Database Users

[Q] Semi-Bricked Device Fix

So, prior to my stupidity, I made a system.img dump via dd
However, after my stupidity (tried flashing some lib files....), I am now stuck with only stock recovery mode, or download mode.
How can I flash back my system.img? I tried in download mode with heimdall... but it fails with
Code:
[email protected]:/media/MediaTwo/MyRom# heimdall flash --verbose --no-reboot --SYSTEM system.img
Heimdall v1.4.0
Copyright (c) 2010-2013, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Initialising connection...
Detecting device...
Manufacturer: "Sasmsung"
Product: "MSM8960"
length: 18
device class: 2
S/N: 0
VID:PID: 04E8:685D
bcdDevice: 0100
iMan:iProd:iSer: 1:2:0
nb confs: 1
interface[0].altsetting[0]: num endpoints = 1
Class.SubClass.Protocol: 02.02.01
endpoint[0].address: 82
max packet size: 0010
polling interval: 09
interface[1].altsetting[0]: num endpoints = 2
Class.SubClass.Protocol: 0A.00.00
endpoint[0].address: 81
max packet size: 0200
polling interval: 00
endpoint[1].address: 01
max packet size: 0200
polling interval: 00
Claiming interface...
Attempt failed. Detaching driver...
Claiming interface again...
Setting up interface...
Initialising protocol...
WARNING: Control transfer #1 failed. Result: -9
WARNING: Control transfer #2 failed. Result: -9
WARNING: Control transfer #3 failed. Result: -9
WARNING: Control transfer #4 failed. Result: -9
WARNING: Control transfer #5 failed. Result: -9
WARNING: Control transfer #6 failed. Result: -9
ERROR: Failed to receive handshake response. Retrying...
Protocol initialisation successful.
Beginning session...
Some devices may take up to 2 minutes to respond.
Please be patient!
Session begun.
Downloading device's PIT file...
PIT file download successful.
Uploading SYSTEM
0%
1%
ERROR: Failed to unpack received packet.
ERROR: Failed to confirm end of file transfer sequence!
ERROR: SYSTEM upload failed!
Ending session...
Releasing device interface...
Re-attaching kernel driver...
so I tried creating an update.zip that I could sideload flash in stock recovery, but that fails as well with
Code:
E: footer is wrong
E: signature verification failed
If I could get into adb shell, I'd be set... all I'd have to do is dd the system.img back (been there done that in SafeStrap), but when I try adb shell in stock recovery I just get "error: device not found", and in sideload mode, I get "error: closed"
Please help? :crying:

kevp75 said:
So, prior to my stupidity, I made a system.img dump via dd
However, after my stupidity (tried flashing some lib files....), I am now stuck with only stock recovery mode, or download mode.
How can I flash back my system.img? I tried in download mode with heimdall... but it fails with
Code:
[email protected]:/media/MediaTwo/MyRom# heimdall flash --verbose --no-reboot --SYSTEM system.img
Heimdall v1.4.0
Copyright (c) 2010-2013, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Initialising connection...
Detecting device...
Manufacturer: "Sasmsung"
Product: "MSM8960"
length: 18
device class: 2
S/N: 0
VID:PID: 04E8:685D
bcdDevice: 0100
iMan:iProd:iSer: 1:2:0
nb confs: 1
interface[0].altsetting[0]: num endpoints = 1
Class.SubClass.Protocol: 02.02.01
endpoint[0].address: 82
max packet size: 0010
polling interval: 09
interface[1].altsetting[0]: num endpoints = 2
Class.SubClass.Protocol: 0A.00.00
endpoint[0].address: 81
max packet size: 0200
polling interval: 00
endpoint[1].address: 01
max packet size: 0200
polling interval: 00
Claiming interface...
Attempt failed. Detaching driver...
Claiming interface again...
Setting up interface...
Initialising protocol...
WARNING: Control transfer #1 failed. Result: -9
WARNING: Control transfer #2 failed. Result: -9
WARNING: Control transfer #3 failed. Result: -9
WARNING: Control transfer #4 failed. Result: -9
WARNING: Control transfer #5 failed. Result: -9
WARNING: Control transfer #6 failed. Result: -9
ERROR: Failed to receive handshake response. Retrying...
Protocol initialisation successful.
Beginning session...
Some devices may take up to 2 minutes to respond.
Please be patient!
Session begun.
Downloading device's PIT file...
PIT file download successful.
Uploading SYSTEM
0%
1%
ERROR: Failed to unpack received packet.
ERROR: Failed to confirm end of file transfer sequence!
ERROR: SYSTEM upload failed!
Ending session...
Releasing device interface...
Re-attaching kernel driver...
so I tried creating an update.zip that I could sideload flash in stock recovery, but that fails as well with
Code:
E: footer is wrong
E: signature verification failed
If I could get into adb shell, I'd be set... all I'd have to do is dd the system.img back (been there done that in SafeStrap), but when I try adb shell in stock recovery I just get "error: device not found", and in sideload mode, I get "error: closed"
Please help? :crying:
Click to expand...
Click to collapse
Can't use heimdall or stock recovery because it isn't a signed file and stock recovery doesn't allow adb shell. Your only option is to reflash unless you have Safestrap.
Sent from my SGH-I337 running GPE

DeadlySin9 said:
Can't use heimdall or stock recovery because it isn't a signed file and stock recovery doesn't allow adb shell. Your only option is to reflash unless you have Safestrap.
Sent from my SGH-I337 running GPE
Click to expand...
Click to collapse
I had SafeStrap, but not aymore... only stock recovery and download mode.
Is there a Odin/Heimdall flashable version of SafeStrap floating around somewhere that I have not seen?

kevp75 said:
I had SafeStrap, but not aymore... only stock recovery and download mode.
Is there a Odin/Heimdall flashable version of SafeStrap floating around somewhere that I have not seen?
Click to expand...
Click to collapse
Is it really my only option to go back, Odin flash NB1, upgrade to NC1, install SELinux Mode Changer and SafeStrap, then restore my system.img from within SafeStrap?
I have my data "files" backed up as an image (which I'll need to un-image, because it's too big for my Fat32 SDCard clocking in at 8.7G LOL), but I can adb push those back in as well...
I'm going to end up doing this, but I would like to keep this open in case another solution comes along....

kevp75 said:
Is it really my only option to go back, Odin flash NB1, upgrade to NC1, install SELinux Mode Changer and SafeStrap, then restore my system.img from within SafeStrap?
I have my data "files" backed up as an image (which I'll need to un-image, because it's too big for my Fat32 SDCard clocking in at 8.7G LOL), but I can adb push those back in as well...
I'm going to end up doing this, but I would like to keep this open in case another solution comes along....
Click to expand...
Click to collapse
unfortunately I had to odin back... but up and running
Rockin' it from my Smartly GoldenEye 35 NF1 (muchas gracias:* @iB4STiD @loganfarrell @muniz_ri @Venom0642 @ted77usa @rebel1699* @iB4STiD) ~ 20GB free cloud https://copy.com?r=vtiraF
Check me out online @ http://kevin.pirnie.us

Yes I know to reflash but having reflashed for 10+ times and being returned the similar errors, these errors are probably the USB hw problems, and not likely to be phones-sided. The root solution is to renew the USB tethers, even the Macs.
DeadlySin9 said:
Can't use heimdall or stock recovery because it isn't a signed file and stock recovery doesn't allow adb shell. Your only option is to reflash unless you have Safestrap.
Click to expand...
Click to collapse

[BOOTLOADER] Analysis

Brief synopsis
Bootloader unlock isn't likely. Amazon provide the facility to unlock the bootloader, but there is no way of getting the key.
The program which is locking the bootloader appears to be specific to MediaTek and Amazon, therefore, there isn't any source code.
The partitions with an Android bootimg header are all signed with two Amazon certificates. This includes the Little Kernel (LK) and the kernel itself.
The preloader is custom built for Amazon. The preloader doesn't respond to SP Flash Tool because it's constantly in a reboot loop when in 'META mode'. I presume it's intentional; a different version can however be installed (See 'However...').
However...
@bibikalka has found some strings in tz.img refering to a bootloader unlock. There is an amzn_unlock_verify function in lk too.
There must be a is a way to get the preloader to work properly with SP Flash Tool. However, this won't allow you custom ROMs, just reinstall Amazon's software. The software installed is still verified during the boot process. See this unbrick guide to install a different preloader. The preloader is not signed or checked by the boot process.
There is a small chance some part of the boot process could be fooled.
Downgrade potential
An anti-rollback program appears to have been built in to the bootloader which prevents any attempt at downgrading the software on the device. This is rather irritating, and means that downgrading is almost impossible. Only the preloader seems to be unaffected by this anti-rollback system – so, if you attempted to downgrade, and caused your device to become bricked, then you can restore the version you left.
Note that I vaguely reference to the preloader, uboot and lk collectively as 'the bootloader'.
Original post
I previously had downloaded the 5.0.1 and 5.1.1 LK versions, and thought, why not run these through binwalk?
For the old, 5.0.1 bootloader, putting lk.bin through binwalk gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204256 0x31DE0 SHA256 hash constants, little endian
292292 0x475C4 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
330144 0x509A0 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
330752 0x50C00 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
334248 0x519A8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
339912 0x52FC8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
341028 0x53424 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
350360 0x55898 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
351732 0x55DF4 Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
353656 0x56578 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
369736 0x5A448 CRC32 polynomial table, little endian
397548 0x610EC LZMA compressed data, properties: 0x91, dictionary size: 33554432 bytes, uncompressed size: 134217728 bytes
Whilst the 5.1.1 bootloader's lk.bin gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204960 0x320A0 SHA256 hash constants, little endian
293720 0x47B58 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
332024 0x510F8 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/cry
332628 0x51354 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/mem
336096 0x520E0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/asn
341712 0x536D0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/evp
342820 0x53B24 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/obj
352064 0x55F40 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/x50
353420 0x5648C Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
355344 0x56C10 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
371656 0x5ABC8 CRC32 polynomial table, little endian
So there you go! The bootloader uses OpenSSL to check the partition against two DER format certificates. Ignore the LZMA header for now; binwalk thinks almost everything is LZMA compressed.

Can you run binwalk with -e and post the 5.1.1 certs here

benwaffle said:
Can you run binwalk with -e and post the 5.1.1 certs here
Click to expand...
Click to collapse
Look at the thread about the 5.1.1 lk.bin in this forum and download the binary so you can run binwalk on it yourself.
Here is the lk.bin file, zipped. You can try and run '-e' on this binary.
The extracted certificates appear to contain format strings for decompression/compression error and debug messages. It doesn't look right. But the top of the files are valid certificate headers (or appear to be to the untrained eye).
Thanks @benwaffle.

Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?

bibikalka said:
Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?
Click to expand...
Click to collapse
Thanks @bibikalka!
Yes – Amazon must have a way of flashing firmware. I wonder if there is a JTAG header on the board as well. The Fire HD 6 had a 'JDEBUG' port, as seen in iFixit's teardown photographs: https://www.ifixit.com/Teardown/Kindle+Fire+HD+6+Teardown/29815#s70239
There might be a bootloader unlock then! It might need someone to decompile uboot to see how to trigger the unlock.
I've only managed to get the preloader_prod.img at this moment in time (I haven't taken preloader.img off). The SHA256 hash starts at around 95% (117KB out of 121KB) of the file, according to binwalk.

Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all
These strings might give a bit hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael

stargo said:
Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all
These strings might give a bit hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael
Click to expand...
Click to collapse
How interesting. Thanks @stargo! I've updated the OP accordingly to your findings. Yes, it seems more complex than previously thought. I'll upload my 5.1.1 rpmb binary soon.

Hi there! As se en within I read mtk is a very hard platform to work with, because they are very closed, and they hardly ever release any source, so most Roms are ports of a similar decide. I'll have a search for a device with this same soc to ser if i can come back with related info. That's why I'm surprised we have cm here!

Help Rooting required - solved

Hi,
I've got a I9301I with build KOT49H.I9301IXXSAPG5
Cannot root it:
Kingroot crashes instantly with VerifyError exception
Heimdall cannot retrieve PIT from phone in download mode
Heimdall log:
Code:
$ heimdall print-pit --usb-log-level info --verbose
Heimdall v1.4.1
Copyright (c) 2010-2014 Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Initialising connection...
Detecting device...
Manufacturer: "Sasmsung"
Product: "MSM8960"
length: 18
device class: 2
S/N: 0
VID:PID: 04E8:685D
bcdDevice: 0100
iMan:iProd:iSer: 1:2:0
nb confs: 1
interface[0].altsetting[0]: num endpoints = 1
Class.SubClass.Protocol: 02.02.01
endpoint[0].address: 82
max packet size: 0010
polling interval: 09
interface[1].altsetting[0]: num endpoints = 2
Class.SubClass.Protocol: 0A.00.00
endpoint[0].address: 81
max packet size: 0200
polling interval: 00
endpoint[1].address: 01
max packet size: 0200
polling interval: 00
Claiming interface...
Setting up interface...
Initialising protocol...
Protocol initialisation successful.
Beginning session...
WARNING: Empty bulk transfer after sending packet failed. Continuing anyway...
Some devices may take up to 2 minutes to respond.
Please be patient!
WARNING: Empty bulk transfer after sending packet failed. Continuing anyway...
Session begun.
Downloading device's PIT file...
WARNING: Empty bulk transfer after sending packet failed. Continuing anyway...
....
WARNING: Empty bulk transfer after sending packet failed. Continuing anyway...
ERROR: libusb error -7 whilst sending bulk transfer. Retrying...
....
ERROR: libusb error -7 whilst sending bulk transfer.
ERROR: Failed to send request to end PIT file transfer!
ERROR: Failed to download PIT file!
Ending session...
ERROR: libusb error -7 whilst sending bulk transfer. Retrying...
...
ERROR: libusb error -7 whilst sending bulk transfer.
ERROR: Failed to send end session packet!
Releasing device interface...
I was able to read the I8730 (already rooted) pit without problems using the same cable and usb port.
Any idea? did they close all backdoors so rooting isn't possible anymore?
thanks

It is a new firmware. We have to wait for us to be root or return to a previous firmware.

Install a custom recovey...

sahilkhan9557 said:
Install a custom recovey...
Click to expand...
Click to collapse
how, if neither rooting apps nor reading PIT from download mode work? could you provide a PIT file?

JPT223 said:
how, if neither rooting apps nor reading PIT from download mode work? could you provide a PIT file?
Click to expand...
Click to collapse
U just need to flash twrp.zip using odin

Was an unknown problem with heimdall. using odin on windows 7 it worked. thanks

JPT223 said:
Was an unknown problem with heimdall. using odin on windows 7 it worked. thanks
Click to expand...
Click to collapse
root plese help

Unable to reflash ROM or install custom ROM

I've been screwing around with this for three weeks and I'm unable to make ANY headway no matter how much I search.
I had rooted my s7 edge when I first got it 6 months ago and followed a guide on here which I'm unable to locate. My phone started acting super crazy and losing running apps and apps closing unexpectedly. For example while watching Netflix, the card with the netflix controls in the dropdown would disappear after only a few minutes and netflix would forget it was connected to a chromecast, among other things.
I performed a factory reset. Upon reset and reinstalling my apps I went to try a system update in Settings. Clicking on it immediately results in "Unfortunately Settings has Stopped" and crashing out to the home screen. I recall the root method had some sort of add-on you could flash that disabled/removed many bloatwares and certain "features" and things on the phone including system update.
As I can't find the instructions I used I decided to simply flash the latest firmware using Odin 3.10.7 and 3.11.1 and this method: https://forum.xda-developers.com/verizon-s7-edge/how-to/odin-stock-nougat-firmware-t3570156
Odin checks the files just fine. When the start button is pressed odin sits for 3minutes attempting to set up the connection, then fails out with a red FAIL.
Attempting to install TWRP using heimdall on windows results in:
Code:
C:\Users\pl\Desktop\Heimdall Suite>heimdall flash --RECOVERY twrp-3.1.1-0-hero2lte.img --no-reboot --verbose
Heimdall v1.4.0
Copyright (c) 2010-2013, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Initialising connection...
Detecting device...
Manufacturer: "Sasmsung"
Product: "MSM8996"
length: 18
device class: 2
S/N: 0
VID:PID: 04E8:685D
bcdDevice: 0100
iMan:iProd:iSer: 1:2:0
nb confs: 1
interface[0].altsetting[0]: num endpoints = 1
Class.SubClass.Protocol: 02.02.01
endpoint[0].address: 82
max packet size: 0010
polling interval: 09
interface[1].altsetting[0]: num endpoints = 2
Class.SubClass.Protocol: 0A.00.00
endpoint[0].address: 81
max packet size: 0200
polling interval: 00
endpoint[1].address: 01
max packet size: 0200
polling interval: 00
Claiming interface...
Setting up interface...
Initialising protocol...
WARNING: Control transfer #1 failed. Result: -9
WARNING: Control transfer #2 failed. Result: -9
WARNING: Control transfer #3 failed. Result: -9
WARNING: Control transfer #4 failed. Result: -9
WARNING: Control transfer #5 failed. Result: -9
WARNING: Control transfer #6 failed. Result: -9
Protocol initialisation successful.
Beginning session...
Some devices may take up to 2 minutes to respond.
Please be patient!
Session begun.
Downloading device's PIT file...
PIT file download successful.
Uploading RECOVERY
0%
...
100%
RECOVERY upload successful
Ending session...
ERROR: Failed to unpack received packet.
ERROR: Failed to receive session end confirmation!
Releasing device interface...
A similar attempt on linux using Heimdall 1.4.1 results in dozens of warnings throughout
WARNING: Empty bulk transfer after sending packet failed. Continuing anyway..."
On the phone itself the little progress bar starts moving across the screen, but immediately stops and a red error appears
SECURE CHECK FAIL : recovery
The full text of the information on the screen is as follows
Code:
ODIN MODE (HIGH SPEED)
PRODUCT NAME: SM-G935V
CURRENT BINARY: Samsung Official
SYSTEM STATUS: Custom
FRP LOCK: OFF
QUALCOMM SECUREBOOT: ENABLE
AP SWREV: B2(2, 1, 1, 1, 1) K1 S1
SECURE DOWNLOAD : ENABLE
I have attempted to perform this on 3 separate machines, one each of windows, mac and linux, using all sorts of various versions of odin, and heimdall and I've been unable to get anything working. Any help is appreciated.
Click to expand...
Click to collapse
Click to expand...
Click to collapse

might seem like a stupid question but do you have the proper drivers installed and are you using the factory cable? You can also try a different Odin I know some people have luck with different ones.
I cant provide much input other than unplug replug see if your computer will recognize the phone as being attached...or try a different odin.

We can't install twrp on the s7 with the snapdragon processor. The bootloaders are locked tight.

Correct, the moment I read TWRP, I had a moment of silence for the OP's phone.

TWRP is a no go due to locked bootloader. The reason system update crashes is because the apps needed for the updater are removed during the root fix process. You can flash back to stock with Odin. Marshmallow and Nougat can both be rooted, so take your pick. As for Netflix, I have issues with it forgetting that it's connected to my Chromecast all the time. I'm currently on a non-rooted ROM, but I've had this issue when the phone was stock or rooted.

tacticalone said:
Code:
C:\Users\pl\Desktop\Heimdall Suite>heimdall flash --RECOVERY wrp-3.1.1-0-hero2lte.img t --no-reboot --verbose
Click to expand...
Click to collapse
Bit of a dredge, I realise, as I've just dug out an old 310F as a spare handset and had a similar problem
I fixed it by renaming the recovery image as recovery.img (as opposed to wrp-3.1.1-0-hero2lte.img, for example)
Code:
heimdall flash --RECOVERY recovery.img t --no-reboot --verbose

Backup S5 stockRom before TWRP & root? Possible? Which tool? How?

How to backup stockRom S5 before starting to follow any instructions to root + flash + LineageOS ...
What I want:
* backup my brand new stock ROM Galaxy S5 SM-G900F
* before I even start with TWRP, root, etc.
* with an apk, via USB on a PC ... any way that would work
* or if total backup does not exist, then at least the EFS partitions?
because:
* I might want to sell it later
* I might have to send it back
* flashing TWRP & LineageOS might fail
* I have lost mobileInternet on an LG-V20 already because something went strange when flashing
* I am careful
Is there any way to backup a Samsung S5 before I even start with following any instructions here?
Am I asking for something impossible?
Was I on the right way already (see below), but have done something wrong?
Is it perhaps only possible after rooting? If so, then which tool do you recommend then?
Thanks a lot!
What I have tried:
* xda developer galaxy-s5/general every thread title until page 5 https://forum.xda-developers.com/galaxy-s5/general/page5
* xda developer search for "S5 backup", "S5 EFS", and a few other searches. Sorry for being dumb, please help me search, thanks.
* Heimdall PIT, but "ERROR: Failed to send request to end PIT file transfer!"
* Odin PIT, but "Can't open the specified file. (Line: 1892)"
* Samsung Tool 5.0 com.sec.ricky310711.samsungtool.apk https://forum.xda-developers.com/showthread.php?t=2696153 but the app-->Backup-EFS hangs at "Please Wait..." <-- probably because I could not install busybox because no root yet.
* manual EFS backup with dd https://forum.xda-developers.com/showthread.php?t=2737448 but I get a "su: not found", obviously, because unrooted
Code:
Heimdall v1.4.0
...
Initialising connection...
Detecting device...
Claiming interface...
Setting up interface...
Initialising protocol...
Protocol initialisation successful.
Beginning session...
Some devices may take up to 2 minutes to respond.
Please be patient!
Session begun.
Downloading device's PIT file...
ERROR: Failed to send request to end PIT file transfer!
ERROR: Failed to download PIT file!
Ending session...
ERROR: Failed to send end session packet!
Releasing device interface...
Code:
<ID:0/003> Added!!
<ID:0/003> Odin engine v(ID:3.1301)..
<ID:0/003> File analysis..
<ID:0/003> Total Binary size: 0 M
<ID:0/003> SetupConnection..
<ID:0/003> Initialzation..
<ID:0/003> Set PIT file..
<ID:0/003> DO NOT TURN OFF TARGET!!
<ID:0/003> Can't open the specified file. (Line: 1892)
<OSM> All threads completed. (succeed 0 / failed 1)

Anyone?

ankade said:
Anyone?
Click to expand...
Click to collapse
Though, I don't have your specific variant, the typical "just in case" files (that I personally always begin with) to obtain are the following:
1) Stock Firmware File (I just go with the latest and sometimes the 1 previously released).
2) Latest Odin PC Software.
3) Latest Samsung USB Drivers for the PC.
4) PIT file (PIT = Partition Information Table).
Those are usually the bare essentials that I begin with.
Good Luck!
~~~~~~~~~~~~~~~
UNLESS asked to do so, PLEASE don't PM me regarding support. Sent using The ClaRetoX Forum App on my Enigma Machine {aenigma = Latin for "Riddle"}.

Great, thanks a lot. That is a helpful list.
Ibuprophen said:
2) Latest Odin PC Software.
Click to expand...
Click to collapse
Which is the latest you are using? The version "Odin3-v3.13.1" does NOT work, see above.
How exactly do I extract the current state of my (still unrooted) SM-G900F ?
Thanks.

I have now tried again manually:
Code:
heimdall download-pit --output s5.pit
Is that the right command?
It only worked after overwriting the MSM8960 driver with zadig.exe
Then it looks like this:
Code:
Heimdall v1.4.0
Copyright (c) 2010-2013, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Initialising connection...
Detecting device...
Claiming interface...
Setting up interface...
Initialising protocol...
Protocol initialisation successful.
Beginning session...
Some devices may take up to 2 minutes to respond.
Please be patient!
Session begun.
Downloading device's PIT file...
then after a while:
Code:
ERROR: Failed to send request to end PIT file transfer!
ERROR: Failed to download PIT file!
Ending session...
ERROR: Failed to send end session packet!
Releasing device interface...

heimdall 1.4.2
Hooray, big progress. It was a version problem, older versions of heimdall seem faulty. And grrrmpf: the "heimdall" website which comes up at the top on search engines ... provides an outdated 1.4.0 version. Which seems broken. But hooray, the 1.4.2 version of heimdall works:
this looks good, no?
Code:
cd heimdall_1.4.2_win64
heimdall print-pit --no-reboot
Code:
Heimdall v1.4.2
Copyright (c) 2010-2017 Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/
This software is provided free of charge. Copying and redistribution is encouraged.
If you appreciate this software and you would like to support future development please consider donating: http://www.glassechidna.com.au/donate/
Initialising connection...
Detecting device...
Claiming interface...
Setting up interface...
Initialising protocol...
Protocol initialisation successful.
Beginning session...
Some devices may take up to 2 minutes to respond.
Please be patient!
Session begun.
Downloading device's PIT file...
PIT file download successful.
Code:
Entry Count: 30
Unknown 1: 1598902083
Unknown 2: 844251476
Unknown 3: 21325
Unknown 4: 14413
Unknown 5: 14137
Unknown 6: 52
Unknown 7: 0
Unknown 8: 0
now there are 30 such entries:
Code:
--- Entry #0 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 1
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 8192
Partition Block Count: 30720
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: APNHLOS
Flash Filename: NON-HLOS.bin
FOTA Filename:
I got the new heimdall 1.4.2 version from here:
https://github.com/Benjamin-Dobell/Heimdall/issues/295#issuecomment-364729538
and because he only provides the source, the binary from here
https://github.com/tothphu/heimdall_build/

this worked too:
Code:
heimdall download-pit --no-reboot --output S5-download-pit.pit
It resulted in a non-human-readable binary file of 8192 bytes.
But:
How to backup partitions?
with
Code:
heimdall --help
I can see that there I can flash ONTO the device with e.g.
Code:
heimdall flash --RECOVERY twrp-x.x.x-x-klte.img --no-reboot
but there does not seem to be a
Code:
heimdall read --RECOVERY --file recovery.img --no-reboot
?
how to READ a partition FROM the device?
?

Now I have tried it via USB debugging, with "minimal_adb_fastboot_1.4.3_portable.zip"
but
Code:
adb shell
ls -al /dev/block/platform/msm_sdcc.1/by-name/efs
lrwxrwxrwx root root 2014-05-24 16:36 efs -> /dev/block/mmcblk0p12
dd if=/dev/block/mmcblk0p12 of=/storage/3164-3234/S5/efs.img
results in
Code:
dd: /dev/block/mmcblk0p12: Permission denied
and
Code:
su -
/system/bin/sh: su: not found
so it looks as if my first hope has to be declared dead ...
No system backup without root, right?
?
But what I don't understand ... How did people extract these here then: https://www.sammobile.com/firmwares/galaxy-s5/SM-G900F/ ???
I have found instructions how to get back to stock rom, but I would like to use my own original stockROM for that. But I don't know how to back it up. Please help. Thanks.

how to root?
The phone is this one:
Samsung S5
SM-G900F
Android version 6.0.1
Android security patch level: 1 January 2017
I have tried these root tools:
Kingroot (NewKingrootV5.3.7_C197_B451_xda_release_2018_06_19_20180620193529_242043.apk) --> "Generating adaptation strategy, please come back later"
Towelroot v1.0 (tr.apk) --> "This phone isn't currently supported"
I did not want to try CF-Auto-Root because it says "If you have a Samsung-KNOX-enabled device, this package will trip the KNOX warranty flag. This flag cannot be reset, and will prevent some applications from working."
Is there really no way to get root without first installing TWRP ?
?