Rollback EMUI from 10 to 9 to bypass FRP

[eduuk]

Hi all,

Got a mobile that we dont know the previous Gmail account this was registered with. Therefore, I need to bypass the FRP to recover the mobile and use it for testing purposes. Accidentally, I upgraded it to EMUI 10 and after fixing several softbricks, I have no clue how to downgrade it to EMUI 9.

Goals:

• Rollback EMUI 10 to 9 on Huawei 20x C185
• Abuse flaws on EMUI 9 to bypass FRP
• Do all via Linux tools (preferably console)

Firmware
EVR-L29 C185 EMUI 10

• https://mega.nz/#F!zRUGFKyZ!je09cCOdJRPePDvykLwJCQ
• http://www.mediafire.com/file/m7l6xlqe4se0u7s/dload.zip/file

Fail attempts

• Enter upgrade mode and dload a previous C185 EMUI 9.0.x or EMUI 9.1.x (via OTG cable + microSD card). This always produces the same error: Software upgraded failed!
• Try to change country to have chances to flash different firmware.

Logs:

>  fastboot oem get-build-number
...
(bootloader) :EVR-L29 10.0.0.180(C185E6R3P3)
OKAY [  0.011s]
finished. total time: 0.011s

>  fastboot getvar vendorcountry
vendorcountry: hw/meafnaf
finished. total time: 0.019s

Any idea?

 

[sunrider07]

Try Hisuite

 

[eduuk]

Try Hisuite

hey @sunrider07,

apparently you need to enable HDB options to use HiSuite, right? Tested HiSuite on Linux emulated via Wine. I was able to use the Huawei tool but I couldn't hook up the mobile to the app. Have you used HiSuite to downgrade the bootloader? If so, it is really needed to have adb connection? Remember my phone is protected via FRP.

This is the way to enable HDB (Huawei ADB dev options):

4. Go to device setting and enable USB Debugging. You can follow our guide on how to enable USB Debugging on Huawei phones.
5. Connect HiSuite to your mobile.
6. HiSuite will automatically shows a system update on your device.

Being blocked by FRP, HDB switch cannot be enabled so i am not sure if HiSuite can be used

 

[sunrider07]

My phone is fully stock and unmodified.
And yes, HDB must be enabled for the app to connect.
I was able to downgrade my phone just two days ago and everything works as expected

 

[eduuk]

My phone is fully stock and unmodified.
And yes, HDB must be enabled for the app to connect.
I was able to downgrade my phone just two days ago and everything works as expected

Thanks for your answer. Unfortunately, I do need to find another way to perform a downgrade on the bootloader and base image to EMU 9.0 where there are public and known vulnerabilities to overcome FRP. Otherwise, I will need to wait until a FRP bypass is public, or reverse engineering the HiSuite software to find some fastboot commands to see if I can leverage any of these. It seems I am stuck with it.

 

[eduuk]

Apparently I found this video from 5 days ago: https://www.youtube.com/watch?v=USvi-1O2Y6o

Anyone knows well the mode USB upgrade?

 

[mac231us]

--

 

[eduuk]

I saw that too. I too need to downgrade but cannot as usb is not connecting. I can connect to one of the Hisuite versions through wlan option but it cannot be used to change the system (only through usb). Cannot do system recovery (says take it to service center)

Yes video shows if you go into usb mode through recovery (which I can) you can use the MRT tool to flash the rom. I plan to look into it. Otherwise I might just take it to a service center in an upcoming overseas trip (still almost 2 months away)

Do you know where to download this MRT tool? It seems like super unprofessional tool without github repo.

Separately in my case-The device is not recognized when connecting through usb to the computer (usb ports, cable, windows version, drivers etc all tried-the device type and name is not recognized. OTG usb works but that is only for backups, backup restore and dload method to upgrade-which cannot be used to downgrade to 9.1 or 9.0 from 10.0) Fastboot commands are severely limited in 10 as my device country vendor is unknown. The device works fine otherwise (calls, mms, apps, internet, themes) Device cannot be registered at Huawei as unknown device though I can register in themes. With dload I can switch back and forth between 10.0.0.180 and 183 or even a lower 10 but not to 9 series.

Dont own a Windows10 laptop to use HiSuite, looking for one to see if I can connect it via WiFi. Did you mention you can use all these calls, mms, apps, internet, themes? In this case, we have different issue.

Can you run this command?

$  fastboot getvar vendorcountry
vendorcountry: hw/meafnaf
finished. total time: 0.019s

Surprised there is no way to fastboot erase and install firmware-I heard you need a service rom to completely redo the phone.

The MRT tool must use a fastboot command too. We can always reverse this tool to extract the command. Do you have the tool?

 

[eduuk]

In this video there are downloading links:

MRT sw

 

[mac231us]

--

 

[roshan2989]

anyone able to bypass the frp?