(How I got) XZ premium Fingerprint Volte & WiFi calling WITHOUT bootloader unlock - Sony Xperia XZ Premium Guides, News, & Discussion

*This would not be possible without j4nn & his amazing temp root https://forum.xda-developers.com/xperia-xz1-compact/development/devonly-exploits-temp-root-to-backup-t3795510 please thank & donate 2 him!*
This is not really a "how 2 guide" because I am not good at explaining things like this. But I will try & explain how I did it. Because I have seen a lot of other people also searching for working Volte without unlocking their bootloader.
First I used j4nn's temp root guide & flashed old firmware & ran his magic program. Then I backed up my DRM keys (in case I want to unlock my bootloader someday). Then I stopped. And instead of unlocking my bootloader & while still in temp root.. I thought, maybe I can write to the OEM folder? So I typed
'mount -o rw,remount /oem' and that worked!
So.. I used another command window without closing the first one and pushed a new OEM folder to /data/local/temp
(I got the new OEM folder from US XZ1c firmware. You can also get that folder by searching for TMo-VoLTE-fix-v3.zip & unzipping it)
Then, I went back to the original temp root command window & used the 'cp' command to copy that new OEM file from data/local/temp over to my /OEM folder. I re-set the owner & file permissions rebooted.
After testing it, I was able 2 flash the latest (non US for working fp) Oreo by flashing like normal with Newflasher except I deleted the OEM.sin file, so it wouldn't write over my new one! Finally I disabled auto update.
Now my XZp is still bootloader locked, running 47.1.A.16.20 with Fingerprint, Volte & wifi calling all working on tmobile in the US.
I can actually receive calls at home now!! Before this, most of my calls went 2 vm, after a long pause.
I did also try it with pie & it didn't work for me. But, ymmv. I am sure it's possible tho. I was not impressed with pie anyways & I really hate that new volume popup window that covered my home & back keys in landscape mode.
One other note is because I have the dual sim XZp I changed my modem name in the modem.conf file from "tmobile_us_ims" to "dsds_tmobile_us_ims". I am not sure this is actually necessary tho because I have since looked in other ds Volte firmwares like Taiwan. And they don't use "dsds" in their modem.conf file

Robin Banks said:
*This would not be possible without j4nn & his amazing temp root https://forum.xda-developers.com/xperia-xz1-compact/development/devonly-exploits-temp-root-to-backup-t3795510 please thank & donate 2 him!*
This is not really a "how 2 guide" because I am not good at explaining things like this. But I will try & explain how I did it. Because I have seen a lot of other people also searching for working Volte without unlocking their bootloader.
First I used j4nn's temp root guide & flashed old firmware & ran his magic program. Then I backed up my DRM keys (in case I want to unlock my bootloader someday). Then I stopped. And instead of unlocking my bootloader & while still in temp root.. I thought, maybe I can write to the OEM folder? So I typed
'mount -o rw,remount /oem' and that worked!
So.. I used another command window without closing the first one and pushed a new OEM folder to /data/local/temp
(I got the new OEM folder from US XZ1c firmware. You can also get that folder by searching for TMo-VoLTE-fix-v3.zip & unzipping it)
Then, I went back to the original temp root command window & used the 'cp' command to copy that new OEM file from data/local/temp over to my /OEM folder. I re-set the owner & file permissions rebooted.
After testing it, I was able 2 flash the latest (non US for working fp) Oreo by flashing like normal with Newflasher except I deleted the OEM.sin file, so it wouldn't write over my new one! Finally I disabled auto update.
Now my XZp is still bootloader locked, running 47.1.A.16.20 with Fingerprint, Volte & wifi calling all working on tmobile in the US.
I can actually receive calls at home now!! Before this, most of my calls went 2 vm, after a long pause.
I did also try it with pie & it didn't work for me. But, ymmv. I am sure it's possible tho. I was not impressed with pie anyways & I really hate that new volume popup window that covered my home & back keys in landscape mode.
One other note is because I have the dual sim XZp I changed my modem name in the modem.conf file from "tmobile_us_ims" to "dsds_tmobile_us_ims". I am not sure this is actually necessary tho because I have since looked in other ds Volte firmwares like Taiwan. And they don't use "dsds" in their modem.conf file
Do we lose drm key? Can I access the / system or use root explorer?

tronganhha29 said:
Do we lose drm key? Can I access the / system or use root explorer?
You won't lose any drm keys if you don't unlock the bootloader. I posted screen shots above that show all security keys intact, with locked bootloader. And if you look at the top, the wifi calling icon is there! The "rooting" part I used was only temporary & I only tried 2 modify files in the /OEM folder because that's all I needed for Volte & WiFi calling on tmobile. I had 2 downgrade firmware & run a temp root exploit from j4nn.
His exploit is explained here https://forum.xda-developers.com/xperia-xz1-compact/development/devonly-exploits-temp-root-to-backup-t3795510 BUT, instead of unlocking the bootloader I just copied US Xz1c /OEM files into my /OEM folder then set file permissions. That would be awesome if someone could make a script 2 automate this process for everyone!
Remember after you're done, you're gonna want 2 update to a newer more secure firmware. I didn't have luck with Pie, but it's got some minor bugs anyways (I am running Oreo 47.1.A.16.20 now & I love it). The trick is you MUST DELETE the OEM.sin folder from the new firmware folder before you flash it. Otherwise it will write over your progress.

Robin Banks said:
You won't lose any drm keys if you don't unlock the bootloader. I posted screen shots above that show all security keys intact, with locked bootloader. And if you look at the top, the wifi calling icon is there! The "rooting" part I used was only temporary & I only tried 2 modify files in the /OEM folder because that's all I needed for Volte & WiFi calling on tmobile. I had 2 downgrade firmware & run a temp root exploit from j4nn.
His exploit is explained here https://forum.xda-developers.com/xperia-xz1-compact/development/devonly-exploits-temp-root-to-backup-t3795510 BUT, instead of unlocking the bootloader I just copied US Xz1c /OEM files into my /OEM folder then set file permissions. That would be awesome if someone could make a script 2 automate this process for everyone!
Remember after you're done, you're gonna want 2 update to a newer more secure firmware. I didn't have luck with Pie, but it's got some minor bugs anyways (I am running Oreo 47.1.A.16.20 now & I love it). The trick is you MUST DELETE the OEM.sin folder from the new firmware folder before you flash it. Otherwise it will write over your progress.
Can you help me on activating VoLTE? I read in the above tutorial just talking about backup and restore TA partition. Sorry for my English not good. Thank you!

tronganhha29 said:
Can you help me on activating VoLTE? I read in the above tutorial just talking about backup and restore TA partition. Sorry for my English not good. Thank you!
Are you in the US, & want Volte on Tmobile?

Robin Banks said:
Are you in the US, & want Volte on Tmobile?
No, I'm in Vietnam, I'm using G8141 with custom CH firmware

tronganhha29 said:
No, I'm in Vietnam, I'm using G8141 with custom CH firmware
I am sorry, I am not familiar with any phone providers in Vietnam. I don't think there is an easy fix because I haven't seen Vietnamese Volte modem files in any XZp firmware. I could be wrong tho, so maybe someone will correct me & also help you out.
The only reason this works for tmobile is because Sony included built in support files for some providers, like tmobile in the US. But, it's only their XZ1c phone that will actually load the correct modem file & trigger Volte & WiFi calling features out of the box. Only a couple files need to be changed on the XZp.
Problem was, it always required a bootloader unlock to change those files.
This is not a problem anymore... Because it can now be done with temproot thanks to j4nn!

Robin Banks said:
I am sorry, I am not familiar with any phone providers in Vietnam. I don't think there is an easy fix because I haven't seen Vietnamese Volte modem files in any XZp firmware. I could be wrong tho, so maybe someone will correct me & also help you out.
The only reason this works for tmobile is because Sony included built in support files for some providers, like tmobile in the US. But, it's only their XZ1c phone that will actually load the correct modem file & trigger Volte & WiFi calling features out of the box. Only a couple files need to be changed on the XZp.
Problem was, it always required a bootloader unlock to change those files.
This is not a problem anymore... Because it can now be done with temproot thanks to j4nn!
I worry about losing drm key. I was on the xzc and I had a camera error.
Thank you !

tronganhha29 said:
I worry about losing drm key. I was on the xzc and I had a camera error.
Thank you !
The only way you can lose your DRM keys... Is unlocking your bootloader. I did not want to do that. But, I wanted Volte & WiFi calling. This thread is about how I got those features WITHOUT unlocking my bootloader. And yes, of course I still have my DRM keys.
You said, that you had a camera error on an XZ1c? Assuming, you unlocked the bootloader. Did you get Volte working in Vietnam after you unlocked it? If not, then none of this will help you with your XZp, because they are very similar & they use the same provider modem files.
From what I understand, the Pie update fixes the green picture camera error. Have you tried updating your XZ1c to Pie? That should at least make your camera work again.

Good idea, I'm using another country's ROM because my country's update speed sucks ... (due to the carrier), so I lose features like WiFi calling and VoLTE. Gonna try this.

vyis said:
Good idea, I'm using another country's ROM because my country's update speed sucks ... (due to the carrier), so I lose features like WiFi calling and VoLTE. Gonna try this.
This is what people in the US with the XZ1c have been doing because they want to enable their Fingerprint sensor AND have the US Volte settings.
So if your provider already supports Volte.. Flash that firmware first so your volte works. Then before you flash the country you want to use. Just delete the new OEM.sin file out of the folder. That will make a perfect mix of the two.
It will only keep your volte provider settings from old firmware. You don't even need temp root.
But I doubt Volte setting would survive an OTA update. It also will work with two different build versions. I don't know if this is possible with oreo/pie mix tho.

Robin Banks said:
*This would not be possible without j4nn & his amazing temp root https://forum.xda-developers.com/xperia-xz1-compact/development/devonly-exploits-temp-root-to-backup-t3795510 please thank & donate 2 him!*
This is not really a "how 2 guide" because I am not good at explaining things like this. But I will try & explain how I did it. Because I have seen a lot of other people also searching for working Volte without unlocking their bootloader.
First I used j4nn's temp root guide & flashed old firmware & ran his magic program. Then I backed up my DRM keys (in case I want to unlock my bootloader someday). Then I stopped. And instead of unlocking my bootloader & while still in temp root.. I thought, maybe I can write to the OEM folder? So I typed
'mount -o rw,remount /oem' and that worked!
So.. I used another command window without closing the first one and pushed a new OEM folder to /data/local/temp
(I got the new OEM folder from US XZ1c firmware. You can also get that folder by searching for TMo-VoLTE-fix-v3.zip & unzipping it)
Then, I went back to the original temp root command window & used the 'cp' command to copy that new OEM file from data/local/temp over to my /OEM folder. I re-set the owner & file permissions rebooted.
After testing it, I was able 2 flash the latest (non US for working fp) Oreo by flashing like normal with Newflasher except I deleted the OEM.sin file, so it wouldn't write over my new one! Finally I disabled auto update.
Now my XZp is still bootloader locked, running 47.1.A.16.20 with Fingerprint, Volte & wifi calling all working on tmobile in the US.
I can actually receive calls at home now!! Before this, most of my calls went 2 vm, after a long pause.
I did also try it with pie & it didn't work for me. But, ymmv. I am sure it's possible tho. I was not impressed with pie anyways & I really hate that new volume popup window that covered my home & back keys in landscape mode.
One other note is because I have the dual sim XZp I changed my modem name in the modem.conf file from "tmobile_us_ims" to "dsds_tmobile_us_ims". I am not sure this is actually necessary tho because I have since looked in other ds Volte firmwares like Taiwan. And they don't use "dsds" in their modem.conf file
You are awesome! Can you please write specific commands you used to
1) push a new OEM folder to /data/local/temp
2) 'cp' command to copy that new OEM file from data/local/temp over to my /OEM folder.
3) I re-set the owner & file permissions rebooted.
Thanks!

VBBoston said:
You are awesome! Can you please write specific commands you used to
1) push a new OEM folder to /data/local/temp
2) 'cp' command to copy that new OEM file from data/local/temp over to my /OEM folder.
3) I re-set the owner & file permissions rebooted.
Thanks!
I will try. But, like I said. I am not that great at step by step instructions. It would be awesome if someone made a better guide or a script 2 run after temp root.
So, AFTER you already have temp root. Open another command window (keep your temp root window open!) assuming you have the new OEM folder in your command line root dir.
adb push OEM /data/local/tmp
Then using the temp root window from earlier exploit.
mount -o rw,remount /oem
chown root.root /data/local/tmp/OEM
cd /data/local/tmp/OEM
cp - R * /oem
chmod 755 /oem/modem-config
chmod 755 /oem/modem-config/408
chmod 644 /oem/modem-config/408/modem.conf
chmod 755 /oem/overlay-408
chmod 644 /oem/overlay-408/android-res-310-408.apk
chmod 644 /oem/overlay-408/com.android.carrierconfig-res-310-408.apk
chmod 644 /oem/overlay-408/com.android.phone-res-310-408.apk
chmod 644 /oem/overlay-408/com.android.settings-res-310-408.apk
chmod 644 /oem/overlay-408/com.android.systemui-res-310-408.apk
chmod 755 /oem/system-properties/408
chmod 644 /oem/system-properties/408/config.prop
Done. Reboot. You might have to take out your Sim card & reinsert it. Or factory reset. To get volte setting to take. You will know because it will say something like restarting to update carrier configuration.
Then of course you can update, but be sure to delete the OEM.sin file before flashing newer firmware! I tried this with pie once & it did not work for me. But ymmv. Right now I like oreo better anyways
I have included the zip file I found here on XDA & used it. It's meant for bootloader unlocked so just Unzip it & only use the OEM file.
Please let me know how it goes or if I forgot something!
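
To see exactly what differs under /oem after a change like the one above, a tree pulled from the phone can be compared with one unpacked from stock firmware. This is an added example, not code from the thread; it flags added, removed or altered files and any mode other than the 755/644 used in the chmod list, and it assumes both trees already exist as local directories (the directory names and file contents below are constructed placeholders).

```python
import hashlib
import os
import stat
import tempfile

# Modes the post sets with chmod: 755 on directories, 644 on files.
EXPECTED_MODE = {"dir": 0o755, "file": 0o644}


def manifest(root):
    """Map each relative path under root to (kind, permission bits, sha256)."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                entries[rel] = ("dir", mode, None)
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                entries[rel] = ("file", mode, digest)
            else:
                # Symlinks or special files are not expected here; keep them visible.
                entries[rel] = ("other", mode, None)
    return entries


def compare(baseline, device):
    """Return sorted (finding, path) pairs describing how device differs."""
    findings = []
    for rel in sorted(set(baseline) | set(device)):
        old, new = baseline.get(rel), device.get(rel)
        if old is None:
            findings.append(("added", rel))
        elif new is None:
            findings.append(("removed", rel))
        elif old[0] != new[0] or old[2] != new[2]:
            findings.append(("changed", rel))
        # Mode check applies to whatever is present on the device side.
        if new is not None and new[1] != EXPECTED_MODE.get(new[0]):
            findings.append(("mode", rel))
    return findings


def make_tree(root, files):
    """Create {relative path: (bytes, mode)} under root; directories get 0755."""
    for rel, (data, mode) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), 0o755)


def demo():
    """Constructed sample: a stock tree and a device tree with three differences."""
    with tempfile.TemporaryDirectory() as tmp:
        stock = os.path.join(tmp, "stock_oem")    # hypothetical unpacked oem image
        pulled = os.path.join(tmp, "device_oem")  # hypothetical copy pulled from phone
        make_tree(stock, {
            "modem-config/408/modem.conf": (b"stock_placeholder\n", 0o644),
        })
        make_tree(pulled, {
            "modem-config/408/modem.conf": (b"tmobile_us_ims\n", 0o644),
            # Constructed file body; 0600 stands in for a forgotten chmod.
            "overlay-408/com.android.phone-res-310-408.apk": (b"constructed", 0o600),
        })
        return compare(manifest(stock), manifest(pulled))


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:8} {rel}")
```
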

Robin Banks said:
I will try. But, like I said. I am not that great at step by step instructions. It would be awesome if someone made a better guide or a script 2 run after temp root.
So, AFTER you already have temp root. Open another command window (keep your temp root window open!) assuming you have the new OEM folder in your command line root dir.
adb push OEM /data/local/tmp
Then using the temp root window from earlier exploit.
mount -o rw,remount /oem
chown root.root /data/local/tmp/OEM
cd /data/local/tmp/OEM
cp - R * /oem
chmod 755 /oem/modem-config
chmod 755 /oem/modem-config/408
chmod 644 /oem/modem-config/408/modem.conf
chmod 755 /oem/overlay-408
chmod 644 /oem/overlay-408/android-res-310-408.apk
chmod 644 /oem/overlay-408/com.android.carrierconfig-res-310-408.apk
chmod 644 /oem/overlay-408/com.android.phone-res-310-408.apk
chmod 644 /oem/overlay-408/com.android.settings-res-310-408.apk
chmod 644 /oem/overlay-408/com.android.systemui-res-310-408.apk
chmod 755 /oem/system-properties/408
chmod 644 /oem/system-properties/408/config.prop
Done. Reboot. You might have to take out your Sim card & reinsert it. Or factory reset. To get volte setting to take. You will know because it will say something like restarting to update carrier configuration.
Then of course you can update, but be sure to delete the OEM.sin file before flashing newer firmware! I tried this with pie once & it did not work for me. But ymmv. Right now I like oreo better anyways
I have included the zip file I found here on XDA & used it. It's meant for bootloader unlocked so just Unzip it & only use the OEM file.
Please let me know how it goes or if I forgot something!
Thank you!!! just needed to edit command cp - R * /oem to cp -R * /oem

Robin Banks said:
[...] because I have the dual sim XZp I changed my modem name in the modem.conf file from "tmobile_us_ims" to "dsds_tmobile_us_ims".
Since my G8342 does not load the correct 'Current Modem Configuration' (see screenshot from G8341) I can force this by editing the 'modem.conf', right?

SGH-i200 said:
Since my G8342 does not load the correct 'Current Modem Configuration' (see screenshot from G8341) I can force this by editing the 'modem.conf', right?
I am just gonna guess that you're running a single Sim firmware & you want 2 load a dual sim modem? I am pretty sure that won't work. You can use a single Sim firmware & modem file on a dual sim phone. But the other sim slot won't function. But it looks like you already know that. I am using a dual sim firmware (and phone g8142). But there is no official Volte tmobile firmware for the XZp. Even tho the correct tmobile modem is baked into all the XZp firmwares. It needs the OEM.sin to provision volte & WiFi. It sets "IMS" true or something like that. So I used an oem.sin config file from a single Sim Xz1c. But the rest of my firmware is still XZp dual sim. I originally changed the part where it loads the correct modem & added "dsds" to the beginning because that's what the tmobile modem in my firmware is named. That worked. But it turns out, I didn't even have 2 do that. It still loads my "dsds_tmobile_us_ims" modem. Even tho I just have "tmobile_us_ims" in my modem.conf file. If you were gonna try and load a different modem it would be under /oem/modem-config/310/modem.conf because 310 is the customization that you're running (in your thumbnail). So, yes you can force it 2 load whatever modem you want.. But only try the modems that are included with your current firmware. I wouldn't copy an actual dual sim modem into your single sim firmware. It *might* work. More than likely would brick it. Lemme know if you have any other questions & I will help ya if I can

Robin Banks said:
I am using a dual sim firmware (and phone g8142). But there is no official Volte tmobile firmware for the XZp. Even tho the correct tmobile modem is baked into all the XZp firmwares. It needs the OEM.sin to provision volte & WiFi. It sets "IMS" true or something like that. So I used an oem.sin config file from a single Sim Xz1c. But the rest of my firmware is still XZp dual sim.
This is the way I did it, too!
Robin Banks said:
[...]still loads my "dsds_tmobile_us_ims" modem. Even tho I just have "tmobile_us_ims" in my modem.conf file.
Flashing the OEM.sin is not enough in my case (G8342) because the modem file is missing!?
Robin Banks said:
But only try the modems that are included with your current firmware.
Is it possible to "look" into a SIN file without flashing it, to see which modem files are included, without flashing the firmware?

SGH-i200 said:
This is the way I did it, too!
Flashing the OEM.sin is not enough in my case (G8342) because the modem file is missing!?
Is it possible to "look" into a SIN file without flashing it, to see which modem files are included, without flashing the firmware?
The actual modem files are in modem.sin and you could unpack them and take a look. But, if you're using a single sim xz1 OEM.sin that supports your carrier's volte settings.. I think you should be able 2 just flash the whole firmware. I have flashed a single Sim firmware on my XZp and back to dual sim. You will lose your second sim functionality. But you can always flash a dual sim firmware back & it will be good as new. Do you really use 2 sim cards? Check out the 7th post in this thread (user rafi.mv6) about Xz1 single Sim flashing. https://forum.xda-developers.com/xz-premium/how-to/xzp-volte-firmware-t3631276

I used j4nn bindershell version of the temp root and Your guide to activate VoLTE and VoWiFi for Vodafone CZ not for the temp root supported Oreo, but for the actually last available Pie firmware 47.2.A.10.107 Customized CE1 (1308-5321) for XZ Premium single SIM G8141
I am about to write down the detailed guide soon. It is based on info from j4nn post #9 in his bindershell version temp root thread.

XZ Premium Vodafone CZ Volte & WiFi calling in Pie WITHOUT bootloader unlock
THE STORY BEHIND
As I have very poor telephone signal inside the building of our veteran garage due to combination of a garage-to-BTS distance and very thick walls of an old building and many calls to me ended up with "The number cannot be reached, try again later" and me receiving the SMS with info about missed call, I wanted to use last issued Android for my Xperia XZ Premium single SIM G8141 and to have available VoLTE and VoWiFi for my provider Vodafone CZ. Then I started to investigate, which version of the phone and which customization I have exactly. I found, that despite being located in Central Europe, my phone customization was to my surprise of South Africa (1308-5324 Customized ZA 47.2.A.10.107). To achieve activation of the VoLTE and VoWiFi I thought, it could be enough to flash the Central Europe customization (1308-5321 Customized CE1 47.2.A.10.107), as special Vodafone CZ customization was not shown by XperiCheck, and it will all work seamlessly then. I could not have been more wrong. After quite weak search for the info, I downloaded and flashed that Pie CE1 customization, with skipping userdata, all TA files and persist.sin to keep all data and settings not erased, there was no VoLTE nor VoWiFi available anyway. Then I started to investigate the possibilities more intensively. What I found, there was no direct option to have VoLTE and VoWiFi activated somehow on Pie, as the temp root and modification guides were available just for Oreo. But there were some hints within those threads, that pointed me to the possibility to achieve to have that function on Pie as well. Despite there were infos, that the intended sequences did not work for some members trying it for Pie, it was not detailed enough to be clear, how they proceed. So I started to think about that all the time and based on number of Xperia XZ1c/XZ1/XZp threads, I considered many ways how to achieve my goal.
Finally, the resulted steps were none of my ideas, I just collected all the wisdom from those threads and I just put them into the right sequence, that worked for me. If being on temp root supported Oreo firmware when started, it could be a path without losing any user data, but as I was on last Pie, I had to backup every possible data and settings and to proceed the downgrade from Pie to Oreo with factory reset. There is no known way to me to downgrade with user data being kept, as despite I was warned, I tried it and I got the "promised" bootloop of course.
THE BASIC INFO
- SONY Xperia XZ1 (G8341), SONY Xperia XZ1 Compact (G8441) and SONY Xperia XZ Premium (G8141) are very similar phones with almost identical hardware. Therefore their firmwares do not differ much, at least in the text config files content manner. Hinted by XDA users, there can be the config files adapted from one of those devices to another easily. Many of them tested that for the Oreo and it worked fine for them.
- There exists Vodafone CZ customized Pie firmware for both XZ Premium friendly phones and they differ to their CE1 customized Pie firmware version just in the config settings part of oem.sin file and all modem definitions present inside in the system.sin are the same, so to change active modem, there is just config files modification needed that can be achieved through the temp root
- Using UnSin and ext4 image mounting SW investigate the files content, location and presence and try to figure out, which files could work for Your phone
- when flashing firmware, all excluded *.sin files/partitions will be not overwritten by new data and kept in the phone in current status and content. This is used in described steps to transfer changes from firmware supported by temp root to target firmware.
THE DESCRIPTION
The VoLTE and VoWiFi config files are in the /oem folder's subfolders. The content of the /oem folder can be kept when upgrading from lower to higher version of the Android by excluding the oem*.sin file when flashing. I disliked the idea to have oem settings from Oreo in the Pie and I tried to modify Pie's /oem folder within the Oreo firmware. Based on the info from this forum and by comparing all the firmwares content, I prepared (copied from CZ customized Pie firmware version of friendly phone G8341 XZ1) few files, that I identified to be important to change the modem file choosing by the system in XZ Premium Pie. So I prepared my own custom Oreo temp root supported CE1 customized firmware, excluded the XZp Oreo oem.sin and included the XZp Pie oem*.sin. I prepared the files to be changed in XZp Pie's /oem folder and the XZp Pie firmware with oem.sin excluded as well. I flashed first the hybrid XZp Oreo-with-Pie-oem-folder firmware to my phone successfully, started the XZp with Android Oreo. I cancelled all automatic updates, activated developer menu item and set the USB debugging ON. With using ADB I ran temp root, injected modified files into the /oem folder and set their rights. Rebooted and with temp root again I checked the injected files presence in /oem folder. Then I flashed CE1 customized XZp Pie firmware with its oem.sin excluded and rebooted XZp to Pie. I cancelled all automatic updates again and checked the modem and VoLTE settings. There was VoLTE option switch inside the service menus in blue color and activated with the VoWiFi option greyed out but set to ON. There the Enable VoLTE menu item appeared in the Network settings and it could be switched ON. In the Call settings, the Wi-Fi calling menu item appeared there in Advanced settings and could be activated. The service itself appeared and started to function after activating the service inside the provider Self service web portal.
THE PRINCIPLE
- I wanted VoLTE and VoWiFi for Vodafone CZ on SONY Xperia XZ Premium single SIM G8141
- To let it work, I had to modify Pie's /oem folder
- it is possible to modify it only when rooted or temp rooted
- I do not want to root it
- the only temp root is for Oreo
- I prepared and flashed hybrid firmware, Pie /oem with the Oreo main system - this trick was my only invention to this and it fortunately worked !
- I modified Pie /oem folder inside Oreo firmware temp root to support Pie's VoLTE and VoWiFi for Vodafone CZ
- I flashed latest Pie excluding the oem.sin to keep modified /oem settings then
- I switched the device settings ON and I activated the provider support for Vodafone CZ VoLTE and VoWiFi in Self Service portal
- Now I can enjoy Vodafone CZ VoLTE and VoWiFi on SONY Xperia XZ Premium single SIM G8141
WHAT TO DOWNLOAD
- To investigate Your phone version settings (not needed to follow my steps)
Download UnSin (UnSIN 1.13 (Win x64).zip)
Download SW for mounting and explore ext4 partition (ext2explore-2.2.71.rar)
Download the firmware for the other phones to look for setting files. In my case, it was G8341 Vodafone CZ customized Pie firmware (XZ1 G8341_Vodafone CZ_47.2.A.11.228-R2C)
- To activate VoLTE and VoWiFi for Vodafone CZ on SONY Xperia XZ Premium single SIM G8141 (enough to follow my steps)
Download ADB (platform-tools_r33.0.2-windows.zip)
Download newflasher (newflasher_v52.zip)
Download the j4nn temp root alternative solution for G8141 (bindershell)
Download the G8141 j4nn temp root supported Oreo firmware in the same customization, as the later Pie to minimize issues (XZ Premium G8141_47.1.A.16.20 Customization CE1)
Download the G8141 CE1 customized Pie firmware (1308-5321 Customized CE1 47.2.A.10.107)
Download the G8141 Vodafone CZ customized Pie /oem folder files (attached here as G8141_Vodafone_CZ_Modded_Pie_OEM_folder.ZIP)
THE PREPARATION
- if You want to proceed for phone different to G8141 and Vodafone CZ, check with xpericheck all three phone versions firmwares, whether there is any that contains customized version for Your provider, if there is one for Your phone, just flash that customization and You go
- if there is customized version of the firmware for Your provider for any of the other two phones, investigate the content of those firmwares oem*.sin and system*.sin files and try to match the proper files to copy/modify for Your phone (use UnSin and ext4 explorer for this task), the content of modem.conf file in oem.sin file, modem-config folder holds the short name of the modem *.mbn file in system.sin file, etc/customization/modem folder. For example, if modem.conf file contains "vodafone_czech_volte_vowifi" text, it defines using the "amss_fsg_maple_vodafone_czech_volte_vowifi_tar.mbn" modem files, that allows function of VoLTE and VoWiFi for Vodafone CZ. If Your firmware in system.sin contains modem file with the same name, You can modify /oem part of the firmware to select this modem and activate VoLTE and VoWiFi for Your phone/provider combination as well. I was inspired by Robin Banks files copied and I identified and copied several relevant files from G8341 Vodafone CZ firmware's /overlay folder as well. Try to add similar files for Your phone version as well.
- Prepare the XZ Premium single SIM G8141 temp root supported Oreo firmware into folder "01 not full Oreo downgrade with Pie OEM"
- exclude the Oreo oem.sin to allow using Pie oem.sin
- exclude the following Oreo firmware files as well: see content of the folder "01b not used Oreo files" (for the list see attachment file G8141_Vodafone_CZ_mod_FoldersContent.TXT)
- do not exclude userdata.sin when downgrading or else You get the bootloop (tested by myself)
- copy inside the folder the Pie's oem*.sin (oem_X-FLASH-CUST-42E5.sin)
- copy inside the folder the newflasher.exe file (to ease the process)
- extract ADB files into its folder, c:\platform-tools\ in my case
- copy content of the "02 adb push files" folder into c:\platform-tools\, extract it from the attached G8141_Vodafone_CZ_Modded_Pie_OEM_folder.ZIP
- copy bindershell file from j4nn for Oreo temp root into c:\platform-tools\
- Prepare the XZ Premium single SIM G8141 last Pie firmware into folder "03 Pie flash without OEM"
- exclude the Pie oem.sin
- exclude the following Pie firmware files as well: see content of the folder "03b_not_used_Pie_files" (for the list see attachment file G8141_Vodafone_CZ_mod_FoldersContent.TXT)
- copy inside the folder the newflasher.exe file too
- check both firmware folders to have their boot_delivery.xml file in boot folder and partition_delivery.xml file in partition folder for the flash to end correctly
- check the G8141_Vodafone_CZ_mod_FoldersContent.TXT and compare the folders' content to match
THE STEPS (Windows PC)
#01 - have Your phone charged, all data and settings backed up (including trim areas) and all phone drivers installed, this is a good way to start
#02 - go to "01 not full Oreo downgrade with Pie OEM" folder and run newflasher.exe inside, it will open a command line window, stay in this window
#03 - switch off the phone, hold volume down key and connect it to PC, wait for green LED illumination and release volume down button
#04 - type 'n' + ENTER to skip install of GordonGate flash driver (You have them already installed, see step #01)
#05 - type 'p' + ENTER for poweroff after flash
#06 - type 'n' + ENTER to skip of dump trim area backup and the Oreo with Pie oem.sin flash will start, wait several minutes for process to finish
#07 - when flash finished, disconnect phone, close command line window
#08 - switch ON the phone and start Oreo system fully, disable any automatic updates ASAP, to stay on temp root supported firmware version of the Oreo
#09 - become a Developer and in Developer menu switch USB debugging ON
#10 - connect the phone to PC and allow connection
#11 - go to c:\platform-tools\ in Explorer and using SHIFT+right click open e.g. first PowerShell window from this folder
#12 - in PowerShell window type 'adb push bindershell /data/local/tmp' and press ENTER to copy bindershell file to the phone
#13 - if You do not have ADB fully installed and You just have drivers copied into the c:\platform-tools\ folder, type the command like this './adb push bindershell /data/local/tmp', add the './' before ADB commands in future, if this error repeats
#14 - in PowerShell window type 'adb shell' (or add ./ in the front of the command again) and press ENTER to run shell in the phone, the command prompt will change from PC:/platform-tools> to the name of Your phone, e.g. G8141:/ $
#15 - get a simple temp root shell according to j4nn's HOWTO
G8141:/ $ cd /data/local/tmp
G8141:/data/local/tmp $ chmod 755 ./bindershell
G8141:/data/local/tmp $ ./bindershell
#16 - You will know to have a temp root, when the prompt character changes from $ to # (like G8441:/data/local/tmp #), keep this first PowerShell window open
#17 - open a second PowerShell window from the same folder as the first one (c:\platform-tools\) using SHIFT+right click
#18 - in the second PowerShell window type 'adb push OEM /data/local/tmp' and ENTER to copy your modified files from c:\platform-tools\OEM folder on the PC to /data/local/tmp/OEM folder in the phone (in case of error add the './' before the command), after finishing, You can close this second PowerShell window
#19 - activate the first PowerShell window with the temp root still active and type following commands (these are the Robin Banks commands he wrote in the post #13 modified for my XZ Premium single SIM Vodafone CZ version)
mount -o rw,remount /oem
chown root.root /data/local/tmp/OEM
cd /data/local/tmp/OEM
cp -R * /oem
chmod 755 /oem/modem-config
chmod 644 /oem/modem-config/modem.conf
chmod 755 /oem/overlay
chmod 644 /oem/overlay/android-res-305.apk
chmod 644 /oem/overlay/com.android.carrierconfig-res-305.apk
chmod 644 /oem/overlay/com.android.settings-res-305.apk
chmod 644 /oem/overlay/com.android.systemui-res-305.apk
chmod 755 /oem/system-properties/
chmod 644 /oem/system-properties/config.prop
#20 - for Your own setup, remember to set rights 755 for any folder name and rights 644 for any file name copied from /data/local/tmp/OEM to /oem folder inside the phone
#21 - Done. Reboot the phone into the Oreo with now modified Pie /oem folder. Close PowerShell window.
#22 - You can repeat temp root now to check, If Your files are really present inside the phone /oem folder and You proceeded well.
#23 - do not panic, if You check the Service info/Software info menu item now by dialing *#*#7378423#*#* and there is still recent modem *.mbn file selected, do not care about it as it is prepared for Pie and You are still on Oreo firmware now
#24 - go to "03_Pie_flash_without_OEM" folder and run newflasher.exe inside, it will open a command line window, stay in this window
#25 - switch off the phone, hold volume down key and connect it to PC, wait for green LED illumination and release volume down button
#26 - type 'n' + ENTER to skip install of GordonGate flash driver
#27 - type 'p' + ENTER for poweroff after flash
#28 - type 'n' + ENTER to skip of dump trim area backup and Pie without oem.sin flash will start, wait several minutes for process to finish
#29 - when flash finished, disconnect phone, close command line window, now there is complete Pie system with VoLTE and VoWiFi modified /oem folder installed on Your device and all should work from now on
#30 - switch ON the phone and start Pie system, disable any automatic updates ASAP to keep Your modification intact and not overwritten by future possible updates, if You want, regularly check for the firmware updates manually and if there is a newer firmware You want to run, be prepared to go through this whole procedure again with the newer firmware and test if it works for it as well
THE CREDITS
- j4nn for the XZp temp root alternative
- Robin Banks for the original How To
- chris_j26 for information in his [GUIDE] Enable VoLTE for your non operator handset thread (this needs Unlocked BL)
- pbarrette for the info to flash the cust-reset.ta file to clear the device current carrier customization information
- and credits for the SW creators (UnSin 1.13 - IgorEisberg, newflasher v52 - munjeni, Ext2Explore - rcrajesh & regmi_manish)
- and all the others forgotten...
THE DOWNLOAD
Here You can find
files list with the folders structure for all steps described above and compressed modified OEM folder to push to G8141 XZp single SIM Vodafone CZ
- all files used by me listed with their folder structure in TXT file
- a zip file with XZ Premium single SIM OEM folder modified for Vodafone CZ VoLTE & VoWiFi
- pictures
01 original ZA customization info
02 target CE1 customization info before MOD
03 final CE1 modded to CZ customization info after MOD
04 *#*#4636#*#* telephone info after MOD
05 WiFi calling menu item after MOD
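A host-side check for steps #20 and #22, added here as an example and not part of the original post: it reads the text of `ls -lR /oem` saved from the temp root shell and reports missing files and entries that are not 755 (folders) or 644 (files). The listing below is constructed, the toybox-style column layout is an assumption, and so is the root:root owner check, which is inferred from the chown step.

```python
import re

# Paths that the chmod commands in step #19 touch; each must exist after the copy.
REQUIRED = [
    "/oem/modem-config",
    "/oem/modem-config/modem.conf",
    "/oem/overlay",
    "/oem/overlay/android-res-305.apk",
    "/oem/overlay/com.android.carrierconfig-res-305.apk",
    "/oem/overlay/com.android.settings-res-305.apk",
    "/oem/overlay/com.android.systemui-res-305.apk",
    "/oem/system-properties",
    "/oem/system-properties/config.prop",
]

WANT = {"d": 0o755, "-": 0o644}              # rule from step #20
SPECIAL = {2: 0o4000, 5: 0o2000, 8: 0o1000}  # setuid, setgid, sticky positions

# Assumed layout: perms links owner group size YYYY-MM-DD HH:MM name
ENTRY = re.compile(
    r"^([-dlbcps])([-rwxsStT]{9})\S*\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$"
)

# Constructed sample of `ls -lR /oem` output (not captured from a real phone).
SAMPLE_LISTING = """\
/oem:
total 12
drwxr-xr-x 2 root root 4096 2019-03-01 10:02 modem-config
drwxr-xr-x 2 root root 4096 2019-03-01 10:02 overlay
drwxrwxrwx 2 root root 4096 2019-03-01 10:02 system-properties

/oem/modem-config:
total 4
-rw-r--r-- 1 root root 28 2019-03-01 10:02 modem.conf

/oem/overlay:
total 48
-rw-r--r-- 1 root root 11020 2019-03-01 10:02 android-res-305.apk
-rw-r--r-- 1 root root 9112 2019-03-01 10:02 com.android.carrierconfig-res-305.apk
-rw-r--r-- 1 shell shell 8230 2019-03-01 10:02 com.android.settings-res-305.apk

/oem/system-properties:
total 4
-rw-rw-rw- 1 root root 120 2019-03-01 10:02 config.prop
"""


def mode_from_symbolic(perms):
    """Turn 'rwxr-xr-x' into 0o755, including setuid/setgid/sticky letters."""
    mode = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":        # lower-case s/t also carry the execute bit
            mode |= 1 << (8 - i)
        if ch in "sStT":
            mode |= SPECIAL[i]
    return mode


def parse_listing(text):
    """Map absolute path -> (type, mode, owner, group) from `ls -lR` output."""
    entries, current = {}, ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("/") and line.endswith(":"):
            current = line[:-1].rstrip("/")   # directory header, e.g. "/oem/overlay:"
            continue
        m = ENTRY.match(line)
        if not m:
            continue                          # blank lines and "total N"
        ftype, perms, owner, group, name = m.groups()
        name = name.split(" -> ")[0]          # drop a symlink target if present
        entries[f"{current}/{name}"] = (ftype, mode_from_symbolic(perms), owner, group)
    return entries


def audit(text):
    """Return a list of findings; an empty list means the tree matches the guide."""
    entries = parse_listing(text)
    findings = [f"missing: {p}" for p in REQUIRED if p not in entries]
    for path, (ftype, mode, owner, group) in sorted(entries.items()):
        want = WANT.get(ftype)
        if want is not None and mode != want:
            findings.append(f"mode {mode:04o} (want {want:04o}): {path}")
        if (owner, group) != ("root", "root"):   # assumption, see lead-in
            findings.append(f"owner {owner}:{group} (want root:root): {path}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING):
        print(finding)
```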

Related

NTCODE Error Solution

1. Go to secret menu of your phone (*#546368#*850#)
2. Tap SVC menu, then Version Info.
3. In Version info find NT Code.
4. Change whatever code you have there to "1","FFF,FFF,FFFFFFFF,FFFFFFFF,11" - that is open europe.
After pasting the above code, the NT Code should display something like code write done, or similar, instead of your old NT Code.
This info is from MrBeem, he sent it to me. I have this error but it did not work for me, I get Write Error, maybe because I don't have root. If you are rooted it can work for you.
I get write error too. I think you have to have root to make this work.
Talking of which, has anyone got root on 7.0 yet?
stuclark said:
I get write error too. I think you have to have root to make this work.
Talking of which, has anyone got root on 7.0 yet?
From Mrbeem:
Hello. Got an update on the version error you have/had.
1. yes, you do have to be rooted, to get root you must get twrp-3.2.0-1-beta1-H850.img and SuperSu2.78 SR4. You flash twrp via minimal adb and fastboot, instructions on XDA forum, after flash, pull battery out, back in and you MUST get to recovery by Vol Down+POWER combination and you only get 1 try. If you don't manage to get to recovery and your system starts booting, you must flash twrp all over again. Once in TWRP, press skip if it prompts for password, enable read/write by swiping right, and install SuperSu zip file you have to have on your external sd card. With all that done, reboot and voila, you're rooted.
2. After boot, go to hidden menu, to ntcode. In the ntcode put "1","FFF,FFF,FFFFFFFF,FFFFFFFF,FF" notice, last 2 are FF, not 11. you should get NTCODE WRITE OK
3. with root access granted go to cust folder and enable R/W option. I recommend using root explorer 4.0.4
4. Check subfolder list in cust folder. You will have folders like VDF_OP, EUR_OP or something like that. Pick any and memorize its name. this will become your soft ver. after you finish.
5. Find file named cust_path_mapping.cfg and open it with TEXT EDITOR!
6. at the end of the document, add a following line: FFFFFF,FF=/cust/name of subfolder in cust folder you memorized in step 4
7. save file, close it and reopen to check if your added line sticks. if it doesn't you haven't pressed "mount R/W" button in root explorer. Press "mount R/W" and repeat steps 5 to 7 .
8. Reboot, and now you should get your system branded (if you chose a specific carrier subfolder in /cust) or no brand and no version error (if you chose open europe in /cust).
Error
yken said:
From Mrbeem:
Hello. Got an update on the version error you have/had.
1. yes, you do have to be rooted, to get root you must get twrp-3.2.0-1-beta1-H850.img and SuperSu2.78 SR4. You flash twrp via minimal adb and fastboot, instructions on XDA forum, after flash, pull battery out, back in and you MUST get to recovery by Vol Down+POWER combination and you only get 1 try. If you don't manage to get to recovery and your system starts booting, you must flash twrp all over again. Once in TWRP, press skip if it prompts for password, enable read/write by swiping right, and install SuperSu zip file you have to have on your external sd card. With all that done, reboot and voila, you're rooted.
2. After boot, go to hidden menu, to ntcode. In the ntcode put "1","FFF,FFF,FFFFFFFF,FFFFFFFF,FF" notice, last 2 are FF, not 11. you should get NTCODE WRITE OK
3. with root access granted go to cust folder and enable R/W option. I recommend using root explorer 4.0.4
4. Check subfolder list in cust folder. You will have folders like VDF_OP, EUR_OP or something like that. Pick any and memorize its name. this will become your soft ver. after you finish.
5. Find file named cust_path_mapping.cfg and open it with TEXT EDITOR!
6. at the end of the document, add a following line: FFFFFF,FF=/cust/name of subfolder in cust folder you memorized in step 4
7. save file, close it and reopen to check if your added line sticks. if it doesn't you haven't pressed "mount R/W" button in root explorer. Press "mount R/W" and repeat steps 5 to 7 .
8. Reboot, and now you should get your system branded (if you chose a specific carrier subfolder in /cust) or no brand and no version error (if you chose open europe in /cust).
Can't pass the step 2, it gives an error.
fmartins29 said:
Can't pass the step 2, it gives an error.
You can flash your countries Rom, not EU
I've installed TWRP and SuperSU as shown above, but I still get Write Error.
Looking in the SuperSU app, it says under "Install SuperSU into /system" - "Not (currently) available in system-less mode".
How can I fix the SuperSU issue, as I'm guessing that's why I haven't got write access to the NTT code?
Hi. What exactly do you get in your ntcode error? Mine was FFFFFF,FF is not a proper code or something like that. Now, if your error is something else but not '0', you can just do the following:
1. Memorize or write down your error code ( in my case it was FFFFFF,FF)
2. go to /cust folder, mount it as R/W
3. Check what carrier subfolders you have in your cust folder (i had OPEN_EU, P4P_PL and a couple more)
4. Open file cust_path_mapping.cfg with TEXT EDITOR
5. Change the number/letter string before = of your desired carrier in the above mentioned cfg file to whatever it says in your ntcode error (my error message said FFFFFF,FF, i wanted the P4P_PL to be my carrier so i changed 26006,06=/cust/P4P_PL to FFFFFF,FF=/cust/P4P_PL).
6. Save changes, close, reopen the cfg file to check if your changes stick (if not, make sure you've enabled the R/W option in your cust folder).
7. Reboot
This should fix your problem. I tried this on 5 different devices and always worked.
Help changing NT using SVC menu
yken said:
You can flash your countries Rom, not EU
The NT code showing for me on my LG G5 H850 from the SVC menu is
"3","234,30F,
28000000,FFFFFFFF,FF","234,38F,
28000000,FFFFFFFF,FF","234,33F,
28000000,FFFFFFFF,FF"
(I'm on UK Virgin I believe - 234,38) and my stock Android 7.0 Rom is H85020k_00_VMC_GB_OP_0501.kdz Now,
I want to update to Oreo using the open EU oreo kdz H85030a_00_OPEN_EU_OP_0910.kdz as an upgrade file is not yet available for my phone but I get the customer not found errors on boot even if I first flash the phone using the original stock open EU Android 7.0 file H85020a_00_OPEN_EU_OP_1030.kdz.
I have my phone unlock code so if I unlock the bootloader will that allow me to enter a new NT code in the SVC menu to stop the customer error message without me having to root the phone and edit the root CUST folder? Thanks in anticipation.
wimmerfield said:
The NT code showing for me on my LG G5 H850 from the SVC menu is
"3","234,30F,
28000000,FFFFFFFF,FF","234,38F,
28000000,FFFFFFFF,FF","234,33F,
28000000,FFFFFFFF,FF"
(I'm on UK Virgin I believe - 234,38) and my stock Android 7.0 Rom is H85020k_00_VMC_GB_OP_0501.kdz Now,
I want to update to Oreo using the open EU oreo kdz H85030a_00_OPEN_EU_OP_0910.kdz as an upgrade file is not yet available for my phone but I get the customer not found errors on boot even if I first flash the phone using the original stock open EU Android 7.0 file H85020a_00_OPEN_EU_OP_1030.kdz.
I have my phone unlock code so if I unlock the bootloader will that allow me to enter a new NT code in the SVC menu to stop the customer error message without me having to root the phone and edit the root CUST folder? Thanks in anticipation.
Just wondered if you got any further with this? Oreo is now released for VM branded G5, but I'm wanting to use my VM branded phone on Three with WiFi calling. I was thinking about changing 1 of the 3 NT Codes (30,33,38) to 20 for Three but not sure if that's the best path forwards.
No progress with changing NT code
cancunia said:
Just wondered if you got any further with this? Oreo is now released for VM branded G5, but I'm wanting to use my VM branded phone on Three with WiFi calling. I was thinking about changing 1 of the 3 NT Codes (30,33,38) to 20 for Three but not sure if that's the best path forwards.
Sorry - I wasn't able to resolve that issue but as you say the G5 has now received its Oreo upgrade which is really all I wanted. Good luck anyway
Thank you! It worked for me. I have an h850ar running Android 8.0 without root. Finally the damn sign went away every time I started my phone ...
my device 860 h GCC middle East
I FLASH OREO VERSION sg (Singapore)
everything is work but ( NTCODE) PROBLEM ? ANY solution ? your discussion work for my device?
thank you
sorry bad English ?
WARNİNG
1 - WARNİNG - Current version is not available for user. Can't find matched cust for NTCODE = (23430,02)
2- WARNİNG _ Current OP name by Buyer-code is (EEO_GB). But cannot find matched NT-code mcc/mnc (23430), subset (02)
These errors appear when the phone is restarted. Is there a solution? The device is an LG G5 H850.
Did anyone work out how to change the NT Code via the hidden menu? I tried downgrading to Marshmallow but still get a write error.
Thanks
This is a solution that worked for me, on a Wind branded phone with an OPEN_EU rom (root required):
go to /cust/ folder and edit cust_path_mapping.cfg, adding a new line with the code you see in the NTCODE error (22288,FF in my case), pointing it to the OPEN_COM folder:
22288,FF=/cust/OPEN_COM
Then do the same with open_path_mapping.cfg, but here you should put OPEN_EU instead of OPEN_COM:
22288,FF=OPEN_EU
Then, after saving both files, reboot the phone, and the NTCODE error will be gone.
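A read-only check for the mapping edits described in the posts above, added here as an example and not code from any poster: it takes the code shown in the boot warning, looks it up in the text of cust_path_mapping.cfg (or open_path_mapping.cfg) and confirms the target subfolder exists. The sample file content and folder list are constructed from values quoted in the thread; how the phone itself treats duplicate or malformed lines is not stated on the page, so the script only reports them.

```python
import re

# Code as printed in the boot warning, e.g. "... NTCODE = (23430,02)"
NTCODE_RE = re.compile(r"NTCODE\s*=\s*\(\s*([0-9A-Fa-f]+)\s*,\s*([0-9A-Fa-f]+)\s*\)")
# Mapping line, e.g. "26006,06=/cust/P4P_PL" or "22288,FF=OPEN_EU"
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*,\s*([0-9A-Fa-f]+)\s*=\s*(\S+)\s*$")

# Constructed sample input (values taken from the posts, file itself is made up).
SAMPLE_WARNING = "Can't find matched cust for NTCODE = (23430,02)"
SAMPLE_CFG = """\
26006,06=/cust/P4P_PL
FFFFFF,FF=/cust/OPEN_EU
22288,FF=/cust/OPEN_COM
26006,06=/cust/OPEN_EU
this line is damaged
"""
SAMPLE_CUST_DIRS = {"OPEN_EU", "P4P_PL"}   # subfolders present under /cust


def key_from_warning(text):
    """Extract 'MCCMNC,SUBSET' from the warning text, or None if absent."""
    m = NTCODE_RE.search(text)
    return f"{m.group(1)},{m.group(2)}".upper() if m else None


def parse_mapping(cfg_text):
    """Return (mapping, issues): key -> subfolder name, plus lines to look at."""
    mapping, issues = {}, []
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            issues.append(f"line {lineno}: not KEY=TARGET: {raw.strip()!r}")
            continue
        key = f"{m.group(1)},{m.group(2)}".upper()
        # Accept both "/cust/NAME" and bare "NAME" targets.
        folder = m.group(3).rstrip("/").rsplit("/", 1)[-1]
        if key in mapping:
            issues.append(f"line {lineno}: duplicate key {key}")
            continue
        mapping[key] = folder
    return mapping, issues


def diagnose(warning, cfg_text, cust_dirs):
    """Classify the state as no-code, unmapped, dangling or mapped."""
    key = key_from_warning(warning)
    if key is None:
        return ("no-code", None)
    mapping, _ = parse_mapping(cfg_text)
    if key not in mapping:
        return ("unmapped", key)        # no line for this code yet
    folder = mapping[key]
    if folder not in cust_dirs:
        return ("dangling", folder)     # line exists but points at a missing folder
    return ("mapped", folder)


if __name__ == "__main__":
    print(diagnose(SAMPLE_WARNING, SAMPLE_CFG, SAMPLE_CUST_DIRS))
    for issue in parse_mapping(SAMPLE_CFG)[1]:
        print(issue)
```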

LG VoLTE FIX [ Rooted Stock Based Rom] [JIO]

You are Responsible for what you do to your phone. Don't Blame me for ANYthing. BACKUP before making any changes
NOTE-
-This method consists of Editing Build.prop & Volte configuration file in cust folder.
- This method may not work for all but it will give you some idea about how things are going on.
- I'm not a developer and English is not my native language.
Complete method and explanation-
Step 1- (For fulmics rom you can skip this step as volte in build.prop is already enabled)
Editing build.prop file
GO to build.prop file in System folder via any root explorer and paste this command at last.
Code:
ro.lge.supportvolte=1
After pasting this command, leave a blank line at last and save. Now reboot your phone, it will enable Volte option in call or network setting. Some people achieve volte services only by doing this step but if volte button in setting doesn't do anything, proceed to step 2.
Step 2(General)-
Editing a file in cust folder.
Go to Cust > open_com >_config > config_open_eu > vo_config.xml
In this file replace MCC and MNC values according to your region and network. Reboot.
Step 2 (For fulmics rom , guided by @xpirt )-
A-Add following 2 lines at the end of build.prop with a blank line at last
Code:
ro.lge.capp_cupss.rootdir=/cust
ro.build.sbp=1
B- Flash the zip in attachment.( It will add cust folder contents with correct permissions. If this method fails or you face any issues you can delete all the files and folders from cust folder)
C- Follow step 2 (General)
Step 2 with Explanation and Guidance
Maximum time we don't have volte services because we are using a phone of different region or with a carrier other than default.
Cust folder consists of settings and configurations related to the region and carrier. Whenever our phone boots up it detects the carrier or region in which we are using our phone and load the settings according to the network or region. For detection and loading desired configuration phone use 2 codes MCC (mobile country code) and MNC (mobile network code ). You can find mcc and mnc from apn setting or just google including your country and carrier.
For example i am having european h850. so the configurations for all the european countries and their carriers are stored in cust folder. Now what if i boot up the phone in the region other than europe or started using a carrier not included in cust folder or delete all files in cust folder. In this case phone loads the " Open Com " configuration which are not specific to any carrier or region.
So for this method our phone must have all files in cust folder ( in fulmics rom cust folder is empty ) and our phone must be booted with 'opencom' configurations . If you are using any customised stock rom (for h850) or if in software version (under 'about phone' ) you see 'euroxx' it may be means your phone is booted up with '' open com '' configurations.
Now via any root explorer go to -> Cust > open_com >_config > config_open_eu > vo_config.xml
In this file replace MCC and MNC values according to your region. and reboot. That's it
All this worked for me on h850. I don't know about other models. You can use theory in your own way.
Thanks to @xpirt
Hit thanks if helped
Nice explanation.
Im using genisis mm rom with working volte (edited build.prop). I tried to flash fullmics rom & there is no jio network. Edited build.prop as per the steps mentioned but multiple reboots occur.
vignesh_may28 said:
Nice explanation.
Im using genisis mm rom with working volte (edited build.prop). I tried to flash fullmics rom & there is no jio network. Edited build.prop as per the steps mentioned but multiple reboots occur.
Thats because you are not on nougat modem.
For coming to fulmics from marshmallow rom... You first have to flash nougat kdz or full 20a nougat zip from autoprime's thread. Instead of flashing full nougat rom you can also try flashing nougat bootloader and modem from same autoprime thread ( but i only tried with flashing full nougat 20a zip when shifting from marshmallow to nougat )
Volte is just an option to enable from mobile or is it necessary the network should have the support for VoLTE service?
I'm on LTE network, but every time when I receive call it, always shift to 3G or 2G network, but I don't know my network support Volte service.
arfan.chatha said:
Volte is just an option to enable from mobile or is it necessary the network should have the support for VoLTE service?
I'm on LTE network, but every time when I receive call it, always shift to 3G or 2G network, but I don't know my network support Volte service.
VoLTE( Voice over LTE)
Volte is an option that can be enabled from handset and it is also necessary that the network should support volte.
Is there any way to obtain volte (reliance jio) in custom roms? Feel stock is heavy.
vignesh_may28 said:
Is there any way to obtain volte (reliance jio) in custom roms? Feel stock is heavy.
Not yet.. But i directed some developers to volte patch thread.. At this point all are busy to make custom roms fully stable , once stability is achieved ...they may work to solve volte issue .
akki7636 said:
Not yet.. But i directed some developers to volte patch thread.. At this point all are busy to make custom roms fully stable , once stability is achieved ...they may work to solve volte issue .
brother, a long shot im trying this in my g2. It may not work. i understand. but i just dont want to miss the minute chance it might..
the problem is direct flash wouldn`t help as the /cust position is not in /dev/block/bootdevice/by-name/cust. the actual position is in /dev/block/platform/msm_sdcc.1/by-name/ folder. so i changed the flashing script to such a place but it didnt work. besides i tried "dd if= of=" flashing cust.img to /cust. but it didnt help either, now my cust folder seen in root folder in file explorer is empty. i think the mount command is not suitable for g2. please help in changing. thank you
gpkumaran said:
brother, a long shot im trying this in my g2. It may not work. i understand. but i just dont want to miss the minute chance it might..
the problem is direct flash wouldn`t help as the /cust position is not in /dev/block/bootdevice/by-name/cust. the actual position is in /dev/block/platform/msm_sdcc.1/by-name/ folder. so i changed the flashing script to such a place but it didnt work. besides i tried "dd if= of=" flashing cust.img to /cust. but it didnt help either, now my cust folder seen in root folder in file explorer is empty. i think the mount command is not suitable for g2. please help in changing. thank you
This method works when volte support is embedded in the rom ( framework). Can you see volte settings in hidden menu ?
akki7636 said:
This method works when volte support is embedded in the rom ( framework). Can you see volte settings in hidden menu ?
Yes sir. Cust is also getting flashed with dd command / by your zip. Only problem is the folder doesn't get mounted.I've even tried mount -o remount,rw -t ext4 command. But it doesn't mount. Please help me im a noob in this aspect
gpkumaran said:
Yes sir. Cust is also getting flashed with dd command / by your zip. Only problem is the folder doesn't get mounted.I've even tried mount -o remount,rw -t ext4 command. But it doesn't mount. Please help me im a noob in this aspect
Sending PM
akki7636 said:
Sending PM
Tried contacting him. No response.
Provide the files
Please provide the files of cust folder who have working voLTE.
braindeductions said:
Please provide the files of cust folder who have working voLTE.
Post 1 explains everything.
akki7636 said:
Post 1 explains everything.
Did you get it to have a fully functional voLTE?
braindeductions said:
Did you get it to have a fully functional voLTE?
Yes..that's why i made this thread.
Link to the rom version you are on
(exact one)
Have tried open_eu versions 20a/c/d
Vdf 20d
braindeductions said:
Link to the rom version you are on
(exact one)
Have tried open_eu versions 20a/c/d
Vdf 20d
Im using fulmics rom.
I used this method on v20a and v20d.
You just have to enable volte in build.prop and edit cust folder's according to your carrier configuration. ( explained in first post ). This method not works on tmobile variants having international roms like fulmics. If this method fails for you it means you need extra ims libraries according to your carrier.
akki7636 said:
Im using fulmics rom.
I used this method on v20a and v20d.
You just have to enable volte in build.prop and edit cust folder's according to your carrier configuration. ( explained in first post ). This method not works on tmobile variants having international roms like fulmics. If this method fails for you it means you need extra ims libraries according to your carrier.
I have the same model h850 unbranded variant. I tried with fulmics and edited all those configuration files as mentioned but when I dial the number I don't hear dial tone instead I get pulse tone. the same problem you mentioned earlier in other threads.
braindeductions said:
I have the same model h850 unbranded variant. I tried with fulmics and edited all those configuration files as mentioned but when I dial the number I don't hear dial tone instead I get pulse tone. the same problem you mentioned earlier in other threads.
May be you need to modify some extra settings and configurations which i don't know. Im not a developer and found this method by hit and trial after spending many nights by tweaking each and every configuration related to volte.
Dont forget to add cust enabling lines (mentioned in first post ) in build.prop when you u r using fulmics rom

[Guide] Flash Oreo Update Package and Downgrade Nougat

Manually Install Full-OTA Files-Upgrade or Downgrade
Steps:
Prepare and Notice
A. Warning! Flash phone might get it bricked. I am not responsible for it.
B. Backup your data, it might be restore factory default setting especially using downgrade ROM version.
C. Unlock bootloader before flash steps. If already unlocked it is OK.
D. After update successfully, device might be locked again. Unlock again if needed.
E. HWOTA--hi6250-7-8.zip Download
F. Download Update files for your device from Pro-teammt.ru
Process
A. Extract HWOTA package(Step E. from above). Copy both HWOTA7 and HWOTA8 folders onto root of (ext-sdcard, decrypted internal sdcard, usb flash otg).
B. Add your Three (3) update files to HWOTA* folder; HWOTA7 if on Nougat: HWOTA8 if on Oreo.
C. (if have twrp already skip to E)Connect phone and enable adb , Use Replace_Recovery.bat in HWOTA to flash TWRP recovery.
D. Disconnect USB cable, use Vol-Up + Power to boot into TWRP.
E. From in TWRP install sdcard hwota7-8-auto.zip-- If using USB-otg or decrypted internal , flash hwota7-8-auto-internal.zip
F. Watch twrp screen for the message to press volume button to continue.
*******************************************************************************************************
*******************************************************************************************************
To Downgrade Back to Nougat from OREO --
A. Download roll-back update for your device (not all versions have roll-back yet, many do) from Pro-teammt.ru
B. Roll-backs have only two (2) files, other than that difference, follow directions same as above.
PARTIAL ROLL-BACK LIST --
A. BND-L21c432 http://pro-teammt.ru/firmware-database/?firmware_model=BND-L21C432B124&firmware_page=0
B. BND-L24c567 http://pro-teammt.ru/firmware-database/?firmware_model=Bond-l24c567b150&firmware_page=0
C. BND-L34c567 (MATE se) http://pro-teammt.ru/firmware-database/?firmware_model=Bond-l34c567b&firmware_page=0
D. BND-al10c675 (BND-L22) http://pro-teammt.ru/firmware-database/?firmware_model=BND-al10c675b161&firmware_page=0
E. BND-L21C636 https://pro-teammt.ru/firmware-database/?firmware_model=BND-L21C636B158CUSTC636D001&firmware_page=0
*******************************************************************************************************
Updated(Nov 2018) Version V17 (Can run built in updater on Older V) on Firmware downloader
Beta Tool Folder ==> Download
Tool checks version of phone with "getprop" or also with input from user.
Tool only gets available listed FullOTA for your device Model and Region code. Then you choose from that list.
Tool also verifies md5 of downloaded files and saves them onto your desktop in device/version sub folders.
Can Be used to extract the downloaded zip. and extract the update.app into separate images.
Last step gives option to push updates to phone to help with HWOTA
************************************
************************************
Alternate HWOTA with full rebrand
HWOTA with RE-brand
************************************
************************************
FILE INTEGRITY IS IMPORTANT, Please be in good Habit and always check numbers after a download.
My download links above are on Android file host. they all show MD5 on the download site.
The update files from http://pro-teammt.ru do not have MD5 listed.
Here are the MD5 numbers for the USA L24 update files
Code:
e75a21769f049430840ea900b11600c4 update.zip
73414b5383e5fb3391e77a13c17dca53 update_data_full_public.zip
122f0e91d77fba6e399300926d1ef289 update_full_bnd-l24_hw_usa.zip
Old thread. Not continued.
Search emui-flasher instead
.
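One way to check the three update files against the MD5 sums listed in the post before copying them to the HWOTA folder, added here as an example and not the downloader tool's own code. It distinguishes a missing file from one whose content does not match; MD5 is used only because that is what the post publishes, and it detects a corrupted or truncated download.

```python
import hashlib
import sys
from pathlib import Path

# The sums listed in the post for the USA L24 update files.
MANIFEST = """\
e75a21769f049430840ea900b11600c4 update.zip
73414b5383e5fb3391e77a13c17dca53 update_data_full_public.zip
122f0e91d77fba6e399300926d1ef289 update_full_bnd-l24_hw_usa.zip
"""

HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Return [(md5, filename)] from 'md5 filename' lines; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest = parts[0].lower()
        name = parts[1].strip().lstrip("*")   # md5sum marks binary mode with '*'
        if len(digest) == 32 and set(digest) <= HEX:
            entries.append((digest, name))
    return entries


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte update zips do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(folder, manifest=MANIFEST):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for expected, name in parse_manifest(manifest):
        path = Path(folder) / name
        if not path.is_file():
            results[name] = "missing"
        elif md5_of(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    # Usage: python verify_md5.py <folder holding the three zips>
    report = verify(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, status in report.items():
        print(f"{status:9} {name}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```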
---------RESERVED-----
Contents of HWOTA7-8-auto-V3.1.zip
Replace recovery batch file
Code:
@echo off
if not defined in_subprocess (cmd /k set in_subprocess=y ^& %0 %*) & exit )
title Lazy Recovery Auto Launcher
echo Waiting For device to be recognized by ADB
adb wait-for-device
adb shell getprop ro.build.version.emui > %~dp0\version-info.txt
for /f %%i in ('FINDSTR "EmotionUI_" %~dp0\version-info.txt') do set emui=%%i
echo %emui%
set str=%emui:~10,1%
echo.%str%
pause
if %str% equ 8 call HwOTA8\Replace_Recovery.bat
if %str% equ 5 call HWOTA7\Replace_Recovery.bat
echo THIS SCRIPT SHOULD BE FINISHED
pause
exit
HwOTA8\Replace_Recovery.bat contents
Code:
@echo off
title Recovery Replace Oreo
echo Waiting For device to be recognized by ADB
adb wait-for-device
adb shell getprop ro.build.version.emui > %~dp0\version-info.txt
for /f %%i in ('FINDSTR "EmotionUI_" %~dp0\version-info.txt') do set emui=%%i
echo %emui%
set str=%emui:~10%
echo.%str%
pause
if %str% lss 5.3 (goto Nougat
)else (
echo ok to continue)
echo Next will reboot to Fastboot Mode (bootloader)
pause
adb reboot bootloader
echo Wait Here untill fastboot mode Loads On Phone
pause
fastboot oem get-build-number 2> %~dp0\build-info.txt
for /f "tokens=2" %%i in ('findstr "^(bootloader)" "%~dp0\build-info.txt"') do set Device=%%i
for /f "tokens=3" %%i in ('findstr "^(bootloader)" "%~dp0\build-info.txt"') do set Build=%%i
echo Your Current Device is = %Device% %Build%
echo next will flash Oreo twrp
pause
fastboot flash recovery_ramdisk HWOTA8\complete_twrp_ramdisk.img
echo RECOVERY SHOULD NOW BE FLASHED
echo GET READY TO PULL USB PLUG OUT AND HOLD VOLUME UP
echo RIGHT AFTER YOU PRESS BUTTON TO CONTINUE
pause
fastboot reboot
exit
:Nougat
echo You are On NOUGAT DO NOT USE THIS
pause
exit
Contents of restore-package
Replace recovery batch file
Code:
adb reboot bootloader
pause
fastboot flash recovery twrp-honor.img
pause
Update-binary from restore.zip
Code:
#!/sbin/sh
dd if=/external_sd/restore-package/boot.img of=/dev/block/mmcblk0p28
dd if=/external_sd/restore-package/cust.img of=/dev/block/mmcblk0p45
dd if=/external_sd/restore-package/product.img of=/dev/block/mmcblk0p48
dd if=/external_sd/restore-package/system.img of=/dev/block/mmcblk0p44
dd if=/external_sd/restore-package/vendor.img of=/dev/block/mmcblk0p47
dd if=/external_sd/restore-package/version.img of=/dev/block/mmcblk0p46
.
Hi !
Does it work on L21C432 for rollback to Nougat ?
Thanks !
DaRkLinK_35 said:
> Hi !
> Does it work on L21C432 for rollback to Nougat ?
> Thanks !
It should. I had couple chats in telegram group for 7x dev with users doing this. But they ran into trouble because they did not have good emui-5 backup images. The first part of flashing the cn nougat roll-back worked fine.
mrmazak said:
> It should. I had couple chats in telegram group for 7x dev with users doing this. But they ran into trouble because they did not have good emui-5 backup images. The first part of flashing the cn nougat roll-back worked fine.
So it's not guaranteed to work? Is it better if I wait or flash?
DaRkLinK_35 said:
> So it's not guaranteed to work? Is it better if I wait or flash?
Up ?
DaRkLinK_35 said:
> Up ?
I used it . It worked for me.
Ymmv
Works for BND-AL10?
verma.avesh said:
> Works for BND-AL10?
Yes it should
In the future, if Huawei releases a new modem, say, do I need to revert to stock first and then flash Treble AOSP? Thx
optionalmgrr.la said:
> In the future, if Huawei releases a new modem, say, do I need to revert to stock first and then flash Treble AOSP? Thx
I expect, in order to take advantage of OTA improvements such as an updated modem, you will need to be back on stock, yes.
I was able to successfully update to Oreo from Nougat following your guide without issue. So now can I relock, or do I need to do the first part of the guide also?
shadowsiul said:
> I was able to successfully update to Oreo from Nougat following your guide without issue. So now can I relock, or do I need to do the first part of the guide also?
Umm, No.
The guide is for going both ways (upgrade, and downgrade).
No need to relock bootloader either. Unless you want to.
mrmazak said:
> Umm, No.
> The guide is for going both ways (upgrade, and downgrade).
> No need to relock bootloader either. Unless you want to.
If I relock the bootloader after going totally stock, will I get the official OTA, and if so, will I be able to install those OTAs, since I saw verification failed for many people?
Mohan0004 said:
> If I relock the bootloader after going totally stock, will I get the official OTA, and if so, will I be able to install those OTAs, since I saw verification failed for many people?
Someone else has already posted that they received the OTA while unlocked, so not necessary.
Nougat to Oreo FullOTA
successfully done the upgrade from Nougat to Oreo on AL-10 Indian version with the method on page-1
kavena78 said:
> successfully done the upgrade from Nougat to Oreo on AL-10 Indian version with the method on page-1
Let me ask you something, please.
Did it work in one step, or did you have to do the install a second time from Oreo in order to get it fully done?
I ask because my first time I used this I had to repeat the install process again from Oreo to get the data part of install to flash. I made changes (no longer shortening the file names to fit the script, instead change the script to fit the file names) and second time it worked for me.
If it is confirmed that the new way worked for you, then I can remove the large warning (somewhat confusing) text from the first post.
mrmazak said:
> Let me ask you something, please.
> Did it work in one step, or did you have to do the install a second time from Oreo in order to get it fully done?
> I ask because my first time I used this I had to repeat the install process again from Oreo to get the data part of install to flash. I made changes (no longer shortening the file names to fit the script, instead change the script to fit the file names) and second time it worked for me.
> If it is confirmed that the new way worked for you, then I can remove the large warning (somewhat confusing) text from the first post.
It worked on the 1st attempt, used the HWOTA7. Appreciate your efforts

[GUIDE] Enable VoLTE for your non operator handset

I have finally been able to get VoLTE working on my X Performance despite my carrier never having 'supported' my handset (they never sold it here).
What you will need?
Windows Computer with Flashtool and minimal ADB and fastboot (if you have already downloaded firmware as below you can use flashtool on whatever platform you prefer)
Bootloader Unlocked
TWRP
ROOT (Magisk Preferred)
VoLTE enabled firmware (not sure about this one I think you can edit build.prop appropriately)
To unlock Bootloader, TWRP, and ROOT follow this guide
I will first describe how I did it and then how anyone else should be able to achieve the same outcome. Now includes a less convoluted way to do this allowing you to keep all data thanks to those who tested
1) First, using a root file browser (I recommend this one), browse to /system/etc/customisations/modem/
2) Check to see if there is any reference to your operator's modem in your model firmware. They are all in the format of amss_fsg_dora_xxx_tar.mbn
3) Once you have spotted your operator you need to take note of what's in between 'dora_' and '_tar'. So for example if I use china mobile - I would find amss_fsg_dora_china_mobile_hk_ims_tar.mbn and I would need to take note of china_mobile_hk_ims
4) Once you have this you need to connect your phone via ADB to your PC (I found this much easier on a computer).
5) Enter the following commands adb root then adb shell
6) mount -o rw,remount /oem
7) vi /oem/modem-config/modem.conf
8) press 'i' on your keyboard to enter edit mode and delete whatever is in the file and replace it with your operator modem from step 3 - (china_mobile_hk_ims in this example) then press 'ESC' and then ':wq'
9) make a backup of your important data
10) Turn off your phone, connect it into Flashmode to your PC (hold vol- while plugging in to the PC)
11) Flash your firmware with these options - do a wipe of all partitions. Tick the OEM box in the 'Exclude SIN' section. Alternatively follow this and avoid factory reset as per @pbarrette and @SGH-i200
12) Once you have completed reboot your phone and you should pickup VoLTE settings at setup.
IF you don't have root follow the guide earlier on how to backup TA, unlock bootloader
Flash a VoLTE enabled firmware. Install TWRP. Enter recovery (hold Vol- and power to start phone) install your preferred root option. Then connect your phone via ADB (step 5) to find your operator modem per step 3. Continue with Step 6&7. Start your phone.
I have tested this using existenZ 5.5. Theoretically should work for any Xperia phones with an OEM partition, however each phone might have a different modem name for the same operator (I know this to be the case between the XZP and the XXP), however if you get the bit in between 'modelname_' and '_tar' and follow the same process for editing the modem.conf file you should get the same results.
Credit to
@sdugoten for Unlock, TWRP and ROOT guide
@akshay2shah for informing me of the modem selector tool for other Xperias
@VeixES for informing me of the oem.sin partition and modem.conf files
@niaboc79 for existenZ ROM (highly recommended)
@SGH-i200 and @pbarrette for testing and coming up with an easier way to use this (step 11)
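A pre-flash check for steps 2 to 8, as an added example that is not part of the original post: it lists the operator identifiers available in a local copy of the modem directory and confirms that the text meant for modem.conf names an existing .mbn file. The function names and the local directory are assumptions; the file-name pattern and the `dora` model name come from the guide.

```python
import re
import tempfile
from pathlib import Path


def operator_ids(modem_dir, model):
    """Return the operator identifiers found in modem_dir for one model.

    The guide's pattern is amss_fsg_<model>_<operator>_tar.mbn; the operator
    part may itself contain underscores (china_mobile_hk_ims).
    """
    pattern = re.compile(r"^amss_fsg_" + re.escape(model) + r"_(.+)_tar\.mbn$")
    found = set()
    for entry in Path(modem_dir).iterdir():
        match = pattern.match(entry.name)
        if match:
            found.add(match.group(1))
    return sorted(found)


def check_modem_conf(conf_text, modem_dir, model):
    """Validate the text intended for modem.conf; return (ok, reason)."""
    lines = [ln.strip() for ln in conf_text.splitlines() if ln.strip()]
    if len(lines) != 1:
        return False, "modem.conf must hold exactly one operator identifier"
    value = lines[0]
    # Catch the easy mistake of pasting the whole file name.
    if value.startswith("amss_fsg_") or value.endswith(".mbn"):
        return False, "use only the part between '<model>_' and '_tar'"
    if value not in operator_ids(modem_dir, model):
        return False, "no amss_fsg_%s_%s_tar.mbn in %s" % (model, value, modem_dir)
    return True, "ok"


def demo():
    """Run the checks against a constructed directory (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("amss_fsg_dora_china_mobile_hk_ims_tar.mbn",
                     "amss_fsg_dora_example_operator_tar.mbn",    # constructed
                     "amss_fsg_poplar_example_operator_tar.mbn",  # other model
                     "default"):
            (Path(tmp) / name).write_bytes(b"")
        return {
            "operators": operator_ids(tmp, "dora"),
            "good": check_modem_conf("china_mobile_hk_ims\n", tmp, "dora"),
            "full_name": check_modem_conf(
                "amss_fsg_dora_china_mobile_hk_ims_tar.mbn", tmp, "dora"),
            "missing": check_modem_conf("not_present", tmp, "dora")[0],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the check before step 10 catches a mistyped identifier while the old modem.conf can still be restored.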
Wipe all partition. It's too difficult.
Is it possible to enable VoWiFi for this device? My phone carrier supports both VoWiFi and VoLTE on newer Sony Model. But only supports VoLTE on X Performance......
would not be a more detailed guide?
do not know how to copy ...
I did not find my operator ,,amss_fsg_dora_xxx_tar.mbn"
there is a link "default"
kodein said:
> would not be a more detailed guide?
> do not know how to copy ...
> I did not find my operator ,,amss_fsg_dora_xxx_tar.mbn"
> there is a link "default"
Is your operator an MVNO? You could try and see if using the underlying carrier modem is present? Otherwise see if another operator in your country's modem settings work (unlikely but your only other option is to try till you have a modem setting that works). You could try looking at the apns-conf.xml file and see if there is an operator with similar settings if you know them.
bluesky1126 said:
> Is it possible to enable VoWiFi for this device? My phone carrier supports both VoWiFi and VoLTE on newer Sony Model. But only supports VoLTE on X Performance......
I have the same problem. Unfortunately I don't think there is any way unless you know the VoWiFi settings. I'll look into it. For me at least I'm no longer having dropped calls or missing out on important calls
chris_j26 said:
> I have the same problem. Unfortunately I don't think there is any way unless you know the VoWiFi settings. I'll look into it. For me at least I'm no longer having dropped calls or missing out on important calls
I see......
Well, still congrats to you~
Please flashable zip sir
chris_j26 said:
> 1) First using a root file browser - I recommend this one browse to /system/etc/customisations/modem/
> 2) Check to see if there is any reference to your operator's modem in your model firmware. They are all in the format of amss_fsg_poplar_xxx_tar.mbn
If the mbn file is not there, can I copy it to this folder? What has to be changed after copying the file there?
SGH-i200 said:
> If the mbn file is not there, can I copy it to this folder? What has to be changed after copying the file there?
If you got an mbn file it might work. However I suspect that it contains modem specific files if you copied it across from one device family (Xperia X , Xperia xz for example) it theoretically could work. I would imagine you would need to set permissions on the mbn file once copied I would think 1744 would do it but I'm not an expert on Android filesystem permissions. You could always do ls -la in terminal on the folder and replicate those permissions.
chris_j26 said:
> 10) Turn off your phone, connect it into Flashmode to your PC (hold vol- while plugging in to the PC)
> 11) Flash your firmware with these options - do a wipe of all partitions. Tick the OEM box in the 'Exclude SIN' section.
> 12) Once you have completed reboot your phone and you should pickup VoLTE settings at setup.
A Factory Reset is not needed to switch the active MBN! Please update point 11 to 'Flash cust-reset.ta' (and keep all your data and settings!):
pbarrette said:
> I usually just flash the cust-reset.ta file. That clears the unit in the TA partition which holds the current carrier customization information.

[XZ1c/XZ1/XZp] temp root exploit via CVE-2019-2215 including magisk setup [Locked BL]

temp root exploit for sony xperia XZ1c/XZ1/XZp with oreo firmware
by j4nn
https://j4nn.github.io/
Let me present you a temp root exploit for sony xperia XZ1 Compact / XZ1 / XZ Premium phones running android oreo firmware.
The exploit uses CVE-2019-2215, which can get you a temporal root shell very quickly and reliably (it's nearly instant).
SUPPORTED TARGETS
XZ1 Compact
G8441_47.1.A.8.49 (tested myself)
G8441_47.1.A.16.20 (tested myself)
XZ1
G8341_47.1.A.16.20
G8342_47.1.A.16.20
XZ Premium
G8141_47.1.A.16.20
G8142_47.1.A.16.20
with bindershell-v2 following targets added:
Xperia XZ1
G8343_47.1.A.12.150 (Freedom Canada)
G8343_47.1.A.12.205 (Freedom Canada)
SO-01K_47.1.F.1.105 (Docomo Japan)
SOV36_47.1.C.9.106 (AU Japan)
Xperia XZ1 Compact
SO-02K_47.1.F.1.105 (Docomo Japan)
XZ Premium
SO-04J_47.1.F.1.105 (Docomo Japan)
with bindershell-v2x following target added:
Xperia XZ1
701SO_47.1.D.11.32 (Softbank Japan)
This is an alternative method to my renoroot exploit release before, to get a temp root shell for TA (drm keys) backup.
I've also implemented a script to start up magisk from the temp root shell, so this can be used nicely with still locked phones to enable magisk root without unlocking bootloader with the latest oreo fw. You still cannot modify anything in /system or /vendor partitions due to dm-verity, but you could use it for other useful stuff, like iptables based firewall for example.
Listed firmware versions may be found for example here:
https://www.xperiasite.pl/forum/221-firmware/
https://boycracked.com/?s=xperia+xz1
USAGE HOWTO
to get a simple temp root shell
just download bindershell.zip, unzip, 'adb push bindershell /data/local/tmp' and get temp root:
Code:
G8441:/ $ cd /data/local/tmp
G8441:/data/local/tmp $ chmod 755 ./bindershell
G8441:/data/local/tmp $ ./bindershell
bindershell - temp root shell for xperia XZ1c/XZ1/XZp using CVE-2019-2215
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: Reading leaked data
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: Reading leaked data
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffecc9691b00
MAIN: thread_info_ptr = ffffffecc4c34000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
kaslr slide 0x1d35200000
selinux set to permissive
current task credentials patched
got root, start shell...
G8441:/data/local/tmp #
for temp root with magisk setup
do as in previous option and download also the magisk-setup-from-exploit.zip and Magisk-v19.3-Manager-v7.1.2.zip, unzip both and use following commands in addition (skip starting the bindershell in previous section):
Code:
adb install MagiskManager-v7.1.2.apk
adb push Magisk-v19.3 /data/local/tmp
adb shell 'cd /data/local/tmp/Magisk-v19.3 ; chmod 755 * ; /system/bin/sh ./update-binary -x ; ./magiskinit -x magisk magisk'
adb push magisk-setup.sh /data/local/tmp
adb shell chmod 755 /data/local/tmp/magisk-setup.sh
(also present in the included magisk-push.sh script, which you can simply execute in linux or possibly rename to a .bat file and execute it in windows too /not tested though/)
The above would copy the needed stuff to your phone.
Then after each boot you can use following command to startup magisk via the exploit:
Code:
adb shell 'cd /data/local/tmp ; ./bindershell -c ./magisk-setup.sh'
see post#41 for a possibility to start this exploit again after reboot without use of adb, thanks to @Tifs
SOURCES
Source code for the exploit (bindershell) is available here:
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
Magisk startup script is obviously already in source form inside the magisk-setup-from-exploit.zip archive attached.
Magisk binaries packed in the Magisk-v19.3-Manager-v7.1.2.zip are not modified upstream released Magisk-v19.3.zip and MagiskManager-v7.1.2.apk, extracted only needed components and combined into single archive.
It might be possible to use other versions (v19.3+), but that has not been tested and is not supported in any way.
CREDITS
thanks to @arpruss for the su98 exploit variant (where binder_thread wait queue is at 0x98 offset instead of 0xa0, needed completely different approach than the original exploit) - the core of the exploit up to kernel space r/w primitives has been used
DOWNLOAD
Hi @j4nn, it's done for my XZ1 DUAL. Many thanks. But when I unplug the phone from computer, then temp root will be reset, is it normal?
Ps: Do I need to worry/care about dm-verity?
I can permanently uninstall bloatware, install adaway and other applications that need root..
I think it's said. But I need to ask.
Thank you
[email protected] said:
> I can permanently uninstall bloatware, install adaway and other applications that need root..
> I think it's said. But I need to ask.
> Thank you
Yes, you can install and use e.g. adaway, AFWall+ etc.
But - as already mentioned in the op - it's not possible to modify /system and /vendor, due to dm-verity, which is still present with a locked bl. Therefore you can't get rid of bloatware, which is placed in /system or /vendor
Actually you can remove bloatware permanently, but without gaining any storage space.
It is possible to do that via oem partition - there you can make modifications, dm-verity does not check oem partition.
It is possible to define which applications would be "removed", then even factory reset would not enable them again.
This way of bloatware removal is quite tricky, as you may need to test factory reset to see if the phone boots or not.
Such debloating can be done via early_config.xml in oem partition - there you can permanently blacklist apps with entries like this:
Code:
<string-array name="config_packagesBlacklist">
<item>com.amazon.mShop.android.shopping</item>
</string-array>
<string-array name="config_packagesFullBlacklist">
<item>com.amazon.mShop.android.shopping</item>
</string-array>
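Because changes under /oem are not checked by dm-verity and, per the post above, survive a factory reset, it helps to be able to audit what an early_config.xml hides. An added example (not j4nn's or Sony's code) that compares the two blacklist arrays against a baseline copy; the function names, the `<resources>` root element and the sample package `com.example.constructed.security.agent` are assumptions.

```python
import xml.etree.ElementTree as ET

# The two array names shown in the post above.
BLACKLIST_ARRAYS = ("config_packagesBlacklist", "config_packagesFullBlacklist")


def read_blacklists(xml_text):
    """Return {array name: set of package names} for the blacklist arrays."""
    root = ET.fromstring(xml_text)
    result = {name: set() for name in BLACKLIST_ARRAYS}
    for array in root.iter("string-array"):
        name = array.get("name")
        if name in result:
            for item in array.iter("item"):
                if item.text and item.text.strip():
                    result[name].add(item.text.strip())
    return result


def diff_blacklists(baseline_xml, current_xml):
    """List packages added to or removed from each array since the baseline."""
    before = read_blacklists(baseline_xml)
    after = read_blacklists(current_xml)
    changes = {}
    for name in BLACKLIST_ARRAYS:
        added = sorted(after[name] - before[name])
        removed = sorted(before[name] - after[name])
        if added or removed:
            changes[name] = {"added": added, "removed": removed}
    return changes


# Constructed samples. The <resources> root element is an assumption; the post
# shows only the two string-array elements.
BASELINE = """<resources>
  <string-array name="config_packagesBlacklist"/>
  <string-array name="unrelated_array"><item>x</item></string-array>
</resources>"""

MODIFIED = """<resources>
  <string-array name="config_packagesBlacklist">
    <item>com.amazon.mShop.android.shopping</item>
  </string-array>
  <string-array name="config_packagesFullBlacklist">
    <item>com.amazon.mShop.android.shopping</item>
    <item>com.example.constructed.security.agent</item>
  </string-array>
</resources>"""

if __name__ == "__main__":
    for array_name, change in diff_blacklists(BASELINE, MODIFIED).items():
        print(array_name, change)
```

A package that appears in the "added" list without the owner having put it there is the case worth investigating, since a factory reset will not bring that app back.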
temp root for new targets available with bindershell-v2 - following targets added:
Xperia XZ1
G8343_47.1.A.12.150 (Freedom Canada)
G8343_47.1.A.12.205 (Freedom Canada)
SO-01K_47.1.F.1.105 (Docomo Japan)
SOV36_47.1.C.9.106 (AU Japan)
Xperia XZ1 Compact
SO-02K_47.1.F.1.105 (Docomo Japan)
XZ Premium
SO-04J_47.1.F.1.105 (Docomo Japan)
(offsets extracted from kernels from fully downloaded firmwares)
j4nn said:
> temp root exploit for sony xperia XZ1c/XZ1/XZp with oreo firmware
> by j4nn
Nice work j4nn :good:
@j4nn
Thank you very much for the possibilities you give us due to your great work.
Once TA backup has been carried out, Magisk installed and changes made using root (for example installing adaway, some Magisk module, etc.),
are these changes maintained if we update firmware to Pie?
Can we continue using root with Magisk in Pie?
Thanks in advance
@[email protected], it's only a temp root. Once you power off / reboot, it is not rooted anymore, you would need to start the exploit again - just the last command starting magisk. Using magisk modules might work or not, it depends - magisk is used in a way here that it has not been designed in (normally it should be started from kernel's ramdisk before the original init).
You need to unlock and restore ta backup in order to get possibilities like custom kernels or full roms, pie or whatever...
The only permanent customizations may be done in oem partition. You could tune the blacklisted apps there in an oem version from pie firmware to prepare it for pie upgrade and then manually flash the rest of the pie fw skipping oem to keep the modded/debloated setup in oem while running pie with still locked BL, obviously without root.
Or stick with the exploitable fw version (latest oreo) to be able to startup magisk after each boot, if you cannot unlock your BL.
Klaus N. said:
> Yes, you can install and use e.g. adaway, AFWall+ etc.
> But - as already mentioned in the op - it's not possible to modify /system and /vendor, due to dm-verity, which is still present with a locked bl. Therefore you can't get rid of bloatware, which is placed in /system or /vendor
Hi @j4nn, can we modify /etc or /cache? Of course we cannot with /system /vendor, but I have no idea about another place.
@anaconda875, I believe /etc is a symlink to /system/etc. You could redirect it somewhere else and make changes there. But it would be only temporal, because content of / is coming from kernel's initramfs, that is not possible to modify persistently with just a temp root. You can modify /cache, but I am afraid there is not that interesting stuff to change there.
In my opinion, the most interesting stuff you can modify is the content in /oem, where you can permanently block apps (debloat) or change stuff related to wifi/lte calling.
Many thanks @j4nn
not works sov36 LB .
Solved
Really works, thanks j4nn
@Aviv_Gopax, please do not full quote the very big opening post for no reason at all.
Instead you could provide some details from your test - what fw version do you have and a log from your test.
j4nn said:
> @Aviv_Gopax, please do not full quote the very big opening post for no reason at all.
> Instead you could provide some details from your test - what fw version do you have and a log from your test.
Sorry hehe, I'm using FW Oreo build 106
@Aviv_Gopax, I did recheck the SOV36 target offsets and I do not see a reason why it would not work.
Please post the log from the run of ./bindershell as shown in the OP in usage howto section - is not any error there?
downgraded to supported fw (G8342_47.1.A.16.20), and also followed all procedures on both old and new temp root posts, but only showed:
my bad, eventually learned how to backup TA with new method, thank you j4nn!
but I'm gonna unlock and restore some other day.
@j4nn how did you find the offsets? from the stock kernel source code? I'm btw also interested in extracting the keys from the trustzone exploit before upgrading my device
@tombbb, thank you for your donation, really appreciated.
@tb_, cannot get to my PC for some more days to provide the details, but in the case of this cve the most important thing is the offset of the wait queue inside the binder_thread struct - the original poc assumes 0xa0 offset, while for yoshino 0x98 offset is used. That fundamentally changes the core of the exploit. I tried to adapt it similarly for XZ2, there 0xa0 is used, so original poc needs to be adapted. It would never work though, because of hw based mitigation - see my post here:
https://forum.xda-developers.com/showpost.php?p=81689337&postcount=1528
