
Flash international ROM to Tmobile/Metro w/ locked bootloader


justencase6

Senior Member
Dec 29, 2007
147
25
No need for the token; I have found a way that should work on most OnePlus phones. All you need is the firehose pulled from the ops file to back up modemst1 and 2 through EDL mode. Once you have done this you can erase them with QFIL, then with a modded msmdownload the OEM unlock will no longer be grayed out. Always make a backup of modemst1 and st2. Also, it doesn't hurt to make a backup of oem_dycnvbk.bin; this is where the main copy of your IMEI is located, and it is encrypted.
 

jilebi

Senior Member
Dec 22, 2011
87
21
@justencase6 are you suggesting that with your method one can unlock bootloader on Tmobile/Metro variant without getting a token from Oneplus? If so, how exactly does that work? How does deleting the modemst1 and modemst2 partitions impact the bootloader status?
 

justencase6

Senior Member
Dec 29, 2007
147
25
This has been proven on the 7 Pro for T-Mobile; there is a flag in the safe/sfs of the EFS. All located in modemst1 and 2, same as the SIM lock. Doing this will ungray the OEM unlock in developer mode; you would still need a modded msmdownload for your model.
 

justencase6

Senior Member
Dec 29, 2007
147
25
Another way around the flag is with a developer build, if any for your model. The modem in it disregards the flag so it can be unlocked. I also have reversed the algorithm to generate the QR codes used to unlock the engineermode app. *#*#5646#*#* If you have any questions you can also find me on Telegram, user Ju5t3nc4s3
 

jilebi

Senior Member
Dec 22, 2011
87
21
This has been proven on the 7 Pro for T-Mobile; there is a flag in the safe/sfs of the EFS. All located in modemst1 and 2, same as the SIM lock.

Thanks for the explanation, @justencase6 !

Just to clarify, which flag are you referring to? Are you saying that the 'SIM unlock' flag is in the EFS or are you saying that the 'bootloader requires token to unlock' flag is in the EFS?

The former makes complete sense, since the EFS in modemst1 and modemst2 holds settings for the broadband processor. Wiping it out must have the system restore that information from the backup partitions, and the 'SIM Unlock' flag is reset. As a result the phone gets SIM unlocked, which in turn causes the 'OEM Unlocking' slider to become ungrey. But does this cause the 'bootloader requires token to unlock' flag also to be reset?

Alternately, is the 'bootloader requires token to unlock' flag in the bootloader and when one restores the patched OPS file from the international version, this 'bootloader requires token to unlock' flag is reset since the bootloader in the international version does not have this flag? If so, why go through the step of deleting the modemst1 and modemst2 partitions for 'SIM Unlock', when the debloat script above can anyway ungrey the "OEM Unlocking" slider?

I would appreciate your help in my understanding the processes and the reasons behind each of them. Thanks!
 

jilebi

Senior Member
Dec 22, 2011
87
21
Another way around the flag is with a developer build, if any for your model. The modem in it disregards the flag so it can be unlocked. I also have reversed the algorithm to generate the QR codes used to unlock the engineermode app. *#*#5646#*#* If you have any questions you can also find me on Telegram, user Ju5t3nc4s3

I see. Where does one get developer builds? I have seen the ROMs released by OP as well as the MSMDownload Tools, but I haven't seen any developer builds. Do you have a link to any of these developer builds for OP phones?
 

justencase6

Senior Member
Dec 29, 2007
147
25
Yes, when deleting the EFS the SIM lock is reset, but as of the OP7 and on they also have a key used to detect the SIM in the same place, so when deleted you cannot get the SIM to work again until the EFS is restored. The big problem with SIM lock now and why it has not been bypassed. The OEM unlock flag is the config partition, with the token; the very last bit is the flag showing the OEM switch is active.
 

jilebi

Senior Member
Dec 22, 2011
87
21

justencase6

Senior Member
Dec 29, 2007
147
25
There must be an app permission being used to gray out the switch, but erasing modemst1 and 2 does it also. Overall it looks to be they have it this way for multiple reasons to OEM unlock.
 

justencase6

Senior Member
Dec 29, 2007
147
25
You still need the matching token, unless you get a config from a developer's build or another ops that lets you OEM unlock; then it can be packed into your build and flashed with MSM.
 

Cruzg10

Member
Feb 22, 2019
11
0
Novice here when it comes to flashing OnePlus phones. I still have my rooted LG G2 as my daily driver.
I bought my mom and my son the N10 and N100 and I want to flash the international variants on both.
However, I am stuck on the "decrypt python3 etc" Windows requirements. I installed python3 v3.9.6 on Windows 10 21H2 but when I go to input the commands I get errors. In CMD I get "python3 not valid command something something"
and using both python3 terminals I get "syntax error". I am stuck. Any help would be greatly appreciated.
N10 5G = Tmobile Version BE2028
N100 = MetroPCS Version BE2015
 

CTH-EVO

Senior Member
@Cruzg10
Couple of things to check.
1) You should install Python 3.x as administrator
2) You should also run the script(s) as administrator
3) What's the top line of the script(s)?
If Python wasn't installed with a symlink/alias for a command python3, you'll need to revise the shebang to indicate what the python command is for your installed version.

HTH

--Chris
 

Top Liked Posts

  • 3
    I looked at his github code several months ago and it doesn't seem to be legitimate, more like fishing code.
    Like the code he claims to sim unlock, it actually just bypasses the setup security and has nothing to do with sim network unlock.

    tl;dr: bypassed metropcs sim unlock to ungrey oem unlock and got my unlock code for oneplus

    I tried his method, and it didn't work. Looking back I think I didn't follow the instructions properly.


    BUTTTTTT

    On his github it said his version was a fork of @w1nst0n_fr Universal ADB Debloater. So I tried that out.

    Ran the script, debloated using OnePlus.sh and Qualcomm.sh through the menu.

    Once complete rebooted the device and OEM UNLOCK WAS UNGREYED.

    I was able to toggle it on

    Rebooted into bootloader and ran "fastboot oem unlock" and received something about how I must enter the unlock code first (PROGRESS!)

    ran "fastboot oem get_unlock_code" and got the unlock code WITHOUT waiting 180 days on MetroPCS to Sim unlock.

    Not sure if it is actually sim unlocked as I do not know how to test it without swapping sim cards (any suggestions?)
    3
    For those asking for the T-Mobile variant to be uploaded. I have crap upload but am currently trying to upload the patched ops file to share. Once I get it uploaded I'll post it here for you all.
    2

    MAJOR UPDATE: Managed to flash Global stock rom to the MetroPCS variant


    Pros: Stock Oneplus and everything works
    Cons: OEM unlock is still greyed out

    Before you go any further:

    THERE IS NO ROOT FOR THIS DEVICE WITH A LOCKED BOOTLOADER (YET). THIS THREAD IS FOR THE DEVELOPMENT AND TESTING OF METHODS TO ACHIEVE THIS.

    Just got this device from MetroPCS this week and love this device. However I found out very quick that you have to be with MetroPCS for 180 days before you can get unlocked. To unlock the bootloader you have to be sim unlocked from the carrier.

    This thread will be for development of a working root process for others to offer perspective. Feel free to try to replicate at your own risk. If anyone is interested in these files/tools let me know and I will publish more links.


    Download international and metro ROM and MSM tool from these threads (thanks to @Some_Random_Username)

    International

    MetroPCS

    This download will include the latest MSM Download Tool

    The work around that I found does not need MSM to be patched

    TOOLS
    download and extract oppo decrypt master
    unpack and repack .OPS files for use with MSM Download Tool 4 .exe




    ----------------------------------------------------------------------------------------------------------------------------------------------

    Method

    ----------------------------------------------------------------------------------------------------------------------------------------------
    TL;DR:
    Extract the .ops file, open settings.xml replace the project ID, repack

    Set up:
    1. Download international zip and metro zip from above, extract into 2 separate folders and delete billie8t_14_O.01_201218.ops in the metro folder
    2. have adb installed
    3. Install python3 and prereqs for oppo decrypt master

    Extract .ops, edit and flash:
    1. unzip the zip file with the .ops file from both folders and move it to the folder with oppo decrypt
    2. run "python3 opscrypto.py decrypt billie8_14_O.01_210128.ops" (decrypt both .ops files from each firmware, the first one being the metro and get the /extract/settings.xml file and open it. we will need info from it)
    3. Now extract the international firmware with oppo decrypt and open the extract folder
    4. open "settings.xml" from both firmwares in your favorite editor
    5. Change the following in the international settings.xml: Project=20886 to Project=20885 and ModelVerifyRandom= (THESE NEED TO BE EXACTLY WHAT ARE IN THE METRO SETTINGS.XML file)
    6. Save the file
    7. run "python3 opscrypto.py encrypt extract". This will create a file called out.ops
    8. Once finished place out.ops into the metro firmware folder and rename to "billie8t_14_O.01_201218.ops"
    9. With your phone turned on, plug your phone into the computer
    10. Open MSMdownloadtoolv4.0.exe and press start
    11. Run "adb reboot edl"
    12. Your computer should recognize and start the download.
    13. Wait a while and it will reboot.



    Here are my working files for anyone who wants to tinker
    Includes MSMdownloadtools, modded OPS file and (edited settings.xml and patched recovery.img inside OPS)

    Updated downloads include:
    Decrypted Metro OPS (IMGs, BIN, etc)
    Metro to Global (OPS)
    Metro to Global w/ magisk patched recovery (ZIP)
    Google Drive - Updated 7/11/2021
    2
    I was able to flash the Global stock Oneplus rom using MSM download tools to the MetroPCS Nord N10 5G.

    BUT

    OEM unlock is still greyed out. Any ideas?

    also updated first post with how to replicate what I did to flash. This should work on any variant as long as you replace the project number to your own
    2
    You wanted it, you asked for it, here it is in its patched glory. I give you the modified N10 5G TMobile GLOBAL install file for the TMobile MSM tool.

    As the instructions in the OP, just drop this file in to a downloaded tmobile MSM tool, start the flash, and boot your device to EDL. Whole process took me approx. 5min 15sec start to boot.

    Modded file is HERE

    The file does NOT need to be renamed! For your own personal safety BACKUP YOUR ORIGINAL OPS FILE BEFORE MOVING THE MODDED FILE IN PLACE!

    If someone could mirror the file that would be fantastic!!