Android kernel/root researcher needed for Sonim XP8 / XP8800 Verizon, Android 8.1, Qualcomm SDM630
Summary
Freelancer Client is hiring: Android kernel/root researcher needed for Sonim XP8 / XP8800 Verizon, Android 8.1, Qualcomm SDM630.
Location: Remote
Requirements:
Ideal skill set includes:
• Android kernel/root research
• Android 8.x / Linux 4.4 kernel experience
• Qualcomm / SDM630 / EDL familiarity
• arm64 C exploit debugging
• Binder, SELinux, task_struct/cred knowledge
• Magisk / boot image / ramdisk knowledge
• SystemUI / Keyguard reverse engineering
Skills: Java, Linux, Mobile App Development, Android, Technical Support, Embedded Systems, Mobile Development, Reverse Engineering, Android App Development, Android SDK
Budget: $30–$250 USD
Source: Freelancer Client via Remote / Online. Apply on the source website.
Original
Please do not bid unless you have Android kernel/root, Qualcomm, bootloader, EDL, or reverse-engineering experience. Generic Android app developers are not a fit for this project.
I need help from an Android kernel/root/reverse-engineering specialist for phones I own: multiple matching Sonim XP8 / XP8800 Verizon rugged Android handsets.
This is not a normal Android app project. I need someone with experience in Android kernel/root research, Qualcomm/EDL workflows, Magisk/boot images, and SystemUI/Keyguard modification.
Once you figure it out for my phone you will have a marketable product to other Sonim XP8 owners.
GOAL
The practical goal is to keep the real Android lockscreen enabled, but remove/hide/disable the lockscreen Emergency Call affordance while keeping the normal phone dialer usable after unlock.
The device can currently expose emergency calling from the lockscreen in a way that exposes unauthorized or accidental dialing from the locked screen. I know how to dial emergency services manually from the normal dialer; I do not want emergency calling from the lockscreen.
The successful result is not simply “root.” Root may be needed as a method, but the actual deliverable is fixing the lockscreen Emergency Call problem.
PLAN FOR MULTIPLE PHONES
I have three matching Sonim XP8 / XP8800 Verizon units.
I want to work on one phone first as the test/development unit. Once the correct fix is understood and verified, I want to apply the same fix to the other two matching units.
The method should be documented clearly enough that it can be repeated on the other phones without starting over from scratch.
DEVICE DETAILS
Phone1 and Phone3 are fully live-confirmed with:
Device: Sonim XP8 / XP8800
Carrier variant: Verizon XP8800 / VZW_XP8800
Android: 8.1.0 Oreo
Kernel: 4.4.78-perf+
Security patch: 2019-03-01
CPU/platform: Qualcomm SDM630 / sdm660 class
Architecture: arm64-v8a
Build fingerprint:
Sonim/VZW_XP8800/XP8800:8.1.0/8A.0.0-01-8.1.0-15.50.00/137:user/release-keys
SELinux: Enforcing
Normal ADB shell: uid=2000(shell)
Phone2 has the same saved model, Android version, build display ID, and build fingerprint as Phone1/Phone3:
Sonim/VZW_XP8800/XP8800:8.1.0/8A.0.0-01-8.1.0-15.50.00/137:user/release-keys
CURRENT BOOTLOADER / ROOT STATUS
Developer Options → OEM unlocking is enabled.
ADB properties show:
ro.oemunlocksupported=true
sys.oemunlockallowed=1
ro.boot.flash.locked=1
Fastboot reports:
unlocked:no
secure:yes
Device state: locked
These commands fail with remote: unknown command:
fastboot flashing unlock
fastboot oem unlock
related unlock commands
So the visible OEM unlock toggle is not enough; the bootloader remains locked.
EDL / RECOVERY CONTEXT
EDL mode works. The phone appears as Qualcomm 9008 mode. I have a working firehose loader and known-good backups of critical partitions.
Known-good backups include:
boot
vbmeta
devinfo
persist
modemst1
modemst2
fsg
additional small partitions
Verizon radio/NV/service partitions must be preserved.
I do not want random full-firmware flashing or cross-carrier conversion unless there is a specific, well-understood reason.
ACCESS / WORKING SETUP
I can connect the phone to a Linux Mint 22.2 MATE laptop with working ADB, fastboot, Android SDK platform-tools, Android NDK/clang, EDL tools, and the existing backup/exploit-analysis folders.
I can run commands, compile/test native ARM64 Android binaries, push/pull files over ADB, reboot to bootloader/EDL, capture logs, and provide terminal output. I can also provide remote screen-sharing access to the Linux workstation if needed.
For privacy/security, I can provide a clean Linux Mint user account or screen-sharing session with only the XP8 tools/logs/backups needed for the job. I will not provide personal email, Google, carrier, or browser passwords.
The phones are mine and I can authorize debugging, flashing, testing, or temporary-root work as needed, as long as risky writes are discussed first and Verizon radio/NV/service partitions are preserved unless explicitly agreed.
ALREADY TESTED — DO NOT REPEAT
Please do not bid if your plan is just generic Magisk instructions. These have already been tested:
1. Magisk-patched Verizon boot images flashed through EDL
Result: boot warning / hang / no root.
2. AT&T userdebug boot.img only
Result: booted to Fastboot/QC Reference state, not Android/root.
3. AT&T full rawprogram
Inspected and considered unsafe because it writes/erases many bootloader, security, radio, and NV partitions.
4. devinfo/frp/misc/sec/oem/devcfg/keystore/fsc/ssd inspections
No simple unlock/root flag found.
5. qu1ckr00t / Pixel-style CVE-2019-2215 path
Front-half primitives worked, but expected second-page Binder leak never appeared.
6. su98 CVE-2019-2215 path
More adaptive, but leak-only/taskptr-only diagnostics destabilized ADB/device before useful output.
7. Non-root approaches
App lockers, key mappers, ADB settings, and accessibility services do not solve the requirement because the Emergency Call affordance is baked into SystemUI/Keyguard.
WHAT I NEED FROM YOU
I need you to fix the lockscreen Emergency Call problem on this exact device/build.
Primary deliverable:
Keep the real Android lockscreen enabled, keep the normal dialer working after unlock, and remove/hide/disable the lockscreen Emergency Call affordance or otherwise prevent unauthorized/accidental dialing from the locked screen.
Acceptable technical paths include, but are not limited to:
1. Temporary-root or persistent-root method, if root is needed to patch SystemUI/Keyguard.
2. SystemUI/Keyguard APK or framework patch that removes/hides/disables the lockscreen Emergency Call affordance.
3. Magisk, overlay, Xposed/LSPosed, smali/resource patch, or other system-level modification, if root/system access is achieved.
4. Safe exploit-porting path for Android 8.1 / Linux 4.4.78 / Qualcomm SDM630 / arm64, only if needed to gain the access required for the actual lockscreen fix.
5. Signed engineering/userdebug chain analysis, only if it leads to a practical lockscreen Emergency Call fix while preserving Verizon service partitions.
Root by itself is not the goal. A rooted phone that still exposes Emergency Call from the lockscreen is not a successful result.
DESIRED FINAL FIX
Keep real Android lockscreen.
Remove/hide/disable lockscreen Emergency Call affordance.
Keep normal dialer working after unlock, including manually dialing emergency services from the normal dialer.
Preserve LTE/VoLTE, NFC, hardware buttons, PTT button, glove-mode touch, and rugged-device features.
Document the fix clearly enough that it can be applied to the other two matching phones.
REQUIRED SKILLS
Ideal skill set includes:
Android kernel/root research
Android 8.x / Linux 4.4 kernel experience
Qualcomm / SDM630 / EDL familiarity
arm64 C exploit debugging
Binder, SELinux, task_struct/cred knowledge
Magisk / boot image / ramdisk knowledge
SystemUI / Keyguard reverse engineering
smali / JADX / apktool / Ghidra experience
IMPORTANT CONSTRAINTS
Do not suggest KingRoot/KingoRoot/one-click root tools.
Do not suggest app lockers or lockscreen replacement.
Do not suggest disabling the normal dialer.
Do not repeat generic Magisk patched-boot instructions.
Do not modify modemst1, modemst2, fsg, persist, modema, modemb, sec, ssd, devcfg, or bootloader-stage partitions unless we explicitly agree and understand the risk.
DELIVERABLES
1. Initial technical review of my existing logs/summaries.
2. Proposed plan for fixing the lockscreen Emergency Call issue before running anything risky.
3. The actual fix or patch method used.
4. Any scripts, source code, APK patches, Magisk modules, smali/resource edits, or commands used.
5. Clear documentation of what changed and how to verify the fix.
6. Restore/rollback notes.
7. Explanation of any remaining limitations.
8. Repeatable instructions for applying the verified fix to the other two matching Sonim XP8 / XP8800 Verizon units.
All work is for my own devices and should remain private.
About this listing
This remote opportunity was imported from Freelancer and is shown here for discovery. To apply, follow the link to the original posting.