How to make the mbn/elf/bin files for MSM8996


#1

Preview
I’m not sure if this is the right section, since my board in this case is a Qualcomm MSM8996 Snapdragon 820 (14 nm): the OnePlus3 smartphone. I’m also not a programmer by definition, so please keep that in mind if I ask something stupid.

Objective
I’m interested in recompiling the firmware files (below are those included in the OnePlus3 official OTA update):
[screenshot: firmware_files]
However, after I flash them in, I’d like to have my bootloader unlocked. Since my phone fails to boot even after reflashing everything (original) in EDL mode, I’d like to try the same with the unlocked bootloader; then, if that doesn’t work, load a custom kernel from fastboot and see what’s going on with the logs.

What I found / what step I’m at at the moment.
As far as I understood, aboot, or the bootloader I see when starting the phone in “fastboot”, is handled by emmc_appsboot.mbn; the files are also signed, so I can’t simply hex-edit and flash.

I as well found this:

git clone git://codeaurora.org/platform/prebuilts/gcc/linux-x86/arm/arm-eabi-4.8.git -b LA.BR.1.1.3.c4-01000-8x16.0
git clone http://git.linaro.org/landing-teams/working/qualcomm/lk.git -b dragonboard410c-LA.BR.1.2.7-03810-8x16.0-linaro1
git clone --depth 1 https://git.linaro.org/landing-teams/working/qualcomm/signlk.git
cd lk
make -j4 msm8916 EMMC_BOOT=1 TOOLCHAIN_PREFIX=../arm-eabi-4.8/bin/arm-eabi-
mv build-msm8916/emmc_appsboot.mbn build-msm8916/emmc_appsboot_unsigned.mbn
../signlk/signlk.sh -i=./build-msm8916/emmc_appsboot_unsigned.mbn -o=./build-msm8916/emmc_appsboot.mbn -d
sudo fastboot flash aboot ./build-msm8916/emmc_appsboot.mbn

However, the arm-eabi link doesn’t download correctly, and I don’t know what framework I should use to actually build the files (I’m on Arch Linux).
Where does https://source.codeaurora.org/quic/la/kernel/lk/tree/?h=lk.lnx.1.0.r5-rel fit in this?

Questions

  1. How, and what should I do to correctly build an unlocked aboot / emmc_appsboot.mbn?
  2. What are the other files for, and how can I build those?
  3. Or rather, is it enough to compile the emmc_appsboot.mbn and use the same files from the official firmware for the rest of the mbn/elf/bin’s?
  4. There’s an md5 checksum at boot up; should I be concerned that with the “unlocked” bootloader this won’t happen and the phone will actually boot?

Thanks a lot.


#2

To build emmc_appsboot you’d need the source code for your device; the source code for DB820C is likely to be similar, but is probably not similar enough to work.


#3

Hi Daniel, thank you for your reply,

I have downloaded lk, and I actually see this inside:

$ tree msm8996
msm8996
├── acpuclock.c
├── gpio.c
├── include
│   └── platform
│       ├── clock.h
│       ├── gpio.h
│       ├── iomap.h
│       ├── irqs.h
│       └── partial_goods.h
├── msm8996-clock.c
├── platform.c
└── rules.mk

I have as well downloaded the files for signlk.git.

In fastboot the device says msm8996, so am I not using the source code for DB820 here?
About arm-eabi, I’m using arm-eabi-4.8; hopefully that’s ok.

PS: don’t worry about wreaking havoc on this device by suggesting something that can be highly experimental, I’ve already hard bricked and come back from it… So, we’re fine :smiley:

UPDATE: I just finished compiling emmc_appsboot.mbn and signed as well.
Let’s see what happens when I replace OnePlus3 aboot with this one…

=========================================
UPDATE2

No, it didn’t end up well after all; the phone didn’t boot up at all… However, I flashed back the OP3 emmc_appsboot.mbn via EDL and I’m back to ground 0.

The OP3 file is 2x bigger, and a diff of “strings emmc_appsboot.mbn | grep cert” between the 2 gave me this:

$ diff myaboot.txt op3aboot.txt
0a1,9

RSA is null from the embedded certificate
Invalid n value from rsa_from_cert
Invalid e value from rsa_from_cert
Fail to create certificate fingerprint.
Verification with oem keystore failed. Use embedded certificate for verification
RSA KEY found from the embedded certificate
Unable to extract public key from certificate
Verified boot.img with embedded certificate in boot image
certificate

The good news is that I’m quite sure if I make the device boot from this aboot, it won’t be locked since:

$ strings emmc_appsboot.mbn | grep locked
Device unlocked: %s
Device is unlocked! Skipping verification…
use_signed_kernel=%d, is_unlocked=%d, is_tampered=%d.

There’s no “unlock” in its vocabulary…

I’m out of options at the moment; is there any way I can get the source code from OP to build the damn thing?

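A way to automate the strings-and-diff comparison done in the post above, as an added example that is not code from the thread: it extracts printable strings from two images the way `strings` does and reports which certificate-verification messages the rebuilt image lacks compared with the vendor one. The two images here are constructed stand-ins built from the messages quoted above, not real aboot dumps.

```python
import re

# Messages the thread found with `strings emmc_appsboot.mbn | grep ...`
# (taken from the diff and grep output quoted in the post above).
CERT_MARKERS = (
    b"RSA is null from the embedded certificate",
    b"Invalid n value from rsa_from_cert",
    b"Invalid e value from rsa_from_cert",
    b"Fail to create certificate fingerprint.",
    b"Verification with oem keystore failed. Use embedded certificate for verification",
    b"RSA KEY found from the embedded certificate",
    b"Unable to extract public key from certificate",
    b"Verified boot.img with embedded certificate in boot image",
)
LOCK_MARKERS = (
    b"Device unlocked: %s",
    b"Device is unlocked! Skipping verification...",
    b"use_signed_kernel=%d, is_unlocked=%d, is_tampered=%d.",
)

def extract_strings(blob, min_len=4):
    """Like the `strings` tool: runs of printable ASCII at least min_len long."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob))

def present_markers(blob, markers):
    """Markers that occur inside any extracted string of the image."""
    found = extract_strings(blob)
    return {m for m in markers if any(m in s for s in found)}

def compare_images(rebuilt, vendor):
    """Report which verification/lock messages the vendor image has but the rebuilt one lacks."""
    return {
        "cert_missing": present_markers(vendor, CERT_MARKERS) - present_markers(rebuilt, CERT_MARKERS),
        "lock_missing": present_markers(vendor, LOCK_MARKERS) - present_markers(rebuilt, LOCK_MARKERS),
        "size_ratio": len(vendor) / len(rebuilt),
    }

def fake_image(strings, pad):
    """Constructed stand-in for an aboot image: NUL-separated strings plus non-printable filler."""
    return b"\x00".join(strings) + b"\x00" * pad

# Constructed samples: the vendor image carries both families of messages, the rebuilt one
# only the lock messages, mirroring what the two grep runs above showed.
VENDOR = fake_image(CERT_MARKERS + LOCK_MARKERS, 4096)
REBUILT = fake_image(LOCK_MARKERS, 1024)

if __name__ == "__main__":
    for key, value in compare_images(REBUILT, VENDOR).items():
        print(key, value)
```

Run it against real dumps by replacing VENDOR and REBUILT with the bytes read from the two .mbn files.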

#4

Have you ever successfully obtained any source code for anything from any Chinese consumer electronics vendor?

And for what it’s worth, you’re probably dealing with failures to validate signatures in addition to missing source code. Dev boards don’t have the same degree of signature verifications enabled by default as what you find in consumer electronics, which are generally built to deny you ALL of the freedoms of ownership.


#5

Re-reading your original post, it looks like all you want is an unlocked bootloader. Why are you trying to rebuild the bootloader to achieve this? If the latest bootloaders from OP no longer support the normal unlocking sequence, I’d be surprised if OP would give you the sources and information needed to work around that.


#6

Yes, they do allow you to unlock the bootloader, but once you have booted their version of Android and enabled USB debugging; since I’m unable to do that, fastboot oem unlock would deny me anything from fastboot.

Since unlocking the bootloader isn’t a viable option at this point and there are already built ROMs for this phone, can I build my own ROM from the ground up with the bootloader and recovery?
The problem again revolves around the bootloader; I’d need to flash something that actually works on the phone…

@doitright yeah, it’s impossible to get the source code from them.
They don’t even provide any tools to debug hardware issues, and if you ask me this problem was probably embedded in their system so we buy a new phone every 2-3 years. Fing sc****++ :frowning:

NOTE: I found this https://alephsecurity.com/2018/01/22/qualcomm-edl-2/ which seems interesting, will give it a try if I can.


#7

So why do you say that you are unable to enable unlocking in the developer menu?


#8

Because I can’t boot into the operating system at all.
The phone decided 2 weeks ago that it was a good time to stop working, so I could only get to fastboot and recovery, but no further.

Here’s what anyone should do if they’re in a similar situation:

  1. Do a full unbrick method 2 here : https://forums.oneplus.com/threads/guide-mega-unbrick-guide-for-a-hard-bricked-oneplus-3.452634/ (this won’t bring your phone back yet)…
  2. Download OxygenOS 4.0.0 (Android 7.0) , OnePlus3Oxygen_16_OTA_035_all_1612310359_e10cadfb2af7.zip
  3. adb sideload the file above when in recovery. Why this version? Because it’s vulnerable to CVE-2017-5626 and CVE-2017-5624.
  4. Weirdly enough, my phone came back from the dead after this; however, if it hadn’t worked (as I was expecting), I would go into fastboot mode and unlock the bootloader from there with:
    fastboot oem 4F500301
    Which will completely bypass the oem mechanism and will unlock your bootloader even if you can’t boot the system and go to the developer menu.

This backdoor was removed by OnePlus with OxygenOS 4.0.2 (“patched”).


#9

Just wanting to thank everyone for the support and this great community, which kept me looking for a solution. Hopefully the information shared here will help other users stuck at the same place, since OnePlus support told me that this is probably a hardware problem and most probably they’d replace the mainboard if I sent it to them (which would be a total rip-off).