Starting OnePlus Android phone when its power button is broken

I have an ancient OnePlus 6 which my son uses for watching cartoon. Recently its power button stopped working and my son drained its battery until it shutdown. Fortunately its volume buttons are still working.

For this you will need a laptop and a USB-C cable to connect the phone with the laptop.

  1. Ensure the phone is charged.
  2. Remove the cable from the phone.
  3. Press the volume down button. Keep it pressed.
  4. While keeping the button pressed insert one of the of the cable into the phone and the other end in the charger or laptop or power bank.
  5. Still keep the volume button pressed until you see something on the screen. Then release the button.
  6. You will now get into phone’s recovery menu. Some versions of One Plus and other Android phones have restart option right here. If yes then choose that and you are done. – Else continue below –
  7. In my case; in OnePlus 6; I had to choose Advanced option and within that it had “Reboot to fastboot” and “Reboot to recovery mode”. Choose “Reboot to fastboot” here. But wait!
  8. First goto your laptop and install ADB tools from Google. Choose one from the following based on your laptop’s operating system.
  9. Extract the contents of the above zip file. Now choose the “Reboot to fastboot” option on your phone. Without this you will not able to turn on or off your phone until it runs out of battery since this mode requires the use of power button to confirm the selection.
  10. Connect the phone to the laptop using the cable then go into the extracted zip file’s directory and run ./fastboot devices to confirm that your phone is detected.
  11. Finally run ./fastboot reboot this will respond with a “Ok” response and your phone will reboot into normal mode. Congrats!

Deep dive into new tax regime of Budget 2020

Budget 2020 is a mixed bag and for the first time it provides the option to choose your tax slab. You have two slabs to choose from. The well understood old one and the new one. New one offers lower tax slabs but without any deductions (except for select few like 80CCD(2)).

There is nothing simple to having two slabs as option. Let’s compare the two and try to understand which one is better and under what circumstances.

Circumstance is the key word here; hence there are so many articles and videos which try to explain this using specific examples. I am not going into a specific case. But will use the power of graphs to plot all possible scenarios from income level 0 to 2Cr. This will hopefully provide some more insight into this mess.

In the below interactive chart the blue line is the tax amount (including applicable surcharge and 4% cess) as per the new slab. The orange line is the tax as per the old slab but without claiming any deductions. It is clear that purely slab-wise the new plan is lighter on tax. The jumps at 50L and 1Cr points are due to surcharges – 10% after 50L and 15% after 1Cr. Irrespective of that the tax as per new slab linearly increases similar to old slab while maintaining almost same difference.

See the Pen New vs Old Tax Comparision (data only) by Nirupam (@applegrew) on CodePen.

Interactive chart 1

From the graph above it might look like taxes from both slabs are exactly equidistant but if we zoom onto the green line at the bottom, we can see that it is not exactly that.

The difference increases as we move towards higher income. It is fixed after 15L slab. After that it increases in steps at 50L & 1Cr points.

What is clear is that as your income increase you need to claim more deductions to benefit from the old slabs.

Zooming into the portion before 15L shows a pretty unpredictable “wavy” difference. That means predicting if you will loose or gain if you use the new plan is much harder here. What is clear is that as your income increase you need to claim more deductions to benefit from the old slabs.

The below interactive chart shows the amount of deductions you need to claim in old slab to just match the tax benefits you get from new slab. In the topmost interactive chart this data is shown by red line near the bottom of the chart.

See the Pen Tax deductions comparision only (data only) by Nirupam (@applegrew) on CodePen.

Interactive chart 2

From 15L point it pretty fixed. You need to claim more than 2.5L of deductions to get benefit from old slab.

From 15L point it pretty fixed. You need to claim more than 2.5L of deductions to get benefit from old slab. If you cannot then switch to new slab. Out of 2.5L 50k Standard deduction you get for free, so what is left is 2L deduction. For that you need to max out your 80C, and NPS or 80D. If you have a home loan then it would be easier because you can claim 2L per annum of interest amount you paid for home loans. However, loans typically have more interest component towards the start and more principal amount at the end. To see how much interest you are paying year wise see –

The big dips after exact 50L and 1Cr points are due to surcharges. Even claiming a small deduction can bring your income to a slab where surcharge is zero or less, making your taxes match the gain in new slab. However, this lasts for approximate 4.5L range.

Let’s have a look at the range before 15L point more closely.

From 5L to 7.5L range the required deduction linearly increases from zero to 1.24L. So if you max out your 80C then that is good enough reason for you to keep using old slab.

From 7.5L to 10L range the rate of increase in required deduction amount lessens. At 10L point the required deduction is 1.88L. This plateaus out and continues until 12L point like that. Removing 50k, we are left with 1.38L deductions to fulfil. Here too if you just max out your 80C then old slab is great for you.

12L to 12.5L is one small range and then 12.5 to 15L range. The deduction for this range varies from 1.88L to 2.08L and 2.08L to 2.5L respectively. Here you need to pretty much max out 80C with NPS or 80D or should have home loans.


HRA is also one significant amount which I have not considered here. All in all figure out your gross income then use interactive chart 2 and locate your income level on x-axis. That should provide you with the min deduction amount you need claim to benefit from old slab. Add all your actual deductions and see if that fits the requirement.

However, even after the flat 50k deduction if you have the need to switch to new tax then you are not saving enough!


Update1: I almost forgot about Standard deduction of 50k which you get in old slabs but not in new one. Updated the article accordingly.

Fix very low call volume on OnePlus 3

I recently faced this issue after a recent update on my OnePlus 3. The guide at – is pretty good. However, the “Safe Mode” test failed for me, then next steps was clean with toothbrush.

I was very much convinced that my ear piece was pretty clean and anyway I wiped it with cloth many times and there was no visible dirt. However, when I took closeup picture of the earpiece I noticed that the grill mesh was very very small. And it seemed like maybe those tiny holes in the grill have been plugged by microscopic dirt.

Checkout the grill closeup below (this is after cleaning):-

I didn’t have a toothbrush with fine enough bristles. So instead I used a cotton swab, dipped in nail polish remover. I rubbed with that couple of times and presto, the low volume issue is fixed!

TIP: You need to tilt the handset sideways against the sunlight (as shown in the pic above) to be able to see the grill holes. If they look dark then the hole is open, else maybe they are plugged.

Tracing $scope events in AngularJS

Scope events in AngularJs is very powerful and useful in connecting disparate modules and directives. However, in a complex application things could become complicated and it would become hard to trace which event is triggered when and who act on those events.

I wrote a simple event tracer which displays a floating div with logs of all the events. The log is color coded, based on if the event was emitted, broadcasted or received.

The log looks like this:-

Event Trace

Event Trace

You can turn on or off the event data using the dataf link. The stackf toggles if the call stack or function code too will be shown which has emitted or consumed this event.

The code:-

var app = angular.module('tracer', []).run(Injector);

function Injector($rootScope) {
    'use strict';

    function log(msg, color) {
        var el = document.getElementById('tracerConsoleUl');
        el.innerHTML += itemHtml.format(color, msg)

    function stringify(o) {
        try {
            return JSON.stringify(o, null, 3);
        } catch (err) {
            console.error('Scope Hack:', err, ' Actual object:', o);
            return '<i>Err: See console</i>';

    function getStackTrace() {
        var r;
        if (Error.captureStackTrace) {
            var obj = {};
            Error.captureStackTrace(obj, getStackTrace);
            r = obj.stack;
        } else if (Error.stack) {
            r = Error().stack;
        } else {
            r = '';

        r = r.replace(/</gm, '&lt;').replace(/>/gm, '&gt;');
        r = r.replace(/^[^\s]+.+$/gm, ''); // removing first line
        r = r.replace(/^\s+at (.+) \([^(]+\)+$/gm, '$1');
        r = r.replace(/^\s+at [^()]+$/gm, ''); // removing rows with only text of format at ... and nothing in braces on right.
        r = r.replace(/\n\n/gm, '\n');
        r = r.replace(/\n/gm, ' &lt; ');

        return r;


    function filter(e, clazz) {

        var flag = angular.element('#tracerConsoleUl').hasClass(clazz);
        if (flag)

    function fclear(e) {


    function fmoveStart(e) {

        angular.element(document).on('mousemove.scopehack', fmove).on('mouseup.scopehack', fmoveEnd);
        var el = angular.element('#tracerConsole');
        var left = e.pageX - parseInt(el.css('left'));
        var top = e.pageY - parseInt(el.css('top'));'left', left);'top', top);

    function fmoveEnd(e) {


    function fmove(e) {

        var el = angular.element('#tracerConsole');

        var p = {
            left: (e.pageX -'left')) + 'px',
            top: (e.pageY -'top')) + 'px'



    try {
        if (!String.prototype.format) {
            String.prototype.format = function() {

                var args = arguments;

                return this.replace(/{(\d+)}/g, function(match, number) {
                    return typeof args[number] != 'undefined' ? args[number] : '<i>NA</i>';


        var html = "<div id='tracerConsole' style='position:absolute;top:50px;left:50px;background-color:white;border:2px solid black;z-index:1000;'>" +
            "<div><span class='ffilter' style='cursor:pointer;'>stackf</span> | <span class='dfilter' style='cursor:pointer;'>dataf</span> | <span class='fclear' style='cursor:pointer;'>clear</span> | <span class='fmove' style='cursor:move;'>move</span>" +
            "</div><ul id='tracerConsoleUl' style='display:block;list-style-type:none;max-height:500px;width:300px;overflow:scroll;'></ul></div>";

        var itemHtml = "<li style='border-bottom:1px solid gray;white-space:pre-wrap;background-color:{0};'>{1}</li>";

        var proto = Object.getPrototypeOf($rootScope);
        var oldOn = proto.$on;
        proto.$on = function mangaledOn(e, f) {
            var fWrapper = function fWrapper(e, d) {
                log('EVENT RECEIVED: {0} <span class="d">\nWITH DATA: {1}</span> <span class="f">\nBY f: {2}</span>'.format(, stringify(d), f.toString()), '#7FD7B6');
      , e, d);

  , e, fWrapper);

        var oldBroadcast = proto.$broadcast;
        proto.$broadcast = function mangaledBroadcast(e, d) {
            log('EVENT BROADCASTED: {0} <span class="d">\nWITH DATA: {1}</span> <span class="f">\nBY s: {2}</span>'.format(e, stringify(d), getStackTrace()), '#FF9C01');

  , e, d);


        var oldEmit = proto.$emit;
        proto.$emit = function mangaledEmit(e, d) {
            log('EVENT EMITTED: {0} <span class="d">\nWITH DATA: {1}</span> <span class="f">\nBY s: {2}</span>'.format(e, stringify(d), getStackTrace()), '#FFE78C');

  , e, d);

        console.log('Scope Hack Injected');
        angular.element('body')[0].innerHTML += html;
        angular.element('#tracerConsole .dfilter').on('click', function dfilter(e) {
            filter(e, 'dhide');

        angular.element('#tracerConsole .ffilter').on('click', function ffilter(e) {
            filter(e, 'fhide');
        angular.element('#tracerConsole .fclear').on('click', fclear);
        angular.element('#tracerConsole .fmove').on('mousedown', fmoveStart);
        angular.element(document).find('head').prepend('<style type="text/css">#tracerConsoleUl.dhide .d {display:none;}#tracerConsoleUl.fhide .f {display:none;} #tracerConsoleUl li{-moz-user-select:text;-webkit-user-select:text;-ms-user-select:text;}</style>');

    } catch (err) {
        console.error('Scope Hack:', err);

To use this, paste this into some script block or some js file and make sure your app’s module depends on this module – tracer.

Using pinned self-signed SSL certificate with Android Volley

Recently for one of my Android apps I wanted to use a self-signed certificate on the server-side. However, if you try to connect to such a server with default settings, the connection is going to be refused. This is because it has been signed by you (your server domain), and ‘you’ is not trusted by any system.

Read the excellent article – Android security – Implementation of Self-signed SSL certificate for your App. This describes all the concepts and the pros and cons of pinning. However, it does not describe how to do this in Volley. The internet is littered with many articles on this, and most of them are outdated and can’t be used now.

So, here is an updated guide. I have tested this on my app which uses Android API 22 and Volley code downloaded on Jan 2015.

First use the official guide to create a singleton class to get the request queue. Now below is the modified code which takes care of the SSL pinning.

public class MySingleton {
    private static char[] KEYSTORE_PASSWORD = "YourKeyStorePass".toCharArray();


    public RequestQueue getRequestQueue() {
        if (mRequestQueue == null) {
            // getApplicationContext() is key, it keeps you from leaking the
            // Activity or BroadcastReceiver if someone passes one in.
            mRequestQueue = Volley.newRequestQueue(mCtx.getApplicationContext(), new HurlStack(null, newSslSocketFactory()));
        return mRequestQueue;


    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Get an instance of the Bouncy Castle KeyStore format
            KeyStore trusted = KeyStore.getInstance("BKS");
            // Get the raw resource, which contains the keystore with
            // your trusted certificates (root and any intermediate certs)
            InputStream in = mCtx.getApplicationContext().getResources().openRawResource(R.raw.codeprojectssl);
            try {
                // Initialize the keystore with the provided trusted certificates
                // Provide the password of the keystore
                trusted.load(in, KEYSTORE_PASSWORD);
            } finally {

            String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);

            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, tmf.getTrustManagers(), null);

            SSLSocketFactory sf = context.getSocketFactory();
            return sf;
        } catch (Exception e) {
            throw new AssertionError(e);

Please note, that the above solution will work for Android API 9 and above. To support the below versions you need to pass an instance of HttpClientStack instead of HurlStack. So, replacing the line

mRequestQueue = Volley.newRequestQueue(mCtx.getApplicationContext(), new HurlStack(null, newSslSocketFactory()));


mRequestQueue = Volley.newRequestQueue(mCtx.getApplicationContext(), new HttpClientStack(new MyHttpClient()));

might work. Where MyHttpClient is the one defined in the CodeProject article. I haven’t tested this part though.

Securing the WordPress Login page

Of late I have seen quite a lot of brute force attempts to login into the admin account of this blog. The source IPs are wide and varied, ranging from Istanbul, Germany, Greece, US and more. In fact according to ArsTechnica article this has been happening for sometime now on a huge scale. I see a POST request on my site every few hours. Recently I submitted a list of such IPs to Deutsche Telekom Abuse Team for the offending IPs from their network.

Protection from the attack ArsTechnica suggested using

Limit Login and WP Better Security plugins. Limit Login is a simple and must have plugin. It blocks an IP for some hours our repeated failure attempts. Of course for this to be useful you need to have a strong password like mine, which is ….. . However, WP Better Security is the best but makes some drastic changes to your site. I don’t like to make so many changes, and would prefer that WordPress came bundled with those features. One of those features is modifying the login url. By default it is like This makes it an easy target. One simple way to fix this is change it.

Changing your login url

I do not want to physically rename wp-login.php, since that would mean after a WordPress upgrade the change would be gone. The other way is to rename it in your web-server configuration. Below is my relevant Nginx configuration. (If you are still using Apache then you may want to switch to Nginx.)

server {
    # Other configs like root etc...
    location ^~ /wp-login.php {
        include phpparams.conf;
        if ($request_method = POST) { return 444; }
    location ^~ /your-secret-login-page-name.php {
        rewrite ^ /wp-login.php break;
        include phpparams.conf;
    # ...

The above config blocks all POST request to wp-login.php but allows GET requests. So, wp-login.php would show up but if someone tries to submit on that page then the server will close the connection (status 444 is a special code which instructs Nginx to close the remote connection). Since we are using ^~ to prevent Nginx from matching to any more regex locations so, if you have any location directive to match .php won’t be used. So, effectively your wp-login.php file source would be sent to the user instead of executing them. That is why I have included phpparams.conf. See the Nginx migration guide for the contents of phpparams.conf.

One Caveat

Now even if you open your-secret-login-page-name.php, the form will still send POST requests to wp-login.php, because after all that is the page which is being served. So, either you need to use web developer tools like Inspector to modify the web code or better write a GreaseMonkey or TamperMonkey script to do that for you.