xsmh/qin-doov-hacking

Qin/Doov Hacking

Documentation & tools for hacking Qin (Duoqin) / Doov brand phones.

Support Me

Support me on Ko-fi

Overview

This guide has been written to walk the owners of Qin/Doov devices through flashing DumberOS (formerly Dumbdroid) or any other compatible ROM of their choice.

The guide assumes that you are using Windows 10/11. If you are using Linux, I trust your ability to figure out the OS specific parts on your own. If you are using macOS, good luck.

If you encounter any issues while following this guide, refer to the common errors section. If your issue isn’t listed there, please open a new issue in this repository and include a description of it along with the relevant logs.

Device compatibility

The guide itself should work on most Qin and Doov devices. As for DumberOS support, it will depend on the device:

Officially supported

  • Qin F21 Pro

  • Qin F22 Pro

  • Doov R77 Pro (R77c)

  • Doov R77

  • Doov R17 (Z17) Pro (3.5 inch screen)

  • Dumber Mini

Works but no official support

Some things may not work. Keys may not be mapped correctly and you will need to use a keymapper. Your experience will vary.

  • Qin F25 Pro

  • Doov R70 Pro

  • Tiq Mini M5

  • Tiq Mini M5s

Does not work

  • Qin F22 [1] (see footnote)

Warning ⚠️ ⚠️ ⚠️

  • Do NOT use AI chatbots for this unless you want a bricked device.
  • Do NOT skip making a backup. I cannot help you if you brick your device and do not have a backup.
  • Do NOT delete or flash the preloader. Recovering from a broken preloader is extremely difficult, if not impossible. Especially without a backup.

Flashing your device can brick your phone if done incorrectly.
By following this guide, you agree to proceed at your own risk. I'm not responsible for any damage, data loss, or other issues that may occur.

Prerequisites

  1. A Qin or Doov brand phone.
  2. A computer with at least 8GB [2] of RAM and three USB-A ports [3] for running the flashing tools. [4] (see footnote for Apple)
  3. Two USB flash drives [5], each with a capacity of 12GB or more [6]. Alternatively, you could use only one flash drive if you have 16GB or more of RAM; check the note in Make a backup to learn more.
  4. A data transfer USB A-C cable. Strictly A-C, not C-C. Make sure the cable you use is capable of transferring data, not just power. [7] No adapters should be used with this cable; it needs to be connected directly to a USB-A port.

Install the flashing tools

This has been by far the most difficult part of the process for most users. To simplify it I have created a customized Linux ISO that comes with the tools you need pre-installed. The OS you are using on your machine is irrelevant as it will not be affected.
The Linux ISO does not include SN Write Tool, which you will only need if you are flashing the American bands and for whatever reason you decide to not go with the Linux way of rewriting the identifiers. You will have to use Windows for that part if you need it.

Create bootable USB stick

  1. Download the Linux ISO that comes pre-installed with the tools.
  2. Download and install Rufus.
  3. Launch Rufus and insert a USB stick. Your USB drive should show up in the Device field.
  4. Click SELECT. Choose the Linux ISO and click Open to confirm.
  5. If you’ve already tried Rufus and the USB stick failed to boot on your system, change Partitioning scheme to GPT and check that Target system is set to UEFI (non CSM). This works on modern systems that disable legacy compatibility.
  6. Click START. Click OK or Yes on any prompts and popups.
  7. The image will now be written to the drive. Once it is done, the status bar will say READY. You can then click CLOSE to finish the process.

Boot from USB stick

There are two ways you could go about this.

Option 1: Connect your USB stick if it is not already. Hold the Shift key while pressing the Restart button and wait until Windows prompts you to choose an option. Click Use a device and then click Removable Device. Windows should now reboot into the USB drive.

Option 2: Connect your USB stick if it is not already. Reboot your computer and go into the BIOS. Disable Secure Boot and change the boot order to make the USB drive the first option. Save and reboot. These are some general instructions. This method will depend on your computer model, so you will have to look it up if you don't know how to do it.

Finally: When the computer reboots, you will be greeted with a few options. Press enter on the first option, Start Linux Mint. (If you have already done that before and ran into issues, try picking Compatibility Mode instead.) Once you have booted into Linux, you will be shown a login screen. Enter the password user and hit enter.

General info about the Linux ISO

  • Password for logging in to the live Linux environment is user.
  • There is no persistence. Meaning that any data you store on the Linux ISO itself will be lost after a reboot.
  • Wi-Fi may not work on some computer models due to unavailable proprietary drivers. In which case you will have to either use an Ethernet cable or transfer data via an external drive.
  • Any command you run in the terminal is case-sensitive, so type it exactly as instructed.
  • The ISO includes an empty vbmeta file, the American bands partitions, a Python script to force fastboot mode, a bash script to rewrite IMEI & MAC, and an F21 Pro boot image without TWRP.
  • There are 4 pre-installed programs that you can run with the following commands from the terminal:
  1. adb
  2. fastboot
  3. ghex
  4. mtk for CLI mode of mtkclient & mtk_gui for the graphical interface

To open the terminal, simply click the black square icon in the task bar at the bottom.
Going forward, whenever I mention Run, it means type the command that follows in the terminal and press enter.
You should always run commands from the home directory. If you are having an issue with a command, run cd first to go back to the home directory if you aren't in it already.

Make a backup

Important

This is the most important step in the guide. It is crucial that you do not skip it.
Note that this only backs up the firmware; it does not back up personal user data if you have any stored on your device.

Note

If your computer has +16GB of RAM, you could skip using the 2nd drive and store the backup directly on the Linux image and upload it to a cloud storage service (like Google Drive) once it's done (keep in mind the Linux ISO would lose all data after a reboot). I do not recommend this method as it uses RAM as storage and the live image can crash if you run out of it. But it should be safe if you have +32GB RAM. Follow Option 2 if you want to go this route.

Caution

If you have more than one device and you have already made a backup for one, you should change stock_rom in the commands with a different folder name (e.g. stock_rom2) so that you do not overwrite the already existing backup.

Option 1 (Recommended): store backup on 2nd USB stick

  1. While booted into the live Linux image, connect your 2nd USB stick and wait for a notification in the top right corner of the screen that says Volume mounted. This 2nd USB stick should already be formatted as exFAT (not FAT32); we will use it for storing the backup. Do not unplug the 1st USB stick that has the Linux image on it.
  2. Open the terminal in the Linux ISO by clicking the black square icon in the taskbar.
  3. Type lsblk and hit enter. Under MOUNTPOINTS you will see an entry similar to
    /media/user/exampleName. In your case exampleName will be whatever your USB drive name is. Take note of this path as we will use it in the next step. Note: Sometimes you might see more than one mountpoint that looks similar but with a different name like /media/user/differentName, we want the one that has the flash drive's name and not something else like your computer's internal drive.
  4. Run mkdir "/media/user/exampleName/stock_rom" but replace exampleName in the path with whatever your drive name was from the previous step. This command creates the folder we will be using to store our backup in.
  5. To make the backup, run mtk rl --skip userdata "/media/user/exampleName/stock_rom", replacing exampleName as before. Connect the cable to your phone while it is turned off and wait for the command to finish running. This takes roughly 10 minutes and shows the message DaHandler - All Dumped partitions success once it is done. If the command ran into any errors at any point, you probably don't have enough storage on your 2nd USB drive (possibly due to it being formatted as FAT32), and you should not proceed until you resolve the issue, even if you see the success message at the end. You can double-check that the files were actually created inside the stock_rom folder of the USB drive using the file explorer, but keep in mind that their presence does not mean they were written correctly if you did run into any errors.
  6. To back up the preloader, run mtk r preloader "/media/user/exampleName/stock_rom/preloader.bin" --parttype=boot1. Don't forget to replace exampleName here too. After this has finished, you should be able to see a number of files with the .bin extension inside the stock_rom folder of your USB drive.

Option 2: store backup on the live Linux environment

  1. Open the terminal in the Linux ISO by clicking the black square icon in the taskbar.
  2. Run mkdir stock_rom to create the folder we will be using to store our backup in.
  3. To make the backup, run mtk rl --skip userdata stock_rom. Connect the cable to your phone while it is turned off and wait for the command to finish running. This takes roughly 10 minutes and shows the message DaHandler - All Dumped partitions success once it is done. If the command ran into any errors at any point, you should not proceed until you resolve the issue, even if you see the success message at the end. You can double-check that the files were actually created inside the stock_rom folder, which you can find inside the home folder using the file explorer, but keep in mind that their presence does not mean they were written correctly if you did run into any errors.
  4. To back up the preloader, run mtk r preloader stock_rom/preloader.bin --parttype=boot1. After this has finished, you should be able to see a number of files with the .bin extension inside the stock_rom folder in the home folder.
  5. Move the stock_rom folder to an external drive or upload it to a cloud storage solution like Google Drive. Note: rebooting the Linux ISO will reset the live image and you will lose your backup if you haven't moved it somewhere else.
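
One way to check the backup from either option before moving on, as an added example that is not part of the original guide or of mtkclient: it confirms that super.bin and preloader.bin (the two file names this guide refers to) exist and that no .bin dump is empty, then records SHA-256 hashes so a copy on another drive or in cloud storage can be verified later. The function names and the SHA256SUMS file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide: sanity-check an mtkclient backup folder
# and record SHA-256 hashes so later copies can be compared against it.
# Assumption: the dump consists of one <partition>.bin file per partition.

# check_backup DIR -> 0 if the folder looks usable, 1 otherwise
check_backup() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing folder: $dir" >&2
        return 1
    fi
    # The two files the guide's recovery commands depend on.
    for required in super.bin preloader.bin; do
        if [ ! -s "$dir/$required" ]; then
            echo "missing or empty: $required" >&2
            rc=1
        fi
    done
    # A zero-byte dump points to an interrupted read or a full drive.
    for f in "$dir"/*.bin; do
        [ -e "$f" ] || continue
        if [ ! -s "$f" ]; then
            echo "empty dump: ${f##*/}" >&2
            rc=1
        fi
    done
    return "$rc"
}

# write_manifest DIR -> writes DIR/SHA256SUMS covering every .bin file
write_manifest() {
    ( cd "$1" && sha256sum ./*.bin > SHA256SUMS )
}

# verify_copy DIR -> 0 if every file in DIR matches DIR/SHA256SUMS
verify_copy() {
    ( cd "$1" && sha256sum -c SHA256SUMS > /dev/null )
}

# Usage: sh check_backup.sh "/media/user/exampleName/stock_rom"
# First run writes the manifest; later runs (or runs on a copy) verify it.
if [ "$#" -ge 1 ]; then
    check_backup "$1" || exit 1
    if [ -f "$1/SHA256SUMS" ]; then
        verify_copy "$1" && echo "hashes match: $1"
    else
        write_manifest "$1" && echo "manifest written: $1/SHA256SUMS"
    fi
fi
```

A passing check only shows that the files are present, non-empty and unchanged since the manifest was written; it cannot prove a dump is complete if mtk reported errors during the read.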

Unlock the bootloader

Warning

This will factory reset your phone and you will lose your data!

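You need to unlock the bootloader in order to flash the new ROM. The vbmeta command at the end of each method below flashes vbmeta with verity and verification disabled, which is what lets the device boot a system image other than the stock one.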

For most models

  1. Enter fastboot.
  2. Run fastboot flashing unlock.
  3. Run fastboot --disable-verity --disable-verification flash vbmeta vbmeta_a.bin.

For F21 Pro and similar models where “press volume up” doesn’t work

Note

Only use this method if you have the F21 or you have already tried the previous method and it did not work on your device.

  1. Turn off the phone.
  2. Run mtk da seccfg unlock. Connect the cable and wait for the command to finish.
  3. Enter fastboot.
  4. Run fastboot --disable-verity --disable-verification flash vbmeta vbmeta_a.bin.

Flash new ROM

Note

Before flashing a new ROM, if you have the F21 Pro [8] and live in US/Canada and want to flash the American bands, jump to Flash American bands on F21 Pro.

Note

Some F21 Pro users might have previously installed TWRP. You will need to remove TWRP in order to flash DumberOS.

There are a few LineageOS ROMs available that you can try. I'm going to flash DumberOS as it's currently the best option for these keypad phones.

Caution

DumberOS is a system image that's meant to be flashed to the system partition, and not the super partition. Flashing it to the super partition can take your device into a bootloop that can be difficult to get out of.

  1. Enter fastboot mode if you aren't in it already.
  2. Run fastboot reboot fastboot and wait for the device to reboot into fastbootD (colored text on black background).
  3. Erase user data if you are upgrading from the stock ROM. Updating DumberOS doesn’t require this step. Run the following commands.
    fastboot erase userdata
    fastboot erase metadata
  4. Download the appropriate *.img.gz from the latest build of DumberOS onto the Linux ISO or the 2nd USB drive. Choose between G-apps and Vanilla (Micro-g). For the F21 pro use version 30. For all other phones use 31.
  5. After the download has finished, extract (unzip) the file by right clicking on it and then clicking Extract here. Do NOT simply rename it to .img from .img.gz.
  6. Run this command from fastbootD
    fastboot flash system "Downloads/???.img" but replace ??? with the actual filename and wait for it to finish. Note: The "Downloads/???.img" path assumes you extracted the DumberOS image inside the Downloads folder of the live Linux image.
  7. Run fastboot reboot and wait for the device to reboot. If Orange State warning appears, press the power button to proceed and wait 5-10 minutes for the new OS to boot. Don't worry if it seems stuck on orange state warning on the first boot, just give it some time.
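
A pre-flight check for steps 5 and 6, as an added example that is not part of the original guide: it reads the file's magic bytes to tell a still-compressed .img.gz (for instance one that was only renamed to .img) from an extracted image before the file is passed to fastboot flash system. The function names are assumptions; the signatures checked are the standard gzip, Android sparse, ext4 and EROFS magic values.

```shell
#!/bin/sh
# Added example, not from the guide: identify a ROM file by its magic bytes.

# hex_at FILE OFFSET COUNT -> COUNT bytes at OFFSET as lowercase hex, no spaces
hex_at() {
    od -An -tx1 -j"$2" -N"$3" "$1" 2>/dev/null | tr -d ' \n'
}

# image_kind FILE -> prints gzip | sparse | ext4 | erofs | unknown
image_kind() {
    case $(hex_at "$1" 0 4) in
        1f8b*)    echo gzip; return 0 ;;    # gzip stream: still compressed
        3aff26ed) echo sparse; return 0 ;;  # Android sparse image (0xed26ff3a, LE)
    esac
    if [ "$(hex_at "$1" 1080 2)" = 53ef ]; then        # ext4 superblock magic 0xEF53
        echo ext4
    elif [ "$(hex_at "$1" 1024 4)" = e2e1f5e0 ]; then  # EROFS magic 0xE0F5E1E2
        echo erofs
    else
        echo unknown
    fi
}

# preflight FILE -> 0 recognised image, 1 still gzip, 2 not recognised
preflight() {
    case $(image_kind "$1") in
        gzip)
            echo "$1: still gzip-compressed, extract it before flashing" >&2
            return 1 ;;
        sparse|ext4|erofs)
            return 0 ;;
        *)
            echo "$1: format not recognised, check the download" >&2
            return 2 ;;
    esac
}

# Usage: sh preflight.sh "Downloads/???.img" (with the real file name)
if [ "$#" -ge 1 ]; then
    preflight "$1" && echo "$1: $(image_kind "$1") image"
fi
```

A file reported as gzip here is the case that produces the write_sparse_skip_chunk error listed under Common errors.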


Enter fastboot

If you need to enter fastboot:

  1. Turn off the phone if it is not already.
  2. Run python3 mtkfastboot.py.
  3. Connect the cable and wait until the command forces the device to reboot into fastboot. You should see text that says "fastboot" at the bottom left of the screen.

Tip

Alternatively you could try mtk payload --metamode FASTBOOT in BROM mode.

Recover from backup

If you have messed something up and would like to recover from your backup, do the following:

Warning

This will factory reset your phone and you will lose your data!

Recover stock ROM without affecting American bands or other partitions

  1. Turn off the phone.
  2. Assuming your backup is stored on your USB drive, run mtk w super "/media/user/exampleName/stock_rom/super.bin" but replace exampleName with the name of your drive as mentioned in Make a backup.
  3. Connect your cable and wait for the command to finish running. Once it's done unplug the cable and turn on the phone.

Tip

Alternatively you could enter fastboot and run fastboot flash super "/media/user/exampleName/stock_rom/super.bin".

Full recovery

Follow the three steps in the previous subsection but replace the command in the 2nd step with mtk wl "/media/user/exampleName/stock_rom". This should take about 10 minutes to flash.

Note

If you encounter the following error message, ignore it: Error: couldn't detect partition: partitionName, skipping.

Remove TWRP from F21 Pro

If you come from that one infamous guide on XDA where they guide you to install TWRP without making a backup, you have probably been stuck trying to flash DumberOS. That's because fastbootD is broken on that particular installation of TWRP.

Solution

Because there are different hardware revisions of the F21 Pro, I cannot guarantee that this solution will work. That's why it's essential to make a backup first. If it does not work for you then you will need to find a boot image that's compatible with your device and does not have TWRP installed.

  1. Make sure that you have made a backup.
  2. Turn off the phone.
  3. Run mtk w boot_a TWRPless_F21_Boot/boot_a.bin.
  4. Connect the cable and wait for the command to finish.

TWRP should now be gone.

Flash American bands on F21 Pro

Note

Skip this section if you do not live in US/Canada.

In this section we will go through the process of flashing American bands on the F21 Pro for users who need them.

  • This part should be followed after unlocking the bootloader and before flashing a new ROM because SN Write Tool does not work with LineageOS/DumberOS.
  • Make sure that you have made a backup.
  • Covered LTE Bands: 2, 4, 12, 13, 17, 66, 71
    This covers most T-Mobile users, in addition to some AT&T support depending on region.
  • Verizon will not work on DumberOS. As for getting it to work on the stock ROM you will need to flash the 1.1.1 firmware which I won't be covering in this guide. You can look up other guides on how to do that.

Flash

Pick one of the following options for flashing the bands. The Linux method is experimental but that's what I would recommend going forward. The Windows method will probably be removed once the Linux method has been tested extensively.

Option 1 (Experimental): Use Linux to rewrite IMEI & MAC

  1. Turn off the phone.
  2. Run mtk r nvdata nvdata.bin, connect the cable and wait for the command to finish running.
  3. Run sudo sh rewrite.sh, type in the password user once prompted and hit enter to rewrite IMEI and MAC addresses to the LTE bands files.
  4. Run mtk wl F30_Modem_Files, connect the cable and wait for the command to finish running to flash LTE bands.
  5. Follow the steps in Verify.

Option 2: Use Windows to rewrite IMEI & MAC

Caution

If you skip SN Write Tool, you’ll get dummy identifiers that may conflict with other devices.

  1. Backup Identifiers

    1. Go to Settings > About Phone.
    2. Write down these fields: IMEI, WiFi MAC, Bluetooth MAC.
  2. Flash LTE Bands

    1. Turn off the phone.
    2. Run mtk wl F30_Modem_Files from the Linux ISO, connect the cable and wait for it to finish.
  3. Prepare SN Write Tool (Windows)

    1. Switch to Windows, download and unzip SN Write Tool.
  4. Restore Identifiers

    1. Open SN Write Tool
    2. Set:
      ComPort: USBVCOM
      Target Type: Smart Phone
    3. Click System Config. Under Write Option, check IMEI, BT Address, and WiFi Address.
    4. Under Database File
      1. Check Load AP DB from DUT and Load Modem DB from DUT.
      2. Click MD1_DB: Select MDDB_InfoCustomAppSrcP_MT6761S00...EDB (inside AP DB Base/MT6761).
      3. Click AP_DB: Select APDB_MT6761_S01__W1947... (inside AP DB Base/MT6761).
      4. Click Save and return to the main window.
    5. Click Start and input your saved identifiers (no spaces in IMEI, no colons in BT/WiFi).
    6. Hold your phone's Back button, plug it in via USB, and click OK. Wait for the green PASS. If a second window pops up, close it if you already saw PASS.
  5. Follow the steps in Verify.

Verify

  1. Turn on the phone and check IMEI, WiFi MAC, Bluetooth MAC fields in Settings > About Phone to confirm your identifiers are restored.
  2. Dial *#*#3646633#*#* to open Engineer Mode. Go to Band Mode, scroll down and confirm bands 2, 4, 12, 13, 17, 66, 71 are active.
  3. Test calls/texting and internet data on the stock ROM to make sure whatever issue you might face after installing DumberOS isn't related to your carrier.

Device button combinations

Button combos that are useful to know sometimes.

  • For BROM mode you will need to run mtkclient first, and then hold the button combo and plug in the cable while still holding the buttons.
  • Recovery mode is built into the phone and no cable or program is required.

| Model | BROM (bootrom) | Recovery |
| --- | --- | --- |
| F21 Pro | menu + back (top two buttons) | menu + power + *, wait until android logo appears and then hold power + up |
| F22 Pro | menu + back (top two buttons) | - |
| F22 | menu + back (top two buttons) | power + up. Select and enter the Recovery option and then hold power + up again. |
| R77 Pro | call + power | # + power for 10 seconds (disabled on some units) |
| R77 | call + power | - |
| R17 Pro | call + power | - |

Common errors

Error: write_sparse_skip_chunk: don't care size XXXXXXXXX is not a multiple of the block size XXXX

You probably didn't unzip the ROM file you are trying to flash. Unzip and try again with the unzipped file.

FAILED (remote: 'Erase is not allowed on locked devices')

You have not unlocked the bootloader because you probably missed a step in Unlock the bootloader. Go back and redo the steps in that section.

FAILED (remote: 'This partition doesn't exist')

You are probably trying to flash the system partition from fastboot instead of fastbootD.
Run fastboot reboot fastboot and wait for the device to reboot into fastbootD (colored text on black background).

FAILED (remote: 'Not enough space to resize partition')

On some devices like the F21 Pro 3GB model, you might run into this error when you try to flash the system partition with DumberOS.

Solution

You can pick one of the following options to fix it.

Option 1: Delete product partition

  1. Enter fastboot
  2. Run fastboot reboot fastboot and wait for the device to reboot into fastbootD.
  3. Run fastboot getvar current-slot to check which slot is currently active (a or b). Take note of the active slot as we will be using it in the next step.
  4. Run fastboot delete-logical-partition product_a if your active slot was a in the previous step, otherwise replace product_a with product_b in the command.

You can now repeat steps 6-7 from the Flash new ROM section.

Option 2: Delete COW partitions

  1. Enter fastboot mode if you aren't in it already.
  2. Run fastboot getvar all and check if you have any partitions with the name ending with cow. Example: system_a-cow. If you have them proceed to the next step, otherwise ignore this option and use Option 1 instead.
  3. Run fastboot getvar current-slot to check which slot is currently active (a or b). Take note of the active slot as we will be using it later.
For cow partitions that are in slot a (e.g. system_a-cow)
  1. Run fastboot set_active a to set the active slot to a.
  2. Run fastboot reboot fastboot and wait for the device to reboot into fastbootD.
  3. Use fastboot delete-logical-partition examplePartition to delete the desired cow partition. Replace examplePartition with the name of the cow partition you want to delete (e.g. system_a-cow).
  4. Repeat the previous step for each cow partition in the a slot.
For cow partitions that are in slot b (e.g. system_b-cow)
  1. Run fastboot set_active b to set the active slot to b.
  2. Run fastboot reboot fastboot and wait for the device to reboot into fastbootD.
  3. Use fastboot delete-logical-partition examplePartition to delete the desired cow partition. Replace examplePartition with the name of the cow partition you want to delete (e.g. system_b-cow).
  4. Repeat the previous step for each cow partition in the b slot.
Finally
  1. Switch back to your initial active slot with the fastboot set_active exampleSlot command, replace exampleSlot with a or b depending on which one was active before deleting the cow partition.
  2. Repeat steps 6-7 from the Flash new ROM section.

Dm-verity corruption

A common issue that many run into is the following message appearing on boot and not letting them go past the bootloader after unlocking the device.

dm-verity corruption
Your device is corrupt.
It can't be trusted and may not work properly
Press power button to continue.
Or, device will power off in 5s

Note

The following solution is only applicable if your device does not boot into the OS after pressing the power button once the message shows up. If it does boot then you have probably unlocked the bootloader with mtkclient and you will need to relock it with mtk da seccfg lock and then unlock it again with fastboot instead.

Solution

Follow steps 3-4 from this section. If that doesn't work, you can try this:

  1. Turn off the phone.
  2. Run mtk w vbmeta_a vbmeta_a.bin.
  3. Connect the cable and wait for the command to finish. Then unplug and reboot the phone to see if the message is gone.

Tip

Alternatively you could try mtk da vbmeta 3.

Orange state warning

Your device may show this message on boot. This is normal as long as your device boots after you press the power button and wait 5 seconds. You don't need to remove it but you can if you wish to, although it may require some effort. Follow the AlikornSause guide if you are interested.

Orange State
Your device has been unlocked and can't be trusted
Your device will boot in 5 seconds

Preloader - [LIB]: Status: Handshake failed

Assuming you are using the Linux ISO in this guide and not some other OS:

  1. Make sure your cable matches the description in Prerequisites.
  2. Press CTRL+C to kill mtkclient.
  3. Unplug the cable.
  4. Rerun the command.
  5. Replug the cable.

If it still doesn't work, try again in BROM mode. Repeat steps 2-4. On step 5, hold the button combo and plug the cable in while still holding the buttons. Repeat this a couple of times if it still doesn't work.

An error occured while extracting files. Command exited abnormally.

If you see this error inside the Linux ISO you are probably running out of RAM and the system is crashing because the live image uses RAM for storage. Most likely because your computer has less RAM than what's stated in Prerequisites.

Special Thanks

Footnotes

  1. DumberOS does not work with the F22 non-pro, it uses a 32-bit system and you will have to find a compatible ROM on your own.

  2. 4GB of RAM is also possible but not recommended because the Linux ISO will crash if you download and extract the DumberOS image on it. You will have to download and extract the DumberOS image from your main operating system on your computer. You would then put it on an external drive, reboot into the Linux ISO and flash the image with the correct path provided.

  3. At least one USB-A port is required for connecting the phone without adapters because you will most likely run into connection issues if you use one. But you could use an adapter for the USB sticks if you don't have enough USB-A ports on your computer.

  4. No Apple junk, unless it has an Intel CPU; the Linux ISO should work fine then.

  5. Any other type of external storage device works.

  6. 8 + 12 GB is also fine.

  7. The one included in the box should normally work fine.

  8. Not applicable to other models.
