Database Users

[DEV] Using nvflash

Does anyone was able to use nvflash with the A500 ?
All commands returns :
Code:
Nvflash started
rcm version 0X4
Command send failed (usb write failed)
for me.
Drivers and bootloader.bin are Ok.
Any help is welcome.
How i boot in APX mode :
Open a command prompt and type
Code:
adb shell
$ su
# echo 5 > /sys/EcControl/RecoveryMode (where 5 is the number of seconds before it reboots in APX)

They have burned a SBK (Secure Boot Key). This key must be specified with --sbk parameter.
As Acer does not publish this key we are unable to use nvflash.

I have a bootloader.bin from an old leak (intended to be flash with nvflash), with all needed tools (but no SBK parameters in the flash.bat/.sh, so i assume this bootloader is not locked).
Can it be helpfull ?

vache said:
I have a bootloader.bin from an old leak (intended to be flash with nvflash), with all needed tools (but no SBK parameters in the flash.bat/.sh, so i assume this bootloader is not locked).
Can it be helpfull ?
Click to expand...
Click to collapse
Bootloader is locked and encrypted.. the leak sounds interesting. Where did you get this leak from? Can u upload it somewhere e.g. dropbox and send me a link via PM, please? I would like to check the bootloader.bin about it's checksum calculation.

No problem, i'll send you a link in PM.
The file is around 800Mo (containing many games with data), it was the system to present to tablet at the MWC.
Edit : PM sended with a link to the file.

Yay...new toys to play with =D

vache said:
No problem, i'll send you a link in PM.
The file is around 800Mo (containing many games with data), it was the system to present to tablet at the MWC.
Edit : PM sended with a link to the file.
Click to expand...
Click to collapse
can you pm me the link?

vache said:
No problem, i'll send you a link in PM.
The file is around 800Mo (containing many games with data), it was the system to present to tablet at the MWC.
Edit : PM sended with a link to the file.
Click to expand...
Click to collapse
send it to me too

Sended to both of you

Could I get it too?

Cant we try to brute force the sbk?
Sent from my GT-I9000 using XDA App

huxflux2003 said:
Cant we try to brute force the sbk?
Sent from my GT-I9000 using XDA App
Click to expand...
Click to collapse
Its a 128bit key = 2^128 possible keys.. no chance.

So has this leak been useful?
Sent from my HTC HD2 using XDA Premium App

M..N said:
So has this leak been useful?
Sent from my HTC HD2 using XDA Premium App
Click to expand...
Click to collapse
Wow...take it easy there fellah.
At least give them the time to look into it.
I know devs look like machines but they are actually like real humans with normal life's....
Be patient!

they are machines in human form because they are real genius and we all need to respect them.
they are very helpfull.
God Save The DEVs

tryed a few things played with the recovery from the a501 and now im stuck with it... any other recovery fails checksum...

Would you guys send me a copy of bootloader.bin and other interesting files, but not the whole 800 mb please?

thor2002ro said:
tryed a few things played with the recovery from the a501 and now im stuck with it... any other recovery fails checksum...
Click to expand...
Click to collapse
ok i fixed it with a backup of p7 so with this we can confirm that checksums are in p7

another way to boot into APX mode, is turning off the tablet.
push and hold the "reset" button and press power on and wait.. and you get APX enabled as well..
this is the bullitt proof solution as a software solution is not handy if boot or recovery is messed up. anyways we still need the sbk, i guess..

Some experienced DEVs here who want to play with nvflash?
Please PM me.

Full root for A50x ICS 4.0.3[LEAK]. Simple method.

Original article is published on this site and created by ZeroNull and vdsirotkin (4pda.ru).
For A500 and A501 ICS[LEAK] firmware.
How to:
1. The tablet should be already upgraded to stock ICS for A50x (or stock ICS A10x/A510 for other tablets).
2. Download this archive on the computer. Unpack it to any place.
3, On a tablet: "Settings" -> "Applications" -> "Development" -> "USB debugging" switch on.
4. Сonnect the tablet to the computer (Before connection it is recommended to update the driver for a tablet from here: A10x, A50x, A510).
5. Open the directory with the unpacked archive. Execute file: for windows - runit-win.bat; for Linux - runit-linux.sh.
The root is received!
6. Now you will have to install the following programs:
SuperUser APK
Titanium Backup
ATTENTION!
Don't install Busybox! It is already installed and established! If you reinstall it, some programs will become unable to access root permissions!
Change:
The error of final check of receiving root is corrected (The messaging that "root" isn't received, though it was not so)
Support of A510 of tablets is improved
This method uses the 'mempodroid' exploit and some workings out by ZeroNull and vdsirotkin (4pda.ru).
PS: Command "Mount ro/rw" for directory /system (partition) - works perfectly!
PS2: Sorry for the Russian language in the old executable file, the archive has been confused

ZeroNull said:
Original article is published on this site and created by ZeroNull and vdsirotkin (4pda.ru).
For firmware:
Acer_AV041_A500_0.019.00_WW_GEN1
Acer_AV041_A500_0.014.00_WW_GEN1
Acer_AV041_A500_0.009.00_WW_GEN1
How to:
1. The tablet should be already upgraded to ICS 4.0.3[LEAK] for A500.
2. Download this archive. Unpack it to any place.
3, On a tablet: "Settings" -> "Applications" -> "Development" -> "USB debugging" switch on.
4. Сonnect the tablet to the computer.
5. Open the directory with the unpacked archive. Execute file: for windows - runit-win.bat; for Linux - runit-linux.sh.
The root is received!
6. Now you will have to install the following programms:
SuperUser APK
Titanium Backup
ATTENTION!
Don't install Busybox! It is already installed and established! If you reinstall it, some programs will become unable to access root permissions!
This method uses the 'mempodroid' exploit and some workings out by ZeroNull and vdsirotkin (4pda.ru).
PS: Command "mount -o remount,rw /system" for directory /system (partition) - works perfectly!
Click to expand...
Click to collapse
I wrapped something like this up into a GUI ages ago Perhaps I'll make a linux & mac one at some point too. My GUI installs Superuser and allows the user to install Trebuchet, FaceLock (currently buggy) and other tweaks: http://forum.xda-developers.com/showthread.php?t=1520469

blackthund3r said:
I wrapped something like this up into a GUI ages ago Perhaps I'll make a linux & mac one at some point too. My GUI installs Superuser and allows the user to install Trebuchet, FaceLock (currently buggy) and other tweaks: http://forum.xda-developers.com/showthread.php?t=1520469
Click to expand...
Click to collapse
Ok. Read:
blackthund3r said:
exodusevil said:
You are wellcome! And if possible help me grow here in XDA using "Thanks button" (it's free lol).
Well, about the root is the same here, I can see superuser and su, and can go to shell and call #
But, when I try (for example) create a directory inside system the message "ready only" appear.
But it's my firts time trying to use root. Any help will be very glad!
Regards,
Click to expand...
Click to collapse
Simply fire up ICS Root and click "Remount /system rw" In the "Remount Tools" menu
Once you get the success message, feel free to unplug your tablet and play around with the system folder as you see fit
Click to expand...
Click to collapse
My method work "as it should".

ZeroNull said:
Ok. Read:
My method work "as it should".
Click to expand...
Click to collapse
How exactly?! Surely you'd need a patched kernel for that. The bash scripts in the zip file are incredibly complicated

Aw com'on. One of you guys install the full 500 ICS, and see if this works!
Then see if you can push a recovery image.

blackthund3r said:
How exactly?! Surely you'd need a patched kernel for that. The bash scripts in the zip file are incredibly complicated
Click to expand...
Click to collapse
Are you absolutely sure?

I just flash my Acer A500 with Acer_AV041_A500_0.019.00_WW_GEN1
This method works with my. I can use titanium backup and superuser. Thank you!
But I don't know how to test push a recovery image.
below is my way to root.
I use windows Vista.
1. On a tablet: "Settings" -> "Development" -> "USB debugging" switch on.
2. Сonnect the tablet to the computer.
3. Unpack the files. then put ICS_rooting folder in c:\ (I try unpack in other place not work)
4. then run runit-win.bat by run as adminstrator.
Done

This seemed to work for me on Acer_AV041_A500_0.009.00_WW_GEN1
Thanks a lot.

I have installed Acer_AV041_A500_0.019.00_WW_GEN1 and aquired root using this method.
I will try to push CWM or RA recovery.
The root access works perfectly. I just deinstalled all acer bloatware and other stuff.
Edit:
The strange part was, I could not get the ADB interface working on my laptop. When I switched my Acer from MTP (Media Device) to PTP (Camera device), found in storage settings, the ADB interface showed up in my device list under Windows 7. Then after a driver install, it worked perfectly.
When I switch back to MTP, the ADB interface disappears again.

Ping192 said:
I have installed Acer_AV041_A500_0.019.00_WW_GEN1 and aquired root using this method.
I will try to push CWM or RA recovery.
The root access works perfectly. I just deinstalled all acer bloatware and other stuff.
Edit:
The strange part was, I could not get the ADB interface working on my laptop. When I switched my Acer from MTP (Media Device) to PTP (Camera device), found in storage settings, the ADB interface showed up in my device list under Windows 7. Then after a driver install, it worked perfectly.
When I switch back to MTP, the ADB interface disappears again.
Click to expand...
Click to collapse
Maybe a reboot on the win system?

Moscow Desire said:
Maybe a reboot on the win system?
Click to expand...
Click to collapse
Hehe. I tried several windows installations. I think something is wrong with my acer. Like this, I have several strange things, like never get a fast fix on GPS. Whatever fix or GPS.conf I use... But it makes it challenging to het it working again

Pushing a custom recovery fails atm. I even get an error flashing the unlocked bootloader.bin
Code:
Loading bootloader...
Nvflash started
rcm version 0X20001
System Information:
chip name: t20
chip id: 0x20 major: 1 minor: 3
chip sku: 0x8
chip uid: 0xxxxxxxxxxxxxxxxxxxx
macrovision: disabled
hdcp: enabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 0
device config fuse: 0
sdram config strap: 0
sending file: bct.bct
- 4080/4080 bytes sent
bct.bct sent successfully
odm data: 0x300d8011
downloading bootloader -- load address: 0x108000 entry point: 0x108000
sending file: bootloader.bin
| 1192188/1192188 bytes sent
bootloader.bin sent successfully
waiting for bootloader to initialize
bootloader status: success (code: 0) message: flags: 1073840124
[COLOR="Red"]bootloader failed NvError 0x0
command failure: bootloader download failed[/COLOR]
All other nvflash commands fail afterwards.
After this command, the tablet enters "Entering OS download mode" with the acer logo in the middle.

Just update to Acer_AV041_A500_0.022.00_WW_GEN1.
After update Lost root. But use this method then got root again.
Thank you.

It didnt work for my acer, I meant it wasnt fully rooted. I saw superuser but when in Acer Receovery Installer, it says that Bootloader version 0.03.11-ISC is locked or something. Now I cant install any other rom as it got stucked at boot screen (receovery mode) with a message "Recovery verified failed". Anyone, please help me.
I need to use USB 3G on this tablet with this ISC or please help me downgrade to 3.2.1.
Many thanks

Jamesbond007vn said:
It didnt work for my acer, I meant it wasnt fully rooted. I saw superuser but when in Acer Receovery Installer, it says that Bootloader version 0.03.11-ISC is locked or something. Now I cant install any other rom as it got stucked at boot screen (receovery mode) with a message "Recovery verified failed". Anyone, please help me.
I need to use USB 3G on this tablet with this ISC or please help me downgrade to 3.2.1.
Many thanks
Click to expand...
Click to collapse
Take a look at my A500 APX Flash Tool with the patched bootloader, recovery and kernel package. That will get you ClockworkMod. To downgrade take a look at Timmydean's 3.2.1 downgrade package

Hi, will it work on ACER_AV041_A500_1.031.00_WW_GEN1 ?

CaH9 said:
Hi, will it work on ACER_AV041_A500_1.031.00_WW_GEN1 ?
Click to expand...
Click to collapse
+1 to this anyone try it yet and is their a simple way to unroot ics I need to send unit to Acer but its damaged so till its fixed I want root back!
Sent from my A500 using Tapatalk 2

I can confirm, that it works with ACER_AV041_A500_1.031.00_WW_GEN1 too

+1

How about the unroot part of things anyway to do that? For peeps that need warranty related things to be done?
Thanks
Sent from my A500 using Tapatalk 2

Possible Nvflash key found

I'm not trying to get my hopes up too high but i think i might of got my partial SBK.I was reading this guide i found on recovering it and decided to try it.
http://forum.xda-developers.com/showthread.php?t=1751978
This is what i came up with on my phone:
0x00000012a33080
Basically most of it seems correct besides all the zeros at the beginning.Not really sure why it won't connect the key in nvflash.Any ideas?When i run it in the sbcalc program i get something similar to the how it should look from an android device.The tutorial says you should have a 64 bit ubuntu/linux system,but there is an option to change the code for 32 bit.If someone out there that has a 64 bit machine maybe they could try it out:
make sure your phone is plugged into the usb port,and the phone is off.
open a terminal,then sudo su(make sure your root)
then this command watch -n2 lsusb (apx doesnt always show up so this keeps checking until it does)
hold down u+s+b plus power on the phone (sometimes i hold then let go of the power while holding the buttons)
once you see something like (Bus 001 Device 031: ID 0955:7416 NVidia Corp) you are in apx mode(ctrl + c to stop the watch command)
after that you need to make the apx.c file.Go back to this guide and follow the instructions on the top on how to make it.The most important thing to do is to change the code ( 0x0955, 0x7820 ) to whatever it says from the lsusb command.Mine is like this( 0x0955, 0x7416 )Once you make the .apx file just open another terminal (make sure its root)then run ./apx
It should pop out a number similar to mine.If you end up with a code something else besides all those zero at the beginning,then there is a chance it make work when we run it in Nvflash
From there goto this website and enter the code in there (delete the x)
http://a500bootloaderflash.tk/sbkcalc/
It should spit out a code like this: 0x07B91000 0x204AF201 0xD09B1103 0xF768F302
So after that you would go back into terminal (sudo su) then run nvflash like this:
./nvflash --sbk 0x07B91000 0x204AF201 0xD09B1103 0xF768F302
If were lucky then it should pop up a whole bunch of info.My hope is that someone will know a little bit more on what i might be doing wrong with the code to get this working correctly.I believe it must be doing something though as it will only display that code when in apx mode.It's getting late over here and spent too many hours trying to figure this out tonight.lol.Let me know if anyone needs help.Good luck.

update
I setup another computer with ubuntu 12.04 x64 and configured a new apx file once again:
0x00fcfe12a33080
It looks like i got closer but still need 15 digits past the 0x to make a correct SBK.Nvflash wasnt having anything i tried so far.I'm still looking for a way to fix this.

Keep up the good work. Glad to see some love coming back to the kin
Sent from my DROID RAZR using xda app-developers app

I found some new commands off a older version of nvflash i was using :
nvflash action [options]
action (one or more) =
--help (or -h)
displays this page
--cmdhelp cmd(or -ch)
displays command help
--resume (or -r)
send the following commands to an already-running bootloader
--quiet (or -q)
surpress excessive console output
--wait (or -w)
waits for a device connection (currently a USB cable)
--create
full initialization of the target device using the config file
--download N filename
download partition filename to N
--setboot N
sets the boot partition to partition N
--format_partition N
formats contents of partition N
--read N filename
reads back partition N into filename
--getpartitiontable filename
reads back the partition table into filename
--getbit filename
reads back BIT into filename
--getbct
reads back the BCT from mass storage
--odm C Data
ODM custom 32bit command 'C' with associated 32bit data
--go
continues normal execution of the downloaded bootloader
options =
--configfile filename
indicates the configuration file used with the following commands:
--create, --format_all
--bct filename
indicates the file containing the BCT
--sbk 0x00000000 00000000 00000000 00000000
indicates the secure boot key for the target device
--bl filename
downloads and runs the bootloader specified by filename
--odmdata N
sets 32bit customer data into a field in the BCT, either hex or
decimal
--diskimgopt N
sets 32bit data required for disk image convertion tool
--format_all
formats all existing partitions on the target device using the config file,
including partitions and the bct
--setbootdevtype S
sets the boot device type fuse value for the device name.
allowed device name string mentioned below:
emmc, nand_x8, nand_x16, nor, spi
--setbootdevconfig N
sets the boot device config fuse value either hex or decimal
--verifypart N
verifies data for partition id = N specified. N=-1
indicates all partitions
Intended to be used with --create command only.
--setbct
updates the chip specific settings of the BCT in mass storage to
the bct supplied,used with --create, should not be with --read,and
--format(delete)_all,format(delete)_partition,--download, and--read
--sync
issues force sync commad
--rawdeviceread S N filename
reads back N sectors starting from sector S into filename
--rawdevicewrite S N filename
writes back N sectors from filename to device starting from sector S
--updatebct <bctsection>
bctsection should refer to the section of the bct we are updating.
Curently we suport updates for following sections
<SDRAM> updates SdramParams and NumSdramSets fields
<DEVPARAM> updates DevParams, DevType and NumParamSets
<BOOTDEVINFO> updates BlockSizeLog2, PageSizeLog2 and PartitionSize
Apart from that i tried everything i could really think of for getting that key.This phone seems to be very locked down and without enough info on the system or where that sbk might be located,i think were back to a dead end again.I know on bitpim there are some files on there that can be downloaded and maybe decompiled or something.(maybe the key is in there)
I was figuring the key would be the same setup as the later tegra devices but i believe its different now.My only guess now is too have someone with a lot of electronics knowledge to find the uart on the board and we could read the nand like that.

[GUIDE] Rooting s3 mini from Linux with heimdall

Hey.
Just wanted to share my rooting experience.
My girlfriend just bought her S3 mini few days ago - and because Samsung Dive sucks balls (can be erased by doing factory reset), I felt the need to root, so cerberus anti-theft (http://cerberusapp.com, try it out, its awesome) could be written to /system (which requires root & survives factory resets).
Because I use Ubuntu Linux, I couldn't use Odin. Also from what I've read Odin reflashes whole phone, including bootloaders, recovery images and so on.
Because I've had XXALJL build originally in my phone, I've used this uk rooted rom as my rooting source.
Also, because the baseband is identical, I only flashed the system image, where /system/bin/su resides.
If you have a different baseband than your rooted image, this guide will not help you and you probably need to either: a) use odin to reflash everything. b) use your brain to figure your what to flash and where.
So here we go!
Flashing
I'm using ubuntu 12.10, 64 bit:
Code:
[email protected]:~/Downloads/rooted# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.10
DISTRIB_CODENAME=quantal
DISTRIB_DESCRIPTION="Ubuntu 12.10"
Code:
[email protected]:~/Downloads/rooted# uname -a
Linux cyrix 3.5.0-21-generic #32-Ubuntu SMP Tue Dec 11 18:51:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
The only thing you should be concerned about is whether you're using 32 or 64 bit OS.
I've used heimdall 1.3.1, because 1.3.2 has issues and I didn't want to risk. Perhaps 1.3.2 or 1.4-RC1 would work just fine too, but I've used 1.3.1 and that did work for me.
Get heimdall 1.3.1 from http://www.glassechidna.com.au/products/heimdall/ (choose 32 bit (i386) or 64 bit (x64) debian package appropriately). Install those. And lets get down to bussiness.
I RECOMMEND RUNNING ALL COMMANDS FROM ROOT USER
Some guides recommend rebooting your pc after heimdall install (it inserts some udev rules). I didn't do that (completely forgot), but do it, just to be on a safe side.
So first step is to determine what partition identifier does your system partition has. Put your device into download mode (power off. Then hold vol down + home + power & click vol up once).
After doing that, connect your usb cable to computer and run:
Code:
# heimdall detect
It should say:
Code:
Device detected
If it doesn't - none of the following commands will probably work.
Then - lets see what our PIT (partition information table? not sure about the acronym) looks like:
Code:
# heimdall print-pit
What we are looking for is system partition. Mine looked like this:
Code:
--- Entry #21 ---
Unused: No
Partition Type: 2 (EXT4)
Partition Identifier: 20
Partition Flags: 5 (R)
Unknown 1: 5
Partition Block Size: 524288
Partition Block Count: 2457600
Unknown 2: 0
Unknown 3: 0
Partition Name: SYSTEM
Filename: system.img
From this we can see that our partition identifier is 20.
So extract the downloaded .rar ROM file, then again, extract rooted.tar and go into that directory. And lets flash our system image (around 900mb).
If everything is fine it should look like this:
Code:
[email protected]:~/Downloads/rooted# heimdall flash --20 system.img
Heimdall v1.3.1, Copyright (c) 2010-2011, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Initialising connection...
Detecting device...
Claiming interface...
Attempt failed. Detaching driver...
Claiming interface again...
Setting up interface...
Checking if protocol is initialised...
Protocol is not initialised.
Initialising protocol...
Handshaking with Loke...
Beginning session...
Session begun with device of type: 131072
Downloading device's PIT file...
PIT file download sucessful
Uploading SYSTEM
100%
SYSTEM upload successful
Ending session...
Rebooting device...
Re-attaching kernel driver...
Do not touch your PC while flashing. Do not move the phone. Do not fiddle with the cables. Hold your breath and wait. If all is fine, the phone should turn off itself. Wait until you get charging screen, then turn it back on.
You should have supersu installed. You can also install terminal emulator and try running su to make sure you have the root.
Congrats on having root!

Great tutorial! Thanks a lot, from a fellow Linux user!

Hi dudes,
I have mi SGS2 soft bricked and I'm trying to recover it.
I've already opened a post here.
The thing is that I have discovered Heimdall by chance.
Fed up with the errors from Odin I decided to try in Linux.
I think my System partition is missing.
Find attached my result for heimdall print-pit.
Hope you can help me.
Regards,
Mario.

thanks for remaind me about heimdall, that was long time since heard about this tool. :beer:

Thanks! (But should I backup something first?)
Thanks, exactly what I was looking for
One quick question: by rooting with Heimdall (on Linux), will I loose all my apps/accounts ? (It will take ages to recover them all..)
(also, where could I get updated as new Heimdall-friendly firmwares become available?)
Thank you again for your time.
arturaz said:
Hey.
Just wanted to share my rooting experience.
My girlfriend just bought her S3 mini few days ago - and because Samsung Dive sucks balls (can be erased by doing factory reset), I felt the need to root, so cerberus anti-theft (http://cerberusapp.com, try it out, its awesome) could be written to /system (which requires root & survives factory resets).
Because I use Ubuntu Linux, I couldn't use Odin. Also from what I've read Odin reflashes whole phone, including bootloaders, recovery images and so on.
Because I've had XXALJL build originally in my phone, I've used this uk rooted rom as my rooting source.
Also, because the baseband is identical, I only flashed the system image, where /system/bin/su resides.
If you have a different baseband than your rooted image, this guide will not help you and you probably need to either: a) use odin to reflash everything. b) use your brain to figure your what to flash and where.
So here we go!
Flashing
I'm using ubuntu 12.10, 64 bit:
Code:
[email protected]:~/Downloads/rooted# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.10
DISTRIB_CODENAME=quantal
DISTRIB_DESCRIPTION="Ubuntu 12.10"
Code:
[email protected]:~/Downloads/rooted# uname -a
Linux cyrix 3.5.0-21-generic #32-Ubuntu SMP Tue Dec 11 18:51:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
The only thing you should be concerned about is whether you're using 32 or 64 bit OS.
I've used heimdall 1.3.1, because 1.3.2 has issues and I didn't want to risk. Perhaps 1.3.2 or 1.4-RC1 would work just fine too, but I've used 1.3.1 and that did work for me.
Get heimdall 1.3.1 from http://www.glassechidna.com.au/products/heimdall/ (choose 32 bit (i386) or 64 bit (x64) debian package appropriately). Install those. And lets get down to bussiness.
I RECOMMEND RUNNING ALL COMMANDS FROM ROOT USER
Some guides recommend rebooting your pc after heimdall install (it inserts some udev rules). I didn't do that (completely forgot), but do it, just to be on a safe side.
So first step is to determine what partition identifier does your system partition has. Put your device into download mode (power off. Then hold vol down + home + power & click vol up once).
After doing that, connect your usb cable to computer and run:
Code:
# heimdall detect
It should say:
Code:
Device detected
If it doesn't - none of the following commands will probably work.
Then - lets see what our PIT (partition information table? not sure about the acronym) looks like:
Code:
# heimdall print-pit
What we are looking for is system partition. Mine looked like this:
Code:
--- Entry #21 ---
Unused: No
Partition Type: 2 (EXT4)
Partition Identifier: 20
Partition Flags: 5 (R)
Unknown 1: 5
Partition Block Size: 524288
Partition Block Count: 2457600
Unknown 2: 0
Unknown 3: 0
Partition Name: SYSTEM
Filename: system.img
From this we can see that our partition identifier is 20.
So extract the downloaded .rar ROM file, then again, extract rooted.tar and go into that directory. And lets flash our system image (around 900mb).
If everything is fine it should look like this:
Code:
[email protected]:~/Downloads/rooted# heimdall flash --20 system.img
Heimdall v1.3.1, Copyright (c) 2010-2011, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Initialising connection...
Detecting device...
Claiming interface...
Attempt failed. Detaching driver...
Claiming interface again...
Setting up interface...
Checking if protocol is initialised...
Protocol is not initialised.
Initialising protocol...
Handshaking with Loke...
Beginning session...
Session begun with device of type: 131072
Downloading device's PIT file...
PIT file download sucessful
Uploading SYSTEM
100%
SYSTEM upload successful
Ending session...
Rebooting device...
Re-attaching kernel driver...
Do not touch your PC while flashing. Do not move the phone. Do not fiddle with the cables. Hold your breath and wait. If all is fine, the phone should turn off itself. Wait until you get charging screen, then turn it back on.
You should have supersu installed. You can also install terminal emulator and try running su to make sure you have the root.
Congrats on having root!
Click to expand...
Click to collapse

pminervini said:
Thanks, exactly what I was looking for
One quick question: by rooting with Heimdall (on Linux), will I loose all my apps/accounts ? (It will take ages to recover them all..)
(also, where could I get updated as new Heimdall-friendly firmwares become available?)
Thank you again for your time.
Click to expand...
Click to collapse
This only rewrites /system partition, while all your apps/accounts are stored in /data. So in theory you shouldn't lose things. However I do recommend you always backup your stuff with `adb backup` before doing this. You can never be too sure.
As for new firmwares - no idea. OTAs should probably work.

Thanks For the other Debian guys out there, I've just found out "adb" comes available for Sid ( packages debian org /sid/android-tools-adb -- there is a similar package in the Ubuntu repos) and requires MTP mode with USB debug on: bernaerts dyndns org /linux/245-ubuntu-precise-install-android-sdk
While the backup goes on (I'm doing "adb backup -apk -shared -all -f 08062013.ab", hope it's right), I'm looking for the right image file.
May this one fit? "Android 4.1.2 XXAMD3 official firmware"
www hotfile com /dl/209515302/bd1d1a3/I8190XXAMD3_I8190OXAAMD3_DBT.zip.html
UPDATE: no it's not, i should look for something fitting GT-I8190N; checking what I can do from OTA..
UPDATE 2: I've found this file: GT-I8190N-BTU-I8190NXXALL6-1356151513.rar ; I'm going to try to push its system.img with heimdall *crossed fingers*
Thank you again for all your help, you're awesome!
arturaz said:
This only rewrites /system partition, while all your apps/accounts are stored in /data. So in theory you shouldn't lose things. However I do recommend you always backup your stuff with `adb backup` before doing this. You can never be too sure.
As for new firmwares - no idea. OTAs should probably work.
Click to expand...
Click to collapse

After a weekend trying to revive the I8190N (at least it was raining..) I tried to sum up my problem with Heimdall here:
forum xda-developers com/showthread.php?t=2317198
pminervini said:
Thanks For the other Debian guys out there, I've just found out "adb" comes available for Sid ( packages debian org /sid/android-tools-adb -- there is a similar package in the Ubuntu repos) and requires MTP mode with USB debug on: bernaerts dyndns org /linux/245-ubuntu-precise-install-android-sdk
While the backup goes on (I'm doing "adb backup -apk -shared -all -f 08062013.ab", hope it's right), I'm looking for the right image file.
May this one fit? "Android 4.1.2 XXAMD3 official firmware"
www hotfile com /dl/209515302/bd1d1a3/I8190XXAMD3_I8190OXAAMD3_DBT.zip.html
UPDATE: no it's not, i should look for something fitting GT-I8190N; checking what I can do from OTA..
UPDATE 2: I've found this file: GT-I8190N-BTU-I8190NXXALL6-1356151513.rar ; I'm going to try to push its system.img with heimdall *crossed fingers*
Thank you again for all your help, you're awesome!
Click to expand...
Click to collapse

Is there any way to make Phone to original Samsung phone with heimdall? Unroot, Stockrecovery etc?

arturaz said:
Just wanted to share my rooting experience....
Click to expand...
Click to collapse
Thank you, arturaz!
Why did I waste so much of my valuable lifetime by trying to get Odin to work on XP/W7 in a VBox?
Gonna donate to Benjamin now. He really deserves a beer or two
BTW: heimdall can be found in the Debian testing branch now. Look out for "heimdall-flash" (Don't be confused by some "heimdal"-packages [only one 'L'], which are something completely different)

Hey I'm using Linux Mint 32bits, I wonder if I can use the ubuntu 32 version for the software Heimdall ? if so, which one ?
Thanks

I'm not sure I understand the question.

Hello,
lov8 said:
Hey I'm using Linux Mint 32bits, I wonder if I can use the ubuntu 32 version for the software Heimdall ?
Click to expand...
Click to collapse
because linux mint and fork ubuntu I would say yes
lov8 said:
if so, which one ?
Click to expand...
Click to collapse
????

Fred6681 said:
Hello,
????
Click to expand...
Click to collapse
Ah! I have the version 1.4 RC1 from the Linux mint repository. I hope this version is stable enough. I will give it a try in a few days .. :-/

Alternatively you can root your phone by flashing a custom recovery using heimdall, then going in recovery mode and installing supersu.
Tested with heimdall 1.40 and TWRP custom recovery, worked fine.
You have just to pay attention and find the right partition id for flashing "recovery.img".

Why no solution to "Device not detected" ?!
Im using Ubuntu 13.10 64, the S3 Mini is in download mode but not seen by Heimdall... any solutions?
Thanks

ateap0tist said:
Why no solution to "Device not detected" ?!
Im using Ubuntu 13.10 64, the S3 Mini is in download mode but not seen by Heimdall... any solutions?
Thanks
Click to expand...
Click to collapse
Which version of heimdall are you using?

Clostry said:
Which version of heimdall are you using?
Click to expand...
Click to collapse
Heimdall v. 1.4

Can you post the output of this commands? With phone in download mode attached ofc.
Code:
lsusb
heimdall detect --usb-log-level debug

heimdall tar gz error
When I try to load the system.img file (from cm10.2_golden.maclaw.20140118.ODIN_TWRP.tar.md5) from heimdall, before beginning to flash, I get the following error: Tar header contained an invalid file size.
I tried to load the uncopressed file too, then the file cm10.2_golden.maclaw.20140119.zip not for odin and I get the same error, what am I doing of wrong?
Thanks

[R&D][UNBRICKING] - Thread for trying to solve the OTA brick problem

Intro
Someone contacted me because of my work unbricking Amlogic tablets and sent me their bricked Nexus 7 2013 32GB Wifi version tablet. I have the same tablet and I’ve been exploring unbricking options and looking at the devices. I have not found a solution yet but I have found a lot of interesting things. I worked on several models of Ainol's AML8726-MX SoC tablets and unbricked them in from various states, including having no signs of life and jumping some pins on the nand chip to get it recognized by the computer. Some tablets had similar problems to the Nexus when the bootloader was corrupted from a bad flash. The internal memory showed as zero in TWRP and the tablets wouldn't boot into the system. Checking debug logs showed the memory chip was not initializing. The Ainol tablets don't have a bootloader with a GUI but they did have a external SD card slot, so the tablet could boot from the SD card and run a "rescue flash". If that didn't work, Amlogic also had low-level USB Burning software to write to the tablet, although special files were needed and flashing was tricky.
I don’t know if we will be able to fix the Nexus tablets with this problem or if they are even fixable with the tools available but I’m providing all this information because I’m working on the problem in my spare time and maybe other people want to experiment with their bricked devices as well. There are a couple obvious routes to explore, one being Qualcomm's QPST and QFIL software, as well as other similar software programs for these chips, like the BoardDiag Tool. Another option is try and boot the tablet from a "rescue card" like I used for the Ainol tablets but to do it through an On-The-Go cable. Even if we don't unbrick any tablets, if anything, at least this thread might provide some documentation on the Nexus 7 2013 that doesn’t seem to be available elsewhere. I’ll keep updating this thread with new info and links to drivers, software, documentation and relevant websites. I’ll post what I’ve updated into the “Updates to this thread” section.
The problem
OTA update bricks device and we get one of the following scenarios:
Users can enter fastboot but can not flash, format or erase anything. Trying to start the device or boot into recovery gets stuck on the Google screen with the lock icon.
Same as above but when entering a recovery like TWRP, device hangs on the TWRP logo screen.
Users can not enter fastboot. Plugging the device into the computer shows QHSUSB_DLOAD in the device manager
Users can not enter fastboot. Plugging the device into the computer shows Qualcomm HS-USB QDLoader 9008 in the device manager
Users can not enter fastboot. Plugging the device into the computer shows Qualcomm HS-USB Diagnostics 9006 in the device manager
In 9006 mode the storage shows as Qualcomm MMC Storage USB Device in the Device Manager
---
Trying to flash or format in fastboot returns the following error:
Code:
FAILED <status read failed <Too many links>>
I’ve figured out a way to boot into TWRP and have started collecting logs and other information about the problem. I’ve also figured out the majority of fastboot oem commands which I’ll list below. The device is not initializing the MMC card when it starts up. In dmesg we can see the error:
Code:
mmc0: error -110 whilst initialising MMC card
Where on a working device we see:
Code:
mmc0: new HS200 MMC card at address 0001
mmcblk0: mmc0:0001 MMC32G 28.8 GiB
In the TWRP log we see:
Code:
[COLOR="Red"]E: Could not mount /data and unable to find crypto footer.
E: Unable to mount ‘/data’
E: Unable to recreate /data/media folder.[/COLOR]
Updating partition details…
[COLOR="Red"]E: Unable to mount ‘/system’
E: Unable to mount ‘/data’
E: Unable to mount ‘/cache’[/COLOR]
...done
[COLOR="Red"]E: Unable to mount storage
E: Unable to mount /data/media during GUI startup
E: Unable to mount ‘/cache’[/COLOR]
Full SELinux support is present.
[COLOR="Red"]E: Unable to mount ‘/cache’
E: Unable to set emmc bootloader message.
E: Unable to mount ‘/cache’
E: Unable to mount /data/media/TWRP/ .twrps when trying to read settings file.
E: Unable to mount ‘/data’[/COLOR]
MTP Enabled
Trying to wipe partitions or flash in TWRP fails because the card isn’t mounted at all and the partition table isn’t being read. Everything is running in the RAM and the only filesystems mounted are rootfs, tmpfs, devpts, proc, sysfs, selinuxfs and tmpfs.
Checking the partition table in fastboot using “fastboot oem gpt-info” does return the same results as a working device though. When booting into TWRP we can see “Nexus 7” as an MTP device but there is nothing on it. In Qualcomm’s 9006 Diagnostics mode we can see the device under disk drives in the device manager as Qualcomm MMC Storage USB Device but it doesn’t show up in Qualcomm’s 9008 Download mode. In disk management we can see it as an Unknown 28.81 GB Unallocated Disk. We can see the same thing in MiniTool Partition Wizard but neither Windows or MiniTool can initialize or format the disk. In HDD Raw Copy Tool the device shows as Qualcomm MMC Storage with a capacity of 30.93 GB. I was unable to write a RAW image of mmcblk0.img using HDD Raw Copy Tool, getting the error “Write Error occured at offset 0 (1)”.
My Working Theory
Looking at both the most recent reports of the OTA brick and past reports, it seems like the problem occurs when there is a bootloader update packaged in with the firmware update. It is possible that the eMMC chip is fried because we've seen bugs in the past but I'm working on the assumption that it is not since the chip is recognized, shows the correct capacity and gets registered it in by the kernel. We can also see that persistent_ram has an uncorrectable error in the header and no valid data in the buffer. This could mean a bad eMMC chip but it could also mean the parts of the bootloader are gone or corrupt. It could also mean the GPT is bad.
We can also see that the device is always booting into ttyHSL0 mode which is the UART Serial Console mode for debugging. I don't know a lot about Qualcomm architecture but I do know that there are several modes including diagnostics, download and emergency download mode. It's possible that the tablet is stuck in one of these modes. I read though some Qualcomm documents and it mentions using the NPRGxxxx.hex file to flash your device but it also mentions that, if the chipset supports it, changing the name of the NPRGxxxx.hex file to eNPRGxxxx.hex "allows you to download new images to a mobile device that has an empty or currupt flash device." That function was implemented in 2008 though and I'm unsure if the implementation has changed at all.
Getting Started
I’m not going to cover any of the basics like installing ADB and Fastboot on your computer. This thread is intended for people who already have a working knowledge of using these tools and want to try and work on the bricking problem. If you are don’t have that knowledge and would still like to experiment with your bricked device you can find lots of tutorials on XDA on how to install and use ADB and Fastboot.
I will mention a couple of things I ran into though. Since I hadn't been working on tablets for a while I wasn't able to use ADB in TWRP at first. I noticed that it only worked if I disabled MTP in the TWRP menu. However, updating the Android SDK solved this problem and the updated drivers allow both an MTP and ADB connected at the same time.
There may also be times when you need to disable Windows Driver Signature Verification to be able to install unsigned drivers. Here is a link showing how to do it temporarily. There is also a way to disable it permanently which I think is to run the Command Prompt as Admin and type:
Code:
bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON
Lastly, you'll probably want to stop Windows from automatically installing drivers for new hardware. You can do that by right clicking on your computer and then going to "properties -> advanced system settings -> hardware -> device installation settings -> no let me choose what to do -> never install driver software from windows update". There are also guides with screenshots on how to do this if you Google it.
---
We can get into a recovery like TWRP by using the fastboot command:
Code:
fastboot boot twrp.img
If booting into recovery fails and the you get stuck on the TWRP logo screen then go back to the bootloader and use the fastboot command:
Code:
fastboot oem reset-dev_info
---
To enter Qualcomm HS-USB QDLoader 9008 “download mode” you can hold down all three hardware buttons when the device is powered off and plugged in. You can also power down the device, hold the Vol+ and the Vol- buttons and then plug in the device. To enter Qualcomm HS-USB Diagnostics 9006 “diagnostic mode” you can press the power button repeatedly then wait around 30 seconds and see if it connects in the device manager. I don’t know what the speed you are supposed to press the button is but it seems to take at least 10 presses, sometimes more. You’ll have to test it out until you get used to doing it.
Tasks
Want to help out? Here are some things I'm working on. There's a good deal of research to do, so even if you don't have a working device you can help. If you have a device that you've totally given up on and are pretty much going to throw out but can still get into the bootloader, test those fastboot oem erase_ commands before tossing the tablet. It will be fastboot oem erase_"partition name". An example is fastboot oem erase_aboot. Just run through them and write down which ones work and which ones don't.
If someone with a bricked tablet has UART off in the bootloader and can boot into TWRP, please check "adb shell cat /proc/cmdline" and tell me if "console=ttyHSL0,115200,n8" is in the commandline. You can check if UART is on or off in the bootloader by using "fastboot getvar all".
Look into other APQ8064 devices to see if files relevant to QPST work. There is a list of devices below that have the same SoC but not the 1AA or FLO tag at the end. Its possible some of these files might work well enough to at least get the memory recognized.
Pull partition table from a working device and format it in partition.bin or partition.mbn for use in QPST.
Try to write partitions pulled from working device back to the tablet in fastboot.
Format partitions from a working device as .mbn files for QPST.
Pull first few raw GB from a bricked tablet and examine it to see if there is data present. If there is then it might mean that those partitions are corrupted and we can focus on writing working partitions back to those location. Try with RAW copy tool and with dd.
Testing QPST software to resurrect the device. Will need more files first, need to structure them as .xml files necessary for the software.
Test "fastboot oem erase_" on other partitions.
Test "fastboot flash" of partitions that aren't normally included in a firmware update, like sb1.img, rpm.img, aboot.img, etc.
General Device Info
Here is a spreadsheet with all the partition info that I've pulled and sorted.
The Nexus 7 2013 is an APQ8064 1AA/FLO Snapdragon 600 series device that is advertised as a S4 Pro. The APQ8064–1AA is the WiFi version and APQ8064-FLO is the LTE version. The ASUS MeMO Pad FHD 10 ME302KL LTE also has the same SoC according to wiki. The platform board is listed as MSM8960 in most of the code.
Here are other devices with an APQ8064 soc but aren't listed as 1AA or FLO:
LG Optimus G
MDP / T
Xiaomi MI-2
Pantech Vega R3
Sharp Aquos Phone Zeta SH-02E
Oppo Find 5
Asus MeMO pad 10 LTE
Asus padfone 2
HTC J Butterfly
HTC Droid DNA
Nexus 4
HTC Butterfly
ZTE Nubia Z5
ZTE Nubia Z5 Mini
ZTE Grand S
Sony Xperia Z
Xperia ZL Sony
Sony Xperia ZR
Fujitsu Arrows S
Sony Xperia Tablet Z
LG Optimus GJ
Nexus 7 2013 Tablet’s Vendor ID is 18d1 and Hexidecimal Syntax is 0x18D1 (used in fastboot). The USB device ID's for different connections are:
Qualcomm HS-USB Diagnostics 9006 (COM3) - USB\VID_05C6&PID_9006&MI_00
Qualcomm HS-USB Diagnostics 9008 (COM4) - USB\VID_05C6&PID_9008
Android Bootloader Interface - USB\VID_18D1&PID_4EE0
Android ADB Interface - USB\VID_18D1&PID_D002
Serial Numbers I've seen are:
Bricked Device - SERIAL NUMBER 2143658709BADCFE ← According to HDD Raw Copy Tool
Bricked Device - SERIAL NUMBER 049973d5 ← According to adb get-serialno
Dumps, Unpacked Partitions and Other Files
Here is a link to a MediaFire folder with various files. So far I have:
Unpacked the 4.04 Bootloader
aboot.img
bootloader.img
rpm.img
sbl1.img
sbl2.img
sbl3.img
tz.img
Pulled all partitions from HDD Raw Copy Backup of a working device
aboot.img
abootb.img
boot.img
DDR.im
first_131071_sectors.img
fsg.img
m9kefs.img
m9kefs2.img
m9kefs3.img
m9kefsc.img
metadata.img
misc.img
modemst1.img
modemst2.img
pad.img
radio.img
recovery.img
rpm.img
rpmb.img
sbl1.img
sbl2.img
sbl2b.img
sbl3.img
sbl3b.img
ssd.img
tz.img
tzb.img
QPST Memory Debug Dump from a bricked device
CODERAM.BIN
CPU_REG.BIN
CPU0_WDT.BIN
CPU1_WDT.BIN
CPU2_WDT.BIN
CPU3_WDT.BIN
EBICS0.BIN
ETB_ERR.BIN
ETB_REG.BIN
IMEM_A.BIN
IMEM_C.BIN
load.cmm
LPASS.BIN
MM_IMEM.BIN
PMIC_PON.BIN
RPM_MSG.BIN
RPM_WDT.BIN
RST_STAT.BIN
SPS_BUFF.BIN
SPS_PIPE.BIN
SPS_RAM.BIN
Unpacked Radio partition from a working device
ACDB.MBN
APPS.MBN
DSP1.MBN
DSP2.MBN
DSP3.MBN
EFS1.MBN
EFS2.MBN
EFS3.MBN
MDM_ACDB.IMG
RPM.MBN
SBL1.MBN
SBL2.MBN

Fastboot Commands
Click To Show Content for examples of each commands usage, partitions that are excepted by a command and additional info.
Regular fastboot commands
Code:
fastboot update
Code:
fastboot update update.img
Code:
fastboot flashall
Code:
fastboot flash
Code:
fastboot flash aboot aboot.img ?
fastboot flash bootloader bootloader.img
fastboot flash rpm rpm.img ?
fastboot flash sbl1 sbl1.img ?
fastboot flash sbl2 sbl2.img ?
fastboot flash sbl3 sbl3.img ?
fastboot flash tz tz.img ?
fastboot flash boot boot.img
fastboot flash cache cache.img
fastboot flash recovery recovery.img
fastboot flash system system.img
fastboot flash userdata userdata.img
Code:
fastboot erase
Code:
fastboot erase all
fastboot erase boot
fastboot erase cache
fastboot erase recovery
fastboot erase system
fastboot erase userdata
Code:
fastboot format
Code:
fastboot format boot
fastboot format cache
fastboot format recovery
fastboot format system
fastboot format userdata
Example of advanced functions:
Code:
fastboot format cache:ext4:0x0000000023000000 cache
(hex value for 587202560 bytes (= 587 MB / 573440 don’t know what this value is but it equals a hex value of 008c000)
Code:
fastboot format cache:0x0000000023000000 cache
(skips fs type and uses default)
Code:
fastboot getvar
Code:
fastboot getvar all
fastboot getvar version-bootloader
fastboot getvar version-baseband
fastboot getvar version-hardware
fastboot getvar ersion-cdma
fastboot getvar variant
fastboot getvar serialno
fastboot getvar product
fastboot getvar secure_boot
fastboot getvar lock_state
fastboot getvar project
fastboot getvar off-mode-charge
fastboot getvar uart-on
fastboot getvar partition-type:<partition name>
fastboot getvar partition-size:<partition name>
Code:
fastboot continue
Code:
fastboot boot
Code:
fastboot boot recovery.img
fastboot boot boot.img
fastboot boot bootloader.img
Example of advanced functions:
Code:
fastboot boot <kernel> [ <ramdisk> [ <second> ] ]
Examples of booting the kernel and ramdisk:
Code:
fastboot boot zImage boot.img-ramdisk.cpio.gz
fastboot -c *cmdline* boot zImage boot.img-ramdisk.cpio.gz
Code:
fastboot flash:raw boot
Same command format as the advanced "fastboot boot" command:
Code:
fastboot flash:raw boot <kernel> [ <ramdisk> [ <second> ] ]
fastboot flash:raw boot zImage boot.img-ramdisk.cpio.gz
Code:
fastboot devices
fastboot continue
fastboot reboot
fastboot reboot-bootloader
fastboot help
Regular fastboot options that might be useful
-c <cmdline> override kernel commandline
Add -c followed by a kernel command. If more than one kernel command is in the line then they should have parenthesis around them like this "console=ttyHSL0,115200,n8 androidboot.hardware=flo". This is used for the "fastboot boot" command to boot into a kernel with different commandline parameters. Here are the kernel commandlines listed in /proc/cmdline:
Code:
console=ttyHSL0,115200,n8 androidboot.hardware=flo user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 androidboot.emmc=true androidboot.serialno=049973d5 bootreason=PowerKey fuse_info=Y ddr_vendor=hynix androidboot.baseband=apq asustek.hw_rev=rev_e androidboot.bootloader=FLO-04.04
-i <vendor id> specify a custom USB vendor id
Add -i and then the vendor id you want to use. The Nexus 7 vendor id is 18d1 and Hexidecimal Syntax is 0x18D1. Fastboot wants the Hex value:
Code:
-i 0x18D1
-b <base_addr> specify a custom kernel base address.
I haven't done this in long enough that I've forgotten how to use it. The default is 0x10000000 and the BOARD_KERNEL_BASE is listed as 0x80200000 in the Nexus code.
-n <page size> specify the nand page size.
The default value is 2048. Add -n and then the value you want to use:
Code:
-n 2048
-S <size>[K|M|G] automatically sparse files greater than size. 0 to disable.
I've never used this. If anyone has any insight, let me know.
fastboot oem commands
I extracted the aboot.img and used Notepad++ to look at the commands. I’m not sure what the variables are for some of them but I’m working on testing some things out. This is how how I figured out “fastboot oem reset-dev_info” would allow “fastboot boot twrp.img” though.
Code:
fastboot oem unlock
fastboot oem lock
fastboot oem device-info
fastboot oem memtest_
fastboot oem gpt-info
fastboot oem fuse_blow
fastboot oem check-fuse
fastboot oem reset-dev_info
Code:
fastboot oem erase_
Usage is erase_<partition name>. I've only tested it on persist so far. I'm assuming this is for partitions that aren't supported by the regular "fastboot erase" command.
Code:
fastboot oem erase_persist
Code:
fastboot oem off-mode-charge 1
fastboot oem off-mode charge 0
fastboot oem uart-on
fastboot oem uart-off

Links
Drivers and Software
Qualcomm Drivers - The one marked 2012 seems to be the newest I could find and is the one I've been using the most.
Qualcomm Product Support Tools (QPST)
Qualcomm Documents
HDD Raw Copy Tool
Nexus 5 Boarddiag Tool
EFS Professional
Links to relevant threads
[REF][R&D] MSM8960 Info, Architecture and Bootloader(s)
[DEV][REF] El Grande Partition Table Reference

Logs
All logs posted to Pastebin.
Fastboot Logs
Nexus 7 2013 - fastboot getvar all
Nexus 7 2013 - fastboot oem gpt-info
ADB Logs
Nexus 7 2013 - Big Collection of Partition Info
Nexus 7 2013 - mmc error - kernel log snippet
Nexus 7 2013 - Bricked Tablet - dmesg
Nexus 7 2013 - Working Tablet - dmesg
Nexus 7 2013 - Bricked Tablet - last_kmsg
Nexus 7 2013 - Working Tablet - last_kmsg
Nexus 7 2013 - Bricked Tablet - Recovery Log
Nexus 7 2013 - Working Tablet - Recovery Log
Nexus 7 2013 - adb shell dmesg | grep mmc0
Nexus 7 2013 - adb shell cat /proc/devices
Nexus 7 2013 - adb shell tail ./etc/fstab
Nexus 7 2013 - adb shell tail ./etc/recovery.fstab
Nexus 7 2013 - adb shell mount
Nexus 7 2013 - adb shell df
Nexus 7 2013 - adb shell cat /proc/cmdline
Nexus 7 2013 - adb shell ls /dev/block
Nexus 7 2013 - adb shell cat /proc/partitions

Updates to this thread
1/24/2015
- Added a link to a spreadsheet with partition info to the original post under "General Info".
- Added a section to the original post for files. Added a link to a MediaFire folder with QPST memory debug of a bricked device as well as dumped and unpacked partitions from a working device. Listed all files in each folder.
- Added another build of the QPST software to the MediaFire folder.
- Edited "Tasks" in original post.
6/01/2015
- Added info on how to pull a full raw backup of a working Nexus 7.
- Added all fastboot and adb logs I have.
- Added more documents to the MediaFire folder.
05/28/2015
- Added a working theory to the initial post.
05/26/2015
- Added more info to the Intro section and the Problem section.
- Formatted the Fastboot Command section differently.
05/25/2015
- Added links to drivers, software and relevant websites.
- Added Qualcomm Documents to the links section.
- Added info about driver installation to the Getting Started section.
- Added a list of other APQ8064 devices.
- Reformatting some things to look better. I'll keep working on it.
05/24/2015
- Initial Post

Reserved
Reserved for if there is ever a solution.

I extracted all the partitions in RAW format today. I'll add some more detailed info here in the near future on how I did it but I used software called DiskInternals Linux Reader.
-----
Update: The info on how to make a full RAW backup of the entire device without having an external SD card to save it to can be found in this thread. I made some adjustments for the Nexus 7 and I did it all in Cygwin.
To make device backup in Cygwin and TWRP open a terminal and do this:
Code:
adb forward tcp:5555 tcp:5555
adb shell
/sbin/busybox nc -l -p 5555 -e /sbin/busybox dd if=/dev/block/mmcblk0
Then open a second Cygwin Terminal and do this:
Code:
adb forward tcp:5555 tcp:5555
cd /nexus
nc 127.0.0.1 5555 | pv -i 0.5 > mmcblk0.img
You can then mount the image you pulled with DiskInternals Linux Reader. It will show you all of the individual partitions, all of the unllocated gaps between partitions and some info about each one. You can open the EXT4 partitions like /system to explore them and you can also open the radio.img and see everything inside. You can then save all the partitions as individual images. This method doesn't work with the bricked tablet. I'm building a spreadsheet with info on all the partitions.

fuser-invent said:
I extracted all the partitions in RAW format today. I'll add some more detailed info here in the near future on how I did it but I used software called DiskInternals Linux Reader.
Click to expand...
Click to collapse
From a working or an OTA-bricked device?

MattG987 said:
From a working or an OTA-bricked device?
Click to expand...
Click to collapse
I pulled them all from a working device so I can try to write them back to the bricked device but also so I can try and make the flash programming files for use in QFIL. On another note the bricked devices can show up in the Windows file manager as a single small partitions with a list of files. I found out today that those files are the contents of the radio partition. I have a folder with those files from a bricked and working device now and I'll do a hex comparison to see if they are still all intact on the bricked device. That also means the FAT partition at the very beginning of the eMMC chip is still there and working, so the whole chip isn't "dead".

Hi fuser-invent,
Thank you for your job.
Do you have any solution to write a stock rom to flash memory ?
Lollipop OTA bricked my Nexus 7 2013. Several people reporting this problem.
I can't unlock bootloader and adb sideload not work.
Thanks.

yodtc said:
Hi fuser-invent,
Thank you for your job.
Do you have any solution to write a stock rom to flash memory ?
Lollipop OTA bricked my Nexus 7 2013. Several people reporting this problem.
I can't unlock bootloader and adb sideload not work.
Thanks.
Click to expand...
Click to collapse
Still working on it but my job suddenly got really, really busy. Hoping to get back into it after the holiday rush. I wish there were other people trying to work on this problem too though.
Sent from my iPhone using Tapatalk

I just received a new Nexus 7 on 5.1.1
It isn't bricked but when I flash TWRP it shows all the unable to mount errors in your first post and I can't access the sdcard. When I use the TWRP option to boot to system it says there's no OS installed but it does boot into android. I flashed the 6.0 img without any issues. Still the same problem with TWRP.
I've never had any issues like this before.

Andrew025 said:
I just received a new Nexus 7 on 5.1.1
It isn't bricked but when I flash TWRP it shows all the unable to mount errors in your first post and I can't access the sdcard. When I use the TWRP option to boot to system it says there's no OS installed but it does boot into android. I flashed the 6.0 img without any issues. Still the same problem with TWRP.
I've never had any issues like this before.
Click to expand...
Click to collapse
Have you tried the multi-rom TWRP that fixes the mount point problems?

autocon said:
Have you tried the multi-rom TWRP that fixes the mount point problems?
Click to expand...
Click to collapse
No, I wasn't aware of that until you mentioned it.
Thanks for the suggestion. I'll give it a shot when I have a chance. Should probably fix it since apparently the devices that shipped with 5.0 have the issue.

Andrew025 said:
No, I wasn't aware of that until you mentioned it.
Thanks for the suggestion. I'll give it a shot when I have a chance. Should probably fix it since apparently the devices that shipped with 5.0 have the issue.
Click to expand...
Click to collapse
I've the same issue and used the Multirom to workaround, but what about ROMs that say "use the latest version of TWRP" ?
If this is a software-caused problem, has the Android team been notified with a bug report or something?

As owner of 2 N7 2013 devices, one of them bricked, I would like to thank you for your work and time.
I find this thread very instructive and I think I will try to follow the leads you provided and try to get my device back to life.
Alas, much study is needed on my part!
I also found some info that may or may not be useful here:
github.com/aureljared/unbrick_8960
I hope I can find and share something useful, and wish you all good luck!

N7 2013 32GB Bricked
I look forward to doing some testing my self with this tablet... Problem is, my bootloader is locked and I can't unlock it since it won't format the internal storage... can't even boot into TWRP because of that.
Anyway, I'm very interested in using DD to flash the partitions at some point if that's available. I can also get into download mode, so using the qualcomm utility to write that way. It's just sitting here, waiting to be revived!

Following the instructions above, I could get to the point where I have the partitions of the working device.
I can also put both devices in 9008 mode, and the bricked device only in 9006 mode also. Although windows registers it as diagnostic mode, QPST is reading both 9008 and 9006 as Download Mode, and does not allow me to backup the working device.
So, as far as QPST goes, I'm kind of stuck.
But, reading what I found in github.com/aureljared/unbrick_8960 I might still have a chance: I just have to understand how to set up the files that are needed though...
Wish you all a good day!

orzem said:
Following the instructions above, I could get to the point where I have the partitions of the working device.
I can also put both devices in 9008 mode, and the bricked device only in 9006 mode also. Although windows registers it as diagnostic mode, QPST is reading both 9008 and 9006 as Download Mode, and does not allow me to backup the working device.
So, as far as QPST goes, I'm kind of stuck.
But, reading what I found in github.com/aureljared/unbrick_8960 I might still have a chance: I just have to understand how to set up the files that are needed though...
Wish you all a good day!
Click to expand...
Click to collapse
I think we need to build our own flashing files using aureljared's method. I have a ton of partitions and data ripped. I'll try to upload it soon so everyone has access to expirement with.
Sent from my iPhone using Tapatalk

Yes, I think so too. Also considering the fact that those scripts are much more understandable than a closed source program, even to me and my scarce knowledge.
Just a thought: why try and rebuild the partition table and then copy each partition in its place? Wouldn't it be much easier to just "dd" the working device in one single file and then "dd" it back on the bricked one?
Of course, IF (and only if) the hex and mbn provided by aureljared succed in switching the device into Streaming Protocol and let us actually write to memory.
If there's anything I can do, I'll be glad to do it.
Have a nice day!