Hi! So I'm wondering if anyone know if there is\have been any development for
the Tizzbird Stick N1 (M\G) ?
We have this Android-stick in stock at my store, but I'm not sure if I'm going to get it or not yet. Depends the development, as I'd really like to see the capabilities for it. I believe it's a lowbrand tho. so I might be out of luck.
Anyone know anything?
I searched the forums, and did a google search. Didnt find much.
regards,
Dag M.
Hi there!
I own one of those, and there are a handful of (german-speaking) people activly posting in this forum http://forum.tizzbird-tv.de/ about the Tizzbird N1. - The problem with that forum is that they heavily censor it - as soon as anyone posts info on how to "get in", or if someone asks uncomfortable questions - those posts gets deleted.
They sell it really cheap for 30€ (not all the time, but twice for one day @ redcoon) and although the Wifi-Chip (or the drivers for it) are really crappy, the media player part is really nice.
update: I've did a little research, and here is a little list of relevant links about the tizzbird n1:
==== Marketing Product Pages ====
http://valueplus.co.kr/english/product/product_player_n1.html
http://www.tizzbird.com/eng/index.php?mm_code=719&sm_code=755
http://tizzbird-tv.de/tizzbird/tizzbird-n1.html
==== Official Firmware ====
http://www.tizzbird.com/eng/index.php?mm_code=726&sm_code=727&board_search_head_word=stick+n1
http://download.tizzbird-tv.de/TizzBird_N1G_update_GMS_V3_20_13072719.tzbird
==== German Support Forum (posting info about root-access prohibited) ====
http://forum.tizzbird-tv.de/viewforum.php?f=11
==== GPL-Code for Tizzbird N10, N20 & N30 - but not for N1? ====
http://www.tizzbird.com/eng/index.php?mm_code=752&sm_code=754
==== Kernel Sources ? ====
http://www.cnx-software.com/2012/03...k-n1-android-ics-hdmiusb-dongle-media-player/
http://www.cnx-software.com/2012/07...hips-tcc8925-mini-pcs-cx-01-z900-tizzbird-n1/
https://github.com/cnxsoft/telechips-linux
Yeah, the pretend to be "community friendly and supportive" but once you actually start digging in, they get quite agressive and boot you out.
Anyways, I got a N1 a couple of days myself now (snagged it for 30 bucks at another RedCoon sale ) and I am surprised.
Got it pretty much only to tinker around with it and this thing suits more perfectly for that than I imagined.
Esp. that fact they used a simple SD card as "internal flash storage" - my guess is because a simple SD is cheaper than an actual eMMC flash chip, but it's so cool on so many levels for us.
I already found out how to replace the 4GB SD with a bigger one (have a 16GB in mine ATM).
I'll post some more details about it here later, got a few things I want to test and/or prepare first (thinking of some "easy to use cloning script"), but long story short:
You need to copy the bootloader to the very end (last few blocks) of the SD you want to use.
Once the BL is at the proper place it already boots from the new SD again, to be sure everything is as it's supposed to be one should apply an update via USB (I'm not 100% sure about a possible pointer to the BL that needs to be corrected, which the update does).
After that the partition information has to be edited to make the userdata partition larger and you're done.
thanks for the info HellcatDroid!
It would be great if you could elaborate on how to put the bootloader at the end of the sd-card.
Also I would love to get info how to get root into the stock firmware, that crippled down root-firmware that they allow to exist in the official tizzbird forum doesn't really satisfy my needs
I did it via a hex editor, but it should be doable with a few "dd" commands as well - that's one of the things I still want to try, find the propper dd params to copy the BL over.
If you dumped the original SD into a file using dd, at the very end of the image file you will find the bootloader and the very last block of the SD is a "header" telling the bootrom of the N1 a few things about it, so it can properly locate and load it.
So what you got to do is to copy those last ~230k from the image to the end of the new SD card.
As said, I'll try to write a small shell script that does it.
The rooting is even more easy (Stonecold would kill me if he'd read this, lol):
For when running on Linux (no can do on Windows, as Windows doesn't know the ext4 FS):
Since you got the SD in your PC anyways already, just mount partition 2 (e.g. if the SD is sdc on your PC, mount /dev/sdc2).
That is the partition where the Android system is sitting on.
Then just copy over the files needed for root to where they need to go, chown/chmod them properly, unmount and done
I used the "update-supersu.zip" I had for my Nexus7 to grab the required files.
But I'm planning to make a simple rooting script as well.
So if all goes as planned it'll come down to
- insert original SD
- run script 1
- insert new SD
- run script 2
- to root run script 3
brilliant! I would love to see those scripts
way easier than start tinkering with that stuff myself
One thing I wonder about - over at the official forum you said that a simple dd copy didn't work - is that if the target sd-card is bigger or also for an sd-card of equals size? because with equal size simple dd copy of the sd-card should still work, even if some things need so be exactly at the end.
Yup, just a dd didn't work because the new SD card was larger and the bootloader ended up being somewhere in the middle of the card instead of at the end.
While your thought of "dd to equal size cards" is totally correct, it might still fail due to the fact every card is not 100% exact same size counting down to last byte.
There ususally is a tiny size difference (a few bytes to kbytes) between cards, even if they are supposed to be same, so the bootloader might end up truncated or not exactely at the end.
If, however, the size of the cards is 100% the same, down to the last byte, then yes, a simple dd clone would work.
HellcatDroid said:
... There ususally is a tiny size difference (a few bytes to kbytes) between cards, even if they are supposed to be same, so the bootloader might end up truncated or not exactely at the end. ...
Click to expand...
Click to collapse
Oh! Didn't know that. I thought same marketing size means not the same size they write on the box, but at least the same size between those that are marketed with the same GB numbers on their stickers.
OK, here we go, I slapped together a few scripts for prepping a new (and larger) SD card to work in the N1 and while having the SD in the PC to aplly some root.
* hints at attachment of this post
The scripts might still have problems and not work on any Linux out there, but it's a start.
If there's more people interested and joining in on this I might continue but for now I got what I wanted - more storage and root.
Hi
I think I destroyed my MiniSC cand! The N1 is dead. I tried to insert the card in a linux and gparted did not see anything. What can I do?
thank you for your help
somade said:
Hi
I think I destroyed my MiniSC cand! The N1 is dead. I tried to insert the card in a linux and gparted did not see anything. What can I do?
thank you for your help
Click to expand...
Click to collapse
Could you post how you got there? what did you do to the sd-card that destroyed it?
Hi.
If you got a dump from a working state of the SD you can just dd it back onto the card.
If you don't, it can still be recovered but might need bit more work.
Two options:
find someone who gives you a dump of their card and use the write-card script from my above post to write it to your SD.
Problem with this: a working dump contains copyrighted code, like the bootloader, it technically it's "not OK" to share it
we come up with another script that only contains an "empty" image (i.e. only partitioning information) and that takes the bootloader and recovery from the official update and gets the card into a state that it boots into recovery and lets you install a working system using the official update from USB (option in the recovery menu)
Option 2 would be nicer, IMO.
I'll try to make up said script
Thank you for your immediate answer!.
Actually I dont know what has happened, maybe the sharp instrument I used to remove the plastic cover scratch it...But now when I put it in a card reader the led of the reader switch off and the card is heated!!!. And also when I put it in the N1 the blue led turns off!.
So I bought a new empty micro Sd .
Waiting for your script to partition the new card and then boot in recovery mode and install a firmware....
Because I am not expert to linux please give me a lot of details how to do this.
Thanks again!
HellcatDroid said:
we come up with another script that only contains an "empty" image (i.e. only partitioning information) and that takes the bootloader and recovery from the official update and gets the card into a state that it boots into recovery and lets you install a working system using the official update from USB (option in the recovery menu
Click to expand...
Click to collapse
Do you think the bootloader is even part of the offical updates? wouldn't it be "best practice" to leave the bootloader partition alone as long as possible (and normally firmware updates don't need to change the bootloader)
update: something else I've just found, those might be kernel sources for our Tizzbird N1:
http://www.cnx-software.com/2012/07...hips-tcc8925-mini-pcs-cx-01-z900-tizzbird-n1/
-->
https://github.com/cnxsoft/telechips-linux
Yep, the bootloader is in the update - at least in the 3.20 one.
And yes, usually the bootloader shouldn't be touched because that's usually the one thing that can "perma-brick" Android devices.
However, sometimes the manufacturer updates it (fixing bugs, adding functionality) - on my Nexus7 they updated the bootloader on pretty much every update and also Samsung updates their bootloaders every now and then (and every single update flashes the current one).
Last, not least, on the N1 the bootloader isn't on a partition but at unpartitioned space at the very last blocks of the SD (=> reason for a simple dd to a larger card not booting).
Ohyay at the possible kernel sources!
It'd be so cool if that's really sources able to build a kernel for the N1 with - I think we might be able to even get custom recovery (CWM and the likes) on the N1 if those sources work
OK, while trying to recreate a working SD card w/o using a dump of a working one I found out a few more things - some of them still need figuring out if we wanna do it properly.
There seem to be TWO bootloaders!
A stage1 bootloader of ~1kB size located at the third and second last block of the SD. If it's missing the N1 can't boot and it looks like ARM code (haven't tried to disassamble it yet), I assume the bootrom loads and executes that piece of code which in turn parses the header (see below) and load/starts the stage2 bootloader (the one also found in the FW update).
The very last block of the SD is a "header block" with some information beeing parsed either by the bootrom or (more likely) the stage1 bootloader.
The headerblock contains (among numerous other unkown data) the size of the ("stage2") bootloader (the one that then actually loads and boots the Linux kernel of the Android OS, this is also the one contained in the FW update) and the usable size of the SD card! (everything works fine though if the SD size is wrong and a proper FW update updates the header during writing of the bootloader and also sets the correct size).
Also, the headerblock has a checksum of which I have no clue on how it is generated.
All that is just educated guesses and might be totally off, but for now it looks like it's not too far off.
So, for now we can assume the following boot sequence:
Boot-ROM
-> loads stage1 bootloader from fixed position "SDsize - 3 blocks" (1 block = 512bytes)
stage1 bootloader at fixed position on SD
-> checks checksum of headerblock (?), gets size of stage2 bootloader from headerblock, locates stage2 bootloader based on it's size and loads/executes it
stage2 bootloader on variable position on SD
-> base initialisation of hardware
-> checks for recovery trigger (the red button on the remote control) and boots kernel from partition 6 if trigger present
-> boots kernel from partition 1 if recovery was not triggered
-> enters fastboot mode when booting the kernel fails
Kernel
-> loads base drivers and boots up the system
you're brilliant Hellcat!
And did you also find both bootloader stages inside the firmware updates?
Another question that came to my mind while reading your post (fastboot..)
Is there a way to use the Tizzbird as USB-slave? So to make use of adb and fastboot and such stuff? Okey adb could also be used via network I guess..
somade said:
Hi
I think I destroyed my MiniSC cand! The N1 is dead. I tried to insert the card in a linux and gparted did not see anything. What can I do?
thank you for your help
Click to expand...
Click to collapse
Somade, do you have a linux running on your pc? If no, download and get a knoppix running. and then contact me via pm. I have the original n1 image so no problem to recover the n1.
sebastian.heyn said:
Somade, do you have a linux running on your pc? If no, download and get a knoppix running. and then contact me via pm. I have the original n1 image so no problem to recover the n1.
Click to expand...
Click to collapse
Welcome to our rouge and non-censored Tizzbird N1 forum Sebastian!
I wonder if you found us here, if the German Tizzbird support also already knows about us
update: I just remembered, I've sent you the link as PM over in the official forums, thats how you landed here.
Sharing your sd-card image might be a copyright violation, and if you're profile name is strongly linked to you're real identity you should definitly be cautious with such things on public forums...
kaefert said:
And did you also find both bootloader stages inside the firmware updates?
Click to expand...
Click to collapse
Nope, unfortunately the stage1 bootloader is not in the update :-/
kaefert said:
Is there a way to use the Tizzbird as USB-slave? So to make use of adb and fastboot and such stuff? Okey adb could also be used via network I guess..
Click to expand...
Click to collapse
Yeah, it works, even officially XD
Go to the TizzBird settings -> "System Settings" -> "Advanced Settings"
It has an option "OTG Mode" there, set it to "Debug".
If you have your N1 connected to your PC via the micro-USB port (and hence your PC powering the N1!) you can use ADB and fastboot just as usual
I have not yet tried if that option is persistant, i.e. it survives a power loss.
When booting the kernel fails it should fall back to fastboot mode, so flashing a new kernel w/o pulling the SD should be possible - need to test this a bit more, though.
What works is, if you're rooted and and you fire the command "reboot bootloader" from a root shell, that gets you into fastboot mode no matter what (given you applied above mentioned setting first).
But needing a running system to get into fastboot mode kinda defeats the purpose of it - this aint Ouya which is a total fail when it comes to fastboot XD
---------- Post added at 09:26 AM ---------- Previous post was at 09:05 AM ----------
kaefert said:
I wonder if you found us here, if the German Tizzbird support also already knows about us
Click to expand...
Click to collapse
Eventually they will, I'd say.
And I'd love to see their faces when they do XD
Related
I've seen a number of requests for this functionality and recently it became necessary for one user who had a disabled Home Key to clear cache and data without the use of ClockworkMod. I have reserached two methods to address this issue. These instructions require some familiarity of android, computer and tablet terminology and usage. Feel free to ask for clarifications in comments. Here we go...
Method I - Stock Recovery Command File
Technical: Stock Recovery command file can be used to perform a few additional functions as well as to alter the path to update files. These commands will execute with all privileges available to recovery mode.
Advantages: Very easy to use. Very little technical knowledge required. No third party software is required for use.
Prerequisites: You will need a MicroSD card formatted FAT32 and a method for transferring files from your computer to the MicroSD.
Usage:
1) Prepare a text file named "command" (no file extension) with one of the following commands on a single line. The wipe data command will wipe both data and cache. Wipe cache will wipe cache only.
--wipe_data
--wipe_cache
2) Place the file in a folder named "recovery" in the root directory of your MicroSD card.
3) From a powered down state, insert the MicroSD card into your tablet and boot into recovery by powering it on while holding down the Volume Up key.
4) Allow the command to execute completely then the tablet should reboot (this may not occur automatically depending on firmware installed).
Method II - Updater Script
Technical: The attached "Updater Scripts" perform delete commands (recursively if necessary) on the named directory or file(s). The directories are mounted automatically by the system before the script executes but it could be easily revised to include that step if necessary. The partitioning, formatting and directory structure are left untouched. Only files are deleted.
Advantages: No third party software is necessary for execution. Relatively easy to modify for more surgical precision (i.e. leaving installed apps but clearing possibly corrupted system data). Included example: "Clear Battery Stats"
Prerequisites: You will need a MicroSD card formatted FAT32 and a method for transferring files from your computer to the MicroSD.
Usage:
1) Download the attached archive (ClearData.zip) to your computer.
2) Extract the files to your computer. You should then have a folder named "recovery" (which contains a file named "command") and an additional archive named "update.zip"
3) Place the recovery folder and the update.zip in the root directory of the MicroSD card.
4) From a powered down state, insert the MicroSD card into your tablet and boot into recovery by powering it on while holding down the Volume Up key.
5) Allow the script to execute completely then reboot the tablet (this may occur automatically depending on firmware installed).
This will become handy someday.
Thanks for sharing your knowledge.
You're welcome. One quick note... the new stock recovery adds a menu simiilar to ClockworkMod. These methods will still work since the recovery folder/command file are checked first but it really isn't as necessary any more.
Need Help
Tried both methods above but either way I get to the viewsonic splash with the message "Booting recovery kernel image" in the upper left and it just stays there, stuck there, I left it for a long time to see and it never leaves that screen.
Any ideas?
Me too
I can't get into clockworkmod either. My machine is running faster. I almost hate to mess it more.
lrgche said:
Tried both methods above but either way I get to the viewsonic splash with the message "Booting recovery kernel image" in the upper left and it just stays there, stuck there, I left it for a long time to see and it never leaves that screen.
Any ideas?
Click to expand...
Click to collapse
That's an indication that you may have more serious problems. nvflash will be required. http://forum.xda-developers.com/showthread.php?t=861950
Once done you will likely need to install ClockworkMod and repartition your internal storage.
Loukoebel said:
I can't get into clockworkmod either. My machine is running faster. I almost hate to mess it more.
Click to expand...
Click to collapse
If your tablet boots properly but you can't get into CWM then it probably isn't installed properly (or at all). http://forum.xda-developers.com/showthread.php?t=865245
Keep in mind that CWM is NOT compatible with all ROMs. Make sure the developer for your chosen ROM recommends it before installing it.
Does your method in opening post have to be run from external micro sdcard?
Both methods are performed with an external MicroSD card. They will work from internal also but it is a little more difficult to get the files in place if your tablet is not booting properly.
K J Rad said:
Both methods are performed with an external MicroSD card. They will work from internal also but it is a little more difficult to get the files in place if your tablet is not booting properly.
Click to expand...
Click to collapse
so your method is a simple way to replace one of the main uses of Clockword MOD?--Plus you stay stock more or less.
That is correct. Method II can also be modified to be less intrusive (leave user apps installed) or embedded into update scripts to perform a wipe during new ROM installs.
K J Rad said:
That is correct. Method II can also be modified to be less intrusive (leave user apps installed) or embedded into update scripts to perform a wipe during new ROM installs.
Click to expand...
Click to collapse
Wipe data does what--remove the apps installed?
And the partitions?
Your post is very interesting. It implies that you have a knowledge of the g-tabs partition structure. I have played with Linux off and on for the last 10+ years. When I began, I used Slackware and when you set it up you had to manually create partition tables using fdisk. You were only required to create two - the data partition and a swap partition but it was often recommended that you create several others - one to contain the home directory to prevent users from using all the disk space (in the days of small disks) for example. It appears that there are a lot of partition on the g-tab. Up to now, I have used various wiping tools like clockwork or calkulins wipe all on faith. I would really like to know what all the partitions are and what is in them. I have used terminal to get to the root folder and tried to do an fdisk to display the partitions but try as I might everything remains hidden. It would seem that a script like yours could be adapted to do many things but I would certainly want to understand the structure a little better before I did anything. I have searched and been unable to find that information. Can you point a way for the curious to learn more about the partition structure on the g-tab?
Wish I had a direction I could point you in. What I've found so far has mostly been stumbled upon while looking for something else. What I can tell you is this...
1) When using fdisk in Android you must specify the device to look at. Try something like: fdisk /dev/block/mccblk3 That should list the current partitions as defined by CWM or whatever was used originally.
2) Within one of those partitions in the list generated above are sub-partitions holding the bootloader, system, data, etc partitions. You can see how they're described in the .cfg files in the nvflash restores that are lying about.
lsu205 said:
Wipe data does what--remove the apps installed?
Click to expand...
Click to collapse
Removes user apps and their associated data as well as system related data and settings.
K J Rad - any idea if the partition size can be set with these methods (2048 & 0) in case I can't get clockwork installed?
CodeNamePapa said:
K J Rad - any idea if the partition size can be set with these methods (2048 & 0) in case I can't get clockwork installed?
Click to expand...
Click to collapse
I'm looking for a solution to that problem. Unfortunately these methods still require the ability to get into recovery mode which likely won't work if you're having trouble getting CWM installed.
If, however, you can get into recovery... then it is theoretically possible to create a script that would accomplish that. As soon as I have one I'll be adding it to the mix ;-)
Edit: I've found something I think will work. Will do some testing tonight. It will still require access to recovery.
I wasn't sure if you saw my other post but I am seeing no partition 0 when I NVFlash with a verifypartition.
http://forum.xda-developers.com/showpost.php?p=13059520&postcount=57
I haven't yet but I will. Let's try to keep this thread on topic. Thanks.
More thoughts:
because I went w/ cyan7 is it possible i have a "bad" kernel and that the stock bekit-1105 or the roebeet-3588 files are crashing w/ the kernel in place already?
I know custom ROMs can have a custom kernel applied separately, but I have no idea whether cyan7 loads it's own kernel...
I have yet to try the nvflash_gtablet_46 version, as I see the img files w/in are different from the original 1105 .zip
Also:
read on another thread that part 2 and part 3 aren't loading for other users when doing nvflash - I did notice that it pauses, runs some stuff, then starts loading part 4 through to the last part, then success. - do part 2 and 3 run for you?
edit: I see a 4349 downgrade.zip in another thread for those who got the OTA update but want to go back to stock 3588 prior to jumping off somewhere else - I can't expect that would help me as I can't do squat w/ recovery yet, but could that possibly "reset" any bad kernel problems? - again, I'm just thinking out loud.
This is well outside the scope of this thread but I find some of what you mention interesting so I'll address it and then end any further off topic discussions.
I did not build nor have I ever used Cyan7 so I have no basis for an opinion on the matter other than this... Each ROM comes with a kernel installed so if properly done an nvflash should overwrite any "bad" kernel.
Part2 and Part3 do indeed load, they are just displayed differently than the other Parts. Just minutes ago I flashed down from Mountain Laurel (4349 based with the new bootloader and recovery) with absolutely no trouble. I can, and have, read back those partitions after an nvflash to prove that point.
The 4349 downgrade will only work for you if recovery is working. Having never used it I don't know that it would "reset" the kernel but any subsequent flashing of a new ROM image would.
I am working on a stock recovery solution for partitioning but it isn't likely to help anyone who is stuck in an APX loop. I do have some ideas on what might help for that condition but I haven't been able to get my hands on one for testing and trying to help people here is like being a consulting mechanic for a car repair that's in someone else's shop having work done on it that you're not being told about.
I'll be happy to address any further comments or questions regarding your specific issue in an appropriate thread or via PM. Thanks.
I live in Japan and after more than 6 months I have successfully and permanently rooted both my Sharp 003 SH Galapagos and the 005SH Galapagos (Softbank not Docomo). My next concern is how to SIM unlock. I have been reading the posts about hacking the nv_bin file. I have searched through all of the the files (Root FTP thank you!) but there was no such file. I am happy to send along any screenshots or data files if that helps.
Thanks in advance.
Search Sharp 003SH Root Success and Sharp 005SH Root success on Youtube for more info
Can't really help you. Don't know anything about it. But I would like to know how you ended up rooting this phone of ours.
Its not a file on the filesystem. The sim locking in these phones is in the radio image; which can be accessed when you use the custom build kernel thats in the latest rootkit (I assume thats what you are using).
See the 2ch root/ROM thread for more details, but basically it is done through ADB, manually backing up the "_modem" partition; stripping the spare/ECC bytes and then extracting the radio OS using QualcommDumpAnalyser
I have managed to extract this image, but no idea where to go from there. None of the other device info seems to apply to this (HTC, Samsung, LG, any other Android that has had its sim-lock discovered in the radio)
Advice i got from the guys on 2ch: "Qualcomm's NAND code is neither difficult, nor unique, so if you know what you are looking for its not hard"
003SH 005SH Sim unlock
Thanks very much for giving me a new direction. I'll get started on it right away and let you know how it progresses.
It just sucks that the guys who know how to unlock it are staying quiet, saying its "taboo"
FYI, stripping the Spare/ECC bytes can be done manually (i wrote a C program to do it), but there is an option in the RevSkills app to do it all for you - i recommend doing that.
Of course we face another issue once we find the actual unlock - recalculating the ECC bytes after making the change; the only way to access the radio is with raw data access.
P.S. hope you have warranty on your phones - this is very likely to brick at least one phone until we get it right
---------- Post added at 12:30 PM ---------- Previous post was at 12:24 PM ----------
In the spirit of open cooperation, here are the instructions i was given, translated and simplified
In ADB Shell, type su to get the # prompt, then:
cat /proc/mtd <Enter>
Confirm that you have the "_modem" partition available. If not, you need to reflash with the custom build kernel
Dump the image to file with the following command:
dump_image -r -D -F _modem /sdcard/backupimages/modem.img
Access this with anything as "raw dump" and all blocks will get read as ECC error, so definitely dont do this
ECC positioning is different to Linux, so take care
The following maps out how 512bytes of data and 10 bytes of ECC info are stored in a 528 byte block:
0000 - 01CF (0-463): Data
01D0 - 01D1 (464-465): Unused (0xff)
01D2 - 0201 (466-513): Data
0202 - 020B (514-523): ECC
020C - 020F (524-527): Unused (0xff)
Use RevSkills application to extract the data portions:
Menu⇒Calculators/Generators⇒Android MTD Nand remove Spare and ECC
Extract all of the Data only portions out of the raw dump, and then use QualcommDumpAnalyser to read it and split up the various parts. I did notice that i wasnt able to get the AMSS block out with QualcommDumpAnalyser - i copied that out manually by calculating the byte positions shown in QDA.
003SH bootloader key sequence?
Eternalardor,
I'd be happy to swap information. Perhaps you could shed some light on the question of the bootloader for the Sharp 003SH and 005SH? There seems to be no discernible key sequence (Power+home+Volume up etc.) to access the bootloader. I feel like I've tried them all. Can you tell me this critical piece of information?
Is a form of the USB Jig necessary to access it?
Looking forward to your response.
003SH SIM unlock
Dominik,
Here are the results of the original /proc/mtd (before rooting)
boot
cache
misc
recovery
ipl
system
persist
log
battlog
calllog
ldb
userdata
I don't see the _modem partition. Should I?
I have also included a screenshot of the results showing size. I have most of them backed up as .img files too.
FYI: .img backed up sizes. Perhaps this will help you to ponder where the _modem partition may have gone. Maybe it's been renamed?
boot 11,264KB
cache 3,072KB
misc 1,024KB
recovery 11,264KB
ipl 15,360KB
system 419,840KB
persist 30,720KB
ldb 45,056KB
userdata 405,120KB
There is no bootloader menu AFAIK. If you install the custom kernel, you will have the option of a quasi-recovery mode, by pressing the home button between 7-12 seconds after the Galapagos logo is seen (or was that the Softbank logo)
Anyway, looking at the screenshots, it seems you do not have the custom kernel.
How did you achieve root on your phone?
To do this, you need to use the "003sh_005sh_dm009sh-rootkit" from at least 5/27 (recommend _0614); which is available on the 2ch forums. This includes 2 possible ways of achieving root:
1. A modified standard kernel (boot image), which, when flashed gives you regular root access
2. A custom compiled kernel, which has full root, a bunch of power profiles, and heaps more features (inc that quasi recovery), as well as access to the "_modem" image.
Judging from your youtube videos, you speak some Japanese, so the Japanese menus in the rootkit shouldnt be much trouble.
http://www1.axfc.net/uploader/Si/so/142435
This is what i used.
Go here for help/instructions http://anago.2ch.net/test/read.cgi/android/1337845757/
And dont even think about typing in English on there, or you will be ignored and/or told to go away
This all looks familiar. I have been using the root kit (5/27) to get where I am now - step by blessed step. It was pretty straight forward BUT I have never seen the option to write to the system partition. It is in all the instructions but the only option I have with respect to the system partition is to back it up. I'm confused as to why it doesn't seem to show up for me. I am using a Japanese machine so all the characters are displayed and I can read the instructions but I can't find help anywhere as to why I don't have that particular (and critical) option. I can see a lot of new and cool options in the 6/14 release. I'm excited and would like to get it installed.
I'll let you know how it goes. Thanks for your help .... keep it coming!
And another thing
Could you explain a little more about "having" the custom kernel? Using the root kit, I wrote to the Recovery partition then the Boot partition then rebooted from the Recovery partition and all seemed well. As I said above, I have never been able to write to the System partition despite it appearing in all the instructions. I suspect that is what is holding me back from the latest and greatest custom kernel. Still, I am enjoying all the same functionality that everyone else seems to be enjoying in root. What am I missing?
Eep, you wrote to the boot partition before trying the recovery? Brave!
The steps should be:
Write image to recovery partition;
Then reboot to recovery partition (from the menu) and confirm it all works without errors.
Then write image to boot partition
And then turn off the phone, and reboot (the last part is only my instructions - you could just select "reboot to boot partition" from the menu)
You are doing this on your 005SH right? It should be the same for the 003SH, but i only have the 005SH. In the rootkit there is 2 options when you say "burn custom image":
1 カスタムビルドrootedカーネル(リカバリーキット機能付き)
2 S4080 標準rootedカーネル(簡易リカバリー機能付き)
Q 中止してメインメニューへ戻る
You must do the first one, the CUSTOM rooted kernel, to get any of the really cool features. The second option is only if you just want root access for a particular app or something. AFAIK the second option doesnt even disable MIYABI LSM, which prevents you from mounting the system dir as R/W
But either way, writing to the System dir is not important for what we are doing. You need the Custom kernel, which gives you access to the "_modem"
Edit, i just noticed in your screenshots above, you didnt even get root in ADB shell?
Type
ADB Shell<Enter>
Then type
su<enter>
The cursor should change to a #, this means root. You may get a prompt on the phone from Superuser asking you to give root access to "shell". Once you have this try the cat /proc/mtd again
jcroot003sh,
can you tell me how to root 003sh?
Use the link i provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you dont understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so wont be able to put it up until monday.
DominikB said:
Use the link i provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you dont understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so wont be able to put it up until monday.
Click to expand...
Click to collapse
Thank you for your replying. I will wait for your translated version. You are really a good person.
Progress
I have successfully found and dumped the "_modem" image. Exactly as you stated - forgot the "su" command in ADB. Thanks. The next problem is editing out the code. I am way above my head here so I will do some research before bugging you for a step-by-step for that.
Also, the bootloader worked. I didn't realize how to do it until I read the notes in the 6/14 release. I successfully put a previously dead phone back on it's feet EXACTLY to the point of my current phone simply by backing up and then restoring partitions through the bootloader. Very slick and easy.
Will get to work. I'll be in contact soon with my progress on the SIM unlock.
I have spent a bit of time looking at it, it certainly isnt easy (Certainly isnt a "lock=yes" section). I assume the actual locking portion is encrypted/compressed/or just compiled, because it would be too easy otherwise (be happy to be proven wrong). For starters, i cannot even find my IMEI number in the dump file... I think that this dump only includes the radio code, not the NV RAM which contains the IMEI and SIM Lock status. If that is the case then the solution should be to change the portion of the radio code that queries the NV RAM, so that it doesnt care if the SIM lock is supposed to be applied.
Extracting the spare/ECC bits out should be done with the RevSkills app; extracting the relevant portions, that is a bit of a cludge; QualcommDumpAnalyser can show the start/end positions, but doesnt extract the AMSS part (AFAIK thats where the code will be). You need to use a hex editor to cut that part out manually... And i am still not 100% sure what the block size is on this NAND.
Good luck!
And if there *are* any experienced hackers out there willing to help out, i can offer some monetary help (as will a few of my fellow Japanese smartphone owning friends) as this will be valuable for not just these 2 phones (there is an army of 007SH owners waiting on this unlock)
Shall we give the 007/009 a shot?
I can see mountains of the 007SH on the auction (mostly pink). Perhaps I should pick one up and take it for a spin. I am happy to try to do something to help out for all the help I am receiving.
Or perhaps the 009SH?
How hard would it be to crack the 007? The 009SH looks like it is supported in the latest release kit.
Thoughts?
Currently, the 003/005SH are going to be the easiest, because they have the custom kernel which allows access to the "_modem" image. To do it on the 007SH we need to build a custom kernel (compiled from the sources available on the ktai-dev site), and add the modem access code (this is in the src directory of the rootkit). Not impossible, but i dont have a Linux machine to compile the sources.
However i think that the code will be fairly universal. Once we find it on the 005SH we will know what we are looking for on the 007SH as well. That will make many people happy
Anyway, my 005SH is under warranty/anshin plan so i dont mind if it gets bricked (especially now that we can take nand backups).
First things first though - examining the 005SH modem image. Does anyone know whether the NAND is a 16kb or 128kb block size? Or is it something completely different?
P.S. The DM009SH is just the Disney Mobile version of the 003SH
Linux machine no problem
I have a Linux server running 24/7 so compiling the kernel is easy. Don't let that be the holdup. I'll keep working on the 003SH _modem image.
DominikB,
I can't open this site [anago.2ch.net/test/read.cgi/smartphone/1319287551/] on channel2 for free. This site had been moved to the past-log storehouse. So.... I even can't look at Japanese version for rooting 003sh. It is very helpful if you can show me the steps for rooting 003sh.
Please excuse asking questions as a first post, but I'm at the stage where I'm stumped and a search isn't helping.
Mlais MX28 fresh from MM pre-rooted. Managed to get the ROM backed up and CWM installed with Rua1's excellent MTK Droid Root & Tools. However, removing the Chinese useless (for me - no offence intended) apks proved not to be happening from the one-click button in that excellent piece of software. No bother, thought I, I'll just use adb and remove the relevant apks manually from /system/app. Famous last words.
Here's where things get really odd. I can mount root fine using the usual procedure but mount -o rw,remount /[email protected] /system works once and once only. Even stranger is that the first time gets you a rw mounted filesystem for about 10 seconds, at which point it gets remounted ro and no amount of faff will get it back to rw without a full power off and restart. All it does is spits out
Code:
mount: Read-only file system
Any ideas, please? I suspect there's some write protection going on but I haven't the first idea where to look.
Edit: Having done a little more searching on this issue, it seems there's a few Acers with the same behaviour, caused by a compiled-in kernel option. Looks like it may well be "wait for a custom ROM" is the answer. Not sure if rolling our own is possible unless anyone knows where to get the Mediatek sources for this device from?
Anyway, :good: to all those who have viewed my question. It's appreciated.
Edit 2: There's an S4UI ROM on needrom<dot>com that is rumoured to have solved this issue. Note that if you have installed CWM using the "magic" MTK Droid Root & Tools method, chances are you can't mount /system rw using ADB in CWM either - I suspect they share the same kernel. I haven't tried the S4UI ROM myself as the recovery needed to install it seems to be in Chinese. Possible solution for anyone with a grasp of that language and script but that someone isn't me
[Q] Mlais MX28 Recovery in Chinese Any help with translation
Hello, bud Any help yet also gut stuck in this.
I'm afraid not at the moment. The S4UI ROM on needrom does indeed enable /system rw but the WiFi and Bluetooth will not activate. Replacing mtk_stp_wmt.ko in /system/lib/modules/ with the version from the stock ROM that should fix this issue, doesn't fix this issue. It's a shame as the S4UI ROM is rather pleasant to use and if I could get that fully operational I expect I would be quite happy with this device. Oddly, the stock ROM came back with a different MAC for the WiFi. As I restored from a backup created with MTKDR&T, this is a little perplexing.
I'll update if I find any more clues.
{Possible solution/nasty hack]
Here's a way to get full /system access on the stock ROM. It requires
Clockwork Mod recovery
ADB
Courage
Install/create Clockwork Mod with MTKDR&T. Now boot into recovery by holding Vol+ and power until the boot selection screen appears and then select recovery with Vol+ and press Vol- to accept.
Do not mount /system in CWM.
On your ADB equipped computer, start
Code:
adb shell
Now issue the following at the root shell prompt:
Code:
tune2fs -e continue /dev/block/mmcblk0p5
Reboot the system and enjoy the power of full root.
This may well be a nasty hack. I was convinced the issue was a protected kernel module but it seems the ext4fs image of the system block is corrupt in some way and the default error action is to mount -o ro. We're disabling that default action and letting the mount remain unchanged.
As always with these things, proceed at your own risk. If you break it, you have the privilege of keeping both bits.
Good way around mate, but risky as no CWM yet installed, seem's the mobile gut some bug problem, should expect an official update rom soon enough, Root method you used for this? i intend flashing Clockwork Mod can seem to understand fully as i'm new to android development and customizing, again problem with battery do you get a full day (few moment on screen) light usage? Feel its no actual 25000mah on board.
codedmax said:
Good way around mate, but risky as no CWM yet installed, seem's the mobile gut some bug problem, should expect an official update rom soon enough, Root method you used for this? i intend flashing Clockwork Mod can seem to understand fully as i'm new to android development and customizing, again problem with battery do you get a full day (few moment on screen) light usage? Feel its no actual 25000mah on board.
Click to expand...
Click to collapse
It appears there's an fsck implementation in the shell of CWM as well.
Code:
e2fsck -pfv /dev/block/mmcblk0p5
That should fix most of the errors in the filesystem.
The device came with su and SuperSU installed but it was fairly useless without /system access.
CWM can be easily installed using MTK Droid Root & Tools to extract the boot image, auto-patch, build CWM and install the lot. It really is a slick piece of software.
As for the battery, an even bigger issue is the supplied charger which is puny. Of course, looking at the battery and then looking at a proper, honest-to-goodness 2.2Ah Panasonic 18650 cylindrical cell you have to wonder if 2.5Ah isn't awfully optimistic.
Chron0s said:
It appears there's an fsck implementation in the shell of CWM as well.
Code:
e2fsck -pfv /dev/block/mmcblk0p5
That should fix most of the errors in the filesystem.
The device came with su and SuperSU installed but it was fairly useless without /system access.
CWM can be easily installed using MTK Droid Root & Tools to extract the boot image, auto-patch, build CWM and install the lot. It really is a slick piece of software.
As for the battery, an even bigger issue is the supplied charger which is puny. Of course, looking at the battery and then looking at a proper, honest-to-goodness 2.2Ah Panasonic 18650 cylindrical cell you have to wonder if 2.5Ah isn't awfully optimistic.
Click to expand...
Click to collapse
Very Well concerned,
once again good job, but how do i go about implementing this,
would you be kind enough to put in some more details on the file system code and CWM flashing with MTK Droid root & Tool did you manage to get a translation on the chinese langauage recovery problem,
(a tutorial is just fine) Thanks alot bud.
Okay, give me a little time to set it all up for screenshots as I don't generally use Windows unless I have to. It's all fairly straightforward. The CWM installation is four clicks and some waiting and repairing the /system block is a couple of commands.
Oscarblue48 has a tutorial on installing CWM on Mediatek devices here or here if your MX28 isn't rooted which is the procedure I followed. Then it's just a case of booting into CWM, connecting your device to USB and using adb's shell to fsck the filesystem on that block.
really nice, okay as you say,
i would look forward to it (some screen shots aid), in the main time with full study & concentration on the CWM tutorial you gave, quite interesting if you ask me.
#back to studying, looking forward to a bug free final optimization of the Mlais MX28 as its a great buy for such a price.
codedmax said:
really nice, okay as you say,
i would look forward to it (some screen shots aid), in the main time with full study & concentration on the CWM tutorial you gave, quite interesting if you ask me.
#back to studying, looking forward to a bug free final optimization of the Mlais MX28 as its a great buy for such a price.
Click to expand...
Click to collapse
Sorry for the delay, I ran into a few issues and had to work out what was going on. Basically the e2fsck in CWM cannot write back to the block device so is useless. I extracted the system.ext4.img, added it as a file backed memory disk on my main computer and ran an e2fsck from there, which found and fixed the errors in the FS image. Writing that back after changing a few MD5sums in the file MTKDR&T creates allowed me to flash it back.
However it makes absolutely no difference to the mount behaviour. It still drops back to ro without the tune2fs -e continue set so that is, barring someone else coming up with a more elegant fix, the workaround. In a nutshell, follow the guide for either root or CWM recovery installation that others have posted linked above (no point wasting board space on repetition) and then simply follow my instructions for setting the error behaviour on the mmcblk0p5 slice and you should be good to go.
It's still an awful hack IMHO but, since there's nothing else so far that works, it's the uncomplicated way to get full root. Most of us will install CWM anyway, so it's no big chore just to boot into recovery and type one command "tune2fs -e continue /dev/block/mmcblk0p5" at the ADB shell.
Chron0s said:
Sorry for the delay, I ran into a few issues and had to work out what was going on. Basically the e2fsck in CWM cannot write back to the block device so is useless. I extracted the system.ext4.img, added it as a file backed memory disk on my main computer and ran an e2fsck from there, which found and fixed the errors in the FS image. Writing that back after changing a few MD5sums in the file MTKDR&T creates allowed me to flash it back.
However it makes absolutely no difference to the mount behaviour. It still drops back to ro without the tune2fs -e continue set so that is, barring someone else coming up with a more elegant fix, the workaround. In a nutshell, follow the guide for either root or CWM recovery installation that others have posted linked above (no point wasting board space on repetition) and then simply follow my instructions for setting the error behaviour on the mmcblk0p5 slice and you should be good to go.
It's still an awful hack IMHO but, since there's nothing else so far that works, it's the uncomplicated way to get full root. Most of us will install CWM anyway, so it's no big chore just to boot into recovery and type one command "tune2fs -e continue /dev/block/mmcblk0p5" at the ADB shell.
Click to expand...
Click to collapse
Greetings bud, gut CWM installed, all thanks to you (indeed greatful), have you been lucky with any custom rom as of now that works efficently on your device?
I seem to find a few bug here and there on the manufacturer stock, puny wifi & gps lock in, slight screen maulfuctions a little times.
As with most mtk gps can not finding a lock in hows it with your device.
codedmax said:
Greetings bud, gut CWM installed, all thanks to you (indeed greatful), have you been lucky with any custom rom as of now that works efficently on your device?
Click to expand...
Click to collapse
None of the custom ROMs on needrom work correctly which is a shame. The stock ROM's UI is awful.
codedmax said:
I seem to find a few bug here and there on the manufacturer stock, puny wifi & gps lock in, slight screen maulfuctions a little times. As with most mtk gps can not finding a lock in hows it with your device.
Click to expand...
Click to collapse
Now you have root you can use FasterGPS from FDroid to intialise the gps.conf file with appropriate settings for your location. My GPS is rock solid now, even in a moving vehicle. Not had any screen malfunctions. What version is your stock ROM? Mine's the 20140221 update.
Chron0s said:
None of the custom ROMs on needrom work correctly which is a shame. The stock ROM's UI is awful.
Now you have root you can use FasterGPS from FDroid to intialise the gps.conf file with appropriate settings for your location. My GPS is rock solid now, even in a moving vehicle. Not had any screen malfunctions. What version is your stock ROM? Mine's the 20140221 update.
Click to expand...
Click to collapse
Hello great bud,
Sorry for late reply, been up with alot on my plate from work lately, gps has been improved upon using that wonderful app "FasterGPS" now able lock in under a split couple of min not as before were it take like forever *Nice*
gut the same stock version "20140221" gusse its down to my own unit with the screen ish
Did a little searching around found a recent update from a online retailer outlet via their forum "merimobiles"
forum.merimobilesdotcom.previewdnsdotcom/showthread.php?465-Unified-thread -for-Mlais-MX28-stock-ROM-updates
Hope im not infringing on any xda TOS as i just seek some help.
Thanks
Please i need help, i have a mlais mx28 buy in buyincoins, with the refer gordete200, it´s all ok.
i´m very happy with the mlais mx28, but i used a 8 gigas sd card, it´s all ok.
My problem: i have install with flashtools the new rom stock update : mx28_0312_N2.rar from the official mlais mx28 web
When i have install this ultimate ( update ) ROM, it´s was with reebots, and the wifi and blutooth crash 0_0 !!! what happend?
I back to the Rom stock : 0115 but the sd partitions was changed : 1 gb for apps, and 1.75 gb for internal memory, it´s very strange, before install the Update, i had 2,3 gb for apps and 256 gb for internal memory...
I´m very worry, the actual problem is the sd card:
With 8 gb sd card class 10, it´s all ok, all correct, but when i put the 16 gb sd card class 10, it´s don´t mount sd correctly always.
I´m very crazy for all...
codedmax said:
Hello great bud,
Sorry for late reply, been up with alot on my plate from work lately, gps has been improved upon using that wonderful app "FasterGPS" now able lock in under a split couple of min not as before were it take like forever *Nice*
Click to expand...
Click to collapse
Good stuff. Once you have the gps.conf set up, try using Mobileuncle Tools to pull in the EPO (extended prediction orbit, basically a nice big list of keplers for the satellites so it knows which to expect to be in view at a given time without having to scan the sky for what's actually there) data which should stabilise the GPS even further.
codedmax said:
gut the same stock version "20140221" gusse its down to my own unit with the screen ish
Did a little searching around found a recent update from a online retailer outlet via their forum "merimobiles"
forum.merimobilesdotcom.previewdnsdotcom/showthread.php?465-Unified-thread -for-Mlais-MX28-stock-ROM-updates
Hope im not infringing on any xda TOS as i just seek some help.
Thanks
Click to expand...
Click to collapse
I wonder if it's the bodged Trebuchet they're using? It's a bit of a disaster as they've taken the CM launcher, bodged bits of MIUI into it and given the whole thing a "that'll do" look and feel. I replaced it with the real Trebuchet after a thorough decrapify, along with the AOSP stock keyboard. There's a "modified" apk of Trebuchet (all the dev did was lower the base API level so it would install on 4.1) floating about on the 'net somewhere. The various KitKat-alikes work fairly well but I wanted something open source that I could slam into /system/app without worrying.
It has taken a lot of faff to get to this stage but I now have a very usable and fast device for not a great deal of outlay.
gordo100 said:
Please i need help, i have a mlais mx28 buy in buyincoins, with the refer gordete200, it´s all ok.
i´m very happy with the mlais mx28, but i used a 8 gigas sd card, it´s all ok.
My problem: i have install with flashtools the new rom stock update : mx28_0312_N2.rar from the official mlais mx28 web
When i have install this ultimate ( update ) ROM, it´s was with reebots, and the wifi and blutooth crash 0_0 !!! what happend?
I back to the Rom stock : 0115 but the sd partitions was changed : 1 gb for apps, and 1.75 gb for internal memory, it´s very strange, before install the Update, i had 2,3 gb for apps and 256 gb for internal memory...
I´m very worry, the actual problem is the sd card:
With 8 gb sd card class 10, it´s all ok, all correct, but when i put the 16 gb sd card class 10, it´s don´t mount sd correctly always.
I´m very crazy for all...
Click to expand...
Click to collapse
Do you have a backup of the original ROM and scatter (partition layout) file? You really should (read: MUST) back up these devices before flashing new firmware as there's often bits missing, as you found with the WiFi and Bluetooth issue. MTK Droid Root & Tools will create a useful backup of the partition layout and contents for you without too much difficulty.
Please do not write to the preloader partition with the SP flash tool. Once the preloader is corrupt, your device is a brick which only JTAG will recover. I seriously doubt anyone has a JTAG solution for this device right now. There is no need to rewrite the preloader at all in any case so simply deselect the preloader block in SP Flash tool before downloading.
As for the SD cards, you need to make sure your card is formatted FAT, not NTFS, and the card must be partitioned correctly, i.e. the FAT partition must be the first primary. The MX28 will accept a card of up to 32GB if I recall correctly, which is the limit of SD-HC. Clockwork Mod can format your card for you.
Chron0s said:
Do you have a backup of the original ROM and scatter (partition layout) file? You really should (read: MUST) back up these devices before flashing new firmware as there's often bits missing, as you found with the WiFi and Bluetooth issue. MTK Droid Root & Tools will create a useful backup of the partition layout and contents for you without too much difficulty.
Please do not write to the preloader partition with the SP flash tool. Once the preloader is corrupt, your device is a brick which only JTAG will recover. I seriously doubt anyone has a JTAG solution for this device right now. There is no need to rewrite the preloader at all in any case so simply deselect the preloader block in SP Flash tool before downloading.
As for the SD cards, you need to make sure your card is formatted FAT, not NTFS, and the card must be partitioned correctly, i.e. the FAT partition must be the first primary. The MX28 will accept a card of up to 32GB if I recall correctly, which is the limit of SD-HC. Clockwork Mod can format your card for you.
Click to expand...
Click to collapse
Many thanks for your help. I have a back up of my mlais, i have a back up with mtk droid and tools 2.5.3 ( new version ), but when i put it on the flash tools, the cache and user is missing, and it´s imposible to download it. and then i put a recovery CWM on the mlais with droid and tools ( very easy ), and use a nandroid back up, it´s no problem, but the internal sd partition is always changed : 1 gb for apps and 1.75 for sd internal, i´m very sad because i would like back to the 2,3 gb for apps ( original partition )
Yes... always fat32 sd cards of course, but i have problems with the sd up to 8 gb, the mlais freeze, or sd desmount ( it´s imposible sometimes write in sd external ) i don´t find the problem with this... i have the rom stock : 115.
Other problem, i would like to up the ultimate ROM stock 221. but the wifi and bluetooth crash, and reboot the phone sometimes ( terrible...) , what can i do ? your solution is don´t stick the PRELOADER on the Flashtool when i upload the firmware ? it´s correct? ( i think that if don´t mark the preloader it´s imposible flash... ?¿ )
Many thanks for your help !
gordo100 said:
Other problem, i would like to up the ultimate ROM stock 221. but the wifi and bluetooth crash, and reboot the phone sometimes ( terrible...) , what can i do ? your solution is don´t stick the PRELOADER on the Flashtool when i upload the firmware ? it´s correct? ( i think that if don´t mark the preloader it´s imposible flash... ?¿ )
Click to expand...
Click to collapse
No, what I'm saying is we don't yet know why the WLAN and Bluetooth stop working when a different ROM from the one flashed at the factory is installed. There is clearly some mechanism at work here that is blocking those two devices after an update and it's not the usual shared objects as it is on other devices. It also doesn't seem to be NVRAM related as the MAC and BDaddr remain once the old firmware is re-flashed.
This same problem occurs with all the custom ROMs on needrom.
The reason I say do not needlessly flash the preloader is the danger of a full brick from which you cannot recover. The preloader code very rarely changes - its only purpose is to provide an interface to SP flash tools or boot; think "BIOS" in PC terms - so it is a pointless risk. You most certainly can flash the other blocks with the preloader block deselected.
The bottom line right now is stick with the factory ROM, install CWM, apply the system mount fix and use Xposed and suchlike to customise until we come up with something a little more sensible or at least find out why the WLAN and Bluetooth stop working.
Given that the Wiko Darkmoon is based on the same SoC and has full sources available <EDIT: It isn't. It's just the kernel as usual.>, it may be prudent to wait until someone with more clue than I has a look at what makes these things tick.
Chron0s said:
No, what I'm saying is we don't yet know why the WLAN and Bluetooth stop working when a different ROM from the one flashed at the factory is installed. There is clearly some mechanism at work here that is blocking those two devices after an update and it's not the usual shared objects as it is on other devices. It also doesn't seem to be NVRAM related as the MAC and BDaddr remain once the old firmware is re-flashed.
This same problem occurs with all the custom ROMs on needrom.
The reason I say do not needlessly flash the preloader is the danger of a full brick from which you cannot recover. The preloader code very rarely changes - its only purpose is to provide an interface to SP flash tools or boot; think "BIOS" in PC terms - so it is a pointless risk. You most certainly can flash the other blocks with the preloader block deselected.
The bottom line right now is stick with the factory ROM, install CWM, apply the system mount fix and use Xposed and suchlike to customise until we come up with something a little more sensible or at least find out why the WLAN and Bluetooth stop working.
Given that the Wiko Darkmoon is based on the same SoC and has full sources available <EDIT: It isn't. It's just the kernel as usual.>, it may be prudent to wait until someone with more clue than I has a look at what makes these things tick.
Click to expand...
Click to collapse
Many thanks Chronos!, The problem is also with the official ROMS on mlais.com/mlaismx28 i don´t understand it...
Please i need help to back restore the partitions of my sd internal ( ROM ), i would like back to 2,3 gb for apps, actually i have only 0,98 gb and 1,75 gb internal store.
I think that the solution is back up for flash tools and reflash with the rom stock ( the back up of mlais mx28 of my friend, he have other new mx28 )
But my BIG problem with the flash with flash tools is the USER DATA and CACHE is always empty, and then it´s imposible to reflash it it´s always and error : Rom changed PTM ...
Please, what can i do for have USER DATA and CACHE with mtk droid and tools 2.5.3 versión?? ( in this version to click User data and Cache with to do the back it´s imposible, this option is missing in 2.5.3. version )
http://dl.xda-developers.com/attachdl/b2f11c741aab592a8f66616d932af983/533c2dcc/2/6/6/4/5/2/2/Sin_t_tulo.jpg
[ROM] Official Update
Hello guys, there's a new rom update for the mx28
Official Mlais MX28 version: Mlais_MX28_20140312
www.needrom.com/mobile/mlais-mx28-2/
Try it out seems, it works perfect.
Cheers!!
Summary
Uses an external micro sd as "internal storage". Accomplished by a ramdisk edit to the boot image. The bootloader must be unlocked to use this tool and unlocking the bootloader will erase all personal data, game saves, etc on your device. For devices that already have their bootloader unlocked there is an option to transfer the current data to the external microsd card.
Considerations
-The bootloader needs to be unlocked. The unlocking procedure erases all data on the device. If games saves, etc, are important use a tool that can back them up first.
-If you already have an unlocked bootloader the script allows you to transfer the data over and it should be like nothing ever happened but an increase in space. However, scripts are not perfect, nor can I take in to account every situation that might arise. If you have an unlocked bootloader and your data is important, please, please, please make a backup before trying this script.
-Micro SD card quality. All data will be read and written to the micro sd card. Not all cards are created the same. Many have very poor write performance, especially 4K writes. I tested about 6 or 7 cards and found the Samsung EVO+ as the best performing card. I didn't test the SanDisk extreme but it will likely be good as well. Increasing the size available is of no use if the speed is terrible and the tablet is laggy.
-Drivers. You must have fastboot and ADB drivers already set up and ready to go. The drivers are always a pain because so many different computers have different setups, previous drivers installed, conflicting drivers, etc. I attached the NabiLab2017 drivers to the post, even they can be buggy but provided an option if you choose. More about driver setup can be found here https://forum.xda-developers.com/nabi-2/general/nabi-information-t3229119
Procedure
ONLY FOR NVIDIA NV08B
Video: https://www.youtube.com/watch?v=aka8nUu7qQY
Video with data transfer: https://www.youtube.com/watch?v=ZbxqtzV33jI
ADB and fastboot drivers setup and tested
Micro SD card you want to use installed
Device connected and booted to Android
Unzip and run convert.bat
________________________
Thanks (again) @aicjofs for all the work you continue to do on these Nabi Dreamtab HD8s. TWRP, fsck fixes, stock 137 TWRP backups, and now this (which cures my biggest gripe about these tablets).
My kids are rough on them, but, because of the work you do, I've been able to keep them going & they grow with my kids. I just picked up 2 more refurbs from eBay today for $50 each. I'll be applying this internal storage fix as soon as they arrive.
I'm a Linux guy, not Windows. Would it help if I contributed a bash script that mimics your convert.bat? I'd have to assume that adb & fastboot are already installed & running, but I could probably script most of if from that point.
jvonhoff said:
Thanks (again) @aicjofs for all the work you continue to do on these Nabi Dreamtab HD8s. TWRP, fsck fixes, stock 137 TWRP backups, and now this (which cures my biggest gripe about these tablets).
My kids are rough on them, but, because of the work you do, I've been able to keep them going & they grow with my kids. I just picked up 2 more refurbs from eBay today for $50 each. I'll be applying this internal storage fix as soon as they arrive.
I'm a Linux guy, not Windows. Would it help if I contributed a bash script that mimics your convert.bat? I'd have to assume that adb & fastboot are already installed & running, but I could probably script most of if from that point.
Click to expand...
Click to collapse
Absolutely contribute, I don't do this for fame or money, just try to help others. Any and all additions are always welcome.
It should be easy enough to convert as most of the magic happens on the tablet itself, I think I only pushed a couple files to the tablet and made the ramdisk changes on the tablet too to keep the file size down. Weird how TWRP, the kernel, the tablet itself is all done in Linux but I only make windows scripts/apps.
I have quite a few of these tablets too, 5 maybe?. Kind of weird because Fuhu/Nabi screwed up that fsck thing so many people dump the tablet for next to nothing because they seem like garbage and crash all the time with loss of all the kids data but they are really a solid tablet. Try and find a screen of the HD8 quality on a modern kids tablet for $50. Shame about the crappy source code, if I could have got the camera to work right in the kernel I think I would have pressed on with the lollipop ROM and instead lost interest. This mod though breathes a lot of life into it still though. I have 3 of these running the mod and the kids still use it all the time with 64GB cards as their main storage and have had no issues.
aicjofs said:
Any and all additions are always welcome.
Click to expand...
Click to collapse
I've attached my attempt at a bash script for the swap. I got time to run one of my tablets through the gauntlet with this version, and only hit a snag at the check for fsck. Since I was that far, I just fixed the bug & applied the rest by hand. So, beware.
aicjofs said:
if I could have got the camera to work right in the kernel I think I would have pressed on with the lollipop ROM and instead lost interest.
Click to expand...
Click to collapse
I hear you there. I was hoping to see you get Lollipop going (even w/o a camera), just to have the battery saver. But, Greenify does a pretty good job keeping the battery going a while. So, again, thank you, and let me know if this script needs fixing.
Thanks for the work on this tablet. I am trying to salvage our dreamtab with your method. Unfortunately, I have a card inserted but the convert.bat never gave me any information about the sdcard like it did for you in the youtube video. Any idea what I might be doing wrong?
Thanks again!
WARNING - THESE TOOLS WRITE TO THE DEVICE PARTITIONS DIRECTLY
If you don't know what that means...
THIS CAN REALLY SCREW UP YOUR ---
I HAVE ONLY TESTED THESE ON THE A2020U (NON-5G) - I CANNOT SAY THEY ARE SAFE ON ANY OTHER VERSION OF THE PHONE (YET)(If you want to test it on a specific model you own, send a PM or post and I can tell you to run a few (safe) things from these tools to make them compatible your phone.)
See my next post down for some more "beginner friendly" general tips and tricks for this phone, including some fixes for common problems and a quick guide for installing Magisk!
If you can't afford to brick your phone, these tools aren't made for you.
There aren't really any protections from doing damage. I made them for myself because doing them on a command line constantly is a pain. I'm just sharing them for two reasons:
1) So myself or other people have tools available to make it easier when advising someone on how to fix their phone.
2) For tinkerers who are okay taking the risk that they'll mess something up.
Thanks to @djkuz / @Unjustified Dev for the EDL tool. These scripts really just expand the use of fh_loader commands in that tool. If you are able to read C++ and want to understand fh_loader I suggest searching on google, the source code is available and from that you can better understand what the tool does / what the command line options do. Feel free to ask here too, I'll do my best to share what I know.
Anyway - below I'll go into plenty of detail of what each "tool" does and some helpful information about using them.
I write in a kind of permanent verbose mode, so if you're impatient and need a TL;DR for these... tough. =)
CURRENT VERSION: Version 1.1d
Changelog:
Version 1.1d:
- Fixed reset scripts
Version 1.1c:
- Fixed a typo in backup_GPT ¯\_(ツ)_/¯
Version 1.1b:
- Fixed errors in GPT_Tools - apparently these existed since v1.0 DO NOT USE PREVIOUS VERSIONS
- Removed the v1.1a download (use 1.1b)
Version 1.1a:
- Added script to find the COM port automatically
- Updated all scripts to use the COM port in the file COMPort (created by the above script)
- Added the missing AB Partition manipulation files (accidentally left out of v1.0)
- Added script to run the phone reset EDL command
- Fixed all the filename inconsistency in the XML files - HOPEFULLY. Please post any errors you find. Unfortunately this will make this version incompatible with v1.0 backups without some work - either rename your backup files to match the new format or use the old XML files included.
-- Especially fixed the XML typo of "uefi_sec.mbn" being backed up from both A and B to the same file (overwriting the A copy with B during an ALL backup).
- Added support for installing firmware packages created for this tool. Put them in the Firmware_Package_Restore directory and use the scripts included with them.
Basic Instructions:
1) Download zip (See attachment at the bottom, or here - Download from AndroidFileHost)
2) Unpack zip
3) Move folder to the root directory, or inside any chain of directories that do NOT have spaces in any of the names
4) Right-click on scripts and select "Run with Powershell" to run
5) If running scripts fails due to permissions, see these instructions: https://superuser.com/questions/106360/how-to-enable-execution-of-powershell-scripts
Make a "Complete Backup" (minus userdata):
1) Run Load Programmer
2) Run "backup_all"
3) Check the backup directory and verify the files were backed up and sizes make sense - a full backup should be 10,387,202,048 bytes / 39 files for the critical files and 1,626,697,728 bytes / 64 files for the non-critical (Don't include the port_trace log file when checking size)
Note: You will see a lot of "warnings" before the files begin to download, the program checking if the files already exist.
How to Use These Tools:
Important:
When the scripts run there will be a lot of information dumped to the console. It's not necessary to read all of that BUT - IF YOU DO NOT SEE THE ASCII ART "DONE" AT THE END of running any of these scripts it is likely the script encountered a serious issue. "WARNING" art is normal for some scripts, but "ERROR" means something went wrong.
None of these find the COM port automatically. It is possible (the EDL tool does) but it's just extra work I'm not paid to do =P
You will need to edit each program and change the variable at the top (usually $COMPort = "6") to whatever port number your phone shows up on.
Sorry that's inconvenient, but it should just be once per script - my port number never changes so it wasn't worth implementing automatic port finding.
This is no longer needed after v1.1a.
1. Load Programmer
This is a simple but extremely important tool! You need to run this before running anything else. This script will open a window that runs a command to open a connection to the phone (when it is in EDL / "9008" mode). The window will stay open until you close it. When working on backups I often need to re-connect the programmer, so this makes that easy - just alt-tab to it and hit enter. If you look at the script, it's fairly straightforward - just read the instructions on the screen after running it. The "secret sauce" for this is really the firehose protocol for our chipset that Unjustified Dev provided in the EDL tool.
2. Backup / Restore:
backup_all: This will backup everything on the phone EXCEPT for the huge userdata partition. It will create a backup in two directories, which I'll explain.."critical" / "non-critical": You can see that I have scripts to run these two "types" of backups. Non-critical DOES NOT MEAN NOT IMPORTANT. It means that it is not critical TO ME to back up those files EVERY time I do a backup, because they rarely change. They're EXTREMELY important to have at least one backup of for your phone. The "critical" backup files are files that change often, although some of them are extreme non-critical (cache for example). Use a different name than "critical" if you like, but the point is that only with BOTH backups run (which is what backup_all does) will you have a complete backup.restore_all: This will restore a full (both critical and non-critical) backup set. The backup files have to be in the "restore_critical" and "restore_non-critical" directories respectively. If you didn't make the backup you're trying to restore with this tool CHECK THE FILENAMES, e.g. if you used Unjustified's EDL tool you have to rename the "abl.elf" file his backup generates to "abl_a.elf" for mine. I put _a and _b on every partition that has an a/b version because I got tired of getting them confused. Of course you can always install a backup to either slot.Files moved to the "restore_" directories won't be changed at all by the restore process so you can cut/paste the files from your backup into the directory instead of copying them.
3. A/B Partition Manipulation
These are no more complicated than the backup/restore tools. But they are written to make manipulations of the A/B partitions easier.My main use for these is when I know I have a good, working ROM setup on slot A, I run A2B copy. Then no matter which slot I end up booting I'm sure it will work. (That is, if you have a working, booting slot, copying all the files from that slot to the other slot using this tool will make both slots the same.)Backup/Copy:run_AB-partition-backup: As it says, it will backup both the A/B partition files - WARNING this is NOT a full backup of the phone.run_AB-partition-swap: This will backup all the A/B partition files, then it will write the B files to A and A to B, effectively swapping the partitions and leaving you with a backup in case it screwed up. This backup is ONLY OF THE A/B FILES.. NOT the whole device!run_A2B-partition-copy (and run_B2A-partition-copy): These will do a backup of both A/B partition files, then write the A partition onto the B partition (A2B) or vice versa (B2A), effectively mirroring that partition.
Write/Restore:All the restore scripts try to find their files in the "restore_Partitions" directory - place the files from one of the backups to be restored there.restore_AB-partition-backup: Restore a backup of both the A and B partition files.restore_A-partition-backup (and B): Restore just the backup of one partition to the same partition it was taken from (A to A and B to B).restore_A2B-partition-backup (and B2A): These write from one partition backup to the other partition as the name suggests.
4. GPT Tools
These are some basic tools to directly interact with the partition tables - these are not going to be of any use to 99% of people, so just ignore them if you don't know what they do.run_fixGPT: This issues the --fixgpt command to each of the LUNs. USE AT YOUR OWN RISK. As I understand it, this will use the onboard device configuration information from each LUN (e.g. logical size) and try to rebuild the GPTs. It's similar to running patch XMLs, it can clean up flashing messes. It isn't magic and won't fix everything.Rarely will anyone need it unless they've been messing around with the flash tools recklessly... I certainly don't know anyone who would do something that dumb backup_GPT: Backup all of the header and footer (main/backup) GPTs for all the partitions (lun 0-5). I am not aware of whether any other models of the phone have more LUNs, so be careful if you're using this on a non A2020U phone.restore_GPT: Simply write an entire GPT backup set (both main and backup 0-5) onto the phone. The backups must be in the restore_GPT folder. This DOES NOT BACKUP before it runs so make sure you did your backup.
6. Set Bootable Partition:
Alright this one is important for everyone. There are two scripts here - one for slot A and one for slot B. These just run a simple command, but they will fix a common problem I (and probably others) have - when the ROM active-slot information does NOT match the partition (hard drive) bootable flag, the phone will bootloop EVEN THOUGH EVERYTHING IS GOOD.So when you flash an EDL backup (depending on which files you flash, I believe this happens because of either the bootloader or the GPT files) there is a chance the backup you're flashing was originally from a different slot than the one you're restoring it to. The config thinks it should be on slot A while the hardware thinks slot B should be booting.This will result in a fast ~3 second bootloop as the two disagree and reset.This tool changes which partition is expecting to boot - "1" for slot A and "2" for slot B.This does NOT change the active slot - the phone will continue to boot the same slot it's trying to boot. You just need to make the partition that it is trying to boot has a bootable flag.AFAIK there is no way to change the active slot (the one XBL (I think) is trying to boot), except through fastboot or when the phone fails to load the OS 8 times in a row (note - if it fail to load the OS - if the phone bootloops before "boot" is called it won't ever switch slots on its own).This was a common cause of fast bootloops for me before I figured this fix out.
It does no harm to try this as you can always switch again. If neither one works for you, then it's something wrong with the files you're flashing. If you know which slot the phone is trying to boot (the one it was on last), run the script that matches that slot.
7. Write "Unlocked" Bootloader and FRP:
Just like the original EDL tool, these very simply overwrite your existing (probably stock) bootloader (abl) files with the fastboot enabled version, and/or your FRP with the "unlocked" flag on (see description below). This will allow you to enter the bootloader menu (Vol+/- on booting) and use fastboot to unlock the bootloader.backup_FRP-and-bootloaders: As it says, this will make backups of both the FRP file and current bootloader files (ABLs).run_all: Literally just runs both of the below scripts *shrug*write_UD-bootloader: This automatically backs up both your existing A/B bootloaders before overwriting them (BOTH) with the unlocked/fastboot bootloader.WARNING - an unfortunate fact is that if you're using the stock ROM and you have this bootloader installed, it borks the USB mode so it's stuck in charge only. There's a way to fix it temporarily, I'll post it in my "tips" thread, but you have to do it every time you boot, very annoying. I can't fix it permanently because I don't know how the bootloader file was built!WARNING 2 - Android 10 will NOT BOOT with this bootloader installed. You can still install it, trying to boot will bootloop, but you can get into the bootloader menu and use fastboot - but there are no recoveries I know of that work with Android 10 right now, so there's very limited use to having fastboot right now. Hopefully we can get a port of TWRP 3.4 going for this phone..write_unlock-frp: This is also in the EDL tool, but maybe poorly explained - the FRP file holds the flag you change in the OS Developer Options to designate "allow bootloader unlock". If you FORGOT to switch that flag on and unlock, as I understand it, you get bootlooped. This can fix that for you without having to go through all the work of undoing that mess.WARNING - I have only tested this with a brand new factory reset OS WITHOUT any fingerprint/code set. It may not work if you set one. I warn against using this if you are not ready to lose your data. It's convenient if you just forgot, but if you set a pattern/fingerprint security and encrypted the filesystem overwriting the FRP might remove your ability to decrypt which would force you to factory reset. Again, I haven't tested it for that so it may work, but be careful.If you already screwed up and ran this to set the flag - the script runs a quick backup of your old FRP just in case. So you can try to restore that FRP and pray lol)
8. Specific Files:
This is just a generic program to backup/write(restore) "specific files".I include a "Reference.XML" which has a full <program> line for every partition you might want to write/read on the phone. To use this, you need to copy the lines from the reference XML into "rawprogram-specific-files.xml" for the files you want to read/write.As an example I already set up "rawprogram-specific-files.xml" with the two lines for "abl_a" and "abl_b" in it. So the script will backup or restore those files (provided you put the abl's you want to restore in the restore_files directory).I personally use this template a lot - I have one for ABLs, one for AOPs, one for BOOTs, and so on. If you are trying to fix a specific file(s) it's convenient.
9. Userdata Backup:
I put this last because, to be honest, I'm not sure how good of an idea including this even is.VERY IMPORTANT - DO NOT USE THIS USERDATA TOOL IF YOUR PHONE IS NOT THE 256GB VERSION!!!!!I will need someone with the 128GB version to send me their GPT files if they want me to make an XML that works for them. Because the userdata size for SURE depends on your phone version.Also, I wrote a script that breaks up the file into download slices (and can be written back to the phone in slices, of course) - one, to see if I could do it and if it would work (it does)... and two, so that in the horrible case that something goes wrong during the... nearly 2hrs of transfer time, for my 256gb image ... that I can at least not have to start all over. If something happens, you should be able to remove the entries in the XML for what you already have and start again.Finally - is it even worth doing? Is backing up the userdata even useful?I don't know yet.For an unecrypted pre-A10 phone I do know it works to fully flash ALL the files on the phone + the userdata all at the same time to return the phone to the exact "state" it was backed up in - all the apps and settings and everything, exactly as they were.But A10 is encryption enabled always, and it uses file encryption which sounds even worse for this idea.. and I don't know if the crypto keys change and when. So flashing an entire encrypted partition might just leave you unable to decrypt all, some, or none and you lose everything.OR it might just work - you throw the whole image on there and the decrypt key is the same, boom, easy backup.If anyone tries it, let me know how it goes (or doesn't). I'll update with any results I find.Update 1: I have confirmed that for the 256gb A2020U backing up the full phone and userdata allows you to restore the phone to that exact state. Doesn't matter if it's encrypted, password set or not, etc. If you backup the entire userdata image and reflash it that is where the phone will be. In most cases you also need all the other partitions too, but if they have not changed they don't have to be reflashed. (I confirmed going from encrypted with password -> encrypted with no password -> back up encrypted with password.. This is on Android 10 with its more complicated encryption).Another nice thing to note - of course the image of the phone will be the size of the partition (ie. 256gb for mine, 128gb for others). But if your phone storage is largely empty, you compress the backup using something like 7z once the image has been backed up. It won't take up so much space then. How much less? My 256gb image compressed is 4.5gb. lol.... it makes sense, the phone is new and there's basically no information on the userdata. Many of the pieces of my userdata backup have the same exacty hashes - meaning they are literally just all 0's... 260gb of zeros. Unfortunately you can't get away with just backing up part of the image as data could be anywhere. And over time as the sectors get written to, it will get more difficult to compress.Anyway, if anyone has a 128GB version they want to donate to science (kidding - I just need backups of the GPT) I can make the XML file to use for backing those up too.
Extra Note: All the programs automatically build a log of the console window, so if something goes by too fast just check the log. The fh_loader also creates a log and dumps it somewhat randomly about... lol.. the filename is port_trace.txt. This tends to get deleted and overwritten easily so if you want to keep it, move it when the script finishes,. it does often contain more information than the console shows - it can be useful understanding what's going on.
Extra Note 2: You'll notice a script "Create Hash List" in practically every directory. That's to strongly hint that using that script is super useful. All the files backed up through these tools, by definition, have the exact same size. If you hash your files though, you can tell if they have changed at all. This is extremely useful in troubleshooting problems.
How to install an EDL firmware package:
Note: This tool is specifically made for the firmware packages I posted. It won't work with any other package (although it can, with a little work).
1. Install the EDL tools
2. Run a backup of your phone! Even if it isn't booting.
3. Download a firmware package from this thread: [ROM][STOCK] Stock Firmware Packages (For Expanded EDL Tools)
4. Unpack the firmware archive into the tool directory "Firmware_Package_Restore"
5. Put phone in EDL mode and run Load Programmer
6. Run whichever "Write Firmware vX to Y.ps1" you want (X = firmware version, Y = A or B partition) (If you don't know which partition is currently booting, just install both.)
7. Wait for the install to finish ("done"), then reset the phone with either the power button or the reset tool
8. You might see a few bootloops and then the phone ask you to do a factory reset / system wipe.
9. Done.
PLEASE POST IN THE FIRMWARE THREAD _NOT HERE_ IF YOU RUN INTO ANY ISSUES!
Enjoy!
Also, while I'm here... some other helpful notes for this phone:
-------------------------------
General Information:
As of right now there are a lot of working options for Android 9 and quickly expanding thanks to work @Unjustified Dev did and work @rafyvitto is continuing to do! Check out some of his sGSI ROMs, lots of options!
Thanks to Unjustified LOS 16 is available for Android 9 also, and is the base install for most ROMs. See his threads for that. I may write up an install guide here that's a little more in depth than his.. not today though.
Upgrading to Android 10 with the bootloader unlocked is possible but requires a workaround:
You must unlock on Android 9 then use recovery to side-load the Android 10 update available from ZTE USA (HERE).
This will remove the fastboot enabled bootloader and requires a complete system wipe.
You will retain bootloader unlock.
Once you have updated to A10 you can run OTA updates to get up to the latest version.
Downsides to A10 include - NO RECOVERY (yet), NO CUSTOM ROMs (yet), and if you flash the fastboot enabled bootloader you CAN use fastboot, but you cannot boot- the phone will be in a bootloop until you restore the stock A10 bootloader.
-------------------------------
Resetting the phone manually:
In EDL Loop - Hold power for 20 seconds
In EDL Not-Looped - Hold power for 5 seconds
In System (booted after ZTE logo) - Hold power for 10 seconds
----------------------------------
Entering Modes:
All of these start by using reset above, THEN the button(s) below - in all except one case (EDL), when the phone resets it will vibrate and then show the blue ZTE logo.
When you feel the vibration you want to immediately release the power button and press the mode buttons.
This can be confusing and tricky - most people say "hold power + button" - that is incorrect. Most cases if you hold any button other than power the phone will not finish resetting until you release that button.
What you want to do is right before or as the phone vibrates, then you hold the button. Once the ZTE screen is up it is probably too late if you missed it. So hold power for your reset and be ready to push the button you want when you feel the vibration.
The one exception - EDL mode. For EDL mode you can (and must) hold the key combo just before/during the restart.
Recovery Mode: Vol+ Button
Factory Test Mode: Vol- Button
Bootloader/Fastboot Mode: Vol+/- Button (both) when phone is NOT plugged into USB (if you are too early pressing the combo, even with the USB unplugged, you will get EDL mode)
Emergency Download Mode: Vol+/- Button (both) when phone IS plugged into USB
--------------------------------
EDL Flash Errors (esp. when EDL looped):
There is NO indication the phone is even ON when you are EDL stuck/looped. Other than when you plug into the computer with the right drivers it shows up as a 9008 device (9008 mode is EDL for Qualcomm).
Even when you can see the phone on your computer, it can often "freeze" in EDL if it is left idle for too long (not connected to and being used by a Sahara programmer).
If you try the EDL tool or another flash tool and they give you errors related to the Sahara programmer not loading or no "hello", do this:
Reset the phone - use a clock to count if you need, has to be accurate since there's no indication of when it resets. Press down Vol+/- and the power button, count to 20sec, then release JUST the power button. Keep holding both of the volumes for another 5 sec, then release them. That will get you back into a fresh EDL. You can watch your Device Manager to see the phone disconnect as an indicator when to let go of the power button. If you mess up the timing, wait a bit before trying again so the phone isn't in the middle of rebooting.
Easiest way to tell if you're in EDL is to watch the Device Manager while you do it. Otherwise there is just a lot of guess work, since there's no logo or vibration when you get it right, phone just appears off.
--------------------------------
USB Mode Stuck After Unlocking:
Something about the fastboot/"unlocked" bootloader causes the USB mode when you boot in the OS to be stuck on "Charge Only" mode.
Luckily I found @meow sir 's comment tucked away in this thread, and he knew a way to fix it (thanks!):
1. Open the phone dialer
2. Dial in "*#*#DEBUG#*#*" (debug = 33284)
(Sometimes takes a little bit to open, but a debugger menu will open)
3. Select the 2nd option for USB
4. Pick the only option - this will unset some strange "testing" mode and you can use MPT again.
Unfortunately this fix doesn't stick, you have to do it every time unless you switch back to the stock ABL. =(
--------------------------------
Installing Magisk, Quick Guide:
- You must have your bootloader unlocked already! This works on both A9 and A10.
1. Use this tool to create a full backup! (backup_all)
2. Go into the "critical" directory created by the backup and find the files for boot_a.img and boot_b.img - rename them to boot_a_bak.img and boot_b_bak.img and keep that window open, need them in a second
2. Boot into the OS. Download the Magisk Manager APK from HERE
3. Copy the APK and both of those boot files to your phone, open a file manager and install the APK
4. Open Magisk Manager and click on "Install" for Magisk (upper right)
5. Select "Patch Boot ROM" (or whatever it says.. something like that..)
6. Navigate to boot_a_bak.img and patch it.
7. Go to your Downloads directory (where Magisk dumps the patched file) and rename it to boot_a_magisk
8. Go back to Magisk and repeat those steps for boot_b
9. Copy the two patched Magisk boot files to your computer, into the folder with your "critical" files backup.
10. Rename the Magisk files to "boot_a.img" and "boot_b.img"
11. Move all the files from the "Backup\backup_all-critical-(...)" directory to the "Restore\restore_critical" directory in my tools
12. Finally, reboot into EDL.. almost there!
13. Run "restore_all-critical" (don't forget to run Load Programmer first..)
14. It will restore all you files, kinda a waste of time - if you know how to use the "Specific Files" tool this is a perfect time to use it to flash JUST the boot files. But anyway - this will get it done.
15. When done flashing, reboot the phone and open Magisk Manager to confirm it is installed!
The Magisk team recommend you DO NOT FLASH your stock boot files back to uninstall it, instead they say you should run their uninstaller.zip. However, I am not sure how to uninstall it if you're on A10 since we don't have a recovery that can flash zips? (Unless the stock recovery works for that, I don't think it would..)
I suspect (but have not tried) that on our phone flashing the boot files back over Magisk will not really be a problem since the recovery and ramdisk are all wrapped up into the boot image. But I don't recommend trying it if you value your data! Fair warning.
---------------------------
Alright that's everything. Good luck!
This will be useful for a lot of folks on here, thanks for taking the time to look for a work around.
rafyvitto said:
This will be useful for a lot of folks on here, thanks for taking the time to look for a work around.
Click to expand...
Click to collapse
Glad to be helpful! Usually I lurk the forums getting information I need to unlock/root/etc lol.. but I saw I actually could contribute something to this forum so hopefully it encourages people to get interested in this phone. It's looking pretty sweet now that I'm not spending days fighting with bootloops!
Indeed,on the note of attracting more users. im going to be releasing something for the pixel lovers very soon ?
Thanks Bob!
I'm on A10 with unlocked bootloader. I made all EDL tool backups when on A9 but these were done before correcting the typos as suggested. So I am not confident of successfully flashing back to A9 (preference).
Therefore I will likely flash the magisk-patched boot files to attempt root and report my experience...
Sent from my ZTE A2020U Pro using Tapatalk
big thx, glad to see some life to this almost dev-dead device
Hey thanks for the post. I'm thinking about buying the phone but have a quick question. Can I update to the latest version of Android 9 before unlocking or will the OTA be Android 10. How would I go about updating to the latest version version of Android 9 and not go to Android 10. Can I download the Android 9 OTA from somewhere and flash that one? Thanks in advance for the help!
Crackass said:
Hey thanks for the post. I'm thinking about buying the phone but have a quick question. Can I update to the latest version of Android 9 before unlocking or will the OTA be Android 10. How would I go about updating to the latest version version of Android 9 and not go to Android 10. Can I download the Android 9 OTA from somewhere and flash that one? Thanks in advance for the help!
Click to expand...
Click to collapse
:good: I think your question borderlines on needing its own thread in the Q&A section but I'll answer you anyway...
Currently as long as you are on A9 when you get the phone you can just do OTA updates from firmware version 1.10 to 1.11 to 1.13 (not sure what android security update that is), after 1.13 it goes to A10.
There is an A10 firmware available from ZTE to SD card sideload. Once installed it has to be updated to the latest A10 via a couple OTA updates.
Going directly from A9 to A10 via OTA goes directly to the latest version.
You cannot flash the A9 OTA... because flashing an OTA is an oxymoron... but I guess you mean can you download the A9 firmware and flash them. The answer is... maybe. ZTE does not offer official downloads any A9 firmware for A2002U (USA version), only A10.
They do offer A9 firmware for A2020G (european) and I think other foreign versions (RU, CN). These cannot be interchanged, if you have the US or EU or CN phone you need to use that firmware... from what I have read. I could be wrong, I don't have those phones.
But there is an unofficial stock A9 firmware for the A2020U here on the forums, uploaded by @rafyvitto . That will get you to.. I forget.. 1.11? That can be flashed using the original EDL tool or, with a little modification, the EDL tools in this thread.
Additionally.. if I ever get around to it... I plan to upload all three A9 firmware packages for the US version which can be flashed with the EDL tools in this thread. Not sure if it's really necessary, but I have them.. it's just a matter of figuring out hosting them and spending the time to upload them.
bobthenormal said:
:good: I think your question borderlines on needing its own thread in the Q&A section but I'll answer you anyway...
Currently as long as you are on A9 when you get the phone you can just do OTA updates from firmware version 1.10 to 1.11 to 1.13 (not sure what android security update that is), after 1.13 it goes to A10.
There is an A10 firmware available from ZTE to SD card sideload. Once installed it has to be updated to the latest A10 via a couple OTA updates.
Going directly from A9 to A10 via OTA goes directly to the latest version.
You cannot flash the A9 OTA... because flashing an OTA is an oxymoron... but I guess you mean can you download the A9 firmware and flash them. The answer is... maybe. ZTE does not offer official downloads any A9 firmware for A2002U (USA version), only A10.
They do offer A9 firmware for A2020G (european) and I think other foreign versions (RU, CN). These cannot be interchanged, if you have the US or EU or CN phone you need to use that firmware... from what I have read. I could be wrong, I don't have those phones.
But there is an unofficial stock A9 firmware for the A2020U here on the forums, uploaded by @rafyvitto . That will get you to.. I forget.. 1.11? That can be flashed using the original EDL tool or, with a little modification, the EDL tools in this thread.
Additionally.. if I ever get around to it... I plan to upload all three A9 firmware packages for the US version which can be flashed with the EDL tools in this thread. Not sure if it's really necessary, but I have them.. it's just a matter of figuring out hosting them and spending the time to upload them.
Click to expand...
Click to collapse
Just wanted to chime in, interchanging firmware between each model is possible, you would only need to reflash your model/nonhos/tz partitions to the ones of your variant to have working ril/fod fp/sensors.
Ok Bob I gave it a go and successfully rooted my A2020U running stock A10 v2.09. This is my experience...
Firstly, my A2020U could not connect so I used the @Unjustified Dev Tool ("original tool") to easily determine my com port (i.e. 3). I edited the your scripts accordingly (using Notepad++) and got connected.
I'd rather not fiddle with the hardware buttons to change modes so I used the CLI to "adb reboot edl" to get into EDL mode.
I executed the backup_all.ps1 script.
It echoed several "warnings" indicating that it could not find files. However, the created backup folders did in fact include those files.
I noted that none of the "A" slot files include the "_a" postfix; the "B" slot files did include "_b".
Now I needed to transfer those boot files to my device by first rebooting my device and connecting via MTP.
I noted that the original tool offered a reboot menu option (but sadly only after executing a successful operation). So, not wanting to fiddle, I used the original tool to backup my boot files, then used the menu option to reboot; On my device I then manually selected it to connect via MTP.
After transferring the "boot.img" and "boot_b.img" files to my device, and installing Magisk Manager. I patched them and transferred them back to my PC.
To "flash" (restore) the patched files I decided to cut 'n' paste the two lines regarding them from your Reference.xml file into your rawprogram-specific-files.xml file, replacing your example lines.
I executed your run_write-files.ps1 script and it completed successfully.
Not wanting to fiddle again with the hardware buttons (just so that I can get the reboot option), I backed up the patched files using the original tool and rebooted. Now my device is successfully rooted.
Thank you!
Additional notes and suggestions:
1. Can you please investigate the "false" warnings? See my (redacted) log file attached;
2. It would be great if you could create/duplicate a script within your expanded tool set (or main program) to determine and set the appropriate COMPort (and teach us non-coders the actual commands);
3. Would you also consider investigating and including a reboot device script? (It looks like the original tool calls reset.xml);
4. Note that, at the time of reporting this, the latest versions for the Manager and Magsk are 8.02 (307) and 21.0 (21000) respectively, and that I had to switch the update channel to "beta" for the patched files to pass SafetyNet;
5. Because rooting is a likely use of your tool I am attaching my modified rawprogram-specific-files.xml file which targets the boot files for convenience.
bobthenormal said:
...
Additionally.. if I ever get around to it... I plan to upload all three A9 firmware packages for the US version which can be flashed with the EDL tools in this thread....
Click to expand...
Click to collapse
If this can help me get my A10 device to a state where I can install a custom recovery and cutom ROMs, I would appreciate it!
eKeith said:
Ok Bob I gave it a go and successfully rooted my A2020U running stock A10 v2.09. This is my experience...
Firstly, my A2020U could not connect so I used the @Unjustified Dev Tool ("original tool") to easily determine my com port (i.e. 3). I edited the your scripts accordingly (using Notepad++) and got connected.
I'd rather not fiddle with the hardware buttons to change modes so I used the CLI to "adb reboot edl" to get into EDL mode.
I executed the backup_all.ps1 script.
It echoed several "warnings" indicating that it could not find files. However, the created backup folders did in fact include those files.
I noted that none of the "A" slot files include the "_a" postfix; the "B" slot files did include "_b".
Now I needed to transfer those boot files to my device by first rebooting my device and connecting via MTP.
I noted that the original tool offered a reboot menu option (but sadly only after executing a successful operation). So, not wanting to fiddle, I used the original tool to backup my boot files, then used the menu option to reboot; On my device I then manually selected it to connect via MTP.
After transferring the "boot.img" and "boot_b.img" files to my device, and installing Magisk Manager. I patched them and transferred them back to my PC.
To "flash" (restore) the patched files I decided to cut 'n' paste the two lines regarding them from your Reference.xml file into your rawprogram-specific-files.xml file, replacing your example lines.
I executed your run_write-files.ps1 script and it completed successfully.
Not wanting to fiddle again with the hardware buttons (just so that I can get the reboot option), I backed up the patched files using the original tool and rebooted. Now my device is successfully rooted.
Thank you!
Additional notes and suggestions:
1. Can you please investigate the "false" warnings? See my (redacted) log file attached;
2. It would be great if you could create/duplicate a script within your expanded tool set (or main program) to determine and set the appropriate COMPort (and teach us non-coders the actual commands);
3. Would you also consider investigating and including a reboot device script? (It looks like the original tool calls reset.xml);
4. Note that, at the time of reporting this, the latest versions for the Manager and Magsk are 8.02 (307) and 21.0 (21000) respectively, and that I had to switch the update channel to "beta" for the patched files to pass SafetyNet;
5. Because rooting is a likely use of your tool I am attaching my modified rawprogram-specific-files.xml file which targets the boot files for convenience.
Click to expand...
Click to collapse
Nice! :good:
For the questions..
0. Thanks for the heads up on filenames! I completely missed that the _a files don't have the labels... As you probably noticed all the files are backed up correctly still (no missing/overwritten files), but I removed the _a from all the A slot files. That was my original "fix", so I guess I started building this package before I got annoyed by not having the _a/_b consistency. I'll update the correct XML file and upload it as a new version.
1. Don't worry about those! They're part of using the fh_loader interface. Warnings are usually just fine, ERRORS are bad. I'll add a note to the post when I get a chance so people don't get scared by that.
It's only when you do a backup the program is really only designed in the "writing" sense, for backups you literally run an identical XML to writing but you send a flag that reverses the process. So it weirdly checks if the files it is going to copy (which of course don't exist) exist, and it throws the standard warning, but then it just creates them (of course).
I can't turn those off without lowering the verbosity setting for that tool. I decided to leave it set to high because if someone has a problem and they post their log file (like so!) it's very useful to troubleshoot.
2. I'll think about it / try. Not very hard to program but a little time consuming.
I'll throw a copy of lsusb.exe in the next version. Windows port of the linux command. People can simply run that on a command prompt and it will list all the active COM ports/devices. If you're not familiar with it - you can also find out by clicking on the windows start bar or pressing the windows key and typing in "Device Manager". In the hardware list there is a category for COM ports where it lists them.
3. Yeah that's very easy I'll put one in the next version as well.
4. Helpful to know. Interesting that you needed beta to pass... I didn't think to mention I use the canary builds (not really recommended... the current one crashes when I try to hide Magisk Manager lol)
5. Thanks! Maybe I should make a directory specific to boot backup/write... but I do think anyone not comfortable doing the change you did might not want to be flashing their boot files anyway haha.. things to consider I guess.
As for getting you back from A10, definitely. I'll figure out how to upload them to one of those file sharing sites in a week or two.
In the mean time, with a backup from this tool you're safe (as far as bricking goes, you'll have to system wipe) to try rafy's EDL backup to revert to A9. I'll find the actual post... I should have been less lazy and linked it in my post lol... HERE - rafyvitto's EDL.
If flashing his backup doesn't boot right away try the tool I included to fix the bootable partition. If it still doesn't work after that (maybe mention here what happened) then just restore your backup.
Do you have the 128gb phone by chance?
Thanks much, especially for your detailed clarifications and convenient link!
I have the 8/256GB (P855A03_NA) model.
PS
I want to spend more time on ensuring I have a complete device backup before nuking with another EDL; will dedicate some time this week...
Sent from my ZTE A2020U Pro using Tapatalk
eKeith said:
Thanks much, especially for your detailed clarifications and convenient link!
I have the 8/256GB (P855A03_NA) model.
PS
I want to spend more time on ensuring I have a complete device backup before nuking with another EDL; will dedicate some time this week...
Sent from my ZTE A2020U Pro using Tapatalk
Click to expand...
Click to collapse
Oh nice, with the 256gb model you're good to use the userdata backup program too. Sounds ideal for you since, like me, you want a really bulletproof backup. If you run a full backup and then run the userdata backup you literally have a "phone state" so you can return your phone back to exactly where it was, not have to wipe system or anything.
Of course I'd hate to be wrong so as usual, do at your own risk! Lol. But I am using that method and it has worked great. The downside being over an hour of waiting for the userdata to download or upload... and having to store 256gb (for long term storage you can compress it down to literally a few gb).
I've been kinda busy, but working on getting some of those things from my last post done hopefully this week.
bobthenormal said:
Oh nice, with the 256gb model you're good to use the userdata backup program too. Sounds ideal for you since, like me, you want a really bulletproof backup. If you run a full backup and then run the userdata backup you literally have a "phone state" so you can return your phone back to exactly where it was, not have to wipe system or anything.
Of course I'd hate to be wrong so as usual, do at your own risk! Lol. But I am using that method and it has worked great. The downside being over an hour of waiting for the userdata to download or upload... and having to store 256gb (for long term storage you can compress it down to literally a few gb).
I've been kinda busy, but working on getting some of those things from my last post done hopefully this week.
Click to expand...
Click to collapse
That's great to know! Your user data backup option has simplified my life.
I will wait for your next revision to do a full backup plus user data before nuking.
I am looking forward to moving on from ZTE's A10 to one of Ray's ROMs...
Sent from my PH-1 using Tapatalk
Updated to 1.1a - kind of had to rush on some things so keep an eye out for mistakes, especially in the XML files, and let me know if you find any.
Should have an 1.09 (A9) firmware package up "Soon(TM)", just have to make the xml files then upload the file somewhere.
EDIT: Already needed to update to 1.1b - I found that the GPT_Tools had a big error that probably was there since 1.0 and no one noticed! Backups of the GPT should now actually work...
Thank you @bobthenormal !
Looking forward to your A9 EDL backup...
Sent from my PH-1 using Tapatalk
eKeith said:
Thank you @bobthenormal !
Looking forward to your A9 EDL backup...
Sent from my PH-1 using Tapatalk
Click to expand...
Click to collapse
It's up -- see the new thread.
I didn't have time to test it so make sure you backup but I'm 99,99% sure it will work. I tested it several times in the past, but to make the firmware package I took out all the (I hope) unnecessary files.
There's one thing I'm not sure of - whether you'll need to use the Fix Bootable tool after installing it. IF you need to, then I believe you will have to install it to partition B and then run fix bootable B. (The 1.10 backup was taken originally from the B partition).
If you find that it works without having to do that, let me know... it may not be necessary if wherever that bootable flag is stored didn't get included in the firmware package.
bobthenormal said:
It's up -- see the new thread.
I didn't have time to test it so make sure you backup but I'm 99,99% sure it will work. I tested it several times in the past, but to make the firmware package I took out all the (I hope) unnecessary files.
There's one thing I'm not sure of - whether you'll need to use the Fix Bootable tool after installing it. IF you need to, then I believe you will have to install it to partition B and then run fix bootable B. (The 1.10 backup was taken originally from the B partition).
If you find that it works without having to do that, let me know... it may not be necessary if wherever that bootable flag is stored didn't get included in the firmware package.
Click to expand...
Click to collapse
Thank you @bobthenormal !
I should be able to give it a go this weekend and inform...
Sent from my PH-1 using Tapatalk