Old 11-27-2019, 12:43 PM   #42
MrTick
Enthusiast
Posts: 53
Karma: 2340139
Join Date: Dec 2018
Device: K3 DxG PW1 KV PW4

I've done some more digging regarding the fastboot part of uboot.
All quoted code comes from uboot\drivers\usb\gadget\f_fastboot.c from the source code package.

It seems all commands sent to the device are, before even being parsed, censored by lab126's sanitizing function:

Code:
if (is_restricted_command_on_locked_hw((unsigned char*)cmdbuf)) {
    printf("locked command: %s\n", cmdbuf);
    fastboot_tx_write_str("FAILlocked command");
    goto out;
}

That's basically the reason why the boot command fails and probably flash too.

As for the interesting part, there is the following command available:

Code:
> fastboot getvar unlock_code
0xXXXXXXXXXXXX
OKAY [  0.005s]
finished. total time: 0.006s

It returns a 128-bit key in hexadecimal format.

Then there's the possibility to unlock the device by executing:
Code:
> fastboot download <secret_unlock_file>
> fastboot flash unlock

However, for that we need to download the unlock code to memory first:

Code:
if (strncmp("unlock", cmd, 6) == 0) {
    if (amzn_write_unlock_code(
            (void *)interface.transfer_buffer, download_bytes) == 0) {
        fastboot_tx_write_str("OKAY");
    } else {
        fastboot_tx_write_str("FAILincorrect unlock code");
    }
    return;
}

Obviously, uploading the code obtained before does not work (I've tried the hex format with and without 0x and the pure binary representation of 'unlock_code').
Nothing worked.

Most probably lab126, when provided with our serial number and unlock_code, should be able to generate a proper unlock file.
Most probably they will not be eager to do so.

As for other mysterious commands, the following two are also available:
Code:
> fastboot oem relock
OKAY [  0.006s]
finished. total time: 0.006s

So there should be a possibility to relock the uboot after a successful unlock.
And also:
Code:
> fastboot oem format

I've not yet tried that, and I'm not eager to do so.

I hope answering a 3-month-old topic will not do much harm.
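Added example, not part of the original post and not lab126's code: a sketch in C of a default-deny command gate of the kind the post describes sitting in front of the fastboot parser on locked hardware. The allowlist, `restricted_when_locked` and `gate` are hypothetical; the entries are constructed from the commands the post reports as accepted, written in fastboot's wire forms (`getvar:`, `download:`, `flash:`).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical allowlist for a locked device. Entries are constructed from
 * the commands the post reports as accepted, not taken from lab126's source. */
struct rule { const char *text; bool exact; };

static const struct rule locked_allowlist[] = {
    { "getvar:",      false },  /* prefix: any variable name may follow */
    { "download:",    false },  /* prefix: followed by the payload size */
    { "flash:unlock", true  },  /* exact: a prefix compare would also
                                   accept longer partition names */
    { "oem relock",   true  },
};

/* Returns true when cmd must be refused on locked hardware. */
bool restricted_when_locked(const char *cmd)
{
    size_t i, n = sizeof(locked_allowlist) / sizeof(locked_allowlist[0]);

    for (i = 0; i < n; i++) {
        const struct rule *r = &locked_allowlist[i];
        if (r->exact ? strcmp(cmd, r->text) == 0
                     : strncmp(cmd, r->text, strlen(r->text)) == 0)
            return false;
    }
    return true;  /* default deny: unknown commands never reach the parser */
}

/* Gate placed before command dispatch; returns the fastboot reply string. */
const char *gate(bool locked, const char *cmd)
{
    if (locked && restricted_when_locked(cmd))
        return "FAILlocked command";
    return "OKAY";  /* stand-in for handing cmd to the real handler */
}
```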