Looking for unlocked OP firmware (save an OP3 phone today!)

iresearch

Member
Feb 7, 2019
19
0
0
Visit site
I have my OP3 refusing to boot; I can go into fastboot / recovery mode, but that's it.
I have also flashed everything (stock) in EDL mode with MSMDownloadTool and everything went fine (tried both methods).
However, the result didn't change: even with the new *everything* the phone still refused to boot, and only the LED light was on.

Someone would say: Wait... You did the full MSMDownloadTool procedure, it went all green, and you aren't giving up?? (Send it to support so they can charge for a motherboard, and it's as if I would buy a new phone)...

Yes, and the reason for it is that there is this "tampering" function in emmc_appsboot.mbn https://ge0n0sis.github.io/posts/20...-mode-using-an-undocumented-feature-of-aboot/ that does exactly that: even if the phone is well and sane, it will refuse to boot. But that can be changed if I try to start the phone with an unlocked bootloader and TWRP as recovery.
If that's not the case, at least it will give me the chance to load a kernel with fastboot and see why the heck it isn't booting up (at least I will have some debug information if there's a hardware issue, and can understand when / why / how).

So, I'm quite sure there's some user with an OP3 with secure boot disabled and the bootloader unlocked; can you please get the firmware files and toss them to me? (check the attachment for the files I need)
Afterwards I can reflash everything with MSMDownloadTool and hopefully will find the phone with the bootloader unlocked and secure boot disabled.

Important note: I can't unlock the bootloader from fastboot since I can't log in to the OS itself.
Thanks!
 

Attachments

  • fimrware_files.png (52.2 KB)

iresearch

Member
Feb 7, 2019
19
0
0
Visit site

I'll check if it actually includes the same files.

Code:
@linux lineage-15.1-20190202-nightly-oneplus3-signed]$ strings file_contexts.bin  | grep firmwa
/firmware
u:object_r:firmware_file:s0
/firmware/image(/.*)?
u:object_r:firmware_file:s0
/vendor/firmware(/.*)?
u:object_r:firmware_file:s0
/system/etc/firmware(/.*)?
u:object_r:firmware_file:s0
/system/vendor/firmware(/.*)?
/sys/firmware/devicetree/base/cpus(/.*)?
u:object_r:firmware_file:s0
/firmware
u:object_r:bt_firmware_file:s0
/bt_firmware

Will try to extract it from system.new.dat.br; hopefully it is there.

However, I'm unsure if this actually includes the aboot and the recovery. Do you think it does?


UPDATE:

For those interested in doing this... (how to extract / unpack system.new.dat.br)

1) Extract from the .br (brotli https://en.wikipedia.org/wiki/Brotli ); consider it a zip.
Well, on Linux it's pretty easy, since brotli was already installed on my system, so all you need to do is:
Code:
brotli -d system.new.dat.br 
[i@linux lineage-15.1-20190202-nightly-oneplus3-signed]$ ls
boot.img  file_contexts.bin  install  META-INF  system  system.new.dat  system.new.dat.br  system.patch.dat  system.transfer.list
It will decompress nicely into a .dat file.

2) Convert the .dat (ext4) to an .img (ext4)
https://github.com/xpirt/sdat2img is a small Python script that can do so.
On Windows you need Python installed in order to run it; on Linux, well, it's pretty easy.
Download the script, then chmod +x it, and then convert everything.
Code:
$ ./sdat2img.py system.transfer.list system.new.dat system.img
sdat2img binary - version: 1.2

Android Nougat 7.x / Oreo 8.x detected!

Until it says done.

3) Mount the image so you can check / change the content
Code:
mkdir mountsystem
sudo mount system.img mountsystem/

Code:
@linux mountsystem]$ ls
addon.d  bin         compatibility_matrix.xml  fake-libs    fonts      lib    lost+found    media     recovery-from-boot.p  usr     xbin
app      build.prop  etc                       fake-libs64  framework  lib64  manifest.xml  priv-app  tts                   vendor

On Windows you can open the file (I think) with UltraISO or something; if that doesn't work, then find something that can read an ext4 filesystem.


In any case it looks like what I need is in boot.img and not here :( ....
Code:
mountsystem]$ find . -type f -iname "*.mbn"
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_MTNL_BSNL.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_H3G-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_CMCC_Volte_OpenMkt-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_YTL-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_EE-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_UK-VoLTE.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_Reliance-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_CU_OpenMkt-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_OEM_Test-VoLTE.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_OEM_NoCDMA-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_Vodafone-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_Airtel-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw_NoCDMA/mcfg_sw_Elisa-VoLTE.mbn
./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_CMCC_Volte_OpenMkt-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_ATT-VoLTE.mbn
./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_TMO-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_OEM_CDMA-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_CU_OpenMkt-Commercial.mbn
./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_OEM_Test-VoLTE.mbn
./etc/firmware/mbn_ota/mcfg_sw/mcfg_sw_CT_OpenMkt-Commercial.mbn

But it's a nice way to get rid of some unwanted applications.
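As an added example (not the poster's commands and not the sdat2img project's own code), here is a small Python reimplementation of what step 2 does, so you can see how system.transfer.list drives the .dat to .img conversion: the list's header gives the version and the total block count (version 2 and later add two stash-limit lines), and each `new` command names the block ranges that the next chunk of system.new.dat fills in sequence, while `erase` and `zero` ranges are left as zeros. The format details are from the AOSP OTA transfer-list format; the sample list and data are constructed inline, and the file names in the usage line are assumptions matching the post.

```python
import io
import sys

BLOCK_SIZE = 4096  # transfer lists address the partition in 4 KiB blocks


def parse_rangeset(text):
    """'count,s1,e1,s2,e2,...' -> [(s1, e1), ...]; each range is half-open, in blocks."""
    nums = [int(x) for x in text.split(",")]
    count = nums[0]
    if count % 2 != 0 or len(nums) != count + 1:
        raise ValueError("malformed rangeset: %r" % text)
    ranges = list(zip(nums[1::2], nums[2::2]))
    if any(s >= e for s, e in ranges):
        raise ValueError("empty or reversed range in %r" % text)
    return ranges


def parse_transfer_list(text):
    """Header: version, total blocks, and (from version 2 on) two stash-limit lines;
    then one command per line. Returns (version, total_blocks, [(op, arg)])."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    version, total_blocks = int(lines[0]), int(lines[1])
    body = lines[4:] if version >= 2 else lines[2:]
    commands = []
    for line in body:
        op, _, arg = line.partition(" ")
        if op in ("new", "erase", "zero"):
            commands.append((op, parse_rangeset(arg)))
        else:
            # move/bsdiff/stash/free only appear in incremental patch lists; a full
            # OTA's system.transfer.list does not need them, so keep the raw text.
            commands.append((op, arg))
    return version, total_blocks, commands


def sdat2img(transfer_text, dat, out):
    """Write the raw partition image described by transfer_text to `out` (a seekable
    binary stream), reading block data sequentially from `dat` (system.new.dat)."""
    version, total_blocks, commands = parse_transfer_list(transfer_text)
    # Size the output up front: blocks that are only erased or zeroed stay zero
    # (and become a sparse file when `out` is a real file).
    out.seek(total_blocks * BLOCK_SIZE - 1)
    out.write(b"\0")
    new_blocks = 0
    for op, ranges in commands:
        if op != "new":
            continue
        for start, end in ranges:
            if end > total_blocks:
                raise ValueError("range %d-%d exceeds image of %d blocks" % (start, end, total_blocks))
            size = (end - start) * BLOCK_SIZE
            chunk = dat.read(size)
            if len(chunk) != size:
                raise ValueError("system.new.dat is truncated")
            out.seek(start * BLOCK_SIZE)
            out.write(chunk)
            new_blocks += end - start
    if dat.read(1):
        raise ValueError("system.new.dat has data the transfer list never consumed")
    return {"version": version, "total_blocks": total_blocks, "new_blocks": new_blocks}


# Constructed sample (not from a real OTA): an 8-block image where blocks 0-1 and 4-5
# come from the .dat in that order, blocks 2-3 are zeroed and 6-7 are only erased.
SAMPLE_TRANSFER_LIST = """4
8
0
0
erase 2,0,8
new 4,0,2,4,6
zero 2,2,4
"""
SAMPLE_NEW_DAT = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"C" * BLOCK_SIZE + b"D" * BLOCK_SIZE


def demo():
    out = io.BytesIO()
    info = sdat2img(SAMPLE_TRANSFER_LIST, io.BytesIO(SAMPLE_NEW_DAT), out)
    return out.getvalue(), info


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py system.transfer.list system.new.dat system.img
        with open(sys.argv[1]) as tl, open(sys.argv[2], "rb") as dat, open(sys.argv[3], "wb") as out:
            print(sdat2img(tl.read(), dat, out))
    else:
        img, info = demo()
        print(info, "image bytes:", len(img))
```

The resulting system.img is the raw ext4 filesystem, which is why step 3 can mount it directly; the leftover-data check at the end is a cheap way to notice a transfer list and .dat that do not belong to the same OTA before you go looking for files in a half-written image.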
 

iresearch

Well, since I got through the process, I'm posting the "how to":

boot.img is made up of the ramdisk and the kernel; no Linux boot happens without both of them.
I used abootimg (a tool for Linux) (others are available as well to do the same) to extract the kernel and ramdisk:

Code:
$abootimg -x boot.img 

writing boot image config in bootimg.cfg
extracting kernel in zImage
extracting ramdisk in initrd.img

Then you can extract the initramfs (initrd.img here) with:

Code:
gunzip -c initrd.img | cpio -iu

If you used another tool that extracted the file with a correct name like ramdisk.cpio.gz, use the same command.

However, by searching all content in the extracted ramdisk I couldn't find any of the mbn files, and actually it was a bit stupid of me to go through the extraction etc., since the LineageOS source code for the OP3 is up for grabs: https://github.com/LineageOS/android_kernel_oneplus_msm8996

However, as I thought....
Code:
android_kernel_oneplus_msm8996-lineage-16.0]$  find . -type f -iname "*.mbn"
The mbn* files are Qcom's proprietary files, and are not included at all in LineageOS.

So:
recovery.img
aboot*

are not part of LineageOS; they are proprietary from the chipset vendor, so the only way would be to pull the files from a running rooted OP3 and upload them so I can download them.


I also tried to edit emmc_appsboot.mbn with a hex editor; however, I ended up fully bricking the OP3, and it was tricky to get it back to a soft brick... So don't try it.

I believe it failed not because of my mistake, but rather because of the signing and file integrity checks, so I need the aboot and recovery from a running OP3 configuration...
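As an added example (not the poster's procedure and not abootimg's code), this Python script does in code what the abootimg and gunzip/cpio steps above do by hand: it parses the v0 boot.img header, carves out the kernel and ramdisk, recomputes the header's SHA-1 "id" over the payloads, and then walks the gzip-compressed newc cpio ramdisk looking for *.mbn files, which is the search the post describes. The header offsets and the id formula are those of AOSP's bootimg.h and mkbootimg; the boot image it runs on is constructed inline with a placeholder .mbn entry (so the search returns a hit), not a real OP3 image.

```python
import gzip
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# Header v0 (AOSP bootimg.h): magic, then 8 little-endian u32 fields. Fixed offsets
# used below: cmdline at byte 64 (512 bytes), id at byte 576 (32 bytes, SHA-1 + padding).
HDR = struct.Struct("<8s8I")


def align(n, unit):
    return (n + unit - 1) // unit * unit


def parse_boot_img(data):
    """Split a boot.img into kernel/ramdisk/second like `abootimg -x`, and recompute
    the header id (sha1 over each payload followed by its u32 size) as an integrity check."""
    magic, ksz, _ka, rsz, _ra, ssz, _sa, _tags, page = HDR.unpack_from(data, 0)
    if magic != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    k_off = page                       # the header occupies exactly one page
    r_off = k_off + align(ksz, page)   # each payload is padded to the page size
    s_off = r_off + align(rsz, page)
    kernel, ramdisk, second = data[k_off:k_off + ksz], data[r_off:r_off + rsz], data[s_off:s_off + ssz]
    h = hashlib.sha1()
    for blob, size in ((kernel, ksz), (ramdisk, rsz), (second, ssz)):
        h.update(blob)
        h.update(struct.pack("<I", size))
    return {
        "page_size": page,
        "cmdline": data[64:576].split(b"\0", 1)[0],
        "kernel": kernel, "ramdisk": ramdisk, "second": second,
        "id_ok": data[576:596] == h.digest(),
    }


def cpio_newc_entries(archive):
    """Yield (name, mode, data) from a 'newc' cpio archive, the format `cpio -i` unpacks
    from an Android initramfs: 110-byte ASCII-hex header, NUL-terminated name, 4-byte padding."""
    pos = 0
    while pos < len(archive):
        if archive[pos:pos + 6] != b"070701":
            raise ValueError("bad cpio header at offset %d" % pos)
        f = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        data_off = align(pos + 110 + namesize, 4)
        pos = align(data_off + filesize, 4)
        if name == "TRAILER!!!":
            return
        yield name, mode, archive[data_off:data_off + filesize]


def find_in_ramdisk(boot_img, suffix=".mbn"):
    """Names of ramdisk members ending in `suffix`."""
    archive = gzip.decompress(parse_boot_img(boot_img)["ramdisk"])
    return sorted(n for n, _m, _d in cpio_newc_entries(archive) if n.endswith(suffix))


# --- constructed sample data so the block runs offline (not a real OP3 image) ---

def cpio_newc_pack(entries):
    out = bytearray()
    for ino, (name, mode, data) in enumerate(list(entries) + [("TRAILER!!!", 0, b"")], 1):
        nm = name.encode() + b"\0"
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0)
        out += b"070701" + b"".join(b"%08x" % v for v in fields) + nm
        out += b"\0" * (align(len(out), 4) - len(out))
        out += data
        out += b"\0" * (align(len(out), 4) - len(out))
    return bytes(out)


def build_boot_img(kernel, ramdisk, page=2048, cmdline=b"androidboot.hardware=qcom"):
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, b""):   # no second-stage image
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    hdr = bytearray(page)
    HDR.pack_into(hdr, 0, BOOT_MAGIC, len(kernel), 0x80008000, len(ramdisk), 0x82000000,
                  0, 0x81000000, 0x80000100, page)
    hdr[64:64 + len(cmdline)] = cmdline
    hdr[576:596] = h.digest()
    pad = lambda b: b + b"\0" * (align(len(b), page) - len(b))
    return bytes(hdr) + pad(kernel) + pad(ramdisk)


def demo():
    kernel = bytes(100) + b"fake zImage"
    ramdisk = gzip.compress(cpio_newc_pack([
        ("init", 0o100755, b"#!/system/bin/sh\n"),
        ("default.prop", 0o100644, b"ro.secure=1\n"),
        ("firmware/image/modem.mbn", 0o100644, b"placeholder, not a real mbn"),
    ]))
    img = build_boot_img(kernel, ramdisk)
    return img, parse_boot_img(img), find_in_ramdisk(img)


if __name__ == "__main__":
    _img, info, hits = demo()
    print("kernel %d bytes, ramdisk %d bytes, id_ok=%s, cmdline=%r"
          % (len(info["kernel"]), len(info["ramdisk"]), info["id_ok"], info["cmdline"]))
    print("*.mbn in ramdisk:", hits)
```

Run it against a real boot.img by replacing `demo()` with `open("boot.img", "rb").read()`. Note that `id_ok` is only an integrity check (anyone can recompute the hash after editing the image); authenticity comes from the signature that aboot verifies over the boot partition, which is exactly the check the post ran into when hex-editing emmc_appsboot.mbn.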
 

iresearch

I'm putting some more info here: https://discuss.96boards.org/t/how-to-make-the-mbn-elf-bin-files-for-msm8996/7279 ; this will hopefully educate others and be a reference for similar research.

I opened a thread on 96boards as well; it turns out that the boot process is pretty tight, and they use a signing certificate as well (from strings on the headers of emmc_appsboot.mbn):

Code:
SANDIEGO1
OEM1#0!
General OEM attestation CA1
OEMattestation CA0
181205165313Z
381130165313Z0
SecTools Test User1
        San Diego1
SecTools1
California1

And there is this as well: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/ which has quite some useful information.

I think the only solution to this is for someone to give me the emmc_appsboot.mbn from their phone so I can upload it to mine.
For those who have privacy concerns: this file doesn't contain any personal information.
 

iresearch

YeyYeyyYey :D got my phone back

Here's what anyone should do if they're in a similar situation:

1. Do a full unbrick, method 1 here: https://forums.oneplus.com/threads/guide-mega-unbrick-guide-for-a-hard-bricked-oneplus-3.452634/

2. Download OxygenOS 4.0.0 (Android 7.0), OnePlus3Oxygen_16_OTA_035_all_1612310359_e10cadfb2af7.zip
adb sideload the file above when in recovery. Why this version? Because it's vulnerable to CVE-2017-5626 and CVE-2017-5624.
Weirdly enough, my phone came back from the dead after this; however, if it hadn't worked (as I was expecting),
3. I would go into fastboot mode and unlock the bootloader from there with:
Code:
fastboot oem 4F500301
which will completely bypass the OEM unlock mechanism and will unlock your bootloader even if you can't boot the system and go to the developer menu.

This backdoor was removed by OnePlus in OxygenOS 4.0.2 ("patched").