1. iresearch
    I have my OP3 refusing to boot; I can go into fastboot / recovery mode but that's it.
    I have also flashed everything (stock) in EDL mode with MSMDownloadTool and everything went fine (tried both methods).
    However the result didn't change: even with the new *everything* the phone refused to boot, and only the LED light was on.

    Someone would say: Wait... You did the full MSMDownloadTool procedure, it went all green, and you aren't giving up?? (send it to support, so they can charge for a motherboard and it's as if I had bought a new phone)...

    Yes, and the reason for it is that there is this "tampering" function in emmc_appsboot.mbn https://ge0n0sis.github.io/posts/201...ture-of-aboot/ that does exactly that: even if the phone is well and sane, it will refuse to boot. But that can be changed if I try to start the phone with an unlocked bootloader and TWRP as recovery.
    If that's not the case, at least it will give me the chance to load a kernel with fastboot and see why the heck it isn't booting up (at least I will have some debug information if there's a hardware issue, and understand when / why / how).

    So, I'm quite sure there's some user with an OP3 with secure boot disabled and the bootloader unlocked; can you please get the firmware files and toss them to me? (check the attachment for the files I need)
    Afterwards I can reflash everything with MSMDownloadTool and hopefully will find the phone with the bootloader unlocked and secure boot disabled.

    Important note: I can't unlock the bootloader from fastboot since I can't login to the OS itself.
    Thanks!
    Attached: fimrware_files.png
    02-07-2019 11:18 AM
  2. Rukbat
    02-07-2019 01:02 PM
  3. iresearch
    I'll check if it actually includes the same files.

    Code:
    @linux lineage-15.1-20190202-nightly-oneplus3-signed]$ strings file_contexts.bin  | grep firmwa
    /firmware
    u:object_r:firmware_file:s0
    /firmware/image(/.*)?
    u:object_r:firmware_file:s0
    /vendor/firmware(/.*)?
    u:object_r:firmware_file:s0
    /system/etc/firmware(/.*)?
    u:object_r:firmware_file:s0
    /system/vendor/firmware(/.*)?
    /sys/firmware/devicetree/base/cpus(/.*)?
    u:object_r:firmware_file:s0
    /firmware
    u:object_r:bt_firmware_file:s0
    /bt_firmware
    Will try to extract it from system.new.dat.br; hopefully it's there.

    However I'm unsure if this actually includes the aboot, and the recovery. Do you think it does?


    UPDATE:

    For those interested in doing this... (how to extract / unpack system.new.dat.br)

    1) Extract the .br (brotli https://en.wikipedia.org/wiki/Brotli ); consider it a zip.
    Well, on Linux it's pretty easy, since brotli was already installed on my system, so all you need to do is:
    Code:
    brotli -d system.new.dat.br 
    [i@linux lineage-15.1-20190202-nightly-oneplus3-signed]$ ls
    boot.img  file_contexts.bin  install  META-INF  system  system.new.dat  system.new.dat.br  system.patch.dat  system.transfer.list
    It will decompress nicely into a .dat file.

    2) Convert the .dat (ext4) to an .img (ext4)
    https://github.com/xpirt/sdat2img is a small Python script that can do so.
    On Windows you need Python installed in order to run it; on Linux, well, pretty easy.
    Download the script, then chmod +x, and then convert everything.
    Code:
    $ ./sdat2img.py system.transfer.list system.new.dat system.img
    sdat2img binary - version: 1.2
    
    Android Nougat 7.x / Oreo 8.x detected!
    Until it says done.

    3) Mount the image so you can check / change the content
    Code:
    mkdir mountsystem
    sudo mount system.img mountsystem/

    Code:
    @linux mountsystem]$ ls
    addon.d  bin         compatibility_matrix.xml  fake-libs    fonts      lib    lost+found    media     recovery-from-boot.p  usr     xbin
    app      build.prop  etc                       fake-libs64  framework  lib64  manifest.xml  priv-app  tts                   vendor
    On Windows you can open the file (I think) with UltraISO or something; if that doesn't work then find something that can read an ext4 filesystem.


    In any case it looks like what I need is in boot.img and not here....
    Code:
    mountsystem]$ find . -type f -iname "*.mbn"
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_MTNL_BSNL.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_H3G-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_CMCC_Volte_OpenMkt-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_YTL-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_EE-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_UK-VoLTE.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_Reliance-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_CU_OpenMkt-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_OEM_Test-VoLTE.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_OEM_NoCDMA-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_Vodafone-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_Airtel-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_Elisa-VoLTE.mbn
    ./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_CMCC_Volte_OpenMkt-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_ATT-VoLTE.mbn
    ./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_TMO-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_OEM_CDMA-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_CU_OpenMkt-Commercial.mbn
    ./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_OEM_Test-VoLTE.mbn
    ./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_CT_OpenMkt-Commercial.mbn
    But it's a nice way if you want to get rid of some unwanted applications.
    02-07-2019 01:41 PM
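The brotli-then-sdat2img unpack described in the post above hides what sdat2img actually does with system.transfer.list, and mis-pairing the list with the wrong system.new.dat is the usual way this step goes wrong. The following is an added example, written for this page and not the xpirt script nor anything from the thread: it parses the transfer list, applies only the `new` commands (copying consecutive bytes of the .dat into the block ranges the list names, in order) and skips `erase`/`zero`, since the preallocated output is already zero-filled. The sample transfer list and .dat contents are constructed for the demo; the 4096-byte block size is the one Android's block-based OTA format uses.

```python
import io
from typing import BinaryIO, List, Tuple

BLOCK_SIZE = 4096  # block size used by Android block-based OTA (system.new.dat)

Range = Tuple[int, int]            # [begin, end) in blocks
Command = Tuple[str, List[Range]]


def parse_transfer_list(text: str) -> Tuple[int, int, List[Command]]:
    """Parse system.transfer.list into (version, total_blocks, commands).

    Header: line 1 = format version, line 2 = total blocks in the output
    image; versions >= 2 add two more header lines (stash entries, max stash
    blocks) which are skipped here. Each body line is
        <cmd> <count>,<b0>,<e0>,<b1>,<e1>,...
    where the comma list is a rangeset: count, then count/2 [begin,end) pairs.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    version, total_blocks = int(lines[0]), int(lines[1])
    body = lines[2:] if version < 2 else lines[4:]
    commands: List[Command] = []
    for ln in body:
        cmd, _, rest = ln.partition(" ")
        nums = [int(x) for x in rest.split(",")]
        count, vals = nums[0], nums[1:]
        if count != len(vals) or count % 2:
            raise ValueError(f"malformed rangeset: {ln!r}")
        commands.append((cmd, list(zip(vals[0::2], vals[1::2]))))
    return version, total_blocks, commands


def sdat2img(transfer_list: str, dat: BinaryIO, out: BinaryIO) -> int:
    """Rebuild the raw ext4 image; returns the number of blocks written.

    Only 'new' commands carry data: their ranges are filled, in order, from
    consecutive bytes of system.new.dat. 'erase' and 'zero' are ignored
    because the output is preallocated as zeros (a sparse file on disk).
    """
    _, total_blocks, commands = parse_transfer_list(transfer_list)
    out.seek(total_blocks * BLOCK_SIZE - 1)
    out.write(b"\0")  # extend to full size; the gap reads back as zeros
    written = 0
    for cmd, ranges in commands:
        if cmd != "new":
            continue
        for begin, end in ranges:
            if not 0 <= begin < end <= total_blocks:
                raise ValueError(f"range {begin}-{end} outside image of {total_blocks} blocks")
            nbytes = (end - begin) * BLOCK_SIZE
            chunk = dat.read(nbytes)
            if len(chunk) != nbytes:
                raise ValueError("system.new.dat is shorter than the transfer list claims")
            out.seek(begin * BLOCK_SIZE)
            out.write(chunk)
            written += end - begin
    return written


# Constructed sample (not real OTA content): a 6-block image where blocks
# 0, 3 and 4 carry data and the rest stay zero.
SAMPLE_TRANSFER_LIST = """4
6
0
0
erase 2,0,6
new 4,0,1,3,5
zero 4,1,3,5,6
"""
SAMPLE_DAT = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"C" * BLOCK_SIZE


def build_demo_image() -> Tuple[int, bytes]:
    """Run sdat2img over the constructed sample; returns (blocks_written, image)."""
    out = io.BytesIO()
    n = sdat2img(SAMPLE_TRANSFER_LIST, io.BytesIO(SAMPLE_DAT), out)
    return n, out.getvalue()


if __name__ == "__main__":
    n, img = build_demo_image()
    print(f"wrote {n} blocks, image is {len(img)} bytes")
```

On a real OTA, pass open file handles for system.new.dat and the output .img; the only change is that the preallocation becomes a sparse file instead of a BytesIO pad. If the .dat runs short of what the transfer list claims, the list and the .dat are from different builds.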
  4. iresearch
    Well, since I got through the process I'm posting the "how to".

    boot.img is made up of the ramdisk and the kernel; no Linux boot happens without either of them.
    I used abootimg (a tool for Linux) (others are available as well to do the same) to extract the kernel and ramdisk.

    Code:
    $abootimg -x boot.img 
    
    writing boot image config in bootimg.cfg
    extracting kernel in zImage
    extracting ramdisk in initrd.img
    Then you can extract the initramfs (initrd.img here) with:

    Code:
    gunzip -c initrd.img | cpio -iu
    If you used another tool that extracted the file with the correct name, like ramdisk.cpio.gz, use the same command.

    However, by searching all the content in the extracted ramdisk I couldn't find any of the mbn files, and actually it was a bit stupid of me to go through the extraction etc., since the LineageOS source code for OP3 is up for grabs https://github.com/LineageOS/android...neplus_msm8996

    However, as I thought....
    Code:
    android_kernel_oneplus_msm8996-lineage-16.0]$  find . -type f -iname "*.mbn"
    The mbn* files are Qcom's proprietary files, and are not included at all in LineageOS.

    So:
    recovery.img
    aboot*

    Are not part of LineageOS; they are proprietary from the chipset vendor, so the only way would be to pull the files from a running rooted OP3 and upload them so I can download them.


    I also tried to edit emmc_appsboot.mbn with a hex editor; however, I ended up fully bricking the OP3, and it was tricky to get it back to a soft brick... So don't try it.

    I believe it failed not because of my mistake but rather because of the signing and file integrity checks, so I need the aboot and recovery from a running OP3 configuration...
    02-07-2019 05:03 PM
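The abootimg split in the post above works because boot.img has a fixed, documented layout: a header page carrying sizes and page_size, then the kernel, ramdisk and optional second-stage blob, each padded to a page. The following is an added example, not code from the thread or from abootimg: it parses the v0 `boot_img_hdr` (as laid out in AOSP's bootimg.h), carves out the three blobs, and gunzips the ramdisk the way `gunzip -c initrd.img` does before `cpio` takes over. `make_boot_image` only exists to build a constructed sample in memory (the load addresses it writes are the classic mkbootimg defaults and are irrelevant to the split); the kernel, ramdisk and cmdline contents are made up for the demo.

```python
import gzip
import struct
from typing import Dict

BOOT_MAGIC = b"ANDROID!"
# boot_img_hdr v0, little-endian: magic[8], kernel_size, kernel_addr,
# ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr, page_size,
# header_version (unused in v0), os_version, name[16], cmdline[512], id[32],
# extra_cmdline[1024]
HDR_FMT = "<8s10I16s512s32s1024s"
HDR_SIZE = struct.calcsize(HDR_FMT)  # 1632 bytes


def _pad(n: int, page: int) -> int:
    """Round n up to a multiple of the page size."""
    return (n + page - 1) // page * page


def split_boot_image(img: bytes) -> Dict[str, object]:
    """Carve kernel, ramdisk and second-stage blobs out of a v0 boot image.

    Page 0 is the header; the kernel starts at page 1, followed by the
    ramdisk and then second, each padded to page_size.
    """
    if len(img) < HDR_SIZE:
        raise ValueError("too short for a boot image header")
    (magic, kernel_size, _ka, ramdisk_size, _ra, second_size, _sa, _ta,
     page_size, _hv, _osv, name, cmdline, _id, extra) = struct.unpack_from(HDR_FMT, img)
    if magic != BOOT_MAGIC:
        raise ValueError(f"bad magic {magic!r}, not an Android boot image")
    if page_size < HDR_SIZE or page_size & (page_size - 1):
        raise ValueError(f"implausible page_size {page_size}")
    parts: Dict[str, object] = {}
    off = page_size
    for key, size in (("kernel", kernel_size), ("ramdisk", ramdisk_size), ("second", second_size)):
        if off + size > len(img):
            raise ValueError(f"{key} ({size} bytes at {off}) runs past end of image")
        parts[key] = img[off:off + size]
        off += _pad(size, page_size)
    parts["page_size"] = page_size
    parts["name"] = name.rstrip(b"\0").decode()
    parts["cmdline"] = (cmdline.rstrip(b"\0") + extra.rstrip(b"\0")).decode()
    return parts


def ramdisk_payload(ramdisk: bytes) -> bytes:
    """gunzip the ramdisk (what `gunzip -c initrd.img` does); result is a cpio archive."""
    if ramdisk[:2] != b"\x1f\x8b":
        raise ValueError("ramdisk is not gzip-compressed (lz4/lzma ramdisks need another tool)")
    return gzip.decompress(ramdisk)


def make_boot_image(kernel: bytes, ramdisk: bytes, cmdline: bytes = b"",
                    page_size: int = 4096, name: bytes = b"") -> bytes:
    """Assemble a v0 boot image the way mkbootimg does; used here to build a sample."""
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC,
                      len(kernel), 0x80008000, len(ramdisk), 0x81000000,
                      0, 0x80F00000, 0x80000100, page_size, 0, 0,
                      name, cmdline, b"\0" * 32, b"")
    out = bytearray(hdr).ljust(page_size, b"\0")
    for blob in (kernel, ramdisk):
        out += blob.ljust(_pad(len(blob), page_size), b"\0")
    return bytes(out)


# Constructed sample data (not a real kernel or initramfs).
SAMPLE_KERNEL = b"\0" * 16 + b"constructed-zImage" * 100
SAMPLE_CPIO = b"070701" + b"constructed cpio payload"  # newc magic prefix only
SAMPLE_RAMDISK = gzip.compress(SAMPLE_CPIO)
SAMPLE_CMDLINE = b"console=ttyHSL0,115200,n8 androidboot.hardware=qcom"


def demo() -> Dict[str, object]:
    """Build the sample boot.img in memory and split it again."""
    img = make_boot_image(SAMPLE_KERNEL, SAMPLE_RAMDISK, SAMPLE_CMDLINE, name=b"oneplus3")
    return split_boot_image(img)


if __name__ == "__main__":
    p = demo()
    print(f"page_size={p['page_size']} kernel={len(p['kernel'])}B ramdisk={len(p['ramdisk'])}B")
    print("cmdline:", p["cmdline"])
```

For a real boot.img read the file into `img` and write `parts["kernel"]` and `parts["ramdisk"]` to zImage and initrd.img; if `ramdisk_payload` rejects the ramdisk, it is not gzip and `gunzip` would have failed too.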
  5. iresearch
    Yep, confirmed: the aboot, which for OP3 is basically emmc_appsboot.mbn, has nothing to do with OnePlus; it's Qualcomm's, and I actually found some source code (VIVA LA REVOLUTION!!! - OPENSOURCE)

    https://discuss.96boards.org/t/db410...-source/1958/4
    https://source.codeaurora.org/

    Also, changing the original emmc_appsboot.mbn with a hex editor would be dumb, since the compiled file is signed.
    02-07-2019 05:59 PM
  6. iresearch
    I'm putting some more info here https://discuss.96boards.org/t/how-t...r-msm8996/7279 , which will hopefully educate others and be a reference for similar research.

    I opened a thread on 96boards as well; it turns out that the boot process is pretty tight, and they use a signing certificate as well (from strings on the headers of emmc_appsboot.mbn):

    Code:
    SANDIEGO1
    OEM1#0!
    General OEM attestation CA1
    OEMattestation CA0
    181205165313Z
    381130165313Z0
    SecTools Test User1
            San Diego1
    SecTools1
    California1
    And there is this as well https://alephsecurity.com/2018/01/22/qualcomm-edl-2/ which has quite some useful information.

    I think the only solution to this is for someone to give me the emmc_appsboot.mbn from his phone so I can upload it to mine.
    For those who have privacy concerns: this file doesn't contain any personal information.
    02-11-2019 10:40 AM
  7. iresearch
    YeyYeyyYey got my phone back

    Here's what anyone should do if they're in a similar situation:

    1. Do a full unbrick, method 1 here: https://forums.oneplus.com/threads/g...plus-3.452634/

    2. Download OxygenOS 4.0.0 (Android 7.0), OnePlus3Oxygen_16_OTA_035_all_1612310359_e10cadfb2af7.zip
    adb sideload the file above when in recovery. Why this version? Because it's vulnerable to CVE-2017-5626 and CVE-2017-5624.
    Weirdly enough, my phone came back from the dead after this; however, if it hadn't worked (as I was expecting),
    3. I would go into fastboot mode and unlock the bootloader from there with:
    Code:
    fastboot oem 4F500301
    which will completely bypass the OEM mechanism and unlock your bootloader even if you can't boot the system and go to the developer menu.

    This backdoor was removed by OnePlus with OxygenOS 4.0.2 ("patched").
    02-11-2019 05:35 PM
