Sonim XP8 (Root?) - Android Q&A, Help & Troubleshooting

Finally got tired of the Pixel 2 XL after the third one. Now I have this super rugged handset that I can actually hold on to! Great loud audio too!
The Sonim XP8 comes with a seemingly near stock Android 7.1.1 ROM. OEM unlocking is available in the developer options. I have it enabled. Does anyone know how to use the ADB/Fastboot tools to unlock it? The standard commands do not work. My unit is personal and not under any "enterprise" restrictions. Thanks for any help fellow hackers ... some TWRP would be awesome.

ctradio said:
> Does anyone know how to use the ADB/Fastboot tools to unlock it? The standard commands do not work. My unit is personal and not under any "enterprise" restrictions. Thanks for any help fellow hackers ... some TWRP would be awesome.
(Im)patiently waiting for this too. I don't care if it is single touch or long drawn out process involving a cauldron, hermetic circle, and a full moon. Root is sorely needed...

Phuhque said:
> (Im)patiently waiting for this too. I don't care if it is single touch or long drawn out process involving a cauldron, hermetic circle, and a full moon. Root is sorely needed...
Good luck! Still nothing. It looks like we might be able to sign up as a developer on their page .... fwiw. I find the interface on that device to be awful and am in the early stages of fighting AT&T for my money back. That device and another one with the same stupid issues and an admitted software problem that I'd have to wait for the carrier to decide to release. Awesome idea for a device, absolutely rushed to market with god awful software that was new in '16 or so.

ctradio said:
> I find the interface on that device to be awful and am in the early stages of fighting AT&T for my money back.
I am on T-Mobile and found the factory unlocked version with no bloatware (obtainable directly from the) to be rather refreshing, even if it did set me back an extra $100. I do suggest getting the refund, then turning around and getting the "clean" version. It may be more expensive, but considering how much it costs for monthly insurance, the overall price becomes somewhat more competitive with the 3 year "comprehensive" warranty...

Phuhque said:
> I am on T-Mobile and found the factory unlocked version with no bloatware (obtainable directly from the) to be rather refreshing, even if it did set me back an extra $100. I do suggest getting the refund, then turning around and getting the "clean" version. It may be more expensive, but considering how much it costs for monthly insurance, the overall price becomes somewhat more competitive with the 3 year "comprehensive" warranty...
I was told there was no carrier unlocked variant of this thing. Did you get it from Sonim? Also, any problems at all with it? I had two with touch issues along the right side of the screen (it perceives a light constant touch in various areas and it gets worse the longer the screen is on). The units would eventually start selecting things on its own and even deleting contacts. Also, the speaker phone is useless and the UI is horribly laggy at times (my mind operates fast and it screws with me). I presented them with a "laundry list" of the issues.

ctradio said:
> I was told there was no carrier unlocked variant of this thing. Did you get it from Sonim? Also, any problems at all with it? I had two with touch issues along the right side of the screen (it perceives a light constant touch in various areas and it gets worse the longer the screen is on). The units would eventually start selecting things on its own and even deleting contacts. Also, the speaker phone is useless and the UI is horribly laggy at times (my mind operates fast and it screws with me). I presented them with a "laundry list" of the issues.
Someone flat out lied to you. Go here: https://store.sonimtech.com/products/sonim-xp8-blk-nam
Well, maybe not lied at the time you were told... I waited several months for them to post it on their store page. In response to your concerns....
No issues with it going all AI on me. Speaker PHONE portion leaves a bit to be desired, but for audio books, this thing is damned awesome and really loud. Not sure how to reference the lag. My previous phone was a Note 4 with issues.
My own complaints. The lock screen is a pain. The default music program is broken in my opinion. I am suffering through with Musicolet for my books.
What sold me on this is that it is one of the last phones made today that has a removable battery (really my only requirement in a new phone), has both gps and glonass, and in a pinch I can use it as a hurled object to an opponent's head. Someone complained about the camera, but it seems fine to me. Wouldn't matter much as I am partially colorblind and won't see any difference.
I have only had mine for a week, and am still tweaking the settings to how I want them. Honestly, I like it.

I would really love to see some support for this phone. Especially since the monsters at Telus have disabled the 2nd sim slot for no good reason. I have tried everything but without Root I am out of luck getting the dual sim feature to function. Is there anything I can provide to assist someone more knowledgeable in getting a root solution for this phone? Please let me know.

mertin said:
> I would really love to see some support for this phone. Especially since the monsters at Telus have disabled the 2nd sim slot for no good reason. I have tried everything but without Root I am out of luck getting the dual sim feature to function. Is there anything I can provide to assist someone more knowledgeable in getting a root solution for this phone? Please let me know.
Hello,
I just bought this phone. I use 2 sim cards at the same time but it does not work properly: I can receive and make calls, but I cannot send or review sms/mms on 1 operator. I use the xp8800 in France, it is an Att model unlocked. To have the 2 sim cards at the same time I rebooted several times, cut the data, without really understanding how I did. Is there a way to restart the network part of Android?
Thanks
Pascal S

I take it we are still coming up snake-eyes when it comes to someone being able to root the XP8. I am rather surprised with the fact it is on 7.1.1. Is this still an unbeatable task to overcome?

The thread is closed, this is the tested version of the firmware
Unlock fastboot
Step 1, open the developer mode
Go to “Settings” → “About Phone” and click “Version Number” 7 times to open Developer mode.
Step 2, open oemlock
Go to “Settings” → “Other Settings” → “Developer Mode” and open the OEM to unlock;
3 START mode
flash <partition> [ <filename> ]        Write a file to a flash partition.
flashing lock                           Locks the device. Prevents flashing.
flashing unlock                         Unlocks the device. Allows flashing any partition except bootloader-related partitions.
flashing lock_critical                  Prevents flashing bootloader-related partitions.
flashing unlock_critical                Enables flashing bootloader-related partitions.
flashing get_unlock_ability             Queries bootloader to see if the device is unlocked.
flashing get_unlock_bootloader_nonce    Queries the bootloader to get the unlock nonce.
flashing unlock_bootloader <request>    Issue unlock bootloader using request.
flashing lock_bootloader                Locks the bootloader to prevent bootloader version rollback.
erase <partition>                       Erase a flash partition.

Firmware update soon.. ??
In May, I sent off another email to Sonim Tech support asking about firmware. I did get a response back. Granted it was rather vague, but it was an answer. Further granted, it is now mid June and no updates in sight including one that allows the viewing of PDFs. grrrr.
The support guy did mention that AT&T is going to be one of the first providers to get the update. That sucks for me because I got my unit direct. He also said the month of May was a non-official time frame.
So still waiting and no success story yet posted of anyone unlocking this little beastie.

https://www.att.com/devicehowto/tutorial.html#!/stepbystep/id/stepbystep_KM1259507?make=Sonim&model=XP8XP8800
No idea how to update manually, though...

Phuhque said:
> In May, I sent off another email to Sonim Tech support asking about firmware. I did get a response back. Granted it was rather vague, but it was an answer. Further granted, it is now mid June and no updates in sight including one that allows the viewing of PDFs. grrrr.
> The support guy did mention that AT&T is going to be one of the first providers to get the update. That sucks for me because I got my unit direct. He also said the month of May was a non-official time frame.
> So still waiting and no success story yet posted of anyone unlocking this little beastie.
> No idea how to update manually, though...
Thanks for the news, but no working to ATT from France, until in OTA.
Wait and see if dual sim working clean ....

Has anyone seen this video? There's a part in the video where the guy turns it on, and there is a prompt to re-lock the bootloader (which, of course, implies that the bootloader is unlocked); I don't know how this really helps, but it might give someone more experienced than I something to grab at. I should mention that it is mentioned as a pre-production model of the Sonim XP8, so it probably won't apply to models that most people have, but it's something to look at.

Sonim XP8
I know that Verizon is now selling the Sonim XP8. Does anybody happen to know if it is possible to use both SIM card slots with this device after it is unlocked?
Being able to use BOTH AT&T AND Verizon would be a huge benefit to me.

Is there any root yet? I've tried about every root app. I can't even find working drivers for this phone.

Thecctech said:
> Is there any root yet? I've tried about every root app. I can't even find working drivers for this phone.
Drivers are not an issue.. It's using Qualcomm reference designs from the S660 dev kit where most generic Qualcomm drivers should work with minimal modification.
This is a good thing! Most of the root apps are using a collection of known exploits where only vulnerable devices would fall victim. You would have to use an exploit that's more recent than the security patch level installed but you also have to remember - if you can do it that easily then an attacker can do it just as easily too! I personally believe that the association between root and device/firmware level vulnerabilities is the reason why most see root in a negative context today.
As far as I'm concerned - we only have 2 "correct" ways to achieve root.
1. Obtain (or compile) either a Debug or Engineering firmware variant from AT&T that includes the native su packages for adb root. This is usually not an option for us individuals.
2. Unlock the bootloader and use a patched boot image.. Works great! To unlock the bootloader takes a bit of work though and flashing still requires EDL so with that I have not been able to make a public instruction set yet.
Could be in the next few days.. Could be in the next few months.. I'm honestly not sure. Mostly just a matter of collecting images, testing, and finding time.

Enjoy!
XP8 Android Root Theory - DEBUG or Magisk over EDL
EDL is a must since Fastboot cannot be unlocked initially from standard "user" builds.
One option is flash a userdebug image (below) allowing for adb root, fastboot unlocking, and other useful features.
or
Without unlocking the bootloader - Similar flashing methods remain valid when standard magisk powered root is desired. This method allows preservation of all current system data aside from boot.img. All is covered since Magisk works with AVB and we have EDL as a flashing alternative. Please see Android Boot Flow > LOCKED Devices with Custom Root of Trust for more information.
Recommended method
It's up to you.. If you want OTA updates and you're planning to use root apps then go with Magisk. As of today we have current debug images available and I personally prefer isolated adb root access only, however future availability of updated Debug images cannot be guaranteed.
Disclaimer
-Devices with locked bootloaders will display a custom OS warning at boot
-Tested on AT&T branded devices only - please provide system dump for validation on other builds
-I have not identified any JTAG procedures and I can not help if you hard brick your device!
-This guide only touches boot_a and should be relatively safe since boot_b remains unmodified. I'm pretty sure this is enough to restore the original boot.img to boot_a under a failure scenario.. But I'm not really qualified enough to say definitively either.
-Take great caution - this is raw emmc access and critical system data! You are proceeding at your own risk!
Magisk Root
Step 1 - Pull Boot.img
We need to pull the boot.img in order to feed it to magisk later for patching. It's also good to keep on hand for if/when you need to restore for any reason.
1. Create an XML file with the data below
Code:
<?xml version="1.0"?>
<data>
<program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="boot.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
</data>
2. Boot to EDL mode and load firehose programmer
Code:
QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
3. Backup boot.img using the following command
Code:
fh_loader.exe --convertprogram2read --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0 --memoryname=emmc --noprompt --reset
Or visit the XP8 carrier firmware thread for full system backup steps.
https://forum.xda-developers.com/showpost.php?p=80465045&postcount=6
Step 2 - Magisk Patch
1. ADB push boot.img /storage/self/primary/Download/
2. Install Magisk Manager and apply patch to boot.img
2a. Download from https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
2b. Extract and run adb install magisk.apk
2c. Open Magisk app and apply patch to boot.img
3. ADB pull /storage/self/primary/Download/magisk_patched.img
Step 3 - Restore
1. Change the filename attribute in the XML to reflect newly created magisk_patched.img as shown below
Code:
<?xml version="1.0"?>
<data>
<program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="magisk_patched.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
</data>
2. Boot back into EDL mode and load firehose programmer
Code:
QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
3. Apply magisk_patched.img using the following command
Code:
fh_loader.exe --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0 --memoryname=emmc --noprompt --reset
USERDEBUG Flash
Step 1 - Backup
1. Boot to EDL mode and load firehose programmer
2. Generate rawprogram0.xml - Run GPTConsole <COM Number>
Example: GPTConsole 19
3. Initiate backup
Code:
fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=rawprogram0.xml --lun=0 --memoryname=emmc --noprompt --reset
4. Wipe all partitions
Code:
fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=erase.xml --lun=0 --memoryname=emmc --noprompt --reset
5. Restore new image
Code:
fh_loader.exe --port=\\.\COM<#> --sendxml=rawprogram0.xml --lun=0 --memoryname=emmc --noprompt --reset --search_path=<extracted image file directory>
// rawprogram0_unsparse.xml for some images
Images and OTA Files
Full 8.1 System Image
XP8A_ATT_user_8A.0.5-11-8.1.0-10.54.00
XP8A_ATT-user-8A.0.5-10-8.1.0-10.49.00
USERDEBUG Images
XP8A_ATT_userdebug_8A.0.5-11-8.1.0-10.54.00
XP8A_ACG-userdebug-8A.0.0-00-7.1.1-32.00.12
XP8A_USC-userdebug-8A.0.0-00-7.1.1-34.00.10
(ATT 7.1 pending upload. Please check back or use other links available further in thread.)
OTA Updates
XP8_ATT_user_N10.01.75-O10.49.00
XP8_ATT_user_O10.49.00-O10.54.00
XP8_TEL_user_N12.00.24-O12.23.00
Flash Tools - programmer (elf) file provided by eleotk!
XP8 Drivers
Firmware Carrier Codes
Code:
None = 0,
ATT = 10
Bell = 11
Telus = 12
Sasktel = 13
Harris = 14
Verizon = 15
Ecom = 16
NAM = 17
Rogers = 18
T_Mobile = 19
EU_Generic = 20
MSI = 21
CISCO = 22
NAM_Public_Safety = 23
Vodafone_Global = 24
Orange = 25
Southern_Linc = 26
OPTIO = 27
India = 28
SPRINT = 29
JVCK = 30
AUS = 31
ACG = 32
CSPIRE = 33
USC = 34
SB = 35
Multi = 99
Automatic OTA without AT&T service:
Purchase a blank AT&T SIM card ($5)
Start online prepaid activation - complete pages 1 & 2
**SIM Card is now partially active without funding - do not complete page 3 (payment)***
*#*#368378#*#* > Clear UI > Check for updates in settings
XP5s
Sprint Image: XP5SA.0.2-03-7.1.2-29.03.00
Works the same. Tested with unmodified Sprint firmware. Like most other apps, the Magisk manager app is unusable since the XP5s has no touch screen - I had to patch the boot image on another device. You can plug in a USB mouse, however the cursor does not seem to invoke in-app taps.
Need to use the appropriate Firehose loader (prog_emmc_firehose_8920.mbn) and replace the boot image location according to the XP5s GPT (start_sector="790528").
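Step 3 of the Magisk procedure in the post above has you hand-edit the XML before a raw eMMC write. The following is an added example, not part of the original post or of the Qualcomm tools: it checks that a restore XML differs from the backup XML only in its filename and that the patched image fits in boot_a. The function names and the 30 MiB image size are assumptions made for the example; the XML and sector values are the ones from the post.

```python
import xml.etree.ElementTree as ET

# boot_a entry exactly as posted for the XP8 (eMMC, 512-byte sectors).
BOOT_A_XML = """<?xml version="1.0"?>
<data>
<program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="boot.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
</data>
"""


def find_program(xml_text, label):
    """Return the attributes of the single <program> entry for `label`."""
    root = ET.fromstring(xml_text)
    matches = [p for p in root.iter("program") if p.get("label") == label]
    if len(matches) != 1:
        raise ValueError(f"expected one <program> for {label!r}, found {len(matches)}")
    return dict(matches[0].attrib)


def boot_geometry(xml_text, label):
    """Return (byte_offset, byte_length) of the region the entry addresses."""
    attrs = find_program(xml_text, label)
    sector = int(attrs["SECTOR_SIZE_IN_BYTES"])
    start = int(attrs["start_sector"])
    count = int(attrs["num_partition_sectors"])
    return start * sector, count * sector


def check_restore(backup_xml, restore_xml, label, image_len):
    """Return a list of problems; an empty list means only the filename
    changed between backup and restore XML and the image fits."""
    problems = []
    old = find_program(backup_xml, label)
    new = find_program(restore_xml, label)
    # Any geometry drift (wrong start sector, wrong LUN) would write elsewhere.
    for key in sorted(set(old) | set(new)):
        if key != "filename" and old.get(key) != new.get(key):
            problems.append(f"{key} changed: {old.get(key)!r} -> {new.get(key)!r}")
    if new.get("filename") == old.get("filename"):
        problems.append("filename still points at the backup image")
    _, part_len = boot_geometry(backup_xml, label)
    if image_len <= 0:
        problems.append("image is empty")
    elif image_len > part_len:
        problems.append(
            f"image ({image_len} bytes) does not fit in {label} ({part_len} bytes)"
        )
    return problems


if __name__ == "__main__":
    offset, length = boot_geometry(BOOT_A_XML, "boot_a")
    print(f"boot_a: offset {offset // 2**20} MiB, size {length // 2**20} MiB")
    restore_xml = BOOT_A_XML.replace(
        'filename="boot.img"', 'filename="magisk_patched.img"'
    )
    # 30 MiB is a constructed stand-in for os.path.getsize("magisk_patched.img").
    print(check_restore(BOOT_A_XML, restore_xml, "boot_a", 30 * 2**20) or "restore XML OK")
```

The same check catches mixing up device values, for example carrying the XP5s start sector (790528) into an XP8 XML.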

Great, thanks a lot for instructions, @smokeyou!
In order to be able to boot into patched boot image, does it require to have unlocked bootloader? Assuming I can upgrade my phone to build 8A.0.5-10-8.1.0-10.49.00, but have my bootloader locked, can I still use your instructions? Can you clarify it?
-albertr

albert.r said:
> Great, thanks a lot for instructions, @smokeyou!
> In order to be able to boot into patched boot image, does it require to have unlocked bootloader? Assuming I can upgrade my phone to build 8A.0.5-10-8.1.0-10.49.00, but have my bootloader locked, can I still use your instructions? Can you clarify it?
> -albertr
Untested but should not be a problem. Bootloader unlocking only allows Fastboot flashing where this method uses EDL only.
Basically the same outcome though just without the option to use TWRP or custom recovery (easily).

Related

[Q] Rooting the Samsung Stratosphere II?

Hello everyone,
I've recently gotten a Samsung Galaxy™ Stratosphere™ II (Verizon), and can't find anything on rooting this sucker. The pertinent specs (as far as I can tell) are as follows:
Android: 4.0.4
OS Version: 3.0.8-1157001
Dalvik Version: 1.6.0
CPU: Snapdragon S4 (ARMv7 r4)
Hardware: Samsung Aegis2 r4
Anyone have any advice? I'd love to be able to root then make a CWM recovery for this thing, and any help would be greatly appreciated.
Thanks!
Holy mother of humanity, these threads get buried QUICKLY!
I have the same phone and have looked everywhere trying to find a way to root it
fltbosn said:
> I have the same phone and have looked everywhere trying to find a way to root it
I mean, I know it's a relatively new phone and all, but surely someone with some development knowledge has one by now...
... I'd try to figure it out, but I think it might be a little over my head.
Okay, the problem with the available rooting procedures is that they all try to install things to /data/, which is inaccessible (not even read-only); I've been looking and trying to ask around, but can't find any alternative procedures.
How hard is it to root a phone from scratch? Is it possible to use exploit bases from other phones that use the same SoC and Android version? Any devs able to chime in?
What is it about this Verizon implementation of 4.0.4 that doesn't allow access to /data/, which is what every standard root procedure uses? Do any other Verizon phones use 4.0.4 that don't have access to the /data/ folder?
(I really, REALLY hate to keep bumping my own thread)
I got this phone too. A root method would be great so I can remove the bloatware.
ShaneRitz said:
> I got this phone too. A root method would be great so I can remove the bloatware.
I am from Bulgaria and I have bought this phone too and we still can not make it working even with Verizon Wireless SIM card.
The problem probably (not sure) is that it was never turned on or registered so in Bulgarian when I put Verizon Wireless SIM card it can't recognize its home network of Verizon to start the setup.
It seems that it need Verizon network to make first registration and activation of device or I am missing something? The only thing that pop up is Wizard of Verizon that want to set up my phone and account and I can't do it because no Verizon Network connectivity...
Any suggestions?
Trying and failing
WetLlama said:
> Hello everyone,
> I've recently gotten a Samsung Galaxy™ Stratosphere™ II (Verizon), and can't find anything on rooting this sucker. The pertinent specs (as far as I can tell) are as follows:
> Android: 4.0.4
> OS Version: 3.0.8-1157001
> Dalvik Version: 1.6.0
> CPU: Snapdragon S4 (ARMv7 r4)
> Hardware: Samsung Aegis2 r4
> Anyone have any advice? I'd love to be able to root then make a CWM recovery for this thing, and any help would be greatly appreciated.
> Thanks!
I have been working through many of the methods, unfortunately with no success. The root exploits don't work (including debugfs which would work on nearly anything) as the file system is locked down HARD even in recovery mode. Even ODIN 3.07 flashing recoveries (CWM touch 6.01) fails check after NANDWRITE step (Same trying to flash an unlocked boot for the MSM8960 (SIII)). I have built the kernel from source successfully but with no way to get the initramfs built there's no way to flash the product. Damn VZW!!! Need some suggestions for moving forward, I'm about stumped.
So I feel your pain friend, I'm sure others are too. Short of an emulator to suck the code off the chip, (which I'm not above doing *if* I had the hardware and twiddling bits in the binary I don't know how we're going to get this thing unlocked yet.
TheHierophant said:
> I have been working through many of the methods, unfortunately with no success. The root exploits don't work (including debugfs which would work on nearly anything) as the file system is locked down HARD even in recovery mode. Even ODIN 3.07 flashing recoveries (CWM touch 6.01) fails check after NANDWRITE step (Same trying to flash an unlocked boot for the MSM8960 (SIII)). I have built the kernel from source successfully but with no way to get the initramfs built there's no way to flash the product. Damn VZW!!! Need some suggestions for moving forward, I'm about stumped.
> So I feel your pain friend, I'm sure others are too. Short of an emulator to suck the code off the chip, (which I'm not above doing *if* I had the hardware and twiddling bits in the binary I don't know how we're going to get this thing unlocked yet.
You're a much braver man than I, I'll tell you that much.
I've been considering attempting to flash a T-mobile Samsung Relay 4G recovery since the phones are almost identical (with the exception of the radios, of course), but I'm afraid of totally borking it because I have no backup. If you're up for it and haven't tried that one yet, maybe editing some settings in the build.prop of the Relay's stock ROM would work (I don't know really; I'm a hardware guy, not a developer... )?
http://forum.xda-developers.com/showthread.php?t=2117436
There's all of the stuff for it so far, and if you do decide to give it a shot, let me know and I'll try to provide whatever help I can.
Hidden Menu results
Okay, fell back and started looking at other approaches. So... following on Adam Outler's work on the SIII I snooped through the .apk's and found this little gem "HiddenMenu.apk" which I disassembled. Lo and behold the following things popped out at me [which I put in activation strings]:
Code:
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE"
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU"
shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL"
The first line brings up the Hidden menu screen: select the entry and select "enable"
The second line brings up the internal operation test menu which lets you look at all sorts of interesting and possibly dangerous goodies
The third line brings up the following message in a dialog box followed by another dialog asking for the unlock key code
"You have obtained the key for unlocking the bootloader to install custom OS. In order to unlock the bootloader, you must read and accept the following terms and conditions. By clicking on the “I Agree” button, you acknowledge and agree to the terms and conditions. If you change your mind, you may click on the “Cancel” button, which will stop the process.
1. The unlocking of the bootloader voids and invalidates the warranty of your device. As result of the unlocking, certain functions of your device may cease to function and physical injuries or material damage may occur, for example, due to the phone overheating. You take full responsibility for any and all consequences that may arise from the unlocking of the bootloader. Samsung will not be liable for any damages that such unlocking may cause, and you waive any rights in connection with the unlocking.
2. You will not be able to recover the device to its original state. Even if the device’s setting is restored, the warranty will remain voided and invalid.
3. As result of the unlocking, you may lose certain contents that you have stored on your device, for example, through the malfunction of the DRM functions.
4. You agree that your attempt to unauthorized kernel download from the default setting or without the authorization key will lead to blocking of the device, which may permanently disable the device. Samsung will not be responsible for any damages or injuries that result from such attempt. For downloading of custom kernel, you need to follow through a special installation process as set forth in the device manual.
5. You agree to comply with all applicable laws and regulations as well as any contractual obligations that you may have with your wireless carrier in using the unlocked devices. In particular, you will not operate the unlocked device on any wireless carrier’s network unless such wireless carrier approves of the operation of such unlocked device on its network.
6. You agree not to resell your unlocked devices to other parties without first explaining the content of the terms and conditions herein.
"
I found the following part inside the constructor for SecureBootMenu:
Code:
.line 24
const-string v0, "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
iput-object v0, p0, Lcom/android/hiddenmenu/SecureBootMenu;->SBOOT_KEY:Ljava/lang/String;
Well, I tried that key and got a message "HIDDENMENU stopped" and a boot into loader still gives the "QUALCOMM SECUREBOOT: ENABLE". So I'm not quite there yet, but there may be something close. I'll keep looking around. If anyone has suggestions or more wisdom LMK.
TheHierophant said:
> Okay, fell back and started looking at other approaches. So... following on Adam Outler's work on the SIII I snooped through the .apk's and found this little gem "HiddenMenu.apk" which I disassembled. Lo and behold the following things popped out at me [which I put in activation strings]:
> Code:
> shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE"
> shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU"
> shell "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL"
> The first line brings up the Hidden menu screen: select the entry and select "enable"
> The second line brings up the internal operation test menu which lets you look at all sorts of interesting and possibly dangerous goodies
> The third line brings up the following message in a dialog box followed by another dialog asking for the unlock key code
> I found the following part inside the constructor for SecureBootMenu:
> Code:
> .line 24
> const-string v0, "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
> iput-object v0, p0, Lcom/android/hiddenmenu/SecureBootMenu;->SBOOT_KEY:Ljava/lang/String;
> Well, I tried that key and got a message "HIDDENMENU stopped" and a boot into loader still gives the "QUALCOMM SECUREBOOT: ENABLE". So I'm not quite there yet, but there may be something close. I'll keep looking around. If anyone has suggestions or more wisdom LMK.
Wow man, that's awesome; I'd mucked around with some of the dialer codes, but never got to that point. I wish I could help at all, but you've blown way past my usefulness at this point -- unless you want a tester.
What about trying various decode methods on that key? It looks like it could be maybe base64.
Here's two ideas that may help you root:
1) Borrow a page from the kindle fire and instead of trying to access /data directly, get around it with a symlink http://www.androidpolice.com/2012/09/17/amazon-kindle-fire-hd-7-already-rooted-heres-how-to-do-it/
2) You said Odin wouldn't let you flash custom bootloaders. See if you can flash custom system images. Get a copy of the stock system image from Kies or samfirmware.com, mount it under Linux, add the superuser apk and su manually and fix permissions, and then repackage it as a .tar.md5 and try to flash it. Here's an (old) guide to do that http://forum.xda-developers.com/showthread.php?t=1081239 I'm sure there's newer ones though.
Thanks for the suggestions...
Nardholio said:
> Here's two ideas that may help you root:
> 1) Borrow a page from the kindle fire and instead of trying to access /data directly, get around it with a symlink http://www.androidpolice.com/2012/09/17/amazon-kindle-fire-hd-7-already-rooted-heres-how-to-do-it/
> 2) You said Odin wouldn't let you flash custom bootloaders. See if you can flash custom system images. Get a copy of the stock system image from Kies or samfirmware.com, mount it under Linux, add the superuser apk and su manually and fix permissions, and then repackage it as a .tar.md5 and try to flash it. Here's an (old) guide to do that http://forum.xda-developers.com/showthread.php?t=1081239 I'm sure there's newer ones though.
I'll give these a try, have been busy with other things, but have a couple evenings free to experiment. Thank you for the ideas.
Did you get anywhere?
I disassembled the HiddenMenu.apk and found the same code. When I entered it I got an error saying that the application stopped working.
I ran the string through base64 --decode, but it was full of non-printable characters. I'm wondering if it's encrypted.
I've also tried various methods that symlink data but keep getting permission denied errors. I haven't found a copy of a stock firmware to mess with.
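The base64 question raised in the posts above can be examined offline. The following is an added example, not from the thread or from the HiddenMenu code: it decodes the SBOOT_KEY string quoted in the thread and reports the properties that help separate "merely encoded" from "opaque binary". The function names, magic-byte table and contrast sample are this example's own.

```python
import base64
import binascii
import math
from collections import Counter

# String assigned to SBOOT_KEY in the SecureBootMenu constructor quoted in the thread.
SBOOT_KEY = "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
# Constructed contrast sample: plain ASCII that has only been base64-encoded.
PLAIN_SAMPLE = base64.b64encode(
    b"constructed sample: this is only encoded, not encrypted"
).decode()

# Container and compression headers worth ruling out before suspecting encryption.
MAGICS = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip",
          b"\x78\x9c": "zlib", b"\x30\x82": "DER SEQUENCE"}
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 32: "SHA-256", 48: "SHA-384", 64: "SHA-512"}


def shannon_entropy(data):
    """Bits per byte of the observed byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(text):
    """Decode strictly and describe the result without interpreting it."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return {"base64": False}
    if not raw:
        return {"base64": True, "length": 0}
    return {
        "base64": True,
        "length": len(raw),
        "printable_ratio": sum(32 <= b < 127 for b in raw) / len(raw),
        "entropy_bits": shannon_entropy(raw),
        # A short sample cannot exceed log2(length) bits per byte.
        "max_entropy_bits": math.log2(min(len(raw), 256)),
        "magic": next((n for sig, n in MAGICS.items() if raw.startswith(sig)), None),
        "block_multiples": [s for s in (8, 16) if len(raw) % s == 0],
        "digest_sized_like": DIGEST_SIZES.get(len(raw)),
    }


def verdict(report):
    """Turn the report into a cautious one-line reading."""
    if not report.get("base64"):
        return "not valid base64"
    if report.get("length", 0) == 0:
        return "empty"
    if report["printable_ratio"] > 0.95:
        return "encoded text: decode and read it"
    if report["magic"]:
        return f"container or compressed data ({report['magic']})"
    return ("opaque binary: could be ciphertext, a digest or a raw key; "
            "base64 decoding alone cannot tell which")


if __name__ == "__main__":
    for name, value in (("SBOOT_KEY", SBOOT_KEY), ("PLAIN_SAMPLE", PLAIN_SAMPLE)):
        report = triage(value)
        print(name, report, "->", verdict(report))
```

The decoded value is 48 bytes, which is both three 16-byte cipher blocks and the size of a SHA-384 digest, so non-printable output by itself does not establish that the string is encrypted.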
I also have a stratosphere two, and I'm more than happy to help out in any way possible, even if it means sending my phones to one of you guys trusted hands.
You guys suck. To get the stock firmware for your phone if it's not on sammobile or samfirmware you can trick Kies into downloading it and then intercept the file from your Windows temp folder while it's flashing to your phone (3-4 minute window)
http://forum.xda-developers.com/showthread.php?t=2088809
Then you can transfer it to a linux box to convert it to a mountable file system to root it, before repackaging it as an odin tar. From there you should be able to flash it.
Sent from my SGH-T699 using xda premium
apparently the sch i415 does not support kies
I just checked for a software update on my wife's Stratosphere II SCH-i415 and there is one. I live in NC. The update was under settings/about device/software update. It's from Verizon, size 506.6 MB. Is there a way to pull it before it installs? Maybe a root method. I installed it. Could not wait. Well, it's Jellybean: went from 4.0.4 to 4.1.2, baseband 1415vrlj2 to i415vrbma3, kernel was 3.0.8-1157001 to 3.0.31-947060

Wanting to root new CAT S61

Hello,
As the title says, I'm wanting to root my new CAT S61. Anyone managed to unlock the bootloader yet? I've played around with it but haven't had any luck so far.
+1, Me too. Just started debating them on facebook, to maybe have some pressure on to unlock the bootloader the nice way. Until that I am ready to donate. I really miss htc sense, coming from 10-year htc spree.
I have had a few email and chat exchanges with them but haven't made any progress in getting them to provide any help in unlocking the bootloader but I still have my fingers crossed. And yes, I miss htc sense also.......I didn't think I would. FYI, I downloaded Nova Launcher and I set to look much like sense.
I've also been on to their support team looking for assistance with this..... Massively unhelpful...
I asked them about possibilities of unlocking the bootloader (I usually void every warranty covering computer equipment I own within days of owning devices) and I was told along the lines of "No. This will void the warranty so we would not allow this on the device.".... It's MY device and MY warranty to void ffs!
Really gets on my tits the attitude they took.
Anyway, am thinking that unlocking the bootloader may end up like a long wait and a bit of a chore; however if anyone is able to get a dump of the stock image it would surely be possible to patch the image with Magisk then "fastboot flash" it back onto the Cat S61?
This should at least give SU access (for busybox and all that lovely stuff) as well as keeping all the FLIR/proprietary laser/VOC sensor stuff.
EDIT: I've got in touch with Bullitt Group directly instead of going through Cat, and am awaiting a reply from them regarding acquiring a factory image I can play around with... Hopefully they will be able to supply it to me!
Regarding unlocking the bootloader, I haven't tried myself yet (because I haven't got around to getting my laptop OS installed again... That's another story entirely involving bad decisions with Kali lol) but if you boot the phone into bootloader mode (power on the device by using either volume up or volume down and power button or the adb reboot bootloader command via USB). Then you may be able to use the fastboot flashing unlock command to unlock the bootloader...
I really miss the Sense freestyle themes, where there is no grid and you pick a theme with a background image (can be changed) and stickers (just some themed icons with different sizes). Then you place your stickers and assign apps to them. I myself used an architecture theme, where there were stickers varying from minimalistic monopoly houses up to vertically big skyscrapers and horizontally long trains. For my gf I made a nature theme with nice summer bliss and clouds, deer, rabbits, butterflies and birds. It's just so customizable. I hate being restricted to grids or standard-size icons or their 2x, 4x and so on.
k46tank said:
I have had a few email and chat exchanges with them but haven't made any progress in getting them to provide any help in unlocking the bootloader but I still have my fingers crossed. And yes, I miss htc sense also.......I didn't think I would. FYI, I downloaded Nova Launcher and I set to look much like sense.
---------- Post added at 06:29 PM ---------- Previous post was at 06:23 PM ----------
I just received a 130MB OTA, I hope it was not a security update, casting me out of the gang, when someone finds the cure for the older build. The build LTE_D0201121.0_S61_0.040.02 gave me Flir Youtube streaming option.
luc1fer said:
I've also been on to their support team looking for assistance with this..... Massively unhelpful...
I asked them about possibilities of unlocking the bootloader (I usually void every warranty covering computer equipment I own within days of owning devices) and I was told along the lines of "No. This will void the warranty so we would not allow this on the device.".... It's MY device and MY warranty to void ffs!
Really gets on my tits the attitude they took.
Anyway, am thinking that unlocking the bootloader may end up like a long wait and a bit of a chore; however if anyone is able to get a dump of the stock image it would surely be possible to patch the image with Magisk then "fastboot flash" it back onto the Cat S61?
This should at least give SU access (for busybox and all that lovely stuff) as well as keeping all the FLIR/proprietary laser/VOC sensor stuff.
EDIT: I've got in touch with Bullitt Group directly instead of going through Cat, and am awaiting a reply from them regarding acquiring a factory image I can play around with... Hopefully they will be able to supply it to me!
Regarding unlocking the bootloader, I haven't tried myself yet (because I haven't got around to getting my laptop OS installed again... That's another story entirely involving bad decisions with Kali lol) but if you boot the phone into bootloader mode (power on the device by using either volume up or volume down and power button or the adb reboot bootloader command via USB). Then you may be able to use the fastboot flashing unlock command to unlock the bootloader...
LTE_D0201121.0_S61_0.040.02 is the build I'm on as well, so don't worry too much... However I've been on this build since sometime in July, so don't know why you've only just got the OTA ?
Anyway, the other thought I have been having is trying to port across a custom recovery from the Motorola Moto X4. Same chipset, same RAM, same board and same screen resolution, so it just might work... Once I get hold of a flash dump and unlock the bootloader that is ? I'm getting a bit ahead of myself!
Just received another OTA, September 1st patch, LTE_D0201121.0_S61_0.046.02. Radio is LTE_D0201121.1_S61 after the update. This one was larger, but I forgot to screenshot the exact changes and size.
luc1fer said:
LTE_D0201121.0_S61_0.040.02 is the build I'm on as well, so don't worry too much... However I've been on this build since sometime in July, so don't know why you've only just got the OTA ?
Anyway, the other thought I have been having is trying to port across a custom recovery from the Motorola Moto X4. Same chipset, same RAM, same board and same screen resolution, so it just might work... Once I get hold of a flash dump and unlock the bootloader that is I'm getting a bit ahead of myself!
Is there any progress?
I am not a programmer, and cannot help with anything. Looking forward to good news!!
Hi there, also looking forward for root, will hopefully get the phone end of the year...
ogghi said:
Hi there, also looking forward for root, will hopefully get the phone end of the year...
I will not buy it until it is rootable.
Nope, no luck as of yet... Nothing I seem to try is giving me any options or progress.
Rather frustrated carrying round 2 devices lol one for root apps and the s61 for everything else!
Still impressed at the phone though, VERY utilitarian!
Hey there, I will get my S61 tomorrow.
Was hoping for any root idea, but will hopefully survive without until we have the privilege to get it
... and there is no option in the programmer options (unlock bootloader)?
Did not stumble upon such a function yet.
The most annoying thing without root is missing a good ad blocking. dns66 seems to work, but there are still plenty of ads in apps that get through...
Also having potentially all power unlocked would be great!
So no news here I guess?
To enter bootloader:
1. Switch off your phone
2. Press volume down
3. Connect the power cable
Does anyone refer to this thread?
https://forum.xda-developers.com/apps/magisk/how-to-install-magisc-twrp-locked-t3599926/page2
I've been looking at this phone for some time. I was able to get a Moto Z2 Force from Verizon into EDL mode with simple commands, so I'm wondering if you can unlock this bootloader just by telling it to unlock.
You would put the device into fastboot mode (by going to the bootloader, instructions were posted above i think), and then try some commands like this
fastboot flashing unlock
or
fastboot oem unlock
also check if in developer settings there is a toggle for Allow bootloader unlock or OEM unlock or w/e they call it.
If this works I highly suggest figuring out a way to grab the entire system to make a backup before you do anything. There's no TWRP yet but it can't be too difficult to compile, but I don't have this $1000 waste of money to do any of this. I hope this post helps someone.
james35888 said:
Does anyone refer to this thread?
https://forum.xda-developers.com/apps/magisk/how-to-install-magisc-twrp-locked-t3599926/page2
This doesn’t work since the boot loader is locked (stock boot loader has not been released on the web to my knowledge)
---------- Post added at 01:55 AM ---------- Previous post was at 01:38 AM ----------
Knuxyl said:
I've been looking at this phone for some time. I was able to get a Moto Z2 Force from Verizon into EDL mode with simple commands, so I'm wondering if you can unlock this bootloader just by telling it to unlock.
You would put the device into fastboot mode (by going to the bootloader, instructions were posted above i think), and then try some commands like this
fastboot flashing unlock
or
fastboot oem unlock
also check if in developer settings there is a toggle for Allow bootloader unlock or OEM unlock or w/e they call it.
If this works I highly suggest figuring out a way to grab the entire system to make a backup before you do anything. There's no TWRP yet but it can't be too difficult to compile, but I don't have this $1000 waste of money to do any of this. I hope this post helps someone.
Are these commands on a computer through ADB?
The only options I had on the phone were:
-Start
-Recovery Mode
-Restart Bootloader
-Power Off
-Boot to QMMI
-Boot to FFBM
Hi,
I looked a bit into the process of rooting on this device. It would be cool to get it rooted. I guess this process is in theory simple. But we should focus on the first problem:
Why is the option "OEM unlock" hidden in the developer menu? Are there ways to make that option usable? If anyone has an idea how to make this option usable, we could get to the next step. Thanks to anyone who has a contribution.
Edit: some additional info
C:\adb\platform-tools>fastboot oem device-info
(bootloader) Verity mode: true
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
OKAY [ 0.000s]
Finished. Total time: 0.000s
CatS61:/ $ getprop | grep oem
[ro.oem_unlock_supported]: [true]
[sys.oem_unlock_allowed]: [0]
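The output posted above can also be read programmatically, for example when auditing whether a handset's boot chain is still locked. This is an added example, not part of the original post: the function names are hypothetical, the second sample is constructed for contrast, and it assumes the AOSP behaviour where `sys.oem_unlock_allowed` mirrors the "OEM unlocking" developer toggle.

```python
import re

# Copied from the post above: `fastboot oem device-info`, then `getprop | grep oem`.
POSTED_FASTBOOT = """\
(bootloader) Verity mode: true
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
OKAY [ 0.000s]
Finished. Total time: 0.000s
"""
POSTED_GETPROP = """\
[ro.oem_unlock_supported]: [true]
[sys.oem_unlock_allowed]: [0]
"""

# Constructed for contrast (not from the thread): what an unlocked unit could report.
CONSTRUCTED_FASTBOOT = """\
(bootloader) Verity mode: false
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: false
"""
CONSTRUCTED_GETPROP = """\
[ro.oem_unlock_supported]: [true]
[sys.oem_unlock_allowed]: [1]
"""

_BOOL = {"true": True, "false": False, "1": True, "0": False}
_INFO_LINE = re.compile(r"^\(bootloader\)\s*(.+?):\s*(\S+)$")
_PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def as_bool(value):
    """Map 'true'/'false'/'1'/'0' to a bool; anything else (or None) is unknown."""
    if value is None:
        return None
    return _BOOL.get(value.strip().lower())


def parse_device_info(text):
    """Boolean fields from '(bootloader) Key: value' lines, keyed by lower-cased name."""
    info = {}
    for line in text.splitlines():
        match = _INFO_LINE.match(line.strip())
        if match and as_bool(match.group(2)) is not None:
            info[match.group(1).strip().lower()] = as_bool(match.group(2))
    return info


def parse_getprop(text):
    """Properties from '[name]: [value]' lines as a name -> string dict."""
    props = {}
    for line in text.splitlines():
        match = _PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def assess(fastboot_text, getprop_text):
    """Summarise lock state; a field the device did not report stays None."""
    info = parse_device_info(fastboot_text)
    props = parse_getprop(getprop_text)
    state = {
        "bootloader_unlocked": info.get("device unlocked"),
        "critical_unlocked": info.get("device critical unlocked"),
        "verity_enabled": info.get("verity mode"),
        "oem_unlock_supported": as_bool(props.get("ro.oem_unlock_supported")),
        "oem_unlock_allowed": as_bool(props.get("sys.oem_unlock_allowed")),
    }
    findings = []
    # These three should all be False on a device whose boot chain is locked.
    for key in ("bootloader_unlocked", "critical_unlocked", "oem_unlock_allowed"):
        if state[key] is None:
            findings.append(f"{key}: not reported")
        elif state[key]:
            findings.append(f"{key}: true")
    # Verity should be True; an absent value is flagged rather than assumed.
    if state["verity_enabled"] is None:
        findings.append("verity_enabled: not reported")
    elif not state["verity_enabled"]:
        findings.append("verity_enabled: false")
    state["findings"] = findings
    state["boot_chain_intact"] = not findings
    return state


if __name__ == "__main__":
    for label, fb, gp in (("posted", POSTED_FASTBOOT, POSTED_GETPROP),
                          ("constructed", CONSTRUCTED_FASTBOOT, CONSTRUCTED_GETPROP)):
        result = assess(fb, gp)
        print(label, "intact" if result["boot_chain_intact"] else result["findings"])
```

For the posted output this reports a locked bootloader with verity on, unlock supported by the build but not currently allowed, which matches the hidden toggle the poster describes.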

There's still hope for bootloader unlock?

Hi, @ante0 , @Pretoriano80 and everyone else!
Been lurking on these forums ever since mate 10 Pro was released, but due to being one of the folks to downgrade from emui 9 to brick I had to take my phone to service for board swapping as I wasn't in a situation to do the testpoint fix myself.
Now, I'm looking to get the bootloader unlock code again and to my surprise even the 3rd party sites are down.
There's a guy at minstryofsolutions that offers bootloader unlock code using testpoint but he asks for 40$ + access to pc for 2 hours + refuses to describe in any way what he's doing to the device and why will the device end up rebranded + new imei and with it new bootloader code ( Obviously device in that condition can't be taken into a Huawei service center) .
So, upon searching and trying to find if anyone had found a way to unlock using testpoint I stumbled upon this : https://forum.xda-developers.com/mediapad-m5/how-to/downgrade-unbrick-huawei-device-methods-t3915693
Op and several others seem successful with downgrading their devices and using dc unlocker to get the code once the security patch is no more.
Op even mentions that for kirin 970 it's probably the same process but I haven't seen anyone sharing their experience doing the same on 979 devices.
Couple users are having issues as well and while op was quite helpful he and several others that were helping out seem to have been gone missing. There's a guy helping out with issues regarding this process but it seems rather finicky when even after doing all this and flashing with dload certain parts like lte modem remain present on a WiFi only tablet.
Does anyone have passes for easy firmware or dc unlocker firmware database? Is anyone willing to give these a try and see if the process will work on our devices or if it will ask for verification of some kind for images being flashed?
It looks quite promising, so if anyone has a bricked device ( Maybe someone that was refused at the Huawei repair center during the wave of downgrades ) would you be willing to give it a try?
I've got no tools, no passes and no other device to use while playing with this.
Obviously, I'm not asking for you guys to go out of your way and brick the device so I can know whether this is a viable option or not lol.
Just thought about sharing and seeing if anyone more knowledgeable has anything they'd like to add to this as a tip or personal experience trying this method.
This might be what we are looking for when it comes to unlocking device / downgrading to lower versions.
Hopefully the post I linked helps someone, in case anyone has experience with this please share as well!
Anyways thanks in advance!
Rstment ^m^ said:
Hi, @ante0 , @Pretoriano80 and everyone else!
Been lurking on these forums ever since mate 10 Pro was released, but due to being one of the folks to downgrade from emui 9 to brick I had to take my phone to service for board swapping as I wasn't in a situation to do the testpoint fix myself.
Now, I'm looking to get the bootloader unlock code again and to my surprise even the 3rd party sites are down.
There's a guy at minstryofsolutions that offers bootloader unlock code using testpoint but he asks for 40$ + access to pc for 2 hours + refuses to describe in any way what he's doing to the device and why will the device end up rebranded + new imei and with it new bootloader code ( Obviously device in that condition can't be taken into a Huawei service center) .
So, upon searching and trying to find if anyone had found a way to unlock using testpoint I stumbled upon this : https://forum.xda-developers.com/mediapad-m5/how-to/downgrade-unbrick-huawei-device-methods-t3915693
Op and several others seem successful with downgrading their devices and using dc unlocker to get the code once the security patch is no more.
Op even mentions that for kirin 970 it's probably the same process but I haven't seen anyone sharing their experience doing the same on 979 devices.
Couple users are having issues as well and while op was quite helpful he and several others that were helping out seem to have been gone missing. There's a guy helping out with issues regarding this process but it seems rather finicky when even after doing all this and flashing with dload certain parts like lte modem remain present on a WiFi only tablet.
Does anyone have passes for easy firmware or dc unlocker firmware database? Is anyone willing to give these a try and see if the process will work on our devices or if it will ask for verification of some kind for images being flashed?
It looks quite promising, so if anyone has a bricked device ( Maybe someone that was refused at the Huawei repair center during the wave of downgrades ) would you be willing to give it a try?
I've got no tools, no passes and no other device to use while playing with this.
Obviously, I'm not asking for you guys to go out of your way and brick the device so I can know whether this is a viable option or not lol.
Just thought about sharing and seeing if anyone more knowledgeable has anything they'd like to add to this as a tip or personal experience trying this method.
This might be what we are looking for when it comes to unlocking device / downgrading to lower versions.
Hopefully the post I linked helps someone, in case anyone has experience with this please share as well!
Anyways thanks in advance!
You can as I've done it.
Use testpoint (this will void warranty as you have to remove back of the phone) and flash bootloader files from DC Phoenix, there are several Kirin970 to choose from but only one should work. DC will tell you when phone is in fastboot mode after flashing.
Then I used IDT (Image Download Tool) to flash board firmware. Boot to board firmware and used HCU to repair imeis and all that. Then used HCU to get an unlock code. After this flash dload firmware back to Oreo (needs to be a new dload because of updated bootloader).
HCU fix guide for BLA:
1)Flash oeminfo (own backup) from fastboot OR dump existing oeminfo using adb pull (adb pull /dev/block/bootdevice/by-name/oeminfo) then flash it from fastboot.
2)Backup modemnvm_system, modemnvm_factory and modemnvm_backup using adb pull from a command prompt (/dev/block/bootdevice/by-name/modemnvm_system and so on)
3)Flash backed up modemnvm_system, modemnvm_factory and modemnvm_backup from fastboot
3)Modify and brand with HCU in the CDMA tab (check everything but those that erase/flash empty board) (remember to fill vendor and cust)
4)Unlock sim 'Direct SIM Unlock'
5)Read Bootloader code if you ever used HCU to get code before or if you need unlock code
6)Download and flash Oreo service firmware from androidhost.ru using a OTG cable and a memory stick. Pick the latest Oreo one you find for your cust
If you fail to do any of the steps above you will end up with no IMEIs or 'No Network' and/or Sim lock
So you'd need: DC/HCU pass and unencrypted board firmware (gem-flash and easy-firmware has them but they're paid.).
I have not tested using DCs own board firmware.
ante0 said:
You can as I've done it.
Use testpoint (this will void warranty as you have to remove back of the phone) and flash bootloader files from DC Phoenix, there are several Kirin970 to choose from but only one should work. DC will tell you when phone is in fastboot mode after flashing.
Then I used IDT (Image Download Tool) to flash board firmware. Boot to board firmware and used HCU to repair imeis and all that. Then used HCU to get an unlock code. After this flash dload firmware back to Oreo (needs to be a new dload because of updated bootloader).
HCU fix guide for BLA:
1)Flash oeminfo (own backup) from fastboot OR dump existing oeminfo using adb pull (adb pull /dev/block/bootdevice/by-name/oeminfo) then flash it from fastboot.
2)Backup modemnvm_system, modemnvm_factory and modemnvm_backup using adb pull from a command prompt (/dev/block/bootdevice/by-name/modemnvm_system and so on)
3)Flash backed up modemnvm_system, modemnvm_factory and modemnvm_backup from fastboot
3)Modify and brand with HCU in the CDMA tab (check everything but those that erase/flash empty board) (remember to fill vendor and cust)
4)Unlock sim 'Direct SIM Unlock'
5)Read Bootloader code if you ever used HCU to get code before or if you need unlock code
6)Download and flash Oreo service firmware from androidhost.ru using a OTG cable and a memory stick. Pick the latest Oreo one you find for your cust
If you fail to do any of the steps above you will end up with no IMEIs or 'No Network' and/or Sim lock
So you'd need: DC/HCU pass and unencrypted board firmware (gem-flash and easy-firmware has them but they're paid.).
I have not tested using DCs own board firmware.
Thanks a lot!
Will any of this process leave bootloader unlocked / relocked along the way?
I'm experiencing screen burn in due to outdated firmware and was gonna get the code, apply new adhesive I buy online and have them replace the device's screen + seal it properly in the process so the water resistance remains - kinda essential to hide any signs of tampering like bootloader unlock '-' ( 2nd burn in on Oreo firmware now, both happened within few months of the device running old firmw )
Thanks for the guide as well!
I'm not completely sure how to do the whole process yet but I'll try getting all the software I can right now and try figuring it out.
One question tho, do you have any screenshots you can share of which firmware will work out of those several that you mentioned and is there any possibility of brick by flashing wrong xload, etc.?
I'm on 8.0.0.156 c432 and was gonna drop to 142 or 143 - will have to check which one is the latest without security patch.
Glad to know this is a possibility! Will order the tools required for this and when / if I'm successful I'll create a separate thread under guides as there prolly are peps still trying to unlock.
Rstment ^m^ said:
Thanks a lot!
Will any of this process leave bootloader unlocked / relocked along the way?
I'm experiencing screen burn in due to outdated firmware and was gonna get the code, apply new adhesive I buy online and have them replace the device's screen + seal it properly in the process so the water resistance remains - kinda essential to hide any signs of tampering like bootloader unlock '-' ( 2nd burn in on Oreo firmware now, both happened within few months of the device running old firmw )
Thanks for the guide as well!
I'm not completely sure how to do the whole process yet but I'll try getting all the software I can right now and try figuring it out.
One question tho, do you have any screenshots you can share of which firmware will work out of those several that you mentioned and is there any possibility of brick by flashing wrong xload, etc.?
I'm on 8.0.0.156 c432 and was gonna drop to 142 or 143 - will have to check which one is the latest without security patch.
Glad to know this is a possibility! Will order the tools required for this and when / if I'm successful I'll create a separate thread under guides as there prolly are peps still trying to unlock.
I doubt that the burn-in is because of the old firmware; probably the OLED panel is getting old.
You should do it the other way around: first send it to Huawei for a display replacement and then get the unlock code.
The procedure is not really easy, and the water resistance part is the least of your problems; first you must make sure that you don't break the glass back cover when you open it up. xD
Probably Huawei's repair center won't even bother to replace the display only, but they will replace almost everything, so you would end up with a locked bootloader again.
Pretoriano80 said:
I doubt that the burn-in is because of the old firmware; probably the OLED panel is getting old.
You should do it the other way around: first send it to Huawei for a display replacement and then get the unlock code.
The procedure is not really easy, and the water resistance part is the least of your problems; first you must make sure that you don't break the glass back cover when you open it up. xD
Probably Huawei's repair center won't even bother to replace the display only, but they will replace almost everything, so you would end up with a locked bootloader again.
The display literally burned in a couple of months after I bought the device and we still had the EMUI 8 only. Replaced it and switched to the 9 the same month. All was good for a year or so until they replaced the motherboard. Now the same thing all over again, a few months have passed - literally 2/3 months and the screen burned in again at the same spot - navigation bar.
The opening part doesn't look that complicated, was thinking of buying a heating plate, heat phone to 120°C and go back and forward cutting adhesive then heating the phone again. Should be fast and efficient this way.
The finicky part that I'm worried about has to do with bricking the device or shorting the motherboard in some way '-' Maybe service also uses some repair stickers that aren't present on any of the guides and will get dmged when I open the device - after all, I took the device for repairs under warranty at least 5+ times by now
Last time for the replacement they indeed replace almost everything - display, battery, back cover, new frame - essentially a new device w same motherboard.
Pretoriano80 said:
I doubt that the burn-in is because of the old firmware; probably the OLED panel is getting old.
You should do it the other way around: first send it to Huawei for a display replacement and then get the unlock code.
The procedure is not really easy, and the water resistance part is the least of your problems; first you must make sure that you don't break the glass back cover when you open it up. xD
Probably Huawei's repair center won't even bother to replace the display only, but they will replace almost everything, so you would end up with a locked bootloader again.
Rstment ^m^ said:
The display literally burned in a couple of months after I bought the device and we still had the EMUI 8 only. Replaced it and switched to the 9 the same month. All was good for a year or so until they replaced the motherboard. Now the same thing all over again, a few months have passed - literally 2/3 months and the screen burned in again at the same spot - navigation bar.
The opening part doesn't look that complicated, was thinking of buying a heating plate, heat phone to 120°C and go back and forward cutting adhesive then heating the phone again. Should be fast and efficient this way.
The finicky part that I'm worried about has to do with bricking the device or shorting the motherboard in some way '-' Maybe service also uses some repair stickers that aren't present on any of the guides and will get dmged when I open the device - after all, I took the device for repairs under warranty at least 5+ times by now
Last time for the replacement they indeed replace almost everything - display, battery, back cover, new frame - essentially a new device w same motherboard.
Also, if they do replace stuff the code you get through DC will not work.
It works by modifying some strings in the oeminfo partition, so if they were to wipe and reflash everything your code would be lost.
If they replace motherboard you will need a new unlock code.
There is a sticker on one of the screws you need to remove, so they will know you did open it anyway.
Bricking is no problem as you can unbrick using testpoint. Shorting shouldn't be a problem. I tried all the visible points and only 1 or 2 actually send current back so USB devices in computer restarted xD But none of them shorted my phone.
ante0 said:
Also, if they do replace stuff the code you get through DC will not work.
It works by modifying some strings in the oeminfo partition, so if they were to wipe and reflash everything your code would be lost.
If they replace motherboard you will need a new unlock code.
There is a sticker on one of the screws you need to remove, so they will know you did open it anyway.
Bricking is no problem as you can unbrick using testpoint. Shorting shouldn't be a problem. I tried all the visible points and only 1 or 2 actually send current back so USB devices in computer restarted xD But none of them shorted my phone.
I see on pictures online that there are some points exposed with the shield on. Will take a look at picture you posted earlier for testpoint location to determine if indeed you can access it without removing the shield - hence not touching the stickers you mentioned - ty!
Wdym by losing dc unlocker code tho?
Does it not read the bootloader code of the device - meaning after they wipe / flash their stuff I can use the same code again to unlock via fastboot?
Or can it not read the code and just modifies the nvme files or whatev inside the partition to allow for a custom bootloader code?
Thanks for all the info! Will go look now for the picture then decide whether I'll open before or afterwards depending on the position of test point.
Rstment ^m^ said:
I see on pictures online that there are some points exposed with the shield on. Will take a look at picture you posted earlier for testpoint location to determine if indeed you can access it without removing the shield - hence not touching the stickers you mentioned - ty!
Wdym by losing dc unlocker code tho?
Does it not read the bootloader code of the device - meaning after they wipe / flash their stuff I can use the same code again to unlock via fastboot?
Or can it not read the code and just modifies the nvme files or whatev inside the partition to allow for a custom bootloader code?
Thanks for all the info! Will go look now for the picture then decide whether I'll open before or afterwards depending on the position of test point.
When you use HCU to get code it writes stuff to oeminfo, replacing 2 strings with "DC-UNLOC". So that's used in calculation of code. If you flash back stock, unmodified, oeminfo after using HCU you won't be able to use the code it generated.
Testpoint is located under the shield, so it's not possible to get to it without removing the shield. I have my phone with shield on in front of me. And I can't remember which screw had the sticker on it. If it's on one of the corners I guess you could try to bend it up to get to testpoint.
I just can't understand why they won't release the bootloader unlock at this point? The phone is now 'outdated' and old.... where is the harm?
ante0 said:
When you use HCU to get code it writes stuff to oeminfo, replacing 2 strings with "DC-UNLOC". So that's used in calculation of code. If you flash back stock, unmodified, oeminfo after using HCU you won't be able to use the code it generated.
Testpoint is located under the shield, so it's not possible to get to it without removing the shield. I have my phone with shield on in front of me. And I can't remember which screw had the sticker on it. If it's on one of the corners I guess you could try to bend it up to get to testpoint.
Thanks but I'm still having hard of a time following ?
After you use HCU it modifies the oeminfo to get strings it needs for calculations - You get the code afterwards and your oeminfo is modified, right?
What I don't get is how flashing stock makes code unusable tho?
Is it not original bootloader code we'd get if Huawei site was still up? That code should be usable even after all modifications were reflashed with stock, no?
Or is it a custom code that depends on modified oeminfo to work?
Rstment ^m^ said:
Thanks but I'm still having hard of a time following ?
After you use HCU it modifies the oeminfo to get strings it needs for calculations - You get the code afterwards and your oeminfo is modified, right?
What I don't get is how flashing stock makes code unusable tho?
Is it not original bootloader code we'd get if Huawei site was still up? That code should be usable even after all modifications were reflashed with stock, no?
Or is it a custom code that depends on modified oeminfo to work?
It's a custom code. If you use HCU to generate a code it invalidates your stock code. If you flash back stock oeminfo you can use the code Huawei gave you but not the HCU code (until you use HCU again to generate code).
Iirc on Kirin960 (and probably below it) you can use both HCU and stock code, so it uses another way of generating it I guess
Has anyone tried this approach for a MATE 10? or would you recommend it?
FUHuawei said:
Has anyone tried this approach for a MATE 10? or would you recommend it?
What method are you talking about?
If through testpoint, then yes!
Everything works perfectly
geogsm_1 said:
What method are you talking about?
If through testpoint, then yes!
Everything works perfectly
Yes, of course, I meant through test point. Do you know of any good step by step guide on how to do it? I want to try it and post here my results, if everything goes well I hope everyone ditches huawei software.
Also, I have searched around for options regarding ROMs, does anyone recommend anything in particular?
FUHuawei said:
Yes, of course, I meant through test point. Do you know of any good step by step guide on how to do it? I want to try it and post here my results, if everything goes well I hope everyone ditches huawei software.
Also, I have searched around for options regarding ROMs, does anyone recommend anything in particular?
Yes, I know the method) and have long written instructions on another forum with the permission of my teacher.
Decision made
On Huawei Mate 10 / Mate 10 Pro /, you can get the bootloader unlock code using a testpoint. But you need to have a programmer such as MRT / SIGMA / HDE / HCu-Client

General Bootloader unlock token for T-Mobile variant now available

Just a quick heads-up.
unlock token - OnePlus (United States)
www.oneplus.com
By the way, to root without readily available stock firmware, first unlock bootloader, then boot a pre-rooted GSI with DSU Sideloader, pull stock boot partition from there, and finally patch/flash it. This applies to the Open variant as well.
AndyYan said:
Just a quick heads-up.
unlock token - OnePlus (United States)
www.oneplus.com
By the way, to root without readily available stock firmware, first unlock bootloader, then boot a pre-rooted GSI with DSU Sideloader, pull stock boot partition from there, and finally patch/flash it. This applies to the Open variant as well.
Tried to unlock but apparently my device only has 7 digits in the serial number which keeps me from being able to use the website to request the unlock code.
I used the debloat script I found on n200 threads to get oem unlock on option. T-Mobile variant
PsYk0n4uT said:
Tried to unlock but apparently my device only has 7 digits in the serial number which keeps me from being able to use the website to request the unlock code.
I used the debloat script I found on n200 threads to get oem unlock on option. T-Mobile variant
Try prepending 0s?
Well. I was thinking that doing that would make the unlock token they give me different from what the phone would be expecting
PsYk0n4uT said:
Well. I was thinking that doing that would make the unlock token they give me different from what the phone would be expecting
Tried adding zero on front and back of serial it just tells me invalid serial
PsYk0n4uT said:
Tried adding zero on front and back of serial it just tells me invalid serial
Chatting with OnePlus hasn't yielded anything so far
Just a tip, because in my infinite forgetfulness I wasted an hour last night trying to figure out why I was getting the error, fastboot could not open target HAL.
Remember that you must request the unlock code from fastboot, not fastbootd. Which is what you will boot into if you issue adb reboot fastboot.
So here's a quick step by step.
1. Enable USB debugging.
2. Connect your device and allow access for the computer. My device asks if I want it to charge or transfer files. Select transfer files/Android Auto and then use adb start-server. May have to unplug the USB cable and reconnect. Select "always allow this device/PC".
3. Issue "adb devices" to make sure you're connected. It should list your device by its serial number. If not, then try unplugging the device and revoke adb authorizations in dev options and toggle USB debugging off and back on; may even need to reboot the device to get it to connect after doing this.
4. If your device is listed under devices, go ahead and issue "adb reboot fastboot".
5. Once rebooted, issue "fastboot devices" and make sure the device is listed again. (If not listed, make sure you have your drivers installed correctly and fastboot is installed correctly; may need to install Android SDK into same folder as fastboot.)
6. You can select English or whatever language if you want but it doesn't seem necessary. You are in fastbootd mode, you will see if you DO select a language.
So from here issue "fastboot reboot bootloader". Device will reboot and you will have scrollable options at the top beginning with a big green START at the top. This is regular fastboot, and where you wanna be to get your unlock code for submitting to Oppo for your unlock token.
7. Issue "fastboot oem get_unlock_code".
8. It should return the info you need. You will also need your IMEI number when submitting, so be sure to copy that down.
You can copy and paste the unlock code into Notepad or Word and delete out the extra stuff so you're left with just the two lines of your unlock code as one single contiguous string of numbers.
9. Go to the link listed by OP and submit the required info. And wait for what seems like forever.
ADB/Fastboot commands-quick recap.
1. adb reboot fastboot
2. fastboot reboot bootloader
3. fastboot oem get_unlock_code
PsYk0n4uT said:
ADB/Fastboot commands-quick recap.
1. adb reboot fastboot
2. fastboot reboot bootloader
3. fastboot oem get_unlock_code
Simply "adb reboot bootloader". You won't need fastbootd until GSIs (which I already did ofc).
Thanks, definitely a quicker way to get to fastboot. I guess I wasn't sure if you could reboot directly. Seems maybe I was confusing an older device where you had to reboot to fastboot then "fastboot reboot fastboot" to get to fastbootd for a whole different reason.
This one goes directly to fastbootd when you "adb reboot fastboot"
Nice catch.
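The fastboot versus fastbootd mix-up discussed in the posts above can be checked before the unlock code is requested. The following is an added example, not part of any original post: it assumes the device answers `fastboot getvar is-userspace` (a variable reported by fastbootd) and that `fastboot oem get_unlock_code` prints the code as hex lines prefixed with `(bootloader)`. The sample outputs are constructed and the function names are hypothetical.

```python
import re
import shutil
import subprocess

# Constructed sample outputs (not captured from a real device).
SAMPLE_GETVAR_FASTBOOTD = "is-userspace: yes\nFinished. Total time: 0.001s\n"
SAMPLE_GETVAR_BOOTLOADER = "is-userspace: no\nFinished. Total time: 0.001s\n"
SAMPLE_UNLOCK_OUTPUT = (
    "(bootloader) Unlock Code:\n"
    "(bootloader) 0123456789ABCDEF0123456789ABCDEF\n"
    "(bootloader) FEDCBA9876543210FEDCBA9876543210\n"
    "OKAY [  0.020s]\n"
    "Finished. Total time: 0.021s\n"
)

PREFIX = "(bootloader)"
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{8,}$")


def _strip_prefix(line):
    """Drop surrounding whitespace and the '(bootloader)' info prefix."""
    line = line.strip()
    if line.startswith(PREFIX):
        line = line[len(PREFIX):].strip()
    return line


def getvar_value(output, name):
    """Return the value of a 'name: value' line in getvar output, or None."""
    for raw in output.splitlines():
        key, sep, value = _strip_prefix(raw).partition(":")
        if sep and key.strip() == name:
            return value.strip()
    return None


def is_userspace_fastboot(getvar_output):
    """True only when the device reports it is in fastbootd (userspace)."""
    return getvar_value(getvar_output, "is-userspace") == "yes"


def extract_unlock_code(oem_output):
    """Join the hex lines of the reply into one contiguous string."""
    parts = [
        line
        for line in (_strip_prefix(raw) for raw in oem_output.splitlines())
        if HEX_LINE.match(line)
    ]
    if not parts:
        raise ValueError("no unlock code lines found in output")
    return "".join(parts)


def run_fastboot(*args):
    """Run fastboot; replies arrive on stderr, so both streams are captured."""
    proc = subprocess.run(
        ["fastboot", *args], capture_output=True, text=True, timeout=30
    )
    return proc.stdout + proc.stderr


def request_unlock_code():
    """Refuse to ask for the code from fastbootd, then return the joined code."""
    if is_userspace_fastboot(run_fastboot("getvar", "is-userspace")):
        raise RuntimeError(
            "device is in fastbootd; run 'fastboot reboot bootloader' first"
        )
    return extract_unlock_code(run_fastboot("oem", "get_unlock_code"))


if __name__ == "__main__":
    if shutil.which("fastboot"):
        print(request_unlock_code())
    else:
        # No fastboot binary on this machine: show the parser on the sample.
        print(extract_unlock_code(SAMPLE_UNLOCK_OUTPUT))
```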
with this particular model in scope, what do either of you guys suggest I do if I have gotten the age old bricked message "destroyed boot/recovery image".. I've tried the MSMTool route and can't get it to register under Device Manager with the Qualcomm drivers.. It's highly upsetting..
I'm not really sure to be honest, this is my first OnePlus device and just trying to contribute anything I can to get the N20 section up and going as I make progress with the device.
Just a quick search though turns up this and maybe it could be of use if you can still access the bootloader.
the current image(boot/recovery) have been destroyed
I updated my oneplus 8t to KB2005_11.C.11 (OOS 12 ) by first booting to twrp-3.6.1_11-0-kebab.img and then flashed the KB2005_11_C_OTA_1100_all_362b9b_10100001.zip. After the upgrade I had no mobile data on t-mobile and had Volte instead of 5g...
forum.xda-developers.com
Someone mentions extracting the boot.img from stock image and flashing it. I would imagine it should work for you if the stock firmware can be found and circumstances are similar. Maybe at least a start. Wish I could be of more help, maybe someone else can chime in that knows more.
Try Linux, maybe a live dist. if you're on a Windows machine that won't recognize it, just to get it into a state that you can work with it again.
Just an idea, I don't want to steer you wrong as I still have a lot to learn
DrScrad said:
with this particular model in scope, what do either of you guys suggest I do if I have gotten the age old bricked message "destroyed boot/recovery image".. I've tried the MSMTool route and can't get it to register under Device Manager with the Qualcomm drivers.. It's highly upsetting..
I want to try and help but I'm so new it's sketchy I don't want to say something and get bashed
Please feel free to comment. Don't worry about the trolls. We would love to have you to be part of this conversation. If you have suggestions just post them, and if you're unsure about anything just mention that you are. It's a great way to learn. Don't worry about negative feedback, take it as constructive criticism. You may find that the feedback can clear up many questions and/or misconceptions. You never know how your dialogue with other members could help someone else in the future. These forums are here to document all of it just for that purpose. We are all here to learn or help others who want to learn. Though this account is only a year old I have been around these forums on and off for many years and I learn something each and every time I come in search of wisdom. I'm by no means an expert but I find that others benefit from my questions and answers just as much as I have over the years.
Fyi according to a recently made friend who also had the 7 digit serial issue, they were told by OnePlus their dev team is working on an OTA update that will resolve the serial number issues. I'm not sure how that's going to work but I saw the email between them and Oppo support
I guess this must be a widespread issue that they feel is cheaper to invest the amount of money it takes for r&d to come up with a fix than it was to replace a few devices or attempt to do remote repairs.
But this also makes me wonder what avenue they will take to correct the issue.
Also I wonder if someone with the right skillset could gather enough bootloader unlock codes along with the unlock tokens, serial, IMEI, pcba etc.. maybe the algorithm they're using to generate the codes could be broken. I'm no crypto expert or math genius either, but if we have the variables to the equation minus one but have the answer, isn't this pretty simple almost pre-algebra?
I mean I guess they're not worried about enough people being brave enough to give out sensitive info like that. But maybe I'm just ignorant of the complexity of these algorithms.
64 digit key on one end
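On the question in the post above of whether enough code/token pairs would reveal the algorithm, here is an added example that is not part of the original post and is not OnePlus's actual scheme (the page does not say how tokens are derived). It contrasts a toy linear formula, where two pairs are enough to solve for the unknowns, with a keyed HMAC-SHA256, where known pairs do not lead back to the key; all names, keys and serials are constructed.

```python
import hashlib
import hmac

P = 2**61 - 1  # prime modulus for the toy linear scheme


def linear_token(a, b, serial):
    """Toy scheme: token = a*serial + b (mod P), with a and b kept secret."""
    return (a * serial + b) % P


def solve_linear(pair1, pair2):
    """Recover (a, b) from two (serial, token) pairs: two equations, two unknowns."""
    (s1, t1), (s2, t2) = pair1, pair2
    a = (t1 - t2) * pow((s1 - s2) % P, -1, P) % P
    b = (t1 - a * s1) % P
    return a, b


def hmac_token(key, serial, imei, unlock_code):
    """Keyed scheme (assumed for illustration): HMAC-SHA256 over the device values."""
    msg = "|".join((serial, imei, unlock_code)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()  # 64 hex digits


def token_is_valid(key, serial, imei, unlock_code, token):
    """Device-side check: recompute with the real key, compare in constant time."""
    expected = hmac_token(key, serial, imei, unlock_code)
    return hmac.compare_digest(expected, token)


def demo():
    # Linear case: the "pre-algebra" intuition holds.
    a, b = 123456789, 987654321  # constructed secrets
    pairs = [(s, linear_token(a, b, s)) for s in (1111111, 2222222)]
    recovered = solve_linear(*pairs)
    linear_recovered = recovered == (a, b)

    # Keyed case: observed pairs for known devices (constructed values).
    vendor_key = bytes(range(32))
    devices = [
        ("1111111", "350000000000001", "AAAA0001"),
        ("2222222", "350000000000002", "AAAA0002"),
    ]
    observed = {d: hmac_token(vendor_key, *d) for d in devices}

    # A new device whose token was never observed.
    target = ("3333333", "350000000000003", "AAAA0003")

    # Reusing an observed token for the new device fails verification.
    replayed = observed[devices[0]]
    replayed_token_valid = token_is_valid(vendor_key, *target, replayed)

    # A token made with a guessed key fails too; there is no equation
    # linking the observed pairs to the 256-bit key, only guessing.
    guessed_key = b"\x00" * 32
    guessed = hmac_token(guessed_key, *target)
    guessed_key_valid = token_is_valid(vendor_key, *target, guessed)

    return {
        "linear_recovered": linear_recovered,
        "replayed_token_valid": replayed_token_valid,
        "guessed_key_valid": guessed_key_valid,
    }


if __name__ == "__main__":
    print(demo())
```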
T-Mobile bought Sprint and they have T-Mobile sims now. But I understand that Sprint is still a somewhat separate company (tried to buy a T-Mobile phone and it would not activate on my Sprint account). So I bought this from the Sprint side of the T-Mobile site so I knew it would work but I assume this is a Sprint phone and not a T-Mobile phone so this method would not work.
Can anyone confirm this?
PsYk0n4uT said:
Please feel free to comment. Don't worry about the trolls. We would love to have you to be part of this conversation. If you have suggestions just post them, and if you're unsure about anything just mention that you are. It's a great way to learn. Don't worry about negative feedback, take it as constructive criticism. You may find that the feedback can clear up many questions and/or misconceptions. You never know how your dialogue with other members could help someone else in the future. These forums are here to document all of it just for that purpose. We are all here to learn or help others who want to learn. Though this account is only a year old I have been around these forums on and off for many years and I learn something each and every time I come in search of wisdom. I'm by no means an expert but I find that others benefit from my questions and answers just as much as I have over the years.
okay peep theres a way i put my oneplus into efu mode, hold both vol up and down then put usb c in continue to hold u should hear PC recognize it
So, before i do it, would deleting the modemst1/modemst2 partitions still let me bypass the t-mobile sim lock and let me unlock the phone like it did on the old oneplus phones?
Flashed a patched boot.img and lost modems. Anyone willing to post the modems? Are they device specific like a device partition?
Sim locked and trying to recover. No radios are working

General OK ... PSA: Stay away from T-Mobile variant of 10T 5g - Details

This is just a PSA for anyone currently with T-Mobile, looking to upgrade or purchase from the carrier.
The T-Mobile exclusive model of the 10T 5G is CPH-2419 ... This is a T-Mobile model ONLY. It can be SIM unlocked through regular methods, ie. paying the full contract off, but that is ALL!
There is absolutely NO WAY to unlock the bootloader of this model, because FASTBOOT is completely disabled, and unable to be re-enabled through any method which is currently available!
This is a software level block, which is specific to this model number.
AFAIK the chipset, board, and all internals are the exact same in respect to the 2413 (india) , 2415 (global) , and 2417 (EU) variants , so there is a SLIM possibility that if you stay BELOW the current A.11 build, you MIGHT be able to force a sideways shift to one of the other regions listed above via the Local Update, and Oxygen Updater combination, but i cannot confirm this due to my accidental mistake of not blocking updates! Mine is now on A.11 which is not available in any other region as of yet on the Oxygen Updater.
I really dont know whether changing regions will actually bring back FASTBOOT or not, except that when attempting to reach FASTBOOT via ADB or other methods, there is a brief, 1 second delay that does indeed make the "Fastboot Mode" screen appear, right before it automatically kicks out and reboots into normal mode. But even then with FASTBOOT running on my pc, and <waiting for devices>, it does not make the connection during the sequence. So this may just be remnants of the bootloader screen!
Also FASTBOOTD does work, and you can send commands regularly via command line, or Fastboot Enhance in that mode, but unlocking, and oem commands either fail or report unrecognized.
ANYONE proficient with probing ADB, Fastbootd, or EDL modes would be highly appreciated, in investigating any possibilities to exploit this restriction, because as with ALL android OS devices, I am almost 100% sure there is a way to mitigate this block, and flash a STOCK payload from one of the other variants. But EVERY cph2419 no matter what build, is shipped with FASTBOOT disabled at the factory level. It is an OPPO block, and has nothing to do with T-mobile other than the fact that they are the ONLY carrier listed in this model's designation.
I had a feeling that this was coming. First it starts with T-Mobile variants and then it starts trickling out to everything else. Keep in mind that Oppo disables fastboot on their devices too. The MSM Tool being locked down behind a technician login was the first hint of what's to come.
EtherealRemnant said:
I had a feeling that this was coming. First it starts with T-Mobile variants and then it starts trickling out to everything else. Keep in mind that Oppo disables fastboot on their devices too. The MSM Tool being locked down behind a technician login was the first hint of what's to come.
Yup man... see i never read much into the OPPO acquisition of OnePlus, or i would have researched affected devices further. But in all honesty i wouldn't have suspected that a phone such as the 10 series, which is reportedly going to be on all the major carriers in the next 3-4 months, would take such a drastic step BACKWARDS like this! One plus has ALWAYS been known as "Developer Friendly", and rivaled the Google Pixel series in ease of unlocking bootloader, and rooting! But even stranger is how for so long back in the early days of android, devices were model specific to each carrier, (samsung s2, 3, 4... Moto Z... etc.) then the manufacturers wised up and went to universal hardware that was only sim locked, and could be bought outright unlocked. THEN COMES THIS LEFT TURN, in OnePlus taking a flagship device, and going back to Carrier specific models!
Finally the MOST SHOCKING notion comes with the realization that (for a fee) you can get your Samsung devices bootloader unlocked, (s10 and newer, possibly others thru same service) but this OPPO/Oneplus trainwreck looks to be the possible path coming for even more models like you said!
I just dont understand the war on unlockable bootloaders?! Especially Oneplus... they had the PERFECT system in place. (US models) You had to PHYSICALLY submit a Bootloader Unlock request... Acknowledge that you are aware that you are giving up warranty... wait a week (buyers remorse)... Then if still committed, you have to flash the unlock token. Why go all DICTATOR on us and start moving the devices STILL BRANDED with OnePlus, to a locked down format? Maybe 3 in 10 customers unlock & mod their phones! It takes MORE effort to disable functions and remove them, while at the same time alienating those 3 in 10 thus ensuring LESS SALES!! I fail to understand the logic. I just pray someone always keeps probing these A-hole companies products, for vulnerabilities and exploits that circumvent all their overbearing attempts to control what we can do with OUR devices!
<rant... sorry, this crap just makes my blood boil. cuz i DID demo the 10T at a T-mobile store and they had CPH-2417 models as demo, which were fine. Come to find out that they always planned on only SHIPPING or SELLING these 2419 models to the public!>
beatbreakee said:
Yup man... see i never read much into the OPPO acquisition of OnePlus, or i would have researched affected devices further. But in all honesty i wouldn't have suspected that a phone such as the 10 series, which is reportedly going to be on all the major carriers in the next 3-4 months, would take such a drastic step BACKWARDS like this! One plus has ALWAYS been known as "Developer Friendly", and rivaled the Google Pixel series in ease of unlocking bootloader, and rooting! But even stranger is how for so long back in the early days of android, devices were model specific to each carrier, (samsung s2, 3, 4... Moto Z... etc.) then the manufacturers wised up and went to universal hardware that was only sim locked, and could be bought outright unlocked. THEN COMES THIS LEFT TURN, in OnePlus taking a flagship device, and going back to Carrier specific models!
Finally the MOST SHOCKING notion comes with the realization that (for a fee) you can get your Samsung devices bootloader unlocked, (s10 and newer, possibly others thru same service) but this OPPO/Oneplus trainwreck looks to be the possible path coming for even more models like you said!
I just dont understand the war on unlockable bootloaders?! Especially Oneplus... they had the PERFECT system in place. (US models) You had to PHYSICALLY submit a Bootloader Unlock request... Acknowledge that you are aware that you are giving up warranty... wait a week (buyers remorse)... Then if still committed, you have to flash the unlock token. Why go all DICTATOR on us and start moving the devices STILL BRANDED with OnePlus, to a locked down format? Maybe 3 in 10 customers unlock & mod their phones! It takes MORE effort to disable functions and remove them, while at the same time alienating those 3 in 10 thus ensuring LESS SALES!! I fail to understand the logic. I just pray someone always keeps probing these A-hole companies products, for vulnerabilities and exploits that circumvent all their overbearing attempts to control what we can do with OUR devices!
<rant... sorry, this crap just makes my blood boil. cuz i DID demo the 10T at a T-mobile store and they had CPH-2417 models as demo, which were fine. Come to find out that they always planned on only SHIPPING or SELLING these 2419 models to the public!>
I saw the writing on the wall after following the 10 Pro forum once I got my OnePlus 9 so I jumped ship to the Pixel 7 Pro. It's not a perfect device but man it's so much smoother than my 9 ever was. The only real complaint I have is the battery takes too long to charge and the fingerprint sensor is more finicky than the one on my OP9 but it's so nice not having lag everywhere and buggy software plus they're easy to root and keep rooted with the PixelFlasher tool.
As for the lockdown, it's probably T-Mobile that wanted it. People always bought the T-Mobile variants because they sell cheaper than the other ones and then they would convert them to global/EU firmware. What we really need is an end to carriers dictating what a phone manufacturer can and can't do with their product but Apple was the only one who ever successfully strong-armed a carrier (all of them basically in the end since they still don't allow bloatware on the phones). That said, Oppo probably doesn't have any complaints about being forced to disable this as it results in less technical support calls for them when people can't muck their devices up anymore. There were a ton of people bricking their OP9 and OP9P devices and those are just the ones that found their way to XDA to try to get help. I bet that a good chunk of their warranty repairs are from people modding their phones. In fact my OP9 almost became one of them until I got stubborn and sat down and figured out how to mod the MSM Tool myself.
Yeah, this is a bummer. Thanks for sharing! I almost never buy through a carrier anymore. My last oneplus was the 8T and it was a t-mobile variant, it was quite the mess to have to get it unlocked due to the person I bought it from not paying their bill...I got it all sorted out....my bad not double checking, but I got it for a sweet deal.
If Samsungs are easier to unlock the bootloader for their new phones, that changes my buying decisions.
I wonder if you could do the local update to the EU or India beta, then do the rollback to android 12 from a different region, India or EU. Does the local update across regions even work if your bootloader is locked?
maamdroid said:
Yeah, this is a bummer. Thanks for sharing! I almost never buy through a carrier anymore. My last oneplus was the 8T and it was a t-mobile variant, it was quite the mess to have to get it unlocked due to the person I bought it from not paying their bill...I got it all sorted out....my bad not double checking, but I got it for a sweet deal.
If Samsungs are easier to unlock the bootloader for their new phones, that changes my buying decisions.
I wonder if you could do the local update to the EU or India beta, then do the rollback to android 12 from a different region, India or EU. Does the local update across regions even work if your bootloader is locked?
ok, that i cannot confirm. YET... I screwed up and forgot to disable Auto Updates in the developer menu, and 1 reboot later, put me on the A.11 build for the OS. All the current OTA, and BETA in the Oxygen Updater, are A.10, and ive tried using the local update apk, but it fails stating something along the lines of, "The version you are trying to flash, is older than the current on im on, so to prevent boot problems, we wont allow you to continue"... I know those werent the actual words, but im sure you know what im talking about. So until the India, EU, or NA builds move up to A.11, I am in limbo! ... I have 3 days to request a RMA from Tmobile, if im gonna return it, and if i cannot circumvent this crap then i definitely aint about to get stuck with it for 2 years! Even if its only costing me $13 a month. I just cant accept a device that has actively removed THE VERY THING that i bought a OnePlus to do!
I am HOPING, i get lucky and an update drops, but my luck says it wont.
But to answer your question, YES... I would believe that you can do the Local update and shift sideways to Global or another region. MY plan was to try moving to ANY other region period, which will forcefully change the model number of the device as well... THEN use that regions Rollback Package, cuz it wipes everything and does a complete downgrade to reinstall. My logic is that IF i can update to say the India, or EU Android 13 Beta with the A.11 kernel, then the partitions are gonna change right? so in theory IT SHOULD flash all the CPH2413 or 2415 partitions, and files respectively. Now im sure that alone wont bring back FB because updates dont usually wipe all data! .... BUUUUUT .... once on that Model, then using the Rollback package WILL fully wipe the data and system so that it can format and place the partitions correctly for Android 12! And THAT is where i think my best opportunity to regain Fastboot will come from! Cuz my phone will be formatted as an Unlockable model number, and the rollback packages are supposed to be a Full Stock Rom, so naturally all the partitions and stock components would be installed as well, & the phone wont KNOW it was a 2419 so whatever was done (if only at software level) to disable FB wont be scripted to disable it on the new region.
Again this is only theory, but it sounds logical... unless someone familiar with OPPO can confirm that they use some hardware method of removing fastboot. But so far i have found a couple older OPPO discussions that at least cited exploits that were found in their respectively Locked devices, which they all had leveraged to get FULL ROOT, and subsequently flash different portions of other builds to their device. Personally, If I can have a full Magisk root, I am 100% content with JUST THAT! I lived with MANY a Samsung that had locked bootloaders, but had Root, and i can make that sacrifice!
Hopefully an update drops in time so i can try!
You would need to try the downgrade package.
https://oxygenos.oneplus.net/4248_sign_CPH2415_11_A_OTA_0080_all_44864f_10100111.zip
I would be surprised if it works but it is worth a shot with the APK.
That's the global/US package.
beatbreakee said:
ok, that i cannot confirm. YET... I screwed up and forgot to disable Auto Updates in the developer menu, and 1 reboot later, put me on the A.11 build for the OS. All the current OTA, and BETA in the Oxygen Updater, are A.10, and ive tried using the local update apk, but it fails stating something along the lines of, "The version you are trying to flash, is older than the current on im on, so to prevent boot problems, we wont allow you to continue"... I know those werent the actual words, but im sure you know what im talking about. So until the India, EU, or NA builds move up to A.11, I am in limbo! ... I have 3 days to request a RMA from Tmobile, if im gonna return it, and if i cannot circumvent
Yeah, give the beta a try and then rollback.
@beatbreakee Looks like India .12 full update is available in oxygen updater! Hopefully this works for yah.
EtherealRemnant said:
You would need to try the downgrade package.
https://oxygenos.oneplus.net/4248_sign_CPH2415_11_A_OTA_0080_all_44864f_10100111.zip
I would be surprised if it works but it is worth a shot with the APK.
That's the global/US package.
Global and US versions are different. That zip is for EU/Global, not US/NA, it says so right in the file name.
CPH2415 is EU/Global
CPH2417 is US/North America
That being said there is actually a member on the forums here that was able to flash that CPH2415 zip on a CPH2417 (US) phone without issue apparently. Flash at your own risk.
Edit:
This information I posted is not completely correct. Check the post after this one for more information regarding the versions.
Jager said:
Global and US versions are different. That zip is for EU/Global, not US/NA, it says so right in the file name.
CPH2415 is EU/Global
CPH2417 is US/North America
That being said there is actually a member on the forums here that was able to flash that CPH2415 zip on a CPH2417 (US) phone without issue apparently. Flash at your own risk.
OnePlus is ridiculous. Why the heck did they feel the need to change this? On the 9 series and 10 Pro, xxx0 was China, xxx1 was India, xxx3 was EU, xxx5 was global (which was US), xxx7 was T-Mobile.
Anyway, EU firmware has always worked fine on global variants, no doubt it's the same situation here.
Was about to post this and went to look but ummm... Actually, OnePlus themselves have listed it like this.
Want to go back to Android 12? Download the Rollback package from the links below:
OnePlus 10T (IN)
OnePlus 10T (EU)
OnePlus 10T (GLO)
OnePlus Community
community.oneplus.com
GLO file name is 2415 as well. The one I linked was the same one linked here, the difference on the EU one is the beginning and end of the file name are different.
EU - https://oxygenos.oneplus.net/4189_sign_CPH2415_11_A_OTA_0080_all_44864f_01000100.zip
GLO - https://oxygenos.oneplus.net/4248_sign_CPH2415_11_A_OTA_0080_all_44864f_10100111.zip
Looks like they're basically the same firmware.
EtherealRemnant said:
OnePlus is ridiculous. Why the heck did they feel the need to change this? On the 9 series and 10 Pro, xxx0 was China, xxx1 was India, xxx3 was EU, xxx5 was global (which was US), xxx7 was T-Mobile.
Anyway, EU firmware has always worked fine on global variants, no doubt it's the same situation here.
Was about to post this and went to look but ummm... Actually, OnePlus themselves have listed it like this.
Want to go back to Android 12? Download the Rollback package from the links below:
OnePlus 10T (IN)
OnePlus 10T (EU)
OnePlus 10T (GLO)
OnePlus Community
community.oneplus.com
GLO file name is 2415 as well. The one I linked was the same one linked here, the difference on the EU one is the beginning and end of the file name are different.
EU - https://oxygenos.oneplus.net/4189_sign_CPH2415_11_A_OTA_0080_all_44864f_01000100.zip
GLO - https://oxygenos.oneplus.net/4248_sign_CPH2415_11_A_OTA_0080_all_44864f_10100111.zip
Looks like they're basically the same firmware.
That's a lot more information than I had. Thank you for sharing! It's been confusing since I got the phone at the start of September coming from the 6T and 5T previously.
Thank you for the links as well, I have always been looking for this information regarding the difference in versions. I will be saving this for reference.
This definitely makes it clearer than what I was trying to explain in my previous post.
I'm one that flashed from Global to India. Then I flashed India to Android 13. Then I did rollback to India 12. And now I did India to EU android 12 .a10.
My bootloader is unlocked though.
I didn't know Global beta is out now. I'll flash to that now!!
So I was just in the 10 Pro section and I would be very cautious trying the downgrade package conversion. There have been a few bricks and a few successes converting T-Mobile to another variant and without an MSM Tool to use, I don't know that I would risk a $650 paperweight.
@beatbreakee This guy has the 2017 version and tried flashing the IN version. There aren't a whole lot of details, but whatever he did caused a softbrick. I posted for a little more details on it, but he might be able to provide some more info around this.
@jmayfield337
Full update from Global to EU?
I'm rooted and bootloader unlocked. There isn't a full update for . 08 yet. Could I use the EU full update and do local install or will that mess my current stuff up?
forum.xda-developers.com
EtherealRemnant said:
You would need to try the downgrade package.
https://oxygenos.oneplus.net/4248_sign_CPH2415_11_A_OTA_0080_all_44864f_10100111.zip
I would be surprised if it works but it is worth a shot with the APK.
That's the global/US package.
So sorry for the delay... But yes your rollback package worked in getting me off the T-Mobile 2419 , and now I'm on the 2415. A.08 (yay . KINDA...)
Unfortunately this did not have the intended outcome. I mean yes the phone works properly and all... But I'm sure you knew that fastboot did not come back. (Wouldn't be that easy huh?).
Now, here's the next phase.... After repeatedly beating on OP via their chat, and yelling at person after person, I got one of them to slip up and let a few MINOR things leak verbally.
(Bear with me cuz I might be stating something that might be slightly off from him... I could tell English wasn't his 1st language... Or even 2nd)
"Sir what you are requesting is a file authorization to unlock the bootloader on your device, correct" --- OP
"No, because even if I HAD a special file, I would not be able to flash it, because I have NO fastboot mode accessible on my phone. YOU removed or disabled it yourselves!" ---- Me
"Ok after reviewing your previous words sent, I think I know what it is you seek. There is a program called MSM, do you know of, yes?"-OP
"YES I know exactly of that, and you guys made it password restricted so I cannot log in to get what I need, so is it possible you can refer me to get an access account for the tool?"-Me
"Unfortunately sir that is department not of ours, but I will forward your request to them for email response by 24hrs."-OP
"Ok... So what then, you or them will get back to me with info on how to get an account?" -Me
"Well it yes, sir I do not know if that is how they resolve, or maybe they just give you factory fastboot ROM which can be use with the updater application, for local flash. It is my knowledge that other devices we have sold have had this ROM load special fastboot to allow unlock/lock/flash/wipe commands to be sent from your PC, but it was special tool for devices that not have it already!" - OP ...
BINGO!!
I'll spare you the rest of the chat, but of course no one has contacted me....
SOOO... here's my thoughts...
1. This phone is like Samsung in that there is NOT a permanent bootloader lock, and instead there's just a custom ROM (like the old "Combination FW" that restores permissions for higher level functions, aka "Fastboot ROM")
2. This ROM could TECHNICALLY be created or the fastboot portion extracted from another one that already is out for one of these older devices, and we swap it into one of these rollback packages, cuz I did edit the payload properties file to test if simple changes can be made and it still flash... (Answer : yes... It worked!)
3. One of you GURUs who have found TEMP ROOT access on so many other 'unrootable' devices, discover a way in to these, in which we can access the partition where the bootloader exists, and turn it back on with a hex edit, or flip it to UNLOCKED, then I can use QFIL or an EDL prog to flash custom recovery!?!
The reason I say turn it back on is because I am fairly confident it is still functional, primarily because it shows for a half a second, then reboots back into normal mode if 'adb reboot bootloader' is used. How can it be GONE, if the OS still recognizes it? (This suggests there's a script or init command being triggered once that command is sent, and it forces reboot before fastboot can connect to your PC! ... There is still a splash screen triggered from the command... AND all the updates and rollback packages are using something other than EDL to flash all the partitions as .img files, cuz EDL can't communicate with a device while running, but those packages loaded via local update are prepped while running, and processed only by a reboot, which almost confirms that it's fastboot being used. Fastbootd will not process ANY img files, but it does recognize every reg fastboot command!)
(Sorry again for long post but I figured detail is needed to solve this.)
I have 48 hours to completely brick this device and still return it, so I am up for ANY actions that you all might suggest, with no regrets! If I get it AT LEAST rooted, I'll take it! Or if we get fastboot enabled again even better. I will monitor this thread for your replies.
Thanks for all input!
EtherealRemnant said:
So I was just in the 10 Pro section and I would be very cautious trying the downgrade package conversion. There have been a few bricks and a few successes converting T-Mobile to another variant and without an MSM Tool to use, I don't know that I would risk a $650 paperweight.
Ok... I KINDA followed part of what they did in the 10pro forums. Opening the zip 1st, I edited 1 line: "Oplus_update_engine_verify_disable=1". It WAS 0, which I understand had something to do with it verifying something on either the device or in the package to be identical before allowing.
Using a 1 disabled that verification. Now whoever tries this MUST be patient! When you start this via local updater app, you need to be above 40% , AND it will look like it is frozen and not processing at 0% for close to 5 min ... Then it will just start ticking off about 1% every 15-30sec til it gets to 60-70... Then it is about 2 percent per 15 sec... Finally when it hits 99% it will again look like it's stuck, but just wait, cuz it will hit 100% about 3-4 min later.
Whole process went seamlessly smooth! I advise not doing ANYTHING on your device while running. But I successfully went from Android 12.1 A.11 to Android 12.0 A.08 2419 to 2015.
Don't know if it matters but I did enable OEM unlocking in dev options 1st. And it persisted thru the whole wipe/flash process!
Don't know if this means anything...
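A pre-flash integrity check for the kind of edited package described in the post above, as an added example that is not part of the thread or of any OnePlus tooling. It assumes the zip follows the AOSP A/B layout (`payload.bin` plus `payload_properties.txt` carrying `FILE_HASH` and `FILE_SIZE`) and that the flag quoted in the post lives in that properties file; the sample zip is constructed in memory.

```python
import base64
import hashlib
import io
import zipfile

PROPS = "payload_properties.txt"   # AOSP A/B OTA convention (assumed here)
PAYLOAD = "payload.bin"
FLAG = "oplus_update_engine_verify_disable"  # key as quoted in the post

def parse_properties(text):
    """Parse KEY=VALUE lines; keys are lower-cased, values kept verbatim."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            props[key.lower()] = value
    return props

def check_ota(zip_source):
    """Return a list of problems found in an OTA zip (path or file object)."""
    problems = []
    with zipfile.ZipFile(zip_source) as zf:
        names = set(zf.namelist())
        if PROPS not in names or PAYLOAD not in names:
            return ["missing %s or %s" % (PROPS, PAYLOAD)]
        props = parse_properties(zf.read(PROPS).decode("utf-8", "replace"))
        digest, size = hashlib.sha256(), 0
        with zf.open(PAYLOAD) as fh:          # stream: real payloads are GBs
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
                size += len(chunk)
    if props.get("file_size") != str(size):
        problems.append("FILE_SIZE mismatch")
    if props.get("file_hash") != base64.b64encode(digest.digest()).decode():
        problems.append("FILE_HASH mismatch")
    if props.get(FLAG, "0") != "0":
        problems.append("verification disabled (%s=%s)" % (FLAG, props[FLAG]))
    return problems

def build_sample(payload, flag="0", tamper=False):
    """Constructed in-memory OTA zip for demonstration, not a real package."""
    h = base64.b64encode(hashlib.sha256(payload).digest()).decode()
    text = "FILE_HASH=%s\nFILE_SIZE=%d\n%s=%s\n" % (h, len(payload), FLAG, flag)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PAYLOAD, payload + (b"x" if tamper else b""))
        zf.writestr(PROPS, text)
    return buf
```

Running `check_ota` on a downloaded or edited zip before a local install shows whether the payload still matches its recorded hash and size, and whether the package asks the updater to skip verification.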
Congrats on a successful conversion. Sucks that it's still walled off but I can't say I'm surprised.
@beatbreakee
Dude I just want to thank you for all your hard work into this.
I have a T-Mobile OP10T and was so disappointed to find out there was no way to unlock bl/no root.
So when I found this thread, there is no hope. Now because of you, there's a chance.
Thanks
I would assume it's best not applying any updates if I've just got the phone? If my plan is somehow getting away from T-Mobile software. Right?
