Possible Nvflash key found - KIN One and Two General

I'm not trying to get my hopes up too high, but I think I might have got my partial SBK. I was reading this guide I found on recovering it and decided to try it.
http://forum.xda-developers.com/showthread.php?t=1751978
This is what I came up with on my phone:
0x00000012a33080
Basically most of it seems correct besides all the zeros at the beginning. Not really sure why it won't connect the key in nvflash. Any ideas? When I run it in the sbcalc program I get something similar to how it should look from an Android device. The tutorial says you should have a 64-bit Ubuntu/Linux system, but there is an option to change the code for 32-bit. If someone out there has a 64-bit machine, maybe they could try it out:
Make sure your phone is plugged into the USB port, and the phone is off.
Open a terminal, then sudo su (make sure you're root).
Then run this command: watch -n2 lsusb (APX doesn't always show up, so this keeps checking until it does).
Hold down u+s+b plus power on the phone (sometimes I hold, then let go of the power while holding the buttons).
Once you see something like (Bus 001 Device 031: ID 0955:7416 NVidia Corp) you are in APX mode (Ctrl + C to stop the watch command).
After that you need to make the apx.c file. Go back to this guide and follow the instructions at the top on how to make it. The most important thing to do is to change the code ( 0x0955, 0x7820 ) to whatever it says from the lsusb command. Mine is like this: ( 0x0955, 0x7416 ). Once you make the .apx file, just open another terminal (make sure it's root), then run ./apx
It should pop out a number similar to mine. If you end up with a code with something else besides all those zeros at the beginning, then there is a chance it may work when we run it in Nvflash.
From there go to this website and enter the code in there (delete the x):
http://a500bootloaderflash.tk/sbkcalc/
It should spit out a code like this: 0x07B91000 0x204AF201 0xD09B1103 0xF768F302
So after that you would go back into terminal (sudo su) then run nvflash like this:
./nvflash --sbk 0x07B91000 0x204AF201 0xD09B1103 0xF768F302
If we're lucky then it should pop up a whole bunch of info. My hope is that someone will know a little bit more about what I might be doing wrong with the code to get this working correctly. I believe it must be doing something though, as it will only display that code when in APX mode. It's getting late over here and I spent too many hours trying to figure this out tonight, lol. Let me know if anyone needs help. Good luck.

update
I set up another computer with Ubuntu 12.04 x64 and configured a new apx file once again:
0x00fcfe12a33080
It looks like I got closer but still need 15 digits past the 0x to make a correct SBK. Nvflash wasn't having anything I tried so far. I'm still looking for a way to fix this.

Keep up the good work. Glad to see some love coming back to the kin
Sent from my DROID RAZR using xda app-developers app

I found some new commands off an older version of nvflash I was using:
nvflash action [options]
action (one or more) =
--help (or -h)
displays this page
--cmdhelp cmd(or -ch)
displays command help
--resume (or -r)
send the following commands to an already-running bootloader
--quiet (or -q)
surpress excessive console output
--wait (or -w)
waits for a device connection (currently a USB cable)
--create
full initialization of the target device using the config file
--download N filename
download partition filename to N
--setboot N
sets the boot partition to partition N
--format_partition N
formats contents of partition N
--read N filename
reads back partition N into filename
--getpartitiontable filename
reads back the partition table into filename
--getbit filename
reads back BIT into filename
--getbct
reads back the BCT from mass storage
--odm C Data
ODM custom 32bit command 'C' with associated 32bit data
--go
continues normal execution of the downloaded bootloader
options =
--configfile filename
indicates the configuration file used with the following commands:
--create, --format_all
--bct filename
indicates the file containing the BCT
--sbk 0x00000000 00000000 00000000 00000000
indicates the secure boot key for the target device
--bl filename
downloads and runs the bootloader specified by filename
--odmdata N
sets 32bit customer data into a field in the BCT, either hex or
decimal
--diskimgopt N
sets 32bit data required for disk image convertion tool
--format_all
formats all existing partitions on the target device using the config file,
including partitions and the bct
--setbootdevtype S
sets the boot device type fuse value for the device name.
allowed device name string mentioned below:
emmc, nand_x8, nand_x16, nor, spi
--setbootdevconfig N
sets the boot device config fuse value either hex or decimal
--verifypart N
verifies data for partition id = N specified. N=-1
indicates all partitions
Intended to be used with --create command only.
--setbct
updates the chip specific settings of the BCT in mass storage to
the bct supplied,used with --create, should not be with --read,and
--format(delete)_all,format(delete)_partition,--download, and--read
--sync
issues force sync commad
--rawdeviceread S N filename
reads back N sectors starting from sector S into filename
--rawdevicewrite S N filename
writes back N sectors from filename to device starting from sector S
--updatebct <bctsection>
bctsection should refer to the section of the bct we are updating.
Curently we suport updates for following sections
<SDRAM> updates SdramParams and NumSdramSets fields
<DEVPARAM> updates DevParams, DevType and NumParamSets
<BOOTDEVINFO> updates BlockSizeLog2, PageSizeLog2 and PartitionSize
Apart from that I tried everything I could really think of for getting that key. This phone seems to be very locked down, and without enough info on the system or where that SBK might be located, I think we're back to a dead end again. I know on bitpim there are some files on there that can be downloaded and maybe decompiled or something (maybe the key is in there).
I was figuring the key would be the same setup as the later Tegra devices but I believe it's different now. My only guess now is to have someone with a lot of electronics knowledge find the UART on the board, and we could read the NAND like that.

[Q] Issue with Acer Iconia A500 Flashing Bootloader and Entering Recovery

Alright, I did find a forum where this should be posted, but due to restrictions I said I would post it here. The forum was http://forum.xda-developers.com/showthread.php?t=1622425
I have searched through all that forum and tested every method to try and get my issue resolved.
DEVICE INFO:
Device : Acer Iconia A500
Android version : 4.0.3
Kernel: 2.6..39.4+
Image Version: Acer _AV041_A500_RV03RC01_WW_GEN1
Build Number: Acer_AV041_A500_1.031.00_WW_GEN1
Image P/N: FM.S14A0.00U
Bootloader Version 0.03.12-ICS
Tablet is also Rooted
The issue is that when I attempt to enter recovery it says
" Erasing Cache beofre SD Update...
SD Update cmd: recovery
--update_package=SDCARD: Update.zip
Booting recovery kernal image
Recovery verified failed ... "
I have tried putting an update.zip file on both the internal and external SD card but issue still happens.
The next issue is that when I try to flash the bootloader using the information in the above forum, it just continuously hangs, and looking at the cmd output it has an error:
Flashing bootloader: ics_boot_unlk_V4.bin ...
Nvflash started
[resume mode]
Formatting partition 4 please wait.. Command Execution failed cmd 13, error 0x12
0002
FAILED!
command failure: format partition failed (bad command)
bootloader status: unknown operation (code: 1) message: flags: 0
Nvflash started
[resume mode]
I have attempted to remove the batch script that formats the partitions but that still doesn't work.
I have attempted the bootloader flash both manually using the CMD and automatically using the A500APXFlashing tool.
I have tried all issue resolutions in the forums above but it is still not working.
Any help would be great
Thanks in advance
ADDITIONAL INFO:
In normal operation the tablet works fine; it boots into Android ICS without any problems.
I've been having the same problem as you with no solution.
shenny585 said:
I've been having the same problem as you with no solution.
Have you tried all TS in the thread that I linked at the top of my post?
Yes I did
Ok well it seems that we need to see can we get a dev to look at this forum to see if there is any resolution.
Sounds like a dodgy SBK
OP: what app did you root with!?
Sent from my Iconia A500 using Tapatalk 2
SBK is right
Used the blackthund3r apx flash utility and the simple method for rooting
shenny585 said:
SBK is right
Used the blackthund3r apx flash utility and the simple method for rooting
Try Skrilax's bundle market repo bundle #4 (see his boot loader thread for the URL, input it into the bundle market then choose bundle 4). Press yes to stage for flash when you download
Sent from my Iconia A500 using Tapatalk 2
Tried Skrilax's bundle market repo bundle #4 with no result.
The acer usb boot recovery drives disappears when entering download mode bootloader..
blackthund3r said:
Sounds like a dodgy SBK
OP: what app did you root with!?
Sent from my Iconia A500 using Tapatalk 2
Firstly I'd like to thank you for the rooting tool; it made it a breeze.
I have tested my SBK in CMD using the tool from the forum above and it seems to be right.
I have tried uninstalling and reinstalling the Acer drivers to no avail.
Will try the latest post you put up and get back with an update
What is the output upon the initial command where you enter the SBK (when using nvflash manually)?
Skrilax_CZ said:
What is the output upon the initial command where you enter the SBK (when using nvflash manually)?
Here is the response after I enter the SBK. Is this the right response?
**********************************************************
* Make your choise: *
*(1) HC bootloader with TWRP cwm (touch cwm) *
*(2) ICS bootloader V4 with TWRP-2.1.3-ICS cwm(touch cwm)*
*(3) ICS bootloader V4 with PubRecovery-ICS (BareBones) *
*(4) ICS bootloader V4 with Thor-1.7cwm (touch cwm) *
*(5) ICS bootloader V4 with Thor-1.7.2 NEW cwm(touch cwm)*
* with its compatible recoveries. *
**********************************************************
(1 2 3 4 5):5
Loading bootloader...
Nvflash started
rcm version 0X20001
System Information:
chip name: t20
chip id: 0x20 major: 1 minor: 3
chip sku: 0x8
chip uid: 0x0380624843c11517
macrovision: disabled
hdcp: enabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 0
device config fuse: 0
sdram config strap: 3
sending file: bct.bct
- 4080/4080 bytes sent
bct.bct sent successfully
odm data: 0x300d8011
downloading bootloader -- load address: 0x108000 entry point: 0x108000
sending file: bootloader.bin
| 714981/714981 bytes sent
bootloader.bin sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
failed executing command 25 NvError 0x120002
command failure: sync failed (bad data)
bootloader status: partition table is invalid, missing required information (cod
e: 14) message: nverror:0x4 (0x4) flags: 0
**********************************************************
* Press any key when your A500 is in bootloader mode *
**********************************************************
Press any key to continue . . .
blackthund3r said:
Try Skrilax's bundle market repo bundle #4 (see his boot loader thread for the URL, input it into the bundle market then choose bundle 4). Press yes to stage for flash when you download
Sent from my Iconia A500 using Tapatalk 2
I have tried that method and it just hangs and doesn't do anything, and the tablet says entering download mode, not APX mode.
Any other ideas?
steokeogh said:
I have tried that method and it just hangs and doesn't do anything, and the tablet says entering download mode, not APX mode.
Any other ideas?
Well, the thing is that you have to dump your bct from the tablet and decrypt it with SBK and read odmdata from that. No real guide exists for this, BCT is first 4k bytes from mmcblk0 (w/o partition), and used method is aes. It's 2:46 AM now, so just very basic info:
A) dd if=/dev/block/mmcblk0 of=/sdcard/bct.enc bs=4096 count=1
B) Pull bct.enc to PC
C) Decrypt with AES using SBK as the key (remove the "0x" and join it)
D) odmdata parameter is on 0xFE4 in bct (little endian)
And if you repartition the tablet, you have to do it again.
That's what causes the issues, blackthund3r's app uses the most common bct. Seems like we'll have to automate this.
Skrilax_CZ said:
Well, the thing is that you have to dump your bct from the tablet and decrypt it with SBK and read odmdata from that. No real guide exists for this, BCT is first 4k bytes from mmcblk0 (w/o partition), and used method is aes. It's 2:46 AM now, so just very basic info:
A) dd if=/dev/block/mmcblk0 of=/sdcard/bct.enc bs=4096 count=1
B) Pull bct.enc to PC
C) Decrypt with AES using SBK as the key (remove the "0x" and join it)
D) odmdata parameter is on 0xFE4 in bct (little endian)
And if you repartition the tablet, you have to do it again.
That's what causes the issues, blackthund3r's app uses the most common bct. Seems like we'll have to automate this.
Thanks for the further TS but I cannot seem to find the files you mention above.
Would you be able to give me more broken down steps to try fix this? Thanks
Also I saw that blackthund3r has released a new version of the tool. It mentions in the post some of the things you mention in yours is the tool now updates to automate the process you were talking about.
Sent from my HTC Desire HD A9191 using XDA
Skrilax_CZ said:
Well, the thing is that you have to dump your bct from the tablet and decrypt it with SBK and read odmdata from that. No real guide exists for this, BCT is first 4k bytes from mmcblk0 (w/o partition), and used method is aes. It's 2:46 AM now, so just very basic info:
A) dd if=/dev/block/mmcblk0 of=/sdcard/bct.enc bs=4096 count=1
B) Pull bct.enc to PC
C) Decrypt with AES using SBK as the key (remove the "0x" and join it)
D) odmdata parameter is on 0xFE4 in bct (little endian)
And if you repartition the tablet, you have to do it again.
That's what causes the issues, blackthund3r's app uses the most common bct. Seems like we'll have to automate this.
Hmm. Well the tool has ADB already integrated. If you have a copy of the bct decryption utility (its download link is currently down AFAIK) then I would happily work with you in producing the updated version of the flash tool to support this. I can easily get dd etc for windows and script the production of the data. Assuming the SBK is correct we should even be able to read raw bytes from the flash and produce the mmcblk0_start from APX Mode.
Would this help us? http://git.chromium.org/gitweb/?p=chromiumos/third_party/cbootimage.git
Sent from my Iconia A500 using Tapatalk 2
steokeogh said:
Thanks for the further TS but I cannot seem to find the files you mention above.
Would you be able to give me more broken down steps to try fix this? Thanks
Also I saw that blackthund3r has released a new version of the tool. It mentions in the post some of the things you mention in yours is the tool now updates to automate the process you were talking about.
Sent from my HTC Desire HD A9191 using XDA
I haven't worked on this yet but I would be interested in doing so. The decryption iirc is done with openssl. I'll look around and let you know when I find the steps. What we can do so far:
A) use a terminal emulator or adb shell to run
Code:
dd if=/dev/block/mmcblk0 of=/sdcard/mmcblk0_start bs=4096 count=1
B) copy /sdcard/mmcblk0_start to your PC
Sent from my Iconia A500 using Tapatalk 2
blackthund3r said:
Hmm. Well the tool has ADB already integrated. If you have a copy of the bct decryption utility (its download link is currently down AFAIK) then I would happily work with you in producing the updated version of the flash tool to support this. I can easily get dd etc for windows and script the production of the data. Assuming the SBK is correct we should even be able to read raw bytes from the flash and produce the mmcblk0_start from APX Mode.
Would this help us? http://git.chromium.org/gitweb/?p=chromiumos/third_party/cbootimage.git
Sent from my Iconia A500 using Tapatalk 2
Well, sp3dev posted a way here (for linux / cygwin):
http://forum.xda-developers.com/showthread.php?t=1514951
The openssl cmd is:
Code:
openssl aes-128-cbc -K $SBK -iv 0 -d -in $FTMP -out $FOUT
About the decryption, in short:
I believe .NET AES decryptor is this: http://msdn.microsoft.com/en-us/library/system.security.cryptography.aes.aspx
Set initialization vector to all zeroes, and the key:
If your SBK is "0x09A81E00 0xD4531301 0x3B1AF703 0x9A052103" it becomes 09A81E00D45313013B1AF7039A052103.
Haven't tried the .NET way yet. But it works when the output isn't just some random crap, say I dunno: 0xFD0 - 0xFDF should be all zeroes for instance?
Skrilax_CZ said:
Well, sp3dev posted a way here (for linux / cygwin):
http://forum.xda-developers.com/showthread.php?t=1514951
The openssl cmd is:
Code:
openssl aes-128-cbc -K $SBK -iv 0 -d -in $FTMP -out $FOUT
About the decryption, in short:
I believe .NET AES decryptor is this: http://msdn.microsoft.com/en-us/library/system.security.cryptography.aes.aspx
Set initialization vector to all zeroes, and the key:
If your SBK is "0x09A81E00 0xD4531301 0x3B1AF703 0x9A052103" it becomes 09A81E00D45313013B1AF7039A052103.
Haven't tried the .NET way yet. But it works when the output isn't just some random crap, say I dunno: 0xFD0 - 0xFDF should be all zeroes for instance?
Aha! That's the openssl command I was thinking of. I'll look into .Net cryptography and see if I can write a function for it but it might be easier to just script the Unix tools as-is. I'll play with it now and get back to you on it
EDIT: I get a bad decryption error with my SBK / openssl / mmcblk0_start
Sent from my Iconia A500 using Tapatalk 2
blackthund3r said:
EDIT: I get a bad decryption error with my SBK / openssl / mmcblk0_start
Your mmcblk0_start is probably not containing an even number of blocks; AES-128 works on blocks of 16 bytes (128 bits).
So if the size of the file is not a multiple of 16 bytes the decryption will fail in the end.
Decrypting like that will technically give an incorrect result as not all data is encrypted.
In the BCT the first block (of 16 bytes) is a hash for the following 4064 bytes, and since we are using cipher block chaining including this in the decryption will mess up the decryption of the second block (which should have been the first block). But in this case we probably do not really care about the 2nd block.
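Steps A to D from the replies above as one script, added here as an example (it is not code from the thread or from any of the tools it mentions). The function names are made up for this example; `-nopad` and the spelled-out zero IV are additions to the thread's openssl command, since a raw dump carries no padding block; skipping the first 16 bytes follows the last reply's description of the hash block, and the 0xFD0-0xFDF zero check is the thread's own rough heuristic.

```python
import re
import struct
import subprocess
import sys

AES_BLOCK = 16
HASH_BLOCK = 16          # first 16 bytes: hash block, per the last reply above
ODMDATA_OFFSET = 0xFE4   # step D: 32-bit little-endian value
ZERO_LO, ZERO_HI = 0xFD0, 0xFE0  # thread's heuristic: 0xFD0-0xFDF all zero


def sbk_to_key_hex(sbk):
    """Step C: '0x09A81E00 0xD4531301 ...' -> 32 hex digits, no '0x'."""
    words = sbk.split()
    if len(words) != 4:
        raise ValueError("expected four 32-bit words, got %d" % len(words))
    digits = []
    for word in words:
        m = re.fullmatch(r"(?:0[xX])?([0-9A-Fa-f]{8})", word)
        if m is None:
            raise ValueError("not an 8-digit hex word: %r" % word)
        digits.append(m.group(1).upper())
    return "".join(digits)


def openssl_argv(key_hex):
    """The thread's command plus -nopad; input on stdin, output on stdout."""
    # Note: -K puts the key on the command line, visible to other local users.
    return ["openssl", "aes-128-cbc", "-d", "-nopad",
            "-K", key_hex, "-iv", "0" * 32]


def decrypt_bct(enc, sbk):
    """Decrypt a dump from step A; offsets in the result match the raw file."""
    if len(enc) < ODMDATA_OFFSET + 4 or len(enc) % AES_BLOCK:
        raise ValueError("dump must be a multiple of 16 bytes and cover 0xFE4")
    # Decrypt only what follows the hash block, so CBC starts from the zero IV.
    proc = subprocess.run(openssl_argv(sbk_to_key_hex(sbk)),
                          input=enc[HASH_BLOCK:], stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, check=True)
    return enc[:HASH_BLOCK] + proc.stdout


def looks_decrypted(bct):
    """True when the range the thread expects to be zero really is zero."""
    return (len(bct) >= ODMDATA_OFFSET + 4
            and bct[ZERO_LO:ZERO_HI] == bytes(ZERO_HI - ZERO_LO))


def read_odmdata(bct):
    """Return odmdata from a decrypted BCT, refusing obviously wrong output."""
    if not looks_decrypted(bct):
        raise ValueError("0xFD0-0xFDF not zero: wrong SBK or not a BCT")
    return struct.unpack_from("<I", bct, ODMDATA_OFFSET)[0]


def constructed_plain_bct(odmdata):
    """Constructed stand-in for a decrypted BCT (filler bytes, not real data)."""
    buf = bytearray(b"\xA5" * 4096)
    buf[ZERO_LO:ZERO_HI] = bytes(ZERO_HI - ZERO_LO)
    struct.pack_into("<I", buf, ODMDATA_OFFSET, odmdata)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: script.py bct.enc "0x........ 0x........ 0x........ 0x........"
        with open(sys.argv[1], "rb") as fh:
            plain = decrypt_bct(fh.read(), sys.argv[2])
    else:
        # No arguments: run on the constructed sample instead of a real dump.
        plain = constructed_plain_bct(0x300D8011)
    print("odmdata: 0x%08x" % read_odmdata(plain))
```

The value read this way is what goes to nvflash's `--odmdata` option when the bootloader is flashed manually.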

Help With Partition 2 on the Nook

Hello!
This is my first time posting. I normally am able to solve problems by looking through the forums, but not this time, so I created an account and posted.
Any help that could be offered would be greatly appreciated.
The Story:
I have had the Nook for around a year running CM7 or CM9, and last semester I took a programming class and programmed apps for Android and ran them on my Nook. I got acquainted with adb and am somewhat familiar with it. I remember when I started, the serial number which adb used to ID the device was normal, but then around halfway through it simply became a string of zeros. So that is when the device lost its serial number, I assume. Sadly this is not the main issue.
A week or so ago I was attempting to return my Nook back to the stock ROM, and got it booting fine, but it would not register because it was missing the serial number and MAC address. I looked through the forums and tried to fix it. I figured out it was stored in partition 2. Looking into it, I could easily reflash other ROMs and they would work fine, and I tried restoring an old backup I had, which did not fix the problem (I didn't think they affect that partition at all). Eventually I stumbled upon leapinlar's repair partitions zip, and with nothing else working, I flashed the repair partition 2 zip in hopes the backup from partition 3 would have the correct serial number in it and restore the serial number. This put my device in a recovery bootloop. I am able to boot into CWM and talk to the device over adb, and I can flash new ROMs, but it will ONLY boot into recovery, no matter what ROM it is (I have tried CM7, CM9, sdcard install of CM7, and stock 1.0.1). I figured out that it is because of a file on the mmcblk0p2 which I think was BCB, but there might be some other things affecting it.
So now you know what has happened, can anyone help me? I would like to get a Rom to boot into the normal mode, and then restore serial number / mac address so that it could be registered.
Once again, Thank you so much.
The problem is that without a valid serial number on partition 2, no rom will boot even if the recovery flag is set properly. It will just keep going to recovery.
If you have adb working, look at p2 and see if you have a devconf folder. If you do, look in it to see what files are there. There should be simple text files that have data in them. Like SerialNumber that has a 16 digit serial number in it (but the file is 17 bytes long so must have a linefeed on the end.) MACAddress is another, with a 12 digit number and no linefeed. 17 files total. All of them with rw-rw---- permissions.
Those files are usually backed up in partition 3 in a file named rombackup.zip. Unzip that zip manually and place them all in the devconf folder in partition 2. Set permissions as above.
Also you said you flashed my repair zip. Did it give you the message that it completed successfully? I have it set to abort if everything is not right.
Edit: Your serial number is stamped on the little flap that covers the micro SD card. It is also on your box the NC came in. If you cannot find the SerialNumber file in the backup zip, you could try manually creating it and putting in the right place.
Thanks. A week ago I was more familiar with this because I had just done a day or two of reading, but sadly a bit has slipped my mind.
ADB is working just fine when I boot into CWM, but I am having trouble finding partition 2. For some reason I recall a rom folder on the root level, but when I do an ls while in adb shell, all I see is this:
boot etc sd-ext
cache init sdcard
data init.rc sys
datadata proc system
default.prop res tmp
dev root ueventd.goldfish.rc
emmc sbin ueventd.rc
(more random info, still in adb shell)
When I do an fdisk -l /dev/block/mmcblk0:
Disk /dev/block/mmcblk0: 7944 MB, 7944011776 bytes
255 heads, 63 sectors/track, 965 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/block/mmcblk0p1 * 1 9 72261 c Win95 FAT32 (LBA)
/dev/block/mmcblk0p2 10 18 72292+ c Win95 FAT32 (LBA)
/dev/block/mmcblk0p3 19 56 305235 83 Linux
/dev/block/mmcblk0p4 57 965 7301542+ 5 Extended
/dev/block/mmcblk0p5 57 114 465853+ 83 Linux
/dev/block/mmcblk0p6 115 236 979933+ 83 Linux
/dev/block/mmcblk0p7 237 281 361431 83 Linux
/dev/block/mmcblk0p8 282 965 5494198+ c Win95 FAT32 (LBA)
Just in case any of that helps.
I have heard of partition two being /dev/block/mmcblk0p2 but that is not a directory, or at least it appears so to me, and I cannot get any files from it. I recall when the Nook was booting fine I did look into the rom folder and the serial number was there and was correct, but in Settings/About Tablet it was simply a string of zeros.
When I try to pull the rombackup.zip from p3, I get the error message "adb pull /dev/block/mmcblk0p3/rombackup.zip
remote object '/dev/block/mmcblk0p3/rombackup.zip' does not exist", so I am assuming I am barking up the wrong tree there.
When I flashed the repair zip there were no error messages and I am fairly certain it completed successfully, as I was not alarmed and simply tried to reboot it as normal. After I flashed the repair zip it would not boot into anything but recovery, and this is when the more serious issue (it seems to me) arose.
I probably am simply doing something wrong here; still the same situation on my end.
you have to mount the partitions...
rom should have been automatically mounted to /dev/block/mmcblk0p2 but you can try to manually do it:
adb shell busybox mount /dev/block/mmcblk0p2 /rom
adb shell mkdir /backup
adb shell busybox mount /dev/block/mmcblk0p3 /backup
adb pull /backup/rombackup.zip
unzip rombackup to a folder..
push the files to /rom/devconf
DizzyDen -
Thank you for telling me about the partition mounting. This explains a lot.
I had to create the /rom folder as it was not there. When I mounted it and did an ls -a command, in /rom there was only a BCB file. In /backup there was only factory.zip and an empty folder called lost+found. So there was no rombackup.zip for me to pull and extract.
sert57 said:
DizzyDen -
Thank you for telling me about the partition mounting. This explains a lot.
I had to create the /rom folder as it was not there. When I mounted it and did an ls -a command, in /rom there was only a BCB file. In /backup there was only factory.zip and an empty folder called lost+found. So there was no rombackup.zip for me to pull and extract.
That probably is why my repair failed. Try creating the SerialNumber file I mentioned in my last post and put it in the folder devconf. You may have to make that directory first. Mkdir /rom/devconf.
leapinlar said:
That probably is why my repair failed. Try creating the SerialNumber file I mentioned in my last post and put it in the folder devconf. You may have to make that directory first. Mkdir /rom/devconf.
I successfully created the file SerialNumber and it was 17 bytes. I moved it to /rom/devconf and looked at its permissions, and for some reason a chmod wouldn't let me remove rwx from others and x from user and group, so the permissions were rwxrwxrwx (not sure if this would create an issue). I tried to re-install the repair zip. The text displayed is:
(after finding, opening, and installing update)
Repair /rom partition (P2)
found /factory - be patient this could take a while
Done.
This is the same message I received earlier when I did this. So no failure message, but I guess it aborted or something. After this is done the devconf folder is gone. rom is still there and I mount it, and once mounted the only file in rom is the BCB file.
I did some testing and the SerialNumber file by itself is not enough to get it going. There are 16 others and one or more may be critical. I will keep playing and see if I can find which one it needs. I don't know why you don't have that backup file. It is really critical. I modified my partition 2 zip to give a little more information to the user.
Edit: I did some more testing and it booted only to recovery when I removed a file named BootCnt. It is a file with four bytes in it which are all null (00's). Try making one and pushing it to /rom/devconf and see if it will boot. There is also another file named BootCount also with four null characters, but it is still there and it is not booting to the rom. I think that is the one for 8 failed boots. (When I rebooted again it was ok, that file was back).
Edit2: I think I found it. There is a file named DeviceID that is identical to the SerialNumber file. When I delete that file it will no longer boot to a rom, only recovery. Try putting that file in /rom/devconf. I deleted everything in that folder but BootCnt and DeviceID and it booted to the rom.
Thank you so much!! The nook is finally able to boot successfully to a ROM. Major problem finished! I was originally intending to return it to stock, but I am not sure if that is now possible as I am missing all but 2 of the very important files. I'll give an update when I get closer to getting stock back. Hopefully it will work, but we will see. Thanks for helping me get at least this far.
I have a CWM flashable 1.4.3 stock zip here:
http://d01.megashares.com/index.php?d01=CiYdDmP
sert57 said:
Thank you so much!! The nook is finally able to boot successfully to a ROM. Major problem finished! I was originally intending to return it to stock, but I am not sure if that is now possible as I am missing all but 2 of the very important files. I'll give an update when I get closer to getting stock back. Hopefully it will work, but we will see. Thanks for helping me get at least this far.
I have a complete recovery.zip file available when I get my PC monitor working again... complete with info about what files are edited... and how to edit them
I think they are in my deposit files share
That would be spectacular if you could provide that. I'm still attempting leapinlars download ( 3 failed times, WiFi here is VERY slow right now). Let you know what happens.
So I installed 1.4.3 to the Nook. It got stuck at the silver n screen, so I did a volume up, power, and n button reset. After this it reset to factory and installed an update. It booted successfully to the stock firmware. Now when I try to register it, it is missing the model number and MAC address. I'm assuming I am just supposed to create the two files for the Nook and place them in /rom/devconf. Could some more assistance be had for me about what goes into the files and such? MAC address has been missing since the problem began, so that is nothing new, but this is the first time I've booted to stock that model number was not there.
Model number is BNRV200 in ModelNumber. Product ID begins with P11 and ends with a linefeed and is 11 bytes total in ProductID. Event Type is Manufactured in EventType. Date manufactured is just a date. Mine was 01/29/2011 in DateManufactured. Device attribute is New in DeviceAttribute for me. MAC address is a 12 digit number in hex in MACAddress. Main board serial number is a 12 digit alphanumeric number in MainboardSN. Mine starts with QI11M. Backlight is a 6 digit alphanumeric number in backlight. Mine is 1476AY. Ean is a 13 digit number in ean. Mine starts with 97814005. There is an empty Platform file. There is BootCnt and BootCount, both with four nulls (00). There is a SerialNumber file identical to DeviceID. There are three other files. WiFiBackupCalibration with 468 bytes, PublicKey with 333 bytes and HashOfPrivateKey with 28 bytes.
Some of these you can make and some you can put phony info in them. Others, I don't know.
Could you provide more info on obtaining the Mac address and how to write it? After that I should be good, but we will see.
[edit]
Installed CM7.2 and it was in the settings, so I copied it down and put it on the device. Reverting back to stock, I will see if it takes. I am assuming by your description the semicolons are not placed in the MACAddress file, so I did not do it.
[edit2]
Looks like all I need is the hashprivatekey. When I went to the factory area a few were null, but that one said Not Okay. Is there any way I can create this file? I tried registering but it would not, so I am assuming this is needed.
Unblock your private messaging on XDA. I want to send you a message. Or send me a private message with your email address in it.
Sent from my NookColor using Tapatalk
OK. It boots fine. When I register it will not let me, with the typical error. I look into the details and everything is green except battery percentage (which is low) and username, which is nonexistent. When I check the factory tab it says that the battery type and backlight are !null, so I don't think that would affect it. Besides that I have everything.
One more thing to try. You can reset some of your settings like wifi calibration, etc by following this procedure. It may just re-populate some of those files in devconf. Use the one that resets things. Back up devconf first though.
http://nookdevs.com/NookColor_Factory_Mode/Skip_Out_of_Box_Experience
Done that a few times. It doesn't really do anything but erase known wifi networks. Would the fact it's missing battery type and backlight mean anything for registration?
I would not think so. But I have a Nook Tablet that has different things in devconf, like BatteryType is MCNAIR and Backlight is 070B16730338ZN4AC15-4J8D6Y01577C5. (Notice it has a capital B in the name. I think I made a mistake in the earlier post.) The Tablet I think has the same screen as the newer Nook Colors.

[R&D][UNBRICKING] - Thread for trying to solve the OTA brick problem

Intro
Someone contacted me because of my work unbricking Amlogic tablets and sent me their bricked Nexus 7 2013 32GB Wifi version tablet. I have the same tablet and I’ve been exploring unbricking options and looking at the devices. I have not found a solution yet but I have found a lot of interesting things. I worked on several models of Ainol's AML8726-MX SoC tablets and unbricked them from various states, including having no signs of life and jumping some pins on the nand chip to get it recognized by the computer. Some tablets had similar problems to the Nexus when the bootloader was corrupted from a bad flash. The internal memory showed as zero in TWRP and the tablets wouldn't boot into the system. Checking debug logs showed the memory chip was not initializing. The Ainol tablets don't have a bootloader with a GUI but they did have an external SD card slot, so the tablet could boot from the SD card and run a "rescue flash". If that didn't work, Amlogic also had low-level USB Burning software to write to the tablet, although special files were needed and flashing was tricky.
I don’t know if we will be able to fix the Nexus tablets with this problem or if they are even fixable with the tools available but I’m providing all this information because I’m working on the problem in my spare time and maybe other people want to experiment with their bricked devices as well. There are a couple obvious routes to explore, one being Qualcomm's QPST and QFIL software, as well as other similar software programs for these chips, like the BoardDiag Tool. Another option is try and boot the tablet from a "rescue card" like I used for the Ainol tablets but to do it through an On-The-Go cable. Even if we don't unbrick any tablets, if anything, at least this thread might provide some documentation on the Nexus 7 2013 that doesn’t seem to be available elsewhere. I’ll keep updating this thread with new info and links to drivers, software, documentation and relevant websites. I’ll post what I’ve updated into the “Updates to this thread” section.
The problem
OTA update bricks device and we get one of the following scenarios:
Users can enter fastboot but can not flash, format or erase anything. Trying to start the device or boot into recovery gets stuck on the Google screen with the lock icon.
Same as above but when entering a recovery like TWRP, device hangs on the TWRP logo screen.
Users can not enter fastboot. Plugging the device into the computer shows QHSUSB_DLOAD in the device manager
Users can not enter fastboot. Plugging the device into the computer shows Qualcomm HS-USB QDLoader 9008 in the device manager
Users can not enter fastboot. Plugging the device into the computer shows Qualcomm HS-USB Diagnostics 9006 in the device manager
In 9006 mode the storage shows as Qualcomm MMC Storage USB Device in the Device Manager
---
Trying to flash or format in fastboot returns the following error:
Code:
FAILED <status read failed <Too many links>>
I’ve figured out a way to boot into TWRP and have started collecting logs and other information about the problem. I’ve also figured out the majority of fastboot oem commands which I’ll list below. The device is not initializing the MMC card when it starts up. In dmesg we can see the error:
Code:
mmc0: error -110 whilst initialising MMC card
Where on a working device we see:
Code:
mmc0: new HS200 MMC card at address 0001
mmcblk0: mmc0:0001 MMC32G 28.8 GiB
In the TWRP log we see:
Code:
E: Could not mount /data and unable to find crypto footer.
E: Unable to mount ‘/data’
E: Unable to recreate /data/media folder.
Updating partition details…
E: Unable to mount ‘/system’
E: Unable to mount ‘/data’
E: Unable to mount ‘/cache’
...done
E: Unable to mount storage
E: Unable to mount /data/media during GUI startup
E: Unable to mount ‘/cache’
Full SELinux support is present.
E: Unable to mount ‘/cache’
E: Unable to set emmc bootloader message.
E: Unable to mount ‘/cache’
E: Unable to mount /data/media/TWRP/ .twrps when trying to read settings file.
E: Unable to mount ‘/data’
MTP Enabled
Trying to wipe partitions or flash in TWRP fails because the card isn’t mounted at all and the partition table isn’t being read. Everything is running in the RAM and the only filesystems mounted are rootfs, tmpfs, devpts, proc, sysfs, selinuxfs and tmpfs.
Checking the partition table in fastboot using “fastboot oem gpt-info” does return the same results as a working device though. When booting into TWRP we can see “Nexus 7” as an MTP device but there is nothing on it. In Qualcomm’s 9006 Diagnostics mode we can see the device under disk drives in the device manager as Qualcomm MMC Storage USB Device but it doesn’t show up in Qualcomm’s 9008 Download mode. In disk management we can see it as an Unknown 28.81 GB Unallocated Disk. We can see the same thing in MiniTool Partition Wizard but neither Windows nor MiniTool can initialize or format the disk. In HDD Raw Copy Tool the device shows as Qualcomm MMC Storage with a capacity of 30.93 GB. I was unable to write a RAW image of mmcblk0.img using HDD Raw Copy Tool, getting the error “Write Error occured at offset 0 (1)”.
My Working Theory
Looking at both the most recent reports of the OTA brick and past reports, it seems like the problem occurs when there is a bootloader update packaged in with the firmware update. It is possible that the eMMC chip is fried because we've seen bugs in the past but I'm working on the assumption that it is not since the chip is recognized, shows the correct capacity and gets registered by the kernel. We can also see that persistent_ram has an uncorrectable error in the header and no valid data in the buffer. This could mean a bad eMMC chip but it could also mean the parts of the bootloader are gone or corrupt. It could also mean the GPT is bad.
We can also see that the device is always booting into ttyHSL0 mode which is the UART Serial Console mode for debugging. I don't know a lot about Qualcomm architecture but I do know that there are several modes including diagnostics, download and emergency download mode. It's possible that the tablet is stuck in one of these modes. I read through some Qualcomm documents and it mentions using the NPRGxxxx.hex file to flash your device but it also mentions that, if the chipset supports it, changing the name of the NPRGxxxx.hex file to eNPRGxxxx.hex "allows you to download new images to a mobile device that has an empty or currupt flash device." That function was implemented in 2008 though and I'm unsure if the implementation has changed at all.
Getting Started
I’m not going to cover any of the basics like installing ADB and Fastboot on your computer. This thread is intended for people who already have a working knowledge of using these tools and want to try and work on the bricking problem. If you don’t have that knowledge and would still like to experiment with your bricked device you can find lots of tutorials on XDA on how to install and use ADB and Fastboot.
I will mention a couple of things I ran into though. Since I hadn't been working on tablets for a while I wasn't able to use ADB in TWRP at first. I noticed that it only worked if I disabled MTP in the TWRP menu. However, updating the Android SDK solved this problem and the updated drivers allow both an MTP and an ADB connection at the same time.
There may also be times when you need to disable Windows Driver Signature Verification to be able to install unsigned drivers. Here is a link showing how to do it temporarily. There is also a way to disable it permanently which I think is to run the Command Prompt as Admin and type:
Code:
bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON
Lastly, you'll probably want to stop Windows from automatically installing drivers for new hardware. You can do that by right clicking on your computer and then going to "properties -> advanced system settings -> hardware -> device installation settings -> no let me choose what to do -> never install driver software from windows update". There are also guides with screenshots on how to do this if you Google it.
---
We can get into a recovery like TWRP by using the fastboot command:
Code:
fastboot boot twrp.img
If booting into recovery fails and you get stuck on the TWRP logo screen then go back to the bootloader and use the fastboot command:
Code:
fastboot oem reset-dev_info
---
To enter Qualcomm HS-USB QDLoader 9008 “download mode” you can hold down all three hardware buttons when the device is powered off and plugged in. You can also power down the device, hold the Vol+ and the Vol- buttons and then plug in the device. To enter Qualcomm HS-USB Diagnostics 9006 “diagnostic mode” you can press the power button repeatedly then wait around 30 seconds and see if it connects in the device manager. I don’t know what the speed you are supposed to press the button is but it seems to take at least 10 presses, sometimes more. You’ll have to test it out until you get used to doing it.
Tasks
Want to help out? Here are some things I'm working on. There's a good deal of research to do, so even if you don't have a working device you can help. If you have a device that you've totally given up on and are pretty much going to throw out but can still get into the bootloader, test those fastboot oem erase_ commands before tossing the tablet. It will be fastboot oem erase_"partition name". An example is fastboot oem erase_aboot. Just run through them and write down which ones work and which ones don't.
If someone with a bricked tablet has UART off in the bootloader and can boot into TWRP, please check "adb shell cat /proc/cmdline" and tell me if "console=ttyHSL0,115200,n8" is in the commandline. You can check if UART is on or off in the bootloader by using "fastboot getvar all".
Look into other APQ8064 devices to see if files relevant to QPST work. There is a list of devices below that have the same SoC but not the 1AA or FLO tag at the end. It's possible some of these files might work well enough to at least get the memory recognized.
Pull partition table from a working device and format it in partition.bin or partition.mbn for use in QPST.
Try to write partitions pulled from working device back to the tablet in fastboot.
Format partitions from a working device as .mbn files for QPST.
Pull first few raw GB from a bricked tablet and examine it to see if there is data present. If there is then it might mean that those partitions are corrupted and we can focus on writing working partitions back to those locations. Try with RAW copy tool and with dd.
Testing QPST software to resurrect the device. Will need more files first, need to structure them as .xml files necessary for the software.
Test "fastboot oem erase_" on other partitions.
Test "fastboot flash" of partitions that aren't normally included in a firmware update, like sb1.img, rpm.img, aboot.img, etc.
General Device Info
Here is a spreadsheet with all the partition info that I've pulled and sorted.
The Nexus 7 2013 is an APQ8064 1AA/FLO Snapdragon 600 series device that is advertised as a S4 Pro. The APQ8064–1AA is the WiFi version and APQ8064-FLO is the LTE version. The ASUS MeMO Pad FHD 10 ME302KL LTE also has the same SoC according to wiki. The platform board is listed as MSM8960 in most of the code.
Here are other devices with an APQ8064 soc but aren't listed as 1AA or FLO:
LG Optimus G
MDP / T
Xiaomi MI-2
Pantech Vega R3
Sharp Aquos Phone Zeta SH-02E
Oppo Find 5
Asus MeMO pad 10 LTE
Asus padfone 2
HTC J Butterfly
HTC Droid DNA
Nexus 4
HTC Butterfly
ZTE Nubia Z5
ZTE Nubia Z5 Mini
ZTE Grand S
Sony Xperia Z
Xperia ZL Sony
Sony Xperia ZR
Fujitsu Arrows S
Sony Xperia Tablet Z
LG Optimus GJ
Nexus 7 2013 Tablet’s Vendor ID is 18d1 and Hexadecimal Syntax is 0x18D1 (used in fastboot). The USB device IDs for different connections are:
Qualcomm HS-USB Diagnostics 9006 (COM3) - USB\VID_05C6&PID_9006&MI_00
Qualcomm HS-USB Diagnostics 9008 (COM4) - USB\VID_05C6&PID_9008
Android Bootloader Interface - USB\VID_18D1&PID_4EE0
Android ADB Interface - USB\VID_18D1&PID_D002
Serial Numbers I've seen are:
Bricked Device - SERIAL NUMBER 2143658709BADCFE ← According to HDD Raw Copy Tool
Bricked Device - SERIAL NUMBER 049973d5 ← According to adb get-serialno
Dumps, Unpacked Partitions and Other Files
Here is a link to a MediaFire folder with various files. So far I have:
Unpacked the 4.04 Bootloader
aboot.img
bootloader.img
rpm.img
sbl1.img
sbl2.img
sbl3.img
tz.img
Pulled all partitions from HDD Raw Copy Backup of a working device
aboot.img
abootb.img
boot.img
DDR.im
first_131071_sectors.img
fsg.img
m9kefs.img
m9kefs2.img
m9kefs3.img
m9kefsc.img
metadata.img
misc.img
modemst1.img
modemst2.img
pad.img
radio.img
recovery.img
rpm.img
rpmb.img
sbl1.img
sbl2.img
sbl2b.img
sbl3.img
sbl3b.img
ssd.img
tz.img
tzb.img
QPST Memory Debug Dump from a bricked device
CODERAM.BIN
CPU_REG.BIN
CPU0_WDT.BIN
CPU1_WDT.BIN
CPU2_WDT.BIN
CPU3_WDT.BIN
EBICS0.BIN
ETB_ERR.BIN
ETB_REG.BIN
IMEM_A.BIN
IMEM_C.BIN
load.cmm
LPASS.BIN
MM_IMEM.BIN
PMIC_PON.BIN
RPM_MSG.BIN
RPM_WDT.BIN
RST_STAT.BIN
SPS_BUFF.BIN
SPS_PIPE.BIN
SPS_RAM.BIN
Unpacked Radio partition from a working device
ACDB.MBN
APPS.MBN
DSP1.MBN
DSP2.MBN
DSP3.MBN
EFS1.MBN
EFS2.MBN
EFS3.MBN
MDM_ACDB.IMG
RPM.MBN
SBL1.MBN
SBL2.MBN
Fastboot Commands
Click To Show Content for examples of each command's usage, partitions that are accepted by a command and additional info.
Regular fastboot commands
Code:
fastboot update
Code:
fastboot update update.img
Code:
fastboot flashall
Code:
fastboot flash
Code:
fastboot flash aboot aboot.img ?
fastboot flash bootloader bootloader.img
fastboot flash rpm rpm.img ?
fastboot flash sbl1 sbl1.img ?
fastboot flash sbl2 sbl2.img ?
fastboot flash sbl3 sbl3.img ?
fastboot flash tz tz.img ?
fastboot flash boot boot.img
fastboot flash cache cache.img
fastboot flash recovery recovery.img
fastboot flash system system.img
fastboot flash userdata userdata.img
Code:
fastboot erase
Code:
fastboot erase all
fastboot erase boot
fastboot erase cache
fastboot erase recovery
fastboot erase system
fastboot erase userdata
Code:
fastboot format
Code:
fastboot format boot
fastboot format cache
fastboot format recovery
fastboot format system
fastboot format userdata
Example of advanced functions:
Code:
fastboot format cache:ext4:0x0000000023000000 cache
(hex value for 587202560 bytes (= 587 MB / 573440 don’t know what this value is but it equals a hex value of 008c000)
Code:
fastboot format cache:0x0000000023000000 cache
(skips fs type and uses default)
Code:
fastboot getvar
Code:
fastboot getvar all
fastboot getvar version-bootloader
fastboot getvar version-baseband
fastboot getvar version-hardware
fastboot getvar version-cdma
fastboot getvar variant
fastboot getvar serialno
fastboot getvar product
fastboot getvar secure_boot
fastboot getvar lock_state
fastboot getvar project
fastboot getvar off-mode-charge
fastboot getvar uart-on
fastboot getvar partition-type:<partition name>
fastboot getvar partition-size:<partition name>
Code:
fastboot continue
Code:
fastboot boot
Code:
fastboot boot recovery.img
fastboot boot boot.img
fastboot boot bootloader.img
Example of advanced functions:
Code:
fastboot boot <kernel> [ <ramdisk> [ <second> ] ]
Examples of booting the kernel and ramdisk:
Code:
fastboot boot zImage boot.img-ramdisk.cpio.gz
fastboot -c *cmdline* boot zImage boot.img-ramdisk.cpio.gz
Code:
fastboot flash:raw boot
Same command format as the advanced "fastboot boot" command:
Code:
fastboot flash:raw boot <kernel> [ <ramdisk> [ <second> ] ]
fastboot flash:raw boot zImage boot.img-ramdisk.cpio.gz
Code:
fastboot devices
fastboot continue
fastboot reboot
fastboot reboot-bootloader
fastboot help
Regular fastboot options that might be useful
-c <cmdline> override kernel commandline
Add -c followed by a kernel command. If more than one kernel command is in the line then they should have parenthesis around them like this "console=ttyHSL0,115200,n8 androidboot.hardware=flo". This is used for the "fastboot boot" command to boot into a kernel with different commandline parameters. Here are the kernel commandlines listed in /proc/cmdline:
Code:
console=ttyHSL0,115200,n8 androidboot.hardware=flo user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 androidboot.emmc=true androidboot.serialno=049973d5 bootreason=PowerKey fuse_info=Y ddr_vendor=hynix androidboot.baseband=apq asustek.hw_rev=rev_e androidboot.bootloader=FLO-04.04
-i <vendor id> specify a custom USB vendor id
Add -i and then the vendor id you want to use. The Nexus 7 vendor id is 18d1 and Hexadecimal Syntax is 0x18D1. Fastboot wants the Hex value:
Code:
-i 0x18D1
-b <base_addr> specify a custom kernel base address.
I haven't done this in long enough that I've forgotten how to use it. The default is 0x10000000 and the BOARD_KERNEL_BASE is listed as 0x80200000 in the Nexus code.
-n <page size> specify the nand page size.
The default value is 2048. Add -n and then the value you want to use:
Code:
-n 2048
-S <size>[K|M|G] automatically sparse files greater than size. 0 to disable.
I've never used this. If anyone has any insight, let me know.
fastboot oem commands
I extracted the aboot.img and used Notepad++ to look at the commands. I’m not sure what the variables are for some of them but I’m working on testing some things out. This is how I figured out “fastboot oem reset-dev_info” would allow “fastboot boot twrp.img” though.
Code:
fastboot oem unlock
fastboot oem lock
fastboot oem device-info
fastboot oem memtest_
fastboot oem gpt-info
fastboot oem fuse_blow
fastboot oem check-fuse
fastboot oem reset-dev_info
Code:
fastboot oem erase_
Usage is erase_<partition name>. I've only tested it on persist so far. I'm assuming this is for partitions that aren't supported by the regular "fastboot erase" command.
Code:
fastboot oem erase_persist
Code:
fastboot oem off-mode-charge 1
fastboot oem off-mode-charge 0
fastboot oem uart-on
fastboot oem uart-off
Links
Drivers and Software
Qualcomm Drivers - The one marked 2012 seems to be the newest I could find and is the one I've been using the most.
Qualcomm Product Support Tools (QPST)
Qualcomm Documents
HDD Raw Copy Tool
Nexus 5 Boarddiag Tool
EFS Professional
Links to relevant threads
[REF][R&D] MSM8960 Info, Architecture and Bootloader(s)
[DEV][REF] El Grande Partition Table Reference
Logs
All logs posted to Pastebin.
Fastboot Logs
Nexus 7 2013 - fastboot getvar all
Nexus 7 2013 - fastboot oem gpt-info
ADB Logs
Nexus 7 2013 - Big Collection of Partition Info
Nexus 7 2013 - mmc error - kernel log snippet
Nexus 7 2013 - Bricked Tablet - dmesg
Nexus 7 2013 - Working Tablet - dmesg
Nexus 7 2013 - Bricked Tablet - last_kmsg
Nexus 7 2013 - Working Tablet - last_kmsg
Nexus 7 2013 - Bricked Tablet - Recovery Log
Nexus 7 2013 - Working Tablet - Recovery Log
Nexus 7 2013 - adb shell dmesg | grep mmc0
Nexus 7 2013 - adb shell cat /proc/devices
Nexus 7 2013 - adb shell tail ./etc/fstab
Nexus 7 2013 - adb shell tail ./etc/recovery.fstab
Nexus 7 2013 - adb shell mount
Nexus 7 2013 - adb shell df
Nexus 7 2013 - adb shell cat /proc/cmdline
Nexus 7 2013 - adb shell ls /dev/block
Nexus 7 2013 - adb shell cat /proc/partitions
Updates to this thread
1/24/2015
- Added a link to a spreadsheet with partition info to the original post under "General Info".
- Added a section to the original post for files. Added a link to a MediaFire folder with QPST memory debug of a bricked device as well as dumped and unpacked partitions from a working device. Listed all files in each folder.
- Added another build of the QPST software to the MediaFire folder.
- Edited "Tasks" in original post.
6/01/2015
- Added info on how to pull a full raw backup of a working Nexus 7.
- Added all fastboot and adb logs I have.
- Added more documents to the MediaFire folder.
05/28/2015
- Added a working theory to the initial post.
05/26/2015
- Added more info to the Intro section and the Problem section.
- Formatted the Fastboot Command section differently.
05/25/2015
- Added links to drivers, software and relevant websites.
- Added Qualcomm Documents to the links section.
- Added info about driver installation to the Getting Started section.
- Added a list of other APQ8064 devices.
- Reformatting some things to look better. I'll keep working on it.
05/24/2015
- Initial Post
Reserved
Reserved for if there is ever a solution.
I extracted all the partitions in RAW format today. I'll add some more detailed info here in the near future on how I did it but I used software called DiskInternals Linux Reader.
-----
Update: The info on how to make a full RAW backup of the entire device without having an external SD card to save it to can be found in this thread. I made some adjustments for the Nexus 7 and I did it all in Cygwin.
To make device backup in Cygwin and TWRP open a terminal and do this:
Code:
adb forward tcp:5555 tcp:5555
adb shell
/sbin/busybox nc -l -p 5555 -e /sbin/busybox dd if=/dev/block/mmcblk0
Then open a second Cygwin Terminal and do this:
Code:
adb forward tcp:5555 tcp:5555
cd /nexus
nc 127.0.0.1 5555 | pv -i 0.5 > mmcblk0.img
You can then mount the image you pulled with DiskInternals Linux Reader. It will show you all of the individual partitions, all of the unallocated gaps between partitions and some info about each one. You can open the EXT4 partitions like /system to explore them and you can also open the radio.img and see everything inside. You can then save all the partitions as individual images. This method doesn't work with the bricked tablet. I'm building a spreadsheet with info on all the partitions.
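As an added example (not part of the original post, and not a tool from this thread): a check of the primary GPT in a raw image such as the mmcblk0.img pulled above, verifying the header and entry-array CRC32s and listing the partitions. The function names are hypothetical, 512-byte sectors are assumed, and the sample image is constructed in memory.

```python
import struct
import zlib

SECTOR = 512                      # assumption: 512-byte logical sectors
HDR_FMT = "<8sIIIIQQQQ16sQIII"    # 92-byte GPT header
ENT_FMT = "<16s16sQQQ72s"         # 128-byte partition entry


def check_gpt(image):
    """Validate the primary GPT in a raw disk image (the backup copy at the
    end of the disk is not examined); return errors and partitions."""
    report = {"errors": [], "partitions": []}
    if len(image) < 2 * SECTOR:
        report["errors"].append("image shorter than two sectors")
        return report
    if image[510:512] != b"\x55\xaa":
        report["errors"].append("no MBR boot signature at LBA 0")
    (sig, _rev, hdr_size, hdr_crc, _rsvd, _cur, _backup, first_ok, last_ok,
     _guid, ent_lba, ent_count, ent_size, ent_crc) = struct.unpack(
        HDR_FMT, image[SECTOR:SECTOR + 92])
    if sig != b"EFI PART":
        report["errors"].append("GPT signature missing at LBA 1")
        return report
    if not 92 <= hdr_size <= SECTOR or ent_size < 128:
        report["errors"].append("implausible header or entry size")
        return report
    # The header CRC32 covers hdr_size bytes with the CRC field itself zeroed.
    hdr = bytearray(image[SECTOR:SECTOR + hdr_size])
    hdr[16:20] = b"\x00" * 4
    if zlib.crc32(bytes(hdr)) != hdr_crc:
        report["errors"].append("header CRC32 mismatch")
    table = image[ent_lba * SECTOR:ent_lba * SECTOR + ent_count * ent_size]
    if len(table) < ent_count * ent_size:
        report["errors"].append("partition entry array truncated")
        return report
    if zlib.crc32(table) != ent_crc:
        report["errors"].append("partition entry array CRC32 mismatch")
    for i in range(ent_count):
        entry = table[i * ent_size:i * ent_size + 128]
        type_guid, _uid, first, last, _attrs, raw_name = struct.unpack(
            ENT_FMT, entry)
        if type_guid == b"\x00" * 16:          # unused slot
            continue
        name = raw_name.decode("utf-16-le", errors="replace").split("\x00")[0]
        if not first_ok <= first <= last <= last_ok:
            report["errors"].append(
                "%s: LBA range %d-%d outside usable area" % (name, first, last))
        report["partitions"].append(
            {"name": name, "first_lba": first, "last_lba": last,
             "size_bytes": (last - first + 1) * SECTOR})
    return report


def build_sample_image(parts, total_lba=128, ent_count=8):
    """Constructed sample: a small GPT image holding (name, first, last) entries."""
    img = bytearray(total_lba * SECTOR)
    img[510:512] = b"\x55\xaa"
    table = bytearray(ent_count * 128)
    for i, (name, first, last) in enumerate(parts):
        table[i * 128:(i + 1) * 128] = struct.pack(
            ENT_FMT, bytes([i + 1]) * 16, bytes([0x80 + i]) * 16,
            first, last, 0, name.encode("utf-16-le"))
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, total_lba - 1, 4,
              total_lba - 4, b"\x11" * 16, 2, ent_count, 128,
              zlib.crc32(bytes(table))]
    fields[3] = zlib.crc32(struct.pack(HDR_FMT, *fields))   # header CRC
    img[SECTOR:SECTOR + 92] = struct.pack(HDR_FMT, *fields)
    img[2 * SECTOR:2 * SECTOR + len(table)] = table
    return bytes(img)


if __name__ == "__main__":
    good = build_sample_image([("sbl1", 4, 11), ("aboot", 12, 27), ("boot", 28, 59)])
    for label, img in (("intact", good), ("erased", bytes(len(good)))):
        rep = check_gpt(img)
        print(label, rep["errors"] or "GPT OK",
              [p["name"] for p in rep["partitions"]])
```

For a real dump, pass the start of the image, for instance `check_gpt(open("mmcblk0.img", "rb").read(1 << 20))`, assuming the entry array sits within the first 1 MiB.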
fuser-invent said:
I extracted all the partitions in RAW format today. I'll add some more detailed info here in the near future on how I did it but I used software called DiskInternals Linux Reader.
From a working or an OTA-bricked device?
MattG987 said:
From a working or an OTA-bricked device?
I pulled them all from a working device so I can try to write them back to the bricked device but also so I can try and make the flash programming files for use in QFIL. On another note the bricked devices can show up in the Windows file manager as a single small partition with a list of files. I found out today that those files are the contents of the radio partition. I have a folder with those files from a bricked and working device now and I'll do a hex comparison to see if they are still all intact on the bricked device. That also means the FAT partition at the very beginning of the eMMC chip is still there and working, so the whole chip isn't "dead".
Hi fuser-invent,
Thank you for your job.
Do you have any solution to write a stock rom to flash memory ?
Lollipop OTA bricked my Nexus 7 2013. Several people reporting this problem.
I can't unlock bootloader and adb sideload not work.
Thanks.
yodtc said:
Hi fuser-invent,
Thank you for your job.
Do you have any solution to write a stock rom to flash memory ?
Lollipop OTA bricked my Nexus 7 2013. Several people reporting this problem.
I can't unlock bootloader and adb sideload not work.
Thanks.
Still working on it but my job suddenly got really, really busy. Hoping to get back into it after the holiday rush. I wish there were other people trying to work on this problem too though.
Sent from my iPhone using Tapatalk
I just received a new Nexus 7 on 5.1.1
It isn't bricked but when I flash TWRP it shows all the unable to mount errors in your first post and I can't access the sdcard. When I use the TWRP option to boot to system it says there's no OS installed but it does boot into android. I flashed the 6.0 img without any issues. Still the same problem with TWRP.
I've never had any issues like this before.
Andrew025 said:
I just received a new Nexus 7 on 5.1.1
It isn't bricked but when I flash TWRP it shows all the unable to mount errors in your first post and I can't access the sdcard. When I use the TWRP option to boot to system it says there's no OS installed but it does boot into android. I flashed the 6.0 img without any issues. Still the same problem with TWRP.
I've never had any issues like this before.
Have you tried the multi-rom TWRP that fixes the mount point problems?
autocon said:
Have you tried the multi-rom TWRP that fixes the mount point problems?
No, I wasn't aware of that until you mentioned it.
Thanks for the suggestion. I'll give it a shot when I have a chance. Should probably fix it since apparently the devices that shipped with 5.0 have the issue.
Andrew025 said:
No, I wasn't aware of that until you mentioned it.
Thanks for the suggestion. I'll give it a shot when I have a chance. Should probably fix it since apparently the devices that shipped with 5.0 have the issue.
I've the same issue and used the Multirom to workaround, but what about ROMs that say "use the latest version of TWRP" ?
If this is a software-caused problem, has the Android team been notified with a bug report or something?
As owner of 2 N7 2013 devices, one of them bricked, I would like to thank you for your work and time.
I find this thread very instructive and I think I will try to follow the leads you provided and try to get my device back to life.
Alas, much study is needed on my part!
I also found some info that may or may not be useful here:
github.com/aureljared/unbrick_8960
I hope I can find and share something useful, and wish you all good luck!
N7 2013 32GB Bricked
I look forward to doing some testing my self with this tablet... Problem is, my bootloader is locked and I can't unlock it since it won't format the internal storage... can't even boot into TWRP because of that.
Anyway, I'm very interested in using DD to flash the partitions at some point if that's available. I can also get into download mode, so using the qualcomm utility to write that way. It's just sitting here, waiting to be revived!
Following the instructions above, I could get to the point where I have the partitions of the working device.
I can also put both devices in 9008 mode, and the bricked device only in 9006 mode also. Although windows registers it as diagnostic mode, QPST is reading both 9008 and 9006 as Download Mode, and does not allow me to backup the working device.
So, as far as QPST goes, I'm kind of stuck.
But, reading what I found in github.com/aureljared/unbrick_8960 I might still have a chance: I just have to understand how to set up the files that are needed though...
Wish you all a good day!
orzem said:
Following the instructions above, I could get to the point where I have the partitions of the working device.
I can also put both devices in 9008 mode, and the bricked device only in 9006 mode also. Although windows registers it as diagnostic mode, QPST is reading both 9008 and 9006 as Download Mode, and does not allow me to backup the working device.
So, as far as QPST goes, I'm kind of stuck.
But, reading what I found in github.com/aureljared/unbrick_8960 I might still have a chance: I just have to understand how to set up the files that are needed though...
Wish you all a good day!
I think we need to build our own flashing files using aureljared's method. I have a ton of partitions and data ripped. I'll try to upload it soon so everyone has access to experiment with.
Sent from my iPhone using Tapatalk
Yes, I think so too. Also considering the fact that those scripts are much more understandable than a closed source program, even to me and my scarce knowledge.
Just a thought: why try and rebuild the partition table and then copy each partition in its place? Wouldn't it be much easier to just "dd" the working device in one single file and then "dd" it back on the bricked one?
Of course, IF (and only if) the hex and mbn provided by aureljared succeed in switching the device into Streaming Protocol and let us actually write to memory.
If there's anything I can do, I'll be glad to do it.
Have a nice day!

Complete Partition Backup Script

After trying to install the March security patch and revert to stock, my XT1644 changed from a Moto G4 Plus to a Moto G4 without fingerprints etc.
I learned after the fact that my TWRP backup only backed up 3 partitions of my phone's 48 partitions (only 4 were offered on the first version of TWRP I tried). Reflashing all ROMS, including npjs25-93-14-4 via fastboot does not help. I have since found the solution. The hw partition had become corrupted.
Because of this issue, I wrote a script which dumps all partitions (by default only partitions of 102400 blocks or less). It writes a summary to a file called partitions.txt which includes checksums of all partitions. It also writes the output from getprop to build.prop. It writes everything to a sub directory of wherever the script is uploaded to.
The options are as follows:
Code:
#adb shell /data/media/0/PartitionImages/backupPartitions.sh -h
Usage /data/media/0/PartitionImages/backupPartitions.sh [-z] [-b MaxBlocks] [-n partition1 ] [-n partition2 ]
options:
-z optional to tar.gz the output folder default=false
-b 102400 optional maximum number of blocks of the partition - 0 will dump all partitions default=102400
-n partitionName... optional - one or more partitions to dump
To do this, all you need is an unlocked bootloader and ADB debugging turned on.
The steps are as follows:
1) Boot into TWRP Recovery
2) Run the following commands via ADB to prepare the backup (note /data/media/0/ can be substituted for /sdcard if you have one)
Code:
adb shell mkdir /data/media/0/PartitionImages
adb push .\backupPartitions.sh /data/media/0/PartitionImages/backupPartitions.sh
adb shell chmod 0755 /data/media/0/PartitionImages/backupPartitions.sh
3) Perform the backup (see options above if you want a full backup or a more limited backup)
Code:
adb shell /data/media/0/PartitionImages/backupPartitions.sh
4) Copy the results back to your computer
Code:
adb pull /data/media/0/PartitionImages .\PartitionImages
Try to flash twrp and clear internal memory as well
And after that flash dec security version of android 7..
dont try to lock the bootloader.
It worked for me ...
Best of luck
Resolved!
As posted on a related thread I just found, I have resolved the issue:
Moto G4 Plus's Model changed to G4,lost one imei and finger print.
Excellent tool, thank you very much.
So, in the unlucky case that i would lose fingerprint scanner, etc. due to bootloader downgrade or whatsoever that causes it. if i flash my previously backuped (with your script) hw.img partition with ' fastboot flash hw hw.img ', my device will be recognized as a Moto G4 plus?
And features like fingerprint, network, will be in working condition again?
I think that your script is a "must have" for every flashaholic that owns a G4 Plus. I did the backup, just in case. Thanks for sharing it.
moonlightdrive said:
Excellent tool, thank you very much.
So, in the unlucky case that I would lose the fingerprint scanner, etc. due to a bootloader downgrade or whatever causes it: if I flash my previously backed-up (with your script) hw.img partition with 'fastboot flash hw hw.img', will my device be recognized as a Moto G4 Plus?
And will features like fingerprint and network be in working condition again?
I think that your script is a "must have" for every flashaholic that owns a G4 Plus. I did the backup, just in case. Thanks for sharing it.
That is the idea yes, but I haven't tested restoring anything - only done a binary patch of the first little bit of that partition - using dd. I wrote it mostly to get the MD5s of each partition from someone with a working phone so I could start looking for differences. There are lots of more professional backup tools out there which are likely all just wrappers around dd - but this will likely do the job with very basic requirements.
Nice work mate :good: @givitago
Guys, I don't understand what to do. Please help me. Can you describe in detail the steps to get back my Moto G4 Plus fingerprint? Can you make a video or explain this?
Can anyone upload a full backup of their Moto G4 Plus? It would be really helpful, because the 201-1 (aka June security patch) update totally bricked my phone, and since then there is no bootloader and nothing else on my phone. The blankflash method is also not working. So could I somehow use your backup as eMMC and bring my phone back to life? Thanks.
Hello,
Please help me, my Moto G4 Plus is dead after the Nougat update; only the white LED is blinking.
I have tried blankflash also, but same issue...
The error is:
Motorola qboot utility version 3.40
[ -0.000] Opening device: \\.\COM3
[ 0.001] Detecting device
[ 0.003] ...cpu.id = 2418 (0x972)
[ 0.003] ...cpu.sn = 30871031 (0x1d70df7)
[ 0.004] Opening singleimage
[ 0.012] Loading package
[ 0.016] ...filename = singleimage.pkg.xml
[ 0.018] Loading programmer
[ 0.019] ...filename = programmer.mbn
[ 0.019] Sending programmer
[ 0.240] Handling things over to programmer
[ 0.240] Identifying CPU version
[ 0.246] Waiting for firehose to get ready
[ 60.377] Waiting for firehose to get ready
[120.466] ...MSM8952 unknown
[120.466] Determining target secure state
[120.469] Waiting for firehose to get ready
[180.546] ...secure = no
[180.584] Flashing GPT...
[180.601] Flashing partition:0 with gpt_main0.bin
[180.602] Initializing storage
[180.606] Waiting for firehose to get ready
[240.617] Configuring device...
[240.622] Waiting for firehose to get ready
[300.634] Waiting for firehose to get ready
[360.651] Waiting for firehose to get ready
[420.661] Waiting for firehose to get ready
[480.668] ERROR: do_package()->do_recipe()->do_flash()->gpt_flash()->get_storage
()->init_storage()->firehose_do_fmt()->do_recipe()->do_configure()->buffer_read(
)->device_read()->IO error
[480.668] Check qboot_log.txt for more details
[480.668] Total time: 480.668s
FAILED: qb_flash_singleimage()->do_package()->do_recipe()->do_flash()->gpt_flash
()->get_storage()->init_storage()->firehose_do_fmt()->do_recipe()->do_configure(
)->buffer_read()->device_read()->IO error
please help
Hi, is there any hardware partition for camera and flashlight? Because my device's camera hardware is good, but the camera is not opening. Camera says "camera is busy", and the flashlight option is missing from my device, and it says flashlight not detected in the flashlight app. I had the same issue for network and fingerprint. It was solved via the hw partition image. Is there any hardware partition for the camera also? If there is, please include it in this thread...
Aashakmeeran said:
Hi, is there any hardware partition for camera and flashlight? Because my device's camera hardware is good, but the camera is not opening. Camera says "camera is busy", and the flashlight option is missing from my device, and it says flashlight not detected in the flashlight app. I had the same issue for network and fingerprint. It was solved via the hw partition image. Is there any hardware partition for the camera also? If there is, please include it in this thread...
This can be software related or hardware issue.. not any partition related..
For Hardware*
I don't know anything.. you can see fixing videos or go to service center..
For software* (two methods)
1) Try this app, https://f-droid.org/en/packages/info.aario.killcamera/
2) reflash ROM, try different ROM.
3) this is hardware issue.
Do you know if it was working before you flashed ROM and device changed to normal G4..??
____Mdd said:
This can be software related or hardware issue.. not any partition related..
For Hardware*
I don't know anything.. you can see fixing videos or go to service center..
For software* (two methods)
1) Try this app, https://f-droid.org/en/packages/info.aario.killcamera/
2) reflash ROM, try different ROM.
3) this is hardware issue.
Do you know if it was working before you flashed ROM and device changed to normal G4..??
Ya it works fine before the name I got g(4) but after doing frp flash it is not getting. Even the flashlight also not works.
Aashakmeeran said:
Ya it works fine before the name I got g(4) but after doing frp flash it is not getting. Even the flashlight also not works.
Tried app i mentioned ?
Tried reflashing other/stock rom?
If still not working, it's definitely hardware issue, because others with same issue (g4plus > g4) haven't reported any camera problem.
If you know hardware stuff, then go and check it. Otherwise service centers are best choice..
____Mdd said:
Tried app i mentioned ?
Tried reflashing other/stock rom?
If still not working, it's definitely hardware issue, because others with same issue (g4plus > g4) haven't reported any camera problem.
If you know hardware stuff, then go and check it. Otherwise service centers are best choice..
That app needs root, it seems. So the root process is going on. I'll try my best, and thank you :good:
By doing this I lost my IMEI number. Please help :crying: anyone
Hey bro, can you please explain this to me? My Moto G4 Plus isn't accepting the new hw image.

[Tutorial] Custom boot logo on 8227L head units

Greetings,
I'm new to these forums, but have been into the Android development/customization scene since the original Motorola Droid. I recently purchased one of the (in)famous Chinese 8227L head units and have started doing some things to it. I was surprised to find that there are a lot more people out there with questions than answers when it comes to these things. So I figured I'd introduce myself with a quick tutorial, a small utility release for now. I have work in progress on a ROM release for these things. There are quite a few issues to get past as well as different boards to account for, so stay tuned for that sometime in the coming weeks. For now, let's get started with customizing the boot screen.
One of the simplest, yet most satisfying modifications one can do to any Android device is changing the logo image that is displayed when the unit boots. For units like ours, running MediaTek hardware, there are a couple of extra steps involved, but the process is still very simple. I was able to find a few different utilities that could be downloaded online to do this, but none of them seemed to work for these head units. I suspect our units use a slightly different header than the MediaTek phones those utilities are designed for, but that is a technical issue beyond the scope of this tutorial.
Disclaimer: These steps have been tested repeatedly on my device, and it's my assumption that they will work on any head unit based on the ac8227l, but I have obviously not tested every single one of them. There is always an inherent risk when you modify the software on any device that you own. This risk is your own, and I am not responsible for any damage you do to your device by following this tutorial!
Your unit does not need to be rooted to do this mod, but you will need to have the bootloader unlocked.
Pre-requisites:
logo.bin file from your ROM backup (You DO have a backup, don't you?)
Ability to read and follow directions
Access to a Linux command line OR the ability to run python applications on your system
SP Flash Tool or one of its equivalents, or a custom recovery installed, such as TWRP.
The boot logo is contained in the logo.bin file from your ROM. More accurately, the logo.bin file IS the boot logo for your ROM, with a 512 byte header attached to it. We need to separate the two in order to change the image that gets displayed.
This can be done very simply from the linux command line via the following command:
Code:
dd if=logo.bin of=logo.bmp skip=1
This command simply reads in the logo.bin file and writes it back out after skipping the first 512 bytes. dd has an optional argument bs= which stands for block size. It defaults to 512 bytes. So the skip=1 is simply telling dd to skip the first 512 bytes when it writes the file back out. The result is a 1024x600 pixel bitmap image. However, we're going to need that header in a later step, so write it out to its own file using:
Code:
dd if=logo.bin of=header.bin count=1
This command simply writes the first block (remember block size is 512 bytes by default) out to a file and then stops, so we have our 512 byte header saved for later.
Now, you can either edit the logo.bmp file or replace it with your own image file. However you do it, just ensure that you end up with a 1024x600 pixel bitmap image in 8-bit RGB color. The following steps assume we have generated such an image in the same directory we were just working in, and named it newlogo.bmp. To join the header file to your new image, use the following command:
Code:
cat header.bin newlogo.bmp > newlogo.bin
This command concatenates (puts together) the two files back into one file. The order is important. The header needs to be at the start of the resulting file, so it must be the first argument you pass to cat! The resulting newlogo.bin is ready to be flashed to your head unit. Congratulations, enjoy your new boot screen! If you save the header.bin file, you can always use it to make more boot logos later.
Alternative method for Windows users or Linux users who would prefer to have a utility:
I have written a simple command line utility in python to do this process for you. You will need to have python installed to utilize it. It's written in python 3.8 but will work on some earlier versions, I think. You can get it from my github repository at https://github.com/threadreaper/logobin.git or from your command prompt using the PyPi repository through pip3. pip3 should be installed automatically when you install python 3. Use this command to fetch the utility:
Code:
pip3 install logobin
If you've elected to clone the git repository instead of using PyPi, you need to cd to the directory you downloaded it to (this should be the directory with the setup.py file) and install using:
Code:
pip3 install .
Whichever method you used, if everything went correctly, the "logobin" utility should now be available to you from your command line. To unpack an existing logo.bin image:
Code:
logobin -u logo.bin
And to pack an image with a header file back into a flashable bin file:
Code:
logobin -p header.bin logo.bmp (filename)
The filename argument above is optional and defaults to logo.bin if you don't select one. The utility can also be used to check a file for the presence of a valid header, using the -c switch:
Code:
logobin -c logo.bin
In this manner, you can check your stock logo.bin file to make sure it will work with this method before you start. You can also use it to check an extracted header to make sure it's correct, and you may also want to use it to verify that your logo.bin file has been packed correctly before you flash it to your phone.
I have attempted to make both the utility and this tutorial as simple to follow as possible, but if you have any questions, feel free to ask.
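The split and rejoin steps from the tutorial above, as an added Python example (this is not the logobin utility or code from the original post). It keeps the 512-byte header as opaque bytes, reads the standard BMP header fields of the payload, and refuses to pack an image whose dimensions, pixel format or declared length differ from the stock image; that last check, the function names and the sample data are assumptions of this example.

```python
"""Split, check and repack a head-unit logo.bin: 512-byte header + BMP image.

Added example, not the logobin utility. The header is kept as opaque bytes.
"""
import struct

HEADER_SIZE = 512            # per the tutorial (dd's default block size)
EXPECTED_SIZE = (1024, 600)  # per the tutorial


def bmp_info(bmp):
    """Read the fields of a standard BMP file header + BITMAPINFOHEADER."""
    if len(bmp) < 54 or bmp[:2] != b"BM":
        raise ValueError("payload does not start with a BMP header ('BM')")
    (declared,) = struct.unpack_from("<I", bmp, 2)
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", bmp, 18)
    if len(bmp) < declared:
        raise ValueError(f"BMP truncated: {len(bmp)} bytes, header says {declared}")
    return {"width": width, "height": abs(height), "bpp": bpp,
            "compression": compression, "declared": declared,
            "trailing": len(bmp) - declared}


def split_logo(logo):
    """Equivalent of the two dd commands: returns (header, image payload)."""
    if len(logo) <= HEADER_SIZE:
        raise ValueError("file is not longer than the 512-byte header")
    return logo[:HEADER_SIZE], logo[HEADER_SIZE:]


def check_replacement(stock_bmp, new_bmp):
    """List reasons the new image differs from the stock one (empty = OK)."""
    old, new = bmp_info(stock_bmp), bmp_info(new_bmp)
    problems = []
    if (new["width"], new["height"]) != EXPECTED_SIZE:
        problems.append(f"size is {new['width']}x{new['height']}, expected 1024x600")
    # Conservative assumption: the header is reused byte-for-byte, so the new
    # image should match the stock image's pixel format and declared length.
    for field in ("bpp", "compression", "declared"):
        if new[field] != old[field]:
            problems.append(f"{field}: stock={old[field]} new={new[field]}")
    return problems


def pack_logo(header, new_bmp, stock_bmp):
    """Equivalent of `cat header.bin newlogo.bmp`, refusing mismatched input."""
    if len(header) != HEADER_SIZE:
        raise ValueError(f"header must be {HEADER_SIZE} bytes, got {len(header)}")
    problems = check_replacement(stock_bmp, new_bmp)
    if problems:
        raise ValueError("refusing to pack: " + "; ".join(problems))
    return header + new_bmp


def make_bmp(width, height, bpp=24, fill=0):
    """Build an uncompressed BMP in memory (constructed sample data)."""
    row = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    pixels = bytes([fill]) * (row * height)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                      len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib + pixels


if __name__ == "__main__":
    # Constructed stand-ins for a real dump: placeholder header + blank image.
    header = bytes(range(256)) * 2
    stock = make_bmp(1024, 600)
    hdr, bmp = split_logo(header + stock)
    print("stock image:", bmp_info(bmp))
    print("800x480 replacement:", check_replacement(bmp, make_bmp(800, 480)))
    new_logo = pack_logo(hdr, make_bmp(1024, 600, fill=0x40), bmp)
    print("packed", len(new_logo), "bytes; header preserved:", new_logo[:512] == header)
```

On real files, read logo.bin and the new image with `open(path, "rb").read()` and write the result of `pack_logo` back out in binary mode.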
Excellent tutorial? I have a non-rooted Enon 8227 unit and I'm having problems with it. Could you be so kind as to point me to a tutorial to make a ROM backup, please? All the stuff in my unit is blocked and I can't change almost anything.
Thank you.
Good day sir.
Could you guide me as to how to extract the logo.bin file please? I couldn't really find it.
I have a PX6 STM32 device.
Thanks!
arturojgt said:
Excellent tutorial? I have a non-rooted Enon 8227 unit and I'm having problems with it. Could you be so kind as to point me to a tutorial to make a ROM backup, please? All the stuff in my unit is blocked and I can't change almost anything.
Thank you.
I'm planning to do a full tutorial on this too, but the short version is as follows:
Get SP Flashtool, and find a scatter file that will work for your device. That can be difficult sometimes, as there is quite a bit of variance between units. Fortunately, to make your initial backup the only info you need in your scatter file is for the preloader, and as far as I know that is always the same. So if you don't already have a scatter file, copy this:
Code:
#########################################__WwR_MTK_2.50__###################################################
#
# General Setting
#
#########################################__WwR_MTK_2.50__###################################################
- general: MTK_PLATFORM_CFG
  info:
    - config_version: V1.1.2
      platform: MT3367
      project: 8227l_demo
      storage: EMMC
      boot_channel: MSDC_0
      block_size: 0x20000
############################################################################################################
#
# Layout Setting
#
############################################################################################################
- partition_index: SYS0
  partition_name: preloader
  file_name: preloader_8227l_demo.bin
  is_download: true
  type: SV5_BL_BIN
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: BOOTLOADERS
  is_upgradable: true
  empty_boot_needed: false
  reserve: 0x00
And save it as scatter.txt
Select this file as your scatter file in SP Flashtool, and click on the memory test tab. Uncheck all the options under memory test except for RAM test. Remove external power from the unit entirely, click start on the memory test, and then connect the 4 pin usb to your PC. It should sync up and do the memory test. Once the memory test is complete you will have the sizes of BOOT_1, BOOT_2 and EMMC_USER. Use these values with the readback option to make your backup. Use 0x0 as the start address each time, and the size value you got from the memory test. Back up BOOT_1, BOOT_2 and EMMC_USER and save them somewhere. This is the most basic backup that you can always use to go back to stock. Using tools like MTK Droid Tools and WWR MTK it is possible to split EMMC_USER backup into all of your separate partition backups.
Good luck, and keep an eye out for a more detailed walkthrough coming up soon!
kingdew11 said:
Good day sir.
Could you guide me as to how to extract the logo.bin file please? I couldn't really find it.
I have a PX6 STM32 device.
Thanks!
See my reply above about making a backup of your device. You get your logo.bin file from the extracted backup.
Please add your PayPal account to your xda so we can buy you some beer for the amazing work you're doing
zetlaw01 said:
Please add your PayPal account to your xda so we can buy you some beer for the amazing work you're doing
I don't drink beer, but you can always buy me a coffee
Thanks for information.
I want to back up with Flashtool or a similar program, is that possible?
And how do I root?
thank you
bicer79 said:
Thanks for information.
I want to back up with Flashtool or a similar program, is that possible?
And how do I root?
thank you
I posted instructions on backing up a unit two posts above your reply ^^. To root, find a compatible twrp image and flash it, then install magisk from twrp. I will be doing more detailed tutorials on these steps in the near future, but as I mentioned there is a crash course on SP-flashtool backup in this very thread, and the root process is pretty much the same for these units as it is for many others, assuming you find a working twrp image for your particular device, so you shouldn't have too much trouble finding a walkthrough if you need one.
did you build twrp from source or port it for your device?
I was able to build TWRP from source, but I haven't released it due to some rather annoying bugs I haven't had time to sort out with it just yet.
threadreaper said:
I was able to build TWRP from source, but I haven't released it due to some rather annoying bugs I haven't had time to sort out with it just yet.
which bugs?
I am so delighted to see someone hitting on the hot iron. Looking forward to the detailed tutorial to take backup, unlock bootloader, customize my radio.
