD5 verification error occurs when I use Loader to flash the modified images. I looked at CopperheadOS, and in their documentation they show how to re-lock the bootloader with a custom ROM. Here is the shell script they use to upload the OS.
As you can see they flash two images, boot loader and radio, then update the main ROM. Then apparently it boots fine and the bootloader is OEM locked inside the OS. This was for the Nexus 5X, but I want to find out if a similar process is possible on the OP3.
I may also begin work on porting CopperheadOS to the OnePlus 3. I know it sounds unrealistic, but since OnePlus released the binaries and kernels it should make it slightly easier.
Click to expand...
Click to collapse
Ok.. Great to hear... Let me if you need any help.. I m here
chocol4te said:
Sorry, other stuff came up. I am still very interested in getting this to work ... ...
I may also begin work on porting CopperheadOS to the OnePlus 3. I know it sounds unrealistic, but since OnePlus released the binaries and kernels it should make it slightly easier.
Click to expand...
Click to collapse
This sounds exactly like what I was looking for. Have you been able to progress? Do you think that the bootloader and the radio are somehow linked in the boot verification sequence?
---------- Post added at 05:51 AM ---------- Previous post was at 05:43 AM ----------
chocol4te said:
UPDATE 2:
From reading some Android notes it appears that instead of replacing the OEM key, you can also just use fastboot to flash keystores for self-signed recovery and roms. This still allows OEM signed images to run, but is certainly a step in the right direction. I have run into an issue with building a correct keystore. I can use keytool and import my previous certs, but "fastboot flash keystore examplename.keystore" fails. I saw "fastboot flash ssd keystore.dat" used, and it works with my current dot keystore file, but then after locking it fails to boot. I'm going to see how I can convert my .keystore to a .dat.
Click to expand...
Click to collapse
Have you read this: https://mjg59.dreamwidth.org/31765.html
Hi All,
Currently got no radio signal on my EE HTC 10 due to flashing an incorrect rom. I lost my original backup - amateur.
Have spent a serious amount of time flashing various RUU, ROMS, radio.imgs, firmwares, even with @Kratos90 's patient assistance i'm stuck at square one.
If you have an EE HTC 10 - I'd really appreciate if you could let me know which RADIO/Baseband you are using, along with the OS and possibly ROM you are
using so i can try and give that combination a go.
Example: [email protected]_76.02F / 1.90.401.5
Trying really hard to get this fixed and not sure of the best avenue so hoping this may help.
Many thanks in advance.
Did you perhaps flash SuperSU through TWRP, or use a non-specific for the HTC 10 SuperSU file?
I just read online that doing so can alter the encryption flag and thus break phone signal. (https://www.andromods.com/fix-troubleshoot/rooted-htc-10-no-signal-lost-radio-issues.html)
If so, I am not too sure of what can be done, except maybe flashing the specific SuperSU?
killerojrc said:
Did you perhaps flash SuperSU through TWRP, or use a non-specific for the HTC 10 SuperSU file?
I just read online that doing so can alter the encryption flag and thus break phone signal. (https://www.andromods.com/fix-troubleshoot/rooted-htc-10-no-signal-lost-radio-issues.html)
If so, I am not too sure of what can be done, except maybe flashing the specific SuperSU?
Click to expand...
Click to collapse
Thanks for your suggestion, I have only ever flashed SuperSU once, when i first rooted the phone back in May. So I just did it again, I just tried the steps jcase provides here https://forum.xda-developers.com/htc-10/how-to/guide-root-optionally-s-off-radio-t3373025
3) Using adb, in twrp run - adb shell "echo KEEPFORCEENCRYPT=true>>/data/.supersu"
4) flash latest supersu from http://forum.xda-developers.com/apps...v2-05-t2868133
used - SR2-SuperSU-v2.79-SR2-20170103215521.zip
No Success unforunately - perhaps this SuperSU is not good for the current firmware i've got on there - have reverted back to 1.21.401 TWRP Backup for EVE__001 ( My carrier) but nothing is working.
Hopefully something will work! Welcome to any suggestions!
Thanks.
Is this a specific ee branded phone ? Is your device s off ?
Edit
I See you are s off. Which version of twrp you using ? this may be relevant
Currently 3.0.2-6pme but also had 3.0.3-unofficial-pme on there.
RUU should work if you're using the correct one for your device . Has this phone now been de-branded ?
I would try to format all data in twrp 3.0.3 then Ruu again . Leave root until you're back to square one
I've flashed various RUU and they all go fine but still no radio. I think i have broken encryption or something. Would format data in twrp fix that? I'm away from my pc and phone as am at work for now but will try when I'm back
Read twrp xda thread faq . Check you have the right ruu for your phone ( which I assume is non branded )
You should be good to sort this out, aside from hardware failure but it does sound as if encryption somewhere along your way has caused this
Since K10 is now rootable for MTK variants. Anyone who try to enter TWRP recovery using an app called Root Rashr Flash Tool to enter the recovery without using adb and PC. I use it before but not a 100% sure if I do it in a right way. So anyone? This may help a lot of us to know if K10 may enter TWRP without PC
As far as I remember rashr doesn't have option to boot recovery from storage, but have only options to install recovery or boot to installed one. For K10 fastboot is required to boot to twrp. I'm not sure why twrp can't be flashed..?
Professor Woland said:
As far as I remember rashr doesn't have option to boot recovery from storage, but have only options to install recovery or boot to installed one. For K10 fastboot is required to boot to twrp. I'm not sure why twrp can't be flashed..?
Click to expand...
Click to collapse
There is a security signature in the stock recovery image that would be required to be pasted into the twrp (like in case of Bump! but it's smarter on newer lg phones). Without it phone gets bricked. I guess this signature is also there in the boot image and after making systemless root this signature probably gets corrupted so i don't know how can our device boot up after systemless root . I read some comments that newer security level firmwares (december and january) can't be rooted and maybe this is the reason (i mean maybe in newer firmwares the boot partition is also verified by this signature).
We would need something like bump. I tried some hex editors and pasted the final lines to the end of the twrp from the stock recovery but it didn't work. I guess this signature is like a crc code so it might be generated from the image base but i have no idea how...
gottlasz said:
There is a security signature in the stock recovery image that would be required to be pasted into the twrp (like in case of Bump! but it's smarter on newer lg phones). Without it phone gets bricked. I guess this signature is also there in the boot image and after making systemless root this signature probably gets corrupted so i don't know how can our device boot up after systemless root . I read some comments that newer security level firmwares (december and january) can't be rooted and maybe this is the reason (i mean maybe in newer firmwares the boot partition is also verified by this signature).
We would need something like bump. I tried some hex editors and pasted the final lines to the end of the twrp from the stock recovery but it didn't work. I guess this signature is like a crc code so it might be generated from the image base but i have no idea how...
Click to expand...
Click to collapse
I really don't get them, if they want to sell phones which won't get much updates, than they should make it easyer to instal twrp/unlock bootloader/make custom rom.
Hm I would like to help but my reverse engineering/developing skils are poor. Any hints how to find that signature?
I tought twrp couldn't be flashed because of size, but that won't be big trouble however.
Professor Woland said:
I really don't get them, if they want to sell phones which won't get much updates, than they should make it easyer to instal twrp/unlock bootloader/make custom rom.
Hm I would like to help but my reverse engineering/developing skils are poor. Any hints how to find that signature?
I tought twrp couldn't be flashed because of size, but that won't be big trouble however.
Click to expand...
Click to collapse
Size is not a problem anymore. The recovery partition is 16Mb while the 3.0.2 TWRP is approx 11-12Mb. However i already gave up on searching the signature. I spent days on it and i found a signature (quite long one actually) in the end of each partition (boot, recovery, laf,...). I succesfully added the same signature from the stock recovery to the TWRP but it bricked the phone after i flashed it. Then i found that each signature differs a bit depending on firmware security level and the partition itself so i believe the signature is generated like a crc code or some secret way and totally firmware and partition dependent... no way to generate it by ourselves if we don't know the method.
P.S. i don't care if they sell phones i'm unable to root etc... but why on earth can we not delete unnecessary stock apps to free up space and memory...
gottlasz said:
Size is not a problem anymore. The recovery partition is 16Mb while the 3.0.2 TWRP is approx 11-12Mb. However i already gave up on searching the signature. I spent days on it and i found a signature (quite long one actually) in the end of each partition (boot, recovery, laf,...). I succesfully added the same signature from the stock recovery to the TWRP but it bricked the phone after i flashed it. Then i found that each signature differs a bit depending on firmware security level and the partition itself so i believe the signature is generated like a crc code or some secret way and totally firmware and partition dependent... no way to generate it by ourselves if we don't know the method.
P.S. i don't care if they sell phones i'm unable to root etc... but why on earth can we not delete unnecessary stock apps to free up space and memory...
Click to expand...
Click to collapse
In that case probably signature is from more parts one part is to verify to the phone, and one part is to verify the name or some other specific from recovery so you can't just paste signature to any recovery. If we only could "decrypt" signature. And find a way to create it. Could you upload that signature you found to pastebin or whatever you like?
Professor Woland said:
In that case probably signature is from more parts one part is to verify to the phone, and one part is to verify the name or some other specific from recovery so you can't just paste signature to any recovery. If we only could "decrypt" signature. And find a way to create it. Could you upload that signature you found to pastebin or whatever you like?
Click to expand...
Click to collapse
I'll send it to you tomorrow or on Monday in pm.
Moto G7 Play bootloader unlock issues - "bad key", not OTA, no way to roll back?
My plan was to unlock the bootloader before configuring the new phone - just in case I might need it later, then use the phone as out-of-box. I unlocked the bootloader for the new Moto G7 Play, following the official procedure via the Motorola Accounts page, resulting in:
- Fastboot page shows: "flashing unlocked"
- When booting up, I see a black page with the words "bad key", then the phone boots
- The updater sais that the phone is corrupt and no (OTA) updates can be done
- I could not try TWRP, as there is no TWRP for the G7 Play yet (so not sure if flashing would work)
My concerns now are that I will not be able to update the phone, and that the "bad key" issue might cause other problems.
So my plan would be to roll back and lock the phone again, to use it as out-of-box (not worrying about warranty loss that might already have happened - I did accept these terms). However, that does not work, too:
- Locking bootloader requires factory images, which are not available for the G7 Play
- Locking bootloader with fastboot OEM lock will not work without complete images
Any suggestions how bring the phone back to normal? I am disappointed by Motorola, as they officially offer the unlock procedure - which then does not produce the expected outcome, breaks updating, and provides no way to go back? Mind you, I did not apply any "hacks", nothing but the official Motorola unlocking steps.
Thanks for advice
I have the same problem and i cannot fix it.
I tried to get advice from Motorola support - but replies are very generic, referring to the bootloader unlock page (we obviously found that) or to the Motorola Forum (where the answer isn't). Will now just live with the unlocked phone and hope for the opportunity to OTA / update in a while
CoffeeMachineSwitch said:
- When booting up, I see a black page with the words "bad key", then the phone boots
- The updater sais that the phone is corrupt and no (OTA) updates can be done
Click to expand...
Click to collapse
Unlocking any Motorola bootloader will cause the bootscreen to display "Bad Key". This is normal. It is a warning that the bootloader has been unlocked and the phone may not be "safe". Once you root a Motorola phone, it will display "N/A" instead of "Bad Key". Again, this is normal behavior. There are image makers that can replace the "splash" image and "hide" the "N/A", but since this phone doesn't have TWRP yet, you'll have to live with it for now.
As far as not being able to receive OTA updates, I have no knowledge. In my opinion it shouldn't matter that the bootloader has been unlocked...only if you've modified or deleted system files. I've never worried about system updates as I've always rooted and run custom ROMs, or Xposed (which negates eligibility for OTA).
mn1968 said:
Unlocking any
As far as not being able to receive OTA updates, I have no knowledge. In my opinion it shouldn't matter that the bootloader has been unlocked...only if you've modified or deleted system files. I've never worried about system updates as I've always rooted and run custom ROMs, or Xposed (which negates eligibility for OTA).
Click to expand...
Click to collapse
Thanks for clarifying. And yes, learnt from Moto Support that OTA was disabled for 7 generation
CoffeeMachineSwitch said:
Thanks for clarifying. And yes, learnt from Moto Support that OTA was disabled for 7 generation
Click to expand...
Click to collapse
That would be an unfortunate change if true. Prior devices could be unlocked and still get OTA updates. They won't install if certain changes are made but still get notified of updates.
You still can install full ROM using fastboot commands and regain root by patching boot.img from updated ROM
I did it on both G6 and G7
Where did you get the ROM images from. I understand there are no officials?
CoffeeMachineSwitch said:
Where did you get the ROM images from. I understand there are no officials?
Click to expand...
Click to collapse
Have you tried the LMSA tool? It's a tool you download from Motorola. There is a discussion here about it. It has a rescue button with which, I understand that you can download stock images directly from Motorola, but I haven't used it myself.
umbrisle said:
Have you tried the LMSA tool? ....
Click to expand...
Click to collapse
Yes I have - the last time I tried, however, it said that it would not support the G7 (Play) and did not provide any images/ROMs
CoffeeMachineSwitch said:
Yes I have - the last time I tried, however, it said that it would not support the G7 (Play) and did not provide any images/ROMs
Click to expand...
Click to collapse
I was thinking of buying a G7 Play myself, but I am now leaning more towards a G6 Play, because there are more tools available like a working TWRP.
Should've read the thread here before i go buy g7 play, not my phone get softbricked.
Unblocked bootloader successfully following the official doc but failed to install magisk by copying the wrong build number of boot.img of OTA from here mirrors.lolinet.com/firmware/moto
now my g7 says
Code:
failed to load kernel, no Bootable A/B slot,
Failed to book Linux
falling back to fastboot.
I downloaded `RIVER_RETAIL_9.0_PPO29.80-61_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC` which i think this is the right build number when i see error like
Code:
river/retail corrupted
(can't remember exactly, but it's RETAIL not RETUS)
and make my own version of fastboot command stemming from servicefile.xml, still with unlucky.
there is no recovery.img and google has limited resource to make g7 play back to stock orm, i'd like to see if community has any idea or i have to give it to moto to fix it.
========================update=================================
update: i finally get the correct stock ORM which is exactly matching my build number "XT1952-4_CHANNEL_AMZ_9.0_PPY29.105-36_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC" i was an idiot thinking that mismatch one letter or two will be find, but turns out this is very strict, "second time rooting in my life".
not i has flash all of the original orm into my phone then fastboot reboot works, it give me the original error like
Android Recovery
motorola/channel_retail/channel9/PPY29.105-36/d7abeuser/release-keys
Use volum up/down and power
can't load Android system. Your data may be corrupt.
If you continue to get this message, you may need to perform a factory data
reset and erase all user data stored on this device
=====
Try again
Factory data reset
Click to expand...
Click to collapse
now i need to figure out what to do next
===============update=========
lol, turns out just press Factory data reset will bring the brick back to life!!!!!
just want to post my process for anyone having my issue.
the key point to find the correct build number
umbrisle said:
I was thinking of buying a G7 Play myself, but I am now leaning more towards a G6 Play, because there are more tools available like a working TWRP.
Click to expand...
Click to collapse
.
The G6 Play is really slow, at least the Boost one. I was kind of sorry I bought one to put on Sprint's free unlimited plan. At least Sprint unlocked it for me after 60 days.
Give the G7Play some time, it just came out.
As for you guys complaining of no updates once unlocked, it's not the only phone to require flashing the stock boot.img and relocking to get OTAs.
gedster314 said:
.
As for you guys complaining of no updates once unlocked, it's not the only phone to require flashing the stock boot.img and relocking to get OTAs.
Click to expand...
Click to collapse
Yeah, but there is inconsistency in Motorolas communication, they actively offer the option to unlock the bootloader (with T&C and all) incl. a link to a rollback feature. Which then does not work. So in a scenario where a developer buys the device because it actively offers this features, they dont get what they paid for. Mind you, we are not discussing hacking a device here or jailbraking - we are discussing features that Motorola actively promotes with a dedicated webpage.
wallace_mu said:
was an idiot thinking that mismatch one letter or two will be find, but turns out this is very strict
Click to expand...
Click to collapse
You completely missed the wrong code name "river" in RIVER_RETAIL_9.0_PPO29.80-61_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC it is for another device, while "channel" is the right one
Where did you get the correct Rom from? Thanks
I don't own Moto G7 Play and can not confirm, however this one worked for wallace_mu
wallace_mu said:
XT1952-4_CHANNEL_AMZ_9.0_PPY29.105-36_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC
Click to expand...
Click to collapse
I could successfully lock / unlock / lock the bootloader...
Unlock: fastboot oem unlock [CODE FROM MOTOROLA]
Lock it down:
* first I have to reflash the 'boot.img' from the correct firmware file - fastboot flash boot boot.img
* then I can lock the bootloader clean again with 'fastboot oem lock'. "bad key" is gone, SafetyNet test passed and OTA is working again.
Unlocking / locking again works by the way also. Maybe this will help?
realsine said:
I could successfully lock / unlock / lock the bootloader...
Unlock: fastboot oem unlock [CODE FROM MOTOROLA]
Lock it down:
* first I have to reflash the 'boot.img' from the correct firmware file - fastboot flash boot boot.img
* then I can lock the bootloader clean again with 'fastboot oem lock'. "bad key" is gone, SafetyNet test passed and OTA is working again.
Unlocking / locking again works by the way also. Maybe this will help?
Click to expand...
Click to collapse
yes it does! was waiting for this. 2 quick questions:
- will lock/unlock require factory reset / data loss?
- where to get the (official?) boot.img from (am always careful to flash img from the wild)
thanks!
CoffeeMachineSwitch said:
yes it does! was waiting for this. 2 quick questions:
- will lock/unlock require factory reset / data loss?
- where to get the (official?) boot.img from (am always careful to flash img from the wild)
thanks!
Click to expand...
Click to collapse
Hello,
I'm glad to read that I could help.
I have "my" image of 'https :// mirrors.lolinet.com/firmware/moto/channel/official/RETEU/'. There are also some others - just have a look. And please remove the spaces around '://'. I'm currently not allowed to post (external) links, so this way.
* Every 'LOCK' deletes all data and the system is "clean" again.
* The same applies (unfortunately) to EVERY 'UNLOCK'.
I don't care at the moment because I haven't set up my smartphone yet. But it's not nice.
Best regards
Hello community, I need some explanation first if my approach is incorrect. I am trying to downgrade to Android 10, but i was soul-crashed after reading some information about the bit/binary value that samsung uses on its firmware(basically you cant downgrade if this value is not equal to your targeted frimware). However even though i feel scammed by Samsung, i would like to ask you the community as my final resort to guide me.
Is there some way i can trick SW REV checker or delete this partition containing this binary file?. Does "deleting" it affect my ability to boot into the download mode?
{Temp_User} said:
Hello community, I need some explanation first if my approach is incorrect. I am trying to downgrade to Android 10, but i was soul-crashed after reading some information about the bit/binary value that samsung uses on its firmware(basically you cant downgrade if this value is not equal to your targeted frimware). However even though i feel scammed by Samsung, i would like to ask you the community as my final resort to guide me.
Is there some way i can trick SW REV checker or delete this partition containing this binary file?. Does "deleting" it affect my ability to boot into the download mode?
Click to expand...
Click to collapse
you can downgrade by simply flashing system,kernel and vendor from android 10 on twrp
JuanTamqd21 said:
you can downgrade by simply flashing system,kernel and vendor from android 10 on twrp
Click to expand...
Click to collapse
Hi, thank you for the reply.
Sorry for the late reply. I will try this today
JuanTamqd21 said:
you can downgrade by simply flashing system,kernel and vendor from android 10 on twrp
Click to expand...
Click to collapse
Okay. I am may be misunderstanding something because this way did not work for me. Do I have to manually extract files from the lz4 files?
{Temp_User} said:
Okay. I am may be misunderstanding something because this way did not work for me. Do I have to manually extract files from the lz4 files?
Click to expand...
Click to collapse
well, I can provide vendor and kernel in telegram. You can also get them by extracting lz4 files
make sure its from Android 10/Q/one ui 2.x firmware
I have with me the latest (previous) android 10 . I have extracted correctly ( used 7-zip zstd ) the lz4 files and flashed the vendor, system and kernel in that order.
upon reboot, I can not get past the splash screen. However i do see that an error appears on top left of my screen as CHECK FAIL binary 7(BOOT). The words are not clear though.
What did i do wrong?
JuanTamqd21 said:
well, I can provide vendor and kernel in telegram. You can also get them by extracting lz4 files
make sure its from Android 10/Q/one ui 2.x firmware
Click to expand...
Click to collapse
please provide an in-depth process?
Okay, so after a number of attempts i finally have android 10/Q on my phone. Keep in mind that i am not tech savvy, as all this was a guessing game(well not all of it)
I will share my story and hope it may be useful to others who intend to downgrade their android version.
SW REV ERRORSYou cannot and you should not change the bit version. If you see this error, it means you tried to flash a firmware or maybe just a boot file that is outdated or incompatible with the current secure boot loader.
With my limited knowledge, I went with what was easier for me at the time of writing this,
Flash latest firmware for model A505F,(yours may differ) using Odin.(SUCCESS)Boot into system normally.(make sure the OEM unlock is greyed out.Flash the latest custom recovery(TWRP or 'sky hawk recovery project', I chose the latter. )Boot into your recovery and Format data., also make advanced wipes. System kernel vendor Dalvik Cache Data.Pay attention to what exactly you are wiping.With your targeted firmware (A10) somewhere nearby, I recommend to use a reliable tool to extract the lz4 compressed file. I used this to get 'system.img' 'vendor.img' 'boot.img' . If you are on windows, look at the type column in your file explorer or enable 'view filename extension'.Flash/Install the image files in your recovery. Be patient.
Here is the tricky part for me. the boot loader wont accept this older kernel.(thus the boot loops).
A faster way to work around this, is installing a custom kernel that supports android 10. e.g. quantum kernel.
You may have to reboot a number of times before you can get past the splash screen. Be patient.Success, you now have a weird but working system. (I call it weird because the kernel you will use will carry along with its bugs e.g. camera fails, random reboots.)You can not update the system. this may be due to the different AP/CP/CSC/ match. This is not a step by step guide, i am only sharing with the public what i did to get my final point.
Of course this goes without saying that you are attempting a risky route and you the user shall carry all responsibility.
{Temp_User} said:
Okay, so after a number of attempts i finally have android 10/Q on my phone. Keep in mind that i am not tech savvy, as all this was a guessing game(well not all of it)
I will share my story and hope it may be useful to others who intend to downgrade their android version.
SW REV ERRORSYou cannot and you should not change the bit version. If you see this error, it means you tried to flash a firmware or maybe just a boot file that is outdated or incompatible with the current secure boot loader.
With my limited knowledge, I went with what was easier for me at the time of writing this,
Flash latest firmware for model A505F,(yours may differ) using Odin.(SUCCESS)Boot into system normally.(make sure the OEM unlock is greyed out.Flash the latest custom recovery(TWRP or 'sky hawk recovery project', I chose the latter. )Boot into your recovery and Format data., also make advanced wipes. System kernel vendor Dalvik Cache Data.Pay attention to what exactly you are wiping.With your targeted firmware (A10) somewhere nearby, I recommend to use a reliable tool to extract the lz4 compressed file. I used this to get 'system.img' 'vendor.img' 'boot.img' . If you are on windows, look at the type column in your file explorer or enable 'view filename extension'.Flash/Install the image files in your recovery. Be patient.
Here is the tricky part for me. the boot loader wont accept this older kernel.(thus the boot loops).
A faster way to work around this, is installing a custom kernel that supports android 10. e.g. quantum kernel.
You may have to reboot a number of times before you can get past the splash screen. Be patient.Success, you now have a weird but working system. (I call it weird because the kernel you will use will carry along with its bugs e.g. camera fails, random reboots.)You can not update the system. this may be due to the different AP/CP/CSC/ match. This is not a step by step guide, i am only sharing with the public what i did to get my final point.
Of course this goes without saying that you are attempting a risky route and you the user shall carry all responsibility.
Click to expand...
Click to collapse
Hello, you will not be able to downgrade your phone to Android 11, if it is not on theese firmware updates:
Of course, the reason is, that the binaries of newer updates are higher, than 7 (A505FNPUU7CUC2).
vmirrimv said:
Of course, the reason is, that the binaries of newer updates are higher, than 7 (A505FNPUU7CUC2).
Click to expand...
Click to collapse
So long as we both happy and got what we wanted. I finally have a working android 10 on my device(coming from a11)
vmirrimv said:
Hello, you will not be able to downgrade your phone to Android 11, if it is not on theese firmware updates:
Click to expand...
Click to collapse
You are correct. I gave up on changing the binaries after seeing it was impossible.
Camera should still work on custom android 10 one ui roms and GSI. I think I tested them before.