Mi pad 4: list of partitions in - Xiaomi Mi Pad 4 Guides, News, & Discussion

Hi. I prepared a list of all partitions on the Mi Pad 4 created by Xiaomi in MIUI 10. I looked in the XDA forum for descriptions. What I found I added as comments to the list.
Code:
clover:/ # parted /dev/block/mmcblk0 p
Model: MMC DH6DAB (sd/mmc)
Disk /dev/block/mmcblk0: 62.5GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 67.1MB 70.8MB 3670kB xbl (TWRP:xbl)
2 70.8MB 74.4MB 3670kB xblbak
3 74.4MB 78.6MB 4194kB tz [Firmware] [] (TWRP:Tz)
4 78.6MB 82.8MB 4194kB tzbak [Firmware] [backup]
5 82.8MB 83.4MB 524kB rpm [Firmware] [ ] (TWRP:Rpm)
6 83.4MB 83.9MB 524kB rpmbak [Firmware] [backup]
7 83.9MB 84.4MB 524kB hyp [Firmware] [ ]
8 84.4MB 84.9MB 524kB hypbak [Firmware] [backup]
9 84.9MB 85.5MB 524kB pmic (TWRP:pmic)
10 85.5MB 86.0MB 524kB pmicbak
11 86.0MB 88.1MB 2097kB fsg [FSG backup] (TWRP:fsg)
12 134MB 201MB 67.1MB boot [Kernel] (TWRP:Boot)
13 201MB 3423MB 3221MB ext4 system [OS] (TWRP:System)
14 3423MB 5570MB 2147MB ext4 vendor [Treble] (TWRP:Vendor)
15 5570MB 5571MB 1049kB keymaster [Firmware] [backup] (TWRP:keymaster)
16 5571MB 5572MB 1049kB keymasterbak [Firmware] [backup]
17 5572MB 5573MB 1049kB cmnlib [Firmware] [ ] (TWRP:cmnlib)
18 5573MB 5574MB 1049kB cmnlib64 [Firmware] [ ] (TWRP:cmnlib64)
19 5574MB 5575MB 1049kB cmnlibbak [Firmware] [backup]
20 5575MB 5576MB 1049kB cmnlib64bak [Firmware] [backup]
21 5576MB 5581MB 4194kB mdtpsecapp
22 5581MB 5585MB 4194kB mdtpsecappbak
23 5585MB 5618MB 33.6MB mdtp [Firmware] [ ]
24 5618MB 5652MB 33.6MB mdtpbak [Firmware] [backup]
25 5652MB 5920MB 268MB fat16 modem msftdata
26 5920MB 6189MB 268MB fat16 modembak
27 6189MB 6205MB 16.8MB ext4 dsp [Firmware] [ ] (TWRP:dsp)
28 6205MB 6222MB 16.8MB ext4 dspbak
29 6222MB 6223MB 1049kB abl
30 6223MB 6224MB 1049kB ablbak
31 6224MB 6225MB 1049kB dip [ ]
32 6225MB 6225MB 4096B devinfo [UnlockToken] (TWRP:devinfo)
33 6225MB 6226MB 262kB apdp [ ] (TWRP:apdp)
34 6226MB 6226MB 262kB msadp [ ] (TWRP:msadp)
35 6226MB 6226MB 1024B dpo [ ]
36 6226MB 6260MB 34.2MB splash [SplashScreen] (TWRP:Splash)
37 6260MB 6260MB 4096B limits [ ]
38 6260MB 6261MB 1049kB toolsfv
39 6308MB 6317MB 8389kB logfs
40 6375MB 6376MB 1049kB ddr [Firmware] []
41 6376MB 6376MB 16.4kB sec [ ]
42 6376MB 6377MB 1049kB bluetooth (TWRP:Bluetoth)
43 6377MB 6379MB 1049kB bluetoothbak
44 6442MB 6442MB 1024B fsc [ ]
45 6442MB 6442MB 8192B ssd [ ]
46 6442MB 6445MB 2097kB modemst1 [EFS]
47 6445MB 6447MB 2097kB modemst2 [EFS]
48 6447MB 6480MB 33.6MB ext4 persist [Persist] [Sensors] (TWRP:Persist)
49 6480MB 6749MB 268MB ext4 cache [Cache] (TWRP:Cache)
50 6749MB 6750MB 1049kB misc [ ]
51 6750MB 6817MB 67.1MB recovery [Recovery] (TWRP:Recovery)
52 6817MB 6817MB 524kB keystore [ ]
53 6817MB 6818MB 1049kB devcfg [ ] (TWRP:devcfg)
54 6818MB 6819MB 1049kB devcfgbak
55 6819MB 6820MB 524kB frp [FactoryResetProtection lock]
56 6820MB 6887MB 67.1MB logdump
57 6887MB 6889MB 2097kB sti
58 6912MB 6912MB 131kB storsec
59 6979MB 7114MB 134MB rawdump
60 7114MB 7114MB 65.5kB vbmeta
61 7114MB 7114MB 65.5kB vbmetabak
62 7181MB 8053MB 872MB ext4 cust [Cust] [Blootware] (TWRP:cust)
63 8053MB 8087MB 34.2MB logo
64 8087MB 62.5GB 54.4GB userdata [UserData] (TWRP:Data)
[Firmware] - These partitions contain firmware files. These partitions are updated when you flash a new ROM.
[Backup] - These are backup partitions which store backup files of the original partitions. The user can use these partitions in case the original partitions are messed up. These partitions are also updated when you flash a new ROM.
[UnlockToken] - This is the partition where the unlock state of the bootloader is stored. This partition is updated when you use the Mi Unlock tool to unlock the bootloader. This partition changes with the change of the bootloader. If the bootloader is changed, this partition must be recreated using the Mi Unlock tool.
[Persist] - This partition contains all the sensor calibration; without this partition no sensor will be displayed. Not even the rotation sensor will work. This partition does not affect GPS, WiFi or Bluetooth.
[Cust] - This partition contains some more bloatware apps distributed by Xiaomi. The cust partition consists of copies of apps and language packs that get installed per region on first boot or when the user changes region (country).
[EFS] - Now this is the most important partition. This partition contains all the unique identification of your device, like your IMEI, MAC address, Bluetooth address and some other stuff. This partition is very complex and updates on every flashing. So it is mandatory to create a backup of this partition.
[ ] - These partitions are unknown and are created automatically during first boot. Erasing these partitions seems to do nothing.
(TWRP:Name) - partition name in TWRP
Unidentified TWRP partitions: Systemimage, Firmware, Vendorimage, EFS, hvp,

Yeah, I need to download the backup files, where is the link?

need backup
Hi, I need backup, fsg modem1 modem2 please.

Guys, I took a backup of modemst1, modemst2, and fsg. I got these partitions from the MiPad4 LTE version. Here is the link if anyone needs it. https://yadi.sk/d/d5yMpHxAC7fPng

Hi, I have a mi pad 4 LTE which I can't turn on the radio and is stuck with no service.
Any idea how I can fix this? Already tried wiping modemst1 and modemst2 but no luck.

Try flashing, not wiping.
You can also try to flash the package with the firmware from the MIUI ROM you had by default: https://osdn.net/projects/xiaomifirmwareupdater/storage/Stable/V10/clover/

320x200 said:
Hi, I have a mi pad 4 LTE which I can't turn on the radio and is stuck with no service.
Any idea how I can fix this? Already tried wiping modemst1 and modemst2 but no luck.
Unfortunately, Mipad 4 doesn't support 3G bands. It only works with LTE. If you don't have LTE coverage in your area, it shows no signal. That could be a problem. Also, try to flash modemst1,modemst2, and fsg again. You should've flashed it again instead of swiping.

Hello, I have a problem with the persist partition, screen rotation doesn't work... Where can I find it for reflashing?

I recently flashed to MiUI 11 and my persist tends to be stuffed too. Rotation works but is out by 180 degrees. I didn't format the partition or anything just normal TWRP installation. I have flashed with stock Chinese etc still does the same thing. Please can someone help, driving me crazy. Thanks

lemonised said:
I recently flashed to MiUI 11 and my persist tends to be stuffed too. Rotation works but is out by 180 degrees. I didn't format the partition or anything just normal TWRP installation. I have flashed with stock Chinese etc still does the same thing. Please can someone help, driving me crazy. Thanks
I restored this backup of Persist in TWRP and fixed my problems with the accelerometer. You can try it, maybe it works for you too.
https://mega.nz/#F!UMsDgQaK!reujB4FPcVzvFnrVF53VIw
P.S. It's not for flashing! Decompress it and restore it via TWRP backup restore!
Sent from my Mi 9T Pro using Tapatalk

Thanks will give a try
---------- Post added at 02:49 PM ---------- Previous post was at 02:25 PM ----------
motes said:
I restored this backup of Persist in TWRP and fixed my problems with the accelerometer. You can try it, maybe it works for you too.
https://mega.nz/#F!UMsDgQaK!reujB4FPcVzvFnrVF53VIw
P.S. It's not for flashing! Decompress it and restore it via TWRP backup restore!
It works...PERFECTLY Thanks so much!

lemonised said:
Thanks will give a try
---------- Post added at 02:49 PM ---------- Previous post was at 02:25 PM ----------
It works...PERFECTLY Thanks so much!
Great!

motes said:
Great!
So just an update. I flashed with "Xiaomi EU MIUI11 11.0.2.0 Pie for Mi Pad 4 Plus.zip" and the rotation gets messed even if I backup and restore your persist partition. I have to install "xiaomi.eu_multi_MIPAD4_9.8.29_v10-8.1.zip" and then restore your persist partition and things work fine again so it appears either way the MiUI11 ROM is buggy. Good thing your persist works though.

lemonised said:
So just an update. I flashed with "Xiaomi EU MIUI11 11.0.2.0 Pie for Mi Pad 4 Plus.zip" and the rotation gets messed even if I backup and restore your persist partition. I have to install "xiaomi.eu_multi_MIPAD4_9.8.29_v10-8.1.zip" and then restore your persist partition and things work fine again so it appears either way the MiUI11 ROM is buggy. Good thing your persist works though.
Yes, same problem... I don't know if the dev is going to fix it... Btw the persist is not mine, a guy on the miui11 thread posted it!

Hi
Hi, I need an EFS backup for Mi Pad 4 Plus and Mi Pad 4, please. Thank you.
After I installed a rom, the tablet had a problem rotating, then followed a tutorial that moved the files in this folder. After that the rotation was even better, but the WIFI network goes down all the time, I've tested other devices that I have here and they don't fall, only in my two mi pad 4 and mi pad 4 plus in which I did these procedures. Help me please. If I reset the original files, is everything back to normal? I can not take it anymore.

motes said:
I restored this backup of Persist in TWRP and fixed my problems with the accelerometer. You can try it, maybe it works for you too.
https://mega.nz/#F!UMsDgQaK!reujB4FPcVzvFnrVF53VIw
P.S. It's not for flashing! Decompress it and restore it via TWRP backup restore!
This link is not working. I need this file. Somebody help me!

I need persist backup file for mi pad 4. This link above is not working. Somebody help me please!

Related

[Q] My device (16GB) seems to be completely broken and ID in adb is 0000000000000000

Unfortunately, I don't have a backup of mmcblk0p5, but even if I try (out of desperation) to flash someone else's mmcblk0p5, ID doesn't change from zeros. I managed to run CM7 from external sdcard, but installing CM onto mmc doesn't seem to work.
Ubuntu Total Reflash from this forum flashed all successfully, but failed on recovering stage and since then it just bootloops to that point (boot -> factory reset fails -> reboot).
Now trying to flash stock ROM 1.4.0, but don't think it'll work. Any advice?
P.S. Now found something strange: mmcblkp7 (seventh partition) is gone, and that seems to repeat after every recovery option I try.
Code:
Number Start (sector) End (sector) Size Code Name
1 256 511 128.0 KiB 8300 xloader
2 512 1023 256.0 KiB 8300 bootloader
3 1024 31743 15.0 MiB 8300 recovery
4 32768 65535 16.0 MiB 8300 boot
5 65536 163839 48.0 MiB 8300 rom
6 163840 262143 48.0 MiB 8300 bootdata
8 1019904 2273279 612.0 MiB 8300 system
9 2273280 3145727 426.0 MiB 8300 cache
10 3145728 5242879 1024.0 MiB 8300 media
11 5242880 30535639 12.1 GiB 8300 userdata
UPD.: Paste from parted's print after I create partition 7 (factory):
Code:
(parted) print
print
Model: MMC SEM16G (sd/mmc)
Disk /dev/block/mmcblk0: 15.9GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
1 131kB 262kB 131kB xloader
2 262kB 524kB 262kB bootloader
3 524kB 16.3MB 15.7MB recovery
4 16.8MB 33.6MB 16.8MB boot
5 33.6MB 83.9MB 50.3MB rom
6 83.9MB 134MB 50.3MB fat32 bootdata
7 134MB 522MB 388MB ext4 factory
8 522MB 1164MB 642MB ext4 system
9 1164MB 1611MB 447MB ext4 cache
10 1611MB 2684MB 1074MB fat32 media
11 2684MB 15.6GB 12.9GB ext4 userdata
Your NT's factory installed device info (ProductID, manufactured data, etc.) and individual device data (serial no., MAC address, security encryption keys, etc.) are stored in p5 and p7, if you reformatted these two partitions all that info was wiped out and the individual device data can't be replaced with data from another NT. See http://forum.xda-developers.com/showpost.php?p=37515697&postcount=31 for more details.
digixmax said:
Your NT's factory installed device info (ProductID, manufactured data, etc.) and individual device data (serial no., MAC address, security encryption keys, etc.) are stored in p5 and p7, if you reformatted these two partitions all that info was wiped out and the individual device data can't be replaced with data from another NT. See http://forum.xda-developers.com/showpost.php?p=37515697&postcount=31 for more details.
Oh, that's unfortunate. I didn't wipe it by myself, it just suddenly got stuck after I got ~4% of battery charge the other day. Can I do something for it?
P.S. Or, if nothing can be done, what's the most simplistic/minimalistic yet full-[stock]-feature ROM for sdcard available? Disregarding Android version.
digixmax said:
Your NT's factory installed device info (ProductID, manufactured data, etc.) and individual device data (serial no., MAC address, security encryption keys, etc.) are stored in p5 and p7, if you reformatted these two partitions all that info was wiped out and the individual device data can't be replaced with data from another NT. See http://forum.xda-developers.com/showpost.php?p=37515697&postcount=31 for more details.
Huh, seems like I did it. I even can't recall all the steps I performed, but it included just little more messing up with gdisk/parted, trying to wipe all data and caches through CWM and install CM10.1, but that failed as usually, so I just uploaded Veronica's mmcblk0p5 again, then I thought "wtf, let's give it another try" and applied Ubuntu Total Reflash procedure and it worked! All of a sudden, I have my factory-state Nook (saying nothing about case cracks and fractures ^_^).
So, now I'm going to share link to this post with all the people I think are relevant to this question and ask them: is that normal? Can I try to flash CM 10.1 now without *too much* risk of getting my dear brick again? Thanks in advance.
UPD: Checked ID, MAC and so on - seems to be different from 00...0, but I'm not sure whether it's still unique (I reckon that they are like Veronica's now).
UPD2: Installed CM 10.1 rather successfully. I guess, someone can add to FAQ that even with broken mmcblk0p5 one still could help himself.

Need help getting moto e partition block start and ending block

Hello.
Does anyone know anything about the partition table for Moto E XT1021 or XT1022?
I am trying to make a singleboot file for Moto E. I tried the qboot utility to unbrick my Moto E but failed, because the qboot utility I downloaded is packed with the Moto G singleimage.bin and programmer.
I tried making singleimage.bin by comparing the Moto G file, but I failed.
Maybe the Moto E XT1021 or XT1022 partition table block addresses may help to get my phone back from hardbrick.
If anyone has information about the starting and ending blocks of the partitions, then share it with me.
hiten7236 said:
Hello.
Anyone know anything about partition table for moto e xt1021 or xt1022.
I am trying to make singleboot file for moto e i tried qboot utility to unbrick my moto e but fail because of that qboot utility i downloaded is packed with moto g singleimage.bin and programer.
I am tried making singleimage.bin by comparing moto g file but i failed.
May be moto e xt1021 or xt1022 partition table block address may help to get my phone back from hardbrick
If anyone has information about starting and ending block of partition than share with me.
Here you go:
Number Start End Size File system Name Flags
1 131kB 67.2MB 67.1MB ext4 modem
2 67.2MB 67.8MB 524kB sbl1
3 67.8MB 67.8MB 32.8kB DDR
4 67.9MB 68.4MB 524kB aboot
5 69.4MB 69.6MB 205kB rpm
6 69.9MB 70.4MB 410kB tz
7 70.5MB 70.5MB 32.8kB sdi
8 70.5MB 71.0MB 524kB utags
9 71.0MB 73.1MB 2097kB logs
10 73.1MB 75.5MB 2388kB padA
11 75.5MB 76.0MB 524kB abootBackup
12 77.0MB 77.2MB 205kB rpmBackup
13 77.5MB 78.0MB 410kB tzBackup
14 78.1MB 78.1MB 32.8kB sdiBackup
15 78.1MB 78.6MB 524kB utagsBackup
16 78.6MB 79.7MB 1077kB padB
17 79.7MB 81.3MB 1573kB modemst1
18 81.3MB 82.8MB 1573kB modemst2
19 82.8MB 83.3MB 500kB hob
20 83.3MB 83.4MB 32.8kB dhob
21 83.5MB 85.1MB 1573kB ext2 fsg
22 85.1MB 85.1MB 1024B fsc
23 85.1MB 85.1MB 8192B ssd
24 85.1MB 86.1MB 1049kB sp
25 86.1MB 86.3MB 131kB cid
26 86.3MB 89.4MB 3146kB ext3 pds
27 89.4MB 93.6MB 4194kB logo
28 93.6MB 97.8MB 4194kB clogo
29 97.9MB 106MB 8389kB ext4 persist
30 106MB 107MB 524kB misc
31 107MB 117MB 10.4MB boot
32 117MB 128MB 10.5MB recovery
33 128MB 604MB 476MB ext4 cache
34 604MB 1544MB 940MB ext4 system
35 1544MB 1552MB 8389kB kpan
36 1552MB 3908MB 2357MB ext4 userdata
I have made it unbricked..
Soon I'll post it with tool
hiten7236 said:
I have made it unbricked..
Soon i'll post it with tool
Wow! That's great. I've a hard bricked Moto E and have been working on a project to unbrick it.
Eagerly waiting for your upcoming thread...
hiten7236 said:
I have made it unbricked..
Soon i'll post it with tool
dude you said the same thing long time ago and still nothing.
I am out of station..
I am not at home.
hiten7236 said:
I am out of station..
I am not at home.
Please share at least the steps of how you used that partition table to unbrick; we will do it and help them too. Please, it's a request. @hiten7236
---------- Post added at 10:53 AM ---------- Previous post was at 10:06 AM ----------
206bone said:
Wow! That's great. I've a hard bricked Moto E and have been working on a project to unbrick it.
Eagerly waiting for your upcoming thread...
any success bro?
Help us bro
Bro, can you please share the method here.
hiten7236 said:
I have made it unbricked..
Soon i'll post it with tool
Hello everyone, You need to prepare sdcard to brick your phone and boot your phone from sdcard. You have to create sdcard as same as emmc, like gpt drive. Your phone can boot from sdcard.

[GUIDE][TREBLE][LG-F400]Create a vendor partition & Let your LG-F400 support treble

Code:
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/
Create a vendor partition for LG-F400 & Flash TWRP Recovery support treble
[Author]: Cyborg2017 (Cyborg Yang)
Github: https://github.com/Cyborg2017
Email: [email protected]
Telegram: https://t.me/Cyborg2017
[Device Tree]:
https://github.com/lge-devs/twrp_treble_device_lge_f400
[Download]: TWRP Recovery support treble:
https://androidfilehost.com/?fid=1395089523397899645
[Guide PDF]:
https://www.androidfilehost.com/?fid=1395089523397899658
[Preparation]:
You need to flash twrp_recovery_treble_f400.img (which I provided);
Restart to the twrp recovery interface.
[Start](Make sure you do the following in the twrp recovery support treble interface):
1.
Code:
$ adb devices
2.
Code:
$ adb shell
3.
Code:
~# parted /dev/block/mmcblk0
4.
Code:
(parted) Unit MB // Set the unit to “MB”
5.
Code:
(parted) p // Print partition information
6.
Code:
(parted) rm 41 // delete “/cache”
7.
Code:
(parted) rm 42 //delete “/userdata”
8.
Code:
(parted) rm 43 //delete “/grow”(no use)
9.
Code:
(parted) mkpartfs 41 // create “/cache”
Code:
File system type? [ext2]? (Enter) 
Start? 2953
End? 3142
10.
Code:
(parted) mkpartfs 42 // create “/userdata”
Code:
File system type? [ext2]? (Enter)
Start? 3142
End? 30568
11.
Code:
(parted) mkpartfs 43 // create “/vendor”
Code:
File system type? [ext2]? (Enter)
Start? 30568
End? 31269
12.
Code:
(parted) name 41 cache
13.
Code:
(parted) name 42 userdata
14.
Code:
(parted) name 43 vendor
15.
Code:
(parted) p // means “print”
16.
Code:
(parted) q // means “quit”
17.
Code:
~ # reboot recovery // reboot into twrp recovery
18. Restart your phone into TWRP RECOVERY (provided by me):
(1) Repair or convert file system: Convert file system: EXT4;
(2) Convert cache, data, and vendor partition to EXT4; 
19. Congratulations! Your device already supports treble!
20. If you need a more detailed tutorial (including image + text), please download the guide:
https://www.androidfilehost.com/?fid=1395089523397899658
Or contact me:
https://t.me/Cyborg2017
What ?
treble rom
Which kind of treble rom must I use?
arm or arm64?
A or AB?
A little bit more information would be nice.
Thanks for your work. :good:
lokalkey said:
Which kind of treble rom must I use?
arm or arm64?
A or AB?
A little bit more information would be nice.
Thanks for your work. :good:
Arm and A only
lokalkey said:
Which kind of treble rom must I use?
arm or arm64?
A or AB?
A little bit more information would be nice.
Thanks for your work. :good:
A only. Thanks for your support, I will upload the basic ROM that supports treble soon.
yang_w said:
A only,Thanks for your support, I will upload the basic Rom that supports treble soon.
Are you planning to bring it to more G3 variants?
Thanhbat said:
Are you planning bring to more g3 variants?
If I can get the partition table information of other G3 devices, I am happy to do this.
yang_w said:
If I can get the partition table information of other G3 devices, I am happy to do this.
How can I get the partition table info from mine? D852
iloveoreos said:
How can I get the partition table info from mine? D852
Contact me directly on Telegram, I will help you.
search: Cyborg2017
Here is a dump of the partition table everyone uses for the exploitable vs985 12B bootloader (can bypass recovery and system sigcheck with bump, don't bother with any other tables):
http://glacialsoftware.net/vs985tabledata.zip
(Everyone else please note that host is limited bandwidth, it's a small file but still don't kill my server please. )
So yeah, If you could add vs985 treble support for it that would be excellent! I am an experienced debricker and somewhat experienced developer and would be happy to test to further the efforts to add support to this device.
Thanks!
-RTB
R-T-B said:
Here is a dump of the partition table everyone uses for the exploitable vs985 12B bootloader (can bypass recovery and system sigcheck with bump, don't bother with any other tables):
http://glacialsoftware.net/vs985tabledata.zip
(Everyone else please note that host is limited bandwidth, it's a small file but still don't kill my server please. )
So yeah, If you could add vs985 treble support for it that would be excellent! I am an experienced debricker and somewhat experienced developer and would be happy to test to further the efforts to add support to this device.
Thanks!
-RTB
The txt shows garbled characters, you can contact me with telegram, so I can help you.
yang_w said:
The txt shows garbled characters, you can contact me with telegram, so I can help you.
Sorry about that, it appears the text file is some proprietary LG format. The .bin files are raw partition table dumps though of the GPT... Maybe that can help you.
I would be happy to jump on Telegram but can't today. Birthday party for my brother, heh.
Will D855 ever be supported?
What are the advantages to have treble support on the LG G3?
Something new @ other LG G3 versions?
@ yang_w
yang_w said:
If I can get the partition table information of other G3 devices, I am happy to do this.
LG G3 LS990 partition table
Code:
GPT fdisk (gdisk) version 1.0.3
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk /dev/block/mmcblk0: 61071360 sectors, 29.1 GiB
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 98101B32-BBE2-4BF2-A06E-2BB33D000C20
Partition table holds up to 44 entries
Main partition table begins at sector 2 and ends at sector 12
First usable sector is 34, last usable sector is 61071326
Partitions will be aligned on 1-sector boundaries
Total free space is 32734 sectors (16.0 MiB)
Number Start (sector) End (sector) Size Code Name
1 32768 163839 64.0 MiB 0700 modem
2 163840 165887 1024.0 KiB FFFF sbl1
3 165888 166911 512.0 KiB FFFF dbi
4 166912 167935 512.0 KiB FFFF DDR
5 167936 172031 2.0 MiB FFFF aboot
6 172032 174079 1024.0 KiB FFFF rpm
7 174080 176127 1024.0 KiB FFFF tz
8 176128 176135 4.0 KiB 0700 pad
9 176136 178183 1024.0 KiB FFFF sbl1b
10 178184 179207 512.0 KiB FFFF dbibak
11 179208 181255 1024.0 KiB FFFF rpmbak
12 181256 183303 1024.0 KiB FFFF tzbak
13 183304 185351 1024.0 KiB FFFF rpmf
14 185352 187399 1024.0 KiB FFFF tzf
15 187400 188423 512.0 KiB FFFF sdif
16 188424 192519 2.0 MiB FFFF abootf
17 192520 196607 2.0 MiB FFFF spare1
18 196608 229375 16.0 MiB FFFF boot
19 229376 294911 32.0 MiB 0700 persist
20 294912 327679 16.0 MiB FFFF recovery
21 327680 333823 3.0 MiB FFFF modemst1
22 333824 339967 3.0 MiB FFFF modemst2
23 339968 339975 4.0 KiB FFFF pad1
24 339976 346119 3.0 MiB FFFF fsg
25 346120 347143 512.0 KiB FFFF fsc
26 347144 348167 512.0 KiB FFFF ssd
27 348168 348175 4.0 KiB FFFF pad2
28 348176 349199 512.0 KiB FFFF encrypt
29 349200 350223 512.0 KiB FFFF eksst
30 350224 350239 8.0 KiB FFFF rct
31 350240 360447 5.0 MiB FFFF spare2
32 360448 393215 16.0 MiB FFFF misc
33 393216 458751 32.0 MiB FFFF laf
34 458752 524287 32.0 MiB FFFF fota
35 524288 557055 16.0 MiB 0700 spare3
36 557056 573439 8.0 MiB 0700 drm
37 573440 589823 8.0 MiB 0700 sns
38 589824 655359 32.0 MiB 0700 mpt
39 655360 737279 40.0 MiB 0700 carrier
40 737280 786431 24.0 MiB FFFF factory
41 786432 6684671 2.8 GiB 0700 system
42 6684672 8421375 848.0 MiB 0700 cache
43 8421376 61070324 25.1 GiB 0700 userdata
44 61070325 61071326 501.0 KiB 0700 grow
I have a question! Treble and non-Treble, what is the difference?
---------- Post added at 02:40 PM ---------- Previous post was at 02:38 PM ----------
and who will update for LG G3 ???
mydarhieu97 said:
i have a question ! treble and none treble, what is different ?
https://www.computerworld.com/artic...ect-treble-android-upgrade-fix-explained.html
https://www.androidauthority.com/project-treble-818225/
https://www.google.com/search?q=treble+android
rahimali said:
https://www.computerworld.com/artic...ect-treble-android-upgrade-fix-explained.html
https://www.androidauthority.com/project-treble-818225/
https://www.google.com/search?q=treble+android
so, who will update for LG G3 ??? i know project treble is support for easy way to update, but who? who will update for our devices ? google ?
mydarhieu97 said:
so, who will update for LG G3 ??? i know project treble is support for easy way to update, but who? who will update for our devices ? google ?
No one. It is so we can flash custom roms easier.

[Q] Extract partition / img using Qualcomm EDL mode?

Are there any tools / is it possible to download partitions (img files) from a Qualcomm device using emergency download mode? Simply boot_a / boot_b as I assume user will be encrypted.
I know there is QPST, but from hours of trying and what I have read, it seems to only support older MSM devices not newer Snapdragon? Am I wrong?
Well, if you have the firehose file for that particular soc and the rawprogram0.xml, you can. Usually the firehose file get leaked after the phone is released.
What model are you trying to work on?
HTC U19e
Snapdragon 710
outrage_uk said:
HTC U19e
Snapdragon 710
I found a link to a list of programmers. If you see your phone here, which I didn't (but try ctrl-f the processor, that should be in the filename), it's a good bet you'll be able to find it. As far as I know, my phone's MSM8998 does not have a leaked programmer. It's not as universally applicable as a lot of guides make it seem. If you do have the programmer and correct patches, they allow arbitrary read/write to a phone in edl mode. It's a major security backdoor, but very useful for users like us too. However, neither users like us, nor malicious agents are thought very highly of by American phone manufacturers.
Here's how to access partitions without rawprogram0.xml or patch0.xml
Hi,
If you have the correct prog_emmc_firehose_xxxx.mbn file for your QualComm SoC, you can extract the partition table and all partitions without having access to any rawprogram0.xml or patch0.xml.
The basics are in the excellent guide at https://forum.xda-developers.com/android/general/guide-how-to-dump-write-storage-t3949588
Summary:
- trigger EDL mode, which you have if your phone shows up as USB vendor 05c6, product 9008. Make sure you have "Qualcomm HS-USB QDLoader 9008" as the active driver, giving you a virtual COM port.
- use QFIL to load the prog_emmc_firehose_xxx.mbn file - choose Flat Build
- use QPST's fh_loader.exe to talk to the firehose to read or write the emmc at arbitrary sector offsets
With all that working, you can start by reading the GPT partition table, 34 sectors starting from sector 0:
"C:\Program Files (x86)\Qualcomm\QPST\bin\fh_loader.exe" --port=\\.\COM8 --search_path=C:\my\extract\path --convertprogram2read --sendimage=gpt.bin --start_sector=0 --lun=0 --num_sectors=34 --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=emmc
Replace COM8 with whatever COM port that Qualcomm HS-USB driver provides according to Windows Device Manager, and ensure that whatever you choose as C:\my\extract\path exists.
When the tool is done, you'll have a C:\my\extract\path\gpt.bin that you can examine to get the sector offsets and counts for each of your partitions. I used Linux' gdisk for that:
$ gdisk -l gpt.bin
...
Number Start (sector) End (sector) Size Code Name
1 131072 294911 80.0 MiB 0700 modem
2 294912 296959 1024.0 KiB FFFF bluetooth
3 296960 297215 128.0 KiB A01E pmic
4 297216 297471 128.0 KiB A01E pmicbak
5 297472 297473 1024 bytes A040 limits
6 297474 299521 1024.0 KiB A01A DDR
7 299522 299777 128.0 KiB A01D sec
8 393216 393727 256.0 KiB A022 apdp
9 393728 394239 256.0 KiB A023 msadp
10 394240 394241 1024 bytes A024 dpo
11 524288 527359 1.5 MiB A02A fsg
12 655360 655361 1024 bytes A029 fsc
13 655362 655377 8.0 KiB A02C ssd
14 655378 658449 1.5 MiB A027 modemst1
15 658450 661521 1.5 MiB A028 modemst2
16 661522 663569 1024.0 KiB A012 sbl1
17 663570 665617 1024.0 KiB A012 sbl1bak
18 665618 665809 96.0 KiB A019 sdi
19 665810 667857 1024.0 KiB A016 tz
20 667858 669905 1024.0 KiB A016 tzbak
21 669906 670905 500.0 KiB A018 rpm
22 670906 671905 500.0 KiB A018 rpmbak
23 671906 672929 512.0 KiB A017 hyp
24 672930 673953 512.0 KiB A017 hypbak
25 673954 740801 32.6 MiB FFFF splash
26 786432 796671 5.0 MiB A015 aboot
27 796672 806911 5.0 MiB A015 abootbak
28 806912 937983 64.0 MiB A036 boot
29 937984 1069055 64.0 MiB A025 recovery
30 1069056 7360511 3.0 GiB A038 system
31 7471104 10616831 1.5 GiB A039 cache
32 10616832 10682367 32.0 MiB A026 persist
33 10682368 10684415 1024.0 KiB A01F misc
34 10684416 10685439 512.0 KiB A02D keystore
35 10747904 10747905 1024 bytes A021 devinfo
36 10878976 10879999 512.0 KiB FFFF config
37 10880000 61071326 23.9 GiB A03A userdata
From there, you have enough information to back up each of your partitions, write a custom recovery, etcetera.
In my case, a Gigaset ME, both the system and userdata partitions were normal, unencrypted ext4 partitions with ample opportunities for forensics and data recovery.
Needless to say, there was no need to unlock bootloaders, install custom recovery, root the phone, or whatever.
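The 34-sector gpt.bin read above can also be decoded directly, which adds a check that gdisk's listing does not show by default: both GPT CRC32 values are verified before any sector offset is trusted for a read or write. This is an added example, not code from the original post; the function names and the sample dump are constructed here, with start sectors and counts copied from three rows of the listing above.

```python
import struct
import uuid
import zlib

SECTOR = 512                      # logical sector size reported for these eMMC dumps
HDR_FMT = "<8sIIIIQQQQ16sQIII"    # the 92-byte GPT header
ENT_FMT = "<16s16sQQQ72s"         # one 128-byte partition entry

def parse_gpt(dump: bytes):
    """Return [(name, start_sector, num_sectors)] from a dump that begins at sector 0."""
    if len(dump) < 2 * SECTOR:
        raise ValueError("dump is shorter than two sectors")
    fields = struct.unpack_from(HDR_FMT, dump, SECTOR)   # primary header is LBA 1
    sig, hdr_size, hdr_crc = fields[0], fields[2], fields[3]
    ent_lba, ent_count, ent_size, ent_crc = fields[10:14]
    if sig != b"EFI PART" or not 92 <= hdr_size <= SECTOR:
        raise ValueError("no valid GPT header in LBA 1")
    raw = dump[SECTOR:SECTOR + hdr_size]
    # The header CRC32 is computed with the CRC field itself (bytes 16..19) zeroed.
    if zlib.crc32(raw[:16] + bytes(4) + raw[20:]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    if ent_size < 128:
        raise ValueError("unsupported partition entry size")
    table = dump[ent_lba * SECTOR:ent_lba * SECTOR + ent_count * ent_size]
    if len(table) != ent_count * ent_size:
        raise ValueError("dump too short for the partition entry array")
    if zlib.crc32(table) != ent_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for off in range(0, len(table), ent_size):
        type_guid, _uid, first, last, _attrs, name = struct.unpack_from(ENT_FMT, table, off)
        if type_guid == bytes(16):                       # all-zero type GUID: unused slot
            continue
        label = name.decode("utf-16-le", "replace").split("\0", 1)[0]
        parts.append((label, first, last - first + 1))
    return parts

def read_args(part):
    """fh_loader arguments (only flags quoted in the post) for dumping one partition."""
    name, start, count = part
    # Partition names come from the device, so keep them out of path syntax.
    safe = "".join(c if c.isalnum() or c in "_-" else "_" for c in name)
    return f"--sendimage={safe}.bin --start_sector={start} --num_sectors={count}"

def build_sample_gpt(parts, total_sectors):
    """Constructed input: a 34-sector dump (protective MBR left blank) describing `parts`."""
    table = bytearray(128 * 128)
    for i, (name, start, count) in enumerate(parts):
        guid = uuid.uuid5(uuid.NAMESPACE_DNS, name).bytes_le   # placeholder GUIDs
        struct.pack_into(ENT_FMT, table, i * 128, guid, guid, start,
                         start + count - 1, 0, name.encode("utf-16-le"))
    hdr = bytearray(struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1,
                                total_sectors - 1, 34, total_sectors - 34,
                                bytes(16), 2, 128, 128, zlib.crc32(table)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
    return bytes(SECTOR) + bytes(hdr).ljust(SECTOR, b"\0") + bytes(table)

# Start sectors and counts copied from three rows of the gdisk listing above.
SAMPLE = [("modem", 131072, 163840), ("boot", 806912, 131072),
          ("userdata", 10880000, 50191327)]

if __name__ == "__main__":
    dump = build_sample_gpt(SAMPLE, total_sectors=61071360)   # constructed disk size
    for part in parse_gpt(dump):
        print(read_args(part))
    damaged = bytearray(dump)
    damaged[2 * SECTOR + 32] ^= 0x01      # flip one bit in the first entry's start LBA
    try:
        parse_gpt(bytes(damaged))
    except ValueError as err:
        print("rejected:", err)
```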

[GUIDE] How to unlock and root Xiaomi Redmi 9 (Galahad/Lancelot)

There are some posts on how to root the Xiaomi Redmi 9 (Galahad/Lancelot) phone, but since they have lots of "don't know" phrases (or files of unknown origin), I've managed to do the whole process from scratch.
Lancelot or Galahad
Basically, the codename for the Xiaomi Redmi 9 phone is Lancelot. But when you get a shell via ADB, you will see Galahad. This can cause lots of confusion because you may think that Galahad and Lancelot are two different phones. In reality they're the same phone. Moreover, the specs of the Xiaomi Redmi 9 say that the phone has a MT6769T SoC (the info comes from the phone's /proc/cpuinfo). But it looks like the official ROM, TWRP, even CPU-Z treat the phone as if it had the MT6768 SoC. So keep that in mind when you look for some info concerning the phone.
The phone was bought in Europe/Poland last year (the black Friday, 2020) from the official source. Here's some more info:
Code:
galahad:/ # getprop | grep -i model
[ro.product.model]: [M2004J19C]
[ro.product.odm.model]: [M2004J19C]
[ro.product.product.model]: [M2004J19C]
[ro.product.system.model]: [M2004J19C]
[ro.product.vendor.model]: [M2004J19C]
galahad:/ # getprop | grep -i ro.build.version.
[ro.build.version.base_os]: [Redmi/galahad_eea/galahad:10/QP1A.190711.020/V12.0.0.1.QJCEUXM:user/release-keys]
[ro.build.version.incremental]: [V12.0.1.0.QJCEUXM]
[ro.build.version.security_patch]: [2021-01-05]
galahad:/ # getprop | grep -i baseband
[gsm.version.baseband]: [MOLY.LR12A.R3.MP.V98.P75,MOLY.LR12A.R3.MP.V98.P75]
[ro.baseband]: [unknown]
[vendor.gsm.project.baseband]: [HUAQIN_Q0MP1_MT6769_SP(LWCTG_CUSTOM)]
$ fastboot getvar all
...
(bootloader) product: lancelot
...
(bootloader) version-baseband: MOLY.LR12A.R3.MP.V98.P75
(bootloader) version-bootloader: lancelot-2b1e22f-20201123162228-2021011
(bootloader) version-preloader:
(bootloader) version: 0.5
...
The bootloader unlock
Before you even start thinking of flashing the TWRP image to the Xiaomi Redmi 9 (Galahad/Lancelot) phone, you have to unlock its bootloader first. It's a straightforward operation, but you need some proper tools to achieve that. If you're using Windows, use Mi Unlock; if you're on Linux, use xiaomitool. I'm a Linux user so I can't help those of you who use Windows with this process. If you're going to use xiaomitool, there's a bug in the current version (20.7.28 beta), and you have to patch the source yourself to make it work again. It's not hard. There's a step-by-step article on how to do it. It's in Polish, but all the necessary commands are included so you can just ctrl+c and ctrl+v.
When you unlock the bootloader, you can flash the TWRP image, so make sure you have the following in the Developer options:
The TWRP image
There are some prebuilt TWRP images in the wild, but I wanted source of the files, and I couldn't get any. But I've managed to target this device tree. I attached the twrp-recovery.img (64MiB) file in this post. It looks like the TWRP image built from that source has everything that's needed, so you won't really have to build it yourself. If you want to build the TWRP image yourself from the provided source, you have to go through setting up the android build environment.
Flashing the TWRP image
When you have the TWRP image, you can flash it to the Xiaomi Redmi 9 (Galahad/Lancelot) phone using fastboot. On Debian, you just install the fastboot package. To flash the TWRP image, turn off your phone, turn it on using volumeDown+power, plug the phone via USB to your desktop/laptop and issue the following command:
Code:
$ fastboot flash recovery twrp-recovery.img
Remember one thing. This flashing has only a temporary effect. When you boot the device in a normal mode, the recovery partition will be automatically regenerated and flashed by your phone. So when you issue the command above, boot to recovery via:
Code:
$ fastboot reboot recovery
After you boot into TWRP recovery, it will ask for password. This is the password that you use to unlock your phone's lock screen.
Backup the phone's flash
The temporary TWRP recovery is needed to take the backup of the whole phone's flash. The only partition that has been changed is the recovery partition. Other partitions are intact. In this way, you can back up partitions that hold IMEI, WiFi/BT MACs, and other important stuff. If something goes wrong, you can restore the phone to its default state (after unlocking) using fastboot and the partition images.
To make the backup of the whole phone's flash, use the following command:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
This command is issued from your desktop/laptop computer, and not from the phone. Of course you could just use the dd command and backup the flash to the external SD card, but my external SD was only 32G, and the phone's flash is 64G. Besides it's better to store the phone's flash on your computer for future use.
The process of taking a backup is rather slow. It took around 2h (14M/s). After it finishes, you can check whether everything with the image is OK by looking into the image using the gdisk tool:
Code:
$ adb pull /dev/block/mmcblk0 mmcblk0.img
/dev/block/mmcblk0: 1 file pulled. 14.0 MB/s (62537072640 bytes in 4266.682s)
# gdisk -l /media/Zami/mmcblk0.img
GPT fdisk (gdisk) version 1.0.7
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk /media/Zami/mmcblk0.img: 122142720 sectors, 58.2 GiB
Sector size (logical): 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 122142686
Partitions will be aligned on 16-sector boundaries
Total free space is 61 sectors (30.5 KiB)
Number Start (sector) End (sector) Size Code Name
1 64 131135 64.0 MiB 0700 recovery
2 131136 132159 512.0 KiB 0700 misc
3 132160 133183 512.0 KiB 0700 para
4 133184 174143 20.0 MiB 0700 expdb
5 174144 176191 1024.0 KiB 0700 frp
6 176192 192575 8.0 MiB 0700 vbmeta
7 192576 208959 8.0 MiB 0700 vbmeta_system
8 208960 225343 8.0 MiB 0700 vbmeta_vendor
9 225344 271631 22.6 MiB 0700 md_udc
10 271632 337167 32.0 MiB 0700 metadata
11 337168 402703 32.0 MiB 0700 nvcfg
12 402704 533775 64.0 MiB 0700 nvdata
13 533776 632079 48.0 MiB 0700 persist
14 632080 730383 48.0 MiB 0700 persistbak
15 730384 746767 8.0 MiB 0700 protect1
16 746768 770047 11.4 MiB 0700 protect2
17 770048 786431 8.0 MiB 0700 seccfg
18 786432 790527 2.0 MiB 0700 sec1
19 790528 796671 3.0 MiB 0700 proinfo
20 796672 797695 512.0 KiB 0700 efuse
21 797696 850943 26.0 MiB 0700 boot_para
22 850944 982015 64.0 MiB 0700 nvram
23 982016 998399 8.0 MiB 0700 logo
24 998400 1260543 128.0 MiB 0700 md1img
25 1260544 1262591 1024.0 KiB 0700 spmfw
26 1262592 1274879 6.0 MiB 0700 scp1
27 1274880 1287167 6.0 MiB 0700 scp2
28 1287168 1289215 1024.0 KiB 0700 sspm_1
29 1289216 1291263 1024.0 KiB 0700 sspm_2
30 1291264 1324031 16.0 MiB 0700 gz1
31 1324032 1356799 16.0 MiB 0700 gz2
32 1356800 1360895 2.0 MiB 0700 lk
33 1360896 1364991 2.0 MiB 0700 lk2
34 1364992 1496063 64.0 MiB 0700 boot
35 1496064 1528831 16.0 MiB 0700 dtbo
36 1528832 1539071 5.0 MiB 0700 tee1
37 1539072 1549311 5.0 MiB 0700 tee2
38 1549312 1582079 16.0 MiB 0700 gsort
39 1582080 1844223 128.0 MiB 0700 minidump
40 1844224 2630655 384.0 MiB 0700 exaid
41 2630656 4727807 1024.0 MiB 0700 cust
42 4727808 4744191 8.0 MiB 0700 devinfo
43 4744192 4767743 11.5 MiB 0700 ffu
44 4767744 19447807 7.0 GiB 0700 super
45 19447808 20332543 432.0 MiB 0700 cache
46 20332544 122021823 48.5 GiB 0700 userdata
47 122021824 122109887 43.0 MiB 0700 otp
48 122109888 122142655 16.0 MiB 0700 flashinfo
As you can see, there's the whole flash layout with all the partitions in their stock state (except for the recovery partition, of course). If something goes wrong, you can extract the individual partition by mounting the image on a linux system in the following way:
Code:
# losetup /dev/loop5 /media/Zami/mmcblk0.img
# losetup -a
/dev/loop5: [64769]:12 (/media/Zami/mmcblk0.img)
The above command uses the /dev/loop5 device to mount the image. Since the image has many partitions, the corresponding devices will be created for each partition, which looks like this:
Code:
# ls -al /dev/loop5*
brw-rw---- 1 root disk 7, 320 2021-08-29 02:54:11 /dev/loop5
brw-rw---- 1 root disk 7, 321 2021-08-29 02:54:11 /dev/loop5p1
brw-rw---- 1 root disk 7, 330 2021-08-29 02:54:11 /dev/loop5p10
brw-rw---- 1 root disk 7, 331 2021-08-29 02:54:11 /dev/loop5p11
brw-rw---- 1 root disk 7, 332 2021-08-29 02:54:11 /dev/loop5p12
brw-rw---- 1 root disk 7, 333 2021-08-29 02:54:11 /dev/loop5p13
brw-rw---- 1 root disk 7, 334 2021-08-29 02:54:11 /dev/loop5p14
brw-rw---- 1 root disk 7, 335 2021-08-29 02:54:11 /dev/loop5p15
brw-rw---- 1 root disk 7, 336 2021-08-29 02:54:11 /dev/loop5p16
brw-rw---- 1 root disk 7, 337 2021-08-29 02:54:11 /dev/loop5p17
brw-rw---- 1 root disk 7, 338 2021-08-29 02:54:11 /dev/loop5p18
brw-rw---- 1 root disk 7, 339 2021-08-29 02:54:11 /dev/loop5p19
brw-rw---- 1 root disk 7, 322 2021-08-29 02:54:11 /dev/loop5p2
brw-rw---- 1 root disk 7, 340 2021-08-29 02:54:11 /dev/loop5p20
brw-rw---- 1 root disk 7, 341 2021-08-29 02:54:11 /dev/loop5p21
brw-rw---- 1 root disk 7, 342 2021-08-29 02:54:11 /dev/loop5p22
brw-rw---- 1 root disk 7, 343 2021-08-29 02:54:11 /dev/loop5p23
brw-rw---- 1 root disk 7, 344 2021-08-29 02:54:11 /dev/loop5p24
brw-rw---- 1 root disk 7, 345 2021-08-29 02:54:11 /dev/loop5p25
brw-rw---- 1 root disk 7, 346 2021-08-29 02:54:11 /dev/loop5p26
brw-rw---- 1 root disk 7, 347 2021-08-29 02:54:11 /dev/loop5p27
brw-rw---- 1 root disk 7, 348 2021-08-29 02:54:11 /dev/loop5p28
brw-rw---- 1 root disk 7, 349 2021-08-29 02:54:11 /dev/loop5p29
brw-rw---- 1 root disk 7, 323 2021-08-29 02:54:11 /dev/loop5p3
brw-rw---- 1 root disk 7, 350 2021-08-29 02:54:11 /dev/loop5p30
brw-rw---- 1 root disk 7, 351 2021-08-29 02:54:11 /dev/loop5p31
brw-rw---- 1 root disk 7, 352 2021-08-29 02:54:11 /dev/loop5p32
brw-rw---- 1 root disk 7, 353 2021-08-29 02:54:11 /dev/loop5p33
brw-rw---- 1 root disk 7, 354 2021-08-29 02:54:11 /dev/loop5p34
brw-rw---- 1 root disk 7, 355 2021-08-29 02:54:11 /dev/loop5p35
brw-rw---- 1 root disk 7, 356 2021-08-29 02:54:11 /dev/loop5p36
brw-rw---- 1 root disk 7, 357 2021-08-29 02:54:11 /dev/loop5p37
brw-rw---- 1 root disk 7, 358 2021-08-29 02:54:11 /dev/loop5p38
brw-rw---- 1 root disk 7, 359 2021-08-29 02:54:11 /dev/loop5p39
brw-rw---- 1 root disk 7, 324 2021-08-29 02:54:11 /dev/loop5p4
brw-rw---- 1 root disk 7, 360 2021-08-29 02:54:11 /dev/loop5p40
brw-rw---- 1 root disk 7, 361 2021-08-29 02:54:11 /dev/loop5p41
brw-rw---- 1 root disk 7, 362 2021-08-29 02:54:11 /dev/loop5p42
brw-rw---- 1 root disk 7, 363 2021-08-29 02:54:11 /dev/loop5p43
brw-rw---- 1 root disk 7, 364 2021-08-29 02:54:11 /dev/loop5p44
brw-rw---- 1 root disk 7, 365 2021-08-29 02:54:11 /dev/loop5p45
brw-rw---- 1 root disk 7, 366 2021-08-29 02:54:11 /dev/loop5p46
brw-rw---- 1 root disk 7, 367 2021-08-29 02:54:11 /dev/loop5p47
brw-rw---- 1 root disk 7, 368 2021-08-29 02:54:11 /dev/loop5p48
brw-rw---- 1 root disk 7, 325 2021-08-29 02:54:11 /dev/loop5p5
brw-rw---- 1 root disk 7, 326 2021-08-29 02:54:11 /dev/loop5p6
brw-rw---- 1 root disk 7, 327 2021-08-29 02:54:11 /dev/loop5p7
brw-rw---- 1 root disk 7, 328 2021-08-29 02:54:11 /dev/loop5p8
brw-rw---- 1 root disk 7, 329 2021-08-29 02:54:11 /dev/loop5p9
To extract some partition (for instance the stock boot), use the following command:
Code:
# dd if=/dev/loop5p34 of=./34-stock-boot.img
Extracting any of the partitions from the backup creates a file that can be flashed via fastboot or directly via dd from TWRP recovery. So as long as fastboot (or TWRP recovery) works and you are able to switch to that mode, you shouldn't brick the phone for good. All the bricks should be only temporary and they go away when you flash the stock partitions to the changed ones. So pay attention what changes you commit to the phone's flash.
The Magisk app and a bootloop
To sum up, we have a backup of the phone's flash on our computer, we have flashed a temp TWRP image to the recovery partition, and we are booted in the TWRP recovery mode. Now it's time to flash Magisk and get root on our Xiaomi Redmi 9 (Galahad/Lancelot) phone.
But not so fast. If you just flashed the Magisk apk file using TWRP, you will get a bootloop. This is because of the Android Verified Boot mechanism, which still works even after you unlock the phone. You can read about this AVB mechanism more here. Basically it's all about the boot partition hashes (and possibly other partition hashes as well) which are allowed by the manufacturer of the phone to be valid. So only those boot images that have valid hashes can be used in the boot process of the device. Flashing Magisk changes the boot partition, and in this way the hash of the boot partition changes. So, when you try to boot the phone after you flashed Magisk from the TWRP recovery, it will bootloop. Also you will lose access to the recovery partition, so you won't be able to revert the change you did when you flashed the Magisk app. The only way to restore the phone in such state is to flash the stock boot partition. That's why you should make the phone's whole flash backup. I include the stock boot partition here for those who didn't have the backup, but pay attention that this boot image is for Android10/MIUI12 (see the specs above), and I don't know what will happen if you use the image with different software/firmware/ROM.
Install the Magisk app
To avoid the unpleasant bootloop situation after flashing the Magisk app, you have to deactivate the AVB mechanism. You do this by flashing the stock vbmeta partition using fastboot, i.e. the following command:
Code:
# dd if=/dev/loop5p6 of=./6-stock-vbmeta.img
$ fastboot --disable-verity --disable-verification flash vbmeta 6-stock-vbmeta.img
You can proceed with flashing the Magisk app only after you disable the AVB mechanism.
If your phone restored the stock recovery, flash once again the TWRP recovery, and boot into the recovery mode. Download the most recent Magisk app, currently Magisk-v23.0.apk. Yes, I know it's an APK file, and yes, you have to flash the APK file via TWRP recovery. You're going to see some messages about repacking the stock boot and flashing it.
This is the step when the phone stops rewriting the custom recovery partition. So, after installing the Magisk app, the TWRP recovery will be persistent, and you won't have to flash it again.
After flashing the APK file, you have to boot to the phone's OS in order to finish installing Magisk (the OS part/app). You'll be prompted to do this step, so follow what it says and ultimately you get the Magisk installed:
SafetyNet
The next thing is to open the Magisk App. After this, check the SafetyNet. It should fail. Go to the options and "Hide the Magisk app". You also have to activate MagiskHide. After this, check the SafetyNet again. It should pass now.
So now you have the root access on your Xiaomi Redmi 9 (Galahad/Lancelot) and also it passes the SafetyNet.
This HOWTO should work for the Xiaomi Redmi 9 (Galahad/Lancelot) phones, but I'm not sure whether I forgot to mention something. Anyways, if you have any questions, or something doesn't work, ask.
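The two fastboot options used in the guide, --disable-verity and --disable-verification, each set one bit in the flags field of the vbmeta header, so a vbmeta image pulled from a device shows whether AVB has been switched off. The following is an added example, not code from the original post: it audits a vbmeta image, assuming the AOSP libavb header layout (256-byte big-endian header with the flags word at offset 120); the function names and the sample images are constructed here.

```python
import struct

HEADER_SIZE = 256
FLAGS = {0x1: "HASHTREE_DISABLED",       # bit set by fastboot --disable-verity
         0x2: "VERIFICATION_DISABLED"}   # bit set by fastboot --disable-verification
ALGORITHMS = ["NONE", "SHA256_RSA2048", "SHA256_RSA4096", "SHA256_RSA8192",
              "SHA512_RSA2048", "SHA512_RSA4096", "SHA512_RSA8192"]

def audit_vbmeta(image: bytes) -> dict:
    """Decode the vbmeta header fields that decide whether AVB is enforced."""
    if len(image) < HEADER_SIZE or image[:4] != b"AVB0":
        raise ValueError("not a vbmeta image (missing AVB0 magic)")
    # Offsets 4..31: libavb major/minor, authentication and auxiliary block
    # sizes, algorithm type. Offsets 112..123: rollback index, flags.
    major, minor, auth_size, aux_size, algo = struct.unpack_from(">IIQQI", image, 4)
    rollback_index, flags = struct.unpack_from(">QI", image, 112)
    release = image[128:176].split(b"\0", 1)[0].decode("ascii", "replace")
    findings = [name for bit, name in FLAGS.items() if flags & bit]
    if flags & ~0x3:
        findings.append(f"unknown flag bits 0x{flags & ~0x3:x}")
    if algo == 0:
        findings.append("algorithm NONE: image carries no signature")
    if HEADER_SIZE + auth_size + aux_size > len(image):
        findings.append("truncated: declared blocks exceed image size")
    return {
        "avb_version": f"{major}.{minor}",
        "release": release,
        "algorithm": ALGORITHMS[algo] if algo < len(ALGORITHMS) else f"unknown({algo})",
        "rollback_index": rollback_index,
        "flags": flags,
        "enforcing": flags & 0x3 == 0,
        "findings": findings,
    }

def sample_vbmeta(flags: int) -> bytes:
    """Constructed image: a header plus two empty 64-byte blocks, from no real device."""
    head = struct.pack(">4sIIQQI", b"AVB0", 1, 0, 64, 64, 1)    # bytes 0..31
    head += bytes(80)                                           # offset/size fields, unused here
    head += struct.pack(">QII", 0, flags, 0)                    # rollback index, flags, location
    head += b"avbtool 1.1.0".ljust(48, b"\0") + bytes(80)       # release string, reserved
    return head + bytes(128)

if __name__ == "__main__":
    for label, image in (("stock", sample_vbmeta(0)), ("after flashing", sample_vbmeta(3))):
        report = audit_vbmeta(image)
        print(label, "enforcing" if report["enforcing"] else "NOT enforcing",
              report["algorithm"], report["findings"])
```

Run against a copy of the vbmeta partition (for example the 6-stock-vbmeta.img extracted above) by passing the file's bytes to audit_vbmeta.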
Wow, really great guide, well written and all the info is there, not bad!!! Cheers!!!
I fixed some spelling mistakes, now it should be easier to read.
Thanks a lot for this great guide.
Small problem here though ;-)
Entering
$ fastboot reboot recovery
leads to:
fastboot: usage: unknown reboot target recovery
Looking at fastboot --help there is no such parameter. Either bootloader or emergency (the latter doesn't work)
Thanks in advance - Chris
It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?
morfikov said:
It works just fine with my phone:
Code:
$ fastboot reboot recovery
Rebooting into recovery OKAY [ 0.001s]
Finished. Total time: 0.252s
Maybe you need a newer version of the tool?
Thank you, morfikov - that was it. Mine was nearly 12 years old :-D
Everyone else facing this issue: latest SDK Platform Tools always under https://developer.android.com/studio/releases/platform-tools
Thanks again for your fabulous guide!
Great guide! I even managed to compile the latest TWRP from the device tree you linked. The only thing that I would add is that I had to use losetup -fP <name>.img. The "P" flag forces the loop device to display partitions and "f" just takes the first available device. As for Magisk, I had to use Didgeridoohan's MagiskHide Props Config module in order to pass the CTS check. I just had to "Force BASIC key attestation" using the default value "galahad". I suspect that has to do with the fact that I'm running the latest EEA ROM (Android 11); other than that I use the same phone - European version bought in Poland.
morfikov said:
The process of taking a backup is rather slow. It took around 2h (14M/s)
You might have been using a USB 2.0 port.
It is advised that you use a USB 3.x Port. Throughput here was: 146.5 MB/s. It took around 10-15 Minutes.
Maybe you want to put that advice in your guide.
Another tip which makes the deactivation of the AVB mechanism and flashing the stock vbmeta partition using fastboot much easier, faster, and also suitable for Windows machines. It takes only 2-3 minutes altogether:
When you're in TWRP after the first flash, instead of pulling the complete image of your Redmi 9 (which is not bad at all, but the image is not loadable under Win machines), you use the means of TWRP:
In TWRP you enter the section "Backup"
There you select the storage "Micro SD card"
In the list of partitions to be backed up ONLY select "vbmeta". It's only 8 MB. (This only takes a few seconds and requires not more than 9MB on your SD card ;-) )
Then "Swipe to Backup"
After that you stay in TWRP
Then you copy the tiny backup to your adb/fastboot folder on the PC (as you're in TWRP, you have full access):
Copy from your phone the files from Redmi's "External_SD/TWRP/BACKUPS/Redmi_9/<current date/time/ID>" to your adb/fastboot folder on the PC:
vbmeta.emmc.win
vbmeta.emmc.win.sha2
(recovery.log is not needed, it only contains the console output)
Within TWRP go back to the main menu and select "Reboot" and select "Fastboot"
The Smartphone reboots into TWRP / Fastboot mode
Now from the PC you turn the AVB mechanism off by flashing:
$ fastboot --disable-verity --disable-verification flash vbmeta vbmeta.emmc.win
Now you continue with the guide above - reflashing TWRP & booting in Recovery:
$ fastboot flash recovery twrp-recovery.img
$ fastboot reboot recovery
In TWRP back again, now flash Magisk-vXY.Z.apk and reboot to System after that (to clean Cache & Dalvik is not a bad idea).
The flash of TWRP is now permanent (can be entered anytime from device off --> Press and hold Power and Volume up buttons)
It's weird that windows still can't mount such images.
Any tip for me?
I have J19AG (lancelot at first). The problem is that I can't fix broken Google Play Protect on other roms than EEA. This phone came with EEA rom which had GPP. Then I unlocked bootloader and flashed non EEA rom. I have tried TR, ID, IN, RU fastboot roms but none worked with GPP.
I'm now on ID rom and trying to fix it using Magisk modules to change props. But neither galahad nor lancelot worked for Force Basic Key attestation. After changing galahad to lancelot my base_os prop is empty. Magisk CTS check is still failed.
Code:
[ro.build.version.all_codenames]: [REL]
[ro.build.version.base_os]: []
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [V12.0.3.0.QJCIDXM]
I would suggest you to restore the phone stock state with fastboot ROM. You can find some here:
Download: MIUI 12 stable update rolling out to several Xiaomi, Redmi and POCO devices
MIUI 12 stable builds have begun rolling out to several Xiaomi, Redmi, and POCO devices. Head on over for Recovery ROM and Fastboot ROM download links!
www.xda-developers.com
No I do not want this.
I asked some certain question.
I know exactly what I'm doing and have skills for that.
My goal was to have galahad with rom other than EEA with Google Play protect on.
Currently only EEA <-> Galahad is possible. ID, TW, TR rom have no Google Play protect when unlocked or locked bootloader on galahad (Redmi 9 with NFC).
The trick is to fix Google Play protect with Magisk and TWRP. But the above methods didn't work for me.
I have no knowledge on this subject, so I can't help you with this.
Hello.
I'm having a problem using the losetup command. After using
sudo losetup /dev/loop3 mmcblk0.img
and checking out the partitions created with
ls -al /dev/loop3*
I only get ...
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop
When checking mmcblk0.img with command
gdisk -l mmcblk0.img
I get the same as you.
I understand that losetup doesn't create the partitions other than one so I can't extract anyone in particular. Am I doing something wrong? I'm using an updated Ubuntu 20.04.
Thanks for your help.
Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64
morfikov said:
Use:
Code:
# modprobe -r loop
# modprobe loop max_part=64
After using the first command I get
modprobe: FATAL: Module loop is builtin.
The second one doesn't display anything.
Then again when using ls -al /dev/loop3* I get
brw-rw---- 1 root disk 7, 3 d’oct. 16 10:40 /dev/loop3
Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.
morfikov said:
Then edit the kernel cmd line in grub bootloader (or whatever ubuntu is using) and add to it loop.max_part=64 and restart the system.
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.
lotiopep said:
Thanks again. I'm still trying. In Ubuntu it's different and after doing it it didn't work (and somehow I broke the OS and had to reinstall it).
I think I will try to do it in a virtualised Debian system.
Finally it worked! Thanks!
