Develop Bugs

Can you identify this ROM file?

Hi there,
I got my hands on a phone that appears to be a copycat of the HTC Diamond 2. It’s running WM6.5. There is no volume button on it so they have some other trick to get into the boot loader. In order to flash it, the vendor is using a simple process:
1. Put a Loader.bin and Flash.bin file on the SD Card.
2. Turn on the phone while holding the “hang-up” and “back” buttons.
3. The boot loader then kicks in and installs the new ROM.
What I’m trying to figure out is what is the file format for Flash.bin and how can to recreate it myself? Basically I’d like to be able to take an nbh from an official ROM file and convert it to that Flash.bin thing.
Using an HEX editor, I see that the first part of Flash.bin looks very similar to an OS partition that can be extracted from an nbh file (e.g. using NBHExtract) but one difference is that the header of Flash.bin starts with a few more bytes B0B0FF etc.:
B 0 B 0 F F …
42 30 42 30 46 46 0A 00 0C 0C 00 00 8A 90 06 00 0C 0C 00 00 02 02 00 2C 53 4E
I’ve uploaded both Loader.bin and Flash.bin here if you want to look further.
http://rapidshare.com/files/328271954/FLASH.zip
http://rapidshare.com/files/328259421/LOADER.BIN
Any tips greatly appreciated.
Thanks,
Bob

[Q] Unlock Galaxy S

Hello,
I am trying to unlock my sgs, that I bought in Croatia. It is locked to VIP carrier, but none of the metods described in the forums work for me.
I have copied my nv_data. bin file to my computer and extracted the unlock code from it with SGUX utility for windows by rbnet.it and marcopon. But when I reboot the phone with my SIM and enter the unlock code it says unsucsessful unlocking...
I also installed Sgs_Unlock.apk to my phone, witch gave me the same unlock code that doesent work.
Than I tryed to edit nv_data.bin file with hex editor, but it doesent seem to include an address 0x181468.
Thank you wery much!!!
Luka

Try using super one click.
Sent from my GT-I9000 using XDA App

Done
I´ve managed to unlock it with editing nv_data.bin file, that was slightly diferent that the one in this threathttp://forum.xda-developers.com/showthread.php?t=761045 .
Ehtoeh the phone was allready rooted with Super One Click so i could retrive the nv_data.bin file, but that doesent unlock it to other carriers.
This is how i did it:
Follow step 1. from the mentioned thread (retrive the nv_data.bin file).
Open the file with 010 Editor (trial version), go to view, linefeeds and set it to 8 bytes.
Go to mentioned adress (ctrl+g) and see the slightly different line ( ff 01 00 00 00 00 33 35)
Edit it to ff 00 00 00 00 00 33 35 and save.
Follow step 3. from the mentioned (How to unlock/unfreeze all SGS Models) thread, reboot and the phone was unlocked.
Oh i forgot it was running the 2.1 update1 Eclair when i unlocked it.
Luka

I've hosted the file nv_data without've managed to find the line you need to change. whether we could to help;

Let`s think,
Maybe the lock is located at some other address, you just have to find it.
As mentioned in this thread http://forum.xda-developers.com/showthread.php?t=761045 there are 5 different types of locks in 5 different bytes:
network lock, subset lock, sp lock, cp lock and data lock (don`t know if that`s true because i can find only four locks in my phone:network, subset, sp and cp but no data). The locks are defined with byte 00 for lock off and 01 for lock on.
Now enter *#7465625# to phone. It will display the locks and weather they are on or off. (see attachment)
You can now put together a string from the values that you get from the phone 00 for lock off and 01 for lock on.
It should begin with ff followed by the bytes you got from your phone, for example if you have active network lock and all other locks inactive you should have:
ff 01 00 00 00 00 xy xy
As you can see there are two other bytes xy, but we can live without knowing their values as they seem to be differ from phone to phone but they should allways be digits.
Now open your nv_data file with hex editor and search for the string you`ve put together without the last two bytes. You can get more than one result, but the right place is the one where the last two bytes will de digits.
Edit it to ff 00 00 00 00 00 xy xy to turn all the locks off.
I hope you`ll unlock your phone this way and let us know how it goes.
Luka

because I can not find the line you say ,can you find if there is to please;

Can you post a screencapture like i did so i can find that string.

like this ...i quote and the file...I found this address that is similar to saying that

try editing that one to ff 00 00 00 00 00 00 05, but be careful and have your nv_data backed up first cause this can brick your phone.
Iment a screencapture from your phone.
Luka

ok I did the treatment. I just want to tell me exactly, step by step how to switch back to back in mobile

Did you edit your nv_data.bin file and now the phone doesent work?
If so you have to restore your backup like this:
1. Copy the file from the backup (nv_data.bin) to your sdcard.
2. In ADB type the following commands one by one:
su
cp /sdcard/nv_data.bin /efs/nv_data.bin
rm -rf /efs/nv_data.bin.md5 (OR)
busybox rm -rf /efs/nv_data.bin.md5​3. Reboot your phone.
4. Most probably, now your SIM will not work and you will not be able to login into your phone. Please don’t be panic. We are with you
5. Pop off the SIM.
6. Boot your smartphone.
7. Run the below commands through ADB:
su
busybox chown 1001:1001 /efs/nv_data.bin or
chown 1001:1001 /efs/nv_data.bin​
8. Your phone should be OK now.
There is a whole thread on this topic on this forum http://forum.xda-developers.com/showthread.php?t=859914

thnaks for the reply, unfortunately i did not meant that.
i would like to explain me, how you can insert in the sd memory card the nv_data (edit) that i have already processed. In order to sumarize, i would like to know the orders.

Sorry, I didn´t understand you.
So you need to push nv_data.bin file that you have edited back to your phone.
you need to follow the instructions from this thread http://forum.xda-developers.com/showthread.php?t=761045
First copy your nv_data.bin file to root of your sdcard and then use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands:
su
rm /efs/nv_data.bin
rm /efs/nv_data.bin.md5
cat /sdcard/nv_data.bin >> /efs/nv_data.bin
chmod 755 /efs/nv_data.bin
chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
reboot​
Post if it worked.
Luka

i can not, look the foto

This happened to me allso, try rooting your phone with superoneclick (ignore message device seem to be rooted) just before entering adb. If that still doesen`t work try with terminal emulator.

Well we made it and unlock it!
The procedure followed was about as I said it.
1. Follow step 1. from the mentioned thread (retrive the nv_data.bin file).
2.Open the file with 010 Editor (trial version), go to view, linefeeds and set it to 8 bytes.
3.Go to mentioned adress (ctrl+g) and see the slightly different line ( ff 01 00 00 00 00 33 35) may be different numbers from device to device
4.Edit it to ff 00 00 00 00 00 33 35 and save.
5.Follow step 3. from the mentioned (How to unlock/unfreeze all SGS Models) thread, reboot and the phone was unlocked.
When I did the procedure I had a mobile unroot!

Nice to hear you`ve managed to unlock it, I knew you`ll do it soon or later
If it`s unrooted now, you can just root it again, but i don`t know why this happened.
All i would like to know is at wich address the lock was located as your nv_data.bin file didn`t have the address mentioned in the first post. It could help other people to unlock their phones.
Luka

Well you do it again root, I changed my kernel and Rom are all ok!
The address for nv_data.bin is of the form FF 01 00 00 00 00 xx xx to me was
FF 01 00 00 00 00 00 05.

cm7 mac address fix

cm7 mac address fix
i rooted my kindle fire and my dads kindle fire and put cm7 on both
then when we both tried to get on wifi it didnt work after looking into it we found out that we both had the same ip address and also the same mac address
here is a quick quide for changing your mac address
original credit goes to jfb9301 over here
I AM NOT LIABLE IF YOU MESS SOMETHING UP
PROCEED AT YOUR OWN RISK
you need
root explorer
hexeditor
connect your fire
cmd.exe nav to your adb folder
> adb shell
> su
> wlan_cu -b
> / w p 1 l 2 f 2
> / t b v 21
> / t b t 1 0 0 0 0 0 0 0
> / q
now ctrl-C
exit cmd
now on kindle open root explorer
navigate to data/misc/wifi
copy nvs_map.bin
navigate to sdcard and paste
just for safety paste another copy and rename add .bak
" nvs_map.bin.bak "
now open the nvs_map.bin that is in the sdcard with hexeditor
edit the first line
for the mac address 08:00:28:12:34:56
0000: 01 6d 54 56 34 12 28 01 71 54 00 08 00 00
so for 11:22:33:44:55:66
0000: 01 6d 54 66 55 44 33 01 71 54 22 11 00 00
save the file
now in root explorer copy nvs_map.bin from the sdcard and paste it into data/misc/wifi
long press on the file and set permissions to RW- RW- RW-
now reboot
open up wifi settings> menu>advanced and double check your new mac address
credit to jfb9301
good luck!

saving for later

Already posted
SEE HERE​

Also, someone in the thread posted an easier fix:
Download the attached .zip. Extract it. Copy the file to /system/bin/. Reboot.

tkalli said:
Already posted
SEE HERE​
Click to expand...
Click to collapse
You mean already posted as in the OP pointed out it was posted there? He was just putting it in the dev section since that is where most people would search for it and where the original thread poster wanted to put it, but couldnt...

[HELP] unable to unlock bootloader in normal way

So i have redmi note 8 pro with chinese rom stable 12.5 .. the phone bootloader is locked , i tried to unlock the bootloader in normal way by bining an MI account but i am unable to bind mi account to device in developer settings BECAUSE ( the phone IMEI is changed) so its always gives an error of request timeout upon clicking bind account.. morever i tried evry vpn and other possible way to bind my account to unlock bootloader but unable to do it..
Can anyone help me out of this . Because i want to use global rom with google play which i cant do until unlocking bootloader.
I need any possible official or UNofficial way to unlock my redmi note 8 pro bootloader..
Your help would be appreciated. Thankyou

This error.. and it comes after 1-2 mins of clikcing "add device and account"

Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!

RahanCrau said:
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!
Click to expand...
Click to collapse
can you please give me discord and guide me there. i am not so much pro in these.
i am waiting for help for soo many long time if you help me it will be really appreciated man please

RahanCrau said:
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!
Click to expand...
Click to collapse
Bro, can you teach me on what basis did you give the hex values?
Is it that they are translated using tools such as HxD?
Are they device specific?

RahanCrau said:
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!
Click to expand...
Click to collapse
seccfg is unreadable on MIUI 12.5.1 GLOBAL

RahanCrau said:
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!
Click to expand...
Click to collapse
i am getting this error

josephmh said:
View attachment 5448767
i am getting this error
Click to expand...
Click to collapse
Use mtkclient. Google it, read and do.

Kirasu2080 said:
Use mtkclient. Google it, read and do.
Click to expand...
Click to collapse
Thnx dude.
Bootloader is unlocked but i can't access fastboot mode
I get this message :
The serial is not match fastboot_unlock_verify fail

josephmh said:
Thnx dude.
Bootloader is unlocked but i can't access fastboot mode
I get this message :
The serial is not match fastboot_unlock_verify fail
Click to expand...
Click to collapse
I didn't see anyone report that error until now (many tested).
Try again like this:
Join Telegram group and ask for help if not work.

josephmh said:
Thnx dude.
Bootloader is unlocked but i can't access fastboot mode
I get this message :
The serial is not match fastboot_unlock_verify fail
Click to expand...
Click to collapse
Almost EVERY smartphone manufacturer sets a Fastboot verification flag to verify if the Fastboot is really unlocked or not. As in the case of Redmi the bootloader unlock verification is done by the devinfo partition by verifying the flag. Since using the tool you just unlocked the bootloader, Fastboot can't be accessed. Just flash anything u want through SP Flash Tool. Or ask any kind human here for their devinfo and set the unlock flag yourself.

llxxVENOMxxll said:
Almost EVERY smartphone manufacturer sets a Fastboot verification flag to verify if the Fastboot is really unlocked or not. As in the case of Redmi the bootloader unlock verification is done by the devinfo partition by verifying the flag. Since using the tool you just unlocked the bootloader, Fastboot can't be accessed. Just flash anything u want through SP Flash Tool. Or ask any kind human here for their devinfo and set the unlock flag yourself.
Click to expand...
Click to collapse
Don't try this if your a noob and mess your phone.

llxxVENOMxxll said:
Don't try this if your a noob and mess your phone.
Click to expand...
Click to collapse
I was on android 11 i couldn't enter even recovery and i was having that dm-verity corruption, i downloaded the oldest firmware i can get which is android 10 nd flash it with sp flash tool now i can access recovery (colorOs recovery) nd i tried unofficial twrp recovery the phone can't boot to recovery until i reflashed the stock recovery by the way i have Oppo reno 3 cph2043 not redmi note 8

josephmh said:
I was on android 11 i couldn't enter even recovery and i was having that dm-verity corruption, i downloaded the oldest firmware i can get which is android 10 nd flash it with sp flash tool now i can access recovery (colorOs recovery) nd i tried unofficial twrp recovery the phone can't boot to recovery until i reflashed the stock recovery by the way i have Oppo reno 3 cph2043 not redmi note 8
Click to expand...
Click to collapse
The DM-Verity error is due to the unlock is not official. So it will happen. The device should normally boot after showing you the error for 5 seconds. If it doesn't then you're doomed.

llxxVENOMxxll said:
The DM-Verity error is due to the unlock is not official. So it will happen. The device should normally boot after showing you the error for 5 seconds. If it doesn't then you're doomed
Click to expand...
Click to collapse
As i said that error doesn't show on android 10 i downgraded the phone to colorOs7 which is android 10 not 11 but not i have fastboot_unlock_verify fail .. and when i go to developer options -> oem unlock it shows that bootloader is unlocked

Even my OPPO (A31 CPH2015) shows the same problem. We need to find a workaround or get rid of ColorOS forever.

Someone had that problem in Redmi note 8 pro also even official way. Some said press power 1 time whenever that dm-verity show (they just accept and live with it). Some used global one then clean flash China rom, patch vbmeta,... and it gone. Some flash random custom roms and it disappear. Hope these info can help you guys.

RahanCrau said:
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!
Click to expand...
Click to collapse

Syed Abdul Sami said:
So i have redmi note 8 pro with chinese rom stable 12.5 .. the phone bootloader is locked , i tried to unlock the bootloader in normal way by bining an MI account but i am unable to bind mi account to device in developer settings BECAUSE ( the phone IMEI is changed) so its always gives an error of request timeout upon clicking bind account.. morever i tried evry vpn and other possible way to bind my account to unlock bootloader but unable to do it..
Can anyone help me out of this . Because i want to use global rom with google play which i cant do until unlocking bootloader.
I need any possible official or UNofficial way to unlock my redmi note 8 pro bootloader..
Your help would be appreciated. Thankyou
Click to expand...
Click to collapse
josephmh said:
Thnx dude.
Bootloader is unlocked but i can't access fastboot mode
I get this message :
The serial is not match fastboot_unlock_verify fail
Click to expand...
Click to collapse
josephmh: how you did it?? please help.

nijat1122 said:
josephmh: how you did it?? please help.
Click to expand...
Click to collapse
Use bypass-utility to enter BROM mode nd then unlock with mtkclient or mtkuniversal google it u'll find the how to use them

Question system backup

Hoping I can get some assistance. Seeing as TWRP isn't a viable option right now for the OnePlus 11, I'm curious if there is a good way to do a full system backup/restore (mimic what TWRP did) using ADB or some other native way or application. When I last played around with Titanium I didn't see a good way of performing this task. It's possible I wasn't doing it correctly, but I was playing around with the batch options and couldn't get it to do anything.
Anyway, my thought was to write a powershell script and backup all the partitions that way, but here is my question. On my oneplus 11 (I have the CPH2451 model) I can go to "/dev/block/by-name" and see all the partitions. I can use the adb shell dd if of command to copy it to my sd card and then pull it on to my computer for example, but is this the proper process to back up the system, data, settings?
I notice in TWRP when you go through the backup process, you have the option to backup boot, system, vendor/OEM, data, modem, efs partitions. That leads me to my next question when I traverse through the path I posted above, there are a ton of partitions there, not to mention many duplicate for exable boot_a and boot_b. So when I back it up would I need to back up everything or is there a fast & clean way to backup the minimum required data without missing anything important?

Root and try Swift for app, phone, sms backups.
Otherwise, since almost none of the other partitions are writable anymore, it's pretty pointless backing them up. But you could with DD (again, you would need to be rooted)... fastboot and fastbootd should be capable of writing the partitions back to the device.

All you need to backup is /data since all others are included in your firmware. Problem when do a backup of /data: You need to perform the backup while system is running. You can't access /data from outside the system without TWRP. If you perform a backup use Termux and the tar command for it. The built in tar command of Android is very limited. Termux offers you a full version of tar.

kevp75 said:
Root and try Swift for app, phone, sms backups.
Otherwise, since almost none of the other partitions are writable anymore, it's pretty pointless backing them up. But you could with DD (again, you would need to be rooted)... fastboot and fastbootd should be capable of writing the partitions back to the device.
Click to expand...
Click to collapse
Thanks for your reply. My device is rooted so that's not a problem. It's just a shame that TWRP doesn't seem to be a viable option. As far as SMS back goes, I'm not too concerned about that because I primarily use google voice, so basically all my contacts and SMS/MMS is saved in the cloud. My biggest concern is just getting a working backup of the system/configurations because I tend to do quite a bit of customizations on my phone and it would suck having to redo everything.
WoKoschekk said:
All you need to backup is /data since all others are included in your firmware. Problem when do a backup of /data: You need to perform the backup while system is running. You can't access /data from outside the system without TWRP. If you perform a backup use Termux and the tar command for it. The built in tar command of Android is very limited. Termux offers you a full version of tar.
Click to expand...
Click to collapse
Thank you as well for your reply. I'm assuming termux is a android based terminal? if termux can do it; would adb/adb shell be able to? The only reason I ask is because it's much easier to type commands from a computer than on the phone. Also what commands would I use? Is there a tut I can follow?

m0d hipp¥ said:
termux can do it; would adb/adb shell be able to?
Click to expand...
Click to collapse
Yes, Termux is an app. ADB could do, but with ADB you have only access to Android's built in commands in /system/bin. Termux offers an own environment with full versions of all the limited built in ones.

WoKoschekk said:
Yes, Termux is an app. ADB could do, but with ADB you have only access to Android's built in commands in /system/bin. Termux offers an own environment with full versions of all the limited built in ones.
Click to expand...
Click to collapse
That makes sense. I'll have to play around with it after work and see what I can figure out. Thanks

There are a few things to take care of. I'll post them later here.

For those who are not rooted:
OnePlus Clone Phone app allows to create full backs by copying apps and their data to a different OnePlus/Oppo phone.
adb backup/restore has long stopped working "thanks" to Google.

Sorry I haven't had a chance to test the methods above, but just to be more clear on my end, I'm not super concerned about backing up apps because there are several ways of doing that. Lucky patcher among other tools allows you to backup apps & app settings. I'm a bit more concerned about system settings/configurations. For example if I wanted to do a backup of my current state the system is in. I have over 100 apps disabled and having to redo that is a bit tedious. Not only that, but also all the configurations I have made within the system settings I'd like to save those as well. So this is really what I'm targeting.
EDIT:
For starters I wrote this simple script in Powershell that gets all the partitions on my device.
Code:
$Partition_Path = "/dev/block/bootdevice/by-name"
foreach($Partition in $(adb shell ls $Partition_Path))
{
$Partition
}
The output is the following:
Code:
ALIGN_TO_128K_1
ALIGN_TO_128K_2
DRIVER
abl_a
abl_b
aop_a
aop_b
aop_config_a
aop_config_b
apdp
apdp_full
apdpb
bluetooth_a
bluetooth_b
boot_a
boot_b
cdt
connsec
cpucp_a
cpucp_b
ddr
devcfg_a
devcfg_b
devinfo
dinfo
dip
dsp_a
dsp_b
dtbo_a
dtbo_b
engineering_cdt_a
engineering_cdt_b
featenabler_a
featenabler_b
frp
fsc
fsg
hyp_a
hyp_b
imagefv_a
imagefv_b
init_boot_a
init_boot_b
keymaster_a
keymaster_b
keystore
last_parti
limits
limits-cdsp
logdump
logfs
mdcompress
mdm1oemnvbktmp
mdtp_a
mdtp_b
mdtpsecapp_a
mdtpsecapp_b
metadata
misc
modem_a
modem_b
modemst1
modemst2
multiimgoem_a
multiimgoem_b
multiimgqti_a
multiimgqti_b
ocdt
oplus_sec_a
oplus_sec_b
oplusdycnvbk
oplusreserve1
oplusreserve2
oplusreserve3
oplusreserve4
oplusreserve5
oplusstanvbk_a
oplusstanvbk_b
param
persist
preisp_dt
preisp_dt_bk
preisp_otp
qmcs
qupfw_a
qupfw_b
qweslicstore_a
qweslicstore_b
rawdump
recovery_a
recovery_b
rtice
rticmpdata_a
rticmpdata_b
secdata
shrm_a
shrm_b
splash_a
splash_b
splash_odm
spunvm
ssd
storsec
super
toolsfv
tz_a
tz_b
tzsc
uefi_a
uefi_b
uefisecapp_a
uefisecapp_b
uefivarstore
userdata
vbmeta_a
vbmeta_b
vbmeta_system_a
vbmeta_system_b
vbmeta_vendor_a
vbmeta_vendor_b
vendor_boot_a
vendor_boot_b
vm-bootsys_a
vm-bootsys_b
vm-data
vm-persist
xbl_a
xbl_b
xbl_config_a
xbl_config_b
xbl_ramdump_a
xbl_ramdump_b
xbl_sc_logs
xbl_sc_test_mode
My question is if I went the termux route or the adb shell route to try and do a backup using the command:
Code:
adb exec-out "su -c dd if=$Partition_Path/$Partition of=/sdcard/Backup/$Partition.img"
which of these partitions would be the ones I should focus on backing up? By the way, there are 3 partitions that are HUGE so I don't think they're necessary, but let me know if they are. The 3 partitions are super, userdata, and logdump. By the way userdata is like over 100Gb, and that's unrealistic because my phone def doesn't have that much data on there.

m0d hipp¥ said:
Sorry I haven't had a chance to test the methods above, but just to be more clear on my end, I'm not super concerned about backing up apps because there are several ways of doing that. Lucky patcher among other tools allows you to backup apps & app settings. I'm a bit more concerned about system settings/configurations. For example if I wanted to do a backup of my current state the system is in. I have over 100 apps disabled and having to redo that is a bit tedious. Not only that, but also all the configurations I have made within the system settings I'd like to save those as well. So this is really what I'm targeting.
EDIT:
For starters I wrote this simple script in Powershell that gets all the partitions on my device.
Code:
$Partition_Path = "/dev/block/bootdevice/by-name"
foreach($Partition in $(adb shell ls $Partition_Path))
{
$Partition
}
The output is the following:
Code:
ALIGN_TO_128K_1
ALIGN_TO_128K_2
DRIVER
abl_a
abl_b
aop_a
aop_b
aop_config_a
aop_config_b
apdp
apdp_full
apdpb
bluetooth_a
bluetooth_b
boot_a
boot_b
cdt
connsec
cpucp_a
cpucp_b
ddr
devcfg_a
devcfg_b
devinfo
dinfo
dip
dsp_a
dsp_b
dtbo_a
dtbo_b
engineering_cdt_a
engineering_cdt_b
featenabler_a
featenabler_b
frp
fsc
fsg
hyp_a
hyp_b
imagefv_a
imagefv_b
init_boot_a
init_boot_b
keymaster_a
keymaster_b
keystore
last_parti
limits
limits-cdsp
logdump
logfs
mdcompress
mdm1oemnvbktmp
mdtp_a
mdtp_b
mdtpsecapp_a
mdtpsecapp_b
metadata
misc
modem_a
modem_b
modemst1
modemst2
multiimgoem_a
multiimgoem_b
multiimgqti_a
multiimgqti_b
ocdt
oplus_sec_a
oplus_sec_b
oplusdycnvbk
oplusreserve1
oplusreserve2
oplusreserve3
oplusreserve4
oplusreserve5
oplusstanvbk_a
oplusstanvbk_b
param
persist
preisp_dt
preisp_dt_bk
preisp_otp
qmcs
qupfw_a
qupfw_b
qweslicstore_a
qweslicstore_b
rawdump
recovery_a
recovery_b
rtice
rticmpdata_a
rticmpdata_b
secdata
shrm_a
shrm_b
splash_a
splash_b
splash_odm
spunvm
ssd
storsec
super
toolsfv
tz_a
tz_b
tzsc
uefi_a
uefi_b
uefisecapp_a
uefisecapp_b
uefivarstore
userdata
vbmeta_a
vbmeta_b
vbmeta_system_a
vbmeta_system_b
vbmeta_vendor_a
vbmeta_vendor_b
vendor_boot_a
vendor_boot_b
vm-bootsys_a
vm-bootsys_b
vm-data
vm-persist
xbl_a
xbl_b
xbl_config_a
xbl_config_b
xbl_ramdump_a
xbl_ramdump_b
xbl_sc_logs
xbl_sc_test_mode
My question is if I went the termux route or the adb shell route to try and do a backup using the command:
Code:
adb exec-out "su -c dd if=$Partition_Path/$Partition of=/sdcard/Backup/$Partition.img"
which of these partitions would be the ones I should focus on backing up? By the way, there are 3 partitions that are HUGE so I don't think they're necessary, but let me know if they are. The 3 partitions are super, userdata, and logdump. By the way userdata is like over 100Gb, and that's unrealistic because my phone def doesn't have that much data on there.
Click to expand...
Click to collapse
All settings and apps and app data is stored on /data. If you backup /data and save it on /sdcard (which is the path /data/media/0) your backup runs infinitely

TWRP does a backup either by dd or with tar. The command dd creates an image and tar an archive. It doesn't make sense to create an image of /data for two reasons: encryption will be corrupt and you don't have enough storage space on /data to save an image of /data.

What TWRP does: Create an archive of /data with tar, but exclude /data/media. It looks like this in Termux:
Code:
tar -cv --exclude='media/*' --file=/storage/$EXT/data.ext4.win000 /data
This saves the backup on an external sd. You can change it to
Code:
tar -cv --exclude='media/*' --file=/data/media/0/data.ext4.win000 /data
for saving the backup in your internal storage.

WoKoschekk said:
All settings and apps and app data is stored on /data. If you backup /data and save it on /sdcard (which is the path /data/media/0) your backup runs infinitely
Click to expand...
Click to collapse
So basically infinite loop? Is there any way to break out of it? Or what if I back it up to another partition that has RW and then when it's done move it to the sdcard?
Also I'm trying to understand how to use tar with exec-out. Would it be something like this:
Code:
adb exec-out "su -c dd if=/dev/block/bootdevice/by-name/userdata && tar -cz -p --exclude='media*' --exclude='*-cache' /sdcard/userdata.tar"

it's also possible to split the archive in several parts:
Code:
tar -cv --exclude='media/*' -ML 1572864 --file=/data/media/0/data.ext4.win000 --file=/data/media/0/data.ext4.win001 --file=/data/media/0/data.ext4.win002 /data
this way you get 3 parts with a size of 1,5GB for each of it.

please wait, it's a bit more complicated

do you have a TWRP backup of any phone?

Unfortunately I don't have a phone with TWRP. I do have a oneplus 9 Pro (LE2125) on hand, but it doesn't have TWRP either. As far as I am aware TWRP isn't available for the OP9 pro.
By the way, I really appreciate your help and your examples. Thank you!

m0d hipp¥ said:
Unfortunately I don't have a phone with TWRP. I do have a oneplus 9 Pro (LE2125) on hand, but it doesn't have TWRP either. As far as I am aware TWRP isn't available for the OP9 pro.
By the way, I really appreciate your help and your examples. Thank you!
Click to expand...
Click to collapse
The 9 pro has twrp and it works on oos13 too.

m0d hipp¥ said:
Unfortunately I don't have a phone with TWRP. I do have a oneplus 9 Pro (LE2125) on hand, but it doesn't have TWRP either. As far as I am aware TWRP isn't available for the OP9 pro.
By the way, I really appreciate your help and your examples. Thank you!
Click to expand...
Click to collapse
Ok, here is a part of the recovery.log by TWRP. It starts with the beginning of a backup of /data:
Code:
I:operation_start: 'Nandroid'
Updating partition details...
I:Data backup size is 5760MB, free: 43310MB.
I:Unable to mount '/usb-otg'
I:Actual block device: '', current file system: 'auto'
...done
I:Backup Name is: '2023-06-07--22-01-50'
I:Backup_Folder is: '/external_sd/TWRP/BACKUPS/ZY322V8K28/2023-06-07--22-01-50'
I:Calculating backup details...
* Total number of partitions to back up: 1
* Total size of all data: 5760MB
* Available space: 53009MB
[BACKUP STARTED]
* Backup Folder: /external_sd/TWRP/BACKUPS/ZY322V8K28/2023-06-07--22-01-50
Invalid encryption mode file /data/unencrypted/mode
Backing up Data (excl. storage)...
Backups of Data do not include any files in internal storage such as pictures or downloads.
Invalid encryption mode file /data/unencrypted/mode
Breaking backup file into multiple archives...
I:Creating backup...
I:Creating tar file '/external_sd/TWRP/BACKUPS/ZY322V8K28/2023-06-07--22-01-50/data.ext4.win000'
I:addFile '/data/ota' including root: 1
==> set selinux context: u:object_r:ota_data_file:s0
Click to expand...
Click to collapse
TWRP does exclude the "storage" which is /data/media. This directory gets always mounted as /storage/emulated/0 for security reasons on every Android phone.The path /storage/emulated/0 is the sdcardfs (virtual filesystem, see here for more info). Additionally it's always linked as /sdcard in the system.
So, /data/media = /storage/emulated/0 = /sdcard!

The log shows also that TWRP saves the files of /data as a tar archive. But tar ≠ tar if you compare Android's tar with the one of Termux.
Android's tar:
Code:
usage: tar -[cxtjzhmvO] [-X FILE] [-T FILE] [-f TARFILE] [-C DIR]
Create, extract, or list files from a tar file
Operation:
c Create
f Name of TARFILE ('-' for stdin/out)
h Follow symlinks
j (De)compress using bzip2
m Don't restore mtime
t List
v Verbose
x Extract
z (De)compress using gzip
C Change to DIR before operation
O Extract to stdout
exclude=FILE File to exclude
X File with names to exclude
T File with names to include
Termux:
Code:
Usage: tar [OPTION...] [FILE]...
GNU 'tar' saves many files together into a single tape or disk archive, and can
restore individual files from the archive.
Examples:
tar -cf archive.tar foo bar # Create archive.tar from files foo and bar.
tar -tvf archive.tar # List all files in archive.tar verbosely.
tar -xf archive.tar # Extract all files from archive.tar.
Main operation mode:
-A, --catenate, --concatenate append tar files to an archive
-c, --create create a new archive
--delete delete from the archive (not on mag tapes!)
-d, --diff, --compare find differences between archive and file system
-r, --append append files to the end of an archive
--test-label test the archive volume label and exit
-t, --list list the contents of an archive
-u, --update only append files newer than copy in archive
-x, --extract, --get extract files from an archive
Operation modifiers:
--check-device check device numbers when creating incremental
archives (default)
-g, --listed-incremental=FILE handle new GNU-format incremental backup
-G, --incremental handle old GNU-format incremental backup
--hole-detection=TYPE technique to detect holes
--ignore-failed-read do not exit with nonzero on unreadable files
--level=NUMBER dump level for created listed-incremental archive
--no-check-device do not check device numbers when creating
incremental archives
--no-seek archive is not seekable
-n, --seek archive is seekable
--occurrence[=NUMBER] process only the NUMBERth occurrence of each file
in the archive; this option is valid only in
conjunction with one of the subcommands --delete,
--diff, --extract or --list and when a list of
files is given either on the command line or via
the -T option; NUMBER defaults to 1
--sparse-version=MAJOR[.MINOR]
set version of the sparse format to use (implies
--sparse)
-S, --sparse handle sparse files efficiently
Local file name selection:
--add-file=FILE add given FILE to the archive (useful if its name
starts with a dash)
-C, --directory=DIR change to directory DIR
--exclude=PATTERN exclude files, given as a PATTERN
--exclude-backups exclude backup and lock files
--exclude-caches exclude contents of directories containing
CACHEDIR.TAG, except for the tag file itself
--exclude-caches-all exclude directories containing CACHEDIR.TAG
--exclude-caches-under exclude everything under directories containing
CACHEDIR.TAG
--exclude-ignore=FILE read exclude patterns for each directory from
FILE, if it exists
--exclude-ignore-recursive=FILE
read exclude patterns for each directory and its
subdirectories from FILE, if it exists
--exclude-tag=FILE exclude contents of directories containing FILE,
except for FILE itself
--exclude-tag-all=FILE exclude directories containing FILE
--exclude-tag-under=FILE exclude everything under directories
containing FILE
--exclude-vcs exclude version control system directories
--exclude-vcs-ignores read exclude patterns from the VCS ignore files
--no-null disable the effect of the previous --null option
--no-recursion avoid descending automatically in directories
--no-unquote do not unquote input file or member names
--no-verbatim-files-from -T treats file names starting with dash as
options (default)
--null -T reads null-terminated names; implies
--verbatim-files-from
--recursion recurse into directories (default)
-T, --files-from=FILE get names to extract or create from FILE
--unquote unquote input file or member names (default)
--verbatim-files-from -T reads file names verbatim (no escape or option
handling)
-X, --exclude-from=FILE exclude patterns listed in FILE
File name matching options (affect both exclude and include patterns):
--anchored patterns match file name start
--ignore-case ignore case
--no-anchored patterns match after any '/' (default for
exclusion)
--no-ignore-case case sensitive matching (default)
--no-wildcards verbatim string matching
--no-wildcards-match-slash wildcards do not match '/'
--wildcards use wildcards (default for exclusion)
--wildcards-match-slash wildcards match '/' (default for exclusion)
Overwrite control:
--keep-directory-symlink preserve existing symlinks to directories when
extracting
--keep-newer-files don't replace existing files that are newer than
their archive copies
-k, --keep-old-files don't replace existing files when extracting,
treat them as errors
--no-overwrite-dir preserve metadata of existing directories
--one-top-level[=DIR] create a subdirectory to avoid having loose files
extracted
--overwrite overwrite existing files when extracting
--overwrite-dir overwrite metadata of existing directories when
extracting (default)
--recursive-unlink empty hierarchies prior to extracting directory
--remove-files remove files after adding them to the archive
--skip-old-files don't replace existing files when extracting,
silently skip over them
-U, --unlink-first remove each file prior to extracting over it
-W, --verify attempt to verify the archive after writing it
Select output stream:
--ignore-command-error ignore exit codes of children
--no-ignore-command-error treat non-zero exit codes of children as
error
-O, --to-stdout extract files to standard output
--to-command=COMMAND pipe extracted files to another program
Handling of file attributes:
--atime-preserve[=METHOD] preserve access times on dumped files, either
by restoring the times after reading
(METHOD='replace'; default) or by not setting the
times in the first place (METHOD='system')
--clamp-mtime only set time when the file is more recent than
what was given with --mtime
--delay-directory-restore delay setting modification times and
permissions of extracted directories until the end
of extraction
--group=NAME force NAME as group for added files
--group-map=FILE use FILE to map file owner GIDs and names
--mode=CHANGES force (symbolic) mode CHANGES for added files
--mtime=DATE-OR-FILE set mtime for added files from DATE-OR-FILE
-m, --touch don't extract file modified time
--no-delay-directory-restore
cancel the effect of --delay-directory-restore
option
--no-same-owner extract files as yourself (default for ordinary
users)
--no-same-permissions apply the user's umask when extracting permissions
from the archive (default for ordinary users)
--numeric-owner always use numbers for user/group names
--owner=NAME force NAME as owner for added files
--owner-map=FILE use FILE to map file owner UIDs and names
-p, --preserve-permissions, --same-permissions
extract information about file permissions
(default for superuser)
--same-owner try extracting files with the same ownership as
exists in the archive (default for superuser)
--sort=ORDER directory sorting order: none (default), name or
inode
-s, --preserve-order, --same-order
member arguments are listed in the same order as
the files in the archive
Handling of extended file attributes:
--acls Enable the POSIX ACLs support
--no-acls Disable the POSIX ACLs support
--no-selinux Disable the SELinux context support
--no-xattrs Disable extended attributes support
--selinux Enable the SELinux context support
--xattrs Enable extended attributes support
--xattrs-exclude=MASK specify the exclude pattern for xattr keys
--xattrs-include=MASK specify the include pattern for xattr keys
Device selection and switching:
--force-local archive file is local even if it has a colon
-f, --file=ARCHIVE use archive file or device ARCHIVE
-F, --info-script=NAME, --new-volume-script=NAME
run script at end of each tape (implies -M)
-L, --tape-length=NUMBER change tape after writing NUMBER x 1024 bytes
-M, --multi-volume create/list/extract multi-volume archive
--rmt-command=COMMAND use given rmt COMMAND instead of rmt
--rsh-command=COMMAND use remote COMMAND instead of rsh
--volno-file=FILE use/update the volume number in FILE
Device blocking:
-b, --blocking-factor=BLOCKS BLOCKS x 512 bytes per record
-B, --read-full-records reblock as we read (for 4.2BSD pipes)
-i, --ignore-zeros ignore zeroed blocks in archive (means EOF)
--record-size=NUMBER NUMBER of bytes per record, multiple of 512
Archive format selection:
-H, --format=FORMAT create archive of the given format
FORMAT is one of the following:
gnu GNU tar 1.13.x format
oldgnu GNU format as per tar <= 1.12
pax POSIX 1003.1-2001 (pax) format
posix same as pax
ustar POSIX 1003.1-1988 (ustar) format
v7 old V7 tar format
--old-archive, --portability
same as --format=v7
--pax-option=keyword[[:]=value][,keyword[[:]=value]]...
control pax keywords
--posix same as --format=posix
-V, --label=TEXT create archive with volume name TEXT; at
list/extract time, use TEXT as a globbing pattern
for volume name
Compression options:
-a, --auto-compress use archive suffix to determine the compression
program
-I, --use-compress-program=PROG
filter through PROG (must accept -d)
-j, --bzip2 filter the archive through bzip2
-J, --xz filter the archive through xz
--lzip filter the archive through lzip
--lzma filter the archive through lzma
--lzop filter the archive through lzop
--no-auto-compress do not use archive suffix to determine the
compression program
--zstd filter the archive through zstd
-z, --gzip, --gunzip, --ungzip filter the archive through gzip
-Z, --compress, --uncompress filter the archive through compress
Local file selection:
--backup[=CONTROL] backup before removal, choose version CONTROL
--hard-dereference follow hard links; archive and dump the files they
refer to
-h, --dereference follow symlinks; archive and dump the files they
point to
-K, --starting-file=MEMBER-NAME
begin at member MEMBER-NAME when reading the
archive
--newer-mtime=DATE compare date and time when data changed only
-N, --newer=DATE-OR-FILE, --after-date=DATE-OR-FILE
only store files newer than DATE-OR-FILE
--one-file-system stay in local file system when creating archive
-P, --absolute-names don't strip leading '/'s from file names
--suffix=STRING backup before removal, override usual suffix ('~'
unless overridden by environment variable
SIMPLE_BACKUP_SUFFIX)
File name transformations:
--strip-components=NUMBER strip NUMBER leading components from file
names on extraction
--transform=EXPRESSION, --xform=EXPRESSION
use sed replace EXPRESSION to transform file
names
Informative output:
--checkpoint[=NUMBER] display progress messages every NUMBERth record
(default 10)
--checkpoint-action=ACTION execute ACTION on each checkpoint
--full-time print file time to its full resolution
--index-file=FILE send verbose output to FILE
-l, --check-links print a message if not all links are dumped
--no-quote-chars=STRING disable quoting for characters from STRING
--quote-chars=STRING additionally quote characters from STRING
--quoting-style=STYLE set name quoting style; see below for valid STYLE
values
-R, --block-number show block number within archive with each message
--show-defaults show tar defaults
--show-omitted-dirs when listing or extracting, list each directory
that does not match search criteria
--show-snapshot-field-ranges
show valid ranges for snapshot-file fields
--show-transformed-names, --show-stored-names
show file or archive names after transformation
--totals[=SIGNAL] print total bytes after processing the archive;
with an argument - print total bytes when this
SIGNAL is delivered; Allowed signals are: SIGHUP,
SIGQUIT, SIGINT, SIGUSR1 and SIGUSR2; the names
without SIG prefix are also accepted
--utc print file modification times in UTC
-v, --verbose verbosely list files processed
--warning=KEYWORD warning control
-w, --interactive, --confirmation
ask for confirmation for every action
Compatibility options:
-o when creating, same as --old-archive; when
extracting, same as --no-same-owner
Other options:
-?, --help give this help list
--restrict disable use of some potentially harmful options
--usage give a short usage message
--version print program version
Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.
The backup suffix is '~', unless set with --suffix or SIMPLE_BACKUP_SUFFIX.
The version control may be set with --backup or VERSION_CONTROL, values are:
none, off never make backups
t, numbered make numbered backups
nil, existing numbered if numbered backups exist, simple otherwise
never, simple always make simple backups
Valid arguments for the --quoting-style option are:
literal
shell
shell-always
shell-escape
shell-escape-always
c
c-maybe
escape
locale
clocale
*This* tar defaults to:
--format=gnu -f- -b20 --quoting-style=escape
--rmt-command=/data/data/com.termux/files/usr/libexec/rmt
You see the difference...
Download Termux here.
Open it and first of all run pkg update