Ulefone Armon 11T modding ROM - Android Q&A, Help & Troubleshooting

Hi,
I am trying to mod the official ROM of the Armon 11T and modify the super.img partition.
I am using this guide:
Editing system.img inside super.img and flashing our modifications (forum.xda-developers.com)
I unpacked super.img, and super.ext4.img contains 6 partitions:
- system_a.img
- system_b.img
- vendor_a.img
- vendor_b.img (0 byte)
- product_a.img
- product_b.img (0 byte)
If I resize a single image, for example system_a.img:
- fallocate -l 2G system_a.img
- resize2fs system_a.img 2G
Only doing
- resize2fs system_a.img 2G
the original size of system_a.img changes.
Then I repack super.img using the lpmake command.
If I reflash the ROM on the device, it starts, but during boot I get the error "device is corrupt".
Where am I going wrong?
Can you help me, please?

Related

[Q] How can I unpack and repack Davinci UBL Boot Image?

Phone: Alcatel Onetouch 991D
I extracted the system.img (ANDROID partition) following this guide on Windows: Creating a ROM dump of your MT65x3 device (easily found by searching Google, since I can't post links yet)
I then copied the system.img over to Linux (Ubuntu 12.10).
I opened a terminal and invoked the command below to see the type of image.
mkimage -l system.img
Code:
Image Type : Davinci UBL Boot Image
UBL magic : 00720019
Entry Point: 00730065
nr of pages: 0064002f
start block: 00610072
start page : 00610077
Then tried: ./simg2img system.img sys.raw
And the result...
Code:
Bad magic
Anyone know how to unpack this type of image or convert it to a raw image so then I can mount it?
If you're looking for a tool for unpacking and repacking .img files such as boot.img, maybe this helps:
http://forum.xda-developers.com/showthread.php?t=1241005

Need help analyzing a boot.img

Hi there!
Currently I am trying to extract and modify a boot.img from my car stereo (to set ro.secure=0 in default.prop - it's an AV7) from MIC. ( http://www.shop.mic-deutschland.de/shop/article_W005/AV7.html?shop_param=cid=6&aid=W005& )
I did my exercises by studying the specs of a normal boot.img and learned that there should be a 2k header, followed by the gzipped kernel. I should be able to identify the kernel starting after those 2k of header and ending with some zeros finished with 1F 8B. The rest should be the ramdisk, gzipped and cpioed.
So far the theory - but apparently, I am not able to extract the kernel. I also tried some different scripts floating around - none of them ended up with an extractable kernel.
Example:
/unpackbootimg -i ../boot.img -o .
BOARD_KERNEL_CMDLINE
BOARD_KERNEL_BASE e3e0ff00
BOARD_PAGE_SIZE 1768697202
-> Kernel size 0, pretty much everything ends up in the ramdisk, which is NOT a gzip file.
This is the boot.img: http://ul.to/ivggomon
So you see me pretty clueless at the moment - any suggestion is highly appreciated!
No one has any idea?
unmkbootimg output:
Code:
unmkbootimg version 1.2 - Mikael Q Kuisma <[email protected]>
File ../boot.img not a plain boot image, seeking for embedded image ... not found.
boot_info (from bootimg_Toolset):
Code:
/boot_info ../boot.img
Android Magic not found in ../boot.img. Giving up.
The thread may be deleted. It was a uImage multi file with a gzipped cpio in it...
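Both threads above ended with a tool rejecting or misreading an image because the container was not the one it expected. The following Python is an added example (not code from either thread or from the tools they name) that identifies an image by its magic bytes and walks a U-Boot multi-file uImage of the kind the last post describes. The sample image and the function names are constructed for illustration.

```python
import gzip
import struct
import zlib

ANDROID_MAGIC = b"ANDROID!"          # Android boot image, offset 0
UIMAGE_MAGIC = b"\x27\x05\x19\x56"   # U-Boot legacy image, big-endian, offset 0
SPARSE_MAGIC = b"\x3a\xff\x26\xed"   # Android sparse image (0xED26FF3A little-endian)
GZIP_MAGIC = b"\x1f\x8b"
EXT_MAGIC = b"\x53\xef"              # ext2/3/4 superblock magic at 1024 + 0x38
IH_TYPE_MULTI = 4                    # U-Boot image type "multi-file"


def crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(data):
    """Parse the 64-byte legacy U-Boot header and list multi-file parts."""
    (_magic, hcrc, _time, size, _load, _entry, dcrc,
     _os, _arch, img_type, _comp, name) = struct.unpack(">7I4B32s", data[:64])
    zeroed = data[:4] + b"\x00" * 4 + data[8:64]   # header CRC is taken with hcrc = 0
    info = {
        "format": "uimage",
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "multi": img_type == IH_TYPE_MULTI,
        "header_crc_ok": crc(zeroed) == hcrc,
        "data_crc_ok": crc(data[64:64 + size]) == dcrc,
        "parts": [],
    }
    if info["multi"]:
        # Payload starts with big-endian part sizes, terminated by a zero word.
        sizes, off = [], 64
        while off + 4 <= len(data):
            (n,) = struct.unpack(">I", data[off:off + 4])
            off += 4
            if n == 0:
                break
            sizes.append(n)
        for n in sizes:
            part = data[off:off + n]
            info["parts"].append(
                {"offset": off, "size": n, "gzip": part[:2] == GZIP_MAGIC})
            off += (n + 3) & ~3                    # parts are padded to 4 bytes
    return info


def identify(data):
    """Classify an image by magic bytes before handing it to an unpacker."""
    if data[:8] == ANDROID_MAGIC and len(data) >= 40:
        f = struct.unpack("<8I", data[8:40])       # sizes/addresses, page_size last
        page = f[7]
        return {"format": "android-boot", "kernel_size": f[0],
                "ramdisk_size": f[2], "page_size": page,
                "kernel_gzip": data[page:page + 2] == GZIP_MAGIC}
    if data[:4] == UIMAGE_MAGIC and len(data) >= 64:
        return parse_uimage(data)
    if data[:4] == SPARSE_MAGIC:
        return {"format": "android-sparse"}
    if data[:2] == GZIP_MAGIC:
        return {"format": "gzip"}
    if data[0x438:0x43A] == EXT_MAGIC:
        return {"format": "ext-raw"}
    return {"format": "unknown"}


def misread_page_size(data):
    # Offset 36 is page_size in an Android boot header; in a uImage it falls
    # inside the 32-byte image name (offset 32), so a tool that skips the
    # ANDROID! check reports name characters as a number.
    return struct.unpack("<I", data[36:40])[0]


def field_as_text(value):
    """Show a 32-bit little-endian field as the ASCII bytes it was read from."""
    return struct.pack("<I", value).decode("ascii", "replace")


def build_sample_uimage():
    """Constructed sample: a multi-file uImage with two gzip members."""
    kernel = gzip.compress(b"constructed kernel stub")
    ramdisk = gzip.compress(b"constructed cpio stub")
    pad = lambda blob: blob + b"\x00" * (-len(blob) % 4)
    payload = (struct.pack(">3I", len(kernel), len(ramdisk), 0)
               + pad(kernel) + pad(ramdisk))
    name = b"Linux-constructed".ljust(32, b"\x00")
    def header(hcrc):
        return struct.pack(">7I4B32s", 0x27051956, hcrc, 0, len(payload), 0, 0,
                           crc(payload), 5, 2, IH_TYPE_MULTI, 0, name)
    return header(crc(header(0))) + payload


if __name__ == "__main__":
    image = build_sample_uimage()
    print(identify(image))
    print(repr(field_as_text(misread_page_size(image))))
    print(repr(field_as_text(1768697202)))   # BOARD_PAGE_SIZE quoted in the post
```

The BOARD_PAGE_SIZE value printed by unpackbootimg in the post decodes to four ASCII characters, which is what a text field read as an integer looks like.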

[REPARTITION] Nexus 7 (2013) Repartition [FLO/DEB] [16GB/32GB] [UA TWRP]

Nexus 7 (2013) Repartition
No one is responsible for your actions except yourself. Everything written further may potentially brick your device, although risk is reduced to a minimum.
This repartition package offers 1.5G /system; a /vendor partition and it is fully backward compatible with any ROM (including stock system.img).
Known-issues
HTML:
- If the repartition pack says that the device isn't correct, then, if the partition table wasn't modified before, congrats! Your device has a different memory chip than those I worked with. No worry, PM me and I'll add support for it.
DO THE BACKUPs. Repartition will erase all your data.
USB connection to PC is MANDATORY, else you will not have the opportunity to push a ROM to your device.
Backup
# Before processing further we highly recommend you backup persist and EFS using adb
# Or you might lose your IMEI/WIFI + BT mac addresses
Code:
adb root
adb shell
dd if=/dev/block/mmcblk0p2 of=/sdcard/modemst1.img
dd if=/dev/block/mmcblk0p3 of=/sdcard/modemst2.img
dd if=/dev/block/mmcblk0p4 of=/sdcard/persist.img
Now you can find 3 *.img files at path /sdcard. Copy them to your PC since internal memory will be erased.
Installation
HTML:
# This mod is backwards compatible with any ROM so we highly recommend NOT to reverse it if repartition went well.
# You should use ONLY the recovery from this thread since others don't support all benefits of this mod.
# When installing a ROM, just after you flashed the zip and before installing GAPPs you MUST make a resize in TWRP since all ROMs are built for ~800M system.
# Package is unified for flo and deb. To restore stock layout use the same zip and steps as for repartition.
1. Boot into recovery (You need to allow system partition modification to be able to resize /system in recovery).
2. Backup your data & move your files from flash to your PC.
3. Flash the repartition pack zip.
4. Do the actions asked by the repartition pack (go to Terminal in ordinary recovery and input the word that the pack will tell you. Everything else will be done automatically).
5. Phone will reboot into recovery.
6. Install TWRP from below (it is built with support for the new partition layout and sizes. It can be distinguished from official TWRP by the version format 3.x.x-1 UA).
7. Format everything. (mount errors will not affect formatting!)
- In TWRP: Wipe > Format data
- Type yes
- Once this completes go to: Wipe > Advanced Wipe
- Tick all the boxes and wipe. There should be no further mount errors. (Thanks @mr_rubbish for corrections in formatting).
8. Install the ROM which you like.
9. Enjoy better flash partition layout.
If something went wrong - we recommend you NOT to do anything by yourself. Write here for help, else you may only make it worse.
Downloads:
Repartitioning package: GitHub
Credits:
Special thanks to
- Unlegacy-Android team;
- Sudokamikaze;
- rlw6534 for Kingston MMC layout;
- surfrock66 for his guide for Nexus 5;
As usual, feedback is appreciated
XDA:DevDB Information
Nexus 7 (2013) Repartition, Tool/Utility for the Nexus 7 (2013)
Contributors
Clamor
Source Code: https://github.com/clamor95/android_device_unlegacy_recovery
Version Information
Status: Stable
Created 2018-09-19
Last Updated 2019-01-18
Common issues and F. A. Q.
Repartition pack should be safe for most devices. Common mistakes, issues and their solution will be published here.
1. You shouldn't flash any internal parts of the repartition pack (*.sh files); only flash the whole zip using TWRP. You may use my scripts for personal use or projects but authorship should be kept.
2. If something isn't mounting after repartition, try to format the partitions that don't mount using Wipe -> Advanced Wipe in TWRP. Ideally you should format in that way all partitions in the Advanced Wipe menu (see 5-th step of installation guide).
3. If you want to be sure that repartition went well, I enclose a logging zip. Flash it after repartition (when the device reboots into TWRP). It won't modify anything; it only generates a partition.log in the root of internal storage and outputs your current partition layout to the screen. You should check if your layout is the same as those fragments I provide under the spoiler (file systems don't matter). If there are any differences, you have to describe what you did and enclose partition.log with your post.
FLO/DEB STOCK
Code:
22 671088640B 1551892479B 880803840B system
23 1551892480B 2139095039B 587202560B cache
FLO/DEB MODIFIED
Code:
22 614429696B 2187293695B 1572864000B system
23 2187293696B 2270167039B 82873344B cache
...
30 2348843008B 2610987007B 262144000B vendor
4. After flashing most ROMs system size will reduce to stock, you need to resize /system in TWRP or use flashable resize zip for ROMs that support addon.d (automatic resize when dirty flashing updates).
5. After returning to the stock partition table you won't be able to get into Recovery from the bootloader anymore, but when you start the tablet normally it goes straight into Recovery. This is the normal state. The new partition table proposes a larger /recovery size (16MB) while stock gives only 10MB. While restoring stock, it is impossible to restore the larger recovery backup into the new smaller partition. In order not to leave the user without recovery access, the recovery backup is restored into the /boot partition. Just flash ordinary TWRP and install ROMs from it.
6. Don't install the zip file from USB OTG. Copy it into /sdcard. Else you will get this message after flashing the repartition pack:
Code:
"Can not extract updater-script. Do you have it in package?
Updating partition details...
...done"
Link not working for the repartitioning package...
@rlw6534 should be fine now
Any chance you give details on backing up persist and EFS with dd command? I'm not really a noob but I also don't want to mess up my tab...
@rlw6534 You actually shouldn't break anything. Added an instruction on how to backup EFS and persist.
OK. Tried to flash on a clean, freshly wiped system (Flo 32G), all stock, ext4 on cache and Data, TWRP 3.2.3-0. Got the following:
******Applying dark magic******
This is not a Nexus 7 (2013)
Updater process ended with ERROR: 1
How to restore files, that we copied from our tablet using dd command ? (I haven't done anything yet. Just asking)
Sent from my whyred using XDA Labs
@rlw6534 your partition table was modified.
@MikiGry same commands, just switch paths.
Clamor said:
@rlw6534 your partition table was modified.
@MikiGry same commands, just switch paths.
Do you mean that despite this error message:
******Applying dark magic******
This is not a Nexus 7 (2013)
Updater process ended with ERROR: 1
The partition table has been modified correctly?
@lollyjay No, it wasn't. The package has a 2 step security system. It checks if the partition table was modified and in what way (by the package itself, by the user or it is stock). The second step is that the package itself doesn't modify anything; it needs manual confirmation in terminal, else no changes will be applied.
Clamor said:
@lollyjay No, it wasn't. The package has a 2 step security system. It checks if the partition table was modified and in what way (by the package itself, by the user or it is stock). The second step is that the package itself doesn't modify anything; it needs manual confirmation in terminal, else no changes will be applied.
Thanks
So do I NOT flash the modded twrp first?
Your instructions said to flash it after reboot to recovery
@lollyjay actually it shouldn't matter, but after would be better
Clamor said:
@lollyjay actually it shouldn't matter, but after would be better
I'm going to do this when I get home. This might mean that flo/deb will get Android 9 Pie
@lollyjay look through UA ROM thread I wrote there about P on flo/deb
Clamor said:
@lollyjay look through UA ROM thread I wrote there about P on flo/deb
Sorry but can you give me a link?
Clamor said:
@rlw6534 your partition table was modified.
@MikiGry same commands, just switch paths.
I have previously used sysrepart.zip and sysrepartundo.zip from this thread, although not recently:
https://forum.xda-developers.com/showpost.php?p=76278047&postcount=19
I returned it to stock a while back (827MB). Perhaps I need to sgdisk a stock partition table?
@rlw6534 Every manual repartition or repartition made not by my pack needs an individual look and partition table restore.
@lollyjay here
Clamor said:
@rlw6534 Every manual repartition or repartition made not by my pack needs an individual look and partition table restore.
@lollyjay here
OK. Here is my partition layout. My userdata appears to be smaller than stock, but there isn't enough room on mmcblk0 to increase it to the size that your script is looking for. I have no idea how that could have been changed without bricking the tab. Everything else looks normal. Ideas?
Code:
Model: MMC MMC32G (sd/mmc)
Disk /dev/block/mmcblk0: 30937186304B
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
1 67108864B 156745727B 89636864B fat16 radio
2 201326592B 204472319B 3145728B modemst1
3 204472320B 207618047B 3145728B modemst2
4 268435456B 283795455B 15360000B ext4 persist
5 335544320B 336343039B 798720B m9kefs1
6 336343040B 337141759B 798720B m9kefs2
7 402653184B 403451903B 798720B m9kefs3
8 403451904B 406597631B 3145728B fsg
9 469762048B 471298047B 1536000B sbl1
10 471298048B 472834047B 1536000B sbl2
11 472834048B 474931199B 2097152B sbl3
12 474931200B 480174079B 5242880B aboot
13 480174080B 480698367B 524288B rpm
14 536870912B 553648127B 16777216B boot
15 603979776B 604504063B 524288B tz
16 604504064B 604505087B 1024B pad
17 604505088B 606041087B 1536000B sbl2b
18 606041088B 608138239B 2097152B sbl3b
19 608138240B 613381119B 5242880B abootb
20 613381120B 613905407B 524288B rpmb
21 613905408B 614429695B 524288B tzb
22 671088640B 1551892479B 880803840B ext4 system
23 1551892480B 2139095039B 587202560B ext4 cache
24 2147483648B 2148532223B 1048576B misc
25 2214592512B 2225078271B 10485760B recovery
26 2281701376B 2281709567B 8192B DDR
27 2281709568B 2281717759B 8192B ssd
28 2281717760B 2281718783B 1024B m9kefsc
29 2348810240B 2348843007B 32768B metadata
30 2415919104B 30937169407B 28521250304B ext4 userdata
@rlw6534 Thanks!

iplay 7t (sc9832e processor) root / unlock bootloader suggestions

Recently purchased an iplay 7t after reading the xda review. This is replacing an LG v400 tablet that I had rooted. I updated the iplay to build T701_V1.20_20191112, enabled developer options, enabled oem unlock bootloader, found the corresponding firmware pac, installed magisk and used it to patch boot.img. So far so good.
I entered fastboot, then I attempted to flash the modified boot.img and was told:
Code:
target didn't report max-download-size
sending 'boot' (18584 KB)...
OKAY [ 0.593s]
writing 'boot'...
FAILED (remote: Flashing Lock Flag is locked. Please unlock it first!)
finished. total time: 0.608s
I tried various options to unlock the bootloader:
Code:
> fastboot getvar unlocked
unlocked:
finished. total time: -0.000s
> fastboot oem unlock
...
FAILED (remote: unknown cmd.)
finished. total time: -0.000s
> fastboot oem unlock-go
...
FAILED (remote: unknown cmd.)
finished. total time: 0.002s
> fastboot flashing get_unlock_ability
...
FAILED (remote: Not implement.)
finished. total time: -0.000s
> fastboot flashing unlock
...
FAILED (remote: Not implemet.)
finished. total time: -0.000s
> fastboot flashing unlock_critical
...
FAILED (remote: Not implement.)
finished. total time: 0.016s
> fastboot flashing unlock_bootloader
fastboot: usage: unknown 'flashing' command unlock_bootloader
> fastboot flashing unlock_bootloader_nonce
fastboot: usage: unknown 'flashing' command unlock_bootloader_nonce
Okay ... fine. I fired up SPD Research tool and attempted to use it to flash the modified boot.img. It transfers the image and then times out.
As a sanity check I used SPD Research tool to flash the original boot.img and that worked fine.
I'll note the modified image is smaller than the original, however padding the modified image with zeros to the same size didn't seem to help. Using SPD Research tool to flash the padded image still timed out.
I am looking to open a request up on the Alldocube support site (currently their registration form is giving me an error), in the meantime ... suggestions? Has anyone successfully flashed a modified boot.img on this device / rooted this device?
in the "developer option" on your phone, you should enable the "allow unlock bootloader" option.
DR.Doyle said:
in the "developer option" on your phone, you should enable the "allow unlock bootloader" option.
Yes ... I have that enabled.
Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by:
Code:
WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.
Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".
All this seems like I'm on the right track.
However attempting to boot into the re-signed stock recovery results in:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.
Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.
Dear jwehle:
Good job. I have also modified the pac firmware file, which is based on the Chinese version firmware: T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1. re-sign the vbmeta img
2. delete FBE force encryption in vendor partitions
3. delete the script in system.img to prevent factory recovery restore
4. modify recovery.img to a Magisk built-in recovery
Please use SPD_Research_Tool to flash the pac, change the Android OS language from Chinese to English, install the magiskmanager app, and then use the adb command (adb reboot recovery) to let the tablet reboot to recovery.
After the tablet reboots to Android OS again, open the magiskmanager app; you can see that Magisk can get root authority.
For how to change the language from Chinese to English, please see the attached png file.
Considering that the Android OS you are using is the English version (including Google services), according to the modification points above, you can try to use the vbmeta and recovery (built-in Magisk) modified by your own signature, then delete the FBE force encryption and recovery restoration in the system and vendor images, then use the SPD_Research_Tool to package the imgs into a pac image, flash the pac image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use Magisk to get root permissions.
twrp egg: https://mega.nz/#!YZ9VDZbT!1ptlOI6g3FS_ES-cLGhLy9ybGtdHQ8vzVHaasAXglXo
And lastly, thanks again to PeterCxy on xda and the other masters (sifu) on 4pda.
wangyiling said:
Dear jwehle:
Good job. I have also modified the pac firmware file, which is based on the Chinese version firmware: T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1. re-sign the vbmeta img
2. delete FBE force encryption in vendor partitions
3. delete the script in system.img to prevent factory recovery restore
4. modify recovery.img to a Magisk built-in recovery.
Thanks for supplying the modified PAC and for explaining the changes.
Your PAC seemed to work fine and now that I have a better understanding
of things I should be able to build my own PAC when I have a chance.
Your time and effort in explaining things is appreciated.
What's the significance of removing the encryption for the vendor partitions?
jwehle said:
What's the significance of removing the encryption for the vendor partitions?
The vendor img in my pac just uses ext4 format. I have used simg2img to convert the original vendor img to ext4 format, and modified the fstab file in the vendor/etc folder.
fstab.sp9832e_1h10:
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,fileencryption=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,fileencryption=aes-256-xts
---------->
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,encryptable=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,encryptable=aes-256-xts
wangyiling said:
The vendor img in my pac just uses ext4 format. I have used simg2img to convert the original vendor img to ext4 format, and modified the fstab file in the vendor/etc folder.
Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.
jwehle said:
Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.
Just for TWRP to read the data partition, convenient for personal use.
It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:
Code:
vbmeta
boot
recovery
What was happening is when the system started normally it saw that recovery image had been modified so it checked if the boot image was the factory standard image. Since I hadn't touched the boot image the OS went ahead and attempted to replace the recovery image I flashed with a standard recovery image generated on the fly from the factory standard boot image. This caused a soft-brick when I rebooted into recovery since that recovery image wasn't signed using the public key specified by my replacement vbmeta.
By also flashing a newly signed boot image, because the signature is different from what it knows about, the system no longer attempts to use it to refresh the recovery image.
Here's an outline of what I did to successfully root the device:
Use the Qin 2 Pro instructions / tools to unlock the boot loader.
Flash the appropriate factory standard firmware to establish a known starting point. I used iplay7t(T701)-Android9.0-ALLDOCUBE-191112 from the Alldocube web site.
Use SPD Research Tool to extract vbmeta-sign.img, boot.img, and recovery.img.
Use avbtool (with the below patch) to extract the public keys from vbmeta-sign.img like so:
Code:
avbtool info_image --image vbmeta-sign.img
Use make (with the below makefile) to sign vbmeta, boot, and recovery using a new key.
Flashed vbmeta, boot, and recovery.
Booted into recovery, saw that it worked, and did a factory reset.
Used magisk to patch recovery.img in the normal fashion, signed the patched recovery using the new key, and flashed the patched recovery.
Proceed to finish installing magisk in the normal fashion.
Notes:
rsa4096_vbmeta.pem is the private key mentioned in the Qin 2 Pro article.
The dhtbsign-vbmeta command is basically the dhtb signing python script from Qin 2 Pro article.
Here's the trivial patch for avbtool to dump the public keys.
Code:
--- avbtool 2020-02-22 22:11:55.107787032 -0500
+++ avbtool.dumpkeys 2020-02-22 22:15:36.046283077 -0500
@@ -1657,6 +1657,10 @@ class AvbChainPartitionDescriptor(AvbDes
Arguments:
o: The object to write the output to.
"""
+ kfd = open(self.partition_name, "w");
+ kfd.write(self.public_key);
+ kfd.close();
+
o.write(' Chain Partition descriptor:\n')
o.write(' Partition Name: {}\n'.format(self.partition_name))
o.write(' Rollback Index Location: {}\n'.format(
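Review bot: the added open(self.partition_name, "w") at the top of this print routine writes key material in text mode to a file whose name is taken straight from the parsed descriptor, in whatever the current directory happens to be. Open it with "wb" inside a with block, write under a fixed output directory (the makefile later reads these files from keys/), and reject a partition_name that contains a path separator, since that string comes from the image being inspected. The trailing semicolons are not needed in Python, and a file write hidden inside a print method would be easier to reason about behind its own command-line option.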
Here's the makefile I used for signing the images.
Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img
vbmeta-sign.img: Makefile avb4096_pkmd.bin keys/*
	avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
		--key ../rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
		--chain_partition boot:1:avb4096_pkmd.bin \
		--chain_partition system:3:keys/system \
		--chain_partition vendor:4:keys/vendor \
		--chain_partition product:10:keys/product \
		--chain_partition dtbo:9:keys/dtbo \
		--chain_partition recovery:2:avb4096_pkmd.bin \
		--chain_partition l_modem:5:keys/l_modem \
		--chain_partition l_ldsp:6:keys/l_ldsp \
		--chain_partition l_gdsp:7:keys/l_gdsp \
		--chain_partition pm_sys:8:keys/pm_sys \
		--chain_partition dtb:11:keys/dtb
	dhtbsign-vbmeta vbmeta.img vbmeta-sign.img
	@rm -f vbmeta.img
avb4096_pkmd.bin: avb4096.pem
	avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin
avb4096.pem:
	openssl genrsa -out avb4096.pem 4096
boot-sign.img: boot.img avb4096.pem
	cp boot.img boot-sign.img
	avbtool add_hash_footer --image boot-sign.img \
		--partition_name boot --partition_size 36700160 \
		--key avb4096.pem --algorithm SHA256_RSA4096
recovery-sign.img: recovery.img avb4096.pem
	cp recovery.img recovery-sign.img
	avbtool add_hash_footer --image recovery-sign.img \
		--partition_name recovery --partition_size 36700160 \
		--key avb4096.pem --algorithm SHA256_RSA4096
@jwehle, very grateful for your detailed sharing
Did you have any trouble getting the tablet to populate the fastboot devices list?
I have USB drivers installed and can view the tablet's internal storage when it's not in fastboot mode. She's plugged directly into the mobo and I've tried two cables.
When in fastboot mode, it comes up in the Windows Device Manager as fastboot Gadget and drivers are apparently not available. I've tried using Zadig to feed it a driver of some kind, but still nothing.
MissAyako said:
Did you have any trouble getting the tablet to populate the fastboot devices list?
I have USB drivers installed and can view the tablet's internal storage when it's not in fastboot mode. She's plugged directly into the mobo and I've tried two cables.
When in fastboot mode, it comes up in the Windows Device Manager as fastboot Gadget and drivers are apparently not available. I've tried using Zadig to feed it a driver of some kind, but still nothing.
Seems the issue was with Windows. I thought I would be able to get the unlock token with Windows and then use WSL to do the rest of the signing, but apparently not.
Luckily I had an old laptop lying around. I threw Linux Mint on it and it worked just fine.
It didn't seem to work just using a live USB; I had to install Linux to the hard disk, but YMMV.
jwehle said:
It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:
This was wonderful, thank you! I've added some of my own notes below as an experience of what I encountered when attempting this process myself (spoiler'd because it is a lot).
I do not have enough post count to add links, but titles of the relevant articles have been added.
Follow steps in Article "Guide: How to Unlock Xiaomi Qin 2 (Pro) and Install Custom ROMs" from step 1 to (and including) step 10 (Unlocking section).
Notes:
- A Linux PC is necessary.
- You'll have to mark the "fastboot" file from the "Android_device_unlock.rar" archive as executable (chmod +x).
- Run the "fastboot" file as root.
- Getting the "SPD Research Tool" to pick up the tablet and not let the tablet try to move to either the charging
screen or the bootlogo is difficult, but do-able. Press and hold Power+Vol_Up and release when Windows does its
USB device detected chime.
- Flashing takes a few minutes (I think around 300 seconds).
- The SPD Research Tool extracts the PAC file contents into a folder. Grab the system images from there.
- The "avbtool" is available to be cloned via git from Google's repo
- The avbtool is a python script that is patched with three lines of code at line 1776:
Code:
kfd = open(self.partition_name, "w");
kfd.write(self.public_key);
kfd.close();
- When you use the patched avbtool on the vbmeta-sign.img file you copied (avbtool info_image --image vbmeta-sign.img)
it will produce several partitions with relative public keys that need to be stored in separate files for the next step.
The contents of the files are simply the public key and the partition name as the file name. Store the files in a folder named "keys".
- When creating the makefile, ensure that proper indentation is used. The code segment below is properly formatted (hopefully). If you get make errors, remove and re-indent the lines.
- If your "rsa4096_vbmeta.pem" keyfile is not placed alongside the makefile, ensure the --key flag points to this file.
- The makefile exists in the same directory as the system images.
- I had to insert local paths to the avbtool, as it was not installed to the system PATH.
- The dhtbsign-vbmeta.py command is located below. Make sure to mark this as executable as well.
Everything else is rather straightforward.
# makefile
Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img
vbmeta-sign.img: makefile avb4096_pkmd.bin keys/*
	avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
		--key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
		--chain_partition boot:1:avb4096_pkmd.bin \
		--chain_partition system:3:keys/system \
		--chain_partition vendor:4:keys/vendor \
		--chain_partition product:10:keys/product \
		--chain_partition dtbo:9:keys/dtbo \
		--chain_partition recovery:2:avb4096_pkmd.bin \
		--chain_partition l_modem:5:keys/l_modem \
		--chain_partition l_ldsp:6:keys/l_ldsp \
		--chain_partition l_gdsp:7:keys/l_gdsp \
		--chain_partition pm_sys:8:keys/pm_sys \
		--chain_partition dtb:11:keys/dtb
	./dhtbsign-vbmeta.py vbmeta.img vbmeta-sign.img
	@rm -f vbmeta.img
avb4096_pkmd.bin: avb4096.pem
	avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin
avb4096.pem:
	openssl genrsa -out avb4096.pem 4096
boot-sign.img: boot.img avb4096.pem
	cp boot.img boot-sign.img
	avbtool add_hash_footer --image boot-sign.img \
		--partition_name boot --partition_size 36700160 \
		--key avb4096.pem --algorithm SHA256_RSA4096
recovery-sign.img: recovery.img avb4096.pem
	cp recovery.img recovery-sign.img
	avbtool add_hash_footer --image recovery-sign.img \
		--partition_name recovery --partition_size 36700160 \
		--key avb4096.pem --algorithm SHA256_RSA4096
# dhtbsign-vbmeta.py file (from "How I Unlocked Xiaomi Qin 2 Pro and Installed Phh GSI")
Code:
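#!/usr/bin/env python
# Wrap a vbmeta image in a 1 MiB file carrying a DHTB header with its SHA-256.
import hashlib
import sys

# Read the vbmeta image built by avbtool and hash it.
with open(sys.argv[1], "rb") as f:
    b = f.read()
sha = hashlib.sha256(b).digest()

# The makefile passes the output name as the second argument;
# fall back to the fixed name when it is omitted.
out = sys.argv[2] if len(sys.argv) > 2 else "vbmeta_signed.img"
with open(out, "wb") as f:
    f.write(b)
    # The header sits 512 bytes before the end of the 1 MiB file.
    f.seek(1048576 - 512)
    f.write(b'\x44\x48\x54\x42\x01\x00\x00\x00')  # "DHTB" followed by 01 00 00 00
    f.write(sha)
    f.write(b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00')
    # Writing the last byte extends the file to exactly 1 MiB.
    f.seek(1048576 - 1)
    f.write(b'\x00')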
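Before flashing, the output of the signing step can be checked against the layout that script writes. The following Python is an added example, not part of the thread or of the Qin 2 Pro article: it verifies the DHTB header of a wrapped vbmeta file and reports the AVB algorithm named in the payload. Reading the last four header bytes as the payload length is an assumption inferred from the script's constants (0x4000 matches the makefile's `--padding_size 16384`); the sample vbmeta is constructed.

```python
import hashlib
import struct

IMAGE_SIZE = 1048576               # file size produced by the script above
HEADER_OFFSET = IMAGE_SIZE - 512   # where the script seeks before writing "DHTB"
DHTB_MAGIC = b"DHTB"
AVB_MAGIC = b"AVB0"                # first bytes of a vbmeta image
AVB_ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096",
                  3: "SHA256_RSA8192"}


def wrap(vbmeta):
    """Build the same byte layout as the script, in memory, for the self-test."""
    out = bytearray(IMAGE_SIZE)
    out[:len(vbmeta)] = vbmeta
    # Assumption: the final u32 is the payload length (16384 in the script).
    header = (DHTB_MAGIC + struct.pack("<I", 1)
              + hashlib.sha256(vbmeta).digest()
              + b"\x00" * 8 + struct.pack("<I", len(vbmeta)))
    out[HEADER_OFFSET:HEADER_OFFSET + len(header)] = header
    return bytes(out)


def vbmeta_algorithm(image):
    """Algorithm named in the AVB header (big-endian u32 at offset 28)."""
    (alg,) = struct.unpack(">I", image[28:32])
    return AVB_ALGORITHMS.get(alg, "unknown(%d)" % alg)


def check(image):
    """Return a list of problems; an empty list means header and payload agree."""
    if len(image) != IMAGE_SIZE:
        return ["file is %d bytes, expected %d" % (len(image), IMAGE_SIZE)]
    problems = []
    header = image[HEADER_OFFSET:HEADER_OFFSET + 52]
    if header[:4] != DHTB_MAGIC:
        problems.append("no DHTB magic at offset 0x%x" % HEADER_OFFSET)
    (length,) = struct.unpack("<I", header[48:52])
    if length == 0 or length > HEADER_OFFSET:
        problems.append("implausible payload length %d" % length)
    elif hashlib.sha256(image[:length]).digest() != header[8:40]:
        problems.append("SHA-256 in DHTB header does not match payload")
    if image[:4] != AVB_MAGIC:
        problems.append("payload does not start with AVB0")
    return problems


def sample_vbmeta():
    """Constructed 16384-byte stand-in: AVB0 magic, version 1.0, algorithm 2."""
    head = AVB_MAGIC + struct.pack(">2I2QI", 1, 0, 0, 0, 2)
    return head.ljust(16384, b"\x00")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = wrap(sample_vbmeta())
    print(check(data) or "OK", vbmeta_algorithm(data))
```

Run with a file name to check a real vbmeta-sign.img, or with no argument to check the constructed sample.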
wuxianlin has build a twrp device for T701.
i think this will be a help .
Help me
Sir, help please, same problem on my device, same chipset, Symphony i95. Please sir, modify my pac file please....
wangyiling said:
Dear jwehle:
Good job. I have also modified the pac firmware file, which is based on the Chinese version firmware: T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1. re-sign the vbmeta img
2. delete fbe force encryption in vendor partitions
3. delete the script in system.img to prevent factory recovery restore
4. modify recovery.img to a magisk built-in recovery
Please use SPD_Research_Tool to flash the pac, change the android os language from Chinese to English, install the magiskmanager app, and then use the adb command (adb reboot recovery) to let the tablet reboot to recovery.
After the tablet reboots to android os again, open the magiskmanager app; you can see that magisk can get root authority.
For how to change the language from Chinese to English, please see the attached png file.
Considering that the Android os you are using is the English version (including Google services), according to the modification points above, you can try to use the vbmeta and recovery (built-in magisk) modified by your own signature, then delete the fbe force encryption and recovery restoration in the system and vendor images, then use the SPD_Research_Tool to package the imgs into a pac image, flash the pac image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use magisk to get root permissions.
twrp egg: https://mega.nz/#!YZ9VDZbT!1ptlOI6g3FS_ES-cLGhLy9ybGtdHQ8vzVHaasAXglXo
And lastly, thanks again to PeterCxy on xda and the other masters (sifu) on 4pda.
Can I just flash the pac without unlocking the bootloader?
Thanks in advance.
hidroela said:
Can I just flash the pac without unlocking the bootloader?
Thanks in advance.
Yes, just flash the pac.
wangyiling said:
Yes, just flash the pac.
I did unlock the bootloader, flashed the pac and followed the instructions for magisk to work, but after a third reboot root was gone.
I don't know what I am missing.

[DEV][WIN/LINUX] Amlogic Kitchen

Disclaimer:
The user takes sole responsibility for any damage that might arise due to use of this tool.
This includes physical damage (to device), injury, data loss, and also legal matters.
This project was made as a learning initiative and the developer or organization cannot be held liable in any way for the use of it.
Kitchen for working with Amlogic firmware
Used for unpacking/packing amlogic images
Supported features
Unpack/repack Amlogic images
Unpack/repack partitions (system,product,system_ext,oem and odm)
Create flashable zip from amlogic image
Unpack/repack recovery,boot,logo and dtb
Create aml image from supported flashable zips
Support for super image unpack/repack
Dump os from device through /mask mode
Note:
Ignore some errors with dtb (some conditions are missing), decompiling/compiling dtb should work fine.
This tool is tested only in some firmwares and devices.
There's no guarantee that packed flashable zips or amlogic images will flash successfully.
TODO:
....
Download : https://github.com/althafvly/AmlogicKitchen
Report issues: https://github.com/althafvly/AmlogicKitchen/issues
Flash-tool : https://github.com/althafvly/aml-flash-tool (Use Amlogic USB Burning Tool on windows)
Credits:
Base kitchen (vtx_kitchen) - Vortex
gnuwin32 and cygwin for linux binary ports
aml update tool - osmc
7-Zip - Igor Pavlov
ImgExtractor - unix3dgforce, blackeange and xiaoxindada
AIK - osm0sis
SuperImage tools - LonelyFool
Aml dtb, unpack tools - LineageOS
simg2img - anestisb
img2sdat, sdat2img - xpirt
simg2img - A.S._id
let me know if i missed anyone
Contribution:
If you want to contribute or fix something i broke, just fork and give a pull request with your changes
Support:
XDA is preferred for main discussion. But if you need any other support, check support group.
Reserved
How can I download it? It seems very similar to Vortex's kitchen.
kalehrl said:
How can I download it? It seems very similar to Vortex's kitchen.
You can clone the repo or download as zip from github. Yes this was done on top of vtx_kitchen
I just tried it. I unpacked level1 fine. When I tried level2, the terminal window didn't open. I realised I needed python for Windows so I installed it and level2 unpacked fine. Maybe add a notification to install Python. Level3 unpacked boot, logo and recovery but no dtb:
Spoiler: level3
1 file(s) copied.
Android Image Kitchen - UnpackImg Script
by osm0sis @ xda-developers
Supplied image: recovery.img
Setting up work folders . . .
Image type: AOSP
Splitting image to "split_img/" . . .
ANDROID! magic found at: 0
BOARD_KERNEL_CMDLINE androidboot.dtbo_idx=0 --cmdline root=/dev/mmcblk0p18 buildvariant=userdebug
BOARD_KERNEL_BASE 0x01078000
BOARD_NAME
BOARD_PAGE_SIZE 2048
BOARD_HASH_TYPE sha1
BOARD_KERNEL_OFFSET 0x00008000
BOARD_RAMDISK_OFFSET 0xfff88000
BOARD_SECOND_OFFSET 0xffe88000
BOARD_TAGS_OFFSET 0xfef88100
BOARD_OS_VERSION 9.0.0
BOARD_OS_PATCH_LEVEL 2018-08
BOARD_HEADER_VERSION 1
BOARD_RECOVERY_DTBO_SIZE 438
BOARD_RECOVERY_DTBO_OFFSET 15835136
BOARD_HEADER_SIZE 1648
Unpacking ramdisk to "ramdisk/" . . .
Compression used: gzip
20266 blocks
Done!
Failed
1 dir(s) moved.
1 dir(s) moved.
1 file(s) copied.
Android Image Kitchen - UnpackImg Script
by osm0sis @ xda-developers
Supplied image: boot.img
Setting up work folders . . .
Image type: AOSP
Splitting image to "split_img/" . . .
ANDROID! magic found at: 0
BOARD_KERNEL_CMDLINE androidboot.dtbo_idx=0 --cmdline root=/dev/mmcblk0p18 buildvariant=userdebug
BOARD_KERNEL_BASE 0x01078000
BOARD_NAME
BOARD_PAGE_SIZE 2048
BOARD_HASH_TYPE sha1
BOARD_KERNEL_OFFSET 0x00008000
BOARD_RAMDISK_OFFSET 0xfff88000
BOARD_SECOND_OFFSET 0xffe88000
BOARD_TAGS_OFFSET 0xfef88100
BOARD_OS_VERSION 9.0.0
BOARD_OS_PATCH_LEVEL 2018-08
BOARD_HEADER_VERSION 1
BOARD_HEADER_SIZE 1648
Warning: No ramdisk found to be unpacked!
Done!
Failed
1 dir(s) moved.
1 dir(s) moved.
dbg:res-img ver is 0x2
dbg:item level3\logo/bootup
dbg:item level3\logo/bootup_X3
dbg:item level3\logo/upgrade_bar
dbg:item level3\logo/upgrade_error
dbg:item level3\logo/upgrade_fail
dbg:item level3\logo/upgrade_logo
dbg:item level3\logo/upgrade_success
dbg:item level3\logo/upgrade_unfocus
dbg:item level3\logo/upgrade_upgrading
FATAL ERROR: Blob has incorrect magic number
Done.
Press any key to continue . . .
I tried _pack_zip_to_aml.bat but it says to install python from Microsoft store. I uninstalled the existing python, installed python 3.10 from MS store but it still doesn't work.
kalehrl said:
I just tried it. I unpacked level1 fine. When I tried level2, the terminal window didn't open. I realised I needed python for Windows so I installed it and level2 unpacked fine. Maybe add a notification to install Python. Level3 unpacked boot, logo and recovery but no dtb:
I tried _pack_zip_to_aml.bat but it says to install python from Microsoft store. I uninstalled the existing python, installed python 3.10 from MS store but it still doesn't work.
I have made some changes now. Download or pull from git and check. Fixed the python missing error not showing in windows. If it's still not extracting your dtb, then link me your firmware or _aml_dtb.PARTITION
I reinstalled Python but this time I selected 'add to path' option which is not selected by default. _pack_zip_to_aml.bat now works but I didn't try the resulting image. DTB still isn't extracted with the updated version of the tool. Vortex's kitchen extracts it fine.
I tried to test the image I made from ota.zip and when I try to unpack level2, I get this error while extracting the odm partition, while other partitions extract fine. Maybe because my ota.zip is encrypted, so maybe you can add some type of detection. Vortex's edition also errors out when unpacking odm with the same error.
Spoiler: log
.....................
Amlogic Kitchen
.....................
Select level 1,2 or 3: 2
Python 3.10.2
imgextractor: Vortex Edition
Traceback (most recent call last):
File "imgextractor.py", line 374, in <module>
File "imgextractor.py", line 360, in main
File "imgextractor.py", line 346, in __getTypeTarget
File "imgextractor.py", line 338, in checkSignOffset
OSError: [WinError 8] Not enough memory resources are available to process this command
[2700] Failed to execute script imgextractor
imgextractor: Vortex Edition
Convert product.PARTITION to product.raw.img
Extraction from product.PARTITION to product
imgextractor: Vortex Edition
Convert vendor.PARTITION to vendor.raw.img
Extraction from vendor.PARTITION to vendor
kalehrl said:
I reinstalled Python but this time I selected 'add to path' option which is not selected by default. _pack_zip_to_aml.bat now works but I didn't try the resulting image. DTB still isn't extracted with the updated version of the tool. Vortex's kitchen extracts it fine.
I tried to test the image I made from ota.zip and when I try to unpack level2, I get this error while extracting the odm partition, while other partitions extract fine. Maybe because my ota.zip is encrypted, so maybe you can add some type of detection. Vortex's edition also errors out when unpacking odm with the same error.
I have pushed a fix for dtb now. The odm error is mostly because it's an empty partition.
2 other kitchens extract the odm partition just fine. The one from CRB: https://forum.xda-developers.com/t/tool-windows-kitchen-crb-v3-0-0-beta14.3947779/ and another one from a Russian developer from 4pda. The partition isn't empty. How does this kitchen handle encrypted partitions? I think in the ota.zip I mentioned, boot and dt.img are encrypted. Vortex's kitchen recognises encrypted partitions and they have .enc suffix at the end. I tested with encrypted factory img for X99 Max + box.
kalehrl said:
2 other kitchens extract the odm partition just fine. The one from CRB: https://forum.xda-developers.com/t/tool-windows-kitchen-crb-v3-0-0-beta14.3947779/ and another one from a Russian developer from 4pda. The partition isn't empty. How does this kitchen handle encrypted partitions? I think in the ota.zip I mentioned, boot and dt.img are encrypted. Vortex's kitchen recognises encrypted partitions and they have .enc suffix at the end. I tested with encrypted factory img for X99 Max + box.
i havent tried any firmware with encrypted partitions yet. i will check soon
I can send you my ota.zip if you need it. Here you can find X99 max plus firmware: http://geekbuying.mediafire.com/fil...3_d4_sp6330_100m_20200917_r1(x99max+).7z/file
kalehrl said:
I can send you my ota.zip if you need it. Here you can find X99 max plus firmware: http://geekbuying.mediafire.com/fil...3_d4_sp6330_100m_20200917_r1(x99max+).7z/file
Now you can extract odm. I was using an old binary from Vortex. Now using the python script, same as the linux one. And I think your dtb is encrypted, not sure. I'm not able to extract yours. I can extract meson1 (also dtb). Added support for that.
The dtb I attached is not encrypted. It is from a SlimBox custom rom. I will send you the link to my ota.zip in which some files are encrypted, probably boot.img and dt.img. Other files should be fine.
EDIT: With the new version, dtb is decompiled successfully
althafvly said:
Dump os from device through adb/flash/mask mode
I've stumbled upon an interesting script for dumping fw via adb from [email protected] I think. Maybe I can send it to you to have a look and improve on it and make it available on github.
It seems that it doesn't extract Android 7.1 images correctly.
system/usr folder isn't extracted and the terminal window closes prematurely.
I tried this image which extracts fine with another tool:
0 byte folder on MEGA
mega.nz
New changes
- Allow user to select vortex/python for extracting firmware in windows
- Added support to dump firmware from mask mode
- Added support for firmwares with super.img
Note: I have only tested this on some firmware/devices. Report if there are any issues.
Create flashable zip from amlogic image
i created a zip can I flash this with or without wiping anything in twrp ?
failed with error 6
cali.s said:
Create flashable zip from amlogic image
i created a zip can I flash this with or without wiping anything in twrp ?
failed with error 6
Not sure which device and firmware you are talking about. It's better if you wipe before flashing, and it's best to flash the amlogic image if you have one.
I tried to dump_to_aml.sh Android 6 image but it failed:
[email protected]:/home/kalehrl/Templates/android/AmlogicKitchen# ./dump_to_aml.sh
Code:
.....................
Amlogic Dumper
.....................
Unpacking system
Repacking system
Repacking boot
Repacking recovery
Repacking logo
Enter a name for aml package:
ott
[ERR]f(AmlImagePack.cpp)L1312:Open pack image out/ott.img failed
Image pack FAILED
.....................
Done.
I can send you my TWRP backup of the original image to try if you have time.
kalehrl said:
I tried to dump_to_aml.sh Android 6 image but it failed:
I can send you my TWRP backup of the original image to try if you have time.
The dump to aml script isn't ready yet. I'm still testing it. I will check in my free time. This error is because the script isn't able to create ott.img. Try a different name or close any apps which are using that ott.img file.
