How To Guide [EU model] Unlock bootloader of European model


Rapper_skull

Senior Member
Apr 21, 2011
390
209
Naples
Xiaomi Mi Mix 2S
Realme GT 2 Pro
Be sure not to update the system after first boot. Unlock the bootloader and then update.
It depends on the version that comes preinstalled. If it's lower than A.14 it will probably not work. Considering that the latest version is A.17 and it should still be vulnerable, there's no worry, since it's always possible to downgrade to A.14 with the Android 13 rollback package.
 

hill67

Senior Member
Dec 29, 2010
272
24
Hey guys. So let me get this right.
If I buy a GT2 Pro in Europe I can for sure unlock it with this guide? I live in the Netherlands.
Please let us know if you succeeded in unlocking the bootloader. I am also living in the Netherlands and am also interested in unlocking the bootloader and rooting the phone.
 

zwenneke

Senior Member
Sep 8, 2010
90
17
OnePlus 6
OPPO Find X2 Pro
Please let us know if you succeeded in unlocking the bootloader. I am also living in the Netherlands and am also interested in unlocking the bootloader and rooting the phone.
I will. But still not sure if I should get it or not. I would love to unlock and root it but if it doesn't work then I'm stuck for 2 years with a phone I can't root. Plus no development at the moment.
 

Rapper_skull

I will. But still not sure if I should get it or not. I would love to unlock and root it but if it doesn't work then I'm stuck for 2 years with a phone I can't root. Plus no development at the moment.
As far as the procedure goes, I'm 99% sure it will work on the phone you will find in the Netherlands. I bought mine in Italy and I'm pretty sure it's the same device in EU, EEA, UK and Switzerland. The problem is that Realme could always block the Deep Testing app by checking the serial number server side and matching it to the European models. Honestly, I don't think they care that much.
 

zwenneke

As far as the procedure goes, I'm 99% sure it will work on the phone you will find in the Netherlands. I bought mine in Italy and I'm pretty sure it's the same device in EU, EEA, UK and Switzerland. The problem is that Realme could always block the Deep Testing app by checking the serial number server side and matching it to the European models. Honestly, I don't think they care that much.
Cool. I think I will order it then. I've also got 30 days to return it. So I can try it out and if it doesn't work I send it back. I read there's no way to unbrick the phone at the moment?
 

Rapper_skull

Cool. I think I will order it then. I've also got 30 days to return it. So I can try it out and if it doesn't work I send it back. I read there's no way to unbrick the phone at the moment?
If the bootloader is unlocked, you can always unbrick it, unless you mess up the bootloader itself. Otherwise there are people selling access to MSM Download Tool for reasonable prices. A free and open source alternative would be much better, but as I understand the communication between the tool and the phone is encrypted.
 

Quake94

Senior Member
Jan 24, 2009
65
17
Yeah, I'm not knowledgeable enough to do that just yet.

Anyone know if the A.17 boot.img for the export version was changed from the A.14 version posted here earlier?

Or better yet, does anyone have a copy of the A.17 boot.img?
I compared the MD5 checksums between A.16 and A.17 and the boot.img files are different; however, this method of checking may not be conclusive. The A.17 global boot.img is posted in another thread.
 

GIutton

Senior Member
Dec 26, 2021
64
11
OnePlus 8T
Samsung Galaxy S21 FE
I compared the MD5 checksums between A.16 and A.17 and the boot.img files are different; however, this method of checking may not be conclusive. The A.17 global boot.img is posted in another thread.
Well maybe you or someone else can tell me if this process I tried should work or not.
I took the boot.img posted in this thread by Rapper_Skull and patched it with Magisk, then used "fastboot boot magisk_patched-25200.img" to boot the phone with it, which seems to have worked, and that gave me temporary root access to accomplish the following step. Next, I used "adb shell getprop ro.boot.slot_suffix" to find that my active slot is _a and then used "adb shell su -c dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img" to pull a copy of the boot image from that slot, which should be from my current OTA A.17, correct? I also took one from the inactive _b slot, which should be the previous OTA A.16, and they were both the exact same size at 192MB. I then patched the _a boot.img with Magisk and that seemed to work, but I have not tried booting into it yet. My main concern here is that the boot.img posted in this thread was only 50MB but the one I pulled from the phone is much larger at 192MB, so did I do something wrong here? Would it still be safe to try booting into the Magisk-patched boot image I pulled from the active slot?
 

Quake94

Well maybe you or someone else can tell me if this process I tried should work or not.
I took the boot.img posted in this thread by Rapper_Skull and patched it with Magisk, then used "fastboot boot magisk_patched-25200.img" to boot the phone with it, which seems to have worked, and that gave me temporary root access to accomplish the following step. Next, I used "adb shell getprop ro.boot.slot_suffix" to find that my active slot is _a and then used "adb shell su -c dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img" to pull a copy of the boot image from that slot, which should be from my current OTA A.17, correct? I also took one from the inactive _b slot, which should be the previous OTA A.16, and they were both the exact same size at 192MB. I then patched the _a boot.img with Magisk and that seemed to work, but I have not tried booting into it yet. My main concern here is that the boot.img posted in this thread was only 50MB but the one I pulled from the phone is much larger at 192MB, so did I do something wrong here? Would it still be safe to try booting into the Magisk-patched boot image I pulled from the active slot?
Hmm... wouldn't running "adb shell su -c dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img" pull the magisk_patched-25200.img from slot A since it is the active partition? Maybe pull boot_b instead. Or double check how the fastboot boot command works.
Also, if the phone boots successfully using magisk_patched-25200.img, maybe that is good enough to flash...
A surefire method is extracting boot.img directly from firmware release or OTA update file but you probably know that already.
 

GIutton

Hmm... wouldn't running "adb shell su -c dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img" pull the magisk_patched-25200.img from slot A since it is the active partition? Maybe pull boot_b instead. Or double check how the fastboot boot command works.
Also, if the phone boots successfully using magisk_patched-25200.img, maybe that is good enough to flash...
A surefire method is extracting boot.img directly from firmware release or OTA update file but you probably know that already.
Right, I just can't find the A.17 OTA anywhere and keep getting an error when I try to use the beta or rollback package to get the phone back to an OTA version that I have access to download.

I thought, but definitely could be wrong, that "fastboot boot magisk-patched_25200.img" would boot the phone using the patched boot image I saved to the PC and leave the boot image in the active slot unchanged for me to pull. But if I am right about "fastboot boot" I shouldn't have to pull a copy anyway since I could just do a "direct install" from the magisk app which would patch the A.17 active slot boot image?
 

Rapper_skull

Right, I just can't find the A.17 OTA anywhere and keep getting an error when I try to use the beta or rollback package to get the phone back to an OTA version that I have access to download.

I thought, but definitely could be wrong, that "fastboot boot magisk-patched_25200.img" would boot the phone using the patched boot image I saved to the PC and leave the boot image in the active slot unchanged for me to pull. But if I am right about "fastboot boot" I shouldn't have to pull a copy anyway since I could just do a "direct install" from the magisk app which would patch the A.17 active slot boot image?
Exactly. Once you boot your patched boot.img you can use Magisk to direct install. BTW this is the global A.17 firmware.
 

GIutton

The boot partition is not filled to the max of course, so the boot.img extracted from the firmware files is smaller than the partition size (192 MB). When you dd, you copy the entire partition, including any empty space.
Oh okay that makes sense.

Maybe you can answer this cuz I can't find one anywhere but when trying to do the dd command I messed up and idk if it did something I should be worried about. I typed "adb shell su dd" then I accidentally hit enter so then I thought I could just type "exit" and hit enter to back out but that didn't work and honestly idk what it did. I searched and found that I should have done "ctrl + c" to back out and that's what I did. Everything seems fine but people call dd "disk destroyer" which doesn't sound too good lol.
 

Rapper_skull

Oh okay that makes sense.

Maybe you can answer this cuz I can't find one anywhere but when trying to do the dd command I messed up and idk if it did something I should be worried about. I typed "adb shell su dd" then I accidentally hit enter so then I thought I could just type "exit" and hit enter to back out but that didn't work and honestly idk what it did. I searched and found that I should have done "ctrl + c" to back out and that's what I did. Everything seems fine but people call dd "disk destroyer" which doesn't sound too good lol.
Don't worry, you didn't destroy anything.
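
Added example, not part of any post in this thread: the posts above note that an MD5 comparison of boot images "may not be conclusive" and that a dd dump is the full 192 MB partition while the firmware boot.img is smaller. The sketch below reads the sizes declared in the Android boot image header (AOSP layout, header versions 0 to 4) and hashes only that declared payload, so a partition dump and a firmware file can be compared like for like. Function names and the sample images are constructed for illustration, and data after the declared payload (for example an AVB footer) is assumed to be ignored.

```python
import hashlib
import struct

MAGIC = b"ANDROID!"

def _pages(size, page):
    return (size + page - 1) // page * page  # round up to whole pages

def boot_payload_len(img: bytes) -> int:
    """Bytes the header declares: header page plus page-padded sections."""
    if len(img) < 2048 or img[:8] != MAGIC:
        raise ValueError("not an Android boot image")
    version = struct.unpack_from("<I", img, 40)[0]
    if version >= 3:  # v3/v4: fixed 4096-byte pages
        kernel, ramdisk = struct.unpack_from("<II", img, 8)
        sig = struct.unpack_from("<I", img, 1580)[0] if version >= 4 else 0
        page, parts = 4096, (kernel, ramdisk, sig)
    else:  # v0-v2: page size is stored in the header
        kernel, _, ramdisk, _, second, _, _, page = struct.unpack_from("<8I", img, 8)
        dtbo = struct.unpack_from("<I", img, 1632)[0] if version >= 1 else 0
        dtb = struct.unpack_from("<I", img, 1648)[0] if version == 2 else 0
        parts = (kernel, ramdisk, second, dtbo, dtb)
    if page == 0:
        raise ValueError("corrupt header: page size 0")
    total = page + sum(_pages(s, page) for s in parts)
    if total > len(img):
        raise ValueError("header declares more data than the file holds")
    return total

def payload_sha256(img: bytes) -> str:
    """Hash only the declared payload, ignoring trailing partition padding."""
    return hashlib.sha256(img[:boot_payload_len(img)]).hexdigest()

def make_sample(kernel: bytes, ramdisk: bytes, pad_to: int = 0) -> bytes:
    """Constructed v3 image for the demo; not a real device image."""
    hdr = bytearray(4096)
    hdr[:8] = MAGIC
    struct.pack_into("<II", hdr, 8, len(kernel), len(ramdisk))
    struct.pack_into("<I", hdr, 40, 3)  # header_version
    body = bytes(hdr)
    for part in (kernel, ramdisk):
        body += part + b"\0" * (_pages(len(part), 4096) - len(part))
    return body + b"\0" * max(0, pad_to - len(body))

if __name__ == "__main__":
    fw = make_sample(b"K" * 5000, b"R" * 300)            # like a firmware boot.img
    dump = make_sample(b"K" * 5000, b"R" * 300, 196608)  # like a dd partition dump
    print(hashlib.md5(fw).hexdigest() == hashlib.md5(dump).hexdigest())  # False
    print(payload_sha256(fw) == payload_sha256(dump))                    # True
```

A whole-file hash differs between the two files purely because of the padding, while the payload hash matches; a payload hash that differs means the kernel or ramdisk content itself changed.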
 

Top Liked Posts

  • 8
    As you may know, at the time of writing it's not possible to unlock the bootloader of the European model. Fortunately there's a workaround. To know how it works, scroll to the end of the post.

    First of all, this is only for the European RMX3301, but you can try on any other global model that doesn't allow the unlocking of the bootloader. I'm not talking about temporary errors, but of the infamous "This phone model does not support deep testing" error message.

    Before starting I would like to thank polygraphene for their implementation of the Dirty Pipe vulnerability on Android. Without that, this would not have been possible.

    Requirements:

    • The phone with a decent charge. Do not attempt this procedure with the phone at 10% and then cry if something goes wrong
    • A compatible build, read below
    • A Windows or Linux PC with adb and fastboot drivers installed

    Check if your build is compatible:

    • Go to Settings -> About device -> Version and check Build number:
      • If your build is between RMX3301_11_A.14 and RMX3301_11_A.19, go to the procedure below
      • If your build is lower than RMX3301_11_A.14, or higher than RMX3301_11_A.19, install this OTA package to downgrade (or upgrade) to RMX3301_11_A.14

    Procedure:

    1. Make sure under Developer options you have OEM unlocking and USB debugging enabled
    2. Download and extract the attached gt2pro_eu_unlock_dirtypipe_v0.2.zip file
    3. Open a terminal in the folder of the extracted files
    4. Connect the phone to the PC and select the File transfer option
    5. Run the script:
      • On Windows, type run.bat and press enter
      • On Linux, type ./run.sh and press enter
    6. Now the phone is temporarily rooted and the phone model is changed to RMX3301. Do not reboot or you will lose this status.
    • At this point you can follow the procedure on the official forum to unlock the bootloader of the global model. If you already have the Deeptesting app installed, clear its data to make sure it will update.

    Changelog:

    v0.2:
    • Show more info about device for better debug
    • Show the model at the end to check if it worked

    For technical people: how does it work?

    The script abuses a vulnerability of the Linux kernel called Dirty Pipe (or CVE-2022-0847). For further details, you can visit the official website. This allows us to gain temporary root and overwrite the ro.product.name property, the only one checked by the Deeptesting app. The vulnerability is present in Android and it has been fixed, at least for the Pixel 6, in the May 2022 security update. At the time of writing, the latest build for the GT2 Pro is RMX3301_11_A.19, and it's still vulnerable. I have tested the procedure personally up to build RMX3301_11_A.16. If you're on a newer build and it doesn't work, please report it in the comments.

    If you have further questions about the procedure, please post them below.
    3
    I attached a new version of the script to the OP. This new version shows more info to better debug problems, and waits 30 seconds before getting the model again to show if everything worked.
    2
    I wonder if we can use this temporary root to do some modifications on system.
    Theoretically you can do everything you can do on a rooted phone (Magisk, but without modules and Zygisk). In practice I never got Magisk to work properly, so I just limited myself to change the property. My goal was to unlock the bootloader, so I did it and installed Magisk.
    1
    When you try the procedure... delete all data of phone? When finish ---- type run.bat and press enter ---- erase all?
    My procedure will not delete any data, but after that you have to follow the official procedure to unlock the bootloader, and that will factory reset your phone.
    1
    What the future with SafetyNe... Finish custom ROMs? I can unlock the bootloader but then change Android with safe and problem with all app bank and no accept root... What you say?

    Other question... What app for back up use before unlock bootloader?
    It's better if you ask these questions in a more relevant thread. For now there's no custom ROM available for the GT2 Pro, and for SafetyNet you can use https://github.com/kdrag0n/safetynet-fix/