This backdoor was removed by OnePlus with OxygenOS 4.0.2 (“patched”).

I was going to put a sort of bad answer here. Which will completely bypass the OEM mechanism and will unlock your bootloader even if you can’t boot the system and go to the developer menu.

$ strings emmc_appsboot.mbn | grep locked
Device is unlocked! Skipping verification…

The good news is that I’m quite sure if I make the device boot from this aboot, it won’t be locked since:

Verified boot.img with embedded certificate in boot image
Unable to extract public key from certificate
RSA KEY found from the embedded certificate
Use embedded certificate for verification
RSA is null from the embedded certificate

The OP3 file is 2x bigger, and a diff for “strings emmc_appsboot.mbn | grep cert” between the 2 gave me this:

No, it didn’t end up well after all, the phone didn’t boot up at all… However I flashed back via EDL the OP3 emmc_appsboot.mbn and I’m back to ground 0.

Let’s see what happens when I replace OnePlus3 aboot with this one…

UPDATE: I just finished compiling emmc_appsboot.mbn and signed as well.

PS: don’t worry about wreaking havoc on this device by suggesting something that can be highly experimental, I’ve already hard bricked and come back from it… So, we’re fine.

In fastboot the device says msm8996, so am I not using here the source code for DB820?

About arm-eabi, I’m using arm-eabi-4.8, hopefully that’s ok. I have as well downloaded the files for signlk.git. I have downloaded the lk, and actually I see this inside

$ tree msm8996

There’s a md5 checksum at boot up, should I be concerned with the “unlocked” bootloader that this won’t happen and actually the phone will boot?
Or rather, it’s enough to compile the emmc_appsboot.mbn and I use the same files from the official firmware for the rest of the mbn/elf/bin’s?
What are the other files for, and how can I build those?
How, and what should I do to correctly build an unlocked aboot / emmc_appsboot.mbn?

However, the arm-eabi link doesn’t download correctly, and I don’t know what framework I should use to actually build the files (I’m on Arch Linux).

signlk/signlk.sh -i=./build-msm8916/emmc_appsboot_unsigned.mbn -o=./build-msm8916/emmc_appsboot.mbn -d
mv build-msm8916/emmc_appsboot.mbn build-msm8916/emmc_appsboot_unsigned.mbn
make -j4 msm8916 EMMC_BOOT=1 TOOLCHAIN_PREFIX=./arm-eabi-4.8/bin/arm-eabi-

What I find / and what step I’m in at the moment.

As far as I understood, aboot, or the bootloader I see when starting the phone on “fastboot” is handled by emmc_appsboot.mbn, the files are as well signed so I can’t simply hex-edit and flash.

Since my phone fails to boot even after reflashing everything (original) in EDL mode, I’d like to try the same with the unlocked bootloader, then if that doesn’t work, load a custom kernel from fastboot and see what’s going on with the logs. However, after I flash them in, I’d like to have my bootloader unlocked.

I’m interested in recompiling the firmware files (below those included in OnePlus3 official OTA update).

I’m also not by definition a programmer so, please keep that in mind if I ask something stupid. I’m not sure if this is the right section since my board in this case is Qualcomm MSM8996 Snapdragon 820 (14 nm) : OnePlus3 smartphone.