1. jcrutchvt2010's Avatar
    So the first loader and the first loader + flashing oempersist didn't work? And you haven't yet tried the V2 loader/script?
    Correct. I did try the v2 test script with no luck booting as well. I'm downloading the complete autoloader now but I think there's more to it. Did you have persist.img and bbpersist.img in your original upgrade tool capture? I managed to capture those files as well (for AAL093). Will do some digging if I can get the autoloader to work. Thanks!
    08-06-17 08:43 PM
  2. thurask's Avatar
    Correct. I did try the v2 test script with no luck booting as well. I'm downloading the complete autoloader now but I think there's more to it. Did you have persist.img and bbpersist.img in your original upgrade tool capture? I managed to capture those files as well (for AAL093). Will do some digging if I can get the autoloader to work. Thanks!
    Neither bbpersist nor persist are flashed in the logs for the updater app.
    08-06-17 08:53 PM
  3. Kumba42's Avatar
    Neither bbpersist nor persist are flashed in the logs for the updater app.
    Based on what I learned last night when I temp-bricked my device, the flashing LED likely means that one of the bootloader stages failed to verify the security signature of the subsequent stage or of one of the partitions. I ran emmc_appsboot.mbn through a hex editor and simply eyeballed anything of interest, and you can see the names of all of the different flash partitions after the string (in wide-character format) "UEFI PART":

    1. prdid
    2. boardid
    3. sbl1
    4. rpm
    5. tz
    6. devcfg
    7. aboot
    8. tunning
    9. traceability
    10. fsg
    11. boot
    12. bootsig
    13. keymaster
    14. lksecapp
    15. cmnlib
    16. cmnlib64
    17. modem
    18. ddrbak
    19. dip
    20. mdtp
    21. devinfo
    22. apdp
    23. msadp
    24. dpo
    25. splash
    26. ddr
    27. sec
    28. limits
    29. fsc
    30. ssd
    31. modemst1
    32. modemst2
    33. oempersist
    34. preserved
    35. persist
    36. misc
    37. keystore
    38. config
    39. frp
    40. recovery
    41. recoverysig
    42. perm
    43. nvuser
    44. metadata
    45. rcause
    46. bcota
    47. blog
    48. dsp
    49. syscfg
    50. mota
    51. mcfg
    52. hdcp
    53. bbpersist
    54. oem
    55. system
    56. cache
    57. userdata
    I've heard Android's flash memory layout was insane, but, yeah. I doubt the issue has to do with the way these select few images are being flashed. Likely, one of the partitions needed to boot the application processor (the Snapdragon that runs Android) fails its security check, drops to fastboot, and flashes the LED in the pattern I described. Thus far, I know of two different LED patterns:

    • <blink><blink><blink><pause><repeat>
    • <blink><blink><blink><pause><blink><repeat>
    The first one happened when I overwrote the "tz", "devcfg", "rpm", and "sbl1" partitions with the images from AAM481, but tried to keep the /system from AAL093. E.g., I thought I could get the updated baseband firmware to work with T-Mobile, but the Android system that isn't buggered up. That led to blank screen, no vibration, and the first LED pattern. Don't do that! The only way to fix that is to pry the back cover off, unscrew the battery connector, and pop that off to de-energize the thing. Then, you have to hold down PWR+VOL_UP (not VOL_DOWN) while inserting the USB cable to get back to a fastboot prompt to undo the damage. And then put the thing back together again.

    The second LED pattern, you get that with a fastboot screen. So likely, this means a later stage of the bootloading process failed a security check.

    If you dig through the other images in a hex editor, and search for the string "Waterloo", you'll come across the tell-tale signs of a standard X.509 Certificate in ASN.1 format. There's quite a few of them, but without manually extracting the things out into a format readable by openssl, no easy way to tell if they're all the same or slightly different (one is probably a CA certificate, the other are the downstream leaf certificates). Those are likely what are used to verify each stage.

    Several of these images are standard ELF files (first three bytes read "ELF" file magic), and probably for the ARM64 (AArch64) architecture. Anyone with a copy of IDA for ARM64 can probably have some fun poking through them better than with a hex editor.
    thurask and jcrutchvt2010 like this.
    08-06-17 11:17 PM
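    Added example, not code from the thread or from BlackBerry/TCL: a small Python carver that does the two things the post above does by hand in a hex editor. It finds the ELF magic in an image, locates anything shaped like a DER X.509 v3 certificate (SEQUENCE { SEQUENCE { [0]{INTEGER 2} ... } ... } with consistent lengths), writes each one out as PEM so openssl x509 -in cert.pem -text can read it, and fingerprints them so you can see whether the certificates are all the same or a CA plus distinct leaves. The sample image is constructed; the "certificates" in it are DER-shaped stand-ins built by fake_cert(), not real certificates.

```python
"""Carve ELF headers and DER X.509 certificates out of a raw firmware image.

Added example (not the thread's code). SAMPLE_IMAGE is constructed: the
certificates inside it are DER-shaped stand-ins, not real certificates."""
import base64
import hashlib
import re
import sys
import textwrap

ELF_MAGIC = b"\x7fELF"                      # 0x7f 'E' 'L' 'F'
V3_VERSION_PREFIX = b"\xa0\x03\x02\x01\x02"  # [0] EXPLICIT { INTEGER 2 } = X.509 v3


def der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, header_bytes) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def find_certificates(blob):
    """Return [(offset, der_bytes)] for every v3-certificate-shaped SEQUENCE.

    A shape test with consistent lengths, not a full parser: hand the PEM
    output to openssl for the real parse."""
    found, pos = [], 0
    while True:
        pos = blob.find(b"\x30\x82", pos)   # SEQUENCE with a 2-byte length (>= 256 bytes)
        if pos < 0:
            break
        outer = der_length(blob, pos + 1)
        if outer is None:
            pos += 1
            continue
        end = pos + 1 + outer[1] + outer[0]
        tbs = pos + 1 + outer[1]           # tbsCertificate must start right here
        inner = der_length(blob, tbs + 1) if tbs < len(blob) and blob[tbs] == 0x30 else None
        if (end <= len(blob) and inner is not None
                and tbs + 1 + inner[1] + inner[0] < end
                and blob.startswith(V3_VERSION_PREFIX, tbs + 1 + inner[1])):
            found.append((pos, blob[pos:end]))
            pos = end                      # skip the tbsCertificate, which would match again
        else:
            pos += 1
    return found


def find_elf_headers(blob):
    return [m.start() for m in re.finditer(re.escape(ELF_MAGIC), blob)]


def printable_strings(data, min_len=6):
    """ASCII runs inside a cert (issuer/subject names such as 'Waterloo')."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def summarize(blob):
    certs = find_certificates(blob)
    return {"elf_offsets": find_elf_headers(blob),
            "certs": [{"offset": off, "length": len(der), "sha256": fingerprint(der),
                       "strings": printable_strings(der)} for off, der in certs],
            "distinct_certs": len({fingerprint(der) for _, der in certs})}


def der_encode(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(label):
    """Certificate-shaped stand-in (constructed): correct outer structure, padding inside."""
    rsa_sha256 = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = der_encode(0x30, V3_VERSION_PREFIX + der_encode(0x02, b"\x01") + rsa_sha256
                     + der_encode(0x04, label.ljust(300, b".")))  # stands in for names/key
    return der_encode(0x30, tbs + rsa_sha256 + der_encode(0x03, b"\x00" + b"\xab" * 64))


# Constructed sample image: one ELF header, a root-like cert, a stray SEQUENCE
# header that must be rejected, a leaf-like cert, then the root cert repeated.
SAMPLE_IMAGE = (b"\x00" * 16 + ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 29
                + fake_cert(b"Constructed test root CA, Waterloo")
                + b"\xff" * 40 + b"\x30\x82\x00\x10"
                + fake_cert(b"Constructed test leaf, Waterloo")
                + b"\x00" * 8
                + fake_cert(b"Constructed test root CA, Waterloo"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for i, (off, der) in enumerate(find_certificates(data)):
        print("cert %d at 0x%x, %d bytes, sha256 %s" % (i, off, len(der), fingerprint(der)[:16]))
        open("cert%d.pem" % i, "w").write(to_pem(der))
    print("ELF headers at:", [hex(o) for o in find_elf_headers(data)])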
  4. thurask's Avatar
    Is loading AAM481 over that enough to resuscitate the device?

    Edit: I'll upload the raw files for AAN355 so that people can play around with it. The SHA-1 of the bbry_qc8953_sfi-user-production_signed-AAN355.zip file is 59785633d83fe5cf8babfd5e324b801617170f79, according to the TCL update API.
    Last edited by thurask; 08-06-17 at 11:41 PM.
    08-06-17 11:31 PM
  5. thurask's Avatar
    08-06-17 11:51 PM
  6. jcrutchvt2010's Avatar
    Is loading AAM481 over that enough to resuscitate the device?

    Edit: I'll upload the raw files for AAN355 so that people can play around with it. The SHA-1 of the bbry_qc8953_sfi-user-production_signed-AAN355.zip file is 59785633d83fe5cf8babfd5e324b801617170f79, according to the TCL update API.
    I'm digging through IDA pro right now actually. And yes, AAM481 reloads without issue. Thanks for all the research! Will keep you posted on what I find today.
    08-07-17 06:59 AM
  7. jcrutchvt2010's Avatar
    Yeah, like you said, looks possible that those (tz, devcfg, sbl1, rpm, maybe authboot) need to be flashed elsewhere and the only other mode we can flash from easily is backup bootloader (volume up and power from power off state). You can only tell the difference from main bootloader is the word "backup" at the top. I want to analyze more of the raw files first before I go flashing anything there without the right commands, etc. In some other newer Qualcomm devices, you can use the firehose emmc mbn file (combined with the other files in the qcbc folder of the raw image dump) in QFIL flashing tool. You would need to do that from diagnostic mode though which I've only been able to get to on the KEYone by volume up and down held from powered off state and then plug in USB cord. Then keep holding the buttons until solid light comes on. You then need the Qualcomm USB driver package installed for it to find the right COM port driver. Anyway, it looks like this tool uses a flashing mechanism similar to that to flash devcfg, emmc_appsboot, msadp, rpm, and tz.mbn.
    08-07-17 07:34 AM
  8. jcrutchvt2010's Avatar
    Ok it was easier than I thought... use the autoloader create batch file to create a working one by variant. For example, what works for my CDMA is autoloader_create.bat -t enduser -n bbb100 -v usa. This should allow creation of autoloaders for any variant, just use your correct params.
    08-07-17 08:04 AM
  9. thurask's Avatar
    Ok it was easier than I thought... use the autoloader create batch file to create a working one by variant. For example, what works for my CDMA is autoloader_create.bat -t enduser -n bbb100 -v usa. This should allow creation of autoloaders for any variant, just use your correct params.
    Is the actual loading logic (i.e. the fastboot blocks) different with this loader? If it works individually that's great, but if one has to prepare several different loaders that are 96% identical (*cough*), it's better to get one unified one.
    08-07-17 08:06 AM
  10. jcrutchvt2010's Avatar
    Is the actual loading logic (i.e. the fastboot blocks) different with this loader? If it works individually that's great, but if one has to prepare several different loaders that are 96% identical (*cough*), it's better to get one unified one.
    Yeah, I am looking into what's different but for now you have to create a different zip by variant. -t is image type (either carrier or enduser), -n is device name (e.g. bbb100, etc.), -s is subvariant AND OPTIONAL (e.g. att, vzw, china). Not needed for devices without subvariant. I added a PAUSE at the end of the autoloader_Create batch to review output, but it throws the autoloader into both a zip file and a usable unzipped one in the "obj" folder.
    08-07-17 08:14 AM
  11. jcrutchvt2010's Avatar
    I'll post as many variants as I can provided work allows my upload to my AFH account... Also trying a carrier image type..
    08-07-17 08:23 AM
  12. thurask's Avatar
    I'll post as many variants as I can provided work allows my upload to my AFH account... Also trying a carrier image type..
    As far as I can tell these are the only ones in the wild right now:
    -n bbb100 -v global
    -n bbb100 -v emea
    -n bbb100 -v usa
    -n bbb100 -v usa -s sprint
    -n bbb100 -v japan
    -n bbb100 -v india

    If it's easier than uploading the entire autoloader, just the respective script files and a list of everything in /img would work.
    08-07-17 08:27 AM
  13. jcrutchvt2010's Avatar
    As far as I can tell these are the only ones in the wild right now:
    -n bbb100 -v global
    -n bbb100 -v emea
    -n bbb100 -v usa
    -n bbb100 -v usa -s sprint
    -n bbb100 -v japan
    -n bbb100 -v india

    If it's easier than uploading the entire autoloader, just the respective script files and a list of everything in /img would work.
    OK, will do, thanks for the list.
    08-07-17 08:29 AM
  14. jcrutchvt2010's Avatar
    OK, will do, thanks for the list.
    Uploading bbb100 usa and bbb100 global now. Next up will be emea and sprint. Might be a few hours before all are done. Will provide link as soon as the first one finishes.
    citystars41 likes this.
    08-07-17 08:42 AM
  15. jcrutchvt2010's Avatar
    Ok all, bbb100 USA autoloader is up. Make sure this matches your device before flashing.
    fastboot getvar device = bbb100
    fastboot getvar variant = usa
    fastboot getvar subvariant = blank

    https://www.androidfilehost.com/?fid=817550096634791161

    bbb100 GLOBAL is now up. As before, make sure this matches your device:
    fastboot getvar device = bbb100
    fastboot getvar variant = global
    fastboot getvar subvariant = blank

    https://www.androidfilehost.com/?fid=817550096634791165

    bbb100 EMEA is now up. As before, make sure this matches your device:
    fastboot getvar device = bbb100
    fastboot getvar variant = emea
    fastboot getvar subvariant = blank

    https://www.androidfilehost.com/?fid=961840155545587306
    Last edited by jcrutchvt2010; 08-07-17 at 11:15 AM.
    thurask likes this.
    08-07-17 09:14 AM
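    Added example, not from the thread: a Python pre-flight check that puts the two "check before you flash" rules from this thread into one script. It compares the SHA-1 of a downloaded zip against the value posted above for the AAN355 zip, maps an autoloader_create.bat argument string (-n/-v/-s) to the getvar names device/variant/subvariant, and refuses to proceed unless all three match what the phone reports (a device with no subvariant must report an empty one, so a sprint loader never passes on a plain usa device). SAMPLE_GETVAR is constructed, and the "(bootloader) key: value" line format of fastboot's output is assumed.

```python
"""Pre-flight checks before running an autoloader: confirm the download hash
and confirm that the attached device's fastboot variables match the loader.

Added example, not code from the thread. SAMPLE_GETVAR is constructed, and
the '(bootloader) key: value' line format of fastboot output is assumed."""
import hashlib
import re
import subprocess

# SHA-1 of the AAN355 zip as posted in the thread (from the TCL update API).
KNOWN_SHA1 = {
    "bbry_qc8953_sfi-user-production_signed-AAN355.zip":
        "59785633d83fe5cf8babfd5e324b801617170f79",
}


def sha1_of_bytes(data):
    return hashlib.sha1(data).hexdigest()


def verify_download(name, data, known=KNOWN_SHA1):
    """Return (ok, actual_sha1). ok is False for a file name not in the list,
    so an unlisted zip is never silently accepted."""
    actual = sha1_of_bytes(data)
    expected = known.get(name)
    return expected is not None and actual == expected.lower(), actual


def parse_getvar(output):
    """Turn 'fastboot getvar all' output into a dict. Lines look like
    '(bootloader) device: bbb100'; the 'finished. total time' trailer and the
    bare 'all:' line are skipped."""
    found = {}
    for line in output.splitlines():
        line = re.sub(r"^\(bootloader\)\s*", "", line.strip())
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        if not key or " " in key or key == "all":
            continue
        found[key] = value.strip()
    return found


def expected_from_create_args(args):
    """Map autoloader_create.bat arguments (-n device -v variant [-s subvariant])
    to the getvar names the thread checks. subvariant is '' when -s is absent."""
    opts = dict(re.findall(r"-([nvs])\s+(\S+)", args))
    return {"device": opts.get("n", ""), "variant": opts.get("v", ""),
            "subvariant": opts.get("s", "")}


def loader_matches(devvars, expected):
    """True only when device, variant and subvariant all agree; a missing
    getvar counts as '' so a loader with -s never matches a device without it."""
    return all(devvars.get(k, "") == expected[k]
               for k in ("device", "variant", "subvariant"))


def query_device():
    """Read the real values from an attached phone (assumes fastboot on PATH;
    fastboot prints getvar results on stderr on most builds, so both are read)."""
    run = subprocess.run(["fastboot", "getvar", "all"], capture_output=True, text=True)
    return parse_getvar(run.stdout + run.stderr)


# Constructed sample of what a bbb100 usa device with no subvariant reports.
SAMPLE_GETVAR = """(bootloader) device: bbb100
(bootloader) variant: usa
(bootloader) subvariant:
(bootloader) max-download-size: 0x20000000
all:
finished. total time: 0.004s
"""

if __name__ == "__main__":
    import sys
    expected = expected_from_create_args(" ".join(sys.argv[1:]) or "-n bbb100 -v usa")
    devvars = parse_getvar(SAMPLE_GETVAR) if "--sample" in sys.argv else query_device()
    print("device reports:", {k: devvars.get(k, "") for k in expected})
    print("loader expects:", expected)
    print("OK to flash" if loader_matches(devvars, expected) else "MISMATCH: do not flash")
```

    Run it as python preflight.py --sample -n bbb100 -v usa to try the constructed output, or without --sample with the phone in fastboot to read the real values. The hash check and the variant check are separate on purpose: a correct zip flashed to the wrong variant is exactly the case the posts above warn about.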
  16. thurask's Avatar
    Ok all, bbb100 USA autoloader is up. Make sure this matches your device before flashing.
    fastboot getvar device = bbb100
    fastboot getvar variant = usa
    fastboot getvar subvariant = blank

    https://www.androidfilehost.com/?fid=817550096634791161
    https://www.diffchecker.com/HO0wxpgh

    Left: AAN355 flashall.bat (bbb100usa, Lua generated)
    Right: AAL093 flashall.bat (bbb100*, from old loader)
    jcrutchvt2010 likes this.
    08-07-17 09:23 AM
  17. thurask's Avatar
    Hmm, "autoloader_create -t enduser -n bbb100 -v usa -s sprint" isn't picking up a signature.
    08-07-17 09:57 AM
  18. jcrutchvt2010's Avatar
    Hmm, "autoloader_create -t enduser -n bbb100 -v usa -s sprint" isn't picking up a signature.
    Yeah, I tried carrier mode too for Sprint, also missing sig. An output of a Sprint user's "fastboot oem info" might be useful. I would guess they could use the one I already posted and replace the oem file with the Sprint one, but that may very well not boot. Any Sprint user that can post their fastboot oem info command output out there?
    08-07-17 10:07 AM
  19. thurask's Avatar
    Yeah, I tried carrier mode too for Sprint, also missing sig. An output of a Sprint user's "fastboot oem info" might be useful.
    I guess the most important loaders are USA, EMEA and global with generic OEMs. Sprint is having issues as discussed, and the other variants are either not out yet or are out but haven't been found on CB yet.
    Uzi likes this.
    08-07-17 10:10 AM
  20. jcrutchvt2010's Avatar
    I guess the most important loaders are USA, EMEA and global with generic OEMs. Sprint is having issues as discussed, and the other variants are either not out yet or are out but haven't been found on CB yet.
    Updated post 40 with link to global loader.
    thurask and Uzi like this.
    08-07-17 10:17 AM
  21. beckzyboi's Avatar
    3 questions. 1) Is this 100% equally as safe as the official autoloaders by BlackBerry? 2) Is it the complete OS, nothing missing? 3) Is it loaded the same way, i.e. simply download and execute the file and the autoloader will do the rest? Basically, if I use the autoloader will it act the same as if it was from BlackBerry themselves?
    08-07-17 10:25 AM
  22. conite's Avatar
    3 questions. 1) Is this 100% equally as safe as the official autoloaders by BlackBerry? 2) Is it the complete OS, nothing missing? 3) Is it loaded the same way, i.e. simply download and execute the file and the autoloader will do the rest? Basically, if I use the autoloader will it act the same as if it was from BlackBerry themselves?
    They ARE from BlackBerry. These guys are just trying to make the loading process robust and easy. It's getting there.
    08-07-17 10:28 AM
  23. jcrutchvt2010's Avatar
    I guess the most important loaders are USA, EMEA and global with generic OEMs. Sprint is having issues as discussed, and the other variants are either not out yet or are out but haven't been found on CB yet.
    I unpacked the common oem img and the Sprint oem img to compare. The Sprint one is missing pathlist.xml amongst some other things that define where token paths, etc. are defined. It also doesn't have whitelisted carriers like the common one does (as you would expect if it was only Sprint specific). Someone with a Sprint K1 would have to do some testing.
    thurask likes this.
    08-07-17 10:42 AM
  24. beckzyboi's Avatar
    They ARE from BlackBerry. These guys are just trying to make the loading process robust and easy. It's getting there.
    thurask said there'll probably be no more autoloaders from BlackBerry?
    08-07-17 10:46 AM
  25. conite's Avatar
    thurask said there'll probably be no more autoloaders from BlackBerry?
    Have you been following this thread? Read back.

    Or better yet, read the very next post. Lol.
    Last edited by conite; 08-07-17 at 11:03 AM.
    08-07-17 10:48 AM
