Educational purposes only. Modifying firmware can brick your device, cause data loss, or void your warranty. The author assumes no liability. You are solely responsible. Use at your own risk.
Certain Lenovo tablets ship a bootloader (ABL) with the AOSP test public key embedded as the Android Verified Boot (AVB) root of trust (AvbRSAPublicKey struct). The matching private key is published in AOSP source (external/avb/test/data/testkey_rsa4096.pem), so anyone can sign a vbmeta image that the locked bootloader still accepts as authentic.
LTBox exploits this to enable:
- 🌍 Region conversion — switch between PRC (China) and ROW (Global) firmware
- 🔓 Root — install Magisk, KernelSU, APatch, and more on a locked bootloader
- 🛡️ Anti-rollback bypass — flash older/newer firmware without rollback protection blocking you
- ⚡ Partition flashing — read/write partitions via EDL (Emergency Download) mode
Supported Devices ‡
| Device | Notes |
|---|---|
| Legion Tab Y700 2nd, 3rd Gen | Full support |
| Legion Tab Y700 4th Gen | ZUXOS ≤ 1.5.10.138 † |
| Yoga Pad Pro AI / Yoga Tab Plus AI | Full support |
| Xiaoxin Pad Pro GT / Yoga Tab 11.1 AI | Full support |
🪟 Windows — x86_64 / arm64
- Download the latest release and extract the zip (no spaces or special chars in the path)
- Double-click
ltbox.exe - Pick a task from the sidebar and follow the wizard
Qualcomm USB drivers: the dashboard shows an "Install drivers" banner when the Qualcomm USB drivers are missing. Clicking it downloads and installs the latest
qcom-usb-kernel-driversrelease from GitHub viapnputil. Run LTBox as Administrator the first time sopnputilcan land the.inffiles.
🐧 Linux — x86_64 / aarch64
- Install runtime deps (Debian/Ubuntu shown — adapt for your distro):
sudo apt install \ libusb-1.0-0 libudev1 \ libxkbcommon0 libxkbcommon-x11-0 libwayland-client0 \ libxcb1 libxcb-render0 libxcb-shape0 libxcb-xfixes0 \ libfontconfig1 \ xdg-utils
- Download the latest release Linux tarball (
tar -xzf LTBox-linux_*.tar.gz). The executable bit onltboxis preserved. - Install the udev rules so the desktop session can open the Qualcomm 9008 / Lenovo USB devices without root:
sudo ./ltbox --install-udev
- Replug any connected device.
- (Optional) Add an app-menu entry + icon (per-user, no root):
Drops a
./ltbox --install-desktop
.desktopfile under~/.local/share/applications/and the SVG icon under~/.local/share/icons/hicolor/scalable/apps/. GNOME / KDE pick it up within a few seconds. Re-run after moving the binary. - Run
./ltbox.
The app is a sidebar-driven GUI. Each entry opens a guided wizard.
| Sidebar entry | What it does |
|---|---|
| Dashboard | Device status, region, recent folders, one-click actions |
| Flash Firmware | All-in-one: region → target → wipe/keep → flash. Drives region conversion + rollback handling end-to-end. |
| System Update | Disable or enable OTA updates; Boot Recovery for rescuing a device that failed to boot after an OTA on a converted region |
| Root Device | Root with KernelSU / KernelSU Next / SukiSU / ReSukiSU / APatch / FolkPatch / Magisk (+ forks) |
| Unroot Device | Restore the stock boot image from a prior Root backup |
| Reboot | Jump to System, Recovery, Bootloader, or EDL |
| Advanced | Individual pipeline steps for manual control — see below |
| Settings | Language (en/ko/zh/ru), theme (system/light/dark), default EDL loader path |
Step-by-step manual control over the pipeline, grouped into three sections
Region & patch
- Convert region (vendor_boot + vbmeta rebuild)
- Patch devinfo / persist
Rollback
- Inspect
.imgAVB metadata - Detect anti-rollback index
- Patch anti-rollback index
- Rebuild vbmeta for modified images
EDL ops
- Decrypt
.xfiles → XML - Dump / flash partitions by name (GPT-by-name, EDL)
- Dump / flash physical LUNs (whole-LUN, EDL)
Region conversion patches bytes in vendor_boot.img (PRC↔ROW region identifiers), then re-signs the image with AOSP test keys and rebuilds vbmeta.img so the bootloader accepts it.
Rooting unpacks boot.img or init_boot.img, injects root provider files into the ramdisk, repacks, and re-signs with the original AVB keys. The device boots the modified image because the bootloader trusts the test key signature.
Anti-rollback bypass reads the device's current rollback index via Fastboot, then re-signs the target firmware images with a matching index so the bootloader doesn't reject them as "older" builds.
All flashing goes through EDL mode — LTBox handles the full flow: ADB → Fastboot → EDL transition, programmer upload, partition read/write, and reset. AVB-signed images use the embedded AOSP testkey_rsa2048 / testkey_rsa4096 specs from avbtool-rs (no PEM file needed) so re-signed vbmeta and root-injected boot images verify against the bootloader's pinned test keys.
| Crate | Role |
|---|---|
ltbox-core |
Primitives — errors, settings, logging, GitHub / nightly.link / Lenovo PTSTPD clients, crypto, XML decrypt, live-log sink |
ltbox-device |
Transport layer — ADB, Fastboot, EDL / QDL, serialport discovery, Windows Qualcomm USB driver probe + auto-install |
ltbox-patch |
Image pipeline — AVB (embedded AOSP testkey specs), boot image ramdisk patching, region conversion, rollback index handling, root provider integration |
ltbox-gui |
iced desktop app — the ltbox.exe binary |
‡ Patched devices — vulnerability fixed in newer hardware. ↩
Devices released in 2026+ (e.g. Y700 5th Gen) ship with the AOSP test key removed from the ABL trust path at the factory. The vulnerability is no longer exploitable by LTBox on those devices.
† Y700 4th Gen cutoff — ZUXOS 1.5.10.138 is the last vulnerable build. ↩
ZUXOS 1.5.10.183 ships an updated ABL: the embedded AvbRSAPublicKey is swapped from the AOSP test key to the Y700 5th Gen production RSA-4096 public key.
This work is licensed under CC BY-NC-SA 4.0.
