[DEV] S7 Active Bootloader Unlock Development - Samsung Galaxy S7 Active Questions & Answers

This thread is for people currently working on unlocking the Galaxy S7 Active bootloader.
Developers only. If you do not want to help unlock the device, please do not post in this thread.
Here are possible attack vectors -- let me know if you are aware of any others:
1. crafted boot.img that breaks the signature check
2. find odin memory corruption vulnerability (highly considering this)
3. try to enable developer mode during boot (maybe possible through devcfg partition).
4. break signature crypto
5. extract primary bootloader -- overwrite keys that verify aboot.

Related

[Q] Technical Questions about Boot Process and Partition Handling..

Hi there !
I just registered to this huge forum full of ressources and so many stuffs to dig in.. I own a Z1 Compact I bought last week and got into mods etc.. This is my first Android device and therefore got into it for the first time.. and what a world.. so many things over here..
As a developper, I'm getting interested in this environment so I first tried to gain access to this unix-based system called Android in order to see how this works..
Here my first steps: I needed to be root on this device..okay.. through tutos I read, I needed to unlock bootloader then I needed to install a new boot called ClockWorkMod (I believe this is a boot, according fastboot argument I supplied..) to allow me running the SuperUser script to be root. Afterwards, I backed up my TA partition..
Okay, these steps were done pretty out of the box, without Android knowledge so far.. Now, I'm about to install busybox for tools I'm used to use on every linux platforms.. but I really lack Android knowledge about Android partitioning system (I came across TA partition, /boot, /data what else ??), content, permissions management.. in few words, Android philosophophy So guys, do you know good web ressources around my questionings so that I can start properly and the right way
I'd really like to contribute in a humbly manner, I've already developped upon ARM platforms with realtime OS and many stuffs around linux kernel, so if you guys had any suggestions for low-level dev and Android in-depth ressources etc.. I'd be grateful
Thanks a lot.
PaowZ said:
Hi there !
I just registered to this huge forum full of ressources and so many stuffs to dig in.. I own a Z1 Compact I bought last week and got into mods etc.. This is my first Android device and therefore got into it for the first time.. and what a world.. so many things over here..
As a developper, I'm getting interested in this environment so I first tried to gain access to this unix-based system called Android in order to see how this works..
Here my first steps: I needed to be root on this device..okay.. through tutos I read, I needed to unlock bootloader then I needed to install a new boot called ClockWorkMod (I believe this is a boot, according fastboot argument I supplied..) to allow me running the SuperUser script to be root. Afterwards, I backed up my TA partition..
Okay, these steps were done pretty out of the box, without Android knowledge so far.. Now, I'm about to install busybox for tools I'm used to use on every linux platforms.. but I really lack Android knowledge about Android partitioning system (I came across TA partition, /boot, /data what else ??), content, permissions management.. in few words, Android philosophophy So guys, do you know good web ressources around my questionings so that I can start properly and the right way
I'd really like to contribute in a humbly manner, I've already developped upon ARM platforms with realtime OS and many stuffs around linux kernel, so if you guys had any suggestions for low-level dev and Android in-depth ressources etc.. I'd be grateful
Thanks a lot.
Click to expand...
Click to collapse
Welcome in the exciting world of Android! I am by no means a programmer, but I have been here for a while and will just explain a few things I think are helpful. If it's stuff you already know, feel free to ignore it.
Important things first: I hope you have made a Backup of your TA-Partition before unlocking the bootloader. Unlocking the bootloader modifies the TA- partition. It is not possible to undo it if you d not have a backup. Flashing someone else's TA will brick your device!
If I am not mistaken, the TA is mainly used to verify that the phone is in original condition e.g. not modified.
Unlocking the Bootloader (BL) removes Sony's DRM-Keys from the partition, because unlocking enables you to get root access and copy all the protected stuff anyways. The result is that you loose access to some of sony's services and the use of XReality engine.
Unlocking the BL breaks the Sony Update Service, but if you unlocked with Flashtool, you will be able to relock easily. Do only relock while on a stock kernel, else the phone won't boot because it detects modified firmware.
AFAIK root is a function of the kernel, as is ClockWorkMod Recovery (CWM). they come included in, for example, DooMKernel.
Superuser and SuperSU are apps that allow you to manage root acces, giving it to the apps that need it, and stopping bad apps from getting it.
Recovery and fastboot *for me* something like a secondary boot partition. I don't know if that's technically correct, but even if the system is unbootable, you can boot into CWM and work from there.
TWRP (TeamWin Recovery Project) is another custom recovery that allows you to do interesting things.
Do not mess with the BL and TA more than necessary. A broken TA, aswell as a messed-up BL, can prevent you from booting. As long as the BL is functional and you can get into Flashmode or fastboot mode, the phone can be saved.
If/when you have root, use Terminal Emulator from Google play to find partitions.
for more tecnical aspects, go over to the "Original Android Development" forum for the Z1C. Be aware that you need a minimum uf 10 posts to be able to post there. They are a little picky about the quality of your posts.
LINKS
http://forum.xda-developers.com/wiki/Android
https://developer.android.com/index.html
https://source.android.com/
http://en.wikipedia.org/wiki/Android_(operating_system)
http://www.google.com :angel:
Hi Coirpre !!
Thanks a lot for the tips
Important things first: I hope you have made a Backup of your TA-Partition before unlocking the bootloader. Unlocking the bootloader modifies the TA- partition. It is not possible to undo it if you d not have a backup. Flashing someone else's TA will brick your device!
Click to expand...
Click to collapse
Unlocking the Bootloader (BL) removes Sony's DRM-Keys from the partition, because unlocking enables you to get root access and copy all the protected stuff anyways. The result is that you loose access to some of sony's services and the use of XReality engine.
Click to expand...
Click to collapse
Well, this step is pretty confusing, since *they* indeed advise you to proceed to TA backup before any BL unlocking but before running the script that saves your TA, you need to be root.. and thus, to load CWM and guess what ? Need to unlock BL to install CWM.. Unless I missed something, it looks a bit weird..
Anyway, I unlocked through the use of FlashTool utility and apparently it hadn't compromised XReality nor TrackID either.. (I read somewhere TrackID app won't start if your DRM are broken.. true ??)
Do not mess with the BL and TA more than necessary. A broken TA, aswell as a messed-up BL, can prevent you from booting. As long as the BL is functional and you can get into Flashmode or fastboot mode, the phone can be saved.
Click to expand...
Click to collapse
This is one of my first questioning.. Usually, if you consider a mainstream PC, you have a piece of code we formerly called a BIOS before EFI system, this BIOS launchs a bootloader (GRUB/LILO whatever.. for linux or NTLDR for Win) and even if you wipe this bootloader, you can always rewrite a fresh one and the BIOS will then start it and the OS to start as well.. You just need to boot upon another medium to restore/install a bootloader, the BIOS is not altered.
But in this device, it appears one can hard-break the unit, solely by messing with BL/TA partitions.. like if there wasn't any BIOS equivalent.. When you say As long as the BL is functional [..] you can get into Flashmode/Fastboot mode I wonder how that piece of code responsible of this feature is not hard-coded in a ROM.. Powering up this device while gently pushing a hardware button is usually processed by a hard-coded system - the BIOS. Just like when you hold pressed the Power button of your running PC, this is the BIOS which interprets this command as a "Shut down right now !!" this is not the role of a bootloader.. I have to know more about Sony system
Thanks for the links, btw
There is a way to root and install CWM without unlocking the bootloader.
BTW Root is allowing us to modify /system and unlocking to change kernel.
/system partition is same as C:/WINDOWS on PC.
Only, on android this is prohibited. And you gain access by rooting it.
So, if you want to root you insert a few apps and scripts to /system. Since it's prohibited developers find exploits to insert those files to /system by various tricks.
That's how you are rooted without unlocking the bootloader. And that's how you can backup your TA before unlocking the bootloader.
And, yeah, CWM can be inserted to /system as well as in kernel. But it's better to be in kernel since it won't be easily wiped out when you screw up something.
Basically, what you did is unlock the bootloader (lost DRM?) > insert CWM to kernel > Use CWM to root.
But don't worry, one couldn't care less about DRM. You don't need that for anything. And I heard Sony fixed removing DRM issues by unlocking the bootloader on latest firmwares but I'm not sure.
And about BIOS, yeah...I was wondering about that as well. But for sure if you mess up with boot.img that you flashed phone won't be able to recover / must go to the service. That's a good question why. Anyone could tell me more about that?
PaowZ said:
Well, this step is pretty confusing, since *they* indeed advise you to proceed to TA backup before any BL unlocking but before running the script that saves your TA, you need to be root.. and thus, to load CWM and guess what ? Need to unlock BL to install CWM.. Unless I missed something, it looks a bit weird..
[...]
I have to know more about Sony system
Click to expand...
Click to collapse
As option58 said, you can root using exploits. Unlocking is the official way provided by sony. However, there are always some hacks which can get you root without unlocking. That way you can back up TA without unlocking. On this device it is quite a hassle and involves flashing japanese and english firmwares...
Some of it is Sony, mainly the TA stuff they integrated for security and modification-checking. The boot process however is probably more or less the same on all android devices.
Option58 said:
And about BIOS, yeah...I was wondering about that as well. But for sure if you mess up with boot.img that you flashed phone won't be able to recover / must go to the service. That's a good question why. Anyone could tell me more about that?
Click to expand...
Click to collapse
I agree that there must be something hardcoded that runs after the power button is pressed, but it probably is not enough. Notice that the device must be acessible (R/W) to restore a messed up BL, which is probably only the case after boot is completed. So:
Buttonpress --> BIOS --> BL (Whichever mode) --> partitions acessible. So If you can not get past the BL, you can not access the memory and thus not fix the BL.
But I am just speculating, so either we get some knowledgeable people in here, or someone has to read it up/google it.
[EDIT:] Oh, and by the way, PaowZ, can you change the topic to something more descriptive, "technical questions about boot process and partition handling" or something? maybe that will attract knowledgeable people...
Buttonpress --> BIOS --> BL (Whichever mode) --> partitions acessible. So If you can not get past the BL, you can not access the memory and thus not fix the BL.
Click to expand...
Click to collapse
I'm almost sure there must be a way to access to raw flash r/o through addressing.. at least from some pin-outs on the motherboard of the Z1C..
I don't know S1 flashing protocol, maybe there is a way to force writes at a specific address, provided we could know start addresses of each partition..
This is actually what I do when I have to deal with ARM devices through a rs232 port.. I can flash wherever I want and too bad if I make a typo in the address. The device just won't load up anything, but it won't hard-brick anything..
PaowZ said:
I'm almost sure there must be a way to access to raw flash r/o through addressing.. at least from some pin-outs on the motherboard of the Z1C..
I don't know S1 flashing protocol, maybe there is a way to force writes at a specific address, provided we could know start addresses of each partition..
This is actually what I do when I have to deal with ARM devices through a rs232 port.. I can flash wherever I want and too bad if I make a typo in the address. The device just won't load up anything, but it won't hard-brick anything..
Click to expand...
Click to collapse
well, this thread might interest you...
and I found this by chance, you were interested in the partitions:
Android-supported hardware shares some common features due to the nature of the operating system. The Android OS is organized into the following images:
Bootloader - Initiates loading of the boot image during startup
Boot image - Kernel and RAMdisk
System image - Android operating system platform and apps
Data image - User data saved across power cycles
Recovery image - Files used for rebuilding or updating the system
Radio image - Files of the radio stack
Click to expand...
Click to collapse
However: this topic is far beyond my knowledge, at the moment I have just started learning Java to start tinkering with Android on app-level. You will have to find out by yourself. However, I am VERY interested in what you find, because these thingsa are always good to know. There are a lot people from the forums which could help you. Just go read a bit in the "Original Android Development" subforum to find the good people
In the Google's YouTube channel there are quite many deep dive videos for multiple aspects of the Android system.
Use the search Luke ?
As far as I read this thread it is too late to make TA backup.

New build TWRP for only Realme Q support flash ozip

Hello . twrp only for realme Q stable
Link download : <Mod edit>
Link vbmeta support root , rom mod : <Mod edit>
Changelog
Modify the optimization project:
* Delete redundant languages, keep English, add Chinese language, default Chinese.
* Modify the default configuration, for example, the default time zone is East Eight Zone, default screen brightness, default vibration, default 24 hours, default return button on the right, default Chinese and so on.
* Modify the default configuration file path to reduce the possibility of conflicts with other people's compiled versions.
* Adjust and optimize the Chinese text and description, and re-edit all the items one by one to make it more accurate, understandable and humanized. Also added display mtp enable off display, file operation result display, operation page title display, permission description when modifying permissions, etc. UI text display.
* Modify the unlocking interface and adjust the height of the sliding unlocking bar, which can effectively prevent misoperation (the original unlocking bar and the operating unlocking bar are of the same height. When the unlocking is completed, the sliding may be repeated, and the corresponding action is directly operated).
* Open more partition backup and restore, such as modern baseband partition, bootloader, persist, cust and other partitions, easy to backup the underlying files before brushing, can restore the underlying files after brushing.
* Add .bin and .mbn format image files, so you don't need a zip brush package, you can write the underlying file. The original version only supports the brushing of .img format image files. (Be sure to pay attention to the right partition!!!!)
* Solve the problem of interface jam when using the simulation operation (the simulation operation is mainly for testing the theme, and no actual operation).
* Add the manual installation root function in Advanced Options > root system. Add a display root system option on this basis for manual operation.
* Added the ability to unenforce encryption, in advanced options > Unforce Encryption. You can remove the official system to force encryption and cancel the check.
* Change the built-in root mode and add magisk as the default root mode.
* Fixed button and button operations for some interfaces.
* The adb/usb debug mode is enabled by default, which is convenient for operating the phone through the computer command line in rec mode.
* MTP is enabled by default. In the rec state, you can also connect your phone to your computer to facilitate file copying.
* Modify the logo interface, modify the main interface page header, and add the display phone model and team name, author name.
* Fix some logical relationships and modify some interface displays.
* Added clear root function
* Added clear power-on password function
* Added ability to clear battery information
* Increase signature boot function
* Restore official rec function, need official boot and system system to operate successfully
* Increase the option of restarting after the automatic upgrade is completed. In the twrp setting, the default is automatic restart. If you uncheck the box, you can either not restart, and it is convenient to perform some operations after the automatic upgrade to prevent twrp from being overwritten.
* Increased avb2.0 verification function
important:
1. This rec supports data partition automatic decryption, encrypted data can be used normally under rec without formatting.
Please do not arbitrarily brush into the recue of unknown origin, it is likely that the data data can not be decrypted, and the data is completely lost.
The official default is to lock the password to encrypt the data. To enter twrp, you need to enter the lock screen password.
2. This rec supports the official original full-size ozip card brush package.
3. You must unlock the bootloader to brush the third-party rec. Please unlock the BL.
4. Built-in root system / remove root function, through the root system, can not only remove dm check, but also enable the system to obtain root privileges.
5. Built-in remove dm checksum and cancel the forced encryption function. Through certain operations, you can remove the official data forced encryption (the person who knows how to operate naturally).
6. Prevent the functions covered by the official rec (any one can be): root system, signature boot, remove dm check, cancel forced encryption, etc.
7. After the card is officially packaged, it is recommended to turn off the avb2.0 check, otherwise it may cause the boot prompt system damage due to root! ! !
8. If the boot prompt system is damaged due to root, etc., you can use the fastboot line to brush boot.img or brush the verification vbmeta to restore normal! ! !
Sounds good. Will I be able to flash lineage os, opengapps pico and latest magisk with this recovery? I don't want anything else complex.
---------- Post added at 06:13 ---------- Previous post was at 05:59 ----------
Says failed to mount /system_root (invalid agument) error: 7 while trying to flash anything from it.
Rom LG16 support only realme 5pro india...realme Q from china no support
29y6145 said:
Rom LG16 support only realme 5pro india...realme Q from china no support
Click to expand...
Click to collapse
Then why the hell is realme q in the title?
Btw after 10 minutes of showing decrypting ozip file I got an error, invalid argument.
29y6145 said:
Rom LG16 support only realme 5pro india...realme Q from china no support
Click to expand...
Click to collapse
what is the codename for Rm5P india? is it same like global (RMX1971EX)?
rah_asia said:
what is the codename for Rm5P india? is it same like global (RMX1971EX)?
Click to expand...
Click to collapse
Yes.
Contacted developer of this Chinese twrp and even he himself said that we shouldn't try to flash custom rom, magisk.zip or gapps package with it for it can't really flash anything else but stock rom and inbuilt magisk 20.0 that is embedded in twrp itself. So aside from rooting color os or installing stock rom in case of hard brick this twrp pretty much useless for custom rom development, testing, flashing or migrating.
greenys' said:
Contacted developer of this Chinese twrp and even he himself said that we shouldn't try to flash custom rom, magisk.zip or gapps package with it for it can't really flash anything else but stock rom and inbuilt magisk 20.0 that is embedded in twrp itself. So aside from rooting color os or installing stock rom in case of hard brick this twrp pretty much useless for custom rom development, testing, flashing or migrating.
Click to expand...
Click to collapse
So, is problem so difficult to overcome that developers can't build proper twrp?
555frost555 said:
So, is problem so difficult to overcome that developers can't build proper twrp?
Click to expand...
Click to collapse
No. The developers are just lazy and most of time they're not in the mood for it for they mostly own RM5P instead of RMQ. However, @thesprintster compiled a theoretically working twrp for our RMQ devices. We're waiting for him to release so we could test it. On the other hand seemingly even roms need a few lines of change so they'll work on Realme Q. It's a huge pain in the ass but it seems RM5P roms won't work on RMQ even with proper recovery these roms need to be changed, recompiled ?* So yeah. This sucks.
greenys' said:
No. The developers are just lazy and most of time they're not in the mood for it for they mostly own RM5P instead of RMQ. However, @thesprintster compiled a theoretically working twrp for our RMQ devices. We're waiting for him to release so we could test it. On the other hand seemingly even roms need a few lines of change so they'll work on Realme Q. It's a huge pain in the ass but it seems RM5P roms won't work on RMQ even with proper recovery these roms need to be changed, recompiled ?* So yeah. This sucks.
Click to expand...
Click to collapse
God, damn it!
Not for nothing that I bought RM5P
"...even roms need a few lines of change..." - it means that there are differences between RM5P and RMQ. What are they like?
555frost555 said:
God, damn it!
Not for nothing that I bought RM5P
"...even roms need a few lines of change..." - it means that there are differences between RM5P and RMQ. What are they like?
Click to expand...
Click to collapse
Dunno. I've never successfully compiled a working
... thing in the past 10 years even though I followed step by step tutorials so I gave up on compiling Android stuff. All I can do is to bug devs to do the work instead of me but I can do that relentlessly thus it bears fruit more or less often. Ask thesprintster about it. I'm bugging him to make that flashable lineage os soon and after that I'm done for good.
THREAD CLOSED!
@29y6145 Please consult the inbox of your private messages.

[ROOT] Magisked Boot Images (XT2071-5)

Magisked Boot Images​
Disclaimer
I only support devices I own. Do not create issues if you are using any other type of config other than what I've listed.
DO NOT CREATE ISSUES ASKING FOR ETA, SUPPORTING ANOTHER MODEL, OR ANYTHING LIKE THAT. YOU WILL NOT LIKE MY RESPONSE. READING IS FUNDEMENTAL. I WILL ONLY SUPPORT A DEVICE THAT I OWN. I WILL NOT GIVE ETAS. I DO NOT NEED TESTERS. AS WITH ANY OTHER ROM OR RECOVERY, I AM NOT RESPONSIBLE FOR ANYTHING THAT MAY HAPPEN TO YOUR DEVICE. UNLOCKING YOUR BOOTLOADER VOIDS YOUR WARRANTY.
What Is It
I've released magisked boot images of the latest update for the XT2071-5 (QPSS30.205-Q3-43-51-13-4). While this may work on other devices/firmwares, I don't provide any form of support for anything other than the configuration above due to different regions having different configurations. I have provided both slot A/B versions of the boot image, both stock and magisked, although fastboot boot will serve you quite well. In order to use this, your boot loader must be unlocked.
Issue Template:
Detailed description of what's happening (Saying calls don't work or phone won't turn on doesn't tell me a thing. I need a detailed description of the issue.)
Screenshot if possible
Logcat (DO NOT PASTE LOGCAT IN ISSUE. USE PASTEBIN OR OTHERS AND PASTE LINK IN ISSUE).
Build Number
Links:
- XDA Forum: https://forum.xda-developers.com/t/root-magisked-boot-images-xt2071-5.4250961/
- File Directory: https://github.com/TheNameIsNigel/misc_files/tree/main/moto/smith

Flash international ROM to Tmobile/Metro w/ locked bootloader

MAJOR UPDATE: Managed to flash Global stock rom to the MetroPCS variant​
Pros: Stock Oneplus and everything works
Cons: OEM unlock is still greyed out
Before you go any further:
THERE IS NO ROOT FOR THIS DEVICE WITH A LOCKED BOOTLOADER (YET). THIS THREAD IS FOR THE DEVELOPMENT AND TESTING OF METHODS TO ACHIEVE THIS.
Just got this device from MetroPCS this week and love this device. However I found out very quick that you have to be with MetroPCS for 180 days before you can get unlocked. To unlock the bootloader you have to be sim unlocked from the carrier.
This thread will be for development of a working root process for others to offer perspective. Feel free to try to replicate at your own risk. If anyone is interested in these files/tools let me know and I will publish more links.
;Download international and metro ROM and MSM tool from these thread (thanks to @Some_Random_Username)​International
MetroPCS
This download will include the latest MSM Download Tool
The work around that I found does not need MSM to be patched
;TOOLS
download and extract oppo decrypt master
unpack and repack .OPS files for use with MSM Download Tool 4 .exe
----------------------------------------------------------------------------------------------------------------------------------------------
Method​----------------------------------------------------------------------------------------------------------------------------------------------
TD;RL:
Extract the .ops file, open settings.xml replace the project ID, repack
Set up:
1. Download international zip and metro zip from above, extract into 2 seperate folders and delete billie8t_14_O.01_201218.ops in the metro folder
2. have adb installed
3. Install python3 and prereqs for oppo decrypt master
Extract .ops, edit and flash:
1. unzip the zip file with the .ops file from both folders and move it to the folder with oppo decrypt
2. run "python3 opscrypto.py decrypt billie8_14_O.01_210128.ops" (decrypt both .ops files from each firmware, the first one being the metro and get the /extract/settings.xml file and open it. we will need info from it)
3. Now extract the international firmware with opoo decrypt and open the extract folder
4. open "settings.xml" from both firmwares in your favorite editor
6. Change the following in the international settings.xml: Project=20886 to Project=20885 and ModelVerifyRandom= (THESE NEED TO BE EXACTLY WHAT ARE IN THE METRO SETTINGS.XML file)
6. Save the file
7. run "python3 opscrypto.py encrypt extract". This will create a file called out.ops
8. Once finished place out.ops into the metro firmware folder and rename to "billie8t_14_O.01_201218.ops"
9. With your phone turned on, plug your phone into the computer
10. Open MSMdownloadtoolv4.0.exe and press start
11. Run "adb reboot edl"
12. Your computer should recognize and start the download.
13. Wait a while and it will reboot.
Here is my working files for anyone who wants to tinker
Includes MSMdownloadtools, modded OPS file and (edited settings.xml and patched recovery.img inside OPS)
Updated downloads include:
Decrypted Metro OPS (IMGs, BIN, etc)
Metro to Global (OPS)
Metro to Global w/ magisk patched recovery (ZIP)
Google Drive - Updated 7/11/2021
Hi!,
Did you try this method:
Root N10 using Magisk
Warning: I'm not responsible for any damage or bricked phones! Mirror for all OxygenOS images General Info: You need adb and fastboot installed and should know how to use it TWRP is not needed You must do this process only once...
forum.xda-developers.com
?
I have reviewed that method, however it seems to only work with the EU and Global version of the phone. With the US version being on TMobile or MetroPCS (which is owned by TMobile) the "OEM" unlock is greyed out.
To be able to unlock the bootloader I have found that you have to do the following:
1. On MetroPCS you have to have the phone for 180 days.
2. Once that 180 days is up you have to apply to get the device unlocked from their network.
3. After the device gets unlocked from the network you can then use "OEM unlock" in the settings.
4. Then you have to apply to OnePlus with IMEI, serial and unlock code (fastboot get_unlock_code)
5. Wait a week
6. They send you the unlock.
To me this is ridiculously convoluted.
I don't want to have to wait 6 months to start modding
Some other OnePlus devices (6t Tmobile specifically), you use a patched/modified MSM tool to flash the firmware, and it bypasses the device checking if its meant for the device or not. From there, you can unlock the bootloader and you're all set.
Try that, link to the 6t instructions below, I'd wonder if it works on the n10. If I had a carrier locked one, I'd try it, but I got my n10 5g from an amazon return pallet lol
T-Mobile 6T to International Conversion (WITHOUT unlocked bootloader/SIM unlock!)
In the previous thread, we discussed a method to convert T-Mobile 6T's to the international variant, sort of, but it required an unlocked bootloader, which itself requires a SIM unlock which T-Mobile gives people a hard time about. However, it...
forum.xda-developers.com
Thank you. Will give it a shot. Are the MSM download tool specific to the device? If not I will give this a shot tomorrow. Any idea how it is patched?
I believe MSM tool is device specified. So I assume you use the Metro MSM and load a modified .OPS from US Retail unlock model? or anything I'm missing? I don't think MSM is included in official oneplus firmware zip.
MSM comes included with the ops firmware. But according to another thread on here
"Crossflashing regional builds is no longer possible by EDL, flash is tied to device project ID. For reference EU devices project ID is 20889 while international devices project ID is 20886."
With that being said. I was able to flash modified Metro firmware (patched ramdisk in boot.img) as noted earlier. So perhaps I can try extracting firmware for the global version and metro, replace any project ID in global with metro project ID and attempt to flash the firmware.
Alternatively we can try to patch the Metro MSM tool like the one used for the 6T above.
ieatgravity said:
MSM comes included with the ops firmware. But according to another thread on here
"Crossflashing regional builds is no longer possible by EDL, flash is tied to device project ID. For reference EU devices project ID is 20889 while international devices project ID is 20886."
With that being said. I was able to flash modified Metro firmware (patched ramdisk in boot.img) as noted earlier. So perhaps I can try extracting firmware for the global version and metro, replace any project ID in global with metro project ID and attempt to flash the firmware.
Alternatively we can try to patch the Metro MSM tool like the one used for the 6T above.
Click to expand...
Click to collapse
If I had one to test, I'd try it myself. I don't think it's device specific, but it might give you an error, much like Galaxy Devices do on device, if you flash firmware that doesn't match and it knows it doesn't match
You used to be able to flash Chinese firmware to Galaxy Tab A 10.1 tablets to get around FRP because there's no google apps on older Galaxy Tablets for the Chinese region. You'd flash the chinese firmware with patched odin, go through setup, go back to odin, flash US firmware, and it'd get around frp... that no longer works because they added a check into the bootloader itself.
KaptinBoxxi said:
If I had one to test, I'd try it myself. I don't think it's device specific, but it might give you an error, much like Galaxy Devices do on device, if you flash firmware that doesn't match and it knows it doesn't match
You used to be able to flash Chinese firmware to Galaxy Tab A 10.1 tablets to get around FRP because there's no google apps on older Galaxy Tablets for the Chinese region. You'd flash the chinese firmware with patched odin, go through setup, go back to odin, flash US firmware, and it'd get around frp... that no longer works because they added a check into the bootloader itself.
Click to expand...
Click to collapse
I saw the 6T had a patched MSMdownloadtool but according to another post on here for the ubrick guide for this specific variant cannot be patched because it has some anti-debugging code built in.
With that said. I noticed the files you get for the MSM tool has two .DLL files (which could be device specific) that the MSM download tool uses. Also since it is possible to flash modified .OPS it might be possible to still flash the Global version. I saw one guide on the 6t that after you flash the global rom from MSM you get the same error I received with the modified .OPS (patched bootloader) I flashed. Error was "your device cannot be trusted and will not boot". But they took it a step further and ran "fastboot OEM unlock critical" and the bootloader unlocked and booted.
If this device wasn't my daily I would have attempted this by now.
I was able to flash the Global stock Oneplus rom using MSM download tools to the MetroPCS Nord N10 5G.
BUT
OEM unlock is still greyed out. Any ideas?
also updated first post with how to replicate what I did to flash. This should work on any variant as long as you replace the project number to your own
ieatgravity said:
I was able to flash the Global stock Oneplus rom using MSM download tools to the MetroPCS Nord N10 5G.
BUT
OEM unlock is still greyed out. Any ideas?
also updated first post with how to replicate what I did to flash. This should work on any variant as long as you replace the project number to your own
Click to expand...
Click to collapse
It is network checked for OEM Unlock even on the global variants. You need to connect via SIM Data or Wifi for it to check if OEM Unlock can be done, which might mean its doing it via IMEI or some other bootloader specific check
Even connected to the internet the toggle is still greyed out. Device still shows BE2025 despite flashing the international firmware. But it does show the International build number. It also has the international system update engine which was able to do OTA update to latest, it also has the icon at the top where you can pick the file.
Other things I have tried:
- replaced vbmeta and vbmeta_system with empty vbmetas [Device got stuck in an EDL loop]
- replaced recovery.img with twrp.img [Device got stuck in an EDL loop]
- replaced boot.img with magisk_patched.img [Device corrupt, cannot be trusted and will not boot - bootloader loop]
- replaced recovery.img with magisk_patched.img [Device boots like normal. Tried booting magisk (volume down + power until splash screen, then release) Device corrupt, cannot be trusted - reboot back into system just fine.
- Used a HEX editor on boot.img to disable dm-verity [Hex code not found - no changes made]
I don't even know where to begin to see if it is network locked with the international rom. Voice over wifi and 5g works just fine though.
ieatgravity said:
MAJOR UPDATE: Managed to flash Global stock rom to the MetroPCS variant​
Pros: Stock Oneplus and everything works
Cons: OEM unlock is still greyed out
Before you go any further:
THERE IS NO ROOT FOR THIS DEVICE WITH A LOCKED BOOTLOADER (YET). THIS THREAD IS FOR THE DEVELOPMENT AND TESTING OF METHODS TO ACHIEVE THIS.
Just got this device from MetroPCS this week and love this device. However I found out very quick that you have to be with MetroPCS for 180 days before you can get unlocked. To unlock the bootloader you have to be sim unlocked from the carrier.
This thread will be for development of a working root process for others to offer perspective. Feel free to try to replicate at your own risk. If anyone is interested in these files/tools let me know and I will publish more links.
;Download international and metro ROM and MSM tool from these thread (thanks to @Some_Random_Username)​International
MetroPCS
This download will include the latest MSM Download Tool
The work around that I found does not need MSM to be patched
;TOOLS
download and extract oppo decrypt master
unpack and repack .OPS files for use with MSM Download Tool 4 .exe
----------------------------------------------------------------------------------------------------------------------------------------------
Method​----------------------------------------------------------------------------------------------------------------------------------------------
TD;RL:
Extract the .ops file, open settings.xml replace the project ID, repack
Set up:
1. Download international zip and metro zip from above, extract into 2 seperate folders and delete billie8t_14_O.01_201218.ops in the metro folder
2. have adb installed
3. Install python3 and prereqs for oppo decrypt master
Extract .ops, edit and flash:
1. unzip the zip file with the .ops file from both folders and move it to the folder with oppo decrypt
2. run "python3 opscrypto.py decrypt billie8_14_O.01_210128.ops" (decrypt both .ops files from each firmware, the first one being the metro and get the /extract/settings.xml file and open it. we will need info from it)
3. Now extract the international firmware with opoo decrypt and open the extract folder
4. open "settings.xml" from both firmwares in your favorite editor
6. Change the following in the international settings.xml: Project=20886 to Project=20885 and ModelVerifyRandom= (THESE NEED TO BE EXACTLY WHAT ARE IN THE METRO SETTINGS.XML file)
6. Save the file
7. run "python3 opscrypto.py encrypt extract". This will create a file called out.ops
8. Once finished place out.ops into the metro firmware folder and rename to "billie8t_14_O.01_201218.ops"
9. With your phone turned on, plug your phone into the computer
10. Open MSMdownloadtoolv4.0.exe and press start
11. Run "adb reboot edl"
12. Your computer should recognize and start the download.
13. Wait a while and it will reboot.
Click to expand...
Click to collapse
I did what someone else suggested i contacted fcc 2 days ago to file a complaint already sim unlocked on metro oem toggle not grey anymore
scottlam1 said:
I did what someone else suggested i contacted fcc 2 days ago to file a complaint already sim unlocked on metro oem toggle not grey anymore
Click to expand...
Click to collapse
How did you go about this? Were you passed your 180 days?
Here is an interesting(or weird) thread
OnePlus Nord | N10 | N100 [TMO/MPCS] Network Unlock & Enable OEM Unlocking (April 19th, 2021)
1.) ADB access must be enabled -Tap build number 7 times until Developer Options are enabled 2.) Enable USB Debugging -For PC-less enable Wireless Debugging Optional if PC-less 3.) Go to Play Store or F-Droid and download Shizuku 4.) Tap...
forum.xda-developers.com
arda99 said:
Here is an interesting(or weird) thread
OnePlus Nord | N10 | N100 [TMO/MPCS] Network Unlock & Enable OEM Unlocking (April 19th, 2021)
1.) ADB access must be enabled -Tap build number 7 times until Developer Options are enabled 2.) Enable USB Debugging -For PC-less enable Wireless Debugging Optional if PC-less 3.) Go to Play Store or F-Droid and download Shizuku 4.) Tap...
forum.xda-developers.com
Click to expand...
Click to collapse
I...
have mixed feelings about this.
Cannot tell if this is troll or someone actually trying to help
ieatgravity said:
How did you go about this? Were you passed your 180 days?
Click to expand...
Click to collapse
150 days just google fcc complaint the form is simple and explains everything i got an email and call from metro a very nice woman
I used your files oem unlocked bootloader still needs unlock token
I'm aware, I still haven't been able to get unlock bootloader ungreyed out either.
At this point I'm not quite sure what to try next but I will keep researching.
If I can find a way to remove dm-verity (secure boot) I'm 100% positive that I can get it rooted without network unlock and unlocked bootloader.
Though an unlocked bootloader would be nice.
ieatgravity said:
I'm aware, I still haven't been able to get unlock bootloader ungreyed out either.
At this point I'm not quite sure what to try next but I will keep researching.
If I can find a way to remove dm-verity (secure boot) I'm 100% positive that I can get it rooted without network unlock and unlocked bootloader.
Though an unlocked bootloader would be nice.
Click to expand...
Click to collapse
No mine is carrier unlocked and the oem in development is active now but i was hoping i woulnt need the token because for some reason onplus says invalid imei when i try to request a token

How To Guide June 20, 2023 TQ3A.230605.010.A1 T-Mobile/MVNOs / June 13, 2023 TQ3A.230605.010 Global - Root Pixel 6 Pro [Raven]

Pixel 6 Pro [Raven]​
Updated May 13, 2023
Note that more than three users have said that 34.0.1 (even May 10, 2023's binary update of 34.0.1) did not work correctly for them. I recommend sticking with 33.0.3 (just below these quotes)
Someone reported it to Google (added a comment about 34.0.1 to the existing 34.0.0 report).
Spoiler
b0uNz said:
tried to flash the latest build of AncientOS with it, did not work. Back to r33.0.3 and it worked fine
Click to expand...
Click to collapse
Aphex13 said:
platform-tools_r34.0.1-windows is not functioning properly. Back to 33.0.3 we go...
Click to expand...
Click to collapse
budmannxx said:
Add me to the list of users that had a problem with platform-tools 34.0.1. I got into a bootloop after running flash-all.bat. Downgraded to 33.0.3, reran the new (old) flash-all.bat, and was all good.
Using 34.0.1, the phone never even got to the fastbootd part of the process
Click to expand...
Click to collapse
May 10, 2023 binary update of 34.0.1:
Homeboy76 said:
Update
I tested SDK Platform-tools r. 34.0.1 it is not fixed. There are still problems with fastbootd. Use SDK Platform-tools r. 33.0.3
Click to expand...
Click to collapse
Namelesswonder said:
Anyone that updated their platform tools and needs to downgrade can use these links.
Windows
https://dl.google.com/android/repository/platform-tools_r33.0.3-windows.zip
Mac
https://dl.google.com/android/repository/platform-tools_r33.0.3-darwin.zip
Linux
https://dl.google.com/android/repository/platform-tools_r33.0.3-linux.zip
Click to expand...
Click to collapse
Factory Images for Nexus and Pixel Devices | Google Play services | Google for Developers
developers.google.com
Google Pixel Update
Android Security Bulletins | Android Open Source Project
source.android.com
Regarding Developer Support Android 12 images, see @Lughnasadh's post here.
I am not linking directly to the Developer Support Android 12 images because I don't want them to be confused with Stable Android 12, and since the Developer Support images won't receive any OTAs...ever. They likely also will never be manually updated on the Developer Support images site, so they will forever be stuck with the security patch level they're currently on, which will become further out of date every month. You can Google search Developer Support Android images if you want to find them.
TL;DR regarding the PSA. If you update one slot to Android 13, you can fastboot reboot bootloader after and then fastboot --set-active=other to change slots in order to flash Android 13 to the new slot, but IF you have Android 13 on one slot and still have Android 12 (including Android 12 bootloader) on the other slot and you try to fully boot into Android 12, you will be permanently bricked and have to seek repair from Google. No one has yet found a way to repair this on our own. I will update if there is any progress. At least a small handful, and probably more, people have done this already.
At a minimum, do this first: fastboot flash bootloader --slot all bootloader-devicename-slider-1.2-3456789.img (change the name of the bootloader file to the one for your device), then you *should* be much safer than without doing that first. Also note that the bootloader is NOT the same as boot.img (kernel). The bootloader image file has "bootloader" in the filename.
IF you have already bricked your phone and the screen is blank - there is likely nothing we can do to help. You should seek to get a repair from Google, possibly under warranty.
You CANNOT go back to Android 12 Stable. It *seems* as if you can, but Android 12 will not work 100% correctly after updating to the Android 13 bootloader.
My tiny, early, very mini-review of Android 13 is here.
Note that this is mainly for the officially listed "Unlocked" Pixel 6 Pro, available directly from the Google Store. All of this will also apply to any other (carrier-specific) variant of the Pixel 6 Pro which you can achieve an unlocked bootloader on. This includes T-Mobile and AT&T variants. It's likely Verizon variants will never be able to unlock their bootloader, or if so it will require paying the right person to do so.
Feel free to ask about general questions, but for anything that's specific to your variant, you should use one of the other already existing threads. You'll find Verizon, AT&T, and T-Mobile-related threads in those respective search results.
Click to expand...
Click to collapse
Here there be dragons. I am not responsible for anything at all.
Spoiler: Warnings / FYI
Unlocking or locking the bootloader will wipe the device every single time, so be sure to have your data backed up before doing so, or better yet, just unlock it as soon as you get the device.​
Click to expand...
Click to collapse
Keep in mind that unlocking the bootloader or rooting might affect your phone's capability to use banking apps such as Google Pay, your local bank's app, or even the ability to install some apps like NetFlix. See @Pekempy's thread Working SafetyNet with Pixel 6 Pro Android 12​
Click to expand...
Click to collapse
If you're going to re-lock the bootloader, make sure the ROM you have on your phone is completely stock (by flashing the latest official firmware) BEFORE re-locking it.​
Click to expand...
Click to collapse
There are no negative consequences if you unlock or re-lock the bootloader other than it will wipe your phone, and while unlocked you get a brief screen when you boot the phone telling you (and anyone who sees your phone at the time) that the bootloader is unlocked. You will also continue to receive updates (if you've merely unlocked the bootloader, you can take updates as normal) unlike Samsung, Sony, et cetera, which have permanent major consequences with reduced functionality even if you un-root and re-lock your bootloader. If you're actually rooted (not just bootloader unlocked), you'll have to perform extra steps to manually update each month, and to keep root/re-root.​
Click to expand...
Click to collapse
All posts about Google Pay or banking will be reported to be deleted. Please keep this thread on-topic. There are at least one or two other How To Guide threads in this section in which folks discuss how to get around banking app restrictions when you're rooted or just have an unlocked bootloader. See @Pekempy's thread Working SafetyNet with Pixel 6 Pro Android 12
Click to expand...
Click to collapse
If users persist in discussing banking apps in this thread, I will have this thread locked and only update this first post when there is new and updated information regarding the subjects of the title of the thread: Unlocking the Pixel 6 Pro bootloader, rooting, and TWRP. See @Pekempy's thread Working SafetyNet with Pixel 6 Pro Android 12
Click to expand...
Click to collapse
Honorable mention to @Jawomo's aodNotify - Notification Light / LED for Pixel 6 Pro! (XDA link) / Notification light / LED for Pixel - aodNotify (Play Store link), which in my opinion restores useful functionality missing in most phones these days. It also solves some subjective issues some folks have with AOD (Always On Display), and/or solves/works around the problem where AOD is required for the optical fingerprint reader to work without the screen being on.​
Click to expand...
Click to collapse
Check warranty status - *may* reveal if a phone is refurbished, only if the phone was refurbished through Google - thanks to @Alekos for making me aware of the site.
Official Google Pixel Update and Software Repair (reported as of January 23, 2022 to still not be updated for the Pixel 6/Pro yet)
Google's Help Page for Find problem apps by rebooting to safe mode - this can be a lifesaver and keep you from having to do a restore to 100% complete stock or even from having to do a factory reset. This will deactivate all Magisk modules, and they'll remain deactivated even after you boot normally after briefly booting to safe mode. You can reenable the Magisk modules as you wish to try to narrow down the problem if it was caused by a Magisk module. This can even get things working again after a Magisk Module wasn't finished installing and potentially causing a bootloop.
Official Google Pixel Install fingerprint calibration software (also available at the bottom of the Update and Software Repair page above) - I believe this is only helpful if you've replaced the screen
Official Google Android Flash Tool (OEM Unlocking needs to be toggled on - you may not have to manually unlock the bootloader - the "site" will do that on its own)
Lughnasadh said:
OEM unlocking in developer options needs to be toggled on. I don't "believe" you have to actually do the "fastboot flashing unlock" command.
Click to expand...
Click to collapse
ADB/Fastboot, Windows Drivers, and unlocking the bootloader (thanks @sidhaarthm for confirming unlocking the bootloader works as intended, be sure to thank him in his post)
You'll need this if you're going to unlock the bootloader on your Pixel 6 Pro: SDK Platform Tools (download links for Windows, Mac, and Linux). Note that you can find links to download the tools elsewhere, but I wouldn't trust them - you never know if they've been modified. Even if the person providing the link didn't do anything intentionally, the tools could be modified without them being aware. Why take a chance of putting your phone security further at risk?
You can alternately use the tools from the SDK Manager, but most of us will want to stick to the basic tools-only without the complications of the full development manager.
For Windows, get Google's drivers here Get the Google USB Driver (ADB will likely work while the phone is fully booted, but if you're like me, you'll need these drivers for after you "adb reboot-bootloader", to be able to use ADB and Fastboot.
Thanks to @96carboard for posting the details of unlocking the bootloader, be sure to thank him in his post. Unlocking or locking the bootloader will wipe the device every single time, so be sure to have your data backed up before doing so, or better yet, just unlock it as soon as you get the device. Keep in mind that unlocking the bootloader or rooting might affect your phone's capability to use banking apps such as Google Pay, or your local bank's app. If you're going to re-lock the bootloader, make sure the ROM you have on your phone is completely stock (by flashing the latest official firmware) BEFORE re-locking it. My experience on my Pixel 1 was that there were no negative consequences if you unlock or re-lock the bootloader other than it will wipe your phone, and while unlocked you get a brief screen when you boot the phone telling you (and anyone who sees your phone at the time) that the bootloader is unlocked. All of this should still be the case. You will also continue to receive updates. Unlike Samsung, Sony, et cetera, which have major consequences with reduced functionality even if you un-root and re-lock your bootloader. If you're actually rooted (not just bootloader unlocked), you'll have to perform extra steps to keep root/re-root.:
The unlock process works like this:
1) Take brand new fresh phone out of box. Do NOT put sim card in it, just power it on (you can put a SIM card if you want, you just don't have to).
2) When it starts harassing you to join Google, hit "skip" and "remind me tomorrow" as applicable until you reach home screen. YOU DO NOT need to plug in a google account.
3) Settings --> About --> Build number. Repeatedly tap it until it says you're a developer.
4) Back --> Network --> WiFi and connect it.
5) Back --> System --> Developer --> OEM unlocking (check), USB debugging (check), plug in USB, authorize on the phone when requested.
Using the Platform Tools previously mentioned in command line/terminal:
6) #
Code:
adb reboot-bootloader
7) #
Code:
fastboot flashing unlock
Now that you've unlocked it, it has been wiped, so repeat 1-4, then disable all the google spyware, and go ahead and start using it while waiting for aosp and root.
Official Instructions for Locking/Unlocking the Bootloader
Click to expand...
Click to collapse
roirraW edor ehT said:
Personally, I would always use the official drivers Google provides unless they just don't work for whatever reason: Get the Google USB Driver (this is for Windows). They work for me. They are rarely updated, but they are every once in a great while, sometimes years in-between.
Click to expand...
Click to collapse
Alekos said:
I agree with this. be careful using drivers or adb/fastboot tools. Some are fine, but there's no need for it really anymore. Google has made it very easy to install drivers and Platform-Tools (adb/fastboot tool).
Google provides the Fastboot/ADB tool (Platform-Tools) and Google USB Drivers (adb/fastboot interface). This will allow any Pixel to interface with Windows using the fastboot/adb protocol. Official Google USB Driver includes support for both the Fastboot and ADB driver interface. There are 3 main drivers (Fastboot, ADB and MTP/Portable File Transfer). The MTP/Portable File Transfer driver is built-in to Windows 7-11.
Fastboot/ADB Driver Interface - Official Download Link:
When flashing a full image or unlocking your bootloader, the fastboot interface is being used.
First Download official Google USB Drivers (it's a zip file). Extract the zip (important!). Right-click on the android_winusb.inf file and hit install. You can then restart your phone to the Bootloader Screen (hold vol-down while it restarts or turns on). When you plug in your phone, Windows Device Manager will show a new device at the top: Android Device: Android Bootloader Interface.
Using the ADB interface: It's the same driver. Enable USB Debugging on your phone, then plug it in to your computer. A prompt will appear on your phone (to allow USB Debugging). The driver in Device Manager will appear as Android Device: Android Composite ADB interface.
Now you can download and use Platform-Tools to flash an Android Image, OTA or run adb/fastboot commands.
Official Download Page
"Android SDK Platform-Tools is a component for the Android SDK. It includes tools that interface with the Android platform, such as adb, fastboot, and systrace"
It's best to make Platform-Tools available system-wide. Download Platform-Tools from the above link and extract it to your C:\ drive - that way you will have a folder to add to the PATH Environment under Window System Properties Menu, Advanced, Environment Variables, System Variables, PATH (google how to do this, very easy). What this does is allow adb/fastboot commands to be run from anywhere in the system, so you don't have to be in the platform-tools folder to run adb/fastboot commands and flash an Android Image (Official or Android Fork such as ProtonAOSP).
Click to expand...
Click to collapse
Rooting-related​
@Az Biker's thread [How To Guide] [Pixel 6 Pro] Easy STEP BY STEP Unlock-Root.​
OR
@V0latyle's thread [How To Guide] Root Pixel 6 Pro with Magisk
Click to expand...
Click to collapse
No longer applies - Things that make rooting more complicated on Android 12
@V0latyle posted a new thread with some very important and fascinating information about the increased difficulty to root Android 12: Read this before rooting. Be sure to thank him there.
Click to expand...
Click to collapse
A list of the other important guides - be sure to thank the respective OPs
For all relevant guide threads just click the yellow "How To Guide" quick filter above the list of threads in the Pixel 6 Pro section.
Here's the Magisk section of XDA's forums, for rooting. Magisk on GitHub. The most recent Magisk Stable is what's recommended these days.
@sean222's thread Restore WiFi and Cellular Data in Quick Settings (Root Required)
@rickysidhu_'s thread HBM (High Brightness Mode)
@gururoop's thread Probable method to upgrade every month, without wiping data and retaining root
@rickysidhu_'s thread Limit Charge
@Typhus_' thread [MOD][MAGISK][ANDROID 12] Addon Features for Pixel Devices - Pixel 6 Pro Thread
@siavash79's thread [MOD][Xposed+Magisk][Pre-Release] AOSP Mods - System modifications for AOSP-based Android 12+ - a mod that compliments @Typhus_' mod above, and may eventually completely replace it.
@TotallyAnxious' thread [MOD] Collection of "Anxious" Modules for Pixel 6/Pro Series
Every single one of @foobar66's posts.
TWRP (not made for the Pixel 6 Pro yet - will update when it has)
I would guess that this should be the appropriate URL for official TWRP custom recovery for the Pixel 6 Pro, but who knows when/if that will actually be made available, and it may become available unofficially in these forum sections before being made official. I'll adjust this URL as needed. https://twrp.me/google/googlepixel6pro.html.
Click to expand...
Click to collapse
Custom kernels for stock ROM(s)
@Freak07's Kirisakura-Kernel for the Pixel 6 Pro (and possibly the Pixel 6)
@DespairFactor's Despair Kernel (I believe also for both the P6P and P6)
@tbalden's CleanSlate Kernel
@acuicultor's Radioactive Kernel
Click to expand...
Click to collapse
Factory Images (requires an unlocked bootloader)
It's also handy to have to the full official firmware available, whether it's to recovery from accidents or for actual development. Note the official link to the general Factory Images for Nexus and Pixel Devices page. The following link goes directly to the Pixel 6 Pro (Raven) section: Pixel 6 Pro Factory Images. I prefer to actually bookmark a link to the device listed immediately below the device I want the firmware for, because Google dumbly (in my opinion) puts the latest firmware at the bottom of the list for each particular device, and that ends up making you scroll a lot after a year or two of monthly updates.
Note: You can still get the December 2021 Factory Images and OTA from this thread, if you need them for any reason: Alternate links to December - all full factory images and OTAs available
Click to expand...
Click to collapse
Full OTA Images (doesn't require an unlocked bootloader)
Full OTA Images for Nexus and Pixel Devices
Click to expand...
Click to collapse
The usefulness of having Verity and Verification enabled (now that it's not needed for root) - post #2 below.
Regarding P6P 5G model numbers and capabilities - post #3 below.
List of all Pixel monthly security bulletins and Play System Updates - post #4 below.
How I root and update (which is identical whether rooting the first time or updating):
Use the latest Magisk Stable (in my case, I keep the app "hidden" / renamed)
Used the full firmware zip, extracted to the same folder as the latest Platform Tools (S:\platform-tools)
Extracted the new boot.img
Copied new boot.img to the phone
Patched the new boot.img with Magisk Stable
Renamed Magisk'd boot.img so I know what version of firmware it's for
Copied the Magisk'd boot.img back to the computer
Disabled all my Magisk Modules
Removed the "-w " from the flash-all.bat
Re-edited the flash-all.bat to verify I saved it with the "-w " taken out
Open a Command Prompt, navigated to S:\platform-tools
adb reboot bootloader
flash-all.bat
Let phone boot, unlock it, check that it's working, allow the update process to finish (gave it five minutes or so)
adb reboot bootloader
fastboot flash boot kernel.img (renamed Magisk'd boot.img)
fastboot reboot
Unlock, check everything's working
Re-enabled the most basic Magisk Modules which I was sure wouldn't cause a critical issue
Reboot, unlock, made sure everything's working
Back to modding!
Click to expand...
Click to collapse
I may append these first four posts with further useful information or links as needed.
Click to expand...
Click to collapse
Disabling Verity and Verification isn't required except for use with some custom kernels, but just rooting those custom kernels with the latest Magisk Stable v24.1 or higher should make them not require disabled Verity and Verification anymore.
A reminder that disabling Verity and Verification, at least if you've never disabled them before, will cause you to need to factory reset the device otherwise there will be corruption.
prokiller1199 said:
if you didnt disable before then it is enabled since the beginning. Disabling requires a full wipe.
It will show this image if you try to disable.
You can also verify it using adb shell with:
adb shell
su
avbctl get-verity
avbctl get-verification
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Click to expand...
Click to collapse
The usefulness of having Verity and Verification enabled (now that it's not needed for root but IS still required for some custom kernels):
jwoegerbauer said:
1. DM-Verity ( VB 1.0 ) verifies /system and /vendor - it was introduced with Android 4.4, modified with Android 7
2. Android Verified Boot ( VB 2.0 aka AVB ) additionally verifies /boot - it was introduced with Android 8, works on Project Treble enabled devices
Both are running a hash on the memory blocks mentioned of your device to ensure the integrity of your software and help prevent rootkits and the like.
If you disable VB 1.0 and/or VB 2.0 your Android device becomes vulnerable to malware of any type: IMO only those do it who do not care about the built-in protection.
Click to expand...
Click to collapse
V0latyle said:
Yes - this is covered on Android Source.
The basics:
Android Verified Boot ensures that the boot code is legitimate, by using a boot image "signature" compared to a signature stored in the key registry.
Dm-verity is a method by which the code on the block devices is hashed; this hash is then compared to a reference hash to determine its authenticity before the image is loaded, thereby preventing rootkits from declaring themselves legitimate.
Vbmeta verification is a method of storing those reference hashes to which the generated hashes are compared. This can be and often is used for any critical partition, such as /boot and /system.
These aren't new concepts and indeed have been integral to Android for some time. What is new is how the Android 12 AVB headers were handled.
We still don't know exactly where in the process the problem occurred when trying to run custom boot images with Android 12. I suspect that the issue wasn't custom software itself - after all, you could still flash a custom ROM and run it without issues - but rather, trying to use a modified boot image with otherwise stock Android 12 system. Don't take my word for it, though, because I don't know for sure.
Click to expand...
Click to collapse
Freak07 said:
It has nothing to do with the kernel itself. The anykernel.zip uses magiskboot to "repack" the kernel during the flashing kernel.
Click to expand...
Click to collapse
Regarding P6P 5G model numbers and capabilities:
There are three hardware versions:
G8VOU (AU, US); also listed as G8V0U - zero instead of "oh" on some sites, Google shows the former, G8VOU) - has mmWave 5G support
GF5KQ (JP) - has mmWave 5G support
GLUOG (CA, DE, FR, GB, IE, TW) - no mmWave 5G support
For instance, my factory unlocked direct from Google in the United States Pixel 6 Pro 512 GB is a G8VOU. As far as I know, all other variations in each individual phone are controlled by software (which firmware is loaded) and over the internet (which IMEIs are Carrier Unlocked or not, and OEM Unlockable or not).
Check carriers, their 5G networks & their 5G roaming support for Pixel phones. Make sure and choose your country from the drop-down to see the list of carriers beneath.
There's also the section above that Learn which Pixel phones can work with which kinds of 5G.
My personal advice for how to get your device back up and running like you had it previously after a factory reset:
I use Nova Launcher Prime, so I do backups anytime I change my home screen or app drawer/tabs setup, so widgets and app icons and other Nova-specific configurations are easier to restore.
Go to Android Settings and use Settings' search box for Backup. Make sure that your Google account is set up to backup your apps (and app data for the apps that developers have configured to use Google's Backup API). Make sure things are backed up. Note, this doesn't backup the apps themselves, only the list of apps, so only applies to apps installed from the Play Store. As I said in parentheses, developers have to choose to integrate Google's Backup API into their app, and those apps only will get their app data backed up into Google's cloud.
If you're rooted also, then you could use something like Swift Backup to backup to the cloud. I do so, although I still restore as much as possible through Google's backup, and I only restore through Swift on a case-by-case basis, as needed when I discover an app that's tough to set back up doesn't have it's data restored by Google.
If you've used Google Photos to backup your photos to Google's cloud, then hit the button in Google Photos to free up space. This will automatically and only delete your local copies of photos and videos that it's already backed up.
Once that ^ is done, look at your internal storage with your favorite File Manger and see if there's anything left that you want to back up manually, since a factory reset will wipe everything. Copy them to your computer or a flash drive.
When you're just starting the out of the box setup after the reset, when it asks you if you want to use a cable to restore things from an old phone, choose No, and that will lead you to Google's cloud backup where you can choose to restore everything, or you can select what you want to restore.
I think you can figure out the rest.
Reserved.
Reserved.
Reserved.
Reserved.
If you have any reputable youtube links that you think might be of help as well for complete noobs like me, that would be great.
dj24 said:
If you have any reputable youtube links that you think might be of help as well for complete noobs like me, that would be great.
Click to expand...
Click to collapse
This one's kinda long for what it is, and this is for the Pixel 1, but it should be similar for the Pixel 6/Pro. I won't add it to the first post just yet in case there are differences, and I don't want to recommend something I can't actually try on the 6 Pro (since I won't get mine for likely another two days). Unlocking the Bootloader of the Pixel and Pixel XL
Good luck!
roirraW edor ehT said:
This one's kinda long for what it is, and this is for the Pixel 1, but it should be similar for the Pixel 6/Pro. I won't add it to the first post just yet in case there are differences, and I don't want to recommend something I can't actually try on the 6 Pro (since I won't get mine for likely another two days). Unlocking the Bootloader of the Pixel and Pixel XL
Good luck!
Click to expand...
Click to collapse
This is great. I won't be getting mine for a while as well so please come back and update this thread.
dj24 said:
If you have any reputable youtube links that you think might be of help as well for complete noobs like me, that would be great.
Click to expand...
Click to collapse
Generally YouTube video guides for software related things aren't particularly helpful, as they can often get outdated very quickly; especially in the early days of a device as they can't be updated when new things are found out.
It would probably be best to carefully read through guides
@sidhaarthm reports here (be sure to thank him on his original post):
Bootloader successfully unlocked. I will just run everything stock for now - this is just so I don't have to wipe the device later after I have completed full setup and transferred all my data.
View attachment 5441915
Click to expand...
Click to collapse
dj24 said:
This is great. I won't be getting mine for a while as well so please come back and update this thread.
Click to expand...
Click to collapse
FYI, I'm reminded by several members in these forums that unlocking the bootloader (the first step before being able to root your Carrier-Unlocked Pixel 6 Pro) wipes the device - so does re-locking it. So I highly recommend unlocking it as the first step when you get the phone, otherwise, you'll have to back up anything that doesn't normally get backed up, and go through the initial setup process again. Not a big deal for some, but would likely not be optimal for a new user.
Instructions for Locking/Unlocking the Bootloader (note that unlocking or locking the bootloader will wipe the device every single time, so be sure to have your data backed up before doing so, or better yet, just unlock it as soon as you get the device).
Click to expand...
Click to collapse
roirraW edor ehT said:
FYI, I'm reminded by several members in these forums that unlocking the bootloader (the first step before being able to root your Carrier-Unlocked Pixel 6 Pro) wipes the device - so does re-locking it. So I highly recommend unlocking it as the first step when you get the phone
Click to expand...
Click to collapse
This! It's the first thing you should do out of the box if you plan on rooting later.
@V0latyle posted a new thread with some very important and fascinating information about the increased difficulty to root Android 12: Read this before rooting. Be sure to thank him there.
That's great news about Unlocking the bootloader! I'll be doing that first thing to be ready for the future...
Does this mean to say there is no OEM unlocking switch in the developer options screen?
biTToe said:
Does this mean to say there is no OEM unlocking switch in the developer options screen?
Click to expand...
Click to collapse
There is, its there and you need to flip it.
The unlock process works like this;
1) Take brand new fresh phone out of box. Do NOT put sim card in it, just power it on.
2) When it starts harassing you to join google, hit "skip" and "remind me tomorrow" as applicable until you reach home screen. YOU DO NOT need to plug in a google account.
3) Settings --> About --> Build number. Tap it until it says you're a developer.
4) Back --> Network --> Wifi and connect it.
5) Back --> System --> Developer --> OEM unlocking (check), USB debugging (check), plug in USB, authorize when requested.
6) # adb reboot-bootloader
7) # fastboot flashing unlock
Now that you've unlocked it, it has been wiped, so repeat 1-4, then disable all the google spyware, and go ahead and start using it while waiting for aosp and root.

Categories

Resources