[GSM/CDMA] HOW TO Install a ROM From Scratch - XT910, XT912 - Motorola Droid RAZR

I am putting this together because, after three weeks of study and four days of full-time work I have finally pulled together the information needed to do this. I will also offer a lead on how to make your phone a Development phone. Sorry, no pictures or vids for the kids, just solid useful information.
You will start with an XT910 or XT912 which is locked to a carrier somewhere in the world. To unlock you must buy an unlock code from one of the sellers on eBay. This will cost from 49 cents to 5 dollars, depending on your phone. I assumed that all the sellers could get all the codes, so I bought the cheapest one and sent him my IMEI. He responded that he does not do Motorola and refunded my 49 cents. So I found a seller who does the XT910, and bought his cheapest auction (for an Atria unlock code). He responded that I had bought the wrong auction as I have an XT910. So I ended up having to buy his XT910 unlock auction and got the code. Now the phone will work with any GSM carrier in the world.
Next is the firmware. I knew the phone is running Gingerbread because in Settings|AboutPhone it said the Android version is 2.3.6. I wanted to upgrade to Ice Cream Sandwich (4.0.4) or higher, and to the MIUI ROM which I've used happily for a year. I went through the (scattered) RSD instructions to flash ICS, but it always failed on the first file. I finally discovered that the RSD method does not work with many phones at v2.3.6, so I went to an alternative method developed by kholk, which I'll describe here. This method will work when others fail.
The first thing to know is that I'm a Linux type, but kholk also offers a Windows method which I have not tested. His Linux script has a few bugs, which I have corrected in the script attached hereto. Also his Linux fastboot binary is an older version which can not handle the larger image sizes we have now, so I have attached hereto a newer one whose source code was recently leaked from Motorola.
The next thing to know is that when posts mention "Fastboot files" they mean the ROM image files which are divided so they can be installed with the fastboot executable. OTA files are not the same, nor are they desirable. I gather that an OTA file is installed -after- the fastboot files, and provides an incremental upgrade.
Stock and ICS fastboot image files for our phone are here:
http://sbf.droid-developers.org/umts_spyder/list.php
I am in Seattle, WA, and I bought my phone on eBay locked to Rogers Canada. So I and my phone are in the North American region. My stock Rogers is 'Rogers Canada' Gingerbread v2.3.6:
Rogers_XT910_SignedLATAM_167-SLC-M33.1_P042_A014_CFC_1FF_fastboot.xml.zip
http://sbf.droid-developers.org/umt...-SLC-M33.1_P042_A014_CFC_1FF_fastboot.xml.zip
My Rogers ICS is 'Unknown Carrier' Ice Cream Sandwich v4.0.4:
6.7.2-180_SLC-35_R02_SIGNLATAM_SPYDERICSROGERS_P012_A012_HWp2b_CFC_fastboot.xml.zip
http://sbf.droid-developers.org/umt...CSROGERS_P012_A012_HWp2b_CFC_fastboot.xml.zip
North American users, use these. If you're in Europe you want the Central Europe image, ninth from the bottom, for ICS.
It's important to understand that the software you have in the phone at the moment, is "signed" for your specific region of the world. So you can not install a European image to a Canadian phone -- it will fail with "Preflash validation failure". The individual files you unzip from the image zip file will be transferred to their specific locations in the phone, -after- signatures are checked, to make sure you have files for the correct region.
So, choose your image file from the above list, unzip the image file, and put the fastboot executable and script in that resulting directory. I have modified the attached script to work for the Rogers images, basically by adding a couple files which were missing in the original script.
Side Bar: In the file list above, you will also find Development images, and if the fastboot executable could be rigged to ignore signatures, you could install the Dev image and voila, have yourself a development phone! The fastboot source code is available, so maybe some talented coder could make that (dangerous) change. This is dangerous because a n00b could flash a Euro image on his Canadian phone and it wouldn't work. (This error is easily reversible by flashing the right image)
Comment by Vatazhka: The signature check is implemented in the bootloader. Unauthorized image gives preflash validation error and causes the bootloader to stop booting with an appropriate message. Moreover, the bootloader can't be unlocked as it lacks support for appropriate fastboot commands. The only way to get around these restrictions is to get a Motorola-signed version of a bootloader which doesn't implement checks, which luckily happened to Atrix guys (Clueless Motorola employees put it into a regular SBF, which was subsequently leaked.).
- Make sure your phone is --fully charged-- or else it could run out of battery and leave you with an expensive brick.
Comment by Vatazhka: There are $6 cables to repair bricked devices with no juice left on eBay. Been there, done that. It's the standard USB data cable with two pins shorted and ideally should also include a resistor to bring voltage from 5 V supplied by USB down to 3.8 V as supplied by the battery.
- Put the phone in fastboot mode by turning off, then holding Vol+- and power on. Select Fastboot and Vol+.
- Connect the -original- USB cable (some USB cables do not have data lines, only power, and you must have data lines for this) and connect to your computer. On the phone Fastboot screen it should say "Connected" at the bottom.
- On the Linux computer in a Terminal window, cd to the image directory and
# ./FlashLNX.sh
It should flash away with no errors. The phone will reboot and you'll get the Android with rotating polyhedral heart; it will reboot a couple more times and you have ICS!
- Root the phone.
- If you have an XT910, for Recovery you want BootMenu Manager, and if an XT912 you want SafeStrap. Install from the Market. You MUST NOT jump the gun and try to install BMM or SS to Gingerbread. It will brick you. Get up to ICS, then lay down your recovery. Comment by Vatazhka: Not true. SS2 and SS3 can be installed to both XT910 and XT912 (just be sure to install the correct SS2 variant). Developer of BMM actually owns an XT909, which is similar to XT912, and uses BMM on it. Simply choose the one which works with a given firmware (Hopefully this will be solved soon, so you could install whichever suits you, not the firmware.). One caveat: If you intend to try or install MIUI, it WILL NOT WORK with SafeStrap. You need BMM (which includes CWM) for MIUI.
- Now flash whatever image you want.
http://forum.xda-developers.com/showthread.php?t=1792955
I like MIUI:
http://forum.xda-developers.com/showthread.php?t=1756659
- If you ever want to go back to stock, just use the above process and flash GB 2.3.6.
Comment by Vatazhka: This is usually not possible. Most ICS updates bump some of the partition version counters which are stored in the "partition table", which doesn't allow you to go back. You can forget about resetting it - there is a digital signature (eFuse as well?) on guard again. You can only flash partition images with version number which is not lower than embedded in the "partition table".
I'm also not sure about this fastboot update stuff, but I may have used different fastboot variants which haven't had this implemented.
- If you install MIUI directly to the first slot by rebooting to Custom Recovery and installing zip, you will lose Custom Recovery when done so it needs to be reinstalled. The newer MIUIs do not come with GApps (this Play) so you have to get them here:
http://www.miuiandroid.com/community/forums/miui-weekly-rom-releases.103/
... and get BMM here:
http://forum.xda-developers.com/showthread.php?t=1720351
Since I don't have phone service yet I downloaded these to my PeeCee, put them on a microSD card and popped them into the phone. Install BMM with File Manager, and use it to reboot to Custom Recovery to install GApps. Then I used Titanium Backup to remove all G**gle apps except for Play, Framework, and one or two others. (I don't trust the Greatest Data Mining Operation In The History Of The World) Speaking of which, I always install DroidWall and only allow the minimum apps to access The Internets.
Then I used BMM to install CM10 JB to the second slot, just for fun. So now I have dual-boot! MIUI and CM10. Either one can be set to default. Caution though, for the zip you will install to the second slot you must convert it, as per the link above. The resulting file will begin with BM, and -that- is the one you will install. At the same time you can add GApps to be installed right after the ROM. You can -name- your two bootable OS' like this: BMM|BootMenuSettings then tap the very name and a cursor will come up. Delete and rename; Mine are MIUI 2.10.19 ICS and CM10 16.56.44 JB.
MIUI is already rooted, always.
One pleasant surprise in all this is that the new ICS MIUI Backup app does recognize old GB MIUI Backup savesets. I had to install Android Terminal and cp -r them over by hand, but it did restore all my old logs, SMS, apps, etc, thankfully.. I notice that the new MIUI Backup offers Encryption! Well, this really means that you are enabling backups to their "Cloud". In Red China. Where they can pore over your contacts, texts, logs, calls, and friends at their leisure. Encryption? Pshaw. ('shared key') Velly ingenirous.
Recommended apps: DroidWall, AdFree, Snowstorm, RadarNOW!
Some additional tips:
To reboot the phone and put it in FASTBOOT mode.
# adb reboot bootloader
To reboot the phone and put it in RECOVERY mode. Still need to push Vol up + Vol down to use the stock recovery.
# adb reboot recovery
For normal reboot
# adb reboot
For OTA updates (normally not needed), try
# fastboot update ota_update.zip
If low battery and not flashed:
1. Connect your phone using ORIGINAL USB cable to ORIGINAL wall charger
2. Press and hold both Vol+ and Vol- buttons at the same time and then press and hold Power button until bootloader menu appears with Normal boot already highlighted
3. Use Vol- to highlight BP Tools and press Vol+ to select it
4. Screen with red M will appear followed by a screen with the battery and number underneath showing how much charge your battery has now which means phone is now in the battery charge only mode
5. Wait for a battery to charge which should take over 3 hours
CAUTION: This method will FAIL if you have not completely flashed the system image. When your battery gets down to about 1/3, fastboot will refuse to flash images and you'll be screwed. There is no way to charge it unless it's booted. If you get in this predicament like I was, put your phone on a hot item, like a laptop power brick, and pray it recovers the battery enough to flash at least system and boot images. Flash them manually (copying lines in the script) if you have to.
Much gratitude to kholk, eval-, and to Jack'O who got me through this.

Well done dude.
Sent from my XT910 using xda premium

Thanks for your help and support Jack'O.
This thread already has 248 views in its first hour of life, LOL.

Wow, that's one comprehensive guide. Just a few corrections:
Side Bar: In the file list above, you will also find Development images, and if the fastboot executable could be rigged to ignore signatures, you could install the Dev image and voila, have yourself a development phone! The fastboot source code is available, so maybe some talented coder could make that (dangerous) change. This is dangerous because a n00b could flash a Euro image on his Canadian phone and it wouldn't work. (This error is easily reversible by flashing the right image)
The signature check is implemented in the bootloader. Unauthorized image gives preflash validation error and causes the bootloader to stop booting with an appropriate message. Moreover, the bootloader can't be unlocked as it lacks support for appropriate fastboot commands. The only way to get around these restrictions is to get a Motorola-signed version of a bootloader which doesn't implement checks, which luckily happened to Atrix guys (Clueless Motorola employees put it into a regular SBF, which was subsequently leaked.).
- Make sure your phone is --fully charged-- or else it could run out of battery and leave you with an expensive brick.
There are $6 cables to repair bricked devices with no juice left on eBay. Been there, done that. It's the standard USB data cable with two pins shorted and ideally should also include a resistor to bring voltage from 5 V supplied by USB down to 3.8 V as supplied by the battery.
- If you have an XT910, for Recovery you want BootMenu Manager, and if an XT912 you want SafeStrap. Install from the Market. You MUST NOT jump the gun and try to install BMM or SS to Gingerbread. It will brick you. Get up to ICS, then lay down your recovery.
Not true. SS2 and SS3 can be installed to both XT910 and XT912 (just be sure to install the correct SS2 variant). Developer of BMM actually owns an XT909, which is similar to XT912, and uses BMM on it. Simply choose the one which works with a given firmware (Hopefully this will be solved soon, so you could install whichever suits you, not the firmware.).
- If you ever want to go back to stock, just use the above process and flash GB 2.3.6.
This is usually not possible. Most ICS updates bump some of the partition version counters which are stored in the "partition table", which doesn't allow you to go back. You can forget about resetting it - there is a digital signature (eFuse as well?) on guard again. You can only flash partition images with version number which is not lower than embedded in the "partition table".
I'm also not sure about this fastboot update stuff, but I may have used different fastboot variants which haven't had this implemented.
Sent from my XT910

Thanks Vatazhka, I've added your remarks.

So what carrier are you going to use it with? Prepaid of some sort?
Sent from my XT912 using xda app-developers app

N, TMobile USA. It was locked to Rogers Canada but I unlocked it. It's working great. Been with TMo for seven years, and this time I asked them for a credit to buy the phone. (Last contract renewal I got $100 for the Nexus One) They wouldn't give me cash, but put me on a new "Value" plan with unlimited everything and $25 less than I've been paying, for $64/mo. Saving $25/mo over two years works out to alot more than the $280 I paid for the phone.
Here in Seattle we have HSPA+ and I've got fast internet. Supposed to have LTE next year, but HSPA+ is fine. TMo is moving everything to 1900MHz as fast as they can for iPhone compatibility, so we benefit.
Voice quality on this phone is far better than any HTC. The screen is so large I'm not used to it. Concerned that when I sit down I'll crack it in my back pocket, or it will slip out.
MIUI only allows 4x5 icons on the screen and I think I could use 5x7 so I've posted a request on miuiandroid.com.

Thanks
i want to upgrade my just bought vzn razr xt912 to ics and want to use as gsm phone here in india
can anyone help
which ICS ota file should choose from the list mentioned at the OP
and how to proceed.
regards

Get the one for Verizon Droid RAZR XT912.
Sent using a touch screen
Written on a touch screen

Related

[Firmware] Razr XT910 bricked. OMAP4430 in Device Manager.

Title pretty sums it all. Need some advice and some crazy ideas to try. Anyone?
p34c3m4k3r said:
Title pretty sums it all. Need some advice and some crazy ideas to try. Anyone?
I've done a fair bit of this stuff, and ended up having to send my phone into warranty before.
There is a program called OMAPFlash which motorola uses, and they send off the correct signed firmware onto the device. I was only able to get so far. Your device must have bricked when you were writing the mbmloader...
You need to write the mbmloader. Let me see if I can find anything for you.
Who is the carrier of the phone?
danifunker said:
I've done a fair bit of this stuff, and ended up having to send my phone into warranty before.
There is a program called OMAPFlash which motorola uses, and they send off the correct signed firmware onto the device. I was only able to get so far. Your device must have bricked when you were writing the mbmloader...
You need to write the mbmloader. Let me see if I can find anything for you.
Who is the carrier of the phone?
Thanks for the reply. I bought it unlocked. Managed to find omapflash, but only for windows. Did you find it for linux?
About the device...
- If I plug it in, the white light comes up, for sometime, then shuts off. During this period there is no activity on the usb bus.
- If I plug it in, and press power, the light shuts off and the unit starts being recognized as OMAP4430.
- I tried usbboot from the LG session, since there are some models that use the same cpu. No go. Couldn't upload the code.
- One thing to notice, the file called by OMAP MLO, that carries the signed code, is mbmloader_xx.bin. Tried also with usbboot. No go.
- Formatting a 4GB SD with a GPT partition table and two partitions: FAT32 and EXT3 respectively, copying the mbmloader_hs.bin as MLO and mbm.bin as u-boot.bin, to the first partition and trying to boot. No go.
- Using a Windows pc with Windows XP SP3 and the Motorola suite + the OMAP driver, didn't do anything. The phone keeps resetting the bus and it's just recognized as a device without any communication ports.
I have some spare time & I will keep trying even the most crazy ideas. I don't think it's something so complex. I have a DD backup of some partitions by the way.
Peace.
I have restored a RAZR XT912 from such a state using the Linux omap_flash binary and a boot loader repair kit that includes the pbrdl.bin and brdl.bin needed to make the TI OMAP device be recognized by adb and then fast boot can flash the mbmloader.bin and mbm.bin.
These files are specific to the device and we have kits for the XT912, XT894, XT875 and XT862.
We do not have them for the XT910 unfortunately, and everything we know about them indicates they are hardware and boot loader revision specific files and not at all cross compatible. Given that you have no other choice and a completely bricked device, it may be worth considering trying the files anyway.
You seem very well versed in the techniques required and would have an excellent chance of success if it works at all.
You may want to use the mbmloader.bin and mbm.bin from available XML.zip firmware files that are current for your device as those will definitely be the right files for the phone rather than the XT912 versions. If you are lucky, the pbrdl.bin and brdl.bin may be compatible and flash successfully.
The procedure is like that which you have attempted and much easier than trying uboot from sdcard, which would not work from my understanding.
You must have a factory cable though, to power the device directly and that initializes a timed event during which the TI OMAP device is presented to the usb interface.
You run lsusb to be sure it's there and then quickly run the first command with omap_flash and then the subsequent commands with fast boot.
If you are successful you will see the boot loader come up after brdl.bin is flashed and then fast boot the mbmloader.bin and mbm.bin and reboot.
If you PM me I will send you links to the files.
Good luck! This should be very interesting, but I have my doubts that the RDL files will be compatible.
cellzealot said:
I have restored a RAZR XT912 from such a state using the Linux omap_flash binary and a boot loader repair kit that includes the pbrdl.bin and brdl.bin needed to make the TI OMAP device be recognized by adb and then fast boot can flash the mbmloader.bin and mbm.bin.
These files are specific to the device and we have kits for the XT912, XT894, XT875 and XT862.
We do not have them for the XT910 unfortunately, and everything we know about them indicates they are hardware and boot loader revision specific files and not at all cross compatible. Given that you have no other choice and a completely bricked device, it may be worth considering trying the files anyway.
You seem very well versed in the techniques required and would have an excellent chance of success if it works at all.
You may want to use the mbmloader.bin and mbm.bin from available XML.zip firmware files that are current for your device as those will definitely be the right files for the phone rather than the XT912 versions. If you are lucky, the pbrdl.bin and brdl.bin may be compatible and flash successfully.
The procedure is like that which you have attempted and much easier than trying uboot from sdcard, which would not work from my understanding.
You must have a factory cable though, to power the device directly and that initializes a timed event during which the TI OMAP device is presented to the usb interface.
You run lsusb to be sure it's there and then quickly run the first command with omap_flash and then the subsequent commands with fast boot.
If you are successful you will see the boot loader come up after brdl.bin is flashed and then fast boot the mbmloader.bin and mbm.bin and reboot.
If you PM me I will send you links to the files.
Good luck! This should be very interesting, but I have my doubts that the RDL files will be compatible.
Thanks a lot for your reply and the technical insights! I appreciate your effort.
:good:
Can you tell me the difference between those 2 files? brdl and pbrdl? Are those OMAP model specific?
Yesterday I was able to make omapflash in Windows recognize the device but I need the address of the mbmloader.bin and mbm.bin in the emmc. I think it's the only part missing in my puzzle. The omap4430, according to the specs, first looks for MLO and u-boot.bin when you turn it on. Is the cpu rom somehow modified to look for mbm and mbmloader, by motorola? Using a hex editor you can find the string "MLO" right in the beginning of "mbmloader_hs.bin" and "mbmloader_ns.bin". Does it mean anything related to this matter? I still don't know why motorola provides a secure and non-secure loaders with the firmware package of a phone that "theoretically" can't be unlocked.
I tried uart over the p2_stereo headphone port without success a couple minutes ago.
I will be looking for the service cable in case my battery drained below the specs for the flashing process.
Thanks to cellzealot and danifunker for your replies and your time.
Peace.
PS: I searched for omap_flash binary for linux all over without success, let alone the source code, of course.
I think the OP has some good news to announce and will be posting up how he successfully repaired the bootloader on his XT910 using the files I sent him from the XT912 repair kit. This is very good news and will be very useful for other users with corrupt bootloader devices.
Thank you cellzealot, Once again a great contribution to the community from you !
Nice upload tutorial
Sent from my MZ601 using XDA Premium HD app
As is often the case with these things, many people had a hand in this solution and the files and methods came from various sources.
I think the number of people who manage to corrupt the bootloader is actually quite small, but it is nice to have the right tools and files to fix it if and when the situation arises.
The bootloader repair kit files themselves are Level 4 access Motorola internal files and the Linux binary was posted by a user in a thread on the Bionic XDA forum.
We originally received the level 4 repair kits in bare form without any instructions whatsoever nor the proper binaries to use, and we were rather confused as to what they were.
Being unfamiliar with the two critical components pbrdl.bin and brdl.bin, we assumed they were to be flashed in fastboot and the kits also included the allow_mbmloader_flashing_mbm.bin (which is not actually required to complete the procedure).
In light of all this and rampant rumors about an engineering bootloader that was unlockable, we very unwisely gave in to the temptation after examining them to imagine these were those secret files, and I quickly hosed a friend's Razr that he had lent me for testing GSM stuff on by writing the pbrdl.bin to the mbmloader partition with fastboot !
Fast forward months later after many attempts to recover the device with the Windows binaries and a set of instructions that we received after the fact, and finally the Linux binary surfaced in the Bionic thread and it all fell together.
The key is the Linux binary because the Win binaries and device interfaces are so glitchy. In 32bit Ubuntu everything just works and the timed event is just long enough to perform the required initial command with the omapflash-lnx binary that then allows adb and fastboot to do the rest.
So, as I said...many hands and many missteps later to arrive at success.
It's very gratifying that this can be applied to the XT910 as well and as I told the OP in PM, I would like to have him write up what he did in this case as it may differ somewhat from my experience.
I expect he will do that very shortly and we can post the files as well.
Good to know these files are applicable to RAZR XT910.
cellzealot said:
I think the OP has some good news to announce and will be posting up how he successfully repaired the bootloader on his XT910 using the files I sent him from the XT912 repair kit. This is very good news and will be very useful for other users with corrupt bootloader devices.
cellzealot, sorry for the delay and I didn't forget the topic. Have been busy lately. I will update it later today.
Peace.
:good:
I created a specific topic on the "Development Section". Go take a look and leave some feedback if you like it.
Peace.
:good:
cellzealot said:
I have restored a RAZR XT912 from such a state using the Linux omap_flash binary and a boot loader repair kit that includes the pbrdl.bin and brdl.bin needed to make the TI OMAP device be recognized by adb and then fast boot can flash the mbmloader.bin and mbm.bin.
These files are specific to the device and we have kits for the XT912, XT894, XT875 and XT862.
We do not have them for the XT910 unfortunately, and everything we know about them indicates they are hardware and boot loader revision specific files and not at all cross compatible. Given that you have no other choice and a completely bricked device, it may be worth considering trying the files anyway.
You seem very well versed in the techniques required and would have an excellent chance of success if it works at all.
You may want to use the mbmloader.bin and mbm.bin from available XML.zip firmware files that are current for your device as those will definitely be the right files for the phone rather than the XT912 versions. If you are lucky, the pbrdl.bin and brdl.bin may be compatible and flash successfully.
The procedure is like that which you have attempted and much easier than trying uboot from sdcard, which would not work from my understanding.
You must have a factory cable though, to power the device directly and that initializes a timed event during which the TI OMAP device is presented to the usb interface.
You run lsusb to be sure it's there and then quickly run the first command with omap_flash and then the subsequent commands with fast boot.
If you are successful you will see the boot loader come up after brdl.bin is flashed and then fast boot the mbmloader.bin and mbm.bin and reboot.
If you PM me I will send you links to the files.
Good luck! This should be very interesting, but I have my doubts that the RDL files will be compatible.
cellzealot, I have a question here.
Would it be possible to use your repair kit for the XT912 to flash a new, freshly compiled mbmloader.bin in order to completely replace the locked Motorola bootloader with an unlocked version? I understand that the source for mbmloader.bin is available in the repo's -- I would think that it would be a simple matter to compile & package an unlocked version and use your low-level OMAP4 utility to flash it onto the phone, thereby replacing the locked bootloader with a new unlocked version.
Or is there an even lower-level bootloader embedded in the device that checks mbmloader.bin for security at boot time? If so, would it be possible to replace THAT lower-level bootloader with an unlocked version in similar fashion to what I described? I am pretty new to this, but to my way of thinking, there has to be a way to get around Motorola's cryptographic verification of succeeding bootloader stages.
I have an off-contract Verizon XT912, running 9.8.20-72_VZW_16, that I am using as a test-bed for a new ROM I want to develop that will contain native real-time RSA voice encryption built right into the image as a part of the kernel or using a kernel module; I need to get rid of Motorola's entire scheme of cascading locked bootloaders in order to have the freedom to do the development I want -- once I have it developed, I can later implement locking for security purposes in my own bootloader.
Do you see any way that what I described about replacing Motorola's locked bootloader(s) can be accomplished?
Thanks in advance for any help you may be able to offer!
xt862 (droid 3 Verizon) repair kit (pbrdl.bin and brdl.bin) pleeeeease
Hi dear Cellzealot,
You are my last hope to unbrick my xt862 which just repeatedly connects and disconnects via USB as OMAP4430 device. (what I can view via dmesg). Also it apparently responds on ./omapflash-lnx pbrdl.bin from razor repair kit by instantly stopping to connect-disconnect and leaving in disconnected state (i.e. no more usb device via dmesg or lsusb). Also above command returns "OK XXXX bytes sent" in command prompt (what is another indicator that hardware is alive and just waits for bootloader). But so far I have understood from your post - above files are specific for each device. I even contacted Motorola US service centre but they refused me to provide above files saying they are not available publicly.
Thanks in advance,
With last hope,
Sergiy
PM sent with xt862 repair kit!
droid bionic bootloader repair kit
I tried repairing my bionic with the files I found on xda.. It boots to the AP fastboot screen but shows errors, can't flash with rsd lite. I would appreciate any help. thank you
pbrdl.bin for Defy (MB525)?
Hi Cellzealot and all,
I have a properly bricked Motorola Defy (MB525), which has a locked bootloader. Do you know if there's a signed pbrdl.bin (ie. USB 1st stage bootloader) in existence for this device? (I've tried sending it the droid file - it uploads OK but doesn't run).
Please could you point me in the right direction? Thanks!
(By the way, the Defy is an OMAP3630 device).

[Firmware] Recovery from a corrupted/misflashed bootloader.

First of all, ALL THE CREDITS go to CellZealot from TeamBlackHat !
This was only possible with the files that he provided!
I was just a simple "guinea pig" that killed a Razr testing theories about downgrading it back to Gingerbread ! :angel:
So lets, f.... do it.
<Warning> By continuing to read and deciding to start this procedure, YOU ARE ON YOUR OWN! I, CellZealot, TeamBlackHat & XDA-Developers WILL NOT be held responsible for any personal or material damage that might incur from the actions described here! That's your decision to go on, so deal with it! YOU ARE WARNED! <Warning>
Requirements:
- Stock ICS SBF fastboot firmware package. Google is your friend.
- a PC x86 computer with a usb port
- Linux operating system. (Ubuntu, Arch, Gentoo, Slackware, Debian, whatever distro you choose...)
- Linux O.S. knowledge. You must be familiar with the command prompt (Bash Shell) and the commands! That's up to you.
- This software package -> http://www.multiupload.nl/VL33M4I4A3
- The "fastboot" program from the Android SDK (latest version that you can find.)
- a software bricked Razr, that only shows itself as a "OMAP4430" device, under Win. "Device Manager", when plugged. Give it a try under a Windows computer, just to make sure.
- MicroUSB to USB cable. The one that came with your Razr.
- The Razr must be charged to the minimum the bootloader requires to enable the flashing process. There are other ways to charge your phone without the stock charger. You can search here on XDA for it.
PS: The factory service cable allows you to bypass the battery check by allowing the Razr to receive 5v straight from the usb port, as per CellZealot's explanation in the third post.
Optional but HIGHLY RECOMMENDED !
- a Motorola Factory/Service Cable. You can build your own or buy one! I recommend buying from "TeamBlackHat" as they make high quality cables and adapters! If you prefer, you can just buy the adapter and use your own MicroUSB cable with it.
About the expected end result: your Razr in FastBoot mode, ready to be flashed with a stock firmware.
<Procedure>
- download the package "spyder_bl.7z" and unpack it to an empty directory to avoid any confusion.
- you will end up with 3 files - "omapflash-lnx", "pbrdl.bin" & "brdl.bin"
- make the "omapflash-lnx" file executable
- plug the phone into the PC and press the power button for 2 seconds, till it appears as a "Texas Instruments" device under the usb list (lsusb) or in the kernel log.
Now you must be quick and start typing in this order:
sudo ./omapflash-lnx pbrdl.bin
sudo ./fastboot flash brdl brdl.bin
You should get an "Okay" status on both of them.
Check your Razr screen and it shall be on "FastBoot AP Mode". From here, you can keep flashing on Linux or boot up Windows and use RSD, which is more user friendly besides being GUI-Oriented.
Some facts about the 3 files: they are all files "signed" by Motorola, that's why they are safe to use. The OMAP4430 cpu on the Razr is factory programmed to only execute signed code, that's why we needed to find an exploit to execute unsigned code. Examples are KExec, Boot Manager & Safestrap. All of them are available here on XDA in their respective threads.
Peace.
:good:
PS: Do not thank me or my posts. This guide was only possible due to CellZealot support. You must thank him, if for some reason it helped you recover your phone. Copy that?
PS: Thanks also XDA-Developers for this amazing community!
EDIT: Corrected the part about the Factory Service Cable. It does not allow you to charge the Razr but rather supply the necessary juice for the phone to work without a minimum charge. Thanks again, CellZealot!!!
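Added example (not part of the original post and not CellZealot's or TeamBlackHat's tooling): the guide's two commands wrapped in a script that checks the files first, caches sudo credentials, and fires the moment the "Texas Instruments" device shows up in lsusb. The function names, the `--run` switch and the sample lsusb lines are assumptions made for this example; only the file names and the two commands come from the guide.

```shell
#!/bin/sh
# Added example: wrap the two recovery commands from the guide in a script that
# checks the files first and fires as soon as the boot-ROM device enumerates.
# Assumption: omapflash-lnx, fastboot, pbrdl.bin and brdl.bin are all in one directory.

# Constructed lsusb output for illustration; the IDs are placeholders.
SAMPLE_LSUSB='Bus 001 Device 001: ID xxxx:xxxx Linux Foundation 2.0 root hub
Bus 001 Device 007: ID xxxx:xxxx Texas Instruments, Inc.'

# Read lsusb output on stdin; print the first "Texas Instruments" line, fail if none.
ti_device_line() {
    awk '/Texas Instruments/ { print; found = 1; exit } END { exit !found }'
}

# Verify that everything the procedure needs is present before touching the phone.
preflight() {
    dir=$1
    missing=""
    for f in omapflash-lnx fastboot pbrdl.bin brdl.bin; do
        [ -f "$dir/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "missing in $dir:$missing" >&2
        return 1
    fi
    for f in omapflash-lnx fastboot; do
        if [ ! -x "$dir/$f" ]; then
            echo "$f is not executable; run: chmod +x $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# Poll lsusb until the device shows up or the attempts run out.
# A bricked phone may enumerate only briefly, so poll fast (fractional
# sleep works with GNU coreutils and busybox).
wait_for_omap() {
    tries=$1
    while [ "$tries" -gt 0 ]; do
        if lsusb 2>/dev/null | ti_device_line; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 0.2
    done
    return 1
}

recover() {
    dir=$1
    preflight "$dir" || return 1
    # Cache sudo credentials now so no password prompt lands inside the USB window.
    sudo -v || return 1
    echo "Plug in the phone and hold the power button for 2 seconds..."
    if ! wait_for_omap 150; then
        echo "no Texas Instruments device appeared" >&2
        return 1
    fi
    ( cd "$dir" &&
      sudo ./omapflash-lnx pbrdl.bin &&
      sudo ./fastboot flash brdl brdl.bin )
}

# Run only when asked to, e.g.: sh recover.sh --run ./spyder_bl
if [ "${1:-}" = "--run" ]; then
    recover "${2:-.}"
fi
```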
I've tried & failed to brick my phone~ It's now nearly impossible to brick this phone :good:
Just some notes from my journey,
pbrdl.bin only accept few commands... so no oem unlock
pbrdl.bin is 1st-loader for USB boot (mbmloader.bin is for NAND boot)
brdl.bin is just mbm.bin (motorola boot manager)
Thank you for the excellent writeup and for the recommendations for TBH Factory Cable/Adapters!
You are very welcome and congratulations on fixing your phone and being in a very exclusive club of users who have brought their devices back from the brink of the abyss...the truly bricked phone. Also big kudos for going to great lengths to research and attempt many complex means to fix a device you had broken yourself rather than returning it to your carrier under warranty. Your ultimate success is richly deserved.
A couple of points I wanted to clarify.
The Factory Cable/Adapter does not charge the device at all, but bypasses the battery and smart charging circuit altogether and powers the device directly by supplying +5v on pins 1 and 4. It will always power on the device no matter what state the battery is in or without a battery at all.
The other thing is that depending what the circumstances are that lead to the corrupt boot loader, restoring the device can be even easier and not require flashing the firmware.
In my case, I had specifically overwritten the mbmloader and as soon as I repaired that successfully the phone booted up perfectly fine and fully rooted with everything exactly as I had left it the night I hosed it!
cellzealot said:
Thank you for the excellent writeup and for the recommendations for TBH Factory Cable/Adapters!
You are very welcome and congratulations on fixing your phone and being in a very exclusive club of users who have brought their devices back from the brink of the abyss...the truly bricked phone. Also big kudos for going to great lengths to research and attempt many complex means to fix a device you had broken yourself rather than returning it to your carrier under warranty. Your ultimate success is richly deserved.
A couple of points I wanted to clarify.
The Factory Cable/Adapter does not charge the device at all, but bypasses the battery and smart charging circuit altogether and powers the device directly by supplying +5v on pins 1 and 4. It will always power on the device no matter what state the battery is in or without a battery at all.
The other thing is that depending what the circumstances are that lead to the corrupt boot loader, restoring the device can be even easier and not require flashing the firmware.
In my case, I had specifically overwritten the mbmloader and as soon as I repaired that successfully the phone booted up perfectly fine and fully rooted with everything exactly as I had left it the night I hosed it!
Thanks once again, my friend. Corrected as per your definition, the section about the FS Cable.
Peace.
:good:
Thank you for this valuable guide, it is a true unbricking solution for the RAZR. Some mirrors of the spyder_bl.7z file. Just in case
http://www.mediafire.com/?z5gp1ztvwj81qr4
http://www.4shared.com/archive/BtfH6ML8/spyder_bl.html
Sorry my english so bad
My droid razr can't to flash brdl.bin
Just show waiting device
How to fix it?
I'm has do all procedure...
Tq b4...
prue said:
Sorry my english so bad
My droid razr can't to flash brdl.bin
Just show waiting device
How to fix it?
I'm has do all procedure...
Tq b4...
Ehm...Why did you try this??? Have you read careful enough what this is about?? I'm pretty sure your problem can be solved much easier than this way. Depending on your problem you have with your device I suggest you to open up a new thread in general section (or Q&A Section) and ask for help. BUT:
Don't flash anything to your phone if you don't know exactly what you're doing!.
dtrail1 said:
Ehm...Why did you try this??? Have you read careful enough what this is about?? I'm pretty sure your problem can be solved much easier than this way. Depending on your problem you have with your device I suggest you to open up a new thread in general section (or Q&A Section) and ask for help. BUT:
Don't flash anything to your phone if you don't know exactly what you're doing!.
problem solved master
i'm forget to use latest version of fastboot
now my droid razr has startup normally
tq all...
but now get new problem device always on fastboot n show "recipe failed"
maybe you can help me 4 this case...
I have the same problem with another OMAP device, a Huawei U9500 (OMAP4440), but unfortunately your advice is not working.
After the message about sending a file, nothing happens; the phone does not enter fastboot mode.
Any advice?
Hi all! XT926 is here)
Tell me please can I restore bootloader on my xt926 through this method? Right now when i connect common usb cable to moto and type "lsusb" i see:
ID: 05c6:f006 Qualcomm, Inc.
But when I connect the cable on Windows, the device appears and disappears in the system (I can hear the sound) infinite time, until I remove the cable.

[ROM][KK][4.4.2][STOCK]Omate TrueSmart IRONMAN Firmware

KitKat for the Omate TrueSmart
Congratulations, you made it this far and managed to keep your unit alive long enough to upgrade it to the next level!
4.4.2 Changelog:
================
Fixed glitch in boot animation to make it smoother
BTLE profile and PAN profiles added
Full Settings Menu
Functional Accessibility Menu
Updated Wi-Fi Drivers, now supports ip6, ip4, and low-power mode
Updated GPS Drivers, lock-on after initial lock and AGPS update should be quicker
Kernel updated from 3.4.5 to 3.4.67, supports SELinux
Unlocked bootloader and insecure kernel allows for root access through SU
Google Play Services included
Google Talkback/Voice Search integrated
Fixed glitch where Voice Search would not complete spoken sentences
TWRP updated to 2.8.3.0 with full features and MTP support
Camera now operates at 5MP/720P without force closing
Security holes have been closed
MALI 400 drivers updated
Battery management integrated; after first boot battery readings should be accurate
Sound issues fixed; microphone should no longer sound muffled
Soft reset implemented, holding both buttons for 10-15 seconds should power down or reset unit
ART mode implemented, allowing for faster and more efficient performance
Known Issues:
=============
Sensors are non-functional until updated drivers are available (if they become available)
Settings is not accessible from status bar icon
1900MHz units are unable to access 3G data currently (if a modem becomes available this should change)
Bluetooth connectivity may occasionally drop out depending on data load
APNs are not automatically added
IMEI may be lost or corrupted after installation
Instructions:
=============
REQUIRED PROGRAMS:
1) SP FLASH TOOL
2) MTK DROID TOOL
3) WINDOWS OS XP or HIGHER
The All Tools suite for MTK devices can be found here:
MTK All Tools Suite
****** You must install the preloader drivers for your device using the 32-bit or 64-bit installer (dpinst) for your operating system before you continue. ******
I suggest making a full backup of your device either in TWRP or in MTK DROID TOOLS (1:1) to preserve valuable data or in case of a failed upgrade. You should always back up your IMEI/NVRAM in DROID TOOLS for safe-keeping and this is no different.
Download the full set of factory images here:
Omate 4.4.2 Factory Image RAR
Extract the contents of the ZIP file to a known directory and proceed to the next step.
Next, navigate to the Settings menu on your Omate TrueSmart and, under Accessibility, disable Quick Boot. This is the only way to enter Download mode reliably. With that completed, power down your watch.
Finally, open the scatter file (mt6572_scatter_emmc.txt) found in the directory you extracted the ZIP file to in SP FLASH TOOL and check to make sure each file is present. You may need to manually add the system.img and recovery.img. To do this, double click on the empty box and select the file.
Once you've made sure each file matches, go to the drop-down menu where it says "Download" and select "Firmware Upgrade". Take one last look to make sure every file is selected and press the Download button on the top left of the screen.
With the watch powered off, go ahead and plug it in. THEN WAIT. It will take between 5-10 minutes to fully upgrade your unit. You should see a red bar, then green, then purple, then yellow. If you get any error that says "BROM DLL ERROR" note down the error number and send me a message. If it gives you a green checkbox, you're done with this step.
Now you're ready to boot the watch. Press and hold the power button until it powers on. The first boot will take approximately 5 minutes to complete while it assembles all of the information. Once it finishes, power down the watch. Hold the home (bottom) button and press and hold the power (top) button simultaneously (at the same time). You'll see a recovery menu. Press the power button to boot into TWRP. From there, select "Wipe" followed by "Factory Reset". You will want to reset the watch to factory settings. You can either make a backup or go ahead and reboot the system.
Congratulations! You should now be on Android 4.4.2 for your Omate TrueSmart.
NOTES
=====
If you're missing APN information I suggest you either restore previously saved APNs or add them manually if they disappear. Currently 3G data will not work on 1900MHz units.
This firmware was designed for UMEOX smart watches operating on the x201-series MT6572 chipset. I am not responsible if you damage your watch because you flashed the firmware incorrectly or to the incorrect watch.
If you have any questions as to whether your watch is compatible, please message me.
It is IMPOSSIBLE to brick your watch if you are flashing this firmware. If for some reason you think your watch is bricked or you feel uncomfortable flashing this firmware you are welcome to send your unit to me (if you pay shipping) or I am available to help over Chrome Remote Desktop to flash it for you.
If you are having issues getting the firmware to work, please send the following information to me:
Watch Manufacturer
Date Received
Last Known Firmware
Case Material
And I will answer on a case-by-case basis to help you troubleshoot. I never make guarantees but I promise to help as much as I am able.
Finally, please take the time to thank the brave soul who voided his warranty to get me the prototype firmware for this. I won't reveal his name for security's sake, but he obtained a developer unit from another company who uses the x201 chipset and was kind enough to upload the system dump in September of last year. I would have presented this sooner to you guys, but until the method for flashing the S8 firmware was released I had no idea why I couldn't get it to work.
SPECIAL THANKS
==============
Laurent LePen, for giving me the tools from UNOVA to make this possible
@Dees_Troy, for having the patience to flash the firmware, assemble a system image, and update TWRP
Derek Serianni, for flashing his watch 42 times to test the firmware
Christos Vorkas, for testing SIM functions and the early firmware
@AdamOutler, for advice operating Linux and troubleshooting errors
The Anonymous Firmware donor, who voided his warranty and bravely e-mailed me about 1.5GB worth of files
XDA, for always having that clinch moment where someone has a breakthrough that helps the rest of us
KNOWN COMPATIBLE UNITS:
IconBit:
Callisto 100, 300
SimValley:
Pearl AW414, AW420/1
UMEOX
X201
Omate
TS-1/TrueSmart 512MB/4GB Edition
TS-1/1900MHz 1GB/8GB Extreme Edition
TS-1/2100MHz 1GB/8GB Extreme Edition
For Root, download Chainfire's latest SuperSU package and flash in TWRP:
SuperSU 2.44
Derek Serianni, for flashing his watch 42 times to test the firmware
I think that number is a lot higher actually..... but, 42 is quite fitting as this is now the answer to the ultimate question...
It has been an exciting couple of days testing and flashing.
Despite all the trial and errors, not once did the watch become unrecoverable.
If you load Google Now Launcher and the latest Google Search APK (and setting it up properly) you can use the "Ok Google" feature from the lock menu as well as in the OS.
I stopped wearing my LG G and am now wearing the TS daily....
Kudos for all the hard work!
I knew there was light at the end of the tunnel!
D.
Great job!
hi dan,
i have tried to flash this to my EU 1/8G Pre May Omate TS.
Watch Manufacturer - Omate
Date Received - Pre May
Last Known Firmware - EU Ensec Stock 0706
Case Material - Steel
A few questions:
1) the downloaded KK Omate rar file does not include UBOOT.BIN or a BOOT.IMG file. Am I supposed to leave it blank or use the UBOOT / BOOT IMG from my current Omate's backup?
EDIT: I have tried using the UBOOT.bin and BOOT.IMG from another KK thread but still run into the same "CheckSum Failed" error i mentioned below: http://forum.xda-developers.com/showpost.php?p=57433563&postcount=189.
2) under FLash Tool: the ANDROID file is usually blank - i have selected system.img from the rar file for the file to be flashed for this. Is this correct?
3) When flashing via FlashTool, about 27 seconds into the flash (I see a RED bar, then it changes to a couple of BLUE "Read Back" bars), I keep getting an error saying "CheckSum Failed". I have tried redownloading the KK Omate rar file and trying again but to no avail.
EDIT: I have tried with different ports, different cables, including cleaning the Omate TS's ports with no luck. Just prior to the flash, i was able to do a full backup so it does seem strange and does not seem specific to the cables/ports/contacts on the TS.
UPDATE: Seems to be working - TRY Flash Tool v3.1332 instead of the latest V5.1352. It is now flashing fine as mentioned by Dan.
FINAL: My TS boots up fine with KK now! If you face the checksum error as i did, try using SP Flash Tool v3.1332 instead! - LINK HERE: http://androidxda.com/smart-phone-flash-tool
Any advice on the above?
NO UBOOT
Trying to flash this on my Omate 2100 unit but the UBOOT is missing for me? Got the system.img and recovery.img added but no uboot.
I am also not sure what to select as "BOOTIMG".
Watch Manufacturer - Omate
Date Received - Pre May
Last Known Firmware -ZGPAX S8
Case Material - Steel
I have made it.
But Attention:
No baseband is included.
Baseband for EU, 2100 is not included in this ROM.
So you can not use the phone to call.
I am back to ZGPAX S8.
Watch Manufacturer - Omate
Date Received - Pre May
Last Known Firmware - RSR 0.8
Case Material - Steel
Same as aeron16 with the KK Omate rar file not including UBOOT.IMG or a BOOT.IMG and using system.img for the ANDROID file.
I've tried via Win7 & Win 8.1, Win7 didn't install the preload drivers but Win8 did..
..could anyone that has successfully installed it create a flashable image we could use directly in TWRP?
Caboose1979 said:
Watch Manufacturer - Omate
Date Received - Pre May
Last Known Firmware - RSR 0.8
Case Material - Steel
Same as aeron16 with the KK Omate rar file not including UBOOT.IMG or a BOOT.IMG and using system.img for the ANDROID file.
I've tried via Win7 & Win 8.1, Win7 didn't install the preload drivers but Win8 did..
..could anyone that has successfully installed it create a flashable image we could use directly in TWRP?
Mike? hehe did you get the same error i had? with the CheckSum failed as well?
Isn't the baseband included under "0 Needed files -> NA/World Baseband"?
I can not check if valid files. My TS is not booting/reacting to Flash tool anymore...
Not sure if I did it correctly but because I could not find the boot.img within the supplied files I took the boot.img from the other kitkat rom here on xda. Have at least a working TS now .
Only problem right now is that the home button is not functioning as the home button. It sets the volume to max.
seppen said:
Watch Manufacturer - Omate
Date Received - Pre May
Last Known Firmware -ZGPAX S8
Case Material - Steel
I have made it.
But Attention:
No baseband is included.
Baseband for EU, 2100 is not included in this ROM.
So you can not use the phone to call.
I am back to ZGPAX S8.
I had the same issue as well!
Thanks. Works well like the other early ROMs and is a bit better prepared including Google Play etc. Can we remove the extra apps like QQ etc from the image for a future release? Edit that might have been my fault from not wiping after flashing although I was pretty sure I had already removed them from the ROM whilst creating a flashable zip.
When turning on Wifi I do get an NVRAM error initially in the list of Wifi items. It fairly quickly finds real ones and it connects fine to my AP.
I have the issue with the second button turning up the volume too. There is a fix in the other thread for this.
Also I had to manually select system.img, the recovery, uboot.img and boot.img (the latter two weren't in the archive so I took from the X202 image in the original KK thread).
Glad to see Omate somewhat taking credit on Facebook. It seems I'm banned on Facebook from recently posting after commenting that they probably shouldn't be taking credit for this. The initial announcement a few days back has 14 missing/hidden comments. Oh so childish LLP - I'm sure you're reading.
I'd like the sensors if possible, mainly for a shake/rotate to wake up function..
---------- Post added at 11:43 PM ---------- Previous post was at 11:38 PM ----------
Caboose1979 said:
could anyone that has successfully installed it create a flashable image we could use directly in TWRP?
I'm going to take a look at doing this when I get a chance in the next couple of days. I had a basic one working with just system and boot images of the KK ROMs. It should be possible but I'm kinda new to this so not sure if there are any limitations when flashing everything like this. I do need to make sure I know all of the device names to flash.
Hi Guys,
Not sure where I am going wrong, can't make head nor tails so far.
Truesmart doesn't look to be detected in SPFlash, is SPflash what is meant about mtktools? i can find an application in that folder..
On from that i am also missing the .img files that the others are.
sorry to be a hassle, i will do my best to work it out, but just need a bit of help getting off in the right direction please,
also i haven't done any other flashing etc with my truesmart, is there anything i should be doing prior for brick protection?
it is a 2100mhz model
Cheers
burlyoaf said:
Truesmart doesn't look to be detected in SPFlash, is SPflash what is meant about mtktools? i can find an application in that folder..
MTKDroidTools is different to SP Flash Tool. They are 1 and 2 respectively in the All Tools folder.
Follow the instructions exactly particularly the order. Turn the watch completely off (disable Quick boot), click download and *then* plug the cable in.
Quick Update:
My EU 1/8G Omate TS-1 Pre-May is up and running fine (see my earlier post for some tips / advice based on the issues i had).
1 major issue as below:
However, under Baseband - it shows unknown, and similarly in IMEI - it also shows unknown.
i tried to flash the old 2100 World Baseband.zip in TWRP, but no luck,
tried to use MTK Tools to restore my NVRAM but no luck either (just shows install\data\nvram) and then nada.
minor issue: home button is defaulting to UP Volume instead of HOME function. I will try to flash the FIX_HOME.zip in the other thread and report back.
any advice Dan or anyone else who has theirs working?
If it says uboot, that's the lk.bin.
seppen said:
Watch Manufacturer - Omate
Date Received - Pre May
Last Known Firmware -ZGPAX S8
Case Material - Steel
I have made it.
But Attention:
No baseband is included.
Baseband for EU, 2100 is not included in this ROM.
So you can not use the phone to call.
I am back to ZGPAX S8.
Stop with the attentions. The baseband is included. I've had at least 5 people flash it with no issues.
IF you are missing a baseband, sit tight. Try flashing the UNOVA system image, then flash this again.
IF you are having checksum issues, either use an older version of flash tool OR format and flash the stock firmware.
The LK and Kernel must have been a goof on my part. I'll fix that.

Lenovo Tab3 8" (2016) Custom Recovery / or any modern Tablet in UK under £100

Hi @Tzul / All,
You got me all excited when I saw you had created the custom recovery for the Lenovo Tab3... only to find out that Lenovo have another Tablet called the Tab3 that came out later this year, and it was this one that I was interested in getting.
The Tablet has a model No: ZA170136GB
Any idea if it is possible to create a custom recovery for this too?? Or does anyone know a decent Tablet in the UK for under £100, that has a Custom Recovery, and some fairly recent roms for it...
Mainly need the recovery to backup the current rom, and once I have set the Tablet up for my father, to make an image of that too...
Cheers, Lister
Hi @Tzul / All,
Just found this link, not sure if its for the same (newer Tablet) just the smaller 7" version, instead of the 8" version. But it mentions Android 6.0x which is the default OS on the newer Tablet.
https://webcache.googleusercontent....or-lenovo-tab3.html+&cd=7&hl=en&ct=clnk&gl=uk
The only thing I can't work out, is what the model number is for the newer 2016 8" model, as I've been told its "ZA170136GB" which seems a bit long... Where as most like the 7" version appears to be just "TB3-730X" and makes sense.
Cheers, Lister
Lenovo has quite a few tablets called "Tab3" / "TB3". There are at least 4 or 5 different versions of 7 inch models. Plus 8 inch and 10 inch models.
As far as I know, all of them are based on MediaTek chips, meaning if you need to create and restore backups of entire partitions, you don't even need a custom recovery, as you can use the MediaTek SmartPhone Flash Tool (SPFT) for that. However, in order to use the SPFT, you'll need a "scatter file" that matches the device in question. The scatter file contains details about the device's partitioning (start addresses, sizes, and more). You can create one manually, taking an existing one from a similar device as template, but that requires some specific knowledge and experience.
Creating a custom recovery isn't easy either, particularly if you don't have the device in question at hand. For starters, you need an existing firmware update or backup (e.g. a readback made with the SPFT), from which some required data can be extracted.
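Added example (not part of the post above and not MediaTek's or any poster's code): a pre-flight check that reads the start addresses, sizes and image names out of a scatter file, then reports which images marked for download are absent from the firmware directory and which partitions overlap. It also serves the "check to make sure each file is present" step in the Omate instructions earlier on this page. The "key: value" layout, the partition table and all function names are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: sanity-check a MediaTek scatter file before loading it in SP Flash Tool.
# Assumption: the "key: value" scatter layout shown in the constructed sample below.

# Print one line per partition: NAME START SIZE FILE IS_DOWNLOAD
scatter_table() {
    awk '
        # Scatter files come from downloaded archives (untrusted): pass only plain hex on.
        function hex(v) { return (v ~ /^0x[0-9A-Fa-f]+$/) ? v : "0x0" }
        function emit() {
            if (name != "")
                print name, hex(start), hex(size), (file == "" ? "NONE" : file), (dl == "true" ? "true" : "false")
            name = ""; start = ""; size = ""; file = ""; dl = ""
        }
        { sub(/\r$/, "") }                      # tolerate Windows line endings
        /^[ \t]*#/ { next }                     # comment banners
        $1 == "-" && $2 == "partition_index:" { emit(); next }
        $1 == "partition_name:"    { name  = $2 }
        $1 == "file_name:"         { file  = $2 }
        $1 == "is_download:"       { dl    = $2 }
        $1 == "linear_start_addr:" { start = $2 }
        $1 == "partition_size:"    { size  = $2 }
        END { emit() }
    ' "$1"
}

# Names of partitions marked for download whose image is absent from DIR ($2).
scatter_missing() {
    scatter_table "$1" | while read -r name start size file dl; do
        [ "$dl" = "true" ] || continue
        if [ "$file" = "NONE" ] || [ ! -f "$2/$file" ]; then
            echo "$name"
        fi
    done
}

# Pairs PREV/NEXT where PREV runs past the start of NEXT (entries are in address order).
scatter_overlaps() {
    scatter_table "$1" | {
        prev_name=""; prev_end=0
        while read -r name start size file dl; do
            if [ -n "$prev_name" ] && [ $(($start)) -lt "$prev_end" ]; then
                echo "$prev_name/$name"
            fi
            prev_name=$name
            prev_end=$(($start + $size))
        done
    }
}

# Constructed sample scatter file; names, addresses and sizes are illustrative only.
write_sample_scatter() {
    cat > "$1" <<'EOF'
- partition_index: SYS0
  partition_name: PRELOADER
  file_name: preloader.bin
  is_download: true
  linear_start_addr: 0x0
  partition_size: 0x600000
- partition_index: SYS1
  partition_name: UBOOT
  file_name: lk.bin
  is_download: true
  linear_start_addr: 0x600000
  partition_size: 0x60000
- partition_index: SYS2
  partition_name: BOOTIMG
  file_name: boot.img
  is_download: true
  linear_start_addr: 0x660000
  partition_size: 0x600000
- partition_index: SYS3
  partition_name: RECOVERY
  file_name: recovery.img
  is_download: true
  linear_start_addr: 0xc60000
  partition_size: 0x600000
- partition_index: SYS4
  partition_name: ANDROID
  file_name: system.img
  is_download: true
  linear_start_addr: 0x1260000
  partition_size: 0x32000000
- partition_index: SYS5
  partition_name: USRDATA
  file_name: NONE
  is_download: false
  linear_start_addr: 0x33260000
  partition_size: 0x0
EOF
}

# Usage: sh scatter_check.sh --check SCATTER_FILE FIRMWARE_DIR
if [ "${1:-}" = "--check" ]; then
    scatter_missing "$2" "$3"
    scatter_overlaps "$2"
fi
```

An empty result from both checks means every image the scatter file wants to download is present and no partition runs into the next one.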
Hi @Tzul,
LOL, just found you in this thread too... spooky/small world...
https://forums.lenovo.com/t5/Lenovo...-me-unbrick-Lenovo-Tab3-850f-pls/td-p/3433458
Corr, they don't like to make it easy for their users... do they!!! There's even more than I first suspected then, talk about confusing!!! lol
Yeah this one I've spotted is also a MediaTek chipset too...
Does this SPFT tool belong to Lenovo/MediaTek, or apply to many different hardware configurations? Where would I obtain a Scatter file for this Tablet? I've done a bit more Google'ing, and think the unit could be a TB3-850F (although that links to an American version of the one Ive seen in the UK). Its a fairly good Tablet as it is anyway, so do you think its best just to get it anyway, and hope development / support comes for it at a later date??
Once I get the Tablet, I would be able to know what the EXACT model is for sure then... If so, is there anything I can do, in the way of dumping a rom... I believe I may have found the official rom for it on Lenovo's website earlier today at work too. So maybe able to get a rom dump that way...
If I could, do you think it would be possible to make a TWRP based on the Recovery.IMG dumped from the rom.... Or do you still need the device to actually develop and test on...??
Just wonna try get a good Tablet, that I can then create a backup/image of stock build (inc TWRP recovery) and one that I've customised App-wise for my dad to use and back that up. So if he messes it up, I can restore it quickly...
Many thanks for getting back to me so promptly, and so detailed reply.
Cheers, Lister
The SPFT software is by MediaTek and generally works with all MediaTek-based phones and tablets - provided you have a suitable scatter file.
Once you have the tablet, it should be easy to determine the exact type by going to the Android system settings, about the tablet, and check the values there; primarily model and build number. It should also be on the packaging.
I can build TWRP without owning the tablet, but it's more difficult that way as I basically have to do it "blind". I have done it for the TB3-710I, because a firmware dump was available, and someone provided me with all the info I needed. I guess I could do it for the TB3-850F as well, if I find the time and have all necessary data.
Is that the same tool that would or could be used, if ever I wish to factory reset it (if can't get TWRP onto it) or do you think Lenovo have another method, if things go really screwy?? lol
As for the model, I shall certainly be picking it up tomorrow... As I've spent many-a-days now trying to find an ideal one for my dad, and this one comes in really cheap esp for the spec. So if TWRP can go on it, it will make it an even bigger BONUS...
So will find out tomorrow what the exact model is, I'm hoping it will be a TB3-850F... As did a bit of Google'ing from the 7" model, came across that model for the 8" which appears to be exactly the same as the UK model... The website is the same, except the cpu seems to be 300mhz faster.. Im sure the UK model is 1GHz, where as they USA is 1.3GHz. Hopefully so, as that will be easier for you too I'm guessing, as it looks like you already have the Scatter file in the other forum... or at least a close template, with luck..
I'll do my best to get what ever, and as much info to you as possible... And really really appreciate any efforts you could spare to try and get TWRP on it. No worries if you can't and appreciate you're busy with other things in your life, so absolutely no rush... As said, any effort at all is really appreciated!!!
Thank you for even taking the time to read and reply to my request/info... thanks
Cheers, Lister
Hi @Tzul,
Ok, I picked the Tablet up from the shop yesterday for my dad and although we've not unboxed it yet. It is indeed the same model you appeared to be helping the user in the thread here. TB3-850F
Hopefully I'll be on it tonight, to find out more information. It appears there are at least 3 or 4 different models sold, WiFi and LTE versions, and they differ from USA to UK.
The USA version features a QuadCore 1.3 Ghz CPU
The UK version features a QuadCore 1.0 Ghz CPU
So not sure if that's gonna cause issues, I'll run some software on it tonight to find out the exact CPU inside it... (I have the UK version, 1.0 Ghz... if thats any use?)
I'm also gonna try ask Lenovo (not expecting a speedy response from that company, if I'm honest) to see if they have a factory restore image/tool.... Like all Samsung phones/Tablets have, and even the Tesco's Hudl. They should make it easy for end users to restore their devices, should disaster occur...
If can get a firmware dump, that may help in getting the Boot.Img and Recovery.Img in order to help make a TWRP. As that will be the preferred way of backing up and restoring the device...
How would one flash this to the Tablet, if it's possible...?? Through ADB fastboot?? What's the risk factor of BRICKING the device, outta of 100% say...? Such as Samsung have a Download Mode (which seems they are indestructible) and can always force a stock rom too them...
Cheers, Lister
I doubt that the CPU frequency differs between the US and UK version. They should be exactly the same. I wouldn't trust the info on websites. For my Tab 2 A10-70F, figures differed as well (some sources said 1.5 GHz, others 1.7 GHz; but in reality, it's 1.69 GHz).
Typically, the back of the box should list the correct specs. Does it say anything about the used MediaTek chip (MTxxxx)?
You can use the fastboot flash command to flash at least some partitions, but you might have to "unlock" the bootloader first (there should be an option in the Android developer settings). Alternatively, I can easily patch the bootloader to allow fastboot flash, but in order to install the patched bootloader, you need the SPFT or TWRP.
If you mess up something, you'll "brick" the tablet, but with the SPFT you can almost always restore the firmware.
Hi @Tzul,
Yeah, was just going via what the website says for both devices. Seems a little silly to change the builds, for different parts of the world. Prolly the same CPU and then either under or overclocked in various regions.
Just got home, and on the back of the box it says... CPU: MT8161P QC 1.0GHZ 64Bit
I'll have to wait an hour or so, as my dad is round our elderly neighbours house helping him out. But when he is back, I'll open the Tablet with him, then enable the "Android Developer Settings" through double/tapping the Build No 7x times. Once I'm in there, I assume it's "USB Debugging" you want me to enable/turn on...??
How will I know if the Bootloader is locked / unlocked? Is there a command / test, to fastboot the device and see if it responds, says anything back?? I don't know much about Fastboot, as my flashing experience is either done through programs/utilities or via the device itself... Is there any way to pull the Boot.Img / Recovery.Img via Fastboot?? Or is that done via that SPFT app...?
So you saying, no matter what happens/goes wrong... I can pretty much restore/recover it like Factory via the use of SPFT... There will always be a way to PUSH a firmware to the device???
I'm fully used to using Odin (not sure if you know/aware/used that App) but if SPFT is anything like that... I know that Samsung is almost indestructible via flashing with Odin... Is SPFT the same???
I'm trying to contact Lenovo to see if they have a Factory Image, or process to see if they can have a Restore Image too... That way maybe able to pull those partition from the image file??
Cheers, Lister
Lister Of Smeg said:
Just got home, and on the back of the box it says... CPU: MT8161P QC 1.0GHZ 64Bit
Thanks, that's what I expected. The actual CPU frequency might be 988 MHz, but rounded up it's 1.0 GHz.
Lister Of Smeg said:
Once I'm in there, I assume it's "USB Debugging" you want me to enable/turn on...??
USB debugging is required for ADB, which is a useful tool. But I was thinking about the option "OEM unlocking - Allow the bootloader to be unlocked", which might or might not be present in the developer menu on your tablet.
Lister Of Smeg said:
How will I know if the Bootloader is locked / unlocked? Is there a command / test, to fastboot the device and see if it responds, says anything back?? I don't know much about Fastboot, as my flashing experience is either done through programs/utilities or via the device itself... Is there any way to pull the Boot.Img / Recovery.Img via Fastboot?? Or is that done via that SPFT app...?
Strictly speaking, a locked bootloader performs integrity checks and refuses to start the system when it was tampered with. A locked system wouldn't boot an unofficial boot.img or recovery.img (such as TWRP). That's rarely the case with MediaTek-based devices, i.e. they are usually "unlocked". However, they often have the fastboot flash command restricted/disabled, meaning you can't use fastboot to flash TWRP or other stuff, until you "unlock" the bootloader, or use a patched bootloader.
To make backups of boot.img, recovery.img, etc. you can use the SPFT or a custom recovery. Or you can do it from within Android, provided you have root.
I suggest you first try this:
Open an ADB shell (USB debugging enabled, tablet running Android connected to PC via USB), or use a terminal app, then type
Code:
getprop ro.build.version.incremental
getprop ro.product.ota.model
and tell me the output. I might be able to use that information to find Lenovo's official firmware packages for your tablet.
For my TB3-710F for example, the values are ro.build.version.incremental=Lenovo_TB3-710F_S000026 and ro.product.ota.model=LenovoTB3-710F_L.
Furthermore, boot the tablet by pressing and holding power+volume_up. That should either display a little boot menu ("normal, recovery, fastboot"), or take you directly to the recovery. In the former case, choose "fastboot", in the latter case, the recovery menu should have a "reboot to bootloader" entry at the bottom.
That should take you into fastboot mode. Connect the tablet to PC via USB, and use a fastboot client to run "fastboot getvar all". That'll dump a lot of info, including partition info, which could help with creating a scatter file.
With "fastboot reboot" you can leave fastboot mode.
Lister Of Smeg said:
So you saying, no matter what happens/goes wrong... I can pretty much restore/recover it like Factory via the use of SPFT... There will always be a way to PUSH a firmware to the device???
Yes, if you have a complete firmware backup including scatter file.
The MediaTek SPFT is comparable to Samsung's Odin, except that it also allows to make backups (readbacks). But again, you always need a proper scatter file first. You might be interested in reading this.
Hi @Tzul,
First of all, Wow... oh WOW!!!! Are you an Android developer, as in OS specialist.... that post was epic in both detail and knowledge. Wow, you really know your stuff... Do you work for a big company, or just a very clever/gifted hobbyist?? WOW Thanks for pointing me to that post, very interesting and giving me a heads up in the process of Lenovo architecture...
Ok, I've unboxed dad's Tablet (he doesn't know this yet... LOL). Turned it on, wow... what an experience, this is the best Android/Tablet (and we've had several over the years, from ZTE phones... to Samsung phones and HP/Tesco Hudl Tablets)... Beautiful experience!
Ok,
1) I've enabled Developer Tools (tapped Build No 7x times)
2) I've enabled [ADB Debugging]
3) I've turned on / enabled "OEM Unlocking".
Will this trigger Lenovo software to feel it's been tampered with? Or will it just be normal and allows the bootloader to passthrough / flash a modified recovery to it?
4) getprop ro.build.version.incremental = TB3-850F_S100025_160608_ROW
getprop ro.product.ota.model = LenovoTB3-850F_ROW
5) I couldn't do the Power button + Holding Volume Up button, as when holding both down... The Tablet keeps rebooting, and not loading anything up other than the Lenovo logo, then reboots again...
So I tried Power button + Holding Volume Down button, and it appears to show a menu... But it was ALL in Chinese, other than the word eMMC. I had no idea how to get out of it, other than holding "Vol Up and Power button" as I found from previous, it just boots/reboots loop until let go. I did so, then it said something about SD.. and the rest in Chinese and made a loud beep, before rebooting...
So not sure if I've done anything to an SD Card, internal...?? As we've not put in an external one yet...
So not sure how to get into Bootloader / Recovery yet? As it keeps restarting...
Interestingly, when I first turned this device on and connected it to the network, it wants to pull down a small update....
TB3-850F_S100025_160608_ROW_TO_TB3-850F_S100026_160923_ROW
What it currently is...
What it wants to go too...
The update is only 22Mb in size....
I hope this helps?
Cheers, Lister
My job doesn't really involve Android, but I've studied this, more or less.
Glad to hear that the tablet is good. I'm still satisfied with my Tab 2 as well.
Lister Of Smeg said:
3) I've turned on / enabled "OEM Unlocking".
Will this trigger Lenovo software to feel it's been tampered with? Or will it just be normal and allows the bootloader to passthrough / flash a modified recovery to it?
The latter, as far as I know.
Thanks for the property values. With those, I could find the small update you mentioned. Unfortunately it doesn't contain a complete boot.img file, but at least it contains a barebones scatter file (just the partition start addresses):
Code:
preloader 0x0
pgpt 0x0
proinfo 0x80000
nvram 0x380000
protect1 0x880000
protect2 0x1280000
lk 0x1c80000
para 0x1d00000
boot 0x1d80000
recovery 0x2d80000
logo 0x3d80000
expdb 0x4580000
seccfg 0x4f80000
oemkeystore 0x5000000
secro 0x5200000
keystore 0x5800000
tee1 0x6000000
tee2 0x6500000
frp 0x6a00000
nvdata 0x6b00000
metadata 0x8b00000
system 0xb000000
cache 0xcb000000
userdata 0xe5800000
flashinfo 0xFFFF0084
sgpt 0xFFFF0004
Exactly the same values I used for the preliminary scatter file that you found on the Lenovo forums.
If you like, you can try to use it with the SPFT to make a readback.
Download the latest SPFT, unzip it, find its "option.ini" file, open it, and at the very end change "ShowByScatter=false" to "ShowByScatter=true".
Download and install the USB Preloader driver (cdc-acm).
Finally, run the SPFT, load my scatter file, and make a readback.
Lister Of Smeg said:
5) I couldn't do the Power button + Holding Volume Up button, as when holding both down... The Tablet keeps rebooting, and not loading anything up other than the Lenovo logo, then reboots again...
If you hold down the power button for too long, the tablet will probably reboot.
Try this: Shut down the tablet. Hold volume up, then hold power. When the screen turns on, release the power button, but keep holding volume up.
That should take you to the boot menu or recovery. If not, you can still try to get there via "adb reboot recovery" or "adb reboot-bootloader" (for fastboot).
Lister Of Smeg said:
So I tried Power button + Holding Volume Down button, and it appears to show a menu... But it was ALL in Chinese, other than the word eMMC. I had no idea how to get out of it, other than holding "Vol Up and Power button" as I found from previous, it just boots/reboots loop until let go. I did so, then it said something about SD.. and the rest in Chinese and made a loud beep, before rebooting...
Yeah, on these MediaTek-based devices, that key combination usually takes you to the factory test menu. Avoid going there, you could mess something up.
The bottom-most menu entry gets you out of there (reboot). The menu entry with "eMMC" is "wipe eMMC" - sounds as if it would delete the entire internal flash memory (the eMMC chip), but in actuality, it just does a factory reset, i.e. it only wipes the /data partition (where all user apps and settings are stored). At least it's like that on every device I've tested so far.
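Added example, not part of either poster's messages: a readback in the SPFT needs a start address and a length per partition, while the listing posted above only has start addresses. This sketch derives an upper bound for each length from the distance to the next partition. It assumes that preloader sits in a separate eMMC region and that the 0xFFFF.... values for flashinfo and sgpt are placeholders rather than linear offsets; the function names are made up for this example.

```python
"""Derive readback (start, length) pairs from a start-address-only scatter listing."""

# Partition start addresses exactly as posted in the thread.
SCATTER = """\
preloader 0x0
pgpt 0x0
proinfo 0x80000
nvram 0x380000
protect1 0x880000
protect2 0x1280000
lk 0x1c80000
para 0x1d00000
boot 0x1d80000
recovery 0x2d80000
logo 0x3d80000
expdb 0x4580000
seccfg 0x4f80000
oemkeystore 0x5000000
secro 0x5200000
keystore 0x5800000
tee1 0x6000000
tee2 0x6500000
frp 0x6a00000
nvdata 0x6b00000
metadata 0x8b00000
system 0xb000000
cache 0xcb000000
userdata 0xe5800000
flashinfo 0xFFFF0084
sgpt 0xFFFF0004
"""

# Assumption: values at or above this marker are not linear offsets into the
# user area, so no length can be derived from them.
PLACEHOLDER_MARKER = 0xFFFF0000
# Assumption: preloader is stored in a separate eMMC region, which is why it
# shares address 0x0 with pgpt.
SEPARATE_REGION = {"preloader"}


def parse_scatter(text):
    """Return [(name, start_address)] from 'name 0xADDR' lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'name address'")
        entries.append((parts[0], int(parts[1], 16)))
    return entries


def readback_ranges(entries):
    """Map partition name -> (start, length). Length is None when unknown.

    The length is the distance to the next partition, so it is an upper
    bound: it includes any alignment gap after the real partition.
    """
    linear = [(n, a) for n, a in entries
              if n not in SEPARATE_REGION and a < PLACEHOLDER_MARKER]
    for (n1, a1), (n2, a2) in zip(linear, linear[1:]):
        if a2 <= a1:
            raise ValueError(f"{n2} does not start after {n1}")
    ranges = {}
    for (name, start), (_, next_start) in zip(linear, linear[1:]):
        ranges[name] = (start, next_start - start)
    # The last partition runs to an end that the listing does not give.
    last_name, last_start = linear[-1]
    ranges[last_name] = (last_start, None)
    return ranges


def format_table(ranges):
    """Human-readable rows: name, start, length in hex and MiB."""
    rows = []
    for name, (start, length) in ranges.items():
        if length is None:
            rows.append(f"{name:<12} {start:#012x} length unknown")
        else:
            rows.append(f"{name:<12} {start:#012x} {length:#012x} "
                        f"({length / 2**20:.1f} MiB)")
    return rows


if __name__ == "__main__":
    print("\n".join(format_table(readback_ranges(parse_scatter(SCATTER)))))
```

Reading back a little more than the real partition size only makes the backup file larger; the length for userdata has to come from another source, because the listing does not say where it ends.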
Hi @Tzul,
Well, ya certainly know what ya talking about... was a great read. I am technically minded. I do (and have done for about 15/20 years) IT Support. I understand the talk, sometimes we all gotta re-learn new tricks...
Ok, you'll love this... I spoke to Lenovo today... Actually very good support really, much better than when we phone up about PCs not working in our company. Anyway, they were still unable to help me with the Tablet.
I spoke to them about not being able to get into Recovery / Bootloader. Didn't tell them why of course, but explained that I wanted to know if there was an official firmware I could download if I wished to return the Tablet to fully stock without any Apps. Blamed my dad messing it up, which is kinda true... even though he has not touched it yet. Anyway, they talked me through many things, BASICALLY WHAT YOU'VE ALREADY TOLD ME.... About holding down Vol Up and Power button. After many attempts, still not working. So I said there is a 22mb update pending, I'll try that and see if that allows me to do the key combo... Still no joy. He told me to do a factory reset in the Android OS (which I knew anyway). And so did that, and sure enough it wiped everything, even Developer Settings. However after re-enabling it again, the OEM Bootloader was STILL UNLOCKED? lol.
Anyway, needless to say... I still cannot get into recovery on this device, and he seems certain I should be able to. He thinks the device may be faulty, and suggests returning it... Apart from not being able to get into Recovery, I don't think it is faulty as seems fine everywhere else.
I also tried "Lenovo Smart Assistant" as it seems that can download firmware from their site. After spending a couple of hours trying to get all the (10x different Android device drivers installs, MTP, ADB, MIDI, blah blah) it still didn't automatically detect in their Smart App. So I tried to select the "Dead Device" mode, where you have to enter "Model No" and Hardware ID, typed in various things... but neither showed up the Tablet??? lol
Anyway, going back to above....
1) Installed the suggested signed drivers for the PreLoader
2) Downloaded, edited Options.ini and ran the latest SPFT
3) Opened the Scatter file, nice to see all the partitions.
4) Tried to do a ReadBack of just Boot.img and Recovery.img but nothing downloaded or seemed to happen. But was doing this in a hurry on my lunch break. Shall have another go at home, or back at work tomorrow.
Ah, think I've seen where I went wrong... I didn't double click on the [File] column. I just assumed the path was already correct, looking at it. Also, can't remember the state of the device, think that was also on at the time. So will have a proper go later... and upload the boot.img and recovery.img
-- Just out of interest, if I was making a STOCK ROM backup. What partitions do I need to select / include / tick, for that??
And assume if I wanted to restore it, just do the exact same. Select the partitions, select the files in the [File] tab as to what I want to restore and use DOWNLOAD only mode? Or would it be best just to make the backups in TWRP once/if it's possible...??
As I'm having no joy with the key combo, I'm gonna try the ADB commands in a sec, and let you know how those go....
Yeah, I won't be going there again in a hurry... Didn't have a clue what any of it was, and it wasn't clear at the time how to get out of it either... Sadly I selected the very first open, no idea what that was / is ???? but couldn't get out of it either and had to wait till it finished...
I saw eMMC and panicked, as I have 3x Samsung devices that all suffer from the eMMC brickbug issue. Where the chip dies if using a faulty kernel. Thankfully this kernel is all but disappeared, as only came about in an official LEAKED Samsung build. And all previous/after official kernels and all custom kernels had this faulty switch removed... But whenever I see eMMC, I worry now... lol
Many thanks, Lister
Hi @Tzul,
Well, after my chat to Lenovo and doing some more testing last night... I think my Tablet could be genuinely faulty...
You know I said how I can't enter Recovery (Power & Vol Up) despite you and Lenovo saying that it should work. Well Lenovo think and said it could be faulty and return to place of purchase.
I tried the ADB commands last night, the Reboot Bootloader worked and sent me into Fastboot. However the Reboot Recovery gives me this error...
Which I am wondering if I don't have a Recovery or it's corrupted...??
I am also failing to get those ReadBacks of either Boot.img or Recovery.img, as despite having the Tablet off and clicking on the file names, and pointing it where to save. Nothing appears to happen, no data transfers...??
Do you think I'll be able to get those files if I root the device, and use a Root File Manager???
Also, without any official firmware from Lenovo yet... If I root it, will I be able to unroot it by just doing a simple "Factory Reset" within Android OS, or does this keep the root do you know?? Never really used Factory Reset, as always wipe the device in a custom recovery....
Cheers, Lister
Lister Of Smeg said:
You know I said how I can't enter Recovery (Power & Vol Up) despite you and Lenovo saying that it should work. Well Lenovo think and said it could be faulty and return to place of purchase.
That sounds quite unlikely to me. Have you tried what I wrote before? Start holding the volume up button before you turn on the tablet. Then press the power button to turn it on, release the power button again, but keep holding volume up all the time.
Lister Of Smeg said:
I tried the ADB commands last night, the Reboot Bootloader worked and sent me into Fastboot. However the Reboot Recovery gives me this error...
That's not an error, that is in fact the stock recovery! The menu is missing, but that's normal for some devices. There's a "secret" key combination you need to press to activate the menu. Try power+volume up again (or to be more specific, hold down the power button, then "click" the volume up button, then release the power button; do not hold down the power button for 10 seconds or longer, that'll probably reboot the tablet).
Lister Of Smeg said:
I am also failing to get those ReadBacks of either Boot.img or Recovery.img, as despite having the Tablet off and clicking on the file names, and pointing it where to save. Nothing appears to happen, no data transfers...??
Are you sure you're doing everything correctly? When the tablet is off and you connect it to the PC via USB, Windows should play the "USB device connected" sound effect, quickly followed by the "USB device disconnected" sound effect. Take a look at the Windows device manager - the Preloader VCOM device should appear there for this brief period, and it must not have a warning triangle (that would be a sign of missing drivers).
Lister Of Smeg said:
Do you think I'll be able to get those files if I root the device, and use a Root File Manager???
Yes, that should work, BUT I would not advise it. Looking at the update file, I saw it uses the newer block-based format. That means if you change the system partition in any minor way, e.g. by installing root / su binaries there, future updates will fail! Therefore, you shouldn't do anything that could modify the system partition (installing root, or even running TWRP), until you have a backup of the original state.
Lister Of Smeg said:
Also, without any official firmware from Lenovo yet... If I root it, will I be able to unroot it by just doing a simple "Factory Reset" within Android OS, or does this keep the root do you know?? Never really used Factory Reset, as always wipe the device in a custom recovery....
No, a factory reset will not unroot! Root is either installed on the system partition (the old way), which Android considers read-only, or it is installed in a modified boot.img (the new way), which also won't be touched by Android. A factory reset, regardless whether performed by Android or a custom recovery, just wipes the data and cache partitions.
That sounds quite unlikely to me. Have you tried what I wrote before? Start holding the volume up button before you turn on the tablet. Then press the power button to turn it on, release the power button again, but keep holding volume up all the time.
Yes, I tried that... no matter what order/process I take. It each ends up in the same result. I did the holding of the Vol Up, then pressing Power (waited it for it to Vibrate, before letting go of Power... as instructed by Lenovo tech Support) and still would not get past the white screen, with Lenovo logo.
That's not an error, that is in fact the stock recovery! The menu is missing, but that's normal for some devices. There's a "secret" key combination you need to press to activate the menu. Try power+volume up again (or to be more specific, hold down the power button, then "click" the volume up button, then release the power button; do not hold down the power button for 10 seconds or longer, that'll probably reboot the tablet).
I thought that was recovery, as I've seen the ill looking Android collapse on other Android devices when a flash has failed, but normally I see more of a menu... Like to Apply Update (I guess official internal OS updates). I shall try that trick in a second, to see if I can get the menu to appear. May have to do it at home, as I know ADB app sends our works AV to thinking its a virus, when it's safe... lol
Are you sure you're doing everything correctly? When the tablet is off and you connect it to the PC via USB, Windows should play the "USB device connected" sound effect, quickly followed by the "USB device disconnected" sound effect. Take a look at the Windows device manager - the Preloader VCOM device should appear there for this brief period, and it must not have a warning triangle (that would be a sign of missing drivers).
The drivers installed correctly here (work, running Windows 10 x64), all went smoothly. When I plugged the Tablet in, it came up saying something about PreLoader driver... However at home, the drivers failed... But that could be my old screwy build of Windows 7x x64.... So gonna try again at work for that part.
Yes, that should work, BUT I would not advise it. Looking at the update file, I saw it uses the newer block-based format. That means if you change the system partition in any minor way, e.g. by installing root / su binaries there, future updates will fail! Therefore, you shouldn't do anything that could modify the system partition (installing root, or even running TWRP), until you have a backup of the original state.
Oh great, terrific... So I gotta be extra careful then!! lol. No rooting or mods until at least I can pull this ReadBack backup off... Oh I do love my Xposed!!
So once I've got my first official ReadBack backup, with no mods or alterations. Then I'm safe to do whatever...??
Providing I've got my first ReadBack before I do anything, if we are able to get TWRP into the Recovery Partition of the Tablet. Will this TWRP Recovery affect /System and OTA updates?? or is that only the Recovery partition affected, and System will stay intact??
Also, once (or, IF) I have TWRP, could I do a full system backup there. Prior to any mods, and can fully restore to stock (with the addition of TWRP recovery and not Stock) via the TWRP Recovery then... As wonna get an as close to stock backup as poss in TWRP. And then a fully setup with all the Apps, Mods, Tweaks and root Apps setup and then back that up. I assume I can always restore to the first TWRP backup without root at a later.
/ If any of that ^ makes sense? lol
No, a factory reset will not unroot! Root is either installed on the system partition (the old way), which Android considers read-only, or it is installed in a modified boot.img (the new way), which also won't be touched by Android. A factory reset, regardless whether performed by Android or a custom recovery, just wipes the data and cache partitions.
Fair enough, I kinda assumed that a Factory Reset within the Android OS will keep the root, and only wipe user added data, such as Apps, Pictures, Music, Files... and anything added to the /System would be left behind. My old devices (N7000 and i9100) only use the old way at the moment for rooting, as in writing to the system partition. When trying to use the new Boot.img way (as in Systemless root) causes both devices to crash, as they don't have the pre-modded Boot.img yet.
But assuming if I made a previous backup of the whole Tablet in TWRP before rooting (or do I need root, to push TWRP). Then go onto root the Tablet afterwards, if I then restore the Tablet to the first pre-root backup in TWRP will over write the root files back to stock??
/ sorry for all the questions, and what-if's.... ? I understand Android, and fully know my Samsung models inside out... Just not sure when it comes to Lenovo, as it seems to use a different structure, and partition layout. And at moment, till I get my head around it, seem as stable/fool-proof in not making non-changeable choices, that can be corrected at a later date. Just it's my dads Tablet, and don't want to mess anything up as yet... As I'll prolly have to buy it off him lol
Anyway, thanks for your continued help on this.... I'll let you know how I get on...
Cheers, Lister
Lister Of Smeg said:
The drivers installed correctly here (work, running Windows 10 x64), all went smoothly. When I plugged the Tablet in, it came up saying something about PreLoader driver... However at home, the drivers failed... But that could be my old screwy build of Windows 7x x64.... So gonna try again at work for that part.
The driver I linked can be installed with a simple right-click in Windows 8 and later. But in Windows 7, the installation procedure is more involved, as described in the included readme.
Lister Of Smeg said:
Oh great, terrific... So I gotta be extra careful then!! lol. No rooting or mods until at least I can pull this ReadBack backup off... Oh I do love my Xposed!!
So once I've got my first official ReadBack backup, with no mods or alterations. Then I'm safe to do whatever...??
Yes, if you get the SPFT to work with your tablet, you can make a backup and restore it anytime you want.
Lister Of Smeg said:
Providing I've got my first ReadBack before I do anything, if we are able to get TWRP into the Recovery Partition of the Tablet. Will this TWRP Recovery affect /System and OTA updates?? or is that only the Recovery partition affected, and System will stay intact??
The first time you run TWRP, it asks you whether or not you'd like to allow changes to the system partition. If you choose yes, TWRP will rename a certain system file on exit, and will also offer to install a SuperSU stub for root. You see, Android has a mechanism that restores the stock recovery on every Android boot! Therefore, TWRP will be automatically replaced by the stock recovery again, unless you allow TWRP to rename that file, or install SuperSU. Both these things will intentionally break that Android restore mechanism.
On your tablet, you should probably forbid TWRP to make those changes. But even if you do, other things in TWRP can still change the system partition regardless. Installing the zip files for Xposed or SuperSU, for example. Or even restoring a TWRP backup of the system partition (because they are file based, but a block-based update doesn't just care about the file contents, but also about where exactly the files are located on the partition/disk, which will change with a file-based restore).
That's why "systemless" Root and Xposed are a thing these days. They don't install the files to the system partition anymore like they used to, but somewhere else (the ramdisk of the boot image, as far as I know), and use some trickery to make the files appear in the filesystem where they are expected.
Concerning OTA updates: they will fail if the system partition was modified. So if you want to install one, you either have to roll back to an unmodified system and stock recovery, then install the update, then install root, Xposed, etc. again (tedious). Or you can modify the updater-script inside the update, and make it work with modified systems, then install the adjusted update with TWRP. But that requires know-how and will only work with the old file-based updates, not the new block-based ones.
Lister Of Smeg said:
Also, once (or, IF) I have TWRP, could I do a full system backup there.
No. As just mentioned, TWRP backs up the files (their content), which is not enough for block level accuracy. You need a system image backup. Which can also be made with TWRP, if it has been configured properly.
Lister Of Smeg said:
But assuming if I made a previous backup of the whole Tablet in TWRP before rooting (or do I need root, to push TWRP). Then go onto root the Tablet afterwards, if I then restore the Tablet to the first pre-root backup in TWRP will over write the root files back to stock??
Yes, but again, you need to backup and restore the system image (the entire partition, including "empty" space, not just the files as TWRP normally does).
Lister Of Smeg said:
/ sorry for all the questions, and what-if's.... ? I understand Android, and fully know my Samsung models inside out... Just not sure when it comes to Lenovo, as it seems to use a different structure, and partition layout. And at moment, till I get my head around it, seem as stable/fool-proof in not making non-changeable choices, that can be corrected at a later date. Just it's my dads Tablet, and don't want to mess anything up as yet... As I'll prolly have to buy it off him lol
It has nothing to do with Samsung vs. Lenovo. It's about the chipset - MediaTek in your case. A Lenovo device with a Qualcomm chip, for example, will have a different partition layout and obviously won't work with the SPFT. And most of the things I just talked about (file-based vs. block-based updates, the "sanctity" of the system partition, etc.) are general Android things and not specific to the chipset.
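Added example, not part of either poster's messages: a small model of why a file-based restore leaves every file intact and still fails a block-based update check. It is modelled on the block-range SHA-1 check that block-based OTA packages run before patching; the two-file "partition", its layouts and the helper names are constructed for illustration, and the real ranges and hashes in Lenovo's update are not on the page.

```python
"""Same files, different blocks: file hashes match, block-range hash does not."""
import hashlib

BLOCK_SIZE = 4096  # block size used by block-based OTA packages


def parse_rangeset(text):
    """Parse 'N,start,end,...' where N counts the numbers that follow and
    each end is exclusive, e.g. '4,1,3,4,5' -> [(1, 3), (4, 5)]."""
    nums = [int(x) for x in text.split(",")]
    count, rest = nums[0], nums[1:]
    if count != len(rest) or count % 2 != 0:
        raise ValueError("malformed range set")
    ranges = list(zip(rest[0::2], rest[1::2]))
    for start, end in ranges:
        if start >= end:
            raise ValueError("empty or reversed range")
    return ranges


def range_sha1(image, rangeset):
    """SHA-1 over the listed block ranges of a raw partition image."""
    digest = hashlib.sha1()
    for start, end in parse_rangeset(rangeset):
        chunk = image[start * BLOCK_SIZE:end * BLOCK_SIZE]
        if len(chunk) != (end - start) * BLOCK_SIZE:
            raise ValueError("range extends past end of image")
        digest.update(chunk)
    return digest.hexdigest()


def build_image(layout, total_blocks):
    """Toy partition: each (first_block, data) is written at that block,
    everything else stays zero. Stands in for a real filesystem allocator."""
    image = bytearray(total_blocks * BLOCK_SIZE)
    for first_block, data in layout:
        offset = first_block * BLOCK_SIZE
        image[offset:offset + len(data)] = data
    return bytes(image)


def file_hashes(layout):
    """What a file-based backup preserves: the content of each file."""
    return sorted(hashlib.sha1(data).hexdigest() for _, data in layout)


def ota_precheck(image, rangeset, expected_sha1):
    """True when the partition still matches what the update expects."""
    return range_sha1(image, rangeset) == expected_sha1


# Constructed sample data: two "system files".
FILE_A = b"A" * 5000   # spans two blocks
FILE_B = b"B" * 3000   # fits in one block
TOTAL_BLOCKS = 8
WHOLE = "2,0,8"        # one range covering blocks 0..7

# Factory layout versus the layout after wiping and copying the files back:
# same content, but the allocator placed the files on other blocks.
STOCK_LAYOUT = [(1, FILE_A), (4, FILE_B)]
RESTORED_LAYOUT = [(1, FILE_B), (2, FILE_A)]

STOCK_IMAGE = build_image(STOCK_LAYOUT, TOTAL_BLOCKS)
RESTORED_IMAGE = build_image(RESTORED_LAYOUT, TOTAL_BLOCKS)
EXPECTED = range_sha1(STOCK_IMAGE, WHOLE)  # value an update would carry

if __name__ == "__main__":
    print("file contents identical:",
          file_hashes(STOCK_LAYOUT) == file_hashes(RESTORED_LAYOUT))
    print("file-based restore passes check:",
          ota_precheck(RESTORED_IMAGE, WHOLE, EXPECTED))
    print("image restore passes check:",
          ota_precheck(bytes(STOCK_IMAGE), WHOLE, EXPECTED))
```

Only the byte-for-byte image copy passes, which is why the untouched readback or a system image backup has to be taken before anything writes to the system partition.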
Hi @Tzul,
Ok, slowly making progress here... Yippie!! lol
Still can't enter recovery via hardware buttons... No matter how many times I try, and in whatever order and timing. I even tried holding Power & Vol Up, then when it FREEZES on white screen with Lenovo logo. Then tried releasing Vol Up also, and then holding it down again... like how to reveal 'Secret Menu'. But still nothing appears for recovery!!
However, that said... I am now able to enter Recovery... via using ADB Fastboot Recovery, then using those key combo commands to reveal the secret menu. Which that all now works, and get a full list of options to choose from there... So thank you for that!!
I've had another go at trying to install PreLoader driver again on my home PC (Win7 x64) and it now appears to do something, more than previously done... But errors, and still does not pull those files. Maybe you might be able to see where going wrong via the screenshot??
Yes, if you get the SPFT to work with your tablet, you can make a backup and restore it anytime you want.
Once I get this App working, and working reliably... I think I'd feel a lot more comfortable and happier, knowing I have a decent back up to rely on. Just this App is new to me, and at moment (with difficulties of entering Recovery and getting this App to work). Where as comparison to Odin. Just have to put phone into Download Mode, add the Firmware File... and thats it. By the looks of things, this App is very very similar. Just with its hit/miss at moment, till I've ironed out why its not working... Just want to know I have STOCK rom to return too, in aid of firmware updates.
Concerning OTA updates: they will fail if the system partition was modified. So if you want to install one, you either have to roll back to an unmodified system and stock recovery, then install the update, then install root, Xposed, etc. again (tedious). Or you can modify the updater-script inside the update, and make it work with modified systems, then install the adjusted update with TWRP. But that requires know-how and will only work with the old file-based updates, not the new block-based ones.
I've seen TWRP (more specifically, TWRP 3.x) mention about allowing System modifications with my Samsung device. I think in the past, I've answered both ways... Allow / Do Not Allow when switching Roms every so often.
So basically it's a toss up of whats more important...? Receiving OTA updates, or running Root on the device. As long as I can get this first initial ReadBack backup, then should be happy either way... As can always restore back to fully STOCK, run the update, then flash TWRP and Root apps again??
No. As just mentioned, TWRP backs up the files (their content), which is not enough for block level accuracy. You need a system image backup. Which can also be made with TWRP, if it has been configured properly.
Will have a look on my current Samsung / TWRP about making full system based images. But that said, I still won't receive OTA updates restoring back to this way, as already modified the device/OS with TWRP... preventing this. But could be quicker/easier way to return to STOCK (minus updates). And this would be safe to do, based on the BLOCK BASED partition on this device? (Only ever been used to FILE BASED twrp backups).
It has nothing to do with Samsung vs. Lenovo. It's about the chipset - MediaTek in your case. A Lenovo device with a Qualcomm chip, for example, will have a different partition layout and obviously won't work with the SPFT. And most of the things I just talked about (file-based vs. block-based updates, the "sanctity" of the system partition, etc.) are general Android things and not specific to the chipset.
Yeah I hear you on Samsung vs Lenovo, being Exynos vs MediaTek... What I meant, is I'm just more used to and comfortable with the way things work on Samsung. I know (so far... lol) that I can never really brick my Samsung devices (other than the leaked ICS kernel) as I can restore fully with STOCK rom in Odin. And that all my devices (Samsung, HP Touchpad, ZTE Blade) all use partitions one way or another... as it was a curve to learn Samsung shares Recovery with its Kernel and vice versa... Whereas the Blade, they were both separated... I'll get there slowly with MediaTek devices... lol... But most of all, I thank you, for all your time, patience and support guiding me along this way... MUCH APPRECIATED!!!
Edit: I am amazed that Lenovo don't have anything public on their website regarding firmware, to allow customers to restore themselves. I've downloaded their "Lenovo Smart Assistant" App which is supposed to support phones and Tablets. But does not detect mine, either alive or dead mode. When searching for it within the App, nothing shows for it either... Or the Tab2 family either..?? May try another cheeky online chat support call to them again, see if they can release anything firmware wise lol
Many thanks, Lister
Lister Of Smeg said:
I've had another go at trying to install PreLoader driver again on my home PC (Win7 x64) and it now appears to do something, more than previously done... But errors, and still does not pull those files. Maybe you might be able to see where going wrong via the screenshot??
That's the same error the other person on the Lenovo forum had. I have a feeling that the driver isn't installed correctly. Have you looked at the Windows device manager, Ports (Com & LPT) section? Does a new device appear there after connecting the powered-off tablet, and does that device NOT have a warning triangle?
Maybe you could try the SPFT on a Windows 8 or 10 machine, where the signed driver can be installed with the simple right-click method. Otherwise, you could find and install an unsigned driver for Windows 7, and try again. Maybe this error is also caused by an incorrect scatter file, wrong download agent, or bug in the specific SPFT version. You could try an older version such as v5.1516. Here's someone who encountered the same error and "fixed" it by using this older version and a slower PC...
Lister Of Smeg said:
So basically it's a toss up of what's more important...? Receiving OTA updates, or running Root on the device. As long as I can get this first initial ReadBack backup, then should be happy either way... As can always restore back to fully STOCK, run the update, then flash TWRP and Root apps again??
Yes. You should probably go with systemless root on this tablet, but whether the system or boot image get modified, an OTA update will fail either way if it does integrity checks. So there's no way around making backups of the untouched partitions and restoring them when necessary.
Lister Of Smeg said:
Will have a look on my current Samsung / TWRP about making full system based images. But that said, I still won't receive OTA updates restoring back to this way, as already modified the device/OS with TWRP... preventing this. But could be quicker/easier way to return to STOCK (minus updates). And this would be safe to do, based on the BLOCK BASED partition on this device? (Only ever been used to FILE BASED twrp backups).
That option might or might not exist in your Samsung's TWRP. Usually, newer TWRPs are configured to have a "System Image" entry in the Install -> Install Image partition list, so that it is possible to flash a system.img file easily from within TWRP. This same "System Image" entry can also be made visible in the Backup/Restore partition list, but normally it isn't.
Lister Of Smeg said:
I am amazed that Lenovo don't have anything public on their website regarding firmware, to allow customers to restore themselves. I've downloaded their "Lenovo Smart Assistant" App which is supposed to support phones and Tablets. But does not detect mine, either alive or dead mode. When searching for it within the App, nothing shows for it either... Or the Tab2 family either..?? May try another cheeky online chat support call to them again, see if they can release anything firmware wise lol
Many thanks, Lister
Well, you're not supposed to mess with these devices. Only a fraction of users install root or Xposed anyway. I've never tried the "Lenovo Smart Assistant", so I can't say anything about that.
Anyway, you're welcome.
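The difference between a file-level and an image-level backup described in the replies above can be shown with a hash over block ranges. This is an added example, not code from the thread or from any OTA package: the 8-block toy image, the range string and the function names are constructed, and only the 4096-byte block size and the "count,start,end,..." range notation follow Android's block-based OTA conventions.

```python
import hashlib

BLOCK_SIZE = 4096  # block size used by Android block-based OTAs


def parse_ranges(text):
    """'4,0,1,2,6' -> [(0, 1), (2, 6)]: a count, then start,end pairs (end exclusive)."""
    nums = [int(x) for x in text.split(",")]
    count, values = nums[0], nums[1:]
    if count != len(values) or count % 2:
        raise ValueError("malformed range set: %r" % text)
    pairs = list(zip(values[0::2], values[1::2]))
    if any(start < 0 or end <= start for start, end in pairs):
        raise ValueError("empty or negative range in %r" % text)
    return pairs


def range_sha1(image, ranges):
    """SHA-1 over the selected blocks of a raw partition image."""
    digest = hashlib.sha1()
    for start, end in parse_ranges(ranges):
        chunk = image[start * BLOCK_SIZE:end * BLOCK_SIZE]
        if len(chunk) != (end - start) * BLOCK_SIZE:
            raise ValueError("image is shorter than range %d-%d" % (start, end))
        digest.update(chunk)
    return digest.hexdigest()


def first_differing_block(a, b):
    """Index of the first block where two images differ, or None if identical."""
    shared = min(len(a), len(b))
    for offset in range(0, shared, BLOCK_SIZE):
        if a[offset:offset + BLOCK_SIZE] != b[offset:offset + BLOCK_SIZE]:
            return offset // BLOCK_SIZE
    return None if len(a) == len(b) else shared // BLOCK_SIZE


def make_image(file_block, mount_count):
    """Constructed 8-block toy partition: block 0 is metadata, one block holds a file."""
    blocks = [bytes(BLOCK_SIZE)] * 8
    blocks[0] = (b"SB" + bytes([mount_count])).ljust(BLOCK_SIZE, b"\0")
    blocks[file_block] = FILE_DATA.ljust(BLOCK_SIZE, b"\0")
    return b"".join(blocks)


FILE_DATA = b"ro.build.id=CONSTRUCTED\n"   # constructed sample file content
RANGES = "4,0,1,2,6"                       # constructed: block 0 and blocks 2..5

STOCK = make_image(file_block=3, mount_count=1)
IMAGE_BACKUP = bytes(STOCK)                # raw, block-for-block copy
# File-level restore: same file bytes, but the filesystem placed them in another
# block and updated its own metadata along the way.
FILE_RESTORE = make_image(file_block=5, mount_count=2)

EXPECTED = range_sha1(STOCK, RANGES)       # what an update would be built against

if __name__ == "__main__":
    for name, img in (("image backup", IMAGE_BACKUP), ("file restore", FILE_RESTORE)):
        ok = range_sha1(img, RANGES) == EXPECTED
        print(name, "matches" if ok else "differs",
              "first differing block:", first_differing_block(STOCK, img))
```

Both images contain the same file bytes, yet only the block-for-block copy reproduces the hash, which is why a raw image of the untouched partition is the backup worth keeping.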
Hi @Tzul,
Still not having any luck with this... Boo-hoo.... As below, is what happened and what I've tried..
Tzul said:
That's the same error the other person on the Lenovo forum had. I have a feeling that the driver isn't installed correctly. Have you looked at the Windows device manager, Ports (Com & LPT) section? Does a new device appear there after connecting the powered-off tablet, and does that device NOT have a warning triangle?
Maybe you could try the SPFT on a Windows 8 or 10 machine, where the signed driver can be installed with the simple right-click method. Otherwise, you could find and install an unsigned driver for Windows 7, and try again. Maybe this error is also caused by an incorrect scatter file, wrong download agent, or bug in the specific SPFT version. You could try an older version such as v5.1516. Here's someone who encountered the same error and "fixed" it by using this older version and a slower PC...
Installed at home, old dual core computer running Windows 7 x64. Installed driver as per instructions (Installed to Com18 port). On first install, it shows a new device with yellow exclamation mark. So I delete the device, but keep the driver software files installed. Same error...
At work, Quad Core i5 running Windows 10 x64. Installed the driver using Right Click / Install option... Driver installs fine, no errors (Installed to Com15 port). Same error.
Tried with the very latest version of SPFT, and with the other older version as quoted on that website. At first the older one wouldn't show the partition on ReadBack mode, even with the ScatterFile=true remark at the end. So I just copied contents out of one of the other option.ini files and then it did. But still no joy. Tried various versions of SPFT (not all of them, will do some more tonight). Tried different USB cables, including the original official one out of the box.
Only thing not tried, finding a really really old computer...
Tzul said:
Yes. You should probably go with systemless root on this tablet, but whether the system or boot image get modified, an OTA update will fail either way if it does integrity checks. So there's no way around making backups of the untouched partitions and restoring them when necessary.
I'm assuming there will never be a Systemless root for this device. As that requires someone to mod the Boot.img. And other than your good self, not seen anyone else offer support (or even use) this device, and I can't expect you to do that. Not to mention, can't even get the files off or access a firmware file for it.
I was hoping if I could get a STOCK firmware or backup of this device. Then if there was news of an update coming out. I could reflash back to STOCK, losing all my mods and changes. Just to get the update, then attempt to re-root and tweak again... Gonna be a cat-n-mouse game me thinks... If I can ever get this backup to work in the first place...?? lol
Tzul said:
That option might or might not exist in your Samsung's TWRP. Usually, newer TWRPs are configured to have a "System Image" entry in the Install -> Install Image partition list, so that it is possible to flash a system.img file easily from within TWRP. This same "System Image" entry can also be made visible in the Backup/Restore partition list, but normally it isn't.
Didn't get chance to check TWRP last night on Samsung devices, by time I went to bed... was too knackered and straight asleep... lol. Will check tonight...
Tzul said:
Well, you're not supposed to mess with these devices. Only a fraction of users install root or Xposed anyway. I've never tried the "Lenovo Smart Assistant", so I can't say anything about that.
Anyway, you're welcome.
No, it appears you're not... I tried to speak to Lenovo again today... (sob story... Need to access a backup firmware in case Tablet dies under dad's use, which is not too far from the truth...) However he was under the impression I could restore fully to STOCK if I access the Recovery (which I told him only works via ADB commands. He suggested again I should take it back to shop and get it replaced).
Anyway, I said... So does that mean the Lenovo Tablet has a hidden recovery image / rom / partition. And that if I was to "root the device, in order to make some Apps/Tweaks work" I could enter Recovery, and run the recovery option in the hidden menu and restore Tablet back to STOCK.
To which sadly I had to go back to work, and told him this. I said if he could leave me the reply, I'd check when back. Which he then said, "If the Tablet is rooted, it will then delete the recovery partition, meaning no recovery would be possible" which to me sounds a little far fetched... that rooting will actually DELETE a hidden recovery image/partition???
I'm sadly starting to think, have I picked the wrong device for my dad?? Same as with all mine, and what I did for my mum's... I was able to install custom recovery easily. Especially in the case of my mum's Tesco's Hudl, I set it all up with STOCK rom (as there are no custom roms), however there is custom recovery which I flashed, rooted, and installed all rooted Apps. However, I have since been able to reflash it back to fully STOCK without any Root, and able to go back and forth as often as like without fear of bricking, or potentially damaging any future updates/recovery....
Gonna try a few more times to get this to recognise and accept SPFT backing/restoring... Otherwise next week, I may consider taking back to the shops. Pity, as the Tablet itself seems really nice so far (even though barely used it yet). But just worried cannot make backup images, or can easily break Updates/Stock Restoring....
Cheers, Lister

The impossible mission of rooting or oem unlocking BLU NEO XL (120K phones affected!)

Hello XDA Forums,
I have been a guest on the website for a while now when looking for android knowledge and I usually grasp a good amount of whatever I am trying to accomplish. However, the issue I am currently having I feel is considered IMPOSSIBLE to fix and I want to confirm that by this community.
Phone: Blu
Model: NEO XL N110U
Android build version: 6.0
Custom build version (it’s a stock I downloaded, I’ll explain in a sec): BLU_N110U_V10_GENERIC_MARSHMALLOW 05-08-2016 16:30
What happened is that about a year ago or so I updated the android version from lollipop to marshmallow using the OTA update (which is the wireless update). Worst decision ever as I found out that this update gave me 4 specific viruses that send my information over to a Chinese server. Here are links on the virus:
https://www.droid-life.com/2016/11/15/blu-security/
https://blog.malwarebytes.com/cybercrime/2016/11/mobile-menace-monday-adups-old-and-new/
https://android.gadgethacks.com/new...be-affected-by-adups-chinese-spyware-0175014/
With this problem, I thought “I can just root my device and delete the files… right”? I never rooted a device before, but I have jailbroken iPhones, modded PSPs, and DS so I felt like this would be easy……Turns out it’s impossible if you already updated to that wireless update with Marshmallow. I also tried unlocking bootloader and that failed super hard as well! Here is what I tried:
1. Tried Kingroot app – failed
2. Tried Kingroot on PC – failed
3. Went into developer options and enabled usb debugging and oem unlocking to TRY and unlock the bootloader. – that part worked……HOWEVER
4. Went into the recovery and chose reboot to bootloader. Then connected my Blu phone to my PC, went into Command prompt and typed, “fastboot oem unlock” (I believe I had to download fastboot and adb tools first). – This was painful for me. It gave me the option to unlock the bootloader using the up and down volume buttons. I need to press “Volume up” on my phone to confirm the OEM unlock……..HOWEVER THAT HAS BEEN COMPLETELY DISABLED. The buttons work, but when I need to confirm the oem unlock, it doesn’t allow me to do this. THIS I BELIEVE HAS BEEN PURPOSELY DONE.
5. I downloaded a stock version of my phone’s rom but at a lower android number (5.1) and tried to flash it to the phone using SP Flash tools. – Failed. It would stay illuminated black and the intro sound would come on but I wouldn’t see anything. I looked into that and I believe that is because there is something called version binding where if I update the version build, I can’t downgrade to use the same exploit.
6. Since the phone was bricked, I wanted to try to bring it back to life by downloading the stock rom for my phone at the same virus build version I’m at now and flash it to the phone. – It worked with viruses and all.
7. I then thought, “Can’t I open the rom file and delete the viruses I want, then flash it to the phone?” So I tried that by using mtk extractor which allowed me to open the system.img file for the stock rom which contains the android data. From there I went into the apps folder and deleted the 4 virus apps. Then I packaged the system.img back together into one file and then used that system.img when I used sp flash tool to flash the rom onto the phone. – It was stuck on the logo……I can still access the recovery fine and still doesn’t allow me to oem unlock.
This is where I have given up. At this point, I feel like I would need to learn more about the system.img file and what it looks for in the beginning. I just want to fool it into booting without those apps. I know there is something stopping it from booting because when I go into the recovery part and select the option to do a “root integrity check” it tells me those specific apps are missing. Is there any way to change the root integrity check to not look for those apps?
So I know this is a lot of information but I need to write this down for all the steps I took. I hope that this thread can help anyone with a Blu Neo XL device come to some information. If I can confirm from this forum that there is nothing that can be done. I feel then a lawsuit with Blu is in order and everyone should throw out their compromised phones. I have seen numerous other posts on this subject and so far NO ONE HAS ANSWERED EVEN ONCE. One poor guy had to keep bumping his thread for months until he gave up; at least tell me it’s not possible! Here is the link I saw on this from here:
https://forum.xda-developers.com/android/help/tried-to-root-sort-blu-neo-xl-t3559702
Here are my main questions:
Is it possible to access the root (either via pc with command prompt or linux with terminal or even on the device itself) without rooting or unlocking the bootloader (since both seem to be impossible).
Can you extract a system.img file, modify it, then put it back together to flash it to a device without unlocking bootloader?
In fact can you modify any part of the rom or .imgs and flash it to spflash tools? (Or maybe I was doing wrong?)
Is there any way to figure out how to modify the tamper bit if I have to find a way to get around the virus bug on my device that doesn’t allow me to use the “Volume up” button to confirm that I want to unlock the bootloader? (I’m not even sure if this phone has that, I just saw that for this oneplus and thought maybe it can be on all phones in a different way?) Here is a link on that-
https://forum.xda-developers.com/oneplus-one/development/mod-reset-unlock-tamper-bit-t2820912
The goal is get rid of the virus that sends my data back to Chinese servers. Also, the goal is to get an answer from the community here to put this to rest.
If you need any information on this or want me to upload anything please let me know.
Thank you for your time!
Bump as I need hope.
I understand people may not have this phone but I need some sort of reply to confirm that this isn't possible. I want this thread to be the first post anyone sees if they type in "Blu Neo XL" for rooting purposes.
Even if anyone that has a phone that is similar that is affected, that would be anyone who has:
R1 HD
Energy X Plus 2
Studio Touch
Advance 4.0 L2
Neo XL
Energy Diamond
bump
Waited around for a while but now it's time to be obnoxious. I will bump my other thread as well and just start hi-jacking other threads until mods ban me or someone answers me for once.
bump
bump
bump again and again and ****ing again!
another day, another bump
another day, another bump
another day, another bump
another day, another bump
another day, another bump
another day, another bump
another day, another bump
another day, another bump
Also, I got a Moto G5S Plus instead finally. It took me a while to save the money because I don't make much but at least I have a phone that isn't sending my data over to china.....or maybe it still is sending my data who knows where. Either way, Bump.
Hey man, I didn't read through your entire post. But can't you just downgrade the version to one that is possible to root?
Or you can also get another phone that does have root as an option. Also, I don't think you should bump your own threads. Just wait it out, or ask in other threads for help.
Edit: Oh Man, I didn't even notice someone responded to this! Awesome.
It says in the rules to ask here. So I decided to ask here especially since this phone doesn't have its own dedicated forum. I got a new phone about a month ago and it's pretty good so far.
This is more of a lost cause but I bring this up just in case other people get affected. I believe the Blu company had to pay the Justice department for this so they got away with it and that's no big deal nowadays. lol
erickkg said:
Hey man, I didn't read through your entire post. But can't you just downgrade the version to one that is possible to root?
Also for those of you out there suffering, the above statement is not possible because the newer versions of Android OS have "version binding" so downgrading to an OS that is lower than what you upgraded to won't allow the phone to get past the bios or whatever the android bios recovery start name is. (I don't remember right now) Even if you mod the recovery or bios file.
So here it is almost a year later from you writing this post and I have found myself in the same predicament you were once in and was hoping there was answers somewhere, but from the looks of it I am guessing I'm better off just breaking this phone in half and getting myself a new, virus free, root-able phone. Am I correct?