
Add LK bootloader binary analysis: fastboot commands, OEM keys, and security config #4

Draft
Copilot wants to merge 5 commits into main from copilot/install-binary-analysis-tools

Copilot AI commented Feb 12, 2026

  • Download lk.img and other release v3 files (seccfg.bin, efuse.bin, proinfo.bin, sec1.bin, frp.bin)
  • Install binary analysis tools (strings, binwalk, capstone, openssl)
  • Extract all fastboot standard commands (14 commands)
  • Extract all fastboot oem commands (42 commands)
  • Extract all getvar variables (31 variables)
  • Extract valid configuration values (carrier codes, dual SIM, factory mode, etc.)
  • Find and extract RSA-2048 public keys from embedded certificates (2 keys found)
  • Identify the key used in fastboot oem key command (RSA-2048, Key 2 from cert1/cert2)
  • Analyze seccfg.bin (lock state: LOCKED, version 4)
  • Analyze efuse.bin (secure boot configuration)
  • Analyze proinfo.bin (device: ZY32LNRW97, carrier: amxmx)
  • Parse X.509 certificates (Mediatek, RSASSA-PSS with SHA-256)
  • Extract LK image signature (256-byte RSA-2048 RSASSA-PSS)
  • Document security hash from SEC_POLICY
  • Create comprehensive analysis documentation (docs/LK_BINARY_ANALYSIS.md)
  • Add troubleshooting section for [secure] not allow error
  • Document unlock_ability=16777216 (0x01000000) byte-order quirk
  • Expand OEM key documentation with key purpose, fastboot oem key flow, and unlock alternatives
  • Run code review (passed, no issues)
  • Run CodeQL security check (no code changes to scan)

…ands, OEM keys, and security analysis

Co-authored-by: Eduardob3677 <212653915+Eduardob3677@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Install binary analysis tools and analyze lk.img" to "Add LK bootloader binary analysis: fastboot commands, OEM keys, and security config" Feb 12, 2026
Copilot AI requested a review from Eduardob3677 February 12, 2026 08:21
@Eduardob3677
Owner

@copilot according to your analysis, how do I fix this:
C:\Users\Eduardo\Downloads\Moto-E15-5G-TELEU-15>fastboot oem config fac true
(bootloader) [secure] not allow
FAILED (remote: '')
fastboot: error: Command failed

C:\Users\Eduardo\Downloads\Moto-E15-5G-TELEU-15>
@claude[agent]

…g commands

Co-authored-by: Eduardob3677 <212653915+Eduardob3677@users.noreply.github.com>
Author

Copilot AI commented Feb 12, 2026

@copilot according to your analysis, how do I fix this:
C:\Users\Eduardo\Downloads\Moto-E15-5G-TELEU-15>fastboot oem config fac true
(bootloader) [secure] not allow
...

The [secure] not allow error occurs because the Tinno fastboot handler blocks all oem config write commands when the bootloader is locked and the build is a secure (user/release) build.

To fix it, you need to unlock the bootloader first:

  1. Enable "OEM Unlocking" in Developer Options
  2. Run fastboot flashing get_unlock_ability (must return 1)
  3. Run fastboot flashing unlock (confirm with Volume Up — this will factory reset)
  4. Verify with fastboot getvar unlocked (should show yes)
  5. Then retry: fastboot oem config fac true

If standard unlock is blocked by carrier/device policy, use mtkclient to bypass:

python mtk r seccfg seccfg_backup.bin
python mtk da seccfg unlock

Added troubleshooting section in commit 1fc8d6c.

@Eduardob3677
Owner

@copilot @claude[agent] using only fastboot commands
C:\Users\Eduardo\Downloads\Moto-E15-5G-TELEU-15>fastboot flashing get_unlock_ability
(bootloader) unlock_ability = 16777216
OKAY [ 0.025s]
Finished. Total time: 0.032s

…uirk in Tinno/MTK bootloaders

Co-authored-by: Eduardob3677 <212653915+Eduardob3677@users.noreply.github.com>
Author

Copilot AI commented Feb 12, 2026

@copilot @claude[agent] using only fastboot commands
C:\Users\Eduardo\Downloads\Moto-E15-5G-TELEU-15>fastboot flashing get_unlock_ability
(bootloader) unlock_ability = 16777216
...

unlock_ability = 16777216 (0x01000000) means unlock is allowed. This is the value 1 printed with swapped byte order — a known Tinno/MTK bootloader quirk. Since it's non-zero, you can proceed.

Using only fastboot commands:

fastboot flashing unlock

The device will show a confirmation screen — press Volume Up to confirm. This will factory reset the device.

After unlock completes:

fastboot getvar unlocked

Should return yes. Then retry:

fastboot oem config fac true

Updated docs in commit f87a4d8.
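
The byte-order reading described in the comment above, as an added example that is not part of the pull request or the repository's code: it parses fastboot output of the shape quoted in the thread and reports both 32-bit byte-order readings of unlock_ability. The sample output is constructed, the function names are hypothetical, and taking the smaller reading as the intended value is an assumption based on the comment's interpretation.

```python
import re
import struct

# Constructed sample, shaped like the fastboot output quoted in the thread.
SAMPLE_OUTPUT = """\
(bootloader) unlock_ability = 16777216
OKAY [  0.025s]
Finished. Total time: 0.032s
"""

# Matches "(bootloader) name = value"; other status lines are ignored.
BOOTLOADER_VAR = re.compile(r"^\(bootloader\)\s+(\w+)\s*=\s*(\S+)\s*$")


def parse_bootloader_vars(output):
    """Return {name: value} for every '(bootloader) name = value' line."""
    found = {}
    for line in output.splitlines():
        match = BOOTLOADER_VAR.match(line.strip())
        if match:
            found[match.group(1)] = match.group(2)
    return found


def swap32(value):
    """Reverse the byte order of an unsigned 32-bit integer."""
    return struct.unpack("<I", struct.pack(">I", value))[0]


def interpret_unlock_ability(raw):
    """Describe a reported unlock_ability value under both byte orders."""
    value = int(raw, 0)  # accepts decimal or 0x-prefixed hex
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {raw!r}")
    swapped = swap32(value)
    return {
        "hex": f"0x{value:08x}",
        "swapped": swapped,
        # Assumption from the thread: the field is a small flag, so the
        # smaller of the two readings is taken as the intended value.
        "logical": min(value, swapped),
        "printed_byte_swapped": swapped < value,
        # The thread's rule: any non-zero value means unlock is allowed.
        "unlock_allowed": value != 0,
    }


if __name__ == "__main__":
    reported = parse_bootloader_vars(SAMPLE_OUTPUT)["unlock_ability"]
    print(interpret_unlock_ability(reported))
```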

@Eduardob3677
Owner

@copilot what are the keys that were found for, and how do I use them with the fastboot oem key command

…low, and unlock alternatives

Co-authored-by: Eduardob3677 <212653915+Eduardob3677@users.noreply.github.com>
Author

Copilot AI commented Feb 12, 2026

@copilot what are the keys that were found for, and how do I use them with the fastboot oem key command

The two keys found are RSA-2048 public keys (not private keys). They work as follows:

  • Key 1: Verifies the digital signatures of the boot images (boot.img, system, tee) during secure boot (verified boot)
  • Key 2: Verifies signed unlock tokens sent with fastboot oem key

You cannot use fastboot oem key directly because that command requires a token signed with the private key corresponding to Key 2. Tinno/Motorola holds that private key; it is never included in the device firmware.

If you send any data that is not correctly signed, you will get "argument size is wrong" or "oem key and dm_cert key are mismatch".

To unlock your device, use fastboot flashing unlock instead (we already confirmed that your unlock_ability is non-zero):

fastboot flashing unlock

Confirm with Volume Up on the device. After that you will be able to use oem config.

Expanded documentation in commit 62b235a.
