[Dev] Bypass "bootloader" [PROPER METHOD]


ephumuris

Senior Member
I failed to understand this part... and now my phone can no longer be used as a phone! :(


If your phone was unlocked by third-party software other than setool2, do not run anything:
it will disable the radio capability of your phone and you will need to unlock the phone with the setool2 software.
Hopefully, mizerable flea and mOxImKo will release something similar for your phone.

Plenty of warnings. Your own fault, unfortunately. I have had my X10 for a week and even I understood this part! Sorry...
 

totalundone

Senior Member
Ok, let's see if I have this right...

Is your phone SIM locked?
No
--Yes, you can unlock the bootloader with this method

Yes
How did you unlock your SIM lock?
--It came like this from the factory!
----Yes, you can unlock the bootloader with this method
--I unlocked it by typing in a code!
----Yes, you can unlock the bootloader with this method
--I unlocked it by using setool2!
----Yes, you can unlock the bootloader with this method
--I unlocked it with another service!
----NO, you cannot unlock the bootloader with this method

Here's my predicament...
When I first bought my phone, I was eager to unlock it and couldn't wait for the SIM unlock code. I paid a company to unlock it (it was htccode, but I'm not sure if they used setool2; it was a long time ago). However, I *have* my manual SIM unlock code.
If I attempt this and I get the security mismatch error - can I then manually input the sim unlock code?
Or is there a way that I can get back into the sim unlock screen and just type it in?

Thanks!
 

runaway_bunny

Senior Member
Hope this helps...

:) A little heads-up for newcomers like me...

This is what I did.

First flashed the 2.1 generic firmware via Flashtool.
Once 2.1 was flashed, turned on USB debugging.
Then closed Flashtool.
Opened the qsd8250_semc tool and followed the instructions (:D nothing really, press any key twice!). That's it, and the bootloader was unlocked!
Now remember that your phone is on baseband 54!
So don't flash 2.3 ROMs.
Flash the latest baseband, which is .71.
Now flash a custom ROM or anything as per your wish.

Once again, a million thanks to the_laser...:D
 

DooMLoRD

Inactive Recognized Developer
[quoting runaway_bunny's post above]

You can flash the 2.3.3 stock ROM FTF, no issues ;)
 

ankur7753

Senior Member
[quoting runaway_bunny's post above]

After unlocking the bootloader with the above-mentioned steps, do I have to follow the usual steps to install 2.3.3, i.e. rooting 2.1, installing BusyBox, recovery and so on?
 

runaway_bunny

Senior Member
After unlocking the bootloader with the above-mentioned steps, do I have to follow the usual steps to install 2.3.3, i.e. rooting 2.1, installing BusyBox, recovery and so on?

Once the bootloader is unlocked, root your phone and install recovery.
Remember, when you install the 2.1 .ftf, your phone is fresh (without root).
Once it's rooted, I flashed Wolf ROM v4, and once the ROM was flashed, I installed the FTF bundle he provided (that includes the kernel and baseband).
Once that's done you can flash the new DooM kernel (if you wish :))
 

G-FACE

Senior Member
I have some questions, guys. :eek:
If I unlock the BL, will I be able to re-lock it if needed?
My worry is that if I have to go to warranty service they will refuse to service it because of the open BL. Will it be obvious to the service people that the BL is open?

Does a restore via SEUS/PCC re-lock the bootloader? (Guess no.)
 

iridaki

Retired Forum Moderator
[quoting G-FACE's questions above]

It will be obvious to service centers that there has been tampering.
There's no way to re-lock the bootloader for the moment, but I really don't have a clue whether there will be in the future.

Xperia X10i via Tapatalk
 

mylovelyhorse

Senior Member
You can flash the 2.3.3 stock ROM FTF, no issues ;)

Hmm. I have a phone locked to Orange which was running MIUI.

I flashed this 2.3.3 ROM: X10i_3.0.1.G.0.75_CUST-UK GENERIC 1235-7379
Turned on USB debugging & Unknown sources
Rooted using Flashtool
Closed Flashtool
Ran qsd8250_semc on my W7 PC
The following message appeared:

process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
2208 KB/s (585731 bytes in 0.259s)
Failed to set prot mask (Inappropriate ioctl for device)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights
.
334 KB/s (3087 bytes in 0.009s)

Unable to open router port: Permission denied
Diag_LSM: Diag_LSM_Init: Failed to open handle to diag driver, error = 13 ERR :
MSG Open handle failed, unable to open program 30eeeeee ver 10001 NOT FOUND
:FILE vendor/qcom-proprietary-qsd8k/oncrpc/oncrpc/oncrpc_cb.c:LINE 231:ARG1 82
0965102:ARG2 65537:ARG3 0:
ERR :MSG Couldn't setup RPC call :FILE vendor/qcom-proprietary-qsd8k/oncrpc/on
crpc/oncrpc_cb.c:LINE 276:ARG1 0:ARG2 0:ARG3 0:
Error: Failed to lookup client for 0x30EEEEEE 0x00010001
FATAL :MSG Failed to lookup RPC client. prog = 820965102, vers = 65537, tout =
0 :FILE vendor/semc/system/core/miscta/libmiscta/rpc_service.c:LINE 65:ARG1 820
965102:ARG2 65537:ARG3 0:
reboot: Operation not permitted
Waiting ...
Getting ROOT rights.
Failed to set prot mask (Inappropriate ioctl for device)
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
524 KB/s (8064 bytes in 0.015s)
insmod: init_module '/data/local/tmp/mapper_2.6.29.ko' failed (Operation not per
mitted)
Second, we need to write semcboot ;)
2119 KB/s (588228 bytes in 0.271s)
can't find userdate partition
Press any key to continue . . .

There are a few worrying things in that lot and I suspect the bootloader isn't bypassed. Advice gratefully received!

(Note: decided to reflash the ROM, NOT root with Flashtool, and try again in case that was my error.)
 

aR_ChRiS

Senior Member
[quoting mylovelyhorse's post and tool output above]

Flash a 2.1 firmware, root it, then do the unlocking process.

Only flash a 2.3 after you have unlocked the bootloader, unless you are using the kernel downgrade/upgrade method.
 

ten_tickles

Senior Member
@mylovelyhorse... I think you've just made the same mistake I made! My device is also locked to Orange, and since unlocking the bootloader I have no radio signal...

Just thought you should know mate, bad news.
 

Top Liked Posts

    Deleted member 3665957
    Greetings.

    Warning:
    if you are not a developer, please stop reading this post.
    Wait for a user-friendly tool with one big button.


    Here ( View attachment qsd8250.7z) is a toolset to permanently "unlock" semcboot on qsd8250 SEMC phones ( x10a, x10i, so-o1b ).

    That means you can use your own kernel and so on.

    It is a much better, more stable and faster method than the present "bypass".

    Steps, precautions, etc.

    Unpack the archive to any directory.

    If you are using ESET antivirus or similar ****, it will find an evil virus in adb.exe.
    Ignore that; it is not a virus in any way, it is the standard Android Debug Bridge, bundled in one file to save space and for usability.


    Now, if your phone was unlocked officially:

    Flash the phone with a standard 2.0/2.1 Android firmware, because the kernel mapper module is compiled for the "2.6.29" kernel.

    Of course, enable "USB debugging".

    Run qsd8250_semc.cmd
    ( if you want, examine it before running; it is pretty straightforward. )

    You will get output similar to this:

    Code:
    process requires standard 2.x android firmware.
    Press any key to continue . . .
    Getting ROOT rights.
    1464 KB/s (585731 bytes in 0.390s)
    error: protocol fault (no status)
    Waiting ...
    Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
    192 KB/s (3087 bytes in 0.015s)
    success
    Waiting ...
    Getting ROOT rights.
    Waiting ...
    Writing patched semcboot. Two step process
    First, we need get access to semcboot area
    504 KB/s (8064 bytes in 0.015s)
    Second, we need to write semcboot ;)
    1531 KB/s (588236 bytes in 0.375s)
    successfully wrote 0001ff80
    Press any key to continue . . .

    Bingo, your phone now has an unlocked bootloader.

    If your phone was unlocked by the setool2 software, use qsd8250_setool2.cmd.

    If your phone was unlocked by third-party software other than setool2, do not run anything:
    it will disable the radio capability of your phone and you will need to unlock the phone with the setool2 software.
    Hopefully, mizerable flea and mOxImKo will release something similar for your phone.


    To find out what tool was used to unlock your phone, use this ( View attachment s1tool.7z ) tool.
    If you see "NOT RECOGNIZED SIMLOCK CERTIFICATE", you are out of luck.


    Okay, now about other details.

    1.
    An unlocked bootloader requires an unlocked loader, yep?

    loader\loader.sin is a special unlocked loader, which will be accepted ONLY after you "unlock" semcboot with the previous steps.

    To distinguish unlocked semcboot from original semcboot, the first letter in the version tag of the semcboot output will be lower case, i.e. "r8A033".

    ( The same applies to the loader version tag. )

    So, all that stuff with signatures is not for us, so I removed it: the loader will ignore the signature part of the SIN file.

    2.
    We should make a SIN file somehow, right?
    For that I prepared a "dumb" bin2sin utility.

    Syntax : bin2sin [input] [partition info, 32 digits] [type] [block size]

    [input] - the input binary file.

    [partition info]
    The Android implementation on S1 SEMC Qualcomm phones is based on partitions, so we MUST define it for our file.

    You can get the required partition info from standard SEMC SIN files: it is the first 0x10 bytes of DATA, right after the header, e.g.
    x10 kernel partition info
    03000000220000007502000062000000

    [type] - partition type: 9 - partition without spare, 0xA - partition with spare.
    The kernel partition is a partition without spare.
    If that parameter is omitted, type = 9.

    [block size] - NAND block size; if omitted, it is the standard size 0x20000.

    There is an example in sinTools\example_build.cmd

    3.
    The kernel should be prepared specially to be accepted by semcboot.
    For that there is the tool bin2elf.

    Syntax : bin2Elf.exe [nbrOfSegments] [EntryPoint] [Segment1] [LoadAddress1] [Attributes1] ...

    We need 2 segments:
    Segment 1 is the unpacked Linux kernel image, i.e.
    ( x10/kernel/arch/arm/boot/Image )

    It looks like the entry point and load address for segment 1 are always the same for all qsd8250-based SEMC phones: 0x20008000.

    Attributes for the image: 0x0.

    Segment 2 is the ramdisk.

    It looks like the load address for segment 2 is always the same for all qsd8250-based SEMC phones: 0x24000000.

    Set the attributes for the ramdisk to 0x80000000; that is extremely important.

    There is a simple kernel example in sinTools\example_build.cmd

    PS.

    The patched semcboot does exactly the same thing as the official "bootloader unlock" ( for some idiotic reason called "rooting" ): it skips checking of the aARM firmware part ONLY.

    It will NOT unlock your phone from the network.

    After the procedure, you CAN use Emma/SEUS safely.
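The two image-building steps the post describes, bin2sin's 32-digit partition info and bin2Elf's two-segment kernel image, as a worked example. This is editor-added Python, not code from the_laser's toolset or from anyone in this thread. It assumes that the four 8-digit groups of the partition info are little-endian 32-bit fields (the post only says they are copied from an original SIN file), that bin2Elf's "attributes" values end up in the ELF program header's p_flags field, and it picks plain values for ELF fields the post does not mention (e_flags, p_align). The only partition-info field it interprets is the last one: for the x10 kernel string it is 0x62, and 0x62 blocks of 0x20000 bytes is 0xC40000, the x10i partition limit quoted later in the thread.

```python
"""Editor-added example, not part of the_laser's toolset or of any post in this thread.

parse_partition_info()  decodes bin2sin's [partition info, 32 digits] argument.
image_fits()            checks a binary against the size that info implies.
build_kernel_elf()      builds the two-segment ELF that bin2Elf's arguments describe.
read_segments()         parses such an ELF back for a sanity check before flashing.

Assumptions (not confirmed by the page): the four dwords of the partition info
are little-endian; bin2Elf's "attributes" land in p_flags; e_flags and p_align
of the real tool are unknown, so 0 and 1 are used here.
"""
import struct

DEFAULT_BLOCK = 0x20000        # NAND block size the post calls standard
KERNEL_LOAD = 0x20008000       # entry point and load address of the kernel Image
RAMDISK_LOAD = 0x24000000      # load address of the ramdisk
RAMDISK_ATTR = 0x80000000      # ramdisk attribute the post calls "extremely important"

EM_ARM = 40
PT_LOAD = 1
EHDR = struct.Struct("<4sBBBBB7xHHIIIIIHHHHHH")   # 52-byte ELF32 header
PHDR = struct.Struct("<IIIIIIII")                 # 32-byte ELF32 program header


def parse_partition_info(hex32: str, block_size: int = DEFAULT_BLOCK):
    """Decode the 32-hex-digit partition info into four uint32 fields.

    Returns (fields, size_bytes). Only the fourth field is interpreted: for the
    x10 kernel string it is 0x62, and the thread states the x10i partition limit
    as 0x62 blocks = 0xC40000 bytes, which is exactly 0x62 * 0x20000. The other
    three fields are returned undecoded (assumed little-endian).
    """
    if len(hex32) != 32 or any(c not in "0123456789abcdefABCDEF" for c in hex32):
        raise ValueError("partition info must be exactly 32 hex digits")
    fields = struct.unpack("<IIII", bytes.fromhex(hex32))
    return fields, fields[3] * block_size


def image_fits(image: bytes, hex32: str, block_size: int = DEFAULT_BLOCK) -> bool:
    """True if the binary fits in the partition size implied by the info string."""
    _, size_bytes = parse_partition_info(hex32, block_size)
    return len(image) <= size_bytes


def build_kernel_elf(kernel_image: bytes, ramdisk: bytes) -> bytes:
    """Build an ELF32/ARM executable with two PT_LOAD segments.

    Segment 1: uncompressed kernel Image at KERNEL_LOAD, flags 0.
    Segment 2: ramdisk at RAMDISK_LOAD, flags RAMDISK_ATTR.
    0x80000000 lies inside ELF's processor-specific PF_MASKPROC range
    (0xf0000000), so a boot loader can use it as a private marker.
    """
    segments = [(kernel_image, KERNEL_LOAD, 0), (ramdisk, RAMDISK_LOAD, RAMDISK_ATTR)]
    data_off = EHDR.size + PHDR.size * len(segments)
    ehdr = EHDR.pack(b"\x7fELF", 1, 1, 1, 0, 0,        # ELFCLASS32, ELFDATA2LSB, EV_CURRENT, SysV ABI
                     2, EM_ARM, 1, KERNEL_LOAD,        # ET_EXEC, EM_ARM, e_version, e_entry
                     EHDR.size, 0, 0,                  # e_phoff, e_shoff, e_flags (assumed 0)
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    phdrs, body, off = [], b"", data_off
    for blob, addr, flags in segments:
        # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        phdrs.append(PHDR.pack(PT_LOAD, off, addr, addr, len(blob), len(blob), flags, 1))
        body += blob
        off += len(blob)
    return ehdr + b"".join(phdrs) + body


def read_segments(elf: bytes):
    """Parse the ELF back: returns (entry, [(load_addr, flags, data), ...])."""
    hdr = EHDR.unpack_from(elf, 0)
    if hdr[0] != b"\x7fELF" or hdr[1] != 1 or hdr[2] != 1:
        raise ValueError("not a little-endian ELF32 file")
    entry, phoff, phnum = hdr[9], hdr[10], hdr[15]
    out = []
    for i in range(phnum):
        p_type, p_off, p_vaddr, _, p_filesz, _, p_flags, _ = PHDR.unpack_from(elf, phoff + i * PHDR.size)
        if p_type == PT_LOAD:
            out.append((p_vaddr, p_flags, elf[p_off:p_off + p_filesz]))
    return entry, out


if __name__ == "__main__":
    # Constructed stand-ins for arch/arm/boot/Image and a gzipped ramdisk.
    kernel = b"\x00\x00\xa0\xe1" * 1024            # 4 KiB of ARM "mov r0, r0"
    ramdisk = b"\x1f\x8b\x08\x00" + bytes(range(256))
    info = "03000000220000007502000062000000"    # x10 kernel partition info from the post
    elf = build_kernel_elf(kernel, ramdisk)
    entry, segs = read_segments(elf)
    print(f"entry=0x{entry:08x}, fits kernel partition: {image_fits(elf, info)}")
    for addr, flags, data in segs:
        print(f"  load=0x{addr:08x} flags=0x{flags:08x} size={len(data)}")
```

read_segments() is the check worth running on any kernel ELF before wrapping it with bin2sin: the entry must equal the first segment's load address and the ramdisk segment must carry the 0x80000000 flag, otherwise the post's steps will produce a SIN that semcboot accepts but does not boot as intended.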
    Deleted member 3665957
    @the_laser

    1) What do we do if we want to relock the bootloader? I am asking just to have a fail-safe option open...

    The "unlocked" bootloader does absolutely the same things as the original; nothing changed.
    No need to go back ;)

    2) Can we modify the S1 loader to accept fastboot commands?

    It is like writing it from scratch.
    Better to build some kernel module for that.

    3) Can we now write to the /boot partition in OS/recovery? (raw_write)

    SIN signature checking is removed totally; you can write anything to the phone.
    However, there are a few restrictions:

    1.
    Partition info and SIN type should be proper.
    You can check partition info in the corresponding original SEMC firmware files.

    2.
    semcboot WILL check the following and STOP the phone in case of failure:

    - security zone validity
    - FOTA code validity
    - mARM ( AMSS or modem code ) validity
    - DSP code validity

    You can safely build and flash your own

    kernel_S1-SW-LIVE-AC12-0001-S1-PARTITION.sin
    system_S1-SW-LIVE-AC12-0001-S1-PARTITION-WITH-SPARE.sin
    userdata_S1-SW-LIVE-AC12-0001-S1-PARTITION-WITH-SPARE.sin

    Again, do not forget to use the proper SIN type.
    Yaay, my 2.3.3 custom kernel booted :)

    No more SE text logo!!!


    @all
    KINDLY STOP CHATTING IN THIS THREAD

    THAT'S AWESOME NEWS!

    And the X10 gets yet another successful burst from the Dev defibrillator! It is alive and kicking once more!


    Here's the timeline of the X10. It's quite spectacular, actually.

    -Pre-release: huge hype and frenzy and craziness
    -Release: even more craziness and hype
    -Post-release: disappointment at the locked bootloader, the FPS cap and lag
    -Most of 2010: disappointment at lack of updates, the 2.1 delay, lack of rooting
    -Late 2010: huge hype about 2.1 and its release, phone rooted, dual-touch, phone alive again
    -Early 2011: great new custom ROMs, phone is alive and kicking, bootloader bypass
    -March 2011: Gingerbread update news, bootloader bypassed, 2.2 camera
    -April-June 2011: disappointment over no update by SE
    -July-August 2011: huge craze over the upcoming 2.3 update and wild speculation begins
    -August 2011: release of GB. Mixed reviews but mostly positive. New life breathed into the X10. Great stuff ported from the Arc.
    -September 2011: bootloader UNLOCKED! Even more awesomeness coming up!


    Which phone has this kind of history, ever?!
    Deleted member 3665957
    To clear up the confusion:

    To unlock the bootloader you DO NOT need to have a "network unlocked" phone.

    However, if your phone was unlocked from the network by any third-party tool other than setool2, your phone will lose radio capability due to a mismatched security zone.

    To restore radio capability and have an unlocked bootloader you will need to "unlock from network" the phone using setool2.

    But don't worry, I'm sure that omnibus software will soon "integrate" that method ;)
    Deleted member 3665957
    @doomlord:

    What I wanted is the ability to flash boot.img via recovery (raw_write/flash_image).
    Will that work?

    You can write whatever you want, but it is better to stick to SEMC standards and use SIN files.

    Also there seems to be a restriction on the size of kernel.sin... I tried a large ramdisk and the flash was accepted but the ramdisk was unchanged.

    Maximum partition size is 0x62 blocks ( 0xC40000 bytes ) for x10i.
    Dunno about ramdisk/etc. restrictions.