Realme C11 2021\RMX3231\Narzo50i UNLOCKING TUTORIAL

narzo50i_unlock.md

Root Device

Realme C11 2021\RMX3231

IMPORTANT!

BACKUP EVERYTHING. I AM NOT RESPONSIBLE FOR ANY IMPORTANT DATA LOSS ON YOUR SIDE

Requirment

• spd_dump and device files By TomKing062

• windows 11 or later (linux users might have to use different commands but it works the same) guide assumes you're using 64 bit os

• have adb and fastboot working with this guide make sure you see your device with adb devices. if not Install adb drivers , Still not then this guide is not for you

• have spreadtrum drivers installed. You might have to reboot windows without driver signature enforcment if install fails. To confirm, run devmgmt.msc and keep an eye on Ports (COM & LPT) if it shows up when device is plugged in when powered off, while holding boot key(volume down)

• python3 Must

• openssl Must.

• aik Must.

• rsa4096_boot.pem

setup enviromnent

• run systempropertiesadvanced and open enviromnent variables
• in user variables section, double click the Path row
• Add the following new variables, they will populate the table on the left:
  • C:\Python27
  • C:\Python27\Scripts
  • C:\Program Files\OpenSSL-Win64\bin
  • the directory with adb.exe and fastboot.exe
• avbtool open cmd as admin run pip install avbtool .

recommended

• Official stock rom RMX3231_11.A.119. To start a fresh and clean install
• Ensure device is disassembled so you can easily disconnect the battery. At times some operations may fail and leave bootrom is unknown state and can only be restored by removing battery. It's very easy and can be done with basic tools. Tutorial
• Notepad++ to read hexdumps.

unlock bootloader

• extract spd_dump and files to a folder and open powershell from there by enterning powershell.exe in location address
• run .\unlock.bat
• hold the power and Volume_down Key and plug in the device with charging cable.
• you will see CONNECT bootrom and other warnings which is fine
• The script will pause. If don't see anything like port error just press enter to continue
• Let it do its thing and once it pauses again, press enter
• Now open m.bin right next to the files with hexeditor or notepad++
• If you have all zeros in the file, sorry you probably messed up somewhere or not supported. If you see a bunch of numbers it now unlocked!
• After reboot, you should see device state unlock

clean start (skip if not using linked official stock rom)

• We need a clean base to start from.

• Extract the rom and the download tool inside cp_sign\SHARKL3_R11\Download_tool\ResearchDownload.

• Open ResearchDownload.exeLoad the pac file and the password is P@test001. Click start then press Power and Volume_down then connect the device. Once flash is complete, disconnect device from usb

• Power up device, don't sign in or do anything important just yet. Just apply the latest system update

• You will notice that annoying Wireless Test assistant dialog, we will fix this later once we have root. It also prevent saving wifi passwords too as if that wasnt annoying enough :(

• Install openssl

• Open cmd and run python -m pip install pycryptodome

• Open another cmd as admin and run mklink /H C:\Python27\python.exe C:\Python27\python.exe

get current fingerprint

• reboot the phone to normal
• run adb shell getprop ro.bootimage.build.fingerprint. it looks something like realme/RMX3231/RMX3231:11/<build_id>/<timestamp>:user/release-keys
• this will be the fingerprint we sign our boot.img with so save it somewhere

get current boot slot

• im assume you are readup on how a/b updates work. if not check out official docs
• reboot device to fastboot with adb reboot fastboot
• run fastboot getvar all and scroll down to (bootloader) current-slot.
• If you flashed official stock you should be in slot b since stock starts with a
• i faced this soo. if the command fastboot getvar all didnt show anything then just goo with boot_a in commands where its needed
• remember the slot since we need it for next commands
• fastboot reboot then power off device

read_part boot

• open up the directory you extracted spd_dump and tools and open powershell from there by shift+right clicking in the folder
• paste into powershell. replace <a_or_b_slot> with your current boot slot from previous command so its read_part boot_b if you flashed original stock:

.\spd_dump exec_addr 0x4ee8 fdl fdl1-dl.bin 0x5000 fdl fdl2-dl.bin 0x9efffe00 exec read_part boot_<a_or_b_slot> 0 64m boot.img poweroff

• you now have boot.img which will be patched by magisk
• keep this file somewhere for future updates to magisk when no ota update has occured. You can version it like boot.<patch_level>.img like boot.475.img. use adb shell getprop ro.build.version.incremental

magisk

• Start the phone and install the latest magisk
• Install magisk sector by selecting boot.img
• It creates file in /sdcard/Download/magisk_patched_xxxxx.img(where xxxxx is a random string); pull this file with adb pull /sdcard/Download/magisk_patched_xxxxx.img

aik

• open a powershell where you extracted AIK (you should have unpackimg.bat in this folder)
• run

.\unpackimg.bat <path_to_magisk_patched_xxxxx.img>
.\repackimg.bat

note: replace <path_to...> with the actual file path. you could drag the file to the powershell window and it will fill this for you

• this creates image-new.img
• this is unsigned and not padded to 64mb

signing with avbtool

• in the directory you download avbtool, run:

python .\avbtool add_hash_footer --image <path_to_image-new.img> --partition_name boot --partition_size 67108864 --key <location_of_rsa4096_boot.pem> --algorithm SHA256_RSA4096 --prop com.android.build.boot.fingerprint:<current_fingerprint> --prop com.android.build.boot.os_version:11 --salt 7A91E47F8D2CFB95DCCFF13305EE3F07EDCF83A42660A811F3724E1E8B463284

note: replace <path_to...> with the actual file path. you could drag the file to the powershell window and it will fill this for you. replace <current_fingerprint> with current fingerprint of the installed rom

• image-new.img is now 64mb as per android 11 boot.img guidelines, OR
• You can ask any GPT to make this command for you by giving it all the necessary paths to the file and the tutorial command

flashing!

• reboot device to normal and run:

adb reboot fastboot
fastboot flash boot <path_to_64mb_image-new.img>

• if this is first time flashing boot, we also need to wipe userdata to avoid being stuck at boot logo due to some leftovers. Don't do this if you are updating magisk or after an ota update since you will erase your data! :
  fastboot erase userdata
• fastboot reboot and voila, you're in!

removing wireless test assistant (if you started by flashing official stock rom in link)

• adb shell dumpsys engineer --execute_power_off
  note: this wipes userdata too

updating magisk

• NEVER AUTOMATICALLY UPDATE MAGISK FROM THE APP! this will break boot partition as the image will not be signed.
• Repeat process from magisk to flashing to patch the file
• Remember to patch the stock boot.img you stored somewhere which is for the current OTA update
• Don't wipe user data once you reach flashing section

when ota update occurs(work in progress. the following instructions may not work)

• Repeat process from get current fingerprint to flashing
• The fingerprint and boot slot will have changed so you have to redo everything!
• Don't wipe user data once you reach flashing section

now what?

• Enjoy the root
• for banking apps install Play Integrity Fix Module
• Req Any support Just comment below
• OTA UPDATE FIX Realising soon
• TWRP TREE
• Video tutorial Soon
• Join Realme c11 telegram group

attributions

• TomKing062 🐐
• Denzy7 🦁