Alcatel 1T10 [need ROOT,no custom RECOVERY, but UNLOCKED bootloader] - Android Q&A, Help & Troubleshooting

Hello,
I have an Alcatel 1T10 tablet (chipset MT8321, Android 8.1) and I am trying to get root access. However, there is no custom recovery for this device yet, so I'm looking for another way to get root access.
I successfully unlocked the bootloader from a PC with a fastboot command, so I think it should be easy now, but I failed to actually find out how to root it. One-click root apps always fail. I read about Magisk, that I could make a patched boot.img to get root access, but I am not able to find the original boot.img of my device; it looks almost like it doesn't exist. I only found some firmware for (probably) this tablet, but it was an older Android version. But when I have an unlocked bootloader, there should be some way to root it, right? For example, is it possible to flash supersu.zip or something like that directly from fastboot?
Thanks for any help

Would this work?
Check that the older scatter file is correct: cat /proc/parti* (if not, modify).
Pull the recovery using SP_FlashTool. (Or why not do a full backup while at it...)
Edit the recovery. Change the keys file to test one and add busybox to sbin (rename to sh, enough??, if not, add the soft links too).
Push the recovery using SP_FlashTool (or fastboot - or just boot it??).
Flash the Magisk zip file

CXZa said:
Would this work?
Check that the older scatter file is correct: cat /proc/parti* (if not, modify).
Pull the recovery using SP_FlashTool. (Or why not do a full backup while at it...)
Edit the recovery. Change the keys file to test one and add busybox to sbin (rename to sh, enough??, if not, add the soft links too).
Push the recovery using SP_FlashTool (or fastboot - or just boot it??).
Flash the Magisk zip file
Sorry, but what do you mean by check and modify scatter file? When I cat /proc/parti* I get this:
254 0 731652 zram0
179 0 15155200 mmcblk0
179 1 3072 mmcblk0p1
179 2 5120 mmcblk0p2
179 3 10240 mmcblk0p3
179 4 10240 mmcblk0p4
179 5 256 mmcblk0p5
179 6 384 mmcblk0p6
179 7 16384 mmcblk0p7
179 8 16384 mmcblk0p8
179 9 512 mmcblk0p9
179 10 8192 mmcblk0p10
179 11 16384 mmcblk0p11
179 12 10240 mmcblk0p12
179 13 294912 mmcblk0p13
179 14 1024 mmcblk0p14
179 15 5120 mmcblk0p15
179 16 5120 mmcblk0p16
179 17 32768 mmcblk0p17
179 18 38272 mmcblk0p18
179 19 2048 mmcblk0p19
179 20 6144 mmcblk0p20
179 21 8192 mmcblk0p21
179 22 1572864 mmcblk0p22
179 23 114688 mmcblk0p23
179 24 12959232 mmcblk0p24
179 25 16384 mmcblk0p25
179 96 4096 mmcblk0rpmb
179 64 4096 mmcblk0boot1
179 32 4096 mmcblk0boot0
This is obviously a different format for a scatter file than the one used in SP Flash Tool, and when I put this in a .txt file into SP Flash Tool, it writes STATUS_SCATTER_FILE_INVALID

No, the idea wasn't to make a scatter file, but just to check it.
It should have shown you the partinfo too. Or isn't there such thing anymore?
Try just "cat /proc/partinfo" ...
edit: Checked, older tablet (Lollipop) has partinfo, new (Nougat) doesn't...
Then one can try to get partition names like this
ls -al /dev/block/platform/*/by-name (or ls -al /dev/block/platform/*/*/by-name )
then multiply blocks by 1024 and convert to Hex.

>Alcatel 1T10 (chipset MT8321, Android 8.1)
Scatter file in the package that I found: MT6580_Android_scatter.txt
If the one you found is the same, it might be wrong.

CXZa said:
>Alcatel 1T10 (chipset MT8321, Android 8.1)
Scatter file in the package that I found: MT6580_Android_scatter.txt
If the one you found is the same, it might be wrong.
When I did ls -al /dev/block/platform/*/*/by-name I got this:
total 0
drwxr-xr-x 2 root root 580 2019-01-15 17:10 .
drwxr-xr-x 4 root root 660 2019-01-15 17:10 ..
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 boot -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 cache -> /dev/block/mmcblk0p23
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 expdb -> /dev/block/mmcblk0p12
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 flashinfo -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 frp -> /dev/block/mmcblk0p14
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 keystore -> /dev/block/mmcblk0p21
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 lk -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 logo -> /dev/block/mmcblk0p10
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 metadata -> /dev/block/mmcblk0p18
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 nvdata -> /dev/block/mmcblk0p17
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 nvram -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 odmdtbo -> /dev/block/mmcblk0p11
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 oemkeystore -> /dev/block/mmcblk0
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 para -> /dev/block/mmcblk0p9
lrwxrwxrwx 1 root root 23 2019-01-15 17:10 preloader_a -> /dev/block/mmcblk0
t0
lrwxrwxrwx 1 root root 23 2019-01-15 17:10 preloader_b -> /dev/block/mmcblk0
t1
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 proinfo -> /dev/block/mmcblk0p1
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 protect1 -> /dev/block/mmcblk0p3
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 protect2 -> /dev/block/mmcblk0p4
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 recovery -> /dev/block/mmcblk0p8
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 seccfg -> /dev/block/mmcblk0p5
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 secro -> /dev/block/mmcblk0p20
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 system -> /dev/block/mmcblk0p22
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 tee1 -> /dev/block/mmcblk0p15
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 tee2 -> /dev/block/mmcblk0p16
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 userdata -> /dev/block/mmcblk0p24
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 vendor -> /dev/block/mmcblk0p13

ExternalDeveloper said:
When I did ls -al /dev/block/platform/*/*/by-name I got this:
total 0
drwxr-xr-x 2 root root 580 2019-01-15 17:10 .
drwxr-xr-x 4 root root 660 2019-01-15 17:10 ..
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 boot -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 recovery -> /dev/block/mmcblk0p8
So, now you know which blocks to dump. And maybe also which ones to skip.
These and then there is usually pgpt partition (table?) not showing, 512 blocks
179 1 3072 mmcblk0p1
179 2 5120 mmcblk0p2
179 3 10240 mmcblk0p3
179 4 10240 mmcblk0p4
179 5 256 mmcblk0p5
179 6 384 mmcblk0p6
(179 7 16384 mmcblk0p7 if recovery)
So, you could calculate the start address and size, but I think you can
use that old scatter for the dump (or readback). There might be some
partition less in it, IDK, but what I checked the start of the file matches to the
info you gave, so you can just take those values from it.
partition_index: SYS8
partition_name: boot
file_name: boot.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x1d20000
physical_start_addr: 0x1d20000
partition_size: 0x1000000
region: EMMC_USER
partition_index: SYS9
partition_name: recovery
file_name: recovery.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x2d20000
physical_start_addr: 0x2d20000
partition_size: 0x1000000
region: EMMC_USER
storage: HW_STORAGE_EMMC
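
The arithmetic described in the posts above (block counts from /proc/partitions multiplied by 1024, summed after the hidden 512-block pgpt area) can be checked against the scatter values with the following added example, which is not part of the original thread. It assumes the partitions are laid out contiguously in index order; the function names are hypothetical and the sample input is constructed from the listings posted above. It also uses the symlink size column of `ls -al` (the length of the link target) to flag by-name entries whose target was cut off in the paste.

```python
import re

# Constructed sample: rows copied from the `cat /proc/partitions` output in the thread
# (major, minor, size in 1 KiB blocks, name). Only the rows needed here are included.
PROC_PARTITIONS = """\
179 0 15155200 mmcblk0
179 1 3072 mmcblk0p1
179 2 5120 mmcblk0p2
179 3 10240 mmcblk0p3
179 4 10240 mmcblk0p4
179 5 256 mmcblk0p5
179 6 384 mmcblk0p6
179 7 16384 mmcblk0p7
179 8 16384 mmcblk0p8
"""

# Constructed sample: a few rows copied from the by-name listing in the thread.
BY_NAME = """\
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 boot -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 flashinfo -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 nvram -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 21 2019-01-15 17:10 oemkeystore -> /dev/block/mmcblk0
lrwxrwxrwx 1 root root 20 2019-01-15 17:10 recovery -> /dev/block/mmcblk0p8
"""

# Assumption taken from the thread: a pgpt area of 512 blocks (1 KiB each)
# sits before partition 1 and does not show up in /proc/partitions.
PGPT_KIB = 512

LS_LINK = re.compile(
    r"^l\S+\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+\S+\s+(\S+) -> (\S+)$"
)


def parse_proc_partitions(text, disk="mmcblk0"):
    """Return {partition_number: size_in_bytes} for the <disk>pN rows."""
    sizes = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # header, blank line or unrelated row
        m = re.fullmatch(re.escape(disk) + r"p(\d+)", fields[3])
        if m:
            sizes[int(m.group(1))] = int(fields[2]) * 1024
    return sizes


def parse_by_name(text, disk="mmcblk0"):
    """Return ({name: partition_number}, [names with a truncated target]).

    For a symlink, the size column of `ls -al` is the length of the target
    path, so a mismatch means the target was cut off or wrapped in the paste.
    """
    names, truncated = {}, []
    for line in text.splitlines():
        m = LS_LINK.match(line.strip())
        if not m:
            continue
        length, name, target = int(m.group(1)), m.group(2), m.group(3)
        if len(target) != length:
            truncated.append(name)
            continue
        p = re.fullmatch(r"/dev/block/" + re.escape(disk) + r"p(\d+)", target)
        if p:
            names[name] = int(p.group(1))
    return names, truncated


def readback_range(name, names, sizes, pgpt_kib=PGPT_KIB):
    """Return (start_address, length) in bytes for a named partition."""
    index = names[name]
    missing = [i for i in range(1, index + 1) if i not in sizes]
    if missing:
        raise ValueError("no size known for partition(s) %s" % missing)
    start = pgpt_kib * 1024 + sum(sizes[i] for i in range(1, index))
    return start, sizes[index]


if __name__ == "__main__":
    sizes = parse_proc_partitions(PROC_PARTITIONS)
    names, truncated = parse_by_name(BY_NAME)
    for part in ("boot", "recovery"):
        start, length = readback_range(part, names, sizes)
        print("%-9s start=%#x length=%#x" % (part, start, length))
    print("truncated by-name entries:", ", ".join(truncated))
```

With the numbers posted in this thread the computed ranges agree with the linear_start_addr and partition_size values of the boot and recovery entries in the scatter file quoted above.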

CXZa said:
So, now you know which blocks to dump. And maybe also which ones to skip.
These and then there is usually pgpt partition (table?) not showing, 512 blocks
So, you could calculate the start address and size, but I think you can
use that old scatter for the dump (or readback). There might be some
partition less in it, IDK, but what I checked the start of the file matches to the
info you gave, so you can just take those values from it.
So, if I understand it correctly, I should modify the MT6580_Android_scatter.txt with the information mentioned? And if yes, how am I supposed to get my boot.img from my device using SP Flash Tool? I don't have much experience with this tool; I never downloaded anything from my device to my computer using this tool, so could you please describe to me how to do that?

That was the original idea. But that scatter file seems to match with those partitions
of yours. I checked it up to the recovery partition, you can check the rest if sizes are the same.
How to readback boot --> 5. Launch SP Flash Tool : https://forum.hovatek.com/thread-526.html
Drivers: https://forum.hovatek.com/thread-440.html
What usually causes problems is how to get into update mode - depends on the device, and the drivers.
As you see the readback will ask you a scatter file and the start address and the partition size.
The info I gave in those quotes. One value you might have to change in the scatter file and that is
the platform: MT6580 to MT8321...
edit: More info from the same site that I posted earlier to someone else...
https://forum.xda-developers.com/showpost.php?p=78647685&postcount=18

ExternalDeveloper said:
So, if I understand it correctly, I should modify the MT6580_Android_scatter.txt with the information mentioned?
CXZa said:
That was the original idea. But that scatter file seems to match with those partitions
of yours. I checked it up to the recovery partition, you can check the rest if sizes are the same.
Tested using totally wrong scatter file. When reading back it doesn't matter.
Just the address and size i.e. length matters. But when flashing the scatter
should match to one's device. Or use fastboot - if it works.

CXZa said:
Tested using totally wrong scatter file. When reading back it doesn't matter.
Just the address and size i.e. length matters. But when flashing the scatter
should match to one's device. Or use fastboot - if it works.
I tried Read Back with the correct Start address and Length, clicked Read Back and nothing happened. I have a feeling that it's not even possible to do anything with this tablet using SP Flash Tool. This tablet is not even detected by the MTK Droid Tool software; it's detected only with ADB (fastboot). What am I supposed to do now?

ExternalDeveloper said:
MTK Droid Tool software; it's detected only with ADB (fastboot). What am I supposed to do now?
You have installed the drivers? Then it is the MediaTek PreLoader USB VCOM you want to see in device manager. When you connect usb it might show there just
seconds. So, click the readback button and right after that connect usb.
On some tabs vol- has to be kept down when plugging in, or vol+. Pressing power
one or two times at the same time might help also. (And removing battery might help too.)
In my tablet vol- with power when connecting the usb helps but not always needed...
It might take several tries to figure out the right way to do it.
BTW, 6580 seems to be the same as 8321, or very close:
Porting firmware to MTK6580 / MTK8321 (in Russian)
Here is a picture which shows where that PreLoader is in device manager.
from https://indofirmware.site/download-firmware-alcatel-1t-10/

CXZa said:
You have installed the drivers? Then it is the MediaTek PreLoader USB VCOM you want to see in device manager. When you connect usb it might show there just
seconds. So, click the readback button and right after that connect usb.
On some tabs vol- has to be kept down when plugging in, or vol+. Pressing power
one or two times at the same time might help also. (And removing battery might help too.)
In my tablet vol- with power when connecting the usb helps but not always needed...
It might take several tries to figure out the right way to do it.
BTW, 6580 seems to be the same as 8321, or very close:
Porting firmware to MTK6580 / MTK8321 (in Russian)
Here is a picture which shows where that PreLoader is in device manager.
from https://indofirmware.site/download-firmware-alcatel-1t-10/
I know about these sites. However, my tablet was never released with Android 7.x (this firmware contains Android 7.x from the year 2017, but my tablet was made in 2018). My tablet's full name on some sites is "Alcatel 1T 10 WiFi", and that one probably even has a different chipset than mine (mine doesn't have 6580). I have installed this driver, but I think the problem here is probably this difference between 2 different devices. I honestly don't understand how it is possible that there are 2 devices with the same name, but one with a (probably) different chipset and a different Android version.

ExternalDeveloper said:
I have installed this driver, but I think the problem here is probably this difference between 2 different devices. I honestly don't understand how it is possible that there are 2 devices with the same name, but one with a (probably) different chipset and a different Android version.
The flash tool works with 6580. About 8321 I don't know really...
One possibility is that the Nougat is meant for a faked tablet.
It has the custom partition that fakes use, but maybe it's used in some real ones too... IDK.
Here is its build.prop and imported /custom/cip-build.prop
Is there anything similar in your /system/build.prop?
Many of the values are a bit strange...
import /custom/cip-build.prop
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=NRD90M
ro.build.display.id=NRD90M test-keys
ro.build.version.incremental=G11
ro.build.version.sdk=24
ro.build.version.preview_sdk=0
ro.build.version.codename=REL
ro.build.version.all_codenames=REL
ro.build.version.release=7.0
ro.build.version.security_patch=2016-12-05
ro.build.version.base_os=
ro.build.date=2017年 12月 29日 星期五 10:23:28 CST
ro.build.date.utc=1514514208
ro.build.type=user
ro.build.user=emdoor
ro.build.host=emdoor-OptiPlex-9020
ro.build.tags=test-keys
ro.build.flavor=full_tg101t-user
ro.product.model=tg101t
ro.product.brand=TCL
ro.product.name=full_tg101t
ro.product.device=tg101t
ro.product.board=
# ro.product.cpu.abi and ro.product.cpu.abi2 are obsolete,
# use ro.product.cpu.abilist instead.
ro.product.cpu.abi=armeabi-v7a
ro.product.cpu.abi2=armeabi
ro.product.cpu.abilist=armeabi-v7a,armeabi
ro.product.cpu.abilist32=armeabi-v7a,armeabi
ro.product.cpu.abilist64=
ro.product.manufacturer=TCL
ro.product.locale=en-US
ro.wifi.channels=
ro.board.platform=mt6580
# ro.build.product is obsolete; use ro.product.device
ro.build.product=tg101t
# Do not try to parse description, fingerprint, or thumbprint
ro.build.description=full_tg101t-user 7.0 NRD90M G11 test-keys
ro.build.fingerprint=TCL/full_tg101t/tg101t:7.0/NRD90M/G11:user/test-keys
ro.build.characteristics=tablet
# end build properties
#
# from device/emdoor/tg101t/system.prop
#
#
# system.prop for generic sdk
#
rild.libpath=mtk-ril.so
rild.libargs=-d /dev/ttyC0
# MTK, Infinity, 20090720 {
wifi.interface=wlan0
# MTK, Infinity, 20090720 }
# MTK, mtk03034, 20101210 {
ro.mediatek.wlan.wsc=1
# MTK, mtk03034 20101210}
# MTK, mtk03034, 20110318 {
ro.mediatek.wlan.p2p=1
# MTK, mtk03034 20110318}
# MTK, mtk03034, 20101213 {
mediatek.wlan.ctia=0
# MTK, mtk03034 20101213}
#
wifi.tethering.interface=ap0
#
wifi.direct.interface=p2p0
dalvik.vm.heapgrowthlimit=128m
dalvik.vm.heapsize=256m
# USB MTP WHQL
ro.sys.usb.mtp.whql.enable=0
# Power off opt in IPO
sys.ipo.pwrdncap=2
ro.sys.usb.storage.type=mtp
# USB BICR function
ro.sys.usb.bicr=yes
# USB Charge only function
ro.sys.usb.charging.only=yes
# audio
ro.camera.sound.forced=0
ro.audio.silent=0
ro.zygote.preload.enable=0
# temporary enables NAV bar (soft keys)
qemu.hw.mainkeys=0
ro.kernel.zio=38,108,105,16
#ro.kernel.qemu=0
#ro.kernel.qemu.gles=0
ro.opengles.version=131072
#ro.boot.selinux=disable
# Disable dirty region for Mali
debug.hwui.render_dirty_regions=false
ro.sf.lcd_density=213
persist.service.drm.enable=1
persist.emdoor.isoneline.enable=1
ro.emmc.size=32
persist.operator.optr=CUST
persist.sys.timezone=Europe/Amsterdam
persist.sys.country=NL
ro.product.locale.region=NL
ro.sys.ntp.server=europe.pool.ntp.org
persist.sys.switch_on=CUST
ro.sys.auto.correction=true
ro.sys.timezone.area=MEXICO
persist.browser.mark=es
persist.browser.mark=es
ro.shutdown.dialog=0
ro.shutdown.dialog=0
# clientID
ro.com.google.clientidbase=android-alcatel
ro.com.google.clientidbase.ms=android-alcatel
ro.com.google.clientidbase.yt=android-alcatel
ro.com.google.clientidbase.am=android-alcatel
ro.com.google.clientidbase.gmm=android-alcatel
ro.sys.enabled.input.methods=com.android.inputmethod.latin/.LatinIME;1067440414;-921088104
ro.sys.selected.input.method=1067440414
ro.sys.default.input.method=com.android.inputmethod.latin/.LatinIME
ro.sys.select.language=ru-RU,en-US
ro.sys.haptic.time.support=true
ro.sys.haptic.time=100
ro.sys.time.12.24=24
ro.sys.is.mute.no.disturb=true
ro.bluetooth.name=ALCATEL 1T 10
ro.product.usb.name=ALCATEL 1T 10
ro.screen.timeout=tenMIN
#
# ADDITIONAL_BUILD_PROPERTIES
#
ro.config.ringtone=Ring_Synth_04.ogg
ro.config.notification_sound=pixiedust.ogg
ro.carrier=unknown
ro.config.alarm_alert=Alarm_Classic.ogg
dalvik.vm.heapgrowthlimit=128m
dalvik.vm.heapsize=256m
ro.mediatek.chip_ver=S01
ro.mediatek.platform=MT6580
ro.telephony.sim.count=2
persist.radio.default.sim=0
ril.specific.sm_cause=0
bgw.current3gband=0
ril.external.md=0
ro.sf.hwrotation=0
persist.radio.fd.counter=150
persist.radio.fd.off.counter=50
persist.radio.fd.r8.counter=150
persist.radio.fd.off.r8.counter=50
drm.service.enabled=true
fmradio.driver.enable=1
ril.first.md=1
ril.flightmode.poweroffMD=1
ril.telephony.mode=0
dalvik.vm.mtk-stack-trace-file=/data/anr/mtk_traces.txt
mediatek.wlan.chip=CONSYS_MT6735
mediatek.wlan.module.postfix=_consys_mt6735
ril.radiooff.poweroffMD=0
ro.frp.pst=/dev/block/platform/mtk-msdc.0/11120000.msdc0/by-name/frp
ro.mtk_protocol1_rat_config=W/G
ro.mtk_support_mp2_playback=1
ro.mtk_audio_alac_support=1
ro.mediatek.version.branch=alps-mp-n0.mp2
ro.mediatek.version.release=alps-mp-n0.mp2-V1.23.1_emdoor8321.tb.n
ro.mediatek.version.sdk=4
ro.num_md_protocol=2
persist.radio.multisim.config=dsds
ro.mtk_besloudness_support=1
ro.mtk_bt_support=1
ro.mtk_wappush_support=1
ro.mtk_agps_app=1
ro.mtk_audio_tuning_tool_ver=V1
ro.mtk_wlan_support=1
ro.mtk_ipo_support=1
ro.mtk_gps_support=1
ro.mtk_omacp_support=1
ro.mtk_search_db_support=1
ro.mtk_dialer_search_support=1
ro.mtk_dhcpv6c_wifi=1
ro.have_aacencode_feature=1
ro.mtk_fd_support=1
ro.mtk_oma_drm_support=1
ro.mtk_cta_drm_support=1
ro.mtk_widevine_drm_l3_support=1
ro.mtk_eap_sim_aka=1
ro.mtk_audio_ape_support=1
ro.mtk_wmv_playback_support=1
ro.mtk_send_rr_support=1
ro.mtk_rat_wcdma_preferred=1
ro.mtk_emmc_support=1
ro.mtk_tetheringipv6_support=1
ro.telephony.default_network=0,0
ro.mtk_shared_sdcard=1
ro.mtk_enable_md1=1
ro.mtk_flight_mode_power_off_md=1
ro.mtk_pq_support=2
ro.mtk_pq_color_mode=1
ro.mtk_miravision_support=1
ro.mtk_wifi_mcc_support=1
ro.mtk_bip_scws=1
ro.mtk_world_phone_policy=0
ro.mtk_perfservice_support=1
ro.mtk_cta_set=1
ro.mtk_cam_mfb_support=0
ro.mtk_cam_cfb=1
ro.sim_refresh_reset_by_modem=1
ro.mtk_external_sim_only_slots=0
ro.mtk_hotknot_support=1
ro.mtk_bg_power_saving_support=1
ro.mtk_bg_power_saving_ui=1
ro.have_aee_feature=1
ro.sim_me_lock_mode=0
ro.mtk_dual_mic_support=0
ro.mtk_is_tablet=1
persist.mtk_nlp_switch_support=1
persist.mtk_vilte_support=0
ro.mtk_vilte_ut_support=0
ro.mediatek.hotknot.module=GT9XX
wfd.dummy.enable=1
wfd.iframesize.level=0
ro.mediatek.project.path=device/emdoor/tg101t
persist.mtk.wcn.combo.chipid=-1
persist.mtk.wcn.patch.version=-1
persist.mtk.wcn.dynamic.dump=0
service.wcn.driver.ready=no
service.wcn.coredump.mode=0
persist.mtk.connsys.poweron.ctl=0
ro.com.android.mobiledata=true
persist.radio.mobile.data=0,0
persist.meta.dumpdata=0
persist.radio.mtk_ps2_rat=G
persist.radio.mtk_ps3_rat=G
ro.boot.opt_c2k_lte_mode=0
ro.boot.opt_md1_support=3
persist.log.tag.AT=I
persist.log.tag.RILMUXD=I
persist.log.tag.RILC-MTK=I
persist.log.tag.RILC=I
persist.log.tag.RfxMainThread=I
persist.log.tag.RfxRoot=I
persist.log.tag.RfxRilAdapter=I
persist.log.tag.RfxController=I
persist.log.tag.RILC-RP=I
persist.log.tag.RIL-DATA=I
ro.boot.opt_using_default=1
ro.mtk_multiwindow=1
mtk.vdec.waitkeyframeforplay=1
ro.sys.sdcardfs=1
persist.runningbooster.support=1
persist.runningbooster.upgrade=1
ro.media.maxmem=500000000
ro.setupwizard.mode=OPTIONAL
ro.com.google.gmsversion=7.0_r5
ro.product.first_api_level=24
persist.sys.dalvik.vm.lib.2=libart.so
dalvik.vm.isa.arm.variant=cortex-a7
dalvik.vm.isa.arm.features=default
net.bt.name=Android
dalvik.vm.stack-trace-file=/data/anr/traces.txt
import /custom/cip-build.prop
ro.expect.recovery_id=0xc8c8948d4d2dc3418f5a954abe50fb27519e06f3000000000000000000000000
ro.cip.build.date=2017年 12月 28日 星期四 21:31:09 CST
persist.mtk_clr_code_support=0
persist.mtk_epdg_support=0
persist.mtk_volte_support=0
persist.mtk.volte.enable=0
persist.dbg.volte_avail_ovr=0
persist.mtk_ims_support=0
persist.mtk_wfc_support=0
persist.mtk.wfc.enable=0
persist.dbg.wfc_avail_ovr=0
persist.mtk_vilte_support=0
persist.mtk.ims.video.enable=0
persist.dbg.vt_avail_ovr=0
persist.flight_mode_md_off=1
persist.radio.multisim.config=dsds
persist.mtk_rcs_ua_support=0
persist.data.cc33.support=0
ro.bluetooth.name=ALCATEL 1T 10
ro.product.usb.name=ALCATEL 1T 10
ro.screen.timeout=tenMIN

CXZa said:
BTW, 6580 seems to be the same as 8321, or very close:
Porting firmware to MTK6580 / MTK8321 (in Russian)
Для тех кто не в курсе, MTK8321 - это тот же MTK6580, только для планшетов.
"For those who do not know, MTK8321 is the same MTK6580, only for tablets."
(Google translation)
So, maybe you could try to boot that recovery.img using fastboot.
Or find one that is taken from some 8321 Oreo.
If it boots then back to plan A....
edit: Alcatel buttons mentioned somewhere else, connect usb, Vol+ and Vol- at the same time.
Same, but also the Power button.

CXZa said:
"For those who do not know, MTK8321 is the same MTK6580, only for tablets."
(Google translation)
So, maybe you could try to boot that recovery.img using fastboot.
Or find one that is taken from some 8321 Oreo.
If it boots then back to plan A....
edit: Alcatel buttons mentioned somewhere else, connect usb, Vol+ and Vol- at the same time.
Same, but also the Power button.
I tried to boot the recovery from that Alcatel_1T_10_MT6580_20171229_7.0, with the same result as with the other unsupported custom recoveries I tried: it just writes on the screen USB Transferring..., USB Transmission OK Time:xxxms Vel:xxxxxxKB/s
Then I wait for about 1-2 minutes with this shown on the screen, and then the tablet reboots.
About build.prop: I am not able to read it from adb; when I cat /system/build.prop it writes Permission denied.
I tried pressing vol+ and vol- with the power button and without the power button after connecting via USB to the PC, and nothing happened.

Hi!
Try to flash it..
indofirmware.site/download-firmware-alcatel-u3a-10-wifi
The tablet has many names:
1T 10 ; U3A.
We have the official name in Russia: 8082_RU.

Help!! Could someone be so kind as to share the stock firmware for the Alcatel 1 tablet?
I need a copy of your stock firmware to install on my tablet, can I help you? The original system that I had was Oreo Go edition. Thank you, I leave my mail, it is [email protected]

Has anyone managed to safely root this tablet? Any help would be appreciated.

nissasnzx said:
Has anyone managed to safely root this tablet? Any help would be appreciated.
I really need to get root on this device, please...

Related

[REQ] Toshiba folio 100 BCT and partition dumps

I have somehow messed up my folio 100, and its BCT and bootloader information.
So I'm hoping someone else with a little experience knows how to use the nvflash utilities, can dump the information for me, and can send me a link to where to get it.
The combo to get into bootloader mode is: POWER button pressed 4 times + VOL- key, and it will go into bootloader mode.
I can extract these tomorrow evening.
Can you be clearer with the bootload sequence?
Tried to get the bootload seq. Ended up with a partial reset of settings...
tshoulihane said:
I can extract these tomorrow evening.
Can you be clearer with the bootload sequence?
Tried to get the bootload seq. Ended up with a partial reset of settings...
Well, I don't think you should try it..!!
Another user did, and he ended up with a semi-bricked device too.. so thanks, but now the fun stops.. it seems that Toshiba included a very, very bad key combo that turns the device into a deadlocked machine..
So I'll just figure out another way to get the partitions off it.. but my 4xpower + vol- is really scary, do NOT try it,
at least until it is clear how to get out of this bootloader state again.
I dumped the partitions which are visible from android already. Don't quite know what got resentment with your key sequence - DATA wiped? Some of the preloaded apps are broken now, but they were a bit broken before.
tshoulihane said:
I dumped the partitions which are visible from android already. Don't quite know what got resentment with your key sequence - DATA wiped? Some of the preloaded apps are broken now, but they were a bit broken before.
So you mean, you can extract all partitions from a shell?
I.e. the bootloader of partition2 and so forth?
I didn't notice that all 8 partitions were accessible there?
Can you upload the dump of them somewhere?
A guy made the dumps of the ROM (not the recovery image though) on the forum of Frandroid DOT fr but I cannot post you the link directly here (anti spam as I do not have many messages on the forum).
I will PM you (if it allows me)
bootoo said:
A guy made the dumps of the ROM (not the recovery image though) on the forum of Frandroid DOT fr but I cannot post you the link directly here (anti spam as I do not have many messages on the forum).
I will PM you (if it allows me)
I have the dump of the /system; I need all of the other partitions, i.e. 0 to 8.
I cannot restore system, as I have no bootable tablet at all. I need raw partition dumps, which I hope can be used with nvflash.
Is it possible to extract opera mobile 10.1 apk?
toca79 said:
Is it possible to extract opera mobile 10.1 apk?
look for it here
Dexter_nlb said:
look for it here
Thx a lot found it.
I think the resolution is too high though.
Hi Dex, were you able to restore your bricked folio?
roglio said:
Hi Dex, were you able to restore your bricked folio?
Decided to get another one..
ok!
I was hoping you did it because I'm a little tired of android (apple fan ).
My idea was to build and flash linux (ubuntu 10.10 works on toshiba AC100).
But if there isn't a way to restore the factory default (bootloader, etc.), I'll give up.
roglio said:
My idea was to build and flash linux (ubuntu 10.10 works on toshiba AC100).
When I was debugging bootloader configs, I was provided some config files that AC100 users said would work on our folio, but I see now the partition setup is very different, so we need to make proper configs for our folio before experimenting with the bootloader..
Again, as you mention, backup seems to do, when recover seems unavailable currently. It will be hard to verify if the partition table layout is working.
Hi,
Sorry, maybe I misunderstood something, but I cannot understand your problem in reading out the whole flash.
1. I have opened / disassembled my Folio 100. And like I suspected, there is a 16GB microSD card connected (soldered) to the PCB and fixed with glue. One could read out the whole flash in a card reader.
2. You have full access to the microSD card from within Android:
/dev/block/mmcblk0
sh-4.1# cd /dev/block
cd /dev/block
sh-4.1# pwd
pwd
/dev/block
sh-4.1# ls -l
ls -l
brw------- root root 254, 1 2010-12-07 08:46 dm-1
brw------- root root 254, 0 2010-12-07 08:46 dm-0
drwxr-xr-x root root 2010-12-07 08:45 vold
brw------- root root 179, 17 2010-12-07 08:45 mmcblk1p1
brw------- root root 179, 16 2010-12-07 08:45 mmcblk1
brw------- root root 7, 7 2010-12-07 08:45 loop7
brw------- root root 7, 6 2010-12-07 08:45 loop6
brw------- root root 7, 5 2010-12-07 08:45 loop5
brw------- root root 7, 4 2010-12-07 08:45 loop4
brw------- root root 7, 3 2010-12-07 08:45 loop3
brw------- root root 7, 2 2010-12-07 08:45 loop2
brw------- root root 7, 1 2010-12-07 08:45 loop1
brw------- root root 7, 0 2010-12-07 08:45 loop0
brw------- root root 179, 8 2010-12-07 08:45 mmcblk0p8
brw------- root root 179, 7 2010-12-07 08:45 mmcblk0p7
brw------- root root 179, 6 2010-12-07 08:45 mmcblk0p6
brw------- root root 179, 5 2010-12-07 08:45 mmcblk0p5
brw------- root root 179, 4 2010-12-07 08:45 mmcblk0p4
brw------- root root 179, 3 2010-12-07 08:45 mmcblk0p3
brw------- root root 179, 2 2010-12-07 08:45 mmcblk0p2
brw------- root root 179, 1 2010-12-07 08:45 mmcblk0p1
brw------- root root 179, 0 2010-12-07 08:45 mmcblk0
sh-4.1#
Regards, Artem
Hi DerArtem! Nice first post indeed!!!!
Thank you for your information.
A micro SD soldered is a nice gift from toshiba!!! This means upgrades, full dumps, etc.
Great
A request: could you please post some pictures?
DerArtem said:
Sorry, maybe I misunderstood something, but I cannot understand your problem in reading out the whole flash.
Did I write I had a problem dumping the entire mmc device? Not really.
Yes, you misunderstood. Writing a proper cfg file describing the different areas is required.. dumping is the easy part, documenting is harder..
But feel free to contribute and document the .cfg file for the bootloader, that is of course appreciated...
I just got back from my business trip, and finally had some more time to take a closer look at the device.
roglio said:
Hi DerArtem! Nice first post indeed!!!!
Thank you for your information.
A micro SD soldered is a nice gift from toshiba!!! This means upgrades, full dumps, etc.
Great
A request: could you please post some pictures?
The device has a warranty seal inside. If you open the device completely the seal will break. I have just opened the device so far that the seal will not break. To make photos I will have to open it completely. I will think about it....
Dexter_nlb said:
Did I write I had a problem dumping the entire mmc device? Not really.
Yes, you misunderstood. Writing a proper cfg file describing the different areas is required.. dumping is the easy part, documenting is harder..
But feel free to contribute and document the .cfg file for the bootloader, that is of course appreciated...
Ok, I see. I have dumped the mmc and mounted the partitions on my PC:
Here is the partition table on my PC:
Code:
[email protected] ~/bin/folio $ /sbin/fdisk -u -l folio.img
Platte folio.img: 15.9 GByte, 15920005120 Byte
1 Köpfe, 63 Sektoren/Spur, 493551 Zylinder, zusammen 31093760 Sektoren
Einheiten = Sektoren von 1 × 512 = 512 Bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Gerät boot. Anfang Ende Blöcke Id System
folio.img1 2048 526335 262144 83 Linux (/system)
folio.img2 526336 2623487 1048576 83 Linux (/cache)
folio.img3 2623488 2627583 2048 83 Linux (/misc)
folio.img4 2627584 31093759 14233088 5 Erweiterte
folio.img5 2628608 2644991 8192 83 Linux (???)
folio.img6 2646016 4743167 1048576 83 Linux (/data)
folio.img7 4744192 4754431 5120 83 Linux (???)
folio.img8 4755456 31093759 13169152 83 Linux (13G - storage)
Now you can mount the partitions on your pc:
Code:
sudo mount -o loop,ro,offset=$((512*2048)) folio.img /mnt/floppy/
I was not able to find the kernel or the bootloader or the root partition in the dump. I have also checked it with a hex editor.
Is the Folio using another storage for kernel and bootloader? Does it have more NOR/NAND flash inside?
While looking at the size of the microSD (15920005120 bytes) I think that the bootloader is hiding a part of the microSD from the OS where the kernel and the bootloader are...
Where is the .cfg file you are talking about located?
DerArtem said:
Where is the .cfg file you are talking about located?
It's a file associated with the nvflash utility. Search for the Toshiba AC100 or here for more details; for them it works fine.
the part 5 and 7 are boot kernel(8Mbyte) + recovery kernel(5Mbyte) , bootloader is as i know from ac100 on part0 , but thats not 100% yet.
Dexter_nlb said:
the part 5 and 7 are boot kernel(8Mbyte) + recovery kernel(5Mbyte) , bootloader is as i know from ac100 on part0 , but thats not 100% yet.
So, I have checked part 5 and 7. The content is the same as in boot.img and recovery.img. So the BCT is somewhere else...

[Q] Nexus 4 | IMEI/Baseband unknown | BootLoop with 4.3

Hello,
I think this is a hard one for you.
My unrooted Nexus 4 (Android 4.3) worked perfectly fine until the day I (randomly?) lost the signal (couldn't make phone calls or browse the internet). I thought, hey that's not too bad, make a restart and it will work again.
Well instead of booting again it was stuck in a bootloop. So I reflashed stock 4.3, again bootloop, I tried to flash CM, bootloop, I cleared caches/wiped files constantly with twrp and CWM. Then finally I flashed stock 4.2, hey it booted!
But I had no IMEI number, nor a baseband version! So I flashed several baseband versions, neither worked (the bootloader-start screen showed the flashed versions though!).
So far I am searching for a solution all over the internet on how to restore the IMEI without a backup! Is there any hope for me? I have the IMEI number and tbh from my understanding this number has to be saved somewhere in hardware as well.
Any help appreciated!
- David
Btw. update from 4.2 to 4.3 -> Bootloop.
Just flashed 4.4 and it bootloops.
Ok, new idea, but I need your help for it.
What if I can restore my IMEI based on one of your "m9kefs1.img"? Can anyone provide me a working image of "m9kefs1.img", "m9kefs2.img" and "m9kefs3.img", this would be awesome!
hi...im having the same issue ...i tried almost everything without luck... i was thinking why google developers wont give us a solution for those who are outside the U.S. ...cause its real pain in the a** trying to send it to their service.
Same problem
dav1dde said:
Ok, new idea, but I need your help for it.
What if I can restore my IMEI based on one of your "m9kefs1.img"? Can anyone provide me a working image of "m9kefs1.img", "m9kefs2.img" and "m9kefs3.img", this would be awesome!
What do you have in "/dev/block"?
This is mine:
~ # cd dev/block
cd dev/block
/dev/block # ls
ls
loop0 mmcblk0 mmcblk0p16 mmcblk0p23 mmcblk0p8 ram13 ram7
loop1 mmcblk0p1 mmcblk0p17 mmcblk0p24 mmcblk0p9 ram14 ram8
loop2 mmcblk0p10 mmcblk0p18 mmcblk0p25 platform ram15 ram9
loop3 mmcblk0p11 mmcblk0p19 mmcblk0p3 ram0 ram2 vold
loop4 mmcblk0p12 mmcblk0p2 mmcblk0p4 ram1 ram3
loop5 mmcblk0p13 mmcblk0p20 mmcblk0p5 ram10 ram4
loop6 mmcblk0p14 mmcblk0p21 mmcblk0p6 ram11 ram5
loop7 mmcblk0p15 mmcblk0p22 mmcblk0p7 ram12 ram6
News
I saved my "m9kefs1.img" & "m9kefs2.img"!
They are 2 files of 780KB with a lot of information, are they corrupted?
The problem is not the "files" in /dev/block but the contents of these 2 files:
Code:
m9kefs1 (/dev/block/mmcblk0p8)
m9kefs2 (/dev/block/mmcblk0p9)
I don't know if they are corrupted, because I can't compare them to mine, which are definitely broken.
News? On eBay I found an engineering sample with a "Repair EFS" program, where can I download it?
Thanks!
Help me! :banghead:
Android 4.4.1
Has anyone tried if Android 4.4.1 has bugfixed this problem?
PN.ItalyGirl said:
Has anyone tried if Android 4.4.1 has bugfixed this problem?
Neither the 4.4.1 nor the 4.4.2 factory images solve this unknown baseband / IMEI problem

[ROM][PORT][JB 4.1.2] Nabixus 0.1beta for Nabi 2

This is a port of the stock Nexus 7 (Grouper) 4.1.2 ROM with the Nabi 2 OTA 2.4.6 as the base. Everything seems to be working but as the title says it is a beta and so not fully tested....FLASH AT YOUR OWN RISK!!!!
Couple of things to be aware of: You have to update some of the apps before they work (Chrome for instance) and when adjusting the brightness it is possible to turn the screen all the way black, don't panic, just slide it back to the right...oh, and if you try to skip turning on the wifi it still tries to connect but it will eventually time out. If anyone actually uses the Nabi camera I have found that the Nexus 7 Camera app from the play store will work, other ones might also but I tested that one. There are no HDMI settings right now because the Nexus didn't have that port but the HDMI does work.
Screenshot:
Instructions:
1. Make a full TWRP backup to external sdcard!!! AND make sure your backup works!!!
2. Download the zip and place it on your external sdcard.
3. Wipe everything except external sdcard.
4. Install the zip.
5. Wipe cache and dalvik again for good measure.
6. Reboot and do a little happy dance!!! (First boot takes a while so don't freak after 30 secs, lol)
Download: Nabixus_beta0.1.zip , Mirror1, or Mirror2
MD5: b334707cf14b2ad4e552d6a7a3b48fcd
Let me know what you think, I know there's room for improvement....and I'll fix this post up some at some point, give me a break it's my first time!!
reserved
reserved 2
First! LOL. Glad you got it going. If you need any help or any stock files from my newly acquired Nexus 7, let me know. I can make a complete nandroid if needed.
Additional screenshots!
Can't spend too much time fooling around with it before the kids get up, but looks good for now! Thanks for the awesome work!
Just to report, all is well with the port. Just getting a bit of screen flicker but that is due to the low brightness level. It has gone away since I have raised it up all the way. All apps updating fine via Playstore and OTG USB working great as well. Side loading a lot of what I call my "Power Rooting Apps". This reminds me of the nexus 7 I just got LOL. Great job!
Dude! YOU ROCK....
Now when my son upgrades, I'll be able to use the nabi for kodi (xbmc) on the tv.
Sent from my Nexus 7 using Tapatalk
Awesome, can't wait till I have a moment free to give this a try!
Sent from my Nexus 10 using Tapatalk
@n3wt GREAT job, just wanted to know if I build CyanogenMod for Nexus 7 2012; could you port CyanogenMod over to Nabi?
katinatez said:
@n3wt GREAT job, just wanted to know if I build CyanogenMod for Nexus 7 2012; could you port CyanogenMod over to Nabi?
I've been trying to port CM the past few days and keep getting stuck at a never ending boot animation. So yeah, if you guys could give it a shot that would be great, lol.
katinatez said:
if I build CyanogenMod for Nexus 7 2012; could you port CyanogenMod over to Nabi?
maybe. aicjofs suggested that the kernel might be too different though. I have a cm with tablet ui for the Nexus that I was looking at but I'm toying with the idea of trying to get a working kernel compiled. ... That way we could just build a rom for the nabi.
It took a lot of hours to get to this point though so whatever comes next will be after a bit of rest.
I'm really happy that you guys are liking this one, feel free to take it and mod it and what not.
SMcC2 said:
I've been trying to port CM the past few days and keep getting stuck at a never ending boot animation. So yeah, if you guys could give it a shot that would be great, lol.
Do you have adb working?
ROFL
Anyone else get the email
"Hello from Google: Get the most out of your Nexus 7" ?
n3wt said:
Do you have adb working?
I had it working at one point, but don't remember how I had gotten there.
I've been using these links as resources:
How to Build CyanogenMod for Grouper
How to Port CyanogenMod to new Devices
Kernel Building for CyanogenMod
The instructions for building on Grouper say to pull the proprietary blobs from a device with CyanogenMod already installed. I don't have that option.
Note:
Your device should already be running a build of CyanogenMod for the branch you wish to build for the extract-files.sh script to function properly. Nexus users: While it may be tempting to run the script on stock Android, and in fact it may succeed, realize that some of the blobs CyanogenMod uses are modified or otherwise different from stock blobs (e.g. Adreno graphics libraries). Save yourself some trouble and install a copy of CyanogenMod on your device before extracting blobs.
The instructions for porting to new devices says
Create extract-files.sh and setup-makefiles.sh scripts to pull those blob files from the device using adb and put them in the right /vendor/ directory. There are plenty of examples available for other devices.
Create an .mk Makefile to copy those files to the $OUT folder during the build process and put them in the right place. Again, use other devices as a guide for what this Makefile should look like. An example filename might be BoardConfigVendor.mk
Make sure that the Makefile you just created is included from your main BoardConfig.mk via a command such as -include vendor/[vendor]/[codename]/BoardConfigVendor.mk. Again, existing devices can illustrate how this is done.
I don't think I'm getting everything when I do that and that's where my problem is...
maybe. aicjofs suggested that the kernel might be too different though.
The Nabi kernel should be based on AOSP, so those are the best ROMs to work with for best compatibility. AOKP and CM, being their own breed, might need some kernel mods. For example, on current Qualcomm devices CM is using CAF code and AOSP is using Google kernel code. Just an example.
Anyone else get the email
Could be this in build.prop.
ro.build.fingerprint=google/nakasi/grouper:4.1.2/JZO54K/485486:user/release-keys
or a special bit of code in email program.
Create extract-files.sh and setup-makefiles.sh scripts to pull those blob files from the device using adb and put them in the right /vendor/ directory. There are plenty of examples available for other devices.
Yeah you have to do it all manually(make proprietary-files.txt). I did it once but it was all manual, and I could have missed something, it took hours. I also remember having a failure pulling the firmware files in the /vendor directory. You can look at what I did in attached
@n3wt You should write up some of your secret sauce, would help those guys mimic what you did on other ROM's
aicjofs said:
Yeah you have to do it all manually(make proprietary-files.txt). I did it once but it was all manual, and I could have missed something, it took hours. I also remember having a failure pulling the firmware files in the /vendor directory. You can look at what I did in attached
I was afraid it might have to be done manually.
SMcC2 said:
I've been trying to port CM the past few days and keep getting stuck at a never ending boot animation. So yeah, if you guys could give it a shot that would be great, lol.
Same here LOL. I have been trying to port CleanRom 4.0.0 JB 4.3 from my Nexus 7 but am stuck at the 4 rotating orbs. I have the boot image decompiled and the complete System files from my Nexus 7 if anyone would like to give it a try.
aicjofs said:
@n3wt You should write up some of your secret sauce, would help those guys mimic what you did on other ROM's
Yes please, I have dissected the rom to see the differences and have gotten as far as I have so far. It is very time consuming for sure. I have 4.1.2 Modded to the bone at the moment.
In case anyone wants the info: off my Nexus 7 running CleanRom 4.0.0 4.3 JB.
Code:
(dev/block/platform/sdhci-tegra.3/by-name)
[email protected]:/ $ cat /proc/partitions
cat /proc/partitions
major minor #blocks name
7 0 2111 loop0
7 1 11466 loop1
7 2 9387 loop2
7 3 4190 loop3
7 4 28098 loop4
7 5 61362 loop5
7 6 8348 loop6
7 7 53046 loop7
179 0 31178752 mmcblk0
179 1 12288 mmcblk0p1
179 2 8192 mmcblk0p2
179 3 665600 mmcblk0p3
179 4 453632 mmcblk0p4
179 5 512 mmcblk0p5
179 6 10240 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 512 mmcblk0p8
179 9 30014464 mmcblk0p9
179 32 2048 mmcblk0boot1
179 16 2048 mmcblk0boot0
254 0 2110 dm-0
254 1 11466 dm-1
254 2 9387 dm-2
254 3 4189 dm-3
254 4 28098 dm-4
254 5 61362 dm-5
254 6 8347 dm-6
254 7 53046 dm-7
7 8 2111 loop8
254 8 2110 dm-8
=============================================
[email protected]:/ $ ls -al /dev/block/platform/sdhci-tegra.3/by-name
ls -al /dev/block/platform/sdhci-tegra.3/by-name
lrwxrwxrwx root root 2014-10-04 12:29 APP -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2014-10-04 12:29 CAC -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2014-10-04 12:29 LNX -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2014-10-04 12:29 MDA -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2014-10-04 12:29 MSC -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2014-10-04 12:29 PER -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2014-10-04 12:29 SOS -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2014-10-04 12:29 UDA -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2014-10-04 12:29 USP -> /dev/block/mmcblk0p6
=============================================
( fstab.grouper )
==================================
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
/dev/block/platform/sdhci-tegra.3/by-name/APP /system ext4 noatime,nodiratime,nodev,noauto_da_alloc wait
/dev/block/platform/sdhci-tegra.3/by-name/CAC /cache ext4 noatime,nodiratime,nosuid,nodev,data=writeback,noauto_da_alloc,nomblk_io_submit,errors=panic wait
/dev/block/platform/sdhci-tegra.3/by-name/UDA /data ext4 noatime,nodiratime,nosuid,nodev,data=writeback,noauto_da_alloc,nomblk_io_submit,errors=panic wait,encryptable=/dev/block/platform/sdhci-tegra.3/by-name/MDA
/dev/block/platform/sdhci-tegra.3/by-name/MSC /misc emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/LNX /boot emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/SOS /recovery emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/USP /staging emmc defaults defaults
/devices/platform/tegra-ehci /storage/usbdisk vfat defaults voldmanaged=usbdisk:auto
---------------------------------------------
( fstab.grouper~ )
-------------------------------------
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
/dev/block/platform/sdhci-tegra.3/by-name/APP /system ext4 ro wait
/dev/block/platform/sdhci-tegra.3/by-name/CAC /cache ext4 noatime,nosuid,nodev,nomblk_io_submit,errors=panic wait
/dev/block/platform/sdhci-tegra.3/by-name/UDA /data ext4 noatime,nosuid,nodev,nomblk_io_submit,errors=panic wait,encryptable=/dev/block/platform/sdhci-tegra.3/by-name/MDA
/dev/block/platform/sdhci-tegra.3/by-name/MSC /misc emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/LNX /boot emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/SOS /recovery emmc defaults defaults
/dev/block/platform/sdhci-tegra.3/by-name/USP /staging emmc defaults defaults
/devices/platform/tegra-ehci /storage/usbdisk vfat defaults voldmanaged=usbdisk:auto
SMcC2 said:
I was afraid it might have to be done manually.
Well look over the zip I posted maybe it can save some time.
DarkAngel said:
Same here LOL. I have been trying to port CleanRom 4.0.0 JB 4.3
Above 4.2 you will need SELinux support in the kernel, so I don't think 4.3 is going to work.
aicjofs said:
Well look over the zip I posted maybe it can save some time.
Above 4.2 you will need SELinux support in the kernel, so I don't think 4.3 is going to work.
I know but I had to try.
You think I could just ls the vendor file and copy it in to a text file with the right format?
Here is an example from my HTC...
[email protected]:/ $ cd system
[email protected]:/system $ cd vendor
[email protected]:/system/vendor $ ls */*
etc/audio_effects.conf
firmware/acdb.mbn
firmware/apps.mbn
firmware/bcm4335_prepatch.hcd
firmware/dsp1.mbn
firmware/dsp2.mbn
firmware/dsp3.mbn
firmware/efs1.mbn
firmware/efs2.mbn
firmware/efs3.mbn
firmware/htc61.mbn
firmware/htc62.mbn
firmware/htc63.mbn
firmware/htc64.mbn
firmware/htc65.mbn
firmware/htccdma.mbn
firmware/htcnvbak.mbn
firmware/htcrcust.mbn
firmware/htcrfnv.mbn
firmware/htcsmem.mbn
firmware/htcssmem.mbn
keymaster.b00
keymaster.b01
keymaster.b02
keymaster.b03
keymaster.mdt
firmware/mdm_acdb.img
firmware/q6.b00
firmware/q6.b01
firmware/q6.b03
firmware/q6.b04
firmware/q6.b05
firmware/q6.b06
firmware/q6.mdt
firmware/rpm.mbn
firmware/sbl1.mbn
firmware/sbl1_82.mbn
firmware/sbl1_92.mbn
firmware/sbl1_96.mbn
firmware/sbl2.mbn
eglsubAndroid.so
libEGL_adreno.so
libGLESv1_CM_adreno.so
libGLESv2S3D_adreno.so
libGLESv2_adreno.so
libq3dtools_adreno.so
power.msm8960.so
lib/libC2D2.so
lib/libQSEEComAPI.so
lib/libRSDriver_adreno.so
lib/libWVStreamControlAPI_L1.so
lib/libadreno_utils.so
lib/libbt-vendor.so
lib/libc2d30-a3xx.so
lib/libc2d30.so
lib/libgsl.so
lib/libllvm-a3xx.so
lib/libqc-opt.so
lib/librs_adreno.so
lib/librs_adreno_sha1.so
lib/libsc-a3xx.so
lib/libwvm.so
detection
recognition
[email protected]:/system/vendor $

[GUIDE] How to unlock and root Xiaomi Redmi 9 (Galahad/Lancelot)

There are some posts on how to root the Xiaomi Redmi 9 (Galahad/Lancelot) phone, but since they have lots of "don't know" phrases (or files of unknown origin), I've managed to do the whole process from scratch.
Lancelot or Galahad
Basically, the codename for the Xiaomi Redmi 9 phone is Lancelot. But when you get shell via ADB, you will see Galahad. This can cause lots of confusion because you may think that Galahad and Lancelot are two different phones. In reality they're the same phone. Moreover, the specs of the Xiaomi Redmi 9 say that the phone has a MT6769T SoC (the info comes from the phone's /proc/cpuinfo). But it looks like the official ROM, TWRP, even CPU-Z treat the phone as if it had the MT6768 SoC. So keep that in mind when you look for some info concerning the phone.
The phone was bought in Europe/Poland last year (the black Friday, 2020) from the official source. Here's some more info:
Code:
galahad:/ # getprop | grep -i model
[ro.product.model]: [M2004J19C]
[ro.product.odm.model]: [M2004J19C]
[ro.product.product.model]: [M2004J19C]
[ro.product.system.model]: [M2004J19C]
[ro.product.vendor.model]: [M2004J19C]
galahad:/ # getprop | grep -i ro.build.version.
[ro.build.version.base_os]: [Redmi/galahad_eea/galahad:10/QP1A.190711.020/V12.0.0.1.QJCEUXM:user/release-keys]
[ro.build.version.incremental]: [V12.0.1.0.QJCEUXM]
[ro.build.version.security_patch]: [2021-01-05]
galahad:/ # getprop | grep -i baseband
[gsm.version.baseband]: [MOLY.LR12A.R3.MP.V98.P75,MOLY.LR12A.R3.MP.V98.P75]
[ro.baseband]: [unknown]
[vendor.gsm.project.baseband]: [HUAQIN_Q0MP1_MT6769_SP(LWCTG_CUSTOM)]
$ fastboot getvar all
...
(bootloader) product: lancelot
...
(bootloader) version-baseband: MOLY.LR12A.R3.MP.V98.P75
(bootloader) version-bootloader: lancelot-2b1e22f-20201123162228-2021011
(bootloader) version-preloader:
(bootloader) version: 0.5
...
The bootloader unlock
Before you even start thinking of flashing the TWRP image to the Xiaomi Redmi 9 (Galahad/Lancelot) phone, you have to unlock its bootloader first. It's a straightforward operation, but you need some proper tools to achieve that. If you're using Windows, use Mi Unlock; if you're on Linux, use xiaomitool. I'm a Linux user, so I can't help those of you who use Windows with this process. If you're going to use xiaomitool, there's a bug in the current version (20.7.28 beta), and you have to patch the source yourself to make it work again. It's not hard. There's a step-by-step article on how to do it. It's in Polish, but all the necessary commands are included so you can just ctrl+c and ctrl+v.
When you unlock the bootloader, you can flash the TWRP image, so make sure you have the following in the Developer options:
The TWRP image
There are some prebuilt TWRP images in the wild, but I wanted the source of the files, and I couldn't get any. But I've managed to target this device tree. I attached the twrp-recovery.img (64MiB) file in this post. It looks like the TWRP image built from that source has everything that's needed, so you won't really have to build it yourself. If you want to build the TWRP image yourself from the provided source, you have to go through setting up the Android build environment.
Flashing the TWRP image
When you have the TWRP image, you can flash it to the Xiaomi Redmi 9 (Galahad/Lancelot) phone using fastboot. On Debian, you just install the fastboot package. To flash the TWRP image, turn off your phone, turn it on using volumeDown+power, plug the phone via USB into your desktop/laptop and issue the following command:
Code:
$ fastboot flash recovery twrp-recovery.img
Remember one thing. This flashing has only a temporary effect. When you boot the device in a normal mode, the recovery partition will be automatically regenerated and flashed by your phone. So when you issue the command above, boot to recovery via:
Code:
$ fastboot reboot recovery
After you boot into TWRP recovery, it will ask for password. This is the password that you use to unlock your phone's lock screen.
Backup the phone's flash
The temporary TWRP recovery is needed to take the backup of the whole phone's flash. The only partition that has been changed is the recovery partition. Other partitions are intact. In this way, you can backup partitions that hold IMEI, WiFi/BT MACs, and other important stuff. If something goes wrong, you can restore the phone to its default state (after unlocking) using fastboot and the partition images.
To make the backup of the whole phone's flash, use the following command:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
This command is issued from your desktop/laptop computer, and not from the phone. Of course you could just use the dd command and backup the flash to the external SD card, but my external SD was only 32G, and the phone's flash is 64G. Besides it's better to store the phone's flash on your computer for future use.
The process of taking a backup is rather slow. It took around 2h (14M/s). After it finishes, you can check whether everything with the image is OK by looking into the image using the gdisk tool:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
/dev/block/mmcblk0: 1 file pulled. 14.0 MB/s (62537072640 bytes in 4266.682s)
# gdisk -l /media/Zami/mmcblk0.img
GPT fdisk (gdisk) version 1.0.7
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk /media/Zami/mmcblk0.img: 122142720 sectors, 58.2 GiB
Sector size (logical): 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 122142686
Partitions will be aligned on 16-sector boundaries
Total free space is 61 sectors (30.5 KiB)
Number Start (sector) End (sector) Size Code Name
1 64 131135 64.0 MiB 0700 recovery
2 131136 132159 512.0 KiB 0700 misc
3 132160 133183 512.0 KiB 0700 para
4 133184 174143 20.0 MiB 0700 expdb
5 174144 176191 1024.0 KiB 0700 frp
6 176192 192575 8.0 MiB 0700 vbmeta
7 192576 208959 8.0 MiB 0700 vbmeta_system
8 208960 225343 8.0 MiB 0700 vbmeta_vendor
9 225344 271631 22.6 MiB 0700 md_udc
10 271632 337167 32.0 MiB 0700 metadata
11 337168 402703 32.0 MiB 0700 nvcfg
12 402704 533775 64.0 MiB 0700 nvdata
13 533776 632079 48.0 MiB 0700 persist
14 632080 730383 48.0 MiB 0700 persistbak
15 730384 746767 8.0 MiB 0700 protect1
16 746768 770047 11.4 MiB 0700 protect2
17 770048 786431 8.0 MiB 0700 seccfg
18 786432 790527 2.0 MiB 0700 sec1
19 790528 796671 3.0 MiB 0700 proinfo
20 796672 797695 512.0 KiB 0700 efuse
21 797696 850943 26.0 MiB 0700 boot_para
22 850944 982015 64.0 MiB 0700 nvram
23 982016 998399 8.0 MiB 0700 logo
24 998400 1260543 128.0 MiB 0700 md1img
25 1260544 1262591 1024.0 KiB 0700 spmfw
26 1262592 1274879 6.0 MiB 0700 scp1
27 1274880 1287167 6.0 MiB 0700 scp2
28 1287168 1289215 1024.0 KiB 0700 sspm_1
29 1289216 1291263 1024.0 KiB 0700 sspm_2
30 1291264 1324031 16.0 MiB 0700 gz1
31 1324032 1356799 16.0 MiB 0700 gz2
32 1356800 1360895 2.0 MiB 0700 lk
33 1360896 1364991 2.0 MiB 0700 lk2
34 1364992 1496063 64.0 MiB 0700 boot
35 1496064 1528831 16.0 MiB 0700 dtbo
36 1528832 1539071 5.0 MiB 0700 tee1
37 1539072 1549311 5.0 MiB 0700 tee2
38 1549312 1582079 16.0 MiB 0700 gsort
39 1582080 1844223 128.0 MiB 0700 minidump
40 1844224 2630655 384.0 MiB 0700 exaid
41 2630656 4727807 1024.0 MiB 0700 cust
42 4727808 4744191 8.0 MiB 0700 devinfo
43 4744192 4767743 11.5 MiB 0700 ffu
44 4767744 19447807 7.0 GiB 0700 super
45 19447808 20332543 432.0 MiB 0700 cache
46 20332544 122021823 48.5 GiB 0700 userdata
47 122021824 122109887 43.0 MiB 0700 otp
48 122109888 122142655 16.0 MiB 0700 flashinfo
As you can see, there's the whole flash layout with all the partitions in their stock state (except for the recovery partition, of course). If something goes wrong, you can extract the individual partition by mounting the image on a linux system in the following way:
Code:
# losetup /dev/loop5 /media/Zami/mmcblk0.img
# losetup -a
/dev/loop5: [64769]:12 (/media/Zami/mmcblk0.img)
The above command uses the /dev/loop5 device to mount the image. Since the image has many partitions, the corresponding devices will be created for each partition, which looks like this:
Code:
# ls -al /dev/loop5*
brw-rw---- 1 root disk 7, 320 2021-08-29 02:54:11 /dev/loop5
brw-rw---- 1 root disk 7, 321 2021-08-29 02:54:11 /dev/loop5p1
brw-rw---- 1 root disk 7, 330 2021-08-29 02:54:11 /dev/loop5p10
brw-rw---- 1 root disk 7, 331 2021-08-29 02:54:11 /dev/loop5p11
brw-rw---- 1 root disk 7, 332 2021-08-29 02:54:11 /dev/loop5p12
brw-rw---- 1 root disk 7, 333 2021-08-29 02:54:11 /dev/loop5p13
brw-rw---- 1 root disk 7, 334 2021-08-29 02:54:11 /dev/loop5p14
brw-rw---- 1 root disk 7, 335 2021-08-29 02:54:11 /dev/loop5p15
brw-rw---- 1 root disk 7, 336 2021-08-29 02:54:11 /dev/loop5p16
brw-rw---- 1 root disk 7, 337 2021-08-29 02:54:11 /dev/loop5p17
brw-rw---- 1 root disk 7, 338 2021-08-29 02:54:11 /dev/loop5p18
brw-rw---- 1 root disk 7, 339 2021-08-29 02:54:11 /dev/loop5p19
brw-rw---- 1 root disk 7, 322 2021-08-29 02:54:11 /dev/loop5p2
brw-rw---- 1 root disk 7, 340 2021-08-29 02:54:11 /dev/loop5p20
brw-rw---- 1 root disk 7, 341 2021-08-29 02:54:11 /dev/loop5p21
brw-rw---- 1 root disk 7, 342 2021-08-29 02:54:11 /dev/loop5p22
brw-rw---- 1 root disk 7, 343 2021-08-29 02:54:11 /dev/loop5p23
brw-rw---- 1 root disk 7, 344 2021-08-29 02:54:11 /dev/loop5p24
brw-rw---- 1 root disk 7, 345 2021-08-29 02:54:11 /dev/loop5p25
brw-rw---- 1 root disk 7, 346 2021-08-29 02:54:11 /dev/loop5p26
brw-rw---- 1 root disk 7, 347 2021-08-29 02:54:11 /dev/loop5p27
brw-rw---- 1 root disk 7, 348 2021-08-29 02:54:11 /dev/loop5p28
brw-rw---- 1 root disk 7, 349 2021-08-29 02:54:11 /dev/loop5p29
brw-rw---- 1 root disk 7, 323 2021-08-29 02:54:11 /dev/loop5p3
brw-rw---- 1 root disk 7, 350 2021-08-29 02:54:11 /dev/loop5p30
brw-rw---- 1 root disk 7, 351 2021-08-29 02:54:11 /dev/loop5p31
brw-rw---- 1 root disk 7, 352 2021-08-29 02:54:11 /dev/loop5p32
brw-rw---- 1 root disk 7, 353 2021-08-29 02:54:11 /dev/loop5p33
brw-rw---- 1 root disk 7, 354 2021-08-29 02:54:11 /dev/loop5p34
brw-rw---- 1 root disk 7, 355 2021-08-29 02:54:11 /dev/loop5p35
brw-rw---- 1 root disk 7, 356 2021-08-29 02:54:11 /dev/loop5p36
brw-rw---- 1 root disk 7, 357 2021-08-29 02:54:11 /dev/loop5p37
brw-rw---- 1 root disk 7, 358 2021-08-29 02:54:11 /dev/loop5p38
brw-rw---- 1 root disk 7, 359 2021-08-29 02:54:11 /dev/loop5p39
brw-rw---- 1 root disk 7, 324 2021-08-29 02:54:11 /dev/loop5p4
brw-rw---- 1 root disk 7, 360 2021-08-29 02:54:11 /dev/loop5p40
brw-rw---- 1 root disk 7, 361 2021-08-29 02:54:11 /dev/loop5p41
brw-rw---- 1 root disk 7, 362 2021-08-29 02:54:11 /dev/loop5p42
brw-rw---- 1 root disk 7, 363 2021-08-29 02:54:11 /dev/loop5p43
brw-rw---- 1 root disk 7, 364 2021-08-29 02:54:11 /dev/loop5p44
brw-rw---- 1 root disk 7, 365 2021-08-29 02:54:11 /dev/loop5p45
brw-rw---- 1 root disk 7, 366 2021-08-29 02:54:11 /dev/loop5p46
brw-rw---- 1 root disk 7, 367 2021-08-29 02:54:11 /dev/loop5p47
brw-rw---- 1 root disk 7, 368 2021-08-29 02:54:11 /dev/loop5p48
brw-rw---- 1 root disk 7, 325 2021-08-29 02:54:11 /dev/loop5p5
brw-rw---- 1 root disk 7, 326 2021-08-29 02:54:11 /dev/loop5p6
brw-rw---- 1 root disk 7, 327 2021-08-29 02:54:11 /dev/loop5p7
brw-rw---- 1 root disk 7, 328 2021-08-29 02:54:11 /dev/loop5p8
brw-rw---- 1 root disk 7, 329 2021-08-29 02:54:11 /dev/loop5p9
To extract some partition (for instance the stock boot), use the following command:
Code:
# dd if=/dev/loop5p34 of=./34-stock-boot.img
Extracting any of the partitions from the backup creates a file that can be flashed via fastboot or directly via dd from TWRP recovery. So as long as fastboot (or TWRP recovery) works and you are able to switch to that mode, you shouldn't brick the phone for good. All the bricks should be only temporary and they go away when you flash the stock partitions to the changed ones. So pay attention to what changes you commit to the phone's flash.
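The same extraction can be done without root or a loop device by reading the GPT straight from the dump. The following is an added example, not part of the original guide: it parses and CRC-checks the primary GPT, rejects a dump that was truncated before the end of a partition, and copies one partition out by name while computing its SHA-256. The image written by `build_demo_image` is constructed test data, not the phone's layout.

```python
import hashlib
import os
import struct
import tempfile
import zlib

SECTOR = 512  # logical sector size gdisk reports for the dump


def read_gpt(image_path):
    """Parse the primary GPT and return {name: (number, first_lba, last_lba)}."""
    size = os.path.getsize(image_path)
    with open(image_path, "rb") as f:
        f.seek(SECTOR)  # LBA 1 holds the primary GPT header
        hdr = f.read(SECTOR)
        if len(hdr) < SECTOR or hdr[:8] != b"EFI PART":
            raise ValueError("no GPT signature at LBA 1")
        hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
        if not 92 <= hdr_size <= SECTOR:
            raise ValueError("implausible GPT header size")
        # The header CRC32 is computed with its own field set to zero.
        if zlib.crc32(hdr[:16] + b"\0" * 4 + hdr[20:hdr_size]) != hdr_crc:
            raise ValueError("GPT header CRC mismatch")
        table_lba, count, entry_size, table_crc = struct.unpack_from("<QIII", hdr, 72)
        if entry_size < 128 or count > 1024:
            raise ValueError("implausible partition table geometry")
        f.seek(table_lba * SECTOR)
        table = f.read(count * entry_size)
    if zlib.crc32(table) != table_crc:
        raise ValueError("GPT partition table CRC mismatch")
    parts = {}
    for i in range(count):
        entry = table[i * entry_size:(i + 1) * entry_size]
        if entry[:16] == b"\0" * 16:  # unused slot: all-zero type GUID
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").split("\0", 1)[0]
        if first > last or (last + 1) * SECTOR > size:
            raise ValueError(f"partition {name!r} lies outside the image (truncated dump?)")
        parts[name] = (i + 1, first, last)
    return parts


def extract_partition(image_path, name, out_path, chunk=1 << 20):
    """Copy one named partition out of the dump; return its SHA-256 hex digest."""
    _, first, last = read_gpt(image_path)[name]
    remaining = (last - first + 1) * SECTOR
    digest = hashlib.sha256()
    with open(image_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(first * SECTOR)
        while remaining:
            block = src.read(min(chunk, remaining))
            if not block:
                raise IOError("image ended before the partition did")
            dst.write(block)
            digest.update(block)
            remaining -= len(block)
    return digest.hexdigest()


def build_demo_image(path, total=128):
    """Write a small CONSTRUCTED GPT image for the demo (not the phone's layout)."""
    table = b""
    for number, (name, first, last) in enumerate([("recovery", 64, 71), ("boot", 72, 87)], 1):
        table += (b"\x07" * 16 + bytes([number]) * 16 + struct.pack("<QQQ", first, last, 0)
                  + name.encode("utf-16-le").ljust(72, b"\0"))
    table = table.ljust(128 * 128, b"\0")  # 128 slots of 128 bytes each
    hdr = struct.pack("<8sIIIIQQQQ16sQIII", b"EFI PART", 0x10000, 92, 0, 0, 1, total - 1,
                      34, total - 34, b"\0" * 16, 2, 128, 128, zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    img = bytearray(total * SECTOR)
    img[SECTOR:SECTOR + len(hdr)] = hdr
    img[2 * SECTOR:2 * SECTOR + len(table)] = table
    img[72 * SECTOR:88 * SECTOR] = b"ANDROID!" + b"\xAA" * (16 * SECTOR - 8)
    with open(path, "wb") as f:
        f.write(img)


def demo():
    """Build the constructed image, extract 'boot', return (table, digest, size)."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "mmcblk0-demo.img")
        out = os.path.join(tmp, "boot.img")
        build_demo_image(img)
        digest = extract_partition(img, "boot", out)
        return read_gpt(img), digest, os.path.getsize(out)


if __name__ == "__main__":
    parts, digest, size = demo()
    for name, (number, first, last) in parts.items():
        print(f"{number:3d} {first:10d} {last:10d} {name}")
    print(f"boot: {size} bytes, sha256 {digest}")
```

Recording the SHA-256 of each extracted stock partition at backup time gives a reference to compare against before anything is flashed back.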
The Magisk app and a bootloop
To sum up, we have a backup of the phone's flash on our computer, we have flashed a temp TWRP image to the recovery partition, and we are booted in the TWRP recovery mode. Now it's time to flash Magisk and get root on our Xiaomi Redmi 9 (Galahad/Lancelot) phone.
But not so fast. If you just flashed the Magisk apk file using TWRP, you will get a bootloop. This is because of the Android Verified Boot mechanism, which still works even after you unlock the phone. You can read about this AVB mechanism more here. Basically it's all about the boot partition hashes (and possibly other partition hashes as well) which are allowed by the manufacturer of the phone to be valid. So only those boot images that have valid hashes can be used in the boot process of the device. Flashing Magisk changes the boot partition, and in this way the hash of the boot partition changes. So, when you try to boot the phone after you flashed Magisk from the TWRP recovery, it will bootloop. Also you will lose access to the recovery partition, so you won't be able to revert the change you did when you flashed the Magisk app. The only way to restore the phone in such state is to flash the stock boot partition. That's why you should make the phone's whole flash backup. I include the stock boot partition here for those who didn't have the backup, but pay attention that this boot image is for Android10/MIUI12 (see the specs above), and I don't know what will happen if you use the image with different software/firmware/ROM.
Install the Magisk app
To avoid the unpleasant bootloop situation after flashing the Magisk app, you have to deactivate the AVB mechanism. You do this by flashing the stock vbmeta partition using fastboot, i.e. the following command:
Code:
# dd if=/dev/loop5p6 of=./6-stock-vbmeta.img
$ fastboot --disable-verity --disable-verification flash vbmeta 6-stock-vbmeta.img
You can proceed with flashing the Magisk app only after you disable the AVB mechanism.
If your phone restored the stock recovery, flash once again the TWRP recovery, and boot into the recovery mode. Download the most recent Magisk app, currently Magisk-v23.0.apk. Yes, I know it's an APK file, and yes, you have to flash the APK file via TWRP recovery. You're going to see some messages about repacking the stock boot and flashing it.
This is the step when the phone stops rewriting the custom recovery partition. So, after installing the Magisk app, the TWRP recovery will be persistent, and you won't have to flash it again.
After flashing the APK file, you have to boot to the phone's OS in order to finish installing Magisk (the OS part/app). You'll be prompted to do this step, so follow what it says and ultimately you get the Magisk installed:
SafetyNet
The next thing is to open the Magisk App. After this, check the SafetyNet. It should fail. Go to the options and "Hide the Magisk app". You also have to activate MagiskHide. After this, check the SafetyNet again. It should pass now.
So now you have the root access on your Xiaomi Redmi 9 (Galahad/Lancelot) and also it passes the SafetyNet.
This HOWTO should work for the Xiaomi Redmi 9 (Galahad/Lancelot) phones, but I'm not sure whether I forgot to mention something. Anyways, if you have any questions, or something doesn't work, ask.
Wow, really great guide, well written and all the info is there, not bad!!! Cheers!!!
I fixed some spelling mistakes, now it should be easier to read.
Thanks a lot for this great guide.
Small problem here though ;-)
Entering
$ fastboot reboot recovery
leads to:
fastboot: usage: unknown reboot target recovery
Looking at fastboot --help there is no such parameter. Either bootloader or emergency (the latter doesn't work)
Thanks in advance - Chris
It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?
morfikov said:
It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?
Thank you, morfikov - that was it. Mine was nearly 12 years old :-D
Everyone else facing this issue: latest SDK Platform Tools always under https://developer.android.com/studio/releases/platform-tools
Thanks again for your fabulous guide!
Great guide! I even managed to compile latest TWRP from the devicetree you linked. The only thing that I would add is that I had to use losetup -fP <name>.img. The "P" flag forces the loop device to display partitions and "f" just takes the first available device. As for magisk, I had to use the Didgeridoohan's MagiskHide Props Config module in order to pass CTS check. I just had to "Force BASIC key attestation" using the default value "galahad". I suspect that has to do with the fact that I'm running latest EEA rom (Android 11), other than that I use the same phone - European version bought in Poland.
morfikov said:
The process of taking a backup is rather slow. It took around 2h (14M/s)
You might have been using a USB 2.0 port.
It is advised that you use a USB 3.x Port. Throughput here was: 146.5 MB/s. It took around 10-15 Minutes.
Maybe you want to put that advice in your guide.
Another tip which makes the deactivation of the AVB mechanism and flashing the stock vbmeta partition using fastboot much easier and faster - and also suitable for Windows machines. It takes altogether only 2-3 minutes then:
When you're in TWRP after the first flash, instead of pulling the complete image of your Redmi 9 (which is not bad at all, but the image is not loadable under Win machines), you use the means of TWRP:
In TWRP you enter the section "Backup"
There you select the storage "Micro SD card"
In the list of partitions to be backed up ONLY select "vbmeta". It's only 8 MB. (This only takes a few seconds and requires not more than 9MB on your SD card ;-) )
Then "Swipe to Backup"
After that you stay in TWRP
Then you copy the tiny backup to your adb/fastboot folder on the PC (as you're in TWRP, you have full access):
Copy from your phone the files from Redmi's "External_SD/TWRP/BACKUPS/Redmi_9/<current date/time/ID>" to your adb/fastboot folder on the PC:
vbmeta.emmc.win
vbmeta.emmc.win.sha2
(recovery.log is not needed, it only contains the console output)
Within TWRP go back to the main menu and select "Reboot" and select "Fastboot"
The Smartphone reboots into TWRP / Fastboot mode
Now from the PC you turn the AVB mechanism off by flashing:
$ fastboot --disable-verity --disable-verification flash vbmeta vbmeta.emmc.win
Now you continue with the guide above - reflashing TWRP & booting in Recovery:
$ fastboot flash recovery twrp-recovery.img
$ fastboot reboot recovery
In TWRP back again, now flash Magisk-vXY.Z.apk and reboot to System after that (to clean Cache & Dalvik is not a bad idea).
The flash of TWRP is now permanent (can be entered anytime from device off --> Press and hold Power and Volume up buttons)
It's weird that windows still can't mount such images.
Any tip for me?
I have J19AG (lancelot at first). The problem is that I can't fix broken Google Play Protect on other roms than EEA. This phone came with EEA rom which had GPP. Then I unlocked bootloader and flashed non EEA rom. I have tried TR, ID, IN, RU fastboot roms but none worked with GPP.
I'm now on ID rom and trying to fix it using Magisk modules to change props. But neither galahad nor lancelot worked for Force Basic Key attestation. After changing galahad to lancelot my base_os prop is empty. Magisk CTS check is still failed.
Code:
[ro.build.version.all_codenames]: [REL]
[ro.build.version.base_os]: []
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [V12.0.3.0.QJCIDXM]
I would suggest restoring the phone to its stock state with a fastboot ROM. You can find some here:
Download: MIUI 12 stable update rolling out to several Xiaomi, Redmi and POCO devices
No I do not want this.
I asked some certain question.
I know exactly what I'm doing and have skills for that.
My goal was to have galahad with rom other than EEA with Google Play protect on.
Currently only EEA <-> Galahad is possible. ID, TW, TR rom have no Google Play protect when unlocked or locked bootloader on galahad (Redmi 9 with NFC).
The trick is to fix Google Play protect with Magisk and TWRP. But above methods didn't work for me.
I have no knowledge on this subject, so I can't help you with this.
Hello.
I'm having a problem using the losetup command. After using
sudo losetup /dev/loop3 mmcblk0.img
and checking out the partitions created with
ls -al /dev/loop3*
I only get ...
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop
When checking mmcblk0.img with command
gdisk -l mmcblk0.img
I get the same as you.
I understand that losetup doesn't create the partitions other than one so I can't extract anyone in particular. Am I doing something wrong? I'm using an updated Ubuntu 20.04.
Thanks for your help.
Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64
morfikov said:
Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64
After using the first command I get
modprobe: FATAL: Module loop is builtin.
The second one doesn't display anything.
Then again when using ls -al /dev/loop3* I get
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop3
Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.
morfikov said:
Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.
lotiopep said:
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.
Finally it worked! Thanks!
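
Added example, not part of the thread or the guide author's code: when `losetup` exposes no per-partition nodes, as in the posts above, a partition can be read by name straight from the raw dump by parsing its GPT, and the extracted `vbmeta` can be checked for the two flags that `fastboot --disable-verity --disable-verification` sets. The flag offset (120) and bit values follow the AVB vbmeta header layout rather than anything stated in the thread; the sample image is constructed and all function names are this example's own.

```python
#!/usr/bin/env python3
"""Pull a partition out of a raw eMMC dump by GPT name and read its AVB flags."""
import io
import struct
import sys

SECTOR = 512  # logical sector size of the dump (gdisk prints it)

# Bits of the 32-bit big-endian "flags" word at offset 120 of a vbmeta header
# (AVB header layout; an assumption of this example, not stated in the thread).
AVB_FLAGS = {1: "HASHTREE_DISABLED", 2: "VERIFICATION_DISABLED"}


def read_gpt(img):
    """Return {name: (first_lba, last_lba)} from the primary GPT (CRCs not checked)."""
    img.seek(SECTOR)  # the GPT header lives in LBA 1
    hdr = img.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = {}
    for i in range(count):
        img.seek(entries_lba * SECTOR + i * entry_size)
        entry = img.read(entry_size)
        if len(entry) < 128 or entry[:16] == bytes(16):
            continue  # short read or unused slot (all-zero type GUID)
        first, last = struct.unpack_from("<QQ", entry, 32)
        raw_name = entry[56:128].decode("utf-16-le", errors="replace")
        parts[raw_name.split("\x00", 1)[0]] = (first, last)
    return parts


def extract(img, parts, name):
    """Return the partition's bytes; meant for boot/vbmeta-sized partitions."""
    first, last = parts[name]
    img.seek(first * SECTOR)
    return img.read((last - first + 1) * SECTOR)


def avb_flags(vbmeta):
    """List the verification-disabling flags set in a vbmeta image."""
    if vbmeta[:4] != b"AVB0":
        raise ValueError("not a vbmeta image (magic AVB0 missing)")
    (flags,) = struct.unpack_from(">I", vbmeta, 120)
    return [label for bit, label in AVB_FLAGS.items() if flags & bit]


def build_sample_image():
    """Constructed sample: 64-sector disk, one 'vbmeta' partition, both flags set."""
    img = bytearray(64 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)  # entries at LBA 2
    entry = 2 * SECTOR
    img[entry:entry + 16] = b"\x01" * 16                   # any non-zero type GUID
    struct.pack_into("<QQ", img, entry + 32, 40, 41)       # LBA 40..41
    name = "vbmeta".encode("utf-16-le")
    img[entry + 56:entry + 56 + len(name)] = name
    img[40 * SECTOR:40 * SECTOR + 4] = b"AVB0"
    struct.pack_into(">I", img, 40 * SECTOR + 120, 3)      # both flags set
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    # Pass the path of a dump (e.g. mmcblk0.img); without one the sample is used.
    img = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample_image()
    parts = read_gpt(img)
    for name, (first, last) in parts.items():
        print(f"{name:16} LBA {first}-{last}")
    if "vbmeta" in parts:
        print("vbmeta flags:", avb_flags(extract(img, parts, "vbmeta")) or "none set")
```

An empty flag list on a dump taken after the `fastboot` command means the flags were not written to that copy of `vbmeta`.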

[GUIDE] How to unbrick a Xiaomi Redmi 9 (lancelot/galahad) phone via SP Flash Tool

I use crDroid v8.9 ROM (yes I know there's a newer version 8.11, but it didn't work for me for some reason). From time to time I visit xiaomifirmwareupdater.com/firmware/lancelot/ in order to check whether a newer firmware was released for my Xiaomi Redmi 9 (lancelot/galahad) phone. A couple days ago, I saw that there is V13.0.1.0.SJCEUXM (for Android 12). I was using V12.5.4.0.RJCEUXM for Android 11, but this crDroid version offered Android 12.1. Everything was working well. Since there was a new version of the firmware, I downloaded it and flashed it via SHRP recovery. The flashing process went as usual, i.e. without any errors, but when I restarted the device, it didn't turn on. Only the fastboot mode was working.
Restoring the firmware
Fortunately, the firmware package consists only of a few images that are flashed to their corresponding partitions on the phone, for instance:
Code:
$ patool list fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
patool: Listing fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip ...
patool: running /usr/bin/7z l -- fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (306A9),ASM,AES-NI)
Scanning the drive for archives:
1 file, 40808894 bytes (39 MiB)
Listing archive: fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
--
Path = fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
Type = zip
Physical Size = 40808894
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2022-02-28 13:40:44 D.... 0 0 META-INF
2022-02-28 13:40:40 ..... 280488 171992 preloader_raw.img
2022-02-28 13:40:40 ..... 282536 172052 preloader_ufs.img
2022-02-28 13:40:42 ..... 1 3 type.txt
2022-02-28 13:40:40 ..... 859 364 scatter.txt
2022-02-28 13:40:40 ..... 282536 172052 preloader_emmc.img
2022-02-28 13:40:40 ..... 59329408 35869684 md1img.img
2022-02-28 13:40:42 ..... 2505440 2166963 tee.img
2022-02-28 13:40:42 ..... 37984 7454 spmfw.img
2022-02-28 13:40:40 ..... 352816 144110 scp.img
2022-02-28 13:40:42 ..... 505616 483321 sspm.img
2022-02-28 13:40:24 ..... 1302976 522804 lk.img
2022-02-28 13:40:22 D.... 0 0 META-INF/com
2022-02-28 13:40:44 ..... 1634 1144 META-INF/CERT.RSA
2022-02-28 13:40:42 ..... 2217 999 META-INF/MANIFEST.MF
2022-02-28 13:40:42 ..... 2270 1091 META-INF/CERT.SF
2022-02-28 13:40:42 D.... 0 0 META-INF/com/android
2022-02-28 13:40:22 D.... 0 0 META-INF/com/google
2022-02-28 13:40:24 D.... 0 0 META-INF/com/google/android
2022-02-28 13:40:24 ..... 2340536 1090127 META-INF/com/google/android/update-binary
2022-02-28 13:40:44 ..... 3559 863 META-INF/com/google/android/updater-script
2022-02-28 13:40:22 ..... 316 220 META-INF/com/android/metadata
2022-02-28 13:40:42 ..... 1594 1077 META-INF/com/android/otacert
------------------- ----- ------------ ------------ ------------------------
2022-02-28 13:40:44 67232786 40806320 18 files, 5 folders
So if the fastboot mode works well, you can use the images and flash them in order to restore the device. Where to flash the images? Just check the flash layout of your phone:
Code:
# gdisk -l mmcblk0-stock-original.img
GPT fdisk (gdisk) version 1.0.9
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk mmcblk0-stock-original.img: 122142720 sectors, 58.2 GiB
Sector size (logical): 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 122142686
Partitions will be aligned on 16-sector boundaries
Total free space is 61 sectors (30.5 KiB)
Number Start (sector) End (sector) Size Code Name
1 64 131135 64.0 MiB 0700 recovery
2 131136 132159 512.0 KiB 0700 misc
3 132160 133183 512.0 KiB 0700 para
4 133184 174143 20.0 MiB 0700 expdb
5 174144 176191 1024.0 KiB 0700 frp
6 176192 192575 8.0 MiB 0700 vbmeta
7 192576 208959 8.0 MiB 0700 vbmeta_system
8 208960 225343 8.0 MiB 0700 vbmeta_vendor
9 225344 271631 22.6 MiB 0700 md_udc
10 271632 337167 32.0 MiB 0700 metadata
11 337168 402703 32.0 MiB 0700 nvcfg
12 402704 533775 64.0 MiB 0700 nvdata
13 533776 632079 48.0 MiB 0700 persist
14 632080 730383 48.0 MiB 0700 persistbak
15 730384 746767 8.0 MiB 0700 protect1
16 746768 770047 11.4 MiB 0700 protect2
17 770048 786431 8.0 MiB 0700 seccfg
18 786432 790527 2.0 MiB 0700 sec1
19 790528 796671 3.0 MiB 0700 proinfo
20 796672 797695 512.0 KiB 0700 efuse
21 797696 850943 26.0 MiB 0700 boot_para
22 850944 982015 64.0 MiB 0700 nvram
23 982016 998399 8.0 MiB 0700 logo
24 998400 1260543 128.0 MiB 0700 md1img
25 1260544 1262591 1024.0 KiB 0700 spmfw
26 1262592 1274879 6.0 MiB 0700 scp1
27 1274880 1287167 6.0 MiB 0700 scp2
28 1287168 1289215 1024.0 KiB 0700 sspm_1
29 1289216 1291263 1024.0 KiB 0700 sspm_2
30 1291264 1324031 16.0 MiB 0700 gz1
31 1324032 1356799 16.0 MiB 0700 gz2
32 1356800 1360895 2.0 MiB 0700 lk
33 1360896 1364991 2.0 MiB 0700 lk2
34 1364992 1496063 64.0 MiB 0700 boot
35 1496064 1528831 16.0 MiB 0700 dtbo
36 1528832 1539071 5.0 MiB 0700 tee1
37 1539072 1549311 5.0 MiB 0700 tee2
38 1549312 1582079 16.0 MiB 0700 gsort
39 1582080 1844223 128.0 MiB 0700 minidump
40 1844224 2630655 384.0 MiB 0700 exaid
41 2630656 4727807 1024.0 MiB 0700 cust
42 4727808 4744191 8.0 MiB 0700 devinfo
43 4744192 4767743 11.5 MiB 0700 ffu
44 4767744 19447807 7.0 GiB 0700 super
45 19447808 20332543 432.0 MiB 0700 cache
46 20332544 122021823 48.5 GiB 0700 userdata
47 122021824 122109887 43.0 MiB 0700 otp
48 122109888 122142655 16.0 MiB 0700 flashinfo
So:
- `md1img.img` -- goes to `md1img` (24)
- `tee.img` -- goes to `tee1` and `tee2` (36 and 37)
- `spmfw.img` -- goes to `spmfw` (25)
- `scp.img` -- goes to `scp1` and `scp2` (26 and 27)
- `sspm.img` -- goes to `sspm_1` and `sspm_2` (28 and 29)
- `lk.img` -- goes to `lk` and `lk2` (32 and 33)
- `preloader_raw.img` -- no idea what to do with it
- `preloader_ufs.img` -- no idea what to do with it
- `preloader_emmc.img` -- no idea what to do with it
From what I've read, the images sspm_1, tee1, scp1 and lk are responsible for the main loader, and images sspm_2, tee2, scp2, lk2 for the alternative loader. I flashed only the main loader images and forgot to flash the alt loader. Moreover, since I didn't know what to do with the preloader images (there are 3), I didn't flash any of them. :]
The phone is dead
When I rebooted my phone, there was no sign of life -- no vibration, no sound, no screen, no charging animation, nothing. When I connected the device to my laptop's USB port (with Debian Linux onboard), there was no log at all -- the phone seemed to be dead for good.
The phone is not dead
Playing with the phone's buttons a little bit (while the device is connected to my laptop's USB port), I found out that the Power + VolumeDown button combination generates the following messages in the system log on my Debian:
Code:
kernel: usb 3-1: new high-speed USB device number 10 using xhci_hcd
kernel: usb 3-1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
kernel: usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
kernel: usb 3-1: Device is not authorized for usage
kernel: cdc_acm 3-1:1.0: ttyACM0: USB ACM device
kernel: usb 3-1: authorized to connect
kernel: usb 3-1: USB disconnect, device number 10
So the phone looks to be partially dead, or not dead at all, or maybe even alive, but it only plays dead, just to force me to buy a new device. :]
SP Flash Tool and MTK Bypass Utility
Since Xiaomi Redmi 9 (lancelot/galahad) is a Mediatek device, there are some chances to restore its state using SP Flash Tool. So I downloaded SP_Flash_Tool_v5.2208_Linux and launched it. I also downloaded Redmi_9_Engineering_Rom.zip, but it looks like the fastboot ROM is sufficient.
There is only one issue with SP Flash Tool -- it doesn't work without some authorized account. Without this account you won't be able to flash anything using SP Flash Tool. But there's the MTK Bypass Utility tool.
To make the tool work, you have to do the following steps:
Code:
$ git clone https://github.com/MTK-bypass/bypass_utility
$ cd bypass_utility/
$ git clone https://github.com/MTK-bypass/exploits_collection
$ cd exploits_collection/
$ cp ./default_config.json5 ../
$ cp -a ./payloads/ ../
$ cd ..
Then you launch the program:
Code:
$ python3 main.py
[2023-01-28 12:04:55.807367] Waiting for device
And now you plug the phone into the USB port and press the Power + VolDown buttons. The following messages should appear in the log:
Code:
[2023-01-28 12:05:06.892077] Found device = 0e8d:0003
[2023-01-28 12:05:07.012749] Device hw code: 0x707
[2023-01-28 12:05:07.012871] Device hw sub code: 0x8a00
[2023-01-28 12:05:07.012936] Device hw version: 0xca00
[2023-01-28 12:05:07.012994] Device sw version: 0x0
[2023-01-28 12:05:07.013076] Device secure boot: True
[2023-01-28 12:05:07.013140] Device serial link authorization: True
[2023-01-28 12:05:07.013232] Device download agent authorization: True
[2023-01-28 12:05:07.013301] Disabling watchdog timer
[2023-01-28 12:05:07.014062] Disabling protection
[2023-01-28 12:05:07.038921] Protection disabled
Now we can use SP Flash Tool to restore the bricked phone. To be sure, just check if the device /dev/ttyACM0 exists in your system:
Code:
# ls -al /dev/ttyACM0
crw-rw----+ 1 root dialout 166, 0 2023-01-28 11:38:45 /dev/ttyACM0
We have to configure SP Flash Tool to use this device:
We need some DA file -- the one provided by SP Flash Tool should be good, but I used the DA file provided by the Engineering ROM. We also need some scatter.txt file -- it can be found either in Engineering ROM, or in fastboot ROM. We have to provide paths to the two files in SP Flash Tool:
We can see that all the firmware partitions can be flashed, including preloader. So in this case, I used the firmware images from the fastboot ROM, with the exception for dtbo and boot, since they come from crDroid ROM. Now all we have to do is to press the Download button.
Chip mismatch!
I selected only one partition (just for testing purposes, to see whether it will work at all) and I pressed the Download button. I got the following error:
And in text version it says:
Code:
[error] Chip mismatch! scatter: platform[MT6768] type[]; device: hw_code[0xb8e8],
hw_subcode[0x9400], hw_ver[0x7fb2], sw_ver[0x0], chip_evolution[0] #(chip_mapping.cpp, line:259)
But when I pressed the Download button again, it worked:
and
So I checked all the firmware partitions and flashed them in one turn. But this didn't fix my phone. I had to flash the preloader image. I used preloader_lancelot.bin from the fastboot image. When I flashed it, the phone booted normally. None of the user data was lost.
Also, the article is written in Polish, so you can read it on my blog if you don't know English well.
Happy flashing. :]
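
Added example, not from the guide: a pre-flash check of the image-to-partition list given in the post, using partition boundaries from the quoted gdisk table and image sizes from the quoted archive listing. It reports target partitions that would be left unwritten and images too large for their target; the preloader images are left out because the post gives no target for them, and the function and variable names are this example's own.

```python
#!/usr/bin/env python3
"""Check a firmware flashing plan against the partition table before writing."""
import re

SECTOR = 512

# Constructed sample: rows copied from the gdisk listing quoted in the post.
GDISK_ROWS = """\
  24   998400  1260543  128.0 MiB   0700  md1img
  25  1260544  1262591  1024.0 KiB  0700  spmfw
  26  1262592  1274879  6.0 MiB     0700  scp1
  27  1274880  1287167  6.0 MiB     0700  scp2
  28  1287168  1289215  1024.0 KiB  0700  sspm_1
  29  1289216  1291263  1024.0 KiB  0700  sspm_2
  32  1356800  1360895  2.0 MiB     0700  lk
  33  1360896  1364991  2.0 MiB     0700  lk2
  36  1528832  1539071  5.0 MiB     0700  tee1
  37  1539072  1549311  5.0 MiB     0700  tee2
"""

# Image -> target partitions, as listed in the post.
TARGETS = {
    "md1img.img": ["md1img"],
    "tee.img": ["tee1", "tee2"],
    "spmfw.img": ["spmfw"],
    "scp.img": ["scp1", "scp2"],
    "sspm.img": ["sspm_1", "sspm_2"],
    "lk.img": ["lk", "lk2"],
}

# Uncompressed sizes in bytes, from the archive listing quoted in the post.
IMAGE_SIZES = {
    "md1img.img": 59329408, "tee.img": 2505440, "spmfw.img": 37984,
    "scp.img": 352816, "sspm.img": 505616, "lk.img": 1302976,
}

ROW = re.compile(
    r"^\s*\d+\s+(\d+)\s+(\d+)\s+[\d.]+\s+\w+\s+[0-9A-Fa-f]{4}\s+(\S+)\s*$", re.M)


def parse_gdisk(text):
    """Return {partition name: size in bytes} from `gdisk -l` table rows."""
    return {m[3]: (int(m[2]) - int(m[1]) + 1) * SECTOR for m in ROW.finditer(text)}


def preflight(written, partitions, targets=TARGETS, image_sizes=IMAGE_SIZES):
    """written: {image: [partitions flashed or planned]}. Return a list of problems."""
    problems = []
    for image, wanted in targets.items():
        done = written.get(image, [])
        for part in wanted:
            if part not in partitions:
                problems.append(f"{part}: not in partition table")
            elif image_sizes[image] > partitions[part]:
                problems.append(
                    f"{image}: {image_sizes[image]} bytes exceeds {part} ({partitions[part]})")
            elif part not in done:
                problems.append(f"{part}: {image} not written")
    return problems


if __name__ == "__main__":
    table = parse_gdisk(GDISK_ROWS)
    # The plan described in the post: only the first copy of each loader image.
    plan = {image: parts[:1] for image, parts in TARGETS.items()}
    for line in preflight(plan, table) or ["plan covers every listed target"]:
        print(line)
```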
Hey, this was great, thanks, but I have a problem, after doing this I get "NV data is corrupted" and can't get past recovery. Any idea why? thanks again
After doing what?
Hello! After I corrupted the boot partition and entered a bootloop, I tried to reflash the preloader partition from fastboot and ended up in this same situation. I've been following this post and everything seems to be going perfect, but at the end of the post you say that you flashed preloader_lancelot.bin, but in all the images I could find there were 3 versions of it (preloader_emmc.img, preloader_raw.img and preloader_ufs.img), which one did you use?
The only time I saw a preloader_lancelot.bin file was with a mtk command that extracted the current one (but mine is invalid I guess).
Sorry if the English is not perfect, it's not my native language.
The file is in the fastboot ROM.
morfikov said:
The file is in the fastboot ROM.
You are right, my bad, I just looked over the first file and didn't see the second one.
Awesome post! I've just managed to boot, I'll see if I can update the system from some backups, idk in which moment I ended up flashing an old af android version that looks exactly like this (gotten from google):
@morfikov:
Thanks A LOT for this detailed walkthrough!
FWIW, even though my phone appeared dead, I managed to start it by :
- plugging it in
- holding VolumeUP + Power for several seconds
That was enough to start it again and display the Mi logo. It didn't go much further but that was a great change to begin with!
I still haven't managed to flash it back to stock ROM, as the phone keeps rebooting before I can flash anything. :-/
