Hidden Fastboot OEM Commands - TCL 10 Pro Guides, News, & Discussion

We are close, finally, to bootloader unlock on this device... Tonight, boredom, couldn't sleep, I popped out my 10 pro and started playing with it and found new stuff!!
fastboot oem device-info
- this command gives you the following info about the device (and these are the default statuses)
Code:
(bootloader) Verity mode: true
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: false
OKAY [ 0.002s]
Finished. Total time: 0.003s
fastboot oem enable-charger-screen
- Exactly as it sounds... You know when some Android devices are powered off, you plug them in and they show a simple charging animation? BY DEFAULT, the 10 Pro does not do this. Punch in this command (and the next one), and it will enable charge while powered off!
fastboot oem off-mode-charge 0/1
- Just like above, this works in conjunction with the enable-charger-screen. 0 means disable, 1 is enable. If you want the ability to charge when off, you use 1
Code:
fastboot oem off-mode-charge 1
fastboot oem select-display-panel
- Can't figure out what this one does... doesn't seem to change anything
Dial Pad Code
Found this while digging through the TCL 10SE firmware dump from MTKClient. *#*#33284#*#* enables and disables USB Debugging

Also knew about this about a year ago when I was exploring which commands bootloader responded to, I am still using this phone daily.

JayTM said:
Also knew about this about a year ago when I was exploring which commands bootloader responded to, I am still using this phone daily.
I'll use it daily when I can root it lol If we just figure out that oem command, it'll be open

They officially don't support unlocking the bootloader

(Sri Lanka) said:
View attachment 5648783
They officially don't support unlocking the bootloader
Nothing new, same person answered you that answered me a while back maybe a year ago now.

(Sri Lanka) said:
View attachment 5648783
They officially don't support unlocking the bootloader
Their normal response. There's a thread on Reddit right now about this
https://www.reddit.com/r/Android/comments/vvnuq6

KaptinBoxxi said:
Their normal response. There's a thread on Reddit right now about this
https://www.reddit.com/r/Android/comments/vvnuq6
Good luck to you

Was messing with this some more tonight, and discovered a few things
fastboot oem -l
this does... something, not sure what. Response is fastboot: usage: empty oem command
fastboot oem -s <whatever>
this was interesting, fastboot response was <waiting for <whatever>> ... so if you did fastboot oem -s 1 , it would say <waiting for 1>
fastboot oem -v
unsure what this does, it does something. "fastboot usage empty oem command"
fastboot oem select-display-panel
no idea what it does

KaptinBoxxi said:
Their normal response. There's a thread on Reddit right now about this
https://www.reddit.com/r/Android/comments/vvnuq6
The TCL MOBILE UPGRADE tool supports flashing stock firmware on some Qualcomm TCL devices. That tool downloads the stock ROM to the TCL MOBILE UPGRADE directory (C:\Program Files (x86)\Mobile Upgrade\bin)
But it downloads the raw firmware as partitions named with random letters and numbers
Most of the stock ROM files smaller than 5 MB are encrypted
In the model folder there are some folders named with the model number; those folders include log files and a .dll file
I renamed all the downloaded stock ROM files with their partition names with the help of the log file
ModelDownloader.dll includes the firehose; it can be opened with 7zip as #. There is 2.elf, which is the firehose
But it supports only Get Flash Information in QFIL
Reading GPT is not supported
Log when trying to read partitions in QFIL
I tried this in TCL 20 SE (T671H)

I've been spamming most of TCL's twitter accounts for a couple days, hopefully they mean what they said and they release useful information

(Sri Lanka) said:
The TCL MOBILE UPGRADE tool supports flashing stock firmware on some Qualcomm TCL devices. That tool downloads the stock ROM to the TCL MOBILE UPGRADE directory (C:\Program Files (x86)\Mobile Upgrade\bin)
But it downloads the raw firmware as partitions named with random letters and numbers
Most of the stock ROM files smaller than 5 MB are encrypted
In the model folder there are some folders named with the model number; those folders include log files and a .dll file
I renamed all the downloaded stock ROM files with their partition names with the help of the log file
ModelDownloader.dll includes the firehose; it can be opened with 7zip as #. There is 2.elf, which is the firehose
But it supports only Get Flash Information in QFIL
Reading GPT is not supported
Log when trying to read partitions in QFIL
I tried this in TCL 20 SE (T671H)
I messed with this last night as well, and I messed with TPST/TCL PST. neither of which I could get to do anything I wanted them to do

KaptinBoxxi said:
Their normal response. There's a thread on Reddit right now about this
https://www.reddit.com/r/Android/comments/vvnuq6
I have also contacted TCL regarding GPL source for the TCL A30 and was ignored. TCL does have some source published here:
TCL GPL source on sourceforge
They seem to be very slow and I suspect do not publish until the device is phased out. Still the terms of the GPL are specific, they are to provide on request regardless of the age of the device. I suspect they will point to the site when challenged and then drag their feet when it is pointed out that the code for your specific device is not on the site.

971shep said:
I have also contacted TCL regarding GPL source for the TCL A30 and was ignored. TCL does have some source published here:
TCL GPL source on sourceforge
They seem to be very slow and I suspect do not publish until the device is phased out. Still the terms of the GPL are specific, they are to provide on request regardless of the age of the device. I suspect they will point to the site when challenged and then drag their feet when it is pointed out that the code for your specific device is not on the site.
Yeah, I found that stuff too. Even if it's old and phased out, they don't give access to it. I had hope that the 20 Pro was bootloader unlockable, but apparently for the Android 12 beta they participated in, it was a TCL-provided tool with the beta firmware signed to flash, rather than a bootloader. I guess we could find the Android 12 download, rip apart the boot.img and find any sort of fastboot commands, but I suspect we won't find much

I'm taking another tack and managed to pull the firmware directly from a TCL A30 using the mtkclient live cd.
I have the following files:
boot.bin gpt.bin nvcfg.bin protect1.bin sspm_2.bin
boot_para.bin gz1.bin nvdata.bin protect2.bin swversion.bin
cache.bin gz2.bin nvram.bin recovery.bin tee1.bin
dtbo.bin lk2.bin oembin.bin scp1.bin tee2.bin
efuse.bin lk.bin oempersist.bin scp2.bin vbmeta.bin
expdb.bin logo.bin otp.bin sec1.bin vbmeta_system.bin
flashinfo.bin md1img.bin para.bin seccfg.bin vbmeta_vendor.bin
frp.bin md_udc.bin persist.bin spmfw.bin vendor_boot.bin
gpt_backup.bin metadata.bin proinfo.bin sspm_1.bin
These are all the files the mtkclient GUI found except a super.bin and a user_data.bin. The super.bin file (I read a virtual file) was 60GB, way bigger than the A30 and would cause the firmware dump to hang. The user_data.bin would also hang the dump.
My ultimate goal is AOSP12 with minimal bloat and mostly FOSS/F-Droid apps but I would like to start small by enabling bromite's system webview - guide here:
Installing Bromite system webview
My present "aapt d xmltree framework-res.apk res/xml/config_webview_packages.xml"
E: webviewproviders (line=17)
E: webviewprovider (line=19)
A: availableByDefault=(type 0x12)0xffffffff
A: description="Android WebView" (Raw: "Android WebView")
A: packageName="com.android.webview" (Raw: "com.android.webview")

I was digging around the interbawls today and found some interesting stuff on gsmforum for the TCL 10 SE... It was a full system dump using Pandora Tool, 2.8GB in size... don't know if I can link it here.
Differences between 10 SE and 10 Pro though are pretty big. The 10 Pro is a Snapdragon 675 while the SE is a MediaTek MT6762 Helio P22, so no way we're cross flashing and having that sort of fun, but bootloader commands might be possible to dump since we have real firmware. MTKTool won't be useful to us because it's a Qualcomm device, but there's still hope
So, Update:
I've been digging and digging and digging... I have the super.bin from the 10 SE open in a hex editor, searching oem unlock. I discovered that standard android, when enabling OEM Unlock, the PST (aka persistent) partition is where the bit gets flipped to allow oem unlock.
Code:
private void setPersistentDataBlockOemUnlockAllowedBit(boolean allowed) {
    final PersistentDataBlockManagerInternal pdbmi
            = LocalServices.getService(PersistentDataBlockManagerInternal.class);
    // if mOemLock is PersistentDataBlockLock, then the bit should have already been set
    if (pdbmi != null && !(mOemLock instanceof PersistentDataBlockLock)) {
        Slog.i(TAG, "Update OEM Unlock bit in pst partition to " + allowed);
        pdbmi.forceOemUnlockEnabled(allowed);
    }
}
we basically have to hope that actually happens on these 10 pro's.

KaptinBoxxi said:
I was digging around the interbawls today and found some interesting stuff on gsmforum for the TCL 10 SE... It was a full system dump using Pandora Tool, 2.8GB in size... don't know if I can link it here.
Differences between 10 SE and 10 Pro though are pretty big. The 10 Pro is a Snapdragon 675 while the SE is a MediaTek MT6762 Helio P22, so no way we're cross flashing and having that sort of fun, but bootloader commands might be possible to dump since we have real firmware. MTKTool won't be useful to us because it's a Qualcomm device, but there's still hope
So, Update:
I've been digging and digging and digging... I have the super.bin from the 10 SE open in a hex editor, searching oem unlock. I discovered that standard android, when enabling OEM Unlock, the PST (aka persistent) partition is where the bit gets flipped to allow oem unlock.
Code:
private void setPersistentDataBlockOemUnlockAllowedBit(boolean allowed) {
    final PersistentDataBlockManagerInternal pdbmi
            = LocalServices.getService(PersistentDataBlockManagerInternal.class);
    // if mOemLock is PersistentDataBlockLock, then the bit should have already been set
    if (pdbmi != null && !(mOemLock instanceof PersistentDataBlockLock)) {
        Slog.i(TAG, "Update OEM Unlock bit in pst partition to " + allowed);
        pdbmi.forceOemUnlockEnabled(allowed);
    }
}
we basically have to hope that actually happens on these 10 pro's.
Most of MTK devices are possible to unlock through mtk client
GitHub - bkerler/mtkclient: MTK reverse engineering and flash tool

(Sri Lanka) said:
Most of MTK devices are possible to unlock through mtk client
GitHub - bkerler/mtkclient: MTK reverse engineering and flash tool
tried it... unless we open up the device and find the test point, the computer doesn't see it in the TCL Download mode
Edit: Added a dial pad code to the original post

I'm working on a TCL A30 and found a github site titled MediaTek-labs. The commits were made by [email protected]. This might be of interest:
https://github.com/MediaTek-Labs/common-kernel-4.19
Apparently, in the code base, was a mediatek fastboot:
https://github.com/MediaTek-Labs/common-kernel-4.19/commit/72578594ab429be395af5279e95fd8b7e13c5ebe

KaptinBoxxi said:
Was messing with this some more tonight, and discovered a few things:
Most of that is standard options for fastboot.
Code:
C:\>fastboot --help
You can take apart the abl partition and look for strings and try them.
On my Onyx Poke3 I have:
Code:
fastboot oem enable-charger-screen
fastboot oem disable-charger-screen
fastboot oem off-mode-charge
fastboot oem select-display-panel
fastboot oem device-info
fastboot oem cpu
fastboot oem rsn
fastboot oem wsn // DANGER
wsn is write serial number. I don't know if that will screw up anything
The abl (at least mine) is packed insanely for UEFI:
Code:
32 bit ELF file
Program table
Signing
Header
Hashes
Signature
Certificate chain
LZMA archive
MZ DOS executable
PE Portable executable
64 bit ARM code

Renate said:
Most of that is standard options for fastboot.
Code:
C:\>fastboot --help
You can take apart the abl partition and look for strings and try them.
On my Onyx Poke3 I have:
Code:
fastboot oem enable-charger-screen
fastboot oem disable-charger-screen
fastboot oem off-mode-charge
fastboot oem select-display-panel
fastboot oem device-info
fastboot oem cpu
fastboot oem rsn
fastboot oem wsn // DANGER
wsn is write serial number. I don't know if that will screw up anything
The abl (at least mine) is packed insanely for UEFI:
Code:
32 bit ELF file
Program table
Signing
Header
Hashes
Signature
Certificate chain
LZMA archive
MZ DOS executable
PE Portable executable
64 bit ARM code
Problem with a lot of that is we don't have full img files of the partitions on the phone as TCL has never released a full firmware, only OTA's that are patch files
Majority of what you've posted doesn't do anything (cpu/rsn/wsn). Also released this phone won't work with any mtk tools because it's a Qualcomm phone

Related

[GUIDE] How to unlock the bootloader of Nokia 4.2

WARNING!
THIS GUIDE REQUIRES DISASSEMBLY, SO YOU WILL DEFINITELY LOSE THE WARRANTY!
DO IT AT YOUR OWN RISK!
If you want to repost this guide to other websites, please let me know before you repost.
For Chinese users: the Chinese version of this guide will be published on dospy.
UPDATE: I've updated the new tool for unlocking the phone without understanding how to utilize such long commands.
You can watch the demonstration here: https://youtu.be/whrFsn8h7A4
So after I got a Nokia 4.2 prototype by opportunity, I just found the theory of bootloader unlocking.
Tricking development options for allowing "OEM unlocking" no longer works on latest security update.
What you need to have:
- a Nokia 4.2 unit that you finished back cover and upper plastic shell removal
- tweezers, and probably a standard philips screwdriver
- QPST (use at least 2.7.474) or any other app that could access the EDL, and Qualcomm USB port drivers are installed
- Latest Google Platform Tools
- Full backup of your userdata
Step 1: Trigger the phone to EDL mode, then change the driver to "Qualcomm HS-USB QDLoader 9008"
Please take a look at the attachment below, about the location you need to use tweezers.
For Windows users:
If the driver is already indicated as "Qualcomm HS-USB QDLoader 9008", get to Step 2.
If the driver is indicated as either "QHSUSB__BULK" (For users who have installed Windows Device Recovery Tool before) or "Qualcomm HS-USB Diagnostics 9008", you must change the driver to "Qualcomm HS-USB QDLoader 9008".
After driver changed, you need to disconnect the phone, disconnect and reconnect the battery ribbon cable, then trigger the phone to EDL again.
I assume the COM port number is 8 (COM8).
Step 2: Write config partition
As we already know, config partition is also the frp partition.
You need to create a config partition image that has "OEM Unlocking" function enabled, which need to alter the last byte, then change the overall checksum to make the config file valid.
For your convenience, I've created one.
Now download and extract the attachment below.
Use QFIL included in QPST to load the firehose file. Choose "Flat Build" and choose the "prog_emmc_firehose_8937_ddr.mbn" you extracted from the attachment.
Choose "Tools" - "Partition Manager", then wait for the partition list appear.
As "Load Image" seems not reliable, we have to use command to write it manually.
For 64-bit Windows users, the command is:
Code:
"C:\Program Files (x86)\Qualcomm\QPST\bin\fh_loader.exe" --port=\\.\COM8 --search_path=D:\path\to\where\you\extracted\N32_N42_unlock --sendimage=config.img --start_sector=16583680 --lun=0 --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=emmc
If you use 32-bit Windows, you need to remove the " (x86)" (within space, without quotes) in the command above.
Step 3: Trigger the phone back to fastboot mode
Now hold the Volume down key, keep the phone connected, close the partition manager, then your phone will exit EDL mode and enter Fastboot mode directly.
Now check the unlock ability:
Code:
fastboot flashing get_unlock_ability
Expected output:
Code:
get_unlock_ability: 1
Step 4: Unlock the bootloader!
And you can unlock the bootloader with familiar commands.
Code:
fastboot flashing unlock_critical
Confirm unlock on the phone, then keep the volume down key pressed while the phone is erasing userdata.
Your phone will boot to fastboot mode again, and then:
Code:
fastboot flashing unlock
Confirm unlock on the phone again.
All done, that's how the bootloader is unlocked. You can reassemble the phone.
But strange enough, you can't see any unlock warning.
I will release boot image dumping guide and root guide very soon.
Special thanks:
Wingtech for leaking prototype units
why must Nokia insist on locking their devices down so hard ??
great discovery, will definitely be useful once TWRP is released. just curious, but SafetyNet is tripped with this, right?
Great!
Damn Nokia
I don't even own this phone but I kinda want to weigh in, are we seriously at this point? No honestly, Android as a whole was basically were dev focused iOS is locked down to hell and back here's freedom. Google has the Nexus line made for developers companies embraced it I remember there being multiple Google play editions of phones that ran stock Android. I'm happy we as a community can keep this alive but damn are companies trying to make it difficult to do something I want to do to a device I paid for and own. Samsung you can't root (save for sampwn and samfail) LG locked down bootloaders and gimped fastboot on some models (fastboot seriously?) Nokia now requiring you to take apart the freaking phone to achieve this, I'm half asleep and can't think of any other major brands at the moment. It's a joke. (Above root methods were mainly for US variants and TMobile variants of LG) something has to change I know it won't and I understand the reasoning behind it security and such but still. Sorry for the rant congrats OP on what you did I consider it magic but it's more you accomplished something I could only wish I could do.
Will it be possible to do without disassembly? Just in theory, not now
kir23rus said:
Will it be possible to do without disassembly? Just in theory, not now
Unwise to say no with absolute certainly, but doubtful
kir23rus said:
Will it be possible to do without disassembly? Just in theory, not now
I think it will be possible.
There's a hidden command in aboot "fastboot reboot-emergency" but unusable, unless some sort of authentication is done or bootloader unlocked.
I still don't know how the authentication is done yet, but it's definitely not something that average developers can access to.
That's why disassembly is required for now.
Very interesting breakthrough. Great work
I'm facing the same bootloader unlock in my infinix hot s 3. I believe I can use your procedure to unlock my device. And if necessary how to make changes to the config file? I will be expecting your reply soon. Thanks
Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you
awab228 said:
Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you
Fill first 32 bytes with 0x00, then calculate SHA256 checksum and paste the new checksum as hex value at the first 32 bytes.
hikari_calyx said:
Fill first 32 bytes with 0x00, then calculate SHA256 checksum and paste the new checksum as hex value at the first 32 bytes.
Thank you for taking the time to explain, great help and great effort, the last byte should be altered to 1 ? Or 0 ?
awab228 said:
Thank you for taking the time to explain, great help and great effort, the last byte should be altered to 1 ? Or 0 ?
1 for allow, 0 for disallow
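The layout described in the replies above (a SHA-256 in the first 32 bytes, computed with those bytes set to 0x00, and an allow flag in the last byte), as an added read-only check that is not part of the original posts: it verifies a dumped config/frp image and reports the flag, so a flag changed without a matching digest stands out. The function names and the 512-byte sample images are constructed for illustration.

```python
import hashlib
import hmac

DIGEST_SIZE = 32  # per the thread: SHA-256 stored in the first 32 bytes


def compute_digest(image: bytes) -> bytes:
    """SHA-256 of the image with its first 32 bytes treated as 0x00."""
    h = hashlib.sha256()
    h.update(bytes(DIGEST_SIZE))      # zeroed digest field
    h.update(image[DIGEST_SIZE:])     # rest of the partition, flag byte included
    return h.digest()


def inspect_config_image(image: bytes) -> dict:
    """Check the stored digest and decode the last-byte flag of a dump."""
    if len(image) <= DIGEST_SIZE:
        raise ValueError("image too short to hold a digest and a flag byte")
    stored = image[:DIGEST_SIZE]
    expected = compute_digest(image)
    flag = image[-1]
    return {
        "digest_ok": hmac.compare_digest(stored, expected),
        "stored_digest": stored.hex(),
        "expected_digest": expected.hex(),
        "flag_byte": flag,
        # 1 = allow, 0 = disallow (per the thread); anything else is unexpected
        "oem_unlock_allowed": {0: False, 1: True}.get(flag),
    }


def compare_dumps(before: bytes, after: bytes) -> list:
    """List integrity-relevant differences between two dumps of the partition."""
    a, b = inspect_config_image(before), inspect_config_image(after)
    findings = []
    if a["flag_byte"] != b["flag_byte"]:
        findings.append(
            "flag byte changed %d -> %d" % (a["flag_byte"], b["flag_byte"])
        )
    if not a["digest_ok"]:
        findings.append("digest mismatch in first dump")
    if not b["digest_ok"]:
        findings.append("digest mismatch in second dump")
    if b["oem_unlock_allowed"] is None:
        findings.append("unexpected flag value in second dump")
    return findings


def constructed_sample(flag: int, size: int = 512) -> bytes:
    """Constructed test image (all zero payload), not a real device dump."""
    body = bytearray(size)
    body[-1] = flag
    body[:DIGEST_SIZE] = compute_digest(bytes(body))
    return bytes(body)


if __name__ == "__main__":
    locked = constructed_sample(0)
    # Same image with only the flag byte flipped: the digest no longer matches.
    inconsistent = locked[:-1] + b"\x01"
    for name, img in (("locked", locked), ("inconsistent", inconsistent)):
        r = inspect_config_image(img)
        print(name, "digest_ok=%s" % r["digest_ok"],
              "oem_unlock_allowed=%s" % r["oem_unlock_allowed"])
    for finding in compare_dumps(locked, inconsistent):
        print("finding:", finding)
```
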
do you have any fastboot rom or rawxml rom for this device ??
mine always reboot in bootloader mode.
malkabhai said:
do you have any fastboot rom or rawxml rom for this device ??
mine always reboot in bootloader mode.
We have full OTA zip of it.
You can use payload dumper + img2simg to convert it to fastboot images. If recovery mode working (including unofficial TWRP), you can also reboot your phone to recovery mode to sideload it.
PAN-141B-0-00WW-B03-update.zip
I was able to use "OEM Unlocking" from developer options and after starting at step 3, to obtain a full unlock. After I was also able to fully root my phone using the normal guide. I am running the latest security update (October 5 2019). No idea why this worked for me...
Hello,
I've got the Nokia 3.2 16gb variant. I can get it into edl mode but it seems to be in Sahara mode. How can I put it into firehose mode? Because I can't load anything using qfil.
Any help?
Missing pads
Any idea where these pads could be now? That does not seem to be there anymore?
Missing testpoint pads
piteer1 said:
Any idea where these pads could be now? That does not seem to be there anymore?
I have the same problem. Thanks in advance.
I don't see those test point in my mobile
Hi, does this work for Nokia 6.1 plus TA-1083? or do you have any trick for this too?
I am able to load phone in EDL Mode by making EDL Points short.
Just in case you read my comment, I have a emmc problem post, if you can help -
https://forum.xda-developers.com/nokia-6-1-plus/help/nokia-6-1-plus-edl-mode-emmc-failure-t4114507

[GUIDE] How to dump boot image and root Nokia 3.2 / 4.2

If you want to repost this guide to other websites, please let me know before you repost.
For Chinese users: the Chinese version of this guide will be published on dospy.
So after you unlock the bootloader successfully, you definitely want to install custom ROM, or at least root the phone, right?
Here's the guide about rooting Nokia 3.2 / 4.2.
This guide could probably work on Nokia 6.2 / 7.2 in the future.
Step 1: Unlock the bootloader
https://forum.xda-developers.com/nokia-4-2/how-to/guide-how-to-unlock-bootloader-nokia-4-2-t3962402
For Nokia 3.2, you'll need to read this as well: https://forum.xda-developers.com/nokia-3-2/how-to/guide-how-to-trigger-nokia-3-2-to-edl-t3962841
Step 2: Acknowledge current slot
You have two methods.
Method 1: After USB debugging enabled, execute this command:
Code:
adb shell getprop ro.boot.slot_suffix
Method 2: Under fastboot mode, execute this command:
Code:
fastboot getvar current-slot
We assume the current slot is b.
Step 3: Trigger the phone to EDL mode again
There's a hidden command in aboot known as "fastboot reboot-emergency".
However, normal fastboot binary doesn't have that command at all, so we need to compile a binary or hack the binary.
For Windows users, I've provided the fastboot binary that can use this command, and I renamed it to edl-fastboot.exe. You can download it on the attachment below.
For macOS/Linux distro users, I'm afraid you have to fork the source code, edit related content and compile yourself.
So with this special version of fastboot binary, we can boot the phone to EDL mode directly:
Code:
edl-fastboot.exe reboot-emergency
But wait, why didn't you mention this command when you released bootloader unlock guide?
That's because, if you attempt to use this command under locked bootloader, bootloader will respond "Permission denied, auth needed. " and refuse to proceed with the command.
I don't know how the authentication is done yet, but it's definitely not something that average developers can access to.
Step 4: Use partition manager to dump the partition
If you've come this far when unlocking the bootloader, you already know the great partition manager.
Still, we assume the COM port number is 8 (COM8).
When the partition list appears, find "boot_b" (or boot_a if the current slot is a), right click on it, choose "Manage Partition Data" and click "Read Data". Then fh_loader binary will dump the boot image to your PC.
For Windows users, it's located at
Code:
%AppData%\Qualcomm\QFIL\COMPORT_8
Where %AppData% is actually C:\Users\your_user_name\AppData\Roaming .
The filename looks like this: ReadData_emmc_Lun0_0x3a000_Len65536_DT_07_09_2019_13_55_54.bin
Now close the partition manager, your phone will exit EDL mode and boot normally.
If you're interested in dumping full eMMC storage, you may want to read this: https://forum.xda-developers.com/android/general/guide-how-to-dump-write-storage-t3949588
Step 5: Install Magisk Manager and patch the boot image you dumped
I think everyone who reading this guide knows where to download Magisk Manager.
Copy the boot image you dumped with QFIL to Download directory in your phone's internal storage, and rename it to boot.img for your convenience.
In case you don't know how to patch, read this guide: https://topjohnwu.github.io/Magisk/install.html#boot-image-patching
Step 6: Flash patched boot image and reinstall Magisk for ensurance
After you pulled patched boot image from your phone, reboot your phone to fastboot mode, then execute these commands:
Code:
fastboot flash boot magisk_patched.img
fastboot reboot
Note, temporarily boot method introduced back for old A/B devices like Nokia 7 Plus no longer works on Nokia 3.2 / 4.2 - it will boot your phone to Qualcomm 900E mode.
Once your phone booted to normal OS, open Magisk Manager, and reinstall Magisk and required runtime to make the root much more effective.
You may want to read this guide if you want to inherit root along with OTA update: https://topjohnwu.github.io/Magisk/tutorials.html#ota-installation
Extra info about custom rom:
I've tested PHH-Treble GSI on Nokia 4.2 and it made me disappointed.
The vendor compatibility is worse than FIH made Android Phones.
You may want to read this for more details: https://github.com/phhusson/treble_experimentations/wiki/Nokia-4.2
Next preview: Stock firmware reinstallation guide. Note, Nokia 3.2 / 4.2 are not made by FIH, so OST LA no longer works on both devices.
Special thanks:
@topjohnwu for Magisk
Wingtech for leaking prototype units
Reserved
not detected
my pc doesn't detect the phone when its in edl mode. before people start asking I unlocked the bootloader by enabling oem unlock in the phone settings.
I have a TA-1156 (a 3.2 variant) that has a different mainboard layout. For quite a while, I tried in vain to bring it into EDL mode - until I just tried the fastboot command "flash unlock" which worked.
I guess I should have tried that right away as I did have the OEM unlocking option in the developer setup.
Anyway, now I'm unlocked but can't access the partitions with the QFIL partition manager. I suspect the phone expects a different programmer than prog_emmc_firehose_8937_ddr.
I can enter EDL mode easily now with the patched fastboot exe. The correct driver is active and QFIL detects the phone. However, as soon as I follow the instructions by setting the programmer, and then try to start the partition manager, the phone stops responding.
After a while, I get a "sahara" error about no reply from the phone.
I wonder if someone has a stock boot.img of the Nokia 3.2 (build 00EEA) lying around ...
Here is someone else's photo of the mainboard (I just realized that it's actually from hikari_calyx!) but on mine, the right one of the test points you marked in your 3.2 variant does not exist, so I edited it out in the photo:
JFDee said:
Anyway, now I'm unlocked but can't access the partitions with the QFIL partition manager. I suspect the phone expects a different programmer than prog_emmc_firehose_8937_ddr.
My guess was right. Now I'm able to reply to myself with a solution.
I tried a different prog_emmc_firehose_8937_ddr than the one provided by @hikari_calyx in the unlock thread
There is a programmer with the same name in this firmware:
sprout-015B-0-00WW-B01 .rar
It's provided by @bouyhy01 in his rooting thread.
The size of the programmer file is slightly different:
Code:
hikari_calyx: 428,936 bytes
Firmware: 428,944 bytes
Long story short: the different programmer worked in QFIL, so the partition manager worked as well, I got my own boot image, patched, flashed and had root - finally ... Thanks for all the research work, hikari_calyx and bouyhy01 !
Attached is the working programmer file, in case anyone else stumbles upon the same problem. By the way, my phone has the October security patch installed which is currently the latest available.
View attachment prog_emmc_firehose_8937_ddr_from_fw.zip
JFDee said:
Here is someone else's photo of the mainboard (I just realized that it's actually from hikari_calyx!) but on mine, the right one of the test points you marked in your 3.2 variant does not exist, so I edited it out in the photo:
View attachment 4867461
I guess the only point can be connected to the ground, for example, the RF shield is grounded.
JFDee said:
Attached is the working programmer file, in case anyone else stumbles upon the same problem. By the way, my phone has the October security patch installed which is currently the latest available.
View attachment 4869373
Thanks for the info. My Nokia 3.2 is a prototype unit, so I don't know the situation of other versions of Nokia 3.2.
Hello, I have tried this manual for rooting a Nokia 4.2 with the last security update of 5th of November. After step 5 (flashing the patched boot image) my phone tried to reboot and then asked for a factory reset (Can't load android system - Your data may be corrupt). After making the factory reset there was no root at all.
What can I do next?
PS. It's strange enough: when I downloaded the boot_b image it was 63.4 Mb, and when I patched it with Magisk manager the size of magisk_patched.img became 10.2 Mb.
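The size gap mentioned in the post above can be examined from the image header itself. The following is an added example, not code from this thread: a raw dump of a boot partition is as large as the partition, while the legacy Android boot image header records how many bytes the image really occupies. It assumes header versions 0 to 2; the function names and the sample dump are constructed for illustration.

```python
import struct

BOOT_MAGIC = b"ANDROID!"      # magic of the legacy boot image header (v0-v2)
AVB_FOOTER_MAGIC = b"AVBf"    # Android Verified Boot footer magic
AVB_FOOTER_SIZE = 64          # the footer sits in the last 64 bytes of a partition
OFF_RECOVERY_DTBO_SIZE = 1632 # first field added by header v1
OFF_DTB_SIZE = 1648           # first field added by header v2


def _pages(size, page_size):
    """Number of flash pages needed to hold `size` bytes."""
    return (size + page_size - 1) // page_size


def analyze_boot_image(blob):
    """Compare the size a boot image claims in its header with the file size."""
    if len(blob) < 1660 or blob[:8] != BOOT_MAGIC:
        raise ValueError("not a legacy Android boot image")
    (kernel_size, _kaddr, ramdisk_size, _raddr, second_size, _saddr,
     _tags, page_size, header_version) = struct.unpack_from("<9I", blob, 8)
    if header_version > 2:
        raise ValueError("header v3+ uses a different layout")
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("implausible page size")

    sections = [kernel_size, ramdisk_size, second_size]
    if header_version >= 1:
        sections.append(struct.unpack_from("<I", blob, OFF_RECOVERY_DTBO_SIZE)[0])
    if header_version == 2:
        sections.append(struct.unpack_from("<I", blob, OFF_DTB_SIZE)[0])

    # The header takes one page; every section is padded to a page boundary.
    content_size = page_size * (1 + sum(_pages(s, page_size) for s in sections))
    trailing = blob[content_size:]
    return {
        "header_version": header_version,
        "file_size": len(blob),
        "content_size": content_size,
        "trailing_bytes": len(trailing),
        "truncated": content_size > len(blob),
        # Only zero padding after the image content?
        "trailing_all_zero": not trailing.strip(b"\0"),
        # A verified-boot footer at the end means the dump covers the partition.
        "has_avb_footer": len(trailing) >= AVB_FOOTER_SIZE
                          and blob[-AVB_FOOTER_SIZE:-AVB_FOOTER_SIZE + 4] == AVB_FOOTER_MAGIC,
    }


def build_constructed_dump(partition_size=65536):
    """Constructed sample: a tiny v1 boot image padded out to a 'partition'."""
    page = 4096
    hdr = bytearray(page)
    hdr[0:8] = BOOT_MAGIC
    struct.pack_into("<9I", hdr, 8,
                     10000, 0x00008000,   # kernel size / load address
                     5000, 0x01000000,    # ramdisk size / load address
                     0, 0,                # no second-stage image
                     0x00000100, page, 1) # tags address, page size, header v1
    struct.pack_into("<I", hdr, 1644, 1648)  # header_size field of v1
    kernel = (b"K" * 10000).ljust(3 * page, b"\0")
    ramdisk = (b"R" * 5000).ljust(2 * page, b"\0")
    image = bytes(hdr) + kernel + ramdisk
    footer = AVB_FOOTER_MAGIC.ljust(AVB_FOOTER_SIZE, b"\0")
    return image.ljust(partition_size - AVB_FOOTER_SIZE, b"\0") + footer


if __name__ == "__main__":
    dump = build_constructed_dump()
    for name, blob in (("partition dump", dump), ("repacked image", dump[:24576])):
        print(name, analyze_boot_image(blob))
```

A repacked image that is much smaller than the partition dump is expected when `content_size` accounts for the difference; a file reported as `truncated` is not safe to flash.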

Possible leads on rooting OPPO A72

I have spent a couple days trying to root this phone using an exploit or similar now. What I've discovered so far is:
- Recovery, EDL, Fastbootd (without functions over USB) are all available
- Engineer Mode is available too, but not accessible without credentials
- Similar phones (Realme, OnePlus, other OPPOs) have supposedly been rooted using an "In-Depth Testing" APK
I'm not sure if using the APK on my own phone is a good idea, but I have tried reverse engineering it and have gotten as far as some other threads for other phones have. It seems like the lead ends there, but I don't think enough has been tried. My expertise with Android development is somewhat limited, but I found a couple lines of code that are interesting.
Java:
// This is the request sent to the server based on the status.
// for Realme:
if (this.myContext.getPackageManager().hasSystemFeature("oppo.version.exp")) {
    this.myString = "https://lkf.realmemobile.com/realme/v1/";
} else {
    this.myString = "https://lk.realmemobile.com/realme/v1/";
}
switch (((Integer) intent.getExtras().get("MessengerFlag")).intValue()) {
    case 1000:
        this.myString += "applyLkUnlock";
        break;
    case 1001:
        this.myString += "checkApproveResult";
        break;
    case 1002:
        this.myString += "updateLockStatus";
        break;
    case 1003:
        this.myString += "acquireClientStatus";
        break;
    case 1004:
        this.myString += "closeApply";
        break;
    case 1005:
        this.myString += "acquireApplyStatus";
        break;
}
// For ColorOS:
this.requestUrl = "https://ilk.apps.coloros.com/api/v2/";
switch ((Integer) intent.getExtras().get("MessengerFlag")) {
    case 1000:
        this.requestUrl += "apply-unlock";
        break;
    case 1001:
        this.requestUrl += "check-approve-result";
        break;
    case Constants.USERCENTER_PLUGIN_ID /*{ENCODED_INT: 1002}*/:
        this.requestUrl += "update-client-lock-status";
        break;
    case 1003:
        this.requestUrl += "get-all-status";
        break;
    case 1004:
        this.requestUrl += "lock-client";
        break;
}
// Based on the response data, it accesses an included class to do the fastboot unlock. The actual value of bArr is based on the response.
((Boolean) Class.forName("android.engineer.OppoEngineerManager").getMethod("fastbootUnlock", byte[].class, Integer.TYPE).invoke(null, bArr, Integer.valueOf(bArr.length))).booleanValue();
// In another function it calls this without a value included. I think this might be used to lock it again.
byte[] bArr = {0};
((Boolean) Class.forName("android.engineer.OppoEngineerManager").getMethod("fastbootUnlock", byte[].class, Integer.TYPE).invoke(null, bArr, 1)).booleanValue();
// OEM Unlock is done after fastboot unlock
((PersistentDataBlockManager) this.activityRef.getSystemService("persistent_data_block")).setOemUnlockEnabled(true);
// You can access engineerMode using this code
engineerMode: *#9434#
Most of this information is available elsewhere, but those threads have stopped working on it. I think it would be worth trying to get a hand on the android.engineer.OppoEngineerManager package and check the fastbootUnlock function. Intercepting the values sent by a successful request might also be useful. If that works, one could probably easily create an APK to do this on any phone.
Is there anyone knowledgeable enough to do this?
I'm not knowledgeable enough but I hope you find answers.
I have an Oppo too (A15) and so far I haven't been able to unlock the bootloader but I'm sure there's a way.
"Unlock OEM" is enabled in the developer mode, but when I plug my phone in fastboot, it says the bootloader is locked.
I'm trying to find a solution to the message "unable to open fastboot HAL"
According to this : "Many of these commands are from OEMs and are documented but require a custom implementation. (Many commands are also OEM-specific and aren't documented). To handle such commands, the fastboot HAL specifies the required OEM commands and allows OEMs to implement their own commands."
So, I guess there's some special OEM command to unlock bootloader, the question is where? Android is open source, ColorOS is opensource (but I don't know if ColorOS has anything to do with the bootloader for that matter), so there's a solution, somewhere.
I read somewhere that you need all password and locking to be disabled in order to unlock bootloader. I removed all passwords, but it didn't help.
I've also noticed some options that might help, in the developer mode: "do not use lockscreen" and, at the very bottom "disable permission monitoring".
But I haven't tried yet.
this is what I get when I use the "fastboot getvar all" command:
There's probably something useful in it, but I don't know what.
I've gotten as far as that too. I believe that OPPO has somehow created a custom unlocking mechanism for the bootloader / fastboot that is accessed by custom APK. I'm not sure how it gets the rights to do it, but maybe there's a way and then the token is used to authenticate.
They must have a way to unlock it. If the package they use is somehow accessible, it should be possible to reverse engineer. Or somehow intercept the response sent by the server and figure out how the byteArray that they send to the class method is constructed.
If what you quoted is true and there might be some custom OEM commands, has anyone tried bruteforcing those?
It should be noted that the kernel is also open source. I have no idea where the bootloader would be or its unlocking mechanism, but considering that we have a boot.img that we can open up, an open source os, open source kernel, open source launcher, there must be something somewhere.
I've followed this tutorial to decrypt the ozip file from here with oppo_ozip_decrypt
It seems to work, but the output zip file is only 45 MB, while the original ozip is like 3 GB...
From the same author, this tool seems interesting but I don't know how to use it.
If you understand spanish, you may give a try to this tutorial. It didn't work for me, but who knows?
Their tool mtkroot is very easy to use. I only recommend you upgrade the files (adb.exe, fastboot.exe...) in MTKroot 2.5.8\DATA and the one in MTKroot 2.5.8\DATA\app.
rootinhoppo said:
I've followed this tutorial to decrypt the ozip file from here with oppo_ozip_decrypt
It seems to work, but the output zip file is only 45 MB, while the original ozip is like 3 GB...
From the same author, this tool seems interesting but I don't know how to use it.
If you understand spanish, you may give a try to this tutorial. It didn't work for me, but who knows?
Their tool mtkroot is very easy to use. I only recommend you upgrade the files (adb.exe, fastboot.exe...) in MTKroot 2.5.8\DATA and the one in MTKroot 2.5.8\DATA\app.
You should try decrypting the .ofp full firmware images.
rootinhoppo said:
If you understand spanish, you may give a try to this tutorial. It didn't work for me, but who knows?
Their tool mtkroot is very easy to use. I only recommend you upgrade the files (adb.exe, fastboot.exe...) in MTKroot 2.5.8\DATA and the one in MTKroot 2.5.8\DATA\app.
I do understand Spanish, but I don't really trust their tool. I would like to see the source code before using it on my phone or executing it on my PC for that matter. It looks fairly legit but I still don't expect it to work.
The other tool you showed seems cool too, but I think it'd require the bootloader to be unlocked. It's only for rooting.
linccracker said:
You should try decrypting the .ofp full firmware images.
There are no .ofp firmware images available, are there? It's only OZIP update images which are provided by OPPO. Would it be possible to take an .ofp file from one of the similar Realme phones and somehow find the OppoEngineer package there to reverse engineer? They use it too in their unlockers.
Bobgle said:
I do understand Spanish, but I don't really trust their tool. I would like to see the source code before using it on my phone or executing it on my PC for that matter. It looks fairly legit but I still don't expect it to work.
The other tool you showed seems cool too, but I think it'd require the bootloader to be unlocked. It's only for rooting.
There are no .ofp firmware images available, are there? It's only OZIP update images which are provided by OPPO. Would it be possible to take an .ofp file from one of the similar Realme phones and somehow find the OppoEngineer package there to reverse engineer? They use it too in their unlockers.
Is the same firmware updates as cph2059 so search Google for " oppo cph2059 ofp firmware"
linccracker said:
Is the same firmware updates as cph2059 so search Google for " oppo cph2059 ofp firmware"
I can only find OZIPs and scams.
Bobgle said:
I can only find OZIPs and scams.
Here is a gdrive link
CPH2059export_11_C.22_202102181659__GsmMafia.Com.zip
drive.google.com
Bobgle said:
I do understand Spanish, but I don't really trust their tool. I would like to see the source code before using it on my phone or executing it on my PC for that matter.
I understand, I'd like to see the source code, too.
But I think it's harmless, or at least not malicious.
The fact that it doesn't require to be installed or to have admin rights is a good point. The fact that you can change everything you want from the \data folder and still use the mtkroot gui is another good point.
There's the apk rootbrowser that I'm not 100% sure of it (there might be some trackers in it). But other than that...
linccracker said:
Here is a gdrive link
CPH2059export_11_C.22_202102181659__GsmMafia.Com.zip
drive.google.com
Alright, thanks. Unfortunately, the conventional ofp decrypters can't do it. I think the decryption key is missing / faulty or maybe even the file itself. It'll just spit out a ton of 0kb files. I'm not experienced enough with encryption to fix this, any idea how to? I've had more success with the ozip decrypters in that regard.
Bobgle said:
Alright, thanks. Unfortunately, the conventional ofp decrypters can't do it. I think the decryption key is missing / faulty or maybe even the file itself. It'll just spit out a ton of 0kb files. I'm not experienced enough with encryption to fix this, any idea how to? I've had more success with the ozip decrypters in that regard.
GitHub - bkerler/oppo_decrypt: Oppo .ofp Firmware decrypter and oneplus .ops de-/encrypter
github.com
Try this
Try both extract and decrypt
I think reverse engineering this process alone may not help. Why? Because the OPPO deep testing officially requires a specific software version. It should most probably be an Engineering version of ColorOS.
rootinhoppo said:
I'm not knowledgeable enough but I hope you find answers.
I have an Oppo too (A15) and so far I haven't been able to unlock the bootloader but I'm sure there's a way.
"Unlock OEM" is enabled in the developer mode, but when I plug my phone in fastboot, it says the bootloader is locked.
I'm trying to find a solution to the message "unable to open fastboot HAL"
According to this : "Many of these commands are from OEMs and are documented but require a custom implementation. (Many commands are also OEM-specific and aren't documented). To handle such commands, the fastboot HAL specifies the required OEM commands and allows OEMs to implement their own commands."
So, I guess there's some special OEM command to unlock bootloader, the question is where? Android is open source, ColorOS is opensource (but I don't know if ColorOS has anything to do with the bootloader for that matter), so there's a solution, somewhere.
I read somewhere that you need all password and locking to be disabled in order to unlock bootloader. I removed all passwords, but it didn't help.
I've also noticed some options that might help, in the developer mode: "do not use lockscreen" and, at the very bottom "disable permission monitoring".
But I haven't tried yet.
this is what I get when I use the "fastboot getvar all" command:
View attachment 5399469
There's probably something useful in it, but I don't know what.
May I know how did you manage to get to fastboot mode?
Thank You brother.
linccracker said:
GitHub - bkerler/oppo_decrypt: Oppo .ofp Firmware decrypter and oneplus .ops de-/encrypter
github.com
Try this
Try both extract and decrypt
I did, extract says unknown key and decrypt spits out faulty files.
llxxVENOMxxll said:
I think reverse engineering this process alone may not help. Why? Because the OPPO deep testing officially requires a specific software version. It should most probably be an Engineering version of ColorOS.
I think OPPO has to have some way to unlock the bootloader for their tech support or own development. There is an engineering mode that can be activated from within ColorOS, maybe that would be sufficient. At least reverse engineering this would give us some kind of idea of how they unlock the bootloader in other firmware.
AFAIK, those deep testing apks were unlocked remotely by OPPO support. I'm really skeptical on how trustworthy those reports are, but if that's true then it might work on the A72 too.
llxxVENOMxxll said:
May I know how did you manage to get to fastboot mode?
Thank You brother.
You can enter fastboot mode through adb commands. Just connect your phone, activate USB debugging and OEM unlock, then type 'adb reboot fastboot'. There is also an EDL mode which can be found by going into recovery and tapping the version number at the bottom until a message pops up.
Well, the adb reboot fastboot doesn't work on my OPPO A31 (and most other OPPOs). Thanks for your reply tho.
llxxVENOMxxll said:
May I know how did you manage to get to fastboot mode?
Thank You brother.
This is the "fastbootd" mode, which is not exactly the same, but this is what we have.
First, I have to say how I unlocked the OEM.
Because, as I was in developer mode, after fooling around a little with the settings, I tried to move the OEM unlock button but it wouldn't move. I tried again and again but it didn't want to unlock.
So, I got the idea to disable developer mode, enable it again and try to unlock OEM before doing any other settings.
This time it worked.
So, if you have a problem with the OEM Unlock, you know what to do: disable/enable developer mode.
For the fastboot mode, it's the same. It didn't work at once but I fooled around a little. To be honest, I don't remember everything I've done.
But this is what I do now.
I start my phone and plug it into my computer.
On my phone I change the USB mode from "charging" to "MTP transfer" (even if the drivers don't install properly). And of course, USB Debugging is enabled. I also select the authorization, if required (you only do it once normally).
Then I open a command prompt, I check "adb devices" just to see if it works. And finally, I type "adb reboot fastboot" (I think it didn't work with "adb reboot bootloader").
And that's it.
The phone reboots in recovery mode and when I type "fastboot devices" in the cmd, my device appears.
For some reason, if I only start in recovery mode with Volume Down + Start button, the recovery screen appears, exactly the same, but no fastboot device is detected on the cmd. So you have to do all these operations from your computer.
Maybe there's another way though.
We might want to refer this..
Where are the android.jar platform class/dex files on a phone or tablet?
My app uses the class android.view.ViewGroup, which when I develop in Eclipse(I know it's old) seem to come from android.jar. android.jar was downloaded by the SDK Manager. My project had a build
stackoverflow.com
I may start working on this only by this weekend.
Anyone with some knowledge may, in the meantime , try to sniff what the deep test app actually communicates with the OPPO servers.
The dex is extracted from the system framework.
File attached below.
I am a noob in Java and I don't understand what the 'bArr' is, and what it does.. I guess it should probably be a response value from the server..

Huawei P9 EVA-L09 FRP Bypass + Other models (free)

It's taken me a while to figure out a way to bypass the FRP (Factory Reset Protection) Lock on my Huawei EVA-L09 and do so while not bricking my device or installing shady software/roms, so if this helps I hope you leave me a like and comment how long it's taken you before you found this guide.
It's completely free as I refuse to pay money, which I hope you appreciate as every other guide wants you to pay to unlock a device, so no matter what level of skills you have this should help you to gain access to your Huawei EVA-L09 and other models (I've also used this method on a Huawei P Smart (FIG) but this should also work on all the devices listed in the table below)
Device | Model | Bootloader
Huawei P8 Lite (2015) | ALE | Kirin 620
Huawei Y6II | CAM | Kirin 620
Honor 5C / 7 Lite | NEM | Kirin 65x (A)
Honor 7X | BND | Kirin 65x (A)
Honor 9 Lite | LLD | Kirin 65x (A)
Huawei MediaPad T5 | AGS2 | Kirin 65x (A)
Huawei Nova 2 | PIC | Kirin 65x (A)
Huawei P10 Lite | WAS | Kirin 65x (A)
Huawei P20 Lite / Nova 3e | ANE | Kirin 65x (A)
Huawei P8 Lite (2017) | PRA | Kirin 65x (A)
Huawei P9 Lite | VNS | Kirin 65x (A)
Huawei Y9 (2018) | FLA | Kirin 65x (A)
Huawei MediaPad M5 Lite | BAH2 | Kirin 65x (B)
Huawei Nova 2i / Mate 10 Lite | RNE | Kirin 65x (B)
Huawei P Smart 2018 | FIG | Kirin 65x (B)
Honor 6 Plus | PE | Kirin 925
Huawei P8 | GRA | Kirin 935
Honor 8 Pro / V9 | DUK | Kirin 950
Honor 8 | FRD | Kirin 950
Huawei P9 Standart | EVA | Kirin 950
Honor 9 | STF | Kirin 960
Huawei Mate 9 Pro | LON | Kirin 960
Huawei Mate 9 | MHA | Kirin 960
Huawei MediaPad M5 | CMR | Kirin 960
Huawei Nova 2s | HWI | Kirin 960
Huawei P10 | VTR | Kirin 960
First download and extract the Android SDK Platform-Tools package for windows from -> https://developer.android.com/studio/command-line/adb
Next download drivers from -> https://adb.clockworkmod.com/ and run .exe file
Next go to -> https://github.com/mashed-potatoes/PotatoNV and read through the entire page and follow the steps to install HiSuite, test point drivers and the latest version of PotatoNV, and find out where your test points are on your device and learn how to use the tool
Open PotatoNV and click disable FBlock and choose your bootloader (refer to the list on the GitHub repo); in my case for the Huawei EVA-L09 it was the Kirin 950. Follow the repo instructions to ground your test point while inserting your USB. Now the target device field should show your device, then click start! If you've followed the steps correctly then congrats, you've generated a new bootloader code and got the following display.
From the display write down the "New Unlock Code" + "Build number" for later
Now we need the firmware to flash
Go to -> http://huawei-firmware.com/phone-list/ to find your compatible firmware
My build number was "EVA-L09C02B363" so on the site I searched for that build number but found nothing so I removed 1 character from the end "EVA-L09C02B36" and found 2 results for "Huawei P9 EVA-L09C02B361 Firmware"
If you can't find a result, keep removing 1 character from the end of your build number until you can find the closest build to yours and download it
Boot phone into fastboot mode
In the Android SDK Platform-Tools package folder hold In "CTRL + Shift" and Right click in the folder and click the option "open PowerShell window here"
In PowerShell type the following command "./fastboot oem unlock YOUR_CODE_HERE"
Press the volume key to select unlock bootloader on your phone and press the power button (now you've unlocked your bootloader)
Download the firmware and extract the files and move the entire Dload folder to an SDcard (rename the SDcard SDcard) and insert it into your device
Now boot the phone with both volume buttons and the power button pressed down and let it install the new firmware
I personally had an error at 99% of install doing it this way so I had to manually flash each partition if you have the same issue then follow the steps
Download the tool Huaweiupdateextract tool -> https://www.leakite.com/flash-huawei-ota-update-without-sdcard/
And click "click", now browse for the update.app file inside the Dload folder and right click on the files and click extract all and save them into the Android SDK Platform-Tools package folder you extracted earlier
Boot phone into fastboot mode
Now you need to manually flash every .img file you extracted to the corresponding partition, all the .img files are saved in CAPSLOCK and the corresponding partition you need to flash to is the file name in all lowercase minus the .img part so for example the file RECOVERY.img needs to be flashed to the recovery partition and USERDATA.img to userdata and so on
In the same Powershell Window from earlier type "./fastboot flash *partition" "PARTITION.img" and replace partition with every img you extracted, example for USERDATA.img: "./fastboot flash userdata USERDATA.img"
Some flashes may fail, just move on to the next
Then type "./fastboot reboot"
And now skip through everything and access your phone. I then personally booted my phone into Erecovery and clicked Install firmware and recovery and signed into my wifi. After downloading I opened my phone and inserted my sim card (in my case it was lyca mobile) and after the phone accepts the sim you will be prompted to take the system update. I flashed build EVA-L09C02B361 to my device but now I can update to my original build number EVA-L09C02B363.
Hopefully if you followed everything correctly you've just bypassed FRP.
You're welcome. As someone who doesn't have a lot to spend on tech I really value this sort of information, and hopefully this full guide can help even a beginner gain access to their bricked phone.
Let me know if this helps!
doesn't work on Huawei Y6II CAM-L21 ..
kalinx said:
doesn't work on Huawei Y6II CAM-L21 ..
Did you ground the test point while clicking start?
brokeboy said:
Did you ground the test point while clicking start?
Click to expand...
Click to collapse
yes, in many ways i try it but this doesn't work too
kalinx said:
yes, in many ways i try it but this doesn't work too
Can you run it without Fblock and then run again with it ticked?
Yes I was struggling with it yesterday all day, in many ways. Now I get off. I will buy Sony Xperia M4 aqua with very easy root, I get unlock code from Sony website. Damn you HUAWEI! :/
kalinx said:
Yes I was struggling with it yesterday all day, in many ways. Now I get off. I will buy Sony Xperia M4 aqua with very easy root, I get unlock code from Sony website. Damn you HUAWEI! :/
Can you explain every step you did before to get to that point, also what's wrong with your device?
Can this process work on Honor 10 col l29? He has kirin 970. Thank you.
levis36 said:
Can this process work on Honor 10 col l29? He has kirin 970. Thank you.
If it's not on the list then it isn't supported, but I believe if you look through the repo maybe someone forked it or there might be an alternative... I typed in honor in the questions and found this but there could be more
I solved it by changing the motherboard. I bought a phone with a broken display, 4 €, I changed the card and it did not have a lock on the screen and I entered the settings, return to the factory settings and everything goes ok. The new motherboard has emui 10.0.0 4 / 64gb and the old one was emui 8.1 which I failed to unlock I don't know the specifications it had. I would have liked to unlock the other one can have 6 / 128g.
levis36 said:
I solved it by changing the motherboard. I bought a phone with a broken display, 4 €, I changed the card and it did not have a lock on the screen and I entered the settings, return to the factory settings and everything goes ok. The new motherboard has emui 10.0.0 4 / 64gb and the old one was emui 8.1 which I failed to unlock I don't know the specifications it had. I would have liked to unlock the other one can have 6 / 128g.
Well done, that's a good way to get past it... What phone did you take the motherboard from? Did you not find any info on how to use the bootloader unlocker with your Honor 10 COL-L29 (Kirin 970)?
I tried 3 methods and none of them worked, they were all restricted, I got to a point and I couldn't move on.
Hi, I have a Mate 9 with FRP and Bootloader locked, and when I try to unlock the bootloader via fastboot, I have a warning telling that FRP needs to be unlocked first. Do you have any suggestion?
Well, I did it at last. After I had done this here and got no FRP bypass, I continued to google because this is weird, being able to run ADB/Fastboot commands, but unable to remove damn FRP. I have found this tool and it worked:
Download Huawei FRP and ID remove Tool For PC
Download Huawei FRP and ID remove Tool For PC if you want to bypass FRP lock google account from Huawei/Honor mobile
huaweiflash.com
So I can now thank the author for this guide, although unclear in some parts, then it has led finally to success. I have spent a couple of hours yesterday trying that bypass from the device (each and every method to start Youtube/Chrome/Maps/Google via Talkback is already blocked as of now). Then a couple of hours for this guide. I could have purchased me an open phone instead of cracking this one but I wanted to play with some Huawei without having to pay anything.
There were unclear points in the guide, I elaborate:
- to start fastboot mode: keep Volume down pressed and connect USB cable.
- you don't need specifically powershell, command line works as well
- the reflash is done from 32GB FAT32 formatted card named SDCARD which contained the unpacked folder dload with firmware files (SDCARD:/dload/<files>)
---initial comment---
EVA-L09 here.
Well, the procedure as described does not remove FRP lock.
PotatoNV worked, oem unlock command went through as well, but... Fastboot screen shows "FRP Lock" in green before the "oem unlock" command run; after the command and subsequent lowlevel reset; and after reflash.
The device asks the Google account after boot the same way as before the unlock/reflash.
Maybe the cumbersome way how you reflashed the phone is instrumental to enable FRP bypass (I have found exactly the same software build and my phone updated normally to 100% from SD card).
I have a P9 EVA-L09 device that has FRP locked. I tried this method without a PC and it worked for me

How To Guide Enabling 4G+ & 5G on Xperia 1 III on non - supported regions (Rooted)

First of all Thanks to johndaniel, htcmage, gorEisberg and Forbesii for their amazing work.
Hello, fellow Xperia users like you I had wondered why Sony had to go with this stupid idea of blocking some regions from accessing 5G, if they had played their cards correctly this could have been a huge hit.
Anyway, let's enable 4G+ and 5G
Note: I have tested this on my Xperia 1 III XQ-BC52 with EU firmware, and I have noticed a battery drain using 5G.
Important Note: You don't lose Widevine if you follow this correctly because I didn't lose mine. BTW I don't take any responsibility.
And yeah you have to do this after every OTA so this is going to be fun.
Prerequisites:
* Xperia 1 III
* Windows Laptop
* Firmware for your device
* USB Cable
Downloading Firmware
Download XperiFirm from https://xperifirm.com/download/xperifirm-v4-6-0/ and Install
Open the XperiFirm and Download the firmware for your device ( check your model number and download the firmware)
Preparing the Device for Rooting
* Back up all the data from your device.
Make sure the device is supported for Bootloader unlock by opening the dialer and enter the code *#*#7378423#*#* and then press Service Info -> Configuration.
If the Bootloader unlock status is Yes, then you’re lucky and continue the rest of the guide.
Visit https://developer.sony.com/develop/open-devices/get-started/unlock-bootloader/ and Select your device and enter IMEI and get the code.
Enable Developer Options and then Enable OEM Unlocking and USB debugging on your device.
Download Platform tools for Windows using this link
https://dl.google.com/android/repository/platform-tools-latest-windows.zip
Open CMD and go to the Platform-tools directory and enter the below command:
adb reboot bootloader
Once it’s in bootloader mode or fastboot mode you will see blue light then type this command on CMD:
fastboot oem unlock 0xYOURKEY
Wait for the reply on cmd and then type
fastboot reboot
Now your device is Unlocked.
Rooting
Open the firmware folder you have downloaded and look for boot.sin file it looks something like boot_X-FLASH-ALL-4BA8.sin with around 96MB size (might look different for other versions and regions)
Download UnSin Exe from https://forum.xda-developers.com/t/tool-unsin-sin-v3-v4-v5-unpacker-v1-13.3128106/ and then drag and drop the boot.sin this will give you boot.img
Rename the boot_X-FLASH-ALL-4BA8.img into boot.img (easier to flash) and then using Magisk Manager to patch it.
Just don’t delete the original boot.img we need that for the re-locking bootloader.
Now copy the magisk_patched.img into the Platform-tools folder and rename it into boot.img
Open CMD and go to the Platform-tools directory and enter the below command:
adb reboot bootloader
Once in fastboot mode type this command
fastboot flash boot boot.img
Wait for it and then type
fastboot reboot
Open magisk and verify it's rooted.
Enabling 5G
Open CMD and go to the Platform-tools directory and enter the below command:
adb shell
su
setprop persist.usb.eng 1
If the phone asks for Allow access, press Deny.
After that, it should show up as 3 Xperia in Device Manager; install them one by one manually using the Qualcomm driver (just YouTube this part). Use Qualcomm USB diagnostic 9091 or 9081.
Download QPST from https://qpsttool.com/ and install it, then open EFS Explorer and select LAHAINA if the name is there; otherwise try them one by one until you see a bunch of folders.
Once all the folders are showing up, go to the Policyman folder, copy the carrier_policy.xml attached in this post and paste it there.
Restart the device.
You should now have the speed of 5G or 4G+.
Don’t stop here.
Time to go back to Stock (Unroot)
Open CMD and go to the Platform-tools directory and enter the below command:
adb reboot bootloader
Remember the original boot.img we had before patching: copy that file into platform tools and replace it with the patched magisk boot.img
Then type this command:
fastboot flash boot.img
Once that’s done then type this command:
fastboot oem lock
Wait for the response and then type this command:
fastboot reboot
Once that’s done, your device should format, with the bootloader locked and back to stock ROM with 5G.
In case anyone is facing any issue or has doubts, comment down below or contact me on my WhatsApp +97333956356
First comment!
GeramanX said:
First comment!
You want now a sticker
A lot easier, but I am using another PC.
Just curious, but would anyone who has done this please type *#*#service#*#* in their phone dialer menu and tell me what their "current modem config" is under the "Software info" menu?
I have managed to get VoLTE working with Telstra here in Australia, but according to the above menu it's not using the Telstra MBN file that is loaded on the phone and is instead using "Row Commercial".
Just curious as I think this might be a bug with the menu not showing the correct file or it is something going a bit crazy on my phone. Cheers, Bentree.
Also @arjun_m4 thank you for this nice guide. What changes did you make to the Carrier_Policy.xml file?
Xperia 1 III Indian SIM: VoLTE and WiFi calling support, but not 5G support.
Hi
Do you have a video, for example on YouTube, where I can see the steps to do this?
I ask for it because I have some doubts about the process.
Thanks a lot
There is a wrong command in the last step.
The right command is fastboot flash boot boot.img (two times boot boot)
This can be a problem for a common user like me.
Time to go back to Stock (Unroot)
Open CMD and go to the Platform-tools directory and enter the below command:
adb reboot bootloader
Remember the original boot.img we have before patching copy that file into platform tools and replace it with the patched magisk boot.img
Then type this command:
fastboot flash boot.img
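An added example, not part of the guide or of any post in this thread: because the guide gives the patched image the same name as the stock one (boot.img), this check confirms that the file about to be flashed before `fastboot oem lock` is byte-identical to the saved stock image, and it lists the restore commands with the partition name included. The file name boot_stock.img is hypothetical, the sample images are constructed, and it assumes the extracted image is a standard Android boot image starting with the `ANDROID!` magic.

```python
import hashlib
import os
import tempfile

BOOT_MAGIC = b"ANDROID!"  # first 8 bytes of an Android boot image header


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a ~96 MB boot image is never held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_before_relock(stock_path, candidate_path):
    """Return (ok, reason); ok is True only if candidate equals the saved stock image."""
    for path in (stock_path, candidate_path):
        with open(path, "rb") as fh:
            if fh.read(len(BOOT_MAGIC)) != BOOT_MAGIC:
                return False, f"{path}: not an Android boot image"
    if os.path.getsize(stock_path) != os.path.getsize(candidate_path):
        return False, "size differs from the saved stock image"
    if sha256_file(stock_path) != sha256_file(candidate_path):
        return False, "SHA-256 differs from the saved stock image"
    return True, "matches the saved stock image"


def relock_commands(image_name="boot.img"):
    """Restore sequence from the guide, with the partition name passed to flash."""
    return ["adb reboot bootloader", f"fastboot flash boot {image_name}",
            "fastboot oem lock", "fastboot reboot"]


def demo():
    """Constructed sample images (not real firmware): header magic plus filler."""
    with tempfile.TemporaryDirectory() as tmp:
        stock = os.path.join(tmp, "boot_stock.img")  # hypothetical backup name
        patched = os.path.join(tmp, "boot.img")
        with open(stock, "wb") as fh:
            fh.write(BOOT_MAGIC + b"\x00" * 4088)
        with open(patched, "wb") as fh:
            fh.write(BOOT_MAGIC + b"\x00" * 4087 + b"\x01")  # one byte changed
        return check_before_relock(stock, stock), check_before_relock(stock, patched)


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "STOP", reason)
    print("\n".join(relock_commands()))
```

Keeping the stock image under its own name at extraction time is what makes the comparison meaningful; a mismatch means the file in the Platform-tools folder is not the one that came out of the firmware package.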
bentree said:
Just curious, but would anyone who has done this please type *#*#service#*#* in their phone dialer menu and tell me what their "current modem config" is under the "Software info" menu?
I have managed to get VoLTE working with Telstra here in Australia, but according to the above menu it's not using the Telstra MBN file that is loaded on the phone and is instead using "Row Commercial".
Just curious as I think this might be a bug with the menu not showing the correct file or it is something going a bit crazy on my phone. Cheers, Bentree.
Also @arjun_m4 thank you for this nice guide. What changes did you make to the Carrier_Policy.xml file?
Thanks for your post Bentree.
I would be very grateful for your advice as to how to get VoLTE going with Xperia 1 III on Telstra.
I would love to get 5G as well. Has anyone tried this firmware change on a XQ-BC72 and had success in getting 5G in a country where this has been disabled?
rollyk said:
Thanks for your post Bentree.
I would be very grateful for your advice as to how to get VoLTE going with Xperia 1 III on Telstra.
I would love to get 5G as well. Has anyone tried this firmware change on a XQ-BC72 and had success in getting 5G in a country where this has been disabled?
I'm at work at the moment but I'm currently using a 1 III with Telstra network (Boost Mobile SIM). I have 5G and VoLTE but no VoWiFi. When I get home I'll try and write you up the steps required.
bentree said:
I'm at work at the moment but I'm currently using a 1 III with Telstra network (Boost Mobile SIM). I have 5G and VoLTE but no VoWiFi. When I get home I'll try and write you up the steps required.
Thanks Bentree, whenever you get a chance. Telstra support have obviously not been helpful, nor has Sony Australia. If you have a way of accessing 5G and VoLTE on Xperia 1 III in Oz that would be awesome.
rollyk said:
Thanks Bentree, whenever you get a chance. Telstra support have obviously not been helpful, nor has Sony Australia. If you have a way of accessing 5G and VoLTE on Xperia 1 III in Oz that would be awesome.
Yeah Sony will just straight up tell you that, because they have withdrawn from Oz they can't do nothing. Telstra will just say that they don't support the phone on their network. I'll get to it this weekend. Sunday is my only day off from work so I'll write you up a guide then.
For some reason when I try to copy the item file from the PC I get an error.
File Copy Error: Carrier_Policy.xml is greater than 2048 bytes. Item File Size Limit is 2048 bytes.
Okay, so here's my stock file that I can easily transfer between my PC and phone using this method, but the moment I try the edited one from the OP I get an error about max file size... So far I have tried this with 2 different PCs, and also I'm on a custom ROM, so idk if that's the problem.
Not able to perform this action:
"After that, it should show up 3 Xperia on the device manager and install one by one manually using Qualcomm driver just youtube this part. Use Qualcomm USB diagnostic 9091 or 9081"
Any pointers or exact YouTube links?
