Guide: How to Unlock Xiaomi Qin 2 (Pro) and Install Custom ROMs


The following steps are for unlocking the Xiaomi Qin 2 (Pro) devices and installing custom ROMs, namely phh's GSI (Generic System Image). They have been tested on (and only on) a Xiaomi Qin 2 (non-Pro) 1+32G and a Xiaomi Qin 2 Pro 2+32G, both of which are the China version. The 2+64G version of the Qin 2 Pro is not tested, but I don't expect it to be different.

Great thanks to the guys on 4PDA for making this all possible, including but definitely not limited to @ruslang_3_, @xkubus, @0xMihalich, and @som_bbs. Without them, this device would have been stuck with suboptimal and uncustomizable software, without even regular security patches (official updates never merge AOSP security patches). All the following content is based on their work and findings. For more details, please refer to my previous article.

You may want to also read the FAQ section at the end of the article before starting.

Prerequisites

  • A Linux PC (or virtual machine, not sure if this will work in WSL)
  • A Windows PC (or virtual machine)
  • A Xiaomi Qin 2 or Qin 2 Pro device
  • Some Linux Shell knowledge

Unlocking

  1. (In Linux) Download Android_device_unlock.rar, extract to a folder, and cd into it

    This file was NOT discovered / made / extracted by me. It was originally posted by @ruslang_3_ here. I'm merely mirroring this file since not everyone has a 4PDA account, but I digress.

  2. Reboot your phone to bootloader mode using adb (adb reboot bootloader)

  3. Run ./fastboot oem get_identifier_token in the extracted folder (you must use this fastboot binary inside the folder)

    You will get output like the following. The XXXXXX part shown here is what you need, and if it spans multiple lines (before the OKAY), you need to concatenate them without any line breaks.

    ...
    Identifier token:
    XXXXXXXXXXXXXXXXXXXXXXXXXXXX
    OKAY [  0.017s]
    finished. total time: 0.017s
    
  4. Run ./signidentifier_unlockbootloader.sh ${TOKEN} rsa4096_vbmeta.pem signature.bin, replacing ${TOKEN} with what you get from the last step.

  5. Run ./fastboot flashing unlock_bootloader signature.bin.

    You will see a prompt and some instructions on the screen of your phone. Follow its instructions and press the corresponding buttons, then wait for it to finish unlocking and reboot. Upon rebooting, your phone will be stuck at the logo, but this is expected. Please continue following this instruction to make it boot again.

  6. (In Windows) Download Qin2Pro_s9863a1h10_v1.1.0.zip (Qin 2 Pro) or Qin2_china_test2.7z (Qin 2)

    Extract them for the needed .pac file. These files are kindly provided by @ruslang_3_ and @xkubus.

  7. Download SPD_Research_Tool_R23.19.3301 .7z

    Extract it for the ResearchDownload tool for Spreadtrum devices and install the corresponding drivers included in the archive file. I'm not describing how to install the drivers here. This file was provided by @xkubus. (Note: if you encounter any driver issues, you may try other drivers for use with Spreadtrum ResearchDownload tool elsewhere)

  8. Fire up ResearchDownload, use the first button to choose your respective .pac file downloaded earlier, and wait for it to load

    When the file is loaded, click the second button, and untick EraseUBOOT and EraseUBOOTLOG from the list.

  9. Click the start button, then, (on Qin 2 Pro) hold Power + Volume Up or (on normal Qin 2) hold Power + AI button, until ResearchDownload detects the device

    After the device is detected, you need to release the buttons.

  10. Wait for ResearchDownload to finish flashing, then your device will automatically reboot into the official ROM again.

Congratulations, your bootloader is now unlocked, and you can now use the fastboot tool to install custom system images. However, you still cannot flash unsigned boot and recovery images (you can flash system just fine, though). This will be discussed later.
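
For steps 3 and 4 above, an added shell example (not part of the original guide or of the Android_device_unlock.rar archive) that joins a token wrapped over several lines into the single string the signing script expects. The sample output and its token are constructed, and stripping a "(bootloader) " line prefix is an assumption about how some fastboot builds print device messages.

```shell
#!/bin/sh
# Added example: pull the identifier token out of the output of
# `fastboot oem get_identifier_token` and join wrapped lines into one string.

# extract_token: reads fastboot output on stdin, prints the token on one line.
# Everything between "Identifier token:" and the "OKAY" line is concatenated
# with no separator. Exits non-zero if no token was found.
extract_token() {
    awk '
        {
            sub(/\r$/, "")                      # tolerate CRLF line endings
            sub(/^\(bootloader\)[ \t]*/, "")    # assumed optional prefix
            gsub(/^[ \t]+|[ \t]+$/, "")         # trim indentation
        }
        /^Identifier token:/ { grab = 1; next }
        /^OKAY/              { grab = 0 }
        grab && length($0)   { token = token $0 }
        END { if (token == "") exit 1; print token }
    '
}

# valid_token: reject an empty token or one that still contains whitespace,
# since either would be passed to the signing script as the wrong argument.
valid_token() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample output; the token is made up and wraps over two lines.
sample_output() {
    cat <<'EOF'
...
Identifier token:
30313233343536373839414243444546
4748494a4b4c4d4e
OKAY [  0.017s]
finished. total time: 0.017s
EOF
}

# Demo on the sample. On a real device the input would come from
#   ./fastboot oem get_identifier_token 2>&1 | extract_token
# (2>&1 because fastboot normally writes these messages to stderr).
TOKEN=$(sample_output | extract_token) && valid_token "$TOKEN" && echo "$TOKEN"
```

The printed value is what replaces ${TOKEN} in step 4.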

Flashing phh's GSI images

Note: GSI support (including both 10 and 9) is only tested based on the official images mentioned in the previous section (the two zips provided, both Android 9 and China version). Using other versions may or may not work.

  1. Download your GSI images.

    Currently, any GSI image based on Android 9 should boot successfully, and GSIs based on Android 10 need to contain at least phh's patches newer than v209 to at least boot. You can download phh's GSIs here. Note that for the normal Qin 2, you need to use arm32_binder64 images, while for Qin 2 Pro you need arm64 images. For both of the devices, you need ab variants of GSIs. (aonly will not work)

  2. Reboot your phone into recovery mode to format data.

    This is very important. The data erase feature in bootloader will not work and can cause the GSI to refuse to boot. You CANNOT reboot into recovery in any way from bootloader. Use adb reboot recovery to reboot into the recovery, and when you see the robot icon, press Power + Volume Up to get into the menu.

  3. Reboot into bootloader, and run fastboot flash -S 100M system /path/to/your/system.img to install the GSI image

    The -S 100M part is important to get it working. Also note that you need to extract what you downloaded (.xz) to get the actual .img file.

  4. Run fastboot reboot to reboot into the new system.

    If the GSI of your choice fails to boot, you should first check whether adb is available. If so, you can use adb reboot recovery to get back into recovery, clear data and start over again. If not, then your options are (1) use ResearchDownload to restore the official ROM again; or (2) take the phone apart, unplug and replug the battery, and then use Power + Volume Down to get back into recovery.

You may experience some random crashes on phh's GSI 10 v209 if your device is Qin 2 Pro. The current solution is to set ro.config.avoid_gfx_accel=true through something like Magisk or by manually editing prop files, or you can use one of my AOSP GSI builds available below. I have already submitted a patch to phh for this exact issue and I think it will be fixed soon.

Here I provide my own builds of phh's GSI 10 images. These may contain fixes and improvements not yet available in phh's, and are signed with my own keys instead of testkeys. These contain Google Apps and do not contain su, because I use Magisk myself. I do not guarantee regular updates of these images, and they are not compatible with phh's GSI images -- you cannot switch from one to the other seamlessly (i.e. you need to format data).

Magisk (Qin 2 Pro)

Installing Magisk on Qin 2 (Pro) is a bit complicated. It requires manual editing of vbmeta. Here I only provide an edited version for the Pro variant, and if you use the normal Qin 2 or you want to update Magisk yourself, please refer to my previous article on how to create your own vbmeta and flash your own boot / recovery images. (Note that if you only need root, you may not actually want Magisk; phh's GSI images have variants that contain a su implementation. These include those with the -su suffix and all of the Android 10 images from phh.)

Note: @xkubus on 4PDA has published a modified firmware for the normal Qin 2 (not Pro) with Magisk included. If you want to use GSI with his Magisk patch, you can simply extract the vbmeta.img and recovery.img from his firmware with ResearchDownload (Google for the method) and use them in the same way as follows.

  1. Download vbmeta_signed.img and magisk_rec_v20.3.img (Last updated: 2019-01-16) (These files are only for the Pro variant, and DO NOT try to use them in ResearchDownload).

    This vbmeta contains my signing key on both the boot and recovery partition. After installing these, you will not be able to flash boot and recovery from official ROM or anyone else. You will need to restore official vbmeta or install the corresponding vbmeta from whoever you get the boot or recovery image. Therefore, you should NOT use these images in ResearchDownload as-is. It will fail.

  2. Run fastboot flash vbmeta vbmeta_signed.img

  3. Run fastboot flash recovery magisk_rec.img

  4. Run fastboot reboot, and when the phone gets back into system, execute adb reboot recovery to boot into a system with Magisk enabled

Magisk on this device has to be installed to recovery because boot does not contain a ramdisk. You need to boot into recovery every time to use Magisk (Power + Volume Down). For reboots, please make sure you ALWAYS use some sort of direct reboot to recovery feature, since you cannot activate the recovery via key combinations during a reboot. To use the actual recovery instead of a system with Magisk, you need to press and hold Volume Up during the boot logo when you boot into the recovery partition.

FAQs

  • Why not make a .pac file for custom ROMs, including Magisk? That would be much easier and won't even need unlocking

    Because I'm lazy and I'm a year 4 student with a lot of stuff to do. I do not want to maintain a .pac file for every possible GSI that I myself do not even use (because ResearchDownload only works in Windows and I only use Linux as my daily driver) and keep them updated. With an unlocked bootloader, you can do everything with fastboot.

  • Would these steps brick my device?

    I do NOT know. Please always remember that you carry out these steps at your own risk, and do not blame any mess-ups on me or any of those guys who devoted a lot of their time into making this possible.

  • EdXposed does not work even with Magisk v20.3 and Canary builds of EdXposed

    The new Magisk sepolicy customization will not work on this device because there is no persist mountpoint. The current solution is to simply put SELinux in permissive mode. You can try using magisk_permissive.zip.

  • The AI button is pretty useless on custom ROMs. Can we re-program it?

    Yes. Here is a Magisk module I have put together that does exactly this: ai-remap.zip. When installed via Magisk Manager, you will be prompted to customize the functionality of the AI button. This was modified from bixby remap.

  • On the normal Qin 2 with phh's GSI, why does the system look strange and why are some features not usable?

    Please refer to this issue.

  • Why is navigation bar missing?

    Run setprop persist.sys.phh.mainkeys 0

  • Why no VoLTE?

    For now, VoLTE is not possible on custom ROMs on Spreadtrum (and MTK) devices, due to their IMS implementation being highly dependent on their proprietary frameworks.

  • Why don't I get 4G LTE but only 3G / 2G?

    Please try selecting LTE in Settings - Network manually.

  • Bluetooth audio and dialer audio not working.

    My GSI build linked above in the "Flashing GSI" section already contains the fix (since 20200123), and the patch has been submitted to phh's GSI (https://github.com/phhusson/platform_frameworks_av/pull/5). You can expect all GSI ROMs to contain the fix soon (the patch has been merged into phh GSI; we just need to wait for the images to be updated).

  • Why not make a TWRP?

    Two reasons:

    1. A recovery on this device actually makes little sense, because when the system is broken and no adb available, there is no way to reboot into recovery except to unplug & replug the battery (or use ResearchDownload). For some reason, the recovery cannot be activated by pressing Volume Down while holding the power button -- it only works when you do a cold boot, but this is not possible if the system is broken.
    2. I basically cannot get TWRP working. It boots but fails to respond to any input event, not even the buttons. I tried AOSP and Lineage recovery but ended up with the same result. There is one "automatic TWRP porter" that works, but that one is 3.1.0 and does not support the partition layout on this phone, which launched with Android 9. Without its source code, I cannot get a more recent version of TWRP working.