[Root]Greyhat Root SM-G925VVRS4CPI2 MM 6.0.1 - Verizon Samsung Galaxy S6 Edge

Update 5:3:2017
I have returned to this thread after a long absence.
I'm sorry. Really.
But I do still have my S6 g925v. I also have S3, S5, and S7 verizon devices.
I've been absent because I am not testing my theories only on the Verizon S6 edge specifically. I feel that as of right now much, much, progress has been made via development on the AT&T Note 5 platform.
I am hard at work. Reading as always when I can.
I won't give up on these devices no matter how many times they throw their malware my way.
They are my devices and I will use them if I want to.
I'm preparing a new thread that aims to organize all of the threads I've made across the last few months. There is just a lot of information I've had to learn on my own is all.
And I still don't have all the formal definitions yet.
But remember. I've had a virus twice now, that installs itself via a fake OTA system update.

Can't delete.

First off, I want to thank you for spending so much time on this root strategy. Reading everything, it seems like you have been living a nightmare. I am not a developer myself so I can only help by spreading the word of this thread. Many users and devs declared a root strategy dead, that is why I think you don't have many replies. @trailblazer101 seems like he is working on something similar, as you have previously stated. Have you messaged him or any other developers?

While it's hard to follow exactly what you've managed to do, I do hope you've been able to achieve root on later MM builds. Although from my experience that is nearly impossible (without eng-boot, or a modified kernel, etc), due to dm-verity. I can provide to you the ability for shell root, where you can dump the system partition or any other. Please PM me for details on that regard. I'll be able to test whatever you do manage to have.

Can't delete

Can't delete.

Can't delete

Can't delete

I just started messing with my verizon 6e. I am rooted still and wanted to understand all the awesome things you wrote about.
I used a root shell to get in:
[email protected]:/data/data/berserker.android.apps.sshdroid/home # df
Filesystem Size Used Free Blksize
/dev 1.3G 104.0K 1.3G 4.0K
/sys/fs/cgroup 1.3G 12.0K 1.3G 4.0K
/mnt/secure 1.3G 0.0K 1.3G 4.0K
/mnt/asec 1.3G 0.0K 1.3G 4.0K
/mnt/obb 1.3G 0.0K 1.3G 4.0K
/system 4.2G 1.6G 2.6G 4.0K
/efs 15.7M 288.0K 15.4M 4.0K
/cache 991.9M 4.1M 987.8M 4.0K
/data 112.6G 59.8G 52.8G 4.0K
/persdata/absolute 4.9M 112.0K 4.8M 4.0K
/sbfs 10.8M 8.0K 10.7M 4.0K
/firmware 86.0M 67.7M 18.2M 16.0K
/vzw 10.8M 8.0K 10.7M 4.0K
/mnt/shell/privatemode 112.6G 59.8G 52.8G 4.0K
/mnt/shell/knox-emulated 112.6G 59.8G 52.8G 4.0K
/mnt/shell/emulated 112.6G 59.8G 52.8G 4.0K
/storage/emulated 1.3G 0.0K 1.3G 4.0K
/storage/emulated/0 112.6G 59.8G 52.8G 4.0K
/storage/emulated/0/Android/obb 112.6G 59.8G 52.8G 4.0K
/storage/emulated/legacy 112.6G 59.8G 52.8G 4.0K
/storage/emulated/legacy/Android/obb 112.6G 59.8G 52.8G 4.0K
[email protected]:/data/data/berserker.android.apps.sshdroid/home # cd /
[email protected]:/ # ls -lad .
drwxr-xr-x 25 root root 0 Dec 23 00:36 .
[email protected]:/ # chmod 777 .
chmod: .: Read-only file system
OK, it's read-only, then I did this:
1|[email protected]:/ # mount -w -o remount /
[email protected]:/ # ls -lad .
drwxr-xr-x 25 root root 0 Dec 23 00:36 .
[email protected]:/ # chmod 777 .
[email protected]:/ # ls -lad
drwxrwxrwx 25 root root 0 Dec 23 00:36 .
Then I did the same thing to /system:
[email protected]:/ # ls -lad /system
drwxr-xr-x 28 root root 4096 Aug 16 19:54 /system
[email protected]:/ # chmod 777 /system
chmod: /system: Read-only file system
1|[email protected]:/ # mount -w -o remount /system
[email protected]:/ # chmod 777 /system
[email protected]:/ # ls -lad /system
drwxrwxrwx 28 root root 4096 Aug 16 19:54 /system
[email protected]:/ #
Now I can write to the / and system partition.
Where is the bootloader located? I would like to try to poke around to see if I find something.

Appreciation and offer to help
I just want to say thanks for all of your hard work so far and express my interest in this project going forward. I don't have much experience with finding root exploits or Android dev, but I have followed root procedures for several different phones and know my way around adb and the Linux shell in general. I am also a software engineer. If there is anything I can do to help, from beta testing to providing dumps, let me know. I have a rooted 925V running 5.0.2 OE2.

Can't delete.

Can't delete.

I am on this baseband, non rooted but happy to help

Can't delete.

Can't delete

Delgoth, why did you delete what you previously wrote? :/

Delgoth, we're anxiously waiting for good news from you!

I don't understand, why care what anyone says, we would all be happy for root

Because I put out some information without giving it its proper due. And I put out a repo full of some things, some did not want put out that way.
Because of it, I've ended up losing most of my own personal data and years of other research data.
Because nothing seemed so wrong until I went public about my initial infection to Verizon and XDA. Call me paranoid, but a lot of stuff happened on all my devices after I started this thread.
Every time I've breached one plateau, I've been hit with an attack forcing me to re setup & download just to go the next step. Only to have it happen over again.
The real problem being my Internet connection, and my original Android Development Environment is sized around 75GB for all the libraries and sources. So it's just been a long frustrating process this whole time.

Sorry to hear about this, I'm sure we are all grateful for what you've done, and if you continue your progress we would all be happy for a release


[Q] Can't install protected (app-private) apps

Hi
First things first:
PDA: I9000XWJM6
PHONE: I9000XXJM3
CSC: I9000OXAJM1
Rooted, CFLagFix applied if that matters.
I flashed it recently to the mentioned ROM. After the flash, I've got a strange problem when I'm trying to install any protected apps (ones which go to the app-private folder, I'm guessing they're all protected?). When I'm trying to install them, they report success in installing, but the default icon is used in the applications menu, and instead of the name I can see only the beginning part of the application's package. When I'm trying to launch, the launcher force closes.
Anyway, I tried to debug this problem. So here is what I've got, the example app is QR Contacts. First, relevant part of logcat file is attached.
As far as I can understand, it all starts with PackageManager being unable to move some files to app-private, and all the following warnings and errors happen because the file hadn't been moved, so it's not where it's supposed to be.
But then again: I adb shell'ed, and as root (and as system user) I CAN copy some files to this destination. Furthermore, here are my permissions for this folder:
Code:
# ls -l
drwxrwx--x system root 2010-09-16 16:44 gps
drwxrwx--t system misc 2010-09-15 12:08 misc
drwxrwx--x wifi wifi 2010-09-13 00:34 wifi
drwxrwx--x shell shell 2010-09-12 23:14 local
drwxrwx--x system system 2010-09-16 16:49 data
drwxrwx--x system system 2010-09-16 16:23 app-private
drwxrwx--x system system 2010-09-16 16:49 app
drwx------ root root 2010-09-15 22:56 property
drwxrwxrwx root root 2010-09-13 02:31 log
drwxrwxrwx root root 2010-09-15 22:54 dump
drwxrwx--x system system 2010-09-16 16:49 dalvik-cache
drwxrwx--- root root 2010-09-12 21:57 lost+found
drwxrwxrwx system system 2010-09-16 14:03 anr
drwxrwxr-x system system 2010-09-16 17:14 system
drwx------ system system 2010-09-12 21:58 backup
drwxrwxrwx system system 2010-09-16 16:45 cflf
drwxr-xr-x system system 2010-09-15 23:16 tombstones
As you can see, the same permissions are used for the app folder - and normal apps can be installed without problems. So, what about free space then?
Code:
# busybox df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 162.7M 0 162.7M 0% /dev
df: /mnt/.lfs: Function not implemented
tmpfs 4.0M 0 4.0M 0% /sqlite_stmt_journals
/dev/block/stl9 275.8M 269.1M 6.7M 98% /system
/dev/block/mmcblk0p2 1.9G 1.6G 250.5M 87% /data
/dev/block/stl10 127.2M 95.4M 31.8M 75% /dbdata
/dev/block/stl11 30.1M 2.2M 27.9M 7% /cache
/dev/block/stl3 5.9M 4.0M 1.9M 68% /efs
/dev/loop0 1.6G 447.9M 1.2G 27% /data/cflf/mount
/dev/loop0 1.6G 447.9M 1.2G 27% /data/app-private
/dev/loop0 1.6G 447.9M 1.2G 27% /data/app
/dev/loop0 1.6G 447.9M 1.2G 27% /data/dalvik-cache
/dev/loop0 1.6G 447.9M 1.2G 27% /data/data
/dev/loop0 1.6G 447.9M 1.2G 27% /data/system
/dev/loop1 93.9M 12.7M 81.2M 14% /dbdata/cflf/mount
/dev/loop1 93.9M 12.7M 81.2M 14% /dbdata/databases
/dev/block//vold/179:1
13.4G 1.7G 11.7G 13% /sdcard
/dev/block//vold/179:9
14.9G 13.8G 1.1G 93% /sdcard/sd
Clearly, I do have enough space, or so it appears.
So, right now I'm clueless. Googled for a couple of hours, searched this forum and found nothing. Does anyone have an idea what's causing this problem?
Same problem here, any solutions?
if you can download the .apk file you can install it from your SD card
even if you can not download them from Android Market because you are listed in an area of no valid

need help with app2sd badly.. pls

i think i managed to get the app2sd installed.
however i'm unable to confirm if it's working. it appears my /system/sd is there but when i went to /data/app and did a pwd
it appears the prompt still returns /data/app instead of /system/sd/app
anyone know what i did wrong and what i can do to address the symbolic link?
Thanks
# ./busybox df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 112.5M 0 112.5M 0% /dev
tmpfs 4.0M 16.0K 4.0M 0% /sqlite_stmt_journals
/dev/block/mtdblock6 175.6M 146.5M 29.2M 83% /system
/dev/block/mtdblock8 197.1M 58.0M 139.1M 29% /data
/dev/block/mtdblock7 106.0M 3.0M 103.0M 3% /cache
/dev/block/mtdblock5 8.8M 8.4M 328.0K 96% /cdrom
tmpfs 2.0M 24.0K 2.0M 1% /tmp
/dev/block/mtdblock0 1.5M 1.2M 268.0K 83% /pds
/dev/block/mmcblk0p2 984.3M 17.3M 917.0M 2% /system/sd
/dev/block//vold/179:1
13.7G 3.5M 13.7G 0% /sdcard
# cd /data/app
# pwd
/data/app

system dump

Hey guys,
Here's a dump of /system from the Google I/O GT10.1. Let me know if there's anything else you're interested in.
http://www.mediafire.com/?hmjy4w04u9cb4j4
smaskell said:
Hey guys,
Here's a dump of /system from the Google I/O GT10.1. Let me know if there's anything else you're interested in.
http://www.mediafire.com/?hmjy4w04u9cb4j4
EDIT: Haha fail wasn't even thinking.....
Thanks mate. Can you dump boot and recovery as well? Not even sure if you can, but...
I could if I knew where they were. Someone more knowledgeable than I would probably know where they usually are. Unfortunately, I cannot search the device because most standard commands are not available(find, grep, etc.)
smaskell said:
I could if I knew where they were. Someone more knowledgeable than I would probably know where they usually are. Unfortunately, I cannot search the device because most standard commands are not available(find, grep, etc.)
Cool. Thanks.
Have you tried adding busybox? I'm surprised that the root 'package' didn't include them. I think Titanium Backup will add it for you but not the symlinks AFAIK, so you need to prefix each command with busybox, e.g.:
Code:
busybox chmod +x <file>
it won't let me create a link to /system/bin/ because it's stuck at read only. I created a thread about this already, but does anyone know how to remount /system? I've tried the standard ways and they don't seem to work
This worked for me:
mount -o remount,rw /system
If all else fails, use Root Explorer to remount /system
Just thinking "out loud" here, but would it be fair to say that if someone could extract the boot and recovery images from these google 10.1's that they could be flashed onto a 10.1v with Odin or fastboot and allow the 10.1v to be rooted in the same way as the 10.1g?
That's what I'm hoping
ObsidianX said:
This worked for me:
mount -o remount,rw /system
wow, that was stupid of me. I was trying
mount -o remount,rw /dev/block/mmcblk0p4 /system
but obviously that isn't needed.
Thanks
alright, so I have busybox working
but all the tutorials I've found have said to use
cat /proc/mtd
to find out what to pull but for me, it just returns
dev: size erasesize name
also, they say to use
cat /dev/mtd/mtdX > /sdcard/mtdX.img
but /dev/mtd doesn't exist on this device
any ideas what I could be doing wrong?
smaskell said:
alright, so I have busybox working
but all the tutorials I've found have said to use
cat /proc/mtd
to find out what to pull but for me, it just returns
dev: size erasesize name
also, they say to use
cat /dev/mtd/mtdX > /sdcard/mtdX.img
but /dev/mtd doesn't exist on this device
any ideas what I could be doing wrong?
Stupid question, but you did do a
Code:
su
before running these commands?
Sometimes it's the simple things
it certainly wouldn't be the first time I'd missed something as blatantly obvious as that, but no I did remember this time. That's not to say that I'm not missing something else that should be completely obvious, but I did at least remember to run it as root.
smaskell said:
it certainly wouldn't be the first time I'd missed something as blatantly obvious as that, but no I did remember this time.
Haha - yeah, I've certainly been stumped by simpler things than that. Usually success is followed by a facepalm
Really appreciate your persistence with this!
Could you possibly post the output of:
Code:
adb shell mount
and
Code:
adb shell su ls -l /cache
You should see from this output which device is mounted as /cache and how the /cache/recovery is mounted/linked.
certainly
Code:
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p4 /system ext4 ro,relatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p5 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p8 /data ext4 rw,nosuid,nodev,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p1 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,data=ordered 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
Code:
drwxrwx--- root root 1969-12-31 16:00 lost+found
drwxrwx--- system cache 2011-05-11 23:38 recovery
in /cache/recovery/last_log, I see this(among other things)
Code:
recovery filesystem table
=========================
0 /tmp ramdisk (null) (null) '(null)' 0000 '(null)' 0
1 /efs ext4 /dev/block/mmcblk0p1 (null) '(null)' 0000 '(null)' 0
2 /recovery emmc /dev/block/mmcblk0p2 (null) '(null)' 0000 '(null)' 0
3 /boot emmc /dev/block/mmcblk0p3 (null) '(null)' 0000 '(null)' 0
4 /system ext4 /dev/block/mmcblk0p4 (null) '(null)' 0000 '(null)' 0
5 /cache ext4 /dev/block/mmcblk0p5 (null) '(null)' 0000 '(null)' 0
6 /data ext4 /dev/block/mmcblk0p8 (null) '(null)' 0000 '(null)' -16384
I'll try pulling mmcblk0p2 and 3
Edit: here they are. Hopefully this is what you were looking for
or not.. I tried uploading twice and both times it appeared to succeed but they're not showing up. let's try again.
still not working. let's try mediafire
http://www.mediafire.com/file/r37q8vluzshkdu8/boot.img
http://www.mediafire.com/file/bhi4q2wrqgl2ms5/recovery.img
Fantastic! Thanks again.
Downloading now although I just discovered I have blown my 120Gb/month allowance in 14 days so it may take a while to download at 256k
EDIT: smaskell, you are truly a champ! Recovery works on the 10.1v so I now have root!
Will be posting a guide here and asking all to thank smaskell
http://forum.xda-developers.com/showthread.php?t=1079781
smaskell said:
or not.. I tried uploading twice and both times it appeared to succeed but they're not showing up. let's try again.
still not working. let's try mediafire
http://www.mediafire.com/file/r37q8vluzshkdu8/boot.img
http://www.mediafire.com/file/bhi4q2wrqgl2ms5/recovery.img
You need to zip them. XDA only accepts ZIPs and media files for upload. Only discovered this myself yesterday
excellent! just glad I could help =]

Rooting the Captivate using the command line under Linux

I've tried just about every automated/one click/whatever method for rooting my spiffy new Captivate, and they all failed for one reason or another. I finally got it to work using adb & the command line. Here's how I did it. Oh, and before someone asks "Why didn't you just use Windoze?", it's because all my computers run Linux so that's not an option.
STANDARD DISCLAIMER: If you root your phone, the ceiling will collapse on your head and your family will die. No one should ever follow these instructions. In fact, I should probably be banned for even posting them.
MY SETUP:
Ubuntu 11.04 (natty)
Samsung Captivate i897, stock, KB2
AT&T
1. Download SuperOneClick
http://forum.xda-developers.com/showthread.php?t=803682
I used 1.9.5, only because another poster told me he had successfully rooted his Captivate using that specific version. This may also work with the files from a newer version; I don't see why it wouldn't.
2. Extract everything
Duh.
3. Put adblinux, psneuter, busybox, su-v2, and Superuser.apk in one directory.
I don't know that it has to specifically be su-v2, but that one worked for me, so huzzah.
4. Put the phone in USB debug mode; plug it in to your computer.
Settings -> Applications -> Development (check the box for USB debugging). Linux users need no drivers.
5. Open a terminal, cd into wherever you extracted the SOC files.
6. Let's dance:
Code:
./adblinux push psneuter /data/local/tmp
./adblinux push su-v2 /data/local/tmp
./adblinux push busybox /data/local/tmp
./adblinux shell
$ cd /data/local/tmp
Make everything you just pushed over executable:
Code:
$ chmod 6755 psneuter
$ chmod 6755 su-v2
$ chmod 6755 busybox
Run the exploit:
Code:
$ /data/local/tmp/psneuter
Running psneuter successfully kicked me out of the shell, so go back. You should also notice when you re-enter the shell that your prompt has changed from "$" to "#", indicating psneuter was successful. This also means you have root privileges, at least temporarily, for the rest of your work.
Code:
./adblinux shell
# mount
"mount" should spit out something that looks like this:
mount
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
/dev/block/stl6 /mnt/.lfs j4fs rw 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
none /dev/cpuctl cgroup rw,cpu 0 0
/dev/block/stl9 /system rfs ro,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block/mmcblk0p2 /data rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block/stl10 /dbdata rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block/stl11 /cache rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block/stl3 /efs rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block//vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000,gid=1015,fmask=0102,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
On your phone, that output might look a little different, but you're looking for the line in BOLD. In the example above, "/dev/block/stl9" is the mount point for "/system". If "mount" gives you a different mount point, then use that in the commands below. The stuff after that tells you the properties of "/system"; "ro" is the one we're concerned with. That tells us that "/system" is mounted as "read-only". We need to change that so we can move some files over.
Code:
# mount -o remount,rw /dev/block/stl9 /system
"/system" is now writable. Let's move some files over.
Code:
# /data/local/tmp/busybox cp /data/local/tmp/busybox /system/xbin
# chmod 6755 /system/xbin/busybox
# /data/local/tmp/busybox chown 0.2000 /system/xbin/busybox
A functional copy of busybox now resides at /system/xbin, so from now on you can just call it with "busybox" instead of having to use the full path to the one we pushed over earlier.
Code:
# busybox mv /data/local/tmp/su-v2 /system/xbin/su
# chmod 6755 /system/xbin/su
# busybox chown 0.2000 /system/xbin/su
# busybox ln -s /system/xbin/su /system/bin/su
IMPORTANT: Do not leave your "/system" mounted as read-write; change it back and exit the shell:
Code:
# mount -o remount,ro /dev/block/stl9 /system
# exit
$ exit
You should be back at your basic Linux command prompt now. Install the Superuser app.
Code:
./adblinux install Superuser.apk
7. Reboot your phone
When everything loads back up, you should have root privileges. Update BusyBox from the market. If everything went according to plan, when you try to install BusyBox you should get a prompt from the Superuser app asking if you want to grant the BusyBox installer superuser privileges. If so, everything worked the way it was supposed to, and you're now a 1337 [email protected]><0r or something.
8. Troubleshooting
Mine didn't take the first time for some reason. After reboot, I installed BusyBox and Titanium Backup, both of which failed to get root privileges. I went back into the phone with adblinux, remounted /system as rw, again set the privileges for "/system/xbin/su" to 6755, then remounted /system as ro and rebooted. It took the second time, so I'm assuming I may have typed something wrong.
Another thing I was keen to try is installing the Superuser app FIRST, then running the hacks to root the phone. The phone does not need to be rooted to install Superuser, only for it to work as designed. I am curious if "SU->root->reboot" would work the first time, instead of "Root->SU->Reboot->Re-Root->Reboot", which is how it's been working now. If I happen to reinstall and try this again, I'll update. If anyone else gives it a whirl, post a comment and I'll update accordingly.
I hope this helps someone else. Please comment below with questions/criticisms/flames.
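A host-side check of the point the guide stresses (do not leave /system mounted read-write), as an added example that is not part of the original post. It parses captured `mount` output in both formats that appear in this thread; the function names, the policy sets and the sample lines are constructed assumptions for a normally booted device.

```python
import re

# Constructed samples in the two formats seen in this thread:
# toolbox style  "device mountpoint fstype options 0 0"
# busybox style  "device on mountpoint type fstype (options)"
SAMPLE_TOOLBOX = """\
mount
rootfs / rootfs ro 0 0
/dev/block/stl9 /system rfs rw,vfat,llw,check=no 0 0
/dev/block/mmcblk0p2 /data rfs rw,nosuid,nodev,vfat,llw,check=no 0 0
"""
SAMPLE_BUSYBOX = """\
~ # mount
/dev/block/mmcblk0p7 on /cache type ext4 (rw,seclabel,relatime)
"""

BUSYBOX_RE = re.compile(r"^(\S+) on (\S+) type (\S+) \((.*)\)$")

# Assumed policy, modelled on the mount tables posted in this thread:
# system partitions read-only, writable data partitions nosuid + nodev.
READ_ONLY_EXPECTED = {"/", "/system"}
NOSUID_NODEV_EXPECTED = {"/data", "/dbdata", "/cache", "/efs"}


def parse_mounts(text):
    """Turn pasted `mount` output into a list of dicts, skipping noise."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BUSYBOX_RE.match(line)
        if m:
            device, mountpoint, fstype, options = m.groups()
        else:
            fields = line.split()
            if len(fields) < 4:
                continue  # echoed command, prompt or wrapped fragment
            device, mountpoint, fstype, options = fields[:4]
        if not mountpoint.startswith("/"):
            continue  # shell prompt lines end up here
        entries.append({
            "device": device,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return entries


def audit(entries):
    """Return (mountpoint, issue) pairs for entries that break the policy."""
    findings = []
    for e in entries:
        opts = e["options"]
        if e["mountpoint"] in READ_ONLY_EXPECTED and "ro" not in opts:
            findings.append((e["mountpoint"], "not mounted read-only"))
        if e["mountpoint"] in NOSUID_NODEV_EXPECTED:
            missing = sorted({"nosuid", "nodev"} - opts)
            if missing:
                findings.append((e["mountpoint"], "missing " + ",".join(missing)))
    return findings


if __name__ == "__main__":
    for name, sample in (("toolbox", SAMPLE_TOOLBOX), ("busybox", SAMPLE_BUSYBOX)):
        for mountpoint, issue in audit(parse_mounts(sample)):
            print(f"{name}: {mountpoint}: {issue}")
```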
Thanks bro, this is a very handy guide. I too use only Linux and it kills me how many people say ehh just install Windows it's easier. BLAAA is what I say. Great work, keep it coming...
tkienzle said:
Thanks bro, this is a very handy guide. I too use only Linux and it kills me how many people say ehh just install Windows it's easier. BLAAA is what I say. Great work, keep it coming...
I'm with you. I HATE hearing "just use Odin" or "you can buy a copy of Windoze for not much $$$!" If I wanted Windoze, I'd be using it already. If I could use Odin, I'd probably just follow the directions for that and not be asking questions about Heimdall.
+1 thanks. been running linux since 2002, wasn't looking forward to using a friends computer just to root a phone.

[Solved] /efs partition gone

Hello, [Solution lower in this thread]
My /EFS partition is gone. I dont know why, because I wasnt doing anything with my phone at that moment. Until this problem I was running cyanogenmod nightly. The battery was wasted I think because it feels slightly thicker than normal. I already replaced it.
I have an efs.img made with SA manager.
Symptoms:
Bootloop
Original recovery says:
Code:
E: failed to mount /efs (invalid argument)
I can get into recovery & download mode.
I can still flash philz custom recovery.
When in cwm I can still flash a zip with a rom, but it wont start.
These are the steps I tried to get my phone working again:
ODIN
Flashed stock jellybean with original pit file, and checked "clear efs" in odin 3.09.
Custom Recovery
Connected with ADB, and executed the following commands:
Code:
But as you can see that doesnt help much.
I tried several other things, but they boil down to the same. I used an aroma efs restore tool, but it just executes the dd command and fails the same way.
jogai said:
Hello,
My /EFS partition is gone. I dont know why, because I wasnt doing anything with my phone at that moment. Until this problem I was running cyanogenmod nightly. The battery was wasted I think because it feels slightly thicker than normal. I already replaced it.
I have an efs.img made with SA manager.
Symptoms:
Bootloop
Original recovery says:
Code:
E: failed to mount /efs (invalid argument)
I can get into recovery & download mode.
I can still flash philz custom recovery.
When in cwm I can still flash a zip with a rom, but it wont start.
These are the steps I tried to get my phone working again:
ODIN
Flashed stock jellybean with original pit file, and checked "clear efs" in odin 3.09.
Custom Recovery
Connected with ADB, and executed the following commands:
Code:
~ # mount
mount
rootfs on / type rootfs (rw)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,relatime,mode=600)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,seclabel,relatime)
tmpfs on /storage type tmpfs (rw,seclabel,relatime,mode=050,gid=1028)
tmpfs on /mnt/secure type tmpfs (rw,seclabel,relatime,mode=700)
tmpfs on /mnt/fuse type tmpfs (rw,seclabel,relatime,mode=775,gid=1000)
/dev/block/mmcblk0p7 on /cache type ext4 (rw,seclabel,relatime,user_xattr,barrier=1,journal_async_commit,data=ordered)
/dev/block/vold/259:3 on /storage/sdcard0 type vfat (rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_uime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)
~ # mke2fs /dev/block/mmcblk0p3
mke2fs /dev/block/mmcblk0p3
mke2fs 1.41.14 (22-Dec-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
160 inodes, 1280 blocks
64 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=1310720
1 block group
8192 blocks per group, 8192 fragments per group
160 inodes per group
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 27 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
~ # dd if=/storage/sdcard0/efs.img of=/dev/block/mmcblk0p3 bs=4096
dd if=/storage/sdcard0/efs.img of=/dev/block/mmcblk0p3 bs=4096
dd: writing '/dev/block/mmcblk0p3': No space left on device
321+0 records in
320+0 records out
1310720 bytes (1.3MB) copied, 0.035800 seconds, 34.9MB/s
~ # chown 1001:radio /efs/nv_data.bin
chown 1001:radio /efs/nv_data.bin
chown: /efs/nv_data.bin: No such file or directory
But as you can see that doesnt help much.
I tried several other things, but they boil down to the same. I used an aroma efs restore tool, but it just executes the dd command and fails the same way.
so hold on!
the dd is failing because the img file is larger than the partition
why?
https://github.com/CyanogenMod/andr...common/blob/cm-11.0/rootdir/fstab.smdk4210#L9
i dont have an exynos4 device, but it seems p1 is /efs. and you are flashing p3, wtf!!! its a miracle if the phone is not fully bricked!! also, was efs mounted while you dd'ed? that would have corrupted it! not to mention using chown on it.
seriously, please stop randomly touching things and be very sure of what you do next or you'll have an unrecoverable brick soon.
p2 and p3 seem to be the bootloaders:
https://gitlab.com/ameer1234567890/...part_layouts/raw/partlayout4nandroid.GT-N7000
so. have you tried rebooting the phone after this? do you still have recovery and download mode?
if so, you need to recover p3 somehow. google a method then ASK before doing anything.
go to recovery and adb shell to it.
use blockdev command to find out the sizes of partitions p1 p2 and p3.
compare it to the size of the alleged-efs.img file you have, which apparently may actually be anything but.
unmount everything from recovery, then you can just adb pull /dev/your/desired/partition.
(i havent seen this used anywhere in xda, but i use it all the time. easier than dd'ing)
get images of your current p1 p2 and p3.
check that p3 and alleged-efs.img match (except for size) to verify that p3 was actually overwritten.
check the contents of alleged-efs.img and verify that it actually is an efs partition image.
dont make any further changes, and post the result of EVERYTHING here
Yes. Can confirm p1 is EFS.
This is N7000 partition table print by parted.
Model: MMC VYL00M (sd/mmc)
Disk /dev/block/mmcblk0: 15.8GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
1 4194kB 25.2MB 21.0MB ext4 EFS
2 25.2MB 26.5MB 1311kB SBL1
3 27.3MB 28.6MB 1311kB SBL2
4 29.4MB 37.7MB 8389kB PARAM
5 37.7MB 46.1MB 8389kB KERNEL
6 46.1MB 54.5MB 8389kB RECOVERY
7 54.5MB 264MB 210MB ext4 CACHE
8 264MB 281MB 16.8MB MODEM
9 281MB 1174MB 893MB ext4 FACTORYFS
10 1174MB 3322MB 2147MB ext4 DATAFS
11 3322MB 15.2GB 11.9GB fat32 UMS
12 15.2GB 15.8GB 537MB ext4 HIDDEN
The efs backup image in my phone is about 20mb.
GL.
you havent answered my questions.
so. have you tried rebooting the phone after this? do you still have recovery and download mode?
go to recovery and adb shell to it.
use blockdev command to find out the EXACT sizes of partitions p1 p2 and p3.
or use any other command you want.
compare it to the EXACT size of the alleged-efs.img file you have.
apparently it might be a match for p1, which is good.
get images of your current p1 p2 and p3:
unmount everything from recovery, then you can just adb pull /dev/your/desired/partition.
(i havent seen this used anywhere in xda, but i use it all the time. easier than dd'ing)
this is another way to find the exact partition sizes by the way: looking at the image sizes
check that p3 and alleged-efs.img match (except for size) to verify that p3 was actually overwritten.
do you absolutely trust that your alleged-efs.img is a good efs backup? you can mount it read only in your linux pc and check the contents of it to verify that it actually is an efs partition image. or you can just be sure that it is the right image. or you can pm it to me and i can check that.
you can pm the 4 partition images so i can see whats going on.
i think the phone has two equal bootloader copies (because corruption means unrecoverable brick) and you borked one. that's why it might be still booting. we need to restore p3 asap. please google the subject and check my assumption if you can.
---------- Post added at 03:31 PM ---------- Previous post was at 02:35 PM ----------
of course if you are lazy you can just:
dd if=/storage/sdcard0/efs.img of=/dev/block/mmcblk0p1
or:
adb push your/pc/dir/efs.img /dev/block/mmcblk0p1
MAKE SURE that the efs partition is not mounted before doing those.
you dont need any kind of chown if the backup is ok.
you need to recover p3. it could be as simple as:
adb pull /dev/block/mmcblk0p2 sbl.img
adb push sbl.img /dev/block/mmcblk0p3
if the two copies are the same, BUT DONT DO ANYTHING UNTIL YOU ARE VERY SURE!
if you use, say, odin now, and the writing of p2 gets interrupted for any reason, there wont be p3 to boot! so device is bricked FOREVER. no recovery possible without JTAG. you need to fix this ASAP.
your first TO-DO: verify the assumption that p2 and p3 are supposed to be two bit-by-bit exact copies of the bootloader.
any rom that contains a bootloader is extremely dangerous to flash at this time. this includes stock.
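The checks the post above asks for before any write (exact partition size against image size, whether the alleged EFS image really holds an ext filesystem, and whether a p3 dump matches the start of that image), as an added example that is not part of any post in this thread. It runs on the PC against pulled files; the function names and the 20 MiB EFS size are assumptions, while 1310720 bytes is the size dd reports for p2/p3 in this thread.

```python
import os
import struct
import tempfile

SUPERBLOCK_OFFSET = 1024   # ext2/3/4 superblock starts 1024 bytes into the volume
EXT_MAGIC = 0xEF53         # s_magic value shared by ext2, ext3 and ext4


def read_ext_superblock(path):
    """Return block size and filesystem size, or None if no ext superblock."""
    with open(path, "rb") as f:
        f.seek(SUPERBLOCK_OFFSET)
        sb = f.read(64)
    if len(sb) < 58:
        return None
    (blocks,) = struct.unpack_from("<I", sb, 4)    # s_blocks_count, low 32 bits
    (log_bs,) = struct.unpack_from("<I", sb, 24)   # s_log_block_size
    (magic,) = struct.unpack_from("<H", sb, 56)    # s_magic
    if magic != EXT_MAGIC or log_bs > 6:
        return None
    block_size = 1024 << log_bs
    return {"block_size": block_size, "fs_bytes": blocks * block_size}


def preflight(image_path, partition_bytes, target_mounted):
    """List the reasons not to write image_path to a partition of that size.

    partition_bytes is what `blockdev --getsize64 <device>` reports for the
    target; target_mounted is whether the target shows up in `mount`.
    """
    problems = []
    image_bytes = os.path.getsize(image_path)
    sb = read_ext_superblock(image_path)
    if sb is None:
        problems.append("image has no ext2/3/4 superblock")
    elif sb["fs_bytes"] > image_bytes:
        problems.append("image is shorter than the filesystem it declares")
    if image_bytes > partition_bytes:
        problems.append("image is %d bytes larger than the partition"
                        % (image_bytes - partition_bytes))
    if target_mounted:
        problems.append("target partition is mounted")
    return problems


def dump_matches_image_prefix(dump_path, image_path, chunk=1 << 16):
    """True if a partition dump equals the first len(dump) bytes of the image,
    i.e. the partition was overwritten by a truncated write of that image."""
    dump_bytes = os.path.getsize(dump_path)
    if dump_bytes == 0 or dump_bytes > os.path.getsize(image_path):
        return False
    with open(dump_path, "rb") as dump, open(image_path, "rb") as image:
        while True:
            a = dump.read(chunk)
            if not a:
                return True
            if a != image.read(len(a)):
                return False


def make_sample_image(path, total_bytes, log_block_size=0):
    """Write a constructed, zero-filled image carrying only an ext superblock."""
    block_size = 1024 << log_block_size
    sb = bytearray(64)
    struct.pack_into("<I", sb, 4, total_bytes // block_size)
    struct.pack_into("<I", sb, 24, log_block_size)
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    with open(path, "wb") as f:
        f.write(b"\0" * total_bytes)
        f.seek(SUPERBLOCK_OFFSET)
        f.write(sb)


if __name__ == "__main__":
    SBL_BYTES = 1310720            # p2/p3 size per the dd output in this thread
    EFS_BYTES = 20 * 1024 * 1024   # assumption; parted rounds p1 to 21.0MB
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "efs.img")
        make_sample_image(image, EFS_BYTES)
        print("write to p3:", preflight(image, SBL_BYTES, False))
        print("write to p1:", preflight(image, EFS_BYTES, False))
```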
Thanks for your concern!
I got my instructions from here: http://techbeasts.com/2013/11/29/how-to-restore-and-back-up-efs-data-on-samsung-galaxy-devices/
That's why I was trying p3. The aroma backup tool did try the same partition.
I tried all this several times, and tried to odin flash several times. The phone is still not bricked and I still can get to download & recovery just fine.
I'm at work now, but will post my findings asap.
jogai said:
Thanks for your concern!
I got my instructions from here: http://techbeasts.com/2013/11/29/how-to-restore-and-back-up-efs-data-on-samsung-galaxy-devices/
That's why I was trying p3. The aroma backup tool did try the same partition.
I tried all this several times, and tried to odin flash several times. The phone is still not bricked and I still can get to download & recovery just fine.
I'm at work now, but will post my findings asap.
I would try to restore efs first to see how it goes. I suspect SBL2 maybe not important!
forest1971 said:
I would try to restore efs first to see how it goes. I suspect SBL2 maybe not important!
SBL2 is probably the 2nd copy of the bootloader. if SBL1 gets damaged (eg: interrupted odin) the phone is bricked and unbrickable, except by taking it to a JTAG house.
if you are not going to research this, at least copy p2 over p3:
adb pull /dev/block/mmcblk0p2 sbl.img
adb push sbl.img /dev/block/mmcblk0p3
Code:
~ # dd if=/dev/block/mmcblk0p2 of=sdcard/sbl1.img
dd if=/dev/block/mmcblk0p2 of=sdcard/sbl1.img
2560+0 records in
2560+0 records out
1310720 bytes (1.3MB) copied, 0.400897 seconds, 3.1MB/s
~ # dd if=/dev/block/mmcblk0p3 of=sdcard/sbl3.img
dd if=/dev/block/mmcblk0p3 of=sdcard/sbl3.img
2560+0 records in
2560+0 records out
1310720 bytes (1.3MB) copied, 0.161615 seconds, 7.7MB/s
Result:
https://filetea.me/t1sxlmPdQ9xSe2qh94HX82wMQ
https://filetea.me/t1sVUTXpxrWQ2mRSIx600aCqg
Code:
~ # dd if=sdcard/efs.img of=/dev/block/mmcblk0p1
dd if=sdcard/efs.img of=/dev/block/mmcblk0p1
40960+0 records in
40960+0 records out
20971520 bytes (20.0MB) copied, 6.726656 seconds, 3.0MB/s
Seems to work!
Code:
~ # mkdir /efs
mkdir /efs
~ # busybox mount -w -t ext4 /dev/block/mmcblk0p1 /efs
busybox mount -w -t ext4 /dev/block/mmcblk0p1 /efs
I think it's strange I had to make /efs, and after reboot it seems gone:
Code:
~ # mount
mount
rootfs on / type rootfs (rw)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,relatime,mode=600)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,seclabel,relatime)
tmpfs on /storage type tmpfs (rw,seclabel,relatime,mode=050,gid=1028)
tmpfs on /mnt/secure type tmpfs (rw,seclabel,relatime,mode=700)
tmpfs on /mnt/fuse type tmpfs (rw,seclabel,relatime,mode=775,gid=1000)
/dev/block/mmcblk0p7 on /cache type ext4 (rw,seclabel,relatime,user_xattr,barrier=1,journal_async_commit,data=ordered)
While in fstab.smdk4210:
Code:
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags and options> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
# data partition must be located at the bottom for supporting device encryption
/dev/block/mmcblk0p9 /system ext4 ro,noatime wait
/dev/block/mmcblk0p7 /cache ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check_spo
/dev/block/mmcblk0p1 /efs ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check_spo
/dev/block/mmcblk0p10 /data ext4 noatime,nosuid,nodev,discard,noauto_da_alloc,journal_async_commit,errors=panic wait,check_spo,encryptable=/efs/metadata
/dev/block/mmcblk0p12 /preload ext4 noatime,nosuid,nodev,journal_async_commit wait
# vold-managed volumes ("block device" is actually a sysfs devpath)
/devices/platform/dw_mmc/mmc_host/mmc0/mmc0 auto auto defaults voldmanaged=sdcard0:11,nonremovable,noemulatedsd
/devices/platform/s3c-sdhci.2/mmc_host/mmc1 auto auto defaults voldmanaged=sdcard1:auto
/devices/platform/s3c_otghcd/usb auto auto defaults voldmanaged=usbdisk0:auto
# recovery
/dev/block/mmcblk0p5 /boot emmc defaults recoveryonly
/dev/block/mmcblk0p6 /recovery emmc defaults recoveryonly
/dev/block/mmcblk0p8 /modem emmc defaults recoveryonly
Odin'd & working again!
Many thanks to everyone who wanted to help this dumbass out! Much appreciated!
I think it's strange I had to make /efs, and after reboot it seems gone:
Code:
~ # mount
mount
rootfs on / type rootfs (rw)
/ is rootfs, which is a special instance of tmpfs (which is a ram drive). nothing you put in / will survive a reboot.
