How To Guide DSU Sideloader for gaining temporary/permanent root, testing GSI's or installing GSI's Semi-permanently, pulling boot image, AND making your backups - OnePlus Nord N20 5G

Hello, I just wanted to post this as an answer to many questions regarding not being able to use DSU to install a GSI for testing or gaining root.
The DSU install in developer options is NOT what we are using for installing GSI's temporarily for pulling boot images. And won't work for that.
You can use DSU sideloader to install GSI's temporarily or use the sticky feature to make it semi-permanent. But if you plan on using the GSI long term make sure to set your userdata to a reasonable size because you're gonna want to install apps and download things. Take note that if you don't use the sticky feature, once you reboot the phone it goes back to your regular stock OS or whatever you were running on before and you lose everything in the GSI that you haven't saved to external media/sdcard/cloud. If you use the sticky feature you can reboot the phone and retain the GSI installation.
*This is NOT mine and I take absolutely NO credit for it and am just providing it here to make it easy to find for other N20 users and newcomers looking to pull their boot images to patch with magisk and root OR for testing GSI's.
If you want a permanent GSI install you will need to flash. BUT that being said, I have used the sticky feature to stay in a GSI for a few weeks. Definitely gonna want to set that user data pretty high if you wanna stay in one long term. This isn't the best way to install a GSI if you plan on staying in it permanently but it would work if you want to keep your stock installed in case of system failure for some reason.... Best to pull a FULL system backup while in a rooted GSI and save it to your PC or in the cloud.........PLEASE make that your #1 priority once you get root because NOBODY can help you restore your EFS partitions should you screw those up. They contain your IMEI and device-specific info that you can't get ANYWHERE else and NEVER will be able to either.
My suggestion is to install a prerooted GSI, then use Partitions Backup & restore app found here https://www.apkmirror.com/apk/wanam/partitions-backup/ or on playstore and change options to save the backups as RAW (.img), then open the folder they're saved to, /storage/emulated/0/Partitions Backups/, and use zarchiver or any other compression tool to compress them all into a single archive to save some space and make them easier to manage and/or upload. (You may want to change screen timeout/'turn off display after' in android settings to 30 mins to keep the screen from turning off while you do your backup because it takes a while; your stock full backup will be about 12gb after all the .img's are compressed.)
Now here's where you can find DSU sideloader and also a copy/paste from the github page:
GitHub - VegaBobo/DSU-Sideloader: A simple app made to help users easily install GSIs via DSU's Android feature.
DSU Sideloader
A simple app made to help users easily install GSIs via DSU's Android feature.
Requirements
Android 10 or higher
Unlocked Bootloader
Device with Dynamic Partitions
A GSI you want to use!
Community GSIs: https://github.com/phhusson/treble_experimentations/wiki/Generic-System-Image-(GSI)-list
Google GSIs: https://developer.android.com/topic/generic-system-image/releases
*Remember to use GSIs compatible with your architecture, vndk implementation.
You don't need root to use this app, however, running on non-rooted devices, requires adb (you will be prompted to run a shell script to invoke DSU installation activity)
Rooted devices via Magisk, should be running Magisk v24 or higher, older versions may break DSU feature.
We highly recommend using this app with Stock ROM, Custom ROMs aren't supported.
How to use?
Install app
When opening for the first time, you need to give read/write permission to a folder, create a new folder and allow access
*(this folder will be used to store temporary files, like extracted GSIs from compressed files)
Select a GSI to install
*accepted formats are: gz, xz and img
You can customize installation as you want
*like changing userdata size for dynamic system
*changing gsi file size is not recommended (let app do it automatically)
Tap on "Install GSI via DSU"
Wait until it finishes! (it may take some time)
Once it finishes, next step may vary:
On rooted devices, DSU screen will appear, prompting you to confirm installation, after that, check your notifications, DSU should start installing GSI
On non-rooted devices, you will be prompted to run a command in adb, once you run, DSU screen will appear asking you to confirm installation, after that, DSU should start installing GSI
Once dynamic system is ready, you can boot it through notifications
Other information
DSU feature may be broken in some ROMs.
gsid does not let you install GSIs via DSU when you have less than 40% of free storage.
gsid checks if selected GSI size is multiple of 512 (preventing corrupted system images).
If you have disabled/debloated system apps, make sure "Dynamic System Updates" app is not disabled.
To use "ADB mode" on rooted device, deny root permission.
About DSU
DSU (Dynamic System Updates), is a feature introduced on Android 10, that lets developers boot GSIs without touching current system partition, this is done by creating new partitions to hold a GSI and a separated userdata, to boot on them when desired.
Unfortunately, DSU depends on Dynamic Partitions (your device needs to support them, otherwise, it won't work), and most GSIs require unlocked bootloader to get them booting properly (since only OEM-Signed GSIs are allowed to boot on locked bootloader).
GSIs can be installed via DSU without root access, using ADB, running some commands, you can read more about installation process here: https://developer.android.com/topic/dsu
Once installation finishes, Android creates a persistent notification allowing you to boot into "Dynamic System" (GSI installed via DSU), and you can boot into installed GSI, without touching your system partition, or breaking the "real userdata" partition.
After booting Dynamic System, you can try and test whatever you want, when you need to switch back to device's original system image, everything you need to do, is just, a simple reboot!
When doing a long test that may require lots of reboots, this can be a pain; however, it is possible to enable "sticky mode", which enforces dynamic system instead of device's original system image. Once tests are done, you can disable sticky mode and return to original system image.
That is basically a quick explanation about DSU, an amazing feature, like a "dual-boot" solution, limited, however, very safe (since no read-only partition will be modified, and if GSI does not boot, just a simple reboot will return you to the original device's system image).
You can read more about DSU here: https://source.android.com/devices/tech/ota/dynamic-system-updates
How to enable Sticky Mode?
Reboot to Dynamic System, and:
use this command on adb: adb shell gsi_tool enable
or from local adb shell: gsi_tool enable
or from local rooted shell (eg. Termux on rooted GSI): su -c 'gsi_tool enable'
When sticky mode is enabled, device will always boot into dynamic system, instead of device's original system image.
To disable, use the same command, instead of enable, use disable
****Special Thanks To VegaBobo for this awesome app to make this a simple process And to AndyYan for the suggestion!!***
DSU Sideloader GitHub main:
GitHub - VegaBobo/DSU-Sideloader: A simple app made to help users easily install GSIs via DSU's Android feature.
DSU Sideloader Github Releases(downloads) [**Most will want to use the app-release.apk NOT app-debug.apk**]:
Releases · VegaBobo/DSU-Sideloader
Partitions Backup & Restore:
Download Partitions Backup & Restore APKs for Android - APKMirror
or on playstore at https://play.google.com/store/apps/details?id=ma.wanam.partitions
Please consider donating to the developers who work hard and spend their valuable time to provide these awesome apps/mods that bring joy to your life!
****Special Thanks To VegaBobo for this awesome app to make this a simple process And to AndyYan for the suggestion and time spent on mods/ROMs!!***
Also shout out to Wanam for this awesome backup tool that's STILL relevant and working as great as ever.
11/11/2022: received response from developer about the issues with DSU sideloader failing

Also remember that if you do a full backup from inside a sideloaded GSI and you ever have to restore that full backup(all partitions) including userdata.......... you will upon flashing all of it back return to the exact same state, booting into that GSI(or returning to your stock system after rebooting if that happens to be the case)

I already unlock bootloader
But still show install failed

Tin2233 said:
I already unlock bootloader
But still show install failed
fastboot flashing unlock after flashing the token?
Also make sure you're using the reboot button from notifications instead of your regular reboot through power menu. If you're unrooted you will HAVE to do the adb commands as directed in the app.
Also you may want to try different versions, vdklite or whatever of your chosen gsi. Make sure it's 64bit as well, binder64 may or may not work on this device.

PsYk0n4uT said:
fastboot flashing unlock after flashing the token?
Also make sure you're using the reboot button from notifications instead of your regular reboot through power menu. If you're unrooted you will HAVE to do the adb commands as directed in the app.
Also you may want to try different versions, vdklite or whatever of your chosen gsi. Make sure it's 64bit as well, binder64 may or may not work on this device.
I unlock bootloader before flashing the token
I use ADB to flash the token
and I execute as required
Only show notifications "installation failed "
Maybe it's because I'm using a Samsung device(support dynamic partition)
And I flash pixel experience gsi normal version(android 12 and 13 both fail)
Sorry my English is bad...

Tin2233 said:
I unlock bootloader before flashing the token
I use ADB to flash the token
and I execute as required
Only show notifications "installation failed "
Maybe it's because I'm using a Samsung device(support dynamic partition)
And I flash pixel experience gsi normal version(android 12 and 13 both fail)
Sorry my English is bad...
Tbh I'm not sure about samsung, but if it has a/b partitions it may be possible. Samsung has always been a weird device, as much as I've been a samsung fan over the years, I had to move away from samsung due to most everything being too locked down. I like to mod my devices and USA model samsung devices were the bane of my existence, having awesome hardware on the flagship devices yet not being able to do much of anything with them. I assumed you meant the oneplus Nord n20, but the sideloader works on many devices and I'm not sure about samsung. You may HAVE to use binder 32/64 or a completely different gsi build type for those devices and then again, it may not be possible at all on samsung. I've gotten rid of all my samsung devices so I can't even test to see if it's just samsung in general or simply something that needs to be done differently on your device. Have you tried using dsu in dev options? Will it let you install one of the different "supported" gsi's in dsu updater? Or does it fail? Also you have to make sure your inactive slot is empty for this to work either way. Also I mostly used odin when I was messing with my samsung devices so I couldn't tell you much in the way of fastboot operations in samsung devices.

Samsung's dev option no DSU....
Thank you
I understand

Ok, if there's no dsu option in dev options then you likely can't use this as it's a wrapper that lets you use that built-in function for sideloading things that aren't approved by the manufacturer.

I have the One Plus Nord N20 GN2200 with the bootloader unlocked and I was able to get DSU SideLoader to work a couple of times. Now no matter what I try I get "install failed," pretty much instantly. Also, even in developer options if I use the DSUs available for download, they are now stating "install failed." A couple days ago I was able to temporarily boot into one of the Android 13 Beta GSIs through developer options and this worked, so I am quite confused now as to what is preventing this from working. Do you have any ideas on what I can try to sort this out? I wiped all my data through recovery, and verified bootloader as being unlocked. The only thing I noticed is that secure boot is enabled on the fastboot menu on my phone. I am 100 percent certain that the bootloader is unlocked since Google Pay and other services are now not supported (since they detect bootloader as being unlocked) and phone clearly states Device State - UNLOCKED in Fastboot Mode. Lastly, I do have logs from DSU SideLoader, but I looked through them on the computer and they don't provide any valuable insight.

Have you rooted the device

PsYk0n4uT said:
Have you rooted the device
You're not alone in that, as ever since not long after rooting the device/modifying bootloader I haven't been able to sideload gsi's either. Not really sure what the issue is. But I'm pretty sure I never had that issue until another "system update" was available. So I'm not sure if it has anything to do with the system update that's been downloaded and that is always trying to install but failing being the culprit of DSU failing or not but that's my latest theory. If anyone knows where the updates are downloaded to maybe that would be a good place to start, by deleting the downloaded update and getting updates completely disabled so it's not perpetually attempting to install a system update that will never succeed so long as you're not completely stock. It seems looking over other threads for previous devices that others had this issue until updating to latest security patch. So this seems the likely culprit. Probably just need to delete the update that's waiting to be installed and sideload the gsi using DSU sideloader before it has a chance of attempting to update again.

alecstoner said:
I have the One Plus Nord N20 GN2200 with the bootloader unlocked and I was able to get DSU SideLoader to work a couple of times. Now no matter what I try I get "install failed," pretty much instantly. Also, even in developer options if I use the DSUs available for download, they are now stating "install failed." A couple days ago I was able to temporarily boot into one of the Android 13 Beta GSIs through developer options and this worked, so I am quite confused now as to what is preventing this from working. Do you have any ideas on what I can try to sort this out? I wiped all my data through recovery, and verified bootloader as being unlocked. The only thing I noticed is that secure boot is enabled on the fastboot menu on my phone. I am 100 percent certain that the bootloader is unlocked since Google Pay and other services are now not supported (since they detect bootloader as being unlocked) and phone clearly states Device State - UNLOCKED in Fastboot Mode. Lastly, I do have logs from DSU SideLoader, but I looked through them on the computer and they don't provide any valuable insight.
Secure boot has been enabled the whole time I was testing gsi's with dsu sideloader...... I'm pretty sure my July device has Pixel experience GSI hardflashed and secureboot is still enabled.

I was able to get this to work a couple of times, but now every installation attempt immediately fails. My bootloader is unlocked and I have tried other images as well, even unzipping as a raw system image to expedite the process. BUT... for the life of me, I just cannot get an install to actually finish anymore. I have tried doing a complete system format and wipe, to no avail. I have seen a couple of other people who have had this problem but can't find a solution anywhere. Any help would be much appreciated. Thanks
As an aside, I have not installed any updates so it SHOULD be working. If I can figure out the issue I'll post the solution.

alecstoner said:
I have the One Plus Nord N20 GN2200 with the bootloader unlocked and I was able to get DSU SideLoader to work a couple of times. Now no matter what I try I get "install failed," pretty much instantly. Also, even in developer options if I use the DSUs available for download, they are now stating "install failed." A couple days ago I was able to temporarily boot into one of the Android 13 Beta GSIs through developer options and this worked, so I am quite confused now as to what is preventing this from working. Do you have any ideas on what I can try to sort this out? I wiped all my data through recovery, and verified bootloader as being unlocked. The only thing I noticed is that secure boot is enabled on the fastboot menu on my phone. I am 100 percent certain that the bootloader is unlocked since Google Pay and other services are now not supported (since they detect bootloader as being unlocked) and phone clearly states Device State - UNLOCKED in Fastboot Mode. Lastly, I do have logs from DSU SideLoader, but I looked through them on the computer and they don't provide any valuable insight.
Did you get this figured out? I am having the exact same issue.

kbmonday said:
Did you get this figured out? I am having the exact same issue.
Hey man, unfortunately I have not.

I have found a possible explanation. The security patch was installed automatically without my knowledge 2 days ago. I'll try to revert and see what happens.

check this out

PsYk0n4uT said:
check this out
I attempted this fix, but it didn't help in my case. On a more positive note I did find out what the issue is, but I don't really know how to fix it:
[liblp]Invalid partition metadata header table size.
11-12 19:52:11.495 10973 10976 E gsid : Could not read metadata file /metadata/gsi/dsu/dsu/lp_metadata
11-12 19:52:11.495 1901 7313 I DynamicSystemService: Failed to install userdata
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: java.io.IOException: Failed to start installation with requested size: 42949672960
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: java.io.IOException: Failed to start installation with requested size: 42949672960
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: at com.android.dynsystem.InstallationAsyncTask.installUserdata(InstallationAsyncTask.java:334)
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: at com.android.dynsystem.InstallationAsyncTask.doInBackground(InstallationAsyncTask.java:186)
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: at com.android.dynsystem.InstallationAsyncTask.doInBackground(InstallationAsyncTask.java:46)
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: at android.os.AsyncTask$3.call(AsyncTask.java:394)
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:305)
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: at java.lang.Thread.run(Thread.java:923)
11-12 19:52:11.501 10973 10976 E gsid : [liblp]Invalid partition metadata header table size.
11-12 19:52:11.501 10973 10976 E gsid : Could not read metadata file /metadata/gsi/dsu/dsu/lp_metadata
11-12 19:52:11.508 10567 10567 D InstallationAsyncTask: onPostExecute(), URL: file:///storage/emulated/0/dsu/workspace_dsuhelper/lineage-20.0-20221111-UNOFFICIAL-arm64_bvS.img.gz, result: 3
11-12 19:52:11.509 10567 10567 D DynSystemInstallationService: status=NOT_STARTED, cause=ERROR_IO, detail=java.io.IOException: Failed to start installation with requested size: 42949672960
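Added example (not part of the post above, and not code from DSU Sideloader or AOSP): a small Python triage script that pulls the key facts out of a DSU "install failed" logcat like the one posted. The function names are hypothetical, the patterns are derived only from the message strings visible in that log, and the sample lines are copied from it.

```python
import re

# Sample input: lines copied from the logcat excerpt in the post above.
SAMPLE_LOG = """\
11-12 19:52:11.495 10973 10976 E gsid : Could not read metadata file /metadata/gsi/dsu/dsu/lp_metadata
11-12 19:52:11.495 1901 7313 I DynamicSystemService: Failed to install userdata
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: java.io.IOException: Failed to start installation with requested size: 42949672960
11-12 19:52:11.498 10567 10965 E InstallationAsyncTask: at com.android.dynsystem.InstallationAsyncTask.installUserdata(InstallationAsyncTask.java:334)
11-12 19:52:11.501 10973 10976 E gsid : [liblp]Invalid partition metadata header table size.
11-12 19:52:11.501 10973 10976 E gsid : Could not read metadata file /metadata/gsi/dsu/dsu/lp_metadata
11-12 19:52:11.508 10567 10567 D InstallationAsyncTask: onPostExecute(), URL: file:///storage/emulated/0/dsu/workspace_dsuhelper/lineage-20.0-20221111-UNOFFICIAL-arm64_bvS.img.gz, result: 3
11-12 19:52:11.509 10567 10567 D DynSystemInstallationService: status=NOT_STARTED, cause=ERROR_IO, detail=java.io.IOException: Failed to start installation with requested size: 42949672960
"""

# logcat "threadtime" layout: date time pid tid level tag: message
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.+?)\s*: (?P<msg>.*)$"
)
# Message patterns, taken from the strings that appear in the posted log.
SIZE_RE = re.compile(r"Failed to start installation with requested size: (\d+)")
META_RE = re.compile(r"Could not read metadata file (\S+)")
LIBLP_RE = re.compile(r"\[liblp\]\s*(.+)")
STEP_RE = re.compile(r"Failed to install (\w+)")
STATUS_RE = re.compile(r"status=(\w+), cause=(\w+)")
RESULT_RE = re.compile(r"onPostExecute\(\), URL: (\S+), result: (\d+)")


def parse_line(line):
    """Split one threadtime line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _add_unique(items, value):
    if value not in items:
        items.append(value)


def triage(log_text):
    """Collect what the log says about a failed DSU installation."""
    s = {"first_error_ts": None, "failed_step": None, "requested_bytes": None,
         "requested_gib": None, "metadata_unreadable": [], "liblp_errors": [],
         "status": None, "cause": None, "image": None, "result_code": None,
         "errors_by_tag": {}}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # untagged or wrapped line
        msg, tag = rec["msg"], rec["tag"]
        # Java stack frames repeat the tag; do not count them as new errors.
        if rec["level"] in "EF" and not msg.lstrip().startswith("at "):
            s["errors_by_tag"][tag] = s["errors_by_tag"].get(tag, 0) + 1
            if s["first_error_ts"] is None:
                s["first_error_ts"] = rec["ts"]
        if (m := SIZE_RE.search(msg)) and s["requested_bytes"] is None:
            s["requested_bytes"] = int(m.group(1))
            s["requested_gib"] = round(s["requested_bytes"] / 2**30, 2)
        if m := META_RE.search(msg):
            _add_unique(s["metadata_unreadable"], m.group(1))
        if m := LIBLP_RE.search(msg):
            _add_unique(s["liblp_errors"], m.group(1))
        if (m := STEP_RE.search(msg)) and s["failed_step"] is None:
            s["failed_step"] = m.group(1)
        if m := STATUS_RE.search(msg):
            s["status"], s["cause"] = m.group(1), m.group(2)
        if m := RESULT_RE.search(msg):
            s["image"], s["result_code"] = m.group(1), int(m.group(2))
    return s


def render(s):
    """Short human-readable report built only from fields found in the log."""
    out = [f"first error at : {s['first_error_ts']}",
           f"failed step    : {s['failed_step']}",
           f"requested size : {s['requested_bytes']} bytes ({s['requested_gib']} GiB)",
           f"final status   : {s['status']} / {s['cause']}",
           f"image          : {s['image']}"]
    out += [f"unreadable     : {p}" for p in s["metadata_unreadable"]]
    out += [f"liblp          : {e}" for e in s["liblp_errors"]]
    out += [f"errors from {t}: {n}" for t, n in s["errors_by_tag"].items()]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(triage(SAMPLE_LOG)))
```

To run it on a real capture, save the output of `adb logcat -d -v threadtime` to a file and pass its contents to `triage()`.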

Tin2233 said:
I unlock bootloader before flashing the token
I use ADB to flash the token
and I execute as required
Only show notifications "installation failed "
Maybe it's because I'm using a Samsung device(support dynamic partition)
And I flash pixel experience gsi normal version(android 12 and 13 both fail)
Sorry my English is bad...
Hey, I noticed ONE step you were lacking in your steps taken to unlock your bootloader. Did you remember to flash the DM-Verity disabler? For most android 12 devices, it has become CRITICAL that you disable this, if you unlock your bootloader AND install a custom recovery! You don't have to do it, if just rooting, but if you installed TWRP (or other non stock recovery), with dm-verity still enabled, you will basically brick your device. DM-verity uses its RSA key hash to verify ANY partitions blocks AS THEY ARE ACCESSED! Meaning it does its security checks in real time, and if it sees a single block has been changed, it will get a different hash response and will stop your progress dead in its tracks! Sometimes without warning, and if your device was in the process of attempting a GSI/GSU flash, then the recovery partition would fail DM-Verity's checks, which when a partition's data fails to match EXACTLY to the hash/signature that it is expecting, it is already loading as a low level flasher, and does not have any protection thru Fastboot or EDL, to roll the "currently being installed" CHANGES TO THE FILE SYSTEM, back! It just crashes itself leaving your device with partitions mismatching, data corrupted, and chaos ensuing cuz you might have a new kernel, custom recovery, and old stock image all simultaneously existing on your main partition. You see how that would be a nightmare? And with Oneplus starting to push security updates without permission, you will slowly see more and more Fastboot functionality removed, until it's like my 10T 5G - that has NO fastboot at all other than "FASTBOOTd" which is actually just a glorified recovery. No flashing capability, unless specific permissions are enabled in the HAL config... (which can't be done without unlocked bootloader, root, and a bootable device!)
But make no mistake... they are coming for your bootloader! If you haven't unlocked and you are considering, I would advise EVERYONE to flip that dev option toggle, and unlock while you can! Cuz once they remove your access to fastboot, you are at the mercy of hoping an exploit becomes available to circumvent system checks, and let you downgrade. Although most downgrades will STILL keep the radio fw and others used for informing the OS that you have updated those components. Here's more about DM-Verity, but make note, that EVERY Android 12 device, (android 11 and 10 as well) has DM-Verity ENABLED from the factory. So all you bootloader unlocking, custom recovery flashing, ROM flashing ladies and gents out there, ALWAYS REMEMBER to read the details, and responses from ppl who might be having problems, cuz not one problem with these devices is UNIQUE! Some ppl may just not have attempted whatever triggers the error. But 'DM-VERITY' will brick your device, mid flash if it doesn't get the response it was expecting, to verify that your partitions aren't corrupt or modified!
To me, THIS would almost definitely apply to your situation, because ESPECIALLY Samsung devices, but others as well, have DM-verity, and VB_meta active, and those are parts of the Trust Zone's secure boot library! And if they don't like what you're doing, they will MAKE SURE that you are stopped, and also make sure that you can never do it again! (Or at least make it damn hard to try again, such as what it sounds like is happening to you!)
Hope some of that info helped you discover what may be the problem.
DM-Verity

ScarletWizard said:
I'm afraid to attempt root. Today I unlocked bootloader. I have the oct 5 OTA update. Has anyone achieved root with the latest ota update
UPDATE. I have Lineos sideloaded with DSU 1.02 feb 18
DOES THIS MEAN I'M ROOTED TEMP? AND MAY SOMEONE show me a guide to back up partition
apparently im not rooted, The GSI is not prerooted?
where can i get a prerooted GSI?lin
So I think lineage has a version that's prerooted I may be wrong tho.... I'm almost positive they do tho. Look for a version that has bgs or bvs ... Also u need phhusson's su binary/root app for it to work in any of the roms using phhusson patches which I believe lineage posted on the phhusson GSI GitHub page DOES. U won't use magisk with it. But u will use magisk later after pulling your partitions if that's the route you choose to go in rooting ur device and since there are no roms built yet it seems to be nearly the only option for now but u need the root app for root to work in those gsi's as it's not included even if it's prerooted. I used crdroid which was rooted by default and I can't remember if I had to use the phhusson root app/su binary or not but I think maybe I didn't need to with crdroid it's been a while tho so I can't recall...... If u look at the notes when downloading the lineage gsi it tells u that the root app isn't installed by default or the GSI doesn't come with it even tho it's prerooted and u need it to handle root requests

Related

Shield TV 7.2 developer update, downgrade and other things

Important notice! : iLLNiSS made me aware of a serious risk!
If you play with the firmwares manually and not with the flash all bat then DO NOT flash the blobs!
These are the actual bootloader files and stuffing up here will cause a hard brick!
I have to stress this out as it is serious thanks to not having working APX drivers and flashing programs for the Shield!
For starters, I uploaded a copy of the 7.2 developer firmware here:
7.2 developer ZIP on Dropbox
It is the full 1.1Gb update and not the 422mb block based one.
I have done some extensive tests since the first block based update wrecked my rooted Shield.
Some of it will end up in this post as info for everyone.
But lets start with what seems to be the problem for a lot of users right now who run a rooted Shield : Fixing the problem
A downgrade is officially not supported by Nvidia but my tests showed it works just fine if you only go back to the 7.1.
So far my tests showed different sources for a Shield no longer working after the OTA.
1. The device had an unlocked bootloader and you got the 422mb block update.
This would have stuffed your bootloader and the Shield won't go past 1/4 on the progress bar for the update.
You are in luck as just flashing the 7.1 bootloader will fix it.
After that just dismiss the update and change the settings to manual updates.
2. Your device was already fully rooted and you got the full update that resulted in your Shield doing all sorts of things but nothing properly anymore.
As long as your apps are still there and the Shield is still somehow usable you are lucky again.
A downgrade to 7.1 will fix it, I will explain the steps required further down.
3. You made big mods, used Magisk or other rooting tools and now your Shield complains that your system is corrupt.
Bad luck if your bootloader is locked as you lose it all.
Lucky if the bootloader is unlocked as you might be able to keep most if not all during the downgrade.
General words of warning:
Even if your bootloader was unlocked from day one I can not guarantee that the downgrade will keep all settings, apps, databases and so on.
For me it works fine as I kept all vital databases on external storage.
The procedures are all based on the developer firmware, on the stock firmware some things can still be done but then again you should not have more than software problems.
On the stock firmware the bootloader is locked by default and you can use some things required to downgrade due to the restrictions of a stock system.
General downgrade procedure for the developer firmware to get back to 7.1 :
If the update did get stuck on the progress bar early on and a reboot won't fix it so you can dismiss the update you just follow the steps.
If you can reboot into the 7.1 then just dismiss the update.
Trust issues or corruption warnings at boot but an otherwise working shield on 7.1 require to flash the 7.1 bootloader again.
In some cases it is possible to skip the corruption warning with a connected controller.
A reboot once you got to the homescreen will determine how bad it is.
Reboot goes fine: You are good.
Reboot keeps nagging with warnings other than the unlocked bootloader: Downgrade.
The downgrade is only required if you have problems or the Shield already runs on the 7.2!
In almost all other cases just flashing the 7.1 bootloader is sufficient.
Fixing a stuffed Shield by sideloading the 7.1 firmware while keeping all apps and things:
Enable USB debugging and allow the connections for the computer if you still have access to the settings.
Otherwise you need to flash the 7.1 fresh and might lose vital things that need to install again.
Reboot into the stock recovery, if you use TWRP flashed on the Shield already then please flash the recovery from the 7.1 firmware first.
Hook up the controller and pressing A or B should get you into the normal recover screen past the dead droid.
ADB sideload XXX - where the xxx stands for the filename you have for the developer ZIP.
After the reboot you should be back on your 7.1 homescreen and can dismiss the 7.2 update.
Also change the update settings while at it.
Fixing a fully stuffed Shield and then downgrading to the 7.1 firmware:
If all went down south then you tried a few things and realised there is no way to get your data back and even less to prevent the 7.2 update.
Installing the 7.1 from scratch forces the setup wizard and before you can get anywhere you need to update to 7.2
So much easier to use the linked 7.2 update from above until Nvidia provides it on their download servers.
A vital thing to do is to keep the bootloader locked!!
Same for NOT having TWRP installed on the Shield!
If in doubt flash the 7.1 boot and recovery partitions first then go back into the stock recovery and wipe the cache.
Coming from a stock developer firmware with just an unlocked bootloader you are good to go.
Sideload the 7.2 update.
Unplug when the reboot starts and go into fastboot to lock the bootloader: Fastboot oem lock.
This is a vital step as the new kernel otherwise could ruin the completion of the install.
Ignore the double hassles and go through the wizard so you can enter the settings again to enable the developer mode and USB debugging.
Unlock the bootloader so you can do it all again. Last time, I promise!
Once you have both the bootloader unlocked AND the Shield in a usable condition past the setup wizard:
Reboot into the recovery to sideload the 7.1 firmware.
After the next reboot you are back on the 7.1 homescreen directly and can dismiss the update.
Possible tricks that can help you to prevent the installation of the 7.2 update if you come from a fresh 7.1 install instead:
Don't allow the reboot and instead use ADB to reboot into the recovery.
Wipe the cache - this will remove the scripts required to start the update after the reboot.
The next reboot should bring you back to the homescreen where you can stop the new download of the update and change the update settings.
TWRP, full root and new security measures in 7.2:
The 4.9 kernel used also makes use of a Fstab configuration that no longer includes the system partition.
This and other restrictions currently make the normal use of Magisk impossible.
With no system partition available to Magisk the changes in the boot process come to a stop and the Shield gets stuck during boot.
The added restrictions also make it very, very hard to manually add SU and busybox.
At least without getting the corrupt system popup on every boot and finding out that a lot of things still don't work properly.
A final 7.2 firmware is said to be available on the download servers today.
If this final is no different from the current OTA then it will not be of any use for users requiring a fully rooted device.
With the stock recovery still using the old kernel all attempts to use recovery functions to alter the system for rooting fail as well.
Can't blame the company as all this is part of Google's revamp of security and closing backdoors and loopholes for possible attackers.
Personally I think it is Googles way of keeping control over devices they don't actually own.
Anyways I did make some little progress:
Plans for the near future:
Security is good but I like to know what my Android devices are doing and especially what Google likes to collect if I can not find ways to stop it.
So I will not try to use any backdoors or security vulnerabilities in the new kernel to allow a full root on my Shield.
I will go the route I know best: Manual labour
The bootloader is already fixed to allow what we are used to from previous developer firmwares.
As SU and busybox can not be manually entered at this stage I will try to include them directly in the stock 7.1 firmware while renaming the OTA updater to have it a bit easier.
Assuming that works as expected I will do the same on the 7.2 firmware and compare the corresponding scripts and so on.
If the standard SU still works on an "unlocked" 7.2 I should be able to adjust the Magisk ZIP accordingly to implement it into the bootloader.
Only need to figure out if Magisk then has enough rights to work and the system is still happy to accept the changes.
I only have the 16Gb 2017 model to work with but since the bootloader seems to be same for all Shield models I think if it works then it should do so for all models.
In the meantime I hope the infos here will help some people to get their shield back without the need to send it in.
Update 25/12/18: I got TWRP working on 7.2
This is only true for the 2017 model though as I have only this for testing.
Currently creating a backup to the internal storage.
If the restore works then I will upload the new TWRP - for the said model only!
Give me a day or two to fix it for the other models too.
There is progress on the rooting front as well.
Created new scripts for my kitchen to be able to handle the new file_context thing.
A fully pre-rooted and totally unsecure (in terms of ADB, DM-verity and such) firmware is already cooked, just did not dare yet to try it out as I have a real life job too.
As for the pre-rooted firmware:
Things have changed quite a bit with the new kernel in terms of "just adding SU or Magisk".
Magisk might see an update for this problem soon, SU however seems to totally fail on two levels.
So far I was unable to do a full install of the modded firmware.
Flashed all at once and the boot just hangs.
Bootloader, reboot, then the rest seems to work.
At least for the basic install of the system.
If I add SU and busybox the system still ends up with a corrupt notice during boot and then it fails.
Tune in over the next few days for progress updates at the end of the thread.
Major developments will be added right here.
Just a matter of finding the last restrictions.
Once that is done Magisk should be possible as well.
Ok, TWRP boot fine, does a backup but fails to restore the system to a bootable state.
Will now check if at least installing a zip works.
Well, it did not, so TWRP has to wait a few more days
I edited post 3 with instructions on how to "unbrick" and go back to 7.1.
Update 27/12/18: A friend of mine found some interesting stuff.
A 7.2 firmware offering a pure Android without any TV stuff but also a full root possible.
I hope he will share his finding here soon or allow me post it all in his name.
For now let's just say: It really works if done the right way!
Full write rights, installing Magisk modules and all.
All thanks to an undocumented flaw in the device security structures, so even without any hidden backdoors or such LOL
Update: Whiteak was so kind to provide a working root solution in post 36, please check it.
I can confirm it is working as promised.
So the credits for this one go to Whiteak and the credits for the idea and use of the DTB file to Zulu99 - great idea!
To prevent any problems I advise to perform a factory wipe after the install and before the first boot.
Switch to the stock recovery to do this then boot as normal and enjoy.
A complete firmware with the required mods is sitting on my PC just waiting for the idiot behind the keyboard to figure out how to pack it properly for flashing.
Once that problem is sorted and also TWRP working again things will get a lot easier.
Annoying update:
I was not able to confirm my web findings on the 7.2 firmware's bootloader but it seems other devices running the same type of kernel and bootloader are a bit lost now.
AVB is fully implemented on the latest level.
(Again I am working on confirming or denying these findings!)
This means any alteration to vital parts of the system will fail with a corruption warning or worse.
Custom recovery access is limited if not fully restricted.
But even if it works you still need a firmware to flash that either is able to disable all this crap, hoping the bootloader alone will allow it, or
to hope Nvidia will provide a future bootloader update with these restrictions removed.
We can not downgrade the bootloader and even if there is some old one out there that would actually be flashable the risk is high to end with a brick anyway.
The DTB, at least in my tests, gives us the required system wide write access but I have no information about the AVB verified boot other than that Zulu99's firmware works.
But if it was compiled with the NVidia developer suite then it will be signed accordingly so the bootloader accepts it.
Could not find any info on how his firmware was actually created.
It gives me the hope though that once I have a fully working TWRP again that my modded 7.2 will work as expected and with no restrictions anymore.
Thanks for the info.
Edit: Will use this post to list options to recover the Shield if all seems lost.
As a result of far too much rom cooking and mods I needed a 100% working way to recover the Shield in case things turn very ugly.
So lets sum up what I define as very ugly when playing with firmwares:
1. Firmware installed but the Shield just hangs on the logo.
2. Firmware installed and now the system is corrupt and even if it boots it takes forever to get around the nag screens.
3. Firmware downgrade attempted but now the Shield won't even boot anymore.
4. Anything that would qualify for a soft brick.
My worst case when I only got a flashing white screen after trying to restore a TWRP backup under 7.2.
There are many ways that work for a variety of boot problems but it takes too long to list all cases I encountered with a list of fixes that work or a comment that only the below way works.
So just to be clear here: This is not for any recovery purpose other than fixing what can't be fixed through a factory reset or fresh flashing of the firmware!
1. Get the Shield into Fastboot mode: Connect wired controller and male to male USB cable.
2. Power the Shield up while holding A and B on the controller.
Keep holding until you see the fastboot menu on the screen.
3. Install the 7.1 recovery firmware for your Shield type after unpacking it.
With Fastboot connection working type: flash-all.bat and hit enter.
4. Keep an eye on the progress!
5. Once the Shield is finished and reboots, hold the A and B buttons on the controller again to enter fastboot mode!
Do not let the Shield boot up other than into the fastboot mode!
6. Lock the bootloader! Fastboot oem lock
Confirm with the controller, then go down and select the recovery kernel.
7. Once the dead droid is on the screen press B on the controller to enter the real recovery.
If B does not work try A
8. Select the factory reset option to wipe all!
9. Once the wipe is done you can boot into 7.1 as normal again.
10. With a bit of chance you might even get directly to the homescreen if the previous setup was completed.
If you need the full setup wizard again and are forced to update to 7.2 then at least the update will work fine this time around.
In case you desire to go back to the 7.1:
If you just finished the above only to end with the 7.2 then set it up and flash the 7.1 - you won't get the setup wizard again and can skip the update.
If you are on a working 7.2 that was updated the OTA way but want to go back:
1. Install the 7.1 firmware.
2. Lock the bootloader.
3. Boot and then skip the update to 7.2.
Any idea what to do if the Shield sticks at the NVidia logo when you select Recovery from Fastboot? I reflashed boot and got the same result.
psycho_asylum said:
Any idea what to do if the Shield sticks at the NVidia logo when you select Recovery from Fastboot? I reflashed boot and got the same result.
It won't work from fastboot.
Fastboot operates on a different level and calling the recovery from there lets it end up in nowhere with no access to the system.
You need to boot into recovery through ADB as (for the new model) without a power button and usable hardware buttons we can't get into it otherwise.
Having said that, the fastboot way should still work with an unmodified bootloader.
When the dead droid is on the screen the recovery should be available after pressing the A button on the wired up controller.
But during my tests on 7.2 it did not always work, so you might have to try a few times and also try the B button.
Downunder35m said:
It won't work from fastboot.
Fastboot operates on a different level and calling the recovery from there lets it end up in nowhere with no access to the system.
You need to boot into recovery through ADB as (for the new model) without a power button and usable hardware buttons we can't get into it otherwise.
Having said that, the fastboot way should still work with an unmodified bootloader.
When the dead droid is on the screen the recovery should be available after pressing the A button on the wired up controller.
But during my tests on 7.2 it did not always work, so you might have to try a few times and also try the B button.
I have not been able to get to the dead droid screen.
Downunder35m said:
For starters, I uploaded a copy of the 7.2 developer firmware here:
7.2 developer ZIP on Dropbox
It is the full 1.1Gb update and not the 422mb block based one.
(snip)
Thanks for posting this, but please note that this firmware is only for the 2017 16GB model and cannot be used with a 2015 or Pro model.
I just got a 7.2.1 update that forced me to update. Wouldn't give me an option to skip it... As soon as I turned on my Shield, it said something about the 7.2.1 update and then rebooted and installed.
I was holding off on updating too so I didn't lose root. Now I'm unrooted and am unable to get Magisk working again until I can get my hands on a 7.2.1 bootloader... Bleh.
Weird, I am not getting the 7.2.1 at all here.
And since yesterday the OTA only tries the block based but not the full image.
AthieN said:
I just got a 7.2.1 update that forced me to update. Wouldn't give me an option to skip it... As soon as I turned on my Shield, it said something about the 7.2.1 update and then rebooted and installed.
I was holding off on updating too so I didn't lose root. Now I'm unrooted and am unable to get Magisk working again until I can get my hands on a 7.2.1 bootloader... Bleh.
I was able to downgrade using the 7.2 image after setting up the device on 7.2.1 OTA just make sure you disable automatic updates
Thanks downunder this kind of in-depth info is always appreciated man........i like to learn these kind of things, having bits here and bits there gives a better picture of the whole, while also giving us up to date current info.
Thanks for taking the time to write this :good:
---------- Post added at 07:35 AM ---------- Previous post was at 07:27 AM ----------
Edit
Hi downunder, could you confirm i have this correctly
With no access to fastboot thus no twrp or root, are you implying, assuming you're able to inject root into stock firmware, that, i'd be able to flash this stock+root rom in STOCK recovery, which i do have access to?
Edit: im under the impression that stock firmware zips are checked by stock recoveries, so modifying a stock firmware zip tends to fail this check and thus wont install/flash.......which makes me think im misunderstanding here......or just hoping im not
If so, im interested
Edit
i just read your second post which near enough answers my curiosity, so that'll teach me to read beyond the first post before asking answered questions ........even if the post excites me............ahhh, who am i kidding, i'll probably do it again........the equivalency of a mental post boner........not controllable
Sorry for the disgusting analogy
SyberHexen said:
I was able to downgrade using the 7.2 image after setting up the device on 7.2.1 OTA just make sure you disable automatic updates
Did I understand it correctly? You successfully downgraded from 7.2.1 to 7.2?
ErAzOr2k said:
Did I understand it correctly? You successfully downgraded from 7.2.1 to 7.2?
Yes,
Just ran flash all from the bootloader. For the newly released 7.2 developer_rooted factory image.
As long as we don't jump to Android 9 we should always be able to downgrade through a full factory firmware.
Once Android 9 comes this might not work anymore due to the massive changes involved for the boot and system checks.
@banderos101: Unless you really did something bad you should always be able to enter the fastboot mode to flash a full firmware.
If I have some time after xmas I will have another look on the options of signing the zip properly or simply to fake it.
Biggest problem will be to generate the correct SHA checksums once all is installed so I can use the same checksums in the check files.
The bootloader needs them to identify the system and vendor as genuine.
The system needs them to confirm all is actually unmodified as otherwise all fails to boot at some stage.
Modding a proper userdebug firmware is not really that hard, but converting a release version that also is a true and secure user release...
Lets just say that it won't be an easy task.
As it looks like the kernel is a keeper I might have to figure something out unless TopJohnWu won't enjoy a break after his exams and works on a way to get Magisk working with our kernel.
At least I figured out why the recovery trick isn't working for me.
The system partition is not mounted for the sideload mode.
To apply an update the stuff is written directly onto the partition, so no file level access left to play with and break things
In comparison you could say the shield is now like a modern car with keyless operation only.
You know you can start it with ease, if you only could the remote that you left in the drivers seat when you locked the door
SyberHexen said:
Yes,
Just ran flash all from the bootloader. For the newly released 7.2 developer_rooted factory image.
Just wondering what is achieved by going back to 7.2?
What do you mean "going back"?
Right now the 7.2 is the official and latest firmware.
I was unable to get my hands on the 7.2.1 but guess it might have been a test version for certain models only.
I wasted a few hours trying to fix the system image.
First stage was only to get the basic "features" back, like full ADB support, enabling the support to use SU and busybox....
Just what is required to actually allow these nice apps we like to gain root to work.
This backfired badly as right after the start the bootloader complained about the system being corrupt and no override to get past this worked.
So of course I then removed the known restrictions from the bootloader...
As you guessed it the damn thing then did not even boot at all, just jumped right into the (locked) recovery mode.
A half decent comparison with my last manual root on a tv box that was a success showed I still did the right things...
If anyone wondered why we needed a new bootloader for the support of smart helpers and some codes stuff:
We didn't as all this could have been done with the 7.1 bootloader as well.
Since my root attempts so far all ended either in disaster or in a root access that failed shortly after/corrupted the system, I took a look of the general kernel changes that were published for other devices.
Before I could find anything meaningful I realised the 4.9 kernel is actually a requirement for Android Pie!
With that info sorted I started digging into the new "security" features Pie can offer.
I will try to keep it simple and to the stuff that actually concerns us for rooting purposes:
The new boot process with Pie is aimed at being secure from the hardware level up and all the way into the system partition once the boot is completed.
So the hardware checks if the bootloader is actually usable - we had that for a long time, nothing new.
Once the bootloader starts and reaches the point of actually getting somewhere, all partitions required will be checked by either a hash check or a trusted certificate generated at boot time that is compared to the previous certificate.
Only if that is fine the bootloader will call upon the system and vendor partitions.
The handover of control from bootloader to the system is made far more secure as well.
SELinux is called early on to ensure that only trusted apps and tasks can work but also to allow a new control level.
System related apps no longer run as root or with special permissions.
Instead every single app and service runs as its own user!
And under SELinux conditions this means nothing can access anything that it is not entitled to unless included as a user for the other app.
And with that sorted the vendor stuff is called to ensure all hardware and vendor related stuff is still genuine - this includes the required certs but also the recovery and bootloader hash codes and certs.
So if something is fishy either SELinux will stop us or the vendor stuff will just overwrite it all.
Once we finally reach the system stage the recovery is checked if called from within the system, if fully implemented it could mean that using an official update on a modded firmware will delete all data as the encryption from the old system is declared invalid.
Sadly it does not stop there because even with full rights (faked or otherwise) to access the system partition with write access we still can not just change things.
If something belongs to a user (a secure app) then a change will corrupt the system.
To overcome all this without using vulnerabilities that so far no one has found, a compatible userdebug release has to be created from the official user firmware.
DM-Verity needs to be disabled as well as all partition encryption stuff.
The bootloader needs to be adjusted to reflect these changes and the required trust certificates generated and included in both system and boot images.
The only problem here is that the kernel won't allow these changes unless it itself is a userdebug kernel.
After that it is only the little effort to go through about 60 different scripts to remove or redirect the calls for all boot and system security related things.
If then by some chance all this actually boots up and goes all the way into a usable homescreen the entire stuff needs to be secured again.
This time so that the final system has a correct cert and checksum that matches those we need to include in the bootloader.
Anyone knows how to gain full access to the trusted keystore on the 4.9 kernel? LOL
For the moment I don't really care about all the stuff above.
I would be happy to figure out what to make out of these new fstab configurations without the vital partitions listed.
The real partitions used have not changed but it is impossible to include them in the fstab, doing so causes the bootloader to fail.
Presumably because the kernel realised we try to get around the verification process.
This and some other minor things are also the reason TWRP fails so badly, same for the stock recovery by the way.
Since TWRP is a toy a lot of us like:
TWRP and 7.2....
Without a system partition in the bootloader fstab TWRP can not mount it.
Same for all other things TWRP needs to mount as it simply does not have the right to access these areas.
To make things worse, we need system access to even start TWRP through fastboot.
So, no matter if we flash or start it through fastboot: The bootloader and system will realise our recovery does not match the checksum.
What does all this now mean in terms a lot more people are able to understand?
Let me try...
Imagine the 7.2 in a running version would be just some encrypted file with a lot of folders in it.
And like PGP or other encryptions software we know there is a private and a public key.
With the public key you can see a lot and use most the encrypted file - but only to a level that is required, nothing above your low level clearance.
For every attempt to write into this file or to make changes we need the private key.
If you follow so far then lets just say the recovery (stock) and Fastboot can be, to some extent, used for this access.
But since every folder in the encrypted file also uses private and public keys it is like tracing a tree.
Although it is getting too long, let me give you the example of just adding SU to the system partition:
Adding SU into the system image is no big deal.
Signing this image to get a usable key and including this key into the keystore is.
Assume we would just be able to do it....
SU needs to be called quite early in the boot process.
It then elevates the access level for certain things and also intercepts all root related requests from apps and services.
Except of course those that already had these rights by default.
Problem here is that adding the scripts we need plus changing some others means violating the tree of trust on the device and we get locked out.
Finding a spot to add the required rights for SU might be still possible.
On the other hand it will be impossible to give SU any rights or access to "trusted user" owned parts, files, folders, partitions....
The entire concept of SU just fails.
I will have to check how much of the new features are active in the 7.2 kernel that hinder us.
If I find enough it might be enough to call for a Magisk update.
But I guess it is of little use for just one set of devices, so maybe once more devices on the 4.9 kernel fail to work with Magisk it will be easier to spot a usable pattern.
In case someone else is already working on a modified system: Please let me know how you made it boot after the changes
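As an added illustration (not code from this thread, from Nvidia or from Android), the sketch below builds a simplified dm-verity-style hash tree to show why one changed byte in a system image, as when SU is added, is flagged as corruption even if the hash tree is regenerated afterwards. The block size, salt and sample image are constructed, and the real on-disk layout and the AVB signature over the root hash are not reproduced.

```python
"""Simplified dm-verity-style hash tree (illustration, not Android's on-disk format)."""
import hashlib

BLOCK_SIZE = 4096                        # block size assumed for this sketch
DIGEST_SIZE = hashlib.sha256().digest_size
PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE    # 128 digests fit in one hash block


def _hash_block(block, salt):
    return hashlib.sha256(salt + block).digest()


def _split(data):
    """Cut data into BLOCK_SIZE pieces, zero-padding the last one."""
    if not data:
        raise ValueError("empty input")
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def build_tree(image, salt):
    """Return levels; levels[0] holds one digest per data block, levels[-1] == [root]."""
    level = [_hash_block(b, salt) for b in _split(image)]
    levels = [level]
    while len(level) > 1:
        # Pack the digests into hash blocks and hash those to get the next level up.
        level = [_hash_block(b, salt) for b in _split(b"".join(level))]
        levels.append(level)
    return levels


def root_hash(image, salt):
    return build_tree(image, salt)[-1][0]


def verify_read(image, index, levels, trusted_root, salt):
    """Check one data block against the stored tree and the pinned root hash.

    `levels` is the tree as found on storage (untrusted); `trusted_root` stands
    in for the value the bootloader takes from signed metadata.
    """
    digest = _hash_block(_split(image)[index], salt)
    pos = index
    for level in levels:
        if pos >= len(level) or level[pos] != digest:
            return False                 # stored digest does not match what was read
        if len(level) == 1:
            break
        start = (pos // PER_BLOCK) * PER_BLOCK
        packed = b"".join(level[start:start + PER_BLOCK]).ljust(BLOCK_SIZE, b"\0")
        digest = _hash_block(packed, salt)
        pos //= PER_BLOCK
    return digest == trusted_root


def demo():
    salt = b"constructed-salt"
    # Constructed 300-block "system image"; every block has distinct content.
    image = b"".join(i.to_bytes(4, "little") * 1024 for i in range(300))
    stock_tree = build_tree(image, salt)
    trusted_root = stock_tree[-1][0]     # what the signed metadata would pin

    modified = bytearray(image)
    modified[200 * BLOCK_SIZE + 10] ^= 0xFF   # one flipped byte in block 200
    modified = bytes(modified)
    rebuilt_tree = build_tree(modified, salt)  # tree regenerated after the change

    return {
        "levels": [len(level) for level in stock_tree],
        "untouched_block_old_tree": verify_read(modified, 5, stock_tree, trusted_root, salt),
        "tampered_block_old_tree": verify_read(modified, 200, stock_tree, trusted_root, salt),
        "tampered_block_new_tree": verify_read(modified, 200, rebuilt_tree, trusted_root, salt),
        "untouched_block_new_tree": verify_read(modified, 5, rebuilt_tree, trusted_root, salt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the stock tree only the changed block fails, and with a regenerated tree every block fails, because the root no longer equals the pinned value.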
Shield Tv 16 2017 - OTA update 7.2.1 Ready for updating
I'm on 7.1. I have been waiting for 7.2 developer image, which is now out and just noticed 7.2.1 is available OTA. I'm really confused what to do. I want to keep root without bricking my Shield. Should I stay with what I have as it is running well?
I am not even sure if it is safe trying to update to dev 7.2 image (or if I would want to) by hooking to computer and using ADB Fastboot tools.
Is there any good reason to update to 7.2 or 7.21? and if so how would I go about doing it? Which program is good for flashing developer images or OTA updates. I used to use flash-fire, which seems to be obsolete now and have heard TWRP is incompatible rooting with SU with OREO updates????
Should I play it safe and stay with what I have rather than experiment and end up with a brick? (wouldn't be the first time)
Anyone know if 7.21 is some-kind of bug fix?
A lot of questions but hope someone has some answers.
Thanks for any info.
"You know you can start it with ease, if you only could the remote that you left in the drivers seat when you locked the door "
My fastboot issue
Yeah, i think i busted the microusb somehow with a faulty usb hub, whenever i plug the usb to my raspberrypi/windows box (for adb/fastboot) now, it turns off all usb ports on the pi as well as the windows box, even when the shield is unplugged, some sort of earth problem maybe
......all i have is adb over network, adb reboot bootloader simply reboots back to system, adb reboot recovery works though.
ive read that fastboot over tcp(ethernet) had been introduced a couple of android versions ago, but i dont think its been implemented in our shields
in fact here's a link
https://www.androidpolice.com/2016/...-capabilities-wireless-flashing-isnt-far-off/
Looks like it needs to be specifically added onto a build
As far as you making a stock root build, if you can, that would be awesome, more than awesome, but if it becomes more work than you thought don't worry about it, it's not like they're making it easy
Also, sounds like 4.9/future android is gonna be a nightmare for root......... having the ability to root so that the option is there to see what's going on in the background of these devices, these devices possessing cameras/microphones/old+latest sensors/personal files/personal info, which reside on our personal beings or in our homes........is just one reason why i don't want to see root go away
So what is the purpose of the developer image of 7.2?
Rather, I know the stated purpose of the developer image, but if it is locked in the way described it sounds like the benefit is negated for typical developers.
(e.g. sometimes I debug an application without permissions in order to benchmark or debug a problem).
For casual users of the shield, using ad blockers and whatnot, is there any benefit to derive from installing the developer rom over stock? Does "adb root" still work?
What is left as the difference. It doesn't sound like they produced a userdebug build of the OS.
Thanks
The 2 new updates are horrible. I have gone back to 7.1. They have crippled my shield. I'll wait for a new update.

How to Update after Root

Hello everyone,
i am new to the device and i have read the threads on unlocking BL & rooting. However, I am still unsure about how to update the device after rooting. Can someone please write out a high level few lines?
You flash the stock firmware then root it again.
Well I'd thought I'd done this enough for that to be a simple job (I did manage to root the device the day I bought it..) But I seem to be having an issue reflashing the boot.img back to the device using Fastboot after updating OTA to 12. Any ideas?
Well I'm completely out of ideas. I've tried Canary build of Magisk, I've tried using the patched boot.img (waiting on any device eternally in Fastboot). I've tried patching the AP file (as .md5 and as .tar). Process fails each time.....
I was on Rooted 11 but I thought I could UNroot then grab 12 and REroot. Well I did actually have 12 installed (briefly) but now I've got an UNrooted 11, that just sux ,and I should've have never tried to get 12 lol. My BL is still unlocked of course so I just really want to go back to where I started if rooted 12 is a no-go for now. Any help would be greatly appreciated .
Ahalol I'm sorry for hijacking your thread but it said exactly what I wanted to ask :/
Thanks XDA as always!
I finally got it, all good.
ahalol said:
Hello everyone,
i am new to the device and i have read the threads on unlocking BL & rooting. However, I am still unsure about how to update the device after rooting. Can someone please write out a high level few lines?
For future reference for anybody who may read this in the future, updating a rooted Tab S7 / S7+ without losing your data is pretty much outlined step by step in the official Magisk installation guide.
Installation
The Magic Mask for Android
topjohnwu.github.io
Scroll down to the Samsung section, and then "Upgrading the OS". It's basically the same as Odin flashing the firmware as you normally would to restore to stock, except you're flashing the Magisk patched AP file in the AP slot instead, and using HOME_CSC instead of CSC in the CSC slot. CSC wipes data, HOME_CSC does not.
With the exception of a few weird Samsung devices (like the S6 Lite), don't listen to ppl who tell you to extract the boot image and flash separately. Just follow the *official* (I felt the emphasis was necessary here, again) Magisk installation guide in this case... Download the firmware file via Frija or whatever your source for firmware is (honestly dude.. just use Frija), extract the files, copy the AP file to your tablet (recommend adb push, not MTP), and use the Magisk app to patch the ENTIRE AP file. This is important because Magisk will also patch out other parts of the firmware like vbmeta, which is what allows it to work around avb restrictions. If you attempt to flash the full bone stock firmware and then a patched boot image separately, you will likely get an error that results in the need to wipe data, because avb (Android Verified Boot) has been violated without having had vbmeta patched among possibly other things, and then have fun with the misery of wiping and starting over... Anyway, after patching the FULL AP file in Magisk app, make sure there were no errors in the log (btw, this is where you can clearly see that Magisk is patching more than just the boot image...) and copy it back to your computer (again, like adb push was recommended before, use adb pull to move to computer), and then flash the BL / Magisk patched AP / HOME_CSC files in their respective slots (and CP if you have LTE model) in download mode. It'll reboot probably twice, then optimize apps before finishing booting to your updated system.
tl;dr - read the official Magisk guide I linked above (notice yet that I keep mentioning this?? lol)
My post is assuming you are on bone stock rooted ROM without custom recovery and/or encryption disabled mods and stuff (e.g. multidisabler mod). Every update for me goes without a hiccup, and I am fairly heavily modded with SafetyNet passing and everything (LSposed / GravityBox / Firefds kit / a bunch of Magisk modules). Loving that these tablets keep Widevine L1 even after rooting.. was my primary reason for buying! I also like / prefer the fact that my tablet is still encrypted without custom recovery so that the chances are my data is still safe should the tablet ever be lost or stolen. Anyway, if you do have custom recovery or flashed multidisabler already, I would definitely do your due diligence and research / ask questions to find out if there's anything different you have to do (different in relation to the official Magisk installation guide resource, or any pre-/post-install quirks).
Sorry, I know I rambled a bit but I hope this post is somewhat informative and able to be followed. Typing it from phone and browser is kinda glitching out. But I just felt the need to type this all out. It seems I don't see so much more misinformation on XDA than on the Samsung subforums lol. D:
i5lee8bit said:
For future reference for anybody who may read this in the future, updating a rooted Tab S7 / S7+ without losing your data is pretty much outlined step by step in the official Magisk installation guide.
Installation
The Magic Mask for Android
topjohnwu.github.io
Scroll down to the Samsung section, and then "Upgrading the OS". It's basically the same as Odin flashing the firmware as you normally would to restore to stock, except you're flashing the Magisk patched AP file in the AP slot instead, and using HOME_CSC instead of CSC in the CSC slot. CSC wipes data, HOME_CSC does not.
cheers mate. I am leaning towards rooting my tab s7 now. it don't sound too hard.
Edit: I did it. Did you also have to install the safety net module to get the safety check working?

How To Guide How to root any N20

**Edit: Be sure to read comments at the end of this post**
I've already posted this a few times but I figured I would try to save some people time who want/need to root from any security patch. This is a copy and paste from an answer I gave in another thread but it's a basic how to.
Install DSU sideloader app from playstore to boot a prerooted GSI then use Partitions Backup and Restore app from playstore to save copies on your device. Install magisk app and patch the extracted boot.img and then transfer backups along with the patched boot image to your PC for safekeeping and flash the patched boot.img in fastboot. You can rename any .bin files to .img to flash them if they get extracted as a .bin file. Check your settings in the partitions Backup and Restore app before starting the backup process. You can choose to save them in an easy to find directory and for me it was better to choose to save them RAW/uncompressed then just compress them all into a single archive rather than having a hundred separate archives for each individual partition because it makes it easier if you have to reflash things if you need to recover. You may want to disable battery optimization for the app because it takes a while to extract all the images doing a full backup but it's well worth the wait time if it saves you from a brick later on.
I wish I had time to elaborate but hopefully someone else can take the time to elaborate and add to this for anyone needing step by step. I'm surprised nobody has done this already.
Credits to AndyYan for giving advice on the root method. I stole this from him and just made a post with a title that makes it easier to find since so many are still asking how to go about rooting their devices.
*****REQUEST TO COMMUNITY********
There are many who are already on August Security patch and i dont have time to update and post the newest images. So if you are on august patch and pull backups I ask that someone please be so kind as to upload a copy of your backup to Google Drive or a filehosting server of choice and post a new thread so that others can unbrick their devices.
Please **DO NOT include** the following partitions:
DEVINFO
DINFO
FRP
KEYMASTER_A
KEYMASTER_B
KEYSTORE
LOGDUMP
***MDM1M9KEFS1
***MDM1M9KEFS2
***MDM1M9KEFS3
***MDM1M9KEFS4
MODEMDUMP
OPLUS_SEC_A
OPLUS_SEC_B
RAWDUMP
SECDATA
STORSEC
USERDATA
VM-KEYSTORE
*** These partitions may/contain YOUR personal device info, DO NOT make these public***
You can make a new Google account for the sole purpose of uploading these for the community so as not to fill your own GDrive. Be sure to change permissions for the images to share with anyone who has the link. This would be very much appreciated by many.
*****Update 09/18/2022*****
Thanks to ctschrodinger88 & dmtec for posting more detailed instructions!!! you can find ctschrodinger88's instructions below, scroll down to the 5th post.
dmtec also posted instructions in another thread linked here: https://forum.xda-developers.com/t/august-boot-img.4491831/post-87426877
we are still in need of august modems if anyone cares to upload them to their drive and link them or any other filehosting service.
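Added example, not part of the original post: one way to stage a copy of a backup folder for sharing while leaving out every partition named in the list above. The function names and the staging-folder layout are assumptions made for this example; names are matched case-insensitively and common image or archive extensions are ignored.

```shell
#!/bin/sh
# Added example (not from the original post). Copies partition images from a
# backup folder into a staging folder, skipping the device-specific partitions
# the post asks people never to publish.

# Names taken from the post's list, lower-cased for comparison.
PRIVATE_PARTS="devinfo dinfo frp keymaster_a keymaster_b keystore logdump
mdm1m9kefs1 mdm1m9kefs2 mdm1m9kefs3 mdm1m9kefs4 modemdump oplus_sec_a
oplus_sec_b rawdump secdata storsec userdata vm-keystore"

# partition_name FILE
# Prints the lower-cased partition name: the base name with any image or
# compression extensions (.img, .bin, .gz, ...) removed.
partition_name() {
    base=$(basename "$1")
    while :; do
        case "$base" in
            *.gz|*.img|*.bin|*.raw|*.zip|*.lz4|*.xz) base=${base%.*} ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$base" | tr '[:upper:]' '[:lower:]'
}

# is_private FILE
# Succeeds when FILE holds one of the partitions on the do-not-share list.
is_private() {
    name=$(partition_name "$1")
    for p in $PRIVATE_PARTS; do
        [ "$name" = "$p" ] && return 0
    done
    return 1
}

# stage_shareable SRC_DIR DST_DIR
# Copies only shareable images into DST_DIR. Skipped files are reported on
# stderr; stdout carries "<staged> <skipped>".
stage_shareable() {
    src=$1
    dst=$2
    mkdir -p "$dst" || return 1
    staged=0
    skipped=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        if is_private "$f"; then
            skipped=$((skipped + 1))
            echo "SKIP (device-specific): $(basename "$f")" >&2
        else
            cp -p "$f" "$dst"/ || return 1
            staged=$((staged + 1))
        fi
    done
    echo "$staged $skipped"
}

# Stand-alone use: sh stage.sh <backup_dir> <staging_dir>
if [ "$#" -eq 2 ]; then
    stage_shareable "$1" "$2"
fi
```

Upload from the staging folder only, and check the SKIP lines against the list before sharing.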
can you suggest me a pre rooted gsi rom please?
thanks
fictisio said:
can you suggest me a pre rooted gsi rom please?
thanks
i used crdroid but it's buggy, launcher crashes but it's usable, at least to get this done and then be sure to discard it in the DSU sideloader notification when you reboot so the inactive slot is empty, it will make for easier updates/mods later
has anyone had luck flashing the file in this article? https://www.getdroidtips.com/oneplus-nord-2t-5g-firmware-flash-file-2/#google_vignette
I used the info provided and referenced here as a guide and some external pieces and have things working.
I'll caveat the following, I don't remember the current firmware version I started with, but I'll try to remember to update.
I have the Nord N20 5g, but not the T-mo branded one, though in looking at this, the concepts should be the same.
Base assumptions:
- If you haven't done these beforehand, stop and take care of it. Research if you need, but please DO NOT just keep going or copy, paste, and run, without understanding to some extent what you're doing. If you just run commands it can be much harder to fix later.
a. Your phone's bootloader is unlocked. (If you haven't already done it, when you do, your data will be gone, so if you care, back it up NOW)
b. You have access to an Android terminal of some sort (adb or on-device terminal) and you know how to use it. Unless you absolutely can't use a computer for some reason, I would use adb, it makes data backup easier (IMO).
c. You have somewhere to store your backed up partitions (THIS IS IMPORTANT)
Step 0: Download a pre-rooted Generic System Image (GSI) to use. Put it in a good working directory. This page links to several. https://github.com/phhusson/treble_experimentations/wiki/Generic-System-Image-(GSI)-list
I used the LineageOS image by @AndyYan
If you are wondering about the various file endings this is the basic version
Code:
<ARCH>_xyZ
<ARCH> can either be arm, a64 (arm32_binder64) or arm64
x can either be a or b
y can either be v, o, g or f
Z can be N or S
b = a/b
a = a-only
g = gapps
o = gapps-go
v = vanilla (no gapps included)
f = floss (free & open source apps instead gapps)
N = no superuser
S = superuser included
From: https://forum.xda-developers.com/t/teclast-t30-t1px-suitable-gsi-roms.4211427/
Step 1: Enable the Dynamic System Update (DSU) feature flag, you can follow the exact steps for this in this section https://developer.android.com/topic/dsu#feature-flag
If you are unsure, just run the `adb shell` command.
Step 2:
The image you downloaded needs to be in ".gz" format. Some of the tools will handle alternate types, but that's because they rebundle it as ".gz"; you can save some effort by doing it yourself.
Code:
gzip -c [IMG_NAME].img > [IMG_NAME].gz
Step 3: Push the image to the device
`adb push [IMG_NAME].gz /storage/emulated/0/`
This is where I switched from ADB to on-the-device.
Step 4: Download the DSU Sideloader: https://github.com/VegaBobo/DSU-Sideloader
You can do this with adb but I wasn't able to get it to run, so I went with the DSU Sideloader app above which made it much simpler.
Step 5: Run DSU Sideloader. You can follow the instruction there in the README. You will need to run a command that the app provides, either via adb or an emulator. Then you will reboot via the notification.
Step 6: [Once you reboot] Enable Developer tools in phone settings.
Step 7: BACKUP, BACKUP, BACKUP (Please do this now. It will help make life much, much better if you ever have an issue and need to reset.)
This was my process:
Bash:
# On the device: open a shell and become root
adb shell
su
mkdir -p /sdcard/partitions
cd /dev/block/by-name/
# Copy every named partition to a file of the same name
for x in *; do dd if="/dev/block/by-name/$x" of="/sdcard/partitions/$x"; done
# Note the collective size will be greater than the default space on the GSI boot, so you will want to separate things
# Back on local machine
mkdir [working_dir]
cd [working_dir]
adb pull /sdcard/partitions
# Your files from the adb command should populate the folder
# (adb pull creates ./partitions inside the current directory)
mv partitions/* .
# On device
rm /sdcard/partitions/*
# repeat the commands above as often as needed.
I don't know for sure all the files you will want to backup, but I pulled everything just to be safe. Keep them safe, because it is your safety net if you fall.
Step 8: Get boot_a or boot_b back on the device along with Magisk.apk (Please only download from here: https://github.com/topjohnwu/Magisk/releases)
Step 9: Install Magisk.apk (you can do this via
Code:
adb install ./magisk.apk
)
Step 10: Launch Magisk and install it to the boot image stored on your sdcard.
Step 11: Pull the patched image to your local machine.
Code:
adb pull /sdcard/Download/magisk_patched-[stuff].img
Step 12: Boot phone to fastboot
Code:
adb reboot bootloader
Step 13: This is where there is an ideal and a real.
Ideal command
Code:
fastboot boot magisk_patched.img
where fastboot transfers the files and things just work, and if you reboot the system the regular boot.img is used. I haven't been able to get that to work with this device.
I instead just ran
Code:
fastboot flash boot magisk_patched.img
which replaced the existing boot image, which is good, if it works, but if it doesn't, this is why you have backups!!!! Reboot the phone.
Step 14: When you boot, finish installing Magisk and you'll be ready to go.
If I remember other steps I'll add, or if you have questions I will try to help answer.
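Added example, not part of the original post: Step 7 notes that the partitions do not all fit in the GSI's storage at once, and an image cut short by a full /sdcard looks like any other file after `adb pull`. This host-side check compares the pulled files against SHA-256 hashes taken from the block devices themselves. It assumes the GSI's root shell has `sha256sum` and that the manifest was made as shown in the comments; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
#
# Assumed device-side step, run once as root before copying anything:
#   adb shell
#   su
#   cd /dev/block/by-name && sha256sum * > /sdcard/partitions.sha256
# then on the computer:
#   adb pull /sdcard/partitions.sha256
#
# A partition that is written to between hashing and copying (userdata, for
# example) will report MISMATCH even when the copy itself went fine.

# sha256_of FILE
# Prints the hex digest using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_backup MANIFEST DIR
# MANIFEST is sha256sum output ("<hash>  <name>"). Prints one line per entry:
#   OK | MISSING | EMPTY | MISMATCH  <partition>
# then a summary "ok=N bad=M". Returns 0 only when every entry is OK.
verify_backup() {
    manifest=$1
    dir=$2
    ok=0
    bad=0
    while read -r want name; do
        [ -n "$name" ] || continue
        name=${name#\*}      # sha256sum marks binary mode with a leading '*'
        name=${name##*/}     # keep the partition name if a full path was hashed
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            status=MISSING
        elif [ ! -s "$file" ]; then
            status=EMPTY     # dd created the file but wrote no data
        elif [ "$(sha256_of "$file")" = "$want" ]; then
            status=OK
        else
            status=MISMATCH  # truncated or otherwise different from the device
        fi
        if [ "$status" = OK ]; then
            ok=$((ok + 1))
        else
            bad=$((bad + 1))
        fi
        echo "$status $name"
    done < "$manifest"
    echo "ok=$ok bad=$bad"
    [ "$bad" -eq 0 ]
}

# Stand-alone use: sh verify.sh partitions.sha256 <working_dir>
if [ "$#" -eq 2 ]; then
    verify_backup "$1" "$2"
fi
```

Re-copy any partition that is not OK before deleting it from the device or flashing anything.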
I just got a MetroPCS nord n20 (gn2200) and will try to root in the next couple days.
ScarletWizard said:
n20
Have they removed the unlock portal?
Damn, it's been a long time. Glad to be back.
ScarletWizard said:
No. My serial is 7 digits
seems to be a common defect.... if ur device is paid off oneplus can generate you a token but it takes weeks of back-and-forth with support to get it escalated...tmobile may or may not allow you to do that on a device that isnt paid off but i wouldnt even ask tmobile about it if your not paid off already, will only make it harder for those who are trying to unlock theirs if it IS the case that tmobile doesnt want you to unlock it until youve paid the device off in full....oneplus will probably uphold tmobiles decision if your device isnt paid off. for now, we are able to unlock tmobile devices through the portal regardless of the financial status of the device. though you will still be SIM locked unless tmobile unlocks that for you. and their definitely NOT gonna do THAT til it gets paid off.
U.S. carriers dont like customers having unlocked devices and is against most user-agreement policies and can get your service terminated leaving you owing for a device you cant use and for the price of the contract you were on for service
your device is a CPH2459 and not a GN2200?
fictisio said:
can you suggest me a pre rooted gsi rom please?
thanks
Andy Yan's Lineage18 or 19..
DrScrad said:
Andy Yan's Lineage18 or 19..
pixel experience, crdroid... haven't gotten kaleidoscope to work yet. Have heard that someone got aosp a13 going.... There are so many and so long as u use a matching security patch ur good. might work with a newer patch but of the ones i've tried i got the matching patches to work. If you find one that's on a newer patch in the gsi page you should be able to follow the link and find an older release to match the patch ur on. If ur on may patch try to find a may patch just to make it less likely that there will be problems. If on july or august, likewise find july or august sec patch release. newer patched systems MIGHT work with ur older patched bootloader and other partitions (modems etc...) but def would not advise just straight flashing mismatching security patches... Best to sideload first and see if u can get it working first. It's not very simple to dual boot these devices but i think someone did some work and posted a workaround for doing that on a/b devices somewhere on xda......
Am willing to share my stock image with anyone willing to help. I am on the September security update on a OnePlus Nord N20 5G unlocked (Non-Carrier). I am running version 11 and android security update 2022-09-05.
I am having real issues getting LineageOS through DSU. It fails immediately on start every time. Bootloader is unlocked, it even shows through fastboot (Secure boot = on though), flag is set per instructions, and I am trying to install lineage-19.1-20221011-UNOFFICIAL-arm64_bvS.gz . I tried two different versions of the DSU app but nada.
make sure u r using a lineage version with the same security patch as your current OS if your on September u need a GSI on september. i personally gave up on lineage after trying a couple but was successful with a few others while dsu sideloader still worked for me, im not sure what i did to break it on my devices but i havent been able to get it to work on either device in a while.
i have yet to try the october firmware but it should be easy to downgrade and root if you think its the new updates. although make sure ur disabling verity. u might wanna disable the checks on vbmeta_boot too... i usually just disable it on all 3 vbmeta's to be safe.... i have a full july dump and someone else has posted the august dump on TG but that doesnt help in your case since you have the CPH2459 and we are on GN2200's nobody has been able to successfully crossflash them yet and im not sure if it will be possible or not but everyone that has tried it has bricked their devices so far. most have gotten them running again but have lost fingerprint
ScarletWizard said:
im on gn2200
Ok my last upload didn't upload correctly for some reason. I will re upload tomorrow I think..... I need to figure out exactly which partitions are device-specific.... I know which partitions get updated in the incrementals so if all of them don't get flashed then everything won't match but I have a feeling that the incrementals update a device-specific partition or two and if so then u will lose fingerprint at minimum...... I think I should just pull full backup of all partitions and then go for it. Worst case so long as u do everything right. U just don't boot and have to reflash the stock boot image... Be sure to flash the stock image to both slots just in case and then switch back to ur active slot and flash the patched boot image. I mean if it was me I would b comfortable doing it but that's completely ur call, I don't wanna encourage anything because there ALWAYS a risk something could go wrong. Power outage or something and it's screwed up but any time u r flashing u will always be taking a risk. Though I think the risk is minimal so long as u do everything right and there's not much to the simple root process, patch the boot image and flash, if it doesn't work then reflash the stock one. If it DIES work out for u we would b grateful for the October firmware if u wanna share it, we didn't get October yet.
ScarletWizard said:
If it dies. Lol scary.
I'm in the process of doing the partition thing
If it DOES.. Sry
ScarletWizard said:
who is the ADMIN of this n20 thread?
Just look for the moderator edits lol
PsYk0n4uT said:
seems to be a common defect.... if ur device is paid off oneplus can generate you a token but it takes weeks of back-and-forth with support to get it escalated...tmobile may or may not allow you to do that on a device that isnt paid off but i wouldnt even ask tmobile about it if your not paid off already, will only make it harder for those who are trying to unlock theirs if it IS the case that tmobile doesnt want you to unlock it until youve paid the device off in full....oneplus will probably uphold tmobiles decision if your device isnt paid off. for now, we are able to unlock tmobile devices through the portal regardless of the financial status of the device. though you will still be SIM locked unless tmobile unlocks that for you. and their definitely NOT gonna do THAT til it gets paid off.
U.S. carriers dont like customers having unlocked devices and is against most user-agreement policies and can get your service terminated leaving you owing for a device you cant use and for the price of the contract you were on for service
One small problem, although Metro PCS uses T-Mobile towers, they are their own entity and T-Mobile does not have their Bootloader codes. Only OnePlus and Metro PCS have the Metro PCS unlock.bin file. That's what I came here for, to try and find a dedicated metro bootloader unlock web page. Like the T-Mobile dedicated page. There is not one so it's going to take several calls over several weeks unless someone here knows a different way or a link to a metro PCS bootloader unlock page? Anyone chime in on this and save all of us that are running in circles back down the straight path to an unlocked bootloader..
I'm about to file a FCC complaint to get mine then.

How To Guide [GN2200] simple recovery guide from fastboot + obtain root + more

in this thread i am going to outline the method i used to restore my device to may security patch after completely botching my current install after trying to root, on august security patch.
a major hand to PsYk0n4uT for the suggestions he's posted in response to my problems, giving me the ability to figure out what's really going on here amongst other things.
(this is compatible with metropcs branded devices, therefore is compatible with t-mobile branded devices and so on)
anyways.
download this may OTA i discovered somewhere online. (hint: if download quota is exceeded. make a copy to your gdrive, then put it in a folder. download the folder and you will bypass the quota)
the OTA will contain msmdownloadtool, but it is unusable in it's current form because it's an internal tool. you're gonna want to download this tool off github to help assist in decrypting the .ofp file and flashing it's complete contents over automatically.
extract the OTA zip, and place the tool from github in the same folder. if using linux, install the python requirements and if you're on windows, i would suggest replacing the adb/fastboot executables with current versions. probably shouldn't matter, but i did in this case.
put your phone into fastboot and run the tool. further instructions depending on OS, are on the repository's page.
after flashing i had to switch my active slot over to the prior inactive slot before i could boot.
now that you've got your device downgraded, get through the initial setup, set it up offline, and put your phone into power saving mode so it can't automatically update (just in case)
instead of using DSU sideloader to extract the files we need, we can use the same .ofp file that our images came from and extract its contents with this tool
install magisk, copy your boot image over, patch the boot image, return it back to your computer, and enter fastboot mode.
proceed to flash the boot image, and all 3 vbmeta images. (important: be sure to disable verification and disable verity when flashing your vbmetas)
???
profit
i hope this can help anyone that's got a paperweight for a device at the moment, and help anyone who wants to root their device without a bunch of possible nonsense. in turn, hoping this can accelerate any possible development with this device.
protip: after getting everything installed and set up, install the systemless debloater module in magisk and download de-bloater from f-droid. "remove" the update service application (com.oplus.romupdate) and the software update tab in settings will now think you're on the latest security patch and will prevent your device from accidentally being updated. unless you want that to happen.
mirrors:
[vngsm.vn] GN2200export_11_A.05_2022050718170202.zip | VietNam GSM Services
vngsmservices.com
OnePlus Nord N20 5G Flash File (Official Firmware) GSMMAFIA
OnePlus Nord N20 5G Qualcomm Snapdragon 695 5G Flash File available here with MSM download tool to download via Direct link.
www.gsmmafia.com
And no problem man. Im glad others are sharing their knowledge and experience here. I've been focused on other things trying to make some progress on the device but still having to learn a lot along the way.
Hopefully we will have custom recovery soon. Looking promising so far and the real devs have given more time than I could possibly ever expect towards a device they don't even own.
For anyone wanting to know more about the people that are doing the leg work check out the team at https://t.me/Android_General_Chat The devs work hard to make these things happen so if you wanna help the cause consider making a contribution to them.
dmtec said:
in this thread i am going to outline the method i used to restore my device to may security patch after completely botching my current install after trying to root, on august security patch.
a major hand to PsYk0n4uT for the suggestions he's posted in response to my problems, giving me the ability to figure out what's really going on here amongst other things.
oneplus seems to be weakly supporting this device because i tried to ask them again for the OTA (i mean, it's pulling from somewhere, right) and they told me that i'd need to send it into a service center for repair. what's the point of unlockable bootloaders if user error can't be corrected in some way.
BROOOO you are EFFING AWESOME! MUCH LOVE!
bumping my own thread because people are being real extra after "bricking" their phones trying to get them working again
Really glad people are still working on this device. I've been away for a while and no longer have access to mine right now so just wanted to say thanks to those of you continuing the efforts
Careful with this. Windows Defender flagged a virus when I tried to download it.

[SOLVED] Any way to save my data on bootloop phone without root?

Yesterday, decided to remove bloatware(mostly Google) on my Huawei p8 lite using ADB. And somehow removed this.
:/ $ pm uninstall -k --user 0 com.android.location.fused
Restarted.
Boot Loop.
Before I rebooted my phone usb debugging was on.
Phone boots into eRecovery with 4 options
1) Download latest version and recovery (useless, gives me a "Getting package info failed")
2) Wipe data/factory reset
3) Reboot
4) Shutdown
When I'm connected to pc I always get a message "Unable to open MTP device".
I don't have the root privilege so I can't follow the steps in this guide below.
Bootloop after removing com.android.location.fused [SOLVED]
My questions are:
1. Any method of saving data on bootloop phone without root?
2. Should I try factory reset?
I don't understand what you want, but you can't root in boot loop.
But I hear you will root, it's really easy to root Huawei!
Guide.
1. Get your firmware, with hisuite, after install downgrade or update, will firmware file be saved in document folder on PC.
2. Extract files inside the firmware file, and find the boot.img, system.img or boot.img and opened it and modified, some you will and repack it again.
3. Update hash's for partition controller.
4. Make a form of server and port forward your device to think this is the server there get updating from and see request some your phone ask for or read source of Huaweis update.apk.
4. Configure your server, with coding and upload the firmware to your server.
5. Now just install your update and you have custom os
JonasHS said:
But I hear you will root, it's really easy to root Huawei!
This guide is missing most important predecessor step: unlocking bootloader (and therefore useless)
JonasHS said:
I don't understand what you want, but you can't root in boot loop.
Thanks for the reply. Sorry that I did not specify. My problem is that I uninstalled com.android.location.fused which resulted in boot loop. My phone is not rooted and I don't know what to do next. The only thing I can do is factory reset, because eRecovery gives me an error. I am just looking right now for any way to save my data. I found a similar problem solved, but the person rooted the phone before boot loop. So I guess I only have 1 option then?
You can try to start you Huawei in back up mode,
JonasHS said:
You can try to start you Huawei in back up mode,
Yes, my phone is in recovery mode. Should I try "Wipe data/factory reset"? Because the "Download latest version and recovery" option gives me an error: "Getting package info failed".
You don't need to unlock the bootloader to edit the system; I am making my own exploit and doing it.
Just look at this:
We say you can't edit any software file on your device because you don't have permission, like a Linux non-root user.
There is only 1 way to get this permission: unlocking the bootloader and adding your code to the software.
NOT TRUE.
If we compare this to a door that's locked and you don't have the key, what do you do?
I will find another way to open the door.
So to show what I mean: update.apk asks the server to download the update and send it back to your phone, and your phone will install it. Inside an update package there are boot.img and system.img. What if we edit these files before the update and put in code that will give your user the highest privilege on the system? But we can't edit these files, because they are saved in a folder we don't have permission to?
To do this, we can manipulate the data the server sends back to us.
Port forwarding.
JonasHS said:
> You don't need to unlock the bootloader to edit the system; I am making my own exploit and doing it.

So you're a hacker and found a method to properly sign system.img with Huawei's private OEM key? You're a genius!
https://android.googlesource.com/platform/external/avb/+/master/README.md#The-VBMeta-struct
Unfortunately the repair has to be done in /data/system/users/0/package-restrictions.xml and requires root access. Furthermore, /data is encrypted, therefore that modification can't be done offline; it requires Android booted to the stage where we can enter the screen unlock PIN (or at least to the stage where /data/system is decrypted).
JonasHS said:
> You don't need to unlock the bootloader to edit the system; I am making my own exploit and doing it.
> Just look at this:
> We say you can't edit any software file on your device because you don't have permission, like a Linux non-root user.
> There is only 1 way to get this permission: unlocking the bootloader and adding your code to the software.
> NOT TRUE.
> If we compare this to a door that's locked and you don't have the key, what do you do?
> I will find another way to open the door.
> So to show what I mean: update.apk asks the server to download the update and send it back to your phone, and your phone will install it. Inside an update package there are boot.img and system.img. What if we edit these files before the update and put in code that will give your user the highest privilege on the system? But we can't edit these files, because they are saved in a folder we don't have permission to?
> To do this, we can manipulate the data the server sends back to us.
> Port forwarding.
That sounds awesome. I guess we can try.
aIecxs said:
> So you're a hacker and found a method to properly sign system.img with Huawei's private OEM key? You're a genius!
> https://android.googlesource.com/platform/external/avb/+/master/README.md#The-VBMeta-struct
> Unfortunately the repair has to be done in /data/system/users/0/package-restrictions.xml and requires root access. Furthermore, /data is encrypted, therefore that modification can't be done offline; it requires Android booted to the stage where we can enter the screen unlock PIN (or at least to the stage where /data/system is decrypted).
Dahm.
The easiest way to fix a bootloop is a factory reset. There is no way to save userdata without fixing the bootloop, sorry. It's a hen and egg dilemma.
aIecxs said:
> The easiest way to fix a bootloop is a factory reset. There is no way to save userdata without fixing the bootloop, sorry. It's a hen and egg dilemma.
I agree.
Just reset, it's easiest.
Think about this: your PC has an SSD or HDD and you can take it out and put it into a new PC, and edit everything on the disk without admin and make a backup.
The truth is, you can do the same with a phone's chip, but it's hard to do.
Next time, before playing with packages, do a backup of your pictures.
Btw you can unlock the bootloader with PotatoNV and root with Magisk. Rooted devices you can back up with Migrate or TWRP.
New to said:
> Yes
> Huawei doesn't store their OEM keys on the device's chip, so they will never be able to check if I replaced it with my own, and AVB will still work in offline mode, so I can just read vbmeta.img with avbtool.py and generate the same vbmeta.img with a different size or hash for the partitions that have been modified.

You could call me a hacker, but I am not a hacker; I just have a good knowledge of code and disassembling.
JonasHS said:
> Just reset, it's easiest.
> Think about this: your PC has an SSD or HDD and you can take it out and put it into a new PC, and edit everything on the disk without admin and make a backup.
> The truth is, you can do the same with a phone's chip, but it's hard to do.

aIecxs said:
> Next time, before playing with packages, do a backup of your pictures.
> Btw you can unlock the bootloader with PotatoNV and root with Magisk. Rooted devices you can back up with Migrate or TWRP.

Thanks for the replies (they gave me a lot of ideas about what I can learn about phones and hacking). I will be more careful about deleting packages in the future.
I just did a factory reset and my phone is working fine again.
JonasHS said:
> Huawei doesn't store their OEM keys on the device's chip, so they will never be able to check if I replaced it with my own, and AVB will still work in offline mode, so I can just read vbmeta.img with avbtool.py and generate the same vbmeta.img with a different size or hash for the partitions that have been modified.

Of course they don't. No, you can't flash your own vbmeta.img on a locked bootloader, as the bootloader verifies the hash of vbmeta, which is OEM signed (you don't have the key).
If you know of any flash tool that exists for HiSilicon Kirin (IDT?), it would probably be easier to flash a Magisk-patched (properly AVB signed) ramdisk.img to get root access and adb (osm0sis AIK is capable of signing AVBv2) instead of modifying system.
Nevertheless, this won't fix the bootloop, therefore it's pointless, as the culprit lies in package-restrictions.xml. It's impossible to decrypt the userdata partition offline, so there is no hope, sorry.
Who told you this? I am a developer and have read the source code; yes, you can make your own signing keys with openssl.
Yes, that is called user-settable root of trust and requires you to compile your own complete ROM, for example LineageOS. In any case that is impossible with stock EMUI, as again you can't cheat the Android Verified Boot chain of trust, by design. That's the whole purpose of a locked bootloader.
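
The disagreement above comes down to which public key the bootloader trusts. The sketch below is an example added here, not code from any poster or from the AVB project: it is a simplified model of the verification order, using toy RSA keys constructed from small Mersenne primes and a dict in place of the real VBMeta struct; the result labels and all names are assumptions.

```python
import hashlib

E = 65537
# Constructed toy RSA keys from small Mersenne primes (illustration only, not secure).
def keygen(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

OEM_KEY = keygen(2**61 - 1, 2**89 - 1)     # private half never leaves the vendor
OWN_KEY = keygen(2**107 - 1, 2**127 - 1)   # key a user generated themselves

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def make_vbmeta(image, key):
    """Simplified vbmeta: a hash descriptor, the signer's public key, a signature."""
    descriptor = hashlib.sha256(image).digest()
    return {"descriptor": descriptor, "pubkey": key["n"],
            "sig": pow(_digest(descriptor, key["n"]), key["d"], key["n"])}

def bootloader_verify(vbmeta, image, trusted_pubkey):
    n = vbmeta["pubkey"]
    # 1. The signature must verify under the key embedded in vbmeta.
    if pow(vbmeta["sig"], E, n) != _digest(vbmeta["descriptor"], n):
        return "BAD_SIGNATURE"
    # 2. That key must equal the root of trust held by the bootloader.
    if n != trusted_pubkey:
        return "PUBLIC_KEY_REJECTED"
    # 3. The partition must hash to the value recorded in the descriptor.
    if hashlib.sha256(image).digest() != vbmeta["descriptor"]:
        return "HASH_MISMATCH"
    return "OK"

def demo():
    stock, modified = b"stock system.img", b"modified system.img"
    oem_vbmeta = make_vbmeta(stock, OEM_KEY)
    own_vbmeta = make_vbmeta(modified, OWN_KEY)
    edited = dict(oem_vbmeta, descriptor=hashlib.sha256(modified).digest())
    oem, own = OEM_KEY["n"], OWN_KEY["n"]
    return {
        "stock image, OEM vbmeta": bootloader_verify(oem_vbmeta, stock, oem),
        "modified image, OEM vbmeta": bootloader_verify(oem_vbmeta, modified, oem),
        "descriptor edited, old signature": bootloader_verify(edited, modified, oem),
        "re-signed with own key, OEM trusted": bootloader_verify(own_vbmeta, modified, oem),
        "re-signed with own key, own key trusted": bootloader_verify(own_vbmeta, modified, own),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the last case passes, and it requires the trusted key itself to be replaced, which is the user-settable root of trust situation described in the final reply.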
