Development [STOCK][FULL-ROM] OxygenOS_11.3_A.20 EU DN2103 | Unbrick guide


meanoentucorro

New member
Jul 18, 2022
1
0
PSA: There's code to blow efuse gating BROM mode entry in the Android 12 update that's started rolling out recently.

Meaning: unbricking via mtkclient may no longer work once you update to Android 12.

Diff between DN2103_11_A.20 (Android 11 EU) and DN2101_11_C.4 (Android 12 India):

Code:
+[Run-Time] SEC_LOCK = %x
+Blow Disable_BROM_CMD: %d
+Already blow Disable_BROM_CMD: %d, read_data = 0x%x
+[Run-Time] first time blow Disable_BROM_CMD: %d

(lk.bin strings)

Whether this really pertains to disabling volume buttons remains to be seen (I'm not flashing lk.bin from Android 12 update so as to avoid crippling my own device).

Can somebody who has updated to Android 12 confirm that mtkclient no longer works for you (= stuck in preloader VCOM)?

Oppo and Xiaomi are known to have deployed something similar in the past.
I can confirm. Tried this in a stock Nord 2 5G with OOS12. Stuck in preloader VCOM. Sad :(
 

Coconut_cube

Member
Aug 3, 2019
9
4
PSA: There's code to blow efuse gating BROM mode entry in the Android 12 update that's started rolling out recently.

Meaning: unbricking via mtkclient may no longer work once you update to Android 12.

Diff between DN2103_11_A.20 (Android 11 EU) and DN2101_11_C.4 (Android 12 India):

Code:
+[Run-Time] SEC_LOCK = %x
+Blow Disable_BROM_CMD: %d
+Already blow Disable_BROM_CMD: %d, read_data = 0x%x
+[Run-Time] first time blow Disable_BROM_CMD: %d

(lk.bin strings)

Whether this really pertains to disabling volume buttons remains to be seen (I'm not flashing lk.bin from Android 12 update so as to avoid crippling my own device).

Can somebody who has updated to Android 12 confirm that mtkclient no longer works for you (= stuck in preloader VCOM)?

Oppo and Xiaomi are known to have deployed something similar in the past.
Took the time to confirm your findings. It's true as far as the code goes which I assume is UART strings but I could be wrong. Will keep this in mind in case I decide to update. I've read on various other forums that people are still able to create backups and restore them using mtkclient (read/write) after updating. If I had to make a guess, BROM mode is still accessible to those who have used mtkclient on their device at least once as it runs an exploit to permanently disable the usual BROM security locks (SLA, DAA, SBC, Mem read/write auth, etc.). It would seem that the efuse is only effective when those are still enabled. Again, this is a complete guess (probably completely wrong too) and I haven't done any device specific research.

I'm curious whether there is another way to access BROM mode, such as a different exploit or a test point on the mainboard but unfortunately I don't have the expertise to figure it out.

I would recommend this video to anybody interested in this sort of stuff. It's where I got most of my information from.
 

ezdiy

Member
Mar 29, 2015
42
25
I'm curious whether there is another way to access BROM mode, such as a different exploit or a test point on the mainboard but unfortunately I don't have the expertise to figure it out.
There's always a way - by removing storage during boot (shorting a CLK pin on eMMC or UFS). I've seen YouTube tutorials for some Oppo MTK phone already.

Volume button(s) is what preloader.bin checks, whether to jump *back* to BROM EDL mode, but initial BROM boot itself cares only about storage, it doesn't listen to buttons. Point being, you now have to disassemble the phone (and short proper pin) to use mtkclient.

Another hypothesis is that the code triggers only when the phone bootloader is in locked state.
 

Coconut_cube

Member
Aug 3, 2019
9
4
There's always a way - by removing storage during boot (shorting a CLK pin on eMMC or UFS). I've seen YouTube tutorials for some Oppo MTK phone already.

Volume button(s) is what preloader.bin checks, whether to jump *back* to BROM EDL mode, but initial BROM boot itself cares only about storage, it doesn't listen to buttons. Point being, you now have to disassemble the phone (and short proper pin) to use mtkclient.

Another hypothesis is that the code triggers only when the phone bootloader is in locked state.
Thanks for the info. I was under the impression that you boot directly into BROM. Things make more sense now that I know. I guess to really know under what circumstances the efuse gets tripped, the lk.bin file would have to be reverse engineered. Not the easiest thing to say the least. Unless somebody is willing to take up the task, for now we can only wait to see if any more reports of mtkclient not working come up.

By the way, how would you go about flashing the stock Android 12 update with the known good lk.bin?
 

ezdiy

Member
Mar 29, 2015
42
25
Thanks for the info. I was under the impression that you boot directly into BROM. Things make more sense now that I know. I guess to really know under what circumstances the efuse gets tripped, the lk.bin file would have to be reverse engineered. Not the easiest thing to say the least. Unless somebody is willing to take up the task, for now we can only wait to see if any more reports of mtkclient not working come up.
The way boot works is:
BROM->preloader.bin(checks if vol-down, if so, jump back to BROM EDL routine). otherwise proceed with preloader vcom, LK etc. The secondary way to enter BROM is simply there being no preloader.bin to run, and BROM initiates its EDL command mode immediately, instead of preloader jumping back to it from later on.

The vol-down check (as well as other debugging stuff, like HW UART via USB) that lies in preloader is gated by efuse during manufacture (if you search the ALPS9 tree for xml files, you'll find a list of what's in there).

So what if you want to disable the vol-down access as an OTA update? That's right, you tack a module on lk.bin to burn the efuse (which seems to be heavily implied by the string). The question is under which circumstances, if at all, this routine triggers in lk.bin (the bootable parts of the OTA seem to be for a bunch of devices along with the Nord, think stuff like Oppo Reno 5Z).

As for how these diffs were made, it's just strings & diff from unpacked ota zip vs lk.bin directly read from the device. But this is perhaps straying too technical to mtkclient low level details. PM me if you want to lurk relevant tg group where people deal with stuff more at length on various mtk hw.
By the way, how would you go about flashing the stock Android 12 update with the known good lk.bin?
I simply omit preloader.bin and lk.bin while flashing an OTA that looks sus like this. Either it works fine, or you get a bootloop (in which case you decide whether you restore the backup, or try your luck by completing the update by flashing preloader *AND* lk.bin). Never ever flash disparate versions of preloader & lk separately. Keep either both old, or both new. Version mismatch *between* those two is a frequent source of bricks.

EDIT: Whatever applies for lk.bin applies for tee.bin that sits along with it, ie there's technically a three-way version dependency between preloader-lk-tee images you should keep. Other gotchas like repartitioning, seccfg and whatnot apply too, discussed elsewhere in here I think.
 
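The strings-and-diff comparison described in the post above (strings from the OTA's lk.bin versus strings from the lk.bin read off the device), as an added example that is not code from the thread. The two byte blobs are constructed here so the script runs offline; they stand in for an old and a new lk.bin and only contain the four strings quoted in the thread plus filler. The keyword list used for flagging is an assumption, not something the post specifies.

```python
import re

# Constructed stand-ins for the two images being compared. NOT real OnePlus
# firmware: just bytes built here so the example runs without a device.
OLD_LK = (
    b"\x7fELF\x00\x00\x01\x02"
    b"[Run-Time] boot mode = %d\x00"
    b"\x90\x90\x90"
    b"preloader vcom init\x00"
    b"\x00\x00\x01"
    b"SEC_POLICY = %x\x00"          # constructed filler, dropped in "new"
)

NEW_LK = (
    b"\x7fELF\x00\x00\x01\x02"
    b"[Run-Time] boot mode = %d\x00"
    b"\x90\x90\x90"
    b"preloader vcom init\x00"
    # The four strings quoted in the thread's diff:
    b"[Run-Time] SEC_LOCK = %x\x00"
    b"Blow Disable_BROM_CMD: %d\x00"
    b"Already blow Disable_BROM_CMD: %d, read_data = 0x%x\x00"
    b"[Run-Time] first time blow Disable_BROM_CMD: %d\x00"
    b"\x00\x00\x01"
)


def extract_strings(blob: bytes, min_len: int = 4) -> set:
    """Printable ASCII runs of at least min_len bytes, like strings(1)'s default."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(blob)}


def diff_strings(old: bytes, new: bytes):
    """Return (added, removed): strings only in `new` and strings only in `old`."""
    old_set, new_set = extract_strings(old), extract_strings(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)


# Assumed watch-list for a bootloader diff; "blow" and "SEC_LOCK" come from the
# strings quoted in the thread, the rest is a guess at related wording.
SUSPICIOUS = ("efuse", "blow", "brom", "sec_lock")


def flag_suspicious(added, keywords=SUSPICIOUS):
    """Subset of added strings that mention any watch-list keyword (case-insensitive)."""
    return [s for s in added if any(k in s.lower() for k in keywords)]


if __name__ == "__main__":
    added, removed = diff_strings(OLD_LK, NEW_LK)
    for s in added:
        print("+" + s)
    for s in removed:
        print("-" + s)
    print("flagged:", flag_suspicious(added))
```

To run this against real images, replace the two constructed blobs with `open("lk_ota.bin", "rb").read()` and `open("lk_device.bin", "rb").read()`; a hit in `flag_suspicious` is a reason to hold the preloader/lk/tee images back from the flash set, as the post describes, not a conclusion about what the code does.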

Coconut_cube

Member
Aug 3, 2019
9
4
The vol-down check (as well as other debugging stuff, like HW UART via USB) that lies in preloader is gated by efuse during manufacture (if you search the ALPS9 tree for xml files, you'll find a list of what's in there).

So what if you want to disable the vol-down access as an OTA update? That's right, you tack a module on lk.bin to burn the efuse (which seems to be heavily implied by the string). The question is under which circumstances, if at all, this routine triggers in lk.bin (the bootable parts of the OTA seem to be for a bunch of devices along with the Nord, think stuff like Oppo Reno 5Z).
Quick update. According to this video, looks like the BROM EDL/Vol key check only gets disabled in C.05 and C.06 (at least for the Indian market). You seem to be able to regain functionality by rolling back to Android 11. I assume the preloader got updated in order to include the efuse check, which would explain why rolling back fixes it, as the preloader gets downgraded. Either that or the efuse wasn't permanent to begin with. Feel free to correct me if I'm wrong. Also, I'm pretty sure the device in the video had an unlocked bootloader so I don't know if that would affect things.
 

ezdiy

Member
Mar 29, 2015
42
25
Quick update. According to this video, looks like the BROM EDL/Vol key check only gets disabled in C.05 and C.06 (at least for the Indian market). You seem to be able to regain functionality by rolling back to Android 11. I assume the preloader got updated in order to include the efuse check, which would explain why rolling back fixes it, as the preloader gets downgraded. Either that or the efuse wasn't permanent to begin with. Feel free to correct me if I'm wrong. Also, I'm pretty sure the device in the video had an unlocked bootloader so I don't know if that would affect things.
Yep, Xiaomi did the same thing too - downgrading preloader restored the BROM key, so the efuse check is most likely added in an updated version of preloader.bin. This implies that for as long as rollback is possible (without BROM!), you're fine.

From the looks of it, the whole thing seems designed for OTA update on a locked bootloader where rollbacks *shouldn't* be possible (ie fastboot flash and spflash both refusing to flash an older scatter).
 

    looks like the BROM EDL/Vol key check only gets disabled in C.05
    Both BROM and fastboot work on 05 for me.
    /*
    * Your warranty is... still valid!
    * I am not responsible for bricked devices, dead SD cards,
    * thermonuclear war, or you getting fired because the alarm app failed.
    * Please do some research yourself before asking or use anything on this thread.
    * I do not offer private assistance via Telegram or any other social outside XDA.
    */

    OxygenOS 11.3 EU Full Stock Firmwares for the OnePlus Nord 2 DN2103
    A.20

    Specifics:

    • This rom will not overwrite your userdata or metadata partition.
    • This rom will not overwrite your IMEI, sensors calibration data, or bootloader unlock status.
      Since these partitions are not included: seccfg, nvcfg, nvdata, nvram, persist, proinfo, protect1, protect2.
    • These partitions are not included since are present in the super partition: my_*, odm, product, system, vendor.
    • The vbmeta partition is not stock.
    • The vbmeta partition is stock. A vbmeta_patched partition for root users can be found attached to this thread.

    Requirements:


    Instructions:

    1. Download and install Python, extract Mtkclient, and install UsbDk.
    2. Open a terminal (cmd) inside the extracted Mtkclient folder, and type the command pip3 install -r requirements.txt
    3. After the installation has completed, type the command python mtk_gui to start Mtkclient GUI.
    4. Reboot your phone in BROM mode:
      1. Turn off your phone.
      2. Connect the phone via usb to the pc, and immediately press and hold all 3 buttons (Vol+, Vol-, and Power).
      3. The screen of the phone should remain completely black and Mtkclient should find your phone and connect to it, by reporting "device detected :)" in the cmd. Release all the buttons as soon as the phone is detected.
    5. If the phone won't connect properly, check that it's being correctly detected in Device manager:
      1. Open Device manager.
      2. While the phone is connected in BROM mode to the pc, search for "MediaTek USB Port" under "Ports (COM and LPT)".
      3. Right click on it -> Choose "Update driver" -> "Browse my computer for driver software" -> "Let me pick from a list of available drivers on my computer" -> and change it to "USB serial device".
      4. Sometimes it likes to revert itself back to "MediaTek USB Port", so leave Device manager open to keep an eye on it.
      5. If the phone keeps rebooting itself out of BROM mode, try to be fast when changing the settings inside Device manager. Keep trying until you see that "USB serial device" has stuck.
      6. If Mtkclient freezes on "waiting for preloader VCOM", or the phone keeps rebooting itself out of BROM mode, keep rebooting the phone into BROM mode without letting go of the buttons, without disconnecting it from the pc, and without closing Mtkclient. And release all the buttons just when the phone has been detected. (It could need 2 to 3 reboots. If more, disconnect the cable and retry).
    6. You can now use Mtkclient GUI. (see the guides below)
    7. After you're done flashing, you can exit BROM mode by pressing and holding Vol+ and Power.
    1. Download and install the Re LiveDVD iso of mtkclient and flash it on a pendrive with Rufus.
    2. Create two new folders named "img" and "img_bak" in the pendrive you just flashed with Rufus, and paste inside /img all the files and images you will need.
    3. Start the mtkclient live usb. The login credentials are "user" for both name and password.
    4. Note! the keyboard is set to german by default in the liveusb. To change it, as soon as you boot up in the desktop, click on the "DE" blue text up on the right.
    5. Copy the whole /img and /img_bak directories into the /opt/mtkclient directory.
    6. Disconnect the phone from the pc, and start the MTK script on the desktop of the live usb.
    7. Write the desired command (see below) and press Enter.
    8. As soon as you press Enter, the script will start searching for an attached phone in BROM mode.
      To reboot your phone in BROM mode:
      1. Turn off your phone.
      2. Connect the phone via usb to the pc, and immediately press and hold all 3 buttons (Vol+, Vol-, and Power).
      3. The screen of the phone should remain completely black and Mtkclient should find your phone and connect to it, by reporting "device detected :)" in the cmd. Release all the buttons as soon as the phone is detected.
      4. It is necessary to disconnect the phone, close and reopen the MTK script on the desktop, and reconnect the phone in BROM mode, every time you want to run another command.
    9. To backup any partitions on your phone, use the command python mtk r partition_name_1,partition_name_2,partition_name_3,... img_bak/partition_name_1.img,img_bak/partition_name_2.img,img_bak/partition_name_3.img,.... Example: python mtk r boot,vbmeta,super img_bak/boot.img,img_bak/vbmeta.img,img_bak/super.img. You'll find all your backups inside the /opt/mtkclient/img_bak folder (copy them back to your pendrive to not lose them).
    10. To write all the partitions present in the /img directory to your phone, use the command python mtk wl img. Be sure that the file names have the same name of the partition they're meant to write! Example: The file named "boot.img" <---> Will write the "boot" partition.
    11. Use the command python mtk r preloader img_bak/preloaderdump_backup.bin --parttype=lu1 to backup your preloader partition. You'll find your backup inside the /opt/mtkclient/img_bak folder (copy it back to your pendrive to not lose it).
    12. Use the command python mtk w preloader img/preloaderdump_stock.bin --parttype=lu1 to flash the preloader partition.



    1. If your phone is still not completely fcked up, and even if it is, do a full backup with PartitionsBackupper first + a TWRP backup + Internal storage backup. (better safe than RMA it)
    2. Download the stock firmware .zip, and the latest version of PartitionsBackupper.
    3. Extract both of them in the same directory where adb.exe & fastboot.exe are located (usually the "platform-tools" folder).
    4. Run PartitionsBackupper, choosing the restore option, to flash all partitions with fastboot.
    5. Reboot into the stock recovery and do a full data format before going back messing around. It usually wipes better than TWRP.

    1. Follow this guide only if the command fastboot flashing unlock does not work.
    2. Download and extract the attached seccfg.img unlocked partition.
    3. Download and extract the boot.img, recovery.img, and vbmeta.img from the stock firmware .zip file.
    4. Put all 4 images in a new empty folder, and do not rename the files.
    5. Open Mtkclient (see the guide above).
    6. In the first tab "Read partition(s)": Select the seccfg, boot, recovery, and vbmeta partitions. Click "Read" to backup them up. Save them in a different folder from the one created before.
    7. Now in the second tab "Write partition(s)": Choose "Select from directory" and choose the new folder created before. It should automatically place all 4 images in the correct corresponding partitions. Click "Write" to flash them.
    8. If you're stuck in a bootloop after this, some users have reported that flashing vbmeta a second time fixed it.
    9. You should now have an unlocked bootloader

    This procedure has been successfully tested by an external user.
    1. This guide is useful if your device is not getting recognized via fastboot.
    2. Download and extract the attached preloaderdump_stock.bin image.
    3. Download and extract the boot, recovery, vbmeta, and super images from stock firmware .zip file.
    4. Put the 4 images extracted from the stock firmware, in a new empty folder, and do not rename the files. Do not put the preloader image in this folder.
    5. Open Mtkclient (see the guide above).
    6. In the first tab "Read partition(s)": Select the boot, recovery, vbmeta and super partitions. Click "Read" to backup them up. Save them in a different folder from the one created before.
    7. In the fourth tab "Flash Tools": Choose "Read preloader" to backup it up. Save it in a different folder from the one created before.
    8. Still in the fourth tab "Flash Tools": Choose "Write preloader" and flash the downloaded preloaderdump_stock.bin image.
    9. Last, in the second tab "Write partition(s)": Choose "Select from directory" and choose the new folder created before. It should automatically place all 4 images in the correct corresponding partitions. Click "Write" to flash them.
    10. If you're stuck in a bootloop after this, some users have reported that flashing vbmeta a second time fixed it.
    11. You should now have a working fastboot connection

    This procedure has been successfully tested by an external user.
    1. This guide is useful as a last resort. If you are not able to restore the stock rom in any other way.
    2. Download the stock firmware and extract the folder inside the .zip file.
    3. Open Mtkclient (see the guide above).
    4. In the first tab "Read partition(s)": Choose "Select all partitions" and click "Read" to backup them up. Save them in a different folder from the one with the stock firmware.
    5. Now in the second tab "Write partition(s)": Choose "Select from directory" and choose the folder with the stock firmware. It should automatically place all the images in the correct corresponding partitions. Click "Write" to flash them.
    6. If you're stuck in a bootloop after this, try flashing the preloader and seccfg partitions following the guides above, and then repeat this procedure a second time.
    7. Your device should hopefully boot now

    Yeah.. Looks like OxygenOS doesn't really like to be rooted. Your phone will occasionally go into a bootloop without any notice or known reason (so far).
    The cause of this behavior is still unknown to me, if you are able to find any explanation or better solution please post it here!
    The only solution I know so far, is to just format your phone back to stock, and then restore your userdata partition:
    1. Make a backup of your Internal storage, recovery, boot, vbmeta, and userdata partitions. Both with PartitionBackupper or Mtkclient, what's more handy for you.
    2. Flash the stock firmware on the phone.
    3. Format data with the stock recovery.
    4. Restore your previously backed-up partitions and storage.
    5. When booting to system for the first time, it's possible your interface / GUI will be malfunctioning. Just reboot one more time to fix this.
    6. Finally, go into the setting and reset your password / sequence / PIN.

    Thanks to Zombnombs, TheWing, SeBright, Giovix92 for the help!




    DOWNLOAD
    AndroidFileHost
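A pre-flight check for the LiveDVD command sequence in the guide above (steps 9 to 12), as an added example that is not code from the thread or from mtkclient. It takes a listing of the img/ directory and produces the backup commands to run before the write commands, in the exact `python mtk r ...`, `python mtk wl img` and `python mtk w preloader ... --parttype=lu1` forms the guide uses. It also refuses silently doing two things the thread warns about: writing preloader through `wl` instead of the `--parttype=lu1` form, and flashing lk/lk2 from one build without the preloader from the same build (the thread notes tee has the same dependency, but its partition name is not given there, so it is left out). The directory listings in the usage are constructed; the helper never touches a device itself.

```python
import os
from typing import Dict, List, Optional

# Partitions the thread says must be flashed together with preloader
# (both old or both new). tee is coupled as well per the thread's EDIT,
# but its partition name is not given there, so it is not listed.
LK_PARTS = {"lk", "lk2"}


def partitions_in_dir(filenames: List[str]) -> List[str]:
    """Map image file names to partition names the way 'mtk wl' does (boot.img -> boot)."""
    parts = set()
    for name in filenames:
        stem, ext = os.path.splitext(os.path.basename(name))
        if ext.lower() in (".img", ".bin"):
            parts.add(stem)
    return sorted(parts)


def plan_flash(filenames: List[str], preloader_image: Optional[str] = None,
               img_dir: str = "img", bak_dir: str = "img_bak") -> Dict:
    """Build backup-then-write mtkclient commands for one flashing session.

    filenames:       listing of img_dir (the partitions 'mtk wl' would write)
    preloader_image: path of a preloader image to flash with --parttype=lu1,
                     or None if preloader is left untouched
    """
    parts = partitions_in_dir(filenames)
    warnings = []

    # The guide writes preloader only through 'w preloader ... --parttype=lu1'.
    if "preloader" in parts:
        parts.remove("preloader")
        warnings.append("preloader image found in %s/: move it out and pass it as "
                        "preloader_image so it is written with --parttype=lu1" % img_dir)

    lk_present = LK_PARTS & set(parts)
    if lk_present and preloader_image is None:
        warnings.append("%s present without a preloader from the same build; "
                        "flash both or neither" % ",".join(sorted(lk_present)))
    if preloader_image is not None and not lk_present:
        warnings.append("preloader given without lk/lk2 from the same build; "
                        "flash both or neither")

    backup_cmds, write_cmds = [], []
    if preloader_image is not None:
        backup_cmds.append("python mtk r preloader %s/preloaderdump_backup.bin --parttype=lu1"
                           % bak_dir)
        write_cmds.append("python mtk w preloader %s --parttype=lu1" % preloader_image)
    if parts:
        backup_cmds.append("python mtk r %s %s" % (
            ",".join(parts),
            ",".join("%s/%s.img" % (bak_dir, p) for p in parts)))
        write_cmds.append("python mtk wl %s" % img_dir)

    return {"partitions": parts, "backup_cmds": backup_cmds,
            "write_cmds": write_cmds, "warnings": warnings}


if __name__ == "__main__":
    # Constructed img/ listing, as in step 2 of the LiveDVD guide.
    plan = plan_flash(["boot.img", "vbmeta.img", "super.img"])
    for w in plan["warnings"]:
        print("WARNING:", w)
    for cmd in plan["backup_cmds"] + plan["write_cmds"]:
        print(cmd)
```

Run `plan_flash(os.listdir("img"))` (or with `preloader_image="img/preloaderdump_stock.bin"` when the preloader guide applies) and copy the printed commands into the MTK script one at a time, remembering the guide's note that the phone must be re-entered into BROM mode between commands. Treat any printed WARNING as a reason to fix the img/ folder before flashing anything.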
    3
    i also had some sort of a victory :).
    my device was also stuck (Post#13)
    only flashing seccfg.img with the pendrive didnt work, still stuck, and still locked bootloader
    i had to flash the correct versions of boot.img, recovery.img and vbmeta.img via mtktools (in my case A.07)
    now i can start the phone, it's on the welcome screen
    and it seems to have locked bootloader right now.

    i have to see later, what i'm doing now :)

    @All: thanks for your help!
    3
    I've reuploaded the file, please try again
    3
    Are you using windows ? check it in device-manager when you are in "userspace-fastboot" it should report as adb-bootloader-interface. If not click on use driver - > adb bootloader interface

    Thank you! You beautiful person Kingslayer! It's unbricked!

    Sometimes you overlook the obvious when you're dealing with issues, and for me it was as you said - not installing the device as 'adb bootloader interface' from device manager while in the userspace fastboot. I also started PartitionsBackupper from TWRP as you said so that may have helped as well. But also, as a note for anyone who may face this issue - after it all completed, I received the same red boot error message as earlier, but by booting into fastboot from that screen and reflashing the vbmeta.img from the latest a.16 stock in the OP, it allowed it to boot fine. Is that what you meant at the end there?

    Fingerprint scanner and camera are working fine as well, so the persist is actually still intact too.

    Bloody hell, what a relief. Thank you again man, you saved me the stress of an RMA request I was prepared to make in the morning. And thanks as well Raygen for the tool, once you understand how to actually work it, it does the trick.
    3
    Hey there! Nord 2 5G user and, mostly, developer.
    @Raygen I guess you can add another 'usecase' to the overall guide: managed to hard brick the device. Basically wasn't booting in any mode: fastboot, recovery or whatever; achieved this by flashing boot.img into recovery partition (don't ask me why lol).

    By the way, used your "Locked bootloader" guide with a little modification:
    - I've also added lk & lk2 from my backup, because those apparently are 'damaged' by the previous command (don't ask me how cause I don't have any clue about it).
    - Instead of using
    Bash:
    python mtk wl img
    as you described, I just used a one-liner command based on mtkclient's README:
    Bash:
    python mtk w lk,lk2,boot,recovery,vbmeta lk.img,lk2.img,boot.img,recovery.img,vbmeta.img
    The syntax is the following one:
    Code:
    python mtk w name_1,name_2 name_1.img,name_2.img
    The one-liner command basically flashes everything in one shot, and afterwards, when you disconnect the usb cable and power it on, it *should* boot up. If it doesn't, flash preloader like you did, re-trigger BROM mode and redo that one-liner command.
    Hard bricked intentionally another time to test this out and, at least, have some proofs. :)
    I could attach mine (lk & lk2), if needed.

    Hope y'all like it! Cheers!