WARNING!
THIS GUIDE REQUIRES DISASSEMBLY, SO YOU WILL DEFINITELY LOSE THE WARRANTY!
DO IT AT YOUR OWN RISK!
If you want to repost this guide to other websites, please let me know before you repost.
For Chinese users: the Chinese version of this guide will be published on dospy.
UPDATE: I've updated the new tool for unlocking the phone without understanding how to utilize such long commands.
You can watch the demonstration here: https://youtu.be/whrFsn8h7A4
So after I got a Nokia 4.2 prototype by opportunity, I just found the theory of bootloader unlocking.
Tricking development options for allowing "OEM unlocking" no longer works on latest security update.
What you need to have:
- a Nokia 4.2 unit with the back cover and upper plastic shell removed
- tweezers, and probably a standard Phillips screwdriver
- QPST (use at least 2.7.474) or any other app that could access the EDL, and Qualcomm USB port drivers are installed
- Latest Google Platform Tools
- Full backup of your userdata
Step 1: Trigger the phone to EDL mode, then change the driver to "Qualcomm HS-USB QDLoader 9008"
Please take a look at the attachment below, about the location you need to use tweezers.
For Windows users:
If the driver is already indicated as "Qualcomm HS-USB QDLoader 9008", get to Step 2.
If the driver is indicated as either "QHSUSB__BULK" (For users who have installed Windows Device Recovery Tool before) or "Qualcomm HS-USB Diagnostics 9008", you must change the driver to "Qualcomm HS-USB QDLoader 9008".
After the driver is changed, you need to disconnect the phone, disconnect and reconnect the battery ribbon cable, then trigger the phone to EDL again.
I assume the COM port number is 8 (COM8).
Step 2: Write config partition
As we already know, config partition is also the frp partition.
You need to create a config partition image that has the "OEM Unlocking" function enabled, which requires altering the last byte, then changing the overall checksum to make the config file valid.
For your convenience, I've created one.
Now download and extract the attachment below.
Use QFIL included in QPST to load the firehose file. Choose "Flat Build" and choose the "prog_emmc_firehose_8937_ddr.mbn" you extracted from the attachment.
Choose "Tools" - "Partition Manager", then wait for the partition list to appear.
As "Load Image" does not seem reliable, we have to use a command to write it manually.
For 64-bit Windows users, the command is:
Code:
"C:\Program Files (x86)\Qualcomm\QPST\bin\fh_loader.exe" --port=\\.\COM8 --search_path=D:\path\to\where\you\extracted\N32_N42_unlock --sendimage=config.img --start_sector=16583680 --lun=0 --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=emmc
If you use 32-bit Windows, you need to remove the " (x86)" (with the space, without quotes) in the command above.
Step 3: Trigger the phone back to fastboot mode
Now hold the Volume down key, keep the phone connected, close the partition manager, then your phone will exit EDL mode and enter Fastboot mode directly.
Now check the unlock ability:
Code:
fastboot flashing get_unlock_ability
Expected output:
Code:
get_unlock_ability: 1
Step 4: Unlock the bootloader!
And you can unlock the bootloader with familiar commands.
Code:
fastboot flashing unlock_critical
Confirm unlock on the phone, then keep the volume down key pressed while the phone is erasing userdata.
Your phone will boot to fastboot mode again, and then:
Code:
fastboot flashing unlock
Confirm unlock on the phone again.
All done, that's how the bootloader is unlocked. You can reassemble the phone.
But strange enough, you can't see any unlock warning.
I will release boot image dumping guide and root guide very soon.
Special thanks:
Wingtech for leaking prototype units
why must Nokia insist on locking their devices down so hard ??
great discovery, will definitely be useful once TWRP is released. just curious, but SafetyNet is tripped with this, right?
Great!
Damn Nokia
I don't even own this phone but I kinda want to weigh in, are we seriously at this point? No honestly, Android as a whole was basically were dev focused iOS is locked down to hell and back here's freedom. Google has the Nexus line made for developers companies embraced it I remember there being multiple Google play editions of phones that ran stock Android. I'm happy we as a community can keep this alive but damn are companies trying to make it difficult to do something I want to do to a device I paid for and own. Samsung you can't root (save for sampwn and samfail) LG locked down bootloaders and gimped fastboot on some models (fastboot seriously?) Nokia now requiring you to take apart the freaking phone to achieve this, I'm half asleep and can't think of any other major brands at the moment. It's a joke. (Above root methods were mainly for US variants and TMobile variants of LG) something has to change I know it won't and I understand the reasoning behind it security and such but still. Sorry for the rant congrats OP on what you did I consider it magic but it's more you accomplished something I could only wish I could do.
Will it be possible to do without disassembly? Just in theory, not now
kir23rus said:
Will it be possible to do without disassembly? Just in theory, not now
Unwise to say no with absolute certainty, but doubtful
kir23rus said:
Will it be possible to do without disassembly? Just in theory, not now
I think it will be possible.
There's a hidden command in aboot "fastboot reboot-emergency" but unusable, unless some sort of authentication is done or bootloader unlocked.
I still don't know how the authentication is done yet, but it's definitely not something that average developers can access to.
That's why disassembly is required for now.
Very interesting breakthrough. Great work
I'm facing the same bootloader unlock in my infinix hot s 3. I believe I can use your procedure to unlock my device. And if necessary how to make changes to the config file? I will be expecting your reply soon. Thanks
Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you
awab228 said:
Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you
Fill first 32 bytes with 0x00, then calculate SHA256 checksum and paste the new checksum as hex value at the first 32 bytes.
hikari_calyx said:
Fill first 32 bytes with 0x00, then calculate SHA256 checksum and paste the new checksum as hex value at the first 32 bytes.
Thank you for taking the time to explain, great help and great effort, the last byte should be altered to 1 ? Or 0 ?
awab228 said:
Thank you for taking the time to explain, great help and great effort, the last byte should be altered to 1 ? Or 0 ?
1 for allow, 0 for disallow
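The checksum layout described in the replies above, as an added example that is not part of the original posts: a Python check for a dumped config image that recomputes the SHA-256 with the first 32 bytes zeroed, compares it with the stored value, and reports the last-byte flag. It assumes the digest is stored as 32 raw bytes; `inspect_config` and `make_sample` are hypothetical names, and the sample image is constructed, not a device dump.

```python
import hashlib
import sys

DIGEST_LEN = 32  # per the post: the checksum occupies the first 32 bytes


def compute_digest(image: bytes) -> bytes:
    """SHA-256 of the image with its first 32 bytes treated as 0x00."""
    if len(image) <= DIGEST_LEN:
        raise ValueError("image is too small to hold a digest and a flag byte")
    return hashlib.sha256(bytes(DIGEST_LEN) + image[DIGEST_LEN:]).digest()


def inspect_config(image: bytes) -> dict:
    """Report digest validity and the OEM-unlock flag of a config image."""
    expected = compute_digest(image)
    stored = image[:DIGEST_LEN]
    flag = image[-1]  # per the post: 1 = allow, 0 = disallow
    return {
        "size": len(image),
        "stored_digest": stored.hex(),
        "computed_digest": expected.hex(),
        "digest_valid": stored == expected,
        "oem_unlock_flag": flag,
        "flag_well_formed": flag in (0, 1),
        "oem_unlock_allowed": flag == 1,
    }


def make_sample(size: int = 4096, flag: int = 0) -> bytes:
    """Constructed sample image: zero payload, flag byte, matching digest."""
    body = bytearray(size)
    body[-1] = flag
    body[:DIGEST_LEN] = compute_digest(bytes(body))
    return bytes(body)


if __name__ == "__main__":
    # Pass the path of a dumped config image, or run without arguments
    # to inspect the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = make_sample(flag=1)
    for key, value in inspect_config(data).items():
        print(f"{key}: {value}")
```

An image whose last byte was changed without recomputing the digest reports `digest_valid: False`, which is why the post treats the checksum step as mandatory.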
do you have any fastboot rom or rawxml rom for this device ??
mine always reboot in bootloader mode.
malkabhai said:
do you have any fastboot rom or rawxml rom for this device ??
mine always reboot in bootloader mode.
We have full OTA zip of it.
You can use payload dumper + img2simg to convert it to fastboot images. If recovery mode is working (including unofficial TWRP), you can also reboot your phone to recovery mode to sideload it.
PAN-141B-0-00WW-B03-update.zip
I was able to use "OEM Unlocking" from developer options and after starting at step 3, to obtain a full unlock. After I was also able to fully root my phone using the normal guide. I am running the latest security update (October 5 2019). No idea why this worked for me...
Hello,
I've got the Nokia 3.2 16gb variant. I can get it into edl mode but it seems to be in Sahara mode. How can I put it into firehose mode? Because I can't load anything using qfil.
Any help?
Missing pads
Any idea where these pads could be now? That does not seem to be there anymore?
Missing testpoint pads
piteer1 said:
Any idea where these pads could be now? That does not seem to be there anymore?
I have the same problem. Thanks in advance.
I don't see those test point in my mobile
Hi, does this work for Nokia 6.1 plus TA-1083? or do you have any trick for this too?
I am able to load phone in EDL Mode by making EDL Points short.
Just in case you read my comment, I have a emmc problem post, if you can help -
https://forum.xda-developers.com/nokia-6-1-plus/help/nokia-6-1-plus-edl-mode-emmc-failure-t4114507
Hi,
New NSS beta is available for download. It will implement installing and restoring
of the bootloader as single click solution. Although the Qcom loader could be
installed via normal flashing, it is much easier this way. Also recovery is intended
to save manual hex editing or cmd line commands.
1. Download the new version
2. Extract to a folder, start the program
3. Insert the 2 loaders in \loaders\special\wp7\ - the Qualcomm file: RM803_12w07_prod_generic_nokia_osbl.esco,
posted by xorizont here , second file: RM803_11w48_prod_raw_nokia_osbl.bin attached (unzip first)
4. Go to Flashing->WP7 Tools
You are ready to play. Quick description:
- Read PMM button - reads the PMM partition with Nokia specific values(product
code, MAC addresses, etc.), you can edit in the boxes
- Write PMM button - writes back to the partition a selected value (via Update
checkbox)
Install button - use this to quickly install Qcom loader on 710(no way to load on
800 as the cert is checked)
Parse FS button - you can use this to test NSS partition parser and compare
against 3rd party tool, to make sure something catastrophically wrong will not
happen during recovery
Restore button - This will attempt to recover the Nokia production loader (so called DLOAD)
via raw NAND write into partition 2 of the connected phone. Make
sure you start in Normal mode as NSS will need to check phone type and battery
value (to make sure wrong file is not written to 800, or if the battery is critically
low)
Please keep in mind, this is a Beta version, it has been tested only on one phone
and is possible to be a major phone killer, so tread lightly. It is offered as it is,
with the hope of being useful, and I can't be held responsible for fatal results.
My best recommendation is to check the partitions after write/recovery with
3rd party tool and make sure all is ok before restarting the phone power. All this
until some recovery method is found (if somebody has found flashing routines in
SECBOOT or other loader, pls PM me).
BR, Chris
Thanks for this nice tool!
I just wanted to stress that:
- Read PMM button - reads the PMM partition with Nokia specific values(product
code, MAC addresses, etc.), you can edit in the boxes
- Write PMM button - writes back to the partition a selected value (via Update
checkbox)
Are only possible when the phone has the qualcomm loader right? Because only then it's possible to overwrite the values using the NAND access mode (Qualcomm MSD).
Hi,
Yes, only in NAND mode, on phones that have it. If you have Nokia DLOAD loader
and not hacked phone, you can only read those value via JSON call to NCSD appl.
There isn't any method coded to change them in Normal mode(at least i did not
find one yet).
BR
Bph&co said:
Hi,
Yes, only in NAND mode, on phones that have it. If you have Nokia DLOAD loader
and not hacked phone, you can only read those value via JSON call to NCSD appl.
There isn't any method coded to change them in Normal mode(at least i did not
find one yet).
BR
It's good to see there is now a userfriendly way of doing stuff like this. Thanks again
now all we need is a tool to write an .nb file with one click. can one do it?
mariosraptor said:
now all we need is a tool to write an .nb file with one click. can one do it?
To be honest i have no idea how that exactly works - is there a need for a file
system parser and proper replacing of a file, or just writing to a const location
in the last partition.
The mount never worked on my Ubuntu install(and i am complete Linux newbie).
Bph&co said:
To be honest i have no idea how that exactly works - is there a need for a file
system parser and proper replacing of a file, or just writing to a const location
in the last partition.
The mount never worked on my Ubuntu install(and i am complete Linux newbie).
Thanks God. there is someone else like me in linux.( humor, no offense ofcourse ;-) )
mate i have no idea how it works. nobody wants to write a very accurate tutorial.
not being able to flash the custom rom was the reason that i reverted my bootloader.
To unlock bootloader I used to NCS and firmware posted by xorizont. So how make connection under Windows7 before flash xorizont's firmware if Nokia is in DLOAD mode?
this is very helpful for many people to get to qualcomm on 710!
+1
So You are able to load Qualcomm B. via NSS even if on the moment I have got DLOAD?
Hi,
New Beta - 0.47.1 - with ability to write modded OS files(.nb).
OS File button - select .nb file
Write OS button - loads the file onto the last partition (change to OSBL mode first)
As with the previous beta - make sure you check the partition parser for errors.
Write will be verified, but not the exact write address, so maybe good to have a
look with WinHex before restarting the phone.
BR
Already a new version, you're working hard man! ;-)
So if i understand correctly, you have automated the process of 'block writing' (which without this tool requires using dd) the created custom roms to the correct partition on the Lumia?
Of course this requires Qualcomm bootloader; for the 710 your tool can load this even if the phone currently has the newer Nokia DLOAD.
Hi,
Yes, i work even in my sleep. Right now killing myself with the baseband diss, but
decided to have a break and make this.
It seems the OsBuilder creates raw partition image, to fit exactly into the OS part
of the NAND chip. So all i do is open the usb device as physical disk, parse the
partition structure and do a low level read/write to absolute addresses.
Yes, it is mostly for 710, but write OS function should be working for 800 with
Qcom loader too, just can't test it as i don't have such phone.
Also the Install/Recovery should work forever on a 710, unless Nokia/MS release
some updated bootloader that somehow prevents loading of the signed Qcom
loader and the user does a full flash (or via sneak Zune update) and overwrite
the current DLOAD loader.
BR
Bph&co said:
Hi,
New Beta - 0.47.1 - with ability to write modded OS files(.nb).
OS File button - select .nb file
Write OS button - loads the file onto the last partition (change to OSBL mode first)
oh man you are a superstar. you did what i said it was missing. no more (hopefully) screwed phones.
@Mods please make this sticky.
Amazing tool!
I just used it to load Full Unlock Image for Lumia 710 by lucifer3006!
No more linux stuff needed, this is great and almost one-click windows solution!
Thank you!
When we are talking about copying the modded nb file into the partition, you mean sdx9 is the default partition?
Hi,
The sdb thingi is something from Linux. On low level there are 4 primary partitions
in MBR, all the rest are logical, so the last entry in MBR points to the first logical one,
that for itself contains primary part and next one is logical as well. The last entry
in this linked list is the OS partition.
BR
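The partition chain described in the post above, as an added example that is not part of the original post and is not NSS code: a Python walker that follows the MBR's extended entry through each logical-partition record and returns the last one, so its absolute offset can be cross-checked before any raw write. It assumes a standard MBR/EBR layout with 512-byte sectors; the disk image and partition type values are constructed for illustration.

```python
import struct

SECTOR = 512                    # assumed sector size
EXTENDED_TYPES = {0x05, 0x0F}   # partition types that link to an EBR


def read_entries(sector: bytes):
    """Return the four (type, start_lba, sector_count) table entries."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("sector has no 0x55AA signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        lba, count = struct.unpack_from("<II", sector, off + 8)
        entries.append((sector[off + 4], lba, count))
    return entries


def list_partitions(disk: bytes):
    """Primary partitions first, then the logical ones in chain order."""
    total = len(disk) // SECTOR
    parts, ext_base = [], None

    def add(kind, ptype, start, count):
        if start + count > total:
            raise ValueError(f"{kind} partition at LBA {start} runs past the disk")
        parts.append({"kind": kind, "type": ptype, "start": start, "sectors": count})

    for ptype, lba, count in read_entries(disk[:SECTOR]):
        if ptype in EXTENDED_TYPES:
            ext_base = lba
        elif ptype != 0:
            add("primary", ptype, lba, count)

    ebr, seen = ext_base, set()
    while ebr is not None:
        if ebr in seen:
            raise ValueError("EBR chain loops back on itself")
        seen.add(ebr)
        first, link = read_entries(disk[ebr * SECTOR:(ebr + 1) * SECTOR])[:2]
        if first[0] != 0:
            # Logical partition start is relative to its own EBR sector.
            add("logical", first[0], ebr + first[1], first[2])
        # The link to the next EBR is relative to the first EBR.
        ebr = ext_base + link[1] if link[0] in EXTENDED_TYPES else None
    return parts


def os_partition(disk: bytes):
    """Per the post, the OS partition is the last entry of the chain."""
    logical = [p for p in list_partitions(disk) if p["kind"] == "logical"]
    if not logical:
        raise ValueError("no logical partitions found")
    return logical[-1]


def build_table(entries):
    """Constructed MBR/EBR sector holding the given (type, lba, count) entries."""
    sec = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sec, 446 + 16 * i, 0, ptype, lba, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def make_sample_disk() -> bytes:
    """Constructed 100-sector disk: 3 primaries, then 2 chained logicals."""
    disk = bytearray(100 * SECTOR)
    disk[0:SECTOR] = build_table(
        [(0x0C, 1, 9), (0x0C, 10, 10), (0x0C, 20, 20), (0x05, 40, 60)])
    disk[40 * SECTOR:41 * SECTOR] = build_table([(0x0C, 1, 19), (0x05, 20, 40)])
    disk[60 * SECTOR:61 * SECTOR] = build_table([(0x0C, 1, 39)])
    return bytes(disk)


if __name__ == "__main__":
    sample = make_sample_disk()
    for part in list_partitions(sample):
        print(part)
    last = os_partition(sample)
    print("last logical partition starts at byte", last["start"] * SECTOR)
```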
1. OK I went through this. Tell me please how is possible to unlock bootloader if Lumia is in DLOAD mode? NSS can't recognize WP in this mode.
2. In case of relocking bootloader did I need copy Your specific RM803_11w48_prod_raw_nokia_osbl.bin or download an from navifirm?
I hope it's add backup and restore the "DPP.BIN" function!
like this!
Thank you very much!
djtonka said:
1. OK I went through this. Tell me please how is possible to unlock bootloader if Lumia is in DLOAD mode? NSS can't recognize WP in this mode.
2. In case of relocking bootloader did I need copy Your specific RM803_11w48_prod_raw_nokia_osbl.bin or download an from navifirm?
Hi,
1 - Maybe you have Zune running and NSS can't open the port ? Use the kill Zune
services option in NSS please
2 - Yes this specific loader is needed (its extract from an original file) and is hash
checked before writing to the second partition to prevent dead phones
BR
This is the stock Rom of N & M for Yoga Book LTE & WIFI for the needers
if any dev want to help me developing a dual boot for Yoga Book, just PM me or join Telegram Group for Yoga Book devs and users:
MOD EDIT: LINK REMOVED
Press the Thanks button if that helps you
How to install it:
Be careful, these steps will erase all your data on tablet and will downgrade rom (stock marshmallow)
First of all: read and understand all of the instructions.
1. Download the stock ROM
https://cloud.kolyandex.su/index.php/s/4WDt6ghOzHAyP4s (Nougat WiFi version)
https://easy-firmware.com/home/browse/category/id/19521/ (Marshmallow LTE version)
https://androidfilehost.com/?fid=817550096634799507 (Marshmallow WiFi version)
2. Extract it to some folder
3. Download Intel Platform Tool Lite from here: https://01.org/android-ia/downloads/intel-platform-flash-tool-lite
4. Install Intel Platform Tool Lite
4. Boot into fastboot mode
5. Run Intel Platform Tool Lite
6. Make sure your tablet is recognized by the tool (otherwise you need to enable USB-debug in Developer settings)
7. Select "flash_update_from_eng.json" from folder in (2)
8. Push "start to flash"
9. Wait... (You should check tablet's screen in order to lock/unlock bootloader (it should be locked after flash in order to install OTA updates))
10. Reboot tablet
11. Your keyboard might not work: that is normal (just use on-screen keyboard for now)
12. After initial setup: open Contacts app, create new one (if there are no contacts yet), tap search and enter ####6020#
13. Choose your region
14. Reboot
15. Setup again (now halo should work)
16. Go into settings -> about -> updates and update till the last version (may take several hours)
17. Say thanks for alexjustes for his Amazing Steps
Thank you so much for posting this!
Have you tried flashing this through @danjac's TWRP build? I know trying to restore any nandroid backup made after the OTA upgrade to Nougat results in a boot loop.
beltani said:
Thank you so much for posting this!
Have you tried flashing this through @danjac's TWRP build? I know trying to restore any nandroid backup made after the OTA upgrade to Nougat results in a boot loop.
Unfort. no, because i dont have a YB Android Version, i have win ver.
THE MAXIMUM POWER said:
Unfort. no, because i dont have a YB Android Version, i have win ver.
I'm 99% sure this isn't flashable in custom recovery, at least without some modification and repackaging. It's a package designed for Intel Phone Flash Tools.
Still a huge asset, though, so thanks again!
beltani said:
I'm 99% sure this isn't flashable in custom recovery, at least without some modification and repackaging. It's a package designed for Intel Phone Flash Tools.
Still a huge asset, though, so thanks again!
Same, it can only flashed through fastboot mode
I got myself into quite the pickle today. I've been considering selling my Yogabook to switch to a Chromebook 2-in-1. I wanted to get the device back to as full vanilla as possible. I "thought" the first step was to lock the bootloader again and then do a full factory reset, apparently not... After booting back up from locking the bootloader I kept getting an Intel "bootloader error code 01" and Android would not start. It would take me to fastboot mode on its own but I was unable to use the power button to make a selection and the device would just power off after 5 minutes. Thankfully from there or fore powering off I could hold Volume up on startup and get to fastboot manually or recovery. It being in a locked state now though I couldn't do much of anything else, no flashing anything other than loader, no format, no erase, and TWRP was not able to be booted.
Anyway I finally read a post about DNX mode and how to get to it, but nothing on how to really use it or any decent information imho. After finally finding some users on another part of the forum discussing a DNX flashing tool made for their devices HTC I went searching for a tool for the Lenovo. Lenovo has nothing for this (shame on you Lenovo!) but Intel does have it and it can be used with the recovery image posted above in this thread (and I assume all the others running around). And here is the URL for the tool
https://01.org/android-ia/downloads/intel-platform-flash-tool-lite
You just have to load a valid JSON file containing the proper config information for the ROM you are flashing within the Intel tool. For this particular version of the ROM I did have to modify the "flash_recover_dnx.json" file to remove this section
Code:
{
"duration" : 5000,
"restrict" : null,
"tool" : "sleep"
},
Otherwise the flash tool would not load it due to a bad tool from this JSON config named "tool". No other changes to the settings of the Intel flashing tool were needed.
Just click "Start to Flash" and once it was done all was well. Took a little over five minutes, it unlocked, flashed, and locked the device again itself.
No more Intel error stating the device isn't secure every reboot. I did lose all my data that was on it doing this but I wasn't worried about that going into it.
After initial setup in Android I did have to do the trick noted here to get the Halo keyboard working again which then required initial setup once more.
Hope this helps others.
@MarkAllen, thank you for your valuable information. This will help people unbrick their devices.
MarkAllen said:
I got myself into quite the pickle today. I've been considering selling my Yogabook to switch to a Chromebook 2-in-1. I wanted to get the device back to as full vanilla as possible. I "thought" the first step was to lock the bootloader again and then do a full factory reset, apparently not... After booting back up from locking the bootloader I kept getting an Intel "bootloader error code 01" and Android would not start. It would take me to fastboot mode on its own but I was unable to use the power button to make a selection and the device would just power off after 5 minutes. Thankfully from there or fore powering off I could hold Volume up on startup and get to fastboot manually or recovery. It being in a locked state now though I couldn't do much of anything else, no flashing anything other than loader, no format, no erase, and TWRP was not able to be booted.
Anyway I finally read a post about DNX mode and how to get to it, but nothing on how to really use it or any decent information imho. After finally finding some users on another part of the forum discussing a DNX flashing tool made for their devices HTC I went searching for a tool for the Lenovo. Lenovo has nothing for this (shame on you Lenovo!) but Intel does have it and it can be used with the recovery image posted above in this thread (and I assume all the others running around). And here is the URL for the tool
https://01.org/android-ia/downloads/intel-platform-flash-tool-lite
You just have to load a valid JSON file containing the proper config information for the ROM you are flashing within the Intel tool. For this particular version of the ROM I did have to modify the "flash_recover_dnx.json" file to remove this section
Code:
{
"duration" : 5000,
"restrict" : null,
"tool" : "sleep"
},
Otherwise the flash tool would not load it due to a bad tool from this JSON config named "tool". No other changes to the settings of the Intel flashing tool were needed.
Just click "Start to Flash" and once it was done all was well. Took a little over five minutes, it unlocked, flashed, and locked the device again itself.
No more Intel error stating the device isn't secure every reboot. I did lose all my data that was on it doing this but I wasn't worried about that going into it.
After initial setup in Android I did have to do the trick noted here to get the Halo keyboard working again which then required initial setup once more.
Hope this helps others.
Thank You for the INFOS
The tool does not recognized my device
Please help to flash my yoga book.
Got these with the stock .json file as described above:
06/18/18 12:00:01.188 ERROR : No description value in command sleep
06/18/18 12:00:01.188 ERROR : Cannot create command with tool "sleep"
06/18/18 12:00:01.188 ERROR : Tool sleep not found or invalid tool configuration
Opened that file in notepad and deleted the sleep section - started flashing.
The usb drivers are definitely required, I lost the connection because they weren't loaded. I installed them and refreshed device manager and she started receiving the flash.
Used Win7 to flash also, the intel page says its not supported.
Flash success and locked bootloader after entering the country code - thanks very much all!
jeitana said:
Please help to flash my yoga book.
Try installing Android SDK drivers on your PC
Guys, if anyone faced a problem during his way to flash the ROM, PLZ tell me the problems with more details
_Deeb0_ said:
Got these with the stock .json file as described above:
06/18/18 12:00:01.188 ERROR : No description value in command sleep
06/18/18 12:00:01.188 ERROR : Cannot create command with tool "sleep"
06/18/18 12:00:01.188 ERROR : Tool sleep not found or invalid tool configuration
Opened that file in notepad and deleted the sleep section - started flashing.
The usb drivers are definitely required, I lost the connection because they weren't loaded. I installed them and refreshed device manager and she started receiving the flash.
Used Win7 to flash also, the intel page says its not supported.
Flash success and locked bootloader after entering the country code - thanks very much all!
Is this compatible with the Yoga Book A12?
I have been away for a while. Why should I want to install this rom?
Ok I wanted to reset this tablet because the SystemUI app was using %25 of the cpu constantly, I do not know when and how this piece of **** got to that level of crappy update, must be some google crap
- Can I unlock the OEM bootloader?
- Can I still use the twrp->Magisk method to root this?
thanks
Shawnki91 said:
Is this compatible with the Yoga Book A12?
Sorry but no
hajkan said:
I have been away for a while. Why should I want to install this rom?
No Need to reinstall this Rom if you have already your System, both are 100 % same
hajkan said:
Ok I wanted to reset this tablet because the SystemUI app was using %25 of the cpu constantly, I do not know when and how this piece of **** got to that level of crappy update, must be some google crap
- Can I unlock the OEM bootloader?
- Can I still use the twrp->Magisk method to root this?
thanks
Reinstall the Rom will fix this, but doing factory reset will fix this too
In case anyone wants the wifi only M firmware here it is https://androidfilehost.com/?fid=817550096634799507
If you want to repost this guide to other websites, please let me know before you repost.
For Chinese users: the Chinese version of this guide will be published on dospy.
So after you unlock the bootloader successfully, you definitely want to install custom ROM, or at least root the phone, right?
Here's the guide about rooting Nokia 3.2 / 4.2.
This guide could probably work on Nokia 6.2 / 7.2 in the future.
Step 1: Unlock the bootloader
https://forum.xda-developers.com/nokia-4-2/how-to/guide-how-to-unlock-bootloader-nokia-4-2-t3962402
For Nokia 3.2, you'll need to read this as well: https://forum.xda-developers.com/nokia-3-2/how-to/guide-how-to-trigger-nokia-3-2-to-edl-t3962841
Step 2: Acknowledge current slot
You have two methods.
Method 1: After USB debugging enabled, execute this command:
Code:
adb shell getprop ro.boot.slot_suffix
Method 2: Under fastboot mode, execute this command:
Code:
fastboot getvar current-slot
We assume the current slot is b.
Step 3: Trigger the phone to EDL mode again
There's a hidden command in aboot known as "fastboot reboot-emergency".
However, normal fastboot binary doesn't have that command at all, so we need to compile a binary or hack the binary.
For Windows users, I've provided the fastboot binary that can use this command, and I renamed it to edl-fastboot.exe. You can download it on the attachment below.
For macOS/Linux distro users, I'm afraid you have to fork the source code, edit related content and compile yourself.
So with this special version of fastboot binary, we can boot the phone to EDL mode directly:
Code:
edl-fastboot.exe reboot-emergency
But wait, why didn't you mention this command when you released bootloader unlock guide?
That's because, if you attempt to use this command under locked bootloader, bootloader will respond "Permission denied, auth needed. " and refuse to process the command.
I don't know how the authentication is done yet, but it's definitely not something that average developers can access to.
Step 4: Use partition manager to dump the partition
If you've come this far when unlocking the bootloader, you already know the great partition manager.
Still, we assume the COM port number is 8 (COM8).
When the partition list appears, find "boot_b" (or boot_a if the current slot is a), right click on it, choose "Manage Partition Data" and click "Read Data". Then fh_loader binary will dump the boot image to your PC.
For Windows users, it's located at
Code:
%AppData%\Qualcomm\QFIL\COMPORT_8
Where %AppData% is actually C:\Users\your_user_name\AppData\Roaming .
The filename looks like this: ReadData_emmc_Lun0_0x3a000_Len65536_DT_07_09_2019_13_55_54.bin
Now close the partition manager; your phone will exit EDL mode and boot normally.
If you're interested in dumping full eMMC storage, you may want to read this: https://forum.xda-developers.com/android/general/guide-how-to-dump-write-storage-t3949588
Step 5: Install Magisk Manager and patch the boot image you dumped
I think everyone who is reading this guide knows where to download Magisk Manager.
Copy the boot image you dumped with QFIL to Download directory in your phone's internal storage, and rename it to boot.img for your convenience.
In case you don't know how to patch, read this guide: https://topjohnwu.github.io/Magisk/install.html#boot-image-patching
Step 6: Flash the patched boot image and reinstall Magisk for assurance
After you have pulled the patched boot image from your phone, reboot your phone to fastboot mode, then execute these commands:
Code:
fastboot flash boot magisk_patched.img
fastboot reboot
Note, the temporary boot method introduced back for old A/B devices like Nokia 7 Plus no longer works on Nokia 3.2 / 4.2 - it will boot your phone to Qualcomm 900E mode.
Once your phone has booted to the normal OS, open Magisk Manager, and reinstall Magisk and the required runtime to make the root much more effective.
You may want to read this guide if you want to inherit root along with OTA update: https://topjohnwu.github.io/Magisk/tutorials.html#ota-installation
Extra info about custom rom:
I've tested PHH-Treble GSI on Nokia 4.2 and it made me disappointed.
The vendor compatibility is worse than FIH made Android Phones.
You may want to read this for more details: https://github.com/phhusson/treble_experimentations/wiki/Nokia-4.2
Next preview: Stock firmware reinstallation guide. Note, Nokia 3.2 / 4.2 are not made by FIH, so OST LA no longer works on both devices.
Special thanks:
@topjohnwu for Magisk
Wingtech for leaking prototype units
Reserved
not detected
My PC doesn't detect the phone when it's in EDL mode. Before people start asking: I unlocked the bootloader by enabling OEM unlock in the phone settings.
I have a TA-1156 (a 3.2 variant) that has a different mainboard layout. For quite a while, I tried in vain to bring it into EDL mode - until I just tried the fastboot command "flash unlock" which worked.
I guess I should have tried that right away as I did have the OEM unlocking option in the developer setup.
Anyway, now I'm unlocked but can't access the partitions with the QFIL partition manager. I suspect the phone expects a different programmer than prog_emmc_firehose_8937_ddr.
I can enter EDL mode easily now with the patched fastboot exe. The correct driver is active and QFIL detects the phone. However, as soon as I follow the instructions by setting the programmer, and then try to start the partition manager, the phone stops responding.
After a while, I get a "sahara" error about no reply from the phone.
I wonder if someone has a stock boot.img of the Nokia 3.2 (build 00EEA) lying around ...
Here is someone else's photo of the mainboard (I just realized that it's actually from hikari_calyx!) but on mine, the right one of the test points you marked in your 3.2 variant does not exist, so I edited it out in the photo:
JFDee said:
Anyway, now I'm unlocked but can't access the partitions with the QFIL partition manager. I suspect the phone expects a different programmer than prog_emmc_firehose_8937_ddr.
My guess was right. Now I'm able to reply to myself with a solution.
I tried a different prog_emmc_firehose_8937_ddr than the one provided by @hikari_calyx in the unlock thread
There is a programmer with the same name in this firmware:
sprout-015B-0-00WW-B01 .rar
It's provided by @bouyhy01 in his rooting thread.
The size of the programmer file is slightly different:
Code:
hikari_calyx: 428,936 bytes
Firmware: 428,944 bytes
Long story short: the different programmer worked in QFIL, so the partition manager worked as well, I got my own boot image, patched, flashed and had root - finally ... Thanks for all the research work, hikari_calyx and bouyhy01 !
Attached is the working programmer file, in case anyone else stumbles upon the same problem. By the way, my phone has the October security patch installed which is currently the latest available.
View attachment prog_emmc_firehose_8937_ddr_from_fw.zip
.
JFDee said:
Here is someone else's photo of the mainboard (I just realized that it's actually from hikari_calyx!) but on mine, the right one of the test points you marked in your 3.2 variant does not exist, so I edited it out in the photo:
View attachment 4867461
I guess the only point can be connected to the ground, for example, the RF shield is grounded.
JFDee said:
Attached is the working programmer file, in case anyone else stumbles upon the same problem. By the way, my phone has the October security patch installed which is currently the latest available.
View attachment 4869373
Thanks for the info. My Nokia 3.2 is a prototype unit, so I don't know the situation of other versions of Nokia 3.2.
Hello, I have tried this manual for rooting the Nokia 4.2 with the last security update of the 5th of November. After step 5 (flashing the patched boot image) my phone tried to reboot and then asked for a factory reset (Can't load android system - Your data may be corrupt). After the factory reset there was no root at all.
What can I do next?
PS. It's strange enough: when I downloaded the boot_b image it was 63.4 Mb, and when I patched it with Magisk Manager, the size of magisk_patched.img became 10.2 Mb
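Added example, not part of the guide or of any post in this thread: a raw partition dump is as large as the whole boot partition, while the boot image stored in it is only as large as its header says, so a dump and a repacked image can differ in size. The sketch below reads the AOSP boot image header (versions 0 to 2) to check a dump before patching it; the function names and the sample bytes are constructed for illustration.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Head shared by header versions 0-2: magic followed by ten little-endian u32s.
_HEAD = struct.Struct("<8s10I")
_OFF_RECOVERY_DTBO_SIZE = 1632   # u32, present when header_version >= 1
_OFF_HEADER_SIZE = 1644          # u32, present when header_version >= 1
_OFF_DTB_SIZE = 1648             # u32, present when header_version >= 2
_HEADER_LEN = {0: 1632, 1: 1648, 2: 1660}


class BootImageError(ValueError):
    """Raised when a dump does not hold a usable v0-v2 boot image."""


def _pages(size, page_size):
    """Round size up to a whole number of pages."""
    return (size + page_size - 1) // page_size * page_size


def inspect_boot_dump(dump):
    """Validate a boot partition dump and report how much of it is image."""
    if len(dump) < _HEAD.size:
        raise BootImageError("dump is shorter than a boot image header")
    (magic, kernel_size, _kernel_addr, ramdisk_size, _ramdisk_addr,
     second_size, _second_addr, _tags_addr, page_size, version,
     _os_version) = _HEAD.unpack_from(dump, 0)
    if magic != BOOT_MAGIC:
        raise BootImageError("missing ANDROID! magic: not a boot image")
    if version not in _HEADER_LEN:
        raise BootImageError(f"header version {version} not handled here")
    if len(dump) < _HEADER_LEN[version]:
        raise BootImageError("dump ends inside the header")
    if page_size == 0 or page_size & (page_size - 1):
        raise BootImageError(f"implausible page size {page_size}")

    # Every section starts on a page boundary, in this order.
    sections = [kernel_size, ramdisk_size, second_size]
    if version >= 1:
        sections.append(struct.unpack_from("<I", dump, _OFF_RECOVERY_DTBO_SIZE)[0])
    if version >= 2:
        sections.append(struct.unpack_from("<I", dump, _OFF_DTB_SIZE)[0])
    payload = _pages(_HEADER_LEN[version], page_size)
    payload += sum(_pages(size, page_size) for size in sections)

    if payload > len(dump):
        raise BootImageError(
            f"header describes {payload} bytes but dump has {len(dump)}: truncated read")
    return {
        "header_version": version,
        "page_size": page_size,
        "kernel_size": kernel_size,
        "ramdisk_size": ramdisk_size,
        "payload_size": payload,
        # Space between the end of the image and the end of the partition.
        "trailing_bytes": len(dump) - payload,
    }


def build_sample_dump(partition_size=64 * 1024):
    """Constructed sample: a tiny v1 image placed in a 64 KiB 'partition'."""
    page = 2048
    header = bytearray(page)
    _HEAD.pack_into(header, 0, BOOT_MAGIC, 5000, 0, 3000, 0, 0, 0, 0, page, 1, 0)
    struct.pack_into("<I", header, _OFF_RECOVERY_DTBO_SIZE, 0)
    struct.pack_into("<I", header, _OFF_HEADER_SIZE, _HEADER_LEN[1])
    kernel = (b"K" * 5000).ljust(_pages(5000, page), b"\0")
    ramdisk = (b"R" * 3000).ljust(_pages(3000, page), b"\0")
    return (bytes(header) + kernel + ramdisk).ljust(partition_size, b"\0")


if __name__ == "__main__":
    info = inspect_boot_dump(build_sample_dump())
    for key, value in info.items():
        print(f"{key}: {value}")
```

To check a real dump, pass the bytes of the ReadData_*.bin file to inspect_boot_dump; a BootImageError means the file should not be patched or flashed.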
I have spent a couple days trying to root this phone using an exploit or similar now. What I've discovered so far is:
- Recovery, EDL, Fastbootd (without functions over USB) are all available
- Engineer Mode is available too, but not accessible without credentials
- Similar phones (Realme, OnePlus, other OPPOs) have supposedly been rooted using an "In-Depth Testing" APK
I'm not sure if using the APK on my own phone is a good idea, but I have tried reverse engineering it and have gotten as far as some other threads for other phones have. It seems like the lead ends there, but I don't think enough has been tried. My expertise with Android development is somewhat limited, but I found a couple lines of code that are interesting.
Java:
// This is the request sent to the server based on the status.
// for Realme:
if (this.myContext.getPackageManager().hasSystemFeature("oppo.version.exp")) {
    this.myString = "https://lkf.realmemobile.com/realme/v1/";
} else {
    this.myString = "https://lk.realmemobile.com/realme/v1/";
}
switch (((Integer) intent.getExtras().get("MessengerFlag")).intValue()) {
    case 1000:
        this.myString += "applyLkUnlock";
        break;
    case 1001:
        this.myString += "checkApproveResult";
        break;
    case 1002:
        this.myString += "updateLockStatus";
        break;
    case 1003:
        this.myString += "acquireClientStatus";
        break;
    case 1004:
        this.myString += "closeApply";
        break;
    case 1005:
        this.myString += "acquireApplyStatus";
        break;
}

// For ColorOS:
this.requestUrl = "https://ilk.apps.coloros.com/api/v2/";
switch ((Integer) intent.getExtras().get("MessengerFlag")) {
    case 1000:
        this.requestUrl += "apply-unlock";
        break;
    case 1001:
        this.requestUrl += "check-approve-result";
        break;
    case Constants.USERCENTER_PLUGIN_ID /*{ENCODED_INT: 1002}*/:
        this.requestUrl += "update-client-lock-status";
        break;
    case 1003:
        this.requestUrl += "get-all-status";
        break;
    case 1004:
        this.requestUrl += "lock-client";
        break;
}

// Based on the response data, it accesses an included class to do the fastboot unlock. The actual value of bArr is based on the response.
((Boolean) Class.forName("android.engineer.OppoEngineerManager").getMethod("fastbootUnlock", byte[].class, Integer.TYPE).invoke(null, bArr, Integer.valueOf(bArr.length))).booleanValue();

// In another function it calls this without a value included. I think this might be used to lock it again.
byte[] bArr = {0};
((Boolean) Class.forName("android.engineer.OppoEngineerManager").getMethod("fastbootUnlock", byte[].class, Integer.TYPE).invoke(null, bArr, 1)).booleanValue();

// OEM Unlock is done after fastboot unlock
((PersistentDataBlockManager) this.activityRef.getSystemService("persistent_data_block")).setOemUnlockEnabled(true);

// You can access engineerMode using this code
engineerMode: *#9434#
Most of this information is available elsewhere, but those threads have stopped working on it. I think it would be worth trying to get a hand on the android.engineer.OppoEngineerManager package and check the fastbootUnlock function. Intercepting the values sent by a successful request might also be useful. If that works, one could probably easily create an APK to do this on any phone.
Is there anyone knowledgeable enough to do this?
I'm not knowledgeable enough but I hope you find answers.
I have an Oppo too (A15) and so far I haven't been able to unlock the bootloader but I'm sure there's a way.
"Unlock OEM" is enabled in the developer mode, but when I plug my phone in fastboot, it says the bootloader is locked.
I'm trying to find a solution to the message "unable to open fastboot HAL"
According to this: "Many of these commands are from OEMs and are documented but require a custom implementation. (Many commands are also OEM-specific and aren't documented). To handle such commands, the fastboot HAL specifies the required OEM commands and allows OEMs to implement their own commands."
So, I guess there's some special OEM command to unlock bootloader, the question is where? Android is open source, ColorOS is open source (but I don't know if ColorOS has anything to do with the bootloader for that matter), so there's a solution, somewhere.
I read somewhere that you need all passwords and locking to be disabled in order to unlock bootloader. I removed all passwords, but it didn't help.
I've also noticed some options that might help, in the developer mode: "do not use lockscreen" and, at the very bottom "disable permission monitoring".
But I haven't tried yet.
This is what I get when I use the "fastboot getvar all" command:
There's probably something useful in it, but I don't know what.
I've gotten as far as that too. I believe that OPPO has somehow created a custom unlocking mechanism for the bootloader / fastboot that is accessed by custom APK. I'm not sure how it gets the rights to do it, but maybe there's a way and then the token is used to authenticate.
They must have a way to unlock it. If the package they use is somehow accessible, it should be possible to reverse engineer. Or somehow intercept the response sent by the server and figure out how the byteArray that they send to the class method is constructed.
If what you quoted is true and there might be some custom OEM commands, has anyone tried bruteforcing those?
It should be noted that the kernel is also open source. I have no idea where the bootloader would be or its unlocking mechanism, but considering that we have a boot.img that we can open up, an open source os, open source kernel, open source launcher, there must be something somewhere.
I've followed this tutorial to decrypt the ozip file from here with oppo_ozip_decrypt
It seems to work, but the output zip file is only 45 MB, while the original ozip is like 3 GB...
From the same author, this tool seems interesting but I don't know how to use it.
If you understand Spanish, you may give this tutorial a try. It didn't work for me, but who knows?
Their tool mtkroot is very easy to use. I only recommend you upgrade the files (adb.exe, fastboot.exe...) in MTKroot 2.5.8\DATA and the one in MTKroot 2.5.8\DATA\app.
rootinhoppo said:
I've followed this tutorial to decrypt the ozip file from here with oppo_ozip_decrypt
It seems to work, but the output zip file is only 45 MB, while the original ozip is like 3 GB...
From the same author, this tool seems interesting but I don't know how to use it.
If you understand Spanish, you may give this tutorial a try. It didn't work for me, but who knows?
Their tool mtkroot is very easy to use. I only recommend you upgrade the files (adb.exe, fastboot.exe...) in MTKroot 2.5.8\DATA and the one in MTKroot 2.5.8\DATA\app.
You should try decrypting the .ofp full firmware images.
rootinhoppo said:
If you understand Spanish, you may give this tutorial a try. It didn't work for me, but who knows?
Their tool mtkroot is very easy to use. I only recommend you upgrade the files (adb.exe, fastboot.exe...) in MTKroot 2.5.8\DATA and the one in MTKroot 2.5.8\DATA\app.
I do understand Spanish, but I don't really trust their tool. I would like to see the source code before using it on my phone or executing it on my PC for that matter. It looks fairly legit but I still don't expect it to work.
The other tool you showed seems cool too, but I think it'd require the bootloader to be unlocked. It's only for rooting.
linccracker said:
You should try decrypting the .ofp full firmware images.
There are no .ofp firmware images available, are there? It's only OZIP update images which are provided by OPPO. Would it be possible to take an .ofp file from one of the similar Realme phones and somehow find the OppoEngineer package there to reverse engineer? They use it too in their unlockers.
Bobgle said:
I do understand Spanish, but I don't really trust their tool. I would like to see the source code before using it on my phone or executing it on my PC for that matter. It looks fairly legit but I still don't expect it to work.
The other tool you showed seems cool too, but I think it'd require the bootloader to be unlocked. It's only for rooting.
There are no .ofp firmware images available, are there? It's only OZIP update images which are provided by OPPO. Would it be possible to take an .ofp file from one of the similar Realme phones and somehow find the OppoEngineer package there to reverse engineer? They use it too in their unlockers.
It's the same firmware updates as cph2059, so search Google for "oppo cph2059 ofp firmware"
linccracker said:
It's the same firmware updates as cph2059, so search Google for "oppo cph2059 ofp firmware"
I can only find OZIPs and scams.
Bobgle said:
I can only find OZIPs and scams.
Here is a gdrive link
CPH2059export_11_C.22_202102181659__GsmMafia.Com.zip
drive.google.com
Bobgle said:
I do understand Spanish, but I don't really trust their tool. I would like to see the source code before using it on my phone or executing it on my PC for that matter.
I understand, I'd like to see the source code, too.
But I think it's harmless, or at least not malicious.
The fact that it doesn't require to be installed or to have admin rights is a good point. The fact that you can change everything you want from the \data folder and still use the mtkroot gui is another good point.
There's the apk rootbrowser that I'm not 100% sure of it (there might be some trackers in it). But other than that...
linccracker said:
Here is a gdrive link
CPH2059export_11_C.22_202102181659__GsmMafia.Com.zip
drive.google.com
Alright, thanks. Unfortunately, the conventional ofp decrypters can't do it. I think the decryption key is missing / faulty or maybe even the file itself. It'll just spit out a ton of 0kb files. I'm not experienced enough with encryption to fix this, any idea how to? I've had more success with the ozip decrypters in that regard.
Bobgle said:
Alright, thanks. Unfortunately, the conventional ofp decrypters can't do it. I think the decryption key is missing / faulty or maybe even the file itself. It'll just spit out a ton of 0kb files. I'm not experienced enough with encryption to fix this, any idea how to? I've had more success with the ozip decrypters in that regard.
GitHub - bkerler/oppo_decrypt: Oppo .ofp Firmware decrypter and oneplus .ops de-/encrypter
github.com
Try this
Try both extract and decrypt
I think reverse engineering this process alone may not help. Why? Because the OPPO deep testing officially requires a specific software version. It should most probably be an Engineering version of ColorOS.
rootinhoppo said:
I'm not knowledgeable enough but I hope you find answers.
I have an Oppo too (A15) and so far I haven't been able to unlock the bootloader but I'm sure there's a way.
"Unlock OEM" is enabled in the developer mode, but when I plug my phone in fastboot, it says the bootloader is locked.
I'm trying to find a solution to the message "unable to open fastboot HAL"
According to this: "Many of these commands are from OEMs and are documented but require a custom implementation. (Many commands are also OEM-specific and aren't documented). To handle such commands, the fastboot HAL specifies the required OEM commands and allows OEMs to implement their own commands."
So, I guess there's some special OEM command to unlock bootloader, the question is where? Android is open source, ColorOS is open source (but I don't know if ColorOS has anything to do with the bootloader for that matter), so there's a solution, somewhere.
I read somewhere that you need all passwords and locking to be disabled in order to unlock bootloader. I removed all passwords, but it didn't help.
I've also noticed some options that might help, in the developer mode: "do not use lockscreen" and, at the very bottom "disable permission monitoring".
But I haven't tried yet.
this is what I get when I use the "fastboot getvar all" command:
View attachment 5399469
There's probably something useful in it, but I don't know what.
May I know how you managed to get to fastboot mode?
Thank You brother.
linccracker said:
GitHub - bkerler/oppo_decrypt: Oppo .ofp Firmware decrypter and oneplus .ops de-/encrypter
github.com
Try this
Try both extract and decrypt
I did, extract says unknown key and decrypt spits out faulty files.
llxxVENOMxxll said:
I think reverse engineering this process alone may not help. Why? Because the OPPO deep testing officially requires a specific software version. It should most probably be an Engineering version of ColorOS.
I think OPPO has to have some way to unlock the bootloader for their tech support or own development. There is an engineering mode that can be activated from within ColorOS, maybe that would be sufficient. At least reverse engineering this would give us some kind of idea of how they unlock the bootloader in other firmware.
AFAIK, those deep testing apks were unlocked remotely by OPPO support. I'm really skeptical on how trustworthy those reports are, but if that's true then it might work on the A72 too.
llxxVENOMxxll said:
May I know how you managed to get to fastboot mode?
Thank You brother.
You can enter fastboot mode through adb commands. Just connect your phone, activate USB debugging and OEM unlock, then type 'adb reboot fastboot'. There is also an EDL mode which can be found by going into recovery and tapping the version number at the bottom until a message pops up.
Well, the adb reboot fastboot doesn't work on my OPPO A31 (and most other OPPOs). Thanks for your reply tho.
llxxVENOMxxll said:
May I know how you managed to get to fastboot mode?
Thank You brother.
This is the "fastbootd" mode, which is not exactly the same, but this is what we have.
First, I have to say how I unlocked the OEM.
Because, as I was in developer mode, after fooling around a little with the settings, I tried to move the OEM unlock button but it wouldn't move. I tried again and again but it didn't want to unlock.
So, I got the idea to disable developer mode, enable it again and try to unlock oem before doing any other settings.
This time it worked.
So, if you have problem with the OEM Unlock, you know what to do: disable/enable developer mode.
For the fastbood mode, it's the same. It didn't work at once but I fooled around a little. To be honest, I don't remember everything I've done.
But this is what I do now.
I start my phone and plug it on my computer.
On my phone I change the USB mode from "charging" to "MTP transfer" (even if the drivers don't install properly). And of course, the USB Debugging is enabled. I also select the authorization, if required (you only do it once normally).
Then I open a command, I check "adb devices" just to see if it works. And finally, I type "adb reboot fastboot" (I think it didn't work with "adb reboot bootloader").
And that's it.
The phone reboots in recovery mode and when I type "fastboot devices" in the cmd, my device appears.
For some reason, if I only start in recovery mode with Volume Down + Start button, the recovery screen appears, exactly the same, but no fastboot device is detected on the cmd. So you have to do all these operations from your computer.
Maybe there's another way though.
We might want to refer to this:
Where are the android.jar platform class/dex files on a phone or tablet?
stackoverflow.com
I may start working on this only by this weekend.
Anyone with some knowledge may, in the meantime, try to sniff what the deep test app actually communicates with the OPPO servers.
The dex is extracted from the system framework.
File attached below.
I am a noob in Java and I don't understand what the 'bArr' is, and what it does.. I guess it should probably be a response value from the server..
Ever wanted to unbrick your device or switch to stock ROM from a custom ROM without using MSM Unbrick tool, and keep your bootloader unlocked after that? Well, fastboot ROMs are here to help you. I have extracted all images from the stock zip and I have made a new zip with the Fastboot ROM with a flash-all.bat included. This will work only if your bootloader is unlocked. This will erase all your data and will wipe your internal storage.
HOW TO FLASH
1). Download the zip
2). Unpack the zip in a folder
3). Reboot the OnePlus 9R in fastboot-bootloader mode (Power and volume + and volume-)
4). Connect the OnePlus 9R to PC
5). Run flash-all.bat flasher
6). Wait until the process ends
7). Voila! Your OnePlus 9R will now boot into OxygenOS
POINTS TO REMEMBER
* "Invalid sparse file format at header magic" is not an error; you need to wait a bit when you see that string, just wait.
* These ROMs can't be used to update or downgrade your phone but just to restore your phone. Downgrade from OOS 12 works now.
* This can’t be used to switch from ColorOS to OxygenOS; you can use MSM unbrick tool to do that.
DOWNLOAD:-
https://sourceforge.net/projects/op8t-9r-fastboot-roms/files/OnePlus_9R/
Nice
Hi OP, I changed the tag from Development to How To Guide, because we only use Development for original work like you build the ROM from kernel/device tree etc... Thanks.
HELLBOY017 said:
Ever wanted to unbrick your device or switch to stock ROM from a custom ROM without using MSM Unbrick tool, and keep your bootloader unlocked after that? Well, fastboot ROMs are here to help you. I have extracted all images from the stock zip and I have made a new zip with the Fastboot ROM with a flash-all.bat included. This will work only if your bootloader is unlocked. This will erase all your data and will wipe your internal storage.
HOW TO FLASH
1). Download the zip
2). Unpack the zip in a folder
3). Reboot the OnePlus 9R in fastboot-bootloader mode (Power and volume + and volume-)
4). Connect the OnePlus 9R to PC
5). Run flash-all.bat flasher
6). Wait until the process ends
7). Voila! Your OnePlus 9R will now boot into OxygenOS
POINTS TO REMEMBER
* "Invalid sparse file format at header magic" is not an error; you need to wait a bit when you see that string, just wait.
* These ROMs can't be used to update or downgrade your phone but just to restore your phone.
* This can’t be used to switch from ColorOS to OxygenOS; you can use MSM unbrick tool to do that.
* !!! IMPORTANT !!!
Before flashing make sure you know which type of RAM your device supports, i.e. LPDDR4X/LPDDR5, as flashing the wrong xbl config will hardbrick your device.
Here’s how you can check what type of ram your device has:-
Now, as to exactly find out which variant that you have, turn on USB debugging and enter this command:-
Code:
adb shell getprop ro.boot.ddr_type
If the value is 0, that means you have LPDDR4X. If the value is 1, that means you have LPDDR5.
This command is more reliable than the Devcheck and other apps.
DOWNLOAD:- https://drive.google.com/file/d/1LTknGhfR2JTtXhN0rGMCS4OwmUdqt3PF/view?usp=sharing
Errr sorry, I can make sure that I have the DDR5, but it seems that when I complete the flash using the DDR5 profile config, my phone hard bricked, so how can I get it back? Now it can not even enter 9008 mode
zwk22160 said:
Errr sorry, I can make sure that I have the DDR5, but it seems that when I complete the flash using the DDR5 profile config, my phone hard bricked, so how can I get it back? Now it can not even enter 9008 mode
You will most likely need to visit the service center and get your phone repaired.
Are you sure that your device had DDR5?
theincognito said:
You will most likely need to visit the service center and get your phone repaired.
Are you sure that your device had DDR5?
Actually, I checked my DDR type via devcheck instead of the adb command. Seems that the dev check is not so reliable. Anyway, I have already sent my phone to the service center to repair; I have a OnePlus 7 Pro as the backup phone, so it doesn't affect me too much.
Created a Tutorial based on your firmware/instructions. Hoping you will like it.
https://androidmtk.com/install-firmware-oneplus-9r
zwk22160 said:
Actually, I checked my DDR type via devcheck instead of the adb command. Seems that the dev check is not so reliable. Anyway, I have already sent my phone to the service center to repair; I have a OnePlus 7 Pro as the backup phone, so it doesn't affect me too much.
Yeah. The apps aren't reliable at this. Always use the adb command. 100% reliable. And since it's hard-bricked for you, I am pretty sure that you have a DDR4X variant.
zwk22160 said:
Errr sorry, I can make sure that I have the DDR5, but it seems that when I complete the flash using the DDR5 profile config, my phone hard bricked, so how can I get it back? Now it can not even enter 9008 mode
It’s clearly written not to trust devcheck and other apps; that prop is the only trusted source for finding which type of RAM your device has. It has also come to my attention that DDR5 devices can boot to EDL if we flash wrong xbl configs on them but the DDR4 ones can’t boot to EDL if the wrong xbl config is flashed. (Means DDR4 users would have to get the phone repaired by the service center if the wrong xbl config is flashed on their device.)
PetiaWarzel said:
Created a Tutorial based on your firmware/instructions. Hoping you will like it.
https://androidmtk.com/install-firmware-oneplus-9r
Appreciate it a lot! Thanks
I faced the same problem
Service center says they can't flash it back
They ended up replacing it with a new motherboard for me
hmm for me the
Code:
adb shell getprop ro.boot.ddr_type
returns empty.
I guess that infers I'm using LPDDR4X?
Edit:
Code:
adb shell getprop
This would return a complete list of all the properties you can query with this command. For me, this list doesn't seem to have any field called "ro.boot.ddr_type"
I'm using the Chinese variant of OP9R, not so sure if it matters.
Also, DevCheck would not report RAM variants under the hardware tab as well.
Leohearts said:
I faced the same problem
Service center says they can't flash it back
They ended up replacing it with a new motherboard for me
I checked it again and
OnePlus9R:/ $ getprop | grep ddr
[ro.boot.ddr_type]: [1]
[vendor.boot.ddr_type]: [1]
OnePlus9R:/ $
I'm sure I flashed the DDR5 version, but it hard-bricked and can't even boot into 9008
*UPDATED*
* Added OxygenOS 11.2.6.6 Fastboot ROM
* Removed xbl configs so that now no more hardbricks happen
* Reduced partition sizes for inactive slot so that ROMs can be flashed properly through fastboot
Will this work on the Chinese variant 12gb/256gb ddr4? LE2100 bl is already unlocked
Mkkt Bkkt said:
Will this work on the Chinese variant 12gb/256gb ddr4? LE2100 bl is already unlocked
If you're using OxygenOS then yes
HELLBOY017 said:
If you're using OxygenOS then yes
Yes, for some reason it came with OxygenOS preinstalled
HELLBOY017 said:
Ever wanted to unbrick your device or switch to stock ROM from a custom ROM without using MSM Unbrick tool, and keep your bootloader unlocked after that? Well, fastboot ROMs are here to help you. I have extracted all images from the stock zip and I have made a new zip with the Fastboot ROM with a flash-all.bat included. This will work only if your bootloader is unlocked. This will erase all your data and will wipe your internal storage.
HOW TO FLASH
1). Download the zip
2). Unpack the zip in a folder
3). Reboot the OnePlus 9R in fastboot-bootloader mode (Power and volume + and volume-)
4). Connect the OnePlus 9R to PC
5). Run flash-all.bat flasher
6). Wait until the process ends
7). Voila! Your OnePlus 9R will now boot into OxygenOS
POINTS TO REMEMBER
* "Invalid sparse file format at header magic" is not an error; you need to wait a bit when you see that string, just wait.
* These ROMs can't be used to update or downgrade your phone but just to restore your phone.
* This can’t be used to switch from ColorOS to OxygenOS; you can use MSM unbrick tool to do that.
DOWNLOAD:-
https://mega.nz/folder/ePIETB4D#sU8cJ54l4UI7JCXGwc7Nog
The download link on Mega can't be downloaded with a standard account; it requires premium. Could you please upload it to another hosting website if possible? Thanks!
logeshwywan said:
The download link on Mega can't be downloaded with a standard account; it requires premium. Could you please upload it to another hosting website if possible? Thanks!
Will do
Link updated.
*Apologies for updating it late; I had a fever, so I didn't have time to mirror it somewhere else