So, I finally found a hole in the bootloader of MotoMAGX phones, which allows the phone to run unsigned AP firmware.
Caution: if you want to do what is described here with your phones, you do so at your own risk.. I am not responsible for the death of your phone..
A bit of theory
The hole surfaced in the BP IROM bootloader. When the phone is switched on, the AP-side boot (MBM) first loads bp-loader into RAM and then commands the BP to execute bp-loader. The BP IROM loader checks the signature of bp-loader and, if everything is in order, transfers execution to bp-loader. The important point: just before the signature check, the BP IROM loader looks in the bp-loader header for a pointer to a certain structure and, if the pointer is present, parses that structure.. Besides its own header, the structure contains a set of addresses and values; the IROM loader writes the corresponding value to each of the addresses (if it considers the address valid).. So it is possible to fill in this structure yourself and shift the work of patching the AP boot onto the BP (by this point the AP boot is already loaded into RAM, its signature has already been checked, and it is waiting for a response from the BP, whose bp-loader signature is being checked).. The structure itself can be placed after the signature, and its first entries can describe a patch that restores the bp-loader header to its original form, so that the signature check that follows passes correctly..
Necessary additions to the bp-loader:
Place after the signature of bp-loader a structure of the following format:
The first four bytes of the structure: 0xB17219E9, a constant by which the validity of the structure is checked.
The next four bytes: the size of the structure (must be a multiple of eight and no more than 256).
Then the list of addresses and values (four bytes for the address and four for the value).
The bp-loader header must contain a pointer to this structure (four bytes at +0x14 from the start of bp-loader) and a pointer to this index (at +0x08 from the start of bp-loader).. Accordingly, for the bp-loader signature check to pass, the header must be returned to its original form (usually these fields are zeros), so the first patches described in the structure are precisely writes of zeros into these fields.. After that come the patches that need to be applied to the AP boot..
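As an added example (not code from the post or from any Motorola tool), here is an inspector that checks whether a bp-loader image carries a structure of the format described above: it reads the header field at +0x14, verifies the 0xB17219E9 magic and the size rule (multiple of eight, at most 256), lists the address/value pairs, and reports whether the first entries zero the two header fields, which is the self-cleaning fingerprint of this technique. Everything the post does not state is an assumption and is marked as such in the code: little-endian 32-bit words, pointer values being absolute RAM addresses, the loader being resident at a constructed LOAD_BASE, the size field counting the eight-byte structure header, and the field at +0x08 holding the same pointer. The sample image is constructed; the addresses and values in it are placeholders, not a real patch set.

```python
import struct

# Constants taken from the post's description of the structure.
MAGIC = 0xB17219E9        # first four bytes of the structure
MAX_STRUCT_SIZE = 256     # size must be a multiple of eight and at most 256
HDR_INDEX_PTR = 0x08      # header field the post calls "a pointer to this index"
HDR_STRUCT_PTR = 0x14     # header field holding the pointer to the structure

# Assumptions (not stated in the post): little-endian 32-bit words, pointer values
# are absolute RAM addresses, the loader is resident at LOAD_BASE, and the size
# field includes the eight-byte structure header.
LOAD_BASE = 0x00100000    # constructed load address for the sample image


def _u32(image, off):
    return struct.unpack_from("<I", image, off)[0]


def inspect_loader(image, load_base=LOAD_BASE):
    """Inspect a bp-loader image for the patch-list structure.

    Returns a dict: present (header advertises a structure), struct_offset,
    valid (magic and size pass the checks the post describes), entries
    (list of (address, value)), restores_header (entries zero both header
    pointer fields), problems (reasons when a check fails).
    """
    report = {"present": False, "struct_offset": None, "valid": False,
              "entries": [], "restores_header": False, "problems": []}
    if len(image) < HDR_STRUCT_PTR + 4:
        report["problems"].append("image too short for a loader header")
        return report

    struct_ptr = _u32(image, HDR_STRUCT_PTR)
    index_ptr = _u32(image, HDR_INDEX_PTR)
    if struct_ptr == 0 and index_ptr == 0:
        return report                       # clean header: no structure advertised
    report["present"] = True

    off = struct_ptr - load_base             # assumption: pointer is an absolute RAM address
    if off < 0 or off + 8 > len(image):
        report["problems"].append("structure pointer points outside the image")
        return report
    report["struct_offset"] = off

    magic = _u32(image, off)
    size = _u32(image, off + 4)
    if magic != MAGIC:
        report["problems"].append("bad magic 0x%08X" % magic)
    if size < 8 or size % 8 != 0 or size > MAX_STRUCT_SIZE:
        report["problems"].append("bad size %d" % size)
    elif off + size > len(image):
        report["problems"].append("structure runs past end of image")
    if report["problems"]:
        return report

    # Address/value pairs follow the eight-byte header, eight bytes per entry.
    entries = [(_u32(image, p), _u32(image, p + 4)) for p in range(off + 8, off + size, 8)]
    report["entries"] = entries
    report["valid"] = True
    # Self-cleaning fingerprint: the structure writes zeros back into both header fields.
    wanted = {(load_base + HDR_INDEX_PTR, 0), (load_base + HDR_STRUCT_PTR, 0)}
    report["restores_header"] = wanted.issubset(set(entries))
    return report


def build_sample_image():
    """Constructed 256-byte loader image carrying a three-entry structure at +0x40."""
    image = bytearray(256)
    struct_off = 0x40
    entries = [(LOAD_BASE + HDR_INDEX_PTR, 0),    # restore header field +0x08
               (LOAD_BASE + HDR_STRUCT_PTR, 0),   # restore header field +0x14
               (0x00200010, 0x00000001)]          # placeholder write, not a real patch
    size = 8 + 8 * len(entries)
    struct.pack_into("<II", image, struct_off, MAGIC, size)
    for i, (addr, val) in enumerate(entries):
        struct.pack_into("<II", image, struct_off + 8 + 8 * i, addr, val)
    # Assumption: both header fields carry the same pointer to the structure.
    struct.pack_into("<I", image, HDR_INDEX_PTR, LOAD_BASE + struct_off)
    struct.pack_into("<I", image, HDR_STRUCT_PTR, LOAD_BASE + struct_off)
    return bytes(image)


if __name__ == "__main__":
    r = inspect_loader(build_sample_image())
    print("present:", r["present"], "valid:", r["valid"],
          "self-restoring header:", r["restores_header"])
    for addr, val in r["entries"]:
        print("  write 0x%08X <- 0x%08X" % (addr, val))
```

Run it against a dumped bp-loader image (with the real load address in place of LOAD_BASE) to tell a stock loader, whose header fields are zero, from one that advertises a patch list; a valid structure whose first entries do not zero the header fields would fail the signature check the post describes, so `restores_header` is a useful sanity check before anything is flashed.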
After several experiments, I arrived at a minimal set of boot patches that make the phone agree to work with unsigned firmware, for boots 06.a3 (E8) and a3.cf (V8), the phones that survived until victory..
The patches depend on the boot version; if you apply the wrong patch, or the correct one but to a boot version it does not correspond to, you get a corpse. I have already killed a Z6 (I tried earlier versions of the patches on it, which did not take into account some checks in the boot); dimichxp killed an E8. Whether these phones can be restored is a big question..
Well, I think I have written the basics; I am attaching the resulting boots, which you can flash to the phone if your phone's boot version matches one of these.. And even if it does, think again about whether you really need this))
If someone takes on porting this to other boot versions / phones, keep in mind that you need to be very careful and double-check everything you do; you will most likely get only one attempt!