Pixel C issue: semi-locked bootloader (says is unlocked, but impossible to flash anything)


Milosz Derezynski

Jan 10, 2016, 12:21:19 AM
to Chromium OS discuss
(I thought that this group might be appropriate for asking about the Pixel C)

Hi Everyone,

I ported TWRP to the Pixel C, and created a boot image that allows for rooting with SuperSU. Everything worked fine except that root wasn't fully working. One XDA user resorted to flashing SuperSU 2.66 systemless via TWRP, which I advised against since I am well aware of the boot image format used by the Pixel C, and didn't think that the SuperSU boot image patcher can handle this properly.

That worked for root, but it turns out that this semi-bricked his device (and the same happened to me while testing something related):

- the bootloader is unlocked (Coreboot menu says so)
- fastboot says "secure: yes" but "unlocked: yes" too
- "fastboot flashing get_unlock_ability" returns "1"
- "fastboot flashing unlock" says that the bootloader is already unlocked

and..

- it is not possible to flash anything in fastboot (returns "remote: unsupported command" for all targets, even the bootloader itself)

Now our question here is: is there any way to unbrick it from the state it's in now? Preferably with methods available outside of Google's own labs ;-)


TIA,
M.

Hung-Te Lin

Jan 10, 2016, 10:22:48 PM
to mdere...@gmail.com, Chromium OS discuss
Sounds like you've wiped all partitions (or the partition table) and corrupted the settings for Android Factory Reset Protection (FRP).
The best solution is probably to recover via adb sideload.
If that does not work (since you may have already changed the partition table or replaced the recovery program) then you should send it back for RMA.

--
--
Chromium OS discuss mailing list: chromium-...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-os-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Chromium OS discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-os-dis...@chromium.org.

Milosz Derezynski

Jan 11, 2016, 1:59:48 AM
to Hung-Te Lin, Chromium OS discuss

That is not at all what happened. Since the Pixel C is really a ChromeOS device, it restored the RO bootloader and the write protection was turned on.

But how do you turn off WP on the Pixel C without access to developer console and flashrom?

M.

Hung-Te Lin

Jan 11, 2016, 3:33:16 AM
to Milosz Derezynski, Chromium OS discuss
FRP and the partition table are all on eMMC, not protected by the write protection.

Bootloader (fastboot) tries to read the partition table and find FRP partition (and read the information).
If that is not properly set then fastboot will not allow you to reflash anything (by returning 'unsupported command') even if the device is locked.

Milosz Derezynski

Jan 11, 2016, 3:45:26 AM
to Hung-Te Lin, Chromium OS discuss
I read the depthcharge fastboot code and the code for board smaug: the most likely explanation is that the fastboot_full_cap flag is not set in nvram (it must have been reset).

Mind you, the device can still boot into Android, even into TWRP (a custom Android recovery I've installed), and I can even install kernels etc. through the recovery, but fastboot itself does not allow flashing.

References:

Fastboot checking for capabilities:

Fastboot Capabilities checking nvram for fastboot_full_cap:

"secure" var is set to "yes" if FLASH capability is not set:
Regards
M.
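To make the three rules in the post above concrete, here is an added model of the capability gating, written for this thread and not taken from depthcharge or the smaug board code. The names Nvram, FLASH_CAP, fastboot_command and diagnose are assumptions chosen for the example; the modelled behaviour is only what the posts state: capabilities come from the fastboot_full_cap nvram flag, "secure" reports "yes" whenever the FLASH capability is absent, and flash requests get "unsupported command" in that case even though the device reports itself as unlocked.

```python
# Model of the fastboot capability gating described in the thread.
# Example code, not depthcharge's; Nvram, FLASH_CAP, fastboot_command and
# diagnose are names assumed for this illustration.
from dataclasses import dataclass


@dataclass
class Nvram:
    """The three pieces of vboot nvram state the thread talks about."""
    unlocked: bool           # what the Coreboot menu and getvar "unlocked" report
    unlock_ability: bool     # "fastboot flashing get_unlock_ability"
    fastboot_full_cap: bool  # the fastboot_full_cap flag (treated as a boolean here)


FLASH_CAP = "FLASH"  # assumed capability name for the example


def capabilities(nv: Nvram) -> frozenset:
    """Full capabilities only when fastboot_full_cap is set; nothing otherwise."""
    return frozenset({FLASH_CAP}) if nv.fastboot_full_cap else frozenset()


def fastboot_command(nv: Nvram, cmd: str) -> str:
    """Answer one fastboot request the way the posts describe the bootloader doing."""
    caps = capabilities(nv)
    if cmd == "getvar:secure":
        # "secure" is derived from the FLASH capability, not from the lock state.
        return "OKAY no" if FLASH_CAP in caps else "OKAY yes"
    if cmd == "getvar:unlocked":
        return "OKAY yes" if nv.unlocked else "OKAY no"
    if cmd == "flashing get_unlock_ability":
        return "OKAY 1" if nv.unlock_ability else "OKAY 0"
    if cmd == "flashing unlock":
        if nv.unlocked:
            return "FAIL already unlocked"
        return "OKAY" if nv.unlock_ability else "FAIL unlock not allowed"
    if cmd.startswith("flash:"):
        # Refused for every target, the bootloader partition included.
        return "OKAY" if FLASH_CAP in caps else "FAIL remote: unsupported command"
    return "FAIL unknown command"


def diagnose(nv: Nvram) -> str:
    """Classify the device from the same three flags: locked, unlocked, or limbo."""
    if not nv.unlocked:
        return "locked"
    if FLASH_CAP in capabilities(nv):
        return "unlocked"
    # Unlocked, allowed to unlock, but no flash capability: the "semi-locked" state.
    return "limbo"


if __name__ == "__main__":
    stuck = Nvram(unlocked=True, unlock_ability=True, fastboot_full_cap=False)
    for cmd in ("getvar:secure", "getvar:unlocked", "flashing get_unlock_ability",
                "flashing unlock", "flash:bootloader"):
        print(f"{cmd:32} -> {fastboot_command(stuck, cmd)}")
    print("diagnosis:", diagnose(stuck))
```

Running it with the flags the first post reports (unlocked, unlock ability 1, full cap cleared) reproduces every symptom listed there: "secure: yes" next to "unlocked: yes", "already unlocked" from a second unlock attempt, and "unsupported command" for any flash target. The point of the model is that none of the three answers contradict each other once "secure" is understood as the FLASH capability rather than the lock state.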



Milosz Derezynski

Jan 11, 2016, 10:57:18 AM
to Hung-Te Lin, Chromium OS discuss
OK, so I've ported ectool to the Pixel C, which works through /dev mode (/dev/cros_ec is available).

The output of "ectool switches":

Current switches:   0x00
Lid switch:         CLOSED
Power button:       UP
Write protect:      ENABLED
Dedicated recovery: DISABLED

And of "ectool flashinfo":

Flash protect flags: 0x0000000f wp_gpio_asserted ro_at_boot ro_now all_now
Valid flags:         0x0000003f wp_gpio_asserted ro_at_boot ro_now all_now STUCK INCONSISTENT
Writable flags:      0x00000000

Am I assuming correctly that either the HW or SW write protection is enabled?

Lastly my question: where is the hardware write protection screw on the Pixel C?


Regards
Milosz
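As an added helper (example code written for this thread, not part of ectool), the following reads the two ectool outputs quoted above and answers the question the post asks, namely which kind of write protection is active. The function names are assumptions; the interpretation follows the flag names ectool itself prints: wp_gpio_asserted is the hardware write-protect line (matching "Write protect: ENABLED" from ectool switches), ro_at_boot/ro_now/all_now are the protection requested in software, STUCK and INCONSISTENT are error flags, and "Writable flags" lists what could still be changed from software in the current state.

```python
# Parse `ectool switches` and `ectool flashinfo` output and summarise the
# write-protect state. Example code for this thread, not part of ectool;
# parse_switches, parse_flashinfo, classify_write_protect and
# diagnose_write_protect are names assumed for the illustration.
import re

# Constructed sample: a copy of the output quoted in the post above.
ECTOOL_SWITCHES = """\
Current switches:   0x00
Lid switch:         CLOSED
Power button:       UP
Write protect:      ENABLED
Dedicated recovery: DISABLED
"""

ECTOOL_FLASHINFO = """\
Flash protect flags: 0x0000000f wp_gpio_asserted ro_at_boot ro_now all_now
Valid flags:         0x0000003f wp_gpio_asserted ro_at_boot ro_now all_now STUCK INCONSISTENT
Writable flags:      0x00000000
"""

# "<label> flags: 0x<hex> <name> <name> ..."
FLAG_LINE = re.compile(r"^(\w[\w ]*?) flags:\s+0x([0-9a-fA-F]+)\s*(.*)$")


def parse_switches(text: str) -> dict:
    """'Key: VALUE' lines of `ectool switches` -> {key (lower case): value}."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


def parse_flashinfo(text: str) -> dict:
    """Flag lines of `ectool flashinfo` -> {label (lower case): (int value, set of names)}."""
    out = {}
    for line in text.splitlines():
        m = FLAG_LINE.match(line)
        if m:
            out[m.group(1).lower()] = (int(m.group(2), 16), frozenset(m.group(3).split()))
    return out


def classify_write_protect(switches: dict, flashinfo: dict) -> dict:
    """Summarise the WP state and check that both sources agree on the hardware line."""
    _, protect = flashinfo["flash protect"]
    writable_value, _ = flashinfo["writable"]
    gpio_from_ec = "wp_gpio_asserted" in protect
    gpio_from_switch = switches.get("write protect") == "ENABLED"
    return {
        "hardware_wp": gpio_from_ec,
        "hardware_wp_consistent": gpio_from_ec == gpio_from_switch,
        "software_ro_protection": bool(protect & {"ro_at_boot", "ro_now"}),
        "all_regions_protected_now": "all_now" in protect,
        "error_flags": sorted(protect & {"STUCK", "INCONSISTENT"}),
        # Writable flags == 0: nothing can be changed from software in this state.
        "changeable_from_software": writable_value != 0,
    }


def diagnose_write_protect(switches_text: str = ECTOOL_SWITCHES,
                           flashinfo_text: str = ECTOOL_FLASHINFO) -> dict:
    """Convenience wrapper: parse both outputs and classify them."""
    return classify_write_protect(parse_switches(switches_text),
                                  parse_flashinfo(flashinfo_text))


if __name__ == "__main__":
    for key, value in diagnose_write_protect().items():
        print(f"{key:28} {value}")
```

On the quoted output the answer to the post's question is "both": the hardware line is asserted and the RO-at-boot/RO-now protection is in effect, with no error flags, and a writable mask of zero means none of it can be released from software while the hardware line stays asserted.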

Stephen

Jan 11, 2016, 5:43:21 PM
to Chromium OS discuss, hun...@chromium.org, Furquan Shaikh
+furquan

It looks like what happened here is dev mode is on, but the fastboot unlock process failed to update the fastboot full cap flag in SPI flash. So you're stuck in a limbo state where the device is in dev mode but won't let you flash. The workaround I've done for this is to lock the bootloader (virtual dev switch to off), then unlock it again. Of course, you'd have to be running a signed public build for that to work.

Furquan, any ideas what we can do to prevent getting stuck in this state? I've run into some units occasionally that show the same problem but I just overwrite the GBB flags to fix it... not an option on a write protected system.

FYI since I don't think we've posted docs anywhere: the write protect screw is the front camera flex. Removing it requires heating up the display to weaken the adhesive keeping it on.


Milosz Derezynski

Jan 11, 2016, 5:50:38 PM
to smba...@chromium.org, Chromium OS discuss, hun...@chromium.org, Furquan Shaikh
Hey Stephen,

OK so with the current state of the device (a custom developer signed kernel image), what would happen if I locked the bootloader? Is the unlockability flag then reset just like on Nexus devices, so I wouldn't be able to unlock again? I'm just curious at this point what exactly would prevent unlocking it again.

Mike Frysinger

Jan 11, 2016, 6:16:00 PM
to mdere...@gmail.com, Hung-Te Lin, Chromium OS discuss
how are you qualifying it as a "ChromeOS device" ?  it runs Android, not Chrome OS.
-mike

Stephen Barber

Jan 11, 2016, 9:55:52 PM
to Milosz Derezynski, Chromium OS discuss, hun...@chromium.org, Furquan Shaikh
I don't think the unlock flag is reset when the device is locked. However, I don't think there are any safeguards in place to prevent you from locking the device into an unbootable state. At the very least you'll need a stock, signed recovery in order to be able to re-unlock.

Steve

Milosz Derezynski

Jan 12, 2016, 5:13:13 AM
to Stephen Barber, Chromium OS discuss, hun...@chromium.org, Furquan Shaikh

OK so, the status of the device is:

There is a custom kernel (dev signed) installed, a custom recovery but a stock system image. Is there any course of action I can take to remedy this issue?

I know I can't flash a bootloader manually, but would it be an option to write directly to the Android recovery partition from the custom recovery (or even Android) and thus flash the stock recovery, then lock and unlock again?

So far trying to reset the kernel and firmware nvram via the TPM was unsuccessful, I can't seem to switch the TPM to physical presence mode.

Regards
Milosz

Stephen Barber

Jan 12, 2016, 11:43:35 AM
to Furquan Shaikh, Milosz Derezynski, Chromium OS discuss, hun...@chromium.org
Furquan's actually not on Chromium OS discuss so his reply bounced, see below.

Milosz, do you have a root shell and access to fwtool? It should be on the stock recovery images I think, or if not it's buildable from AOSP. If you can get fwtool on there, you can reenable full fastboot capabilities with:
fwtool vbnv write dev_boot_fastboot_full_cap 1 

On Tue, Jan 12, 2016 at 8:38 AM, Furquan Shaikh <fur...@chromium.org> wrote:


On Tue, Jan 12, 2016 at 2:12 AM, Milosz Derezynski <mdere...@gmail.com> wrote:

OK so, the status of the device is:

There is a custom kernel (dev signed) installed, a custom recovery but a stock system image. Is there any course of action I can take to remedy this issue?

I am curious: What are the steps that you followed on this device? How did the fastboot full cap flag get disabled? It seems like you have flashed a custom recovery as well as a custom kernel image, which means that you had that flag enabled at some point in time.

Another question: Do you have root access enabled on this device? If yes, then it would be easy to set the required flag again.

I know I can't flash a bootloader manually, but would it be an option to write directly to the Android recovery partition from the custom recovery (or even Android) and thus flash the stock recovery, then lock and unlock again?

So far trying to reset the kernel and firmware nvram via the TPM was unsuccessful, I can't seem to switch the TPM to physical presence mode.

This flag does not live in the TPM. Instead it lives in the NVRAM region on SPI flash. 

Douglas Kryder

Jan 12, 2016, 4:58:24 PM
to Chromium OS discuss, fur...@chromium.org, mdere...@gmail.com, hun...@chromium.org
Hello,
if you have a method to restore the bootloader function, I would appreciate hearing it. Thank you.

Milosz Derezynski

Jan 12, 2016, 5:05:44 PM
to Stephen Barber, Furquan Shaikh, Chromium OS discuss, hun...@chromium.org
Stephen, Furquan,

This was it! Thank you very much!! I was able to build fwtool within AOSP. Now the device is unlocked again!

Kind Regards
Milosz

Douglas Kryder

Jan 12, 2016, 5:40:58 PM
to Chromium OS discuss, smba...@chromium.org, fur...@chromium.org, hun...@chromium.org
Yes, I seem to have found good results with the fwtool command, so thanks to Milosz, Furquan, Stephen and all others who posted to help. Thank you.

Milosz Derezynski

Jan 13, 2016, 10:55:24 AM
to dkr...@gmail.com, Chromium OS discuss, smba...@chromium.org, fur...@chromium.org, hun...@chromium.org

A follow-up from me to address Furquan's question of how this happened in the first place:

I've adapted and built TWRP (a custom Android recovery) for the Pixel C utilizing an AOSP fork, and installed it via fastboot.

The next step for me was to root the device. After a few tries I had built a kernel image that was dev signed, bootable, flashable, and contained the necessary changes to the ramdisk for root.

I flashed this kernel, and so far, everything was fine.

Then I found that root was not fully working, but it wasn't clear to me what was missing. Someone on the TWRP or kernel thread on XDA suggested simply flashing SuperSU.

Well, that was of course a terrible idea, since SuperSU modifies the boot image, but anyway, at this point, none the wiser, I and a few others did it.

What I recall when I tried rebooting the device just after flashing the SuperSU package is that the Pixel C showed "Need to apply a critical firmware update" on the same screen where you usually see the unlocked warning.

However I was keeping power+vol down pressed to get into the Coreboot menu so maybe I have actually interrupted something, since just after that, the RW bootloader was reset and fastboot was inaccessible even though the device was, and had been, unlocked.

This is what I can recall, maybe it is of some use.

Kind Regards

Milosz


Vala

Mar 22, 2016, 5:26:34 PM
to Chromium OS discuss, dkr...@gmail.com, smba...@chromium.org, fur...@chromium.org, hun...@chromium.org
@Milosz I have the exact same problem as you, but do not understand how you managed to solve it. Please tell me how to unbrick mine.

Steven Max Patterson

Jul 24, 2016, 3:30:10 AM
to Chromium OS discuss
Here's how I fixed the problem: "Flashing to stock Android NPD90G from TWRP error: 'remote: unsupported command'". I'm now running NPD90G stock.

Douglas Kryder

Jul 24, 2016, 4:02:52 AM
to stevepatt...@gmail.com, Chromium OS discuss
Sounds like you need to use the fwtool utility to attempt fixes.

lllo...@gmail.com

Mar 6, 2018, 5:03:50 AM
to Chromium OS discuss
Hi guys,

Is there a way to set the fastboot_full_cap value temporarily in fastboot mode?
Or can we somehow reboot into fastboot with the correct value pushed?
I have a device with the same issue, but unfortunately I have no recovery and cannot use the fwtool utility.

Regards

On Sunday, January 10, 2016 at 7:21:19 UTC+2, Milosz Derezynski wrote:

Hendriniaina Manoa Rakotoarimanana

Aug 1, 2018, 3:20:44 AM
to Chromium OS Discussion
Hi, I am in the same situation, but I have not yet tried disabling the hardware protection (it requires opening the device) and I don't know if it will work. If anyone finds a solution to this problem, could he/she tell me how?

Piotr Gly

Aug 11, 2018, 1:17:35 AM
to Chromium OS Discussion
Hi Milosz

I have the same issue with a semi-locked bootloader, but my case is a bit more complicated; I wish to give more info at any other place.
Thanks

Regards


Piotr G.