Earlier post for context: https://lemmy.ml/post/35496495
TL;DR: Don’t buy Huawei or Honor phones if you need bootloader unlocking capabilities. Even on units without a carrier lock. I couldn’t unlock my Honor 90 Lite.
While the following comes from my experience attempting to unlock the bootloader on an Honor 90 Lite, it likely also applies to recent Huawei smartphones. Honor shares a great deal of its codebase with Huawei as it was a subsidiary spun off several years ago.
Unfortunately, a visible OEM unlocking toggle under the developer options does not guarantee bootloader unlocking in practice. It is up to the bootloader itself to accept unlocking commands, which manufacturers can patch out or severely restrict.
Prior to 2020, users could fill in a form on the Huawei/Honor website that provided the 16-character code required to unlock the bootloader. Instead of
fastboot flashing unlock
Huawei/Honor bootloaders require
fastboot oem unlock [16-CHAR CODE]
However, the form has since been discontinued, leaving us with
- Exploits for certain models with Kirin and Qualcomm SoCs
- Various paid and proprietary unlocking services
- Brute-force tools for models without known exploits
Since my phone does not have a known exploit and I don’t feel like handing over my money to unlocking services with characteristically shady-looking websites, I am left with the last option.
Brute-force with Luhn algorithm
For some time, the unlock codes were 16-digit numerical strings which were related to the IMEI and satisfied the Luhn algorithm (the same algorithm used as a rudimentary checksum for credit card numbers). This greatly narrows down the number of codes to be tried, such that I exhausted the entire space of 16-digit codes satisfying the Luhn algorithm in 45 minutes using the following Python scripts.
https://github.com/vcka/huawei-honor-unlock-bootloader
The better-known of the two Python scripts, this works mostly as intended, but does not stop once the space of 16-digit codes is exhausted, instead continuing up into 17-digit codes and beyond. However, an unlock code longer than 16 digits has never been attested.
https://github.com/borisgrigorov/bootloader-brute-force
This script did not appear in my initial search and didn’t work out of the box on account of expecting a specific error message and stopping execution otherwise. However, it proved a friendlier script than the former with a quick patch and stopped once all 16-digit codes valid under the Luhn algorithm were exhausted.
Huawei/Honor are also known to require 16-digit alphanumeric codes, particularly on later models. Adding just the uppercase alphabet would make for a 16-character base-36 code, effectively conveying the information in a 25-digit base-10 code. Searching through this space would take about 800 million times longer. By the time this finishes, I can only hope that humanity has moved on past locked bootloaders. So I ditched any effort of extending the scripts to include alphabetic characters.
Trying both scripts with both IMEIs yielded no working unlock codes, so onto our next options.
Brute-force without Luhn algorithm
But what if it’s still a 16-digit code, but it just doesn’t add up according to the Luhn algorithm? How much longer would that take? The following C programs claim to be the fastest brute-force unlockers, neither of which uses the Luhn algorithm.
https://github.com/Martazza/Huawei-Bootloader-Unlocker
The simpler and more well-known of the two, this simply increments up from 1000000000000000, testing each code along the way. At a rate of 200 guesses per second, my computer and phone would have burned through a good chunk of the world’s remaining coal reserves by the time this finishes, even without accounting for alphabetical characters. So this is a no-go.
https://github.com/B83C/huawei_bootloader_unlocker
This optimizes upon the code of the former, incorporating portions of the fastboot source code to suppress unnecessary output. However, it appears to get stuck after guessing only 8 codes. I’ll guess why in a bit.
Previously reported successes and time required to unlock
There are reports of the scripts utilizing the Luhn algorithm working on Huawei and Honor devices from around 2018 and 2019. Those attempts required continuous brute-forcing anywhere from several hours to several days. So why was my computer, featuring an i7-9700 also from 2019, able to iterate through all codes according to the Luhn algorithm in only 45 minutes? I am not certain, but my theory is that my phone had been silently discarding attempted codes without ever taking the time to evaluate them. The program from B83C is the only one to check the USB connection status and 8 attempts may have been the cutoff for my phone. I didn’t bother with further testing. And unless someone manages to guess several million codes per second, at which point USB I/O would become a bottleneck, Martazza’s code is of little practical use.
If it had taken longer to search through possible codes, my phone would have died during the process as it did not take in enough charge to sustain itself in fastboot. Fortunately, fastboot is kind enough to wait until the phone is ready again after disconnecting, charging, and reconnecting.
Other things that didn’t work
- fastboot reboot fastboot: bootloader seems to double as fastboot for Huawei/Honor devices. fastboot with a white background and plain orange text doesn’t seem to take any commands.
- Recovery menu accessed by holding volume up during boot: OTG upgrade does not allow choosing a file. USB upgrade allows the phone to show up under adb devices, but there is no dialog to grant permission.
- mtkclient: tried every button combination I could think of during power-up, but could not enter BROM mode
- Honor Suite: Just a dumbed-down syncing tool that requires admin privileges on Windows, no option anywhere related to bootloader unlocking. Worse yet, it doesn’t even detect the phone in fastboot mode, even though the phone suggests opening Honor Suite when in fastboot.
Just to be clear: I could not unlock the bootloader of my Honor 90 Lite (CRT-NX1). Gotta love how we have to worry about things like Cellebrite cracking our precious data in a matter of hours while concerted efforts have done little against the accursed little bootloader.
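The search-space arithmetic behind the figures in the post above, as an added example that is not part of the original post or of the linked scripts: it implements the Luhn check and compares the three code formats the post mentions at the quoted rate of 200 guesses per second. The function names are illustrative, and every 16-character string (leading zeros included) is assumed to be a candidate.

```python
"""Search-space arithmetic for 16-character unlock codes (added illustration)."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def luhn_valid(code: str) -> bool:
    """Return True if a string of decimal digits passes the Luhn check."""
    total = 0
    for pos, ch in enumerate(reversed(code)):
        digit = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9        # same as summing the two digits of the product
        total += digit
    return total % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """Return the single digit that makes payload + digit Luhn-valid."""
    return next(d for d in range(10) if luhn_valid(payload + str(d)))


def keyspace(alphabet_size: int, length: int = 16, luhn: bool = False) -> int:
    """Count candidate codes; Luhn fixes the last digit, leaving one in ten."""
    total = alphabet_size ** length
    return total // 10 if luhn else total


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 200  # guesses per second, the figure quoted in the post
    for label, space in [
        ("16 digits, Luhn-valid", keyspace(10, luhn=True)),
        ("16 digits, any", keyspace(10)),
        ("16 chars, 0-9 and A-Z", keyspace(36)),
    ]:
        print(f"{label:24} {space:.3e} codes  {years_to_exhaust(space, rate):.3e} years")
    print(f"base-36 vs base-10: {keyspace(36) / keyspace(10):.3e}x larger")
```

The Luhn constraint only removes a factor of ten, while moving from digits to a 36-symbol alphabet multiplies the space by roughly 8 × 10^8, which is why a rate-limited alphanumeric code is out of reach for online guessing.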
Hello monovergent
Amazing essay you have here, thank you!
Btw, what year would you guess was the start of Alphanumerical code usage? That is if there isn’t already a list of supported devices in the depths of the internet 😅