Database Develop

Backup the ROM

Hello,
I would like to flash my Streak7 with HoneyStreak, but I would like to make a backup from the original ROM to go back to 2.2.2.
Can anyone tell me how can I do that?
NVFlash?
Thank you.
Multi.

Hello,
i have make a Backup with this scipt.
Code:
nvflash\nvflash --bl nvflash\bootloader.bin --go
nvflash\nvflash -r --read 2 backup\p2.img
nvflash\nvflash -r --read 3 backup\p3.img
nvflash\nvflash -r --read 4 backup\p4.img
nvflash\nvflash -r --read 5 backup\p5.img
nvflash\nvflash -r --read 6 backup\p6.img
nvflash\nvflash -r --read 7 backup\p7.img
nvflash\nvflash -r --read 8 backup\p8.img
nvflash\nvflash -r --read 9 backup\p9.img
nvflash\nvflash -r --read 10 backup\p10.img
nvflash\nvflash -r --read 11 backup\p11.img
nvflash\nvflash -r --read 12 backup\p12.img
nvflash\nvflash -r --read 13 backup\p13.img
nvflash\nvflash -r --read 14 backup\p14.img
nvflash\nvflash -r --read 14 backup\p15.img
nvflash\nvflash -r --read 16 backup\p16.img
nvflash\nvflash -r --read 14 backup\p17.img
nvflash\nvflash -r --read 18 backup\p18.img
nvflash\nvflash -r --read 19 backup\p19.img
nvflash\nvflash -r --read 20 backup\p20.img
nvflash\nvflash -r --read 21 backup\p21.img
nvflash\nvflash -r --read 22 backup\p22.img
nvflash\nvflash -r --read 23 backup\p23.img
nvflash\nvflash -r --read 24 backup\p24.img
you need nvflash in the Folder NVFLASH and a Folder called BACKUP.

Could you explain a little clearer for us newbies? Thanks!

I just noticed that partitions 15 and 17 are read from the same partition as 14. Is this correct, or just a copy/paste error?

[Q] NVFLASH commands for tegra2 on LG P990 (Linux4Tegra)

Hi all folks,
I'm a curious owner of one O2X aka LG P990 aka LG Optimus Dual, the famous device with nvdia's Tegra2 SoC.
I'm not sure that this is the correct place for this thread, but, as new member, I'm not able to post elsewhere.
Excuse me for my bad english.
Get down...
As we know, NvFlash is the nvidia tool for flashing devices over USB connection, documentations regarding this tool are a bit hard to find, but not so much.
Depending on the platform, nvidia provides the "NVIDIA Tegra Linux Driver Package (L4T)", sure, for free (sure, for Linux)!
Among other things L4T contains NvFlash.
I searched for platform code-named harmony, according to wikipedia.org, the same that seems to be under our device.
First I want to make a complete backup of my device, so if somethings goes wrong, the backup can restore my O2X.
I found some information about this, summarizing:
Code:
./nvflash --bl fastboot.bin --go
or better:
Code:
./nvflash --bl fastboot.bin --getbct --bct ./myBCT.bct --go
This command start nvflash and load the bootloader fastboot.bin (also found in L4T package) in memory. The command also read back the "boot/binary configuration table" in a file called myBCT.bct
After this command terminate correctly, I want to read the partition table of the device, so as to know which partition I'll have to backup.
Code:
./nvflash -r --getpartitiontable ptable.txt
I'm stuck on getting the partition table.
NvFlash return me this erros:
Code:
Nvflash v1.9.86345 started
[resume mode]
failed executing command 20 NvError 0x120002
command failure: get partition table failed (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x4 (0x4) flags: 0
Can anyone help me please?
I don't want to use any kind of oneclicktool that hide the "real" actions performed on my box, as I said, I'm curoius!
Thanks!

Download the flashtool from homero2 for Linux and open the shell with an editor, so there you'll find the commands you're looking for, if not all at least the most used.
Do not say "thanks"; just press it under here.

louiscypherbr said:
Download the flashtool from homero2 for Linux and open the shell with an editor, so there you'll find the commands you're looking for, if not all at least the most used.
Do not say "thanks"; just press it under here.
Click to expand...
Click to collapse
Ok I'll click on the thanks button, but my question has not been answered.
I'm stuck on getting the partition table.
NvFlash return me this erros:
Code:
Nvflash v1.9.86345 started
[resume mode]
failed executing command 20 NvError 0x120002
command failure: get partition table failed (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x4 (0x4) flags: 0
Can someone who has already seen this error help me?
What could the cause be?
Thanks in advance!

Change USB cable. On some low quality cables nvflash work with errors.
Sent from my LG-P990 using xda premium

Acider_HardStyle said:
Change USB cable. On some low quality cables nvflash work with errors.
Sent from my LG-P990 using xda premium
Click to expand...
Click to collapse
Yes I heared about problems due to cable, I'm using the original LG USB cable, hope it is good.
I think the error concern a specific thing,
Code:
bootloader status: partition table is required for this command (code: 8) message: nverror:0x4 (0x4) flags: 0
but i cannot find nothing about this message on the internet.
Help me please...

tryin said:
Ok I'll click on the thanks button, but my question has not been answered.
Click to expand...
Click to collapse
Lol.. You don't need to thank me for nothing. I'm sorry, it's my signature, and just a way to say people stop posting "oh, thank you" and anything else that justifies a new post. I'll remove it anyway.
Btw, back to the topic, I always used that scripts to make the things by myself, understanding what command is for and so. Perhaps it's the easy way to learn, looking at codes.

louiscypherbr said:
Lol.. You don't need to thank me for nothing. I'm sorry, it's my signature, and just a way to say people stop posting "oh, thank you" and anything else that justifies a new post. I'll remove it anyway.
Btw, back to the topic, I always used that scripts to make the things by myself, understanding what command is for and so. Perhaps it's the easy way to learn, looking at codes.
Click to expand...
Click to collapse
Don't worry louis,
did you used the nvflash elf executable packed in the homero2's packet..?

tryin said:
Don't worry louis,
did you used the nvflash elf executable packed in the homero2's packet..?
Click to expand...
Click to collapse
Yes.

louiscypherbr said:
Yes.
Click to expand...
Click to collapse
and you know where that elf does come from?

No.
But now a suggestion comes to my mind. Did you tried passing -bl fastboot.bin on the command you're getting error? I think it's always necessary to pass the fastboot.bin to make the phone boot on nvflash mode and read its partition table.
Sent from my LG-P990 using xda app-developers app

..

louiscypherbr said:
No.
But now a suggestion comes to my mind. Did you tried passing -bl fastboot.bin on the command you're getting error? I think it's always necessary to pass the fastboot.bin to make the phone boot on nvflash mode and read its partition table.
Sent from my LG-P990 using xda app-developers app
Click to expand...
Click to collapse
Fastboot is loaded without any problem, i think the error was caused by the --getparitiontable in resume mode, " -r ".
I would like to know the origin of that executable, or al least the version...

tryin said:
Fastboot is loaded without any problem, i think the error was caused by the --getparitiontable in resume mode, " -r ".
I would like to know the origin of that executable, or al least the version...
Click to expand...
Click to collapse
I think I got similar error when I was playing with nvflash tool as well. I guess you are correct, it will be related to resume mode.
I have all commands in batch and it works fine, but when insert one by one, then error can happen.
My code for GB partition backup:
Code:
nvflash.exe --bl fastboot.bin --getbct --bct backup\backup.bct --go
nvflash.exe -r --getpartitiontable backup\partition.txt
nvflash.exe -r --read 2 backup\bct.img
nvflash.exe -r --read 4 backup\bootloader.img
nvflash.exe -r --read 10 backup\boot.img
nvflash.exe -r --read 12 backup\lgdrm.img
nvflash.exe -r --read 14 backup\recovery.img
nvflash.exe -r --read 16 backup\data.img
nvflash.exe -r --read 6 backup\system.img
nvflash.exe -r --go

p.valenta said:
I think I got similar error when I was playing with nvflash tool as well. I guess you are correct, it will be related to resume mode.
I have all commands in batch and it works fine, but when insert one by one, then error can happen.
Click to expand...
Click to collapse
And what version of nvflash did you used?

tryin said:
And what version of nvflash did you used?
Click to expand...
Click to collapse
I extract it from ProgMaq zip file. I cannot search on XDA now, but you can try to get it from this thread: http://forum.xda-developers.com/showthread.php?t=1975274. Well, I download it from another thead, but XDA search not works now, hard to find.

Ok,
obviously here:
http://forum.xda-developers.com/wiki/Nvflash
http://developer.download.nvidia.com/assets/mobile/files/tegra-linux-12.alpha.1.0.tar.gz
this is the only "official" link that give me a version of NvFlash that work without problems on my O2X.
It with fastbootICS.bin packed in homero2's Optimus_Toolkit_6-in-1_V-1.1.1 tar.
With the fastboot.bin found in the same packed of the official nvflash i get stuck!
Why?
I don't know yet...

[TUTORIAL]How to unbrick your N4

How to unbrick your N4 ​I'm not responsible for anything that happens with your device!
I accidently flashed a S4 ROM.
After I noticed that, I tried to flash a factory image, but it booted for a very long time and WiFi, signal and other radio stuff didn't work.
Then I searched for help here, but anything they suggested didn't work, so you might be thinking that the only solution would be to send the device for repair.
But I searched for a solution anyway and found it
So this is what you need to download:
Nexus 4 Unbrick.zip
For Nexus 4 16GB you also need to download this files:
Nexus 4 Unbrick 16 GB Files.zip
OK let's start:
First thing we need to do is extracting everything and installing the LGNPST (this is for Windows 8, but I don't see why it shouldn't work on other versions).
Open your extracted Nexus 4 files folder
Open the LGNPST folder
Install "LGUnitedMobileDriver_S4981MAN38AP22_ML_WHQL_Ver_3.8.1.exe", it's located under "LG_USB_Driver"
Install "LGNPSTv1.3_Lab_Verison_RightClickReg.exe", located in root of the folder
Install "LGNPST_GenericModels_Ver_5_0_12_0", located under "NPST Generic Components and Models"
Install "LGNPST_Components_Ver_5_0_20_0", also located under "NPST Generic Components and Models"
Copy the Models folder to C:\LG Electronics\LGNPST\
Start a command prompt as admin
Type: regsvr32 "C:\LG Electronics\LGNPST\Models\LGNPST_LS970.dll" (yes, I know this is a .dll for the Optimus G)
That's it
If you got no ADB or fastboot drivers installed, install the Universal ADB Driver.
Now start the LGNPST and get your N4 into download mode:
Turn the phone off.
Make sure the phone is off.
Plug a USB cable into your PC, AND ONLY INTO YOUR PC. THE PHONE PART COMES NEXT.
Hold down the volume up and down buttons for 2 (two) seconds on your Nexus, and continue to hold the volume up and down buttons while pluging in the USB cable which is connected to your PC. Continue to hold the buttons until the download mode screen appears. Now step five.
Once the download mode screen comes up, let go of the volume buttons.
Thanks to @Connor Baker for sharing this method
Now you should get a screen like this:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Now your LGNPST should look like this:
In the bottom center you see DLL and BIN File.
Click on the folder symbol and select LGNPST_LS970.dll (and again, yes, I know it's for Optimus G, trust me I know what I'm doing)
Then select the .bin file you extracted before.
Now click start and it'll flash it.
Your N4 will reboot automatically, but the LGNPST reached only 85%, thats's normal (but please wait until the 67% changed to 85% before you close it)
The LGNPST will say you, that you should reboot again to download mode to finish the process, but the only thing it does is giving you an error message.
So now you have a developer firmware on your device and it's encrypted so you can do nothing.
Reboot into bootloader with Vol - and power button.
Now start flash_all.bat in the flashfactory folder and the program will do the things by itself.
Now you are completely on stock and should have a fully working device
Next steps for Nexus 4 16GB:
First thing I need to say: No, this doesn't work!
First step is rooting your phone (search through XDA if you don't know how; thanks to Rockstar600 for remembering me)
Copy the files you downloaded for the 16GB Version on your Nexus 4 (without the CWM Image).
If "dd" got renamed to "dd.bin" rename it back to "dd".
Install Root Browser or an similar app and copy the files to your /system directory.
Then flash the CWM Recory Image.
To do that open the folder that contains the Factory Image flashable with fastboot and do CTRL+Right Click in that folder and select "Open Command Prompt here" or something like that (don't know the exact name).
Get your device into fastboot mode with Vol- and Power.
Now type:
Code:
fastboot flash recovery recovery-clockwork-touch-6.0.4.7-mako.img
Then reboot into recovery.
I think you leaved CMD open.
So now type:
Code:
adb shell
mount /system
cp /system/dd /
chmod 755 /dd
/dd if=/dev/block/mmcblk0 of=/system/pgpt8G.img bs=512 count=34
/dd if=/dev/block/mmcblk0 of=/system/sgpt8G.img bs=512 skip=30777311
umount /data
umount /cache
umount /system
df -h
Now the output should look like this:
Code:
# df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 911.7M 48.0K 911.6M 0% /dev
There shouldn't be a extra line.
If there is no extra line then continue with:
Code:
mount /system
/dd if=/dev/block/mmcblk0 of=/system/DDR bs=512 skip=15267840 count=2015
/dd if=/system/DDR of=/dev/block/mmcblk0 bs=512 seek=30775296 conv=notrunc
/dd if=/system/sgpt16G.img of=/dev/block/mmcblk0 bs=512 seek=30777311 conv=notrunc
/dd if=/system/pgpt16G.img of=/dev/block/mmcblk0 bs=512 seek=0 conv=notrunc
parted /dev/block/mmcblk0
Then type p and press enter and the output should look like this:
Code:
# parted /dev/block/mmcblk0
GNU Parted 1.8.8.1.179-aef3
Using /dev/block/mmcblk0
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
p
Model: MMC 016G92 (sd/mmc)
Disk /dev/block/mmcblk0: 15.8GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
1 524kB 67.6MB 67.1MB fat16 modem
2 67.6MB 68.2MB 524kB sbl1
3 68.2MB 68.7MB 524kB sbl2
4 68.7MB 70.8MB 2097kB sbl3
5 70.8MB 71.3MB 524kB tz
6 71.3MB 94.4MB 23.1MB boot
7 94.4MB 117MB 23.1MB recovery
8 117MB 118MB 799kB m9kefs1
9 118MB 119MB 799kB m9kefs2
10 119MB 120MB 799kB m9kefs3
11 120MB 121MB 524kB rpm
12 121MB 121MB 524kB aboot
13 121MB 122MB 524kB sbl2b
14 122MB 124MB 2097kB sbl3b
15 124MB 124MB 524kB abootb
16 124MB 125MB 524kB rpmb
17 125MB 125MB 524kB tzb
18 125MB 126MB 524kB metadata
19 126MB 143MB 16.8MB misc
20 143MB 159MB 16.8MB ext4 persist
21 159MB 1040MB 881MB ext4 system
22 1040MB 1627MB 587MB ext4 cache
23 1627MB 15.8GB 14.1GB ext4 userdata
24 15.8GB 15.8GB 524kB DDR
25 15.8GB 15.8GB 507kB grow
Notice that userdata partition is 14.1GB in size
In case parted reports an error I suggest to return back to the old 8G partition tables, see below.
You can close parted with simply typing quit.
Now reboot the phone into bootloader: type reboot and hold 'Up' button to enter bootloader menu.
Then type:
Code:
fastboot erase userdata
fastboot -w
Now again start the flash-all.bat in your folder.
Now you have your 16GB back
Return back to the old 8G partition tables:
In case parted reported an error, put the old 8G partition tables back. This should not happen but never say never:
Code:
/dd if=/system/sgpt8G.img of=/dev/block/mmcblk0 bs=512 seek=30777311 conv=notrunc
/dd if=/system/pgpt8G.img of=/dev/block/mmcblk0 bs=512 seek=0 conv=notrunc
Fix for Bluetooth and MAC adress:
For bluetooth:
- In /persist directory create bluetooth directory. Under the new directory create a file named .bdaddr (don't miss the dot!)
Edit the file and put 6 random characters in it. Even better, if you can do this in a hex editor and put 6 random bytes, not just printable characters.
- Set execute and read permissions for everybody on /persist/bluetooth directory and change owner of .bdaddr to bluetooth:bluetooth and permission to 660 (read/write for owner and group and nothing else). In command line:
Code:
chown root:root /persist/bluetooth
chmod 755 /persist/bluetooth
chown bluetooth:bluetooth /persist/bluetooth/.bdaddr
chmod 660 /persist/bluetooth/.bdaddr
For mac address:
- In /persist directory create wifi directory. In the new directory create a file named .macaddr (don't miss the dot!)
Edit the file and put 12 random hex numbers in it (0-9, A-F), save.
- Set execute and read permissions for everybody on /persist/wifi directory and change owner of .macaddr to wifi:wifi and permission to 660 (read/write for owner and group and nothing else). In command line:
Code:
chown root:root /persist/wifi
chmod 755 /persist/wifi
chown wifi:wifi /persist/wifi/.macaddr
chmod 660 /persist/wifi/.macaddr
- run /system/bin/conn_init program. Can be run in root explorer(choose Linux Script Handler when you open it), or in adb shell:
Code:
su
/system/bin/conn_init
Then reboot and check if the changes got applied in settings
Donate
Every $ helps me : Donate
Credits
Koush for his ADB Driver
Jhoopes517 for his tutorial to install LGNPST
FLYN's thread about unbricking a Nexus 4, because I got the parts for LGNPST from there
foil for his .tot files
Jbele for his picture from download mode xD
Google for the factory images
dvhexer for his guide to convert 8GB to 16GB

OK there's a problem: After using this method you get only 8GB and it seems like there's no fix for that
Does somebody know a solution?
PS: Yes, already tried that: http://forum.xda-developers.com/showthread.php?p=36673191#post36673191

Have you tried formatting data, not wipe, in recovery?

Try this: http://forum.xda-developers.com/showthread.php?t=2033692

meangreenie said:
Have you tried formatting data, not wipe, in recovery?
Click to expand...
Click to collapse
Yes.
RussianBear said:
Try this: http://forum.xda-developers.com/showthread.php?t=2033692
Click to expand...
Click to collapse
Mentioned it above, but forgot to remove postcount behind showthread, sry

nice!!
I know someone who can use this:
http://forum.xda-developers.com/showthread.php?t=2175663

I think I found a fix for the 8GB problem
But it needs a external sd so I need to make some changes
EDIT: Got it, I'll add this to the guide now

thanks !!!!!!!!!!!!!!!!!
I am from china.
i flash the 4.3 for s4.
and i know 2 person have the same problem like me in our forum.
SO happy i encounter the god-like person--you!
thanks a lot.
And i will quote your ways to save them, are you mind this?

tigerCHINA said:
I am from china.
i flash the 4.3 for s4.
and i know 2 person have the same problem like me in our forum.
SO happy i encounter the god-like person--you!
thanks a lot.
And i will quote your ways to save them, are you mind this?
Click to expand...
Click to collapse
Why on earth would you flash anything for the S4? I'm curious

Updated OP with Instructions to get your 16 GB back
tigerCHINA said:
I am from china.
i flash the 4.3 for s4.
and i know 2 person have the same problem like me in our forum.
SO happy i encounter the god-like person--you!
thanks a lot.
And i will quote your ways to save them, are you mind this?
Click to expand...
Click to collapse
No problem, it's there to help everyone
KiNG OMaR said:
Why on earth would you flash anything for the S4? I'm curious
Click to expand...
Click to collapse
Everyone does start as a beginner, one and a half year ago I thought there are universal ICS flashable zips (look here xD) , now look where I got

I wanna try 4.3 but i dont know i will fail
KiNG OMaR said:
Why on earth would you flash anything for the S4? I'm curious
Click to expand...
Click to collapse
I wanna try 4.3 but i dont know i will fail

Hi, thanks for your help. I have a Nexus 4 bricked, when a friend tried to flash Nexus 7 kernel. The phone is dead and have only a red blinking led. When i connect the nexus to my Windows 8, i see a DXUSB_ERROR (or something similar, i don't have now the phone). Do you think it will work your method?
Thanks
Regards
EDIT: I have no fastboot or download mode

cicciociccio333 said:
Hi, thanks for your help. I have a Nexus 4 bricked, when a friend tried to flash Nexus 7 kernel. The phone is dead and have only a red blinking led. When i connect the nexus to my Windows 8, i see a DXUSB_ERROR (or something similar, i don't have now the phone). Do you think it will work your method?
Thanks
Regards
EDIT: I have no fastboot or download mode
Click to expand...
Click to collapse
Hmmm....don't know, can you get into a download mode?
Give it a try, seems like you can't brick even more
Oh, didn't saw that edit.
No, without download mode you can't use this

Gigadroid said:
Oh, didn't saw that edit.
No, without download mode you can't use this
Click to expand...
Click to collapse
So i tought. That's a pity :'(

thanks for the guide! as i said you're my hero!! but i cant do the 16gb part. i think im doing something wrong first, i write the lines one by one right? second, when i type: cp /system/dd /
it says that cannot find the file, something like that. i have move the 3 files to /system of course. and no the dd file didnt renamed to dd.bin, i check it. can you help??

@OP,
Thanks a ton bro!!

johnxarma said:
thanks for the guide! as i said you're my hero!! but i cant do the 16gb part. i think im doing something wrong first, i write the lines one by one right? second, when i type: cp /system/dd /
it says that cannot find the file, something like that. i have move the 3 files to /system of course. and no the dd file didnt renamed to dd.bin, i check it. can you help??
Click to expand...
Click to collapse
Ignore, I was incorrect.

meangreenie said:
Lose the last space, it's a typo I believe. dd/ or just dd
Click to expand...
Click to collapse
thanks for the reply. but i dont understand you.. what part i must change to correct the code?
 @Gigadroid can you fix the typos in OP??

johnxarma said:
thanks for the guide! as i said you're my hero!! but i cant do the 16gb part. i think im doing something wrong first, i write the lines one by one right? second, when i type: cp /system/dd /
it says that cannot find the file, something like that. i have move the 3 files to /system of course. and no the dd file didnt renamed to dd.bin, i check it. can you help??
Click to expand...
Click to collapse
Yes, one by one.
Try to mount system partition, simply type:
Code:
mount /system
I'll add this to op
meangreenie said:
Lose the last space, it's a typo I believe. dd/ or just dd
Click to expand...
Click to collapse
It isn't a typo.
cp stands for copy, the first path says which file will be copied, the second path where it will be copied.
In this case we want the files in our root directory which is /

its very useful THX:good::good:

Maybe a working nvflash method

Maybe I am late by 3 years, but I got my hands on a zip file from LG called "P880 nvFlash tool(Recovery tool).zip".
It may can unbrick phones which happend to end up in APX (nvflash) mode.
There are two 2 type of bat files in it. 1 uses the regular nvlfash command like for optimus 2x and the other uses a blob file and also uses an encrypted bootloader and bct file.
My advice is to use the bat files from the "Final" folder if it's happen to work as it flashes the system.img boot.img and recovery.img too.
Here is the download link
And an image of the content
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

Hopeful signs
Never too late to post useful tools. I know I'd be a lot braver in experimenting if I knew I could recover from any possible screwup, and that is pretty much what this looks like.
I don't have windows and apparently didn't find the right nvflash executable for linux, but I came close. I am being very cautious and tried the minimal nvflash command I could think of, the --wait command, figuring it would be hard for THAT to hose me. Apparently it didn't but it also didn't quite work either.
Code:
# ./nvflash --blob blob.bin -w
Nvflash v1.13.87205 started
Using blob v1.1.57813
chip uid from BR is: 0x0000000000000000015d262e30281402
rcm version 0X30001
unknown bootrom version NvError 0x0
# ./nvflash -r --blob blob.bin --go
Nvflash v1.13.87205 started
[resume mode]
Using blob v1.1.57813
command failure: go failed
Considering that normally nvflash does absolutely nothing this tells me these files really do have the crypto 'mojo' for talking to the phone. So once I find a newer nvflash I'll play some more and report.
Update: That Chip uid matches the USB serial number so that proves beyond a doubt that nvflash is successfully communicating with the crypto enabled.

jmorris_42 said:
Never too late to post useful tools. I know I'd be a lot braver in experimenting if I knew I could recover from any possible screwup, and that is pretty much what this looks like.
I don't have windows and apparently didn't find the right nvflash executable for linux, but I came close. I am being very cautious and tried the minimal nvflash command I could think of, the --wait command, figuring it would be hard for THAT to hose me. Apparently it didn't but it also didn't quite work either.
Code:
# ./nvflash --blob blob.bin -w
Nvflash v1.13.87205 started
Using blob v1.1.57813
chip uid from BR is: 0x0000000000000000015d262e30281402
rcm version 0X30001
unknown bootrom version NvError 0x0
# ./nvflash -r --blob blob.bin --go
Nvflash v1.13.87205 started
[resume mode]
Using blob v1.1.57813
command failure: go failed
Considering that normally nvflash does absolutely nothing this tells me these files really do have the crypto 'mojo' for talking to the phone. So once I find a newer nvflash I'll play some more and report.
Update: That Chip uid matches the USB serial number so that proves beyond a doubt that nvflash is successfully communicating with the crypto enabled.
Click to expand...
Click to collapse
That sounds great.
Maybe you can try using the --getpartitiontable switch or read back a partition with the --read switch. Use the blob and the encrypted bootloader for that.
That two switch should not cause any problam to your device, normaly. But you may have heard that HTC One X gets stucked in APX mode if the user entered to that mode by accident. So anything can happen.
nvflash --blob blob.bin --bl bootloader.bin.encrypt --getpartitiontable partitions.txt --go
Or
nvflash --blob blob.bin --bl bootloader.bin.encrypt --read 8 SOS.img --go

bitdomo said:
nvflash --blob blob.bin --bl bootloader.bin.encrypt --getpartitiontable partitions.txt --go
Or
nvflash --blob blob.bin --bl bootloader.bin.encrypt --read 8 SOS.img --go
Click to expand...
Click to collapse
Code:
# nvflash --blob blob.bin --bl bootloader.bin.encrypt --getpartitiontable partitions.txt --go
Nvflash v1.13.87205 started
Using blob v1.1.57813
chip uid from BR is: 0x0000000000000000015d262e30281402
rcm version 0X30001
unknown bootrom version NvError 0x0
Code:
# nvflash --blob blob.bin --bl bootloader.bin.encrypt --read 8 SOS.img --go
Nvflash v1.13.87205 started
Using blob v1.1.57813
chip uid from BR is: 0x0000000000000000015d262e30281402
rcm version 0X30001
unknown bootrom version NvError 0x0
Nope, it throws out that unknown bootrom version and stops right there. Even better is that the version of NvFlash I'm running is newer than the one in the zip file you provide, which is v1.7.75664. Looks like I have to go find a Windows PC and see what happens on that. Good grief but the horror show that I just that is going to be.... usb driver heck. Long term, gotta make it work here if it going to be very useful but need to know where the trouble is.
Not giving up here, too close.

Total extraction achieved
After a few hours of Windows Update grinding because I hadn't booted that side of that machine for months.....
Victory is achieved. All partitions successfully extracted, including those not normally visible. Now moving them back to the Linux box for examination and comparing to what was extracted via adb from the running phone for a sanity check, but the sizes all match, etc. and this IS supposed to be LG's own recovery method for a bare metal rebuild from a replaced CPU on a motherboard so the only question was really the provenance of the info and that was already shown to be good.
So unless I am misunderstanding, here is where things now stand on this phone.
Other than blowing fuses that would kill unlocking the bootloader again or other OTP fuse games, there is nothing that can be done on this handset that can't now be undone. This NvFlash thing is in mask ROM inside the CPU die and it runs before anything else. So unless somebody is overclocking and melts the hardware or something really dumb this is now one of the safest platforms for experimentation.
The phone's flash could even be repartitioned to recover the space wasted on things we do not care about.
The one remaining downside is that the SBK is still controlling the boot so the bootloader itself can't be replaced with one with a more complete fastboot. Editing the boot parameters the LG bootloader passes to the kernel doesn't look possible either.

is this nvflash is for moto g

nickbella2 said:
is this nvflash is for moto g
Click to expand...
Click to collapse
Why would it be for moto g if I posted on the optimus 4x forums? Not mention moto g does not have tegra soc, it has qualcomm soc.

Is this something? I think it just might be...
Looking at the dump some more and got curious at the manual explaining how to lock up a newly replaced CPU. Noticed it didn't say anything about obtaining the correct SBK, it just said to click the button to lock it down. Hmm....
Running strings on the utility turns up this most interesting sequence:
Code:
Enter Com Port
Error In OpenCommPort
Port Number : %d
at%nvsbk=8nGOWzuvGa/5u55X5kVj5IR3kLx2OlI0111GqsMe7WcgXVg4
%s%c
Error In WriteCommPort
Error In ReadCommPort
Success
Fail
at%nvsbchk
Fused
Not Fused
So it looks like AT modem like commands over a serial port but there is nvsbk as a command option right before nvsbkchk which pretty much has to be a check command that can return Fused or Not Fused. Problem is if that string is base64 encoded it yields 288 bits and not the 256 that one would expect... unless there is some sort of checksum to make sure you send the right key? 256 + a 32bit CRC would be just right.
So the jewels just might have leaked out. Stay tuned, will be experimenting more but had to post this as breaking news. Will need the patented Ace of Spades HQ flaming skull if it actually works.

Status update, no joy yet.
Update time. Yes that base64 blob does indeed appear to be a 256 bit key with a crc32 tacked on the end. The help text on the nvsbktool command is unclear, showing only an example of a 128bit key but if I just expand the four 32bit hex entries out to 64 bit the command runs and produces output. The blob.bin I get is not the same size as LG's and the encrypted data isn't the same either. Tried reversing the bytes for endianness issues and no joy either.
Here is what I have tried:
Code:
wine nvsbktool.exe --sbk 0xf2718e5b3baf19af f9bb9e57e64563e4 847790bc763a5234 d75d46aac31eed67 --chip 0x30 --blob /tmp/blob.bin --bct flash.bct /tmp/flash.bct.encrypted --bl bootloader.bin /tmp/bootloader.bin.encrypted
and
Code:
wine nvsbktool.exe --sbk 0xaf19af3b5b8e71f2 e46345e6579ebbf9 34523a76bc907784 67ed1ec3aa465dd7 --chip 0x30 --blob /tmp/blob.bin --bct flash.bct /tmp/flash.bct.encrypted --bl bootloader.bin /tmp/bootloader.bin.encrypted
If someone running on WIndows could repeat those commands (from inside Final/nvflash within whereever you unpacked the nvflash-recovery zip) and ensure you get these md5sum hashes to ensure something isn't whacky based on my using wine to run a Window executable I'd appreciate it:
af7ff5a63c343fc8c6cbaf7e2adb9234 /tmp/blob.bin
2971d586cf91b31d962b6d201c5238e0 /tmp/bootloader.bin.encrypted
211ae3430281fc3890809bc464b8d5e5 /tmp/flash.bct.encrypted

Still digging....
jmorris_42 said:
Update time. Yes that base64 blob does indeed appear to be a 256 bit key with a crc32 tacked on the end. The help text on the nvsbktool command is unclear, showing only an example of a 128bit key but if I just expand the four 32bit hex entries out to 64 bit the command runs and produces output. The blob.bin I get is not the same size as LG's and the encrypted data isn't the same either. Tried reversing the bytes for endianness issues and no joy either.
Click to expand...
Click to collapse
No, this is a dead end. That utility seems to be talking to the modem but with a name like nvsbk there was a chance they were stashing the key over in the modem. A newly born or rebuilt unit has to obtain the key material somehow, wouldn't be the first time obfuscation was used in place of a really secure method. But that theory is busted because the source for the Tegra3 clearly shows the SBK field as 128 bits and not the 256 this key yields after the CRC is removed. So perhaps this key locks down the firmware in the modem? If so it probably isn't too interesting.
But the same questions remain as to how a repaired handset gets locked down. They are telling techs to just flash away and not worry about it when replacing the applications processor. So what if fastboot locks itself? Nobody was apparently ever supposed to get a clear text copy of it so what if it just looks to see if an sbk is set and if it isn't sets one and rewrites itself into the flash? That would put a copy of the key somewhere in that binary blob. A glance does show what appears to be HDMI HDCP keys. While we have an unencrypted copy it is really big blob of ARM assembly language to wade through.
Wonder... any reason I couldn't write a perl script to take walk along 32bits at a time and feed every 128 bit value to the command and see what that key gets compared to the known good encrypted copy? Probably talking about days of runtime but not nearly as much grinding as figuring out the raw assembly.

So can this method be used to unbrick the phone in apx mode?

Restoring Bricked o4x wiht APX mode via NVFLASH
punit9779 said:
So can this method be used to unbrick the phone in apx mode?
Click to expand...
Click to collapse
Yes, it can be done with this tool. I did it on my o4x - the tool is restoring the ics version v10b. You can extract the DZ file of any ics and overwrite the files in downloaded package to get v10h
Q/A flashing extracted v20.
Yes it can be flashed with it and even boot. But after first boot rom just hangs in a few seconds. After reseting the phone you stuck at LG logo. I gues it's a due blob file. Its only for ics, and we dont have iit for JB.

ya5 said:
Yes, it can be done with this tool. I did it on my o4x - the tool is restoring the ics version v10b. You can extract the DZ file of any ics and overwrite the files in downloaded package to get v10h
Q/A flashing extracted v20.
Yes it can be flashed with it and even boot. But after first boot rom just hangs in a few seconds. After reseting the phone you stuck at LG logo. I gues it's a due blob file. Its only for ics, and we dont have iit for JB.
Click to expand...
Click to collapse
But in the given bat files it doesnt give any command for flashing the system.img, so how does it flash the ics version v10b?

Hy ! Can you help me?
Folder 1 : (Encrypt) : data send failed NvError 0x120002
command failure: bootloader download failed (bad data)
Folder 1 : (Non-Ecrypt) : rcm version 0X4
Command send failed (usb write failed)
Final : Encrypt : data send failed NvError 0x120002
command failure: bootloader download failed (bad data)
Final : Non-Ecrypt : rcm version 0X4
Command send failed (usb write failed)

How do you extract the dz of v10h to img files? i tried with lgextract and dzextract but get errors...

[TOOL] KDZ and TOT Extractor
tsimon40 said:
How do you extract the dz of v10h to img files? i tried with lgextract and dzextract but get errors...
Click to expand...
Click to collapse
Please use search, for me works.
http://forum.xda-developers.com/showthread.php?t=2600575
---------- Post added at 01:04 PM ---------- Previous post was at 12:45 PM ----------
nfs32100 said:
Hy ! Can you help me?
Folder 1 : (Encrypt) : data send failed NvError 0x120002
command failure: bootloader download failed (bad data)
Folder 1 : (Non-Ecrypt) : rcm version 0X4
Command send failed (usb write failed)
Final : Encrypt : data send failed NvError 0x120002
command failure: bootloader download failed (bad data)
Final : Non-Ecrypt : rcm version 0X4
Command send failed (usb write failed)
Click to expand...
Click to collapse
Inside final folder run cmd line, and run bat files. Try both.
After error feedback reconnect usb cable to your phone, then run again bat file.
---------- Post added at 01:08 PM ---------- Previous post was at 01:04 PM ----------
punit9779 said:
But in the given bat files it doesnt give any command for flashing the system.img, so how does it flash the ics version v10b?
Click to expand...
Click to collapse
Thats for sure command to flash sth. isnt it ? It doesnt need to say im flashing img file. The best of it ist it just does
iside the BAT file.
nvflash --blob blob.bin --bct flash.bct.encrypt --setbct --configfile flash_encrypt.cfg --create --bl bootloader.bin.encrypt --go
pause

iside the BAT file.
nvflash --blob blob.bin --bct flash.bct.encrypt --setbct --configfile flash_encrypt.cfg --create --bl bootloader.bin.encrypt --go
pause
Click to expand...
Click to collapse
Remember what this info dump was intended for and things make more sense. The two scripts were intended for a tech replacing the flash chip or the Tegra3. If you run the one intended for a flash replacement it assumes the processor is still locked down so it uses the blob.bin and flashes the encrypted BCT, Partition table and the bootloader. Assuming the flash is actually new, all other partitions are empty. In this condition we can assume the bootloader will come up in one of the two recovery modes and the tech is expected to use their normal procedure to flash a .kdz. You aren't in that situation, you have stuff on the other partitions and if they were not bootable before they are unchanged.
However the normal kernel, recovery and system images are present so you could manually use nvflash to restore those as well. You will of course get an ICS version but it will be a working phone again and you can upgrade back up.

im stuck in S7W Upgrade mode and cant install the usb driver. can somebody tell me if this method will work when im stuck in s/W upgrade mode??

oops

yunsen said:
im stuck in S7W Upgrade mode and cant install the usb driver. can somebody tell me if this method will work when im stuck in s/W upgrade mode??
Click to expand...
Click to collapse
If you can still get to SW Upgrade mode I'd suggest sorting out the Windows issues and using that since upgrade mode is known to be reliable.

[TUTORIAL] How to unbrick Nexus 7 without blob.bin (REQUIRES ANOTHER NEXUS 7 2012)

Thanks to @Jirmd for letting me use his post as a reference.
Original post: https://forum.xda-developers.com/nexus-7/general/unbrick-nexus-7-tegra-3-device-t4078627
Alternative Method:
1. https://github.com/tofurky/tegra30_debrick
2. https://forum.xda-developers.com/t/...-without-another-n7-or-tegra30-device.4305955
(Both methods do not require another Nexus 7)
Requirements:
1. Linux-based OS (I use Ubuntu 18.04)
2. NvFlash and Wheelie (You can download the Linux version down below)
3. A USB cable (A good and sturdy one)
4. Nerve of steel lol
5. Must have APX driver installed.
6. Another Nexus 7 (Ask someone that have it or ask me)(MUST BE ROOTED AND HAVE TWRP RECOVERY INSTALLED)
7. ADB (platform-tools)
1. DUMP SBK VIA USB
Step 1: Download fusee-launcher for Nexus 7 from this link and extract it to a folder:
http://www.mediafire.com/file/sgwsa79idk24z8u/fusee-launcher-n7.zip/file
Step 2: Open a terminal inside of the folder then type:
Code:
sudo apt-get install python-usb python3-usb
Wait for it to complete. After that, type:
Code:
pip install pyusb
Step 3: Connect your device to a USB 3.0 port (REQUIRED). You can check for connection using "lsusb". There must be a "NVidia Corp" in the list.
Step 4: Type:
Code:
sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin
Something like this should appear:
Code:
05f4a5d01'
Stack snapshot: b'0000000000000000100000003c9f0040'
EndpointStatus_stack_addr: 0x40009f3c
ProcessSetupPacket SP: 0x40009f30
InnerMemcpy LR stack addr: 0x40009f20
overwrite_len: 0x00004f20
overwrite_payload_off: 0x00004de0
payload_first_length: 0x00004de0
overwrite_payload_off: 0x00004de0
payload_second_length: 0x0000c7b0
b'00a0004000300040e04d0000b0c70000'
Setting rcm msg size to 0x00030064
RCM payload (len_insecure): b'64000300'
Setting ourselves up to smash the stack...
Payload offset of intermezzo: 0x00000074
overwrite_payload_off: 0x00004de0
overwrite_len: 0x00004f20
payload_overwrite_len: 0x00004e5c
overwrite_payload_off: 0x00004de0
smash_padding: 0x00000000
overwrite_payload_off: 0x00004de0
Uploading payload...
txing 73728 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
txing 4096 bytes (20480 already sent) to buf[1] 0x40005000
txing 4096 bytes (24576 already sent) to buf[0] 0x40003000
txing 4096 bytes (28672 already sent) to buf[1] 0x40005000
txing 4096 bytes (32768 already sent) to buf[0] 0x40003000
txing 4096 bytes (36864 already sent) to buf[1] 0x40005000
txing 4096 bytes (40960 already sent) to buf[0] 0x40003000
txing 4096 bytes (45056 already sent) to buf[1] 0x40005000
txing 4096 bytes (49152 already sent) to buf[0] 0x40003000
txing 4096 bytes (53248 already sent) to buf[1] 0x40005000
txing 4096 bytes (57344 already sent) to buf[0] 0x40003000
txing 4096 bytes (61440 already sent) to buf[1] 0x40005000
txing 4096 bytes (65536 already sent) to buf[0] 0x40003000
txing 4096 bytes (69632 already sent) to buf[1] 0x40005000
txing 4096 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
Smashing the stack...
sending status request with length 0x00004f20
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!
b'4445414442454546'
DEADBEEF
b'3030303030303030'
00000000
b'3030303030303030'
00000000
b'3034303030303930'
04000090
b'4634314330433241'
F41C0C2A
b'3133333731333337'
13371337
b'3535353535353535'
55555555
b'3430303033303030'
40003000
b'3430303035303030'
40005000
b'4141414141414141'
AAAAAAAA
b'3131313131313131'
11111111
b'3030303030303236'
00000026
b'3232323232323232'
22222222
b'68656c6c6f2c20776f726c640a00'
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
Traceback (most recent call last):
File "./fusee-launcher.py", line 823, in <module>
buf = switch.read(USB_XFER_MAX)
File "./fusee-launcher.py", line 530, in read
return self.backend.read(length)
File "./fusee-launcher.py", line 134, in read
return bytes(self.dev.read(0x81, length, 3000))
File "/usr/local/lib/python3.6/dist-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/local/lib/python3.6/dist-packages/usb/_debug.py", line 60, in do_trace
return f(*args, **named_args)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Search for the line "hello, world" inside of your log. It looks like this in this example:
Code:
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
The last 8 characters are not your SBK. This is the first 8 numbers of your Device ID. Delete this and delete the b' at the start and also the ' at the end.
The result should look like this:
Code:
e57de3bab6cb499d874d5772cb219f01
Congratulation, you have successfully dump your device SBK via USB.
2. GETTING YOUR CPU UID
Step 1: Download Wheelie and NvFlash then extract it to a folder.
Step 2: Download this broken blob.bin file (REQUIRE)
http://www.mediafire.com/file/32cxvjv2wajokqf/blob.bin/file
Then place it inside of the Wheelie and NvFlash folder.
Step 3: Open a terminal inside of the folder then type:
Code:
./wheelie --blob blob.bin
After that, something like this should appear:
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
[=] Chip UID: 0x98254853062001158
[-] Incorrect SBK or SBK type selected. nverror: 0x4.
Search for "Chip UID", remove the "0x" at the beginning. The result should look like this:
Code:
98254853062001158
Congratulation, you got your chip UID
3. GENERATE BLOB FILES USING ANOTHER NEXUS 7
Step 1: Download MkNvfBlob from this link:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/precompiled/precompiledN7.tar.xz
Note: Extract this to your Nexus 7.
Step 1.1: Reboot into TWRP recovery.
Step 2: Open a terminal inside of you ADB folder then type:
Code:
adb shell
After that:
Code:
su
Type this command after that:
Code:
mkdir /AndroidRoot
Last one:
Code:
cat /proc/cpuinfo > /AndroidRoot/cpuinfo
Pull the cpuinfo file using this command:
Code:
adb pull /AndroidRoot
Note: You could copy your cpuinfo file to your PC using MTP (IDK how to do this so search Google lol)
Open your ADB folder and there should be a AndroidRoot folder with a cpuinfo file inside of it.
Open cpuinfo using a Text Editor. Something like this should be inside:
Code:
Processor : ARMv7 Processor rev 9 (v7l)
processor : 0
BogoMIPS : 1993.93
processor : 1
BogoMIPS : 1993.93
processor : 2
BogoMIPS : 1993.93
processor : 3
BogoMIPS : 1993.93
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
Hardware : grouper
Revision : 0000
Serial : 015d4a5f202c0401
Replace the Serial line with your Chip UID.
After that, place the cpuinfo file back to the /AndroidRoot folder on your device using this command:
Code:
adb push AndroidRoot /
After you are done, don't close the ADB windows.
Step 3: Download bootloader.xbt:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bootloaders/bootloader.grouper.XBT
And BCT for your device:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bct/n7.bct
And copy these two files to the /AndroidRoot folder on your device.
Step 4: Type this command on the ADB windows:
Code:
cd /AndroidRoot
After that, type:
Code:
chmod 777 ./mknvfblob
After that, type:
Code:
./mknvfblob -W -K <your SBK> --blob /AndroidRoot/test.blob --bctin /AndroidRoot/n7.bct --bctr /AndroidRoot/testr.bct --bctc /AndroidRoot/testc.bct --blin /AndroidRoot/bootloader.grouper.XBT --blout /AndroidRoot/test.ebt
Wait for it to do its job.
After that, go to your /AndroidRoot folder and copy all the file that just got generated (testr.bct, testc.bct. test.ebt, test.blob) to your PC using the adb pull command on Step 2
Congratulation, you have successfully generate blob for your bricked device.
4. UNBRICK YOUR DEVICE (The fun part )
Step 1: Boot your bricked device into APX mode either using Power button or Power + Vol UP.
Step 2: Open a terminal inside of the folder where you place your NvFlash folder (move the blob file inside of that folder, all of them)
Step 3: Open a terminal inside of your Wheelie and NvFlash folder. Type:
Code:
sudo ./nvflash --bl test.ebt --bct testr.bct --blob test.blob
If you got this command:
Code:
command error: no command found
Then try this one instead:
Code:
./nvflash --setbct --create --configfile <your flash.cfg> --bl test.ebt --bct testr.bct --blob test.blob
If you got the NvError, its fine.
Something like this should appear (the first command):
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d2bc285340e0f
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d2bc285340e0f
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: recovery.bct
- 6128/6128 bytes sent
recovery.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.ebt
- 2146912/2146912 bytes sent
bootloader.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
A Google Logo should appear on your device screen with the text "Battery is too low" on the upper left corner. Unplug the battery and replug it. After that, plug it into a wall charger for atleast 4 hour.
Step 4: Unplug the battery and boot into APX mode again using the button combination.
Step 5: Type this command while holding down the Vol DOWN button:
Code:
sudo ./nvflash --resume --download 8 boot.img
Replace "boot.img" with your ROM boot.img file. If you download another boot.img that isn't for your ROM, your device will bootloop.
Step 6:
Type:
Code:
sudo ./nvflash --resume --download 4 bootloader.img
Replace "bootloader.img" with your bootloader.img file name (You could get it inside of the Factory Image)
And after its done, your device should technically unbrick now. But I still recommend you re-flash stock ROM.
Step 7: The final step
Boot into your OS using the command below:
Code:
sudo ./nvflash --resume --go
If your device boot back into APX mode, maybe you have done something wrong. Try again.
If you got a Google logo on your device then congratulation! Your device is now unbricked.
Note: If step 7 didn't work, try booting this recovery image using this command:
Code:
fastboot boot flatline_grouper.img
Link for the recovery image is in the "Links" section.
Note: To get into Fastboot, add the "--go" line at the end of the command in Step 5
Code:
sudo ./nvflash --resume --download 8 boot.img --go
HOLD DOWN VOL DOWN while doing this command, you should get into fastboot at
After you are in the Flatline recovery, navigate to the "Advanced" section using the VOL buttons. Select it using the POWER button.
Select the "wheelie" at the end of the list.
Select "I agree".
After that, select "Step 1: Flash AndroidRoot.mobi custom bootloader." IGNORE Step 2 because it won't gonna work anyways.
Your device should reboot and the Google logo should appear, that means that your device is unbricked.
Note: If you wanted to flash stock ROM, open the "image-*******.zip" inside of the factory image and open the android-info.txt file. Edit the "require-bootloader" line to "4.13". After that, it should work.
Links:
flash.cfg: http://www.mediafire.com/file/j90hc1dfz58aytq/flashcfg.zip/file
flatline_grouper.img: https://www.mediafire.com/file/z1jvgy6km33f7bf/flatline_grouper.img/file
Wheelie, NvFlash and platform-tools (For ADB) (Works for both Linux and Windows): https://www.mediafire.com/file/0nuy4indgvagq3v/nvflash-and-platformtool.zip/file
Download the Factory Image for your Nexus 7 incase you want to re-flash stock ROM (nakasi or nakasig): https://developers.google.com/android/images#nakasi
That is. If you need any help, message me.
Update: After a few days of troubleshooting, fixing and updating my post, it seems like the step to unbrick your Nexus 7 2012 may depends on how did you brick it, what OS version you are running or the condition of your device. So you may have to "think outside the box" sometimes in this guide.
Update #2: Some helpful advice from @Jirmd with some minor change:
When you get this error :
Code:
Nvflash v1.10.76762 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d4a5f202c0401
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d4a5f202c0401
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 2
device config fuse: 17
sdram config strap: 1
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
after this command :
Code:
./nvflash --configfile flash.cfg --create --bct testr.bct --setbct --bl test.ebt --blob test.blob --sync
Probably you have broken your internal storage!
You can probably flash:
Bootloader image (bootloader.img)
Kernel image (boot.img)
Recovery image (recovery.img aka TWRP)
But you CAN'T flash a new system via TWRP or fastboot, because the bootloader or the recovery was unable to connect to the partitions table.
You can try this command to erase bad blocks:
Code:
./nvflash --resume --configfile flash.cfg --obliterate
Reboot to APX mode and try the above command again.
But, broken internal storage is pretty much unrepairable.
There is some possibility of disassembly your device and overheat your memory IC, but this method is not easy and need more technical skill.
And in my case this did not help.
Click to expand...
Click to collapse
In my case, this command also gives me the nverror 0x4 but it also did something to my Nexus 7 as it was required for the next step.
Update #3: Updated the guide and removed some unessacery steps.
Update #4: Updated.

Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.

Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk

zak4 said:
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk
Click to expand...
Click to collapse
You could manually create the folder if you have root. By using those Root File explorer on Google Play Store.
I recommend you using this one: https://play.google.com/store/apps/details?id=com.clearvisions.explorer
Open the app then go to the root section, create a new folder name: AndroidRoot
And you are good to go.
If the above method didnt work, type these command one by one:
Code:
adb shell
su
mount -o rw,remount /system
You can mount your /system back to Read-Only using this command:
Code:
mount -o ro,remount /system

GedBlake said:
Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.
Click to expand...
Click to collapse
Yes, I have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.

Deleted.

@enderzip
Thank you Enderzip. I succeeded the creation of AndroidRoot with the command for write permission on system.
I have another issue about extraction of SBK of my bricked Nexus 7. I prepared everything (download of fusee-launcher, pyusb installation ...), checked connection of my device through APX (see below) but when I type sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin I got :
[email protected]:~/Downloads/fusee-launcher-n7$ lsusb
Bus 002 Device 096: ID 058f:6362 Alcor Micro Corp. Flash Card Reader/Writer
Bus 002 Device 061: ID 0955:7330 NVIDIA Corp.
Bus 002 Device 004: ID 046d:0805 Logitech, Inc. Webcam C300
Bus 002 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
...
[email protected]:~/Downloads/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
sudo: ./fusee-launcher.py : command not found
Sorry to be blocked again.

@enderzip
I found a solution to my issue by allowing the "execution of the file as program" in the permissions of fusee-launcher.py file.
Fusee-launcher started but quickly stopped before application stack dumping : message delivered by fusee-launcher is to use USB 3.0 and I realized that I have only USB 2.0 on my old desk computer.
Does someone know how to patch EHCI driver ? Is it a possible solution ?
Thanks for your advice.

enderzip said:
Yes, i have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
Click to expand...
Click to collapse
enderzip, wow, you soo good and cool. I am totaly glad for this, how you make your tutorial. And we must give thanks for AndroidRoot team and Jenkinsen. Without this people, we all have only paperweight.
Now, i will try make my moded mknvfblob worked standalone. Without Tegra 3, only on linux X86 PC.
And, i will try make tutorial for nexus 7 , how boot linux from usb, without multiboot. ( For case, when is your internal storage totaly unreparable damaged.)

Deleted.

Thank you Enderzip. I will follow your advice and buy a USB 3.0 PCI Express card and try later.
Again many thanks to you and Jmrd for your tutorial that will enable us to revive our bricked Nexus 7.
Envoyé de mon Nexus 4 en utilisant Tapatalk

I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?

gormatrax said:
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
Click to expand...
Click to collapse
The boot.img is inside the .zip inside of the factory image. I think the name is "image-nz---.zip"

Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0

@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen

gormatrax said:
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
Click to expand...
Click to collapse
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.

enderzip said:
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
Click to expand...
Click to collapse
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...

gormatrax said:
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
Click to expand...
Click to collapse
Hmm, have you tried switching the USB port? Maybe the USB cable too.

steffenm82 said:
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen
Click to expand...
Click to collapse
Sorry for my late reply, in this case, try skipping to the next step.

I must say that @enderzip guide make my nexus 7 back on it´s feet despite not having previously generated blobs. After some days of research and some nights via PM and FB messenger he managed to bring my Nexus back on. So Yes @GedBlake he managed to unbrick a nexus 7 with no previous generated blobs. But the mentor of this tutorial was @Jirmd. In adittion, thanks to this 2 wonderful persons that make my Nexus 7 back to it´s gold years!!!