Session 13 — 2026-03-24a
| Field | Value |
|---|---|
| Date | 2026-03-24 |
| Phase | 03a — Custom UEFI ABL |
| Duration | ~3 h |
What Happened
- EDL hardware cable arrived — first hardware EDL session
- BCB loop (leftover from previous test) escaped via EDL
- Ground-truth kernel cmdline captured — required `su -c cat /proc/cmdline` (not accessible without root)
- Flashed v1.0 → FDE boot loop: `KeyMasterSetRotAndBootState` not called, FDE password prompt repeats
- Built v1.1 with `KeyMasterSetRotAndBootState` call added → USB shows `05c6:f000` (fastboot), but AVB fails on Magisk-patched boot partition
- Built v1.2 with cmdline injection attempt → confirmed dead code: `VBCmdLine` is already populated by PBL before ABL runs; ABL cannot override it
Key Findings
EDL access depends on ABL
The software EDL trigger (adb reboot edl) works only when Android is running. If a broken ABL prevents Android from booting, only the hardware EDL cable provides 9008 access. The EDL cable is therefore a prerequisite for any ABL flashing experiment.
v1.0: FDE loop root cause
KeyMasterSetRotAndBootState() must be called to unlock the FDE keymaster. Without it, the device requests the disk password on every boot and loops when no password is entered.
v1.1: AVB1 fails on Magisk-patched boot
With KeyMaster fixed, the device enters fastboot (05c6:f000) but AVB verification fails because Magisk modifies boot.img. The fix is to disable AVB or add the patched hash.
ABL Version Log
| Version | Change | Outcome |
|---|---|---|
| v1.0 | Baseline compile | FDE boot loop |
| v1.1 | +KeyMasterSetRotAndBootState | 05c6:f000; AVB1 fails |
| v1.2 | +cmdline injection (dead code) | No change — VBCmdLine pre-set by PBL |
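
One way to check whether a cmdline change in a test ABL build actually reaches the kernel is to diff `/proc/cmdline` from that boot against the ground-truth capture. The following is an added example, not part of the original session notes; the sample command lines and the `example.injected` parameter are constructed for illustration.

```python
import shlex

# Constructed sample captures (not taken from the device in this log).
GROUND_TRUTH = ("console=ttyMSM0,115200n8 "
                "androidboot.verifiedbootstate=orange buildvariant=user")
AFTER_TEST_BUILD = GROUND_TRUTH  # mirrors a "No change" outcome

_MISSING = object()

def parse_cmdline(text):
    """Map each key to the list of its values, in order of appearance.

    Double-quoted values may contain spaces; bare flags map to None.
    """
    lex = shlex.shlex(text.strip(), posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'      # kernel cmdline quoting uses double quotes
    lex.escape = ""       # no backslash escapes
    lex.commenters = ""   # '#' is an ordinary character here
    params = {}
    for token in lex:
        key, sep, value = token.partition("=")
        params.setdefault(key, []).append(value if sep else None)
    return params

def diff_cmdline(baseline, test):
    """Return (added, removed, changed) keys between two command lines."""
    base, new = parse_cmdline(baseline), parse_cmdline(test)
    added = {k: v for k, v in new.items() if k not in base}
    removed = {k: v for k, v in base.items() if k not in new}
    changed = {k: (base[k], new[k])
               for k in base if k in new and base[k] != new[k]}
    return added, removed, changed

def injection_took_effect(baseline, test, key, value):
    """True only if the last occurrence of `key` in `test` equals `value`
    and that differs from the baseline (later duplicates override earlier)."""
    last = lambda p: p.get(key, [_MISSING])[-1]
    base, new = parse_cmdline(baseline), parse_cmdline(test)
    return last(new) == value and last(base) != value

if __name__ == "__main__":
    print(diff_cmdline(GROUND_TRUTH, AFTER_TEST_BUILD))
    print(injection_took_effect(GROUND_TRUTH, AFTER_TEST_BUILD,
                                "example.injected", "1"))
```

An empty diff together with a `False` result means the injected parameter never reached the kernel command line.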