Bootloader Unlock (H815 Asian models) - G4 Q&A, Help & Troubleshooting

Hi!
I am currently working to get my G4 (H815T) unlocked, and although not officially supported by LG, I am looking to reverse engineer the unlock.bin files that one can get through developer.lge.com. I also got in touch with Swedish support, who actually got a so-called specialist to try to obtain a file for me, so perhaps there is hope that I will get my hands on one! (prob not going to happen, but the guy is breaking internal rules to try to help me so possible)
Regardless of LG Sweden, to get started with the reverse engineering project I need an unlock.bin file from a H815 (EU version). Anyone on the forum willing to provide one?

jjbredesen said:
Hi!
I am currently working to get my G4 (H815T) unlocked, and although not officially supported by LG, I am looking to reverse engineer the unlock.bin files that one can get through developer.lge.com. I also got in touch with Swedish support, who actually got a so-called specialist to try to obtain a file for me, so perhaps there is hope that I will get my hands on one! (prob not going to happen, but the guy is breaking internal rules to try to help me so possible)
Regardless of LG Sweden, to get started with the reverse engineering project I need an unlock.bin file from a H815 (EU version). Anyone on the forum willing to provide one?
Ensure that you read the following thread. Completely. Besides a lot of important information you will also find unlock files and why you can't do anything with them:
https://forum.xda-developers.com/g4/help/unlock-technical-steps-to-make-unlocked-t3165391
If you still have interest to do something here let me know. Best is to use IRC. You can find me on freenode in the channel #Carbon-Fusion .
Sent from my LG-H815 using XDA Labs

steadfasterX said:
Ensure that you read the following thread. Completely. Besides a lot of important information you will also find unlock files and why you can't do anything with them:
https://forum.xda-developers.com/g4/help/unlock-technical-steps-to-make-unlocked-t3165391
If you still have interest to do something here let me know. Best is to use IRC. You can find me on freenode in the channel #Carbon-Fusion .
Sent from my LG-H815 using XDA Labs
Ah, I see, was not aware that the community had a go at this...
So after reading the thread my understanding is basically that the unlock.bin is a standard action authorization token, used in an OEM action authorization protocol.
So the unlock.bin would normally be generated with an action authorization nonce. (It takes the form "::<8 bit action id>:<16 client random bytes>" with all fields hex encoded.) It looks like in this case LG has opted to use the Device ID and IMEI instead of the AAN.
The AAN would be signed to an OAK. (Override Authorization Key, basically it is a public key that is set in the device during manufacturing and that is used to validate action authorization tokens. It is stored as the OAK time-based authenticated EFI variable under the Fastboot GUID of 1ac80a82-4f0c-456b-9a99-debeb431fcc1. The content of this variable is the SHA256 sum of the OAK certificate, and as I understand the developers in the thread you linked to have been able to crack it.)
The AAT token (unlock.bin) should then be a PKCS #7 signed document, where the body takes the form "::<8 bit action id>:<16 client random bytes>:<16 auth agent random bytes>" with all fields hex encoded. The auth agent random bytes added when creating the authorization are to prevent an attacker from mounting an attack by supplying known plain-text values. (This fits perfectly with what we have seen when trying to read the unlock.bin files using HEX editors.)
The token must contain all certificates required to validate the signature chain of the token.
The action authorization agent must verify that the nonce is exactly in the prescribed format. (LG website when requesting IMEI and Device ID)
The action authorization agent must verify that the action ID in nonce is a recognized value. (Valid IMEI and Device ID)
If possible, the action authorization agent should verify that the serial number of the G4 is valid. (So custom Device IDs and IMEIs will not save us)
So what LG is doing here is an OEM action authorization protocol. Basically it is a simple challenge response where the device's Fastboot generates a nonce (in this case they just use the Device ID and IMEI), then the OEM action authorization agent signs the nonce and approved action using its private override authorization key (OAK) to generate an authorization token (this would be the developer.lge.com side of things, and the private key is the one the developers in the thread need, but can't crack), and then the device's Fastboot validates the action authorization token (unlock.bin) and executes the action. (bootloader=unlocked)
Now we understand the policy, but even if we got the private key, when flashing a modified unlock.bin fastboot would need to validate that there is no extra data after parsing the token, verify that the signature's certificate chains to the OAK set at manufacturing, verify that all values in the token body have the prescribed values and verify that the value returned by the "oem get-action-nonce " command matches the value in the token body (IMEI and Device-ID)
So to my knowledge we have no chance to unlock the damn thing, that is unless we can find a backdoor to change the bootloader policy mask from state 0 to 1, then the signature enforcement chain described in the thread you linked to would be disabled, but I don't know how this could be done.
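
The checks this post lists for fastboot, as an added Python example that is not part of the original post and is not LG or fastboot code: it covers the strict body format, the nonce match and the OAK pin, and assumes the PKCS #7 signature itself was already verified by a CMS library. The action id value, the random bytes and the certificate bytes are constructed placeholders, and the two leading fields are kept empty as they appear in the post.

```python
import hashlib
import hmac
import re

# Field layout as written in the post. The two leading fields appear empty
# there, so they are kept opaque and only compared between nonce and token.
HEX16 = r"[0-9a-fA-F]{32}"  # 16 bytes, hex encoded
NONCE_RE = re.compile(rf"([^:]*):([^:]*):([0-9a-fA-F]{{2}}):({HEX16})")
TOKEN_RE = re.compile(rf"([^:]*):([^:]*):([0-9a-fA-F]{{2}}):({HEX16}):({HEX16})")


class TokenError(ValueError):
    """Raised when a nonce or token body fails one of the checks."""


def parse_nonce(nonce: str) -> dict:
    # fullmatch() rejects anything before or after the prescribed fields.
    m = NONCE_RE.fullmatch(nonce)
    if m is None:
        raise TokenError("nonce is not in the prescribed format")
    lead1, lead2, action, client = m.groups()
    return {"lead": (lead1, lead2), "action": int(action, 16),
            "client_random": bytes.fromhex(client)}


def parse_token_body(body: bytes) -> dict:
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        raise TokenError("token body is not ASCII") from None
    m = TOKEN_RE.fullmatch(text)
    if m is None:
        raise TokenError("token body malformed or followed by extra data")
    lead1, lead2, action, client, agent = m.groups()
    return {"lead": (lead1, lead2), "action": int(action, 16),
            "client_random": bytes.fromhex(client),
            "agent_random": bytes.fromhex(agent)}


def verify_token_body(body: bytes, issued_nonce: str, allowed_actions: set) -> dict:
    """Apply the body checks the post describes; return the parsed token."""
    nonce = parse_nonce(issued_nonce)
    token = parse_token_body(body)
    if token["action"] not in allowed_actions:
        raise TokenError("action id is not a recognised value")
    if token["lead"] != nonce["lead"] or token["action"] != nonce["action"]:
        raise TokenError("token fields differ from the issued nonce")
    # Constant-time comparison of the device-generated random bytes.
    if not hmac.compare_digest(token["client_random"], nonce["client_random"]):
        raise TokenError("token was not issued for this nonce")
    return token


def oak_pin_matches(root_cert_der: bytes, stored_oak_sha256: bytes) -> bool:
    """The stored OAK value is the SHA-256 of the OAK certificate."""
    digest = hashlib.sha256(root_cert_der).digest()
    return hmac.compare_digest(digest, stored_oak_sha256)


def explain(body: bytes, issued_nonce: str, allowed_actions: set) -> str:
    try:
        verify_token_body(body, issued_nonce, allowed_actions)
        return "accepted"
    except TokenError as exc:
        return f"rejected: {exc}"


# Constructed sample values (not taken from any device or unlock.bin).
ACTION_UNLOCK = 0x01  # hypothetical action id
CLIENT = "00112233445566778899aabbccddeeff"
AGENT = "ffeeddccbbaa99887766554433221100"
NONCE = f"::{ACTION_UNLOCK:02x}:{CLIENT}"
GOOD_BODY = f"{NONCE}:{AGENT}".encode("ascii")
OTHER_NONCE = f"::{ACTION_UNLOCK:02x}:{'aa' * 16}"
ROOT_CERT = b"constructed stand-in for the DER bytes of the chain's root certificate"
STORED_OAK = hashlib.sha256(ROOT_CERT).digest()

if __name__ == "__main__":
    print(explain(GOOD_BODY, NONCE, {ACTION_UNLOCK}))
    print(explain(GOOD_BODY + b"\n", NONCE, {ACTION_UNLOCK}))
    print(explain(GOOD_BODY, OTHER_NONCE, {ACTION_UNLOCK}))
    print("OAK pin ok:", oak_pin_matches(ROOT_CERT, STORED_OAK))
```
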

jjbredesen said:
...
Can you help me on manually verifying the chain?
I extracted all certs and all other parts which are possible. I can verify the certificate chain itself without problems (yes that one is easy) but I want to do the same steps the boot process takes to verify. I want to use standard Linux commands or python code to do so if possible. Like verifying the digest or whatever is needed.
There is nothing I want to break here but the device needs to do these steps so it must be everything needed for this in the device itself.
I just want to do it manually. Could you guide me how?
Sent from my LG-H815 using XDA Labs

Related

Firmware verification

A lot of phones will only boot if the firmware has a valid signature. Does the Samsung Wave check the firmware's signature (if there is one)?
In case of Bootloader I can confirm Signature check.
Because bricked after changing text...
boot_loader.mbn ---> yes, sure
dbl.mbn ---> not tested, but I think yes, because Qualcomm part...
All other files have no valid/mandatory Signature check.
You can modify all files.
Accept MD5 Hash for Multiloader, but this you can disable.
Handset self not check.
Best Regards
Can you tell us what you want to do??
Well, what I really want to know is if the hardware performs signature verification. For example, the bootloader in most HTC phones checks the signature of the firmware and will proceed to boot if it is valid. Replace the bootloader with your own custom bootloader and no checks are performed and you can put anything you want on it because the hardware does not check the signature of the bootloader. I also might want to modify Bada firmware, too. It is a different operating system or platform or whatever you want to call it and it looks like it would be fun to play around with. I own a Motorola DROID 2 Global.
Does anyone understand what I'm talking about?
Read it
http://forum.xda-developers.com/showpost.php?p=12213290&postcount=21
I'm afraid that is not clear enough. Has anyone tried to flash an alternative bootloader. And please, read my terminology. When I say bootloader, I mean software not the etched boot rom.
Has anyone tried to flash an alternative bootloader.
In case of our Flash Tool Multiloader we have only 2 files:
boot_loader.mbn----> "Samsung part"
dbl.mbn------------> "Qualcomm part"
As we have 2 CPU inside, 1 from Qualcomm... Call Processor, the other from Samsung = Application Processor.
So in most cases dbl.mbn is completely untouched in my tests. But I've failed in:
---> changing to oldest "unprotected" Boot XXJB6
---> changing to S8530 Boot (dbl.mbn is 1:1 same)
---> changing to modified S8500 Boot = bricked, but reanimated with JTAG
You can see my attempts here:
http://forum.xda-developers.com/showthread.php?t=897468
Boot means boot_loader.mbn, but I was too lazy to write it in full.
Best Regards
Master Melab said:
Has anyone tried to flash an alternative bootloader.
Oleg succeeded doing it with JTAG. It is sure that it's also possible to do through FOTA, but there is almost no way to succeed at first try, so JTAG is also required there for the first tries. And... why would we do that? ;d
Also, iROM seems to perform some checksum validation, but as we can see from oleg's example - even without correct checksum it starts altered bootloader from oneNAND.
OK, getting to formal terminology there are several cryptographic services implemented on Wave bootloader level:
- integrity - on each loader stage
- authentication - modules loaded are verified using hardcoded (in BL3) public key
- confidentiality - some modules are encrypted using symmetric key cryptography
You may as well find some access control (implicit coming from symmetric key confidentiality and loading protocol requiring proper unlock procedure) and non-repudiation elements (storing the history of loaded components).
In more general view:
When talking about bootloader level software, it makes no sense to differentiate between hardware and software verification. It all comes to completeness of the verification chain. In most cases bootloader provides the only designated interface (with the presumption of not intruding hardware components) that is available for writing executable components into non-volatile memory used in the booting process.
Bearing that in mind, I would add to the locked bootloader definition that it does not only verify kernel, but verifies all executable components that take part in the booting process (including bootloader, of course).
Rebellos said:
Oleg succeeded doing it with JTAG. It is sure that it's also possible to do through FOTA, but there is almost no way to succeed at first try, so JTAG is also required there for the first tries. And... why would we do that? ;d
Also, iROM seems to perform some checksum validation, but as we can see from oleg's example - even without correct checksum it starts altered bootloader from oneNAND.
What is [the] "iROM"?
Sent from my DROID2 GLOBAL using XDA App
mijoma said:
OK, getting to formal terminology there are several cryptographic services implemented on Wave bootloader level:
- integrity - on each loader stage
- authentication - modules loaded are verified using hardcoded (in BL3) public key
- confidentiality - some modules are encrypted using symmetric key cryptography
You may as well find some access control (implicit coming from symmetric key confidentiality and loading protocol requiring proper unlock procedure) and non-repudiation elements (storing the history of loaded components).
In more general view:
When talking about bootloader level software, it makes no sense to differentiate between hardware and software verification. It all comes to completeness of the verification chain. In most cases bootloader provides the only designated interface (with the presumption of not intruding hardware components) that is available for writing executable components into non-volatile memory used in the booting process.
Bearing that in mind, I would add to the locked bootloader definition that it does not only verify kernel, but verifies all executable components that take part in the booting process (including bootloader, of course).
Please define "BL3". (A stage 3 bootloader?) Yes good point about my definitions, I will add your suggestion. Does the Wave's bootloader use RSA, El Gamal, etc.?
Edit: But, in my mind it does make sense to differentiate the hardware and software.
Sent from my DROID2 GLOBAL using XDA App
Master Melab said:
What is [the] "iROM"?
Sent from my DROID2 GLOBAL using XDA App
iROM is a chip that contains code to load the very first bootloader from NAND, it cannot be modified I believe.
Rebellos said:
Also, iROM seems to perform some checksum validation, but as we can see from oleg's example - even without correct checksum it starts altered bootloader from oneNAND.
Catching errors, maybe?
Master Melab said:
Please define "BL3". (A stage 3 bootloader?) Yes good point about my definitions, I will add your suggestion. Does the Wave's bootloader use RSA, El Gamal, etc.?
Yes, I mean stage 3 bootloader.
There are 3 hardcoded public RSA keys. All 512 bit with 2^16+1 exponent.
Master Melab said:
Edit: But, in my mind it does make sense to differentiate the hardware and software.
Please justify the differentiation and define what you understand by hardware as I'm not sure whether you are really serious about it or not.
mijoma said:
Yes, I mean stage 3 bootloader.
There are 3 hardcoded public RSA keys. All 512 bit with 2^16+1 exponent.
Please justify the differentiation and define what you understand by hardware as I'm not sure whether you are really serious about it or not.
When I say "bootloader" think GNU GRUB and Windows' NTLDR—that is software. The reason for the differentiation is that the bootloader as defined in the PC world, the iOS hacking community, and other parts of the mobile development community is replaceable/flashable. When I refer to "hardware-based verification" I am talking about instructions physically etched on the chip that will perform some sort of signature or hash check of the lowest level of the boot chain. The "low level bootloader" or "LLB" in iOS is checked by the iPad/iPhone/iPod touch's boot ROM. The public key that is used to verify the LLB's signature is represented as physical breaks in the silicon.
Master Melab said:
When I say "bootloader" think GNU GRUB and Windows' NTLDR—that is software. The reason for the differentiation is that the bootloader as defined in the PC world, the iOS hacking community, and other parts of the mobile development community is replaceable/flashable. When I refer to "hardware-based verification" I am talking about instructions physically etched on the chip that will perform some sort of signature or hash check of the lowest level of the boot chain. The "low level bootloader" or "LLB" in iOS is checked by the iPad/iPhone/iPod touch's boot ROM.
Sorry, but if the area is not programmable it does not mean it's not software.
When thinking about 'embedded' world, leave the PC world alone. The list of differences is longer than the list of similarities.
Have a point there, but even if the verification is not done by hardware it does not mean it's replaceable (without hardware intrusion). The formal logic would require to show exploitable vulnerability first and there isn't a generic one.
Master Melab said:
The public key that is used to verify the LLB's signature is represented as physical breaks in the silicon.
LOL. Sounds like written with blood. Maybe I'm not English native and that's the reason I didn't get it, but could you elaborate (you may go deep without worries) on the method of creating 'physical breaks in the silicon' as it does not seem to be scientific term? It does, however, seem just as a description of a form of 'non-volatile memory'.
What value does the strict lowest level protection policy have when higher level introduce (with increasing probability with each level) vulnerabilities easier to exploit?
Does the Wave's bootloader use RSA, El Gamal, etc.?
RSA I've seen.
El Gamal never heard.
etc. not sure...
Maybe if you have some time and you are willing to learn with us. For instance here:
http://forum.xda-developers.com/showpost.php?p=13522665&postcount=50
In Firmware files are many Certs included... few of them seems to have also private parts... but encrypted... example:
EncryptedDevcerttemplateFile
EncryptedPrivKeyFile
According to other Samsung handsets... folder Security is also available on other models... few Certs should be same...
No idea if all Certs are useful... but maybe fun to train brain.
Best Regards
mijoma said:
Have a point there, but even if the verification is not done by hardware it does not mean it's replaceable (without hardware intrusion).
Please, explain.
mijoma said:
LOL. Sounds like written with blood. Maybe I'm not English native and that's the reason I didn't get it, but could you elaborate (you may go deep without worries) on the method of creating 'physical breaks in the silicon' as it does not seem to be scientific term? It does, however, seem just as a description of a form of 'non-volatile memory'.
Things like a BIOS or true read only memory have instructions or data encoded into the layout of the circuitry itself. Usually, fuses are either broken or left intact and this may either mean a 1 or a 0, depending on how the manufacturer's device works.
adfree said:
RSA I've seen.
El Gamal never heard.
etc. not sure...
Maybe if you have some time and you are willing to learn with us. For instance here:
http://forum.xda-developers.com/showpost.php?p=13522665&postcount=50
In Firmware files are many Certs included... few of them seems to have also private parts... but encrypted... example:
EncryptedDevcerttemplateFile
EncryptedPrivKeyFile
According to other Samsung handsets... folder Security is also available on other models... few Certs should be same...
No idea if all Certs are useful... but maybe fun to train brain.
Best Regards
adfree, when I say "etc." I mean "et cetera", which in Latin means "and other things" or "and so forth". El Gamal is another asymmetric cryptosystem that relies on the difficulty of factoring a large composite number, just like RSA.
And thank you for the file.

[Q] [ADVICE NEEDED] Developing a Free method to Network Unlock GT-I8150

Hello XDA!
A quick thanks to those reading/interested and I apologize in advance if this belongs in the development section. I don't have permission to post there yet (perhaps with good reason!). After much searching, I've come to the conclusion there is, as yet, no free method of network unlocking the Galaxy Wonder GT-I8150.
I want to find a method to do this, test it, and then automate the process through a shell script and/or batch file. If it doesn't cost too much, I'll even try and make an app for it. I have two reasons for doing this: I own this model of phone (surprise!) and more importantly, I want to expand my portfolio of little computer projects because I want a job in IT, and I want it now.
So this thread will serve as a knowledge base and brainstorming place. Please -anyone with ideas about how to go about this - let me know!
Here's what I'm trying at the moment: based on a similar method used to unlock the HTC Sensation (and some other models), I'm going through the mmcblk virtual partitions after copying them to a .txt file (filetype is binary, .txt is just so my girl's Mac opens them with a text editor). Using a grep command with a regular expression I'm pulling every single 8 character long string of only digits and exporting the result to another txt file.
I then search the mmcblkXpXX file for these 8 long strings one at a time, trying to read through what I can of the binary file for giveaways like "isim_auth_key" or what not.
I started yesterday so I'm only up to mmcblk0p06.
If you have a network unlocked version of this phone, I might end up needing certain files to compare, but I won't ask unless I think I'm onto something.
Finally, if anyone has found an NV_data.bin, bml5 file (or equivalent) for this model, tell me what it's called! Or where I need to extract it from.
Thanks in advance,
GrayedFox
Info
Here are some links to information about unlocking various models of phones, using slightly different methods, for those interested. None apply directly to the gt-i8150 but I'm trying to tweak them just as a starting point.
http://forum.xda-developers.com/showthread.php?t=828534
http://forum.xda-developers.com/showpost.php?p=17148825&postcount=334
http://forum.xda-developers.com/showthread.php?t=1693491
http://forum.xda-developers.com/showthread.php?t=1335548
http://forum.xda-developers.com/showthread.php?t=1064978
Here is some information from my mmcblk0p06 file... wrapped in spoilers.
PERSO: Failure to write: %sPerso Command can be handled only on a provisioned session or when Card is not present on slotmits/perso.txt
[first mention of a perso.txt file I've found]
EFS file read successfully [this implies there IS an efs file somewhere…]
EFS: Creating ISN file
EFS store sequence number
EFS: ISN file not present
AMSS\products\7x30\core\securemsm\smetest\test_crypto\src\sectestcipher.c
if anyone knows how to access that perso.txt file listed, please post the linux command here!
I'm afraid to say I'm running out of ideas here. I've pulled every single mmcblk file on the phone - on stock rom and on cyanogenmod - looking for some sort of reference to a network unlock key but it's just not there. I even got Vodafone to send me my unlock key and have been searching the files for the exact key but it's nowhere on the phone.
I've even data dumped each of these files too - with an authenticated and nonauthenticated sim (network unlocked and network locked) sim and searched using a hex editor. I will have to move on to another project soon, but perhaps this will serve as an informing post for some: let it be known, there are absolutely NO references to an unencrypted network unlock key for this model of phone on stock rom.
Not in any of the mmcblkXpXX files (where most unlock keys are found for other phones) - and I've searched hard.
if anyone has further suggestions I'll remain subbed to this thread. Peace.
Probably they save a lock code, and the unlock is calculated with that lock code and IMEI.
GrayedFox said:
I'm afraid to say I'm running out of ideas here. I've pulled every single mmcblk file on the phone - on stock rom and on cyanogenmod - looking for some sort of reference to a network unlock key but it's just not there. I even got Vodafone to send me my unlock key and have been searching the files for the exact key but it's nowhere on the phone.
I've even data dumped each of these files too - with an authenticated and nonauthenticated sim (network unlocked and network locked) sim and searched using a hex editor. I will have to move on to another project soon, but perhaps this will serve as an informing post for some: let it be known, there are absolutely NO references to an unencrypted network unlock key for this model of phone on stock rom.
Not in any of the mmcblkXpXX files (where most unlock keys are found for other phones) - and I've searched hard.
if anyone has further suggestions I'll remain subbed to this thread. Peace.
Hello
While searching for sim unlock I found this method for galaxy s4 mini, could you check if it works with our wonder device?
here -> http://forum.xda-developers.com/showthread.php?t=1693491
Regards

Device not detected in bootloader mode.

Help.
I need help unlocking my bootloader, I can type adb devices while the device is powered on & my unique I.D number comes up in cmd, but whenever I boot into bootloader, the device doesn't come up in cmd what gives? All my drivers are up to date & installed correctly, though I get an MTP driver issue, could that be causing this? This is my second M8 (T-Mobile this time), first one was the dev edition s-off & converted to GPe.
You never said what command you used in the bootloader ?
It's :
fastboot devices (not adb devices)
adb devices for adb while phone is booted in OS
fastboot devices in fastboot/hboot mode
Oops never mind, another thing - I keep getting an error while trying to submit my code to HTC Dev after getting the identifier token.
EternalAndroid said:
Oops never mind, another thing - I keep getting an error while trying to submit my code to HTC Dev after getting the identifier token.
Please state the error if you would
After reading the opening post here, I get the impression that the code you get for the token is more an issue on your side(You messed up somewhere).
That being said, it doesn't help a lot saying "I keep getting an error" but you don't tell us what the error is.
Taking a wild guess, it has to do with the actual token. Make sure you don't have any spaces in the selection of the code. Select it with the <<<<< >>>>> included. Do NOT include the <bootloader> parts next to it and again make sure there are NO spaces in the selection.
Comparison pictures of the code how it SHOULD and SHOULD NOT look.
If that is not your problem then give more information as to the error you're receiving. Doesn't help to phone an IT dept for help and you don't tell them what the problem is either, does it? Same here...
jball said:
Please state the error if you would
Sorry guys just frustrated & keep forgetting, "error reason token decryption fail (cannot generate result)."
But I think I figured out my issue, so my computer's internet is off right now & I'm trying to do all this from my N5. I'm typing the code on my phone, reading it letter for letter, number for number.
BerndM14 said:
After reading the opening post here, I get the impression that the code you get for the token is more an issue on your side(You messed up somewhere).
That being said, it doesn't help a lot saying "I keep getting an error" but you don't tell us what the error is.
Taking a wild guess, it has to do with the actual token. Make sure you don't have any spaces in the selection of the code. Select it with the <<<<< >>>>> included. Do NOT include the <bootloader> parts next to it and again make sure there are NO spaces in the selection.
Comparison pictures of the code how it SHOULD and SHOULD NOT look.
If that is not your problem then give more information as to the error you're receiving. Doesn't help to phone an IT dept for help and you don't tell them what the problem is either, does it? Same here...
Oh wow I see
Copy the text to notepad. Copy it to your phone. Open it in your phone using any file manager. Copy and paste .

Bootloader unlocked warning

Hey,
I've been researching the OP3 bootloader and the bootloader warning and I've found a possible method to hide it.
There is a file "emmc_appsboot.mbn" which contains information and strings (see content below). I'm not sure if modifying the file causes booting problems. I've examined the file and found something about verifying various files and blocking the boot process. I'm looking for someone who could help me and explain things. What do you think? If it's going to brick, would it be unbrickable?
Strings:
"Start >"
"< More options"
"Your device has been unlocker and cann't be trusted"
"To learn more, visit: g.co/placeholder"
"If no key pressed:
Your device will boot in 5 seconds"
Something about blocking the boot:
This phone has been flashed with unauthorized software & is locked. Call your mobile operator for additional support.Please note that repair/return for this issue may have additional cost.
boot_verifier: keystore length is invalid
I'm thinking about replacing all these texts with spaces to make the screen look blank. That's the way to "hide" the text, but there's still going to be the 5 seconds delay.
Download link to the file: http://d-h.st/SQID (Uploading attachments wasn't working when I posted this)
EDIT: Feel free to examine the file with a hex editor. Search for those strings to find the position.
There're already two threads dealing with the bootloader warning:
http://forum.xda-developers.com/oneplus-3/how-to/help-how-to-remove-device-unlocked-t3425028/page7
http://forum.xda-developers.com/oneplus-3/help/request-remove-bootloader-unlocked-t3405485
meiser said:
There're already two threads dealing with the bootloader warning:
http://forum.xda-developers.com/oneplus-3/how-to/help-how-to-remove-device-unlocked-t3425028/page7
http://forum.xda-developers.com/oneplus-3/help/request-remove-bootloader-unlocked-t3405485
I know, but neither one is dealing with this exact file/method. There is of course the "logo.bin", but I don't think it includes the warning message as I've found it from the file I discovered.
santeri3700 said:
I know, but neither one is dealing with this exact file/method. There is of course the "logo.bin", but I don't think it includes the warning message as I've found it from the file I discovered.
the "warning" message is inside the aboot....at the moment there's no way to modify this file....but....we will see.
lance2010 said:
the "warning" message is inside the aboot....at the moment there's no way to modify this file....but....we will see.
Isn't it possible to modify the hex codes? Or is it the verification that is the problem in this case?
Edit: I've seen that people edit this file with success.
santeri3700 said:
Isn't it possible to modify the hex codes? Or is it the verification that is the problem in this case?
Edit: I've seen that people edit this file with success.
where did you see it running?
editing is not the problem, flashing it back is not the problem...but the phone won't start, even if you change a single bit !
there's a checksum active even if you set your phone to unlock_critical...
lance2010 said:
where did you see it running?
editing is not the problem, flashing it back is not the problem...but the phone won't start, even if you change a single bit !
there's a checksum active even if you set your phone to unlock_critical...
It was a Samsung and a Xiaomi device (partition and bl unlocking stuff, so not exactly related to this). The checksum is what I'm after.
Unfortunately I don't have enough experience and I don't know if it's even possible to do this.
I wonder what exactly happens if I edited the code to have only "spaces" or "NBSP".
Would I get any response from the device? Would I see any error codes on the screen?
I'm too unsure to risk my device. But thanks for the answer!
If you do not know how to use the OP3 unbrick tool, let it be.. as a result you get an unbootable device if you change anything inside the bootloader.
It can't be changed.

[TROUBLESHOOTING] Bootloader Unlock Fail: (bootloader) [KillSwitch] Last Byte is 0X01

If you're reading this thread, you're likely tearing out your hair in apt frustration because you're just trying to unlock your bootloader and it's a no-go. If you're coming from a One M7 or M8, just be aware that HTC's switched up the game since then. Also, everything mentioned below is indirectly applicable to HTC 10 owners as well.
Writing up this thread as that was me, and I scoured pretty much every link pulled from variations of google keyword searches; and as I was successful in finally unlocking the damn thing, here is my braindump:
[in no particular order], and YMMV, much of this is a compilation of things that saved other people experiencing such errors, every rock unturned is a rock unturned.
There's a new "download mode"---the ol' white backgrounded fastboot that you used to know and love, that's sidelined, you must run fastboot on the black backgrounded Download mode format.
you CANNOT use the standard Google/Android SDK's fastboot. I know, wtf. you MUST use HTC's fastboot (the one they provide on HTCdev.com; note that theirs is missing an ADB, you can pluck the ADB portion from the standard Android SDK).
If you are experiencing a fail, I recommend immediately wiping the whole device (reset all data), and then starting anew: from there, be sure to: --get Developer, and check the: allow OEM unlocking + allow USB debugging boxes. also, while you're in settings, might as well: increase the screen off time, put 'no lock screen', allow unknown sources installations, etc. then after all that's set, then try and run the fastboot.
for whatever reason, the Gmail web client might not work happily with your unlock_code.bin that you get sent---and/or you're getting weird HTCdev login errors even though you put in the right password---eff that noise; start anew: create a new account, don't use a Gmail email (I used a live.com email to get the unlock_code.bin that ended up being the golden goose egg). yeah, for reasons unknown, there's some RNGmagic mojo crap going on here, so if you're experiencing errors, there's really nothing to lose by going new routes.
don't use Chrome to go to the HTCdev website; I used Edge (no deliberate Microsoft plug or anything here, fyi)
the HTCdev website won't accept your fastboot paste of oem unlocking info if it's not the right number of characters, I tested this, so that's not the problem if you thought it was; I recommend opening up a Notepad and just copying and pasting it there and then double-checking that, and then pasting it onto the HTCdev site.
Don't mean to burst your bubble.. That's all old news.
Beamed in by telepathy.
