Hey everybody,
I skimmed the threads and it seems nobody tried to extract the boot.img from a device that´s been updated to November firmware.
So at the moment there´s no easy way to root devices where users took the november firmware update already, since factory images are only available for October firmware.
TLDR: Attached to this post are boot.img and vbmeta.img of November firmware that will allow you to root your pixel 6 pro running the updated firmware.
If you´re interested how these were obtained here´s a rough guideline:
Starting point is being a Pixel 6 pro on October firmware rooted.
Taking OTA will fail as boot and vbmeta partitions are altered due to the rooted installation.
Solution: restore those partitions to stock while the device is running, take the OTA but don´t reboot (this will flash OTA to the inactive slot), backup the now updated but still inactive partitions again.
I´ll write a quick mockup how this works, but it´s for advanced users only. So if you´re not comfortable with this I´d suggest to not attempt this.
I was on slot B with October firmware as starting point.
So the goal is to restore original B partitions while the OS is running, apply OTA (which would fail if you´re running altered partitions, boot/vbmeta) and backup updated inactive slot, in my case A.
First problem: Partitions to restore while OS is running need to be unblocked via the command:
Code:
blockdev --setrw <block>
Otherwise you get this error:
Code:
1|raven:/ # dd if=/data/local/tmp/boot.img of=/dev/block/by-name/boot_b
dd: /dev/block/by-name/boot_b: write error: Operation not permitted
1+0 records in
0+0 records out
0 bytes (0 B) copied, 0.002125 s, 0 B/s
To determine which partition you need to unblock run:
Code:
126|raven:/ # cd dev/block/platform/14700000.ufs/by-name/
raven:/dev/block/platform/14700000.ufs/by-name # ls -al
total 0
drwxr-xr-x 2 root root 1020 2021-10-28 21:58 .
drwxr-xr-x 3 root root 1120 2021-10-28 21:58 ..
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 abl_a -> /dev/block/sdb5
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 abl_b -> /dev/block/sdc5
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 bl1_a -> /dev/block/sdb1
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 bl1_b -> /dev/block/sdc1
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 bl2_a -> /dev/block/sdb3
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 bl2_b -> /dev/block/sdc3
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 bl31_a -> /dev/block/sdb6
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 bl31_b -> /dev/block/sdc6
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 boot_a -> /dev/block/sda13
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 boot_b -> /dev/block/sda21
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 devinfo -> /dev/block/sdd1
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 dpm_a -> /dev/block/sdb10
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 dpm_b -> /dev/block/sdc10
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 dram_train_a -> /dev/block/sdb4
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 dram_train_b -> /dev/block/sdc4
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 dtbo_a -> /dev/block/sda10
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 dtbo_b -> /dev/block/sda18
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 efs -> /dev/block/sda5
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 efs_backup -> /dev/block/sda6
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 fips -> /dev/block/sda9
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 frp -> /dev/block/sda4
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 gsa_a -> /dev/block/sdb8
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 gsa_b -> /dev/block/sdc8
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 klog -> /dev/block/sda2
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 ldfw_a -> /dev/block/sdb9
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 ldfw_b -> /dev/block/sdc9
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 metadata -> /dev/block/sda8
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 mfg_data -> /dev/block/sdd2
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 misc -> /dev/block/sda3
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 modem_a -> /dev/block/sda12
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 modem_b -> /dev/block/sda20
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 modem_userdata -> /dev/block/sda7
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 pbl_a -> /dev/block/sdb2
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 pbl_b -> /dev/block/sdc2
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 persist -> /dev/block/sda1
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 pvmfw_a -> /dev/block/sda17
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 pvmfw_b -> /dev/block/sda25
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 super -> /dev/block/sda26
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 tzsw_a -> /dev/block/sdb7
lrwxrwxrwx 1 root root 15 2021-10-28 21:58 tzsw_b -> /dev/block/sdc7
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 userdata -> /dev/block/sda27
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 vbmeta_a -> /dev/block/sda14
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 vbmeta_b -> /dev/block/sda22
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 vbmeta_system_a -> /dev/block/sda15
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 vbmeta_system_b -> /dev/block/sda23
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 vbmeta_vendor_a -> /dev/block/sda16
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 vbmeta_vendor_b -> /dev/block/sda24
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 vendor_boot_a -> /dev/block/sda11
lrwxrwxrwx 1 root root 16 2021-10-28 21:58 vendor_boot_b -> /dev/block/sda19
Example how to restore changed partitions: (if you flashed a modified boot.img and vbmeta.img to root, you need to restore those two while the device is running otherwise the OTA will fail.)
Code:
raven:/ # blockdev --setrw /dev/block/sda21
raven:/ # dd if=/data/local/tmp/boot.img of=/dev/block/by-name/boot_b
131072+0 records in
131072+0 records out
67108864 bytes (64 M) copied, 8.790461 s, 7.2 M/s
This will restore boot_b to the original one so that partition won´t fail to apply the incremental OTA to.
After the OTA was successfully flashed we want to backup the updated boot slot. That would be boot_a in my case.
Command for doing so:
Code:
dd if=/dev/block/bootdevice/by-name/boot_a of=/storage/emulated/0/boot_a.img
I backed up november boot.img and vbmeta.img that way. Please note that I had to flash vbmeta again and disable verity to obtain those imgs. OTA won´t flash if partitions are altered in any way. This wiped my device.
Attached to this post are completely stock boot.img and vbmeta.img from the November build I´m on.
This will allow people to root their devices on November firmware if they took the OTA.
Please note that those boot.imgs are from build SD1A.210817.036.
It´s a european Pixel 6 pro. I don´t think there should be a difference to the factory images from the other carriers like verizon etc regarding the boot.img. If you want to be absolutely sure, somebody on a different firmware needs to follow this process or we just wait for the factory images with nov security patch to drop.
That's the firmware I'm currently running.
I can confirm it works with the provided November vbmeta / boot images.
Thank you !!
Thibale said:
I can confirm it works with the provided November vbmeta / boot images.
Thank you !!
Click to expand...
Click to collapse
thanks for reporting back
So you had to wipe data to Root the October stock firmware and then wipe again to upgrade to November firmware?
Nekromantik said:
So you had to wipe data to Root the October stock firmware and then wipe again to upgrade to November firmware?
Click to expand...
Click to collapse
Yes, but due to the process I used to obtain boot.img and vbmeta.img if you read through the first post.
Pixel 5 process for updating, once full OTA/factory images are available like usual, will make that redundant.
(after initial vbmeta wipe)
Great job @Freak07 nice to see you've joined us
Thanks for this tutorial. But its also very annoying that you can't update the system while rooted lol
So it there's no way to update once rooted without wiping?
I used to download factory images and do flash all bat minus the -w flag.
Cares said:
So it there's no way to update once rooted without wiping?
I used to download factory images and do flash all bat minus the -w flag.
Click to expand...
Click to collapse
No confirmed way for this phone yet. When the new factory images (likely .036 or maybe another one) are released on Monday, people who are currently rooted on .015 can update and see if the manual OTA installation method works without having to wipe. I guess there have been mixed results with this method on the Pixel 5.
Man having to wipe every update might be a deal breaker for me. Might resort to locking bootloader if that's the case.
Cares said:
Man having to wipe every update might be a deal breaker for me. Might resort to locking bootloader if that's the case.
Click to expand...
Click to collapse
Yeah, sad to say it might be for me too. I'm unrooted at the moment (had already set up on the 26th so didn't want to wipe and do it all over again) so we'll see how long I can stand it.
Can't believe I'm actually saying this
Cares said:
Man having to wipe every update might be a deal breaker for me. Might resort to locking bootloader if that's the case.
Click to expand...
Click to collapse
Unfortunately the same for me. I have been going back and forth between unlocking or not. Even if the work around can be used on the P6 it is really more involved than I want it to be and not something I really want to do every month. Really disappointing Google has made it such a pain.
I don't mind any amount of workaround, as long as it's stable, consistent, and doesn't require wiping every time.
roirraW edor ehT said:
I don't mind any amount of workaround, as long as it's stable, consistent, and doesn't require wiping every time.
Click to expand...
Click to collapse
Yeah, flashing OTAs & factory images with the -w removed, disabling dm-verity, patching boot images, etc., I don't mind at all. I like doing that stuff. But I don't like having to wipe and set up anew every month. That just might break this old man's back
Agree, wiping all the time is not my idea of ota update fun!
galaxys said:
Agree, wiping all the time is not my idea of ota update fun!
Click to expand...
Click to collapse
I got so used to it with the S21 Ultra. Backups restore pretty quick (google backups)
You got the phone...Nice!
Hope all is well buddy!
Ok, time for a dumb question. If I unlock my bootloader, but don't root, my device will still break the basic integrity of safety net, correct?
mkhcb said:
Ok, time for a dumb question. If I unlock my bootloader, but don't root, my device will still break the basic integrity of safety net, correct?
Click to expand...
Click to collapse
Yes
Related
I've bought an Italian TIM branded H815, got root access through send_command.exe exploit, and within the root shell I got, I've made a backup of the system and "cust" (the branding) partitions; then downloaded the image, injected root and used dd to overwrite the sytem partition with the rooted one.
After that, I've disabled OTAs, installed ssh server (dropbear), removed TIM branding and put back the stock unbranded stuff, removed all the bloatware, changed the dialer with the one shipped with the lollipop nexus 5 and everything works very nicely.
That's when, while exploring the partitions, I've found that the recovery seems to be in /dev/block/mmcblk0p39.
Being the bootloader still locked (and I'd like to keep it that way), I was pretty sure I couldn't write to the partition, BUT I've run dd to fetch the first bytes of the partition, wrote that to a file, and flashed the file back, overwriting what was there. *So, it was possible*.
Here's what I've done:
dd if=/dev/block/platform/f9824900.sdhci/by-name/recovery bs=1 count=70 of=/sdcard/recovery.partial.img
dd of=/dev/block/platform/f9824900.sdhci/by-name/recovery if=/sdcard/recovery.partial.img
Now here're the questions:
- What would happen if I would just write TWRP through dd over the partition from the running system? (ex.: dd if=/sdcard/twrp.img bs=8192 of=/dev/block/mmcblk0p39)... it seems I wouldn't be blocked by anything in doing so!
- Can you see my very same partitions inside the directory /dev/block/platform/f9824900.sdhci/by-name/ ? (at the end of the post the node listing) -- in case you can't, I've tought they could be useful to you to determine where they are in first place: I've read of people that couldn't find the node "recovery", thus couldn't write to it. Anyway, in that case, there are some tools to explore drive images in GPT form like testdisk and they could be used to find the location of that partition and write over it through dd using the "seek=" parameter.
- In case you already know all that, I presume there is a protection system that runs a checksum of the recovery partition on boot and would argue "hey, what's that? here, eat this bootloop!", otherwise I really can't imagine why I can't change the bootloader.
Thanks in advance!
Alessio
PS, here are the GPT partitions:
Code:
lrwxrwxrwx 1 root root 21 Jan 4 2015 DDR -> /dev/block/mmcblk0p30
lrwxrwxrwx 1 root root 20 Jan 4 2015 aboot -> /dev/block/mmcblk0p8
lrwxrwxrwx 1 root root 21 Jan 4 2015 abootbak -> /dev/block/mmcblk0p14
lrwxrwxrwx 1 root root 21 Jan 4 2015 apdp -> /dev/block/mmcblk0p18
lrwxrwxrwx 1 root root 21 Jan 4 2015 boot -> /dev/block/mmcblk0p38
lrwxrwxrwx 1 root root 21 Jan 4 2015 cache -> /dev/block/mmcblk0p49
lrwxrwxrwx 1 root root 21 Jan 4 2015 cust -> /dev/block/mmcblk0p48
lrwxrwxrwx 1 root root 21 Jan 4 2015 devinfo -> /dev/block/mmcblk0p17
lrwxrwxrwx 1 root root 21 Jan 4 2015 dpo -> /dev/block/mmcblk0p20
lrwxrwxrwx 1 root root 21 Jan 4 2015 drm -> /dev/block/mmcblk0p40
lrwxrwxrwx 1 root root 21 Jan 4 2015 eksst -> /dev/block/mmcblk0p33
lrwxrwxrwx 1 root root 21 Jan 4 2015 encrypt -> /dev/block/mmcblk0p32
lrwxrwxrwx 1 root root 21 Jan 4 2015 factory -> /dev/block/mmcblk0p43
lrwxrwxrwx 1 root root 21 Jan 4 2015 fota -> /dev/block/mmcblk0p44
lrwxrwxrwx 1 root root 21 Jan 4 2015 fsc -> /dev/block/mmcblk0p27
lrwxrwxrwx 1 root root 21 Jan 4 2015 fsg -> /dev/block/mmcblk0p26
lrwxrwxrwx 1 root root 21 Jan 4 2015 grow -> /dev/block/mmcblk0p51
lrwxrwxrwx 1 root root 20 Jan 4 2015 hyp -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root 21 Jan 4 2015 hypbak -> /dev/block/mmcblk0p12
lrwxrwxrwx 1 root root 21 Jan 4 2015 keystore -> /dev/block/mmcblk0p29
lrwxrwxrwx 1 root root 21 Jan 4 2015 laf -> /dev/block/mmcblk0p37
lrwxrwxrwx 1 root root 21 Jan 4 2015 limits -> /dev/block/mmcblk0p16
lrwxrwxrwx 1 root root 21 Jan 4 2015 misc -> /dev/block/mmcblk0p22
lrwxrwxrwx 1 root root 20 Jan 4 2015 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx 1 root root 21 Jan 4 2015 modemst1 -> /dev/block/mmcblk0p24
lrwxrwxrwx 1 root root 21 Jan 4 2015 modemst2 -> /dev/block/mmcblk0p25
lrwxrwxrwx 1 root root 21 Jan 4 2015 mpt -> /dev/block/mmcblk0p42
lrwxrwxrwx 1 root root 21 Jan 4 2015 msadp -> /dev/block/mmcblk0p19
lrwxrwxrwx 1 root root 21 Jan 4 2015 persist -> /dev/block/mmcblk0p23
lrwxrwxrwx 1 root root 21 Jan 4 2015 persistent -> /dev/block/mmcblk0p35
lrwxrwxrwx 1 root root 20 Jan 4 2015 pmic -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 21 Jan 4 2015 pmicbak -> /dev/block/mmcblk0p10
lrwxrwxrwx 1 root root 21 Jan 4 2015 raw_resources -> /dev/block/mmcblk0p45
lrwxrwxrwx 1 root root 21 Jan 4 2015 raw_resourcesbak -> /dev/block/mmcblk0p46
lrwxrwxrwx 1 root root 21 Jan 4 2015 rct -> /dev/block/mmcblk0p34
lrwxrwxrwx 1 root root 21 Jan 4 2015 recovery -> /dev/block/mmcblk0p39
lrwxrwxrwx 1 root root 20 Jan 4 2015 rpm -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root 21 Jan 4 2015 rpmbak -> /dev/block/mmcblk0p13
lrwxrwxrwx 1 root root 20 Jan 4 2015 sbl1 -> /dev/block/mmcblk0p3
lrwxrwxrwx 1 root root 20 Jan 4 2015 sbl1bak -> /dev/block/mmcblk0p9
lrwxrwxrwx 1 root root 20 Jan 4 2015 sdi -> /dev/block/mmcblk0p5
lrwxrwxrwx 1 root root 21 Jan 4 2015 sdibak -> /dev/block/mmcblk0p15
lrwxrwxrwx 1 root root 21 Jan 4 2015 sec -> /dev/block/mmcblk0p31
lrwxrwxrwx 1 root root 21 Jan 4 2015 sns -> /dev/block/mmcblk0p41
lrwxrwxrwx 1 root root 21 Jan 4 2015 spare1 -> /dev/block/mmcblk0p21
lrwxrwxrwx 1 root root 21 Jan 4 2015 spare2 -> /dev/block/mmcblk0p36
lrwxrwxrwx 1 root root 21 Jan 4 2015 ssd -> /dev/block/mmcblk0p28
lrwxrwxrwx 1 root root 21 Jan 4 2015 system -> /dev/block/mmcblk0p47
lrwxrwxrwx 1 root root 20 Jan 4 2015 tz -> /dev/block/mmcblk0p4
lrwxrwxrwx 1 root root 21 Jan 4 2015 tzbak -> /dev/block/mmcblk0p11
lrwxrwxrwx 1 root root 21 Jan 4 2015 userdata -> /dev/block/mmcblk0p50
you can write to any partition.. bootloader locked or not.. as long as you have root. but that doesn't mean the newly written partition will actually boot afterwards.
locked bootloader = bootloader checking for valid boot/recovery partition signatures.
if you do not have LG's signing key to sign TWRP or custom boot.img.. then whatever custom image you write to recovery or boot partition will not boot.
Oh, I see, so there's a sort of DRM; nevermind, thanks for your clarification by the way
One last question: do you know if after the bootloader unlock any partition changes? I wonder if I could just change my whole firmware with an unlocked one, but I guess it's IMEI-dependent and an internal cryptochip would notice it and refuse to boot, right?
autoprime said:
you can write to any partition.. bootloader locked or not.. as long as you have root. but that doesn't mean the newly written partition will actually boot afterwards.
locked bootloader = bootloader checking for valid boot/recovery partition signatures.
if you do not have LG's signing key to sign TWRP or custom boot.img.. then whatever custom image you write to recovery or boot partition will not boot.
Click to expand...
Click to collapse
do you think it would work modifying the boot.img ( adding gov , overclocking, etc) using the any kernel method which extracts the img and modify the boot.img and then repacks it..or would that mess with the lg signing
autoprime said:
you can write to any partition.. bootloader locked or not.. as long as you have root. but that doesn't mean the newly written partition will actually boot afterwards.
locked bootloader = bootloader checking for valid boot/recovery partition signatures.
if you do not have LG's signing key to sign TWRP or custom boot.img.. then whatever custom image you write to recovery or boot partition will not boot.
Click to expand...
Click to collapse
What's stopping you from writing to the bootloader partition? Is it encrypted or something?
bigalex said:
... After that, I've disabled OTAs, installed ssh server (dropbear), removed TIM branding and put back the stock unbranded stuff, removed all the bloatware, changed the dialer with the one shipped with the lollipop nexus 5 and everything works very nicely.
Click to expand...
Click to collapse
Could you please outline the steps necessary to exchange the dialer?
Thanks in advance.
@dogroll: The bootloader is signed, so tampering with it will cause a bootloop, or brick the device anyway.
@Google~Android: Yeah, tampering with about anything will cause the kernel to know your device has been tampered, and it will complain about it in ways I just don't want to know (probably will surprise you with a nice brick).
@Jens1969: Yeah, and very happy to have been asked it: you can just install the Nexus 5 "Dialer.apk" you can get from any n5 firmware into the /system partition (it can't be installed into /data).
Doing so will cause, however, logcat messages about "hey, I can't find com.google.android.dialer.support library!".
So, you will also need the library, and you can find it in any gapps flashable package (I've used this one for example: CyanogenMod hxxp://d-h.st/dGPA).
The library is called com.google.android.dialer.support.jar and must be placed into /system/framework.
You also need to put the /system/etc/permissions/com.google.android.dialer.support.xml file in place. Once I have a minute, I will make a package for it
bigalex said:
@dogroll: The bootloader is signed, so tampering with it will cause a bootloop, or brick the device anyway.
@Google~Android: Yeah, tampering with about anything will cause the kernel to know your device has been tampered, and it will complain about it in ways I just don't want to know (probably will surprise you with a nice brick).
@Jens1969: Yeah, and very happy to have been asked it: you can just install the Nexus 5 "Dialer.apk" you can get from any n5 firmware into the /system partition (it can't be installed into /data).
Doing so will cause, however, logcat messages about "hey, I can't find com.google.android.dialer.support library!".
So, you will also need the library, and you can find it in any gapps flashable package (I've used this one for example: CyanogenMod hxxp://d-h.st/dGPA).
The library is called com.google.android.dialer.support.jar and must be placed into /system/framework.
You also need to put the /system/etc/permissions/com.google.android.dialer.support.xml file in place. Once I have a minute, I will make a package for it
Click to expand...
Click to collapse
I tried the method found here. But my Google Phone FCs and I can't use it for incoming calls. Since my Bootloader is still locked (don't want to void my warranty), I can't use a Zip package. But I could extract the contents and simply copy files and change permissions.
Jens1969 said:
I tried the method found here. But my Google Phone FCs and I can't use it for incoming calls. Since my Bootloader is still locked (don't want to void my warranty), I can't use a Zip package. But I could extract the contents and simply copy files and change permissions.
Click to expand...
Click to collapse
Yep, that's exactly what I did (and I forgot to mention the permissions thing that caused it to crash).
Did you check logcat to see why was it causing FC?
My bootloder is locked too, but still I was able to replace the dialer, so don't worry!
Just, remember to disable the LG dialer, and since you're there, debloat everything! (first line in the code below)
LG G4 debloat :
Code:
pm disable com.android.contacts;
pm disable com.android.LGSetupWizard;
pm disable com.lge.sizechangable.weather.platform;
pm disable com.lge.launcher2.theme.tim;
pm disable com.lge.cloudhub;
pm disable com.lge.remote.lgairdrive;
pm disable com.lge.eltest;
pm disable com.android.browser;
pm disable com.lge.bioitplatform.sdservice.service;
pm disable com.lge.sizechangable.favoritecontacts;
pm disable com.lge.wapservice;
pm disable com.lge.wfds.service.v3;
pm disable com.lge.gcuv;
pm disable com.lge.sync;
pm disable com.lge.livewallpaper.multiphoto;
pm disable com.lge.concierge;
pm disable com.lge.musicshare;
pm disable com.lge.pcsyncui;
pm disable com.lge.updatecenter;
pm disable com.lge.lgfota.permission;
pm disable com.lge.mlt;
pm disable com.lge.appwidget.dualsimstatus;
pm disable com.lge.sizechangable.musicwidget.widget;
pm disable com.lge.cic.eden.service;
pm disable com.lge.music;
pm disable com.lge.hiddenpersomenu;
autoprime said:
you can write to any partition.. bootloader locked or not.. as long as you have root. but that doesn't mean the newly written partition will actually boot afterwards.
locked bootloader = bootloader checking for valid boot/recovery partition signatures.
if you do not have LG's signing key to sign TWRP or custom boot.img.. then whatever custom image you write to recovery or boot partition will not boot.
Click to expand...
Click to collapse
I had the same question, as I'm sure many others have too, so I'm glad I found this post. So taking this a little further would it be possible to pull the bootloader from an unlocked device and overwrite the bootloader on a locked device? I'm a little unclear on the boot sequence so perhaps this question doesn't make sense. I'm running on the thought that the bootloader is "boot -> /dev/block/mmcblk0p38", or is it actually buried a bit deeper and not part of the file system at all?
Apologies if this has already been discussed in another thread (can be difficult to think of the right magic search phrase)
EDIT: actually it looks like the bootloader is "aboot -> /dev/block/mmcblk0p8"
@Ferga2790 seems to have found the answer! You can flash the Canadian H873 kdz and unlock it. Files are located here: https://forum.xda-developers.com/showpost.php?p=76312669&postcount=10. Good luck! :cyclops: :highfive:
Download mode: power off, hold vol +, plug USB cable into phone
Recovery mode: power off, hold vol - and power, plug USB cable into phone
When you select "reboot to bootloader" in the recovery main menu, it just boots up the phone as normal. ADB nor Fastboot work in either of these modes.
All partitions (after running py lglaf.py --unlock -c "!EXEC ls -la /dev/block/bootdevice/by-name ")
/dev/block/bootdevice/by-name:
total 0
drwxr-xr-x 2 root root 1380 2017-04-28 18:02 .
drwxr-xr-x 4 root root 1560 2017-04-28 18:02 ..
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 aboot -> /dev/block/sde6
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 abootbak -> /dev/block/sde7
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 apdp -> /dev/block/sde26
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 boot -> /dev/block/sde1
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 cache -> /dev/block/sda16
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 carrier -> /dev/block/sda13
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 cdt -> /dev/block/sdd3
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 cmnlib -> /dev/block/sde22
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 cmnlib64 -> /dev/block/sde24
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 cmnlib64bak -> /dev/block/sde25
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 cmnlibbak -> /dev/block/sde23
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 ddr -> /dev/block/sdd1
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 devcfg -> /dev/block/sde16
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 devcfgbak -> /dev/block/sde17
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 devinfo -> /dev/block/sdb6
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 dip -> /dev/block/sdb5
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 dpo -> /dev/block/sde28
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 drm -> /dev/block/sda4
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 eksst -> /dev/block/sda9
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 encrypt -> /dev/block/sda8
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 factory -> /dev/block/sda7
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 fota -> /dev/block/sdb3
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 fsc -> /dev/block/sdf3
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 fsg -> /dev/block/sdb4
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 grow -> /dev/block/sda18
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 grow2 -> /dev/block/sdb7
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 grow3 -> /dev/block/sdc3
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 grow4 -> /dev/block/sdd4
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 grow5 -> /dev/block/sde29
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 grow6 -> /dev/block/sdf4
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 grow7 -> /dev/block/sdg2
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 hyp -> /dev/block/sde12
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 hypbak -> /dev/block/sde13
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 keymaster -> /dev/block/sde20
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 keymasterbak -> /dev/block/sde21
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 keystore -> /dev/block/sda12
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 laf -> /dev/block/sda1
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 lafbak -> /dev/block/sda2
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 misc -> /dev/block/sda6
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 modem -> /dev/block/sde18
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 modemst1 -> /dev/block/sdf1
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 modemst2 -> /dev/block/sdf2
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 mpt -> /dev/block/sda3
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 msadp -> /dev/block/sde27
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 persist -> /dev/block/sda14
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 persistent -> /dev/block/sdg1
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 pmic -> /dev/block/sde14
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 pmicbak -> /dev/block/sde15
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 raw_resources -> /dev/block/sde8
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 raw_resourcesbak -> /dev/block/sde9
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 rct -> /dev/block/sda10
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 recovery -> /dev/block/sde2
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 recoverybak -> /dev/block/sde3
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 reserve -> /dev/block/sdd2
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 rpm -> /dev/block/sde10
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 rpmbak -> /dev/block/sde11
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 sec -> /dev/block/sde19
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 sns -> /dev/block/sda5
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 ssd -> /dev/block/sda11
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 system -> /dev/block/sda15
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 tz -> /dev/block/sde4
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 tzbak -> /dev/block/sde5
lrwxrwxrwx 1 root root 16 2017-04-28 18:02 userdata -> /dev/block/sda17
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 xbl -> /dev/block/sdb1
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 xbl2 -> /dev/block/sdc1
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 xbl2bak -> /dev/block/sdc2
lrwxrwxrwx 1 root root 15 2017-04-28 18:02 xblbak -> /dev/block/sdb2
User @l33tlinuxh4x0r has gotten Download Mode to somewhat work with a modified lglaf, as seen in this post.
Thanks to @Flippy125 for explaining how to access Download Mode in this thread.
Reserved
I have gotten download mode to work somewhat using lglaf.py from this post located here
I am using windows 10 pro
Python 3.6
and the above file.
I have managed to get ls and lsmod commands working.
lsof and lsusb also work.
examples are:
Code:
python lglaf.py --unlock -c "!EXEC ls / "
python lglaf.py --unlock -c "!EXEC ls /system/bin/ "
note that there are 2 spaces between !EXEC and ls and one space after the command ending in /. Capitalization is also important.
I will work on more but I really don't want to mess up my phone.
EDIT: I forgot one of the most important things. How to get your phone to reboot back to normal. Run the following command.
Code:
python lglaf.py --unlock -c "!CTRL RSET"
Figured it out on Windows.
Mr nerd said:
Figured it out on Windows.
Click to expand...
Click to collapse
No updates afaik. I don't have a second device that I am willing to brick to test anything else, but as far as I can tell we are locked down so tight that we will probably never see root on this device unless the rooting methods change 100% and don't require filesystem access and even if that were the case root would be useless as the main reason for root is writing to the filesystem.
EDIT: IF lg allows us to root or unlocks this phone we could have root but I don't see that happening either. Also if we had a tot file for this phone we could have root access but it would be dangerous and if you change anything with it you would get a secure boot error. All we can hope for is that lg releases an engineering build or makes some other major mistake or something else leaks.
l33tlinuxh4x0r said:
No updates afaik. I don't have a second device that I am willing to brick to test anything else, but as far as I can tell we are locked down so tight that we will probably never see root on this device unless the rooting methods change 100% and don't require filesystem access and even if that were the case root would be useless as the main reason for root is writing to the filesystem.
EDIT: IF lg allows us to root or unlocks this phone we could have root but I don't see that happening either. Also if we had a tot file for this phone we could have root access but it would be dangerous and if you change anything with it you would get a secure boot error. All we can hope for is that lg releases an engineering build or makes some other major mistake or something else leaks.
Click to expand...
Click to collapse
Ahh ok ok so do you know how we could start looking for Vulns? I never understood how to debug a phone
Mr nerd said:
Ahh ok ok so do you know how we could start looking for Vulns? I never understood how to debug a phone
Click to expand...
Click to collapse
There is a site that lists all of the known vulnerabilities for linux and android but I forgot what it is. Google probably knows though. However even with a vulnerability root will probably throw an secure boot error. We need a venerability for the bootloader.
Ahh i see what you mean. Well do you know how to debug or fuzz a bootloader?
http://hexdetective.blogspot.com/2017/02/exploiting-android-s-boot-getting.html
Sent from my LG-LS993 using Tapatalk
Hi!
Possible downgrade ZVA to ZV9 or ZV6?
On old model LS996 method to write partitions: https://forum.xda-developers.com/g-flex2/development/lg-g-flex-2-ls996-zv6-sprint-5-1-1-t3169212
I dont' know what to do whith python I cant get to work I enter the codes that are in the instructions and all I get is error after error. telling me that the path is wrong but i got to that path and the file is there .
Problem: My beloved 32GB Pixel XL froze while I was typing the other night and I hard reset it. It froze during the boot animation, then rebooted, and then froze during the boot animation again. Done this ~30 times with no joy. It's just over a year old so no warranty.
Background: Bootloader unlocked. Stock rom v 7.1 (build NPF26J). Rooted.
What I've tried:
Clearing Dalvik/cache in TWRP
Factory reset through recovery (both TWRP and stock)
Begging it to work
Flashing factory images for 7.1 and 8.1
locking and unlocking the bootloader multiple times before flashing above factory images
Formatting Data and doing an Advanced Wipe in TWRP to recreate partitions then flashing both of the above factory stock images
At this point, it won't even go to the boot animation. It just goes to black after the white screen that says, "Google" then reboots. If it's rebooting for the first time after a factory image flash, it reboots into stock recovery.
Tried running e2fsck -cfv on userdata and system. This is the output:
userdata:
Code:
e2fsck 1.43.3 (04-Sep-2016)
sh: badblocks: not found
userdata: Updating bad block inode.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
userdata: ***** FILE SYSTEM WAS MODIFIED *****
172 inodes used (0.01%, out of 1630208)
2 non-contiguous files (1.2%)
0 non-contiguous directories (0.0%)
# of inodes with ind/dind/tind blocks: 0/0/0
Extent depth histogram: 165
146606 blocks used (2.25%, out of 6509568)
0 bad blocks
1 large file
21 regular files
141 directories
0 character device files
0 block device files
0 fifos
0 links
1 symbolic link (1 fast symbolic link)
0 sockets
------------
163 files
system:
Code:
/dev/block/platform/soc/624000.ufshc/by-name # [6n[Je2fsck -cfv system
e2fsck 1.43.3 (04-Sep-2016)
sh: badblocks: not found
/: Updating bad block inode.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 3A: Optimizing directories
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/: ***** FILE SYSTEM WAS MODIFIED *****
2517 inodes used (1.95%, out of 129024)
13 non-contiguous files (0.5%)
4 non-contiguous directories (0.2%)
# of inodes with ind/dind/tind blocks: 0/0/0
Extent depth histogram: 2310/7
472130 blocks used (91.48%, out of 516099)
0 bad blocks
1 large file
2043 regular files
273 directories
0 character device files
0 block device files
0 fifos
0 links
192 symbolic links (192 fast symbolic links)
0 sockets
------------
2508 files
Noticed something very odd about the partition table--there's no /cache! Gonna try to create it somehow.
Code:
/dev/block/platform/soc/624000.ufshc/by-name # [6nls -al
total 0
drwxr-xr-x 2 root root 1340 1970-01-01 02:09 .
drwxr-xr-x 4 root root 1440 1970-01-01 02:09 ..
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 aboot_a -> /dev/block/sda17
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 aboot_b -> /dev/block/sda18
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 apdp_a -> /dev/block/sda29
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 apdp_b -> /dev/block/sda30
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 board_info -> /dev/block/sdf1
lrwxrwxrwx 1 root root 36 1970-01-01 02:09 boot -> /dev/block/bootdevice/by-name/boot_b
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 boot_a -> /dev/block/sda19
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 boot_b -> /dev/block/sda20
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 bootlocker_a -> /dev/block/sda1
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 bootlocker_b -> /dev/block/sda2
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 cdt -> /dev/block/sdd12
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 cmnlib32_a -> /dev/block/sda13
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 cmnlib32_b -> /dev/block/sda14
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 cmnlib64_a -> /dev/block/sda15
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 cmnlib64_b -> /dev/block/sda16
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 ddr -> /dev/block/sdd11
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 devcfg_a -> /dev/block/sda23
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 devcfg_b -> /dev/block/sda24
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 devinfo -> /dev/block/sdf4
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 devinfobak -> /dev/block/sdd5
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 dip -> /dev/block/sdd7
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 dpo -> /dev/block/sdd6
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 frp -> /dev/block/sde1
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 fsc -> /dev/block/sdd8
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 fsg -> /dev/block/sdf3
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 hosd_a -> /dev/block/sda21
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 hosd_b -> /dev/block/sda22
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 hyp_a -> /dev/block/sda11
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 hyp_b -> /dev/block/sda12
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 keymaster_a -> /dev/block/sda3
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 keymaster_b -> /dev/block/sda4
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 metadata -> /dev/block/sde5
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 mfg -> /dev/block/sdf2
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 misc -> /dev/block/sdd1
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 modem_a -> /dev/block/sda25
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 modem_b -> /dev/block/sda26
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 modemst1 -> /dev/block/sdd9
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 modemst2 -> /dev/block/sdd10
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 msadp_a -> /dev/block/sda27
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 msadp_b -> /dev/block/sda28
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 persist -> /dev/block/sdd3
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 pg1fs -> /dev/block/sde3
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 pg2fs -> /dev/block/sde4
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 pmic_a -> /dev/block/sda9
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 pmic_b -> /dev/block/sda10
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 ramdump -> /dev/block/sde2
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 reserve0 -> /dev/block/sda36
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 reserve3 -> /dev/block/sdd13
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 reserve4 -> /dev/block/sde6
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 reserve5 -> /dev/block/sdf5
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 rpm_a -> /dev/block/sda7
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 rpm_b -> /dev/block/sda8
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 sec -> /dev/block/sdd4
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 ssd -> /dev/block/sdd2
lrwxrwxrwx 1 root root 38 1970-01-01 02:09 system -> /dev/block/bootdevice/by-name/system_b
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 system_a -> /dev/block/sda33
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 system_b -> /dev/block/sda34
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 tz_a -> /dev/block/sda5
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 tz_b -> /dev/block/sda6
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 userdata -> /dev/block/sda35
lrwxrwxrwx 1 root root 38 1970-01-01 02:09 vendor -> /dev/block/bootdevice/by-name/vendor_b
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 vendor_a -> /dev/block/sda31
lrwxrwxrwx 1 root root 16 1970-01-01 02:09 vendor_b -> /dev/block/sda32
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 xbl_a -> /dev/block/sdb1
lrwxrwxrwx 1 root root 15 1970-01-01 02:09 xbl_b -> /dev/block/sdc1
Edit: NVM. Looks like the /cache partition is gone for the Pixel XL.
Do you work for the FBI?
I should also mention that I haven't been able to flash TWRP permenantly, either. I can get it to boot temporarily through fastboot but when flashing the zip in TWRP, it hangs and reboots at "Running boot image patcher on slot A". Not sure if that's because I haven't been able to get into Android and set a pin, though.
nabbed said:
Do you work for the FBI?
Click to expand...
Click to collapse
lol wut
Have you tried the Skipsoft Unified Android Toolkit? I have no association with the dev whatsoever, but I purchased the pro version, or whatever you call it, and it works flawlessly to update, install, backup, flash, etc. my Pixel.
https://skipsoft.net/skipsoft-unified-android-toolkit/
Sent from my SM-G955U using Tapatalk
Edit: double-post.
I tried that out earlier today. Tried out flashing just the recovery and a 8.0 stock ROM. No joy. Doesn't even get to boot animation. Is there a particular option I should try in the pro version?
RT Wolf said:
I tried that out earlier today. Tried out flashing just the recovery and a 8.0 stock ROM. No joy. Doesn't even get to boot animation. Is there a particular option I should try in the pro version?
Click to expand...
Click to collapse
Have you tried to install factory update, using flash-all and edit flash-all by removing the -w
Make sure you open cmd and type fastboot reboot bootloader. Then just double click flash-all, a new cmd will open and just let it run, it will stop for a few minutes, let it sit, it will start again.
I know this is pretty old but im curious as to if anyone has had this problem and fixed it. Believe it or not Ive had this exact problem for a week now. This may seem like a joke when i say this but i actually fixed this by banging the phone against my knee out of frustration. I tried everything...diff boot slots, every factory image from 7 to 10, flash anything and everything in TWRP. TWRP would freeze anytime a ROM was flashed almost immediately. Factory images would never get passed the white screen with the single "G" on the sreen. Then one time i tapped the screen and the phone booted further. So i banged it against my knee and finshed the setup and made it to stock 8.1 with the bootloader locked *shrugs*
This kind of behavior looks like UFS failure. It's mostly caused by either condensation, liquid damage, or moisture. It can be none of these, and naturally happen with just time. The least you could try is putting it to a heat gun where the UFS chip is. If you live in US you can take it to a uBreakiFix center to repair, they know how to do chipset repair. If you dont, try to take a look around for shop, ask them if they know how to do chip repair.
Hey guys and girls,
I couldn´t find any guide on how to root the U12+ without twrp yet, so I thought maybe it´s good to have one. It´s also useful for people who don´t like to boot/flash the recovery but want root access.
I also decided now to do a little write up about the A/B slot partition system on the U12+.
General Information about the A/B slot partition system and seamless updates
Google firstly introduced seamless updates on the Pixel Phones and with it the A/B partition system.
So this means, contrary to non A/B devices, there are two copys of most partitions except userdata.
We have two system (system_a and system_b), two boot (boot_a and boot_b) and two vendor (vendor_a and vendor_b) partitions, amongst others (can be found further down in the partition list but let´s concentrate on these).
When booted in the OS, one slot is actively used and the other is "inactive".
The main advantage that emerges now is, that in case an OTA arrives the "inactive" partitions get updated, while the OS is running. That means while the actual OTA is happening you can use your phone just like you always do.
The following reboot will boot into the former "inactive" slot and use the seamless updated partitions. This happens seamless and just with a reboot. So OTAs are much faster!
If you are interested further here are some links:
https://www.xda-developers.com/list-android-devices-seamless-updates/
https://source.android.com/devices/tech/ota/ab/
https://source.android.com/devices/tech/ota/ab/ab_faqs
Here’s another writeup from the XDA portal!
https://www.xda-developers.com/how-...ess-updates-affect-custom-development-on-xda/
However there comes some confusion. I will try to update the thread as best as I can when development, ROMs, Kernels etc kick in.
But here are a few tips and tricks:
NOTE:
For most of the commands that are slot specific like changing the active slot etc,download mode is the preferred method!
Code:
fastboot flash boot_a boot.img
and commands like this only work in download mode on standard production devices.
See below for these.
However fastboot boot boot.img is not working in download!
How to reboot to bootloader to be able to use fastboot:
From anywhere with buttons:
Long press (sometimes really long!) the Power button until you feel the vibration motor (not the haptic feedback) kick in. When it kicks in let go of power button quickly and push volume down to boot into bootloader.
thanks to @tbalden for figuring it out intially.
From the OS or recovery via ADB:
Code:
adb reboot bootloader
How to reboot to download mode to be able to use fastboot:
From anywhere with buttons:
Long press (sometimes really long!) the Power button until you feel the vibration motor (not the haptic feedback) kick in. When it kicks in let go of power button quickly and push volume down to boot into bootloader.
Now choose your option with volume buttons until you see reboot to download and confirm the option by pressing the power button.
thanks to @tbalden for figuring it out intially how to get into bootloader!
From the OS or recovery via ADB:
Code:
adb reboot download
How to get the active slot:
Code:
fastboot getvar current-slot
How to set the active slot:
A word of advice. If you don´t know what you´re doing you should probably not change slots. Because my U12+ only has a working A Slot. The B slot is without the first OTA or flashing a RUU unbootable.
Set active slot to a:
Code:
fastboot --set-active=a
Set active slot to b:
Code:
fastboot --set-active=b
How to fastboot flash system, boot, vendor and dtbo to only one partition:
Fastboot with A/B devices allow to flash certain files to a specific Slot. I will list here a few of the most common commands. However be warned that not all of them work on the U12+ currently.
It´s currently a WIP to determine why and if it´s possbile with temp S-Off.
These commands seem to work on Standard retail Units only in download mode.
How to flash boot.img to Slot A:
Code:
fastboot flash boot_a boot.img
How to flash boot.img to Slot B:
Code:
fastboot flash boot_b boot.img
How to flash system to Slot A:
Code:
fastboot flash system_a system.img
How to flash system to Slot B:
Code:
fastboot flash system_b system.img
How to flash vendor to Slot A:
Code:
fastboot flash vendor_a vendor.img
How to flash vendor to Slot B:
Code:
fastboot flash vendor_b vendor.img
How to flash dtbo to Slot A:
Code:
fastboot flash dtbo_a dtbo.img
How to flash dtbo to Slot B:
Code:
fastboot flash dtbo_b dtbo.img
for other partitions the general rule is being obvious in these examples I guess
Partition List / Overview for A/B Partitions
Here is a partition list. So you can check if there is an A/B system available for said partition:
Code:
htc_imedugl:/dev/block/platform/soc/1d84000.ufshc/by-name # ls -al
total 0
drwxr-xr-x 2 root root 1880 1970-02-05 04:16 .
drwxr-xr-x 4 root root 2040 1970-02-05 04:16 ..
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 abl_a -> /dev/block/sde9
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 abl_b -> /dev/block/sde30
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 aop_a -> /dev/block/sde1
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 aop_b -> /dev/block/sde22
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 apdp -> /dev/block/sde46
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 avb_rec -> /dev/block/sde56
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 bluetooth_a -> /dev/block/sde6
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 bluetooth_b -> /dev/block/sde27
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 board_info -> /dev/block/sdf1
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 boot_a -> /dev/block/sde13
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 boot_b -> /dev/block/sde34
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 carrier -> /dev/block/sda16
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 cdt -> /dev/block/sdd2
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 cmnlib64_a -> /dev/block/sde16
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 cmnlib64_b -> /dev/block/sde37
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 cmnlib_a -> /dev/block/sde15
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 cmnlib_b -> /dev/block/sde36
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 control -> /dev/block/sda13
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 cota -> /dev/block/sda17
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 ddr -> /dev/block/sdd3
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 devcfg_a -> /dev/block/sde17
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 devcfg_b -> /dev/block/sde38
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 devinfo -> /dev/block/sde44
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 devlog -> /dev/block/sda10
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 dip -> /dev/block/sde45
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 dpo -> /dev/block/sde48
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 dsp_a -> /dev/block/sde10
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 dsp_b -> /dev/block/sde31
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 dtbo_a -> /dev/block/sde21
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 dtbo_b -> /dev/block/sde42
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 extra -> /dev/block/sda12
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 fataldevlog -> /dev/block/sda11
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 frp -> /dev/block/sda14
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 fsc -> /dev/block/sdf4
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 fsg -> /dev/block/sdf3
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 hosd_a -> /dev/block/sde14
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 hosd_b -> /dev/block/sde35
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 hvbmeta -> /dev/block/sda4
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 hyp_a -> /dev/block/sde3
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 hyp_b -> /dev/block/sde24
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 keymaster_a -> /dev/block/sde11
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 keymaster_b -> /dev/block/sde32
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 limits -> /dev/block/sde50
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 local -> /dev/block/sda15
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 lockbooter_a -> /dev/block/sde12
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 lockbooter_b -> /dev/block/sde33
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 logdump -> /dev/block/sde54
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 logfs -> /dev/block/sde52
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 mdtp_a -> /dev/block/sde8
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 mdtp_b -> /dev/block/sde29
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 mdtpsecapp_a -> /dev/block/sde7
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 mdtpsecapp_b -> /dev/block/sde28
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 mfg -> /dev/block/sdf2
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 misc -> /dev/block/sda6
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 modemst1 -> /dev/block/sdf5
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 modemst2 -> /dev/block/sdf6
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 msadp -> /dev/block/sde47
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 oem_misc -> /dev/block/sda7
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 padding0 -> /dev/block/sda1
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 padding3 -> /dev/block/sdd1
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 persist -> /dev/block/sda3
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 pg1fs -> /dev/block/sda5
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 pmic_a -> /dev/block/sde4
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 pmic_b -> /dev/block/sde25
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 qupfw_a -> /dev/block/sde18
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 qupfw_b -> /dev/block/sde39
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 radio_a -> /dev/block/sde5
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 radio_b -> /dev/block/sde26
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 ramdump -> /dev/block/sda8
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 reserve0 -> /dev/block/sda21
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 reserve4 -> /dev/block/sde57
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 reserve5 -> /dev/block/sdf7
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 sec -> /dev/block/sde43
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 sp1 -> /dev/block/sde49
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 ssd -> /dev/block/sda2
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 sti -> /dev/block/sde53
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 storsec -> /dev/block/sde55
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 system_a -> /dev/block/sda18
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 system_b -> /dev/block/sda19
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 tool_diag -> /dev/block/sda9
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 toolsfv -> /dev/block/sde51
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 tz_a -> /dev/block/sde2
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 tz_b -> /dev/block/sde23
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 userdata -> /dev/block/sda20
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 vbmeta_a -> /dev/block/sde20
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 vbmeta_b -> /dev/block/sde41
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 vendor_a -> /dev/block/sde19
lrwxrwxrwx 1 root root 16 1970-02-05 04:16 vendor_b -> /dev/block/sde40
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 xbl_a -> /dev/block/sdb1
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 xbl_b -> /dev/block/sdc1
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 xbl_config_a -> /dev/block/sdb2
lrwxrwxrwx 1 root root 15 1970-02-05 04:16 xbl_config_b -> /dev/block/sdc2
How to root your phone with TWRP
Prerequisites:
- unlocked bootloader
- enabled USB-Debugging in Developer Options
- latest adb and fastboot binaries
- working adb and fastboot environment
How to root by flashing the magisk zip:
1. Download magisk zip from here:
https://github.com/topjohnwu/Magisk/releases
2. Download TWRP from here: https://forum.xda-developers.com/u12-plus/development/recovery-unofficial-twrp-3-2-2-0-htc-t3819343
3.
Code:
fastboot boot nameoftwrp.img
the TWRP Image! The process is described in the thread I linked above
or simply flash the magisk Zip from permanently installed TWRP
4. Flash magisk.zip
5. Reboot, profit and enjoy a rooted phone
How to with flashing a patched boot.img:
1. Download the latest magisk manager apk from here and install it on your phone: https://github.com/topjohnwu/MagiskManager/releases
2. Get a boot.img that fits your current firmware. You can find one in the firmware zips provided by the kind and helpful @5m4r7ph0n36uru here:
https://forum.xda-developers.com/showpost.php?p=76606102&postcount=2
it´s usually called boot_signed.img
Or extract it from a RUU! the process is described here:
https://forum.xda-developers.com/chef-central/android/tool-universal-htc-ruu-rom-decryption-t3382928
3. Copy the boot_signed.img to your phone
4. Open the magisk manager app and tap two times on install
5. Now choose patch boot.img file and select the boot(_signed).img you copied to your phone in the upcoming file chooser
6. Wait for the boot.img to be patched
7. Copy the patched boot.img to your device
8. Download TWRP from here: https://forum.xda-developers.com/u12-plus/development/recovery-unofficial-twrp-3-2-2-0-htc-t3819343
9. fastboot boot the TWRP! The process is described in the thread I linked above.
Or use the permanently installed TWRP
10. Important: Tap on reboot. It will show the active slot! Now switch to the inactive slot and back to your active slot!
11. Tap on install and navigate to the patched boot.img
12. Tap on install img at the bottom
13. Flash the patched.img
14. Tap on reboost system and boot back to system
15. You´re now rooted!
How to root your phone without TWRP
Prerequisites:
- unlocked bootloader
- USB-Debugging in developer options enabled
- latest adb and fastboot binaries
- working adb and fastboot environment
How to:
1. Download the latest magisk manager from here and install: https://github.com/topjohnwu/MagiskManager/releases
2. Get a boot.img that fits your current firmware. You can find one in the firmware zips provided by the kind and helpful @5m4r7ph0n36uru here:
https://forum.xda-developers.com/showpost.php?p=76606102&postcount=2
it´s usually called boot_signed.img
Or extract it from a RUU! the process is described here:
https://forum.xda-developers.com/chef-central/android/tool-universal-htc-ruu-rom-decryption-t3382928
3. Copy the boot_signed.img to your phone
4. Open the magisk manager app and tap two times on install
5. Now choose patch boot.img file and select the boot(_signed).img you copied to your phone in the upcoming file chooser
6. Wait for the boot.img to be patched
7. Now connect your phone to your pc and make sure usb debugging is enabled in developer options
8. Open up a terminal in your fastboot folder and make sure adb is working by typing
Code:
adb devices
into terminal which should return your serial number
9. Pull the patches boot.img to your fastboot folder via:
Code:
adb pull /sdcard/MagiskManager/patched_boot.img
10. Reboot to download mode:
Code:
adb reboot download
11. Check your active slot while in the bootloader mode with
Code:
fastboot getvar current-slot
output of this command will show your active slot
12. Depending on the active slot do
For active slot a do:
Code:
fastboot flash boot_a patched_boot.img
For active slot b do:
Code:
fastboot flash boot_b patched_boot.img
13. If the flash was successful do:
Code:
fastboot reboot
14. Congratulations you´re now rooted.
15. You will see a message stating there is an internal problem. That is nothing to worry about and will be resolved on a later stage.
IMPORTANT NOTICES
1. After rooting, the option to enable face unlock from htc will be greyed out.
How to fix:
a. Open Magisk Manager
b. Open the side menu and tap on magisk hide
c. Tick faceunlock to be hidden
d. Go to settings apps and delete data of faceunlock app
e. reboot!
I will refine this thread in the future and include a few more things to it when the time comes.
Drop a thanks if it helped you
And have a nice day
Here is described how to get adaway working after rooting the U12+
How to:
1. Download and install latest (at the time of writing 3.3) adaway apk from here:
https://forum.xda-developers.com/showthread.php?t=2190753
2. Please don´t download adaway apk elsewhere or from xda labs because 3.2 will not work.
3. Download busybox installer here:
https://play.google.com/store/apps/details?id=stericson.busybox
4. Open the app, grant root access and install busybox
5. Now open adaway and grant root access.
6. Let adaway do its thing and say yes when you will be asked for symlinking.
7. Reboot and profit!
So one more.
Have you ever wondered if it´s possible to adjust the HTC, Google or Dragonfly USB - C to 3,5mm Adapter/DAC more fine grained to your liking. Like controling analog gain of the phone and hardware gain of the dac seperately to achieve the best audio signal possible?
Fine, because here I have a nifty little tweak for you!
I came across this nice little mod and asked the kind @bjrmd if it was possible to adjust his app for the U11. He agreed and I got him the logs. Eventually he worked it out and got it running. Luckily enough this mod still works on the U12+
Prerequisites:
- Root (see above )
- A supported USB DAC (HTC U11 dongle, google dongle or dragonfly red)
Steps:
1. Visit the thread here: https://forum.xda-developers.com/pixel-2-xl/themes/pixel-2-usb-audio-control-t3704024
2. Read the thread!
3. Drop a thanks!
4. Download the latest pixel 2 audio.apk and install it
5. Download the tinymix32.zip, extract the tinymix32 file and place it in the Download folder of your internal SDCARD!
6. Place it nowhere different!
7. Open the previously installed app and grant root permission
8. Reboot your phone!
9. Let the phone boot up fully. The app will copy the file automatically
10. After you saw the toast message plug in the USB DAC with the headphones inserted. You notice the app will automatically open
11. Choose your favorite volume in the slider menu! (Analog (first row) should be maxed out, hardware dac gain (second row) adjusted to your liking but below max)
12. Play music without plugging the headphones to your ear. It may be loud!
13. Enjoy
14. For further questions visit the linked thread! It is full of interesting info!
and one
updated post #2 with how to get adaway working
Hey mate,
thanks for that brilliant guide. Great job!
Sent from my HTC U12+ using XDA Labs
5m4r7ph0n36uru said:
Hey mate,
thanks for that brilliant guide. Great job!
Click to expand...
Click to collapse
Thank you if you find any niggles I’m always open to suggestions or improvements
Would this method work on an HTC U11+? Given that the correct boot img is used ofcourse...
I have made a TWRP for U12+ , but cannot gain root using supersu, unfortunately.
robieNL said:
Would this method work on an HTC U11+? Given that the correct boot img is used ofcourse...
Click to expand...
Click to collapse
Yes it should work just fine
goodman_east said:
I have made a TWRP for U12+ , but cannot gain root using supersu, unfortunately.
Click to expand...
Click to collapse
Did you try to use the magisk flashable zip? Supersu is deprecated as it stands now. And magisk is more than capable to be a worthy successor
maybe open a thread for your twrp here and publish your sources so we can all start working on it?
Freak07 said:
Did you try to use the magisk flashable zip? Supersu is deprecated as it stands now. And magisk is more than capable to be a worthy successor
maybe open a thread for your twrp here and publish your sources so we can all start working on it?
Click to expand...
Click to collapse
yep, I flashed magisk.zip to gain root.
My twrp has some bugs:
1 data decrtytion failed
2 mtp not working
I don't know how to modify stock kernel to enable touch function, so I use kernel file from @sabpprook, but resulting in flashable twrp zip not working properly.
goodman_east said:
yep, I flashed magisk.zip to gain root.
My twrp has some bugs:
1 data decrtytion failed
2 mtp not working
I don't know how to modify stock kernel to enable touch function, so I use kernel file from @sabpprook, but resulting in flashable twrp zip not working properly.
Click to expand...
Click to collapse
Could you get us a dmesg and logcat?
And the recovery log too?
Freak07 said:
Hey guys and girls,
I couldn´t find any guide on how to root the U12+ without twrp yet, so I thought maybe it´s good to have one. It´s also useful for people who don´t like to boot/flash the recovery but want root access.
Prerequisites:
- unlocked bootloader
- latest adb and fastboot binaries
- working adb and fastboot environment
How to:
1. Download the latest magisk manager from here and install: https://github.com/topjohnwu/MagiskManager/releases
2. Get a boot.img that fits your current firmware. You can find one in the firmware zips provided by the kind and helpful @5m4r7ph0n36uru here:
https://forum.xda-developers.com/showpost.php?p=76606102&postcount=2
it´s usually called boot_signed.img
3. Copy the boot_signed.img to your phone
4. Open the magisk manager app and tap two times on install
5. Now choose patch boot.img file and select the boot(_signed).img you copied to your phone in the upcoming file chooser
6. Wait for the boot.img to be patched
7. Now connect your phone to your pc and make sure usb debugging is enabled
8. Open up a terminal in your fastboot folder
9. Pull the patches boot.img to your fastboot folder via:
Code:
adb pull /sdcard/MagiskManager/patched_boot.img
10. Reboot to bootloader:
Code:
adb reboot bootloader
11. Check your active slot in the bootloader/download mode on your phone.
12. Depending on the active slot do
For active slot a do:
Code:
fastboot flash boot_a patched_boot.img
For active slot b do:
Code:
fastboot flash boot_b patched_boot.img
13. If the flash was successful do:
Code:
fastboot reboot
14. Congratulations you´re now rooted.
I will refine this thread in the future and include a few more things to it when the time comes.
Drop a thanks if it helped you
And have a nice day
Click to expand...
Click to collapse
Would you mind writing a fool-proof all-in-one version of guide?
I'm sorry but seems like I am already encountering lots of confusion while reading the first few lines.
For instance, I know how to unlock my u12+'s bootloader and have already done so but I don't understand what boot.img means and also, the firmware version of my u12+ is 1.15.708 and there's only 401/617 for me so what can I do? Also what is adb and fastboot binaries? and does acquiring these 2 necessarily means acquiring both working adb and fastboot environment at the same time? if not, what are the difference?
Sorry but I am really a noob at rooting I would like to spend more time to learn about it but whenever I try to look up the forum the fact that there are too many articles to read from bombards me :crying:
Then you shouldn't be trying this. Not to be a pain, but if you don't learn about this stuff, you shouldn't play with it. The OP is quite articulate and easy to understand if you understand the entire process and Android architecture.
hgoldner said:
Then you shouldn't be trying this. Not to be a pain, but if you don't learn about this stuff, you shouldn't play with it. The OP is quite articulate and easy to understand if you understand the entire process and Android architecture.
Click to expand...
Click to collapse
Just like the essential phone now.
Hi people, I can not unlock my Phone
Anyone have an idea, whats the problem?
C:\adb>fastboot oem get_identifier_token
...
(bootloader) [KillSwitch] : /dev/block/bootdevice/by-name/frp
(bootloader) [KillSwitch] Last Byte is 0X00, disable unlock
(bootloader) [KillSwitch] oem unlock Turn Off!
OKAY [ 0.004s]
finished. total time: 0.004s
Click to expand...
Click to collapse
ok, got it!
had to ennable aditional to unlock the bootloader in developers menu in the phone
---------- Post added at 08:42 PM ---------- Previous post was at 08:34 PM ----------
next Problem ,
Unlocking Bootloader Failed!
Sorry it didn't work out. Here's why:
Required Resources
Please make sure all items are installed and up to date.
We're sorry, but it appears your attempt to unlock the bootloader on this device has failed. This could be caused by several factors including simple errors in the entry of the unlock token, problems with your device, or a lack of manufacturer support for the unlocking process. Please see the specific error code listed below, and try again if necessary.
Error Code: Invalid Bootloader Token Length.
Error Reason: The submitted Token appears to be the wrong length and won't work.
Click to expand...
Click to collapse
Edit: solved too, copied too much , deleted all (bootloader)
ataf said:
Hi people, I can not unlock my Phone
Anyone have an idea, whats the problem?
ok, got it!
had to ennable aditional to unlock the bootloader in developers menu in the phone
---------- Post added at 08:42 PM ---------- Previous post was at 08:34 PM ----------
next Problem ,
Click to expand...
Click to collapse
You probably copied something from the token you shouldn’t have copied?
Updated post #3 with another interesting mod! for all you audio guys out there!
https://forum.xda-developers.com/showpost.php?p=76781657&postcount=3
Freak07 said:
2. Get a boot.img that fits your current firmware. You can find one in the firmware zips provided by the kind and helpful @5m4r7ph0n36uru here:
https://forum.xda-developers.com/showpost.php?p=76606102&postcount=2
it´s usually called boot_signed.img
Click to expand...
Click to collapse
My firmware's version is 1.15.708.6, which is not available in that post for download. What can I do to root my phone?
Hİ GUYSSSS
Thank you all for your patience.
I'm sorry for my bad english.
Because it is not a twrp yet working correctly,fastboot rom is dangerous for a very risky person.So we will add multi language support to the whole device with a completely safe and easy way.
Please note that only 8.11.15 version and bootloader lock will work on open devices.all responsibility belongs to you...
Lets start
1> Download this file first https://drive.google.com/open?id=1k3fSUz9yLk4cQ6cIcDX5F-fYnviEC_tz
2> Extract the zip file,extract the zip file, extract the file from the (eu lang system) and place it in the device memory
3> Activate the device developer settings (security settings) and OEM lock, connect to PC in fastboot mode
4> Open cmd in the adb fastboot folder and enter the following command
<fastboot flash boot patched_boot.img> Enter
<fastboot reboot> Enter
5> Phone will reopen.open the file manager, install magisk and root explorer
6> open magisk device must be root,open root explorer and allow root permission.
7> The file with root explorer and replace all files,and set the required permissions.there video https://www.youtube.com/watch?v=Xf1P_kSXHSY
8> Rebooting devices,adjust your language and enjoy
9> don't forget to thank
MI MIX 3 perseus
MIUI 8.11.15 beta
Sabirsizlikla bekliyorum usta Bakalim yapabilcekmiyiz hemen telefon öyle kösede duruyor
I hope it works like a charm.
SacredSovL said:
Sabirsizlikla bekliyorum usta Bakalim yapabilcekmiyiz hemen telefon öyle kösede duruyor
I hope it works like a charm.
Click to expand...
Click to collapse
Thanks
tomorrow the link will be ready
Bende sabırsızlıkla bekliyorum inşallah yapabilirim sadece fastboot üzerinden 7-8 sefer rom yükledim detaylı paylasiminizi bekliyoruz şimdiden elinize sağlık teşekkürler
Please speak English. Thank you!
I'm already waiting...like a child in the xmas night
Isnt tomorrow now today?
Any updates on this OP ?
Sorry Guys
Framework.res. apk
Services. jar
SystemUI. apk
need some more editing
will try to solve the weekend
Good job
还没弄好吗??等待着
there is danger of people getting their devices brick,I am working on an installation process that is easier loading sample ota.
When will it be ok?
18579439638 said:
还没弄好吗??等待着
Still not done? ? waiting
Click to expand...
Click to collapse
He is waiting for TWRP, to be finish, first. What good is this if it cannot be flashed on the phone.
Hey gents (and ladies if any are here), be patient with z.v.a.a.h.i. If you want faster releases then participate in the development. Rushing will lead to bricked devices. As far as TWRP is concerned, i used the one from this link: https://mega.nz/#!BYU0nCKT!GbgSiJAdmr8-445IAqd8MfhmGu05gn6NhXKMQeauVb4 I couldnt test it out prior to flashing; however, flashing it lead to no problems whatsoever.
xreactx said:
Hey gents (and ladies if any are here), be patient with z.v.a.a.h.i. If you want faster releases then participate in the development. Rushing will lead to bricked devices. As far as TWRP is concerned, i used the one from this link: https://mega.nz/#!BYU0nCKT!GbgSiJAdmr8-445IAqd8MfhmGu05gn6NhXKMQeauVb4 I couldnt test it out prior to flashing; however, flashing it lead to no problems whatsoever.
Click to expand...
Click to collapse
So, can that TWRP be flashed into the boot loader partition of the phone and stay there with the china rom installed with no boot looping?
vq8acsxht said:
So, can that TWRP be flashed into the boot loader partition of the phone and stay there with the china rom installed with no boot looping?
Click to expand...
Click to collapse
Flash it to the recovery partition.
fastboot flash recovery name_of_twrp.img
to OP
i have working twrp without encryption running . also some more things.
in your apks are the strings for all languages. if you would i can make a flashable zip for all these things. so everytime a new update from the dev rom is out you only flash the zip.
or i can tell you how you make a system.img that can be flashed via fastboot (dd)
just send me a pm
. i personally wait for the global rom. when it is released , i start to make my eragon rom for our phone and do more stuff
here you see our mi mix 3 partitions/by-name table
Code:
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 ImageFv -> /dev/block/sdf4
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 abl_a -> /dev/block/sde32
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 abl_b -> /dev/block/sde33
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 aop_a -> /dev/block/sde14
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 aop_b -> /dev/block/sde15
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 apdp -> /dev/block/sde6
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk01 -> /dev/block/sda3
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk02 -> /dev/block/sda4
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk03 -> /dev/block/sda5
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk04 -> /dev/block/sda8
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 bk05 -> /dev/block/sda14
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk31 -> /dev/block/sdd1
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk32 -> /dev/block/sdd3
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk33 -> /dev/block/sdd5
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk41 -> /dev/block/sde3
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk42 -> /dev/block/sde9
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 bk43 -> /dev/block/sde16
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 bk44 -> /dev/block/sde17
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 bk45 -> /dev/block/sde25
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 bk46 -> /dev/block/sde29
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk51 -> /dev/block/sdf2
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk52 -> /dev/block/sdf3
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 bk53 -> /dev/block/sdf5
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 bk54 -> /dev/block/sde26
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 bk55 -> /dev/block/sde27
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 bluetooth -> /dev/block/sde24
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 boot -> /dev/block/sde45
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 cache -> /dev/block/sda21
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 cdt -> /dev/block/sdd2
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 cmnlib64_a -> /dev/block/sde20
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 cmnlib64_b -> /dev/block/sde21
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 cmnlib_a -> /dev/block/sde18
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 cmnlib_b -> /dev/block/sde19
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 cust -> /dev/block/sda19
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 ddr -> /dev/block/sdd4
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 devcfg_a -> /dev/block/sde12
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 devcfg_b -> /dev/block/sde13
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 devinfo -> /dev/block/sda12
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 dip -> /dev/block/sde28
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 dsp -> /dev/block/sde44
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 dtbo -> /dev/block/sde37
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 frp -> /dev/block/sda7
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 fsc -> /dev/block/sdf1
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 fsg -> /dev/block/sde36
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 hyp_a -> /dev/block/sde38
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 hyp_b -> /dev/block/sde41
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 ifaa -> /dev/block/sde40
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 keymaster_a -> /dev/block/sde22
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 keymaster_b -> /dev/block/sde23
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 keystore -> /dev/block/sda6
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 limits -> /dev/block/sde2
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 logdump -> /dev/block/sda17
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 logfs -> /dev/block/sda10
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 logo -> /dev/block/sde43
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 minidump -> /dev/block/sda18
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 misc -> /dev/block/sda9
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 modem -> /dev/block/sde46
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 modemst1 -> /dev/block/sdf6
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 modemst2 -> /dev/block/sdf7
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 msadp -> /dev/block/sde7
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 oops -> /dev/block/sda11
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 persist -> /dev/block/sda15
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 persistbak -> /dev/block/sda16
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 qupfw_a -> /dev/block/sde4
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 qupfw_b -> /dev/block/sde5
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 recovery -> /dev/block/sda20
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 sec -> /dev/block/sde1
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 splash -> /dev/block/sde42
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 spunvm -> /dev/block/sde39
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 ssd -> /dev/block/sda2
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 sti -> /dev/block/sde30
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 storsec_a -> /dev/block/sde10
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 storsec_b -> /dev/block/sde11
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 switch -> /dev/block/sda1
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 system -> /dev/block/sde48
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 toolsfv -> /dev/block/sde31
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 tz_a -> /dev/block/sde34
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 tz_b -> /dev/block/sde35
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 userdata -> /dev/block/sda22
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 vbmeta -> /dev/block/sde8
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 vendor -> /dev/block/sde47
lrwxrwxrwx 1 root root 16 1970-01-30 05:22 vm-data -> /dev/block/sda13
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 xbl_a -> /dev/block/sdb2
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 xbl_b -> /dev/block/sdc2
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 xbl_config_a -> /dev/block/sdb1
lrwxrwxrwx 1 root root 15 1970-01-30 05:22 xbl_config_b -> /dev/block/sdc1
perseus:/ #
skeleton1911 said:
to OP
i have working twrp without encryption running . also some more things.
in your apks are the strings for all languages. if you would i can make a flashable zip for all these things. so everytime a new update from the dev rom is out you only flash the zip.
or i can tell you how you make a system.img that can be flashed via fastboot (dd)
just send me a pm
. i personally wait for the global rom. when it is released , i start to make my eragon rom for our phone and do more stuff
here you see our mi mix 3 partitions/by-name table
Click to expand...
Click to collapse
maybe you're right but i haven't tried the fastboot and twrp repeatedly because of the vendor and lib files I tried. this is the safest way for impatient friends.
z.v.a.a.h.i said:
Hİ GUYSSSS
Thank you all for your patience.
I'm sorry for my bad english.
Because it is not a twrp yet working correctly,fastboot rom is dangerous for a very risky person.So we will add multi language support to the whole device with a completely safe and easy way.
Please note that only 8.11.15 version and bootloader lock will work on open devices.all responsibility belongs to you...
Lets start
1 Download this file first https://drive.google.com/open?id=1k3fSUz9yLk4cQ6cIcDX5F-fYnviEC_tz
2 Extract the zip file,extract the zip file, extract the file from the (eu lang system) and place it in the device memory
3 Activate the device developer settings (security settings) and OEM lock, connect to PC in fastboot mode
4 Open cmd in the adb fastboot folder and enter the following command
<fastboot flash boot patched_boot.img> Enter
<fastboot reboot> Enter
5 Phone will reopen.open the file manager, install magisk and root explorer
6 open magisk device must be root,open root explorer and allow root permission.
7 Remove the file with root explorer and replace all files,and set the required permissions.
8 Rebooting devices,adjust your language and enjoy
9 don't forget to thank
MI MIX 3 perseus
MIUI 8.11.15 beta
MIUI 8.11.23 Coming Soon
Click to expand...
Click to collapse
Hi. Is playstore already inside your mod?