[INFO] Nexus 6 / Nexus 9 Enable OEM Unlock [GUIDE] Unlock via TWRP/CWM

By playahate, Senior Member on 20th May 2015, 07:23 PM
INTRO


This thread and the method described are dedicated to bricked Nexus 6 and Nexus 9 devices that have TWRP installed but a locked bootloader. No wipes are helpful; ROMs flash (or not) but give a permanent bootloop.
If no other methods work, then here is your chance:
IMPORTANT!!! The unlockN6.img file is only for NEXUS 6! The unlockN9.img file is only for NEXUS 9!
The script will work on both N6 and N9.

1. Boot to TWRP. If you didn't wipe the userdata trying to resurrect the device, you can get all your files with
Code:
adb pull sdcard d:\sdcard\
You can use any folder instead of d:\sdcard\ but you must create the folder first.
adb pull sdcard
1.1 If the TWRP logo blinks but doesn't boot you are still good to go, as users report that adb still works even in that case.
1.2 With the blinking TWRP logo you can boot to bootloader and run
Code:
fastboot -w
This will wipe the cache and USERDATA. All your data will disappear, but TWRP will boot normally.

NEXUS 6
2.1 Download the unlockN6.img file from the attachments at the bottom of the post and place it in the adb folder on your PC.
In case the folder is c:\android perform the following:
Code:
adb push c:\android\unlockN6.img /sdcard/unlockN6.img
adb shell dd if=/sdcard/unlockN6.img of=/dev/block/mmcblk0p18
Reboot to bootloader and run:
Code:
fastboot oem unlock
After that you are able to flash the stock firmware with flash-all.bat or manually file-by-file.
We don't know how the hash at the beginning of the unlockN6.img file influences the device. We didn't notice any difference, but the preferred way is to use the script.
Instead of using dd, push and flash the script made by @osm0sis linked at the end of the post (for both N6 and N9),
then unlock the bootloader and flash a ROM.

NEXUS 9
2.2 Download the unlockN9.img file from the attachments at the bottom of the post (all the credit goes to @GedBlake for providing us the file) and place it in the adb folder on your PC.
In case the folder is c:\android perform the following:
Code:
adb push c:\android\unlockN9.img /sdcard/unlockN9.img
adb shell dd if=/sdcard/unlockN9.img of=/dev/block/mmcblk0p27
Reboot to bootloader and run:
Code:
fastboot oem unlock
After that you are able to flash the stock firmware with flash-all.bat or manually file-by-file.


If you are interested in additional information, the whole process of gathering the information is given below... Otherwise, skip to the download.

Problem

As many of you already know, the latest Nexus devices (and all that will come after N6 & N9) have a new option in developer settings - Enable OEM Unlock.
This new security feature from Google gives regular users a new level of keeping their data private. And in case of a lost (stolen) stock device with keyguard/PIN enabled, the villain can't even make the device work. The "old" Nexus devices can be easily unlocked/wiped and used as normal. But now, with the new feature, if someone tries to run fastboot oem unlock, they will get the following:
Quote:

(bootloader) Check 'Allow OEM Unlock' in Developer Options.
FAILED (remote failure)

with the Device is LOCKED Status Code: 2

Is it good or bad?


Definitely good for regular users. But sometimes it turns against some "want to be advanced" users. As many of the "unlock/flash custom ROM" manuals have the line "You can lock the bootloader with the command fastboot oem lock", many users do this. Some of the users do it as it guarantees security (as many people think).
But sometimes something goes wrong and the system doesn't boot. Many of the manuals say that if one performs fastboot oem lock and fastboot oem unlock again, everything wipes and there is a normally booting stock device again... And it is a good method, but it ended with the Nexus 5/7. Because now if you lock the device and the system doesn't boot, you will not be able to unlock it, as you need to check 'Allow OEM Unlock' in Developer Options.

INFO. How does it work?


I'll start with the changes committed in development_prefs.xml, DevelopmentSettings.java and Utils.java on android.googlesource.com:
Quote:

Enable OEM unlock checkbox in Developer Settings

For Volantis+ devices, we will give users
the ability to enable OEM unlock through
Developer Settings. To do so, we must write
the value to the last byte of a special partition
that does not get erased even after factory reset.

This feature will only be available on devices
with the persistent data partition, thus the checkbox
is only visible for devices that meet this requirement.

So the new devices have that special partition that influences whether the device can be unlocked.
If we go deeper into the sources, we can see how the whole thing works.
PersistentDataBlockService.java:
Code:
    @Override
    public void onStart() {
        enforceChecksumValidity();
        formatIfOemUnlockEnabled();
        publishBinderService(Context.PERSISTENT_DATA_BLOCK_SERVICE, mService);
    }

    // ...

    private void formatIfOemUnlockEnabled() {
        if (doGetOemUnlockEnabled()) {
            synchronized (mLock) {
                formatPartitionLocked();
                doSetOemUnlockEnabledLocked(true);
            }
        }
    }

    // ...

    private void formatPartitionLocked() {
        DataOutputStream outputStream;
        try {
            outputStream = new DataOutputStream(new FileOutputStream(new File(mDataBlockFile)));
        } catch (FileNotFoundException e) {
            Slog.e(TAG, "partition not available?", e);
            return;
        }

        byte[] data = new byte[DIGEST_SIZE_BYTES];
        try {
            outputStream.write(data, 0, DIGEST_SIZE_BYTES);
            outputStream.writeInt(PARTITION_TYPE_MARKER);
            outputStream.writeInt(0); // data size
            outputStream.flush();
        } catch (IOException e) {
            Slog.e(TAG, "failed to format block", e);
            return;
        } finally {
            IoUtils.closeQuietly(outputStream);
        }

        doSetOemUnlockEnabledLocked(false);
        computeAndWriteDigestLocked();
    }

    // ...

    private void doSetOemUnlockEnabledLocked(boolean enabled) {
        FileOutputStream outputStream;
        try {
            outputStream = new FileOutputStream(new File(mDataBlockFile));
        } catch (FileNotFoundException e) {
            Slog.e(TAG, "partition not available", e);
            return;
        }

        try {
            FileChannel channel = outputStream.getChannel();

            channel.position(getBlockDeviceSize() - 1);

            ByteBuffer data = ByteBuffer.allocate(1);
            data.put(enabled ? (byte) 1 : (byte) 0);
            data.flip();
            channel.write(data);
            outputStream.flush();
        } catch (IOException e) {
            Slog.e(TAG, "unable to access persistent partition", e);
            return;
        } finally {
            IoUtils.closeQuietly(outputStream);
        }
    }

    // ...

        @Override
        public void setOemUnlockEnabled(boolean enabled) {
            // do not allow monkey to flip the flag
            if (ActivityManager.isUserAMonkey()) {
                return;
            }
            enforceOemUnlockPermission();
            enforceIsOwner();
            synchronized (mLock) {
                doSetOemUnlockEnabledLocked(enabled);
                computeAndWriteDigestLocked();
            }
        }

        // ...

        @Override
        public boolean getOemUnlockEnabled() {
            enforceOemUnlockPermission();
            return doGetOemUnlockEnabled();
        }
Many lines are skipped; you can find them at the link above. As we can see, there is one byte: 1 - allow OEM unlock, 0 - do not allow.

DevelopmentSettings.java:
Code:
    private static final String ENABLE_OEM_UNLOCK = "oem_unlock_enable";
    private CheckBoxPreference mEnableOemUnlock;

    // ...

    @Override
    public void onCreate(Bundle icicle) {
        super.onCreate(icicle);
        // ...
        mEnableOemUnlock = findAndInitCheckboxPref(ENABLE_OEM_UNLOCK);
        if (!showEnableOemUnlockPreference()) {
            removePreference(mEnableOemUnlock);
        }
        // ...
    }

    // ...

    private void updateAllOptions() {
        final Context context = getActivity();
        // ...
        updateCheckBox(mEnableOemUnlock, Utils.isOemUnlockEnabled(getActivity()));
        // ...
    }

    // ...

    private static boolean showEnableOemUnlockPreference() {
        return !SystemProperties.get(PERSISTENT_DATA_BLOCK_PROP).equals("");
    }
So those lines give us the information, that users try to find out in other threads... So here it is:
The checkbox goes to "off" after every reboot.
So you can't just allow oem unlock and use it sometimes in the future. It will work only with the first reboot to bootloader. And if you reboot the phone without changes - it will reset the option in settings.
UPD: With the 5.1.1 update, it remains enabled after reboot.

Getting things done


If you look into the PersistentDataBlockService.java, you can find the line:
Code:
private static final String PERSISTENT_DATA_BLOCK_PROP = "ro.frp.pst";
And if we go to the /system/build.prop on the device, we will get the following:
ro.frp.pst=/dev/block/platform/sdhci-tegra.3/by-name/PST for the Nexus 9
ro.frp.pst=/dev/block/platform/msm_sdcc.1/by-name/frp for the Nexus 6
The next step is running
Code:
adb shell busybox fdisk /dev/block/mmcblk0
So we can see for the Nexus 6:
Quote:

Number Start (sector) End (sector) Size Code Name
...
18 285696 286719 1024 0700 frp
...

The PST partition of the Nexus 9 is 27.

What can we do about it?
Well. That's simple. All we need is TWRP/working adb.
Actually some users with a blinking TWRP logo can still use adb. Some can perform fastboot -w or fastboot format cache and fastboot format userdata to make TWRP work, wipe and boot.
But sometimes there is no system and nothing can be flashed (as it was with one device on a Russian forum).
So with all the information written above we made the following:
Asked the guy with the live device to check the allow oem unlock and reboot to recovery.
Code:
adb shell dd if=/dev/block/mmcblk0p18 of=/sdcard/unlock.img
to copy the partition on sdcard and send us the file.
on the "bricked" device run:
Code:
adb push c:\android\unlock.img /sdcard/unlock.img
Where c:\android - is the folder with the adb and file itself.
Code:
adb shell dd if=/sdcard/unlock.img of=/dev/block/mmcblk0p18
and after reboot to bootloader we successfully performed the fastboot oem unlock.


Hope the information is useful and will help someone.


IMPORTANT!!! The unlockN6.img file is only for NEXUS 6! The unlockN9.img file is only for NEXUS 9!
The script will work on both N6 and N9.
If you dd the wrong file your device will not boot, and you will not be able to use TWRP after that.
And once again: the BEST way is to use @osm0sis' UPDATE-Nexus.BootUnlocker.zip from THIS post (or newer if it exists).
Attached Files: unlockN6.img (512.0 KB), unlockN9.img (512.0 KB)
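The layout that the quoted PersistentDataBlockService code writes, as an added decoder in Python (this is not code from the post, and not osm0sis' zip): formatPartitionLocked() writes DIGEST_SIZE_BYTES of zeros, then a marker and a data size with DataOutputStream.writeInt (big-endian), and doSetOemUnlockEnabledLocked() writes the flag into the last byte of the block device. The two constant values are assumptions recalled from AOSP's PersistentDataBlockService.java rather than values quoted in the thread, so verify them against the source. The sample dumps are constructed in the script; for a 512 KB image the flag lands at offset 0x7ffff.

```python
"""Decode a dumped persistent data block (frp / PST partition) image.

Added example for this thread, not code posted by playahate or osm0sis.
Layout follows the formatPartitionLocked() and doSetOemUnlockEnabledLocked()
code quoted in the first post: DIGEST_SIZE_BYTES of digest at offset 0, a
32-bit partition type marker, a 32-bit data size (DataOutputStream.writeInt
is big-endian), the payload, and the OEM-unlock flag in the last byte of the
partition.  The two constant values are assumptions recalled from AOSP's
PersistentDataBlockService.java, not quoted in the thread.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

DIGEST_SIZE_BYTES = 32               # assumed: SHA-256 digest length
PARTITION_TYPE_MARKER = 0x19901873   # assumed: marker written by formatPartitionLocked()
PST_IMAGE_SIZE = 512 * 1024          # 512 KB, the size of the images attached to the thread
HEADER_SIZE = DIGEST_SIZE_BYTES + 8  # digest + marker + data size


@dataclass(frozen=True)
class PstInfo:
    digest: bytes             # treated as opaque; the service checks it in enforceChecksumValidity()
    marker: int
    data_size: int
    flag_offset: int          # offset of the OEM-unlock byte, always size - 1
    oem_unlock_enabled: bool  # last byte == 1 means "Allow OEM Unlock" is on

    @property
    def formatted(self) -> bool:
        """True when the marker matches, i.e. the block was formatted by the service."""
        return self.marker == PARTITION_TYPE_MARKER


def parse_pst_image(image: bytes) -> PstInfo:
    """Decode the header and the trailing flag byte of a raw partition dump."""
    if len(image) < HEADER_SIZE + 1:
        raise ValueError("image too small for a persistent data block header")
    digest = bytes(image[:DIGEST_SIZE_BYTES])
    marker, data_size = struct.unpack_from(">iI", image, DIGEST_SIZE_BYTES)
    if data_size > len(image) - HEADER_SIZE - 1:
        raise ValueError("data size field exceeds the image")
    flag_offset = len(image) - 1
    return PstInfo(digest, marker, data_size, flag_offset, image[flag_offset] == 1)


def diff_regions(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where two same-sized dumps differ."""
    if len(a) != len(b):
        raise ValueError("dumps must be the same size to compare")
    regions: List[Tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(a)))
    return regions


def make_sample_image(oem_unlock_enabled: bool,
                      digest: bytes = b"\0" * DIGEST_SIZE_BYTES) -> bytes:
    """Constructed test image reproducing what formatPartitionLocked() writes
    (digest field, marker, data size 0) with the flag byte set as requested.
    The digest is whatever the caller passes; this helper does not compute one."""
    if len(digest) != DIGEST_SIZE_BYTES:
        raise ValueError("digest must be %d bytes" % DIGEST_SIZE_BYTES)
    buf = bytearray(PST_IMAGE_SIZE)
    buf[:DIGEST_SIZE_BYTES] = digest
    struct.pack_into(">iI", buf, DIGEST_SIZE_BYTES, PARTITION_TYPE_MARKER, 0)
    buf[-1] = 1 if oem_unlock_enabled else 0
    return bytes(buf)


if __name__ == "__main__":
    # Two constructed dumps standing in for the "donor" and "stock" images discussed in the thread.
    donor = make_sample_image(True, digest=bytes([0xAB]) * DIGEST_SIZE_BYTES)
    stock = make_sample_image(False)
    info = parse_pst_image(donor)
    print("formatted=%s data_size=%d flag@0x%x oem_unlock_enabled=%s"
          % (info.formatted, info.data_size, info.flag_offset, info.oem_unlock_enabled))
    print("regions that differ:", [(hex(s), hex(e)) for s, e in diff_regions(stock, donor)])
```

Run it against a dump taken with `dd` as in the post to see whether the block is formatted, where the flag byte sits and which regions differ between two dumps. The digest is deliberately left opaque: the decoder neither computes nor rewrites it, and the quoted onStart() calls enforceChecksumValidity() before anything else, so inspect a dump before writing anything back to a device. Also confirm the partition number from the ro.frp.pst symlink on the device rather than assuming it, since the post warns that dd to the wrong target leaves the device unbootable.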
 
 
20th May 2015, 07:29 PM | #2 | danarama, Senior Member, Oxenhope, West Yorkshire, UK
Good effort and very thorough. Problem is not a problem if you have twrp though. Only an issue if you have stock recovery.
20th May 2015, 08:15 PM | #3 | playahate (OP), Senior Member, Moscow
Quote:
Originally Posted by rootSU

Good effort and very thorough. Problem is not a problem if you have twrp though. Only an issue if you have stock recovery.

Yap. I thought so...
But we couldn't make it boot... Tried to flash CM, Chroma, stock.zip - nothing... He wiped or erased the system before the lock, so nothing helped after. Either we got the error, or it flashed in 10 seconds and then bootlooped. All the wipes from recovery and format (fastboot) didn't help...
20th May 2015, 09:02 PM | #4 | danarama, Senior Member, Oxenhope, West Yorkshire, UK
Quote:
Originally Posted by playahate

Yap. I thought so...
But we couldn't make it boot... Tried to flash CM, Chroma, stock.zip - nothing... He wiped or erased the system before the lock, so nothing helped after. Either we got the error, or it flashed in 10 seconds and then bootlooped. All the wipes from recovery and format (fastboot) didn't help...

We've maybe been lucky on the n6. So far everyone with twrp, even if twrp boot looped, were able to format cache and data and then boot twrp and flash.

None-the-less, very interesting.
20th May 2015, 09:41 PM | #5 | osm0sis, Recognized Developer / Recognized Contributor, Halifax
So are these frp partition dumps you got from a N6 so I can examine them for the offset?

Edit: The offset is 07ffff and there are 2 lines of data at the beginning of the file, which could be a hash or security token, so I would NOT advise against flashing any of those images whole if they don't come from your device. The N9, for comparison was 07fffc and was reportedly otherwise empty.

We can flip the byte at that offset and see if it works like with the N9, but I'm worried the hash might interfere. I'll post a test zip once you confirm those are from the N6 and then we'll see!
21st May 2015, 06:03 AM | #6 | playahate (OP), Senior Member, Moscow
Quote:
Originally Posted by osm0sis

So are these frp partition dumps you got from a N6 so I can examine them for the offset?
I'll post a test zip once you confirm those are from the N6 and then we'll see!

Ok. Those 2 files are from the Nexus 6 that was booting normally and we used it as a donor.
And here is another stock.img in the attachment. It's from the device that we tried to recover (and succeeded in the end) when it wasn't booting. So you can compare those two stock.img of the frp partition from different devices.
Attached Files: stock.img (512.0 KB)
21st May 2015, 06:20 AM | #7 | osm0sis, Recognized Developer / Recognized Contributor, Halifax
Quote:
Originally Posted by playahate

Ok. Those 2 files are from the Nexus 6 that was booting normally and we used it as a donor.
And here is another stock.img in the attachment. It's from the device that we tried to recover (and succeeded in the end) when it wasn't booting. So you can compare those two stock.img of the frp partition from different devices.

Yup, that data is different between the two.. As I said, not sure if it'll have any effect but we can try anyway. Here's the zip to test flipping the byte, it's got support for shamu and flounder/founder_lte added. If we get successful reports of it toggling the oem lockout then I'll sign and publish it in my Odds and Ends thread. Great work and thanks for all the help!

[ Attachment removed - test complete ]
23rd May 2015, 07:25 PM | #8 | osm0sis, Recognized Developer / Recognized Contributor, Halifax
14 people have downloaded.. Any reports?

@efrant, you still rocking a N6?
27th May 2015, 08:32 PM | #9 | efrant, Developers Relations / Senior Moderator, Montreal
Quote:
Originally Posted by osm0sis

14 people have downloaded.. Any reports?

@efrant, you still rocking a N6?

I just downloaded it and tried it.

My initial state was: bootloader unlocked and "Allow OEM unlock" set to off.

I then ran your script. See the attached screenshot from TWRP.

My end state was bootloader unlocked and "Allow OEM unlock" set to off, i.e., no change at all from the initial state.
Attached thumbnail: Screenshot_2015-05-27-14-24-51.png (82.7 KB)
27th May 2015, 08:38 PM | #10 | efrant, Developers Relations / Senior Moderator, Montreal
Just as an aside, @osm0sis & I already determined that the lock state is stored in the "sp" partition. So if someone dumps that partition when in an unlocked state, flashing that to your device when the bootloader is locked will unlock the bootloader. (Tested and confirmed by me.) It would likely work across shamu devices as well, but as osm0sis said, there may be a hash in there that could affect something.
27th May 2015, 09:06 PM | #11 | osm0sis, Recognized Developer / Recognized Contributor, Halifax
Quote:
Originally Posted by efrant

I just downloaded it and tried it.

My initial state was: bootloader unlocked and "Allow OEM unlock" set to off.

I then ran your script. See the attached screenshot from TWRP.

My end state was bootloader unlocked and "Allow OEM unlock" set to off, i.e., no change at all from the initial state.

Quote:
Originally Posted by efrant

Just as an aside, @osm0sis & I already determined that the lock state is stored in the "sp" partition. So if someone dumps that partition when in an unlocked state, flashing that to your device when the bootloader is locked will unlock the bootloader. (Tested and confirmed by me.) It would likely work across shamu devices as well, but as osm0sis said, there may be a hash in there that could affect something.

Damn must be the hashing at the beginning of frp messing this up too.. Thanks for trying. Maybe flip the byte back for yourself to make sure it's back to its untouched state. Unless anyone has any other ideas I guess I'll have to limit the "Allow OEM Unlock" toggle support to founder*

@playahate Oh well, it was worth a try. @ mention me if you guys come up with anything else.

Tags: enable oem unlock, nexus 6, nexus 9, oem unlock, unlock bootloader