stene.xyz

TCL Flip 2 Jailbreak (KEFH Firmware Version)





Thanks to neutronscott

For finding a method to install apps on this phone, and providing a script with information needed to patch the bootloader.
Without his work, I wouldn't have been able to figure this out at all.

Guide (This is probably what you're here for)

    Part 1: Preparation
  1. Download platform-tools - extract this to it's own folder
  2. Download KEFH super.img - needed if you're on KEKA. Put this in the platform-tools folder
  3. Download jailbreak.zip - extract this into the platform-tools folder

    4. Part 2: Unlocking Device
  4. Ensure your device is plugged into the computer, and run autobooter.exe
  5. While the device is still connected, remove and re-insert the battery
  6. Autobooter should respond and send the device into FASTBOOT mode
  7. Unlock the device by running "fastboot flashing unlock" in your platform-tools directory

    8. Part 3: Jailbreak
  8. Flash my patched boot image by running "fastboot flash boot boot-stenexyz.img"
  9. Flash the super.img by running "fastboot flash super super.img" - this will take up to an hour. It will look frozen at 40%. Leave it be.
  10. Flash vbmeta with "fastboot flash vbmeta --disable-verity --disable-verification vbmeta
  11. Flash vbmeta_system with "fastboot flash vbmeta_system --disable-verity --disable-verification vbmeta_system
  12. Flash vbmeta_vendor with "fastboot flash vbmeta_vendor --disable-verity --disable-verification vbmeta_vendor
  13. Reboot the phone by running "fastboot reboot"
  14. Give the phone a minute or two to boot - if it doesn't, scroll down to Unbrick Guide
  15. On the phone's home menu, type "*#*#217703#*#*"
  16. In the list, you should find Magisk - if it's missing, reboot and look again
  17. Open Magisk and allow it to install, then reboot again
  18. Follow the previous instructions to re-open Magisk and allow it to patch the ROM
  19. It will complain about failing when you open the app from now on - ignore this
  20. Now, on the phone's home screen, run "*#*#33284#*#* to enable ADB
Congratulations, you now have an unlocked device!
You can now follow any guide on getting the device set up (vMouse, custom launchers, etc...)

Unbrick Guide (When things go wrong)

  1. Complete all of "Preparation" and "Unlocking Device"
  2. Download KEKA-Stock-Boot.bin
  3. Flash the stock KEKA boot image by running "fastboot flash boot KEKA-Stock-Boot.bin"
  4. The phone should reboot successfully. If not, you have mismatched versions of *something* installed.


Other Useful Files

recovery-stenexyz.img - Patched recovery image that enables ADB (GUI broken, use at own risk)
Partition Scatter File - Untested, pulled from an older OTA update!
super.img - Use to restore if, like me, you accidentally installed a kosher ROM while trying to unbrick. Sadly apps4flip seems to gatekeep this file to prevent people from going back to the full ROM.
TCL Flip 2 Guide - OG source lost, will update with credit if I come across again - Mirrored as .pdf here as obscure Android drive links seem to just disappear
TCL Flip Go Guide - OG source lost, will update with credit if I come across again - Mirrored as .pdf here as obscure Android drive links seem to just disappear


Roll-Your-Own Patched Boot Image

This process is remarkably simple. You'll need Android Image Kitchen and a stock boot image for the version you're patching for.
  1. Unzip AIK
  2. Patch your boot.img with your favorite Magisk installer
  3. Drag your half-patched boot image onto "unpackimg.bat"
  4. In "ramdisk/overlay.d", put this initrc script
  5. Run the "repackimg.bat" script with no arguments. Out should pop "image-new.img"
Congratulations, you now have a patched boot image!
This file will be smaller than the stock boot image. This is fine.
If it doesn't boot, reflash stock and try again. You may have luck with a different image kitchen.

My Notes

Below are all the notes I took while figuring out how to do this. Anything in purple has been added while editing.

app list
*#*#217703#*#*

patched recovery
i have been able to successfully patch stock recovery with carliv. gui doesn't work but disabling debuggable build checks enables adb
For a while I was convinced that mounting the system partition would let me manually edit build.prop to remove this check.
I don't even know if the endurance property is even in build.prop. This wound up not being the play, but still proved useful.

boot.img Patch
neutronscott script for creating boot file - https://github.com/neutronscott/flip2/blob/main/create-boot
needs ramdisk from OTA update, how to get latest? This wasn't true. There's a ramdisk in boot.img. I just don't super understand Android.
looks like there is ramdisk in boot.img - could probably patch there but will need to try on linux See above. Linux wasn't needed due to many nice image kitchens being available. This is good, because I was too lazy to boot into my Mint partition.
carliv image kitchen can unpack the boot.img but repacks badly This is true. Carliv results in a brick when it repacks boot.img.
maybe lpunpack super.img to get system.img, then patch build.prop? Again with build.prop. This isn't needed. neutronscott's method is cleaner.
AIK can successfully patch boot.img to reset endurance prop!!!! magisk not working however I have no fucking clue what Magisk's problem is but it works just fine for root and mrepo works for packages.

installing apps
installing apps needs ro.vendor.tct.endurance to be reset


Article Changelog

September 11, 2024: Added (apparently important) sections about flashing super.img and disabling dm-verity.