Trapped in fastboot mode with locked bootloader and corrupted custom ROM

I managed to set get_unlock_ability back to 1 again (with an unlocked bootloader, don’t get your hopes up) by using Magisks resetprop

adb shell su -c 'resetprop ro.boot.flash.locked 1'

…and switching the OEM toggle in developer settings back to on.
Magisk for the rescue again :metal:

We should advise people to check fastboot flashing get_unlock_ability before locking the bootloader.
It’s a bit of a hassle having to set up Magisk just to reset that flag, but beats bricking the phone. Maybe there’s another way to fix this :thinking:

14 Likes

I mentioned that (already as we diskussed this the first time) as a a imortant step in my instruction to install iodé.

1 Like

Hi there, thank you all for your contributing to this thread!
We’ve been following it closely and your feedback has not gone unheard.

There is a new package for manual installation available for download here, it’s for build 107 - the latest at time of writing. The script now addresses an error that can be introduced by installing software manually. As long as you use the latest available package, you should not be getting stuck in Fastboot mode.

As always - in case of any issues, #contactsupport
Cheers

12 Likes

Thank you very much for this!
Could you explain a bit more what the problem is? So that we understand it and the community also knows what to do in case of further problems?

I did a quick diff and here’s the most obvious change i could find:

echo "INFO: Deleting factory reset partition"
    ${FASTBOOT_BIN} erase frp

was changed to

echo "INFO: Deleting factory reset partition"
    flash_image_or_abort "${sn}" frp "${IMAGES_DIR}/frp_for_factory.img"
    flash_image_or_abort "${sn}" devinfo "${IMAGES_DIR}/devinfo_for_factory.img"

Those two images mentioned above have also been added to the included images.

Last but not least, the slot is now automatically changed to a:

echo "INFO: Activating partition slot A"
  fastboot --set-active=a

The rest seems to be mostly linting as far as I can tell :thinking:

7 Likes

Thanks for this!

Can confirm that for me the get_unlock_ability flag unexpectedly changed as well to 0, in my case when going from e/os to CalyxOS without having OEM-locked the phone at any point:

From stock to e/os

  • Fresh FP4
  • OEM unlock on untouched stock OS
  • bootloader unlock and unlock_critical
  • checking: get_unlock_ability=1
  • flashing e/os, worked fine
  • still get_unlock_ability=1
  • bootloader lock and lock_critical
  • still get_unlock_ability=1

From e/os to CalyxOS

  • bootloader unlock and unlock_critical
  • still get_unlock_ability=1
  • flashing CalyxOS
  • get_unlock_ability=0, OEM unlocking greyed out while bootloader is still unlocked (which I will not lock for now, of course, until I get that flag set back to 1)
2 Likes

So now, the big question is: how can this done easily?

In /e/OS “root debugging” can be enabled. Maybe in CalyxOS too? If yes, is it possible after enabling it to type in the adb command mentioned by @hirnsushi
and execute it without using magisk? :thinking:

Interesting. From the name of the command I have an idea what it does, but a google search only revealed some posts in the FP-forum from 2017 or so. Where did the ${FATBOOT_BIN} go?

All in all, does this in any way help to figure out what is going wrong and help to recover already bricked devices?

Doesn’t it make sense that OEM unlocking is greyed out when the bootloader is unlocked? From the wording I would think it does.

Not in iodè
Not in calyxOS

Both are privacy and security focused with verified boot. root and root debugging is not part of this philosophy…

Both are possible to root
But is not suggested and not supported and not the Default

resetprop is a feature of Magisk to change read-only properties, so no. But installing the Magisk app and fastboot booting a Magisk patched boot.img should be enough for this to work.

That’s a function declared somewhere else in the script, has been used before to flash the other partitions. It’s essentially a fancy way of saying fastboot flash foo with some error handling. ${FASTBOOT_BIN} is just a variable to point to the included fastboot.

It does, that’s why we need to set ro.boot.flash.locked to 1 so the system thinks the bootloader is locked and the toggle gets enabled.

1 Like

But only in /e/OS
Not in iodè and calyx because of verified boot. Both does not allow to boot any not signed images, recoverys or kernels

1 Like

We are talking unlocked bootloader here, that only applies if you locked it, I’m running Magisk on Calyx right now.
How else would I have been able to change that property on a Calyx device that got changed to get_unlock_property=0?

The part in bold is important here. This isn’t a way to revive bricked phones, only a possibility to maybe save people beforehand.

4 Likes

I would like to give this a try since I want to use CalyxOS with a locked bootloader. However, I’ve never used Magisk or patched a boot.img to use it – would it be possible for you to point me in the right directions to get started/roughly guide me what I need to do? I would very much appreciate the help!

thanks a lot hirnshushi.
You show a working but not so easy way.
I think, no problem for an expierienced user. But for a novice, it is more than easy.

Maybe there will be an easy solution in the future…

2 Likes

Sure :slightly_smiling_face:
Keep in mind that I haven’t tested this, because I didn’t lock my bootloader afterwards and I can’t guarantee that there’s no possibility left to brick your phone!

With that out of the way, download the boot.img and the Magisk.apk (for others trying this on a different ROM, please use the corresponding boot.img for that ROM!) from those two links to your PC…

…and enable ADB debugging on your FP4 if you haven’t already.

  • Install the Magisk app by either running adb install Magisk-v24.3.apk or transferring the .apk to your phone
  • adb reboot bootloader and fastboot boot calyx-3.3.2_magisk_boot.img should boot you into a Magisk enabled Calyx
  • adb shell su -c 'resetprop ro.boot.flash.locked 1' should show a prompt on your phone screen to grant root privileges…
  • Change OEM unlocking to on in Developer options.
  • adb reboot bootloader and most importantly check if fastboot flashing get_unlock_ability actually returns 1
  • :pray: Pray to the ancient gods :smirk:
  • fastboot flashing lock

There might be, I only went with the tools I know, so others more knowledgeable in low level stuff maybe can help here :thinking:

7 Likes

Thank you very much for the guide – OEM re-enabling worked! After having booted with the patched boot.img and issuing adb shell su -c 'resetprop ro.boot.flash.locked 1', OEM unlocking can be toggled again and in fastboot, get_unlock_ability is back to 1.

Before attempting to lock the bootloader, I rebooted again normally without the patched boot.img. OEM unlocking still is set to “on”, but again cannot be toggled anymore (greyed-out) – is this same for you? For me, it would be enough (I do not need to change OEM locking as I did not before on e/os as long as it is ON).

Just want to confirm everything before I attempt locking…

EDIT: Just realized, that OEM unlocking is grayed out regardless of the state of get_unlock_ability as it can be only toggled after issuing adb shell su -c 'resetprop ro.boot.flash.locked 1' granting super-user rights. As it stays “ON”, I should be safe locking the bootloader… (being nervous, nevertheless)

1 Like

I’m glad it worked without problems so far :+1:

That’s correct, yes, ro.boot.flash.locked is set back to 0 once you reboot, that flag gets set automatically if the bootloader is unlocked. We only changed it temporarily to make the OEM unlocking toggle changeable.

I hope it is, I wish you luck.
:crossed_fingers:

3 Likes

Yes, good luck @cosmic

1 Like