@Denzy7
Last active April 12, 2024 17:48
Root realme C11 2021

root rmx3231

IMPORTANT!

BACKUP EEEEEVERYTHING. I AM NOT RESPONSIBLE FOR ANY LOSS ON YOUR SIDE

required

recommended

  • Official stock rom. To start a fresh and clean install
  • Ensure the device is disassembled so you can easily disconnect the battery. Some operations may fail and leave the bootrom in an unknown state that can only be recovered by removing the battery. It is very easy and can be done with basic tools. Video
  • Notepad++ to read hex dumps

unlock bootloader

  • extract spd_dump and the files to a folder and open PowerShell from there
  • run .\unlock.bat
  • hold the boot key (vol down) and plug in the device
  • you will see CONNECT bootrom and other warnings, which is fine
  • The script will pause. If you don't see anything like a port error, just press enter to continue
  • Let it do its thing and once it pauses again, press enter
  • Now open m.bin, right next to the files, with a hex editor or Notepad++
  • If the file is all zeros, sorry, you probably messed up somewhere or the device is not supported. If you see a bunch of numbers, it is now unlocked!
  • After reboot, you should see device state unlocked

clean start (skip if not using linked official stock rom)

  • We need a clean base to start from. Extract the ROM and the download tool inside cp_sign/SHARKL3_R11/Download_tool. Load the pac file; the password is P@test001. Click start, then connect the device with the boot key held. Once the flash is complete, disconnect the device from USB
  • Power up the device; don't sign in or do anything important just yet. Just apply the latest system update
  • You will notice that annoying Wireless Test assistant dialog; we will fix this later once we have root. It also prevents saving wifi passwords, as if that wasn't annoying enough :(

set up environment

  • run systempropertiesadvanced and open Environment Variables
  • in the User variables section, double click the Path row
  • Add the following new entries; they will populate the table on the left:
    • C:\Python27
    • C:\Python27\Scripts
    • C:\Program Files\OpenSSL-Win64\bin
    • the directory with adb.exe and fastboot.exe
  • Install Python 2
  • Install OpenSSL
  • Open cmd and run python2 -m pip install pycryptodome
  • Open another cmd as admin and run mklink /H C:\Python27\python2.exe C:\Python27\python.exe

get current fingerprint

  • reboot the phone normally
  • run adb shell getprop ro.bootimage.build.fingerprint. It looks something like realme/RMX3231/RMX3231:11/<build_id>/<timestamp>:user/release-keys
  • this is the fingerprint we will sign our boot.img with

get current boot slot

  • I assume you have read up on how A/B updates work; if not, check out the official docs
  • reboot the device to fastboot with adb reboot fastboot
  • run fastboot getvar all and scroll down to (bootloader) current-slot. If you flashed the official stock ROM you should be in slot b, since stock starts with a
  • remember the slot, since we need it for the next commands
  • fastboot reboot, then power off the device

read_part boot

  • open the directory where you extracted spd_dump and the tools, and open PowerShell from there by shift+right clicking in the folder
  • paste into PowerShell, replacing <a_or_b_slot> with your current boot slot from the previous command, so it's read_part boot_b if you flashed original stock:
.\spd_dump exec_addr 0x4f48 fdl fdl1-dl.bin 0x5000 fdl fdl2-dl.bin 0x9efffe00 exec read_part boot_<a_or_b_slot> 0 64m boot.img poweroff
  • you now have boot.img, which will be patched by Magisk
  • keep this file somewhere for future Magisk updates when no OTA update has occurred. You can version it like boot.<patch_level>.img, e.g. boot.475.img; use adb shell getprop ro.build.version.incremental to get the patch level

magisk

  • Start the phone and install the latest Magisk
  • In the Magisk app, choose Install and select boot.img to patch
  • It creates the file /sdcard/Download/magisk_patched_xxxxx.img (where xxxxx is a random string); pull this file with adb pull /sdcard/Download/magisk_patched_xxxxx.img

aik

  • open PowerShell where you extracted AIK (you should have unpackimg.bat in this folder)
  • run:
.\unpackimg.bat <path_to_magisk_patched_xxxxx.img>
.\repackimg.bat

note: replace <path_to...> with the actual file path. You can drag the file into the PowerShell window and it will fill this in for you

  • this creates image-new.img
  • this is unsigned and not padded to 64 MB

signing with avbtool

  • in the directory where you downloaded avbtool, run:
python2 .\avbtool add_hash_footer --image <path_to_image-new.img> --partition_name boot --partition_size 67108864 --key <location_of_rsa4096_boot.pem> --algorithm SHA256_RSA4096 --prop com.android.build.boot.fingerprint:<current_fingerprint> --prop com.android.build.boot.os_version:11 --salt 7A91E47F8D2CFB95DCCFF13305EE3F07EDCF83A42660A811F3724E1E8B463284

note: replace <path_to...> with the actual file path. You can drag the file into the PowerShell window and it will fill this in for you. Replace <current_fingerprint> with the current fingerprint of the installed ROM

  • image-new.img is now 64 MB, as per the Android 11 boot.img guidelines
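Before flashing, it is worth confirming that image-new.img really carries the AVB footer and vbmeta that add_hash_footer is supposed to have written, since an unsigned image is exactly what bricks the boot partition. The checker below is an added example, not part of the original gist or of avbtool; it parses the AvbFooter and AvbVBMetaImageHeader layouts from AVB and reports the padded size, signing algorithm, hash-descriptor partition name and the --prop values. It only checks that the metadata is present and well-formed; it does not verify the RSA signature (use avbtool verify_image with the matching public key for that). It is Python 3 code, unlike the python2 that avbtool needs; build_sample constructs a small fake image for testing and is not a real signed boot image.

```python
import struct

# AVB (Android Verified Boot) on-disk layouts as written by avbtool add_hash_footer.
FOOTER_FMT = "!4s2LQQQ28x"                        # AvbFooter: magic, version, orig size, vbmeta off/size
VBMETA_HDR_FMT = "!4s2L2QL2Q2Q2Q2Q2QQLL47sx80x"   # 256-byte AvbVBMetaImageHeader
ALGO = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096", 3: "SHA256_RSA8192"}
PARTITION_SIZE = 67108864                          # --partition_size from the guide (64 MiB)


def check_boot_image(img: bytes, partition_size: int = PARTITION_SIZE) -> dict:
    """Return footer/vbmeta facts for a padded boot image, or raise ValueError if it is not signed."""
    if len(img) != partition_size:
        raise ValueError(f"image is {len(img)} bytes, expected {partition_size}")
    magic, _maj, _min, orig_size, vb_off, vb_size = struct.unpack(FOOTER_FMT, img[-64:])
    if magic != b"AVBf":
        raise ValueError("no AVB footer: image never went through add_hash_footer")
    hdr = struct.unpack(VBMETA_HDR_FMT, img[vb_off:vb_off + 256])
    if hdr[0] != b"AVB0" or vb_size < 256:
        raise ValueError("footer points at something that is not a vbmeta header")
    auth_size, aux_size, algo, desc_off, desc_size = hdr[3], hdr[4], hdr[5], hdr[14], hdr[15]
    aux = img[vb_off + 256 + auth_size:vb_off + 256 + auth_size + aux_size]
    props, hash_part, o = {}, None, desc_off
    while o < desc_off + desc_size:                # walk the descriptor chain
        tag, nbf = struct.unpack("!QQ", aux[o:o + 16])
        body = aux[o + 16:o + 16 + nbf]
        if tag == 0:                               # property: key_size, value_size, key\0value\0
            ks, vs = struct.unpack("!QQ", body[:16])
            props[body[16:16 + ks].decode()] = body[17 + ks:17 + ks + vs].decode()
        elif tag == 2:                             # hash descriptor: which partition it covers
            _, _, name_len, _, _, _ = struct.unpack("!Q32sLLLL60x", body[:116])
            hash_part = body[116:116 + name_len].decode()
        o += 16 + nbf                              # nbf already includes the 8-byte padding
    return {"original_size": orig_size, "algorithm": ALGO.get(algo, algo),
            "partition": hash_part, "props": props}


def build_sample(fingerprint: str, partition_size: int = 1 << 20) -> bytes:
    """Constructed, unsigned sample image (test data only): payload + vbmeta + padding + footer."""
    def prop(k: str, v: str) -> bytes:
        p = struct.pack("!QQ", len(k), len(v)) + k.encode() + b"\0" + v.encode() + b"\0"
        p += b"\0" * (-len(p) % 8)
        return struct.pack("!QQ", 0, len(p)) + p
    hd = struct.pack("!Q32sLLLL60x", 4096, b"sha256", 4, 32, 32, 0) + b"boot" + bytes(64)
    descs = struct.pack("!QQ", 2, len(hd)) + hd + prop("com.android.build.boot.fingerprint", fingerprint)
    hdr = struct.pack(VBMETA_HDR_FMT, b"AVB0", 1, 0, 0, len(descs), 2,
                      0, 0, 0, 0, 0, 0, 0, 0, 0, len(descs), 0, 0, 0, b"avbtool sample")
    payload = b"\x01" * 4096                       # stand-in for the raw boot image
    footer = struct.pack(FOOTER_FMT, b"AVBf", 1, 0, len(payload), len(payload), len(hdr) + len(descs))
    body = payload + hdr + descs
    return body + b"\0" * (partition_size - 64 - len(body)) + footer
```

On a real image run check_boot_image(open("image-new.img", "rb").read()) and confirm the algorithm reads SHA256_RSA4096, the partition reads boot and the fingerprint prop matches getprop output before you flash.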

flashing!

  • reboot the device normally and run:
adb reboot fastboot
fastboot flash boot <path_to_64mb_image-new.img>
  • if this is the first time flashing boot, we also need to wipe userdata to avoid getting stuck at the boot logo due to leftovers. Don't do this if you are updating Magisk or after an OTA update, since you will erase your data!:
    fastboot erase userdata
  • fastboot reboot and voila, you're in!

removing wireless test assistant (if you started by flashing the official stock ROM from the link)

  • adb shell dumpsys engineer --execute_power_off
    note: this wipes userdata too

updating magisk

  • NEVER AUTOMATICALLY UPDATE MAGISK FROM THE APP! This will break the boot partition, as the image will not be signed.
  • Repeat the process from magisk through flashing to patch the file
  • Remember to patch the stock boot.img you stored somewhere that matches the current OTA update
  • Don't wipe userdata once you reach the flashing section

when ota update occurs

now what?

  • Install LSPosed, install GravityBox, remove the bloat that comes by default, do a Termux chroot and run GTA 4
  • enjoy your freedom!

attributions