- Correct. I did try the v2 test script with no luck booting as well. I'm downloading the complete autoloader now but I think there's more to it. Did you have persist.img and bbpersist.img in your original upgrade tool capture? I managed to capture those files as well (for AAL093). Will do some digging if I can get the autoloader to work. Thanks!
08-06-17 08:43 PM
-
- prdid
- boardid
- sbl1
- rpm
- tz
- devcfg
- aboot
- tunning
- traceability
- fsg
- boot
- bootsig
- keymaster
- lksecapp
- cmnlib
- cmnlib64
- modem
- ddrbak
- dip
- mdtp
- devinfo
- apdp
- msadp
- dpo
- splash
- ddr
- sec
- limits
- fsc
- ssd
- modemst1
- modemst2
- oempersist
- preserved
- persist
- misc
- keystore
- config
- frp
- recovery
- recoverysig
- perm
- nvuser
- metadata
- rcause
- bcota
- blog
- dsp
- syscfg
- mota
- mcfg
- hdcp
- bbpersist
- oem
- system
- cache
- userdata
I've heard Android's flash memory layout was insane, but, yeah. I doubt the issue has to do with the way these select few images are being flashed. Likely, one of the partitions needed to boot the application processor (the Snapdragon that runs Android) fails its security check, drops to fastboot, and flashes the LED in the pattern I described. Thus far, I know of two different LED patterns:
- <blink><blink><blink><pause><repeat>
- <blink><blink><blink><pause><blink><repeat>
The first one happened when I overwrote the "tz", "devcfg", "rpm", and "sbl1" partitions with the images from AAM481, but tried to keep the /system from AAL093. E.g., I thought I could get the updated baseband firmware to work with T-Mobile, but the Android system that isn't buggered up. That led to blank screen, no vibration, and the first LED pattern. Don't do that! The only way to fix that is to pry the back cover off, unscrew the battery connector, and pop that off to de-energize the thing. Then, you have to hold down PWR+VOL_UP (not VOL_DOWN) while inserting the USB cable to get back to a fastboot prompt to undo the damage. And then put the thing back together again.
The second LED pattern, you get that with a fastboot screen. So likely, this means a later stage of the bootloading process failed a security check.
If you dig through the other images in a hex editor, and search for the string "Waterloo", you'll come across the tell-tale signs of a standard X.509 Certificate in ASN.1 format. There's quite a few of them, but without manually extracting the things out into a format readable by openssl, no easy way to tell if they're all the same or slightly different (one is probably a CA certificate, the others are the downstream leaf certificates). Those are likely what are used to verify each stage.
Several of these images are standard ELF files (first three bytes read "ELF" file magic), and probably for the ARM64 (AArch64) architecture. Anyone with a copy of IDA for ARM64 can probably have some fun poking through them better than with a hex editor.
08-06-17 11:17 PM
- Is loading AAM481 over that enough to resuscitate the device?
Edit: I'll upload the raw files for AAN355 so that people can play around with it. The SHA-1 of the bbry_qc8953_sfi-user-production_signed-AAN355.zip file is 59785633d83fe5cf8babfd5e324b801617170f79, according to the TCL update API.
Last edited by thurask; 08-06-17 at 11:41 PM.
08-06-17 11:31 PM
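The certificate comparison described in an earlier post (finding the X.509 blobs inside the images and telling identical copies from different ones) can be scripted; this is an added example, not part of the original thread. The function names and the sample image are constructed for illustration, and the shape check is a heuristic that treats any SEQUENCE{SEQUENCE, SEQUENCE, BIT STRING} as a certificate.

```python
import hashlib
from collections import defaultdict

def der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (value, field_size) or None."""
    if pos >= len(buf):
        return None
    n = buf[pos] & 0x7F
    if buf[pos] < 0x80:                       # short form: the byte is the length
        return n, 1
    if not 1 <= n <= 3 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def cert_end(buf, pos):
    """End offset if buf[pos:] is SEQUENCE{SEQUENCE, SEQUENCE, BIT STRING}, else None."""
    outer = der_len(buf, pos + 1)
    if outer is None or pos + 1 + outer[1] + outer[0] > len(buf):
        return None
    end, child = pos + 1 + outer[1] + outer[0], pos + 1 + outer[1]
    for tag in (0x30, 0x30, 0x03):            # tbsCertificate, sigAlgorithm, signature
        size = der_len(buf, child + 1)
        if child >= end or buf[child] != tag or size is None:
            return None
        child += 1 + size[1] + size[0]
    return end if child == end else None

def carve_certificates(image):
    """Map SHA-256 fingerprint -> offsets of every certificate-shaped blob."""
    found = defaultdict(list)
    pos = image.find(b"\x30\x82")             # SEQUENCE with a 2-byte length
    while pos != -1:
        end = cert_end(image, pos)
        if end is not None:
            found[hashlib.sha256(image[pos:end]).hexdigest()].append(pos)
        pos = image.find(b"\x30\x82", pos + 1)
    return dict(found)

# --- constructed sample (not real firmware): two fake certificates, one repeated ---
def tlv(tag, body):
    k = (len(body).bit_length() + 7) // 8
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | k]) + len(body).to_bytes(k, "big")
    return bytes([tag]) + size + body
def fake_cert(subject):
    tbs = tlv(0x30, subject.ljust(300, b"\x00"))
    return tlv(0x30, tbs + tlv(0x30, b"\x06\x03\x2a\x03\x04") + tlv(0x03, b"\x00" + b"\xaa" * 64))

CA, LEAF = fake_cert(b"CN=constructed Waterloo CA"), fake_cert(b"CN=constructed leaf")
SAMPLE_IMAGE = b"\x7fELF" + b"\xff" * 32 + CA + b"\x00" * 16 + LEAF + b"\x30\x82\xff\xff" + CA
```

A fingerprint that appears at several offsets is the same certificate embedded more than once. A carved blob written to a file can be read with `openssl x509 -inform DER -in <file> -noout -text`.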
- Yeah like you said, looks possible that those (tz, devcfg, sbl1, rpm, maybe authboot) need to be flashed elsewhere and the only other mode we can flash from easily is backup bootloader (volume up and power from power off state). The only way you can tell the difference from the main bootloader is the word "backup" at the top. I want to analyze more of the raw files first before I go flashing anything there without the right commands, etc. In some other newer Qualcomm devices, you can use the firehose emmc mbn file (combined with the other files in the qcbc folder of the raw image dump) in the QFIL flashing tool. You would need to do that from diagnostic mode though, which I've only been able to get to on the KEYone by holding volume up and down from powered off state and then plugging in the USB cord. Then keep holding the buttons until a solid light comes on. You then need the Qualcomm USB driver package installed for it to find the right COM port driver. Anyway, it looks like this tool uses a flashing mechanism similar to that to flash devcfg, emmc_appsboot, msadp, rpm, and tz.mbn
08-07-17 07:34 AM
- Here they are: https://mega.nz/#!rIdzkBDS!8OElV450v...e0-kPFtHp7ULkY
08-07-17 08:04 AM
- Ok it was easier than I thought....use the autoloader create batch file to create a working one by variant. For example, what works for my cdma is autoloader_create.bat -t enduser -n bbb100 -v usa. This should allow creation of autoloaders for any variant, just use your correct params.
08-07-17 08:06 AM
- Yeah, I am looking into what's different but for now you have to create a different zip by variant. -t is image type (either carrier or enduser), -n is device name (e.g. bbb100, etc.), -s is subvariant AND OPTIONAL (e.g. att, vzw, china), not needed for devices without subvariant. I added a PAUSE at the end of the autoloader_create batch to review output but it throws the autoloader into both a zip file and a usable unzipped one in the "obj" folder.
08-07-17 08:14 AM
- I'll post as many variants as I can provided work allows my upload to my AFH account... Also trying a carrier image type..
08-07-17 08:23 AM
- As far as I can tell these are the only ones in the wild right now:
-n bbb100 -v global
-n bbb100 -v emea
-n bbb100 -v usa
-n bbb100 -v usa -s sprint
-n bbb100 -v japan
-n bbb100 -v india
If it's easier than uploading the entire autoloader, just the respective script files and a list of everything in /img would work.
08-07-17 08:29 AM
- Uploading bbb100 usa and bbb100 global now. Next up will be emea and sprint. Might be a few hours before all are done. Will provide link as soon as the first one finishes.
08-07-17 08:42 AM
- Ok all, bbb100 USA autoloader is up. Make sure this matches your device before flashing.
Fastboot getvar device = bbb100
fastboot getvar variant = usa
fastboot getvar subvariant = blank
https://www.androidfilehost.com/?fid=817550096634791161
bbb100 GLOBAL is now up. As before, make sure this matches your device:
Fastboot getvar device = bbb100
fastboot getvar variant = global
fastboot getvar subvariant = blank
https://www.androidfilehost.com/?fid=817550096634791165
bbb100 EMEA is now up. As before, make sure this matches your device:
Fastboot getvar device = bbb100
fastboot getvar variant = emea
fastboot getvar subvariant = blank
https://www.androidfilehost.com/?fid=961840155545587306
Last edited by jcrutchvt2010; 08-07-17 at 11:15 AM.
08-07-17 09:14 AM
- Left: AAN355 flashall.bat (bbb100usa, Lua generated)
Right: AAL093 flashall.bat (bbb100*, from old loader)
08-07-17 09:23 AM
- Yeah I tried carrier mode too for Sprint, also missing sig. An output of a Sprint user's "fastboot oem info" might be useful. I would guess they could use the one I already posted and replace the oem file with the Sprint one but that may very well not boot. Any Sprint user that can post their fastboot oem info command output out there?
08-07-17 10:07 AM
-
- 3 questions. 1) Is this 100% equally as safe as the official autoloaders by BlackBerry? 2) Is it the complete OS, nothing missing? 3) Is it loaded the same way? Simply download and execute the file and the autoloader will do the rest? Basically, if I use the autoloader will it act the same as if it was from BlackBerry themselves?
08-07-17 10:25 AM
- I unpacked the common oem img and the Sprint oem img to compare. The Sprint one is missing pathlist.xml amongst some other things that define where token paths, etc. are defined. It also doesn't have whitelisted carriers like the common one does (as you would expect if it was only Sprint specific). Someone with a Sprint K1 would have to do some testing.
08-07-17 10:42 AM
- Or better yet, read the very next post. Lol.
Last edited by conite; 08-07-17 at 11:03 AM.
08-07-17 10:48 AM
Request for Testers: AAN355 Autoloader