• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!
  • Fill out your device list and let everyone know which phones you have!    Edit Your Device Inventory

[GUIDE] How to unlock the bootloader of Nokia 4.2

Search This thread

hikari_calyx

Senior Member
WARNING!
THIS GUIDE REQUIRES DISASSEMBLY, SO YOU WILL DEFINITELY LOSE THE WARRANTY!
DO IT AT YOUR OWN RISK!


If you want to repost this guide to other websites, please let me know before you repost.
For Chinese users: 中文版教程将会在dospy发布。

UPDATE: I've updated the new tool for unlocking the phone without understanding how to utilize such long commands.
You can watch the demonstration here: https://youtu.be/whrFsn8h7A4
So after I got a Nokia 4.2 prototype by opportunity, I just found the theory of bootloader unlocking.
Tricking development options for allowing "OEM unlocking" no longer works on latest security update.

What you need to have:
- a Nokia 4.2 unit that you finished back cover and upper plastic shell removal
- tweezers, and probably a standard philips screwdriver
- QPST (use at least 2.7.474) or any other app that could access the EDL, and Qualcomm USB port drivers are installed
- Latest Google Platform Tools
- Full backup of your userdata

Step 1: Trigger the phone to EDL mode, then change the driver to "Qualcomm HS-USB QDLoader 9008"
Please take a look at the attachment below, about the location you need to use tweezers.

For Windows users:
If the driver is already indicated as "Qualcomm HS-USB QDLoader 9008", get to Step 2.
If the driver is indicated as either "QHSUSB__BULK" (For users who have installed Windows Device Recovery Tool before) or "Qualcomm HS-USB Diagnostics 9008", you must change the driver to "Qualcomm HS-USB QDLoader 9008".
After driver changed, you need to disconnect the phone, disconnect and reconnect the battery ribbon cable, then trigger the phone to EDL again.

I assume the COM port number is 8 (COM8).

Step 2: Write config partition
As we already know, config partition is also the frp partition.
You need to create a config partition image that has "OEM Unlocking" function enabled, which need to alter the last byte, then change the overall checksum to make the config file valid.
For your convenience, I've created one.

Now download and extract the attachment below.
Use QFIL included in QPST to load the firehose file. Choose "Flat Build" and choose the "prog_emmc_firehose_8937_ddr.mbn" you extracted from the attachment.

Choose "Tools" - "Partition Manager", then wait for the partition list appear.

As "Load Image" seems not reliable, we have to use command to write it manually.
For 64-bit Windows users, the command is:

Code:
"C:\Program Files (x86)\Qualcomm\QPST\bin\fh_loader.exe" --port=\\.\COM8 --search_path=D:\path\to\where\you\extracted\N32_N42_unlock --sendimage=config.img --start_sector=16583680 --lun=0 --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=emmc

If you use 32-bit Windows, you need to remove the " (x86)" (within space, without quotes) in the command above.

Step 3: Trigger the phone back to fastboot mode

Now hold the Volume down key, keep the phone connected, close the partition manager, then your phone will exit EDL mode and enter Fastboot mode directly.
Now check the unlock ability:
Code:
fastboot flashing get_unlock_ability

Expected output:
Code:
get_unlock_ability: 1

Step 4: Unlock the bootloader!
And you can unlock the bootloader with familiar commands.
Code:
fastboot flashing unlock_critical

Confirm unlock on the phone, then keep the volume down key pressed while the phone is erasing userdata.
EDBo2XEW4AAzCHG.jpg

Your phone will boot to fastboot mode again, and then:
Code:
fastboot flashing unlock

Confirm unlock on the phone again.

All done, that's how the bootloader is unlocked. You can reassemble the phone.
But strange enough, you can't see any unlock warning.

I will release boot image dumping guide and root guide very soon.

Special thanks:
Wingtech for leaking prototype units
 

Attachments

  • N32_N42_unlock.zip
    239.5 KB · Views: 1,717
  • N42_unlock.jpg
    N42_unlock.jpg
    181 KB · Views: 7,159
  • N32-N42_unlocker_V1.0.5.2.7z
    1.7 MB · Views: 1,625
Last edited:

xDark_

Senior Member
Aug 7, 2013
462
83
why must Nokia insist on locking their devices down so hard ??

great discovery, will definitely be useful once TWRP is released. just curious, but SafetyNet is tripped with this, right?
 
  • Like
Reactions: Vagelis1608

Joe199799

Senior Member
Sep 7, 2014
826
282
I don't even own this phone but I kinda want to weigh in, are we seriously at this point? No honestly, Android as a whole was basically were dev focused iOS is locked down to hell and back here's freedom. Google has the Nexus line made for developers companies embraced it I remember there being multiple Google play editions of phones that ran stock Android. I'm happy we as a community can keep this alive but damn are companies trying to make it difficult to do something I want to do to a device I paid for and own. Samsung you can't root (save for sampwn and samfail) LG locked down bootloaders and gimped fastboot on some models (fastboot seriously?) Nokia now requiring you to take apart the freaking phone to achieve this, I'm half asleep and can't think of any other major brands at the moment. It's a joke. (Above root methods were mainly for US variants and TMobile variants of LG) something has to change I know it won't and I understand the reasoning behind it security and such but still. Sorry for the rant congrats OP on what you did I consider it magic but it's more you accomplished something I could only wish I could do.
 

hikari_calyx

Senior Member
Will it be possible to do without disassembly? Just in theory, not now
I think it will be possible.

There's a hidden command in aboot "fastboot reboot-emergency" but unusable, unless some sort of authentication is done or bootloader unlocked.

I still don't know how the authentication is done yet, but it's definitely not something that average developers can access to.
That's why disassembly is required for now.
 

Skyhuppa

Senior Member
Sep 17, 2016
61
12
skyhuppa.wordpress.com
Very interesting breakthrough. Great work ❣️
I'm facing the same bootloader unlock in my infinix hot s 3. I believe I can use your procedure to unlock my device. And if necessary how to make changes to the config file? I will be expecting your reply soon. Thanks
 

awab228

Senior Member
May 2, 2014
162
87
Khartoum
Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you
 

hikari_calyx

Senior Member
Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you

Fill first 32 bytes with 0x00, then calculate SHA256 checksum and paste the new checksum as hex value at the first 32 bytes.
 
  • Like
Reactions: awab228

hikari_calyx

Senior Member
do you have any fastboot rom or rawxml rom for this device ??
mine always reboot in bootloader mode.

We have full OTA zip of it.
You can use payload dumper + img2simg to convert it to fastboot images. If recovery mode working (including unofficial TWRP), you can also reboot your phone to recovery mode to sideload it.
PAN-141B-0-00WW-B03-update.zip
 

Ghezus

New member
Dec 4, 2007
1
1
I was able to use "OEM Unlocking" from developer options and after starting at step 3, to obtain a full unlock. After I was also able to fully root my phone using the normal guide. I am running the latest security update (October 5 2019). No idea why this worked for me...
 
  • Like
Reactions: Ryu--X

s3tupw1zard

Senior Member
Jan 17, 2018
60
14
Hello,
I've got the Nokia 3.2 16gb variant. I can get it into edl mode but it seems to be in Sahara mode. How can I put it into firehose mode? Because I can't load anything using qfil.
Any help?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 25
    WARNING!
    THIS GUIDE REQUIRES DISASSEMBLY, SO YOU WILL DEFINITELY LOSE THE WARRANTY!
    DO IT AT YOUR OWN RISK!


    If you want to repost this guide to other websites, please let me know before you repost.
    For Chinese users: 中文版教程将会在dospy发布。

    UPDATE: I've updated the new tool for unlocking the phone without understanding how to utilize such long commands.
    You can watch the demonstration here: https://youtu.be/whrFsn8h7A4
    So after I got a Nokia 4.2 prototype by opportunity, I just found the theory of bootloader unlocking.
    Tricking development options for allowing "OEM unlocking" no longer works on latest security update.

    What you need to have:
    - a Nokia 4.2 unit that you finished back cover and upper plastic shell removal
    - tweezers, and probably a standard philips screwdriver
    - QPST (use at least 2.7.474) or any other app that could access the EDL, and Qualcomm USB port drivers are installed
    - Latest Google Platform Tools
    - Full backup of your userdata

    Step 1: Trigger the phone to EDL mode, then change the driver to "Qualcomm HS-USB QDLoader 9008"
    Please take a look at the attachment below, about the location you need to use tweezers.

    For Windows users:
    If the driver is already indicated as "Qualcomm HS-USB QDLoader 9008", get to Step 2.
    If the driver is indicated as either "QHSUSB__BULK" (For users who have installed Windows Device Recovery Tool before) or "Qualcomm HS-USB Diagnostics 9008", you must change the driver to "Qualcomm HS-USB QDLoader 9008".
    After driver changed, you need to disconnect the phone, disconnect and reconnect the battery ribbon cable, then trigger the phone to EDL again.

    I assume the COM port number is 8 (COM8).

    Step 2: Write config partition
    As we already know, config partition is also the frp partition.
    You need to create a config partition image that has "OEM Unlocking" function enabled, which need to alter the last byte, then change the overall checksum to make the config file valid.
    For your convenience, I've created one.

    Now download and extract the attachment below.
    Use QFIL included in QPST to load the firehose file. Choose "Flat Build" and choose the "prog_emmc_firehose_8937_ddr.mbn" you extracted from the attachment.

    Choose "Tools" - "Partition Manager", then wait for the partition list appear.

    As "Load Image" seems not reliable, we have to use command to write it manually.
    For 64-bit Windows users, the command is:

    Code:
    "C:\Program Files (x86)\Qualcomm\QPST\bin\fh_loader.exe" --port=\\.\COM8 --search_path=D:\path\to\where\you\extracted\N32_N42_unlock --sendimage=config.img --start_sector=16583680 --lun=0 --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=emmc

    If you use 32-bit Windows, you need to remove the " (x86)" (within space, without quotes) in the command above.

    Step 3: Trigger the phone back to fastboot mode

    Now hold the Volume down key, keep the phone connected, close the partition manager, then your phone will exit EDL mode and enter Fastboot mode directly.
    Now check the unlock ability:
    Code:
    fastboot flashing get_unlock_ability

    Expected output:
    Code:
    get_unlock_ability: 1

    Step 4: Unlock the bootloader!
    And you can unlock the bootloader with familiar commands.
    Code:
    fastboot flashing unlock_critical

    Confirm unlock on the phone, then keep the volume down key pressed while the phone is erasing userdata.
    EDBo2XEW4AAzCHG.jpg

    Your phone will boot to fastboot mode again, and then:
    Code:
    fastboot flashing unlock

    Confirm unlock on the phone again.

    All done, that's how the bootloader is unlocked. You can reassemble the phone.
    But strange enough, you can't see any unlock warning.

    I will release boot image dumping guide and root guide very soon.

    Special thanks:
    Wingtech for leaking prototype units
    18
    I don't even own this phone but I kinda want to weigh in, are we seriously at this point? No honestly, Android as a whole was basically were dev focused iOS is locked down to hell and back here's freedom. Google has the Nexus line made for developers companies embraced it I remember there being multiple Google play editions of phones that ran stock Android. I'm happy we as a community can keep this alive but damn are companies trying to make it difficult to do something I want to do to a device I paid for and own. Samsung you can't root (save for sampwn and samfail) LG locked down bootloaders and gimped fastboot on some models (fastboot seriously?) Nokia now requiring you to take apart the freaking phone to achieve this, I'm half asleep and can't think of any other major brands at the moment. It's a joke. (Above root methods were mainly for US variants and TMobile variants of LG) something has to change I know it won't and I understand the reasoning behind it security and such but still. Sorry for the rant congrats OP on what you did I consider it magic but it's more you accomplished something I could only wish I could do.
    1
    why must Nokia insist on locking their devices down so hard ??

    great discovery, will definitely be useful once TWRP is released. just curious, but SafetyNet is tripped with this, right?
    1
    Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you

    Fill first 32 bytes with 0x00, then calculate SHA256 checksum and paste the new checksum as hex value at the first 32 bytes.
    1
    Thank you for taking the time to explain, great help and great effort, the last byte should be altered to 1 ? Or 0 ?

    1 for allow, 0 for disallow