Better Mobile App

[Q&A] USB soft brick + how i fixed it.

I'm Working on a HTC Legend for a friend.
And after Rooting and Installing a Custom rom, I sudenly could not access the sdcard annymore. So I revert ( STUPID ) to 1.31 rom.
And start over. But I could not get the USB port to work anny more. Getting errors like: error: device not found ,with adb commands. and in windows Unknown Device ( error 43 ) no driver helped.
sollution:
Source: http://android.modaco.com/topic/309961-usb-brickrickrolledb0rked-fixed/
...
Also, SD card functionality has to work. For this, do 'fastboot oem enableqxdm 0' in fastboot mode.
Steps involved:
1. Find out your CID. Go into fastboot mode, and do 'fastboot oem boot'.
The log will say something like the following:
Code:
#INFOTAG:Ramdisk OK
#INFOTAG:smi ok, size = 0
#INFOTAG:hwid 0x0
#INFOTAG:skuid 0x21F04
#INFOTAG:hero panel = 0x0
#INFOTAG:engineerid = 0x0
#INFOMCP dual-die
#INFOMCP dual-die
#INFOTAG:mono-die = 0x0
#INFODevice CID is not super CID
#INFOCID is HTC__E11
In this specific case, the CID is HTC__E11.
2. Get the following mtd0.img from here or from here: mirror provided by SgtDavePwnage.
Edit this image to the CID you found above with a hex editor.
3. Get flash_image from here or from here: mirror provided by SgtDavePwnage.
Move this to /data/ , and flash the modified image using:
"/data/flash_image misc /data/mtd0.img"
You can move both mtd0.img and flash_image by putting it on your sdcard, and issueing the following command in a terminal emulator:
'cat /sdcard/flash_image > /data/flash_image'
'cat /sdcard/mtd0.img > /data/mtd0.img'
You might have to do 'chmod u+x /data/flash_image' before you run the commands (or chmod 755 /data/flash_image)
4. Repeat step 3 a couple of times if it doesn't seem to work well.
5. All done! Reboot, you should have normal usb connectivity. Post your 'fastboot oem boot' log and intermediate steps if it fails.
...
Click to expand...
Click to collapse
After that I followed the r4-legend-root Step 1 and skipped step two by placing Clockworkmod as update.zip on the SD.
Recovery Vol up + power. And I was back in the game. { I lost that other game while typing this }
It took me a while to learn all this. In 24 Hours 5 hours of actual work and even more frustration. But I'm There.
I hope this helps you as it did me.
Right now I'm fiddeling with customisations to
[ROM][RC1][17.07.2011] Gingerbread 2.3.3 with HTC Sense 2.1
Getting all his apps in the Rom, saves space in data.

[DEV] Custom MTD Partitions for the N1

With the advent of Blackrose custom HBOOT which gives us S-OFF, we can now resize the MTD partitions of our N1. This method is the one used by lbcoder in the Desire thread where you patch the recovery and boot in order to pass modified MTD partition information which supersedes the one provided by the SPL. Using this, I've managed to increase my userdata partition by ~50 MB by taking ~50 MB from the cache partition.
These instructions are for advanced users only. This will involve hex calculations and command line instructions that are not for the faint of heart. I don't believe it's dangerous though so anyone could still try since I will try to make these instructions as detailed as I possibly can.
What you need:
N1 with Blackrose HBOOT (I'm not sure this is needed though after I read more in-depth about the patch)
hex calculator (or a pencil & paper if you want to do it manually)
adb
fastboot
unpack-bootimg.pl
mkbootimg
recovery.img <- in my case I used ClockWorkMod 5.0.2 from here
boot.img <- taken from CM zip (in my case my KANG)
Partition Layout:
0x000003ee0000-0x000003fc0000 : "misc"
0x000004240000-0x000004640000 : "recovery"
0x000004640000-0x0000049c0000 : "boot"
0x0000049c0000-0x00000dac0000 : "system"
0x00000dac0000-0x0000139c0000 : "cache"
0x0000139c0000-0x00001fe00000 : "userdata"
Partition Sizes in Hex:
0x0000000e0000 : "misc"
0x000000400000 : "recovery"
0x000000380000 : "boot"
0x000009100000 : "system"
0x000005f00000 : "cache"
0x00000c440000 : "userdata"
Step-by-step Instructions:
A>Backup your current system: (OPTIONAL)
*I'm assuming you're using CWM 5.0.2 for the backup step since I tried using 3.X and the restore didn't work
1.) Boot your N1 into recovery using either adb reboot recovery or through the bootloader
2.) Backup your current system (I'm going to assume you know how to use your recovery for this)
B>Calculate new MTD parameter values:
*For this example I'm going to transfer ~50MB of cache space to my userdata partition:
1.) Since I know the cache partition is ~100MB in size, I'll just divide the hex size in 2:
0x5f00000 / 2 = 0x2f80000 <= this will be our new cache size
**Note that there is a minimum of 0x20000 (128k) for a partition and the size must be divisible by it which is why I'm playing safe and just dividing the original number in order to get an easier value for this example.
2.) Add the new cache partition size to the original cache partition starting address to get the new starting address of the userdata partition:
0xdac0000 + 0x2f80000 = 0x10a40000 <= this will be the new starting address for userdata
3.) Get the new userdata size by subtracting the new starting address of userdata with the ending address:
0x1fe00000 - 0x10a40000 = 0xf3c0000 <= this will be the new userdata size
C>Create a new recovery.img file which uses the new values:
1.) Breakdown the recovery.img file into it's kernel and ramdisk components using unpack-bootimg.pl:
.\unpack-bootimg.pl recovery.img
*This will yield 2 files and 1 directory. You can delete the directory since we only need the files.
2.) Rename the kernel from the recovery.img-kernel.gz made from unpack-bootimg.pl to recovery.img-kernel.
3.) Create the recovery-new.img file using mkbootimg with the new MTD command embedded:
mkbootimg --cmdline 'no_console_suspend=1 console=null mtdparts=msm_nand:[email protected](misc),[email protected](recovery),[email protected](boot),[email protected](system),[email protected](cache),[email protected](userdata)' --kernel recovery.img-kernel --ramdisk recovery.img-ramdisk.cpio.gz -o recovery-new.img --base 0x20000000
*Note that the values for cache starting address, userdata starting address and userdata size have been changed to the newly calculated values in the previous step.
**This will yield recovery-new.img which will be used in the next steps.
D>Create a new boot.img file which uses the new values:
1.) Breakdown the boot.img file into it's kernel and ramdisk components using unpack-bootimg.pl:
.\unpack-bootimg.pl boot.img
*This will yield 2 files and 1 directory. You can delete the directory since we only need the files.
2.) Rename the kernel from the boot.img-kernel.gz made from unpack-bootimg.pl to boot.img-kernel.
3.) Create the boot-new.img file using mkbootimg with the new MTD command embedded:
mkbootimg --cmdline 'no_console_suspend=1 wire.search_count=5 mtdparts=msm_nand:[email protected](misc),[email protected](recovery),[email protected](boot),[email protected](system),[email protected](cache),[email protected](userdata)' --kernel boot.img-kernel --ramdisk boot.img-ramdisk.cpio.gz -o boot-new.img --base 0x20000000
*Note that the values for cache starting address, userdata starting address and userdata size have been changed to the newly calculated values in the previous step.
**This will yield boot-new.img which will be used in the next steps.
E>Flash the recovery-new.img:
1.) Boot into bootloader and use fastboot command to flash the new recovery:
fastboot flash recovery recovery-new.img
F>Make system operational:
1.) Boot into recovery mode.
2.) Erase everything (factory reset)
3.) Either:
- Flash the ROM you took the original boot.img from OR
- Restore the backup you made previously (this only works (or has been tested) on CWM 5.0.2)
4.) DO NOT REBOOT YET!!!
G>Flash modified boot.img:
1.) Use adb to reboot to bootloader directly from recovery: (this is for safety since if you boot from an unmodified boot.img you'll have to start from F again.
adb reboot bootloader
2.) Use fastboot to flash the new boot image:
fastboot flash boot boot-new.img
3.) You may restart normally.
For those who've read this far, everything above has been rendered obsolete! Here's an editor for the SPL itself for the partition sizes:
http://intersectraven.euroskank.com/tools/SPLHexEditor.exe
*Instructions are in dla5244's thread 2nd post.
Try it at your own risk though!
Credits:
dla5244 - for bringing S-OFF to our N1 even after a looong time since its release
Firerat - for the original patch idea
Lbcoder - for coming up with the idea in the Desire thread

Reserved!
(I'm learning to reserve now... )

2 Questions:
Is the userdata space where downloaded apps go?
why didn't you choose any other partition to transfer empty space from?

drzplaya1121 said:
2 Questions:
Is the userdata space where downloaded apps go?
why didn't you choose any other partition to transfer empty space from?
Click to expand...
Click to collapse
1.) Yes.
2.) This is a sample. If you want to transfer from system or to system from cache, this example will show you how to do so.

thank U. Now I have no need to buy a new phone because of constantly running out of memory

Does it mean that every time I flash a new kernel, the whole effort will go waste?
Also, can I use the same procedure for Amon RA recovery??

rjmohit said:
Does it mean that every time I flash a new rom (which obviously has a different boot.img), the whole effort will go waste?
Also, can I use the same procedure for Amon RA recovery??
Click to expand...
Click to collapse
For that you need to do only steps D, F and G. If you flash only a kernel which uses koush's anykernel updater, you don't need to do anything.

intersectRaven said:
For that you need to do only steps D, F and G. If you flash only a kernel which uses koush's anykernel updater, you don't need to do anything.
Click to expand...
Click to collapse
Thanks.
One more silly question
Will the following procedure work.
1. Flash any ROM.
2. Then flash the modified boot.img (which may not belong to that ROM).
3. Then optionally flash the desired kernel.

rjmohit said:
Thanks.
One more silly question
Will the following procedure work.
1. Flash any ROM.
2. Then flash the modified boot.img (which may not belong to that ROM).
3. Then optionally flash the desired kernel.
Click to expand...
Click to collapse
Yeah. That would work since you're replacing the kernel anyways. What's important is that the kernel is compatible with the ROM.

Well done IR cannot wait to resize my data partition..

Okay, I extracted the recovery.img file, now when I try to extract recovery.img-kernel.gz, it gives the following error: not in gzip format. Exactly same happens for boot.img. I tried extracting it with different extractors on windows and ubuntu, nothing worked. Pls help.

I don't like using MTD because over time you will notice lag. If your already using sd-ext then your data is basically not being used. And I believe that cache never gets past 50% usage. Just putting in my two cents

rjmohit said:
Okay, I extracted the recovery.img file, now when I try to extract recovery.img-kernel.gz, it gives the following error: not in gzip format. Exactly same happens for boot.img. I tried extracting it with different extractors on windows and ubuntu, nothing worked. Pls help.
Click to expand...
Click to collapse
That's odd. In my installation, it worked flawlessly. Were there no errors during the run of unpack?
blahbl4hblah said:
I don't like using MTD because over time you will notice lag. If your already using sd-ext then your data is basically not being used. And I believe that cache never gets past 50% usage. Just putting in my two cents
Click to expand...
Click to collapse

intersectRaven said:
That's odd. In my installation, it worked flawlessly. Were there no errors during the run of unpack?
Click to expand...
Click to collapse
Nope. No errors. :-/

rjmohit said:
Nope. No errors. :-/
Click to expand...
Click to collapse
Found the problem. It seems it was never compressed in the first place. Ark sees this and just copies the file without the .gz extension.
*Instructions edited accordingly.

I may sound a bit noobish, but I'm facing one more hindrance:
How exactly do I run the mkbootimg file in the ubuntu terminal? I mean, can you give me the exact syntax?
I was facing a similar problem with the perl script, but then I found a solution on google, but didnt find anything for the mkbootimg. Can I run it under windows cmd?

rjmohit said:
I may sound a bit noobish, but I'm facing one more hindrance:
How exactly do I run the mkbootimg file in the ubuntu terminal? I mean, can you give me the exact syntax?
I was facing a similar problem with the perl script, but then I found a solution on google, but didnt find anything for the mkbootimg. Can I run it under windows cmd?
Click to expand...
Click to collapse
I already posted the syntax in the instructions. You just need to make sure the mkbootimg file has execute permissions in order for it to run.

Updated OP with SPL editor program.

intersectRaven said:
Updated OP with SPL editor program.
Click to expand...
Click to collapse
I tried your program. Everything worked fine. Just that my /cache now shows 290 MB free, while I had resized it to 20 MB!! Is that a bug? /system & /data show proper sizes though. thanks.

rjmohit said:
I tried your program. Everything worked fine. Just that my /cache now shows 290 MB free, while I had resized it to 20 MB!! Is that a bug? /system & /data show proper sizes though. thanks.
Click to expand...
Click to collapse
Is it the display on the program or display on the Android device when booted?
Wait, I found it. It's a bug. Thanks! I'll edit it when I get home. For now, please double check the values by reopening the made file before flashing. If the values are incorrect, please DON'T FLASH!!!

How to use nvflash to flash clean system?

Hallo, now that we have the tool, how can we make a full clean system restore, because i did, wipe my prime, and i cannot flash via Fastboot then it came up with this message
C:\Users\Benjamins\Desktop>fastboot flash system system.blob
sending ‘system’ (524288 KB)…
OKAY [ 97.339s]
writing ‘system’…
FAILED (remote: (InvalidSize))
finished. total time: 159.786s
I have a optimus 2x where i could restore with nvflash, but it seems i cannot find anyway of doing that on the prime yet :/

butbhgyt said:
Hallo, now that we have the tool, how can we make a full clean system restore, because i did, wipe my prime, and i cannot flash via Fastboot then it came up with this message
C:\Users\Benjamins\Desktop>fastboot flash system system.blob
sending ‘system’ (524288 KB)…
OKAY [ 97.339s]
writing ‘system’…
FAILED (remote: (InvalidSize))
finished. total time: 159.786s
I have a optimus 2x where i could restore with nvflash, but it seems i cannot find anyway of doing that on the prime yet :/
Click to expand...
Click to collapse
if im not mistaken you have to flash via apx mode, to enter apx mode begin booting your tablet like normal, then while it is attempting to boot hold both the powerbutton and up vol key this will send you into apx mode where the screen just goes blank.
Next type the following command
wheelie --blob blob.bin to boot strap into nvflash
now proceed as you normally would with nvflash
(i believe the commands may be slightly altered in this version of nvflash so you may want to run nvflash help to make sure you are using the right commands)
- Cheers

shreddintyres said:
if im not mistaken you have to flash via apx mode, to enter apx mode begin booting your tablet like normal, then while it is attempting to boot hold both the powerbutton and up vol key this will send you into apx mode where the screen just goes blank.
Next type the following command
wheelie --blob blob.bin to boot strap into nvflash
now proceed as you normally would with nvflash
(i believe the commands may be slightly altered in this version of nvflash so you may want to run nvflash help to make sure you are using the right commands)
- Cheers
Click to expand...
Click to collapse
Thanks for the quick answer.
I got to the nvflash part, but from here i don't know what commands i should use to flash my ROM to my prime.
I think maybe that my partitions tables is broken, is there a way to fix that, because every time i try to format whit Fastboot i get this message
Code:
C:\Users\Benjamins\Desktop>fastboot format data
formatting 'data' partition...
Formatting is not supported for filesystem with type ''.
FAILED ()
finished. total time: 0.014s

butbhgyt said:
Thanks for the quick answer.
I got to the nvflash part, but from here i don't know what commands i should use to flash my ROM to my prime.
I think maybe that my partitions tables is broken, is there a way to fix that, because every time i try to format whit Fastboot i get this message
Code:
C:\Users\Benjamins\Desktop>fastboot format data
formatting 'data' partition...
Formatting is not supported for filesystem with type ''.
FAILED ()
finished. total time: 0.014s
Click to expand...
Click to collapse
Unfortunately im not very well versed in NVflash or fastboot yet, however if you were able to successfully able to generate the files in AndroidRoot's guide you should be able to perform a full system recovery, how is an entirely different issue
hopefully these help:
Code:
c:\>nvflash --help
Nvflash started
nvflash action [options]
action (one or more) =
--help (or -h)
displays this page
--cmdhelp cmd(or -ch)
displays command help
--resume (or -r)
send the following commands to an already-running bootloader
--quiet (or -q)
surpress excessive console output
--wait (or -w)
waits for a device connection (currently a USB cable)
--create
full initialization of the target device using the config file
--download N filename
download partition filename to N
--setboot N
sets the boot partition to partition N
--format_partition N
formats contents of partition N
--read N filename
reads back partition N into filename
--getpartitiontable filename
reads back the partition table into filename
--getbit filename
reads back BIT into filename
--dumpbit [options] {debug|regress|force}
dumps the structure of bit on terminal in text form --getbct
reads back the BCT from mass storage
--odm C Data
ODM custom command 'C' with associated data
--go
continues normal execution of the downloaded bootloader
options =
--configfile filename
indicates the configuration file used with the following commands:
--create, --format_all
--bct filename
indicates the file containing the BCT
--rcm file1 file2
specifies the encrypted and signed RCM message data files
got from nvsbktool for talking to bootrom in odm secure mode
--bl filename
downloads and runs the bootloader specified by filename
--odmdata N
sets 32bit customer data into a field in the BCT, either hex or
decimal
--diskimgopt N
sets 32bit data required for disk image convertion tool
--format_all
formats all existing partitions on the target device using the config fil
e,
including partitions and the bct
--setbootdevtype S
sets the boot device type fuse value for the device name.
allowed device name string mentioned below:
emmc, nand_x8, nand_x16, nor, spi
--setbootdevconfig N
sets the boot device config fuse value either hex or decimal
--verifypart N
verifies data for partition id = N specified. N=-1
indicates all partitions
Intended to be used with --create command only.
--setbct
updates the chip specific settings of the BCT in mass storage to
the bct supplied,used with --create, should not be with --read,and
--format(delete)_all,format(delete)_partition,--download, and--read
--setblhash <bct file>
send encrypted bct file got from nvsbktool to miniloader to support
downloader bootloader or microboot in secure mode
--sync
issues force sync commad
--rawdeviceread S N filename
reads back N sectors starting from sector S into filename
--rawdevicewrite S N filename
writes back N sectors from filename to device starting from sector S
--deviceid N
sets the device ID of the target either hex or decimal
--transport <transportname>
transportname should be <jtag> for emulation platforms and <usb> for othe
r platforms
or it can be <simulation> for doing whole Nvflash process on host side,de
vice not needed
--instance <n>
instance number of the device
--updatebct <bctsection>
bctsection should refer to the section of the bct we are updating.
Curently we suport updates for following sections
<SDRAM> updates SdramParams and NumSdramSets fields
<DEVPARAM> updates DevParams, DevType and NumParamSets
<BOOTDEVINFO> updates BlockSizeLog2, PageSizeLog2 and PartitionSize
--devparam <P> <B> <N>
P is the logical page_size of the device. Default size is 2048 bytes
B is the erase group size of the device.
N is total number blocks of the device (erase group units)
you could try the following but keep in mind im completely guessing and there is no guarantee this will work
first to see if your partitiontable is whack run
nvflash --getpartitiontable <insertwhatyouwantonamethepartitiontable>
---------- Post added at 12:58 PM ---------- Previous post was at 12:26 PM ----------
I just realized that you are trying to flash .blob files, with the bootloader that comes with the NVflash mod you must use .img files you will need to get blob unpacking tools from Android Root to unpack blob files then flash them partition by partition
see this post
http://forum.xda-developers.com/showpost.php?p=28969489&postcount=126

shreddintyres said:
Unfortunately im not very well versed in NVflash or fastboot yet, however if you were able to successfully able to generate the files in AndroidRoot's guide you should be able to perform a full system recovery, how is an entirely different issue
hopefully these help:
Code:
c:\>nvflash --help
Nvflash started
nvflash action [options]
action (one or more) =
--help (or -h)
displays this page
--cmdhelp cmd(or -ch)
displays command help
--resume (or -r)
send the following commands to an already-running bootloader
--quiet (or -q)
surpress excessive console output
--wait (or -w)
waits for a device connection (currently a USB cable)
--create
full initialization of the target device using the config file
--download N filename
download partition filename to N
--setboot N
sets the boot partition to partition N
--format_partition N
formats contents of partition N
--read N filename
reads back partition N into filename
--getpartitiontable filename
reads back the partition table into filename
--getbit filename
reads back BIT into filename
--dumpbit [options] {debug|regress|force}
dumps the structure of bit on terminal in text form --getbct
reads back the BCT from mass storage
--odm C Data
ODM custom command 'C' with associated data
--go
continues normal execution of the downloaded bootloader
options =
--configfile filename
indicates the configuration file used with the following commands:
--create, --format_all
--bct filename
indicates the file containing the BCT
--rcm file1 file2
specifies the encrypted and signed RCM message data files
got from nvsbktool for talking to bootrom in odm secure mode
--bl filename
downloads and runs the bootloader specified by filename
--odmdata N
sets 32bit customer data into a field in the BCT, either hex or
decimal
--diskimgopt N
sets 32bit data required for disk image convertion tool
--format_all
formats all existing partitions on the target device using the config fil
e,
including partitions and the bct
--setbootdevtype S
sets the boot device type fuse value for the device name.
allowed device name string mentioned below:
emmc, nand_x8, nand_x16, nor, spi
--setbootdevconfig N
sets the boot device config fuse value either hex or decimal
--verifypart N
verifies data for partition id = N specified. N=-1
indicates all partitions
Intended to be used with --create command only.
--setbct
updates the chip specific settings of the BCT in mass storage to
the bct supplied,used with --create, should not be with --read,and
--format(delete)_all,format(delete)_partition,--download, and--read
--setblhash <bct file>
send encrypted bct file got from nvsbktool to miniloader to support
downloader bootloader or microboot in secure mode
--sync
issues force sync commad
--rawdeviceread S N filename
reads back N sectors starting from sector S into filename
--rawdevicewrite S N filename
writes back N sectors from filename to device starting from sector S
--deviceid N
sets the device ID of the target either hex or decimal
--transport <transportname>
transportname should be <jtag> for emulation platforms and <usb> for othe
r platforms
or it can be <simulation> for doing whole Nvflash process on host side,de
vice not needed
--instance <n>
instance number of the device
--updatebct <bctsection>
bctsection should refer to the section of the bct we are updating.
Curently we suport updates for following sections
<SDRAM> updates SdramParams and NumSdramSets fields
<DEVPARAM> updates DevParams, DevType and NumParamSets
<BOOTDEVINFO> updates BlockSizeLog2, PageSizeLog2 and PartitionSize
--devparam <P> <B> <N>
P is the logical page_size of the device. Default size is 2048 bytes
B is the erase group size of the device.
N is total number blocks of the device (erase group units)
you could try the following but keep in mind im completely guessing and there is no guarantee this will work
first to see if your partitiontable is whack run
nvflash --getpartitiontable <insertwhatyouwantonamethepartitiontable>
---------- Post added at 12:58 PM ---------- Previous post was at 12:26 PM ----------
I just realized that you are trying to flash .blob files, with the bootloader that comes with the NVflash mod you must use .img files you will need to get blob unpacking tools from Android Root to unpack blob files then flash them partition by partition
see this post
http://forum.xda-developers.com/showpost.php?p=28969489&postcount=126
Click to expand...
Click to collapse
Thank you very much, I managed to flash all my partition in Fastboot now, when i unpacked them with blobunpack, my prime is back alive thanks to you

People have to remember they are no longer using asus bootloader/fastboot, when they AndroidRoot.
sent from my tf201

Oops

[Q] Using fastboot -c

Hello everybody. I need help figuring out what command line configuration to put inside of the parentheses of
Code:
fastboot -c " "
How can I find out what command line to put in so that I can use
Code:
fastboot boot
Apparently since Android 4.4 you can no longer simply do the command
Code:
fastboot boot img.mg
and you have to do it something like
Code:
fastboot -c "console=ttyHSL0,115200,n8 androidboot.hardware=mako lge.kcal=0|0|0|x" img.img
or
Code:
fastboot -c "lge.kcal=0|0|0|x" boot img.img
or else it won't boot. The above commands work for the nexus 4. I do not have the source for my device but I do have the boot.img and zimage. I need this info to help me root the HD6!

can you put the boot and zimage somewhere so i can download them.

HT123 said:
can you put the boot and zimage somewhere so i can download them.
Click to expand...
Click to collapse
Yes I will do that later today

[quote name="AdamOutler" post=57883049]So that is your CMDLINE. You can get the default CMDLINE from the stock boot.img. If you are on Ubuntu, you can
apt-get install abootimg
Click to expand...
Click to collapse
, then
abootimg -x path/to/boot.img
Click to expand...
Click to collapse
The file named something.cfg will contain the stock CMDLINE. Hope that helps.[/QUOTE]
I appreciate your reply. Neat tool. Before I was using unpackbootimg and it would create a blank boot.img-cmdline file. I just tried out your method and got similar results:
bootsize = 0x51f100
pagesize = 0x800
kerneladdr = 0x10008000
ramdiskaddr = 0x11000000
secondaddr = 0x10f00000
tagsaddr = 0x10000100
name =
cmdline =
Click to expand...
Click to collapse
I am guessing that the image should not require an additional command line param. But I am unable to boot even the stock boot img with fastboot boot. Is this a result of a locked bootloader?

kernel
Any progress? may be you can give us the kernel binary, so we can also test together

senzhk said:
Any progress? may be you can give us the kernel binary, so we can also test together
Click to expand...
Click to collapse
HT123 said:
can you put the boot and zimage somewhere so i can download them.
Click to expand...
Click to collapse
https://drive.google.com/open?id=0Bx_94ujbh0qoTm5rd0R5a041Ymc&authuser=0

Tried fastboot boot boot.img. It said Downloaded, and booting, but nothing happened.
I remember you have UART output, do you get any output whille 'booting'?

senzhk said:
Tried fastboot boot boot.img. It said Downloaded, and booting, but nothing happened.
I remember you have UART output, do you get any output whille 'booting'?
Click to expand...
Click to collapse
It shows some log about kernel size and ram size and then stops loging

iplay 7t (sc9832e processor) root / unlock bootloader suggestions

Recently purchased an iplay 7t after reading the xda review. This is replacing an LG v400 tablet that I had rooted. I updated the iplay to build T701_V1.20_20191112, enabled developer options, enabled oem unlock bootloader, found the corresponding firmware pac, installed magisk and used it to patch boot.img. So far so good.
I entered fastboot, then I attempted to flash the modified boot.img and was told:
Code:
target didn't report max-download-size
sending 'boot' (18584 KB)...
OKAY [ 0.593s]
writing 'boot'...
FAILED (remote: Flashing Lock Flag is locked. Please unlock it first!)
finished. total time: 0.608s
I tried various options to unlock the bootloader:
Code:
> fastboot getvar unlocked
unlocked:
finished. total time: -0.000s
> fastboot oem unlock
...
FAILED (remote: unknown cmd.)
finished. total time: -0.000s
> fastboot oem unlock-go
...
FAILED (remote: unknown cmd.)
finished. total time: 0.002s
> fastboot flashing get_unlock_ability
...
FAILED (remote: Not implement.)
finished. total time: -0.000s
> fastboot flashing unlock
...
FAILED (remote: Not implemet.)
finished. total time: -0.000s
> fastboot flashing unlock_critical
...
FAILED (remote: Not implement.)
finished. total time: 0.016s
> fastboot flashing unlock_bootloader
fastboot: usage: unknown 'flashing' command unlock_bootloader
> fastboot flashing unlock_bootloader_nonce
fastboot: usage: unknown 'flashing' command unlock_bootloader_nonce
Okay ... fine. I fired up SPD Research tool and attempted to use it to flash the modified boot.img. It transfers the image and then times out.
As a sanity check I used SPD Research tool to flash the original boot.img and that worked fine.
I'll note the modified image is smaller than the original, however padding the modified image with zeros to the same size didn't seem to help. Using SPD Research tool to flash the padded image still timed out.
I am looking to open a request up on the Alldocube support site (currently their registration form is giving me an error), in the meantime ... suggestions? Has anyone successfully flashed a modified boot.img on this device / rooted this device?

in the "developer option" on your phone, you should enable the "allow unlock bootloader" option.

DR.Doyle said:
in the "developer option" on your phone, you should enable the "allow unlock bootloader" option.
Click to expand...
Click to collapse
Yes ... I have that enabled.

Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by:
Code:
WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.
Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".
All this seems like I'm on the right track.
However attempting to boot into the re-signed stock recovery results in:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.
Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.

jwehle said:
Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by:
Code:
WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.
Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".
All this seems like I'm on the right track.
However attempting to boot into the re-signed stock recovery results in:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.
Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.
Click to expand...
Click to collapse
Dear jwehle:
good job, i have also modify the pac firmware file which based on chinese vesion firmware:T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1.resgin the vbmeta img
2.delete fbe Force encryption in vendor partitions
3.delete the script in system.img to prevent factory recovery restore
4.modify recovery.img to a magisk build-in recovery
please use SPD_Research_Tool to flash the pac,change the android os language from chinese to english ,install magiskmanager app ,and the use adb command (adb reboot recovery)to let tablet reboot to recovery.
after tablet reboot to android os again ,open magiskmanager app,you can see the magisk can get root authority .
how to change language from chinese to english,please see attach png file.
Considering that the Android os you are using is in English version(including Google services),according to the modification points above, you can try to use the vbmeta and recovery (built in magisk) modified by your own signature , and then delete the fbe Force encryption、 recovery restoration in the system and vendor images , then use the SPD_Research_Tool to package the imgs into a pac image, flash the pac image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use magisk to get root permissions.
twrp egg:https://mega.nz/#!YZ9VDZbT!1ptlOI6g3FS_ES-cLGhLy9ybGtdHQ8vzVHaasAXglXo
and last thanks PeterCxy on xda 、the other masters sifu on 4pda agian.

wangyiling said:
Dear jwehle:
good job, i have also modify the pac firmware file which based on chinese vesion firmware:T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1.resgin the vbmeta img
2.delete fbe Force encryption in vendor partitions
3.delete the script in system.img to prevent factory recovery restore
4.modify recovery.img to a magisk build-in recovery.
Click to expand...
Click to collapse
Thanks for supplying the modified PAC and for explaining the changes.
Your PAC seemed to work fine and now that I have a better understanding
of things I should be able build my own PAC when I have a chance.
Your time and effort in explaining things is appreciated.

What's the significance of removing the encryption for the vendor partitions?

jwehle said:
What's the significance of removing the encryption for the vendor partitions?
Click to expand...
Click to collapse
the vendor img in my pac，just use ext4 format.i have use simg2img convert the oringin vendor img to ext4 format,and modify the fstab file in vendor/etc folder.
fstab.sp9832e_1h10：
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,[COLOR="DarkOrange"]fileencryption[/COLOR]=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,[COLOR="darkorange"]fileencryption[/COLOR]=aes-256-xts
---------->
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,[COLOR="darkorange"]encryptable[/COLOR]=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,[COLOR="darkorange"]encryptable[/COLOR]=aes-256-xts

wangyiling said:
the vendor img in my pac，just use ext4 format.i have use simg2img convert the oringin vendor img to ext4 format,and modify the fstab file in vendor/etc folder.
Click to expand...
Click to collapse
Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.

jwehle said:
Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.
Click to expand...
Click to collapse
Just for twrp to read the data partition, convenient for personal use。

It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:
Code:
vbmeta
boot
recovery
What was happening is when the system started normally it saw that recovery image had been modified so it checked if the boot image was the factory standard image. Since I hadn't touched the boot image the OS went ahead and attempted to replace the recovery image I flashed with a standard recovery image generated on the fly from the factory standard boot image. This caused a soft-brick when I rebooted into recovery since that recovery image wasn't signed using the public key specified by my replacement vbmeta.
By also flashing a newly signed boot image because the signature is different from what's it knows about the system no longer attempts to use it to refresh the recovery image.
Here's an outline of what I did to successfully root the device:
Use the Qin 2 Pro instructions / tools to unlock the boot loader.
Flash the appropriate factory standard firmware to establish a know starting point. I used iplay7t(T701)-Android9.0-ALLDOCUBE-191112 from the Alldocube web site.
Use SPD Rsearch Tool to extract vbmeta-sign.img, boot.img, and recovery.img.
Use avbtool (with the below patch) to extract the public keys from vbmeta-sign.img like so:
Code:
avbtool info_image --image vbmeta-sign.img.
Use make (with the below makefile) to sign vbmeta, boot, and recovery using a new key.
Flashed vbmeta, boot, and recovery.
Booted into recovery, saw that it worked, and did a factory reset.
Used magisk to patch recovery.img in the normal fashion, signed the patched recovery using the new key, and flashed the patched recovery.
Proceed to finish installing magisk in the normal fashion.
Notes:
rsa4096_vbmeta.pem is the private key mentioned in the Qin 2 Pro article.
The dhtbsign-vbmeta command is basically the dhtb signing python script from Qin 2 Pro article.
Here's the trival patch for avbtool to dump the public keys.
Code:
--- avbtool 2020-02-22 22:11:55.107787032 -0500
+++ avbtool.dumpkeys 2020-02-22 22:15:36.046283077 -0500
@@ -1657,6 +1657,10 @@ class AvbChainPartitionDescriptor(AvbDes
Arguments:
o: The object to write the output to.
"""
+ kfd = open(self.partition_name, "w");
+ kfd.write(self.public_key);
+ kfd.close();
+
o.write(' Chain Partition descriptor:\n')
o.write(' Partition Name: {}\n'.format(self.partition_name))
o.write(' Rollback Index Location: {}\n'.format(
Here's the makefile I used for signing the images.
Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img
vbmeta-sign.img: Makefile avb4096_pkmd.bin keys/*
avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
--key ../rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
--chain_partition boot:1:avb4096_pkmd.bin \
--chain_partition system:3:keys/system \
--chain_partition vendor:4:keys/vendor \
--chain_partition product:10:keys/product \
--chain_partition dtbo:9:keys/dtbo \
--chain_partition recovery:2:avb4096_pkmd.bin \
--chain_partition l_modem:5:keys/l_modem \
--chain_partition l_ldsp:6:keys/l_ldsp \
--chain_partition l_gdsp:7:keys/l_gdsp \
--chain_partition pm_sys:8:keys/pm_sys \
--chain_partition dtb:11:keys/dtb
dhtbsign-vbmeta vbmeta.img vbmeta-sign.img
@rm -f vbmeta.img
avb4096_pkmd.bin: avb4096.pem
avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin
avb4096.pem:
openssl genrsa -out avb4096.pem 4096
boot-sign.img: boot.img avb4096.pem
cp boot.img boot-sign.img
avbtool add_hash_footer --image boot-sign.img \
--partition_name boot --partition_size 36700160 \
--key avb4096.pem --algorithm SHA256_RSA4096
recovery-sign.img: recovery.img avb4096.pem
cp recovery.img recovery-sign.img
avbtool add_hash_footer --image recovery-sign.img \
--partition_name recovery --partition_size 36700160 \
--key avb4096.pem --algorithm SHA256_RSA4096

@ jwehle，Very grateful for your detailed sharing

Did you have any trouble getting the tablet to populate the fastboot devices list?
I have USB drivers installed and can view the tablet's internal storage when it's not in fastboot mode. She's plugged directly into the mobo and I've tried two cables.
When in fastboot mode, it comes up in the Windows Device Manager as fastboot Gadget and drivers are apparently not available. I've tried using Zadig to feed it a driver of some kind, but still nothing.

MissAyako said:
Did you have any trouble getting the tablet to populate the fastboot devices list?
I have USB drivers installed and can view the tablet's internal storage when it's not in fastboot mode. She's plugged directly into the mobo and I've tried two cables.
When in fastboot mode, it comes up in the Windows Device Manager as fastboot Gadget and drivers are apparently not available. I've tried using Zadig to feed it a driver of some kind, but still nothing.
Click to expand...
Click to collapse
Seems the issue was with Windows. I thought I would be able to get the unlock token with Windows and then use WSL to do the rest of the signing, but apparently not.
Luckily I had an old laptop lying around. I threw Linux Mint on it and it worked just fine.
It didn't seem to work just using a live USB; I had to install Linux to the hard disk, but YMMV.

jwehle said:
It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:
Click to expand...
Click to collapse
This was wonderful, thank you! I've added some of my own notes below as an experience of what I encountered when attempting this process myself (spoiler'd because it is a lot).
I do not have enough post count to add links, but titles to the relevant articles has been added.
Follow steps in Article "Guide: How to Unlock Xiaomi Qin 2 (Pro) and Install Custom ROMs" from step 1 to (and including) step 10 (Unlocking section).
Notes:
- A Linux PC is necessary.
- You'll have to mark the "fastboot" file from the "Android_device_unlock.rar" archive as executable (chmod +x).
- Run the "fastboot" file as root.
- Getting the "SPD Research Tool" to pick up the tablet and not let the tablet try to move to either the charging
screen or the bootlogo is difficult, but do-able. Press and hold Power+Vol_Up and release when Windows does its
USB device detected chime.
- Flashing takes a few minutes (I think around 300 seconds).
- The SPD Research Tool extracts the PAC file contents into a folder. Grab the system images from there.
- The "avbtool" is available to be cloned via git from Google's repo
- The avbtool is a python script that is patched with three lines of code at line 1776:
Code:
kfd = open(self.partition_name, "w");
kfd.write(self.public_key);
kfd.close();
- When you use the patched avbtool on the vbmeta-sign.img file you copied (avbtool info_image --image vbmeta-sign.img)
it will produce several partitions with relative public keys that need to be stored in separate files for the next step.
The contents of the files are simply the public key and the partition name as the file name. Store the files in a folder named "keys".
- When creating the makefile, ensure that proper indentation is used. The code segment below is properly formatted (hopefully). If you get make errors, remove and re-indent the lines.
- If your "rsa4096_vbmeta.pem" keyfile is not placed alongside the makefile, ensure the --key flag points to this file.
- The makefile exists in the same directory as the system images.
- I had to insert local paths to the avbtool, as it was not installed to the system PATH.
- The dhtbsign-vbmeta.py command is located below. Make sure to mark this as executable as well.
Everything else is rather straightforward.
# makefile
Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img
vbmeta-sign.img: makefile avb4096_pkmd.bin keys/*
avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
--key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
--chain_partition boot:1:avb4096_pkmd.bin \
--chain_partition system:3:keys/system \
--chain_partition vendor:4:keys/vendor \
--chain_partition product:10:keys/product \
--chain_partition dtbo:9:keys/dtbo \
--chain_partition recovery:2:avb4096_pkmd.bin \
--chain_partition l_modem:5:keys/l_modem \
--chain_partition l_ldsp:6:keys/l_ldsp \
--chain_partition l_gdsp:7:keys/l_gdsp \
--chain_partition pm_sys:8:keys/pm_sys \
--chain_partition dtb:11:keys/dtb
./dhtbsign-vbmeta.py vbmeta.img vbmeta-sign.img
@rm -f vbmeta.img
avb4096_pkmd.bin: avb4096.pem
avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin
avb4096.pem:
openssl genrsa -out avb4096.pem 4096
boot-sign.img: boot.img avb4096.pem
cp boot.img boot-sign.img
avbtool add_hash_footer --image boot-sign.img \
--partition_name boot --partition_size 36700160 \
--key avb4096.pem --algorithm SHA256_RSA4096
recovery-sign.img: recovery.img avb4096.pem
cp recovery.img recovery-sign.img
# dhtbsign-vbmeta.py file (from "How I Unlocked Xiaomi Qin 2 Pro and Installed Phh GSI")
Code:
#!/usr/bin/env python
import hashlib
import sys
f = open(sys.argv[1], "rb")
b = f.read()
sha = hashlib.sha256(b).digest()
f.close()
f = open("vbmeta_signed.img", "wb")
f.write(b)
f.seek(1048576 - 512)
f.write(b'\x44\x48\x54\x42\x01\x00\x00\x00')
f.write(sha)
f.write(b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00')
f.seek(1048576 - 1)
f.write(b'\x00')
f.close()

wuxianlin has build a twrp device for T701.
i think this will be a help .

Help me
Sir help pliz same problem my device ,same chipset , Symphony i95 ,pliz sir modify my pac file pliz....

wangyiling said:
Dear jwehle:
good job, i have also modify the pac firmware file which based on chinese vesion firmware:T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1.resgin the vbmeta img
2.delete fbe Force encryption in vendor partitions
3.delete the script in system.img to prevent factory recovery restore
4.modify recovery.img to a magisk build-in recovery
please use SPD_Research_Tool to flash the pac,change the android os language from chinese to english ,install magiskmanager app ,and the use adb command (adb reboot recovery)to let tablet reboot to recovery.
after tablet reboot to android os again ,open magiskmanager app,you can see the magisk can get root authority .
how to change language from chinese to english,please see attach png file.
Considering that the Android os you are using is in English version(including Google services),according to the modification points above, you can try to use the vbmeta and recovery (built in magisk) modified by your own signature , and then delete the fbe Force encryption、 recovery restoration in the system and vendor images , then use the SPD_Research_Tool to package the imgs into a pac image, flash the pac image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use magisk to get root permissions.
twrp egg:https://mega.nz/#!YZ9VDZbT!1ptlOI6g3FS_ES-cLGhLy9ybGtdHQ8vzVHaasAXglXo
and last thanks PeterCxy on xda 、the other masters sifu on 4pda agian.
Click to expand...
Click to collapse
can i just flash the pac without unlocking the bootloader.
thanks in advances

hidroela said:
can i just flash the pac without unlocking the bootloader.
thanks in advances
Click to expand...
Click to collapse
yes,just falsh pac

wangyiling said:
yes,just falsh pac
Click to expand...
Click to collapse
i did unlocked the bootloader and flash the pac and follow the instructions for magisk to work, but after a third reboot Root was gone.
i don't know what I am missing.