Better Mobile App

[HOWTO] Deploy your own QDLTool

Hey all,
I've been looking into how QDLTool works a bit and figured out how to swap the images that it flashes. Please note that QDLTool verifies image hashes for a good reason. You should understand the risks before attempting to meddle with QDLTool for any reason. Anything you do is at your own risk.
I would *strongly* recommend not flashing anything but amss, system, recovery and boot from any custom builds. Any time you flash a partition image, dbl, fsbl or osbl, you run the risk of bricking your device beyond recovery.
Important note: The information below is based entirely on analysis of QDLTool. I haven't used this to flash an image yet. If you plan on using this for development, you'll have to take that step.
Let's get to the details:
QDLTool automatically determines what to flash from the images/ directory. It stores a hash internally for each of the files that it will flash. This hash is basically just a 32-bit XOR of the bytes in the file:
Code:
#!/usr/bin/python
import sys
x = open(sys.argv[1], "rb").read()
print "%02x%02x%02x%02x" % (reduce(lambda x,y: x^ord(y), x[3::4], 0), reduce(lambda x,y: x^ord(y), x[2::4], 0), reduce(lambda x,y: x^ord(y), x[1::4], 0), reduce(lambda x,y: x^ord(y), x[0::4], 0))
To swap out an image, you need to patch the old hash of a file that was previously flashed with the new hash of the file that you'd like to flash.
For this post, I'll assume you're looking at QDLTool from streakflash.zip with MD5 = 63b64ba6a9d1ee770998d2a0e4a19df1.
In this file, the hashes start at offset 0x5fa90. There are 14 of them:
Code:
0005fa90 0b b0 a7 5c 3e e9 bb 29 17 4e 8d ac a0 dc 43 62
0005faa0 2c 3f 4e f1 fb 6b fc 80 11 9d 22 07 66 70 22 4a
0005fab0 bc 38 64 95 d2 c6 72 29 6d f8 99 e2 cc 74 14 49
0005fac0 1b ad 7a 9c 77 fb ee cc
As 32-bit words, they are:
5CA7B00B
29BBE93E
... etc ...
9C7AAD1B
CCEEFB77
In order, they are:
00. Partition (hash = 5CA7B00B)
04. Dbl (hash = 29BBE93E)
08. Fsbl
0c. Osbl
10. Amss
14. Dsp1
18. DT
1c. Appsbl
20. Boot
24. System
28. Userdata
2c. Recovery
30. Logfilter
34. RCFile
So, if I wanted to flash a new recovery, I'd take the hash of my recovery file via the Python script above, then replace the bytes at 0x5fa90 + 2c = 0x5fabc with my hash (stored in little-endian, of course).
It's a bit of manual work at this point, but I think a lot of this could be automated. You'd probably be better off and safer using batch files and fastboot though.

we discovered batch files to flash the images is a bad idea as some images cant be flashed using the normal fastboot mode

Thanks,
i'am looking some infomation about QDLTool also.
but i've no idea what hash was
i'll probatly wait for some "automated" way

QDLTools has so much potention. Somebody that knows coding should make it a automated system for us the little people...
Sent from my Dell Streak using XDA App

Yes, it would be nice if someone could figure out a way to insert new "roms" into the QDL tool, so when new updates are release, it would be a no brainer to do the updates without having to go through a bunch of command lines, or hocus-pokus to get an updated rom (minus the bloated carrier rom) onto the device.
Years ago, I played around with Linux, and found the same issue. A lot of command line knowledge is required. My command line stopped at dos 6.x, going all the way back to dos 2.x
Windows spoiled everyone

UPX exe and dll files to speed up your TG01

Its been very quiet in these forums recently, probably because everyone has bought a Galaxy S2 or a HTC Sensation!
I recently came across UPX, this is a compression utility that can shrink exe and dll files quite dramatically, saving space and increasing application launch speed quite dramatically.
I am currently using Mirom8 and even though this Sense 2021 rom is protected have decided to list exe and dll files that can (I think) be UPXed for speed
Here is a list of exe and dlls from the \windows folder and their UPXed size:
AdjustMotionSensor.exe 109k
AdobeReaderLE.exe 1050k
AlarmPopUp.exe 105k
AlbumSearcher.exe 135k
AudioBooster.exe 87k
AudioManager_Eng.exe 76k
BackupRestoreUI.exe 220k
Camera.exe 161k (nice increase in launch speed here)
CommManager.exe 152k
ConnectionSetup.exe 112k
ConnectionSetupAuto.exe 115k
ContactEditor.exe 66k
EmailSetupWizard.exe 97k
Facebook.exe 206k
HTCAlbum.exe 400k
HTCAppointment.exe 105k
HTCBookmark.exe 123k
HTCDRMEngine.exe 949k
HTCMsgEnhance.exe 110k
HTCPhotoPicker.exe 358k
OneNoteMobile.exe 268k
PPCPimBackup.exe 147k
PPT.EXE 687k
PushClient.exe 137k
PWORD.EXE 128k
PXL.EXE 291k
RSSHub.exe 266k
ServiceMode.exe 160k
SettingImprovement.exe 90k
SIM_MGR.EXE 82k
SimLockP.exe 49k
SimMgr.exe 117k
SPMC.EXE 117k
StreamingPlayer.exe 165k
Uploader.exe 97k
WiFiNetwork.exe 67k
wma9prodecoder.dll 236k
wmv9decoder.dll 258k
WMVDMOE.DLL 238k
YouTube.exe 145k
And other useful savings
Opera 10, 2 largest files can be UPXed, flashlite, the large dll can be UPXed
S2U2, all exe's can be UPXed, makes the unlock screen quite smooth to use
Its not worth UPXing files less that 200k although it might help a slow launching app around the 150k size, and normally its not worth UPXing files that stay resident in ram all the time, as it can use quite a lot more ram than normal, but if you launch apps a lot, then it can really make a difference to the speed of opening your favourite applications. Apps that use .net cannot be UPXed either, so that is a limiation otherwise more files could be UPXed.

Very good work!!! Have you send me all the files? I will over weekend swap the files and re cook mirom8.

mirolg said:
Very good work!!! Have you send me all the files? I will over weekend swap the files and re cook mirom8.
Click to expand...
Click to collapse
Hi Miro
I will send you a rar file again via email today at some point.
This can be done to other rom releases too you know, i am unsure of total rom savings space wise, possibly 20MB-30MB, not huge but we are talking a whole 20MB plus of internal storage free for something else.
Also it would be useful to know whereelse in the rom there are exe files i can try to upx, must be other places.

(InsertNameHere) said:
Its been very quiet in these forums recently, probably because everyone has bought a Galaxy S2 or a HTC Sensation!
Click to expand...
Click to collapse
Yes, it seems that only few person are on the forum. Maybe drupad will show up after return from vacation. It is over
Regards
fxdjacentyfxd

(InsertNameHere) said:
Hi Miro
I will send you a rar file again via email today at some point.
This can be done to other rom releases too you know, i am unsure of total rom savings space wise, possibly 20MB-30MB, not huge but we are talking a whole 20MB plus of internal storage free for something else.
Also it would be useful to know whereelse in the rom there are exe files i can try to upx, must be other places.
Click to expand...
Click to collapse
miROM1 and miROM8 are good ROMs and if we can save 20 - 30 MB Storage, then will be much better! i try it and give you a feedback!
good work, tnx

mirolg said:
miROM1 and miROM8 are good ROMs and if we can save 20 - 30 MB Storage, then will be much better! i try it and give you a feedback!
good work, tnx
Click to expand...
Click to collapse
How about coking this with latest manila u had in mind??

thanks for this!!!

nikola92 said:
How about coking this with latest manila u had in mind??
Click to expand...
Click to collapse
Miro is working on it for us

hi, a short statement:
my sense 2021 package i have compressed with cfc.method the result is sense and sense tabs starts quicker and works really faster. ok. miROM1 and mirom8 are in the lastest relases also fast, but all starts 0,5 sec. quicker. UPX method compress the exe + dll files and the result is from app to app different- but i mean the most works better and we save few MB storage. miROM8 has now 270 MB and miROM1 has 256 MB free Storage.
Both ROMs are with all fixes and updates incl. cam-button and toshiba power + wifi settings.
I would test it and will upload it next days
cheers, miRO

mirolg said:
hi, a short statement:
my sense 2021 package i have compressed with cfc.method the result is sense and sense tabs starts quicker and works really faster. ok. miROM1 and mirom8 are in the lastest relases also fast, but all starts 0,5 sec. quicker. UPX method compress the exe + dll files and the result is from app to app different- but i mean the most works better and we save few MB storage. miROM8 has now 270 MB and miROM1 has 256 MB free Storage.
Both ROMs are with all fixes and updates incl. cam-button and toshiba power + wifi settings.
I would test it and will upload it next days
cheers, miRO
Click to expand...
Click to collapse
Good news and sounds quite exciting, i am glad you found a way to get CFC working with 2021, i had read it was somewhat more difficult than previous versions like 2012, and UPX saves some space, thats good too.
270MB user storage is incredible i would say!
Great job!

Which version of UPX did you use ?
can i have a link ?

lesscro said:
Which version of UPX did you use ?
can i have a link ?
Click to expand...
Click to collapse
Any version above 3.03 supplied with this batch utility works fine, but i used the latest version 3.07
Best to do all compression on your pc rather than use a PPC version, it can take quite a long time to compress a large exe file.

thx for all... i will test myself on my TG !

Actually i tried this files to perform a speed test :
Code:
Explorer.exe 268 288 2010-09-07 20:46 -a---
GoogleMaps.exe 2 354 176 2010-06-25 19:47 -a---
iGo.exe 8 613 376 2011-05-08 09:07 -a---
iManager.exe 356 352 2011-02-21 17:00 -a---
InfoTrafic Trains.exe 319 488 2010-03-17 23:28 -a---
Opera10-armv4i.exe 623 400 2010-03-15 20:48 -a---
PhotoManPro.exe 1 108 480 2010-04-26 16:29 -a---
player.exe 1 894 672 2009-09-17 11:14 -a---
RCapture.exe 90 112 2010-04-26 16:28 -a---
s2p.exe 364 032 2010-07-17 05:35 -a---
SKTools.exe 2 657 208 2010-03-02 15:09 -a---
ThemeChanger.exe 113 912 2007-04-18 07:43 -a---
Weather-iGo-PPC-v2.exe 264 192 2010-11-11 17:49 -a---
And only a few Exe seems to be work like my old test with my P535 long time ago...
it appear too somes EXE manage in .NEt/win32 are not supported actually !
But when it work... it s soooooooooooooooooo fastest !
Working file compression :
Code:
Explorer.exe 252 928 2010-09-07 20:46 -a---
GoogleMaps.exe 855 040 2010-06-25 19:47 -a---
iManager.exe 203 264 2011-02-21 17:00 -a---
Opera10-armv4i.exe 246 568 2010-03-15 20:48 -a---
PhotoManPro.exe 499 712 2010-04-26 16:29 -a---
RCapture.exe 53 248 2010-04-26 16:28 -a---
then i have seen on Mirolg ROM thread you manage a complete suite with standard TG exe... can you share this package, i think system files (*.exe) is universal...
And maybe you win when i will finish my new SKIN in test !
other nice idea to still use this tool always updated... i forgot it ! but it s very usefull !

lesscro said:
Actually i tried this files to perform a speed test :
Code:
Explorer.exe 268 288 2010-09-07 20:46 -a---
GoogleMaps.exe 2 354 176 2010-06-25 19:47 -a---
iGo.exe 8 613 376 2011-05-08 09:07 -a---
iManager.exe 356 352 2011-02-21 17:00 -a---
InfoTrafic Trains.exe 319 488 2010-03-17 23:28 -a---
Opera10-armv4i.exe 623 400 2010-03-15 20:48 -a---
PhotoManPro.exe 1 108 480 2010-04-26 16:29 -a---
player.exe 1 894 672 2009-09-17 11:14 -a---
RCapture.exe 90 112 2010-04-26 16:28 -a---
s2p.exe 364 032 2010-07-17 05:35 -a---
SKTools.exe 2 657 208 2010-03-02 15:09 -a---
ThemeChanger.exe 113 912 2007-04-18 07:43 -a---
Weather-iGo-PPC-v2.exe 264 192 2010-11-11 17:49 -a---
And only a few Exe seems to be work like my old test with my P535 long time ago...
it appear too somes EXE manage in .NEt/win32 are not supported actually !
But when it work... it s soooooooooooooooooo fastest !
Working file compression :
Code:
Explorer.exe 252 928 2010-09-07 20:46 -a---
GoogleMaps.exe 855 040 2010-06-25 19:47 -a---
iManager.exe 203 264 2011-02-21 17:00 -a---
Opera10-armv4i.exe 246 568 2010-03-15 20:48 -a---
PhotoManPro.exe 499 712 2010-04-26 16:29 -a---
RCapture.exe 53 248 2010-04-26 16:28 -a---
then i have seen on Mirolg ROM thread you manage a complete suite with standard TG exe... can you share this package, i think system files (*.exe) is universal...
And maybe you win when i will finish my new SKIN in test !
other nice idea to still use this tool always updated... i forgot it ! but it s very usefull !
Click to expand...
Click to collapse
I know .NET files cannot be UPXed, i did say this in my other post about UPX, but this thread was to state what i found could be done on mirom8.
Also bear in mind small files less than maybe 100k are not worth doing, because there is a latency involved with getting file off of storage, and then decompressing it in ram.
Also there is a downside, files UPXed have a higher memory footprint than files not compressed, so for instance, Imanager.exe that would always be resident in ram, is a bad idea, it will use more ram than it would if it wasn't compressed, its more useful for the config program, as that would make it open faster, any program that starts with the phone, don't bother UPXing it, any program thats always running, don't UPX it.
Glad you found the post useful.

then i will try to tes Mirom8 Rom and extract desired system files compresses based on your discussion with Mirolg...
thx for all !

lesscro said:
then i will try to tes Mirom8 Rom and extract desired system files compresses based on your discussion with Mirolg...
thx for all !
Click to expand...
Click to collapse
Mirom8 cfc is a beta and is not protected, so you can either ask Miro for what can and can't be done, or dump it in a kitchen and use it as a guide as to what to UPX and with what settings, not everything can be -Brute compessed, especially dll files, i believe there is a -Best switch, you will have to do a lot of trial and error, Miro has made leaps and bounds in finding what can be done, if you find things he has missed, let him know, anything to get a smaller, faster rom. My favourite example is the camera application, it fles, it opens in about 3 seconds.
Adding to your list of what you found could be done, i can tell you both of the largest files in the Opera application can be UPXed, so thats the exe and the largest dll file, in flashlite the largest dll can also be UPXed.

i will tru one by one Windows Exe files...
but i repeat i m pretty sure system base system is same on all rom especially system configuration files...
and All TG tool file, like camera and more other indispensable application...
You know what i m looking for... that's why i ask you to send me a package with already identified files system 'UPX transformed'...
I will won lot of time...
indeed, i will report your technic 'UPX' to a French Rom Cooker...
Actually my ROM, maybe it will try it himself too... and more tester more report !
have fun !

lesscro said:
i will tru one by one Windows Exe files...
but i repeat i m pretty sure system base system is same on all rom especially system configuration files...
and All TG tool file, like camera and more other indispensable application...
You know what i m looking for... that's why i ask you to send me a package with already identified files system 'UPX transformed'...
I will won lot of time...
indeed, i will report your technic 'UPX' to a French Rom Cooker...
Actually my ROM, maybe it will try it himself too... and more tester more report !
have fun !
Click to expand...
Click to collapse
Some components cannot be UPXed, cprog.exe, unless you first compress the png files, and gwes.exe, will eat more memory than ever if upxed, however if you found a technique to make it work postively on memory usage, please share how you did it.
I read some of this thread, maybe useful to you.
Only files i have are the ones listed in the first post, better off looking at miros roms as he has a lot of files upxed there.

Damn ! Beautifull... all your idea is awesome !
All your link is so cool...
i will try to test some new files... another tester is in place now... we will report all files we can test here !
Thx...

[RECOVERY][DUALBOOT][Unified][A10][A11][OOS11]Orangefox-DualBoot-Unified-Reborn[21-03-2021]

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Orangefox-DualBoot-Guac-Unified - Android 10/11 version
THANKS TO:
- Zackptg5 - The father of this mod
- DrakePL (Orangefox Recovery)
- Ae3NerdGod, Neel P, Whismasterflo
- Muphetz, Varun Soma, Pranav - for testing
#include <std_disclaimer.h>
/*
*
* We are not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at us for messing up your device, we will laugh at you.
*
*/
Click to expand...
Click to collapse
Modified recovery and installer script for all OP7/Pro/5G variants that re-purposes userdata for true dual booting. You can still use this as a regular stock twrp zip - one stop shop for magisk, verity, and/or forced encryption modifications
Disclaimer
I am not responsible for anything bad that happens to your device. Only experienced users should be using this mod
This is no walk in the park mod. Although I have extensively tested it, there is always the possibility of a brick with anything that involves repartitioning. Make sure you have a backup and know how to reparititon your phone back to stock (there's a guide at the end of this readme with the basics)
YOU'VE BEEN WARNED - Use at your own risk
Click to expand...
Click to collapse
Limitations
If you set a password, regardless of encryption status, it'll corrupt the other slot if it's also password protected.
Note that some roms set one automatically Either don't use a password on one slot, or leave one slot (I'll use 'a' in this example) unencrypted and:
Setup rom, password, and everything on slot a
Boot back into twrp, choose common data as storage, and backup userdata (if not using a/b/c layout, backup TWRP folder to your computer)
Setup rom, password, and everything on the other slot (b)
Boot back into twrp, switch back to slot a (reboot back into twrp), and restore the twrp backup
If you messed this up and are unencrypted - delete these files in /data/system if present: locksettings.db gatekeeper.password.key password.key gatekeeper.pattern.key pattern.key gatekeeper.gesture.key gesture.key
If you messed this up and are encrypted - you lost the data on that slot:
Unmount metadata in twrp gui
Format metadata with this command:
Code:
mke2fs -t ext4 -b 4096 /dev/block/sda$metadata_partnum
where metadata_partnum is the partition number of the current metadata partition (you can find this with sgdisk /dev/block/sda --print). DO NOT FORGET THE PARTITION NUMBER. If you do, you'll format all of sda which results in a brick
Reboot into twrp and format data in gui
Storage settings only supports 128 and 256gb userdata partitions
Just a cosmetic issue as it'll say that system is taking up the difference
Some other features/notes
Can choose between stock layout, a/b userdata, or a/b/c userdata where 'c' is a common data partition that'll show up in both roms - it's quite handy
Option to choose between ext4 and f2fs
Disables verity - fstabs are modified for dual boot and so this is a must unless you choose stock layout in which case it's optional
Option to disable forced encryption
Option to install magisk
Quickmode for faster rom testing
Failsafe to keep from changing slots automatically when used in conjunction with rom install
Common Data
If you choose a/b/c layout - you'll have a/b userdata, but you'll also get a 3rd userdata partition I call 'Common Data'
The name 'Common Data' gives away its purpose - to store files that you'll access on both slots/roms. So stuff like zips, pictures, music, TWRP backups, etc.
In TWRP, this shows up as another storage option for backup/restore and on your pc as well - your phone will have 'Common Storage' and 'Internal Storage'
In order to be accessible when booted, some parts of the system are modified so that the it'll be accessible WITHOUT root by the following mechanisms:
​
The common data partition is mounted to /sdcard/CommonData
.nomedia file is placed in CommonData so files in it won't be picked up twice if you decide to mount over internal storage as outlined below
Furthermore, if your use case is like mine where my music files are in common data, you can make 'mounts.txt' file in /datacommon containing a list of every FOLDER to mount directly over top of sdcard. So for example:
/datacommon/Music -> /sdcard/Music
This of course mounts over anything there (overwrites it for as long as it's mounted) so make sure that you don't have the same folder in both datacommon and regular data
Note that there are 3 exceptions to this folder mounting rule:
All - if this is the FIRST line, ALL folders in datacommon will be mounted
Android
lost+found
The reasoning should be obvious - lost+found isn't something you should need to mess with and Android is for regular data partition only - that's OS specific and should be on separate slots
Note that you should have 1 folder listed on every line, for example:
PHP:
Music
Pictures
ViPER4AndroidFX
Flashing Instructions (if Android 11, see second post)
You MUST be booted into TWRP already when flashing this zip (you can grab a bootable twrp image from here)
Since this modifies data - the zip CANNOT be on sdcard or data at all UNLESS you do not want to repartition/format
If you flash from data, the zip will copy itself to /tmp and instruct you to flash it from there OR you can just install twrp/magisk/disver-fec
You could do the above or copy it to a place like /dev or /tmp and flash it from there
Alternatively, you can adb sideload it
Read through ALL the prompts - there's lots of options
How to Flash Roms
Nothing changes here except ONLY FLASH IN TWRP
Roms always flash to the opposite slot. Keep that in mind and you'll be fine
So don't take an OTA while booted - boot into twrp, switch slots, reboot into twrp, flash rom
Normal flash procedure:
Boot into twrp
reboot into twrp selecting slot you do NOT want rom installed to
Flash rom
Flash this zip
Reboot into twrp
When using failsafe mode,
TWRP will boot into the slot you were in BEFORE you flashed the rom.
TWRP will almost certainly show the incorrect "current slot" at the reboot menu.
The slot selection buttons still work. If youve kept track in youre head, and the zip didnt fail; pick the correct slot now
or reboot to recovery, then switch into the slot which contains the new rom youve just installed
Flash everything else
Quickmode usage NOT RESPONSIBLE FOR BUGS, BRICKS OR MISTAKES! USE AT OWN RISK!
Change the zip name to enable quickmode options (Case Sensitive!)
keeps current layout
add the words fast or quick in the zip file to enable quickmode with the following default options:
ForceEncryption disabled for both slot
s​
Magisk installed to both slots
add any of the following options to the name of the zipfile to custimize quickmode to your liking, capitilizing the letter of the slot youd like to enable that option for:
fec.ab will ENABLE force encrytion for the capitalized slot letter
su.ab or magisk.ab will ENABLE the installation of magisk for the capitalized slot letter
Example: if the file is named Orangefox-DualBoot-fast-fec.AB-su.aB.zip then:
ForceEncryption will be ENABLED on both slot _a and slot _b
Magisk will be installed on slot _b, but NOT installed on slot _a
ADVANCED USERS ONLY NOT RESPONSIBLE FOR BUGS, BRICKS OR MISTAKES! USE AT OWN RISK!
confirm.y will skip the final confirmation before any work is done, and run the options chosen or defaults if none specified
the word warp this can be used instead of fast or quick and confirm.y if you'd also like to use quickmode without confirmation
Failsafe usage / explaination
I've had a few instances where a rom doesnt agree with whats going on, and the dualboot zip gets stuck on a slot and never finishes. This results in forcing the phone off, and leaves the phone in a non bootable state, with an unprepared slot. Not to mention a stock, or worse, no recovery at all. Bootloop city.
Enter the failsafe option: just add ` nofail ` or ` failsafe ` (case sensitive) to the zip name like above, and the zip will revert the slot change caused by the rom install and keep you able to boot back into the current slot's TWRP so you can sort out the slot youre working on. Pair this with a usb drive or commondata, and youre (relatively) safe to flash on the go, or from your bed with the computer off.
Notes
After applying the failsafe, the reboot screen in TWRP will ALMOST CERTANLY show the incorrect slot until you either manually select a slot or reboot recovery.
This adds a step or two to the flashing process, make sure you've read that.
[/QUOTE]
Help! I Can't Boot!
Usually this is because you switched roms without formatting data first. This should be flashing 101 but we all forget sometimes. Plus this slot stuff can get confusing
If it only happens with a/b/c and not any other layout, there's a good chance it's selinux related. Try setting selinux to permissive at kernel level with this mod (source here).
Click to expand...
Click to collapse
How to Manually Repartition Back to Stock
In the event any step in the repartioning fails, the entire installer aborts. The good news is that this prevents a potential brick. The bad is that you need to manually revert back
Boot into twrp. If sgdisk is not present in sbin, grab it from this zip (in tools) and adb push it to /sbin and chmod +x it
sgdisk /dev/block/sda --print Note that /dev/block/sda is the block that userdata and metadata are stored on - no other block is touched by this mod. This will show up the current partition scheme. Stock looks something like this (on OP7 Pro):
PHP:
Number Start (sector) End (sector) Size Code Name
1 6 7 8.0 KiB FFFF ssd
2 8 8199 32.0 MiB FFFF persist
3 8200 8455 1024.0 KiB FFFF misc
4 8456 8711 1024.0 KiB FFFF param
5 8712 8839 512.0 KiB FFFF keystore
6 8840 8967 512.0 KiB FFFF frp
7 8968 74503 256.0 MiB FFFF op2
8 74504 77063 10.0 MiB FFFF oem_dycnvbk
9 77064 79623 10.0 MiB FFFF oem_stanvbk
10 79624 79879 1024.0 KiB FFFF mdm_oem_dycnvbk
11 79880 80135 1024.0 KiB FFFF mdm_oem_stanvbk
12 80136 80263 512.0 KiB FFFF config
13 80264 969095 3.4 GiB FFFF system_a
14 969096 1857927 3.4 GiB FFFF system_b
15 1857928 1883527 100.0 MiB FFFF odm_a
16 1883528 1909127 100.0 MiB FFFF odm_b
17 1909128 1913223 16.0 MiB FFFF metadata
18 1913224 1945991 128.0 MiB FFFF rawdump
19 1945992 61409274 226.8 GiB FFFF userdata
You may have different size userdata - mine is 256gb - depending on your device but that doesn't matter. You just need to see where they're located
Take note of the number (I'll call userdata_num for the sake of this tutorial) and start sector (userdata_start) for the first partition AFTER rawdump, and the end sector (userdata_end) of the last parititon on sda
sgdisk /dev/block/sda --change-name=17:metadata - renames metadata partition back to non-ab stock
sgdisk /dev/block/sda --delete=19 - this deletes the entire partition - use this command for each user/metadata partition after rawdump (ones generated by this zip)
sgdisk /dev/block/sda --new=$userdata_num:$userdata_start:$userdata_end --change-name=$userdata_num:userdata - this creates the new userdata partition
Final step is to format the new userdata partition: mke2fs -t ext4 -b 4096 /dev/block/sda$userdata_num $userdata_size - where userdata_size can be calculated with this shell command: sgdisk /dev/block/sda --print | grep "^ *$userdata_num" | awk '{print $3-$2+1}'
​
MAKE SURE YOU VERIFY ALL VARIABLES HERE ARE SET PROPERLY - if you mess this up, you could format all of sda resulting in a brick
Run sgdisk /dev/block/sda --print again to make sure everything is correct and then reboot back into twrp
Changelog
Click to expand...
Click to collapse
21/03/2021 - V1.8
Updated companion app to 2.8.7
05/03/2021 - V1.6
Updated init.mount_datacommon.sh to support the application sharing
Updated the dual boot companion app V2.6 BETA
Added mounting inactive system to sdcard/DualBoot/
Added mounting inactive SDcard to sdcard/DualBoot/
EXPERIMENTAL - Added application sharing between ROMs (Only A/B/C Layout)
Localizations update
Minor bugfix here and there.
13/02/2021- V1.5
Updated the dual boot companion app V1.7.2
Updated Orangefox recovery to latest git
06/02/2021- V1.3
Updated the dual boot companion app
Fixed the Orangefox full screen bug on OP7 pro
05/02/2021- V1.1
Added the dual boot companion app
Fixed the OOS11 flashing bug
20/01/2021- V1.0
It works with OxygenOS 11 ( WARNING: --- Stay unencrypted! --)
Magisk 21.4 updated
New version of Orangefox recovery (R11) - 20-01-2021 update
Know bug: Flashing from OOS11 slot can overwrite the same slot.
19/11/2020 - A11-0.4
Fixed root install for Android 11
Minor improvement
21/10/2020 - A11-0.4
Root not installed if Android 11 - Please do it manually.
CommonData mount fix in Android 11
Minor improvement
Android 11: please install Magisk 20422 and MagiskManager 297
16/10/2020 - A11-0.2
Changed to OrangeFox Recovery
Added check to get the right initrc (Android 11 compliant)
16/10/2020 - A11-0.1
Initial release
Click to expand...
Click to collapse
Download
Orangefox-DualBoot-Guac-Unified-A11-V1.8
GitHub
https://github.com/Invernomut0/OrangeFox-DualBoot-Guac-Unified
Telegram support chat: https://t.me/OrangeFoxDualBootRebornOnePlus7
XDA:DevDB Information
Orangefox-DualBoot-Unified, Tool/Utility for the OnePlus 7
Contributors
invernomut0
if you like my work, send me a beer
Click to expand...
Click to collapse

DUALBOOT COMPANION APP
FLASH PROCEDURE - Android 11
Related to Orangefox-DualBoot-Guac-Unified-A11.zip
WARNING: OOS11 --- Stay unencrypted! ---
Example (starting point)
Slot A A10 Rom
Slot B A10 Rom
1 - Flash from slot A A11/OOS11 rom
2 - Flash Orangefox-DualBoot-Guac-Unified-A11.zip
3 - Reboot to recovery (Now you are in slot B automatically)
4 - Format data
5 - Flash Orangefox-DualBoot-Guac-Unified-A11.zip
7 - Reboot to system
Install magisk manager attached
Ending point
Slot A A10 rom
Slot B A11/OOS11 rom
Now you should have a working A10 rom on slot A and a working A11/OOS11 rom on slot B.
Please report any problems.

Reserved

I am on oos a10, rooted, twrp and encrypted... Can i use this for dual boot oos a10 with some custom a11 without having to decrypt/data loss???

kpmohamedhussain said:
I am on oos a10, rooted, twrp and encrypted... Can i use this for dual boot oos a10 with some custom a11 without having to decrypt/data loss???
Click to expand...
Click to collapse
Hi. All your data will be wiped and you have to reinstall both slots OS since this is repartitioning your userdata into A and B so do a Backup of all your data before.

It works great with A10 and A11. I had a little issue because I had A10 on A and B slot and when flashed this, then A11 ROM, rebooted to other slot flashed this again A11 was working great, but when tried to switch back to the slot with A10, after boot my pin wouldn't work anymore, so needed to delete locksettings.* an *.key files from /data/system.
Thanks for the great job!

vladvlad12 said:
It works great with A10 and A11. I had a little issue because I had A10 on A and B slot and when flashed this, then A11 ROM, rebooted to other slot flashed this again A11 was working great, but when tried to switch back to the slot with A10, after boot my pin wouldn't work anymore, so needed to delete locksettings.* an *.key files from /data/system.
Thanks for the great job!
Click to expand...
Click to collapse
Only set a PIN on one of the slots. Otherwise you will have that issue that your PIN does not work anymore on the other slot if you set it on both!!

Does anyone have OOS Open Beta 17 or 18 working with this recovery?

ImamBukhari said:
Does anyone have OOS Open Beta 17 or 18 working with this recovery?
Click to expand...
Click to collapse
I will try it for you, be back in like 10 minutes with edit.
Back, is not working. It stuck at patching fstabs.

vladvlad12 said:
I will try it for you, be back in like 10 minutes with edit.
Back, is not working. It stuck at patching fstabs.
Click to expand...
Click to collapse
Take a look at the recovery.log in /tmp then to check while it is getting stuck.

Wishmasterflo said:
Take a look at the recovery.log in /tmp then to check while it is getting stuck.
Click to expand...
Click to collapse
Ok, just give me a minute, already installed another ROM, will try to give info u asked in a few minutes. Someone told me when i tried to do same with twrp dual boot that twrp can't yet decrypt OOS Beta 17 and 18
IDK what happened but now my touchscrren is not working...
After stuck at patching I rebooted into fastboot changed active slot to other slot, rebooted into recovery, it enter in OrangeFox Recovery but no touch...
Got a bit scared there... Rebooted to system then back to recovery and touch is working now...
But there is no /tmp folder...

vladvlad12 said:
I will try it for you, be back in like 10 minutes with edit.
Back, is not working. It stuck at patching fstabs.
Click to expand...
Click to collapse
Could you please also provide the postition of init.rc. look at /init.rc and check if the file exists.

invernomut0 said:
Could you please also provide the postition of init.rc. look at /init.rc and check if the file exists.
Click to expand...
Click to collapse
Dualboot still no work with oos beta 17 and 18,,its always stuck when patching fstab ( decrypt).
There's init process called High Assurance Boot (HAB) that verify your system's integrity. Check the script "/vendor/etc/init/hw/init.mmi.hab.rc".

This command show many values, which one to pick.
gdisk /dev/block/sda --print | grep "^ *$userdata_num" | awk '{print $3-$2+1}'
edit: typo, worked fine now...

Tried it with Beta 19 and doesn't work with that either

Download link not working - Magisk 20422 and MagiskManager 297

ImamBukhari said:
Tried it with Beta 19 and doesn't work with that either
Click to expand...
Click to collapse
Do you have OP7 or OP7 pro/T?

invernomut0 said:
Do you have OP7 or OP7 pro/T?
Click to expand...
Click to collapse
I'm using a 7 Pro

kpmohamedhussain said:
Download link not working - Magisk 20422 and MagiskManager 297
Click to expand...
Click to collapse
Files restored

Works great, tested with multiple ROMs...
Having below issues
1. Even if pin not setup in secondary ROM, need to delete files otherwise pin in primary is not accepted
2. After every flash of this recovery, all my magisk settings, modules are all lost
3. Images and videos in common data not visible in gallery

[GUIDE] How to unlock and root Xiaomi Redmi 9 (Galahad/Lancelot)

There are some posts on how to root the Xiaomi Redmi 9 (Galahad/Lancelot) phone, but since they have lots of "don't know" phrases (or files of unknown origin), I've managed to do the whole process from scratch.
Lancelot or Galahad​
Basically, the codename for Xiaomi Redmi 9 phone is Lancelot. But when you get shell via ADB, you will see Galahad. This can cause lots of confusion because you may think that Galahad and Lancelot are two different phones. In reality they're the same phone. Moreover, the specs of the Xiaomi Redmi 9 says that the phone has a MT6769T SoC (the info comes from the phone's /proc/cpuinfo). But it looks like the official ROM, TWRP, even CPU-Z treats the phone as if it had the MT6768 SoC. So keep that in mind when you look for some info concerning the phone.
The phone was bought in Europe/Poland last year (the black Friday, 2020) from the official source. Here's some more info:
Code:
galahad:/ # getprop | grep -i model
[ro.product.model]: [M2004J19C]
[ro.product.odm.model]: [M2004J19C]
[ro.product.product.model]: [M2004J19C]
[ro.product.system.model]: [M2004J19C]
[ro.product.vendor.model]: [M2004J19C]
galahad:/ # getprop | grep -i ro.build.version.
[ro.build.version.base_os]: [Redmi/galahad_eea/galahad:10/QP1A.190711.020/V12.0.0.1.QJCEUXM:user/release-keys]
[ro.build.version.incremental]: [V12.0.1.0.QJCEUXM]
[ro.build.version.security_patch]: [2021-01-05]
galahad:/ # getprop | grep -i baseband
[gsm.version.baseband]: [MOLY.LR12A.R3.MP.V98.P75,MOLY.LR12A.R3.MP.V98.P75]
[ro.baseband]: [unknown]
[vendor.gsm.project.baseband]: [HUAQIN_Q0MP1_MT6769_SP(LWCTG_CUSTOM)]
$ fastboot getvar all
...
(bootloader) product: lancelot
...
(bootloader) version-baseband: MOLY.LR12A.R3.MP.V98.P75
(bootloader) version-bootloader: lancelot-2b1e22f-20201123162228-2021011
(bootloader) version-preloader:
(bootloader) version: 0.5
...
The bootloader unlock​
Before you even start thinking of flashing the TWRP image to the Xiaomi Redmi 9 (Galahad/Lancelot) phone, you have to unlock it's bootloader first. It's a straightforward operation, but you need some proper tools to achieve that. If you're using windows, use Mi Unlock, if you're on linux, use xiaomitool. I'm a linux user so I can't help with this process those of you who use windows. If you're going to use xiaomitool, there's a bug in the current version (20.7.28 beta), and you have to patch the source yourself to make it work again. It's not hard. There's an article step by step how to do it. It's in Polish, but all the necessary commands are included so you can just ctrl+c and ctrl+v.
When you unlock the bootloader, you can flash the TWRP image, so make sure you have the following in the Developer options:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The TWRP image​
There are some prebuilt TWRP images in the wild, but I wanted source of the files, and I couldn't get any. But I've managed to target this device tree. I attached the twrp-recovery.img (64MiB) file in this post. It looks like the TWRP image built from that source has everything that's needed, so you won't really have to build it yourself. If you want to build the TWRP image yourself from the provided source, you have to go through setting up the android build environment.
Flashing the TWRP image​
When you have the TWRP image, you can flash it to the Xiaomi Redmi 9 (Galahad/Lancelot) phone using fastboot. On Debian, you just install the fastboot package. To flash the TWRP image, turn off you phone, turn it on using volumeDown+power, plug the phone via USB to your desktop/laptop and issue the following command:
Code:
$ fastboot flash recovery twrp-recovery.img
Remember one thing. This flashing has only a temporary effect. When you boot the device in a normal mode, the recovery partition will be automatically regenerated and flashed by your phone. So when you issue the command above, boot to recovery via:
Code:
$ fastboot reboot recovery
After you boot into TWRP recovery, it will ask for password. This is the password that you use to unlock your phone's lock screen.
Backup the phone's flash​
The temporary TWRP recovery is needed to take the backup of the whole phone's flash. The only partition that has been changed is the recovery partition. Other partitions are intact. In this way, you can backup partitions that hold IMEI, WiFi/BT MACs, and other important stuff. If something goes wrong, you can restore the phone to it's default state (after unlocking) using fastboot and the partition images.
To make the backup of the whole phone's flash, use the following command:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
This command is issued from your desktop/laptop computer, and not from the phone. Of course you could just use the dd command and backup the flash to the external SD card, but my external SD was only 32G, and the phone's flash is 64G. Besides it's better to store the phone's flash on your computer for future use.
The process of taking a backup is rather slow. It took around 2h (14M/s). After it finishes, you can check whether everything with the image is OK by looking into the image using the gdisk tool:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
/dev/block/mmcblk0: 1 file pulled. 14.0 MB/s (62537072640 bytes in 4266.682s)
# gdisk -l /media/Zami/mmcblk0.img
GPT fdisk (gdisk) version 1.0.7
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk /media/Zami/mmcblk0.img: 122142720 sectors, 58.2 GiB
Sector size (logical): 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 122142686
Partitions will be aligned on 16-sector boundaries
Total free space is 61 sectors (30.5 KiB)
Number Start (sector) End (sector) Size Code Name
1 64 131135 64.0 MiB 0700 recovery
2 131136 132159 512.0 KiB 0700 misc
3 132160 133183 512.0 KiB 0700 para
4 133184 174143 20.0 MiB 0700 expdb
5 174144 176191 1024.0 KiB 0700 frp
6 176192 192575 8.0 MiB 0700 vbmeta
7 192576 208959 8.0 MiB 0700 vbmeta_system
8 208960 225343 8.0 MiB 0700 vbmeta_vendor
9 225344 271631 22.6 MiB 0700 md_udc
10 271632 337167 32.0 MiB 0700 metadata
11 337168 402703 32.0 MiB 0700 nvcfg
12 402704 533775 64.0 MiB 0700 nvdata
13 533776 632079 48.0 MiB 0700 persist
14 632080 730383 48.0 MiB 0700 persistbak
15 730384 746767 8.0 MiB 0700 protect1
16 746768 770047 11.4 MiB 0700 protect2
17 770048 786431 8.0 MiB 0700 seccfg
18 786432 790527 2.0 MiB 0700 sec1
19 790528 796671 3.0 MiB 0700 proinfo
20 796672 797695 512.0 KiB 0700 efuse
21 797696 850943 26.0 MiB 0700 boot_para
22 850944 982015 64.0 MiB 0700 nvram
23 982016 998399 8.0 MiB 0700 logo
24 998400 1260543 128.0 MiB 0700 md1img
25 1260544 1262591 1024.0 KiB 0700 spmfw
26 1262592 1274879 6.0 MiB 0700 scp1
27 1274880 1287167 6.0 MiB 0700 scp2
28 1287168 1289215 1024.0 KiB 0700 sspm_1
29 1289216 1291263 1024.0 KiB 0700 sspm_2
30 1291264 1324031 16.0 MiB 0700 gz1
31 1324032 1356799 16.0 MiB 0700 gz2
32 1356800 1360895 2.0 MiB 0700 lk
33 1360896 1364991 2.0 MiB 0700 lk2
34 1364992 1496063 64.0 MiB 0700 boot
35 1496064 1528831 16.0 MiB 0700 dtbo
36 1528832 1539071 5.0 MiB 0700 tee1
37 1539072 1549311 5.0 MiB 0700 tee2
38 1549312 1582079 16.0 MiB 0700 gsort
39 1582080 1844223 128.0 MiB 0700 minidump
40 1844224 2630655 384.0 MiB 0700 exaid
41 2630656 4727807 1024.0 MiB 0700 cust
42 4727808 4744191 8.0 MiB 0700 devinfo
43 4744192 4767743 11.5 MiB 0700 ffu
44 4767744 19447807 7.0 GiB 0700 super
45 19447808 20332543 432.0 MiB 0700 cache
46 20332544 122021823 48.5 GiB 0700 userdata
47 122021824 122109887 43.0 MiB 0700 otp
48 122109888 122142655 16.0 MiB 0700 flashinfo
As you can see, there's the whole flash layout with all the partitions in their stock state (except for the recovery partition, of course). If something goes wrong, you can extract the individual partition by mounting the image on a linux system in the following way:
Code:
# losetup /dev/loop5 /media/Zami/mmcblk0.img
# losetup -a
/dev/loop5: [64769]:12 (/media/Zami/mmcblk0.img)
The above command uses the /dev/loop5 device to mount the image. Since the image has many partitions, the corresponding devices will be created for each partition, which looks like this:
Code:
# ls -al /dev/loop5*
brw-rw---- 1 root disk 7, 320 2021-08-29 02:54:11 /dev/loop5
brw-rw---- 1 root disk 7, 321 2021-08-29 02:54:11 /dev/loop5p1
brw-rw---- 1 root disk 7, 330 2021-08-29 02:54:11 /dev/loop5p10
brw-rw---- 1 root disk 7, 331 2021-08-29 02:54:11 /dev/loop5p11
brw-rw---- 1 root disk 7, 332 2021-08-29 02:54:11 /dev/loop5p12
brw-rw---- 1 root disk 7, 333 2021-08-29 02:54:11 /dev/loop5p13
brw-rw---- 1 root disk 7, 334 2021-08-29 02:54:11 /dev/loop5p14
brw-rw---- 1 root disk 7, 335 2021-08-29 02:54:11 /dev/loop5p15
brw-rw---- 1 root disk 7, 336 2021-08-29 02:54:11 /dev/loop5p16
brw-rw---- 1 root disk 7, 337 2021-08-29 02:54:11 /dev/loop5p17
brw-rw---- 1 root disk 7, 338 2021-08-29 02:54:11 /dev/loop5p18
brw-rw---- 1 root disk 7, 339 2021-08-29 02:54:11 /dev/loop5p19
brw-rw---- 1 root disk 7, 322 2021-08-29 02:54:11 /dev/loop5p2
brw-rw---- 1 root disk 7, 340 2021-08-29 02:54:11 /dev/loop5p20
brw-rw---- 1 root disk 7, 341 2021-08-29 02:54:11 /dev/loop5p21
brw-rw---- 1 root disk 7, 342 2021-08-29 02:54:11 /dev/loop5p22
brw-rw---- 1 root disk 7, 343 2021-08-29 02:54:11 /dev/loop5p23
brw-rw---- 1 root disk 7, 344 2021-08-29 02:54:11 /dev/loop5p24
brw-rw---- 1 root disk 7, 345 2021-08-29 02:54:11 /dev/loop5p25
brw-rw---- 1 root disk 7, 346 2021-08-29 02:54:11 /dev/loop5p26
brw-rw---- 1 root disk 7, 347 2021-08-29 02:54:11 /dev/loop5p27
brw-rw---- 1 root disk 7, 348 2021-08-29 02:54:11 /dev/loop5p28
brw-rw---- 1 root disk 7, 349 2021-08-29 02:54:11 /dev/loop5p29
brw-rw---- 1 root disk 7, 323 2021-08-29 02:54:11 /dev/loop5p3
brw-rw---- 1 root disk 7, 350 2021-08-29 02:54:11 /dev/loop5p30
brw-rw---- 1 root disk 7, 351 2021-08-29 02:54:11 /dev/loop5p31
brw-rw---- 1 root disk 7, 352 2021-08-29 02:54:11 /dev/loop5p32
brw-rw---- 1 root disk 7, 353 2021-08-29 02:54:11 /dev/loop5p33
brw-rw---- 1 root disk 7, 354 2021-08-29 02:54:11 /dev/loop5p34
brw-rw---- 1 root disk 7, 355 2021-08-29 02:54:11 /dev/loop5p35
brw-rw---- 1 root disk 7, 356 2021-08-29 02:54:11 /dev/loop5p36
brw-rw---- 1 root disk 7, 357 2021-08-29 02:54:11 /dev/loop5p37
brw-rw---- 1 root disk 7, 358 2021-08-29 02:54:11 /dev/loop5p38
brw-rw---- 1 root disk 7, 359 2021-08-29 02:54:11 /dev/loop5p39
brw-rw---- 1 root disk 7, 324 2021-08-29 02:54:11 /dev/loop5p4
brw-rw---- 1 root disk 7, 360 2021-08-29 02:54:11 /dev/loop5p40
brw-rw---- 1 root disk 7, 361 2021-08-29 02:54:11 /dev/loop5p41
brw-rw---- 1 root disk 7, 362 2021-08-29 02:54:11 /dev/loop5p42
brw-rw---- 1 root disk 7, 363 2021-08-29 02:54:11 /dev/loop5p43
brw-rw---- 1 root disk 7, 364 2021-08-29 02:54:11 /dev/loop5p44
brw-rw---- 1 root disk 7, 365 2021-08-29 02:54:11 /dev/loop5p45
brw-rw---- 1 root disk 7, 366 2021-08-29 02:54:11 /dev/loop5p46
brw-rw---- 1 root disk 7, 367 2021-08-29 02:54:11 /dev/loop5p47
brw-rw---- 1 root disk 7, 368 2021-08-29 02:54:11 /dev/loop5p48
brw-rw---- 1 root disk 7, 325 2021-08-29 02:54:11 /dev/loop5p5
brw-rw---- 1 root disk 7, 326 2021-08-29 02:54:11 /dev/loop5p6
brw-rw---- 1 root disk 7, 327 2021-08-29 02:54:11 /dev/loop5p7
brw-rw---- 1 root disk 7, 328 2021-08-29 02:54:11 /dev/loop5p8
brw-rw---- 1 root disk 7, 329 2021-08-29 02:54:11 /dev/loop5p9
To extract some partition (for instance the stock boot), use the following command:
Code:
# dd if=/dev/loop5p34 of=./34-stock-boot.img
Extracting any of the partitions from the backup creates a file that can be flashed via fastboot or directly via dd from TWRP recovery. So as long as fastboot (or TWRP recovery) works and you are able to switch to that mode, you shouldn't brick the phone for good. All the bricks should be only temporary and they go away when you flash the stock partitions to the changed ones. So pay attention what changes you commit to the phone's flash.
The Magisk app and a bootloop​
To sum up, we have a backup of the phone's flash on our computer, we have flashed a temp TWRP image to the recovery partition, and we are booted in the TWRP recovery mode. Now it's time to flash Magisk and get root on our Xiaomi Redmi 9 (Galahad/Lancelot) phone.
But not so fast. If you just flashed the Magisk apk file using TWRP, you will get a bootloop. This is because of the Android Verified Boot mechanism, which still works even after you unlock the phone. You can read about this AVB mechanism more here. Basically it's all about the boot partition hashes (and possibly other partition hashes as well) which are allowed by manufacturer of the phone to be valid. So only those boot images that have valid hashes can be used in the boot process of the device. Flashing Magisk changes the boot partition, and in this way the hash of the boot partition changes. So, when you try to boot the phone after you flashed Magisk from the TWRP recovery, it will bootloop. Also you will loose access to the recovery partition, so you won't be able to revert the change you did when you flashed the Magisk app. The only way to restore the phone in such state is to flash the stock boot partition. That's why you should make the phone's whole flash backup. I include the stock boot partition here for those who didn't have the backup, but pay attention that this boot image is for Android10/MIUI12 (see the specs above), and I don't know what will happen if you use the image with different software/firmware/ROM.
Install the Magisk app​
To avoid the unpleasant bootloop situation after flashing the Magisk app, you have to deactivate the AVB mechanism. You do this by flashing the stock vbmeta partition using fastboot, i.e. the following command:
Code:
# dd if=/dev/loop5p6 of=./6-stock-vbmeta.img
$ fastboot --disable-verity --disable-verification flash vbmeta 6-stock-vbmeta.img
You can proceed with flashing the Magisk app only after you disable the AVB mechanism.
If your phone restored the stock recovery, flash once again the TWRP recovery, and boot into the recovery mode. Download the most recent Magisk app, currently Magisk-v23.0.apk. Yes, I know it's an APK file, and yes, you have to flash the APK file via TWRP recovery. You're going to see some messages about repacking the stock boot and flashing it.
This is the step when the phone stops rewriting the custom recovery partition. So, after installing the Magisk app, the TWRP recovery will be persistent, and you won't have to flash it again.
After flashing the APK file, you have to boot to the phone's OS in order to finish installing Magisk (the OS part/app). You'll be prompted to do this step, so follow what it says and ultimatelly you get the Magisk installed:
SafetyNet​
The next thing is to open the Magisk App. After this, check the SafetyNet. It should fail. Go to the options and "Hide the Magisk app". You also have to activate MagiskHide. After this, check the SafetyNet again. It should pass now.
So now you have the root access on your Xiaomi Redmi 9 (Galahad/Lancelot) and also it passes the SafetyNet.
This HOWTO should work for the Xiaomi Redmi 9 (Galahad/Lancelot) phones, but I'm not sure whether I forgot to mention about something. Anyways, if you have any questions, or something doesn't work, ask.

Wow,realy great guide,good written and all infos are there,not bad!!!Cheers!!!

I fixed some spelling mistakes, now it should be easier to read.

Thanks a lot for this great guide.
Small problem here though ;-)
Entering
$ fastboot reboot recovery
leads to:
fastboot: usage: unknown reboot target recovery
Looking at fastboot --help there is no such parameter. Either bootloader or emergency (the latter doesn't work)
Thanks in advance - Chris

It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?

morfikov said:
It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?
Click to expand...
Click to collapse
Thank you, morfikov - that was it. Mine was nearly 12 years old :-D
Everyone else facing this issue: latest SDK Platform Tools always under https://developer.android.com/studio/releases/platform-tools
Thanks again for your fabulous guide!

Great guide! I even managed to compile latest TWRP from the devicetree you linked. The only thing that I would add is that I had to use losetup -fP <name>.img. The "P" flag forces the loop device to display partitions and "f" just takes the first available device. As for magisk, I had to use the Didgeridoohan's MagiskHide Props Config module in order to pass CTS check. I just had to "Force BASIC key attestation" using the default value "galahad". I suspect that has to do with the fact that i'm running latest EEA rom (Android 11), other than that I use the same phone - European version bought in Poland

morfikov said:
The process of taking a backup is rather slow. It took around 2h (14M/s)
Click to expand...
Click to collapse
You might have been using a USB 2.0 port.
It is advised that you use a USB 3.x Port. Throughput here was: 146.5 MB/s. It took around 10-15 Minutes.
Maybe you want to put that advise in your guide..

Another tipp which makes the the deavtivation of the AVB mechanism and flashing the stock vbmeta partition using fastbootmuch easier, fast - and also suitable to Windows machines. It takes all together only 2-3 minutes then:
When you're in TWRP after the first flash, instead of pulling the complete image of your Redmi 9 (which is not bad at all, but the image is not loadable under Win machines), you use the means of TWRP:
In TWRP you enter the section "Backup"
There you select the storage "Micro SD card"
In the list of partitions to be backed up ONLY select "vbmeta". It's only 8 MB. (This only takes a few seconds and requires not more than 9MB on your SD card ;-) )
Then "Swipe to Backup"
After that you stay in TWRP
Then you copy the tiny backup to your adb/fastboot folder on the PC (as you're in TWRP, you have full access):
Copy from your phone the files from Redmi's "External_SD/TWRP/BACKUPS/Redmi_9/<current date/time/ID>" to your adb/fastboot folder on the PC:
vbmeta.emmc.win
vbmeta.emmc.win.sha2
(recovery.log is not needed, it only contains the console output)
Within TWRP go back to the main menu and select "Reboot" and select "Fastboot"
The Smartphone reboots into TWRP / Fastboot mode
Now from the PC you turn the the AVB mechanism off by flashing:
$ fastboot --disable-verity --disable-verification flash vbmeta vbmeta.emmc.win
Now you continue with the guide above - reflashing TWRP & booting in Recovery:
$ fastboot flash recovery twrp-recovery.img
$ fastboot reboot recovery
In TWRP back again, now flash Magisk-vXY.Z.apk and reboot to System after that (to clean Cache & Dalvik is not a bad idea).
The flash of TWRP is now permanent (can be entered anytime from device off --> Press and hold Power and Volume up buttons)

It's weird that windows still can't mount such images.

Any tip for me?
I have J19AG (lancelot at first). The problem is that I can't fix broken Google Play Protect on other roms than EEA. This phone came with EEA rom which had GPP. Then I unlocked bootloader and flashed non EEA rom. I have tried TR, ID, IN, RU fastboot roms but none worked with GPP.
Im now on ID rom and trying to fix it using Magisk modules to change props. But neither galahad or lancelot worked for Force Basic Key attestation. After changing galahad to lancelot my base_os prop is empty. Magisk CTS check is still failed.
Code:
[ro.build.version.all_codenames]: [REL]
[ro.build.version.base_os]: []
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [V12.0.3.0.QJCIDXM]

I would suggest you to restore the phone stock state with fastboot ROM. You can find some here:
Download: MIUI 12 stable update rolling out to several Xiaomi, Redmi and POCO devices
MIUI 12 stable builds have begun rolling out to several Xiaomi, Redmi, and POCO devices. Head on over for Recovery ROM and Fastboot ROM download links!
www.xda-developers.com

No I do not want this.
I asked some certain question.
I know exactly what I'm doing and have skills for that.
My goal was to have galahad with rom other than EEA with Google Play protect on.
Currently only EEA <-> Galahad is possible. ID, TW, TR rom have no Google Play protect when unlocked or locked bootloader on galahad (Redmi 9 with NFC).
The trick is to fix Google Play protect with Magisk and TWRP. But above methods didnt work for me.

I have no knowledge on this subject, so I can't help you with this.

Hello.
I'm having a problem using the losetup command. After using
sudo losetup /dev/loop3 mmcblk0.img
and checking out the partitions created with
[I]ls -al /dev/loop3*[/I]
I only get ...
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop
When checking mmcblk0.img with command
[I]gdisk -l mmcblk0.img[/I]
I get the same as you.
I understand that losetup doesn't create the partitions other than one so I can't extract anyone in particular. Am I doing something wrong. I'm using an updated Ubuntu 20.04.
Thanks for your help.

Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64

morfikov said:
Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64
Click to expand...
Click to collapse
After using the first command I get
modprobe: FATAL: Module loop is builtin.
The second one doesn't display anything.
Then again when using ls -al /dev/loop3* I get
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop3

Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.

morfikov said:
Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.
Click to expand...
Click to collapse
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.

lotiopep said:
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.
Click to expand...
Click to collapse
Finally it worked! Thanks!

PX5 Maskrom flash error prepare idb fail

Hello folks,
I've been fighting for three days with my PX5 board from my Xtrons radio.
As the first I tried to flash the core board with OTP USB cable with Android 10.
First I did it with the loader that I connected to the RK Dev Tool and then I clicked on RUN!
Everything went to the end without Fefler. Log file here:
20:27:03 217 RKDevTool v2.7.1.0 start run
20:29:23 860 RKDevTool v2.7.1.0 start run
20:38:00 243 Layer<>: RunProc is ending, ret=0
21:14:18 490 Layer<>: RunProc is ending, ret=0
21:25:10 623 RKDevTool v2.7.1.0 start run
21:33:09 243 RKDevTool v2.7.1.0 start run
22:20:46 879 Layer<1-4>:Test Device Start
22:20:46 886 Layer<1-4>:Test Device Success
22:20:46 890 Layer<1-4>:Check Chip Start
22:20:46 895 Layer<1-4>: Check Chip Success
22:20:46 899 Layer<1-4>:Get FlashInfo Start
22:20:46 902 <LAYER 1-4> INFO:FlashInfo: 00 00 A4 03 00 04 04 00 28 00 01
22:20:46 906 <LAYER 1-4> INFO:GetFlashInfo-->Emmc storage.
22:20:46 911 Layer<1-4>:Get FlashInfo Success
22:20:46 915 Layer<1-4>repare IDB Start
22:20:46 918 <LAYER 1-4> INFO:CS(1) (29824MB) (SAMSUNG)
22:20:46 929 Layer<1-4>repare IDB Success
22:20:46 931 Layer<1-4>ownload IDB Start
22:20:47 056 Layer<1-4>ownload IDB Success
22:20:47 058 Layer<1-4>:Wait For Loader Start
22:20:47 633 Layer<1-4>:Wait For Loader Success
22:20:47 635 Layer<1-4>:Test Device Start
22:20:47 641 Layer<1-4>:Test Device Success
22:20:47 649 Layer<1-4>: Download gpt...
22:20:47 666 Layer<1-4>: Download uboot at 0x00004000...
22:20:47 848 Layer<1-4>: Download trust at 0x00006000...
22:20:48 007 Layer<1-4>: Download misc at 0x00008000...
22:20:48 020 Layer<1-4>: Download dtbo at 0x0000c000...
22:20:48 030 Layer<1-4>: Download vbmeta at 0x0000e000...
22:20:48 044 Layer<1-4>: Download boot at 0x0000e800...
22:20:49 208 Layer<1-4>: Download recovery at 0x0001e800...
22:20:51 116 Layer<1-4>: DownloadSparse super at 0x00150c00...
22:20:51 116 INFOownloadSparseImage-->erase start,file=..\rockdev\Image\super.img,unsparse=9437184,partition=9437184
22:20:53 460 INFOownloadSparseImage-->write sparse start,total_chunk=3084
22:22:08 987 Layer<1-4>: DownloadSparse oem at 0x00a50c00...
22:22:08 987 INFOownloadSparseImage-->erase start,file=..\rockdev\Image\oem.img,unsparse=2097152,partition=2097152
22:22:09 435 INFOownloadSparseImage-->write sparse start,total_chunk=14
22:22:12 927 Layer<1-4>: RunProc is ending, ret=1
22:25:41 358 Layer<>: RunProc is ending, ret=0
Click to expand...
Click to collapse
Then I unplugged the USB cable and I no longer have a connection.
Today I tried again and with the help of short circuits from contact to ground and I have Maskrom connection.
Like HERE
Then I clicked on erase under UPDATE FIRMWARE and everything went to the end without any problems. Then I tried to UPDATE the appropriate inage but keep getting the error "prepare idb fail" and connection are lost.
Can someone help me?
Does anyone have what idea how do I get ahead?
thanks

Try different versions of rktool, Ive experienced this problem before.

Unfortunately does not help! I tried with 3-4 versions of rktool and also with RockChip_Batch_Tool_v1.8.
Always the same.

I would try two different thing, first see if you have a USB 2 only port and test using that one, second trick that has worded many times for me is using a VM under virtualbox, i find the client(1/2 cpu's only) being a little slower helps and setting usb 2 under settings.
darkspr1te

Hello people,
I reinstalled my core board, but without an operating system it is practically empty.
Then the radio switched on and booted from SD card with Android 10 installation.
The radio boots from the SD card and the display shows ANDROID 10 lettering and then the Androird 10 is being installed and "the circle" can be seen.
After a short time you can see Android male on the display and it says "ERROR".
Then the picture below appears.
What does that mean?
And what am i doing wrong?

vouager said:
Hello people,
I reinstalled my core board, but without an operating system it is practically empty.
Then the radio switched on and booted from SD card with Android 10 installation.
The radio boots from the SD card and the display shows ANDROID 10 lettering and then the Androird 10 is being installed and "the circle" can be seen.
After a short time you can see Android male on the display and it says "ERROR".
Then the picture below appears.
View attachment 5426343
What does that mean?
And what am i doing wrong?
Click to expand...
Click to collapse
While I have never had sent to me a SOM with defective storage, it's entirely possible. Every SOM sent to me was recoverable.
You're welcome to send the SOM to me in New Zealand with return freight. No cost other than freight.

Hello marchnz ,
Thank you for your offer, but unfortunately because of our distance and postage costs it does not pay off that I send you the part to NZ.
I bought a new PX5 and my radio works again.
1 week ago everything was ok with the old PX5 and worked perfectly with Android 9
Then I tried to install Android 10 and this mistake happened.
think I'm doing something wrong.
Maybe I have to format flash memory first, but how? Or do I need special files.
I don't want to give up on that part, especially because of my job as an electronics technician and of pure curiosity.
If you can help me in any way it will be great. But shipping and returning really doesn't pay off.
Thanks,

At least it happens to you about test devices, I always fail, I don't know what to do anymore, we have the same board.
Could you upload the files you have to see if I have something that I should not or how you tried to flahse it.
What is a new plate worth and where did you get it? Sorry for my English I use the google translator. greetings from Spain

i have this case, i try lot of many things but nothing happen. so i try plug usb to other port on my computer and it's work. so i think, may be it have some trouble on usb port. or please try on other computer or laptop