[GUIDE] UNBRICK/DOWNGRADE YOUR REALME 6/6I(INDIA)/6S USING SPFLASH TOOL FOR FREE!

Search This thread

cmfan

Member
Dec 13, 2011
29
8
23
I think I have tried all 7 possible combinations with the buttons, none of them gave a reaction.

Charger is a good point: the phone shows no reaction upon plugging in, however I can measure the charger's power consumption and it reaches the expected 30W, so yes, charging works.

fastboot doesn't recognize the phone:
Code:
$ fastboot reboot
< waiting for any device >

adb commands are all unauthorized (except connection commands, but these do not require any interaction with the device):
Code:
$ adb reboot
error: device unauthorized.
This adb server's $ADB_VENDOR_KEYS is not set
Try 'adb kill-server' if that seems wrong.
Otherwise check for a confirmation dialog on your device.

$ adb devices
List of devices attached
0123456789ABCDEF    unauthorized

$ adb reconnect
reconnecting 0123456789ABCDEF  [unauthorized]

$ adb reconnect device

$ adb reconnect offline
reconnecting 0123456789ABCDEF

adb could have received the serial no. from the USB controller, no need to actually communicate with phone itself:
Code:
$ lsusb -v |grep -A85 18d1:d001
Bus 001 Device 011: ID 18d1:d001 Google Inc. Nexus 4 (fastboot)
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.10
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x18d1 Google Inc.
  idProduct          0xd001 Nexus 4 (fastboot)
  bcdDevice            4.14
  iManufacturer           1 realme
  iProduct                2 RMX2001
  iSerial                 3 0123456789ABCDEF
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0020
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          4 adb
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass     66 
      bInterfaceProtocol      1 
      iInterface              5 ADB Interface
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
Binary Object Store Descriptor:
  bLength                 5
  bDescriptorType        15
  wTotalLength       0x0016
  bNumDeviceCaps          2
  USB 2.0 Extension Device Capability:
    bLength                 7
    bDescriptorType        16
    bDevCapabilityType      2
    bmAttributes   0x00000006
      BESL Link Power Management (LPM) Supported
  SuperSpeed USB Device Capability:
    bLength                10
    bDescriptorType        16
    bDevCapabilityType      3
    bmAttributes         0x00
    wSpeedsSupported   0x000f
      Device can operate at Low Speed (1Mbps)
      Device can operate at Full Speed (12Mbps)
      Device can operate at High Speed (480Mbps)
      Device can operate at SuperSpeed (5Gbps)
    bFunctionalitySupport   1
      Lowest fully-functional device speed is Full Speed (12Mbps)
    bU1DevExitLat           1 micro seconds
    bU2DevExitLat         500 micro seconds
Device Status:     0x0000
  (Bus Powered)

You have mentioned that there are more people with bricked phone due to the A.11. How are they doing. Especially I wonder if any of the formatted devices still react?
 

cmfan

Member
Dec 13, 2011
29
8
23
Hello. again. So, i have asked few people about your situation. Conclusion is, if none of these work you will need to wait until battery wears off and device turns itself off, i'm afraid. I will ask you to not use your phone for like a day and not to keep it connected to a computer for a long time. After making sure it powered off (which, i'm guessing there is actually no way to do that) make sure to prepare the brom.bat file plug in your device with VOL+ - combo and go on. Before doing this make sure to Device Manager > Action > Add Legacy Hardware > Next > Install the hardware that I manually select from a list (Advanced) > Show All Devices > Have Disk > Choose the cdc-acm.inf > Choose Mediatek USB Port and install it to not waste time. I hope your problems will be fixed. I have confirmed that BROM mode shouldn't fall into an inaccessible state because there's no efuse.ini blown. It must be there, but you're probably stuck in a mode that doesn't allow doing anything for some reason.
Ah, you've been faster than me :) . Ok, good to hear that BROM mode is supposed to be still available. So I'll do the waiting then and report back of course.

Again, thank you for assisting so far.
 

daeSundae

Senior Member
Jan 13, 2021
60
13
18
You have mentioned that there are more people with bricked phone due to the A.11. How are they doing. Especially I wonder if any of the formatted devices still react?
Okay. So well, i also flashed the A.11 firmware meaning we are the only ones who used that firmware for flashing, there are other people but the problem with theirs is that they used Format All + Download and after that device still can get into a download mode even after all but they can't boot into system for a reason I do not know. Some of people have already requested motherboard replacement 'n stuff. I will request you to not use that mode (Format All + Download) even if you can, since your device won't be having a Serial Number, IMEI numbers, will lose the capability of hardware attestation, no MAC adresses etc. As i said, it's better to wait and since the device is running i doubt it will take more than 2 days before it fully powers off. Even if your computer fails to bypass authorization like this, plug it out immediately and wait for an hour or so to make sure it turns off, after that restarting from 2nd step, re-installing it's filter using libusb-win32 should fix this problem.
Issues while disabling protection;


View attachment 5196241
Power off your device Restart the process from 2nd step.
 

cmfan

Member
Dec 13, 2011
29
8
23
they used Format All + Download
Too bad :(. There are some tutorials on Hovatek explaining how to set IMEIs, if they still know them (mine has a sticker on the back stating them plus they're on the original case the phone came in too).
i doubt it will take more than 2 days before it fully powers off.
I hope so, however the battery is said to be pretty good (I can't tell, because rooting was the first thing I did with the phone :rolleyes:) and my 8 years old Xperia Mini lasts over a week when just lying around in Airplane mode and that's an old battery and running Android.. Who knows how little the stale mode I'm stuck in will consume? Time will tell.
 

daeSundae

Senior Member
Jan 13, 2021
60
13
18
Too bad :(. There are some tutorials on Hovatek explaining how to set IMEIs, if they still know them (mine has a sticker on the back stating them plus they're on the original case the phone came in too).

I hope so, however the battery is said to be pretty good (I can't tell, because rooting was the first thing I did with the phone :rolleyes:) and my 8 years old Xperia Mini lasts over a week when just lying around in Airplane mode and that's an old battery and running Android.. Who knows how little the stale mode I'm stuck in will consume? Time will tell.
I am looking forward for your reply :p
 

chemicalboyxda

Senior Member
Oct 22, 2010
105
9
38
Hi have my phone in bootloader unlocked but bricked and this method works 100%. My phone is alive again!!!
I have an RMX2001 with eu rom, but i installed the B53 that is better. You can use that ver if you want.
 

daeSundae

Senior Member
Jan 13, 2021
60
13
18
Hi have my phone in bootloader unlocked but bricked and this method works 100%. My phone is alive again!!!
I have an RMX2001 with eu rom, but i installed the B53 that is better. You can use that ver if you want.
Glad to see people are able to unbrick. About EU roms, yes its possible to return to A.Xy version but i'm not sure if any decrypted ofps will work. It caused weird issues with devices it was tested on so i had to remove it's link. Enjoy an unbricked phone! : PP
 

cmfan

Member
Dec 13, 2011
29
8
23
I am looking forward for your reply
Thumbs up, my phone is back to life! 🥳
Your assumption was right, once the battery had drained (I helped along by putting the phone out in the cold, two hours later the battery was down) , BROM mode was accessible again and I could follow your guide to unbrick. I chose B.23 and then updated to A.48 through recovery.
Thanks again for posting here and your help on the way! (y)
 
  • Like
Reactions: daeSundae

daeSundae

Senior Member
Jan 13, 2021
60
13
18
Thumbs up, my phone is back to life! 🥳
Your assumption was right, once the battery had drained (I helped along by putting the phone out in the cold, two hours later the battery was down) , BROM mode was accessible again and I could follow your guide to unbrick. I chose B.23 and then updated to A.48 through recovery.
Thanks again for posting here and your help on the way! (y)
Glad to hear! I will tomorrow be testing another EU ofp with %3 battery then! I will keep it updated here as well. Thanks for reporting back!
 

1thesandy1

Member
Dec 5, 2017
22
0
11
Kolkata
Traceback (most recent call last):
File "main.py", line 3, in <module>
from src.device import Device
File "E:\Bypass Tools Pack\Bypass\src\device.py", line 4, in <module>
import serial.tools.list_ports
ModuleNotFoundError: No module named 'serial'
Press any key to continue . . .




i am getting this error please help
 

1thesandy1

Member
Dec 5, 2017
22
0
11
Kolkata
Thank you daeSundae for helping me, I really appreciate that. So, what do we have:

Sounds reasonable and I hope it's true. :)

The phone was fully charged when it bricked, so yes, the battery will last several days I fear, esp. without driving the display.

Three buttons make 7 possible combinations. I've tried them all, pressing, holding and holding while connecting USB. No reaction at all, unfortunately.

This is kind of weird. The phone identifies as USB ID 18d1:d001 on Linux which is said fastboot device. fastboot does not see it, only adb does. But maybe it justs sees the device, lists it, but cannot communicate otherwise with it. I guess if the device was just silent (or dead) adb would assume unauthorized, in lack of any other behavior.

Window btw does not accept the device at all and lists an "Unknown USB Device (Invalid Configuration Descriptor)".

Sound also reasonable, however waiting for the battery to drain may last a very long time. I am out of ideas on how to force a power off otherwise (apart from sacrificing hardware integrity and disconnecting the battery of course)

Man, do I miss the old days when a ZergRush was all you needed to root and problems like this were solved by pulling the removable battery... :cool:
bro I needyour help
 

daeSundae

Senior Member
Jan 13, 2021
60
13
18
you can see more here about free
or
here with Cm2 Dongle
ttokonline
To be honest I don't mind my guide being stolen etc. To me, important part is people unbricking. Nice to see An Arabic guide now after a Russian guide yesterday. Am not really sure if XDA allows it, but thanks for translating and helping more people by it!
 
Last edited:

daeSundae

Senior Member
Jan 13, 2021
60
13
18
Traceback (most recent call last):
File "main.py", line 3, in <module>
from src.device import Device
File "E:\Bypass Tools Pack\Bypass\src\device.py", line 4, in <module>
import serial.tools.list_ports
ModuleNotFoundError: No module named 'serial'
Press any key to continue . . .




i am getting this error please help
Try following the guide as instructed. If you have an issue, instead of sending the output as text send screenshots. I will recommend you to start from beginning of the guide.
 

abdulkoroglu

New member
Jan 28, 2021
2
0
11
I saw the username yusuf in my friend's pictures. My name is abdullah realme I bought 6 phones with an enthusiasm, I said to root, I succeeded, but I stupidly locked the flash from fastboot because I was done. Now I get a red state error, every 5 seconds the device turns off and on, the rom.ozip file I found on its site, the installers want rom.ofp, the other one asks strach.txt. so I'm in ruins, I'm trying your method, but I get a "no such file or dictionary" error in brom, I think because the device is constantly resetting itself. I hope you can help me.
 

abdulkoroglu

New member
Jan 28, 2021
2
0
11
Adsız.png
seni meşgul ediyorum ama bu hatayada bakarmısın ağlıcam artık
 

daeSundae

Senior Member
Jan 13, 2021
60
13
18
View attachment 5202393seni meşgul ediyorum ama bu hatayada bakarmısın ağlıcam artık
Merhaba. Lütfen aşağıda listelediğim bölümlerin seçimini kaldırıp kalan kısmını flaşla.

opporeserve2,
cdt_engineering,
my_custom,
special_preload,
userdata,
super

daha sonra tekrar aynı download moduna gelerek

super,
userdata,
dtbo,

bölümlerini seçerek tekrar download ettikten sonra sıkıntınız çözülecektir.

English:

Hello. Please deselect partitions i listed below and flash rest of them.

opporeserve2,
cdt_engineering,
my_custom,
special_preload,
userdata,
super

after that again rebooting into download mode flash

super,
userdata,
dtbo,

partitions. Your issue will be fixed after flashing.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    bro can we use this method to revert back from latest b59 firmware in realme 6
    Yes obviously !
    1
    sir please help me i am not able to boot up my phone realme 6 it keeps on restarting on and on and I cannot go into recovery mode also please sir kindly help me I am in need
    Hold power and Volume UP buttons until screen goes black. After that, once you see the screen black (you need to be quick, and might take several tries) plug into pc while holding both volume buttons.

    If not, if it's in a bootloop it's battery will run out rather quickly. Just relax and wait until it powers off.
    1
    can you please provide link for Realme 6i firmware with scatter file ... my device is stuck in boot loop
    Same firmware it works on Realme 6 and 6i Indian Variant.
    1
    can you please provide link for Realme 6i firmware with scatter file ... my device is stuck in boot loop
    Whats your model BTW ???
  • 9
    Hello everyone! So after the new mediatek DAA and SLA protection bypasses you can find github repo of here , using the bypass we are able to use SPFlash Tool, here is a guide how you can do it! This guide is for RMX2001, RMX2002 and RMX2003 ONLY. DON'T DO ANY OF THESE IF YOU HAVE SOMETHING ELSE!

    PLEASE SEE "TROUBLESHOOTING" AT THE END OF THE GUIDE FIRST IF YOU HAVE PROBLEMS IN THE PROCESS BEFORE ASKING!


    ALWAYS USE DOWNLOAD ONLY MODE OF SP FLASH TOOL.
    DON'T TOUCH ANYTHING RELATED TO FORMAT ON SP FLASH TOOL! (IT'S WRITTEN EVERYWHERE, YOU WILL LOSE YOUR IMEIS IF YOU USE FORMAT ALL + DOWNLOAD. YOU ARE SAFE IF YOU USE DOWNLOAD ONLY.)


    VIDEO GUIDES



    FOR LINUX METHOD CLICK HERE - Credits to @bx2_nero

    Windows Method

    Requirements:
    Bypass Tools Pack - (SPFLASH TOOL, DRIVER AND BYPASS FILES)

    Decrypted OFP (OPPO FIRMWARE PACKAGE) Files:

    FULL FIRMWARE - INCLUDES THE "USERDATA" PARTITION, HENCE LARGER.
    B.53 - Mega - Google Drive - Mirror3
    B.37 - Mega - Google Drive - Google Drive 2
    B.23 (First RUI Update for the device) - Mega - Google Drive - Mirror3
    A.50[EU] - Mega - Google Drive
    A.42[EU] - Google Drive - Mirror2


    NOU (NO USERDATA) FIRMWARE - FOR PEOPLE WITH LIMITED DATA PLAN.
    B.53 - Google Drive - Mirror 2
    B.37 - Google Drive - Mirror 2
    B.23 - Google Drive - Mirror 2
    A.50[EU] - Mega - Google Drive
    A.42[EU] - Google Drive - Mirror2

    Please read an explanation of what is userdata partition and how different is this from other firmware here.
    Note: All files with available links above are tested.

    Python (Must add to PATH during installation, see screenshot if you don't understand)
    libusb-win32 - Having Issues? Use this.

    aaf0ca5590e6884c234b1.png

    Make sure to choose the last option.
    1)Open command prompt by running cmd,
    enter
    python -m pip install pyusb pyserial json5
    1611352854113.png

    After the installation, you can re-run the command. If it looks like the screenshot above you're ready to go to next step.

    after the installation leave CMD.
    2) Go to driver folder, find the .inf file right click and press install.
    1611352830350.png

    3)Download this file and install it, after installing plug your phone to PC by connecting your phone to PC while doing Vol+- . You might need this driver as well if it's not detected.

    3a6d351fec8ab9961a5e3.png

    Press next, connect your device to PC while holding Vol+- buttons (your device needs to be powered off) and you will see the mtkdriver down below. Install it.
    310b8508659201f6729f7.png

    Choose MediaTek USB Port and install it.
    4)Turn off your phone and again connect to PC while holding Vol+- buttons then run the brom.bat under Bypass folder. If it says "Protection Disabled" in the end you're ready to go on. (If it's like the screenshot below go on.)
    1611391901952.png

    If you had a problem here, please check the end of the guide for it's fix.

    5)Go into Flash Tool folder and open the SPFlash tool, after that choose scatter file and also if not set, set your download -agent. You don't need to select auth file as authorization is disabled. Once you do it, it should look like this. ALWAYS MAKE SURE DOWNLOAD ONLY MODE IS SELECTED! DON'T SELECT OTHER MODES!

    1611929163628.png

    Click choose DA Agent. (I uploaded an updated bypass tools pack, if you're using older download new one) Go into Bypass Tools Pack > Verified Boot Fix > Choose the "DA_6765_6785_6768_6873_6885_6853.bin" file.

    If its giving error go into Options menu and disable option shown below. You will be able to choose a DA file.
    1611928718706.png


    73cff8e3aa78249f2d298.png

    Make SURE "Download Only" is selected. Don't select ANYTHING ELSE! You will lose your IMEIs, Serial Numbers, Capability of Hardware Attestation etc. if you choose "Format data + Download" make SURE you selected "Download Only".
    1f97e3897519622afb94d.png


    After flashing it should look like this. Download has been complete. Enjoy!

    Now, you can start downloading with the button and after that a checkmark will appear. You can reboot your phone and use it like before now! All your userdata will (inevitably) be cleared!

    POSSIBLE ERROR: "Verified boot enabled."
    1611478791612.png


    There are 2 fixes to this.
    1st Method (DIRECT FIX):
    1611929163628.png

    Click choose DA Agent. (I uploaded an updated bypass tools pack, if you're using older download new one) Go into Bypass Tools Pack > Verified Boot Fix > Choose the "DA_6765_6785_6768_6873_6885_6853.bin" file.

    If its giving error go into Options menu and disable option shown below. You will be able to choose a DA file.
    1611928718706.png


    2nd Method (WORKAROUND):
    If you're getting this error, and you are SURE you used "Download Only" mode, there's a way to get rid of this. First, load the scatter then untick/deselect partitions listed below.

    opporeserve2,
    cdt_engineering,
    my_custom,
    special_preload,
    userdata,
    super,

    After running brom.bat and flashing all partitions except the ones listed above, your phone will be able to reboot to stock recovery. Now select " Power Off" option then go run brom.bat, bypass authorization and then flash partitions listed below from SPFlash Tool.

    super,
    dtbo,
    userdata

    Your device will be able to boot into system after this if you have followed steps correctly.

    POSSIBLE ERROR: Issues while disabling protection;


    1611392223180.png

    Power off your device Restart the process from 2nd step.

    POSSIBLE ERROR: Issues while flashing;
    1611392834527.png


    Power off your device, you will need to do the bypass again. Check your USB Cable, there might be a disconnection. If not, start from 3rd step and make sure you did everything right.

    So, welcome to hell(!).

    For people who want to downgrade:
    If you want to downgrade to any version you would like, just use the B23 file as it is the oldest ofp file i could find for extracting process. If you were on EU version before (Any version starting with A) download ozip from here(for EU) , here(for Global) and manually flash from Realme UI recovery and format your data. Your device will be back at A.XY firmware with EU features (No heytap, no ads, no theme store, no bloatware) you had before.

    For people on EU who want to unbrick:
    So, you can use any version starting with B and it should work. It works in my case, i was on A.48, i flashed B53 and over that flashed B23. No probs at all. If you want to return to EU rom (starting with A) download ozip from here and manually flash from Realme UI recovery and format your data. Your device will be back at A.XY firmware with EU features (No heytap, no ads, no theme store, no bloatware) you had before.

    Thanks --
    https://github.com/bkerler/oppo_decrypt for decryptor.
    https://github.com/MTK-bypass for creating the tool.
    2
    bro can we use this method to revert back from latest b59 firmware in realme 6
    Yes obviously !
    1
    No, I'm not Dinolek. I just talked to him and he accepted my instructions. Let the screenshots lie, I don't mind.
    1
    Thank you daeSundae for helping me, I really appreciate that. So, what do we have:

    Sounds reasonable and I hope it's true. :)

    The phone was fully charged when it bricked, so yes, the battery will last several days I fear, esp. without driving the display.

    Three buttons make 7 possible combinations. I've tried them all, pressing, holding and holding while connecting USB. No reaction at all, unfortunately.

    This is kind of weird. The phone identifies as USB ID 18d1:d001 on Linux which is said fastboot device. fastboot does not see it, only adb does. But maybe it justs sees the device, lists it, but cannot communicate otherwise with it. I guess if the device was just silent (or dead) adb would assume unauthorized, in lack of any other behavior.

    Window btw does not accept the device at all and lists an "Unknown USB Device (Invalid Configuration Descriptor)".

    Sound also reasonable, however waiting for the battery to drain may last a very long time. I am out of ideas on how to force a power off otherwise (apart from sacrificing hardware integrity and disconnecting the battery of course)

    Man, do I miss the old days when a ZergRush was all you needed to root and problems like this were solved by pulling the removable battery... :cool:
    Hello. again. So, i have asked few people about your situation. Conclusion is, if none of these work you will need to wait until battery wears off and device turns itself off, i'm afraid. I will ask you to not use your phone for like a day and not to keep it connected to a computer for a long time. After making sure it powered off (which, i'm guessing there is actually no way to do that) make sure to prepare the brom.bat file plug in your device with VOL+ - combo and go on. Before doing this make sure to Device Manager > Action > Add Legacy Hardware > Next > Install the hardware that I manually select from a list (Advanced) > Show All Devices > Have Disk > Choose the cdc-acm.inf > Choose Mediatek USB Port and install it to not waste time. I hope your problems will be fixed. I have confirmed that BROM mode shouldn't fall into an inaccessible state because there's no efuse.ini blown. It must be there, but you're probably stuck in a mode that doesn't allow doing anything for some reason.
    1
    I am looking forward for your reply
    Thumbs up, my phone is back to life! 🥳
    Your assumption was right, once the battery had drained (I helped along by putting the phone out in the cold, two hours later the battery was down) , BROM mode was accessible again and I could follow your guide to unbrick. I chose B.23 and then updated to A.48 through recovery.
    Thanks again for posting here and your help on the way! (y)
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone