There are some posts on how to root the Xiaomi Redmi 9 (Galahad/Lancelot) phone, but since they have lots of "don't know" phrases (or files of unknown origin), I've managed to do the whole process from scratch.
Lancelot or Galahad
Basically, the codename for the Xiaomi Redmi 9 phone is Lancelot. But when you get a shell via ADB, you will see Galahad. This can cause lots of confusion because you may think that Galahad and Lancelot are two different phones. In reality they're the same phone. Moreover, the specs of the Xiaomi Redmi 9 say that the phone has a MT6769T SoC (the info comes from the phone's /proc/cpuinfo). But it looks like the official ROM, TWRP, and even CPU-Z treat the phone as if it had the MT6768 SoC. So keep that in mind when you look for info concerning the phone.
The phone was bought in Europe/Poland last year (Black Friday, 2020) from the official source. Here's some more info:
Code:
galahad:/ # getprop | grep -i model
[ro.product.model]: [M2004J19C]
[ro.product.odm.model]: [M2004J19C]
[ro.product.product.model]: [M2004J19C]
[ro.product.system.model]: [M2004J19C]
[ro.product.vendor.model]: [M2004J19C]
galahad:/ # getprop | grep -i ro.build.version.
[ro.build.version.base_os]: [Redmi/galahad_eea/galahad:10/QP1A.190711.020/V12.0.0.1.QJCEUXM:user/release-keys]
[ro.build.version.incremental]: [V12.0.1.0.QJCEUXM]
[ro.build.version.security_patch]: [2021-01-05]
galahad:/ # getprop | grep -i baseband
[gsm.version.baseband]: [MOLY.LR12A.R3.MP.V98.P75,MOLY.LR12A.R3.MP.V98.P75]
[ro.baseband]: [unknown]
[vendor.gsm.project.baseband]: [HUAQIN_Q0MP1_MT6769_SP(LWCTG_CUSTOM)]
$ fastboot getvar all
...
(bootloader) product: lancelot
...
(bootloader) version-baseband: MOLY.LR12A.R3.MP.V98.P75
(bootloader) version-bootloader: lancelot-2b1e22f-20201123162228-2021011
(bootloader) version-preloader:
(bootloader) version: 0.5
...
The bootloader unlock
Before you even start thinking of flashing the TWRP image to the Xiaomi Redmi 9 (Galahad/Lancelot) phone, you have to unlock its bootloader first. It's a straightforward operation, but you need some proper tools to achieve that. If you're using Windows, use Mi Unlock; if you're on Linux, use xiaomitool. I'm a Linux user, so I can't help those of you who use Windows with this process. If you're going to use xiaomitool, there's a bug in the current version (20.7.28 beta), and you have to patch the source yourself to make it work again. It's not hard. There's an article that explains step by step how to do it. It's in Polish, but all the necessary commands are included so you can just ctrl+c and ctrl+v.
When you unlock the bootloader, you can flash the TWRP image, so make sure you have the following in the Developer options:
The TWRP image
There are some prebuilt TWRP images in the wild, but I wanted source of the files, and I couldn't get any. But I've managed to target this device tree. I attached the twrp-recovery.img (64MiB) file in this post. It looks like the TWRP image built from that source has everything that's needed, so you won't really have to build it yourself. If you want to build the TWRP image yourself from the provided source, you have to go through setting up the android build environment.
Flashing the TWRP image
When you have the TWRP image, you can flash it to the Xiaomi Redmi 9 (Galahad/Lancelot) phone using fastboot. On Debian, you just install the fastboot package. To flash the TWRP image, turn off your phone, turn it on using volumeDown+power, plug the phone via USB into your desktop/laptop and issue the following command:
Code:
$ fastboot flash recovery twrp-recovery.img
Remember one thing. This flashing has only a temporary effect. When you boot the device in a normal mode, the recovery partition will be automatically regenerated and flashed by your phone. So when you issue the command above, boot to recovery via:
Code:
$ fastboot reboot recovery
After you boot into TWRP recovery, it will ask for password. This is the password that you use to unlock your phone's lock screen.
Backup the phone's flash
The temporary TWRP recovery is needed to take the backup of the whole phone's flash. The only partition that has been changed is the recovery partition. Other partitions are intact. In this way, you can back up partitions that hold IMEI, WiFi/BT MACs, and other important stuff. If something goes wrong, you can restore the phone to its default state (after unlocking) using fastboot and the partition images.
To make the backup of the whole phone's flash, use the following command:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
This command is issued from your desktop/laptop computer, and not from the phone. Of course you could just use the dd command and backup the flash to the external SD card, but my external SD was only 32G, and the phone's flash is 64G. Besides it's better to store the phone's flash on your computer for future use.
The process of taking a backup is rather slow. It took around 2h (14M/s). After it finishes, you can check whether everything with the image is OK by looking into the image using the gdisk tool:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
/dev/block/mmcblk0: 1 file pulled. 14.0 MB/s (62537072640 bytes in 4266.682s)
# gdisk -l /media/Zami/mmcblk0.img
GPT fdisk (gdisk) version 1.0.7
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk /media/Zami/mmcblk0.img: 122142720 sectors, 58.2 GiB
Sector size (logical): 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 122142686
Partitions will be aligned on 16-sector boundaries
Total free space is 61 sectors (30.5 KiB)
Number Start (sector) End (sector) Size Code Name
1 64 131135 64.0 MiB 0700 recovery
2 131136 132159 512.0 KiB 0700 misc
3 132160 133183 512.0 KiB 0700 para
4 133184 174143 20.0 MiB 0700 expdb
5 174144 176191 1024.0 KiB 0700 frp
6 176192 192575 8.0 MiB 0700 vbmeta
7 192576 208959 8.0 MiB 0700 vbmeta_system
8 208960 225343 8.0 MiB 0700 vbmeta_vendor
9 225344 271631 22.6 MiB 0700 md_udc
10 271632 337167 32.0 MiB 0700 metadata
11 337168 402703 32.0 MiB 0700 nvcfg
12 402704 533775 64.0 MiB 0700 nvdata
13 533776 632079 48.0 MiB 0700 persist
14 632080 730383 48.0 MiB 0700 persistbak
15 730384 746767 8.0 MiB 0700 protect1
16 746768 770047 11.4 MiB 0700 protect2
17 770048 786431 8.0 MiB 0700 seccfg
18 786432 790527 2.0 MiB 0700 sec1
19 790528 796671 3.0 MiB 0700 proinfo
20 796672 797695 512.0 KiB 0700 efuse
21 797696 850943 26.0 MiB 0700 boot_para
22 850944 982015 64.0 MiB 0700 nvram
23 982016 998399 8.0 MiB 0700 logo
24 998400 1260543 128.0 MiB 0700 md1img
25 1260544 1262591 1024.0 KiB 0700 spmfw
26 1262592 1274879 6.0 MiB 0700 scp1
27 1274880 1287167 6.0 MiB 0700 scp2
28 1287168 1289215 1024.0 KiB 0700 sspm_1
29 1289216 1291263 1024.0 KiB 0700 sspm_2
30 1291264 1324031 16.0 MiB 0700 gz1
31 1324032 1356799 16.0 MiB 0700 gz2
32 1356800 1360895 2.0 MiB 0700 lk
33 1360896 1364991 2.0 MiB 0700 lk2
34 1364992 1496063 64.0 MiB 0700 boot
35 1496064 1528831 16.0 MiB 0700 dtbo
36 1528832 1539071 5.0 MiB 0700 tee1
37 1539072 1549311 5.0 MiB 0700 tee2
38 1549312 1582079 16.0 MiB 0700 gsort
39 1582080 1844223 128.0 MiB 0700 minidump
40 1844224 2630655 384.0 MiB 0700 exaid
41 2630656 4727807 1024.0 MiB 0700 cust
42 4727808 4744191 8.0 MiB 0700 devinfo
43 4744192 4767743 11.5 MiB 0700 ffu
44 4767744 19447807 7.0 GiB 0700 super
45 19447808 20332543 432.0 MiB 0700 cache
46 20332544 122021823 48.5 GiB 0700 userdata
47 122021824 122109887 43.0 MiB 0700 otp
48 122109888 122142655 16.0 MiB 0700 flashinfo
As you can see, there's the whole flash layout with all the partitions in their stock state (except for the recovery partition, of course). If something goes wrong, you can extract the individual partition by mounting the image on a linux system in the following way:
Code:
# losetup /dev/loop5 /media/Zami/mmcblk0.img
# losetup -a
/dev/loop5: [64769]:12 (/media/Zami/mmcblk0.img)
The above command uses the /dev/loop5 device to mount the image. Since the image has many partitions, the corresponding devices will be created for each partition, which looks like this:
Code:
# ls -al /dev/loop5*
brw-rw---- 1 root disk 7, 320 2021-08-29 02:54:11 /dev/loop5
brw-rw---- 1 root disk 7, 321 2021-08-29 02:54:11 /dev/loop5p1
brw-rw---- 1 root disk 7, 330 2021-08-29 02:54:11 /dev/loop5p10
brw-rw---- 1 root disk 7, 331 2021-08-29 02:54:11 /dev/loop5p11
brw-rw---- 1 root disk 7, 332 2021-08-29 02:54:11 /dev/loop5p12
brw-rw---- 1 root disk 7, 333 2021-08-29 02:54:11 /dev/loop5p13
brw-rw---- 1 root disk 7, 334 2021-08-29 02:54:11 /dev/loop5p14
brw-rw---- 1 root disk 7, 335 2021-08-29 02:54:11 /dev/loop5p15
brw-rw---- 1 root disk 7, 336 2021-08-29 02:54:11 /dev/loop5p16
brw-rw---- 1 root disk 7, 337 2021-08-29 02:54:11 /dev/loop5p17
brw-rw---- 1 root disk 7, 338 2021-08-29 02:54:11 /dev/loop5p18
brw-rw---- 1 root disk 7, 339 2021-08-29 02:54:11 /dev/loop5p19
brw-rw---- 1 root disk 7, 322 2021-08-29 02:54:11 /dev/loop5p2
brw-rw---- 1 root disk 7, 340 2021-08-29 02:54:11 /dev/loop5p20
brw-rw---- 1 root disk 7, 341 2021-08-29 02:54:11 /dev/loop5p21
brw-rw---- 1 root disk 7, 342 2021-08-29 02:54:11 /dev/loop5p22
brw-rw---- 1 root disk 7, 343 2021-08-29 02:54:11 /dev/loop5p23
brw-rw---- 1 root disk 7, 344 2021-08-29 02:54:11 /dev/loop5p24
brw-rw---- 1 root disk 7, 345 2021-08-29 02:54:11 /dev/loop5p25
brw-rw---- 1 root disk 7, 346 2021-08-29 02:54:11 /dev/loop5p26
brw-rw---- 1 root disk 7, 347 2021-08-29 02:54:11 /dev/loop5p27
brw-rw---- 1 root disk 7, 348 2021-08-29 02:54:11 /dev/loop5p28
brw-rw---- 1 root disk 7, 349 2021-08-29 02:54:11 /dev/loop5p29
brw-rw---- 1 root disk 7, 323 2021-08-29 02:54:11 /dev/loop5p3
brw-rw---- 1 root disk 7, 350 2021-08-29 02:54:11 /dev/loop5p30
brw-rw---- 1 root disk 7, 351 2021-08-29 02:54:11 /dev/loop5p31
brw-rw---- 1 root disk 7, 352 2021-08-29 02:54:11 /dev/loop5p32
brw-rw---- 1 root disk 7, 353 2021-08-29 02:54:11 /dev/loop5p33
brw-rw---- 1 root disk 7, 354 2021-08-29 02:54:11 /dev/loop5p34
brw-rw---- 1 root disk 7, 355 2021-08-29 02:54:11 /dev/loop5p35
brw-rw---- 1 root disk 7, 356 2021-08-29 02:54:11 /dev/loop5p36
brw-rw---- 1 root disk 7, 357 2021-08-29 02:54:11 /dev/loop5p37
brw-rw---- 1 root disk 7, 358 2021-08-29 02:54:11 /dev/loop5p38
brw-rw---- 1 root disk 7, 359 2021-08-29 02:54:11 /dev/loop5p39
brw-rw---- 1 root disk 7, 324 2021-08-29 02:54:11 /dev/loop5p4
brw-rw---- 1 root disk 7, 360 2021-08-29 02:54:11 /dev/loop5p40
brw-rw---- 1 root disk 7, 361 2021-08-29 02:54:11 /dev/loop5p41
brw-rw---- 1 root disk 7, 362 2021-08-29 02:54:11 /dev/loop5p42
brw-rw---- 1 root disk 7, 363 2021-08-29 02:54:11 /dev/loop5p43
brw-rw---- 1 root disk 7, 364 2021-08-29 02:54:11 /dev/loop5p44
brw-rw---- 1 root disk 7, 365 2021-08-29 02:54:11 /dev/loop5p45
brw-rw---- 1 root disk 7, 366 2021-08-29 02:54:11 /dev/loop5p46
brw-rw---- 1 root disk 7, 367 2021-08-29 02:54:11 /dev/loop5p47
brw-rw---- 1 root disk 7, 368 2021-08-29 02:54:11 /dev/loop5p48
brw-rw---- 1 root disk 7, 325 2021-08-29 02:54:11 /dev/loop5p5
brw-rw---- 1 root disk 7, 326 2021-08-29 02:54:11 /dev/loop5p6
brw-rw---- 1 root disk 7, 327 2021-08-29 02:54:11 /dev/loop5p7
brw-rw---- 1 root disk 7, 328 2021-08-29 02:54:11 /dev/loop5p8
brw-rw---- 1 root disk 7, 329 2021-08-29 02:54:11 /dev/loop5p9
To extract some partition (for instance the stock boot), use the following command:
Code:
# dd if=/dev/loop5p34 of=./34-stock-boot.img
Extracting any of the partitions from the backup creates a file that can be flashed via fastboot or directly via dd from TWRP recovery. So as long as fastboot (or TWRP recovery) works and you are able to switch to that mode, you shouldn't brick the phone for good. All the bricks should be only temporary and they go away when you flash the stock partitions to the changed ones. So pay attention to what changes you commit to the phone's flash.
The Magisk app and a bootloop
To sum up, we have a backup of the phone's flash on our computer, we have flashed a temp TWRP image to the recovery partition, and we are booted in the TWRP recovery mode. Now it's time to flash Magisk and get root on our Xiaomi Redmi 9 (Galahad/Lancelot) phone.
But not so fast. If you just flashed the Magisk apk file using TWRP, you will get a bootloop. This is because of the Android Verified Boot mechanism, which still works even after you unlock the phone. You can read more about this AVB mechanism here. Basically it's all about the boot partition hashes (and possibly other partition hashes as well) which are allowed by the manufacturer of the phone to be valid. So only those boot images that have valid hashes can be used in the boot process of the device. Flashing Magisk changes the boot partition, and in this way the hash of the boot partition changes. So, when you try to boot the phone after you flashed Magisk from the TWRP recovery, it will bootloop. Also you will lose access to the recovery partition, so you won't be able to revert the change you did when you flashed the Magisk app. The only way to restore the phone in such a state is to flash the stock boot partition. That's why you should make the phone's whole flash backup. I include the stock boot partition here for those who didn't have the backup, but pay attention that this boot image is for Android10/MIUI12 (see the specs above), and I don't know what will happen if you use the image with different software/firmware/ROM.
Install the Magisk app
To avoid the unpleasant bootloop situation after flashing the Magisk app, you have to deactivate the AVB mechanism. You do this by flashing the stock vbmeta partition using fastboot, i.e. the following command:
Code:
# dd if=/dev/loop5p6 of=./6-stock-vbmeta.img
$ fastboot --disable-verity --disable-verification flash vbmeta 6-stock-vbmeta.img
You can proceed with flashing the Magisk app only after you disable the AVB mechanism.
If your phone restored the stock recovery, flash once again the TWRP recovery, and boot into the recovery mode. Download the most recent Magisk app, currently Magisk-v23.0.apk. Yes, I know it's an APK file, and yes, you have to flash the APK file via TWRP recovery. You're going to see some messages about repacking the stock boot and flashing it.
This is the step when the phone stops rewriting the custom recovery partition. So, after installing the Magisk app, the TWRP recovery will be persistent, and you won't have to flash it again.
After flashing the APK file, you have to boot to the phone's OS in order to finish installing Magisk (the OS part/app). You'll be prompted to do this step, so follow what it says and ultimately you get Magisk installed:
SafetyNet
The next thing is to open the Magisk App. After this, check the SafetyNet. It should fail. Go to the options and "Hide the Magisk app". You also have to activate MagiskHide. After this, check the SafetyNet again. It should pass now.
So now you have the root access on your Xiaomi Redmi 9 (Galahad/Lancelot) and also it passes the SafetyNet.
This HOWTO should work for the Xiaomi Redmi 9 (Galahad/Lancelot) phones, but I'm not sure whether I forgot to mention something. Anyway, if you have any questions, or something doesn't work, ask.
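Added example (not part of the original post): the partition extraction and vbmeta steps above, done directly on the backup file. It reads the GPT of the image to find a partition by the names gdisk lists (boot, vbmeta), hashes it while copying it out, and decodes the two vbmeta header flag bits that fastboot's --disable-verity and --disable-verification options set; no loop device or root is needed. The tiny disk image built in the code is constructed sample data, and all function names are this example's own.

```python
import hashlib
import io
import struct

SECTOR = 512  # logical sector size gdisk reports for the image


def read_gpt(img):
    """Map partition name -> (first_lba, last_lba) from the primary GPT."""
    img.seek(1 * SECTOR)                       # primary GPT header is at LBA 1
    hdr = img.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    # Offset 72: entry array LBA (u64), entry count (u32), entry size (u32).
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    if entry_size < 128:
        raise ValueError("GPT entry size too small")
    img.seek(entries_lba * SECTOR)
    parts = {}
    for _ in range(count):
        entry = img.read(entry_size)
        if len(entry) < entry_size:
            raise ValueError("image truncated inside the partition table")
        if entry[:16] == bytes(16):            # all-zero type GUID = unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").split("\x00", 1)[0]
        parts[name] = (first, last)
    return parts


def dump_partition(img, parts, name, out=None, chunk=1 << 20):
    """Copy one partition to `out` (optional) and return its SHA-256 hex digest."""
    first, last = parts[name]
    remaining = (last - first + 1) * SECTOR    # gdisk's end sector is inclusive
    img.seek(first * SECTOR)
    digest = hashlib.sha256()
    while remaining:
        buf = img.read(min(chunk, remaining))
        if not buf:                            # e.g. an interrupted adb pull
            raise ValueError(f"image truncated inside {name!r}")
        digest.update(buf)
        if out is not None:
            out.write(buf)
        remaining -= len(buf)
    return digest.hexdigest()


def vbmeta_flags(img, parts):
    """Decode the AVB flags word (big-endian u32 at byte 120 of the header)."""
    first, _ = parts["vbmeta"]
    img.seek(first * SECTOR)
    hdr = img.read(256)
    if hdr[:4] != b"AVB0":
        raise ValueError("vbmeta partition does not start with AVB0 magic")
    (flags,) = struct.unpack_from(">I", hdr, 120)
    return {
        "verity_disabled": bool(flags & 0x1),        # set by --disable-verity
        "verification_disabled": bool(flags & 0x2),  # set by --disable-verification
    }


def build_constructed_image(flags=0):
    """Constructed sample: 64-sector GPT disk with 'vbmeta' and 'boot'."""
    layout = [("vbmeta", 40, 41), ("boot", 48, 55)]
    disk = bytearray(64 * SECTOR)
    disk[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", disk, SECTOR + 72, 2, 128, 128)
    for i, (name, first, last) in enumerate(layout):
        off = 2 * SECTOR + i * 128
        disk[off:off + 16] = bytes([i + 1]) * 16     # placeholder type GUID
        struct.pack_into("<QQ", disk, off + 32, first, last)
        raw = name.encode("utf-16-le")
        disk[off + 56:off + 56 + len(raw)] = raw
    vb = 40 * SECTOR
    disk[vb:vb + 4] = b"AVB0"
    struct.pack_into(">I", disk, vb + 120, flags)
    disk[48 * SECTOR:56 * SECTOR] = b"\xAA" * (8 * SECTOR)  # fake boot payload
    return bytes(disk)


if __name__ == "__main__":
    # Constructed image standing in for the backup, with both flag bits set.
    img = io.BytesIO(build_constructed_image(flags=3))
    parts = read_gpt(img)
    for name, (first, last) in parts.items():
        print(f"{name}: sectors {first}-{last}")
    print("boot sha256:", dump_partition(img, parts, "boot"))
    print("vbmeta flags:", vbmeta_flags(img, parts))
```

For the real backup, open it with open("mmcblk0.img", "rb") in place of the constructed image and pass an output file as `out`. A ValueError from dump_partition means the pulled image is shorter than its own partition table says it should be.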
Wow, really great guide, well written and all the info is there, not bad!!! Cheers!!!
I fixed some spelling mistakes, now it should be easier to read.
Thanks a lot for this great guide.
Small problem here though ;-)
Entering
$ fastboot reboot recovery
leads to:
fastboot: usage: unknown reboot target recovery
Looking at fastboot --help there is no such parameter. Either bootloader or emergency (the latter doesn't work)
Thanks in advance - Chris
It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?
morfikov said:
It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?
Thank you, morfikov - that was it. Mine was nearly 12 years old :-D
Everyone else facing this issue: latest SDK Platform Tools always under https://developer.android.com/studio/releases/platform-tools
Thanks again for your fabulous guide!
Great guide! I even managed to compile the latest TWRP from the device tree you linked. The only thing that I would add is that I had to use losetup -fP <name>.img. The "P" flag forces the loop device to display partitions and "f" just takes the first available device. As for Magisk, I had to use Didgeridoohan's MagiskHide Props Config module in order to pass the CTS check. I just had to "Force BASIC key attestation" using the default value "galahad". I suspect that has to do with the fact that I'm running the latest EEA ROM (Android 11); other than that I use the same phone - European version bought in Poland.
morfikov said:
The process of taking a backup is rather slow. It took around 2h (14M/s)
You might have been using a USB 2.0 port.
It is advised that you use a USB 3.x Port. Throughput here was: 146.5 MB/s. It took around 10-15 Minutes.
Maybe you want to put that advice in your guide.
Another tip which makes the deactivation of the AVB mechanism and flashing the stock vbmeta partition using fastboot much easier, faster - and also suitable for Windows machines. All together it then takes only 2-3 minutes:
When you're in TWRP after the first flash, instead of pulling the complete image of your Redmi 9 (which is not bad at all, but the image is not loadable under Win machines), you use the means of TWRP:
In TWRP you enter the section "Backup"
There you select the storage "Micro SD card"
In the list of partitions to be backed up ONLY select "vbmeta". It's only 8 MB. (This only takes a few seconds and requires not more than 9MB on your SD card ;-) )
Then "Swipe to Backup"
After that you stay in TWRP
Then you copy the tiny backup to your adb/fastboot folder on the PC (as you're in TWRP, you have full access):
Copy from your phone the files from Redmi's "External_SD/TWRP/BACKUPS/Redmi_9/<current date/time/ID>" to your adb/fastboot folder on the PC:
vbmeta.emmc.win
vbmeta.emmc.win.sha2
(recovery.log is not needed, it only contains the console output)
Within TWRP go back to the main menu and select "Reboot" and select "Fastboot"
The Smartphone reboots into TWRP / Fastboot mode
Now from the PC you turn the AVB mechanism off by flashing:
$ fastboot --disable-verity --disable-verification flash vbmeta vbmeta.emmc.win
Now you continue with the guide above - reflashing TWRP & booting in Recovery:
$ fastboot flash recovery twrp-recovery.img
$ fastboot reboot recovery
In TWRP back again, now flash Magisk-vXY.Z.apk and reboot to System after that (to clean Cache & Dalvik is not a bad idea).
The flash of TWRP is now permanent (can be entered anytime from device off --> Press and hold Power and Volume up buttons)
It's weird that windows still can't mount such images.
Any tip for me?
I have a J19AG (lancelot at first). The problem is that I can't fix broken Google Play Protect on ROMs other than EEA. This phone came with the EEA ROM, which had GPP. Then I unlocked the bootloader and flashed a non-EEA ROM. I have tried TR, ID, IN, RU fastboot ROMs but none worked with GPP.
I'm now on the ID ROM and trying to fix it using Magisk modules to change props. But neither galahad nor lancelot worked for Force Basic Key attestation. After changing galahad to lancelot my base_os prop is empty. The Magisk CTS check still fails.
Code:
[ro.build.version.all_codenames]: [REL]
[ro.build.version.base_os]: []
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [V12.0.3.0.QJCIDXM]
I would suggest you restore the phone to its stock state with a fastboot ROM. You can find some here:
Download: MIUI 12 stable update rolling out to several Xiaomi, Redmi and POCO devices
MIUI 12 stable builds have begun rolling out to several Xiaomi, Redmi, and POCO devices. Head on over for Recovery ROM and Fastboot ROM download links!
www.xda-developers.com
No I do not want this.
I asked a specific question.
I know exactly what I'm doing and have the skills for that.
My goal was to have galahad with a ROM other than EEA with Google Play Protect on.
Currently only EEA <-> Galahad is possible. ID, TW, TR ROMs have no Google Play Protect with an unlocked or locked bootloader on galahad (Redmi 9 with NFC).
The trick is to fix Google Play Protect with Magisk and TWRP. But the above methods didn't work for me.
I have no knowledge on this subject, so I can't help you with this.
Hello.
I'm having a problem using the losetup command. After using
sudo losetup /dev/loop3 mmcblk0.img
and checking out the partitions created with
ls -al /dev/loop3*
I only get ...
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop
When checking mmcblk0.img with command
gdisk -l mmcblk0.img
I get the same as you.
I understand that losetup doesn't create the partitions other than one, so I can't extract any one in particular. Am I doing something wrong? I'm using an updated Ubuntu 20.04.
Thanks for your help.
Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64
morfikov said:
Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64
After using the first command I get
modprobe: FATAL: Module loop is builtin.
The second one doesn't display anything.
Then again when using ls -al /dev/loop3* I get
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop3
Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.
morfikov said:
Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.
lotiopep said:
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.
Finally it worked! Thanks!
Related
I have an LG G2 VS980 and I rooted it but have not yet installed a recovery like TWRP; it is only the very basic root with super user. It decided to install some OTA update and now it will not boot past the LG screen. White letters flash really fast; all I could make out was secure boot error or something. I cannot get it into any kind of download or reset mode. I've tried absolutely everything anyone on this forum has recommended or suggested and nothing works. Also, when I connect it to my PC running Windows 8 it is seen as QSUSB_BULK. I have installed the correct updated drivers for my phone and I've manually installed them; nothing I have done will allow my PC to see my phone correctly. When I plug it in, under Computer there are local drives F-U that pop up and say I have to format them in order to use them, but they are write protected so I cannot view what's in them, format them or anything. Does anyone out there have any kind of suggestion to fix this, or am I just completely stupid and missing some big major step? I am also very new to Android; this is my first Android phone lol, I'm a converted Apple user haha, so the more in-depth detailed instructions would be greatly appreciated.
Did you resolve this? I'm having exactly the same problem
Daveg891 said:
Did you resolve this? I'm having exactly the same problem
Nope, still no fix yet. I just found this bit, haven't tried it yet:
Now just boot into Ubuntu and plug your LG G2 into the computer.
Put the downloaded files on the desktop or wherever you want. You just need to know the path to your files.
Unplug any other USB device except your mouse, keyboard and LG G2.
Open a terminal in Ubuntu, then type:
Code:
ls /dev/sd*
It should return something like this:
Quote:
/dev/sda /dev/sda1 /dev/sda2 /dev/sda5
/dev/sdb1 /dev/sdb2 /dev/sdb3 /dev/sdb4
/dev/sdb5 .......... /dev/sdb36
In this case your device is detected under sdb. You may have it under sdc. Just look for the biggest number, in this case /dev/sdb36, so it is sdb.
Linux keeps popping up the error message "unable to mount..."? Follow this solution by @priority3
Quote:
Originally Posted by priority3
You can stop the "unable to mount..." error messages from popping up by disabling
the automount feature of Ubuntu.
"To enable or disable automount open a terminal and type dconf-editor followed by the [Enter] key.
Browse to org.gnome.desktop.media-handling."
Now, according to the result of the first command, type the following:
Code:
gdisk -l /dev/sdb
You will get this result:
Code:
Number Start (sector) End (sector) Size Code Name
1 32768 163839 64.0 MiB 0700 modem
2 163840 165887 1024.0 KiB FFFF sbl1
3 165888 166911 512.0 KiB FFFF dbi
4 196608 197631 512.0 KiB FFFF DDR
5 229376 231423 1024.0 KiB FFFF aboot
6 231424 233471 1024.0 KiB FFFF rpm
7 262144 294911 16.0 MiB FFFF boot
8 294912 296959 1024.0 KiB FFFF tz
9 296960 296961 1024 bytes 0700 pad
10 327680 333823 3.0 MiB FFFF modemst1
11 333824 339967 3.0 MiB FFFF modemst2
12 339968 339969 1024 bytes FFFF pad1
13 360448 393215 16.0 MiB FFFF misc
14 393216 458751 32.0 MiB 0700 persist
15 458752 491519 16.0 MiB FFFF recovery
16 491520 497663 3.0 MiB FFFF fsg
17 524288 525311 512.0 KiB FFFF fsc
18 525312 526335 512.0 KiB FFFF ssd
19 526336 526337 1024 bytes FFFF pad2
20 526338 527361 512.0 KiB FFFF encrypt
21 557056 573439 8.0 MiB 0700 drm
22 573440 589823 8.0 MiB 0700 sns
23 589824 655359 32.0 MiB FFFF laf
24 655360 720895 32.0 MiB FFFF fota
25 720896 786431 32.0 MiB 0700 mpt
26 786432 787455 512.0 KiB FFFF dbibak
27 787456 789503 1024.0 KiB FFFF rpmbak
28 789504 791551 1024.0 KiB FFFF tzbak
29 791552 791567 8.0 KiB FFFF rct
30 819200 6488063 2.7 GiB 0700 system
31 6488064 7733247 608.0 MiB 0700 cache
32 7733248 7897087 80.0 MiB 0700 tombstones
33 7897088 7929855 16.0 MiB 0700 spare
34 7929856 8028159 48.0 MiB 0700 cust
35 8028160 30703615 10.8 GiB 0700 userdata
36 30703616 30777310 36.0 MiB 0700 grow
We are interested in the lines marked in red here. Those lines show us the partition numbers of each file we downloaded at the beginning.
I'm talking about
1- sbl1.img
2- aboot.img
3- rpm.img
4- tz.img
5- openrecovery-twrp-2.6.3.2-g2d802
In our case the sbl1.img is located under sdb2
aboot.img under sdb5
rpm.img under sdb6
tz.img under sdb8
recovery under sdb15
Now be careful and try to do it the right way.
We will use dd commands to push the img files into the right partitions.
So let's start:
If you are not logged in as root in Ubuntu, just open a terminal and type
Code:
sudo -i
Then type your password.
Now you must be under root access.
Then type the following dd command:
Code:
dd if=/home/med/Desktop/sbl1.img of=/dev/sdb2
I put the files on the desktop, so the path to the img files for me is /home/med/Desktop/. Just replace this path with the appropriate path to your files. Once done you will get some information about the file size you pushed and maybe the time of the operation.
Keep doing the same thing for the other files:
Code:
dd if=/home/med/Desktop/aboot.img of=/dev/sdb5
dd if=/home/med/Desktop/rpm.img of=/dev/sdb6
dd if=/home/med/Desktop/tz.img of=/dev/sdb8
dd if=/home/med/Desktop/openrecovery-twrp-2.6.3.2-g2d802 of=/dev/sdb15
Once you finish, just reboot your phone. If you did things as described you must boot into TWRP recovery.
Now just use TWRP to flash your ROM and follow this tutorial to reboot into your ROM
http://forum.xda-developers.com/show....php?t=2451696
Good Luck.
haeli said:
nope still no fix yet i just found this bit havent tried yet
Now just boot into ubuntu and plug your LG G2 to the computer.
Put the downloaded files in the desktop or wherever you want. You just need to know the path to your files.
unplug any other usb device except your mouse, keyboard and lg g2.
Open terminal in ubuntu then type:
Code:
ls /dev/sd*
It should return something like this:
Quote:
/dev/sda /dev/sda1 /dev/sda2 /dev/sda5
/dev/sdb1 /dev/sdb2 /dev/sdb3 /dev/sdb4
/dev/sdb5 .......... /dev/sdb36
In this case your device is detected under sdb. you may have it under sdc. just look for the biggest number, in this case /dev/sdb36 so it is sdb.
Linux keeps poping up error message "unable to mount..."? follow this solution by @priority3
Quote:
Originally Posted by priority3
You can stop the "unable to mount..." error messages from popping up by disabling
the automount feature of Ubuntu.
"To enable or disable automount open a terminal and type dconf-editor followed by the [Enter] key.
Browse to org.gnome.desktop.media-handling."
now, according to the result of the first command type the following:
Code:
gdisk -l /dev/sdb
you will get result:
Code:
Number Start (sector) End (sector) Size Code Name
1 32768 163839 64.0 MiB 0700 modem
2 163840 165887 1024.0 KiB FFFF sbl1
3 165888 166911 512.0 KiB FFFF dbi
4 196608 197631 512.0 KiB FFFF DDR
5 229376 231423 1024.0 KiB FFFF aboot
6 231424 233471 1024.0 KiB FFFF rpm
7 262144 294911 16.0 MiB FFFF boot
8 294912 296959 1024.0 KiB FFFF tz
9 296960 296961 1024 bytes 0700 pad
10 327680 333823 3.0 MiB FFFF modemst1
11 333824 339967 3.0 MiB FFFF modemst2
12 339968 339969 1024 bytes FFFF pad1
13 360448 393215 16.0 MiB FFFF misc
14 393216 458751 32.0 MiB 0700 persist
15 458752 491519 16.0 MiB FFFF recovery
16 491520 497663 3.0 MiB FFFF fsg
17 524288 525311 512.0 KiB FFFF fsc
18 525312 526335 512.0 KiB FFFF ssd
19 526336 526337 1024 bytes FFFF pad2
20 526338 527361 512.0 KiB FFFF encrypt
21 557056 573439 8.0 MiB 0700 drm
22 573440 589823 8.0 MiB 0700 sns
23 589824 655359 32.0 MiB FFFF laf
24 655360 720895 32.0 MiB FFFF fota
25 720896 786431 32.0 MiB 0700 mpt
26 786432 787455 512.0 KiB FFFF dbibak
27 787456 789503 1024.0 KiB FFFF rpmbak
28 789504 791551 1024.0 KiB FFFF tzbak
29 791552 791567 8.0 KiB FFFF rct
30 819200 6488063 2.7 GiB 0700 system
31 6488064 7733247 608.0 MiB 0700 cache
32 7733248 7897087 80.0 MiB 0700 tombstones
33 7897088 7929855 16.0 MiB 0700 spare
34 7929856 8028159 48.0 MiB 0700 cust
35 8028160 30703615 10.8 GiB 0700 userdata
36 30703616 30777310 36.0 MiB 0700 grow
We are interested in the lines marked in red here. Those lines show us the partition number for each file we downloaded at the beginning.
I'm talking about
1- sbl1.img
2- aboot.img
3- rpm.img
4- tz.img
5- openrecovery-twrp-2.6.3.2-g2d802
in our case the sbl1.img is located under sdb2
aboot.img under sdb5
rpm.img under sdb6
tz.img under sdb8
recovery under sdb15
Now be careful and try to do it the right way.
We will use dd commands to push the img files into the right partitions.
So let's start:
If you are not logged in as root in Ubuntu, just open a terminal and type
Code:
sudo -i
then type your password
now you must be under root access.
then type the following dd command:
Code:
dd if=/home/med/Desktop/sbl1.img of=/dev/sdb2
I put the files on the desktop, so the path to the img files for me is /home/med/Desktop/. Just replace this path with the appropriate path to your files. Once done, you will get some information about the size of the file you pushed and maybe the time the operation took.
Keep doing the same thing for the other files:
Code:
dd if=/home/med/Desktop/aboot.img of=/dev/sdb5
dd if=/home/med/Desktop/rpm.img of=/dev/sdb6
dd if=/home/med/Desktop/tz.img of=/dev/sdb8
dd if=/home/med/Desktop/openrecovery-twrp-2.6.3.2-g2d802 of=/dev/sdb15
Once you finish just reboot your phone, if you did things as described you must boot into twrp recovery.
now just use twrp to flash your ROM and follow this tutorial to reboot into your ROM
http://forum.xda-developers.com/show....php?t=2451696
Good Luck.
Any luck? I have recently done the same thing to mine. I don't have Ubuntu and would be glad to hear if this works or not.
Rooted T-Mobile variant.
Couldn't get Boombox to load.
Realized it is not supposed to work for my phone.
Went into TWRP.
Started a format on pretty much everything I could select.
4 hours later into my exfat format, I start thinking, yeah, this is... not... this is too long. I've destroyed it. SO, just to be sure it was a paperweight, I turned it off. Mid format... of every selectable partition in TWRP.
So anyway, it boots to fastboot now, and if I try to boot it into download mode, it starts TWRP but never loads. I put TWRP on my LAF partition as the root guide for H932 recommended it. The irony.
I CAN use ADB when I attempt to get the phone into download mode. Again, it does not actually have download mode, but instead a broken TWRP that never actually loads. The CLI TWRP found in sbin also will not actually start either.
If anyone could help me repartition this back to the point where I flash normal boot.img/system.img/recovery.img etc, well that would be, a godsend.
I will do, or answer any questions.
I do not know Linux, but despite behavior that warrants wearing a helmet when leaving the house, I promise I am competent enough to fix this, with some help.
Thanks people
--Edit--
cat /proc/partitions
major minor #blocks name
1 0 8192 ram0
1 1 8192 ram1
1 2 8192 ram2
1 3 8192 ram3
1 4 8192 ram4
1 5 8192 ram5
1 6 8192 ram6
1 7 8192 ram7
1 8 8192 ram8
1 9 8192 ram9
1 10 8192 ram10
1 11 8192 ram11
1 12 8192 ram12
1 13 8192 ram13
1 14 8192 ram14
1 15 8192 ram15
8 48 8192 sdd
8 49 2048 sdd1
8 50 4 sdd2
8 51 8 sdd3
8 64 286720 sde
8 65 40960 sde1
8 66 41472 sde2
8 67 41472 sde3
8 68 2048 sde4
8 69 2048 sde5
8 70 4096 sde6
8 71 4096 sde7
8 72 512 sde8
8 73 512 sde9
8 74 512 sde10
8 75 512 sde11
8 76 512 sde12
8 77 512 sde13
8 78 128 sde14
8 79 128 sde15
259 0 112640 sde16
259 1 512 sde17
259 3 512 sde18
259 4 512 sde19
259 6 512 sde20
259 7 512 sde21
259 9 512 sde22
259 11 512 sde23
259 12 512 sde24
259 14 512 sde25
259 15 512 sde26
259 17 1024 sde27
259 18 1024 sde28
259 20 4 sde29
259 22 1024 sde30
259 23 8192 sde31
259 25 128 sde32
259 26 128 sde33
259 27 8 sde34
8 96 8192 sdg
8 97 2048 sdg1
8 98 8 sdg2
8 80 8192 sdf
8 81 2048 sdf1
8 82 2048 sdf2
8 83 512 sdf3
8 84 8 sdf4
8 0 62103552 sda
8 1 49152 sda1
8 2 49152 sda2
8 3 32768 sda3
8 4 10240 sda4
8 5 6144 sda5
8 6 1024 sda6
8 7 32768 sda7
8 8 16384 sda8
8 9 8192 sda9
8 10 40960 sda10
8 11 67584 sda11
8 12 512 sda12
8 13 512 sda13
8 14 512 sda14
8 15 512 sda15
259 2 512 sda16
259 5 32768 sda17
259 8 8192 sda18
259 10 24576 sda19
259 13 2048 sda20
259 16 6465536 sda21
259 19 1253376 sda22
259 21 54000080 sda23
259 24 4 sda24
8 16 32768 sdb
8 17 3584 sdb1
8 18 4096 sdb2
8 19 2048 sdb3
8 20 1024 sdb4
8 21 1024 sdb5
8 22 8 sdb6
8 32 8192 sdc
8 33 3584 sdc1
8 34 8 sdc2
179 0 31166976 mmcblk0
179 1 31165952 mmcblk0p1
If ADB is indeed working, have you tried reflashing twrp to the LAF n' seeing if that does anything to get you back to a working recovery?
ls -al /dev/block/platform/soc/1da4000.ufshc/by-name
send output of this with adb shell
---------- Post added at 08:29 AM ---------- Previous post was at 08:24 AM ----------
4 hours later into my exfat format, I start thinking, yeah, this is... not... this is too long. I've destroyed it. SO, just to be sure it was a paperweight, I turned it off. Mid format... of every selectable partition in TWRP.
By exfat format, what do you mean?
the easiest would be to adb dd / push the laf partition back and work with it then, means: write laf, boot into dl mode, flash kdz. should work :good:
btw: which recovery version do you use? for determining which partitions were erased.
next time: formatting *only* needed for the main partitions, which are boot (not formattable) and system. don't touch any other partition next time pls (at least in terms of formatting)
I don't have time to post the details, but right now you can fix your phone using dd. If you wipe out what you currently have thinking download mode will save you .. it might, but it might not and then you are stuck.
Gimme a bit to type up exactly what you need to do before you make it worse.
-- Brian
Renwark-Zipper said:
So anyway, it boots to fastboot now, and if I try to boot it into download mode, it starts TWRP but never loads. I put TWRP on my LAF partition as the root guide for H932 recommended it. The irony.
"I put TWRP on my LAF partition as the root guide for H932 recommended it. The irony."
Yeah, the only thing that literally saved you right now......
GI, you messed up your device, then blame the dev for a suggestion that will help you.....
Sent from my LG-H932 using XDA Labs
wow, so many partitions.
anyways, the "HIDE" button or use of HIDE tags is how you create spoilers and the pound sign or CODE tags is for code:
Ends up coming out like this:
hidden text here
or for code inside of hide:
Code:
hidden text here
BROKEN1981 said:
"I put TWRP on my LAF partition as the root guide for H932 recommended it. The irony."
Yeah, the only thing that literally saved you right now......
GI, you messed up your device, then blame the dev for a suggestion that will help you.....
Sent from my LG-H932 using XDA Labs
Reading titles is fun. It says "I'm the big dumb" right at the top. Notice the "I'm" that stands for "I AM". Translation: I'm not blaming the dev for anything, I AM THE ONE WHO DID THIS, THE ENTIRE POST OUTLINES MY STUPIDITY. The ironic part is I flashed over the download mode. Ya know, the one that lets you plug it into the computer and simply reflash with LGUP. If download mode was on the phone, this post wouldn't exist. End of story. I fully agree with his recommendation to have it on there, which is why I did it. The FACT, that it turned out to be the thing holding me back from fixing the phone was IRONIC.
sneak310 said:
wow, so many partitions.
anyways, the "HIDE" button or use of HIDE tags is how you create spoilers and the pound sign or CODE tags is for code:
Ends up coming out like this:
hidden text here
or for code inside of hide:
Code:
hidden text here
You're awesome, thanks!
I reported my own thread because I did not realize I cannot simply delete it myself. Do you know how to get this post deleted? I fixed the problem, but to be honest I can not remember all of the steps I took to do so. If someone finds themselves in a similar situation it might be nice to have this thread here, but as far as I am concerned I can be removed.
seadersn said:
the easiest would be to adb dd / push the laf partition back and work with it then, means: write laf, boot into dl mode, flash kdz. should work :good:
btw: which recovery version do you use? for determining which partitions were erased.
next time: formatting *only* needed for the main partitions, which are boot (not formattable) and system. don't touch any other partition next time pls (at least in terms of formatting)
This is what I did! This works!
TWRP-3.2.3-7-DataIMG.img was the exact recovery used.
JohnFawkes said:
ls -al /dev/block/platform/soc/1da4000.ufshc/by-name
send output of this with adb shell
---------- Post added at 08:29 AM ---------- Previous post was at 08:24 AM ----------
4 hours later into my exfat format, I start thinking, yeah, this is... not... this is too long. I've destroyed it. SO, just to be sure it was a paperweight, I turned it off. Mid format... of every selectable partition in TWRP.
By exfat format, what do you mean?
I went into the wipe tab of TWRP and thought it would be a super idea to select everything I could, then change the file system to exFAT.
I'm... not sure what in the world I was hoping to actually accomplish with this. I had it in my head that If I formatted everything to one format, then back to the original, It might be a quick fix to my never booting custom rom.
It was not quick, and it was not thought through.
BrandonB1218 said:
If ADB is indeed working, have you tried reflashing twrp to the LAF n' seeing if that does anything to get you back to a working recovery?
I did try that, It did not work.
What seadersn outlined in his post is the route I took to repair. Quite simple actually, I just did not really know what I was doing.
Renwark-Zipper said:
You're awesome, thanks!
I reported my own thread because I did not realize I cannot simply delete it myself. Do you know how to get this post deleted? I fixed the problem, but to be honest I can not remember all of the steps I took to do so. If someone finds themselves in a similar situation it might be nice to have this thread here, but as far as I am concerned I can be removed.
Nope, they don't let you delete threads here.
Renwark-Zipper said:
Reading titles is fun. It says "I'm the big dumb" right at the top. Notice the "I'm" that stands for "I AM". Translation: I'm not blaming the dev for anything, I AM THE ONE WHO DID THIS, THE ENTIRE POST OUTLINES MY STUPIDITY.
The ironic part is I flashed over the download mode. Ya know, the one that lets you plug it into the computer and simply reflash with LGUP. If download mode was on the phone, this post wouldn't exist. End of story. I fully agree with his recommendation to have it on there, which is why I did it. The FACT, that it turned out to be the thing holding me back from fixing the phone was IRONIC.
There is nothing wrong with pointing out differences of opinion over flashing a duplicate/redundant TWRP over the partition that has download mode, which thus deletes download mode. I disagree with doing that, as do some developers in this forum. Not going to bother posting quotes, as I'm not starting an argument. It has been discussed in depth in the TWRP thread. However, other respected people recommend it, and they have their reasons. Looking at the history of that suggestion, it really seems to be tied to T-Mobile variants for reasons I don't wish to delve into here, but which I concede may be relevant to those T-Mobile models.
Regardless, in my opinion it's not needed for most people and then when you DO suddenly need download mode, it's not there. The opposite point of view is "If you have TWRP, why would you ever need download mode?" I can think of a few instances... and their response would be, "Then (if/when you need it) re-flash the partition to get download mode!"
So, it's up to the users themselves to determine the priority of their needs and what likelihood will be for disaster recovery, one way or the other -- needing extra copy of TWRP vs needing download mode. There's no right or wrong answer.
Renwark-Zipper said:
The ironic part is I flashed over the download mode. Ya know, the one that lets you plug it into the computer and simply reflash with LGUP. If download mode was on the phone, this post wouldn't exist. End of story. .
Congratulations on not knowing what you are talking about. I think you can STFU now.
Sent from my LG-H932 using XDA Labs
[GUIDE][TREBLE][LG-F400]Create a vendor partition & Let your LG-F400 support treble
Code:
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/
Create a vendor partition for LG-F400 & Flash TWRP Recovery support treble
[Author]: Cyborg2017 (Cyborg Yang)
Github: https://github.com/Cyborg2017
Email: [email protected]
Telegram: https://t.me/Cyborg2017
[Device Tree]:
https://github.com/lge-devs/twrp_treble_device_lge_f400
[Download]: TWRP Recovery support treble:
https://androidfilehost.com/?fid=1395089523397899645
[Guide PDF]:
https://www.androidfilehost.com/?fid=1395089523397899658
[Preparation]:
You need to flash twrp_recovery_treble_f400.img (which I provided);
Restart to the twrp recovery interface.
[Start](Make sure you do the following in the twrp recovery support treble interface):
1.
Code:
$ adb devices
2.
Code:
$ adb shell
3.
Code:
~# parted /dev/block/mmcblk0
4.
Code:
(parted) Unit MB // Set the unit to “MB”
5.
Code:
(parted) p // Print partition information
6.
Code:
(parted) rm 41 // delete “/cache”
7.
Code:
(parted) rm 42 //delete “/userdata”
8.
Code:
(parted) rm 43 //delete “/grow”(no use)
9.
Code:
(parted) mkpartfs 41 // create “/cache”
Code:
File system type? [ext2]? (Enter)
Start? 2953
End? 3142
10.
Code:
(parted) mkpartfs 42 // create “/userdata”
Code:
File system type? [ext2]? (Enter)
Start? 3142
End? 30568
11.
Code:
(parted) mkpartfs 43 // create “/vendor”
Code:
File system type? [ext2]? (Enter)
Start? 30568
End? 31269
12.
Code:
(parted) name 41 cache
13.
Code:
(parted) name 42 userdata
14.
Code:
(parted) name 43 vendor
15.
Code:
(parted) p // means “print”
16.
Code:
(parted) q // means “quit”
17.
Code:
~ # reboot recovery // reboot into twrp recovery
18. Restart your phone into TWRP RECOVERY (provided by me):
(1) Repair or convert file system: Convert file system: EXT4;
(2) Convert cache, data, and vendor partition to EXT4;
19. Congratulations! Your device already supports treble!
20. If you need a more detailed tutorial (including image + text), please download the guide:
https://www.androidfilehost.com/?fid=1395089523397899658
Or contact me:
https://t.me/Cyborg2017
What ?
treble rom
Which kind of treble rom must I use?
arm or arm64?
A or AB?
A little bit more information would be nice.
Thanks for your work. :good:
lokalkey said:
Which kind of treble rom must I use?
arm or arm64?
A or AB?
A little bit more information would be nice.
Thanks for your work. :good:
Arm and A only
lokalkey said:
Which kind of treble rom must I use?
arm or arm64?
A or AB?
A little bit more information would be nice.
Thanks for your work. :good:
A only. Thanks for your support, I will upload the basic ROM that supports treble soon.
yang_w said:
A only. Thanks for your support, I will upload the basic ROM that supports treble soon.
Are you planning to bring this to more G3 variants?
Thanhbat said:
Are you planning to bring this to more G3 variants?
If I can get the partition table information of other G3 devices, I am happy to do this.
yang_w said:
If I can get the partition table information of other G3 devices, I am happy to do this.
How can I get the partition table info from mine? D852
iloveoreos said:
How can I get the partition table info from mine? D852
Contact me directly on Telegram, I will help you.
search: Cyborg2017
Here is a dump of the partition table everyone uses for the exploitable vs985 12B bootloader (can bypass recovery and system sigcheck with bump, don't bother with any other tables):
http://glacialsoftware.net/vs985tabledata.zip
(Everyone else please note that host is limited bandwidth, it's a small file but still don't kill my server please. )
So yeah, If you could add vs985 treble support for it that would be excellent! I am an experienced debricker and somewhat experienced developer and would be happy to test to further the efforts to add support to this device.
Thanks!
-RTB
R-T-B said:
Here is a dump of the partition table everyone uses for the exploitable vs985 12B bootloader (can bypass recovery and system sigcheck with bump, don't bother with any other tables):
http://glacialsoftware.net/vs985tabledata.zip
(Everyone else please note that host is limited bandwidth, it's a small file but still don't kill my server please. )
So yeah, If you could add vs985 treble support for it that would be excellent! I am an experienced debricker and somewhat experienced developer and would be happy to test to further the efforts to add support to this device.
Thanks!
-RTB
The txt shows garbled characters, you can contact me with telegram, so I can help you.
yang_w said:
The txt shows garbled characters, you can contact me with telegram, so I can help you.
Sorry about that, it appears the text file is some proprietary LG format. The .bin files are raw partition table dumps though of the GPT... Maybe that can help you.
I would be happy to jump on Telegram but can't today. Birthday party for my brother, heh.
Will D855 ever be supported?
What are the advantages to have treble support on the LG G3?
something new @ other lg g3 versions?
@ yang_w
yang_w said:
If I can get the partition table information of other G3 devices, I am happy to do this.
LG G3 LS990 partition table
Code:
GPT fdisk (gdisk) version 1.0.3
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk /dev/block/mmcblk0: 61071360 sectors, 29.1 GiB
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 98101B32-BBE2-4BF2-A06E-2BB33D000C20
Partition table holds up to 44 entries
Main partition table begins at sector 2 and ends at sector 12
First usable sector is 34, last usable sector is 61071326
Partitions will be aligned on 1-sector boundaries
Total free space is 32734 sectors (16.0 MiB)
Number Start (sector) End (sector) Size Code Name
1 32768 163839 64.0 MiB 0700 modem
2 163840 165887 1024.0 KiB FFFF sbl1
3 165888 166911 512.0 KiB FFFF dbi
4 166912 167935 512.0 KiB FFFF DDR
5 167936 172031 2.0 MiB FFFF aboot
6 172032 174079 1024.0 KiB FFFF rpm
7 174080 176127 1024.0 KiB FFFF tz
8 176128 176135 4.0 KiB 0700 pad
9 176136 178183 1024.0 KiB FFFF sbl1b
10 178184 179207 512.0 KiB FFFF dbibak
11 179208 181255 1024.0 KiB FFFF rpmbak
12 181256 183303 1024.0 KiB FFFF tzbak
13 183304 185351 1024.0 KiB FFFF rpmf
14 185352 187399 1024.0 KiB FFFF tzf
15 187400 188423 512.0 KiB FFFF sdif
16 188424 192519 2.0 MiB FFFF abootf
17 192520 196607 2.0 MiB FFFF spare1
18 196608 229375 16.0 MiB FFFF boot
19 229376 294911 32.0 MiB 0700 persist
20 294912 327679 16.0 MiB FFFF recovery
21 327680 333823 3.0 MiB FFFF modemst1
22 333824 339967 3.0 MiB FFFF modemst2
23 339968 339975 4.0 KiB FFFF pad1
24 339976 346119 3.0 MiB FFFF fsg
25 346120 347143 512.0 KiB FFFF fsc
26 347144 348167 512.0 KiB FFFF ssd
27 348168 348175 4.0 KiB FFFF pad2
28 348176 349199 512.0 KiB FFFF encrypt
29 349200 350223 512.0 KiB FFFF eksst
30 350224 350239 8.0 KiB FFFF rct
31 350240 360447 5.0 MiB FFFF spare2
32 360448 393215 16.0 MiB FFFF misc
33 393216 458751 32.0 MiB FFFF laf
34 458752 524287 32.0 MiB FFFF fota
35 524288 557055 16.0 MiB 0700 spare3
36 557056 573439 8.0 MiB 0700 drm
37 573440 589823 8.0 MiB 0700 sns
38 589824 655359 32.0 MiB 0700 mpt
39 655360 737279 40.0 MiB 0700 carrier
40 737280 786431 24.0 MiB FFFF factory
41 786432 6684671 2.8 GiB 0700 system
42 6684672 8421375 848.0 MiB 0700 cache
43 8421376 61070324 25.1 GiB 0700 userdata
44 61070325 61071326 501.0 KiB 0700 grow
i have a question ! treble and none treble, what is different ?
---------- Post added at 02:40 PM ---------- Previous post was at 02:38 PM ----------
and who will update for LG G3 ???
mydarhieu97 said:
i have a question ! treble and none treble, what is different ?
https://www.computerworld.com/artic...ect-treble-android-upgrade-fix-explained.html
https://www.androidauthority.com/project-treble-818225/
https://www.google.com/search?q=treble+android
rahimali said:
https://www.computerworld.com/artic...ect-treble-android-upgrade-fix-explained.html
https://www.androidauthority.com/project-treble-818225/
https://www.google.com/search?q=treble+android
so, who will update for LG G3 ??? i know project treble is support for easy way to update, but who? who will update for our devices ? google ?
mydarhieu97 said:
so, who will update for LG G3 ??? i know project treble is support for easy way to update, but who? who will update for our devices ? google ?
No one. It is so we can flash custom roms easier.
Are there any tools / is it possible to download partitions (img files) from a Qualcomm device using emergency download mode? Simply boot_a / boot_b as I assume user will be encrypted.
I know there is QPST, but from hours of trying and what I have read, it seems to only support older MSM devices not newer Snapdragon? Am I wrong?
Well, if you have the firehose file for that particular soc and the rawprogram0.xml, you can. Usually the firehose file get leaked after the phone is released.
What model are you trying to work on?
HTC U19e
Snapdragon 710
outrage_uk said:
HTC U19e
Snapdragon 710
I found a link to a list of programmers. If you see your phone here, which I didn't (but try Ctrl-F for the processor, which should be in the filename), it's a good bet you'll be able to find it. As far as I know, my phone's MSM8998 does not have a leaked programmer. It's not as universally applicable as a lot of guides make it seem. If you do have the programmer and correct patches, they allow arbitrary read/write to a phone in EDL mode. It's a major security backdoor, but very useful for users like us too. However, neither users like us nor malicious agents are thought very highly of by American phone manufacturers.
Here's how to access partitions without rawprogram0.xml or patch0.xml
Hi,
If you have the correct prog_emmc_firehose_xxxx.mbn file for your QualComm SoC, you can extract the partition table and all partitions without having access to any rawprogram0.xml or patch0.xml.
The basics are in the excellent guide at https://forum.xda-developers.com/android/general/guide-how-to-dump-write-storage-t3949588
Summary:
- trigger EDL mode, which you have if your phone shows up as USB vendor 05c6, product 9008. Make sure you have "Qualcomm HS-USB QDLoader 9008" as the active driver, giving you a virtual COM port.
- use QFIL to load the prog_emmc_firehose_xxx.mbn file - choose Flat Build
- use QPST's fh_loader.exe to talk to the firehose to read or write the emmc at arbitrary sector offsets
With all that working, you can start by reading the GPT partition table, 34 sectors starting from sector 0:
"C:\Program Files (x86)\Qualcomm\QPST\bin\fh_loader.exe" --port=\\.\COM8 --search_path=C:\my\extract\path --convertprogram2read --sendimage=gpt.bin --start_sector=0 --lun=0 --num_sectors=34 --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=emmc
Replace COM8 with whatever COM port that Qualcomm HS-USB driver provides according to Windows Device Manager, and ensure that whatever you choose as C:\my\extract\path exists.
When the tool is done, you'll have a C:\my\extract\path\gpt.bin that you can examine to get the sector offsets and counts for each of your partitions. I used Linux' gdisk for that:
$ gdisk -l gpt.bin
...
Number Start (sector) End (sector) Size Code Name
1 131072 294911 80.0 MiB 0700 modem
2 294912 296959 1024.0 KiB FFFF bluetooth
3 296960 297215 128.0 KiB A01E pmic
4 297216 297471 128.0 KiB A01E pmicbak
5 297472 297473 1024 bytes A040 limits
6 297474 299521 1024.0 KiB A01A DDR
7 299522 299777 128.0 KiB A01D sec
8 393216 393727 256.0 KiB A022 apdp
9 393728 394239 256.0 KiB A023 msadp
10 394240 394241 1024 bytes A024 dpo
11 524288 527359 1.5 MiB A02A fsg
12 655360 655361 1024 bytes A029 fsc
13 655362 655377 8.0 KiB A02C ssd
14 655378 658449 1.5 MiB A027 modemst1
15 658450 661521 1.5 MiB A028 modemst2
16 661522 663569 1024.0 KiB A012 sbl1
17 663570 665617 1024.0 KiB A012 sbl1bak
18 665618 665809 96.0 KiB A019 sdi
19 665810 667857 1024.0 KiB A016 tz
20 667858 669905 1024.0 KiB A016 tzbak
21 669906 670905 500.0 KiB A018 rpm
22 670906 671905 500.0 KiB A018 rpmbak
23 671906 672929 512.0 KiB A017 hyp
24 672930 673953 512.0 KiB A017 hypbak
25 673954 740801 32.6 MiB FFFF splash
26 786432 796671 5.0 MiB A015 aboot
27 796672 806911 5.0 MiB A015 abootbak
28 806912 937983 64.0 MiB A036 boot
29 937984 1069055 64.0 MiB A025 recovery
30 1069056 7360511 3.0 GiB A038 system
31 7471104 10616831 1.5 GiB A039 cache
32 10616832 10682367 32.0 MiB A026 persist
33 10682368 10684415 1024.0 KiB A01F misc
34 10684416 10685439 512.0 KiB A02D keystore
35 10747904 10747905 1024 bytes A021 devinfo
36 10878976 10879999 512.0 KiB FFFF config
37 10880000 61071326 23.9 GiB A03A userdata
From there, you have enough information to back up each of your partitions, write a custom recovery, etcetera.
In my case, a Gigaset ME, both the system and userdata partitions were normal, unencrypted ext4 partitions with ample opportunities for forensics and data recovery.
Needless to say, there was no need to unlock bootloaders, install custom recovery, root the phone, or whatever.
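An added example, not part of the original post: a Python parser for the 34-sector `gpt.bin` dump described above. It verifies both GPT CRC32 fields before trusting the table and returns the start sector and sector count for each partition, which are the values passed as `--start_sector` and `--num_sectors`. The function names are hypothetical, and the sample dump is constructed inline from three rows of the listing.

```python
import struct
import zlib

SECTOR = 512                       # logical sector size of the eMMC dump
HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header, little-endian
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry


def parse_gpt(dump, sector=SECTOR):
    """Validate a dump that starts at sector 0; return [(name, first, last)]."""
    fixed = struct.calcsize(HEADER_FMT)
    if len(dump) < 2 * sector:
        raise ValueError("dump too short to hold a GPT header")
    (sig, _rev, hdr_size, hdr_crc, _rsv, _cur, _bak, _first, _last, _guid,
     ent_lba, ent_count, ent_size, ent_crc) = struct.unpack(
        HEADER_FMT, dump[sector:sector + fixed])
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    if not fixed <= hdr_size <= sector or ent_size < struct.calcsize(ENTRY_FMT):
        raise ValueError("implausible header or entry size")
    # The header CRC covers hdr_size bytes with the CRC field itself zeroed.
    hdr = bytearray(dump[sector:sector + hdr_size])
    hdr[16:20] = bytes(4)
    if zlib.crc32(bytes(hdr)) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    start = ent_lba * sector
    table = dump[start:start + ent_count * ent_size]
    if len(table) != ent_count * ent_size:
        raise ValueError("dump does not contain the whole entry array")
    if zlib.crc32(table) != ent_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for off in range(0, len(table), ent_size):
        type_guid, _uid, first, last, _attr, raw_name = struct.unpack(
            ENTRY_FMT, table[off:off + struct.calcsize(ENTRY_FMT)])
        if type_guid == bytes(16):      # all-zero type GUID marks an unused slot
            continue
        name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        parts.append((name, first, last))
    return parts


def read_plan(parts, wanted):
    """Map each wanted partition name to (start_sector, num_sectors)."""
    return {name: (first, last - first + 1)
            for name, first, last in parts if name in wanted}


def build_sample_dump(rows, sector=SECTOR, slots=128):
    """Constructed input: a 34-sector image (MBR slot, header, 128 entries)."""
    table = b"".join(
        struct.pack(ENTRY_FMT, b"\x01" * 16, bytes([i + 1]) * 16, first, last,
                    0, name.encode("utf-16-le"))
        for i, (name, first, last) in enumerate(rows)).ljust(slots * 128, b"\0")
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, 61071359, 34, 61071326,
              b"\x02" * 16, 2, slots, 128, zlib.crc32(table)]
    fields[3] = zlib.crc32(struct.pack(HEADER_FMT, *fields))
    header = struct.pack(HEADER_FMT, *fields).ljust(sector, b"\0")
    return bytes(sector) + header + table


# Three rows taken from the gdisk listing in the post; GUIDs are placeholders.
SAMPLE = build_sample_dump([("modem", 131072, 294911),
                            ("boot", 806912, 937983),
                            ("recovery", 937984, 1069055)])

if __name__ == "__main__":
    plan = read_plan(parse_gpt(SAMPLE), {"boot", "recovery"})
    for name, (start, count) in plan.items():
        print(f"{name}: start_sector={start} num_sectors={count}")
```

A CRC failure here means the dump was truncated or corrupted in transfer, so the sector offsets in it should not be used for any later read or write.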
I use the crDroid v8.9 ROM (yes, I know there's a newer version, 8.11, but it didn't work for me for some reason). From time to time I visit xiaomifirmwareupdater.com/firmware/lancelot/ to check whether a newer firmware has been released for my Xiaomi Redmi 9 (lancelot/galahad) phone. A couple of days ago, I saw that there was one (V13.0.1.0.SJCEUXM for Android 12). I was using V12.5.4.0.RJCEUXM for Android 11, but this crDroid version offered Android 12.1. Everything was working well. Since there was a new version of the firmware, I downloaded it and flashed it via SHRP recovery. The flashing process went as usual, i.e. without any errors, but when I restarted the device, it didn't turn on. Only the fastboot mode was working.
Restoring the firmware
Fortunately, the firmware package consists only of a few images that are flashed to their corresponding partitions on the phone, for instance:
Code:
$ patool list fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
patool: Listing fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip ...
patool: running /usr/bin/7z l -- fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (306A9),ASM,AES-NI)
Scanning the drive for archives:
1 file, 40808894 bytes (39 MiB)
Listing archive: fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
--
Path = fw_lancelot_miui_LANCELOTEEAGlobal_V12.5.4.0.RJCEUXM_67a1671939_11.0.zip
Type = zip
Physical Size = 40808894
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2022-02-28 13:40:44 D.... 0 0 META-INF
2022-02-28 13:40:40 ..... 280488 171992 preloader_raw.img
2022-02-28 13:40:40 ..... 282536 172052 preloader_ufs.img
2022-02-28 13:40:42 ..... 1 3 type.txt
2022-02-28 13:40:40 ..... 859 364 scatter.txt
2022-02-28 13:40:40 ..... 282536 172052 preloader_emmc.img
2022-02-28 13:40:40 ..... 59329408 35869684 md1img.img
2022-02-28 13:40:42 ..... 2505440 2166963 tee.img
2022-02-28 13:40:42 ..... 37984 7454 spmfw.img
2022-02-28 13:40:40 ..... 352816 144110 scp.img
2022-02-28 13:40:42 ..... 505616 483321 sspm.img
2022-02-28 13:40:24 ..... 1302976 522804 lk.img
2022-02-28 13:40:22 D.... 0 0 META-INF/com
2022-02-28 13:40:44 ..... 1634 1144 META-INF/CERT.RSA
2022-02-28 13:40:42 ..... 2217 999 META-INF/MANIFEST.MF
2022-02-28 13:40:42 ..... 2270 1091 META-INF/CERT.SF
2022-02-28 13:40:42 D.... 0 0 META-INF/com/android
2022-02-28 13:40:22 D.... 0 0 META-INF/com/google
2022-02-28 13:40:24 D.... 0 0 META-INF/com/google/android
2022-02-28 13:40:24 ..... 2340536 1090127 META-INF/com/google/android/update-binary
2022-02-28 13:40:44 ..... 3559 863 META-INF/com/google/android/updater-script
2022-02-28 13:40:22 ..... 316 220 META-INF/com/android/metadata
2022-02-28 13:40:42 ..... 1594 1077 META-INF/com/android/otacert
------------------- ----- ------------ ------------ ------------------------
2022-02-28 13:40:44 67232786 40806320 18 files, 5 folders
So if the fastboot mode works well, you can use the images and flash them in order to restore the device. Where to flash the images? Just check the flash layout of your phone:
Code:
# gdisk -l mmcblk0-stock-original.img
GPT fdisk (gdisk) version 1.0.9
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk mmcblk0-stock-original.img: 122142720 sectors, 58.2 GiB
Sector size (logical): 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 122142686
Partitions will be aligned on 16-sector boundaries
Total free space is 61 sectors (30.5 KiB)
Number Start (sector) End (sector) Size Code Name
1 64 131135 64.0 MiB 0700 recovery
2 131136 132159 512.0 KiB 0700 misc
3 132160 133183 512.0 KiB 0700 para
4 133184 174143 20.0 MiB 0700 expdb
5 174144 176191 1024.0 KiB 0700 frp
6 176192 192575 8.0 MiB 0700 vbmeta
7 192576 208959 8.0 MiB 0700 vbmeta_system
8 208960 225343 8.0 MiB 0700 vbmeta_vendor
9 225344 271631 22.6 MiB 0700 md_udc
10 271632 337167 32.0 MiB 0700 metadata
11 337168 402703 32.0 MiB 0700 nvcfg
12 402704 533775 64.0 MiB 0700 nvdata
13 533776 632079 48.0 MiB 0700 persist
14 632080 730383 48.0 MiB 0700 persistbak
15 730384 746767 8.0 MiB 0700 protect1
16 746768 770047 11.4 MiB 0700 protect2
17 770048 786431 8.0 MiB 0700 seccfg
18 786432 790527 2.0 MiB 0700 sec1
19 790528 796671 3.0 MiB 0700 proinfo
20 796672 797695 512.0 KiB 0700 efuse
21 797696 850943 26.0 MiB 0700 boot_para
22 850944 982015 64.0 MiB 0700 nvram
23 982016 998399 8.0 MiB 0700 logo
24 998400 1260543 128.0 MiB 0700 md1img
25 1260544 1262591 1024.0 KiB 0700 spmfw
26 1262592 1274879 6.0 MiB 0700 scp1
27 1274880 1287167 6.0 MiB 0700 scp2
28 1287168 1289215 1024.0 KiB 0700 sspm_1
29 1289216 1291263 1024.0 KiB 0700 sspm_2
30 1291264 1324031 16.0 MiB 0700 gz1
31 1324032 1356799 16.0 MiB 0700 gz2
32 1356800 1360895 2.0 MiB 0700 lk
33 1360896 1364991 2.0 MiB 0700 lk2
34 1364992 1496063 64.0 MiB 0700 boot
35 1496064 1528831 16.0 MiB 0700 dtbo
36 1528832 1539071 5.0 MiB 0700 tee1
37 1539072 1549311 5.0 MiB 0700 tee2
38 1549312 1582079 16.0 MiB 0700 gsort
39 1582080 1844223 128.0 MiB 0700 minidump
40 1844224 2630655 384.0 MiB 0700 exaid
41 2630656 4727807 1024.0 MiB 0700 cust
42 4727808 4744191 8.0 MiB 0700 devinfo
43 4744192 4767743 11.5 MiB 0700 ffu
44 4767744 19447807 7.0 GiB 0700 super
45 19447808 20332543 432.0 MiB 0700 cache
46 20332544 122021823 48.5 GiB 0700 userdata
47 122021824 122109887 43.0 MiB 0700 otp
48 122109888 122142655 16.0 MiB 0700 flashinfo
So:
- `md1img.img` -- goes to `md1img` (24)
- `tee.img` -- goes to `tee1` and `tee2` (36 and 37)
- `spmfw.img` -- goes to `spmfw` (25)
- `scp.img` -- goes to `scp1` and `scp2` (26 and 27)
- `sspm.img` -- goes to `sspm_1` and `sspm_2` (28 and 29)
- `lk.img` -- goes to `lk` and `lk2` (32 and 33)
- `preloader_raw.img` -- no idea what to do with it
- `preloader_ufs.img` -- no idea what to do with it
- `preloader_emmc.img` -- no idea what to do with it
From what I've read, the images sspm_1, tee1, scp1 and lk are responsible for the main loader, and the images sspm_2, tee2, scp2 and lk2 for the alternative loader. I flashed only the main loader images and forgot to flash the alt loader. Moreover, since I didn't know what to do with the preloader images (there are 3), I didn't flash any of them. :]
The phone is dead
When I rebooted my phone, there was no sign of life -- no vibration, no sound, no screen, no charging animation, nothing. When I connected the device to my laptop's USB port (with Debian Linux onboard), there was no log at all -- the phone seemed to be dead for good.
The phone is not dead
Playing with the phone's buttons a little bit (while the device is connected to my laptop's USB port), I found out that the Power + VolumeDown button combination generates the following messages in the system log on my Debian:
Code:
kernel: usb 3-1: new high-speed USB device number 10 using xhci_hcd
kernel: usb 3-1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
kernel: usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
kernel: usb 3-1: Device is not authorized for usage
kernel: cdc_acm 3-1:1.0: ttyACM0: USB ACM device
kernel: usb 3-1: authorized to connect
kernel: usb 3-1: USB disconnect, device number 10
So the phone looks to be partially dead, or not dead at all, or maybe even alive, but it only plays dead, just to force me to buy a new device. :]
SP Flash Tool and MTK Bypass Utility
Since the Xiaomi Redmi 9 (lancelot/galahad) is a Mediatek device, there is some chance to restore its state using SP Flash Tool. So I downloaded SP_Flash_Tool_v5.2208_Linux and launched it. I also downloaded Redmi_9_Engineering_Rom.zip, but it looks like the fastboot ROM is sufficient.
There is only one issue with SP Flash Tool -- it doesn't work without some authorized account. Without this account you won't be able to flash anything using SP Flash Tool. But there's the MTK Bypass Utility tool.
To make the tool work, you have to do the following steps:
Code:
$ git clone https://github.com/MTK-bypass/bypass_utility
$ cd bypass_utility/
$ git clone https://github.com/MTK-bypass/exploits_collection
$ cd exploits_collection/
$ cp ./default_config.json5 ../
$ cp -a ./payloads/ ../
$ cd ..
Then you launch the program:
Code:
$ python3 main.py
[2023-01-28 12:04:55.807367] Waiting for device
And now you plug the phone into the USB port and press the Power + VolDown buttons. The following messages should appear in the log:
Code:
[2023-01-28 12:05:06.892077] Found device = 0e8d:0003
[2023-01-28 12:05:07.012749] Device hw code: 0x707
[2023-01-28 12:05:07.012871] Device hw sub code: 0x8a00
[2023-01-28 12:05:07.012936] Device hw version: 0xca00
[2023-01-28 12:05:07.012994] Device sw version: 0x0
[2023-01-28 12:05:07.013076] Device secure boot: True
[2023-01-28 12:05:07.013140] Device serial link authorization: True
[2023-01-28 12:05:07.013232] Device download agent authorization: True
[2023-01-28 12:05:07.013301] Disabling watchdog timer
[2023-01-28 12:05:07.014062] Disabling protection
[2023-01-28 12:05:07.038921] Protection disabled
Now we can use SP Flash Tool to restore the bricked phone. To be sure, just check if the device /dev/ttyACM0 exists in your system:
Code:
# ls -al /dev/ttyACM0
crw-rw----+ 1 root dialout 166, 0 2023-01-28 11:38:45 /dev/ttyACM0
We have to configure SP Flash Tool to use this device:
We need some DA file -- the one provided by SP Flash Tool should be good, but I used the DA file provided by the Engineering ROM. We also need some scatter.txt file -- it can be found either in the Engineering ROM or in the fastboot ROM. We have to provide paths to the two files in SP Flash Tool:
We can see that all the firmware partitions can be flashed, including the preloader. So in this case, I used the firmware images from the fastboot ROM, with the exception of dtbo and boot, since they come from the crDroid ROM. Now all we have to do is to press the Download button.
Chip mismatch!
I selected only one partition (just for testing purposes, to see whether it will work at all) and I pressed the Download button. I got the following error:
And in text version it says:
Code:
[error] Chip mismatch! scatter: platform[MT6768] type[]; device: hw_code[0xb8e8],
hw_subcode[0x9400], hw_ver[0x7fb2], sw_ver[0x0], chip_evolution[0] #(chip_mapping.cpp, line:259)
But when I pressed the Download button again, it worked.
So I checked all the firmware partitions and flashed them in one turn. But this didn't fix my phone. I had to flash the preloader image. I used preloader_lancelot.bin from the fastboot image. When I flashed it, the phone booted normally. None of the user data was lost.
Also, the article is written in Polish, so you can read it on my blog if you don't know English well.
Happy flashing. :]
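The failure described in the post above (only the first copy of each duplicated loader partition was written) can be caught before flashing. The following is an added example, not part of the original post: it uses the post's own image-to-partition mapping, limited to the four images whose sizes appear in the archive listing, assumes the standard `fastboot flash <partition> <image>` syntax, and the function names are made up for illustration.

```python
import re
# Rows copied from the gdisk table above (partitions for the four images below).
GDISK_ROWS = """\
25 1260544 1262591 1024.0 KiB 0700 spmfw
26 1262592 1274879 6.0 MiB 0700 scp1
27 1274880 1287167 6.0 MiB 0700 scp2
28 1287168 1289215 1024.0 KiB 0700 sspm_1
29 1289216 1291263 1024.0 KiB 0700 sspm_2
32 1356800 1360895 2.0 MiB 0700 lk
33 1360896 1364991 2.0 MiB 0700 lk2
"""
SECTOR = 512  # "Sector size (logical): 512 bytes"
# image: (size in bytes from the archive listing, target partitions from the post)
IMAGES = {
    "spmfw.img": (37984, ["spmfw"]), "scp.img": (352816, ["scp1", "scp2"]),
    "sspm.img": (505616, ["sspm_1", "sspm_2"]), "lk.img": (1302976, ["lk", "lk2"]),
}
# number, start sector, end sector, size, unit, type code, name
ROW = re.compile(r"^\s*\d+\s+(\d+)\s+(\d+)\s+[\d.]+\s+\w+\s+[0-9A-Fa-f]{4}\s+(\S+)\s*$")

def parse_gdisk(text):
    """Return {partition name: size in bytes} from gdisk table rows."""
    parts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            parts[m[3]] = (int(m[2]) - int(m[1]) + 1) * SECTOR
    return parts

def flash_plan(images, parts):
    """One `fastboot flash` line per target partition; reject images that do not fit."""
    plan = []
    for image, (size, names) in images.items():
        for name in names:
            if name not in parts:
                raise ValueError(f"{name}: not in the partition table")
            if size > parts[name]:
                raise ValueError(f"{image} ({size} B) exceeds {name} ({parts[name]} B)")
            plan.append(f"fastboot flash {name} {image}")
    return plan

def unflashed_copies(flashed, images):
    """Target partitions from the mapping that were never written."""
    wanted = {name for _, names in images.values() for name in names}
    return sorted(wanted - set(flashed))

if __name__ == "__main__":
    print("\n".join(flash_plan(IMAGES, parse_gdisk(GDISK_ROWS))))
    print("left out:", unflashed_copies(["spmfw", "scp1", "sspm_1", "lk"], IMAGES))
```

Feeding `parse_gdisk` the full `gdisk -l` output of your own dump works the same way, since lines that are not table rows are skipped.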
Hey, this was great, thanks, but I have a problem: after doing this I get "NV data is corrupted" and can't get past recovery. Any idea why? Thanks again.
After doing what?
Hello! After I corrupted the boot partition and entered a bootloop, I tried to reflash the preloader partition from fastboot and ended up in this same situation. I've been following this post and everything seems to be going perfect, but at the end of the post you say that you flashed preloader_lancelot.bin, but in all the images I could find there were 3 versions of it (preloader_emmc.img, preloader_raw.img and preloader_ufs.img), which one did you use?
The only time I saw a preloader_lancelot.bin file was with a mtk command that extracted the current one (but mine is invalid I guess).
Sorry if the English is not perfect, it's not my native language.
The file is in the fastboot ROM.
morfikov said:
The file is in the fastboot ROM.
You are right, my bad, I just looked over the first file and didn't see the second one.
Awesome post! I've just managed to boot, I'll see if I can update the system from some backups, idk at which moment I ended up flashing an old af android version that looks exactly like this (gotten from google):
@morfikov:
Thanks A LOT for this detailed walkthrough!
FWIW, even though my phone appeared dead, I managed to start it by:
- plugging it in
- holding VolumeUP + Power for several seconds
That was enough to start it again and display the Mi logo. It didn't go much further but that was a great change to begin with!
I still haven't managed to flash it back to stock ROM, as the phone keeps rebooting before I can flash anything. :-/