Unlock Bootloader, Even without code!

Did it work?

  • Total voters
    77
Search This thread
By:
Advanced…
hackintosh5

hackintosh5

Senior Member
Sep 15, 2017
1,246
957
--- Please don't quote this entire post ---


I have, with the help of two people who's XDA I don't know, just unlocked an Honor 9 Lite without an unlock code!:angel: The method follows:
Initial revision

0. Prepare adb and fastboot. On windows, change all
Code: 
fastboot
commands to
Code: 
.\fastboot
and similarly for
Code: 
adb

(skip to step 2 if you have the June 2018 patch or earlier)

1a. Downgrade firmware to 8.0.0.xxx (June patch) via androidhost.ru - search for your device, get a C432 version.

1b. Downgrade, instructions are in the 'ReleaseDoc' folder. Use the forced install method

(do not reboot the phone until step 3a is complete)

2a. Enter
Code: 
fastboot
2b. Enter powershell or terminal and type:
Code: 
fastboot oem hwdog certify begin;fastboot oem get-product-model
2c. Send the result to @huaweihax telegram group or in this thread (telegram will have faster response times)
2d. We will send you your slock when we gets a chance. Please be patient, we have real lives. Download it on the same pc as you have fastboot on.
2e. Copy the slock to your working directory
2f. Type in your shell:
Code: 
fastboot flash slock <slock_filename>

(Download twrp on the pc that has fastboot, copy to working directory)

3a.
Code: 
fastboot flash erecovery_ramdisk <twrp filename>
3b. Read step 3c and 3d
3c.
Code: 
fastboot reboot
3d. Hold volume up AFTER the phone vibrates
3e. Twrp should boot up. If not, reboot it and try 3d again

(Each reboot until step 4 is complete, you will restart step 4)

4a. Connect usb
4b.
Code: 
adb shell dd if=/dev/block/bootdevice/by-name/nvme of=/tmp/nvme
4c.
Code: 
adb pull /tmp/nvme

You may now reboot the device, if you want.

5a. Open the nvme file in a hex editor. Find 'FBLOCK' in the file. There should be '8' shortly before the fblock. Move down exactly one line from '8' and you will see 01. Change that to 00 and repeat for all instances of fblock in the file. Save the file.
5c.
Code: 
adb push nvme /tmp/nvme
5d.
Code: 
adb shell dd if=/tmp/nvme of=/dev/block/bootdevice/by-name/nvme

6. Reboot!

CONGRATS! YOUR DEVICE IS NOW UNLOCKED!


Latest revision:
0. Prepare adb and fastboot. On windows, change all fastboot commands to ./fastboot and similarly for adb

Skip to step 2 if you have the June 2018 patch or earlier

1a. Downgrade firmware to June patch via androidhost.ru - search for your device, any C number should work.
1b. Downgrade, instructions are in the 'ReleaseDoc' folder. Use the forced install method

2a. Enter fastboot
2b. DO NOT REBOOT THE PHONE UNTIL STEP 3a is complete!!! Failing to follow this will result in anger!
2c. Enter powershell or terminal and type:
Code: 
fastboot oem hwdog certify begin;fastboot oem get-product-model;fastboot oem get-build-number
2c. Send the result in the telegram group @huaweiHax (link to the public group is at the start of the channel), or, if that's entirely impossible, PM @OldDroid on XDA.
2d. A nice guy will send you your slock. Please be patient, they have real lives. Download it on the same pc as you have fastboot on.
2e. Copy the slock to your working directory
2f.
Code: 
fastboot flash slock <slock_filename>

(Download twrp on the pc that has fastboot, copy to working directory)

3a.
Code: 
fastboot flash erecovery_ramdisk <twrp filename>
3b. Read step 3c and 3d
3c.
Code: 
fastboot reboot
3d. Hold volume up AFTER the phone vibrates
3e. Twrp should boot up. If not, reboot it and try 3d again

4a. Connect usb
4b.
Code: 
adb shell dd if=/dev/block/bootdevice/by-name/nvme of=/tmp/nvme
4c.
Code: 
adb pull /tmp/nvme


WARNING: FOLLOW THESE STEPS VERY CAREFULLY AND DOUBLE-CHECK EVERYTHING!
5a. Open the nvme file with a hex editor. Repeat step 5b until you have done all the instances of FBLOCK.
5b. Search the file for FBLOCK. For each instance, you should see the character 8 shortly before. Go down exactly one line from the 8. Select the .. You should see 01 become highlighted in the hex area. Change the 01 to 00 and repeat 6 more times (7 in total). Save the file as nvmepatched
5c.
Code: 
adb push nvmepatched /tmp/nvme
5d.
Code: 
adb shell dd if=/tmp/nvme of=/dev/block/bootdevice/by-name/nvme

6. Reboot!

CONGRATS! YOUR DEVICE IS NOW UNLOCKED!


----------------------------------------------------------------


Files you might find useful:
nvme.zip: a twrp flashable zip that automates step 5 of the instructions. I have tested it and it works fine for me. If TWRP crashes and restarts, that's fine, but idk why it happens. If it happens to you, please send /tmp/recovery.log to me in pm or here, or in telegram
autoroot.zip: a zip file containing a python script and related files to automatically unlock Huawei's. To use it, put a twrp file called 'twrp-kirin.img' in the 'files' subfolder. I cannot upload that file due to XDA file size restrictions.
https://www.androidfilehost.com/?w=files&flid=285583: thanks to @mrmazak, this is a windows batch tool version of autoroot.zip
 

Attachments

  • autoroot.zip
    62.8 KB · Views: 3,974
  • nvme.zip
    7.1 KB · Views: 3,293
Last edited:
  • Like
  • Love
Reactions: biker_boys, mirhl, saurabh6377 and 10 others
mrmazak

mrmazak

Senior Member
Jun 16, 2013
3,260
1,342
Blu Vivo XL
BLU R1 HD
In the attached photos you will see correct and incorrect converted "slock files"

When you follow the guide from above. Between 2-C and 2-D.
If the you get just a long string of letters and numbers (512 characters to be exact). That string of numbers it that state is "text" it needs to be "HEX". , to do this there are command line tools to do it. But it can be done in a user friendly way in a hex editor program. But this needs to done as hex and not text. The photos show both examples.

In the correct edited photo the long string is written to the left side (the hex area)

In the incorrect edited photo the long string is written to the right side (the text area).

SLOCK CONVERSION
FOR command line use

Copy the long string of text as regular txt file NO EXTRA SPACES -- for this example name it slock.txt

Command line code for linux: Needs "XDD" It should already be installed on most systems.(inside VIM)
Code: 
cat  slock.txt | xxd -r -p > binary-slock.bin


Command line code for Windows: Needs "XDD.exe" It canbe found inside VIM http://www.vim.org/
Code: 
type slock.txt  | xxd.exe -r -p > binary-slock.bin


NVME EDITS

Linux terminal

Code: 
sed 's/\x46 \x42 \x4C \x4F \x43 \x4B \x00 \x00 \x01 \x00 \x00 \x00 \x01/\x46 \x42 \x4C \x4F \x43 \x4B \x00 \x00 \x01 \x00 \x00 \x00 \x00/g' nvme > temp

Windows cmd version needs GNU-SED
OR
reg-expression-tool LIKE "jrepl.bat" (one of my favorite little tools)

Code: 
files\JREPL.BAT "\x46\x42\x4C\x4F\x43\x4B\x00\x00\x01\x00\x00\x00\x01" "\x46\x42\x4C\x4F\x43\x4B\x00\x00\x01\x00\x00\x00\x00" /m /x /f modified-nvme /o -

Scripted method
Windows batch file tool
Use newest version in the folder. And allow tool to update, when first ran.
.
.
 

Attachments

  • correct-slock-as-hex.png
    correct-slock-as-hex.png
    66.3 KB · Views: 5,004
  • incorrect-slock-as-text.png
    incorrect-slock-as-text.png
    90.8 KB · Views: 4,910
Last edited:
  • Like
Reactions: coolkumar, saurabh6377, Lupax and 2 others
hackintosh5

hackintosh5

Senior Member
Sep 15, 2017
1,246
957
mrmazak said:
this sounds like great news for continuing custom roms on Huawei.

Just want to ask about the above section.
Are you saying just the sending of data will be rolled into an app, or the whole thing will be self contained in an app?
Click to expand...
Click to collapse
Just the second stage of sending data, olddroid is 'thinking' about making them both automated, but right now, neither is.
 
  • Like
Reactions: gcpmusic57 and Fredin_
A

aldinista

New member
Dec 18, 2016
2
0
hackintosh5 said:
Again, try another firmware like c432 or c00, but it all depends on whether the dload works or not. If it doesn't install, you'll have to find one that does. If it installs you'll be ok. Just flash the correct model firmware after completing the exploit
Click to expand...
Click to collapse

Oke i try.. ?
Hehehe, sorry because I'm not yet so familiar.
I'm still a beginner ??
 
Fredin_

Fredin_

Senior Member
Feb 19, 2018
313
83
Wait but how can you flash something from fastboot if the bootloader is locked?
 
Last edited:
Fredin_

Fredin_

Senior Member
Feb 19, 2018
313
83
You must log in or register to reply here.

Similar threads

hackintosh5
  • Poll
[GUIDE] Unlock FRP, Phone without system access or bootloader unlock code
Replies
20
Views
18K
A
amillo
VigneshS007
  • Locked
[Guide]Unlock and Root Honor 9 Lite [Videos Added]
Replies
26
Views
39K
M
moonknight01
rituraj_singh
Unlocking "Only LTE" mode in Honor 9 lite
Replies
25
Views
42K
C
click_og
Majid2000
[GUIDE] Downgrade from EMUI 9.1 to 8.0 for bootloader unlocking
Replies
10
Views
9K
O
obvPaul
A
[GUIDE] Unbrick your device or recover from bootloop
Replies
43
Views
18K
Fredin_
Fredin_

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 13
    hackintosh5
    hackintosh5
    --- Please don't quote this entire post ---


    I have, with the help of two people who's XDA I don't know, just unlocked an Honor 9 Lite without an unlock code!:angel: The method follows:
    Initial revision

    0. Prepare adb and fastboot. On windows, change all
    Code: 
    fastboot
    commands to
    Code: 
    .\fastboot
    and similarly for
    Code: 
    adb

    (skip to step 2 if you have the June 2018 patch or earlier)

    1a. Downgrade firmware to 8.0.0.xxx (June patch) via androidhost.ru - search for your device, get a C432 version.

    1b. Downgrade, instructions are in the 'ReleaseDoc' folder. Use the forced install method

    (do not reboot the phone until step 3a is complete)

    2a. Enter
    Code: 
    fastboot
    2b. Enter powershell or terminal and type:
    Code: 
    fastboot oem hwdog certify begin;fastboot oem get-product-model
    2c. Send the result to @huaweihax telegram group or in this thread (telegram will have faster response times)
    2d. We will send you your slock when we gets a chance. Please be patient, we have real lives. Download it on the same pc as you have fastboot on.
    2e. Copy the slock to your working directory
    2f. Type in your shell:
    Code: 
    fastboot flash slock <slock_filename>

    (Download twrp on the pc that has fastboot, copy to working directory)

    3a.
    Code: 
    fastboot flash erecovery_ramdisk <twrp filename>
    3b. Read step 3c and 3d
    3c.
    Code: 
    fastboot reboot
    3d. Hold volume up AFTER the phone vibrates
    3e. Twrp should boot up. If not, reboot it and try 3d again

    (Each reboot until step 4 is complete, you will restart step 4)

    4a. Connect usb
    4b.
    Code: 
    adb shell dd if=/dev/block/bootdevice/by-name/nvme of=/tmp/nvme
    4c.
    Code: 
    adb pull /tmp/nvme

    You may now reboot the device, if you want.

    5a. Open the nvme file in a hex editor. Find 'FBLOCK' in the file. There should be '8' shortly before the fblock. Move down exactly one line from '8' and you will see 01. Change that to 00 and repeat for all instances of fblock in the file. Save the file.
    5c.
    Code: 
    adb push nvme /tmp/nvme
    5d.
    Code: 
    adb shell dd if=/tmp/nvme of=/dev/block/bootdevice/by-name/nvme

    6. Reboot!

    CONGRATS! YOUR DEVICE IS NOW UNLOCKED!


    Latest revision:
    0. Prepare adb and fastboot. On windows, change all fastboot commands to ./fastboot and similarly for adb

    Skip to step 2 if you have the June 2018 patch or earlier

    1a. Downgrade firmware to June patch via androidhost.ru - search for your device, any C number should work.
    1b. Downgrade, instructions are in the 'ReleaseDoc' folder. Use the forced install method

    2a. Enter fastboot
    2b. DO NOT REBOOT THE PHONE UNTIL STEP 3a is complete!!! Failing to follow this will result in anger!
    2c. Enter powershell or terminal and type:
    Code: 
    fastboot oem hwdog certify begin;fastboot oem get-product-model;fastboot oem get-build-number
    2c. Send the result in the telegram group @huaweiHax (link to the public group is at the start of the channel), or, if that's entirely impossible, PM @OldDroid on XDA.
    2d. A nice guy will send you your slock. Please be patient, they have real lives. Download it on the same pc as you have fastboot on.
    2e. Copy the slock to your working directory
    2f.
    Code: 
    fastboot flash slock <slock_filename>

    (Download twrp on the pc that has fastboot, copy to working directory)

    3a.
    Code: 
    fastboot flash erecovery_ramdisk <twrp filename>
    3b. Read step 3c and 3d
    3c.
    Code: 
    fastboot reboot
    3d. Hold volume up AFTER the phone vibrates
    3e. Twrp should boot up. If not, reboot it and try 3d again

    4a. Connect usb
    4b.
    Code: 
    adb shell dd if=/dev/block/bootdevice/by-name/nvme of=/tmp/nvme
    4c.
    Code: 
    adb pull /tmp/nvme


    WARNING: FOLLOW THESE STEPS VERY CAREFULLY AND DOUBLE-CHECK EVERYTHING!
    5a. Open the nvme file with a hex editor. Repeat step 5b until you have done all the instances of FBLOCK.
    5b. Search the file for FBLOCK. For each instance, you should see the character 8 shortly before. Go down exactly one line from the 8. Select the .. You should see 01 become highlighted in the hex area. Change the 01 to 00 and repeat 6 more times (7 in total). Save the file as nvmepatched
    5c.
    Code: 
    adb push nvmepatched /tmp/nvme
    5d.
    Code: 
    adb shell dd if=/tmp/nvme of=/dev/block/bootdevice/by-name/nvme

    6. Reboot!

    CONGRATS! YOUR DEVICE IS NOW UNLOCKED!


    ----------------------------------------------------------------


    Files you might find useful:
    nvme.zip: a twrp flashable zip that automates step 5 of the instructions. I have tested it and it works fine for me. If TWRP crashes and restarts, that's fine, but idk why it happens. If it happens to you, please send /tmp/recovery.log to me in pm or here, or in telegram
    autoroot.zip: a zip file containing a python script and related files to automatically unlock Huawei's. To use it, put a twrp file called 'twrp-kirin.img' in the 'files' subfolder. I cannot upload that file due to XDA file size restrictions.
    https://www.androidfilehost.com/?w=files&flid=285583: thanks to @mrmazak, this is a windows batch tool version of autoroot.zip
    View
    5
    mrmazak
    mrmazak
    In the attached photos you will see correct and incorrect converted "slock files"

    When you follow the guide from above. Between 2-C and 2-D.
    If the you get just a long string of letters and numbers (512 characters to be exact). That string of numbers it that state is "text" it needs to be "HEX". , to do this there are command line tools to do it. But it can be done in a user friendly way in a hex editor program. But this needs to done as hex and not text. The photos show both examples.

    In the correct edited photo the long string is written to the left side (the hex area)

    In the incorrect edited photo the long string is written to the right side (the text area).

    SLOCK CONVERSION
    FOR command line use

    Copy the long string of text as regular txt file NO EXTRA SPACES -- for this example name it slock.txt

    Command line code for linux: Needs "XDD" It should already be installed on most systems.(inside VIM)
    Code: 
    cat  slock.txt | xxd -r -p > binary-slock.bin


    Command line code for Windows: Needs "XDD.exe" It canbe found inside VIM http://www.vim.org/
    Code: 
    type slock.txt  | xxd.exe -r -p > binary-slock.bin


    NVME EDITS

    Linux terminal

    Code: 
    sed 's/\x46 \x42 \x4C \x4F \x43 \x4B \x00 \x00 \x01 \x00 \x00 \x00 \x01/\x46 \x42 \x4C \x4F \x43 \x4B \x00 \x00 \x01 \x00 \x00 \x00 \x00/g' nvme > temp

    Windows cmd version needs GNU-SED
    OR
    reg-expression-tool LIKE "jrepl.bat" (one of my favorite little tools)

    Code: 
    files\JREPL.BAT "\x46\x42\x4C\x4F\x43\x4B\x00\x00\x01\x00\x00\x00\x01" "\x46\x42\x4C\x4F\x43\x4B\x00\x00\x01\x00\x00\x00\x00" /m /x /f modified-nvme /o -

    Scripted method
    Windows batch file tool
    Use newest version in the folder. And allow tool to update, when first ran.
    .
    .
    View
    3
    SeenThings
    SeenThings
    @hackintosh5

    My LLD-L21 (C636) bricked with Bootloader is Relocked & FRP Locked, but has been solved now with the help of your tutorial.
    Thanks you so much sir. :good::good::good:
    View
    2
    hackintosh5
    hackintosh5
    mrmazak said:
    this sounds like great news for continuing custom roms on Huawei.

    Just want to ask about the above section.
    Are you saying just the sending of data will be rolled into an app, or the whole thing will be self contained in an app?
    Click to expand...
    Click to collapse
    Just the second stage of sending data, olddroid is 'thinking' about making them both automated, but right now, neither is.
    View
    2
    hackintosh5
    hackintosh5
    Fredin_ said:
    Wait but how can you flash something from fastboot if the bootloader is unlocked?
    Click to expand...
    Click to collapse
    Please unquote the entire post... Then I'll respond.
    View

New posts