|
| 1 | +--- |
| 2 | +title: Firmware rollback |
| 3 | +--- |
| 4 | + |
| 5 | +import sticker4 from "@site/static/assets/sticker4.png" |
| 6 | +import sticker5 from "@site/static/assets/sticker5.jpg" |
| 7 | + |
| 8 | +## ANTI_ROLLBACK |
| 9 | +ANTI_ROLLBACK protection is activated in our device. |
| 10 | +Is a mechanism used in devices to prevent the installation of older firmware versions that may be vulnerable or insecure. It checks the firmware version before installing it. |
| 11 | + |
| 12 | +You can rollback to an earlier firmware version only if you have [unlocked bootloader](../dev/bootloader.md) |
| 13 | + |
| 14 | +P.S. There is also an [incident where it was possible to rollback the device via RSA](https://youtu.be/OQetN5hAZoU?si=9-W1bdUpbhkLX1VT) when the firmware version has not yet been updated in another region. |
| 15 | + |
| 16 | + |
| 17 | + |
| 18 | +## Rollback A14 => A14 |
| 19 | +Rollback to the same version of android, but earlier build is possible and the risks of getting hard brick are close to zero, it is quite a safe operation. |
| 20 | + |
| 21 | +1. Download your firmware archive from [lolinet](https://mirrors.lolinet.com/firmware/lenomola/2023/penangf/official/) |
| 22 | +2. Clone the [fuckyoumoto](https://github.com/moto-penangf/fuckyoumoto) repository |
| 23 | +3. Unpack the firmware archive and run the ```flash_stock.sh``` script with the argument |
| 24 | + ``` |
| 25 | + $ ./flash_stock.sh <firmware_directory> |
| 26 | + ``` |
| 27 | + |
| 28 | +## Rollback A14 => A13 |
| 29 | +:::warning |
| 30 | +There is a high probability to get a Hard Brick, which can be restored only via [JTAG](../dev/jtag.md) |
| 31 | + |
| 32 | +Do this only if you know what you are doing and if you have all the equipment to restore the phone via [JTAG](../dev/jtag.md) |
| 33 | +::: |
| 34 | + |
| 35 | +The problem is that A14 had the boot partition split into boot and vendor_boot partitions. |
| 36 | + |
| 37 | +Also, worst and most dangerous of all, the preloader was heavily modified |
| 38 | + |
| 39 | +### Failed attempts |
| 40 | +#### Rollback without flashing preloader |
| 41 | +It will not be enough for you to rollback the firmware according to the above instructions (A14 => A14), you will get a bootloop |
| 42 | + |
| 43 | +##### UART Logs |
| 44 | +````shell |
| 45 | +[10093] mblock_reserve-R[20].start: 0x78000000, size: 0x1600000 map:1 name:ap_md_c_smem |
| 46 | +[10096] [cmdline clear] clear str size=31 |
| 47 | +[10097] g_cmdline size: 1426 |
| 48 | +[10098] cmdline: console=tty0 console=ttyS0,921600n1 root=/dev/ram vmalloc=400M slub_debug=OFZPU swiotlb=noforce cgroup.memory=nosocket,nokmem f |
| 49 | +[10101] : irmware_class.path=/vendor/firmware page_owner=on loop.max_part=7 has_battery_removed=0 loop.max_part=7 androidboot.boot_device |
| 50 | +[10104] : s=bootdevice,soc/11230000.mmc,11230000.mmc,soc/11230000.msdc,11230000.msdc androidboot.securefuse=on androidboot.secureAttKey=A |
| 51 | +[10106] : A androidboot.secureDrmKey=AA androidboot.ApNvState=0 androidboot.PayJoyImei=NS androidboot.hri_sd=0C81B80A5D2ED0817659FD96EBA2 |
| 52 | +[10109] : 31AB94CA01478024B83383D90BFF3FCAEC47 androidboot.lcm=icnl9916_hdp_dsi_vdo_tm ramoops.mem_address=0x4d010000 ramoops.mem_size=0x |
| 53 | +[10112] : e0000 ramoops.pmsg_size=0x10000 ramoops.console_size=0x40000 bootopt=64S3,32N2,64N2 buildvariant=user root=/dev/ram androidboo |
| 54 | +[10115] : t.slot_suffix=_a androidboot.slot=a androidboot.verifiedbootstate=orange androidboot.atm=disabled androidboot.hardware.sku=XT23 |
| 55 | +[10117] : 31-2 androidboot.ramsize=4 androidboot.boardid=16 androidboot.hardware.revision=PVT androidboot.channelmodelname=reteu androidb |
| 56 | +[10120] : oot.odmcarrier= androidboot.targetproduct=penangf_gen androidvendor.manufacturedate=2023 androidboot.force_normal_boot=1 androi |
| 57 | +[10123] : dboot.meta_log_disable=0 androidboot.product.vendor.sku=SKUA mtk_printk_ctrl.disable_uart=0 androidboot.serialno=xxxxxxxxxx and |
| 58 | +[10125] : roidboot.battid=SB18D69209 androidboot.factorymode=0 androidboot.bootreason=kernel_panic gpt=1 usb2jtag_mode=0 androidboot.dtb_ |
| 59 | +[10128] : idx=0 androidboot.dtbo_idx=16 |
| 60 | +[10129] lk boot mode = 0 |
| 61 | +[10130] lk boot reason = 4 |
| 62 | +[10130] lk finished --> jump to linux kernel 64Bit |
| 63 | + |
| 64 | +[10131] |
| 65 | +[LK]jump to K64 0x40080000 |
| 66 | +INFO: [ATF](0)[17.659776]clear_all_on_mux |
| 67 | +INFO: [ATF](0)[17.660272]SPM: enable CPC mode |
| 68 | +INFO: [ATF](0)[17.660810]save kernel info |
| 69 | +INFO: [ATF](0)[17.661305]bl31_prepare_kernel_entry: return to GZ! |
| 70 | +INFO: [ATF](0)[17.662059]el3_exit |
| 71 | +```` |
| 72 | + |
| 73 | +#### Rollback, including preloader |
| 74 | +:::warning |
| 75 | +We're warning you again! There is a high probability to get Hard Brick by flashing the preloader **and you will not be able to repair it without special equipment** |
| 76 | +::: |
| 77 | + |
| 78 | +The last of the experiments resulted in a hard brick that was recovered using [JTAG](../dev/jtag.md) |
| 79 | + |
| 80 | +<img src={sticker4} width="200" /> |
| 81 | + |
| 82 | +#### UART Logs |
| 83 | +````shell |
| 84 | +F0: 102B 0000 |
| 85 | +F3: 0000 0000 [0200] |
| 86 | +V0: 8012 0000 [0001] |
| 87 | +00: 1017 0000 |
| 88 | +F3: 4002 0000 [0200] |
| 89 | +01: 102A 0001 |
| 90 | +02: 0007 8000 |
| 91 | +03: 4002 0000 |
| 92 | +BP: 0800 0288 [0001] |
| 93 | +EC: 0000 0000 [0000] |
| 94 | +CC: 0000 0000 [0005] |
| 95 | +T0: 0000 00B4 [000F] |
| 96 | +System halt! |
| 97 | +```` |
| 98 | + |
| 99 | +#### The theory of why we got Hard Brick |
| 100 | +:::note |
| 101 | +Further testing is required, information will be updated after testing |
| 102 | +::: |
| 103 | + |
| 104 | +preloader a14 differs from preloader a13 in size by only 4KB. And maybe it was enough to call System Halt. |
| 105 | + |
| 106 | + |
| 107 | + |
| 108 | +The problem would have been less significant if mtkclient had correctly flashed a smaller preloader and filled the remaining space after the image with zeros. |
| 109 | + |
| 110 | +But damn it, it's not working the way it's supposed to. |
| 111 | + |
| 112 | +##### Comparing dump and preloader file |
| 113 | +<img src={sticker5} width="200" /> |
| 114 | + |
| 115 | +We did a dump of the preloader via JTAG, cut the place where there should be only zeros (the last address where the bytes should be located is ```000507d0```) |
| 116 | + |
| 117 | +And compared them once again. |
| 118 | + |
| 119 | +And maybe that's the problem, because **we found garbage from the old preloader a14!** (those bytes that were not overwritten). |
| 120 | + |
| 121 | + |
| 122 | + |
| 123 | +##### Possible solution |
| 124 | +We should try [flashing the full preloader dump](https://github.com/moto-penangf/dumps/releases) (which is 4MB in size) and it will definitely overwrite the entire partition and leave no garbage like it does with the official image. |
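Review bot: the "Possible solution" paragraph at the end (line 124 of the file) states that flashing the full 4MB preloader dump "will definitely overwrite the entire partition and leave no garbage", but the section it belongs to is marked `:::note Further testing is required`, so the claim is untested; change "will definitely" to "should" and keep the note, so readers do not treat an unverified fix as confirmed on a path already flagged as a likely hard brick. The same section and step 3 of the A14 => A14 procedure use triple backticks for inline code (```000507d0```, ```flash_stock.sh```); use single backticks, and give the fenced block under step 3 a language tag and indentation that keeps it inside the list item so it renders as part of the step. Both UART log fences are tagged `shell` although they contain boot-log output rather than shell commands; tag them `text` (or `log`) so highlighting is not misleading. In the ANTI_ROLLBACK paragraph, "Is a mechanism used in devices to prevent..." is missing its subject and should read "It is a mechanism...". Finally, the first UART log redacts the serial number (`androidboot.serialno=xxxxxxxxxx`) but leaves `androidboot.hri_sd=0C81B80A5D2ED081...` and `androidboot.battid=SB18D69209` in the cmdline; check whether those are device-unique values and redact them the same way before publishing.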