[Help Thread][ Moto G7 Play ](2019) Ask Any Question, Noob Friendly - Moto G7 Play Questions & Answers

This thread has been created for Questions & Answers/Troubleshooting specific to Moto G7 Play (2019).
Please feel free to share issues, questions and offer help. Noob questions are welcomed.
It is always best to use the Thanks button, in lieu of simply posting "Thank you".
Please keep discussion focused on questions pertaining to this device.
List of supporters...
...
...
...
To those seeking help: Please don't bombard the supporters with PMs asking for help. Instead, ask your question here in the thread so others can benefit from the solution to your problem as well. If you want to be sure someone particular gets notified of your question, put his / her username directly after an @.
If you have ROM related questions, post in the relevant ROM Q&A thread (if there is one) or directly in the ROM development thread. Thank you!
Supporters: If you want to be put on or off the list, just make a request here in the thread!
Before posting anything, I strongly advise you to read
Forum Rules
[GUIDE] - XDA New User Guide - Getting started on XDA
XDA Tour
[Index]Motorola Flashing Utilities, Firmware, and more
Index for Device Thread Link
Please look for a similar thread when visiting another device forum.
If you would like to create a [Help Thread] please Click Here.
​

Frequently asked Questions
Models:
XT195-2 Dual-sim
Countries or regions available: Brazil.
XT1952-3 Single-sim
Countries or regions available: USA.
XT1952-4 republic wireless
I'm not planning on adding every Rom or Mod,
but if you have a suggestion for other links
Please post them here.
FAQs
UnLocking the Bootloader
ReLocking the Bootloader
[Fixing] Baseband <not found> / IMEI=0 / No Network After Flash / Issues
Fixing your Moto stuck in Qualcomm QHSUSB_Bulk or qloader mode
successful blankflash on xt1952-4 by goesham2
Using Lenovo's MOTO Smart Assistant to Update/Repair/Backup
Custom Roms/Recovery/Root/
Firmware
Guide][Channel][Stock]Moto g7 play Factory Firmware Images by lexiyuri
https://mirrors.lolinet.com/firmware/moto/
[Index]Motorola Flashing Utilities, Firmware, and more
News, specs...
https://www.xda-developers.com/moto-g7-moto-g7-play-moto-g7-plus-moto-g7-power-forums/
https://help.republicwireless.com/hc/en-us/articles/360021389773-Moto-G7-Play-Tech-Specs
https://www.phonemore.com/models/motorola/moto-g7-play/

Trying to root my phone

rodneyb1966 said:
> Trying to root my phone
I'm sure you will need to unlock the bootloader, and install a custom recovery first.
Sent from my Atom using XDA Labs

How long will it take to get root? It is very bad to use a non-root device.

I guess maybe this model is out somewhere in the world, but the G7 was released today March 1st 2019 from Motorola in the USA. The G7 Play is expected to be released around March 20 2019.

Can the front LED flash be used as a notification light?

I have a problem
I unlocked the bootloader and I can not lock it again.
after unlocking, always when the phone turns on, the screen is all black and "bad key" appears in the upper left corner.
I tried relocking the bootloader, reinstalling the stockrom, but it does not work. the bootloader remains locked. The message "check 'allow oem unlock' in android settings" appears.
Does anyone know how I can relock the bootloader?

Marcondes BR said:
> I unlocked the bootloader and I can not lock it again.
> after unlocking, always when the phone turns on, the screen is all black and "bad key" appears in the upper left corner.
> I tried relocking the bootloader, reinstalling the stockrom, but it does not work. the bootloader remains locked. The message "check 'allow oem unlock' in android settings" appears.
> Does anyone know how I can relock the bootloader?
The bad key screen is normal for an unlocked Moto phone
Sent from my sailfish using XDA Labs

sd_shadow said:
> The bad key screen is normal for an unlocked Moto phone
> Sent from my sailfish using XDA Labs
Yeah, I know. That does not even bother me.
I just want to relock the bootloader and I can not.

Marcondes BR said:
> Yeah, I know. That does not even bother me.
> I just want to relock the bootloader and I can not.
Motorola devices are notoriously bad at relocking the bootloader.
Sent from my PH-1 using XDA Labs

I activated the USB debug and now when my phone is not plugged in via USB it shuts down, and when I try to turn it on it starts restarting again and again. It had been working perfectly prior to this.

Rooting the G7 Play should be similar to the G7.
I successfully rooted two G7 using Magisk patching boot.img method. However, it's recommended to download full ROM just in case.
I posted root method for G7 in general discussion.
Currently recovery is not available because stock recovery is missing. It's possible recovery is fused into boot.img.
Make sure you unlock bootloader before proceeding

mingkee said:
> Rooting the G7 Play should be similar to the G7.
> I successfully rooted two G7 using Magisk patching boot.img method. However, it's recommended to download full ROM just in case.
> I posted root method for G7 in general discussion.
> Currently recovery is not available because stock recovery is missing. It's possible recovery is fused into boot.img.
> Make sure you unlock bootloader before proceeding
I unlocked the bootloader and patched the boot.img with Magisk, and flashed the patched_boot.img with fastboot, but it did nothing lol
Maybe something related to it having both boot_a and boot_b? Any tips?

Junior lage said:
> I unlocked the bootloader and patched the boot.img with Magisk, and flashed the patched_boot.img with fastboot, but it did nothing lol
> Maybe something related to it having both boot_a and boot_b? Any tips?
Does Magisk Manager show any error?

mingkee said:
> Does Magisk Manager show any error?
it does not. magisk log >>
Code:
- Copying image to cache
- Device platform: armeabi-v7a
- Downloading zip
... 0%
- Boot image is signed with AVB 1.0
1038+1 records in
1038+1 records out
1063528 bytes transferred in 0.013 secs (81809846 bytes/sec)
- Unpacking boot image
MagiskBoot v18.1(18100) (by topjohnwu) - Boot Image Modification Tool
Parsing boot image: [/data/user_de/0/com.topjohnwu.magisk/install/boot.img]
HEADER_VER [1]
KERNEL_SZ [10005694]
RAMDISK_SZ [7746596]
SECOND_SZ [0]
EXTRA_SZ [0]
RECOV_DTBO_SZ [0]
OS_VERSION [9.0.0]
PATCH_LEVEL [2018-12]
PAGESIZE [2048]
NAME []
CMDLINE [console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0 androidboot.hardware=qcom user_debug=30 msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlycon=msm_hsl_uart,0x78af000 firmware_class.path=/vendor/firmware_mnt/image androidboot.usbconfigfs=true vmalloc=300M loop.max_part=7 printk.devkmsg=on androidboot.hab.csv=1 androidboot.hab.product=channel androidboot.hab.cid=50 buildvariant=user veritykeyid=id:b640f6ee9102b88daa3450b13ef25fc9eb143d63]
CHECKSUM [ad29965b4c6d3c2ae7e4f885ec014a6fa91c2e5f]
DTB [303582]
KERNEL_FMT [raw]
RAMDISK_FMT [gzip]
- Checking ramdisk status
MagiskBoot v18.1(18100) (by topjohnwu) - Boot Image Modification Tool
Loading cpio: [ramdisk.cpio]
- Stock boot image detected
- Backing up stock boot image
MagiskBoot v18.1(18100) (by topjohnwu) - Boot Image Modification Tool
Compressing to [stock_boot_825eefb2020fd276640da7d3e95730814d41acd1.img.gz]
- Patching ramdisk
MagiskBoot v18.1(18100) (by topjohnwu) - Boot Image Modification Tool
Loading cpio: [ramdisk.cpio]
Add entry [init] (0750)
Patch with flag KEEPVERITY=[true] KEEPFORCEENCRYPT=[true]
Loading cpio: [ramdisk.cpio.orig]
Backup mismatch entry: [init] -> [.backup/init]
Add entry [.backup/.magisk] (0000)
Dump cpio: [ramdisk.cpio]
MagiskBoot v18.1(18100) (by topjohnwu) - Boot Image Modification Tool
MagiskBoot v18.1(18100) (by topjohnwu) - Boot Image Modification Tool
MagiskBoot v18.1(18100) (by topjohnwu) - Boot Image Modification Tool
- Repacking boot image
MagiskBoot v18.1(18100) (by topjohnwu) - Boot Image Modification Tool
Parsing boot image: [/data/user_de/0/com.topjohnwu.magisk/install/boot.img]
HEADER_VER [1]
KERNEL_SZ [10005694]
RAMDISK_SZ [7746596]
SECOND_SZ [0]
EXTRA_SZ [0]
RECOV_DTBO_SZ [0]
OS_VERSION [9.0.0]
PATCH_LEVEL [2018-12]
PAGESIZE [2048]
NAME []
CMDLINE [console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0 androidboot.hardware=qcom user_debug=30 msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlycon=msm_hsl_uart,0x78af000 firmware_class.path=/vendor/firmware_mnt/image androidboot.usbconfigfs=true vmalloc=300M loop.max_part=7 printk.devkmsg=on androidboot.hab.csv=1 androidboot.hab.product=channel androidboot.hab.cid=50 buildvariant=user veritykeyid=id:b640f6ee9102b88daa3450b13ef25fc9eb143d63]
CHECKSUM [ad29965b4c6d3c2ae7e4f885ec014a6fa91c2e5f]
DTB [303582]
KERNEL_FMT [raw]
RAMDISK_FMT [gzip]
Repack to boot image: [new-boot.img]
HEADER_VER [1]
KERNEL_SZ [10005694]
RAMDISK_SZ [7993310]
SECOND_SZ [0]
EXTRA_SZ [0]
RECOV_DTBO_SZ [0]
OS_VERSION [9.0.0]
PATCH_LEVEL [2018-12]
PAGESIZE [2048]
NAME []
CMDLINE [console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0 androidboot.hardware=qcom user_debug=30 msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlycon=msm_hsl_uart,0x78af000 firmware_class.path=/vendor/firmware_mnt/image androidboot.usbconfigfs=true vmalloc=300M loop.max_part=7 printk.devkmsg=on androidboot.hab.csv=1 androidboot.hab.product=channel androidboot.hab.cid=50 buildvariant=user veritykeyid=id:b640f6ee9102b88daa3450b13ef25fc9eb143d63]
CHECKSUM [eb27d967baf70b37301b36d9a422435b5b54dc]
MagiskBoot v18.1(18100) (by topjohnwu) - Boot Image Modification Tool
Cleaning up...
- Signing boot image with test keys
****************************
Patched image is placed in
/storage/emulated/0/Download/patched_boot.img
****************************
- All done!

Junior lage said:
> it does not. magisk log >>
Did you install Magisk Manager after flashing the patched boot?

mingkee said:
> Did you install Magisk Manager after flashing the patched boot?
I did, and it shows that magisk isn't installed...
Did I miss anything ?
I did flash the stock rom and patch it again for a whole day, and did not get it to work.
This phone is just stubborn...
I'll repeat it a couple more times to log everything and hope i missed something basic and get root to work within the day

Did you find boot a & b in the ROM?
It looks strange but it may be G7 Play issue

If I do a
Code:
fastboot boot patched_boot.img
It won't boot, and the bootloader log says it is an incomplete boot image.
But when I use:
Code:
fastboot flash boot patched_boot.img
It only gives me a warning that the image is smaller than it should be, but flashing is successful. Magisk won't work though...
I'll try something else for now... Thank you for your help

Related

[GUIDE][ROOT] Custom Splash Screen (Remove unlocked bootloader warnings)

Custom Splash Screen
Requirements: Rooted Samsung Galaxy A50 (ONEUI 1 or 2 & GSI)
Splash screens:
A50 Dark
A50 Light
A50 Dark No Knox
A50 Light No Knox
Google Dark
Google Light
No Recovery Button:
A50 Dark
A50 Light
A50 Dark No Knox
A50 Light No Knox
Google Dark
Google Light
Steps:
1. Download the file you want from the list above (or on the mobile app, the list below... for some reason)
2. Rename the downloaded file to up_param.tar
3. Start terminal (you can try this one)
4. Gain root access using
Code:
su
5. Type / copy this command into the terminal
Code:
dd if=/storage/emulated/0/Download/up_param.tar of=/dev/block/platform/13520000.ufs/by-name/up_param
6. Mission accomplished
If you need any help or have any ideas for other splash screens i could create, please comment down below. Thanks
Thanks to yamen_tn for the installation instructions
I'm going to make versions without the recovery button.
Working Awesome...got rid of that annoying unlocked bootloader warning msg with a cool new look...thnz bro...
Albermarle said:
> I tried to remove the "Hold for recovery" messages with Photoshop and repacked the .tar with 7z and it shows some corrupted-ass lines lol better leave this to the pros
Ah, dw, i'm gonna upload the ones without recovery now. Just needs some trailing zero's in hex tis all
Albermarle said:
> I tried to remove the "Hold for recovery" messages with Photoshop and repacked the .tar with 7z and it shows some corrupted-ass lines lol better leave this to the pros
New versions without recovery button now uploaded
Thanks for sharing with us
flashed your dark splash screen w/o knox, looks fine and i'm very happy to get rid of the annoying samsung messages :highfive:
A50 is getting a lot of development started. Is this something that is kind of cross compatible with the a70 now that twrp is out?
ykjae said:
> A50 is getting a lot of development started. Is this something that is kind of cross compatible with the a70 now that twrp is out?
It does not require you to have TWRP, just root. I can Look into it, I'd just need to find the a70 stock up_param file
Hi!
Fellow A70 user here. Great job on getting this working. We were also trying something similar out, but have failed so far.
If I haven't interpreted wrong, it seems that the up_params partition on the A50 is a simple tar archive with all the splash pngs. Well unfortunately the A70 does not have an 'up_params' partition, it instead has a 'params' partition that isn't a tar apparently. (Probably because it's a Snapdragon and this is an exynos).
Here's the ls of the bootdevice:
abl cmnlib efs logfs persistent system
aop cmnlib64 em misc pmic tz
apdp ddr fota modem product uefisecapp
apnhlos debug fsc modemst1 qupfw userdata
bksecapp devcfg fsg modemst2 recovery vbmeta
bluetooth devinfo hidden msadp sec_efs vendor
boot dpo hyp omr secdata vk
bota dqmdbg keymaster pad ssd xbl
btd dsp keystore param steady xbl_config
cache dtbo limits persist storsec
I'll try to upload the params image and send it in a couple hours.
Any idea what might be going on? Any help is appreciated
---------- Post added at 06:46 PM ---------- Previous post was at 06:30 PM ----------
@randomajl Here's the param: https://anonfile.com/g944Wc7cnc/param
FriendlyNeighborhoodShane said:
> Hi!
> Fellow A70 user here. Great job on getting this working. We were also trying something similar out, but have failed so far.
> If I haven't interpreted wrong, it seems that the up_params partition on the A50 is a simple tar archive with all the splash pngs. Well unfortunately the A70 does not have an 'up_params' partition, it instead has a 'params' partition that isn't a tar apparently. (Probably because it's a Snapdragon and this is an exynos).
> Here's the ls of the bootdevice:
> abl cmnlib efs logfs persistent system
> aop cmnlib64 em misc pmic tz
> apdp ddr fota modem product uefisecapp
> apnhlos debug fsc modemst1 qupfw userdata
> bksecapp devcfg fsg modemst2 recovery vbmeta
> bluetooth devinfo hidden msadp sec_efs vendor
> boot dpo hyp omr secdata vk
> bota dqmdbg keymaster pad ssd xbl
> btd dsp keystore param steady xbl_config
> cache dtbo limits persist storsec
> I'll try to upload the params image and send it in a couple hours.
> Any idea what might be going on? Any help is appreciated
> ---------- Post added at 06:46 PM ---------- Previous post was at 06:30 PM ----------
> @randomajl Here's the param: https://anonfile.com/g944Wc7cnc/param
The param file is something different, on A50 we also have param. Hmm
RandomAJL said:
> The param file is something different, on A50 we also have param. Hmm
Considering that we don't have the UP_param the param.bin is the safest bet to find the pictures since that's how it stored the png files on older Samsung devices
Hi, thanks for these amazing splash screens!
Could you make one where the "Press to continue" tab is between the logo and the "powered by android"?
Now it overlaps the logo and I think it will look cleaner when it's centered and lower.
I was thinking about something like this:
Thanks!
Edit: it looks like the image server is down atm, but i hope you understand what i mean
Chris3007 said:
> Hi, thanks for these amazing splash screens!
> Could you make one where the "Press to continue" tab is between the logo and the "powered by android"?
> Now it overlaps the logo and I think it will look cleaner when it's centered and lower.
> I was thinking about something like this:
> Thanks!
> Edit: it looks like the image server is down atm, but i hope you understand what i mean
I know what you mean. The reasoning for that placement is that it is telling you what button to press.
Awesome!!! And it works!! Thank you very much!
FriendlyNeighborhoodShane said:
> Hi!
> Fellow A70 user here. Great job on getting this working. We were also trying something similar out, but have failed so far.
> If I haven't interpreted wrong, it seems that the up_params partition on the A50 is a simple tar archive with all the splash pngs. Well unfortunately the A70 does not have an 'up_params' partition, it instead has a 'params' partition that isn't a tar apparently. (Probably because it's a Snapdragon and this is an exynos).
> Here's the ls of the bootdevice:
> abl cmnlib efs logfs persistent system
> aop cmnlib64 em misc pmic tz
> apdp ddr fota modem product uefisecapp
> apnhlos debug fsc modemst1 qupfw userdata
> bksecapp devcfg fsg modemst2 recovery vbmeta
> bluetooth devinfo hidden msadp sec_efs vendor
> boot dpo hyp omr secdata vk
> bota dqmdbg keymaster pad ssd xbl
> btd dsp keystore param steady xbl_config
> cache dtbo limits persist storsec
> I'll try to upload the params image and send it in a couple hours.
> Any idea what might be going on? Any help is appreciated
> ---------- Post added at 06:46 PM ---------- Previous post was at 06:30 PM ----------
> @randomajl Here's the param: https://anonfile.com/g944Wc7cnc/param
Same with galaxy fold. Any idea?
A30 please!
I have an A30, I need a boot logo for mine please. Light version.
would this work on the a20
The first question here is: How to gain root access in TERMUX ? "apt install tsu" doesn't work.
Is it necessary to install root repo ?
jasoncardeira said:
> The first question here is: How to gain root access in TERMUX ? "apt install tsu" doesn't work.
> Is it necessary to install root repo ?
Just use su
nahuelarias17 said:
> I have an A30, I need a boot logo for mine please. Light version.
I'd need your stock file then

[Tool] NFT - Nokia Flash Tool to flash stock ROM (For Unlocked Bootloader)

NFT 2.0.7 & 1.2.3- Nokia Flash Tool to flash stock ROM
This tool makes it easier to install stock ROMs.
This program is made for Windows with .NET Framework 4.5.1. It is a VB.NET program.
v.1.1.0
What the tool can do:
- Flash phone - the tool supports the following phones out of the box: Nokia 8.1, Nokia 9 PureView, Nokia 7.2, all Nokia phones on the SDM_660 family, And other Nokia Phones
- Requires the bootloader to be unlocked.
- Support for more phone models can be easily added by adding a new profile and defining the partitions to flash and matching it to file names to be flashed.
- Able to create custom flash process
- Able to import profile (partition and flash data) from a txt file (check sample format)
- Can dump your current partitions to create a flashable file for recovery (this function needs root access)
- Switch slot on A/B devices which support slot change
Thanks to:
- Hikari Calyx (hikaricalyx.com)
- Narender Singh (TechMesto.com)
System requirements:
- Windows 7, 8, 8.1,10 or higher, 32bit or 64bit
- .NET Framework 4.5.1
- USB Data Cable
- Phone
Downloads:
NFT v.1.2.4 (Stable)
NFT v.2.0.8 ( Stable )
NFT v.2.0.9 ( Stable ) - new 08 Dec 2020
NFT v.2.1.0 ( Stable ) - new 11 nov 2021
Firmware :
Firmware 7.2 (1_390)
Firmware 6.2 (1_160)
*Work with Payload
- install python 3
- make sure user Environment variables link to Python folder and Python folder\script
Bugs:
v.1.1.1
- Nokia 9 profile & dump (fixed in 1.1.2)
v.1.1.2
- language failed to save the second time (fixed in 1.1.3)
- some words failed to translate to CN (fixed in 1.1.3)
v1.1.3
- abl skip does not work after adding a language (fixed in 1.1.3a)
v1.1.3a
- none
v1.1.4
- in some cases Nokia 8.1 switches to slot A after flash (fixed in 1.1.5)
v.1.1.5
- dump on Nokia 7.2, 6.2 because of the new naming process (fixed in 1.1.6)
v.2.0.7
- OTA flash does not work (fixed in 2.0.8)
Update & change Logs
NFT v1.1.0
- New design
- Add support phone
- Add auto-detect mode
- Add some feature on profile management
NFT v.1.1.1
- Fix detect Device for MTK & A-only Device
- Fix dump for nokia 8.1
- add dump profile for nokia 8 & Sirocco
NFT v1.1.2
- Fix Nokia 9 profile and dump
- Dump partition now works in FTM mode and normal mode
- Add language setting: Simplified Chinese & English...
NFT v1.1.3
- fix save language in setting
- Fix some translate in CN language
- Add warning when flash Payload.bin
- Now NFT only process payload.bin with size more than 1Gb
(make sure use full system update payload.bin..)
NFT v1.1.3a
-fix minor bugs
NFT v1.1.4
- support more python name (for multiple python installed) default : python3, python, py . can add more
- add install protobuf on script
- add check slot on dump
- add custom dump setting..
- to change saved filename partition double click file name
*for best restore dump please use default file name for splash partition
NFT v1.1.5
- Fix auto-switch to slot A, after Flashing Nokia 8.1
- add Russian Language
- add Indonesia Language
- dump files are now named based on the installed ROM.
27 Dec.
- fix auto-detect for new devices (7.2, 6.2, etc.)
29 Dec
- add Donate link... for donate
- add logs
v1.1.6
- fix dump problem on nokia 6.2, nokia 7.2
- new menu - Create homebrew from OTA FILES (extracted)
3 January 2020
- fix name file Homebrew ( Minor)
- add error handle homebrew Clean temp files
- update Logs
27 January 2020
- fix naming dump for some devices... when dump inactive slot
-fix minor bugs
V2.0.0
- New UI
- Restore Partition from ADB
28 January 2020
V2.0.1
- Fix restore partition From ADB
- Tweak Side menu animation(Faster)
- now support flash partition structure (for convert CN - Global)
V.1.1.7
- now support flash partition structure (for convert CN - Global)
v2.0.2 & v1.1.8
- fix 4.2 & 3.2 Support
- note for nokia 4.2 & 3.2: Before do anything on flash form set profile to nokia 4.2 and nokia 3.2
v2.0.3 & v1.1.9
- fix minor bug for nokia 9
- fix nokia 7.2/6.2 didn't boot after flash ( Vbmeta problem)
v2.0.4 & v1.2.0
- Now supports .zip files (OTA file & custom ROM)
- fix English translate
v2.0.5 & v1.2.1
- Now supports .zip files (OTA file & custom ROM)
- fix English translate
- add separate setting For vbmeta flash script ( because -disabled-verify on some device will cause failed to update ota )
v2.0.8 & v1.2.4
- add support raghu vagma Homebrew Firmware
v2.0.9
- remove unused messagebox
* note for nokia 4.2 & 3.2: Before do anything on flash form set profile to nokia 4.2 and nokia 3.2
Reserved
How to :
* Flash phone
- Open NFT
- Choose Flash Normal
- Select Folder which Contain Firmware File
- Select Profile ( U can create Your Own profile In manage button)
- Flash
* Flash phone With Payload.bin
- Extract Full Ota FIle .zip
- Open NFT
- Choose Payload.bin File
- Choose Slot
- Flash
* Create Dump Partition Profile
- Open NFT
- Select Tools
- Select Dump partition
- Select manage
- Connect phone with USB debugging set ON and root permission granted
- Add New
- Select Which Partition Do you Want to backup
- Naming Profile
- Save
* Dump Partition
- Open NFT
- select Tools
- Select Dump Partition
- Connect phone with USB debugging set ON and root permission granted
- Select Profile
- Select Slot
- Dump Partition
* Homebrew From FULL OTA FIle
- Extract Full Ota FIle .zip
- Open NFT
- select Tools
- Select Make HomeBrew From Full OTA FILES
- Select Payload.bin File
- Choose Folder To save Homebrew
- Make Homebrew
* HomeBrew Security update
- Root Phone
- Follow instruction How to update phone on Magisk forum
- after update don't restart and don't patch boot.img to other slot
- Open NFT - Tools -Dump Partition
- Select Profile Homebrew For your Device
- Set inactive Slot on Slot option (if active Slot 'a' then choose 'b' , if active Slot 'b' then choose 'a')
- dump partition
Thank you ? Now I can mod my Nokia 7.2 without worrying too much.
Nice work!
anyone have valid link to stock firmware? thank you in advance
pattiandy said:
> anyone have valid link to stock firmware? thank you in advance
Click hikari calyx name in NFT to download firmware
I tried flashing OTA using payload mode. After the operation was finished, my device's screen turned black and now it does not turn on anymore. Is there anything I can do to fix it?
so it's some sort of 9008 mode I guess. and I couldn't find any nb0 firmware. I am absolutely clueless about what to do now.
lilmonkw said:
> I tried flashing OTA using payload mode. After the operation was finished, my device's screen turned black and now it does not turn on anymore. Is there anything I can do to fix it?
> so it's some sort of 9008 mode I guess. and I couldn't find any nb0 firmware. I am absolutely clueless about what to do now.
i put information in about button
for payload mode...it only for full rom OTA.. size about 1,5GB or more..
let me know what payload u use..
and what devices???
firmware download click on hikari name on NFT tools...
for 7.2 u need extract every zip in firmware and put it in one folder..
Flash using normal flash
lilmonkw said:
> I tried flashing OTA using payload mode. After the operation was finished, my device's screen turned black and now it does not turn on anymore. Is there anything I can do to fix it?
> so it's some sort of 9008 mode I guess. and I couldn't find any nb0 firmware. I am absolutely clueless about what to do now.
Which device did you flash? And didn't you understand that you need a full OTA to use the payload method?
Check if the device is in QdLoader 9008 mode, then you can still recover it. But if it is in some other mode, then the recovery needs disassembly.
sayaoks said:
> i put information in about button
> for payload mode...it only for full rom OTA.. size about 1,5GB or more..
> let me know what payload u use..
> and what devices???
> firmware download click on hikari name on app...
> for 7.2 u need extract every zip in firmware and put it in one folder..
> Flash using normal flash
I missed that payload information, and it's my fault. My device is in the 9008 mode now. Nokia 7.2.
I did not use the full OTA, and then I pretty much broke things. The OTA I used was the one I pulled out after it automatically downloaded on my phone. The device had August security patched firmware (the only one on the hikari website) installed.
---------- Post added at 12:49 PM ---------- Previous post was at 12:47 PM ----------
singhnsk said:
> Which device did you flash? And didn't you understand that you need a full OTA to use the payload method?
> Check if the device is in QdLoader 9008 mode, then you can still recover it. But if it is in some other mode, then the recovery needs disassembly.
I messed up with flashing not full OTA, and it's my fault. My device is Nokia 7.2. It's in the QdLoader 9008 mode.
lilmonkw said:
> I messed up with flashing not full OTA, and it's my fault. My device is Nokia 7.2. It's in the QdLoader 9008 mode.
From QDLoader, we should be able to fix it, but unfortunately, Nokia has not released a rawprogram and patch0.xml files. But you can likely use the one from Nokia X71 after slightly modifying it. Then flash abl and xbl using QFIL tool. Once you have a working bootloader (fastboot mode), you will be able to flash the stock ROM again.
I think @hikari_calyx will have a better idea about which files to use.
singhnsk said:
> From QDLoader, we should be able to fix it, but unfortunately, Nokia has not released a rawprogram and patch0.xml files. But you can likely use the one from Nokia X71 after slightly modifying it. Then flash abl and xbl using QFIL tool. Once you have a working bootloader (fastboot mode), you will be able to flash the stock ROM again.
> I think @hikari_calyx will have a better idea about which files to use.
What would I need to modify in those files? And is there a possibility of Nokia releasing rawprogram and patch0.xml for 7.2 ever?
"use Payload.bin" not support Python3 for Windows Store
[email protected] said:
> "use Payload.bin" not support Python3 for Windows Store
u need install python 3.
and install protobuf "python install protobuf"
for payload flash
if your python use "python3 / py" for running python...
use latest v1.1.4 its support
On my 7.2 im trying to go back to stock from Lineage 16.0 (unofficial) so that some things will work again and im getting:
"Flash abort!! Phone Looked Bootloader" (not a typo)
"ALL TASK COMPLETE"
Talon Pro said:
> On my 7.2 im trying to go back to stock from Lineage 16.0 (unofficial) so that some things will work again and im getting:
> "Flash abort!! Phone Looked Bootloader" (not a typo)
> "ALL TASK COMPLETE"
Hi, is your device critical unlocked? If not, please do it.
Code:
fastboot oem device-info
singhnsk said:
> Hi, is your device critical unlocked? If not, please do it.
> Code:
> fastboot oem device-info
The bootloader is, how do you think I got the Lineage on it? I don't know how to unlock anything else, this is all new to me on the Android side, I'm a Windows guy. I have TWRP on it, will that matter?
Nvm, i figured it out, got it unlocked.
It gets to "Flashing system.img to system_b" and aborts. Same thing happens if i switch to system_a.
Talon Pro said:
> It gets to "Flashing system.img to system_b" and aborts. Same thing happens if i switch to system_a.
You unpacked the system, boot and vendor image to the same folder as well, right? And not to some other folder. The file exists in the same directory?

Repacked boot.img is half the size of stock boot.img

Hi everyone,
I'm having trouble generating a boot.img using Android Image Kitchen to be the same size as the stock boot.img that I first unpacked! The stock boot.img is 69.1MB and if I unpack that and immediately repack it reduces to 39.1MB.
Specs
Samsung S20 Ultra 5G (G988B)
Android 10
PDA: G988BXXU4BTH5 (August 2020)
What I've Done So Far
I've compiled a custom kernel using source straight from Samsung's open source repo. For testing purposes I have made no changes and simply compiled with the relevant toolchains.
To take my compiled kernel and package it up into a boot.img I can flash with Odin, I have followed this guide how-to-unpack-and-edit-android-boot-img using osm0sis' Android Image Kitchen tools (AIK)
I have done the following:
Download custom firmware (PDA: G988BXXU4BTH5) and extract boot.img from AP archive
Unpack boot.img using AIK
Bash:
unpackbootimg -i ./boot.img
Construct arguments for mkbootimg based on above step's output
Run mkbootimg with arguments:
Bash:
#!/bin/bash
set -e
set -x
./bin/linux/x86_64/mkbootimg \
--kernel ./boot.img-kernel \
--ramdisk ./boot.img-ramdisk.gz \
--dtb ./boot.img-dtb \
--cmdline "$(cat ./boot.img-cmdline)" \
--base "$(cat ./boot.img-base)" \
--kernel_offset "$(cat ./boot.img-kernel_offset)" \
--ramdisk_offset "$(cat ./boot.img-ramdisk_offset)" \
--tags_offset "$(cat ./boot.img-tags_offset)" \
--dtb_offset "$(cat ./boot.img-dtb_offset)" \
--os_version "$(cat ./boot.img-os_version)" \
--os_patch_level "$(cat ./boot.img-os_patch_level)" \
--board "$(cat ./boot.img-board)" \
--pagesize "$(cat ./boot.img-pagesize)" \
--header_version "$(cat ./boot.img-header_version)" \
--hashtype "$(cat ./boot.img-hashtype)" \
--output ./new-boot.img
For some reason the resulting boot.img file is 39.1MB whereas the stock boot.img is 69.1MB
To confirm it wasn't my custom kernel, I simply unpacked the stock boot.img and then repacked the extracted files. The output is again 39.1MB. This leads me to believe that AIK is either not extracting all the required files from the stock boot.img or is not packing all the required files into the generated boot.img
I came across this post in which someone successfully built a Samsung S21 boot.img, without size issues, using a fork of AIK however all projects I've used to generate boot.img give me the exact same size inconsistency.
I tried seeing what would happen if I flashed the 39.1MB boot.img on anyway and after successfully flashing, I got a boot error:
ODIN MODE (DT Load Fail)!
[DTH] dt table header check Fail: FDT_ERR_BADMAGIC
[UFDT] DTB LOAD FAIL
Does this suggest AIK is not packaging the dtb file correctly? Given boot.img-dtb is only 340.1KB, it must be missing more than just this.
I seem to be at an impasse and would be deeply appreciative if the smart people on XDA could lend some advice!
Thank you!
Update #1:
I was able to flash the 39.1MB boot.img (with both stock and custom kernel) and avoid the above DTB Load Fail by:
1. Ensuring name/dir structure is boot.img inside boot.img.tar
2. Using stock dtb file
It then bootloops until I am presented with recovery and error:
From this post it seems like repacking changes hash leading to 'integrity_failed' error above.
Update #2:
I managed to successfully load generated boot.img with custom kernel. I had to disable Android Verified Boot by flashing vbmeta_disabled.tar in the UserData tab in ODIN. This disables integrity checking in the bootloader sequence when the ROM bootloader passes control to the kernel in boot.img
I hope this helps others!
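To see how much of a stock boot.img is image content and how much is trailing data that mkbootimg will not write back, the section sizes in the header can be summed page by page and compared with the file size. The script below is an added example, not code from the post or from Android Image Kitchen; it assumes the AOSP boot image header layout for header versions 0 to 2, and both sample images are constructed.

```python
import struct

BOOT_MAGIC = b"ANDROID!"


def round_up(size, page):
    """Round size up to a whole number of pages."""
    return -(-size // page) * page


def boot_image_layout(img):
    """Sum the page-aligned sections of a header v0-v2 boot image."""
    if img[:8] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic")
    # Ten little-endian u32 fields follow the magic (AOSP bootimg.h).
    (kernel, _kaddr, ramdisk, _raddr, second, _saddr, _tags,
     page, version, _os) = struct.unpack_from("<10I", img, 8)
    if version > 2:
        raise ValueError("header v3+ uses a different layout")
    if page == 0 or page & (page - 1):
        raise ValueError("implausible page size %d" % page)
    recovery_dtbo = dtb = 0
    if version >= 1:                       # v1 adds recovery_dtbo_size
        recovery_dtbo = struct.unpack_from("<I", img, 1632)[0]
    if version == 2:                       # v2 adds dtb_size
        dtb = struct.unpack_from("<I", img, 1648)[0]
    sections = {"kernel": kernel, "ramdisk": ramdisk, "second": second,
                "recovery_dtbo": recovery_dtbo, "dtb": dtb}
    # One page of header, then each section padded to a page boundary.
    payload = page + sum(round_up(n, page) for n in sections.values())
    if payload > len(img):
        raise ValueError("file is shorter than the header claims")
    tail = img[payload:]
    return {
        "header_version": version,
        "page_size": page,
        "sections": sections,
        "payload": payload,                 # what a repack reproduces
        "file_size": len(img),
        "trailing": len(tail),              # padding, signature, footer...
        "trailing_nonzero": len(tail) - tail.count(0),
    }


def build_sample(kernel=5000, ramdisk=3000, dtb=1000, page=2048,
                 partition=0, trailer=b""):
    """Constructed header v2 image, optionally padded to a partition size."""
    hdr = bytearray(page)
    struct.pack_into("<8s10I", hdr, 0, BOOT_MAGIC,
                     kernel, 0, ramdisk, 0, 0, 0, 0, page, 2, 0)
    # recovery_dtbo_size, recovery_dtbo_offset, header_size, dtb_size, dtb_addr
    struct.pack_into("<IQIIQ", hdr, 1632, 0, 0, 1660, dtb, 0)
    body = b"".join(b"\xaa" * n + b"\0" * (round_up(n, page) - n)
                    for n in (kernel, ramdisk, dtb))
    img = bytes(hdr) + body
    pad = bytearray(max(0, partition - len(img)))
    if trailer:
        pad[-len(trailer):] = trailer       # constructed stand-in for a signature
    return img + bytes(pad)


if __name__ == "__main__":
    repacked = build_sample()
    stock = build_sample(partition=65536, trailer=b"\x55" * 64)
    for name, img in (("repacked", repacked), ("stock dump", stock)):
        info = boot_image_layout(img)
        print(name, info["file_size"], "bytes, payload", info["payload"],
              "trailing", info["trailing"],
              "of which non-zero", info["trailing_nonzero"])
```

Non-zero trailing bytes are the part worth inspecting before flashing a repack, since a repacked image will not carry them.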
I have the same problem.
I created a custom kernel as I couldn't provide selinux permissions, but now I have the error [DTH] dt table header check Fail: DFT_ERR_BADMAGIC
[UFDT] DTB LOAD FAIL.
-- phone properties --
Samsung Note 20 (Exynos 990)
Can you please help me? ^^
Please read the Forum Rules before posting.
Questions belong in the Questions and Answers section.
15. Keep threads / posts on-topic
Whilst a minor amount of off-topic posting may be overlooked, the general rule is that your posts / threads must be relevant to the Forum / thread in which you are posting.
General Forums - For news and announcements relating to your device.
Q&A Help & Troubleshooting Forums - For all question / request threads and posts. If there is no Q&A Help & Troubleshooting forum, use the General Forum of the relevant device
Accessories Forum - For posts related to accessories relevant to the device
Development Forums (ones with the word development in the title) - For Developers to post release threads e.g. ROMs and Kernels including modifications to kernels, bootloaders, ROMs, etc., as well as R&D development discussion threads designed with an end goal
Themes and Apps Forums - For the posting of Themes and / or Apps as well as announcements & discussions including modifications made to Themes and Apps.
Thread moved.

Question how to unlock the bootloader ?

how to unlock the bootloader, I read about some program "indeepth test", but did not find it on this phone
You need to wait till realme/Oppo releases the app specific to this phone. If you google the app, you will find plenty of sites say that the app for realme 3 or X will work but just a waste of time. Has to be for this phone
Though I am looking into a possible way to root device without unlocking bootloader.
Sorry for the stupid question, but I'm not even able to enter fastboot mode: pressing Volume Up + Power buttons simply reboots the system and sending "adb reboot bootloader" gives me a terminal message ending with "the serial is not match, fastboot_unlock_verify fail"...
What's wrong?
As per my previous comment. Realme releases an apk file that then allows you to unlock the bootloader
While the bootloader is locked on any android devices, you will not be able to boot to fastboot.
I have managed to flash a magisk patched boot.img file by other means but wasn't successful, as need to patch Vbmeta and can't do that without fastboot or two(or equivalent).
The apk they release is called deep testing. If you go on realme forums they are generally pretty open and quick to release. The app is pretty much the equivalent of applying to Sony on the xperia's the app does the unlocking et
If I can find a way to get past the red state boot screen I will definitely post the instructions and all files etc
@smiley.raver
Hello, I bought this device and have been using it for exactly 1 week,
I searched the internet and found this article, but I'm not sure if the article is Trustworthy, can you check it?
MrMiyamo said:
@smiley.raver
Hello, I bought this device and have been using it for exactly 1 week,
I searched the internet and found this article, but I'm not sure if the article is Trustworthy, can you check it?
Ok, I found this one too, and it looks more trustworthy.
Well, I believe you, so I will wait for your response.
MrMiyamo said:
Ok, I found this one too, and it looks more trustworthy.
Well, I believe you, so I will wait for your response.
That will be the method, though realme still have not released the unlock tool for this device.
If you check the realme community forums, and see h bootloader unlock for this device on a periodical basis realme will eventually release it, just not sure on their time frames. This is only my second realme device of which the first one I once the c3 had already been out for a while and unlock tool was already released.
Once it has been, I will create a thread with the process and attach the files here in xda
@smiley.raver
Should we wait realme or look at this?
GitHub - bkerler/mtkclient: MTK reverse engineering and flash tool
MrMiyamo said:
@smiley.raver
View attachment 5426883
Should we wait realme or look at this?
GitHub - bkerler/mtkclient: MTK reverse engineering and flash tool
I checked the tool and I couldn't do anything so far.
Sorry have been flat out at home doing renovations
I will have a look at it sometime over the next couple of days.
smiley.raver said:
Sorry have been flat out at home doing renovations
I will have a look at it sometime over the next couple of days.
Yes, I will also look at it in a few days.
I will install a Linux distro on my laptop and try again.
BTW we should look at this video for reference;
MrMiyamo said:
@smiley.raver
View attachment 5426883
Should we wait realme or look at this?
GitHub - bkerler/mtkclient: MTK reverse engineering and flash tool
I have had a read through. Getting to brom bootloader and bypassing da was the way I was attempting it I am curious as to what is different between his magisk all and the app release he does.
I haven't had a look at the other one yet. Will do that tomorrow
smiley.raver said:
I have had a read through. Getting to brom bootloader and bypassing da was the way I was attempting it I am curious as to what is different between his magisk all and the app release he does.
I haven't had a look at the other one yet. Will do that tomorrow
I installed a linux distro today and tried again, i get same result as on windows.
If you get the same result, we'll assume it's caused by the device.
In this case, there is nothing left except creating a new issue on the github repo.
@MrMiyamo are you successfully booting into the brom bootloader? as the instructions on github are only saying to power + vol up or down - when it is power + vol up + vol down and then plug in usb. I have just had to reinstall windows so i will give this a go as just installed python.
give me a few hours to play around and see what i can do - i maybe able to do it the way i was doing it with the magisk app released on github page
@MrMiyamo while phone is turned on - push an hold power + vol + + vol - and continue to hold while it reboots, continue holding while you see at bottom of the screen rebooting to recovery - continue holding the keys down and plug usb in with other end connected to the computer
mind you im getting stuck at the da sync - try doing same process on linux - as i havent installed it yet and awaiting for it to download
C:\mtkclient>python mtk rl out
Capstone library is missing (optional).
Keystone library is missing (optional).
MTK Flash/Exploit Client V1.42 (c) B.Kerler 2020-2021
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected
Preloader - CPU: MT6765(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - BROM mode detected.
Preloader - ME_ID: BA8A36E4EDC2EC489BA44EEA0F809354
Preloader - SOC_ID: 5A9501C1148E3B36CD3B173E1EBE166257EBA2069333EFF7A1CE20EAD189884F
Main - Device is unprotected.
Main - Device is in BROM mode. Trying to dump preloader.
PLTools - Loading payload from C:\mtkclient\mtkclient\config\..\payloads\mt6765_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: C:\mtkclient\mtkclient\config\..\payloads\mt6765_payload.bin
Port - Device detected
DAXFlash - Uploading stage 1...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
DAXFlash - Successfully received DA sync
@smiley.raver
I ran "sudo mtk rl out" and it looks like it does the job; it is currently dumping all partitions.
Edit:
Ok, I did something stupid and installed the Linux system on a 24 GB partition,
so I had to stop the process before it completed.
It's probably fine as long as we don't want a backup, but I'll install the system on a 64 GB partition and look again later.
MrMiyamo said:
@smiley.raver
I ran "sudo mtk rl out" and it looks like it does the job; it is currently dumping all partitions.
thats awesome - so it appears to be a windows issue - i will create the issue on github soon - we have progress
also i found out that it only needs to be phone switched off and vol + & vol - held while plugging in usb
with that working - then the rest of the instructions should work - so give it a try - i just finished downloading linux - so i will be a little while off trying it
i think i know what the windows issue is - it's not picking up vcom drivers in the transition from bootloader to vcom - so therefore it stalls -
I edited my message, can you check it?
@smiley.raver
BTW my phone has a pending OTA update. I keep not updating since I worry that the method will not work.
Can I apply the OTA update without worry?
Otherwise, how can I remove the pending update files?
smiley.raver said:
thats awesome - so it appears to be a windows issue - i will create the issue on github soon - we have progress
also i found out that it only needs to be phone switched off and vol + & vol - held while plugging in usb
MrMiyamo said:
@smiley.raver
BTW my phone has a pending OTA update. I keep not updating since I worry that the method will not work.
Can I apply the OTA update without worry?
Otherwise, how can I remove the pending update files?
while your phone is not updated - let's leave it like that - as mine is on the latest firmware - hence we may be getting different issues.
this way we can attack 2 different firmware versions. yep, saw your edited message - i had to install another hdd to install just for the moment ...
but at least the mtk rl command worked and got further then I did on windows - im about halfway through linux install (just have to remember how to use the bloody thing now haha)

Learning About AVB Android Verified Boot (Boot.img dtb.img, vbmeta.img, and the "staging blob")

Edit-- after studying a couple days I understand why no modification to the images would work, which is due to AVB. I have a lot more studying to do and I will explain better. This thread is currently a mess of notes from a noob picking a kind lady's brain
Hello All~!
This is an effort to understand what exactly is going on with the files contained in the boot.img from our shield --edit to understand this on the shield, we must understand the other images as well (dtb, vbmeta. and the "staging blob" that comes with the shield)
ImgUtil
Miss @Renate has developed a wonderful tool to allow us to see the contents of our boot.img by placing her tool in the same folder as the boot.img and running this code:
Code:
imgutil.exe /v /l boot.img
Spoiler: SHOW
STOCK BOOT IMAGE:
DEV BOOT IMAGE:
IMAGES THAT COME WITH SHIELD
This was only possible Thanks to Renate.
AVB NOTES:
Finally figured out how to actually use the avb tool.. I feel stupid. Copy this script and make a new file called avbtool
Per this link I learned how to make an empty vbmeta with the tool, i had to add "python" to the front
Code:
python avbtool make_vbmeta_image --flags 2 --padding_size 4096 --output vbmeta_disabled.img
That allowed me to generate an empty vbmeta
The avbtool help menu:
View attachment 5792745
Signing boot images for Android Verified Boot (AVB) [v8]
Various Android devices support Android Verified Boot (AVB). A part of this is more commonly known as dm-verity, which verifies system (and vendor) partition integrity. AVB can however also verify boot images, and stock firmwares generally...
super helpful
Boot Flow | Android Open Source Project
There can be image signing with vbmeta and/or AVB on the image itself.
Whether these are enforced is another question and can most easily be determined by experimenting.
Most people grab a boot image out of a partition. The whole partition.
In the days before AVB0 signing this meant you might copy a 64M partition and get 24M of actual image and 40M of zeroes.
In the days after AVB0 signing this meant you get 24M of actual image, 2k of signing, 40M of zeroes and an itty-bitty AVB0 footer.
That AVB0 footer is a pesky detail.
You can see it if you have the whole partition and use a hex editor at the very end (size-4096).
As Magisk deals with boot images I should double check what they do. I believe they don't modify the AVB0 footer at all.
Using my EDL client edl.exe there is the /t option to trim an image to the real ~24M live bit.
In imgutil.exe there is the /p option to strip padding.
If your fastboot works fine, you have a nice recovery and you feel confident you can experiment.
You can trim your stock boot image of its padding using imgutil.exe (which I believe leaves the AVB0 header intact), then:
Code:
fastboot erase boot
fastboot flash boot mytrimmedstock.img
You can even trim away the AVB0 header (using the address shown in imgutil.exe) and see if that works with erase, flash.
Then there is the vbmeta. That is a check on things too, whether enforced or not is also a question.
You can often replace it with a disabled vbmeta image.
Your dtb is in a separate partition.
On my main device it's on the kernel. I modify (in hex instead of dtc round-tripping) it to not verify /vendor.
@Renate Thank You, Seriously For Your Time. I was Just Looking at your EDL tool! I am going to play with all of this now. I cannot even begin to tell you how happy this has made me.
This is the link to her edl tool
EDL Utility
i deleted the vbmeta link that was originally listed here. ordinarily i would leave the comment up for knowledge, but I don't want anyone to get off the path. We need to learn the avb tools and generate our own, not use others due to the cryptographic hashes associated with each image that chains to the "staging" blob
Hi @Renate May I bother you again? I am stuck on two parts,
You mention editing the dtb to not verify /vendor could you help me to understand how to do that?
I threw my dtb.img into HXD and searched for "vendor" and it brought up this
Spoiler: SHOW
but I am unsure if this is what I need or what to change it to?
Also I wanted to try to do what you say here "You can even trim away the AVB0 header (using the address shown in imgutil.exe) and see if that works with erase, flash."
I took that to mean use imgutil.exe to /d the Header1 file? Is that wrong? I tried all these but I cannot figure out on my own how to do it
Spoiler: SHOW
>.> i at least figured out the padding part
No, I'm not saying that you have to change dtb.
In today's world you can "modify" things by using Magisk modules (and not modifying /system) or by burning your bridges and just modifying /system.
If you do that you'll have to get rid of all verification (and FEC if present) and it makes updates impossible without reverting back to stock.
Your choices are influenced by what the OEM offers for updates and how much you want to sink your teeth into swamp critters.
Looking at a dtb in raw hex will make you go blind.
You should use dtc to disassemble/assemble.
It's probably not on your device but it is in any Linux.
I use my own dtbview.exe (not ready for prime-time) to get a dump with addresses.
If you like (for learning) post your dtb.
@Renate this is the dtb image, and thank you for telling me about dtc LOL I will get that installed in my ubuntu VM.
Also @Renate is this the right tool?
Spoiler: SHOW
Yeah, that's the right tool.
I don't know if the mysterious new header on Android is part of Linux or not.
So your dtb partition is 2M
The end of actual data is 7c394, so basically 1/4 of the partition.
But it's also AVB signed, look at offset 7d000
And its silly footer at 1fffc0
Here's the listing for your edification
Spoiler: DTC FOR WINDOWS
I came across this dtc tool for windows made by amlogic, it was originally shared here, bundled with other things
How to Extract a Device Tree File from Android Firmware Files - CNX Software
Spoiler: SHOW
I extracted just it
dtc-tool.exe
I checked it on virus total
VirusTotal
@Renate Hi, I'm going to probably bother you till you block me...
But could you explain to me how you were able to take that dtb image I shared with you to turn it into the text file? I tried to use the dtc tool in linux and on windows but I cannot figure out how to get the listing like you did.
Here's what I was trying
jenneh said:
Blob has incorrect magic number
Yeah, it does!
That's what I've been fighting about. They decided to add some header.
Some dtb's have multiple separate models built in. Why? I have no idea.
Instead of ye olde fashioned "a dtb is that period" they decided to put in a header.
I'm sure that it's documented somewhere.
If you are just doing this for your own amusement, knock the first 128 bytes off the file and it can be disassembled.
@Renate I Really Am doing this for my own fun. But For A Total Noob, can you explain what this means? "knock the first 128 bytes off the file and it can be disassembled" I'm so very sorry. I have always been intrigued with disassembly but I do not know very much
Somebody at Android decided for whatever reason to extend the Linux DTB by putting another header before it.
Obviously Linux doesn't know or care what Android does.
If you look at offset 0x80 you'll see the normal signature of 0xd00feed (in bigend).
We can discuss whether that's politically questionable, but that's the way it is.
@Renate I guess what I am having trouble understanding, is where are these offsets that you are pointing me to with all this valuable information? Like you said here "If you look at offset 0x80 you'll see the normal signature of 0xd00feed (in bigend)."
When I look at the offsets in the text file I don't see anything called 0x80 it's the same trouble for me to fully understand what you were telling me earlier
Spoiler: SHOW
"But it's also AVB signed, look at offset 7d000
And its silly footer at 1fffc0"
How do I see these offsets that you so awesomely took the time to point out?
jenneh said:
When I look at the offsets in the text file I don't see anything called 0x80...
When you look at something like this you're looking at a raw chunk of memory.
As such, every bit of it, err, every byte of it has an address.
The first byte is zero and it goes up from there.
"0x80" is hex 80, (i.e. 128 bytes) into the file.
Renate said:
When you look at something like this you're looking at a raw chunk of memory.
As such, every bit of it, err, every byte of it has an address.
The first byte is zero and it goes up from there.
"0x80" is hex 80, (i.e. 128 bytes) into the file.
Does that mean these first 8 lines of offsets are the first bytes? Is this what I would want to blank out to remove the header?
So, look at the line with 00000080: d0 0d fe ed, "doodfeed"!
It's not a question of "blanking" it's a question of "skipping".
Although I don't o-fish-ally release it, here is modfile.exe: modfile
Code:
C:\>copy dtb dtb-short
C:\>modfile dtb-short /s 80
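The offsets discussed in this thread (the device tree magic at 0x80, the end of data at 7c394, the AVB signature at 7d000 and the footer at 1fffc0) can be located by a script instead of by eye in a hex editor. The Python below is an added example, not part of any post and not one of Renate's tools; it assumes the standard flattened device tree header and the libavb footer layout (magic `AVBf` in the last 64 bytes, pointing at a vbmeta blob that starts with `AVB0`), and the 2M sample image is constructed to reproduce those offsets with an empty tree body.

```python
import struct

FDT_MAGIC = b"\xd0\x0d\xfe\xed"   # 0xd00dfeed stored big-endian
AVB_FOOTER_MAGIC = b"AVBf"        # footer in the last 64 bytes of the partition
AVB_VBMETA_MAGIC = b"AVB0"        # start of the vbmeta (signature) blob
AVB_FOOTER_SIZE = 64


def find_fdt(img):
    """Return (offset, totalsize) of the first plausible device tree blob."""
    pos = img.find(FDT_MAGIC)
    while pos != -1:
        if pos + 40 <= len(img):
            total, off_struct, off_strings = struct.unpack_from(">3I", img, pos + 4)
            # A real header describes a blob that fits in the file and keeps
            # its structure and strings blocks inside itself.
            if (40 <= total <= len(img) - pos
                    and off_struct < total and off_strings < total):
                return pos, total
        pos = img.find(FDT_MAGIC, pos + 1)
    return None


def carve_fdt(img):
    """Skip whatever precedes the magic and return just the blob for dtc."""
    found = find_fdt(img)
    if found is None:
        raise ValueError("no device tree magic found")
    off, total = found
    return img[off:off + total]


def parse_avb_footer(img):
    """Parse the AVB footer at the very end of a partition dump, or None."""
    if len(img) < AVB_FOOTER_SIZE:
        return None
    at = len(img) - AVB_FOOTER_SIZE
    magic, major, minor, orig_size, vb_off, vb_size = struct.unpack_from(
        ">4sIIQQQ", img, at)
    if magic != AVB_FOOTER_MAGIC:
        return None
    return {
        "footer_offset": at,
        "version": (major, minor),
        "original_image_size": orig_size,   # where the real data ends
        "vbmeta_offset": vb_off,
        "vbmeta_size": vb_size,
        "vbmeta_magic_ok": img[vb_off:vb_off + 4] == AVB_VBMETA_MAGIC,
    }


def build_sample():
    """Constructed 2M dump laid out like the dtb partition in the thread."""
    img = bytearray(0x200000)
    fdt_size = 0x7c394 - 0x80               # blob runs from 0x80 to 0x7c394
    # magic, totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap,
    # version, last_comp_version, boot_cpuid_phys, size_strings, size_struct
    struct.pack_into(">10I", img, 0x80, 0xd00dfeed, fdt_size, 0x38,
                     fdt_size - 0x10, 0x28, 17, 16, 0, 0x10, fdt_size - 0x48)
    img[0x7d000:0x7d004] = AVB_VBMETA_MAGIC
    # vbmeta_size 0x840 is an arbitrary constructed value.
    struct.pack_into(">4sIIQQQ", img, 0x1fffc0, AVB_FOOTER_MAGIC,
                     1, 0, 0x7c394, 0x7d000, 0x840)
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample()
    off, total = find_fdt(dump)
    print("device tree at 0x%x, ends at 0x%x" % (off, off + total))
    footer = parse_avb_footer(dump)
    print("footer at 0x%x, data ends 0x%x, vbmeta at 0x%x" % (
        footer["footer_offset"], footer["original_image_size"],
        footer["vbmeta_offset"]))
```

Writing the result of `carve_fdt` to a file gives the same input for dtc as skipping the first 0x80 bytes by hand, without hard-coding the header length.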
Renate said:
So, look at the line with 00000080: d0 0d fe ed, "doodfeed"!
Gosh, Thank You. "d0 0d fe ed, "doodfeed"!" This, this did it for me to Understand. Haha. Thank You for the modfile tool as [email protected]@!
I got to get some sleep, but rest assured I will be back tomorrow to bother you even more!
@Renate Good Morning!! THANK YOU for helping me to learn how to "Skip" the erroneous header! This is something I Literally would never have learned Without You! Your modfile tool is so Neat! Also appreciate the Semantics!!
FIRST QUESTION! How do I produce a text output file similar to the one you shared with me? As in one that has all the offsets at the beginning of the line?
I ran this command after the skip (It finally worked yay!! No magic number problem!!):
Code:
dtc-tool.exe -I dtb -o dtb.txt dtb.img
I got this output text, which is noticeably missing the offsets that your copy provided.
Spoiler: SHOW
Spoiler: DTC MANUAL
Here is the manual for other people learning:
manual.txt « Documentation - dtc/dtc.git - The Device Tree Compiler
Spoiler: I SAW BOOTLOADER.
SECOND QUESTION! Theoretically, if I wanted to add a new Bootloader to be able to run windows, Would that be done in here? Or more specifically, somewhere in the DTS? We don't have to go into technical specifics yet... unless you want to but is it possible?
THIRD QUESTION! When I was learning how to flash the images onto the Shield, Nvidia made mentions to use this command to flash the "staging blob" I have always wondered Why and What is this, is it needed do you know?
Spoiler: SHOW
Thank you as always for your time
