back to index

Asus Zenfone M1 bootloader unlock and LineageOS


Why
Phone
Steps
      WARNING
            Avoid triggering FRP lock
Tools
      fastboot
      adb
variables and possible model differences
Unlocking
      failed attempt, vendor app
      failed attempt, script
      fastboot interrogation
      bootloader unlock, TWRP flash
LineageOS installation
Magisk installation
Issues
TODO

test: 115.43'C, 58'c, 100'F, 1000'K

test: 100kg, 60g, 100mg

test: 0x01 0x10 0x4321 0x1023

[link?:testxxx|123|456]


Why

A cellphone was obtained, with the desire to run LineageOS, in order to maintain control over the hardware.

The solutions available on the internet ranged from fastboot methods that did not work well due to being obsoleted to scripts that did not work for this or that reason.

As a bonus, Android 9 can be used instead of stock Android 8.1.


Phone


Steps

WARNING

This will erase all data from the phone. Backup all or work with a fresh unit.

Avoid triggering FRP lock

When working with a donated unit, do not forget to remove the user account which is logged to the app store. Otherwise there is a risk of triggering the "FRP lock", where the phone insists on logging in to this account before continuing with setup. Removal of this without the account information tends to be annoying. In theory, this is a measure against phone thieves. In practice, it is a headache for hand-me-down uses, and different types of phones tend to require different methods - the merchants buying the stolen equipment of course have both the tools and the knowledge.


Tools

Tools used are fastboot and adb, both in linux and windows versions.

fastboot

fastboot is for communication with the phone in the bootloader mode. Flashing, variable interrogation, and reboots to different modes are possible here.

The bootloader mode can be accessed with powering the phone on with simultaneously pressed volume-up key. Fairly standard android method. Another method is via adb, adb reboot bootloader.

Windows version of fastboot tended to get confused and refused to get variables from the phone. This initially caused some scare as it was thought the automatic script may have damaged the bootloader.

It is said this can be cured by rebooting windows, but it may also return back. Operations with linux version were more reliable, however that version was older and did not support some commands, namely the "flashing" one.

fastboot getvar all
getvar:all FAILED (remote: GetVar Variable Not found)

Individual variables queried were failling too.

Protocol is described at https://android.googlesource.com/platform/system/core/+/master/fastboot/.

adb

adb is for communication with the phone after booting, or in sideload mode. File transfers, shell, reboots to different modes, and other operations are possible.

Linux version was a little old, the TWRP recovery sideload mode required a newer version.


variables and possible model differences

Phones are different. The unlock script refers to variables not present on this specific model, and to their values.

fastboot getvar platform
fastboot getvar current-slot
fastboot getvar build-type
fastboot getvar secret-key-opt
fastboot oem get_random_partition

Unlocking

failed attempt, vendor app

The app was downloaded via Chrome but it refused to install. Maybe it would work from sideload, was not tested. This "official unlock" is said to void the warranty and to not be undoable.

failed attempt, script

Full "canned" solutions containing fastboot.exe, adb.exe and related DLL files, and a .scr or .bat script that does the multistep job, exist. They are however prone to fail in edge cases, when something goes wrong.

fastboot interrogation

fastboot getvar all
(bootloader) CPU:SDM636
(bootloader) platform:sdm636
(bootloader) secret-key-opt:<i>xXXXXxxXxxxXxxxxXxXxxxXxx</i>
(bootloader) build-type:user
(bootloader) unlocked:no
(bootloader) off-mode-charge:1
(bootloader) charger-screen-enabled:1
(bootloader) battery-soc-ok:yes
(bootloader) battery-voltage:4104
(bootloader) version-baseband:
(bootloader) version-bootloader:ZB601KL-0x01-20190216<i>xxxxxx</i>
(bootloader) variant:SDM EMMC
(bootloader) partition-type:cache:ext4
(bootloader) partition-size:cache: 0x15E00000
(bootloader) partition-type:userdata:ext4
(bootloader) partition-size:userdata: 0x5A3BFBE00
(bootloader) partition-type:system:ext4
(bootloader) partition-size:system: 0x100000000
(bootloader) secure:yes
(bootloader) serialno:K4AXB<i>xxxxxxxxxx</i>
(bootloader) product:QC_Reference_Phone
(bootloader) max-download-size:536870912
(bootloader) kernel:uefi
all:
finished. total time: 0.136s
fastboot oem device-info
...
(bootloader) Verity mode: true
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
(bootloader) Bootloader version: ZB601KL-0x01-20190216<i>xxxxxx</i>
OKAY [ 0.000s]
finished. total time: 0.000s

bootloader unlock, TWRP flash

Two phone-specific variables are needed:

To convince the phone to allow the unlock operation, the secret key has to be flashed to the "random partition".

fastboot oem get_random_partition
...
(bootloader) <i>YyYYYyyYYyYYY</i>
OKAY [ 0.000s]
finished. total time: 0.000s
fastboot getvar secret-key-opt
...results in xXXXXxxXxxxXxxxxXxXxxxXxx
...or we can get it from the fastbook getvar all list

We prepare the file to flash

echo <i>xXXXXxxXxxxXxxxxXxXxxxXxx</i> > key.bin

and flash the file

fastboot flash <i>YyYYYyyYYyYYY</i> key.bin
target reported max download size of 536870912 bytes
sending '<i>YyYYYyyYYyYYY</i>' (0 KB)...
OKAY [ 0.010s]
writing '<i>YyYYYyyYYyYYY</i>'...
(bootloader) Begin to do frp unlock ...
(bootloader) FRP unlock successful !!!
OKAY [ 0.005s]
finished. total time: 0.015s

Now we are prepared. We unlock it further. (Here the issue with linux fastboot not supporting the "flashing" command was encountered. The phone was reconnected to the Windows machine.)

fastboot.exe flashing unlock
(some response)
fastboot.exe flashing unlock_critical
(some response)

We check if it really works.

fastboot oem device-info
...
(bootloader) Verity mode: true
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: true
(bootloader) Charger screen enabled: true
(bootloader) Bootloader version: ZB601KL-0x01-20190216xxxxxx
OKAY [ 0.001s]
finished. total time: 0.001s

...it did, "Device unlocked: true", and we are ready to flash the recovery partition.

Earlier we obtained the TWRP binary image for the proper phone version; it is NECESSARY to match the version with the phone, or it is likely to not work!

Download from here: https://forum.xda-developers.com/asus-zenfone-max-pro-m1/development/recovery-unofficial-twrp-3-2-3-0-t3888110

Now follow the instructions from the page.

Flash the binary:

fastboot flash recovery twrp-3.3.1-0-X00T-20190526.img
target reported max download size of 536870912 bytes
sending 'recovery' (28884 KB)...
OKAY [ 0.796s]
writing 'recovery'...
OKAY [ 0.000s]
finished. total time: 0.796s

Congratulations, TWRP is installed.

Now, stabilize it:

fastboot reboot recovery

(or power-on with volume-down pressed)

And when asked to swipe to allow modifications, swipe. This trips the Android Verified Boot and allows modifications. Otherwise the system could recover the recovery partition to its original form.


LineageOS installation

The adb sideload method did not work due to the old version of adb.

Alternative method was used, with files loaded to the microSD card.

The main file is lineage-16.0-2020xxxx-nightly-X00TD-signed.zip.

The supplementary file for root was downloaded from https://download.lineageos.org/extras, file addonsu-16.0-arm64-signed.zip was used.

Google apps package was downloaded from https://androidfilehost.com/?flid=170282&w=files, file MindTheGapps-9.0.0-arm64-20190615_031441.zip.

All three files were loaded to the microSD card, the card placed to the phone, the phone booted to recovery. Instructions with wiping partitions from the lineageos installation guide were followed, up to the point where adb sideload is used.

LineageOS was then attempted to be flashed. The operation failed, with error message about a version of firmware.

File PIE_20190401_firmware.zip was located by google and added to the sd card.

Files were flashed one by one, in sequence

After reboot, rooted LineageOS was running on the phone.


Magisk installation

download Magisk from https://magisk.me/:

...and now install all the desired modules

Issues


TODO


If you have any comments or questions about the topic, please let me know here:
Your name:
Your email:
Spambait
Leave this empty!
Only spambots enter stuff here.
Feedback: