Well what happens here is the usual "first-boot-to-closed-mode", which messes up your device. The device credentials & whatever get generated in the first boot, and if it is boot to closed mode, the aegis closed mode keys are used and you have no end of trouble when you try to enter open mode later. The correct way to do it: flash the device back-to-back closedmode/openmode, without letting it to boot in between. Use the following command: flasher -F org.img -F emmc.bin -f -R ; flasher -F org.img -k zImage-someopenimage --flash-only==kernel -f -R (as zImage-someopenimage use some image that has same modules as the original. like l2-fixed open image or whatever. Note that you cannot use the NAT-enchanced image here as it has different module deps...) and note, that do not unplug the USB cord between the 2 flashes or else the first flash command will reboot the device to closed mode and it does not work correctly. After this procedure, enable developer mode as usual, unpack the new modules, run depmod and as a last step reflash the new kernel.