[GUIDE] UNBRICK/DOWNGRADE YOUR REALME 6/6I(INDIA)/6S USING SPFLASH TOOL FOR FREE!

[cmfan]

I think I have tried all 7 possible combinations with the buttons, none of them gave a reaction.

Charger is a good point: the phone shows no reaction upon plugging in, however I can measure the charger's power consumption and it reaches the expected 30W, so yes, charging works.

fastboot doesn't recognize the phone:

$ fastboot reboot
< waiting for any device >

adb commands are all unauthorized (except connection commands, but these do not require any interaction with the device):

$ adb reboot
error: device unauthorized.
This adb server's $ADB_VENDOR_KEYS is not set
Try 'adb kill-server' if that seems wrong.
Otherwise check for a confirmation dialog on your device.

$ adb devices
List of devices attached
0123456789ABCDEF    unauthorized

$ adb reconnect
reconnecting 0123456789ABCDEF  [unauthorized]

$ adb reconnect device

$ adb reconnect offline
reconnecting 0123456789ABCDEF

adb could have received the serial no. from the USB controller, no need to actually communicate with phone itself:

$ lsusb -v |grep -A85 18d1:d001
Bus 001 Device 011: ID 18d1:d001 Google Inc. Nexus 4 (fastboot)
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.10
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x18d1 Google Inc.
  idProduct          0xd001 Nexus 4 (fastboot)
  bcdDevice            4.14
  iManufacturer           1 realme
  iProduct                2 RMX2001
  iSerial                 3 0123456789ABCDEF
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0020
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          4 adb
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass     66 
      bInterfaceProtocol      1 
      iInterface              5 ADB Interface
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
Binary Object Store Descriptor:
  bLength                 5
  bDescriptorType        15
  wTotalLength       0x0016
  bNumDeviceCaps          2
  USB 2.0 Extension Device Capability:
    bLength                 7
    bDescriptorType        16
    bDevCapabilityType      2
    bmAttributes   0x00000006
      BESL Link Power Management (LPM) Supported
  SuperSpeed USB Device Capability:
    bLength                10
    bDescriptorType        16
    bDevCapabilityType      3
    bmAttributes         0x00
    wSpeedsSupported   0x000f
      Device can operate at Low Speed (1Mbps)
      Device can operate at Full Speed (12Mbps)
      Device can operate at High Speed (480Mbps)
      Device can operate at SuperSpeed (5Gbps)
    bFunctionalitySupport   1
      Lowest fully-functional device speed is Full Speed (12Mbps)
    bU1DevExitLat           1 micro seconds
    bU2DevExitLat         500 micro seconds
Device Status:     0x0000
  (Bus Powered)

You have mentioned that there are more people with bricked phone due to the A.11. How are they doing. Especially I wonder if any of the formatted devices still react?

 

[cmfan]

Hello. again. So, i have asked few people about your situation. Conclusion is, if none of these work you will need to wait until battery wears off and device turns itself off, i'm afraid. I will ask you to not use your phone for like a day and not to keep it connected to a computer for a long time. After making sure it powered off (which, i'm guessing there is actually no way to do that) make sure to prepare the brom.bat file plug in your device with VOL+ - combo and go on. Before doing this make sure to Device Manager > Action > Add Legacy Hardware > Next > Install the hardware that I manually select from a list (Advanced) > Show All Devices > Have Disk > Choose the cdc-acm.inf > Choose Mediatek USB Port and install it to not waste time. I hope your problems will be fixed. I have confirmed that BROM mode shouldn't fall into an inaccessible state because there's no efuse.ini blown. It must be there, but you're probably stuck in a mode that doesn't allow doing anything for some reason.

Ah, you've been faster than me . Ok, good to hear that BROM mode is supposed to be still available. So I'll do the waiting then and report back of course.

Again, thank you for assisting so far.

 

[daeSundae]

You have mentioned that there are more people with bricked phone due to the A.11. How are they doing. Especially I wonder if any of the formatted devices still react?

Okay. So well, i also flashed the A.11 firmware meaning we are the only ones who used that firmware for flashing, there are other people but the problem with theirs is that they used Format All + Download and after that device still can get into a download mode even after all but they can't boot into system for a reason I do not know. Some of people have already requested motherboard replacement 'n stuff. I will request you to not use that mode (Format All + Download) even if you can, since your device won't be having a Serial Number, IMEI numbers, will lose the capability of hardware attestation, no MAC adresses etc. As i said, it's better to wait and since the device is running i doubt it will take more than 2 days before it fully powers off. Even if your computer fails to bypass authorization like this, plug it out immediately and wait for an hour or so to make sure it turns off, after that restarting from 2nd step, re-installing it's filter using libusb-win32 should fix this problem.

Spoiler: TROUBLESHOOTING - FAQ AND FIXES

Issues while disabling protection;


View attachment 5196241
Power off your device Restart the process from 2nd step.

 

[cmfan]

they used Format All + Download

Too bad . There are some tutorials on Hovatek explaining how to set IMEIs, if they still know them (mine has a sticker on the back stating them plus they're on the original case the phone came in too).

i doubt it will take more than 2 days before it fully powers off.

I hope so, however the battery is said to be pretty good (I can't tell, because rooting was the first thing I did with the phone ) and my 8 years old Xperia Mini lasts over a week when just lying around in Airplane mode and that's an old battery and running Android.. Who knows how little the stale mode I'm stuck in will consume? Time will tell.

 

[daeSundae]

Too bad . There are some tutorials on Hovatek explaining how to set IMEIs, if they still know them (mine has a sticker on the back stating them plus they're on the original case the phone came in too).

I hope so, however the battery is said to be pretty good (I can't tell, because rooting was the first thing I did with the phone ) and my 8 years old Xperia Mini lasts over a week when just lying around in Airplane mode and that's an old battery and running Android.. Who knows how little the stale mode I'm stuck in will consume? Time will tell.

I am looking forward for your reply

 

[MEGAFON929]

I add your Instruction in my site https://megafon929.github.io/mtk

 

[daeSundae]

I add your Instruction in my site https://megafon929.github.io/mtk

Thanks.

 

[chemicalboyxda]

Hi have my phone in bootloader unlocked but bricked and this method works 100%. My phone is alive again!!!
I have an RMX2001 with eu rom, but i installed the B53 that is better. You can use that ver if you want.

 

[daeSundae]

Hi have my phone in bootloader unlocked but bricked and this method works 100%. My phone is alive again!!!
I have an RMX2001 with eu rom, but i installed the B53 that is better. You can use that ver if you want.

Glad to see people are able to unbrick. About EU roms, yes its possible to return to A.Xy version but i'm not sure if any decrypted ofps will work. It caused weird issues with devices it was tested on so i had to remove it's link. Enjoy an unbricked phone! : PP

 

[cmfan]

I am looking forward for your reply

Thumbs up, my phone is back to life!
Your assumption was right, once the battery had drained (I helped along by putting the phone out in the cold, two hours later the battery was down) , BROM mode was accessible again and I could follow your guide to unbrick. I chose B.23 and then updated to A.48 through recovery.
Thanks again for posting here and your help on the way!

 

[daeSundae]

Thumbs up, my phone is back to life!
Your assumption was right, once the battery had drained (I helped along by putting the phone out in the cold, two hours later the battery was down) , BROM mode was accessible again and I could follow your guide to unbrick. I chose B.23 and then updated to A.48 through recovery.
Thanks again for posting here and your help on the way!

Glad to hear! I will tomorrow be testing another EU ofp with %3 battery then! I will keep it updated here as well. Thanks for reporting back!

 

[ttok.online]

you can see more here about free
or here with Cm2 Dongle
ttokonline

 

[1thesandy1]

Please help my phone is in red state continuously restart and after pressing +- power button it's boots again

 

[1thesandy1]

Traceback (most recent call last):
File "main.py", line 3, in <module>
from src.device import Device
File "E:\Bypass Tools Pack\Bypass\src\device.py", line 4, in <module>
import serial.tools.list_ports
ModuleNotFoundError: No module named 'serial'
Press any key to continue . . .




i am getting this error please help

 

[1thesandy1]

Thank you daeSundae for helping me, I really appreciate that. So, what do we have:

Sounds reasonable and I hope it's true.

The phone was fully charged when it bricked, so yes, the battery will last several days I fear, esp. without driving the display.

Three buttons make 7 possible combinations. I've tried them all, pressing, holding and holding while connecting USB. No reaction at all, unfortunately.

This is kind of weird. The phone identifies as USB ID 18d1:d001 on Linux which is said fastboot device. fastboot does not see it, only adb does. But maybe it justs sees the device, lists it, but cannot communicate otherwise with it. I guess if the device was just silent (or dead) adb would assume unauthorized, in lack of any other behavior.

Window btw does not accept the device at all and lists an "Unknown USB Device (Invalid Configuration Descriptor)".

Sound also reasonable, however waiting for the battery to drain may last a very long time. I am out of ideas on how to force a power off otherwise (apart from sacrificing hardware integrity and disconnecting the battery of course)

Man, do I miss the old days when a ZergRush was all you needed to root and problems like this were solved by pulling the removable battery...

bro I needyour help

 

[daeSundae]

you can see more here about free
or here with Cm2 Dongle
ttokonline

To be honest I don't mind my guide being stolen etc. To me, important part is people unbricking. Nice to see An Arabic guide now after a Russian guide yesterday. Am not really sure if XDA allows it, but thanks for translating and helping more people by it!

 

[daeSundae]

Traceback (most recent call last):
File "main.py", line 3, in <module>
from src.device import Device
File "E:\Bypass Tools Pack\Bypass\src\device.py", line 4, in <module>
import serial.tools.list_ports
ModuleNotFoundError: No module named 'serial'
Press any key to continue . . .




i am getting this error please help

Try following the guide as instructed. If you have an issue, instead of sending the output as text send screenshots. I will recommend you to start from beginning of the guide.

 

[abdulkoroglu]

I saw the username yusuf in my friend's pictures. My name is abdullah realme I bought 6 phones with an enthusiasm, I said to root, I succeeded, but I stupidly locked the flash from fastboot because I was done. Now I get a red state error, every 5 seconds the device turns off and on, the rom.ozip file I found on its site, the installers want rom.ofp, the other one asks strach.txt. so I'm in ruins, I'm trying your method, but I get a "no such file or dictionary" error in brom, I think because the device is constantly resetting itself. I hope you can help me.

 

[abdulkoroglu]

seni meşgul ediyorum ama bu hatayada bakarmısın ağlıcam artık

 

[daeSundae]

View attachment 5202393seni meşgul ediyorum ama bu hatayada bakarmısın ağlıcam artık

Merhaba. Lütfen aşağıda listelediğim bölümlerin seçimini kaldırıp kalan kısmını flaşla.

opporeserve2,
cdt_engineering,
my_custom,
special_preload,
userdata,
super

daha sonra tekrar aynı download moduna gelerek

super,
userdata,
dtbo,

bölümlerini seçerek tekrar download ettikten sonra sıkıntınız çözülecektir.

English:

Hello. Please deselect partitions i listed below and flash rest of them.

opporeserve2,
cdt_engineering,
my_custom,
special_preload,
userdata,
super

after that again rebooting into download mode flash

super,
userdata,
dtbo,

partitions. Your issue will be fixed after flashing.