Hello community, I need some explanation first if my approach is incorrect. I am trying to downgrade to Android 10, but I was soul-crushed after reading some information about the bit/binary value that Samsung uses on its firmware (basically you can't downgrade if this value is not equal to your targeted firmware). However, even though I feel scammed by Samsung, I would like to ask you, the community, as my final resort to guide me.
Is there some way I can trick the SW REV checker or delete the partition containing this binary file? Does "deleting" it affect my ability to boot into download mode?
{Temp_User} said:
Hello community, I need some explanation first if my approach is incorrect. I am trying to downgrade to Android 10, but I was soul-crushed after reading some information about the bit/binary value that Samsung uses on its firmware (basically you can't downgrade if this value is not equal to your targeted firmware). However, even though I feel scammed by Samsung, I would like to ask you, the community, as my final resort to guide me.
Is there some way I can trick the SW REV checker or delete the partition containing this binary file? Does "deleting" it affect my ability to boot into download mode?
You can downgrade by simply flashing system, kernel and vendor from Android 10 in TWRP.
JuanTamqd21 said:
You can downgrade by simply flashing system, kernel and vendor from Android 10 in TWRP.
Hi, thank you for the reply.
Sorry for the late reply. I will try this today
JuanTamqd21 said:
You can downgrade by simply flashing system, kernel and vendor from Android 10 in TWRP.
Okay. I may be misunderstanding something, because this way did not work for me. Do I have to manually extract files from the lz4 files?
{Temp_User} said:
Okay. I may be misunderstanding something, because this way did not work for me. Do I have to manually extract files from the lz4 files?
Well, I can provide vendor and kernel on Telegram. You can also get them by extracting the lz4 files.
Make sure it's from an Android 10/Q/One UI 2.x firmware.
I have with me the latest (previous) Android 10. I have extracted the lz4 files correctly (used 7-Zip ZSTD) and flashed the vendor, system and kernel in that order.
Upon reboot, I cannot get past the splash screen. However, I do see that an error appears on the top left of my screen as CHECK FAIL binary 7(BOOT). The words are not clear though.
What did I do wrong?
JuanTamqd21 said:
Well, I can provide vendor and kernel on Telegram. You can also get them by extracting the lz4 files.
Make sure it's from an Android 10/Q/One UI 2.x firmware.
Please provide an in-depth process?
Okay, so after a number of attempts I finally have Android 10/Q on my phone. Keep in mind that I am not tech savvy, as all this was a guessing game (well, not all of it).
I will share my story and hope it may be useful to others who intend to downgrade their Android version.
SW REV ERRORS
You cannot and you should not change the bit version. If you see this error, it means you tried to flash a firmware, or maybe just a boot file, that is outdated or incompatible with the current secure bootloader.
With my limited knowledge, I went with what was easier for me at the time of writing this:
- Flash the latest firmware for model A505F (yours may differ) using Odin. (SUCCESS)
- Boot into the system normally (make sure the OEM unlock is greyed out).
- Flash the latest custom recovery (TWRP or 'Sky Hawk Recovery Project'; I chose the latter).
- Boot into your recovery and Format Data; also make advanced wipes: System, Kernel, Vendor, Dalvik Cache, Data. Pay attention to what exactly you are wiping.
- With your targeted firmware (A10) somewhere nearby, I recommend using a reliable tool to extract the lz4 compressed files. I used this to get 'system.img', 'vendor.img' and 'boot.img'. If you are on Windows, look at the type column in your file explorer or enable 'view filename extension'.
- Flash/install the image files in your recovery. Be patient.
Here is the tricky part for me: the bootloader won't accept this older kernel (thus the boot loops).
A faster way to work around this is installing a custom kernel that supports Android 10, e.g. Quantum kernel.
- You may have to reboot a number of times before you can get past the splash screen. Be patient.
- Success, you now have a weird but working system. (I call it weird because the kernel you will use will carry along its own bugs, e.g. camera fails, random reboots.)
- You cannot update the system. This may be due to the AP/CP/CSC versions not matching.
This is not a step-by-step guide; I am only sharing with the public what I did to reach my final point.
Of course it goes without saying that you are attempting a risky route and you, the user, shall carry all responsibility.
{Temp_User} said:
Okay, so after a number of attempts I finally have Android 10/Q on my phone. Keep in mind that I am not tech savvy, as all this was a guessing game (well, not all of it).
I will share my story and hope it may be useful to others who intend to downgrade their Android version.
SW REV ERRORS
You cannot and you should not change the bit version. If you see this error, it means you tried to flash a firmware, or maybe just a boot file, that is outdated or incompatible with the current secure bootloader.
With my limited knowledge, I went with what was easier for me at the time of writing this:
- Flash the latest firmware for model A505F (yours may differ) using Odin. (SUCCESS)
- Boot into the system normally (make sure the OEM unlock is greyed out).
- Flash the latest custom recovery (TWRP or 'Sky Hawk Recovery Project'; I chose the latter).
- Boot into your recovery and Format Data; also make advanced wipes: System, Kernel, Vendor, Dalvik Cache, Data. Pay attention to what exactly you are wiping.
- With your targeted firmware (A10) somewhere nearby, I recommend using a reliable tool to extract the lz4 compressed files. I used this to get 'system.img', 'vendor.img' and 'boot.img'. If you are on Windows, look at the type column in your file explorer or enable 'view filename extension'.
- Flash/install the image files in your recovery. Be patient.
Here is the tricky part for me: the bootloader won't accept this older kernel (thus the boot loops).
A faster way to work around this is installing a custom kernel that supports Android 10, e.g. Quantum kernel.
- You may have to reboot a number of times before you can get past the splash screen. Be patient.
- Success, you now have a weird but working system. (I call it weird because the kernel you will use will carry along its own bugs, e.g. camera fails, random reboots.)
- You cannot update the system. This may be due to the AP/CP/CSC versions not matching.
This is not a step-by-step guide; I am only sharing with the public what I did to reach my final point.
Of course it goes without saying that you are attempting a risky route and you, the user, shall carry all responsibility.
Hello, you will not be able to downgrade your phone to Android 11 if it is not on these firmware updates:
Of course, the reason is that the binaries of newer updates are higher than 7 (A505FNPUU7CUC2).
vmirrimv said:
Of course, the reason is that the binaries of newer updates are higher than 7 (A505FNPUU7CUC2).
So long as we're both happy and got what we wanted. I finally have a working Android 10 on my device (coming from A11).
vmirrimv said:
Hello, you will not be able to downgrade your phone to Android 11 if it is not on these firmware updates:
You are correct. I gave up on changing the binaries after seeing it was impossible.
The camera should still work on custom Android 10 One UI ROMs and GSIs. I think I tested them before.
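A pre-flash check that fits the replies above (example code added here; it is not from the thread and not a Samsung tool): it pulls the binary/bootloader revision digit out of Samsung build strings such as A505FNPUU7CUC2 and applies the rule the thread describes, that a target firmware whose digit is lower than the device's is refused (the SW REV / CHECK FAIL binary error), and that the AP/CP/CSC files of one package should carry the same digit. Where the digit sits in the string is a heuristic assumption, and every build string other than A505FNPUU7CUC2 below is constructed.

```python
"""Samsung firmware "binary" (bootloader revision) checks.

Added example, not code from the thread or from Samsung. The position of the
revision digit is a heuristic assumption: three region/type letters, the digit,
then a letter (the "PUU7C" in A505FNPUU7CUC2).
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Heuristic: "PUU7C" / "XXU7C" / "OXM7C" -> revision 7. Assumption, not a Samsung spec.
_REVISION_RE = re.compile(r"[A-Z]{3}(\d)[A-Z]")


@dataclass(frozen=True)
class SamsungBuild:
    raw: str
    binary: int  # the "bit"/binary value the SW REV check compares


def parse_build(raw: str) -> SamsungBuild:
    """Extract the revision digit from a build string such as A505FNPUU7CUC2."""
    text = raw.strip().upper()
    if text.startswith("SM-"):  # tolerate a model prefix like SM-A505FN...
        text = text[3:]
    match = _REVISION_RE.search(text)
    if match is None:
        raise ValueError(f"no revision digit found in {raw!r}")
    return SamsungBuild(raw=raw, binary=int(match.group(1)))


def flash_allowed(device_build: str, target_build: str) -> bool:
    """Rule from the thread: a target with a lower binary than the device is
    refused by the bootloader (SW REV CHECK FAIL); equal or higher passes."""
    return parse_build(target_build).binary >= parse_build(device_build).binary


def same_binary(builds: Iterable[str]) -> bool:
    """AP/CP/CSC of one firmware package should carry the same digit; a mixed
    set is the kind of mismatch the post blames for a system that cannot update."""
    digits = {parse_build(b).binary for b in builds}
    return len(digits) == 1


def explain(device_build: str, target_build: str) -> str:
    """Human-readable verdict for a planned flash."""
    cur, tgt = parse_build(device_build), parse_build(target_build)
    if tgt.binary < cur.binary:
        return (f"REFUSED: target binary {tgt.binary} < device binary {cur.binary} "
                "(expect SW REV CHECK FAIL in Odin or CHECK FAIL binary at boot)")
    return f"OK: target binary {tgt.binary} >= device binary {cur.binary}"


if __name__ == "__main__":
    # Constructed scenario: device on a binary-8 build, target is the binary-7 build quoted in the thread.
    print(explain("A505FNPUU8DVA1", "A505FNPUU7CUC2"))
```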
Related
DO NOT USE THIS ON THE GINGERBREAD RELEASES ! THE SAMSUNG GINGERBREAD RELEASES DO HAVE SIGNED BOOTLOADERS, BUT THEY ARE NOT LOCKED. In other words, you can still flash custom kernels and such, and the bootloader patch will only break things, not fix them.
To read the history of this problem, see the 2nd post of this thread (scroll down).
A number of new firmwares for the Samsung Galaxy Tab come with "signed / protected" bootloaders. These new bootloaders prevent you from flashing custom or otherwise unsigned kernels on the device. Trying to do so anyway will result in errors and usually requires you to reflash your ROM completely.
I hope everybody here has learned the lesson not to just flash anything that SamFirmware releases.
The patch
After a great many hours of researching, testing and coding, myself (Chainfire) and Rotohammer have come up with a patch that works on most devices (currently all known GSM Tab variants), and flashes back unprotected JJ4 (T-Mobile ?) bootloaders, or the original P1000N bootloaders for the Latin models. The app only patches when it finds protected bootloaders, and you have to press a button for that, so the app can also be used to look at your current status.
The patch has been tested repeatedly and with success on (0 bricks so far):
- GT-P1000 Euro/International/Unbranded Galaxy Tab
- SGH-I987 AT&T Galaxy Tab
- SGH-I987 Rogers Galaxy Tab
- SGH-T849 T-Mobile Galaxy Tab
- GT-P1000L Latin Galaxy Tab (use LATIN version!)
- GT-P1000N Latin Galaxy Tab (use LATIN version!)
Additional thanks to: koush, neldar, richardtrip, AColwill, farahbolsey, deezid, wgery, tmaurice, rmanaudio, crisvillani, alterbridge86, ivannw, themartinohana, luisfer691 (in no particular order!)
Please note that even though there have not been any bricks so far, replacing bootloaders is a very dangerous operation that may BRICK your device, and you should think twice before using the patch. Using the patch is completely AT YOUR OWN RISK!
Instructions
Download the attached APK, install it on your device, and run it. It will show you a status screen, and if your device is compatible and you have protected bootloaders, the bottom entry "Patch bootloaders" will become available. Tapping it will start the patch procedure.
Note that the patch requires root !
Mini-FAQ
--- After the fix, my "zImage" still shows signed ! Is this a problem ?
No, this is perfectly fine! What matters is that "PBL", "SBL" and "SBL_Backup" are not signed. If "zImage" is signed, it means this ROM can be flashed onto a device that has signed bootloaders. UNsigned "zImage"s can NOT be flashed on signed bootloaders. This is the origin of the problem, because custom kernels are always UNsigned "zImage"s !
--- Can I now flash any ROM and just use this application to fix the bootloaders ?
Technically yes. But it would be stupid to do so. Flashing bootloaders (what this app does) is VERY dangerous, it is the only way to really brick a Tab. If you want to flash a new ROM, make sure it DOES NOT contain bootloaders. Remove them yourself, or wait for somebody else (like Rotohammer) to remove the bootloaders and post the "safe" ROM. Even though this patch is available, if at all possible, you should always try to avoid having to use it.
CDMA tabs
There is currently no support for CDMA Galaxy Tabs, nor do we know if support is needed at this time.
LINKING
You are expressly forbidden to repost the APK elsewhere. If you post about this, post a link to this thread, not to the download (or a repost of the download).
Download
Don't forget to donate and/or press the thanks button!
For non-XDA members who cannot access the attachment, here are multiupload links:
Euro / International / Unbranded / AT&T / Rogers / T-Mo: http://www.multiupload.com/EMOCU1S0V2
Latin (P1000L and P1000N): http://www.multiupload.com/3TJ3YWMWJR
MAKE SURE TO SELECT THE RIGHT DOWNLOAD!
WARNING! Do not flash JM6/9/A/C/D/E/F... Before reading this !
THIS POST, #2 OF THIS THREAD, IS HISTORICAL AND LEFT HERE "FOR THE RECORD". SEE THE FIRST POST FOR WHAT IS CURRENT!
BREAKING NEWS / JAN 15: A fix has been found ! See this post. Also see the bounty thread: http://forum.xda-developers.com/showthread.php?t=906464.
This really applies to other ROMs as well, but the "new" JM6/9/A/C/D/E/F ROMs specifically.
Some of these ROMs include new bootloaders. These bootloaders check checksums/signatures in various parts of the firmware. Neither the "normal" Samsung ROMs, nor custom ROMs and kernels, have these checksums.
The result is that once flashed, you cannot revert to older/official/custom Samsung ROMs, and you are pretty much stuck using one of these four ROMs, as they are the only ones containing the right checksums.
At least TRIPLE CHECK if you want to flash one of these ROMs, that what you are flashing DOES NOT include the new bootloaders ( boot.bin and sbl.bin ). I know from the CF-Root thread that a fair number of you are already too late, but I thought to warn new users anyways. Some modders (like rotohammer) already usually remove these parts, but still triple check everything to make sure.
There is no known fix. I know, I've tried all of them some people suggested in other threads. None of them really works. Sure, with some effort, you can get a different firmware to somewhat run, but you'll still be using the "checksum" bootloaders and the kernel will not be modified. You will still be running the kernel from the "checksum" firmware you loaded earlier. You will not be able to do full flashes, nor will KIES updates work.
Hopefully somebody will find a real solution for this issue for those already affected. If so, please post it in this thread.
Are you affected ?
NEW DEC 28: See SGTBootloaderCheck script below!
It is hard to say for sure without actually trying to flash a non-JM6/A/C/D kernel without the correct checksum. Here's a screenshot of the error you'll get:
If you still have the original files for the ROM you flashed, but do not want to try flashing a non-Samsung-stock kernel, there are some indicators:
- Rename all .tar.md5 files to .tar
- Extract all the .tar files with WinRAR
- Look at the resulting files:
--- Includes "boot.bin" (primary bootloader)
--- Includes "sbl.bin" (secondary bootloader)
If one or both are present, this indicates new bootloaders are being flashed. That does not make it certain if they are "protected" or not, though. But if a large zImage is also present (see the next item), it is very likely they are.
- Look at the resulting files:
--- "zImage" (kernel)
If zImage is about 7800 kb (as opposed to 4000 - 5500 kb that is normal), it is very likely this kernel includes a checksum. If you want to be 100% sure, open zImage in a hex editor, and go all the way to the end. There will be a few mb of 0's, followed by 128 bytes checksum - the very last 128 bytes in the file.
Such a zImage can be flashed both on "original" and the new "protected" bootloaders. The "protected" bootloaders can only flash these zImage, not the smaller variants.
If you have boot.bin, sbl.bin and a 7800 kb zImage, it is 99% likely flashing this ROM will give you a "protected" bootloader.
Some tech
Once these ROMs are flashed, updates to "boot", "sbl" and "zImage" are required to have a 128-byte checksum/signature. In boot.bin and sbl.bin these are near the end; in zImage (7800 kb files) they are the very last 128 bytes. Only firmwares with a zImage that has this signature will be flashable (which at the time of this writing are only JM6/A/C/D).
I have no idea how this signature is generated as of yet, so "faking it" is also not an option. If somebody figures that out, please post it in this thread. Then we could just insert the signatures in the older bootloaders and flash them back (still a dangerous effort by itself).
I think, and possible others will correct me on this, the verification goes as follows, on a running device:
- PBL ( boot.bin ) checks SBL ( sbl.bin ) signature
- SBL checks kernel ( zImage ) signature
While flashing, I think it's the SBL that verifies the PBL/SBL/kernel flash, and refuses to write if the signature isn't correct.
Possible solutions
Flashing back "unprotected" bootloaders from older ROMs through either Odin or Heimdall does not work. These older bootloaders do not have the required signatures/checksums and thus the flash will fail.
A possible solution would be rooting the device, using Koush's bmlunlock, and dd'ing back bml1 and bml4 from backups, completely bypassing the flash checks. This is a very, very dangerous thing to be trying out, though, and unless you really know what you are doing, I wouldn't attempt it. Maybe someone has Samsung repair center contacts or a JTAG unit close by?
Personal note
I have tried to flash back older bootloaders and kernels several times and in several ways (from for example JJ4) but this fails. Odin said it succeeded the very last time I tried, however it really didn't, as my device is now a full (user-wise) brick. It doesn't even turn on to show me the "phone --- | --- pc" error screen. So I guess I need to make a trip to the nearest Samsung repair center (200 miles away). Too bad my car also broke down today. Guess it'll be some time (and money) before I have a working Tab again. Note that the brick was a problem with Odin, probably, not directly caused by the protected bootloaders themselves.
Update: Tab is back and working. Replaced mobo, so I no longer have the signed bootloaders myself.
NEW DEC. 28: SGTBootloaderCheck
Attached is also SGTBootloaderCheck. This is a script run on your Windows PC through ADB to check your bootloaders. It requires root, SuperUser, and a working ADB connection.
Just unzip the archive to a new folder, and double-click "check.bat". That should dump your bootloaders and kernel, copy them to your computer, check the content for signatures, and let you know the result.
I can't guarantee it works, but it should.
Attached
An archive with some relevant files for those who want to do some research. DON'T FLASH THESE FILES !!!
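An added example that automates the "Are you affected?" indicators from the post above in Python (it is not Chainfire's SGTBootloaderCheck and not part of the thread): it walks a firmware tar, flags boot.bin/sbl.bin, and applies the zImage test the post gives, a run of zero bytes followed by a non-zero 128-byte tail. The post renames .tar.md5 to .tar first; tarfile stops at the end-of-archive marker, so the appended md5 line should not matter. The sample archive and images are constructed, and the minimum zero-padding length is an assumption.

```python
"""Detect the 'protected bootloader' indicators described in the post.

Added example; not Chainfire's SGTBootloaderCheck, not code from the thread.
It only inspects firmware archives; it never flashes anything.
"""
import io
import tarfile
from dataclasses import dataclass
from typing import Dict, Optional

SIG_LEN = 128                # signature size stated in the post (last 128 bytes of zImage)
LARGE_ZIMAGE = 7000 * 1024   # post: signed zImage ~7800 kb vs 4000-5500 kb normally (heuristic)
MIN_ZERO_PAD = 64 * 1024     # post says "a few mb of 0's"; we demand at least 64 kB (assumption)


def zimage_has_trailing_signature(data: bytes, min_zero_pad: int = MIN_ZERO_PAD) -> bool:
    """True if the image ends in a run of zero bytes followed by a non-zero
    128-byte tail, the layout the post describes for signed zImages."""
    if len(data) < SIG_LEN + min_zero_pad:
        return False
    tail = data[-SIG_LEN:]
    pad = data[-SIG_LEN - min_zero_pad:-SIG_LEN]
    return any(tail) and not any(pad)


@dataclass
class FirmwareReport:
    has_pbl: bool = False                 # boot.bin present
    has_sbl: bool = False                 # sbl.bin present
    zimage_size: Optional[int] = None
    zimage_signed: Optional[bool] = None  # None when the archive has no zImage

    @property
    def zimage_large(self) -> bool:
        return self.zimage_size is not None and self.zimage_size >= LARGE_ZIMAGE

    @property
    def flashes_bootloaders(self) -> bool:
        """boot.bin/sbl.bin in a ROM mean the bootloaders get rewritten at all."""
        return self.has_pbl or self.has_sbl

    @property
    def likely_protected(self) -> bool:
        """Post's rule: new bootloaders plus a signed zImage => almost certainly protected."""
        return self.flashes_bootloaders and bool(self.zimage_signed)


def inspect_firmware_tar(tar_bytes: bytes) -> FirmwareReport:
    """Walk a firmware tar (renamed from .tar.md5, as the post does) and collect
    the indicators. Only reads the archive; nothing is flashed."""
    report = FirmwareReport()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf:
            if not member.isfile():
                continue
            name = member.name.rsplit("/", 1)[-1].lower()
            if name == "boot.bin":
                report.has_pbl = True
            elif name == "sbl.bin":
                report.has_sbl = True
            elif name == "zimage":
                report.zimage_size = member.size
                handle = tf.extractfile(member)
                data = handle.read() if handle else b""
                report.zimage_signed = zimage_has_trailing_signature(data)
    return report


# --- constructed sample data so the example runs offline ---------------------
def make_fake_zimage(signed: bool) -> bytes:
    """~1 MB of non-zero 'kernel' bytes; the signed variant gets 1 MB of zeros
    plus a 128-byte non-zero tail, mimicking the layout described in the post."""
    body = bytes(range(1, 256)) * 4096
    if not signed:
        return body
    return body + bytes(1024 * 1024) + bytes([0xAB]) * SIG_LEN


def build_sample_tar(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory tar from a name -> content mapping (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    risky = build_sample_tar({"boot.bin": b"\x01" * 512, "sbl.bin": b"\x02" * 512,
                              "zImage": make_fake_zimage(True)})
    print(inspect_firmware_tar(risky).likely_protected)  # True for the constructed sample
```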
I'm sorry about your Tab man.
After flashing JM6, I have "zImage" and "Sbl.bin" but no "boot.bin" in my internal SD. Am I affected?
Also, is it safe to delete these files from my internal SD? I'm guessing they were put there temporarily and are now stored somewhere else already?
Hey Chainfire,
I'm sorry about the brick :/
My English seems to be very bad... could you explain to me why your Tab is bricked now?
I think I understood why it's not possible to flash to another firmware, but why is your Tab bricked now? Yesterday I flashed to JM6 from an old Arabic FW (I think it was JJ1) with PIT P1 and code, modem and CSC file with re-part. on. So is there anything I have to look out for now?
codewisp said:
After flashing JM6, I have "zImage" and "Sbl.bin" but no "boot.bin" in my internal SD. Am I affected?
Also, is it safe to delete these files from my internal SD? I'm guessing they were put there temporarily and are now stored somewhere else already?
You could be affected, I can't say for sure. The only way to be sure is trying to flash a custom kernel and see if Odin gives an error. See the CF-Root thread for screenshots of the error that is produced if you are affected. If there's no error and it boots, you have probably not been affected. Note that you can flash back the original JM6 kernel with both the "protected" as well as the "original" bootloaders.
I'll update the first post to add a bit more information.
Also yes, those files on your internal SD are temporary, you can delete them.
DubZyy said:
Hey Chainfire,
I'm sorry about the brick :/
My English seems to be very bad... could you explain to me why your Tab is bricked now?
I think I understood why it's not possible to flash to another firmware, but why is your Tab bricked now? Yesterday I flashed to JM6 from an old Arabic FW (I think it was JJ1) with PIT P1 and code, modem and CSC file with re-part. on. So is there anything I have to look out for now?
The brick is a result of a bad bootloader flash... it's not something any of you are likely to encounter (unless you are trying to fix this issue).
If you successfully flashed to JJ1 - Odin did not produce any errors - you are probably safe!
Thanks for the information, but a little bit late for me --> bricked
My luck: the next Samsung repair center is 5 kilometers away.
But I don't know what I should tell him.
The truth?
@chainfire
Have you tried hex-editing the version of the SBL to a "fake" newer version? Or does the check only care about the checksum? On older phones we used to be able to do this....
I'm unpacking my dev. Tab as we speak, so I hope to have some time to play between Xmas dinners.
chinchen said:
Thanks for the information, but a little bit late for me --> bricked
My luck: the next Samsung repair center is 5 kilometers away.
But I don't know what I should tell him.
The truth?
Damned lucky the repair center is close!
You wouldn't happen to be living near me and I just never heard of this service center, would ya ?
How exactly is it a brick ? It's only a brick if it doesn't turn on at all anymore (like mine). If you can get anything on screen, you can bring it back to life (although maybe with protected bootloaders).
Jesterz said:
@chainfire
Have you tried hex-editing the version of the SBL to a "fake" newer version? Or does the check only care about the checksum? On older phones we used to be able to do this....
I'm unpacking my dev. Tab as we speak, so I hope to have some time to play between Xmas dinners.
As far as I have been able to deduce (I have not done a full decompile yet, and not sure if I'm going to) it's only the checksum that matters. But I could be wrong there.
I'll upload some files for you in a minute, so you can look at them yourself as well.
chinchen said:
Thanks for the information, but a little bit late for me --> bricked
My luck: the next Samsung repair center is 5 kilometers away.
But I don't know what I should tell him.
The truth?
Anything besides the truth - tell them that you turned off the Tab in the evening, and in the morning it didn't start... they'll believe it.
Chainfire - my condolences... I also cannot flash CF-Root on JMC, so I think I have the new bootloader - I'm waiting for next steps when your Galaxy Tab is alive.
Sorry for my English.
@Jesterz:
Some files you might want to look at attached to first post.
Is there any way to check what version of bootloader I have installed? I cannot install CF-Root on JMC - is it enough to say I upgraded the bootloader in my Tab?
faust86 said:
Is there any way to check what version of bootloader I have installed? I cannot install CF-Root on JMC - is it enough to say I upgraded the bootloader in my Tab?
If you get the same error as in the screenshot linked to in the first post, yes, you have the protected bootloaders.
Good to know I am not affected. And for people who have affected ROMs, I think, as we know the reason, there will be a quick solution for this.
Chainfire said:
If you get the same error as in the screenshot linked to in the first post, yes, you have the protected bootloaders.
So I install this *** bootloader... maybe I brick my Tab and take it to the service point... I have 100 meters :>
Me too
Chainfire said:
If you get the same error as in the screenshot linked to in the first post, yes, you have the protected bootloaders.
I have the error and I can't change ROM (apart from switching between JM6, JMA and JMC)... Hope someone finds a fix soon!
My Tab some time ago was in a similar state (completely black and didn't show in Odin).
My luck was that it was stuck in some kind of download mode. Leaving it connected to the computer worked a miracle: after more than 15 minutes it appeared as connected in Odin and it was possible to flash back a ROM.
patomas said:
I have the error and I can't change ROM (apart from switching between JM6, JMA and JMC)... Hope someone finds a fix soon!
My Tab some time ago was in a similar state (completely black and didn't show in Odin).
My luck was that it was stuck in some kind of download mode. Leaving it connected to the computer worked a miracle: after more than 15 minutes it appeared as connected in Odin and it was possible to flash back a ROM.
I'll just try that. I have no hope of it working, but hey, it's not like I'm using the Tab for anything else right now
patomas said:
My Tab some time ago was in a similar state (completely black and didn't show in Odin).
My luck was that it was stuck in some kind of download mode. Leaving it connected to the computer worked a miracle: after more than 15 minutes it appeared as connected in Odin and it was possible to flash back a ROM.
While the Tab was at a black screen, did you ever press the power button or did you just leave it alone for Odin to eventually find it?
rotohammer said:
While the Tab was at a black screen, did you ever press the power button or did you just leave it alone for Odin to eventually find it?
While you're here... any chance of both STL and BML dumps of your (hopefully proper) PBL and SBL ?
Chainfire said:
While you're here... any chance of both STL and BML dumps of your (hopefully proper) PBL and SBL ?
Of course. I have dumps of everything. I'm just about to run some diffs to make sure my current bootloaders are OK, I can't remember what I've flashed.
Since the K10 is now rootable for MTK variants: has anyone tried to enter TWRP recovery using an app called Root Rashr Flash Tool, to enter the recovery without using ADB and a PC? I used it before but am not 100% sure if I did it the right way. So, anyone? This may help a lot of us to know if the K10 can enter TWRP without a PC.
As far as I remember, Rashr doesn't have an option to boot a recovery from storage, but only options to install a recovery or boot to the installed one. For the K10, fastboot is required to boot to TWRP. I'm not sure why TWRP can't be flashed..?
Professor Woland said:
As far as I remember, Rashr doesn't have an option to boot a recovery from storage, but only options to install a recovery or boot to the installed one. For the K10, fastboot is required to boot to TWRP. I'm not sure why TWRP can't be flashed..?
There is a security signature in the stock recovery image that would be required to be pasted into TWRP (like in the case of Bump!, but it's smarter on newer LG phones). Without it the phone gets bricked. I guess this signature is also there in the boot image, and after making systemless root this signature probably gets corrupted, so I don't know how our device can boot up after systemless root. I read some comments that newer security level firmwares (December and January) can't be rooted and maybe this is the reason (I mean maybe in newer firmwares the boot partition is also verified by this signature).
We would need something like Bump. I tried some hex editors and pasted the final lines from the stock recovery to the end of TWRP, but it didn't work. I guess this signature is like a CRC code, so it might be generated from the image base, but I have no idea how...
gottlasz said:
There is a security signature in the stock recovery image that would be required to be pasted into TWRP (like in the case of Bump!, but it's smarter on newer LG phones). Without it the phone gets bricked. I guess this signature is also there in the boot image, and after making systemless root this signature probably gets corrupted, so I don't know how our device can boot up after systemless root. I read some comments that newer security level firmwares (December and January) can't be rooted and maybe this is the reason (I mean maybe in newer firmwares the boot partition is also verified by this signature).
We would need something like Bump. I tried some hex editors and pasted the final lines from the stock recovery to the end of TWRP, but it didn't work. I guess this signature is like a CRC code, so it might be generated from the image base, but I have no idea how...
I really don't get them; if they want to sell phones which won't get many updates, then they should make it easier to install TWRP/unlock the bootloader/make custom ROMs.
Hm, I would like to help but my reverse engineering/developing skills are poor. Any hints on how to find that signature?
I thought TWRP couldn't be flashed because of size, but that won't be big trouble anyway.
Professor Woland said:
I really don't get them; if they want to sell phones which won't get many updates, then they should make it easier to install TWRP/unlock the bootloader/make custom ROMs.
Hm, I would like to help but my reverse engineering/developing skills are poor. Any hints on how to find that signature?
I thought TWRP couldn't be flashed because of size, but that won't be big trouble anyway.
Size is not a problem anymore. The recovery partition is 16 MB while the 3.0.2 TWRP is approx. 11-12 MB. However, I already gave up on searching for the signature. I spent days on it and I found a signature (quite a long one actually) at the end of each partition (boot, recovery, laf, ...). I successfully added the same signature from the stock recovery to TWRP, but it bricked the phone after I flashed it. Then I found that each signature differs a bit depending on firmware security level and the partition itself, so I believe the signature is generated like a CRC code or in some secret way, and is totally firmware and partition dependent... no way to generate it by ourselves if we don't know the method.
P.S. I don't care if they sell phones I'm unable to root etc.... but why on earth can we not delete unnecessary stock apps to free up space and memory...
gottlasz said:
Size is not a problem anymore. The recovery partition is 16 MB while the 3.0.2 TWRP is approx. 11-12 MB. However, I already gave up on searching for the signature. I spent days on it and I found a signature (quite a long one actually) at the end of each partition (boot, recovery, laf, ...). I successfully added the same signature from the stock recovery to TWRP, but it bricked the phone after I flashed it. Then I found that each signature differs a bit depending on firmware security level and the partition itself, so I believe the signature is generated like a CRC code or in some secret way, and is totally firmware and partition dependent... no way to generate it by ourselves if we don't know the method.
P.S. I don't care if they sell phones I'm unable to root etc.... but why on earth can we not delete unnecessary stock apps to free up space and memory...
In that case probably the signature is made of several parts: one part is to verify to the phone, and one part is to verify the name or some other specific of the recovery, so you can't just paste the signature into any recovery. If only we could "decrypt" the signature and find a way to create it. Could you upload that signature you found to Pastebin or wherever you like?
Professor Woland said:
In that case probably the signature is made of several parts: one part is to verify to the phone, and one part is to verify the name or some other specific of the recovery, so you can't just paste the signature into any recovery. If only we could "decrypt" the signature and find a way to create it. Could you upload that signature you found to Pastebin or wherever you like?
I'll send it to you tomorrow or on Monday in pm.
TL;DR: I have an Australian unlocked Pixel 3 XL (disabled eSIM), and want to try flashing the US unlocked modem firmware to my phone to see if it will unlock the eSIM.
I believe that the command
Code:
adb pull /dev/block/by-name/modem_a modem.img
(or modem_b for boot slot b) will work from a connected computer w/ ADB and a rooted phone. (Please let me know if this command wouldn't work!)
Full post:
Hey guys, new to XDA, been browsing every now and then for a while though.
I'm also no expert in modding, ROMs etc.
It appears that Google has disabled the eSIM on Australian unlocked models of the Pixel 3/3 XL. To my knowledge, there is only one hardware variant of the p3, meaning that the eSIM chip itself is present, but cannot be used, either due to firmware or software limitations.
I have a hunch that it's due to the modem firmware. Why? When it was still on Android 9, the eSIM setup was accessible through the Settings menu, although once a QR code was scanned, a generic error message would pop up - indicating that Android itself had no clue why it didn't work. In Android 10, the option has been removed from Settings.
This makes me think that flashing the modem driver from a model with working eSIM may enable its functionality in software - and there doesn't seem to be any harm in trying. It seems like cross-flashing modems was possible on the original Pixel XL, which similarly had only one hardware variant. This brings me to my issue; I've been unable to find a modem.img file anywhere for the Pixel 3. I've downloaded Google's factory system images, as well as the driver binaries, to decompress and poke around for a modem.img to no avail. I suspect this is because flashing a new image leaves the modem partitions untouched, and the modem firmware from factory remains on the device. (This also makes sense because Google only offers one system image version on its site)
So I'd like an image of the modem partition from a US unlocked pixel 3/3XL, preferably already running the latest version of Android 10 (QQ1A.191205.008) to try out on my phone. Who knows - if this works, maybe other features can be enabled, like FeliCa functionality on non-JP models! (Wishful thinking, I know)
If anyone has any other ideas or thinks I'm on the wrong track let me know - I'm sure we'll find some way to access these locked features
Thanks!
Sidenote: the images I mention above include a radio.img file - what's the difference between this and modem.img? There doesn't seem to be a partition named radio (when looking at `ls /dev/block/by-name`) - is this identical to modem.img?
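A slot-aware way to do the pull described above and then check what came back, as an added example (it is not code from the original post or from Google's tooling). It assumes `adb` on PATH, a rooted device after `adb root` so that `/dev/block/by-name/*` is readable, and a factory image file to compare against (for a Pixel that would be the radio image from the factory zip); the helper names are mine. The comparison treats the factory image as an expected prefix of the partition dump, because a dump covers the whole partition while the flashed image is usually shorter.

```python
"""Pull an A/B partition by name over adb and compare it with a factory image.

Added example, not from the original post. Assumes: `adb` on PATH, a rooted
device with `adb root` done so /dev/block/by-name/* is readable, and a factory
image file (e.g. the radio image from the factory zip) to compare against.
"""
import hashlib
import subprocess
import sys

BY_NAME = "/dev/block/by-name"


def partition_path(name, slot):
    """Block device for an A/B partition: ('modem', 'a') -> '/dev/block/by-name/modem_a'."""
    if slot not in ("a", "b"):
        raise ValueError("slot must be 'a' or 'b'")
    return f"{BY_NAME}/{name}_{slot}"


def active_slot(slot_suffix):
    """Turn the value of ro.boot.slot_suffix ('_a' or '_b') into 'a' / 'b'."""
    s = slot_suffix.strip()
    if s not in ("_a", "_b"):
        raise ValueError(f"unexpected slot suffix {s!r}")
    return s[1:]


def pull_command(name, slot, dest):
    """The adb invocation that dumps the partition to a local file."""
    return ["adb", "pull", partition_path(name, slot), dest]


def compare_images(pulled, factory):
    """Compare a partition dump with a factory image.

    A dump covers the whole partition, so it is usually longer than the image
    that was flashed into it. Report whether the image is a byte-exact prefix
    of the dump and what the bytes after it look like, plus both digests.
    """
    n = len(factory)
    return {
        "pulled_sha256": hashlib.sha256(pulled).hexdigest(),
        "factory_sha256": hashlib.sha256(factory).hexdigest(),
        "prefix_matches": len(pulled) >= n and pulled[:n] == factory,
        "trailing_bytes": max(len(pulled) - n, 0),
        "trailing_all_zero": len(pulled) >= n and not any(pulled[n:]),
    }


def main(name, factory_file, dest="pulled.img"):
    """Detect the active slot, pull <name>_<slot>, and compare it with factory_file."""
    suffix = subprocess.run(
        ["adb", "shell", "getprop", "ro.boot.slot_suffix"],
        check=True, capture_output=True, text=True,
    ).stdout
    slot = active_slot(suffix)
    subprocess.run(pull_command(name, slot, dest), check=True)
    with open(dest, "rb") as f, open(factory_file, "rb") as g:
        result = compare_images(f.read(), g.read())
    for key, value in result.items():
        print(f"{key}: {value}")
    return result


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <partition-name> <factory-image> [dest]")
    main(*sys.argv[1:4])
```

Run it as `python pull_check.py modem radio.img` with the phone connected; the two digests and the prefix check tell you whether the partition you pulled is the same bytes the factory package carries before you consider flashing anything across variants.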
BigBoy47 said:
So I'd like an image of the modem partition from a US unlocked pixel 3/3XL, preferably already running the latest version of Android 10 (QQ1A.191205.008)
I am US, unlocked, rooted - I flash the factory image monthly from https://developers.google.com/android/images
I can pull the files tomorrow but I can't imagine they will be different than what's included in the factory image you can download from the link.
Edit to add: I would suspect this is a regional limitation Google implements with system-based information about the device's location. Maybe on a combination of geolocation, IP addresses, or cellular providers.
Thing is, I couldn't find the modem.img anywhere in the official factory images, leading me to believe that it never gets flashed/updated - meaning the factory version is there to stay. Again, just a hunch though.
I doubt it's Internet-based at all - as I mentioned, it seems like Android had no clue why eSIM registration was failing, making it seem like a firmware thing.
Regardless, thanks so much for the offer! I'll give it a shot when you upload your modem image.
BigBoy47 said:
Thing is, I couldn't find the modem.img anywhere in the official factory images, leading me to believe that it never gets flashed/updated - meaning the factory version is there to stay. Again, just a hunch though.
I doubt it's Internet-based at all - as I mentioned, it seems like Android had no clue why eSIM registration was failing, making it seem like a firmware thing.
Regardless, thanks so much for the offer! I'll give it a shot when you upload your modem image.
There is no modem.img in the factory image even if you extract the image .zip to get boot.img, etc. Clearly, it gets installed as part of one of the other files. I am not on stock, or I would try a pull.
BigBoy47 said:
Thing is, I couldn't find the modem.img anywhere in the official factory images, leading me to believe that it never gets flashed/updated - meaning the factory version is there to stay. Again, just a hunch though.
I doubt it's Internet-based at all - as I mentioned, it seems like Android had no clue why eSIM registration was failing, making it seem like a firmware thing.
Regardless, thanks so much for the offer! I'll give it a shot when you upload your modem image.
Radio.... img is the modem image you're looking for. You'll find it in the root folder after you've extracted the factory image.
This will be a list of firmware sources and a bit of explanation of the different firmware versions and builds. This information has been gathered over the past few weeks, mainly by helping others to find the proper stock ROMs.
First of all, there seem to be multiple regions that have different firmwares, and there seem to be different software channels per region or per region per provider (for instance vfeu vs reteu).
The phone model is XT2041-X where the X can stand for 1 to 4
The development name / moto name is called: Sofiar ( XT2041-1/3)
the development name for the US name is: Sofia ( xt2041-4 )
The easiest way to find the proper firmware would be via the Lenovo rescue and smart assistant ( LMSA)
you can download it from here: https://download.lenovo.com/consumer/mobiles/rescue_and_smart_v5.0.0.25_setup.exe
Since a few days support has been added to rescue the g8 power
you can download the current firmware for your device via the rescue page.
Manual selection of firmware sources:
So far, every source on the internet points to the lolinet mirror
see https://mirrors.lolinet.com/firmware/moto/sofiar/official/
US version: https://mirrors.lolinet.com/firmware/moto/sofia/official/
A 2nd source would be the Moto Updates Tracker, but I expect that everything you find there will appear on lolinet
US: https://t.me/s/MotoUpdatesTracker?q=#sofia
The rest of the world: https://t.me/s/MotoUpdatesTracker?q=#sofiar
so far I have not been able to find any other sources. I hope this helps a bit in downloading / finding the stock firmware for your phone.
If you find any other / better source, please let me know, I'll add it to this first post.
Thanks
I successfully updated mine and regained root.
I will post manual update guide later.
A side note: the following must be flashed in fastbootd (fastboot reboot fastbootd or adb reboot fastboot)
boot.img, recovery.img, vbmeta.img, super, dtbo.img
@mingkee Pls can you share manual update guide? THX
endva3 said:
@mingkee Pls can you share manual update guide? THX
There's a simple method using LMSA rescue method, but make sure you backup your phone because your phone will be wiped during the process.
Hi, I'm running into a little problem. I used the lolinet link to download the factory ROM for my Moto G Power (Best Buy unlocked, on Verizon). I downloaded the sofia VZW factory ROM first (thinking because I'm on Verizon). I used Magisk to patch the boot.img and fastbooted it. After reboot, I lost the touch screen and cell service -- could not unlock the phone. So I thought no big deal, I'll just reflash the unpatched boot.img from the sofia retus ROM this time. However, I still do not have touch screen. Does anyone have the factory boot.img for QPM30.80.50-1 that originally came with this G Power? Thanks in advance.
quangtran1 said:
Hi, I'm running into a little problem. I used the lolinet link to download the factory ROM for my Moto G Power (Best Buy unlocked, on Verizon). I downloaded the sofia VZW factory ROM first (thinking because I'm on Verizon). I used Magisk to patch the boot.img and fastbooted it. After reboot, I lost the touch screen and cell service -- could not unlock the phone. So I thought no big deal, I'll just reflash the unpatched boot.img from the sofia retus ROM this time. However, I still do not have touch screen. Does anyone have the factory boot.img for QPM30.80.50-1 that originally came with this G Power? Thanks in advance.
You may have patched an unmatched build number.
Solution: flash full ROM
LMSA rescue is the simplest method but it will wipe the phone
Thanks! That was what I ended up doing.
Is it possible to change fw xt2041-3 (PAHF0004PL) to XT2041-3 (PAHF0006GB)? I'm on the PL version (Android security January 2020) and the GB version is May 2020. If possible, must the bootloader be unlocked? Can it be changed via any tool (mototool) or via adb commands?
Anyone have the boot.img for QPMS30.80-51-3?
I can't download the latest May update from their server. For some reason the download link expired a few days after. So if anyone has another link or can just hook it up with the boot.img please
I couldn't get it with the rescue app either, it was a lower version.
EDIT
Found it here
https://forum.xda-developers.com/showpost.php?p=82865201&postcount=73
Some lessons learned
pjottrr said:
The easiest way to find the proper firmware would be via the Lenovo rescue and smart assistant ( LMSA)
you can download it from here: https://download.lenovo.com/consumer/mobiles/rescue_and_smart_v5.0.0.25_setup.exe
Since a few days support has been added to rescue the g8 power
you can download the current firmware for your device via the rescue page.
In my case, you in fact cannot exactly download the "current" firmware via the rescue page - the phone's updater app thinks QPM30.80-51-3 is the latest version, but the rescue app installs the newer QPM30.80-109. Both are 5/1/2020 security patch level, but the boot.img files are most certainly not interchangeable.
I ended up in a bootloop which I had to rescue the phone to escape. I'd advise anyone wanting to root this phone to just rescue it first.
Also it's essential that you install the Motorola Device Manager/USB drivers in addition to LRSA, otherwise LRSA will incorrectly insist your phone is not in fastboot flash mode if you have to resort to rescuing from fastboot mode.
Finally, the rescue process will not work from a Windows VM under KVM, whether you have the USB device redirected or shared with the host. You need Windows running on bare metal.
Hope this saves someone the hours of annoyance I just went through trying to unbrick the damn thing.
Can jump from a carrier Rom to a unlocked version? And if yes, what's the unlocked phone rom? Cause I only see carrier versions.
Mikael1013 said:
Can jump from a carrier Rom to a unlocked version? And if yes, what's the unlocked phone rom? Cause I only see carrier versions.
Switching from a carrier rom to an unlocked version won't SIM unlock a phone (at least not to my knowledge), if that's your objective. But if you're looking to switch the retail flavor rom, try RETUS, specifically XT2041-4_SOFIA_RETUS_10_QPM30.80-13-2_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip.
rlrevell said:
In my case, you in fact cannot exactly download the "current" firmware via the rescue page - the phone's updater app thinks QPM30.80-51-3 is the latest version, but the rescue app installs the newer QPM30.80-109. Both are 5/1/2020 security patch level, but the boot.img files are most certainly not interchangeable.
I ended up in a bootloop which I had to rescue the phone to escape. I'd advise anyone wanting to root this phone to just rescue it first.
Also it's essential that you install the Motorola Device Manager/USB drivers in addition to LRSA, otherwise LRSA will incorrectly insist your phone is not in fastboot flash mode if you have to resort to rescuing from fastboot mode.
Finally, the rescue process will not work from a Windows VM under KVM, whether you have the USB device redirected or shared with the host. You need Windows running on bare metal.
Hope this saves someone the hours of annoyance I just went through trying to unbrick the damn thing.
Also a good word of advice before flashing a boot.bin
run the command
fastboot boot boot.bin
or whatever your boot.bin is called
Then you can test your patched file before patching it. Also even better once you get into Android you can open MAGISK and use direct install
TNS201 said:
Also a good word of advice before flashing a boot.bin
run the command
fastboot boot boot.bin
or whatever your boot.bin is called
Then you can test your patched file before patching it. Also even better once you get into Android you can open MAGISK and use direct install
I've never actually had this work on any device I've tried to root. Command not implemented or some such error was always the result. Does it work for you on this device?
The download link for the latest Google Fi firmware works again if anyone wants to grab it before it expires...again heh.
SOFIA_RETAIL_QPMS30.80-51-3
CodyF86 said:
The download link for the latest Google Fi firmware works again if anyone wants to grab it before it expires...again heh.
SOFIA_RETAIL_QPMS30.80-51-3
Do you have stock boot IMG by any chance? Thx in advance
freddienuxx said:
Do you have stock boot IMG by any chance? Thx in advance
sofia_80-51-3boot.img
CodyF86 said:
sofia_80-51-3boot.img
Thx man
rlrevell said:
I've never actually had this work on any device I've tried to root. Command not implemented or some such error was always the result. Does it work for you on this device?
Yeah, when you are in bootloader with the phone attached to the PC it should work
It worked on my pixel 2 xl and this phone
Does anybody have this file available? (Sorry for the spaces, I can't post a link...). The download link has expired.
t.me /motoupdatestracker/ 2752
filename: SOFIA_RETAIL_QPMS30.80-51-5_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip
What's the difference between that and RETUS on lolinet? Is there any? Reason I'm asking is that I don't have any radios after that OTA (Google Fi) and flashing the boot.img from RETUS QPMS-30.80-51-5.
I think I understand the idea behind the device-specific Treble system, and the device-agnostic GSI images, which can work on any phone that has Treble. The app "Treble Check" says that the Sony Xperia 10 III is fully supported.
Here's my questions / educated guesses, please tell me if they're wrong or right:
1. This phone already comes with a Treble-compliant hardware layer (kernel+drivers) and GSI-compliant user-facing ROM, directly from Sony.
2. I can install any other GSI ROM (or from XDA) as long as it's an A/B arm64 ROM, and the hardware should work perfectly.
3. Can the phone still get OTA vendor updates for the hardware stuff after I unlock the bootloader/install a 3rd party GSI, or do I have to get the new images and flash them manually? Or do I get cut off from them altogether?
4. The original bootloader can take commands from the standard fastboot util in the Android SDK Platform Tools.
5. I understand I need to unlock the bootloader in order to be able to flash anything, but why is it necessary to overwrite the vbmeta partition?
6. Is the procedure to get Magisk working still patching the bootloader, regardless what GSI ROM I install?
7. Did anybody pass SafetyNet with Magisk and a 3rd-party GSI ROM? Can it be passed anymore after unlocking the bootloader?
8. I see there's no TWRP recovery for this device. Does it matter? Are there alternatives? In theory, if I have Magisk->root I can do pretty much anything so it doesn't sound like a big deal.
wirespot said:
1. This phone already comes with a Treble-compliant hardware layer (kernel+drivers) and GSI-compliant user-facing ROM, directly from Sony.
Yes.
wirespot said:
2. I can install any other GSI ROM (or from XDA) as long as it's an A/B arm64 ROM, and the hardware should work perfectly.
In theory. In practice it still depends on how the GSI ROM was implemented, there can still be issues.
wirespot said:
3. Can the phone still get OTA vendor updates for the hardware stuff after I unlock the bootloader/install a 3rd party GSI, or do I have to get the new images and flash them manually? Or do I get cut off from them altogether?
Not totally sure about this one. I think you don't get to install OTA updates anymore. You can probably download a new firmware with XperiFirm and flash pieces of it but no idea how that would work or what would happen.
wirespot said:
4. The original bootloader can take commands from the standard fastboot util in the Android SDK Platform Tools.
Yes. Sony did a great job going for standard things.
wirespot said:
5. I understand I need to unlock the bootloader in order to be able to flash anything, but why is it necessary to overwrite the vbmeta partition?
The original vbmeta partition contains a mechanism that checks for the other partitions to not be modified. The image downloaded from Google disables that mechanism, so you can put whatever you want on any partition.
wirespot said:
6. Is the procedure to get Magisk working still patching the bootloader, regardless what GSI ROM I install?
Yes, it's for the best. A large amount of what Magisk does is based on it being "hidden" from the regular system. Not just for hiding from SafetyNet, since you may not care about that with a 3rd party GSI ROM, but because keeping system modifications separate and keeping the original ROM is a very, very good practice.
wirespot said:
7. Did anybody pass SafetyNet with Magisk and a 3rd-party GSI ROM? Can it be passed anymore after unlocking the bootloader?
You can pass SafetyNet on the stock ROM, with unlocked bootloader and boot image patched to load Magisk. See my how-to guide. I don't know about 3rd party GSI ROMs.
wirespot said:
8. I see there's no TWRP recovery for this device. Does it matter? Are there alternatives? In theory, if I have Magisk->root I can do pretty much anything so it doesn't sound like a big deal.
I've looked into this some more. The biggest downsides seem to be inability to restore backups of the userdata, and inability to disable problematic Magisk modules. There are modules such as Magisk Bootloop Protector which will disable all modules if it detects a bootloop, but if the problem is not a bootloop and still prevents your access you're out of luck...
Please feel free to add more info.
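The "mechanism" in the vbmeta answer (question 5 above) is Android Verified Boot: the vbmeta image carries a signed header plus descriptors with the expected hashes of the other partitions, and the vbmeta.img that Google distributes for GSI use is one whose header flags switch verification off. The following is an added example, not from this thread or from Sony or Google tooling, that decodes those flags so you can see what a given vbmeta.img will actually enforce before you flash it. The header layout is libavb's AvbVBMetaImageHeader (256 bytes, big-endian) and the flag bit values are libavb's; the two sample images are constructed minimal headers with no descriptors or signature, and the helper names are mine.

```python
"""Inspect the AVB flags in a vbmeta image header.

Added example, not from the original thread or from Sony/Google tooling. The
header layout is libavb's AvbVBMetaImageHeader (256 bytes, big-endian); the
two sample images built below are constructed, minimal headers with no
descriptors or signature, just enough to show what the flags say.
"""
import struct

VBMETA_HEADER_FMT = (
    "!4s2L"   # magic "AVB0", required libavb version major/minor
    "2Q"      # authentication / auxiliary data block sizes
    "L"       # algorithm type (0 = NONE, i.e. unsigned)
    "2Q"      # hash offset, size
    "2Q"      # signature offset, size
    "2Q"      # public key offset, size
    "2Q"      # public key metadata offset, size
    "2Q"      # descriptors offset, size
    "Q"       # rollback index
    "L"       # flags
    "L"       # rollback index location
    "47sx"    # NUL-terminated release string
    "80x"     # reserved
)
VBMETA_HEADER_SIZE = struct.calcsize(VBMETA_HEADER_FMT)  # 256 bytes

FLAG_HASHTREE_DISABLED = 1 << 0      # dm-verity is not set up for hashtree partitions
FLAG_VERIFICATION_DISABLED = 1 << 1  # vbmeta contents are not verified at all

ALGORITHMS = {
    0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096", 3: "SHA256_RSA8192",
    4: "SHA512_RSA2048", 5: "SHA512_RSA4096", 6: "SHA512_RSA8192",
}


def parse_vbmeta(blob):
    """Decode the header and report whether this vbmeta still enforces anything."""
    if len(blob) < VBMETA_HEADER_SIZE:
        raise ValueError("too short for a vbmeta header")
    fields = struct.unpack(VBMETA_HEADER_FMT, blob[:VBMETA_HEADER_SIZE])
    magic, major, minor = fields[0:3]
    if magic != b"AVB0":
        raise ValueError("not a vbmeta image (bad magic)")
    algorithm = fields[5]
    descriptors_size = fields[15]
    rollback_index, flags = fields[16], fields[17]
    release = fields[19].split(b"\0", 1)[0].decode("ascii", "replace")
    return {
        "libavb_version": f"{major}.{minor}",
        "algorithm": ALGORITHMS.get(algorithm, f"unknown({algorithm})"),
        "signed": algorithm != 0,
        "rollback_index": rollback_index,
        "flags": flags,
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "has_descriptors": descriptors_size > 0,
        "release": release,
    }


def verdict(info):
    """One-line reading of the parsed header, most permissive condition first."""
    if info["verification_disabled"]:
        return "verification disabled (flag 2): partitions covered by this vbmeta are not checked"
    if info["hashtree_disabled"]:
        return "dm-verity disabled (flag 1): hashtree partitions are not verified at runtime"
    if not info["signed"]:
        return "unsigned vbmeta (algorithm NONE): carries no trust on its own"
    return "verification enabled"


def make_vbmeta(flags, algorithm, release=b"constructed sample"):
    """Constructed minimal header (no descriptors, no signature) for demonstration only."""
    zeros = (0,) * 10  # the five offset/size pairs
    return struct.pack(VBMETA_HEADER_FMT, b"AVB0", 1, 0, 0, 0, algorithm,
                       *zeros, 0, flags, 0, release)


# Constructed samples: a stock-like signed header, and the "disabled" flavour
STOCK_LIKE = make_vbmeta(0, 1)
DISABLED = make_vbmeta(FLAG_VERIFICATION_DISABLED, 0)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DISABLED
    info = parse_vbmeta(blob)
    for key, value in info.items():
        print(f"{key}: {value}")
    print(verdict(info))
```

Point it at a real file with `python vbmeta_flags.py vbmeta.img`. A stock vbmeta parses as signed with flags 0 and descriptors present; a "disabler" image parses as algorithm NONE with flag 2 set and nothing else in it, which is exactly why flashing it lets any modified partition boot, and why it is the state you want to reverse (by restoring the stock vbmeta) before trusting the device again.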