I got my hands on a Google Pixel 3XL phone modified by TotalSec. It seems like it has LineageOS modified by them and installed but bootloader locked without option to unlock it. Is there a way to force developer options thru OS somehow where I can unlock the bootloader? Tapping 7 times on build does nothing...they sell this phone for €1500 with 6 month service. After 6 months, phone is useless...
I don't know anything about TotalSec. I checked their site and see they offer the Pixel 3 and Pixel 3A. At 1500 euro, for 6 months use (I couldn't find the price for the ongoing subscription) this is clearly not a product intended for the consumer. I didn't see the 3XL.
I'm interested how they accomplished re-locking the bootloader on a Pixel device with a non-stock OS. Having to leave the bootloader unlocked is a security concern. I think many Pixel owners would like to unlock their bootloader, root or make other changes, then re-lock the bootloader.
It seems like they are running LineageOS as a base, modified it and locked it down. You have to literally log in, pay 1500 euros for 6 months of use. There is no option to tap build 7 times to enable developer options, so I can't unlock the bootloader. I'm currently in fastboot mode and will attempt to load new recovery and bootloader.
Is there a way to unlock a bootloader from fastboot mode?
My friend has one of those coming in. Pixel 4, specifically.
My guess is that they have custom AVB keys installed which allows them to relock the bootloader. Do you get a _yellow_, not orange, warning when you boot the device up?
Regardless, you should be able to flash stock even with a locked bootloader; https://flash.android.com/ should work just fine. I don't recommend you flash the device yet, unless it's your only device, as you might want to grab a copy of the OS just for ... giggles.
{Mod edit: Inappropriate language removed. Oswald Boelcke}
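The yellow-versus-orange question above corresponds to the boot states defined by Android Verified Boot: yellow means a locked bootloader verifying the OS against a user-set key, orange means unlocked. As an added example that is not part of the original thread, the Python below classifies that state from `adb shell getprop` output and cross-checks the lock flags; it assumes a device where adb is reachable, the sample output is constructed, and because these properties are reported by the running OS, the bootloader's own warning screen remains the authoritative signal.

```python
import re

# Constructed sample of `adb shell getprop` output (not taken from the thread)
# for a device whose bootloader is locked against a user-installed AVB key.
SAMPLE_GETPROP = """\
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.verifiedbootstate]: [yellow]
[ro.boot.veritymode]: [enforcing]
[ro.product.device]: [crosshatch]
"""

_PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Boot states defined by the Android Verified Boot boot flow.
# value = (bootloader locked?, description)
BOOT_STATES = {
    "green": (True, "locked; OS verified against the OEM root of trust"),
    "yellow": (True, "locked; OS verified against a user-set root of trust"),
    "orange": (False, "unlocked; OS is not verified"),
    "red": (True, "locked; verification failed or no valid OS"),
}


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        match = _PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def assess_boot_state(props):
    """Classify the verified boot state and cross-check the lock flags."""
    state = props.get("ro.boot.verifiedbootstate", "").lower()
    result = {"state": None, "locked": None, "custom_key": None, "findings": []}
    if state not in BOOT_STATES:
        result["findings"].append("verified boot state missing or unrecognised")
        return result

    expected_locked, description = BOOT_STATES[state]
    result.update(state=state, locked=expected_locked,
                  custom_key=(state == "yellow"), description=description)

    # Each lock flag, when present, must agree with what the colour implies.
    reported = {
        "ro.boot.flash.locked": {"1": True, "0": False},
        "ro.boot.vbmeta.device_state": {"locked": True, "unlocked": False},
    }
    for key, mapping in reported.items():
        value = props.get(key)
        if value is None:
            continue
        if mapping.get(value) is not expected_locked:
            result["findings"].append(
                f"{key}={value} contradicts boot state '{state}'")
    return result


if __name__ == "__main__":
    print(assess_boot_state(parse_getprop(SAMPLE_GETPROP)))
```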
Thank you! Let me try it, it is my extra phone laying around with no use for anything at the moment. I use Pixel 7 Pro as a daily.
No go. It is telling me to enable OEM unlocking
{Mod edit: Inappropriate language removed. Oswald Boelcke}
What happens when you run `fastboot flashing unlock`? I'm not expecting anything to happen since the developer options are gone, but I'm a tad curious. Also, see if you can boot it to fastbootd.
There's also an app on F-Droid called setedit; try to download it on that phone and search "development_settings_enabled". If it pops up, set it to 1 and you should have the developer settings enabled.
I won't lie to you, I don't think there's anything that can be done. You could try manually installing the stock OS with the fastboot CLI, but I doubt it would lead to anything.
Yeah I think I tried that. Weird that OS level has triggers that switch on/off the bootloader and not CLI part! CLI should have priority and logically it makes more sense to be done now, not on OS level!
Did you find any solution? I have a Pixel 4 in the same situation. I tried to sideload the latest LineageOS (flame) via recovery to overwrite the existing system; it finished with an error!
Mine is stuck in fastboot, can't do anything! I wish I could wipe it and load a fresh OS! No luck so far!
At this point I'm tempted to get one of those devices for myself to experiment on. How much did you all get them for?
I got it for free from a friend of mine but prices are insane, it's $1500-$2000
I got a notification in my email, I don't see that message anymore, setedit app??
Oh yes, I edited the comment to remove it since it doesn't work for writing settings without some permissions that need to be given over ADB.
I'm trying to think what you can do, my friend got theirs and has so far been unable to do anything with it
Are you just trying to find a use for it? You might be able to completely reinstall everything with a firehose. I could try to find one for your pixel 3xl, there probably is one on XDA.
It's certainly a last resort and not something you should do for every device, but I'm running out of ideas and Qualcomm proprietary stuff is fun to mess with imo
pmnlla said:
Are you just trying to find a use for it? You might be able to completely reinstall everything with a firehose. I could try to find one for your pixel 3xl, there probably is one on XDA.
It's certainly a last resort and not something you should do for every device, but I'm running out of ideas and Qualcomm proprietary stuff is fun to mess with imo
I can send you a Google Pixel 3XL for free, with the bootloader locked from TotalSec. There are a lot of Google Pixels here in Albania that they have no use anymore because there are a lot of alternatives. But with the bootloader locked, we cannot do anything.
What do you mean by that? Many useless phones because of the TotalSec OS? Shoot me an e-mail at [email protected], I know a few people who could possibly help.
Related
This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and boot loader access on our Droid Turbo 2 Devices.
My approach here is to establish a collection of "Zero Day Bugs". Security flaws found in our devices that would put our OS at risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely so zero-day flaws found in 2014 or early 2015 likely were patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Exploit found for Turbo 2 that can grant root access
Given the widespread impact of this exploit, it is likely other device owners are going to try to implement this exploit as well. Please post here if you find any implementations for other devices as it may be usable for the Turbo 2.
It has been confirmed that Quadrooter can exploit the Turbo 2: http://www.zdnet.com/article/quadrooter-security-flaws-affect-over-900-million-android-phones/
Four vulnerabilities (CVE-2016-2059, CVE-2016-2504, CVE-2016-2503, CVE-2016-5340)
And just an FYI:
"ALLOW OEM UNLOCKING" DOES NOTHING ON THE DROID TURBO 2
windraver said:
This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and boot loader access on our Droid Turbo 2 Devices.
My approach here is to establish a collection of "Zero Day Bugs". Security flaws found in our devices that would put our OS at risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely so zero-day flaws found in 2014 or early 2015 likely were patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
I have installed one-click root (I got it through another site, not from them) and it sometimes says failed to root, but other times, it goes through the process, says it's done and to reboot, but when rebooting it does not have root. I have tried running other apps, like King Root, or Root Genius, or half a dozen others to get it to root, after getting one-click to say it has rooted it. Not sure if this will help or not, and honestly, I'm to the point, I'm ready to give up and do something different. I WILL NEVER buy another Verizon phone, ever! I may not drop them as a carrier, but I wont be keeping their crappy locked junk.
brannonwj said:
rant
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
not a rant
Techn0Luigi said:
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
That wasn't a rant about how I didn't do any research. It was what I did, which might lead to someone having an idea of how it might help.
Don't be a jerk.
mr_verystock said:
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
Can you explain the QHSUSB_DLOAD more?
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader. 1 starts TZ, 2 something else, by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match the magic key (.hex), then booting fails. Most of the stuff turns off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that are used to boot (so in this case, you may be able to bring over something that damages TZ transistor, thereby unlocking bootloader). What you bring over exactly for the bootloader unlock, it hasn't been discovered even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contain the root blocks, and the bootloader doesn't know a thing.
Bringing over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
They rooted the phone in China, they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
mr_verystock said:
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader. 1 starts TZ, 2 something else, by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match the magic key (.hex), then booting fails. Most of the stuff turns off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that are used to boot (so in this case, you may be able to bring over something that damages TZ transistor, thereby unlocking bootloader). What you bring over exactly for the bootloader unlock, it hasn't been discovered even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contain the root blocks, and the bootloader doesn't know a thing.
Bringing over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
I'd like to see a Verizon phone rooted. That is the version I have and most in the U.S. have as well.
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
The godless app is a hack that steals your data. If it did work, (which from what I understand it only works on 5.1 and below) you'd risk your personal and financial data being stolen and sold.
Alaadragonfire said:
They rooted the phone in China, they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
Any luck in contacting the seller on how it is rooted?
I'm sure they use stolen Lenovo/Motorola factory development "engineering" software which unlocks the bootloader. It's the same phone as the Moto X Force but with locked down bootloader.
There were similar Droid Turbo phones being sold with unlocked bootloader a year ago in China, months before the Sunshine exploit was found.
gizzardgulpe said:
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
I don't have my DT2, but here is a link to one of the apps in case someone wants to try
https://apkpure.com/summer-flashlight/com.foresight.free.flashlight?hl=en
I'm usually just lurking here and grab Roms and exploits when they pop up, but I have something to add. Has anyone unlocked the developer settings? There's a toggle named 'oem unlocking' with a subtext of 'allow the bootloader to be unlocked'. Does this mean the bootloader can be unlocked? Last Verizon phone I had was a g3 and only way to gain a faux unlock was to use 'bump' to install twrp. Could this be possible with the turbo 2? I'm not a coder or anything, but just trying to add to the think tank here
This setting does nothing.
damkol said:
This setting does nothing.
There really should be a sticky saying "ALLOW OEM UNLOCKING DOES NOTHING ON THE DT2"
Droid turbo 2
After spending countless hours trying to unlock my bootloader to root my phone, I'm at an impasse. I've been told the Verizon and AT&T models aren't able to be unlocked. I will keep trying to get around this to root and install custom ROMs, if anyone has any tips.
Rhydenallnight said:
After spending countless hours trying to unlock my bootloader to root my phone, I'm at an impasse. I've been told the Verizon and AT&T models aren't able to be unlocked. I will keep trying to get around this to root and install custom ROMs, if anyone has any tips.
Crack the case, hook up some leads (microscope) and dump the memory for the boot loader is the only thing I can think of. Don't know if that is even possible with that memory. It's probably integrated with other stuff.
Update: Oh yeah, it's encrypted. Guess that won't work.
Found something. Does anyone know if this vulnerability exists on the Droid Turbo 2?
CVE-2015-1805
http://www.computerworld.com/articl...itical-android-root-vulnerability-itbwcw.html
There is a proof of concept out there. Has anyone tried it?
https://github.com/dosomder/iovyroot
Hello there,
I would like a more secure and private OS on my phone. Copperhead OS is interesting but I don't have the money to buy a device from them nor the know-how to use the source. So my question: what is a good alternative? It seems like there are a lot of options here on XDA. It's my first time here and I'm not the most technical when it comes to software. I was able to switch all my home computing to Linux/Tails but working with my phone seems much harder. Any advice would be a huge help at this point.
What I think I know:
-I need to unlock my phone, and I have a Verizon Pixel XL. I found this article, (turns out new people can't post links but it is the page with the depixel8 tool), that I think will help me to unlock. Step one of this article mentions fastboot and adb which I think I get from Android SDK. So I'm pretty sure I first download the SDK (gonna find a guide to be safe) and then I do these steps through the terminal.
-Back up everything! I've removed all my pictures, I don't have a ton of contacts but I saved those elsewhere too. Everything at this point can be lost, so when we say "back up everything" is there something I am missing? In my Desktop experience this also meant back up my old Windows install, is this the case here? If so how do I do that?
-When the phone is unlocked, I then load a ROM on to it and select it in bootloader?
In summation, very lost, slightly confused, willing to learn! I'm just looking for an OS where I can use open source software, including the OS. Call me paranoid (fixes tin foil hat) but I'd rather try to keep my life private if even a little. Thank you for any help you can provide me in taking my first steps into something new.
If you are already on latest Verizon there is no way to unlock.
So no way to flash any custom roms.
But if security is what you want, an unlocked bootloader is just the other way. Less security.
Darn, I am on the latest version. I'm not able to unlock using the depixel8 tool? If that's the case I may just pick up a nexus and try to use Copperhead.
Lost And Confused said:
Darn, I am on the latest version. I'm not able to unlock using the depixel8 tool? If that's the case I may just pick up a nexus and try to use Copperhead.
If you're past 7.1 then sadly depixel8 won't work
Guess that's a done deal then. Instead of making a new thread I guess I'll just ask here. The way I understand it, Android is open source, but that doesn't mean the OS on my phone is open source. Seeing that the community here works with Android so much, are there any major privacy concerns running the latest version? As an example, Windows, especially Windows 10 is a privacy nightmare. I can't imagine Android is that bad, but what can you tell me?
Hi I was wondering if ANYONE could give me some assistance on my Pixel XL. I JUST bought it from eBay thinking it was like a typical android locked bootloader with bootloop. I've tried a lot of options (I believe this one was from Verizon) It's running 8.1 now, I think.
It's booting to the GOOGLE logo then looping from there.
Anyway, whenever anyone has some free time to maybe give me a hand, no rush. I would highly appreciate it.
-wtrgte
wtrgte said:
Hi I was wondering if ANYONE could give me some assistance on my Pixel XL. I JUST bought it from eBay thinking it was like a typical android locked bootloader with bootloop. I've tried a lot of options (I believe this one was from Verizon) It's running 8.1 now, I think.
It's booting to the GOOGLE logo then looping from there.
Anyway, whenever anyone has some free time to maybe give me a hand, no rush. I would highly appreciate it.
-wtrgte
Hello,
What are those options you have tried to solve your issue?
Did you try to factory reset from stock recovery?
Good luck...
If you do a search for unlocking pixel XL Verizon there is a huge thread on it. If I get a chance I'll link it for you.
Well since the bootloader is locked it's giving the trouble with every type of factory, ota, update I tried. I'm going to keep searching but if someone can link me to something or point me in the right direction, PLEASE DO!
wtrgte said:
Well since the bootloader is locked it's giving the trouble with every type of factory, ota, update I tried. I'm going to keep searching but if someone can link me to something or point me in the right direction, PLEASE DO!
Hello,
Describe properly what you tried maybe?
What is the output of the factory reset?
OTA result?
Without proper details, it's hard for people to point you in the right direction...
Cheers...
wtrgte said:
Hi I was wondering if ANYONE could give me some assistance on my Pixel XL. I JUST bought it from eBay thinking it was like a typical android locked bootloader with bootloop. I've tried a lot of options (I believe this one was from Verizon) It's running 8.1 now, I think.
It's booting to the GOOGLE logo then looping from there.
Anyway, whenever anyone has some free time to maybe give me a hand, no rush. I would highly appreciate it.
-wtrgte
[Guide] Pixel XL Android 9.0 (Pie) Unlock/Root/Install Images/Kernels/Recovery + by Homeboy76
Page 1 (OP)
wtrgte said:
...I JUST bought it from eBay thinking it was like a typical android locked bootloader with bootloop. I've tried a lot of options (I believe this one was from Verizon) It's running 8.1 now, I think.
It's booting to the GOOGLE logo then looping from there.
Sounds like the exact same situation I just experienced some hours ago. I ordered a random Pixel XL off eBay, and also assumed it'd be easy to run a fastboot command to unlock the bootloader. Ran into the grayed-out OEM unlock option, and after some reading, I assume this is a VZW/Verizon model.
This thread here worked great for me (had to factory reset twice though); my Pixel was on 8.1 on last year's April security patch, but apparently this still works even up to the latest Pie version: https://forum.xda-developers.com/pixel-xl/how-to/how-to-unlock-bootloader-verizon-pixel-t3796030 and basically just involves factory resetting, not signing into Google, removing the Phone app, and then being able to OEM unlock.
Once unlocked like that, you really shouldn't ever re-lock it manually unless you have a very good reason to as there's no guarantee in the future you can still unlock like that. I'm currently on LineageOS 15.1 no problems now.
Hello guys!
After much research on the internet about unbrick for Moto Z2 Force, after many forums, tutorials, tools, blankflash, etc., I've come to the conclusion: I've not found anyone who has managed to recover a Moto Z2 Force from a hardbrick with a locked bootloader.
Many are hopeful that it is possible to do so, but I believe it is no more than a fairy tale.
If you succeeded, please help others to get it too.
andrecesarvieira said:
Hello guys!
After much research on the internet about unbrick for Moto Z2 Force, after many forums, tutorials, tools, blankflash, etc., I've come to the conclusion: I've not found anyone who has managed to recover a Moto Z2 Force from a hardbrick with a locked bootloader.
Many are hopeful that it is possible to do so, but I believe it is no more than a fairy tale.
If you succeeded, please help others to get it too.
My second Z2 kept bricking and locking itself. My only saving grace was I was able to unlock it since I had the unlock code still and since it wouldn't boot, it would accept the unlock code. It is a slot A/B issue where if your phone never took an OTA (I flash all to Oreo and tried flashing DU and AOSP before taking an OTA to open slot B). This caused the phone to lock itself and go a little nuts. But it was unlocked then locked due to slot issues, so it shouldn't count. Maybe my story is a fairy tale ... No... I remember spending the hour trying to figure out why this thing wouldn't install an AOSP ROM but my other would just fine, then facepalm when I figured I just needed to take an OTA.
This person had a locked bootloader and we were able to sort through and get it back to good. Maybe yours is a little worse off, idk, but the gist should be the same. I'm not sure what you've tried. whether you can load os, etc. Here is a link to the thread where we finally got it sorted, it's a little hit and miss, but maybe it'll get you going in the right direction.
https://forum.xda-developers.com/z2-force/help/help-help-help-deep-cable-flash-cable-t3925742
41rw4lk said:
This person had a locked bootloader and we were able to sort through and get it back to good. Maybe yours is a little worse off, idk, but the gist should be the same. I'm not sure what you've tried. whether you can load os, etc. Here is a link to the thread where we finally got it sorted, it's a little hit and miss, but maybe it'll get you going in the right direction.
https://forum.xda-developers.com/z2-force/help/help-help-help-deep-cable-flash-cable-t3925742
Alas this person had a different problem from me. It sounds like they had something of a pseudo-lock that just needed a nudge to get the kernel to recognize the OEM unlock had been authorized.
The above thread may prove useful to people who have had issues with locked bootloader but who have access to the system.
I do not have access to the system. fastboot oem blankflash command is "restricted" for me. Yet it still classifies both slots as bootable, it just refuses to boot them, which is not enough to trigger any emergency download apparently. It seems this person never succeeded in doing that, because they found an easier way.
I'm really trying to figure out if buying a cable would be worth it, but I have doubts. I was able to access my usb hub and manually short the pin using a voltmeter and some wire to find which traces were connected -- exactly mimicking the action of most "deepflash" cables.
No dice.
That, and I read that the MSM8998 doesn't use the same programmer as other qualcomm androids, possibly uses an older one, and I haven't found any reference to which one. I think blankflash should be possible on these phones, but triggering edl seems impossible from my position, since I have no adb but I do have a basically useless bootloader, which aggressively overrides edl. :angel:
Basically the way I see this, my bootloader thinks its serving a purpose: fending off modified system files, which I unwittingly made its only function when I locked it. It is forbidden from handing over the power of my z force to a patched OS. Since the bootloader exists, and is technically able to boot, it's just not allowed, edl will never be activated because it utterly defeats android security. edl is the backdoor that opens when everything else is completely gone or unintelligible. Is that accurate? :cyclops:
I am beginning to accept that my phone was not meant to be rooted really in the sense that, yes, its Linux and you can, but it's basically been booby trapped by Lenovo and if you fall for the logic I did at first, and try relocking it at the first sign of strange behavior, you have to buy a new phone. Exactly what they want.
I've been rooting since my old Samsung Galaxy 4 using very early versions of Cyanogenmod, Towelroot, Odin and other tools. As recent as this summer I took my older Samsung Tab A while in quarantine and while using TWRP I flashed it and put Lineage on it and love it.
I have an old Verizon Google Pixel XL 2 I want to unlock, root, and repurpose. Here are the hardware details -
- Taimen:11/RP1A.201005.004.A1/6934943
- Android 11 security update Oct 5 2020
- Serial, IMEI and other data available upon request on a case by case basis
I have tried everything I could find on XDA and I find myself the victim of every dead end possible, all leading back to the OEM unlocking refusing to stay enabled. Without getting too tl;dr, I've tried all the fastboot this, and critical that, and nothing. I made sure it's fully factory reset with no SIM card as well as skipping all the setup prompts to include no PIN codes, biometrics, or Google accounts. Wi-Fi is off, Bluetooth is off, USB debugging on, and the latest drivers, OTA img, the latest platform-tools, and the latest version of Android Studio.
The furthest I've been able to get is by using
Code:
adb shell pm uninstall --user 0 com.android.phone
to enable OEM unlocking for a brief time before it goes back to being shaded out.
I'm leaving no rock unturned.
I can fill in any details and answer virtually any question clearly and with as much detail as is requested. I'm not some kid or out-of-touch novice who's unable to answer basic questions or pay the respect to follow up. I didn't want to hijack other posts as it's a personal pet peeve of mine and hope others do the same for this post. I'm humbly asking for some assistance realizing what I don't know but can't figure out what I need to know.
Whatever support I receive I shall pay it forward within XDA.
Thank you!
No consistently successful method of bypassing the locked bootloader on a Verizon Pixel 2 XL has been found in the nearly four years this device has been around. There have been scattered reports of success, but most of those were due to an exploit discovered in an old version of the bootloader that has long since been patched.
You have done everything you could, and everything that anyone else with a Verizon device with a still-locked bootloader has done. Unfortunately, they've hit the same brick wall you have, and there is no way we know of to get past it.