Root realme C11 2021
BACKUP EEEEEVERYTHING. I AM NOT RESPONSIBLE FOR ANY LOSS ON YOUR SIDE
- spd_dump and device files from TomKing062
- Windows 10 or later (Linux users might have to use different commands, but it works the same). The guide assumes you're using a 64-bit OS.
- Have adb and fastboot working with this guide. Make sure you see your device with
  adb devices
  If not, please stop everything; this guide is not for you.
- Have Spreadtrum drivers installed. You might have to reboot Windows without driver signature enforcement if the install fails. To confirm, run
  devmgmt.msc
  and keep an eye on Ports (COM & LPT) to check that the device shows up when it is plugged in while powered off and holding the boot key (volume down).
- python2
- avbtool
- openssl
- aik
- rsa4096_boot.pem
- Official stock ROM, to start from a fresh and clean install
- Ensure the device is disassembled so you can easily disconnect the battery. At times some operations may fail and leave the bootrom in an unknown state, which can only be restored by removing the battery. It is very easy and can be done with basic tools. Video
- Notepad++ to read hexdumps
- extract spd_dump and files to a folder and open powershell from there
- run
.\unlock.bat
- hold the bootkey(vol down) and plug in device
- You will see
  CONNECT bootrom
  and other warnings, which is fine.
- The script will pause. If you don't see anything like
  port error
  just press Enter to continue.
- Let it do its thing and, once it pauses again, press Enter.
- Now open m.bin, right next to the files, with a hex editor or Notepad++.
- If you have all zeros in the file, sorry, you probably messed up somewhere or the device is not supported. If you see a bunch of numbers, it is now unlocked!
- After reboot, you should see device state unlock
- We need a clean base to start from. Extract the ROM and the download tool inside cp_sign/SHARKL3_R11/Download_tool. Load the pac file; the password is P@test001. Click Start, then connect the device while holding the boot key. Once the flash is complete, disconnect the device from USB.
- Power up the device. Don't sign in or do anything important just yet; just apply the latest system update.
- You will notice that annoying Wireless Test assistant dialog; we will fix this later once we have root. It also prevents saving Wi-Fi passwords, as if that wasn't annoying enough :(
- Run
  systempropertiesadvanced
  and open Environment Variables.
- In the User variables section, double-click the Path row.
- Add the following new variables; they will populate the table on the left:
  - C:\Python27
  - C:\Python27\Scripts
  - C:\Program Files\OpenSSL-Win64\bin
  - the directory with adb.exe and fastboot.exe
- Install python2
- Install openssl
- Open cmd and run
  python2 -m pip install pycryptodome
- Open another cmd as admin and run
  mklink /H C:\Python27\python2.exe C:\Python27\python.exe
- reboot the phone to normal
- Run
  adb shell getprop ro.bootimage.build.fingerprint
  It looks something like realme/RMX3231/RMX3231:11/<build_id>/<timestamp>:user/release-keys
- This will be the fingerprint we sign our boot.img with.
- I assume you have read up on how A/B updates work. If not, check out the official docs.
- reboot device to fastboot with
adb reboot fastboot
- Run
  fastboot getvar all
  and scroll down to (bootloader) current-slot. If you flashed official stock, you should be in slot b, since stock starts with a.
- Remember the slot, since we need it for the next commands.
- Run
  fastboot reboot
  then power off the device.
- Open the directory where you extracted spd_dump and tools, and open PowerShell from there by Shift+right-clicking in the folder.
- Paste the following into PowerShell. Replace <a_or_b_slot> with your current boot slot from the previous command, so it's read_part boot_b if you flashed original stock:
.\spd_dump exec_addr 0x4f48 fdl fdl1-dl.bin 0x5000 fdl fdl2-dl.bin 0x9efffe00 exec read_part boot_<a_or_b_slot> 0 64m boot.img poweroff
- you now have boot.img which will be patched by magisk
- Keep this file somewhere for future updates to Magisk when no OTA update has occurred. You can version it like boot.<patch_level>.img, for example boot.475.img. Get the value with
  adb shell getprop ro.build.version.incremental
- Start the phone and install the latest magisk
- Install magisk sector by selecting boot.img
- It creates a file at /sdcard/Download/magisk_patched_xxxxx.img (where xxxxx is a random string); pull this file with
  adb pull /sdcard/Download/magisk_patched_xxxxx.img
- Open a PowerShell where you extracted AIK (you should have unpackimg.bat in this folder).
- Run
  .\unpackimg.bat <path_to_magisk_patched_xxxxx.img>
  .\repackimg.bat
  Note: replace <path_to...> with the actual file path. You could drag the file to the PowerShell window and it will fill this in for you.
- This creates image-new.img
- This is unsigned and not padded to 64 MB
- In the directory where you downloaded avbtool, run:
  python2 .\avbtool add_hash_footer --image <path_to_image-new.img> --partition_name boot --partition_size 67108864 --key <location_of_rsa4096_boot.pem> --algorithm SHA256_RSA4096 --prop com.android.build.boot.fingerprint:<current_fingerprint> --prop com.android.build.boot.os_version:11 --salt 7A91E47F8D2CFB95DCCFF13305EE3F07EDCF83A42660A811F3724E1E8B463284
  Note: replace <path_to...> with the actual file path. You could drag the file to the PowerShell window and it will fill this in for you. Replace <current_fingerprint> with the current fingerprint of the installed ROM.
- image-new.img is now 64 MB, as per Android 11 boot.img guidelines
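
Before flashing, the padded image can be sanity-checked. The script below is an added example, not part of the original guide or of avbtool: it checks that the file is exactly the 67108864 bytes passed as --partition_size and that the AVB footer avbtool appends (magic AVBf in the last 64 bytes) points at a vbmeta blob (magic AVB0). It does not verify the signature; check_boot_image and make_sample are names made up for this example, and make_sample only builds a constructed file for exercising the checker.

```python
import os
import struct
import sys

BOOT_PARTITION_SIZE = 67108864   # --partition_size used in the guide (64 MiB)
FOOTER_FORMAT = "!4s2L3Q28x"     # AvbFooter layout: big-endian, 64 bytes
FOOTER_SIZE = struct.calcsize(FOOTER_FORMAT)


def check_boot_image(path, partition_size=BOOT_PARTITION_SIZE):
    """Return a list of problems; an empty list means the layout looks sane."""
    problems = []
    size = os.path.getsize(path)
    if size != partition_size:
        problems.append("size is %d, expected %d" % (size, partition_size))
    if size < FOOTER_SIZE:
        return problems + ["file too small to hold an AVB footer"]
    with open(path, "rb") as f:
        f.seek(size - FOOTER_SIZE)
        magic, major, minor, orig_size, vb_off, vb_size = struct.unpack(
            FOOTER_FORMAT, f.read(FOOTER_SIZE))
        if magic != b"AVBf":
            return problems + ["no AVB footer (image not passed through avbtool)"]
        if vb_off < orig_size or vb_off + vb_size > size - FOOTER_SIZE:
            problems.append("vbmeta range in footer is inconsistent")
        else:
            f.seek(vb_off)
            if f.read(4) != b"AVB0":
                problems.append("vbmeta magic AVB0 not found at footer offset")
    return problems


def make_sample(path, size=BOOT_PARTITION_SIZE, with_footer=True):
    """Write a constructed test file with the same layout (not a real boot image)."""
    orig_size, vb_off, vb_size = 4096, 4096, 256
    with open(path, "wb") as f:
        f.truncate(size)  # zero-filled file of the requested size
        if with_footer:
            f.seek(vb_off)
            f.write(b"AVB0")
            f.seek(size - FOOTER_SIZE)
            f.write(struct.pack(FOOTER_FORMAT, b"AVBf", 1, 0, orig_size, vb_off, vb_size))


if __name__ == "__main__":
    issues = check_boot_image(sys.argv[1])
    print("OK" if not issues else "\n".join(issues))
```

Save it under any name and pass the path to the 64 MB image-new.img as the only argument. avbtool's own info_image command prints the full footer and descriptor details for the same file.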
- reboot device to normal and run:
adb reboot fastboot
fastboot flash boot <path_to_64mb_image-new.img>
- If this is the first time flashing boot, we also need to wipe userdata to avoid being stuck at the boot logo due to some leftovers. Don't do this if you are updating Magisk or after an OTA update, since you will erase your data!
fastboot erase userdata
fastboot reboot
and voila, you're in!
adb shell dumpsys engineer --execute_power_off
note: this wipes userdata too
- NEVER AUTOMATICALLY UPDATE MAGISK FROM THE APP! this will break boot partition as the image will not be signed.
- Repeat process from magisk to flashing to patch the file
- Remember to patch the stock boot.img you stored somewhere which is for the current OTA update
- Don't wipe user data once you reach flashing section
- Repeat process from get current fingerprint to flashing
- The fingerprint and boot slot will have changed so you have to redo everything!
- Don't wipe user data once you reach flashing section
- Install lsposed, install gravity box, remove the bloat that comes by default, do a termux box chroot and run gta 4
- enjoy your freedom!