With this tool, a user can write IMEI to a Qualcomm device and restore NULL IMEI or fix corrupted IMEI on Qualcomm Snapdragon devices. you must follow the steps listed below to prepare your device for the Qualcomm IMEI repair process.
Preparation :
Enable USB Debugging on your device from Developer Options. [[ If Developer Options are missing from your Android phone settings, then go to Settings > About Phone and tap on Build Number for 7-10 times ]].
Some devices need an unlocked bootloader. If it is not unlocked, then unlock the bootloader on your device from here.
Need proper Root permissions. (with Magisk ).
download and setup SDK Platform Tools on PC. ( Download SDK Platform Tools For windows ).
Qualcomm_Smartphone_Write_IMEI_Tool_v1.01.
Steps to Repair IMEI of Snapdragon Device
1- Download and extract qualcomm driver.zip .
2- install Qualcomm COM Port Driver manually.
Open the Device Manager :
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
2-2 Right-click on PC-NAME and Add drivers :
2-3 Select Browse my computer for driver software -> Let me pick from a list of device drivers on my computer and install Qualcomm COM Port Driver manually.
3- Extract SDK Platform Tools and copy to C:/ .
4- Connect your device to PC using USB Cable.
5- Open command window ( Run as administrator ).
5-1 Now in CMD type the below commands :
cd C:/(SDK Platform Tools location)
Click to expand...
Click to collapse
adb devices
Click to expand...
Click to collapse
adb shell
Click to expand...
Click to collapse
su
Click to expand...
Click to collapse
setprop sys.usb.config diag,adb
Click to expand...
Click to collapse
***** It will open DIAG COM Port or enable DIAG Port.
6- Download and extract Qualcomm_Smartphone_Write_IMEI_Tool_v1.01.zip on your PC.
7- Run Qualcomm_Smartphone_Write_IMEI.exe (Qualcomm IMEI Changer) as administrator.
8- Open settings ( PASSWORD : ustest ).
9- Select Write IMEI1 ( If you have dual SIM device then also select Write IMEI2 ) and click on OK .
10- Enter the IMEI number in the space provided and select COM Port ( COM port : USB ) and then Click on the Write1 Button to begin the Writing Process.
11- You should see the PASS message after a second or two.
12- Now, Reboot your device and check the IMEI by dialing *#06#.
we are done repairing IMEI on Snapdragon powered devices.
I am gettinf read SN fail error on Pixel 5, any reason?
hhkx said:
I am gettinf read SN fail error on Pixel 5, any reason?
View attachment 5621621
Click to expand...
Click to collapse
Hello
I think you are not doing well from 5-1 onwards.
because No connection was established between the phone and the application.
I don't think it is a connection problem because before using pixel 5 diag mode codes below it was giving "connection timeout error".
After applying those, it says SN fail. I also see qualcom com connections in ports in Windows device manager
adb shell
su
resetprop ro.bootmode usbradio
resetprop ro.build.type userdebug
setprop sys.usb.config diag,diag_mdm,adb
diag_mdlog
hhkx said:
I don't think it is a connection problem because before using pixel 5 diag mode codes below it was giving "connection timeout error".
After applying those, it says SN fail. I also see qualcom com connections in ports in Windows device manager
adb shell
su
resetprop ro.bootmode usbradio
resetprop ro.build.type userdebug
setprop sys.usb.config diag,diag_mdm,adb
diag_mdlog
Click to expand...
Click to collapse
Hello
This error occurs when there is no connection between the phone and the application.
Please follow the steps carefully and make sure the driver is fully installed on the computer.
Hi. Is it useful for snapdragon 855 devices? Especially lg v50?
Schirip said:
Hi. Is it useful for snapdragon 855 devices? Especially lg v50?
Click to expand...
Click to collapse
Hi, I also had the same question. specifically for Sony Xperia 5 having SD 855.
it does not work as mentioned. I have had a million tries with it.
Qualcomm drivers installed.
Phone detected in Qcom Diag Mode
Tried using Fastboot
Using EDL
Using ADB
Using every other method listed on the internet.
Still says ( Connecting to the device and failed at the end.)
any suggestions?
P.S thank you for your work.
Hello,
Tried to repair IMEI on One plus 10 pro ( sm8450) and it doesn't worked saddly. Said it was changed, rebooted the phone but the old IMEI were still there.
Looking for a reliable way to repair One Plus 10 pro IMEI
Nixeus2 said:
Tried to repair IMEI on One plus 10 pro ( sm8450) and it doesn't worked saddly. Said it was changed, rebooted the phone but the old IMEI were still there.
Click to expand...
Click to collapse
Same for Sony Xperia XZ1 Compact. This app is outated.
If the IMEI is changed, will the phone (Pixel 4XL specifically) continue to receive updates? If yes, then would it be safe to download and install those updates?
<Moderator Note>: "Repairing" an IMEI; i.e. restoring a device's original IMEI is legal. Changing your IMEI from the device's original IMEI is illegal in many countries, and is not allowed on XDA. I've removed the word "Change" from the thread title and one place in the OP.
Rule 9 of XDA Developers Forum Rules :
9. Don't get us into trouble.
Don't post copyrighted materials or do other things which will obviously lead to legal trouble. If you wouldn't do it on your own homepage, you probably shouldn't do it here either. This does not mean that we agree with everything that the software piracy lobby try to impose on us. It simply means that you cannot break any laws here, since we'll end up dealing with the legal hassle caused by you. Please use common sense: respect the forum, its users and those that write great code.
Click to expand...
Click to collapse
how to repair the certificate of a si g950u? it says final imel cert fail
Who has done this successfully?
bikeet said:
Who has done this successfully?
Click to expand...
Click to collapse
Not me
Tested on Xiaomi M9T Pro (because my mobile operator activated some features only on specifc phones so I wish to fake another brand/model)
It always displays "FAIL". :-(
Hi, and thanks for the tutorial, it is possible to work on S20FE (qualcomm 865 - sm8250) ?
Thanks, i will wait for your answer !
Doesn't work on my Samsung S20+ 5G, the DIAG Port is enabled (showed on device manager on COM7) but the app fails to detect connection to my phone. is there any way to repair the IMEI on snapdragon device? I messed up mine bad.
Has anyone tried it to repair imei on Asus Zenfone 8 Flip?
text1 said:
Hello
This error occurs when there is no connection between the phone and the application.
Please follow the steps carefully and make sure the driver is fully installed on the computer.
Click to expand...
Click to collapse
Doesn't work for snapdragon 888, driver is fully installed, even qpst detect it, does the backup but they put an anti-tampering script, i think.
Related
WARNING!
THIS GUIDE REQUIRES DISASSEMBLY, SO YOU WILL DEFINITELY LOSE THE WARRANTY!
DO IT AT YOUR OWN RISK!
If you want to repost this guide to other websites, please let me know before you repost.
For Chinese users: 中文版教程将会在dospy发布。
Click to expand...
Click to collapse
UPDATE: I've updated the new tool for unlocking the phone without understanding how to utilize such long commands.
You can watch the demonstration here: https://youtu.be/whrFsn8h7A4
Click to expand...
Click to collapse
So after I got a Nokia 4.2 prototype by opportunity, I just found the theory of bootloader unlocking.
Tricking development options for allowing "OEM unlocking" no longer works on latest security update.
What you need to have:
- a Nokia 4.2 unit that you finished back cover and upper plastic shell removal
- tweezers, and probably a standard philips screwdriver
- QPST (use at least 2.7.474) or any other app that could access the EDL, and Qualcomm USB port drivers are installed
- Latest Google Platform Tools
- Full backup of your userdata
Step 1: Trigger the phone to EDL mode, then change the driver to "Qualcomm HS-USB QDLoader 9008"
Please take a look at the attachment below, about the location you need to use tweezers.
For Windows users:
If the driver is already indicated as "Qualcomm HS-USB QDLoader 9008", get to Step 2.
If the driver is indicated as either "QHSUSB__BULK" (For users who have installed Windows Device Recovery Tool before) or "Qualcomm HS-USB Diagnostics 9008", you must change the driver to "Qualcomm HS-USB QDLoader 9008".
After driver changed, you need to disconnect the phone, disconnect and reconnect the battery ribbon cable, then trigger the phone to EDL again.
I assume the COM port number is 8 (COM8).
Click to expand...
Click to collapse
Step 2: Write config partition
As we already know, config partition is also the frp partition.
You need to create a config partition image that has "OEM Unlocking" function enabled, which need to alter the last byte, then change the overall checksum to make the config file valid.
For your convenience, I've created one.
Now download and extract the attachment below.
Use QFIL included in QPST to load the firehose file. Choose "Flat Build" and choose the "prog_emmc_firehose_8937_ddr.mbn" you extracted from the attachment.
Choose "Tools" - "Partition Manager", then wait for the partition list appear.
As "Load Image" seems not reliable, we have to use command to write it manually.
For 64-bit Windows users, the command is:
Code:
"C:\Program Files (x86)\Qualcomm\QPST\bin\fh_loader.exe" --port=\\.\COM8 --search_path=D:\path\to\where\you\extracted\N32_N42_unlock --sendimage=config.img --start_sector=16583680 --lun=0 --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=emmc
If you use 32-bit Windows, you need to remove the " (x86)" (within space, without quotes) in the command above.
Step 3: Trigger the phone back to fastboot mode
Now hold the Volume down key, keep the phone connected, close the partition manager, then your phone will exit EDL mode and enter Fastboot mode directly.
Now check the unlock ability:
Code:
fastboot flashing get_unlock_ability
Expected output:
Code:
get_unlock_ability: 1
Step 4: Unlock the bootloader!
And you can unlock the bootloader with familiar commands.
Code:
fastboot flashing unlock_critical
Confirm unlock on the phone, then keep the volume down key pressed while the phone is erasing userdata.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Your phone will boot to fastboot mode again, and then:
Code:
fastboot flashing unlock
Confirm unlock on the phone again.
All done, that's how the bootloader is unlocked. You can reassemble the phone.
But strange enough, you can't see any unlock warning.
I will release boot image dumping guide and root guide very soon.
Special thanks:
Wingtech for leaking prototype units
why must Nokia insist on locking their devices down so hard ??
great discovery, will definitely be useful once TWRP is released. just curious, but SafetyNet is tripped with this, right?
Great!
Damn Nokia
I don't even own this phone but I kinda want to weigh in, are we seriously at this point? No honestly, Android as a whole was basically were dev focused iOS is locked down to hell and back here's freedom. Google has the Nexus line made for developers companies embraced it I remember there being multiple Google play editions of phones that ran stock Android. I'm happy we as a community can keep this alive but damn are companies trying to make it difficult to do something I want to do to a device I paid for and own. Samsung you can't root (save for sampwn and samfail) LG locked down bootloaders and gimped fastboot on some models (fastboot seriously?) Nokia now requiring you to take apart the freaking phone to achieve this, I'm half asleep and can't think of any other major brands at the moment. It's a joke. (Above root methods were mainly for US variants and TMobile variants of LG) something has to change I know it won't and I understand the reasoning behind it security and such but still. Sorry for the rant congrats OP on what you did I consider it magic but it's more you accomplished something I could only wish I could do.
Will it be possible to do without disassembly? Just in theory, not now
kir23rus said:
Will it be possible to do without disassembly? Just in theory, not now
Click to expand...
Click to collapse
Unwise to say no with absolute certainly, but doubtful
kir23rus said:
Will it be possible to do without disassembly? Just in theory, not now
Click to expand...
Click to collapse
I think it will be possible.
There's a hidden command in aboot "fastboot reboot-emergency" but unusable, unless some sort of authentication is done or bootloader unlocked.
I still don't know how the authentication is done yet, but it's definitely not something that average developers can access to.
That's why disassembly is required for now.
Very interesting breakthrough. Great work
I'm facing the same bootloader unlock in my infinix hot s 3. I believe I can use your procedure to unlock my device. And if necessary how to make changes to the config file? I will be expecting your reply soon. Thanks
Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you
awab228 said:
Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you
Click to expand...
Click to collapse
Fill first 32 bytes with 0x00, then calculate SHA256 checksum and paste the new checksum as hex value at the first 32 bytes.
hikari_calyx said:
Fill first 32 bytes with 0x00, then calculate SHA256 checksum and paste the new checksum as hex value at the first 32 bytes.
Click to expand...
Click to collapse
Thank you for taking the time to explain, great help and great effort, the last byte should be altered to 1 ? Or 0 ?
awab228 said:
Thank you for taking the time to explain, great help and great effort, the last byte should be altered to 1 ? Or 0 ?
Click to expand...
Click to collapse
1 for allow, 0 for disallow
do you have any fastboot rom or rawxml rom for this device ??
mine always reboot in bootloader mode.
malkabhai said:
do you have any fastboot rom or rawxml rom for this device ??
mine always reboot in bootloader mode.
Click to expand...
Click to collapse
We have full OTA zip of it.
You can use payload dumper + img2simg to convert it to fastboot images. If recovery mode working (including unofficial TWRP), you can also reboot your phone to recovery mode to sideload it.
PAN-141B-0-00WW-B03-update.zip
I was able to use "OEM Unlocking" from developer options and after starting at step 3, to obtain a full unlock. After I was also able to fully root my phone using the normal guide. I am running the latest security update (October 5 2019). No idea why this worked for me...
Hello,
I've got the Nokia 3.2 16gb variant. I can get it into edl mode but it seems to be in Sahara mode. How can I put it into firehose mode? Because I can't load anything using qfil.
Any help?
Missing pads
Any idea where these pads could be now? That does not seem to be there anymore?
Missing testpoint pads
piteer1 said:
Any idea where these pads could be now? That does not seem to be there anymore?
Click to expand...
Click to collapse
I has the same problem. Thanks in advance.
I don't see those test point in my mobile
Hi, does this work for Nokia 6.1 plus TA-1083? or do you have any trick for this too?
I am able to load phone in EDL Mode by making EDL Points short.
Just in case you read my comment, I have a emmc problem post, if you can help -
https://forum.xda-developers.com/nokia-6-1-plus/help/nokia-6-1-plus-edl-mode-emmc-failure-t4114507
Since there is no proper information about unlocking the bootloader for the newer versions of Oneplus Nord 2, this is how I got it to unlock and actually work.
For my system it did reset the device, clearing all the files and factory restoring the device, just make sure to make a backup before you do anything.
Just like any other post, no warranties or anything, this is all at your own risk.
1: Make sure to enable OEM unlocking and ADB Debugging in the developer options
1.1: To have these options, first go to About phone > Version
1.2: Keep tapping the "Build number" to unlock the developer options
1.3: Navigate back to settings and open Additional Settings. There you will find the Developer Options.
2: Install: Platform tools: https://androidfilehost.com/?fid=17248734326145690420
3: Install: MediaTek Preloader USB VCOM drivers: https://drive.google.com/file/d/1TPbW-v9-yOrzH15OaHmsPQad420mULeF/view
4: CMD to the root of the platform tools and use the command "adb reboot bootloader"
5: While in the weird tiny screen, validate that your device is there by typing "fastboot devices"
6: If so, type fastboot flashing unlock
7: Profit.
Hope this helps any other people searching for a proper way to do this.
OMG I spent hours searching for a working fastboot driver. Unlocked successfully! I owe you a beer man drop me your paypal
meterpreter said:
OMG I spent hours searching for a working fastboot driver. Unlocked successfully! I owe you a beer man drop me your paypal
Click to expand...
Click to collapse
The cheers is already great, hope they release a working stock rom soon so we can finally have some custom roms going!
Eastw1ng said:
The cheers is already great, hope they release a working stock rom soon so we can finally have some custom roms going!
Click to expand...
Click to collapse
I hope so too. I would really like to put lineage on this thing, probably the only os that can make a usable device out of this actually very good phone
Unlocking the bootloader requires two settings to be made in Android's Developer Options:
ADB Debugging
Allow OEM Unlock
@Eastw1ng, as obvious as this may be once you remember, unlocking the bootloader is something most people don't do very often - it might make sense to include that in the OP
@NetSoerfer, you're not wrong, quickly added it to the start.
I have a issue, Fastboot cant't find mobiledevice in win10. Adb commands working great. Debugging and oem unlock options enabled.
Tried:
1. different usb ports, cables and PC
2. Oneplus, Google and Mediatek USB drivers. With ADB or Bootloader interface.
3. Reinstalling PC USB drivers.
Am i missing out something?
CapnRene said:
I have a issue, Fastboot cant't find mobiledevice in win10. Adb commands working great. Debugging and oem unlock options enabled.
Tried:
1. different usb ports, cables and PC
2. Oneplus, Google and Mediatek USB drivers. With ADB or Bootloader interface.
3. Reinstalling PC USB drivers.
Am i missing out something?
Click to expand...
Click to collapse
use latest platform tools
SDK Platform Tools release notes | Android Studio | Android Developers
Android SDK Platform-Tools is a component for the Android SDK.
developer.android.com
HofaTheRipper said:
use latest platform tools
SDK Platform Tools release notes | Android Studio | Android Developers
Android SDK Platform-Tools is a component for the Android SDK.
developer.android.com
Click to expand...
Click to collapse
Hmmm, it worked, I think last one was ver. 30. Last year I downloaded "15 second ADB". It seems it made a mess in my ADB directories. Had to delete few folders and path from win10 Environment Variables. Made new folder and added new path.
I think it is last time when I use some kind "ADB installer".
I wonder if Android Studios didn't come with it automatically? Because I reinstalled that and it didn't work?(it might be that 15 sec installer messed up paths)
CapnRene said:
Hmmm, it worked, I think last one was ver. 30. Last year I downloaded "15 second ADB". It seems it made a mess in my ADB directories. Had to delete few folders and path from win10 Environment Variables. Made new folder and added new path.
I think it is last time when I use some kind "ADB installer".
I wonder if Android Studios didn't come with it automatically? Because I reinstalled that and it didn't work?(it might be that 15 sec installer messed up paths)
Click to expand...
Click to collapse
Can you tell me how to install these drivers I tried but still not detecting
You have same issue that adb is detecting phones but fastboot not?
There is no installer by google. You just replace files for updating.
For first make sure CMD doesn't find multiple locations for ADB. Type in CMD where adb. Be sure that it finds correct folder where is platform tools ver 31.0.3!
If it's wrong then you need insert new Path in system variables or changes whole folder where 'where adb' indcates. Also double check that oem unlocking is enabled in developer options on phone.
This is my CMD exaple:
X:\Users\XXX>where adb
X:\platform-tools\adb.exe
And system variables
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
CapnRene said:
You have same issue that adb is detecting phones but fastboot not?
There is no installer by google. You just replace files for updating.
For first make sure CMD doesn't find multiple locations for ADB. Type in CMD where adb. Be sure that it finds correct folder where is platform tools ver 31.0.3!
If it's wrong then you need insert new Path in system variables or changes whole folder where 'where adb' indcates. Also double check that oem unlocking is enabled in developer options on phone.
This is my CMD exaple:
C:\Users\Rene>where adb
C:\platform-tools\adb.exe
And system variables
View attachment 5420349
Click to expand...
Click to collapse
I have done all the things still it's not detecting but surprisingly it's detecting my old one plus 6 easily.
On another lappy where I . using zorin os ubuntu based os simple terminal commands installed android platform tool on Linux and I got easily detected Nord with same commands.
But anyway thanks
CapnRene said:
You have same issue that adb is detecting phones but fastboot not?
There is no installer by google. You just replace files for updating.
For first make sure CMD doesn't find multiple locations for ADB. Type in CMD where adb. Be sure that it finds correct folder where is platform tools ver 31.0.3!
If it's wrong then you need insert new Path in system variables or changes whole folder where 'where adb' indcates. Also double check that oem unlocking is enabled in developer options on phone.
This is my CMD exaple:
C:\Users\Rene>where adb
C:\platform-tools\adb.exe
And system variables
View attachment 5420349
Click to expand...
Click to collapse
Can you tell me twrp given in another thread is working on oos11.3 v10 ?
pankspoo said:
I have done all the things still it's not detecting but surprisingly it's detecting my old one plus 6 easily.
On another lappy where I . using zorin os ubuntu based os simple terminal commands installed android platform tool on Linux and I got easily detected Nord with same commands.
But anyway thanks
Click to expand...
Click to collapse
Have you tried installing these "MediaTek Preloader USB VCOM drivers"? Quite often it's a driver issue and you'll be able to see in the device manager if something's not properly loading the drivers.
pankspoo said:
Can you tell me twrp given in another thread is working on oos11.3 v10 ?
Click to expand...
Click to collapse
It is working for me on v10, just make sure to have the v10 bootloader on hand, it might require a reflash of that after the recovery patch
Eastw1ng said:
Have you tried installing these "MediaTek Preloader USB VCOM drivers"? Quite often it's a driver issue and you'll be able to see in the device manager if something's not properly loading the drivers.
Click to expand...
Click to collapse
Yes installed
Eastw1ng said:
It is working for me on v10, just make sure to have the v10 bootloader on hand, it might require a reflash of that after the recovery patch
Click to expand...
Click to collapse
V10 bootloader means boot.img? If you have that please send me
pankspoo said:
V10 bootloader means boot.img? If you have that please send me
Click to expand...
Click to collapse
You can find the images sakarya posted before: https://forum.xda-developers.com/t/root-tool-oneplus-nord-2-oxygen-11-3-dn2103_11_a-xx-eea.4332959/
pankspoo said:
Yes installed
Click to expand...
Click to collapse
Alright, well just put it into fastboot mode and check your device manager, does it show any devices that are not properly installed? If so, try to resolve it from there
Eastw1ng said:
You can find the images sakarya posted before: https://forum.xda-developers.com/t/root-tool-oneplus-nord-2-oxygen-11-3-dn2103_11_a-xx-eea.4332959/
Click to expand...
Click to collapse
Thanks
As you may know, at the time of writing it's not possible to unlock the bootloader of the European model. Fortunately there's a workaround. To know how it works, scroll to the end of the post.
First of all, this is only for the European RMX3301, but you can try on any other global model that doesn't allow the unlocking of the bootloader. I'm not talking about temporary errors, but of the infamous This phone model does not support deep testing error message.
Before starting I would like to thank polygraphene for their implementation of the Dirty Pipe vulnerability on Android. Without that, this would not have been possible.
Requirements:
The phone with a decent charge. Do not attempt this procedure with the phone at 10% and then cry if something goes wrong
A compatible build, read below
A Windows or Linux PC with adb and fastboot drivers installed
Check if your build is compatible:
Go to Settings -> About device -> Version and check Build number:
If your build is between RMX3301_11_A.14 and RMX3301_11_A.21, go to the procedure below
If your build is lower than RMX3301_11_A.14, or higher than RMX3301_11_A.21, install this OTA package to downgrade (or upgrade) to RMX3301_11_A.14
Procedure:
Make sure under Developer options you have OEM unlocking and USB debugging enabled
Download and extract the attached gt2pro_eu_unlock_dirtypipe_v0.2.zip file
Open a terminal in the folder of the extracted files
Connect the phone to the PC and select the File transfer option
Run the script:
On Windows, type run.bat and press enter
On Linux, type ./run.sh and press enter
Now the phone is temporarily rooted and the phone model is changed to RMX3301. Do not reboot or you will lose this status.
At this point you can follow the procedure on the official forum to unlock the bootloader of the global model. If you already have the Deeptesting app installed, clear its data to make sure it will update.
Changelog:v0.2:
Show more info about device for better debug
Show the model at the end to check if it worked
For technical people: how does it work?The script abuses a vulnerability of the Linux kernel called Dirty Pipe (or CVE-2022-0847). For further details, you can visit the official website. This allows us to gain temporary root and overwrite the ro.product.name property, the only one checked by the Deeptesting app. The vulnerability is present in Android and it has been fixed, at least for the Pixel 6, in the May 2022 security update. On the GT 2 Pro, the vulnerability has been fixed with the Android 13 update, while the latest Android 12 build (RMX3301_11_A.21) is still vulnerable. I have tested the procedure personally up to build RMX3301_11_A.16. If you're on a newer build and it doesn't work, please report it in the comments.
Will it work on device X?If the following conditions are met:
it is a Realme device;
the kernel version is 5.10.66;
there's a global model with a different ro.product.name that can be unlocked;
then you can edit the startup-root file and replace RMX3301 (near the end) with the ro.product.name of the global model and try if it works. If it doesn't, it could be for a lot of reasons. Unfortunately, I can't help you without physically having the device in hand.
If you have further questions about the procedure, please post them below.
woowww... thanks for you aport
I wonder if we can use this temporary root to do some modifications on system.
criszz said:
I wonder if we can use this temporary root to do some modifications on system.
criszz said:
I wonder if we can use this temporary root to do some modifications on system.
Click to expand...
Click to collapse
Excellent question... for example try modific the build regist
Click to expand...
Click to collapse
Rapper_skull said:
As you may know, at the time of writing it's not possible to unlock the bootloader of the European model. Fortunately there's a workaround. To know how it works, scroll to the end of the post.
First of all, this is only for the European RMX3301, but you can try on any other global model that doesn't allow the unlocking of the bootloader. I'm not talking about temporary errors, but of the infamous This phone model does not support deep testing error message.
Before starting I would like to thankpolygraphene for their implementation of the Dirty Pipe vulnerability on Android. Without that, this would not have been possible.
Requirements:
The phone with a decent charge. Do not attempt this procedure with the phone at 10% and then cry if something goes wrong
A compatible build, read below
A Windows or Linux PC with adb and fastboot drivers installed
Check if your build is compatible:
Go to Settings -> About device -> Version and check Build number:
If your build is RMX3301_11_A.14, RMX3301_11_A.15 or RMX3301_11_A.16, go to the procedure below
If your build is lower than RMX3301_11_A.14, or higher than RMX3301_11_A.16, install this OTA package to downgrade (or upgrade) to RMX3301_11_A.14
Procedure:
Make sure under Developer options you have OEM unlocking and USB debugging enabled
Download and extract the attached gt2pro_eu_unlock_dirtypipe.zip file
Open a terminal in the folder of the extracted files
Connect the phone to the PC and select the File transfer option
Run the script:
On Windows, type run.bat and press enter
On Linux, type ./run.sh and press enter
Now the phone is temporarily rooted and the phone model is changed to RMX3301. Do not reboot or you will lose this status.
At this point you can follow the procedure on the official forum to unlock the bootloader of the global model. If you already have the Deeptesting app installed, clear its data to make sure it will update.
For technical people: how does it work?
The script abuses a vulnerability of the Linux kernel called Dirty Pipe (or CVE-2022-0847). For further details, you can visit the official website. This allows us to gain temporary root and overwrite the ro.product.name property, the only one checked by the Deeptesting app. The vulnerability is present in Android and it has been fixed, at least for the Pixel 6, in the may 2022 security update. At the time of writing, the latest build for the GT2 Pro is RMX3301_11_A.16, and it's still vulnerable.
If you have further questions about the procedure, please post them below.
Click to expand...
Click to collapse
When you try the procedure... delete al date of phone? whe finish---- type run.bat and press enter ---- erase all?
criszz said:
I wonder if we can use this temporary root to do some modifications on system.
Click to expand...
Click to collapse
Theoretically you can do everything you can do on a rooted phone (Magisk, but without modules and Zygisk). In practice I never got Magisk to work properly, so I just limited myself to change the property. My goal was to unlock the bootloader, so I did it and installed Magisk.
manu81cba said:
When you try the procedure... delete al date of phone? whe finish---- type run.bat and press enter ---- erase all?
Click to expand...
Click to collapse
My procedure will not delete any data, but after that you have to follow the official procedure to unlock the bootloader, and that will factory reset your phone.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I have this error... why?
manu81cba said:
View attachment 5634133
I have this error... why?
Click to expand...
Click to collapse
Can you post the output of adb devices?
Rapper_skull said:
Can you post the output of adb devices?
Click to expand...
Click to collapse
You can explain? no understand.. what do you say?
manu81cba said:
You can explain? no understand.. what do you say?
Click to expand...
Click to collapse
In the terminal, where you are, type adb devices and press enter, then post the output.
Rapper_skull said:
In the terminal, where you are, type adb devices and press enter, then post the output.
Click to expand...
Click to collapse
manu81cba said:
View attachment 5634133
I have this error... why?
Click to expand...
Click to collapse
Yes i have same output on A.16 installed.
manu81cba said:
View attachment 5634153
Click to expand...
Click to collapse
I can see that you have two different versions of adb, one inside the platform-tools folder and one installed elsewhere. Please confirm that by running adb version inside platform-tools and then outside.
Rapper_skull said:
In the terminal, where you are, type adb devices and press enter, then post the output.
Click to expand...
Click to collapse
now put all file decripted to plataform adb... and this result... all ok?
manu81cba said:
now put all file decripted to plataform adb... and this result... all ok?
View attachment 5634159
Click to expand...
Click to collapse
Yes. To make sure, run adb getprop ro.product.name and confirm it's RMX3301.
manu81cba said:
now put all file decripted to plataform adb... and this result... all ok?
View attachment 5634159
Click to expand...
Click to collapse
Working now?
Is rooting temporary? i can modific build.pro? or this process is only for change the model propety?
manu81cba said:
Working now?
Is rooting temporary? i can modific build.pro? or this process is only for change the model propety?
Click to expand...
Click to collapse
No, you can't modify any files, since /system is read-only. Even if you manage to do it, you will brick your device since the bootloader is still locked. If you want to unlock your bootloader, follow the official guide I've linked.
Rapper_skull said:
Yes. To make sure, run adb getprop ro.product.name and confirm it's RMX3301.
Click to expand...
Click to collapse
manu81cba said:
View attachment 5634169
Click to expand...
Click to collapse
Sorry, adb shell getprop ro.product.name
I live in Canada and I have a BC72 (Asian version). I am struggling to get VoLTE and VoWiFi working. I know that mbn file is the key to getting IMS support and sony seems to block some carrier mbn files (only mbn in sales areas are available). So recently I have been working on flashing mbn files to my phone.
UPDATE:
Everything works fine now. Here's the guide:
FIRST THING FIRST: Data is priceless. Always backup before you modify your phone software.
Disclaimer: Not every carrier in the world support VoLTE or VoWiFi. Please ask your carrier first to get more info if you don't know if they provide support to VoLTE or VoWiFi.
Things you need:
1. PC with windows or bootcamp (virtual machines won't work)
2. An Xperia 1 III with magisk installed (see guide here)
3. A reliable USB-C cable
Software you need:
1. EfsTools (from github)
2. Platform tools (from Google)
3. Qualcomm USB diagnostic port driver
4. QPST (from qpsttool.com)
3. mbn files (extract from your phone)
1. Open command line in the platform tools folder, type
Code:
./adb.exe shell
and press enter, you should see a linux shell on your command line starting with $. Then Type
Code:
su
and a super user window should pop up on your phone screen, after you allowing the permission, the $ should change into #, then type
Code:
setprop persist.usb.eng 1
. If your phone asks "Allow access?", press deny; if it doesn't, go to notification centre, find USB options, and select "No data transfer".
2. Go to your device manage on windows, there should be three "Xperia 1 III"s listed. Choose one, right click, and select "Update driver". In the pop up window, select "Browse my computer" and then "Select one from the available drivers". Find Qualcomm USB diagnostic 9091 and select next. Do the same thing for the rest two. For more details, please check this post and there's a Youtube video demonstration.
3. Open QPST Configurator, check the list and find which COM port corresponds to "LAHAINA". Go to the device manager and disable the rest, ONLY KEEP THE PORT FOR LAHAINA. Quit any QPST tools after this.
4. Open command line in the EfsTools folder, type
Code:
./EfsTools.exe efsInfo
and press enter. No error should occur if you configured correctly, and the COM port in step 3 should be shown.
5. Type
Code:
./EfsTools.exe writeFile -i mcfg_autoselect_by_uim -o /nv/item_files/mcfg/mcfg_autoselect_by_uim
and press enter. There is no expected output so that if there's no error message, you are good.
6. Select the mbn file from the mbn folder. Find the mbn file for your carrier. If you're using a secondary operator, please use the mbn file for the main operator (e.g. Koodo -> use Telus mbn). Copy the mcfg_sw.mbn to the root of the EfsTools folder, then type
Code:
./EfsTools.exe uploadDirectory -i mcfg_sw.mbn -o / -v
and press enter.
7. After the command line done it's magic, reboot your phone. Type
Code:
*#*#4636#*#*
in the phone original dialler. Select Phone Information, press the dots at the upper-right corner and select IMS Status, you can check if the IMS status is registered.
Now, you can enjoy VoLTE, VoWiFi, and even 5G (depends on your carrier's support). If you don't see VoLTE or VoWiFi toggle in your phone settings, try install VoEnabler in magisk or run these in adb shell:
Code:
setprop persist.vendor.dbg.ims_volte_enable 1
setprop persist.vendor.dbg.volte_avail_ovr 1
setprop persist.vendor.dbg.vt_avail_ovr 1
setprop persist.vendor.dbg.wfc_avail_ovr 1
Sorry for the late posting. I've been finding mbn files for other carriers but it seems there's no specific carrier's mbn files available on Snapdragon 888 (or I haven't found one). I'll update if there's any progress.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
IMS Status when Wifi is disconnected and connected.
Additional link: Buy me a coffee : )
Interested in the progress of this...if I can get WiFi Calling i would prefer that over LTE calling for when I go to my Sister's Ranch where there's no signal what so ever...
I'm very interested in this, I've been looking for a way to get TMO Wi-Fi calling working on this phone for a while now.
My phone just died today. I’m not sure if the mbn file caused that. I won’t post the guide until I figure it out :-(
Forbesii said:
My phone just died today. I’m not sure if the mbn file caused that. I won’t post the guide until I figure it out :-(
Click to expand...
Click to collapse
Damn fam, hope it works out...i just cross flashed to the US rom from SEA cause I'm on Metro PCS but my modem got ****ed.....so no calling and network is constantly disconnecting
I have the SEA version in the US on T-Mobile. I flashed Ponce's Pixel Experienc GSI and Sony's binaries (no idea if this was necessary) and I have VoLTE and VoWiFi.
thatguy222 said:
I have the SEA version in the US on T-Mobile. I flashed Ponce's Pixel Experienc GSI and Sony's binaries (no idea if this was necessary) and I have VoLTE and VoWiFi.
Click to expand...
Click to collapse
Hmmm I will flash the binaries and see what happens if nothing changes I'll have to get back to Sea
thatguy222 said:
I have the SEA version in the US on T-Mobile. I flashed Ponce's Pixel Experienc GSI and Sony's binaries (no idea if this was necessary) and I have VoLTE and VoWiFi.
Click to expand...
Click to collapse
how did you flash the Binaries?
Delete
Ainz_Ooal_Gown said:
how did you flash the Binaries?
Click to expand...
Click to collapse
fastboot flash oem filename.img
Ainz_Ooal_Gown said:
Hmmm I will flash the binaries and see what happens if nothing changes I'll have to get back to Sea
Click to expand...
Click to collapse
Where might one get these binaries from?
@Forbesii Thanks for starting this thread. I am struggling with the same for my Xperia 5 III. Really Really looking forward to your Complete step-by-step guide and see how I can do this for my xperia as well. Thanks in advance.
Ndlelex said:
Where might one get these binaries from?
Click to expand...
Click to collapse
Sony's website
The guide is done guys. I'm still looking for methods to get mbn files not in the sony firmware.
Thanks for the update on the guide. I believe step 5 is missing a part. The mcfg_autoselect_by_uim file is not in the EFSTools download on Github.
misquia said:
Thanks for the update on the guide. I believe step 5 is missing a part. The mcfg_autoselect_by_uim file is not in the EFSTools download on Github.
Click to expand...
Click to collapse
Yes. I am stuck on the same step. It is returning the below error:
Critical error. Could not find file 'E:\Sony Xperia 5 III\EfsTools-0.14\mcfg_autoselect_by_uim'.
@Forbesii Could you please help/guide on this?
Ignored this step and it still works. The VoLTE and VoWifi both are working now (for Reliance Jio network in India). AMAZING article!
Definitely save it for future.
@Forbesii - On a side note: I am trying to add Airtel mbn (India carrier) file to my Xperia 5 III but it simply doesn't work. Neither VoLTE nor VoWifi. Are there any secondary steps/different command to copy this for SIM 2?
misquia said:
Thanks for the update on the guide. I believe step 5 is missing a part. The mcfg_autoselect_by_uim file is not in the EFSTools download on Github.
Click to expand...
Click to collapse
Thanks for your report, I‘ll update.
anmolkakkar said:
Ignored this step and it still works. The VoLTE and VoWifi both are working now (for Reliance Jio network in India). AMAZING article!
Definitely save it for future.
@Forbesii - On a side note: I am trying to add Airtel mbn (India carrier) file to my Xperia 5 III but it simply doesn't work. Neither VoLTE nor VoWifi. Are there any secondary steps/different command to copy this for SIM 2?
Click to expand...
Click to collapse
I haven’t tested on SIM 2. The second sim at least on Xperia 1 III is not correctly recognized by EFSTools. I might check other methods for the second SIM slot.
Thanks. Will wait to hear back from you.
I tried to install Project Elixir and my phone is hard bricked now... Brick is result of attempting to boot system on TWRP, slot A. Device is in EDL state I guess, because when I connect it by USB, it shows in device manager. I downloaded necessary driver and MiFlash, but I receive information that it can't connect to device: "write time out, maybe device was disconnected". I also removed back cover to find some test spots, but I can't find them. Is it something I can do?
Are you sure you use the right cable? There are USB cables only suitable for charging not for data communication.
user345643234 said:
I tried to install Project Elixir and my phone is hard bricked now... Brick is result of attempting to boot system on TWRP, slot A. Device is in EDL state I guess, because when I connect it by USB, it shows in device manager. I downloaded necessary driver and MiFlash, but I receive information that it can't connect to device: "write time out, maybe device was disconnected". I also removed back cover to find some test spots, but I can't find them. Is it something I can do?
Click to expand...
Click to collapse
This video may help you
You may contact the following person he will surely help you
RKD DEVIL YT OFFICIAL GROUP🗨
Xiaomi | Realme | Oppo | Vivo | Samsung | IPhone | Tecno | Itel | Nokia Etc All Models ➡️ Unbrick_Unlock Service Remotely Via Team viewer⬅️ For Orders Contact Owner only :- https://wa.me/917001105863 ⭐️Official Telegram Channel of RKD DEVIL♥️
t.me
[email protected]
michielm74 said:
Are you sure you use the right cable? There are USB cables only suitable for charging not for data communication.
Click to expand...
Click to collapse
I remember that I used this cable to transfer .zip OS file to phone, so transferring was working under TWRP earlier.
mvikrant97 said:
This video may help you
You may contact the following person he will surely help you
RKD DEVIL YT OFFICIAL GROUP🗨
Xiaomi | Realme | Oppo | Vivo | Samsung | IPhone | Tecno | Itel | Nokia Etc All Models ➡️ Unbrick_Unlock Service Remotely Via Team viewer⬅️ For Orders Contact Owner only :- https://wa.me/917001105863 ⭐️Official Telegram Channel of RKD DEVIL♥️
t.me
[email protected]
Click to expand...
Click to collapse
Unfortunately Mi 11i has different layout of things under the back cover than phone presented in video.
user345643234 said:
I remember that I used this cable to transfer .zip OS file to phone, so transferring was working under TWRP earlier.
Unfortunately Mi 11i has different layout of things under the back cover than phone presented in video.
Click to expand...
Click to collapse
Actually yes I just gave you an idea of how things would work.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
user345643234 said:
I tried to install Project Elixir and my phone is hard bricked now... Brick is result of attempting to boot system on TWRP, slot A. Device is in EDL state I guess, because when I connect it by USB, it shows in device manager. I downloaded necessary driver and MiFlash, but I receive information that it can't connect to device: "write time out, maybe device was disconnected". I also removed back cover to find some test spots, but I can't find them. Is it something I can do?
Click to expand...
Click to collapse
i think Miflash tool wont work in EDL mode, refer this guide this might help you revive your phone :
Download QPST Flash Tool & How to Use it to Flash Firmware on Qualcomm Android Devices
Download all versions of QPST Flash tool and learn how to use the QFIL and Software Download programs to flash firmware files on Qualcomm Android devices.
www.thecustomdroid.com
mvikrant97 said:
Actually yes I just gave you an idea of how things would work.
View attachment 5726623
Click to expand...
Click to collapse
Ok. This layout is also different too. I can't find these two holes under the hood.
asad007 said:
i think Miflash tool wont work in EDL mode, refer this guide this might help you revive your phone :
Download QPST Flash Tool & How to Use it to Flash Firmware on Qualcomm Android Devices
Download all versions of QPST Flash tool and learn how to use the QFIL and Software Download programs to flash firmware files on Qualcomm Android devices.
www.thecustomdroid.com
Click to expand...
Click to collapse
Thanks. Tbh I'm not sure, if it's even in EDL mode, because I noticed that QPST shows infinitely loading green bar in "State" column. Phone reacts to + and power buttons, because when I press it, MiFlash and QPST don't even recognize it properly. When I press - and power buttons, device is recognized in MiFlash. In QPST there is also some info about it.
user345643234 said:
Ok. This layout is also different too. I can't find these two holes under the hood.
Thanks. Tbh I'm not sure, if it's even in EDL mode, because I noticed that QPST shows infinitely loading green bar in "State" column. Phone reacts to + and power buttons, because when I press it, MiFlash and QPST don't even recognize it properly. When I press - and power buttons, device is recognized in MiFlash. In QPST there is also some info about it.
Click to expand...
Click to collapse
Do you have appropriate drivers installed? QD loader 9008 drivers
mvikrant97 said:
Do you have appropriate drivers installed? QD loader 9008 drivers
Click to expand...
Click to collapse
Yes. Before I installed this driver I saw that device is under exclamation/warning mark in device manager. Now there is no warning.
user345643234 said:
Yes. Before I installed this driver I saw that device is under exclamation/warning mark in device manager. Now there is no warni
Click to expand...
Click to collapse
user345643234 said:
Yes. Before I installed this driver I saw that device is under exclamation/warning mark in device manager. Now there is no warning.
Click to expand...
Click to collapse
Please share the screenshot of device manager when your device is connected to the computer.
mvikrant97 said:
Please share the screenshot of device manager when your device is connected to the computer.
Click to expand...
Click to collapse
Ok:
user345643234 said:
Ok:
View attachment 5727943
Click to expand...
Click to collapse
Please follow this guide but you may need paid tools or approach someone who does charge for such services
Follow this link