Hi guys
While trying to unlock my mediapad m2 bootloader, I encountered a couple of hidden fastboot commands (found in the stock rom image). Some look like standard things, others seem very interesting:
Code:
fastboot oem backdoor info
    FB LockState: LOCKED
    USER LockState: LOCKED
fastboot oem backdoor get
    FBLOCK**obfuscated**
fastboot oem backdoor end
    remote: fastboot stat not match
fastboot oem get-bootinfo
    locked
fastboot oem check-rootinfo
    old_stat: SAFE
    now_stat: SAFE
    change_time: 0000000000
fastboot oem check-image
    secure image verify success
fastboot oem relock
    remote: stat not match
fastboot oem backdoor set
    remote: data parse fail
fastboot oem frp-erase
    Haven't tried, but should remove the Factory Reset Protection (FRP)
fastboot oem emmc_diag
    cid info:
    mid 17,oid 256,pnm 064G70,prv 0.0,psn 0x18b66278,
    csd dump:
    D02700320F5903FFFFFFFFEF864000AB00
    ext_csd dump:
    ...
    FMW FAIL! WRITE PROTECT!
fastboot oem emmc-dump
    unknown status code
fastboot oem get_key_version
    huawei_key_v1
fastboot oem battery_present_check
    3984mv
fastboot oem get_hwnff_ver
    Ver2.3
fastboot oem get-psid
    SN:**YourIMEI**
fastboot oem get-build-number
    V100R001C00B000
fastboot oem get-product-model
    HUAWEI M2-A01W
Some commands seem quite useful, while others are quite disturbing (why is there a backdoor?!).
Have fun with these commands... I'll update them if any of you have some updates.
Cheers
Loris
same question too
Hello,
This question is mostly aimed at the experienced devs and hackers who have been hacking and developing with HTC devices for a good several years. I recall with my older HTC devices, there was an array of HTC-specific fastboot commands that could be used with "fastboot oem <command>." You could get a list of the commands with either 'fastboot oem ?' or 'fastboot oem cmdlist' (or something similar-- don't remember exactly). Also, there was a way to enter into a bootloader shell in which these commands could be used on their own without having to type 'fastboot oem.'
Does this feature no longer exist with the HTC 10? I know there are the fastboot oem commands related to bootloader unlocking, and 'fastboot oem rebootRUU' still exists for firmware flashing, but nothing else that used to work with older devices (i.e., the M7) does anything anymore. My fastboot binary is the latest generic fastboot-- I am aware there is an HTC specific fastboot that exists now, but I've used the generic google fastboot for oem firmware flashing, radio flashing, etc without any hiccups whatsoever, and I've never used anything with past devices other than the generic fastboot. And these commands I'm inquiring about, I am fairly sure were built into the device's firmware anyway and had nothing to do with what was built into the fastboot binary.
Device: HTC 10 US Unlocked, firmware is the latest Unlocked firmware (1.96--), bootloader is unlocked and S-OFF...
It was a useful feature, but if it no longer exists, oh well. Any info is appreciated, though. Thanks!
Hello,
I found these commands in aboot.img; some are tested.
bootloader:
htc_fastboot oem reboot-download
htc_fastboot oem reboot-ftm
htc_fastboot oem rebootRUU
htc_fastboot oem listpartition
htc_fastboot oem listram
htc_fastboot oem dmesg
htc_fastboot oem last_dmesg
htc_fastboot oem get_ext_csd_emmc
htc_fastboot oem get_wp_info_emmc
htc_fastboot oem check_emmc_mid
htc_fastboot oem read_sandisk_fw
htc_fastboot oem update_emmc_partition
htc_fastboot oem read_mmc
htc_fastboot oem write_mmc
htc_fastboot oem test_emmc
htc_fastboot oem erase_phone_storage
htc_fastboot oem select-display-panel
htc_fastboot oem readconfig
htc_fastboot oem writeconfig
htc_fastboot oem easydump
htc_fastboot oem readsecureflag
htc_fastboot oem readunlock
htc_fastboot oem dumpDataCode
htc_fastboot oem dsiw
htc_fastboot oem dsir
htc_fastboot oem ddrtest
htc_fastboot oem dump_ram_full
htc_fastboot oem setbacklight
htc_fastboot oem get_tamper_flag
htc_fastboot oem get_force_sec_boot_reason
Oh, cool! Thank you for that information. And yeah, those commands are all slightly different from the old commands that I remembered and tried to use... which would explain why they didn't work.
Not entirely clear what aboot.img is... I'm guessing it's the equivalent of what used to be hboot.img, but that I can find out easily enough. Just curious what tool you use to unpack it, though. Can it be unpacked with Android Image Kitchen?
https://www.google.com/url?sa=t&sou...-CUcQFggyMAI&usg=AOvVaw1wuu1MylB8oC8o8vtAKe0G
oem_sec_boot is 0x%X
cmd_oem_easydump
cmd_oem_dsir add=0x%x, value=0x%x
fastboot oem dsir 53
fastboot oem dsiw 51 FF
Reset the stored oem panel in device info
oem reboot-download
oem reboot-ftm
oem rebootRUU
oem listpartition
oem listram
oem dmesg
oem last_dmesg
oem get_ext_csd_emmc
oem get_wp_info_emmc
oem check_emmc_mid
oem read_sandisk_fw
oem update_emmc_partition
oem read_mmc
oem write_mmc
oem test_emmc
oem ufs_get_lun
oem ufs_set_lun
oem erase_phone_storage
oem select-display-panel
oem readconfig
oem writeconfig
oem easydump
oem readsecureflag
oem readunlock
oem dumpDataCode
oem dsiw
oem dsir
oem ddrtest
oem dump_ram_full
oem setbacklight
oem get_tamper_flag
oem get_force_sec_boot_reason
Usage: oem ddrtest 0x<addr> 0x<size> <round> [<break>]
Default test: oem ddrtest 0 0 0
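The command names in the posts above were recovered from strings inside aboot.img. As an added example (not code from any poster in this thread or from HTC), the following Python script performs that kind of audit: it extracts bare `oem <name>` strings from an image and buckets them so state-changing commands are reviewed first. The keyword lists and the sample bytes are assumptions constructed for illustration.

```python
import re

# Assumed triage keywords (not from the thread): substrings suggesting a
# command modifies device state or exposes device data.
WRITE_HINTS = ("write", "erase", "update", "set")
READ_HINTS = ("dump", "read", "dmesg", "get", "list")

def printable_strings(blob, min_len=4):
    """Yield runs of printable ASCII at least min_len long, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")

def oem_commands(blob):
    """Return the unique command names stored as bare 'oem <name>' strings.

    fullmatch() keeps command-table entries and skips usage text and log
    format strings (e.g. 'cmd_oem_easydump') that only mention a command.
    """
    names = set()
    for s in printable_strings(blob):
        m = re.fullmatch(r"oem ([A-Za-z][\w-]*)", s)
        if m:
            names.add(m.group(1))
    return sorted(names)

def triage(names):
    """Bucket command names: write-like first, then read-like, then the rest."""
    buckets = {"write": [], "read": [], "other": []}
    for name in names:
        low = name.lower()
        if any(h in low for h in WRITE_HINTS):
            buckets["write"].append(name)
        elif any(h in low for h in READ_HINTS):
            buckets["read"].append(name)
        else:
            buckets["other"].append(name)
    return buckets

# Constructed sample: NUL-separated strings as they would sit in an image,
# built from command names quoted in the posts above.
SAMPLE = (b"\x00\x01oem writeconfig\x00oem readunlock\x00"
          b"oem dump_ram_full\x00\xff\xfeoem rebootRUU\x00cmd_oem_easydump\x00"
          b"Usage: oem ddrtest 0x<addr> 0x<size> <round> [<break>]\x00"
          b"oem erase_phone_storage\x00oem ddrtest\x00oem ddrtest\x00")

if __name__ == "__main__":
    for bucket, cmds in triage(oem_commands(SAMPLE)).items():
        print(f"{bucket:5} {', '.join(cmds)}")
```

To run it on a real image, pass the file's bytes (`open(path, "rb").read()`) to `oem_commands`; a keyword bucket is only a starting order for review, not a statement of what a command does.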
So a quick thread here. Asus devices won't be unlocked by the common commands, which are
Code:
fastboot oem unlock
fastboot oem unlock confirm
From now on, Asus uses their own codes.
Here it is
Code:
fastboot oem asus-go
fastboot oem asus-go confirm
This is not a guide. If you use the old command it will return an error UNKNOWN COMMAND.
Thanks !
Thanks bro... but when I tried this on my Zenfone 5 (t00j), fastboot still shows FAILED (remote: unknown OEM command)
I am using:
ADB version 1.0.35
Revision fc2a139a55f5-android
Same here, commands fail... see date of this post
Me too, unknown oem command on Asus 400cg
Been trying...
Been trying to unlock this damn bootloader for months now. This is what I got when I gave the command:
(bootloader) Fail to unlock device due to invalide signature!
OKAY [ 0.031s]
finished. total time: 0.031s
I decided to go back to stock when I learned that the device is receiving Oreo (a bit far too late IMO), but for whatever reason, Android confirms that my bootloader is unlocked, but will not agree to allow me to run
fastboot oem lock to lock the bootloader. Any idea on how to fix this?
Once you have downloaded the stock firmware, run these commands in fastboot.
Note: all data on the internal storage will be erased, including pictures, downloads, etc.
fastboot oem lock begin
fastboot oem fb_mode_set
fastboot flash logo logo.bin
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot flash dsp adspso.bin
fastboot flash oem oem.img
fastboot flash system system.img_sparsechunk.0
fastboot flash system system.img_sparsechunk.1
fastboot flash system system.img_sparsechunk.2
fastboot flash system system.img_sparsechunk.3
fastboot flash system system.img_sparsechunk.4
fastboot flash modem NON-HLOS.bin
fastboot erase modemst1
fastboot erase modemst2
fastboot flash fsg fsg.mbn
fastboot erase cache
fastboot erase userdata
fastboot oem fb_mode_clear
fastboot oem lock
WARNING: DO NOT FLASH THE GPT.BIN OR THE BOOTLOADER.IMG/MOTOBOOT.IMG ON A NEWER FIRMWARE WHEN DOWNGRADING, BECAUSE IT CAN HARD BRICK YOUR DEVICE E.G. DO NOT FLASH THE GPT.BIN OR THE BOOTLOADER.IMG/MOTOBOOT.IMG MADE FOR 7.0 ON 8.1.0 EVEN IF THE FILES IN THE FOLDER BUT ITS FINE IF YOU FLASH THE SAME FILES MADE FOR ANDROID 8.1.0 AVOID FLASHING THESE FILES AT ALL TIMES
I AM NOT RESPONSIBLE FOR ANY DAMAGE CAUSED TO YOUR DEVICE, DO THIS AT YOUR OWN RISK
So a little backstory:
I unlocked my bootloader because I wanted to downgrade back to Android 7.0, and then my IMEI broke on me, so I attempted to upgrade back to Android 8.1.0, but then every time I rebooted my phone I see:
"your device is unlocked and cant be trusted
ID: bad key
your device will reboot in 5 seconds"
then would just loop into the bootloader
and when flashing the logo back it will just say "bad key" when editing logo.bin (changing the logo_unlocked to logo_boot)
With this guide I will tell you how to revert your device back to OOB state (OOB means out of box for all those idiots out there)
THIS WAS TESTED ON MY XT1675 IT WILL BE DIFFERENT FOR EACH DEVICE
1) grab your stock firmware, for me its "XT1675_CEDRIC_RETGB_SS_8.1.0_OPP28.85-19-4-2_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml"
2) install minimal ADB and fastboot
3) then once you installed the adb and fastboot drivers we are really just focusing on the fastboot.exe, i will be linking the platform-tools at the bottom of this post
4) extract the firmware to a place and make sure there are no spaces (e.g. C:/Users/Example/Desktop/moto g5 downgrade otherwise cmd will assume its another path to another folder)
5) the most important file is oem.img because this is the signed file by motorola that we will need to relock the bootloader but it should come in the firmware folder, if not PM me and will try my best to find the matching oem.img
6) once you get all your files type these commands to reload the firmware onto the device
fastboot flash gpt gpt.bin
fastboot flash bootloader bootloader.img
fastboot flash dsp adspso.bin
fastboot flash logo logo.bin
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot flash system system.img_sparsechunk.0
fastboot flash system system.img_sparsechunk.1
fastboot flash system system.img_sparsechunk.2
fastboot flash system system.img_sparsechunk.3
fastboot flash system system.img_sparsechunk.4
fastboot flash system system.img_sparsechunk.5
fastboot flash system system.img_sparsechunk.6
fastboot flash system system.img_sparsechunk.7
fastboot flash system system.img_sparsechunk.8
fastboot erase modemst1
fastboot erase modemst2
fastboot flash fsg fsg.mbn
fastboot erase cache
fastboot erase userdata
fastboot reboot
what you will find now is it will at least boot into the setup screen
we are not done yet!
7) now if you reboot into the bootloader screen the options will be seriously messed up (they will overlap if you press up and down on the volume keys, i think this tells motorola that you tampered with your device)
8) now still on the bootloader screen connect up your device with cmd still open, then type these commands
fastboot oem lock
fastboot oem lock (you have to type it twice)
fastboot flash oem oem.img (you need this to relock the bootloader)
fastboot flash gpt gpt.bin
fastboot flash bootloader bootloader.img
fastboot flash recovery recovery.img
fastboot flash system system.img_sparsechunk.0
fastboot flash system system.img_sparsechunk.1
fastboot flash system system.img_sparsechunk.2
fastboot flash system system.img_sparsechunk.3
fastboot flash system system.img_sparsechunk.4
fastboot flash system system.img_sparsechunk.5
fastboot flash system system.img_sparsechunk.6
fastboot flash system system.img_sparsechunk.7
fastboot flash system system.img_sparsechunk.8
fastboot flash boot boot.img
fastboot oem lock
now it will say (lock complete! flash signed images after reboot if needed)
type in
fastboot reboot
now when you reboot your device you will get a black screen then it will show the motorola logo, to fix this go into the bootloader mode and reflash your original bootlogo
you got your device up and running like it did OOB!
LINKS:
Minimal adb and fastboot: https://forum.xda-developers.com/showthread.php?t=2317790
platform tools: https://developer.android.com/studio/releases/platform-tools
If you're getting "image signed with key bad key" when flashing the boot.img and the recovery.img, I found this really helpful tutorial. Just do not flash the files on the G5; this is made for the G5 Plus, but the bootloader commands work for the G5 as well as the G5 Plus.
Link: https://forum.xda-developers.com/g5-plus/how-to/solution-to-flash-stock-romfactory-t3691396
Also, if you get "still requires signed system.img and/or boot.img", flash all the system sparsechunk files.
I can't re-lock bootloader, getting "(bootloader) Check 'Allow OEM Unlock' in Android Settings > Developer" when I run "fastboot oem lock" second time. Please, help!
You need to enable oem unlock in developer settings
I am having the same error of "Allow OEM unlock" in the android setting, and the option in the developer setting of android is grayed out. I can't switch it.
This is my Z2 Force, XT1789-3 4+64GB, and I replaced the RAM chip; it is now 6+64GB. The bootloader is unlocked now.
But when I try to start the phone, it can go into fastboot mode only. It said Fail_through from normal boot mode.
Flashing the official ROM with fastboot failed: bootloader.img and GPT.bin cannot be flashed. The other files all flash OK, but it is of no use.
I tried some methods with fastboot version 26.0.0, but they did not work:
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot oem disable_dm_verity
Can anyone help me?
Today I tried blankflash_from_7.1NDX26.183-15_17.
Then I found that the BL model changed from MBM3.00-nash-sprint to MBM3.00-nash-verzion,
and I can't enter blankflash mode anymore. The following methods have failed:
fastboot oem blankflash
fastboot oem -edl
fastboot reboot-edl
Does anyone know how the Z2F enters blankflash mode (hardware switch or point)?
See if the information in this thread helps you.