Develop Bugs

how can i instal instal official froyo to my 2.3.3

i was able to download stock froyo from HTC but i don't know how to instal it in my 2.3.3 Gingerbread version.
also i don't understand this instructions attached to firmware
Please follow below command to download the official android toolchain: (arm-eabi-4.4.3)
git clone https://android.googlesource.com/platform/prebuilt
NOTE: the tool ¡¥git¡¦ will need to be installed first; for example, on Ubuntu, the installation command would be: apt-get install git
--Modify the .bashrc to add the toolchain path, like bellowing example:
PATH=/usr/local/share/toolchain-eabi-4.4.3/bin:$PATH

Are you rooted with s-off? If not you must do this first if you want to easily change between roms. actually to properly root and obtain true s-off one of the steps will be to downgrade to stock froyo, follow the xda or cyanogen wiki to get there
Sent from my HTC Vision using xda premium

demkantor said:
Are you rooted with s-off? If not you must do this first if you want to easily change between roms. actually to properly root and obtain true s-off one of the steps will be to downgrade to stock froyo, follow the xda or cyanogen wiki to get there
Sent from my HTC Vision using xda premium
Click to expand...
Click to collapse
i have tired to downgrade my htc vision but its not working please below is my cmd log
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Patrolscsn>adb devices
List of devices attached
SH0B1RT02382 device
C:\Documents and Settings\Patrolscsn>adb shell cat /dev/msm_rotator
/dev/msm_rotator: invalid length
C:\Documents and Settings\Patrolscsn>adb push fre3vo /data/local/tmp
cannot stat 'fre3vo': No such file or directory
C:\Documents and Settings\Patrolscsn>adb shell
$ chmod 777 /data/local/tmp/fre3vo
chmod 777 /data/local/tmp/fre3vo
Unable to chmod /data/local/tmp/fre3vo: No such file or directory
$ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
/data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
/data/local/tmp/fre3vo: not found
$ /data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF
/data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF
/data/local/tmp/fre3vo: not found
$

Either you forgot to extract the files or you didnt put them in the same folder as adb
Sent from my HTC Vision using xda premium

kenanibeze said:
C:\Documents and Settings\Patrolscsn>adb push fre3vo /data/local/tmp
cannot stat 'fre3vo': No such file or directory
$
Click to expand...
Click to collapse
This is your first error message. All following commands fail because of this. You cannot simply continue when one step is executed with error. You have to fix it and then continue.
The reason for the error message is simple. There is no such file as 'fre3vo' in the directory ‘C:\Documents and Settings\Patrolscsn’. Copy the file 'fre3vo' in this directory or change current directory to one where the file is located. If you don’t know how, then you should probably stop trying to root your device.

the fre3vo is in the directory!!!!!
shared_ptr said:
This is your first error message. All following commands fail because of this. You cannot simply continue when one step is executed with error. You have to fix it and then continue.
The reason for the error message is simple. There is no such file as 'fre3vo' in the directory ‘C:\Documents and Settings\Patrolscsn’. Copy the file 'fre3vo' in this directory or change current directory to one where the file is located. If you don’t know how, then you should probably stop trying to root your device.
Click to expand...
Click to collapse
i have the fre3vo in the directory and i downloaded it from the link provided by xda

kenanibeze said:
i have the fre3vo in the directory and i downloaded it from the link provided by xda
Click to expand...
Click to collapse
Yes, the file fre3vo is in the directory:
C:\platform-tools
But your current directory is (the directory where you execute the commands):
C:\Documents and Settings\Patrolscsn
Execute this command to change your current directory:
cd C:\platform-tools
Good luck, you'll definitely need it

Hold shift and right click in the folder where fre3vo and fastboot.exe etc, then choose open command here
Now start from the begining
Sent from my HTC Vision using xda premium

shared_ptr said:
Yes, the file fre3vo is in the directory:
C:\platform-tools
But your current directory is (the directory where you execute the commands):
C:\Documents and Settings\Patrolscsn
Execute this command to change your current directory:
cd C:\platform-tools
Good luck, you'll definitely need it
Click to expand...
Click to collapse
Thanks so much for the tip, finally after two weeks of searching how to get the magical // sign, I got it I’m ever grateful.:victory:
Please I want to upgrade my HTC sense, but I have no idea which custom sense is good for htc desire Z (I would have preferred sense 4.0 but sense 3.0 looks ok) which one should I go for?
Also which of the custom rom of ICS is best for desire z :highfive:

kenanibeze said:
Thanks so much for the tip, finally after two weeks of searching how to get the magical // sign, I got it I’m ever grateful.:victory:
Please I want to upgrade my HTC sense, but I have no idea which custom sense is good for htc desire Z (I would have preferred sense 4.0 but sense 3.0 looks ok) which one should I go for?
Also which of the custom rom of ICS is best for desire z :highfive:
Click to expand...
Click to collapse
You’re welcome.
I’m not a big fan of Sense, but I would go for Sense 4, since it is more "lightweight" (consumes less storage and CPU) than Sense 3.x. You also have to distinguish between Sense 4.0 and Sense 4.0A which is even more lightweight.
Remember that our device has no official support from HTC, so all ICS ROMs are not perfect. You will notice some glitch here and there, but everything is getting better and better. Some ROMs are pretty stable thought, for example Andromadus Mimicry (which is based on Cyanogenmod 9.1). If you can live without Sense I would recommend you this ROM.
Here are some links to ROMs:
Cyanogenmod 9.1 - Andromadus Mimicry
Sense 4.0A - Gen.Y VisionX
Sense 4.0 - Ice Cream SENSEwich

is my phone bricked?
shared_ptr said:
You’re welcome.
I’m not a big fan of Sense, but I would go for Sense 4, since it is more "lightweight" (consumes less storage and CPU) than Sense 3.x. You also have to distinguish between Sense 4.0 and Sense 4.0A which is even more lightweight.
Remember that our device has no official support from HTC, so all ICS ROMs are not perfect. You will notice some glitch here and there, but everything is getting better and better. Some ROMs are pretty stable thought, for example Andromadus Mimicry (which is based on Cyanogenmod 9.1). If you can live without Sense I would recommend you this ROM.
Here are some links to ROMs:
Cyanogenmod 9.1 - Andromadus Mimicry
Sense 4.0A - Gen.Y VisionX
Sense 4.0 - Ice Cream SENSEwich
Click to expand...
Click to collapse
hello please i need your help i think i have screwed up my htc, i was trying to run the permanent root by strawmental, after running the sequence the phone could not boot again, it stuck at the white background with htc logo.
How can i boot it back to life.
The S is off
h.boot now is 0.76.2000 (PC1011000)
MICROP 0425
CID 11111111
OS 1.34.405.5
this is d cmd log of the permanent root
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Patrolscsn>cd C:\platform-tools
C:\platform-tools>adb devices
List of devices attached
SH0B1RT02382 device
C:\platform-tools>adb push psneuter /data/local/tmp/
1453 KB/s (557962 bytes in 0.375s)
C:\platform-tools>adb push gfree /data/local/tmp/
1357 KB/s (716548 bytes in 0.515s)
C:\platform-tools>adb push busybox /data/local/tmp/
1468 KB/s (1926944 bytes in 1.281s)
C:\platform-tools>adb push hboot-eng.img /data/local/tmp/
1456 KB/s (1048576 bytes in 0.703s)
C:\platform-tools>adb push root_psn /data/local/tmp/
0 KB/s (564 bytes in 1.000s)
C:\platform-tools>adb push su /sdcard/
109 KB/s (26264 bytes in 0.234s)
C:\platform-tools>adb push Superuser.apk /sdcard/
1535 KB/s (196521 bytes in 0.125s)
C:\platform-tools>adb shell chmod 755 /data/local/tmp/*
C:\platform-tools>adb push recovery-clockwork-5.0.2.7-vision.img /data/local/tmp
/recovery.img
1479 KB/s (3739648 bytes in 2.468s)
C:\platform-tools>adb shell /data/local/tmp/psneuter
property service neutered.
killing adbd. (should restart in a second or two)
C:\platform-tools>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox md5sum /dev/block/mmcb1k0p18
./busybox md5sum /dev/block/mmcb1k0p18
md5sum: can't open '/dev/block/mmcb1k0p18': No such file or directory
# ./gfree -f -b hboot-eng.img -y recovery.img
./gfree -f -b hboot-eng.img -y recovery.img
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
--hboot set. hboot image hboot-eng.img will be installed in partition 18
--recovery set. recovery image recovery.img will be installed in partition 21
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-gd2764ed
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Write protect was successfully disabled.
Searching for mmc_blk_issue_rq symbol...
- Address: c02a6a54, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02a6000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc02a6a54 + 0x34c
- 0x2a000012 -> 0xea000012
Backing up current partition 18 and installing specified hboot image...
Backing up partition /dev/block/mmcblk0p18 to /sdcard/part18backup-315983571.bin
...
Writing image hboot-eng.img to partition /dev/block/mmcblk0p18 ...
Backing up current partition 21 and installing specified recovery image...
Backing up partition /dev/block/mmcblk0p21 to /sdcard/part21backup-315983571.bin
...
Writing image recovery.img to partition /dev/block/mmcblk0p21 ...
Backing up current partition 7 and patching it...
Backing up partition /dev/block/mmcblk0p7 to /sdcard/part7backup-315983571.bin .
..
patching secu_flag: 0
Done.
# ./root_psn
./root_psn
# sync
sync
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox md5sum hboot-eng.img
./busybox md5sum hboot-eng.img
7669ae12dc2faa10ae555a164980efd0 hboot-eng.img
# ./busybox md5sum /dev/block/mmcb1k0p18
./busybox md5sum /dev/block/mmcb1k0p18
md5sum: can't open '/dev/block/mmcb1k0p18': No such file or directory
#

have i bricked my desire Z?

hello guys
please i need your help i think i have screwed up my htc, i downgraded my desire z 2.33 to 2.2 and was trying to run the permanent root by strawmental, after running the sequence the phone could not boot again, it stuck at the white background with htc logo.
How can i boot it back to life.
i tryed fix it with recovery boot, but the clockworkmod v5.02.7 is not working, its log shows
E: can't mount /cache/recovery/command
E: can't mount /cache/recovery/log
E: can't open /cache/recovery/log
E: can't mount /cache/recovery/last_log
E: can't open /cache/recovery/last_log
vision pvt ENG S is off
h.boot now is 0.76.2000 (PC1011000)
MICROP 0425
CID 11111111
OS 1.34.405.5
below is the cmd log
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Patrolscsn>cd C:\platform-tools
C:\platform-tools>adb devices
List of devices attached
SH0B1RT02382 device
C:\platform-tools>adb push psneuter /data/local/tmp/
1453 KB/s (557962 bytes in 0.375s)
C:\platform-tools>adb push gfree /data/local/tmp/
1357 KB/s (716548 bytes in 0.515s)
C:\platform-tools>adb push busybox /data/local/tmp/
1468 KB/s (1926944 bytes in 1.281s)
C:\platform-tools>adb push hboot-eng.img /data/local/tmp/
1456 KB/s (1048576 bytes in 0.703s)
C:\platform-tools>adb push root_psn /data/local/tmp/
0 KB/s (564 bytes in 1.000s)
C:\platform-tools>adb push su /sdcard/
109 KB/s (26264 bytes in 0.234s)
C:\platform-tools>adb push Superuser.apk /sdcard/
1535 KB/s (196521 bytes in 0.125s)
C:\platform-tools>adb shell chmod 755 /data/local/tmp/*
C:\platform-tools>adb push recovery-clockwork-5.0.2.7-vision.img /data/local/tmp
/recovery.img
1479 KB/s (3739648 bytes in 2.468s)
C:\platform-tools>adb shell /data/local/tmp/psneuter
property service neutered.
killing adbd. (should restart in a second or two)
C:\platform-tools>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox md5sum /dev/block/mmcb1k0p18
./busybox md5sum /dev/block/mmcb1k0p18
md5sum: can't open '/dev/block/mmcb1k0p18': No such file or directory
# ./gfree -f -b hboot-eng.img -y recovery.img
./gfree -f -b hboot-eng.img -y recovery.img
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
--hboot set. hboot image hboot-eng.img will be installed in partition 18
--recovery set. recovery image recovery.img will be installed in partition 21
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-gd2764ed
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Write protect was successfully disabled.
Searching for mmc_blk_issue_rq symbol...
- Address: c02a6a54, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02a6000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc02a6a54 + 0x34c
- 0x2a000012 -> 0xea000012
Backing up current partition 18 and installing specified hboot image...
Backing up partition /dev/block/mmcblk0p18 to /sdcard/part18backup-315983571.bin
...
Writing image hboot-eng.img to partition /dev/block/mmcblk0p18 ...
Backing up current partition 21 and installing specified recovery image...
Backing up partition /dev/block/mmcblk0p21 to /sdcard/part21backup-315983571.bin
...
Writing image recovery.img to partition /dev/block/mmcblk0p21 ...
Backing up current partition 7 and patching it...
Backing up partition /dev/block/mmcblk0p7 to /sdcard/part7backup-315983571.bin .
..
patching secu_flag: 0
Done.
# ./root_psn
./root_psn
# sync
sync
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox md5sum hboot-eng.img
./busybox md5sum hboot-eng.img
7669ae12dc2faa10ae555a164980efd0 hboot-eng.img
# ./busybox md5sum /dev/block/mmcb1k0p18
./busybox md5sum /dev/block/mmcb1k0p18
md5sum: can't open '/dev/block/mmcb1k0p18': No such file or directory
#

0.76.2000 > G2
0.84.2000 > DZ
if you have a DZ you have flashed the g2 hboot which is why it wont boot

like pnut said you may be just fine and still just need to flash a rom
can you do anything in recovery from here?
just because that message showed doesnt mean recovery wont work
but if flashing a rom via recovery dosent work try this
download this : http://www.4ext.net/ddl/vision/recovery.zip
this is a version of 4ext recovery to be flashed through fastboot
unzip it and put the image in the same folder as fastboot.exe on your computer
(if you are unfamiliar with fastboot just think of it as adb)
now open a cmd in that directory (easiest way hold shift and right click in that folder)
make sure you have phone plugged in pc and in fastboot mode
now type this into cmd
Code:
fastboot devices
if you see some leters and numbers good, this is your serial number
now type
Code:
fastboot -w
now
Code:
fastboot flash recovery recovery.img
now
Code:
fastboot reboot-bootloader
from here boot into recovery and you should see 4ext recovery now (better than clockwork)
try and flash a rom from recovery now, something known stable like cm7
reboot and see if it all works
if you want sense roms or any other reason you want the dz hboot go here for a better explanation
http://forum.xda-developers.com/showthread.php?t=1728208
good luck

PNuT. said:
0.76.2000 > G2
0.84.2000 > DZ
if you have a DZ you have flashed the g2 hboot which is why it wont boot
Click to expand...
Click to collapse
i just rechecked and you are 100% right.
Please how can i reflash hboot 084.2000?

PNuT. said:
0.76.2000 > G2
0.84.2000 > DZ
if you have a DZ you have flashed the g2 hboot which is why it wont boot
Click to expand...
Click to collapse
i just rechecked and you are 100% right.
Please how can i reflash hboot 084.2000? Is it posible through fastboot

kenanibeze said:
i just rechecked and you are 100% right.
Please how can i reflash hboot 084.2000? Is it posible through fastboot
Click to expand...
Click to collapse
http://forum.xda-developers.com/showthread.php?p=27796375
Sent from my HTC Vision using xda premium

demkantor said:
http://forum.xda-developers.com/showthread.php?p=27796375
Sent from my HTC Vision using xda premium
Click to expand...
Click to collapse
thanks i have booth the phone back to life:victory:
but the gapps(gapps-jb-20120802-signed.zip) i flashed is not working...its like it could not connect. keeps showing sever error
is there any gapps i can flash in. i'm running on Andromadus Mimicry ROM – version 1.5.0

the gapps would be flashed via the aroma installer in mimicry, any google apps not included in the installer would be downloaded from play (maps, gmail, etc) even then you could just use a file explorer to download any .apk from your sdcard or use titanium backup to get any apps back
Sent from my HTC Vision using xda premium

[Guides & Links] how to root ASUS ZenPad 3 8.0 (Z581KL)

This procedure supplements what was posted on 2ch.
this procedure is for firmware v3.3.18 or less.
If your firmware is v3.3.20, you may be able to downgrade to v3.3.18 with the procedure described at the end of this post.
for necessary files, download from the follwoing URL.
hZtZtpsZ://wZwZwZ.axfc.net/u/3777377
Z←remove
(PASS Z581KL)　(差分＝Difference，キーワード＝KEYWORD，ダウンロード＝Download，こちら＝HERE，cacheに置くもの＝Things to put in the cache)
1.extract boot image
turn on debug mode.
then, reboot recovery mode.
Code:
$ adb reboot recovery
after that, mount the system using the terminal volume button and the power button.
Code:
$ adb push dirtycow /tmp/
$ adb push run-as /tmp/
$ adb shell
[email protected]_1:/ $ cd /tmp
[email protected]_1:/tmp $ chmod 777 dirtycow
[email protected]_1:/tmp $ chmod 777 run-as
[email protected]_1:/tmp $ ./dirtycow ./run-as /system/bin/run-as
[email protected]_1:/tmp $ run-as
[email protected]_1:/tmp # dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
[email protected]_1:/tmp # chmod 777 /tmp/boot.img
[email protected]_1:/tmp # exit
[email protected]_1:/tmp $ exit
transfer boot.img to PC.
Code:
$ adb pull /tmp/boot.img ./
2.unpacking the boot.img
"mkbootimg_tools-master" is useful because it outputs log of ramdisk size.
(However, binary "mkbootfs" and "mkbootimg" are 32-bit versions.
if your environment is 64-bit, you need to bring 64-bit binaries from CarlivImageKitchen64 etc)
for example, using mkbootimg_tools-master looks like this:
Code:
$ ./mkboot bootimg_source/boot.img bootimg_output
Unpack & decompress bootimg_source/boot.img to bootimg_output
kernel : kernel
ramdisk : ramdisk
page size : 2048
kernel size : 29041019
[COLOR="Red"]ramdisk size : 2924316 <- refer to this value later[/COLOR]
base : 0x80000000
kernel offset : 0x00008000
ramdisk offset : 0x01000000
tags offset : 0x00000100
cmd line : console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlyprintk vmalloc=256M build_version=3
ramdisk is gzip format.
Unpack completed.
directories after unpacking boot.img looks like this:
bootimg_output
|--ramdisk
|--kernel
`--others(img_info,ramdisk.packed,etc)
3.install SuperSU manually
overwrite the contents of "initrd差分.7z" under directory "ramdisk".
("su" is an empty directory, but also to put it under "ramdisk")
(for "sbin", you only need to add launch_daemon.sh without deleting the existing files)
(permissions on files/directories should be the same as original or other file/directories)
4.repacking the boot.img
for example, using mkbootimg_tools-master looks like this:
Code:
$ ./mkboot bootimg_output boot_patched.img
mkbootimg from bootimg_output/img_info.
kernel : kernel
ramdisk : new_ramdisk
page size : 2048
kernel size : 29041019
ramdisk size : 2924316
base : 0x80000000
kernel offset : 0x00008000
ramdisk offset : 0x01000000
tags offset : 0x00000100
cmd line : console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlyprintk vmalloc=256M build_version=3
ramdisk is gzip format.
Repack image utility by [email protected]
Check and add the kernel
Check and add the ramdisk
Build the new image
'boot_patched.img' successfully repacked
Kernel size: 29041019, [COLOR="Magenta"][COLOR="Red"]new ramdisk size: 2924316[/COLOR][/COLOR], test_patched.img: 31969280.
test_patched.img has been created.
...
at this time, it is necessary to adjust so that the value of "new ramdisk size" becomes
the same value as "ramdisk size" when unpack.
if the size of "ramdisk" is different from when unpacked, Z581KL will not start.
therefore, deleting unnnecessary files stored under ramdisk/res/images/charger and adding dummy files.
(the difference of about several bytes seems to be no problem)
(once wrong boot.img is written, Z581KL will no start until you write the original boot.img)
however, the size of the original boot.img and the modified boot.img can be different.
(in my environment, the original boot.img was about 67MB, while the modifyed boot.img was
about 32MB)
5.insert modified boot.img
using dirtycow, adb push, and dd, insert the modified boot.img into the /dev/block/mmcblk0p41
also, put "su.img" and "SuperSU.apk" in /cache
then,reboot Z581KL.
"Verification Error" is always displayed when starting up, but if you wait for a while
it will start normally.
that's all.
**********************
Firmware downgrade procedure
1. your firmware is v3.3.20.0
2. download firmware from asus's support page. (UL-P008-WW-3.3.18.0-user.zip)
3. rename the zip file ( UL-P008-WW-3.3.18.0-user.zip -> UL-P008-WW-5.3.9.0-user.zip )
4. Place the zip file in an arbitrary directory on the SD card and insert this SD card into Z581KL
5. The update dialog is displayed as it is ( or it is displayed when restarted )
If the firmware is v 5 or higher (currently v 5.3.9.0 is published),
this procedure may indicate an error and the downgrade may fail.
In that case, for now I have no choice but to give up ...

I am sorry if my comment sounds unprofessional. Can you express steps 2-5 in a vulgar manner. Is mkbootimg a tool? ttps://forum.xda-developers.com/android/software-hacking/development-mkbootimg-tools-t2895954

I am experiencing permission denied while performing: adb pull /tmp/boot.img ./
i.imgur.com/TSO0v1g.png

About mkbootimg it is right.
Download all files with ZIP from GitHub's "Clone or download" button described in that URL.
About "adb pull" command, sorry.
Before doing it, you need to change the permissions of boot.img to 777.
[email protected]_1:/tmp # dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
[email protected]_1:/tmp # chmod 777 /tmp/boot.img
[email protected]_1:/tmp # exit
[email protected]_1:/tmp $ exit

By the way, I would like you to tell me.
Is there a procedure like this that you successfully downgraded the firmware?
1. your firmware is v3.3.20.0
2. download firmware from asus's support page. (UL-P008-WW-3.3.18.0-user.zip)
3. rename the zip file ( UL-P008-WW-3.3.18.0-user.zip -> UL-P008-WW-5.3.9.0-user.zip )
4. Place the zip file in an arbitrary directory on the SD card and insert this SD card into Z581KL
5. The update dialog is displayed as it is ( or is it displayed when restarted? )

yamada_2501 said:
By the way, I would like you to tell me.
Is there a procedure like this that you successfully downgraded the firmware?
1. your firmware is v3.3.20.0
2. download firmware from asus's support page. (UL-P008-WW-3.3.18.0-user.zip)
3. rename the zip file ( UL-P008-WW-3.3.18.0-user.zip -> UL-P008-WW-5.3.9.0-user.zip )
4. Place the zip file in an arbitrary directory on the SD card and insert this SD card into Z581KL
5. The update dialog is displayed as it is ( or is it displayed when restarted? )
Click to expand...
Click to collapse
Correct. This is exactly what I've done. My factory firmware was v3.3.20.0. I downloaded the 3.3.18.0 firmware from ASUS website and rename it to the 5.3.9.0 firmware. I was able to downgrade the system using the standard procedures.
---------- Post added at 04:11 AM ---------- Previous post was at 03:55 AM ----------
yamada_2501 said:
About mkbootimg it is right.
Download all files with ZIP from GitHub's "Clone or download" button described in that URL.
About "adb pull" command, sorry.
Before doing it, you need to change the permissions of boot.img to 777.
[email protected]_1:/tmp # dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
[email protected]_1:/tmp # chmod 777 /tmp/boot.img
[email protected]_1:/tmp # exit
[email protected]_1:/tmp $ exit
Click to expand...
Click to collapse
Thank you. I was able to successfully pull that boot.img. However, is there any mkbootimg alternative for windows. It seems like a linux system tool.
---------- Post added at 04:20 AM ---------- Previous post was at 04:11 AM ----------
yamada_2501 said:
About mkbootimg it is right.
Download all files with ZIP from GitHub's "Clone or download" button described in that URL.
About "adb pull" command, sorry.
Before doing it, you need to change the permissions of boot.img to 777.
[email protected]_1:/tmp # dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
[email protected]_1:/tmp # chmod 777 /tmp/boot.img
[email protected]_1:/tmp # exit
[email protected]_1:/tmp $ exit
Click to expand...
Click to collapse
I was able to find this post (ttps://forum.xda-developers.com/redmi-1s/general/guide-unpack-repack-kernel-t2908458). I am not sure if it work. Would you please verify and please post the steps. When I use this tool, I am getting a intrid folder instead of ramdisk folder as describe in your post. The link below is what I have. The red boxed files are the original files. Green arrowed file is the original boot.img
i.imgur.com/8d05Zis.png
Also, would you please provide the codes you used in step 5.
Update:
I was somehow able to push boot.img and the other two files in by modifying step 1's code. However, I think the boot.img I created has an error. Perhaps because of sizing error. I am not able to start the machine. Now, is stuck at fastboot options menu. How can I get back to the recovery menu and perhaps push the original boot.img back.

If you connect to the PC with the fastboot menu activated,
and execute the " fastboot reboot recovery " command on the PC,
will not you get to the recovery menu?

yamada_2501 said:
If you connect to the PC with the fastboot menu activated,
and execute the " fastboot reboot recovery " command on the PC,
will not you get to the recovery menu?
Click to expand...
Click to collapse
No, when I execute that command, it shows me a bunch of options as shown in the screenshot below.
i.imgur.com/ZJsh5Ub.png

Sorry, I can only think about this as other means....
1.Power off your device
2.pressing and holding Volume Down and Power Button at the same time
3.Boot in recovery mode
1.Power off your device
2.pressing and holding Volume Up and Power Button at the same time
3.Boot in Fast boot options menu
4.select "USB debug mode"
１．Boot in Fast boot options menu
2.Use fastboot command from PC to start Z581KL from original boot.img on PC
-> fastboot boot ./boot.img

yamada_2501 said:
Sorry, I can only think about this as other means....
1.Power off your device
2.pressing and holding Volume Down and Power Button at the same time
3.Boot in recovery mode
1.Power off your device
2.pressing and holding Volume Up and Power Button at the same time
3.Boot in Fast boot options menu
4.select "USB debug mode"
１．Boot in Fast boot options menu
2.Use fastboot command from PC to start Z581KL from original boot.img on PC
-> fastboot boot ./boot.img
Click to expand...
Click to collapse
The combination button will not get me to the recovery mode. USB debugging mode requires a OS system. I've been trying to flash/boot the original boot.img from my computer but it has some permission error.
i.imgur.com/rmK65Z9.png
Is it possible to get this permission error fix and flash or boot the original boot.img?

I already upgraded to Nougat 5.3.9.0. Could I downgrade to 3.3.18 without bricking it?

I could get blueborne to work on JP_V5.5.0_220170616.
But shell whose uid=bluetooth is seemingly useless for rooting...
Does anyone know how to get root from bluetooth shell?

is there any guide to flash a ww rom over operator rom?
thanks

How to insert the modified boot.img into the /dev/block/mmcblk0p41 by using dirtycow, adb push, and dd?

tomo_ward said:
How to insert the modified boot.img into the /dev/block/mmcblk0p41 by using dirtycow, adb push, and dd?
Click to expand...
Click to collapse
His original instruction left out commands to acquire permission to access boot.img. Read the reply threads between yamada and me. He addressed the instruction to acquire the permission. In order to insert the modified boot.img, you re-execute step 1, but instead of doing an adb pull on the last command of step 1, do an adb push.
However, the issue of this guide is the fact that you need to push the boot.img out, unpack and repack it. The risk of this is that the chance of you getting wrong modified size boot.img. There is no way to re-acquire permission to replace the wrong boot.img with the original one once you can't boot into the system; therefore, you end up with a Z581Kl that just do not boot. I had to send mine Z581KL back to factory in order to fix the effect.
If you are willing to take the risk and does success, please provide the boot.img you have successfully modified. That will definitely be a gospel.

thank you.
I'll try to get Root my Z581KL

Should I change file permission of patched_boot.img before run "dd" command?
[email protected]_1:/tmp # chmod 777 /tmp/patched_boot.img #Do I need?
[email protected]_1:/tmp # dd if=/tmp/patched_boot.img of=/dev/block/mmcblk0p41

Was anyone able to get a boot.img that works?

Cannot download the needed ZIP file.
Any backup?

Uqbar said:
Cannot download the needed ZIP file.
Any backup?
Click to expand...
Click to collapse
None has it any more?

LG G4 fails to complete LOS 14.1 boot after battery drained to zero [Fixed]

The battery of a rooted, UsUed LG G4 running LineageOS 14.1 was accidentally allowed to drain to zero. After re-charging above 50%, the device failed to boot. The LOS boot screen "bubble on a string" animation would continue indefinitely.
The phone still booted to TWRP, download mode, and fastboot mode.
Originally, it was suspected that this was ILAPO. However, this suspicion was incorrect.
After extensive work creating a boot sector that would allow logging and a ton of help from @steadfasterX, it was discovered that various files in /data/system had been corrupted and had sizes of zero. Android would try to read values from these files, fail, and repeat.
First, a full TWRP backup of the phone was made and copied off-device. Then, I made a second backup of /data/system. Next, I deleted the following zero-byte files from /data/system using TWRP (or ADB after launching TWRP).
packages.list
packages.xml
profiles.xml
netpolicy.xml
notification_policy.xml
If this doesn't work, I would have considered deleting other zero-byte files in /data/system. I used "ls -laS" to get a size-ordered list of files in my current directory.
After a reboot, android re-created the files and booted to the lockscreen.
All of the apps in /data/data had already been cleared. Otherwise, Android would probably have choked on the differences between the user IDs that it wanted to assign to apps and the ownership of the various app folders.
The following links suggest ways to restore some apps from previously created backups
GitHub - joshuabragge/twrp-manual-restore: Automate individual app restores from an android TWRP backup
Automate individual app restores from an android TWRP backup - GitHub - joshuabragge/twrp-manual-restore: Automate individual app restores from an android TWRP backup
github.com
https://www.semipol.de/posts/2016/07/android-manually-restoring-apps-from-a-twrp-backup/
(Permanent archive: https://web.archive.org/web/2019083.../android-restoring-apps-from-twrp-backup.html)
There is no warranty on this solution. It was a makeshift effort created by an amateur. If you choose to duplicate it, you do so at your own risk. You may permanently destroy your phone.
Old post below:
I'm trying to understand whether a particular G4 (H815) has ILAPO. Its been sneezing, has a sore throat, and now can't taste anything^H^H oops, I mean:
- Previously, the phone would get hot during use.
- The phone has been UsUed.
- The battery was accidentally allowed to discharge to zero.
- After the battery was recharged, the phone was unable to boot past the Lineageos "bubble on a string" animation. The animation simply continues forever.
- The phone can boot to TWRP, fasboot, download mode, etc.
Attempts to fix:
- Tried renaming /sdcard/Android to /sdcard/Android.old but this had no effect.
- Tried clearing cache and dalvik cache but this had no effect
- (NEW) Tried attaching to computer and launching "adb logcat" during animation. Device is never found. If I remember correctly, "USB debugging" was off when the device died. (ADB does work in TWRP.)
- (NEW) Tried creating a custom 4-core (2 core for boot) boot image using the instructions here https://forum.xda-developers.com/t/...tom-x-cores-boot-image-ilapo-tempfix.3718389/ and used "fastboot flash boot boot.img" to flash it. This doesn't seem to work.
-- If I reboot into TWRP after a long period of waiting for the lineageos splash screen, I get a CPU temperature of 46 C. I don't know what temperature was generated in the same situation the modified boot image was installed.
Most of the info on ILAPO suggests that phones with it can't get past the LG logo. That is not the case here. Is this ILAPO or something different? Does anyone have ideas as to what might be an appropriate fix?
Is it possible to retrieve boot logs using TWRP in order to figure out when/where/why the boot hangs?

electricfield said:
I'm trying to understand whether a particular G4 (H815) has ILAPO. Its been sneezing, has a sore throat, and now can't taste anything^H^H oops, I mean:
- Previously, the phone would get hot during use.
- The phone has been UsUed.
- The battery was accidentally allowed to discharge to zero.
- After the battery was recharged, the phone was unable to boot past the Lineageos "bubble on a string" animation. The animation simply continues forever.
- The phone can boot to TWRP, fasboot, download mode, etc.
Attempts to fix:
- Tried renaming /sdcard/Android to /sdcard/Android.old but this had no effect.
- Tried clearing cache and dalvik cache but this had no effect
- (NEW) Tried attaching to computer and launching "adb logcat" during animation. Device is never found. If I remember correctly, "USB debugging" was off when the device died. (ADB does work in TWRP.)
- (NEW) Tried creating a custom 4-core (2 core for boot) boot image using the instructions here https://forum.xda-developers.com/t/...tom-x-cores-boot-image-ilapo-tempfix.3718389/ and used "fastboot flash boot boot.img" to flash it. This doesn't seem to work.
-- If I reboot into TWRP after a long period of waiting for the lineageos splash screen, I get a CPU temperature of 46 C. I don't know what temperature was generated in the same situation the modified boot image was installed.
Most of the info on ILAPO suggests that phones with it can't get past the LG logo. That is not the case here. Is this ILAPO or something different? Does anyone have ideas as to what might be an appropriate fix?
Is it possible to retrieve boot logs using TWRP in order to figure out when/where/why the boot hangs?
Click to expand...
Click to collapse
Sounds like the ilapo. Is the battery charged now? I don't know which LOS version you have installed but if you use mine:
follow FAQ #7 of my LOS thread

steadfasterX said:
Sounds like the ilapo. Is the battery charged now? I don't know which LOS version you have installed but if you use mine:
follow FAQ #7 of my LOS thread
Click to expand...
Click to collapse
Thank you for your reply. You seem to know more about G4 issues than anyone. I really appreciate your help.
The battery is charged now.
Unfortunately, I am using the microg version of LOS 14.1, rather than your 16.0.
I tried following the instructions in your FAQ #7, but I can't do step 1 (boot android). The only way for me to exit the bootloop is by removing the battery. There is no "debug" in /cache after I mount cache in TWRP.
I also looked at FAQ #1. ADB never finishes waiting for the device. In fact "lsusb" doesn't show the phone during OS boot (ADB is fine when TWRP is loaded).
Any other ideas?

electricfield said:
Thank you for your reply. You seem to know more about G4 issues than anyone. I really appreciate your help.
The battery is charged now.
Unfortunately, I am using the microg version of LOS 14.1, rather than your 16.0.
I tried following the instructions in your FAQ #7, but I can't do step 1 (boot android). The only way for me to exit the bootloop is by removing the battery. There is no "debug" in /cache after I mount cache in TWRP.
I also looked at FAQ #1. ADB never finishes waiting for the device. In fact "lsusb" doesn't show the phone during OS boot (ADB is fine when TWRP is loaded).
Any other ideas?
Click to expand...
Click to collapse
As written in my mentioned FAQ taken battery out is needed in your case. Step 2 iirc.
If you dont use my LOS then no way. The cache/debug is something I've added and no one else has.
Option1:
You can just flash my LOS 16 or /e/ ROM (take a full backup before in TWRP) and use that for debugging your current issue. Why using microg btw? /e/ is great
Option2:
The other option would be pulling the boot img of your current LOS (in TWRP: adb pull /dev/block/bootdevice/by-name/boot ) and rebuilding it as insecure (i.e. usb debug on and adb root ) but if you never did that before it it will be hard i guess. AiK might work here or using mAid which includes bootimgtool.
Option3:
Also you can attach that boot img here and if i ever find the time i can do option2 for you but don't expext that this happens soon .

Thank you again for your help.
I'm a little afraid that installing a new & different ROM will increase the level of complexity. I'll do it if I must, though.
I started looking at option #2. Retrieving the boot image was fine, but unpacking presents a problem.
$ ./unpack-bootimg.sh boot.img.original
Found a secondary file after the ramdisk image. According to the spec (mkbootimg.h) this file can exist, but this script is not designed to deal with this scenario.
Is there a guide anywhere?

electricfield said:
Thank you again for your help.
I'm a little afraid that installing a new & different ROM will increase the level of complexity. I'll do it if I must, though.
I started looking at option #2. Retrieving the boot image was fine, but unpacking presents a problem.
$ ./unpack-bootimg.sh boot.img.original
Found a secondary file after the ramdisk image. According to the spec (mkbootimg.h) this file can exist, but this script is not designed to deal with this scenario.
Is there a guide anywhere?
Click to expand...
Click to collapse
thousands.. But the problem is that our device is sensitive when it comes to packaging the boot.img again. Bootimgtool is working in 9 of 10 times though.
Boot mAid . Open a terminal. Type bootimgtool --help .important is to use "-v qcom". Then extract the ramdisk with gzip and cpio, then modding the default.prop to make it insecure , then using gzip and cpio again to rebuild the ramdisk, finally using bootimgtool to construct the boot.img again. Sounds harder than it is but i have no access to my pc until monday so i cannot give all the needed cmds atm. There are plenty of guides out there and tools ofc which allow unpack,repack etc. That's why i mentioned AIK which does exactly the above but it fails sometimes to build a correct working boot.img.
So my suggestion is try your luck with one of the tools or wait until I've access to my pc. Consider joining my TG group then for easier support (see my sig)

steadfasterX said:
thousands.. But the problem is that our device is sensitive when it comes to packaging the boot.img again. Bootimgtool is working in 9 of 10 times though.
Boot mAid . Open a terminal. Type bootimgtool --help .important is to use "-v qcom". Then extract the ramdisk with gzip and cpio, then modding the default.prop to make it insecure , then using gzip and cpio again to rebuild the ramdisk, finally using bootimgtool to construct the boot.img again. Sounds harder than it is but i have no access to my pc until monday so i cannot give all the needed cmds atm. There are plenty of guides out there and tools ofc which allow unpack,repack etc. That's why i mentioned AIK which does exactly the above but it fails sometimes to build a correct working boot.img.
So my suggestion is try your luck with one of the tools or wait until I've access to my pc. Consider joining my TG group then for easier support (see my sig)
Click to expand...
Click to collapse
Thank you once again. I'm really impressed by how much help you have been able to give so far.
Unfortunately, I have no phone with which to join the Telegram group.
I made the modified boot image, but adb is still unable to speak to the phone during boot. I note that lsusb does not show the phone during boot -- maybe the system hangs before USB is activated. However, I could have made the boot image incorrectly.
Here is what I did:
[[email protected] extract]$ bootimgtool -i boot
Image size: 41943040
Page size: 4096
Kernel size: 22456976
Ramdisk size: 1672742
Second stage size: 0
Device tree size: 0
Kernel load address: 0x00008000
Ramdisk load address: 0x01000000
Second stage load address: 0x00f00000
Device tree load address: 0x00000000
Tags load address: 0x00000100
Product name:
Command line: maxcpus=4 boot_cpus=0-1 console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 msm_rtb.filter=0x37 boot_cpus=0-1 buildvariant=userdebug
[[email protected] extract]$ bootimgtool -x boot -v qcom
[[email protected] extract]$ gunzip ramdisk
[[email protected] ex]$ cpio -i < ../ramdisk
In default.prop, I changed:
ro.adb.secure=0
ro.secure=0
security.perf_harden=0
ro.debuggable=0
persist.sys.usb.config=mtp,adb
In default.prop, I added:
persist.service.adb.enable=1
persist.service.debuggable=1
[[email protected] ex]$ find > /tmp/filelist
[[email protected] ex]$ cpio -o < /tmp/filelist > ../ramdisk.modified
This produces
-rw-r--r-- 1 android users 4166400 Jan 2 17:29 ramdisk.gunzip.original
-rw-r--r-- 1 android users 4162048 Jan 2 17:31 ramdisk.modified
-rw-r--r-- 1 android users 1672742 Jan 2 17:16 ramdisk.img.original
I don't understand why the "modified" gunzipped file is slightly smaller than the original.
[[email protected] extract]$ mv ramdisk.modified.gz ramdisk.img
[[email protected] extract]$ cp boot boot.original
[[email protected] extract]$ bootimgtool -v qcom -c boot
Overwrite 'boot'? [y/N] y
-rw-r--r-- 1 android users 25370624 Jan 2 17:38 boot
-rw-r--r-- 1 android users 41943040 Jan 2 17:37 boot.original
I am wary because I don't understand why the new file is so much smaller than the original. However, I decided to proceed. Uploaded modified boot to /sdcard/boot.modified
Inside adb:
/dev/block/platform/soc.0/f9824900.sdhci/by-name # ls -al boot
lrwxrwxrwx 1 root root 21 Jan 1 04:16 boot -> /dev/block/mmcblk0p38
/dev/block/platform/soc.0/f9824900.sdhci/by-name # cp /sdcard/boot.modified /dev/block/mmcblk0p38
Plugged in device. On computer "adb wait-for-device". Reboot device.
Unfortunately, no action from adb.

electricfield said:
Thank you once again. I'm really impressed by how much help you have been able to give so far.
Unfortunately, I have no phone with which to join the Telegram group.
I made the modified boot image, but adb is still unable to speak to the phone during boot. I note that lsusb does not show the phone during boot -- maybe the system hangs before USB is activated. However, I could have made the boot image incorrectly.
Here is what I did:
[[email protected] extract]$ bootimgtool -i boot
Image size: 41943040
Page size: 4096
Kernel size: 22456976
Ramdisk size: 1672742
Second stage size: 0
Device tree size: 0
Kernel load address: 0x00008000
Ramdisk load address: 0x01000000
Second stage load address: 0x00f00000
Device tree load address: 0x00000000
Tags load address: 0x00000100
Product name:
Command line: maxcpus=4 boot_cpus=0-1 console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 msm_rtb.filter=0x37 boot_cpus=0-1 buildvariant=userdebug
[[email protected] extract]$ bootimgtool -x boot -v qcom
[[email protected] extract]$ gunzip ramdisk
[[email protected] ex]$ cpio -i < ../ramdisk
In default.prop, I changed:
ro.adb.secure=0
ro.secure=0
security.perf_harden=0
ro.debuggable=0
persist.sys.usb.config=mtp,adb
In default.prop, I added:
persist.service.adb.enable=1
persist.service.debuggable=1
[[email protected] ex]$ find > /tmp/filelist
[[email protected] ex]$ cpio -o < /tmp/filelist > ../ramdisk.modified
This produces
-rw-r--r-- 1 android users 4166400 Jan 2 17:29 ramdisk.gunzip.original
-rw-r--r-- 1 android users 4162048 Jan 2 17:31 ramdisk.modified
-rw-r--r-- 1 android users 1672742 Jan 2 17:16 ramdisk.img.original
I don't understand why the "modified" gunzipped file is slightly smaller than the original.
[[email protected] extract]$ mv ramdisk.modified.gz ramdisk.img
[[email protected] extract]$ cp boot boot.original
[[email protected] extract]$ bootimgtool -v qcom -c boot
Overwrite 'boot'? [y/N] y
-rw-r--r-- 1 android users 25370624 Jan 2 17:38 boot
-rw-r--r-- 1 android users 41943040 Jan 2 17:37 boot.original
I am wary because I don't understand why the new file is so much smaller than the original. However, I decided to proceed. Uploaded modified boot to /sdcard/boot.modified
Inside adb:
/dev/block/platform/soc.0/f9824900.sdhci/by-name # ls -al boot
lrwxrwxrwx 1 root root 21 Jan 1 04:16 boot -> /dev/block/mmcblk0p38
/dev/block/platform/soc.0/f9824900.sdhci/by-name # cp /sdcard/boot.modified /dev/block/mmcblk0p38
Plugged in device. On computer "adb wait-for-device". Reboot device.
Unfortunately, no action from adb.
Click to expand...
Click to collapse
Ok i haven't followed every step bc I'm in half sleep mode already but you did one step wrong : you cant use cp like you did to copy the boot img. Either use the IMG button within TWRP flash menu or use fastboot flash boot boot.img to actually flash the modded boot img

Thank you, once again.
I think that something must be wrong with the boot image.
After "fastboot flash boot boot.modified", I get a blue light. The screen is blank with a cursor in the upper-left hand corner.
"fastboot flash boot boot.original" restores it to its previous state. i.e., it gets to the first lineageos splash screen bubble.
I'm suspicious of the difference between the file sizes of the original and modified boot images.

electricfield said:
Thank you, once again.
I think that something must be wrong with the boot image.
After "fastboot flash boot boot.modified", I get a blue light. The screen is blank with a cursor in the upper-left hand corner.
"fastboot flash boot boot.original" restores it to its previous state. i.e., it gets to the first lineageos splash screen bubble.
I'm suspicious of the difference between the file sizes of the original and modified boot images.
Click to expand...
Click to collapse
Ignore the size diff. That's bc of diff compressing tools but does not matter. Your cpio cmd is unusual . Cpio has switches to create directories and that is not used in yours above . Thats likely the reason why it does not boot at all. Again sorry that i can't help better atm but without my pc..

Thanks.
I changed the ramdisk extraction command to:
gzip -dc ../ramdisk.img | cpio -imd
and the creation command to:
find . ! -name . | LC_ALL=C sort | cpio -o -H newc -R root:root | gzip > ../new-boot.img-ramdisk.gz
Bootimgtool then produced a boot image that booted. After fastboot flash, the device is in the same state as before (splash screen).
Unfortunately, "adb wait-for-device" produces nothing. "lsusb" does not show the phone.
Can you confirm the lines to change in default.prop?
In default.prop, I changed:
ro.adb.secure=0
ro.secure=0
security.perf_harden=0
ro.debuggable=0
persist.sys.usb.config=mtp,adb
I added:
persist.service.adb.enable=1
persist.service.debuggable=1

electricfield said:
Thanks.
I changed the ramdisk extraction command to:
gzip -dc ../ramdisk.img | cpio -imd
and the creation command to:
find . ! -name . | LC_ALL=C sort | cpio -o -H newc -R root:root | gzip > ../new-boot.img-ramdisk.gz
Bootimgtool then produced a boot image that booted. After fastboot flash, the device is in the same state as before (splash screen).
Unfortunately, "adb wait-for-device" produces nothing. "lsusb" does not show the phone.
Can you confirm the lines to change in default.prop?
In default.prop, I changed:
ro.adb.secure=0
ro.secure=0
security.perf_harden=0
ro.debuggable=0
persist.sys.usb.config=mtp,adb
I added:
persist.service.adb.enable=1
persist.service.debuggable=1
Click to expand...
Click to collapse
ro.debuggable=1 is better (allows adb root)
security.perf_harden shouldn't be added (or.changed if it was there)
Rest looks ok. At least as long as you really changed these values directly or added them at the top (ro. values can be set only once)
Otherwise you should wait until tomorrow then i can share a 100% working way

electricfield said:
Thanks.
I changed the ramdisk extraction command to:
gzip -dc ../ramdisk.img | cpio -imd
and the creation command to:
find . ! -name . | LC_ALL=C sort | cpio -o -H newc -R root:root | gzip > ../new-boot.img-ramdisk.gz
Bootimgtool then produced a boot image that booted. After fastboot flash, the device is in the same state as before (splash screen).
Unfortunately, "adb wait-for-device" produces nothing. "lsusb" does not show the phone.
Can you confirm the lines to change in default.prop?
In default.prop, I changed:
ro.adb.secure=0
ro.secure=0
security.perf_harden=0
ro.debuggable=0
persist.sys.usb.config=mtp,adb
I added:
persist.service.adb.enable=1
persist.service.debuggable=1
Click to expand...
Click to collapse
Oh wait! Pls share the bootimgtool command you are using to create the new boot.img

Thank you, again.
The bootimgtool command is the same one as I used before (no change). Before running it, I renamed the new ramdisk to ramdisk.img.
bootimgtool -v qcom -c boot.modified3
Followed by bringing the phone into fastboot mode and running
fastboot flash boot boot.modified3
The phone boots to the lineageos splash screen but no response to "adb wait-for-device".
I'll try ro.debuggable=1 and get rid of security.perf_harden in a few minutes, but I wonder if they are unlikely to change anything given that the device does not show up in (linux) lsusb.

electricfield said:
Thank you, again.
The bootimgtool command is the same one as I used before (no change). Before running it, I renamed the new ramdisk to ramdisk.img.
bootimgtool -v qcom -c boot.modified3
Followed by bringing the phone into fastboot mode and running
fastboot flash boot boot.modified3
The phone boots to the lineageos splash screen but no response to "adb wait-for-device".
I'll try ro.debuggable=1 and get rid of security.perf_harden in a few minutes, but I wonder if they are unlikely to change anything given that the device does not show up in (linux) lsusb.
Click to expand...
Click to collapse
That wont change anything if adb does not come up. Just for completeness.
Ok so if you renamed it to ramdisk.img then all.good that was the thing i had in mind (that you didn't and not.used the -r switch). Well ok then without my pc the only thing i can think of might be the USB cable but thats very unlikely

Thanks again for your help.
The boot image that was flashed is definitely the correct one. I extracted it to another folder and checked it before flashing.
I re-made the boot image, but the result is the same (no adb, no device in lsusb).
What "-r switch" are you referring to in your previous message?
The USB cable works fine for ADB in TWRP, so I doubt it is the problem.

electricfield said:
Thanks again for your help.
The boot image that was flashed is definitely the correct one. I extracted it to another folder and checked it before flashing.
I re-made the boot image, but the result is the same (no adb, no device in lsusb).
What "-r switch" are you referring to in your previous message?
The USB cable works fine for ADB in TWRP, so I doubt it is the problem.
Click to expand...
Click to collapse
The -r (iirc) switch was related to bootimgtool. That way you can choose your newly created ramdisk.img but when you renamed it to ramdisk.img it works without.

Thanks.
I would deeply appreciate if you were able to guide me in making the boot image correctly when you have your computer on Monday.
On the other hand, if this method won't work, its best if I know that so that I can try the next thing....

electricfield said:
Thanks.
I would deeply appreciate if you were able to guide me in making the boot image correctly when you have your computer on Monday.
On the other hand, if this method won't work, its best if I know that so that I can try the next thing....
Click to expand...
Click to collapse
ok here you go, this must be added /changed in default.prop:
Code:
ro.adb.secure=0
ro.secure=0
ro.debuggable=1
persist.service.adb.enable=1
persist.service.debuggable=1
persist.sys.usb.config=adb
thumbs pressed

Thank you.
I rebuilt the boot image with these entries, but "adb wait-for-device" still does not work during boot.
Any other ideas?

(Journal) A successful attempt at fixing a hard-hardbricked Redmi Note 9 (Global) on Fedora

A long time ago, I posted in a forum thread about my difficulty in trying to revive my M2003J15SG and after having my ethereal Windows install bricked. I switched to Fedora and tried my hand there, where surprisingly, things worked very well. I'm not calling this a guide because I'm basically piecing this together from my bash_history and recollection. I have used the word guide too many times to keep that sentence but yeah, it may be shaky in some places.
Disclaimer​
Code:
/*
* Your warranty is... still valid?
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns.
*
* I have removed the part about laughing at you because I'm not a meanie :3
*
* But yeah, this text is as-is. We provide this work to you without
* warranty of any kind, express or implied and in no event shall the authors
* be liable for any claim, damages or other liability in any way, shape or form,
* arising from, out of, in connection with the work
*
*/
A few things to note​
This is an attempt to document my experience with BROM recovery of a phone that I bricked because I flashed an incorrect littlekernel image. If you're able to use other methods (using fastboot, recovery mode, hell, even preloader mode, you should probably go with that, this is a last resort).
This guide does involve opening your device, you will need a heat gun, a few picks and a screwdriver. No, this is not optional.
If you've read the excellent guide by VD171 on bypassing authentication and flashing, you may notice the important text that states
> Once you get "Protection disabled" at the end, without disconnecting phone and usb, run SP Flash Tool
That's because if you do disconnect and attempt to reconnect your device, it won't be recognized anymore. On Windows, this manifests as the infamous "USB device not recognized" error. This isn't you installing incorrect drivers, that's the device behaving erratically.
To have a second go at it, you have to press Vol Up + Power for about 60 seconds before you can retry.
To enter BROM mode, you need to press Vol Down and no other key, and then plug in your device.
This guide while being Fedora-specific, could be translated to other Linux distros assuming you have the necessary packages installed and have the appropriate permissions and udev rules set
This model of device doesn't need the kamakiri-specific kernel patch
On RHEL-like distros like Rocky Linux and... RHEL, you may need to disable SELinux. I have mine disabled at install so I'm not sure how this guide will behave with SELinux enforcement enabled.
Click to expand...
Click to collapse
Ingredients​
Stock MIUI ROM V11.0.5.0.QJOMIXM (the fastboot variant), which you can get from XiaomiFirmwareUpdater
SP Flash Tool v5.2020 for Linux, which you can get from SPFlashTools
VD171's readback_ui_bak.xml, which you can get from their XDA Forums thread
VD171's scatterfiles for V11.0.5.0.QJOMIXM, which you can get from their XDA forums thread
You'll specifically need MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt and MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt
mtkclient, an MTK device exploit kit, which you can find on their GitHub (you'll need their master branch, not their releases, so there'll be instructions on how to fetch it)
A box of chocolate chip cookies
Click to expand...
Click to collapse
a) Preparing the computer​
Step 0: Extract all ingredients and put them into one directory for ease of access
You can do this via the command line or through your file manager, it's just for convinence. This guide will assume that everything is done in one neat folder.
Click to expand...
Click to collapse
Step 1: Install all the dependencies you'll need
Bash:
sudo dnf install android-tools git libusb-devel python3 python3-pip systemd-udev
Step 2: Prevent Linux from interfering with MediaTek serial connections
Bash:
sudo touch /etc/udev/rules.d/20-mm-blacklist-mtk.rules
echo "ATTRS{idVendor}==\"0e8d\", ENV{ID_MM_DEVICE_IGNORE}=\"1\"" | sudo tee /etc/udev/rules.d/20-mm-blacklist-mtk.rules
echo "ATTRS{idVendor}==\"6000\", ENV{ID_MM_DEVICE_IGNORE}=\"1\"" | sudo tee -a /etc/udev/rules.d/20-mm-blacklist-mtk.rules
Step 3: Clone mtkclient and install its dependencies
Bash:
git clone https://github.com/bkerler/mtkclient
cd mtkclient
pip3 install -r requirements.txt
python3 setup.py build
sudo python3 setup.py install
Step 4: Install mtkclient's bundled udev rules
Bash:
sudo usermod -a -G dialout $USER
sudo cp Setup/Linux/*.rules /etc/udev/rules.d
Step 5: Reload udev rules
Bash:
sudo udevadm control --reload-rules
sudo udevadm trigger
Step 6: Return to previous directory
Bash:
cd ..
b) Preparing the device​
This is where you basically follow this iFixit guide for the purposes of just disconnecting the battery cable. So, just stop at Step 12, then put the back cover on just flush enough that you can now click the volume and power buttons and insert a cable into the USB-port but not too much so that you have to go through the effort of reopening it again (because, well, you'll have to).
Attempting to skip this will yield you STATUS_EXT_RAM_EXCEPTION.
Click to expand...
Click to collapse
c) Backing everything up​
Alongside ROM and userdata, your EMMC contains your IEMI, your bootloader lock state, MAC addresses, calibration data, the whole nine yards. It's always a good idea to back things up before we get started.
Step 1: Copy readback_ui_bak.xml to the SP Flash Tool directory
Bash:
cp ./readback_ui_bak.xml ./SP_Flash_Tool_v5.2020_Linux/readback_ui_bak.xml
Step 2: Connecting your device and applying the exploit
Start off by running the exploit.
Bash:
cd mtkclient
chown +x mtk
./mtk payload
Once it says Preloader - Status: Waiting for PreLoader VCOM, please connect mobile, hold down Vol Down and connect your phone to the computer. If everything goes according to plan, you'll get an output similar to this.
Code:
Port - Device detected :)
Preloader - CPU: MT6768/MT6769(Helio P65/G85 k68v1)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x707
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: [redacted]
Preloader - SOC_ID: [redacted]
PLTools - Loading payload from mt6768_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: [redacted]/mtkclient/mtkclient/payloads/mt6768_payload.bin
Click to expand...
Click to collapse
Step 3: Open SP Flash Tool
Bash:
cd ../SP_Flash_Tool_v5.2020_Linux
chmod +x flash_tool
sudo ./flash_tool
Yes, I'm aware, it's technically not advisable to grant superuser privileges to, a flashing tool but... I can't get it to work otherwise, if you know how to make it work on Fedora, drop a comment.
Click to expand...
Click to collapse
Step 4: Load the Download Agent (DA)
Click "Choose" and go to (common directory)/mtkclient/mtkclient/Loader/xiaomi_9_DA_6765_6785_6768_6873_6885_6853.bin
Click to expand...
Click to collapse
Step 5: Configure SP Flash Tool
Go to Options > Option
In General, uncheck "Storage Lifecycle Check"
In Connection, select "UART"
COM Port: /dev/ttyACM0 (it may not be the exact number, it'll just look something similar to this)
Baud rate: 921600
In Download
Uncheck "USB Checksum"
Uncheck "Storage Checksum"
Click to expand...
Click to collapse
Step 6: Backup device contents
Start by going to the "Readback" tab, it should already be populated with values that correspond to images from pgpt to otp. If you are presented with an empty table, you've need to go back and check if you've copied readback_ui_bak.xml to the correct directory.
If it shows up, then click "Read Back" and if all goes according to plan, you should see the green checkmark show up eventually.
Click to expand...
Click to collapse
d) Flashing stock firmware​Step 1: Copy scatterfiles to ROM directory
Bash:
cp ./MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt ./merlin_global_images_V11.0.5.0.QJOMIXM_20200609.0000.00_10.0_global/images/MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt
cp ./MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt ./merlin_global_images_V11.0.5.0.QJOMIXM_20200609.0000.00_10.0_global/images/MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt
Step 2: Flash the firmware
Return to the "Download" tab and select the MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt scatterfile we just copied in the ROM's images directory
Select "Firmware Upgrade" from the drop-down menu and then hit "Download". If all goes according to plan, you should see a green checkmark.
Click to expand...
Click to collapse
Step 3: Restore bootloader status (optional)
In case you had an unlocked bootloader before imploding your phone and don't want to bother with Xiaomi's rigmarole, then by restoring seccfg, you should get it back.
Step 3.1: Copy over seccfg from our backup
You're probably going to be using a new terminal window because SP Flash is still running, navigate to your common directory first. The backup we did earlier stored all the images within the SP Flash Tool directory. We need to use sudo because flash_tool was running with root privileges and so, was writing with root privileges as well.
Bash:
sudo cp ./SP_Flash_Tool_v5.2020_Linux/seccfg ./merlin_global_images_V11.0.5.0.QJOMIXM_20200609.0000.00_10.0_global/images/seccfg
Step 3.2: Change the scatterfile, select the image and flash it
Change the scatterfile to MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt and un-select everything except seccfg
Select "Download Only" from the drop-down menu and then hit "Download". Fingers crossed, green checkmark, you should get your unlock back.
Click to expand...
Click to collapse
Step 4: Reconnect your battery and first boot
If you've reached this point and everything has worked as expected, reconnect your battery, long press the Power button and you should be greeted with a boot animation and hopefully a functioning phone.
Click to expand...
Click to collapse
e) Packing it up​
Basically, just... follow the iFixit guide from Step b) in reverse and seal up your phone. I don't use this phone regularly so I never bothered sealing it, relying only on the plastic clips. You probably should but that's outside the scope of this journal.
Click to expand...
Click to collapse

f) Upgrading to Android 11 (optional)​
As of this writing, LineageOS supports this device under the codename merlinx (the x is because of a conflict with the Moto G3 Turbo, which shares the same codename) and according to their install documentation, they expect a base of Android 11 and this guide flashes Android 10.
I personally used the V12.5.4.0.RJOMIXM firmware (available from XiaomiFirmwareUpdater, again, use the fastboot version) but I did an ever-so-slight change. The entire song-and-dance of needing the bypass exploit is because of "upgrades" made to the payload. I modified flash_all.sh to omit flashing the payload and the modification looks something like this (the other comment-outs were already there in the file)
Bash:
(...)
#fastboot $* flash preloader `dirname $0`/images/preloader_merlin.bin
#if [ $? -ne 0 ] ; then echo "Flash preloader error"; exit 1; fi
#fastboot $* flash efuse `dirname $0`/images/efuse.img
#if [ $? -ne 0 ] ; then echo "Flash efuse error"; exit 1; fi
fastboot $* flash logo `dirname $0`/images/logo.bin
if [ $? -ne 0 ] ; then echo "Flash logo error"; exit 1; fi
fastboot $* flash tee1 `dirname $0`/images/tee.img
"Flash preloader error"; exit 1; fi
(...)
I also commented out the reboot command at the end so I could flash LineageOS's recovery and flash the OS that I wanted.
Bash:
(...)
#fastboot $* reboot
#if [ $? -ne 0 ] ; then echo "Reboot error"; exit 1; fi
(...)
Of course, you need to boot into fastboot mode (by taking a turned off device and pressing Power + Vol Down) before you execute the script
Code:
cd merlin_global_images_V12.5.4.0.RJOMIXM_20220325.0000.00_11.0_global
chmod +x flash_all.sh
./flash_all.sh
Click to expand...
Click to collapse
Sources​
https://github.com/bkerler/mtkclient
https://github.com/bkerler/mtkclient/issues/94
https://www.hovatek.com/blog/my-experience-unbricking-a-dead-boot-lg-stylo-6/
https://forum.xda-developers.com/t/...omi-redmi-10x-4g-xiaomi-redmi-note-9.4221065/
https://forum.xda-developers.com/t/...for-merlin-redmi-10x-4g-redmi-note-9.4238149/
https://forum.xda-developers.com/t/...omi-redmi-10x-4g-xiaomi-redmi-note-9.4223107/
https://forum.xda-developers.com/t/...omi-redmi-10x-4g-xiaomi-redmi-note-9.4223093/

Wow !
Really amazing guide !
Nice, nice
Thank you very much for contribution