Better Mobile App

[REQ] Toshiba folio 100 BCT and partition dumps

I have somehow messed up my folio 100, and its BCT and bootloader information.
So im hoping someone else with little experience, knows how to use the nvflash utilities and dump the information for me and send me a link on where to get it.
the combo to get into bootloader mode is: POWER button pressed 4 times + VOL- key and it will go into bootloader mode.

I can extract these tomorrow evening.
Can you be clearer with the bootload sequence?
Tried to get the booload seq. Ended up with a partial reset of settings...

tshoulihane said:
I can extract these tomorrow evening.
Can you be clearer with the bootload sequence?
Tried to get the booload seq. Ended up with a partial reset of settings...
Click to expand...
Click to collapse
well, i dont think you should try it..!!
another user did, he ended up with a semi-bricked device too.. so thanks but now the fun stops.. it seems that Toshiba included a very,very bad key combo that terminates the device to a deadlocked machine..
so ill just figure out another way to get the partitions off it.. but my 4xpower + vol- is really scary, do NOT try it
at least until is cleared on how to get out of this bootloader state again.

I dumped the partitions which are visible from android already. Don't quite know what got resentment with your key sequence - DATA wiped? Some of the preloaded apps are broken now, but they were a bit broken before.

tshoulihane said:
I dumped the partitions which are visible from android already. Don't quite know what got resentment with your key sequence - DATA wiped? Some of the preloaded apps are broken now, but they were a bit broken before.
Click to expand...
Click to collapse
so you mean, you can extract all partitions from a shell?
ie. bootloader of partition2 and so forward?
i didnt notice that all 8 partitions were accessable there?
can you upload the dump of them somewhere?

A guy made the dumps of the ROM (not the recovery image though) on the forum of Frandroid DOT fr but I cannot post you the link directly here (anti spam as I do not have many messages on the forum).
I will PM you (if it allows me)

bootoo said:
A guy made the dumps of the ROM (not the recovery image though) on the forum of Frandroid DOT fr but I cannot post you the link directly here (anti spam as I do not have many messages on the forum).
I will PM you (if it allows me)
Click to expand...
Click to collapse
i have the dump of the /system i need all of the other partitions ie. 0 to 8
i cannot restore system, as i got no bootable tablet at all, i need raw partition dumps which i hope can be used using nvflash

Is it possible to extract opera mobile 10.1 apk?

toca79 said:
Is it possible to extract opera mobile 10.1 apk?
Click to expand...
Click to collapse
look for it here

Dexter_nlb said:
look for it here
Click to expand...
Click to collapse
Thx a lot found it.
I think the resolution is too high though.

Hi Dex, did you was able to restore your bricked folio?

roglio said:
Hi Dex, did you was able to restore your bricked folio?
Click to expand...
Click to collapse
decided to get another one..

ok!
I was hoping you did it because I'm a little tired of android (apple fan ).
My idea was to build and flash linux (ubuntu 10.10 works on toshiba AC100).
But if there isn't a way to restore the factory default (bootloader, etc.), I'll give up.

roglio said:
My idea was to build and flash linux (ubuntu 10.10 works on toshiba AC100).
Click to expand...
Click to collapse
when i was debugging bootloader configs, i was provided some config files that Ac100 users said would work on our folio, but i see now partition setup is very different, so we need to make proper configs for our folio before experimenting with the bootloader..
again, as you metion backup seems to do , when recover seems unavailable currently. it will be hard to verify if the parition table layout is working.

Hi,
sorry, maybe I missunderstood someting, but I cannot understand your problem in reading out the whole flash.
1. I have opened / disassembled my Filio 100. And like I have suspected there is a 16GB micoSD card connected (soldered) to the PCB and fixed with glue. One could read out the whole flash in a card reader.
2. You have fully access to the microSD card out of Android:
/dev/block/mmcblk0
sh-4.1# cd /dev/block
cd /dev/block
sh-4.1# pwd
pwd
/dev/block
sh-4.1# ls -l
ls -l
brw------- root root 254, 1 2010-12-07 08:46 dm-1
brw------- root root 254, 0 2010-12-07 08:46 dm-0
drwxr-xr-x root root 2010-12-07 08:45 vold
brw------- root root 179, 17 2010-12-07 08:45 mmcblk1p1
brw------- root root 179, 16 2010-12-07 08:45 mmcblk1
brw------- root root 7, 7 2010-12-07 08:45 loop7
brw------- root root 7, 6 2010-12-07 08:45 loop6
brw------- root root 7, 5 2010-12-07 08:45 loop5
brw------- root root 7, 4 2010-12-07 08:45 loop4
brw------- root root 7, 3 2010-12-07 08:45 loop3
brw------- root root 7, 2 2010-12-07 08:45 loop2
brw------- root root 7, 1 2010-12-07 08:45 loop1
brw------- root root 7, 0 2010-12-07 08:45 loop0
brw------- root root 179, 8 2010-12-07 08:45 mmcblk0p8
brw------- root root 179, 7 2010-12-07 08:45 mmcblk0p7
brw------- root root 179, 6 2010-12-07 08:45 mmcblk0p6
brw------- root root 179, 5 2010-12-07 08:45 mmcblk0p5
brw------- root root 179, 4 2010-12-07 08:45 mmcblk0p4
brw------- root root 179, 3 2010-12-07 08:45 mmcblk0p3
brw------- root root 179, 2 2010-12-07 08:45 mmcblk0p2
brw------- root root 179, 1 2010-12-07 08:45 mmcblk0p1
brw------- root root 179, 0 2010-12-07 08:45 mmcblk0
sh-4.1#
Regards, Artem

Hi DerArtem! Nice first post indeed!!!!
Thank you for your information.
A micro SD soldered is a nice gift from toshiba!!! This means upgrades, full dumps, etc.
Great
A request: could you please post some pictures?

DerArtem said:
sorry, maybe I missunderstood someting, but I cannot understand your problem in reading out the whole flash.
Click to expand...
Click to collapse
did i write i had problem dumping the entire mmc device? not really.
Yes, you misunderstood,Writing a proper cfg file describing the different areas is required.. dumping is easy part, documenting is harder..
but feel free to contribute and document the .cfg file for bootloader, that is of course appreciated...

I just got back from my business trip, and finally had some more time to take a closer look at the device.
roglio said:
Hi DerArtem! Nice first post indeed!!!!
Thank you for your information.
A micro SD soldered is a nice gift from toshiba!!! This means upgrades, full dumps, etc.
Great
A request: could you please post some pictures?
Click to expand...
Click to collapse
The device has a warranty seal inside. If you open the device completly the seal will break. I have just opened the device soo far, that the seal will not break. To make photos I will have to open it copletly. I will think about it....
Dexter_nlb said:
did i write i had problem dumping the entire mmc device? not really.
Yes, you misunderstood,Writing a proper cfg file describing the different areas is required.. dumping is easy part, documenting is harder..
but feel free to contribute and document the .cfg file for bootloader, that is of course appreciated...
Click to expand...
Click to collapse
Ok, I see. I have duped the mmc and mounted the partitions on my pc:
Here is the partition table on my PC:
Code:
[email protected] ~/bin/folio $ /sbin/fdisk -u -l folio.img
Platte folio.img: 15.9 GByte, 15920005120 Byte
1 Köpfe, 63 Sektoren/Spur, 493551 Zylinder, zusammen 31093760 Sektoren
Einheiten = Sektoren von 1 × 512 = 512 Bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Gerät boot. Anfang Ende Blöcke Id System
folio.img1 2048 526335 262144 83 Linux (/system)
folio.img2 526336 2623487 1048576 83 Linux (/cache)
folio.img3 2623488 2627583 2048 83 Linux (/misc)
folio.img4 2627584 31093759 14233088 5 Erweiterte
folio.img5 2628608 2644991 8192 83 Linux (???)
folio.img6 2646016 4743167 1048576 83 Linux (/data)
folio.img7 4744192 4754431 5120 83 Linux (???)
folio.img8 4755456 31093759 13169152 83 Linux (13G - storage)
Now you can mount the partitions on your pc:
Code:
sudo mount -o loop,ro,offset=$((512*2048)) folio.img /mnt/floppy/
I was not able to find the kernel or the bootloader or the root partition in the dump. I have also checked it with a hex editor.
Is the Folio using an other storage for kernel and bootloder? Does it have more NOR/NAND flash inside?
While looking at the size of the microSD (15920005120 bytes) I think that the bootloader is hiding a part of the microSD from the OS where the kernel and the bootloader are...
Where is the .cfg file you are talking about located?

DerArtem said:
Where is the .cfg file you are talking about located?
Click to expand...
Click to collapse
its a file assoiciated with the nvflash utility. search for the toshiba AC100 or here for more details for them it works fine.
the part 5 and 7 are boot kernel(8Mbyte) + recovery kernel(5Mbyte) , bootloader is as i know from ac100 on part0 , but thats not 100% yet.

Dexter_nlb said:
the part 5 and 7 are boot kernel(8Mbyte) + recovery kernel(5Mbyte) , bootloader is as i know from ac100 on part0 , but thats not 100% yet.
Click to expand...
Click to collapse
So, I have checked part 5 and 7. The content is the same like in boot.img and recovery.img. So the BCT is somewhere else...

[Q] Nexus 4 | IMEI/Baseband unknown | BootLoop with 4.3

Hello,
I think this is a hard one for you.
My unrooted Nexus 4 (Android 4.3) worked perfectly fine until the day I (randomly?) lost the signal (couldn't make phone calls or browse the internet ). I thought, hey that's not too bad, make a restart and it will work again.
Well instead of booting again it was stuck in a bootloop. So I reflashed stock 4.3, again bootloop, I tried to flash CM, bootloop, I cleared caches/wiped files constantly with twrp and CWM. Then finally I flashed stock 4.2, hey it booted!
But I had no IMEI number, nor a baseband version! So I flashed several baseband versions, neither worked (the bootloader-start screen showed the flashed versions though!).
So far I am searching for a solution all over the internet on how to restore the IMEI without a backup! Is there any hope for me? I have the IMEI number and tbh from my understanding this number has to be saved somewhere in hardware as well.
Any help appreciated!
- David
Btw. update from 4.2 to 4.3 -> Bootloop.

Just flashed 4.4 and it bootloops.

Ok, new idea, but I need your help for it.
What if I can restore my IMEI based on one of your "m9kefs1.img"? Can anyone provide me a working image of "m9kefs1.img", "m9kefs2.img" and "m9kefs3.img", this would be awesome!

hi...im having the same issue ...i tried almost everything without luck... i was thinking why google developers wont give us a solution for those who are outside the U.S. ...cause its real pain in the a** trying to send it to their service.

Same problem
dav1dde said:
Ok, new idea, but I need your help for it.
What if I can restore my IMEI based on one of your "m9kefs1.img"? Can anyone provide me a working image of "m9kefs1.img", "m9kefs2.img" and "m9kefs3.img", this would be awesome!
Click to expand...
Click to collapse
What you have in "/dev/block" ?
This is mine:
~ # cd dev/block
cd dev/block
/dev/block # ls
ls
loop0 mmcblk0 mmcblk0p16 mmcblk0p23 mmcblk0p8 ram13 ram7
loop1 mmcblk0p1 mmcblk0p17 mmcblk0p24 mmcblk0p9 ram14 ram8
loop2 mmcblk0p10 mmcblk0p18 mmcblk0p25 platform ram15 ram9
loop3 mmcblk0p11 mmcblk0p19 mmcblk0p3 ram0 ram2 vold
loop4 mmcblk0p12 mmcblk0p2 mmcblk0p4 ram1 ram3
loop5 mmcblk0p13 mmcblk0p20 mmcblk0p5 ram10 ram4
loop6 mmcblk0p14 mmcblk0p21 mmcblk0p6 ram11 ram5
loop7 mmcblk0p15 mmcblk0p22 mmcblk0p7 ram12 ram6

News
I saved my "m9kefs1.img" & "m9kefs2.img"!
They are 2 files of 780KB with a lot of information, are they corrupted?

The problem are not the "files" in /dev/block but the contents of these 2 files:
Code:
m9kefs1 (/dev/block/mmcblk0p8)
m9kefs2 (/dev/block/mmcblk0p9)
I don't know if they are corrupted, because I can't compare them to mine, which are definitly broken.

News? On eBay I found an engineering sample with a "Repair EFS" program, where can I download it?
Thanks!

Help me! :banghead:

Android 4.4.1
Anyone have tried if Android 4.4.1 have bugfixed this problem?

PN.ItalyGirl said:
Anyone have tried if Android 4.4.1 have bugfixed this problem?
Click to expand...
Click to collapse
neither 4.4.1 or 4.4.2 factory images solve this unknow baseband / imei problem

[ROM][PORT][JB 4.1.2] Nabixus 0.1beta for Nabi 2

This is a port of stock the Nexus7 (Grouper) 4.1.2 ROM with the Nabi 2 OTA 2.4.6 as the base. Everything seems to be working but as the title says it is a beta and so not fully tested....FLASH AT YOUR OWN RISK!!!!
Couple of things to be aware of: You have to update some of the apps before they work (Chrome for instance) and when adjusting the brightness it is possible to turn the screen all the way black, don't panic, just slide it back to the right...oh, and if you try to skip turning on the wifi it still tries to connect but it will eventually time out. If anyone actually uses the Nabi camera I have found that the Nexus 7 Camera app from the play store will work, other ones might also but I tested that one. There are no HDMI settings right now because the Nexus didn't have that port but the HDMI does work.
Screenshot:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Instructions:
1. Make a full TWRP backup to external sdcard!!! AND make sure your backup works!!!
2. Download the zip and place it on your external sdcard.
3. Wipe everything except external sdcard.
4. Install the zip.
5. Wipe cache and davlik again for good measure.
6. Reboot and do a little happy dance!!! (First boot takes a while so don't freak after 30 secs, lol)
Download: Nabixus_beta0.1.zip , Mirror1, or Mirror2
MD5: b334707cf14b2ad4e552d6a7a3b48fcd
Let me know what you think, I know there's room for improvement....and I'll fix this post up some at some point, give me a break it's my first time!!

reserved

reserved 2

First! LOL. Glad you got it going. If you need any help or any stock files from my newly acquired Nexus 7, let me know. I can make a complete nandroid if needed.

Additional screenshots!
Can't spend too much time fooling around with it before the kids get up, but looks good for now! Thanks for the awesome work!

Just to report, all is well with the port. Just getting a bit of screen flicker but that is due to the low brightness level. It has gone away since I have raised it up all the way. All apps updating fine via Playstore and OTG USB working great as well. Side loading a lot of what I call my "Power Rooting Apps". This reminds me of the nexus 7 I just got LOL. Great job!

Dude! YOU ROCK....
Now when my son upgrades, I'll be able to use the nabi for kodi (xbmc) on the tv.
Sent from my Nexus 7 using Tapatalk

Awesome, can't wait till I have a moment free to give this a try!
Sent from my Nexus 10 using Tapatalk

@n3wt GREAT job, just wanted to know if I build CyanogenMod for Nexus 7 2012; could you port CyanogenMod over to Nabi?

katinatez said:
@n3wt GREAT job, just wanted to know if I build CyanogenMod for Nexus 7 2012; could you port CyanogenMod over to Nabi?
Click to expand...
Click to collapse
I've been trying to port CM the past few days and keep getting stuck at a never ending boot animation. So yeah, if you guys could give it a shot that would be great, lol.

katinatez said:
if I build CyanogenMod for Nexus 7 2012; could you port CyanogenMod over to Nabi?
Click to expand...
Click to collapse
maybe. aicjofs suggested that the kernel might be too different though. I have a cm with tablet ui for the Nexus that I was looking at but I'm toying with the idea of trying to get a working kernel compiled. ... That way we could just build a rom for the nabi.
It took a lot of hours to get to this point though so whatever comes next will be after a bit of rest.
I'm really happy that you guys are liking this one, feel free to take it and mod it and what not.

SMcC2 said:
I've been trying to port CM the past few days and keep getting stuck at a never ending boot animation. So yeah, if you guys could give it a shot that would be great, lol.
Click to expand...
Click to collapse
Do you have adb working?

ROFL
Anyone else get the email
"Hello from Google: Get the most out of your Nexus 7" ?

n3wt said:
Do you have adb working?
Click to expand...
Click to collapse
I had it working at one point, but don't remember how I had gotten there.
I've been using these links as resources:
How to Build CyanogenMod for Grouper
How to Port CyanogenMod to new Devices
Kernel Building for CyanogenMod
The instructions for building on Grouper say to pull the proprietary blobs from a device with CyanogenMod already installed. I don't have that option.
Note:
Your device should already be running a build of CyanogenMod for the branch you wish to build for the extract-files.sh script to function properly. Nexus users: While it maybe be tempting to run the script on stock Android, and in fact it may succeed, realize that some of the blobs CyanogenMod uses are modified or otherwise different from stock blobs (e.g. Adreno graphics libraries). Save yourself some trouble and install a copy of CyanogenMod on your device before extracting blobs.
Click to expand...
Click to collapse
The instructions for porting to new devices says
Create extract-files.sh and setup-makefiles.sh scripts to pull those blob files from the device using adb and put them in the right /vendor/ directory. There are plenty of examples available for other devices.
Create an .mk Makefile to copy those files to the $OUT folder during the build process and put them in the right place. Again, use other devices as a guide for what this Makefile should look like. An example filename might be BoardConfigVendor.mk
Make sure that the Makefile you just created is included from your main BoardConfig.mk via a command such as -include vendor/[vendor]/[codename]/BoardConfigVendor.mk. Again, existing devices can illustrate how this is done.
Click to expand...
Click to collapse
I don't think I'm getting everything when I do that and that's where my problem is...

maybe. aicjofs suggested that the kernel might be too different though.
Click to expand...
Click to collapse
The Nabi kernel should be based on AOSP, so that is the best ROM's to work with for best compatibility. AOKP, and CM being there own breed might need some kernel mods. For example on current Qualcomm devices CM is using CAF code and AOSP is using google kernel code. Just an example
Anyone else get the email
Click to expand...
Click to collapse
Could be this in build.prop.
ro.build.fingerprint=google/nakasi/grouper:4.1.2/JZO54K/485486:user/release-keys
or a special bit of code in email program.
Create extract-files.sh and setup-makefiles.sh scripts to pull those blob files from the device using adb and put them in the right /vendor/ directory. There are plenty of examples available for other devices.
Click to expand...
Click to collapse
Yeah you have to do it all manually(make proprietary-files.txt). I did it once but it was all manual, and I could have missed something, it took hours. I also remember having a failure pulling the firmware files in the /vendor directory. You can look at what I did in attached
@n3wt You should write up some of your secret sauce, would help those guys mimic what you did on other ROM's

aicjofs said:
Yeah you have to do it all manually(make proprietary-files.txt). I did it once but it was all manual, and I could have missed something, it took hours. I also remember having a failure pulling the firmware files in the /vendor directory. You can look at what I did in attached
Click to expand...
Click to collapse
I was afraid it might have to be done manually.

SMcC2 said:
I've been trying to port CM the past few days and keep getting stuck at a never ending boot animation. So yeah, if you guys could give it a shot that would be great, lol.
Click to expand...
Click to collapse
Same here LOL. I have been trying to port CleanRom 4.0.0 JB 4.3 from my Nexus 7 but am stuck at the 4 rotating orbs. I have the boot image decompiled and the complete System files from my Nexus 7 if anyone would like to give it a try.
aicjofs said:
@n3wt You should write up some of your secret sauce, would help those guys mimic what you did on other ROM's
Click to expand...
Click to collapse
Yes please, I have dissected the rom to see the differences and have gotten as far as I have so far. It is very time consuming for sure. I have 4.1.2 Modded to the bone at the moment.
In case anyone wants the info:Off my Nexus 7 Running CleanRom 4.0.0 4.3 JB.
Code:
(dev/block/platform/sdhci-tegra.3/by-name)
[email protected]:/ $ cat /proc/partitions
cat /proc/partitions
major minor #blocks name
7 0 2111 loop0
7 1 11466 loop1
7 2 9387 loop2
7 3 4190 loop3
7 4 28098 loop4
7 5 61362 loop5
7 6 8348 loop6
7 7 53046 loop7
179 0 31178752 mmcblk0
179 1 12288 mmcblk0p1
179 2 8192 mmcblk0p2
179 3 665600 mmcblk0p3
179 4 453632 mmcblk0p4
179 5 512 mmcblk0p5
179 6 10240 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 512 mmcblk0p8
179 9 30014464 mmcblk0p9
179 32 2048 mmcblk0boot1
179 16 2048 mmcblk0boot0
254 0 2110 dm-0
254 1 11466 dm-1
254 2 9387 dm-2
254 3 4189 dm-3
254 4 28098 dm-4
254 5 61362 dm-5
254 6 8347 dm-6
254 7 53046 dm-7
7 8 2111 loop8
254 8 2110 dm-8
=============================================
[email protected]:/ $ ls -al /dev/block/platform/sdhci-tegra.3/by-name
ls -al /dev/block/platform/sdhci-tegra.3/by-name
lrwxrwxrwx root root 2014-10-04 12:29 APP -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2014-10-04 12:29 CAC -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2014-10-04 12:29 LNX -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2014-10-04 12:29 MDA -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2014-10-04 12:29 MSC -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2014-10-04 12:29 PER -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2014-10-04 12:29 SOS -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2014-10-04 12:29 UDA -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2014-10-04 12:29 USP -> /dev/block/mmcblk0p6
[COLOR=Red]=============================================[/COLOR]
[COLOR=DarkRed][B]( fstab.grouper )[/B][/COLOR]
[COLOR=Red]==================================[/COLOR]
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
/dev/block/platform/sdhci-tegra.3/by-name/APP /system ext4 noatime,nodiratime,nodev,noauto_da_alloc wait
/dev/block/platform/sdhci-tegra.3/by-name/CAC /cache ext4 noatime,nodiratime,nosuid,nodev,data=writeback,noauto_da_alloc,nomblk_io_submit,errors=panic wait
/dev/block/platform/sdhci-tegra.3/by-name/UDA /data ext4 noatime,nodiratime,nosuid,nodev,data=writeback,noauto_da_alloc,nomblk_io_submit,errors=panic wait,encryptable=/dev/block/platform/sdhci-tegra.3/by-name/MDA
/dev/block/platform/sdhci-tegra.3/by-name/MSC /misc emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/LNX /boot emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/SOS /recovery emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/USP /staging emmc defaults defaults
/devices/platform/tegra-ehci /storage/usbdisk vfat defaults voldmanaged=usbdisk:auto
[COLOR=Red]---------------------------------------------[/COLOR]
[B][COLOR=DarkRed]( fstab.grouper~ )[/COLOR][/B]
[COLOR=Red]-------------------------------------[/COLOR]
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
/dev/block/platform/sdhci-tegra.3/by-name/APP /system ext4 ro wait
/dev/block/platform/sdhci-tegra.3/by-name/CAC /cache ext4 noatime,nosuid,nodev,nomblk_io_submit,errors=panic wait
/dev/block/platform/sdhci-tegra.3/by-name/UDA /data ext4 noatime,nosuid,nodev,nomblk_io_submit,errors=panic wait,encryptable=/dev/block/platform/sdhci-tegra.3/by-name/MDA
/dev/block/platform/sdhci-tegra.3/by-name/MSC /misc emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/LNX /boot emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/SOS /recovery emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/USP /staging emmc defaults defaults
/devices/platform/tegra-ehci /storage/usbdisk vfat defaults voldmanaged=usbdisk:auto

SMcC2 said:
I was afraid it might have to be done manually.
Click to expand...
Click to collapse
Well look over the zip I posted maybe it can save some time.
DarkAngel said:
Same here LOL. I have been trying to port CleanRom 4.0.0 JB 4.3
Click to expand...
Click to collapse
Above 4.2 you will need SElinux support in kernel, so I don't 4.3 is going to work.

aicjofs said:
Well look over the zip I posted maybe it can save some time.
Above 4.2 you will need SElinux support in kernel, so I don't 4.3 is going to work.
Click to expand...
Click to collapse
I know but I had to try.

You think I could just ls the vendor file and copy it in to a text file with the right format?
Here is an example from my HTC...
[email protected]:/ $ cd system
[email protected]:/system $ cd vendor
[email protected]:/system/vendor $ ls */*
etc/audio_effects.conf
firmware/acdb.mbn
firmware/apps.mbn
firmware/bcm4335_prepatch.hcd
firmware/dsp1.mbn
firmware/dsp2.mbn
firmware/dsp3.mbn
firmware/efs1.mbn
firmware/efs2.mbn
firmware/efs3.mbn
firmware/htc61.mbn
firmware/htc62.mbn
firmware/htc63.mbn
firmware/htc64.mbn
firmware/htc65.mbn
firmware/htccdma.mbn
firmware/htcnvbak.mbn
firmware/htcrcust.mbn
firmware/htcrfnv.mbn
firmware/htcsmem.mbn
firmware/htcssmem.mbn
keymaster.b00
keymaster.b01
keymaster.b02
keymaster.b03
keymaster.mdt
firmware/mdm_acdb.img
firmware/q6.b00
firmware/q6.b01
firmware/q6.b03
firmware/q6.b04
firmware/q6.b05
firmware/q6.b06
firmware/q6.mdt
firmware/rpm.mbn
firmware/sbl1.mbn
firmware/sbl1_82.mbn
firmware/sbl1_92.mbn
firmware/sbl1_96.mbn
firmware/sbl2.mbn
eglsubAndroid.so
libEGL_adreno.so
libGLESv1_CM_adreno.so
libGLESv2S3D_adreno.so
libGLESv2_adreno.so
libq3dtools_adreno.so
power.msm8960.so
lib/libC2D2.so
lib/libQSEEComAPI.so
lib/libRSDriver_adreno.so
lib/libWVStreamControlAPI_L1.so
lib/libadreno_utils.so
lib/libbt-vendor.so
lib/libc2d30-a3xx.so
lib/libc2d30.so
lib/libgsl.so
lib/libllvm-a3xx.so
lib/libqc-opt.so
lib/librs_adreno.so
lib/librs_adreno_sha1.so
lib/libsc-a3xx.so
lib/libwvm.so
detection
recognition
[email protected]:/system/vendor $

[GUIDE] How to unlock and root Xiaomi Redmi 9 (Galahad/Lancelot)

There are some posts on how to root the Xiaomi Redmi 9 (Galahad/Lancelot) phone, but since they have lots of "don't know" phrases (or files of unknown origin), I've managed to do the whole process from scratch.
Lancelot or Galahad​
Basically, the codename for Xiaomi Redmi 9 phone is Lancelot. But when you get shell via ADB, you will see Galahad. This can cause lots of confusion because you may think that Galahad and Lancelot are two different phones. In reality they're the same phone. Moreover, the specs of the Xiaomi Redmi 9 says that the phone has a MT6769T SoC (the info comes from the phone's /proc/cpuinfo). But it looks like the official ROM, TWRP, even CPU-Z treats the phone as if it had the MT6768 SoC. So keep that in mind when you look for some info concerning the phone.
The phone was bought in Europe/Poland last year (the black Friday, 2020) from the official source. Here's some more info:
Code:
galahad:/ # getprop | grep -i model
[ro.product.model]: [M2004J19C]
[ro.product.odm.model]: [M2004J19C]
[ro.product.product.model]: [M2004J19C]
[ro.product.system.model]: [M2004J19C]
[ro.product.vendor.model]: [M2004J19C]
galahad:/ # getprop | grep -i ro.build.version.
[ro.build.version.base_os]: [Redmi/galahad_eea/galahad:10/QP1A.190711.020/V12.0.0.1.QJCEUXM:user/release-keys]
[ro.build.version.incremental]: [V12.0.1.0.QJCEUXM]
[ro.build.version.security_patch]: [2021-01-05]
galahad:/ # getprop | grep -i baseband
[gsm.version.baseband]: [MOLY.LR12A.R3.MP.V98.P75,MOLY.LR12A.R3.MP.V98.P75]
[ro.baseband]: [unknown]
[vendor.gsm.project.baseband]: [HUAQIN_Q0MP1_MT6769_SP(LWCTG_CUSTOM)]
$ fastboot getvar all
...
(bootloader) product: lancelot
...
(bootloader) version-baseband: MOLY.LR12A.R3.MP.V98.P75
(bootloader) version-bootloader: lancelot-2b1e22f-20201123162228-2021011
(bootloader) version-preloader:
(bootloader) version: 0.5
...
The bootloader unlock​
Before you even start thinking of flashing the TWRP image to the Xiaomi Redmi 9 (Galahad/Lancelot) phone, you have to unlock it's bootloader first. It's a straightforward operation, but you need some proper tools to achieve that. If you're using windows, use Mi Unlock, if you're on linux, use xiaomitool. I'm a linux user so I can't help with this process those of you who use windows. If you're going to use xiaomitool, there's a bug in the current version (20.7.28 beta), and you have to patch the source yourself to make it work again. It's not hard. There's an article step by step how to do it. It's in Polish, but all the necessary commands are included so you can just ctrl+c and ctrl+v.
When you unlock the bootloader, you can flash the TWRP image, so make sure you have the following in the Developer options:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The TWRP image​
There are some prebuilt TWRP images in the wild, but I wanted source of the files, and I couldn't get any. But I've managed to target this device tree. I attached the twrp-recovery.img (64MiB) file in this post. It looks like the TWRP image built from that source has everything that's needed, so you won't really have to build it yourself. If you want to build the TWRP image yourself from the provided source, you have to go through setting up the android build environment.
Flashing the TWRP image​
When you have the TWRP image, you can flash it to the Xiaomi Redmi 9 (Galahad/Lancelot) phone using fastboot. On Debian, you just install the fastboot package. To flash the TWRP image, turn off you phone, turn it on using volumeDown+power, plug the phone via USB to your desktop/laptop and issue the following command:
Code:
$ fastboot flash recovery twrp-recovery.img
Remember one thing. This flashing has only a temporary effect. When you boot the device in a normal mode, the recovery partition will be automatically regenerated and flashed by your phone. So when you issue the command above, boot to recovery via:
Code:
$ fastboot reboot recovery
After you boot into TWRP recovery, it will ask for password. This is the password that you use to unlock your phone's lock screen.
Backup the phone's flash​
The temporary TWRP recovery is needed to take the backup of the whole phone's flash. The only partition that has been changed is the recovery partition. Other partitions are intact. In this way, you can backup partitions that hold IMEI, WiFi/BT MACs, and other important stuff. If something goes wrong, you can restore the phone to it's default state (after unlocking) using fastboot and the partition images.
To make the backup of the whole phone's flash, use the following command:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
This command is issued from your desktop/laptop computer, and not from the phone. Of course you could just use the dd command and backup the flash to the external SD card, but my external SD was only 32G, and the phone's flash is 64G. Besides it's better to store the phone's flash on your computer for future use.
The process of taking a backup is rather slow. It took around 2h (14M/s). After it finishes, you can check whether everything with the image is OK by looking into the image using the gdisk tool:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
/dev/block/mmcblk0: 1 file pulled. 14.0 MB/s (62537072640 bytes in 4266.682s)
# gdisk -l /media/Zami/mmcblk0.img
GPT fdisk (gdisk) version 1.0.7
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk /media/Zami/mmcblk0.img: 122142720 sectors, 58.2 GiB
Sector size (logical): 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 122142686
Partitions will be aligned on 16-sector boundaries
Total free space is 61 sectors (30.5 KiB)
Number Start (sector) End (sector) Size Code Name
1 64 131135 64.0 MiB 0700 recovery
2 131136 132159 512.0 KiB 0700 misc
3 132160 133183 512.0 KiB 0700 para
4 133184 174143 20.0 MiB 0700 expdb
5 174144 176191 1024.0 KiB 0700 frp
6 176192 192575 8.0 MiB 0700 vbmeta
7 192576 208959 8.0 MiB 0700 vbmeta_system
8 208960 225343 8.0 MiB 0700 vbmeta_vendor
9 225344 271631 22.6 MiB 0700 md_udc
10 271632 337167 32.0 MiB 0700 metadata
11 337168 402703 32.0 MiB 0700 nvcfg
12 402704 533775 64.0 MiB 0700 nvdata
13 533776 632079 48.0 MiB 0700 persist
14 632080 730383 48.0 MiB 0700 persistbak
15 730384 746767 8.0 MiB 0700 protect1
16 746768 770047 11.4 MiB 0700 protect2
17 770048 786431 8.0 MiB 0700 seccfg
18 786432 790527 2.0 MiB 0700 sec1
19 790528 796671 3.0 MiB 0700 proinfo
20 796672 797695 512.0 KiB 0700 efuse
21 797696 850943 26.0 MiB 0700 boot_para
22 850944 982015 64.0 MiB 0700 nvram
23 982016 998399 8.0 MiB 0700 logo
24 998400 1260543 128.0 MiB 0700 md1img
25 1260544 1262591 1024.0 KiB 0700 spmfw
26 1262592 1274879 6.0 MiB 0700 scp1
27 1274880 1287167 6.0 MiB 0700 scp2
28 1287168 1289215 1024.0 KiB 0700 sspm_1
29 1289216 1291263 1024.0 KiB 0700 sspm_2
30 1291264 1324031 16.0 MiB 0700 gz1
31 1324032 1356799 16.0 MiB 0700 gz2
32 1356800 1360895 2.0 MiB 0700 lk
33 1360896 1364991 2.0 MiB 0700 lk2
34 1364992 1496063 64.0 MiB 0700 boot
35 1496064 1528831 16.0 MiB 0700 dtbo
36 1528832 1539071 5.0 MiB 0700 tee1
37 1539072 1549311 5.0 MiB 0700 tee2
38 1549312 1582079 16.0 MiB 0700 gsort
39 1582080 1844223 128.0 MiB 0700 minidump
40 1844224 2630655 384.0 MiB 0700 exaid
41 2630656 4727807 1024.0 MiB 0700 cust
42 4727808 4744191 8.0 MiB 0700 devinfo
43 4744192 4767743 11.5 MiB 0700 ffu
44 4767744 19447807 7.0 GiB 0700 super
45 19447808 20332543 432.0 MiB 0700 cache
46 20332544 122021823 48.5 GiB 0700 userdata
47 122021824 122109887 43.0 MiB 0700 otp
48 122109888 122142655 16.0 MiB 0700 flashinfo
As you can see, there's the whole flash layout with all the partitions in their stock state (except for the recovery partition, of course). If something goes wrong, you can extract the individual partition by mounting the image on a linux system in the following way:
Code:
# losetup /dev/loop5 /media/Zami/mmcblk0.img
# losetup -a
/dev/loop5: [64769]:12 (/media/Zami/mmcblk0.img)
The above command uses the /dev/loop5 device to mount the image. Since the image has many partitions, the corresponding devices will be created for each partition, which looks like this:
Code:
# ls -al /dev/loop5*
brw-rw---- 1 root disk 7, 320 2021-08-29 02:54:11 /dev/loop5
brw-rw---- 1 root disk 7, 321 2021-08-29 02:54:11 /dev/loop5p1
brw-rw---- 1 root disk 7, 330 2021-08-29 02:54:11 /dev/loop5p10
brw-rw---- 1 root disk 7, 331 2021-08-29 02:54:11 /dev/loop5p11
brw-rw---- 1 root disk 7, 332 2021-08-29 02:54:11 /dev/loop5p12
brw-rw---- 1 root disk 7, 333 2021-08-29 02:54:11 /dev/loop5p13
brw-rw---- 1 root disk 7, 334 2021-08-29 02:54:11 /dev/loop5p14
brw-rw---- 1 root disk 7, 335 2021-08-29 02:54:11 /dev/loop5p15
brw-rw---- 1 root disk 7, 336 2021-08-29 02:54:11 /dev/loop5p16
brw-rw---- 1 root disk 7, 337 2021-08-29 02:54:11 /dev/loop5p17
brw-rw---- 1 root disk 7, 338 2021-08-29 02:54:11 /dev/loop5p18
brw-rw---- 1 root disk 7, 339 2021-08-29 02:54:11 /dev/loop5p19
brw-rw---- 1 root disk 7, 322 2021-08-29 02:54:11 /dev/loop5p2
brw-rw---- 1 root disk 7, 340 2021-08-29 02:54:11 /dev/loop5p20
brw-rw---- 1 root disk 7, 341 2021-08-29 02:54:11 /dev/loop5p21
brw-rw---- 1 root disk 7, 342 2021-08-29 02:54:11 /dev/loop5p22
brw-rw---- 1 root disk 7, 343 2021-08-29 02:54:11 /dev/loop5p23
brw-rw---- 1 root disk 7, 344 2021-08-29 02:54:11 /dev/loop5p24
brw-rw---- 1 root disk 7, 345 2021-08-29 02:54:11 /dev/loop5p25
brw-rw---- 1 root disk 7, 346 2021-08-29 02:54:11 /dev/loop5p26
brw-rw---- 1 root disk 7, 347 2021-08-29 02:54:11 /dev/loop5p27
brw-rw---- 1 root disk 7, 348 2021-08-29 02:54:11 /dev/loop5p28
brw-rw---- 1 root disk 7, 349 2021-08-29 02:54:11 /dev/loop5p29
brw-rw---- 1 root disk 7, 323 2021-08-29 02:54:11 /dev/loop5p3
brw-rw---- 1 root disk 7, 350 2021-08-29 02:54:11 /dev/loop5p30
brw-rw---- 1 root disk 7, 351 2021-08-29 02:54:11 /dev/loop5p31
brw-rw---- 1 root disk 7, 352 2021-08-29 02:54:11 /dev/loop5p32
brw-rw---- 1 root disk 7, 353 2021-08-29 02:54:11 /dev/loop5p33
brw-rw---- 1 root disk 7, 354 2021-08-29 02:54:11 /dev/loop5p34
brw-rw---- 1 root disk 7, 355 2021-08-29 02:54:11 /dev/loop5p35
brw-rw---- 1 root disk 7, 356 2021-08-29 02:54:11 /dev/loop5p36
brw-rw---- 1 root disk 7, 357 2021-08-29 02:54:11 /dev/loop5p37
brw-rw---- 1 root disk 7, 358 2021-08-29 02:54:11 /dev/loop5p38
brw-rw---- 1 root disk 7, 359 2021-08-29 02:54:11 /dev/loop5p39
brw-rw---- 1 root disk 7, 324 2021-08-29 02:54:11 /dev/loop5p4
brw-rw---- 1 root disk 7, 360 2021-08-29 02:54:11 /dev/loop5p40
brw-rw---- 1 root disk 7, 361 2021-08-29 02:54:11 /dev/loop5p41
brw-rw---- 1 root disk 7, 362 2021-08-29 02:54:11 /dev/loop5p42
brw-rw---- 1 root disk 7, 363 2021-08-29 02:54:11 /dev/loop5p43
brw-rw---- 1 root disk 7, 364 2021-08-29 02:54:11 /dev/loop5p44
brw-rw---- 1 root disk 7, 365 2021-08-29 02:54:11 /dev/loop5p45
brw-rw---- 1 root disk 7, 366 2021-08-29 02:54:11 /dev/loop5p46
brw-rw---- 1 root disk 7, 367 2021-08-29 02:54:11 /dev/loop5p47
brw-rw---- 1 root disk 7, 368 2021-08-29 02:54:11 /dev/loop5p48
brw-rw---- 1 root disk 7, 325 2021-08-29 02:54:11 /dev/loop5p5
brw-rw---- 1 root disk 7, 326 2021-08-29 02:54:11 /dev/loop5p6
brw-rw---- 1 root disk 7, 327 2021-08-29 02:54:11 /dev/loop5p7
brw-rw---- 1 root disk 7, 328 2021-08-29 02:54:11 /dev/loop5p8
brw-rw---- 1 root disk 7, 329 2021-08-29 02:54:11 /dev/loop5p9
To extract some partition (for instance the stock boot), use the following command:
Code:
# dd if=/dev/loop5p34 of=./34-stock-boot.img
Extracting any of the partitions from the backup creates a file that can be flashed via fastboot or directly via dd from TWRP recovery. So as long as fastboot (or TWRP recovery) works and you are able to switch to that mode, you shouldn't brick the phone for good. All the bricks should be only temporary and they go away when you flash the stock partitions to the changed ones. So pay attention what changes you commit to the phone's flash.
The Magisk app and a bootloop​
To sum up, we have a backup of the phone's flash on our computer, we have flashed a temp TWRP image to the recovery partition, and we are booted in the TWRP recovery mode. Now it's time to flash Magisk and get root on our Xiaomi Redmi 9 (Galahad/Lancelot) phone.
But not so fast. If you just flashed the Magisk apk file using TWRP, you will get a bootloop. This is because of the Android Verified Boot mechanism, which still works even after you unlock the phone. You can read about this AVB mechanism more here. Basically it's all about the boot partition hashes (and possibly other partition hashes as well) which are allowed by manufacturer of the phone to be valid. So only those boot images that have valid hashes can be used in the boot process of the device. Flashing Magisk changes the boot partition, and in this way the hash of the boot partition changes. So, when you try to boot the phone after you flashed Magisk from the TWRP recovery, it will bootloop. Also you will loose access to the recovery partition, so you won't be able to revert the change you did when you flashed the Magisk app. The only way to restore the phone in such state is to flash the stock boot partition. That's why you should make the phone's whole flash backup. I include the stock boot partition here for those who didn't have the backup, but pay attention that this boot image is for Android10/MIUI12 (see the specs above), and I don't know what will happen if you use the image with different software/firmware/ROM.
Install the Magisk app​
To avoid the unpleasant bootloop situation after flashing the Magisk app, you have to deactivate the AVB mechanism. You do this by flashing the stock vbmeta partition using fastboot, i.e. the following command:
Code:
# dd if=/dev/loop5p6 of=./6-stock-vbmeta.img
$ fastboot --disable-verity --disable-verification flash vbmeta 6-stock-vbmeta.img
You can proceed with flashing the Magisk app only after you disable the AVB mechanism.
If your phone restored the stock recovery, flash once again the TWRP recovery, and boot into the recovery mode. Download the most recent Magisk app, currently Magisk-v23.0.apk. Yes, I know it's an APK file, and yes, you have to flash the APK file via TWRP recovery. You're going to see some messages about repacking the stock boot and flashing it.
This is the step when the phone stops rewriting the custom recovery partition. So, after installing the Magisk app, the TWRP recovery will be persistent, and you won't have to flash it again.
After flashing the APK file, you have to boot to the phone's OS in order to finish installing Magisk (the OS part/app). You'll be prompted to do this step, so follow what it says and ultimatelly you get the Magisk installed:
SafetyNet​
The next thing is to open the Magisk App. After this, check the SafetyNet. It should fail. Go to the options and "Hide the Magisk app". You also have to activate MagiskHide. After this, check the SafetyNet again. It should pass now.
So now you have the root access on your Xiaomi Redmi 9 (Galahad/Lancelot) and also it passes the SafetyNet.
This HOWTO should work for the Xiaomi Redmi 9 (Galahad/Lancelot) phones, but I'm not sure whether I forgot to mention about something. Anyways, if you have any questions, or something doesn't work, ask.

Wow,realy great guide,good written and all infos are there,not bad!!!Cheers!!!

I fixed some spelling mistakes, now it should be easier to read.

Thanks a lot for this great guide.
Small problem here though ;-)
Entering
$ fastboot reboot recovery
leads to:
fastboot: usage: unknown reboot target recovery
Looking at fastboot --help there is no such parameter. Either bootloader or emergency (the latter doesn't work)
Thanks in advance - Chris

It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?

morfikov said:
It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?
Click to expand...
Click to collapse
Thank you, morfikov - that was it. Mine was nearly 12 years old :-D
Everyone else facing this issue: latest SDK Platform Tools always under https://developer.android.com/studio/releases/platform-tools
Thanks again for your fabulous guide!

Great guide! I even managed to compile latest TWRP from the devicetree you linked. The only thing that I would add is that I had to use losetup -fP <name>.img. The "P" flag forces the loop device to display partitions and "f" just takes the first available device. As for magisk, I had to use the Didgeridoohan's MagiskHide Props Config module in order to pass CTS check. I just had to "Force BASIC key attestation" using the default value "galahad". I suspect that has to do with the fact that i'm running latest EEA rom (Android 11), other than that I use the same phone - European version bought in Poland

morfikov said:
The process of taking a backup is rather slow. It took around 2h (14M/s)
Click to expand...
Click to collapse
You might have been using a USB 2.0 port.
It is advised that you use a USB 3.x Port. Throughput here was: 146.5 MB/s. It took around 10-15 Minutes.
Maybe you want to put that advise in your guide..

Another tipp which makes the the deavtivation of the AVB mechanism and flashing the stock vbmeta partition using fastbootmuch easier, fast - and also suitable to Windows machines. It takes all together only 2-3 minutes then:
When you're in TWRP after the first flash, instead of pulling the complete image of your Redmi 9 (which is not bad at all, but the image is not loadable under Win machines), you use the means of TWRP:
In TWRP you enter the section "Backup"
There you select the storage "Micro SD card"
In the list of partitions to be backed up ONLY select "vbmeta". It's only 8 MB. (This only takes a few seconds and requires not more than 9MB on your SD card ;-) )
Then "Swipe to Backup"
After that you stay in TWRP
Then you copy the tiny backup to your adb/fastboot folder on the PC (as you're in TWRP, you have full access):
Copy from your phone the files from Redmi's "External_SD/TWRP/BACKUPS/Redmi_9/<current date/time/ID>" to your adb/fastboot folder on the PC:
vbmeta.emmc.win
vbmeta.emmc.win.sha2
(recovery.log is not needed, it only contains the console output)
Within TWRP go back to the main menu and select "Reboot" and select "Fastboot"
The Smartphone reboots into TWRP / Fastboot mode
Now from the PC you turn the the AVB mechanism off by flashing:
$ fastboot --disable-verity --disable-verification flash vbmeta vbmeta.emmc.win
Now you continue with the guide above - reflashing TWRP & booting in Recovery:
$ fastboot flash recovery twrp-recovery.img
$ fastboot reboot recovery
In TWRP back again, now flash Magisk-vXY.Z.apk and reboot to System after that (to clean Cache & Dalvik is not a bad idea).
The flash of TWRP is now permanent (can be entered anytime from device off --> Press and hold Power and Volume up buttons)

It's weird that windows still can't mount such images.

Any tip for me?
I have J19AG (lancelot at first). The problem is that I can't fix broken Google Play Protect on other roms than EEA. This phone came with EEA rom which had GPP. Then I unlocked bootloader and flashed non EEA rom. I have tried TR, ID, IN, RU fastboot roms but none worked with GPP.
Im now on ID rom and trying to fix it using Magisk modules to change props. But neither galahad or lancelot worked for Force Basic Key attestation. After changing galahad to lancelot my base_os prop is empty. Magisk CTS check is still failed.
Code:
[ro.build.version.all_codenames]: [REL]
[ro.build.version.base_os]: []
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [V12.0.3.0.QJCIDXM]

I would suggest you to restore the phone stock state with fastboot ROM. You can find some here:
Download: MIUI 12 stable update rolling out to several Xiaomi, Redmi and POCO devices
MIUI 12 stable builds have begun rolling out to several Xiaomi, Redmi, and POCO devices. Head on over for Recovery ROM and Fastboot ROM download links!
www.xda-developers.com

No I do not want this.
I asked some certain question.
I know exactly what I'm doing and have skills for that.
My goal was to have galahad with rom other than EEA with Google Play protect on.
Currently only EEA <-> Galahad is possible. ID, TW, TR rom have no Google Play protect when unlocked or locked bootloader on galahad (Redmi 9 with NFC).
The trick is to fix Google Play protect with Magisk and TWRP. But above methods didnt work for me.

I have no knowledge on this subject, so I can't help you with this.

Hello.
I'm having a problem using the losetup command. After using
sudo losetup /dev/loop3 mmcblk0.img
and checking out the partitions created with
[I]ls -al /dev/loop3*[/I]
I only get ...
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop
When checking mmcblk0.img with command
[I]gdisk -l mmcblk0.img[/I]
I get the same as you.
I understand that losetup doesn't create the partitions other than one so I can't extract anyone in particular. Am I doing something wrong. I'm using an updated Ubuntu 20.04.
Thanks for your help.

Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64

morfikov said:
Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64
Click to expand...
Click to collapse
After using the first command I get
modprobe: FATAL: Module loop is builtin.
The second one doesn't display anything.
Then again when using ls -al /dev/loop3* I get
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop3

Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.

morfikov said:
Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.
Click to expand...
Click to collapse
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.

lotiopep said:
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.
Click to expand...
Click to collapse
Finally it worked! Thanks!

[GUIDE] How to unbrick a Xiaomi Redmi 9 (lancelot/galahad) phone via SP Flash Tool

I use crDrdoid v8.9 ROM (yes I know there's a newer version 8.11, but it didn't work for me for some reason). From time to time I visit xiaomifirmwareupdater.com/firmware/lancelot/ in order to check whether a newer firmware was released for my Xiaomi Redmi 9 (lancelot/galahad) phone. A couple days ago, I saw that there is V13.0.1.0.SJCEUXM for Android 12). I was using V12.5.4.0.RJCEUXM for Android 11, but this crDroid version offered Android 12.1. Everything was working well. Since there was a new version of the firmware, I downloaded it and flashed it via SHRP recovery. The flashing process went as usual, i.e. without any errors, but when I restarted the device, it didn't turn on. Only the fastboot mode was working.
Restoring the firmware
Fortunately, the firmware package consists only of a few images that are flashed to their corresponding partitions on the phone, for instance:
Code:
$ patool list fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip'
patool: Listing fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip ...
patool: running /usr/bin/7z l -- fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (306A9),ASM,AES-NI)
Scanning the drive for archives:
1 file, 40808894 bytes (39 MiB)
Listing archive: fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
--
Path = fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
Type = zip
Physical Size = 40808894
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2022-02-28 13:40:44 D.... 0 0 META-INF
2022-02-28 13:40:40 ..... 280488 171992 preloader_raw.img
2022-02-28 13:40:40 ..... 282536 172052 preloader_ufs.img
2022-02-28 13:40:42 ..... 1 3 type.txt
2022-02-28 13:40:40 ..... 859 364 scatter.txt
2022-02-28 13:40:40 ..... 282536 172052 preloader_emmc.img
2022-02-28 13:40:40 ..... 59329408 35869684 md1img.img
2022-02-28 13:40:42 ..... 2505440 2166963 tee.img
2022-02-28 13:40:42 ..... 37984 7454 spmfw.img
2022-02-28 13:40:40 ..... 352816 144110 scp.img
2022-02-28 13:40:42 ..... 505616 483321 sspm.img
2022-02-28 13:40:24 ..... 1302976 522804 lk.img
2022-02-28 13:40:22 D.... 0 0 META-INF/com
2022-02-28 13:40:44 ..... 1634 1144 META-INF/CERT.RSA
2022-02-28 13:40:42 ..... 2217 999 META-INF/MANIFEST.MF
2022-02-28 13:40:42 ..... 2270 1091 META-INF/CERT.SF
2022-02-28 13:40:42 D.... 0 0 META-INF/com/android
2022-02-28 13:40:22 D.... 0 0 META-INF/com/google
2022-02-28 13:40:24 D.... 0 0 META-INF/com/google/android
2022-02-28 13:40:24 ..... 2340536 1090127 META-INF/com/google/android/update-binary
2022-02-28 13:40:44 ..... 3559 863 META-INF/com/google/android/updater-script
2022-02-28 13:40:22 ..... 316 220 META-INF/com/android/metadata
2022-02-28 13:40:42 ..... 1594 1077 META-INF/com/android/otacert
------------------- ----- ------------ ------------ ------------------------
2022-02-28 13:40:44 67232786 40806320 18 files, 5 folders
So if the fastboot mode works well, you can use the images and flash them in order to restore the device. Where to flash the images? Just check the flash layout of your phone:
Code:
# gdisk -l mmcblk0-stock-original.img
GPT fdisk (gdisk) version 1.0.9
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk mmcblk0-stock-original.img: 122142720 sectors, 58.2 GiB
Sector size (logical): 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 122142686
Partitions will be aligned on 16-sector boundaries
Total free space is 61 sectors (30.5 KiB)
Number Start (sector) End (sector) Size Code Name
1 64 131135 64.0 MiB 0700 recovery
2 131136 132159 512.0 KiB 0700 misc
3 132160 133183 512.0 KiB 0700 para
4 133184 174143 20.0 MiB 0700 expdb
5 174144 176191 1024.0 KiB 0700 frp
6 176192 192575 8.0 MiB 0700 vbmeta
7 192576 208959 8.0 MiB 0700 vbmeta_system
8 208960 225343 8.0 MiB 0700 vbmeta_vendor
9 225344 271631 22.6 MiB 0700 md_udc
10 271632 337167 32.0 MiB 0700 metadata
11 337168 402703 32.0 MiB 0700 nvcfg
12 402704 533775 64.0 MiB 0700 nvdata
13 533776 632079 48.0 MiB 0700 persist
14 632080 730383 48.0 MiB 0700 persistbak
15 730384 746767 8.0 MiB 0700 protect1
16 746768 770047 11.4 MiB 0700 protect2
17 770048 786431 8.0 MiB 0700 seccfg
18 786432 790527 2.0 MiB 0700 sec1
19 790528 796671 3.0 MiB 0700 proinfo
20 796672 797695 512.0 KiB 0700 efuse
21 797696 850943 26.0 MiB 0700 boot_para
22 850944 982015 64.0 MiB 0700 nvram
23 982016 998399 8.0 MiB 0700 logo
24 998400 1260543 128.0 MiB 0700 md1img
25 1260544 1262591 1024.0 KiB 0700 spmfw
26 1262592 1274879 6.0 MiB 0700 scp1
27 1274880 1287167 6.0 MiB 0700 scp2
28 1287168 1289215 1024.0 KiB 0700 sspm_1
29 1289216 1291263 1024.0 KiB 0700 sspm_2
30 1291264 1324031 16.0 MiB 0700 gz1
31 1324032 1356799 16.0 MiB 0700 gz2
32 1356800 1360895 2.0 MiB 0700 lk
33 1360896 1364991 2.0 MiB 0700 lk2
34 1364992 1496063 64.0 MiB 0700 boot
35 1496064 1528831 16.0 MiB 0700 dtbo
36 1528832 1539071 5.0 MiB 0700 tee1
37 1539072 1549311 5.0 MiB 0700 tee2
38 1549312 1582079 16.0 MiB 0700 gsort
39 1582080 1844223 128.0 MiB 0700 minidump
40 1844224 2630655 384.0 MiB 0700 exaid
41 2630656 4727807 1024.0 MiB 0700 cust
42 4727808 4744191 8.0 MiB 0700 devinfo
43 4744192 4767743 11.5 MiB 0700 ffu
44 4767744 19447807 7.0 GiB 0700 super
45 19447808 20332543 432.0 MiB 0700 cache
46 20332544 122021823 48.5 GiB 0700 userdata
47 122021824 122109887 43.0 MiB 0700 otp
48 122109888 122142655 16.0 MiB 0700 flashinfo
So:
- `md1img.img` -- goes to `md1img` (24)
- `tee.img` -- goes to `tee1` i `tee2` (36 and 37)
- `spmfw.img` -- goes to `spmfw` (25)
- `scp.img` -- goes to `scp1` i `scp2` (26 and 27)
- `sspm.img` -- goes to `sspm_1` i `sspm_2` (28 and 29)
- `lk.img` -- goes to `lk` i `lk2` (32 and 33)
- `preloader_raw.img` -- no idea what to do with it
- `preloader_ufs.img` -- no idea what to do with it
- `preloader_emmc.img` -- no idea what to do with it
From what I've read, the images sspm_1 , tee1 , scp1 and lk are responsible for the main loader, and images sspm_2 , tee2 , scp2, lk2 for the alternative loader. I flashed only the main loader images and forgot to flash the alt loader. Moreover, since I didn't know what to do with the preloader images (there are 3), so I didn't flash any of them. :]
The phone is dead
When I rebooted my phone, there was no sign of life -- no vibration, no sound, no screen, no charging animation, nothing. When I connected the device to my laptop's USB port (with Debian Linux onboard), there was no log at all -- the phone seemed to be dead for good.
The phone is not dead
Playing with the phone's buttons a little bit (while the device is connected to my laptop's USB port), I found out that the Power + VolumeDown button combination generates the following messages in the system log on my Debian:
Code:
kernel: usb 3-1: new high-speed USB device number 10 using xhci_hcd
kernel: usb 3-1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
kernel: usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
kernel: usb 3-1: Device is not authorized for usage
kernel: cdc_acm 3-1:1.0: ttyACM0: USB ACM device
kernel: usb 3-1: authorized to connect
kernel: usb 3-1: USB disconnect, device number 10
So the phone looks like to be partially dead, or not dead at all, or maybe even alive, but it only plays dead, just to force me to buy a new device. :]
SP Flash Tool and MTK Bypass Utility
Since Xiaomi Redmi 9 (lancelot/galahad) is a Mediatek device, there are some chances to restore its state using SP Flash Tool. So I downloaded SP_Flash_Tool_v5.2208_Linux and launched it. I also downloaded Redmi_9_Engineering_Rom.zip , but it looks like that the fastboot ROM is sufficient.
The is only one issue with SP Flash Tool -- it doesn't work without some authorized account. Without this account you won't be able to flash anything using SP Flash Tool. But there's the MTK Bypass Utility tool.
To make the tool work, you have to do the following steps:
Code:
$ git clone https://github.com/MTK-bypass/bypass_utility
$ cd bypass_utility/
$ git clone https://github.com/MTK-bypass/exploits_collection
$ cd exploits_collection/
$ cp ./default_config.json5 ../
$ cp -a ./payloads/ ../
$ cd ..
Then you launch the program:
Code:
$ python3 main.py
[2023-01-28 12:04:55.807367] Waiting for device
And now you plug the phone into the USB port and press the Power + VolDown buttons. The following messages should appear in the log:
Code:
[2023-01-28 12:05:06.892077] Found device = 0e8d:0003
[2023-01-28 12:05:07.012749] Device hw code: 0x707
[2023-01-28 12:05:07.012871] Device hw sub code: 0x8a00
[2023-01-28 12:05:07.012936] Device hw version: 0xca00
[2023-01-28 12:05:07.012994] Device sw version: 0x0
[2023-01-28 12:05:07.013076] Device secure boot: True
[2023-01-28 12:05:07.013140] Device serial link authorization: True
[2023-01-28 12:05:07.013232] Device download agent authorization: True
[2023-01-28 12:05:07.013301] Disabling watchdog timer
[2023-01-28 12:05:07.014062] Disabling protection
[2023-01-28 12:05:07.038921] Protection disabled
Now we can use SP Flash Tool to restore the bricked phone. To be sure, just check if the device /dev/ttyACM0 exists in your system:
Code:
# ls -al /dev/ttyACM0
crw-rw----+ 1 root dialout 166, 0 2023-01-28 11:38:45 /dev/ttyACM0
We have to configure SP Flash Tool to use this device:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
We need some DA file -- the one provided by SP Flash Tool, should be good, but I used the DA file provided by the Engineering ROM. We also need some scatter.txt file -- it can be found either in Engineering ROM, or in fastboot ROM. We have to provide paths to the two files in SP Flash Tool:
We can see that all the firmware partitions can be flashed, including preloader. So in this case, I used the firmware images from the fastboot ROM, with the exception for dtbo and boot, since they come from crDroid ROM. Now all we have to do is to press the Download button.
Chip mismatch!
I selected only one partition (just for testing purposes, to see whether it will work at all) and I pressed the Download button. I got the following error:
And it text version it says:
Code:
[error] Chip mismatch! scatter: platform[MT6768] type[]; device: hw_code[0xb8e8],
hw_subcode[0x9400], hw_ver[0x7fb2], sw_ver[0x0], chip_evolution[0] #(chip_mapping.cpp, line:259)
But when I pressed the Download button again, it worked:
and
So I checked all the firmware partitions and flashed them in one turn. But this didn't fix my phone. I had to flash the preloader image. I used preloader_lancelot.bin from the fastboot image. When I flashed it, the phone booted normally. None of the user data was lost.
Also, the article is written in Polish, so you can read it on my blog if you don't know English well.
Happy flashing. :]

Hey, this was great, thanks, but I have a problem, after doing this I get "NV data is corrupted" and cant get past recovery. Any idea why? thanks again

After doing what?

Hello! After I corrupted the boot partition and entered a bootloop, I tried to reflash the preloader partition from fastboot and ended up in this same situation. I've been following this post and everything seems to be going perfect, but at the end of the post you say that you flashed preloader_lancelot.bin, but in all the images I could find there were 3 versions of it (preloader_emmc.img, preloader_raw.img and preloader_ufs.img), which one did you use?
The only time I saw a preloader_lancelot.bin file was with a mtk command that extracted the current one (but mine is invalid I guess).
Sorry if the English is not perfect, it's not m native language.

The file is in the fastboot ROM.

morfikov said:
The file is in the fastboot ROM.
Click to expand...
Click to collapse
You are right, my bad, I just looked over the first file and didn't saw the second one.

Awesome post! I've just managed to boot, I'll see if I can update the system from some backups, idk in which moment I ended up falshing an old af android version that looks exactly like this (gotten from google):

@morfikov:
That A LOT for this detailed walkthrough!
FWIW, even though my phone appeared dead, I managed to start it by :
- plugging it in
- holding VolumeUP + Power for several seconds
That was enough to start it again and display the Mi logo. It didn't go much further but that was a great change to begin with!
I still haven't managed to flash it back to stock ROM, as the phone keeps rebooting before I can flash anything. :-/