Unlocking a Moto G7 Play

These are high-level notes for myself (and people like me) who like to know what they’re actually doing when unlocking, rooting, and installing custom firmware on a phone. I’ve done this to varying degrees with my previous two phones, and always end up re-tracing painful footsteps to get things done. So I’m jotting down the bits that are important to me.

Enable the developer menu by repeatedly tapping the Build Number in About Phone. Use this to enable bootloader unlocking in the developer menu. This particular Easter egg might vary among Android versions.

One way or another, get Platform-Tools (package platform-tools) and cd into that directory. I installed CLI Tools and ran sdkmanager platform-tools, which seems to be some kind of Android SDK package manager, but I think it can also be downloaded directly as a tarball or zip file.

Also, download the latest Motorola USB drivers – these know how to talk ADB protocol with your phone, and I presume a chunk of this is vendor specific.

Boot the phone to the primary bootloader, ‘fastboot’ (volume down + power on), and connect it via USB.

Run fastboot oem get_unlock_data to get a hex key. Paste the output into an editor, discard everything except the hex strings, and join them into one long string. For example, this output:

 (bootloader) Unlock data:
 (bootloader) 3A95060139068543#
 (bootloader) 5A52133236393733365A006D6D546F2067280000#
 (bootloader) DB56C7CDAE5D679870DAB53ABF2F9D91FAB05CED#
 (bootloader) A8FAFEC4000000000000000000000000
 OKAY [  0.023s]
 Finished. Total time: 0.028s

is pasted into an editor and then edited to look something like this:

 3A95060139068543#5A5213323639373336 ... 05CED#A8FAFEC4000000000000000000000000 

This is the hex value you give to Motorola in their unlocking form; they will reply by giving you an unlock code. Curiously, this failed when I used the motorola.com site, yet succeeded when I used what appears to be Motorola’s service in the custhelp.com domain. I believe this is their international service, which looks to be outsourced to another company (is it Oracle?). Anyway, it seems legitimate.
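The copy, trim and join step described above can be scripted so that no stray prefix or whitespace ends up in the string submitted to the form. This is an added example, not part of the original notes; the function name join_unlock_data is hypothetical and the sample input is the output shown above.

```python
import re

# Sample input: the `fastboot oem get_unlock_data` output shown above.
SAMPLE_OUTPUT = """\
(bootloader) Unlock data:
(bootloader) 3A95060139068543#
(bootloader) 5A52133236393733365A006D6D546F2067280000#
(bootloader) DB56C7CDAE5D679870DAB53ABF2F9D91FAB05CED#
(bootloader) A8FAFEC4000000000000000000000000
OKAY [  0.023s]
Finished. Total time: 0.028s
"""

PREFIX = "(bootloader)"
CHUNK = re.compile(r"[0-9A-F]+#?")  # one line of hex, optional '#' separator


def join_unlock_data(output: str) -> str:
    """Return the single-line unlock string from get_unlock_data output."""
    chunks = []
    seen_header = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue  # status lines such as OKAY / Finished
        payload = line[len(PREFIX):].strip()
        if payload == "Unlock data:":
            seen_header = True
            continue
        if not seen_header:
            continue  # ignore anything printed before the header
        if not CHUNK.fullmatch(payload):
            raise ValueError(f"unexpected unlock data line: {payload!r}")
        chunks.append(payload)
    if not chunks:
        raise ValueError("no unlock data found in output")
    return "".join(chunks)  # '#' separators are kept, as in the edited string


if __name__ == "__main__":
    print(join_unlock_data(SAMPLE_OUTPUT))
```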

With the unlock code that has been sent to you, run e.g. fastboot oem unlock LAEYQFFXQZSIAK4WI5CT, then run it again as prompted (a safeguard). The second time you run it, the phone will reboot with the unlocked bootloader.

Rooting the device should be a simple matter of copying the su binary to /bin or /usr/bin, but it’s not that simple, not least because actually getting a su binary is frustratingly difficult. There were few trustworthy sources that I could find, and more than a few very dodgy looking sources I found while looking. Bear in mind, this is a tool that has the power to own your device – you should be able to trust it well beyond reasonable doubt.

I am still looking. The whole Android ecosystem has that familiar feel of proprietary hell. Easter eggs, warez-like downloads, lack of concise information. On reflection, this is a sad state of affairs for something that was derived from GNU licenced Free Software. Shame on you Google.

Response from fastboot getvar all

Below are the bootloader environment variables defined when fastboot is running.

C:\android\platform-tools>fastboot getvar all
 (bootloader) version: 0.5
 (bootloader) version-bootloader: MBM-2.1-channel_retail-a5c9d71-190702
 (bootloader) product: channel
 (bootloader) board: channel
 (bootloader) secure: yes
 (bootloader) hwrev: PVTB
 (bootloader) radio: 2
 (bootloader) storage-type: emmc
 (bootloader) emmc: 32GB SAMSUNG QD63MB RV=08 PV=01 FV=0000000000000001
 (bootloader) ram: 2GB SAMSUNG LP3 DIE=8Gb M5=01 M6=06 M7=00 M8=1F
 (bootloader) cpu: SDM632
 (bootloader) serialno: ZY32xxxx6Z
 (bootloader) cid: 0x0032
 (bootloader) channelid: 0x00
 (bootloader) uid: A1xxxxx400000000000000000000
 (bootloader) securestate: flashing_unlocked
 (bootloader) iswarrantyvoid: yes
 (bootloader) max-download-size: 536870912
 (bootloader) reason: Volume down key pressed
 (bootloader) imei: 3595xxxxx605834
 (bootloader) meid:
 (bootloader) date: 06-27-2019
 (bootloader) sku: XT1952-1
 (bootloader) carrier_sku: XT1952-1
 (bootloader) battid: SB18C30734
 (bootloader) iccid:
 (bootloader) cust_md5:
 (bootloader) max-sparse-size: 268435456
 (bootloader) current-time: "Tue Sep 10 21:12:12 UTC 2019"
 (bootloader) ro.build.fingerprint[0]: motorola/channel_reteu/channel:9/P
 (bootloader) ro.build.fingerprint[1]: PY29.105-134/e13ed:user/release-ke
 (bootloader) ro.build.fingerprint[2]: ys
 (bootloader) poweroffalarm: 0
 (bootloader) ro.build.version.full[0]: Blur_Version.29.251.156.channel_r
 (bootloader) ro.build.version.full[1]: eteu.retail.en.US
 (bootloader) ro.build.version.qcom: LA.UM.7.6.2.r1-04600-89xx.0
 (bootloader) version-baseband[0]: M632_26. CHANNEL_SUPERDS
 (bootloader) version-baseband[1]: DS_CUST
 (bootloader) kernel.version[0]: Linux version 4.9.112-perf (hudsoncm@ilc
 (bootloader) kernel.version[1]: lbld71) (gcc version 4.9.x 20150123 (pre
 (bootloader) kernel.version[2]: release) (GCC) ) #1 SMP PREEMPT Tue Jul
 (bootloader) kernel.version[3]: 2 04:04:07 CDT 2019
 (bootloader) sbl1.git: MBM-2.1-channel_retail-b508f3a-190702
 (bootloader) rpm.git: MBM-2.1-channel_retail-22daab3-190702
 (bootloader) tz.git: MBM-2.1-channel_retail-8798b8e-dirty-190702
 (bootloader) devcfg.git: MBM-2.1-channel_retail-8798b8e-dirty-190702
 (bootloader) keymaster.git: MBM-2.1-channel_retail-8798b8e-dirty-190702
 (bootloader) cmnlib.git: MBM-2.1-channel_retail-8798b8e-dirty-190702
 (bootloader) cmnlib64.git: MBM-2.1-channel_retail-8798b8e-dirty-190702
 (bootloader) prov.git: MBM-2.1-channel_retail-8798b8e-dirty-190702
 (bootloader) aboot.git: MBM-2.1-channel_retail-a5c9d71-190702
 (bootloader) frp-state: no protection (77)
 (bootloader) ro.carrier: retgb
 (bootloader) current-slot: b
 (bootloader) running-boot-lun: 0
 (bootloader) running-slot: _b
 (bootloader) slot-suffixes: _a,_b
 (bootloader) slot-count: 2
 (bootloader) slot-successful:_a: Yes
 (bootloader) slot-successful:_b: Yes
 (bootloader) slot-bootable:_a: Yes
 (bootloader) slot-bootable:_b: Yes
 (bootloader) slot-retry-count:_a: 7
 (bootloader) slot-retry-count:_b: 6
 all: listed above
 Finished. Total time: 0.186s

Response from fastboot oem hw

C:\android\platform-tools>fastboot oem hw
 (bootloader) .version: 1.5
 (bootloader) storage/.system: ro.vendor.hw.
 (bootloader) storage/.range: 16GB,32GB
 (bootloader) storage/.auto: key=hwprobe;index=__storage
 (bootloader) storage: 32GB
 (bootloader) ram/.system: ro.vendor.hw.
 (bootloader) ram/.range: 2GB,3GB
 (bootloader) ram/.auto: key=hwprobe;index=__ram
 (bootloader) ram: 2GB
 (bootloader) radio/.system: ro.vendor.hw.
 (bootloader) radio/.range: LATAM,SUPER,NA,NA_TMO
 (bootloader) radio/.cmdline: androidboot.
 (bootloader) radio/.auto: key=hwid;index=2;map=1:LATAM,2:SUPER,3:NA,
 (bootloader) 4:NA_TMO
 (bootloader) radio: SUPER
 (bootloader) nfc/.system: ro.vendor.hw.
 (bootloader) nfc/.range: true,false
 (bootloader) nfc/.chosen: mmi,
 (bootloader) nfc/.auto: key=hwid;index=2;map=1:false,2:false,3:false
 (bootloader) ,4:false
 (bootloader) nfc: false
 (bootloader) imager/.system: ro.vendor.hw.
 (bootloader) imager/.range: 13MP
 (bootloader) imager/.chosen: mmi,
 (bootloader) imager/.auto: default=13MP
 (bootloader) imager: 13MP
 (bootloader) frontcolor/.system: ro.vendor.hw.
 (bootloader) frontcolor/.range: black,other
 (bootloader) frontcolor/.auto: uspace=config;name=build_vars;map=BLA
 (bootloader) CK:black,black:black
 (bootloader) frontcolor:
 (bootloader) fps/.system: ro.vendor.hw.
 (bootloader) fps/.range: true
 (bootloader) fps/.chosen: mmi,
 (bootloader) fps/.auto: default=true
 (bootloader) fps: true
 (bootloader) ecompass/.system: ro.vendor.hw.
 (bootloader) ecompass/.range: true,false
 (bootloader) ecompass/.chosen: mmi,
 (bootloader) ecompass/.auto: key=hwid;index=2;map=1:false,2:false,3:
 (bootloader) true,4:true
 (bootloader) ecompass: false
 (bootloader) dualsim/.system: ro.vendor.hw.
 (bootloader) dualsim/.range: true,false
 (bootloader) dualsim/.cmdline: androidboot.
 (bootloader) dualsim: true
 (bootloader) dtv/.system: ro.vendor.hw.
 (bootloader) dtv/.range: false
 (bootloader) dtv/.chosen: mmi,
 (bootloader) dtv/.auto: default=false
 (bootloader) dtv: false
 (bootloader) .attributes: .range,.cmdline,.chosen,.system,.auto
 (bootloader) .features: radio,ram,storage,dualsim,imager,fps,dtv,nfc
 (bootloader) ,frontcolor,ecompass
 OKAY [  0.136s]
 Finished. Total time: 0.140s

Response from fastboot oem partition

The following appears to be the partition map of the flash memory of the phone.

C:\android\platform-tools>fastboot oem partition
 (bootloader) sbl1_a: offset=128KB, size=512KB
 (bootloader) sbl1_b: offset=640KB, size=512KB
 (bootloader) rpm_a: offset=1152KB, size=256KB
 (bootloader) rpm_b: offset=1664KB, size=256KB
 (bootloader) tz_a: offset=2176KB, size=1792KB
 (bootloader) tz_b: offset=4224KB, size=1792KB
 (bootloader) devcfg_a: offset=6272KB, size=64KB
 (bootloader) devcfg_b: offset=6528KB, size=64KB
 (bootloader) aboot_a: offset=6784KB, size=1536KB
 (bootloader) aboot_b: offset=8320KB, size=1536KB
 (bootloader) cmnlib_a: offset=9856KB, size=1024KB
 (bootloader) cmnlib_b: offset=10880KB, size=1024KB
 (bootloader) cmnlib64_a: offset=11904KB, size=1024KB
 (bootloader) cmnlib64_b: offset=12928KB, size=1024KB
 (bootloader) keymaster_a: offset=13952KB, size=1024KB
 (bootloader) keymaster_b: offset=14976KB, size=1024KB
 (bootloader) prov_a: offset=16000KB, size=192KB
 (bootloader) prov_b: offset=16256KB, size=192KB
 (bootloader) modem_a: offset=16512KB, size=102400KB
 (bootloader) modem_b: offset=118912KB, size=102400KB
 (bootloader) fsc: offset=221312KB, size=4KB
 (bootloader) ssd: offset=221316KB, size=8KB
 (bootloader) dsp_a: offset=221324KB, size=16384KB
 (bootloader) dsp_b: offset=237708KB, size=16384KB
 (bootloader) DDR: offset=254208KB, size=32KB
 (bootloader) utags: offset=254336KB, size=512KB
 (bootloader) utagsBackup: offset=254848KB, size=512KB
 (bootloader) modemst1: offset=255360KB, size=2048KB
 (bootloader) modemst2: offset=257408KB, size=2048KB
 (bootloader) fsg_a: offset=259456KB, size=12288KB
 (bootloader) fsg_b: offset=271744KB, size=12288KB
 (bootloader) persist: offset=284032KB, size=32768KB
 (bootloader) persist2: offset=316800KB, size=8192KB
 (bootloader) frp: offset=324992KB, size=512KB
 (bootloader) cid: offset=325504KB, size=128KB
 (bootloader) logo_a: offset=325632KB, size=16384KB
 (bootloader) logo_b: offset=342016KB, size=16384KB
 (bootloader) carrier: offset=358400KB, size=16384KB
 (bootloader) metadata: offset=374784KB, size=16384KB
 (bootloader) kpan: offset=391168KB, size=8192KB
 (bootloader) boot_a: offset=399360KB, size=32768KB
 (bootloader) boot_b: offset=448512KB, size=32768KB
 (bootloader) dtbo_a: offset=497664KB, size=8192KB
 (bootloader) dtbo_b: offset=505856KB, size=8192KB
 (bootloader) misc: offset=514048KB, size=1024KB
 (bootloader) mota: offset=515072KB, size=512KB
 (bootloader) syscfg: offset=515584KB, size=512KB
 (bootloader) logs: offset=516096KB, size=2048KB
 (bootloader) apdp: offset=518144KB, size=256KB
 (bootloader) msadp: offset=518400KB, size=256KB
 (bootloader) dpo: offset=518656KB, size=8KB
 (bootloader) devinfo: offset=518664KB, size=512KB
 (bootloader) vbmeta_a: offset=519176KB, size=64KB
 (bootloader) vbmeta_b: offset=519240KB, size=64KB
 (bootloader) padA: offset=519424KB, size=4864KB
 (bootloader) hw: offset=524288KB, size=8192KB
 (bootloader) sp: offset=532480KB, size=8192KB
 (bootloader) oem_a: offset=540672KB, size=278528KB
 (bootloader) oem_b: offset=819200KB, size=278528KB
 (bootloader) vendor_a: offset=1097728KB, size=327680KB
 (bootloader) vendor_b: offset=1425408KB, size=327680KB
 (bootloader) system_a: offset=1753088KB, size=2408448KB
 (bootloader) system_b: offset=4161536KB, size=2408448KB
 (bootloader) userdata: offset=6569984KB, size=23965679KB
 OKAY [  0.214s]
 Finished. Total time: 0.219s

Looks like quite a lot of flash is given over to a/b partitioning, given that it’s not actually utilised so far as I can tell. A custom ROM would probably be more efficient.
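To put a number on the flash held by the second slot, the partition listing can be parsed and the duplicated copies summed. This is an added example, not part of the original notes; the function names are hypothetical, and the sample is only the tail of the listing above (oem_a onwards), so the figure it prints covers those partitions only.

```python
import re

# Tail of the `fastboot oem partition` listing above (oem_a onwards), which is
# contiguous up to the end of flash; the smaller partitions are omitted here.
SAMPLE = """\
(bootloader) oem_a: offset=540672KB, size=278528KB
(bootloader) oem_b: offset=819200KB, size=278528KB
(bootloader) vendor_a: offset=1097728KB, size=327680KB
(bootloader) vendor_b: offset=1425408KB, size=327680KB
(bootloader) system_a: offset=1753088KB, size=2408448KB
(bootloader) system_b: offset=4161536KB, size=2408448KB
(bootloader) userdata: offset=6569984KB, size=23965679KB
"""

LINE = re.compile(r"\(bootloader\)\s+(\S+):\s+offset=(\d+)KB,\s+size=(\d+)KB")


def parse_partitions(text):
    """Return [(name, offset_kb, size_kb)] sorted by offset."""
    parts = [(m[1], int(m[2]), int(m[3])) for m in LINE.finditer(text)]
    return sorted(parts, key=lambda p: p[1])


def slot_overhead_kb(parts):
    """KB held by second copies: every X_b with a same-sized X_a."""
    sizes = {name: size for name, _, size in parts}
    return sum(size for name, size in sizes.items()
               if name.endswith("_b") and sizes.get(name[:-2] + "_a") == size)


def layout_issues(parts):
    """List overlaps and unallocated gaps between neighbouring partitions."""
    issues = []
    for (n1, o1, s1), (n2, o2, _) in zip(parts, parts[1:]):
        end = o1 + s1
        if end > o2:
            issues.append(f"{n1} overlaps {n2} by {end - o2}KB")
        elif end < o2:
            issues.append(f"{o2 - end}KB unallocated between {n1} and {n2}")
    return issues


if __name__ == "__main__":
    parts = parse_partitions(SAMPLE)
    flash_end = max(off + size for _, off, size in parts)
    dup = slot_overhead_kb(parts)
    print(f"second slot copies: {dup}KB ({dup / flash_end:.1%} of {flash_end}KB)")
    print(layout_issues(parts) or "no gaps or overlaps in this excerpt")
```

Pasting the complete listing into SAMPLE gives the figure for the whole device and also reports any unallocated ranges between partitions.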