Develop Bugs

Can you identify this ROM file?

Hi there,
I got my hands on a phone that appears to be a copycat of the HTC Diamond 2. It’s running WM6.5. There is no volume button on it so they have some other trick to get into the boot loader. In order to flash it, the vendor is using a simple process:
1. Put a Loader.bin and Flash.bin file on the SD Card.
2. Turn on the phone while holding the “hang-up” and “back” buttons.
3. The boot loader then kicks in and installs the new ROM.
What I’m trying to figure out is what is the file format for Flash.bin and how can to recreate it myself? Basically I’d like to be able to take an nbh from an official ROM file and convert it to that Flash.bin thing.
Using an HEX editor, I see that the first part of Flash.bin looks very similar to an OS partition that can be extracted from an nbh file (e.g. using NBHExtract) but one difference is that the header of Flash.bin starts with a few more bytes B0B0FF etc.:
B 0 B 0 F F …
42 30 42 30 46 46 0A 00 0C 0C 00 00 8A 90 06 00 0C 0C 00 00 02 02 00 2C 53 4E
I’ve uploaded both Loader.bin and Flash.bin here if you want to look further.
http://rapidshare.com/files/328271954/FLASH.zip
http://rapidshare.com/files/328259421/LOADER.BIN
Any tips greatly appreciated.
Thanks,
Bob

[Q] Unlock Galaxy S

Hello,
I am trying to unlock my sgs, that I bought in Croatia. It is locked to VIP carrier, but none of the metods described in the forums work for me.
I have copied my nv_data. bin file to my computer and extracted the unlock code from it with SGUX utility for windows by rbnet.it and marcopon. But when I reboot the phone with my SIM and enter the unlock code it says unsucsessful unlocking...
I also installed Sgs_Unlock.apk to my phone, witch gave me the same unlock code that doesent work.
Than I tryed to edit nv_data.bin file with hex editor, but it doesent seem to include an address 0x181468.
Thank you wery much!!!
Luka

Try using super one click.
Sent from my GT-I9000 using XDA App

Done
I´ve managed to unlock it with editing nv_data.bin file, that was slightly diferent that the one in this threathttp://forum.xda-developers.com/showthread.php?t=761045 .
Ehtoeh the phone was allready rooted with Super One Click so i could retrive the nv_data.bin file, but that doesent unlock it to other carriers.
This is how i did it:
Follow step 1. from the mentioned thread (retrive the nv_data.bin file).
Open the file with 010 Editor (trial version), go to view, linefeeds and set it to 8 bytes.
Go to mentioned adress (ctrl+g) and see the slightly different line ( ff 01 00 00 00 00 33 35)
Edit it to ff 00 00 00 00 00 33 35 and save.
Follow step 3. from the mentioned (How to unlock/unfreeze all SGS Models) thread, reboot and the phone was unlocked.
Oh i forgot it was running the 2.1 update1 Eclair when i unlocked it.
Luka

I've hosted the file nv_data without've managed to find the line you need to change. whether we could to help;

Let`s think,
Maybe the lock is located at some other address, you just have to find it.
As mentioned in this thread http://forum.xda-developers.com/showthread.php?t=761045 there are 5 different types of locks in 5 different bytes:
network lock, subset lock, sp lock, cp lock and data lock (don`t know if that`s true because i can find only four locks in my phone:network, subset, sp and cp but no data). The locks are defined with byte 00 for lock off and 01 for lock on.
Now enter *#7465625# to phone. It will display the locks and weather they are on or off. (see attachment)
You can now put together a string from the values that you get from the phone 00 for lock off and 01 for lock on.
It should begin with ff followed by the bytes you got from your phone, for example if you have active network lock and all other locks inactive you should have:
ff 01 00 00 00 00 xy xy
As you can see there are two other bytes xy, but we can live without knowing their values as they seem to be differ from phone to phone but they should allways be digits.
Now open your nv_data file with hex editor and search for the string you`ve put together without the last two bytes. You can get more than one result, but the right place is the one where the last two bytes will de digits.
Edit it to ff 00 00 00 00 00 xy xy to turn all the locks off.
I hope you`ll unlock your phone this way and let us know how it goes.
Luka

because I can not find the line you say ,can you find if there is to please;

Can you post a screencapture like i did so i can find that string.

like this ...i quote and the file...I found this address that is similar to saying that

try editing that one to ff 00 00 00 00 00 00 05, but be careful and have your nv_data backed up first cause this can brick your phone.
Iment a screencapture from your phone.
Luka

ok I did the treatment. I just want to tell me exactly, step by step how to switch back to back in mobile

Did you edit your nv_data.bin file and now the phone doesent work?
If so you have to restore your backup like this:
1. Copy the file from the backup (nv_data.bin) to your sdcard.
2. In ADB type the following commands one by one:
su
cp /sdcard/nv_data.bin /efs/nv_data.bin
rm -rf /efs/nv_data.bin.md5 (OR)
busybox rm -rf /efs/nv_data.bin.md5​3. Reboot your phone.
4. Most probably, now your SIM will not work and you will not be able to login into your phone. Please don’t be panic. We are with you
5. Pop off the SIM.
6. Boot your smartphone.
7. Run the below commands through ADB:
su
busybox chown 1001:1001 /efs/nv_data.bin or
chown 1001:1001 /efs/nv_data.bin​
8. Your phone should be OK now.
There is a whole thread on this topic on this forum http://forum.xda-developers.com/showthread.php?t=859914

thnaks for the reply, unfortunately i did not meant that.
i would like to explain me, how you can insert in the sd memory card the nv_data (edit) that i have already processed. In order to sumarize, i would like to know the orders.

Sorry, I didn´t understand you.
So you need to push nv_data.bin file that you have edited back to your phone.
you need to follow the instructions from this thread http://forum.xda-developers.com/showthread.php?t=761045
First copy your nv_data.bin file to root of your sdcard and then use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands:
su
rm /efs/nv_data.bin
rm /efs/nv_data.bin.md5
cat /sdcard/nv_data.bin >> /efs/nv_data.bin
chmod 755 /efs/nv_data.bin
chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
reboot​
Post if it worked.
Luka

i can not, look the foto

This happened to me allso, try rooting your phone with superoneclick (ignore message device seem to be rooted) just before entering adb. If that still doesen`t work try with terminal emulator.

Well we made it and unlock it!
The procedure followed was about as I said it.
1. Follow step 1. from the mentioned thread (retrive the nv_data.bin file).
2.Open the file with 010 Editor (trial version), go to view, linefeeds and set it to 8 bytes.
3.Go to mentioned adress (ctrl+g) and see the slightly different line ( ff 01 00 00 00 00 33 35) may be different numbers from device to device
4.Edit it to ff 00 00 00 00 00 33 35 and save.
5.Follow step 3. from the mentioned (How to unlock/unfreeze all SGS Models) thread, reboot and the phone was unlocked.
When I did the procedure I had a mobile unroot!

Nice to hear you`ve managed to unlock it, I knew you`ll do it soon or later
If it`s unrooted now, you can just root it again, but i don`t know why this happened.
All i would like to know is at wich address the lock was located as your nv_data.bin file didn`t have the address mentioned in the first post. It could help other people to unlock their phones.
Luka

Well you do it again root, I changed my kernel and Rom are all ok!
The address for nv_data.bin is of the form FF 01 00 00 00 00 xx xx to me was
FF 01 00 00 00 00 00 05.

[Q] AT&T LG Optimus G Pro problem-Please Help

Hello All,
I have searched the forums but can find no solution specifically for this phone, so here I am.
Awhile back AT&T offered a minor update, (not KitKat), for my LG e980. No problem, updated just fine. I have never flashed this phone and it is not rooted, but my IMEI # is now 0 and I don't know why? With the upgrade to KitKat coming out, I won't be able to get it with my IMEI # gone. This was a new phone out of the box and I did nothing to the phone other than that small upgrade. I don't want to get a replacement because of all the stuff I have on this phone. Is there anyway to reset, recover, or restore my missing IMEI #? I'm running Androud 4.1.2. Software V e98010p. Any help or a point to the right forum to fix this will be greatly appreciated. Thank you.

Go to Menu --> General--> Backup & Reset--> Factory data reset. This should fix the problem. If it doesn't, bring the phone back for a replacement.

Knvsmom said:
Hello All,
I have searched the forums but can find no solution specifically for this phone, so here I am.
Awhile back AT&T offered a minor update, (not KitKat), for my LG e980. No problem, updated just fine. I have never flashed this phone and it is not rooted, but my IMEI # is now 0 and I don't know why? With the upgrade to KitKat coming out, I won't be able to get it with my IMEI # gone. This was a new phone out of the box and I did nothing to the phone other than that small upgrade. I don't want to get a replacement because of all the stuff I have on this phone. Is there anyway to reset, recover, or restore my missing IMEI #? I'm running Androud 4.1.2. Software V e98010p. Any help or a point to the right forum to fix this will be greatly appreciated. Thank you.
Click to expand...
Click to collapse
No way to reset if you didn't back up anything
Sent from my LG-E980 using XDA Premium 4 mobile app

Factory reset makes the phone like it was when he left AT&T or recieved in the mail. Doesn't need a backup.
Sent from my LG-E980 using Tapatalk

Hmmm... it's my understanding that a reset will not fix this as it has to with the EFS which could be corrupted.... I went through this on my last phone and a reset did not work nor did going back to stock... my phone was toast...the only is to restore from an EFS back up which sounds like he didn't do or take it in and have it fixed... as for losing everything on the phone just copy everything over to your ext sd ...
Sent from my LG-E980 using XDA Free mobile app

Lg optimus g pro iemi repair
Knvsmom said:
Hello All,
I have searched the forums but can find no solution specifically for this phone, so here I am.
Awhile back AT&T offered a minor update, (not KitKat), for my LG e980. No problem, updated just fine. I have never flashed this phone and it is not rooted, but my IMEI # is now 0 and I don't know why? With the upgrade to KitKat coming out, I won't be able to get it with my IMEI # gone. This was a new phone out of the box and I did nothing to the phone other than that small upgrade. I don't want to get a replacement because of all the stuff I have on this phone. Is there anyway to reset, recover, or restore my missing IMEI #? I'm running Androud 4.1.2. Software V e98010p. Any help or a point to the right forum to fix this will be greatly appreciated. Thank you.
Click to expand...
Click to collapse
I had same problem n i reset my imei within 1 hour by below method This mathod is for lg optimis g but ALSO WORK FOR
LG OPTIMUS G PRO E980 AT&T
Here is the link
http://forum.xda-developers.com/showthread.php?t=1942417
The following instructions are to be used to repair your G2X/P999 phone's IMEI number if it has been changed to all zeros which can happen due to a bad flash. Your phone's actual IMEI number is printed on the box your phone came in and it is on a sticker located under the battery.
1) Download QPST
http://hosting.ecap-droid.com/Droid/...pub=bxfo8sfkv6
2) Install QPST and pin it to the Start Menu
3) Download LG Drivers
4) Install LG Drivers
5) In the phone’s Settings -> Applications -> Development -> enable USB debugging
6) Access the phone's hidden menu using the phone keypad (dialer), enter: 3845#*980#
7) In Port Setting enable CP USB (do not enable Retain ...) then press: OK ( SKIP THIS STAP )
8) Plug your phone into the USB port and wait a few seconds until the USB drivers install.
9) Access the LGE Mobile USB Modem driver through Control Panel -> Device Manager -> LGE Mobile USB Modem -> Advanced -> Advanced Port Settings
10) Click on the box next to “Append to Log” so that a checkmark is in that box.
11) Click on: Query Modem
The window above “Query Modem” should fill up with (the following data is from my phone, your phone’s Revision may be and IMEI will be somewhat different):
“ATQ0V1E0 - OK
AT+GMM - 0
AT+FCLASS=? - +FCLASS: (0-1)
AT#CLS=? - COMMAND NOT SUPPORTED
AT+GCI? - COMMAND NOT SUPPORTED
AT+GCI=? - COMMAND NOT SUPPORTED
ATI1 - Manufacturer: QUALCOMM INCORPORATED
Model: 0
Revision: M6600A-SCAUTNZ-2.0.9720T 1 [MAR 11 2012 10:00:00] MP:TRULGE_08.09.02R_MDM
IMEI: 0127XXXXXXXXXXXXXXX (I’ve X’d out my IMEI for security reasons)
+GCAP: +CGSM,+DS,+ES
ETC…”
If that doesn’t happen, then the Port Setting has probably reverted back to “AP USB” and will need to be changed back to “CP USB” or the LG drivers didn't install fully or correctly or the computer's usb connection or the usb cable has a problem. Check the phone’s screen and see if the Port Setting is still at “CP USB”. If it’s not (back on “AP USB”) redo step 7. If the setting is still at "CP USB" then reinstall the LG drivers. If there's still a problem, it may be the computer's USB port or the USB cable.
12) Click on: View log
The phone’s current IMEI is listed in the information.
a) If the IMEI is the same as the original one, that means it hasn’t really changed from the original IMEI and it should be OK after the phone is reflashed with a .kdz update file. Flash the phone with a .kdz file by using the offline method.
b) If the IMEI is not the same as the original one, that means it needs to be changed back to the original one. If the IMEI has to be changed, continue from step 13 (the next step).
13) In the terminal port setting, get the LGE Mobile USB Modem COM Port number by accessing the USB driver through Control Panel -> Device Manager -> LGE Mobile USB Modem -> Advanced -> Advanced Port Settings -> COM Port Number
Write down the port number.
14) Close the LGE Mobile USB Modem Properties window.
15) Run QPST Configuration from QPST folder in the Start Menu
16) In QPST Configuration, click on: Ports tab
17) In Ports window, click on the Port which has the phone listed as FFA-QSC6295 (DEAD00D) with the USB Link
18) Write down the COM port number with USB Link. For example: COM44 = 44 It should match the COM Port Number you previously wrote down in step 13.
19) In QPST Configuration, click on: Phone tab
20) In Active Phones window, click on the phone listed as FFA-QSC6295 DEAD00D ZRF6500 with the same COM port as you wrote down previously
21) In the QPST Configuration menu, click on: Start Clients, and click on: Software Download
22) In QPST Software Download, click on the: Backup tab
23) A dialog box should appear with the same COM port number as you selected previously and there should be a name for the QCN File which has the ESN number in it (DEAD00D_1.qcn) and an SPC (Service Programming Code) number of 000000
24) If you want to, add information to the QCN File name to make it more explanatory. For example:
DEAD00D_1_BEFORE_IMEI_Fix.qcn
25) Browse to a location you want to save the QCN backup file to
26)Click on: Start
27) Run RF NV Manager from the QPST folder in the Start Menu
28) In the RF NV Manager menu, click on: Setting, and click on: Comport
29) In the Comport Configuration dialog box, click on the arrow in the selection window and select the port number you wrote down from step and click on: OK
30) In the RF NV Manager menu, click on: File, and click on: Read From Phone
31) The RF NV Manager window should fill up with the NV items from your phone
32) Click on item number: 550 NV_UE_IMEI_I
33) Next to the list of NV items, the IMEI number currently in your phone will appear as list of 9 boxes with numbers in it.
34) Above the IMEI number list, enable Hex so that a checkmark appears in the selection box
35) The IMEI number is listed in Hex in reverse order from the bottom up
36) Prepare your 15 digit IMEI number as in the following example but use your own IMEI number:
The example IMEI used is: 012766-00-012345-2
If you're lazy, download the IMEI Converter from http://www.sendspace.com/file/a3spfh and use it then jump to step 36.5
If you're not lazy, or the IMEI Converter download isn't working, here's how to do it manually.
36.1) Rewrite your IMEI number without dashes.
For example: 012766-00-012345-2 becomes 012766000123452
36.2) Rewrite your 15 digit IMEI so it's separated into a list of 8 groups, with the first number by itself and the rest in two number pairs.
For example: 012766000123452 becomes 0 12 76 60 00 12 34 52
36.3) Reverse the numbers in each pair.
For example: 0 12 76 60 00 12 34 52 becomes 0 21 67 06 00 21 43 25
36.4) Add 08 and a to the number.
For example: 0 21 67 06 00 21 43 25 becomes 08 0a 21 67 06 00 21 43 25
36.5) Rearrange the pairs of hex numbers into a vertical list so that the first pair on the left of the string of Hex numbers is at the top of the list and continue with each successive pair downwards.
For example: 08 0a 21 67 06 00 21 43 25 becomes:
08
0a
21
67
06
00
21
43
25
36.6) Enter the pairs of hex numbers into the list of IMEI boxes starting from the top.
37) Click on: Write NV
38) After the IMEI is written to the phone, click on: File, in the menu and click on: Read From Phone
39) The NV Item data will be reread from the phone
40) Click on: NV item 550 NV_UE_IMEI_I which, when highlighted, should show the IMEI number.
41) Above the IMEI number list, enable Hex so that a checkmark appears in the selection box
42) The IMEI you previously entered in the boxes to the right of the NV item list should be there in HEX. The IMEI will be missing some leading zeros such as the 0 in 08 and 0a in the first two boxes and may also be missing in other boxes but that's nothing to worry about.
43) Write out the hex digits, adding the missing leading zero to each single hex digit and check it against the pairs of numbers in the list you entered. They should be the same.
44) If the IMEI is correct, you're done with fixing the IMEI
45) Make another NV backup as you did before but use a new file name such as:
DEAD00D_1_AFTER_IMEI_Fix.qcn
46) Exit all the programs you used, unplug the phone from the computer, reboot the phone and check the IMEI number
This is what the NV Item 550 where the IMEI number is located looks like as a block of memory:
00550 (0x0226) - OK
08 0A 21 67 06 00 21 43 25 00 00 00 00 00 00 00 | ..xx..xxxxx.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

call att they will prob send you a new one if its been less than a year since purchase they have to if not you may be able to talk them into it anyway if they cant fix the problem

sidmax10 said:
I had same problem n i reset my imei within 1 hour by below method This mathod is for lg optimis g but ALSO WORK FOR
LG OPTIMUS G PRO E980 AT&T
Here is the link
http://forum.xda-developers.com/showthread.php?t=1942417
The following instructions are to be used to repair your G2X/P999 phone's IMEI number if it has been changed to all zeros which can happen due to a bad flash. Your phone's actual IMEI number is printed on the box your phone came in and it is on a sticker located under the battery.
1) Download QPST
http://hosting.ecap-droid.com/Droid/...pub=bxfo8sfkv6
2) Install QPST and pin it to the Start Menu
3) Download LG Drivers
4) Install LG Drivers
5) In the phone’s Settings -> Applications -> Development -> enable USB debugging
6) Access the phone's hidden menu using the phone keypad (dialer), enter: 3845#*980#
7) In Port Setting enable CP USB (do not enable Retain ...) then press: OK ( SKIP THIS STAP )
8) Plug your phone into the USB port and wait a few seconds until the USB drivers install.
...............
Click to expand...
Click to collapse
Basically, the E980 does not have CP Modem under "Port Settings"

[GUIDE] Creating TWRP Flashbale Stock roms

This project is inspired by the thread here by Q9Nap
TWRP Flashable Stock Builds
In that thread, Q9Nap (and later me, although in an unofficial capacity) has created TWRP Flashable builds of the stock rom. These would have been based upon the full fastboot flashable stock images, and then OTA patches from those roms.
Although the tools used have been provided in that thread, there isn't a guide saying how to use them. (I originally posted parts of this guide in that thread, but this is to consolidate it all into one project.) So in the below posts, I'll go through the actual process of generating the TWRP flashable builds themselves.
This project is divided into the following posts:
Tools required
Creating a TWRP flashable build from an existing TWRP flashable build + OTA patch
Creating a TWRP flashable build from the fastboot iamges
Here is the link to the builds that I have created. Other older ones are in the thread mentioned at the top of this post.
https://www.androidfilehost.com/?w=files&flid=273039
Finally, this guide could also be used in principle for other devices, however there may be some device or vendor-specific differences.
XDA:DevDB Information
[GUIDE] Creating TWRP Flashbale Stock roms, ROM for the Moto G5 Plus
Contributors
NZedPred
ROM OS Version: 7.x Nougat
Version Information
Status: Stable
Created 2018-06-16
Last Updated 2018-06-16

Tools and other pre-requisites
Pre-requisites
This has been done entirely on Linux, Debian Stretch to be precise. Other 64 bit modern distros should work fine.
In all cases, it is assumed that you have extract or copy the relevant files into somewhere in your PATH.
1) IMG Patch Tools
The link to the IMG Patch Tools is here:
https://forum.xda-developers.com/an...ev-img-patch-tools-sdat2img-ota-zips-t3640308 - credits to @erfanoabdi
Repo is here:
https://github.com/erfanoabdi/imgpatchtools
The first post is a description of what the tool does. The second explains usage. The third contains download links.
Download the Release version from the first link in the third post. Note that the tools are only available for Linux_x64 and MacOS.
In my case I needed to compile them on my system. Follow the instructions as per the second post. I needed to install the development libraries for zlib and libbz2, and openssl:
sudo apt-get install libbz2-dev zlib1g-dev openssl
2) IMG Repack Tools
The link to the Android img Repack Tools is here:
https://forum.xda-developers.com/android/general/tool-android-rom-repack-tools-t3763986 - credits to @rkhat
Releases:
https://github.com/rkhat2/android-rom-repacker/releases
Source:
https://github.com/rkhat2/android-rom-repacker/tree/android-7
Download and extract the android-7 / nougat version
3) IMG to SDAT and SDAT to IMG tools
The link to the img2sdat and sdat2img tools is here:
https://forum.xda-developers.com/an.../how-to-conver-lollipop-dat-files-to-t2978952 - credits to @expirt
Repos are here:
https://github.com/xpirt/img2sdat
https://github.com/xpirt/sdat2img
4) Boot image tools
Get the mkbootimg tools available here:
https://github.com/xiaolu/mkbootimg_tools
Don't know of any XDA thread or developer for these.
5) SparseConverter
SparseConverter is needed to convert the Fastboot sparse chunks into an image file. This is only required for creating a TWRP flashable build from the Fastboot image files. It is not needed for an existing TWRP flashable build.
The link to SparseConverter, both the binary and source code, is here:
https://forum.xda-developers.com/showthread.php?t=2749797 - credits to @tal.aloni
In my case, I downloaded the source code and compiled it using MonoDevelop. You can open the Visual Studio Solution file (.sln) in MonoDevelop and compile. It may also be possible to download the binary and execute it using mono. If you choose this route, adjust commands below to suit. I haven't tried this myself, so if it doesn't work try compiling it from source.
6) TWRP Flashable Template zip
Another requirement for building a TWRP flashable zip from the Fastboot images is to have a suitable template zip. I have created one and placed it here:
https://www.androidfilehost.com/?fid=5862345805528045057
7) Brotli
Brotli is a loss-less compression format that is now being used in the Oreo OTAs. Its file extension is br. You can get the latest release/source code from here:
https://github.com/google/brotli/releases
8) lz4
In some cases, device tree images are compressed using lz4. This is a standard part of many linux distributions. Use the following on Debian/Ubuntu:
Code:
sudo apt install liblz4-tool
9) A hex editor
Editing the device tree binary/blob needs a hex editor. I have used dhex because it can be used over the command line. Use the following on Debian/Ubuntu:
Code:
sudo apt install dhex
Any other hex editor will suffice.
Change log of this post
2018-06-17 - add in SparseConverter details, TWRP template zip.
2018-07-10 - change link to TWRP Flashable template - new one is edited to NOT erase modemst1 and modemst2.
2018-08-19 - add in Brotli, required for new Oreo OTAs.
2018-09-09 - add in lz4 and hex editor requirements.
2018-10-14 - add in link to sdat2img repo. Properly tag the authors of the different tools that I use (where available).

Create TWRP Flashable from existing TWRP Flashable
Create TWRP Flashable zip from Existing TWRP Flashable
1) Get an existing TWRP flashable
You can download the latest TWRP Nougat flashables for Potter from here:
[Nougat][Stock][Rom] TWRP Flashable Stock Builds
The latest TWRP Oreo flashables for Potter are here:
[Oreo][Stock][Rom] TWRP Flashable Stock Builds
I also put together some TWRP flashables for other devices, such as Cedric (G5) and Sanders (G5S Plus). Have a search under my profile at Android File Host:
Downloads for Android Devices by nzedpred
Extract it to a folder, e.g. "next", that represents the next version that you will be creating. Enter the folder.
All commands are run from within this folder. If a folder is created as part of the instructions, I assume that the folder is not entered.
2) Convert sparse data images to img
With the sdat2img tool, convert the system, oem, and modem images to raw images:
Code:
sdat2img.py system.transfer.list system.new.dat system.img
sdat2img.py oem.transfer.list oem.new.dat oem.img
sdat2img.py modem.transfer.list modem.new.dat modem.img
3) Analyse the OTA and apply patching and updates
Unzip the ota upgrade files into a sub-folder ota.
Code:
unzip path/to/ota/Blur_Version.x.y.z.zip -d ota
In the OTA extract, open up the updater-script in a text editor
Code:
ota/META-INF/com/google/android/updater-script
The first parts of the script are to check for valid OEM, Recovery and System partitions from the previous version. The parts we're interested in start below the line:
Code:
# ---- start making changes here ----
New in Oreo
In Nougat, many of the files below are named e.g. system.new.dat. Oreo may have these files named e.g. system.new.dat.br. These "br" files are Brotli compressed files. Look for any files that are named as such, e.g.
Code:
ls ota/*.br
ota/dsp.new.dat.br ota/system.new.dat.br
In the example above, I get two files that are Brotli compressed. Decompress these using the following:
Code:
brotli --decompress --input ota/dsp.new.dat.br --output ota/dsp.new.dat
brotli --decompress --input ota/system.new.dat.br --output ota/system.new.dat
** System **
The first line that makes updates to the system image is this one for Nougat:
Code:
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat")
or Oreo:
Code:
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat.br", "system.patch.dat")
The only difference between Nougat and Oreo is the "br" in system.new.dat.br. As we have decompressed the Brotli files in the previous steps, we only need to use sytem.new.dat.
The equivalent command to imitate this command is the following:
Code:
BlockImageUpdate system.img ota/system.transfer.list ota/system.new.dat ota/system.patch.dat
Check that the error code returned is 0.
** Boot **
The next line that makes updates to the boot image is this one:
Code:
apply_patch("EMMC:/dev/block/bootdevice/by-name/boot:16777216:f6ee50c0900378319080912820b5c20f4bb7051c:16777216:19b3ba799fd8f57588ff3736f1a1c0070417f4c2",
"-", 19b3ba799fd8f57588ff3736f1a1c0070417f4c2, 16777216,
f6ee50c0900378319080912820b5c20f4bb7051c,
package_extract_file("patch/boot.img.p"))
The equivalent command to imitate this is the following:
Code:
ApplyPatch boot.img - 19b3ba799fd8f57588ff3736f1a1c0070417f4c2 16777216 f6ee50c0900378319080912820b5c20f4bb7051c ota/patch/boot.img.p
NOTE: You will need to update the strings above to match what is in the OTA update script, which will differ from OTA to OTA.
NOTE: This will fail if we use the version straight from the previous flashable zip, as that version may have already been patched to disable dm-verity and disable forced encryption. We need to get a version from the stock image.
Also note, that as part of creating these zips, I leave the original unmodified boot.img file as a copy, boot-stock.img or similar. When patching, simply rename it to boot.img before doing the ApplyPatch command
Code:
mv boot-stock.img boot.img -fv
Check that the error code returned is 0.
** Bootloader **
The bootloader also gets updated quite often. Note that as part of making these zips safer, we don't update the bootloader, so skip right past them. These lines look something like this:
Code:
ui_print("updating sbl1 ...");
assert(package_extract_file("sbl1.mbn", "/tmp/sbl1.mbn"),
apply_raw_image("/tmp/sbl1.mbn", "sbl1"),
delete("/tmp/sbl1.mbn"));
Refer to post #13 to see details of how to work out which partitions are bootloader-related. In brief, the following are bootloader-related:
aboot
rpm
tz
devcfg
cmnlib
cmnlib64
keymaster
prov
sbl1
** MODEM **
When the modem is updated, it tends to be done using a few different techniques. Sometimes it uses one of the approaches above, other times it is untouched, and finally it can have a combination of deleting, patching and copying new files.
To apply changes that are done by deleting, patching and copying, first set up a mount point, mount the image, and make sure you have any of the tools in the path of the root user, as these need to be run as root.
Code:
mkdir modem
sudo su
mount modem.img modem
export PATH=$PATH:/path/to/tools
An example of deleting:
Code:
ui_print("Removing unneeded files from modem...");
delete("/modem/image/Ver_Info.txt", "/modem/image/cmnlib.b04",
"/modem/image/fpctzappfingerprint.b04",
"/modem/image/fpctzappfingerprint.b05", "/modem/image/modem.b17",
"/modem/image/qdsp6m.qdb", "/modem/image/dhsecapp.b00",
etc...
The equivalent of these are:
Code:
rm modem/image/Ver_Info.txt
rm modem/image/cmnlib.b04
rm modem/image/fpctzappfingerprint.b04
etc...
Take very special care to remove the leading slash before modem. You don't want to risk deleting files on your PC's filesystem.
An example of patching:
Code:
ui_print("Patching modem files...");
apply_patch("/modem/image/adsp.b00", "-",
42ae9e4a8a04b70938c6fda6bef2ad7063ccba15, 532,
6df377596db8273c268691fb87380c416128502c,
package_extract_file("patch/modem/image/adsp.b00.p")) ||
abort("E3008: Failed to apply patch to /modem/image/adsp.b00");
apply_patch("/modem/image/adsp.b01", "-",
13500067ce0564e2d45780d5511271f8d195a598, 6920,
3ee7f84d3e81a44725554ac24d001cff21a636ab,
package_extract_file("patch/modem/image/adsp.b01.p")) ||
abort("E3008: Failed to apply patch to /modem/image/adsp.b01");
etc...
The equivalent of these are:
Code:
ApplyPatch modem/image/adsp.b00 - 42ae9e4a8a04b70938c6fda6bef2ad7063ccba15 532 6df377596db8273c268691fb87380c416128502c ota/patch/modem/image/adsp.b00.p
ApplyPatch modem/image/adsp.b01 - 13500067ce0564e2d45780d5511271f8d195a598 6920 3ee7f84d3e81a44725554ac24d001cff21a636ab ota/patch/modem/image/adsp.b01.p
etc...
An example of copying:
Code:
ui_print("Unpacking new files in modem ...");
assert(package_extract_dir("modem", "/modem"));
The equivalent of this is:
Code:
cp -rv ota/modem/* modem/
You will probably also see something like:
Code:
ui_print("Symlinks and permissions in modem ...");
set_metadata_recursive("/modem/", "uid", 0, "gid", 0, "dmode", 0755, "fmode", 0644, "capabilities", 0x0);
That sets permissions of folders and files to 0755 and 0644 respectively. This can be achieved by:
Code:
find modem/ -type d -exec chmod 0755 {} \;
find modem/ -type f -exec chmod 0644 {} \;
When finished, unmount modem.img, exit the root shell, and remove the mount folder:
Code:
umount modem
exit
rmdir modem
** OEM **
The line that updates the oem image is this one:
Code:
block_image_update("/dev/block/bootdevice/by-name/oem", package_extract_file("oem.transfer.list"), "oem.new.dat", "oem.patch.dat")
The equivalent command to imitate this is the following:
Code:
BlockImageUpdate oem.img ota/oem.transfer.list ota/oem.new.dat ota/oem.patch.dat
Check that the error code returned is 0.
** DSP **
Occasionally the dsp partition is also updated. It will use one of the techniques above, e.g.
Code:
block_image_update("/dev/block/bootdevice/by-name/dsp", package_extract_file("dsp.transfer.list"), "dsp.new.dat.br", "dsp.patch.dat")
Has the equivalent command:
Code:
BlockImageUpdate adspso.bin ota/dsp.transfer.list ota/dsp.new.dat ota/dsp.patch.dat
Note that the equivalent of the dsp partition is the adspso.bin file.
** FSG **
If FSG is updated, you will often see something like this:
Code:
assert(package_extract_file("fsg.mbn", "/tmp/fsg.mbn"),
apply_raw_image("/tmp/fsg.mbn", "fsg"),
delete("/tmp/fsg.mbn"));
This doesn't represent a patch being applied. Instead the file would just be copied from the OTA folder into the base folder. This applies to any other file that hasn't been patched in one of the ways above (except the bootloader).
** Others **
At this point, check if there are other (non-bootloader) partitions in the updater-script. This should have covered off all, but a future device may have other partitions that follow this (or a new) technique.
One that is present that I haven't used here, is logo.bin being copied over the logo partition. I tend to leave this as-is, as I prefer/recommend that people flash the logo as a one-off, and preferably grab a "Hidden N/A" from the themes forum.
4) Disable dm-verity and forced encryption
There are two different techniques to disabling dm-verity and forced encryption, one for Nougat and one for Oreo. Refer to the appropriate section below.
4a) Nougat - Disable dm-verity and forced encryption in boot
Nougat has the flags for enabling/disabling dm-verity and forced encryption in the boot image. These instructions are based upon looking at the scripts in the files here:
https://build.nethunter.com/android-tools/no-verity-opt-encrypt/
Make a copy of the boot.img file, so that we have the original for the next ota. This is important, as without the original, the next time we try to apply the patch, it will fail.
Code:
cp boot.img boot-stock.img
Extract the boot image:
Code:
mkboot boot.img bootimg
Modify the fstab file in a text editor:
Code:
bootimg/ramdisk/fstab.qcom
Remove any instances of verify. For example, the below line:
Code:
/dev/block/bootdevice/by-name/system /system ext4 ro,barrier=1,discard wait[U],verify[/U]
Can be changed to:
Code:
/dev/block/bootdevice/by-name/system /system ext4 ro,barrier=1,discard wait
If the section "wait,verify" was in fact just "verify", we would need to replace it with "defaults"
Replace any instances of forceencrypt or forcefdeorfbe with encryptable
E.g. the below line:
Code:
/dev/block/bootdevice/by-name/userdata /data f2fs rw,discard,nosuid,nodev,noatime,nodiratime,nobarrier,inline_xattr,inline_data wait,check,formattable,[U]forceencrypt[/U]=/dev/block/bootdevice/by-name/metadata
Can be changed to:
Code:
/dev/block/bootdevice/by-name/userdata /data f2fs rw,discard,nosuid,nodev,noatime,nodiratime,nobarrier,inline_xattr,inline_data wait,check,formattable,[U]encryptable[/U]=/dev/block/bootdevice/by-name/metadata
Save and close the file.
Repack the boot image:
Code:
mkboot bootimg boot.img
Note the above line will replace your previous boot.img file, but that's OK because we made the copy to boot-stock.img.
4b) Oreo - Disable dm-verity and forced encryption
Oreo is different to Nougat with respect to these flags. Oreo uses a "device tree" in the boot image to mount the vendor partition. In the case of potter, and presumably the other recent Moto devices, vendor is actually a symlink to a folder in system. So, we need to make a change to the boot image, and the system partition.
4b) i) Oreo - Disable dm-verity
The process in broad terms is this:
Backup the boot image
Unpack the boot image
Decompress the dt.img file (if applicable), to get the underlying dtb file (device tree blob)
Hexedit the device tree blob, removing instances of verify
Compress the dtb file
Pack the boot image
To assist with the next OTA, make a copy of the boot image. Then use mkboot to extract the boot image to its component parts:
Code:
cp -v boot.img boot-stock.img
mkboot boot.img bootimg
Look at the extracted boot image:
Code:
ls -l bootimg/
-rw-r--r-- 1 user user 418560 Sep 9 09:12 dt.img
-rw-r--r-- 1 user user 466 Sep 9 09:12 img_info
-rw-r--r-- 1 user user 9211208 Sep 9 09:12 kernel
drwxr-xr-x 21 user user 4096 Sep 9 09:12 ramdisk
-rw-r--r-- 1 user user 1273390 Sep 9 09:12 ramdisk.packed
The dt.img is the device tree, which holds the mount information that we need to edit. Note that dt.img may be compressed - for Potter it is lz4 compressed, for Cedric for example, it is not compressed - it is raw data. To find out whether or not it is compressed, use the following command and check the output
Code:
file bootimg/dt.img
The output could be one of the following:
Code:
bootimg/dt.img: LZ4 compressed data (v1.4+)
bootimg/dt.img: data
If the output says that it is LZ4 compressed, use the following to decompress - we will call the decompressed file dtb.img:
Code:
lz4 -d bootimg/dt.img bootimg/dtb.img
Now we need to use a hex editor to view and manipulate the dtb.img (or dt.img if not compressed) file. Note that the dtc command (device tree compiler) should be able to convert these dtb files into source files. However I have had no success even with the latest versions. In future it may be possible (and preferable) to convert to source, and edit the source text and recompile to dtb.
Code:
dhex bootimg/dtb.img
or
Code:
dhex bootimg/dt.img
Now, search for instances of ",verify" (without the quotes). When they are found, you can also scroll up to see what the previous lines were, to make sure they are editing instances of "fstab", for example:
Code:
32E44 00 00 00 01 61 6e 64 72 6f 69 64 00 00 00 00 03 00 00 00 11 00 00 00 21 ....android............!
32E5C 61 6e 64 72 6f 69 64 2c 66 69 72 6d 77 61 72 65 00 00 00 00 00 00 00 01 android,firmware........
[COLOR="red"] 32E74 66 73 74 61 62 00 00 00 00 00 00 03 00 00 00 0e 00 00 00 21 61 6e 64 72 fstab..............!andr[/COLOR]
32E8C 6f 69 64 2c 66 73 74 61 62 00 00 00 00 00 00 01 73 79 73 74 65 6d 00 00 oid,fstab.......system..
32EA4 00 00 00 03 00 00 00 0f 00 00 00 21 61 6e 64 72 6f 69 64 2c 73 79 73 74 ...........!android,syst
32EBC 65 6d 00 00 00 00 00 03 00 00 00 35 00 00 03 72 2f 64 65 76 2f 62 6c 6f em.........5...r/dev/blo
32ED4 63 6b 2f 70 6c 61 74 66 6f 72 6d 2f 73 6f 63 2f 37 38 32 34 39 30 30 2e ck/platform/soc/7824900.
32EEC 73 64 68 63 69 2f 62 79 2d 6e 61 6d 65 2f 73 79 73 74 65 6d 00 00 00 00 sdhci/by-name/system....
32F04 00 00 00 03 00 00 00 05 00 00 00 71 65 78 74 34 00 00 00 00 00 00 00 03 ...........qext4........
32F1C 00 00 00 15 00 00 69 bc 72 6f 2c 62 61 72 72 69 65 72 3d 31 2c 64 69 73 ......i.ro,barrier=1,dis
32F34 63 61 72 64 00 00 00 00 00 00 00 03 00 00 00 0c 00 00 69 c6 77 61 69 74 card..............i.wait
[COLOR="Red"] 32F4C 2c 76 65 72 69 66 79 00 00 00 00 03 00 00 00 03 00 00 02 b4 6f 6b 00 00 ,verify.............ok..[/COLOR]
There will be several instances of this. In all cases, we want to overwrite the ",verify" with zeroes. So the last line above would become:
Code:
32F4C 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 03 00 00 02 b4 6f 6b 00 00 ....................ok..
Make sure to repeat for all, then save and exit the hex editor.
Now complete the last few steps - the first set of commands if the dt.img file was compressed:
Code:
rm -v bootimg/dt.img
lz4 -9 bootimg/dtb.img bootimg/dt.img
rm -v bootimg/dtb.img
mkboot bootimg boot.img
Or the following if dt.img was not compressed:
Code:
mkboot bootimg boot.img
The boot image has now been recreated with dm-verity disabled.
4b) ii) Oreo - Disable forced encryption
The process here is similar to what is done in Nougat, just that we need to mount system.img first, and then apply to a file at system/vendor/etc/fstab.qcom.
It is important to know that merely mounting system.img will result in changes to the file. This could cause a future OTA to not work. The approach below will work, however it is now recommended that system.img is mounted read-only, the fstab.qcom file is copied and edited, and a script is used to replace the fstab.qcom file at install time. This way system.img is kept intact, there is no need to keep a > 1 GB file as a backup, and there will be no issues with future OTAs. This is the approach taken by the latest flashable zips with the Aroma installer.
In the below, I use vim to edit, but you can use any other text editor. I also create a backup of system.img, just in case I make a mistake. Note that it is a large file so you wouldn't want to keep it in the final zip.
Another thing to note is that this change appears to have no effect if dm-verity is not disabled.
Code:
cp -v system.img /path/to/keep/system.img.backup
mkdir system
sudo su
mount system.img system
vim system/vendor/etc/fstab.qcom
Here, apply the same approach as Nougat - replace "forceencrypt" with "encryptable". Close and save, then unmount system.img, and exit the root shell. Then remove the system folder.
Code:
umount system
exit
rmdir -v system
Installing Magisk immediately after flashing the rom, and before rebooting, will also disable dm-verity and forced encryption.
5) Convert images to sparse images, then to sparse data
Make a temporary folder for the spasre image files that we will create:
Code:
mkdir tmp
img2simg system.img tmp/system.img
img2simg oem.img tmp/oem.img
img2simg modem.img tmp/modem.img
Create the sparse data files from the sparse images:
Code:
img2sdat.py tmp/system.img -v 4 -p system
img2sdat.py tmp/oem.img -v 4 -p oem
img2sdat.py tmp/modem.img -v 4 -p modem
6) Update the actual updater-script
Use your text editor to update the updater-script file:
Code:
vim META-INF/com/google/android/updater-script
Update any lines that refer to the version being installed. It's good to have these lines in there, but are optional. They could be removed entirely if so desired...
Code:
ui_print("Target: motorola/potter/potter:7.0/NPNS25.137-93-8/10:user/release-keys");
As it is information only, it isn't necessary to get the values exactly right. You can get the correct values from the ota updater script here:
Code:
ota/META-INF/com/google/android/updater-script
Update - remove format of modemst1 and modemst2
The builds that I have provided to date erase the modemst1 and modemst2 partitions. Whilst that is fine for devices normally as they get recreated on boot, in cases where users have flashed a custom Oreo rom and then reverted to stock, there have been reports of losing IMEI and other capabilities. Whilst this is caused by Oreo roms changing ownership of the /persist/rfs folder, the fact that these partitions are erased can leave people without IMEI, relying upon a backup to get back. So, if the previous flashable zip has lines to format the modemst1/2 partitions, remove them. The lines look like the following, with the format commands being the ones that do the erase:
Code:
ui_print("Erasing modemst1 ...");
format("raw", "EMMC", "/dev/block/bootdevice/by-name/modemst1", "0", "/modemst1");
ui_print(" ");
ui_print("Erasing modemst2 ...");
format("raw", "EMMC", "/dev/block/bootdevice/by-name/modemst2", "0", "/modemst2");
ui_print(" ");
7) Remove working files and folders and zip
The folders we created in previous steps can now be removed:
Code:
rm -rf ota tmp bootimg
The temporary img files can now be removed:
Code:
rm system.img oem.img modem.img
Zip up the remaining files into the parent folder (I like to keep the update tree clean) - replace version_info with an appropriate string, e.g. NPNS25.137-93-14, OPS28.85-13:
Code:
zip ../twrp-flashable-potter-[i]version_info[/i].zip -r *
Note - this will also include the boot-stock.img file. Best to keep it there so we can use it for the next patch!
8) Prepare for flashing
Copy the newly created zip into your phone's SD card
BACKUP BACKUP BACKUP!!! Do a TWRP backup of course! NO EXCUSES!
Flash the zip file.
Voila!
Edit log
2018-07-07 - Added reference to post #10, as it details how to do a modem update for the NPNS25.137-93-14 OTA
2018-07-10 - Added recommendation to remove lines from OTA updater-script that erase modemst1 and modemst2
2018-08-19 - Updated for Oreo.
2018-09-09 - Tidied up the steps to disable dm-verity for Oreo, other tidying up. Catered for dt.img being either compressed (e.g. Potter) or not (e.g. Cedric).

Create TWRP from full fastboot image
Create TWRP Flashable from Fastboot Image
First off, make sure you have the SparseConverter and TWRP template zip from the second post. These weren't needed for building from an existing TWRP flashable zip, but are necessary for this.
1) Get an appropriate starting firmware
At the time of writing this, the April 2018 security patches are available for the Indian variant (NPNS25.137-92-10) and US variant (NPNS25.137-93-10). Note that these firmwares are used on other regions as well (e.g. the US firmware can be used on retapac). Refer to other threads in the forum if you aren't sure. Ideally you should stick with the firmware for your region, as e.g. there may be differences in the modems, etc.
Indian (NPNS25.137-92-10) https://mirrors.lolinet.com/firmware/moto/potter/official/RETAIL/POTTER_RETAIL_7.0_NPNS25.137-92-10_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip
US (NPNS25.137-93-10) - refer to this thread https://forum.xda-developers.com/g5-plus/development/april-security-patch-xt1687-npns25-137-t3796797
Extract the zip file and enter the folder (rename it if you want for convenience).
2a) Convert the sparse chunk files into a (Motorola) image file
Use SparseConverter to convert the sparse chunks into an image file:
Code:
SparseConverter.exe /decompress system.img_sparsechunk.0 system.img.moto
The first parameter says that we are decompressing (obvious). The second is the name of the very first sparse chunk file - we only need to specify the first. The third and last parameter is the destination file to be created.
The reason for naming it system.img.moto (i.e. with moto on the end) is because Motorola have added a 128KB header and 4KB trailer. These will need to be removed later.
2b) Convert oem.img from sparse image to raw image
Confusingly, sparse image files and raw image files typically have the same extension - img. oem.img is a sparse image file, and must be converted to raw image. Similarly to the system image, it has a 128KB header and 4KB trailer.
Code:
mv oem.img oem.simg.moto
simg2img oem.simg.moto oem.img.moto
2c) Convert the modem (NON-HLOS.bin) to raw image
The modem file, although it has a .bin extension, is in sparse image format.
Code:
simg2img NON-HLOS.bin modem.img
This particular file does not have a header or trailer.
3) Remove header and trailer from image files
We will use dd and truncate to remove the header and trailer respectively from the system and oem image files:
Code:
dd if=system.img.moto of=system.img bs=131072 skip=1
truncate -s -4096 system.img
dd if=oem.img.moto of=oem.img bs=131072 skip=1
truncate -s -4096 oem.img
4) Extract template and copy files
In a separate folder, extract the TWRP Template zip file into a folder, and rename the folder to something more reasonable, e.g. twrp-flashable-NPNS.25.137-xx-xx.
Copy each of the following files into the template folder:
system.img
oem.img
modem.img
boot.img
fsg.mbn
adspso.bin
logo.bin
E.g. use a command like the following, adjusting the paths as necessary (the last parameter is the location of the template folder that I renamed in this case):
Code:
cp -fv adspso.bin boot.img fsg.mbn logo.bin modem.img oem.img system.img ../twrp-flashable-NPNS25.137-92-10/
Note that of those above, the first three were created in our previous steps, the others (boot.img etc) were already there with the other fastboot files.
The updater-script, located at META-INF/com/google/android/updater-script is already set up to take the steps that are done in the fastboot images, except it does not update the bootloader-related files.
At this stage, you could just go and zip up all of the files and flash. However, there are a few things you may want to do first. Ensure you are in the template folder before doing any of the following.
5) Disable dm-verity and forced encryption in boot
To do this, follow the same instructions as the previous post - step 4. Note the two different methods, one for Nougat, one for Oreo.
6) Change the logo image
Note that the logo.bin file is from stock, and therefore it will have the unlocked bootloader warning. You could replace it with the logo.bin from the other TWRP flashables, or you may want to grab one from the Themes forum, and (as I did) pick a nice one that hides the N/A.
7) Convert images to sparse images, then to sparse data
This step is the same as the previous post, step 5. It is repeated here for convenience.
Make a temporary folder for the sparse image files that we will create:
Code:
mkdir tmp
img2simg system.img tmp/system.img
img2simg oem.img tmp/oem.img
img2simg modem.img tmp/modem.img
Create the sparse data files from the sparse images:
Code:
img2sdat.py tmp/system.img -v 4 -p system
img2sdat.py tmp/oem.img -v 4 -p oem
img2sdat.py tmp/modem.img -v 4 -p modem
8) Remove working files and folders and zip
The folders we created in previous steps can now be removed:
Code:
rm -rf tmp bootimg
The temporary img files can now be removed:
Code:
rm -fv system.img oem.img modem.img
9) Create the zip file
Ensuring that you are in the template folder, execute the following command to create the zip:
Code:
zip twrp-flashable-NPNS25.137-92-10.zip -r *
Make sure to change the zip filename as appropriate.
10) Flash
Copy to your phone's SD Card
BACKUP BACKUP BACKUP Yes, the same warning as per usual!
Flash the zip file as usual.
Edit log
2018-06-29 - fixed references to logo.img, as they are actually logo.bin. Added -fv to remove temporary files.

Hi.... Will work with Oreo stock ROM too?

david.gs.gm said:
Hi.... Will work with Oreo stock ROM too?
Click to expand...
Click to collapse
We'll find out for sure once we get the OTA. I'd expect it will work, given that it is coming from a nougat base for the first one anyway.

Thanks for putting this together. It's a good resource.

Thank you OP keep up the great work I always keep latest on my ext so I can flash in case of custom rom issues

Hi all - the Fastboot to TWRP Flashable guide in post #4 is now complete.
I'd be really interested if anyone has tried following the guide and had success.
All the best.

Modem update via OTA
The update I did of NPNS25.137-93-14 (from NPNS25.137-93-10) had something I hadn't seen in previous updates. The modem was updated, but rather than the partition as a whole being patched, individual files within the partition were patched. The relevant parts of the updater-script from the OTA were as follows:
Code:
ui_print("Patching modem files...");
apply_patch("/modem/image/cmnlib.b01", "-",
6fa3c6b7659a838aba82f079794a9ac46b74651b, 6632,
720b36038ee0c7152dac051d7f4bb13dfdd3fb15,
package_extract_file("patch/modem/image/cmnlib.b01.p")) ||
abort("E3008: Failed to apply patch to /modem/image/cmnlib.b01");
apply_patch("/modem/image/cmnlib.b02", "-",
155983f129c89d1c8fb96df20e069e388a23c2c2, 178690,
6e0951d9fab22276dd772cb96ae91eff850b5bf1,
package_extract_file("patch/modem/image/cmnlib.b02.p")) ||
abort("E3008: Failed to apply patch to /modem/image/cmnlib.b02");
apply_patch("/modem/image/cmnlib.mdt", "-",
41fdff0863ac1215135802499433644f2b030b92, 6876,
1e7c7b75c2aec4cecfea538b93350975160ce0b5,
package_extract_file("patch/modem/image/cmnlib.mdt.p")) ||
abort("E3008: Failed to apply patch to /modem/image/cmnlib.mdt");
etc - there were a total of 51 patches applied
The other images have been patched directly, rather than individual files within the image. So the approach had to be slightly different:
Create a folder and mount the modem.img file into it
Use ApplyPatch on each of the folders
Unmount the image
Remove the folder
The resulting code to apply the changes looked like this:
Code:
# Make a folder to mount the image in
mkdir modem
# Change to a root shell
sudo su
# Mount the modem image to the modem sub-folder
mount modem.img modem
# ensure the ApplyPatch executable is in the path
export PATH=$PATH:"path to ApplyPatch"
ApplyPatch modem/image/cmnlib.b01 - 6fa3c6b7659a838aba82f079794a9ac46b74651b 6632 720b36038ee0c7152dac051d7f4bb13dfdd3fb15 ota/patch/modem/image/cmnlib.b01.p
ApplyPatch modem/image/cmnlib.b02 - 155983f129c89d1c8fb96df20e069e388a23c2c2 178690 6e0951d9fab22276dd772cb96ae91eff850b5bf1 ota/patch/modem/image/cmnlib.b02.p
ApplyPatch modem/image/cmnlib.mdt - 41fdff0863ac1215135802499433644f2b030b92 6876 1e7c7b75c2aec4cecfea538b93350975160ce0b5 ota/patch/modem/image/cmnlib.mdt.p
etc... for the remainder of the patches
# Unmount the modem image
umount modem
# Exit the root shell
exit
# Remove the modem folder
rmdir modem
Because the updater-script was consistently formatted, after doing the first 20 manually to make sure I was doing it right, I used a spreadsheet to extract the relevant hashes and filenames, and turned them into the commands above. This could have been done using a script or similar, but I'm a master of spreadsheets so chose to do it that way

@NZedPred is it possible to make a flashable zip to update only the firmware? I'm on custom rom and only would like the upgrade my firmware....would i only have to delete system boot and recovery from the zip?

Tech_Savvy said:
@NZedPred is it possible to make a flashable zip to update only the firmware? I'm on custom rom and only would like the upgrade my firmware....would i only have to delete system boot and recovery from the zip?
Click to expand...
Click to collapse
Hi - yes it's possible. Not 100% sure what you mean by "only the firmware" (modem/network related?), but you can alter the update the zip to only update the partitions that you want. These are the current steps in the updater-script (META-INF/com/google/android/updater-script):
modem
fsg
Erase modemst1 and modemst2
dsp
logo
boot
system
oem
Erase ddr
I've read that the modem and fsg are relating to the network. See the thread here for more information: Motorola Moto G Partitions Explained.
Not sure if custom roms would use oem. I know that Treble roms use oem in place of vendor, so if you're using a treble rom you wouldn't want to update that.
So all you need to do is remove the commands you don't want in the updater-script.
Hope this helps a bit.

Bootloader partitions
This is a quick guide on determining which partitions are related to the bootloader.
Using a full fastboot firmware, extract the bootloader.img file. Although it is a binary file, it has sections that are text, e.g. the following is using the less command
Code:
SINGLE_N_LONELY^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@index.xml^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<82>^@^@^@^@^@^@^@<?xml version="1.0"?>
<index>
<package compatible="cpu.name:MSM8953 protocol:fastboot" filename="bootloader.pkg.xml"/>
</index>
Scrolling down a few pages, you'll find the following:
Code:
<?xml version="1.0" ?>
<recipe>
<flash partition="aboot" filename="emmc_appsboot.mbn"/>
<flash partition="rpm" filename="rpm.mbn"/>
<flash partition="tz" filename="tz.mbn"/>
<flash partition="devcfg" filename="devcfg.mbn"/>
<flash partition="cmnlib" filename="cmnlib.mbn"/>
<flash partition="cmnlib64" filename="cmnlib64.mbn"/>
<flash partition="keymaster" filename="keymaster.mbn"/>
<flash partition="prov" filename="prov.mbn"/>
<flash partition="sbl1" filename="sbl1.mbn"/>
</recipe>
So, that tells us exactly which partitions are updated when we update the bootloader. The filenames and partitions are the same as those that we would see in an OTA, e.g. when we see commands like this:
Code:
ui_print("updating rpm ...");
assert(package_extract_file("rpm.mbn", "/tmp/rpm.mbn"),
apply_raw_image("/tmp/rpm.mbn", "rpm"),
delete("/tmp/rpm.mbn"));
show_progress(0.100000,0);
assert(set_backup_flag());
ui_print("updating tz ...");
assert(package_extract_file("tz.mbn", "/tmp/tz.mbn"),
apply_raw_image("/tmp/tz.mbn", "tz"),
delete("/tmp/tz.mbn"));
show_progress(0.050000,0);
ui_print("updating devcfg ...");
assert(package_extract_file("devcfg.mbn", "/tmp/devcfg.mbn"),
apply_raw_image("/tmp/devcfg.mbn", "devcfg"),
delete("/tmp/devcfg.mbn"));
show_progress(0.050000,0);
etc...

Wow, great thread. Thank you so much for providing all of this info. I have been curious about how this works for quite some time. I can't wait to give it a try this coming weekend.
Thanks again mate!!

[HELP] unable to unlock bootloader in normal way

So i have redmi note 8 pro with chinese rom stable 12.5 .. the phone bootloader is locked , i tried to unlock the bootloader in normal way by bining an MI account but i am unable to bind mi account to device in developer settings BECAUSE ( the phone IMEI is changed) so its always gives an error of request timeout upon clicking bind account.. morever i tried evry vpn and other possible way to bind my account to unlock bootloader but unable to do it..
Can anyone help me out of this . Because i want to use global rom with google play which i cant do until unlocking bootloader.
I need any possible official or UNofficial way to unlock my redmi note 8 pro bootloader..
Your help would be appreciated. Thankyou

This error.. and it comes after 1-2 mins of clikcing "add device and account"

Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!

RahanCrau said:
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!
Click to expand...
Click to collapse
can you please give me discord and guide me there. i am not so much pro in these.
i am waiting for help for soo many long time if you help me it will be really appreciated man please

RahanCrau said:
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!
Click to expand...
Click to collapse
Bro, can you teach me on what basis did you give the hex values?
Is it that they are translated using tools such as HxD?
Are they device specific?

RahanCrau said:
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!
Click to expand...
Click to collapse
seccfg is unreadable on MIUI 12.5.1 GLOBAL

RahanCrau said:
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!
Click to expand...
Click to collapse
i am getting this error

josephmh said:
View attachment 5448767
i am getting this error
Click to expand...
Click to collapse
Use mtkclient. Google it, read and do.

Kirasu2080 said:
Use mtkclient. Google it, read and do.
Click to expand...
Click to collapse
Thnx dude.
Bootloader is unlocked but i can't access fastboot mode
I get this message :
The serial is not match fastboot_unlock_verify fail

josephmh said:
Thnx dude.
Bootloader is unlocked but i can't access fastboot mode
I get this message :
The serial is not match fastboot_unlock_verify fail
Click to expand...
Click to collapse
I didn't see anyone report that error until now (many tested).
Try again like this:
Join Telegram group and ask for help if not work.

josephmh said:
Thnx dude.
Bootloader is unlocked but i can't access fastboot mode
I get this message :
The serial is not match fastboot_unlock_verify fail
Click to expand...
Click to collapse
Almost EVERY smartphone manufacturer sets a Fastboot verification flag to verify if the Fastboot is really unlocked or not. As in the case of Redmi the bootloader unlock verification is done by the devinfo partition by verifying the flag. Since using the tool you just unlocked the bootloader, Fastboot can't be accessed. Just flash anything u want through SP Flash Tool. Or ask any kind human here for their devinfo and set the unlock flag yourself.

llxxVENOMxxll said:
Almost EVERY smartphone manufacturer sets a Fastboot verification flag to verify if the Fastboot is really unlocked or not. As in the case of Redmi the bootloader unlock verification is done by the devinfo partition by verifying the flag. Since using the tool you just unlocked the bootloader, Fastboot can't be accessed. Just flash anything u want through SP Flash Tool. Or ask any kind human here for their devinfo and set the unlock flag yourself.
Click to expand...
Click to collapse
Don't try this if your a noob and mess your phone.

llxxVENOMxxll said:
Don't try this if your a noob and mess your phone.
Click to expand...
Click to collapse
I was on android 11 i couldn't enter even recovery and i was having that dm-verity corruption, i downloaded the oldest firmware i can get which is android 10 nd flash it with sp flash tool now i can access recovery (colorOs recovery) nd i tried unofficial twrp recovery the phone can't boot to recovery until i reflashed the stock recovery by the way i have Oppo reno 3 cph2043 not redmi note 8

josephmh said:
I was on android 11 i couldn't enter even recovery and i was having that dm-verity corruption, i downloaded the oldest firmware i can get which is android 10 nd flash it with sp flash tool now i can access recovery (colorOs recovery) nd i tried unofficial twrp recovery the phone can't boot to recovery until i reflashed the stock recovery by the way i have Oppo reno 3 cph2043 not redmi note 8
Click to expand...
Click to collapse
The DM-Verity error is due to the unlock is not official. So it will happen. The device should normally boot after showing you the error for 5 seconds. If it doesn't then you're doomed.

llxxVENOMxxll said:
The DM-Verity error is due to the unlock is not official. So it will happen. The device should normally boot after showing you the error for 5 seconds. If it doesn't then you're doomed
Click to expand...
Click to collapse
As i said that error doesn't show on android 10 i downgraded the phone to colorOs7 which is android 10 not 11 but not i have fastboot_unlock_verify fail .. and when i go to developer options -> oem unlock it shows that bootloader is unlocked

Even my OPPO (A31 CPH2015) shows the same problem. We need to find a workaround or get rid of ColorOS forever.

Someone had that problem in Redmi note 8 pro also even official way. Some said press power 1 time whenever that dm-verity show (they just accept and live with it). Some used global one then clean flash China rom, patch vbmeta,... and it gone. Some flash random custom roms and it disappear. Hope these info can help you guys.

RahanCrau said:
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But, it is easier to get rid of the requirement of the MiUnlock app.
1) Recover your "seccfg" partition:
* the phone in normal mode =
- We launch the command prompt and we write
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (looking for "seccfg") =
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- We get "seccfg" on the internal memory =
dd if =/dev/block/sdc13 of =/sdcard/Partition_seccfg
(I named "Partition_seccfg", but you give the name you want)
- You save "Partition_seccfg" on your PC
* We can recover the "seccfg" partition by SPFlashTool
- Edit your "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or other)
- We are looking for "seccfg" =
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- We turn off the phone
- we switch to EDL mode with the python script "bypass_utility-v.1.4.2" (see on the web for installation and other information, among other things to unbrick the phone)
- we do a "readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC, where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* We edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 000000000 to 007ffff0 (000000040 to 007ffff0 : zero bytes = 00)
- Address 000000000 to 00000003f, we find :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
0000020 to 000002f
eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
0000030 to 000003f
58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- We modify with our hexadecimal editor (Address 000000000 to 000000030) :
0000000 to 000000f
4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
0000010 to 000001f
00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
0000020 to 000002f
9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
0000030 to 000003f
f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- We save our changes
3) Write your "seccfg" partition on the phone:
* We flash the "seccfg" partition
- fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example), in fastboot mode,
- SPFlashTool using EDL mode with the python script "bypass_utility-v.1.4.2 "and by flashing your rom by not checking that the partition "seccfg",
- in adb mode, with the opposite operation, after having copied your partion "seccfg" on the internal memory of the telephone (name "Partition_seccfg" that I gave and that you choose) :
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- We restart the phone and the bootloader is unlocked without intervention from Xiaomi or other!
4) Warning :
Once all this information is published, subsequent MIUI updates may destroy our efforts by scheduling the bootloader release in a more complicated way!
Click to expand...
Click to collapse

Syed Abdul Sami said:
So i have redmi note 8 pro with chinese rom stable 12.5 .. the phone bootloader is locked , i tried to unlock the bootloader in normal way by bining an MI account but i am unable to bind mi account to device in developer settings BECAUSE ( the phone IMEI is changed) so its always gives an error of request timeout upon clicking bind account.. morever i tried evry vpn and other possible way to bind my account to unlock bootloader but unable to do it..
Can anyone help me out of this . Because i want to use global rom with google play which i cant do until unlocking bootloader.
I need any possible official or UNofficial way to unlock my redmi note 8 pro bootloader..
Your help would be appreciated. Thankyou
Click to expand...
Click to collapse
josephmh said:
Thnx dude.
Bootloader is unlocked but i can't access fastboot mode
I get this message :
The serial is not match fastboot_unlock_verify fail
Click to expand...
Click to collapse
josephmh: how you did it?? please help.

nijat1122 said:
josephmh: how you did it?? please help.
Click to expand...
Click to collapse
Use bypass-utility to enter BROM mode nd then unlock with mtkclient or mtkuniversal google it u'll find the how to use them