Even before creating PotatoNV, @TishSerg discovered that unlock key can be rewritten with the SHA256 hash of the desired key to the USRKEY property. However, to access NVME (a raw partition that stores stuff like serial number, device traits, etc.), a user should flash custom recovery or gain temporary root privileges. But both methods are complex and are not guaranteed to work.
After researching the legacy bootloader of some Huawei devices, I’ve found a nve command, which allows to read or write any property in the NVME partition. Of course, this command requires an unlocked bootloader. So it remains to find a way to quickly unlock the bootloader. The way out is quite simple – use the bootloader from the board software.
The program uploads a special “USB bootloader” (exported from the board software) through the DOWNLOAD_VCOM mode. VCOM is smth like EDL on Qualcomm devices: it can be triggered by a system failure or by shorting test points. After uploading the bootloader, the device should switch to the fastboot mode. The “USB bootloader” has an important trait: it’s unlocked out-of-the-box, so it allows to execute any command.
So, we’re just going to send a command through the USB bulk interface to write SHA256 hash to USRKEY and reboot the device.
That’s it.
Features:
- Select option For target device – If the device is connected then this option is appears
- Bootloader – CPU Select which you have to unlock the bootloader
- Serial Number – Is not mandatory to enter the serial number in some cases need to enter a serial number of your device.
- Board ID – Is also not mandatory to enter, if you have failed to unlock the bootloader with the CPU option then you enter your Board id and again try to unlock
- Unlock Code – is automatically generated when you have installed this program. this code is sent to the bootloader of your phone and unlocked.
| Device | Model | Bootloader |
|---|---|---|
| Honor 7X | BND | Kirin 659 (A) |
| Honor 8 Pro / V9 | DUK | Kirin 960 |
| Honor 9 Lite | LLD | Kirin 659 (A) |
| Honor 9 | STF | Kirin 960 |
| Huawei Mate 9 | MHA | Kirin 960 |
| Huawei Mate 9 Pro | LON | Kirin 960 |
| Huawei MediaPad M5 Lite | BAH2 | Kirin 659 (B) |
| Huawei MediaPad M5 | CMR | Kirin 960 |
| Huawei MediaPad T5 | AGS2 | Kirin 659 (A) |
| Huawei Nova 2 | PIC | Kirin 659 (A) |
| Huawei Nova 2i / Mate 10 Lite | RNE | Kirin 659 (B) |
| Huawei Nova 2s | HWI | Kirin 960 |
| Huawei P Smart 2018 | FIG | Kirin 659 (B) |
| Huawei P10 | VTR | Kirin 960 |
| Huawei P20 Lite / Nova 3e | ANE | Kirin 659 (A) |
| Huawei P8 Lite (2017) | PRA | Kirin 659 (A) |
| Huawei P9 Lite | VNS | Kirin 659 (A) |
| Huawei Y9 (2018) | FLA | Kirin 659 (A) |
What’s new !!!
- New UI, no more textboxes
- Fixed crash due to an invalid response in VCOM mode
- Fixed
WVLOCKreadback - Fixed
FBLOCKstate detection on legacy devices (#63 – thx @TBM13)
How To Unlock bootloader?
- To begin with, remove the back cover from your device. You may take the help of a hairdryer to heat the back and then carefully peel off the cover.
- Now you need to find the test point of your device. Then power it off and perform the short test point.
- When that is done, connect your device to the PC via the USB cable
- Launch the PotatoNV Tool and select HUAWEI USB COM 1.0 from the device list.
- Select the bootloader of your device from the tool’s drop-down list. If you aren’t sure of the same, refer to our Devices Tested section above [Selecting the incorrect bootloader will give out the ACK is invalid! ACK=…; Excepted=0xAA or System.TimeoutException error].
- Next up are the Serial Number and Board ID fields, they are optional and you may leave them blank.
- The final section gives out the bootloader unlock code. You may change it to any random strings, but make sure that it has 16 characters.
- Finally, hit the Start button and wait for the process to finish.
- Once done, your device will automatically reboot with the message “Your device has been unlocked”. That’s it, the process stands complete.