How To Guide [EU model] Unlock bootloader of European model


Rapper_skull

Senior Member
Apr 21, 2011
351
196
Naples
Xiaomi Mi Mix 2S
Realme GT 2 Pro
As you may know, at the time of writing it's not possible to unlock the bootloader of the European model. Fortunately there's a workaround. To know how it works, scroll to the end of the post.

First of all, this is only for the European RMX3301, but you can try on any other global model that doesn't allow the unlocking of the bootloader. I'm not talking about temporary errors, but of the infamous "This phone model does not support deep testing" error message.

Before starting I would like to thank polygraphene for their implementation of the Dirty Pipe vulnerability on Android. Without that, this would not have been possible.

Requirements:

  • The phone with a decent charge. Do not attempt this procedure with the phone at 10% and then cry if something goes wrong
  • A compatible build, read below
  • A Windows or Linux PC with adb and fastboot drivers installed

Check if your build is compatible:

  • Go to Settings -> About device -> Version and check Build number:
    • If your build is between RMX3301_11_A.14 and RMX3301_11_A.18, go to the procedure below
    • If your build is lower than RMX3301_11_A.14, or higher than RMX3301_11_A.18, install this OTA package to downgrade (or upgrade) to RMX3301_11_A.14

Procedure:

  1. Make sure under Developer options you have OEM unlocking and USB debugging enabled
  2. Download and extract the attached gt2pro_eu_unlock_dirtypipe_v0.2.zip file
  3. Open a terminal in the folder of the extracted files
  4. Connect the phone to the PC and select the File transfer option
  5. Run the script:
    • On Windows, type run.bat and press enter
    • On Linux, type ./run.sh and press enter
  6. Now the phone is temporarily rooted and the phone model is changed to RMX3301. Do not reboot or you will lose this status.
At this point you can follow the procedure on the official forum to unlock the bootloader of the global model. If you already have the Deeptesting app installed, clear its data to make sure it will update.

Changelog:

v0.2:
  • Show more info about device for better debug
  • Show the model at the end to check if it worked

For technical people: how does it work?

The script abuses a vulnerability of the Linux kernel called Dirty Pipe (or CVE-2022-0847). For further details, you can visit the official website. This allows us to gain temporary root and overwrite the ro.product.name property, the only one checked by the Deeptesting app. The vulnerability is present in Android and it has been fixed, at least for the Pixel 6, in the May 2022 security update. At the time of writing, the latest build for the GT2 Pro is RMX3301_11_A.18, and it's still vulnerable. I have tested the procedure personally up to build RMX3301_11_A.16. If you're on a newer build and it doesn't work, please report it in the comments.

If you have further questions about the procedure, please post them below.
 

Attachments

  • gt2pro_eu_unlock_dirtypipe_v0.2.zip
    1.4 MB · Views: 244
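
For anyone auditing devices rather than unlocking them, the exposure described in the post above can be triaged from `adb shell getprop` output and the kernel release string. This is an added example, not part of the original post or its attached script; the version bounds are the upstream ones for CVE-2022-0847, while the `patched_spl` default and all sample values are assumptions.

```python
import re

# Upstream kernel.org facts for CVE-2022-0847 (Dirty Pipe).
INTRODUCED = (5, 8)                               # bug entered mainline in 5.8
FIXED = {(5, 10): 102, (5, 15): 25, (5, 16): 11}  # first fixed stable releases

def parse_getprop(text):
    """Parse `adb shell getprop` output ('[key]: [value]' per line) into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[(.*)\]\s*$", text, re.M))

def kernel_in_window(release):
    """True/False if the upstream version is in the vulnerable window, None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    branch = (major, minor)
    if branch < INTRODUCED or branch > max(FIXED):
        return False
    # Branches without an entry (5.8, 5.9, 5.11-5.14) went end-of-life unfixed.
    return patch < FIXED.get(branch, float("inf"))

def triage(getprop_text, uname_r, patched_spl="2022-05"):
    """patched_spl is an assumption: the month the post says the Pixel 6 got the fix."""
    props = parse_getprop(getprop_text)
    spl = props.get("ro.build.version.security_patch", "")
    window = kernel_in_window(uname_r)
    if window is None or not re.fullmatch(r"\d{4}-\d{2}-\d{2}", spl):
        return "unknown"
    if not window:
        return "not-affected"
    # Vendors backport fixes without bumping the kernel version, so the patch
    # level decides; a recent level still needs confirming with the vendor.
    return "check-vendor-bulletin" if spl[:7] >= patched_spl else "exposed"

# Constructed sample input (not captured from a real device).
SAMPLE = """\
[ro.build.version.security_patch]: [2022-03-05]
[ro.product.name]: [EXAMPLE_NAME]
"""

if __name__ == "__main__":
    print(triage(SAMPLE, "5.10.66-android12-9-example"))
```
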

manu81cba

Member
Nov 15, 2021
36
0
As you may know, at the time of writing it's not possible to unlock the bootloader of the European model. Fortunately there's a workaround. To know how it works, scroll to the end of the post.

First of all, this is only for the European RMX3301, but you can try on any other global model that doesn't allow the unlocking of the bootloader. I'm not talking about temporary errors, but of the infamous "This phone model does not support deep testing" error message.

Before starting I would like to thank polygraphene for their implementation of the Dirty Pipe vulnerability on Android. Without that, this would not have been possible.

Requirements:
  • The phone with a decent charge. Do not attempt this procedure with the phone at 10% and then cry if something goes wrong
  • A compatible build, read below
  • A Windows or Linux PC with adb and fastboot drivers installed
Check if your build is compatible:
  • Go to Settings -> About device -> Version and check Build number:
    • If your build is RMX3301_11_A.14, RMX3301_11_A.15 or RMX3301_11_A.16, go to the procedure below
    • If your build is lower than RMX3301_11_A.14, or higher than RMX3301_11_A.16, install this OTA package to downgrade (or upgrade) to RMX3301_11_A.14
Procedure:
  1. Make sure under Developer options you have OEM unlocking and USB debugging enabled
  2. Download and extract the attached gt2pro_eu_unlock_dirtypipe.zip file
  3. Open a terminal in the folder of the extracted files
  4. Connect the phone to the PC and select the File transfer option
  5. Run the script:
    • On Windows, type run.bat and press enter
    • On Linux, type ./run.sh and press enter
  6. Now the phone is temporarily rooted and the phone model is changed to RMX3301. Do not reboot or you will lose this status.
At this point you can follow the procedure on the official forum to unlock the bootloader of the global model. If you already have the Deeptesting app installed, clear its data to make sure it will update.

For technical people: how does it work?
The script abuses a vulnerability of the Linux kernel called Dirty Pipe (or CVE-2022-0847). For further details, you can visit the official website. This allows us to gain temporary root and overwrite the ro.product.name property, the only one checked by the Deeptesting app. The vulnerability is present in Android and it has been fixed, at least for the Pixel 6, in the May 2022 security update. At the time of writing, the latest build for the GT2 Pro is RMX3301_11_A.16, and it's still vulnerable.

If you have further questions about the procedure, please post them below.
When you try the procedure... delete all data of phone? When finished ---- type run.bat and press enter ---- erase all?
 

Rapper_skull

I wonder if we can use this temporary root to do some modifications on system.
Theoretically you can do everything you can do on a rooted phone (Magisk, but without modules and Zygisk). In practice I never got Magisk to work properly, so I just limited myself to change the property. My goal was to unlock the bootloader, so I did it and installed Magisk.
 

manu81cba

error.jpg


I have this error... why?
 

Rapper_skull

Working now?
Is rooting temporary? Can I modify build.prop? Or is this process only for changing the model property?
No, you can't modify any files, since /system is read-only. Even if you manage to do it, you will brick your device since the bootloader is still locked. If you want to unlock your bootloader, follow the official guide I've linked.
 

Top Liked Posts

  • 1
    Oh okay that makes sense.

    Maybe you can answer this cuz I can't find one anywhere but when trying to do the dd command I messed up and idk if it did something I should be worried about. I typed "adb shell su dd" then I accidentally hit enter so then I thought I could just type "exit" and hit enter to back out but that didn't work and honestly idk what it did. I searched and found that I should have done "ctrl + c" to back out and that's what I did. Everything seems fine but people call dd "disk destroyer" which doesn't sound too good lol.
    Don't worry you didn't destroy anything.
    1
    Hello, rooting noob here, interested in buying the gt 2 pro soon. Does this still work to this day? Once the bootloader is unlocked, is it permanent meaning you can also root the phone for as much as you want. About the kernel sources, do you think realme will publish them leaving space for custom roms?
    Edit: Discussing with a friend I have found this, so those should be the kernel sources right? https://github.com/realme-kernel-opensource/realme_GT2pro-AndroidS-kernel-source
    Yes, that's the kernel source. As for the method, it sure works on the device side. I don't know if Realme changed something server side, but I don't think so.
    1
    I was wondering if you could make a mirror of the latest ota unpatched package in case realme shuts the link down, especially for people who come later
    I have it offline. When I have the time, I will upload it somewhere.
    3
    I attached a new version of the script to the OP. This new version shows more info to better debug problems, and waits 30 seconds before getting the model again to show if everything worked.
    1
    When you try the procedure... delete all data of phone? When finished ---- type run.bat and press enter ---- erase all?
    My procedure will not delete any data, but after that you have to follow the official procedure to unlock the bootloader, and that will factory reset your phone.
    1
    What the future with SafetyNe... Finish custom roms? I can unlock the bootloader but then change android with safe and problem with all app bank and no accept root... What you say?

    Other question... What app for back up use before unlock bootloader?
    It's better if you ask these questions in a more relevant thread. For now there's no custom rom available for the GT2 Pro, and for SafetyNet you can use https://github.com/kdrag0n/safetynet-fix/