Redmi 3S bootloader CRACKING method


AgentVoid

Senior Member
Sep 7, 2016
183
24
21
Firstly I want to thank @fxsheep for this unlocking method. This is my experience, which I personally tried. I had lost all my hopes in Xiaomi because they didn't give a F about my emails, bug reports and bug posts on the Mi forums, and no one gave me an actual fix. I was pretty sure that the problem was on their side, but they were giving me an ancient VPN fix and telling me to wait and wait and wait... until I die. But thanks to @cristihan for giving me this post link, which saved me and my 3S's life. During unlocking my device (which is on the latest MIUI 10 developer ROM) I used a 32-bit Windows computer, so I can confirm that you can use a 32-bit computer to flash it in EDL mode, but remember to install the 9008 32-bit drivers from xiaomifirmware. I DIYed my USB cable without cutting it. Just use a piece of open copper wire and insert it inside the male USB connector at the 2nd pin from the left (you can also watch on YouTube how to make a USB deep flash cable without cutting it). I inserted it into my PC, my phone got into EDL mode, and I just removed my USB cable, removed the copper wire from the USB connector and reinserted the cable into my PC. It amazed me that removing and reinserting the USB cable didn't make the phone get out of EDL mode. I had already installed the EDL 9008 drivers and fastboot drivers from the xiaomifirmwaredotcom post (which is linked on page 2 of this forum) and refreshed Mi Flash tool; I also replaced both XML files in this post's BL unlocking folder with the xiaomifirmware XML files.
I didn't use the xiaomifirmware BL unlocker because xiaomifirmware has a long procedure. Then I flashed it, then I turned on my device, which gave me a scary warning on the boot logo, but my device booted up to the home screen. Then I powered off again and rebooted my device into fastboot mode, and in my fastboot setup I used Shift+right click, opened a command window and typed these magical words, "fastboot oem unlock-go", and voila, my bootloader was unlocked. Finally I took a fresh breath of independence from MIUI. Then I installed TWRP with this method:
Downloaded twrp latest land
Placed it where I've got my fastboot setup
Renamed it as twrp
Type command fastboot flash recovery twrp.IMG
Got success
But I had a problem here, because when typing the command "fastboot reboot-recovery or fastboot boot recovery" it just didn't accept it, but I managed it by manually opening TWRP using Vol Up + Power.
Now I am very happy typing this with Havoc OS 9.0 Pie on my Redmi 3S.
I also want to say that this method is 1000 times more efficient and time-saving than Xiaomi's outdated unlock tool method, with Xiaomi's own errors which they don't want to fix (or put there intentionally to prevent us from using ROMs other than MIUI). Also, there is still neither any fix posted nor any MIUI developer taking a peek at consumer problems. Because MIUI developers are lazy AF and they just want more money from us.
Thanks to @fxsheep again.
 

cristihan

Senior Member
Oct 9, 2016
274
109
Timisoara
Unlock Redmi 3S without Xiaomi permission

Yep dude I will do it at my risk...

Start Mode options for Redmi 3S:
- Fastboot mode: (Vol-) + (Power Button)
- Recovery mode: (Vol-) + (Vol+) + (Power Button)

Xiaomi Redmi 3S has the ability to enter the EDL (Emergency Download) mode through Fastboot blocked.
For this you need a special cable (DFC - short for Deep Flash Cable), which will force it (the phone) into download mode.
You can buy one from eBay or you can build one of your own. For last option you need the original Xiaomi
cable because all manufacturers sculpt the cable in their own way, have their own colors and designs...
In general, using the colors used by Xiaomi is the safest way.

For second option, do as follows:

- Cut the insulation of the cable along the wires with a blade or a sharp knife.
- Expose the wires at a distance of 4-5cm and gently clean the colored insulation from the black and green wires.
- I got the following : (Xiaomi cable.png)
- Solder a SMT/SMD Microswitch tactile push button or any micro switch with normally open contact as in attached photo
or search on youtube how to do it:(dfc-EN.jpg,SMT-SMD-Microswitch.jpg,dfc-2.jpg)
If you do not have a microswitch leave them so, insulated.

Stage 1.
- Disable Driver Signature Enforcement in Windows 7,8,10_64-Bit
(you can re-enable it after you finish with your phone if you want)
* Go to Start Menu and go to "All Programs", then "Accessories",
right click your mouse on "Command Prompt" and "Run as administrator".
* Run in Terminal:
bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS (followed by [ENTER])
bcdedit.exe -set TESTSIGNING ON (followed by [ENTER])
* Reboot your PC/Laptop
Now Signing Enforcement is disabled.
You will see in the lower right-hand corner of your Desktop "Test Mode and OS build".
- To Enable Driver Signature Enforcement do the same except the last command, which will be:
bcdedit.exe -set TESTSIGNING OFF (followed by [ENTER]) and reboot PC.
Stage 2.
- Download the following files: https://mega.nz/#!3VdBlKzR!IhecYqJxGYEVlkum-MBOPq3F4XR9KcSUhUi9QGiLioY
- EDL mode drivers for Redmi 3S: QDLoader+HS-USB+Driver_32-64bit_Setup.zip
(choose your version 32 or 64 bit and install it)
- Fastboot drivers for Redmi 3S: minimal_adb_fastboot_1.4.3_portable.zip
(extract zip on your Desktop. After that you will have a folder "ADB" on Desktop)
- MI Flash tool (this version): MiFlash20170425.zip (install MiFlash on your PC)
- Unlocked version of bootloader for Redmi 3S: unlock-modified.zip (with xml file modified properly)
(extract zip on Desktop. After that you will have a folder "unlock-modified" on Desktop)
- Custom Recovery installer: RedMi3S_Fast__Unlock_edBL_specTWRP.zip
(extract zip on Desktop. A folder with the same name will appear on Desktop)
- ADB driver installer: ADBDriverInstaller.exe
(to install the right driver connect your phone to PC and run the executable)
Stage 3.
On your phone:
- Charge your phone battery to at least 70%
- Update MIUI to the latest version (v10.2.2 it was mine)
- Go to “Settings” > “About device” and tap several times on MIUI version.
Developer options will be enabled.
- Go to “Developer options”. Enable USB Debugging and OEM-Unlock.
- Turn off the phone.
- Insert the DFC cable only into the phone. Not in your PC yet (do not turn ON your phone!)
On your PC: (assuming you installed all of the above files)
- Open "Device Manager" on your PC and leave it that way.
- Press and keep the Microswitch button of your DFC cable.
- (Or PRESS and KEEP the green and black cable with the exposed parts to each other.)
- Now insert the other end of the cable into the computer.
- With Microswitch button pressed WAIT for 5-6 seconds.
- The computer should signal that a new device has been detected and begin installing drivers for it.
- Under Ports (COM & LPT) the “Qualcomm HS-USB QDLoader 9008” driver should appear. (HS-USB Driver.jpg)
- Release the Microswitch button.
- (Or disconnect the black and green wires and make sure that they no longer touch.)
Your Xiaomi Redmi 3S is in EDL mode now.
- Open XiaoMIFlash tool and select "unlock-modified" folder from your Desktop and click Refresh.
(you should see something like this: detected-device-Mi_Flash.jpg), your COM port could be different.
- Click Flash and wait to finish. If everything is OK you should see SUCCESS in MIFlash result.
Read messages on your phone's display and accept all requests.
- Turn off your device and start again in fastboot mode; (VOL-)+(Power button).
Attention! You need to start your device in fastboot without booting into the system.
- After restart in Fastboot Mode close XiaoMIFlash tool and go into "RedMi3S_Fast__Unlock_edBL_specTWRP" folder.
- Run doit1.bat.
Your phone will reboot, first startup will take around 10-15 minutes.
After the reboot, turn off the phone, go to fastboot mode again.
If it takes more than 15 min to reboot, restart in Fastboot Mode by pressing together (VOL-)+(Power button)
- Run doit2.bat.
TWRP Custom Recovery should start. Swipe to allow changes to system partition. (Flash latest TWRP for your device)
Connect your device to PC, copy custom ROM to SD card and Flash it.
OBS. !!!
If you are flashing any XIAOMI.EU ROM zip file, you need to delete firmware-update/emmc_appsboot.mbn in the zip first.
You can't use MIUI OTA.

All files and methods were taken from the XDA forum, xiaomifirmware.com, en.miui.com or from different websites
(including from Russia, geekteam.pro) during the documentation. I express my gratitude to all of them.
My only merit in this tutorial is to describe how I succeeded to unlock my bootloader.
 


amit140507

Member
May 21, 2019
24
17
Mohali
Thanks man.
I used the third method, i.e. the test point method, but there was a problem: Qualcomm 9008 was not showing in the device manager.
So I searched on the other forums and found the correct method. Please make a correction in the original post.
1. power off
2. Removed back cover and internal cover from motherboard held together by screws (one under MI -sticker)
3. Removed battery connector
4. Reattached battery connector
5. connect the phone using normal USB to pc (phone is still power off)
6. short the test point while holding power and volume down button.
7. device will be recognised as qualcomm 9008
8. released both buttons and tweezer/shorting wire.
 

9rav44n

Member
Nov 27, 2019
17
0
Video for unlock bootloader

Then I am probably going to unlock my Redmi 3s prime this way and I will also try to post this video on YouTube

---------- Post added at 02:53 PM ---------- Previous post was at 02:52 PM ----------


Hey thanks for quick response

Bro where is the video you are going to upload
 

Aamirsingh

Senior Member
Nov 17, 2016
99
20
Bro where is the video you are going to upload
I couldn't do it because I gave the device to someone else long ago.

But man, it's too simple. Just make a cut in your Xiaomi cable and pinch a pin through the black and green wire and u have made your DFC. Connect your device to PC via this cable, and remove that pin. Now your PC will recognise your device in EDL mode. You can flash anything you want via Mi Flash. Just flash this custom bootloader. And if u are getting an error then download the official fastboot ROM, extract it on your PC, replace emmcappsboot.mbn with the one provided in this thread and flash.

Now you will be able to execute "fastboot oem unlock-go"
 

zwsss

New member
Dec 26, 2020
2
0
hi man GG for the tutorial (sry bad english)

i got redmi 3s it is bootlooping. it was able go to the lock screen but only for 1 sec then go to the boot logo again

this phone got bootloader locked, developer off

so i did use the miflash and choose the unlock folder
and flash all except data and storage then i press flash
the status is the operation completed successfully.(0x00000000:Open patch file "C:\Users\username\Desktop\MiPhone\unlock\patch0.xml)
the phone is still on the black screen i had to restart it by my self and go to fast boot and then i type fastboot oem unlock on the cmd it says FAILED (remote: oem unlock is not allowed) what did i do wrong? i am sure that i followed this tutorial

edit: @fxsheep
 

rdm3s

New member
Feb 8, 2021
1
0
Hi everyone. Got a similar problem here.
I have Redmi 3s, use latest emmc_fastboot.mbn from fxsheep, patch0.xml without entries, rawprogram0.xml with two (aboot & abootbak) entries.
Forcing phone into EDL mode with deep flash cable does not allow image flashing. After 90 seconds MiFlash (ver. 2020.3.14.0) stops with Sahara protocol failure:
Code:
[4:08:10 PM  COM10]:info1:16:08:10: ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.
[4:08:10 PM  COM10]:info1:16:08:10: ERROR: function: sahara_main:924 Sahara protocol error
[4:08:10 PM  COM10]:info1:16:08:10: ERROR: function: main:303 Uploading  Image using Sahara protocol failed
Only testpoint method allows to upload image once. Subsequent attempts result in same Sahara failure and require phone rebooting and using testpoints anew.
After successful uploading MiFlash shows checkpoint error:
Code:
[6:23:02 PM  COM10]:begin checkPoint
[6:23:02 PM  COM10]:error:Not catch checkpoint (\$fastboot -s .* lock),flash is not done
[6:23:02 PM  COM10]:process exit.
[6:23:03 PM  COM10]:flashSuccess False
After image uploading phone remains in EDL mode with black screen. Switching to fastboot can be done only manually by Power & Vol- buttons. Using command "fastboot oem unlock-go" results in token error and phone rebooting to fastboot.
 

Ice Velez

New member
Mar 7, 2021
4
1
Good day @fxsheep what do you mean by

"BUT one con.You can't upgrade bootloader. But any firmware partition update will update it. So when you are flashing any zip file,you need to delete firmware-update/emmc_appsboot.mbn in the zip first. You can't use MIUI OTA."

so when I flash a custom ROM I have to delete its "emmc_appsboot.mbn"?

edit: can I use a newer version of Mi Flash? like Mi Flash Tool?
 

Ice Velez

New member
Mar 7, 2021
4
1
I finally got the EDL cable I ordered online, Thank God it worked, for anyone having the same problems and is reading this follow @fxsheep 's guide but I have a little change, open up the rawprogram0.xml and remove "device" something because it doesn't exist in the unlock folder, that's it. Thank you @fxsheep
 

Top Liked Posts

  • 14
    Maybe we all faced Xiaomi bootloader unlocking problems sometimes. We tried many ways to unlock it but failed. Or maybe we have a second-hand Redmi 3S with account locked. Then, there is a brand new way to unlock it.

    If you can unlock your phone, DON'T try this method

    Instead of using the miflashunlock tool, we'll try to crack the aboot (emmc_appsboot.mbn) partition on our phone. But we don't have permission to write any system partition without unlocking. So we need to get the permission first.

    The easiest way to get it is to boot your phone into Qualcomm 9008 EDL mode. This mode is integrated into the SoC so we will always be able to enter it. BUT Xiaomi has taken some actions to block it :crying:. So we do need to have a try.

    The first and easiest way to enter 9008 is to reboot your phone into fastboot, then type 'fastboot oem edl'. If this way doesn't work, try the second way.

    Second way: A 'Xiaomi Deep Flash Cable' is needed. You could buy it or DIY it. (If you want to DIY, just cut open a micro USB cable, then you see four wires. Cut open the green one and the black one. Then screw together the four copper wire.)
    Fully shut your phone down and use the cable to connect phone & PC. Nothing seemed to happen, but now your phone is under 9008. Then use a normal cable to connect. You will hear the computer installing a new device.

    Third way: (Not recommended) Open the back of the phone, tear the shell on the main circuit board down. Then you will see two copper points. Use a wire or tweezer to connect them. Then hold on, use your second hand to connect a USB cable (normal, not deep flash cable).

    After booting into 9008 mode, you need to install the drivers of 9008. Install this miflash.

    https://drive.google.com/uc?id=0Byw7MVzb0VBXUnhFcmZmdWFaQkU&export=download

    Open miflash and you will see a COM port (it's your device). If not, check device manager. Install the drivers properly.

    Then, everything is ready. :)

    Download and extract the package below.
    https://drive.google.com/uc?id=0Byw7MVzb0VBXZUctUFYzb1BrSGM&export=download
    An 'unlock' folder will be created and the unlocked version of the bootloader is placed in it. Then choose the folder in miflash. Click the flash button. It will be done in a few seconds. After it displays 'Success', hold the phone's power button for 15 sec until it reboots. Maybe your device will be stuck at the logo. But don't worry. Just hold power and volume- together for 15 sec until it enters fastboot.

    Then the most amazing thing will happen!
    Type 'fastboot oem unlock' on the computer.
    Then you will see an UNLOCKING warning on the phone screen; it looks like the Nexus's. Use your volume key and choose Yes. The phone reboots, stuck at the logo again. But now everything is done. Just re-enter fastboot and flash a custom recovery.
    (Because the unlocking will wipe data using recovery, I have made an action in the 9008 flash package to erase the recovery partition to prevent losing data.)

    After all, your phone is fully unlocked. So doing anything is easy.
    BUT one con. You can't upgrade the bootloader. But any firmware partition update will update it. So when you are flashing any zip file, you need to delete firmware-update/emmc_appsboot.mbn in the zip first. You can't use MIUI OTA.
    3
    Exactly. I modified it this way:

    rawprogram0.xml:
    Code:
    <?xml version="1.0" ?>
    <data>
      <!--NOTE: This is an ** Autogenerated file **-->
      <!--NOTE: Sector size is 512bytes-->
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="emmc_appsboot.mbn" label="aboot" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x18000000" start_sector="786432"/>
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="emmc_appsboot.mbn" label="abootbak" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x18100000" start_sector="788480"/>
    
    </data>

    patch0.xml:
    Code:
    <?xml version="1.0" ?>
    <patches>
    </patches>

    and flashed the folder using MiFlash.exe with phone in EDL mode. I was able to enter edl mode by just doing "fastboot oem edl" from standard fastboot xiaomi screen.

    Maybe patch0.xml can be deleted completely, I don't know but I kept it.

    After flashing this aboot and booting into fastboot again, I was able to do "fastboot oem unlock-go" to unlock the bootloader without waiting for Xiaomi to give me approval or bothering with their stupid one unlock per 3 day policy (error "After 72 hours of trying to unlock the device").

    I did this successfully on a new Xiaomi 3s Prime 3GB I bought from eBay.
    3
    Update 20200510
    Support "fastboot oem edl" command to boot into EDL mode.
    Usage: extract&replace this in older releases.
    https://drive.google.com/uc?id=1TIK14QlLTNKlOyRTLW_yxgo8G0iImuyy&export=download

    Long life LAND! :eek:
    2
    Before 9008 Driver installation read this: https://www.top-password.com/blog/how-to-disable-driver-signature-enforcement-in-windows-10-8-7/
    Without this setting, the driver can not be installed.

    Use a 64-bit Win 7 or 10 for Miflash.
    2
    Sounds too simple but I want to know if it really works I mean if anyone has tried it or not
    Of course. I unlocked my phone in this way.
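
Before flashing a folder like the ones passed around in this thread, it is worth seeing exactly which partitions its rawprogram0.xml writes and whether the entries agree with themselves and with the files actually present (the missing-file case is what one poster hit). This is an added example, not code from the thread or from MiFlash; `audit_rawprogram`, `folder_sizes` and the 512 KiB image size are assumptions for illustration, and the sample XML is constructed from the two `<program>` entries quoted in the post above.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the two <program> entries quoted in the thread.
_ENTRY = ('<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" '
          'filename="emmc_appsboot.mbn" label="{label}" num_partition_sectors="2048" '
          'physical_partition_number="0" size_in_KB="1024.0" sparse="false" '
          'start_byte_hex="{byte}" start_sector="{sector}"/>')
SAMPLE = ('<?xml version="1.0" ?><data>'
          + _ENTRY.format(label="aboot", byte="0x18000000", sector="786432")
          + _ENTRY.format(label="abootbak", byte="0x18100000", sector="788480")
          + '</data>')


def audit_rawprogram(xml_text, image_sizes):
    """Return (writes, problems); image_sizes maps file names in the folder to byte sizes."""
    writes, problems = [], []
    for prog in ET.fromstring(xml_text).iter("program"):
        name, label = prog.get("filename", ""), prog.get("label", "?")
        if not name:  # entries without a file write nothing
            continue
        try:
            sector = int(prog.get("SECTOR_SIZE_IN_BYTES"))
            start = int(prog.get("start_sector")) * sector
            length = int(prog.get("num_partition_sectors")) * sector
            declared_start = int(prog.get("start_byte_hex"), 16)
            declared_len = int(float(prog.get("size_in_KB")) * 1024)
        except (TypeError, ValueError):
            problems.append(f"{label}: non-numeric geometry, check by hand")
            continue
        if start != declared_start:
            problems.append(f"{label}: start_sector and start_byte_hex disagree")
        if length != declared_len:
            problems.append(f"{label}: num_partition_sectors and size_in_KB disagree")
        if name not in image_sizes:
            problems.append(f"{label}: {name} is not in the folder")
        elif image_sizes[name] > length:
            problems.append(f"{label}: {name} is larger than the partition")
        disk, end = prog.get("physical_partition_number", "0"), start + length
        for other in writes:  # two entries must not write the same byte range
            if other["disk"] == disk and start < other["end"] and other["start"] < end:
                problems.append(f"{label}: overlaps {other['label']}")
        writes.append({"label": label, "file": name, "disk": disk,
                       "start": start, "end": end})
    return writes, problems


def folder_sizes(folder):
    """Build image_sizes from a real flash folder on disk."""
    return {p.name: p.stat().st_size for p in Path(folder).iterdir() if p.is_file()}


if __name__ == "__main__":
    # 512 KiB is a constructed image size for the demonstration.
    writes, problems = audit_rawprogram(SAMPLE, {"emmc_appsboot.mbn": 512 * 1024})
    for w in writes:
        print(f"{w['label']:10} <- {w['file']}  bytes {w['start']:#x}..{w['end']:#x}")
    print(problems or "no inconsistencies found")
```

For a real folder, pass `folder_sizes(path)` as the second argument; every entry the audit lists is a region the flash will overwrite.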