[NB1-Collision] [Alternate method] How to unlock the bootloader of Nokia 8.1 (X7)

hikari_calyx

Senior Member
Jul 20, 2016
Wuhan
hikaricalyx.com
WARNING: The overall procedure requires disassembly and you will definitely lose your warranty!
I'm not responsible for bricking or damaging your device! It's not meant for average users at all!
You can consider importing a Nokia X7 from China as a test subject, as it's cheaper than the Nokia 8.1.


Let me tell you how HMD Nokia Android devices detect whether the unlock key is valid.
A standalone partition, mfd, stores the serial number and the IMEI/MEID/MAC addresses that are used for the bootloader check.
It checks whether the IMEI1 and SN in the mfd partition are valid for the unlock key, instead of those in NVRAM.

To unlock the phone, you need a Nokia 8 NB1 (at least you need to know its IMEI1 and SN) and an unlock key requested officially from HMD. If you don't have one, please ask a Nokia 8 user who successfully requested an unlock key. I'm not going to provide my unlock key or IMEI/SN.

Our theory of unlocking the bootloader is:
1. Hack the mfd partition with the identification of a Nokia 8.
2. Flash the unlock key for Nokia 8 to Nokia 8.1 (X7).
3. Restore mfd partition.

This method is unusable on the Nokia 3.1 / 5.1 or Plus and the Nokia 1 Plus, although MediaTek models are easier to hack with SP Flash Tool.
I guess HMD will block this method soon by changing the public key like before (ProjectCode adds 1 or 2), and you can't request the unlock key again if it's lost, so please keep your unlock key in a safe place.
Let's get started.

Step 1: Download the stock firmware, or just the firehose file, from fih-firmware.hikaricalyx.com/hmd_en.html#pnx
You'll need the firehose file from it. I strongly recommend using the firehose file from the "OSTLA_X7-OTA-Repair_002" package for a faster procedure.

Step 2: Dump the mfd partition
To dump the mfd partition, you can either put your phone into Qualcomm EDL mode with the wire trick or use an eMMC programmer, which is too hardcore to be covered here.
After you remove the back cover, you can find these two points easily. Power off your phone, use tweezers or a wire to short them, and connect it to the PC. The position is posted as an attachment below. If you did it right, the phone will boot into Qualcomm EDL mode and you can remove the tweezers or wire.
Now open QFIL and load the firehose file from the stock firmware. To dump the mfd partition, use the Partition Manager in QFIL, right-click on the mfd partition, choose Properties, then click "Read". The dumped mfd partition is located at %AppData%\Qualcomm\QFIL\COMPORT_XX .

Step 3: Use a hex editor to change the IMEI and SN written in the mfd partition

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  44 66 4D 5F 00 00 00 00 09 00 00 00 73 77 69 64  DfM_........swid
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  70 72 6F 64 75 63 74 69 64 00 00 00 00 00 00 00  productid.......
00000070  50 4E 58 47 41 4D 30 31 32 33 34 35 36 37 38 39  PNXGAM0123456789
00000080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000B0  10 00 00 00 62 74 5F 6D 61 63 00 00 00 00 00 00  ....bt_mac......
000000C0  00 00 00 00 xx xx xx xx xx xx xx xx xx xx xx xx  ....xxxxxxxxxxxx
000000D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000100  00 00 00 00 0C 00 00 00 77 69 66 69 5F 6D 61 63  ........wifi_mac
00000110  00 00 00 00 00 00 00 00 xx xx xx xx xx xx xx xx  ........xxxxxxxx
00000120  xx xx xx xx 00 00 00 00 00 00 00 00 00 00 00 00  xxxx............
00000130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000150  00 00 00 00 00 00 00 00 0C 00 00 00 69 6D 65 69  ............imei
00000160  5F 31 00 00 00 00 00 00 00 00 00 00 33 35 36 39  _1..............
00000170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
For the Nokia 8.1 / X7, IMEI1/IMEI2 aren't written in the mfd partition at all, but we can write them as we want.
Note that hacking the mfd partition will not change your IMEI in NVRAM, which would be illegal. It only changes the IMEI that is used to verify the unlock key in fastboot mode. As it's not written at all, I can assume HMD Global wasn't willing to unlock the Nokia 8.1 / X7 from the beginning.

IMEI1 starts at offset 0x0000016C. I'll assume the IMEI and SN of your Nokia 8 are 123456789012347 and NB1GAD2780012345; I needn't mention where to find them.

Here's the modified mfd partition:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  44 66 4D 5F 00 00 00 00 09 00 00 00 73 77 69 64  DfM_........swid
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  70 72 6F 64 75 63 74 69 64 00 00 00 00 00 00 00  productid.......
00000070  4E 42 31 47 41 44 32 37 38 30 30 31 32 33 34 35  NB1GAD2780012345
00000080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000B0  10 00 00 00 62 74 5F 6D 61 63 00 00 00 00 00 00  ....bt_mac......
000000C0  00 00 00 00 xx xx xx xx xx xx xx xx xx xx xx xx  ....xxxxxxxxxxxx
000000D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000100  00 00 00 00 0C 00 00 00 77 69 66 69 5F 6D 61 63  ........wifi_mac
00000110  00 00 00 00 00 00 00 00 xx xx xx xx xx xx xx xx  ........xxxxxxxx
00000120  xx xx xx xx 00 00 00 00 00 00 00 00 00 00 00 00  xxxx............
00000130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000150  00 00 00 00 00 00 00 00 0C 00 00 00 69 6D 65 69  ............imei
00000160  5F 31 00 00 00 00 00 00 00 00 00 00 31 32 33 34  _1..........1234
00000170  35 36 37 38 39 30 31 32 33 34 37 00 00 00 00 00  56789012347.....
Save it somewhere else, and please keep your original mfd partition so it can be restored later.

Step 4: Write back the mfd partition and unlock the bootloader
Use QFIL to write back the mfd partition, using either Partition Manager or your own rawprogram0.xml, which I needn't explain here.
After the mfd partition is written back, force a reboot by holding both the volume up and power keys. Then boot your phone into fastboot mode by any method you're familiar with. Don't put the back cover on yet.

Now flash the unlock key for the Nokia 8 to it:
Code:
fastboot flash unlock unlock.key
fastboot flashing unlock
Under the Android 9 bootloader, the "fastboot flashing unlock_critical" command is treated as "fastboot flashing unlock", so you can't perform a critical unlock unless you downgrade the bootloader partitions (abl, xbl, xbl_config and tz) to the PNX-124F firmware, which you can find in the PNX-124F-0-00CN-B05 stock firmware.

Then confirm bootloader unlock on the phone as usual.

Step 5: Restore the mfd partition
To prevent strange issues, you still need to restore your original mfd partition in Qualcomm EDL mode, which I needn't explain how to do.
After that, you may put the back cover back on, and rooting the phone / installing a custom ROM is possible.

That covers the whole bootloader unlock theory. Since it uses the unlock key from a Nokia 8 and I tricked the phone into identifying as a Nokia 8, I call the unlock method "NB1-Collision". However, I can clearly see HMD is still not prepared for bootloader unlocking.
Because even when the bootloader is unlocked, a retail device still doesn't allow us to flash partitions as we want.
When flashing a partition, it tells us "Flashing is not rooted for fused device". When trying to perform a temporary boot in fastboot mode with the retail abl, it says "Unknown command", and the same "Flashing is not rooted for fused device" error appears with the service abl.
So the next step is how to hack the fuse status to disable it - this is up to you.

As for how I can unlock and root the phone without disassembly, that's a paid method that I can't disclose here.

Attachments: EDL test point position (image not reproduced in this text)
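Added example (not the author's tool and not part of the original post): a small Python script that parses the mfd record table as it appears in the dumps above and applies the Step 3 edit programmatically instead of by hand in a hex editor. The record layout it uses (an 8-byte header starting with the "DfM_" magic, then 84-byte records made of a 4-byte little-endian length field, a 16-byte NUL-padded name and a 64-byte value, which is why the tags sit at 0x08, 0x5C, 0xB0, 0x104 and 0x158) is an assumption inferred from the offsets in the dump, so check it against your own dump before writing anything back. The sample image, the function names and the 512-byte padding are constructed for the example; the Luhn check is only a typo guard on the IMEI you type, not something the bootloader is known to require; and the length fields are left untouched because the author's modified dump leaves them untouched too.

```python
# Added example (not the author's tool): parse and patch the mfd record table shown above.
# ASSUMED layout, inferred from the tag offsets in the posted dump (verify on your own dump):
#   8-byte header beginning with "DfM_", then 84-byte records of
#   <4-byte LE length><16-byte NUL-padded name><64-byte value>
import struct

MAGIC = b"DfM_"
HEADER_SZ = 8
LEN_SZ, NAME_SZ, VALUE_SZ = 4, 16, 64
REC_SZ = LEN_SZ + NAME_SZ + VALUE_SZ  # 84 = 0x54, the spacing between tags in the dump


def build_sample_mfd() -> bytearray:
    """Constructed sample image, not a real dump: same tags and offsets as the post."""
    img = bytearray(512)  # padded, so the table ends well before the image does
    img[0:4] = MAGIC
    records = [  # (length field, name, value) as they appear in the original dump
        (9, b"swid", b""),
        (0, b"productid", b"PNXGAM0123456789"),  # X7 serial number from the post
        (16, b"bt_mac", b"x" * 12),              # redacted in the post; placeholder here
        (12, b"wifi_mac", b"x" * 12),
        (12, b"imei_1", b""),                    # not populated on the 8.1 / X7
    ]
    off = HEADER_SZ
    for length, name, value in records:
        struct.pack_into("<I", img, off, length)
        img[off + LEN_SZ:off + LEN_SZ + len(name)] = name
        vstart = off + LEN_SZ + NAME_SZ
        img[vstart:vstart + len(value)] = value
        off += REC_SZ
    return img


def parse_records(img: bytes) -> list:
    """Return (record_offset, length_field, name, value) tuples up to the first empty name."""
    if bytes(img[:4]) != MAGIC:
        raise ValueError("missing DfM_ magic; this is not an mfd image")
    out, off = [], HEADER_SZ
    while off + REC_SZ <= len(img):
        length = struct.unpack_from("<I", img, off)[0]
        name = bytes(img[off + LEN_SZ:off + LEN_SZ + NAME_SZ]).rstrip(b"\0")
        if not name:
            break  # end of the table; the rest of the partition is padding
        vstart = off + LEN_SZ + NAME_SZ
        value = bytes(img[vstart:vstart + VALUE_SZ]).rstrip(b"\0")
        out.append((off, length, name.decode("ascii", "replace"), value))
        off += REC_SZ
    return out


def value_offset(img: bytes, name: str) -> int:
    """Offset of a record's 64-byte value field (0x70 for productid, 0x16C for imei_1)."""
    for off, _length, rec_name, _value in parse_records(img):
        if rec_name == name:
            return off + LEN_SZ + NAME_SZ
    raise KeyError(f"no record named {name!r} in the mfd image")


def patch_value(img: bytes, name: str, new_value: str) -> bytearray:
    """Overwrite one value field in place, NUL-padding the rest of it.
    The length field is left alone on purpose, as in the author's modified dump."""
    data = new_value.encode("ascii")  # identifiers are plain ASCII; anything else is a typo
    if len(data) > VALUE_SZ:
        raise ValueError(f"{name}: {len(data)} bytes do not fit a {VALUE_SZ}-byte field")
    vstart = value_offset(img, name)
    out = bytearray(img)
    out[vstart:vstart + VALUE_SZ] = data.ljust(VALUE_SZ, b"\0")
    return out


def luhn_ok(imei: str) -> bool:
    """Input sanity check only: 15 digits with a valid Luhn check digit (catches typos)."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, then sum its digits
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def changed_offsets(before: bytes, after: bytes) -> list:
    """Byte offsets that differ; review them before writing the image back with QFIL."""
    if len(before) != len(after):
        raise ValueError("image size changed; a partition image must keep its size")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def prepare_nb1_collision(img: bytes, nb1_sn: str, nb1_imei1: str) -> bytearray:
    """Step 3 of the post: write the Nokia 8 SN into productid and its IMEI1 into imei_1."""
    if not luhn_ok(nb1_imei1):
        raise ValueError("IMEI1 is not a well-formed 15-digit IMEI; check it for typos")
    return patch_value(patch_value(img, "productid", nb1_sn), "imei_1", nb1_imei1)


if __name__ == "__main__":
    original = build_sample_mfd()
    modified = prepare_nb1_collision(original, "NB1GAD2780012345", "123456789012347")
    for off, length, name, value in parse_records(modified):
        print(f"0x{off:04X} len={length:<3} {name:<10} {value!r}")
    print("changed:", [hex(o) for o in changed_offsets(original, modified)])
```

Run it as a script to see the record table and the list of changed offsets. On a real dump, read the file into a bytes object instead of calling build_sample_mfd(), and confirm that changed_offsets() reports only bytes inside the productid and imei_1 value fields before writing the image back; anything outside those two ranges means the layout assumption does not hold for your dump.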

wrp2015

Member
Feb 19, 2016
Later today I will be receiving the Nokia 8.1, an Android One phone. I want to have the bootloader unlocked and run LineageOS. Does anyone know if it can be done? I really would want the phone to be Google-free. I am not a developer, so I will need help from someone trustworthy.

nickyip123

Senior Member
Apr 25, 2014
wrp2015 said:
Later today I will be receiving the Nokia 8.1, an Android One phone. I want to have the bootloader unlocked and run LineageOS. Does anyone know if it can be done? I really would want the phone to be Google-free. I am not a developer, so I will need help from someone trustworthy.
No, the BL can't be unlocked right now. As you can see on XDA, there's no custom rom for Nokia 8.1 / Nokia X7.

wrp2015

Member
Feb 19, 2016
nickyip123 said:
No, the BL can't be unlocked right now. As you can see on XDA, there's no custom rom for Nokia 8.1 / Nokia X7.
Thank you for your response. Since the phone is brand new and I haven't even unpacked it, I am ready to send it back for a refund. Is there a phone with similar specs and a similar price (about 300 euro) to the Nokia 8.1 that I could run LineageOS on?
A good speaker and a large screen are some of the things important to me. I do not do any gaming.
I am located in the Netherlands, Europe. Is it an easy process to install LOS (I am not an expert in these things and my schedule is overfull as it is), or will I need to find someone who is willing to do it for me for a fee? In the latter case, where would I go?
Is it recommended for laymen to run LOS on their phones, as when something goes wrong they won't know what to do?