Question Rooting the Pixel Tablet - Google Pixel tablet

Just finished rooting my new Tablet.
Unlocked bootloader, Flashed new factory image and patched Magisk all by manual methods.
PixelFlasher didn't work as it does on Pixel 7 Pro, so save some time and wait for the official support.
Happy to help if anyone gets stuck.

Thanks for the update. Which file did you patch with Magisk to get root?
Are you passing Safetynet?

Rooted the thing 5 minutes out of the box.
Magisk stable. Passes safety net.
Follow a Pixel 7 rooting thread, use the latest posted images, patch init_boot.img
I disabled verity too in case a custom kernel is done in the future.

bleez99 said:
Rooted the thing 5 minutes out of the box.
Magisk stable. Passes safety net.
Follow a Pixel 7 rooting thread, use the latest posted images, patch init_boot.img
I disabled verity too in case a custom kernel is done in the future.
Would do the same. Thank you

MArtyChubbs said:
Just finished rooting my new Tablet.
Unlocked bootloader, Flashed new factory image and patched Magisk all by manual methods.
PixelFlasher didn't work as it does on Pixel 7 Pro, so save some time and wait for the official support.
Happy to help if anyone gets stuck.
I don't have the tablet, so the support file would greatly help to add official support for it.
Would you be able to provide it?
If not do you recall what exactly happened?
Was it during processing, patching or flashing?
Thanks
Update:
Aside from flashing, which I can't because I don't have the tablet, the latest version of PixelFlasher is able to process, extract init_boot and create a patch without any issues both for factory image and full OTA.
I even went as far as attempting to flash factory (without actually flashing) to inspect the final flashing script, and everything in there looked right.
I don't see how / where it could have failed, based on what I've seen it should work.
Hence a support file would greatly help if there is any issue to identify.
Thanks

just unlocking the bootloader w/PixelFlasher (latest ver.) "corrupted" my Slot B boot (Your device is corrupted) and it refuses to boot (grin).
Also, I'm pretty sure it said "no init_boot found" as part of device info. I can't confirm as I'm not with the tablet today.

ntegra said:
just unlocking the bootloader w/PixelFlasher (latest ver.) "corrupted" my Slot B boot (Your device is corrupted) and it refuses to boot (grin).
Also, I'm pretty sure it said "no init_boot found" as part of device info. I can't confirm as I'm not with the tablet today.
If you could provide a support file from PixelFlasher I can check, and you don't need to repeat the steps to get a support file, just launch PF and hit the support button or from the help menu.
If the unlock command has not changed, I don't see how it would cause that.
All the unlock button does is
if it is in adb mode, it reboots to bootloader mode and then issues the command
fastboot flashing unlock
If it is already in bootloader mode, it just issues the command.
I'm baffled and would really like to get to the bottom of this.

badabing2003 said:
If you could provide a support file from PixelFlasher I can check, and you don't need to repeat the steps to get a support file, just launch PF and hit the support button or from the help menu.
If the unlock command has not changed, I don't see how it would cause that.
All the unlock button does is
if it is in adb mode, it reboots to bootloader mode and then issues the command
fastboot flashing unlock
If it is already in bootloader mode, it just issues the command.
I'm baffled and would really like to get to the bottom of this.
soonest I could provide is 6 hours or so..

@badabing2003 yeah, I'll try to get that support file within the next hour. The tool said everything was successful but it always rebooted back to the bootloader when unlocking the bootloader or flashing a new image, thus I had to do everything manually
Update: @badabing2003 Support file is attached. Thanks!

I plan on rooting mine right away. Did anyone have a delay on their order? I have a trip coming up and it's supposed to arrive the day before.

Thanks @MArtyChubbs and @ntegra for providing support files.
@ntegra
Comments / observations based on your support file.
You started with Pixel 7pro,
You had an error during flashing
Code:
Sending sparse 'vendor_b' 3/3 (130768 KB) FAILED (Error reading sparse file)
fastboot: error: Command failed
rebooting to bootloader ...
Rebooting into bootloader FAILED (Write to device failed (no link))
fastboot: error: Command failed
Sleeping 5-10 seconds ...
flashing pf_boot ...
This is a communication issue: phone unplugged or disconnected during flash, or wire loose, or bad driver / port / cable ...
But then you flashed p7p ok,
Moved to the tablet, which was locked at this point
Code:
Selected Device on 2023-06-20 20:00:50:
Device ID: REDACTED
Device Model: tangorpro
Device Active Slot: a
Device Mode: adb
Has init_boot partition: False
Device is Rooted: False
Device Build: TD2A.230203.028
Device API Level: 33
Device Architecture: arm64-v8a
sys_oem_unlock_allowed: 1
ro.boot.flash.locked: 1
ro.boot.vbmeta.device_state: locked
vendor.boot.verifiedbootstate:
ro.product.first_api_level: 33
ro.boot.verifiedbootstate: green
vendor.boot.vbmeta.device_state:
ro.boot.warranty_bit:
ro.warranty_bit:
ro.secure: 1
ro.zygote: zygote64
ro.vendor.product.cpu.abilist: arm64-v8a
ro.vendor.product.cpu.abilist32:
Device Bootloader Version: tangorpro-1.0-9584303
Magisk Manager Version:
Magisk Path: None
Checked for Package: com.topjohnwu.magisk
You proceeded to unlock the bootloader with PF
Which it did successfully
Code:
Selected Device on 2023-06-21 06:09:09:
Device ID: REDACTED
Device Model: tangorpro
Device Active Slot: a
Device Mode: f.b
Has init_boot partition: False
Device Unlocked: True
One thing to point out, after bootloader unlock, PF keeps the phone in bootloader mode (in case you might want to do other stuff)
But I think people tend to expect it to reboot to system, because I noticed this might have thrown you off seeing it in bootloader mode.
What I'll do for the next release is that unless you select no reboot option, PF should automatically reboot.
Another thing I noticed is that you attempted to create a patch while the phone is in bootloader mode
Which does not work, because that can only work in ADB mode.
In the next version I'll disable the patch button so that when in bootloader mode, you can't press it.
I see that you rebooted to system and the device was unlocked
Code:
Selected Device on 2023-06-21 06:14:41:
Device ID: REDACTED
Device Model: tangorpro
Device Active Slot: a
Device Mode: adb
Has init_boot partition: False
Device is Rooted: False
Device Build: TD2A.230203.028
Device API Level: 33
Device Architecture: arm64-v8a
sys_oem_unlock_allowed: 1
ro.boot.flash.locked: 0
ro.boot.vbmeta.device_state: unlocked
vendor.boot.verifiedbootstate:
ro.product.first_api_level: 33
ro.boot.verifiedbootstate: orange
vendor.boot.vbmeta.device_state:
ro.boot.warranty_bit:
ro.warranty_bit:
ro.secure: 1
ro.zygote: zygote64
ro.vendor.product.cpu.abilist: arm64-v8a
ro.vendor.product.cpu.abilist32:
Device Bootloader Version: tangorpro-1.0-9584303
Magisk Manager Version:
Magisk Path: None
Checked for Package: com.topjohnwu.magisk
Installed Magisk and created a patch.
All good.
You then proceeded to flash with
Flash To Inactive Slot: True
Everything about the flashing went well, but the phone stayed in bootloader mode.
I see now why that happened.
It flashed ok, but then it tried to flash the patched image to boot partition instead of init_boot partition.
PF detects if it needs to flash into init_boot partition or boot partition by doing two checks.
1- If it is defined in PF; up to version 5.3.2.1 the only ones defined are 'panther', 'cheetah', 'lynx', because at the time of the release only those were known (tangorpro added in the next version).
2- By checking partitions and seeing if there is an init_boot partition; this way it would be forward working with future devices, but sadly, due to an oversight, the code was looking for init_boot and expecting to find it, but there are init_boot_a and init_boot_b, and not init_boot (fixed in the next version).
@MArtyChubbs
Flashing your tablet had the same fate as above: PF tried flashing the boot partition instead of init_boot.
Fixed, I should have a release later today.
For anyone who cannot wait, and wants to use PF, all you have to do is before hitting OK to continue flashing, hit the Edit script before continuing button and modify the line
Code:
flash boot pf_boot.img
to
Code:
flash init_boot pf_boot.img
As for unlocking, I don't see errors, but I see that the phone was not detected,
Do you recall exactly what happened? perhaps it was showing the wipe message and hence why it was not really yet to be detected?
Code:
2023-06-20 16:58:12 Unlock Bootloader
*** Dialog ***
WARNING!!! THIS WILL ERASE ALL USER DATA FROM THE DEVICE
Make sure you first read either of the guides linked in the help menu.
Failing to follow the proper steps could potentially brick your phone.
Note: Pressing OK button will invoke a script that will utilize
fastboot commands, if your PC fastboot drivers are not propely setup,
fastboot will wait forever, and PixelFlasher will appear hung.
In such cases, killing the fastboot process will resume to normalcy.
Do you want to continue to Unlock the device bootloader?
Press OK to continue or CANCEL to abort.
______________
2023-06-20 16:58:14 User Pressed Ok.
Rebooting device REDACTED to bootloader ...
Waiting 5 seconds ...
2023-06-20 16:58:31 No Device is selected!
2023-06-20 17:12:46 Scanning for Devices ...
No Devices found.
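
The init_boot detection problem described in the post above (an exact-name match on init_boot when an A/B device only exposes init_boot_a and init_boot_b), as an added example that is not PixelFlasher's own code: a slot-aware check plus the matching rewrite of the pf_boot.img flash line. The partition lists, the sample script and all function names are constructed for illustration.

```python
import re

# Constructed partition listings (illustrative, not taken from the support files).
AB_WITH_INIT_BOOT = ["boot_a", "boot_b", "init_boot_a", "init_boot_b",
                     "vbmeta_a", "vbmeta_b", "super", "userdata"]
AB_BOOT_ONLY = ["boot_a", "boot_b", "vbmeta_a", "vbmeta_b", "super", "userdata"]
NON_AB_WITH_INIT_BOOT = ["boot", "init_boot", "vbmeta", "super", "userdata"]

# Constructed flashing script; only the pf_boot.img line should ever be rewritten.
SAMPLE_SCRIPT = "\n".join([
    "fastboot flash bootloader bootloader.img",
    "fastboot reboot-bootloader",
    "fastboot flash boot pf_boot.img",
    "fastboot reboot",
])

_SLOT_SUFFIX = re.compile(r"_(a|b)$")
_FLASH_LINE = re.compile(
    r"^(?P<pre>.*\bflash\s+)(?P<part>boot|init_boot)(?P<post>\s+pf_boot\.img\s*)$"
)


def logical_names(partitions):
    """Drop a trailing _a/_b slot suffix so A/B and non-A/B layouts compare equal."""
    return {_SLOT_SUFFIX.sub("", p.strip()) for p in partitions if p.strip()}


def naive_has_init_boot(partitions):
    """Exact-name match: misses init_boot_a / init_boot_b on A/B devices."""
    return "init_boot" in partitions


def has_init_boot(partitions):
    """Slot-aware match: true for init_boot, init_boot_a or init_boot_b."""
    return "init_boot" in logical_names(partitions)


def patch_target(partitions):
    """Partition the patched image belongs in: init_boot when present, else boot."""
    return "init_boot" if has_init_boot(partitions) else "boot"


def retarget_flash_script(script, partitions):
    """Rewrite the pf_boot.img flash line to patch_target(); return (script, edits)."""
    target = patch_target(partitions)
    out, changed = [], 0
    for line in script.splitlines():
        m = _FLASH_LINE.match(line)
        if m and m.group("part") != target:
            line = f"{m.group('pre')}{target}{m.group('post')}"
            changed += 1
        out.append(line)
    return "\n".join(out), changed


if __name__ == "__main__":
    for name, parts in [("A/B with init_boot", AB_WITH_INIT_BOOT),
                        ("A/B boot only", AB_BOOT_ONLY),
                        ("non-A/B with init_boot", NON_AB_WITH_INIT_BOOT)]:
        print(f"{name}: naive={naive_has_init_boot(parts)} "
              f"slot_aware={has_init_boot(parts)} target={patch_target(parts)}")
    fixed, edits = retarget_flash_script(SAMPLE_SCRIPT, AB_WITH_INIT_BOOT)
    print(f"{edits} line(s) rewritten:\n{fixed}")
```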

@badabing2003,
Thanks for the response. great program, excellent support. For me, the first p7p failed (I agree with you) due to comm problem. I forget that the USB ports on one side of my laptop are flakey. I watched it bomb out writing system_b (I think) and just moved the cable to the other side and reran the flash to 100%.
For the tablet... I ran unlock twice (was still locked after first attempt). I "want" to say that the "your device is corrupt" was in between the two runs (unlock / reboot / device corrupt / unlock again) but definitely showing corrupt before first flash attempt. After a couple attempts to boot, I put it back into bootloader (and also download & recovery modes) and flashed the patched image, but it didn't help I'm guessing because of the init_boot(_b). Will be patiently waiting (neither slot are booting-grin) for your next release. I'm in no rush.

@badabing2003 I'd like to thank you as well! Love the tool and your excellent support. You and @Freak07 are such an asset to the community as are soo many other devs...

rester555 said:
I plan on rooting mine right away. Did anyone have a delay on their order? I have a trip coming up and it's supposed to arrive the day before.
No, arrived right on time.

MArtyChubbs said:
No, arrived right on time.
Looks like mine is coming on the earliest day of the planned shipping dates.

@MArtyChubbs and @ntegra
PixelFlasher 5.3.2.0 is released which adds support for Pixel Tablet.
There is also a dedicated support thread.
📳🔥PixelFlasher for Google Tablet Support Thread.
This is the support thread of PixelFlasher (PixelFlasher is an open-source self contained GUI tool to facilitate Pixel phone device flashing/rooting/updating with extra features). Note: This thread is meant for issues and problems faced in...
forum.xda-developers.com
Thanks for your support.

badabing2003 said:
@MArtyChubbs and @ntegra
PixelFlasher 5.3.2.0 is released which adds support for Pixel Tablet.
works a treat!

I got my tablet. Made the painstakingly slow mistake of updating the OTA before unlocking. The OTA takes forever.

Got my tablet. Had it rooted in less than 30 minutes.

rester555 said:
I got my tablet. Made the painstakingly slow mistake of updating the OTA before unlocking. The OTA takes forever.
Yep, OTA on a device is very slow and is incremental, especially if you have to flash several times if you are free months behind.
Even if you don't unlock your bootloader, you can sideload OTA in PixelFlasher.

Related

[PROJECT] Real Unbrick for hard-bricked Moto Z Play (addison)

Welcome everyone!
This project has started because we need a real solution for the problem. The problem of hard-bricked Moto devices. It is like a curse.
When my device bricked I have done solid research, I have gathered a lot of information and files essential to revive my cellphone, but 5 years' experience of Linux, rooting, compiling kernels and ROMs wasn't enough to make it work.
But never mind. I am even more determined and I am asking ALL of you guys here to help me. Together we will come to a solution.
Here is what I got, happy reading :
DICTIONARY:
PBL - Primary bootloader of the chip - this is like BIOS for phone so it checks chip for damage and problems and then it tries to load SBL but if SBL is corrupted or checksum doesn't match, PBL invokes Qualcomm HS-USB QDLoader 9008 emergency mode. PBL is hard flashed into SoC and can't be corrupted by firmware.
SBL - Second stage bootloader which is more advanced than PBL. It initializes phone hardware and ABOOT.
ABOOT - Application bootloader (HBOOT). You probably know this one well. Android bootloader.
Full mmcblk0 backup - Backup of whole phone flash storage, byte to byte.
blankflash - method of repairing msm phones in 9008 state
programmer.mbn - Special type of software programmer that is sent to the chip in Qualcomm 9008 emergency mode. There it communicates with the PC via the firehose protocol. Each phone has a set of its own programmers; they are unique to the phone and other programmers don't work. These programmers are signed, so tampering with one results in it not working.
firehose protocol - it is used to tell the programmer what operations it must do on the chip.
singleimage.bin - this package contains instructions for the programmer and the set of files it needs (for example to replace)
gpt_main0.bin - Partition layout
rawprogram0.xml - instructions for programmer
patch0.xml - I don't know yet
STAR.exe - Application for managing and editing contents of singleimage.bin aka blankflash files
QPST - Flash tool from Qualcomm; its basic function is to handle blank-flashing in a better way, also it allows for in-depth debugging of the process
Qualcomm Premium Tool - Program made by Mppg Myanmar that is capable of unlocking bootloader, OEM locks, making backup/restore of chip firmware, handling blank-flashing in a VERY specific way (creating instructions for programmer), reading eMMC structure from firmware (can generate gpt layout so very useful!!!), modifying FW and removing Xiaomi account. It also contains ALL programmers
for more:
https://forum.xda-developers.com/android/general/info-android-device-partitions-basic-t3586565
https://alephsecurity.com/
https://github.com/alephsecurity/firehorse
https://github.com/aravindvnair99/Motorola-Moto-E-XT1022-condor-unbrick
INFO:
1. What causes the brick
I bet 100$ that you hard-bricked your Moto Z Play by installing OTA updates after downgrading firmware. This is only known reason for me at the time of writing this. There is most probable reason why it happens, look:
There are two most common chips on which smartphones are built - Qualcomm and Mediatek. While Mediatek chips are "modification friendly" and simple, Qualcomm chips are somewhat more advanced and have many features that can be enabled or disabled during programming in the factory. One of them is PBL signature checking. During programming of your phone, proper signatures of SBL are written to it. When someone tries to override the default SBL with a new one, its checksums are compared with those stored. If they match, the new one is flashed; if not, then the update does not happen.
Ok, but what it has to do with brick?!
I explain:
1. You decide to downgrade your firmware
2. During flashing, everything goes "well" (Phone boots), but truly the update is partial:
FW in chip is (obviously) more recent than the one you downgrade to, and SBL signature is different (updated), so when it is compared to the signature of SBL from FW you want to flash, it doesn't match. That doesn't raise an error and flashing continues. The only partition that stays untouched is bootloader, but all other partitions get replaced by those in FW zip. SBL is still compatible with the new partition offsets and partition layout overall so phone functions normally.
3. When OTA is executed, it checks the version of currently installed firmware. The most reliable way to do it is to check the checksum of SBL, which is pretty logical because its checksum is like a "fingerprint" of firmware. Normally, if it would detect the old firmware, OTA would be stopped, but newer SBL tricks it and OTA installs anyway.
4. Results are horrible, because OTA does not check GPT table and flashes partitions in bad sectors, corrupting FW.
This causes bootloader to go into Qualcomm HS-USB QDLoader 9008 safe mode.
5. Voilà! Hard brick!
2. How to fix it?
That is a jolly good question! What we have to do is to reflash full chip firmware. Surprisingly I see some solutions, but those need to be developed:
A) SD-BOOT
It turns out that our fancy chip can probably boot from SD-CARD! The procedure works like this:
- When chip starts, one of the very first things it does is loading the memory, so it can actually work. The trick is that chip loads it from a specific disk, marked with an exact name (I don't remember which, but I will do research). A specially prepared SD-CARD can appear with that name, so chip boots from it, not from internal memory. (This trick is proved to work on this model)
How to do it?
- Get full dd of working phone - it must be phone with the SAME chip and very likely the same model
- flash it to SD-CARD of 32GB or more, class 10 speed or higher, directly to card, not partition
- put card in phone, turn it on and wait
- you should see HBOOT
- select fastboot and flash new FW via it
- voilà!
!!!THIS IS A COMPLICATED PROCEDURE, I WILL MAKE A DETAILED THREAD SOON, BUT FOLLOW IT ONLY IF YOU KNOW WHAT YOU ARE DOING!!!
B) FIREHOSE/SAHARA ATTACK
This could be achieved by sending payload via Firehose programmer that would allow to break verification of SBL or somehow allow SBL to be flashed. Now, PBL blocks attempts to update SBL. I have a thesis that it is because PBL does not allow SBL downgrade, so its version must be higher, but we try to flash the same version of SBL so it doesn't work. That thesis needs confirmation.
C) CRAFT BLANKFLASH
This would be last resort. It will work for sure, but this method needs knowledge and I don't know if it is doable.
STEP 1: Get white-listed blankflash checksums from OTA (we would need to reverse engineer those)
STEP 2: Break hash
STEP 3: Craft blankflash with needed hash
STEP 4: Flash
NEVER USE BLANKFLASH (ATTENTION!)
DO NOT try any blankflash files. They can make the situation a lot worse and even physically (!) damage your phone.
D) JTAG
Medusa Box etc.
E) Qualcomm Premium Tool
This can even work, but it is untested and there is a slight chance that can worsen state of phone (needs confirming).
The tool is very advanced and I need to gather info about usage, so very probable to be a good solution if we will learn how to use it!
E) METHOD 7
Interesting method from this guy: (7th option, I have contacted him if it is compatible)
https://github.com/aravindvnair99/Motorola-Moto-E-XT1022-condor-unbrick/blob/master/Unbrick%20methods.md
3. DOWNLOAD
(Links will be added *soon*)
XDA:DevDB Information
Unbrick Development for Moto Z Play (addison) Full-Brick, Tool/Utility for the Moto Z Play
Contributors
Bobernator, Stayn, Artim_96, Camarda
Version Information
Status: Nightly
Created 2019-05-04
Last Updated 2019-05-14
I really hope we can get a fully working detailed method to unbrick this device, I'll follow this project and try to help what I can, my phone isn't bricked but I think that an unbrick guide is absolutely necessary.
By the way, did you try the Qualcomm Board Diag method? Before the Moto Z Play I had a LG G3 and got it hard-bricked and my pc would recognize it as "Qualcomm HS-USB QDLoader 9008" too, using the Board Diag method I got to erase completely the emmc and flash each partition manually, that got it back to life again, of course there's a requirement and it's the AP Chipset files. I don't know if you already tried so you tell me
Stayn said:
I really hope we can get a fully working detailed method to unbrick this device, I'll follow this project and try to help what I can, my phone isn't bricked but I think that an unbrick guide is absolutely necessary.
By the way, did you try the Qualcomm Board Diag method? Before the Moto Z Play I had a LG G3 and got it hard-bricked and my pc would recognize it as "Qualcomm HS-USB QDLoader 9008" too, using the Board Diag method I got to erase completely the emmc and flash each partition manually, that got it back to life again, of course there's a requirement and it's the AP Chipset files. I don't know if you already tried so you tell me
Hi! Really nice to read that. I didn't try it but I will check it out in a while. Sorry for not responding immediately but this will change from now, I have XDA app so I stay updated.
Have you seen this post? There's apparently a new Oreo blankflash https://forum.xda-developers.com/showpost.php?p=79514510&postcount=419
echo92 said:
Have you seen this post? There's apparently a new Oreo blankflash https://forum.xda-developers.com/showpost.php?p=79514510&postcount=419
Website is legit, sounds like something good, but I will byte-compare it to my other blank flashes in collection. Maybe it will worsen state of my device but I will try it.
Ps. I am working on a download section!!!
EDIT: DO NOT TRY IT YET. As you can see in the link this has been uploaded 2 days ago. Post has 1 day, so this is suspicious as hell.
Bobernator said:
Website is legit, sounds like something good, but I will byte-compare it to my other blank flashes in collection. Maybe it will worsen state of my device but I will try it.
Ps. I am working on a download section!!!
EDIT: DO NOT TRY IT YET. As you can see in the link this has been uploaded 2 days ago. Post has 1 day, so this is suspicious as hell.
I understand the reason to be suspicious, since there's also no way to verify the origin of this blankflash. Also, is there a OPNS27.76-12-22-10 firmware? I thought OPNS27.76-12-22-9 was the last build?
I will answer this way:
Bobernator said:
I will answer this way:
That blankflash looks like it worked - seems your device is in fastboot mode despite the photo angle.
echo92 said:
That blankflash looks like it worked - seems your device is in fastboot mode despite the photo angle.
Yes, it worked! But do not make a mistake and after you flash blankflash do not flash full firmware. Instead flash only recovery - TWRP and make backup of modemst1, modemst2 and FSG partitions, so you can revert your IMEI. After that full flash android 8 FW
Bobernator said:
Yes, it worked! But do not make a mistake and after you flash blankflash do not flash full firmware. Instead flash only recovery - TWRP and make backup of modemst1, modemst2 and FSG partitions, so you can revert your IMEI. After that full flash android 8 FW
Can you see your recovery partition with the dummy bootloader from the blankflash? Do you have to flash the GPT/bootloader from firmware first?
Well, this is nuts @Bobernator, I'm really happy we have an unbrick method.
If MTP is still working, you can flash the file I attached to this post to automatically backup the required partitions, this can also be helpful in case anyone wants a full IMEI Backup, also, I tried this step:
fastboot flash fsg mmcblk0p29_fsg_backup
fastboot flash modemst1 mmcblk0p27_modemst1_backup
fastboot flash modemst2 mmcblk0p28_modemst2_backup
and it gives me permission denied when flashing modemst1 and modemst2, I think we should flash modem NON-HLOS.bin and erase modemst1 and modemst2, if you agree I'll update the zip I made to backup NON-HLOS.bin instead of modemst1 and modemst2
Quick question, is it worth mentioning only to perform steps 12 and 13 (flashing your FSG and modemst backups) if your device has no signal/IMEI issues after flashing the Oreo firmware? Just wondering since the firmware flash and subsequent boot may correctly rebuild the modemst files...
echo92 said:
Quick question, is it worth mentioning only to perform steps 12 and 13 (flashing your FSG and modemst backups) if your device has no signal/IMEI issues after flashing the Oreo firmware? Just wondering since the firmware flash and subsequent boot may correctly rebuilt the modemst files...
I don't know for sure but a backup is always recommended and more if it is the IMEI, then, you can flash all partitions and then before restoring the backup boot into the system and check by yourself if you're getting signal and its working... :good:
Stayn said:
I don't know for sure but a backup is always recommended and more if it is the IMEI, then, you can flash all partitions and then before restoring the backup boot into the system and check by yourself if you're getting signal and its working... :good:
Yup, an IMEI backup is always useful Just wanted to ask since it's not pointed out in the opening post's guide to check your IMEI/signal before committing to step 12/13. If it's working, no need for those two steps!
@echo92 I forgot about IMEI totally so I can't tell you, but I can't confirm that's safe to flash gpt and bootloader from OREO fw (8.0). I did this way and everything is working. Even OTA updates to most recent without problems! Here are the proofs (language is "Polish" if you want to translate):
Stayn said:
Well, this is nuts @Bobernator, I'm really happy we have an unbrick method.
If MTP is still working, you can flash the file I attached to this post to automatically backup the required partitions, this can also be helpful in case anyone wants a full IMEI Backup, also, I tried this step:
and it gives me permission denied when flashing modemst1 and modemst2, I think we should flash modem NON-HLOS.bin and erase modemst1 and modemst2, if you agree I'll update the zip I made to backup NON-HLOS.bin instead of modemst1 and modemst2
I really appreciate this! Thanks!
If you update your ZIP, I will attach it into the project today, and I will try to find out solution for you, because it looks if you can't restore IMEI now (correct me if I am wrong)
echo92 said:
Yup, an IMEI backup is always useful Just wanted to ask since it's not pointed out in the opening post's guide to check your IMEI/signal before committing to step 12/13. If it's working, no need for those two steps!
You are surely right. I will correct thread today.
Bobernator said:
I really appreciate this! Thanks!
If you update your ZIP, I will attach it into the project today, and I will try to find out solution for you, because it looks if you can't restore IMEI now (correct me if I am wrong)
Don't worry about the IMEI, I got it again after flashing my fsg backup, modem and erasing modemst1 and modemst2, now the problem is that on every ROM I get everytime a popup "com.android.phone" has stopped, till I remove the sim card, what could this be? This isn't my main phone so I'm not worried at all but this could happen to someone else
Dial *#06#, if you will get nothing or zero's that means it can be modem failure
Ps. Is your zip updated now?
Hello Guys,
I have the exact same problem. All started here with a changed screen that after update to 8 stopped working, so I did downgrade to 7, and the touch was back, then it started doing the OTA updates and I (dumb enough) accepted it, and now I have a bricked device.
***EDIT***
Now I could get access to the bootloader again, the flash blank worked but it had a catch, if I just executed the bat, it would not work, I had to open a CMD with admin rights, go to the folder and run the bat from there.
***EDIT 2***
So restored bootloader, and booted just like before it was corrupted, now it keeps asking for update, and I disabled it on the "Developer Menu", is that enough? Will not play with updates on this device anymore, android 7.1.1 with 2017 security updates will do it.
***EDIT 3***
Now I have a Mobile Network problem, it does recognize the SIM Chip, but won't get network access, I didn't backup before doing the Blank Flash, but it was not showing on the system before (because the downgrade from 8 to 6, and then upgrade to 7), is there a way to recover it or fix this no network registration possible?

[GUIDE] AN ESSENTIAL GUIDE FOR G935F/FD

AN ESSENTIAL GUIDE FOR G935F/FD
DISCLAIMER
☆ THIS WILL BE A HUGE WORD WALL, SO DON'T BOTHER WITH THIS IN ADVANCE IF YOU MIND READING LARGE AMOUNTS OF WORDS ON SCREEN
☆ THIS ISN'T A ROOT GUIDE EXACTLY BUT WHEN YOU READ THIS TILL THE END, ROOTING WILL BE AS EASY AS BREATHING FOR YOU (LITERALLY)
NOTE : THIS GUIDE DOESN'T APPLY TO YOU IF YOU ALREADY KNOW BASICS AND/OR ARE ADVANCED USER WHO KNOWS GUTS OF ANDROID. THIS IS EXPLICITLY FOR NOOBS LIKE MYSELF WHO ACCIDENTALLY MESS THEIR DEVICES AND GET A BRICK !
WARNING : THIS DOESN'T APPLY TO ANY OTHER MODEL THAN G935F/FD, AND IS JUST FOR INFORMATIONAL PURPOSES, I WILL NOT BE RESPONSIBLE FOR ANY DAMAGE CAUSED TO YOUR DEVICE FOLLOWING THIS GUIDE.
P.S
HERE I PRESENT MY FIRST GUIDE FOR S7 SERIES, YOU CAN SAY IT'S A BASIC ROOTING GUIDE AND SUCH GUIDES ARE EVERYWHERE HERE ON S7 FORUMS BUT THIS ONE CONTAINS VITAL INFORMATION WHICH I COLLECTED FROM VARIOUS SOURCES AND TRIED KEEPING IT AT ONE PLACE AND FOR THE NOOBS LIKE ME WHO DON'T KNOW WHERE TO SEARCH FOR THESE THINGS
ALSO AS I RECEIVE HUNDREDS OF PM'S FOR HELP REGARDING PEOPLE ACCIDENTALLY TURNING OEM UNLOCK OFF AND MESSING THEIR DEVICES, I HAD TO MAKE A GUIDE NOW SO EVERYONE CAN BENEFIT FROM THIS
AND YEAH I CANNOT HELP ANYONE REMOTELY NOW, SORRY LIFE SUCKS IN AT TIMES
AND YOU GUYS KNOW THAT S7 SERIES ARE ALMOST EOL BY SAMSUNG SO I TRIED MAKING AN EOL GUIDE TOO
--------------------------------------------------------------------
INTRODUCTION
EFS :
EFS (encrypting file system) is the partition which stores nv data of your phone, that is a read only partition and it contains nv data (non-volatile data) memory which stores all the vital data from the manufacturer which is non volatile or in other words.. not to be removed/modified in any way.. and So, this nv data kinda makes your phone a 'phone'
UFS :
The UFS is universal flash storage chip also known as nand memory in older terms, your internal memory chip on the s7 edge series.. it contains all the android partitions of your phone i.e everything your smartphone has to be a 'smartphone' ..
DM-VERITY :
Device-Mapper verification is a new security measure in latest samsung devices, it basically checks system integrity i.e to check if system partition is modified by any method .. if your system partition is modified even willingly by yourself by any method like non-systemless root/mod/custom binaries etc, dm-verity will kick in and prevent your phone from booting normally. DM-verity is explicitly present in recovery partition which prevents boot on activating and it kicks in through a check inside the stock kernel which activates it.. apparently, removing dm-verity in recovery or kernel makes the device boot-able again.
DRK :
DRK or device root key is present in efs partition of your phone, DRK is a device-unique asymmetric key pair that is signed by Samsung's root key through an X.509 certificate, this certificate proves that the DRK was produced by Samsung. DRK is explicitly present in EFS partition. If due to any reason your drk gets corrupted/deleted, you get a permanent type of dm-verity error and your phone will not boot even stock samsung roms without dm verity disabler zips ..
NV DATA :
Non-volatile data is present on efs partition and includes, device specific vital manufacturer binaries which are never to be modified/removed in anyway. This includes device specific network certificates, IMEIs, SERIAL numbers, bluetooth ids/mac addresses, DRK, nfc parameters and others etc ..
PARTITIONS :
Android adopts linux like partitions and file tables, but most of the partitions present on samsung phones are not to be modified/messed up in any way, other than backing them up. The most common partitions to modify/format include :
1. DATA
2. CACHE
3. DALVIK CACHE
4. SYSTEM
But system partition is often recommended to not modify/format for the reasons I will explain further down in the guide ..
A partitions screenshot of s7 edge G935F running a stock rooted rom on version 8 binary
The highlighted ones in yellow contain your nv data..
NOTE : ITS A VITAL STEP TO BACKUP ALL NV DATA PARTITIONS AFTER ROOTING (SHOULD BE THE FIRST THING TO DO AFTER ROOTING! )
PARTITION STYLE/IMAGE TYPE :
S7 series (exynos) partition table is A type on oreo stock firmware and until pie based custom roms.. one ui 2.0 introduced A/B style partitioning. Only difference between them is about how hard magisk implementation is in A/B and also the absence of ramdisk. You can get more info in magisk's documentation on github.
FIRMWARE TYPES :
All firmwares before the 10th binary update are called as A firmwares, the 10th or 0 one being called as A and after onwards from that we call the binaries as B firmwares i.e all firmwares from G935FXX1XXXXX to G935FXX9XXXXX will be called A firmwares simply, the 10th one being G935FXXAXXXXX and after that B firmware starts as G935FXXBXXXXX and then binaries continue like C/D/E/F if samsung wanted to update the device further.. S7 exynos are currently on 8th version binary.. where the binary number is actually the bootloader number and you cannot downgrade to lower version binaries from a higher version ..
Also the B firmwares are a very special case, will explain later further down later.
BOOTLOADER VERSION :
Refer to the above paragraph. Numbers/alphabets after XX and before XXXXX denote the version number of the binaries or in other words the bootloader version, which after upgrading to a higher version cannot be downgraded to a lower bootloader version ..
WHAT IS AP/CP/CSC/BL/PIT?
AP is Application Processor, known as PDA in older terms, the core android of the flashing package, CP being the Core Processor also known as modem, while CSC is Consumer Software Customization which contains regional/country based settings for your phone which includes network settings and custom preloaded software, also to mention that CSC has two types CSC and HOME_CSC ..
CSC contains the pit file which partitions and formats the phone before flashing in odin, while HOME_CSC doesn't include pit file and is meant to upgrade/dirty flash without wiping data in odin.. PIT means partition information table, if you are flashing CSC you don't need to manually extract and place pit file in odin as this is automatically done when flashed using CSC..
ODIN :
Odin, the lord of the dead as known in norse mythology is actually a lord of dead samsung phones too you already know what this is, but in case if you really don't; then this is a flashing software for samsung phones and you don't need to select any advanced options in odin when flashing.. just select auto-reboot and f.reset when flashing stock firmwares - all other options are obsolete and/or have no use for s7 series devices. Also when flashing any recovery don't tick auto reboot just f.reset and manually force reboot from download mode to custom recovery using key combinations
DOWNLOAD, RECOVERY MODE, SAFE MODE AND FORCE REBOOT :
While phone is turned off, holding vol down+home+power buttons will make you go in download mode.
And while phone is off, holding vol up+home+power buttons will make you go in recovery mode ..
Holding vol down after samsung animation comes during boot would make you enter in safe mode (this option is obsolete since in most bootloops we cannot go in safe mode because phone isn't booting properly to accept safe mode key input)
Hold vol down+home+power buttons on any screen to force reboot phone ..
DOWNLOAD MODE INFO :
There are details written in download mode which are very useful for diagnosing various issues.
Such as :
>Real Model Number : displays real phone's hardware model.
>System Status : displays intact-ness of /system partition.
>Binary Status : displays intact-ness of other partitions like boot (kernel) or recovery etc.
>KNOX Status : displays the hardware e-fuse status for warranty purposes. Anything other than 0x00 means its tripped.
>Letters B/K/S : letter B means bootloader version number, K for kernel's and S for system's version number. You cannot flash any firmware with lower numbers than displayed here because secure bootloader will always block it.
UPLOAD MODE :
There is not much info on this or any info at all for the matter. All I know per my personal experience is that it happened due to SBL (secure bootloader) error after flashing an incompatible firmware. It can be due to any other software or hardware reasons, but my guess is that it protects phone from becoming a complete brick in case of bootloader error or corruption. But again, its so scarce that hardly any reliable information exists about it and I'm not gonna brick my phone just to see if it really 'works'
FRP LOCK :
FRP lock is the factory reset protection, it kicks in two ways.
1. You had oem unlock off and you forgot to delete your/last google account on device before factory resetting it and for some reason you also forgot that google account's password, so this frp lock kicks in and you need to login with that last google account to regain access to your phone, this is basically an anti-theft measure, also ironically there were/are ways to bypass it too ..
2. If you disable oem unlock after rooting/modifying/installing custom binaries or you try to root/modify/install custom binaries without enabling oem unlock first, you get custom binary blocked by frp on next boot, for solving this you just need to flash back stock rom.. and login with last google account password if required ..
3. Its a bit same like no. 2, but this one is a dreaded and notorious issue.. happens when your drk or efs gets corrupted due to any reason and you also "Accidentally" turn OEM Unlock OFF (lmao) . Now when you flash custom binary you get the same frp lock as no. 2, BUT you cannot boot stock rom back to Enable OEM Unlock due to drk error/efs corruption (which prevents even stock rom from booting up because of dm-verity error) and you cannot fix drk/dm-verity error by flashing no verity zips.. because custom binary block by frp error.......
So now you know its not a good idea to do "Accidents"
COMBINATION BINARIES :
Combination binaries are troubleshooting firmwares developed specially for repairing by samsung which don't have dm-verity checks as well as no developer options either, which mainly can be used to fix imei/efs issues AFTER restoring a backup which you are SURE to be WORKING and taken from an earlier/working environment..
Sometimes combination roms can fix efs/imei and network issues without restoring a working earlier backup (in case of some software bug), though this only works if the original factory efs of your phone is intact ..
NOTE : AS OF NOW, LATEST COMBINATION ROMS FOR VERSION 7 AND 8 BINARIES AREN'T AVAILABLE ON THE POPULAR AND TRUSTWORTHY SOURCES - NOT EVEN ON PAID ONES. SO EITHER DON'T UPGRADE YOUR PHONES TO LATEST BINARIES OR DON'T MESS THEM UP SO THEY DON'T REQUIRE COMBINATION ROMS TO FIX THEM
--------------------------------------------------------------------​
MAIN GUIDE AND ISSUES TROUBLESHOOTING
NOW THAT YOU HAVE READ MY ENCYCLOPEDIA, I WILL BEGIN WITH MY DARWIN PHILOSOPHIES
1. DEVELOPER OPTIONS AND OEM UNLOCK :
Developer options are the first step when you want or even think of modifying/rooting your device in anyway. You go in about section of your phone and tap build number 8 times to enable developer options and then you need to ENABLE OEM UNLOCK BEFORE MODIFYING/ROOTING YOUR DEVICE IN ANYWAY POSSIBLE
FLASHING ROMS AFTER ENABLING OEM UNLOCK DOES NOT CHANGE ITS STATE
BE WARNED : CLEARING DATA OF SETTINGS APP OR FOLLOWING ANY GUIDE ON INTERNET TO DISABLE DEVELOPER OPTIONS AFTER ROOTING/MODIFYING YOUR PHONE CAN RESULT IN OEM UNLOCK BEING TURNED OFF AND YOU GETTING THE CUSTOM BINARY BLOCKED BY FRP MESSAGE
AND YES PLEASE DON'T ACCIDENTALLY TURN OEM UNLOCK OFF FOR HEAVEN'S SAKE
2. USB DEBUGGING :
Although not vital, but usb debugging is needed for using adb from your pc and adb has many useful commands if you like digging in the linux shell, plus many no-root apps require adb commands to make them run some useful functions without root.. I recommend keeping it on just in case.
3. DM-VERITY ERRORS :
Ah yes, I hate this one, this is one of the most notorious errors I have ever seen, DM verity as told above is a system integrity check for modifications, but this dm-verity thing on occasion can make a hard brick coupled with some kind of encryption in the kernel/bootloader, Master @Chainfire describes such behaviour in one of his posts here, it was on nougat though and I can only expect it to be worse on oreo ..
https://forum.xda-developers.com/showpost.php?p=72204306&postcount=978
In simple terms a s7 can become a partial hard brick IF user had no access to a working rom (due to dm-verity) and custom recovery is broken/can't be flashed (due to OEM Unlock being turned off) ..
What worries me most, is that I could not get my device in any sort of booting state without formatting /data and /cache in recovery (something that you would normally be able to do through ODIN by flashing empty images). This means that if you end up in this broken state and for any reason recovery isn't functional, your device may be unrecoverable and essentially bricked. It is certainly not unheard of to have a broken recovery, especially on Samsung devices. Combine the two, and it is a certainty that some users will eventually end up bricked.
So, if anyone modifies their system partition after root without disabling dm-verity check in the stock kernel or they root using non-systemless method or they did a swipe for system modifications in twrp or they installed any non-systemless mod, they get dm-verity error.. For most part a dm-verity error due to a modified system partition on a rooted phone can be easily fixed by flashing no-verity zips in twrp recovery ..
OR by flashing a stock firmware of matching binary through odin ..
Even if you have accidentally turned oem unlock off, you simply reflash stock firmware and go in developer options to re-enable oem unlock. This is what I call type 1 dm-verity which is the easy one to fix ..
NOW, lets see another scenario where some people accidentally turned oem unlock off (yeah believe me there are tons of users doing this these days lol) and for those people dm-verity was not going away even after a stock firmware reflash and because they turned OEM UNLOCK OFF they could NOT flash custom binaries to bypass dm-verity either.. HENCE THEIR DEVICE WAS IN A STATE OF SEMI-PERMANENT HARD-BRICK..
My search revealed that a corrupted/missing DRK in EFS partition was actually the root cause of this type of dm-verity error, such unfortunate users CANNOT EVER REVERT BACK TO A STOCK UNMODIFIED ROM (without restoring an intact DRK backup) and they ALWAYS HAVE TO FLASH NO VERITY ZIPS TO USE/BOOT STOCK ROM..
But if OEM UNLOCK IS TURNED OFF, they get STUCK BADLY because device rejects any custom binaries like no-verity zips and twrp etc ..
My further search concluded that since the stock recovery kicked in dm verity, So if the AP file of firmware is extracted and stock recovery is deleted from it, while the boot.img is renamed as recovery.img and only system.img along with renamed recovery.img is repacked and flashed along with BL, CP and CSC, it allows users to BOOT into stock rom to ENABLE OEM UNLOCK AGAIN and use their device with custom binaries, and so their device is back to the living once more
The exact steps are as follow :
1. Extract the correct matching-binary firmware package.. then extract the AP file, and copy boot.img and system.img to a new separate folder ..
2. Rename boot.img to recovery.img and repack this renamed recovery.img along with system.img (only these 2) using autotar tool (I've posted the link to autotar tool now although it gets detected as a virus, So download at your own risk) or any other tar packing utility ..
AutoTar Tool
3. Flash this modified AP using latest odin along with BL, CP and CSC (not HOME_CSC) and only tick auto reboot and f.reset in odin options ..
Your phone should boot now and you can ENABLE OEM UNLOCK to flash custom binaries and make your phone usable again.. personally tested that this method works ..
BE WARNED THAT THIS METHOD REQUIRES AT LEAST 10% BATTERY FOR FLASHING AND BOOTING
Since many devices had been hard bricked for months and battery being drained completely, they couldn't boot or complete flash due to their phone becoming dead in the middle of flashing process or booting process ..
I recommend charging phone by a wireless charger in this state (since wireless charger is said to be working even in bricked state, also connecting it to a charger while in download mode may give it some charge) or simply try continuously to boot it, if flash using above method is successful then don't reflash anymore just try to boot phone while putting it on charger ..
And hopefully your device will get out of this dreaded dm-verity + frp lock due to custom binary ..
Here's my original post for such dm-verity fix : https://forum.xda-developers.com/showpost.php?p=82294339&postcount=11
WARNING : MULTIPLE INTERRUPTED/INCOMPLETE FLASHES DUE TO NO BATTERY OR BATTERY DYING IN THE MIDDLE OF FLASHING PROCESS CAN CAUSE PERMANENT UFS CHIP HARDWARE DAMAGE !!
END NOTE : ALL OF DM-VERITY ISSUES ONLY HAPPEN ON A FULLY STOCK ROM WITH STOCK BOOT/KERNEL AND STOCK RECOVERY, ONCE A CUSTOM ROM OR CUSTOM BOOT/KERNEL AND CUSTOM RECOVERY ARE FLASHED, THEN THERE MAY NOT BE A NEED TO FLASH NO VERITY ZIPS, BECAUSE DM-VERITY MAY ALREADY BE DISABLED IN THE CODE. REFER TO YOUR RESPECTIVE ROM THREAD FOR THE REQUIRED INFO.
4. FORCED ENCRYPTION :
My personal experience and testing with root on android 8.0 stock oreo made me conclude that for some reason, the latest twrp as well as tkkg's modified twrp (which only supports quota) fails to mount /data even after formatting, when we reboot first time into system after formatting data and then go again in twrp, twrp fails to see /data again ..
Well, this is not a huge problem BUT if due to any reason your phone got in a non-fixable bootloop and you still got valuable data on it, then there's no practical way to recover it, except copying and moving it from twrp to external sd card/usb otg ..
So yeah an accessible /data is a big factor for me to have it working ..
Tkkg's post on encryption : https://forum.xda-developers.com/showpost.php?p=77296095&postcount=2228
link where he says he hasn't added encryption support : https://forum.xda-developers.com/showpost.php?p=77314388&postcount=1251
I first thought that latest official/tkkg's twrp would have fixed this problem, but even when forced encryption is disabled using zips, every twrp I tried could not see /data partition ..
EDIT : OFFICIAL TWRP 3.3.1+ WORKS BUT WE NEED TO FLASH MAGISK RIGHT AFTER BOOTING TWRP FOR FIRST TIME AFTER DOING A FORMAT DATA UNDER WIPE OPTIONS, AFTER THIS REBOOT TO SYSTEM, AND ENCRYPTION WON'T COME BACK AND YOU WOULD BE ABLE TO ACCESS DATA AFTER EVERY REBOOT IN TWRP !!! SEEMS LIKE IF NO MAGISK = NO /DATA ACCESS IN TWRP OR IN OTHER WORDS "FORCED ENCRYPTION"
5. ODIN ISSUES :
Many users on the forums reported issues with flashing via odin, my own experience and research tells me it can be due to :
》You're using a wrong model firmware.
》You're using a counterfeit/modified phone whose real hardware model is different than what's displayed.
》Your phone's internal nand storage hardware got faulty and fails to write anything on it.
》Odin's version is wrong and/or you got a fake software (can happen when downloading odin from fishy webs)
》Either your PC/Samsung usb drivers/usb cables/usb ports got some bugs/issues.
》Smart switch is running in background processes and it is known to mess with odin flashing (often that's the culprit)
You can try to download odin from a reputable web, re-verify that you're using correct firmware and smart switch isn't running as a background process. Also try checking with some other usb cables/ports or PC. Also verify that your phone isn't a counterfeit product (hardware modified)
If you were already rooted or flashed a custom rom before, and you're sure that OEM Unlock is enabled in developer options, you can try flashing twrp in odin and then a custom rom through twrp - as a last resort. But if you haven't rooted/enabled OEM Unlock before, this won't work either and you may have to take your phone to a repair shop
Heads Up : In case you didn't know, but if odin fails a flash or flash gets interrupted at or during sboot.bin (the bootloader flashing step) or you flash a wrong bootloader which unfortunately download mode couldn't stop from getting flashed, it can cause hard bricking due to corrupted bootloader (no download mode) and can only be fixed via UART interface using a hardware repair box. Of course this doesn't include failed flashes at sboot which are due to download mode blocking the flash (its actually protecting itself from flashing a wrong/incompatible bootloader)
6. ROOTS AND SYSTEM-LESS ROOTS :
I guess in all my rant you must have noticed that the biggest problem comes in when efs partition becomes corrupted specifically, now when i searched countless pages of users and their issues I came to conclusion that somehow ROOTS using system modifications and also TWRP with system modifications enabled HAVE A HIGHER CHANCE TO MESS/CORRUPT EFS PARTITION, specifically the FULLY MODIFIED CUSTOM ROMS OUT THERE (AND NO I AM NOT BLAMING ANY CUSTOM ROM OR DEV, JUST THAT A FULLY ACCESSIBLE SYSTEM PARTITION HAVE MORE RISK OF CORRUPTING EFS PER MY OBSERVATION- I hope to be wrong lol)
Now, thats where system-less roots come in !!
THEY ARE SIMPLY AWESOME AND NOT BECAUSE I AM A FANBOY OF MAGISK BUT BECAUSE THEIR ACCESS TO SYSTEM PARTITION IS TOTALLY INDIRECT WHICH IN TURN PASSES SAFETY NET CHECKS TOO.
SYSTEM-LESS ROOTS ARE ONE OF THE BEST EVOLUTION OF ROOTS, IN MY VIEW SYSTEM-LESS ROOT AND SYSTEM-LESS CUSTOM ROM DEV BASE ARE ONE OF THE BEST ROOT AND ROM RESPECTIVELY NOT BECAUSE IT ONLY PERFORMS WELL AND FEELS STABLE BUT BECAUSE IT HAS THE LEAST TENDENCY TO CORRUPT EFS BECAUSE IT IS MUCH MORE CLOSER TO STOCK ROM! A BIG SHOUT OUT TO @_alexndr FOR HIS SUPERB SYSTEM-LESS DEV BASE.. AND THE BEST THING IS THAT DOWNLOAD MODE REPORTS SYSTEM AS OFFICIAL AND PASSES SAFETY NET EVEN WHEN YOU'RE ROOTED AND USING EDXPOSED !
THAT BEING SAID, THE BIGGEST REASONS OF EFS CORRUPTIONS ARE NOT DUE TO CUSTOM ROMS, BUT DUE TO THE VARIOUS MODS AND INCORRECT FOLLOWING OF FLASHING/INSTRUCTIONS WHICH CAUSE THIS.. AND SOMETIMES FAULT/ERROR OF THE HARDWARE TOO.. AND VERY RARELY ITS A MISTAKE ON DEV'S PART ..
Moving on to root types, you got Super SU along with its system-less root option and Magisk (has system-less root as default); both have hiding root options as well, you just need to choose your preference and flash it in twrp.. I really don't recommend king root or any other root types !!
FOR USING SYSTEM-LESS ROOT KEEP SYSTEM READ ONLY IN TWRP!!! (DO NOT SWIPE TO ALLOW SYSTEM MODIFICATIONS WHEN BOOTING IN TWRP FOR FIRST TIME AND TICK DON'T ASK ME AGAIN)
BE AWARE ! CHOOSING SYSTEM MODIFICATIONS IN TWRP WILL AUTOMATICALLY CAUSE NON-SYSTEMLESS ROOT METHOD !
ALSO : WITH MAGISK ONE NEEDS TO FLASH IT AFTER FLASHING NO VERITY ZIPS IN TWRP (IF USING MAGISK IN NON-SYSTEMLESS MODE OR DUE TO DRK BEING CORRUPTED)
Please note that CF Auto root is now obsolete for s7 series on version 5+ binaries ..
7. BOOTLOADER EXCEPTION BUG (SBL ERROR) :
Another rare and possibly dangerous bug, ironically I encountered it on my first days of getting this device
That screen was terrifying for a noob like me at that time lol, now how did I get it in first place ?
Yeah I tried to be a smart-ass and flashed a normal bootloader along with a combination firmware in odin lol (tried to bypass bootloader blocking flash of lower binary version), flash was successful and when phone booted it caused bootloader exception bug ..
And what I did to solve it ? Simply hold home button until you see upload mode and then force reboot by combination keys and then immediately hold download mode combination keys to go in download mode and reflash stock rom
Seems like other people on forums weren't that lucky to get out of this error easily
Possibly, this error can also be caused by some hardware fault/bug.
Further investigation revealed that SBL error (secure bootloader error) is particularly a semi-corrupted bootloader which in reality would cause the device to become a hard brick which can only be recovered through UART interface using a hardware box (which essentially requires us to open phone's guts), but instead it caused bootloader to get in a fail-safe 'UPLOAD MODE' which is surprising actually because any wrong bootloader flash is sure to make your device a permanent brick.
So better NOT cross-flash firmwares or bootloaders not designed for your phone, specially which are apparently made for same hardware as yours but you may not be that lucky to get in upload mode after that, So :
>Don't try to flash a G935F (global) bootloader on a G935W8 (Canada variant) or G935V/T/A/U (US variants) or G9350/K/L/S (Chinese/Korean/Hongkong variants etc) and vice versa.
>Don't try to flash a G9350/K/L/S (Chinese/Korean/Hongkong variants etc) bootloader on G935V/T/A/U (US variants) or G935F (global) or G935W8 (canada variant) and vice versa.
>The above instructions includes both normal and combination firmwares. Also don't try to flash normal firmware's bootloader with combination firmware or vice versa.
>Don't try to downgrade bootloader by 'any method'..
>Don't use any 'patched odin' to flash an incompatible firmware.
>Don't try to flash bootloader using flashfire/twrp or any other mobile flashing utility.
8. NETWORK AND IMEI'S ISSUES :
Regarding loss of network signals, there are 2 possibilities, either that your imei got deleted/corrupted due to a bad efs partition or your phone's imei was changed and a network certificate patch was used to make it working, and you reflashed your phone through odin or any other flashing method which removed that network certificate patch and you lost your signals ..
Now both can be fixed only by a box or box-like alternative see this thread link for more info :
1. https://forum.xda-developers.com/s7-edge/how-to/fix-imei-downgrading-g935f-fd-t3947911
Remember : There's always a risk of bricking your device or screwing it further by using such (box-free) tools ..
Moreover, signals can be lost when flashing old modem on newer bootloader, it can be fixed by reflashing correct firmware (matching bootloader version) for your phone ..
Signals can also be lost by a bugged out csc (probably due to a bad efs), for solving this you can try changing your csc code by flashing different csc firmware with matching bootloader version (preferably a single csc firmware like dbt/xeu) and then reflashing your original csc to revert back and applying the fix mentioned in No. 1 thread link above.
A bugged out/corrupted efs is often the main culprit for signals issue, which needs combination rom with matching bootloader version and/or an earlier working efs backup to fix it.
See this thread link below for more on this :
2. https://forum.xda-developers.com/s7-edge/how-to/guide-how-to-fix-check-drk-imei-issues-t3379516
Another option is if you got an older working efs backup, just restore it and then give appropriate permissions and then flash combination rom for your rom, but problem is.. you need quite a bit of linux command knowledge and updating the permissions according to your own phone and android version (originally it was done on note 4) plus combination roms for latest binaries are not getting released into public now !!
Please refer to this thread link of note 4 below :
3. https://forum.xda-developers.com/note-4/general/fix-drk-dm-verity-factory-csc-serial-t3422965
As a token I provide my phone's DRK, the prov_data folder (for getting rid of dm-verity error by following No. 3 thread link of note 4 above).. if anyone experienced and interested enough wants to experiment to fix their drk/dm-verity errors permanently ..
NOTE : As policy of xda, I'm not sharing any imei/personal phone data, but just a DRK encrypted key which could benefit users with dm-verity and drk errors, if anyone finds it against xda's terms or rules, feel free to report my shared prov_data (but it has already been shared before for note 4)
BUT EVEN WITH THIS PROV DATA AND SUCCESSFULLY GIVING PERMISSIONS YOU WOULD STILL NEED COMBINATION ROM TO FIX DRK AND SIGNALS/IMEI AS STATED IN NOTE 4 THREAD !
ALSO THIS WILL ONLY WORK ON DEVICES BEING ROOTED AND IN WORKING CONDITION !
TIP : WELL, SOMETIMES YOU TRAVEL ALL THE WORLD TO FIND SOMETHING WHEN ITS ALREADY THERE IN YOUR HOME OR NEIGHBOURHOOD AND SAME THINGS CAN HAPPEN WITH THESE ISSUES TOO, IN THE END YOU DID EVERYTHING YOU CAN TO TRY AND GET YOUR SIGNALS FIXED WHEN YOU JUST HAD TO REPLACE YOUR SIM CARD LOL
SO YEAH SIM CARD CAN BE FAULTY TOO, ALWAYS TRY CHANGING SIM CARDS FIRST IF YOU GET ANY NETWORK ISSUES. ALSO, SOMETIMES ITS THE PHONE'S MODEM HARDWARE THAT'S FAULTY AND YOU CAN'T DO ANYTHING ON THE SOFTWARE SIDE.
9. BATTERY DRAIN ISSUES :
Ever since the version 7 binary update i.e december 2019 security patch and later, I noticed my phone draining battery heavily due to android system and kernel.. and I lost almost 50% of s.o.t and also created this warning thread here :
https://forum.xda-developers.com/showpost.php?p=81410317
SO YEAH. I RECOMMEND USERS TO NOT UPDATE TO VERSION 7 BINARIES OR LATER !! IT WILL ONLY CAUSE A DELIBERATE SAMSUNG CREATED BATTERY DRAIN TO PUSH USERS FOR UPGRADING THEIR PHONES !
10. BINARY UPDATES :
Since samsung has officially made s7 series eol, the updates they will now push would always to some extent, try to limit device in some ways - like the huge battery drains with version 7+ binaries and the fact that you cannot downgrade, the whole point is that they want users to upgrade their phones and hence they will push such updates which will further limit our device !
Also let me tell you, once S7 reaches Version 11 or in other words 'B' binary, its stated that twrp will not work and I think even root will be much harder to achieve and sustain.. if I'm wrong then I request someone to please correct me
ALL IN ALL, UPGRADING BINARIES WILL ONLY CAUSE YOU TO BE STUCK ON EVEN WORSE FIRMWARES !!
I REALLY RECOMMEND TO NOT UPDATE YOUR PHONES ANYMORE !!
11. PERSONAL RECOMMENDS :
I am not the one to recommend anyone something but if you do want to get root but want stability, unmodified system-partition, less risks of your phone being messed up or simply you care for your phone's health; this is still a great phone
I heavily recommend alexndr's custom devbase rom or if you don't want that debloated stock rom, you can just use his system-less devbase root option too.. along with system-less Magisk ..
AND MY BIGGEST RECOMMENDATION IS :
ALWAYS BACKUP YOUR EFS AND NV DATA PARTITIONS FIRST THING AFTER ROOT !!!
This is it from this noob guide of mine, thanks for reading such a long "rant", I hope it would benefit you. My original aim was to create an END OF LIFE GUIDE for S7 series combining various info, and I think I'm partially successful in it
I'm always open to add new info and/or correct anything which I mentioned wrong, also if you need any help feel free to post a reply.. I'm not able to help remotely anymore though
But no matter, all the info I learned remains archived in this thread till the end of times
USEFUL LINKS :
ODIN
ODIN
SAMSUNG STOCK ROMS
SAMSUNG USB DRIVERS
OFFICIAL TWRP
SUPER SU
SUPER SU
MAGISK
MAGISK
SYSTEM-LESS ROOT DEVBASE
SYSTEM-LESS DEVBASE ROM
NoVerityOptEncrypt
NoVerityForceEncrypt
ALL CREDITS TO THEIR RESPECTIVE CONTRIBUTORS​
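The DM-VERITY entry in the guide above says any change to the system partition is detected at boot; the following added example (not from the post, and not Samsung's or the kernel's code) models the block hash tree that makes this possible. It is a simplified sketch that assumes 4096-byte blocks and salted SHA-256, uses hypothetical function names and a constructed 300-block image, and is not byte-compatible with real verity metadata.

```python
import hashlib

BLOCK = 4096                                     # data and hash block size in bytes
FANOUT = BLOCK // hashlib.sha256().digest_size   # 128 digests fit in one hash block


def _h(salt: bytes, block: bytes) -> bytes:
    """Salted SHA-256 of one block."""
    return hashlib.sha256(salt + block).digest()


def _blocks(buf: bytes):
    """Yield buf in BLOCK-sized pieces, zero-padding the last one."""
    for off in range(0, len(buf), BLOCK):
        yield buf[off:off + BLOCK].ljust(BLOCK, b"\0")


def build_tree(image: bytes, salt: bytes):
    """Return (levels, root). levels[0] has one digest per data block; each
    higher level has one digest per hash block of the level below it."""
    if not image:
        raise ValueError("empty image")
    digests = [_h(salt, b) for b in _blocks(image)]
    levels = [digests]
    while True:
        digests = [_h(salt, hb) for hb in _blocks(b"".join(digests))]
        levels.append(digests)
        if len(digests) == 1:
            return levels, digests[0]


def verify_block(image, index, levels, salt, trusted_root) -> bool:
    """Check one data block the way a verified read would: hash the block,
    then follow the stored (untrusted) tree up to the trusted root hash."""
    if not 0 <= index < len(levels[0]):
        raise IndexError("block outside the hashed range")
    data = image[index * BLOCK:(index + 1) * BLOCK].ljust(BLOCK, b"\0")
    computed = _h(salt, data)
    for stored in levels[:-1]:
        if stored[index] != computed:
            return False
        index //= FANOUT                         # hash block that holds this digest
        group = stored[index * FANOUT:(index + 1) * FANOUT]
        computed = _h(salt, b"".join(group).ljust(BLOCK, b"\0"))
    return computed == trusted_root


def failing_blocks(image, levels, salt, trusted_root):
    """Indices of all data blocks that do not verify."""
    return [i for i in range(len(levels[0]))
            if not verify_block(image, i, levels, salt, trusted_root)]


def make_image(n_blocks: int = 300) -> bytes:
    """Constructed stand-in for a system partition: n_blocks distinct blocks."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() * FANOUT
                    for i in range(n_blocks))


def demo():
    salt = bytes(32)                             # constructed salt for the example
    stock = make_image()
    levels, root = build_tree(stock, salt)       # root: value fixed at build time

    # One flipped bit stands in for any write to the partition (constructed).
    changed = bytearray(stock)
    changed[1024] ^= 0x01
    changed = bytes(changed)

    # The stored tree is untrusted too: patch one leaf, or rebuild it entirely.
    new_levels, new_root = build_tree(changed, salt)
    patched = [list(level) for level in levels]
    patched[0][0] = new_levels[0][0]

    return {
        "level_sizes": [len(level) for level in levels],
        "stock": failing_blocks(stock, levels, salt, root),
        "one_byte_changed": failing_blocks(changed, levels, salt, root),
        "leaf_patched": failing_blocks(changed, patched, salt, root),
        "tree_rebuilt": failing_blocks(changed, new_levels, salt, root),
        "root_changed": new_root != root,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        shown = value if not isinstance(value, list) or len(value) < 6 \
            else f"{len(value)} blocks fail"
        print(f"{name}: {shown}")
```

The trusted root is held outside the partition it protects, which is why a change to the data and a change to the stored hashes are both caught.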
.............................
shah22 said:
.............................
https://www.reddit.com/r/GalaxyS7/comments/qn5q99
What do you think about that problem?

[ROOT] [GUIDE] How to root UMIDIGI A11 Pro Max

*PLEASE BE SURE TO READ EVERYTHING BEFORE ROOTING YOUR PHONE!!!*
This guide will help you to root your UMIDIGI A11 Pro Max. Aside from my own knowledge, I used many sources (and I’ll add the respective references, of course) to create this specific manual. In that regard, I organized the information in many sections due to its size.
Also, please be aware this is a guide for UMIDIGI A11 Pro Max, not UMIDIGI A11 Pro, or UMIDIGI A11, or UMIDIGI A13, or any similar model. You’re free to adapt this guide to a different UMIDIGI model though, so you can copy nearly everything here (with the necessary changes) if you want to.
DISCLAIMER: ALL I WROTE HERE WORKED PERFECTLY WITH MY UMIDIGI A11 PRO MAX, BUILD NUMBER UMIDIGI_A11_PRO_MAX_V1.0_20220108, WHICH I ROOTED WITH MAGISK 24.3, BUT I’M NOT A PROFESSIONAL. THIS MEANS I CANNOT GUARANTEE YOU THIS WILL ALWAYS WORK WITH ANOTHER BUILD NUMBER OR MAGISK VERSION, ALTHOUGH I HONESTLY THINK THERE SHOULDN’T BE ANY PROBLEM. FINALLY, ROOTING IS YOUR DECISION, AND IT'S YOUR OWN RESPONSIBILITY IN CASE YOU BRICK YOUR DEVICE, AS I’M NOT COERCING YOU TO DO IT.
With that said, let’s begin!
Things you need to know:
• Currently, there is no custom recovery (like TWRP) for this smartphone. This will make the whole process a bit more complex, but it’s still possible to get root.
• While I think the rooting itself doesn’t void your warranty, the previous and unavoidable step—unlocking the bootloader—does.
• Another thing about unlocking the bootloader: the process will make a FACTORY RESET to your device, so better have a back-up ready.
• We’ll use Magisk, so it’ll still be possible to get FOTA, also named OTA, updates. I’ll elaborate more at the end of this guide.
• As I said, I’m not responsible if you brick your device, but I can give you a hand! (More details just below.)
Preparations:
• Identify your build number to find your stock ROM online. Go to “Settings”, now go to the bottom to “About phone”, and then go again to the bottom and you will find something like this: “Build number: UMIDIGI_A11_PRO_MAX_V1.0_20220108”.
• Go to your PC and download your stock ROM in UMIDIGI’s official forum. Remember there are main releases’ variations for specific regions (like Europe), so be sure to check if EACH LETTER of the names match. If you made a mistake, you’ll be trapped in a boot loop (bricked device). Here is the forum:
https://community.umidigi.com/forum.php?mod=forumdisplay&fid=293&page=1
*THIS STOCK ROM IS NECESSARY TO UNBRICK YOUR DEVICE BY GETTING A FRESH INSTALLATION IN CASE OF EMERGENCY, SO PLEASE NEVER DELETE IT, PRESERVE IT EVEN AFTER YOU GET ROOT. IF YOU MESSED UP READING THIS GUIDE OR LATER, READ YOUR RESPECTIVE THREAD TO UNBRICK YOUR PHONE. FROM HERE ONWARDS, YOU’LL BE IN THEIR HANDS*
• Open the RAR and extract vbmeta.img and boot.img (NEVER DELETE THE ORIGINALS).
• Now you need to unlock “Developer options” in your device, as the basic permissions aren’t enough to root. Go to: Settings > About phone > Status. Now go to the bottom and tap “Build number” seven or eight times until a message saying that you’re now a developer appears.
• Go to Settings > System > Advanced > Developer options. Activate them if they’re “Off”, now activate “OEM unlocking” and “USB debugging”. This will allow you to: move files between your phone and PC, and use your PC to modify your phone (explained just below).
Installing Android Debug Bridge (ADB) on your PC:
This “simple” interface, as it uses a terminal window (like CMD or PowerShell in Windows), will allow you to control your device from a computer by using methods hidden to simple mortals (mostly for their own security, because the average user could easily brick their device by accident).
The process to do this may vary depending on your OS (Windows 10, Windows 11, Linux, etc.) or even between different updates or drivers of said OS, so I cannot give you specific steps. You can use this guide, which I’m sure is better than anything I could ever write about this topic:
https://www.xda-developers.com/install-adb-windows-macos-linux/
Feel free to search for all the guides you need until installing ADB. Take your time, we’re not doing anything that could brick your device if you make a mistake… yet.
Unlocking the bootloader:
• Make sure ADB is correctly installed or you won’t be able to do anything from this point onwards.
• Remember, this specific step will make a FACTORY RESET to your device, so better have a back-up ready. You need this extra permission to root your phone, or install a custom recovery or ROM if you want (sadly there is neither of them to date).
• Connect your device to your PC.
• Open your ADB terminal on your PC and write:
Code:
adb reboot bootloader
*If it doesn’t work, write ./adb instead of adb, or the variation your terminal uses, and keep using it from now on. Your device will reboot and now you’ll be in fastboot mode (make sure to read the small > FASTBOOT mode… message on the bottom left corner of your device).
• Now the time has come, after this you’ll have a factory reset. Write:
Code:
fastboot flashing unlock
*Again, if fastboot doesn’t work, use ./fastboot, etc. A new message will appear on your device. Read it, it won’t say anything new if you’re with this guide, and press the Volume up button to unlock your bootloader.
• To reboot your device, write:
Code:
fastboot reboot
While rebooting, you will read this just below UMIDIGI’s logo:
Orange state:
Your device has been unlocked and can’t be trusted
Your device will boot in 5 seconds
*Spoiler: it won’t reboot in 5 seconds, but 1 or 2 minutes.
• Congratulations! Now you have a brand-new unlocked phone! No more factory resets (unless you brick your phone), so feel free to make the initial configuration.
This section was based on these guides:
https://www.mobilewithdrivers.com/download/unlock-bootloader/umidigi-a11-pro-max
https://www.droidwin.com/how-to-unlock-bootloader-on-umidigi/
Patching images:
• Now this process is the rooting itself, time to get Magisk, the rooting tool and the future manager of your root permission (under your orders, of course). Download its latest version on your device and install it.
• Connect your device to your PC and send boot.img (you extracted it at the beginning of this tutorial) to your smartphone and open Magisk app. On the Magisk section, tap “Install” and then “Select and patch a file” and search for your boot.img to patch it.
• The installation (flashing) will continue in a terminal-like screen. Once finished, the direction of the patched file will appear, along an All done! message.
• Now send this new patched file and the vbmeta.img (you extracted it at the beginning of this tutorial) to your ADB folder in your computer.
• Now turn off your phone and hold Power button and Volume up button for 5 seconds, and select Fastboot Mode.
• Open your ADB window and DO NOT CLOSE IT BEFORE FLASHING THE NEXT 2 FILES, OR YOU'LL BRICK YOUR DEVICE:
THE FIRST FILE: Write the following command:
Code:
fastboot --disable-verity --disable-verification flash boot (insert here the name of your magisk patched file, don’t forget to add the “.img” extension)
Example: My file is called magisk_patched-24300_UuPmm.img, so I wrote:
Code:
fastboot --disable-verity --disable-verification flash boot magisk_patched-24300_UuPmm.img
Don’t forget, write ./fastboot or any command’s variation you’ve been using so far.
THE SECOND FILE: Write the following command:
Code:
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
• Write this and you’re done:
Code:
fastboot reboot
Enjoy your rooted UMIDIGI A11 Pro Max!
This section was based on these guides:
https://topjohnwu.github.io/Magisk/install.html
https://forum.xda-developers.com/t/umidigi-a11-pro-max-rooted.4366121/
About getting FOTA/OTA updates (PLEASE READ THIS TOO OR YOU MAY LOSE YOUR ROOT SOMEDAY!!!):
First, what are FOTA/OTA updates? In short, you could say their function is similar to Windows updates. Usually, rooting with alternatives to Magisk, or installing a custom recovery, prevents you from getting them.
This is a rooting guide so, while I won’t help you get those updates, I can still give you this comprehensive guide:
https://www.thecustomdroid.com/install-ota-update-rooted-android-device-guide/
Lastly, the true reason I wrote this is to alert you that even if you don’t care about FOTA/OTA you still NEED TO DEACTIVATE THE AUTOMATIC UPDATES, otherwise you may lose your root someday or cause problems to your phone (you can search online for the technical reasons of this if you want). From now on, if you want updates, you’ll do it manually.
To deactivate them, go to Settings > System > Advanced > Developer options and turn off "Automatic system updates".
A useful thread about Magisk:
I’ll also leave you this sticky thread of XDA Developers, I’m sure it’ll help you in the future:
https://forum.xda-developers.com/f/magisk.5903/
AND THAT’S ALL, THANKS FOR READING!​
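What the two fastboot options in the "Patching images" section change, as an added example that is not part of the original post: --disable-verity and --disable-verification set bits in the flags field of the vbmeta header, and this read-only parser reports them. The header layout follows libavb's AvbVBMetaImageHeader; the sample headers are constructed here, not taken from any UMIDIGI image, and the function names are this example's own.

```python
import struct
import sys

# AvbVBMetaImageHeader: 256 bytes, big-endian (libavb, avb_vbmeta_image.h).
# magic, version major/minor, auth/aux block sizes, algorithm, eleven 64-bit
# offset/size/rollback fields, flags, rollback location, release string, reserved.
_HEADER = struct.Struct(">4s2L2QL11Q2L48s80s")
AVB_MAGIC = b"AVB0"

FLAG_HASHTREE_DISABLED = 1 << 0      # bit set by --disable-verity
FLAG_VERIFICATION_DISABLED = 1 << 1  # bit set by --disable-verification
_KNOWN_FLAGS = FLAG_HASHTREE_DISABLED | FLAG_VERIFICATION_DISABLED

ALGORITHMS = {
    0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096", 3: "SHA256_RSA8192",
    4: "SHA512_RSA2048", 5: "SHA512_RSA4096", 6: "SHA512_RSA8192",
}


def parse_vbmeta_header(data: bytes) -> dict:
    """Decode the fixed 256-byte header at the start of a vbmeta image."""
    if len(data) < _HEADER.size:
        raise ValueError("need %d bytes, got %d" % (_HEADER.size, len(data)))
    fields = _HEADER.unpack_from(data)
    if fields[0] != AVB_MAGIC:
        raise ValueError("not a vbmeta image: bad magic %r" % fields[0])
    flags = fields[17]
    return {
        "avb_version": (fields[1], fields[2]),
        "algorithm": ALGORITHMS.get(fields[5], "UNKNOWN(%d)" % fields[5]),
        "rollback_index": fields[16],
        "flags": flags,
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "unknown_flag_bits": flags & ~_KNOWN_FLAGS,
        "release_string": fields[19].split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def summarize(header: dict) -> str:
    """One-line statement of what the flags mean for verified boot."""
    if header["verification_disabled"]:
        return "verification disabled: descriptors are ignored, no partition is checked"
    if header["hashtree_disabled"]:
        return "dm-verity disabled: hashtree partitions are mounted without integrity checks"
    return "verification enabled: partitions are checked against this vbmeta"


def build_sample_header(flags: int, algorithm: int = 1) -> bytes:
    """Constructed 256-byte header for demonstration; no signature or descriptors."""
    return _HEADER.pack(AVB_MAGIC, 1, 0, 0, 0, algorithm, *([0] * 11),
                        flags, 0, b"constructed sample", b"")


def main(argv: list) -> int:
    if len(argv) > 1:
        # Inspect a real image file passed on the command line.
        with open(argv[1], "rb") as fh:
            samples = [(argv[1], fh.read(_HEADER.size))]
    else:
        samples = [
            ("sample, flags=0 (as shipped)", build_sample_header(0)),
            ("sample, flags=1 (--disable-verity)", build_sample_header(1)),
            ("sample, flags=3 (both options)", build_sample_header(3)),
        ]
    for name, blob in samples:
        hdr = parse_vbmeta_header(blob)
        print("%s\n  algorithm=%s flags=0x%x\n  %s"
              % (name, hdr["algorithm"], hdr["flags"], summarize(hdr)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

fastboot applies the bits to the copy it sends to the device, so the vbmeta.img file on the PC normally still reads flags=0; the state actually in effect is the one in a dump of the device's vbmeta partition.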
Thank you for this tutorial. I rooted my phone, but I have the orange state at each start, which lasts 30 seconds, then it starts normally. What is the problem, please? Thank you again.
hachelfig said:
Thank you for this tutorial. I rooted my phone, but I have the orange state at each start, which lasts 30 seconds, then it starts normally. What is the problem, please? Thank you again.
I've tried to find more about that because it kinda annoyed me too, but at the end, it seems to be some sort of "indicator" that you were able to successfully unlock your phone's bootloader. In any case, I'll keep searching and the guide will be updated if I find a way to remove that message.
I used this tutorial https://www.droidwin.com/how-to-remove-red-and-orange-state-warning-in-mediatek-devices/ and it works well thank you
Which vbmeta.img file am I using? When I unpack the file there are:
vbmeta_product.img
vbmeta-sign.img
vbmeta_system.img
vbmeta_sysem_ext.img
vbmeta_vendor.img
Which one should I be using to root?
Oops galeta, would it not have a custom rom or GSI compatible with the Umidigi A11 pro max? I've been looking for something like this for days and I haven't found anything like this, do you know something like this?
hachelfig said:
I used this tutorial https://www.droidwin.com/how-to-remove-red-and-orange-state-warning-in-mediatek-devices/ and it works well, thank you
I used this method! But my smartphone died! It shows no sign of life
Patrickcnnp said:
I used this method! But my smartphone died! It shows no sign of life
Everything went correctly! Then I ran FASTBOOT REBOOT and it no longer turns on
I am just wondering if anybody has managed to root the
Umidigi A13 Pro Max 5G
marisaleh said:
I am just wondering if anybody has managed to root the
Umidigi A13 Pro Max 5G
I haven't succeeded yet!
Patrickcnnp said:
I haven't succeeded yet!
UMIDIGI A13 Pro Max 5G is it a dual slot device?
Be aware guys,
I followed the same procedure above to root UMIDIGI A13 Pro Max 5G
I adapted the procedure to my phone, obviously
It didn't work, ended up with a completely damaged phone.
The only way to recover it was to flash it with the SPFT tool
using firmware mode of flashing,,,
I am just wondering if anybody has managed to
root UMIDIGI A13 Pro Max 5G YET....
marisaleh said:
Be aware guys,
I followed the same procedure above to root UMIDIGI A13 Pro Max 5G
I adapted the procedure to my phone, obviously
It didn't work, ended up with a completely damaged phone.
The only way to recover it was to flash it with the SPFT tool
using firmware mode of flashing,,,
I am just wondering if anybody has managed to
root UMIDIGI A13 Pro Max 5G YET....
I believe this might be a dual-slot device; this works only if it is.
Mchlbenner51 said:
I believe this might be a dual-slot device; this works only if it is.
Yes you are right I have just confirmed that using Treble Check app,
it is a dual slot device.
I will now give it another go, and report back
Thanks for your help
Yes Yes Yes
I have just finally succeeded in rooting the Umidigi A13 Pro Max 5G
Yes it is a dual slot device
I rooted it using this simple procedure:
flashed the latest stock rom from Umidigi
Patched boot.img using the latest version of Magisk Manager (magisk_patched.img)
With the phone unlocked and in fastboot mode, I run the following:
fastboot flash boot magisk_patched.img
fastboot flash vbmeta vbmeta.img
fastboot set_active a
fastboot reboot
The phone rebooted, I completed Magisk install
I now have full root
The orange state warning that pops up on reboot is annoying
and I don't know how to get rid of it yet.
I will be grateful if anyone can help!!!
marisaleh said:
Yes Yes Yes
I have just finally succeeded in rooting the Umidigi A13 Pro Max 5G
Yes it is a dual slot device
I rooted it using this simple procedure:
flashed the latest stock rom from Umidigi
Patched boot.img using the latest version of Magisk Manager (magisk_patched.img)
With the phone unlocked and in fastboot mode, I run the following:
fastboot flash boot magisk_patched.img
fastboot flash vbmeta vbmeta.img
fastboot set_active a
fastboot reboot
The phone rebooted, I completed Magisk install
I now have full root
The orange state warning that pops up on reboot is annoying
and I don't know how to get rid of it yet.
I will be grateful if anyone can help!!!
Does it say your bootloader is unlocked?
Mchlbenner51 said:
Does it say your bootloader is unlocked?
It says your device has been unlocked
and cannot be trusted
I'll be grateful if you can help me
get rid of it, it's annoying
marisaleh said:
It says your device has been unlocked
and cannot be trusted
I'll be grateful if you can help me
get rid of it, it's annoying
I don't have this phone yet.
I was pretty sure how to root it so left directions on how to do that.
For now I would leave it alone.
When I get this phone I will see what I can do about that.
Do not try the remedy that is in this post it could brick your phone.
Mchlbenner51 said:
I don't have this phone yet.
I was pretty sure how to root it so left directions on how to do that.
For now I would leave it alone.
When I get this phone I will see what I can do about that.
Do not try the remedy that is in this post it could brick your phone.
Thank you very much
I have rooted it with your help
You can see the procedure I
Followed, it's really easy
It's the orange state warning that
I don't know how to remove
I'll wait for your help on that
Mchlbenner51 said:
I don't have this phone yet.
I was pretty sure how to root it so left directions on how to do that.
For now I would leave it alone.
When I get this phone I will see what I can do about that.
Do not try the remedy that is in this post it could brick your phone.
Good news, I have just managed to remove the orange state warning
Used a Hex editor, modified the stock lk.img and flashed it in fastboot
fastboot flash lk lk.img
Very simple worked perfectly
I am still having a problem with changing selinux mode from
Enforcing to permissive.
I have tried all existing methods and workarounds
I even tried terminal commands like getenforce and setenforce
Nothing will work to change it to permissive
I think it's android 12 security
I will be grateful if anybody can help
Some mods like viper4android will only work if
selinux is in permissive mode

Question Can the P11 Plus be rooted?

Hi all. I'm new to the Lenovo space, so please bear with me. After some searching, I can't quite seem to figure out what the model number of the P11 Plus is? Can anyone enlighten me?
Tab P11 Plus | 11" Family Tablet
Meet the Lenovo Tab P11 Plus, an Android tablet featuring an 11" 2K display and quad speakers for immersive multimedia, plus Google Kids Space and Entertainment Space for family fun and education.
www.lenovo.com
Knowing that, can this particular model's bootloader be unlocked and the OS rooted? Cheers.
Found the model number: TB-J616F or TB-J616X
Android Upgrade Matrix - Lenovo Support US
support.lenovo.com
molohov said:
Found the model number: TB-J616F or TB-J616X
Android Upgrade Matrix - Lenovo Support US
support.lenovo.com
Have you found the answer whether the Lenovo P11 Plus (TB-J616F) model can be rooted?
I am thinking of buying this tab. Is it stock unlocked or is it not?
kanines said:
Have you found the answer whether the Lenovo P11 Plus (TB-J616F) model can be rooted?
The answer is yes.
First, using Rescue and Smart Assist, DL the latest rom for this model. I used TB_J616F_S000046_220311_ROW.
Next go to C:\ProgramData\RSA\Download\RomFiles\TB_J616F_S000046_220311_ROW and you will find the boot.img files. Copy it to a folder on the tablet. Remember where.... duh.
Install Magisk 25.2 which is the version that I used. Follow Magisk instructions to "patch" the copied boot.img file. When complete, copy the patch boot image file back to your Adb/Fastboot folder, normally X:\platform-tools.
Put your tablet in fastboot mode and run: fastboot flash boot <name of patched boot.img file>.
So, there's no need to ask questions as there are at least a bizzion guides on the internet on how to do a "Magisk boot.img patch and flash".
I am stuck on unlocking the bootloader as, when I use adb reboot bootloader. I am greeted with => FASTBOOT mode..., and when i go to fastbootd using recovery mode. I am stuck with Download is not allowed on locked devices, and when trying to unlock. Stuck with Command is not supported in default implentation.
levrx said:
I am stuck on unlocking the bootloader as, when I use adb reboot bootloader. I am greeted with => FASTBOOT mode..., and when i go to fastbootd using recovery mode. I am stuck with Download is not allowed on locked devices, and when trying to unlock. Stuck with Command is not supported in default implentation.
every android ive unlocked bootloader, you click on the build number in settings 7 times, after aprox 3 it shows a count down until its unlocked, then it depends on the device im pretty sure, it was diff between my phone n table so it depends on ur device here is some resources
Locking/Unlocking the Bootloader | Android Open Source Project
source.android.com
How To: Unlock Bootloader
How To Unlock Bootloader Galaxy A12. *** Disclaimer I am not responsible for any damage you made to your device You have been warned - Go to Settings -> About phone and find your build number. - Tap on your build number 6 times until you see...
forum.xda-developers.com
Unlocking the bootloader and rooting
DISCLAIMER: I WAS NEVER, HAVE NEVER BEEN, AND WILL NEVER BE RESPONSIBLE OF ANY DAMAGES AGAINST YOUR DEVICES BY YOUR OWN MIS-OPERATIONS # knox_bit_warranty:0x1 # # Your warranty is now void # # You have been warned. # # I will laught at you if you...
forum.xda-developers.com
there is a diff between download mode and fastboot, just so u know, you need adb and fastboot from Androids SDK tools, you can find online, depending on ur computers OS. Also, ADB commands work with ur device on n plugged into the computer fastboot is for commands when ur in fastboot mode
levrx said:
I am stuck on unlocking the bootloader as, when I use adb reboot bootloader. I am greeted with => FASTBOOT mode..., and when i go to fastbootd using recovery mode. I am stuck with Download is not allowed on locked devices, and when trying to unlock. Stuck with Command is not supported in default implentation.
I have the same issue!!! It seems a problem with the Fastboot mode.
19blacktiger77 said:
I have the same issue!!! It seems a problem with the Fastboot mode.
I solved!!!
I just had to download the latest version of ADB and Fastboot!
Hi. I rooted with this video.. it is in Portuguese, but the codes are in English, 15 minutes and it's done..
I also want to root this device but I am waiting for their Android 12 update. Is anyone running Android 12 ?
I've successfully rooted my Lenovo P11 Plus (J616F) tablet via the latest stock rom + Magisk 25.2, and it was much more painless than I'd thought it'd be. But I can't figure out how to get TWRP or any other custom recovery, and I'd be happy to hear if anyone has had any success with it...
HackVasant said:
I also want to root this device but I am waiting for their Android 12 update. Is anyone running Android 12 ?
Yes...
1.) Install USB drivers (I used this to detect fastboot mode: https://motorola-global-en-uk.custhelp.com/app/usb-drivers/)
>> NOTE: With your tablet in fastboot mode, you might have to go into device manager and manually update the drivers for your "unknown android device", pointing it to the usb drivers from the previous step)
2.) Install the latest ADB and Fastboot software
3.) Unlock your bootloader!
3a.) Enable developer options -> Enable OEM unlocking
3b.) Enter fastboot mode (turn tablet off then hold power + volume up until just after it vibrates)
3c.) With your device connected to your PC, type fastboot flashing unlock in command prompt
4.) Look for the current latest stock rom TB-J616F_S240138_221026_ROW_SVC.ZIP
5.) Extract it somewhere on your PC, and copy boot.img to somewhere on your device
6.) Install Magisk v25.2 on your device
7.) Follow the rest of the installation instructions here: https://topjohnwu.github.io/Magisk/install.html
If all went well, after rebooting you might get a warning about your device being in "Orange State" and therefore cannot be trusted because the bootloader was unlocked... This is normal, and your instinct might be to run the command fastboot flashing lock to get rid of it, but THIS IS A BAD IDEA because it could place your device into a "Red State" requiring you to unlock it again, effectively wiping your device
Can it play Redbox (free video app) OK after rooted?
If it's OK, I think Netflix and Amazon Prime will be OK as well
mingkee said:
Can it play Redbox (free video app) OK after rooted?
If it's OK, I think Netflix and Amazon Prime will be OK as well
Yes, but you will need to do the following...
1.) In Magisk, make sure you have Zygisk enabled in the settings
2.) Install this Magisk module, then reboot your device:
Releases · kdrag0n/safetynet-fix
Google SafetyNet attestation workarounds for Magisk - kdrag0n/safetynet-fix
github.com
3.) Use YASNAC (from the app store) to verify that you pass the safetynet check (it passes for me)
4.) Uninstall Netflix, then manually download and install the latest Netflix APK from your favorite APK site
I didn't test Redbox or Amazon Prime, but I would imagine it'd just be repeating step 4 for each additional app you wish to install
You can also read this for more detailed information about Magisk & SafetyNet:
SafetyNet:Magisk and MagiskHide Installation and Troubleshooting guide
www.didgeridoohan.com
SpectreCular said:
Yes, but you will need to do the following...
1.) In Magisk, make sure you have Zygisk enabled in the settings
2.) Install this Magisk module, then reboot your device:
Releases · kdrag0n/safetynet-fix
Google SafetyNet attestation workarounds for Magisk - kdrag0n/safetynet-fix
github.com
3.) Use YASNAC (from the app store) to verify that you pass the safetynet check (it passes for me)
4.) Uninstall Netflix, then manually download and install the latest Netflix APK from your favorite APK site
I didn't test Redbox or Amazon Prime, but I would imagine it'd just be repeating step 4 for each additional app you wish to install
You can also read this for more detailed information about Magisk & SafetyNet:
SafetyNet:Magisk and MagiskHide Installation and Troubleshooting guide
www.didgeridoohan.com
The reason I asked is that A12 can make those video apps not work even after passing SafetyNet and Play Integrity (2/3) with the apps installed
However, those apps work on OnePlus N200 and 8T but NOT on Moto Edge 2021
mingkee said:
The reason I asked is that A12 can make those video apps not work even after passing SafetyNet and Play Integrity (2/3) with the apps installed
However, those apps work on OnePlus N200 and 8T but NOT on Moto Edge 2021
Alright well I decided to take the time to check Redbox, and it works (or at least the Watch Free feature does)... And I don't have a prime account, but the prime video app makes it to the sign in screen, if that helps
SpectreCular said:
Alright well I decided to take the time to check Redbox, and it works (or at least the Watch Free feature does)... And I don't have a prime account, but the prime video app makes it to the sign in screen, if that helps
Good!
I will make a backup on mine (I have Yoga 11 and practically they're the same) and unlock the bootloader and root it.
The reason why I root it so I can do adb on other device without laptop.
Actually, I have a lot of experience to root variety of machines, but what happened on Edge 2021 A12 puts me on hold on other Moto/Lenovo
I have Netflix and cable apps (Sling and Philo) and Discovery+.
Well just so we're on the same page, the steps I've posted were specifically for J616F, so your mileage may vary if you're using a different device. Also, I would maybe use a more specific stock ROM, since the one I posted is also specifically for J616F
SpectreCular said:
Well just so we're on the same page, the steps I've posted were specifically for J616F, so your mileage may vary if you're using a different device. Also, I would maybe use a more specific stock ROM, since the one I posted is also specifically for J616F
I have to make it clear. I have both P11 plus and Yoga 11
I have the P11 Plus J616F model and cannot get the device to unlock after many attempts with wiping the device, reinstalling firmware and reinstalling device drivers. Does failed (unknown status code) after (bootloader) sysytem-fingerprint:Lenovo/TB-J616F/TB-J616F:12/SP1A.210812.0 mean anything to anyone? I can adb reboot recovery; from recovery I can use the keys to choose fastboot, and the tab goes into fastbootd and fastboot devices returns my device. fastboot flashing unlock starts but ends with the failed message above. fastboot getvar all returns a bunch of information about the device but also stops with the same failed message. If I choose reboot bootloader using the keys on my tab while in fastbootd, the tab reboots to FASTBOOT... and shows up in device manager as you would expect, but typing fastboot flashing unlock returns waiting for device. Any thoughts or ideas would be greatly appreciated.

HCU Unlocking credits (no longer) available

I accidentally purchased credits for dc-unlocker/HCU instead of the three day option (which I have since purchased and used to unlock my bootloader using a hardware TP) so if these are of any use to someone else let me know.
Hello. Can i use that to unlock my P20 Pro?
flaryx said:
Hello. Can i use that to unlock my P20 Pro?
Unfortunately they're no longer available, but you can use the same software to unlock the P20 Pro like I did. It's a little bit of a process, but I've got notes from when I did it if you are interested and I think I spent about 20 EUR for the 3 day licence of dc-unlocker/HCU. In the end I did it with the hardware test point because my back cover was loose and I intended to replace the battery anyway (it was bulging)
asozio said:
Unfortunately they're no longer available, but you can use the same software to unlock the P20 Pro like I did. It's a little bit of a process, but I've got notes from when I did it if you are interested and I think I spent about 20 EUR for the 3 day licence of dc-unlocker/HCU. In the end I did it with the hardware test point because my back cover was loose and I intended to replace the battery anyway (it was bulging)
Can you tell me the process please. I was thinking of buying the 3 day license or MOS but i don't know if I can do it or not (don't have any expertise on anything hardware related)
flaryx said:
Can you tell me the process please. I was thinking of buying the 3 day license or MOS but i don't know if I can do it or not (don't have any expertise on anything hardware related)
I unlocked my P20 Pro using a hardware testpoint, the HCU software, and a lot of time. I would suggest reading the information below, gathering all the tools/software/ROMS/IMGS you need and asking any questions before you purchase a licence or attempt this process.
WARNING!!!! THIS WILL ERASE YOUR PHONE COMPLETELY!!!
I would suggest making sure if you are going to purchase the 3 day license (this is what I did) that you are available to work on the phone for a couple of days (maybe buy it just before the weekend?) as if you run into any issues you won't have much time to fix them.
WARNING!!!! THIS WILL ERASE YOUR PHONE COMPLETELY!!!
BE CAREFUL TO PURCHASE THE THREE DAY LICENSE AT THE CHECKOUT NOT THE CREDITS (I MADE THIS MISTAKE AS YOU CAN PROBABLY TELL FROM THIS THREAD)
Otherwise, the steps I went through are below, as well as some of the links to things I found helpful during the process:
1. SOFTWARE VERSION - It was not possible to unlock the bootloader on version 10 of the OS, so you will require HiSuite (https://consumer.huawei.com/au/support/hisuite/) to downgrade or dc-phoenix to flash an earlier version. I used 9.0.0.168 for my phone (Model: CLT-L29) so will reference that in all the steps below, but use the corresponding version for your phone (whichever you downgrade to from HiSuite should be fine?)
2. TESTPOINT - I used the hardware test point (next to the camera once the back cover is removed) but apparently this is possible using the software test point process (I am uncertain of the exact process for this, but there is a guide on the dc-unlocker site somewhere)
3. ADB/FASTBOOT RECOVERY UNLOCKING - Once the HCU software has provided a new code (or if you already have one) you can use fastboot oem unlock <code> where the <code> is the bootloader unlock code to unlock.
WARNING!!!! THIS WILL ERASE YOUR PHONE COMPLETELY!!!
4. ALTERNATIVE OS INSTALLATION - In my case I installed LineageOS 16 using an old guide (https://web.archive.org/web/20210726230701/https://depl0y.com/posts/P20-Pro-LineageOS-Guide/) which will only work (even the official version) if you patch the Lineage installation (update-script requires editing or replacement)
Install TWRP
Enable USB debugging
adb reboot bootloader
fastboot flash recovery_ramdisk twrp-3.7.0_9-0-charlotte.img
Hold VOL-UP & VOL-DOWN
fastboot reboot
You should now be in TWRP.
Flash LineageOS (and gapps)
In TWRP go to Advanced > ADB Sideload
adb sideload lineage-16.0-20210211-nightly-charlotte-signed-modified.zip
adb sideload open_gapps-arm64-9.0-nano-20220215.zip
In TWRP go to Reboot > Bootloader
fastboot flash recovery_ramdisk RECOVERY_RAMDISK_9.0.0.168.img
fastboot reboot recovery
You should now be in the stock recovery. If not, boot into stock recovery
Select Wipe data / factory reset
Reboot system now
THE P20 WILL ONLY BOOT WITH THE STOCK RECOVERY, SO REPLACE IT AFTER USING TWRP
5. WEBVIEW FIX FOR GOOGLE APPS - DO NOT SET UP WIFI DURING INSTALL!
Download com.google.android.webview.apk from apkmirror and copy to the device. Install using the default file manager and reboot the phone. Sign in to Google and update webview, google apps, etc
6. ROOT ACCESS - MAGISK
Install apk (copy to storage and run from files) for Magisk and patch RECOVERY_RAMDISK_9.0.0.168.img.
Reboot into bootloader and flash to recovery: fastboot flash recovery_ramdisk RECOVERY_RAMDISK_9.0.0.168_magisk_patched-25200_8akQl.img
TO BOOT PHONE WITH ROOT BOTH VOLUME UP AND POWER BUTTONS NEED TO BE HELD AT STARTUP!
