I've done some more digging regarding the fastboot part of uboot.
All quoted code comes from uboot\drivers\usb\gadget\f_fastboot.c from source code package.
It seems all commands sent to the device, before even being parsed are censored by lab126 sanitizing function:
Code:
if (is_restricted_command_on_locked_hw((unsigned char*)cmdbuf)) {
printf("locked command: %s\n", cmdbuf);
fastboot_tx_write_str("FAILlocked command");
goto out;
}
That's basically the reason why boot command fails and probably flash too.
As for the interesting part there is following command available:
Code:
> fastboot getvar unlock_code
0xXXXXXXXXXXXX
OKAY [ 0.005s]
finished. total time: 0.006s
It returns 128bit key in an hexadecimal format.
Then there's possibility to unlock the device by executing:
Code:
> fastboot download <secret_unlock_file>
> fastboot flash unlock
However for that we need to download the unlock code to memory first:
Code:
if (strncmp("unlock", cmd, 6) == 0) {
if (amzn_write_unlock_code(
(void *)interface.transfer_buffer, download_bytes) == 0) {
fastboot_tx_write_str("OKAY");
} else {
fastboot_tx_write_str("FAILincorrect unlock code");
}
return;
}
Obviously uploading code obtained before does not work (I've tried the hex format with and without 0x and pure binary representation of 'unlock_code').
Nothing worked.
Most probably lab126 when provided with our serial number and unlock_code should be able to generate proper unlock file.
Most probably they will not be eager to do so
As for another mysterious commands, following two are also available:
Code:
> fastboot oem relock
OKAY [ 0.006s]
finished. total time: 0.006s
So there should be possibility to relock the uboot after a successful unlock.
And also:
Code:
> fastboot oem format
I've not yet tried that, and I'm not eager to do so
I hope answering an 3-month old topic will not do much harm.