[Devs Needed]Behold 2/II Updated Information for Root/ROMS - Android Software Development

I have mine rooted, and there is something very interesting about the way Samsung did this. This phone has like 20 different partitions (see below); however, I think I know how the phone is able to restore root and the recovery after boot. These 20 partitions include copies of each other. For example, if you do su on terminal emulator and then you type "cat /proc/partitions" it will list all the partitions. Notice how some partitions have different labels but are the same size. These are the respective backups (I think). The only partition that I know is "stl9" or "st9", which is the system.
I tried flash_image recovery and it said it wasn't a recognized partition, as the BH2 also does not have mtd. cat /proc/mtd produces nothing. Hope this helps.
Oh, one last thing: it seems I may have found an exploit with the device management.apk. It has the option to run a bootloader/bootstrap test; could this be exploited to install a custom recovery? It's just a thought...
Can someone with root compile busybox for install on the Behold 2? I am sorry, I only have Windows 7.
Terminal Output:
See the areas highlighted in BOLD. The G1 has half the number of partitions and mtd has output.
$ export PATH=/data/local/bin:$PATH
$ su
# cat proc/partitions
major minor #blocks name
137 0 513024 bml0/c
137 1 2048 bml1
137 2 512 bml2
137 3 512 bml3
137 4 1024 bml4
137 5 23040 bml5
137 6 6144 bml6
137 7 23040 bml7
137 8 6144 bml8
137 9 226304 bml9
137 10 8192 bml10
137 11 512 bml11
137 12 40960 bml12
137 13 1024 bml13
137 14 173568 bml14
138 9 210432 stl9
138 12 25088 stl12
138 14 157696 stl14
179 0 1982464 mmcblk0
179 1 1982338 mmcblk0p1
#
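The same-size observation in the post above can be checked mechanically. This is an added example, not code from the thread: it parses the posted /proc/partitions output, groups the bml entries by size, and compares each stlN with the bmlN that has the same minor number. Treating minor 0 as the whole-device node and pairing stl with bml by minor number are assumptions; equal size is only a hint that two partitions may mirror each other, not proof.

```python
from collections import defaultdict

# /proc/partitions output as posted above (Behold 2).
PROC_PARTITIONS = """\
major minor #blocks name
137 0 513024 bml0/c
137 1 2048 bml1
137 2 512 bml2
137 3 512 bml3
137 4 1024 bml4
137 5 23040 bml5
137 6 6144 bml6
137 7 23040 bml7
137 8 6144 bml8
137 9 226304 bml9
137 10 8192 bml10
137 11 512 bml11
137 12 40960 bml12
137 13 1024 bml13
137 14 173568 bml14
138 9 210432 stl9
138 12 25088 stl12
138 14 157696 stl14
179 0 1982464 mmcblk0
179 1 1982338 mmcblk0p1
"""


def parse_partitions(text):
    """Return (major, minor, blocks, name) tuples from /proc/partitions text."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header line, blank lines and shell prompts.
        if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
            continue
        rows.append((int(fields[0]), int(fields[1]), int(fields[2]), fields[3]))
    return rows


def same_size_groups(rows, prefix="bml"):
    """Map size -> names for partitions of one family that share a size."""
    groups = defaultdict(list)
    for _major, minor, blocks, name in rows:
        # Assumption: minor 0 (bml0/c) is the whole device, not a partition.
        if name.startswith(prefix) and minor != 0:
            groups[blocks].append(name)
    return {size: names for size, names in groups.items() if len(names) > 1}


def whole_device_matches_sum(rows, prefix="bml"):
    """True if the minor-0 node is exactly as large as all partitions together."""
    whole = [b for _, minor, b, n in rows if n.startswith(prefix) and minor == 0]
    parts = [b for _, minor, b, n in rows if n.startswith(prefix) and minor != 0]
    return len(whole) == 1 and whole[0] == sum(parts)


def stl_overhead(rows):
    """Blocks by which each bmlN is larger than the stlN with the same minor."""
    bml = {minor: blocks for _, minor, blocks, name in rows
           if name.startswith("bml")}
    return {name: bml[minor] - blocks for _, minor, blocks, name in rows
            if name.startswith("stl") and minor in bml}


if __name__ == "__main__":
    rows = parse_partitions(PROC_PARTITIONS)
    for size, names in sorted(same_size_groups(rows).items()):
        print(f"{size:>8} blocks: {', '.join(names)}")
    print("bml0/c equals sum of bml1..bml14:", whole_device_matches_sum(rows))
    print("bml minus stl, per pair:", stl_overhead(rows))
```

On this output the three stl devices are each smaller than their bml counterpart by the same number of blocks, which fits a fixed per-partition reserve rather than three unrelated layouts.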

Samsung is doing their best to screw us here aren't they?
I have an ubuntu partition, but it will be a bit before I can compile. I'm writing up guides to overhaul the current UI.

Having trouble with adb in Ubuntu. I'll retry tomorrow, but this could take a while. Probably best for someone else to take this one on.

What's the output for 'mount'?

I posted this on alldroid.org today. Samsung seems to have used some of its bada OS and/or UI in the Behold 2. I was wondering if someone could download their SDK and see what they can find out; maybe it could help us with ROOT.
SDK link http://developer.bada.com/apis/docs/commonpage.do?menu=MC01040000&mtb1=&mtb2=
"Re: Important Behold 2 Discovery / 1st step to Custom Roms
They are similar but for that method you need 'new PcStudio', which does not recognize the Behold 2.
BTW the Galaxy (Samsung i7500) is almost the same as the Behold 2: same hardware, but the Behold 2 has a lot more memory.
http://androidforums.com/samsung-i7500/ ... rom-s.html
One interesting thing I did find this weekend while doing some research was that (I think) Samsung has implemented some of its BADA OS on the Behold 2. Look at the video and let me know what you think.
http://www.gsmarena.com/samsung_finally ... s-1311.php"
PS: (thanks to yatimameiji) this was just found and hopefully it can help you look in the right place: "To get the recovery menu, when you do vol. down + call button + power and the triangle comes up, then do home + power: recovery menu." I got it up but can't select anything and there's the e:can;t open cache and some others

Finally some posts back. I thought no one was going to respond and I was going to delete this thread. So this is great news that we can now enter recovery mode. Also I know what's plaguing the device with the battery issue. It seems the phone is reading the battery as 1440 mah and the battery is tagged 1500mah. This can be confirmed by using BetterCut and adding the shortcut Battery read.

dan0zone said:
I posted this on alldroid.org today. Samsung seems to have used some of its bada OS and/or UI in the Behold 2. I was wondering if someone could download their SDK and see what they can find out; maybe it could help us with ROOT.
SDK link http://developer.bada.com/apis/docs/commonpage.do?menu=MC01040000&mtb1=&mtb2=
It seems so close to the Android Developer Site. Did AOSP give some code to Samsung as a base?

I believe so. I remember reading that it was going to be like the OPhone project, but Samsung wants to use this like they use TouchWiz on all their touch screen phones.

OK, so I was playing around with my Samsung Behold 2 today; all I found was recovery mode (voldown+call+power) and fastboot (dpadleft+power). I'm currently installing the Android SDK as we speak; after that I will play around with this a bit more.

We had a good look at this over at androidforums (Behold and Galaxy sub forums).
It seems they are using some secure bootloader, and those other partitions (which almost correspond in size) seem to be the original partition in a security container.
I had assumed that on boot if the main partition is modified it would simply reflash it. However we have now been able to 'persistent root' the phone (check in the Behold section on androidforums). We hijack the playlogo file, and insert the shell commands to execute the exploit executable on every boot. This happens after init.rc so making custom roms is going to be a bit of a headache.
What's strange tho is why it doesn't recognise the system partition was changed when we mod playlogo. Perhaps it just wipes the bin and xbin directories and re-extracts them. That would make life a lot easier.
I was going to sell my Galaxy and switch to a Behold, but I couldn't find one cheap enough. So I've stopped looking at all this now.
Hope that helps anyway.

Well, we have made some headway. We can now flash between builds for the Behold 2 via ODIN_flasher. For now we have two builds: an older build and the one shipped with the phone. So what I think we need is a way to edit the .tar files within the flasher but keep the partition structure that Samsung has in place. What I have noticed is that if you connect to ddms and go to the system info tab or allocation tracker, you will see that Samsung has renamed everything as a kernel, even the browser. If we get our hands on Sammy's build environment maybe we can make sense of their madness.

Odin isn't actually anything new. We've been using it with the galaxy for a while now.
The phones' bootloader contains a download mode, which also forwards to the AMSS's OEMBL in download mode. Odin simply forwards the files to this bootloader without doing anything clever. This is why you can take ANY update from NPS and apply it using odin as is.
We have tried flashing galaxy partitions onto the behold, but as I said in an earlier post there is a secure bootloader and it simply rejects the images.
I haven't downloaded this H6 leaked behold image, but it probably just contains yaffs images, probably in a security container. You could unyaffs them, modify and yaffs them up again. Just modifying them is trivial. I'm pretty sure that the bootloader will just reject any modified images tho. Sorry but I don't think this is going to get you anywhere.
On a security unlocked phone like the galaxy we just edit the system or recovery images and flash them back using Odin. Similarly fastboot can also do it. On the behold however I'm pretty sure it won't accept anything that isn't signed.
The only interesting thing to try would be to try to flash the galaxy bootloader onto the behold using odin. We have both the arm9 and arm11 bootloaders if you'd like to try. This is VERY VERY VERY risky and in all likelihood will brick your phone. But if it works you should be able to manage partitions simply like with the galaxy.
The very first thing you guys should look at is to compare the system image of the galaxy and the behold. Check if there is a security container around the behold one or not. If there is, attempt to exploit it (change length fields, change offsets, create oversized image - the usual stuff).
I think there are only 2 routes to achieve what you want:
- quick route
Use a userland exploit, like the current root. Then use the persistent root idea to run a script which modified your filesystem on boot - possibly extracting a custom rom from the sdcard onto the system partition.
- Slow route
Try to find a flaw in the secure bootloader, or some other exploit to allow you to flash a modified bootloader.
Your idea of just editing the firmware files directly is really unlikely to work.

Thanks for your input Kam. Well, it was just a thought; I knew the signing would have been the issue (same as with the G1 roms and themes). I know someone will figure it out. I would love to help with getting this going, but I work 14 hour days. I should get a second Behold 2 soon so I can use one for testing, well, till I brick it...
I'm gonna browse some of the Galaxy forums to see how they are doing it. I "think" the Galaxy is closer to stock Android than the Behold 2 is.
BTW, the H6 image you are talking about, is that the one posted by sammydroid? Because he also has a J6 image; H6 is older.

Yeah, that's the one. I have a galaxy, and not a behold, so my interest in this is kinda limited. I only really got into it because I was going to switch to the behold.
Personally I think you guys are better off just using the persistent root to modify the OS after boot for now.

Samsung Source Code
Does this help at all?
http://opensource.samsungmobile.com/download/OpenSource/SGH-T939_OpenSource.zip
Appears to be the build source for the existing rom. Don't have access to a *nix box to dig into it right now...

Here's the tutorial to install busybox for behold 2.
http://www.myhangoutonline.com/2010/01/08/install-busybox-on-behold-ii/

kam187 said:
Odin isn't actually anything new. We've been using it with the galaxy for a while now.
The phones' bootloader contains a download mode, which also forwards to the AMSS's OEMBL in download mode. Odin simply forwards the files to this bootloader without doing anything clever. This is why you can take ANY update from NPS and apply it using odin as is.
We have tried flashing galaxy partitions onto the behold, but as I said in an earlier post there is a secure bootloader and it simply rejects the images.
I haven't downloaded this H6 leaked behold image, but it probably just contains yaffs images, probably in a security container. You could unyaffs them, modify and yaffs them up again. Just modifying them is trivial. I'm pretty sure that the bootloader will just reject any modified images tho. Sorry but I don't think this is going to get you anywhere.
On a security unlocked phone like the galaxy we just edit the system or recovery images and flash them back using Odin. Similarly fastboot can also do it. On the behold however I'm pretty sure it won't accept anything that isn't signed.
The only interesting thing to try would be to try to flash the galaxy bootloader onto the behold using odin. We have both the arm9 and arm11 bootloaders if you'd like to try. This is VERY VERY VERY risky and in all likelihood will brick your phone. But if it works you should be able to manage partitions simply like with the galaxy.
The very first thing you guys should look at is to compare the system image of the galaxy and the behold. Check if there is a security container around the behold one or not. If there is, attempt to exploit it (change length fields, change offsets, create oversized image - the usual stuff).
I think there are only 2 routes to achieve what you want:
- quick route
Use a userland exploit, like the current root. Then use the persistent root idea to run a script which modified your filesystem on boot - possibly extracting a custom rom from the sdcard onto the system partition.
- Slow route
Try to find a flaw in the secure bootloader, or some other exploit to allow you to flash a modified bootloader.
Your idea of just editing the firmware files directly is really unlikely to work.
Have a second unit on hand now (for about a week) so bricking isn't a concern and can/will try these options... but need guidance. can jump on irc for assistance... anyone interested? The above seems totally possible.... but out of my league without help.

Thanks to MobileBand we had some success. Managed to get the galaxy system onto the behold. Force close problem at the moment but stay tuned.
PS. its fastttttttttttttttttttt

Let me publicly state that kam187 ROCKS! Kudos on the work last night!
Behold owners; start getting hyped... this is the break we've been looking for!

love the work
Love your guys' work man. I have 140mb free on my Behold 2, that's without task manager. It's blazin fast but I always wanted to do something different with it. Can you pleaseeeeeeeeeeee lol ( : ) : post a rom and turt


[Q] Building SGT Firmware from Source (VZW CDMA)

So to get to the point... I bricked my friend's SGT after trying to put a dialer app onto it. A series of stupid moves leaves it at the Samsung logo on bootup and only able to access Download Mode (No recovery). He's getting a replacement through warranty (oops) but in the meantime I'd love to learn/experiment with building my own ROM.
I've been an avid Linux user for a couple years, learning more and more as time goes by. I've done extensive modding on the Motorola Droid and Droid 2 (modding, no programming, dev'ing or cooking). Basic familiarity with the Android system and how it works.
However, it's been a huge learning experience trying to build my own ROM from source. I downloaded the SGH-I800 VZW and also the GT-P1000 sources from opensource.samsung.com and also the android source from source.android.com
Following the instructions from the README inside the I800 source .tar, I wrote the GT-P1000 files over the android source, then wrote the I800 files over the combined GT-P1000/android source. After some configuring to make this work on a 32-bit system with java1.6 libs, I finally arrived with a working "make" command in my ~/bin folder (where repo stuck the android source). Before running make I did run "make update-api" and it seemed to go off without a hitch.
It's currently running and has been for quite some time (around 45 mins or so, which is normal on my 4 year old Centrino laptop). However, I'm seeing quite a few warnings about parentheses and various other syntax-related issues.
Is this going to be a huge problem with the final .img files? I can't imagine it working perfectly... Is there any way to debug this compilation procedure? I'm just using terminal and obviously there are far too many to stay in the lines history of terminal app.
Thanks for the help guys, I'm hoping to at least get this tablet bootable so I can apply a more advanced rom or (depending on the difficulty) revise my own rom into a fully working one.
-Garrett
P.S.- If I understand this correctly, it will output a few .img files into the /out folder. How am i to flash these using ODIN? can I just put them into a .tar archive and select that under the PDA option of ODIN? I've already compiled the kernel for the SGT, it seemed very straightforward and I've got the zImage file. I also read somewhere that the kernel should be included in the main platform compilation. However, the zImage file is just thrown into one of the other .tar's downloaded for a different device (just to get a feel of what format files should be where). Some advice would be much appreciated! Thanks.
update:
it compiled and produced three files of standard format (*.img) which would be used to
a) extract the /system folder, etc. to produce a flashable update.zip in CWM or some other custom recovery.
or
b) flash directly using some other program, with target booted into the bootloader,
if I recall correctly. The problem with the former is that this tablet will not boot into recovery, and with the latter, no suitable program seemingly exists. There must be some method of converting or repackaging these *.img files into Samsung's proprietary *.rfs format, but extensive google searching has yielded nothing of value.
ok, update #2
flashed a zImage and factoryfs.rfs from a sprint ROM, and of course data doesn't work on this verizon tab (actually not a big deal since I'd be wifi tethering from my Droid 2 anyway) but it does have all the sprint applications and settings and all that.
I have a full /system dump from a completely stock verizon tablet, what is the most straightforward way of flashing this onto this frankenstein tablet?
I'd imagine it entails flashing clockworkmod recovery and flashing an update.zip that contains the entire /system folder, would this work?
I've tried simply
adb push ~/Galaxy/system /data/sysbackup
then
busybox cp -rf /data/sysbackup/* /system
however this just results in a lot of disk full errors and an unbootable tablet.
thanks for the tips guys, and wondering what's so bad about the vzw tablet? there seems to be a lot more threads/roms/support for (of course) the GSM tablets and even Sprint's but none for big red.
Not sure if this would work, but maybe creating a VFAT image in Linux and dumping the contents into it then saving the file as factoryfs.rfs and flashing it?
Or, mount a known good factoryfs.rfs, rip out the contents and replace it with the VZW stuff. (Since RFS images can be mounted as VFAT in Linux/Unix)
As far as getting data up and running, you would probably need a dump of a radio from another VZW Tab. (/dev/block/btl12 if it's anything like the GSM Tabs)
gfrancis306 said:
thanks for the tips guys, and wondering what's so bad about the vzw tablet? there seems to be a lot more threads/roms/support for (of course) the GSM tablets and even Sprint's but none for big red.
I can only answer for myself on this one, I always prefer the GSM devices because they often have Euro/Asian counterparts, thus bigger modding communities. The GSM models will definitely have more presence solely because the majority of markets for the device are GSM-based.
thanks guys, I definitely understand the GSM tabs getting more traffic but couldn't figure out why Sprint was attended to while VZW went overlooked.
Either way, I had a friend of mine .tar up a rotohammer backup from his VZW tablet and send it to me through dropbox. Un-tar'd and flashed using heimdall and it booted right up with VZW service and everything. The only problem I notice is there are no google apps (Market, Gmail, Maps, etc.) I know there's a quick fix for most android phones by just flashing gapps.zip through CWM recovery, but since there's no way to flash CWM on the VZW tab, how would I go about getting my google apps back?
Thanks
Do a factory reset or try one of the market fixes in the main galaxy section. Should be fixable.
Does your GPS function?
gfrancis306 said:
thanks guys, I definitely understand the GSM tabs getting more traffic but couldn't figure out why Sprint was attended to while VZW went overlooked.
Either way, I had a friend of mine .tar up a rotohammer backup from his VZW tablet and send it to me through dropbox. Un-tar'd and flashed using heimdall and it booted right up with VZW service and everything. The only problem I notice is there are no google apps (Market, Gmail, Maps, etc.) I know there's a quick fix for most android phones by just flashing gapps.zip through CWM recovery, but since there's no way to flash CWM on the VZW tab, how would I go about getting my google apps back?
Thanks
Did you get the dbdata.rfs or cache.rfs? I think they play a part into stuff like the market. Check for the apps in /system/app though.
Sent from my SGH-I987 using XDA App
I bricked VZW SGT by flashing another rom accidentally and now it won't go further than the Samsung logo on bootup
is there any way to flash back the original rom?
On my Sprint GT I am able to get to clockwork mod recovery by doing
Code:
adb reboot recovery
As far as I can tell there is no way to get to recovery with the device off. But if it gets as far as the Samsung screen you still might be able to use adb to reboot to recovery. I've been trying to build froyo myself and as a proof of concept compiled the stock kernel from Samsung open source. Then put it in a modified update.zip from one of monks kernels and flashed it from clockwork recovery. The flash was a success and the device booted fine. I don't see why the same shouldn't work for the system folder. The boot.img would be more difficult cause I don't think the GT uses the same partition layout as other android phones.
Hello, my name is Robert and I'm new to this. I'm looking for some roms for my vzw galaxy tab. Does anyone have any suggestions? And is there a stable gingerbread or honeycomb rom out there for the galaxy tab for vzw? Thanks to all that can help me
Sent from my SCH-I800 using XDA App

Archos gen8 bootloader crack (disable signature check)

" PWNED " :-D
As you know, Archos bootloaders check digital signatures of init and recovery kernels, so you need to install SDE to use custom kernels, and it somehow "watermarks" the device.
Good news everyone! I've disassembled both bootloaders, found the code which checks signature, and replaced it (first instructions of verify_hash function) with "return 0" which is "mov r0, #0; bx lr" in ARM assembly. It's much the same hack as on Archos 5, thanks EiNSTeiN from archos.g3nius.org for reverse engineering previous generation.
Archos gen8 boots using OMAP boot ROM from internal eMMC card. Primary bootloader ("boot0") is in 0x20000 bytes after the first sector of internal flash (i.e. at 0x200) and secondary bootloader is written into rawfs, /mnt/rawfs/avboot. boot0 contains image size and loading address in first 8 bytes.
So, here is the patch:
1) boot0: replace 8 bytes at 0x7520 from the beginning of mmcblk0 from 7F402DE9003091E5 to 0000A0E31EFF2FE1.
2) avboot: replace 8 bytes at 0x14424 in avboot from 7F402DE9003091E5 to 0000A0E31EFF2FE1 (same patch). 0x14424 from avboot beginning is usually 0x14824 from the beginning of mmcblk0p1 (avboot comes first in rawfs, just after 2 blocks of header).
Of course you need root to do it. I've done it on my Archos 101, then changed 1 byte in recovery image - it boots into recovery without problem (before the hack it didn't boot into this 1-byte changed recovery).
And of course do it with caution and at your own risk. DO NOT replace the bytes if you find other original data at these offsets! Bad boot0 or avboot means bricked Archos. There must be some sort of test point (something connected to OMAP SYS_BOOT5 pin) to boot from USB, or a boot UART interface, so debricking the device must be possible, but it would require some effort to find it, find a proper bootloader and use it.
If someone wants to see the IDA database, I'll send mine.
P.S: I do not have enough messages to post inside Development subforum, so I'm posting here.
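A read-only check for the state described in the post above, useful when examining a flash dump for this modification. This is an added example, not code from the thread: the two byte sequences and the offsets 0x7520 and 0x14424 are taken from the post, while the function names and the sample images are constructed here for illustration. Nothing is written to the image.

```python
import struct

# Byte strings and offsets exactly as given in the post above.
ORIGINAL = bytes.fromhex("7F402DE9003091E5")
PATCHED = bytes.fromhex("0000A0E31EFF2FE1")
BOOT0_PATCH_OFFSET = 0x7520    # from the beginning of an mmcblk0 dump
AVBOOT_PATCH_OFFSET = 0x14424  # from the beginning of the avboot file

# The four little-endian ARM words that make up the two sequences.
MNEMONICS = {
    0xE92D407F: "push {r0-r6, lr}",
    0xE5913000: "ldr r3, [r1]",
    0xE3A00000: "mov r0, #0",
    0xE12FFF1E: "bx lr",
}


def classify(image, offset):
    """Return 'original', 'patched', 'unknown' or 'truncated' for the 8 bytes."""
    chunk = image[offset:offset + 8]
    if len(chunk) < 8:
        return "truncated"
    if chunk == ORIGINAL:
        return "original"
    if chunk == PATCHED:
        return "patched"
    # Other data here means a different bootloader build or a wrong offset.
    return "unknown"


def decode(image, offset):
    """Render the two 32-bit words at offset as mnemonics where known."""
    chunk = image[offset:offset + 8]
    if len(chunk) < 8:
        return []
    return [MNEMONICS.get(w, "0x%08X" % w) for w in struct.unpack("<2I", chunk)]


def report(label, image, offset):
    """Summarise one image; signature_check_intact is True only for 'original'."""
    state = classify(image, offset)
    return {
        "image": label,
        "offset": hex(offset),
        "state": state,
        "code": decode(image, offset),
        "signature_check_intact": state == "original",
    }


def make_sample(payload, offset, size):
    """Constructed stand-in for a dump: 0xFF filler with payload at offset."""
    image = bytearray(b"\xff" * size)
    image[offset:offset + len(payload)] = payload
    return bytes(image)


if __name__ == "__main__":
    samples = [
        ("boot0 (stock)", make_sample(ORIGINAL, BOOT0_PATCH_OFFSET, 0x8000),
         BOOT0_PATCH_OFFSET),
        ("boot0 (modified)", make_sample(PATCHED, BOOT0_PATCH_OFFSET, 0x8000),
         BOOT0_PATCH_OFFSET),
        ("avboot (modified)", make_sample(PATCHED, AVBOOT_PATCH_OFFSET, 0x15000),
         AVBOOT_PATCH_OFFSET),
        ("boot0 (other build)", make_sample(b"", 0, 0x8000), BOOT0_PATCH_OFFSET),
    ]
    for label, image, offset in samples:
        print(report(label, image, offset))
```

An "unknown" result is the case the post warns about: the bytes at the offset are neither sequence, so the offsets do not apply to that image.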
Great work! With this base, can you get something like CW to run?
I'm so waiting for him to come back and say April fools.
I'm gonna screw him up if this was an april fool
First, if this is an April fools, I will find you and hurt you.
Second, what does all that mean anyway? Does that mean Cyanogen on Gen8 is near? Does it have anything to do with roms?
vitalif said:
P.S: I do not have enough messages to post inside Development subforum, so I'm posting here.
Maybe you should increase that number of post by explaining how you did this.
)))) No it isn't an April fool, my device now really has a modified recovery. Ridiculously modified (1 byte changed), but that's the proof!
Check the patch by yourself )) all you need to write to mmcblk0 is a standard linux dd tool... which is included into standard Archos busybox...
wdl1908 said:
Maybe you should increase that number of post by explaining how you did this.
In fact, it was not hard, and if I knew ARM assembly language before, it would be even easier... All I had to do is to find bootloader on the flash (boot0 is obviously in its beginning, and avboot is on /mnt/rawfs), copy it to computer, download IDA, feed bootloader to it and find functions similar to ones described on archos.g3nius.org (BigInteger_ModulusEnter, RSADecipher, etc). It also could be simpler, as BigInteger_ModulusEnter is mentioned inside an ASCII string inside data section... But I've found them by text search also there is a magic "ZMfX" in first 4 bytes of avboot and some other magic inside init and recovery... One also could use them to find interesting points in bootloader.
At first I've started disassembling with the wrong base address, but bootloader has code which copies itself to the correct one in the very beginning, so I've changed it and started over. In fact, it has size and address in first 8 bytes, so this also could be simpler...
So the hack is done, what needs to be done by now - utilize it and create some custom ROM or simply flash urukdroid without SDE...
chulri said:
Great work! With this base, can you get something like CW to run?
CW == ClockWorkMod recovery? I don't have any experience with CWM porting yet, but in theory yes, the hack gives us the ability to run custom recovery images.
Don't know alot about the bootloader, but what advantage does this have?
SWFlyerUK said:
Don't know alot about the bootloader, but what advantage does this have?
Hm. I'll explain... Bootloader is the program which starts up the device, similar to bootloader on your PC. Signature check in bootloader prevents us installing modified Linux kernel, initial ramdisk and recovery images. So, for example, we can't have netfilter in kernel without installing SDE, we can't have ClockWorkMod recovery on Archos at all, and we can't, for example, change MMC card splitting into 512M mmcblk0 for system + remaining for "internal SD" with data.
With signature check removed, all this is possible.
The underlying idea of all this signature checking is probably protecting f**king DRM... I HATE IT !!!!!! And hate companies promoting it =) When you install SDE on previous generation archos (5it), it removes drm keys from device memory (this is the "watermarking" mentioned on Archos site). It makes device unable to play the content bought for it anymore... Not a big deal, but unpleasant. I don't know if this is the same on gen8.
In detail: Archos 101 has OMAP3630 processor. The "0-stage" (very-very first stage) bootloader, i.e. program which gains control after processor power-up, is hard-coded into one-time programmable area on the processor itself and is named "OMAP boot ROM" (similar to PC BIOS). The boot ROM can continue device booting process from different devices including SD/MMC card, NAND flash, UART (serial port) or USB interfaces. The boot sequence is determined from physical pin connection configuration. Our Archos boots from internal eMMC card.
So, OMAP boot ROM loads primary Archos bootloader, without checking any signatures or checksums, and simply transmits control to it. Primary bootloader sets up some processor configuration and then reads secondary bootloader (avboot) from flash. Then, it checks its MD5-RSA digital signature using Archos public key. If signature is incorrect, it hangs the device (goes to infinite loop). So if we modify avboot without removing signature check from boot0, device would be bricked. If signature is correct, control is transmitted to avboot. Avboot determines what system we want to start by pressing different keys, loads it, checks signature if system is init (normal system) or recovery, sets up configuration for Linux kernel and transmit control to Linux.
Interesting facts:
* According to the code, boot0 can use rawfs or FAT filesystems for boot partition.
* During boot process, various messages are printed to serial console. avboot even has some code for receiving commands over serial connections.
* OMAP processor boot sequence can be configured via special memory area which remains unchanged after soft reset, and this configuration will override one determined by physical pin configuration. This does not give us much profit, but is also interesting...
Thanks for the explanation, so is it worth doing for a noticeable difference in performance etc?
SWFlyerUK said:
Thanks for the explanation, so is it worth doing for a noticeable difference in performance etc?
What's being done will have no effect on performance of the device. It will, however, allow a lot of work that can contribute to better performance on the device. That is assuming that we can put a modified clockworkmod recovery on these devices without bricking them.
He says the only way to do this is with root but in order to have root with r/w access at this point is SDE....right? Don't get me wrong custom recovery with the ability to make backups would be awesome but it seems SDE will still be necessary unless a new rooting option comes along.
*on a side note about root has anyone tried using psneuter to gain temp root through ADB? I really am not super knowledgeable about this stuff but this was used on the thunderbolt to aid in getting full root and s-off.
Sent from my ADR6400L using XDA App
JBO1018 said:
He says the only way to do this is with root but in order to have root with r/w access at this point is SDE....right? Don't get me wrong custom recovery with the ability to make backups would be awesome but it seems SDE will still be necessary unless a new rooting option comes along.
*on a side note about root has anyone tried using psneuter to gain temp root through ADB? I really am not super knowledgeable about this stuff but this was used on the thunderbolt to aid in getting full root and s-off.
Sent from my ADR6400L using XDA App
Archangel will give you temp root without using SDE.
He said root with r/w access. Archangel won't do that, the file system is still protected.
pbarrett said:
He said root with r/w access. Archangel won't do that, the file system is still protected.
Nope, r/w access is not needed. The only changes to be made are on /dev/mmcblk0p1, which is mounted on /mnt/rawfs; the read-only is on the root file system, so they are separate. Archangel will do just fine for this.
wdl1908 said:
Nope, r/w access is not needed. The only changes to be made are on /dev/mmcblk0p1, which is mounted on /mnt/rawfs; the read-only is on the root file system, so they are separate. Archangel will do just fine for this.
To be correct, there is no write protection on internal MMC at all, there is readonly rootfs which is mounted from a squashfs archive (squashfs is compressed readonly filesystem commonly used on Linux Live CDs), so you can't modify _files_ on it while it is mounted. But, nothing stops you from updating it as a whole.
Urukdroid
Someone should give a shout out to $auron, creator of the Urukdroid project, about this; he might find it useful.
So, if your hack is confirmed, that would give us the possibility to port CW recovery and Cyanogen to Gen8 devices... am I right ?
shrewdlove said:
Someone should give a shout out to $auron, creator of the Urukdroid project, about this; he might find it useful.
I think he has already seen this thread but you can ask him
lechuckthepirate said:
So, if your hack is confirmed, that would give us the possibility to port CW recovery and Cyanogen to Gen8 devices... am I right ?
Yes you are^^ but the thing is you have to port cyanogen to our gen8^^ and this must be done by one or more devs
I heard the biggest problem is that our touchscreen is connected by a USB controller inside the Archos; that's why the honeycomb port by luisivan does not recognize our touchscreen (but when the source code is released, finally, we will get a hc port)
Lennb said:
I heard the biggest problem is that our touchscreen is connected by a USB controller inside the Archos; that's why the honeycomb port by luisivan does not recognize our touchscreen ( but when the source code is released, finally, we will get a hc port )
this isn't a problem for cyanogen (v7 = Android 2.3.3) because we have the source.

[NEED HELP with e2fsck] Soft-Brick : corrupted /data/ & /sdcard/ partitions

----------- FIXED ----------
Hey guys,
I'm encountering a terrible problem with my P6810 tab. Here is the story :
At first, I just did format /system/ (and /data/, cache and dalvik) in CWM before flashing a new Rom.
After reboot, the tab just got stuck on the "Galaxy Tab 7.7" logo. no bootloop, just stuck on static logo.
At this stage i could go to download mode and recovery, which I did.
I tried to reflash the rom, no success, so then I tried to flash stock ICS firmware through Odin 1.85 : Stuck on flashing Factoryfs.img for several hours, so I had no choice but to reboot the tab. (I had no Kies-related software running, nor my antivirus)
There, the tab got stuck on the "Firmware upgrade encountered an issue. please select recovery in Kies" screen, no way to go to either recovery or download mode (not even worth saying Kies didn't recognize the tab).
I've been struggling a few hours with that brick and finally managed to get access to download and recovery modes again by flashing CWM with Odin alongside a PIT file with "repartition" ticked in Odin.
So there I could access recovery, I flashed CM9, everything went smooth. The tab rebooted and got past the Galaxy tab 7.7 logo and went to the cm9 bootscreen but got stuck there (big disillusion right there).
So now in recovery, i can mount every partition but those two : /data/ and /sdcard/
I figured out by reading similar threads that the solution to my issue might be e2fsck through adb. I'm a complete noob to adb.
I can access the adb shell, but here is what the commands I've been reading about return : (mmcblk0p9 is the /data/ partition on P6810)
# e2fsck -fDC0 /dev/block/mmcblk0p9 :
e2fsck : Superblock invalid, trying backup blocks...
The superblock could not be read or does not describe as a correct ext2 filesystem.
If the device is valid and it really contains an ext2 filesystem (and not swap or ufs or something else),
then the superblock is corrupt and you might try running e2fsck with an alternate superblock : e2fsck -b 8193 <device>
also had this once with this command :
bad magic number in superblock while trying to open /dev/block/mmcblk0p9
# e2fsck -b 8193 /dev/block/mmcblk0p9 :
Attempt to read block from filesystem resulted in short read while trying to open /dev/block/mmcblk0p9
Could this be a zero-length partition ?
# e2fsck -c /dev/block/mmcblk0p9 :
same as above
can you guide me with e2fsck or give me a link to a specific tutorial related to android e2fsck?
is there not a way in adb to like replace the corrupt partitions with freshly created ones ? or any other workaround ?
Any help will be appreciated a lot, i'm willing to donate to whoever provides me with a solution to get my tab running again.
Thanks for reading.
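The e2fsck messages in the post above correspond to three states: a bad magic number, a short read, and a readable superblock. The following shell sketch is an added example, not part of the original thread; it checks the primary superblock and then the first backup at the block numbers the e2fsck manual gives for 1 KiB, 2 KiB and 4 KiB block sizes, and prints the matching `-b`/`-B` arguments. The function names and the demo image are constructed for illustration.

```shell
#!/bin/sh
# Added example: find a usable ext2/3/4 superblock on a partition node or on
# an image taken with dd. Read-only; nothing is written to the target.

EXT_MAGIC=61267   # 0xEF53, stored little-endian at byte 56 of the superblock

# le_uint FILE BYTE_OFFSET NBYTES: print an unsigned little-endian integer.
# Fails with status 1 on a short read (truncated or zero-length device).
le_uint() (
    bytes=$(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tu1)
    val=0; mul=1; n=0
    for b in $bytes; do
        val=$((val + b * mul)); mul=$((mul * 256)); n=$((n + 1))
    done
    [ "$n" -eq "$3" ] || exit 1
    echo "$val"
)

# sb_at FILE BYTE_OFFSET: classify what sits where a superblock should start.
# Prints "ok <block_size>", "bad-magic" or "short-read".
sb_at() (
    magic=$(le_uint "$1" $(($2 + 56)) 2) || { echo short-read; exit 0; }
    [ "$magic" -eq "$EXT_MAGIC" ] || { echo bad-magic; exit 0; }
    # s_log_block_size at byte 24: block size is 1024 << value
    log=$(le_uint "$1" $(($2 + 24)) 4) || { echo short-read; exit 0; }
    [ "$log" -le 6 ] || { echo bad-magic; exit 0; }
    echo "ok $((1024 << log))"
)

# find_superblock FILE: try the primary copy at byte 1024, then the first
# backup for each common block size. A backup only counts if the block size
# it records matches the size assumed to locate it.
# Prints "primary", the e2fsck arguments for the first valid backup, or "none".
find_superblock() (
    case $(sb_at "$1" 1024) in
        ok*) echo primary; exit 0 ;;
    esac
    for pair in 1024:8193 2048:16384 4096:32768; do
        bs=${pair%%:*}; blk=${pair##*:}
        if [ "$(sb_at "$1" $((bs * blk)))" = "ok $bs" ]; then
            echo "-b $blk -B $bs"; exit 0
        fi
    done
    echo none; exit 1
)

# make_demo_image FILE: constructed test input, not real device data. A sparse
# file with a zeroed primary superblock and a 1 KiB-block backup at block 8193
# that carries only the two fields checked above.
make_demo_image() {
    dd if=/dev/zero of="$1" bs=1024 count=1 seek=8194 2>/dev/null
    printf '\123\357' |
        dd of="$1" bs=1 seek=$((8193 * 1024 + 56)) conv=notrunc 2>/dev/null
}

# Usage: sh find_sb.sh /dev/block/mmcblk0p9   (or a dd image of the partition)
[ "$#" -eq 0 ] || find_superblock "$1"
```

A result of `none` together with `short-read` from `sb_at` means the device could not be read at all at those offsets, which a filesystem check cannot fix.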
check this thread, very informative, helped me before
http://forum.xda-developers.com/showthread.php?t=1625675&highlight=bootscreen
Thanks a lot, already checked that one though.
Everything that worked for the guys in that thread doesn't work for me, or I'm too ignorant to find out the right e2fsck command...
Still no one able to provide some help please ?
It's weird that so many people are having the same issue on 7.7 these days, could it be related to the EU ban of this tab ?^^
Anyway, last day before i send it to Samsung
check this thread here it may help you solve your issue. All problems are coming from a brick bug in the ICS Kernel that's triggered by wiping.
Thanks a lot, trying this right now
Can someone please post a (parted) print of a safe and working Galaxy Tab 7.7 (either of the two models) ?
I need the exact size of the /data partition
ISSUE FIXED Thanks to Zorbakun's last post. A million thanks dude.
However, the actual internal storage of my tab is now 50mb :silly: anyway i'll find a way to fix that too.
the actual internal storage of my tab is now 50mb
Hello Androguide.fr.
Did you manage to find a way to fix your shrink of internal storage? If so, would you mind to share the method. Thanks
Regards
Budi
cakrabayu said:
Hello Androguide.fr.
Did you manage to find a way to fix your shrink of internal storage? If so, would you mind to share the method. Thanks
Regards
Budi
Well yeah, didn't recover the 16gb but you can try to earn yourself some extra gigs by doing this once you created a fresh /data partition :
this is an example for p6810, replace resize 9 with resize 10 if on a p6800
Code:
adb shell
parted /dev/block/mmcblk0
print
resize 9
It will ask you for start/end values, keep the same start value otherwise it will give you an error. A good idea is to resize the partition like + 500mb at a time, to avoid i/o errors you might get when creating/resizing large file systems.
Hope it helps, good luck.
I am about to have to do this myself, and i'm not a developer. i have accessed and navigated around my device through adb, but this level of complexity is *almost* over my head. i just want to make sure i'm not going to permanently mess this up. also, someone in another thread tried flashing ICS with an older version of ODIN and now his tab won't even power on. which i'm trying to avoid... so after reading around these forums for a few days (it happened saturday morning--and i KNEW to avoid flashing from stock ICS recovery--i think i wiped /data-cache-dalvik with CWM 5.0.1) i'm pretty sure that failure to mount /data seems to be the super brick bug everybody's talking about. i bought the p6800 as an import in the US so i am without warranty... if anyone can help with a step by step guide for the masses or something... i'm intelligent, and quite computer literate/net savvy, but i'm not a mentat ("dune" reference)...
like, i'm having trouble figuring out how to install adb on windows. and how do i use parted when it's linux software? i've repartitioned HD's before, and i'm familiar with some command-line basics, but....
--going to bed now...my head hurts--
aletheus said:
I am about to have to do this myself, and i'm not a developer. i have accessed and navigated around my device through adb, but this level of complexity is *almost* over my head. i just want to make sure i'm not going to permanently mess this up. also, someone in another thread tried flashing ICS with an older version of ODIN and now his tab won't even power on. which i'm trying to avoid... so after reading around these forums for a few days (it happened saturday morning--and i KNEW to avoid flashing from stock ICS recovery--i think i wiped /data-cache-dalvik with CWM 5.0.1) i'm pretty sure that failure to mount /data seems to be the super brick bug everybody's talking about. i bought the p6800 as an import in the US so i am without warranty... if anyone can help with a step by step guide for the masses or something... i'm intelligent, and quite computer literate/net savvy, but i'm not a mentat ("dune" reference)...
like, i'm having trouble figuring out how to install adb on windows. and how do i use parted when it's linux software? i've repartitioned HD's before, and i'm familiar with some command-line basics, but....
--going to bed now...my head hurts--
Try the .PIT file for the P6800 located here. You will lose all data, and part of your internal SD space. Looks like the brick happens consistently at the same point of the memory chip, so the same .PIT works for most people. If that doesn't help, you will need parted.
How can you use parted? It's a Linux program that runs in your tablet. You will adb shell to it, then you will have a Linux shell. Everything you put down there will run in your tablet, as if you were typing on it (think ssh, or remote desktop). I can't help you much more, because (knocks on wood) my tablet is still very much alive, and I don't use ADB that much.
Now, I don't know how it works in your country, but here in Brazil the Samsung service accepts warranties issued anywhere. It may be worth a shot.
aletheus said:
I am about to have to do this myself, and i'm not a developer. i have accessed and navigated around my device through adb, but this level of complexity is *almost* over my head. i just want to make sure i'm not going to permanently mess this up. also, someone in another thread tried flashing ICS with an older version of ODIN and now his tab won't even power on. which i'm trying to avoid... so after reading around these forums for a few days (it happened saturday morning--and i KNEW to avoid flashing from stock ICS recovery--i think i wiped /data-cache-dalvik with CWM 5.0.1) i'm pretty sure that failure to mount /data seems to be the super brick bug everybody's talking about. i bought the p6800 as an import in the US so i am without warranty... if anyone can help with a step by step guide for the masses or something... i'm intelligent, and quite computer literate/net savvy, but i'm not a mentat ("dune" reference)...
like, i'm having trouble figuring out how to install adb on windows. and how do i use parted when it's linux software? i've repartitioned HD's before, and i'm familiar with some command-line basics, but....
--going to bed now...my head hurts--
I am working on writing a specific 7.7 guide to teach people the parted/e2fsck technique I use to revive my bricked p6810 every time I want to flash a new rom or test my builds.
First, as pointed out, try to Odin the PIT file for your particular model (eg : P6800 16gb).
You got to know that the parted technique is a pain in the ass, that you'll have to do it quite often if you like flashing roms, and that your tab will have a much smaller internal storage.
I think the guide will be ready in a couple days but you can PM me if you need help before that, no problem.
Good luck with this superbrick curse
thanks guys for your help, i'm going to try to figure this out this afternoon. i'm in the US, so they don't even offer warranties on imports. i was told by a samsung rep in the US that they don't grant warranties to imported models. i will first try the modified PIT file, then i will try the more complex method. @Androguide.fr i will PM you if i have trouble with the more complicated method later. thanks!!!!
aletheus said:
thanks guys for your help, i'm going to try to figure this out this afternoon. i'm in the US, so they don't even offer warranties on imports. i was told by a samsung rep in the US that they don't grant warranties to imported models. i will first try the modified PIT file, then i will try the more complex method. @Androguide.fr i will PM you if i have trouble with the more complicated method later. thanks!!!!
I just finished writing the guide, it's here : forum.xda-developers.com/showthread.php?t=1862294

A comprehensive guide to the Lenovo Yoga Tab 3 Pro (YT3-X90*) and a Cooked ROM

THESE COOKED ROMS ASSUME YOU HAVE ALREADY AN UNLOCKED BOOTLOADER AND TWRP AS RECOVERY SYSTEM. You can flash them using TWRP, after wiping ART, cache, data, boot and system partitions.
FINAL RELEASE: Well... this is the final release from me and it is specifically for the WiFi model. I hope it is worth it for you. It is more stable and somewhat updated, anyway, if you use a X90F (wifi model) you will probably like it. The other versions are still up for whatever reason. Here's the link. Follow this guide by @Quardah if you are coming from a factory ROM. Go to post 46 if you can't get past the setup wizard. A barely tested (by @Nuihc88) version for the 3G (X90L) model can be found here.
NOTICE: If you find this work useful, mirror it. I won't be hosting it for free forever and it is becoming a burden to my Nextcloud installation. One would say this is a pretty much forgotten thread, but I'm seeing almost daily download activity. I'm putting the ROM files offline now and getting away from XDA for a while. Please don't DM me for the files. If you are looking for them, ask others in this thread. Good bye.
||||||||||||||||||| FROM HERE IS JUST INFORMATION YOU PROBABLY DON'T NEED |||||||||||||||||||
Spoiler: NEWS THAT ARE NOT ANYMORE.
APRIL 9, 2021: You can find in these links a new version of the cooked ROM.
The link for the updated cooked ROM is: https://centsoarer.ddns.net/s/Y8o3eoBK4Ryx5RP. This is a version with GAPPS updated: https://centsoarer.ddns.net/s/FPKjgQcmW3CHZCw. Feel free to mirror, unless you are afraid of Lenovo's lawyers, but don't forget to share the link.
My personal version... even more debloated (if you don't need chinese, japanese, korean, or russian input support/apps) and with CPU tweaks for my own usage: https://centsoarer.ddns.net/s/jcCDAgNedryGRjo
KNOWN ISSUES AND SOLUTIONS:
1) One random reboot after the first boot will happen and it is normal.
2) I'd recommend staying with Magisk 21.4 for a while, Magisk Manager >21.4 won't manage your extensions.
3) If you can't get past the initial Setup Wizard check post 46. Basically you have to boot into bootloader, erase the config partition and format it again.
4) Needs confirmation, but versions with signature spoofing patches seem to break Lenovo's SmartSide Bar.
JUNE 12: Fast update on the Cooked ROM and TWRP and KERNEL. They are not as universal as I implied before. Proceed carefully since they may not work for your device/firmware. Make a Nandroid backup and only flash for testing purposes.
JUNE 5: So, I know this is not what everybody who owns this tablet wants to have (that is Android 9 or 10 of course) but, in recent weeks Lenovo updated the firmware of these tablets. It still is a Marshmallow one and it still sucks big time but I took it as a base and cooked it to deliver a newer TWRP recovery with compression, a flashable modified kernel and a cooked flashable stock ROM to free the owners of these tablets from the treacherous path of making this hardware work properly. If you want a better overall experience and are on stock firmware you just need to Unlock your bootloader, flash TWRP, Format data partition (not only wipe), Wipe Cache, Dalvik/ART, System and DATA and flash the Cooked ROM to put this tablet in a sweeter spot. For details go to post #2!
JUNE 3: Been trying to get to know some of the source code available for Cherry Trail devices and I am fairly lost at building TWRP from source. Anyway, I ported a newer TWRP recovery IMG file for the YT3-X90F (maybe L, X, Y and Z) from the TWRP image for the Chuwi Hi10 Pro tablet from here, using AIK-Linux. The result is in the second post labeled as beta, since I only tested in the YT3-X90F model, running lollipop firmware. So far, it works fine flashing ZIP archives, backing up and restoring backups. Advantages? Well, backups are way lighter if you enable compression (like half the size), higher resolution, twrp turns off the screen with a timeout and whatever made them bump from version 2 to 3. While I could port a newer TWRP version, I just wanted to have lighter backups with compression... so maybe it is what it is .
ORIGINAL POST STARTS HERE. This is general information that I collected for geeks or desperate users that bricked their tablets. When I started this post it wasn't intended to produce a cooked ROM that would include most of these hacks. You don't need this if your tablet boots to Android or TWRP. You also don't need this if you are ready to flash the cooked ROM.
(This is a lengthy post. I suggest you navigate by section header and find the one you might need.)
There are several Lenovo Yoga 3 tablet models out there and, while some of them enjoy prime community support, as the Yoga Tab 3 Plus does, this Intel Atom powered tablet is pretty much forgotten. At the same time, users were recently buying this tablet, which is a great piece of hardware but has the most terrible support by Lenovo.
Spoiler: WHAT LENOVO TABLET(S) IS THIS GUIDE FOR?
Basically, this is that Lenovo tablet with an attached projector and an Intel Atom Cherry Trail x5 Z8500. There are several models, though, to my knowledge they vary in their code names in the last letter, the two most basic ones (2GB RAM, 32 GB ROM) are the YT3-X90F and the YT3-X90L, the former connects to the internet by WiFi and the latter being the one with LTE/Phone capabilities. There are other models, though, and they vary on the amount of RAM and internal storage. Apparently, the YT3-X90[YX] models (the 4/64 GB refresh) have some use for these firmwares we describe, but in a very specific way, if you own a Y or X model, keep reading, especially the next section.
Spoiler: EXPLAINING HOW TO FIND THE RIGHT STOCK FIRMWARE
Lenovo support has been terrible (there are no words to describe it, really), so they launched this tablet with Android 5.1 Lollipop and they maintained it for a while but were very slow to deliver Android 6.0 Marshmallow. In fact, there was already Android Nougat, when they sent the Marshmallow update. Nevertheless, the update was bad. Performance issues were always a thing and some functionality went lost in the update (less intuitive multiple windows, a crippled recents activity/screen, and a laggy overall experience). Bottom line, they launched a curated Android Lollipop 5.1 firmware with security updates until March 2016 (striked because the last lollipop update f*cks up my sensors, except the light one) and a half-assed Android Marshmallow 6.0.1 firmware.
Of course, at the time, I'm guessing most of us upgraded to Android Marshmallow 6.0.1, hoping the upgrade would fix the issues in Lollipop or with security patches in mind. The reality was that Android 6.0.1 wasn't nearly as maintained as 5.1 and security ambitions went nowhere. So, we got the upgrade all right, but at this point, both Android versions can be considered inherently insecure and we really shouldn't be using it for sensitive work.
OK, there are several Android 5.1 and 6.0 firmwares, you can recognize them because they are all over the internet typically in a compressed format. For example, this firmware hosted in androidhost.ru named:
YT3-X90F_ENG_S100265_1601281130_WW24_ROW
is a firmware for the Lenovo Yoga Tab 3 (YT3) Pro (X90) WiFi version (F). The ENG part indicates the build type: ENG is an engineering build, while USR is probably a firmware for the end user (this is common, now that I know a bit more about AOSP source code). It is a Lollipop firmware (S1; Marshmallow would be S2) with update version 00265. The next field (1601281130) is the date of compilation and a good estimate of its security patch. WW24 is the weekly release version of the Android kernel for Intel devices (the latest, in May 2020, being WW31, which is exactly the same as WW28 and not updated since 2016). The final part means it is the global ROM version (ROW, as opposed to the Chinese version, CN). This is the latest Lollipop firmware I am aware of. As an example, an imaginary Android Marshmallow Chinese firmware for the LTE version of the Yoga Tab 3 would look like:
YT3-X90L_USR_S200013_1610141535_WW24_CN
As an additional note, the Chinese ROMs, I presume, are not trustworthy, but they are also Google-free, for what it's worth. On the other hand, they ship with a "Lenovo Services Framework" that should be as intrusive as the Google Play Services. Oh, also, Baidu and Yandex, and, really, any less traditional search engine can help you find a fitting firmware.
Spoiler: EXPLAINING HOW TO FLASH A STOCK FIRMWARE (DOWNGRADE TO LOLLIPOP AND UNBRICK)
I did test several firmwares, Chinese and global, Lollipop and Marshmallow, and the safest and easiest way to flash them is by using the Intel Platform Flash Tool Lite. I can't say I trust this site, but it hosts a handy tutorial on how to use it, though it is pretty intuitive. The software exists for Mac, Windows and Linux. Be sure you are on, at least, the 5.8.x version; this is important to avoid the need to install some special drivers separately as a pre-requisite. Roughly, Intel Flash Tool Lite works like this:
0) Turn off your tablet if it is on.
1) Launch Intel Platform Flash Tool Lite.
2) If your downloaded firmware is in zip format load it with the blue "Browse..." button.
2 bis) OR, if your firmware is in other compressed formats, uncompress it first. After this use the "Browse..." button to load the "flash.json" file.
3) In Configuration option select "blank" if it isn't set already. Optionally, un-tick the "On-demand flash" option to have more control of this process. Also, maybe you can use the "erase" configuration here.
4) Start your tablet in DNX mode. To do this, press Vol- and hold it, then Vol+ and keep holding both, then press the Power button until it turns on and you see the Lenovo logo and some text indicating you are in said mode.
5) Connect your Yoga Tablet with a USB cable and your Intel Platform Flash Tool Lite windows should show it as detected. Now you can proceed using the blue "Start to flash" button.
6) Keep an eye on your tablet, since some firmwares will prompt to set some more options. Unless you know what you are doing, answer "Yes" to any question.
7) Reboot and wait.
If a couple hours have passed and the tablet hasn't booted, maybe you should try another firmware.
IMPORTANT NOTE AND INSTRUCTIONS FOR YT3-X90Y AND POTENTIALLY YT3-X90X USERS: I don't know the rules in xda about linking to other forums, but in a certain forum there is an answered question about the Y model (the 4/64 GB WiFi only refresh) on how to flash a firmware. Instructions are the same as I gave in this section, except, apparently, you need to do it twice: first with the ENG version and the second time with the USR version, except that you are not using the flash.json file; this time you'll browse for the flash_factory_1st_stage.json one and the factory1st configuration in fastboot. It is not clear what the consequences are of not doing it this way or what happens if you combine different firmware versions (it would be interesting to have a tester here). Notice please, these firmwares are marked for the YT3-X90F model. So, clarifying:
1) Follow the instructions above to flash the YT3-X90F_ENG firmware.
2) Power off your tablet.
3) Boot into bootloader (not in DNX, you need to boot into bootloader by powering on while holding Vol+).
4) From the YT3-X90F_USR firmware folder use Intel Platform Flashing Tool Lite to load the flash_factory_1st_stage.json and select the factory1st configuration.
5) After flashing the USR firmware, reboot and you should be good to go.
METANOTE: This wasn't tested by me, please do this only when you are hopeless with your hardware. This is just an educated guess but I bet it works the same with the YT3-X90L (the LTE version 2/32 GB Yoga Tab 3 Pro) and the YT3-X90X (the 4/64 GB refresh).
ALTERNATIVE WAY TO FLASH A STOCK FIRMWARE (ADVANCED USERS, requires fastboot)
Well, there is no need, really, to use that Intel tool. In my search for a lollipop firmware (I wanted to downgrade from Marshmallow) I found the firmware YT3-X90F_USR_S100195_1512052308_WW24_ROW in www.firmware247.com or www.androidfilehost.com (IMPORTANT: please read the note on downgrading to Android 5.1 Lollipop in the note at the end of this section). This firmware was special since, if you are in Windows and have fastboot executable ready and in place, you can run a script (run_me.bat) in the Windows terminal (CMD) or Powershell to flash the firmware semi-automatically. I think this firmware was modified, though, since I found differences in the boot.img when compared with stock firmwares. This script is credited to XDA members @ionioni and @joesnose and you can replicate its steps if you:
0) Turn off your tablet if it is on.
1) Start your tablet in DNX mode. To do this, press Vol- and hold it, then Vol+ and keep holding both, then press the Power button until it turns on and you see the Lenovo logo and some text indicating you are in said mode.
2) Connect your tablet to your fastboot enabled PC using a USB cable.
3) Input "fastboot flash osloader loader.efi"
4) Wait 5 seconds to be sure the loader flash finishes.
5) Reboot into Bootloader. If you don't know how, one way is to hold Vol+ and Power on your tablet.
6) Input "fastboot oem unlock" and confirm using Vol keys to select the right option and the Power button to enter it.
7) Input "fastboot flash system system.img"
8) Input "fastboot flash boot boot.img"
9) Input "fastboot flash recovery recovery.img"
10) Input "fastboot flash bootloader bootloader.img"
Follow your instincts, since I don't know if these IMG files are always named the same. You can get these IMG files from downloaded sources or dump them yourself using dd command.
NOTE ON DOWNGRADING TO ANDROID LOLLIPOP 5.1: So, one of my main concerns has been to go back to Android Lollipop. There is a last version of Lollipop from where you can upgrade to Marshmallow with a security patch from March 2016. Nevertheless, you MAY end up losing other sensors except the light one. If this happens, you need to use a complete firmware flash using Intel Platform Flash Tool Lite. In my experience, some boot images are not compatible with other weird partitions like country or misc.
Spoiler: TWEAKS ALREADY IN THE COOKED ROM
The first boot takes some time even amounting for the time of the setup itself. By the time you are in the launcher tapping on app's icons you think there's nothing wrong with our device, but after some apps are in memory, you notice some lag. You think "OK, it is updating, but soon it'll settle", but it does not. So, you reboot again after updates and fire up a terminal emulator and connect to your tablet using a USB cable with USB debugging turned on and issue a free command to find something like this:
Code:
total used free shared buffers
Mem: 1950372 1820964 129408 0 7756
Swap: 524284 10740 513544
Total: 2474656 1831704 642952
Which means you have a total of ~2.5 GB (this is the 2 GB model). So, did I download that extra half GB of RAM or was Lenovo feeling generous? Well, no. The issue here is Lenovo built the kernel with zRAM support, which is a technology included in Linux that reserves space in RAM to quickly compress and uncompress pages of data exceeding our physical amount of RAM installed (2 GB). This is not Virtual Memory as in a swap file/partition or Windows' Page File inside storage media. zRAM literally reserves a fixed amount of physical RAM space (blocks) to expand it by compressing data. The consequence is you lose "fast RAM" (THE RAM) and gain some "slow RAM" (the zRAM). You also sacrifice some CPU power to compress/decompress data and, with this, some battery juice is also lost.
That does not sound like a terrible trade-off for a RAM-limited device, one would think. Another interesting thing would be WHEN to send this piling data in "fast RAM" to the compressed space and WHEN to get it back. Two parameters control the WHENS, one is called "swappiness" (when to send it to the compressed space, the "slow RAM") and the other may be the "vfs_cache_pressure" (when to uncompress it and send it back to the "fast RAM"). And this is where the main problem is, really, because the kernel, Linux, is pressing the RAM constantly to send some lower-priority data to "slow RAM" and, at the same time, is trying constantly to send compressed data back to the "fast RAM". Summarizing, this kernel behavior is practically minimizing the fast RAM amount and usage while maximizing the "slow RAM" usage. This is nuts, by default a swappiness and a vfs_cache_pressure of 100 are not even default for servers, these parameters extremely prioritize that processes can get done no matter how slow they get, and they are even more nuts when Android is designed to work without swap space.
What that free command is telling us is the tablet is using the "slow RAM" even when we only just turned it on. Fortunately there are two ways to fix this problem: one is to completely disable zRAM, the other one is to use zRAM a whole lot less by tweaking the swappiness and vfs_cache_pressure parameters. This can be easily done with the following commands in a rooted tablet:
Code:
# echo 5 > /proc/sys/vm/swappiness
# echo 50 > /proc/sys/vm/vfs_cache_pressure
Or, to regain the whole fast RAM:
Code:
# swapoff /dev/block/zram*
One caveat of the first method, reducing swappiness, is there is still a lot of RAM (one quarter of the whole RAM in a 2 GB device) reserved as "slow RAM".
SOME ROMS DID NOT ENABLE KERNEL SAMEPAGE MERGING, UNFORTUNATELY
Additional to the sorry implementation of zRAM, some firmwares support a fabulous Linux tool to reduce RAM usage called Kernel Samepage Merging (KSM) but they don't use it by default. This software runs at kernel level, so, it really is CPU-wise inexpensive and, opposite to zRAM it can actually recover some RAM usage by reducing the amount of data flagged as redundant in physical RAM by merging it. KSM is good for you and you should have it always enabled by issuing the following command as root:
Code:
# echo 1 > /sys/kernel/mm/ksm/run
STOP WRITING AND FIX MY RAM! PLEASE!
Well... are there any people interested in this? With the above information you can write a script to execute at boot. Something like this should work in any version of the firmware:
Code:
#!/system/bin/sh
# Mount system as rw
busybox mount -o remount,rw -t auto /system
# Tweaking swappiness in zram
echo "5" > /proc/sys/vm/swappiness
echo "50" > /proc/sys/vm/vfs_cache_pressure
# Activating Kernel Samepage Merging
echo 1 > /sys/kernel/mm/ksm/run
# Remount system as ro. noatime option for faster and volatile system
# busybox mount -o ro,remount,noatime /system
busybox mount -o ro,remount /system
exit 0
Or, you can unpack the boot.img and modify the init.cht_ffd.rc (lollipop) or the init.r2_cht_ffd.rc (marshmallow) files to write these values as default... or, if there is interest for something easier, I can produce this boot.img files for you to flash using fastboot.
ROOTING THE LENOVO YOGA TAB 3 PRO (YT3-X90[FL])
Here I am not gonna write a lot. Instructions were given in this thread. I'd only recommend to put vm.targetutilization at 0.8 top 0.85 in system/build.prop
After rooting, debloat your firmware. I use the app "/system/app mover" from Fdroid to convert to user apps and uninstall them. Also, if rooting is not your cup of tea, you can install AppOps software to freeze all those apps that you don't use regularly. Also, I couldn't patch my services.jar for Signature Spoofing with Nanodroid patcher in the most recent lollipop firmware, but it did work in Marshmallow... anyway I'll do it manually.
ARE YT3-X90F AND YT3-X90L FIRMWARES INTERCHANGEABLE?
I own a WiFi only device (YT3-X90F) so I can't assert they are interchangeable. If I owned the LTE version and used a WiFi firmware I would expect to lose LTE functionality. Now, the other direction is more interesting because I've been using a LTE firmware version for weeks (as a matter of fact, the one joesnose linked in his How-To debrick this tablet, flashed with the instructions I posted for advanced users; it even updated to recent 2020 firmwares). The only tweak you need for this to work well is to add "ro.ril.disable=1" in the build.prop file. So, yes, firmware for the LTE version works in the WiFi version but kind of not vice versa.
Spoiler: YT3-X90(FL) UN-DEVELOPMENT
No news here. All capable people interested in developing for this device are all done with Lenovo and their attitude against Open Source. Don't expect your situation to change.
I'm happy to know there are still a couple of developers interested in this device. I won't cite them by linking their names but they are OOEvil and alquez, the first guy is trying to make a Generic System Image (GSI) ROM compatible with our tablet, I don't know the details so I wouldn't go further. Alquez has been active in this thread and, while he is trying to figure out how to build a kernel, he believes the best way to start having some alternative to official Lenovo firmware is by using a firmware kernel (a prebuilt kernel) to, first, build a more up-to-date TWRP recovery.img and from there try to build CyanogenMod 13, which was based on Android Marshmallow 6.0.1. My guess is newer Android versions wouldn't work if we can't build the kernel from source.
PHOTO ALBUM OF YT3/X90Y BIOS
This photo album documenting every screen option in the BIOS of the Yoga Tab 3 Pro may or may not help someone, but it contains a lot of useful hardware information and guidance for those attempting to boot something other than the original Android 5 or 6 firmware. Using these options, which are accessible through F2 at boot with an attached USB keyboard, you could try Linux distributions on the tablet or even attempt to run Windows. @alquez informs it works fine with a recent distro but the mainline kernel is lacking touchscreen and battery support. This is absolutely his work and he asked me to share it. I hope it serves someone. It is hosted in a rather obscure website but it was the only reasonable placeholder I could find for the 321 photos.
Hope this helps someone, I just didn't want to keep it to myself. Have a nice day!
Just remember, if your tablet is 3G capable I strongly suggest that you modify the line "ro.lenovo.tablet=wifi" to "ro.lenovo.tablet=3gdata" and remove the line "ro.radio.noril=true" to your build.prop file in /system. To do this you can use the section Build.prop Editor of the Kernel Adiutor app or you can do it manually if you have already a method to modify system files. If you do not use mobile data at all, you may leave the build.prop as it is, you'll save a lot of battery by using only wifi.
Spoiler: Some old info here, but maybe useful
ONLY FOR TESTING: Cooked ROM, newer TWRP and tweaked kernel
ONLY TRY THESE FOR TESTING PURPOSES, THE TWEAKS ARE ALL SAFE TO USE BUT ONLY FLASH FOR TESTING PURPOSES, PLEASE. FIRST, TRY TO USE FASTBOOT TO BOOT THE boot.img FILE WITHOUT FLASHING: IF IT BOOTS GO AHEAD AND TRY THE OTHER FILES (fastboot boot boot.img). THE TWRP IS NOT AS STABLE AS THE OTHER ONE HERE AT XDA BUT ALLOWS TO USE ZIP COMPRESSION IN BACKUPS. I AM NOT GONNA BE AROUND. IF YOU TRY SOMETHING MAKE A BACKUP FIRST. THIS DEVICE IS MESSY AS F*CK.
I wrote a very detailed guide about these files I uploaded to my Nextcloud that include the newer TWRP-3.0.2, a TWRP flashable Cooked ROM and a separate kernel (boot.img) in case your system is already setup, but the post went to some XDA void and didn't upload. These are based on the YT3-X90L latest firmware, but they work on the X90F model too. The TWRP should work with Lollipop and Marshmallow firmwares.
I can't write everything again, so, the kernel contains better management of RAM and emmc (internal) memory, a 256 MB zRAM space instead of 512 and a more conservative approach to LowMemoryKiller.
The cooked ROM includes the described kernel and debloated apps, it's already rooted with Magisk (you can unroot with Magisk Uninstaller), an updated Busybox build, su.d support (I plan to use it with AFWall+), zipaligned apps, etc. It is for the X90L but possibly works for the other Yoga Tab 3 Pro models. It works for the X90F but it will reboot once after the first boot because the RIL configuration times out. To install the cooked ROM you need to:
0) Know that by doing this you will lose pretty much everything in your tablet. You start from scratch if everything goes smoothly; if not, you could possibly end up with a system without an OS. The usual stuff when you are customizing your system.
1) Boot into TWRP and make a Nandroid backup. IT IS IMPORTANT because @joesnose had problems with a "random reboot" and lost Bluetooth/WiFi after it. I am trying to look into this. The only difference is his tablet has 4 GB RAM and probably a different firmware.
2) Wipe cache, Dalvik/ART, System and Data in TWRP - Wipe, Advanced Wipe menu. If your tablet is encrypted, or in factory firmware you also need to explicitly use the button "Format Data partition" and confirm writing "yes" in the format procedure prompt. You will lose any configuration made to your tablet.
3) Install the superr_stockMM.zip, which is flashable, by selecting the file from your Internal tablet memory, using the Install button in the main TWRP interface.
FOUR IMPORTANT NOTES TO COMMON ISSUES:
If you come from a stock firmware your data partition is encrypted. You need to pass a blank password in TWRP to continue to use the custom recovery. You also need to format data partition before flashing the cooked ROM.
If your tablet is WiFi-only I strongly suggest that you modify the line "ro.lenovo.tablet=3gdata" to "ro.lenovo.tablet=wifi" and add the line "ro.radio.noril=true" to your build.prop file in /system. To do this you can use the section Build.prop Editor of the Kernel Adiutor app or you can do it manually if you have already a method to modify system files. In Lollipop firmware you use "ro.ril.disable=1" instead of "ro.radio.noril=true" to get the same effect: sort of a conversion to WIFI-only tablet from LTE models. I'd argue this is useful to do if you are gonna be without LTE connection/service for long periods of time and I can think a couple of other uses.
Do not use stock Lenovo launcher unless you uninstall Magisk... they are incompatible for reasons I don't care to know and the Launcher will constantly FC (it is a pain in the arse).
If you are still expecting better performance I am sure there are some tweaks left in RAM management but it won't go too much further in 2 GB devices. Instead, you may consider lowering your display resolution and pixel density to something reasonable such as 1400x2240 or even 1200x1920, maintaining the same aspect ratio. To do this you do not need to have root but you need to interact with the tablet using ADB. First change the size of your display:
Code:
adb shell wm size 1400x2240
Then adjust your density:
Code:
adb shell wm density 260
If it is still not enough you can go even further with 1200x1920 and 224; use the same method to go back to stock with 1600x2560 and 300 to 302. This won't need a reboot but will probably cause an inconsistent UI that will lead to FCs and random reboot. You can just reboot after applying these tweaks. Unless you are really sight-gifted you won't notice a lot has changed but you will be dealing with 2.x Mpixels instead of 4.x Mpixels and that will help with your overall performance as well as your battery life, sacrificing a pixel count that most people wouldn't even notice. If you did this correctly, in the next boot sequences you'll notice an offset on the Lenovo orange logo.
It is important to say that your display supports 1600x2560 pixels physically, but I'm assuming the GPU has no dedicated RAM and uses the device's, so, by reducing the quantity of pixels the GPU needs to deal with, the pressure on the device's RAM is also reduced.
EXTRA TIP: If boot annoys you just delete /system/media/boot.wav, bootanimation.zip and shutdownanimation.zip and you'll get a silent boot and the generic android boot animation.
Hope you enjoy your tablet!
TWRP-3.0.2.0- BETA: Again, this is not a flashable zip. Uncompress first and test the recovery system using "fastboot boot twrp_yt3-x90f_beta.img". If everything works for you, you may want to flash it permanently rebooting to bootloader and flashing with "fastboot flash recovery twrp_yt3-x90f_beta.img". Remember I did not test this in Marshmallow yet.
FEATURES:
- Fixed RAM issues (swappiness 10, vfs_cache_size 50 and disabled dynamic low memory killer tweaks and minfree values).
- Reduced zRAM size to only 256 MB.
- Tweaked interactive CPU scheduler to use other than min and max frequencies (but still responsive). The tweaks are based on the Advanced Interactive Governor Tweaks Guide. This may save battery life.
- Max frequency capped to 2.08 GHz (this is not great if you are a gamer). This tablet throttles when using max frequency for a long time, so, to save battery and keep it cooler I tweaked the CPU to run slower.
- Tweaked I/O schedulers to use deadline governor and read ahead cache to 640 kb (used benchmarks to get to this value).
- Force encryption disabled (to avoid applying ionioni script after flashing). Still needs to format data partition. You can encrypt your data partition later through Configuration -> Security user interface.
- Implemented native init.d support (not su.d anymore and no need to root the main OS).
- Busybox updated.
- Rooted with Magisk by default (you can use Magisk uninstaller to unroot).
- Debloated apps. I also deleted Lenovo User Experience Program which was asking for root privileges even when you don't opt in to the Lenovo UE Program at setup wizard. I find this behavior shady.
- Multi-window mode is available in Developer Options and needs to be activated by you. In this mode if an app is compatible with multi-window mode you can double-tap on its title bar to enable Window mode. This function was more transparent in Lollipop firmware but it is still there in Marshmallow firmware if you change the build type to userdebug instead of user in build.prop (that's how I enabled it in the Cooked ROM).
- There are also other tweaks in VM and KSM.
And that's it, I'm not trying to change a lot, only the fundamental issues. But I suggest some other tweaks up there.
Such a shame. I love my Yoga Tab 3 Pro. Great hardware. But the software. Thanx anyway for your work.
Very nice write up. Thanks.
joesnose said:
Very nice write up. Thanks.
You're welcome. Thanks to you, while learning about this hardware your username pops everywhere.
jahfaby said:
Such a shame. I love my Yoga Tab 3 Pro. Great hardware. But the software. Thanx anyway for your work.
It really, really sucks. Let's hope something interesting happens after these strange and recent updates.
CENTSOARER said:
V1: The zip named boot_mod_mm.zip is based on the latest boot IMG provided by Lenovo. You need to first uncompress and flash it using fastboot (this is not a TWRP flashable zip). If you are uncomfortable flashing, you can test it only by issuing "fastboot boot boot_mm_march20_mod.img" once uncompressed, or, if you feel fine using it you can flash it permanently by using the command "fastboot flash boot boot_mm_march20_mod.img". This boot IMG will only work with Marshmallow firmwares in both YT3-X90(FL).
FEATURES:
- Fixed RAM issues (swappiness, vfs_cache_size and low memory killer tweaks).
- Reduced zRAM size to only 128 MB.
- Tweaked interactive CPU scheduler to use other than min and max frequencies (but still responsive). This saves battery life.
- Max frequency capped to 2.08 GHz (this is not great if you are a gamer). This tablet throttles when using max frequency for a long time, so, to save battery and keep it cooler I tweaked the CPU to run slower.
- Tweaked I/O schedulers to use deadline governor.
- Force encryption disabled (it's unnecessary to apply ionioni script now). Still needs to format data partition. You can encrypt your data partition later through Configuration->Security user interface.
Thanks for this. Going to take it for a spin.
joesnose said:
Thanks for this. Going to take it for a spin.
Please, please provide feedback and don't forget to wipe caches.
alquez said:
"No news here. All capable people interested on developing for this device are all done with Lenovo and their attitude against Open Source. Don't expect your situation to change."
https://github.com/intel/ProductionKernelQuilts this repository contains patches necessary to create base 3.14.55 and 3.14.64 uefi/cht-m1stable kernel tree. The same tree that was butchered by Lenovo in their OPEN_SOURCE "release".
Check this file https://github.com/intel/ProductionKernelQuilts/blob/master/uefi/cht-m1stable/ChangeReport.md and the WW24 part in the "YT3-X90F_ENG_S100265_1601281130_WW24_ROW" will become more clear
Quilt manual: https://elinux.org/images/7/74/Maintaining_Multiple_Android_Linux_Kernels_at_Intel.pdf
If someone would be looking for a good piece to start: the best would be to recreate 3.14.55 or 3.14.64 from the quilts, use the x86_64 defconfig and build a kernel which can be booted. In order to test this, the best solution is to repack TWRP with the new kernel and do "fastboot boot" without flashing, until it boots and the touch screen is working. There's no other way i'm afraid.
I have prepared complete photo documentation of UEFI Bios, i can share, currently moving to different google photos account. Its over 300 photos.
Please, set up a Discord channel if you want to proceed. The first month will be quite boring and daunting because it's going to be build -> repack -> boot -> rant
In my defense, when I wrote that sentence was after taking a peek on your github profile, I figured you were just done with the Yoga Tab 3 Pro. I am really, really glad you're still trying and I recognize you are very capable of changing things for this device. I appreciate the sources you link but I am afraid I am useless as a developer, partly because of a lack of time and partly because of a lack of adequate training. I will try to help as much as I can, though. Thanks for the post.
alquez said:
No worries, however if anyone is interested how to actually crunch this one: we have a working prebuilt kernel which can be pulled off the boot image, and we have a working TWRP, however it looks like TWRP wasn't actually built from source, but cooked using android kitchen so we're still missing a device tree, which in my opinion is a good place to start, because you can use prebuilt kernel to build recovery and lineageos/aosp (it's deprecated but we're talking about android 6 aka cm-13.0/lineage 13.0). If I can create a most basic device tree which is capable of building recovery from scratch using binary kernel and modules, I'd say we're good, because the next part would be adding more binary blobs from the official software, and we can skip the kernel source part for now (until we have lineageos build 13 working). I started experimenting on xiaomi latte tree because it wasn't split like Z00A. It's not gonna be a proper port but it should work for now (I think)
@joesnose did you cook or compile TWRP? It's important
Ok, I'm at the stage where I have two folders. The one is unpacked working TWRP, the other one is unpacked compilation I'm building, which means I'm able to build TWRP from source with binary kernel, but it's not working yet. The goal is to make the left one look like the right one by adjusting various parts in BoardConfig.mk and copying files. If someone has right partition sizes for BoardConfig.mk that would be really helpful, the values I calculated suck and don't boot yet
Uhmmm, I've been there and took some notes with some "GNU shell Fu". What sizes are you using right now?
And regarding the WW part of the name I've noticed the recent updates are marked as WW17 opposed to WW28 which was the latest stable with any changes. Any idea why Lenovo used WW17 to update the Yoga Tab 3 Pro recently?
alquez said:
update, ive managed to boot vanilla android-x86 x64 6.0.1 build without touching the kernel yet and different TWRP (3.1.1.0) with kernel swap
Geez, I was excited because I read Ubuntu booted on this hardware but then I realized it was the Yoga 3 tablet but not the Yoga Tab 3, goddamnit. Keep up the good work!
alquez said:
Um Ubuntu 20.04 boots with working accelerometer so the screen rotation works + wifi, and probably audio i forgot to play youtube video, the stuff missing is battery, touchscreen and projector.
To test it you need to connect a usb hub using usb otg, put ubuntu and a keyboard in the hub, boot, and press f2 really fast if you haven't enabled slow boot yet. You can even boot Xubuntu to ram and remove flash drive. It's a pc architecture after all and most of the processor related stuff is in the linux mainline since 4.11
Recently i was checking why the Windows 10 installer crashes on ACPI Error.
Oh, I will have fun doing this kind of stuff at the end of the year. It must run swiftly with i3, provided you won't get touchscreen support.
alquez said:
Getting TS and a battery running is mandatory, the next is the projector. The rest is pretty much working. I'm building generic celadon x86 atm and the beast is huge, it's like 18% now after two hours on -j8 on i7. Maybe we can give this old monster a new life
edit:
And i need to add 480gb drive ;/
Code:
/dev/sdc1 229G 210G 6,7G 97% /home/android
I am afraid those are the peripherals that will keep you in 3.14.55/64 Linux, at least for a while , unless you know something more (wouldn't be surprised).
Are those GB for source code or for cache? Both? Jesus... the thing is huge but reading the unpacked boot.img makes much more sense now.
It was ionioni who made the twrp for the device. I don't have the foggiest how he did it.
---------- Post added at 01:23 AM ---------- Previous post was at 01:18 AM ----------
Wow! I missed lot, looks like you have made some serious progress here. very well done.
alquez said:
I contacted my friend and he told me to compare these two folders:
https://github.com/alquez/lenovo_yt...l/cht/arch/x86/platform/intel-mid/device_libs
https://github.com/torvalds/linux/tree/master/arch/x86/platform/intel-mid/device_libs
the new files in "lenovo tree" are the modules we're after, mostly and it's a place to start
I need to ask inioni about twrp.
I will guess it was ported from the Yoga Tab 2. I will edit this post soon.
alquez said:
Nice! There's big chance the modules are reused somewhere. We can compare these. I think the two folders in
https://github.com/alquez/lenovo_yt3_x90_osc/tree/master/kernel/cht/drivers/input/touchscreen
which are missing from vanilla tree are two separate drivers and one is for "any pen" driver. Can you ask someone porting modules recently to help us refresh my memory
[edit]
I've got in touch with TeamBliss of BlissRoms, they are working on cherrytrail tree
Nah, I couldn't confirm it was ported. A lot of posts were removed when XDA enforced the GPL measures to its developers.
About BlissRoms, it just makes sense they are working on Cherry trail. I hope you and those guys can achieve something soon. I mean, it's a 2 GB RAM device but the display, projector and dolby audio system are worth for a better fate than Lenovo's plans.
alquez said:
4GB of ram 4 cpu cores, Hardware virtualization support, fast gpu and fast emmc memory. It's a beast, way ahead of its time.
Well, I have the 2 GB RAM model, so my expectations are conservative. Anyway, don't believe I'm a hardcore user, so it's plenty enough for me, considering I won't even flash Google apps. I am now settled with Lollipop, since I need apps not getting killed by damn Doze. It is a shame how OEMs can limit a device like this one. Crond, init.d, bad zRAM, shell, even busybox... frequently the OS is crippled. I read somewhere Doze can be disabled in build.prop or something but one thing I just hate is the recents screen in Marshmallow firmware (my God, is terrible!) and can't be easily changed for something like OmniSwitch. I mean, for a mobile device you have an unusual architecture, why limit it further? Damn, I wish BlissRoms come up with a working build.
Hey, @alquez, have you tried Linux 5.7 on the tablet? I saw this article and seems like the touchscreen may work with the next mainline kernel release. I mean, right now is on RC7, should be stable enough to compile and try (I'd try it, but can't get to my workstations thanks to the virus).
EDIT: Ah... I was looking into my device and it comes with a HiDeep touchscreen (cat /dev/input/event3), the linked news is for the Goodix driver / devices. At least, I guess, it will attract others to this platform... anyway, I was wondering and also confused, shouldn't touch screen work with the hideep driver using this config already?
Thanks for the new feel.
This is great, glad to see a developer picking up this tablet. It's a fine machine with an unfortunately small user base and has never really seen any development apart from ionioni s efforts and he didn't even own one, lol.
Edit: *Thank for the new twrp * auto correct!
I love this device! For me it's the perfect device for vacation just because of the projector!
I am so happy that you guys are working on it again. the ram and display tweak works like a charm for me. Had to reset my background screen though
thx for all your help. As soon as you guys have light rom, i'll install it on my 2GB device.
hello how to flash your twrp please ?
can someone upload adb drivers for the yt3-x90f please ? because i try to flash in dnx fastboot mode but commands don't work, even "fastboot devices" don't show me the yoga tab 3 pro

YT9213AJ 2gb/16gb rooting/recovery

Do not blindly flash this device without knowing what you are doing. While the device is hard to brick in general, it is very easy for someone new to brick it by flashing the wrong partitions.
I will write a generalized tutorial that will cover the basics and hopefully make everyone feel better about flashing the device. At first I was skeptical but after understanding everything, I have to say it really isn't that bad, and I am here doing all the leg work for these fake 2gb (its really 1gb ram) and 16gb hdd
OK I am going to try and put all of this information in one place because these units say android 10 or 10.1 but in reality (per cpu-z) they are android 9 with api of 27 (will double check to be sure). This unit says it is 2gb ram but it is indeed 1024 MB (1 GB). I am not sure if the other custom firmware dumps from 1gb yt9213aj models will work without problems on these yt9213aj units that say 2gb.
In order to try anything you need to first make a scatter file for your unit. I messaged the manufacturer of my unit for a firmware and they sent it. I unzipped it and looked at the scatter file and it is of a different formatting than one that comes from mtk droid tool.
So, mtk droid tool doesn't work with OS versions 9 or higher. It is the problem of adb. But we can follow this guide https://forum.xda-developers.com/t/...not-revealed-error-in-mtkdroid-tools.3582571/ and get it to work.
Once you have your device connected and recognized in droid tools you should first create the scatter file, as this is the most important step to do a full readback in SP flash tools.
Once you have a backup, you are in the clear for the most part. I am still trying to figure out how to backup preloader and etc if possible.
Now you will also need to connect some kind of wire or some small buttons taken from something disassembled. Just something that you can use as a mock button because there is no hardware button on the device for up/down and OK and you cannot use the touch buttons. So you need to short these traces while in recovery in order to get further.
The main point of this thread is to update the existing ones and to add tools and stuff needed in one location because it has taken me over 5 days to search for all of this, and I am still not done, so let's make it a little easier on the newcomers because the last thing we want to do is brick each other's devices by using old outdated guides that don't fully work.
Flow chart of process: install mtk droid tools and sp flash tools ->enable oem debugging and oem unlock on device -> follow guide to get mtk droid tools to work -> get scatter file using mtk droid tools -> make a full readback in sp flash tools -> solder wires/buttons onto test points -> boot to fastboot and unlock bootloader -> fastboot flash recovery <image name> -> boot into recovery and install root and/or custom firmware.
Anyone more skilled knows any better?
This post is a WIP and will be updated periodically as I source information. The main idea behind this post is to bring all resources for yt9213aj in one spot. There is plenty of information, its just very hard to navigate especially for someone new to flashing these devices, and even worse to someone who has never flashed any device
OK after trying what seems like 300 twrp's I finally found one that does work with this device. I think the main difference here is that the board is a new revision and some arch changes caused older versions that were ported to not work. This one booted right into it but was in russian, which is easily fixable within the twrp gui.
I will add all of these files to the op when I have collected everything.
I do not think that this version board I have has hifi? Maybe I am mistaken? I have an audio glitch at 19-20 when playing music, the sound will get louder and sound good for a fraction of a second then return to sounding ****ty. So I will look into this more. What sucks is that there are so many of the same **** that doesn't work for this model so its like... I would rather gargle gasoline than have to sift through forums that were translated on the fly
Anyway here is the twrp for this particular device - https://www.dropbox.com/s/vogg7854a7ln2zu/twrp-9213aj.img?dl=0
EDIT: also you can boot to fastboot (adb reboot bootloader) and use fastboot getvar all to get factory partition sizes that's needed to create scatter file (you will need to use a hex calculator to create it, or wait for me to upload my scatter file once I have it done). You need to be making dumps in sp flash tool way before you are ever writing anything. Make plenty of readbacks and get to know how to read it before you write anything. Blindly flashing is not what you really want to do lol
Mtk drivers for pc
to install, you will need to disable signature verification and I had to turn on test signing as well
I have successfully rooted this thing. I did encounter something kind of strange though. When I patched the boot.img I had from the device and the one I got in ota update and patched with magisk. When I booted and checked the root with magisk it said there was an unsupported root using su already. It did this for both boot.imgs.
Anyone ever heard of this on stock firmwares? I am able to grant root permissions to busybox and etc so it seems to be working OK. Maybe the root that is there is the chinese root for backdoor tracking and surveillance xD
Wonder how to see what unsupported su commands are being sent?
EDIT: i also took a lot of pictures of the board. It is yt9213aj v1.2 board. I will update the original post in the few days with everything needed for this model including testpoints etc. The test points are a little different but its pretty much the same. The only two you need in the end are the two bigger ones (for unlocking bootloader) then your set. You could drill some holes and run wire down to the trace and put some hardware buttons for the mcu to use to select things in fastboot and official recovery.
There is also another port/connector on this thing above the touch sensor board. I think we could buy a ribbon cable to connect here and run it to another board with hardware button. Actually I think the connector is for hardware buttons specifically but I don't know for sure. Must do more research
These things are rooted from the factory. When I try to use magisk it says there is another unsupported su. The Unsu.zip floating around cures that. Then you can install magisk.
Also another thing about these things being prerooted... I think you can dump and flash without any extra sp flash tools or mtkdroid. I was dumping the partitions using the adb pull function: "adb pull /dev/block/platform/soc/11230000.mmc/by-name/<insert partition name here>" and "/dev/block/mmcblk0pxx", where xx is the specific partition to read/write to.
I had got a scatter.txt in the ota update I obtained from the manufacturer which had all the partition layouts. I used this and a log from a failed supersu.zip install to create a scatter.txt for this particular device. The supersu log can be obtained by trying to flash the supersu zip in recovery, then in adb just pull the log file: adb shell cat /tmp/recovery.log. Once you have this, you will have to use brain.exe to make your own scatter for sp flash tools.
All in all its pretty easy to actually root the device, and they are actually rooted from the factory, most likely for some functions within the os to work (like surveillance and spying xD) but that can easily be removed with the unsu.zip then install magisk.
I will be writing up a guide for this specific model in a few more days. If you read this thanks for listening to the rumbling of a mad man
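The posts above report a factory-installed su that Magisk flags as unsupported. One way to see what is actually shipped in /system is to save a recursive listing and flag su-named entries and setuid/setgid files. This is an added example, not code from the thread; the listing below is constructed, the toybox `ls -lR` column layout and the `SU_NAMES` set are assumptions.

```python
import re

# Constructed sample of `adb shell ls -lR /system` output (toybox layout assumed:
# mode, link count, owner, group, size, date, time, name). Not from a real unit.
SAMPLE_LISTING = """\
/system/bin:
total 5120
-rwxr-xr-x 1 root shell   71936 2019-03-01 10:00 app_process32
lrwxrwxrwx 1 root root       15 2019-03-01 10:00 su -> /system/xbin/su
-rwxr-xr-x 1 root shell  387112 2019-03-01 10:00 toybox

/system/xbin:
total 2048
-rwxr-xr-x 1 root shell 1165484 2019-03-01 10:00 busybox
-rwsr-sr-x 1 root root    75348 2019-03-01 10:00 su
-rwsr-x--- 1 root shell   18232 2019-03-01 10:00 vendor_helper
"""

# Assumption: file names treated as su binaries; extend for your firmware.
SU_NAMES = {"su", "daemonsu"}

ENTRY_RE = re.compile(
    r"^(?P<mode>[-dlcbps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def parse_listing(text):
    """Yield one dict per file entry, tracking the 'dir:' headers of ls -R."""
    current_dir = ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("/") and line.endswith(":"):
            current_dir = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # 'total N', blank lines, unparsable rows
        name = m.group("name")
        if m.group("mode")[0] == "l":
            name = name.split(" -> ", 1)[0]  # drop the symlink target
        if name in (".", ".."):
            continue
        yield {"path": f"{current_dir}/{name}", "name": name,
               "mode": m.group("mode"), "owner": m.group("owner")}


def audit(text):
    """Return (path, mode, owner, reasons) for entries worth a closer look."""
    findings = []
    for entry in parse_listing(text):
        mode = entry["mode"]
        if mode[0] not in "-l":  # regular files and symlinks only
            continue
        reasons = []
        if entry["name"] in SU_NAMES:
            reasons.append("su-like name")
        if mode[3] in "sS":  # owner-execute slot carries the setuid flag
            reasons.append("setuid")
        if mode[6] in "sS":  # group-execute slot carries the setgid flag
            reasons.append("setgid")
        if reasons:
            findings.append((entry["path"], mode, entry["owner"], reasons))
    return findings


if __name__ == "__main__":
    for path, mode, owner, reasons in audit(SAMPLE_LISTING):
        print(f"{mode} {owner:<6} {path}: {', '.join(reasons)}")
```

Running the same audit on a listing taken before and after flashing the unsu zip shows which entries the cleanup actually removed.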
Just discovered another problem. When I try to edit anything in /system it says it's read only. Mounting it or remounting it shows as successful with no errors, but something is blocking it from mounting as system. I am trying to rename this audio_effects.conf and it won't let me. I think it might be some proprietary code in the kernel designed to block mounting or remounting of certain or all partitions.
I think that a lot of them are software locked, like the fader and balance and volume level. Notice how some of these have glitches when turning the volume up and down. I think that there is some code that disables some functions of higher end units, depending on the model. If you buy a cheaper 100 dollar head unit, maybe it is indeed just software locked down.
I know for a fact the spec sheet for the amp chip in my head unit, YD7388, says 4 channel. But my device is only 2 channel, no fader. Also the spec sheet says it needs no output capacitor but mine has one I think (there is a huge capacitor soldered next to the chip). I have some pics of the board and test points and chip markers etc. Once I have everything ready I will make a nice guide
Wow I think I found the reason this thing outputs as 2 channel on 4 speakers. I need someone with a real 4 channel version to message me so I can get a few files for comparison. If this is the case, a simple magisk module would fix the fixed 2 channel problem we have. In the audio_policy_configuration.xml they have all output set as
XML:
<devicePort tagName="FM Tuner Out" type="AUDIO_DEVICE_OUT_FM" role="sink">
    <profile name="" format="AUDIO_FORMAT_PCM_16_BIT"
             samplingRates="44100" channelMasks="AUDIO_CHANNEL_OUT_STEREO"/>
</devicePort>
I wonder if you set AUDIO_CHANNEL_OUT_STEREO to multichannel or maybe like "AUDIO_CHANNEL_OUT_QUAD" as described in the official android docs, I wonder if that would enable true 4 channel (or 5.1)?
If someone has a real 4 channel stereo and it is around the model of yt9213aj, then send me a message so we can collaborate. If you are not rooted do not worry I will help you
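For the file comparison the post asks for, the channel masks of every devicePort in two audio_policy_configuration.xml files can be extracted and diffed as below. This is an added example, not code from the thread; both embedded configs are constructed (only the "FM Tuner Out" entry mirrors the snippet quoted above, and the "Speaker" port and the 4-channel variant are hypothetical), and it says nothing about whether the hardware honours a changed mask.

```python
import xml.etree.ElementTree as ET

# Constructed template: the FM Tuner Out port is the one quoted in the post,
# the Speaker port and the surrounding module are hypothetical.
TEMPLATE = """<audioPolicyConfiguration>
  <modules><module name="primary"><devicePorts>
    <devicePort tagName="FM Tuner Out" type="AUDIO_DEVICE_OUT_FM" role="sink">
      <profile name="" format="AUDIO_FORMAT_PCM_16_BIT"
               samplingRates="44100" channelMasks="AUDIO_CHANNEL_OUT_STEREO"/>
    </devicePort>
    <devicePort tagName="Speaker" type="AUDIO_DEVICE_OUT_SPEAKER" role="sink">
      <profile name="" format="AUDIO_FORMAT_PCM_16_BIT"
               samplingRates="48000" channelMasks="{speaker_masks}"/>
    </devicePort>
  </devicePorts></module></modules>
</audioPolicyConfiguration>"""

# Constructed stand-ins for "my 2 channel unit" and "a real 4 channel unit".
STOCK_XML = TEMPLATE.format(speaker_masks="AUDIO_CHANNEL_OUT_STEREO")
QUAD_XML = TEMPLATE.format(
    speaker_masks="AUDIO_CHANNEL_OUT_STEREO,AUDIO_CHANNEL_OUT_QUAD")


def port_masks(xml_text):
    """Map each devicePort tagName to its role, type and sorted channel masks."""
    ports = {}
    for port in ET.fromstring(xml_text).iter("devicePort"):
        masks = set()
        for profile in port.iter("profile"):
            raw = profile.get("channelMasks", "")
            # channelMasks is a comma-separated list in this file format
            masks.update(m.strip() for m in raw.split(",") if m.strip())
        ports[port.get("tagName")] = {
            "role": port.get("role"),
            "type": port.get("type"),
            "masks": sorted(masks),
        }
    return ports


def stereo_only_sinks(xml_text):
    """Output ports whose profiles advertise nothing but stereo."""
    return sorted(
        name for name, info in port_masks(xml_text).items()
        if info["role"] == "sink"
        and info["masks"] == ["AUDIO_CHANNEL_OUT_STEREO"]
    )


def diff_masks(xml_a, xml_b):
    """Ports whose mask lists differ (None = port missing on that side)."""
    a, b = port_masks(xml_a), port_masks(xml_b)
    changes = {}
    for name in sorted(set(a) | set(b)):
        masks_a = a.get(name, {}).get("masks")
        masks_b = b.get(name, {}).get("masks")
        if masks_a != masks_b:
            changes[name] = (masks_a, masks_b)
    return changes


if __name__ == "__main__":
    print("stereo-only sinks:", stereo_only_sinks(STOCK_XML))
    for name, (mine, theirs) in diff_masks(STOCK_XML, QUAD_XML).items():
        print(f"{name}: {mine} -> {theirs}")
```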
