[DISCUSSION] A thread to collate and share what is known about unlocking fastboot on Oppo devices


DRS_Frizzy

Member
Nov 2, 2022
15
0
OPPO A74 5G
So Oppo uses the same verification method as realme?
If yes, as you said, if secure boot is disabled it will skip fastboot verify. Is there any way to disable this secure boot? And has anyone tried looking into the engineer menu? Maybe there is an option to disable secure boot.
 

melontini

Senior Member
May 14, 2023
70
8
POCO M3
Realme 8 Pro
> So Oppo uses the same verification method as realme?
> If yes, as you said, if secure boot is disabled it will skip fastboot verify. Is there any way to disable this secure boot? And has anyone tried looking into the engineer menu? Maybe there is an option to disable secure boot.
I assume oppo uses the same process due to framework/partition names and an almost identical OS.

I don't think it's possible to disable secure boot. Maybe in a perfect world it would be possible to patch abl and push it through EDL, or in a super perfect world there might be a vulnerability similar to this https://www.pentestpartners.com/sec...id-bootloader-on-the-qualcomm-snapdragon-660/ (Although even this requires fastboot access)

For now, the only way to unlock an oppo/unsupported realme phone is to have a patchable non qualcomm SOC, or sell your phone and buy an unlockable one.

It's a real shame that oppo decided to lock fastboot in this way, but I just don't see a solution here.
 

melontini

Senior Member
May 14, 2023
70
8
POCO M3
Realme 8 Pro
btw, after looking around GitHub, I found this very spooky tool https://github.com/H*/Qualcomm-*

I haven't tested it, but it does mention oppo/realme and "bootloader unlock".

If anyone wants to try it, go ahead, but I'm not responsible for anything going wrong. 😅


VirusTotal 8 detects:

After looking a bit further, the commands this tool executes seem legit,

It just wraps this tool https://github.com/nijel8/emmcdl

If you want to recreate what this tool does, here's its GitHub, but keep in mind the VirusTotal score and my lack of responsibility. https://github.com/HadiKhoirudin/Qualcomm-Tool.
/application contains all the commands, /assets all the Loaders, drivers and pre-compiled executables.

Also, this https://manalyzer.org/report/58c5d5708130caec4a2e52586b9ea195 and this https://www.hybrid-analysis.com/sam...f802b9d084fe0be2003b2f17959d47aba787a14a41912
 

melontini

Senior Member
May 14, 2023
70
8
POCO M3
Realme 8 Pro
> After looking a bit further, the commands this tool executes seem legit,
>
> It just wraps this tool https://github.com/nijel8/emmcdl
After a while of trying to figure out what this thing does, I think it does nothing. (or maybe I'm blind)

In source, it tries to write something to /devinfo.

Flipping the unlock bit in /devinfo works on old Xiaomi devices [1] [2] and this patch tries to write that bit. https://github.com/HadiKhoirudin/Qu.../resources/devinfo/XIAOMI-unlock-bl-patch.xml, but it doesn't work on modern devices because the bit is stored in the TEE instead [1].

But the realme/oppo/vivo patch tries to write `255`. Due to lack of documentation, it's not clear what this is supposed to do. https://github.com/HadiKhoirudin/Qu.../resources/devinfo/REALME-unlock-bl-patch.xml

Another tool wants you to patch /devinfo yourself: https://github.com/Naveen3Singh/BLUnlocker, but this tool is ~5 years old! And after looking at the issues, the success rate seems shaky... [3]

I bricked my phone while flashing a GSI, so I can't test this, and even if I could, I'm not looking for another brick.


And here's some more rambling:

Let's assume that this tool works, and that we actually live in a perfect world. You still won't be able to enter fastboot because OPPO protects FASTBOOT with a damn RSA KEY.

And even if you could enter fastboot, what are you going to flash? Thanks to OPPO's incredible work, you won't be able to find a proper fastboot ROM unless someone leaks it. Good luck rolling back to the stock/older ROM version!
There are no custom kernels as they often either do not release or release broken kernel sources (Realme 8 pro T kernel says hello! 2 years without source updates! [4]).

Their answer to ANY unlock question is, "Sorry, we care about your data, and we don't trust you with your own device!"
And all this is happening while Realme is going on about how "OSS friendly" they are on their Indian forum!

Sorry for this angry paragraph, but this entire debacle makes me mad.


[1] https://android.stackexchange.com/a/233302
[2] https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
[3] https://github.com/Naveen3Singh/BLUnlocker/issues/1
[4] https://github.com/realme-kernel-opensource/realme_6pro_7pro_8pro_X2-AndroidR-kernel-source
 

User154

Senior Member
> After a while of trying to figure out what this thing does, I think it does nothing. (or maybe I'm blind)
>
> In source, it tries to write something to /devinfo.
>
> Flipping the unlock bit in /devinfo works on old Xiaomi devices [1] [2] and this patch tries to write that bit. https://github.com/HadiKhoirudin/Qu.../resources/devinfo/XIAOMI-unlock-bl-patch.xml, but it doesn't work on modern devices because the bit is stored in the TEE instead [1].
>
> But the realme/oppo/vivo patch tries to write `255`. Due to lack of documentation, it's not clear what this is supposed to do. https://github.com/HadiKhoirudin/Qu.../resources/devinfo/REALME-unlock-bl-patch.xml
>
> Another tool wants you to patch /devinfo yourself: https://github.com/Naveen3Singh/BLUnlocker, but this tool is ~5 years old! And after looking at the issues, the success rate seems shaky... [3]
>
> I bricked my phone while flashing a GSI, so I can't test this, and even if I could, I'm not looking for another brick.
>
>
> And here's some more rambling:
>
> Let's assume that this tool works, and that we actually live in a perfect world. You still won't be able to enter fastboot because OPPO protects FASTBOOT with a damn RSA KEY.
>
> And even if you could enter fastboot, what are you going to flash? Thanks to OPPO's incredible work, you won't be able to find a proper fastboot ROM unless someone leaks it. Good luck rolling back to the stock/older ROM version!
> There are no custom kernels as they often either do not release or release broken kernel sources (Realme 8 pro T kernel says hello! 2 years without source updates! [4]).
>
> Their answer to ANY unlock question is, "Sorry, we care about your data, and we don't trust you with your own device!"
> And all this is happening while Realme is going on about how "OSS friendly" they are on their Indian forum!
>
> Sorry for this angry paragraph, but this entire debacle makes me mad.
>
>
> [1] https://android.stackexchange.com/a/233302
> [2] https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
> [3] https://github.com/Naveen3Singh/BLUnlocker/issues/1
> [4] https://github.com/realme-kernel-opensource/realme_6pro_7pro_8pro_X2-AndroidR-kernel-source

It looks slightly similar to the oem_unlock method here:

https://github.com/bkerler/edl/blob/master/edlclient/Library/Modules/generic.py

I am really sorry for mentioning abl, I didn't mean to send you down a rabbit hole.

I totally get your frustration. This is like the journey I went on with the fastbootUnlock method. I found the method, then you needed the key. Then it didn't matter if you got the key because not just any app can reflect the class. It doesn't matter what you try to use the methods from that class, because only apps with oppo or coloros in their name or whatever can use those methods, oh and those apps must be signed with the oppo key to even install and run. If some developer were to coincidentally use one of those names in the package name for their app it wouldn't work on oppo devices. Even if it didn't try to access any of their hidden classes.

I really stupidly assumed oppo would be dev friendly like oneplus were. (Before my oppo I had a pixel 4, before that I had an OP3 + 5 and loved them). I didn't even look if you could unlock the bootloader before buying the phone, I just assumed it wouldn't be any hassle. My find x3 pro is starting to show its age and I will not be buying oppo again.
 
On MediaTek devices that are exploitable with MtkClient you can unlock the bootloader via MtkClient, but then the recovery mode key combo changes to fastboot, BUT the fastboot boot mode still stays locked. This is presumably unlocked with the FastbootUnlock command, but can also be unlocked with a bootloader patch (look at my Reno Z thing)
Sadly none of this applies to Snapdragon devices ;( Could however be useful for MTK.
 

melontini

Senior Member
May 14, 2023
70
8
POCO M3
Realme 8 Pro
> On MediaTek devices that are exploitable with MtkClient you can unlock the bootloader via MtkClient, but then the recovery mode key combo changes to fastboot, BUT the fastboot boot mode still stays locked. This is presumably unlocked with the FastbootUnlock command, but can also be unlocked with a bootloader patch (look at my Reno Z thing)
> Sadly none of this applies to Snapdragon devices ;( Could however be useful for MTK.
The fastboot app is locked with an RSA key generated by OPPO. As per unlocking fastboot on mtk devices: https://github.com/R0rt1z2/oplus-unlock seems to do just that. (I should mention that I've never owned an MTK device before)

On snapdragon, it might be possible to do something similar with edl/emmcdl. Maybe...
 
> The fastboot app is locked with an RSA key generated by OPPO. As per unlocking fastboot on mtk devices: https://github.com/R0rt1z2/oplus-unlock seems to do just that. (I should mention that I've never owned an MTK device before)
>
> On snapdragon, it might be possible to do something similar with edl/emmcdl. Maybe...
That, I know. Or another strategy from OPPO - not releasing any deeptest app at all (reno Z) :D

For my development I use mtkclient for unlocking the bootloader - after all that's required for flashing unsigned images.
Then comes a problem that even if the bootloader is unlocked, OPPO implemented checks in order to fully screw you up - if the fastboot mode isn't "unlocked" then the phone will just reboot.

I was so fed up that I started reverse engineering the bootloader, and because the bootloader was unlocked and we have SP Flash bypass (sort of like EDL) I could flash the new bootloader and then have a fully unlocked MTK phone.

I don't have a Snapdragon phone. And even if I had one, step one fails. There'd be no exploit for unlocking the bootloader on snap devices.

Just saying the process to let you know that even if you manage to unlock the bootloader - there'll still be a lot of challenges to unlocking fastboot

P.S: when you unlock the bootloader, OPPO removes recovery mode (at least on devices that were "forcefully" unlocked) I'm working on enabling that too, but it's proving to be temperamental. I might help with reverse engineering if you need me. Just tag me.
 

User154

Senior Member
> On MediaTek devices that are exploitable with MtkClient you can unlock the bootloader via MtkClient, but then the recovery mode key combo changes to fastboot, BUT the fastboot boot mode still stays locked. This is presumably unlocked with the FastbootUnlock command, but can also be unlocked with a bootloader patch (look at my Reno Z thing)
> Sadly none of this applies to Snapdragon devices ;( Could however be useful for MTK.

Total side note, do mtk devices have fastboot nowadays??

They never used to, I had an mtk as a f**k around phone a few years ago and there was no fastboot, only the mtk preloader which you accessed through sp tools
 

melontini

Senior Member
May 14, 2023
70
8
POCO M3
Realme 8 Pro
> So Oppo uses the same verification method as realme?
> If yes, as you said, if secure boot is disabled it will skip fastboot verify. Is there any way to disable this secure boot? And has anyone tried looking into the engineer menu? Maybe there is an option to disable secure boot.
I know that this is a fact, but I just wanted to give some more references:

Qualcomm's secure boot state is stored via QFUSE, which is a "Microscopic hardware fuse that is integrated into the SoC - Once physically blown, impossible to reset or replace"

"Qualcomm devices all use fuse based logic to dictate permanent feature configurations/cryptographic key sets. As stated above, the physical version of which is called a QFUSE, and is stored in a region on the SoC called QFPROM in rows.

If the QFUSE fuse row labeled Qualcomm Secure Boot is blown (which is such on non-Chinese/OnePlus devices), PBL (Qualcomm’s Primary Bootloader) is verified and loaded into memory from BootROM, a non-writable storage on the SoC. PBL is then executed and brings up a nominal amount of hardware, then verifies the signature of the next bootloader in the chain, loads it, then executes it."

 
> I know that this is a fact, but I just wanted to give some more references:
>
> Qualcomm's secure boot state is stored via QFUSE, which is a "Microscopic hardware fuse that is integrated into the SoC - Once physically blown, impossible to reset or replace"
>
> "Qualcomm devices all use fuse based logic to dictate permanent feature configurations/cryptographic key sets. As stated above, the physical version of which is called a QFUSE, and is stored in a region on the SoC called QFPROM in rows.
>
> If the QFUSE fuse row labeled Qualcomm Secure Boot is blown (which is such on non-Chinese/OnePlus devices), PBL (Qualcomm’s Primary Bootloader) is verified and loaded into memory from BootROM, a non-writable storage on the SoC. PBL is then executed and brings up a nominal amount of hardware, then verifies the signature of the next bootloader in the chain, loads it, then executes it."

In theory, would a glitch attack work to break the CoT? It's out of reach obviously but just curious.
 

User154

Senior Member
> Not really, there are countermeasures against voltage glitching in today's day
> I’m not into snapdragon. Don’t even own a working device with it. So I don’t know the SoC design well.

I think some of these have still been beaten though?

How come you're not into snapdragon, if you don't mind me asking? I've never been into mtk personally
 

Top Liked Posts

    Admin: Please move/delete this thread if it is in the wrong place or against the rules.

    I wanted to create a thread to discuss unlocking fastboot mode on Oppo devices in general, rather than discussing it in terms of any one device in particular. The reason is that there are currently little bits of information scattered here and there across various different device forums. I think it would be useful to have somewhere where we could pool our information on the subject.

    I will say at this point, I'm not sure what progress can be made, but I do think we could answer some of each other's questions and build a bigger picture of what is going on.

    One question I have for example, that I know someone out there will know, or be able to test, is if you have enabled engineer mode with the sec5 app, or otherwise, are you then able to invoke methods from the 'android.engineer.OplusEngineerManager' class without getting an selinux error?

    I have decompiled the deeptesting app and looked through the sources a little and found the method that unlocks fastboot mode. Its signature is as follows:

    fastbootUnlock(byte[] bArr, int i)

    The byte array is essentially formed as follows:

    a string is split into pairs of characters,
    each pair is a hex code that is converted to an int,
    the byte value of each of these integers is then stored in a byte array.

    The int that the fastbootUnlock method takes is simply the length of the byte array.

    I have a find x3 pro and have hit a bit of a brick wall in testing in that I cannot invoke methods from the 'android.engineer.OplusEngineerManager' class; however, I do suspect that with engineer mode enabled it may be possible to invoke methods from this class.

    If you have any information you feel may be relevant, any questions, or even just want to say hello, do not hesitate to post 🙂
    So, no major breakthroughs to report but some stuff that may be of use to people.

    After hitting a bit of a brick wall disassembling the deeptesting and engineermode apks I have turned my attention to the system.

    Both these apks rely on custom services implemented by oppo (Although most files relating to them have oplus in the name)

    After loading up one of the service files '[email protected]' in ida I think I can see that the key required to unlock fastboot mode is stored on the odm partition in /odm/etc/DownloadModeKey/ (This is a little over my head but I can see multiple references to this)

    Also I have found an xml with a list of mmi codes, I don't know how much use it will be to anyone, but there are a couple in there that I don't believe have been documented elsewhere, so I will upload it here
    I did some very cursory reverse-engineering of the deeptest app and basically came to the conclusion that it depends on the response from Oppo's servers. In a properly designed system (which the original Danger hiptop/T-Mobile Sidekick implemented) there's an unlock entitlement cryptographically signed by the OEM. I *assume* that's the case here, but I don't know for sure.
    Hi! I'm trying a different approach, to spoof the device model so that the deep test.apk will do its thing.
    I have the realme gt 2 (EU) RMX3311 that can't be unlocked but the Indian version (RMX3312) can be unlocked. Some guys managed to change the region of the RMX3311 to India and the deep test apk allowed the bootloader to be unlocked. So, from what I've read, deep test reads build.prop and if it finds the right model it communicates with realme backend to receive the unlock code, and everything works...
    Now I'm trying to find in the deep test apk when it reads the device model and change that code so it accepts whatever it finds :) The problem is I can't understand smali source code :))
    Small update:

    Decided to try and pull the DownloadModeKey from my Find X3 pro via adb, the operation was a success but sadly it just looks like an RSA public key so not much use.
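Two posts above describe concrete data formats: the first post's account of how the deeptesting app turns a hex string into the byte[] passed to fastbootUnlock(byte[] bArr, int i), and the later report that the DownloadModeKey pulled from /odm/etc/DownloadModeKey/ "just looks like an RSA public key". The script below is an added example written for this thread; it is not code from the thread, from the deeptesting app, or from any OPLUS tool. It reimplements the pair-wise hex-to-byte conversion as described (with the length that the int argument carries), then runs a minimal DER parser over the result to decide whether the bytes are a SubjectPublicKeyInfo carrying an RSA public key and, if so, reports the modulus size and exponent. All function names are this example's own, and the sample key is constructed in-line from a toy 2048-bit modulus rather than taken from any device.

```python
"""Decode a hex-encoded unlock key and check whether it is an RSA public key.

Added example for this thread (not the deeptesting app's or any OPLUS tool's
code).  Assumed names: hex_pairs_to_bytes, rsa_public_key_info, inspect_hex_key.
The sample key is constructed here with a toy modulus, not pulled from a phone.
"""
import string
from typing import Dict, List, Optional, Tuple


def hex_pairs_to_bytes(text: str) -> Tuple[bytes, int]:
    """Split the string into character pairs, parse each pair as a hex int and
    keep its byte value; return (array, length) since the unlock call takes both."""
    text = text.strip()
    if len(text) % 2:
        raise ValueError("hex string must have an even number of characters")
    out = bytearray()
    for i in range(0, len(text), 2):
        pair = text[i:i + 2]
        if not all(c in string.hexdigits for c in pair):
            raise ValueError(f"not a hex pair at offset {i}: {pair!r}")
        out.append(int(pair, 16))
    return bytes(out), len(out)


def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Parse the consecutive TLVs inside a constructed (SEQUENCE) value."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        items.append((tag, val))
    return items


RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def rsa_public_key_info(data: bytes) -> Optional[Dict[str, int]]:
    """Return {'modulus_bits', 'exponent'} if data is a DER SubjectPublicKeyInfo
    for an RSA public key, else None (malformed, truncated, or some other blob)."""
    try:
        tag, spki, end = der_read(data, 0)
        if tag != 0x30 or end != len(data):
            return None
        (atag, alg), (btag, bits) = der_children(spki)
        (otag, oid), _null = der_children(alg)
        if (atag, btag, otag) != (0x30, 0x03, 0x06) or oid != RSA_OID or bits[0] != 0:
            return None
        ktag, rsakey, _ = der_read(bits, 1)  # skip the BIT STRING unused-bits octet
        (ntag, n), (etag, e) = der_children(rsakey)
        if ktag != 0x30 or ntag != 0x02 or etag != 0x02:
            return None
        return {"modulus_bits": int.from_bytes(n, "big").bit_length(),
                "exponent": int.from_bytes(e, "big")}
    except (IndexError, ValueError):  # any structural mismatch means "not an RSA SPKI"
        return None


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV, using the long length form when needed (sample data only)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(n: int) -> bytes:
    """Encode a non-negative INTEGER, padding with 0x00 if the top bit is set."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return der_tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def build_sample_spki(modulus: int, exponent: int) -> bytes:
    """Construct a SubjectPublicKeyInfo for a toy RSA key (constructed sample)."""
    rsa_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key))


# Constructed sample: a 2048-bit toy modulus, not a key from any device.
SAMPLE_KEY_HEX = build_sample_spki((1 << 2047) + 12345, 65537).hex()


def inspect_hex_key(hex_text: str):
    """Decode the hex string the way the app does, then classify the bytes."""
    data, length = hex_pairs_to_bytes(hex_text)
    return length, rsa_public_key_info(data)


if __name__ == "__main__":
    print(inspect_hex_key(SAMPLE_KEY_HEX))
```

Running it on a real dump is a matter of passing the pulled file's hex to `inspect_hex_key`. The point the parser makes is the same one the post draws: a SubjectPublicKeyInfo contains only the public half, so holding it lets the device check a signature but produces nothing that would satisfy that check.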