Database Users

Nexus 7 3G RADIO ISSUE

I am sorry for opening this thread.
After 2 days of waiting, it seems that the 3G forum section is useless in terms of helping the ones in need.
My issue: after i updated via OTA, the tablet, the 3G stopped working, the OTA corrupted the radio partition, and now it seems that my tablet is on first baseband (a backup radio it seems) released with the device which has some issues (wifi signal very crappy)
In fastboot the baseband appears N/A
My request, if someone knows, on which emmc partition is stored the radio i would be very grateful.
Also a dump of that partition would help also.
I cannot flash the radio via fastboot
apia-1231_0.17.0_1205.img
sending 'radio' (16384 KB)...
OKAY [ 2.001s]
writing 'radio'...
FAILED (remote: (BadParameter))
finished. total time: 2.018s
Also trying to dump the partition on the usual mount point results this
dd if=/dev/block/platform/sdhci-tegra.3/by-name/RDO of=/sdcard/RDO.img
/dev/block/platform/sdhci-tegra.3/by-name/RDO: cannot open for read: No such file or directory
In theory i should be able to restore by using the dd on the emmc partitions, but i don`t know which one it is.
ls /dev/block/mmcblk*
ls /dev/block/mmcblk*
/dev/block/mmcblk0 TO BIG
/dev/block/mmcblk0boot0 2.048KB (bootloader)
/dev/block/mmcblk0boot1 2.048KB (bootloader backup)
/dev/block/mmcblk0p1 12.288KB (boot or recovery)
/dev/block/mmcblk0p2 8.192 KB
/dev/block/mmcblk0p3 TO BIG
/dev/block/mmcblk0p4 TO BIG
/dev/block/mmcblk0p5 512KB
/dev/block/mmcblk0p6 10.240KB (boot or recovery)
/dev/block/mmcblk0p7 5.120KB
/dev/block/mmcblk0p8 512KB
/dev/block/mmcblk0p9 TO BIG
In my first look this is what i found, if someone can assist me with this, there are multiple users with this issue, so also others at some moment will be grateful if we fix this.
1) On which partition is the radio stored
2) Can someone dump that partition using dd ?
Again, sorry for creating this post, i don`t usually do things like this (old user, know how the things work around here), but i am a little bit desperate.
Managed to fix partially the issue.
In bootloader the Baseband still appears as N/A
What I did.
1) Mounted radio-tilapia-1231_0.18.0_0409.img
2) Copied the radio_update.zip
3) Rebooted the Tablet in RECOVERY
4) Presse Power Key and Volume Key Plus (first power key, while you keep the power pressed, press the volume key for 2 seconds, release)
5) Select "Apply Update From ADB"
6) Issue the command "adb sideload radio_update.zip
7) Wait till the update goes to end,, and select Reboot system now.
Now when you check in Settings/About Tablet/Baseband, you should have the Baseband which you applied via adb
For those in need, here is the radio_update.zip
http://globula.arctablet.com/Nexus7/radio_update.zip
Still the question remains open, HO KNOWS WHAT PARTITION IS THE ONE FROM THE RADIO ?

Hello
I have exactly the same issue reported by globula neagra.
In my case the issue started just after Nexus came back from Asus repair center with the motherboard replaced. .
As the radio cannot be flashed, the ota procedure fails.
Any idea how to recover the radio partition in order to flash the correct radio image file?
Regards.

My N7 2012 has the same symptoms (Baseband N/A in fastboot) after getting it back from Asus a couple of weeks ago. I believe they replaced the motherboard of my N7 if that matters. I was able to adb sideload the radio from 4.3 then fastboot all factory images from the latest update and then relock. Not sure if I should send it back since it will not install otas on its own, and I will have to adb sideload the radio every update. Thanks op for the info on adb radio update.
Sent from my Nexus 7 using xda app-developers app

My Nexus 7 2012 has the same problem. I could not update OTA and also fastboot update fails, because of Baseband N/A. Now I'm on 4.3 but with old Baseband. I didn't update it, because looks like everything is running.
Before my one was two times in service at Asus. One time they replaced the mainboard.

For sure the solution of globula neagra is a good workaround, but it is very strange that, after the motherboard replacement, you cannot update anymore a standard product with a standard OTA procedure.
Maybe something could be revised in the replacement process.....

flaps1970 said:
For sure the solution of globula neagra is a good workaround, but it is very strange that, after the motherboard replacement, you cannot update anymore a standard product with a standard OTA procedure.
Maybe something could be revised in the replacement process.....
Click to expand...
Click to collapse
UP
Can someone dump that partition using dd, as asked by Globula Neagra?

I don`t understand what exactly you talk about .. radio partitions etc. but if that helps I had a problem with the memory of the tablet: have 32g + gsm N7 and in storage tab it appears only 6gb availabale, so I downloaded nakasig-jwr66y-factory-bdbb7bd7.tgz , extracted the archive and in created folder there was
bootloader-tilapia-4.23.img
flash-all.bat
flash-all.sh
flash-base.sh
image-nakasig-jwr66y.zip
radio-tilapia-1231_0.18.0_0409.img
Using windows 8 I executed in CMD flash-all.bat and the script flashes the radio,bootloader,stock rom and many other things that I did not seen before.I can`t provide a link for download but it is in the forum.I`ll be happy if that can help you solve your problem! Just flash without fear

Blown_ouT said:
I don`t understand what exactly you talk about .. radio partitions etc. but if that helps I had a problem with the memory of the tablet: have 32g + gsm N7 and in storage tab it appears only 6gb availabale, so I downloaded nakasig-jwr66y-factory-bdbb7bd7.tgz , extracted the archive and in created folder there was
bootloader-tilapia-4.23.img
flash-all.bat
flash-all.sh
flash-base.sh
image-nakasig-jwr66y.zip
radio-tilapia-1231_0.18.0_0409.img
Using windows 8 I executed in CMD flash-all.bat and the script flashes the radio,bootloader,stock rom and many other things that I did not seen before.I can`t provide a link for download but it is in the forum.I`ll be happy if that can help you solve your problem! Just flash without fear
Click to expand...
Click to collapse
So it will erase all apps and data on N7?

vndnguyen said:
So it will erase all apps and data on N7?
Click to expand...
Click to collapse
Yes in that case executing the flash-all.bat it will wipe all the data and apps but you can try to manualy flash the radio and the bootloader with that latest version...and like I understand your problem you can`t lose much...still you can`t use your device

@Blown_ouT
I did tried several approaches, and actually what you are saying above broke my device and created the issue with the radio.
The bootloader is saying that my radio partition does not exist anymore, therefore you can not flash something that is not existent, and your method does not work.
Tough, the partition is not vanished it must be there but i think is corrupted somehow.
When i broke the device first time i did this:
1) Update the tablet using the OTA
2) Result was a broken radio
3) Tried to re-flash the tablet using the stand alone pack
-when i did this, i did not wanted to unlock the tablet, still the cmd file runned and erased everything from the tablet but not flashed nothing, which is the most stupid thing since i did not unlocked the device and therefore the restrictions were up (which are supposed to be in theory a non access to erase/write but still google allows you to brick your device with the cmd file without unlocking, but does not allow you to fix it till you unlock it, again VERY STUPID)
-i was able to flash all the files one by one except the radio

globula_neagra said:
@Blown_ouT
I did tried several approaches, and actually what you are saying above broke my device and created the issue with the radio.
The bootloader is saying that my radio partition does not exist anymore, therefore you can not flash something that is not existent, and your method does not work.
Tough, the partition is not vanished it must be there but i think is corrupted somehow.
When i broke the device first time i did this:
1) Update the tablet using the OTA
2) Result was a broken radio
3) Tried to re-flash the tablet using the stand alone pack
-when i did this, i did not wanted to unlock the tablet, still the cmd file runned and erased everything from the tablet but not flashed nothing, which is the most stupid thing since i did not unlocked the device and therefore the restrictions were up (which are supposed to be in theory a non access to erase/write but still google allows you to brick your device with the cmd file without unlocking, but does not allow you to fix it till you unlock it, again VERY STUPID)
-i was able to flash all the files one by one except the radio
Click to expand...
Click to collapse
Hello, just an update about this issue,
I started the RMA procedure and ASUS replaced me the motherboard again (already one had been replaced).
Yesterday i received back the Nexus, nothing had changed, the tablet has exactly the same issue.
At this point, i think there are only three possibilities:
1) all the motherboards used in the Repair center are faulty
2) there is something wrong in the ASUS procedure
3) the problem is not related to the motherboard but is somewhere else
I am very frustrated about this situation, 5 months of tablet and three times in repair center without repairing the issue.

flaps1970 said:
Hello, just an update about this issue,
I started the RMA procedure and ASUS replaced me the motherboard again (already one had been replaced).
Yesterday i received back the Nexus, nothing had changed, the tablet has exactly the same issue.
At this point, i think there are only three possibilities:
1) all the motherboards used in the Repair center are faulty
2) there is something wrong in the ASUS procedure
3) the problem is not related to the motherboard but is somewhere else
I am very frustrated about this situation, 5 months of tablet and three times in repair center without repairing the issue.
Click to expand...
Click to collapse
I do think is an issue on a software level.
Google/Asus don`t want to admit that the updates are "braking" the tablets.

Geez, I have the same problem, I also got my Nex7 GSM from the repair with the new motherboard.
They had one job....

globula_neagra said:
My issue: after i updated via OTA, the tablet, the 3G stopped working, the OTA corrupted the radio partition, and now it seems that my tablet is on first baseband (a backup radio it seems) released with the device which has some issues (wifi signal very crappy)
In fastboot the baseband appears N/A
Click to expand...
Click to collapse
When ASUS replaced my device's motherboard they reinstalled the factory 4.2 instead of the 4.4.4 it was on at the time. During the 4.3 OTA upgrade the device hung and now the baseband is N/A in the bootloader menu. Trying to flash factory images or just the radio itself obviously doesn't work.
Other than your excellent sideload work-around, have you found a proper fix for the radio partition itself?

globula_neagra said:
ls /dev/block/mmcblk*
/dev/block/mmcblk0 TO BIG
/dev/block/mmcblk0boot0 2.048KB (bootloader)
/dev/block/mmcblk0boot1 2.048KB (bootloader backup)
/dev/block/mmcblk0p1 12.288KB (boot or recovery)
/dev/block/mmcblk0p2 8.192 KB
/dev/block/mmcblk0p3 TO BIG
/dev/block/mmcblk0p4 TO BIG
/dev/block/mmcblk0p5 512KB
/dev/block/mmcblk0p6 10.240KB (boot or recovery)
/dev/block/mmcblk0p7 5.120KB
/dev/block/mmcblk0p8 512KB
/dev/block/mmcblk0p9 TO BIG
Click to expand...
Click to collapse
Still the question remains open, HO KNOWS WHAT PARTITION IS THE ONE FROM THE RADIO ?
Click to expand...
Click to collapse
By now it's probably common knowledge to you and others with this problem that when the Nexus 7 3G gets into this state, the radio partition doesn't show up in the list anymore. My tablet broke before I could have a look at what correct partition information looks like, and there isn't much about it on the Internet either. However, these seem to agree:
http://forum.xda-developers.com/showpost.php?p=35103211&postcount=16
http://www.0jl.com/blog/?p=2196
http://forum.xda-developers.com/showthread.php?p=45045265#post45045265
E.g.:
Code:
Device "/ dev / block / mmcblk0p1", the name of "SOS", format emmc, capacity 12M, mount --- storage recovery
Device "/ dev / block / mmcblk0p2", the name "LNX", format emmc, capacity 8M, mount --- storage boot
Device "/ dev / block / mmcblk0p3", the name "APP", format ext4, the capacity of 650M, mount "/ system", the storage system
Device "/ dev / block / mmcblk0p4", the name "RDO", format emmc, capacity 16M, mount --- store radio
Device "/ dev / block / mmcblk0p5", the name "CAC", format ext4, the capacity of 443M, mount "/ cache", storage cache
Device "/ dev / block / mmcblk0p6", the name "MSC", format emmc, capacity 512K, mount --- storage misc
Device "/ dev / block / mmcblk0p7", the name "USP", format, capacity 10M, mount --- storage ---
Device "/ dev / block / mmcblk0p8", the name "PER", format, capacity 5M, mount --- storage ---
Device "/ dev / block / mmcblk0p9", the name "MDA", format, capacity 512K, mount --- storage ---
Device "/ dev / block / mmcblk0p10", the name "UDA", format ext4, capacity 28G, mount "/ data", storage userdata
and
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
IOW, compared to grouper the tilapia has an extra 16M radio partition inserted at mmcblk0p4.
Tablets in this state had this partition corrupted or deleted. Would it be correct to deduce that the problem can therefore be fixed by correctly recreating the partition table and then reflashing the machine?
I'm only familiar with working with Windows partitions and haven't been able to find instructions for recreating the Nexus 7 3G's partition table specifically. Is the above information sufficient for doing that, and what commands are needed? My tablet's currently on 4.2.2 and comes with both fdisk and parted.
Thanks in advance,
Francois

globula_neagra said:
My issue: after i updated via OTA, the tablet, the 3G stopped working, the OTA corrupted the radio partition
Click to expand...
Click to collapse
This seems to be the common experience with radio partition corruption. It also seems the process that leads to this corruption could involve a corrupt bootloader.
It turns out that both recent factory images as well as at least the 4.3 OTA for the Nexus 7 3G contain a corrupt bootloader, see http://forum.xda-developers.com/nexus-7/general/info-nexus-7-3g-ota-bootloader-corrupt-t3033513. This means whether Android software is being installed manually or automatically, the target machine is potentially exposed to the corrupt bootloader.
Most firmware installs that include a new bootloader and radio software first install the bootloader, then boot into that, then next proceed with installation of the radio software, and then whatever else.
This opens up the possibility that failure to install and activate the new bootloader contributes to corruption of the radio partition when its upgrade is attempted. If I manage to test this once my machine is returned from repairs I hope to update. Any other thoughts or contributions in the meantime will be appreciated. Especially towards fixing the radio partition.

QD 9008 FIX!! Tested on LG-V410(G Pad 7.0 US ATT)

I am beyond ecstatic, after 3 months of research, trial and error, I fixed my tablet!!
I am pleased to announce a fix to the dreaded QDLOAD 9008 brick! I've written this tutorial on the one tablet experimented on (LG-V410 aka Gpad 7.0 LTE US ATT), but I'm pretty certain others may find this helpful to other qualcomm msm based devices.
Background: I maintain that I can fix anything I break so I did the worst thing and corrupted the data on my LG GPAD LTE 7.0 (V410). As a result the tablet wouldn't go into any mode, no lights, even when charging, no screen image or light, nothing. When I plugged it into my computer, it wasn't even recognized, windows told me the device was having a problem. After a little experimentation I got it recognized (held power while connected to power cycle) by the computer as "QD BULK". Further research I found some drivers for Qualcomm devices and got the computer to recognize it as "QDLOADER 9008". I thought this was great news but from there got no where. I tried qpst, qfuse, hyperterminal, LG B2C, LG SUPPORT TOOL, EFS Professional, miflash, blankflash, etc... everything I tried got me nowhere. After 3 months, It is now fully operational and apparently CARRIER UNLOCKED, talk about a pot of gold at the end of a rainbow!!
WORD OF WARNING: This is not a simple matter, 9008 most likely means your Grand Partition Table is corrupted, and the poor thing doesn't have a clue how to function. My method is NOT GUARANTEED in any way, I will not be responsible if you turn your paper weight of a device into permanent paper weight or half functioning paper weight etc...PROCEED WITH CAUTION, this is not for the feint of heart nor a simple fix!! You've been warned!
PreRequisites:
-Windows (for expanding the KDZ) (there may be a linux alternative to LGFirmwareExtract)
-Linux and some basic experience with dd and navigating the terminal (I used ubuntu) --(again, nearly everything I'm about to explain can probaly be translated to another os.)
-KDZ for your device. http://forum.xda-developers.com/g-pad-10/general/kdz-lg-g-pad-7-0-v410-t3224867
-Replacement aboot and boot (see attached)
-KDZ Extractor ---http://forum.xda-developers.com/showthread.php?t=2600575
-TWRP http://forum.xda-developers.com/g-pad-10/development/recovery-twrp2-8-5-0lgv400-410-t3049568
-Fasboot and ADB http://forum.xda-developers.com/showthread.php?t=2588979
-A modified rom like Cyanogen mod etc... http://download.cyanogenmod.org/?device=v410
-16GB microsd card + a way of directly writing to it (i.e. usb card reader etc..) a second one is helpful but not required.
-Most important, Patience, beer, more patience, and more beer...
To teach a man to fish, some pertinent understanding: First thing to understand is how your main board works. Personally I disassembled my device and cross referenced every chip to do this, Good news is you don't have to. When power goes to the device, the SoC (system on a chip) looks to built in storage media for booting instructions (think low level here) and that in turn fires up everything else and then loads your kernel etc... You may be aware, there are two different types of computer systems out there, the old method used a BIOS, and the current uses UEFI. Older machines, when power was given to the system, the BIOS was responsible for firing up peripherals and finding the bootloader etc... UEFI (Unified Extended Firmware Instruction) however, relies on firmware on storage media to do all that.
For example, an x86 PC with a bios, when power is given to the board, the bios runs the show, testing equipment and waking up devices, then when it's ready, it looks to external media for a little magic byte at the end of the first sector of that media to indicate that it is bootable and in turn will boot (let those instructions take over). This style of booting media is called MBR or Master Boot Record.
Modern machines and most mobile devices use GPT or global partition table. There are quite a few advantages to GPT one primary being the possibility of many many more primary partitions, (MBR was very limited). The GPAD 7 LTE has 34 partitions to put things in perspective. When your device is stuck in 9008 mode, it is because it doesn't have a clue how to boot, most likely your GPT is corrupted. Fortunately, at least with the Gpad 7.0 this information does not have to be on the onboard internal memory chip. For this fix we will be constructing an sdcard to have all this info to get into a mode capable of writing to the emmc.
Without Further Ado, Here are the steps:
]PLUG THE TABLET INTO A CHARGER while you do the following (you may think it's been off and fully charged, but in reality it's probably been trying to boot over and over again while looking lifeless)
1.) Get the KDZ for your device (stock firmware)
2.) Extract the DZ using LGFirmwareExtractor
3.) Extract all the .bin files from the DZ using LGFirmwareExtractor
3b.) V410 US LTE ONLY - Replace aboot and boot with the files I attatched --I was fortunate enough to back them up before I hosed my tablet and they proved invaluable as the ones in the KDZ I linked to were causing strange graphic issues.
4.) open a terminal in linux and dd the sdcard with the file you extracted called "PrimaryGPT...."
I.E. "sudo dd if=/PATHTODZFILES/PrimaryGPT_0.bin of=/dev/sdx" (BE CERTAIN of the of= path, you can find yourself with more problems if you get that wrong) (run "sudo fdisk -l | less" first to verify what your sdcard's path is.)
This is where it gets tedious...:
5.) Do some hand stretches and start charting all 34 partitions on paper. Your sdcard is now partitioned with GPT and you need to know the name of each partition and its path. I.e. ("Partition name: LAF Located at /dev/sdXx")
6.) now for the fun part: dd every .bin to the corresponding partition EXCEPT: laf.bin and any of the system_xxxxx.bin files. (laf disables fastboot and the next step will bring you to a useless LG firmware download mode)( I.e. sudo dd if=/PATHTODZFILES/laf_xxx.bin of=/dev/sdXx) If some fail out, don't fret too much, I'm currently uncertain which ones are required and don't feel like corrupting my tablet again to figure that out. If the next step doesn't work you may need to revisit this step and ensure everything was accurate. It's easy to write down the wrong location for a partition and throw everything off
7.)Unmount your sdcard and put it in the tablet
8.) Press and hold power and volume up...If all went well, there is suddenly life to your paperweight!! Congratulate yourself and prepare for more fun... If nothing happened, revisit the above steps, more than likely something got flashed to the wrong partition.
9.)Now that you have fastboot, plug your tablet into the computer and use the following command: "fastboot boot TWRP.img" (or whatever the name or path is for your downloaded TWRP image.
10.) You should now be in TWRP and now your device is ADB ready, we are close to the home stretch...
11.) Now we need to load up an sdcard with all those dz files (except for laf and system images) and the custom rom like cyanogen mod. (if you only have the one sdcard you can unmount it and remove it while the table is in TWRP...crazy right?, if you opt for this, reformat the sdcard to ext or fat or whatever you please so the tablet can see all the bin files) Then put the sdcard into the tablet. You may need to remount the card in twrp before proceeding...
12.) Now from your computer type the following command "adb shell".
13.) now just like you did with the sd card dd PrimaryGPT_0.bin to the internal memory card, with the following command: dd if=/sdcard/PrimaryGPT_0.bin of=/dev/block/mmcblk0
14.) Grab the paper you wrote all the partitions down on and start doing the same thing you did to the sdcard to your tablet. You'll adjust the following command accordingly: "dd if=/sdcard/PARTITIONNAME.bin of=/dev/block/mmcblkpX (X being the partition number)
(again skip all system bin's and laf_xxxx.bin. Flashing laf disables fastboot on LG devices.)
15.) now time to install your custom rom, go through the prompts, clear your cache, and delvik cache and choose power off.
If all went well, you now have a tablet again, that's unlocked too!!!!! If not, don't lose faith, revisit the steps and ensure you didn't mistype or overlook something, this is so tedious it's easy to do. For instance, if you mistype your of=xxx it will create the file instead and give no error.
Post with your success stories, questions or difficulties and I'll try to help.
Yours Truly,
TheKiln
UPDATE/WARNING: Do not at any time under any circumstances dd directly from your host computer to the internal memory on your tablet, only do this via the asb shell. This may render a mode that I have not yet found a fix to, I will be working on it soon but from initial observation may be more complicated then the above instructions. With any invasive hacks like this tutorial there is always the possibility of making matters worse, so exercise caution and patience.

Quick Update/Revision : I am actively experimenting with this device and wanted to share that if your sbl1 and sbl1b partition is corrupt I have confirmed it will also cause 9008 mode. Therefore, it may be best to determine if the table is corrupt (try "parted /dev/block/mmcblk print"), and if not instead of wiping rewriting mmcblk0 try restoring sbl1 and sbl1b first. The V410 boots in the following order from what I can tell slb1->aboot->boot->system. So far I haven't found a downside to my prior instructions but to be less invasive just in case it might be wise to try this amendment.

I know my grand partition is corrupt, because after doing fastboot erase, basically everything, it came up as /dev/sdb. In a panic, I had deleted all the partitions, so now obviously my emmc storage is one big formated 16gb HD that cannot be seen in windows or linux no longer.
I just tried your method, found this post by doing a google search for:
sudo dd if=PrimaryGPT_0.bin
Had been doing just this, including the laf and many other ways. Am still getting the same thing though when putting the sdcard in the tablet, shows a 0% battery.
with the sdcard in the tablet I do get:
Bus 003 Device 063: ID 05c6:f006 Qualcomm, Inc.
Then after a few minutes, leaving it plugged into the USB I get:
Bus 003 Device 058: ID 1004:61a1 LG Electronics, Inc.
Also, with the sdcard in I do get KDZ_FW_UPD_EN to start updating but then get a perimeter error.

bethnesbitt said:
I know my grand partition is corrupt, because after doing fastboot erase, basically everything, it came up as /dev/sdb. In a panic, I had deleted all the partitions, so now obviously my emmc storage is one big formated 16gb HD that cannot be seen in windows or linux no longer.
I just tried your method, found this post by doing a google search for:
sudo dd if=PrimaryGPT_0.bin
Had been doing just this, including the laf and many other ways. Am still getting the same thing though when putting the sdcard in the tablet, shows a 0% battery.
with the sdcard in the tablet I do get:
Bus 003 Device 063: ID 05c6:f006 Qualcomm, Inc.
Then after a few minutes, leaving it plugged into the USB I get:
Bus 003 Device 058: ID 1004:61a1 LG Electronics, Inc.
Also, with the sdcard in I do get KDZ_FW_UPD_EN to start updating but then get a perimeter error.
Click to expand...
Click to collapse
Ive seen the exact mode you are referring to. Three possibilities:
1.) unplugged, hold down the power button for 30 seconds (or less if fastboot comes up)
2.) your sd card does not have all the necessary partitions to boot (which i just confirmed are specifically rpm, rpmb, tz, tzb, sbl1, sbl1b, PrimaryGpt(has to be done first), aboot and abootb)
3) They didn't dd quite right. from my active testing Ive found if you script the dd'ing it doesn't quite flash right, unless you add a delay after each step.
Its actually a very good sign you are seeing the 0% battery logo, sounds like you are almost there. Let me know what happens. Ill be happy to help guide you. Ive dedicated my v410 as a dev board so Im constantly running tests and reverse engineering it.

The 0% only shows up with the sdcard in, after I remove it, nothing. Tried wall charging it all night, that did nothing.
My theory is that if there was some way to mount the raw emmc and dd the primarygpt.bin to the raw emmc hd then the rest would be not problem.
I deleted the original EMMC partitions in gparted under linux after doing an erase fastboot -w laf, system, etc... something like that. After that the tablet did not show up again in gparted as soon as I unplugged it.
Right now I'm zero dd'ing my 16gb sd card, dang dd'ing seems to glue the partitions to the sdcard, If I try to fdisk the sdcard or delete the partitions using gparted, as soon as I dd the primarygpt.bin the old files reappear. Need to start fresh with 0s to the card.
In windows I can actually install specific lg drivers while in qualcomm hs_usb 9008 mode. The interesting thing with the sdcard in I can install the LG Android Net USB serial driver, which will not work while in 9008 mode.

bethnesbitt said:
The 0% only shows up with the sdcard in, after I remove it, nothing. Tried wall charging it all night, that did nothing.
My theory is that if there was some way to mount the raw emmc and dd the primarygpt.bin to the raw emmc hd then the rest would be not problem.
I deleted the original EMMC partitions in gparted under linux after doing an erase fastboot -w laf, system, etc... something like that. After that the tablet did not show up again in gparted as soon as I unplugged it.
Right now I'm zero dd'ing my 16gb sd card, dang dd'ing seems to glue the partitions to the sdcard, If I try to fdisk the sdcard or delete the partitions using gparted, as soon as I dd the primarygpt.bin the old files reappear. Need to start fresh with 0s to the card.
In windows I can actually install specific lg drivers while in qualcomm hs_usb 9008 mode. The interesting thing with the sdcard in I can install the LG Android Net USB serial driver, which will not work while in 9008 mode.
Click to expand...
Click to collapse
The 0% comes up when your sdcard is inserted because you are close to getting it done. You're going to have your computer running all night on the zero'ing but I can assure you that will be in vein. The whole point of this tutorial is so you can get into a mode in which you can flash the emmc. I can tell you are a little lost in the steps so pm me and I'll help you out. Also a word to the wise, you can try all you want with windows and the 9008 drivers, but seriously there is nothing out there specific to the v410 thats going to help you "engage" the 9008 mode. Not being stubborn I've just literally tried it all. If it's any credit I am clinically OCD. I can't sleep till I figure things out.

Finally, I see a hope is shining here!
I bricked my LG VK810, when I was trying to flash twrp, I refered to v500 pad instead and I flashed wrong img files (aboot, boot, sb1, sb2, sb3, tz & twrp.img) "only those 6 files" so I only need to replace those with the correct files, which I downloaded now.
I do not have Ubuntu, however I have CentOS, which i have not used for couple of years, so I forgot how to use it. also do I still need to use the LG Firmware Extractor?
please help

thekiln said:
This is where it gets tedious...:
5.) Do some hand stretches and start charting all 34 partitions on paper. Your sdcard is now partitioned with GPT and you need to know the name of each partition and its path. I.e. ("Partition name: LAF Located at /dev/sdXx")
6.) now for the fun part: dd every .bin to the corresponding partition EXCEPT: laf.bin and any of the system_xxxxx.bin files. (laf disables fastboot and the next step will bring you to a useless LG firmware download mode)( I.e. sudo dd if=/PATHTODZFILES/laf_xxx.bin of=/dev/sdXx) If some fail out, don't fret too much, I'm currently uncertain which ones are required and don't feel like corrupting my tablet again to figure that out. If the next step doesn't work you may need to revisit this step and ensure everything was accurate. It's easy to write down the wrong location for a partition and throw everything off
Click to expand...
Click to collapse
Please please please help, how to do those steps!

nmnm4alll said:
Please please please help, how to do those steps!
Click to expand...
Click to collapse
I am not certain exactly which partitions have to be flashed, the attached note I made was from what I can tell so far. I was simply noting that it may be best to try one partition at a time vs doing them all at once, it is at your own descretion. So as far as listing the partitions, I'm not familuar with the centos distro but in Ubuntu it is something to the effect of fdisk /dev/sdb -l or gdisk /dev/sda then p. I hope that answers your question, If not please be more specific to your exact question.

thekiln said:
I am not certain exactly which partitions have to be flashed, the attached note I made was from what I can tell so far. I was simply noting that it may be best to try one partition at a time vs doing them all at once, it is at your own descretion. So as far as listing the partitions, I'm not familuar with the centos distro but in Ubuntu it is something to the effect of fdisk /dev/sdb -l or gdisk /dev/sda then p. I hope that answers your question, If not please be more specific to your exact question.
Click to expand...
Click to collapse
Thank you very much for your response, I am sorry I have never flashed partitions before, sbut I noticed gparted is not on CentOS, so I downloaded Puppy precise Linux as I was able to find gparted and I tried using it as shown in this video, https://www.youtube.com/watch?v=6z1Tu9l8WNc
But I am confused now about how big and what are the formats for the 34 partitions which need to be created?

nmnm4alll said:
Thank you very much for your response, I am sorry I have never flashed partitions before, sbut I noticed gparted is not on CentOS, so I downloaded Puppy precise Linux as I was able to find gparted and I tried using it as shown in this video, https://www.youtube.com/watch?v=6z1Tu9l8WNc
But I am confused now about how big and what are the formats for the 34 partitions which need to be created?
Click to expand...
Click to collapse
Flashing PrimaryGPT_0.bin will automatically create the partitions. Flashing the individual partitions will give each partition the data needed. There should be no need to manually create partitions, if no partitions show up in gparted, the problem goes back to primarygpt, as that is the partition table.

I am not quite sure what you mean by:
thekiln said:
5.) Do some hand stretches and start charting all 34 partitions on paper. Your sdcard is now partitioned with GPT and you need to know the name of each partition and its path. I.e. ("Partition name: LAF Located at /dev/sdXx")
Click to expand...
Click to collapse
how to can I get the Partition names?
Edit: I finally was able to get Ubuntu installed on my computer, so please instruct accordingly, sorry I have been googling everything you have mentioned in your OP with no luck!
Thanks in advance.

nmnm4alll said:
I am not quite sure what you mean by:
how to can I get the Partition names?
Edit: I finally was able to get Ubuntu installed on my computer, so please instruct accordingly, sorry I have been googling everything you have mentioned in your OP with no luck!
Thanks in advance.
Click to expand...
Click to collapse
For the names I like to use "parted /dev/sdb" then "print" (sdb being the location of the sd card, might be sdc, sdd, etc..)

thekiln said:
For the names I like to use "parted /dev/sdb" then "print" (sdb being the location of the sd card, might be sdc, sdd, etc..)
Click to expand...
Click to collapse
Thanks for the command line, I came up with this 36 partitions
https://www.dropbox.com/s/bw8nj317y3v7pw6/VirtualBox_Ubunto_05_01_2016_08_59_03.png?dl=0
now how do I know each partition's path?
you have mentioned "I.e. ("Partition name: LAF Located at /dev/sdXx")"
so do I type for example: "modem: LAF located at /dev/sdb1" (sdb1 is my sdcard's path)?
thekiln said:
6.) now for the fun part: dd every .bin to the corresponding partition EXCEPT: laf.bin and any of the system_xxxxx.bin files. (laf disables fastboot and the next step will bring you to a useless LG firmware download mode)( I.e. sudo dd if=/PATHTODZFILES/laf_xxx.bin of=/dev/sdXx) If some fail out, don't fret too much, I'm currently uncertain which ones are required and don't feel like corrupting my tablet again to figure that out. If the next step doesn't work you may need to revisit this step and ensure everything was accurate. It's easy to write down the wrong location for a partition and throw everything off
Click to expand...
Click to collapse
Those are the files got extracted from the DZ file
https://www.dropbox.com/s/z3ebiy4vvnsy9oo/Untitled.png?dl=0
and this is a screenshot in Ubuntu after copying the file on a 64 memory stick and mounting it
https://www.dropbox.com/s/gqn35n1npklq8ld/VirtualBox_Ubunto_05_01_2016_09_30_15.png?dl=0
Do I just type: "sudo dd if=/media/mike/MEMORY/aboot_153600.bin of=/dev/sdb1" and so on for all .bin files?
Please try to write command lines as I do not have experience with Linux

I'll be honest and blunt, if you do not have experience with linux, a simple keystroke mistake could wipe your entire computer. I can't in good conscience recommend touching dd if you're not familiar with it. Not trying to be condescending or anything just really dangerous tools we are working with here.

it have problem
wow !!! i can see the LG logo in my tablet !!!
but i can't run next step !!!
pushed power + volume up button but i never changed screen !!
This is written on the screen.
"boot certification verify"

please help me i copy 34 partition on SDcard after that what can i do? please answer , this does not work (( 8.) Press and hold power and volume up...If all went well, there is suddenly life to your paperweight!! Congratulate yourself and prepare for more fun... If nothing happened, revisit the above steps, more than likely something got flashed to the wrong partition.

Issue
Hello, I've successfully followed the tutorial until step 9. When i flash TWRP it reboots and comes back to the fastboot screen.
If I hold the vol+ button when it is booting, the download mode screen flashes for a second and then it comes back to the fastboot.
I haven't been able to to anything else and would be very grateful if someone could help me with this.
Apparently there is no bootloader so it is stuck
I attached a picture of my screen

LG G Pad 7.0 V400
Is there a way to unlock Qualcomm 9008 from LG V400?

Finally my dead tablet went into fastboot mode.
Except windows cannot find a fastboot driver and fastboot command can't locate the device either. Any suggestions?

[DISCUSSION][S7-SNAPDRAGON]Unlock Bootloader - R&D

Models: SM-G930_, SM-G935_ (Flat & Edge, all Snapdragon variants, NOT Exynos)
Developer thread only!
Work in Progress!
DONT flash anything on your phone unless you either a)Dont care of the result or b)Know what you're doing! I will take NO RESPONSIBILITY for you breaking your phone! Know the risks!
Research & Development Thread for Unlocking S7 bootloader
What is this thread?
This is a thread with all information (research) I can find regarding the locked bootloader for the S7 Snapdragon (Exynos has been unlocked so this thread will NOT cover that.) There are a lot of great seasoned Devs out there, but it seems all have given up, or remained in the dark. Flagships like the S7 we all bought because they're amazing phones, but it appears the future is locked bootloaders; if you're here then you're interested in custom ROMs. If we give up and can't 'crack this', then I'm afraid amazing phones like this will never get custom ROMs, ie, that will be a thing of the past.
In other words, there doesn't appear to be any development anymore on trying to unlock the bootloader. Hope is lost... or is it? Therefore, we need new talent. We need a new generation of developers walking into the game knowing that what they're trying to do is almost impossible. I'm hoping this thread will quickly bring any developer up to speed so we can get some "unlocking Dev rookies". We are recruiting! Come here and ask questions regarding this so hopefully you can figure this out!
I'm going to update from time to time the first few posts with critical info, links to info, etc. My goal with this thread is to put all of the great information from the community in one place. I don't way people to have to search this entire thread, rather get the info quick so they can begin developing quick, so we can get an unlocked bootloader, QUICK!
Remember, there were previous locked bootloaders, but many of them have been cracked so let's take away the 'impossibility factor'!
Who is this thread for?
Anyone that wants to quickly be brought up to speed on the S7 locked bootload status, all the hurdles, etc
Developers that want to be part of the future of locked bootloaders and something great!
Who can post and what posts are allowed?
Anyone with PRODUCTIVE comments towards unlocking the bootloader or efforts already completed (regarding of fail or success)
Developers working on this initiative
Developers with questions for other developers regarding this
Wanna-be developers with questions (There is no shame, and you never know if YOU just might be the rookie dev we're looking for to unlock this! If you're willing to try something to potentially brick your device, then you can play here Or maybe you might throw out an idea that might spark an idea with someone else that leads to an unlock.)
Links to things that have been attempted
Information you think people should know regarding this, that's not already listed. Or information you think should be in the original post so people can easily see it. (I don't want great info hidden deep in the thread, rather on the first page)
Keep me honest! If I post nonsense or inaccurate information, WE NEED you to correct me! Last thing I want to do is steer anyone in the wrong direction!
What NOT to post:
"+1"
"Thanks"
Petitions
Bounties
ANYTHING NEGATIVE! Negative Nancy, PLEASE go away!!
Etc. In other words, DONT waste thread space with nonsense. (Don't let that comment confuse you however with the 'very welcoming' questions from developers; This SHOULD be a collaborative thread. Productive input certainly welcome.) The idea is to QUICKLY allow someone to read this and get ALL the info to start trying to crack this. Going through pages and pages of irrelevant or useless comments will only make the goal more difficult, or prevent our new rookies from coming up to speed and trying to unlock this bootloader.
Who am I and what am I trying to get out of this?
I'm an application engineer and developer that bought an S7 from Tmobile and found out the hard way it had no way to get a custom rom, despite TMobiles past of typically allowing this. I'm frustrated like you all & want my phone unlocked, pure and simple! Besides, this is a community, and what better of an agenda than to try and conquer what others have said, "that's impossible"!
Other Notes:
MANY, many thanks to all the contributors out there!!! I got most of this information from other forums on XDA!
Following few posts will have resources and additional links. This thread is new so I'll find a good organization method in time.
PLEASE subscribe if you are (or want to be) a contributing developer, or have anything to add - or if you can answer others questions. I think a lot of this knowledge will expand to other devices, and not just Samsung, but future devices as well.
Please let me know of anything to fix with this thread, like tags, thread description, etc.
Make sure to send the link to this thread to people you think might be interested (but don't spam them!) Or post a link to this thread in other seemingly dead threads on unlocking this bootloader. Alone it just may be impossible to do this...but as a community, sharing all of our knowledge...we can do this!
Still not motivated to do this? Try this: https://www.google.com/webhp?source...=1&espv=2&ie=UTF-8#q=s7+bootloader+bounties&*
If you found this thread useful hit "Thanks"!
.

Information
Quick facts
Exynos bootloader is unlockable, which is why we won't talk about that here!
S7 Variants https://en.wikipedia.org/wiki/Samsung_Galaxy_S7#Variants
US & China use a Snapdragon processor, all other locations use the Exynos
Knox counter: will void warranty (if you still have one!) Most could careless if there's a remote possibility of unlocking the bootloader. Methods or tampering could possibly trip this counter.
Mostly when people say a phone is "locked", they mean locked to a CARRIER. That is NOT what we're talking about here - we're talking about a locked bootloader which allows you to install a custom ROM.
FRP: (Factory Reset Protection) Requires username/pass after factory resetting http://www.androidcentral.com/factory-reset-protection-what-you-need-know Reset: https://forum.xda-developers.com/galaxy-s7/how-to/samsung-factory-reset-protection-gmail-t3446788
Bootloader version: PhoneSettings->AboutPhone->Baseband version: 5th from last number.
Ex: Bbaseband: G935UUES4AQC1 = Bootloader version 4 @thescorpion420 (Tmobile & U = ver4, China=ver2)
Locked bootloader
Easy way to tell you bootloader locked status(?)
What is the bootloader? Part of the Android boot process. See all about it here: http://newandroidbook.com/
Why can't we currently unlock the bootloader? There is something called the chain of trust, whereby 'everything' from when the phone first turns on, through each 'piece' it verifies the contents of the flash is legit and from a listed trusted source (either Samsung or carrier). What controls this is the current, existing software/FW on your phone. So if we took what's there and removed these checks, we currently don't have a way to write this to your phone, since "we" aren't from the list of trusted sources. How do they enforce this? The images need to be digitally signed.
What does it mean to digitally sign a file (or image, FW in our case)? There is a private key and public key. Samsung and/or Carrier have the private key, your phone has the public key. Author writes a new SW package, then uses a tool to get a checksum. The checksum gets encrypted with the private key. The encrypted checksum gets appended to the SW package. Using OTA (over the air deployment) or ODIN, we push the package to the phone. The phone decrypts the appended encrypted checksum using its public key, does a checksum on the remaining package, and makes sure they both match. Now you can see why we can't fake this! Only way would be to find an exploit or get the private key so we can sign these ourselves!

Links (relevant threads)
Potential way to unlock bootloader? https://forum.xda-developers.com/tmobile-s7-edge/help/potential-to-unlock-bootloader-t3544220
ROOT DISCUSSION / TEKXv2 Dev Thread Extension SM-G935T - Dev Section / Discoveries https://forum.xda-developers.com/tmobile-s7-edge/how-to/root-discussion-future-sticky-root-t3327399
G935AVPT cross bootloader, flash Chinese Version , support ALL lte band,Knox stil 0!! https://forum.xda-developers.com/ve...ross-bootloader-flash-chinese-t3432190/page15 or
https://forum.xda-developers.com/att-s7-edge/how-to/g935avpt-cross-bootloader-flash-chinese-t3435043
High-level explanation on whats going on with this locked bootloader: https://www.xda-developers.com/galaxy-s7-bootloader-lock-explained-you-might-not-get-aosp-after-all/
Resources
Android Internals: A Confectioner's Cookbook http://newandroidbook.com/
Many thanks to Jonathan Levin for releasing that to the public for free, but please support his work via the other listed means. Also Reverse Engineering Aboot: http://newandroidbook.com/Articles/aboot.html
Samsung Source (Tmobile) http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=SM-G930T
Bootloaders, Encryption, Signing http://www.androidpolice.com/2011/0...ncryption-signing-and-locking-let-me-explain/
LOCK download mode (opposite but might have useful info) https://ge0n0sis.github.io/posts/20...-mode-using-an-undocumented-feature-of-aboot/

Tools
Phone Apps
Root Browser app (doesnt need root) access all files on phone (across ALL partitions?) https://play.google.com/store/apps/details?id=com.jrummy.root.browserfree&hl=en
Phone INFO (get info about phone) https://play.google.com/store/apps/details?id=org.vndnguyen.phoneinfo&hl=en
Other
S7 USB driver http://samsungodin.com/SamsungUSBDriver/USB_Drivers_1.5.27.0.rar
ADB (Install Android SDK)
DD: https://forum.xda-developers.com/showthread.php?t=1153991 (can be "disk destroyer" if used stupidly)
Sandbox: Possible to make a virtual S7 to test on? (including ALL partitions such as aboot, etc)
Ubunto VM: How to build a Linux VM for Dev & testing on this: http://imicrov.com/small-tech/android-development/android-development-with-ubuntu-in-virtualbox VMWare: http://www.vmware.com/products/player/playerpro-evaluation.html Ubunto image: http://www.osboxes.org/ubuntu/

Flashing
Info https://code.tutsplus.com/articles/an-introduction-to-android-firmware--cms-26791
Firmware (Android ROM) is stored in a writable form of memory called NAND flash memory, the same type of memory that is used in storage devices, such as USB sticks and SD cards
Bootloader more info
Ways to Flash
ODIN - Odin3_v3.12_PrinceComsy (ODIN is Samsungs replacement of Fastboot) https://www.androidfilehost.com/?fid=24591023225177749 or http://samsungodin.com/ (?)
ODIN is the only possible way (that we know of). You push a download from PC to phone, it runs checksum and signature verification, if it doesnt match what it expects, it never writes from memory to phone and throws away image. This intense security likely due to Samsung pay.
ADB - No standard way to do this, but maybe something creative might work...
Heimdall https://forum.xda-developers.com/galaxy-s7/how-to/guide-heimdall-to-flash-firmware-t3452904 (still work? couple years since updated) Sourcecode: https://github.com/Benjamin-Dobell/Heimdall
USB jig: https://forum.xda-developers.com/galaxy-s7/accessories/usb-jig-t3347793/page4 eBay: http://www.ebay.com/sch/i.html?_odk....H0.Xusb+jig+s7.TRS0&_nkw=usb+jig+s7&_sacat=0 Or make your own: http://www.instructables.com/id/USB-JIG-to-give-life-to-your-Bricked-mobile/
SD card: https://forum.xda-developers.com/showpost.php?p=69235306&postcount=38
Z3X Box: eBay: http://www.ebay.com/itm/2016-Z3X-BO...I-Unlock-Flash-Tool-C3300KCable-/291810363162
Safestrap(?)
Flash Errors & What they mean:
Failed aboot Fused 2> binary 1 - bootloader error: ?
SECURE CHECK FAIL: No Bueno! You're trying to flash something that's not digitally signed correctly
Firmware/Files:
AP (Application Processor or PDA or Android Partition): Android. System partition with recovery, etc. Recovery, kernel and ROM will be in this file. This is the only FW that is open source.
Typical contents of update.zip:
android-info.txt: Text file specifying the prerequisites of the build, such as the version numbers of the bootloader and the radio firmware that the build needs
boot.img: Binary file that contains both a Linux kernel and a ramdisk in the form of a GZIP archive. The kernel is a boot executable zImage that can be used by the bootloader. The ramdisk, on the other hand, is a read-only filesystem that is mounted by the kernel during the boot process. It contains the well known init process, the first process started by any Linux-based operating system. It also contains various daemons such as adbd and healthd, which are started by the init process More info
recovery.img: Very similar to boot.img. It has a boot executable kernel file the bootloader can use and a ramdisk. Consequently, the recovery image too can be used to start an Android device. When it is used, instead of Android, a very limited operating system is started that allows the user to perform administrative operations, such as resetting the device's user data, installing new firmware, and creating backups.
system.img: Partition image thats mounted on the empty system directory from boot.img. Contains the Android OS binaries as well as system apps, fonts, framework JAR files, libraries, media codecs, bloatware, etc. (Most used for flashing a custom ROM)
userdata.img: Partition image that will be mounted on the empty data directory from boot.img. Custom ROMs typically come with this image as blank so that it resets the contents of the data directory.
BL (Bootloader): Proprietary code that is responsible for starting the Android operating system when an Android device is powered on. Typically, it checks if the operating system it is starting is authentic as well. (Checks if the boot partition has been signed using a unique OEM key, which belongs to the device manufacturer, & is private.) Ie, Locked bootloader. Fastboot, IF allowed on a device, disables this check.
CP (Core Processor): Modem. This proprietary Radio firmware is another operating system on an independent processor called a baseband processor, independent of Android. This adds the cellular radio capabilities of the device like 3g & LTE. Qualcomm, etc develop this FW.
CSC (Consumer Software Customization): It is specific to geographical region and carriers. It contains the software packages specific to that region, carrier branding and APN setting. Eg Wi-Fi Calling. Flashing will lose your data (factory reset). Variations of CSC may retain data.
PIT files (Partition Information Tables) (Danger! Dont flash these unless you know what youre doing!)
Different variants of the S7 have different partition sizes; same phone/same carrier with different storage size have different PIT. One issues people were having flashing images for other variants is that the partition would fill up. A workaround would be to reformat with a correct PIT file and check "repartition" in ODIN. More info via @[Ramad] https://forum.xda-developers.com/sho...d.php?t=999097
"Get PIT for mapping" error while flashing (indicates you need a PIT file to flash what youre trying to flash)
-Extract current PIT file from phone: http://www.**********.com/how-to-ext...alaxy-devices/ (need root)

Unlock Methods
High-Level Ways to Unlock:
Get leaked private key so we can sign our own images
Find exploits
Dev bootloader gets leaked
?
What does work:
Can flash digitally signed images
Can write to partitions with engineering kernel
Ideas:
Use engineering kernel that has root to somehow modify bootloader partition to remove digital signature checks - at level/entry point can or should this be done? (ie, where in boot process at a minimum do we need to remove the check?)
Thread on installing LineageOS on bootloader locked Note 3: (this possible on our device?) https://forum.xda-developers.com/redmi-note-3/how-to/kate-guide-install-lineage-os-locked-t3546154
Thread on Recovery for locked bootloaders by @hsbadr : (work on our device?) https://forum.xda-developers.com/an...g/tool-multirom-recovery-replacement-t3102395
...Reading sdd10 line by line. I did find an entry "Device is unlocked! Skipping verification...". I'm starting to think we need to look into recovery-side exploits" @Flippy125 https://forum.xda-developers.com/tmobile-s7-edge/help/potential-to-unlock-bootloader-t3544220/page2
Back rev bootloader version (or other partition) to reintroduce security exploits (dont believe you can backrev though, easily) dd Chinese version? (Hard brick?) https://forum.xda-developers.com/showpost.php?p=70977356&postcount=39 @thescorpion420
Exploits: (known existing)
SD card most vulnerable?
Samsung Source available I believe (in its entirety though? See Resources links above) Perhaps viewing this may reveal exploits
?
Attempted Methods:
OEM Unlock in Android Settings menu: YES! We tried that!
Flashed Chinese images via ODIN. People used PIT (Partition Information Table) files and checked reformat partitions in ODIN and still failed.
Result: Errors during flash process, won't take, "Thread Failed" error
Chinese bootloader is v2 where all US models are v4(? How to determine?)
Convert Chinese ROM to another variant: https://forum.xda-developers.com/android/general/guide-how-to-convert-chinese-roms-based-t3577469
Use CROM app (Chinese phones have this app to unlock their phones):
Result: This app communicates to Samsung servers and ends up writing a flag (kiwibird?) to STEADY partition. US phones dont have this partition so this currently wont work.
Dirty cow exploit - (didnt work) indicated by @Binary100100

Android OS & Everything about it
Engboot kernel write protection seems to be off, so it appears you can use dd to write to normally write protected partitions such as the bootloaders (ex: "dd if=/sdcard/aboot of=/dev/block/sdd10"). In my testing I was successfully "dd" a backed up aboot (secondary bootloader) partition and also write to the modem partition and have it stick @qwewqa
MBN files: Multi boot binary firmware. Mostly used with Samsung, binary data for storing the device's memory partitions, such as the resources and power manager, secondary boot loader, AP boot loader, and trust zone. Can't just edit, need source then compiling creates mbn files? Info: https://www.quora.com/What-is-mbn-file-format-where-is-it-used https://forum.xda-developers.com/showpost.php?p=29787988&postcount=31
Create MBN: https://forum.xda-developers.com/showpost.php?p=28145975&postcount=198 Moreinfo: https://forum.xda-developers.com/showpost.php?p=28149932&postcount=212
Cook custom ROM: https://forum.xda-developers.com/showthread.php?t=901417
Extract mbn files using unyaffsmbn: https://forum.xda-developers.com/showpost.php?p=6303911&postcount=827
How to get existing versions, eg, bootloader version? (Many versions are in Phone->Settings->About device)
Partitions... needed to be modified(?) @qwewqa https://forum.xda-developers.com/tmobile-s7-edge/help/potential-to-unlock-bootloader-t3544220
- rpm (Resource and Power Manager / Primary Bootloader) located at /dev/block/sdd1 (/dev/block/bootdevice/by-name/rpm)
- aboot (AP Bootloader / Secondary Bootloader) located at /dev/block/sdd10 (/dev/block/bootdevice/by-name/aboot)
- xbl (Extended Bootloader) located at /dev/block/sdb1 (/dev/block/bootdevice/by-name/xbl)
- ? located at /dev/block/sdc1
- Sdd1 is the primary bootloader
Boot Process @qwewqa
RPM = Resource and Power Manager = Primary Bootloader
ABoot = AP Bootloader = Secondary Bootloader
I believe the boot process is "RPM > ABoot > boot.img (Main OS)", so both the rpm and aboot file would be needed
Partitions (Correct? via @silentwind827)
https://forum.xda-developers.com/android/general/info-android-device-partitions-basic-t3586565
https://source.android.com/devices/bootloader/partitions-images
http://davinci-michelangelo-os.com/2017/01/22/edit-init-rc-android/
ls -l /dev/block/bootdevice/by-name/
cat /proc/partitions
/dev/block/sda1 => modemst1
/dev/block/sda2 => modemst2
/dev/block/sda3 => fsc
/dev/block/sda4 => ssd
/dev/block/sda5 => persist
/dev/block/sda6 => efs
/dev/block/sda7 => param
/dev/block/sda8 => misc
/dev/block/sda9 => keystore
/dev/block/sda10 => devcfg
/dev/block/sda11 => frp
/dev/block/sda12 => bota
/dev/block/sda13 => fota
/dev/block/sda14 => persistent [edited]
/dev/block/sda15 => apnhlos
/dev/block/sda16 => modem
/dev/block/sda17 => boot (Kernel, RAMdisk, & boot images get flashed here see link above for details)
/dev/block/sda18 => recovery
/dev/block/sda19 => persdata
/dev/block/sda20 => system
/dev/block/sda21 => cache
/dev/block/sda22 => userdata
/dev/block/sdb1 => xbl
/dev/block/sdd1 => rpm
/dev/block/sdd2 => tz
/dev/block/sdd3 => hyp
/dev/block/sdd4 => fsg
/dev/block/sdd5 => sec
/dev/block/sdd6 => pmic
/dev/block/sdd7 => dsp
/dev/block/sdd8 => dip
/dev/block/sdd9 => mdtp
/dev/block/sdd10 => aboot
/dev/block/sdd11 => devinfo
/dev/block/sdd12 => bluetooth
/dev/block/sdd13 => lksecapp
/dev/block/sdd14 => keymaster
/dev/block/sdd15 => cmnlib
/dev/block/sdd16 => cmnlib64
/dev/block/sdd17 => apdp
/dev/block/sdd18 => msadp
/dev/block/sdd19 => dpo
/dev/block/sdd20 => ddr
/dev/block/sdd21 => pad

Restore Stock Methods
(Since we need a way to fix a bricked phone while we're trying to break it!)
Hard bricks likely not restorable though?)
Note: Not all of these methods will work, depending on how bad you bricked your phone.
https://www.androidsage.com/2016/03/...ware-download/
How to Fix a Bootloop: Turn off your device and reboot into recovery mode by press and holding Power + Volume down + Home keys for a few seconds. From the Recovery, select Wipe Data / Factory Reset. Confirm the action and reboot once done. Your device should now boot up.
Samsung Kies & Samsung Smart Switch https://forum.xda-developers.com/galaxy-s7/how-to/guide-revert-to-stock-anytime-kies-t3396314
Stock Files
Stock Files Collection https://forum.xda-developers.com/galaxy-s7/how-to/s7-s7e-stock-rom-bootloader-modem-t3383963
[Collection] Firmware/ROM Full, PIT Files https://forum.xda-developers.com/galaxy-s7/how-to/collection-firmware-rom-pit-files-t3326707

Alternatives to unlocked bootloader
A Quick and Simple Summary list of things to get by until we get custom roms:
[ROM][TMOBILE][S7_SM-G930T][Oreo Rooted]
Use Engineering kernel to get root https://forum.xda-developers.com/tm...eres-how-rooted-nougat-s7-edge-g935t-t3567502 (SOME people complain of lag with the engineering kernel)
Remove bloatware:
Debloater by @gatesjunior (Works on latest Android with root) https://forum.xda-developers.com/android/software/debloater-remove-carrier-bloat-t2998294
Other apps: Titanium Backup, Package Disabler Pro, Root Package Disabler
Freeze these apps: https://forum.xda-developers.com/galaxy-s7/how-to/touchwiz-bloatware-save-to-remove-list-t3330241
Stock ROM Engineering kernel modified, with root (NOT installed traditionally via recovery like TWRP) Ex: https://forum.xda-developers.com/tmobile-s7-edge/development/rom-t3572739 by @jrkruse or https://forum.xda-developers.com/tm...ekx-dev-deodex-systemui-3minit-multi-t3411776 by @TEKHD
xposed not available yet for nougat as of 4/1/2017

kevin712467 said:
Alternatives to unlocked bootloader
A Quick and Simple Summary list of things to get by until we get custom roms:
Use Engineering kernel to get root https://forum.xda-developers.com/tm...eres-how-rooted-nougat-s7-edge-g935t-t3567502 (SOME people complain of lag with the engineering kernel)
Remove bloatware:
Debloater by @gatesjunior (This still work?) https://forum.xda-developers.com/android/software/debloater-remove-carrier-bloat-t2998294
Other apps: Titanium Backup, Package Disabler Pro, Root Package Disabler
Freeze these apps: https://forum.xda-developers.com/galaxy-s7/how-to/touchwiz-bloatware-save-to-remove-list-t3330241
xposed not available yet for nougat as of 4/1/2017
Click to expand...
Click to collapse
Not on the newer versions of Android unless rooted, then it does.

Does anyone know if the phone boots differently when using a)the SD card boot & b)USB jig? Or z3x box? If so, how? (I'm guessing the jig boots the same as button pressing into download mode, but wanted to leave no leaf unturned!) Knowing this might open some doors of vulnerability if it boots differently. All the reading I did about this, I haven't read about anyone trying to flash an image via either of these methods. (I'm assuming & hoping this is even possible & you can actually boot off the SD card, if not at least install via SD) Testers?! (Reference "Flashing -> Ways to Flash" above for details, links.)

can try on your phone 7 edge

kevin712467 said:
Alternatives to unlocked bootloader
A Quick and Simple Summary list of things to get by until we get custom roms:
Use Engineering kernel to get root https://forum.xda-developers.com/tm...eres-how-rooted-nougat-s7-edge-g935t-t3567502 (SOME people complain of lag with the engineering kernel)
Remove bloatware:
Debloater by @gatesjunior (Works on latest Android with root) https://forum.xda-developers.com/android/software/debloater-remove-carrier-bloat-t2998294
Other apps: Titanium Backup, Package Disabler Pro, Root Package Disabler
Freeze these apps: https://forum.xda-developers.com/galaxy-s7/how-to/touchwiz-bloatware-save-to-remove-list-t3330241
Stock ROM Engineering kernel modified, with root (NOT installed traditionally via recovery like TWRP) Ex: https://forum.xda-developers.com/tmobile-s7-edge/development/rom-t3572739 by @jrkruse or https://forum.xda-developers.com/tm...ekx-dev-deodex-systemui-3minit-multi-t3411776 by @TEKHD
xposed not available yet for nougat as of 4/1/2017
Click to expand...
Click to collapse
well ive been reading the BL.mdf file and how ive done it if you delete the mdf extension and etract it as a tar file youll get three files with encryption, some of it is readable i'm studying the code and looking for loop holes. however i have tried flashing the G935F BL file on my G935V and it gives me an device ID not supported error so if we can somehow implant the US models device ID to the G935F BL file we should have an unlocked bootloader. it's just a theory but i believe this would be a great start for us models of the s7 edge.

kenshin6106 said:
well ive been reading the BL.mdf file and how ive done it if you delete the mdf extension and etract it as a tar file youll get three files with encryption, some of it is readable i'm studying the code and looking for loop holes. however i have tried flashing the G935F BL file on my G935V and it gives me an device ID not supported error so if we can somehow implant the US models device ID to the G935F BL file we should have an unlocked bootloader. it's just a theory but i believe this would be a great start for us models of the s7 edge.
Click to expand...
Click to collapse
The 935f bootloader is for exynos, you want to flash the 9350 bootloader. Odds are if you succeeded in flashing the 935f bootloader you'd have a nice shiny paperweight.

kenshin6106 said:
well ive been reading the BL.mdf file and how ive done it if you delete the mdf extension and etract it as a tar file youll get three files with encryption, some of it is readable i'm studying the code and looking for loop holes. however i have tried flashing the G935F BL file on my G935V and it gives me an device ID not supported error so if we can somehow implant the US models device ID to the G935F BL file we should have an unlocked bootloader. it's just a theory but i believe this would be a great start for us models of the s7 edge.
Click to expand...
Click to collapse
Where are you finding a "BL.mdf" file? I'm looking at stock images and see mostly mbn, bin, and img files. Is this an extraction of one of these files, images? Not sure this will help but here they talk about "brushing" (flashing) 'pick and choose' images making a compilation for a full flash (like pick US modem, with chinese bl, etc) & the Chinese are successful using US "pieces"/images despite having a different phone variant https://forum.xda-developers.com/ve...g935v-cross-bootloader-flash-chinese-t3432190 Another possible way could be the opposite of what you're trying: implant the international device ID on our phone so the image can flash without your error. (via engineering kernel possible to change this value, wherever it sits?)
Also, another thought: I wonder if there's a way to modify the PC ODIN tool (or Heimdall since that source is easily available) to add functions to talk to "hidden functions" on ODIN (on the phone) to unlock it that way. Or modify it to turn it more into an interactive console so we can navigate and investigate the phone's ODIN program. Does anyone know if the ODIN source for the phone side has been leaked? If not, any intelligent folks out there know how to 'reveal' all methods so we can go through it and maybe find exploits? (This been done already?)
One more thing: Those thinking the S8 is nearly out now so let's give up... Well, can anyone predict the future like I can?!! I'm SURE it will be locked as well. I wouldn't be surprised however if any exploit we can find for the S7 will be relevant on the S8!
Thanks for the efforts kenshin6106 ! And all the viewers of this thread make sure to hit the "Thanks" button on the bottom right of the developers posts to show your support. Remember, most think this is a dead subject, let's change that mentality!!

Can anyone please indicate what images or partitions are allowed to be downgraded, version-wise (if any)? I'm reading conflicting information - or its hard to tell if the bl rejected it due to a fundamental error or because it will not allow down-reving, whereby it would be possible had an acceptable image been used. eg, I read the bootloader cannot go from ver4 (US) to ver2 (Chinese). I'm not sure what's accurate. And Does ODIN/bootloader allow you to go from Nougat to Marshmellow? Knowing this will help with our unlocking methods...

Any instructions on how to flash g930p to u firmware I get errors

Bump.

I have a rooted SM-G930v using the engineering kernel, but I find the limitations of having a locked bootloader hyper-frustrating. In fact, I started researching which non-samsung android phone will be my next. (Looking at the Huawei P10/P11). I've been trying to use Magisk, TWRP, and a few other tools and have come to the realization that none of these are possible with a locked bootloader. Why is it that the Chinese variants have unlocked bootloaders? Samsung surely didn't make the decision to lock down their devices. It must be the US carriers that insist on locking down their devices and systems so that people can't modify certain apps, systems, and roms. Like bloatware for example. We just can't have nice things.
I wish I had more time to work on this, but I am not very experienced and I would almost rather get a similar device that is easier to root. I will however follow this thread and contribute what I can.

Chiller252 said:
I have a rooted SM-G930v using the engineering kernel, but I find the limitations of having a locked bootloader hyper-frustrating. In fact, I started researching which non-samsung android phone will be my next. (Looking at the Huawei P10/P11). I've been trying to use Magisk, TWRP, and a few other tools and have come to the realization that none of these are possible with a locked bootloader. Why is it that the Chinese variants have unlocked bootloaders? Samsung surely didn't make the decision to lock down their devices. It must be the US carriers that insist on locking down their devices and systems so that people can't modify certain apps, systems, and roms. Like bloatware for example. We just can't have nice things.
I wish I had more time to work on this, but I am not very experienced and I would almost rather get a similar device that is easier to root. I will however follow this thread and contribute what I can.
Click to expand...
Click to collapse
Check out this thread - https://forum.xda-developers.com/s7...heoretical-variant-bootloader-unlock-t3627286
We need testers!!

[HOW-TO]Android 8.1 for Z00VD/ZC500TG

Hello people of XDA,
as I promised here, here's a tutorial for getting Android Oreo 8.1 up and running to your device.
NOTE: I DID NOT MAKE THIS TUTORIAL! This is a translated guide from 4PDA by nik-kst. I've also rehosted some of the files on Google Drive so you won't have to register on 4PDA(hopefully).
Code:
[B]Your warranty is now void. [/B]
I am not responsible for bricked devices, dead SD cards, thermonuclear war, or you getting fired because the alarm app failed. Please do some research if you have any concerns about features included in this ROM before flashing it! YOU are choosing to make these modifications, and if you point the finger at me for messing up your device, I will laugh at you.
Now that the disclaimer is dealt with, let's get on with this tutorial shall we?
First things first, we need to grab a bunch of things:
SP Flash Tool;
MediaTek VCOM Drivers;
The Stock Kernel(it will make sense to you soon!);
Scatter file for repartitioning, drop it inside the stock kernel folder(credit to fca.sjc);
ADB and Fastboot of your choice;
New recovery;
Oreo's Backup, drop it inside a MicroSD card or drop it once you have re-partitioned the device successfully;
Once you have everything setup and extracted, you're ready to go!
First, we gotta go ahead and install VCOM drivers - we won't be able to do anything to our phone without them.
If you're running Windows 8/10, make sure to disable Driver Signature Verification.
Go to Device Manager, click Action at the top and click Add legacy hardware. A new wizard window will appear.
Choose Install the hardware that I manually select from a list(Advanced);
In the next window, choose Show all devices and click Next, then click Have disk...
Then you will be prompted to direct to the driver install info, so click Browse...
Now go to the folder of drivers and select the Setup Information file that's fitting for your computer, x86 for 32-bit and x64 for 64-bit.
You should now find 5 new devices in the list, add them one by one by repeating steps 2 to 6 until you have all of them installed.
Windows might complain about unsigned drivers, just allow their installation and proceed.
If your ports list looks similar to the picture below, then you're set for the next step!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Next, we'll want to back up the NVRAM partition, because AFAIK, it keeps important unique data about your device such as WiFi, IMEI etc. data.
Note: You may want to take out your MicroSD card and SIM cards prior to this just in case. Also, might be the possible fix if readback for NVRAM fails(needs confirmation).
First, open up Flashtool.exe as admin and go to Readback tab;
Click on Add, a new item in the list will appear. You want to double-click on it, so that a Save File window would appear.
Save that file anywhere you want, name it whatever you like, for convenience I've named mine ROM_NVRAM.
Now, you'll want to find the address in the memory for NVRAM partition. To do this, open up the stock firmware(credit to fca.sjc) scatter file in a text editor(like Notepad++), and find line partition_name: nvram
In that paragraph, find two values: linear_start_addr and partition_size they should be 0x380000 and 0x500000 respectively.
Punch in those values into the Readback block start address window, so it should look something like this:
Now, click Read Back, it should gray out along with Add and Remove.
Now, turn off your device, pull out the battery for about 30 seconds, reinsert it and DO NOT TURN IT ON YET! With the Volume Down "-" button pressed, plug in your device into the USB port.
The NVRAM partition should've been read and you'll get a giant green tick sign when it's done.
Now that that's done, we can start repartitioning our device.
Make sure your SP FlashTool is running as admin, otherwise restart it as admin.
Open up the Download tab and in the line Scatter-loading File click Choose and navigate to the 8.1 scatter file, it should be named MT6580_Android_scatter_8.1.txt.
From the dropdown list, select Format All + Download.
Again, take out the battery for 30 seconds and put it back in WITHOUT turning it back on.
Now click Download, and with the Volume down "-" button held down, plug the device into your PC. There should be a bunch of colored progress bars at the bottom of the window.
Once it's done, you should get the giant tick pop-up, after which you can disconnect the device, and start it normally.
NOTE: it takes a while for the first launch, so give it some time!
Once it starts up into the first launch wizard, we can now restore the NVRAM.
In order to activate the memory writing function of SP FlashTool, re-start it with admin and press Ctrl + Alt + V, the window header should have (Advanced mode) now.
From the Window drop-down, select Write Memory, it should redirect you to a new tab named accordingly.
In the File Path field, browse to the ROM_NVRAM backup that you made earlier.
In the Begin Address (HEX) field, copy the linear_start_addr value off the scatter file.
The region should be left at EMMC_USER.
Now, click the Write memory button, turn off the device, re-insert the battery just like before, and connect the device with the Volume Down "-" button pressed.
It should begin the writing of the NVRAM and once it's done a giant tick pop-up will appear.
Now after that is done, boot into the OS, check that everything works, including IMEI and WiFi.
Also, during the setup wizard or later in the settings setup a screen lock with a pattern or a PIN or a password(credit to fca.sjc), because the partitions may remain encrypted and show 0mb(needs confirmation)
Now you'll want to unlock the bootloader and flash the TWRP recovery.
Now this is a standard recovery flash, but for a quick summary:
Enable Developer options;
Enable OEM unlocking;
Reboot into bootloader mode(I like to use ADB for adb reboot-bootloader);
Make sure your device is detected via fastboot devices, if not, google some drivers for ADB;
Unlock the bootloader via fastboot oem unlock, and press the Volume up button to confirm the bootloader unlocking.
Now, reboot the phone, it will take a while to reboot, DO NOT PANIC AND WAIT.
Now that we have bootloader unlocked, we can flash the TWRP:
Go into bootloader mode;
Confirm you are being detected again by fastboot devices;
Flash the recovery with fastboot flash recovery [twrp recovery name].img;
now, WITHOUT booting into system we boot into recovery and confirm it works.
Now that you've done all this, you propably want to run Oreo now, eh? Well, here's what we do now:
Note: make sure you have the Oreo's backup zip extracted at it's own folder inside your MicroSD card or inside the phone's internal storage by now(thanks @ZappaDong for letting me know)
From recovery, select Wipe > Advanced Wipe and select system and vendor, and wipe them. Logs may complain about not seeing vendor, ignore that message.
Then, we restore everything from the Oreo backup;
Finally, do a factory reset(aka wipe Data, Dalvik and cache);
And reboot!
Now, fingers crossed, you should be booting into a fully functional 8.1 Oreo! if you did, congratulations!
Please let me know if I've made any mistakes and/or this has worked for you.
All credits go to the awesome people at 4PDA, especially nik-kst(if you're reading this, you the real MVP!), below I've linked the sources I've written this guide from.
Nik-kst's guide to repartitioning the device for Oreo;
Nik-kst's post about the Stable Oreo ROM.

Reserved for possible FAQ in the future

@aurismat, Hey man it worked as expected ! However, I was a bit confused on the repartitioning part when selecting ''Format all+download'' option then clicking ''start'' will only give an error stating that the IMG file of ''vendor'' is missing. (I am using SP FLASH v5.1744)
But nevertheless, I tried the ''Download only'' option and lucky it worked as well. I just wanted to clarify should it be Format all +download or Download only? Or is there a missing corresponding IMG file for vendor ?

Hey @JustAnormalGuy,
It should've been Format All + Download.
Also I'm glad that my post has helped at least one person.
Thanks for pointing out this omitted detail though, I'll edit the post ASAP.

Thanks for the translation!
--- solved ---
I have tried it three times but never managed to back up the NVRAM partition.
Error: s_dl-get_fram_setting_fail (5054) see attached screenshot
-----------
I have used Win 10 on my Mac and it worked.
Now I am stuck at step "5. Unlock the bootloader via fastboot oem unlock, and press the Volume up button to confirm the bootloader unlocking."
this looks O.K. to me
----------------------------------
>fastboot oem unlock
...
(bootloader) Start unlock flow
OKAY [ 16.047s]
finished. total time: 16.047s
-----------------------------------
But now nothing happens after
-----------------------------------
> fastboot reboot
rebooting...
finished. total time: 0.000s
-----------------------------------
It's stuck in
[Fastboot Mode] <<==
=> FASTBOOT Moe ...
and nothing happens.
UPDATE
O.K. I have used the Power Button to switch it off and on again, there was a small Android for a few seconds and the phone rebooted the second time. Now I am waiting for it to finish booting.
UPDATE 2
TWRP is working now
And what TWRP.img should I use for
"3. Flash the recovery with fastboot flash recovery [twrp recovery name].img;"
in the next paragraph? Is this the "New recovery;" from the download section at the top?
Thank you!

Missing tips:
- Put both scatter files inside the stock kernel folder before starting.
-I used the stock scatter file for the NVRAM backup then the 8.1 scatter only for the Formal all+Download step.
- When you first run the stock ROM, set up a pin or a password, otherwise you will have failed to mount data in twrp and data will show as 0mb due to its encryption.

@aurismat does that WW file includes the new vendor release?
In the vendor, a bug was detected, the camera with the auto flash turned on, did not turn on (rather, it turned on and off immediately), the flash when shooting video.
Now everything works as it should: yes2:
Fixed vendor: 07/07/2018
https://yadi.sk/d/DUGRYLnc3YtADV

I did everything according with this tutorial. Sadly my mobile network is not connecting idk why. I get an error saying Simprocessor and it doesnt connect on mobile network. It detects the networks but wont connect. Im going back to stock until someone can help me fix it.

@ZappaDong:
Yes, you should use the one I provided the link at the list of downloads.
Also, a bit late and I may be wrong, but your DRAM reads may be hindered by a MicroSD card(confirmation needed). Try ejecting it before you read off the NVRAM.
@fca.sjc:
First of all, thanks for pointing out my missing tips.
I'm not really sure if it includes the fixed vendor. I didn't really have any issues with the camera's flash, so they already included it(?)(again, needs confirmation).
For failed connections, make sure you flashed the NVRAM correctly(hence why you should test the telephony after you've repartitioned to stock 5.0 with the NVRAM backup flashed).If you failed to do that, I was told you should be able to recover the NVRAM data with Maui(?) software(confirmation needed, once again).
Thanks to both of you for pointing out these tips, I'll update the guide and credit you when I'll have more time. Cheers!

[*]For failed connections, make sure you flashed the NVRAM correctly(hence why you should test the telephony after you've repartitioned to stock 5.0 with the NVRAM backup flashed).If you failed to do that, I was told you should be able to recover the NVRAM data with Maui(?) software(confirmation needed, once again).
[/LIST]
Click to expand...
Click to collapse
After repartition, wifi, 3g and mobile signal works fine. I just cant flash twrp after unlocking bootloader otherwise i get a bootloop (unable to mount data and storage). So after i installed twrp and wiped/restore vendor and system, i reflashed stock recovery to acess android and then, restarted again to recovery. At this point, i did the write memory step again, using old vendor and the new vendor. None seem to work. I even backed up NVRAM using TWRP at first to make sure i did it right and tried to restore from there and it doesnt seem to be an IMEI issue. Maybe it has something to do with the frequency. Im on Brazil right now and idk
It does recognize my Sim card, my number, it downloads the data operators and etc but it doesnt connect to the mobile signal idk why. The bug starts at the restore step so it has something to do with this part.
I just test stuff but im pretty experienced at flashing and reflashing, etc. I guess only a dev can help and i actually went back to 7.1 UHANS rom, wich i got from 4pda.ru. Before using this rom, I was having a bluetooth audio stream bug and Ive tested like 4-5 roms, one for each kernel that was there. Lets see if someone can help me with this, cause i want oreo for better bluetooth audio stream.
Thanks for your help so far. I really apreciate it. This device is very good and we dont see many mods here on xda for it.

aurismat said:
@ZappaDong:
Yes, you should use the one I provided the link at the list of downloads.
Also, a bit late and I may be wrong, but your DRAM reads may be hindered by a MicroSD card(confirmation needed). Try ejecting it before you read off the NVRAM.
Click to expand...
Click to collapse
Thanks again!
I am using Windows 10 (bootcamp on the iMac) now and I have read the description in the 'old' [ROOT/TWRP] thread but used the files you have provided.
TWRP is working now, but I got an error that the ZIP file on the SD card was corrupted. Maybe I have damaged it when copying it to the SD card under OS X.
I am just redownloading it with Windows 10 and give it another try. (Yandex is very slow now, about 60 KB/s)
------------------------------------------------------------------
UPDATE
I have downloaded "WW_Phone-user_810_O11019_1528478718_release.zip" again, put in on the SD card, booted into Recovery, wiped system and vendor and chose "Install" , selected the "WW_Phone-user_810_O11019_1528478718_release.zip" file.
But I still get an error message.
Installing zip file '/external_SD/WW ... release.zip'
Checking for digest file
Skipping Digest Check: no Digest file found
[IN RED]Invailid zip file format!
Error installing zip file '/ 'external_SD/WW ... release.zip' [/IN RED]
Updating partion details...
...done
I have just copied the zip file from the download folder to the SD card - have I missed anything?

ZappaDong said:
And what TWRP.img should I use for
"3. Flash the recovery with fastboot flash recovery [twrp recovery name].img;"
in the next paragraph? Is this the "New recovery;" from the download section at the top?
Thank you!
Click to expand...
Click to collapse
Yup that one

@ZappaDong, yeah I kind of forgot to mention again - you should've extracted the .zip in which the backup came in. It's a backup, not an installation zip.
It needs to be extracted into its own folder inside the MicroSD card, so that then it could be used by TWRP to recover the partitions.
Thanks for pointing this out to me though, gonna edit it ASAP.

@fca.sjc bro AFAIK that problem of yours could be because of one or more of the following:
1. Your IMEI is missing or null. I would suggest SN Write tool (since I already tried it). Is quite effective, it is comparable to Maui Meta although I haven't tried it yet. (Tutorial here ==> https://forum.hovatek.com/thread-12306.html )
It is better to use PC restore tools since it writes directly to the nvram unlike apks like Chamelephon which (according to what I know) writes only to nvdata.
2. You need to switch the sims. What i mean is just if you have 2 sims on your phone, switch sim 1 in with sim 2. I forgot the explanation on it but it helps.
3. You need to switch off data connection on the other sim. On the several roms I tried on 4pda including this 8.1 pixel based rom, upon first bootup, the data connection on both sims are already on, therefore 3G cannot work. So first turn both sim's connection off then check if network mode is set to 3G. If not do the Solution #2.

JustAnormalGuy said:
@fca.sjc bro AFAIK that problem of yours could be because of one or more of the following:
1. Your IMEI is missing or null. I would suggest SN Write tool (since I already tried it). Is quite effective, it is comparable to Maui Meta although I haven't tried it yet. (Tutorial here ==> https://forum.hovatek.com/thread-12306.html )
It is the best IMEI restore tool since it writes directly to the nvram. (Meaning it retains even after wipes to data, system etc. via twrp)
2. You need to switch the sims. What i mean is just if you have 2 sims on your phone, switch sim 1 with sim 2. I forgot the logic on how that helps but I've seen it as a solution as the phone rereads the sims.
3. You need to switch off data connection on the other sim. On the several roms I tried on 4pda including this 8.1 pixel based rom, upon first bootup, the data connection on both sims are already on, therefore 3G cannot work. So first turn both sim's connection off then check if network mode is set to 3G. If not do the Solution #2.
Click to expand...
Click to collapse
Thanks for your help bro. I did check the IMEI while i was on this oreo rom. It seem to be ok. Number was there but i did not check if it was the right number. I might check it when i try to flash again. Probably later today when i'm home.
The problem wasnt just data connection, it was the connection itself. I couldnt call or receive SMS to activate whatsapp, for example. Like i said previously, those features were ok after repartitioning (on stock repartitioned). After the restore step, i did check all network options, including data, network mode, network connections available,etc. I'll follow your tutorial to restore the IMEI if the numbers are different then. I'll remember to take some screenshots next time so you guys can help me figure out what the problem is. Thanks again

aurismat said:
@ZappaDongIt's a backup, not an installation zip.
Click to expand...
Click to collapse
Yes, that did the trick. The installation went through and everything seems to work now.
Thank you again for your patience.

I saw there in the forum 4pda that are doing roms project treble pro zenfone go, only that I can not understand the mode of installation, you know how?

Ricardo Flowers said:
I saw there in the forum 4pda that are doing roms project treble pro zenfone go, only that I can not understand the mode of installation, you know how?
Click to expand...
Click to collapse
Yeah, it is possible -
FIrstly you'd need a vendor image that has fixed RIL(telephony) - vendor off this thread's 8.1 has RIL broken in Treble ROMs.
Luckily you can get it off any 8.1 custom ROM off ska-vova in 4pda. Just download any of his .zips(i.e. his ResurrectionRemix ROM(which imo is just official ResRemix with their Russian preference for a browser, but fine)), flash them and then backup the /vendor off it(and /boot for good measure)
Buuuuut then you need a TWRP that supports system image flashing - not sure if the one I provided here has it, if it hasn't - I'll post it here.
Then all you need to do is flash the Treble image, restore the /vendor(and /boot if you need to) and hope for the best!
Sadly the Havoc OS 2.0, the only ARM A-Only Pie-based ROM available here didn't work for me - just straight bootloops.
Your mileage may vary - if you get the Havoc OS 2.0 instaled, I'd love to read about it.

aurismat said:
Yeah, it is possible -
FIrstly you'd need a vendor image that has fixed RIL(telephony) - vendor off this thread's 8.1 has RIL broken in Treble ROMs.
Luckily you can get it off any 8.1 custom ROM off ska-vova in 4pda. Just download any of his .zips(i.e. his ResurrectionRemix ROM(which imo is just official ResRemix with their Russian preference for a browser, but fine)), flash them and then backup the /vendor off it(and /boot for good measure)
Buuuuut then you need a TWRP that supports system image flashing - not sure if the one I provided here has it, if it hasn't - I'll post it here.
Then all you need to do is flash the Treble image, restore the /vendor(and /boot if you need to) and hope for the best!
Sadly the Havoc OS 2.0, the only ARM A-Only Pie-based ROM available here didn't work for me - just straight bootloops.
Your mileage may vary - if you get the Havoc OS 2.0 instaled, I'd love to read about it.
Click to expand...
Click to collapse
Can you do a tutorial? I did not quite understand how it installs. Sorry, google translate does not help.

Deleted

Did I brick my v20 H910/H915?

Bought an LG v20 H910.
One of the methods to change from standard ROM involved altering the phone to an H91510e.
Although the expected results from those instructions did not happen on this phone, afterward the phone WAS working as an H915.
Tried again with a different method to add TWRP to the (now) H915 but I fear it bricked.
1) I can get [fastboot mode] (vol-, then plug USB in) to come up but I have no idea from here how to get to install TWRP (or even it it did get installed).
2) Trying to enter [download mode] just gives me a colorful garbled screen.
3) Just trying now to turn on the phone says OS corrupted.
In [download mode] LGUP does run but it cannot determine the phone's model, so it won't do anything.
In [fastboot mode] the screen just has tiny writing that says "1140 fastboot mode" started, and above that it that has some data about the phone:
product_name - msm8886 64GB
variant - msm8886 64GB
bootloaded version -
baseband version -
carrier_info - N/A
serial_number - [serial number here]
signing - production
secure_boot - disabled
lock_state - locked
PS - The msm# above (8886) *could be* 9996 or 8996, etc. The print is way tiny and characters too close together. Can't really tell
Can anyone help?

ElMudshark said:
Bought an LG v20 H910.
One of the methods to change from standard ROM involved altering the phone to an H91510e.
Although the expected results from those instructions did not happen on this phone, afterward the phone WAS working as an H915.
Tried again with a different method to add TWRP to the (now) H915 but I fear it bricked.
1) I can get [fastboot mode] (vol-, then plug USB in) to come up but I have no idea from here how to get to install TWRP (or even it it did get installed).
2) Trying to enter [download mode] just gives me a colorful garbled screen.
3) Just trying now to turn on the phone says OS corrupted.
In [download mode] LGUP does run but it cannot determine the phone's model, so it won't do anything.
In [fastboot mode] the screen just has tiny writing that says "1140 fastboot mode" started, and above that it that has some data about the phone:
product_name - msm8886 64GB
variant - msm8886 64GB
bootloaded version -
baseband version -
carrier_info - N/A
serial_number - [serial number here]
signing - production
secure_boot - disabled
lock_state - locked
PS - The msm# above (8886) *could be* 9996 or 8996, etc. The print is way tiny and characters too close together. Can't really tell
Can anyone help?
Click to expand...
Click to collapse
Finish the H910 root guide and you'll be fine
Sent from my ONEPLUS A6010 using Tapatalk

clsA said:
Finish the H910 root guide and you'll be fine
Click to expand...
Click to collapse
Following the instructions at:
https://forum.xda-developers.com/v20/how-to/root-h910-v10m-t3664500
Do I have the wrong instructions? At one point the instructions say :
"Download this modified ... DirtySanta root package: [link] - Extract this somewhere that you can run adb and fastboot from."
But that [link] is dead so I found what I assumed to be the right "LG V20 Root Package.zip" and ran that, but later problems (where the instruction on what to manually type in and run) are obviously for different files than what came in my ZIP download. The instructions call for .BAT files, but I have .CMD files, and they're in a sub-folder.
Also, even though the next link also seems dead I managed to find and D/L h910-10r.zip.
Anyway, running "adb logcat -s dirtysanta" does open a CMD window that freezes after "beginning of system & beginning of main, then nothing.
In the other CMD window I'm supposed to run the .BAT files I do not have and the .CMD files will not run.
So, going back now to the instructions If I want to pick up where it failed, where do I go?
I suppose I must start the phone in fastboot mode but even so STEP1.CMD will not run.
I can run "JustRunMe.cmd" which opens a couple of DOS windows but in there steps 1 & 2 both fail.
Step 3 does /something/ on the phone (files transfers?) then the phone reboots to that LG logo screen and stays there forever.
Thanks. (Hoping that helps you to help me!)

ElMudshark said:
Following the instructions at:
https://forum.xda-developers.com/v20/how-to/root-h910-v10m-t3664500
Do I have the wrong instructions? At one point the instructions say :
"Download this modified ... DirtySanta root package: [link] - Extract this somewhere that you can run adb and fastboot from."
But that [link] is dead so I found what I assumed to be the right "LG V20 Root Package.zip" and ran that, but later problems (where the instruction on what to manually type in and run) are obviously for different files than what came in my ZIP download. The instructions call for .BAT files, but I have .CMD files, and they're in a sub-folder.
Also, even though the next link also seems dead I managed to find and D/L h910-10r.zip.
Anyway, running "adb logcat -s dirtysanta" does open a CMD window that freezes after "beginning of system & beginning of main, then nothing.
In the other CMD window I'm supposed to run the .BAT files I do not have and the .CMD files will not run.
So, going back now to the instructions If I want to pick up where it failed, where do I go?
I suppose I must start the phone in fastboot mode but even so STEP1.CMD will not run.
I can run "JustRunMe.cmd" which opens a couple of DOS windows but in there steps 1 & 2 both fail.
Step 3 does /something/ on the phone (files transfers?) then the phone reboots to that LG logo screen and stays there forever.
Thanks. (Hoping that helps you to help me!)
Click to expand...
Click to collapse
all the correct files to do the root guide are in my AFH here > https://www.androidfilehost.com/?w=files&flid=281250
theirs a Noob version of this guide here also > https://forum.xda-developers.com/showthread.php?t=3932999

clsA said:
all the correct files to do the root guide are in my AFH here > https://www.androidfilehost.com/?w=files&flid=281250 theirs a Noob version of this guide here also > https://forum.xda-developers.com/showthread.php?t=3932999
Click to expand...
Click to collapse
Trying to download the (15) files at that drop but (so far) one of the 1st several I've clicked on fails to d/l every time.
h910_root_pkg.zip seems to complete then I get a network error and the ZIP is corrupted. I tried mirrors, same result and I still have 13 files to go! The "full stock" d/l is another hour it says... Do you have another file drop or maybe all files in one ZIP?
Thanks. You're doing (as they say) the lord's work
PS 2 questions after looking over the instructions:
1) Nougat vs Oreo?
2) Once I have all the files can you tell me at what step in the instructions I should pick up at? The phone seems to be completely wiped out and I can only boot to "fastboot". Also, LGUP (that I have) will not recognize the model. The SDK says at the top left corner H910 and in the top right corner H915.

ElMudshark said:
Trying to download the (15) files at that drop but (so far) one of the 1st several I've clicked on fails to d/l every time.
h910_root_pkg.zip seems to complete then I get a network error and the ZIP is corrupted. I tried mirrors, same result and I still have 13 files to go! The "full stock" d/l is another hour it says... Do you have another file drop or maybe all files in one ZIP?
Thanks. You're doing (as they say) the lord's work
PS 2 questions after looking over the instructions:
1) Nougat vs Oreo?
2) Once I have all the files can you tell me at what step in the instructions I should pick up at? The phone seems to be completely wiped out and I can only boot to "fastboot". Also, LGUP (that I have) will not recognize the model. The SDK says at the top left corner H910 and in the top right corner H915.
Click to expand...
Click to collapse
Yes AFH is having issue today
The root package is all you need their
All the other links in the guide work fine
Sent from my ONEPLUS A6010 using Tapatalk

Have u been able to fix your phone???? This is me kn telegram @princedede . U can hala me

I have not. The one package I need AFH fails on me ("network error") every time I try to download it.

ElMudshark said:
I have not. The one package I need AFH fails on me ("network error") every time I try to download it.
Click to expand...
Click to collapse
why didn't you ask ?
here's your file > https://drive.google.com/open?id=1Vn6HUGMwCX8vZ48M6AZloikCMD82De7j
I just downloaded it again from AFH no problems

So, I have moved to a new v20. I was never able to get that file from AFH.
Anyone want to buy a (maybe not) bricked v20?
There's an insignificant crack in the lower right corner.
I *would* like to root the phone, primary reason being to get a real backup saved but once bitten...

clsA said:
why didn't you ask ?
here's your file > https://drive.google.com/open?id=1Vn6HUGMwCX8vZ48M6AZloikCMD82De7j
I just downloaded it again from AFH no problems
Click to expand...
Click to collapse
I just tried that link, maybe I waited too long but it fails me too.

ElMudshark said:
I just tried that link, maybe I waited too long but it fails me too.
Click to expand...
Click to collapse
Try now
https://www.androidfilehost.com/?fid=1395089523397955603
https://drive.google.com/file/d/1D79WTkqifCXciSWHTFNJJXpw99lzLWWO/view?usp=sharing
Sent from my ONEPLUS A6010 using Tapatalk

Still no good.
Chrome:
Google Drive
We're sorry. You can't access this item because it is in violation of our Terms of Service.
FireFox:
Google Drive
Sorry, the file you have requested does not exist.

ElMudshark said:
Still no good.
Chrome:
Google Drive
We're sorry. You can't access this item because it is in violation of our Terms of Service.
FireFox:
Google Drive
Sorry, the file you have requested does not exist.
Click to expand...
Click to collapse
I reuploaded it try now

AFH and Google Drive both each still fail me in the same way they have. No difference