Unlock bootloader for AGM X3?

[woct0rdho]

Hello, @proger10 ! I have to unlock the bootloader before flashing some modified firmware into my AGM X3. Do you know how to do that?

I have tried the OEM unlock toggle in developer settings, but it doesn't work. Also I have contacted the customer service, they said they don't officially support unlocking the bootloader. I have found some information on Chinese websites like http://bbs.zol.com.cn/sjbbs/d34009_58.html . It seems that someone succeeded before Jan 2019, but the link has been invalid now.

[proger10]

Hello. Unfortunately, I have no success in this matter yet. I saw link that you metioned too. Seems like romzj.com has been down for a while. I haven't find any cached versions of this page or something like that. Also I have asked @End4You about unlocking on xda-developers and github, no answer for now. I'm sure that it is possible to flash system partition (but not boot partition) without unlocking, so it possible to flash Lineage OS. But without modifiing boot it is not possible to disable annoying SELinux. I will continue invistigating firmware later, now I have no significant success. I have posted what I have found on 4pda but it is in russian.

[woct0rdho]

Thanks! That's a lot of useful information. I hope we can make some progress later on.

[woct0rdho]

Hello again! Finally, I found an interesting firmware on an anonymous Chinese forum. It seems to be leaked from Hisense and is a universal firmware for multiple small OEMs based on Hisense. It has an unlockable bootloader, and other partitions have consistent signatures. Here is the link:

https://mega.nz/file/kdsh0LCA#tbkNHIlG5f07ufoitY2B2RAyLnaRgL9u2K2wAYSAeB4

I can make the phone enter EDL mode using adb reboot edl, then flash the firmware using QFIL. Choose prog_firehose_ddr_60000100.elf, rawprogram_merged.xml and patch_merged.xml.

[MoKuH]

Hi @martinwu42 I'm glad you succeeded! Unfortunately it doesn't work for me. When I'm doing it I got a qfil error "sahara unable to read packet header" I have tried several versions of qfil , as well as differents storage type but I still haven't succeeded yet I also tried the ubuntu version of qfil

[woct0rdho]

Here are my QPST and Qualcomm driver versions:

https://mega.nz/folder/FFsGxQAK#OkbbofbSsFKXOC_rNtsbrA

https://mega.nz/folder/NQlQCYbD#4fXkQSr-Tk6050Den3DOtg

The storage type is UFS.

However, maybe there is a difference between Chinese and International models of AGM X3...

[MoKuH]

Thank you for your help. I installed your files (fresh install on a new laptop), but I still have the same "sahara" error. I have the international version....

[proger10]

Hi @martinwu42 That's good news! So, you are now able now to flash custom unsigned boot, correct? Was anything else required to do to unlock the bootloader (except flashing the firmware)? Also it would be nice to see output of "fastboot getvar all" command in fastboot-mode (adb reboot booloader).

@MoKuH I've successfully flashed some of firmware files (abl, xbl, xbl_config) using QPST.2.7.460. I haven't tried to flash the other yet. It was failing with QPST.2.7.474.

I'm sure it's not neccessary to flash system, vendor and some other partitions to unlock. But flashing only abl, xbl and xbl_config is not enough.

[woct0rdho]

The output for fastboot getvar all is just

all:
Finished. Total time: 0.000s

I'm not using this phone currently, because I still have some problems when installing AOSP treble ROM, or repacking a modified ROM. But I can still do some tests on this phone. Hope we can find a phone with both 'hardcore' hardware and software eventually...

[Alessandro090298]

The output for fastboot getvar all is just

all:
Finished. Total time: 0.000s

I'm not using this phone currently, because I still have some problems when installing AOSP treble ROM, or repacking a modified ROM. But I can still do some tests on this phone. Hope we can find a phone with both 'hardcore' hardware and software eventually...

hi i have agm 3 i flashed chinese rom . its rotteable and bootloader is unlockable. but no play store and services. always crash if i tried to install. can i have the original global rom that i had before thank you? any link of global rom with gapps?

[woct0rdho]

Hello, @Alessandro090298 ! After unlocking the bootloader, you can flash their official international ROM, and the bootloader is still unlocked.

Here are the instructions on their website:

https://web.archive.org/web/20190623163805/https://www.agmdevice.com/index.php/home/brush/index.html

Here is the ROM:

https://mega.nz/file/JYdmUBYL#J_859cH9ZcFqAoXGTW5_JU_w6W46mSiEAUzNpJ39XLs

You need to use a TF card (micro SD card). The TF card slot is the same place as the SIM card slot. Put both T91_4_TF folder and change_product_name file at the root folder of the TF card. Turn off the phone, then turn on the phone pressing three buttons: volume up, volume down, and power. The screen will show the AGM logo, then a white and colorful ring, and the phone will flash the ROM.

T91_4.bin is an encrypted ROM, and proger10 decrypted it in this repo. I'm not sure how to modify and repack it.

After flashing the ROM, there is a system update. After applying the update, the bootloader is still unlocked. It's better to apply the update before doing things like root.

[woct0rdho]

Hi, @proger10 ! After flashing the official international ROM, fastboot getvar all somehow works. Now the outputs are

(bootloader) unlocked:yes
(bootloader) off-mode-charge:0
(bootloader) charger-screen-enabled:0
(bootloader) battery-soc-ok:yes
(bootloader) battery-voltage:4150
(bootloader) version-baseband:
(bootloader) version-bootloader:
(bootloader) variant:SDM UFS
(bootloader) partition-type:cache:ext4
(bootloader) partition-size:cache: 0x10000000
(bootloader) partition-type:userdata:ext4
(bootloader) partition-size:userdata: 0x1AE22CD000
(bootloader) partition-type:system:ext4
(bootloader) partition-size:system: 0x140000000
(bootloader) secure:yes
(bootloader) serialno:66045fa2
(bootloader) product:QC_Reference_Phone
(bootloader) max-download-size:536870912
(bootloader) kernel:uefi
all:
Finished. Total time: 0.034s

[Alessandro090298]

perfect now i will try. probably it will works thank you. for root i will use the china boot image patched with magisk. the kernel is the same china and international. i really love oreo it's very polished rom

[Alessandro090298]

Hello, @Alessandro090298 ! After unlocking the bootloader, you can flash their official international ROM, and the bootloader is still unlocked.

Here are the instructions on their website:

https://web.archive.org/web/20190623163805/https://www.agmdevice.com/index.php/home/brush/index.html

Here is the ROM:

https://mega.nz/file/JYdmUBYL#J_859cH9ZcFqAoXGTW5_JU_w6W46mSiEAUzNpJ39XLs

You need to use a TF card (micro SD card). The TF card slot is the same place as the SIM card slot. Put both T91_4_TF folder and change_product_name file at the root folder of the TF card. Turn off the phone, then turn on the phone pressing three buttons: volume up, volume down, and power. The screen will show the AGM logo, then a white and colorful ring, and the phone will flash the ROM.

T91_4.bin is an encrypted ROM, and proger10 decrypted it in this repo. I'm not sure how to modify and repack it.

After flashing the ROM, there is a system update. After applying the update, the bootloader is still unlocked. It's better to apply the update before doing things like root.

ok works all perfect. for the root i end with bootloop because incompatible boot img china with global but no prob i revert back to global. any idea how can i root global rom?

[woct0rdho]

ok works all perfect. for the root i end with bootloop because incompatible boot img china with global but no prob i revert back to global. any idea how can i root global rom?

You can use Magisk Manager to patch boot.img. Here are the instructions:

https://topjohnwu.github.io/Magisk/install.html#patching-images

Here is the global boot.img, extracted from the global ROM using the scripts in this repo:

https://mega.nz/file/9cl0HLLI#gA3367k3yULR0hk4M0Hv9n-aUN-faRMKI3mV-2CHriQ

Another way is to flash TWRP recovery, then use it to flash Magisk zip. Here is the TWRP for AGM X3, found in the link I mentioned at first. I don't know how it is compiled, and it may have bugs, like it cannot mount /data:

https://mega.nz/file/9Qc2VT5L#IemYVp7uGSGCg2bCwx-bYAA9XRKCoELPaHuhWl2THbk

By the way, I have submitted AGM X3 to TWRP Builder, but there is a long queue. Any help would be welcome to compile a more usable TWRP:

https://twrpbuilder.github.io/downloads/twrp/#tab=inQueue

And for reference, here is the original recovery.img extracted from the global ROM:

https://mega.nz/file/UElwRJLJ#AvKT61wPq_T2WlyfsUy9EYKBB1tUvuk2rmdgSBvyh1g

[Alessandro090298]

thank you you saved my life with agm

[proger10]

It seems like it is neccessary to flash only abl partition to get ability to unlock bootloader.

So here is summory of how to unlock bootloader: WARNING: THESE ACTIONS CAN DAMAGE YOUR PHONE AND VOID YOUR WARRANTY!!! YOU TAKE ACTIONS AT YOU OWN RISK.

0. Install QPST, USB Drivers, android platform tools (adb and fastboot)
1. Enter edl-mode: adb reboot edl
2. Open QFIL (i'm using QPST.2.7.460) , set "Device Type" UFS in cofiguration
3. Select "Flat Build", select prog_firehose_lite_60000100.elf as programmer
4. Tools -> Partition Manager -> right-click on abl -> Manage Partition Data
5. Backup your partiton (click on "Read Data..."). Your image will placed at C:\Users\< your user >\AppData\Roaming\Qualcomm\QFIL\COMPORT_< number of diagnistic port >. You can scroll status console to find path and filename
6. Flash leaked abl: click "Load Image..." and select abl_60000100.elf.
7. Close Raw Data Manager and Partition Manager, and reboot your phone (long-press on power button).
8. Enter fastboot mode: adb reboot bootloader
9. Unlock bootloader: fastboot flashing unlock. WARNING: IT WILL RESET YOUR PHONE TO FACTORY SETTINGS AND ERASE YOUR DATA (userdata partition)
10. Enable USB-debuuging again
11. Reboot to edl, open Partition Manager and open Raw Data Manager for abl
12. Flash your old abl: click on "Load Image..." and select image from step 5

Now you have unlocked phone and your old firmware. Link for abl_60000100.elf and prog_firehose_lite_60000100.elf: https://mega.nz/folder/015jSCwR#XQfe9vy58UCEYRzVPpfY5w

I think, now this issue can be closed =)

[ZJingTao]

@martinwu42 老哥能麻烦您 加下qq交流下么 也是跟踪小一年。。。今个刚解锁成 不过这些文件我不知为何都无效。。。QQ1252090669麻烦了

[JDoussal]

Hello ! And thank you for all this information and sharings. I have a AGM X3 phone with Chinese ROM that I would like to flash with global ROM. I tried the step by step process presented above by proger10 to unlock the bootloader, but I get stucked at step 9 :"Unlock bootloader: fastboot flashing unlock.". The command window stays indefinitely on "< waiting for any device >" and nothing happens neither on the phone. I tried all over again after a factory reset of the phone, and same problem. It seems somehow that something is wrong with fastboot.

The QFIL I use is with QPST.2.7.460 version.

Any idea ?

Thanks in advance !

[woct0rdho]

@JDoussal Did your phone enter fastboot mode (bootloader mode) successfully? In fastboot mode, there should be some blue text on black background.

Then you can use fastboot devices in command line on PC to list the devices in fastboot mode connecting to your PC. If your phone doesn't show up, you may try the following:

• Check if the USB cable is working.
• Check if the phone shows up in Windows device manager, under 'USB controllers' or 'Other devices'. If not, you may need to install some driver, but I think the driver should come with QPST.
• Upgrade Android platform tools to version 30.

[JDoussal]

@martinwu42 Yes my phone did enter fastboot mode successfully. In fastboot mode I have :

"FastBoot Mode PRODUCT_NAME - QC_Reference_Phone VARIANT - SDM UFS BOOTLOADER VERSION - BASEBAND VERSION - SERIAL NUMBER - 4b7d25a0 SECURE BOOT - yes DEVICE STATE - locked"

And it's in red, not blue.

I tried fastboot devices in command line on PC, but nothing happens. I tried the USB cable, it works. I checked in Windows device manager, and the phone appears under "Other devices" with a warning sign : when I enter the properties, it says that this devices drivers are not installed. Strange because I got the driver from your post above :

"> Here are my QPST and Qualcomm driver versions:

https://mega.nz/folder/FFsGxQAK#OkbbofbSsFKXOC_rNtsbrA

https://mega.nz/folder/NQlQCYbD#4fXkQSr-Tk6050Den3DOtg

The storage type is UFS.

However, maybe there is a difference between Chinese and International models of AGM X3... "

Thank you for your time !

[JDoussal]

Hi ! I finally managed to "force" the USB driver through windows device manager, and it worked perfectly. Now I have unlocked phone and my old firmware. I'll try to install the global ROM now.

[zaskokus]

@woct0rdho have you managed to actually root the device? is there any community support for the phone anywhere? I'd like to buy it but without being able to root it, i'm not taking it...

[woct0rdho]

@zaskokus Yes, I did root it with the steps above, but there is no guarantee that it will work on all devices. Do at your own risk :)

I don't think there is extensive community support for AGM. Maybe you can start some discussion on XDA.

[zaskokus]

@woct0rdho honestly i'm a bit confused, not to mention in the other thread (https://github.com/phhusson/treble_experimentations/issues/294) there was someone trying out lineageos of some sort. I've only dealt with mediatek devices and this qualcomm stuff is very confusing to me. would you be so kind and gave me some more precise directions? it'd be great to actually gather up few people and figure out either lineage or /e/ or whatever other project, so we're not stuck with unsupported by anything/anyone devices.

[woct0rdho]

@zaskokus Maybe you can first refer to some tutorials about QFIL (the most important Qualcomm stuff).

proger10's instructions are already precise, but you need to understand every step so you can have some confidence when flashing. Maybe you can also try to first flash another easier phone using QFIL and try out its various functionalities, and you will gradually know Android's disk partition layout and boot process.

Apparently AGM never released their kernel source, and it requires some reverse engineering to compile LineageOS or other custom ROMs for it. AFAIK there is even no fully usable TWRP recovery for now...