How to find "hw_soc_version" for a QCom SOC? - General Questions and Answers

I have an Android device with a QComm SDM680 SOC. The QCom part# of the SOC is SM6225.
How do I find the "hw_soc_version" and "soc_version" of the SDM680/SM6225 ?
I've found some general scripts that collate this type of info, like this one. But the SDM680 is not in any of those lists.
I've searched on the rooted device, grepped the kernel logs and the kernel opensource. fastboot getvar all doesn't expose this info either.
Does anybody know how to find these values?

Oh, that's easy. You just run an EDL client, they always ask the HWID.
You don't even need to have a loader for it.
On my EDL client just:
Code:
C:\>edl /l
Found EDL 9008
Serial: 12345678
HWID: 000cc0e100000000, QC: 000cc0e1, OEM: 0000, Model: 0000
Hash: 7be49b72f9e43372-23ccb84d6eccca4e-61ce16e3602ac200-8cb18b75babe6d09
You can also attach a UART while booting.
Code:
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.4-00246-S660LZB-1
S - IMAGE_VARIANT_STRING=Sdm660LA
S - OEM_IMAGE_VERSION_STRING=cibuild
S - Boot Interface: Unknown
S - Secure Boot: Off
S - Boot Config @ 0x00786070 = 0x000001c1
S - JTAG ID @ 0x00786130 = 0x000cc0e1
Note that even though this is a SDM636 the log speaks of 660, but the "JTAG ID" is the correct HWID.
Usually the certs in xbl/abl has the HW_ID in it.
Also:
Code:
Teletex string 11 3007 0000 0000 0000 0000 0000 0000 0000 0000 0000 SOC_VERS
(I've never run into this soc_version before.)
Also, AFAIK, your friendly Firehose loader repository doesn't have a loader for this.
Edit: Oh, you're not looking for the HWID?

Renate said:
Oh, that's easy. You just run an EDL client, they always ask the HWID.
You don't even need to have a loader for it.
On my EDL client just:
Code:
C:\>edl /l
Found EDL 9008
Serial: 12345678
HWID: 000cc0e100000000, QC: 000cc0e1, OEM: 0000, Model: 0000
Hash: 7be49b72f9e43372-23ccb84d6eccca4e-61ce16e3602ac200-8cb18b75babe6d09
...
Edit: Oh, you're not looking for the HWID?
Thanks for the tip. I checked the SAHARA output. It seems that this HWID consists of the MSM_ID+OEM+MODEL. For the SDM680 I got: HW_ID: 0x001b80e100000000 (MSM_ID=0x001b80e1 OEM_ID=0x0000 MODEL_ID=0x0000).
Looking at bkerler's qualcomm_config.py, it seems that the hw_soc_version and hwid are two different things. For example for the SDM660, the msmid entry is 0x08C0E1, with a comment that the soc_hw_version is different:
Code:
0x08C0E1: "SDM660", # 0x30060000 soc_hw_version
Renate said:
Usually the certs in xbl/abl has the HW_ID in it.
Even though it's about the hwid, I looked into this too. It seems that around 2016, the HWID was stored in OU fields in the certificates in the XBL file (see pages 10-11). But after 2019, it is now stored in the metadata of the MBN image (see page 9) within the XBL file. I only mention it because I thought it might prove useful for you.
Curiously, the HWID wasn't in the certs or metadata in my stock ROM's xbl.elf. Strange.
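The field split described in this post, as an added Python example that is not part of the original thread: it separates a Sahara HW_ID into MSM_ID/OEM_ID/MODEL_ID, checks whether the part is "stamped", and pulls the JTAG ID and Secure Boot state out of UART log lines. Reading the MSM_ID with the IEEE 1149.1 IDCODE layout is an assumption, based on the UART log calling the same value "JTAG ID"; the function names and the "On" spelling for Secure Boot are also assumptions.

```python
import re

# Constructed sample: lines in the shape of the UART boot log quoted in this thread.
UART_LOG = """\
S - Secure Boot: Off
S - Boot Config @ 0x00786070 = 0x000001c1
S - JTAG ID @ 0x00786130 = 0x000cc0e1
"""


def split_hwid(hwid):
    """Split a 64-bit Sahara HW_ID into MSM_ID (top 32 bits), OEM_ID and MODEL_ID."""
    value = int(hwid, 16) if isinstance(hwid, str) else hwid
    if not 0 <= value < 1 << 64:
        raise ValueError("HW_ID must fit in 64 bits")
    return {
        "msm_id": value >> 32,
        "oem_id": (value >> 16) & 0xFFFF,
        "model_id": value & 0xFFFF,
    }


def is_stamped(hwid):
    """True when OEM_ID or MODEL_ID is non-zero, i.e. the HW_ID carries an OEM/model stamp."""
    fields = split_hwid(hwid)
    return fields["oem_id"] != 0 or fields["model_id"] != 0


def same_soc(hwid_a, hwid_b):
    """Two HW_IDs describe the same SoC when their MSM_ID halves match."""
    return split_hwid(hwid_a)["msm_id"] == split_hwid(hwid_b)["msm_id"]


def decode_idcode(idcode):
    """Decode the IEEE 1149.1 IDCODE layout: version[31:28] part[27:12] mfg[11:1] marker[0]."""
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "mfg": (idcode >> 1) & 0x7FF,
        "marker": idcode & 1,  # always 1 for a valid IDCODE
    }


def parse_uart_log(text):
    """Extract the JTAG ID and Secure Boot state from a boot log; absent fields stay None."""
    out = {"jtag_id": None, "secure_boot": None}
    for line in text.splitlines():
        m = re.search(r"JTAG ID @ 0x[0-9a-fA-F]+ = (0x[0-9a-fA-F]+)", line)
        if m:
            out["jtag_id"] = int(m.group(1), 16)
        # Assumption: the enabled state is printed as "On"; the thread only shows "Off".
        m = re.search(r"Secure Boot:\s*(On|Off)", line, re.IGNORECASE)
        if m:
            out["secure_boot"] = m.group(1).lower() == "on"
    return out


if __name__ == "__main__":
    for hwid in ("0x001b80e100000000", "0x001B80E10015006D", "000cc0e100000000"):
        f = split_hwid(hwid)
        print(hwid, {k: hex(v) for k, v in f.items()}, "stamped" if is_stamped(hwid) else "unstamped")
        print("  as IDCODE:", {k: hex(v) for k, v in decode_idcode(f["msm_id"]).items()})
    print(parse_uart_log(UART_LOG))
```

The two 0x001b80e1 HW_IDs posted in this thread differ only in the OEM/model half, which is what `same_soc` and `is_stamped` make visible.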

Yahoo Mike said:
For the SDM680 I got: HW_ID: 0x001b80e100000000...
The good news for you is that it's not stamped OEM/model.
There's some chance that this is not SecureBoot.
Which means that any loader that's compatible with your SoC will work.
What does this say: fastboot getvar secure
What does this say: cat /proc/cpuinfo (Just the name line.)
You can also look in the DTB, either decoded or raw, it's at the beginning.
Then there's the other wrinkle that Qualcomm has SDM numbers, MSM numbers and code names for SoCs.
Maybe that cpuinfo will tell you a codename.

Renate said:
The good news for you is that it's not stamped OEM/model.
There's some chance that this is not SecureBoot.
Which means that any loader that's compatible with your SoC will work.
What does this say: fastboot getvar secure
I think SecureBoot is on. I've had to do a test-points recovery a few times - after I tried to run with a patched (and incorrectly signed) ABL.
In fastbootd & bootloader menus, it says SecureBoot is on. And (as you suggested) fastboot utility agrees:
Code:
C:\>fastboot getvar secure
secure: yes
Finished. Total time: 0.001s
Renate said:
What does this say: cat /proc/cpuinfo (Just the name line.)
You can also look in the DTB, either decoded or raw, it's at the beginning.
Then there's the other wrinkle that Qualcomm has SDM numbers, MSM numbers and code names for SoCs.
Maybe that cpuinfo will tell you a codename.
The codename is khaje.
Code:
TB128FU:/ # cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
...<info about 8 processors>...
Hardware : Qualcomm Technologies, Inc KHAJE
That agrees with the run-time /sys/devices/soc0/soc_id value of 518, which is "khaje" according to the stock ROM's /vendor/bin/init.qti.display_boot.sh and /vendor/bin/init.qcom.post_boot.sh.
Curiously, at the beginning of the DTB it says it's "Bengal":
Code:
00 00 00 03 00 00 00 33 00 00 00 00 51 75 61 6C .......3....Qual
63 6F 6D 6D 20 54 65 63 68 6E 6F 6C 6F 67 69 65 comm Technologie
73 2C 20 49 6E 63 2E 20 42 65 6E 67 61 6C 20 31 s, Inc. Bengal 1
47 62 20 44 44 52 20 48 44 2B 20 53 6F 43 00 00 Gb DDR HD+ SoC..
But at offset 0x2A62D0 it changes its name:
Code:
00 00 00 00 00 03 00 00 00 26 00 00 00 00 51 75 .........&....Qu
61 6C 63 6F 6D 6D 20 54 65 63 68 6E 6F 6C 6F 67 alcomm Technolog
69 65 73 2C 20 49 6E 63 2E 20 4B 68 61 6A 65 20 ies, Inc. Khaje
53 6F 43 00 00 00 00 00 00 03 00 00 00 0B 00 00 SoC.............
I can't believe how many different numbers/strings QCom has to describe a SoC: soc_id, codename, hwid, msm_id ... and the ever-elusive hw_soc_version.
Anyway, I'll load up this SoC's firehose program to bkerler's edl. I'll slip in a question about how to query the hw_soc_version. I'll post back any reply.

Yahoo Mike said:
The codename is khaje.
Khajeh is a city in Iran: https://en.wikipedia.org/wiki/Khajeh,_Iran
Yahoo Mike said:
Curiously, at the beginning of the DTB it says...
That's because you are probably looking at multiple DTBs.
You can simply grep/scan for "Qualcomm Technologies".
I don't know why they do that.
The abl scans through them and finds the one that best matches.
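The "multiple DTBs" point above, as an added Python example that is not part of the original thread: instead of grepping for the vendor string, it scans an image for flattened-device-tree headers, validates each one, and reports the root node's "model" property per blob. The sample image is constructed inline (two minimal DTBs carrying the two model strings from the hex dumps in this thread); all function names are hypothetical.

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9
HEADER_LEN = 40  # ten big-endian 32-bit fields (FDT version 17)


def _align4(n):
    return (n + 3) & ~3


def root_model(blob):
    """Return the root node's 'model' string from one FDT blob, or None if absent."""
    (_magic, _total, off_struct, off_strings, _rsv, _ver, _lcv, _cpu,
     size_strings, size_struct) = struct.unpack_from(">10I", blob, 0)
    strings = blob[off_strings:off_strings + size_strings]
    pos, end, depth = off_struct, off_struct + size_struct, 0
    while pos + 4 <= end:
        (token,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if token == FDT_BEGIN_NODE:
            depth += 1
            if depth > 1:          # root properties always precede child nodes
                return None
            pos = _align4(blob.index(b"\0", pos) + 1)   # skip the node name
        elif token == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            name = strings[nameoff:strings.index(b"\0", nameoff)]
            if depth == 1 and name == b"model":
                return blob[pos:pos + length].rstrip(b"\0").decode("ascii", "replace")
            pos = _align4(pos + length)
        elif token != FDT_NOP:     # END_NODE, END or garbage: stop
            return None
    return None


def find_dtbs(image):
    """Return [(offset, totalsize, model)] for every plausible FDT blob in image."""
    found, pos, magic = [], 0, struct.pack(">I", FDT_MAGIC)
    while (pos := image.find(magic, pos)) >= 0:
        if pos + HEADER_LEN <= len(image):
            total, off_struct, off_strings = struct.unpack_from(">3I", image, pos + 4)
            (version,) = struct.unpack_from(">I", image, pos + 20)
            size_strings, size_struct = struct.unpack_from(">2I", image, pos + 32)
            sane = (HEADER_LEN <= total <= len(image) - pos and version >= 16
                    and HEADER_LEN <= off_struct and off_struct + size_struct <= total
                    and HEADER_LEN <= off_strings and off_strings + size_strings <= total)
            if sane:
                try:
                    model = root_model(image[pos:pos + total])
                except (ValueError, struct.error):
                    model = None   # header looked fine but the structure block is damaged
                found.append((pos, total, model))
                pos += total
                continue
        pos += 1                   # magic bytes that are not a real header
    return found


def _make_dtb(model):
    """Build a minimal one-node DTB (constructed test data, not a real device tree)."""
    data = model.encode("ascii") + b"\0"
    strings = b"model\0"
    struct_blk = (struct.pack(">I", FDT_BEGIN_NODE) + b"\0\0\0\0"
                  + struct.pack(">III", FDT_PROP, len(data), 0)
                  + data + b"\0" * (-len(data) % 4)
                  + struct.pack(">II", FDT_END_NODE, FDT_END))
    off_struct = HEADER_LEN + 16           # 16-byte empty memory reservation map
    off_strings = off_struct + len(struct_blk)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, HEADER_LEN, 17, 16, 0, len(strings), len(struct_blk))
    return header + b"\0" * 16 + struct_blk + strings


# Constructed sample image: padding, a "Bengal" DTB, filler, then a "Khaje" DTB.
SAMPLE_IMAGE = (b"\0" * 16
                + _make_dtb("Qualcomm Technologies, Inc. Bengal 1Gb DDR HD+ SoC")
                + b"\xff" * 6
                + _make_dtb("Qualcomm Technologies, Inc. Khaje SoC"))

if __name__ == "__main__":
    for offset, size, model in find_dtbs(SAMPLE_IMAGE):
        print(f"0x{offset:08X}  {size:6d} bytes  {model}")
```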

S/N: 0x7BD1BDD5
HW ID: 0x001B80E10015006D -> HUAWEI
HASH: 0xB25DECD85D217F5D9B53DC3C42EF7846DCEF59DD3E0AF4D12606199F5099FF23D73C3AFFBE5EFBF421A81A197E41FDF5
PBL : 0x00000000
HASH TYPE: SHA384
DEV HASH: 0x0000003AC0D4
CPU : Undefined CPU: 001B80E10015006D

Related

recover bootloader via JTAG

Hi,
I am working on un-bricking my Optimus One (P500) via JTAG, and I need some additional information.
Here is what I did so far:
- created an LPT to JTAG adapter, called the wiggler
- soldered wires to the JTAG pins on the phone's board as shown here
- downloaded openOCD 0.5 and used this configuration file for the wiggler adapter
- started the giveio driver that is in the drivers/ directory of openOCD
- ran the command "openocd --f wiggler.config.file.cfg" and got the following output:
Code:
Open On-Chip Debugger 0.5.0 (2011-08-09-23:21)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.berlios.de/doc/doxygen/bugs.html
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
parport port = 0x378
trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
dcc downloads are enabled
fast memory access is enabled
6000 kHz
Info : clock speed 500 kHz
Error: JTAG scan chain interrogation failed: all zeroes
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: arm9.cpu: IR capture error; saw 0x00 not 0x01
Warn : Bypassing JTAG setup events due to errors
Info : Embedded ICE version 0
Error: unknown EmbeddedICE version (comms ctrl: 0x00000000)
Info : arm9: hardware has 2 breakpoint/watchpoint units
- ran "telnet localhost 4444" and tried issuing debugging commands via jtag
In general I was following the steps described in this wiki. What I saw is that they have certain binary files for their phone which I wasn't able to find for Optimus:
- the IPL and SPL bootloader image files (hboot.img)
- radio image files (radio.img)
- full recovery images
Does anyone know where can we get the same files for Optimus phones? I imagine they can be read off a working phone. Anyone knows how to do this?
Additionally, was anyone able to configure openOCD to work with the MSM7227 chip in this phone? I can't seem to get it to detect the ARM cpu inside it.
Finally, here are some photos of my LPT <-> wiggler <-> JTAG setup.
Suggestions, help, pats on the back appreciated.
Nice! I haven't seen much in the way of hardware work on our phones. I'd be interested in any progress that you make on this. I wish that I could offer more than the pat on the back, but my experience with JTAG is minimal. In any case, good luck!
Sent from my LG-P500 using XDA App
Forgive for my English... I have connected phone to jtag as me to fill in bootloader?
photo my connected i.imgur.com/vUdUV.jpg
myk777 said:
Forgive for my English... I have connected phone to jtag as me to fill in bootloader?
photo my connected i.imgur.com/vUdUV.jpg
my openocd.cfg
---------------------------------------------------
interface parport
parport_port 0x378
parport_cable wiggler
jtag_khz 6000
reset_config trst_and_srst srst_pulls_trst
#dream information (or something near it)
set _CHIPNAME lolololo
set _ENDIAN little
set _CPUTAPID 0x12345678
jtag newtap lololo cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID
------------------------------------------------------------
some updates
In this message I will try to summarize what we have so far...
[1]
myk777 was able to establish an LPT <-> JTAG connection via the wiggler. Here are the connections he made:
i.imgur.com/vUdUV.jpg
[2]
He also identified the to be ARM1136 with the tap ID 0x203c00e1.
OpenOCD 5.0 contains the configuration file for ARM1136 in the following location:
openocd-0.5.0/target/imx31.cfg
The full documentation for ARM1136 is available here:
google DDI0211K_arm1136_r1p5_trm.pdf
What remains to be done:
A. Configure openocd to use the wiggler and the imx31 to target the ARM1136 chip
B. Try to execute the initial bootloader code (using openocd debugger)
C. Find the binary dumps of the bootloader code for this phone, and try to rewrite it
For A I have the following suggestion:
- set the CPUTAPID=0x203c00e1
- launch openocd with something like this:
openocd -f wiggler.config.file.cfg -f target/imx31.cfg
Has failed flash memory. Has given on repair to service.
Hi guys!
This thread is the closest to my problem with Samsung Galaxy Mini S5570 model. I was on forum with this phone but there I couldn't find any "deeper" thread (most of them ends with "use RiffBox").
So, I have built Clone Wiggler, solder down wires to the JTAG pads and establish connection with bricked phone. Here is what I got from the OpenOCD after start:
Code:
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
adapter speed: 500 kHz
Info : clock speed 500 kHz
Info : JTAG tap: MSM7227.cpu tap/device found: 0x203c10e1 (mfg: 0x070, part: 0x03c1, ver: 0x2)
Warn : gdb services need one or more targets defined
Here is OpenOCD config file:
Code:
interface parport
parport_cable wiggler
adapter_khz 500
#debug_level 3
# CPU settings
set _CHIPNAME MSM7227
set _CPUTAPID 0x203c10e1
#set _ENDIAN little
jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID
And output from "jtag init" and "scan_chain" after telnet localhost 4444:
Code:
telnet localhost 4444
> jtag init
JTAG tap: MSM7227.cpu tap/device found: 0x203c10e1 (mfg: 0x070, part: 0x03c1, ver: 0x2)
> scan_chain
TapName Enabled IdCode Expected IrLen IrCap IrMask
-- ------------------- -------- ---------- ---------- ----- ----- ------
0 MSM7227.cpu Y 0x203c10e1 0x203c10e1 4 0x01 0x0f
S5570 has MSM7227 Qualcomm chip and 4Gb OneNand KAT007012C - BRTT flash. I'm aware that there is no luck with OneNAND and OpenOCD, but I still have the hope and strong will
My OpenOCD version is latest 0.6.1
Any reply is more than welcome and thanks in advance.
I have read that MSM7227 has several cores that operate separately. One core is arm9 (modem processor) and the second is arm11 (applications) ... so configuration file is changed and with this OpenOCD config, JTAG is connected to the arm9 modem processor:
Code:
interface parport
parport_cable wiggler
adapter_khz 300
reset_config trst_and_srst srst_pulls_trst
#debug_level 3
# CPU settings
set _CPUTAPID 0x203c10e1
set _TARGETNAME arm9.cpu
set _ENDIAN little
# create jtag
jtag newtap arm9 cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID
# create target
target create arm9 arm926ejs -endian $_ENDIAN -chain-position $_TARGETNAME
Here is output from the OpenOCD:
Code:
Open On-Chip Debugger 0.6.1 (2012-11-04-19:22)
Licensed under GNU GPL v2
For bug reports, read
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
adapter speed: 300 kHz
trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
arm9
Info : clock speed 250 kHz
Info : JTAG tap: arm9.cpu tap/device found: 0x203c10e1 (mfg: 0x070, part: 0x03c1, ver: 0x2)
Info : Embedded ICE version 6
Info : arm9: hardware has 2 breakpoint/watchpoint units
After power is attached to the phone I have to press few times power button (not sure about that - screen just flashes) and then press Power + Volume down + Home buttons. Screen is still black but the phone is nicely recognized by the OpenOCD. The next step is "telnet localhost 4444". Every few seconds GDB was printing some lines so I typed in "reset" and "halt". Here are few commands to show the output:
Code:
> halt
Jazelle debug entry -- BROKEN!
invalid mode value encountered 0
ThumbEE -- incomplete support
cpsr contains invalid mode value - communication failure
Polling target failed, GDB will be halted. Polling again in 100ms
target was in unknown state when halt was requested
target state: halted
target halted in ARM state due to debug-request, current mode: Abort
cpsr: 0x200000d7 pc: 0x003679e0
MMU: disabled, D-Cache: disabled, I-Cache: disabled
Polling succeeded again
> arm9 curstate
halted
> arm9 mdb 2000 100
0x000007d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000007e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000007f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000800 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 ................
0x00000810 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 ................
0x00000820 02 00 00 ea 18 28 6f 01 00 00 00 00 3c 45 26 00 .....(o.....<E&.
0x00000830 01 70 a0 e1
> arm reg
System and User mode registers
r0: fffffffb r1: 002fff30 r2: 00000f80 r3: 000000ff
r4: ffffff00 r5: 000000ff r6: 003788cc r7: 0038fabc
r8: 00390320 r9: 00000000 r10: 002fffb0 r11: 00000040
r12: 00390320 sp_usr: ffffffe0 lr_usr: e1a0a002 pc: 003679e0
cpsr: 200000d7
FIQ mode shadow registers
r8_fiq: 000000db r9_fiq: 15c43000 r10_fiq: 00000070 r11_fiq: 00000000
r12_fiq: ffff000c sp_fiq: 00000000 lr_fiq: f000b4bc spsr_fiq: 00000010
Supervisor mode shadow registers
sp_svc: 00000000 lr_svc: 00017118 spsr_svc: 000000d7
Abort mode shadow registers
sp_abt: 002fff1c lr_abt: 0046c140 spsr_abt: 000000d3
IRQ mode shadow registers
sp_irq: 40000030 lr_irq: 009ee8dd spsr_irq: 00000010
Undefined instruction mode shadow registers
sp_und: fffffffc lr_und: ffff0008 spsr_und: 000000db
Well, I hope that Clone wiggler actually communicate with my hard bricked phone. What is the next step and how to unbrick the phone? Please guys give me some hint to move on because I can barely find any quality info about unbricking procedure for S5570. I'm stuck at this point.
In theory bootloader should be loaded to the memory and then written to the NAND (actually OpenNAND). Or is it possible to load a program and run it from OpenOCD to enable communication with Odin?
Thanks in advance and any feedback is more than welcome.
dbunic said:
Hi guys!
This thread is the closest to my problem with Samsung Galaxy Mini S5570 model. I was on forum with this phone but there I couldn't find any "deeper" thread (most of them ends with "use RiffBox").
So, I have built Clone Wiggler, solder down wires to the JTAG pads and establish connection with bricked phone. Here is what I got from the OpenOCD after start:
Code:
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
adapter speed: 500 kHz
Info : clock speed 500 kHz
Info : JTAG tap: MSM7227.cpu tap/device found: 0x203c10e1 (mfg: 0x070, part: 0x03c1, ver: 0x2)
Warn : gdb services need one or more targets defined
Here is OpenOCD config file:
Code:
interface parport
parport_cable wiggler
adapter_khz 500
#debug_level 3
# CPU settings
set _CHIPNAME MSM7227
set _CPUTAPID 0x203c10e1
#set _ENDIAN little
jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID
And output from "jtag init" and "scan_chain" after telnet localhost 4444:
Code:
telnet localhost 4444
> jtag init
JTAG tap: MSM7227.cpu tap/device found: 0x203c10e1 (mfg: 0x070, part: 0x03c1, ver: 0x2)
> scan_chain
TapName Enabled IdCode Expected IrLen IrCap IrMask
-- ------------------- -------- ---------- ---------- ----- ----- ------
0 MSM7227.cpu Y 0x203c10e1 0x203c10e1 4 0x01 0x0f
S5570 has MSM7227 Qualcomm chip and 4Gb OneNand KAT007012C - BRTT flash. I'm aware that there is no luck with OneNAND and OpenOCD, but I still have the hope and strong will
My OpenOCD version is latest 0.6.1
Any reply is more than welcome and thanks in advance.
Hello there!
Did you finish with success? I am planning to try to recover the same phone but with h-jtag.
Any help welcome
szakiz said:
Hello there!
Did you finish with success? I am planning to try to recover the same phone but with h-jtag.
Any help welcome
Unfortunately no, phone was fixed with riffbox. Thread was inactive for a while and I didn't have success with inspecting/fixing boot loader via Jtag interface. Hope you will have more luck. Cheers!

[Q] How to convert NDumpCE6 img to bin

Hi all,
I got a new in-car navigation system. It has WinCE 6 installed (Blaupunkt New York 800, which is mostly a rebranded ADVENT ADVUV630).
Now, for troubleshooting'n'stuff I've made a dump from that device using NDumpCE6. I want to use this dump to load it into the Windows CE Emulator from Microsoft.
is there any chance to get it to work?
i got 4 Dumps over all:
Complete Disk: (CF-Card)
DSK1.img - 249 MB (261.095.424 Bytes)
First 16 Hex Values: e9 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Then, I also dumped all partitions separately:
Part00.img - 41,2 MB (43.251.712 Bytes)
First 16 Hex Values: fe 03 00 ea 29 2a 28 00 2a 2a 29 00 2a 2a 2a 00
Part01.img - 30,7 MB (32.243.712 Bytes)
First 16 Hex Values: eb 76 90 45 58 46 41 54 20 20 20 00 00 00 00 00
Which equals to : .vEXFAT (<<< So thats interesting...)
Part02.img - 174 MB (182.976.512 Bytes)
First 16 Hex Values: eb fe 90 4d 53 57 49 4e 34 2e 31 00 08 01 20 00
Which equals to : ...MSWIN4.1....
And a little further : 20 20 46 41 54 33 32 20 20 20 00 00 00 00 00 00
: FAT32 (<<< So thats also interesting...) NOT Anymore - its a Microsoft Windows Boot Record (http://thestarman.pcministry.com/asm/mbr/MSWin41BRinHexEd.htm )
So PART02 seems to hold the boot partition....
Update: Funny thing - i just tried to mount part02.img into DAEMON-Tools - and guess what: it works!
i found one Directory called: CE69
In that Folder i found some Files and other Folders...
arial-uni2.1.ttf
Bluetooth.dll
CE69.EXE
DriveInterfaceCTL.dll
HYDIB.DLL
INIFILE.DLL
INSTALL.INI
Memory.dll
MFCCE400.DLL
MPU.BIN
OSCtrl.exe
Protocol.dll
RunAppPath.txt
SAMPLE.DUI
SYSTEM.INI
UIContainer.dll
UIDesignerDLL.dll
UIFC.DLL
Upgrade.exe
XMRadio.dll
uifilters <FOLDER>
Resource <FOLDER>
Things I tried already:
Use dumprom.exe to extract anything. Well i got something out of the first partition - but thats only some wince files:
binfs.dll
BINFSCheck.dll
boot.hv
busenum.dll
ceddk.dll
coredll.dll
default.hv
device.dll
devmgr.dll
filesys.dll
flashdrv.dll
fsdmgr.dll
hd.dll
i2c.dll
initdb.ini
initobj.dat
k.ceddk.dll
k.coredll.dll
k.fpcrt.dll
kernel.dll
mspart.dll
nk.exe
oalioctl.dll
osaxst0.dll
pm.dll
regenum.dll
romfsd.dll
sdbus.dll
sdhc.dll
sdmemory.dll
servicesd.exe
user.hv
utldrv.dll
wince.nls
okay - im now try to find something out about that exfat dump and if i could load it somehow...
ofcourse, any help is very welcomed ;-)
Hello,
I may be able to help you as I have the advuv630, but I am curious how do you get the NdumpCE6 to run in the first place on your unit? I see everyone saying "run it" but never how lol.... like do you name it something special and put it on sd card or something?
--thesh0ck
wow, 2012 this post. well to revive if possible, any luck. Messing with my wince head unit in my truck

[GUIDE] How to unlock the bootloader (alternate method)

Well, this method is different from the paid method that is forbidden by the forum.
The alternate method is simply explained in Chinese at the following website.
Chinese write-up of this method: https://hikaricalyx.com/2018/04/03/nokia-7-bootloader-unlock-test/
As far as I know, this method tested on following models:
- Nokia 6.1 (TA-1054 only)
- Nokia 7
- Nokia 8
- Sharp Aquos S2
WARNING! THIS METHOD IS PRETTY COMPLICATED AND DANGEROUS!
I'M NOT RESPONSIBLE FOR BRICKING THE DEVICE! DO IT AT YOUR OWN RISK!
FIH made Android Phones with Android 7.x pre-installed can unlock the phone with the method I mentioned.
Preparations:
- Your phone must have Android 7.x running, or you're able to downgrade abl/xbl provided with Android 7.x firmware with other methods.
You can find an excuse at service point to let them downgrade for you, like "My work application is incompatible with Android 8.0" or something.
But Nokia 6.1 Android One Global Variant has Android 8.0 installed out of factory, so it's not likely possible.
Install following software on your PC.
- Patched OST LA 6.0.4: https://drive.google.com/open?id=1n91aYT9Di6_v4F3Wjlv8TjfeLc64AcYA
To install it properly, extract the archive and right click on setup.bat, run it with Administrator privileges. You may want to reinstall every Visual C++ Redistributable Runtime.
- QPST, the newer the better, I personally choose 2.7.460, the latest version should be 2.7.472.4. You can find it by simply Googling.
- A Hex editor. You can choose HxD or any other professional Hex Editor like UltraEdit.
And of course, the stock firmware for your phone. For example, I’ve posted the stock firmware for Nokia 7 on xda-developers Nokia 7 forum.
Since the guide involves the proprietary tool OST LA, it only works on Windows. I recommend you use latest Windows 10 stable release to finish the guide.
Minimal OS: Windows 7 Service Pack 1 with latest updates installed, both 32bit and 64bit are acceptable
Let’s get started.
Part 1: Before Unlocking
1. Backup your data on the phone, and logout your Google Account if you’ve logged in.
2. Enable Allow OEM Unlocking and USB Debugging to make following procedure convenient.
3. Extract early stock firmware or I'll upload required abl (to be added).
Part 2: Flash Service abl/xbl
You have multiple methods to flash abl/xbl.
If your phone is running Android 7.1, you can use old "Edit Phone Information" method I mentioned on Nokia 6 forum.
But let me tell you a method to flash service bootloader.
1. Enter fastboot mode (Download mode), and check which slot are you using.
Code:
fastboot getvar current-slot
I assume your current slot is A.
2. Now calculate the md5 checksum of your serial number. For example, the md5 checksum of PL2GAM1234567890 is 154b7ad463038ec186aafa5909505695.
If you have no idea about your serial number, execute this command:
Code:
fastboot devices
Expected output:
Code:
PL2GAM1234567890 fastboot
Of course your serial number can't be PL2GAM1234567890, I'm just making an example.
3. Execute these commands to flash service abl and xbl:
Code:
fastboot oem dm-verity 154b7ad463038ec186aafa5909505695
fastboot flash abl_a D:\C1N-0-0430-abl_service.elf
fastboot flash xbl_a D:\C1N-0-0430-xbl_service.elf
If the fastboot returns "unknown command" when executing first command, your phone is running Android 8.x.
Try to downgrade the abl with disassembly and wire trick to EDL.
You'll realize how to achieve that when reading Part 4.
The service abl and xbl are extracted from Nokia 7 stock firmware, which can be also used on Nokia 6.1.
4. Reload the service bootloader:
Code:
fastboot reboot-bootloader
Part 3: Enter EDL mode
Skip this part if you can use wire trick to trigger EDL mode.
Execute these commands:
Code:
fastboot oem dm-verity 154b7ad463038ec186aafa5909505695
fastboot oem reboot-edl
Part 4: Dump a partition
1. Check Device Manager, "Port (COM and LPT)" category to see if your phone is listed as HS-USB QDLoader 9008 (COMx).
If it's listed as HS-USB Diagnostics 9008 or QUSB__BULK in "Universal Serial Bus devices", you need to update the driver manually to HS-USB QDLoader 9008 (COMx), then force reboot your phone and re-enter the EDL mode.
2. Open QFIL, and load the firehose file from stock firmware.
If you're using Nokia 8, you'll also need to change the storage type to UFS in FireHose Configuration.
3. Click "Tools" - "Partition Manager", and click OK.
4. Find deviceinfo (not devinfo) partition, right click on it and click "Manage Partition", then click "Read Image". This will dump deviceinfo partition.
Dumped deviceinfo partition will be placed at "%AppData%\Qualcomm\QFIL\COMPORT_*" with filename like this:
ReadData_eMMC_Lun0_0xb828_Len2048_DT_15_04_2018_15_16_32.bin
5. Use a Hex Editor and jump to offset 0x5101, data will be looked like this:
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00005000 02 50 ED 13 EF C4 07 C3 67 3B CC 83 E1 7F 0B 7E
00005010 CC 40 DD DF 66 6A E8 52 F4 E8 78 7C 8B 87 CC DC
00005020 0F 45 EE F7 E9 71 E6 B0 DE 53 6E 97 84 10 EA 15
00005030 F3 78 07 B4 30 87 29 E3 1B DF 96 31 DE 30 1B 46
00005040 EC D3 33 F5 19 1D 56 EE 0A 5A A9 48 8D A1 83 80
00005050 F6 BA 29 AC 1A 10 BF FD A9 64 D5 79 4D C2 AF 9B
00005060 BD 62 87 49 07 A6 CB 88 22 6D 8C 65 10 94 CD 2F
00005070 3B B7 0C C9 91 92 67 F5 02 17 32 55 4C 5E 8B E7
00005080 1B 4D 70 65 61 46 CB 63 F4 C3 EE F8 45 E0 8D 48
00005090 6B 1E 1C FB 0C 94 48 BB FE AF 01 98 4F 47 4D 3A
000050A0 2A 5F 7F 3E 1E 49 C9 6D 4A 11 A5 19 D6 F1 E7 91
000050B0 5D B6 C8 A4 FA AA 15 BB 69 5F 8B C8 72 2A DD A5
000050C0 D0 DC 8B 4E 33 C8 20 57 6D D5 B8 D4 BF 17 0E B1
000050D0 30 5B 3E 13 BC FF 08 10 4C E2 3E 12 9F 9A A6 54
000050E0 6B D8 DE 98 D4 D7 44 37 7C 6D 43 CA A4 BA D9 C7
000050F0 BB F1 1F 12 90 8D 0D 4B 1B 1E 04 69 69 FD 44 1B
00005100 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
If data exists between 0x5000 and 0x5100, you'll be able to use this method to unlock. Modify the value of 0x5101 to 0xFF like this:
Data above are shown for example. You can't use it and you must use your own deviceinfo.
Code:
00005100 06 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00
6. Save it as deviceinfo_mod.bin to another place and use QFIL to write it back.
Click "Load Image" and choose your deviceinfo_mod.bin. This will write modified deviceinfo back to your phone.
7. Close QPST and reboot your phone to fastboot mode (Download mode).
Part 5: Unlock the phone
1. Remember to keep the OST LA opened to make sure your phone will stay at Download mode.
2. Execute following commands:
Code:
fastboot oem dm-verity 154b7ad463038ec186aafa5909505695
fastboot oem cert_timecount get
If the output cert_timecount is not zero, you can proceed. Otherwise, execute these commands and check again:
Code:
fastboot flash deviceinfo D:\deviceinfo_mod.bin
fastboot reboot-bootloader
3. Then unlock your phone with following commands:
Code:
fastboot oem dm-verity 154b7ad463038ec186aafa5909505695
fastboot flashing unlock_critical
(Do confirmation on your phone)
fastboot oem dm-verity 154b7ad463038ec186aafa5909505695
fastboot oem unlock-go
(Do confirmation on your phone again)
Now your phone is fully unlocked with not serious typo:
Your device has been unlocker and cann't be trusted.
ID: PL2GAM1234567890
Your device will be continue in 5 seconds.
Part 6: Restore to stock
You may not be able to install further OTA update unless you switch the slot to previous build and update again, or reinstall stock firmware.
To switch the slot, check your current slot with this command (I assume the current slot is A):
Code:
fastboot --set-active=_b
Then reboot your phone and reinstall OTA update.
To reinstall stock firmware, follow the guide on Nokia 7 plus forum:
https://forum.xda-developers.com/nokia-7-plus/how-to/workaround-flashing-oreo-firmware-t3793791
Required service abl/xbl and firehose for Nokia 6.1 and Nokia 7:
https://drive.google.com/open?id=1lN24vWc8edc_i9BINRTyg-bsNpsKfqCs
Extract password is "WLBGFIH123" (without quotes)
Special thanks:
@heineken78 for Sharp Aquos S2 bootloader unlock
Hello and thanks for sharing.
One question: How can we extract the abl/xbl services as well as firehose from stock rom?
I have a Nokia 2 and would very much like to unlock it.
I did extract the source rom (and also boot.img, system.img, recovery.img), but i don't know how to get the abl/xbl services and firehose firmware.
Can you help me on that?
Thanks
Hi,
Today I was brave enough to risk and dump 200$(TA-1054) in the garbage.
I've followed the procedure up to the modified deviceinfo upload.
For me QFIL wasn't writing the modified bin file on the device unless it's in the folder %AppData%\Qualcomm\QFIL\COMPORT_ (working directory)
After writing it, though, the rest was up to the letter.
I'm currently updating to 8.0 and will post feedback how it works after the updates.
Also, for some reason, I don't have _b slot. Should I worry ?
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot --set-active=_b
Setting current slot to 'b'...
FAILED (remote: Invalid Slot Suffix)
finished. total time: -0.000s
Edit:
The phone is now updated to 8.1 august patch.
Everything I've tested since yesterday works as before, except wi-fi hotspot (I've read it's some 8.1 issue) mobile data. I'll do some testing to try and figure out where this problem came from.
Edit2:
For some reason mobile data is not working after installing august update. Restored it back to July update and everything seems to be ok(including wi-fi hotspot).

[NB1-Collision] [Alternate method] How to unlock the bootloader of Nokia 5 and 6

Like the alternate Nokia 8.1 Bootloader Unlock method before, here's what you need:
- TWRP accessibility with proper bootloader downgrading. You must use Chinese 7to TWRP I posted last year (In Nokia 6 Root Guide) to achieve this (either 3.1.1 or 3.2.1 are OK), so downgrading the bootloader back to Nougat is necessary.
If your phone still stay at Android 7 or 8, great, you're welcome to NB1-Collision method.
As I've introduced in Nokia 8.1 forum:
Since it uses the unlock key from Nokia 8 and I tricked the phone as Nokia 8, I called the unlock method "NB1-Collision".
The identification to verify if the unlock key valid is located at deviceinfo partition, and here are the offsets:
SN: 0x00000010
IMEI1: 0x00002010
Still, editing the IMEI1 here will not change the actual IMEI stored at NVRAM, so you can't use this to do anything illegal.
If you know the point, you can unlock your phone without reading this guide. In case you don't, let me tell you how.
Part 0: Obtain an official unlock key for Nokia 8, and you must know its IMEI1 and SN
Same as before, I will not provide mine, please do it yourself.
Part 1: Boot to TWRP
Skip this part if you can boot to TWRP already. Just boot to TWRP and do Part 2.
To make sure the phone will definitely boot to TWRP with proper signature, you can flash TWRP to boot partition directly:
Code:
fastboot oem dm-verity (md5)
fastboot flash aboot /path/to/D1C-0-331A-emmc_appsboot_service.mbn
fastboot reboot-bootloader
fastboot oem dm-verity (md5)
fastboot flash boot /path/to/7to-twrp.img
The extraction password of the service bootloader zip is "WLBGFIH123", in case you want to know.
Then reboot to the TWRP:
Code:
fastboot reboot
OK, now you've entered the TWRP.
Part 2: Dump the deviceinfo partition and hack it
If you're familiar with adb commands, here's how:
Code:
adb shell dd if=/dev/block/bootdevice/by-name/deviceinfo of=/tmp/deviceinfo.img
adb pull /tmp/deviceinfo.img
The rest of the procedure is straightforward. Use a Hex Editor to edit the deviceinfo partition:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 46 49 48 45 32 50 5F 42 00 00 00 00 01 00 00 00 FIHE2P_B........
00000010 4E 42 31 47 41 44 32 37 38 30 30 31 32 33 34 35 NB1GAD2780012345
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00002000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002010 31 32 33 34 35 36 37 38 39 30 31 32 33 34 37 00 123456789012347.
00002020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 00 xxxxxxxxxxxxxxx.
And save it as deviceinfo_mod.img.
Push it back to your phone, along with new version of emmc_appsboot, either service or retail are OK - you can extract it from recent OTA packages.
Code:
adb push /path/to/deviceinfo_mod.img /tmp/d1
adb push /path/to/D1C-0-562H-emmc_appsboot.mbn /tmp/d2
adb shell dd if=/tmp/d1 of=/dev/block/bootdevice/by-name/deviceinfo
adb shell dd if=/tmp/d2 of=/dev/block/bootdevice/by-name/aboot
adb reboot bootloader
Part 3: Unlock the bootloader
Code:
fastboot flash unlock /path/to/unlock.key
fastboot flashing unlock_critical
Your phone will reboot immediately. Don't stop right here, execute the following command straight away:
Code:
fastboot oem alive
When fastboot responds OKAY, please proceed:
Code:
fastboot flash unlock /path/to/unlock.key
fastboot oem unlock-go
All done. Your phone has unlocked bootloader.
Part 4: Restore original deviceinfo and reinstall stock firmware with OST LA
Code:
fastboot flash deviceinfo /path/to/deviceinfo.img
I needn't mention how to flash stock firmware with OST LA or NOST.
FYC, firmware can be downloaded from https://fih-firmware.hikaricalyx.com/hmd_en.html#d1c .
Good luck then!
Special thanks to HMD Global for releasing official Nokia 8 bootloader unlock, otherwise it would be impossible.
I was thinking about this method before you released it. But no one provided me the unlock.key, so I cancelled my research into this method. But thanks for your effort.
Elvaa said:
I was thinking about this method before you released it. But no one provided me the unlock.key, so I cancelled my research into this method. But thanks for your effort.
You can ask for an existing unlock key requested, before the_laser got banned here as alternate method.
But you also need to know its IMEI1 and SN.
So, you can't flash new emmc_appsboot after you hacked deviceinfo partition.
You can upload the file: deviceinfo.img edited to NB1 and we just need to save the stock deviceinfo.img of the device. And flash directly your deviceinfo.img.
That would be faster
App Unlockbootloader.apk :
Messages Error: Device not support.
???
taicracker said:
You can upload the file: deviceinfo.img edited to NB1 and we just need to save the stock deviceinfo.img of the device. And flash directly your deviceinfo.img.
That would be faster
You can't simply do this. As I mentioned before, deviceinfo partition contains unique and critical credentials for your phone, and it will not accept the credentials from other devices.
Also, deviceinfo partition contains your IMEI, and disclosing IMEI here is strictly forbidden.
The Unlock.key
Can you Explain me Little About The Unlock Key Please
Việt nam
Until now, it is possible to root nokia 6 ta 1021 android 8.1.0

[GUIDE] How to install Android 10 internal update for Nokia 5.1 Plus

WARNING: This package is never meant for non-experienced members!
Chinese translation of this guide is on the way.
Code:
#include <std_disclaimer.h>
/*
* Your warranty is now void. *
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed.
Please do some research if you have any concerns about features included in this ROM before flashing it! YOU are choosing to make these modifications, and if you point the finger at me for messing up your device, I will laugh at you.
*/
We changed the flashing procedure this time, so it will:
- Prevent noobs without any experiences
- Avoid installing many dumb security updates
Target: PDA-311A-0-00WW-B02
Now it's available for public.
Please download and install this to your phone via ADB sideload of 874 command: https://android.googleapis.com/pack.../ace851ea59294177f677018648d6c0614317510e.zip
To Chinese Nokia X5 owners: Please convert your phone to Global Nokia 5.1 Plus before flashing, and don't forget to change SKUID to 600WW.
What's the requirement for flashing?
- Nokia 5.1 Plus X5 with Global Android one firmware installed (any version)
- Rooted phone (either MTK-SU or regular root method are OK)
Or:
- The Bootloader is Unlocked
Here's how (if rooted):
Due to the spelling error of the script, the correct one is attached below.
Please replace it to the one inside package, if you want to use "Click_Me_To_Flash.cmd"..
- Download the package and extract it. You'll get 17 img files, and 6 other files.
- Create one directory called "pda-3110" on your phone's internal storage. THIS IS CASE SENSITIVE, so don't use uppercase "PDA".
- Copy all the img files to the pda-3110 directory.
- Execute this under command prompt:
Code:
adb shell
- Check what's your current slot:
Code:
getprop ro.boot.slot_suffix
Take a note whether the slot is "_a" or "_b".
- Grant root permission:
Code:
su
If necessary, grant root permission on the phone. If the grant is successful, you'll see the dollar ($) symbol become a hash (#) symbol.
If your phone is rooted with MTK-SU, you must do this:
- Open Magisk Manager and install Magisk on another slot.
After installation complete, stay at installation complete screen and don't reboot.
- Now execute following commands.
If current slot is "_a", then execute these:
Code:
dd if=/storage/emulated/0/pda-3110/boot.img of=/dev/block/bootdevice/by-name/boot_b
dd if=/storage/emulated/0/pda-3110/cam_vpu1.img of=/dev/block/bootdevice/by-name/cam_vpu1_b
dd if=/storage/emulated/0/pda-3110/cam_vpu2.img of=/dev/block/bootdevice/by-name/cam_vpu2_b
dd if=/storage/emulated/0/pda-3110/cam_vpu3.img of=/dev/block/bootdevice/by-name/cam_vpu3_b
dd if=/storage/emulated/0/pda-3110/cda.img of=/dev/block/bootdevice/by-name/cda_b
dd if=/storage/emulated/0/pda-3110/lk.img of=/dev/block/bootdevice/by-name/lk_b
dd if=/storage/emulated/0/pda-3110/logo.img of=/dev/block/bootdevice/by-name/logo_b
dd if=/storage/emulated/0/pda-3110/md1img.img of=/dev/block/bootdevice/by-name/md1img_b
dd if=/storage/emulated/0/pda-3110/odmdtbo.img of=/dev/block/bootdevice/by-name/odmdtbo_b
dd if=/storage/emulated/0/pda-3110/preloader.img of=/dev/block/bootdevice/by-name/preloader_b
dd if=/storage/emulated/0/pda-3110/scp.img of=/dev/block/bootdevice/by-name/scp_b
dd if=/storage/emulated/0/pda-3110/spmfw.img of=/dev/block/bootdevice/by-name/spmfw_b
dd if=/storage/emulated/0/pda-3110/sspm.img of=/dev/block/bootdevice/by-name/sspm_b
dd if=/storage/emulated/0/pda-3110/system.img of=/dev/block/bootdevice/by-name/system_b
dd if=/storage/emulated/0/pda-3110/systeminfo.img of=/dev/block/bootdevice/by-name/systeminfo_b
dd if=/storage/emulated/0/pda-3110/tee.img of=/dev/block/bootdevice/by-name/tee_b
dd if=/storage/emulated/0/pda-3110/vendor.img of=/dev/block/bootdevice/by-name/vendor_b
If current slot is "_b":
Code:
dd if=/storage/emulated/0/pda-3110/boot.img of=/dev/block/bootdevice/by-name/boot_a
dd if=/storage/emulated/0/pda-3110/cam_vpu1.img of=/dev/block/bootdevice/by-name/cam_vpu1_a
dd if=/storage/emulated/0/pda-3110/cam_vpu2.img of=/dev/block/bootdevice/by-name/cam_vpu2_a
dd if=/storage/emulated/0/pda-3110/cam_vpu3.img of=/dev/block/bootdevice/by-name/cam_vpu3_a
dd if=/storage/emulated/0/pda-3110/cda.img of=/dev/block/bootdevice/by-name/cda_a
dd if=/storage/emulated/0/pda-3110/lk.img of=/dev/block/bootdevice/by-name/lk_a
dd if=/storage/emulated/0/pda-3110/logo.img of=/dev/block/bootdevice/by-name/logo_a
dd if=/storage/emulated/0/pda-3110/md1img.img of=/dev/block/bootdevice/by-name/md1img_a
dd if=/storage/emulated/0/pda-3110/odmdtbo.img of=/dev/block/bootdevice/by-name/odmdtbo_a
dd if=/storage/emulated/0/pda-3110/preloader.img of=/dev/block/bootdevice/by-name/preloader_a
dd if=/storage/emulated/0/pda-3110/scp.img of=/dev/block/bootdevice/by-name/scp_a
dd if=/storage/emulated/0/pda-3110/spmfw.img of=/dev/block/bootdevice/by-name/spmfw_a
dd if=/storage/emulated/0/pda-3110/sspm.img of=/dev/block/bootdevice/by-name/sspm_a
dd if=/storage/emulated/0/pda-3110/system.img of=/dev/block/bootdevice/by-name/system_a
dd if=/storage/emulated/0/pda-3110/systeminfo.img of=/dev/block/bootdevice/by-name/systeminfo_a
dd if=/storage/emulated/0/pda-3110/tee.img of=/dev/block/bootdevice/by-name/tee_a
dd if=/storage/emulated/0/pda-3110/vendor.img of=/dev/block/bootdevice/by-name/vendor_a
- Now back to Magisk Manager.
If your phone is rooted with MTK-SU:
Tap Reboot on installation complete screen now, and enjoy Android 10.
If your phone is rooted with regular method (which is, latest Magisk installed properly):
- Open Magisk Manager and install Magisk on another slot.
After installation complete, reboot immediately. Then you should be able to enjoy Android 10 with rooted state.
And here's how (if bootloader unlocked and prefer flashing via fastboot):
- Download the package and extract it. You'll get 17 img files, and 6 other files.
- Use some hex editor (e.g. HxD) to open preloader.img file, and remove the content from 0x0-0x7FF, save it.
Because fastboot will flash preloader.img file you inputted to the offset 0x7FF of actual fastboot partitions, so we must remove header from preloader.img dump, otherwise it will kill the phone.
- After removing header, file size should be 284,672 bytes (278 KiB).
Content range for reference:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 45 4D 4D 43 5F 42 4F 4F 54 00 00 00 01 00 00 00 EMMC_BOOT.......
00000010 00 02 00 00 FF FF FF FF FF FF FF FF FF FF FF FF ....ÿÿÿÿÿÿÿÿÿÿÿÿ
00000020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000007E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000007F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000800 4D 4D 4D 01 38 00 00 00 46 49 4C 45 5F 49 4E 46 MMM.8...FILE_INF
00000810 4F 00 00 00 01 00 00 00 01 00 05 05 10 0F 20 00 O............. .
And here's after removed:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 4D 4D 4D 01 38 00 00 00 46 49 4C 45 5F 49 4E 46 MMM.8...FILE_INF
00000010 4F 00 00 00 01 00 00 00 01 00 05 05 10 0F 20 00 O............. .
00000020 44 4E 04 00 00 00 08 00 F0 00 00 00 6C 06 00 00 DN......ð...l...
00000030 F0 00 00 00 01 00 60 C2 4D 4D 4D 01 0C 00 01 00 ð.....`ÂMMM.....
00000040 01 00 00 00 4D 4D 4D 01 64 00 07 00 90 00 00 00 ....MMM.d.......
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- Use img2simg to convert system.img and vendor.img into sparse images.
If you're Windows user, please find img2simg binaries yourself.
This is known available by default on Ubuntu and Debian (sudo apt install img2simg).
Code:
img2simg system.img system.simg
img2simg vendor.img vendor.simg
- Check current slot:
Code:
fastboot getvar current-slot
In this case, the current slot is a.
- Flash these partitions (including modified preloader) to the slot you currently have (slot a in this case):
Code:
fastboot flash boot_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/boot.img
fastboot flash cam_vpu1_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/cam_vpu1.img
fastboot flash cam_vpu2_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/cam_vpu2.img
fastboot flash cam_vpu3_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/cam_vpu3.img
fastboot flash cda_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/cda.img
fastboot flash lk_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/lk.img
fastboot flash logo_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/logo.img
fastboot flash md1img_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/md1img.img
fastboot flash odmdtbo_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/odmdtbo.img
fastboot flash preloader_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/preloader_header_removed.img
fastboot flash scp_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/scp.img
fastboot flash spmfw_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/spmfw.img
fastboot flash sspm_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/sspm.img
fastboot flash system_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/system.simg
fastboot flash systeminfo_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/systeminfo.img
fastboot flash tee_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/tee.img
fastboot flash vendor_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/vendor.simg
fastboot -w reboot
- After reboot, enjoy Android 10.
Download link:
AFH: https://www.androidfilehost.com/?fid=4349826312261767469
SHA256 Checksum: f000263c677ff7f0963a34ece67ecaa2ceb16089e3aa1887dddbbe20d46d590c
FAQ
Q1: Why you don't just leak OTA packages like before?
A1: This time I don't want to make my life harder in the future.
Q2: When Android 10 will be pushed to my country?
A2: I don't know. I even don't know when HMD Chinese localization team will be back. So no hope for localized Android 10 for Nokia X5 now.
Q3: How can I rollback to Android 9 if not satisfied?
A3: If not bootloader unlocked, switch the slot back to A under fastboot mode, then flash the phone with SP Flash Tool (Download only). Always back up the whole emmc for the worst case.
If unlocked, use NFT featured on Nokia 7.2 forum: https://forum.xda-developers.com/nokia-7-2/development/tool-nft-1-0-1-nokia-flash-tool-to-t4003267
Q4: How can I unlock the bootloader?
A4: It's paid method and how to request cannot be disclosed here, or it will violate the rules of XDA.
Q5: My phone is bricked!
A5: I'm not responsible at all. We tested it on Nokia X5 sold in China already.
Q6: Can I use GCam?
A6: No. Nokia 5.1 Plus X5 doesn't support Camera2API at all, so no GCam.
Q7: What does HCTSW stand for?
A7: Hikari Calyx Tech SoftWare.
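The header-removal step in the fastboot procedure above, as an added example that is not part of the original post or its package: a Python script that strips bytes 0x0-0x7FF only when the EMMC_BOOT and MMM markers sit where the post's hex views show them and the result is 284,672 bytes. The function names and the script name are assumptions made for this example.

```python
"""Strip the 0x800-byte EMMC_BOOT header from a raw preloader dump, with checks."""
import sys
from pathlib import Path
from typing import Optional

HEADER_LEN = 0x800              # bytes 0x0-0x7FF, the range the guide removes
DUMP_MAGIC = b"EMMC_BOOT\x00"   # start of the raw dump in the guide's first hex view
PAYLOAD_MAGIC = b"MMM\x01"      # bytes at 0x800 in the guide's hex view
EXPECTED_SIZE = 284_672         # stripped size the guide gives for this package


class PreloaderError(ValueError):
    """The image does not look like what the guide describes."""


def strip_preloader_header(data: bytes,
                           expected_size: Optional[int] = EXPECTED_SIZE) -> bytes:
    """Return the payload that follows the header, or raise PreloaderError."""
    if data.startswith(PAYLOAD_MAGIC):
        # Stripping twice would silently cut 0x800 bytes of real preloader code.
        raise PreloaderError("header already removed")
    if not data.startswith(DUMP_MAGIC):
        raise PreloaderError("no EMMC_BOOT header at offset 0")
    payload = data[HEADER_LEN:]
    if not payload.startswith(PAYLOAD_MAGIC):
        raise PreloaderError("no MMM\\x01 marker at offset 0x800")
    if expected_size is not None and len(payload) != expected_size:
        raise PreloaderError(
            f"stripped size is {len(payload)} bytes, expected {expected_size}")
    return payload


def make_constructed_dump(payload_len: int) -> bytes:
    """Constructed sample (not real firmware): header padding plus dummy payload."""
    header = DUMP_MAGIC.ljust(HEADER_LEN, b"\x00")
    return header + PAYLOAD_MAGIC.ljust(payload_len, b"\xaa")


def main(argv: list) -> int:
    if len(argv) != 3:
        print("usage: strip_preloader.py preloader.img preloader_header_removed.img")
        return 2
    src, dst = Path(argv[1]), Path(argv[2])
    if dst.exists():
        print(f"refusing to overwrite {dst}")
        return 1
    try:
        payload = strip_preloader_header(src.read_bytes())
    except (OSError, PreloaderError) as exc:
        print(f"not writing anything: {exc}")
        return 1
    dst.write_bytes(payload)
    print(f"wrote {len(payload)} bytes to {dst}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script never modifies the input file, so the original dump stays available if a check fails.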
Reserved #2
Can I roll back to android 9 if I change my active partition to a if installed android 10 on b ??
bx2_nero said:
Can I roll back to android 9 if I change my active partition to a if installed android 10 on b ??
Probably yes, but you need to perform factory reset under stock recovery before switching slot.
Any reported bug by your tester?
bx2_nero said:
Any reported bug by your tester?
CTS probably cannot be passed, which is expected.
After that, didn't see any bug so far.
One known issue:
- This Android 10 build seems cannot be rooted with regular procedure of Magisk Manager.
hikari_calyx said:
One known issue:
- This Android 10 build seems cannot be rooted with regular procedure of Magisk Manager.
That means no payment app will work because of SafetyNet and no magisk so no bypassing that.
hikari_calyx said:
One known issue:
- This Android 10 build seems cannot be rooted with regular procedure of Magisk Manager.
In MTK-SU thread it says that any update after March 20 will block temp root , so I think April security patch fixed the MTK-SU method and it is included in the Android 10 build.
Tips to users who want to downgrade the phone:
- You must perform a regular factory reset on settings (Don't do factory reset on recovery or you will get stuck at FRP lock that requires you to install further updates)
After reset done, don't connect the phone to Internet and just reboot to fastboot mode.
- Switch the slot to A under fastboot mode right after factory reset.
Code:
fastboot --set-active=a
- Use SP Flash Tool to flash any Android 9 firmware on following website:
https://fih-firmware.hikaricalyx.com/hmd_en.html#pda
Any PDA-2***-0-00WW-B** (excluding PDA-209B-0-00WW-B06) are OK. I recommend PDA-214A-0-00WW-B01.
- Skip wifi connection at first boot, or you'll be asked to install latest updates and MTK-SU will be blocked.
- root the phone and follow the guide on topic.
I strongly recommend you, don't login Google account until everything is done.
Three Bugs noticed So far in Android™ 10 beta
1◆ Swiping left (The back button should appear on left) toggles back button on Right side
2◆ Accent color: Color changes for text and not. bar but not in settings
3◆ A white bar appearing above when using apps
To subscribers of this topic:
PDA-311A-0-00WW-B01 minor patch released!
What's new? I don't know - I don't have access to their changelog at all.
But, to install it, you must have PDA-3110-0-00WW-B01 installed and install the package via external SD card. ADB Sideload is unavailable.
https://www.androidfilehost.com/?fid=4349826312261794057
Cannot run su in adb
I have acquired root in phone with mtksu and suboot with magisk, but getting permission denied output when trying to run su in cmd. Should I run mtksu through cmd? I tried doing that but I was getting cannot find su command.
xdriv3r said:
I have acquired root in phone with mtksu and suboot with magisk, but getting permission denied output when trying to run su in cmd. Should I run mtksu through cmd? I tried doing that but I was getting cannot find su command.
Make sure that you have acquired root access by using any root checker, then change the installation to inactive slot in magisk and wait on the same screen after it is successful, it will prompt to reboot.. don't reboot, open cmd and flash A10 beta, 'su' command should give a prompt on your phone to allow root access in adb, allow that, then only you will be able to use the dd commands.
Dm me if you need further assistance.
bx2_nero said:
Make sure that you have acquired root access by using any root checker, then change the installation to inactive slot in magisk and wait on the same screen after it is successful, it will prompt to reboot.. don't reboot, open cmd and flash A10 beta, 'su' command should give a prompt on your phone to allow root access in adb, allow that, then only you will be able to use the dd commands.
Dm me if you need further assistance.
Successfully flashed Android 10 Beta. Thank you all so much.
Is it possible to factory reset the device?
xdriv3r said:
Is it possible to factory reset the device?
After the installation of A10 beta ... absolutely....and it will make it more stable.
bx2_nero said:
After the installation of A10 beta ... absolutely....and it will make it more stable.
I'll factory reset from the Android settings?
xdriv3r said:
I'll factory reset from the Android settings?
Yes you can.
