Question Why does Moto G60 flashall.bat commands appear as a Non AB device when looking at the fastboot flash command, while Moto G60 is an AB device? - Moto G40 / G60

Friends, if anyone has knowledge of this, I would like to thank them in advance for increasing my knowledge, for me as well as for other readers who will find it.
While looking at the flashall.bat commands of the Moto G60 and comparing them with other Motorola flashall.bat commands, the comparison of these three shows that 2 are AB devices, but looking at the flashing commands of the Moto G60, it looks like a non-AB device. Why? The G60 is also an AB device.
If we follow the flashall.bat commands of the Moto G60, then according to that, boot.img can be flashed with both commands. If not, why? Can someone please tell me?
For Non-A/B partition system:
fastboot flash boot patched_boot.img
For A/B partition system:
fastboot flash boot_a patched_boot.img
fastboot flash boot_b patched_boot.img

Where did you get the two flash files from? For as far as I know, the software package does not contain a flashall.bat file. Also, I don't think stock ROM actually flashes boot.img on both slots. I think it only flashes slot A. Which, if I'm not mistaken, I think is also the default one. So...if there's no slot specified, it takes slot A by default. Slot B, for as far as I know, is used for updates. So...main slot will always be slot A.
But I think the files you provided are made by someone. So....I don't think it's actually a problem.
The reference file you should be comparing to is flashfile.xml from the stock ROM.

arsradu said:
Where did you get the two flash files from? For as far as I know, the software package does not contain a flashall.bat file. Also, I don't think stock ROM actually flashes boot.img on both slots. I think it only flashes slot A. Which, if I'm not mistaken, I think is also the default one. So...if there's no slot specified, it takes slot A by default. Slot B, for as far as I know, is used for updates. So...main slot will always be slot A.
But I think the files you provided are made by someone. So....I don't think it's actually a problem.
The reference file you should be comparing to is flashfile.xml from the stock ROM.
Thank you very much for answering!
OK, looking at your answer I will study more about AB partitions & flashing. Anyway, this has been a confusing topic for me from the beginning.
We have obtained hanoip-flashall.bat from kfhost.net which was proposed by @sd_shadow on xda thread.
[Guide] Using Fastboot.exe with Motorola devices
Guide: Using Fastboot.exe with Motorola Devices If your device has its own section please post in that section. You can ping me with @sd_shadow MediaTek or Qualcomm Chip? Do I have a MediaTek Device? see post #26 Info: If you have a MediaTek...
forum.xda-developers.com
Yes, There are also available xml to bat converter (windows)+ online converter, which is given below.
After getting the file i matched & verified the script of service file.xml & flashfile.xml from hanoip's fastboot firmware which is 100% accurate.
Yes, The extra fastboot file that we have given is just for the understanding of the readers, comparative, as an example. When the reader understands my point well, then only he will be able to answer me in a good way. That file is also absolutely authentic and has been checked.
Yes, I know fastboot super.img always takes slot A. But wait, if boot.img goes only on slot A, according to you, then why do we need to flash it like this?
Why is it recommended to flash boot.img on an AB device like this?
fastboot flash boot_a patched_boot.img
fastboot flash boot_b patched_boot.img
But my real question was why the fastboot flashing commands of hanoip look like an older device's fastboot commands, i.e. like a non-AB device.
I also asked the question because I was making a recovery-flashable script for myself which can flash vbmeta.img on an AB partition from recovery. If it succeeds, I would create a recovery script to flash boot.img and flash it. I just had to test it, which is the following.
ui_print("* Boot installer *");
ui_print(" ");
ui_print(" ");
show_progress(1.000000, 0);
ui_print("* Checking device... *");
ui_print("* *");
ui_print("* *");
# Stop before anything is written if this is not a Moto G60 (hanoip).
if getprop("ro.product.device") != "hanoip" then
    abort("This package is for hanoip only");
else
    ui_print("* Device: hanoip *");
endif;
# ro.build.system_root_image is used here as the A/B indicator.
if getprop("ro.build.system_root_image") != "true" then
    if getprop("ro.boot.dynamic_partitions") != "true" then
        # No dynamic partitions: write the single, unsuffixed boot partition.
        ui_print("* Partition Type: A-Only *");
        ui_print("* *");
        ui_print("* *");
        ui_print("* Flashing Boot... *");
        ui_print("* *");
        package_extract_file("boot.img", "/dev/block/bootdevice/by-name/boot");
    else
        # Dynamic partitions: write the same image to both boot slots.
        ui_print("* Partition Type: Dynamic *");
        ui_print("* *");
        ui_print("* *");
        ui_print("* Installing new Boot... *");
        ui_print("* *");
        package_extract_file("boot.img", "/dev/block/bootdevice/by-name/boot_a");
        package_extract_file("boot.img", "/dev/block/bootdevice/by-name/boot_b");
    endif;
else
    # Treated as A/B: write the same image to both boot slots.
    ui_print("* Partition Type: A/B *");
    ui_print("* *");
    ui_print("* *");
    ui_print("* Installing new Boot.... *");
    ui_print("* *");
    package_extract_file("boot.img", "/dev/block/bootdevice/by-name/boot_a");
    package_extract_file("boot.img", "/dev/block/bootdevice/by-name/boot_b");
endif;
set_progress(0.525000);
ui_print("*********************************************");
ui_print("* Installation successful... *");
ui_print("*********************************************");
ui_print(" ");
set_progress(1.000000);
I have done this work successfully in the past. Although I am not a developer or script writer, I use UKAtools (given below) successfully for this work. I have been seeing/reading xda for approx 9-10 yrs or IDK since when. I have a government job now and I don't have time all day at all, and whenever there are 10 or 20 minutes of time in duty hours, I study XDA, and this is the only way to get technical knowledge about android for me now.
But all of a sudden I got scared and stopped my experiment because I have only one moto g60.
I know a guy from my own society who is a tech enthusiast and interested in new information about android. He told me that the boot loader got locked when he flashed img on Moto G60. I am also seeing on xda that the boot loader of moto g60 gets locked.
I talked on this subject through a phone call to a friend, an android software engineer at a service/repairing center, and he told me: I am busy in my work & I don't have time to study the Moto G60, this device is quite new, till now no one has come to me with a software related mobile repairing problem. But it can happen if you flash something wrong or a wrong command, or maybe the boot loader is hardcoded and does not tolerate any reverse movement.
Thank you!
Unpacker Kitchen for Android(UKA)
version: 4.9.4 Last update of the program in the header: 04/06/2020 Developer: kory-vadim For the program to function, root privileges are required. Install: flash as Magisk module Short description: Unpacking, assembling and converting...
forum.xda-developers.com

I guess different firmware requires different flashing procedure. But why exactly I think only Motorola can tell you. But it's unlikely they will.
Moto locking issue is unlikely to be because of flashing boot.img. It's likely because of people downgrading their android version or security patch to an older version, and locking the bootloader themselves, before checking if the bootloader is still unlockable on the OS side.
Flashing boot.img does not lock the bootloader on its own.
By the way, the flashall.bat file from above is missing flashing sparsechunk.10. Not sure whether it's intended or not. Maybe some firmwares have it, some don't, depending on the region. Mine does.
Also, another one that's missing:
fastboot getvar max-sparse-size.
I also checked on my Moto One Action, and that one is flashing both slots. But also uses system.img instead of super.img. So...there are a couple of differences, even though both devices are A/B devices.
Specifically, it flashes these (only selected the ones with _a/_b):
ldfw_a
ldfw_b
keystorage_a
keystorage_b
bootloader_a
bootloader_b
modem_a
vbmeta_a
oem_a
oem_b
logo_a
dtbo_a
boot_a (no boot_b)
system_a
system_b (system.other files)
vendor_a
So...for now, aside from maybe some custom ROMs, or recoveries, I can't see a need to flash boot.img on slot_b. I don't know why modified boot images (such as the ones in your example above) are flashed on both slots though...
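
Added example (not part of any post in this thread, and not Motorola's or kfhost.net's code): one way to do the comparison discussed above, listing the steps a converted flashall.bat drops relative to flashfile.xml and showing whether partitions are named with or without a slot suffix. The `<step>` layout of the XML and both sample files are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. The <step> layout is an assumption about flashfile.xml;
# file names and MD5 values are placeholders, not data from real firmware.
SAMPLE_FLASHFILE_XML = """<flashing>
  <steps interface="AP">
    <step operation="getvar" var="max-sparse-size"/>
    <step operation="oem" var="fb_mode_set"/>
    <step MD5="PLACEHOLDER" filename="gpt.bin" operation="flash" partition="partition"/>
    <step MD5="PLACEHOLDER" filename="vbmeta.img" operation="flash" partition="vbmeta"/>
    <step MD5="PLACEHOLDER" filename="boot.img" operation="flash" partition="boot"/>
    <step MD5="PLACEHOLDER" filename="super.img_sparsechunk.0" operation="flash" partition="super"/>
    <step MD5="PLACEHOLDER" filename="super.img_sparsechunk.1" operation="flash" partition="super"/>
    <step operation="erase" partition="userdata"/>
    <step operation="oem" var="fb_mode_clear"/>
  </steps>
</flashing>"""

# Constructed sample: one getvar and one sparsechunk are deliberately left out.
SAMPLE_FLASHALL_BAT = """@echo off
REM converted from flashfile.xml
fastboot oem fb_mode_set
fastboot flash partition gpt.bin
fastboot flash vbmeta vbmeta.img
fastboot flash boot boot.img
fastboot flash super super.img_sparsechunk.0
fastboot erase userdata
fastboot oem fb_mode_clear
pause
"""

SLOT_SUFFIX = re.compile(r"_(a|b)$")


def steps_from_xml(xml_text):
    """Return every <step> as a tuple shaped like a fastboot argument list."""
    steps = []
    for step in ET.fromstring(xml_text).iter("step"):
        fields = (step.get("operation"), step.get("partition"),
                  step.get("filename"), step.get("var"))
        steps.append(tuple(f for f in fields if f))
    return steps


def steps_from_bat(bat_text):
    """Return the arguments of every fastboot line; other lines are ignored."""
    steps = []
    for line in bat_text.splitlines():
        tokens = line.strip().split()
        if tokens and re.fullmatch(r"(?i)fastboot(\.exe)?", tokens[0]):
            steps.append(tuple(tokens[1:]))
    return steps


def compare(reference, candidate):
    """Steps present only in the reference (missing) or only in the script (extra)."""
    missing = [s for s in reference if s not in candidate]
    extra = [s for s in candidate if s not in reference]
    return missing, extra


def describe_layout(steps):
    """Summarise how the flash steps name their partitions.

    An unsuffixed name does not by itself mean a non-A/B device: on a device
    with slots, AOSP fastboot resolves such a name to a slot at run time.
    """
    flashed = [s[1] for s in steps if s[0] == "flash" and len(s) > 1]
    return {
        "explicit_slot": sorted({p for p in flashed if SLOT_SUFFIX.search(p)}),
        "unsuffixed": sorted({p for p in flashed if not SLOT_SUFFIX.search(p)}),
        "has_super": "super" in flashed,  # super.img_sparsechunk.* present
    }


if __name__ == "__main__":
    ref = steps_from_xml(SAMPLE_FLASHFILE_XML)
    bat = steps_from_bat(SAMPLE_FLASHALL_BAT)
    missing, extra = compare(ref, bat)
    for step in missing:
        print("missing from .bat:", " ".join(step))
    for step in extra:
        print("not in flashfile.xml:", " ".join(step))
    print(describe_layout(ref))
```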

Dear @arsradu, I agree with you and I understood it. But it is better to take good care than to regret. If we had a test device, I wouldn't even have to ask the question. When I have only one device, and that too is a daily driver, then care has to be taken, and also even more when I have no means of obtaining a source of knowledge about it.
It could be off topic, but anyway, your words have boosted my courage. My main purpose is that I want to prepare a complete recovery-flashable zip based on "file_transfer_op_list" with a fully debloated super.img (useless apk fully removed) from the sparsechunk files. But AB is hindering this work; it seems I have to study more about it and also the properties & file system of the moto g60.
Thanks a lot, again!

RajivShastri king said:
Dear @arsradu, I agree with you and I understood it. But it is better to take good care than to regret. If we had a test device, I wouldn't even have to ask the question. When I have only one device, and that too is a daily driver, then care has to be taken, and also even more when I have no means of obtaining a source of knowledge about it.
It could be off topic, but anyway, your words have boosted my courage. My main purpose is that I want to prepare a complete recovery-flashable zip based on "file_transfer_op_list" with a fully debloated super.img (useless apk fully removed) from the sparsechunk files. But AB is hindering this work; it seems I have to study more about it and also the properties & file system of the moto g60.
Thanks a lot, again!
You know, I'm a lot like you. I'm not a developer, but I am an enthusiast, and I love tinkering and learning new things. I loved tech all my life, and I can't get bored of it.
I don't pretend to know it all, cause I most certainly don't. But I don't mind learning. From you, from others, and from my own research, testing, failures and successes. There's a lot to learn. But it also helps a lot to know a few things so you avoid bricking your device.
And yeah, I totally agree. When it's your only device, you tend to be really careful, cause if something happens and you can't boot anymore...well, it's gonna suck pretty badly. So yeah, I definitely understand your point of view.
Right now, for example, my G60 is back to stock Android 12, with July security patch, after having Android 13 AOSP installed for a while.
And...it's very curious what's happening, cause the OEM Unlocking option is greyed out (which is normal), but the toggle is OFF right now. Which...is not good. And because of this, I'm not very confident in locking the bootloader right now.
Some people said the toggle will turn ON after a while...maybe 7 days...maybe after the next system update...so...I'm still waiting for that.
But right now, I'm not gonna lock the bootloader.
What's very interesting is that I managed to put back stock Android 11, after having Pixel Experience based on Android 12, on my Moto One Action, and also locked the bootloader, and...everything went fine. But that OEM Unlocking option was ON in that case.
I don't know why it doesn't work the same way on the G60. Maybe there's something else that needs to be done. Maybe we just need to wait 7 days for that option to turn ON by itself... I don't know. I'll let you know when I find out more.
Right now, my best advice: don't relock your bootloader until that OEM Unlocking option is ON. Meaning bootloader is unlockable. Even if you're not planning to unlock it again. In case you can't boot, it's gonna save you from bricking your phone.

Here's another interesting thought.
You know, when you relock the bootloader, it will refuse flash commands (and apparently other commands, as well), complaining about the fact that the OEM Unlocking option is not ON (permission denied).
Right...but when you reflash the ROM with RSA for example, even with a locked bootloader (bootloader is locked by default, right) it works without a problem. How come?
What's different in this case? What is RSA doing that we can't? Or is it just because it's flashing the same ROM or newer (so it's not a downgrade)? So...basically, fastboot allows it in this case, even with a locked bootloader.
I'm confused. Anyway...just some random ideas in my head right now. But, I just thought it would be interesting to mention.

arsradu said:
I guess different firmware requires different flashing procedure. But why exactly I think only Motorola can tell you. But it's unlikely they will.
Moto locking issue is unlikely to be because of flashing boot.img. It's likely because of people downgrading their android version or security patch to an older version, and locking the bootloader themselves, before checking if the bootloader is still unlockable on the OS side.
Flashing boot.img does not lock the bootloader on its own.
By the way, the flashall.bat file from above is missing flashing sparsechunk.10. Not sure whether it's intended or not. Maybe some firmwares have it, some don't, depending on the region. Mine does.
Also, another one that's missing:
fastboot getvar max-sparse-size.
I also checked on my Moto One Action, and that one is flashing both slots. But also uses system.img instead of super.img. So...there are a couple of differences, even though both devices are A/B devices.
Specifically, it flashes these (only selected the ones with _a/_b):
ldfw_a
ldfw_b
keystorage_a
keystorage_b
bootloader_a
bootloader_b
modem_a
vbmeta_a
oem_a
oem_b
logo_a
dtbo_a
boot_a (no boot_b)
system_a
system_b (system.other files)
vendor_a
So...for now, aside from maybe some custom ROMs, or recoveries, I can't see a need to flash boot.img on slot_b. I don't know why modified boot images (such as the ones in your example above) are flashed on both slots though...
Bro, you have told few new things by editing the answer, so I couldn't see the topic which i read later. Sorry for this.
The question I asked, & flashall.bat belongs following firmware (see screenshot of my file browser) Flashall.bat is generated by kfhost.net through following firmware's flashfile.xml. & I kept this flashall.bat file for myself personal use.
XT2135-2_HANOIP_RETAIL_RRI31.Q1-42-51-8_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip
"fastboot getvar max-sparse-size"
This line is not missing, I have intentionally removed it. (for my convenience)
If it is not removed, it does not matter.
(My question was about hanoip's fastboot commands.)
It only has up to super.img_sparsechunk.9, but that's not an issue or not a part of info which I need.(Please see screenshot of my file browser)
This bat file is my personal needs. The work of flashall.bat file is that, instead of typing one by one commands, batch file is processed all commands at Once in double click.
The two extra flash.bat files which are given separately are also absolutely convincing, they are given only as examples and comparison symbols. Both bat files are also authentic and collected from an internet source. But here that was not the issue at all, it was just the issue which I have already mentioned. If I had found my solution, I would not have had to search separately to study.
But from the information i got from your reply, I noticed & kept.
I already told what I have to do. There will be only two things in the experiment, success or failure, in both cases, I will learn something, but I will definitely tell you whether I am successful or unsuccessful in yr msg section.
At the end, I want to say that I will be very grateful to you for the time you have given to me, for the informative knowledge you have given to me.
!!Again thanks a lot!!

You know, last night, I've learned something new.
I found a google page, that said that, if you have some issues with the OEM Unlocking option, you need to connect to the internet, and do a CHECKIN (*#*#2432546#*#*) command from the dialer. Here's the page.
I tried it, it works, but...I'm guessing this doesn't work for already unlocked bootloaders, cause it didn't turn ON the OEM Unlocking option for me. But it might work for other devices, or different situations. Ooor...maybe I need to wait little bit longer for that option to turn ON (7 days maybe...?). Anyway, I found it interesting that it's connected to the internet and that you can actually "ping" it with that command.
Also, you said you'd like to learn more about AB devices. I think this could be useful (in case you haven't seen it already).
Also, this is a very interesting read. Especially the warning. I have a feeling it's not just with Pixel devices.

arsradu said:
You know, last night, I've learned something new.
I found a google page, that said that, if you have some issues with the OEM Unlocking option, you need to connect to the internet, and do a CHECKIN (*#*#2432546#*#*) command from the dialer. Here's the page.
I tried it, it works, but...I'm guessing this doesn't work for already unlocked bootloaders, cause it didn't turn ON the OEM Unlocking option for me. But it might work for other devices, or different situations. Ooor...maybe I need to wait little bit longer for that option to turn ON (7 days maybe...?). Anyway, I found it interesting that it's connected to the internet and that you can actually "ping" it with that command.
Also, you said you'd like to learn more about AB devices. I think this could be useful (in case you haven't seen it already).
Also, this is a very interesting read. Especially the warning. I have a feeling it's not just with Pixel devices.
I study this site a lot but never saw it, interesting.. very interesting!!!

RajivShastri king said:
I study this site a lot but never saw it, interesting.. very interesting!!!
Yesterday I tried googling that code...and you know what? I couldn't find it between the first google results. How is that even possible? These pages are not indexed by google? How come google's own documentation is not available in google search?!
Also, wanna hear something else that's interesting?
Look at this.
OEM Unlocking option NOT greyed out anymore. Option set to OFF, by default, buuuut....
It CAN be turned ON on demand! And yes, it works!
This is after installing Pixel Experience ROM for G60.
And...one more interesting thing...it flashed on the inactive slot B, activated it, and it's now booting with no problems from slot B.
Before the flash, my active slot was slot A.
Also, couple of errors when flashing. Not sure if those are intended or not... But sharing it just for fun.
So...now I'm curious...if I go back to stock Android 12 (still on July security patch, just like PE)...will it still be OEM Unlocking ON...? This is fascinating, to be honest!

Downgrade to a11 RRI31.Q1-42-51-8
I think system will be ro so you can't delete apk. Use uka tool or use magisk debloater, there are many useless apk, disable them. Don't forget to disable Facebook, talkback, duo, extra useless keyboard, cellbroadcastreceiver, Emergency info etc etc. Use single sim. You will find extreme² battery life. (based on report of a test user)
If you love a12 very much then do the same thing.. must try
I also sometimes feel the difference between ab theory and practice, so I do not pay attention to ab. Ota takes b & boot and check get=a.
I want to tell something for you, when you are giving your valuable time to me, then I should also tell without being selfish.
But remember, English is my second language and I write mostly in short sentences, because I am very lazy typing on the device keyboard.
When you extract a firmware, by looking at its files, you can understand much of the nature of the system, such as:
system.img_sparsechunk = no super partition
super.img_sparsechunk = you have a super partition
If the firmware package contains vbmeta.img = the device has a separate vbmeta partition. (or vbmeta, or vbmeta_a, or vbmeta_b)
If "no" then your device does not have a vbmeta partition, it is inside your boot.img.
If no recovery, it means recovery is inside your boot.
If no boot, it means boot is inside your recovery.
Another interesting fact related to our previous conversation:-
Download it from GitHub:-
Moto_Boot_Logo_Maker_v4.4.4.5_PORTABLE.zip
Extract, you will get a folder named "files". Open it, then go to the folder "Logozip", open it & you will find
updater-script. Read this script. Here you will find that the flashing script flashes logo.bin as follows on an AB device
package_extract_file("logo.bin", "/dev/block/bootdevice/by-name/logo_a");
package_extract_file("logo.bin", "/dev/block/bootdevice/by-name/logo_b");

How to flash TWRP onto both Slot A and Slot B? - Can't find a straight answer.
Hello, my goal is to flash TWRP onto both Slot A and Slot B. I've flashed TWRP into Slot A, while Slot B is flashed with LineageOS recovery, currently. I'm pretty sure I then flashed the OS/ROM with TWRP into Slot A but afterward I had a...
forum.xda-developers.com

About the Logo, I actually did notice that on my old Moto One Action.
Slot A had one boot logo, slot B had another one. And of course I never noticed that until I unlocked the bootloader and flashed custom ROMs to it, cause it was always booting from the same slot. So...no visible difference for the user.
About flashing TWRP on both slots, it can actually be done fairly easily on this device with this command:
fastboot flash boot /path-to-twrp.img
oooor, just boot twrp with the following command,
fastboot boot /path-to-twrp.img
and install it from within itself (I think the option is "Install TWRP to Ramdisk" or something like that)
By the way, I downgraded to stock Android 12 on my G60, and...unfortunately the OEM Unlocking option is now back to OFF and greyed out. Don't know why...
But it's weird. I mean, with a custom ROM, it allows me to turn it On and Off, but with stock Android, it doesn't...? Makes no sense to me. But I could be missing something.
As for booting from Slot B, or any other slot, TWRP can actually easily set either Slot A or Slot B as active. Of course, if there's no OS, you won't be able to boot. But it can switch easily between the two.
Also, I think...technically, a stock ROM could boot no problems from slot B. It's just that, the way we install it, it's flashed to slot A, by default.

Related

[CONCLUSIONS] S-OFF with Unlock/Lock Bootloader

Hi everyone!
What we need:
A kernel hacker!
Why?
Because of this:
no.human.being said:
Yep this is great. This routine will definitely play a key part for our further investigation. The plan I have is the following ...
I'd like to dump the device's Flash memory (physically, via JTAG), disassemble its contents (e. g. with objdump, as I'm not familiar with IDA and it actually looks quite "advanced") and find where the ARM starts execution. This is probably a fixed address, might find it in the processor's datasheets. There are no datasheets available for the MSM7227, however, it is a replica of the ARM1136EJS for which there are no datasheets either, but there are extensive datasheets for the ARM1136JS, which is probably similar. Just search for the document "ARM DDI 0211K" on your favourite search engine. It's very extensive, so there's really not much that should be "undocumented" about this processor.
Once we know where execution starts, we should try to analyze the "initialization routine" of the processor's firmware, which initializes the uC, loads the vendor specific firmware (Radio, HBOOT) into memory and starts execution. This routine will load the firmware from persistent (Flash) into volatile (RAM) memory and it will probably "pull together" the RAM contents from different parts of the Flash. (Might it already set up some page tables for the MMU at this point?) This is probably why you don't see the "jump table" in the HBOOT image. It's probably not part of HBOOT at all, but from a section that just gets "loaded near HBOOT" into volatile memory during the controller's initialization. (Might it be part of the Radio?)
When we trace the code further through the "jump table" (I'd love to do this on the actual physical device so I really hope that the processor supports single-stepping), we'll hopefully find the actual physical address of the secu_flag. As soon as we have it, the most obvious thing to do is just flick it via JTAG and check whether the device is S-OFF afterwards.
Finally, when we know where the secu_flag resides on the WFS (which means we know its physical address), we can try to find a way to access it from within Android. There's almost certainly some more protection in place, possibly protection via MMU, so we might have to modify Android to set up different page tables during boot process, but once we got that far, this should not be what stops us.
If you have any questions/suggestions, just feel free to ask/propose them.
At least the...
Code:
fastboot -c "mtdparts=msm_nand:0x..." boot recovery.img
... works and it does not require S-OFF! However, the ...
Code:
fastboot oem listpartition
... fails ...
Code:
...
INFO[ERR] Command error !!!
OKAY [ 0.000s]
finished. total time: 0.000s
So yes, we can change the mapping of memory to mtd devices, but we cannot find out how the partitions are laid out on the device (at least not via fastboot, can't we ask the operating system somehow?).
...
Now stop a moment and take a deep breath!
...
Wait! What have we just found out? We can load an arbitrary OS image (kernel + initrd) via fastboot into the device's RAM and execute it! This sounds like the key to total awesomeness, doesn't it? Can't we build an OS image that has just one purpose which is S-OFFing the device (either by asking the Radio to do it, remember it is OUR custom kernel we're executing here so WE can talk to the Radio, or by mapping the memory the way we need it, then doing it directly)?
This may turn out to be easier than we expected it to be. Any kernel hackers here that could aid us in building a kernel that maps the entire memory of the device (this will include the Radio where secu_flag resides) and sticking an initrd to it that does the S-OFF? Of course we'll still need to find the flag in memory, but at least we now have a concrete plan how we can map the memory in. This will also enable us to build a very "user friendly" utility for S-OFF. No more zergRush, no more privilege escalation. The S-OFF utility is a self-contained OS image. You boot it, it does all the work and reboots the phone when done. How cool is that?
You probably still remember me for my famous "S-OFF without XTC-Clip conclusions" thread. We all know that now, HTC has given us the privilege of unlocking our Bootloaders using HTC-Dev. This allows us to Root and flash Custom ROMS, and all that; so we're all happy with that. But there are others out there, like me, who want to take even more advantage of this, and still get S-OFF, just like before. Now, we have a deeper understanding of our WFSs, so S-OFF is now much, much easier. If we get S-OFF, then we will have many more privileges on our phones.
With S-OFF, we can get:
Our warranties back
The ability to resize our system partitions.
The ability to flash different HBOOTs.
And many other things!
Be sure to visit *se-nsei.'s campaign, click here!
no.human.being posts his latest findings there.
My thoughts on this is:
from another thread, I've seen that when the HTC-Dev RUU was flashing HBOOT, it froze, but it still managed to flash rom_01.zip. This means, that when flashing HBOOT, the phone needs to be made S-OFF, then, when rom_02.zip is flashed, it finishes flashing HBOOT, and finally changes the security flag on, again.
So, I did some experimenting of my own. I flashed rom_01.zip using many methods, but all my attempts miserably fail. Why? Because the file is not signed properly. This got me thinking, if it's an HTC ROM, then why won't it flash?!?! Probably, because HTC made it in such a way, that the phone rejects it, or it won't work properly without the other files, that maybe reside in the RUU.
Maybe, someone can look into it, and find the function that S-OFFs the phone.
Perhaps, it might flash if it's on a Goldcard, so we'll have to do some more experimenting.
There is a possibility though, that using no.human.being's C code that he made earlier, we could S-OFF the phone, as it will be able to access more "sections" of the phone. We'll just have to compile/convert it and run/flash it.
Like before, if you have any suggestions, please tell me (by posting in this thread, please only PM if you think it's a very close solution, or if it's very important)
Good Luck everyone!
Isn't anyone going to post here!
no.human.being, eoghan2t7, are you there!?!
I think you might want to try extracting the img file and use fastboot flash radio radio.img.
yjwong said:
I think you might want to try extracting the img file and use fastboot flash radio radio.img.
Thanks, I have tried this though, but I didn't rename it to radio.img. Perhaps I'll try this if I get some time (I'm still in High School, and they give me way too much homework. They are so annoying!)
Ideas! Anyone!
Is there a similar way to boot into ENG-HBOOT(unsecured)
like fastboot -c "mtdparts=msm_nand:0x..." boot unsecuredhboot.img ?
Then if unsecuredhboot.img will be on sdcard we have possibility to flash s-offed hboot.
Somebody help this guy....... This is not my level. I'm a bit lower. I doubt it will work though.
Sent from my HTC Wildfire S A510e using XDA
slavislavi said:
Is there a similar way to boot into ENG-HBOOT(unsecured)
like fastboot -c "mtdparts=msm_nand:0x..." boot unsecuredhboot.img ?
Then if unsecuredhboot.img will be on sdcard we have possibility to flash s-offed hboot.
No, that won't work. The "boot" command takes an Android image, which consists of a kernel, an initrd and a special header. The header tells the bootloader of the phone where to load the kernel in memory, etc. It won't be present in an ENG-HBOOT image, so the phone's bootloader won't be able to boot it.
Furthermore, HBOOT expects the controller to be "uninitialized" and will then initialize it. When the kernel is executed via Fastboot, the controller has already been initialized by HBOOT, after all that's the actual purpose of a bootloader. The ENG-HBOOT probably won't behave correctly if it finds the controller already initialized by a "lower level" bootloader.
Last but not least, the "mtdparts=..." is a kernel parameter. Basically it's just a string (character sequence) that is passed to the kernel. What the kernel does with it is principally the kernel's thing. It's just that "mtdparts=..." can be used on an embedded Linux kernel to change the partition mapping. I doubt that HBOOT can take parameters, since it's not designed to be loaded by anything else (apart from possibly an extremely low-level processor-specific firmware that most likely won't have a facility for passing parameters).
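
Added example (not code from this thread): the header described in the reply above, parsed from a constructed image, to show what the bootloader reads before it loads anything and why a blob without that header is refused. The field order follows the legacy header in AOSP's bootimg.h; the sample image, its load addresses and its command line are constructed for the example.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Legacy boot image header, little-endian: magic, kernel size/addr,
# ramdisk size/addr, second-stage size/addr, tags addr, page size,
# two further 32-bit words, board name, kernel cmdline, image id.
HEADER = struct.Struct("<8s10I16s512s32s")


class NotABootImage(ValueError):
    """Raised when a blob does not carry a usable boot image header."""


def parse_boot_header(blob):
    """Return the load addresses, cmdline and payload offsets of a boot image."""
    if len(blob) < HEADER.size or blob[:8] != BOOT_MAGIC:
        raise NotABootImage("no ANDROID! header at offset 0")
    (_magic, k_size, k_addr, r_size, r_addr, _s_size, _s_addr,
     tags_addr, page_size, _w0, _w1, name, cmdline, _img_id) = HEADER.unpack_from(blob)
    if page_size == 0:
        raise NotABootImage("page size is zero")

    def pages(n):
        # Each section is padded up to a whole number of flash pages.
        return (n + page_size - 1) // page_size

    kernel_off = page_size  # the header occupies the first page
    ramdisk_off = kernel_off + pages(k_size) * page_size
    if ramdisk_off + r_size > len(blob):
        raise NotABootImage("image is shorter than its header claims")
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        # The kernel parameter string (what fastboot -c sets) lives here.
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
        "page_size": page_size,
        "kernel_addr": k_addr,
        "ramdisk_addr": r_addr,
        "tags_addr": tags_addr,
        "kernel_offset": kernel_off,
        "ramdisk_offset": ramdisk_off,
        "kernel": blob[kernel_off:kernel_off + k_size],
        "ramdisk": blob[ramdisk_off:ramdisk_off + r_size],
    }


def build_sample_image(kernel, ramdisk, cmdline, page_size=2048, base=0x10000000):
    """Build a constructed image for the demo (addresses are sample values)."""
    header = HEADER.pack(BOOT_MAGIC,
                         len(kernel), base + 0x00008000,
                         len(ramdisk), base + 0x01000000,
                         0, base + 0x00F00000,
                         base + 0x00000100, page_size, 0, 0,
                         b"", cmdline, b"")

    def pad(data):
        return data + b"\0" * (-len(data) % page_size)

    return pad(header) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    image = build_sample_image(b"K" * 3000, b"R" * 100, b"example.param=1")
    info = parse_boot_header(image)
    print("cmdline      :", info["cmdline"])
    print("kernel  ->   : 0x%08x (file offset %d)" % (info["kernel_addr"], info["kernel_offset"]))
    print("ramdisk ->   : 0x%08x (file offset %d)" % (info["ramdisk_addr"], info["ramdisk_offset"]))
    try:
        # A raw firmware blob has no such header, so there is nothing
        # telling the loader where the payload belongs.
        parse_boot_header(b"\0" * 4096)
    except NotABootImage as exc:
        print("raw blob rejected:", exc)
```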

Rooting Every Spreadtrum SC6820/SC8810 phones ! (1.5)

Hello,
In this thread I will teach you every method I had to use to root any Spreadtrum device, starting with the riskless ones and ending with the reckless ones.
I have to warn you that the last root method (using ResearchDownload to load a modified system.img) may be dangerous! (because of possible partition table changes)
The other methods are pretty safe, don't be afraid of them if you do exactly what I wrote.
These processors are also named SP6820 and SP8810, it's exactly the same processor, it's just some misnaming from Chinese sellers.
These methods do work on the newest Spreadtrum CPUs, like the SC7710 (the 3G WCDMA model), and the more powerful SC8825/SC6825 (dual core).
Why buy a Spreadtrum based phone?
They are really cheap, and they work amazingly well ! They can play some games and emulators very well, that's unexpected for such low end devices (50$ or less)
They usually only have 256MB of RAM but despite that, they still runs well ! (I tested a lot of games and some 3D games are working flawlessly, pretty amazing) - I discovered that they are using zram (or other swap methods) to provide more RAM by compressing it when needed. That's pretty neat and really helps with such a small amount of RAM !
They are very good as a portable multimedia device, to read mails, browsing the web, play some games, mp3, videos.
As a 2G phone they are competent, but the 2G modem is not as good as the one in MTK processors. (It takes longer to load something in the same conditions)
Boot very fast, and have decent battery life. (3-4 hours of video out of a 1200 mAh battery - 5-6 hours out of a 1800 mAh)
Why you should not ?
Not true anymore, but they were extremely difficult to root in some cases.
They don't seem to be well tested ... You can have a microphone so quiet nobody will be able to hear you. But it's easy to fix as you can see here: http://forum.xda-developers.com/showthread.php?p=38731407
They don't have any form of usable 3G support. (except the SC7710 which has WCDMA 850/2100 compatibility)
They usually have only 256MB of RAM again. So that can be a problem when you are, for example, using Opera Mobile Classic with more than 3 tabs. And it makes the transition between apps longer.
SC6820 and SC8810 models are all using Android 2.x, even if some are marketed as Android 4.0 phones (very big and blatant lie !)
They usually use Android 2.3, but some are only Android 2.2 phones ! (The fake Android 4.0.3 for instance is usually only Android 2.2)
SC6825 and SC8825 seem to only have a (real this time) Android 4.0.3 firmware. 4.1 or better is often advertised, but it's again ... lies ... Android 4.0 is not really suitable for phones with only 256 MB of RAM, so SC6825/8825 phones are pretty rough around the edges. Using more than one tab on the default web browser is asking for trouble for example.
They all use the MocorDroid Firmware. It's some kind of fork of Android that uses non-standard and sometimes buggy launchers, and they often use alternative keyboards like Go Keyboard which is kind of a bad choice considering the RAM and ROM constraints on these devices ...
The only difference between the SC6820 and the SC8810 is the support for the Chinese form of 3G.
If you don't live in China, that means these two processors are essentially the same. (Don't trust sellers, the 8810 is NOT WCDMA "3G" compatible)
Some phones with the fake Android 4.0.3 based on 2.3.5 will brick themselves nearly 2 months after you first used it. It's a really weird behavior of this early Spreadtrum firmware. So if you have this firmware, just do whatever it takes to root it, make a backup and install CWM as soon as possible to be able to recover from this possible breakage. It's only a problem with a fraction of Spreadtrum phones, but you will be very happy if you have installed CWM before encountering it ^^ (applicable only if you bought one in 2012)
A lot of fakery in the Spreadtrum scene. For example fake MTK6515/MTK6572 phones that are in fact just SC6820/SC6825 phones with a firmware modified to lie about its processor ID to popular Android benchmarking tools like Antutu Benchmark.
If you are searching for a 512MB RAM phone, you'd better go for an MTK(6575/6572 or better) Phone. As you will never find a real 512MB Spreadtrum phone in the jungle of lies you are looking at ...
On all models with 2.3.5 based firmware (SC6820 and SC8810 essentially), you can have a lot of problems with the SIM card detection on some SIM cards. For example I can't call somebody with mine, but I can answer a call or send/receive SMS ... Very weird bug ...
This bug seems to be related to the type of SIM card you have. With some there is no problem at all.
I can confirm that it's working flawlessly on SC6825 and 8825 based phones with the real 4.0.3 based firmware.
Why root it ?
Because a lot of them come with a lot of sh*tty software, including the bad launcher and keyboard.
Because they can come with a "Virus" that can send SMS messages to China (so you have to pay for unwanted international SMS cost)
I myself have this Virus on one of my phones, as of now, I haven't noticed anything unusual. Just the useless, unkillable com.android.caivs.app process eating 15 MB of RAM doing nothing. (It is a significant waste of ram on such devices)
(As of now I have only seen this malware on Feiteng devices - You can share your experience with this thing down below)
More about CAIVS here: http://web.archive.org/web/20110812021151/http://www.cseed.cn/chinese/news/portfolio2.htm
That virus was on most of the earliest Spreadtrum phones but doesn't seem to be a worry nowadays. But I haven't tried any new Feiteng devices. They were so poor in quality that I will never buy Feiteng again so find it by yourselves if you feel adventurous xD
How-to do that ?!
If you are lucky you will be able to root your phone by traditional means.
If you are not, you can root them by manually adding the root utilities to the ROM.
I will describe every method that you should try in order of difficulty and risk.
Before doing any of that, go to the android setting -> applications -> Development -> Check USB Debugging.
Universal Root utilities
These methods are safe, and the second one is, as of now, working on every Spreadtrum phone flawlessly !
1.1 - Z4Root
Just try z4root !
http://forum.xda-developers.com/showthread.php?t=833953
z4root is a little tool to root Android 2.2 and sometimes works on 2.3
It's known to work on devices with the fake Android 4.0.3 based on 2.2 and MocorDroid 2.2.2
It may work on more of them, just try, there is no risk at all.
Make sure you have at least 50 MB of available space on the /data partition before trying this. (not the SDCard, the Applications Space)
Try a temporary root to see if it works, then you can do the permanent root.
You may have to try it 2 or 3 times before it works.
Even if it doesn't work, reboot the phone after this. Because it can eat your battery while running in the background if it fails.
1.2 - vRoot
vRoot is a Chinese tool to root many devices !
It's proved to work very well with Spreadtrum (and MTK) devices. I used it successfully on a lot of Spreadtrum devices, even the most recent ones (SC8825).
You only need a Windows Computer (I personally use it on Windows 7 32bits).
Then download it from here: http://www.mgyun.com/en/getvroot
Install it and then open it.
As of now you only need to plug your USB cable to your computer, and then click on the Root button. (you don't need to do anything else, don't touch your phone)
Once it's done and the phone rebooted you will be rooted !
The root app is some kind of custom Chinese one, but it's working properly.
Don't try to replace it with SuperSU as SuperSU doesn't seem to work properly on Spreadtrum devices.
If you want to understand what the root app is saying, try to set the language on your device to English.
2 - Custom Firmware Flash
Please never use any custom firmware available in .pac file format ! Or at least, don't use them before doing a full backup of your current firmware !
Feiteng A7100 (only if you have the mt6515_c910_ht_en_4.0_v01 rom/firmware on it !!! If not, don't touch it, you will end up with a brick ! Or screen reversed, or other strange bugs): http://forum.xda-developers.com/showthread.php?t=2149396
If you have a Feiteng A7100 I really recommend NOT TO USE this rom ! Why ? Because it only works on a fraction of A7100, newer releases of the same phone don't use the same firmware. With this tutorial here, you can root your A7100 easily and way safer. Please go to "4-" on this tutorial to know how to root your A7100.
If you happen to find some other custom ROMs for Spreadtrum devices, or are making one, please send me a PM, I will link them here.
3 - Fastboot to the rescue !
If none of the fast, simple and secure methods are working, then this will be difficult my friend !
3.1 - Find Fastboot
First, let's check if we have fastboot in your phone !
Fastboot is a little tool inside the bootloader. It's here to help you flash the firmware.
Not every Spreadtrum phone has it, so let's check if you are lucky !
You can access it by powering the phone up while holding a key.
First power off your phone.
Then hold some button like volume+
While pressing this button, press and hold down the power button.
Keep holding the two buttons until the screen lights up.
You should now have something on your screen. Maybe a system diagnostic tool (a menu with a set of system tests, that's totally useless) or maybe the recovery mode (a screen with a warning sign, and now your phone is stuck here until you pull out the battery) or, and that means victory, a screen that says "Fastboot".
If you are not on fastboot, but are on the Recovery or the System Test, turn the phone off again and try another button press at boot time exactly like I said before.
This time, try the Home button if you have one, or the Volume-.
You should also try button combinations. Like volume up and down at the same time. Home + vol Up, etc and maybe the 3 at the same time ...
(if you just boot as if nothing was pressed, you maybe have to unplug the battery, wait for a while and put it back before powering the phone on. These things are also not working when the usb/charging cable is plugged in - if some key combinations are not doing anything, it's perfectly fine, it means they don't trigger any hidden boot mode)
If nothing brings fastboot up, you have to use the Spreadtrum Debug tool "ResearchDownload" ...
So Skip to "4-" ! ^^
3.2 - Install the drivers
If you happen to find Fastboot, we will have to install the PC part of it !
Like every android phone, you have to install adb and its drivers to access the Android Debug Bridge.
You can find them and learn how they work here: http://dottech.org/21534/how-to-ins...ows-computer-for-use-with-your-android-phone/
On Ubuntu or Debian Linux you just have to install them that way:
Code:
sudo apt-get install android-tools-adb android-tools-fastboot
You also have to install the phone drivers if you are using Windows:
ADB Drivers: http://www.mediafire.com/download.php?c5nf3rlhxmxhu4x
Debug Drivers: http://www.mediafire.com/download.php?2tyg0k2xp3ejgyg
Mirror: http://www.mediafire.com/?o9km8vl287ev24j
Then you will have to tell adb what phone to use. By that I mean adding the PCI ID to a text file to tell adb that this peripheral is compatible.
The Spreadtrum PCI ID is 0x1782
Add this line to "Your user directory/.android/adb_usb.ini"
Code:
0x1782
3.3 - Using fastboot to load CWM (Clockwork Mod)
CWM works on some of these Spreadtrum devices, most of the time, the screen is reversed, but it works !
On some phones, you will be presented with a blank screen, but CWM will work ... That will just be very difficult to navigate ... (don't bother and use another method if you happen to be in this boat)
Here are the recovery images available for Spreadtrum devices to my knowledge:
* http://www.mediafire.com/download.php?u6uyignmdcpillt - extracted from a random SC6820 that I don't remember
* http://www.mediafire.com/download.php?bosnfcq9n65mtc5 - i9270+
* http://www.mediafire.com/download.php?xem49dy5dh99ml0 - 5830, S5830, Q5830, Q206 and GT-N9300 (maybe more)
* http://www.mediafire.com/download.php?adfwq6b5268qb58 - S9300 (SC6820A S3 Clone)
* http://www.mediafire.com/download.php?y2f7aaan4b00l1m - Feiteng GT-A7100 and probably more Feiteng devices.
* http://www.mediafire.com/download.php?lg7m6v49efzpnjk - 6500-TV or S560
* http://www.mediafire.com/download.php?6xn977jjsuusjan - N9300 (I9300 Clone)
* http://www.mediafire.com/download.php?d68wc334qn47tdd - S930 or N8820
If your device is not listed or the one for your device doesn't work, try them all, even if your phone is SC6820 and the recovery was made for SC8810, if none are working, we will have to flash the entire system partition, which is a lot more difficult and dangerous ...
Flashing CWM to the phone:
Linux Only: Initialize ADB:
Code:
sudo adb kill-server
sudo adb start-server
Boot your phone in fastboot mode.
Be sure your device shows up:
Code:
fastboot devices
If your device shows up, it's time to flash
Code:
fastboot flash recovery recovery.img
It's flashed ! Let's reboot now.
Code:
fastboot reboot
Start on CWM, if it works, you can start to root the phone !
Download this patch: http://www.mediafire.com/download.php?131nsw87afzwb5v
Put it on the root of your SD Card.
Now you will have to boot on CWM, it is on the same key combination as the old useless recovery was. (Most of the time Volume- and Power)
You can also try this command with adb:
Code:
adb reboot recovery
Now it's the perfect time to do a full backup of your firmware with CWM, so please do so, that can come in handy. (please go to the end of this tutorial after rooting your phone to know how to make a FULL backup. CWM will only make a partial one.)
Choose apply update.zip
Choose the file you have put on your sd card before
Apply it then reboot.
This update.zip has pushed everything needed to root your phone in the right place, you should be rooted now !
If you have an error like: "Can't mount /sdcard" you may have to try with another SD Card and be sure your SD Card is formatted as FAT32.
3.4 - Using Fastboot to load a modified system partition image
Please follow the instructions down below on how to "5 - Create a rooted system partition image"
When you have done your Rooted system partition image, flash it like this:
Code:
sudo fastboot devices
#if your device shows up, it's time to flash
Code:
sudo fastboot flash system system.img
#It's flashed ... Now let's reboot with all the apprehension of the world
Code:
sudo fastboot reboot
If it boots (should boot), you will be up and rooting !
4 - Spreadtrum ResearchDownload tool to the rescue !
First, if you have fastboot, use fastboot ! It's simple, more reliable, faster. It's bottomline better !
If you don't have fastboot or can't figure out how to bring it up on your phone despite trying for about an hour, this tool will most likely work.
First, you should use Windows XP 32bits. Either real XP or in VirtualBox.
It might work on Windows 7 32 bits and 64 bits but you will have to tweak the system to allow installation of unsigned device drivers ...
ResearchDownload works like this:
First you start the Channelserver - This thing is here to make a bridge between the tools and the driver.
Then you start ResearchDownload.
Now you can make a full firmware flash (you should not !! It's a terrible idea !) or flash a single partition. But to do that, unfortunately, you should have a compatible set of fdl files.
Finding them on google is impossible, you have to extract them from your full firmware .pac file.
If you can't find your firmware on the Internet, you will have to try every single one you can find from other firmwares. I gathered all the fdl files I could find in a single package, so it won't be that difficult.
It's highly probable that you will find one that will work with your phone. This thing has to boot the phone and flash the NAND flash chip. I'm pretty sure there are not a lot of different ways to do this on a single processor.
I really don't know the risks of using a wrong fdl set. But we haven't seen any risks at all yet. Some will work on your phone, others will just do nothing. You will just have to try every single one until one works.
I named the folders with the names of the phones I know working with these. So it will be easier to find the good one. (A7100, 6500-TV, 5830, Q206 and S930 users will feel very lucky ^^)
4.1 - Learn how ResearchDownload Works
First you have to install the drivers, you can find them here:
ADB Drivers: http://www.mediafire.com/download.php?c5nf3rlhxmxhu4x
Debug Drivers: http://www.mediafire.com/download.php?2tyg0k2xp3ejgyg
Then you have to plug your phone to your computer with your micro usb cable. Your phone has to be powered on.
Be sure every piece of hardware is detected and installed correctly.
As you can see, this phone is not just detected as an ADB device, or as a mass storage device.
It actually has an internal serial port to usb adapter !
In other words that means this processor provides a way to flash its NAND very easily even if it is fully bricked. It's a rare and pretty good feature you don't see that often. In fact, most of the time you have to solder a real serial port yourself on the phone motherboard, then have to use a Serial to USB adapter to have this level of access to the hardware.
So yes, back to tutorial.
Now you will have to unplug your phone and turn it off.
You have to download the debug tools, you can download them here: http://www.mediafire.com/download.php?rngukh111vqfr8h
First you have to start the channel server, you will have to disable your firewall for this app, it's because this tool uses a network protocol to communicate with the other tools.
Then open ResearchDownload.
ResearchDownload is a weird flashing utility, it can open a .pac firmware file and can make a .pac out of .img files. You also can flash .img files and that's what we will do. But unfortunately it can't make a full backup ... So be careful !
The cog logo is here to let you open a .pac file. We don't need that as we probably don't have it.
The "two cogs logo" let you configure the flash utility.
Click on this to bring a new window.
On the download settings window, click on select product then choose your type of phone. (SC8810 or SC6820, it doesn't really matter if you take the wrong one out of those two.)
Then uncheck "Select All Files" as you don't have any of these.
You can see FDL1 and FDL2 are still checked, and you don't have those files ...
As they are needed to start the Flash utility, we will have to find them.
I came across only 3 different FDL1 files, but for these FDL1 it seems every phone has its own FDL2.
You will have to find the ones that work for you.
Here is an archive of nearly every FDLs available: http://www.mediafire.com/download.php?c6q2gxobccv32oj
Choose one FDL1, and one FDL2 located in the same folder. (you can choose a File with a right click on the FileName blank space in front of FDL1)
Click on OK.
Then click on the "Play button" saying start download.
It may show some warning, it's not a problem.
Now, press Volume Down on your phone, then you have to plug it on the USB Port, still holding the button.
You can release the button when the flash begins.
You may have to press another button than Volume-. Some phones are reported to use the Home Button instead.
You may also have to remove, wait a while, and reinsert the battery before holding volume- or after the flashing procedure to be able to start the phone.
If ResearchDownload shows you an error or timeout, try another set of FDL files. Keep trying until you find one pair that works !
If it works the flashing process should start right away. Just a millisecond after Windows has detected and initialized the device when you plugged it.
When you have the right FDLs, you can go to the next step, flashing something useful ^^ (we haven't flashed anything as of now, just been searching for a compatible flashing bios)
If your working FDLs folder does not have the name of your phone, please tell me what phone you have and what FDLs you used so I can rename them.
4.2 - Using ResearchDownload to load CWM (Clockwork Mod)
Do exactly as said before, but check the "Recovery" checkbox on Download Settings, and choose one of these CWM images:
* http://www.mediafire.com/download.php?y2f7aaan4b00l1m - Feiteng GT-A7100 and probably more Feiteng devices.
* http://www.mediafire.com/download.php?lg7m6v49efzpnjk - 6500-TV or S560
* http://www.mediafire.com/download.php?6xn977jjsuusjan - N9300 (I9300 Clone)
* http://www.mediafire.com/download.php?d68wc334qn47tdd - S930 or N8820
* http://www.mediafire.com/download.php?xem49dy5dh99ml0 - 5830, S5830, Q5830, Q206 and GT-N9300 (maybe more)
* http://www.mediafire.com/download.php?bdl1qr7orsj4ebr - extracted from a random SC6820 that I don't remember
* http://www.mediafire.com/download.php?6g1t6057p6c8wpt - i9720+
* http://www.mediafire.com/download.php?adfwq6b5268qb58 - S9300 (SC6820A S3 Clone)
When you have flashed one successfully, try to boot on recovery (Usually by holding Volume- while holding the power button until the screen lights up).
If your device is not listed or the one for your device doesn't work, try them all, even if your phone is SC6820 and the recovery was made for SC8810, if none are working, we will have to flash the entire system partition, which is a lot more difficult and dangerous ...
Download this patch: http://www.mediafire.com/download.php?131nsw87afzwb5v
Put it on the root of your SD Card.
Now you will have to boot on CWM, remember, it is on the same key combination as the old useless recovery was.
You can also try this command with adb:
Code:
adb reboot recovery
Now it's the perfect time to do a full backup of your firmware with CWM, so please do so, that can come in handy. (please go to the end of this tutorial after rooting your phone to know how to make a FULL backup. CWM will only make a partial one.)
Choose apply update.zip
Choose the file you have put on your sd card before
Apply it then reboot.
This update.zip has pushed everything needed to root your phone in the right place, you should be rooted now !
If you have an error like: "Can't mount /sdcard" you may have to try with another SD Card and be sure your SD Card is formatted as FAT32.
4.3 - Using ResearchDownload to load a modified system partition image
Now we are in deep **** ! This can be tedious ... You will need to drink a lot of coffee, then you will probably pull your hair off, but it's possible to root every single Spreadtrum device this way !
Please follow the instructions down below on how to "5 - Create a rooted system partition image"
When you have done your Rooted system partition image, reboot on Windows, then flash it like that:
Do exactly as said on the paragraph on how ResearchDownload works, but check the "System" checkbox on Download Settings, and choose your modified system.img file to flash it on the device.
As it is still not tested at all, you will have to pray some kind of Spreadtrum God and hope it will be successful ...
The first boot after the flash can be very VERY long. It's perfectly normal.
After the flash is done, please make a full backup (see below how you can do that), so I can make a Clockwork recovery partition working with your phone.
You may need to flush your data partition with CWM to avoid some crazy bugs after the flash. You will have these bugs because of the partition realignment that might occur as a result of using a slightly different FDL set than the manufacturer.
Don't even try to do a factory settings reset before installing CWM, as I don't know what monster can lie ahead if you do a factory reset without any working recovery installed
(If your phone doesn't boot after the flash, it is possible to flush the data and cache partition with ResearchDownload. I will explain it, if needed !)
5 - Create a rooted system partition image
Please always try the CWM method first ! There is no risk at all of destroying your phone if the recovery is not working. Here we are making a new system image to flash on the system partition, this partition contains the Android operating system. I will try to explain everything as well as I can, but if you make a mistake, if you don't read my warnings, you can brick your phone very easily !
That will be difficult ... And you will have to use a Linux computer, or Linux in Virtualbox, or in a Live CD, basically you will need Linux somewhere on your computer ^^
Why ? Because we will have to preserve unix permissions on an extracted tar archive ! Trust me, you will probably brick your phone if you do that on windows ...
#Install ADB
Code:
sudo apt-get install android-tools-adb android-tools-fastboot
#Configure ADB
Code:
mkdir -p ~/.android
Code:
echo 0x1782 > ~/.android/adb_usb.ini
#Start the ADB server
Code:
sudo adb kill-server
sudo adb start-server
#Let's check, just in case, if your device is already rooted
Code:
adb shell su -c id
Possible answers:
uid = 0 (root) gid = 0 (root) - your phone is already rooted ! (if you haven't noticed it, it's because superuser.apk is not installed, so just push it and install it via ADB and you are rooted !)
SU: Permission denied - You are not rooted ... Good luck then !
#Now we will backup the system partition !
Code:
adb shell tar -cf /mnt/sdcard/system.tar system
Please pay attention to the errors !
There will be missing files, and we will have to add these by ourselves after the backup to pretend to have a full backup.
Here is the archive for the known missing files: http://www.mediafire.com/download.php?fm1z5ujc75bg268
If you have more than these:
Code:
tar: can not open 'system/etc/dbus.conf': Permission denied
tar: can not open 'system/etc/bluetooth/audio.conf': Permission denied
tar: can not open 'system/etc/bluetooth/auto_pairing.conf': Permission denied
tar: can not open 'system/etc/bluetooth/input.conf': Permission denied
tar: can not open 'system/etc/bluetooth/main.conf': Permission denied
tar: system/lost+found: Permission denied
tar: Error exit delayed from previous errors
Then you should just give up, or tell me so I can send you the missing files.
Note: Lost+found is not important, it's just a folder automatically created by Linux to collect any corrupt files.
#Now we will pull this nearly full backup to our computer. Please keep it preciously somewhere secure.
Code:
adb pull /mnt/sdcard/system.tar
#Warning, these next steps have to be made ONLY on Linux on an ext2/3/4 partition ! Please never attempt to do this on Windows or on Linux on a FAT32 partition.
#untar the archive
Code:
sudo tar -xvpf system.tar
#now we will restore the files we have not been able to backup.
#Download this archive if you haven't done this before: http://www.mediafire.com/download.php?fm1z5ujc75bg268
#Then extract it in the same folder as you extracted your system.tar file with this command:
Code:
sudo tar -xvpf btdbus.tar
#Now it's time to add the root utilities, you can download them from here: http://www.mediafire.com/download.php?v69nm172heos17o
Code:
sudo tar -xvpf root.tar
sudo cp Superuser.apk system/app/Superuser.apk
sudo install -m 06755 su system/xbin/su
#Now we will get rid of this virus ! (the file name can be something else. Like caivs.apk, or some random numbers at the end)
Code:
sudo rm system/app/eyuSales_20121116.apk
#And now you will have to make a flashable system image with this tool, included in the root.tar archive
Code:
sudo ./mkyaffs system system.img
#Now you can reboot your phone in fastboot or use researchdownload to flash your new System image.
6 - Do a full nand backup
Here is how to do a full nand backup of your beloved Spreadtrum: http://forum.xda-developers.com/showthread.php?p=39270468
7 - Don't forget to remove the caivs Virus
When you are rooted, you can remove the Virus or any preinstalled apps using Link2SD.
I suggest you remove everything you have preinstalled if it is available on the Google Play Store (except the keyboard or the launcher !!!). For example if you have an old version of ES File Explorer on your phone preventing you from updating it, you can remove it safely, then install the updated version from the Play Store.
Never try to remove something that you don't know what it is !
For the Launcher or keyboard. You can remove them only if you installed a new one on the System partition and tested it successfully !
-----
I want to thank everyone at http://forum.china-iphone.ru and Yekdall for being one of the first to type something in English about Spreadtrum firmware modding !
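Section 5 of the post above depends on two properties of system.tar: which files the unprivileged backup could not read, and the Unix mode bits that must survive extraction. The following is an added example (not part of the post or of its root.tar tools) that audits an archive for both before it is turned into an image; the file list is the one from the post's tar errors, and the sample archive is constructed in memory.

```python
import io
import stat
import tarfile

# Paths the post lists as "Permission denied" during the unprivileged backup.
# (system/lost+found is left out: the post says it is not important.)
KNOWN_UNREADABLE = {
    "system/etc/dbus.conf",
    "system/etc/bluetooth/audio.conf",
    "system/etc/bluetooth/auto_pairing.conf",
    "system/etc/bluetooth/input.conf",
    "system/etc/bluetooth/main.conf",
}


def audit_system_tar(fileobj):
    """Return (missing_known, privileged) for a system.tar backup.

    missing_known: known-unreadable files that are still absent, so they
                   must be restored before the image is built.
    privileged:    (path, mode, uid) for every setuid/setgid regular file,
                   i.e. everything that will run with elevated rights.
    """
    names = set()
    privileged = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            name = member.name[2:] if member.name.startswith("./") else member.name
            names.add(name)
            if member.isfile() and member.mode & (stat.S_ISUID | stat.S_ISGID):
                privileged.append((name, oct(member.mode & 0o7777), member.uid))
    return sorted(KNOWN_UNREADABLE - names), sorted(privileged)


def build_sample_tar():
    """Constructed archive: three files, one of them installed with mode 06755."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in (("system/bin/sh", 0o755),
                           ("system/xbin/su", 0o6755),
                           ("system/etc/dbus.conf", 0o640)):
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.size = 4
            tar.addfile(info, io.BytesIO(b"demo"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    missing, privileged = audit_system_tar(build_sample_tar())
    print("still missing from the backup:")
    for path in missing:
        print("   ", path)
    print("setuid/setgid files in the archive:")
    for path, mode, uid in privileged:
        print(f"    {path} mode={mode} uid={uid}")
```

Any setuid entry other than the one deliberately added is worth a look before flashing, and an archive extracted on a filesystem without Unix permissions will show none at all.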
Data missing?
First of all, thanks a lot for the tutorial! Unluckily, the data that I should copy back into the tar and then the img-file is missing. Could you upload the btdbus.tar and the root.tar?
Thanks again, have a nice day!
keulepeter said:
First of all, thanks a lot for the tutorial! Unluckily, the data that I should copy back into the tar and then the img-file is missing. Could you upload the btdbus.tar and the root.tar?
Thanks again, have a nice day!
I'm uploading them right now ^^
By the way, what phone are you rooting ? I will try to make a "compatibility list", so I need the model number, and the brand name if any.
Good luck !
EDIT: I added the missing links
Are the sc8810 and sp8810 the same processors?
lynnox said:
Are the sc8810 and sp8810 the same processors?
Yes exactly the same, just a different way to name it.
ElectronikHeart said:
3 recovery images are available for Spreadtrum devices to my knowledge:
1 http://www.mediafire.com/download.php?u6uyignmdcpillt
2 http://www.mediafire.com/download.php?bosnfcq9n65mtc5
3 http://www.mediafire.com/download.php?xem49dy5dh99ml0
Try them all, if none are working, we will have to do that the other way ...
Download this patch: """"""Link missing as of now, I have to upload it"""""""
Put it on the root of your SD Card.
Now you will have to boot on CWM, it is on the same key combination as the old useless recovery was.
Choose apply a update.zip
Choose the file you have put on your sd card before
Apply it then reboot.
This update.zip has pushed everything needed to root your phone in the right place, you should be rooted now !
patch pls. (update.zip)
I'll try to load CWM even though at the moment I can only get into recovery. I have the exact same model as H_Bler's which is why I've been focusing more on his thread. From your description on how to access fastboot, I assume that it's the diagnostic mode when UpVol + Pwr is pressed. I never saw anything that said fastboot. The only thing unusual when I was going through the menus was I always got an error when I tried the 4th or 5th option. Unfortunately, I can't really try it again because I can't access it anymore. It goes without saying that I can't work with IMG files either.
5 - Spreadtrum ResearchDownload tool to the rescue !
Now we are in deep **** ! This is not tested as of now ... So come help me ! You will need to drink a lot of coffee, then you will probably pull your hair off, but we will know if it's possible to root every single Spreadtrum device !
5.1 - Using ResearchDownload to load CWM (Clockwork Mod)
5.2 - Using ResearchDownload to load a modified system partition image
Something to look forward to.
I want to thank everyone at http://forum.china-iphone.ru and Yekdall for being one of the first to type something in English about Spreadtrum firmware modding !
I've also been going here. I even tried 3 of the ROMs but I always get the verification failed message. I know it might be too much, but exact links for the thread would really be much appreciated (to be honest, I can't even remember exactly where I got the ROMs. All I remember is that the thread had a lot of collapsible trees).
ElectronikHeart said:
I'm uploading them right now ^^
By the way, what phone are you rooting ? I will try to make a "compatibility list", so I need the model number, and the brand name if any.
Good luck !
EDIT: I added the missing links
If and when I get my phone fixed/replaced. I'll try your method first. =P
jvrey5 said:
[Lot of things ...]
Well the thing you have when you push up and power is the system test menu. It's located on the android system partition. It's not fastboot.
Fastboot should be something that says "Fastboot" in red letters, or something else unusual.
If you don't have fastboot you should use Spreadtrum ResearchDownload to flash your phone, I will write the tutorial about it soon.
I really can't link you the thread on the Russian forum, first because it will probably confuse you, and also because it's spread everywhere on so many threads it's unbelievable ... That's why I'm doing this centralization work for you ^^
I will post a list of ROMs for recovery purposes. Your phone seems to be bricked. I don't know how you've done it (I really want to know what your phone is and how you've bricked it, that will help me to write the warnings necessary to avoid such cases).
I have 14 ROMs for Spreadtrum devices, maybe one will work for your phone.
I just want to know what your phone is ^^ Please tell the name of your phone on your posts everyone and if you know how to find it, the exact name of your firmware.
PS: I will upload the patch soon, I'm just searching for a file hosting service that will keep it up and not erase it 2 hours after I uploaded it ^^
EDIT: Link to the update.zip for rooting your device via CWM added.
Tutorial updated: Spreadtrum debug tools method added.
It may now be possible to root even Spreadtrum devices without Fastboot mode available.
Please feel free to tell me if it works !
ElectronikHeart said:
Tutorial updated: Spreadtrum debug tools method added.
It may now be possible to root even Spreadtrum devices without Fastboot mode available.
Please feel free to tell me if it works !
need help
Question
Dear Spreadtrum Master!
Please, can you help me with this problem:
I have a Star I8160 phone with Spreadtrum 6820 and 256 MB ROM. It seems, that everything is working fine, the ROM and the phone is fast, and cool. But when i try to use the phone as a phone, i talk to the phone, and the others just only hearing pieces of my sentences. Sometimes the phone is very-very silent, i need to shout for the others to hear. I thought, that this is a microphone problem, so i replaced the microphone. But nothing changed. I had 2 phones from this type, and both produce the same fault, so i think maybe the problem will be with the ROM. What do you think, is it possible? If so, can i replace my normal rom, which is DM_BASE_12A_w12.43 (sc6820_modem) 11-02-2012?
question
Hi ElectronikHeart, i need help
I have a feiteng a7100, and i flash a rom with ResearchDownload.exe, in the flash operations tab i choose the option to erase all flash. Now i have a brick phone. Do you have a copy of nv.bin? Do you know how to recover from it? how can i reflash nand?
thanks
gtxphoenix said:
Dear Spreadtrum Master!
But when i try to use the phone as a phone, i talk to the phone, and the others just only hearing pieces of my sentences. Sometimes the phone is very-very silent, i need to shout for the others to hear. I thought, that this is a microphone problem, so i replaced the microphone. But nothing changed. I had 2 phones from this type, and both produce the same fault,
The Master hasn't been in the past few days so I'll try to answer your issue as best I can.
Usually, the phones are designed for a specific region/country. It's possible that your ROM was built for a different one. How sure are you that the ROM which you are replacing it with will work for you? (I assume that you have a backup and you know how to load ROMs) Also, you might want to try editing the build.prop to increase/maximize reception.
To be honest, this is actually a complicated approach. From what you said, it seems that you've made other troubleshooting steps on your own. Since you really did not mention all of them I'm basing my response on what you said.
Let's try to stick to the basics first. Why did you replace the microphone in the first place? If the same issue happens with 2 other phones from this type, I don't think the mic is the problem. Also, does this mean that you can hear them fine, but they have a hard time hearing you? Have you tried using the stock sound recorder on your phone? Is it also choppy? Have you tried using Skype? You don't really have to call anyone, you just need to make a test call.
When using the device as a phone (eg. making calls, sending SMS, MMS, or connecting to the internet using EDGE or 3G), you're actually relying mostly on your carrier/service provider. How many signal bars do you get? The easiest way to test signal related issues would be by using a different SIM or using a different phone. (When you try a different phone, I suggest using a GSM one - the ones that can only make calls or do SMS.) It's highly possible that there's already something wrong with your SIM.
---------- Post added at 01:17 AM ---------- Previous post was at 01:08 AM ----------
jmss said:
Hi ElectronikHeart, i need help
I have a feiteng a7100, and i flash a rom with ResearchDownload.exe, in the flash operations tab i choose the option to erase all flash. Now i have a brick phone. Do you have a copy of nv.bin? Do you know how to recover from it? how can i reflash nand?
thanks
ElectronikHeart hasn't checked in the past few days, so I hope you don't mind me butting in.
When you say brick, does it mean that you don't even have recovery mode? If you don't, try to see if you can put CWM. Once successful, you can try to use the A7100 ROM if your original one was a mt6515_c910_ht_en_4.0_v01 rom using the update.zip
jvrey5 said:
The Master hasn't been in the past few days so I'll try to answer your issue as best I can.
Usually, the phones are designed for a specific region/country. It's possible that your ROM was built for a different one. How sure are you that the ROM which you are replacing it with will work for you? (I assume that you have a backup and you know how to load ROMs) Also, you might want to try editing the build.prop to increase/maximize reception.
To be honest, this is actually a complicated approach. From what you said, it seems that you've made other troubleshooting steps on your own. Since you really did not mention all of them I'm basing my response on what you said.
Let's try to stick to the basics first. Why did you replace the microphone in the first place? If the same issue happens with 2 other phones from this type, I don't think the mic is the problem. Also, does this mean that you can hear them fine, but they have a hard time hearing you? Have you tried using the stock sound recorder on your phone? Is it also choppy? Have you tried using Skype? You don't really have to call anyone, you just need to make a test call.
When using the device as a phone (eg. making calls, sending SMS, MMS, or connecting to the internet using EDGE or 3G), you're actually relying mostly on your carrier/service provider. How many signal bars do you get? The easiest way to test signal related issues would be by using a different SIM or using a different phone. (When you try a different phone, I suggest using a GSM one - the ones that can only make calls or do SMS.) It's highly possible that there's already something wrong with your SIM.
---------- Post added at 01:17 AM ---------- Previous post was at 01:08 AM ----------
ElectronikHeart hasn't checked in the past few days, so I hope you don't mind me butting in.
When you say brick, does it mean that you don't even have recovery mode? If you don't, try to see if you can put CWM. Once successful, you can try to use the A7100 ROM if your original one was a mt6515_c910_ht_en_4.0_v01 rom using the update.zip
I don't have recovery mode, the phone doesn't turn on. I already tried to put CWM but it doesn't work. I need nv.bin file for sc6820a to rewrite nand flash.
jmss said:
I don't have recovery mode, the phone doesn't turn on. I already tried to put CWM but it doesn't work. I need nv.bin file for sc6820a to rewrite nand flash.
Now we really need the Master
gtxphoenix said:
Dear Spreadtrum Master!
Please, can you help me with this problem:
I have a Star I8160 phone with Spreadtrum 6820 and 256 MB ROM. It seems, that everything is working fine, the ROM and the phone is fast, and cool. But when i try to use the phone as a phone, i talk to the phone, and the others just only hearing pieces of my sentences. Sometimes the phone is very-very silent, i need to shout for the others to hear. I thought, that this is a microphone problem, so i replaced the microphone. But nothing changed. I had 2 phones from this type, and both produce the same fault, so i think maybe the problem will be with the ROM. What do you think, is it possible? If so, can i replace my normal rom, which is DM_BASE_12A_w12.43 (sc6820_modem) 11-02-2012?
Hi,
I had the same problem with one of mine. You just have to use a diagnostic tool from Spreadtrum and adjust the microphone amplification level. I will start a thread on that subject and link it there.
It seems to be a very common problem with Spreadtrum phones, but it is, most of the time, very easy to fix.
edit: here is the link: http://forum.xda-developers.com/showthread.php?p=38731407
WARNING: Don't ever flash if you don't have a working copy of the original firmware somewhere (a complete backup that you have tested your ability to flash back). The first step to do a complete backup, if the manufacturer doesn't want to send you the firmware, is to successfully root your firmware.
Don't flash if you have a microphone problem, nothing good will happen, this problem is not firmware related AT ALL.
jmss said:
Hi ElectronikHeart, i need help
I have a feiteng a7100, and i flash a rom with ResearchDownload.exe, in the flash operations tab i choose the option to erase all flash. Now i have a brick phone. Do you have a copy of nv.bin? Do you know how to recover from it? how can i reflash nand?
thanks
Oh god ! Why have you checked that option ^^
I may be able to dump my nv.bin file from the a7100 I just bought. (If I recall correctly, the nv.bin contains the imei so I will have to edit it to use your imei instead, imei are written in the battery compartment)
Can you try flashing it a second time entirely? It's possible that your uboot partition (what manages the early time boot operations) is not flashed properly.
Even without the nv partition your phone should be able to boot android, you will just not be able to use the phone as a phone. (make a call and everything)
Try with a better micro usb cable, Chinese ones can be very cheap and corrupt data on the way to the phone.
If your phone is still able to flash using ResearchDownload that is.
Re: 4.5 - Do a full nand backup and help me make you a new CWM recovery
ElectronikHeart said:
4.5 - Do a full nand backup and help me make you a new CWM recovery
Please if you have rooted your phone using this method, and can't use the CWM method, that means I can do a CWM that works on your device !
Now that you are rooted, you can make a full backup of your phone with ADB !
#open adb shell:
Code:
adb shell
Code:
I still have to explain this if someone needs it
Then send me your boot.img file and I will send you a recovery.img that you can flash to your recovery partition.
That will help new users to root a lot faster the same phone as you, and will make your life easier if you have to restore a backup.
>>>
I have also the same kind of Chinese android phone, having a model # S930 with the same cpu chipset SP8810 (aka. samsung galaxy s3 clone), i've successfully rooted my Chinese android phone, and installed some very usable apps like link2sd & titanium backup pro, i want also to have a full backup of my phone using your methods & ideas, can you help me? where can i find my boot.img so that you can make me my recovery image for my phone? my phone doesn't have any compatible clockworkmod recovery, but it has a native recovery mode option which work on an update.zip or fastboot....i hope you can help me make my phone recovery image with rooted features... Thanks!
earl22online said:
where can i find my boot.img so that you can make me my recovery image for my phone?
So, you already have tested every recovery already posted ?
To make a backup of your boot.img, you will have to do a full backup manually using the Android shell. I will make a tutorial about this, and link it here.
It's pretty easy as you already rooted your phone.
When you have your backup I will post a recovery.img file suitable to your phone.
Please keep an eye to this post. I will post the tutorial very soon.
ElectronikHeart said:
Oh god ! Why have you checked that option ^^
I may be able to dump my nv.bin file from the a7100 I just bought. (If I recall correctly, the nv.bin contains the imei so I will have to edit it to use your imei instead, imei are written in the battery compartment)
Can you try flashing it a second time entirely? It's possible that your uboot partition (what manages the early time boot operations) is not flashed properly.
Even without the nv partition your phone should be able to boot android, you will just not be able to use the phone as a phone. (make a call and everything)
Try with a better micro usb cable, Chinese ones can be very cheap and corrupt data on the way to the phone.
If your phone is still able to flash using ResearchDownload that is.
I already tried with three micro usb cables. when i try to flash with researchDownload it failed at nvitem (after FDL2).
can you post a link to your nv.bin to test it ?
jmss said:
I already tried with three micro usb cables. when i try to flash with researchDownload it failed at nvitem (after FDL2).
can you post a link to your nv.bin to test it ?
I just bought my A7100, so you will need to wait 2 weeks for me to dump it. Maybe you should try asking the guy who made the rooted rom for the A7100 ?
I will, nonetheless, make a full backup of my phone as soon as I receive it.

[Q] Root available for ASUS MeMO Pad 10 (ME103K)?

Greetings!
First of all, I am sorry if this is on the wrong section of the forum. Nevertheless i've tried few rooting applications which are stated to be compatible with this ME103K model, but with no results.. Also many fake sites trying to lure you to purchase something.
Is there anyone who could provide me information on how to root my ASUS ME103K tablet? Should I also try every rooting application available out there or is this useless? Can I verify if they are compatible without all the way installing and running them on the device? (Sorry don't know much about this stuff =)! )
Thank you very much in advance
I rooted ME103K on my own - by compiling a custom kernel
Executive summary: Go to youtube and watch video with ID "gqubgQjqfHw" (I can't post links yet, sorry! ) - or search Youtube for "Rooting MemoPAD10 (ME103K) with my custom compiled kernel"
Analysis:
I hated the fact that my recently purchased MemoPAD10 (ME103K) tablet had no open process to allow me to become root. I don't trust the closed-source one-click root apps that use various exploits, and require communicating with servers in.... China. Why would they need to do that? I wonder...
I therefore decided this was a good opportunity for me to study the relevant documentation and follow the steps necessary to build an Android kernel for my tablet. I then packaged my custom-compiled kernel into my custom boot image, and the video shows how I boot from it and become root in the process.
Note that I didn't burn anything in my tablet - it's a 'tethered' root, it has no side-effects.
If you are a developer, you can read in detail about the steps I had to take to modify the kernel (and su.c) and become root - by reading the questions (and answers!) that I posted in the Android StackExchange forum ( can't post links yet, see the video description in Youtube ).
If you are not a developer, you can download my custom boot image from the link below - but note that this means you are trusting me to not do evil things to your tablet as my kernel boots and my /sbin/su is run
Honestly, I haven't done anything weird - I just wanted to run a debootstrapped Debian in my tablet, and succeeded in doing so. But I am also worried about the cavalier attitude I see on the web about rooting your devices - if you want to be truly safe, you must either do what I did (and recompile the kernel yourself) or absolutely trust the person that gives it to you. I do wish Google had forced a UI-accessible "become root" option in Android, just as Cyanogen does (sigh).
The image I created and used in the video to boot in rooted mode, is available from the link shown in the Youtube video details.
Enjoy!
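Before booting a boot image built by someone else, you can at least see which of its parts differ from the stock boot.img in the ASUS zip. The following is an added example, not ttsiodras's code: a Python parser that assumes the classic AOSP boot image layout (header version 0, one header page followed by page-aligned kernel, ramdisk and second sections) and hashes each section; the two sample images are constructed inside the script.

```python
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# v0 header: magic, then ten little-endian uint32 words (kernel size/addr,
# ramdisk size/addr, second size/addr, tags addr, page size, and two
# version-dependent words), then name[16] and cmdline[512].
HEADER = struct.Struct("<8s10I16s512s")


def _align(size, page):
    """Round size up to the next multiple of the page size."""
    return (size + page - 1) // page * page


def _cstr(raw):
    """Decode a NUL-terminated header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_boot_image(blob):
    """Return page size, cmdline and per-section offset/size/SHA-256."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than a boot image header")
    fields = HEADER.unpack_from(blob)
    if fields[0] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic")
    kernel_size, ramdisk_size, second_size = fields[1], fields[3], fields[5]
    page = fields[8]
    if page < HEADER.size or page & (page - 1):
        raise ValueError("implausible page size %d" % page)
    info = {"page_size": page, "name": _cstr(fields[11]),
            "cmdline": _cstr(fields[12]), "sections": {}}
    offset = page  # the header occupies the whole first page
    for label, size in (("kernel", kernel_size),
                        ("ramdisk", ramdisk_size),
                        ("second", second_size)):
        if offset + size > len(blob):
            raise ValueError("%s section runs past end of file" % label)
        data = blob[offset:offset + size]
        info["sections"][label] = {
            "offset": offset,
            "size": size,
            "sha256": hashlib.sha256(data).hexdigest(),
        }
        offset += _align(size, page)
    return info


def compare_images(stock_blob, other_blob):
    """List which parts of other_blob differ from the stock image."""
    stock = parse_boot_image(stock_blob)
    other = parse_boot_image(other_blob)
    changed = [label for label in ("kernel", "ramdisk", "second")
               if stock["sections"][label]["sha256"]
               != other["sections"][label]["sha256"]]
    if stock["cmdline"] != other["cmdline"]:
        changed.append("cmdline")
    return changed


def build_sample(kernel, ramdisk, cmdline, page=2048):
    """Constructed input: assemble a minimal v0 image from raw bytes.
    The load addresses are arbitrary placeholder values."""
    header = HEADER.pack(BOOT_MAGIC, len(kernel), 0x80208000,
                         len(ramdisk), 0x82200000, 0, 0, 0x80200100,
                         page, 0, 0, b"", cmdline)

    def padded(data):
        return data + b"\0" * (_align(len(data), page) - len(data))

    return padded(header) + padded(kernel) + padded(ramdisk)


# Constructed samples standing in for the stock and the custom boot image.
STOCK = build_sample(b"stock-kernel" * 100, b"stock-ramdisk" * 50,
                     b"console=constructed")
CUSTOM = build_sample(b"patch-kernel" * 100, b"ramdisk-plus-su" * 50,
                      b"console=constructed")

if __name__ == "__main__":
    for label, sec in parse_boot_image(CUSTOM)["sections"].items():
        print("%-8s offset=%-6d size=%-6d sha256=%s"
              % (label, sec["offset"], sec["size"], sec["sha256"][:16]))
    print("differs from stock in:", compare_images(STOCK, CUSTOM))
```

A differing kernel or ramdisk hash only shows where the image was changed; judging what the change does still means unpacking that section or building from source, as the post describes.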
ttsiodras said:
Executive summary: Go to youtube and watch video with ID "gqubgQjqfHw" (I can't post links yet, sorry! ) - or search Youtube for "Rooting MemoPAD10 (ME103K) with my custom compiled kernel"
Analysis:
I hated the fact that my recently purchased MemoPAD10 (ME103K) tablet had no open process to allow me to become root. I don't trust the closed-source one-click root apps that use various exploits, and require communicating with servers in.... China. Why would they need to do that? I wonder...
I therefore decided this was a good opportunity for me to study the relevant documentation and follow the steps necessary to build an Android kernel for my tablet. I then packaged my custom-compiled kernel into my custom boot image, and the video shows how I boot from it and become root in the process.
Note that I didn't burn anything in my tablet - it's a 'tethered' root, it has no side-effects.
If you are a developer, you can read in detail about the steps I had to take to modify the kernel (and su.c) and become root - by reading the questions (and answers!) that I posted in the Android StackExchange forum ( can't post links yet, see the video description in Youtube ).
If you are not a developer, you can download my custom boot image from the link below - but note that this means you are trusting me to not do evil things to your tablet as my kernel boots and my /sbin/su is run
Honestly, I haven't done anything - I just wanted to run a deboot-strapped Debian in my tablet. But I am also worried about the cavalier attitude I see on the web about rooting your devices - if you want to be truly safe, you must either do what I did (and recompile the kernel yourself) or absolutely trust the person that gives it to you. I do wish Google had forced a UI-accessible "become root" option in Android, just as Cyanogen does (sigh).
The image I created and used in the video to boot in rooted mode, is available from the link shown in the Youtube video details.
Enjoy!
Hello ttsiodras,
I had the same problem as OP and didn't want to go the "chinese route" either, especially since there seem to be conflicting reports on whether it works on the ME103k or not so I tried your solution - with mixed results...
Disclaimer: I'm totally new to Android (colour me unpleasantly surprised) and have little experience in Linux, so for further reference I would consider myself an advanced noob. Please keep this in mind when evaluating my claims or judging what I have done so far or am capable of doing by myself in the future.
What I did:
- become developer in the ME103k by tapping the system build repeatedly, then allowing debugging via USB
- use ADB to boot into the bootloader
- use fastboot to boot your boot.rooted.img
What happened:
- I did get root access
- the tab now always boots into the bootloader, even when told via ADB or fastboot to boot normally or into recovery. Pushing buttons etc doesn't seem to work either
- my attempts to do a recovery via the vanilla Asus method have failed due to the same fact that boot never gets past fastboot
Since you claimed in your description that there would be no side-effects since it is a tethered root I am somewhat puzzled as to what exactly happened. From what I understand - which admittedly isn't a lot - what should have happened is that your boot image is loaded, giving me root access until the next reboot without changing anything about the default boot process or image. I read somewhere else that this is how people test out different kernels with fastboot before deciding on which one they want to use on their devices. The whole boot process being changed and corrupted in a way that makes the tablet non-rebootable without having the cable and an adb- and fastboot-capable machine nearby is not really what I would have expected going by your description.
Of course it is entirely possible (and probably even rather likely) that I got something wrong along the way or there is a simple fix to my problem I am not aware of.
As for possible steps maybe you or someone else in the forum could point me to a way to return my tablet to factory settings before risking damaging it beyond repair. I'm assuming that it should be possible and rather straightforward to recover the original setup with the firmware provided by Asus (downloaded the newest version from the homepage) but to be honest I'm a bit scared to go ahead with it before knowing for sure how to do this safely.
One thing seems certain: I won't be able to do it the way Asus says I should unless I can somehow get into normal or recovery boot modes again. I do however still have root access and am able to run fastboot and ADB including shell on the tablet, so it should be possible.
I would certainly appreciate any help very much
Thanks
drsiegberterne said:
. . . From what I understand - which admittedly isn't a lot - what should have happened is that your boot image is loaded, giving me root access until the next reboot without changing anything about the default boot process or image. I read somewhere else that this is how people test out different kernels with fastboot before deciding on which one they want to use on their devices.
Your understanding is correct - that's exactly what should have happened.
I can assure you that the kernel I compiled is formed from the Asus sources with the 2 patches I made that have *nothing* to do with the bootloader - they patch the way that the kernel allows dropping privileges and thus allowing root level access.
Something else must have happened - did you by any chance "burn" the image? i.e. `(DONT DO THIS) fastboot flash boot boot.rooted.img` instead of `fastboot boot boot.rooted.img`?
I did not advocate for burning precisely because it is unpredictable - manufacturers sometimes require signing images with their private keys before allowing a boot image to boot (AKA "locked bootloaders") which means that any attempt to burn may lead to weird configurations. . .
If you did burn it, maybe you can try burning the original "boot.img" from the Asus OTA (Over the Air) update .zip file (available as a big download at the ASUS site - "UL-K01E-WW-12.16.1.12-user.zip" )
I know of no way to help you with the current state of your tablet, except to "ease the pain" by saying that rebooting to fastboot is always "recoverable" - you can always boot into my own (rooted) kernel or the original (from the ASUS .zip file) with `fastboot boot <whatever_image>`. No "harm" can happen from this - as you correctly said, it's the way to try new kernels and images.
UPDATE - after more reverse engineering:
I had a look into the contents of the boot loader running inside the ME103K, and I am pretty sure that if you execute this at fastboot...
# fastboot oem reset-dev_info
# fastboot reboot
... you will get back to normal, un-tethered bootings of your ME103K.
Thanassis.
ttsiodras said:
Your understanding is correct - that's exactly what should have happened.
I can assure you that the kernel I compiled is formed from the Asus sources with the 2 patches I made that have *nothing* to do with the bootloader - they patch the way that the kernel allows dropping privileges and thus allowing root level access.
Something else must have happened - did you by any chance "burn" the image? i.e. `(DONT DO THIS) fastboot flash boot boot.rooted.img` instead of `fastboot boot boot.rooted.img`?
I did not advocate for burning precisely because it is unpredictable - manufacturers sometimes require signing images with their private keys before allowing a boot image to boot (AKA "locked bootloaders") which means that any attempt to burn may lead to weird configurations. . .
If you did burn it, maybe you can try burning the original "boot.img" from the Asus OTA (Over the Air) update .zip file (available as a big download at the ASUS site - "UL-K01E-WW-12.16.1.12-user.zip" )
I know of no way to help you with the current state of your tablet, except to "ease the pain" by saying that rebooting to fastboot is always "recoverable" - you can always boot into my own (rooted) kernel or the original (from the ASUS .zip file) with `fastboot boot <whatever_image>`. No "harm" can happen from this - as you correctly said, it's the way to try new kernels and images.
Thanassis.
Hi Thanassis,
thanks for your quick reply and your efforts. I'm actually around 85% sure I did not flash the image but since I had no Linux on my computer at the time (I know shame on me) I used a Mac and the command line was a bit different. Since I had never used ADB or fastboot I relied on some guide that explained how to even get into the bootloader and might have gotten something wrong.
On the other hand I later read out the commands I used in the Mac shell and couldn't find anything other than the things I should have done and described earlier, so as far as I can tell this all should never have happened. It may be interesting to point out here that the "stuck in fastboot" mode happened immediately after the first time I loaded your kernel and I most definitely just wrote fastboot boot boot.rooted.img at that point.
As for fixing the problem now it's not only about the inconvenience of the whole thing. I also later (after I was already stuck in fastboot mode) installed some apps for helping me manage privileges of different apps (xposed framework and xprivacy) which turned out to not be compatible in some way or another. So now not only is my tablet not booteable in a normal way but its also cluttered with even more useless stuff than before and I would really like to just reset it before thinking about any other possibilities.
If I flash boot the original ASUS boot image found in the file you described and which i downloaded already, shouldn't that fix the problem if I accidentally did flash your boot image? Or will there be even more trouble?
Alternatively isn't there a manual way to flash the whole zipped recovery image or am I misunderstanding what this ASUS file actually contains?
And which of the two options is safer to try first or in other words - which one might break the tablet once and for all?
Thanks again and sorry for my incompetence
drsiegberterne said:
Hi Thanassis,
If I flash boot the original ASUS boot image found in the file you described and which i downloaded already, shouldn't that fix the problem if I accidentally did flash your boot image? Or will there be even more trouble?
. . .
Alternatively isn't there a manual way to flash the whole zipped recovery image or am I misunderstanding what this ASUS file actually contains?
. . .
Thanks again and sorry for my incompetence
No, don't be sorry We are all either choosing to learn in this world (i.e. make mistakes and learn from them), or choose to remain stuck in ignorance. I applaud your efforts in properly rooting the tablet. . .
To the point - remember, you are root now ; whatever apps you installed, you can definitely uninstall them. You don't necessarily need to wipe it.
If you do want to, I'd suggest booting in recovery and doing it the normal way that Asus recommends. Since you said "buttons don't work", you may want to try using the original recovery .img - i.e. "fastboot boot recovery.img". I'd love to suggest a link from ASUS, but they don't host it (which is bad - they really should) - so instead go to "goo" dot "gl" slash "noegkY" - this will point you to a discussion where a kind soul is sharing his ME103K recovery.img.
Booting from the recovery will allow you to install the ASUS OTA update - and probably try cleaning cache partition, etc
Good luck!
ttsiodras said:
No, don't be sorry We are all either choosing to learn in this world (i.e. make mistakes and learn from them), or choose to remain stuck in ignorance. I applaud your efforts in properly rooting the tablet. . .
To the point - remember, you are root now ; whatever apps you installed, you can definitely uninstall them. You don't necessarily need to wipe it.
If you do want to, I'd suggest booting in recovery and doing it the normal way that Asus recommends. Since you said "buttons don't work", you may want to try using the original recovery .img - i.e. "fastboot boot recovery.img". I'd love to suggest a link from ASUS, but they don't host it (which is bad - they really should) - so instead go to "goo" dot "gl" slash "noegkY" - this will point you to a discussion where a kind soul is sharing his ME103K recovery.img.
Booting from the recovery will allow you to install the ASUS OTA update - and probably try cleaning cache partition, etc
Good luck!
The problem here is that he doesn't seem to have the same version as on my tablet. I have the newest version with Lollipop while this seems to be at least a couple of patches earlier with a completely different version of Android. Won't I risk breaking things even more if I try to apply this - as in trying to recover a recovery that is not on my tablet since certainly the recovery.img doesn't contain all the information needed since it's only 10 MB.
As you can probably guess the whole discussion in your link about what part of the system is broken and how to fix it goes right over my head. It also seems like they did not find a satisfactory solution in the end (short of sending the tablet to ASUS). As you can imagine I'm at quite a loss what to try and what not out of fear to make things worse. At least for now I can still use the tablet to do the things I need it to do.
Thanks for your help anyway, I will try to read up more on the topic and decide what to do next.
drsiegberterne said:
The problem here is that he doesn't seem to have the same version as on my tablet. I have the newest version with Lollipop while this seems to be at least a couple of patches earlier with a completely different version of Android. Won't I risk breaking things even more if I try to apply this - as in trying to recover a recovery that is not on my tablet since certainly the recovery.img doesn't contain all the information needed since it's only 10 MB.
Thanks for your help anyway, I will try to read up more on the topic and decide what to do next.
I understand how you feel - your tablet is operational now (OK, with the annoyance that you need to boot it in "tethered mode") - so you rightfully fear that you may mess things up with further steps.
Just to clarify something - the recovery img is something that works on its own ; it has no dependency on what kind of Android image is installed in the /system partition.
If you do decide to do it, "fastboot boot recovery.img" will bring you to a spartan menu, showing options that allow you to apply an update (i.e. the ASUS update you downloaded!), clean the /cache partition, etc.
Choose "install update from SD card" (use volume up/down to choose, power btn to select), and navigate to your SD card, where you will have placed the big .zip file from ASUS.
The recovery process will begin, and your tablet will be "wiped" with the image from ASUS. Reboot, and be patient while the tablet boots up - it will be just like the first time you started it (i.e. install from scratch).
Whatever you decide - good luck!
ttsiodras said:
I understand how you feel - your tablet is operational now (OK, with the annoyance that you need to boot it in "tethered mode") - so you rightfully fear that you may mess things up with further steps.
Just to clarify something - the recovery img is something that works on its own ; it has no dependency on what kind of Android image is installed in the /system partition.
If you do decide to do it, "fastboot boot recovery.img" will bring you to a spartan menu, showing options that allow you to apply an update (i.e. the ASUS update you downloaded!), clean the /cache partition, etc.
Choose "install update from SD card" (use volume up/down to choose, power btn to select), and navigate to your SD card, where you will have placed the big .zip file from ASUS.
The recovery process will begin, and your tablet will be "wiped" with the image from ASUS. Reboot, and be patient while the tablet boots up - it will be just like the first time you started it (i.e. install from scratch).
Whatever you decide - good luck!
Okay, a little update from the battlefront:
I tried the recovery image and did get into the menu, however the recovery failed with the same two error messages as in your earlier link ("footer is wrong" and "signature verification failed"). My output from fastboot getvar all is also very similar to the one from that guy except I have a different bootloader version than him (3.03).
Another thing I noticed is that if I boot the standard boot.img found in the ASUS zip it will recognize the internal sdcard normally, however when I boot your rooted image the internal memory doesn't seem to be recognized, at least not through the pre-installed file manager. Downloading a file to the internal storage also failed while rooted but all the apps and the OS itself so far seem totally unaffected otherwise.
My last resort at the moment is the fastboot flash boot boot.img but I have little hope it would change anything since in the thread you linked they proposed just that and if it had worked they probably would have mentioned it.
Can it theoretically break the tablet even more? I would hate to have to send it in because I completely bricked it...
drsiegberterne said:
Okay, a little update from the battlefront:
Another thing I noticed is that if I boot the standard boot.img found in the ASUS zip it will recognize the internal sdcard normally, however when I boot your rooted image the internal memory doesn't seem to be recognized.
Not the case for me - everything works fine (including internal and external sdcard), so it's definitely not my kernel causing this.
drsiegberterne said:
My last resort at the moment is the fastboot flash boot boot.img but I have little hope it would change anything since in the thread you linked they proposed just that and if it had worked they probably would have mentioned it.
Can it theoretically break the tablet even more? I would hate to have to send it in because I completely bricked it...
Flashing is always dangerous (from what you've said, I actually theorize that you did, actually, flash already...)
I doubt this will solve the boot issue, to be honest - if I were you, I'd continue to boot tethered (with my image when you need root access, and (maybe) the Asus image when you don't). Myself, I always boot my own bootimage, since I have zero problems with it, and it allows me to run a complete Debian distro in a chroot (thus making my tablet a full-blown UNIX server - e.g. I run privoxy on it to filter all stupid ads in all apps on the tablet, etc).
No matter what you decide, good luck!
Thanassis.
ttsiodras said:
Not the case for me - everything works fine (including internal and external sdcard), so it's definitely not my kernel causing this.
Flashing is always dangerous (from what you've said, I actually theorize that you did, actually, flash already...)
I doubt this will solve the boot issue, to be honest - if I were you, I'd continue to boot tethered (with my image when I need root access, and (maybe) the Asus image when I don't). Myself, I always boot my own bootimage, since I have zero problems with it, and it allows me to run a complete Debian distro in a chroot (thus making my tablet a full-blown UNIX server - e.g. I run privoxy on it to filter all stupid ads in all apps on the tablet, etc).
No matter what you decide, good luck!
Thanassis.
I already tried to flash the original boot.img yesterday but it didn't change anything as you correctly assumed so I guess for now there is nothing more to do. I might write to the Asus support and maybe send the tablet in if it is free of charge for me (which I doubt). The only other option is to spend the next months to get sufficiently versed in Android to actually fix the problems myself but even for that I would probably need some files or source code from Asus. I find it rather disappointing the way these "closed" systems work nowadays, with the advancement of Linux and Open Source I really would have expected the opposite to be true but apparently people care more about convenience than actually being able to use the tools they buy in the way they want to.
Getting these Android devices is like buying a hammer that can't hammer things in on Sundays.
drsiegberterne said:
I find it rather disappointing the way these "closed" systems work nowadays, with the advancement of Linux and Open Source I really would have expected the opposite to be true but apparently people care more about convenience than actually being able to use the tools they buy in the way they want to
I share the sentiment - it's really sad.
Undoing the tethered root
drsiegberterne said:
I already tried to flash the original boot.img yesterday but it didn't change anything as you correctly assumed so I guess for now there is nothing more to do. I might write to the Asus support and maybe send the tablet in if it is free of charge for me (which I doubt). The only other option is to spend the next months to get sufficiently versed in Android to actually fix the problems myself but even for that I would probably need some files or source code from Asus. I find it rather disappointing the way these "closed" systems work nowadays, with the advancement of Linux and Open Source I really would have expected the opposite to be true but apparently people care more about convenience than actually being able to use the tools they buy in the way they want to.
Getting these Android devices is like buying a hammer that can't hammer things in on Sundays.
Hi drsiegberterne - I had a look into the contents of the boot loader running inside the ME103K, and I am pretty sure that if you execute this at fastboot...
# fastboot oem reset-dev_info
# fastboot reboot
... you will get back to normal, un-tethered bootings of your ME103K.
Hope this solves your problem!
Kind regards,
Thanassis.

Bricked Phone After Magisk Install

Today, my phone got bricked after I installed Magisk, and I am looking for a way of sorting it out. The phone was running Android 9 DP3 when rooted, and I was following HighOnAndroid's root guide on YouTube for reference.
I unlocked my bootloader and successfully installed TWRP. After this, I installed Magisk, which went through perfectly fine. However, after rebooting the phone, I am stuck on the Google splash screen, with a small progress bar that stays for the duration of the time on this screen. After about 2 minutes, the phone reboots into TWRP again.
Does anyone know how I could return to stock Android or at least escape this issue?
Many thanks
James
Jameswebb97 said:
Today, my phone got bricked after I installed Magisk, and I am looking for a way of sorting it out. The phone was running Android 9 DP3 when rooted, and I was following HighOnAndroid's root guide on YouTube for reference.
I unlocked my bootloader and successfully installed TWRP. After this, I installed Magisk, which went through perfectly fine. However, after rebooting the phone, I am stuck on the Google splash screen, with a small progress bar that stays for the duration of the time on this screen. After about 2 minutes, the phone reboots into TWRP again.
Does anyone know how I could return to stock Android or at least escape this issue?
Many thanks
James
Use Deuces script to flash the June Google factory image.
jlokos said:
Use Deuces script to flash the June Google factory image.
I followed the guide on the DeucesScript XDA page but the command window keeps saying "'fastboot' is not recognized as an internal or external command, operable program or batch file."
Jameswebb97 said:
I followed the guide on the DeucesScript XDA page but the command window keeps saying "'fastboot' is not recognized as an internal or external command, operable program or batch file."
You need this information (the stuff I made bold + the hyperlink):
Code:
If you are having issues with this script:
Download the latest fastboot and adb Platform Tools UPDATED Dec. 22, 2017!!! This is the most common problem!!!
Download/Update Google USB Drivers
Video: Force-Installing the Android USB Drivers Fastboot & ADB
[B]Verify you have the [URL="https://wiki.lineageos.org/adb_fastboot_guide.html"]environment variable (path)[/URL] set for adb and fastboot[/B]
Try a different USB port
Try a different cable
Format Userdata in Stock Recovery
Try to boot stock before doing mods like Locking Bootloader / Kernel / TWRP / Magisk
Jameswebb97 said:
I followed the guide on the DeucesScript XDA page but the command window keeps saying "'fastboot' is not recognized as an internal or external command, operable program or batch file."
umph....hate to tell you, but you have a long way to go...
so before going on this "journey", I would suggest you booting into TWRP again, and try installing (not adb sideloading, just in case you're doing that) Magisk again. Also, be sure you are using the latest (might be considered "beta") 16.4 for taimen... I'm thinking your boot.img or dtbo.img simply may have gotten glitchy and repatching (by installing Magisk again) might fix it...
Also, if you want to go a step further, you might want to consider using the official Magisk uninstaller. Since Magisk makes a copy of your stock boot and dtbo image, it may put that back so you can get it in working order to get into the system (although without root), and then figure things out and/or reinstall Magisk (through TWRP is best) while all things Magisk was removed...
Good luck and hope this helps....
Make sure you are trying to open from the correct location, and put .\fastboot
EvilDobe said:
You need this information (the stuff I made bold + the hyperlink):
Code:
If you are having issues with this script:
Download the latest fastboot and adb Platform Tools UPDATED Dec. 22, 2017!!! This is the most common problem!!!
Download/Update Google USB Drivers
Video: Force-Installing the Android USB Drivers Fastboot & ADB
[B]Verify you have the [URL="https://wiki.lineageos.org/adb_fastboot_guide.html"]environment variable (path)[/URL] set for adb and fastboot[/B]
Try a different USB port
Try a different cable
Format Userdata in Stock Recovery
Try to boot stock before doing mods like Locking Bootloader / Kernel / TWRP / Magisk
I've tried all of this now, I got the script working, but now the phone says it is corrupt and I cannot get into recovery. Is this game over do you think?
simplepinoi177 said:
umph....hate to tell you, but you have a long way to go...
so before going on this "journey", I would suggest you booting into TWRP again, and try installing (not adb sideloading, just in case you're doing that) Magisk again. Also, be sure you are using the latest (might be considered "beta") 16.4 for taimen... I'm thinking your boot.img or dtbo.img simply may have gotten glitchy and repatching (by installing Magisk again) might fix it...
Also, if you want to go a step further, you might want to consider using the official Magisk uninstaller. Since Magisk makes a copy of your stock boot and dtbo image, it may put that back so you can get it in working order to get into the system (although without root), and then figure things out and/or reinstall Magisk (through TWRP is best) while all things Magisk was removed...
Good luck and hope this helps....
This is good advice, thanks. I have a new problem (ugh), where I got the script working through changing the paths, but now the phone says that it is corrupt and I cannot access TWRP. Game over?
Jameswebb97 said:
I've tried all of this now, I got the script working, but now the phone says it is corrupt and I cannot get into recovery. Is this game over do you think?
With the unlocked bootloader it'll always say the device is corrupt. Manually put the device into the bootloader & flash the DeucesScript. You're basically starting over at this point but it is possible to get up & going again.
Jameswebb97 said:
This is good advice, thanks. I have a new problem (ugh), where I got the script working through changing the paths, but now the phone says that it is corrupt and I cannot access TWRP. Game over?
EvilDobe said:
With the unlocked bootloader it'll always say the device is corrupt. Manually put the device into the bootloader & flash the DeucesScript. You're basically starting over at this point but it is possible to get up & going again.
EvilDobe might be right...but I have a bit to offer before maybe starting all over...
I doubt you needed to edit the script and "change the paths." Most likely you merely did not have the images (you extracted from the .zip of the Full Factory image you got from the Google Developers site) inside the "platform-tools" folder with the adb & fastboot .exe and all the other files and folders.
In any case, I suggest you get the TWRP image file [.img] (NOT the installer .zip necessarily), put the .img file "... inside the "platform-tools" folder with the adb & fastboot .exe and all the other files and folders." (I've seen some users simply cut and paste those 2 .exe files only to the extracted folder -- this is why I state it this way) Then, power down your device. After it's off, hold down the Volume Down button and press & hold the Power button (this is the manual way to get into the Bootloader Mode). Once there, plug your phone into your computer (USB-A to USB-C would be best) and open a command prompt/powershell ("run as administrator" or with administrative privileges) and direct it to the platform-tools folder (i.e. if I put it on my desktop, it would be "C:\Users\MyName\Desktop\platform-tools"), you can temporarily boot into TWRP via command
Code:
fastboot boot twrp-3.2.1-2-taimen.img
When in TWRP (hopefully), I suggest trying to do what I advised before -- try either Magisk installer to repatch the boot and dtbo image, or Magisk Uninstaller to attempt to replace your boot and dtbo to stock.
*NOTE: Of course, this is assuming you are running Microsoft Windows (if not, you will need to input .\ as @naiku suggested) and also the whole "device is corrupt" is due to "funky" boot image issues. If not, I/we can guide you to flashing the Full Factory back onto the phone (hopefully without losing data and settings)...
Good luck and hope this helps...
simplepinoi177 said:
EvilDobe might be right...but I have a bit to offer before maybe starting all over...
I doubt you needed to edit the script and "change the paths." Most likely you merely did not have the images (you extracted from the .zip of the Full Factory image you got from the Google Developers site) inside the "platform-tools" folder with the adb & fastboot .exe and all the other files and folders.
In any case, I suggest you get the TWRP image file [.img] (NOT the installer .zip necessarily), put the .img file "... inside the "platform-tools" folder with the adb & fastboot .exe and all the other files and folders." (I've seen some users simply cut and paste those 2 .exe files only to the extracted folder -- this is why I state it this way) Then, power down your device. After it's off, hold down the Volume Down button and press & hold the Power button (this is the manual way to get into the Bootloader Mode). Once there, plug your phone into your computer (USB-A to USB-C would be best) and open a command prompt/powershell ("run as administrator" or with administrative privileges) and direct it to the platform-tools folder (i.e. if I put it on my desktop, it would be "C:\Users\MyName\Desktop\platform-tools"), you can temporarily boot into TWRP via command
Code:
fastboot boot twrp-3.2.1-2-taimen.img
When in TWRP (hopefully), I suggest trying to do what I advised before -- try either Magisk installer to repatch the boot and dtbo image, or Magisk Uninstaller to attempt to replace your boot and dtbo to stock.
*NOTE: Of course, this is assuming you are running Microsoft Windows (if not, you will need to input .\ as @naiku suggested) and also the whole "device is corrupt" is due to "funky" boot image issues. If not, I/we can guide you to flashing the Full Factory back onto the phone (hopefully without losing data and settings)...
Good luck and hope this helps...
Pleased to be editing this comment; managed to get it working following your step by step. Think I'm going to stay away from rooting something this expensive in the future! Thanks so much!
Jameswebb97 said:
Pleased to be editing this comment; managed to get it working following your step by step. Think I'm going to stay away from rooting something this expensive in the future! Thanks so much!
I wouldn't go that far with staying away. When I come across people IRL that want to start doing this stuff I always tell them to read the instructions, step through them, read the instructions again, ask questions (as you did here) BEFORE you get started, read the instructions again, and only when you're confident start messing with your device. This is a fun, and at times stressful, hobby. It's great when everything goes according to plan but it's an omg omg omg omg omg omg moment when you mess something up.
Start with baby steps. The straight upgrade to P is fairly simple provided your device is unlocked. Get that working & you'll be set. I have root on my DP3 & the only thing I've done so far is delete some apps from system that I know I don't want/need. If your main goal is to just enjoy your phone, test out Android P, and maybe go back... root isn't needed. Once everything is squared away & you're running for a day or so you can always fastboot to recovery, make a backup, and then try to add root. I hope you don't shy away & get deeper into the hobby. It truly starts to get fun when you begin to understand more of what is going on.
Jameswebb97 said:
Pleased to be editing this comment; managed to get it working following your step by step. Think I'm going to stay away from rooting something this expensive in the future! Thanks so much!
Hey I'm so glad you got it working! Leave me a "Thanks!" would make it up to me ... I'm always happy to help out and get things figured out...yet I don't get the satisfaction of knowing if it does end up helping a lot of the time because a good number don't come back with their experience...so thanks for that! Glad you got it going...
EvilDobe said:
I wouldn't go that far with staying away. When I come across people IRL that want to start doing this stuff I always tell them to read the instructions, step through them, read the instructions again, ask questions (as you did here) BEFORE you get started, read the instructions again, and only when you're confident start messing with your device. This is a fun, and at times stressful, hobby. It's great when everything goes according to plan but it's an omg omg omg omg omg omg moment when you mess something up.
Start with baby steps. The straight upgrade to P is fairly simple provided your device is unlocked. Get that working & you'll be set. I have root on my DP3 & the only thing I've done so far is delete some apps from system that I know I don't want/need. If your main goal is to just enjoy your phone, test out Android P, and maybe go back... root isn't needed. Once everything is squared away & you're running for a day or so you can always fastboot to recovery, make a backup, and then try to add root. I hope you don't shy away & get deeper into the hobby. It truly starts to get fun when you begin to understand more of what is going on.
And it's as @EvilDobe means.....
I remember back in the days of the Motorola Droids (OG Droid1, Droid 3, & Droid 4) where you could really mess things up and come out with a big ol' "brick" "paperweight" as there were many instances where you could not come back from (i.e. updating to a certain point, then attempting to downgrade when Google/Motorola/Verizon put blocks that breaks it). But this isn't the case these days. @Jameswebb97, at least with the Pixel 2's, Oreo and/or P(Android OS 9), it's actually more difficult than easy to get that too far gone. The only reason why I can help so many troubleshooting their issues is because I, myself, have wrecked my current device in some serious ways! So I can relate and have experience in helping in the same situations. I've gotten it to where it says "device is corrupt," (which isn't all that uncommon), BUT with the added desperate troubleshooting where I had to wipe/erase, changing partition types, format several partitions, even go about "resizing" the partition to match the "target extraction size" of the Full Factory flash, and even as far as learning to manually flash the various system partitions and that there are two (system_a & system_b) but, in Google's infinite wisdom(?), one flashes to system_a and the other to system_other!!! And I haven't even started on reading others' issues when going after the Slot A and Slot B complications -- I didn't even attempt to touch this in that troubleshooting story.
My point is: I think I've broken my device farther than most people and got it so close to the brink, and yet I was able to bring it back and am still using that same device today (most people would usually, at that point, go and get a RMA replacement). Honestly, as long as you have access to Bootloader Mode (which Google, in their infinite wisdom, seems to have placed it in the main board memory or separate memory rather than storage as to make it always accessible which makes it hard to "lose"), you have a really good (seemingly perfect) "safety net" in which you can always flash back to a working, stock state -- which is why it's the best policy to just make good backups before experimenting so, if anything, you get back to this state and restore all your data. I'm not trying to convince you to root or to try custom ROMs or anything -- even though there are many great reasons and capabilities of rooting -- I am simply appealing to your sense of curiosity and reassure you so you aren't held back and you don't restrict and limit yourself if you don't want to, but are too fearful to experiment.
I hope you don't take this post as "lecturing" or anything, just some thoughts I hope you consider...
Glad it worked out in the end for you!

NOST - Improved Version of OST LA 6.0.4 (v0.6, 02. Mar 2019)

"NOST" - short for "No Service Tool" (or "Nokia Service Tool" but that sounds too official and boring) is a small hobby project I've been working on in the last couple of days.
It aims to make the service tool for Nokia 8 (and HMD Phones in general) more usable, user-friendly, and straightforward to use, and after having to test it myself, and also making a small beta test in the Telegram group for Nokia 8, I feel like posting it here so others can try it out too if they want.
First, to be clear: NOST is not completely my work. It is based on OST LA 6.0.4, which was made by HMD/Foxconn. Unlike the previous OST Patches, NOST does not replace the executable with a hacked one, but instead wraps it and patches the methods that need patching at runtime. The result is that the changes are completely open source and readable by others, while the underlying OST files are not modified at all. I tried to base it on a different (i.e. newer) version of OST, but those are pretty much unpatchable, at least not with a serious amount of reverse engineering, which brings not only time issues but legal ones as well.
NOST changes a couple of things, compared to the unmodified OST LA:
It removes the need for authentication against HMD/FIH servers (really, shoutout to the one who made the original hack, even though I could not use their code)
Moved the logs folder to the same folder as the application, as opposed to somewhere on the system to make debugging easier
The options for flashing firmware images appear reliable now. (At least for me they only appeared sometimes if not never on the original OST).
Removed one of the options that if it appeared crashed the flashing process ("Check System AP Status")
One user of the Telegram group had issues where OST would crash because it detects an invalid locale setting in Windows. NOST just catches that issue and defaults to English
Removed the "Edit Phone Information" button. It never worked and its only purpose was to make the "Next" button appear, which works like it should now as well.
NOST refuses to flash your phone if your bootloader isn't unlocked critically. The old OST would just try to flash but never make any progress which confuses inexperienced users.
Perhaps the most important change: NOST allows to flash modified firmware images without the need to extract and modify them by hand.
With the original OST, people who wanted to reflash their phone had to download a firmware bundle, extract and edit it to be able to use it with OST LA 6.0.4, since the newer versions had unpatchable issues that prevent using them. Repacking the images in a format OST expects wasn't possible either since that enabled some sort of signature algorithm on the modified images and caused the flashing to fail. NOST solves this problem by allowing the use of a different packaging format. Those binaries still need to be extracted but it is done transparently in the background without the user having to download any other tools. The formats that can be used in images are .zip and .qlz
.zip Firmwares:
.zip firmware files are simply archives of the (edited) files that would normally be extracted from an .nb0 file. This means, if you extract a .nb0 with the extractor found on XDA, the contents of the *_unpacked folder it creates should be the contents of your .zip.
.qlz Firmwares:
.qlz files are based on QuickLZ compression, which gives them a small size but also a low decompression time.
The tool to generate them is called exdupe. Generating these images is pretty straightforward. Assuming you are on Windows, download the exdupe tool from the link above (or take it from the NOST Tools/ folder) and copy it into the folder that contains the unpacked .nb0.
Code:
- exdupe.exe
- <nb0 name>_unpacked/
- <nb0 name>.mlf
- ....
Open a commandline in that folder, and run the following command:
Code:
exdupe.exe <name of the folder to compress> <name of the firmware file>.qlz
You should already see how fast it compresses the firmware folder now. As a reference: Compressing the latest Nokia 8 firmware (about 4GB) takes maybe 30 seconds and yields a 2GB file.
Repacked Firmware Bundles:
I created .qlz images of the May and November firmwares, as well as one of the various Pie Maintenance Releases.
You can find them here: https://tmsp.io/fs/xda/nb1/firmware
I already successfully reverted from December Security Patch to November using NOST, and then updated back using OTA Sideloading without problems.
As always when working with flashing tools, proceed with caution!
How to unlock to critical:
KonikoO said:
For those who wonder how to unlock into critical state :
Reboot into bootloader download mode and execute those commands :
fastboot flash unlock *unlock .bin*
fastboot flashing unlock_critical
Afterwards you should be able to flash provided .qlz with NOST.
Download:
The actual tool: https://github.com/StollD/NOST/releases
Drivers: https://github.com/StollD/nokia-driver-installer/tree/master/out
Source Code: https://github.com/StollD/NOST
License:
OST LA 6.0.4 is copyrighted by the respective authors. It is not modified permanently.
The custom NOST code is licensed under the GNU General Public License.
Icon by Freepik © Flaticon
I tried this and it is working, nice tool.
Thanks dev.
Thank you THMSP! Very cool
Can flash the May and November update but cannot flash latest Pie with this tool. I flashed Pie but returned back to November update?
Lee Castro said:
Can flash the May and November update but cannot flash latest Pie with this tool. I flashed Pie but returned back to November update?
Yes, you can revert back from Pie to Oreo using this. What is the issue with Pie for you?
THMSP said:
Yes, you can revert back from Pie to Oreo using this. What is the issue with Pie for you?
What I mean is if I flash the Pie file you provided I just returned back to Android 8.1 November update no changes at all. Maybe there something wrong with the Pie file you uploaded. But the rests are all working fine with the tool.
Lee Castro said:
What I mean is if I flash the Pie file you provided I just returned back to Android 8.1 November update no changes at all. Maybe there something wrong with the Pie file you uploaded. But the rests are all working fine with the tool.
Thanks for the hint, I will take a look. Probably just derped when pulling partitions and renaming the images (might have worked in my November folder by accident).
EDIT: I repulled the images from Pie (I indeed somehow worked in my November folder when making the image), repackaged them and updated the version in the drive folder. You should now be able to flash Pie. Sorry for the mistake.
THMSP said:
Thanks for the hint, I will take a look. Probably just derped when pulling partitions and renaming the images (might have worked in my November folder by accident).
EDIT: I repulled the images from Pie (I indeed somehow worked in my November folder when making the image), repackaged them and updated the version in the drive folder. You should now be able to flash Pie. Sorry for the mistake.
Thanks again, this is really a big help.
Wow, this is something we've been all seeking for a long time now ! For those who wonder how to unlock into critical state :
Reboot into bootloader download mode and execute those commands :
fastboot flash unlock *unlock .bin*
fastboot flashing unlock_critical
Afterwards you should be able to flash provided .qlz with NOST.
Hey there! Wonderful tool to have. Thank you so much
Not working on my laptop, says a software needs to update
Blackhacker07 said:
Not working on my laptop, says a software needs to update
If you have dependency issues I would suggest to install OST LA 6.0.4 first, so you get its dependencies, until I can make a proper installer for NOST.
THMSP said:
If you have dependency issues I would suggest to install OST LA 6.0.4 first, so you get its dependencies, until I can make a proper installer for NOST.
Could you perhaps figure out how to get rid of the unlocked bootloader message?
ironman38102 said:
Could you perhaps figure out how to get rid of the unlocked bootloader message?
Are you talking about the error message that appears when you press the Next button to start flashing?
If yes, your bootloader needs to be unlocked to critical, then the message won't appear.
If you are unsure if your bootloader is unlocked to critical, do "fastboot oem device-info", it will tell you.
If you mean the message that your phone displays when booting with an unlocked bootloader then sorry, I doubt that's possible (I think it is embedded into the bootloader).
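The check described in the post above, as an added example that is not part of the original thread: a small shell helper that reads `fastboot oem device-info` output and reports whether the bootloader is unlocked to critical before a flash is attempted. The function names and sample outputs are constructed here, and the exact wording of the two status lines is an assumption about the bootloader.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the bootloader prints
#   (bootloader) Device unlocked: <true|false>
#   (bootloader) Device critical unlocked: <true|false>
# Other bootloaders may word these lines differently.

# Reads device-info output on stdin and prints one of:
#   critical-unlocked | unlocked-only | locked | unknown
unlock_state() {
    awk '
        function value(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        {
            line = tolower($0)
            sub(/\r$/, "", line)                     # tolerate CRLF captures from Windows
            sub(/^\(bootloader\)[ \t]*/, "", line)   # strip the fastboot prefix
        }
        line ~ /^device critical unlocked:/ { crit = value(line); next }
        line ~ /^device unlocked:/          { dev  = value(line); next }
        END {
            if (crit == "true")                         print "critical-unlocked"
            else if (dev == "true" && crit == "false")  print "unlocked-only"
            else if (dev == "false")                    print "locked"
            else                                        print "unknown"   # fail closed
        }'
}

# Succeeds only when the critical partitions are reported as unlocked.
ready_to_flash() {
    [ "$(unlock_state)" = "critical-unlocked" ]
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_CRITICAL='(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: true
OKAY [  0.010s]'
SAMPLE_PARTIAL='(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: false
OKAY [  0.010s]'

for sample in "$SAMPLE_CRITICAL" "$SAMPLE_PARTIAL"; do
    printf '%s\n' "$sample" | unlock_state
done

# On a real device fastboot writes these lines to stderr, hence 2>&1:
#   fastboot oem device-info 2>&1 | ready_to_flash || echo "not unlocked to critical"
```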
THMSP said:
Are you talking about the error message that appears when you press the Next button to start flashing?
If yes, your bootloader needs to be unlocked to critical, then the message won't appear.
If you are unsure if your bootloader is unlocked to critical, do "fastboot oem device-info", it will tell you.
If you mean the message that your phone displays when booting with an unlocked bootloader then sorry, I doubt that's possible (I think it is embedded into the bootloader).
Actually it's in splash.img that can be dumped. It's the hex editing possibly that might be a problem for someone not familiar with it.
How to flash? It says this...
Blackhacker07 said:
How to flash? It says this...
What do you mean?
KonikoO said:
Wow, this is something we've all been seeking for a long time now! For those who wonder how to unlock into critical state:
Reboot into bootloader download mode and execute these commands:
fastboot flash unlock *unlock .bin*
fastboot flashing unlock_critical
Afterwards you should be able to flash provided .qlz with NOST.
Thank you so much for this advice. I wouldn't have ever figured out how to unlock critical on my own and that was the thing that was preventing me from flashing. I tried searching the other OST LA flashing threads as well but this info seemed to have been missing, or then I completely missed it. Thank you so much anyways. If anybody else is trying to figure out why their OST LA or NOST is giving them the se_err_adb_cmd_get_fail_result error, this should help. I just used the unlock.key in place of the *unlock.bin* in your command and it worked.
Can you please upload Oreo December update stock and patched boot image? TIA
Yesterday I noticed that my Pie Image was still not quite useable, since it contained a corrupted system partition.
This seems to have happened because of my Magisk Setup and me only replacing the boot partition image and not uninstalling Magisk completely.
I rebuilt the image, to be fully stock, and also included the latest B07 update that @hikari_calyx uploaded yesterday. You can get it from the drive link in the OP.