Develop Bugs

Bring me up to speed (Trying to root) - LG V35 Guides, News, & Discussion

I just got my AT&T V35 so I can try and help you guys get root.
However, I don't have time to try and track down all the information so far. So, Someone with knowledge needs to bring me up to speed.
Here are the questions I need answered:
Is there a model that has FULL fast boot (fastboot flash, fastboot boot, etc). This is VERY important because it will make life much easier.
Where is the engineering abl?
Has LG UP already been patched for lab mode (partition DL, DUMP)?
How many models of the V35 are there?
How many of those have KDZs available?
We will start with that.
When it comes to rooting an extremely locked down phone there are several things that are involved. Now there are multiple ways to get to them, but I prefer doing through lafd for writing / temp root.
You have to be able to write to the phone while it is secure. This means having a patched LG UP that can handle writing say laf from the G7
You need temp root. This (in the past for my root processes) has meant flashing a laf partition that is signed, but has a root exploit
once you have temp root, you have to be able to unlock the bootloader. This was accomplished on the V20 with an engineering aboot (abl). It was accomplished on the G6 by taking a donor US997 with an unlock.bin
I await the answers....
Please don't get me wrong, now that I have the phone in my hands, I will start from scratch if I have to, but it is in your best interests, if you want root, to help me out (it will go MUCH faster -- since I know what I do and don't have to do).
-- Brian

Is there a model that has FULL fast boot?: Yes AT&T engineering V35
Where is the engineering abl?: HERE
Has LG UP already been patched for lab mode (partition DL, DUMP)?: Yes, HERE
How many models of the V35 are there?: 6
(All of them are crossflashable except the Korean one - fault in modem partitions (LMV350N)
How many of those have KDZs available?: All of them HERE

vlad48 said:
Is there a model that has FULL fast boot?: Yes AT&T engineering V35
Where is the engineering abl?: HERE
Has LG UP already been patched for lab mode (partition DL, DUMP)?: Yes, HERE
How many models of the V35 are there?: 6
(All of them are crossflashable except the Korean one - fault in modem partitions (LMV350N)
How many of those have KDZs available?: All of them HERE
Click to expand...
Click to collapse
I hit the thanks button, but thanks again.
I need someone with an unlocked bootloader to get in touch with me and do some fastboot boots.
-- Brian

vlad48 said:
Is there a model that has FULL fast boot?: Yes AT&T engineering V35
Where is the engineering abl?: HERE
Has LG UP already been patched for lab mode (partition DL, DUMP)?: Yes, HERE
How many models of the V35 are there?: 6
(All of them are crossflashable except the Korean one - fault in modem partitions (LMV350N)
How many of those have KDZs available?: All of them HERE
Click to expand...
Click to collapse
Thanks for all this.
I flashed my AT&T V35 to the LMV350ULM variant using LGUP. Can I then flash it with the LMV350AWM version and do I need to reset the phone firsthand before flashing in order to get a newer build with security updates?

@X-Nemesis If your device was initially an AT&T model - it can receive OTA's only if it is on AT&T firmware and you are using it with AT&T SIM.
Yes, you can cross-flash it to any other model except KOREAN ones, but the trade-off is that you will stop receiving OTA updates until you return to your AT&T firmware.

vlad48 said:
@X-Nemesis If your device was initially an AT&T model - it can receive OTA's only if it is on AT&T firmware and you are using it with AT&T SIM.
Yes, you can cross-flash it to any other model except KOREAN ones, but the trade-off is that you will stop receiving OTA updates until you return to your AT&T firmware.
Click to expand...
Click to collapse
Yeah, I'm in Canada and got the V35 for a great price off Ebay. I found out exactly what you said regarding updates and knew I was toast so I flashed to the Fi version after reading a post on Reddit similar to yours, for those who aren't on AT&T.
I just didn't know you could crossflash all of the firmwares except for the Korean version so at least I have a means to keep my phone with the latest security updates.
Again, thanks.

runningnak3d said:
I hit the thanks button, but thanks again.
I need someone with an unlocked bootloader to get in touch with me and do some fastboot boots.
-- Brian
Click to expand...
Click to collapse
Hey Brian. Super psyched you're here. I just nabbed a v35 as well as it seemed like a worthy upgrade from the v30 for what they are going for on eBay now.
I read that @b8engl has a v35 with an unlocked bootloader. Perhaps you two are already in touch.
Good luck fellas. I see great things happening here.
-Adam

X-Nemesis said:
Yeah, I'm in Canada and got the V35 for a great price off Ebay. I found out exactly what you said regarding updates and knew I was toast so I flashed to the Fi version after reading a post on Reddit similar to yours, for those who aren't on AT&T.
I just didn't know you could crossflash all of the firmwares except for the Korean version so at least I have a means to keep my phone with the latest security updates.
Again, thanks.
Click to expand...
Click to collapse
So you CAN cross flash V35. Someone with Octopus box told me you couldn't.
Sent via open market LG US998 V30/V30+
---------- Post added at 12:42 PM ---------- Previous post was at 12:42 PM ----------
vlad48 said:
@X-Nemesis If your device was initially an AT&T model - it can receive OTA's only if it is on AT&T firmware and you are using it with AT&T SIM.
Yes, you can cross-flash it to any other model except KOREAN ones, but the trade-off is that you will stop receiving OTA updates until you return to your AT&T firmware.
Click to expand...
Click to collapse
Thank you for the information!
Sent via open market LG US998 V30/V30+

runningnak3d said:
I hit the thanks button, but thanks again.
I need someone with an unlocked bootloader to get in touch with me and do some fastboot boots.
-- Brian
Click to expand...
Click to collapse
I already reached out to help... didn't receive anymore message.
---------- Post added at 07:22 PM ---------- Previous post was at 07:22 PM ----------
ChazzMatt said:
So you CAN cross flash V35. Someone with Octopus box told me you couldn't.
Click to expand...
Click to collapse
Yes, it's possible!
---------- Post added at 07:37 PM ---------- Previous post was at 07:22 PM ----------
bacon612 said:
Hey Brian. Super psyched you're here. I just nabbed a v35 as well as it seemed like a worthy upgrade from the v30 for what they are going for on eBay now.
I read that @b8engl has a v35 with an unlocked bootloader. Perhaps you two are already in touch.
Good luck fellas. I see great things happening here.
-Adam
Click to expand...
Click to collapse
Yes, we were. But I'm guessing that he alredy has his V35 in hands now... must be testing!
I haved request help for extracting the Qualcomm loader from a data file, perhaps you would like to take a look to the file and tell me what you think I could do?
Link here: https://forum.xda-developers.com/showpost.php?p=79074150&postcount=39

@b8engl It would really make things go quicker if you could fastboot boot every V35 and G7 laf partition that is available. The purpose being to find one that can have the toybox backdoor triggered.
Boot it, run lglaf, and type whoami, and then !EXEC /system/bin/toybox whomai\0
I could extract and decompile *every* one of them, but it quicker to just boot and test.
The G7 has an SD845 so laf images should boot on the V35. We don't care about things like the screen working, touch, the modem or anything else. As long as it boots, and lafd runs, we are good. As for you worrying about bricking your phone or something else nasty -- the fastboot boot command doesn't write anything to the phone. It extracts the boot image, loads it into RAM and runs it. If it boots -- great -- if not, no harm.
-- Brian

@runningnak3d your version from lglaf didn't work for me, I use lekensteyn version.
- git pull, then:
PHP:
[[email protected] lglafng]$ python lglaf.py
LGLAF.py by Peter Wu ([url]https://lekensteyn.nl/lglaf[/url])
Type a shell command to execute or "exit" to leave.
# whoami
lglaf.py:564: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
_logger.warn(e)
LGLAF.py: WARNING: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)
# !EXEC /system/bin/toybox whomai\0
LGLAF.py: WARNING: Header field requires a DWORD, got bytes b'/system/bin/toybox'
#

b8engl
You are a very big liar.
You have no phone with unlocked bootloader. I gave you a link to download full dump files of the phone.

byran7 said:
b8engl
You are a very big liar.
You have no phone with unlocked bootloader. I gave you a link to download full dump files of the phone.
Click to expand...
Click to collapse
hey dude, what's up with that big mouth!
what are you talking about, by you sent some files... I receive a lot of junk, especially about files or help. did I not respond or what?! take a pill and calme down!

b8engl said:
@runningnak3d your version from lglaf didn't work for me, I use lekensteyn version.
- git pull, then:
PHP:
[[email protected] lglafng]$ python lglaf.py
LGLAF.py by Peter Wu ([url]https://lekensteyn.nl/lglaf[/url])
Type a shell command to execute or "exit" to leave.
# whoami
lglaf.py:564: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
_logger.warn(e)
LGLAF.py: WARNING: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)
# !EXEC /system/bin/toybox whomai\0
LGLAF.py: WARNING: Header field requires a DWORD, got bytes b'/system/bin/toybox'
#
Click to expand...
Click to collapse
Use @steadfasterX's repo: https://github.com/steadfasterX/lglaf.git that is where all the latest development work is going.
Also, use Python3
Code:
git clone https://github.com/steadfasterX/lglaf.git
git checkout develop
python3 lglaf.py
whoami
!EXEC toybox whoami\0
!EXEC /system/bin/toybox whoami\0
There are TWO spaces after the EXEC.
However, it is a good sign that you didn't get any output from whoami alone....
-- Brian

b8engl
You are a very big liar.
You have no phone with unlocked bootloader. I gave you a link to download full dump files of the phone.
Ask for forgiveness and do not deceive more people here on the forum.
I will ask to make a photo of the phone in fastboot.Then all doubts will disappear.

@runningnak3d how to import cryptography?
PHP:
[[email protected] lglaf]$ python3 lglaf.py
LAF Crypto failed to import! Error: No module named 'cryptography'
LAF Crypto failed to import!
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.

b8engl said:
@runningnak3d how to import cryptography?
PHP:
[[email protected] lglaf]$ python3 lglaf.py
LAF Crypto failed to import! Error: No module named 'cryptography'
LAF Crypto failed to import!
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
Click to expand...
Click to collapse
Code:
sudo pip3 install cryptography
But if that is FWUL (and it looks like it is from the prompt), it should have all the Python modules installed. Weird.
-- Brian

PHP:
[[email protected] lglaf]$ git pull
Already up to date.
[[email protected] lglaf]$ python3 lglaf.py
LAF Crypto failed to import! Error: No module named 'cryptography'
LAF Crypto failed to import!
LGLAF.py by Peter Wu ([url]https://lekensteyn.nl/lglaf[/url])
Type a shell command to execute or "exit" to leave.
# whoami
lglaf.py:665: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
_logger.warn(e)
LGLAF.py: WARNING: name 'laf_crypto' is not defined
# !EXEC toybox whoami\0
LGLAF.py: WARNING: name 'laf_crypto' is not defined
# !EXEC /system/bin/toybox whoami\0
LGLAF.py: WARNING: name 'laf_crypto' is not defined
#
---------- Post added at 10:44 PM ---------- Previous post was at 10:37 PM ----------
Downloading new version from FWUL...
---------- Post added at 11:07 PM ---------- Previous post was at 10:44 PM ----------
well...I switch to lekensteyn version, and this happened:
PHP:
[[email protected] lglafng]$ python3 lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# whoami
lglaf.py:564: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
_logger.warn(e)
LGLAF.py: WARNING: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)
# !EXEC toybox whoami\0
LGLAF.py: WARNING: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)
# !EXEC /system/bin/toybox whoami\0
LGLAF.py: WARNING: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)
#
Then I try:
PHP:
[[email protected] lglafng]$ git pull
remote: Enumerating objects: 118, done.
remote: Counting objects: 100% (116/116), done.
remote: Compressing objects: 100% (59/59), done.
remote: Total 103 (delta 69), reused 77 (delta 44), pack-reused 0
Receiving objects: 100% (103/103), 46.09 KiB | 1.18 MiB/s, done.
Resolving deltas: 100% (69/69), completed with 6 local objects.
From https://github.com/steadfasterX/lglaf
* [new branch] develop -> origin/develop
b012319..c68c778 ufs-test -> origin/ufs-test
Already up to date.
[[email protected] lglafng]$ git checkout develop
Branch 'develop' set up to track remote branch 'develop' from 'origin'.
Switched to a new branch 'develop'
[[email protected] lglafng]$ python3 lglaf.py
LAF Crypto failed to import! Error: No module named 'cryptography'
LAF Crypto failed to import!
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
#

Well I just got an LG v35 from AT&T a couple days ago and I was just getting on here to find out if there is a easy way of rooting I'm not technically not knowledgeable like everybody else here is so I was just looking for an easy way something that I could understand some way that I can root I also have the LG V10 the from AT&T that from my understanding you're not able to root those

@runningnak3d I've managed to get this working on gnome... what do you need next?
PHP:
[email protected]:~/lglaf$ sudo python3 lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# whoami
Hello, I am LAF. Nice to meet you.# !EXEC toybox whoami\0
Hello, I am LAF. Nice to meet you.# !EXEC /system/bin/toybox whoami\0

Related

SOLUTION: S-ON HTC Wildfire S Downgrade Error "Main Version is Older. Update fail."
Like a few people I have been trying to debrand my S-ON Wildfire S by flashing an official HTC ROM. Since my phone shipped with a later version number (1.34.110.3), the bootloader would refuse to flash the latest Official HTC ROM (1.33.401.2) even with a gold card!
Luckily I've now managed to bypass this error by hex editing and reflashing the misc partition. The following method should allow you to downgrade to any signed HTC ROM no matter what version you currently have installed, even if your phone is S-ON.
Warning: You could probably brick your phone if you flash an invalid misc partition. So follow these steps carefully (or not at all)! Also, if you flash a very recent ROM, you may not be able to use these steps to downgrade again!
Ensure you have the HTC Sync USB drivers installed then download the zip at mediafire.com/?wxf6y4yq6d6nc8d containing the tools you need, and an official HTC ROM executable. I used the ROM at filefactory.com/file/cbd7165.
Connect your phone via USB and select the HTC sync option when prompted. Also ensure that USB debugging is enabled (this is the default).
Extract the zip and open a windows command prompt and browse to the directory where you extracted the files.
Execute the following commands in the command prompt:
Code:
adb push flash_image /sdcard/flash_image
adb push GingerBreak /data/local/tmp/GingerBreak
adb shell chmod 777 /data/local/tmp/GingerBreak
Now enter the interactive shell mode with the following command:
Code:
adb shell
Gain temporary root access by executing the following command within the interactive shell:
Code:
./data/local/tmp/GingerBreak
Ensure that it has worked successfully (the shell prompt should change from $ to #).
As root now execute the following commands:
Code:
cat /dev/mtd/mtd0 > /sdcard/misc.img
cat /sdcard/flash_image > /data/flash_image
chmod 777 /data/flash_image
Now exit from root permissions. The shell prompt should change back to a $.
Code:
exit
Clean up a few files and exit from adb.
Code:
rm /data/local/tmp/sh
rm /data/local/tmp/boomsh
exit
Copy the image file from your SD card using the command:
Code:
adb pull /sdcard/misc.img misc.img
Run HxD.exe, select "OK" at the prompt then File -> Open and locate misc.img (which is in the current directory). On the 11th line you should see the version number of your current ROM, change this to a lower number. I set my version number to 1.30.401.0 since this was the version number of the previous official HTC ROM. The changes made will be highlighted in red. File -> Save As and name it misc2.img.
Copy misc2.img to your SD card using the following command:
Code:
adb push misc2.img /sdcard/misc2.img
Reboot your phone so that you can use GingerBreak again to attain temporary root privileges. (This may not be strictly necessary, but I think it's worthwhile just in case.)
Once it's back and you've connected via USB using the HTC Sync option again, issue the following commands in your command prompt:
Code:
adb shell
./data/local/tmp/GingerBreak
/data/flash_image misc /sdcard/misc2.img
Now run the official ROM installer executable as normal. Note that the installer may state your current version number but this is ignored and you should be able to downgrade successfully!
Let me know if you have any problems.
Confirmed Working on:
TMobile UK 1.34.110.3 + HBOOT 0.90.0.0
TMobile Polska 1.30.401.2 + HBOOT 0.90.0.0

You also have/had the 1.03.0000 hboot?
I get:
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 0000 GOT start: 0x00014360 GOT end: 0x000143a0
And it stays there...

The hboot version I have is 0.90.0000, but I don't see why this wouldn't work for any version.
How long are you waiting for it to complete? Like it says, it can sometimes take a while for the exploit to take effect. Sometimes it took up to a minute for me.
Every time you use GingerBreak you should make sure that you remove sh, boomsh and crashlog if they exist, reboot your phone then push and chmod GingerBreak again.
Code:
adb shell
rm /data/local/tmp/sh
rm /data/local/tmp/boomsh
rm /data/local/tmp/crashlog
exit
** restart phone **
adb push GingerBreak /data/local/tmp/GingerBreak
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak

11 row
In my misc.img 11th row look like this:
should I change 9.0.0.0 to 1.30.401.0 ?? My current rom is TMobile PL 1.30.401.2.

m3ritum said:
should I change 9.0.0.0 to 1.30.401.0 ?? My current rom is TMobile PL 1.30.401.2.
Click to expand...
Click to collapse
It seems unusual that your ROM has a 9.0.0.0 version number
But, yes, as long as 1.30.401.0 is lower than the version number of the RUU you are intending to flash, it should be fine. If it doesn't work you can use flash_image to reflash misc.img to get back the old version number.

I tried it again after remove commands and rebooting but no luck... Waited +5mins and nothing happened.
I guess the new HBOOT is the problem.

sammyke007 said:
I tried it again after remove commands and rebooting but no luck... Waited +5mins and nothing happened.
I guess the new HBOOT is the problem.
Click to expand...
Click to collapse
Maybe the GingerBreak exploit is patched on your ROM...

Beer for U mphi it works great !!!

If this has worked for you, please can you post your previous ROM version number and your HBOOT version? I'll keep a list of working version numbers updated in the first post. Thanks!

Sure, ROM was branded TMobile Polska 1.30.401.2 and Hboot is 0.90.0.0.
Now I have unbranded 1.30.401.2.

m3ritum said:
Sure, ROM was branded TMobile Polska 1.30.401.2 and Hboot is 0.90.0.0.
Now I have unbranded 1.30.401.2.
Click to expand...
Click to collapse
Hey there, I flashed my phone with
RUU_Marvel_Sasktel_Canada_WWE_1.58.669.2_Radio_47.10c.35.3030_7.47.36.19M_release_199460_signed
hoping it would be unlocked, but now it means I cannot use your method which I previously used. I think I'm stuck on this until a new ROM comes out.. D:
Just giving people a heads up so they don't hit a wall like I did, and hope you can create a work around THANKS!!
//Edit
The only way to fix this is to get S-OFF right? *Looks like I'm forking out the cash lol*

snowie72 said:
Hey there, I flashed my phone with
RUU_Marvel_Sasktel_Canada_WWE_1.58.669.2_Radio_47.10c.35.3030_7.47.36.19M_release_199460_signed
hoping it would be unlocked, but now it means I cannot use your method which I previously used. I think I'm stuck on this until a new ROM comes out.. D:
Just giving people a heads up so they don't hit a wall like I did, and hope you can create a work around THANKS!!
//Edit
The only way to fix this is to get S-OFF right? *Looks like I'm forking out the cash lol*
Click to expand...
Click to collapse
Ahh, the GingerBread exploit must have been patched in that ROM then. It's a double-edged sword really; if you were running a ROM that is unpatched a malicious app could take full control of your phone...
Having said that, it still might be possible to enter recovery mode and reflash without S-OFF, but I really haven't done much research and wouldn't know where to start

Its just a shame there is not much going on in this section compared to other phones, lol.
I'm just going to take it into to town and get it unlocked for cash on the weekend, then save for a Galaxy S2.

Does not work for me with Wildfire S HBoot 0.90 and European T-Com ROM 1.34.11.5

Hi!
I had the same 11th line as on picture - 9.0.0.0.
I put the tutorial values and a solutions works 4 me as well.
I don't remember ROM version but was branded for tmobile polska, and I'm sure that was never than 1.30.401.2. - something like 1.33.xxxx or even 1.35.xxxx
After all I tried a goldcard method - now works fine.
Many thanks for a solution!!

Chinese to european ROM
Hi
I'm trying to install the euro ROM (1.33...) using the goldcard metod in my Wildfire S but I get the downgrade error (now I'm running a 1.38... version and 0.90.0000 HBOOT).
Now I'm in China and I don't know why can't visit mediafire for download the zip with the files that I need for follow this tuto. Is there some alternative web for get this files?
Another question is if in the future will be a euro version newer than the chinese one that allow me to change the ROM without do the practice of this tuto.
I have not a lot of experience doing this, so it will be grat and easier for me
Thanks in advance!!

There's no way to tell if there will be a newer official HTC ROM > 1.38..., but if there is, you should be able to download without this tutorial.
I've re-uploaded the files to a few more filehosts, hopefully you can access at least one of them:
http://www.megaupload.com/?d=OKI8MVO1
http://depositfiles.com/en/files/fodci19ux
http://www.zshare.net/download/926497736bd36c1c/
http://uploading.com/files/9fa81218/tools.zip/
http://www.filesonic.com/file/1452304874/tools.zip
http://hotfile.com/dl/124169210/fc79b70/tools.zip.html

Thanks mphi!!
Yesterday was my first post. Im very lucky to enjoy this comunity

hi i get an error after part 11 i get access denied

Can't get root permissions
sammyke007 said:
I get:
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 0000 GOT start: 0x00014360 GOT end: 0x000143a0
And it stays there...
Click to expand...
Click to collapse
Same problem
I'm running HBOOT 0.90.0000 an my rom is 1.38.1400.5, official HTC chinese ROM

Hi!
As with Galaxy S2, I have ported the u-boot bootloader to the Galaxy Nexus. It can be chainloaded from samsung bootloader (loaded instead of linux kernel) safely.
It could be useful to have multiple ROMs on one device or test other OS like Ubuntu or Genode.
Detailed installation guide is available at Ksys Labs LLC wiki http://ksyslabs.org/doku.php?id=gnex_uboot .I'll just copy-paste it here
Happy hacking and don't forget to visit our wiki at http://ksyslabs.org !
===== Rationale ======
There were a couple reasons to port u-boot to Galaxy Nexus
* Security: we cannot trust the proprietary samsung bootloader
* Implementing dual-boot for original and custom firmware
* Booting Genode operating system
===== Demo =====
===== Compilation from source =====
Source code is in https://github.com/Ksys-labs/uboot-tuna
There exist two branches of interest
* master - contains the official stable releases. may be force-pushed and rebased, beware
* tuna-fosdem-hacks contains the u-boot that was used for FOSDEM 2013 to demo booting Genode
To compile, you need to have the ARM cross-compiler. I recommend codesourcery 2010q1-188 because that's what I'm using and some users reported that newer compilers produce broken binaries.
There are two ways to use the u-boot. One is flashing it instead of the Samsung SBL bootloader. The other one is chainloading it from the SBL.
Flashing instead of SBL has the following advantages
* Faster boot time than chainloading
* Ability to use the standard partitioning layout
There is a number of issues and therefore we do not recommend flashing it instead of SBL
* No Fastboot support (preliminary USB RNDIS and DHCP BOOTP support is available), you'll have to use OMAPFlash to restore the device if you flash a non-working kernel
* No display initialization. You'll have to disable the "Check for Bootloader initialization" option in kernel config
By default, the chainloaded version is compiled. It is loaded (by the SBL) to the address **0x81808000**.
If you want to build the SBL replacement version, edit the **include/configs/omap4_tuna.h** file and uncomment the **#define TUNA_SPL_BUILD** line. X-loader loads the bootloader to the address **0xa0208000**.
Code:
export PATH=/home/alexander/handhelds/armv6/codesourcery/bin:$PATH
export ARCH=arm
export CROSS_COMPILE=arm-none-eabi-
U_BOARD=omap4_tuna
make clean
make distclean
make ${U_BOARD}_config
make -j8 ${U_BOARD}
mkbootimg --kernel u-boot.bin --ramdisk /dev/null -o u-boot.aimg
===== Installation =====
==== Chainloaded Mode ====
You'll need the root access to your device.
You can take the prebuilt u-boot here. http://ksyslabs.org/lib/exe/fetch.php?media=gnex-uboot-chainloaded.img
The u-boot has the support for android boot images. When flashed instead of the SBL, it boots the kernel off the "Boot" partition. When chainloaded, it looks for the kernel in **/system/boot/vmlinux.uimg** . Additionally, it first looks for the **/system/boot/boot.scr.uimg** so you can put custom commands there and override the kernel image.
It also supports booting custom images from **/sdcard/boot/vmlinux.uimg** and **/sdcard/boot/boot.scr.uimg**
If you need larger images, I suggest that you use the **tuna-fosdem-hacks** branch, format the cache partition to ext2 and put the files to **/cache/media/boot/**
push the files to your device via adb
Code:
adb push gnex-uboot-chainloaded.img /sdcard/
adb hell
now, in the device shell, do the following
Code:
su
cat /dev/block/platform/omap/omap_hsmmc.0/by-name/boot > /sdcard/vmlinux.uimg
mount -o remount,rw /system
mkdir /system/boot
cp /sdcard/vmlinux.uimg /system/boot/
cat /sdcard/gnex-uboot-chainloaded.img > /dev/block/platform/omap/omap_hsmmc.0/by-name/boot
sync
reboot
Instead of installing gnex-uboot-chainloaded.img via dd, you can use fastboot
Code:
fastboot flash:raw boot u-boot.img
===== Replacing samsung bootloader =====
OMAP4 devices cannot be bricked completely because the CPU has a firmware loader in the OTP (one-time programmable) memory. When the device is powered, it tries booting from USB.
Make sure to have an old version of x-loader (PRIMEKK14) because newer ones have the security hole which allowed booting unsigned bootloaders fixed. The installation procedure is roughly the same, but use **sbl** partition. And also install xloader from http://ksyslabs.org/lib/exe/fetch.php?media=gnex-xloader-working.img
Code:
adb push gnex-xloader-working.img /sdcard/
Code:
cat /sdcard/gnex-xloader-working.img > /dev/block/platform/omap/omap_hsmmc.0/by-name/xloader
There exists a Samsung recovery tool which can unbrick the devices with corrupted xloader/SBL. You will need a computer running Windows XP.
Search the internet for the archive named "OMAPFlash_tuna.zip" which has md5 "ddbf07a1d36b044c40af5788a83b5395". We cannot upload it here because of the unclear license status.
===== Making images =====
You can either use Android's mkbootimg to produce ANDROID! type images (not recommended) or u-boot's mkimage (in the u-boot tools directory) to make boot images. Using ANDROID! format is discouraged because the loader code in the u-boot is buggy and may fail in some corner cases such as large images.
==== making a custom boot image ====
Code:
mkimage -A arm -O linux -T kernel -C none -a 0x80008000 -e 0x80008000 -n linux -d zImage vmlinux.uimg
#alternatively, just do that when compiling linux
#do not forget to add mkimage to your PATH variable
make uImage
==== making a custom boot script ====
Code:
mkimage -A arm -O linux -T script -C none -a 0x84000000 -e 0x84000000 -n android -d boot.scr boot.scr.uimg
===== Booting Modes =====
The bootloader supports several boot modes. Each boot mode is indicated by the color of the LED and activated by a combination of hardware buttons. It also supports the Android "reboot to recovery" and "reboot to bootloader" features
* Normal Boot -> no keys are pressed, cyan LED
* Recovery Boot -> Volume Up key pressed, green LED
* Custom Boot -> Volume Down key pressed, blue LED
* USB RNDIS mode -> both Volume keys pressed, purple LED
===== Pitfalls =====
* No Fastboot or DFU (RNDIS BOOTP is untested) -> not a big deal if you're chainloading, right?
* Serial number is always 0123456789abcdef or sth like that. Anyone to fix that?
* UART support is quirky. The device will likely hang if booted with the UART cable. Workaround: boot without the UART cable and plug right after the purple LED flashes.
===== A sample boot script for android =====
Make a boot.scr.uimg from it and push it to the correct location.
Code:
setenv bootargs "mem=1G vmalloc=768M omap_wdt.timer_margin=30 mms_ts.panel_id=18
no_console_suspend console=ttyFIQ0";
setenv loaddaddr 0x82000000;
setenv devtype mmc;
setenv devnum 0;
setenv kernel_part 0xc;
setenv kernel_name /media/boot/vmlinux.uimg;
echo Load Address: ${loaddaddr};
echo cmdline:${bootargs};
if ext4load ${devtype} ${devnum}:${kernel_part} ${loaddaddr} ${kernel_name}; then
bootm ${loaddaddr};
exit 0;
elif ext2load ${devtype} ${devnum}:${kernel_part} ${loaddaddr} ${kernel_name}; then
bootm ${loaddaddr};
exit 0;
else
echo failed to boot custom image;
fi

Nice!
Before there actually wasn't any dual boot stuff for Nexus but now there is really much....
I will laugh if someone ports still another dual boot loader to Nexus, E.g BootiQi dual boot loader or what it is..., (for Jét it is JétQi) but I don't remember the original dual boot files names...

Any toro support?
Sent from my Galaxy Nexus using xda app-developers app

saber.srod said:
Any toro support?
Sent from my Galaxy Nexus using xda app-developers app
Click to expand...
Click to collapse
You may try it out. It is flashed instead of kernel, not overwriting the bootloader, so should be safe. As we don't have any Toro devices, we're not particularly interested in providing support for them unless someone steps up with a patch

Also, make sure to have an old version of x-loader (PRIMEKK14) because newer ones have the security hole which allowed booting unsigned bootloaders fixed.
Click to expand...
Click to collapse
do you have PRIMEKK14 file?
cause I couldn't find it on this thread:
http://forum.xda-developers.com/showthread.php?t=1587498
or this one is PRIMEKK14?
http://ksyslabs.org/lib/exe/fetch.php?media=gnex-xloader-working.img
any enlightenment please?

savantist said:
do you have PRIMEKK14 file?
cause I couldn't find it on this thread:
http://forum.xda-developers.com/showthread.php?t=1587498
or this one is PRIMEKK14?
http://ksyslabs.org/lib/exe/fetch.php?media=gnex-xloader-working.img
any enlightenment please?
Click to expand...
Click to collapse
The latter one is the one I'm using on my phone so it should work.

sp3dev said:
The latter one is the one I'm using on my phone so it should work.
Click to expand...
Click to collapse
I wanna use the chainloaded method, so first thing I should do is fastboot-ing that .img just like another bootloader file? then chainload the u-boot file?
but it looks like I'm replacing samsung SBL (replacing SBL method) if I do that, doesn't it?

savantist said:
I wanna use the chainloaded method, so first thing I should do is fastboot-ing that .img just like another bootloader file? then chainload the u-boot file?
but it looks like I'm replacing samsung SBL (replacing SBL method) if I do that, doesn't it?
Click to expand...
Click to collapse
Yes, you can actually fastboot it via
"fastboot flash:raw boot u-boot.img"
and no, you don't need to mess with xloader for chainloading

sp3dev said:
Yes, you can actually fastboot it via
"fastboot flash:raw boot u-boot.img"
and no, you don't need to mess with xloader for chainloading
Click to expand...
Click to collapse
so it's ok to do chainloading in PRIMELC03 bootloader? If yes, I'm success...

finally "The Great Sp3dev"
nice work like always,
playing with it now,let's see where it goes
Sent from my Galaxy Nexus using xda premium

sp3dev said:
The latter one is the one I'm using on my phone so it should work.
Click to expand...
Click to collapse
ah, I bricked my phone with your gnex-xloader-working using following script... It is only 128K. Is that right?
Code:
cat /sdcard/gnex-xloader-working.img > /dev/block/platform/omap/omap_hsmmc.0/by-name/xloader
Is PRIMEKK14 bootloader the only one to work since we only have http://forum.xda-developers.com/showthread.php?t=1587498 this thread for bootloader and there's no flashable version of PRIMEKK14?
I use OMAPFlash to save it having PRIMEKK15 bootloader and I do not have the courage to do it again...

dlhxr said:
ah, I bricked my phone with your gnex-xloader-working using following script... It is only 128K. Is that right?
Code:
cat /sdcard/gnex-xloader-working.img > /dev/block/platform/omap/omap_hsmmc.0/by-name/xloader
Is PRIMEKK14 bootloader the only one to work since we only have http://forum.xda-developers.com/showthread.php?t=1587498 this thread for bootloader and there's no flashable version of PRIMEKK14?
I use OMAPFlash to save it having PRIMEKK15 bootloader and I do not have the courage to do it again...
Click to expand...
Click to collapse
Oh well, I specially edited the post so that chainloaded users don't flash loader. You only need the xloaded if you flash u-boot instead of SBL. Otherwise, treat u-boot just as linux kernel.
As for replacing bootloader, I guess PRIMEKK15 should also work, I just didn't notice when the security check was introduced. Yeah, use OMAPFlash to recover anyway. And note that you cannot use my precompiled u-boot to replace SBL. As written in the beginning of the post, you need to change a define in config and recompile because the load address and partition layout are different for chainloading and direct booting cases.

Very nice! Keep the good work up! :good:

sp3dev said:
Oh well, I specially edited the post so that chainloaded users don't flash loader. You only need the xloaded if you flash u-boot instead of SBL. Otherwise, treat u-boot just as linux kernel.
As for replacing bootloader, I guess PRIMEKK15 should also work, I just didn't notice when the security check was introduced. Yeah, use OMAPFlash to recover anyway. And note that you cannot use my precompiled u-boot to replace SBL. As written in the beginning of the post, you need to change a define in config and recompile because the load address and partition layout are different for chainloading and direct booting cases.
Click to expand...
Click to collapse
Some feedback here. I flashed u-boot to boot partition and save the original boot image to /system/boot/vmlinux.uimg.
Without any key pressed it shows
Code:
Wrong Image Format for boot command
Error: can't get kernel image!
Not booting xxxxxxxxx
Fail to boot
The characters on the screen does not show well and some of them can't be recognized....
When I press the volume up, it boot into recovery.
When I press the volume down, it shows
Code:
File not found /media/boot/vmlinux.uimg
Unrecognized filesystem type
Fail to boot
Something is wrong with my procedure?

Another small question. I want to make a zip to flash the U-boot, but always failed. I have to use fastboot command to flash gnex-uboot-chainloaded.img to boot.img.
What is in my updater-script.
Code:
mount("ext4", "EMMC", "/dev/block/platform/omap/omap_hsmmc.0/by-name/system", "/system");
package_extract_file("gnex-uboot-chainloaded.img", "/tmp/gnex-uboot-chainloaded.img");
package_extract_file("META-INF/com/google/android/switch_boot.sh", "/tmp/switch_boot.sh");
set_perm(0, 0, 0777, "/tmp/switch_boot.sh");
run_program("/tmp/switch_boot.sh");
set_perm(0, 0, 0777, "/system/boot/vmlinux.uimg");
unmount("/system");
What is in my switch_boot.sh
Code:
#!/sbin/sh
cat /dev/block/platform/omap/omap_hsmmc.0/by-name/boot > /tmp/vmlinux.uimg
mkdir /system/boot
cp /tmp/vmlinux.uimg /system/boot/
cat /tmp/gnex-uboot-chainloaded.img /dev/block/platform/omap/omap_hsmmc.0/by-name/boot
It seems the last line doesn't work...
Code:
cat /tmp/gnex-uboot-chainloaded.img /dev/block/platform/omap/omap_hsmmc.0/by-name/boot
If I use the following command in updater-script,
Code:
package_extract_file("gnex-uboot-chainloaded.img", "/dev/block/platform/omap/omap_hsmmc.0/by-name/boot");
The device enters bootloader directly showing no boot image after reboot....

dlhxr said:
If I use the following command in updater-script,
Code:
package_extract_file("gnex-uboot-chainloaded.img", "/dev/block/platform/omap/omap_hsmmc.0/by-name/boot");
The device enters bootloader directly showing no boot image after reboot....
Click to expand...
Click to collapse
That's because SBL expects the boot partition to contain the image in ANDROID! format. It creates the image itself when you flash via fastboot with the ":raw" suffix.
Try that
Code:
mkbootimg --kernel gnex-uboot-chainloaded.img --ramdisk /dev/null -o u-boot.aimg
Not sure why the original boot image didn't work for you. Are you copying the boot.img to vmlinux.uimg or the raw zImage? you should do the former, the u-boot expects either the "ANDROID!" image or the one made with mkimage.
If anything, you could try repacking the boot image yourself or try mine to see if it boots (it's for jb 4.1.1 though)
http://rghost.ru/44686398

chainloading method, in fact it works on PRIMELC03 too...
btw,
if I flash the xloader (replacing bootloader method), then how am I gonna back to original samsung bootloader/PRIMELC03 since there isn't fastboot support in your u-boot bootloader?
using odin? or omapflash? :crying:
thanks.

savantist said:
chainloading method, in fact it works on PRIMELC03 too...
Click to expand...
Click to collapse
ok, I probably didn't make it clear enough. chainloading works with any bootloader and is safe.
savantist said:
btw,
if I flash the xloader (replacing bootloader method), then how am I gonna back to original samsung bootloader/PRIMELC03 since there isn't fastboot support in your u-boot bootloader?
using odin? or omapflash? :crying:
thanks.
Click to expand...
Click to collapse
if you can boot android or recovery, thenuse dd it to /dev/block/blah-blah-blah, otherwise - omapflash.

sp3dev said:
ok, I probably didn't make it clear enough. chainloading works with any bootloader and is safe.
if you can boot android or recovery, thenuse dd it to /dev/block/blah-blah-blah, otherwise - omapflash.
Click to expand...
Click to collapse
you wrote it on wrong part on first page yesterday, makes me little bit confused, but it's corrected now...
but to do "replacing bootloader method", one should flash PRIMEKK14 or PRIMEKK15 bootloader before, right?
wow... omapflash...

savantist said:
you wrote it on wrong part on first page yesterday, makes me little bit confused, but it's corrected now...
but to do "replacing bootloader method", one should flash PRIMEKK14 or PRIMEKK15 bootloader before, right?
wow... omapflash...
Click to expand...
Click to collapse
well, some bootloaders after PRIMEKK may work, but I have not tested and we had some new phones with the recent firmware versions from stock, and u-boot failed to work there until xloader was downgraded

The Teclast X70 3G SoFIA Atom x3-C3130 Quad Core 7 Inch Android 4.4 Tablet is a very cheap tablet with some pretty good specifications, lets have a look on these here:
- Android 4.4 OS
- 7 inch 1024x600 IPS capacitive touch screen
- SoFIA Atom x3-C3130 Quad Core Max 1.8GHz
- 512MB LPDDR2 RAM and 4GB EMMC
- Support Bluetooth/WIFI/GPS/OTG/3G Phone Call function
- Front 0.3MP + Rear 2.0MP camera
- 187*113*8.9mm and 270g
What I especially like about it is the very cool slim design. Typical for other cheap tablets is that they are normally bulky and cheaplooking. But not the Teclast X70, it still looks really nice.
It should come with preinstalled Youtube/Facebook/Twitter/MSN/Android market/Skype/Calculator/Google Mail/Google maps/iReader/Quick Office. And support audio types like MP3/WMA/FLAC/OGG/AAC/WAV/APE.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

Great device, How about battery life?

Battery life sucks, at least on mine, the 2nd available Intel Atom x3 AKA SoFIA on the market but what more can you ask for; an approx USD 79 Android device from Intel...
Been hunting & trying to root this sucker, nothing seems to work ATM & i found the Flash Tool/ USB driver/ Firmware for X70 here mirrored here just in case it disappear... Updates : Found quite a few more here...
More info...
Hacking
After some hex editing, X70 recovery.fls can be unpack, at least there are some leads as adb command only list out its path but not its partition name, this means custom recoveries such as PhilZ Touch or TWRP is possible... Updates : The included FlsTool won't repack it back to the correct fls format...
Intel SoFIA uses 2ndbootloader
Code:
[COLOR="blue"]mkbootimg[/COLOR]
usage: mkbootimg
--kernel <filename>
--ramdisk <filename>
[ [COLOR="Blue"]--second <2ndbootloader-filename>[/COLOR] ]
[ --cmdline <kernel-commandline> ]
[ --board <boardname> ]
[ --base <address> ]
[ --pagesize <pagesize> ]
-o|--output <filename>
Use osm0sis's AIK or Carliv's CIK to unpack/ repack... :good:
adb shell ls -l /dev/block/platform/soc0/e0000000.noc/by-name
Code:
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID001 -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID022 -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID068 -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID069 -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID070 -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID071 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID074 -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID076 -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID115 -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID118 -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID119 -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID120 -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID121 -> /dev/block/mmcblk0p13
recovery.fstab
Code:
#
# Copyright (C) 2013 Intel Mobile Communications GmbH
#
# Sec Class: Intel Confidential (IC)
#
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags and options> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
#
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID068 /system ext4 defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID069 /data ext4 defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID070 /cache ext4 defaults defaults
/dev/block/mmcblk1p1 /sdcard vfat defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID076 /nvm_fs_partition ext4 defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID074 /misc emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID071 /boot emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119 /recovery emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID120 /recoverym emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID001 /mobilevisor emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID013 /splash_screen emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID115 /mvconfig emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID118 /secvm emmc defaults defaults
fstab.sofia3g
Code:
#
# Copyright (C) 2013 Intel Mobile Communications GmbH
#
# Sec Class: Intel Confidential (IC)
#
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags and options> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
#
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID068 /system ext4 ro wait
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID069 /data ext4 nosuid,journal_async_commit,nodev,nodiratime,noatime,noauto_da_alloc,discard,data=ordered wait,encryptable=footer
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID070 /cache ext4 nosuid,nodev wait
/devices/soc0/e0000000.noc/ef010000.l2_noc/e1000000.ahb_per/e1400000.sd/mmc_host/mmc1 auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd
/devices/soc0/e0000000.noc/ef010000.l2_noc/e2000000.ahb_per/e2100000.usb/usb1 auto auto defaults voldmanaged=usbdisk:auto
#/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID076 /nvm_fs_partition ext4 nosuid,nodev,data=journal wait,check
To reboot to stock 3e recovery
With the device at power off state, USB cable unplug, press & hold Volume Up, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding Volume Up until you see the boot logo then let go & it boots up the stock 3e recovery.
To reboot to fastboot
There is no button combination to boot to fastboot however with the adb command -> adb reboot fastboot, you can boot to fastboot with correct adb driver installed at all the 3 modes...
At fully booted up Android OS
Even while the device at off-state ! (Charger init)
And the unknown Safe mode
There is no Intel Droidboot only distorted yellow screen but fastboot command works.
fastboot
fastboot getvar all
Code:
(bootloader) version-baseband: 23569
(bootloader) version-bootloader: 1525.100_M1S1
(bootloader) product: SF_3G
(bootloader) secure: NO
(bootloader) [COLOR="Blue"]unlocked: [B]NO[/B][/COLOR]
(bootloader) off-mode-charge: 1
(bootloader) ========== parition type ==========
(bootloader) system parition type: ext4
(bootloader) userdata parition type: ext4
(bootloader) cache parition type: ext4
(bootloader) radio parition type: raw
(bootloader) dsp parition type: raw
(bootloader) hypervisor parition type: raw
(bootloader) boot parition type: raw
(bootloader) recovery parition type: raw
(bootloader) splash parition type: raw
(bootloader) mvconfig parition type: raw
(bootloader) secvm parition type: raw
(bootloader) prg parition type: raw
(bootloader) psi parition type: raw
(bootloader) slb parition type: raw
(bootloader) nvm parition type: raw
(bootloader) ucode_patch parition type: raw
(bootloader) ===================================
(bootloader) ========== parition size ==========
(bootloader) system parition size: 0x40000000
(bootloader) userdata parition size: 0x4b960000
(bootloader) cache parition size: 0x40000000
(bootloader) radio parition size: 0x0
(bootloader) dsp parition size: 0x0
(bootloader) hypervisor parition size: 0x100000
(bootloader) boot parition size: 0x1080000
(bootloader) recovery parition size: 0x1180000
(bootloader) splash parition size: 0xa80000
(bootloader) mvconfig parition size: 0x80000
(bootloader) secvm parition size: 0x400800
(bootloader) prg parition size: 0x800
(bootloader) psi parition size: 0x20000
(bootloader) slb parition size: 0x100800
(bootloader) nvm parition size: 0x180000
(bootloader) ucode_patch parition size: 0x3800
(bootloader) ===================================
(bootloader) max-download-size: 0x38fff00
all:
finished. total time: 0.215s
fastboot oem unlock
Code:
...
(bootloader) Unlocking the bootloader means the following:
(bootloader) All user data will be deleted
(bootloader) Any securely stored data will be inaccessible
(bootloader) Warranty will be void
(bootloader) After unlocking you have to execute
(bootloader) > fastboot format userdata
(bootloader) > fastboot format cache
(bootloader) or carry out a factory reset from recovery
(bootloader) To confirm the unlock, please execute the command
(bootloader) > fastboot oem unlock confirm
OKAY [ 0.050s]
finished. total time: 0.050s
i don't intend to unlock mine yet as it will be getting LP update soon or i won't be able to update it, i donno... Initial look at the Flash Tool, tutorial, it seems SoFIA devices should be unbrickable & should be upgradable too, in spite of unlocked bootloader & rooting however i wouldn't want to risk it...
Updates : fastboot flash recovery twrp-recovery.img doesn't work... Flashing the Firmware doesn't overwrite the bootloader, it will remain unlock if you have unlocked it, fastboot oem lock doesn't work...
Unknown PTEST mode
To boot to PTEST mode => With the device at power off state, USB cable unplug, press & hold both Volume Up + Down, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding both volume button until you see boot logo then let go & it boots up to a screen that says...
Code:
Press volume up or down key to exit PTEST Mode
Now plug-in USB cable to PC
Unknown device at Device Manager
For adb, you can use google adb driver
One of the CDC is Intel USB, use the one included in the Flash USB Driver folder
i've tried alot of CDC driver, non-worked, except for MediaTek CDC driver that i have, seems compatible, attach below CDC.zip...
All the drivers needed for Flash Tool to work are installed
As the device i own is not X70, i only tried the upload, seems to be working except for a compatible ebl.fls is needed for a successful upload...
Final Note
Use this guide at your own risk !
Unknown Safe mode
With the device at power off state, USB cable unplug, press & hold Volume Down, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding Volume Down until it boots up
View attachment 3417538
Safe mode at the bottom left corner
Manage to unpack X70 system.img too...
Updates
Hmm, Chuwi Vi7 seems to be the exact clone, wonder if the firmware can be used on X70 or mine... Not compatible... Even X70 system.img won't boot on mine...
Further digging, its a single SIM device C3230 with better spec...
Cross-comparison
Found a few more X3...
Vido M7S
Onda V719 3Gs
Digma Plane 7.7
4good T700i
mediacom smartpad iPro 3G
iBall Slide Brillante
BLUEING S706
Updates - 08-Aug-2015
Found out my device is in fact actually an oem of X70 & damn Intel for making such cheap device while you can't even use fastboot to install custom recoveries to root it...
Updates : Hmm, it seems to be an oem of an oem, found it on default.prop...
There seems to be some headers needed to boot up the recovery, found out the included FlashTool has a back-end DOS program that can unpack & extract image parts from the FLS file.
Code:
[COLOR="Blue"]FlsTool -x recovery.fls[/COLOR]
FlsTool v.1.20
[Loading] recovery.fls (Fls2)
[Extract] 13905 recovery/meta.json
[Extract] 844 recovery/recovery.fls_inj_PSI_ver.txt
[Extract] 914 recovery/recovery.fls_inj_EBL_ver.txt
[Extract] 64320 recovery/recovery.fls_inj_PSI.bin
[Extract] 144084 recovery/recovery.fls_inj_EBL.bin
[Extract] 2048 recovery/recovery.fls_ID0_CUST_SecureBlock.bin
[Extract] 617168 recovery/recovery.fls_ID0_CUST_LoadMap0.bin
[Extract] 32430 recovery/recovery.fls_ID0_CUST_LoadMap1.bin
[Extract] 7786496 recovery/[COLOR="Blue"]recovery.fls_ID0_CUST_LoadMap2.bin[/COLOR]
recovery.fls_ID0_CUST_LoadMap2.bin is the stock 3e recovery.img
Need to figure out the correct way to repack the stock 3e recovery.fls & when it boots then will try it out on the ported TWRP, hopefully it boots too...
In the mean time, i have also contacted Intel, hopefully they'll respond or we'll have to figured ourselves how to repack custom recoveries so that it'll boot on our device to root it or wait for exploit root software to work on our SoFIA x3 device... Updates : They never respond...
Anyone wants to explore then here is the Guide, FlashTool & Firmware for my device... Not compatible for X70
Updates - 10-Aug-2015
Feedback from our Russian counterpart seems true that X70 recovery partition size is only 8MB only, no custom recoveries would fit except old version !
Code:
FlsTool v.1.20
This tool can do several different operations of FLS files.
Use the 'Action' option to select to required operation.
Actions:
-p [ --pack ] Packing multiple FLS files into one
-i [ --inject ] Inject NVM, Certificates or Security into FLS file
-x [ --extract ] Extract all image parts from the FLS file(s)
--extract-fls Extract embedded files from the FLS file(s)
--extract-prg Extract PRG file
-b [ --to-bin ] Convert a single Hex file to binary file
--hex-to-fls Create an Fls from a Prg file
--sign Formerly known as FlsSign
--to-fls2 [ arg ] Force output file format to Fls2
--to-fls3 [ arg ] Force output file format to Fls3
-d [ --dump ] Dump the meta data of an FLS file.
--sec-pack Dump all SecPack data of an FLS file.
HexToFls options:
--prg arg Choose a PRG file to create the Fls from
--psi arg Add a PSI to the Fls file (replaces if '-r' option)
--ebl arg Add an EBL to the Fls file (replaces if '-r' option)
--meta arg Inject any meta file to the Fls file (Equal to --version or -v in HexToFls)
--xml arg Add an XML file to the Fls file (replaces if '-r' option)
--zip arg Add a ZIP file to the Fls file (replaces if '-r' option)
--script arg Add a Script file to the Fls file (replaces if '-r' option)
--tag arg Specifies the memory region tag to insert the input file (replaces if '-r' option)
Inject options:
-n [ --nvm-path ] arg Path to the NVM input files
Generic Options:
-o [ --output ] arg Output path
-r [ --replace ] [ arg ] Defaults to replace when trying to add a section which is already existing
-v [ --verbose ] [ arg ] Set verbosity
--prompt [ arg ] Prompt before quitting
--version Show the version of this tool
-h [ --help ] Show command line help
Please specify an input file
Code:
FlsTool -d recovery.fls > partlist.txt
Code:
{
"addr": "0x1CC00000",
"length": "[COLOR="Blue"]0x00800000[/COLOR]",
"class": "Cust",
"tag": "RECOVERY:3#77",
"options": [ ],
},
recovery partition size of 0x00800000 in decimal is 8388608 = 8MB only...
X70 Flash Tool Driver Installation & firmware download
Typically, installing the Intel USB driver that comes with the firmware will work ( right-click it & Run as Administrator ) & if it doesn't then follow below guide.
With the device at power off state, USB cable unplug, open Device Manager, plugin the USB cable & an unknown device will appear, quickly double-click it & manually install the FlashUSB.inf included in the FlashUSB_Driver folder.
To download the firmware successfully, follow the guide that comes with it.
Again : Use at your own risk
Great product interview/ review by armdevices.net
Updates
Hmm, even Asus Zenpad 7.0 uses the x3 too AKA SoFIA but with better spec, the Z170 series & Z370 series
Updates - 17-08-2015 Finally, got ROOT access
Use FlsTool to download the x70-unsecured-boot.fls then most of the existing exploit rooting software will work, i think...
Updates
WARNING : For heaven sack's, noobs & newbies, pls READ EVERYTHING FIRST before hands on ! On & off, i got just too many pm regarding brick devices... There is only one post so pls read it, unlock your bootloader first before flashing the unsecured boot fls...
If you're using JOI then use JOI-unsecured-boot.fls...
Updates
Feedback seems some are not able to root with existing exploit rooting software, fyi, i manually root mine using adb commands then unroot & only tried iroot/ vroot & it works so i presume Kingo, Baidu & others will work too... Try giving the exploit software a helping hand first before using it...
Code:
adb root
adb remount
Updates - 23-08-2015 Since many still couldn't root it...
i'll share my manual rooting script here...
On Linux
Code:
adb root
sh root.bat
[COLOR="blue"]OR[/COLOR]
chmod 777 root.bat
./root.bat
On Windows
Code:
adb root
root.bat
[COLOR="blue"]OR[/COLOR]
Double-click root.bat
If you don't have a working adb then use the one from here... :good:
What to do once you got ROOT :good:
Install Xposed Installer => XDA :good:
Install GravityBox [KK] => XDA => youtube overviews & tutorials :good:
[GUIDE] Extreme Battery Life Thread ( Greenify+Amplify+Power Nap ) :good:
More info here, enjoy your New Custom ROM with Extreme Battery Life :laugh:
Must have Modules
More Modules
All Modules
Updates - 07-09-2015
Got just too many miss call, i can hardly hear it so i purchase this inexpensive mini bluetooth speaker strap to my sling bag & problem solved... :laugh:
Updates - 09-09-2015 => 4pda users IMEI problem
i've already told you guys here that i'm not able to login b'cos of that site super unreasonable Russian captcha but still nobody post reply here...
i wouldn't even bother to reply when i saw his thread here while the previous user ask exactly the same problem & he don't even bother to reply with the solution that he had...
Funny though, i don't have such IMEI problem after so many flashing on my X70 clone...
Possible other Solutions
Xposed IMEI Changer
Repair imei number in android => On x3, to check IMEI No. is *#06#
Others possible solutions
Updates
Thanks to Invisibot for sharing his findings & solutions for IMEI... :good: Mirrored here the software & the manual just in case it disappear
Updated JOI 7 lite unsecured boot.fls - 13-09-2015
i can't believe oem actually disabled the swap partition until i unpack Chuwi vi7 & discovered how it is enabled...
Huge apks now start up almost immediately though it takes quiet awhile for the OS to stabilize after every reboot but i guess its worth it as apps are more responsive after that...
Updated X70 unsecured boot.fls with swap enabled - 15-09-2015
Added X70 C6F9 unsecured boot.fls with swap enabled - 24-09-2015
X70 C5F9 => 512MB RAM
X70 C6F9 => 1GB RAM
Updates - 2016
Refer to here for TWRP & flash SuperSU to ROOT...

I don't want to be rude, but what's the point in starting a thread for a device, list some official specs but no hands-on? This routine (hunt for thanks or OP threads?) just creates parallel threads on the forum for the same device. I mean, the next person who actually owns or have access to the device and wants to post a real review of it might not want to post it here. That person might want to be the OP for that thread.

MacArthur67 said:
I don't want to be rude, but what's the point in starting a thread for a device, list some official specs but no hands-on? This routine (hunt for thanks or OP threads?) just creates parallel threads on the forum for the same device. I mean, the next person who actually owns or have access to the device and wants to post a real review of it might not want to post it here. That person might want to be the OP for that thread.
Click to expand...
Click to collapse
Well, I actually truly planned to get the device when I created the topic, but changed my mind. If you check my profile and other posts, you would notice that I actually always post a hands-on or review also in my posts if I get the device.
Anyone that actually got the device and want to add a review, can just contact me and I will put in up in post #1 - so no! its not a problem at all.
Parallel threads are not allowed in here, so anyone creating a thread for this, should actually first check if there is an existing one.
There is no real advantage of being a OP for at thread (other than I have a lot of work also answering questions like yours now). If I for instance post your review in #1, I would also write the credits/name for the review so they can thank you and not me.

s7yler said:
Well, I actually truly planned to get the device when I created the topic, but changed my mind. If you check my profile and other posts, you would notice that I actually always post a hands-on or review also in my posts if I get the device.
Anyone that actually got the device and want to add a review, can just contact me and I will put in up in post #1 - so no! its not a problem at all.
Parallel threads are not allowed in here, so anyone creating a thread for this, should actually first check if there is an existing one.
There is no real advantage of being a OP for at thread (other than I have a lot of work also answering questions like yours now). If I for instance post your review in #1, I would also write the credits/name for the review so they can thank you and not me.
Click to expand...
Click to collapse
Yes I know that parallel threads are against the forum rules but a thread with only a news about a forthcoming device is not a real thread on a developer forum. It shouldn't be allowed in the first place in my opinion. This is not a news site/forum so what's the point in just echoing here what you have read in a press release on some other site? If people can read your echo here they can also read the original news where you found it. You seem to mass produce short and very trivial reviews of various devices from some reason and then you always leave the thread more or less. It's very counterproductive on a developer site and it's about time that someone tell you that. I'm just sorry it had to be me. Next time at least wait until you have the device or let people with a real interest in the device start the thread and write the review. You don't need to be an Einstein to understand that on a developer forum it would be a great advantage if the OP of a tread has a real interest in the device the thread is all about. Your interest seems to be something completely different that I can't really figure out, but in any case it's counterproductive on a developer forum. Peace!

MacArthur67 said:
Yes I know that parallel threads are against the forum rules but a thread with only a news about a forthcoming device is not a real thread on a developer forum. It shouldn't be allowed in the first place in my opinion. This is not a news site/forum so what's the point in just echoing here what you have read in a press release on some other site? If people can read your echo here they can also read the original news where you found it. You seem to mass produce short and very trivial reviews of various devices from some reason and then you always leave the thread more or less. It's very counterproductive on a developer site and it's about time that someone tell you that. I'm just sorry it had to be me. Next time at least wait until you have the device or let people with a real interest in the device start the thread and write the review. You don't need to be an Einstein to understand that on a developer forum it would be a great advantage if the OP of a tread has a real interest in the device the thread is all about. Your interest seems to be something completely different that I can't really figure out, but in any case it's counterproductive on a developer forum. Peace!
Click to expand...
Click to collapse
"If people can read your echo here they can also read the original news where you found it"
No not always, I get info directly from the manufactures sometimes. And sometimes I write texts myself. That you can't read somewhere else. Of course it is not always so, depends on the info/news and devices. I love phones and tablets, and that's why I like to be a news poster. If I don't post, someone else would do.
You seem to mass produce short and very trivial reviews of various devices from some reason and then you always leave the thread more or less
No, I follow every single thread I make (else I would probably also not answer in this old thread here now) and if people have real interest in the device I also answer or follow up with news. If people ask something already answered I don't reply, that's right. Else I could spend the whole day answering questions from people. And I would say on 80% of the threads I make, I also always follow up with a full video review of the device.
Next time at least wait until you have the device or let people with a real interest in the device start the thread and write the review.
Doesn't work that way, as the manufactures already post info before the device is released. And many want info as soon it is possible, not 1 month after when the device already is old again.
a great advantage if the OP of a tread has a real interest in the device
Well, it is not really up to you to judge if I have real interest in a device or not. If I am going to test it I will have real interest in it. But some devices are more interesting than others, also after they have been received.
I don't see anything bad in creating threads that can gather people around a device. In these people can help, discuss & develop the device. I see that in my Elephone P8000 thread, my Jiayu S3 thread and UMI ZERO thread, for some devices like for example the UMI IRON it doesn't happen but that's not really my fault. I personally still love the phone.
And PS. I'm from Denmark, so you should really try to be a little more nice to one from your neighbouring country.

Teclast 3G x70
Hello freinds
Please could someone help me, because i am very stuck with the problem and no one over the internet doesnt know how to help me.
My tablet Teclast 3G x70 suddenly become dead and I have luck to repair it by reflashing procedure, but the IMEI has been lost
Please maybe somebody know how to repair it, because I have already tried everything I know...
Thank you

You guy always said already tried everything, what actually have you tried, list out everything so its easier to trouble-shoot & to narrow things down...
First of all, did you guys even read the included guide/ tutorial, i flash so many times on my X70 clone, never even once loose the IMEI, try rebooting to stock 3e recovery & do a Factory Reset or using fastboot to do that, that should reset everything back to normal ...
Code:
adb reboot fastboot
fastboot format userdata
fastboot format cache
Refer to here for more IMEI repair info....

to : yuweng TECLAST X70 3G
Hello dear friend Yuweng
I come from 4 PDA forum you must be aware of.
And there is no one can resolve this issue.
First of all I want to thank you for the ROOTING guide - I get root with your help
And about IMEI : i have tried everything you advise to do to recover IMEI
I think it is maybe impossible to recover IMEI because it is INTEL platform like Google Nexus for example (need special hardware to recover IMEI)
Thank you

Your username ends with il then only i try 012.net.il then only realize it... :laugh: All Android OS comes from Google so this means all Android devices are more or less the same, i guess its just a corrupted partition or file missing that causes this IMEI issues, same as many Android devices are experiencing...
Ok, try below command, give me a download link to it & i'll make a comparison to see which file is missing...
Code:
adb shell su -c "ls -R" > myx70.txt
After that, try to follow exactly as the FlashTool_E2 guide to download the firmware all over again, one of the pdf stated single-threaded download mode, multi-threaded download mode, try & see if that makes a different.... :fingers-crossed: Russian translated version here...
Updates
Hmm, that pdf stated 15 firmware files, that means modem.fls, mvconfig.fls & thread.fls is missing, wonder if that causes the IMEI to disappear...
[email protected] said:
Hello dear friend Yuweng
I come from 4 PDA forum you must be aware of.
And there is no one can resolve this issue.
First of all I want to thank you for the ROOTING guide - I get root with your help
And about IMEI : i have tried everything you advise to do to recover IMEI
I think it is maybe impossible to recover IMEI because it is INTEL platform like Google Nexus for example (need special hardware to recover IMEI)
Thank you
Click to expand...
Click to collapse

to : yuweng TECLAST X70 3G
Helo again dear friend
It is very nice you still support this thread
I did get the file myx70.txt you need
Please check it, Thank you

to : yuweng TECLAST X70 3G
Helo again dear friend
It is very nice you still support this thread
I did get the file myx70.txt you need
https://www.mediafire.com/?0iskyl3hazaketo
Please check it, Thank you
By the way it is some softwareprogram I have been informed in that can do everything including restoring IMEI
But I cant use it bacause it is in CHINESE
it called Rabbit Root and it is web page is: http://www.7to.cn/#

When i ask you to do a Factory Reset using the stock 3e recovery & you said you did it but your myx70.txt says otherwise... Few files missing, seems like it is not initialize properly...
Code:
./data/media/0:
91 WireLess
Alarms
Android
AppGame
DCIM
Download
GOLauncherEX
GoStore
MIUI
Mihome
Movies
Music
Notifications
Pada
Pictures
Podcasts
Ringtones
XPOSED IMEI Changer_1.3_apk-dl.com.apk
baidu
com.91.channel.repository
dianxin
libs
mgyun
nd
system
system.info
tencent
tmp
xutils
To reboot to stock 3e recovery
With the device at power off state, USB cable unplug, press & hold Volume Up, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding Volume Up until you see the boot logo then let go & it'll boots up the stock 3e recovery.
Click to expand...
Click to collapse
Press the power button once & you'll see the stock 3e recovery menu
Use the volume down key to go to wipe data/ factory reset & press power button
Use the volume down key to go to Yes -- delete all user data & press power button
Do the same for cache partition
reboot system now
* Manually format the internal sdcard as well if Factory Reset doesn't remove it
That software you pointed out, the IMEI repair is for MTK devices only.
Updates
Check with dAverk how he did it, every detail like where he got the firmware from, the step by step that he took on flashing the firmware, this will narrow things down as why IMEI is lost on you guy's x70 & not him... i believe if you guys follow his steps exactly, you should be able to get the IMEI working again... :fingers-crossed:
Firmware flashing bricks the device, Factory Reset corrupts the IMEI was a thing in the past ( Jellybean/ ICS/ GB issues ), it shouldn't happened on KitKat/ Lollipop devices, i believe...

OK I have reflashed this tablet with all FIRMWARES i have found on this forums
I cant get to Boot Menu ( Power ON+Volume UP) - tablet continue to load and nothing happens
And the ADB command doesnt help
adb reboot fastboot
fastboot format userdata
fastboot format cache
The tablet reboots and I get GREEN screen
https://www.mediafire.com/?0pkb7pk89d8c33s

What have you done to yourself, that green screen is the fastboot screen, you'll need adb driver & fastboot.exe for it to work...
i already mentioned, be specific, all FIRMWARES, which one ? JOI, X70 from geekbuying or chinagadgetsreviews & etc, may be they are all different, i donno, i didn't download all to check if they are identical, may be thats the cause of your green screen problem & IMEI problem ?
This is a General not Development thread, i don't intend to start a new one, i shouldn't even be sharing these infos here...
Warnings : Use this guide at your own risk ! For Developers ONLY
These infos are the results of spending many hours with FlsTool( linux version ) & flstool.exe
Code:
./FlsTool -x recovery.fls
./FlsTool --extract-prg recovery.fls
./FlsTool -x system.fls
./FlsTool --extract-prg system.fls
./FlsTool -x mvconfig_smp.fls
./FlsTool --extract-prg mvconfig_smp.fls
./FlsTool -x mobilevisor.fls
./FlsTool --extract-prg mobilevisor.fls
After unpack, these individual fls files contains PRG, EBL, PSI, meta files & the actual Android img file or binary files. Each of these extracted files, PRG, EBL, PSI, meta files are identical.
When you use dd command to backup these partition, it is not an Android image file nor a fls file & a dd restore with either the dd backed up or the fls file won't boot or work correctly
Eg.
Code:
adb shell su -c "dd if=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119 of=storage/sdcard1/recovery.img"
adb shell su -c "dd if=storage/sdcard1/recovery.img of=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119"
[COLOR="blue"]OR[/COLOR]
adb shell su -c "dd if=storage/sdcard1/recovery.[COLOR="Blue"]fls[/COLOR] of=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119"
[COLOR="blue"]OR[/COLOR]
fastboot flash recovery recovery.img
fastboot flash recovery recovery.[COLOR="blue"]fls[/COLOR]
[COLOR="blue"]OR[/COLOR]
fastboot flash system system.img
fastboot flash system system.[COLOR="blue"]fls[/COLOR]
When Hex edit/ compare those files, they are totally different. Eg. dd backed up recovery.img with recovery.fls is not the same.
The recovery.fls when unpack has three different regions, i think the existing FlsTool version 1.20 has bugs, it doesn't repack it back to the correct format.
recovery.fls_ID0_CUST_LoadMap0.bin is identical to mobilevisor.fls_ID0_CODE_LoadMap0.bin
recovery.fls_ID0_CUST_LoadMap1.bin is identical to mvconfig_smp.fls_ID0_CUST_LoadMap0.bin
recovery.fls_ID0_CUST_LoadMap2.bin is the actual Android recovery.img that can be unpack with AIK or CIK as already explained on this post here
Even if it works, custom recoveries such as PhilZ Touch or TWRP which is also using the dd command for backups, will not be able restore it correctly as it is not a fls file or an Android image file.
As for the boot.fls, what i did was change the default.prop & repack it back.
Code:
ro.secure=1 [COLOR="Blue"]<= Change to [B]0[/B][/COLOR]
ro.allow.mock.location=0 [COLOR="blue"]<= Change to [B]1[/B][/COLOR]
ro.debuggable=0 [COLOR="blue"]<= Change to [B]1[/B][/COLOR]
ro.adb.secure=1 [COLOR="Blue"]<= Change to [B]0[/B][/COLOR]
Unpack boot.fls
Code:
./FlsTool -x boot.fls
./FlsTool --extract-prg boot.fls
After unpack/ repack with AIK, copy image-new.img to the same folder.
Repack boot.fls
Code:
./FlsTool --psi boot/boot.fls_inj_PSI.bin --prg boot_0.fls --ebl boot/boot.fls_inj_EBL.bin image-new.img --tag BOOT_IMG -o new-boot.fls
After this, any exploit rooting software should work.
Found two new link for X70 (C6F9) -Android4.4.4-V1.05-5726 may be this one will solved the IMEI issues, i donno...
Source 1
Source 2
Conclusion : You can't do much on Intel x3 but to bug your device manufacturer to release the firmware then only rooting is possible otherwise forget it, its file system is not regular Android image, use the device as it is or you'll brick it in doing so...
4Good T700i 3G users
Since you guys confirmed X70 firmware can be downloaded successfully & the camera doesn't work after that, meaning the firmware is almost compatible except for the camera driver.
Since 4Good doesn't release the firmware, the correct way is to create an ebl.fls file, upload the boot.bin then port an unsecured-boot.fls & root it...
Code:
./FlsTool -x boot.fls
./FlsTool --extract-prg boot.fls
./FlsTool --hex-to-fls boot/boot.fls_inj_EBL.bin --prg boot_0.fls --psi boot/boot.fls_inj_PSI.bin --tag BOOT_IMG -o ebl.fls
View attachment 3475319
View attachment 3475321
Hex edit boot.bin & extract the boot.img( look for the header ANDROID! ), with above mentioned technique to make an unsecured boot.fls, unlock the bootloader, download this unsecured boot.fls then root it & the firmware stays as stock with both camera working.
View attachment 3475504
Or upload the boot.bin & i'll port an unsecured-boot.fls for you guys...
View attachment C5F9-ebl.fls.zip
View attachment C6F9-ebl.fls.zip
Or after rooting, copy all 4Good camera *.so files, flash x70 system.fls ONLY then manually use any ROOT Explorer to copy back these 4Good camera *.so files over & both cameras should work on 4Good after a reboot...
Theoretically, you can also dd the system.img, mount it, make changes then repack it back to fls file but then again, these files will be huge & i don't even know whether it works, never try that...
Code:
adb shell su -c "dd if=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID068 of=storage/sdcard1/system.img"
adb pull storage/sdcard1/system.img
mkdir sys
sudo mount -t ext4 -o loop system.img sys/
Do whatever you want with the files & folders at [COLOR="Blue"]sys/[/COLOR]
sudo ./make_ext4fs -s -l 1024M -a system new.img sys/
sudo umount sys
./FlsTool --prg system_0.fls --ebl system/system.fls_inj_EBL.bin --psi system/system.fls_inj_PSI.bin new.img --tag SYSTEM -o new-system.fls
Download it with FlashTool_E2
Updates - Nov 2015
Thanks to benderit for sharing his detailed findings & how-tos for backing up/ creating a restored boot.img/ system.img via fastboot for x3 devices without FlashTool_E2 ROM... :good:
Updates - Jan 2016
Refer to here on how to create system.img on Win OS & using fastboot to flash it... :good:
Updates
The adb command adb shell ls -l /dev/block/platform/soc0/e0000000.noc/by-name correspond to recovery.fstab as shared on this post here EXCEPT for ImcPartID022 & ImcPartID121.
Hex editing the partition ImcPartID121 show that it is empty while ImcPartID022 shows there are some data inside it, i cannot tell whether its the bootloader or the IMEI info.
Those that lost their IMEI can use below command to backup & check whether there is data in it or its empty( all zero ). If its empty means the IMEI info might be at this partition...
Code:
adb shell su -c "dd if=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID022 of=storage/sdcard1/ImcPartID022.img"
adb pull storage/sdcard1/ImcPartID022.img

To yuweng
Everything seems to be OK. And now after a week of try I finally understand that it was not worth trying. Because it finally become clear that it is nothing to do with IMEI. Very good yuweng.
It is seems that actually no one know how to resolve it.
And what is about trying different firmwares?
I just don't understand how would it help.
And about that all android systems are similar it also mistake.
If you want to restore IMEI on Nexus 4 you need special equipment.

The reason for your case i guess is everyone is new on your side, as the saying too many cooks spoil the broth...
Fyi, my previous device, the MTK, bcos of one Russian DEV shared his findings, thousands of users save hundreds of dollars each.... :good:
Bcos of one DEV shared his unpack/ repack script, i discovered that MTKs ROM can ported over to hundreds if not thousands of similar devices...
And Yes, i've also seen many that says they will never use PhilZ Touch or TWRP ever again bcos it corrupts their device, the reason for this is bcos no DEV is working on that device & end users just blindly installing it & complaining after that... The same at 4pda, few that swear to throw away their X70 too... :laugh: We need more DEVs to look into it then it will become a better Android device...
OT : And Yes, you can actually port 4Good firmware to work on X70 & vice-versa, when DEVs starts to work on it, if there is one, bcos it is an exact clone while mine is different, i donno, may be the newer X70 (C6F9) is compatible, i didn't try it...
Port means identify & taking parts of the firmware from other similar device & make it work on yours while flashing the whole firmware will normally leads to a brick device...

at now we tried flash 7 block of mmc (because we found many diffs in this block) from working device on dead[imei] - but nothing happens. Try work with whole mmc.

it seems that InvisiBot have already made the discovery... :good:
Haven't took a deep look at InvisiBot's findings yet, but found out my device is indeed an exact clone of x70 (C6F9), first flash the recovery.fls, got a landscape 3e stock recovery instead of the original portrait, then proceed to flash the system.fls, everything works except for bluetooth & wifi, last flash the boot.fls & now i got x70 (C6F9) ROM fully working on my device... :laugh:
i guess intel/ Teclast must have made some improvement to libhoudini, overall, it performs better than the original stock ROM with Xposed installed & with zram enabled ...
Updates
Guys, as i've always mentioned it on my other threads, users always feedback it doesn't work, pls describe every little steps that you took, it will be easier to trouble-shoot, narrow things down & solve your problems....
According to InvisiBot, he began experiment by Hex editing partition ImcPartID022 & that bricks his x70 & in doing so he found out there is a hidden feature that you can still download by holding the Power button for 10 seconds then release it & FlashTool_E2 will automatically start to download on your brick device, this mean intel x3 is truly unbrickable... :good:
Thats where he discovered that you guys use the erase whole flash at FlashTool_E2 & that erases the IMEI info, luckily he manage to get his IMEI back...
View attachment 3478674
WARNING : Never use both the erase whole flash option, it will delete your IMEI info ! You guys with the IMEI problem never even once mentioned that...
Conclusion
Indeed the partition ImcPartID022 contains both the IMEI info, device serial number & adb command => adb devices serial no. which is the same as SIM 1, good job InvisiBot... :good:
Code:
[COLOR="blue"]Setttings[/COLOR] => [COLOR="blue"]About tablet [/COLOR]=> [COLOR="blue"]Status [/COLOR]=> [COLOR="blue"]SIM 1[/COLOR]/ [COLOR="blue"]SIM 2[/COLOR]
On my x70 clone or shall i say an actual x70 (C6F9) rebrand, the offset is at different location.
Device serial no => 0x1AAC8
SIM 1 => 0x24360
SIM 2 => 0x2436C
adb command => adb devices serial no => 0x2549C
So do make a backup of partition ImcPartID022, this is the only partition that FlashTool_E2 cannot restore if you brick it.
Attention to InvisiBot
Since you said you're making a How-to Guide i'm not going to spoil the soup... :laugh: Don't forget to make one in English Language for sharing with XDA member here too... :good:
Attach below is my empty IMEI for your R&D, i think it should be the same as X70 C6F9...
View attachment EMPTY-C6F9-IMEI.zip
Search for the reference text as below
#IMEI01#
#IMEI02#
#ADB-SN#
##INTEL-X3-S/N## <= This is the 16 digit alphanumeric Serial number display at Settings => SIM1/ SIM2
Updates - Restore invalid IMEI
For those who lost their IMEI, you can try this Thanks to Invisibot & buxbux for the link... :good:
Don't ask me how-to, i've never loose my IMEI before so i donno how to use it, you'll have to find that out yourself...

How To Get Permanent Root
This is a workaround until I can compile a Bootable Kernel
First of all say thanks to @Captain_Throwback !!
He was the original creator of the TWRP Recovery for the Desire 626s.
I have taken his TWRP recovery for the 626s, unpacked it and ported in some of the Desire 526 recovery image.
Kinda a cracked up way of doing this but hey ( It Works)
Step #1
Unlock Your Boot-Loader !!! (currently accomplished with a Java Card / HTC Service Tool)
Even with the card you could run into trouble with unlocking the boot-loader.
There is no switch to Enable OEM Unlock available in the Developer Options.
Here is a work-around for that.
Step #1-A
Open up terminal shell on a computer and pull the frp image from the device. (Temp Root Required)
Code:
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
Terminal Output
[email protected]_a13wlpp:/ #dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ #
Pull the frp.img to the computer.
If you are still in adb shell.
Code:
exit
exit
Then from the normal command line
Code:
adb pull /sdcard/frp.img
Terminal Output
f=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ # exit
[email protected]_a13wlpp:/ $ exit
[email protected]:~$ adb pull /sdcard/frp.img
2758 KB/s (524288 bytes in 0.185s)
[email protected]:~$
Now open the frp.img file in a hex editor. Like HXD in windows.
Go to the last line of the file.
Change the very last 00 to 01 and save the file.
Reference the screen shots below.
Factory FRP
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Patched FRP
Flash the patched frp.img to the device.
Back to the terminal.
Code:
adb push frp.img /sdcard/frp.img
Code:
adb shell
su
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
If you have completed this now your clip can unlock the boot-loader
In case your wondering this will also work on a boot loader locked device. It will get you as far as being able to get a unlock token from fastboot using Fastboot oem get_identifier_token WITH THE DEVICE IN DOWNLOAD MODE
Unfortunatly HTC-DEV still will not give you the UNLOCK TOKEN yet. The pg2fs partition needs an edit then htc dev will generate a good code. Problem is without clip you cannot modify the pg2fs image. Allthough I am working on it.
STEP #2 ( Get Perm Root !! )
Download the Patched TWRP and SuperSu
The 2 files are attached to the thread. Unzip the TWRP-No-Touch.img.zip Do not unzip the Super.zip.
Copy the super.zip to the device sdcard. Use file explorer or terminal.
Code:
adb push super.zip /sdcard/super.zip
Flash the TWRP Recovery to the device.
reboot to download mode
Code:
adb reboot download
Flash the recovery
Code:
fastboot flash recovery Twrp-526-NO-TOUCH.img
Boot into TWRP Recovery
Code:
fastboot boot recovery
DON'T PANIC !! Yes your right......The touch screen is not working!!!
I need to compile a custom kernel to get TWRP working Right.
I have compiled the kernel but it isn't booting right yet. That's why I figured out this work around for now.
So Now What ???
No worries....Even though we can't access the TWRP commands from the touch screen LETS NOT FORGET.........
We can use the command line :highfive:
Open up terminal on your computer.
If it's not already open.
Go into the shell.
Code:
adb shell
No need to type su cause in case you didn't notice we are already ROOT. "#"
So to install SuperSu (or any other zip package) we do this.
#1 Mount the system partition.
Code:
mount -o rw -t ext4 /dev/block/mmcblk0p62 /system
#2 Tell TWRP what we want it to do one stap at a time
Set device to boot into recovery upon reboot.
Code:
echo 'boot-recovery ' > /cache/recovery/command
Tell TWRP to install SuperSu when it boots.
Code:
echo '--update_package=/sdcard/super.zip' >> /cache/recovery/command
Reboot the recovery to install the SuperSu.
Code:
reboot recovery
Now you will see TWRP boot back up and when it boots up it will install the zip package.
Congratulations you are now one of the first peoples to have a fully rooted Verizon Desire 526. :laugh::silly:
Lets get busy boys !!!! We need to get this boot loader unlocked for the rest of the community.
It's all about the pg2fs partition. If we can find a way to write to it with s-on and boot loader locked then we can unlock all boot-loaders

Glad to see sum positive progress in the right direction....

BigCountry907 ,
Since the MarshaMallow update gives us the developer options OEM unlock switch, shouldn't we just update to it first, to get the bootloader unlock?

OEM Update
You won't find the option to turn on OEM in the device.
You can enable it! Here's how:
Go to the Google Play Store.
Search secret codes revealer.
Search codes
Look for 759
Click launch code
Confirm launch
Under oem click on.
Congrats. You've just enabled oem on your desire 526!
Happy hunting.
BigCountry907 said:
How To Get Permanent Root
This is a workaround until I can compile a Bootable Kernel
First of all say thanks to @Captain_Throwback !!
He was the original creator of the TWRP Recovery for the Desire 626s.
I have taken his TWRP recovery for the 626s, unpacked it and ported in some of the Desire 526 recovery image.
Kinda a cracked up way of doing this but hey ( It Works)
Step #1
Unlock Your Boot-Loader !!! (currently accomplished with a Java Card / HTC Service Tool)
Even with the card you could run into trouble with unlocking the boot-loader.
There is no switch to Enable OEM Unlock available in the Developer Options.
Here is a work-around for that.
Step #1-A
Open up terminal shell on a computer and pull the frp image from the device. (Temp Root Required)
Code:
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
Terminal Output
[email protected]_a13wlpp:/ #dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ #
Pull the frp.img to the computer.
If you are still in adb shell.
Code:
exit
exit
Then from the normal command line
Code:
adb pull /sdcard/frp.img
Terminal Output
f=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ # exit
[email protected]_a13wlpp:/ $ exit
[email protected]:~$ adb pull /sdcard/frp.img
2758 KB/s (524288 bytes in 0.185s)
[email protected]:~$
Now open the frp.img file in a hex editor. Like HXD in windows.
Go to the last line of the file.
Change the very last 00 to 01 and save the file.
Reference the screen shots below.
Factory FRP
Patched FRP
Flash the patched frp.img to the device.
Back to the terminal.
Code:
adb push frp.img /sdcard/frp.img
Code:
adb shell
su
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
If you have completed this now your clip can unlock the boot-loader
In case your wondering this will also work on a boot loader locked device. It will get you as far as being able to get a unlock token from fastboot using Fastboot oem get_identifier_token WITH THE DEVICE IN DOWNLOAD MODE
Unfortunatly HTC-DEV still will not give you the UNLOCK TOKEN yet. The pg2fs partition needs an edit then htc dev will generate a good code. Problem is without clip you cannot modify the pg2fs image. Allthough I am working on it.
STEP #2 ( Get Perm Root !! )
Download the Patched TWRP and SuperSu
The 2 files are attached to the thread. Unzip the TWRP-No-Touch.img.zip Do not unzip the Super.zip.
Copy the super.zip to the device sdcard. Use file explorer or terminal.
Code:
adb push super.zip /sdcard/super.zip
Flash the TWRP Recovery to the device.
reboot to download mode
Code:
adb reboot download
Flash the recovery
Code:
fastboot flash recovery Twrp-526-NO-TOUCH.img
Boot into TWRP Recovery
Code:
fastboot boot recovery
DON'T PANIC !! Yes your right......The touch screen is not working!!!
I need to compile a custom kernel to get TWRP working Right.
I have compiled the kernel but it isn't booting right yet. That's why I figured out this work around for now.
So Now What ???
No worries....Even though we can't access the TWRP commands from the touch screen LETS NOT FORGET.........
We can use the command line :highfive:
Open up terminal on your computer.
If it's not already open.
Go into the shell.
Code:
adb shell
No need to type su cause in case you didn't notice we are already ROOT. "#"
So to install SuperSu (or any other zip package) we do this.
#1 Mount the system partition.
Code:
mount -o rw -t ext4 /dev/block/mmcblk0p62 /system
#2 Tell TWRP what we want it to do one stap at a time
Set device to boot into recovery upon reboot.
Code:
echo 'boot-recovery ' > /cache/recovery/command
Tell TWRP to install SuperSu when it boots.
Code:
echo '--update_package=/sdcard/super.zip' >> /cache/recovery/command
Reboot the recovery to install the SuperSu.
Code:
reboot recovery
Now you will see TWRP boot back up and when it boots up it will install the zip package.
Congratulations you are now one of the first peoples to have a fully rooted Verizon Desire 526. :laugh::silly:
Lets get busy boys !!!! We need to get this boot loader unlocked for the rest of the community.
It's all about the pg2fs partition. If we can find a way to write to it with s-on and boot loader locked then we can unlock all boot-loaders
Click to expand...
Click to collapse

Good to know about the 759 code webag.youtag.
But without buying the clip device we are still stuck.
So hopefully BigCountry907 can find a way to unlock the bootloader and root without the clip.
Sidenote: I tried changing my PRL but couldn't get the changes to stick. I tried DFS and QPST. Am I missing something?

@webag.youtag
I installed the mentioned app and used the code.
It shows in the app that the oem is turned on.
But It isn't setting the last byte of the FRP to 01 so ultimatly it will not work.
I tested and still get.
[email protected]:~$ fastboot oem get_identifier_token
...
(bootloader) [KillSwitch] : /dev/block/bootdevice/by-name/frp
(bootloader) [KillSwitch] Last Byte is 0X00, disable unlock
(bootloader) [KillSwitch] oem unlock Turn Off!
OKAY [ 0.082s]
finished. total time: 0.082s
[email protected]:~$
The app lacks permissions to write to the frp partition.
Anyone working on unlocking the boot-loader needs to use the method I posted previously.
And also note: If you reboot the phone then you need to flash the frp partition again.
During re-boot the bit gets set back to 00.
So in a nutshell.
Edit your frp. Make 00 = 01.
Then dd flash the frp.
Then adb reboot download.
Then fastboot oem get_identifier_token.
Problem is there still is a change required in the pg2fs partition / TO Avoid the CID Not Allowed Error
@supermaxkato
Not sure about the prl.
But I have noticed that the security system is tricky.
It will show you in adb shell that you have written the changes to the partition successfully.
But due to the read only protection the partition never really gets written.
Basically instead of giving an error it is writing to a NULL device successfully.

I was looking around and saw a post! (Rare I know)
Have you tried hboot instead of fastboot?also, I have no computer (sad). I am able to get temp root with "kingroot-4.8.2" I am able to use hex edit to change frp from 00 to 01. Is there a way to get identifier token without a PC? Maybe in configuration files or prop files?
BigCountry907 said:
@webag.youtag
I installed the mentioned app and used the code.
It shows in the app that the oem is turned on.
But It isn't setting the last byte of the FRP to 01 so ultimatly it will not work.
I tested and still get.
[email protected]:~$ fastboot oem get_identifier_token
...
(bootloader) [KillSwitch] : /dev/block/bootdevice/by-name/frp
(bootloader) [KillSwitch] Last Byte is 0X00, disable unlock
(bootloader) [KillSwitch] oem unlock Turn Off!
OKAY [ 0.082s]
finished. total time: 0.082s
[email protected]:~$
The app lacks permissions to write to the frp partition.
Anyone working on unlocking the boot-loader needs to use the method I posted previously.
And also note: If you reboot the phone then you need to flash the frp partition again.
During re-boot the bit gets set back to 00.
So in a nutshell.
Edit your frp. Make 00 = 01.
Then dd flash the frp.
Then adb reboot download.
Then fastboot oem get_identifier_token.
Problem is there still is a change required in the pg2fs partition / TO Avoid the CID Not Allowed Error
@supermaxkato
Not sure about the prl.
But I have noticed that the security system is tricky.
It will show you in adb shell that you have written the changes to the partition successfully.
But due to the read only protection the partition never really gets written.
Basically instead of giving an error it is writing to a NULL device successfully.
Click to expand...
Click to collapse

Can you please upload your unlocked boot loader bigcountry907?

Any more progress on this, gentlemen?

When I follow the OP and get to the step:
"fastboot flash recovery Twrp-526-NO-TOUCH.img"
I receive the following error:
FAILED (remote: 9: SD_SECURITY_FAIL recovery and bootloader isn't BL_UNLOCK)
finished. total time: 2.762s
Steps taken:
-frp.img (Pulled from the device, edited & reflashed back with dd command, adb shell reports successful)
-pushed super.zip to device
-rebooted using fastboot to download mode
-attempted to flash TWRP & get the fail with the same error multiple times
Any suggestions or clues? I've attempted this several times, following the OP step by step.
Thanks for the help

@rfunderburk39
You have to unlock the BOOTLOADER first.
Currently I can only unlock it with the xtc-2 clip.
But I'm working on it.
Surprisingly my desire 530 was able to be s-off using TWRP recovery.
If i can somehow capture the commands passed from the xtc-2 clip to the twrp recovery we can replicate it.
Other than that were looking at cooking a qfil / qpst flashable rom.
Not easy.
does anyone know how to log all commands sent to TWRP?

BigCountry907, is the desire 530 you were able to root with twrp the verizon version? If so, did you have to unlock the bootloader first? Because I don't see it on htcdev.

@BigCountry907 I misunderstood the OP, I thought the frp.img edit was a work around of the Java Card.
I will look into the logging of the the TWRP commands. Let me know if I can help out in other ways.

@rfunderburk39
It gets you one step closer but still at the end it fails.
Verizon implements some major security.
I could really use some help.
I got alot together. The entire qcom msm8909 source + manuals you name it.
I was amazed today when i unlocked a desire 530 with the xtc-2 clip and it used @Captain_Throwback twrp to s-off the device.
The beauty of this is it proves S-Off is possible through twrp recovery.
It was my belief that the recovery did not have high enough permissions to write to the radio and get s-off.
Apparently if you know the right commands in the TWRP #shell it's possible.
So how deep into linux / android do you go?
My next best attempt is to generate a service rom using QPST to flash in EDL mode.
Ever make a partition.xml file???
Thats aboot where im at.
oh yea and JTAG TOO.

BigCountry907 said:
@rfunderburk39
It gets you one step closer but still at the end it fails.
Verizon implements some major security.
I could really use some help.
I got alot together. The entire qcom msm8909 source + manuals you name it.
I was amazed today when i unlocked a desire 530 with the xtc-2 clip and it used @Captain_Throwback twrp to s-off the device.
The beauty of this is it proves S-Off is possible through twrp recovery.
It was my belief that the recovery did not have high enough permissions to write to the radio and get s-off.
Apparently if you know the right commands in the TWRP #shell it's possible.
So how deep into linux / android do you go?
My next best attempt is to generate a service rom using QPST to flash in EDL mode.
Ever make a partition.xml file???
Thats aboot where im at.
oh yea and JTAG TOO.
Click to expand...
Click to collapse
Tommorrow my time will be limited during the day, but I can look into "qcom msm8909 source + manuals" & the ability to log TWRP commands and see what I can find.
Interesting about the 530, I was not aware that was possible.
I've used linux for about 20 years, and would consider my knowledge to be good, with the ability to usually get to source of a problem and/or find a solution slash work around.
I've never created a partition.xml, but would be happy to look into it.
I do have quite a bit of past JTAG experience but that was using a serial port not USB, which I assume you are referencing.

@supermaxkato
No my Desire 530 is Metro-Pcs.
I took one of the verizon 526 and activated it then used the phone number to port to Metro Pcs.
With the port it cost $70 for the Desire 530 + 1 month of unlimited service. Essentially the Desire 530 was free.
Any Verizon HTC most likely will have the same security scheme.
@rfunderburk39
This is good news. I would be grateful to have help on this.
It is difficult to know what kind of experience people have some don't even know how to use adb.
I will start another thread with all the information I know so far.
And I have the MSM8909 source code. Not just the kernel but the "Qualcomm Chipcode" Board Support Package.
And many qcom manuals.
This should be very helpful to us.
I will name the new thread "{WIP} {ROM} MSM8909 Service Rom From Source / QPST Root + Unlock + Unbrick"
I will post all current information there.

Something potentially worth trying:
-Grab the Settings.apk (and .odex) from the 526+ or 626, just make sure its the same version of android.
-Push those to device
-adb shell
-su
-mount -o rw,remount,rw /system
-exit
-exit
-adb push Settings.apk /system/priv-app/Settings/
-adb push Settings.odex /system/priv-app/Settings/arm/
-Open >settings>developer options on the device
-check and see if the option “OEM Unlock” appears
-reboot into "download mode" and see if the settings stick.
-run fastboot oem get_identifier_token
Granted this holds the possibility of bricking the phone, but more than likely will not stick on a reboot & the Settings.apk will be replaced with the device original.

I will test on mine.
Give me an hour

Well I replaced the settings files with the settings files from the unlocked ruu for the 526.
It's a no-go the settings app crashes on boot.
This would only add the oem_unlocking option.
We can get the same result by changing the last byte 00 of the FRP.img to 01 and then in a root shell
to pull
dd if=dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
to push
dd if=/sdcard/frp.img of=dev/block/bootdevice/by-name/frp
This will work to get a Unlock Token but the HTC-DEV site will reject it.
ERROR = CID Not Allowed.
If you can find a way to write the pg2fs partition I can make this work.

BigCountry907 said:
@rfunderburk39
It gets you one step closer but still at the end it fails.
Verizon implements some major security.
I could really use some help.
I got alot together. The entire qcom msm8909 source + manuals you name it.
I was amazed today when i unlocked a desire 530 with the xtc-2 clip and it used @Captain_Throwback twrp to s-off the device.
The beauty of this is it proves S-Off is possible through twrp recovery.
It was my belief that the recovery did not have high enough permissions to write to the radio and get s-off.
Apparently if you know the right commands in the TWRP #shell it's possible.
So how deep into linux / android do you go?
My next best attempt is to generate a service rom using QPST to flash in EDL mode.
Ever make a partition.xml file???
Thats aboot where im at.
oh yea and JTAG TOO.
Click to expand...
Click to collapse
BigCountry907 said:
Well I replaced the settings files with the settings files from the unlocked ruu for the 526.
It's a no-go the settings app crashes on boot.
This would only add the oem_unlocking option.
We can get the same result by changing the last byte 00 of the FRP.img to 01 and then in a root shell
to pull
dd if=dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
to push
dd if=/sdcard/frp.img of=dev/block/bootdevice/by-name/frp
This will work to get a Unlock Token but the HTC-DEV site will reject it.
ERROR = CID Not Allowed.
If you can find a way to write the pg2fs partition I can make this work.
Click to expand...
Click to collapse
I didn't think it would work, just an outside chance. Hoped it may give a different token, that in turn would pass over at HTC-DEV.
Back when I had other HTC devices, I used a tool here on XDA [TOOL] HTC Easy Unlock Bootloader Tool. It doesn't appear to be maintained any longer, its based around Windows *.bat files (easy enough to edit)
https://forum.xda-developers.com/showthread.php?t=2133336
and SimpleGoldCard
https://forum.xda-developers.com/showthread.php?t=970157
SimpleGoldCard would access a site, after downloading that, you select it in the SimpleGoldCard application & it would create the image.
https://huygens.hoxnet.com/goldcard.html
I haven't had time to read through these post just yet, the method may no longer be valid. But worth a look, and I will be reading through these today to see.
Also I will see what I can find about a work-a-round of the the writing to pg2fs partition

The battery of a rooted, UsUed LG G4 running LineageOS 14.1 was accidentally allowed to drain to zero. After re-charging above 50%, the device failed to boot. The LOS boot screen "bubble on a string" animation would continue indefinitely.
The phone still booted to TWRP, download mode, and fastboot mode.
Originally, it was suspected that this was ILAPO. However, this suspicion was incorrect.
After extensive work creating a boot sector that would allow logging and a ton of help from @steadfasterX, it was discovered that various files in /data/system had been corrupted and had sizes of zero. Android would try to read values from these files, fail, and repeat.
First, a full TWRP backup of the phone was made and copied off-device. Then, I made a second backup of /data/system. Next, I deleted the following zero-byte files from /data/system using TWRP (or ADB after launching TWRP).
packages.list
packages.xml
profiles.xml
netpolicy.xml
notification_policy.xml
If this doesn't work, I would have considered deleting other zero-byte files in /data/system. I used "ls -laS" to get a size-ordered list of files in my current directory.
After a reboot, android re-created the files and booted to the lockscreen.
All of the apps in /data/data had already been cleared. Otherwise, Android would probably have choked on the differences between the user IDs that it wanted to assign to apps and the ownership of the various app folders.
The following links suggest ways to restore some apps from previously created backups
GitHub - joshuabragge/twrp-manual-restore: Automate individual app restores from an android TWRP backup
Automate individual app restores from an android TWRP backup - GitHub - joshuabragge/twrp-manual-restore: Automate individual app restores from an android TWRP backup
github.com
https://www.semipol.de/posts/2016/07/android-manually-restoring-apps-from-a-twrp-backup/
(Permanent archive: https://web.archive.org/web/2019083.../android-restoring-apps-from-twrp-backup.html)
There is no warranty on this solution. It was a makeshift effort created by an amateur. If you choose to duplicate it, you do so at your own risk. You may permanently destroy your phone.
Old post below:
I'm trying to understand whether a particular G4 (H815) has ILAPO. Its been sneezing, has a sore throat, and now can't taste anything^H^H oops, I mean:
- Previously, the phone would get hot during use.
- The phone has been UsUed.
- The battery was accidentally allowed to discharge to zero.
- After the battery was recharged, the phone was unable to boot past the Lineageos "bubble on a string" animation. The animation simply continues forever.
- The phone can boot to TWRP, fasboot, download mode, etc.
Attempts to fix:
- Tried renaming /sdcard/Android to /sdcard/Android.old but this had no effect.
- Tried clearing cache and dalvik cache but this had no effect
- (NEW) Tried attaching to computer and launching "adb logcat" during animation. Device is never found. If I remember correctly, "USB debugging" was off when the device died. (ADB does work in TWRP.)
- (NEW) Tried creating a custom 4-core (2 core for boot) boot image using the instructions here https://forum.xda-developers.com/t/...tom-x-cores-boot-image-ilapo-tempfix.3718389/ and used "fastboot flash boot boot.img" to flash it. This doesn't seem to work.
-- If I reboot into TWRP after a long period of waiting for the lineageos splash screen, I get a CPU temperature of 46 C. I don't know what temperature was generated in the same situation the modified boot image was installed.
Most of the info on ILAPO suggests that phones with it can't get past the LG logo. That is not the case here. Is this ILAPO or something different? Does anyone have ideas as to what might be an appropriate fix?
Is it possible to retrieve boot logs using TWRP in order to figure out when/where/why the boot hangs?

electricfield said:
I'm trying to understand whether a particular G4 (H815) has ILAPO. Its been sneezing, has a sore throat, and now can't taste anything^H^H oops, I mean:
- Previously, the phone would get hot during use.
- The phone has been UsUed.
- The battery was accidentally allowed to discharge to zero.
- After the battery was recharged, the phone was unable to boot past the Lineageos "bubble on a string" animation. The animation simply continues forever.
- The phone can boot to TWRP, fasboot, download mode, etc.
Attempts to fix:
- Tried renaming /sdcard/Android to /sdcard/Android.old but this had no effect.
- Tried clearing cache and dalvik cache but this had no effect
- (NEW) Tried attaching to computer and launching "adb logcat" during animation. Device is never found. If I remember correctly, "USB debugging" was off when the device died. (ADB does work in TWRP.)
- (NEW) Tried creating a custom 4-core (2 core for boot) boot image using the instructions here https://forum.xda-developers.com/t/...tom-x-cores-boot-image-ilapo-tempfix.3718389/ and used "fastboot flash boot boot.img" to flash it. This doesn't seem to work.
-- If I reboot into TWRP after a long period of waiting for the lineageos splash screen, I get a CPU temperature of 46 C. I don't know what temperature was generated in the same situation the modified boot image was installed.
Most of the info on ILAPO suggests that phones with it can't get past the LG logo. That is not the case here. Is this ILAPO or something different? Does anyone have ideas as to what might be an appropriate fix?
Is it possible to retrieve boot logs using TWRP in order to figure out when/where/why the boot hangs?
Click to expand...
Click to collapse
Sounds like the ilapo. Is the battery charged now? I don't know which LOS version you have installed but if you use mine:
follow FAQ #7 of my LOS thread

steadfasterX said:
Sounds like the ilapo. Is the battery charged now? I don't know which LOS version you have installed but if you use mine:
follow FAQ #7 of my LOS thread
Click to expand...
Click to collapse
Thank you for your reply. You seem to know more about G4 issues than anyone. I really appreciate your help.
The battery is charged now.
Unfortunately, I am using the microg version of LOS 14.1, rather than your 16.0.
I tried following the instructions in your FAQ #7, but I can't do step 1 (boot android). The only way for me to exit the bootloop is by removing the battery. There is no "debug" in /cache after I mount cache in TWRP.
I also looked at FAQ #1. ADB never finishes waiting for the device. In fact "lsusb" doesn't show the phone during OS boot (ADB is fine when TWRP is loaded).
Any other ideas?

electricfield said:
Thank you for your reply. You seem to know more about G4 issues than anyone. I really appreciate your help.
The battery is charged now.
Unfortunately, I am using the microg version of LOS 14.1, rather than your 16.0.
I tried following the instructions in your FAQ #7, but I can't do step 1 (boot android). The only way for me to exit the bootloop is by removing the battery. There is no "debug" in /cache after I mount cache in TWRP.
I also looked at FAQ #1. ADB never finishes waiting for the device. In fact "lsusb" doesn't show the phone during OS boot (ADB is fine when TWRP is loaded).
Any other ideas?
Click to expand...
Click to collapse
As written in my mentioned FAQ taken battery out is needed in your case. Step 2 iirc.
If you dont use my LOS then no way. The cache/debug is something I've added and no one else has.
Option1:
You can just flash my LOS 16 or /e/ ROM (take a full backup before in TWRP) and use that for debugging your current issue. Why using microg btw? /e/ is great
Option2:
The other option would be pulling the boot img of your current LOS (in TWRP: adb pull /dev/block/bootdevice/by-name/boot ) and rebuilding it as insecure (i.e. usb debug on and adb root ) but if you never did that before it it will be hard i guess. AiK might work here or using mAid which includes bootimgtool.
Option3:
Also you can attach that boot img here and if i ever find the time i can do option2 for you but don't expext that this happens soon .

Thank you again for your help.
I'm a little afraid that installing a new & different ROM will increase the level of complexity. I'll do it if I must, though.
I started looking at option #2. Retrieving the boot image was fine, but unpacking presents a problem.
$ ./unpack-bootimg.sh boot.img.original
Found a secondary file after the ramdisk image. According to the spec (mkbootimg.h) this file can exist, but this script is not designed to deal with this scenario.
Is there a guide anywhere?

electricfield said:
Thank you again for your help.
I'm a little afraid that installing a new & different ROM will increase the level of complexity. I'll do it if I must, though.
I started looking at option #2. Retrieving the boot image was fine, but unpacking presents a problem.
$ ./unpack-bootimg.sh boot.img.original
Found a secondary file after the ramdisk image. According to the spec (mkbootimg.h) this file can exist, but this script is not designed to deal with this scenario.
Is there a guide anywhere?
Click to expand...
Click to collapse
thousands.. But the problem is that our device is sensitive when it comes to packaging the boot.img again. Bootimgtool is working in 9 of 10 times though.
Boot mAid . Open a terminal. Type bootimgtool --help .important is to use "-v qcom". Then extract the ramdisk with gzip and cpio, then modding the default.prop to make it insecure , then using gzip and cpio again to rebuild the ramdisk, finally using bootimgtool to construct the boot.img again. Sounds harder than it is but i have no access to my pc until monday so i cannot give all the needed cmds atm. There are plenty of guides out there and tools ofc which allow unpack,repack etc. That's why i mentioned AIK which does exactly the above but it fails sometimes to build a correct working boot.img.
So my suggestion is try your luck with one of the tools or wait until I've access to my pc. Consider joining my TG group then for easier support (see my sig)

steadfasterX said:
thousands.. But the problem is that our device is sensitive when it comes to packaging the boot.img again. Bootimgtool is working in 9 of 10 times though.
Boot mAid . Open a terminal. Type bootimgtool --help .important is to use "-v qcom". Then extract the ramdisk with gzip and cpio, then modding the default.prop to make it insecure , then using gzip and cpio again to rebuild the ramdisk, finally using bootimgtool to construct the boot.img again. Sounds harder than it is but i have no access to my pc until monday so i cannot give all the needed cmds atm. There are plenty of guides out there and tools ofc which allow unpack,repack etc. That's why i mentioned AIK which does exactly the above but it fails sometimes to build a correct working boot.img.
So my suggestion is try your luck with one of the tools or wait until I've access to my pc. Consider joining my TG group then for easier support (see my sig)
Click to expand...
Click to collapse
Thank you once again. I'm really impressed by how much help you have been able to give so far.
Unfortunately, I have no phone with which to join the Telegram group.
I made the modified boot image, but adb is still unable to speak to the phone during boot. I note that lsusb does not show the phone during boot -- maybe the system hangs before USB is activated. However, I could have made the boot image incorrectly.
Here is what I did:
[[email protected] extract]$ bootimgtool -i boot
Image size: 41943040
Page size: 4096
Kernel size: 22456976
Ramdisk size: 1672742
Second stage size: 0
Device tree size: 0
Kernel load address: 0x00008000
Ramdisk load address: 0x01000000
Second stage load address: 0x00f00000
Device tree load address: 0x00000000
Tags load address: 0x00000100
Product name:
Command line: maxcpus=4 boot_cpus=0-1 console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 msm_rtb.filter=0x37 boot_cpus=0-1 buildvariant=userdebug
[[email protected] extract]$ bootimgtool -x boot -v qcom
[[email protected] extract]$ gunzip ramdisk
[[email protected] ex]$ cpio -i < ../ramdisk
In default.prop, I changed:
ro.adb.secure=0
ro.secure=0
security.perf_harden=0
ro.debuggable=0
persist.sys.usb.config=mtp,adb
In default.prop, I added:
persist.service.adb.enable=1
persist.service.debuggable=1
[[email protected] ex]$ find > /tmp/filelist
[[email protected] ex]$ cpio -o < /tmp/filelist > ../ramdisk.modified
This produces
-rw-r--r-- 1 android users 4166400 Jan 2 17:29 ramdisk.gunzip.original
-rw-r--r-- 1 android users 4162048 Jan 2 17:31 ramdisk.modified
-rw-r--r-- 1 android users 1672742 Jan 2 17:16 ramdisk.img.original
I don't understand why the "modified" gunzipped file is slightly smaller than the original.
[[email protected] extract]$ mv ramdisk.modified.gz ramdisk.img
[[email protected] extract]$ cp boot boot.original
[[email protected] extract]$ bootimgtool -v qcom -c boot
Overwrite 'boot'? [y/N] y
-rw-r--r-- 1 android users 25370624 Jan 2 17:38 boot
-rw-r--r-- 1 android users 41943040 Jan 2 17:37 boot.original
I am wary because I don't understand why the new file is so much smaller than the original. However, I decided to proceed. Uploaded modified boot to /sdcard/boot.modified
Inside adb:
/dev/block/platform/soc.0/f9824900.sdhci/by-name # ls -al boot
lrwxrwxrwx 1 root root 21 Jan 1 04:16 boot -> /dev/block/mmcblk0p38
/dev/block/platform/soc.0/f9824900.sdhci/by-name # cp /sdcard/boot.modified /dev/block/mmcblk0p38
Plugged in device. On computer "adb wait-for-device". Reboot device.
Unfortunately, no action from adb.

electricfield said:
Thank you once again. I'm really impressed by how much help you have been able to give so far.
Unfortunately, I have no phone with which to join the Telegram group.
I made the modified boot image, but adb is still unable to speak to the phone during boot. I note that lsusb does not show the phone during boot -- maybe the system hangs before USB is activated. However, I could have made the boot image incorrectly.
Here is what I did:
[[email protected] extract]$ bootimgtool -i boot
Image size: 41943040
Page size: 4096
Kernel size: 22456976
Ramdisk size: 1672742
Second stage size: 0
Device tree size: 0
Kernel load address: 0x00008000
Ramdisk load address: 0x01000000
Second stage load address: 0x00f00000
Device tree load address: 0x00000000
Tags load address: 0x00000100
Product name:
Command line: maxcpus=4 boot_cpus=0-1 console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 msm_rtb.filter=0x37 boot_cpus=0-1 buildvariant=userdebug
[[email protected] extract]$ bootimgtool -x boot -v qcom
[[email protected] extract]$ gunzip ramdisk
[[email protected] ex]$ cpio -i < ../ramdisk
In default.prop, I changed:
ro.adb.secure=0
ro.secure=0
security.perf_harden=0
ro.debuggable=0
persist.sys.usb.config=mtp,adb
In default.prop, I added:
persist.service.adb.enable=1
persist.service.debuggable=1
[[email protected] ex]$ find > /tmp/filelist
[[email protected] ex]$ cpio -o < /tmp/filelist > ../ramdisk.modified
This produces
-rw-r--r-- 1 android users 4166400 Jan 2 17:29 ramdisk.gunzip.original
-rw-r--r-- 1 android users 4162048 Jan 2 17:31 ramdisk.modified
-rw-r--r-- 1 android users 1672742 Jan 2 17:16 ramdisk.img.original
I don't understand why the "modified" gunzipped file is slightly smaller than the original.
[[email protected] extract]$ mv ramdisk.modified.gz ramdisk.img
[[email protected] extract]$ cp boot boot.original
[[email protected] extract]$ bootimgtool -v qcom -c boot
Overwrite 'boot'? [y/N] y
-rw-r--r-- 1 android users 25370624 Jan 2 17:38 boot
-rw-r--r-- 1 android users 41943040 Jan 2 17:37 boot.original
I am wary because I don't understand why the new file is so much smaller than the original. However, I decided to proceed. Uploaded modified boot to /sdcard/boot.modified
Inside adb:
/dev/block/platform/soc.0/f9824900.sdhci/by-name # ls -al boot
lrwxrwxrwx 1 root root 21 Jan 1 04:16 boot -> /dev/block/mmcblk0p38
/dev/block/platform/soc.0/f9824900.sdhci/by-name # cp /sdcard/boot.modified /dev/block/mmcblk0p38
Plugged in device. On computer "adb wait-for-device". Reboot device.
Unfortunately, no action from adb.
Click to expand...
Click to collapse
Ok i haven't followed every step bc I'm in half sleep mode already but you did one step wrong : you cant use cp like you did to copy the boot img. Either use the IMG button within TWRP flash menu or use fastboot flash boot boot.img to actually flash the modded boot img

Thank you, once again.
I think that something must be wrong with the boot image.
After "fastboot flash boot boot.modified", I get a blue light. The screen is blank with a cursor in the upper-left hand corner.
"fastboot flash boot boot.original" restores it to its previous state. i.e., it gets to the first lineageos splash screen bubble.
I'm suspicious of the difference between the file sizes of the original and modified boot images.

electricfield said:
Thank you, once again.
I think that something must be wrong with the boot image.
After "fastboot flash boot boot.modified", I get a blue light. The screen is blank with a cursor in the upper-left hand corner.
"fastboot flash boot boot.original" restores it to its previous state. i.e., it gets to the first lineageos splash screen bubble.
I'm suspicious of the difference between the file sizes of the original and modified boot images.
Click to expand...
Click to collapse
Ignore the size diff. That's bc of diff compressing tools but does not matter. Your cpio cmd is unusual . Cpio has switches to create directories and that is not used in yours above . Thats likely the reason why it does not boot at all. Again sorry that i can't help better atm but without my pc..

Thanks.
I changed the ramdisk extraction command to:
gzip -dc ../ramdisk.img | cpio -imd
and the creation command to:
find . ! -name . | LC_ALL=C sort | cpio -o -H newc -R root:root | gzip > ../new-boot.img-ramdisk.gz
Bootimgtool then produced a boot image that booted. After fastboot flash, the device is in the same state as before (splash screen).
Unfortunately, "adb wait-for-device" produces nothing. "lsusb" does not show the phone.
Can you confirm the lines to change in default.prop?
In default.prop, I changed:
ro.adb.secure=0
ro.secure=0
security.perf_harden=0
ro.debuggable=0
persist.sys.usb.config=mtp,adb
I added:
persist.service.adb.enable=1
persist.service.debuggable=1

electricfield said:
Thanks.
I changed the ramdisk extraction command to:
gzip -dc ../ramdisk.img | cpio -imd
and the creation command to:
find . ! -name . | LC_ALL=C sort | cpio -o -H newc -R root:root | gzip > ../new-boot.img-ramdisk.gz
Bootimgtool then produced a boot image that booted. After fastboot flash, the device is in the same state as before (splash screen).
Unfortunately, "adb wait-for-device" produces nothing. "lsusb" does not show the phone.
Can you confirm the lines to change in default.prop?
In default.prop, I changed:
ro.adb.secure=0
ro.secure=0
security.perf_harden=0
ro.debuggable=0
persist.sys.usb.config=mtp,adb
I added:
persist.service.adb.enable=1
persist.service.debuggable=1
Click to expand...
Click to collapse
ro.debuggable=1 is better (allows adb root)
security.perf_harden shouldn't be added (or.changed if it was there)
Rest looks ok. At least as long as you really changed these values directly or added them at the top (ro. values can be set only once)
Otherwise you should wait until tomorrow then i can share a 100% working way

electricfield said:
Thanks.
I changed the ramdisk extraction command to:
gzip -dc ../ramdisk.img | cpio -imd
and the creation command to:
find . ! -name . | LC_ALL=C sort | cpio -o -H newc -R root:root | gzip > ../new-boot.img-ramdisk.gz
Bootimgtool then produced a boot image that booted. After fastboot flash, the device is in the same state as before (splash screen).
Unfortunately, "adb wait-for-device" produces nothing. "lsusb" does not show the phone.
Can you confirm the lines to change in default.prop?
In default.prop, I changed:
ro.adb.secure=0
ro.secure=0
security.perf_harden=0
ro.debuggable=0
persist.sys.usb.config=mtp,adb
I added:
persist.service.adb.enable=1
persist.service.debuggable=1
Click to expand...
Click to collapse
Oh wait! Pls share the bootimgtool command you are using to create the new boot.img

Thank you, again.
The bootimgtool command is the same one as I used before (no change). Before running it, I renamed the new ramdisk to ramdisk.img.
bootimgtool -v qcom -c boot.modified3
Followed by bringing the phone into fastboot mode and running
fastboot flash boot boot.modified3
The phone boots to the lineageos splash screen but no response to "adb wait-for-device".
I'll try ro.debuggable=1 and get rid of security.perf_harden in a few minutes, but I wonder if they are unlikely to change anything given that the device does not show up in (linux) lsusb.

electricfield said:
Thank you, again.
The bootimgtool command is the same one as I used before (no change). Before running it, I renamed the new ramdisk to ramdisk.img.
bootimgtool -v qcom -c boot.modified3
Followed by bringing the phone into fastboot mode and running
fastboot flash boot boot.modified3
The phone boots to the lineageos splash screen but no response to "adb wait-for-device".
I'll try ro.debuggable=1 and get rid of security.perf_harden in a few minutes, but I wonder if they are unlikely to change anything given that the device does not show up in (linux) lsusb.
Click to expand...
Click to collapse
That wont change anything if adb does not come up. Just for completeness.
Ok so if you renamed it to ramdisk.img then all.good that was the thing i had in mind (that you didn't and not.used the -r switch). Well ok then without my pc the only thing i can think of might be the USB cable but thats very unlikely

Thanks again for your help.
The boot image that was flashed is definitely the correct one. I extracted it to another folder and checked it before flashing.
I re-made the boot image, but the result is the same (no adb, no device in lsusb).
What "-r switch" are you referring to in your previous message?
The USB cable works fine for ADB in TWRP, so I doubt it is the problem.

electricfield said:
Thanks again for your help.
The boot image that was flashed is definitely the correct one. I extracted it to another folder and checked it before flashing.
I re-made the boot image, but the result is the same (no adb, no device in lsusb).
What "-r switch" are you referring to in your previous message?
The USB cable works fine for ADB in TWRP, so I doubt it is the problem.
Click to expand...
Click to collapse
The -r (iirc) switch was related to bootimgtool. That way you can choose your newly created ramdisk.img but when you renamed it to ramdisk.img it works without.

Thanks.
I would deeply appreciate if you were able to guide me in making the boot image correctly when you have your computer on Monday.
On the other hand, if this method won't work, its best if I know that so that I can try the next thing....

electricfield said:
Thanks.
I would deeply appreciate if you were able to guide me in making the boot image correctly when you have your computer on Monday.
On the other hand, if this method won't work, its best if I know that so that I can try the next thing....
Click to expand...
Click to collapse
ok here you go, this must be added /changed in default.prop:
Code:
ro.adb.secure=0
ro.secure=0
ro.debuggable=1
persist.service.adb.enable=1
persist.service.debuggable=1
persist.sys.usb.config=adb
thumbs pressed

Thank you.
I rebuilt the boot image with these entries, but "adb wait-for-device" still does not work during boot.
Any other ideas?