Huawei - bootloader - root

szilveszter21

Member
Apr 8, 2019
Hi,

Just came over from Apple after a long time, selected the best price/hw (non-noname) device. I was always trying to jailbreak my phone, and thought Android a better place to get out of your sandboxed environment. At the end of the story I searched a lot on XDA forums and found that with a Mate 20 Pro and no bootloader code nothing can be done in an easy way. There are a lot of threads telling how to get bootloader codes, but currently the situation is this:
  1. Funky - down! And if it did give one, it would cost a lot of money, an unrealistically high price.
  2. Global unlock solutions - not answering or selling anything in real life.
  3. Ministry of Solutions - also unavailable.
Huawei is no longer giving lower-level access to the phone's "bootloader". To be honest this is disgusting, more disgusting than with Apple; at least there you know when you buy that people are working on jailbreaks, and if you don't update one day you will be happy. With Huawei now we are in a crazy situation: during the firmware build they have associated a number with your IMEI and possibly with the serial (as on Huawei this field was mandatory for the unlock code)...

Each device got a number, and it would potentially make sense to know the exact hashing algorithm used when it is checked; if we get that and use hashcat, that could be a good solution, as if I remember well it is 16 digits for Huawei devices, so brute force with hashcat, not on the actual phone, is possible...

I was thinking of brute force, but they also reboot the phone every 5 tries, so when you want to brute force, 4 tries then a reboot, this needs time... I am really disappointed that you buy an Android phone and you are almost in the same cage as with an Apple iPhone.

Guys, someone please summarize what the possibilities are with the bootloader; is anyone working to replicate the hashing mechanism?

This should be possible for geeks to brute force; we just need to eliminate the phone condition. How long does it take to virtually run a cloned bootloader on a PC and pass a code through in milliseconds? In theory, if we get the mechanism known and can utilize hashcat for cracking with a numeric-only password, it would be a short journey.

Please make a summary of the current progress and future plans for rooting and unlocking newer Huawei devices.

When I was holding my last "free" phone, a completely Linux-opened phone, it allowed you to enter the deepest bootloader and it brought up the next one for flashing like an EEPROM, flash mode or persistent... I am quite sure if you can't go deeper than fastboot you cannot brick your phone, so Huawei's statement is not correct; yes, you could soft brick your phone, but as long as you have a flashing interface all should go well. I am crying for phones like the Nokia N900 Linux mobile, where it was actually your decision what you want to install on your phone without virtualization/containers/sandboxes.

Please keep us updated about the possibilities and future plans for the bootloader, as in the last week I completely lost my trust in Huawei; no one tells anything. I also wrote to them asking if they could send me my code, but they are simply ignoring my mail at Huawei ;)

I am a bit of a beginner, but I guess I read almost every post about this problem, and each post is outdated, so let's just bring the info together; first post, a long post :(
 

djisgod

Senior Member
Oct 10, 2011
torquay
Buy an unlock code; they pop up every now and then but you have to be fast. I got one for six dollars just last week. Root with Magisk and you are all set.
 

dimon222

Senior Member
Sep 27, 2010
Toronto
romanenko.in
Tl;dr: if you want freedom with firmwares, kernels, root and an easy life, you probably picked the wrong device.

The code is generated in an unknown way and is tied into a special partition in an encrypted way so that it's difficult to take it out. In previous Android versions it was plain text, so it was possible to get it via exploits, but now no more. Like you mentioned, it's complicated to even brute force it, and risky to play with partitions with a high chance of making a brick out of a 1k$ device.

The base with unlock codes was open for engineers until the middle of last year when Huawei started the shutdown of unlocks. Services like Funky, Global and Ministry are just middlemen who have contacts with Huawei engineers who can get the code when the base with keys is open. The base was closed the whole time from Jan to April 2019 (Huawei started hunting engineers breaking rules?), and then it suddenly opened for a couple of days (that's why you see some happy faces here). They recently closed it again, so yes, it's expected that everyone is quiet now since nobody has access. It will be the same until the next opening happens (if it ever will?)

PS: If you still want to play with a high risk of making a brick, there's a Telegram group "Big Huawei Exploits" where people are trying to figure out security workarounds, but it's far from the average user experience of a typical bootloader unlock without knowing the internals of EMUI 9 and the Huawei bootloader.
PS2: The full potential of root is not realized for our device due to problems with bootloader unlock (boomer), Huawei partitioning (TWRP vs Magisk, choose one ONLY) + Xposed causes bootloop + incompatibilities with non-x64 drivers for many things like V4A, which is making our device go into bootloop.
 

szilveszter21

Member
Apr 8, 2019
Here is where I got mine for 6 USD.

I have not used it yet but I have it just in case. Others have bought from the same source and confirm that it works.

Sent from my LYA-L0C using Tapatalk
Which did you pick?
Ignore this, they are not selling bootloader unlock codes, they are selling reset codes for locked devices. I paid 6$ for literally nothing and 14$ to be spent at their site ;). If you got a phone FRP locked, then you can wipe your device and reconfigure; it doesn't help with OEM. I also asked them via e-mail; they don't support it and it will not be supported by them :(
 

djisgod

Senior Member
Oct 10, 2011
torquay
Ignore this, they are not selling bootloader unlock codes, they are selling reset codes for locked devices. I paid 6$ for literally nothing and 14$ to be spent at their site ;). If you got a phone FRP locked, then you can wipe your device and reconfigure; it doesn't help with OEM. I also asked them via e-mail; they don't support it and it will not be supported by them :(
You got the wrong code. They were selling bootloader unlock codes but have taken them off the site for now. I successfully unlocked my bootloader using the code I purchased from https://sickw.com/?page=bootloader but they are no longer selling them.
 

szilveszter21

Member
Apr 8, 2019
well....

Tl;dr: if you want freedom with firmwares, kernels, root and an easy life, you probably picked the wrong device.

The code is generated in an unknown way and is tied into a special partition in an encrypted way so that it's difficult to take it out. In previous Android versions it was plain text, so it was possible to get it via exploits, but now no more. Like you mentioned, it's complicated to even brute force it, and risky to play with partitions with a high chance of making a brick out of a 1k$ device.
Well, I don't want to decrypt the ROMs; I have no time to play so much with hashcat, but if we can virtually load the fastboot into a PC app where we can inspect the runtime memory, that would make things easier, especially for someone who is used to assembly languages and reverse engineering...
There could be 2 types of how they created the BL unlock code: an algorithm using the IMEI and possibly the S/N, or it is just random. There should be a tiny database of the bootloader code on each device, as if they are not giving a "personalised fastboot", that means the required code, or the output of the creation process, must persist somewhere, and don't forget, if we can load the ROM into a monitored environment we can see what is going to be read from which address in runtime memory.

The base with unlock codes was open for engineers until the middle of last year when Huawei started the shutdown of unlocks. Services like Funky, Global and Ministry are just middlemen who have contacts with Huawei engineers who can get the code when the base with keys is open. The base was closed the whole time from Jan to April 2019 (Huawei started hunting engineers breaking rules?), and then it suddenly opened for a couple of days (that's why you see some happy faces here). They recently closed it again, so yes, it's expected that everyone is quiet now since nobody has access. It will be the same until the next opening happens (if it ever will?)


Well, I am now using iPhone and Android as a user; I enjoy Debian-based Linux on my iPad, which actually jailbreaks well. I just came originally from Maemo, and there everything is possible; you can't actually brick an ARM board, the lowest level there will be a ROM which contains the minimal OS which allows you to flash rootfs and MMC media afterward. I assume this is similar to Intel CPU + BIOS with ARM: you can make your computer inoperative, but you can't break it down via a keyboard or any software; your BIOS is the lowest level which allows minimal control over voltages and such things which could entirely destroy your peripherals and devices. If I am thinking right, the minimal system you can dig down to in the layers right now is fastboot, which still seems to be some fancy stuff with too much additional information; can't we dig deeper? Or is flashing the flashing ROM only possible via a diagnostic port which they used during the assembly of the devices? On Nokia geek devices you could go to the deepest level possible and implement multiboot for multiple operating systems; rootfs and media were on different devices, not just different mounts/partitions... I am sad no one is creating pocket computers; I got a bit upset, so my new N900 is on its way, however that device is a 10-year-old construction, it is good for things like playing MS-DOS games and some tries with C/C++ but nothing more. I am sure I will need to make a new OpenSSL binary to be able to browse SHA-2 SSL sites :D
 

szilveszter21

Member
Apr 8, 2019
Idea

Guys, I dug a lot to understand the boot sequence and how the calls/components are loaded. As far as I saw, all current Android ARM systems use the Little Kernel open-source bootloader, with modifications. It is called A-BOOT and the interface we communicate with is fastboot. The bootloader verifies the signature at each flashing of each ROM, and eventually during loading as well. With "unlocking" you get the ability to bypass the signature check. Eventually I looked into the ROM files; they are encrypted, that's a thing, but the question is what is in the runtime memory.

Just an idea, if we have here someone friendly with ARM and assembly/memory inspecting who has 1 or more bootloader codes already...

Is this approach possible for some extra geeks?
  • download a virtual ARM machine
  • load the ROM, only the aboot required, with the OEM application with it
  • check in the VM's memory what happens when the code is entered incorrectly/correctly

As I read, it is secured for the ROM images and signatures (from unauthorized changes); I don't think the bootloader itself as an application has encrypted memory. So in theory, "I am optimistic", if you have your S/N | your BL code, and the | runtime memory hash, TADA, we can rebuild the hashing algorithm. I am not experienced with ARM at all, especially not with its CPU operation and memory addressing, so I would need some hyper geek who is experienced. It is just an idea, whether reverse engineering is possible this way or not :). Of course, as I can see, it needs a lot of work without any return, but the challenge is hard :D

P.S. The first tough thing I can imagine: you need a USB driver for fastboot on the virtual ARM, you need a connected client for the fastboot protocol, so a virtual USB service. You need to be able to set breakpoints in the virtual ARM box; those are just what came into my mind, even if you know ARM/assembly...
 