[Guide] Convert locked OnePlus 8T TMO to Global version with MsmDownloadTool

Search This thread

IAAxl

Member
Nov 1, 2017
42
9
This can:

Bypass TMO flash lock as it uses 9008 EDL.

Remove TMO sim lock and oem lock as you will be using global rom.

Convert your KB2007 (KB09CB) to KB2005 (KB05AA) as much as possible. (Although you're using the latest KB2005 firmware, any LineageOS stuff, such as LOS system,LOS recovery and LOS fastbootd, will still recognize it as KB2007. This is the same in OOS 11. But in OOS 12 system, it shows and acts like a KB2005.)

Should enables dsds (dual sim dual standby) in OOS 12. (Not tested. But status bar shows two empty sim slots in KB2005 OOS 12. After I flash LOS 19.1, slot 2 won't act unless boot with "persist.radio.multisim.config=dsds" prop.)

Give you access to Global OxygenOS firmware. (Bye slow TMO~)

Probably give you better overall condition (e.g. partition) than some fastboot scripts, as it's done directly by 9008 EDL.

AND THIS WILL DELETE ALL YOUR DATA ON DEVICE!!!

Actually, you should be able to change any brand device to any version you like by this method, but take your own risk as nothing is solid tested.


This can't:

Give you a second IMEI. (In OOS IMEI2 is "null". I guess it's hard baked somewhere.)

Remove TMO flash lock or unlock a locked bootloader. (You still need unlock token for that.)

You tell me please. I don't have enough time to test everything.


Please:

BE AWARE THAT YOU ARE RESPONSIBLE FOR WHAT YOU DO TO YOUR HARDWARE, NOT ME.

MY SUCCESS DOESN'T MEAN IT MAST HAPPENS TO YOU.

YOU ARE THE ONE WHO TAKE ALL THE RISKS. (And your phone, too.)

Be kind to other readers and help them, I can't stay online all day, sorry.


Why:

I own a fully unlocked KebabT running LineageOS 18.1, and I decided to try LOS 19.1 out.

But OOS 12 firmware is so buggy that it even broke my LOS instance, and the fastboot (not fastbootD, for hell reasons I can't enter LOS recovery AFTER ALL firmware upgrade) is also too buggy to fix my issue.

I unbricked my phone using this " https://forum.xda-developers.com/t/...l-to-restore-your-device-to-oxygenos.4180981/ " (Thanks for sharing!!!), but only to find that TMO firmware is so old, buggy and limited.

Then I googled and found this "https://www.droidwin.com/convert-oneplus-t-mobile-metro-to-global-on-locked-bootloader/" and this "https://github.com/bkerler/oppo_decrypt" ,but they are slightly outdated and doesn't fit kebab.

I fetched global firmware from here "https://forum.xda-developers.com/t/oneplus-8t-rom-ota-oxygen-os-repo-of-oxygen-os-builds.4193183/" (Thanks for sharing!!!) and started trying.

After a few tries I succeed and decided to share what I found.


How:

Firstly, know your hardware. Especially your ram type (ddr4 or ddr5) !

Then follow what this "https://www.droidwin.com/convert-oneplus-t-mobile-metro-to-global-on-locked-bootloader/" said, BUT WITH EXTRA MODIFICATION on your "settings.xml":

1. Overwrite "BasicInfo Project", "Version", "ModelVerifyPrjName", "ModelVerifyRandom" and "ModelVerifyHashToken", these makes you pass MsmDownloadTool's pre-check.

2. Scroll to the end of file and overwrite [Target ID="1" Desc="O2"] with [Target ID="101" Desc="TMO"], otherwise your flash won't begin as the tool can't find right hardware to flash.

3. Search for "Image ID=" and modify the results. For me, I have a DDR4 device, so I go with "xbl.img" and "xbl_config.img", so FOR ME I change "Image ID="1"" to "Image ID="101"", and change "Image ID="65537"" to "Image ID="65637"". Otherwise MsmDownloadTool won't be able to locate the right xbl img file to flash.

4. Follow the rest of that great guide and have a few tries, you won't lose more as you're already under EDL mode. Wish you success!


And:

Sorry in advance for any possible confusion as I'm not a native English speaker. You can ask in replies!

Please let me know if I'm wrong, I'll try to correct.

If this is already shared by other great guys, please forgive me as I really didn't find any related post in this forum.

I doubt this "https://forum.xda-developers.com/t/...m-unlock-or-bootloader-unlock-needed.4188491/" (Thanks for sharing!!!) is done in the same way but no one mentioned about it.

Special thanks to bkerler for creating this awesome "https://github.com/bkerler/oppo_decrypt" project!

Special thanks to LuK1337 for maintain LineageOS for OnePlus 8T!! You're great!!


Question:

It it possible to remove flash lock in this way?

I've tried several times to flash with kebab not kebabT MsmTool. But I can't make it work.
 

Attachments

  • _settings_xml_backup.zip
    27.5 KB · Views: 42
Last edited:
  • Like
Reactions: BillGoss

jcsww

Senior Member
I'm kind of curious to know what your model number would show up as in the About Phone screen. Being able to incorporate the SIM fix into the ROM would be a good thing. There was a link in the OP to a took that could unpack and repack the OPS file. My concern is, at least with the bastardized Color/Oxygen OS stock hybrid, that it will still see the device as a KB2007 and not an actual KB2005 outside of just the firmware version.
 

IAAxl

Member
Nov 1, 2017
42
9
I'm kind of curious to know what your model number would show up as in the About Phone screen.
For LOS and OOS 11, KB2007. (But for OOS 11 software update page, it shows as KB2005. You're able to get KB2005 OTA updates without any problem.)

For OOS 12, KB2005 everywhere.

You can try to spoof device model by using magisk_hide_props_config module, but it's another story.

Being able to incorporate the SIM fix into the ROM would be a good thing.
If you use global version OOS or flash LOS, sim lock no longer exists.
 
  • Like
Reactions: jcsww

IAAxl

Member
Nov 1, 2017
42
9
Unpack whole rom system vendor product odm
Its all in super.img
You can get super.img using oppo_decrypt.
But, I thought that's an unencrypted raw disk image, am I wrong?
And by the way, I flashed KB2005 super.img into my KB2007, but fastboot flash lock is still there, have to use unlock code bin file to disable it.
 
Last edited:

raven911

Senior Member
Aug 17, 2009
54
1
I apologize, as I don't quite understand the original post. This seems to be trying to specify a way to get dual-sim on KB2007 with A12? Apologies for the dumb questions, 1) How do I found out if my KB2007 has DDR4 or DDR5? 2) The instruction link https://www.droidwin.com/convert-oneplus-t-mobile-metro-to-global-on-locked-bootloader/ , following these steps seems to still leave the device on Android 11 (because that is the rom that comes with the MSM tools). If we then update to Android 12, won't that disable the dual-sim again?
 

Mr Hassan

Account currently disabled
Feb 14, 2016
935
57
OnePlus 10 Pro
I apologize, as I don't quite understand the original post. This seems to be trying to specify a way to get dual-sim on KB2007 with A12? Apologies for the dumb questions, 1) How do I found out if my KB2007 has DDR4 or DDR5? 2) The instruction link https://www.droidwin.com/convert-oneplus-t-mobile-metro-to-global-on-locked-bootloader/ , following these steps seems to still leave the device on Android 11 (because that is the rom that comes with the MSM tools). If we then update to Android 12, won't that disable the dual-sim again?
In os12 ofcourse your 2nd sim will disable by bootloader partitions and some other as i mention in another post
But good news is i can fix
But bad news no way yo unpack repack or rw after root
 

IAAxl

Member
Nov 1, 2017
42
9
I apologize, as I don't quite understand the original post. This seems to be trying to specify a way to get dual-sim on KB2007 with A12? Apologies for the dumb questions, 1) How do I found out if my KB2007 has DDR4 or DDR5? 2) The instruction link https://www.droidwin.com/convert-oneplus-t-mobile-metro-to-global-on-locked-bootloader/ , following these steps seems to still leave the device on Android 11 (because that is the rom that comes with the MSM tools). If we then update to Android 12, won't that disable the dual-sim again?
To answer your questions:
1) Check here: https://wiki.lineageos.org/devices/kebab/fw_update
By the way, 8T hardware has two major variables: UFS 3.0 / 3.1 storage, and lpddr 4 / 5 memory. Storage type doesn't matter to rom flash, but memory type does.

2) Yes! You're still on OOS 11 after change-brand flash, but then you can OTA to KB2005 OOS 12 directly.
And, because my final goal is to run LOS, I didn't put my sim in while my phone is on OOS, so I can't really answer if dual sim is available in OOS 11 or 12.
In LOS, I use magisk_hide_props_config module to add "persist.radio.multisim.config=dsds" into system prop to enable dual sim. You can also try this "https://forum.xda-developers.com/t/...bile-8t-kb2007-with-lineage-aosp-rom.4262669/", same stuff.

If your KB2007 is flash locked, you can try the following steps and see if it will work:
A. Use oppo_decrypt to get elf files from msm rom;
B. Use QPST (and the elf file) to flash magisk patched boot.img into your device under 9008.
C. Install magisk model and get dsds.

∆ The risk is in step B.
I'm not familiar enough with QPST and never succeed to get QPST work to do anything.
 

IAAxl

Member
Nov 1, 2017
42
9
Unpack whole rom system vendor product odm
Its all in super.img
Err… Try use MsmTool readback?
Oppo_decrypt offers an option to enable readback. I haven't used it though.

Or can you change what you have to, directly on a rooted device, and check if it works?

I'm still confused. Aren't those img file raw disk images? Can't you mount and read them on any Unix-alike device? How do you usually do this with other devices?
 

Mr Hassan

Account currently disabled
Feb 14, 2016
935
57
OnePlus 10 Pro
Err… Try use MsmTool readback?
Oppo_decrypt offers an option to enable readback. I haven't used it though.

Or can you change what you have to, directly on a rooted device, and check if it works?

I'm still confused. Aren't those img file raw disk images? Can't you mount and read them on any Unix-alike device? How do you usually do this with other devices?
let me tell you msm have rb option
but you still not got my pov there,s no rw option in rooted device even after root
so how can i make dump or backup or for which purpose i need backup if i dont even modded something in rooted device

another option which left is unpack system.img vendor.img odm.img etc and modify then repack it
but there,s not way to even convert it to raw i try simg2img but not support by this

even if i able to convert it to raw i can do something

and no its not raw format men. its payload and super
 

IAAxl

Member
Nov 1, 2017
42
9
let me tell you msm have rb option
but you still not got my pov there,s no rw option in rooted device even after root
so how can i make dump or backup or for which purpose i need backup if i dont even modded something in rooted device

another option which left is unpack system.img vendor.img odm.img etc and modify then repack it
but there,s not way to even convert it to raw i try simg2img but not support by this

even if i able to convert it to raw i can do something

and no its not raw format men. its payload and super
Okay I understand now..
The goal is to change sth inside vendor and other partition, but they can't be remounted read-write inside system.
And the img file can't be exacted or repacked.

Will you try to remount those partition in recovery ADB maybe?
 

Mr Hassan

Account currently disabled
Feb 14, 2016
935
57
OnePlus 10 Pro
Okay I understand now..
The goal is to change sth inside vendor and other partition, but they can't be remounted read-write inside system.
And the img file can't be exacted or repacked.

Will you try to remount those partition in recovery ADB maybe?
Yes now you fully understand
Yes i tried many thing
And yes in twrp also tried remount etc
I also pull files and edit but when i push
Its said device not have enough space
Its maybe need resize etc
 

Rootk1t

Senior Member
Jun 2, 2013
1,817
763
Yes now you fully understand
Yes i tried many thing
And yes in twrp also tried remount etc
I also pull files and edit but when i push
Its said device not have enough space
Its maybe need resize etc
I don't know if this helps or not.
But there are some scripts to exctract partitions from SUPER, flash them and make -rw.

 

Mr Hassan

Account currently disabled
Feb 14, 2016
935
57
OnePlus 10 Pro
I don't know if this helps or not.
But there are some scripts to exctract partitions from SUPER, flash them and make -rw.

I done manything even convert to ext4
In shel its showing rw
And also in root explorer get rw but still not edit anything
 

anra_g

New member
Dec 9, 2022
4
0
So, I'm not need T-Mobile help to sim unlock my phone?
Just convert it to global, and it will be carrier unlocked?
Are I read this right?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    This can:

    Bypass TMO flash lock as it uses 9008 EDL.

    Remove TMO sim lock and oem lock as you will be using global rom.

    Convert your KB2007 (KB09CB) to KB2005 (KB05AA) as much as possible. (Although you're using the latest KB2005 firmware, any LineageOS stuff, such as LOS system,LOS recovery and LOS fastbootd, will still recognize it as KB2007. This is the same in OOS 11. But in OOS 12 system, it shows and acts like a KB2005.)

    Should enables dsds (dual sim dual standby) in OOS 12. (Not tested. But status bar shows two empty sim slots in KB2005 OOS 12. After I flash LOS 19.1, slot 2 won't act unless boot with "persist.radio.multisim.config=dsds" prop.)

    Give you access to Global OxygenOS firmware. (Bye slow TMO~)

    Probably give you better overall condition (e.g. partition) than some fastboot scripts, as it's done directly by 9008 EDL.

    AND THIS WILL DELETE ALL YOUR DATA ON DEVICE!!!

    Actually, you should be able to change any brand device to any version you like by this method, but take your own risk as nothing is solid tested.


    This can't:

    Give you a second IMEI. (In OOS IMEI2 is "null". I guess it's hard baked somewhere.)

    Remove TMO flash lock or unlock a locked bootloader. (You still need unlock token for that.)

    You tell me please. I don't have enough time to test everything.


    Please:

    BE AWARE THAT YOU ARE RESPONSIBLE FOR WHAT YOU DO TO YOUR HARDWARE, NOT ME.

    MY SUCCESS DOESN'T MEAN IT MAST HAPPENS TO YOU.

    YOU ARE THE ONE WHO TAKE ALL THE RISKS. (And your phone, too.)

    Be kind to other readers and help them, I can't stay online all day, sorry.


    Why:

    I own a fully unlocked KebabT running LineageOS 18.1, and I decided to try LOS 19.1 out.

    But OOS 12 firmware is so buggy that it even broke my LOS instance, and the fastboot (not fastbootD, for hell reasons I can't enter LOS recovery AFTER ALL firmware upgrade) is also too buggy to fix my issue.

    I unbricked my phone using this " https://forum.xda-developers.com/t/...l-to-restore-your-device-to-oxygenos.4180981/ " (Thanks for sharing!!!), but only to find that TMO firmware is so old, buggy and limited.

    Then I googled and found this "https://www.droidwin.com/convert-oneplus-t-mobile-metro-to-global-on-locked-bootloader/" and this "https://github.com/bkerler/oppo_decrypt" ,but they are slightly outdated and doesn't fit kebab.

    I fetched global firmware from here "https://forum.xda-developers.com/t/oneplus-8t-rom-ota-oxygen-os-repo-of-oxygen-os-builds.4193183/" (Thanks for sharing!!!) and started trying.

    After a few tries I succeed and decided to share what I found.


    How:

    Firstly, know your hardware. Especially your ram type (ddr4 or ddr5) !

    Then follow what this "https://www.droidwin.com/convert-oneplus-t-mobile-metro-to-global-on-locked-bootloader/" said, BUT WITH EXTRA MODIFICATION on your "settings.xml":

    1. Overwrite "BasicInfo Project", "Version", "ModelVerifyPrjName", "ModelVerifyRandom" and "ModelVerifyHashToken", these makes you pass MsmDownloadTool's pre-check.

    2. Scroll to the end of file and overwrite [Target ID="1" Desc="O2"] with [Target ID="101" Desc="TMO"], otherwise your flash won't begin as the tool can't find right hardware to flash.

    3. Search for "Image ID=" and modify the results. For me, I have a DDR4 device, so I go with "xbl.img" and "xbl_config.img", so FOR ME I change "Image ID="1"" to "Image ID="101"", and change "Image ID="65537"" to "Image ID="65637"". Otherwise MsmDownloadTool won't be able to locate the right xbl img file to flash.

    4. Follow the rest of that great guide and have a few tries, you won't lose more as you're already under EDL mode. Wish you success!


    And:

    Sorry in advance for any possible confusion as I'm not a native English speaker. You can ask in replies!

    Please let me know if I'm wrong, I'll try to correct.

    If this is already shared by other great guys, please forgive me as I really didn't find any related post in this forum.

    I doubt this "https://forum.xda-developers.com/t/...m-unlock-or-bootloader-unlock-needed.4188491/" (Thanks for sharing!!!) is done in the same way but no one mentioned about it.

    Special thanks to bkerler for creating this awesome "https://github.com/bkerler/oppo_decrypt" project!

    Special thanks to LuK1337 for maintain LineageOS for OnePlus 8T!! You're great!!


    Question:

    It it possible to remove flash lock in this way?

    I've tried several times to flash with kebab not kebabT MsmTool. But I can't make it work.
    1
    I'm kind of curious to know what your model number would show up as in the About Phone screen.
    For LOS and OOS 11, KB2007. (But for OOS 11 software update page, it shows as KB2005. You're able to get KB2005 OTA updates without any problem.)

    For OOS 12, KB2005 everywhere.

    You can try to spoof device model by using magisk_hide_props_config module, but it's another story.

    Being able to incorporate the SIM fix into the ROM would be a good thing.
    If you use global version OOS or flash LOS, sim lock no longer exists.