[GUIDE] How to backup and restore bootloader unlock status for your phone

hikari_calyx

Senior Member
The bootloader unlock for Nokia 5.1 Plus X5 is available as a paid service that you can find online (sorry, I cannot disclose where to request it, or it will violate the rules here).
However, the bootloader unlock flag can be backed up if a readback is done right after the bootloader is unlocked remotely. Flashing the phone with SP Flash Tool in "Format All + Download" or "Firmware upgrade" mode will cause the unlock state to be lost, so this guide is written for that case.

If you want to repost this guide to other forums or websites, please ask me for permission.

Code:
PLEASE DISABLE YOUR TRANSLATOR TO PREVENT THE COMMANDS BEING MISTAKENLY TRANSLATED!
A Chinese version of this guide for users in China is being written.

The readback should have been done by the unlock service provider. If the service provider didn't make a readback for you, you should do it yourself before you mess up everything.

In theory it could be applied to Nokia 3.1, 3.1 Plus and 5.1 as well, but for the Nokia 3.1 Plus (FDP implemented) it will be much more complicated; will talk about that later.

It's known that 3 partitions (efuse, sec1 and seccfg) store the unlock status signature flag to ensure the bootloader is unlocked, which can only match your phone's hardware ID.
We didn't test whether the unlock flag backup can be applied to other devices, but you shouldn't try that, or it might not be applicable.

To protect your personal information, don't share your backup publicly! It could contain your IMEI!

Back then, we didn't have the MediaTek-SU exploit to let us gain temporary root permission without an unlocked bootloader, but now the MediaTek-SU exploit has made restoring the bootloader unlock status possible.

So our idea is:

- Flash the phone with SP Flash Tool (you must use version 5.1824; newer versions cannot be used) in "Format All + Download" mode
Use the following firmware if you're not sure:

(International Users) Nokia 5.1 Plus: PDA-216A-0-00WW-B01
(Chinese Users) Nokia X5: PDA-209B-0-00CN-B06

These builds are known to be vulnerable to the MediaTek-SU exploit. You can download them from https://fih-firmware.hikaricalyx.com/hmd_en.html#pda .

If you downloaded the firmware with ".nb0" extension, discard it. It's not supported.

- Extract the following partitions from the readback backup:
efuse, nvram, nvcfg, proinfo, protect1, protect2, sec1, seccfg.
- Flash the proinfo, protect1 and protect2 partitions back to the phone with SP Flash Tool to allow us to use a few fastboot commands
- Gain root permission with the MediaTek-SU exploit
- Flash the efuse, sec1 and seccfg partitions back to the phone under root permission
- Reboot to bootloader mode and check whether the bootloader is unlocked
- If unlocked, flash the nvram and nvcfg partitions back, and format the nvdata partition

DO NOT USE Minimal ADB and Fastboot; always use Google's official Android Platform Tools from here

Here's how to do it.

WARNING: Nokia 3.1 Plus users shouldn't follow this guide! A device specific guide will be introduced later.

1. We assume you have the readback right after bootloader unlocked and necessary. Use 7-Zip to extract these files:
efuse.img, nvram.img, nvcfg.img, proinfo.img, protect1.img, protect2.img, sec1.img, seccfg.img.

2. Copy all these 8 files into the same directory where the firmware is placed.

3. Make a copy of PDA-0-xxxx-MT6771_Android_scatter.txt in the same directory, and rename it to proinfo-MT6771_Android_scatter.txt .

4. Open proinfo-MT6771_Android_scatter.txt with an advanced text editor (e.g. Visual Studio Code), find "proinfo" and change the entry to this:
Code:
- partition_index: SYS15
  partition_name: proinfo
  file_name: proinfo.img
  is_download: true

5. Use the same method to change "protect1" and "protect2" entries:

Code:
- partition_index: SYS10
  partition_name: protect1
  file_name: protect1.img
  is_download: true

Code:
- partition_index: SYS11
  partition_name: protect2
  file_name: protect2.img
  is_download: true

6. Use SP flash tool to load your modified proinfo-MT6771_Android_scatter.txt, and only tick "proinfo", "protect1" and "protect2" partitions, flash them with "Download only" mode.

7. Boot the phone to the normal OS and root it with MediaTek-SU by following this guide.

https://forum.xda-developers.com/nokia-x5/how-to/temp-root-solution-nokia-5-1-plus-t3948577

8. Now copy efuse.img, sec1.img and seccfg.img to the root directory of internal storage.

9. Enable USB debugging, then execute these commands under adb shell or a terminal emulator on the phone:
Code:
su
(confirm root permission on the phone)
dd if=/storage/emulated/0/efuse.img of=/dev/block/bootdevice/by-name/efuse
dd if=/storage/emulated/0/sec1.img of=/dev/block/bootdevice/by-name/sec1
dd if=/storage/emulated/0/seccfg.img of=/dev/block/bootdevice/by-name/seccfg
reboot bootloader

10. Your phone should now be booted into fastboot mode. Use this command to check whether the bootloader is unlocked:
Code:
fastboot getvar unlocked

Expected response should be:
Code:
unlocked: yes

11. Now flash nvram back to the phone to restore IMEI:
Code:
fastboot flash nvram /path/to/firmware/directory/nvram.img
fastboot flash nvcfg /path/to/firmware/directory/nvcfg.img
fastboot format nvdata

12. Alright, your phone is now restored back to normal and, most importantly, the bootloader is fully unlocked - you can install Magisk permanently and use the latest Magisk build.

Even though this guide is written, flashing the phone with SP Flash Tool is still not encouraged, although it looks easier. Note that Android 10 is not rootable yet, even if the bootloader is unlocked - waiting for @topjohnwu's news, as I donated him a Nokia X5 with an unlocked bootloader :p
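A check that fits between steps 1 and 9 of the guide above, as an added example that is not part of the original post: it confirms that all eight extracted images are present and records their SHA-256 hashes, so a truncated or altered copy is caught before anything is written to a partition. The function names and the manifest file name `readback.sha256` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): integrity checks for the
# eight readback images named in the guide. Function names and the
# manifest file name are assumptions of this example.

IMAGES="efuse nvram nvcfg proinfo protect1 protect2 sec1 seccfg"
MANIFEST="readback.sha256"

# Return 0 only if every expected image exists and is non-empty.
check_backup_set() {
    dir=$1
    rc=0
    for name in $IMAGES; do
        if [ ! -s "$dir/$name.img" ]; then
            echo "missing or empty: $name.img" >&2
            rc=1
        fi
    done
    return $rc
}

# Record the SHA-256 of each image right after extracting the readback.
write_manifest() {
    dir=$1
    check_backup_set "$dir" || return 1
    ( cd "$dir" && for name in $IMAGES; do sha256sum "$name.img"; done > "$MANIFEST" )
}

# Re-check the images against the manifest; report only the failures.
verify_manifest() {
    dir=$1
    [ -f "$dir/$MANIFEST" ] || { echo "no manifest in $dir" >&2; return 1; }
    out=$(cd "$dir" && sha256sum -c "$MANIFEST" 2>&1) && return 0
    printf '%s\n' "$out" | grep -v ': OK$' >&2 || true
    return 1
}

# Usage when run directly: sh script.sh write|verify DIR
case "${1:-}" in
    write)  write_manifest "${2:-.}" ;;
    verify) verify_manifest "${2:-.}" ;;
esac
```

Run `write` once on the PC after extraction, then `verify` in any directory the images and the manifest were copied to, before using the images.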

VD171

Senior Member
It worked perfectly on Xiaomi device.
Thank you very much
 

Top Liked Posts

    2
    I didn't find efuse.img on Redmi Note 9. Can you help me with Xiaomi MTK phones?
    The thread is not specific for Redmi Note 9.
    You can only manage the "SECCFG" partition.
    1
    @hikari_calyx
    I have a Realme C12.
    I have some small doubts.

    Why are efuse, sec1, seccfg not simply flashed by SPFlashTool? (nvram, nvcfg too)

    Why are proinfo, protect1, protect2 flashed before flashing seccfg?

    Thanks