Broken Google Play Certification / CTS Profile on 00EEA in Android 11 - Nokia 4.2 Guides, News, & Discussion

Hello,
I had this phone as a backup one laying around, and when my present phone died two weeks ago, I have updated the system and unfortunately found out the hard way that I lost all payment cards in Google Pay. The 00EEA variant is not "Google Play Certified" at least from 3.150 (and its variants) and the CTS profile match fails. Adding the ID did not help, nor reporting the issue. I hoped that the new firmware 3.240 will fix the issue, but it did not. The bootloader has been locked and everything seemed OK:
Code:
Device info
Device tampered: false
Device unlocked: false
Device critical unlocked: false
Charger screen enabled: false
I think this problem happened to me in the past on Android 9 or 10 as well, and it was fixed then, but not this time.
Over the last 4 days, I have tried everything including the factory reset, going back to the previous slot, even flashing the original 3.150 in EDL mode in one of the slots, to check the problem always persists. During that time I started to be suspicious, as the device fingerprint for the newest firmware is Nokia/Panther_00EEA/PAN_sprout:11/RKQ1.200928.002/00EEA_3_240:user/release-keys, but the vbmeta fingerprint is Nokia/Panther_00WW/PAN_sprout:11/RKQ1.200928.002/00WW_3_240:user/release-keys and similar for 3.150 firmware variants.
The WW/EEA variant is stored in oem partition. In the end I found a solution how to fix it on my phone, but it may be dangerous if something goes wrong and it WILL erase user data:
You have to enable developer mode and permit OEM unlocking. Then you have to unlock the phone in fastboot, change the skuid and then you may relock the phone again. The command to check the present skuid:
Bash:
fastboot oem repair skuid get
This will display something like skuid=600EEA (please note the leading 6 which is not displayed)
Bash:
fastboot oem repair skuid set 600WW
will change the skuid to match the one in vbmeta. After a new setup/restore of the backups where possible, the device is Google Play certified again.
I am intentionally not giving other commands here needed to reboot to fastboot or to unlock/relock the phone to limit the risks for those not used to such things, but they can be found in other threads here.
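Added example, not part of the original post: a small Python check that splits the two fingerprints quoted above into the standard Android build fingerprint fields (brand/product/device:release/id/incremental:type/tags) and reports which fields differ. The field and function names are assumptions chosen for illustration.

```python
import re
from typing import NamedTuple

# Layout: brand/product/device:release/build_id/incremental:build_type/tags
_FP_RE = re.compile(
    r"^(?P<brand>[^/:]+)/(?P<product>[^/:]+)/(?P<device>[^/:]+)"
    r":(?P<release>[^/:]+)/(?P<build_id>[^/:]+)/(?P<incremental>[^/:]+)"
    r":(?P<build_type>[^/:]+)/(?P<tags>[^/:]+)$"
)


class Fingerprint(NamedTuple):
    brand: str
    product: str
    device: str
    release: str
    build_id: str
    incremental: str
    build_type: str
    tags: str


def parse_fingerprint(text: str) -> Fingerprint:
    """Split a build fingerprint into its fields; reject malformed input."""
    m = _FP_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a build fingerprint: {text!r}")
    return Fingerprint(**m.groupdict())


def diff_fingerprints(a: str, b: str) -> dict:
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    fa, fb = parse_fingerprint(a), parse_fingerprint(b)
    return {n: (x, y) for n, x, y in zip(Fingerprint._fields, fa, fb) if x != y}


# The two fingerprints quoted in the post for firmware 3.240.
DEVICE_FP = "Nokia/Panther_00EEA/PAN_sprout:11/RKQ1.200928.002/00EEA_3_240:user/release-keys"
VBMETA_FP = "Nokia/Panther_00WW/PAN_sprout:11/RKQ1.200928.002/00WW_3_240:user/release-keys"

if __name__ == "__main__":
    for field, (dev, vb) in diff_fingerprints(DEVICE_FP, VBMETA_FP).items():
        print(f"{field}: device={dev} vbmeta={vb}")
```

Only the product and incremental fields differ, both in the SKU part (00EEA versus 00WW); brand, device, release, build ID, type and tags are identical.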

Related

[Help] ARM Trusted Firmware bricked my unlocked honor 4x!

Dear Esteemed XDA members,
I have spent literally days of testing and researching to try and unbrick my phone. Friends and family have seen my obsession with trying to fix this, some even offering to buy me a new phone!!!! But this ain't about money - this is about having control of my damn device!!! I'm usually pretty good with trying to solve this kind of stuff, but this time I'm truly stumped (and desperate, and obsessed!). I have come to the conclusion that it's directly related to ARM Trusted Firmware. Here are the details of my "journey" to date... please read it, and if you know how to fix it, please share!!! then I can get my life back!!!! Before I go any further, I am certain that my problem was initially triggered by doing an official update on a rooted phone. So to avoid experiencing the same problem I'm about to describe, it's best to unroot and relock your device before loading new official firmware.
I have a Huawei Honor 4x (Che2-UL00, with Kirin 620 chipset) with an unlocked bootloader. Recently, I tried to manually upgrade from Kitkat (emui3.0) to Lollipop (emui3.1), using the official update.app from huawei's website (image was good - I checked the hash). To load the update.app, I used the official huawei recovery. The progress bar went to roughly 90% and then hung. Upon restarting my phone, it went into rescue mode with the following error: Func NO : 15 (bl31 image) Error NO : 1 (security verify failed).
Interestingly, I looked closely at the fastboot.img files for kitkat Vs lollipop (I got the image files by using HuaweiUpdateExtractor). I noticed that only the lollipop fastboot image contains this error message text. Also, bl31 is related to ARM trusted firmware, for more info search for BL31 (Secure Monitor) on google, or see bl31_main.c in the Trusted Firmware source code. So it seems that the lollipop image is using the full ARM trusted firmware, an extra layer of security which is preventing the (unlocked) bootloader from allowing me to load into recovery. I think this is the core problem, and I think there is a way to solve it but I just don't have a deep enough understanding to get there. Below I'll explain each step I went though and provide some additional diagnostic info:
1. First step was to access recovery mode (Vol UP + power). This failed and resulted in same bl31 error message.
2. Second step was to try and update again using the three-button force update (Vol Up + Vol Down + Power). It vibrates once after a few seconds, and freezes with the logo screen with the red light flashing. As an experiment, I tried this without the SDCARD and noticed it vibrated almost instantly, which suggests that it does try to load something from the SDCARD when inserted. I didn't get any further in this mode.
3. Final step I tried was to load into fastboot (Vol Down + Power). This worked and I got into a special "Rescue&Fastboot" mode. First thing I tried was to manually downgrade to kitkat by flashing the kitkat images using the fastboot flash command. The images boot.img, system.img, recovery.img flashed successfully. cust.img simply failed. I desperately wanted to flash the kitkat fastboot.img which doesn't contain the trusted firmware bl31 image stuff, but fastboot replied: FAILED (remote: Command not allowed). In fact, many of the fastboot commands fail with this same error message, even though there is the "PHONE unlocked" writing in red on my phone screen. With the limited command set available (even fastboot oem device-info is not allowed!), here is the diagnostic info I was able to get:
a) fastboot oem check-rootinfo
(bootloader) old_stat: RISK
(bootloader) now_stat: SAFE
(bootloader) change_time: 1452356543
I think this change from RISK to SAFE is the core of my problem. the change_time is from several days ago when I attempted to update. I think it reflects the trusted firmware state (I'm guessing here, as I can't find documentation for these commands).
b) fastboot oem backdoor info
(bootloader) FB LockState: LOCKED
(bootloader) USER LockState: UNLOCKED
I think that FB LockState: LOCKED means that fastboot is locked (guessing again, can't find documentation!), which explains why many of the commands fail.
c) fastboot oem check-image
(bootloader) secure image verify successfully
I think this checks the recovery image, because when I flash a different recovery, this signature check fails
d) fastboot getvar rescue_phoneinfo
rescue_phoneinfo: Che2-UL00 V100R001CHNC00B365
This appears to be the ROM version at the time of purchase.
e) fastboot oem get-build-number
(bootloader): Che2-UL00 V100R001CHNC00B384
This actually corresponds to the build number of kitkat I was using just before the failed upgrade to lollipop.
f) fastboot oem relock mycode
FAILED (remote: root type not allowed).
I tried this just to see if it would relock. I'm not sure what the error means, but I do note that this command failed with signature verify fail if I change the recovery image.
Here are the questions I want to ask:
1. Can I force the device to flash a new image? I can't get into recovery or have full access to fastboot commands due to the trusted firmware stuff. And as I mentioned earlier the three button trick fails with a freeze at the logo screen. It appears that I need to do this using a means other than fastboot. The only interface I have is Android Sooner ADB Interface. adb devices renders nothing. Only fastboot finds a device.
2. Can I somehow make the "security verify check" pass so that I don't get that bl31 error? I'm not sure exactly which images this bl31 thing is trying to verify! Perhaps some combination of images from the new lollipop stuff I tried to flash and the kitkat build I had running previously?
3. Can somehow disable all this Trusted Firmware stuff??
4. Any other suggestions???
This is driving me to the brink of insanity!!! Gotta figure it out!! Thanks for reading and trying to help!
Hi,
Did anyone solve this problem?
I'm facing the exact same situation.
Che2-UL00 too.
Thanks in advance!
prezident36 said:
Hi,
Did anyone solve this problem?
I'm facing the exact same situation.
Che2-UL00 too.
Thanks in advance!
I still find it hard to believe this problem absolutely cannot be solved. However, I took it to a Huawei service center and they weren't able to unbrick it either. They had to replace the mainboard, which seems like a complete waste. Cost around $50, so not the end of the world but still annoying.
Anyway, screw this whole "trusted firmware" rubbish. I'm the owner of the device, yet I'm not "trusted".
Hello, I have exactly the same problem!
---------- Post added at 10:58 PM ---------- Previous post was at 10:41 PM ----------
Where do I get the replacement mainboard from?
Me too, upgrading kitkat to lollipop. Now facing that rescue error.
My Honor 4X is unlock bootloader and root before upgrading lollipop,

Moto G4 needs help Unlocking Bootloader

Motorola G4 XT1625
Minor Problem: Phone will not start normally, only boots into Fastboot mode.
Minor Problem: Phone is oem Locked
Major Problem: I never went into "settings" on the phone and ENABLED OEM UNLOCKING.
Question: Is it possible to get this phone flashed with stock ROM?
A little background. Not a developer, phone started acting up a few days ago, shutting down or rebooting on its own, do not remember anything such as an update or my clearing of the cache occurring in that time frame, but I was still hoping it was a software issue that would work itself out. Now the phone fails during start up and reports this
STARTUP FAILED
ERROR: Failed to pass validation , backup to fastboot.
It does mention I should use Software Repair Assistant to recover the phone, which, correct me if I'm wrong, only works with Verizon phones. I did try the SRA, it connected to the phone, but would stall about halfway through.
I have found much info on this forum regarding unlocking the bootloader of this phone. I have installed Moto tools on my PC, requested and received an unlock code, connected to the phone and can send commands via command line. Unfortunately when I send the oem unlock the phone responds that I need to enable development mode in settings, which I cannot get to because the phone won't boot to the OS. Is there an easy way around this that I'm just not seeing?
In the end the problem may be hardware related, I just hate to give up on it so easily. Contacted Motorola about the device, as it turns out the unit was 6 days out of warranty (that's if you use the Amazon ship date, it was only actually 2 days out if you use the activation date). Their response was as expected, sorry can't help you, thanks for being a Motorola customer, have a wonderful day, next........
MSC 1/24/18

Research on unlocking. Help wanted: root before unlocking bootloader?

Hi, I would like to see what exactly the bootloader unlock does to the raw flash storage. Older phones can be fully unlocked that way, without official permission. Obviously, I need to read out the raw partitions before and after unlocking. The easiest way is to get root and backup from MIUI.
Does anybody know how to root the stock MIUI without unlocking the bootloader? Re-locking does not count.
Does a bootloader-locked, unrooted, stock MIUI let you downgrade? An older ROM might have security bugs that let you root it.
Known pieces of the puzzle, if going the root route:
* Earlier Xiaomi devices let you unlock the bootloader by writing to the devinfo partition. Both the Redmi Note 3 (kenzo) and Redmi Note 4 (mido) still have the bits set at 0x10 and 0x18 as described in the link. But Xiaomi changed things starting with the Redmi Note 5 (whyred) - it has a bit set at 0x90 in an otherwise conspicuously empty devinfo partition.
* The Sony Xperia XZ1 compact can be rooted without unlocking. For that phone, it's motivated by DRM.
* How to take complete control of pre-2016 phones. Today, this can serve as a tutorial. Beyond my abilities.
The second way would be to read out (and write to) the phone in EDL mode, or memory debug mode, ...., before and after unlocking the bootloader. Known pieces of the puzzle:
* Zeroing out the abl_a and abl_b partitions might grant read/write access to the raw flash as a mass storage device. This is memory debug mode, similar to EDL. If it doesn't work, you will need EDL to recover because you zeroed out fastboot.
* A list of points of attack on EDL authentication. Once you can bypass EDL authentication, it lets you read and write to raw flash. However, a direct attack on EDL authentication is beyond my abilities.
* Enter EDL mode with test point method or by grounding one of the pins next to the SystemOnChip.
Does anybody know how to bypass EDL authentication?
Does anybody know how to enter memory debug mode without root?
The third way would be to decompile the bootloader chain and see how each piece checks bootloader lock status. However, this is the least useful and probably least fun method. Known pieces of the puzzle:
* Description of the Snapdragon 845 boot process (older but more complete overview)
* Unlock status is checked both by the primary bootloader and the Android bootloader. The primary bootloader lives somewhere in memory and will let you into EDL if the bootloader is unlocked and you rebooted with "fastboot oem edl" etc. The Android bootloader image is the abl.elf file in the official update downloads. It will let you flash (or honor "fastboot oem edl") if it is unlocked.
* Memory debug mode is accessed through the XBL bootloader, i.e. the xbl.img and xbl_config.img files in the official update downloads.
If you found this thread trying to unbrick your phone, you need to go here instead.

Device locked no Mi account access

Hello,
I have an old Redmi Note 4X stuck on "This device is locked" screen. This is a result of my carelessness and lack of knowledge about Xiaomi security measures.
To sum up:
Bootloader is locked
Stock rom is probably some kind of Chinese Global version since I bought it from HK China
Don’t know the exact Mi account associated with this device
Don’t know and lost access to email used for this Mi account
The phone number associated with this Mi account is now associated to a new account, so this one has no phone attached at all
Result -> I can’t unlock the phone using account.xiomia.com website.
Things I have tried:
Contacted both [email protected] and [email protected]. Got a useless copy paste response which shows they haven’t read my email at all. Then silence.
I tried to get into edl with no success. Fastboot oem edl doesn’t work. Fastboot_edl script hack doesn’t work. I can access the recovery menu and when I press download button phone just boots normally. I haven’t tried shorting EDL Pins as I got annoyed at this point and can’t be bothered to open the phone just to see it also doesn’t work.
I tried unlocking the bootloader by downloading Mi Unlock tool and logging with another xiaomi account. Update: software runs but I get "couldn't unlock" result. Probably no permissions to do this.
Doesn’t help that the phone is really old and a lot of roms/methods lead to dead links. I found a local online service which promises remote unlock in those cases just by providing the 10 digit service code and no “stolen status”. Except they charge about 40$ for this and this is way more than I value this old phone.
Can anyone help?
Small update:
The device I bought was Redmi 4x. Both devices look the same, hence my mistake. Can this thread be moved to a proper forum?
Shorting EDL pins doesn't work. I am out of options and wasted too much time on this. Phone goes to the garbage bin.

Need confirmation or input regarding phone status

Hi everyone,
My friend had bought a second hand realme 7 pro. Upon resetting data/format data, he found that the bootloader unlock switch in the developer options is greyed out in the enabled state.
The device is clearly not rooted; checked with YASNAC, it fails the CTS, but passes on basic. I don't remember about the Google certified status, but I'm pretty sure it should be not certified.
Booting to fastboot works, and the last line on fastboot shows device unlocked: true, and when I run "fastboot oem device-info" it clearly shows
device unlocked: true
device critical unlocked: false
Now, weird thing is, I remember some here say after bootloader is unlocked, the fingerprint will no longer work. In this case, under display fingerprint in his phone still works, and phone still receives OTA update and is able to install it (last update to firmware A12 F.18 (?)).
I'm not very familiar with realme. OTA while phone is unlocked is widely known in xiaomi, is it the same for realme?
And how about the under display fingerprint, is it really supposed to stop working after unlocking the bootloader?
Edit: Widevine is also L1, not downgraded to L3
