Someone already asked, but unfortunately the GT 2 kernel version on Android 12 is older and not vulnerable. I don't know about Android 13, but I don't think something changed.
How To Guide [EU model] Unlock bootloader of European model
- Thread starter Rapper_skull
- Start date
Maybe it has other vulnerabilities, but DirtyPipe was introduced in Linux in version 5.8. The GT 2 uses kernel version 4.19.
5.4 but still older then 5.8.
Attachments
Someone posted the procedure to update without losing root. In a nutshell you have to restore images from Magisk, apply the update without tapping "Install" when asked, install Magisk to the inactive slot, NOT reboot, go to the installer again and tap "Install".
The "magisk" directory was not copied to the device. Please make sure it's in the same folder as "run.bat" and update adb to the latest version.
D:\Programas\Android\ADB>run
Android Debug Bridge version 1.0.41
Version 33.0.3-8952118
Installed as D:\Programas\Android\ADB\adb.exe
Device info:
ro.build.product = RMX3301
ro.product.name = RMX3301EEA
ro.build.oplus_nv_id = 01000100
ro.build.display.full_id = RMX3301GDPR_11_A.21_2022092223360000
ro.build.fingerprint = realme/RMX3301EEA/RED8ACL1:12/SKQ1.211019.001/S.GDPR.202209222223:user/release-keys
dirtypipe-android: 1 file pushed, 0 skipped. 27.0 MB/s (46184 bytes in 0.002s)
env-patcher: 1 file pushed, 0 skipped. 14.2 MB/s (13224 bytes in 0.001s)
startup-root: 1 file pushed, 0 skipped. 6.9 MB/s (4977 bytes in 0.001s)
magisk/: 3 files pushed, 0 skipped. 30.0 MB/s (2807528 bytes in 0.089s)
6 files pushed, 0 skipped. 26.3 MB/s (2871913 bytes in 0.104s)
Failed to set property 'a' to 'a'.
See dmesg for error reason.
Ignore device info.
Device version: Product=RMX3301 Fingerprint=realme/RMX3301EEA/RED8ACL1:12/SKQ1.211019.001/S.GDPR.202209222223:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: a9be7bfd
Empty space size: 2096 bytes
Run index: 1
Stage1 debug filename: /dev/.dirtypipe-0001
Shell code size: 344 0x158 bytes
startup script: /data/local/tmp/startup-root
It worked!
Waiting 30 seconds before checking if it worked...
Waiting for 0 seconds, press CTRL+C to quit ...
ro.product.name = RMX3301
Press any key to continue . . .
Yeah, my bad, now i did it right.
Now, it's on Application submitted screen...but it's taking a long time....i'm waiting for more than 2 hrs
Many thanks, mate, it's unlock now...i think, lol... it was a little weird...
On the apk unlock tool i,ve clicked on the "Query Verification Status", and the app went almost immediately to the START INTERFACE , there i was able to enter via ADB the fastboot flashing unlock where it shows the 2 options: not unlock the bootloader OR lock...after i choosed Unlock, appear something wrtitten in Chinese, then the phone rebooted itself....
How can i see if it's unlocked?
If you start the phone holding the volume up button, you can get in fastboot and see the status.
Using adb reboot bootloader....showing it's unlocked...many thanks, mate
Last edited:
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
1
1. There will be no rollback to version A.21 directly. Rollback is up to version A.14.
2. Yes
3. Yes
Edit:
Maybe you don't need Rollback, I have Deep Testing for RUI 4.0 -
10As you may know, at the time of writing it's not possible to unlock the bootloader of the European model. Fortunately there's a workaround. To know how it works, scroll to the end of the post.
First of all, this is only for the European RMX3301, but you can try on any other global model that doesn't allow the unlocking of the bootloader. I'm not talking about temporary errors, but of the infamous This phone model does not support deep testing error message.
Before starting I would like to thank polygraphene for their implementation of the Dirty Pipe vulnerability on Android. Without that, this would not have been possible.
Requirements:
- The phone with a decent charge. Do not attempt this procedure with the phone at 10% and then cry if something goes wrong
- A compatible build, read below
- A Windows or Linux PC with adb and fastboot drivers installed
Check if your build is compatible:
- Go to Settings -> About device -> Version and check Build number:
- If your build is between RMX3301_11_A.14 and RMX3301_11_A.21, go to the procedure below
- If your build is lower than RMX3301_11_A.14, or higher than RMX3301_11_A.21, install this OTA package to downgrade (or upgrade) to RMX3301_11_A.14
Procedure:
- Make sure under Developer options you have OEM unlocking and USB debugging enabled
- Download and extract the attached gt2pro_eu_unlock_dirtypipe_v0.2.zip file
- Open a terminal in the folder of the extracted files
- Connect the phone to the PC and select the File transfer option
- Run the script:
- On Windows, type run.bat and press enter
- On Linux, type ./run.sh and press enter
- Now the phone is temporarily rooted and the phone model is changed to RMX3301. Do not reboot or you will lose this status.
- At this point you can follow the procedure on the official forum to unlock the bootloader of the global model. If you already have the Deeptesting app installed, clear its data to make sure it will update.
Changelog:
v0.2:
- Show more info about device for better debug
- Show the model at the end to check if it worked
For technical people: how does it work?
The script abuses a vulnerability of the Linux kernel called Dirty Pipe (or CVE-2022-0847). For further details, you can visit the official website. This allows us to gain temporary root and overwrite the ro.product.name property, the only one checked by the Deeptesting app. The vulnerability is present in Android and it has been fixed, at least for the Pixel 6, in the May 2022 security update. On the GT 2 Pro, the vulnerability has been fixed with the Android 13 update, while the latest Android 12 build (RMX3301_11_A.21) is still vulnerable. I have tested the procedure personally up to build RMX3301_11_A.16. If you're on a newer build and it doesn't work, please report it in the comments.
Will it work on device X?
If the following conditions are met:
- it is a Realme device;
- the kernel version is 5.10.66;
- there's a global model with a different ro.product.name that can be unlocked;
If you have further questions about the procedure, please post them below.3I attached a new version of the script to the OP. This new versions shows more info do better debug problems, and waits 30 seconds before getting the model again to show if everything worked.2
Theoretically you can do everything you can do on a rooted phone (Magisk, but without modules and Zygisk). In practice I never got Magisk to work properly, so I just limited myself to change the property. My goal was to unlock the bootloader, so I did it and installed Magisk.1
My procedure will not delete any data, but after that you have to follow the official procedure to unlock the bootloader, and that will factory reset your phone.1
It's better if you ask these questions in a more relevant thread. For now there's no custom rom available for the GT2 Pro, and for SafetyNet you can use https://github.com/kdrag0n/safetynet-fix/
New posts
-
Oneplus 8 pro - F.62 update and call recording- Latest: iulianteodor
-
-
