Bootloader
Unlock bootloader
[Updated 31.01.2025]
We finally managed to find out the key generation algorithm and you can unlock the bootloader via fastboot!
Discoveries
Bootloader unlock
- Clone the fuckyoumoto repository.
- Boot the phone into fastboot mode.
- Get the first part of the soc_id:

  $ fastboot oem get_key
  (bootloader) 061A757D042B2A378D9761E60C9D3FBC
  (bootloader) finish dump
  OKAY [ 0.003s]
  Finished. Total time: 0.003s

- Run the oem_keygen.py script to generate the oem key, passing the value you received as the argument. As the output shows, the key is taken from the SHA-256 hash of the soc_id fragment concatenated with itself; the script prints both halves of the hash, in lower and upper case, as candidate keys:

  $ python oem_keygen.py 061A757D042B2A378D9761E60C9D3FBC
  To hash: 061A757D042B2A378D9761E60C9D3FBC061A757D042B2A378D9761E60C9D3FBC
  Hash: 87f3aef774eb3edbcdef39e2e94d05c98d7fd1b5db8e7623345412390e1db289
  Possible keys:
  87f3aef774eb3edbcdef39e2e94d05c9
  8d7fd1b5db8e7623345412390e1db289
  Capitalized:
  87F3AEF774EB3EDBCDEF39E2E94D05C9
  8D7FD1B5DB8E7623345412390E1DB289

- Copy the first generated oem key, install it with fastboot oem key <KEY>, then try unlocking the bootloader:

  $ fastboot oem key 87f3aef774eb3edbcdef39e2e94d05c9
  (bootloader) open fastboot unlock
  OKAY [ 0.000s]
  Finished. Total time: 0.000s

  $ fastboot flashing unlock
  (bootloader) Start unlock flow
  (bootloader) 061A757D042B2A378D9761E60C9D3FBC
  (bootloader) start fastboot unlock
  (bootloader) 87f3aef774eb3edbcdef39e2e94d05c9
  (bootloader) Unlock Success
  (bootloader) fastboot unlock success
  OKAY [ 5.320s]
  Finished. Total time: 5.320s

- Check that the bootloader is unlocked (lks = 0 means unlocked):

  $ fastboot oem lks
  (bootloader) lks = 0
  OKAY [ 0.005s]
  Finished. Total time: 0.005s
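The whole procedure above, written out as one script. This is an added example, not the fuckyoumoto project's own oem_keygen.py: it parses the `fastboot oem get_key` transcript, derives the candidate keys the same way the script output above implies (SHA-256 over the 32-hex-digit soc_id fragment repeated twice, both halves, lower and upper case), installs each candidate with `fastboot oem key` and tries `fastboot flashing unlock` until `fastboot oem lks` reports 0. It goes slightly beyond the steps above by trying all four candidates rather than only the first. It assumes, as the "To hash:" line suggests, that the bootloader hashes the ASCII text of the doubled string; if you run it against the soc_id fragment above, the printed hash should match the 87f3aef7... value in the transcript if that assumption holds. When no fastboot binary is on the PATH it falls back to a constructed offline stand-in that answers like the transcript on this page, so the flow can be dry-run.

```python
#!/usr/bin/env python3
"""Added example reconstructing the penangf unlock flow (not the project's oem_keygen.py).

Assumption: the key is the first 32 hex digits of
    sha256(ascii(soc_id_part + soc_id_part))
where soc_id_part is the 32-hex-digit line printed by `fastboot oem get_key`.
"""
import hashlib
import re
import shutil
import subprocess

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed stand-in for `fastboot oem get_key` output, using the value from this page.
SAMPLE_GET_KEY = (
    "(bootloader) 061A757D042B2A378D9761E60C9D3FBC\n"
    "(bootloader) finish dump\n"
    "OKAY [  0.003s]\n"
)


def bootloader_lines(output):
    """Yield the payload of every '(bootloader) ...' status line in fastboot output."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("(bootloader)"):
            yield line[len("(bootloader)"):].strip()


def parse_get_key(output):
    """Return the 32-hex-digit soc_id fragment printed by `fastboot oem get_key`."""
    for payload in bootloader_lines(output):
        if HEX32.match(payload):
            return payload.upper()
    raise ValueError("no 32-hex-digit line in `fastboot oem get_key` output")


def derive_keys(soc_id_part):
    """Candidate keys: both halves of sha256(soc_id_part * 2), lower and upper case."""
    if not HEX32.match(soc_id_part):
        raise ValueError("soc_id fragment must be exactly 32 hex digits")
    to_hash = soc_id_part + soc_id_part
    digest = hashlib.sha256(to_hash.encode("ascii")).hexdigest()  # assumption: ASCII input
    halves = [digest[:32], digest[32:]]
    return {"to_hash": to_hash, "hash": digest,
            "candidates": halves + [h.upper() for h in halves]}


def is_unlocked(lks_output):
    """`fastboot oem lks` reports 'lks = 0' once the bootloader is unlocked."""
    return any(p.replace(" ", "") == "lks=0" for p in bootloader_lines(lks_output))


def real_fastboot(*args):
    """Run the fastboot binary; it prints its status lines on stderr."""
    proc = subprocess.run(["fastboot", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def simulated_fastboot(*args):
    """Constructed offline stand-in that answers like the transcript on this page."""
    if args[:2] == ("oem", "get_key"):
        return SAMPLE_GET_KEY
    if args[:2] == ("oem", "key"):
        return "(bootloader) open fastboot unlock\nOKAY [  0.000s]\n"
    if args[:2] == ("flashing", "unlock"):
        return "(bootloader) Start unlock flow\n(bootloader) Unlock Success\nOKAY [  5.320s]\n"
    if args[:2] == ("oem", "lks"):
        return "(bootloader) lks = 0\nOKAY [  0.005s]\n"
    return "FAILED (remote: 'unknown command')\n"


def unlock_flow(fastboot):
    """get_key -> keygen -> oem key -> flashing unlock, trying each candidate in turn.
    Returns the key that unlocked the device, or None if none was accepted."""
    soc_id_part = parse_get_key(fastboot("oem", "get_key"))
    keys = derive_keys(soc_id_part)
    print("to hash:", keys["to_hash"])
    print("hash:   ", keys["hash"])
    for key in keys["candidates"]:
        fastboot("oem", "key", key)
        out = fastboot("flashing", "unlock")
        if "Unlock Success" in out and is_unlocked(fastboot("oem", "lks")):
            return key
    return None


if __name__ == "__main__":
    runner = real_fastboot if shutil.which("fastboot") else simulated_fastboot
    print("using", runner.__name__)
    print("unlocked with key:", unlock_flow(runner))
```

The fastboot runner is passed in as a function so the same flow can be exercised against the offline stand-in before a real device is plugged in; note that `fastboot flashing unlock` wipes userdata on an unlockable device, so run the real flow only on a phone you are prepared to wipe.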
Archive (Old information)
Official unlocking method?
First of all, the device doesn't return any unlock data:
$ fastboot oem get_unlock_data
FAILED (remote: 'unknown command')
fastboot: error: Command failed
Thus it is not possible to unlock the bootloader by the official Motorola method, which needs that unlock data.
With fastboot?
The device claims to be unlockable from fastboot
$ fastboot flashing get_unlock_ability
(bootloader) unlock_ability = 16777216
In this case the number equals 2^24 (0x01000000, only bit 24 set), which seems to mean either that the device is unlockable under certain conditions, or simply an overflow/bug in fastboot when the bootloader can be unlocked.
The device has a MediaTek SoC, so we try the flashing unlock command:
$ fastboot flashing unlock
(bootloader) Start unlock flow
FAILED (remote: 'Unlock key length is incorrect!')
fastboot: error: Command Failed
It requires an unlock key, like all Motorola devices.
Dump of the current oem key
Just in case, dump the current oem key:
$ fastboot oem get_key
(bootloader) **1A****042B2A****97***60C***FBC
(bootloader) finish dump
OKAY [ 0.000s]
Finished. Total time: 0.000s
Install the oem key to unlock:
$ fastboot oem key **1A****042B2A****97***60C***FBC
(bootloader) open fastboot unlock
OKAY [ 0.000s]
Finished. Total time: 0.000s
Now we can try to unlock the bootloader!
$ fastboot flashing unlock
(bootloader) Start unlock flow
(bootloader) **1A****042B2A****97***60C***FBC
(bootloader) start fastboot unlock
(bootloader) **1A****042B2A****97***60C***FBC
FAILED (remote: 'Unlock key code is incorrect!')
fastboot: error: Command failed
As you can see, unlocking the bootloader with the default key didn't help. We need to try brute-forcing the key; we'll update the documentation and make a script if it works!
Update: brute forcing won't work because of the fastboot timeout, but a keygen could be possible by decompiling lk and reversing the algorithm that checks the key.
Something interesting happens when installing a key without first running fastboot oem get_key, and then running fastboot flashing unlock:
$ fastboot oem key **1A****042B2A****97***60C***FBC
(bootloader) open fastboot unlock
OKAY [ 0.000s]
Finished. Total time: 0.000s
$ fastboot flashing unlock
(bootloader) Start unlock flow
(bootloader)
(bootloader) start fastboot unlock
(bootloader) **1A****042B2A****97***60C***FBC
FAILED (remote: 'Unlock key code is incorrect!')
fastboot: error: Command failed
The first line (which is the key fastboot knows and has to verify against the second key that appears) is completely empty.
Decompiling LK, it is clear that this line is supposed to be filled with the key (which is also the first part of the SoC ID), which has to be stored in a global variable before anything else.
I suspect there is a possibility that fastboot hashes an empty 32-character buffer, which could lead to some exploitation of either the sha256 function or the copy of the hash into a temporary buffer.
It is confirmed that feeding the first 32 characters of the hash of an empty string as the key does not unlock the bootloader.
Using mtkclient
With mtkclient we have more luck than with fastboot: we are able to read and write the flash, but we are limited.
Unfortunately, the device has a patched preloader, meaning we cannot crash it into BROM, and it does not allow access to BROM with the volume keys either. We can only interact with the preloader.
Some files that are required:
- preloader (Easily obtainable from official firmware, or more recently from here)
- Download Agent (Obtainable from RSA SP Flash tool, as it gets extracted during Rescue Mode, and now easy to get from GitHub)
# Read the SECCFG partition, which we want to edit to unlock bootloader
$ mtk r seccfg seccfg.bin --loader DA_PL_NO_CERT_V6.bin --preloader preloader_penangf.bin > logs.txt
Thanks to @DiabloSat, another DA was found that works with mtkclient. From now on, this will be used instead of the official one, as it provides more features and better output with mtkclient.
Trying to patch the seccfg partition results in a "Write data not allowed" error:
# Try to unlock by patching the SECCFG partition with the DA
$ mtk da seccfg unlock --loader MT6768_USER.bin --preloader preloader_penangf.bin
...
DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c)
So unfortunately not even that works.
Testpoints?
Testpoints are still being investigated.
BROM:
BROM mode has been confirmed to be disabled by efuse, so we cannot access it.
UART:
To use UART, refer to the UART page.
Further testing is needed.
I suspect that to enable UART we need to run fastboot oem p2u first.
The list of the testpoints I've found is here.