[ROOT][UNLOCK WITHOUT WIPE] or Reset Tamper-/Unlockbit for OnePlus 2

thedropdead

Senior Member
Nov 15, 2013
65
36
0
Requirements:
[ROOT REQUIRED]
[OEM Unlocking must be allowed under the developer options before flashing this file AND stay activated
as long as you want the device to stay unlocked (OnePlus implemented security features which lock the device on reboot when the switch is off)]




* I am not responsible for bricked devices, thermonuclear war, or you getting fired because the alarm app failed.
* Please do some research if you have any concerns about this method before using it!
* YOU are choosing to make these modifications.
* And if you point the finger at me for messing up your device, I will laugh at you.


WARNING: THESE FILES ARE BASED ON THE OXYGEN OS 2.1.1 FIRMWARE, PLEASE ANALYZE YOUR DEVINFO IF THE VERSION IS DIFFERENT TO MAKE SURE YOU DO NOT BRICK SOMETHING!
I have not upgraded my device to 2.1.2 yet because there have been some issues with the newest firmware.

Tested and confirmed working on:
OxygenOS 2.2.0 - thanks to @pryggi
OxygenOS 2.1.1
Hydrogen OS 1.2.0 - thanks to @fareed_xtreme



I looked at this thread (thanks to Naman Bhalla for this great work) and found out that the file attached to this post is the answer to my problem, described in another thread.


After a whole day of work analyzing, dumping and saving via adb from my device to the PC and the other way around, I finally did it.

The first screenshot shows my situation before flashing the new devinfo, the second after flashing the devinfo from the thread mentioned above.



By changing the bits with a Hex Editor of your choice, or by flashing the files below via dd:

Code:
dd bs=4096 of=/dev/block/bootdevice/by-name/devinfo if=/sdcard/oneplus2-devinfo-factory.img
The output should look like the following:
Code:
0+1 records in
0+1 records out
1024 bytes transferred in 0.005 secs (204800 bytes/sec)
You can restore your OnePlus 2 to a factory state while still having root or unlock your phone again without having to wipe it! :highfive:




Credits:

Naman Bhalla
Also to segv11, who already managed this on the OnePlus One and Nexus devices :)
 

Attachments


thedropdead

Senior Member
Nov 15, 2013
65
36
0
Thank you and thanks for testing it out on Hydrogen OS @fareed_xtreme ;)
It is not a revolution like CM13 on the 1+2, but it's helpful for people like me who use their developer devices as daily drivers and still want to lock and unlock the device for security reasons without wiping the whole device. ;)

Modified the same location using a HEX Editor (root) whilst on the Hydrogen OS 1.2.0 and I must say it works.

Screenshot Attached. Good Find @thedropdead
 

fareed_xtreme

Senior Member
Sep 13, 2012
430
415
0
Thank you and thanks for testing it out on Hydrogen OS @fareed_xtreme ;)
It is not a revolution like CM13 on the 1+2, but it's helpful for people like me who use their developer devices as daily drivers and still want to lock and unlock the device for security reasons without wiping the whole device. ;)
I needed it for resetting the tamper flag. I have certain issues with my phone and might have to return it in the near future and hence this was important. So thanks again.
 

thedropdead

Senior Member
Nov 15, 2013
65
36
0
Thanks, I was waiting for this for securing my OPT. Has anyone tested if it also works on OOS 2.2.0?
Just to clarify, the dd command should be executed in the TWRP console?

Would be cool if someone could make an app for this like the Nexus devices have:
https://play.google.com/store/apps/details?id=net.segv11.bootunlocker
Hello pryggi,

It should also work on OOS 2.2.0, you could check that by dumping the partition (by reversing the dd command) like this:
Code:
dd bs=4096 if=/dev/block/bootdevice/by-name/devinfo of=/sdcard/oneplus2-devinfo-oos220.img
and looking at the file in a hex editor for differences, or by posting it here and I can check it for you. ;)

I have executed the dd command from an ADB shell with the phone connected via wireless ADB.
You can also execute dd in the Android Terminal Emulator App.
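The check this post recommends (dump your own devinfo with the reversed dd command, then look for differences against a known image before writing anything back) can be scripted instead of eyeballed in a hex editor. The following is an added example written for this thread, not code from the original posts or from OnePlus. It assumes only the 1024-byte size that the dd output in the first post reports; the marker string and flag offset used to build the constructed sample data are hypothetical and are not the real OnePlus 2 devinfo layout.

```python
"""Compare two devinfo partition dumps produced with dd, byte by byte.

Added illustration for this thread, not code from the original posts or
from OnePlus. It assumes only what the posts state: the dump written by dd
is 1024 bytes and the lock/unlock state lives somewhere inside it. The
marker string and flag offset used for the sample data below are constructed
for this demo and are NOT the real OnePlus 2 devinfo layout.
"""
from __future__ import annotations

import sys

DEVINFO_SIZE = 1024  # "1024 bytes transferred" in the dd output quoted in the thread

# Constructed values for the self-contained demo only (hypothetical layout).
SAMPLE_MARKER = b"SAMPLE-DEVINFO"
SAMPLE_FLAG_OFFSET = 0x10


def check_size(data: bytes) -> None:
    """Refuse anything that is not exactly one devinfo-sized image.

    A short or oversized file usually means dd was run against the wrong path
    or the copy was truncated; writing such a file back is how a partition
    gets corrupted, so stop before comparing.
    """
    if len(data) != DEVINFO_SIZE:
        raise ValueError(f"expected {DEVINFO_SIZE} bytes, got {len(data)}")


def load_dump(path: str) -> bytes:
    """Read a dump from disk and validate its size."""
    with open(path, "rb") as fh:
        data = fh.read()
    check_size(data)
    return data


def diff_dumps(a: bytes, b: bytes) -> list[tuple[int, int, int]]:
    """Return (offset, byte_in_a, byte_in_b) for every position that differs."""
    check_size(a)
    check_size(b)
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def hexdump_line(data: bytes, offset: int, width: int = 16) -> str:
    """Render the 16-byte row containing `offset`, the way a hex editor shows it."""
    start = offset - (offset % width)
    chunk = data[start:start + width]
    return f"{start:08x}  " + " ".join(f"{byte:02x}" for byte in chunk)


def report(a: bytes, b: bytes, label_a: str = "A", label_b: str = "B") -> str:
    """Human-readable summary of where two dumps disagree."""
    diffs = diff_dumps(a, b)
    if not diffs:
        return "dumps are identical"
    lines = [f"{len(diffs)} differing byte(s):"]
    for offset, x, y in diffs:
        lines.append(f"  offset 0x{offset:04x}: {label_a}=0x{x:02x} {label_b}=0x{y:02x}")
        lines.append(f"  {label_a}: {hexdump_line(a, offset)}")
        lines.append(f"  {label_b}: {hexdump_line(b, offset)}")
    return "\n".join(lines)


def make_sample(flag: int) -> bytes:
    """Build a constructed 1024-byte dump with a single flag byte (demo data only)."""
    buf = bytearray(DEVINFO_SIZE)
    buf[: len(SAMPLE_MARKER)] = SAMPLE_MARKER
    buf[SAMPLE_FLAG_OFFSET] = flag
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use: python devinfo_diff.py known-good.img my-dump.img
        print(report(load_dump(sys.argv[1]), load_dump(sys.argv[2]), "known", "mine"))
    else:
        # No files given: compare two constructed samples that differ in one byte.
        print(report(make_sample(0), make_sample(1), "sampleA", "sampleB"))
```

Run it with two dump paths to compare your own dump against a known image; with no arguments it compares the two constructed samples. The size check is deliberate: a wrong-size file written back with dd is exactly how the partition gets corrupted, and differences in places you did not expect mean the firmware may lay the partition out differently from the one the image was made for, which is the case the first post warns about.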
 

pryggi

Senior Member
Aug 27, 2015
358
189
43
Thanks for your reply. My device is already unlocked. As I don't have a computer with ADB/drivers at hand right now, I managed to run the dd command in the Terminal Emulator app after elevating with su. The result is attached. Viewing it in hex seems to confirm that at least the locking bit is in the same position.
 

Attachments

thedropdead

Senior Member
Nov 15, 2013
65
36
0
Thanks for your reply. My device is already unlocked. As I don't have a computer with ADB/drivers at hand right now, I managed to run the dd command in the Terminal Emulator app after elevating with su. The result is attached. Viewing it in hex seems to confirm that at least the locking bit is in the same position.
Thank you for the dump, I can confirm that the bit is at the same position and the unlock bit is the same.
I compared the file attached to my first post with yours and they are identical (see attachment, sorry it's German; it says they are identical).

So by flashing the factory.img from my first post or unchecking OEM Unlocking in the developer settings your device should be locked again, and it can be unlocked by flashing the unlock.img via dd in ADB or the Android Terminal Emulator on the phone.
 

Attachments

pryggi

Senior Member
Aug 27, 2015
358
189
43
Thanks for the further explanation. I was just wondering about this OEM Unlocking switch in dev options. What would happen if one used dd and the factory image file to lock the bootloader and left the OEM Unlocking switch still enabled...

I am also interested in whether this type of locking/unlocking can be done in TWRP... If it can be done there, then it does not offer any benefit in security, if my logic is correct. Although I might be drifting off topic here.
 

thedropdead

Senior Member
Nov 15, 2013
65
36
0
Thanks for the further explanation. I was just wondering about this OEM Unlocking switch in dev options. What would happen if one used dd and the factory image file to lock the bootloader and left the OEM Unlocking switch still enabled...

I am also interested in whether this type of locking/unlocking can be done in TWRP... If it can be done there, then it does not offer any benefit in security, if my logic is correct. Although I might be drifting off topic here.
As far as I remember I tried that too: by flashing the factory image partition via dd and leaving the switch on, the switch gets toggled off when rebooting, because the switch is just the representation of the unlocking bit in the partition. So when it is turned off, the software will set the bit to zero, which means the device will get locked on reboot. Turning the switch on will not override the bit, so the device can boot unlocked and the switch will stay on.

It is hard to explain ;)

Your Idea about doing the same thing in TWRP since the ADB is available there is interesting.

I think the problem here is that once you unlock and flash a custom recovery via fastboot, and relock the device, you have already tampered with it, and TWRP provides many more options than the stock recovery image (ADB commands, ...).
So the problem here lies in flashing TWRP.

I solved this problem by keeping the stock recovery and locking the device via the image file.
Once I want to use TWRP, I unlock the phone by using the unlock.img and use "fastboot boot twrp.img" to boot TWRP to back up my device or for some other action.

I know this means that if my device gets bricked in this locked state with the stock recovery I will have to unlock it normally, but before making any important changes to my software I always unlock my device first in case something goes wrong. With the stock recovery I could not even flash anything, so making big software changes requires me to unlock my device and boot TWRP anyway ;)

Hope that this post helps somehow ;)
 

thedropdead

Senior Member
Nov 15, 2013
65
36
0
FYI: The HEX hack must work on almost all OPT OS releases. Kinda universal :p
That is right, I just included the notice in the first post so nobody can tell me I have not told them ;)
It is also possible that OnePlus changes the layout of that partition in one of the upcoming updates/releases, and that is why it is still mentioned in the first post. Thank you anyway. ;)
 

casual_kikoo

Senior Member
Nov 25, 2014
1,037
1,090
113
Paris, France
@thedropdead I have a question: I should use the "modified" devinfo.img AFTER I go back to stock, if I want to unlock my phone without wiping data, right? So I go back to stock, flash the .img in fastboot or in the terminal emulator, and that's it? I'm unlocked without data wiped?
 

thedropdead

Senior Member
Nov 15, 2013
65
36
0
@thedropdead I have a question: I should use the "modified" devinfo.img AFTER I go back to stock, if I want to unlock my phone without wiping data, right? So I go back to stock, flash the .img in fastboot or in the terminal emulator, and that's it? I'm unlocked without data wiped?
That should be the plan, if I have understood everything right.
So you are on the custom ROM and want to go back to the stock ROM?
If that is the case I do not see why you would want to flash any image. ;)
You can use TWRP to wipe and then flash the stock ROM; your phone should still be unlocked, right?
Please someone correct me if I am wrong.

It would be great if you could tell me what you are trying to achieve. :)
The unlock image had the purpose to help someone unlock their device if they have a rooted device but have locked it after flashing everything for security reasons.
 

casual_kikoo

Senior Member
Nov 25, 2014
1,037
1,090
113
Paris, France
That should be the plan, if I have understood everything right.
So you are on the custom ROM and want to go back to the stock ROM?
If that is the case I do not see why you would want to flash any image. ;)
You can use TWRP to wipe and then flash the stock ROM; your phone should still be unlocked, right?
Please someone correct me if I am wrong.

It would be great if you could tell me what you are trying to achieve. :)
The unlock image had the purpose to help someone unlock their device if they have a rooted device but have locked it after flashing everything for security reasons.
Well, for now I'm on CM13, and, yeah, I know I could wipe and flash stock in TWRP, I just want to know just in case ;).
 

thedropdead

Senior Member
Nov 15, 2013
65
36
0
Well, for now I'm on CM13, and, yeah, I know I could wipe and flash stock in TWRP, I just want to know just in case ;).
Okay, thanks for the clarification.
In the case of using some unbrick tool and thus resetting everything including the recovery to stock, your phone should lock on the first stock boot.
Once it is locked and you do not have root, which would be the case, you have no possibility to flash the img via fastboot or the emulator.

So in conclusion you are better off wiping and flashing via TWRP, so you can still flash something if anything goes wrong ;)
 

psiphiguy

Member
Dec 3, 2010
6
0
0
Edmonton
Hey guys, sounds like this is exactly what I've been looking for. Thanks for figuring this out.

But, I'm a bit of a noob, so can you break it down into like a hundred very clear steps?