Bootloader Unlocking (WIP)

In order to flash any third party system images to your device, it is essential to unlock the bootloader first.
Documented here are several different methods for doing so.

WARNING!

Unlocking your bootloader will wipe your device!
Locking your bootloader on most newer devices will also wipe your device!
Please backup all of your contacts, photos, files, apps, keys, etc. first!

Prerequisites

Research for information surrounding your specific device model.
It is strongly recommended to be running the latest factory images before switching, especially if relocking. Note, however, that some devices must be running an older version to allow installation of alternative systems.

You'll need ADB access in order to attempt any of the methods below.

On your computer

  • Arch Linux: sudo pacman -S android-tools android-udev
  • Fedora: sudo dnf install android-tools
  • Debian: sudo apt install android-tools-adb android-tools-fastboot
  • Mac OS: Download ADB from here and extract it
  • Windows: Install UniversalADB from here and download ADB from here and extract it
  • You'll also need a recovery.img for your specific device. Either ours or TWRP

On your phone

  1. Open the 'Settings' app
  2. Navigate to the 'About' page
  3. Tap on the field labeled 'Build number' 7 times
  4. A toast should appear saying that developer mode has been enabled
  5. There should now be a screen in the 'Settings' app labeled 'Developer options'
  6. Under 'Developer options', enable 'Android debugging'

Fastboot

    Unlocking

    1. Open the dialer app and dial "*##CHECKIN##*"
    2. Enable 'Allow OEM unlocking' under 'Developer options' in Settings if available
    3. Reboot to the bootloader via key combination or $ adb reboot bootloader
    4. $ fastboot oem unlock or $ fastboot flashing unlock
    5. $ fastboot flash recovery recovery.img
    6. Reboot to recovery (use volume buttons to navigate if on or key combination if off)
    7. $ adb sideload system.zip

    Locking

    Locking your bootloader with an incorrectly signed system image or on an unsupported device can result in a permanent brick!

    1. After installing a properly signed system, you must verify that it boots, that it functions, that updates work, and that a factory reset works.
    2. Reboot to the bootloader via key combination or $ adb reboot bootloader
    3. AVB devices only: $ fastboot erase avb_custom_key
    4. AVB devices only: $ fastboot flash avb_custom_key avb_pkmd.bin
    5. $ fastboot oem lock or $ fastboot flashing lock
    6. It is recommended to keep 'Allow OEM unlocking' checked under 'Developer options' in Settings for recovery purposes.
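The unlock and lock sequences above, wrapped in a small POSIX shell script with the checks a practitioner would want before a step that wipes or flashes the device. This is an added example, not code from the original page or from the project whose recovery image it mentions. The helper functions take command output as text, so they can be exercised without a device; the `adb devices` and `fastboot getvar` samples are constructed, and the script name `unlock_check.sh` and the expected SHA-256 argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks around the
# generic fastboot unlock and lock steps. The helpers take command output as
# text, so they can be tested without a device; the driver at the bottom runs
# only when the script is invoked with a mode argument.

# Succeed only when `adb devices` output lists exactly one device in the
# "device" state; "unauthorized" and "offline" entries are not counted.
adb_one_device() {
    n=$(printf '%s\n' "$1" | awk 'NR > 1 && $2 == "device" { n++ } END { print n + 0 }')
    [ "$n" -eq 1 ]
}

# Print yes, no or unknown from `fastboot getvar unlocked` output. fastboot
# writes getvar results to stderr, so capture them with 2>&1.
unlock_state() {
    printf '%s\n' "$1" \
        | sed -n 's/^.*unlocked:[[:space:]]*\([a-z]*\).*$/\1/p' \
        | head -n 1 \
        | grep -E '^(yes|no)$' || echo unknown
}

# Compare an image file against a SHA-256 obtained from a trusted source
# (the publisher's signed checksum list) before it is flashed.
image_matches() {
    # $1: image path, $2: expected SHA-256 hex digest
    [ -n "$2" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" 2>/dev/null | cut -d ' ' -f 1)
    else
        actual=$(shasum -a 256 "$1" 2>/dev/null | cut -d ' ' -f 1)   # macOS
    fi
    [ "$actual" = "$2" ]
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_ADB_ONE='List of devices attached
0123456789ABCDEF device
'
SAMPLE_ADB_UNAUTHORIZED='List of devices attached
0123456789ABCDEF unauthorized
'
SAMPLE_GETVAR_UNLOCKED='unlocked: yes
Finished. Total time: 0.001s'
SAMPLE_GETVAR_LOCKED='unlocked: no
Finished. Total time: 0.001s'

# Driver (assumed script name unlock_check.sh):
#   sh unlock_check.sh unlock recovery.img <expected-sha256>
#   sh unlock_check.sh lock [avb_pkmd.bin]      (device already in bootloader)
case "${1:-}" in
unlock)
    [ $# -eq 3 ] || { echo "usage: $0 unlock <recovery.img> <sha256>" >&2; exit 2; }
    adb_one_device "$(adb devices)" || { echo "need exactly one authorized ADB device" >&2; exit 1; }
    image_matches "$2" "$3" || { echo "recovery image checksum mismatch, not flashing" >&2; exit 1; }
    adb reboot bootloader
    # Newer devices use "flashing unlock", older ones "oem unlock"; either way
    # the device asks for on-screen confirmation and then wipes user data.
    fastboot flashing unlock || fastboot oem unlock
    [ "$(unlock_state "$(fastboot getvar unlocked 2>&1)")" = yes ] \
        || { echo "bootloader did not report unlocked, not flashing" >&2; exit 1; }
    fastboot flash recovery "$2"
    ;;
lock)
    # Only after step 1 of the locking sequence (boot, function, update and
    # factory-reset checks) has been done by hand.
    [ "$(unlock_state "$(fastboot getvar unlocked 2>&1)")" = yes ] \
        || { echo "device does not report unlocked, nothing to do" >&2; exit 1; }
    if [ -n "${2:-}" ]; then          # AVB devices only
        fastboot erase avb_custom_key
        fastboot flash avb_custom_key "$2"
    fi
    fastboot flashing lock || fastboot oem lock
    ;;
esac
```

The checksum comparison is the part worth keeping even if you type the rest by hand: the bootloader accepts whatever image you hand it, so the only point at which a corrupted or substituted recovery.img can be caught is before `fastboot flash`.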

Fastboot (LGE)

  • Devices Supported: Select LGE Phones
  • LGE has their own garbage unlocking method, and prevents most devices from being unlocked.
    1. First check here to see if your device "qualifies"
    2. Create an LG Developer account (sorry)
    3. Note down your IMEI (From original box or from Settings -> About -> Status)
    4. Reboot to the bootloader via key combination or $ adb reboot bootloader
    5. $ fastboot oem device-id
    6. Combine the two lines of output into a single string
    7. Paste it into the site along with the IMEI
    8. Click 'Confirm'
    9. Wait a few minutes for an email
    10. Save the unlock.bin from the email and keep it for future use
    11. $ fastboot flash unlock unlock.bin
    12. $ fastboot flash recovery recovery.img
    13. Reboot to recovery (use volume buttons to navigate if on or key combination if off)
    14. $ adb sideload system.zip

Fastboot (Motorola)

  • Devices Supported: Select Motorola Phones
  • Motorola also has their own garbage unlocking method, and prevents some devices from being unlocked.
    1. First check here to see if your device "qualifies"
    2. If it does, click the 'Unlock' link for your device
    3. Create a Motorola or Google account (sorry)
    4. Reboot to the bootloader via key combination or $ adb reboot bootloader
    5. $ fastboot oem get_unlock_data
    6. Use the little tool on the site to format the above output
    7. Paste it into the field
    8. Click 'Request Unlock Key' and then 'I Agree'
    9. Wait a few minutes for an email
    10. Copy the code from the email and save it for future use
    11. $ fastboot oem unlock [KEY FROM EMAIL]
    12. $ fastboot flash recovery recovery.img
    13. Reboot to recovery (use volume buttons to navigate if on or key combination if off)
    14. $ adb sideload system.zip
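Step 6 of both the LGE and Motorola sequences asks you to join the multi-line `(bootloader)` output into one string before pasting it into the vendor portal. As an added example (not the page's own code, nor either vendor's tool), the POSIX shell function below strips the `(bootloader)` prefix, drops header and status lines, and concatenates what remains. It assumes the data lines consist only of hex digits and `#`, which is what lets it discard lines such as `Device-ID`, `OKAY` and `Finished.`; the sample outputs are constructed, the hex values are not real identifiers, and the script name `join_id.sh` is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page or from either vendor's portal:
# join the multi-line "(bootloader) ..." output of `fastboot oem device-id`
# (LGE) or `fastboot oem get_unlock_data` (Motorola) into the single string
# the unlock portal expects. Assumption: data lines contain only hex digits
# and '#', which is what lets header and status lines be dropped.

join_bootloader_lines() {
    # $1: captured command output. fastboot prints these lines to stderr,
    # so capture it with 2>&1. Fails (exit 1) if no data line is found.
    printf '%s\n' "$1" | awk '
        /^\(bootloader\)/ {
            sub(/^\(bootloader\)[ \t]*/, "")   # strip the prefix
            gsub(/[ \t\r]/, "")                 # and stray whitespace or CR
            if ($0 ~ /^[0-9A-Fa-f#]+$/) data = data $0
        }
        END {
            if (data == "") exit 1
            print data
        }'
}

# Constructed sample of `fastboot oem device-id 2>&1` on an LGE device; the
# two hex lines are made up, not a real Device-ID.
SAMPLE_LGE_DEVICE_ID='(bootloader)    Device-ID
(bootloader)    3A5F0C19E2B74D86
(bootloader)    91C4D2E7F0A3B5C6
OKAY [  0.004s]
Finished. Total time: 0.004s'

# Constructed sample of `fastboot oem get_unlock_data 2>&1` on a Motorola
# device; the values are made up.
SAMPLE_MOTO_UNLOCK_DATA='(bootloader) 0A40040192024205#4C4D3556313230
(bootloader) 30373731363031303332323239#BD00
(bootloader) 8A672BA4746C2CE02328A2AC0C39F95
(bootloader) 1A3E5#1F53280002000000000000000
(bootloader) 0000000
OKAY [  0.010s]
Finished. Total time: 0.010s'

# Live use, with the device in the bootloader (assumed script name join_id.sh):
#   sh join_id.sh lge     -> paste the result into the LG Developer site
#   sh join_id.sh moto    -> paste the result into the Motorola unlock page
case "${1:-}" in
lge)  join_bootloader_lines "$(fastboot oem device-id 2>&1)" ;;
moto) join_bootloader_lines "$(fastboot oem get_unlock_data 2>&1)" ;;
esac
```

Filtering on character class rather than on line position is deliberate: the number of data lines differs between vendors (two for LGE, several for Motorola) and fastboot versions differ in how much status text they print around them, so "keep only lines that look like unlock data" is the rule that survives both.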

WARNING!

From here on all of the following methods can very easily and irreversibly destroy your device!

LG UP

  • Devices Supported: Select LG devices
  • This is not a bootloader unlock, but a way to get a custom recovery installed (which is good enough). It is easy, but can be tedious.
    1. Windows is required for this. KVM USB passthrough has been confirmed to work.
    2. [TO BE COMPLETED]

LG LAF

  • Devices Supported: Select LG devices
  • This is not a bootloader unlock, but a way to get a custom recovery installed (which is good enough). It is easy, but can be tedious.
    1. [TO BE COMPLETED]

Heimdall

  • Devices Supported: Select Samsung devices
    1. [TO BE COMPLETED]

Bulk Mode

  • Devices Supported: Kindle Fire HDX 7/8 2014 (apollo/thor)
  • Credit/Source: @draxie
  • This method is simple, but dangerous.
  • This is not a bootloader unlock, but a way to get a custom recovery installed (which is good enough).
    1. Windows is required for this. KVM USB passthrough has been confirmed to work.
    2. Download dd from here
    3. Connect your device
    4. > wmic partition where index=22 get diskindex
    5. > wmic partition where (index=17 and numberofblocks=20480) get diskindex
    6. > wmic partition where (index=5 and numberofblocks=4096) get diskindex
    7. The above 3 commands should all return the same DiskIndex
    8. Reboot to the bootloader via key combination or $ adb reboot bootloader
    9. > fastboot -i 0x1949 erase aboot
    10. > fastboot -i 0x1949 reboot
    11. > dd of=\\?\Device\Harddisk[DiskIndex]\Partition6 if=aboot_vuln.mbn
    12. > dd of=\\?\Device\Harddisk[DiskIndex]\Partition18 if=twrp_cubed.img
    13. If you get the error "Error reading file: 87 The parameter is incorrect", ignore it
    14. Wait a few minutes
    15. Force the device off by holding the power button
    16. Reboot to recovery (use volume buttons to navigate if on or key combination if off)
    17. $ adb sideload system.zip

Kernel Exploit

  • This method works by first getting root, then overwriting the recovery partition.
  • This is not a bootloader unlock, but a way to get a custom recovery installed (which is good enough).
    1. Download the following apps: GingerBreak (CVE-2011-1823), Towelroot (CVE-2014-3153), croowt (CVE-2016-5195)
    2. $ adb install *.apk
    3. $ adb push recovery.img /sdcard/recovery.img
    4. Attempt to gain root using each app
    5. $ adb shell
    6. $$ su
    7. $$ dd if=/sdcard/recovery.img of=/dev/block/bootdevice/by-name/recovery
    8. The output path (of=) in the above command may differ between devices.
    9. Reboot to recovery (use volume buttons to navigate if on or key combination if off)
    10. $ adb sideload system.zip