Quote:
Originally Posted by rexbanner
As you suggested...
|
Oops. I deal so much with devices that I don't own that I forget sometimes.
Also, we got bogged down in that 7 minute directory listing thing.
Quote:
Originally Posted by rexbanner
I also just ran the fastboot command which gives
Code:
(bootloader) secure:yes
|
Yeah, I'm not sure if this corresponds directly to SecureBoot being enabled or not. My Poke3 does not have SecureBoot enabled. It also shows:
Code:
(bootloader) secure:no
Also, things get so complicated with those loader files. There are files in the Qualcomm/factory directory which may in fact be equivalent to original files but they are signed by Xiaomi. So the TabUltra having zeroes in the second half of the HWID (001740e100000000) seems to indicate that it's not SecureBoot. But if it is then it accepts a Xiaomi signing?
So if you unlock flashing in the fastboot you get "Orange state" and the abl throws in a 30 second delay. (Which is pointless, because unlike an LCD display showing the warning the Onyx just shows a logo.) We can only get rid of that 30 seconds if we patch abl. I know where to patch it but I haven't got around to the onerous re-packing of UEFI images yet. You can only run a patched abl if SecureBoot is off. Moreover, I'm interested if Onyx is going to make things more evil.
SecureBoot state is printed out on the internal UART when you boot. Another way is to try a patched Firehose loader. On my Poke3 I can make a spelling change, generate a new hash (which still breaks the signing) and run it successfully.
Could you do an experiment some time? Here is the same loader for the Ultra with a spelling change (patch -> potch) and a re-hash. Could you tell me if this works? Just do a GPT listing or something. You can rename this .bin