Related
Hi! After latest OTA update I was left with an unbootable Galaxy Nexus (zygote couldn't start) and I lost root (su needed activitymanager up). So I needed to unlock to revive the phone, but I really didn't want to lose my data. After some exploration I could come up with a way to unlock bootloader without wipe and without root. I have seen several questions about this here and this was deemed impossible, so I decided to share my findings and expect they might help someone. Should work with GSM tuna phones.
Components for success:
— unlocking without wipe via putting a byte in param partition (needs root):
[1] http://forum.xda-developers.com/showthread.php?t=1650830&page=15
— OMAPFlash, a low-level utility for manipulating and flashing chipset (usually used to unbrick phones)
[2] http://forum.gsmhosting.com/vbb/f63...9250-galaxy-nexus-gt-i9100g-gt-i9300-1465412/
Take the two of them and you have a solution. I could successfully flash unlock byte to param partition using OMAPFlash.
A sketch of a guide:
1. Boot windows xp, download OMAPFlash (http://d-h.st/XNv), connect a turned off phone without battery, install drivers for omap device. (Mod edit: I've updated the download link.)
2. Dump a part of param partition. You don't need to dump the whole partition, but I think it is safer if you dump a sector-aligned area (512*n). I used 4KB (8 sectors).
Code:
OMAPFlash -omap 4 -2 -p OMAP4460_TUNA_8G_HS_PRO -t 36000 chip_upload [email protected] 1000 param.img
chip_upload is for downloading data from device memory
[email protected] is the start of params partition (check /sys/block/mmcblk0/mmcblk0p4/start, multiply by sector size 512 and convert to hex)
1000 is to copy 4KB.
Sometimes the process stalls (esp if you try to download larger dumps), just reconnect and retry.
3. Verify that the content is similar to first 4 KB of the dumps of param partitions attached in the thread [2]. For me they matched entirely.
4. Change the byte at offset 124 (0x7C) from 01 to 00.
Code:
echo -ne "\x00" | dd obs=1 count=1 seek=124 of=param.img conv=notrunc
5. Flash it back to the device.
Code:
OMAPFlash -omap 4 -2 -p OMAP4460_TUNA_8G_HS_PRO -t 36000 chip_download [email protected] param.img
Reboot, you are unlocked.
Additional links:
[3] http://forum.gsmhosting.com/vbb/f634/gt-i9250-pinout-enjoooy-1463061/ GT-I9250 JTAG pinout. Not directly releavant to the guide, but I found it while searching for solution, thought that can help someone in future.
Additional reading
The dangers of OTA when you have root, or why I was stuck with an unbootable phone at all
I learned the hard way that OTA may cause unpleasant results if you are trying to preserve root and mess with filesystem.
I was trying to preserve root in a way similar to one used by rootkeeper apps: put a copy of su somewhere in /system and make it immutable. So I went and put my su to /tts (thought that it's unprobable that OTA will do something there), and made it immutable.
And then the update came. As part of the the update process it copied a new version of /system/usr/share/zoneinfo/zoneinfo.version file and the file got 660 perms (package_extract_dir("system", "/system") in the update_script). Then it went on to recursively fix permissions so that the mentioned file would be made readable (set_perm_recursive(0, 0, 0755, 0644, "/system")). But the set_perm_recursive was met by immutable su in tts directory, chmod returned error and the recursive process was stopped before it got to zoneinfo.version file. So the latter file remained unreadable.
Unfortunately during startup zygote preloadsClasses, static constructor in some sqlite class needs DateFormat, and DateFormat reads zoneinfo. And fails cause it's unreadable. Exception, System.exit. Phone boot stuck.
To work my copy of su needs to send a message to ActivityManager service using binder. I wrote a dirty mock for AM but servicemanager didn't accept my fraud, it checked uid. I tried to bypass preloadClasses with overflowing system file descriptors count to prevent zygote from reading preload class list, but somehow it didn't succeed. Thus the only option I had was unlocking bootloader.
So it may end bad if you mess with /system on a stock rom with locked bootloader and want to receive OTA. It may seem natural, but sometimes the changes seem irrelevant, and then a chain of small failures leads you to loss of everything: boot, root, and data.
This is great work! Kudos to you for figuring it out.
By the way, where did you find the syntax for OMAPFlash commands?
efrant said:
This is great work! Kudos to you for figuring it out.
By the way, where did you find the syntax for OMAPFlash commands?
Click to expand...
Click to collapse
There are some docs in OMAPFlash_tuna.zip package. The most interesting is OMAPFlash.txt that lists options and commands and has some examples.
Also I was lucky that there is a complete example for unbricking GT-I9250 in Targets/Projects/tuna. This is where I took the options specific for this device.
nichtverstehen said:
There are some docs in OMAPFlash_tuna.zip package. The most interesting is OMAPFlash.txt that lists options and commands and has some examples.
Also I was lucky that there is a complete example for unbricking GT-I9250 in Targets/Projects/tuna. This is where I took the options specific for this device.
Click to expand...
Click to collapse
Exactly. I haven't needed this yet, but i had looked in those board files, cross examining with omap 4460 manual that can be found on the web. Thanks for sharing.
I was not aware that JTAG method had been found. Great news.
Sent from my i9250
Works!
Awesome - this worked for me! Unlocked, unrooted, TAKJU Galaxy Nexus w/JB 4.2.2. I used OMAPFlash_tuna.zip (download link).
I had issues when the downloaded param.img file was long, so I replaced 1000 with 200 in the commands. Regardless, it still took me probably 5-10 tries on each command to get it working (unplugging and replugging the phone in between), and sometimes it would freeze up and I'd have to restart Windows. If it takes longer than 5 seconds, you should press Ctrl+C and restart that step.
My problem was that one of my volume buttons is messed up, and as a result the fastboot screen doesn't work - Windows doesn't detect a fastboot device, and none of the hardware buttons or the touchscreen works either. As a result I needed to unlock the bootloader without using fastboot (oem unlock), and this did the trick!
Also, on Windows, I downloaded a hex editor (i.e., HxD) to do the editing. My modified param.img (only 512 bytes) is attached as well.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Thank you!!! It worked for me too!
The volume buttons on my Galaxy Nexus didn't work and I can't recharge the battery via USB. The USB works only as data connection. Despite all these issues on my phone, it worked for me too!!
I replaced the size in the commands from 1000 to 400 (1024 bytes = 2*512), and I had to put the battery on the phone.
Sweet jesus I cannot express enough gratitude for this post. While I was a little worried about bricking my device, it would up working perfectly.
A couple of confusing points for anyone out there trying to do this:
- The dump / reflash should only take a few seconds each. If it hangs, cancel and re-start the process.
- Install the drivers with the device OFF but plugged in. You will have an OMAP device without a driver in your device manager. Update the device driver and you're good to go.
- I didn't know how to get the dd command to work on windows, so I also went the Hex editor route it it worked flawlessly
- The only snag I ran into was that it did not boot into my flashed CWM after doing an "adb reboot recovery" from the stock rom. It went back to the stock android recovery. From there I did "fastboot boot cwmrecovery.img" and installed my rom and gapps. After that initial boot, it rebooted into recovery just fine! It seems like a weird glitch (maybe just a one-off).
Cheers
techobrien said:
- Install the drivers with the device OFF but plugged in. You will have an OMAP device without a driver in your device manager. Update the device driver and you're good to go.
Click to expand...
Click to collapse
This is a critical step right here. This thread either should be linked on the 101 FAQ if it's not already or stickied.
a maguro wrote this.
techobrien said:
- The only snag I ran into was that it did not boot into my flashed CWM after doing an "adb reboot recovery" from the stock rom. It went back to the stock android recovery. From there I did "fastboot boot cwmrecovery.img" and installed my rom and gapps. After that initial boot, it rebooted into recovery just fine! It seems like a weird glitch (maybe just a one-off).
Cheers
Click to expand...
Click to collapse
Sounds like you are getting hit with the /system/recovery-from-boot.p file. When you boot into Android, this file checks to see if you have stock recovery...if not, it replaces it with stock recovery. You can rename, move, delete the file safely. It shouldn't exist in custom ROMs, which would explain why after installing a ROM and Gapps you were fine.
This is pretty cool. Nice find OP.
cupfulloflol said:
Sounds like you are getting hit with the /system/recovery-from-boot.p file. When you boot into Android, this file checks to see if you have stock recovery...if not, it replaces it with stock recovery. You can rename, move, delete the file safely. It shouldn't exist in custom ROMs, which would explain why after installing a ROM and Gapps you were fine.
This is pretty cool. Nice find OP.
Click to expand...
Click to collapse
This post thread have not been getting the attention it deserves..
Beamed from my Maguro.
cupfulloflol said:
Sounds like you are getting hit with the /system/recovery-from-boot.p file. When you boot into Android, this file checks to see if you have stock recovery...if not, it replaces it with stock recovery. You can rename, move, delete the file safely.
Click to expand...
Click to collapse
Good to know for next time round. The flimsy headphone ribbon cable is the bane of my existence and it seems like a somewhat common problem. I didn't think that the custom rom would touch the bootloader so I was confused, but /system/ makes sense. Thanks for the tip.
Just in case anybody was wondering, this method also worked for my Verizon GNex LTE. I also used a HEX editor.
Hi,
i'm thinking to use this method to unlock my Nexus' bootloader, in order to gain root privileges without wiping the memory.
This because i need to try and undelete files i have lost on my phone, to do this i need the root but i can't use the normal procedure that would wipe forever all the data i need to restore.
As i am new to this kind of operations, i never even rooted my Android phones, i wanted to ask if this procedure can fit my situation, and if there are any risks....
Thank you very much
EDIT: It worked perfectly!!
Thank you very much!!
Did anybody try it on MAGURO device? Does it require any change in the procedure?
Um... The op (and others) did it on a maguro? After all, the title says "on GT-I9250".
Isn't a i9250 a Maguro?
Beamed from my Grouper
Mod edit: removed quote of the OP.
Is WinXP really required for this process or will it work on newer versions of Windows ie Win8?
mielli1 said:
Is WinXP really required for this process or will it work on newer versions of Windows ie Win8?
Click to expand...
Click to collapse
Please do not quote the first post of threads when you reply.
As for your question, if you can get the driver to install on Windows 8, the program will work fine. The driver installs fine in Windows 7 by the way.
Don't forget to disable driver signature verification if you are trying to install drivers in Windows 8.
Windows 8 - stuck at installing drivers
beekay201 said:
This is a critical step right here. This thread either should be linked on the 101 FAQ if it's not already or stickied.
a maguro wrote this.
Click to expand...
Click to collapse
I have a Nexus with a broken volume up button, so am trying this method as a way of unlocking the bootloader and rooting my device.
When I plug the powered off device into the usb port, constantly get the sounds of a device being inserted, and then unplugged (two different beeps.) This continues until I unplug the phone.
Is this the step where I should get a "found new hardware" notification? It is not happening for me, and I'm wondering if this is Windows 8 related.
FYI - I have already disabled driver signature verification.
LG Pro Lite D680
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Boot On Charge
Non-generic feature for commercial purposes
URGENT NEED! - WILL DONATE
What we need:
I am looking for an urgent solution to boot-on-charge LG D680 cell phone, I am asking for help to developers who have experience on this area. The subject is related to unlock the bootlaoder, fastboot and custom rom. I understand the task is not simple, I am looking forward to donate whoever hacks the non generic feature.
What we do:
We provide video service through LG D680 cell phone (Also known as LG Pro Lite D680), the phone has 3G connection and is plugged to the power supply when is working.
Problem:
Most of the day the phone is plugged and working properly, however when the weekend comes the cell phone is unplugged and the energy is completely consumed. Currently, when the power is back to the cell phone we need to start the cell phone MANUALLY by pressing the power on button.
Goal:
We need the phone to be booted into the OS automatically when is plugged into the power USB cable (the phone initial status is powered off).
Possible Solutions / Alternatives:
Unlock the bootloader and run fastboot command fastboot oem off-mode-charge 0.
Continue our research, based on the steps described below (see LG D680 experience)
Replace charge animation with boot file command /system/bin/reboot (see Huawei experience below replacing ipod file).
Finding a custom ROM that already contains a Boot on Charge behaviour.
Finding a custom ROM that at least has “Power On Schedule” feature (AOSP certificate permissions level).
Finding a generic Android vestion with “Power On Schedule”.
Cellphone specifications:
PLATFORM
OS - Android OS, v4.1.2 (Jelly Bean), upgradаble to v4.4.2 (KitKat)
Chipset - Mediatek MT6577
CPU - Dual-core 1 GHz Cortex-A9
GPU - PowerVR SGX531
Previous work and research:
We did this "boot on charge" research in two types of cell phones. One is HUAWEI G730 and the other is LG D680. Fortunately, it worked fine in G730, but we haven’t the same results up to now on LG D680.
In Huawei G730, we replaced charging animation located at /system/bin/ipod with an ipod file containing “/system/bin/reboot” and worked like charm!
LG D680, we could not find the animation file, but we found that it might be inside the boot image. We did some research in order to modify it, but we got blocked (someone might continue our steps if useful).
HUAWEI G730 Extended Procedure:
Since this phone has a Mediatek chipset, the “battery animation” app is running on /system/bin folder. Is running with the filename ipod. The main task is to exchange ipod content (which is originally binary) to an ipod file with this content: /system/bin/reboot.
So, create a brand new file called ipod, and wrote the line in there. We transferred the file to the phone via adb push, as shown in next steps below.
Copy procedure: So, we set our phone to USB Debugging Mode, then we connected it to the PC, and run the following script:
adb shell mkdir /storage/sdcard0/carga/ (We created a folder to store files being pushed from the PC to the phone)
adb push ipod /storage/sdcard0/carga/ (We are pushing the file to the storage folder within the phone)
adb shell "su -c 'mount -o rw,remount -t ext4 /dev/block/mmcblk0p5 /system'" (This step is very important, here we remount the /system folder with read-write permissions. Only doing this we will be able to copy programmatically the “hacked” file ipod to /system/app. Look out that we used mmcblk0p5 because the system folder is mapped there in this phone. You can check this running cat /proc/dumchar_info)
adb shell "su -c 'chattr -i /system/bin/ipod'" (doing this we took out immutability to the original file ipod)
adb shell "su -c 'cp /system/bin/ipod /storage/sdcard0/carga/ipod.old'" (just creating a backup file from the original ipod)
adb shell "su -c 'rm /system/bin/ipod'" (here we are removing original ipod file)
adb shell "su -c 'cp /storage/sdcard0/carga/ipod /system/bin/'" (now we copy the new file ipod to the destination folder)
adb shell "su -c 'chmod 755 /system/bin/ipod'" (change the permission ro rwx-rx-rx)
adb shell "su -c 'mount -o ro,remount -t ext4 /dev/block/mmcblk0p5 /system'" (we remount the /system folder with read-only permissions)
adb shell "su -c 'reboot'" (Finally we reboot the phone)
RESULT: Whenever you plug in the phone to the charger when it is off, it will try to boot on the battery animation, but instead, it will be redirected to a “reboot” command, which in turn will be redirecting execution to the O.S.
LG D680 Procedure:
We found that this phone also has a Mediatek chipset. Moreover, it also has a file called ipod within /system/bin. But in this case, the bootloader image doesn’t call ipod whenever it displays the battery animation. So we had to check where is mapped the boot image on the phone by executing adb shell "cat /proc/dumchar_info". As the picture shows, the boot image (bootimg) is mapped in /dev/block/mmcblk0, from offset 0x1200000, and with size 0x900000.
We tried the following steps, in order to test if we were able to download / upload booting without bricking the phone:
We copy bootimg partition to boot.img by doing adb shell "su -c dd if=/dev/block/mmcblk0 of=/storage/sdcard0/boot.img bs=1024 skip=18432 count=9216’. (Skip and Count are measured on KBytes, and those values are offset and size translated from hexa to dec).
Then we did the inverse operation by executing: adb shell "su -c dd if=/storage/sdcard0/boot.img of=/dev/block/mmcblk0 bs=1024 seek=18432”
RESULT: The phone WASN’T bricked, and reboot normally (obviously without any change on bootimg).
Because these steps worked, we went even further, this time by unpacking and repacking boot.img file. The steps done were:
Same as (b)
We pulled boot.img file from the phone to a folder within the PC, and then we unpacked the image with bootimg.exe as the picture shows below. One interesting fact is that the pulled file sized almost 9MB.
Then we repacked it without any change inside the image, as the picture shows below. The “repacked” image is now on file “boot-new.img”, but its size is almost 7.4MB. We don’t know why we have this difference.
Same as step (ii) on (b).
RESULT: The phone resulted in a SECURITY_ERROR. It is weird because we didn’t change anything. We didn’t tried further since we are not able to unpack-repack the same image, and loading it successfully.
Edited: The security error can be avoided please follow the just below instructions.
Avoid Security Error:
In order to avoid the security error above mentioned, you need to edit the default.prop file (located at /bootimg/initrd)
Change the value from 1 to 0.
FastBoot Note LG:
Fastboot is a solution performing these commands, the problem is that the bootloader is locked for these operations on the generic vesion:
fastboot oem unlock
fastboot oem off-mode-charge 0
fastboot oem lock
fastboot reboot
The command "adb reboot bootloader" does not enter on fastboot upon reboot. There seems to be an opened option while booting on "Download Mode". What I did find out is that when you go into "Download Mode" a new ADB Device is detected on my computer however no driver matched the device. I assume fastboot could be avilable on Download Mode. I have been suggested by romulocarlos to Install the drivers on LG's website however did not work out.
Files:
For making the tests your will need the system.img, boot.img images files. If you brick your phone and want to un-brick the phone please follow this guide [Guide] LG G PRO LITE- Unroot/Unbrick - flash official factory firmware. Currently we are using this kdz image.
Forum:
G Pro Lite D680 Android Development at Android General.
XDA considered the case and opened a new forum for the phone. Thanks very much laufersteppenwolf (aka Wolf), MikeChannon (forum moderator) and svetius.
Conclusion:
We have reached this spot and need help from more advanced hackers. As you guys can see, we have been working hard to trying to hack the boot-on-charge feature on the D680 however has not been yet possible. There is no precedent on this phone on custom CWM & TWRP and custom roms yet therefore the is no out of the box solution as on many other phones (i.e. cyanogen list). We have also tried XDA University practices with no results.
I am ready to donate whoever would help us in solving this problem, its an urgent matter that needs to be solved as soon as possible. I will reward a developer by making a donation.
Appreciate very much the help in advance and reading.
Best,
Jose
Well, it's not that easy without having the actual device, but it'd help quite a bit if you could upload a system dump as well as the boot.img
laufersteppenwolf said:
Well, it's not that easy without having the actual device, but it'd help quite a bit if you could upload a system dump as well as the boot.img
Click to expand...
Click to collapse
Hi laufersteppenwolf,
Congratulations for your achievements and career, amazing.
I am hereby sharing two link resoruces to download what you have asked for, system.html containing the system.img and boot.html containing boot.img. Please let me know if you have problems downloading.
I understand the side effects of not having the cellphone by your side, hope we can mitigate it with the image files you are asking. As extended solution I can open a vnc session or whatever remote tool you can consider.
Thanks so much for the answer and support.
Best,
Jose
JoseVigil said:
Hi laufersteppenwolf,
Congratulations for your achievements and career, amazing.
I am hereby sharing two link resoruces to download what you have asked for, system.html containing the system.img and boot.html containing boot.img. Please let me know if you have problems downloading.
I understand the side effects of not having the cellphone by your side, hope we can mitigate it with the image files you are asking. As extended solution I can open a vnc session or whatever remote tool you can consider.
Thanks so much for the answer and support.
Best,
Jose
Click to expand...
Click to collapse
I am DL'ing the files now, but please use another hoster, as 4shared is not allowed on XDA
laufersteppenwolf said:
I am DL'ing the files now, but please use another hoster, as 4shared is not allowed on XDA
Click to expand...
Click to collapse
Hi laufersteppenwolf,
Thanks for clarifying, I was not aware 4shared was not allowed. I am changing the hosting and updating the link.
Cheers,
Jose
Alright, what I have done so far is I have unpacked the boot image and the ramdisk, edited the ramdisk so it shoud execute /system/bin/reboot when the phone boots because of the charger. Then I repacked both and signed the boot.img again so the bootloader would accept it.
The result, however, is a bootloop. I am just not yet sure whether it is caused by a "false alarm" (the ramdisk always thinking the phone is being booted because of a plugged in charger) or caused by either the bootloader or other low-level security checks. But I also doubt that, as the bootloader seems to accept the repacked image (doesn't show the security error screen).
But I currently do not have any logs, which is why all this is wild guessing. So the highest priority now is to get some proper logs so I know what's going on
laufersteppenwolf said:
Alright, what I have done so far is I have unpacked the boot image and the ramdisk, edited the ramdisk so it shoud execute /system/bin/reboot when the phone boots because of the charger. Then I repacked both and signed the boot.img again so the bootloader would accept it.
The result, however, is a bootloop. I am just not yet sure whether it is caused by a "false alarm" (the ramdisk always thinking the phone is being booted because of a plugged in charger) or caused by either the bootloader or other low-level security checks. But I also doubt that, as the bootloader seems to accept the repacked image (doesn't show the security error screen).
But I currently do not have any logs, which is why all this is wild guessing. So the highest priority now is to get some proper logs so I know what's going on
Click to expand...
Click to collapse
Hi Wolf,
Great advance! Keep the great work up .
I have made some modifications on the original post. Yes you are right, the bootloader friendly accepts the original image and we have figured out the security error. We have found on our end that you need to edit the default.prop file (located at /bootimg/initrd) and set ro.secure to value 0. I also added the files to the post (yet to change the server origin on the boot.image though), added the kdz image to unbrick. Also appended the new forum for the phone.
I appreciate that you have favored to create the forum for the G Pro Lite D680 Android Development. Its great that we can help the community with our achievements.
Best,
Jose
JoseVigil said:
Hi Wolf,
Great advance! Keep the great work up .
I have made some modifications on the original post. Yes you are right, the bootloader friendly accepts the original image and we have figured out the security error. We have found on our end that you need to edit the default.prop file (located at /bootimg/initrd) and set ro.secure to value 0. I also added the files to the post (yet to change the server origin on the boot.image though), added the kdz image to unbrick. Also appended the new forum for the phone.
I appreciate that you have favored to create the forum for the G Pro Lite D680 Android Development. Its great that we can help the community with our achievements.
Best,
Jose
Click to expand...
Click to collapse
ro.secure doesn't trigger the security checks, this prop is only for other things like adb on early boot, enabling adb remount, adb as root by default,...
I also set ro.secure to 0 in the builds I sent you, so that's not the cause of the issue
@JoseVigil
I have some pretty good news The phone now does exactly what you want it to do, as soon as you plug in the charger, the phone boots into offline charging mode, but then directly reboots again into the normal system.
The reboot is not that nice, but it's by far the easiest, as well as safest, way to do it.
Turns out, LG did a pretty sloppy job, giving me adb access to the device when in offline charging mode, giving me the chance to read which process is running and patching the binary to run my hack before actually executing the binary. And that's it. A few lines of bash code and you're good to go
Now my question, do you want me to write a tiny script to do all the work patching the system, or shall I just explain what to do?
laufersteppenwolf said:
@JoseVigil
I have some pretty good news The phone now does exactly what you want it to do, as soon as you plug in the charger, the phone boots into offline charging mode, but then directly reboots again into the normal system.
The reboot is not that nice, but it's by far the easiest, as well as safest, way to do it.
Turns out, LG did a pretty sloppy job, giving me adb access to the device when in offline charging mode, giving me the chance to read which process is running and patching the binary to run my hack before actually executing the binary. And that's it. A few lines of bash code and you're good to go
Now my question, do you want me to write a tiny script to do all the work patching the system, or shall I just explain what to do?
Click to expand...
Click to collapse
You are the man Wolf!
Its great that you have been able to find a workaround.
Yes, ideally both. I would appreciate if you can write the script so we can run it on our rooted phones pragmatically and a brief description of what it does (comprehensive from reading the script too) with implementation steps to reproduce too.
With the script I will do the proper test on my end and provide you feedback in case we have an issue. I will place the donation the coming week early on right after the test, I will be pleased that you get your reaward .
Once that, I think It would be pertinent though that we can expose how far we have reached with our research. If you agree, we can set the ground for someone (either me or you or anyone) to get a bootable customized boot image and unlock the door for CM.
I would love to see this running on CM. But I also know we have to be realistic, as you mentioned, this could be a hell of a work to have a working custom recovery, the device tree and blobs with kernel (almost XDA University I have not been able to deal with too).
It has been a lot of fun and a pleasure to know you and interact with you. I hope this is our first experience.
Thanks very much for the great work.
Best,
Jose
JoseVigil said:
You are the man Wolf!
Its great that you have been able to find a workaround.
Yes, ideally both. I would appreciate if you can write the script so we can run it on our rooted phones pragmatically and a brief description of what it does (comprehensive from reading the script too) with implementation steps to reproduce too.
With the script I will do the proper test on my end and provide you feedback in case we have an issue. I will place the donation the coming week early on right after the test, I will be pleased that you get your reaward .
Once that, I think It would be pertinent though that we can expose how far we have reached with our research. If you agree, we can set the ground for someone (either me or you or anyone) to get a bootable customized boot image and unlock the door for CM.
I would love to see this running on CM. But I also know we have to be realistic, as you mentioned, this could be a hell of a work to have a working custom recovery, the device tree and blobs with kernel (almost XDA University I have not been able to deal with too).
It has been a lot of fun and a pleasure to know you and interact with you. I hope this is our first experience.
Thanks very much for the great work.
Best,
Jose
Click to expand...
Click to collapse
Alright, in the attachment I have uploaded the script, including all needed files in order to execute it. The script will also tell you what it's about to do before doing it, so in case you run into issues, you know where to look into
So, what the installer script is going to do:
It will first of all push a script temporarily to the internal sdcard, then it will back up /system/bin/rtcd to /system/bin/rtcd_original, as we need to execute it later again. Next it will copy the script over from the sdcard to /system/bin/rtcd, replacing the original binary (and setting the correct permissions to both modified files). As the last step it will delete the temp file from the sdcard again.
That's all the installer script does.
The actual "magic" is inside the script being pushed to /system. It gets executed before starting chargemon and reads out the devices boot mode. If the boot mode is charger, it executes /system/bin/reboot. Otherwise it executes the original binary in /system/bin/rtcd_original.
And that's about it As simple as it could only be
Regarding further development, up until now, every device I own received a werewolf kernel, and I'm not planning on making an exception for this phone
I will definitely keep on looking into it, though it will not be as high on my priorities list as this workaround was
I will most likely open a new thread in the next couple of days, stating my findings regarding the phone/boot image/bootloader.
@JoseVigil @laufersteppenwolf
I'm New In Rom Developing . But I Think This Can Help You To Find Security Checks
I need lg g pro lite dual d686 custom twrp recovery i cant find anywhere plz provide working recovery link for d686 as iam new it seems custom recovery for specific d686 dosnt exits so share tested link for d686
Sent from my LG-D686 using xda Forums PRO
Hello I need boot on charge on my LG E460 with MTK. I done ipod change, rctd replace from laufersteppenwolf file without results. I can't went into fastboot mode of course to set oem mode charge for 0
Phone have root, bootloader unlock, busybox and supersu. Any suggestions?
Maxjimme said:
I need lg g pro lite dual d686 custom twrp recovery i cant find anywhere plz provide working recovery link for d686 as iam new it seems custom recovery for specific d686 dosnt exits so share tested link for d686
Sent from my LG-D686 using xda Forums PRO
Click to expand...
Click to collapse
TWRP RECOVERY
http://forum.xda-developers.com/optimus-g-pro/d680-development/d686-unsecured-boot-img-twrp-2-8-7-x-t3163144
Same Problem here with LG E460. Is there a solution for fastboot mode with this device?
hi, do you think this script could work on a LG G Pro 2 ?
hi guys, any chance i could get this working on a chinese mediatek device running kitkat 4.4.2 ??
This thread is superseeded by: https://tinyurl.com/SALTatXDA
NO FURTHER SUPPORT HERE!
DLM Backup is a NANDROID BACKUP IN DOWNLOAD MODE!
(DLM Backup = [D]own[l]oad [M]ode Backup)
The following does not require an unlocked device and so even no TWRP.
Believe it or not but you are able to backup full partitions nevertheless!!! :victory:
.. and all this even for partitions you usually have NO ACCESS TO (e.g. laf, aboot etc) and all this even without root ! wtf its not a dream its true! :victory:
It's really awesome especially for those having a locked device but still wanted to have a nandroid backup
or for those encountering the ILAPO (Infinite Loop Auto Power off or just called "bootloop issue") wanting to save their data!
The following will make full disk dumps of all or only the system essential ones of your device. Choose whichever option you need.
Preparation
First of all you should download FWUL ( https://tinyurl.com/FWULatXDA ).
Every other Linux is fine as well as long as you can handle it! (do not expect support from me then - I support FWUL only)
You may still should consider FWUL as it has everything onboard and is preconfigured to work with Android devices out-of-the-box.
Keep in mind the FWUL password as you need it for the sudo commands within the terminal later.
Once FWUL is running open a terminal (little black icon in the panel):
Code:
git clone [url]https://github.com/steadfasterX/lglaf.git[/url]
cd lglaf
Leave this terminal window open - we need it in the next step.
Then boot your phone into download mode --> the following guide is 100% working and bulletproof:
take out battery and unplug USB cable
plugin USB cable to your PC (while battery ist still out)
wait until you see the missing battery icon (question mark within a battery symbol)
press Volume up and while keeping it pressed put battery in (take care that you do not press the power button)
keep pressing Volume up until you see "Download mode"
If that does not work for you try it this way instead:
unplug USB cable
power down device or pull out battery
put battery back
press Volume up and while keeping it pressed plugin USB cable to your PC (take care that you do not press the power button)
keep pressing Volume up until you see "Download mode"
Your phones screen should look similar to this afterwards:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
You need a USB stick or disk which is big enough to hold the backup.
Depending on the method you need either a ~8 GB one or a 64 GB..
Plugin the USB stick and find out the path to it by just double clicking on the USB stick icon which appears on the desktop after plugging in the stick.
Then write down / copy the path to the stick as shown in the screenshot:
If you encounter problems with the above (e.g. no icon appears after plugging in the USB stick) you can do this in a terminal instead:
Code:
df
Filesystem 1K-blocks Used Available Use%[COLOR="Red"] Mounted on[/COLOR]
dev 16439340 264744 16174596 2% /dev
[............]
/dev/sdd3 2978320 9532 2797780 1%[COLOR="red"] [B]/run/media/android/myusb-stick[/B][/COLOR]
When you are running LL you can skip this step but when you are on MM (or higher...) you need to do the following:
Execute this in your terminal left open from the "Preparation" topic:
Code:
sudo python2 auth.py
you should see something like:
LGLAF.py: DEBUG: Detaching kernel driver for intf 0
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
auth: DEBUG: Challenge: c0:45:6c:78
auth: DEBUG: Response: b4:1d:1e:cd:e8:f1:5f:b5:fa:78:9e:f8:2d:c6:83:86
Click to expand...
Click to collapse
Now you are authenticated with the download mode and we can continue:
Option A) FULL backup (includes everything e.g. system, cache and userdata / internal storage)
When to use:
if you want to flash new ROMs or bootloader stacks
if you want to backup all your internal storage (e.g. pictures, videos and stuff) - keep in mind TWRP does NOT backup your internal storage!!
if you want to have a real FULL NANDROID (e.g. TWRP will not backup partitions like misc, persistent, persistent-lg etc)
Requirements:
- FWUL
- a 64 GB or bigger USB stick / disk
Execute this in your terminal left open from the "Preparation" topic:
Code:
sudo python2 extract-partitions.py --max-size 0 -d [I]YOURUSBSTICKpath[/I]
(replace YOURUSBSTICKpath with the path you discovered in the Preparation topic!)
Be patient.. this can take a loooong time!
You can watch the progress e.g with executing this in a NEW terminal (just click the terminal icon in the panel again):
Code:
watch 'ls -lathr [I]YOURUSBSTICKpath[/I] | tail '
(replace YOURUSBSTICKpath with the path you discovered in the Preparation topic!)
Once finished you can reboot by either taking out the battery or typing:
Code:
sudo python2 lglaf.py --skip-hello -c '!CTRL RSET'
Option B) system essentials backup (does *NOT* include system, cache and userdata / internal storage!!)
When to use:
if you want to flash new bootloader stacks
if you want to backup your current lock/unlock state
if you want to backup your IMEI and EFS
Requirements:
FWUL
a 4 - 8 GB or bigger USB stick / disk
Execute this in your terminal left open from the "Preparation" topic:
Code:
sudo python2 extract-partitions.py -d [I]YOURUSBSTICKpath[/I]
(replace YOURUSBSTICKpath with the path you discovered in the Preparation topic!)
Be patient.. this can take some time!
You can watch the progress e.g with executing this in a NEW terminal (just click the terminal icon in the panel again):
Code:
watch 'ls -lathr [I]YOURUSBSTICKpath[/I] | tail '
(replace YOURUSBSTICKpath with the path you discovered in the Preparation topic!)
Once finished you can reboot by either taking out the battery or typing:
Code:
sudo python2 lglaf.py --skip-hello -c '!CTRL RSET'
... and the last 2 things which need to be done
1) Click the thanks button here
2) Enjoy
Restore a DLM Backup
Checkout Post #2 for the restore howto
Credits
Peter Wu for his absolutely awesome job on reverse engineering the LAF protocol and offering the lglaf code as python code.
Main thread for lglaf: https://forum.xda-developers.com/android/software-hacking/tool-lg-download-mode-laf-t3285946/page1
Donations: https://forum.xda-developers.com/member.php?u=4790426
.
Restore a previously taken backup or partitions of an already extracted KDZ
There are 2 methods available - choose the one matching your needs:
A) Restore a previously taken DLM Backup
B) Flash a KDZ / LGUP NG by sfX
Unfortunately this may not work on every firmware so you may try different firmwares then and you will receive the same error regarding communication port closing but in general it should work this way.
A) Restore a previously taken DLM Backup / Restore partitions from an extracted KDZ
To restore single partitions use the following
sudo python2 auth.py
sudo python2 partitions.py --restore /path/to/dumpfile partitionname
e.g.
sudo python2 auth.py
sudo python2 partitions.py --restore /tmp/misc misc (would restore the misc partition)
To restore ALL partitions in a folder
For this the best is to use the new LGUP NG kdzmanager which is explained in the next topic.
Install LGUP NG but skip the steps to extract a KDZ if you don't need it.
Then:
bash kdzmanager.sh --test --flash /path/to/imagefiles
(/path/to/imagefiles must contain your previously taken DLM backup files or an extracted KDZ)
This will just test flashing and not actually flash.
If that looks fine do it again but without --test parameter:
bash kdzmanager.sh --flash /path/to/imagefiles
B) Flash a KDZ / LGUP NG (next generation) by sfX
Forget LGUP to flash a KDZ from now on!
Just use my KDZManager
Features:
No worries anymore about those crappy DLL issues
Extract a KDZ
Test flashing partitions (dry run without actually flashing anything)
Flash partitions from a KDZ
when flashing avoid erasing/wiping userdata (keep your data between KDZ flashes)
Hint: not wiping userdata can occur in a bootloop when its not compatible with the ROM! So use that option with care.
will work on any Linux (but FWUL is the only supported)
Keep in mind that this is an early release and there are NO CHECKS like ARB or even if the device model matches with the KDZ but THIS WILL ALL COME (even with an option to override and flash regardless)
Roadmap:
GUI
Check for matching device model
Check for ARB
Instructions:
Boot FWUL (or your Linux but keep in mind that only FWUL is supported), choose language & login
Download the KDZ file you want to flash (we need to know the path later e.g. /home/android/Downloads/)
Open the folder LG
Connect device in download mode to the PC
Double click "LG laf NG" icon
Type in the new opened terminal:
sudo python2 auth.py
[*]sudo python2 partitions.py --list
If this lists your partitions then we can proceed with flashing.
Download my brand new kdzmanager tool in FWUL: (right click and save as)
When you are not using the persistent mode of FWUL: plug in a big USB stick (e.g. 32 GB or more) into FWUL and extract the attached file there
When you are using the persistent mode of FWUL: just extract it in your download folder
You need to know the full path so best is copying the path from the file manager (e.g. /home/android/Downloads/ ) or leave the file manager open there
Open another terminal (black little icon in the panel)
cd and directly behind this paste the path you copied (e.g. cd /home/android/Downloads/ )
press ENTER
bash kdzmanager.sh -x FILLINFULLPATH-TO-DOWNLOADED-KDZ
(e.g. bash kdzmanager.sh -x /home/android/Downloads/h811blablubb.kdz)
WARNING-1: Keep in mind that atm kdzmanager is not able to proof if you choose a compatible KDZ file for your device!
Check your device model and the KDZ twice!
WARNING-2: Keep in mind that atm kdzmanager is not able to proof your current ARB version so flashing an smaller ARB then your current one will BRICK your device.
Check ARB first: CLICK
If you understood the above 2 warnings proceed like this:
bash kdzmanager.sh --test --flash extracteddz/
(just like this as "extracteddz" is the path generated by the kdzmanager)
This will just test flashing and not actually flash. Let me know the results of this (copy & paste output)
if you can't wait the next step would be actually flashing ofc:
WARNING: by default the kdzmanager will not overwrite userdata (which would be like a factory reset) and I would recommend to leave it out always and better choose the LG factory reset menu (after flashing completed) if required. If you still want to flash it use --with-userdata as a parameter (can take a loooong time then btw).
bash kdzmanager.sh --flash extracteddz/
last step ( will be included in the next release): wipe your userdata:
sudo partitions.py --wipe userdata
Or just use the factory reset hardware key combo to do the same.
If you skip this step you may encounter a bootloop. If that happens you can at any time use the hardware key combo to boot into factory reset to fix that.
sfX
FAQ
1. Q: You get the error message: "Expected arrow in ls output" when executing lglaf
A: update to the latest version of lglaf (thx to @tulen_kobi for this patch!). For updating lglaf on FWUL check Q4.
If the error still persists your download mode version is not supported by lglaf. Its very likely that your carrier has a very strict policy activated in download mode. The only chance is to try other download mode version meaning to flash different KDZ files (on locked devices) or just the laf.img in fastboot (on unlocked devices).
On Nougat and when unlocked it is enough to just flash the laf.img of MM and you can use lglaf again.
2. Q: You get not an error but messages or files containing just "Hello, I am LAF. Nice to meet you."
A: your download mode version is not supported by lglaf. Its very likely that your carrier has a very strict policy activated in download mode. The only chance is to try other download mode version meaning to flash different KDZ files (on locked devices) or just the laf.img in fastboot (on unlocked devices).
On Nougat and when unlocked it is enough to just flash the laf.img of MM and you can use lglaf again.
3. Q: All seems fine but at the end of a command you see: "comm.call(close_cmd) [....someotherstuff...] Command failed with error code 0x8000010a"
A: This is known and not a serious issue. Once I have the time I will fix it but in the meanwhile pls ignore..
This has been fixed. please update your LGlaf like described in the next FAQ
4. Q: I want to update lglaf on FWUL v2 or higher
ok here is the correct way to achieve this on FWUL v2:
cd ~programs/lglafng/
git pull
git checkout g4
then you're up2date and can try again while in this folder!
sfX
I'm so happy that you were able to finally get this working. It's dumping my system partition right now. I'll report back when it's done.
Also. You should note that the sudo password is "linux" and to view progress on the dump, you should specify that the command should be opened in a new terminal window.
Over all. Awesome tutorial!
EDIT: Was able to retrieve 7gb of lost pictures thanks to this method! Thank you!
How to restore? Is it possible?
mateus.sc said:
How to restore? Is it possible?
Click to expand...
Click to collapse
Yes even that.. I will write down a restore guide soon.
.
Sent from my LG-H815 using XDA Labs
I cannot Auth with my device.
I get the first 2 lines from the auth.py command
No challenge or response.
Using Virtualbox.
OllieD said:
I cannot Auth with my device.
I get the first 2 lines from the auth.py command
No challenge or response.
Using Virtualbox.
Click to expand...
Click to collapse
what Android version is installed currently?
.
steadfasterX said:
what Android version is installed currently?
.
Click to expand...
Click to collapse
20G Stock Locked Bootloader.
Rebooted into live environment and worked.
Extract partitions errored out
Traceback (most recent call last):
File "extract-partitions.py", line 63, in <module>
main()
File "extract-partitions.py", line 60, in main
dump_partitions(comm, disk_fd, args.outdir, args.max_size * 1024)
File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
self.gen.next()
File "/home/android/lglaf/partitions.py", line 78, in laf_open_disk
comm.call(close_cmd)
File "/home/android/lglaf/lglaf.py", line 176, in call
raise RuntimeError('Command failed with error code %#x' % errCode)
RuntimeError: Command failed with error code 0x8000010a
After Dumping, Option B
Also the Firefox installer although it installs Firefox it wont launch and gives a SQLite Version Error so it will not run.
Chromium works fine.
Now i've backed up i can try and install V29
OllieD said:
20G Stock Locked Bootloader.
Rebooted into live environment and worked.
Extract partitions errored out
Traceback (most recent call last):
File "extract-partitions.py", line 63, in <module>
main()
File "extract-partitions.py", line 60, in main
dump_partitions(comm, disk_fd, args.outdir, args.max_size * 1024)
File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
self.gen.next()
File "/home/android/lglaf/partitions.py", line 78, in laf_open_disk
comm.call(close_cmd)
File "/home/android/lglaf/lglaf.py", line 176, in call
raise RuntimeError('Command failed with error code %#x' % errCode)
RuntimeError: Command failed with error code 0x8000010a
After Dumping, Option B
Also the Firefox installer although it installs Firefox it wont launch and gives a SQLite Version Error so it will not run.
Chromium works fine.
Now i've backed up i can try and install V29
Click to expand...
Click to collapse
well it sounds like u have not much RAM attached to your VM then. 4 GB are recommended.
The dump error can be ignored as long as auth.py has worked before and everything gets dumped..
.
steadfasterX said:
Just a quick note:
I completely re-worked the guide and fixed an issue for devices running MM!
Just re-do the guide if you encountered an issue before.
.
Click to expand...
Click to collapse
what if .. i dont have USB.? am planning of backing up my IMEI. as i been reading this on the new N roms..
what can i do.?
raptorddd said:
what if .. i dont have USB.? am planning of backing up my IMEI. as i been reading this on the new N roms..
what can i do.?
Click to expand...
Click to collapse
If you have an unlocked device you have luck and you could use dd commands in TWRP. I know that yours is unlocked so you could use dd on every partition available on your device.
Tbh the most important seems to be persistent, fsg, misc but until I know for sure I would just backup EVERY partition. It's only needed once in the phones life usually so it doesn't hurt..
I need to have my device repaired before I can test it further so this can take a while.. Until then the backup of every partition is the best choice.
if the device is locked and on LL then TWRP in FIsH plus the mentioned dd commands can be used as well. I would still recommend the download mode backup though..
if the device is locked and on MM or N (haven't tested N in download mode though) then USB plus download mode is the only choice.
.
Sent from my LG-H815 using XDA Labs
Similar question. What's the quick and dirty way to backup these partitions from terminal app / busybox?
Dd if=??? Etc
not sure if different between models but mines h815 international running 'stock' nougat
steadfasterX said:
If you have an unlocked device you have luck and you could use dd commands in TWRP. I know that yours is unlocked so you could use dd on every partition available on your device.
Tbh the most important seems to be persistent, fsg, misc but until I know for sure I would just backup EVERY partition. It's only needed once in the phones life usually so it doesn't hurt..
I need to have my device repaired before I can test it further so this can take a while.. Until then the backup of every partition is the best choice.
if the device is locked and on LL then TWRP in FIsH plus the mentioned dd commands can be used as well. I would still recommend the download mode backup though..
if the device is locked and on MM or N (haven't tested N in download mode though) then USB plus download mode is the only choice.
.
Sent from my LG-H815 using XDA Labs
Click to expand...
Click to collapse
OMG so basically if this works in locked N, can I flash the korean v30 kdz and then restore a backup the modem.img from v29a made for my H815 with this method?
The possibilities are amazing
obvious said:
Similar question. What's the quick and dirty way to backup these partitions from terminal app / busybox?
Dd if=??? Etc
not sure if different between models but mines h815 international running 'stock' nougat
Click to expand...
Click to collapse
I will add it in the TWRP thread ASAP
mateus.sc said:
OMG so basically if this works in locked N, can I flash the korean v30 kdz and then restore a backup the modem.img from v29a made for my H815 with this method?
The possibilities are amazing
Click to expand...
Click to collapse
Technically this method can provide that (as said I can't test N atm though so I don't know if this works in general for N but if LG hasn't changed anything.. )
but:
keep in mind that cross flashing partitions can result in a soft brick on locked devices!! I don't know how N behaves here tbh so it may just work or it may soft brick in the specific case of modem.
So it would be nice to have someone trying to use the auth command on a N bootloader stack. This will not harm anything but then we know for sure if this is usable for N or not
.
Sent from my LG-H815 using XDA Labs
steadfasterX said:
If you have an unlocked device you have luck and you could use dd commands in TWRP. I know that yours is unlocked so you could use dd on every partition available on your device.
Tbh the most important seems to be persistent, fsg, misc but until I know for sure I would just backup EVERY partition. It's only needed once in the phones life usually so it doesn't hurt..
I need to have my device repaired before I can test it further so this can take a while.. Until then the backup of every partition is the best choice.
if the device is locked and on LL then TWRP in FIsH plus the mentioned dd commands can be used as well. I would still recommend the download mode backup though..
if the device is locked and on MM or N (haven't tested N in download mode though) then USB plus download mode is the only choice.
.
Sent from my LG-H815 using XDA Labs
Click to expand...
Click to collapse
yes unlocked.. i downloaded FWUL but on step to place the command for python i had directiry not found and gave up use twrp for EFS.
for DD what are commands is this using ternimal? where can i find all the command to extract say boot ,system modem ect.?
raptorddd said:
yes unlocked.. i downloaded FWUL but on step to place the command for python i had directiry not found and gave up use twrp for EFS.
for DD what are commands is this using ternimal? where can i find all the command to extract say boot ,system modem ect.?
Click to expand...
Click to collapse
just try my new twrp version which will be uploaded in 5 minutes..
.
Hey I'm getting an error in running this - phone is in download mode and connected. Using FWUL on my machine and trying to dump to an extrernal HD (path below in first line).
Code:
[[email protected] lglaf]$ sudo python2 extract-partitions.py --max-size 0 -d /run/media/android/16a064ee-96de-4c4d-8c30-29cbcc2e5441/
Traceback (most recent call last):
File "extract-partitions.py", line 63, in <module>
main()
File "extract-partitions.py", line 60, in main
dump_partitions(comm, disk_fd, args.outdir, args.max_size * 1024)
File "extract-partitions.py", line 24, in dump_partitions
parts = partitions.get_partitions(comm)
File "/home/android/lglaf/partitions.py", line 41, in get_partitions
assert arrow == '->', "Expected arrow in ls output"
AssertionError: Expected arrow in ls output
ReeS86 said:
Hey I'm getting an error in running this - phone is in download mode and connected. Using FWUL on my machine and trying to dump to an extrernal HD (path below in first line).
Click to expand...
Click to collapse
Yea... I saw that on another phone as well. Weird.
I need your help to fix it..
Could you come into IRC on Monday?
sfX
Sent from my LG-H815 using XDA Labs
steadfasterX said:
Yea... I saw that on another phone as well. Weird.
I need your help to fix it..
Could you come into IRC on Monday?
sfX
Sent from my LG-H815 using XDA Labs
Click to expand...
Click to collapse
Ya I'll try to pop on after work. Can also see if the secure boot thing works once I get that backup.
I found some firmware files for the Asus Zenpad Z8 ZT581KL for Verizon. Neither Asus or Verizon host any firmware for this device, despite having other similar device firmware available (like the ZT500KL, etc), which sucks.
VZW_ZT581KL_V3.4.16_all_user_M101901_16.0.0_160519.zip
ASUS Factory VZW_ZT581KL_V5.4.1_all_user_M101901_16.0.0_170202 androidhost.ru.zip
ZT581KL_T3.3.8_pre_burn_image_20160516.zip
ZT581KL_Z581KL_EMERGENCY_DLOAD.7z
ZT581KL_FUSE_Security_Keybox_160728.rar
Z581KL_initrd_diff.zip
ASUS.Flash.Tool.v1.0.0.45.zip
Running a stock, factory reset device, I was able to flash VZW_ZT581KL_V3.4.16_all_user_M101901_16.0.0_160519.zip using Asus Flash Tool 1.0.0.45, which successfully downgraded Tablet from V3.4.23 to V3.4.16.
I tried flashing ZT581KL_T3.3.8_pre_burn_image_20160516.zip but it did not work and error-ed out with no brick or anything. Usually the firmware is in a .raw format so you can flash either via zip file which has raw file in root folder of archive, or via the raw file itself. I tried both and was not successful. For some reason this archive had a .bin file instead of a .raw file. I tried renaming them but still didn't work. However, I was able to extract the .bin to find the firmware files inside just like the other version firmwares (that were in raw). One thing I have not tried yet, is to try manually flashing the individual firmware files from the extracted bin, and see if that works--or if someone else with this tablet wants to try, here are the files. If successful, it might lower kernel version down more to allow root exploits to root device.
I have not tried flashing V5.4.1, but I'm confident it will work. I do not know if via the Asus Flash Tool/Asus Tablet will allow doing a flash to V5.4.1 and downgrade back down to V3.4.16, but just did V.3.4.23 (stock orig fw already on device) to V.3.4.16 and it worked. I did receive an OTA to upgrade to V3.4.18 (or was it V.3.4.21, I can't remember) and took the upgrade (then flashed back to V.3.4.16), so it appears that when doing an OTA it will "leap-frog" to the next higher version release until you are on the newest build, so the first OTA you get won't do a direct upgrade from V3.4.16- to V5.4.1 or V5.4.5, but will upgrade it in an incremental way, via the next higher version release.
Hopefully someone can try to root their tablet if any of these files are of any help. I might work up courage to try 3.38 again via manual fastboot, but if you do it and succeed, I would love to hear about it.
The other files hosted ZT581KL_Z581KL_EMERGENCY_DLOAD.7z and ZT581KL_FUSE_Security_Keybox_160728.rar have to do with re-flashing the Qualcomm Snapdragon SoC (un-bricking), and the other one something to do with clearing/setting FUSE when the phone leaves factory or something, I'm not sure. Hopefully they can be of some use to someone to unlock this device. It would be nice. So here u go.
https://www.androidfilehost.com/?w=files&flid=289525 - link to ASUS_ZenPad_Z8_ZT581KL_P008_Verizon files
Has anyone tried flashing 'ZT581KL_T3.3.8_pre_burn_image_20160516' yet? Just wondering if it was successful; I haven't tried it yet.
smokejumper76 said:
Has anyone tried flashing 'ZT581KL_T3.3.8_pre_burn_image_20160516' yet? Just wondering if it was successful; I haven't tried it yet.
Click to expand...
Click to collapse
can you tell me how to extract the .raw from .bin, I will try to flash the device.
fuyangui said:
can you tell me how to extract the .raw from .bin, I will try to flash the device.
Click to expand...
Click to collapse
I used 7zip to extract the firmware from the archive.. Open 'ZT581KL_T3.3.8_pre_burn_image_20160516.zip' with 7zip. It should come up with a folder named 'ZT581KL_T3.3.8_pre_burn_image_20160516'. Go in that folder. There will then be a file shown called 'userdata.bin'. In 7zip, if you right click that file, then select 'Open Inside', it should open inside the .bin file and show the firmware files. From there, you can extract them somewhere. Hopefully, you can try to apply each .img file separately (fastboot), one at a time, and see if it works. Thank you!
Sorry to resurrect this old thread but I might have some info that will help others.
First off thanks for the OP for the download links as I cannot find the OEM ROMS anywhere for this device.
Second here are some more instructions that you may need if you are having issues with this device.
Use ASUS FLash Tool v1.0.0.45, it has the device model that you need and was the one that worked for me. Then download ASUS Factory VZW_ZT581KL_V5.4.1_all_user_M101901_16.0.0_170202 androidhost.ru.zip from the link the OP posted, it should be the first file, then this is the step that I missed and took forever to figure out. You have to open that zip file and extract the .raw file, so you should have a file called ZT581KL_all_VZW_user_V5.4.1.raw. That is the file that you need to select in the Asus Flash Tool by clicking the little box with a down arrow inside it, then boot your tablet into Fastboot (Hold down the Power and Volume Down buttons) then once in fastboot, make sure you select the right model for this tablet it should be, ZT581KL, then I left Wipe Data as no, then connect your tablet to your computer with a USB cable, and you should see your Serial Number and a round icon under the State column. Then once that is all correct click the Start button, you may get an error about some FPS thing that can't be downloaded or something just hit OK, then you should see under the Description column that it's flashing the ROM, wait for a while and you should then have a "Flash Image Successfully (The serial number for your device will show here)" under the description and your tablet will reboot.
My tablet was originally on v5.4.5, this ROM will take you back to v5.4.1 but then through the tablet settings you can do an upgrade to v5.4.4 then do another one and it will be at v5.4.5 then you are all set.
So the issue I was having with the tablet was after a factory reset it would freeze at the setup screen and not let me continue, it took me forever to find out how to get it fixed and the instructions above worked for me, so if anyone else is having similar issues then hopefully this will help. I literally spent days and searched through about 70 forums to try and find a fix for it, I even reached to Asus for help, which they basically told me I had to pay to send it in and have it fixed, I was just about to give up when I came upon this thread and the OP's download links, so thanks again smokejumper76. If anyone has any questions about my instructions feel free to reply/comment.
Thanks!
Downgrade success
I used the files provided by OP and was able to successfully flash from 5.4.1 to 3.4.16. I got this tablet from a friend a few years back that he acquired from his work when it went out of business. It has the frp lock on it and im looking at the few available options. So, since this tablet had been sitting for two years. Its Guinea pig time. I'll flash the 3.3.8 and check back. It seems you can go forward or backward in so versions with the flash tool. So I'm not too worried about brick. If I can just get usb debugging on I'll be gold. Possible exploits if it runs.
Well. The 3.3.8 is not packaged properly for flashing. And that 600mb file expands to 9gb. There is a file "system.img" inside that's roughly the right size as the system and has the correct file structure. I have a friend who is going to help me repack that rom correctly for flashing. Meanwhile I am going to look into the 3.4.16 rom and see if I can't set usb debug to on and flash the modded image. From there I should be able to sideload su. I'll report back.
mofugggz said:
Well. The 3.3.8 is not packaged properly for flashing. And that 600mb file expands to 9gb. There is a file "system.img" inside that's roughly the right size as the system and has the correct file structure. I have a friend who is going to help me repack that rom correctly for flashing. Meanwhile I am going to look into the 3.4.16 rom and see if I can't set usb debug to on and flash the modded image. From there I should be able to sideload su. I'll report back.
Click to expand...
Click to collapse
Any update? Thank you for your efforts!
smokejumper76 said:
Any update? Thank you for your efforts!
Click to expand...
Click to collapse
I have the same tablet as well. Root would be great, any chance of unlocking the BL?
klister said:
I have the same tablet as well. Root would be great, any chance of unlocking the BL?
Click to expand...
Click to collapse
hi
any advance with this?
Enviado desde mi P008 mediante Tapatalk
WHat is the password to the files
I used the emergency download file to unbrick the Japanese version of z581kl. However, maybe the partition structure is different, when I try to write to the system partition, it says that there is no partition. What should i do? I'm sorry for my bad English.
allisondanielle said:
WHat is the password to the files
Click to expand...
Click to collapse
https://www.asusflashtool.com/ - Description Page with Password
Unzip Password: asusflashtool.com
I installed ZT581KL_T3.3.8_pre_burn_image_20160516.zip on my z581kl.
That resulted in Android 6.0 AOSP working!
There is a bug that screen rotation is not possible, but everything else is fine.
There is a bug that the screen cannot be rotated, but other than that, everything is fine. After installing TWRP, you need to mount /system and the location of system.img, and then execute the following command from the TWRP terminal.
mkdir new-system
mount system.img new-system
cp -a -R -p new-system/* /system
Translated with www.DeepL.com/Translator (free version)
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
清水侑磨 said:
I installed ZT581KL_T3.3.8_pre_burn_image_20160516.zip on my z581kl.
That resulted in Android 6.0 AOSP working!
There is a bug that screen rotation is not possible, but everything else is fine.
There is a bug that the screen cannot be rotated, but other than that, everything is fine. After installing TWRP, you need to mount /system and the location of system.img, and then execute the following command from the TWRP terminal.
mkdir new-system
mount system.img new-system
cp -a -R -p new-system/* /system
Translated with www.DeepL.com/Translator (free version)View attachment 5251235View attachment 5251237View attachment 5251239
Click to expand...
Click to collapse
I flashed the zt581kl image using EDL mode as described in this blog because the partition structure of the zt581kl is different from that of the zt581kl.
z581klでEDLモードに入る方法
xxxxx
itgameinfo.blogspot.com
Hi. New to the forum. I’m looking to downgrade my asus zt581kl so that I can root. Can someone show me the exactly step by step to downgrade my table? The above replies are a bit confusing to follow.
Tmupt said:
Hi. New to the forum. I’m looking to downgrade my asus zt581kl so that I can root. Can someone show me the exactly step by step to downgrade my table? The above replies are a bit confusing to follow.
Click to expand...
Click to collapse
Maybe start here:
https://www.getdroidtips.com/v5-4-1-nougat-verizon-asus-zenpad-z8/
I've been messing around with some of the files, and I was able to brick and unbrick the device following the firehose SOP PDF instructions. It basically flashes a barebones boot w/o any OS, and you have to flash a complete firmware to it to restore it back.
I was also able to install TWRP but it showed 0 space avail, I think because I didn't wipe it. I'll play with that later.
Used these links (use google translate)
z581klでEDLモードに入る方法
xxxxx
itgameinfo.blogspot.com
zenpad 3 8.0に簡単にTWRPを導入する+fastbootの裏技
xxxxx
itgameinfo.blogspot.com
I need to ask @清水侑磨 about how to flash ZT581KL_T3.3.8_pre_burn_image_20160516.zip. I think the userdata.bin file is a NAND dump created by Chinese Miracle 2 / Infinity Box but I'm having problems getting it to read the partitions. I was able to get the tablet in EDL mode, so I'm not sure what I'm doing wrong.
Anyone have a QPST .QCN file for ZT581KL for this device? Flashing 3.3.8 from that preburn file will nuke your IMEI. Mine got changed to all 1s and lost provisioning connectability w/ carrier. in fastboot/adb, so I need to restore it. If anyone could make a QCN (with your IMEI removed of course) so I can do that I would be most appreciative.
smokejumper76 said:
I've been messing around with some of the files, and I was able to brick and unbrick the device following the firehose SOP PDF instructions. It basically flashes a barebones boot w/o any OS, and you have to flash a complete firmware to it to restore it back.
I was also able to install TWRP but it showed 0 space avail, I think because I didn't wipe it. I'll play with that later.
Used these links (use google translate)
z581klでEDLモードに入る方法
xxxxx
itgameinfo.blogspot.com
zenpad 3 8.0に簡単にTWRPを導入する+fastbootの裏技
xxxxx
itgameinfo.blogspot.com
I need to ask @清水侑磨 about how to flash ZT581KL_T3.3.8_pre_burn_image_20160516.zip. I think the userdata.bin file is a NAND dump created by Chinese Miracle 2 / Infinity Box but I'm having problems getting it to read the partitions. I was able to get the tablet in EDL mode, so I'm not sure what I'm doing wrong.
Click to expand...
Click to collapse
Sorry for the late reply.
To boot AOSP, instead of burning the system.img from edl or fastboot, use adb.
The method is as follows
1、Start TWRP.
2、Connect your PC to USB.
3、Go to the directory where system.img is located, and press
adb push system.img /sdcard/
4、Enter the shell
adb shell
5、Mount system.img.
mkdir new-system
mount system.img new-system
6、Copy the contents of the mounted system.img to the system partition.
cp -a -R -p new-system/* /system
(If this fails, check that the system partition is mounted. If the system partition is mounted but you cannot write to it, format the system partition.)
7、After rebooting, you should see an Android message
Translated with www.DeepL.com/Translator (free version)
==== READ THIS POST BEFORE ROOTING ====https://www.reddit.com/r/surfaceduo/comments/wn5joi/a_warning_to_wouldbe_developers_and_hobbyist/
(ORIGINAL GUIDE BELOW)Since the last guy hasn't been updating his op, I figured I'd start a fresh thread with what we know and what to do for newcomers.
I will not be posting patched boot images in this thread, I'm a firm believer of "give you steps to follow from the top so you know what's going on and can do this yourself in the future". The more hands we have in the kitchen, the more we learn, and the better we are off as a community.
Walkthroughs for both fresh rooting and updating while rooted are both below:
==== FRESH ROOT ====
0. make sure USB debugging is on in settings > developer options
0. make sure the phone's bootloader is actually unlocked, if the below doesn't work, back up all the data on your phone because we're about to wipe it
Code:
.\fastboot.exe flashing unlock
.\fastboot.exe flashing unlock_critical
I did both, but it might only require one of the two, if you only did one and it doesn't work you may not be fully unlocked and might have to do the other. Both of these commands from the bootloader will factory reset your phone. if you've already done this, go to step 1.
1. go here https://support.microsoft.com/en-us/surface-recovery-image put in your serial number (can be found in settings) and download the latest recovery image
2. download payload_dumper from here https://gist.github.com/ius/42bd02a.../48ffe1eee59af9a7da883d9ec7902d1507428dc4.zip
3. download the latest platform-tools from here https://developer.android.com/studio/releases/platform-tools
4. extract all three zips to the same folder, a folder on your desktop is fine, mine is just the name of the current MS zip archive (2021_314_91 at time of writing and used in the below examples)
5. open powershell, and cd to that folder.
6. from the folder, run it like this
Code:
PS C:\wherever\your\****\is\2021_314_91> python.exe -m payload_dumper ./payload.bin
(this will extract a bunch of stuff, boot.img is all we care about today)
6a. if you don't have python, get it from ninite https://ninite.com/pythonx3/ and go back to step 5/6 and try again, you will likely also need to do a "pip install protobuf" to get the required python libraries for payload-dumper
7. download the latest version of magisk manager (the new magisk app may work, but I've not tested it, this is the exact version I am using on the exact phone you are using. If you feel like trying the app please report in the thread below!) https://github.com/topjohnwu/Magisk/releases/download/manager-v8.0.7/MagiskManager-v8.0.7.apk
8. install magisk manager on your phone
9. make a text file, I called mine magisk_channel.txt and put this in it
Code:
https://raw.githubusercontent.com/Lethany/magisk_files/0755a7d5f596dc2a351270120b31b665fb561294/stable.json
this is the "custom" channel we are using to force an older version of magisk that doesn't choke on our device like newer versions do.
10. use usb data transfer mode to copy the boot.img file we extracted from step 6 and the text file we created in step 8 to your phone's internal storage, I have a folder on the root of the internal storage directory called Z_Phone, but anywhere is fine as long as you know where it is and remember it later.
11. in magisk manager, click the gear in the top right and then select "update channel" > "custom channel"
12. use your duo's dank duo mode to open a file browser on the other screen, open the text file we made in step 9
13. copy and paste the custom channel text into the custom channel field under update channel in magisk so it has the text from step 9 in it. (the text file just saves us typing it out by hand)
14. go back to the magisk main screen, and click install next to "magisk"
14b. click next
14c. click "select and patch a zip file"
14d. browse to the location we uploaded boot.img to in step 9 and select boot.img
14e. click let's go
(this will create the patched boot.img, it'll be named magisk_patched_[some garbage].img)
15. open the internal storage on your PC again, and go to your phone's "downloads" folder, it'll have that patched boot.img (if you've tried this a bunch of times and don't remember which one we just made, feel free to delete all the old ones and do 14-14e again) copy this patched_boot.img to your computer, I just put it in that same folder as step 4
16. in powershell, cd back to that same working folder we've been using and run
Code:
.\adb.exe reboot bootloader
The phone will reboot to the bootloader and we can now try booting the patched image
16. in powershell, run
Code:
.\fastboot.exe boot .\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
17. if your phone boots, that's a great sign and we're out of the woods, nothing else will probably go wrong from here, if it doesn't boot factory reset your phone and start at step 0.
18. open an adb shell prompt and make our boot partitions writable with the below 4 lines, run one by one. Right now we're "rooted" but we've booted off an image over usb, what we really want is to boot off the images on your phone so we need to.
Code:
.\adb.exe shell
su
chmod 777 /dev/block/by-name/boot_a
chmod 777 /dev/block/by-name/boot_b
19. write the patched boot image to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_b
(my patched boot image is in a folder called "Z_Phone" and my patched image is called "magisk_patched_ks4OZ.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_b
)
20. reboot your phone via the power button menu and if all went well, you're now rooted!
==== UPDATE WHILE ROOTED ====
1. go here https://support.microsoft.com/en-us/surface-recovery-image put in your serial number (can be found in settings) and download the latest recovery image
2. download payload_dumper from here https://gist.github.com/ius/42bd02a.../48ffe1eee59af9a7da883d9ec7902d1507428dc4.zip
3. download the latest platform-tools from here https://developer.android.com/studio/releases/platform-tools
4. extract all three zips to the same folder, a folder on your desktop is fine, mine is just the name of the current MS zip archive (2021_314_91 at time of writing)
5. open powershell, and cd to that folder.
6. from the folder, run it like this
Code:
PS C:\wherever\your\****\is\2021_314_91> python.exe -m payload_dumper ./payload.bin
(this will extract a bunch of stuff, boot.img is all we care about today)
7. boot off of your old magisk patched boot image
Code:
.\adb.exe reboot bootloader
.\fastboot.exe boot ..\[LAST VERSION'S FOLDER]\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
8. write the old, unpatched boot partition to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/boot.img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/boot.img of=/dev/block/by-name/boot_b
(my unpatched boot image is in a folder called "Z_Phone" and my unpatched image in this example is called "boot.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/boot.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/boot of=/dev/block/by-name/boot_b
)
9. reboot
10. run the OTA update on your now freshly stock phone
11. use magisk to patch the new boot image same as in the first root instructions (14a-14e)
12. copy this patched image off of the phone and into our working directory. leave a copy of this on the phone (I put it in my Z_Phone folder)
13. reboot to bootloader (in powershell, in that same working folder we've been using run)
Code:
.\adb.exe reboot bootloader
14. Boot your phone using the patched boot image (in powershell, run)
Code:
.\fastboot.exe boot .\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
15. write the patched boot image to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_b
(my patched boot image is in a folder called "Z_Phone" and my patched image is called "magisk_patched_ks4OZ.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_b
)
16. reboot and you're updated and rooted!
special thanks to Perseu5 and his original thread!
Unlocking Bootloader/ Magisk Attempt
MAGISK FULL GUIDE (APK for install and other mods coming soon!) The bootloader unlock is pretty similar to any other phone. Go to settings>about> click on build number until developer options are enabled. Go back and select system>Developer...
forum.xda-developers.com
Nice work!
NTchrist said:
special thanks to Perseu5 and his original thread!
Unlocking Bootloader/ Magisk Attempt
MAGISK FULL GUIDE (APK for install and other mods coming soon!) The bootloader unlock is pretty similar to any other phone. Go to settings>about> click on build number until developer options are enabled. Go back and select system>Developer...
forum.xda-developers.com
Click to expand...
Click to collapse
my magisk still shows that theres an update pending for the framework. when i try to patch the stock boot or the custom, it doesnt boot past the windows logo. im guessing the update is for Magisk 21+?
LocBox said:
my magisk still shows that theres an update pending for the framework. when i try to patch the stock boot or the custom, it doesnt boot past the windows logo. im guessing the update is for Magisk 21+?
Click to expand...
Click to collapse
Magisk updates are based on the git channel it's fed. Best guess is you don't have the same git repo as in the guide. If you feed it a repo link to a static version it should never be aware of any updates ever. As far as the app is concerned you're on the latest version.
On vacation until Wed, then I'll push through the new patch and update the guide
update process works successfully and is unchanged from previous versions
update process for 2021.525.62 works successfully and is unchanged from previous versions
This is incredibly helpful! I didn't even know you could unpack the payload.bin lol. I'll be doing some work in the kitchen thanks to this!
For anyone who needs it, here is a patched boot.img for ATT Locked 2021_525_63
nevergrownup said:
For anyone who needs it, here is a patched boot.img for ATT Locked 2021_525_63
Click to expand...
Click to collapse
Can you send the link or tell me how you were able to get the boot.img? When I try to download the factory image from MS, it is still giving me 2021.419.71.
EDIT: The new "Surface Duo - 256GB - Android 10 - ATT - 2021.525.63" recovery image is available on the "Surface Recovery Image Download" page. Thanks nevergrownup for giving me the heads up on Reddit
Is anyone on 2021.525.63 having issues? I've followed the exact guide above, as well as using the newest Magisk version & attempting to boot the patched boot.img just leads my Duo to hang on the Microsoft logo. Just want to see if anyone else has an issue or it's just me.
Thanks.
Veritas06 said:
Is anyone on 2021.525.63 having issues? I've followed the exact guide above, as well as using the newest Magisk version & attempting to boot the patched boot.img just leads my Duo to hang on the Microsoft logo. Just want to see if anyone else has an issue or it's just me.
Thanks.
Click to expand...
Click to collapse
when flashing stock July, my lockscreen keypad is frozen. cant unlock t to use.
LocBox said:
when flashing stock July, my lockscreen keypad is frozen. cant unlock t to use.
Click to expand...
Click to collapse
That's on a fresh install or after flashing the Magisk-modified boot.img?
I'm about to restore with the recovery image & start this again, in case there's some different between OTA & recovery.
EDIT: Doing a factory reset, ADB sideload of the recovery image, creating the new Magisk boot.img, & booting still doesn't work. I'm going to try the guide's version one more time to use the older version of Magisk Manager & the custom channel, but based on previous experience, I'm not hopeful. I only bought this as a device to have fun with because it can be rooted, so I'm regretting this purchase right now =\
Veritas06 said:
That's on a fresh install or after flashing the Magisk-modified boot.img?
I'm about to restore with the recovery image & start this again, in case there's some different between OTA & recovery.
EDIT: Doing a factory reset, ADB sideload of the recovery image, creating the new Magisk boot.img, & booting still doesn't work. I'm going to try the guide's version one more time to use the older version of Magisk Manager & the custom channel, but based on previous experience, I'm not hopeful. I only bought this as a device to have fun with because it can be rooted, so I'm regretting this purchase right now =\
Click to expand...
Click to collapse
I do have the factory unlocked, not the ATT version. In my experience when your lockscreen touch input is not recognized, that happens when either the boot image doesn't match the factory image, or someone has used the factory unlocked boot on an ATT phone or vice-versa.
I'd try a dirty flash of the complete applicable factory images (not just boot/recovery) and then factory reset, then start again from the top. It's possible one of your updates didn't complete or something's become inconsistent between A/B
NTchrist said:
I do have the factory unlocked, not the ATT version. In my experience when your lockscreen touch input is not recognized, that happens when either the boot image doesn't match the factory image, or someone has used the factory unlocked boot on an ATT phone or vice-versa.
I'd try a dirty flash of the complete applicable factory images (not just boot/recovery) and then factory reset, then start again from the top. It's possible one of your updates didn't complete or something's become inconsistent between A/B
Click to expand...
Click to collapse
Thanks. I never even got far enough to see failed touch input, but may try rooting again this weekend. I wasn't able to ever get past the MS logo on boot, after attempting to fastboot boot the Magisk-modified boot.img.
I am in the same boat as Veritas is. My Duo is from ATT and hangs on the Microsoft logo as well. I am very new to rooting and what goes into it so a lot of this stuff I am seeing for the first time. How do I know if I have the correct boot? I went through the whole process of extracting the boot image from the recovery file for my phone off of the Microsoft website. Does that get me the right boot to use?
ThrowARoot said:
I am in the same boat as Veritas is. My Duo is from ATT and hangs on the Microsoft logo as well. I am very new to rooting and what goes into it so a lot of this stuff I am seeing for the first time. How do I know if I have the correct boot? I went through the whole process of extracting the boot image from the recovery file for my phone off of the Microsoft website. Does that get me the right boot to use?
Click to expand...
Click to collapse
It should, yes. Unfortunately I do not have an ATT phone to test against. You'd have to have someone else in the thread confirm it works on the ATT build. About the only thing you can do is boot to stock, and check that settings>about>build number matches the images you downloaded from microsoft (2021.525.62) at time of writing
Actually in checking my settings I noticed there was a new update available, so ignore the build number above just make sure the image you download matches the image on your device
NTchrist said:
Since the last guy hasn't been updating his op, I figured I'd start a fresh thread with what we know and what to do for newcomers.
I will not be posting patched boot images in this thread, I'm a firm believer of "give you steps to follow from the top so you know what's going on and can do this yourself in the future". The more hands we have in the kitchen, the more we learn, and the better we are off as a community.
Walkthroughs for both fresh rooting and updating while rooted are both below:
==== FRESH ROOT ====
0. make sure USB debugging is on in settings > developer options
0. make sure the phone's bootloader is actually unlocked, if the below doesn't work, back up all the data on your phone because we're about to wipe it
Code:
.\fastboot.exe flashing unlock
.\fastboot.exe flashing unlock_critical
I did both, but it might only require one of the two, if you only did one and it doesn't work you may not be fully unlocked and might have to do the other. Both of these commands from the bootloader will factory reset your phone. if you've already done this, go to step 1.
1. go here https://support.microsoft.com/en-us/surface-recovery-image put in your serial number (can be found in settings) and download the latest recovery image
2. download payload_dumper from here https://gist.github.com/ius/42bd02a.../48ffe1eee59af9a7da883d9ec7902d1507428dc4.zip
3. download the latest platform-tools from here https://developer.android.com/studio/releases/platform-tools
4. extract all three zips to the same folder, a folder on your desktop is fine, mine is just the name of the current MS zip archive (2021_314_91 at time of writing and used in the below examples)
5. open powershell, and cd to that folder.
6. from the folder, run it like this
Code:
PS C:\wherever\your\****\is\2021_314_91> python.exe -m payload_dumper ./payload.bin
(this will extract a bunch of stuff, boot.img is all we care about today)
6a. if you don't have python, get it from ninite https://ninite.com/pythonx3/ and go back to step 5/6 and try again
7. download the latest version of magisk manager (the new magisk app may work, but I've not tested it, this is the exact version I am using on the exact phone you are using. If you feel like trying the app please report in the thread below!) https://github.com/topjohnwu/Magisk/releases/download/manager-v8.0.7/MagiskManager-v8.0.7.apk
8. install magisk manager on your phone
9. make a text file, I called mine magisk_channel.txt and put this in it
Code:
https://raw.githubusercontent.com/Lethany/magisk_files/0755a7d5f596dc2a351270120b31b665fb561294/stable.json
this is the "custom" channel we are using to force an older version of magisk that doesn't choke on our device like newer versions do.
10. use usb data transfer mode to copy the boot.img file we extracted from step 6 and the text file we created in step 8 to your phone's internal storage, I have a folder on the root of the internal storage directory called Z_Phone, but anywhere is fine as long as you know where it is and remember it later.
11. in magisk manager, click the gear in the top right and then select "update channel" > "custom channel"
12. use your duo's dank duo mode to open a file browser on the other screen, open the text file we made in step 9
13. copy and paste the custom channel text into the custom channel field under update channel in magisk so it has the text from step 9 in it. (the text file just saves us typing it out by hand)
14. go back to the magisk main screen, and click install next to "magisk"
14b. click next
14c. click "select and patch a zip file"
14d. browse to the location we uploaded boot.img to in step 9 and select boot.img
14e. click let's go
(this will create the patched boot.img, it'll be named magisk_patched_[some garbage].img)
15. open the internal storage on your PC again, and go to your phone's "downloads" folder, it'll have that patched boot.img (if you've tried this a bunch of times and don't remember which one we just made, feel free to delete all the old ones and do 14-14e again) copy this patched_boot.img to your computer, I just put it in that same folder as step 4
16. in powershell, cd back to that same working folder we've been using and run
Code:
.\adb.exe reboot bootloader
The phone will reboot to the bootloader and we can now try booting the patched image
16. in powershell, run
Code:
.\fastboot.exe boot .\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
17. if your phone boots, that's a great sign and we're out of the woods, nothing else will probably go wrong from here, if it doesn't boot factory reset your phone and start at step 0.
18. open an adb shell prompt and make our boot partitions writable with the below 4 lines, run one by one. Right now we're "rooted" but we've booted off an image over usb, what we really want is to boot off the images on your phone so we need to.
Code:
.\adb.exe shell
su
chmod 777 /dev/block/by-name/boot_a
chmod 777 /dev/block/by-name/boot_b
19. write the patched boot image to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_b
(my patched boot image is in a folder called "Z_Phone" and my patched image is called "magisk_patched_ks4OZ.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_b
)
20. reboot your phone via the power button menu and if all went well, you're now rooted!
==== UPDATE WHILE ROOTED ====
1. go here https://support.microsoft.com/en-us/surface-recovery-image put in your serial number (can be found in settings) and download the latest recovery image
2. download payload_dumper from here https://gist.github.com/ius/42bd02a.../48ffe1eee59af9a7da883d9ec7902d1507428dc4.zip
3. download the latest platform-tools from here https://developer.android.com/studio/releases/platform-tools
4. extract all three zips to the same folder, a folder on your desktop is fine, mine is just the name of the current MS zip archive (2021_314_91 at time of writing)
5. open powershell, and cd to that folder.
6. from the folder, run it like this
Code:
PS C:\wherever\your\****\is\2021_314_91> python.exe -m payload_dumper ./payload.bin
(this will extract a bunch of stuff, boot.img is all we care about today)
7. boot off of your old magisk patched boot image
Code:
.\adb.exe reboot bootloader
.\fastboot.exe boot ..\[LAST VERSION'S FOLDER]\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
8. write the old, unpatched boot partition to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/boot.img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/boot.img of=/dev/block/by-name/boot_b
(my unpatched boot image is in a folder called "Z_Phone" and my unpatched image in this example is called "boot.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/boot.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/boot of=/dev/block/by-name/boot_b
)
9. reboot
10. run the OTA update on your now freshly stock phone
11. use magisk to patch the new boot image same as in the first root instructions (14a-14e)
12. copy this patched image off of the phone and into our working directory. leave a copy of this on the phone (I put it in my Z_Phone folder)
13. reboot to bootloader (in powershell, in that same working folder we've been using run)
Code:
.\adb.exe reboot bootloader
14. Boot your phone using the patched boot image (in powershell, run)
Code:
.\fastboot.exe boot .\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
15. write the patched boot image to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_b
(my patched boot image is in a folder called "Z_Phone" and my patched image is called "magisk_patched_ks4OZ.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_b
)
16. reboot and you're updated and rooted!
Click to expand...
Click to collapse
Ok I am not sure what I am doing wrong and before anyone says anything is not my first or 10th phone I have rooted, first the so called image that you download from Microsoft is nothing but folders of useless text docs. and the patched magisk image in this thread says it works. I went through the whole set up it says the boot image was successfully done yet upon rebooting my device is not rooted. Can anyone help with this.