Hi Guys,
I got a Samsung Galaxy S-Plus from a buddy. He broke the screen of the phone; it stays black all the time and touch doesn't work (keys don't light up when you touch the screen). All keys, including the two touch keys, are working. I was able to flash CWM 6.0.2.8 on this phone using ODIN. From CWM I installed CyanogenMod 9 over adb with the commands
Code:
recovery --update_package=/sdcard/update.zip
(update.zip was the CM9 zip file.)
After that, I enabled adb access from CWM by adding
Code:
persist.service.adb.enable=1
persist.service.debuggable=1
persist.sys.usb.config=mtp,adb
to /system/build.prop. That works fine; I am able to boot the phone and log in to adb. The problem is: I want root access to play around a little bit more with that phone. So I added
Code:
persist.service.adb.root=1
persist.sys.root_access=3
to /system/build.prop. Those properties seem to be set correctly,
Code:
[email protected]:/ $ getprop persist.sys.root_access
3
[email protected]:/ $ getprop persist.service.adb.root
1
but
Code:
[email protected]:~$ adb root
adbd cannot run as root in production builds
[email protected]:~$ adb shell
[email protected]:/ $ su
Permission denied
Please help me to find a solution to enable adb root access from the recovery without screen access.
NOTE: I don't pursue a specific target with that phone, I am only playing a little bit around.
How To Get Permanent Root
This is a workaround until I can compile a Bootable Kernel
First of all say thanks to @Captain_Throwback !!
He was the original creator of the TWRP Recovery for the Desire 626s.
I have taken his TWRP recovery for the 626s, unpacked it and ported in some of the Desire 526 recovery image.
Kinda a cracked up way of doing this but hey ( It Works)
Step #1
Unlock Your Boot-Loader !!! (currently accomplished with a Java Card / HTC Service Tool)
Even with the card you could run into trouble with unlocking the boot-loader.
There is no switch to Enable OEM Unlock available in the Developer Options.
Here is a work-around for that.
Step #1-A
Open up terminal shell on a computer and pull the frp image from the device. (Temp Root Required)
Code:
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
Terminal Output
root@htc_a13wlpp:/ # dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
root@htc_a13wlpp:/ #
Pull the frp.img to the computer.
If you are still in adb shell.
Code:
exit
exit
Then from the normal command line
Code:
adb pull /sdcard/frp.img
Terminal Output
root@htc_a13wlpp:/ # exit
shell@htc_a13wlpp:/ $ exit
[email protected]:~$ adb pull /sdcard/frp.img
2758 KB/s (524288 bytes in 0.185s)
[email protected]:~$
Now open the frp.img file in a hex editor, like HxD on Windows.
Go to the last line of the file.
Change the very last 00 to 01 and save the file.
Reference the screen shots below.
Factory FRP
Patched FRP
Flash the patched frp.img to the device.
Back to the terminal.
Code:
adb push frp.img /sdcard/frp.img
Code:
adb shell
su
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
If you have completed this, now your clip can unlock the boot-loader.
In case you're wondering, this will also work on a boot loader locked device. It will get you as far as being able to get an unlock token from fastboot using Fastboot oem get_identifier_token WITH THE DEVICE IN DOWNLOAD MODE
Unfortunately HTC-DEV still will not give you the UNLOCK TOKEN yet. The pg2fs partition needs an edit, then htc dev will generate a good code. Problem is without clip you cannot modify the pg2fs image. Although I am working on it.
STEP #2 ( Get Perm Root !! )
Download the Patched TWRP and SuperSu
The 2 files are attached to the thread. Unzip the TWRP-No-Touch.img.zip. Do not unzip the Super.zip.
Copy the super.zip to the device sdcard. Use file explorer or terminal.
Code:
adb push super.zip /sdcard/super.zip
Flash the TWRP Recovery to the device.
reboot to download mode
Code:
adb reboot download
Flash the recovery
Code:
fastboot flash recovery Twrp-526-NO-TOUCH.img
Boot into TWRP Recovery
Code:
fastboot boot recovery
DON'T PANIC !! Yes, you're right......The touch screen is not working!!!
I need to compile a custom kernel to get TWRP working Right.
I have compiled the kernel but it isn't booting right yet. That's why I figured out this work around for now.
So Now What ???
No worries....Even though we can't access the TWRP commands from the touch screen LETS NOT FORGET.........
We can use the command line :highfive:
Open up terminal on your computer.
If it's not already open.
Go into the shell.
Code:
adb shell
No need to type su cause in case you didn't notice we are already ROOT. "#"
So to install SuperSu (or any other zip package) we do this.
#1 Mount the system partition.
Code:
mount -o rw -t ext4 /dev/block/mmcblk0p62 /system
#2 Tell TWRP what we want it to do, one step at a time
Set device to boot into recovery upon reboot.
Code:
echo 'boot-recovery ' > /cache/recovery/command
Tell TWRP to install SuperSu when it boots.
Code:
echo '--update_package=/sdcard/super.zip' >> /cache/recovery/command
Reboot the recovery to install the SuperSu.
Code:
reboot recovery
Now you will see TWRP boot back up and when it boots up it will install the zip package.
Congratulations, you are now one of the first people to have a fully rooted Verizon Desire 526. :laugh::silly:
Let's get busy boys !!!! We need to get this boot loader unlocked for the rest of the community.
It's all about the pg2fs partition. If we can find a way to write to it with s-on and boot loader locked then we can unlock all boot-loaders
Glad to see some positive progress in the right direction....
BigCountry907 ,
Since the Marshmallow update gives us the developer options OEM unlock switch, shouldn't we just update to it first, to get the bootloader unlock?
OEM Update
You won't find the option to turn on OEM in the device.
You can enable it! Here's how:
Go to the Google Play Store.
Search secret codes revealer.
Search codes
Look for 759
Click launch code
Confirm launch
Under oem click on.
Congrats. You've just enabled oem on your desire 526!
Happy hunting.
BigCountry907 said: [quote of the "How To Get Permanent Root" post above omitted]
Good to know about the 759 code webag.youtag.
But without buying the clip device we are still stuck.
So hopefully BigCountry907 can find a way to unlock the bootloader and root without the clip.
Sidenote: I tried changing my PRL but couldn't get the changes to stick. I tried DFS and QPST. Am I missing something?
@webag.youtag
I installed the mentioned app and used the code.
It shows in the app that the oem is turned on.
But it isn't setting the last byte of the FRP to 01, so ultimately it will not work.
I tested and still get.
[email protected]:~$ fastboot oem get_identifier_token
...
(bootloader) [KillSwitch] : /dev/block/bootdevice/by-name/frp
(bootloader) [KillSwitch] Last Byte is 0X00, disable unlock
(bootloader) [KillSwitch] oem unlock Turn Off!
OKAY [ 0.082s]
finished. total time: 0.082s
[email protected]:~$
The app lacks permissions to write to the frp partition.
Anyone working on unlocking the boot-loader needs to use the method I posted previously.
And also note: If you reboot the phone then you need to flash the frp partition again.
During re-boot the bit gets set back to 00.
So in a nutshell.
Edit your frp. Make 00 = 01.
Then dd flash the frp.
Then adb reboot download.
Then fastboot oem get_identifier_token.
Problem is there still is a change required in the pg2fs partition / TO Avoid the CID Not Allowed Error
@supermaxkato
Not sure about the prl.
But I have noticed that the security system is tricky.
It will show you in adb shell that you have written the changes to the partition successfully.
But due to the read only protection the partition never really gets written.
Basically instead of giving an error it is writing to a NULL device successfully.
I was looking around and saw a post! (Rare I know)
Have you tried hboot instead of fastboot? Also, I have no computer (sad). I am able to get temp root with "kingroot-4.8.2". I am able to use hex edit to change frp from 00 to 01. Is there a way to get identifier token without a PC? Maybe in configuration files or prop files?
BigCountry907 said: [quote of the post above omitted]
Can you please upload your unlocked boot loader bigcountry907?
Any more progress on this, gentlemen?
When I follow the OP and get to the step:
"fastboot flash recovery Twrp-526-NO-TOUCH.img"
I receive the following error:
FAILED (remote: 9: SD_SECURITY_FAIL recovery and bootloader isn't BL_UNLOCK)
finished. total time: 2.762s
Steps taken:
-frp.img (Pulled from the device, edited & reflashed back with dd command, adb shell reports successful)
-pushed super.zip to device
-rebooted using fastboot to download mode
-attempted to flash TWRP & get the fail with the same error multiple times
Any suggestions or clues? I've attempted this several times, following the OP step by step.
Thanks for the help
@rfunderburk39
You have to unlock the BOOTLOADER first.
Currently I can only unlock it with the xtc-2 clip.
But I'm working on it.
Surprisingly my desire 530 was able to be s-off using TWRP recovery.
If i can somehow capture the commands passed from the xtc-2 clip to the twrp recovery we can replicate it.
Other than that we're looking at cooking a qfil / qpst flashable rom.
Not easy.
does anyone know how to log all commands sent to TWRP?
BigCountry907, is the desire 530 you were able to root with twrp the verizon version? If so, did you have to unlock the bootloader first? Because I don't see it on htcdev.
@BigCountry907 I misunderstood the OP, I thought the frp.img edit was a work around of the Java Card.
I will look into the logging of the TWRP commands. Let me know if I can help out in other ways.
@rfunderburk39
It gets you one step closer but still at the end it fails.
Verizon implements some major security.
I could really use some help.
I got a lot together. The entire qcom msm8909 source + manuals, you name it.
I was amazed today when i unlocked a desire 530 with the xtc-2 clip and it used @Captain_Throwback twrp to s-off the device.
The beauty of this is it proves S-Off is possible through twrp recovery.
It was my belief that the recovery did not have high enough permissions to write to the radio and get s-off.
Apparently if you know the right commands in the TWRP #shell it's possible.
So how deep into linux / android do you go?
My next best attempt is to generate a service rom using QPST to flash in EDL mode.
Ever make a partition.xml file???
That's about where I'm at.
oh yea and JTAG TOO.
BigCountry907 said: [quote of the post above omitted]
Tomorrow my time will be limited during the day, but I can look into "qcom msm8909 source + manuals" & the ability to log TWRP commands and see what I can find.
Interesting about the 530, I was not aware that was possible.
I've used linux for about 20 years, and would consider my knowledge to be good, with the ability to usually get to source of a problem and/or find a solution slash work around.
I've never created a partition.xml, but would be happy to look into it.
I do have quite a bit of past JTAG experience but that was using a serial port not USB, which I assume you are referencing.
@supermaxkato
No my Desire 530 is Metro-Pcs.
I took one of the verizon 526 and activated it then used the phone number to port to Metro Pcs.
With the port it cost $70 for the Desire 530 + 1 month of unlimited service. Essentially the Desire 530 was free.
Any Verizon HTC most likely will have the same security scheme.
@rfunderburk39
This is good news. I would be grateful to have help on this.
It is difficult to know what kind of experience people have; some don't even know how to use adb.
I will start another thread with all the information I know so far.
And I have the MSM8909 source code. Not just the kernel but the "Qualcomm Chipcode" Board Support Package.
And many qcom manuals.
This should be very helpful to us.
I will name the new thread "{WIP} {ROM} MSM8909 Service Rom From Source / QPST Root + Unlock + Unbrick"
I will post all current information there.
Something potentially worth trying:
-Grab the Settings.apk (and .odex) from the 526+ or 626, just make sure it's the same version of android.
-Push those to device
-adb shell
-su
-mount -o rw,remount,rw /system
-exit
-exit
-adb push Settings.apk /system/priv-app/Settings/
-adb push Settings.odex /system/priv-app/Settings/arm/
-Open >settings>developer options on the device
-check and see if the option “OEM Unlock” appears
-reboot into "download mode" and see if the settings stick.
-run fastboot oem get_identifier_token
Granted this holds the possibility of bricking the phone, but more than likely will not stick on a reboot & the Settings.apk will be replaced with the device original.
I will test on mine.
Give me an hour
Well I replaced the settings files with the settings files from the unlocked ruu for the 526.
It's a no-go the settings app crashes on boot.
This would only add the oem_unlocking option.
We can get the same result by changing the last byte 00 of the FRP.img to 01 and then in a root shell
to pull
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
to push
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
This will work to get an Unlock Token but the HTC-DEV site will reject it.
ERROR = CID Not Allowed.
If you can find a way to write the pg2fs partition I can make this work.
BigCountry907 said: [quote of the "It gets you one step closer" post above omitted]
BigCountry907 said: [quote of the "Well I replaced the settings files" post above omitted]
I didn't think it would work, just an outside chance. Hoped it may give a different token, that in turn would pass over at HTC-DEV.
Back when I had other HTC devices, I used a tool here on XDA, [TOOL] HTC Easy Unlock Bootloader Tool. It doesn't appear to be maintained any longer; it's based around Windows *.bat files (easy enough to edit)
https://forum.xda-developers.com/showthread.php?t=2133336
and SimpleGoldCard
https://forum.xda-developers.com/showthread.php?t=970157
SimpleGoldCard would access a site, after downloading that, you select it in the SimpleGoldCard application & it would create the image.
https://huygens.hoxnet.com/goldcard.html
I haven't had time to read through these post just yet, the method may no longer be valid. But worth a look, and I will be reading through these today to see.
Also I will see what I can find about a work-a-round for writing to the pg2fs partition
This procedure supplements what was posted on 2ch.
this procedure is for firmware v3.3.18 or less.
If your firmware is v3.3.20, you may be able to downgrade to v3.3.18 with the procedure described at the end of this post.
for necessary files, download from the following URL.
hZtZtpsZ://wZwZwZ.axfc.net/u/3777377
Z←remove
(PASS Z581KL) (差分=Difference,キーワード=KEYWORD,ダウンロード=Download,こちら=HERE,cacheに置くもの=Things to put in the cache)
1.extract boot image
turn on debug mode.
then, reboot recovery mode.
Code:
$ adb reboot recovery
after that, mount the system using the terminal volume button and the power button.
Code:
$ adb push dirtycow /tmp/
$ adb push run-as /tmp/
$ adb shell
[email protected]_1:/ $ cd /tmp
[email protected]_1:/tmp $ chmod 777 dirtycow
[email protected]_1:/tmp $ chmod 777 run-as
[email protected]_1:/tmp $ ./dirtycow ./run-as /system/bin/run-as
[email protected]_1:/tmp $ run-as
[email protected]_1:/tmp # dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
[email protected]_1:/tmp # chmod 777 /tmp/boot.img
[email protected]_1:/tmp # exit
[email protected]_1:/tmp $ exit
transfer boot.img to PC.
Code:
$ adb pull /tmp/boot.img ./
2.unpacking the boot.img
"mkbootimg_tools-master" is useful because it outputs log of ramdisk size.
(However, binary "mkbootfs" and "mkbootimg" are 32-bit versions.
if your environment is 64-bit, you need to bring 64-bit binaries from CarlivImageKitchen64 etc)
for example, using mkbootimg_tools-master looks like this:
Code:
$ ./mkboot bootimg_source/boot.img bootimg_output
Unpack & decompress bootimg_source/boot.img to bootimg_output
kernel : kernel
ramdisk : ramdisk
page size : 2048
kernel size : 29041019
ramdisk size : 2924316 <- refer to this value later
base : 0x80000000
kernel offset : 0x00008000
ramdisk offset : 0x01000000
tags offset : 0x00000100
cmd line : console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlyprintk vmalloc=256M build_version=3
ramdisk is gzip format.
Unpack completed.
directories after unpacking boot.img looks like this:
bootimg_output
|--ramdisk
|--kernel
`--others(img_info,ramdisk.packed,etc)
3.install SuperSU manually
overwrite the contents of "initrd差分.7z" under directory "ramdisk".
("su" is an empty directory, but put it under "ramdisk" as well)
(for "sbin", you only need to add launch_daemon.sh without deleting the existing files)
(permissions on files/directories should be the same as original or other file/directories)
4.repacking the boot.img
for example, using mkbootimg_tools-master looks like this:
Code:
$ ./mkboot bootimg_output boot_patched.img
mkbootimg from bootimg_output/img_info.
kernel : kernel
ramdisk : new_ramdisk
page size : 2048
kernel size : 29041019
ramdisk size : 2924316
base : 0x80000000
kernel offset : 0x00008000
ramdisk offset : 0x01000000
tags offset : 0x00000100
cmd line : console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlyprintk vmalloc=256M build_version=3
ramdisk is gzip format.
Repack image utility by [email protected]
Check and add the kernel
Check and add the ramdisk
Build the new image
'boot_patched.img' successfully repacked
Kernel size: 29041019, new ramdisk size: 2924316, test_patched.img: 31969280.
test_patched.img has been created.
...
at this time, it is necessary to adjust so that the value of "new ramdisk size" becomes
the same value as "ramdisk size" when unpack.
if the size of "ramdisk" is different from when unpacked, Z581KL will not start.
therefore, delete unnecessary files stored under ramdisk/res/images/charger and add dummy files.
(a difference of about several bytes seems to be no problem)
(once a wrong boot.img is written, Z581KL will not start until you write the original boot.img)
however, the size of the original boot.img and the modified boot.img can be different.
(in my environment, the original boot.img was about 67MB, while the modified boot.img was
about 32MB)
5.insert modified boot.img
using dirtycow, adb push, and dd, insert the modified boot.img into the /dev/block/mmcblk0p41
also, put "su.img" and "SuperSU.apk" in /cache
then, reboot Z581KL.
"Verification Error" is always displayed when starting up, but if you wait for a while
it will start normally.
that's all.
**********************
Firmware downgrade procedure
1. your firmware is v3.3.20.0
2. download firmware from asus's support page. (UL-P008-WW-3.3.18.0-user.zip)
3. rename the zip file ( UL-P008-WW-3.3.18.0-user.zip -> UL-P008-WW-5.3.9.0-user.zip )
4. Place the zip file in an arbitrary directory on the SD card and insert this SD card into Z581KL
5. The update dialog is displayed as it is ( or it is displayed when restarted )
If the firmware is v 5 or higher (currently v 5.3.9.0 is published),
this procedure may indicate an error and the downgrade may fail.
In that case, for now I have no choice but to give up ...
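An added example, not part of the post above and not the mkbootimg_tools code: a Python checker for the rule in step 4 (the repacked ramdisk must keep the size reported at unpack time). It parses the legacy "ANDROID!" boot.img header, derives the base/offset values that mkboot prints, and compares an original and a repacked image; build_boot_image and every size in it are constructed test helpers, not Z581KL data.

```python
import struct
import sys

# Legacy Android boot image header (header version 0, "ANDROID!" magic):
# eight little-endian u32 fields follow the 8-byte magic. The header
# always occupies one full page; kernel, ramdisk and second stage follow,
# each padded to a page boundary.
BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8s8I"
HEADER_FIELDS = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
                 "second_size", "second_addr", "tags_addr", "page_size")
KERNEL_OFFSET = 0x00008000  # mkbootimg convention: kernel_addr = base + 0x8000


def page_align(size, page_size):
    """Round size up to the next multiple of page_size (0 stays 0)."""
    return (size + page_size - 1) // page_size * page_size


def parse_boot_header(data):
    """Return the raw header fields plus the base/offset view mkboot prints."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("image shorter than a boot header")
    raw = struct.unpack_from(HEADER_FMT, data, 0)
    if raw[0] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic: not a boot.img")
    hdr = dict(zip(HEADER_FIELDS, raw[1:]))
    base = hdr["kernel_addr"] - KERNEL_OFFSET
    hdr["base"] = base
    hdr["kernel_offset"] = KERNEL_OFFSET
    hdr["ramdisk_offset"] = hdr["ramdisk_addr"] - base
    hdr["tags_offset"] = hdr["tags_addr"] - base
    return hdr


def expected_image_size(kernel_size, ramdisk_size, page_size, second_size=0):
    """Header page + page-aligned kernel, ramdisk and (optional) second stage."""
    return (page_size + page_align(kernel_size, page_size)
            + page_align(ramdisk_size, page_size)
            + page_align(second_size, page_size))


def extract_ramdisk(data):
    """Slice the (still compressed) ramdisk out of a boot image."""
    hdr = parse_boot_header(data)
    ps = hdr["page_size"]
    start = ps + page_align(hdr["kernel_size"], ps)
    return data[start:start + hdr["ramdisk_size"]]


def check_repack(original, patched):
    """Apply the post's rule: the repacked ramdisk must keep the original size,
    and the layout fields must be unchanged. Returns (ok, message)."""
    o = parse_boot_header(original)
    p = parse_boot_header(patched)
    problems = []
    if p["ramdisk_size"] != o["ramdisk_size"]:
        problems.append("ramdisk size %d != original %d"
                        % (p["ramdisk_size"], o["ramdisk_size"]))
    for key in ("page_size", "base", "kernel_offset", "ramdisk_offset", "tags_offset"):
        if p[key] != o[key]:
            problems.append("%s changed: %#x -> %#x" % (key, o[key], p[key]))
    exp = expected_image_size(p["kernel_size"], p["ramdisk_size"],
                              p["page_size"], p["second_size"])
    if len(patched) != exp:
        problems.append("image length %d, header implies %d" % (len(patched), exp))
    return (not problems, "; ".join(problems) or "ok")


def build_boot_image(kernel, ramdisk, page_size=2048, base=0x80000000):
    """Constructed test helper: lay out a minimal boot.img the way mkbootimg does,
    using the same base/offsets the post's mkboot output shows."""
    header = struct.pack(HEADER_FMT, BOOT_MAGIC,
                         len(kernel), base + KERNEL_OFFSET,
                         len(ramdisk), base + 0x01000000,
                         0, base + 0x00F00000,
                         base + 0x00000100, page_size)
    header = header.ljust(page_size, b"\0")
    return (header
            + kernel.ljust(page_align(len(kernel), page_size), b"\0")
            + ramdisk.ljust(page_align(len(ramdisk), page_size), b"\0"))


if __name__ == "__main__":
    # usage: python check_bootimg.py boot.img boot_patched.img
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            print(check_repack(f.read(), g.read()))
```

With the sizes printed in the post (kernel 29041019, ramdisk 2924316, page 2048), expected_image_size gives 31969280, the total mkboot reported for test_patched.img.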
I am sorry if my comment sounds unprofessional. Can you express steps 2-5 in a vulgar manner. Is mkbootimg a tool? ttps://forum.xda-developers.com/android/software-hacking/development-mkbootimg-tools-t2895954
I am experiencing permission denied while performing: adb pull /tmp/boot.img ./
i.imgur.com/TSO0v1g.png
About mkbootimg it is right.
Download all files with ZIP from GitHub's "Clone or download" button described in that URL.
About "adb pull" command, sorry.
Before doing it, you need to change the permissions of boot.img to 777.
[email protected]_1:/tmp # dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
[email protected]_1:/tmp # chmod 777 /tmp/boot.img
[email protected]_1:/tmp # exit
[email protected]_1:/tmp $ exit
By the way, I would like you to tell me.
Is there a procedure like this that you successfully downgraded the firmware?
1. your firmware is v3.3.20.0
2. download firmware from asus's support page. (UL-P008-WW-3.3.18.0-user.zip)
3. rename the zip file ( UL-P008-WW-3.3.18.0-user.zip -> UL-P008-WW-5.3.9.0-user.zip )
4. Place the zip file in an arbitrary directory on the SD card and insert this SD card into Z581KL
5. The update dialog is displayed as it is ( or is it displayed when restarted? )
yamada_2501 said: [quote of the downgrade question above omitted]
Correct. This is exactly what I've done. My factory firmware was v3.3.20.0. I downloaded the 3.3.18.0 firmware from the ASUS website and renamed it to the 5.3.9.0 firmware. I was able to downgrade the system using the standard procedures.
---------- Post added at 04:11 AM ---------- Previous post was at 03:55 AM ----------
yamada_2501 said: [quote of the "About mkbootimg it is right" post above omitted]
Thank you. I was able to successfully pull that boot.img. However, is there any mkbootimg alternative for windows. It seems like a linux system tool.
---------- Post added at 04:20 AM ---------- Previous post was at 04:11 AM ----------
yamada_2501 said: [quote of the "About mkbootimg it is right" post above omitted]
I was able to find this post (ttps://forum.xda-developers.com/redmi-1s/general/guide-unpack-repack-kernel-t2908458). I am not sure if it works. Would you please verify and please post the steps. When I use this tool, I am getting an initrd folder instead of a ramdisk folder as described in your post. The link below is what I have. The red boxed files are the original files. Green arrowed file is the original boot.img
i.imgur.com/8d05Zis.png
Also, would you please provide the codes you used in step 5.
Update:
I was somehow able to push boot.img and the other two files in by modifying step 1's code. However, I think the boot.img I created has an error, perhaps because of a sizing error. I am not able to start the machine. Now it is stuck at the fastboot options menu. How can I get back to the recovery menu and perhaps push the original boot.img back?
If you connect to the PC with the fastboot menu activated,
and execute the " fastboot reboot recovery " command on the PC,
won't you get to the recovery menu?
yamada_2501 said:
If you connect to the PC with the fastboot menu activated,
and execute the " fastboot reboot recovery " command on the PC,
won't you get to the recovery menu?
No, when I execute that command, it shows me a bunch of options as shown in the screenshot below.
i.imgur.com/ZJsh5Ub.png
Sorry, I can only think of these other means....
1. Power off your device
2. Press and hold Volume Down and the Power button at the same time
3. Boot in recovery mode

1. Power off your device
2. Press and hold Volume Up and the Power button at the same time
3. Boot in the Fast boot options menu
4. Select "USB debug mode"

1. Boot in the Fast boot options menu
2. Use the fastboot command from the PC to start the Z581KL from the original boot.img on the PC
-> fastboot boot ./boot.img
yamada_2501 said:
Sorry, I can only think of these other means....
1. Power off your device
2. Press and hold Volume Down and the Power button at the same time
3. Boot in recovery mode

1. Power off your device
2. Press and hold Volume Up and the Power button at the same time
3. Boot in the Fast boot options menu
4. Select "USB debug mode"

1. Boot in the Fast boot options menu
2. Use the fastboot command from the PC to start the Z581KL from the original boot.img on the PC
-> fastboot boot ./boot.img
The button combination will not get me to recovery mode. USB debugging mode requires an OS. I've been trying to flash/boot the original boot.img from my computer but it has some permission error.
i.imgur.com/rmK65Z9.png
Is it possible to get this permission error fixed and flash or boot the original boot.img?
I already upgraded to Nougat 5.3.9.0. Could I downgrade to 3.3.18 without bricking it?
I could get blueborne to work on JP_V5.5.0_220170616.
But a shell whose uid=bluetooth is seemingly useless for rooting...
Does anyone know how to get root from the bluetooth shell?
Is there any guide to flash a WW ROM over an operator ROM?
thanks
How to insert the modified boot.img into the /dev/block/mmcblk0p41 by using dirtycow, adb push, and dd?
tomo_ward said:
How to insert the modified boot.img into the /dev/block/mmcblk0p41 by using dirtycow, adb push, and dd?
His original instructions left out the commands to acquire permission to access boot.img. Read the reply thread between yamada and me; he addressed the instructions to acquire the permission. In order to insert the modified boot.img, you re-execute step 1, but instead of doing an adb pull on the last command of step 1, do an adb push.
However, the issue with this guide is the fact that you need to push the boot.img out, unpack and repack it. The risk of this is the chance of you getting a wrongly sized modified boot.img. There is no way to re-acquire permission to replace the wrong boot.img with the original one once you can't boot into the system; therefore, you end up with a Z581KL that just does not boot. I had to send my Z581KL back to the factory in order to fix the effect.
If you are willing to take the risk and do succeed, please provide the boot.img you have successfully modified. That will definitely be a gospel.
thank you.
I'll try to get root on my Z581KL.
Should I change the file permission of patched_boot.img before running the "dd" command?
[email protected]_1:/tmp # chmod 777 /tmp/patched_boot.img #Do I need?
[email protected]_1:/tmp # dd if=/tmp/patched_boot.img of=/dev/block/mmcblk0p41
Was anyone able to get a boot.img that works?
Cannot download the needed ZIP file.
Any backup?
Uqbar said:
Cannot download the needed ZIP file.
Any backup?
Nobody has it any more?
I'm Using C432 .. Rom 9.1.0.147 Newest Stock Update Here In Denmark
First Unlock Bootloader : fastboot oem unlock ********code******
Enter Bootloader Again, Now Flash Modded recovery_ramdisk : fastboot flash recovery_ramdisk r.ram.mod.img
And Flash erecovery_ramdisk With TWRP.img From kilroystyx
Do NOT Remove The USB Cable But Hold Power Until You See A Black Screen
Then Quickly Press And Hold VOL+ Until You Read "Your Device Is Booting Now..."
Now You Should See/Enter Your TWRP Recovery , Now Wipe And Format Data, Then Reboot Recovery "Force Close With Power" .. Again When You See The Black Screen Then Quickly Press And Hold VOL+ Until You Read "Your Device Is Booting Now..."
And You Should ReEnter TWRP Again.. now Mount Vendor then Start Terminal In Recovery under advanced
In Terminal Type :
mount -o remount,rw /dev/block/mmcblk0p55
mount -o remount,rw /dev/block/mmcblk0p37
mount -o remount,rw /dev/block/mmcblk0p53
"partition name/table layout of editable partitions from recovery"
cust = mmcblk0p53
vendor = mmcblk0p55
modem_fw = mmcblk0p37
erecovery_ramdisk = mmcblk0p29
recovery_ramdisk = mmvblk0p33
Now Use The File Manager In Recovery Under Advanced To Copy fstab.modem , fstab.hi6250 And recovery.fstab From /vendor/etc/ To /sdcard/ And From /sdcard/ Over To A PC .. Edit fstab.* With Notepad++ One By One: Remove The Word "verify" Including The Comma And Replace ALL "ro" With "rw", Also Remove The Words With fileencryption***************** Including The Comma ...
Do This In ALL 3 Files. When Done, Copy The 3 Files Back To The Sdcard And Use The File Manager To Move The Edited Files Back To /vendor/etc/ Overwriting The Old Files. Now Do The Same With The 2 Files In The Root: /fstab.hi6250.data And /fstab.hi6250
THEN FROM RECOVERY Select REBOOT And RECOVERY .... AND YOU'RE DONE .. You Should Now Automatically Enter The Rom..
YOU ARE NOW MAGISK ROOTED "Use 19.3 Stable Settings In Magisk Only" Don't Directly Update Magisk ! Clear Repo!
From Now On To Enter TWRP You Need To Put The USB Cable In The Phone And Hold VOL- And Power To Enter The Bootloader. From Here Force Power Off: Hold Power Until The Black Screen, Then Quickly Hold VOL+ Alone Until You Read "Your Device Is Booting Now..." This Is The Only Way To Enter TWRP Using The "ERECOVERY_RAMDISK" Partition.. And Always Use Reboot Then Recovery To Enter The Rom From TWRP .. If Not You Need To Reflash recovery_ramdisk With r.ram.mod.img
Now You Can Backup Data And Restore Data Without Fork Errors. We Should Also Be Able To Both Backup/Restore Cust , Modem_fw And Vendor. But We Only Need Data, System , Erecovery_ramdisk And Recovery_ramdisk To Get A Good Complete Backup.
Peace MarsDroid/BrokenWorm
Unlock Bootloader
First Unlock Bootloader : fastboot oem unlock ********code******???????
The question is, will it unlock the bootloader? This is what I need, please.
KenynTM said:
First Unlock Bootloader : fastboot oem unlock ********code******???????
The question is, will it unlock the bootloader? This is what I need, please.
Because you're new I'll be nice.. but please dude.. you've got to read more before you use this guide or you will end up with a pretty doorstop.
To unlock your bootloader use this DC UNLOCKER CLIENT : https://www.dc-unlocker.com/downloads
This is the one and only solution.
I can't flash erecovery, I got
Writing 'Erecovery_ramdisk'
FAILED (remote: Comand not allowed)
My bootloader is unlocked, please help
I'm also stuck here^^^
Flash erecovery_ramdisk from TWRP recovery... Sorry, forgot to mention that..
I recommend following or reading this post I wrote .. https://forum.xda-developers.com/showpost.php?p=80044263&postcount=9 .. about the same stuff
Welp, I managed to flash TWRP to erecovery, it's pretty easy:
1 download twrp and patched recovery_ramdisk (I strongly recommend to extract the one from update.app with Huawei firmware finder and Huawei firmware extractor and patch it with Magisk Manager)
2 copy twrp.img into your minimal adb folder and copy twrp and patched recovery_ramdisk into your micro SD
3 connect the P20 lite (in fastboot mode) to the PC, open minimal adb and fastboot (cmd here) and flash twrp (fastboot flash recovery_ramdisk twrp.img)
3 disconnect and force power off, turn on the P20 lite and boot into recovery (power off and vol +); it will boot into twrp
4 go to install and go to external storage, also select "Install image"
5 select your twrp.img, it will ask you where to install, select "Erecovery_ramdisk" and install it
6 repeat step 4 and now select your patched recovery_ramdisk.img and install it on "recovery_ramdisk"
7 ???
8 profit
And now I'm stuck with the fstabs, I did all the steps in the first post but when I try to move the modified ones it shows an error, so what now?
RyogaIgnored said:
Welp, I managed to flash TWRP to erecovery, it's pretty easy:
1 download twrp and patched recovery_ramdisk (I strongly recommend to extract the one from update.app with Huawei firmware finder and Huawei firmware extractor and patch it with Magisk Manager)
2 copy twrp.img into your minimal adb folder and copy twrp and patched recovery_ramdisk into your micro SD
3 connect the P20 lite (in fastboot mode) to the PC, open minimal adb and fastboot (cmd here) and flash twrp (fastboot flash recovery_ramdisk twrp.img)
3 disconnect and force power off, turn on the P20 lite and boot into recovery (power off and vol +); it will boot into twrp
4 go to install and go to external storage, also select "Install image"
5 select your twrp.img, it will ask you where to install, select "Erecovery_ramdisk" and install it
6 repeat step 4 and now select your patched recovery_ramdisk.img and install it on "recovery_ramdisk"
7 ???
8 profit
And now I'm stuck with the fstabs, I did all the steps in the first post but when I try to move the modified ones it shows an error, so what now?
I would try remounting the partitions rw
brokenworm said:
I would try remounting the partitions rw
Hi. The command I entered in the TWRP terminal window gives an error.
mount -o remount,rw /dev/block/mmcblk0p55
mount: can't find /dev/block/mmcblk0p55 in /proc/mounts
akif688 said:
Hi. The command I entered in the TWRP terminal window gives an error.
mount -o remount,rw /dev/block/mmcblk0p55
mount: can't find /dev/block/mmcblk0p55 in /proc/mounts
When you enter "ls -l /dev/block/mmcblk*" in the terminal, what does it say then?
I want to transfer this procedure to Honor 7X. Can someone please send output from the following commands (first to get list of names of partitions, second to get list of mounted filesystems) executed via adb shell on the P20 lite:
ls -l /dev/block/by-name
mount
Thanks a lot in advance.
ZB2016 said:
I want to transfer this procedure to Honor 7X. Can someone please send output from the following commands (first to get list of names of partitions, second to get list of mounted filesystems) executed via adb shell on the P20 lite:
ls -l /dev/block/by-name
mount
Thanks a lot in advance.
The partitions change from ROM build to ROM build and are useless. ..
I moved on to a new device, sorry ..
But these are the partitions I was playing with :
"partition name/table layout of editable partitions from recovery"
cust = mmcblk0p53
vendor = mmcblk0p55
modem_fw = mmcblk0p37
erecovery_ramdisk = mmcblk0p29
recovery_ramdisk = mmvblk0p33
I'm guessing this answers your question
brokenworm said:
The partitions change from ROM build to ROM build and are useless. ..
...
I'm guessing this answers your question
Perfect! Thanks a lot!
Does anyone have a working link to the r.ram.mod.img file?
EDIT: Nevermind... figured out I had to extract it from my firmware.
Guys, tell me how to decrypt the Huawei P20 Lite, i.e. turn off encryption.
And this parameter is not quite clear, what it is and how: disable verity.
On the device the data folder is already encrypted; of the more comprehensible methods, these two are of interest to me:
this 1) "https://forum.xda-developers.com/t/...tion-on-emui-9-1-stock-roms-and-root.3953946/"
and this 2)
"https://forum.xda-developers.com/t/...-mediapad-t3-10-ags-w0.3843728/#post-78558329 "
But the first method does not show what to do after you mount it:
In Terminal Type :
mount -o remount,rw /dev/block/mmcblk0p55
mount -o remount,rw /dev/block/mmcblk0p37
mount -o remount,rw /dev/block/mmcblk0p53
"name/table layout of editable partitions from recovery"
cust = mmcblk0p53
vendor = mmcblk0p55
modem_fw = mmcblk0p37
erecovery_ramdisk = mmcblk0p29
recovery_ramdisk = mmvblk0p33
I don't know if it's necessary to go through these commands when I can copy these files, edit them and replace them via TWRP. Do I understand correctly that these commands will unlock the partition to overwrite the files inside it?
But I don't know if this method will work with EMUI 9.1 yet, and the links to the img are broken. Plus I'm afraid to overwrite erecovery with TWRP, because I figured out that I can't flash EMUI from fastboot erecovery, it is closed for that, only with TWRP, and I'm not sure if I can. Plus it's not clear: replace the files and that's it?
The second way, I stopped at:
I don't understand why I can't see the boot img in the extracted firmware Anne-L01 9.1.0.370(C432E7R1P7T8).
Is it locked or what? But I saw verity in FASTBOOT.img; should I edit it to disable verity? And another question: are recovery and boot different things? So I doubt I'm executing it correctly.
And in this video I saw how to remove verity, but what is it?
As I understand, this will not remove the forced encryption, but as I understand it will move me one step closer to the goal of disabling all verity and encryption too.
I don't understand what vbmeta is either; do I have to dig around in my target just to remove this forced encryption, or is it an extra parameter, I mean vbmeta?
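The fstab edits described earlier in this thread (dropping "verify" and "fileencryption=", turning "ro" into "rw") and the questions above about what verity and encryption flags mean are illustrated by this added example, which is not code from any post here: it parses fstab lines of the fstab.hi6250 layout, reports the read-only / dm-verity / encryption state of each mount, and lists which protections a pulled fstab has lost compared with the stock copy. All fstab lines and partition names below are constructed samples, not copied from a real device.

```python
"""Audit Android fstab entries for verity, encryption and read-only flags.
Added example, not code from this thread. Field layout per line:
  <src> <mount_point> <fs_type> <mount_flags> <fs_mgr_flags>
All sample lines are constructed to resemble a Huawei fstab.hi6250 file."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed "stock" fstab: verity on read-only partitions, FBE on /data.
STOCK_FSTAB = """\
# Android fstab file (constructed sample)
/dev/block/bootdevice/by-name/system   /system  ext4  ro,barrier=1  wait,verify
/dev/block/bootdevice/by-name/vendor   /vendor  ext4  ro,barrier=1  wait,verify
/dev/block/bootdevice/by-name/userdata /data    ext4  noatime,nosuid,nodev,discard  wait,check,fileencryption=aes-256-xts:aes-256-cts,quota
"""
# The same file after the edits described in the thread (also constructed):
# "verify" and "fileencryption=..." dropped, "ro" changed to "rw".
EDITED_FSTAB = """\
# Android fstab file (constructed sample, edited)
/dev/block/bootdevice/by-name/system   /system  ext4  rw,barrier=1  wait
/dev/block/bootdevice/by-name/vendor   /vendor  ext4  rw,barrier=1  wait
/dev/block/bootdevice/by-name/userdata /data    ext4  noatime,nosuid,nodev,discard  wait,check,quota
"""

@dataclass
class FstabEntry:
    src: str
    mount_point: str
    fs_type: str
    mount_flags: List[str]    # kernel mount options, e.g. ro, barrier=1
    fs_mgr_flags: List[str]   # Android fs_mgr flags, e.g. wait, verify

    @property
    def read_only(self) -> bool:
        # Compare whole tokens: a text search for "ro" would also hit "/product".
        return "ro" in self.mount_flags

    @property
    def verity(self) -> bool:
        # "verify" = dm-verity (VB1); "avb"/"avb=..." = AVB2, keyed via vbmeta.
        return any(f == "verify" or f == "avb" or f.startswith("avb=")
                   for f in self.fs_mgr_flags)

    @property
    def encryption(self) -> str:
        for f in self.fs_mgr_flags:
            if f.startswith("fileencryption="):          # file-based encryption
                return "FBE:" + f.split("=", 1)[1]
            if f.startswith(("forceencrypt=", "encryptable=")):  # full-disk
                return "FDE"
        return "none"

def parse_fstab(text: str) -> List[FstabEntry]:
    """Parse fstab text, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed fstab line: {raw!r}")
        src, mnt, fstype, mflags, fsmgr = fields[:5]
        entries.append(FstabEntry(src, mnt, fstype, mflags.split(","), fsmgr.split(",")))
    return entries

def audit(text: str) -> Dict[str, dict]:
    """Map each mount point to its read-only / verity / encryption status."""
    return {e.mount_point: {"ro": e.read_only, "verity": e.verity,
                            "encryption": e.encryption}
            for e in parse_fstab(text)}

def removed_protections(stock: str, current: str) -> List[str]:
    """List protections present in the stock fstab but missing from current."""
    before, after = audit(stock), audit(current)
    findings = []
    for mnt, b in before.items():
        a = after.get(mnt)
        if a is None:
            findings.append(f"{mnt}: entry missing from current fstab")
            continue
        if b["verity"] and not a["verity"]:
            findings.append(f"{mnt}: dm-verity flag removed")
        if b["encryption"] != "none" and a["encryption"] == "none":
            findings.append(f"{mnt}: encryption flag removed")
        if b["ro"] and not a["ro"]:
            findings.append(f"{mnt}: now mounted read-write")
    return findings
```

Run `removed_protections(stock_text, pulled_text)` on a stock fstab and one pulled from /vendor/etc/ to see exactly which integrity and encryption guarantees an edited file gives up.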
A long time ago, I posted in a forum thread about my difficulty in trying to revive my M2003J15SG and after having my ethereal Windows install bricked. I switched to Fedora and tried my hand there, where surprisingly, things worked very well. I'm not calling this a guide because I'm basically piecing this together from my bash_history and recollection. I have used the word guide too many times to keep that sentence but yeah, it may be shaky in some places.
Disclaimer
Code:
/*
* Your warranty is... still valid?
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns.
*
* I have removed the part about laughing at you because I'm not a meanie :3
*
* But yeah, this text is as-is. We provide this work to you without
* warranty of any kind, express or implied and in no event shall the authors
* be liable for any claim, damages or other liability in any way, shape or form,
* arising from, out of, in connection with the work
*
*/
A few things to note
This is an attempt to document my experience with BROM recovery of a phone that I bricked because I flashed an incorrect littlekernel image. If you're able to use other methods (using fastboot, recovery mode, hell, even preloader mode), you should probably go with that; this is a last resort.
This guide does involve opening your device, you will need a heat gun, a few picks and a screwdriver. No, this is not optional.
If you've read the excellent guide by VD171 on bypassing authentication and flashing, you may notice the important text that states
> Once you get "Protection disabled" at the end, without disconnecting phone and usb, run SP Flash Tool
That's because if you do disconnect and attempt to reconnect your device, it won't be recognized anymore. On Windows, this manifests as the infamous "USB device not recognized" error. This isn't you installing incorrect drivers, that's the device behaving erratically.
To have a second go at it, you have to press Vol Up + Power for about 60 seconds before you can retry.
To enter BROM mode, you need to press Vol Down and no other key, and then plug in your device.
This guide, while being Fedora-specific, could be translated to other Linux distros assuming you have the necessary packages installed and have the appropriate permissions and udev rules set.
This model of device doesn't need the kamakiri-specific kernel patch.
On RHEL-like distros like Rocky Linux and... RHEL, you may need to disable SELinux. I have mine disabled at install so I'm not sure how this guide will behave with SELinux enforcement enabled.
Ingredients
Stock MIUI ROM V11.0.5.0.QJOMIXM (the fastboot variant), which you can get from XiaomiFirmwareUpdater
SP Flash Tool v5.2020 for Linux, which you can get from SPFlashTools
VD171's readback_ui_bak.xml, which you can get from their XDA Forums thread
VD171's scatterfiles for V11.0.5.0.QJOMIXM, which you can get from their XDA forums thread
You'll specifically need MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt and MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt
mtkclient, an MTK device exploit kit, which you can find on their GitHub (you'll need their master branch, not their releases, so there'll be instructions on how to fetch it)
A box of chocolate chip cookies
a) Preparing the computer
Step 0: Extract all ingredients and put them into one directory for ease of access
You can do this via the command line or through your file manager, it's just for convenience. This guide will assume that everything is done in one neat folder.
Step 1: Install all the dependencies you'll need
Bash:
sudo dnf install android-tools git libusb-devel python3 python3-pip systemd-udev
Step 2: Prevent Linux from interfering with MediaTek serial connections
Bash:
sudo touch /etc/udev/rules.d/20-mm-blacklist-mtk.rules
echo "ATTRS{idVendor}==\"0e8d\", ENV{ID_MM_DEVICE_IGNORE}=\"1\"" | sudo tee /etc/udev/rules.d/20-mm-blacklist-mtk.rules
echo "ATTRS{idVendor}==\"6000\", ENV{ID_MM_DEVICE_IGNORE}=\"1\"" | sudo tee -a /etc/udev/rules.d/20-mm-blacklist-mtk.rules
Step 3: Clone mtkclient and install its dependencies
Bash:
git clone https://github.com/bkerler/mtkclient
cd mtkclient
pip3 install -r requirements.txt
python3 setup.py build
sudo python3 setup.py install
Step 4: Install mtkclient's bundled udev rules
Bash:
sudo usermod -a -G dialout $USER
sudo cp Setup/Linux/*.rules /etc/udev/rules.d
Step 5: Reload udev rules
Bash:
sudo udevadm control --reload-rules
sudo udevadm trigger
Step 6: Return to previous directory
Bash:
cd ..
b) Preparing the device
This is where you basically follow this iFixit guide for the purposes of just disconnecting the battery cable. So, just stop at Step 12, then put the back cover on just flush enough that you can now click the volume and power buttons and insert a cable into the USB-port but not too much so that you have to go through the effort of reopening it again (because, well, you'll have to).
Attempting to skip this will yield you STATUS_EXT_RAM_EXCEPTION.
Click to expand...
Click to collapse
c) Backing everything up
Alongside ROM and userdata, your EMMC contains your IEMI, your bootloader lock state, MAC addresses, calibration data, the whole nine yards. It's always a good idea to back things up before we get started.
Step 1: Copy readback_ui_bak.xml to the SP Flash Tool directory
Bash:
cp ./readback_ui_bak.xml ./SP_Flash_Tool_v5.2020_Linux/readback_ui_bak.xml
Step 2: Connecting your device and applying the exploit
Start off by running the exploit.
Bash:
cd mtkclient
chmod +x mtk
./mtk payload
Once it says Preloader - Status: Waiting for PreLoader VCOM, please connect mobile, hold down Vol Down and connect your phone to the computer. If everything goes according to plan, you'll get an output similar to this.
Code:
Port - Device detected :)
Preloader - CPU: MT6768/MT6769(Helio P65/G85 k68v1)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x707
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: [redacted]
Preloader - SOC_ID: [redacted]
PLTools - Loading payload from mt6768_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: [redacted]/mtkclient/mtkclient/payloads/mt6768_payload.bin
Step 3: Open SP Flash Tool
Bash:
cd ../SP_Flash_Tool_v5.2020_Linux
chmod +x flash_tool
sudo ./flash_tool
Yes, I'm aware, it's technically not advisable to grant superuser privileges to a flashing tool but... I can't get it to work otherwise; if you know how to make it work on Fedora, drop a comment.
Step 4: Load the Download Agent (DA)
Click "Choose" and go to (common directory)/mtkclient/mtkclient/Loader/xiaomi_9_DA_6765_6785_6768_6873_6885_6853.bin
Step 5: Configure SP Flash Tool
Go to Options > Option
In General, uncheck "Storage Lifecycle Check"
In Connection, select "UART"
COM Port: /dev/ttyACM0 (it may not be the exact number, it'll just look something similar to this)
Baud rate: 921600
In Download
Uncheck "USB Checksum"
Uncheck "Storage Checksum"
Step 6: Backup device contents
Start by going to the "Readback" tab; it should already be populated with values that correspond to images from pgpt to otp. If you are presented with an empty table, you need to go back and check if you've copied readback_ui_bak.xml to the correct directory.
If it shows up, then click "Read Back" and if all goes according to plan, you should see the green checkmark show up eventually.
d) Flashing stock firmware
Step 1: Copy scatterfiles to ROM directory
Bash:
cp ./MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt ./merlin_global_images_V11.0.5.0.QJOMIXM_20200609.0000.00_10.0_global/images/MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt
cp ./MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt ./merlin_global_images_V11.0.5.0.QJOMIXM_20200609.0000.00_10.0_global/images/MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt
Step 2: Flash the firmware
Return to the "Download" tab and select the MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt scatterfile we just copied in the ROM's images directory
Select "Firmware Upgrade" from the drop-down menu and then hit "Download". If all goes according to plan, you should see a green checkmark.
Step 3: Restore bootloader status (optional)
In case you had an unlocked bootloader before imploding your phone and don't want to bother with Xiaomi's rigmarole, then by restoring seccfg, you should get it back.
Step 3.1: Copy over seccfg from our backup
You're probably going to be using a new terminal window because SP Flash Tool is still running; navigate to your common directory first. The backup we did earlier stored all the images within the SP Flash Tool directory. We need to use sudo because flash_tool was running with root privileges and so was writing with root privileges as well.
Bash:
sudo cp ./SP_Flash_Tool_v5.2020_Linux/seccfg ./merlin_global_images_V11.0.5.0.QJOMIXM_20200609.0000.00_10.0_global/images/seccfg
Step 3.2: Change the scatterfile, select the image and flash it
Change the scatterfile to MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt and un-select everything except seccfg
Select "Download Only" from the drop-down menu and then hit "Download". Fingers crossed, green checkmark, you should get your unlock back.
Step 4: Reconnect your battery and first boot
If you've reached this point and everything has worked as expected, reconnect your battery, long press the Power button and you should be greeted with a boot animation and hopefully a functioning phone.
e) Packing it up
Basically, just... follow the iFixit guide from Step b) in reverse and seal up your phone. I don't use this phone regularly so I never bothered sealing it, relying only on the plastic clips. You probably should but that's outside the scope of this journal.
f) Upgrading to Android 11 (optional)
As of this writing, LineageOS supports this device under the codename merlinx (the x is because of a conflict with the Moto G3 Turbo, which shares the same codename) and according to their install documentation, they expect a base of Android 11 and this guide flashes Android 10.
I personally used the V12.5.4.0.RJOMIXM firmware (available from XiaomiFirmwareUpdater; again, use the fastboot version) but I made an ever-so-slight change. The entire song-and-dance of needing the bypass exploit is because of "upgrades" made to the payload. I modified flash_all.sh to omit flashing the payload and the modification looks something like this (the other comment-outs were already there in the file):
Bash:
(...)
#fastboot $* flash preloader `dirname $0`/images/preloader_merlin.bin
#if [ $? -ne 0 ] ; then echo "Flash preloader error"; exit 1; fi
#fastboot $* flash efuse `dirname $0`/images/efuse.img
#if [ $? -ne 0 ] ; then echo "Flash efuse error"; exit 1; fi
fastboot $* flash logo `dirname $0`/images/logo.bin
if [ $? -ne 0 ] ; then echo "Flash logo error"; exit 1; fi
fastboot $* flash tee1 `dirname $0`/images/tee.img
if [ $? -ne 0 ] ; then echo "Flash preloader error"; exit 1; fi
(...)
I also commented out the reboot command at the end so I could flash LineageOS's recovery and flash the OS that I wanted.
Bash:
(...)
#fastboot $* reboot
#if [ $? -ne 0 ] ; then echo "Reboot error"; exit 1; fi
(...)
Of course, you need to boot into fastboot mode (by taking a turned-off device and pressing Power + Vol Down) before you execute the script.
Code:
cd merlin_global_images_V12.5.4.0.RJOMIXM_20220325.0000.00_11.0_global
chmod +x flash_all.sh
./flash_all.sh
Sources
https://github.com/bkerler/mtkclient
https://github.com/bkerler/mtkclient/issues/94
https://www.hovatek.com/blog/my-experience-unbricking-a-dead-boot-lg-stylo-6/
https://forum.xda-developers.com/t/...omi-redmi-10x-4g-xiaomi-redmi-note-9.4221065/
https://forum.xda-developers.com/t/...for-merlin-redmi-10x-4g-redmi-note-9.4238149/
https://forum.xda-developers.com/t/...omi-redmi-10x-4g-xiaomi-redmi-note-9.4223107/
https://forum.xda-developers.com/t/...omi-redmi-10x-4g-xiaomi-redmi-note-9.4223093/
Wow !
Really amazing guide !
Nice, nice
Thank you very much for contribution