Unlock bootloader of Huawei devices on Kirin 960/95x/65x/620
GPL-3.0 License
Get binaries for Windows in the releases section. For Linux or macOS consider using the PotatoNV-crossplatform.
Follow the video guide or read the manual below.
The first step is the most difficult thing to do. You need to disassemble your device: this is necessary in order to access the contacts on the motherboard.
If you're not sure that you have enough experience to disassemble the device, then consider using paid software, that supports "software testpoint".
Warning
I strongly recommend watching video manuals for disassembling your device.
Warning
Be extremely careful with planar cables!
These cables are used in tablets, as well as in phones with a fingerprint scanner on the back cover.
You will need: a hair dryer, a guitar pick or a plastic card, conductive tweezers and maybe a screwdriver.
It's time to Google. You need to find the location of a special point on the motherboard – testpoint.
Note
If you are wondering why you need to do something with the unfortunate testpoint, then read the contents of the spoiler below.
To search, use the model name before the hyphen + "testpoint". For example for Honor 9 Lite (LLD-L31) you should Google "lld testpoint".
The marks may vary:
Here you will need sleight of hand: try to short-circuit the point and the metal shield (in option 1 and 2), or short-circuit both points (option 3) with tweezers. Without removing the tweezers, connect the USB cable to the computer.
After 3 seconds, the tweezers can be removed.
Open the "Device Manager" – you should see an unknown device named USB SER
, or Serial Port HUAWEI USB COM 1.0
.
If the device has not been detected, make sure you are using a good cable, the tweezers are not a dielectric, and you are shorting the desired point.
Note
All bootloaders are flashing to RAM, so an incorrect bootloader cannot harm the device.
Note
Disable FBLOCK
checkbox disables a special securtiy check. That modification allows you to flash/erase secure partitions or execute oem commands, that are not available with normal unlocking by unlock code [USERLOCK
].
Warning
FBLOCK
unlocking works correctly only on devices with Kirin 960 or Kirin 65x. Disabling this option can cause serious problems on legacy devices.
Okay, now refer to this table and select the appropriate bootloader.
Press the Start button. 🪄
The procedure will take no more than a minute. The program should write a new unlock code, keep it in a safe place.
Reboot your device to fastboot mode and execute following command on the host machine:
fastboot oem unlock YOUR_CODE_HERE
have fun.
Even before creating PotatoNV, @TishSerg discovered that unlock key can be rewritten with the SHA256 hash of the desired key to the USRKEY
property. However, to access NVME (a raw partition that stores stuff like serial number, device traits, etc.), a user should flash custom recovery or gain temporary root privileges. But both methods are complex and are not guaranteed to work. After researching the legacy bootloader of some Huawei devices, I've found a nve
command, which allows to read or write any property in the NVME partition. Of course, this command requires an unlocked bootloader.
So it remains to find a way to quickly unlock the bootloader. The way out is quite simple - use the bootloader from the board software.
The program uploads a special "USB bootloader" (exported from the board software) through the DOWNLOAD_VCOM
mode. VCOM is smth like EDL on Qualcomm devices: it can be triggered by a system failure or by shorting testpoint.
After uploading the bootloader, the device should switch to the fastboot mode. The "USB bootloader" has an important trait: it's unlocked out-of-the-box, so it allows to execute any command.
So, we're just going to send a command through the USB bulk interface to write SHA256 hash to USRKEY and reboot the device.
That's it.
Device | Model | Bootloader |
---|---|---|
Huawei P8 Lite (2015) | ALE |
Kirin 620 |
Huawei Y6II | CAM |
Kirin 620 |
Honor 5C / 7 Lite | NEM |
Kirin 65x (A) |
Honor 6X | BLN |
Kirin 65x (A) |
Honor 7X | BND |
Kirin 65x (A) |
Honor 9 Lite | LLD |
Kirin 65x (A) |
Huawei MediaPad T5 | AGS2 |
Kirin 65x (A) |
Huawei Nova 2 | PIC |
Kirin 65x (A) |
Huawei P10 Lite | WAS |
Kirin 65x (A) |
Huawei P20 Lite / Nova 3e | ANE |
Kirin 65x (A) |
Huawei P8 Lite (2017) | PRA |
Kirin 65x (A) |
Huawei P9 Lite | VNS |
Kirin 65x (A) |
Huawei Y9 (2018) | FLA |
Kirin 65x (A) |
Huawei MediaPad M5 Lite | BAH2 |
Kirin 65x (B) |
Huawei Nova 2i / Mate 10 Lite | RNE |
Kirin 65x (B) |
Huawei P Smart 2018 | FIG |
Kirin 65x (B) |
Honor 6 Plus | PE |
Kirin 925 |
Honor 7 | PLK |
Kirin 935 |
Huawei P8 | GRA |
Kirin 935 |
Honor 8 Pro / V9 | DUK |
Kirin 950 |
Honor 8 | FRD |
Kirin 950 |
Huawei P9 Standart | EVA |
Kirin 950 |
Honor 9 | STF |
Kirin 960 |
Huawei Mate 9 Pro | LON |
Kirin 960 |
Huawei Mate 9 | MHA |
Kirin 960 |
Huawei MediaPad M5 | CMR |
Kirin 960 |
Huawei Nova 2s | HWI |
Kirin 960 |
Huawei P10 | VTR |
Kirin 960 |
As far as I know, there is currently only one tool that can deal with newer CPUs — HCU Client.
This software requires a license, the most affordable plan is 3 days of access for €19.
See supported models by HCU Client here.
Note
Timed licenses locked to first used PC for two days. Therefore, it would be problematic to use such a license on more than one phone.
Logo by Icons8.
All bootloaders are Huawei Technologies Co., Ltd. property.
This project is not affiliated with Huawei.
Bootloader unlock tool for Huawei devices on Kirin SoC. Copyright (C) 2019-2020 mashed-potatoes
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.
Thank you, Martin, Moisés, Tibor, Emanuele & all those I've forgotten (sorry!).