I downloaded firmware (G8441_Service Exchange Unit_1309-6969_47.1.A.2.281_R2B) using flashtool 64 and extracted the newflasher files to the folder. When I run newflasher.exe I get the following error:
Code:
Device path: \\?\usb#vid_0fce&pid_b00b#6&df2ee03&0&6#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: Universal Serial Bus devices
Device Instance Id: USB\VID_0FCE&PID_B00B\6&DF2EE03&0&6
Optional step! Type 'y' and press ENTER if you want dump trim area, or type 'n' and press ENTER to skip.
Do in mind this doesn't dump drm key since sake authentifiction is need for that!
n
ERROR: GetOverLapped_out_Result: failed with error code 1 as follows:
Incorrect function.
- Error write! Need nBytes: 0x18 but done: 0x0
nBytes[0x0]:
- Error writing command getvar:max-download-size!
End. You can disconnect your device when you close newflasher.exe
Press any key to continue . . .
Related
Hello everybody, I am new here and I hope that you can help me with this issue.
My device
HTC Desire HD
Android-Version 2.3.5
HTC-Sense-Version 3.0
Software-Number 3.12.405.1
If you need some other information, please ask me.
I want to root my device but have too less knowledge to solve the upcomming issues.
How I tried
I firstly read the effen manual several times. (I really read it completely)
I activated USB-Debugging and turned charge only to default (so that I wont be asked anymore)
Than I run the aahk-12062012 on a Ubuntu-32 Live-CD.
My problem
The problems appear when the kit tries to downgrade.
It seems that the RUU-download isnt available on the Internet anymore. And my hboot file (PD98IMG\PD98IMG.zip) cant be found.
I tried several versions of PD98IMG.zip files containing several hboot.nb0 files but It never worked.
Here is the wohle content of the Terminal I got during my latest try.
I hope you can tell me what to do.
(I am sorry but I had to censore the links)
Ace Advanced Hack Kit [Linux/OSX/Windows] attn1 2011/2012
___________________________
MAIN MENU | |
| Only ONE Menu Step to: |
1 - Hack Ace <----------------------------+ * S-OFF |
| * SIM Unlock |
2 - DONATE (Encouraged, but optional) | * SuperCID |
link | * Root |
link | * Busybox |
| |
**********************************************************************
o - Options Menu (Return to Stock, Flash radios, etc)
**********************************************************************
t - Toggle Flash Method - current method is: hbootPD98IMG
*********************************************************************
q - Quit
Input Selection and press ENTER : 1
This version of Android cannot use the hack kit at this time.
You can downgrade if you like, then rerun the hack step.
WARNING: THIS WILL WIPE DATA
Would you like to DOWNGRADE? y/n y
Download this RUU? (y/n) y
--2013-04-02 15:06:31-- tau.shadowchild.nl/files/PD98IMG-GB2.zip
Resolving tau.shadowchild.nl (tau.shadowchild.nl)... 176.9.40.154
Connecting to tau.shadowchild.nl (tau.shadowchild.nl)|176.9.40.154|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-04-02 15:06:31 ERROR 404: Not Found.
Flash this RUU? (y/n) y
This version of Android cannot use the hack kit at this time.
You can downgrade if you like, then rerun the hack step.
WARNING: THIS WILL WIPE DATA
Would you like to DOWNGRADE? y/n y
Woah dude[tte] - bogus md5sum! Bad mojo.... skipping flash.
Check it out - renamed the file to PD98IMG/PD98IMG-GB2.zip-20130402:150635
You can re-download the file and keep going....
Download this RUU? (y/n) n
pushing rom to sdcard - this takes time, please be patient.
cannot stat 'PD98IMG/PD98IMG-GB2.zip': No such file or directory
Setting up to temproot....
519 KB/s (21215 bytes in 0.039s)
2230 KB/s (572752 bytes in 0.250s)
470 KB/s (19240 bytes in 0.039s)
going for temproot using zergRush....
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00017118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219c4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd26019 0xafd39ef7
[*] Poping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
setting mainver lower for downgrade...
--set_version set. VERSION will be changed to: 1.31.405.6
Misc partition is "/dev/block/mmcblk0p17"
Patching and backing up misc partition...
Creating goldcard....
HTC android goldcard tool Copyright (C) 2011, Wayne D. Hoxsie Jr.
Original code by B. Kerler. Special thanks to ATTN1 and the XDA team.
Donations can be made to the Electronic Frontier Foundation:
eff.org/
or to B. Kerler:
psas.revskills.de/
0+1 records in
0+1 records out
384 bytes transferred in 0.001 secs (384000 bytes/sec)
starting downgrade...
** The phone will now reboot into HBOOT.
** It will then check the file just sent.
** If everything is okay, the phone will
** prompt you to continue by pressing
** VOLUME UP. It will reboot, flashing twice.
**** PUSH POWER WHEN THIS STEP COMPLETES ****
If downgrade is successful, you may set up the phone and try to hack it again.
Once the downgrade is successful, press a key to return to the menu......
Otherwise, cut and paste the output to the screen into a text file for evaluation.... then press a key.
pushing rom to sdcard - this takes time, please be patient.
error: device not found
Setting up to temproot....
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
Starting stock recovery the first time to init....
Steps:
1. When you see the ugly red triangle, push/hold vol-UP and then push power to start stock recovery.
2. When you get to the blue stock recovery menu, choose reboot and push power.
/data/local/tmp/tacoroot: not found
Starting stock recovery for the last time....
Steps:
1. When you see the ugly red triangle, push/hold vol-UP
and then push power to start stock recovery.
2. When you get to the blue stock recovery menu, choose
reboot and push power.
/data/local/tmp/tacoroot: not found
allowing time for the rom to settle.....
Creating goldcard....
HTC android goldcard tool Copyright (C) 2011, Wayne D. Hoxsie Jr.
Original code by B. Kerler. Special thanks to ATTN1 and the XDA team.
Donations can be made to the Electronic Frontier Foundation:
eff.org/
or to B. Kerler:
psas.revskills.de/
/dev/block/mmcblk1: cannot open for write: Permission denied
setting mainver lower for downgrade...
--set_version set. VERSION will be changed to: 1.31.405.6
Misc partition is "/dev/block/mmcblk0p17"
Patching and backing up misc partition...
Error opening input file.
rm failed for /data/local.prop, No such file or directory
starting downgrade...
** The phone will now reboot into HBOOT.
** It will then check the file just sent.
** If everything is okay, the phone will
** prompt you to continue by pressing
** VOLUME UP. It will reboot, flashing twice.
**** PUSH POWER WHEN THIS STEP COMPLETES ****
If downgrade is successful, you may set up the phone and try to hack it again.
Once the downgrade is successful, press a key to return to the menu......
Otherwise, cut and paste the output to the screen into a text file for evaluation.... then press a key.
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
error: device not found
************* PROBLEM PROBLEM PROBLEM ************
** SD card is either damaged or not mounted.
** Are you sure Charge Only mode is DEFAULT
** and not just switched on? READ THE EFFEN MANUAL
************* PROBLEM PROBLEM PROBLEM ************
**************** PRESS ENTER ****************
error: device not found
************* Downgrade failed *************
** Either:
** GoldCtixiard/SDCard failed
** USB connections are not working 100%
************* Downgrade failed *************
**************** PRESS ENTER ****************
Click to expand...
Click to collapse
AAHK is retired. Server hosting the files is gone.
bananagranola said:
AAHK is retired. Server hosting the files is gone.
Click to expand...
Click to collapse
I don't know what I could use else.
Unlock bootloader.
This is my usb log. Plz help me!
PPP Widget version 1.3.3
USB_ModeSwitch log from Tue Oct 01 17:36:52 ICT 2013
Raw args from udev: 1-1/1-1:1.0
Using top device dir /sys/bus/usb/devices/1-1
----------------
USB values from sysfs:
manufacturer HSPA,Incorporated
product HSPA WCDMA Technologies MSM
serial MF190SVIED010000
----------------
bNumConfigurations is 1 - don't check for active configuration
SCSI attributes not needed, moving on
checking config: /data/data/de.draisberghof.pppwidget/app_tmp/19d2.2000
! matched. Reading config data
devList 1:
config: TargetVendor set to 19d2
config: TargetProductList set to 0001,0002,0015,0016,0017,0031,0037,0052,0055,0061,0063,0064,0066,0091,0108,0117,0128,0157,0177,1402,2002,2003
Driver module is "option", ID path is /sys/bus/usb-serial/drivers/option1
Command to be run:
usb_modeswitch -I -W -D -s 20 -u -1 -b 1 -g 2 -v 19d2 -p 2000 -f $cB
Verbose debug output of usb_modeswitch and libusb follows
(Note that some USB errors are to be expected in the process)
--------------------------------
Reading long config from command line
* usb_modeswitch: handle USB devices with multiple modes
* Version 1.2.7 (C) Josua Dietze 2012
* Based on libusb0 (0.1.12 and above)
! PLEASE REPORT NEW CONFIGURATIONS !
DefaultVendor= 0x19d2
DefaultProduct= 0x2000
TargetVendor= 0x19d2
TargetProduct= not set
TargetClass= not set
TargetProductList="0001,0002,0015,0016,0017,0031,0037,0052,0055,0061,0063,0064,0066,0091,0108,0117,0128,0157,0177,1402,2002,2003"
DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
QisdaMode=0
QuantaMode=0
GCTMode=0
KobilMode=0
SequansMode=0
MobileActionMode=0
CiscoMode=0
BlackberryMode=0
PantechMode=0
MessageEndpoint= not set
MessageContent="5553424312345678000000000000061e000000000000000000000000000000"
MessageContent2="5553424312345679000000000000061b000000020000000000000000000000"
MessageContent3="55534243123456702000000080000c85010101180101010101000000000000"
NeedResponse=1
ResponseEndpoint= not set
InquireDevice disabled
Success check enabled, max. wait time 20 seconds
System integration mode enabled
Use given bus/device number: 001/002 ...
Looking for default devices ...
bus/device number matched
searching devices, found USB ID 19d2:2000
found matching vendor ID
found matching product ID
adding device
Found device in default mode, class or configuration (1)
Skipping the check for the current configuration
Using interface number 0
Using endpoints 0x01 (out) and 0x81 (in)
USB description data (for identification)
-------------------------
Manufacturer: HSPA,Incorporated
Product: HSPA WCDMA Technologies MSM
Serial No.: MF190SVIED010000
-------------------------
Looking for active driver ...
OK, driver found; name unknown, limitation of libusb1
OK, driver "unkown" detached
Setting up communication with interface 0
Using endpoint 0x01 for message sending ...
Trying to send message 1 to endpoint 0x01 ...
OK, message successfully sent
Reading the response to message 1 (CSW) ...
OK, response successfully read (13 bytes).
Trying to send message 2 to endpoint 0x01 ...
OK, message successfully sent
Reading the response to message 2 (CSW) ...
OK, response successfully read (13 bytes).
Trying to send message 3 to endpoint 0x01 ...
OK, message successfully sent
Reading the response to message 3 (CSW) ...
Response reading got error -32
Device is gone, skipping any further commands
Bus/dev search active, referring success check to wrapper. Bye.
ok:busdev
--------------------------------
(end of usb_modeswitch output)
Checking success of mode switch for max. 20 seconds ...
Reading attributes ...
Reading attributes ...
Reading attributes ...
Reading attributes ...
Waiting for device file system (5 sec.) ...
Reading attributes ...
Mode switch has completed
Mode switching was successful, found 19d2:0108 (HSPA,Incorporated: HSPA WCDMA Technologies MSM)
Device class of first interface is ff
Now checking for bound driver ...
No driver has bound to interface 0 yet
Module loader is /system/bin/insmod
Trying to find and install main driver module "option"
Checking for active driver path: /sys/bus/usb-serial/drivers/option1
Driver not active, try to find module "option"
Can't find module "option"
Existing path found:
No way to use driver "option"
- try falling back to "usbserial"
Module "usb_serial" not found, can't do more here
Driver binding did not work for this device
All done, exiting
Hello I'm trying to root my gpad v500 and during the root.bat steps I get this error,
error: more than one device and emulator
- waiting for device -
error: protocol fault <status read>
This happens after the step warning about invalidating the warranty
I'm following this root method
http://forum.xda-developers.com/showthread.php?t=2553192
Code:
**************************************************
Easy root for LG G Pad 8.3
Modified By Dalingrin
Originally By IOMonster (thecubed on XDA)
See [url]http://tinyw.in/mXhw[/url] for details
**************************************************
Original root idea from [url]http://optimusforums.com/threads/how-to-root-the-lg-g2-f[/url]
320.8846/
Enable Developer Settings on the G Pad:
--Go to Settings->About tablet->Software information
--Tap on Build number until Developer Settings are unlocked
In Developer Settings:
--Enable USB debugging
Plug in the G Pad via USB to a PC.
Press any key to continue . . .
Looking for device...
error: protocol fault (status read)
Pushing g_security...
error: more than one device and emulator
*******************************************************
Now, please unplug usb, go to developer options and
disable USB debugging and re-enable it.
Once you've done that, re-plug your usb...
*******************************************************
Press any key to continue . . .
Waiting for device...
error: protocol fault (status read)
Now it's time to install su and superuser.
Please note! This will trip LG's rootchecker!
This means your phone will show ROOTED in the settings menu,
and in the LG Download mode.
If you do not want to possibly invalidate your warranty
press CTRL-C to stop this script.
You will have a rooted ADB, but no apps on the phone will be able
to access root functions.
Press any key to continue . . .
Mounting system RW and pushing SU, then remounting system RO again
error: more than one device and emulator
error: more than one device and emulator
error: more than one device and emulator
Installing superuser
error: more than one device and emulator
- waiting for device -
error: protocol fault (status read)
- waiting for device -
error: protocol fault (status read)
- waiting for device -
error: protocol fault (status read)
- waiting for device -
error: protocol fault (status read)
- waiting for device -
error: protocol fault (status read)
- waiting for device -
error: protocol fault (status read)
- waiting for device -
Ignore this thread please, I managed to fix the issue myself by rebooting both, PC and Tablet.
Hi all, my S9 is now on stock Android 10 and there is no switch/icon for mobile data, which I need to turn on and off often.
I've installed ADB and am running Dev Options but getting error messages from this guide:
appeditmobile.com/2019/12/23/mobile-data-icon-missing-on-notification-bar-how-to-solve/?unapproved=94&moderation-hash=56b00597d5763a973b0f7f301345af32#comment-94
Error from this step:
Now copy the command in step 6 settings get secure sysui_qs_tiles and add it to the beginning of the notepad text (put a space between the command and the list). The command on the note pad must look something like this settings get secure sysui_qs_tiles "<<here comes the comma separeted icon list>>"
Errors:
/system/bin/sh: syntax error: unexpected '('
-bash: syntax error near unexpected token `('
Changed command to 'set' but still error:
1|starqltesq:/ $ settings set secure sysui_qs_tiles
Invalid command: set
Any help much appreciated!
A long time ago, I posted in a forum thread about my difficulty in trying to revive my M2003J15SG and after having my ethereal Windows install bricked. I switched to Fedora and tried my hand there, where surprisingly, things worked very well. I'm not calling this a guide because I'm basically piecing this together from my bash_history and recollection. I have used the word guide too many times to keep that sentence but yeah, it may be shaky in some places.
Disclaimer
Code:
/*
* Your warranty is... still valid?
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns.
*
* I have removed the part about laughing at you because I'm not a meanie :3
*
* But yeah, this text is as-is. We provide this work to you without
* warranty of any kind, express or implied and in no event shall the authors
* be liable for any claim, damages or other liability in any way, shape or form,
* arising from, out of, in connection with the work
*
*/
A few things to note
This is an attempt to document my experience with BROM recovery of a phone that I bricked because I flashed an incorrect littlekernel image. If you're able to use other methods (using fastboot, recovery mode, hell, even preloader mode, you should probably go with that, this is a last resort).
This guide does involve opening your device, you will need a heat gun, a few picks and a screwdriver. No, this is not optional.
If you've read the excellent guide by VD171 on bypassing authentication and flashing, you may notice the important text that states
> Once you get "Protection disabled" at the end, without disconnecting phone and usb, run SP Flash Tool
That's because if you do disconnect and attempt to reconnect your device, it won't be recognized anymore. On Windows, this manifests as the infamous "USB device not recognized" error. This isn't you installing incorrect drivers, that's the device behaving erratically.
To have a second go at it, you have to press Vol Up + Power for about 60 seconds before you can retry.
To enter BROM mode, you need to press Vol Down and no other key, and then plug in your device.
This guide while being Fedora-specific, could be translated to other Linux distros assuming you have the necessary packages installed and have the appropriate permissions and udev rules set
This model of device doesn't need the kamakiri-specific kernel patch
On RHEL-like distros like Rocky Linux and... RHEL, you may need to disable SELinux. I have mine disabled at install so I'm not sure how this guide will behave with SELinux enforcement enabled.
Click to expand...
Click to collapse
Ingredients
Stock MIUI ROM V11.0.5.0.QJOMIXM (the fastboot variant), which you can get from XiaomiFirmwareUpdater
SP Flash Tool v5.2020 for Linux, which you can get from SPFlashTools
VD171's readback_ui_bak.xml, which you can get from their XDA Forums thread
VD171's scatterfiles for V11.0.5.0.QJOMIXM, which you can get from their XDA forums thread
You'll specifically need MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt and MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt
mtkclient, an MTK device exploit kit, which you can find on their GitHub (you'll need their master branch, not their releases, so there'll be instructions on how to fetch it)
A box of chocolate chip cookies
Click to expand...
Click to collapse
a) Preparing the computer
Step 0: Extract all ingredients and put them into one directory for ease of access
You can do this via the command line or through your file manager, it's just for convinence. This guide will assume that everything is done in one neat folder.
Click to expand...
Click to collapse
Step 1: Install all the dependencies you'll need
Bash:
sudo dnf install android-tools git libusb-devel python3 python3-pip systemd-udev
Step 2: Prevent Linux from interfering with MediaTek serial connections
Bash:
sudo touch /etc/udev/rules.d/20-mm-blacklist-mtk.rules
echo "ATTRS{idVendor}==\"0e8d\", ENV{ID_MM_DEVICE_IGNORE}=\"1\"" | sudo tee /etc/udev/rules.d/20-mm-blacklist-mtk.rules
echo "ATTRS{idVendor}==\"6000\", ENV{ID_MM_DEVICE_IGNORE}=\"1\"" | sudo tee -a /etc/udev/rules.d/20-mm-blacklist-mtk.rules
Step 3: Clone mtkclient and install its dependencies
Bash:
git clone https://github.com/bkerler/mtkclient
cd mtkclient
pip3 install -r requirements.txt
python3 setup.py build
sudo python3 setup.py install
Step 4: Install mtkclient's bundled udev rules
Bash:
sudo usermod -a -G dialout $USER
sudo cp Setup/Linux/*.rules /etc/udev/rules.d
Step 5: Reload udev rules
Bash:
sudo udevadm control --reload-rules
sudo udevadm trigger
Step 6: Return to previous directory
Bash:
cd ..
b) Preparing the device
This is where you basically follow this iFixit guide for the purposes of just disconnecting the battery cable. So, just stop at Step 12, then put the back cover on just flush enough that you can now click the volume and power buttons and insert a cable into the USB-port but not too much so that you have to go through the effort of reopening it again (because, well, you'll have to).
Attempting to skip this will yield you STATUS_EXT_RAM_EXCEPTION.
Click to expand...
Click to collapse
c) Backing everything up
Alongside ROM and userdata, your EMMC contains your IEMI, your bootloader lock state, MAC addresses, calibration data, the whole nine yards. It's always a good idea to back things up before we get started.
Step 1: Copy readback_ui_bak.xml to the SP Flash Tool directory
Bash:
cp ./readback_ui_bak.xml ./SP_Flash_Tool_v5.2020_Linux/readback_ui_bak.xml
Step 2: Connecting your device and applying the exploit
Start off by running the exploit.
Bash:
cd mtkclient
chown +x mtk
./mtk payload
Once it says Preloader - Status: Waiting for PreLoader VCOM, please connect mobile, hold down Vol Down and connect your phone to the computer. If everything goes according to plan, you'll get an output similar to this.
Code:
Port - Device detected :)
Preloader - CPU: MT6768/MT6769(Helio P65/G85 k68v1)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x707
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: [redacted]
Preloader - SOC_ID: [redacted]
PLTools - Loading payload from mt6768_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: [redacted]/mtkclient/mtkclient/payloads/mt6768_payload.bin
Click to expand...
Click to collapse
Step 3: Open SP Flash Tool
Bash:
cd ../SP_Flash_Tool_v5.2020_Linux
chmod +x flash_tool
sudo ./flash_tool
Yes, I'm aware, it's technically not advisable to grant superuser privileges to, a flashing tool but... I can't get it to work otherwise, if you know how to make it work on Fedora, drop a comment.
Click to expand...
Click to collapse
Step 4: Load the Download Agent (DA)
Click "Choose" and go to (common directory)/mtkclient/mtkclient/Loader/xiaomi_9_DA_6765_6785_6768_6873_6885_6853.bin
Click to expand...
Click to collapse
Step 5: Configure SP Flash Tool
Go to Options > Option
In General, uncheck "Storage Lifecycle Check"
In Connection, select "UART"
COM Port: /dev/ttyACM0 (it may not be the exact number, it'll just look something similar to this)
Baud rate: 921600
In Download
Uncheck "USB Checksum"
Uncheck "Storage Checksum"
Click to expand...
Click to collapse
Step 6: Backup device contents
Start by going to the "Readback" tab, it should already be populated with values that correspond to images from pgpt to otp. If you are presented with an empty table, you've need to go back and check if you've copied readback_ui_bak.xml to the correct directory.
If it shows up, then click "Read Back" and if all goes according to plan, you should see the green checkmark show up eventually.
Click to expand...
Click to collapse
d) Flashing stock firmwareStep 1: Copy scatterfiles to ROM directory
Bash:
cp ./MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt ./merlin_global_images_V11.0.5.0.QJOMIXM_20200609.0000.00_10.0_global/images/MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt
cp ./MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt ./merlin_global_images_V11.0.5.0.QJOMIXM_20200609.0000.00_10.0_global/images/MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt
Step 2: Flash the firmware
Return to the "Download" tab and select the MT6768_Android_scatter--V11.0.5.0.QJOMIXM--boundary_false.txt scatterfile we just copied in the ROM's images directory
Select "Firmware Upgrade" from the drop-down menu and then hit "Download". If all goes according to plan, you should see a green checkmark.
Click to expand...
Click to collapse
Step 3: Restore bootloader status (optional)
In case you had an unlocked bootloader before imploding your phone and don't want to bother with Xiaomi's rigmarole, then by restoring seccfg, you should get it back.
Step 3.1: Copy over seccfg from our backup
You're probably going to be using a new terminal window because SP Flash is still running, navigate to your common directory first. The backup we did earlier stored all the images within the SP Flash Tool directory. We need to use sudo because flash_tool was running with root privileges and so, was writing with root privileges as well.
Bash:
sudo cp ./SP_Flash_Tool_v5.2020_Linux/seccfg ./merlin_global_images_V11.0.5.0.QJOMIXM_20200609.0000.00_10.0_global/images/seccfg
Step 3.2: Change the scatterfile, select the image and flash it
Change the scatterfile to MT6768_Android_scatter--V11.0.5.0.QJOMIXM--download_true--boundary_false.txt and un-select everything except seccfg
Select "Download Only" from the drop-down menu and then hit "Download". Fingers crossed, green checkmark, you should get your unlock back.
Click to expand...
Click to collapse
Step 4: Reconnect your battery and first boot
If you've reached this point and everything has worked as expected, reconnect your battery, long press the Power button and you should be greeted with a boot animation and hopefully a functioning phone.
Click to expand...
Click to collapse
e) Packing it up
Basically, just... follow the iFixit guide from Step b) in reverse and seal up your phone. I don't use this phone regularly so I never bothered sealing it, relying only on the plastic clips. You probably should but that's outside the scope of this journal.
Click to expand...
Click to collapse
f) Upgrading to Android 11 (optional)
As of this writing, LineageOS supports this device under the codename merlinx (the x is because of a conflict with the Moto G3 Turbo, which shares the same codename) and according to their install documentation, they expect a base of Android 11 and this guide flashes Android 10.
I personally used the V12.5.4.0.RJOMIXM firmware (available from XiaomiFirmwareUpdater, again, use the fastboot version) but I did an ever-so-slight change. The entire song-and-dance of needing the bypass exploit is because of "upgrades" made to the payload. I modified flash_all.sh to omit flashing the payload and the modification looks something like this (the other comment-outs were already there in the file)
Bash:
(...)
#fastboot $* flash preloader `dirname $0`/images/preloader_merlin.bin
#if [ $? -ne 0 ] ; then echo "Flash preloader error"; exit 1; fi
#fastboot $* flash efuse `dirname $0`/images/efuse.img
#if [ $? -ne 0 ] ; then echo "Flash efuse error"; exit 1; fi
fastboot $* flash logo `dirname $0`/images/logo.bin
if [ $? -ne 0 ] ; then echo "Flash logo error"; exit 1; fi
fastboot $* flash tee1 `dirname $0`/images/tee.img
"Flash preloader error"; exit 1; fi
(...)
I also commented out the reboot command at the end so I could flash LineageOS's recovery and flash the OS that I wanted.
Bash:
(...)
#fastboot $* reboot
#if [ $? -ne 0 ] ; then echo "Reboot error"; exit 1; fi
(...)
Of course, you need to boot into fastboot mode (by taking a turned off device and pressing Power + Vol Down) before you execute the script
Code:
cd merlin_global_images_V12.5.4.0.RJOMIXM_20220325.0000.00_11.0_global
chmod +x flash_all.sh
./flash_all.sh
Click to expand...
Click to collapse
Sources
https://github.com/bkerler/mtkclient
https://github.com/bkerler/mtkclient/issues/94
https://www.hovatek.com/blog/my-experience-unbricking-a-dead-boot-lg-stylo-6/
https://forum.xda-developers.com/t/...omi-redmi-10x-4g-xiaomi-redmi-note-9.4221065/
https://forum.xda-developers.com/t/...for-merlin-redmi-10x-4g-redmi-note-9.4238149/
https://forum.xda-developers.com/t/...omi-redmi-10x-4g-xiaomi-redmi-note-9.4223107/
https://forum.xda-developers.com/t/...omi-redmi-10x-4g-xiaomi-redmi-note-9.4223093/
Wow !
Really amazing guide !
Nice, nice
Thank you very much for contribution