[dev] bl1 bl2 bl3 - Android Development on Bada

Q: Does the S5PC110/V210 support eMMC boot mode?
A: It supports booting an eMMC 4.4 device in eMMC 4.3 and SD/MMC (ver. 4.2) boot modes. eMMC 4.4 boot mode is not supported.
8-bit SDR is supported, but 8-bit DDR is not.

Q: How is secure booting used on the S5PC110?
A: 1) General Policy
Only secured chips with a single key will be made. Secure booting is the default mode.
Even if the customer wants to use non-secure booting, they have to use secure booting
up to the bootloader (BL2).
2) General Consensus
- Customers have to make their own public key and private key with CodeSigner (PC software).
- To make the secure BL1 (bootloader 1), the customer has to send their public key to SYS.LSI.
- SYS.LSI will release the secure BL1 with the customer's public key.

Q: How is secure booting used on the S5PV210?
A: 1) General Policy
Non-secured chips with no key will be made.
2) General Consensus
- Customers have to make their own public key and private key with CodeSigner (PC software).
- To make the secure BL1 (bootloader 1), the customer has to send their public key to SYS.LSI.
- SYS.LSI will release the secure BL1 with the customer's public key.

Q: Can the programming tool be released according to the boot device (C110)?
A: C110 has a programming tool that uses an SD/MMC card to program OneNAND and SD/MMC.

Q: Can the programming tool be released according to the boot device (V210)?
A: V210 has a programming tool that uses an SD/MMC card to program NAND and SD/MMC.

Q: What is the e-fuse fusing status (C110)?
A: Secure - O, Unique ID - X, HDCP - O (O = fused, X = not fused)

Q: What is the e-fuse fusing status (V210)?
A: Secure - X, Unique ID - X, HDCP - O

Q: What do BL0, BL1, BL2 and BL3 mean?
A: - BL0 - The boot loader embedded in the AP's internal ROM (iROM), used to start booting.
- BL1 - A 4 KB boot loader provided by Samsung S.LSI to the customer.
- BL2 - An 8 KB customized boot loader made by the customer.
It initializes the hardware and loads BL3 or the next-stage boot image.
In Linux and Android, the first 8 KB of U-Boot is split off and is normally called BL2.
- BL3 - A customized boot loader made by the customer. BL3 has no size limit because
BL2 defines the BL3 size. For firmware, BL3 may not be needed. In Linux and Android,
BL3 is U-Boot.

Q: At which addresses are BL1 and BL2 written on the boot device?
A: - OneNAND (page size = 2 KB)
BL1 (4 KB) : Block 0, Pages 0-1
BL2 (8 KB) : Block 0, Pages 2-5
- OneNAND (page size = 4 KB)
BL1 (4 KB) : Block 0, Page 0
BL2 (8 KB) : Block 0, Pages 1-2
- SD/MMC (1 block = 512 bytes)
BL1 (4 KB) : Blocks 1-8
BL2 (8 KB) : Blocks 9-24
- For reference, the size of BL3 and of non-OS code is flexible: the boot ROM fixes the sizes of BL1 and BL2 only,
and BL2 decides how much to load.

Q: How many bits of NAND ECC are supported in boot mode?
A: C110/V210 support 8-bit ECC and 16-bit ECC in NAND boot mode.
The NAND boot images, BL1 and BL2, are described in the iROM application note.
Normally the NAND boot images are located in Block 0. The blocks holding BL1 and BL2
can be set to 8-bit ECC, and the other blocks can use a different ECC width.
But because the Toshiba NAND flash datasheet requires 1-bit ECC per 512 bytes,
8-bit ECC will be needed for a 2 KB page.
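The FAQ above pins BL1 and BL2 to fixed sizes and fixed positions on each boot device. The Python below is an added example (not from the FAQ and not Samsung's tooling) that lays the two stages out at exactly those positions and reads them back, so a prepared SD card or OneNAND dump can be checked against the table. The sizes and offsets come from the FAQ; filling unused space with 0xFF (erased flash) and leaving SD/MMC block 0 as an all-zero sector are assumptions of this example, and the BL1/BL2 bytes in the usage are constructed stand-ins.

```python
"""
Added example (not from the original FAQ, not Samsung code): place BL1 and
BL2 at the offsets the FAQ gives for the S5PC110/S5PV210 boot ROM, and cut
them back out of an existing image.

From the FAQ: BL1 is 4 KB and BL2 is 8 KB; on SD/MMC (512-byte blocks) BL1
occupies blocks 1-8 and BL2 blocks 9-24; on OneNAND with 2 KB pages BL1 is
pages 0-1 and BL2 pages 2-5; with 4 KB pages BL1 is page 0 and BL2 pages 1-2.
Assumptions of this example: unused space is 0xFF (erased flash) and SD/MMC
block 0 (the MBR sector) is emitted as zeros and never touched by the stages.
"""

SECTOR = 512
BL1_SIZE = 4 * 1024
BL2_SIZE = 8 * 1024

# device -> (unit size in bytes, BL1 byte offset, BL2 byte offset), all from the FAQ
LAYOUTS = {
    "sdmmc":      (SECTOR, 1 * SECTOR, 9 * SECTOR),   # blocks 1-8, blocks 9-24
    "onenand_2k": (2048,   0 * 2048,   2 * 2048),     # pages 0-1, pages 2-5
    "onenand_4k": (4096,   0 * 4096,   1 * 4096),     # page 0,    pages 1-2
}


def unit_ranges(device):
    """(first, last) block/page occupied by BL1 and by BL2 on the given device."""
    unit, bl1_off, bl2_off = LAYOUTS[device]
    return ((bl1_off // unit, (bl1_off + BL1_SIZE) // unit - 1),
            (bl2_off // unit, (bl2_off + BL2_SIZE) // unit - 1))


def _fit(name, blob, limit, fill):
    """Pad a stage up to its slot; refuse one the boot ROM could not load whole."""
    if len(blob) > limit:
        raise ValueError(f"{name} is {len(blob)} bytes, boot ROM loads at most {limit}")
    return blob + bytes([fill]) * (limit - len(blob))


def build_boot_image(bl1, bl2, device="sdmmc", fill=0xFF):
    """Return the raw bytes to write from the start of the boot device."""
    _unit, bl1_off, bl2_off = LAYOUTS[device]
    image = bytearray([fill]) * (bl2_off + BL2_SIZE)
    if device == "sdmmc":
        image[0:SECTOR] = bytes(SECTOR)      # block 0 is the MBR, not part of the boot image
    image[bl1_off:bl1_off + BL1_SIZE] = _fit("BL1", bl1, BL1_SIZE, fill)
    image[bl2_off:bl2_off + BL2_SIZE] = _fit("BL2", bl2, BL2_SIZE, fill)
    return bytes(image)


def extract_stages(image, device="sdmmc"):
    """Cut BL1 and BL2 back out of an image (e.g. a dump of the first 25 SD blocks)."""
    _unit, bl1_off, bl2_off = LAYOUTS[device]
    if len(image) < bl2_off + BL2_SIZE:
        raise ValueError("image too short to hold BL1 and BL2")
    return (image[bl1_off:bl1_off + BL1_SIZE],
            image[bl2_off:bl2_off + BL2_SIZE])


if __name__ == "__main__":
    # Constructed stand-ins; real stages come from SYS.LSI (BL1) and the customer (BL2).
    bl1_demo = bytes(range(256)) * 4
    bl2_demo = b"\xaa" * 5000
    sd = build_boot_image(bl1_demo, bl2_demo, "sdmmc")
    for dev in LAYOUTS:
        print(dev, "BL1 units %d-%d, BL2 units %d-%d" % (*unit_ranges(dev)[0], *unit_ranges(dev)[1]))
    print("sdmmc image is %d blocks" % (len(sd) // SECTOR))
```

For SD/MMC the offsets are the same ones you would pass to dd (bs=512 with seek=1 for BL1 and seek=9 for BL2); the size check in `_fit` is the practical point, since a BL2 that has grown past 8 KB is silently truncated by the boot ROM rather than rejected.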

Thank you! How did you get it?
Too bad we know all of this already. But at the cost of a few months of research. :\

Also I flashed the bootfile from another Samsung mobile and the bootfile works well!!!
It's the Samsung Pixon 12 M8910:
https://rapidshare.com/files/399029625/BOOTFILES.zip
It's very interesting because it's a little bootfile: boot_loader.mbn 287 KB!!! dbl.mbn 156 KB!!!
Another thing, Qualcomm: last year I worked on HD2 porting and remember the B after the name seems to be the revision for low voltage, QSC6270"B"
The last one I've got is maybe QDART... maybe

It's the Samsung Pixon 12 M8910
Nice posts.
Thanx.
About Boot I'll try soon... as I have JTAG for repair...
Best Regards
Edit 1...
Firmware for research... M8910XWIK3.rar
http://darkforestgroup.com/forum/in...ml?PHPSESSID=68b8f61d60bc636d974246bb761c07ae
http://netload.in/dateivYopHGNKPk/M8910XWIK3.rar.htm
Edit 2...
First attempt with ML 5.67...
failed...
Boot is not written...
How and with what did you successfully write it?
ML 5.60 ?
Because not crypted files...

5.67 has a problem, I use 5.65, I'm on bada 2
Strange, isn't it? Because it's not the same driver for boot.... I looked at boot_loader and it's very different but works...
Maybe it doesn't touch anything, can you explain?

Failed again...
Tried
5.60
5.62
5.64
5.67
Not 5.65... maybe my fault...
I'm on bada 1.x Boot JEE...
Can you please give the exact FW version... the latest?
KH3 ?
S8500 or S8530 ?
Thanx.
Best Regards

Yes, S8530 KH3
But maybe it only works with S8530 because I can flash it with bada 1.2
Then I tested with 5.67, it works well too....

I have also S8530... maybe later I'll try.
Maybe S8500 KH3 work... I'll check it later.
Maybe Boot unsecured... in bada 2.0 Beta....
Thanx.
Best Regards

Ah, not BL3 there, maybe because it's not customer firmware, you're right!!!
But in boot_loader it seems to be for s3c6410 and after the boot loader shows s5pc110, then it's not really flashed into NAND....

then it's not really flashed into NAND....
I can confirm...
S8500 KH3 Boot... Multiloader message "success", but in handset ignored...
No changes...
Bootloader checks integrity of new Boot data... and then write into NAND...
But its okay. Maybe I can find these written data somewhere via JTAG...
No idea if Boot is first temporary stored into RAM...
We will see...
Best Regards

Yes, something strange
Also I've got very nice news for S8500 Android: I've found the QSC6270B datasheet
It's a complete datasheet with revision differences
Muhahahaaa

The kernel is in AMSS and the AMSS from the 8910 is not encrypted. You can flash it too but of course the Wave reboots after the logo
Ok, there's a new way:
Phone off, USB in, you can take the Qualcomm driver to communicate
Fast download mode:
Phone off, hold vol down, hold together, then plug in USB

Bootloader checks integrity of new Boot data... and then write into NAND...
But its okay. Maybe I can find these written data somewhere via JTAG...
No idea if Boot is first temporary stored into RAM...

Then ???

[Dev] Bypass "bootloader" [PROPER METHOD]

Greetings.
warning.
if you are not a developer, please quit reading this post.
wait for a user-friendly tool with one big button.
here (attachment: qsd8250.7z) is a toolset to permanently "unlock" semcboot of qsd8250 semc phones (x10a, x10i, so-01b)
that means you can use your own kernel and so on.
it is a much better, more stable, faster method than the present "bypass".
steps, precautions, etc.
unpack the archive to any directory.
if you are using eset antivirus or similar ****, it will find an evil virus in adb.exe.
ignore that, it is not a virus in any way, it is the standard android debug bridge, bundled in one file to save space and for usability.
now, if your phone is unlocked officially:
flash the phone with standard 2.0/2.1 android firmware, because the kernel mapper module is compiled for the "2.6.29" kernel.
of course, enable "usb debugging"
run qsd8250_semc.cmd,
(if you want, examine it before running, it is pretty straightforward.)
you will get similar output
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
1464 KB/s (585731 bytes in 0.390s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
192 KB/s (3087 bytes in 0.015s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
504 KB/s (8064 bytes in 0.015s)
Second, we need to write semcboot ;)
1531 KB/s (588236 bytes in 0.375s)
successfully wrote 0001ff80
Press any key to continue . . .
bingo, your phone now has an unlocked bootloader.
if your phone was unlocked by setool2 software, use qsd8250_setool2.cmd
if your phone was unlocked by 3rd-party software other than setool2, do not run anything -
it will disable the radio capability of your phone and you will need to unlock the phone with setool2 software.
hopefully, mizerable flea and mOxImKo will release something similar for your phone.
to find out what tool was used to unlock your phone, use this tool (attachment: s1tool.7z).
if you see "NOT RECOGNIZED SIMLOCK CERTIFICATE", you are out of luck.
okay, now about other details.
1.
an unlocked bootloader requires an unlocked loader, yep?
loader\loader.sin is a special unlocked loader, which will be accepted ONLY after you "unlock" semcboot with the previous steps.
to distinguish unlocked semcboot from original semcboot, the first letter in the version tag of the semcboot output will be lower case, i.e. "r8A033"
(the same applies to the loader version tag)
so, all that stuff with signatures is not for us, so i removed it - the loader will ignore the signature part of the SIN file.
2.
we should make a SIN file somehow, right?
for that i prepared a "dumb" bin2sin utility.
Syntax : bin2sin [input] [partition info, 32 digits] [type] [block size]
[input] - is the input binary file.
[partition info]
the android implementation on s1 semc qualcomm phones is based on partitions, so we MUST define it for our file.
you can get the required partition info from standard semc sin files, it is the first 0x10 bytes of DATA, right after the header, i.e.
x10 kernel partition info
03000000220000007502000062000000
[type] - partition type, 9 - partition without spare, 0xA - partition with spare.
the kernel partition is a partition without spare.
if that parameter is omitted, type = 9
[block size] - nand block size, if omitted, it is the standard size 0x20000
there is an example in sinTools\example_build.cmd
3.
the kernel should be prepared specially to be accepted by semcboot.
for that there is the tool bin2elf.
Syntax : bin2Elf.exe [nbrOfSegments] [EntryPoint] [Segment1] [LoadAddress1] [Attributes1] ...
we need 2 segments:
segment 1 is the unpacked linux kernel image, i.e.
(x10/kernel/arch/arm/boot/Image)
it looks like the entry point and load address for segment 1 are always the same for all qsd8250-based semc phones, it is 0x20008000
attributes for the image 0x0
segment 2 is the ramdisk.
it looks like the entry point and load address for segment 1 are always the same for all qsd8250-based semc phones, it is 0x24000000
set attributes for the ramdisk to 0x80000000, that is extremely important.
there is a simple kernel example in sinTools\example_build.cmd
ps.
the patched semcboot is doing exactly the same thing as the official "bootloader unlock" (for some idiotic reasons called "rooting"), it skips checking of the aARM firmware part ONLY.
it will NOT unlock your phone from the network.
after the procedure, you CAN use Emma/seUS safely.
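Step 3 above describes the container semcboot expects: an ELF with one loadable segment per blob, the kernel Image at 0x20008000 (attributes 0x0, also the entry point) and the ramdisk at 0x24000000 (attributes 0x80000000). The Python below is an added example, not the_laser's bin2elf and not code from the post: it writes a minimal ELF32/ARM file of that shape and parses it back so the segment table can be checked before it is wrapped into a SIN. Writing the post's "attributes" into the program header's p_flags field, omitting section headers, and storing segment data 4-byte aligned after the headers are assumptions of this example; the kernel and ramdisk bytes in the usage are constructed placeholders.

```python
"""
Added example (not the_laser's bin2elf, not code from the original post):
build an ELF32/ARM image with one PT_LOAD program header per segment, in
the shape step 3 describes, and parse it back for checking.
Assumptions: the post's "attributes" go into p_flags; no section headers are
written; segment data is stored 4-byte aligned directly after the headers.
"""
import struct
import sys

ELF_HDR = "<4sBBBBB7xHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian
PHDR = "<IIIIIIII"                    # Elf32_Phdr
EHSIZE = struct.calcsize(ELF_HDR)      # 52
PHSIZE = struct.calcsize(PHDR)         # 32
PT_LOAD, ET_EXEC, EM_ARM = 1, 2, 40


def _check_no_overlap(segments):
    """Refuse segments whose load ranges overlap in memory (kernel vs. ramdisk)."""
    spans = sorted((addr, addr + len(data)) for data, addr, _ in segments)
    for (_, end), (start, _) in zip(spans, spans[1:]):
        if start < end:
            raise ValueError("segment load ranges overlap")


def bin2elf(entry, segments):
    """segments: list of (data, load_address, attributes).
    Returns the ELF file as bytes; p_vaddr == p_paddr == load_address."""
    _check_no_overlap(segments)
    n = len(segments)
    off = EHSIZE + n * PHSIZE          # segment data starts right after the headers
    phdrs, blobs = [], []
    for data, addr, attrs in segments:
        pad = (-off) % 4
        off += pad
        phdrs.append(struct.pack(PHDR, PT_LOAD, off, addr, addr,
                                 len(data), len(data), attrs, 4))
        blobs.append(b"\0" * pad + data)
        off += len(data)
    ehdr = struct.pack(ELF_HDR, b"\x7fELF", 1, 1, 1, 0, 0,   # ELFCLASS32, LSB, EV_CURRENT
                       ET_EXEC, EM_ARM, 1, entry, EHSIZE, 0, 0,
                       EHSIZE, PHSIZE, n, 0, 0, 0)
    return ehdr + b"".join(phdrs) + b"".join(blobs)


def elf_segments(blob):
    """Parse an ELF32 LSB file: returns (entry, [(paddr, flags, data), ...])
    for its PT_LOAD program headers, in table order."""
    hdr = struct.unpack_from(ELF_HDR, blob, 0)
    if hdr[0] != b"\x7fELF" or hdr[1] != 1 or hdr[2] != 1:
        raise ValueError("not an ELF32 little-endian file")
    entry, phoff, phentsize, phnum = hdr[9], hdr[10], hdr[14], hdr[15]
    segs = []
    for i in range(phnum):
        p_type, p_off, _vaddr, paddr, filesz, _memsz, flags, _align = \
            struct.unpack_from(PHDR, blob, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((paddr, flags, blob[p_off:p_off + filesz]))
    return entry, segs


if __name__ == "__main__":
    # Same argument order as the post's syntax line, plus an output file name:
    # bin2elf.py <nbrOfSegments> <EntryPoint> <Seg1> <LoadAddr1> <Attr1> ... <out.elf>
    n = int(sys.argv[1])
    entry = int(sys.argv[2], 0)
    argv = sys.argv[3:3 + 3 * n]
    segs = [(open(argv[i], "rb").read(), int(argv[i + 1], 0), int(argv[i + 2], 0))
            for i in range(0, 3 * n, 3)]
    with open(sys.argv[3 + 3 * n], "wb") as f:
        f.write(bin2elf(entry, segs))
```

For the X10 case from the post the invocation is `bin2elf.py 2 0x20008000 Image 0x20008000 0x0 ramdisk 0x24000000 0x80000000 kernel.elf`; `elf_segments` (or `readelf -l`) on the result should show exactly two LOAD entries at those physical addresses, with the second carrying 0x80000000 in its flags.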
I SIM unlocked my phone using maxrfon's method... does this mean I cannot do this? which should be the same method setool used, right?
http://www.x10unlocked.com/
that is the site where I did it... it does it in a super secret way... which I think is the same way setool does it.
haszan1172 said:
Omg omg omg omg omg. This also means full multi touch and other cool stuff. Soo excited! :-[] trollface
does it? or is it just a bypass?
Wondering if devs can incorporate this into flashtool so users can unlock the bl easily..
william0410 said:
does it? or is it just a bypass?
I think so...he mentioned bootloader 'unlock' quite a few times.
aR_ChRiS said:
Wondering if devs can incorporate this into flashtool so users can unlock the bl easily..
I guess it won't be easy because if the person presses the wrong (button) method, he will lose radio. As the_laser said.
Correct me if I am wrong.
Sent from my stock GB, not rooted and no add-ons.
After reading the comments the_laser wrote on the X8 forum I think I got it. This IS a bootloader unlock EXCEPT for it ignoring the aARM thing, which then defines it as a "bypass" rather than a real unlock. But it does everything a real unlock does.
ALSO, does anybody know about my predicament... I used maxrfon's SIM unlock method and will try this if I know I can use the setool2 version, because I think it follows the same way the maxrfon unlock works.
Don't rush into doing it!
It's pretty useless at the moment anyway! You can't do anything more than you already do, until developers give us new things to try (ROMs, kernels, etc).
Xperia X10i via Tapatalk
Flashed X10a_2.0.A.0.504_Generic and ran qsd8250_semc.cmd
results:
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
* daemon not running. starting it now *
* daemon started successfully *
3530 KB/s (585731 bytes in 0.162s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights
.
274 KB/s (3087 bytes in 0.011s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
605 KB/s (8064 bytes in 0.013s)
Second, we need to write semcboot ;)
2735 KB/s (588228 bytes in 0.210s)
successfully wrote 0001ff80
Press any key to continue . . .
Let's see what we can do now.
Strange!
First:
.config.gz in kernel shows
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.29
# Fri Jan 7 18:21:13 2011
#
Which is like 5 months ago... Where were the test versions?
Second:
So you are saying that for the format of "boot" we must use zImage... That is just sick...
Third:
Joining of kernel & ramdisk: two exe files + batch? Seriously? Come on man! Add some ****ing args support too...
Fourth:
I will try this when my phone gets back...
So it's finally bypassed. Congrats to all the devs working on it. I'll try it after there are some kernels/ROMs/tweaks that require the BL bypass. And again, great work.
wow.. looking forward to Dev's comments
That is great!
scoobysnacks said:
How does it mean full multitouch?
Lol....
It isn't that simple.
I think Z mentioned how they have the MT driver but dont have a way of incorprating it in because of the locked bootloader, if it's unlocked then he can do it, maybe..
Actually he said the exact opposite:
they don't have the drivers and they'd have to write them from scratch, which is next to impossible.
"Rocket science", his words, not mine.
So, let's don't get our hopes up just yet. Stay calm.
Xperia X10i via Tapatalk
Hmm, very interesting. Look forward to see where this leads.
Sent from my X10i using XDA App
go go dev, long life x10
Come on! its been over 2 hours since this was released! where are the Roms using cracked bootloader!!
I'm just breaking the ice, please dont take me seriously!
But out of curiosity, what are the realistic possibilities from having a cracked bootloader? what have the other Android phones done with their cracked bootloaders?
Will hold my excitement until Z, J, or other developers say anything, but i'm following this thread closely.

[REF] xperia 2011 internals, boot process, testpoint

I'd like to clarify few technical internals of xperia 2011 phones.
What is the sequence of sw components that are executed on power on?
Where are they stored? I guess that there is not only the one big flash chip which we have the firmware on, right?
What does grounding of testpoint do - what's the internal logical function when testpoint is grounded while xperia gets connected via usb?
Please correct/extend/clarify my following assumptions (that might be completely wrong) about the boot process:
- the very first sw component that gets started on power on, a primary boot code, is stored in a small rom, which cannot ever be changed and contains also signature verification public key
- the primary boot rom verifies integrity and signature of s1boot, which is stored somewhere in the big flash and starts s1boot if signature check of it was valid
- s1boot checks integrity of other fw components stored in the big flash, like the kernel and baseband fw images
- if all signatures/integrity are ok, baseband fw is passed to radio controller cpu and radio is started, linux kernel is loaded into ram and started
- the linux kernel uses its internal initramfs as the root filesystem and executes the init scripts stored there
- mtd partitions (like for /system and /data) are mounted (from the big flash mapped as mtd devices), android core processes are started, phone starts...
Now about s1boot - is this component handling all of following functions?
- flash mode usb interface (i.e. S1 protocol for loading/flashing images?)
- fastboot mode usb interface
- booting from flash as described above
I assume that signature verification is done also in any flashing or image usb loading mode provided by s1boot, right?
Is it right that if testpoint is grounded, s1boot temporarily disables signature verification for code image that may be loaded via usb?
Or does it provide kind of jtag interface via usb?
Does the "boot loader unlock via testpoint without losing drm" method use the testpoint in order to flash a patched s1boot that always returns valid verification results?
But how that could be possible - I mean, if s1boot is patched, it's integrity would fail the check done by the primary boot code started from the small rom that can't ever be changed?
Please share your knowledge, I am curious and I'd like to know how it works. Already searched a lot regarding this topic. My assumptions are based on possible similarity with older xperia models that bootloader lock bypass was discussed here (but where the testpoint was not used).
Thanks.
boot (kernel) mtd partition
Is there any reason why access to the kernel flash area is not mapped as an mtd partition in custom kernels?
I see some bits concerning nand setup for boot area implemented in FXP kernel, but the configs are not used in final nand devices setup.
Is there any hardware reason that causes mapping of kernel flash area as mtd device with write access in linux not to work?
boot process description
I've found quite good boot process description, unfortunately not able to post external links, so google for "Qualcomm MSM Snapdragon 7x30 boot process", it's the first link found (points to tjworld net).
The description is for Qualcomm Mobile Station Modem (MSM) Snapdragon 7x30 system-on-chip platforms, so it should be also valid for Xperia 2011 phones as they use MSM8255, which is a 1GHz variant of MSM7x30 (running at 800MHz) - these chipsets belong to Snapdragon S2 generation chipset.
Most probably the main difference in order to apply the googled boot process description to xperia 2011 devices would be that all references to eMMC (mmcblk) should be considered as mtd flash present in xperia devices instead.
What do you think?
I think you'll have more luck (if any) in the Dev section. Maybe some mod will have the consideration to move your thread that way.
It may also be a good idea (if you're interested in general Android phone booting as opposed to Xperia specific) to look around in the general Android sections of the forums.
However, don't hesitate to centralize your findings in this thread... I'd be thrilled to read whatever you find out (don't have the time to go looking for it, though).
yes, I guess it would be better in dev section, but it's unfortunate that I cannot post replies (nor start thread) there yet...
my 10 posts minimum in the rules not reached yet:-/
You're getting close, though
http://www.anyclub.org/2012/02/android-board-bring-up.html
the link above is quite good in explaining what happens in our msm7x30 chipset

Unbrick Qualcomm - MPRGxxxx.mbn question

I am exploring two approaches for phone recovery
#1 compile a ROM using kernel source from the MFG (The MFG gave me the FTP download info but my device wasn't in the FTP folder. Long story short, the MFG software team is "working on getting the files for me". That was a few days ago.... We'll see what happens.)
#2 Use MPRG and msimage files along with flashing program and raw image files from the phone for recovery.
All my research says that two files are needed to unbrick your Qualcomm device
#1 MPRGxxx.mbn/hex
#2 xxxx_msimage.mbn
(where xxxx is the Qualcomm chipset)
I know the msimage file is unique to the device because of partition structure for each manufacturer and therefore you'd need to create the file using QPST.
From reading here it appears that the MPRG file is defined as RAM
http://www.androidbrick.com/unbrick...-you-have-the-right-kind-of-rom-qhsusb_dload/
Would this file (MPRGxxxx.mbn) be universal among all devices that use the same chipset? Can someone give a yes or no and why? Thanks!
hmm, same problem with me.
I just flashed my phone yesterday (Redmi Note 3 SD) and I bootlooped my phone. I tried many methods, but it says that the bootloader is locked and I can't flash the phone. Then I found "tool studio" emmc download. I'm missing those mprgxxxx.mbn... I'm trying to figure out how to build these files too
Mprgxxxx.mbn and xxxx_msimage.mbn for MSM 8953
Ok
Help me please

Root for Alcatel A250DL??

Phone Specs :
Model : A250DL (also referred to as TCL LX)
Android : 8.1.0
Arch : armv7
Kernel : 4.4.95+ (gcc version 6.3.1 20170404) ([email protected] #1)
Build Number : vG7a
Custom build version :
alps-mp-o1.mp1-V1.112_k39tv1.bsp_P15
Baseband Version :
MOLY.LR12A.R3.MP.V10.3.P24
Bootloader : U5G7A0A0CT00
(edit)
Seems the device has a mediatek processor, MT6739
I found a TWRP build for this processor, however it does not cooperate with SP Flash Tool: the phone comes up, then reboots almost immediately.
OEM Unlocking is available in developer settings, however i can't boot the phone into any other mode besides recovery mode. I've tried a number of button combos as well as 'adb reboot fastboot'. If anyone knows how to enter fastboot mode / know of a TWRP build for this device that'd be great. Thanks
Hi, I also have the TCL LX. I was wondering if you were ever able to get the phone rooted, because I've wanted to root my phone but I haven't found a root for it yet. If you could get back to me I would appreciate it.
Hey, sorry for the late reply, I forgot about this thread if I'm being honest. Sadly I never made any progress and ended up bricking the device after trying to install TWRP with SP Flash Tool (the scatter file I used wasn't valid). I'll check my history and see if I can find relevant links, but there was a TWRP build for this somewhere. The problem for me was getting a scatter file, which led me to bricking. However, there is a new exploit for MediaTek CPUs (mtk-su); it's only been tested on a couple of Amazon devices (it was developed as a software root exploit for some Kindles) but it may work for this as well. I will warn you now though: if you end up bricking this it's impossible (to my knowledge) to restore it. Best of luck!
Has anyone made any progress or seen any threads that have gotten further? Just got this phone myself to replace my last as it ended up being same price as said last phone but its an upgrade to boot.
Also looking for help on rooting this phone. Has anyone found it yet?
There are three major obstacles with rooting this device. First, there doesn't appear to be any type of exploit or official support for unlocking the bootloader. Second, the boot chain is secured with AVB 2.0 signing. Third, the kernel is coded with dm-verity. So, even if SP Flash Tool could be used to flash the boot partition with a patched boot image (systemless root), the secure boot chain will detect the modification and fail to boot the OS. Likewise, if SP Flash Tool could be used to push a pre-rooted system image (system-wide root), device mapping will detect the change to /system and fail to boot into the OS. Like many TCL devices running more recent Android versions, it appears that the Alcatel A250DL cannot be rooted.
Mtk-su seems to work fine
Mtk-su seems to work fine:
github -> /JunioJsv/mediatek-easy-root/blob/master/app/src/main/assets/mtk-su
Log:
param1: 0x1000, param2: 0x8040, type: 13
Building symbol table
kallsyms_addresses pa 0x40eda580
kallsyms_num_syms 51245, addr_count 51245
kallsyms_names pa 0x40f0c650, size 671079
kallsyms_markers pa 0x40fb03c0
kallsyms_token_table pa 0x40fb06f0
kallsyms_token_index pa 0x40fb0a70
Patching credentials
Parsing current_is_single_threaded
c04e5d58: LDR Rt, [PC, #128] ; 0xc04e5de0
init_task VA: 0xc140c578
Potential list_head tasks at offset 0x2b0
comm swapper/0 at offset 0x454
Found own task_struct at node 1
cred VA: 0xd7cf8b80
thread_info flags VA: 0xcd2de000
seccomp mode VA: 0xc3fc4930+20c
Parsing avc_denied
c0485bbc: LDR Rt, [PC, #84] ; 0xc0485c18
selinux_enforcing VA: 0xc15a56d4
Setting selinux_enforcing
Switched selinux to permissive
armv7l machine
starting /system/bin/sh
UID: 0 cap: 3fffffffff selinux: permissive
returned 0
Nevermind....no super app binary installed
Viva La Android said:
There are three major obstacles with rooting this device. First, there doesn't appear to be any type of exploit or official support for unlocking the bootloader. Second, the boot chain is secured with AVB 2.0 signing. Third, the kernel is coded with dm-verity. So, even if SP Flash Tool could be used to flash the boot partition with a patched boot image (systemless root), the secure boot chain will detect the modification and fail to boot the OS. Likewise, if SP Flash Tool could be used to push a pre-rooted system image (system-wide root), device mapping will detect the change to /system and fail to boot into the OS. Like many TCL devices running more recent Android versions, it appears that the Alcatel A250DL cannot be rooted.
yeah, after much research I was just going to make this phone a YouTube/remote for my older TV... I found no options either...

Boot Loop and does not enter recovery screen

Hi folks,
my trusty S3 (SM-T825) broke unexpectedly. It showed "100% battery" in the morning but was unresponsive. A forced shutdown did reboot the device up to the logo screen, from where it rebooted again. So obviously it's stuck in a boot loop.
Unfortunately, it does not enter "recovery" either (home) (up) (power). However, it DOES enter "ODIN mode" (home) (down) (power). There it shows me that FRP Lock and OEM lock both are still active. This is no wonder as it caught me unprepared. FRP lock wouldn't be a problem, as I'm the owner of the account and can supply credentials once it boots up again.
Everywhere it is STRONGLY advised to turn off OEM lock before flashing anything to not make it even worse. This renders the device essentially dead, right?
The device is still as original as it can be.
Any chance I can revive it or does that more look like a mainboard problem?
I already have ODIN and I even have an actual 4-part "Original ROM" for my region (Samfw.com_SM-T825_ATO_T825XXU3CTD1_fac.zip), but maybe TWRP and Lineage would be the better options.
Before I just go and make things worse, I'd like to ask for a qualified advice ;-)
smallfreak said:
...... There it shows me that FRP Lock and OEM lock both are still active. This is no wonder as it caught me unprepared. FRP lock wouldn't be a problem, as I'm the owner of the account and can supply credentials once it boots up again.
Everywhere it is STRONGLY advised to turn off OEM lock before flashing anything to not make it even worse. This renders the device essentially dead, right?
Afaik you should be able to flash stock with OEM lock active BUT idk if FRP will block flashing process.
If that happens it's imo afterwards in the same state as before so at least it won't worsen it.
Gonna lose all your data anyhow.
Got Smartswitch? This might help as well.
smallfreak said:
....... I already have ODIN and I even have an actual 4-part "Original ROM" for my region (Samfw.com_SM-T825_ATO_T825XXU3CTD1_fac.zip), but maybe TWRP and Lineage would be the better options.
You can't replace recovery without OEM unlock.
smallfreak said:
Before I just go and make things worse, I'd like to ask for a qualified advice ;-)
Dunno if I'm qualified enough
Next turn ...
I tried flashing TWRP into the AP slot with SamFW FRP-Tool (ODIN). This worked so far but got me a note on the tablet "custom recovery blocked due to FRP lock".
Checking boot on the tablet - as before. Boot loop.
Next turn ...
Code:
Select file AP_T825XXU3CTD1_CL17011592_QB30231355_REV00_user_low_ship_MULTI_CERT_meta_OS9.tar.md5
Select file CP_T825XXU3CTA1_CP14962504_CL17011592_QB28791445_REV00_user_low_ship_MULTI_CERT.tar.md5
Select file CSC_ATO_T825ATO3CTD1_CL18361310_QB30233690_REV00_user_low_ship_MULTI_CERT.tar.md5
Reading... OK
Detect mode: Download mode
Model : SM-T825
Bit : 4
Unique number : CBJ100915EAF124
Storage : 32
Vendor : SAMSUNG
Disk : BJNB4R
Firmware : https://samfw.com/firmware/SM-T825/
Analyze files...
Flashing with SAMSUNG Mobile USB Modem (COM5)
Flash failed
Flash time: 00:47
Reading... FAIL
unchecking CP and CSC, leaving only AP.
Code:
Analyze files...
Flashing with SAMSUNG Mobile USB Modem (COM5)
Flash failed
Flash time: 10:00
Reading... FAIL
Reboot tablet in download-mode, next turn: Try BL + AP:
Code:
Select file BL_T825XXU3CTD1_CL17011592_QB30231355_REV00_user_low_ship_MULTI_CERT.tar.md5
Reading... OK
Detect mode: Download mode
Model : SM-T825
Bit : 4
Unique number : CBJ100915EAF124
Storage : 32
Vendor : SAMSUNG
Disk : BJNB4R
Firmware : https://samfw.com/firmware/SM-T825/
Analyze files...
Flashing with SAMSUNG Mobile USB Modem (COM5)
Checking file BL_T825XXU3CTD1_CL17011592_QB30231355_REV00_user_low_ship_MULTI_CERT.tar.md5
Checking file AP_T825XXU3CTD1_CL17011592_QB30231355_REV00_user_low_ship_MULTI_CERT_meta_OS9.tar.md5
Flashing (1/20) emmc_appsboot.mbn.lz4 OK
Flashing (2/20) lksecapp.mbn.lz4 OK
Flashing (3/20) xbl.elf.lz4Flash failed
Flash time: 01:26
Tablet moans about
SW REV CHECK FAIL : [lksecapp] Fused -1 > Binary 0
So maybe the firmware revision is different from the currently installed one? The latest file is from 2020 and since I did the usual OTA updates, this should be the version installed. But even if not, it should not matter to upload a newer one, right?
Anything I can check?
So then obviously "Game Over"
Another piece of expensive waste that otherwise could have served well for years to come. Yes I know, selling something just once is an inferior business model to repeatedly draining my account for the same service.