Better Mobile App

Wacom serial touchscreen not working

I have an old laptop with Wacom touch panel (Penabled). I am able to boot Remix OS fine but touch isn't working.
How to make touchscreen work?
Edit: Fixed by myself
View post #6 link: http://forum.xda-developers.com/showpost.php?p=65159778&postcount=6

The hardware must be unsupported.

TheBasterd said:
The hardware must be unsupported.
Click to expand...
Click to collapse
Nevermind, I fixed it myself

Care to share with the rest of us in case this issue comes up more often?

I would also be happy to know how to make a Wacom digitizer work on Remix OS as I'm looking into getting a Lenovo X61t to use with Remix OS.

YassinTP said:
I would also be happy to know how to make a Wacom digitizer work on Remix OS as I'm looking into getting a Lenovo X61t to use with Remix OS.
Click to expand...
Click to collapse
My laptop (Fujitsu T730) has Wacom digitizer with both touch input and pen. Using my method only touchscreen works (pen doesn't but I don't care )
You need to create live usb pendrive from official Android-X86 4.4 r4, run it live (without install) and copy from it inputattach file inside system/bin folder to Remix OS system/bin folder (you need rooted Remix OS for this) and set correct permissions.
Download from Play Store Terminal Emulator for Android and run:
su
inputattach --w8001 /dev/ttyS0 &
And touchscreen works
I have no idea why this file is missing in Remix OS while it is present in Android-X86 (Remix is based on Android-X86 after all)
It would be great if Remix developers could include it in next releases because as it is now you have to copy it every time you upgrade os.

Thank you very much!
Only thing is, the convertible I'm planning on buying only has a pen guess I'll just have to try if I get it working.

This is no working on my HP 2760p.

jarek3460 said:
This is no working on my HP 2760p.
Click to expand...
Click to collapse
I also tested it on HP 2760p. And it was working fine. I no longer use Remix OS so I can't confirm if this works on recent rom versions.
Remember that after copying file you have to set correct file permissions using any root capable file browser. (Try setting it to: rwxrwxrwx to be sure it works )

jarek3460 said:
This is no working on my HP 2760p.
Click to expand...
Click to collapse
were you able to ever get this working? I have a 2740p as well with only pen support

Rafostar said:
My laptop (Fujitsu T730) has Wacom digitizer with both touch input and pen. Using my method only touchscreen works (pen doesn't but I don't care )
You need to create live usb pendrive from official Android-X86 4.4 r4, run it live (without install) and copy from it inputattach file inside system/bin folder to Remix OS system/bin folder (you need rooted Remix OS for this) and set correct permissions.
Download from Play Store Terminal Emulator for Android and run:
su
inputattach --w8001 /dev/ttyS0 &
And touchscreen works
I have no idea why this file is missing in Remix OS while it is present in Android-X86 (Remix is based on Android-X86 after all)
It would be great if Remix developers could include it in next releases because as it is now you have to copy it every time you upgrade os.
Click to expand...
Click to collapse
I tried X86 Marshmellow and the Nought Beta versions, but touch is not working on them.
It is still working on Ubuntu Live and Debian. I ran lsusb and lsmod on them and got this result.
Code:
[email protected]:/home/ubuntu# lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 009: ID 0bda:5830 Realtek Semiconductor Corp.
Bus 001 Device 007: ID 0bda:b720 Realtek Semiconductor Corp.
Bus 001 Device 005: ID 0bda:0129 Realtek Semiconductor Corp. RTS5129 Card Reader Controller
Bus 001 Device 003: ID 0bda:5830 Realtek Semiconductor Corp.
Bus 001 Device 008: ID 05e3:0718 Genesys Logic, Inc. IDE/SATA Adapter
Bus 001 Device 006: ID 04d9:e200 Holtek Semiconductor, Inc.
Bus 001 Device 004: ID 090c:1000 Silicon Motion, Inc. - Taiwan (formerly Feiya Technology Corp.) Flash Drive
Bus 001 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Code:
[email protected]:/home/ubuntu# lsmod
Module Size Used by
rfcomm 69632 2
bnep 20480 2
joydev 20480 0
rtsx_usb_ms 20480 0
memstick 20480 1 rtsx_usb_ms
intel_rapl 20480 0
x86_pkg_temp_thermal 16384 0
intel_powerclamp 16384 0
coretemp 16384 0
hid_multitouch 20480 0
kvm_intel 172032 0
kvm 536576 1 kvm_intel
irqbypass 16384 1 kvm
crct10dif_pclmul 16384 0
crc32_pclmul 16384 0
aesni_intel 167936 0
aes_x86_64 20480 1 aesni_intel
lrw 16384 1 aesni_intel
gf128mul 16384 1 lrw
btusb 45056 0
uvcvideo 90112 0
videobuf2_vmalloc 16384 1 uvcvideo
videobuf2_memops 16384 1 videobuf2_vmalloc
videobuf2_v4l2 28672 1 uvcvideo
glue_helper 16384 1 aesni_intel
btrtl 16384 1 btusb
ablk_helper 16384 1 aesni_intel
btbcm 16384 1 btusb
btintel 16384 1 btusb
cryptd 20480 2 aesni_intel,ablk_helper
bluetooth 520192 29 bnep,btbcm,btrtl,btusb,rfcomm,btintel
videobuf2_core 36864 2 uvcvideo,videobuf2_v4l2
v4l2_common 16384 1 videobuf2_v4l2
serio_raw 16384 0
videodev 176128 4 uvcvideo,v4l2_common,videobuf2_core,videobuf2_v4l2
input_leds 16384 0
media 24576 2 uvcvideo,videodev
intel_pch_thermal 16384 0
snd_hda_codec_realtek 86016 1
snd_hda_codec_hdmi 53248 1
snd_hda_codec_generic 77824 1 snd_hda_codec_realtek
snd_soc_rt5640 114688 0
snd_hda_intel 36864 5
snd_soc_ssm4567 16384 0
snd_soc_rl6231 16384 1 snd_soc_rt5640
snd_hda_codec 135168 4 snd_hda_codec_realtek,snd_hda_codec_hdmi,snd_hda_codec_generic,snd_hda_intel
snd_soc_core 212992 2 snd_soc_rt5640,snd_soc_ssm4567
snd_hda_core 73728 5 snd_hda_codec_realtek,snd_hda_codec_hdmi,snd_hda_codec_generic,snd_hda_codec,snd_hda_intel
snd_hwdep 16384 1 snd_hda_codec
snd_seq_midi 16384 0
snd_seq_midi_event 16384 1 snd_seq_midi
snd_compress 20480 1 snd_soc_core
ac97_bus 16384 1 snd_soc_core
snd_rawmidi 32768 1 snd_seq_midi
snd_pcm_dmaengine 16384 1 snd_soc_core
snd_seq 69632 2 snd_seq_midi_event,snd_seq_midi
snd_pcm 106496 7 snd_soc_rt5640,snd_soc_core,snd_hda_codec_hdmi,snd_hda_codec,snd_hda_intel,snd_pcm_dmaengine,snd_hda_core
int3403_thermal 16384 0
mei_me 36864 0
snd_seq_device 16384 3 snd_seq,snd_rawmidi,snd_seq_midi
mei 98304 1 mei_me
kxcjk_1013 20480 0
elan_i2c 36864 0
snd_timer 32768 2 snd_pcm,snd_seq
industrialio_triggered_buffer 16384 1 kxcjk_1013
dw_dmac 16384 0
lpc_ich 24576 0
8250_dw 16384 0
snd 81920 23 snd_hda_codec_realtek,snd_soc_core,snd_hwdep,snd_timer,snd_hda_codec_hdmi,snd_pcm,snd_seq,snd_rawmidi,snd_hda_codec_generic,snd_hda_codec,snd_hda_intel,snd_seq_device,snd_compress
dw_dmac_core 24576 1 dw_dmac
int3400_thermal 16384 0
int3402_thermal 16384 0
processor_thermal_device 16384 0
acpi_als 16384 0
intel_soc_dts_iosf 16384 1 processor_thermal_device
acpi_thermal_rel 16384 1 int3400_thermal
int340x_thermal_zone 16384 3 int3402_thermal,processor_thermal_device,int3403_thermal
kfifo_buf 16384 2 industrialio_triggered_buffer,acpi_als
snd_soc_sst_acpi 16384 0
soundcore 16384 1 snd
i2c_designware_platform 16384 0
i2c_designware_core 20480 1 i2c_designware_platform
spi_pxa2xx_platform 24576 0
industrialio 57344 4 industrialio_triggered_buffer,acpi_als,kxcjk_1013,kfifo_buf
mac_hid 16384 0
acpi_pad 20480 0
parport_pc 32768 0
ppdev 20480 0
lp 20480 0
parport 49152 3 lp,ppdev,parport_pc
autofs4 40960 2
overlay 49152 1
nls_iso8859_1 16384 3
dm_mirror 24576 0
dm_region_hash 24576 1 dm_mirror
dm_log 20480 2 dm_region_hash,dm_mirror
mmc_block 36864 2
hid_generic 16384 0
usbhid 49152 0
rtsx_usb_sdmmc 28672 0
rtsx_usb 24576 2 rtsx_usb_sdmmc,rtsx_usb_ms
uas 24576 0
usb_storage 69632 4 uas
i915 1208320 5
i2c_algo_bit 16384 1 i915
drm_kms_helper 147456 1 i915
syscopyarea 16384 1 drm_kms_helper
sysfillrect 16384 1 drm_kms_helper
ahci 36864 0
sysimgblt 16384 1 drm_kms_helper
libahci 32768 1 ahci
fb_sys_fops 16384 1 drm_kms_helper
drm 360448 6 i915,drm_kms_helper
video 40960 1 i915
i2c_hid 20480 0
hid 118784 4 i2c_hid,hid_multitouch,hid_generic,usbhid
sdhci_acpi 16384 0
sdhci 45056 1 sdhci_acpi
fjes 28672 0

Rafostar said:
I also tested it on HP 2760p. And it was working fine. I no longer use Remix OS so I can't confirm if this works on recent rom versions.
Remember that after copying file you have to set correct file permissions using any root capable file browser. (Try setting it to: rwxrwxrwx to be sure it works )
Click to expand...
Click to collapse
Thank you so much Rafostar this helped getting my touch screen working on my hp 2740p
although it worked after the command was inputted. it failed to work after reboot
to fix this I needed to edit system/etc/init.sh
edit init.sh function init_misc
add command to line 18
inputattach --w8001 /dev/ttyS0 &

Redesterdragon said:
Thank you so much Rafostar this helped getting my touch screen working on my hp 2740p
although it worked after the command was inputted. it failed to work after reboot
to fix this I needed to edit system/etc/init.sh
edit init.sh function init_misc
add command to line 18
inputattach --w8001 /dev/ttyS0 &
Click to expand...
Click to collapse
I forgot to mention that you have to do this every time after reboot or create/add it to a startup script like you did

Rafostar said:
I forgot to mention that you have to do this every time after reboot or create/add it to a startup script like you did
Click to expand...
Click to collapse
I noticed that after falling asleep the touchscreen stops working again till reboot or manually entering the command within the command line

Rafostar said:
I forgot to mention that you have to do this every time after reboot or create/add it to a startup script like you did
Click to expand...
Click to collapse
what would I do to activate inputattach during wake?

Redesterdragon said:
what would I do to activate inputattach during wake?
Click to expand...
Click to collapse
I found one method of disabling sleep using a wake_lock command by placing it within the init.sh file under the function_misc section line 19
echo lock_me > /sys/power/wake_lock
this will dim the screen but not turn off the CPU so the digitizer will remain active now.
Please let me know if this might cause any other unfavorable issues.

MediaPad T2 8.0 PRO JDN-l01 No WIFi - infamous 02:00:00:00:00:00

Hi,
recently I tried to make my MP T2 a bit smoother so I've decide to go with a root, clear some apps and maybe oc the cpu. So I've unlocked the bootlader, ported TWRP and finally rooted the device but I've stayed with stock rom (of course couple of times I had that feeling that now i have a nice plant pad).
Everything was looking great but at some point my WIFI got broken and I don't really know when, if it was after unlocking bootloader, after modifying it or after flashing the TWRP recovery. Currently when I click on wifi it doesn't turn on, it's just grayed and the MAC Address has changed to 02:00:00:00:00:00. I am out of ideas so maybe someone will be able to give me a hint, things that I've tried were:
taking out the sim card and rebooting
wiping caches
checking for the WCNSS_qcom_wlan_nv.bin file in the /persist (I've went through it with a hex editor and tried to find my MAC address but I don't see anything looking like a MAC)
installing stock boot.img and recovery.img extracted from the official firmware.
I've found 3 different MAC addresses trails that could be mine
EMUI Recovery, in EMUI 4 I am able to boot into recovery (even though I have TWRP) and there's an option to download and restore the firmware, here my WIFI starts and connects to my home network and I was able to check the MAC with fing.
/system/etc/firmware/wlan/prima/WCNSS_qcom_cfg.ini Intf0MacAddress
logcat mac_param
From the logcat (bellow) it seems that the driver wasn't loaded but I don't have a clue why. Especially that it's being loaded fine in the recovery.
I would appreciate for any hints.
Additional info:
Content of /persist is as follows:
Code:
-rw------- bluetooth bluetooth 9 1970-01-01 01:00 .bt_nv.bin
-rw-rw-r-- system system 128 1970-01-01 15:29 .sn.bin
-rw------- system system 3 1970-01-01 12:23 RUNIN.FLG
-rw-r--r-- root root 31723 2016-10-11 14:10 WCNSS_qcom_wlan_nv.bin
-rw-r--r-- root root 10419 2016-10-11 14:10 WCNSS_wlan_dictionary.dat
-rw------- system system 12 1970-01-01 01:03 acc_avg
drwxr-xr-x root root 2016-10-11 14:10 aost
drwx------ system system 1970-01-01 01:00 data
drwxrwx--- system graphics 1970-01-01 01:00 display
-rwx------ root root 1 1970-01-01 21:32 log_flag
drwx------ root root 1970-01-01 01:00 lost+found
-rw------- system system 2 1970-01-01 01:04 prox_avg
LogCat:
Code:
I/ToolBoxView( 1535): onItemClick name=com.android.systemui.statusbar.toolbox.control.WifiTracker
I/ConnectPermission( 1221): allowOpenWifi blocked:false
D/WifiService( 1221): setWifiEnabled: true pid=1535, uid=10024, name=com.android.systemui
D/WifiHW ( 1221): Check driver status: not loaded
I/ ( 1221): hw_wifi_get_mac enter;
E/ ( 1221): get_decryption_wifi_mac:decrypt_wifi_mac in.
D/OEMINFO_NVM_SERVER( 262): Accept connection from pid 1221 (******), uid: 1000, gid: 1000
D/OEMINFO_NVM_SERVER( 262): Receive: opr = 2, idx = 52, len = 128, name()
I/OEMINFO_NVM_CORE( 262): compat_oeminfo_read: version v6
E/BD.Reporter( 1535): Can't getService HwBDService
I/OEMINFO_NVM_CORE( 262): find oeminfo device /dev/block/mmcblk0p9
I/OEMINFO_NVM_CORE( 262): read oeminfo 52, offset 0x33000, total byte: 128
E/OEMINFO_NVM_SERVER( 262): pid 1221, opration oeminfo_read OK
E/ ( 1221): hw_wifi_get_mac:read nv and decrypt mac successfully.
E/ ( 1221): mac_check enter mac is:208;
E/WifiHW ( 1221): qcom_wifi_load_customcode domain_param ok, value is 1;
E/WifiHW ( 1221): hw_wifi_load_driver mudule_arg is mac_param=D0:XX:XX:XX:XX:XX country_code=DE domain_param=1 ;
E/WifiHW ( 1221): get_driver_debug_level open the config file:data/misc/wifi/wifi_log_level.conf failed
W/WifiHW ( 1221): load modle :/system/lib/modules/wlan.ko mac_param=D0:XX:XX:XX:XX:XX country_code=DE domain_param=1 module_debug_param=
E/WifiStateMachine( 1221): Failed to load driver
W/ContextImpl( 1221): Calling a method in the system process without a qualified user: android.app.ContextImpl.sendBroadcast:869 com.android.server.wifi.WifiStateMachine.startWifiFailed:3877 com.android.server.wifi.WifiStateMachine.access$4600:171 com.android.server.wifi.WifiStateMachine$InitialState.processMessage:6052 com.android.internal.util.StateMachine$SmHandler.processMsg:968
I/SendBroadcastPermission( 1221): action:com.android.server.wifi.action.START_WIFI_FAILED, mPermissionType:0

Fixed
In the end I've re-flashed the stock rom through dload and WIFI started to work. Formated userdata as it was encrypted went into bootloop, flashed TWRP and then SuperSu. It seems that supersu flash fixes userdata partition which made the phone go out of loop so now I have WIFI and Root :victory:. Time for kernel tweaks to ramp up the cpu limits . Qualcomm claims this cpu should be working at 1.7 while it's working on 1.5 so it's underclocked.

genesiscoupe said:
In the end I've re-flashed the stock rom through dload and WIFI started to work. Formated userdata as it was encrypted went into bootloop, flashed TWRP and then SuperSu. It seems that supersu flash fixes userdata partition which made the phone go out of loop so now I have WIFI and Root :victory:. Time for kernel tweaks to ramp up the cpu limits . Qualcomm claims this cpu should be working at 1.7 while it's working on 1.5 so it's underclocked.
Click to expand...
Click to collapse
Is there any custom ROMs for our tablet??
huawei mediapad t2-8 pro
Thanks

Hi,
This is actually my first post/reply. I was wondering if you could let me know which twrp you flashed? I tried the one for the t2 7 pro but it did not work.
Thanks I appreciate it.

genesiscoupe said:
Hi,
recently I tried to make my MP T2 a bit smoother so I've decide to go with a root, clear some apps and maybe oc the cpu. So I've unlocked the bootlader, ported TWRP and finally rooted the device but I've stayed with stock rom (of course couple of times I had that feeling that now i have a nice plant pad).
Everything was looking great but at some point my WIFI got broken and I don't really know when, if it was after unlocking bootloader, after modifying it or after flashing the TWRP recovery. Currently when I click on wifi it doesn't turn on, it's just grayed and the MAC Address has changed to 02:00:00:00:00:00. I am out of ideas so maybe someone will be able to give me a hint, things that I've tried were:
taking out the sim card and rebooting
wiping caches
checking for the WCNSS_qcom_wlan_nv.bin file in the /persist (I've went through it with a hex editor and tried to find my MAC address but I don't see anything looking like a MAC)
installing stock boot.img and recovery.img extracted from the official firmware.
I've found 3 different MAC addresses trails that could be mine
EMUI Recovery, in EMUI 4 I am able to boot into recovery (even though I have TWRP) and there's an option to download and restore the firmware, here my WIFI starts and connects to my home network and I was able to check the MAC with fing.
/system/etc/firmware/wlan/prima/WCNSS_qcom_cfg.ini Intf0MacAddress
logcat mac_param
From the logcat (bellow) it seems that the driver wasn't loaded but I don't have a clue why. Especially that it's being loaded fine in the recovery.
I would appreciate for any hints.
Additional info:
Content of /persist is as follows:
Code:
-rw------- bluetooth bluetooth 9 1970-01-01 01:00 .bt_nv.bin
-rw-rw-r-- system system 128 1970-01-01 15:29 .sn.bin
-rw------- system system 3 1970-01-01 12:23 RUNIN.FLG
-rw-r--r-- root root 31723 2016-10-11 14:10 WCNSS_qcom_wlan_nv.bin
-rw-r--r-- root root 10419 2016-10-11 14:10 WCNSS_wlan_dictionary.dat
-rw------- system system 12 1970-01-01 01:03 acc_avg
drwxr-xr-x root root 2016-10-11 14:10 aost
drwx------ system system 1970-01-01 01:00 data
drwxrwx--- system graphics 1970-01-01 01:00 display
-rwx------ root root 1 1970-01-01 21:32 log_flag
drwx------ root root 1970-01-01 01:00 lost+found
-rw------- system system 2 1970-01-01 01:04 prox_avg
LogCat:
Code:
I/ToolBoxView( 1535): onItemClick name=com.android.systemui.statusbar.toolbox.control.WifiTracker
I/ConnectPermission( 1221): allowOpenWifi blocked:false
D/WifiService( 1221): setWifiEnabled: true pid=1535, uid=10024, name=com.android.systemui
D/WifiHW ( 1221): Check driver status: not loaded
I/ ( 1221): hw_wifi_get_mac enter;
E/ ( 1221): get_decryption_wifi_mac:decrypt_wifi_mac in.
D/OEMINFO_NVM_SERVER( 262): Accept connection from pid 1221 (******), uid: 1000, gid: 1000
D/OEMINFO_NVM_SERVER( 262): Receive: opr = 2, idx = 52, len = 128, name()
I/OEMINFO_NVM_CORE( 262): compat_oeminfo_read: version v6
E/BD.Reporter( 1535): Can't getService HwBDService
I/OEMINFO_NVM_CORE( 262): find oeminfo device /dev/block/mmcblk0p9
I/OEMINFO_NVM_CORE( 262): read oeminfo 52, offset 0x33000, total byte: 128
E/OEMINFO_NVM_SERVER( 262): pid 1221, opration oeminfo_read OK
E/ ( 1221): hw_wifi_get_mac:read nv and decrypt mac successfully.
E/ ( 1221): mac_check enter mac is:208;
E/WifiHW ( 1221): qcom_wifi_load_customcode domain_param ok, value is 1;
E/WifiHW ( 1221): hw_wifi_load_driver mudule_arg is mac_param=D0:XX:XX:XX:XX:XX country_code=DE domain_param=1 ;
E/WifiHW ( 1221): get_driver_debug_level open the config file:data/misc/wifi/wifi_log_level.conf failed
W/WifiHW ( 1221): load modle :/system/lib/modules/wlan.ko mac_param=D0:XX:XX:XX:XX:XX country_code=DE domain_param=1 module_debug_param=
E/WifiStateMachine( 1221): Failed to load driver
W/ContextImpl( 1221): Calling a method in the system process without a qualified user: android.app.ContextImpl.sendBroadcast:869 com.android.server.wifi.WifiStateMachine.startWifiFailed:3877 com.android.server.wifi.WifiStateMachine.access$4600:171 com.android.server.wifi.WifiStateMachine$InitialState.processMessage:6052 com.android.internal.util.StateMachine$SmHandler.processMsg:968
I/SendBroadcastPermission( 1221): action:com.android.server.wifi.action.START_WIFI_FAILED, mPermissionType:0
Click to expand...
Click to collapse
Hello how can I root my phone Huawei JDN-L01?
Please teach me thank you!

Working kdz extractor for V30

Hello,
is there any working linux script for extracting v30 kdz firmware and dz files?
Big thanks for help

H930g - lgv30 - kdz extract - linux
djsven said:
Hello,
is there any working linux script for extracting v30 kdz firmware and dz files?
Big thanks for help
Click to expand...
Click to collapse
Yes sir , I have found one
https://github.com/ehem/kdztools
Here are the output from my first test:
[email protected]:~/Android/kdztools-master$ ./unkdz -f H93011m_00_OPEN_EU_OP_1229.kdz -l
[!] Warning: Data between headers and payload! (offsets 826 to 83768)
[+] KDZ Partition List (format v2)
=========================================
0 : H93011m_00.dz (3563995785 bytes)
1 : LGUP_c.dll (3079120 bytes)
2 : LGUP_c.dylib (1229456 bytes)
[email protected]:~/Android/kdztools-master$ ./unkdz -f H93011m_00_OPEN_EU_OP_1229.kdz -x
[!] Warning: Data between headers and payload! (offsets 826 to 83768)
[+] Extracting all partitions from v2 file!
[+] Extracting H93011m_00.dz to kdzextracted/H93011m_00.dz
[+] Extracting LGUP_c.dll to kdzextracted/LGUP_c.dll
[+] Extracting LGUP_c.dylib to kdzextracted/LGUP_c.dylib
[+] Extracting extra data to kdzextracted/kdz_extras.bin
So far this is the only steps I have tried, I will give a later try to extract the whole DZ file
For your information I m running Ubuntu 16.04 LTS
I wish you good luck
Edit : Unfortunately I got this error when I try to list the DZ file
[email protected]:~/Android/kdztools-master$ ./undz -f H93011m_00.dz -l
[!] Error: Value supposed to be zero in field "reserved5" is non-zero (0x5900)
Sorry For this deception, maybe you know what this error is meaning ?

The format changed slightly, but the extraction still works. I didn't feel like figuring out what the data in the reserved field is for, so just comment out the two sys.exit(1).
You can use this patch...
Code:
diff --git a/undz.py b/undz.py
index 1078248..aa386a0 100755
--- a/undz.py
+++ b/undz.py
@@ -74,7 +74,7 @@ class UNDZUtils(object):
dz_item[key] = dz_item[key].rstrip(b'\x00')
if b'\x00' in dz_item[key]:
print("[!] Error: extraneous data found IN "+key, file=sys.stderr)
- sys.exit(1)
+ #sys.exit(1)
elif type(dz_item[key]) is int:
if dz_item[key] != 0:
print('[!] Error: Value supposed to be zero in field "'+key+'" is non-zero ('+hex(dz_item[key])+')', file=sys.stderr)
@@ -86,7 +86,7 @@ class UNDZUtils(object):
# To my knowledge this is supposed to be blank (for now...)
if len(dz_item['pad']) != 0:
print("[!] Error: pad is not empty", file=sys.stderr)
- sys.exit(1)
+ #sys.exit(1)
return dz_item
@@ -195,7 +195,7 @@ class UNDZChunk(dz.DZChunk, UNDZUtils):
zdata = self.dz.dzfile.read(self.dataSize)
# Decompress the data
- buf = zlib.decompress(zdata)
+ buf = zlib.decompress(zdata)
crc = crc32(buf) & 0xFFFFFFFF
-- Brian

runningnak3d said:
The format changed slightly, but the extraction still works. I didn't feel like figuring out what the data in the reserved field is for, so just comment out the two sys.exit(1).
You can use this patch...
Code:
diff --git a/undz.py b/undz.py
index 1078248..aa386a0 100755
--- a/undz.py
+++ b/undz.py
@@ -74,7 +74,7 @@ class UNDZUtils(object):
dz_item[key] = dz_item[key].rstrip(b'\x00')
if b'\x00' in dz_item[key]:
print("[!] Error: extraneous data found IN "+key, file=sys.stderr)
- sys.exit(1)
+ #sys.exit(1)
elif type(dz_item[key]) is int:
if dz_item[key] != 0:
print('[!] Error: Value supposed to be zero in field "'+key+'" is non-zero ('+hex(dz_item[key])+')', file=sys.stderr)
@@ -86,7 +86,7 @@ class UNDZUtils(object):
# To my knowledge this is supposed to be blank (for now...)
if len(dz_item['pad']) != 0:
print("[!] Error: pad is not empty", file=sys.stderr)
- sys.exit(1)
+ #sys.exit(1)
return dz_item
@@ -195,7 +195,7 @@ class UNDZChunk(dz.DZChunk, UNDZUtils):
zdata = self.dz.dzfile.read(self.dataSize)
# Decompress the data
- buf = zlib.decompress(zdata)
+ buf = zlib.decompress(zdata)
crc = crc32(buf) & 0xFFFFFFFF
-- Brian
Click to expand...
Click to collapse
hey , this doesnt work at all, its still showing the same error as before , im trying to extract G7 ThinQ kdz
[email protected]:~/kdztools-master$ ./undz.py -x -f G71010b_00.dz
[!] Error: Value supposed to be zero in field "reserved5" is non-zero (0x5900)
[email protected]:~/kdztools-master$
Click to expand...
Click to collapse

This was a quick hack to get V30 Nougat KDZs to extract. V30 Oreo KDZs require additional work, and I haven't even looked at G7 KDZs yet.
-- Brian

Encounter the same issue, patched the sys.exit() calls and flipped this line to avoid the error with reserved5:
('reserved5', ('I', False)), # currently always zero
But still errors. Further info at: hxxxs://github.com/ehem/kdztools/issues/16#issuecomment-435356938

SALT works perfectly fine with V30 oreo kdzs, doesnt work though with G7/V40 kdzs ?
i mean... SALT actually can do way more than just extracting kdzs ... but thats the only use i have for it atm

SGCMarkus said:
SALT works perfectly fine with V30 oreo kdzs, doesnt work though with G7/V40 kdzs ?
i mean... SALT actually can do way more than just extracting kdzs ... but thats the only use i have for it atm
Click to expand...
Click to collapse
Managed to unpack a modem partition LG changed the compression algorithm from zlib to zstd on LG V40 kdzs

SGCMarkus said:
SALT works perfectly fine with V30 oreo kdzs, doesnt work though with G7/V40 kdzs ?
i mean... SALT actually can do way more than just extracting kdzs ... but thats the only use i have for it atm
Click to expand...
Click to collapse
Thank you very much for posting this.
It turns out I had a corrupt download of the H932 20o KDZ and no -- LG hasn't made any additional changes to the KDZ format.
When I saw that SALT was working for you, then I knew my extractor should work as well and that lead me to start looking elsewhere.
-- Brian

BINGO! LGV40 unpacked!
Code:
[20:10 [email protected] dzextracted] > sudo mount -t ext4 vendor_a.image /media/edu/ext4_tmp
[sudo] password for edu:
[20:10 [email protected] dzextracted] > cd /media/edu/ext4_tmp
[20:10 [email protected] ext4_tmp] > ll
total 220K
drwxr-xr-x. 10 root 2000 4.0K Dec 31 2008 app
drwxr-xr-x. 6 root 2000 8.0K Dec 31 2008 bin
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 carrier
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 dsp
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 els
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 eri
drwxr-xr-x. 23 root 2000 4.0K Dec 31 2008 etc
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 ffu
drwxr-xr-x. 3 root 2000 4.0K Dec 31 2008 firmware
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 fota
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 framework
drwxr-xr-x. 11 root 2000 16K Dec 31 2008 lib
drwxr-xr-x. 9 root 2000 16K Dec 31 2008 lib64
drwx------. 2 root root 16K Dec 31 2008 lost+found
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 media
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 mpt
drwxr-xr-x. 83 root 2000 4.0K Dec 31 2008 overlay
drwxr-xr-x. 3 root 2000 4.0K Dec 31 2008 package
drwxr-xr-x. 3 root 2000 4.0K Dec 31 2008 persdata
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 persist-lg
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 power
drwxr-xr-x. 3 root 2000 4.0K Dec 31 2008 priv-app
drwxr-xr-x. 3 root 2000 4.0K Dec 31 2008 radio
drwxr-xr-x. 5 root 2000 4.0K Dec 31 2008 rfs
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 sns
drwxr-xr-x. 2 root 2000 4.0K Dec 31 2008 srtc
drwxr-xr-x. 3 root 2000 4.0K Dec 31 2008 vzw
-rw-------. 1 root root 8.8K Dec 31 2008 build.prop
-rw-r--r--. 1 root root 1.9K Dec 31 2008 compatibility_matrix.xml
-rw-------. 1 root root 684 Dec 31 2008 default.prop
lrw-r--r--. 1 root root 12 Dec 31 2008 factory_data -> /system/data
lrw-r--r--. 1 root root 19 Dec 31 2008 factory_etc -> /system/factory_etc
lrw-r--r--. 1 root root 19 Dec 31 2008 factory_lib -> /system/factory_lib
lrw-r--r--. 1 root root 21 Dec 31 2008 factory_lib64 -> /system/factory_lib64
-rw-r--r--. 1 root root 36K Dec 31 2008 manifest.xml
-rw-r--r--. 1 root root 16K Dec 31 2008 ueventd.rc

runningnak3d said:
Thank you very much for posting this.
It turns out I had a corrupt download of the H932 20o KDZ and no -- LG hasn't made any additional changes to the KDZ format.
When I saw that SALT was working for you, then I knew my extractor should work as well and that lead me to start looking elsewhere.
-- Brian
Click to expand...
Click to collapse
I PM you with the URL. I guess you don't need it but figured you would want an official link from LG Bridge.
Sent from my LG-H932 using XDA Labs

eduuk said:
Managed to unpack a modem partition LG changed the compression algorithm from zlib to zstd on LG V40 kdzs
Click to expand...
Click to collapse
Hello eduuk,
What did you do to get V40 to unpack? I have a feeling it could work for the LG G7. Thanks for any help.

Dvalin21 said:
Hello eduuk,
What did you do to get V40 to unpack? I have a feeling it could work for the LG G7. Thanks for any help.
Click to expand...
Click to collapse
I am also unable to get a useful unpack of a G7 or V40 KDZ.
@eduuk You don't even need to share your code, but if you could just point out the differences between the V30 and V40 KDZ format it would be appreciated.
-- Brian

@eduuk i got passed the reserved5 but now i get this error: [!] Error: extraneous data found IN pad
Also, if you can provide help with changing the compression algorithm from zlib to zstd i would appreciate it.

Dvalin21 said:
@eduuk i got passed the reserved5 but now i get this error: [!] Error: extraneous data found IN pad
Also, if you can provide help with changing the compression algorithm from zlib to zstd i would appreciate it.
Click to expand...
Click to collapse
I hate doing work that someone else has already done -- it is just a waste of time, but since it seems that he isn't willing to share the changes, I am spending the day mapping out the structure of the G7 / V40 KDZ format, and updating the extractor so that it can deal with the new version.
As soon as I have it functional, I will post a link to the repo.
-- Brian

runningnak3d said:
I hate doing work that someone else has already done -- it is just a waste of time, but since it seems that he isn't willing to share the changes, I am spending the day mapping out the structure of the G7 / V40 KDZ format, and updating the extractor so that it can deal with the new version.
As soon as I have it functional, I will post a link to the repo.
-- Brian
Click to expand...
Click to collapse
You rock sir, thank you

Dvalin21 said:
You rock sir, thank you
Click to expand...
Click to collapse
Well, that was more of a pain in the butt than it needed to be, but repo is incoming once I clean up some of my debug code:
Code:
[swango:~/dev/kdztools/kdzextracted] master(+11/-8)* ± ../undz2.py -f G71010f_00.dz -l
[+] DZ Partition List
=========================================
0/ 0 : PrimaryGPT_0.bin (1363 bytes)
0/ 1 : PrimaryGPT_0.bin (277 bytes)
0/ 2 : PrimaryGPT_0.bin (277 bytes)
0/ 3 : PrimaryGPT_0.bin (335 bytes)
0/ 4 : PrimaryGPT_0.bin (2355 bytes)
0/ 5 : PrimaryGPT_0.bin (404 bytes)
0/ 6 : PrimaryGPT_0.bin (213 bytes)
1/?? : mpt (<empty>)
2/?? : drm (<empty>)
3/?? : sns (<empty>)
4/?? : ssd (<empty>)
5/ 7 : persist_13446.bin (743 bytes)
6/?? : misc (<empty>)
7/ 8 : ftm_21894.bin (75 bytes)
8/?? : power (<empty>)
9/?? : encrypt (<empty>)
10/?? : eksst (<empty>)
11/?? : rct (<empty>)
12/?? : fota (<empty>)
13/?? : srtc (<empty>)
14/?? : pstore (<empty>)
15/?? : els (<empty>)
16/?? : carrier (<empty>)
17/?? : persdata (<empty>)
18/ 9 : oem_a_77574.bin (738 bytes)
<snip>
and
Code:
θ78° [swango:~/dev/kdztools/kdzextracted] master(+11/-8)* 3s ± ../undz2.py -f G71010f_00.dz -s 20
[+] Extracting single slice^Wpartition!
[+] Extracting vendor_a_81670.bin to vendor_a.image
[+] Extracting vendor_a_114503.bin to vendor_a.image
[+] Extracting vendor_a_147206.bin to vendor_a.image
[+] Extracting vendor_a_147701.bin to vendor_a.image
<snip>
[swango:~/dev/kdztools/kdzextracted] master(+11/-8)* 130 ± cd dzextracted/
[swango:~/dev … ols/kdzextracted/dzextracted] master(+11/-8)* ± mkdir mnt
[swango:~/dev … ols/kdzextracted/dzextracted] master(+11/-8)* ± sudo mount vendor_a.image ./mnt
[swango:~/dev … ols/kdzextracted/dzextracted] master(+11/-8)* ± cd mnt
[swango:~/dev … kdzextracted/dzextracted/mnt] $ ls -al
total 208
drwxr-xr-x 27 root root 4096 Dec 31 1969 .
drwxr-xr-x 3 swango swango 4096 Dec 15 10:29 ..
drwxr-xr-x 8 root 2000 4096 Dec 31 2008 app
drwxr-xr-x 6 root 2000 8192 Dec 31 2008 bin
-rw------- 1 root root 8664 Dec 31 2008 build.prop
drwxr-xr-x 2 root 2000 4096 Dec 31 2008 carrier
<snip>
The quick and dirty is that the header changed -- which is why there was data in the pad (that is the zero padding at the end of the header to make it 512 bytes) -- so I defined those, and they also changed the compression from zlib to zstandard (you need version 0.9 or greater) NOT zstd.
Lastly, when the compress, they don't include the size in the zstandard header, so I just picked a value that was big enough to decompress the largest partition.
Again, I have a lot of cleanup to do, and then I will commit this. Eventually I will make it so you can pass something like --zlib or --zst so that one file can be used to extract both old and new format KDZs, but for now there is undz2.py
-- Brian

OK - thread and link are here.
Please let me know if you come across any KDZs that you can't extract, but please post the errors in that thread.
-- Brian

Dvalin21 said:
Hello eduuk,
What did you do to get V40 to unpack? I have a feeling it could work for the LG G7. Thanks for any help.
Click to expand...
Click to collapse
runningnak3d said:
OK - thread and link are here.
Please let me know if you come across any KDZs that you can't extract, but please post the errors in that thread.
-- Brian
Click to expand...
Click to collapse
hey guys,
sorry but I didnt get the time to answer you. Took me an entire day to patch the python code. It's so so ugly code, so I would prefer not share it if anyone can code it better than me
There was a guy who was sending me private messages to do the same as me, and he got it too. The only thing to do is to change the algorithm and patch out asserts and other checks.
Please let me know if you can do it without my ugly code. Otherwise, I will share it of course.
---------- Post added at 12:54 AM ---------- Previous post was at 12:51 AM ----------
runningnak3d said:
Well, that was more of a pain in the butt than it needed to be, but repo is incoming once I clean up some of my debug code:
Code:
[swango:~/dev/kdztools/kdzextracted] master(+11/-8)* ± ../undz2.py -f G71010f_00.dz -l
[+] DZ Partition List
=========================================
0/ 0 : PrimaryGPT_0.bin (1363 bytes)
0/ 1 : PrimaryGPT_0.bin (277 bytes)
0/ 2 : PrimaryGPT_0.bin (277 bytes)
0/ 3 : PrimaryGPT_0.bin (335 bytes)
0/ 4 : PrimaryGPT_0.bin (2355 bytes)
0/ 5 : PrimaryGPT_0.bin (404 bytes)
0/ 6 : PrimaryGPT_0.bin (213 bytes)
1/?? : mpt (<empty>)
2/?? : drm (<empty>)
3/?? : sns (<empty>)
4/?? : ssd (<empty>)
5/ 7 : persist_13446.bin (743 bytes)
6/?? : misc (<empty>)
7/ 8 : ftm_21894.bin (75 bytes)
8/?? : power (<empty>)
9/?? : encrypt (<empty>)
10/?? : eksst (<empty>)
11/?? : rct (<empty>)
12/?? : fota (<empty>)
13/?? : srtc (<empty>)
14/?? : pstore (<empty>)
15/?? : els (<empty>)
16/?? : carrier (<empty>)
17/?? : persdata (<empty>)
18/ 9 : oem_a_77574.bin (738 bytes)
<snip>
and
Code:
θ78° [swango:~/dev/kdztools/kdzextracted] master(+11/-8)* 3s ± ../undz2.py -f G71010f_00.dz -s 20
[+] Extracting single slice^Wpartition!
[+] Extracting vendor_a_81670.bin to vendor_a.image
[+] Extracting vendor_a_114503.bin to vendor_a.image
[+] Extracting vendor_a_147206.bin to vendor_a.image
[+] Extracting vendor_a_147701.bin to vendor_a.image
<snip>
[swango:~/dev/kdztools/kdzextracted] master(+11/-8)* 130 ± cd dzextracted/
[swango:~/dev … ols/kdzextracted/dzextracted] master(+11/-8)* ± mkdir mnt
[swango:~/dev … ols/kdzextracted/dzextracted] master(+11/-8)* ± sudo mount vendor_a.image ./mnt
[swango:~/dev … ols/kdzextracted/dzextracted] master(+11/-8)* ± cd mnt
[swango:~/dev … kdzextracted/dzextracted/mnt] $ ls -al
total 208
drwxr-xr-x 27 root root 4096 Dec 31 1969 .
drwxr-xr-x 3 swango swango 4096 Dec 15 10:29 ..
drwxr-xr-x 8 root 2000 4096 Dec 31 2008 app
drwxr-xr-x 6 root 2000 8192 Dec 31 2008 bin
-rw------- 1 root root 8664 Dec 31 2008 build.prop
drwxr-xr-x 2 root 2000 4096 Dec 31 2008 carrier
<snip>
The quick and dirty is that the header changed -- which is why there was data in the pad (that is the zero padding at the end of the header to make it 512 bytes) -- so I defined those, and they also changed the compression from zlib to zstandard (you need version 0.9 or greater) NOT zstd.
Lastly, when the compress, they don't include the size in the zstandard header, so I just picked a value that was big enough to decompress the largest partition.
Again, I have a lot of cleanup to do, and then I will commit this. Eventually I will make it so you can pass something like --zlib or --zst so that one file can be used to extract both old and new format KDZs, but for now there is undz2.py
-- Brian
Click to expand...
Click to collapse
Yeah 0x200 bytes of header, i removed that first with dd and then I coded in python changing offsets. Sorry but I dont have the time of coding this properly.
---------- Post added at 12:59 AM ---------- Previous post was at 12:54 AM ----------
eduuk said:
hey guys,
sorry but I didnt get the time to answer you. Took me an entire day to patch the python code. It's so so ugly code, so I would prefer not share it if anyone can code it better than me
There was a guy who was sending me private messages to do the same as me, and he got it too. The only thing to do is to change the algorithm and patch out asserts and other checks.
Please let me know if you can do it without my ugly code. Otherwise, I will share it of course.
---------- Post added at 12:54 AM ---------- Previous post was at 12:51 AM ----------
Yeah 0x200 bytes of header, i removed that first with dd and then I coded in python changing offsets. Sorry but I dont have the time of coding this properly.
Click to expand...
Click to collapse
The best way is to do a pull request at the main repo https://github.com/ehem/kdztools
---------- Post added at 01:00 AM ---------- Previous post was at 12:59 AM ----------
runningnak3d said:
I hate doing work that someone else has already done -- it is just a waste of time, but since it seems that he isn't willing to share the changes, I am spending the day mapping out the structure of the G7 / V40 KDZ format, and updating the extractor so that it can deal with the new version.
As soon as I have it functional, I will post a link to the repo.
-- Brian
Click to expand...
Click to collapse
Dude, did you read this by any chance? https://github.com/ehem/kdztools/issues
Cheers mate

Thanks for the answer @eduuk, however Brian did a kdztool working that I was able to fully extract all the image files for the G710TM10n firmware for T-Mobile. Still with that said we still appreciate all your work!

Alcatel 1T10 [need ROOT,no custom RECOVERY, but UNLOCKED bootloader]

Hello,
I have tablet Alcatel 1T10 (chipset MT8321, Android 8.1) and I am trying to get root access, however, there is no custom recovery for this device yet so im looking for other way to get root access.
I succesfully unlocked bootloader from PC with fastboot command, so i think it should be easy now, but i failed to actually find out how to root it, one-click root apps always fail, I read about Magisk that i could make patched boot.img to get root acccess, but I am not able to find the original boot.img of my device, it looks almost like it doesn't exist, I only found some firmware for (probably) this tablet, but it was older Android version, but when i have unlocked bootloader, there should be some way to root it right? For example is it possible to flash from fastboot directly supersu.zip or something like that?
Thanks for any help

Would this work?
Check that the older scatter file is correct: cat /proc/parti* (if not, modify).
Pull the recovery using SP_FlashTool. (Or why not do a full backup while at it...)
Edit the recovery. Change the keys file to test one and add busybox to sbin (rename to sh, enough??, if not, add the soft links too).
Push the recovery using SP_FlashTool (or fastboot - or just boot it??).
Flash the Magisk zip file

CXZa said:
Would this work?
Check that the older scatter file is correct: cat /proc/parti* (if not, modify).
Pull the recovery using SP_FlashTool. (Or why not do a full backup while at it...)
Edit the recovery. Change the keys file to test one and add busybox to sbin (rename to sh, enough??, if not, add the soft links too).
Push the recovery using SP_FlashTool (or fastboot - or just boot it??).
Flash the Magisk zip file
Click to expand...
Click to collapse
Sorry but what do you mean by check and modify scatter file? When i cat /proc/parti* a get this:
254 0 731652 zram0
179 0 15155200 mmcblk0
179 1 3072 mmcblk0p1
179 2 5120 mmcblk0p2
179 3 10240 mmcblk0p3
179 4 10240 mmcblk0p4
179 5 256 mmcblk0p5
179 6 384 mmcblk0p6
179 7 16384 mmcblk0p7
179 8 16384 mmcblk0p8
179 9 512 mmcblk0p9
179 10 8192 mmcblk0p10
179 11 16384 mmcblk0p11
179 12 10240 mmcblk0p12
179 13 294912 mmcblk0p13
179 14 1024 mmcblk0p14
179 15 5120 mmcblk0p15
179 16 5120 mmcblk0p16
179 17 32768 mmcblk0p17
179 18 38272 mmcblk0p18
179 19 2048 mmcblk0p19
179 20 6144 mmcblk0p20
179 21 8192 mmcblk0p21
179 22 1572864 mmcblk0p22
179 23 114688 mmcblk0p23
179 24 12959232 mmcblk0p24
179 25 16384 mmcblk0p25
179 96 4096 mmcblk0rpmb
179 64 4096 mmcblk0boot1
179 32 4096 mmcblk0boot0
This is obviously different format for scatter file than it is used in SP_Flash Tool, and when i put this in .txt file to SP flash tool, it writes STATUS_SCATTER_FILE_INVALID

No, the idea wasn't to make a scatter file, but just to check it.
It should have shown you the partinfo too. Or isn't there such thing anymore?
Try just "cat /proc/partinfo" ...
edit: Checked, older tablet (Lollipop) has partinfo, new (Nougat) doesn't...
Then one can try to get partition names like this
ls -al /dev/block/platform/*/by-name (or ls -al /dev/block/platform/*/*/by-name )
then multiply blocks by 1024 and convert to Hex.

>Alcatel 1T10 (chipset MT8321, Android 8.1)
Scatter file in the package that I found: MT6580_Android_scatter.txt
If the one you found is the same, it might be wrong.

CXZa said:
>Alcatel 1T10 (chipset MT8321, Android 8.1)
Scatter file in the package that I found: MT6580_Android_scatter.txt
If the one you found is the same, it might be wrong.
Click to expand...
Click to collapse
when i did ls -al /dev/block/platform/*/*/by-name i got this:
total 0
drwxr-xr-x 2 root root 580 2019-01-15 17:10 .
drwxr-xr-x 4 root root 660 2019-01-15 17:10 ..
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 boot -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 cache -> /dev/block/mmcblk0p23
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 expdb -> /dev/block/mmcblk0p12
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 flashinfo -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 frp -> /dev/block/mmcblk0p14
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 keystore -> /dev/block/mmcblk0p21
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 lk -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 logo -> /dev/block/mmcblk0p10
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 metadata -> /dev/block/mmcblk0p18
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 nvdata -> /dev/block/mmcblk0p17
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 nvram -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 odmdtbo -> /dev/block/mmcblk0p11
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 oemkeystore -> /dev/block/mmcblk0
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 para -> /dev/block/mmcblk0p9
lrwxrwxrwx 1 root root 23 2019-01-15 17:10 preloader_a -> /dev/block/mmcblk0
t0
lrwxrwxrwx 1 root root 23 2019-01-15 17:10 preloader_b -> /dev/block/mmcblk0
t1
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 proinfo -> /dev/block/mmcblk0p1
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 protect1 -> /dev/block/mmcblk0p3
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 protect2 -> /dev/block/mmcblk0p4
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 recovery -> /dev/block/mmcblk0p8
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 seccfg -> /dev/block/mmcblk0p5
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 secro -> /dev/block/mmcblk0p20
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 system -> /dev/block/mmcblk0p22
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 tee1 -> /dev/block/mmcblk0p15
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 tee2 -> /dev/block/mmcblk0p16
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 userdata -> /dev/block/mmcblk0p24
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 vendor -> /dev/block/mmcblk0p13

ExternalDeveloper said:
when i did ls -al /dev/block/platform/*/*/by-name i got this:
total 0
drwxr-xr-x 2 root root 580 2019-01-15 17:10 .
drwxr-xr-x 4 root root 660 2019-01-15 17:10 ..
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 boot -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 recovery -> /dev/block/mmcblk0p8
Click to expand...
Click to collapse
So, now you know which blocks to dump. And maybe also which ones to skip.
These and then there is usually pgpt partition (table?) not showing, 512 blocks
179 1 3072 mmcblk0p1
179 2 5120 mmcblk0p2
179 3 10240 mmcblk0p3
179 4 10240 mmcblk0p4
179 5 256 mmcblk0p5
179 6 384 mmcblk0p6
(179 7 16384 mmcblk0p7 if recovery)
Click to expand...
Click to collapse
So, you could calculate the start address and size, but I think you can
use that old scatter for the dump (or readback). There might be some
partition less in it, IDK, but what I checked the start of the file matches to the
info you gave, so you can just take those values from it.
partition_index: SYS8
partition_name: boot
file_name: boot.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x1d20000
physical_start_addr: 0x1d20000
partition_size: 0x1000000
region: EMMC_USER
partition_index: SYS9
partition_name: recovery
file_name: recovery.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x2d20000
physical_start_addr: 0x2d20000
partition_size: 0x1000000
region: EMMC_USER
storage: HW_STORAGE_EMMC
Click to expand...
Click to collapse

CXZa said:
So, now you know which blocks to dump. And maybe also which ones to skip.
These and then there is usually pgpt partition (table?) not showing, 512 blocks
So, you could calculate the start address and size, but I think you can
use that old scatter for the dump (or readback). There might be some
partition less in it, IDK, but what I checked the start of the file matches to the
info you gave, so you can just take those values from it.
Click to expand...
Click to collapse
So, if i understand it correctly, i should modify the MT6580_Android_scatter.txt with these mentioned information? and if yes, how i am supposed to get my boot.img from my device using SP flash tool? I don't have much experience with this tool, i never downloaded anything from my device to my computer using this tool so could you please describe me how to do that?

That was the original idea. But that scatter file seems to match with those partitions
of yours. I checked it up to the recovery partition, you can check the rest if sizes are the same.
How to readback boot --> 5. Launch SP Flash Tool : https://forum.hovatek.com/thread-526.html
Drivers: https://forum.hovatek.com/thread-440.html
What usually causes problems is how to get into update mode - depends the device, and the drivers.
As you see the readback will ask you a scatter file and the start address and the partition size.
The info I gave in those quotes. One value you might have to change in the scatter file and that is
the platform: MT6580 to MT8321...
edit: More info from the same site that I posted earlier to someone else...
https://forum.xda-developers.com/showpost.php?p=78647685&postcount=18

ExternalDeveloper said:
So, if i understand it correctly, i should modify the MT6580_Android_scatter.txt with these mentioned information?
Click to expand...
Click to collapse
CXZa said:
That was the original idea. But that scatter file seems to match with those partitions
of yours. I checked it up to the recovery partition, you can check the rest if sizes are the same.
Click to expand...
Click to collapse
Tested using totally wrong scatter file. When reading back it doesn't matter.
Just the address and size i.e. length matters. But when flashing the scatter
should match to one's device. Or use fastboot - if it works.

CXZa said:
Tested using totally wrong scatter file. When reading back it doesn't matter.
Just the address and size i.e. length matters. But when flashing the scatter
should match to one's device. Or use fastboot - if it works.
Click to expand...
Click to collapse
I tried Read Back with putting correct Start adress and Lenght, clicked Read Back and nothing happened, i have feeling like its not even possible to do anything with this tablet using SP Flash Tool, this tablet is not even detected with MTK Droid Tool software, its detected only with ADB(fastboot)..what am i supposed to do now?

ExternalDeveloper said:
MTK Droid Tool software, its detected only with ADB(fastboot)..what am i supposed to do now?
Click to expand...
Click to collapse
You have installed the drivers? Then it is the MediaTek PreLoader USB VCOM you want to see in device manager. When you connect usb it might show there just
seconds. So, click the readback button and right after that connect usb.
Some tabs vol- has to kept down when plugging in, or vol+. Pressing power
one or two times at the same time might help also. (And removing battery might help too.)
In my tablet vol- with power when connecting the usb helps but not always needed...
It might take several tries to figure out the right way to do it.
BTW, 6580 seems to be the same as 8321, or very close:
Porting firmware to MTK6580 / MTK8321 (in Russian)
Here is picture which shows where that PreLoader is in device manager.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
from https://indofirmware.site/download-firmware-alcatel-1t-10/

CXZa said:
You have installed the drivers? Then it is the MediaTek PreLoader USB VCOM you want to see in device manager. When you connect usb it might show there just
seconds. So, click the readback button and right after that connect usb.
Some tabs vol- has to kept down when plugging in, or vol+. Pressing power
one or two times at the same time might help also. (And removing battery might help too.)
In my tablet vol- with power when connecting the usb helps but not always needed...
It might take several tries to figure out the right way to do it.
BTW, 6580 seems to be the same as 8321, or very close:
Porting firmware to MTK6580 / MTK8321 (in Russian)
Here is picture which shows where that PreLoader is in device manager.
from https://indofirmware.site/download-firmware-alcatel-1t-10/
Click to expand...
Click to collapse
i know about these sites, however, my tablet was never released with Android 7.x (this firmware contains Android 7.x from year 2017,but my tablet is made from 2018). My tablet full name is on some sites as "Alcatel 1T 10 WiFi" and has probably even different chipset than mine(mine doesnt have 6580), i have installed this driver, but i think the problem here is probably this difference between 2 different devices, i honestly dont understand how is it possible that there are 2 devices with same name, but one with (probably) different chipset, and with different Android version

ExternalDeveloper said:
i have installed this driver, but i think the problem here is probably this difference between 2 different devices, i honestly dont understand how is it possible that there are 2 devices with same name, but one with (probably) different chipset, and with different Android version
Click to expand...
Click to collapse
The flash tool works with 6580. About 8321 I don't know really...
One possibility is that the Nougat is meant for a faked tablet.
It has the custom partition that fakes use , but maybe it's used some real ones too... IDK.
Here is its build.prop and imported /custom/cip-build.prop
Is there anything similar in your /system/build.prop?
Many of the values are a bit strange...
import /custom/cip-build.prop
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=NRD90M
ro.build.display.id=NRD90M test-keys
ro.build.version.incremental=G11
ro.build.version.sdk=24
ro.build.version.preview_sdk=0
ro.build.version.codename=REL
ro.build.version.all_codenames=REL
ro.build.version.release=7.0
ro.build.version.security_patch=2016-12-05
ro.build.version.base_os=
ro.build.date=2017年 12月 29日 星期五 10:23:28 CST
ro.build.date.utc=1514514208
ro.build.type=user
ro.build.user=emdoor
ro.build.host=emdoor-OptiPlex-9020
ro.build.tags=test-keys
ro.build.flavor=full_tg101t-user
ro.product.model=tg101t
ro.product.brand=TCL
ro.product.name=full_tg101t
ro.product.device=tg101t
ro.product.board=
# ro.product.cpu.abi and ro.product.cpu.abi2 are obsolete,
# use ro.product.cpu.abilist instead.
ro.product.cpu.abi=armeabi-v7a
ro.product.cpu.abi2=armeabi
ro.product.cpu.abilist=armeabi-v7a,armeabi
ro.product.cpu.abilist32=armeabi-v7a,armeabi
ro.product.cpu.abilist64=
ro.product.manufacturer=TCL
ro.product.locale=en-US
ro.wifi.channels=
ro.board.platform=mt6580
# ro.build.product is obsolete; use ro.product.device
ro.build.product=tg101t
# Do not try to parse description, fingerprint, or thumbprint
ro.build.description=full_tg101t-user 7.0 NRD90M G11 test-keys
ro.build.fingerprint=TCL/full_tg101t/tg101t:7.0/NRD90M/G11:user/test-keys
ro.build.characteristics=tablet
# end build properties
#
# from device/emdoor/tg101t/system.prop
#
#
# system.prop for generic sdk
#
rild.libpath=mtk-ril.so
rild.libargs=-d /dev/ttyC0
# MTK, Infinity, 20090720 {
wifi.interface=wlan0
# MTK, Infinity, 20090720 }
# MTK, mtk03034, 20101210 {
ro.mediatek.wlan.wsc=1
# MTK, mtk03034 20101210}
# MTK, mtk03034, 20110318 {
ro.mediatek.wlan.p2p=1
# MTK, mtk03034 20110318}
# MTK, mtk03034, 20101213 {
mediatek.wlan.ctia=0
# MTK, mtk03034 20101213}
#
wifi.tethering.interface=ap0
#
wifi.direct.interface=p2p0
dalvik.vm.heapgrowthlimit=128m
dalvik.vm.heapsize=256m
# USB MTP WHQL
ro.sys.usb.mtp.whql.enable=0
# Power off opt in IPO
sys.ipo.pwrdncap=2
ro.sys.usb.storage.type=mtp
# USB BICR function
ro.sys.usb.bicr=yes
# USB Charge only function
ro.sys.usb.charging.only=yes
# audio
ro.camera.sound.forced=0
ro.audio.silent=0
ro.zygote.preload.enable=0
# temporary enables NAV bar (soft keys)
qemu.hw.mainkeys=0
ro.kernel.zio=38,108,105,16
#ro.kernel.qemu=0
#ro.kernel.qemu.gles=0
ro.opengles.version=131072
#ro.boot.selinux=disable
# Disable dirty region for Mali
debug.hwui.render_dirty_regions=false
ro.sf.lcd_density=213
persist.service.drm.enable=1
persist.emdoor.isoneline.enable=1
ro.emmc.size=32
persist.operator.optr=CUST
persist.sys.timezone=Europe/Amsterdam
persist.sys.country=NL
ro.product.locale.region=NL
ro.sys.ntp.server=europe.pool.ntp.org
persist.sys.switch_on=CUST
ro.sys.auto.correction=true
ro.sys.timezone.area=MEXICO
persist.browser.mark=es
persist.browser.mark=es
ro.shutdown.dialog=0
ro.shutdown.dialog=0
# clientID
ro.com.google.clientidbase=android-alcatel
ro.com.google.clientidbase.ms=android-alcatel
ro.com.google.clientidbase.yt=android-alcatel
ro.com.google.clientidbase.am=android-alcatel
ro.com.google.clientidbase.gmm=android-alcatel
ro.sys.enabled.input.methods=com.android.inputmethod.latin/.LatinIME;1067440414;-921088104
ro.sys.selected.input.method=1067440414
ro.sys.default.input.method=com.android.inputmethod.latin/.LatinIME
ro.sys.select.language=ru-RU,en-US
ro.sys.haptic.time.support=true
ro.sys.haptic.time=100
ro.sys.time.12.24=24
ro.sys.is.mute.no.disturb=true
ro.bluetooth.name=ALCATEL 1T 10
ro.product.usb.name=ALCATEL 1T 10
ro.screen.timeout=tenMIN
#
# ADDITIONAL_BUILD_PROPERTIES
#
ro.config.ringtone=Ring_Synth_04.ogg
ro.config.notification_sound=pixiedust.ogg
ro.carrier=unknown
ro.config.alarm_alert=Alarm_Classic.ogg
dalvik.vm.heapgrowthlimit=128m
dalvik.vm.heapsize=256m
ro.mediatek.chip_ver=S01
ro.mediatek.platform=MT6580
ro.telephony.sim.count=2
persist.radio.default.sim=0
ril.specific.sm_cause=0
bgw.current3gband=0
ril.external.md=0
ro.sf.hwrotation=0
persist.radio.fd.counter=150
persist.radio.fd.off.counter=50
persist.radio.fd.r8.counter=150
persist.radio.fd.off.r8.counter=50
drm.service.enabled=true
fmradio.driver.enable=1
ril.first.md=1
ril.flightmode.poweroffMD=1
ril.telephony.mode=0
dalvik.vm.mtk-stack-trace-file=/data/anr/mtk_traces.txt
mediatek.wlan.chip=CONSYS_MT6735
mediatek.wlan.module.postfix=_consys_mt6735
ril.radiooff.poweroffMD=0
ro.frp.pst=/dev/block/platform/mtk-msdc.0/11120000.msdc0/by-name/frp
ro.mtk_protocol1_rat_config=W/G
ro.mtk_support_mp2_playback=1
ro.mtk_audio_alac_support=1
ro.mediatek.version.branch=alps-mp-n0.mp2
ro.mediatek.version.release=alps-mp-n0.mp2-V1.23.1_emdoor8321.tb.n
ro.mediatek.version.sdk=4
ro.num_md_protocol=2
persist.radio.multisim.config=dsds
ro.mtk_besloudness_support=1
ro.mtk_bt_support=1
ro.mtk_wappush_support=1
ro.mtk_agps_app=1
ro.mtk_audio_tuning_tool_ver=V1
ro.mtk_wlan_support=1
ro.mtk_ipo_support=1
ro.mtk_gps_support=1
ro.mtk_omacp_support=1
ro.mtk_search_db_support=1
ro.mtk_dialer_search_support=1
ro.mtk_dhcpv6c_wifi=1
ro.have_aacencode_feature=1
ro.mtk_fd_support=1
ro.mtk_oma_drm_support=1
ro.mtk_cta_drm_support=1
ro.mtk_widevine_drm_l3_support=1
ro.mtk_eap_sim_aka=1
ro.mtk_audio_ape_support=1
ro.mtk_wmv_playback_support=1
ro.mtk_send_rr_support=1
ro.mtk_rat_wcdma_preferred=1
ro.mtk_emmc_support=1
ro.mtk_tetheringipv6_support=1
ro.telephony.default_network=0,0
ro.mtk_shared_sdcard=1
ro.mtk_enable_md1=1
ro.mtk_flight_mode_power_off_md=1
ro.mtk_pq_support=2
ro.mtk_pq_color_mode=1
ro.mtk_miravision_support=1
ro.mtk_wifi_mcc_support=1
ro.mtk_bip_scws=1
ro.mtk_world_phone_policy=0
ro.mtk_perfservice_support=1
ro.mtk_cta_set=1
ro.mtk_cam_mfb_support=0
ro.mtk_cam_cfb=1
ro.sim_refresh_reset_by_modem=1
ro.mtk_external_sim_only_slots=0
ro.mtk_hotknot_support=1
ro.mtk_bg_power_saving_support=1
ro.mtk_bg_power_saving_ui=1
ro.have_aee_feature=1
ro.sim_me_lock_mode=0
ro.mtk_dual_mic_support=0
ro.mtk_is_tablet=1
persist.mtk_nlp_switch_support=1
persist.mtk_vilte_support=0
ro.mtk_vilte_ut_support=0
ro.mediatek.hotknot.module=GT9XX
wfd.dummy.enable=1
wfd.iframesize.level=0
ro.mediatek.project.path=device/emdoor/tg101t
persist.mtk.wcn.combo.chipid=-1
persist.mtk.wcn.patch.version=-1
persist.mtk.wcn.dynamic.dump=0
service.wcn.driver.ready=no
service.wcn.coredump.mode=0
persist.mtk.connsys.poweron.ctl=0
ro.com.android.mobiledata=true
persist.radio.mobile.data=0,0
persist.meta.dumpdata=0
persist.radio.mtk_ps2_rat=G
persist.radio.mtk_ps3_rat=G
ro.boot.opt_c2k_lte_mode=0
ro.boot.opt_md1_support=3
persist.log.tag.AT=I
persist.log.tag.RILMUXD=I
persist.log.tag.RILC-MTK=I
persist.log.tag.RILC=I
persist.log.tag.RfxMainThread=I
persist.log.tag.RfxRoot=I
persist.log.tag.RfxRilAdapter=I
persist.log.tag.RfxController=I
persist.log.tag.RILC-RP=I
persist.log.tag.RIL-DATA=I
ro.boot.opt_using_default=1
ro.mtk_multiwindow=1
mtk.vdec.waitkeyframeforplay=1
ro.sys.sdcardfs=1
persist.runningbooster.support=1
persist.runningbooster.upgrade=1
ro.media.maxmem=500000000
ro.setupwizard.mode=OPTIONAL
ro.com.google.gmsversion=7.0_r5
ro.product.first_api_level=24
persist.sys.dalvik.vm.lib.2=libart.so
dalvik.vm.isa.arm.variant=cortex-a7
dalvik.vm.isa.arm.features=default
net.bt.name=Android
dalvik.vm.stack-trace-file=/data/anr/traces.txt
import /custom/cip-build.prop
ro.expect.recovery_id=0xc8c8948d4d2dc3418f5a954abe50fb27519e06f3000000000000000000000000
Click to expand...
Click to collapse
ro.cip.build.date=2017年 12月 28日 星期四 21:31:09 CST
persist.mtk_clr_code_support=0
persist.mtk_epdg_support=0
persist.mtk_volte_support=0
persist.mtk.volte.enable=0
persist.dbg.volte_avail_ovr=0
persist.mtk_ims_support=0
persist.mtk_wfc_support=0
persist.mtk.wfc.enable=0
persist.dbg.wfc_avail_ovr=0
persist.mtk_vilte_support=0
persist.mtk.ims.video.enable=0
persist.dbg.vt_avail_ovr=0
persist.flight_mode_md_off=1
persist.radio.multisim.config=dsds
persist.mtk_rcs_ua_support=0
persist.data.cc33.support=0
ro.bluetooth.name=ALCATEL 1T 10
ro.product.usb.name=ALCATEL 1T 10
ro.screen.timeout=tenMIN
Click to expand...
Click to collapse

CXZa said:
BTW, 6580 seems to be the same as 8321, or very close:
Porting firmware to MTK6580 / MTK8321 (in Russian)
Click to expand...
Click to collapse
Для тех кто не в курсе, MTK8321 - это тот же MTK6580, только для планшетов.
Click to expand...
Click to collapse
"For those who do not know, MTK8321 is the same MTK6580, only for tablets."
(Google translation)
So, maybe you could try to boot that recovery.img using fastboot.
Or find one that is taken some 8321 oreo.
If it boots then back to plan A....
edit: Alcatel buttons mentioned somewhere else, connect usb, Vol+ and Vol- at the same time.
Same, but also the Power button.

CXZa said:
"For those who do not know, MTK8321 is the same MTK6580, only for tablets."
(Google translation)
So, maybe you could try to boot that recovery.img using fastboot.
Or find one that is taken some 8321 oreo.
If it boots then back to plan A....
edit: Alcatel buttons mentioned somewhere else, connect usb, Vol+ and Vol- at the same time.
Same, but also the Power button.
Click to expand...
Click to collapse
i tried boot recovery from that Alcatel_1T_10_MT6580_20171229_7.0 with the same result as from other not supported custom recoveries i tried:it just writes on the screen USB Transferring...,USB Transmission OK Time:xxxms Vel:xxxxxxKB/s
then i wait for about 1-2 minutes with this shown at the screen and then the tablet reboots.
about build.prop: i am not able to read it from adb, when i cat /system/build.prop it writes Permission denied
i tried pressing vol+ and vol- with power button and without power button after connecting via USB to PC and nothing happened..

Hi!
Try to flash it..
indofirmware.site/download-firmware-alcatel-u3a-10-wifi
The tablet has many names:
1T 10 ; U3A.
We have the official name in Russia: 8082_RU.

Ayuda!! alguien que sea tan amable de compartir firmware stock para tablet alcaltel 1
[I need a copy of your firmware stock, to install on my tablet, can I help you? The original system that I had was oreo go edition. thank you, I leave my mail is [email protected]

has anyone managed to safely root this tablet ,any help would be appreciated

nissasnzx said:
has anyone managed to safely root this tablet ,any help would be appreciated
Click to expand...
Click to collapse
i really need to get root on this device please ..........

[GUIDE] How to unlock and root Xiaomi Redmi 9 (Galahad/Lancelot)

There are some posts on how to root the Xiaomi Redmi 9 (Galahad/Lancelot) phone, but since they have lots of "don't know" phrases (or files of unknown origin), I've managed to do the whole process from scratch.
Lancelot or Galahad​
Basically, the codename for Xiaomi Redmi 9 phone is Lancelot. But when you get shell via ADB, you will see Galahad. This can cause lots of confusion because you may think that Galahad and Lancelot are two different phones. In reality they're the same phone. Moreover, the specs of the Xiaomi Redmi 9 says that the phone has a MT6769T SoC (the info comes from the phone's /proc/cpuinfo). But it looks like the official ROM, TWRP, even CPU-Z treats the phone as if it had the MT6768 SoC. So keep that in mind when you look for some info concerning the phone.
The phone was bought in Europe/Poland last year (the black Friday, 2020) from the official source. Here's some more info:
Code:
galahad:/ # getprop | grep -i model
[ro.product.model]: [M2004J19C]
[ro.product.odm.model]: [M2004J19C]
[ro.product.product.model]: [M2004J19C]
[ro.product.system.model]: [M2004J19C]
[ro.product.vendor.model]: [M2004J19C]
galahad:/ # getprop | grep -i ro.build.version.
[ro.build.version.base_os]: [Redmi/galahad_eea/galahad:10/QP1A.190711.020/V12.0.0.1.QJCEUXM:user/release-keys]
[ro.build.version.incremental]: [V12.0.1.0.QJCEUXM]
[ro.build.version.security_patch]: [2021-01-05]
galahad:/ # getprop | grep -i baseband
[gsm.version.baseband]: [MOLY.LR12A.R3.MP.V98.P75,MOLY.LR12A.R3.MP.V98.P75]
[ro.baseband]: [unknown]
[vendor.gsm.project.baseband]: [HUAQIN_Q0MP1_MT6769_SP(LWCTG_CUSTOM)]
$ fastboot getvar all
...
(bootloader) product: lancelot
...
(bootloader) version-baseband: MOLY.LR12A.R3.MP.V98.P75
(bootloader) version-bootloader: lancelot-2b1e22f-20201123162228-2021011
(bootloader) version-preloader:
(bootloader) version: 0.5
...
The bootloader unlock​
Before you even start thinking of flashing the TWRP image to the Xiaomi Redmi 9 (Galahad/Lancelot) phone, you have to unlock it's bootloader first. It's a straightforward operation, but you need some proper tools to achieve that. If you're using windows, use Mi Unlock, if you're on linux, use xiaomitool. I'm a linux user so I can't help with this process those of you who use windows. If you're going to use xiaomitool, there's a bug in the current version (20.7.28 beta), and you have to patch the source yourself to make it work again. It's not hard. There's an article step by step how to do it. It's in Polish, but all the necessary commands are included so you can just ctrl+c and ctrl+v.
When you unlock the bootloader, you can flash the TWRP image, so make sure you have the following in the Developer options:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The TWRP image​
There are some prebuilt TWRP images in the wild, but I wanted source of the files, and I couldn't get any. But I've managed to target this device tree. I attached the twrp-recovery.img (64MiB) file in this post. It looks like the TWRP image built from that source has everything that's needed, so you won't really have to build it yourself. If you want to build the TWRP image yourself from the provided source, you have to go through setting up the android build environment.
Flashing the TWRP image​
When you have the TWRP image, you can flash it to the Xiaomi Redmi 9 (Galahad/Lancelot) phone using fastboot. On Debian, you just install the fastboot package. To flash the TWRP image, turn off you phone, turn it on using volumeDown+power, plug the phone via USB to your desktop/laptop and issue the following command:
Code:
$ fastboot flash recovery twrp-recovery.img
Remember one thing. This flashing has only a temporary effect. When you boot the device in a normal mode, the recovery partition will be automatically regenerated and flashed by your phone. So when you issue the command above, boot to recovery via:
Code:
$ fastboot reboot recovery
After you boot into TWRP recovery, it will ask for password. This is the password that you use to unlock your phone's lock screen.
Backup the phone's flash​
The temporary TWRP recovery is needed to take the backup of the whole phone's flash. The only partition that has been changed is the recovery partition. Other partitions are intact. In this way, you can backup partitions that hold IMEI, WiFi/BT MACs, and other important stuff. If something goes wrong, you can restore the phone to it's default state (after unlocking) using fastboot and the partition images.
To make the backup of the whole phone's flash, use the following command:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
This command is issued from your desktop/laptop computer, and not from the phone. Of course you could just use the dd command and backup the flash to the external SD card, but my external SD was only 32G, and the phone's flash is 64G. Besides it's better to store the phone's flash on your computer for future use.
The process of taking a backup is rather slow. It took around 2h (14M/s). After it finishes, you can check whether everything with the image is OK by looking into the image using the gdisk tool:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
/dev/block/mmcblk0: 1 file pulled. 14.0 MB/s (62537072640 bytes in 4266.682s)
# gdisk -l /media/Zami/mmcblk0.img
GPT fdisk (gdisk) version 1.0.7
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk /media/Zami/mmcblk0.img: 122142720 sectors, 58.2 GiB
Sector size (logical): 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 122142686
Partitions will be aligned on 16-sector boundaries
Total free space is 61 sectors (30.5 KiB)
Number Start (sector) End (sector) Size Code Name
1 64 131135 64.0 MiB 0700 recovery
2 131136 132159 512.0 KiB 0700 misc
3 132160 133183 512.0 KiB 0700 para
4 133184 174143 20.0 MiB 0700 expdb
5 174144 176191 1024.0 KiB 0700 frp
6 176192 192575 8.0 MiB 0700 vbmeta
7 192576 208959 8.0 MiB 0700 vbmeta_system
8 208960 225343 8.0 MiB 0700 vbmeta_vendor
9 225344 271631 22.6 MiB 0700 md_udc
10 271632 337167 32.0 MiB 0700 metadata
11 337168 402703 32.0 MiB 0700 nvcfg
12 402704 533775 64.0 MiB 0700 nvdata
13 533776 632079 48.0 MiB 0700 persist
14 632080 730383 48.0 MiB 0700 persistbak
15 730384 746767 8.0 MiB 0700 protect1
16 746768 770047 11.4 MiB 0700 protect2
17 770048 786431 8.0 MiB 0700 seccfg
18 786432 790527 2.0 MiB 0700 sec1
19 790528 796671 3.0 MiB 0700 proinfo
20 796672 797695 512.0 KiB 0700 efuse
21 797696 850943 26.0 MiB 0700 boot_para
22 850944 982015 64.0 MiB 0700 nvram
23 982016 998399 8.0 MiB 0700 logo
24 998400 1260543 128.0 MiB 0700 md1img
25 1260544 1262591 1024.0 KiB 0700 spmfw
26 1262592 1274879 6.0 MiB 0700 scp1
27 1274880 1287167 6.0 MiB 0700 scp2
28 1287168 1289215 1024.0 KiB 0700 sspm_1
29 1289216 1291263 1024.0 KiB 0700 sspm_2
30 1291264 1324031 16.0 MiB 0700 gz1
31 1324032 1356799 16.0 MiB 0700 gz2
32 1356800 1360895 2.0 MiB 0700 lk
33 1360896 1364991 2.0 MiB 0700 lk2
34 1364992 1496063 64.0 MiB 0700 boot
35 1496064 1528831 16.0 MiB 0700 dtbo
36 1528832 1539071 5.0 MiB 0700 tee1
37 1539072 1549311 5.0 MiB 0700 tee2
38 1549312 1582079 16.0 MiB 0700 gsort
39 1582080 1844223 128.0 MiB 0700 minidump
40 1844224 2630655 384.0 MiB 0700 exaid
41 2630656 4727807 1024.0 MiB 0700 cust
42 4727808 4744191 8.0 MiB 0700 devinfo
43 4744192 4767743 11.5 MiB 0700 ffu
44 4767744 19447807 7.0 GiB 0700 super
45 19447808 20332543 432.0 MiB 0700 cache
46 20332544 122021823 48.5 GiB 0700 userdata
47 122021824 122109887 43.0 MiB 0700 otp
48 122109888 122142655 16.0 MiB 0700 flashinfo
As you can see, there's the whole flash layout with all the partitions in their stock state (except for the recovery partition, of course). If something goes wrong, you can extract the individual partition by mounting the image on a linux system in the following way:
Code:
# losetup /dev/loop5 /media/Zami/mmcblk0.img
# losetup -a
/dev/loop5: [64769]:12 (/media/Zami/mmcblk0.img)
The above command uses the /dev/loop5 device to mount the image. Since the image has many partitions, the corresponding devices will be created for each partition, which looks like this:
Code:
# ls -al /dev/loop5*
brw-rw---- 1 root disk 7, 320 2021-08-29 02:54:11 /dev/loop5
brw-rw---- 1 root disk 7, 321 2021-08-29 02:54:11 /dev/loop5p1
brw-rw---- 1 root disk 7, 330 2021-08-29 02:54:11 /dev/loop5p10
brw-rw---- 1 root disk 7, 331 2021-08-29 02:54:11 /dev/loop5p11
brw-rw---- 1 root disk 7, 332 2021-08-29 02:54:11 /dev/loop5p12
brw-rw---- 1 root disk 7, 333 2021-08-29 02:54:11 /dev/loop5p13
brw-rw---- 1 root disk 7, 334 2021-08-29 02:54:11 /dev/loop5p14
brw-rw---- 1 root disk 7, 335 2021-08-29 02:54:11 /dev/loop5p15
brw-rw---- 1 root disk 7, 336 2021-08-29 02:54:11 /dev/loop5p16
brw-rw---- 1 root disk 7, 337 2021-08-29 02:54:11 /dev/loop5p17
brw-rw---- 1 root disk 7, 338 2021-08-29 02:54:11 /dev/loop5p18
brw-rw---- 1 root disk 7, 339 2021-08-29 02:54:11 /dev/loop5p19
brw-rw---- 1 root disk 7, 322 2021-08-29 02:54:11 /dev/loop5p2
brw-rw---- 1 root disk 7, 340 2021-08-29 02:54:11 /dev/loop5p20
brw-rw---- 1 root disk 7, 341 2021-08-29 02:54:11 /dev/loop5p21
brw-rw---- 1 root disk 7, 342 2021-08-29 02:54:11 /dev/loop5p22
brw-rw---- 1 root disk 7, 343 2021-08-29 02:54:11 /dev/loop5p23
brw-rw---- 1 root disk 7, 344 2021-08-29 02:54:11 /dev/loop5p24
brw-rw---- 1 root disk 7, 345 2021-08-29 02:54:11 /dev/loop5p25
brw-rw---- 1 root disk 7, 346 2021-08-29 02:54:11 /dev/loop5p26
brw-rw---- 1 root disk 7, 347 2021-08-29 02:54:11 /dev/loop5p27
brw-rw---- 1 root disk 7, 348 2021-08-29 02:54:11 /dev/loop5p28
brw-rw---- 1 root disk 7, 349 2021-08-29 02:54:11 /dev/loop5p29
brw-rw---- 1 root disk 7, 323 2021-08-29 02:54:11 /dev/loop5p3
brw-rw---- 1 root disk 7, 350 2021-08-29 02:54:11 /dev/loop5p30
brw-rw---- 1 root disk 7, 351 2021-08-29 02:54:11 /dev/loop5p31
brw-rw---- 1 root disk 7, 352 2021-08-29 02:54:11 /dev/loop5p32
brw-rw---- 1 root disk 7, 353 2021-08-29 02:54:11 /dev/loop5p33
brw-rw---- 1 root disk 7, 354 2021-08-29 02:54:11 /dev/loop5p34
brw-rw---- 1 root disk 7, 355 2021-08-29 02:54:11 /dev/loop5p35
brw-rw---- 1 root disk 7, 356 2021-08-29 02:54:11 /dev/loop5p36
brw-rw---- 1 root disk 7, 357 2021-08-29 02:54:11 /dev/loop5p37
brw-rw---- 1 root disk 7, 358 2021-08-29 02:54:11 /dev/loop5p38
brw-rw---- 1 root disk 7, 359 2021-08-29 02:54:11 /dev/loop5p39
brw-rw---- 1 root disk 7, 324 2021-08-29 02:54:11 /dev/loop5p4
brw-rw---- 1 root disk 7, 360 2021-08-29 02:54:11 /dev/loop5p40
brw-rw---- 1 root disk 7, 361 2021-08-29 02:54:11 /dev/loop5p41
brw-rw---- 1 root disk 7, 362 2021-08-29 02:54:11 /dev/loop5p42
brw-rw---- 1 root disk 7, 363 2021-08-29 02:54:11 /dev/loop5p43
brw-rw---- 1 root disk 7, 364 2021-08-29 02:54:11 /dev/loop5p44
brw-rw---- 1 root disk 7, 365 2021-08-29 02:54:11 /dev/loop5p45
brw-rw---- 1 root disk 7, 366 2021-08-29 02:54:11 /dev/loop5p46
brw-rw---- 1 root disk 7, 367 2021-08-29 02:54:11 /dev/loop5p47
brw-rw---- 1 root disk 7, 368 2021-08-29 02:54:11 /dev/loop5p48
brw-rw---- 1 root disk 7, 325 2021-08-29 02:54:11 /dev/loop5p5
brw-rw---- 1 root disk 7, 326 2021-08-29 02:54:11 /dev/loop5p6
brw-rw---- 1 root disk 7, 327 2021-08-29 02:54:11 /dev/loop5p7
brw-rw---- 1 root disk 7, 328 2021-08-29 02:54:11 /dev/loop5p8
brw-rw---- 1 root disk 7, 329 2021-08-29 02:54:11 /dev/loop5p9
To extract some partition (for instance the stock boot), use the following command:
Code:
# dd if=/dev/loop5p34 of=./34-stock-boot.img
Extracting any of the partitions from the backup creates a file that can be flashed via fastboot or directly via dd from TWRP recovery. So as long as fastboot (or TWRP recovery) works and you are able to switch to that mode, you shouldn't brick the phone for good. All the bricks should be only temporary and they go away when you flash the stock partitions to the changed ones. So pay attention what changes you commit to the phone's flash.
The Magisk app and a bootloop​
To sum up, we have a backup of the phone's flash on our computer, we have flashed a temp TWRP image to the recovery partition, and we are booted in the TWRP recovery mode. Now it's time to flash Magisk and get root on our Xiaomi Redmi 9 (Galahad/Lancelot) phone.
But not so fast. If you just flashed the Magisk apk file using TWRP, you will get a bootloop. This is because of the Android Verified Boot mechanism, which still works even after you unlock the phone. You can read about this AVB mechanism more here. Basically it's all about the boot partition hashes (and possibly other partition hashes as well) which are allowed by manufacturer of the phone to be valid. So only those boot images that have valid hashes can be used in the boot process of the device. Flashing Magisk changes the boot partition, and in this way the hash of the boot partition changes. So, when you try to boot the phone after you flashed Magisk from the TWRP recovery, it will bootloop. Also you will loose access to the recovery partition, so you won't be able to revert the change you did when you flashed the Magisk app. The only way to restore the phone in such state is to flash the stock boot partition. That's why you should make the phone's whole flash backup. I include the stock boot partition here for those who didn't have the backup, but pay attention that this boot image is for Android10/MIUI12 (see the specs above), and I don't know what will happen if you use the image with different software/firmware/ROM.
Install the Magisk app​
To avoid the unpleasant bootloop situation after flashing the Magisk app, you have to deactivate the AVB mechanism. You do this by flashing the stock vbmeta partition using fastboot, i.e. the following command:
Code:
# dd if=/dev/loop5p6 of=./6-stock-vbmeta.img
$ fastboot --disable-verity --disable-verification flash vbmeta 6-stock-vbmeta.img
You can proceed with flashing the Magisk app only after you disable the AVB mechanism.
If your phone restored the stock recovery, flash once again the TWRP recovery, and boot into the recovery mode. Download the most recent Magisk app, currently Magisk-v23.0.apk. Yes, I know it's an APK file, and yes, you have to flash the APK file via TWRP recovery. You're going to see some messages about repacking the stock boot and flashing it.
This is the step when the phone stops rewriting the custom recovery partition. So, after installing the Magisk app, the TWRP recovery will be persistent, and you won't have to flash it again.
After flashing the APK file, you have to boot to the phone's OS in order to finish installing Magisk (the OS part/app). You'll be prompted to do this step, so follow what it says and ultimatelly you get the Magisk installed:
SafetyNet​
The next thing is to open the Magisk App. After this, check the SafetyNet. It should fail. Go to the options and "Hide the Magisk app". You also have to activate MagiskHide. After this, check the SafetyNet again. It should pass now.
So now you have the root access on your Xiaomi Redmi 9 (Galahad/Lancelot) and also it passes the SafetyNet.
This HOWTO should work for the Xiaomi Redmi 9 (Galahad/Lancelot) phones, but I'm not sure whether I forgot to mention about something. Anyways, if you have any questions, or something doesn't work, ask.

Wow,realy great guide,good written and all infos are there,not bad!!!Cheers!!!

I fixed some spelling mistakes, now it should be easier to read.

Thanks a lot for this great guide.
Small problem here though ;-)
Entering
$ fastboot reboot recovery
leads to:
fastboot: usage: unknown reboot target recovery
Looking at fastboot --help there is no such parameter. Either bootloader or emergency (the latter doesn't work)
Thanks in advance - Chris

It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?

morfikov said:
It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?
Click to expand...
Click to collapse
Thank you, morfikov - that was it. Mine was nearly 12 years old :-D
Everyone else facing this issue: latest SDK Platform Tools always under https://developer.android.com/studio/releases/platform-tools
Thanks again for your fabulous guide!

Great guide! I even managed to compile latest TWRP from the devicetree you linked. The only thing that I would add is that I had to use losetup -fP <name>.img. The "P" flag forces the loop device to display partitions and "f" just takes the first available device. As for magisk, I had to use the Didgeridoohan's MagiskHide Props Config module in order to pass CTS check. I just had to "Force BASIC key attestation" using the default value "galahad". I suspect that has to do with the fact that i'm running latest EEA rom (Android 11), other than that I use the same phone - European version bought in Poland

morfikov said:
The process of taking a backup is rather slow. It took around 2h (14M/s)
Click to expand...
Click to collapse
You might have been using a USB 2.0 port.
It is advised that you use a USB 3.x Port. Throughput here was: 146.5 MB/s. It took around 10-15 Minutes.
Maybe you want to put that advise in your guide..

Another tipp which makes the the deavtivation of the AVB mechanism and flashing the stock vbmeta partition using fastbootmuch easier, fast - and also suitable to Windows machines. It takes all together only 2-3 minutes then:
When you're in TWRP after the first flash, instead of pulling the complete image of your Redmi 9 (which is not bad at all, but the image is not loadable under Win machines), you use the means of TWRP:
In TWRP you enter the section "Backup"
There you select the storage "Micro SD card"
In the list of partitions to be backed up ONLY select "vbmeta". It's only 8 MB. (This only takes a few seconds and requires not more than 9MB on your SD card ;-) )
Then "Swipe to Backup"
After that you stay in TWRP
Then you copy the tiny backup to your adb/fastboot folder on the PC (as you're in TWRP, you have full access):
Copy from your phone the files from Redmi's "External_SD/TWRP/BACKUPS/Redmi_9/<current date/time/ID>" to your adb/fastboot folder on the PC:
vbmeta.emmc.win
vbmeta.emmc.win.sha2
(recovery.log is not needed, it only contains the console output)
Within TWRP go back to the main menu and select "Reboot" and select "Fastboot"
The Smartphone reboots into TWRP / Fastboot mode
Now from the PC you turn the the AVB mechanism off by flashing:
$ fastboot --disable-verity --disable-verification flash vbmeta vbmeta.emmc.win
Now you continue with the guide above - reflashing TWRP & booting in Recovery:
$ fastboot flash recovery twrp-recovery.img
$ fastboot reboot recovery
In TWRP back again, now flash Magisk-vXY.Z.apk and reboot to System after that (to clean Cache & Dalvik is not a bad idea).
The flash of TWRP is now permanent (can be entered anytime from device off --> Press and hold Power and Volume up buttons)

It's weird that windows still can't mount such images.

Any tip for me?
I have J19AG (lancelot at first). The problem is that I can't fix broken Google Play Protect on other roms than EEA. This phone came with EEA rom which had GPP. Then I unlocked bootloader and flashed non EEA rom. I have tried TR, ID, IN, RU fastboot roms but none worked with GPP.
Im now on ID rom and trying to fix it using Magisk modules to change props. But neither galahad or lancelot worked for Force Basic Key attestation. After changing galahad to lancelot my base_os prop is empty. Magisk CTS check is still failed.
Code:
[ro.build.version.all_codenames]: [REL]
[ro.build.version.base_os]: []
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [V12.0.3.0.QJCIDXM]

I would suggest you to restore the phone stock state with fastboot ROM. You can find some here:
Download: MIUI 12 stable update rolling out to several Xiaomi, Redmi and POCO devices
MIUI 12 stable builds have begun rolling out to several Xiaomi, Redmi, and POCO devices. Head on over for Recovery ROM and Fastboot ROM download links!
www.xda-developers.com

No I do not want this.
I asked some certain question.
I know exactly what I'm doing and have skills for that.
My goal was to have galahad with rom other than EEA with Google Play protect on.
Currently only EEA <-> Galahad is possible. ID, TW, TR rom have no Google Play protect when unlocked or locked bootloader on galahad (Redmi 9 with NFC).
The trick is to fix Google Play protect with Magisk and TWRP. But above methods didnt work for me.

I have no knowledge on this subject, so I can't help you with this.

Hello.
I'm having a problem using the losetup command. After using
sudo losetup /dev/loop3 mmcblk0.img
and checking out the partitions created with
[I]ls -al /dev/loop3*[/I]
I only get ...
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop
When checking mmcblk0.img with command
[I]gdisk -l mmcblk0.img[/I]
I get the same as you.
I understand that losetup doesn't create the partitions other than one so I can't extract anyone in particular. Am I doing something wrong. I'm using an updated Ubuntu 20.04.
Thanks for your help.

Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64

morfikov said:
Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64
Click to expand...
Click to collapse
After using the first command I get
modprobe: FATAL: Module loop is builtin.
The second one doesn't display anything.
Then again when using ls -al /dev/loop3* I get
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop3

Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.

morfikov said:
Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.
Click to expand...
Click to collapse
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.

lotiopep said:
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.
Click to expand...
Click to collapse
Finally it worked! Thanks!