www.zenfyr.dev
+54
-48
README.md
+54
-48
README.md
······Over the past few years, a suspicious number of companies have started to "take care of your data", aka block/strictly limit your ability to unlock the bootloader on your *own* devices.-While this may not affect you directly, it sets a bad precedent. You never know what will get the axe next: Shizuku? ADB? Sideloading? I thought it might be a good idea to keep track of bad companies and workarounds.+While this may not affect you directly, it sets a bad precedent. You never know what will get the axe next: Shizuku? ADB?<br><br>+**They've already gone after [sideloading](https://mashable.com/article/google-android-sideloading-apps-security).**<br><br>If you know of specific details/unlocking methods, please PR them or drop them in the [discussions](https://github.com/melontini/bootloader-unlock-wall-of-shame/discussions)···The following manufacturers have made it completely impossible to unlock their devices without a workaround.···The following manufacturers allow unlocking under certain conditions, such as region, model, SOC, etc., or require a sacrifice to unlock.The following manufacturers require an online account and/or a waiting period before unlocking.···If you own a MediaTek device exploitable by [mtkclient](https://github.com/bkerler/mtkclient) you can unlock the bootloader using that.<br/>If it also happens to be an OPPO/Realme device and you need to access fastboot: [lkpatcher](https://github.com/R0rt1z2/lkpatcher) ([web version](https://lkpatcher.r0rt1z2.com/))-If you own a phone with the Unisoc UMS9620 or older,you can use this exploit to achieve temporary secure boot bypass and persistently unlock bootloader(except some devices with modified uboot) [CVE-2022-38694_unlock_bootloader](https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader)-If you own a phone with the Unisoc UMS312 UMS512 UD710,you can use this exploit to achieve persistently secure boot bypass, which means all firmwares including splloader,uboot can be modified and resigned. [CVE-2022-38691_38692](https://github.com/TomKing062/CVE-2022-38691_38692)-Otherwise, you can also look into this: [Spectrum_UnlockBL_Tool](https://github.com/zhuofan-16/Spectrum_UnlockBL_Tool) <br/>-This: [xdaforums.com](https://xdaforums.com/t/alldocube-t803-smile_1-bootloader-unlock-w-unisoc-t310.4393389/) <br/>···+If you own a phone with the Unisoc UMS9620 or older,you can use this exploit to achieve temporary secure boot bypass and persistently unlock bootloader(except some devices with modified uboot) [CVE-2022-38694_unlock_bootloader](https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader)+If you own a phone with the Unisoc UMS312 UMS512 UD710,you can use this exploit to achieve persistently secure boot bypass, which means all firmwares including splloader,uboot can be modified and resigned. [CVE-2022-38691_38692](https://github.com/TomKing062/CVE-2022-38691_38692)+Otherwise, you can also look into this: [Spectrum_UnlockBL_Tool](https://github.com/zhuofan-16/Spectrum_UnlockBL_Tool) <br/>+This: [xdaforums.com](https://xdaforums.com/t/alldocube-t803-smile_1-bootloader-unlock-w-unisoc-t310.4393389/) <br/>
+75
-4
brands/amazon/README.md
+75
-4
brands/amazon/README.md
···-Amazon is a weird company in the Android world. They cling onto old Android versions forever (their latest devices still ship with the EOL Android 11), they don't include Google services on their devices, and they are **extremely aggressive towards bootloader unlocks.** Even for the oldest of devices, when an exploit is discovered, Amazon will instantly patch it. There are still some exploits though, depending on your device and firmware version. Check [XDA Forums] for your specific Amazon device.+Amazon is a strange company in the Android world. They cling to old Android versions (their latest devices still ship with the EOL Android 11), they donโt include Google services on their devices, and they are **extremely aggressive towards bootloader unlocks.**+They donโt follow the standard Android bootloader unlocking procedure. Instead, they use their own implementation, which relies on a special partition called `idme`. This partition stores device-specific information such as the S/N, MAC address, and more.+The *official* way to unlock the bootloader is to flash a signed unlock image to `idme` using the command `fastboot flash unlock unlock.bin`. Of course, **this requires Amazon to sign the unlock image.**+**Older MediaTek-based devices can be unlocked using [amonet]**, a bootloader/bootROM exploit [originally developed in 2019 to unlock the Amazon Fire HD 8 (2018)].+The latest devices unlocked with amonet are the Fire TV Stick 3rd Gen and Fire TV Stick Lite 1st Gen (released around 2020).+However, **Amazon has actively patched this exploit**, so even if a port of amonet exists for your device, it may still not be unlockable.+The following list shows all available amonet ports for Amazon devices, along with whether or not they have been patched. **If your device is not included in the list, it is most likely not supported**:+- [Amazon Fire HD 6 / HD 7 (2014)]: All versions are supported; Amazon never patched these devices.+- [Amazon Fire 7 (2015 / 2017)]: All versions are supported; Amazon never patched these devices.+- [Amazon Fire HD 8 / HD 10 (2015)]: All versions are supported; Amazon never patched these devices.+- [Amazon Fire TV 2nd Gen (2015)]: All versions are supported; Amazon never patched this device.+- [Amazon Fire TV Stick 2nd Gen (2016)]: There are several reports of Amazon disabling **bootROM mode** on newer hardware revisions.+- [Amazon Echo Spot 1st Gen (2017)]: All versions are supported; Amazon never patched this device.+- [Amazon Fire TV Stick 4K 1st Gen (2018)]: Devices with serial numbers containing **VM190 or higher** are shipped with **DL-Mode** disabled in **bootROM**. However, Amazon introduced a new exploit in **FireOS 6.2.8.1**, which made it possible to unlock the device even with **DL-Mode** disabled. This exploit was later patched, but there are still ways to downgrade to a supported version.+- [Amazon Fire HD 10 (2019)]: Only a temporary, tethered exploit is available for this device. Amazon disabled **DL-Mode** in **bootROM** on all newer hardware revisions, so only early units can use this method.+- [Amazon Fire TV Stick 3 and Fire TV Stick Lite (2020)]: Amazon patched the exploit in **FireOS 7.2.7.3**. There is a [hardware way to downgrade the device to a supported version], but it requires soldering and is not recommended for inexperienced users.+There are also several **older Qualcomm-based devices that can be unlocked** using the [cuber exploit] ([CVE-2014-0973]):+- [All 3rd Gen Fire HDX devices (2013 ~ 2014)]: All versions are supported; Amazon never patched these devices.+For Amlogic-based devices (e.g., Fire TV Cube), multiple exploits are available. They require **DL-Mode**, which Amazon disabled on newer hardware revisions or through OTA updates (e-fuses). This list shows the available exploits:+- [Fire TV Cube 1st Gen (2018) / Fire TV Pendant (2017)]: These devices can be unlocked as long as they havenโt been updated past **FireOS 6.2.5.8**.+- [Fire TV Cube 2nd Gen (2019)]: This device can be unlocked as long as it hasnโt been updated past **PS7292**.+As of this writing, **no known exploits exist for unlocking the bootloader of Amazon devices released after 2020**.+There have been multiple reports of users [purchasing engineering samples] from third-party sellers, but the firmware on these devices is useless for production units.+Authored by [R0rt1z2](https://github.com/R0rt1z2), [Ivy / Lost-Entrepreneur439](https://github.com/Lost-Entrepreneur439).<br/>+[All 3rd Gen Fire HDX devices (2013 ~ 2014)]:https://xdaforums.com/t/dev-bootloader-unlock-procedure-and-software.3030281+[Fire TV 1st Gen (2014)]:https://xdaforums.com/t/firetv-1-bueller-full-bootloader-unlock.3031867+[originally developed in 2019 to unlock the Amazon Fire HD 8 (2018)]:https://www.aftvnews.com/latest-2018-version-of-amazons-fire-hd-8-tablet-has-been-rooted-with-unlocked-bootloader/+[Amazon Fire HD 6 / HD 7 (2014)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-fire-hd7-hd6-ariel.4679761/+[Amazon Fire 7 (2015 / 2017)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-downgrade-fire-7-ford-and-austin.3899860/+[Amazon Fire HD 8 / HD 10 (2015)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-fire-hd-8-10-2015-thebes-and-memphis.4680312/+[Amazon Fire HD 8 (2016)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-fire-hd-8-2016-giza.4303443/+[Amazon Fire HD 8 (2017)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-fire-hd-8-2017-douglas.3962846/+[Amazon Fire HD 10 (2017)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-fire-hd-10-2017-suez.3913639/+[Amazon Echo Spot 1st Gen (2017)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-amazon-echo-spot-2017-rook.4754878/+[Amazon Fire TV 2nd Gen (2015)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-firetv-2-sloane.4222331/+[Amazon Fire TV Stick 2nd Gen (2016)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-fire-tv-stick-2nd-gen-tank.3907002/+[Amazon Fire TV Stick 4K 1st Gen (2018)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-fire-tv-stick-4k-mantis.3978459/+[Amazon Fire HD 10 (2019)]:https://xdaforums.com/t/new-fire-hd10-2019-bootless-root-method-bootloader-unlock-brainstorming.3979343/page-40#post-86371571+[Amazon Fire TV Stick 3 and Fire TV Stick Lite (2020)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-fire-tv-stick-3-and-fire-tv-stick-lite-sheldon-p.4410297/+[hardware way to downgrade the device to a supported version]:https://xdaforums.com/t/unlock-root-twrp-unbrick-fire-tv-stick-3-and-fire-tv-stick-lite-sheldon-p.4410297/page-47#post-89960237+[Fire TV Cube 1st Gen (2018) / Fire TV Pendant (2017)]:https://xdaforums.com/t/root-rooting-the-firetv-cube-and-pendant-with-firefu.3861272/+[Fire TV Cube 2nd Gen (2019)]:https://xdaforums.com/t/unlock-root-twrp-unbrick-firetv-2nd-gen-cube-raven-ps7242.4445971/+[purchasing engineering samples]:https://xdaforums.com/t/fire-hd-8-9th-generation-onyx-engineering-sample-with-root-access-full-fastboot.4121709/
+1
-1
brands/apple/README.md
+1
-1
brands/apple/README.md
···This one is probably expected. No iPhone, iPad, iPod Touch or Apple TV model has had an unlockable bootloader.-As expected, Apple does not allow bootloader unlocking, and never has. Most Apple dives also have an aggressive anti-rollback system, stopping you from downgrading to an older iOS version for jailbreaking purposes.+As expected, Apple does not allow bootloader unlocking, and never has. Most Apple devices also have an aggressive anti-rollback system, stopping you from downgrading to an older iOS version for jailbreaking purposes.
+5
-1
brands/lg/README.md
+5
-1
brands/lg/README.md
···In the past, LG had a developer portal which could be used to unlock phones on their website, however it only supported international models of their phones, but in December 2021, LG [announced][announcement-archive] the developer portal would be shutting down due to LG ending production of all phones. Unisoc devices will never be unlockable, this is *not* LG's fault, Unisoc does not allow unlocking.···Older devices (prior to 2015) do not have partition verification, and assuming you have a root exploit, you can just flash modified partitions with dd -- as recommended by some official LineageOS [install guides]+All LG watches on Android Wear/Wear OS use the [standard unlock procedure](../../misc/generic-unlock.md) via fastboot.+Authored by [Ivy / Lost-Entrepreneur439](https://github.com/Lost-Entrepreneur439), [DiabloSat](https://github.com/progzone122)<br/>[announcement-archive]:https://www.reddit.com/r/LineageOS/comments/r961u3/termination_of_lg_mobile_developer_website/
+52
-7
brands/motorola/README.md
+52
-7
brands/motorola/README.md
···Motorola is one of the manufacturers that provide kernel source code for their devices via official repositories on GitHub. However, they usually have weird build instructions, and will not share them unless you threaten to report to the SFC.···-To unlock your bootloader, you have to submit a request on [this][Unlock Code Website] website, which is pretty bad on its own (*wink* [Huawei](../huawei/README.md)). Unisoc devices will never be unlockable, this is *not* Motorola's fault, Unisoc does not allow unlocking.+Qualcomm and MTK CID devices are developed and manufactured by the Motorola main team. MTK Legacy and UNISOC manufacturing process is often delegated to third parties ODMs, mainly their partner [Tinno](https://en.tinno.com/news/69.html), and sometimes other like [Huaqin](https://en.huaqin.com/).+For Qualcomm and MTK CID device, to unlock your bootloader, you have to submit a request on [this][Unlock Code Website] website, which is pretty bad on its own (*wink* [Huawei](../huawei/README.md)). Unisoc devices will never be unlockable, this is *not* Motorola's fault, Unisoc does not allow unlocking.In addition, [this forum post][Old devices ineligible] says that once a device passes a certain age (the age not being specified), the device becomes ineligible.···* [This page][Some Devices] says only "Photon Q 4G LTE, DROID RAZR M(Developer Edition), DROID RAZR HD(Developer Edition CDMA-LTE), MOTOROLA RAZR HD (Rest of World -UMTS/LTE), MOTOROLA RAZR HD (Rogers Canada - UMTS/LTE) and MOTOROLA RAZR i are supported by the Bootloader Unlock site." -- Considering these devices are all over 13 years old, this is likely outdated.* [And from this conversation][turistu's post] [turistu](https://github.com/turistu) had with their support: "most of our E devices doesn't support bootloader unlock program. Please see below a list of devices that support the bootloader unlock program : g100, g51 , g71 , g200 , g52 , g82 , g42 , g62 , g32"* There's also an unofficial way with CID to check if your device can be unlocked, check here: [xdaforums.com][CID check]+* Generally, devices from the g3x series and higher can be unlocked, while G2x and lower (including E devices) cannot be unlocked *officially*.Once your bootloader is unlocked, Motorola does not allow you to relock, attempting to re-lock will [brick your device][brick on relock]+Furthermore, on Motorola CID devices a valid **cid** partition needs to be present in the device to be unlocked or even to be able to boot normally. The unlock data is in fact contained in that partition, and cannot be haltered without getting cid `0xDEAD`.+In case of a corrupted cid partition, you'll need to bring your device for *cid provisioning*, where the cid data is regenerated and signed.+On MTK CID devices, it is impossible to unlock using third party tools (like mtkclient or Chimera), because Motorola validates the unlock state contained in `seccfg` against a stored value in the RPMB region in the flash storage.+Furthermore, Motorola disables BROM USBDL by efuse on newer devices (MTK V6 as well), and the stock Download Agent are limited to only allow flashing the bootloader.+Motorola CID devices (both Qualcomm and Mediatek ones) have a customized bootloader by Motorola, including their security library `mot_sec`.+Decompiling the bootloader it is possible to notice how Motorola includes a special *virtual* partition (it is just part of the cid partition) called `debug_token`.+By issuing `fastboot flash debug_token <debug-token-file>`, it is theoretically possible to disable all security on the device, including secure boot and more.+This file, though, cannot be obtained, since it is most likely used internally by Motorola development team, and it is verified against the public key.+Many on XDA have wondered [if it was possible to develop a keygen](https://xdaforums.com/t/help-with-moto-g-bootloader-unlock-keygen.2631686/).+Motorola unlock process (on CID devices only) involves getting the unlock data from the phone using `fastboot oem get_unlock_data`.+* The first line is the IMEI, with an additional A as padding to reach 16 bytes (IMEI as 15 characters long)+Unfortunately, Motorola seems to use asymmetric encryption for generating the unlock key, meaning that without a private key it is impossible to make a keygen.+On the other hand, the bootloader verifies the key by first generating one on the fly based on the data in CID and hashing it with either HMAC-SHA256 (CID DB v2) or HMAC-SHA1 (CID DB v1), then comparing the hashes of the generated key with the hash of the bytes representation of the provided unlock key.Even though Motorola has been owned by Lenovo for a while, there are still devices around that aren't made by Lenovo.-For some Motorola devices, the firmware is not developed by the company's core team, but simply purchased solutions from various OEMs.+For some Motorola devices, the firmware is not developed by the company's core team, but simply purchased solutions from various ODMs.These are exactly the devices that lack any instructions on how to unlock the bootloader or are completely locked, with no way to unlock.Fortunately, enthusiasts have managed to find unofficial ways to unlock these devices, despite the fact that Moto Agents stubbornly deny the existence of such methods:* Moto G13/G23 - Decompiled the bootloader, studied the algorithm for unlocking the bootloader and [developed a keygen](https://penangf.fuckyoumoto.xyz/docs/dev/bootloader), which is required to get the key to unlock the bootloader.-* Moto G24/G24 Power - Thanks to a leaked engineering DA with full permissions to all partitions and using a custom ChouChou bootloader, [a way to unlock was found](https://fogorow.fuckyoumoto.xyz/docs/dev/bootloader)+* Moto G24/G24 Power - Thanks to Carbonara, allowing privilege excalation in DA mode and a custom bootloader (chouchou), [a way to unlock was found](https://fogorow.fuckyoumoto.xyz/docs/dev/bootloader)For a short while, Google owned Motorola Mobility (from May 2012 to October 2014). Despite Google devices following the normal procedure, Google Motos used the same unlock portal that the modern Lenovo devices use, and of course, Lenovo removed the ability to unlock older devices, so these Google-era Motos are no longer unlockable. This does not include the Nexus 6, see the [Google](../google/README.md) page for Nexus devices.···tldr, Motorola split into two companies in 2011. Motorola Mobility, which made the phones and DVRs and is now owned by Lenovo, and Motorola Solutions, who makes everything else. Solutions has recently started making radios which run Android. Not much is known about these devices, Motorola doesn't even reveal which SoC they use, so nothing is really known about these devices. This [datasheet] for the MOTOTRBO ION mentions "Root Detection: Standard", which in Moto-speak, means "this device always ships with root detection.", indicating that the bootloader is probably not unlockable on these devices. Via [this spreadsheet] from Google, you can see the MOTOTRBO ION's codename -- mkz_sdm660_64, which indicates that possibly it uses a Snapdragon 660 SoC, but the MOTOTRBO ION runs Android 13, which seems weirdly new for a 2017 SoC, no it might just be gibberish or something unrelated.-Most MTK-based Motorola devices **released before 2022 are susceptible to [mtkclient](https://github.com/bkerler/mtkclient) bypass**, and full unlock may require [ChouChou](https://github.com/R0rt1z2/chouchou) / [Kaeru](https://github.com/R0rt1z2/kaeru) patches to disable automatic bootloader lock.+Most MTK-based Motorola devices **released before 2022 are susceptible to [mtkclient](https://github.com/bkerler/mtkclient) auth bypass**, and full unlock may require [chouchou](https://github.com/R0rt1z2/chouchou) / [Kaeru](https://github.com/R0rt1z2/kaeru) patches to disable automatic bootloader lock (as seen on Moto E7, codename `malta`).However, on devices **released after 2022, this method is ineffective** as the preloader vulnerability has been patched and the BROM is blocked via eFuse, and attempting to crash the preloader results in a bootloop in the preloader.+Devices released before 2024 (and some released during 2024 as well) though are vulnerable to [Carbonara](https://shomy.is-a.dev/penumbra/Mediatek/Exploits/Carbonara), a DA1 memory corruption exploit that allows arbitrary code execution.Lenovo usually does not use the Motorola name on their tablets and gaming-oriented phones, and these are typically branded as Lenovo or NEC. While similar to Motorola's unlock process, these have to be unlocked on the [ZUI website], which requires your IMEI, serial number, and email, and they'll send you an unlock-bootloader.img which you flash to the unlock partition in Fastboot to unlock. However, similar to Xiaomi, Lenovo has a quota, which if you surpass, you cannot unlock your bootloader, @MlgmXyysd has created an [unofficial unlock portal] which may work on recent tablets like Legion Y700 4th Gen. Some Motorola tablets, such as the G62, also use the ZUI website to unlock instead of Motorola's unlock portal.···Additional info provided by [Ivy / Lost-Entrepreneur439](https://github.com/Lost-Entrepreneur439).<br/>Unofficial ways to unlock "Moto G13/G23/G24/G24 Power" bootloader provided by [DiabloSat](https://github.com/progzone122) & [Shomy](https://github.com/shomykohai).<br/>+Additional info for Motorola CID devices and mtkclient provided by [Shomy](https://github.com/shomykohai).<br/>Lenovo branded and NEC unlock information provided by [CakesTwix](https://github.com/CakesTwix) and [Calyx Hikari](https://github.com/HikariCalyx).<br/>
+8
brands/panasonic/README.md
+8
brands/panasonic/README.md
···+There's nothing to say about Panasonic, really. They have fastboot removed from most of their phones and have no official unlock method.
+47
-3
brands/samsung/README.md
+47
-3
brands/samsung/README.md
···Snapdragon phones prior to the S7/Note7 (2016) can be unlocked regardless of region, as long as it's not locked to a carrier like AT&T or Verizon. The Canadian S7 can also be unlocked as it uses an Exynos SoC, despite Canada normally being a Snapdragon region.-Be aware that unlocking a Samsung device will permanently trip Knox. As a result, many Knox-based features will be broken. This includes, but not limited to: Samsung Pay, Pass, Flow, Health, Secure Folder, Secure Wi-Fi, Smart View. Furthermore, tripping Knox may serve as grounds for voiding your warranty.+**Be aware that unlocking a Samsung device will permanently trip Knox.** As a result, many Knox-based features will be broken. This includes, but not limited to: Samsung Pay, Pass, Flow, Health, Secure Folder, Secure Wi-Fi, Smart View. Furthermore, tripping Knox may serve as grounds for voiding your warranty.+There have been hardware issues caused by unlocking the bootloader, but these have been fixed for some regions. See [here][1] and [here][2]. As of late 2023, Korean Galaxy Fold3 running OneUI 5 still got camera disabled after unlocking, while EU/CN variants had fixed the issue.+As of September 2025, Galaxy Z Fold 5 also has a camera issue after unlocking the bootloader. After analyzing it, we found out it is a "Security Mechanism" to prevent the user from "taking photos" once they unlock the bootloader by providing a "black screen" in the viewfinder. (Fixable by re-locking the bootloader)+As of September 2025, all budget phones that have **Helio G99**, **Dimensity 6100+**, and **Dimensity 6300** have **serious connectivity and unfixable bootloop issues** after unlocking the bootloader and flashing a custom binary which "trips Knox".-In the past, there have been hardware issues caused by unlocking the boatloader, but these have been fixed for some regions. See [here][1] and [here][2]. As of late 2023, Kroean Galaxy Fold3 running OneUI 5 still got camera disabled after unlocking, while EU/CN variants had fixed the issue.+As a result, in the Helio G99 models, the `ril-daemon` will crash every 6 hours, leading to your SIM cards being disabled and showing a NULL IMEI in the settings (temporary). The only fix as of now is restarting the phone or using "third-party" Magisk modules to restart the `ril-daemon` every 6 hours. This is unfixable even after re-locking the bootloader.+In the Dimensity 6100+/6300 models, **you will completely lose 5G connectivity permanently**, and this is unfixable even after re-locking the bootloader. **The modem will crash when connecting to a 5G network**, leading to high battery drain and overheating. The only fix as of now is putting your device in 4G mode.+After intense analysis by ~5 experienced members of the Helio G99 and Dimensity 6100+/6300 community, we found why this happens. It looks like Samsung implemented checks at **both the modem firmware level and software level** to check for the value of the property `ro.vendor.boot.warranty_bit`. The software check uses a function called `DoOemSetwarrantyBit` in `/vendor/lib64/libsec-ril.so`.+After patching the necessary libs in the vendor, we thought it was over until we found out 5G still wasn't working and discovered that a similar but different function is baked into the modem firmware itself by analyzing the contents of the `md1img` partition. This firmware check differs from the libsec-ril's function and isn't patchable by a third party.+> The only fix is to be aware of this issue and not unlock the bootloader and trip Knox in the first place if you don't like these consequences. You have to sacrifice something to root these 2 device types.+**๐ด Regarding the unfixable bootloop issue**, it literally feels like a hard brick. The only thing that works is the display turning on. No matter what you do, even after flashing the stock ROM and re-locking the bootloader, this issue remains unfixable.+This was a serious issue in the initial firmware of the Dimensity 6100+ and 6300 devices and was **fixed by later firmware updates.**+If you want to unlock the bootloader, first update your phone to any firmware released with the 2025 January/April/July security patch.+2. When they attempt to flash an unsigned binary (such as a custom kernel or Magisk-patched AP/boot image), the boot process instantly crashes after the splash screen (first Samsung Galaxy logo).+- What it looks like: A grey fuzzy screen with vertical blue/yellow lines appears when the crash occurs.+3. This issue is unfixable even after reverting the changes, and **you cannot access Android recovery - only download mode remains accessible.**+**There is nothing to worry about regarding this issue if your phone firmware is already updated.**+- As the [writer of this section](https://github.com/ravindu644) of this documentation, I personally experienced this issue and lost $200. I have video proof but will not provide Telegram links here. You can find them in the Galaxy A16 Community if interested.+- [XDA Forum post regarding this exact issue](https://xdaforums.com/t/bootloop-without-access-to-recovery-need-insights-a156e-dsn.4707443/)One of the first things Samsung bootloaders do on phone bootup is check if the bootloader is unlocked, and if it is, and a bootloader unlock has not been authorized, the bootloader will automatically relock. This means SoC level exploits such as mtkclient or EDLUnlock will not work on Samsung devices, unless you reverse engineer, modify and re-flash Samsung's bootloader to stop the bootloader from re-locking.···-Additional info provided by [aries-ts-indo](https://github.com/aries-ts-indo) and [Ivy / Lost-Entrepreneur439](https://github.com/Lost-Entrepreneur439).<br/>+Additional info provided by [aries-ts-indo](https://github.com/aries-ts-indo), [ravindu644](https://github.com/ravindu644) and [Ivy / Lost-Entrepreneur439](https://github.com/Lost-Entrepreneur439).<br/>
+11
-1
brands/sony/README.md
+11
-1
brands/sony/README.md
······Some carrier locked and US devices can never be unlocked. On Sony devices ([but not all?][service-menu-gone]) you can check if the bootloader is unlockable using the service menu.+Additonally, only Xperia (Sony's main consumer phone/tablet line) is unlockable. Their other Android devices (such as their TVs) are not unlockable.+For devices made [before 2019][TA patch 2019], Sony devices have a partition called `TA`, which contains files needed for things such as enhanced camera image processing, DRM keys, and display enhancements. Upon unlocking the bootloader, this partition is wiped and these features are lost, even on re-locking. If running Android Marshmallow or earlier, you can [back up][TA backup] the partition.···[Unlock Service]:https://developer.sony.com/open-source/aosp-on-xperia-open-devices/get-started/unlock-bootloader[service-menu-gone]:https://www.reddit.com/r/SonyXperia/comments/qir0ze/what_happened_to_the_service_menu/+[TA patch 2019]:https://www.reddit.com/r/SonyXperia/comments/1199y1j/what_are_the_consequences_of_getting_rid_off_the/+[TA backup]:https://together.jolla.com/question/168711/xperia-x-backup-ta-partition-before-unlocking-bootloader/
+15
-3
brands/tcl/README.md
+15
-3
brands/tcl/README.md
···TCL got their start in the mobile world as a contract manufacturer for BlackBerry, and while TCL's contract with BlackBerry ended in 2020, TCL has continued BlackBerry's lineage of "secure bootloaders", AKA, doing everything they can to make you unable to unlock the bootloader. Because of TCL's history with BlackBerry, who has always been horrible with bootloader unlocks, it is unlikely TCL bootloaders will ever be unlockable.+TCL has its own fork of the fastboot utility called `authboot`, which **requires special authorization from their server to perform any bootloader-related operations**. Without this authorization, **it is impossible to unlock the device** or flash unsigned images, effectively eliminating any possibility of installing custom ROMs.+The only exceptions are **engineering samples (EVT/DVT/PVT)** and **rare Chinese revisions** such as the **Key2 BBF100-6**, where the bootloader can either be unlocked or signature verification disabled. However, **these devices were never sold publicly** and are extremely rare on the secondary market, often lacking a valid IMEI or having other limitations.+The BlackBerry Priv and earlier were not manufactured by TCL, but by the original BlackBerry company (aka Research in Motion/RIM) in Canada. Unfortunately, even the oldest of BlackBerry's devices haven't been cracked, and with the shutdown of all services for BB10 and BlackBerry Tablet OS on January 4, 2022, it is now impossible to create apps for these platforms, restricting a potential bootloader unlock to a hardware level exploit only, as it is now basically impossible to do anything with the software. As of 2025, the only BlackBerry devices which have a bootloader unlock exploit are the Passport and Priv, which can be unlocked by flashing the bootloader from a prototype device, however this requires [desoldering the phone's eMMC][passport priv unlock] and connecting it to a flasher.+> TCL acts premium but is nothing more than a Chinese basement. Their soโcalled "security" only restricts users, while their phones are no better or safer than the rest.
+16
brands/teclast/README.md
+16
brands/teclast/README.md
···+Teclast is a Chinese brand known for its budget tablets and, less commonly, Android smartphones.+Teclast follows the [standard unlock procedure](../../misc/generic-unlock.md) for their MediaTek and Allwinner devices. Unisoc devices cannot be unlocked, this is *not* Teclast's fault, Unisoc does not allow unlocking.+Teclast does not share the kernel source code for their devices. This is a violation of the GPLv2 license used in the Linux kernel. The lack of kernel source code severely limits the creation of custom ROMs, and can also at times make it more difficult to root or run GSIs.
+4
-1
brands/tecno/README.md
+4
-1
brands/tecno/README.md
···Tecno requires you to have a [Tecno ID][Tecno ID] for two weeks before the OEM Unlocking option becomes available in the settings. Afterwards, you can follow the [standard unlock guide](../../misc/generic-unlock.md) for devices with a MediaTek SoC. Unisoc devices cannot be unlocked, this is *not* Tecno's fault, Unisoc does not allow unlocking.+Tecno, despite using the GKI (Generic Kernel Image), does not release the kernel source code for its devices. This constitutes a violation of the GPL license, which requires manufacturers to distribute the source code along with the binary kernel builds.+Authored by [Ivy / Lost-Entrepreneur439](https://github.com/Lost-Entrepreneur439), [DiabloSat](https://github.com/progzone122).<br/>
+6
-1
brands/ulefone/README.md
+6
-1
brands/ulefone/README.md
···Ulefone follows the [standard unlock procedure](../../misc/generic-unlock.md) for their MediaTek devices. Unisoc devices cannot be unlocked, this is *not* Ulefone's fault, Unisoc does not allow unlocking.+Ulefone initially **released the kernel source code for some of their early phones** (Ulefone Future, Ulefone Metal, and Power Armor 13) [on GitHub](https://github.com/ulefoneofficial?tab=repositories), although these source codes were broken, did not contain all modules, lacked proper build instructions, and all issues remained unresolved.+Since then, **they have never released any kernel source code or respond to requests [by claiming they cannot provide it](https://xdaforums.com/t/ulefone-armor-6-custom-kernel-compile-no-source-available.4553091/)**, thereby violating the terms GPL license.+Authored by [Ivy / Lost-Entrepreneur439](https://github.com/Lost-Entrepreneur439), [DiabloSat](https://github.com/progzone122).<br/>
+1
-1
brands/vivo/README.md
+1
-1
brands/vivo/README.md
···There is also a chance that your device is vulnerable to one of the MTK or Unisoc [exploits](../../README.md#universal-soc-based-methods).-Vivo devices have kernel-level patches to block the `su` binary, so to use Magisk you should flash this modified version with `suu`.+Vivo devices have kernel-level patches to block the `su` binary, so to use Magisk you should flash this modified version with `suu`. This only applies on devices which run Funtouch, for devices which run OriginOS (mainly their Chinese market devices), while the bootloader is still not unlockable, `su` is not blocked.
+68
-10
brands/xiaomi/README.md
+68
-10
brands/xiaomi/README.md
···Unisoc devices will never be unlockable, this is *not* Xiaomi's fault, Unisoc does not allow unlocking.-> The specifics of what can and cannot be done change over time and different sources claim different things depending on the time period.+The specifics of what can and cannot be done change over time, and different sources may claim different things depending on the time period.-Currently it is near impossible to unlock Xiaomi phones of the china region, especially if you are outside China and imported the phone.+It is currently **extremely difficult** to unlock Xiaomi phones from the China region, especially if the device was imported and you are outside China.+- Compliance with Xiaomiโs strict rules (no recent device/account/IP changes, no recent bans or warnings, etc.)+Even after completing all of the above, the request undergoes an additional **review process**.+Recent reports suggest that **no applicants have successfully passed the exam or review this year**.-- [This source][bootloader-unlock-block-mainland-china] claims that the final day one could use the provided form to request an unlock was September 9, 2024. It also has an update, it seems that Xiaomi is suggesting inside the Community App that they will bring back the service in 2025, but it wouldn't be the first time a company lied about this.-- In various forum posts [like this one][bootloader-unlock-block-mainland-china-alt] it is mentioned that a china region phone can only be unlocked if one is situated in China and has a level 5 Xiaomi account, or pays for the service in the hopes that a technician can unlock it.-- As of february 6th there are [other requirements], like 180 days without bans or warnings on the account and no recent sensitive changes to the account, also the unlock should be done on the same device and with no ip changes. Also seems that users will have to unlock when they can and in time or won't have the possibility to unlock anymore.+- For Chinese devices, the **MIUI bootloader unlock server has been shut down** โ you must go through the **Community App unlock route**.+- Unlock must be completed within the allowed window, otherwise it may become permanently unavailable+- [Xiaomi-HyperOS-BootLoader-Bypass](https://github.com/MlgmXyysd/Xiaomi-BootLoader-Questionnaire) โ Original PoC (PHP, cumbersome to set up)+- **HyperSploit** โ User-friendly program, patched as of **HyperOS 2.0.203.0**, works only on older builds+- These tools try to automate the Community App request step so you can continue the 7-day waiting process and then unlock with Xiaomiโs official tool.+- Some users claim that visiting a Xiaomi store and asking a technician to downgrade the system version results in a temporary unlocked state. A few reported flashing their own system during this process โ **not recommended** due to high risk and ethical concerns.+- These devices generally still support the **โclassicโ unlock process** (Mi Account login โ Developer Options request โ wait ~7 days โ Mi Unlock tool), without requiring the Community App exam.+- The last official day to submit unlock requests via the old form was reportedly **September 9, 2024**.+- Xiaomi has hinted in the Community App that the service *may return in 2025*, but similar promises have not been fulfilled in the past.+- Multiple forum posts suggest that **only users physically located in China, with Level 5 accounts, and valid Chinese ID can currently unlock**. Others sometimes resort to paid third-party services, though results vary.+- [Xiaomi BootLoader Questionnaire Questions](https://github.com/MlgmXyysd/Xiaomi-BootLoader-Questionnaire) โ community-collected notes and exam details.···As such, for as long as the option is available, you'll skip this community BS and use the bypass methods:-* [HyperSploit][hypersploit] is the newer option. This is a simple to use program with no external dependencies.-* [Xiaomi-HyperOS-BootLoader-Bypass][xiaomi-hyperos-bootLoader-bypass] is the original proof of concept, but it's written in PHP and it's cumbersome to set up.+* [AQLR][aqlr] The current bypass method, though you need to have your computer running at 00:00 Chinese time. (The script is in AQLR.zip at the end of the post.)+* ~~[HyperSploit][hypersploit] is the newer option. This is a simple to use program with no external dependencies.~~ Confirmed as patched as of HyperOS version 2.0.203.0. Still works on old versions.+* ~~[Xiaomi-HyperOS-BootLoader-Bypass][xiaomi-hyperos-bootLoader-bypass] is the original proof of concept, but it's written in PHP and it's cumbersome to set up.~~ Same as above.These will both (for now) allow you to continue with the last of the good old steps, where you wait for 7 days and can then unlock your phone successfully.Do NOT make a new request by pressing the button in the Settings app as that will undo you bypass (hypersploit also mentions this to you). The tool will make the needed request itself.···You should be able to use the "normal" unlock process by itself, wihtout the community app BS-As the "1 device per year" policy is shown in the Xiaomi Community app when applying for unlocking HyperOS devices, this shouldn't affect devices running MIUI, however it's still unknown whether or not they are affected too.···[updated-policies]:https://xiaomitime.com/xiaomi-global-bootloader-unlock-policy-has-changed-20295/[other requirements]:https://xiaomitime.com/xiaomi-restricts-bootloader-unlocking-with-new-180-day-rule-23160/+[aqlr]:https://xdaforums.com/t/how-to-unlock-bootloader-on-xiaomi-hyperos-all-devices-except-cn.4654009/post-89311595
+1
-1
brands/zte/README.md
+1
-1
brands/zte/README.md
···Snapdragon-based nubia devices can be unlocked with the Fastboot command `fastboot oem nubia_unlock NUBIA_MODEL` (e.g. -- if your phone's model number is NX609J, the command would be `fastboot oem nubia_unlock NUBIA_NX609J`.). Newer ZTE devices can also be unlocked with the standard `fastboot flashing unlock` command, but this tends to break the fingerprint sensor, Unisoc devices will never be unlockable, this is *not* ZTE's fault, Unisoc does not allow unlocking. As for non-nubia ZTE devices:
+9
-5
carriers/README.md
+9
-5
carriers/README.md
···All devices sold in Canada after December 1, 2017 are sold unlocked, and any devices sold before then legally have to be unlocked for free, thanks to [the Wireless Code](https://crtc.gc.ca/eng/archive/2017/2017-200.htm). For devices sold before then however..If you buy a Sony or Sharp phone used, high chance it's going to be locked to a Japanese carrier as that's just where Sony and Sharp are popular.
+3
-3
carriers/brands/bell/README.md
+3
-3
carriers/brands/bell/README.md
···+While Bell does allow bootloader unlocking, they've recently started carrier locking again, which is a direct violation of Canada's wireless code. Things could get really bad for bootloader unlocking on Bell, avoid them.
+4
-3
carriers/brands/nttdocomo/README.md
+4
-3
carriers/brands/nttdocomo/README.md
···+NTT Docomo (and associated MVNOs) do not allow you to unlock your bootloader, the OEM unlock option is greyed out.+Authored by [Ivy / Lost-Entrepreneur439](https://github.com/Lost-Entrepreneur439), with additional MVNOs added by [madeline-yana](https://github.com/madeline-yana).<br/>
+9
carriers/brands/softbank/README.md
+9
carriers/brands/softbank/README.md
···+OEM unlocking works fine, however [it seems that Fastboot is modified.](https://www.reddit.com/r/SonyXperia/comments/15qdxt2/bootloader_unlocking_trouble_for_softbank_xperia/)
+7
carriers/brands/spectrum/README.md
+7
carriers/brands/spectrum/README.md