Recover from hard brick with locked bootloader - Fairy tale? - Moto Z2 Force Questions & Answers

Hello guys!
After much research on the internet about unbrick for Moto Z2 Force, after many forums, tutorials, tools, blankflash, etc., I've came to the conclusion: I've not found anyone who has managed to recover a Moto Z2 Force from a hardbrick with a locked bootloader.
Many are hopeful that it is possible to do so, but I believe it is no more than a fairy tale.
If you succeeded, please help others to get it too.

andrecesarvieira said:
Hello guys!
After much research on the internet about unbrick for Moto Z2 Force, after many forums, tutorials, tools, blankflash, etc., I've came to the conclusion: I've not found anyone who has managed to recover a Moto Z2 Force from a hardbrick with a locked bootloader.
Many are hopeful that it is possible to do so, but I believe it is no more than a fairy tale.
If you succeeded, please help others to get it too.
Click to expand...
Click to collapse
My second Z2 kept bricking and locking itself. My only saving Grace was I was able to unlock it since I had the unlock code still and since it wouldn't boot, it would accept the unlock code. It is a slot ab issue where if your phone never took an OTA (I flash all to Oreo and tried flashing DU and AOSP before taking an OTA to open slot B). This caused the phone to lock itself and go a little nuts. But it was unlocked then locked due to slot issues, so it shouldn't count. Maybe my story is a fairy tale ... No... I remember spending the hour trying to figure out why this thing wouldn't install an AOSP rom but my other would just fine, then facepalm when I figured I just needed to take an OTA.

This person had a locked bootloader and we were able to sort through and get it back to good. Maybe yours is a little worse off, idk, but the gist should be the same. I'm not sure what you've tried. whether you can load os, etc. Here is a link to the thread where we finally got it sorted, it's a little hit and miss, but maybe it'll get you going in the right direction.
https://forum.xda-developers.com/z2-force/help/help-help-help-deep-cable-flash-cable-t3925742

41rw4lk said:
This person had a locked bootloader and we were able to sort through and get it back to good. Maybe yours is a little worse off, idk, but the gist should be the same. I'm not sure what you've tried. whether you can load os, etc. Here is a link to the thread where we finally got it sorted, it's a little hit and miss, but maybe it'll get you going in the right direction.
https://forum.xda-developers.com/z2-force/help/help-help-help-deep-cable-flash-cable-t3925742
Click to expand...
Click to collapse
Alas this person had a different problem from me. It sounds like they had something of a pseudo-lock that just needed a nudge to get the kernel to recognize the OEM unlock had been authorized.
The above thread may prove useful to people who have had issues with locked bootloader but who have access to the system.
I do not have access to the system. fastboot oem blankflash command is "restricted" for me. Yet it still classifies both slots as bootable, it just refuses to boot them, which is not enough to trigger any emergency download apparently. It seems this person never succeeded in doing that, because they found an easier way.
I'm really trying to figure out if buying a cable would be worth it, but I have doubts. I was able to access my usb hub and manually short the pin using a voltmeter and some wire to find which traces were connected -- exactly mimicking the action of most "deepflash" cables.
No dice.
That, and I read that the MSM8998 doesn't use the same programmer as other qualcomm androids, possibly uses an older one, and I haven't found any reference to which one. I think blankflash should be possible on these phones, but triggering edl seems impossible from my position, since I have no adb but I do have a basically useless bootloader, which aggressively overrides edl. :angel:
Basically the way I see this, my bootloader thinks its serving a purpose: fending off modified system files, which I unwittingly made its only function when I locked it. It is forbidden from handing over the power of my z force to a patched OS. Since the bootloader exists, and is technically able to boot, it's just not allowed, edl will never be activated because it utterly defeats android security. edl is the backdoor that opens when everything else is completely gone or unintelligible. Is that accurate? :cyclops:
I am beginning to accept that my phone was not meant to be rooted really in the sense that, yes, its Linux and you can, but it's basically been booby trapped by Lenovo and if you fall for the logic I did at first, and try relocking it at the first sign of strange behavior, you have to buy a new phone. Exactly what they want.

Related

[Q] Explain to me why devs are unable to unlock the MJB bootloader

I've been curious about how the Bootloader is locked down and why it's so difficult/impossible to unlock. How does the mfg get the initial load onto the device when it's manufactured?
I read that this bootloader has some 2048 encryption and that it's impossible to crack. However, I feel like there should be a way to alter the systems firmware from a PC or some kind of connection to the device.
Buchez said:
I've been curious about how the Bootloader is locked down and why it's so difficult/impossible to unlock. How does the mfg get the initial load onto the device when it's manufactured?
I read that this bootloader has some 2048 encryption and that it's impossible to crack. However, I feel like there should be a way to alter the systems firmware from a PC or some kind of connection to the device.
Click to expand...
Click to collapse
The way I read it somewhere is this,
There are efuses built into the processor/motherboard/memory/whatever that the new bootloader "blows" when it is installed. These efuses are necessary pathways for the older bootloaders, hence why they won't install. I don't believe the new bootloader is "locked" per say, it just prevents earlier versions from being installed. There is also a guide somewhere on these forums to recover your device from a brick if you tried to downgrade the bootloader. The new bootloader also doesn't prevent you from installing earlier roms, as long as they are flashable from recovery. Just do not try to use Odin to revert to an earlier rom. That's what causes the bricks, and although there is a procedure to recover, it doesn't sound easy and you end up back on MJB when you're done anyway. Hope that helped.
To whoever wrote the original post I referred to above, my apologies for not giving credit.
Thanks for the reply.
I'm pretty solid with flashing ROM's and such. I have been wondering if it would be possible to use a regular PC and some cool software to reset or reformat the firmware on the system.
Here is a link to the article I was reading:
http://rootzwiki.com/news/att-locks-down-its-galaxy-s-iv-bootloader/
Say I have brand new S3 hardware right off the factory floor. How does that system get injected with the software? When the factories get damaged or "Bricked" units back and refurb them, how do they do that. I know that you can use the SD card trick to jump your phone back to life, but there has to be some master way to do this
Buchez said:
Thanks for the reply.
I'm pretty solid with flashing ROM's and such. I have been wondering if it would be possible to use a regular PC and some cool software to reset or reformat the firmware on the system.
Here is a link to the article I was reading:
http://rootzwiki.com/news/att-locks-down-its-galaxy-s-iv-bootloader/
Say I have brand new S3 hardware right off the factory floor. How does that system get injected with the software? When the factories get damaged or "Bricked" units back and refurb them, how do they do that. I know that you can use the SD card trick to jump your phone back to life, but there has to be some master way to do this
Click to expand...
Click to collapse
I don't have an S3, I'm on the S3 section because my mom broke her phone, so this is speculation based on when I owned an Optimus G:
There are qualcomm tools that can fix a lot more than Odin and Fastboot can, apparently, and manufacturers have access to those. When I had an Atrix 4G someone told me they replace the entire board when eFuses are burned incorrectly, but that sounds really expensive. Anyway, just my 2 cents, i'm out~

Droid Turbo 2 Lets figure out how to get root

This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and boot loader access on our Droid Turbo 2 Devices.
My approach here is to establish a collection of "Zero Day Bugs". Security flaws found in our devices that would put our OS as risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely so zero-day flaws found in 2014 or early 2015 likely were patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Exploit found for Turbo 2 that can grant root access
Given the widespread impact of this exploit, it is likely other device owners are going to try to implement this exploit as well. Please post here if you find any implementations for other devices as it may be usable for the Turbo 2.
It has been confirmed that Quadrooter can exploit the Turbo 2: http://www.zdnet.com/article/quadrooter-security-flaws-affect-over-900-million-android-phones/
Four vulnerabilities (CVE-2016-2059, CVE-2016-2504, CVE-2016-2503, CVE-2016-5340)
And just an FYI:
"ALLOW OEM UNLOCKING" DOES NOTHING ON THE DROID TURBO 2
Click to expand...
Click to collapse
windraver said:
This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and boot loader access on our Droid Turbo 2 Devices.
My approach here is to establish a collection of "Zero Day Bugs". Security flaws found in our devices that would put our OS as risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely so zero-day flaws found in 2014 or early 2015 likely were patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Click to expand...
Click to collapse
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
I have installed one-click root (I got it through another site, not from them) and it sometimes says failed to root, but other times, it goes through the process, says it's done and to reboot, but when rebooting it does not have root. I have tried running other apps, like King Root, or Root Genius, or half a dozen others to get it to root, after getting one-click to say it has rooted it. Not sure if this will help or not, and honestly, I'm to the point, I'm ready to give up and do something different. I WILL NEVER buy another Verizon phone, ever! I may not drop them as a carrier, but I wont be keeping their crappy locked junk.
brannonwj said:
rant
Click to expand...
Click to collapse
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
not a rant
Techn0Luigi said:
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
Click to expand...
Click to collapse
That wasn't a rant about how I didn't do any research. IT was a what I did that might lead to someone having an idea of how it might help.
Don't be a jerk.
mr_verystock said:
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
Click to expand...
Click to collapse
Can you explain the QHSUSB_DLOAD more?
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader. 1 starts TZ, 2 something else, by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match magic key (.hex) then booting fails. Most of the stuff turn off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that is used to boot (so in this case, you may be able to bring over something that damages TZ transistor, thereby unlocking bootloader). What you bring over exactly for the bootloader unlock, it hasn't been discovered even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contains the root blocks, and the bootloader doesn't know a thing.
Bring over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
They rooted the phone in China , they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
mr_verystock said:
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader. 1 starts TZ, 2 something else, by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match magic key (.hex) then booting fails. Most of the stuff turn off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that is used to boot (so in this case, you may be able to bring over something that damages TZ transistor, thereby unlocking bootloader). What you bring over exactly for the bootloader unlock, it hasn't been discovered even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contains the root blocks, and the bootloader doesn't know a thing.
Bring over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
Click to expand...
Click to collapse
I'd like to see a Verizon phone rooted. That is the version I have and most in the U.S. have as well.
Sent from my XT1585 using Tapatalk
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
The godless app is a hack that steals your data. If it did work, (which from what I understand it only works on 5.1 and below) you'd risk your personal and financial data being stolen and sold.
Alaadragonfire said:
They rooted the phone in China , they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
Click to expand...
Click to collapse
Any luck in contacting the seller on how it is rooted?
I'm sure they use stolen Lenovo/Motorola factory development "engineering" software which unlocks the bootloader. It's the same phone as the Moto X Force but with locked down bootloader.
There were similar Droid Turbo phones being sold with unlocked bootloader a year ago in China, months before the Sunshine exploit was found.
gizzardgulpe said:
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
Click to expand...
Click to collapse
I dont have my dt2 but link to one of the apps in case someone wants to try
https://apkpure.com/summer-flashlight/com.foresight.free.flashlight?hl=en
I'm usually just lurking here and grab Roms and exploits when they pop up, but I have something to add. Has anyone unlocked the developer settings? There's a toggle named 'oem unlocking' with a subtext of 'allow the bootloader to be unlocked'. Does this mean the bootloader can be unlocked? Last Verizon phone I had was a g3 and only way to gain a faux unlock was to use 'bump' to install twrp. Could this be possible with the turbo 2? I'm not a coder or anything, but just trying to add to the think tank here
This setting does nothing.
damkol said:
This setting does nothing.
Click to expand...
Click to collapse
There really should be a sticky saying "ALLOW OEM UNLOCKING DOES NOTHING ON THE DT2"
Droid turbo 2
After spending countless hours trying to unlock my bootloader to root my phone I'm at an impasse I've been told the Verizon and at&t models arnt able to be unlocked I will keep trying to get around this to root and install custom roms if anyone has any tips
Rhydenallnight said:
After spending countless hours trying to unlock my bootloader to root my phone I'm at an impasse I've been told the Verizon and at&t models arnt able to be unlocked I will keep trying to get around this to root and install custom roms if anyone has any tips
Click to expand...
Click to collapse
Crack the case, hook up some leads (microscope) and dump the memory for the boot loader is the only thing I can think of. Don't know if the that is even possible with that memory. It's probably integrated with other stuff.
Sent from my XT1585 using Tapatalk
Update: Oh yeah, it's encrypted. Guess that won't work.
Found something. Does anyone know if this vulnerability exists on the Droid Turbo 2?
CVE-2015-1805
http://www.computerworld.com/articl...itical-android-root-vulnerability-itbwcw.html
There is a proof of concept out there. Has anyone tried it?
https://github.com/dosomder/iovyroot

Should I unlock my bootloader for safety reasons

I've always had my devices rooted and running a custom rom or at least a custom kernel or something of the sort "But" ever since I got my pixel about a year ago I haven't felt the need to root at all, stock rom is just perfect and so battery life and I don't see a reason to.
However I was just thinking that now with locked bootloader if for any reason my phone gets bricked then I'm probably [email protected]*t out of luck because I won't be able to flash a factory image to bring the phone back to life.
Should I unlock my bootloader just in case the worse does happen or is there another workaround for such a situation?
Getting bricked is the direct result of flashing images.
nabbed said:
Getting bricked is the direct result of flashing images.
Click to expand...
Click to collapse
I could not disagree more. There are countless threads of individuals taking OTAs and running into boot loop. Additionally I have read through multiple threads where individuals were simply using their phone to play a game, text, phone call etc and the phone shuts off and goes into a loop.
The users with an unlocked bootloader were able to salvage the device. Users without a locked bootloader looked for a RMA.
To the OP- I personally will never own an Android device with a constantly locked bootloader. The safety net of being able to factory reset and flash stock images is something I've always cherished and do not wish to get rid of.
There are security risks to having an unlocked BL. If an Android savvy criminal were to steal your device they could do a lot of damage with obtaining personal information. For me, I'm much more worried about my phone going in to boot loop than I am some criminal being able to take my phone from me.
Sab3elbromba said:
Should I unlock my bootloader just in case the worse does happen or is there another workaround for such a situation?
Click to expand...
Click to collapse
if for any reason, something did get corrupted on your phone with a lockedbootloader and it tripped verified boot. you would be locked out, no course of action but to get an RMA... so if u plan on tinkering with your phone or just would like a failsafe, at least with an unlocked phone. you would be able to flash firmware, etc...
just remember, not to relock your bootloader; unless your phone is running stock firmware and is wiped.... otherwise you will trip verified boot and brick it...
nabbed said:
Getting bricked is the direct result of flashing images.
Click to expand...
Click to collapse
no, it's not. getting a bricked phone is pretty much always because the person did something ill advised or dumb... like relocking their bootloader running custom firmware...
so a diect result of user error, nothing to do with flashing images.

Sony bootloader exploits and/or bypass

Hi
I'm new to the forum but have been doing a fair amount of research. I am stuck now though and would like a bit of help.
My situation is that I have a Xperia XA1 ultra (I know I should post in that device specific forum but not much seems to be happening there) I have a very specific problem that I have treated like a forensics problem.
The phone is locked by a pattern which has been guessed by another person so many times that the gatekeeper only allows one entry per day provided the phone is charged otherwise the timer resets.
It has not been rooted and ADB is disabled.
I have connected to it through fastboot and what I can gather is that it is running Android Oreo.
The system details are as follows:
Product: XA1 Ultra G3221
Build Number: 48.1.A.0.129
Chipset: Mediatek MT6757 Helio P20
Bootloader: Locked
My research has led me to the possibility of loading a recovery image into the RAM of the phone and accessing ADB that way. I tried this with a TWRP image but obviously it didn't work. There is a company called Cellebrite that claims to be able to load it's own boot/recovery image into the bootloader and gain entry that way, however the license is something like £10,000. I'm definitely not a commercial customer.
The final option for me would be to dump the memory via JTAG or chipoff, the contents would be encrypted but I found a blog where somebody had managed to find the location of the gesture.key file while the system was encrypted. I can't remember what the site was called though, it took me ages to find last time.
My main questions are does Sony sign the boot image with it's own keys or does it use the standard Android Verified Boot?
Does Sony reuse the same keys for signing across devices? Likely not but maybe
Is there a way to send specific instructions to the RAM via fastboot?
Does anybody know of an exploit that could be used?
Is there a way to extract the boot.img and recover the Sony keys?
If there any other docs, resources or ways to get the data that could help, I will gladly read and/or try them. I think this forum is probably the biggest resource one though but after a while the specific information needed gets harder to find.
The main thing is that I don't unlock the bootloader and flash anything. It's all got to be live and non data damaging.
I tried MTPwn on the off chance that it would work but nope, it was a no go.
If there was a way to utilise the mediatek exploit to gain entry from fastboot that would be excellent, or to use fastboot to dump the memory.
Thanks for reading, I hope someone can help.
Your thread was quite confusing at first as I wasn't sure what to look for exactly :/
That being said, you have your phone locked and you want to unlock it. However you don't want to flash or reset your device, you don't have root permission, you don't have debugger mode on and you don't want to unlock the bootloader, correct?
Basically you're asking for the impossible...
All I can think of is FROST attack. See article for details and source code.
You can also send your device to your nearest Sony service center and they can probably fix it with no memory loss.
Other than that, you MUST hard reset your phone if you want it back.
However should you come to your mind and realize the reality of the situation where you shouldn't be picky about it then you can start with flashing custom recovery. Or using third-party programs like dr.fone.
XDHx86 said:
Your thread was quite confusing at first as I wasn't sure what to look for exactly :/
That being said, you have your phone locked and you want to unlock it. However you don't want to flash or reset your device, you don't have root permission, you don't have debugger mode on and you don't want to unlock the bootloader, correct?
Basically you're asking for the impossible...
All I can think of is FROST attack. See article for details and source code.
You can also send your device to your nearest Sony service center and they can probably fix it with no memory loss.
Other than that, you MUST hard reset your phone if you want it back.
However should you come to your mind and realize the reality of the situation where you shouldn't be picky about it then you can start with flashing custom recovery. Or using third-party programs like dr.fone.
Click to expand...
Click to collapse
Thanks for getting back to me, yes I realise it is asking for the impossible. I'll have a research around that article and see if I can find some information on how to write the program to dump the contents over USB. I tried Dr Fone but that only gave me the option of a hard reset.
My current line of attack is an exploit over USB called OATmeal, whereby a Raspberry Pi is used over OTG with a filesystem label of "../../data", it allows the filesystem of the phone to be mounted and data written off. It is a little complex and so I am struggling a bit with getting it to work. The team over at Project Zero have a good write-up of it so I'm following that and the POC at exploit-db to guide me through it.
I think I will be able to get the USB part to work but I'm not sure if I have to write a Java file to automatically run when /data is mounted, or if that's even possible.
Forenzo said:
My current line of attack is an exploit over USB called OATmeal
Click to expand...
Click to collapse
Not to make you frustrated, but this is an old exploit and I highly doubt it'd work on your device, unless your device security patch is older than 9-2018.
And you can't rollback on your security patch.
You should really consider flashing TWRP or other custom recovery. You have no other option.
XDHx86 said:
Not to make you frustrated, but this is an old exploit and I highly doubt it'd work on your device, unless your device security patch is older than 9-2018.
And you can't rollback on your security patch.
You should really consider flashing TWRP or other custom recovery. You have no other option.
Click to expand...
Click to collapse
Fortunately the device hasn't been updated since around 2-2018 or 3-2018 so any exploit I can find from then onwards that I can use will be great. I really do get that the only realistic option is to unlock the bootloader and flash the recovery but the data needs to be recovered and I absolutely don't want to wipe it.
If I can't do it then it will gather dust until the end of time...
It seems that no matter what I say you won't realize the situation you are in.
I can only suggest to NEVER mess with the phone circuits or the motherboard. No matter which stupid yoututbe tutorial you saw. Those guys are douchebags who only know how to get views and don't care for whatever you/they do to your device.
Needless to say messing with the circuits or the motherboard require dexterity and experience which I'm positive you don't have.
As I said before if you send it to an authorized service center, then they can help you with it without memory loss.
Sending you device to a service center isn't an insult or an act of low self esteem. Service centers exist for a reason, and they're basically geeks who are too passionate about electronics and decided to make a living out of it.
Or maybe you can somehow use the EDL mode on the phone.
In Qualcomm devices the EDL mode is locked and can only be accessed by an authorized person who have the security code of your device. I don't know if it even exist in MTK devices.
Should you actually manage to boot into EDL mode - Assuming it exists and is unlocked - then BEWARE: EDL mode is very low level and any command can directly affect the kernel or compromise the system. Don't use commands you're not sure what do they do.
You can use EDL mode to recover the data from the phone then wipe it clean, then restore the data.
You cannot access memory with EDL mode, but you can access the current image on your device. And from which you can get the key file.
EDL mode is a very very powerful tool (Much more powerful than debugging, fastboot, or anything you may know of) as it doesn't need unlocked bootloader to use it and through which you can do anything to your device including flashing other ROMs.
Good luck on your impossible quest. Make sure to post updates should you find yourself stuck.

TotalSec OS on Pixel 3XL

I got my hands on a Google Pixel 3XL phone modified by TotalSec. It seems like it has LineageOS modified by them and installed but bootloader locked without option to unlock it. Is there a way to force developer options thru OS somehow where I can unlock the bootloader? Tapping 7 times on build does nothing...they sell this phone for €1500 with 6 month service. After 6 months, phone is useless...
I don't know anything about TotalSec. I checked their site and see they offer the Pixel 3 and Pixel 3A. At 1500 euro, for 6 months use (I couldn't find the price for the ongoing subscription) this is clearly not a product intended for the consumer. I didn't see the 3XL.
I'm interested how they accomplished re-locking the bootloader on a Pixel device with a non-stock OS. Having to leave the bootloader unlocked is a security concern. I think many Pixel owners would like to unlock their bootloader, root or make other changes, then re-lock the bootloader.
It seems like they are running LineageOS as a base, modified it and locked it down. You have to literally log in, pay 1500 euros for 6 months of use. There is no option of tap build 7 times to enable developer options so I cant unlock the bootloader. Im currently in fastboot mode and will attempt to load new recovery and bootloader.
Is there a way to unlock a bootloader from fastboot mode?
My friend has one of those coming in. Pixel 4, specifically.
My guess is that they have custom AVB keys installed which allows them to relock the bootloader. Do you get a _yellow_, not orange, warning when you boot the device up?
Regardless, you should be able to flash stock even with a locked bootloader; https://flash.android.com/ should work just fine. I don't recommend you flash the device yet, unless it's your only device, as you might want to grab a copy of the OS just for ... giggles.
{Mod edit: Inappropriate language removed. Oswald Boelcke}
Thank you! Let me try it, it is my extra phone laying around with no use for anything at the moment. I use Pixel 7 Pro as a daily.
No go. It is telling me to enable OEM unlocking
{Mod edit: Inappropriate language removed. Oswald Boelcke}
what happens when you run `fastboot flashing unlock`? im not expecting anything to happen since the developer options are gone but I'm a tad curious. also, see if you can boot it to fastbootd.
there's also an app on fdroid called setedit, try to download it on that phone and search "development_settings_enabled". if it pops up set it to 1 and you should have the developer settings enabled
i won't lie to you i don't think there's anything that can be done. you could try manually installing the stock OS with the fastboot cli but i doubt it would lead to anything.
Yeah I think I tried that. Weird that OS level has triggers that switch on/off the bootloader and not CLI part! CLI should have priority and logically it makes more sense to be done now, not on OS level!
Did you found any solution, I have Pixel 4 with same situation I tried to sideload latest lineage OS flame via recovery to overwrite the existing system done with error !
Mine is stuck in fastboot, cant do anything! I wish I can wipe it and load a fresh OS! No luck so far!
At this point I'm tempted to get one of those devices for myself to experiment on. How much did you all get them for?
I got it for free from a friend of mine but prices are insane, it's $1500-$2000
I got a notification in my email, I dont see that message anymore, setedit app??
Oh yes, I edited the comment to remove it since it doesn't work for writing settings without some permissions that need to be given over ADB.
I'm trying to think what you can do, my friend got theirs and has so far been unable to do anything with it
Are you just trying to find a use for it? You might be able to completely reinstall everything with a firehose. I could try to find one for your pixel 3xl, there probably is one on XDA.
It's certainly a last resort and not something you should do for every device, but I'm running out of ideas and Qualcomm proprietary stuff is fun to mess with imo
pmnlla said:
Are you just trying to find a use for it? You might be able to completely reinstall everything with a firehose. I could try to find one for your pixel 3xl, there probably is one on XDA.
It's certainly a last resort and not something you should do for every device, but I'm running out of ideas and Qualcomm proprietary stuff is fun to mess with imo
Click to expand...
Click to collapse
I can send you a Google Pixel 3XL for free, with the bootloader locked from TotalSec. There are a lot of Google Pixels here in Albania that they have no use anymore because there are a lot of alternatives. But with the bootloader locked, we cannot do anything.
What do you mean by that? many useless phones because of the totalsec OS? shoot me an e-mail at [email protected], I know a few people who could possibly help.

Categories

Resources