Signed or not signed rom - Moto Z Play Questions & Answers

Guys, just a question
how do I know if the downloaded stock rom is signed or not?

xdaVTU said:
Guys, just a question
how do I know if the downloaded stock rom is signed or not?
Motorola does not provide signed ROMs; there is only certainty that it is official when it is made available through the Motorola rsd-cloud link.

Jaderalves said:
Motorola does not provide signed ROMs; there is only certainty that it is official when it is made available through the Motorola rsd-cloud link.
this site requires an account, but there's no register link.
do you have any account to use it?

xdaVTU said:
this site requires an account, but there's no register link.
do you have any account to use it?
I do not, but a friend has this account, I had because I was authorized to Motorola technical assistance type this link
https://rsdsecure-cloud.motorola.co...ubsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip

Jaderalves said:
I do not, but a friend has this account, I had because I was authorized to Motorola technical assistance type this link
https://rsdsecure-cloud.motorola.co...ubsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip
this is the december patch
do you have any other firmware version?

this is a retail rom for the XT1635-02 ??

Jaderalves said:
I do not, but a friend has this account, I had because I was authorized to Motorola technical assistance type this link
https://rsdsecure-cloud.motorola.co...ubsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip
Signed?

_heberlopez95 said:
this is a retail rom for the XT1635-02 ??
Yes retbr
---------- Post added at 07:57 PM ---------- Previous post was at 07:54 PM ----------
SupahCookie said:
Signed?
As an experienced member of the forum, you should already know that there is no signed ROM available from Motorola. This ROM from the mentioned link comes from the Motorola cloud, but of course you should already know this.

Jaderalves said:
Yes retbr
---------- Post added at 07:57 PM ---------- Previous post was at 07:54 PM ----------
As an experienced member of the forum, you should already know that there is no signed ROM available from Motorola. This ROM from the mentioned link comes from the Motorola cloud, but of course you should already know this.
:3 i have a signed rom... Check my guide

SupahCookie said:
:3 i have a signed rom... Check my guide
What guide??

Jaderalves said:
What guide??
this guide https://forum.xda-developers.com/moto-z-play/how-to/guide-relock-bootloader-to-lasted-stock-t3718190

_heberlopez95 said:
this guide https://forum.xda-developers.com/moto-z-play/how-to/guide-relock-bootloader-to-lasted-stock-t3718190
I'm going to download this ROM and see if it is really signed! Thanks for the comment.

Jaderalves said:
I'm going to download this ROM and see if it is really signed! Thanks for the comment.
It's signed. Flashed it myself and now back on stock with locked bootloader

justsomeguy007 said:
It's signed. Flashed it myself and now back on stock with locked bootloader
Friend, it is only signed if in the .zip file you are in the notice signed by Motorola. It is not because you were able to block the bootloader that the ROM is signed; if it does not appear in the record .zip signed by Motorola, it is not signed.

Jaderalves said:
Friend, it is only signed if in the .zip file you are in the notice signed by Motorola. It is not because you were able to block the bootloader that the ROM is signed; if it does not appear in the record .zip signed by Motorola, it is not signed.
Can I ask what you mean by 'the notice signed by Motorola', are you referring to a file or a particular line of text that indicates the firmware being signed or not?

echo92 said:
Can I ask what you mean by 'the notice signed by Motorola', are you referring to a file or a particular line of text that indicates the firmware being signed or not?
not the zip file should contain before opening it as shown below
supposedly signed on the SupahCookie link
https://drive.google.com/file/d/1MbfQEdMK-GDN78KQzSw6tNyBVMpTrRiK/view?usp=sharing
officially signed
https://drive.google.com/file/d/1PTXZstU7y-_O_1fKm-zDdEl3i3TIsixs/view?usp=sharing

I'm not understanding anything. If you mean that "Signed by SignApk" means the ROM is officially signed, I don't think it's really true, because anyone can edit zip files and write that.
But okay, I still don't know how to see if the ROM is signed or not.

xdaVTU said:
I'm not understanding anything. If you mean that "Signed by SignApk" means the ROM is officially signed, I don't think it's really true, because anyone can edit zip files and write that.
But okay, I still don't know how to see if the ROM is signed or not.
Yeah, it's not easy to find information on whether a ROM is signed or not. That 'signed by SignAPK' property appears to be also present on Motorola OTA images for both Moto G4 and Z Play OTA updates.
After some reading around this, this is my interpretation of some of the pointers regarding whether the stock ROMs we have are signed or not. As always, people are free to comment.
1) If you boot into fastboot/bootloader, connect your device to your computer via USB, then open an ADB terminal, you can type 'fastboot getvar all' without quotes. One of the parameters (at least on my G4 Plus) is:
(bootloader) secure: yes
This is different from the securestate which reports the unlocked/locked state of the bootloader. Looking at Google's documentation regarding fastboot, if secure is set to yes, the bootloader only accepts signed firmware https://android.googlesource.com/platform/system/core/+/master/fastboot/README.md :
secure    If the value is "yes", this is a secure
          bootloader requiring a signature before
          it will install or boot images.
This suggests that the stock ROMs we have need to be correctly cryptographically signed, else the bootloader may reject flashing them via fastboot. I don't know if this secure flag is still active in unlocked bootloaders (but given unlocked bootloaders can reject bootloader flashes, including downgrades, it suggests it may still be active for the bootloader at least).
2) As reported by others flashing the supercookie ROM and other stock ROMs, they can lock their bootloaders and boot with a locked bootloader, provided the firmware you're flashing is the same or newer patch level than your device bootloader.
From Google's documentation, a locked bootloader should verify a firmware - e.g. the boot firmware partition which is embedded with a public key https://source.android.com/security/verifiedboot/ - against the OEM key at least in the device https://source.android.com/security/verifiedboot/verified-boot Though Google's documentation recommends/requires that the OEM key be burnt into the device, I don't know if for our devices whether the OEM key is burnt into the device during manufacturing or is resident in the TrustZone environment (or both?), but I hope it's a hardware OEM key. Though this is an old article, if the OEM key is burnt in, the OEM key appears to reside in a blown QFuse during manufacture (at least for older Motorola devices) http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html
Either way, this suggests a particular firmware, shown to be booting on a locked bootloader, is signed with the proper keys, else your device would fail to boot with a locked bootloader since the firmware does not match the signature keys expected in the chain of trust, or show you an error if the boot partition, for example, is only verifiable with the certificate rather than the OEM key. Now, in theory, you may be able to alter the bootloader and inject keys or change the expected OEM key, but it seems that a modified bootloader may itself fail the signature check by the upstream embedded bootloader http://newandroidbook.com/Articles/aboot.html . As an aside, I suspect that this check here is also a reason why devices may fail if hard bricked, by flashing old OTA updates on a newer bootloader as a result of downgrading.
3) In the descriptor files and the stock ROM build fingerprint itself, the ROM appears to be signed with release-keys e.g.
Code:
BUILD REQUEST INFO:
SW Version: addison-user 7.1.1 NPNS26.118-22-2-8 10 release-keysM8953_10229.50.04.65R
MBM Version: C1.13
Modem Version: M8953_10229.50.04.65R
FSG Version: FSG-8953-04.90
Build Fingerprint: motorola/addison/addison:7.1.1/NPNS26.118-22-2-8/10:user/release-keys
As far as I understand it, release keys are unique keys provided by the issuing OEM or someone with access to the private key used to make the release keys. Unless someone has somehow gained access to the private cryptographic keys, it's likely that only Motorola has signed the stock ROM files with the public key and provided the correct signing certificates. https://source.android.com/devices/tech/ota/sign_builds Of course, you could modify the text file in the stock ROMs, but your device should report release-keys in its build fingerprint in the 'fastboot getvar all' command or your build.prop if you've flashed stock firmware.
4) Many of these stock ROMs are leaked from the Motorola RSD server. Looking at the old Motorola RSD documentation from a Google search: https://rsddownload.motorola.com/download/RSD_PC_CLIENT_USER_GUIDE.pdf it looks like the primary audience for this server and RSD are service centres. I think it'd be highly unlikely for Motorola to be issuing unsigned builds to service centres for flashing to customer devices...
5) Say hypothetically these stock files are altered and that they could be flashed onto a device. They'd likely fail an OTA update if a device was issued one by Motorola servers - regardless of an unlocked or locked bootloader, as the signatures in the OTA, generated by Motorola before issue, would likely not match that of the stock ROM recovery and system (unless somehow you got hold of the Motorola private keys) and also may fail the partition validation checks too. https://source.android.com/devices/tech/ota/sign_builds
However, it looks like OTA updates are downloading and installing okay onto devices flashed with the correct stock ROM build for their software channel https://forum.xda-developers.com/showpost.php?p=75393838&postcount=200
Taken all together, this suggests that the stock ROMs we have access to are signed, given they flash onto and lock device bootloaders, and accept official OTAs. Of course, users should always verify, as far as possible, the originating source of the stock ROM before flashing, particularly stock firmware that can affect their entire device. Short of the release-keys indicator, I admit these are not direct checks that a firmware is genuine without installing said firmware as these checks happen behind the scenes, though the bootloader should be the primary check of this status. I don't know if you can view the public key/certificate in the files and if there even is a way to verify the key is the correct one. As always, be careful and caveat emptor.
As an aside, I ran an md5 comparison between SupahCookie's Google Drive stock ROM - the one labelled BootloaderLockFiles and the NPNS26.118-22-2-8 stock ROM (from here https://androidfilehost.com/?fid=817906626617956890 ) and md5 checksums are the same. Have a look at the attached file - files without a path are from the BootloaderLockFiles zip. Timestamps are the same too, as are file sizes. Therefore, that indicates that the Google Drive ROM is likely to be the extracted NPNS26.118-22-2-8 stock ROM, without the flash scripts and descriptors attached to it.
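An added example, not from any poster in this thread: a Python script that separates the "signed by SignApk" comment text, which any zip tool can write, from the binary whole-file signature block that AOSP's SignApk places after it in the archive comment. It assumes the AOSP footer layout (signature start, 0xffff, comment size); the sample archives and the placeholder blob are constructed, and locating the block does not verify who signed it, which still requires checking the PKCS#7 data against a certificate you trust.

```python
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"   # end-of-central-directory signature
EOCD_FIXED = 22              # EOCD size without the archive comment
FOOTER = 6                   # <sig_start:2> ff ff <comment_size:2>, little-endian

# Constructed placeholder: a DER SEQUENCE header around filler, NOT a real signature.
PLACEHOLDER_BLOB = b"\x30\x0b" + b"CONSTRUCTED"


def plain_comment(data: bytes) -> bytes:
    """Archive comment exactly as an ordinary zip tool would report it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.comment


def find_signature_block(data: bytes) -> dict:
    """Locate the whole-file signature block using the 6-byte footer.

    block_present=True means only that the structure is well formed.
    """
    info = {"block_present": False, "reason": "", "marker_text": b"",
            "signature": b"", "signed_length": 0, "der_sequence": False}
    if len(data) < EOCD_FIXED + FOOTER:
        info["reason"] = "file too short"
        return info
    sig_start, ff, comment_size = struct.unpack("<HHH", data[-FOOTER:])
    if ff != 0xFFFF:
        info["reason"] = "no 0xffff footer marker"
        return info
    if not FOOTER < sig_start <= comment_size:
        info["reason"] = "footer offsets inconsistent"
        return info
    eocd = len(data) - comment_size - EOCD_FIXED
    if eocd < 0 or data[eocd:eocd + 4] != EOCD_MAGIC:
        info["reason"] = "EOCD not where the footer says"
        return info
    # A second EOCD marker inside the comment would make the archive ambiguous.
    if EOCD_MAGIC in data[eocd + 4:]:
        info["reason"] = "second EOCD marker inside comment"
        return info
    (declared,) = struct.unpack("<H", data[eocd + 20:eocd + 22])
    if declared != comment_size:
        info["reason"] = "EOCD comment length disagrees with footer"
        return info
    sig_off = len(data) - sig_start
    signature = data[sig_off:len(data) - FOOTER]
    info.update(
        block_present=True,
        marker_text=data[eocd + EOCD_FIXED:sig_off].rstrip(b"\0"),
        signature=signature,
        # The signature covers everything before the 2-byte comment length.
        signed_length=len(data) - comment_size - 2,
        der_sequence=signature[:1] == b"\x30",
    )
    return info


def base_zip() -> bytes:
    """Constructed one-file archive with an empty comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("boot.img", b"constructed sample payload")
    return buf.getvalue()


def sample_text_only() -> bytes:
    """Constructed archive whose comment is just the text anyone can type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("boot.img", b"constructed sample payload")
        zf.comment = b"signed by SignApk"
    return buf.getvalue()


def sample_with_block(blob: bytes) -> bytes:
    """Constructed archive with the comment laid out the way SignApk does."""
    body = b"signed by SignApk\0" + blob
    total = len(body) + FOOTER
    footer = struct.pack("<HHH", len(blob) + FOOTER, 0xFFFF, total)
    # Overwrite the zero comment length at the end of the EOCD, then append.
    return base_zip()[:-2] + struct.pack("<H", total) + body + footer


if __name__ == "__main__":
    for name, data in (("text only", sample_text_only()),
                       ("with block", sample_with_block(PLACEHOLDER_BLOB))):
        r = find_signature_block(data)
        print(name, "| comment starts:", plain_comment(data)[:17],
              "| block:", r["block_present"], r["reason"],
              "| signature bytes:", len(r["signature"]))
```

Both samples show the same "signed by SignApk" text in their comment; only the second carries a signature block, and even then the bytes returned in `signature` have to be verified against a known certificate before they mean anything.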

Wow! Thanks for this information!!
(Psst, it's SupahCookie)

Related

Increasing security in custom roms by re-locking bootloader

Hello, I am completely new so I apologize if this is the wrong place.
I wanted to be able to lock my bootloader but still use cyanogenmod, specifically, only allow roms that I have compiled myself and signed with my cert to work on my phone. I unpacked the stock recovery.img, and made the necessary changes to the ramdisk to replace the stock OnePlus key with my own. I was then able to confirm that only my signed zips could be sideloaded, both official CM and OxygenOS zips failed - just as I wanted.
The issue is then that this only worked with an unlocked bootloader. When I locked it, the OP3 entered a boot cycle, with a strange graphical glitch appearing then the screen going black, again and again. I could then no longer boot to either recovery or cyanogenmod, nor could I unlock fastboot. This amazing guide got my phone working again.
I now have three questions. What prevented my phone booting after I locked it, how does the unbrick tool work, and is there anything I can alter, like certifications or hashes, lower down in the boot sequence to allow only my signed images to work (using the previous tool. I am unsure what QLoader is, some form of serial interface to the 820 to write to the storage chip?).
Thanks for any advice you can offer!
Update: I have unpacked boot.img provided in the unbrick tool. I cannot find any keys to modify in /res but I have found a file called "verify_keys". Does anyone know what I need to change in boot.img to allow my self-signed recovery and os to boot? Thanks
UPDATE 2:
From reading some Android notes it appears that instead of replacing the OEM key, you can also just use fastboot to flash keystores for self-signed recovery and roms. This still allows OEM signed images to run, but is certainly a step in the right direction. I have run into an issue with building a correct keystore. I can use keytool and import my previous certs, but "fastboot flash keystore examplename.keystore" fails. I saw "fastboot flash ssd keystore.dat" used, and it works with my current dot keystore file, but then after locking it fails to boot. I'm going to see how I can convert my .keystore to a .dat.
I've been meaning to ask this same question for a while now also, so I'm eager to see the response. I suspect the official OnePlus forums might be a good place to ask as well, since they are visited by engineers from OnePlus. For anyone else who's curious as to what's being discussed and to better understand the risks of an unlocked bootloader (and how to mitigate them), there's a brief article here as well as a paper.
It is always suggested that never re-lock the bootloader until there is valid reason to do it
JumboMan said:
It is always suggested that never re-lock the bootloader until there is valid reason to do it
Have you read any of the attached links in my last post? There are valid reasons for doing so.
Just to pose an oversimplified hypothetical, imagine going through immigration/customs in Saudi Arabia (or maybe even the U.S.) with an Android device that has an unlocked bootloader. The officer examines your possessions, then takes your laptop and phone into a back room. Your phone is powered down and encrypted so it's not like they can do anything, right? Wrong. They plug it into a forensics device and flash a surreptitious malware app onto /system before returning it back to you. Then, the next time you turn on your phone your encryption keys and all your data, all your communications are secretly transmitted. You never have a clue... With a locked bootloader and appropriate precautions, that would never be possible.
Update 3:
I am now following the official Android guide for creating a keystore. They show how to create a "keystore.img" not .dat, but the error I got when trying "fastboot flash keystore ..." said something along the lines of the keystore not being a valid image. Hopefully this will work. After I get this working, I will move on to removing or damaging the OEM key, hence not even allowing OnePlus images to be sideloaded.
JumboMan said:
It is always suggested that never re-lock the bootloader until there is valid reason to do it
I do have a valid reason - security. An unlocked bootloader means any code can be flashed to my device. Even with encryption it is vulnerable to cold boot attacks, it makes it easier to bruteforce, and pulling encryption keys from memory.
chocol4te said:
I do have a valid reason - security. An unlocked bootloader means any code can be flashed to my device. Even with encryption it is vulnerable to cold boot attacks, it makes it easier to bruteforce, and pulling encryption keys from memory.
sir prefer not rooting and staying on stock ROM with locked bootloader.
emptyragnarok said:
sir prefer not rooting and staying on stock ROM with locked bootloader.
Look, I'm sorry, I don't need any more useless comments saying the solution to my problem is to not do anything like on every other forum I've tried. I am perfectly aware of how to lock the bootloader with a stock rom, but I don't want to use the stock rom. I want to use custom roms. From what I have done so far it appears to be possible, so don't tell me it's not, at least without a good reason.
In addition, the stock method isn't even the most secure the phone can be. OnePlus can still sign any code and run it on my device and hence requires my trust in a third party that I am unwilling to give. I only want my own code to run.
Update 4:
Using the unbrick utility, I have updated the MD5 partition with the checksums of my modified boot and recovery partitions. Unfortunately, I am now getting a checksum failed error, with both the MD5 and recovery partitions highlighted in red. So I was wrong about the checksum being compared with hashes in the MD5 partition. Does anyone know where the lowest level checksums are stored? Hopefully if I can change that, then locking the bootloader will be no issue.
chocol4te said:
Update 4:
Using the unbrick utility, I have updated the MD5 partition with the checksums of my modified boot and recovery partitions. Unfortunately, I am now getting a checksum failed error, with both the MD5 and recovery partitions highlighted in red. So I was wrong about the checksum being compared with hashes in the MD5 partition. Does anyone know where the lowest level checksums are stored? Hopefully if I can change that, then locking the bootloader will be no issue.
Bro I am not a pro like you but I understand your vision now,... and I am with you in that.... Open Source stuff and Android as an Open source implies that only... We should have our custom code for locking and unlocking our bootloader so we can have the full control over our device.... If not and the guy that said that you can lock the bootloader with the stock rom didn't get that .. even with stock rom and recovery anyone can have the access of the phone by just unlocking the boot loader and that is simple. SO I GOT YOUR VISION AND I AM WITH YOU I WILL TRY TO UNDERSTAND THE LOCKING SYSTEM OF THE BOOT-LOADER AND I WILL TRY TO FIND THE LOCATION OF LOWER LEVEL CHECKSUMS... WE will try and try until we succeed.... I AM WITH YOU BRO!!!!!
indroider said:
Bro I am not a pro like you but I understand your vision now,... and I am with you in that.... Open Source stuff and Android as an Open source implies that only... We should have our custom code for locking and unlocking our bootloader so we can have the full control over our device.... If not and the guy that said that you can lock the bootloader with the stock rom didn't get that .. even with stock rom and recovery anyone can have the access of the phone by just unlocking the boot loader and that is simple. SO I GOT YOUR VISION AND I AM WITH YOU I WILL TRY TO UNDERSTAND THE LOCKING SYSTEM OF THE BOOT-LOADER AND I WILL TRY TO FIND THE LOCATION OF LOWER LEVEL CHECKSUMS... WE will try and try until we succeed.... I AM WITH YOU BRO!!!!!
Thanks! I'm glad to hear it!
chocol4te said:
Thanks! I'm glad to hear it!
You're most welcome bro.
Did I just witness a major bro-down?
Awesome thread, I'd also like to put my OP3 in a state where only ROMs I signed myself will run...
Any further development??
Sent from my Pixel XL using XDA-Developers mobile app
---------- Post added at 05:42 PM ---------- Previous post was at 05:41 PM ----------
indieross said:
Did I just witness a major bro-down?
What's a bro down?
Sent from my Pixel XL using XDA-Developers mobile app
indroider said:
Any further development??
Sent from my Pixel XL using XDA-Developers mobile app
---------- Post added at 05:42 PM ---------- Previous post was at 05:41 PM ----------
Whats a bro down?
Sent from my Pixel XL using XDA-Developers mobile app
Sorry, other stuff came up. I am still very interested in getting this to work, but I am really stuck if I can't understand why the MD5 verification error occurs when I use Loader to flash the modified images. I looked at CopperheadOS, and in their documentation they show how to re-lock the bootloader with a custom ROM. Here is the shell script they use to upload the OS.
Code:
fastboot flash bootloader bootloader-bullhead-bhz11f.img
fastboot reboot-bootloader
sleep 5
fastboot flash radio radio-bullhead-m8994f-2.6.33.2.14.img
fastboot reboot-bootloader
sleep 5
fastboot -w update image-bullhead-nbd90z.zip
As you can see they flash two images, boot loader and radio, then update the main ROM. Then apparently it boots fine and the bootloader is OEM locked inside the OS. This was for the Nexus 5X, but I want to find out if a similar process is possible on the OP3.
I may also begin work on porting CopperheadOS to the OnePlus 3. I know it sounds unrealistic, but since OnePlus released the binaries and kernels it should make it slightly easier.
chocol4te said:
Sorry, other stuff came up. I am still very interested in getting this to work, but I am really stuck if I can't understand why the MD5 verification error occurs when I use Loader to flash the modified images. I looked at CopperheadOS, and in their documentation they show how to re-lock the bootloader with a custom ROM. Here is the shell script they use to upload the OS.
As you can see they flash two images, boot loader and radio, then update the main ROM. Then apparently it boots fine and the bootloader is OEM locked inside the OS. This was for the Nexus 5X, but I want to find out if a similar process is possible on the OP3.
I may also begin work on porting CopperheadOS to the OnePlus 3. I know it sounds unrealistic, but since OnePlus released the binaries and kernels it should make it slightly easier.
Ok.. Great to hear... Let me know if you need any help.. I'm here
chocol4te said:
Sorry, other stuff came up. I am still very interested in getting this to work ... ...
I may also begin work on porting CopperheadOS to the OnePlus 3. I know it sounds unrealistic, but since OnePlus released the binaries and kernels it should make it slightly easier.
This sounds exactly like what I was looking for. Have you been able to progress? Do you think that the bootloader and the radio are somehow linked in the boot verification sequence?
---------- Post added at 05:51 AM ---------- Previous post was at 05:43 AM ----------
chocol4te said:
UPDATE 2:
From reading some Android notes it appears that instead of replacing the OEM key, you can also just use fastboot to flash keystores for self-signed recovery and roms. This still allows OEM signed images to run, but is certainly a step in the right direction. I have run into an issue with building a correct keystore. I can use keytool and import my previous certs, but "fastboot flash keystore examplename.keystore" fails. I saw "fastboot flash ssd keystore.dat" used, and it works with my current dot keystore file, but then after locking it fails to boot. I'm going to see how I can convert my .keystore to a .dat.
Have you read this: https://mjg59.dreamwidth.org/31765.html

Moto G7 Play bootloader unlock issues - "bad key", not OTA, no way to roll back?

My plan was to unlock the bootloader before configuring the new phone - just in case I might need it later, then use the phone as out-of-box. I unlocked the bootloader for the new Moto G7 Play, following the official procedure via the Motorola Accounts page, resulting in:
- Fastboot page shows: "flashing unlocked"
- When booting up, I see a black page with the words "bad key", then the phone boots
- The updater sais that the phone is corrupt and no (OTA) updates can be done
- I could not try TWRP, as there is no TWRP for the G7 Play yet (so not sure if flashing would work)
My concerns now are that I will not be able to update the phone, and that the "bad key" issue might cause other problems.
So my plan would be to roll back and lock the phone again, to use it as out-of-box (not worrying about warranty loss that might already have happened - I did accept these terms). However, that does not work, too:
- Locking bootloader requires factory images, which are not available for the G7 Play
- Locking bootloader with fastboot OEM lock will not work without complete images
Any suggestions how to bring the phone back to normal? I am disappointed by Motorola, as they officially offer the unlock procedure - which then does not produce the expected outcome, breaks updating, and provides no way to go back? Mind you, I did not apply any "hacks", nothing but the official Motorola unlocking steps.
Thanks for advice
I have the same problem and I cannot fix it.
I tried to get advice from Motorola support - but replies are very generic, referring to the bootloader unlock page (we obviously found that) or to the Motorola Forum (where the answer isn't). Will now just live with the unlocked phone and hope for the opportunity to OTA / update in a while
CoffeeMachineSwitch said:
- When booting up, I see a black page with the words "bad key", then the phone boots
- The updater says that the phone is corrupt and no (OTA) updates can be done
Unlocking any Motorola bootloader will cause the bootscreen to display "Bad Key". This is normal. It is a warning that the bootloader has been unlocked and the phone may not be "safe". Once you root a Motorola phone, it will display "N/A" instead of "Bad Key". Again, this is normal behavior. There are image makers that can replace the "splash" image and "hide" the "N/A", but since this phone doesn't have TWRP yet, you'll have to live with it for now.
As far as not being able to receive OTA updates, I have no knowledge. In my opinion it shouldn't matter that the bootloader has been unlocked...only if you've modified or deleted system files. I've never worried about system updates as I've always rooted and run custom ROMs, or Xposed (which negates eligibility for OTA).
mn1968 said:
Unlocking any
As far as not being able to receive OTA updates, I have no knowledge. In my opinion it shouldn't matter that the bootloader has been unlocked...only if you've modified or deleted system files. I've never worried about system updates as I've always rooted and run custom ROMs, or Xposed (which negates eligibility for OTA).
Thanks for clarifying. And yes, learnt from Moto Support that OTA was disabled for 7 generation
CoffeeMachineSwitch said:
Thanks for clarifying. And yes, learnt from Moto Support that OTA was disabled for 7 generation
That would be an unfortunate change if true. Prior devices could be unlocked and still get OTA updates. They won't install if certain changes are made but still get notified of updates.
You still can install full ROM using fastboot commands and regain root by patching boot.img from updated ROM
I did it on both G6 and G7
Where did you get the ROM images from? I understand there are no officials?
CoffeeMachineSwitch said:
Where did you get the ROM images from? I understand there are no officials?
Have you tried the LMSA tool? It's a tool you download from Motorola. There is a discussion here about it. It has a rescue button with which, I understand that you can download stock images directly from Motorola, but I haven't used it myself.
umbrisle said:
Have you tried the LMSA tool? ....
Yes I have - the last time I tried, however, it said that it would not support the G7 (Play) and did not provide any images/ROMs
CoffeeMachineSwitch said:
Yes I have - the last time I tried, however, it said that it would not support the G7 (Play) and did not provide any images/ROMs
I was thinking of buying a G7 Play myself, but I am now leaning more towards a G6 Play, because there are more tools available like a working TWRP.
Should've read the thread here before I went to buy a G7 Play, now my phone got softbricked.
Unblocked bootloader successfully following the official doc but failed to install magisk by copying the wrong build number of boot.img of OTA from here mirrors.lolinet.com/firmware/moto
now my g7 says
Code:
failed to load kernel, no Bootable A/B slot,
Failed to book Linux
falling back to fastboot.
I downloaded `RIVER_RETAIL_9.0_PPO29.80-61_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC` which i think this is the right build number when i see error like
Code:
river/retail corrupted
(can't remember exactly, but it's RETAIL not RETUS)
and made my own version of the fastboot commands stemming from servicefile.xml, still with no luck.
There is no recovery.img and Google has limited resources on getting the G7 Play back to stock ROM. I'd like to see if the community has any ideas, or whether I have to give it to Moto to fix it.
========================update=================================
update: I finally got the correct stock ROM, which exactly matches my build number "XT1952-4_CHANNEL_AMZ_9.0_PPY29.105-36_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC". I was an idiot thinking that a mismatch of one letter or two would be fine, but it turns out this is very strict ("second time rooting in my life").
Now I have flashed all of the original ROM onto my phone and fastboot reboot works; it gives me the original error like
Android Recovery
motorola/channel_retail/channel9/PPY29.105-36/d7abeuser/release-keys
Use volum up/down and power
can't load Android system. Your data may be corrupt.
If you continue to get this message, you may need to perform a factory data
reset and erase all user data stored on this device
=====
Try again
Factory data reset
now i need to figure out what to do next
===============update=========
lol, turns out just press Factory data reset will bring the brick back to life!!!!!
just want to post my process for anyone having my issue.
the key point is to find the correct build number
umbrisle said:
I was thinking of buying a G7 Play myself, but I am now leaning more towards a G6 Play, because there are more tools available like a working TWRP.
.
The G6 Play is really slow, at least the Boost one. I was kind of sorry I bought one to put on Sprint's free unlimited plan. At least Sprint unlocked it for me after 60 days.
Give the G7Play some time, it just came out.
As for you guys complaining of no updates once unlocked, it's not the only phone to require flashing the stock boot.img and relocking to get OTAs.
gedster314 said:
.
As for you guys complaining of no updates once unlocked, it's not the only phone to require flashing the stock boot.img and relocking to get OTAs.
Yeah, but there is inconsistency in Motorola's communication: they actively offer the option to unlock the bootloader (with T&C and all) incl. a link to a rollback feature, which then does not work. So in a scenario where a developer buys the device because it actively offers these features, they don't get what they paid for. Mind you, we are not discussing hacking a device here or jailbreaking - we are discussing features that Motorola actively promotes with a dedicated webpage.
wallace_mu said:
was an idiot thinking that a mismatch of one letter or two would be fine, but it turns out this is very strict
You completely missed the wrong code name "river" in RIVER_RETAIL_9.0_PPO29.80-61_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC; it is for another device, while "channel" is the right one.
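The mismatch in the posts above ("river" versus "channel", and a build id that differs by a few characters) can be caught before anything is flashed. The following Python sketch is an added example, not code from the thread or from Motorola: the archive-name layout is inferred from the file names quoted on this page, and the function names and the sample fingerprint (the recovery-screen line, re-typed with the standard ':' separators) are assumptions.

```python
"""Compare a Motorola firmware archive name with the device's build fingerprint."""
import re
from typing import List, NamedTuple


class Firmware(NamedTuple):
    model: str      # "XT1952-4", or "" when the archive name has no model prefix
    codename: str   # lower-cased device code name: "channel", "river", "sofia"
    channel: str    # software channel: "AMZ", "RETAIL", "RETUS", ...
    build: str      # build id: "PPY29.105-36"


class Fingerprint(NamedTuple):
    device: str     # code name the running build was made for
    build: str      # build id of the running build
    tags: str       # "release-keys" on production builds


# Layout inferred from the archive names quoted in this thread (an assumption):
#   [MODEL_]CODENAME_CHANNEL_[ANDROIDVERSION_]BUILDID_...
_NAME = re.compile(
    r"^(?:(?P<model>XT\d{4}-\d+)_)?"                   # optional model prefix
    r"(?P<codename>[A-Z0-9]+)_"
    r"(?P<channel>[A-Z0-9]+)_"
    r"(?:(?P<android>\d+(?:\.\d+)*)_)?"                # optional Android version
    r"(?P<build>[A-Z]{3,4}\d+\.\d+(?:-\d+)*)(?=_|$)"   # build id
)


def parse_firmware_name(name: str) -> Firmware:
    """Split an archive name into model, code name, channel and build id."""
    # Drop any directory part; the pattern ignores everything after the build id.
    stem = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = _NAME.match(stem)
    if m is None:
        raise ValueError(f"unrecognised firmware archive name: {name!r}")
    return Firmware(m["model"] or "", m["codename"].lower(), m["channel"], m["build"])


def parse_fingerprint(fp: str) -> Fingerprint:
    """Parse brand/product/device:release/id/incremental:type/tags."""
    parts = fp.strip().split("/")
    if len(parts) != 6 or ":" not in parts[2]:
        raise ValueError(f"not a build fingerprint: {fp!r}")
    return Fingerprint(parts[2].split(":", 1)[0].lower(), parts[3], parts[5])


def mismatches(archive_name: str, fingerprint: str) -> List[str]:
    """Return the reasons this archive does not match the phone (empty = match)."""
    fw = parse_firmware_name(archive_name)
    dev = parse_fingerprint(fingerprint)
    problems = []
    if fw.codename != dev.device:
        problems.append(
            f"code name {fw.codename!r} is for another device (phone is {dev.device!r})"
        )
    if fw.build != dev.build:
        problems.append(f"build {fw.build} differs from the phone's {dev.build}")
    return problems


# Constructed sample: the recovery-screen fingerprint quoted in the thread,
# re-typed in the standard layout with its ':' separators.
DEVICE_FP = "motorola/channel_retail/channel:9/PPY29.105-36/d7abe:user/release-keys"

# The two archive names from the thread: the one that failed and the one that worked.
CANDIDATES = [
    "RIVER_RETAIL_9.0_PPO29.80-61_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC",
    "XT1952-4_CHANNEL_AMZ_9.0_PPY29.105-36_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC",
]

if __name__ == "__main__":
    for name in CANDIDATES:
        found = mismatches(name, DEVICE_FP)
        print(name)
        if found:
            print("  do not flash: " + "; ".join(found))
        else:
            print("  matches the running build")
```

On a booted phone the fingerprint is what `adb shell getprop ro.build.fingerprint` prints. A matching name says nothing about who built the archive; it only catches the wrong-device and wrong-build cases from this thread.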
Where did you get the correct Rom from? Thanks
I don't own Moto G7 Play and can not confirm, however this one worked for wallace_mu
wallace_mu said:
XT1952-4_CHANNEL_AMZ_9.0_PPY29.105-36_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC
I could successfully lock / unlock / lock the bootloader...
Unlock: fastboot oem unlock [CODE FROM MOTOROLA]
Lock it down:
* first I have to reflash the 'boot.img' from the correct firmware file - fastboot flash boot boot.img
* then I can lock the bootloader clean again with 'fastboot oem lock'. "bad key" is gone, SafetyNet test passed and OTA is working again.
Unlocking / locking again works by the way also. Maybe this will help?
realsine said:
I could successfully lock / unlock / lock the bootloader...
Unlock: fastboot oem unlock [CODE FROM MOTOROLA]
Lock it down:
* first I have to reflash the 'boot.img' from the correct firmware file - fastboot flash boot boot.img
* then I can lock the bootloader clean again with 'fastboot oem lock'. "bad key" is gone, SafetyNet test passed and OTA is working again.
Unlocking / locking again works by the way also. Maybe this will help?
yes it does! was waiting for this. 2 quick questions:
- will lock/unlock require factory reset / data loss?
- where to get the (official?) boot.img from (am always careful to flash img from the wild)
thanks!
CoffeeMachineSwitch said:
yes it does! was waiting for this. 2 quick questions:
- will lock/unlock require factory reset / data loss?
- where to get the (official?) boot.img from (am always careful to flash img from the wild)
thanks!
Hello,
I'm glad to read that I could help.
I have "my" image of 'https :// mirrors.lolinet.com/firmware/moto/channel/official/RETEU/'. There are also some others - just have a look. And please remove the spaces around '://'. I'm currently not allowed to post (external) links, so this way.
* Every 'LOCK' deletes all data and the system is "clean" again.
* The same applies (unfortunately) to EVERY 'UNLOCK'.
I don't care at the moment because I haven't set up my smartphone yet. But it's not nice.
Best regards

File Request: modem.img from US Unlocked Pixel 3/XL

TL;DR: I have an Australian unlocked Pixel 3 XL (disabled eSIM), and want to try flashing the US unlocked modem firmware to my phone to see if it will unlock the eSIM.
I believe that the command
Code:
adb pull /dev/block/by-name/modem_a modem.img
(or modem_b for boot slot b) will work from a connected computer w/ ADB and a rooted phone. (Please let me know if this command wouldn't work!)
Full post:
Hey guys, new to XDA, been browsing every now and then for a while though
I'm also no expert in modding, ROMs etc.
It appears that Google has disabled the eSIM on Australian unlocked models of the Pixel 3/3 XL. To my knowledge, there is only one hardware variant of the p3, meaning that the eSIM chip itself is present, but cannot be used, either due to firmware or software limitations.
I have a hunch that it's due to the modem firmware. Why? When it was still on Android 9, the eSIM setup was accessible through the Settings menu, although once a QR code was scanned, a generic error message would pop up - indicating that Android itself had no clue why it didn't work. In Android 10, the option has been removed from Settings.
This makes me think that flashing the modem driver from a model with working eSIM may enable its functionality in software - and there doesn't seem to be any harm in trying. It seems like cross-flashing modems was possible on the original Pixel XL, which similarly had only one hardware variant. This brings me to my issue; I've been unable to find a modem.img file anywhere for the Pixel 3. I've downloaded Google's factory system images, as well as the driver binaries, to decompress and poke around for a modem.img to no avail. I suspect this is because flashing a new image leaves the modem partitions untouched, and the modem firmware from factory remains on the device. (This also makes sense because Google only offers one system image version on its site)
So I'd like an image of the modem partition from a US unlocked pixel 3/3XL, preferably already running the latest version of Android 10 (QQ1A.191205.008) to try out on my phone. Who knows - if this works, maybe other features can be enabled, like FeliCa functionality on non-JP models! (Wishful thinking, I know)
If anyone has any other ideas or thinks I'm on the wrong track let me know - I'm sure we'll find some way to access these locked features
Thanks!
Sidenote: the images I mention above include a radio.img file - what's the difference between this and modem.img? There doesn't seem to be a partition named radio (when looking at `ls /dev/block/by-name`) - is this identical to modem.img??
BigBoy47 said:
So I'd like an image of the modem partition from a US unlocked pixel 3/3XL, preferably already running the latest version of Android 10 (QQ1A.191205.008)
I am US, unlocked, rooted - I flash the factory image monthly from https://developers.google.com/android/images
I can pull the files tomorrow but I can't imagine they will be different than what's included in the factory image you can download from the link.
Edit to add: I would suspect this is a regional limitation Google implements with the system-based information about the device's location. Maybe on a combination of geo location, ip addresses, or cellular providers.
Thing is, I couldn't find the modem.img anywhere in the official factory images, leading me to believe that it never gets flashed/updated - meaning the factory version is there to stay. Again, just a hunch though.
I doubt it's Internet-based at all - as I mentioned, it seems like Android had no clue why eSIM registration was failing, making it seem like a firmware thing.
Regardless, thanks so much for the offer! I'll give it a shot when you upload your modem image.
BigBoy47 said:
Thing is, I couldn't find the modem.img anywhere in the official factory images, leading me to believe that it never gets flashed/updated - meaning the factory version is there to stay. Again, just a hunch though.
I doubt it's Internet-based at all - as I mentioned, it seems like Android had no clue why eSIM registration was failing, making it seem like a firmware thing.
Regardless, thanks so much for the offer! I'll give it a shot when you upload your modem image.
There is no modem.img in the factory image even if you extract the image .zip to get boot.img, etc. Clearly, it gets installed as part of one of the other files. I am not on stock, or I would try a pull.
BigBoy47 said:
Thing is, I couldn't find the modem.img anywhere in the official factory images, leading me to believe that it never gets flashed/updated - meaning the factory version is there to stay. Again, just a hunch though.
I doubt it's Internet-based at all - as I mentioned, it seems like Android had no clue why eSIM registration was failing, making it seem like a firmware thing.
Regardless, thanks so much for the offer! I'll give it a shot when you upload your modem image.
Radio.... img is the modem image you're looking for. You'll find it in the root folder after you've extracted the factory image.

all about official firmware and where to find it

This will be a list of firmware sources and a bit of explanation in different firmware versions and builds. This information has been gathered over the past few weeks, mainly by helping others to find the proper stock roms.
First of all, there seem to be multiple regions that have different firmwares, and there seem to be different software channels per region or per region per provider (for instance vfeu vs reteu).
The phone model is XT2041-X where the X can stand for 1 to 4
The development name / moto name is called: Sofiar ( XT2041-1/3)
the development name for the US name is: Sofia ( xt2041-4 )
The easiest way to find the proper firmware would be via the Lenovo rescue and smart assistant ( LMSA)
you can download it from here: https://download.lenovo.com/consumer/mobiles/rescue_and_smart_v5.0.0.25_setup.exe
Since a few days support has been added to rescue the g8 power
you can download the current firmware for your device via the rescue page.
Manual selection of firmware sources:
So far, every source on the internet points to the lolinet mirror
see https://mirrors.lolinet.com/firmware/moto/sofiar/official/
US version: https://mirrors.lolinet.com/firmware/moto/sofia/official/
a 2nd source would be the moto updates tracker, but I expect that everything you find here will appear on lolinet
US: https://t.me/s/MotoUpdatesTracker?q=#sofia
The rest of the world: https://t.me/s/MotoUpdatesTracker?q=#sofiar
so far I have not been able to find any other sources. I hope this helps a bit in downloading / finding the stock firmware for your phone.
If you find any other / better source, please let me know, I'll add it to this first post.
Thanks
I successfully updated mine and regained root.
I will post manual update guide later.
A side note: the following must be flashed in fastbootd (fastboot reboot fastbootd or adb reboot fastboot)
boot.img, recovery.img, vbmeta.img, super, dtbo.img
@mingkee Pls can you share manual update guide? THX
endva3 said:
@mingkee Pls can you share manual update guide? THX
There's a simple method using LMSA rescue method, but make sure you backup your phone because your phone will be wiped during the process.
Hi, I'm running into a little problem. I used the lolinet link to download the factory ROM for my Moto G Power (Best Buy unlocked, on Verizon). I downloaded the sofia VZW factory ROM first (thinking because I'm on Verizon). I used Magisk to patch the boot.img and fastbooted it. After reboot, I lost the touch screen and cell service -- could not unlock the phone. So I thought no big deal, I'll just reflash the unpatched boot.img from the sofia retus ROM this time. However, I still do not have touch screen. Does anyone have the factory boot.img for QPM30.80.50-1 that originally came with this G Power? Thanks in advance.
quangtran1 said:
Hi, I'm running into a little problem. I used the lolinet link to download the factory ROM for my Moto G Power (Best Buy unlocked, on Verizon). I downloaded the sofia VZW factory ROM first (thinking because I'm on Verizon). I used Magisk to patch the boot.img and fastbooted it. After reboot, I lost the touch screen and cell service -- could not unlock the phone. So I thought no big deal, I'll just reflash the unpatched boot.img from the sofia retus ROM this time. However, I still do not have touch screen. Does anyone have the factory boot.img for QPM30.80.50-1 that originally came with this G Power? Thanks in advance.
You may have patched unmatched build number.
Solution: flash full ROM
LMSA rescue is the simplest method but it will wipe the phone
Thanks! That was what I ended up doing.
Is it possible to change fw xt2041-3 (PAHF0004PL) to XT2041-3 (PAHF0006GB)? I'm on the PL version (Android security January 2020) and the GB version is May 2020. If possible, the bootloader must be unlocked? Can it be changed via any tool (mototool) or via adb commands?
Anyone have the boot.img for QPMS30.80-51-3?
I can't download the latest May update from their server. Some reason the link to download expired a few days after. So if anyone has another link or can just hook it up with the boot.img please
I couldn't get it with the rescue app either, it was a lower version.
EDIT
Found it here
https://forum.xda-developers.com/showpost.php?p=82865201&postcount=73
Some lessons learned
pjottrr said:
The easiest way to find the proper firmware would be via the Lenovo rescue and smart assistant ( LMSA)
you can download it from here: https://download.lenovo.com/consumer/mobiles/rescue_and_smart_v5.0.0.25_setup.exe
Since a few days support has been added to rescue the g8 power
you can download the current firmware for your device via the rescue page.
In my case, you in fact cannot exactly download the "current" firmware via the rescue page - the phone's updater app thinks QPM30.80-51-3 is the latest version, but the rescue app installs the newer QPM30.80-109. Both are 5/1/2020 security patch level, but the boot.img files are most certainly not interchangeable.
I ended up in a bootloop which I had to rescue the phone to escape. I'd advise anyone wanting to root this phone to just rescue it first.
Also it's essential that you install the Motorola Device Manager/USB drivers in addition to LRSA, otherwise LRSA will incorrectly insist your phone is not in fastboot flash mode if you have to resort to rescuing from fastboot mode.
Finally, the rescue process will not work from a Windows VM under KVM, whether you have the USB device redirected or shared with the host. You need Windows running on bare metal.
Hope this saves someone the hours of annoyance I just went through trying to unbrick the damn thing.
Can I jump from a carrier ROM to an unlocked version? And if yes, what's the unlocked phone ROM? Cause I only see carrier versions.
Mikael1013 said:
Can I jump from a carrier ROM to an unlocked version? And if yes, what's the unlocked phone ROM? Cause I only see carrier versions.
Switching from a carrier rom to an unlocked version won't SIM unlock a phone (at least not to my knowledge), if that's your objective. But if you're looking to switch the retail flavor rom, try RETUS, specifically XT2041-4_SOFIA_RETUS_10_QPM30.80-13-2_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip.
rlrevell said:
In my case, you in fact cannot exactly download the "current" firmware via the rescue page - the phone's updater app thinks QPM30.80-51-3 is the latest version, but the rescue app installs the newer QPM30.80-109. Both are 5/1/2020 security patch level, but the boot.img files are most certainly not interchangeable.
I ended up in a bootloop which I had to rescue the phone to escape. I'd advise anyone wanting to root this phone to just rescue it first.
Also it's essential that you install the Motorola Device Manager/USB drivers in addition to LRSA, otherwise LRSA will incorrectly insist your phone is not in fastboot flash mode if you have to resort to rescuing from fastboot mode.
Finally, the rescue process will not work from a Windows VM under KVM, whether you have the USB device redirected or shared with the host. You need Windows running on bare metal.
Hope this saves someone the hours of annoyance I just went through trying to unbrick the damn thing.
Also a good word of advice before flashing a boot.bin
run the command
fastboot boot boot.bin
or whatever your boot.bin is called
Then you can test your patched file before patching it. Also even better once you get into Android you can open MAGISK and use direct install
TNS201 said:
Also a good word of advice before flashing a boot.bin
run the command
fastboot boot boot.bin
or whatever your boot.bin is called
Then you can test your patched file before patching it. Also even better once you get into Android you can open MAGISK and use direct install
I've never actually had this work on any device I've tried to root. Command not implemented or some such error was always the result. Does it work for you on this device?
The download link for the latest Google Fi firmware works again if anyone wants to grab it before it expires...again heh.
SOFIA_RETAIL_QPMS30.80-51-3
CodyF86 said:
The download link for the latest Google Fi firmware works again if anyone wants to grab it before it expires...again heh.
SOFIA_RETAIL_QPMS30.80-51-3
Do you have stock boot IMG by any chance? Thx in advance
freddienuxx said:
Do you have stock boot IMG by any chance? Thx in advance
sofia_80-51-3boot.img
CodyF86 said:
sofia_80-51-3boot.img
Thx man
rlrevell said:
I've never actually had this work on any device I've tried to root. Command not implemented or some such error was always the result. Does it work for you on this device?
yea when you are in bootloader with phone attached to the PC it should work
It worked on my pixel 2 xl and this phone
Does anybody have this file available? (Sorry for the spaces, I can't post a link...). The download link has expired.
t.me /motoupdatestracker/ 2752
filename: SOFIA_RETAIL_QPMS30.80-51-5_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip
What's the difference between that and RETUS on lolinet? Is there any? Reason I'm asking is that I don't have any radios after that OTA (Google Fi) and flashing the boot.img from RETUS QPMS-30.80-51-5.

{SOLVED} Downgrading to a previous Android version

Hello community, I need some explanation first if my approach is incorrect. I am trying to downgrade to Android 10, but I was soul-crushed after reading some information about the bit/binary value that Samsung uses on its firmware (basically you can't downgrade if this value is not equal to your targeted firmware). However, even though I feel scammed by Samsung, I would like to ask you, the community, as my final resort to guide me.
Is there some way I can trick the SW REV checker or delete this partition containing this binary file? Does "deleting" it affect my ability to boot into the download mode?
{Temp_User} said:
Hello community, I need some explanation first if my approach is incorrect. I am trying to downgrade to Android 10, but I was soul-crushed after reading some information about the bit/binary value that Samsung uses on its firmware (basically you can't downgrade if this value is not equal to your targeted firmware). However, even though I feel scammed by Samsung, I would like to ask you, the community, as my final resort to guide me.
Is there some way I can trick the SW REV checker or delete this partition containing this binary file? Does "deleting" it affect my ability to boot into the download mode?
you can downgrade by simply flashing system,kernel and vendor from android 10 on twrp
JuanTamqd21 said:
you can downgrade by simply flashing system,kernel and vendor from android 10 on twrp
Hi, thank you for the reply.
Sorry for the late reply. I will try this today
JuanTamqd21 said:
you can downgrade by simply flashing system,kernel and vendor from android 10 on twrp
Okay. I may be misunderstanding something because this way did not work for me. Do I have to manually extract files from the lz4 files?
{Temp_User} said:
Okay. I may be misunderstanding something because this way did not work for me. Do I have to manually extract files from the lz4 files?
well, I can provide vendor and kernel in telegram. You can also get them by extracting lz4 files
make sure it's from Android 10/Q/one ui 2.x firmware
I have with me the latest (previous) Android 10. I have extracted correctly (used 7-zip zstd) the lz4 files and flashed the vendor, system and kernel in that order.
Upon reboot, I cannot get past the splash screen. However, I do see that an error appears on the top left of my screen as CHECK FAIL binary 7(BOOT). The words are not clear though.
What did I do wrong?
JuanTamqd21 said:
well, I can provide vendor and kernel in telegram. You can also get them by extracting lz4 files
make sure it's from Android 10/Q/one ui 2.x firmware
please provide an in-depth process?
Okay, so after a number of attempts I finally have Android 10/Q on my phone. Keep in mind that I am not tech savvy, as all this was a guessing game (well, not all of it).
I will share my story and hope it may be useful to others who intend to downgrade their Android version.
SW REV ERRORS
You cannot and you should not change the bit version. If you see this error, it means you tried to flash a firmware or maybe just a boot file that is outdated or incompatible with the current secure boot loader.
With my limited knowledge, I went with what was easier for me at the time of writing this,
- Flash latest firmware for model A505F (yours may differ) using Odin. (SUCCESS)
- Boot into system normally. (Make sure the OEM unlock is greyed out.)
- Flash the latest custom recovery (TWRP or 'sky hawk recovery project', I chose the latter).
- Boot into your recovery and Format data, also make advanced wipes. System kernel vendor Dalvik Cache Data.
- Pay attention to what exactly you are wiping.
- With your targeted firmware (A10) somewhere nearby, I recommend to use a reliable tool to extract the lz4 compressed file. I used this to get 'system.img' 'vendor.img' 'boot.img'. If you are on Windows, look at the type column in your file explorer or enable 'view filename extension'.
- Flash/Install the image files in your recovery. Be patient.
Here is the tricky part for me. The boot loader won't accept this older kernel (thus the boot loops).
A faster way to work around this is installing a custom kernel that supports Android 10, e.g. quantum kernel.
- You may have to reboot a number of times before you can get past the splash screen. Be patient.
- Success, you now have a weird but working system. (I call it weird because the kernel you will use will carry along with its bugs e.g. camera fails, random reboots.)
You can not update the system. This may be due to the different AP/CP/CSC/ match. This is not a step by step guide, I am only sharing with the public what I did to get my final point.
Of course this goes without saying that you are attempting a risky route and you the user shall carry all responsibility.
{Temp_User} said:
Okay, so after a number of attempts I finally have Android 10/Q on my phone. Keep in mind that I am not tech savvy, as all this was a guessing game (well, not all of it).
I will share my story and hope it may be useful to others who intend to downgrade their Android version.
SW REV ERRORS
You cannot and you should not change the bit version. If you see this error, it means you tried to flash a firmware or maybe just a boot file that is outdated or incompatible with the current secure boot loader.
With my limited knowledge, I went with what was easier for me at the time of writing this,
- Flash latest firmware for model A505F (yours may differ) using Odin. (SUCCESS)
- Boot into system normally. (Make sure the OEM unlock is greyed out.)
- Flash the latest custom recovery (TWRP or 'sky hawk recovery project', I chose the latter).
- Boot into your recovery and Format data, also make advanced wipes. System kernel vendor Dalvik Cache Data.
- Pay attention to what exactly you are wiping.
- With your targeted firmware (A10) somewhere nearby, I recommend to use a reliable tool to extract the lz4 compressed file. I used this to get 'system.img' 'vendor.img' 'boot.img'. If you are on Windows, look at the type column in your file explorer or enable 'view filename extension'.
- Flash/Install the image files in your recovery. Be patient.
Here is the tricky part for me. The boot loader won't accept this older kernel (thus the boot loops).
A faster way to work around this is installing a custom kernel that supports Android 10, e.g. quantum kernel.
- You may have to reboot a number of times before you can get past the splash screen. Be patient.
- Success, you now have a weird but working system. (I call it weird because the kernel you will use will carry along with its bugs e.g. camera fails, random reboots.)
You can not update the system. This may be due to the different AP/CP/CSC/ match. This is not a step by step guide, I am only sharing with the public what I did to get my final point.
Of course this goes without saying that you are attempting a risky route and you the user shall carry all responsibility.
Hello, you will not be able to downgrade your phone to Android 11, if it is not on these firmware updates:
Of course, the reason is, that the binaries of newer updates are higher, than 7 (A505FNPUU7CUC2).
vmirrimv said:
Of course, the reason is, that the binaries of newer updates are higher, than 7 (A505FNPUU7CUC2).
So long as we both happy and got what we wanted. I finally have a working android 10 on my device(coming from a11)
vmirrimv said:
Hello, you will not be able to downgrade your phone to Android 11, if it is not on these firmware updates:
You are correct. I gave up on changing the binaries after seeing it was impossible.
Camera should still work on custom android 10 one ui roms and GSI. I think I tested them before.
