Unlocking Bootloader via noavb exploit (still in progress)
Update : Another way is discovered by other people. They reload the full uefi chain and then run unlock command without token verification. This method is from WOA-Project.
A vulnerability exists in Qualcomm ABL component.
By renaming/removing vbmeta_a partition from the GPT partition table,the boot process will fall into NOAVB path.
So we can load unsigned images including recovery,kernel,boot...
But the normal boot process always crashes.But we can boot into Recovery like TWRP.
And the milestone is never called.
So we can communicate with Keymaster TA and send unlock command.
For 8E or some other devices,pvmfw is added.So you can not boot into recovery because of some crashes about pvmfw.
So we need to erase pvmfw_a and pvmfw_b.
But in newer qualcomm devices,qseecom driver is removed.
Instead,we need smcinvoke to communicate.
We need to use libminkdescriptor.so.
However,we meet difficulties about getting the Physical Address of the buffer storing deviceinfo.
TA only accepts PA.