Database Develop

[Q] Loop in bootanimation after update to CROMi-X 7.0.2

Hi to everyone.
I was updating my tab to the latest version of the ROM of sbdags.
Everything was fine until i reboot the tab to use it for the first time: loop in the boot animation and never come out from it.
I came from the previous version of the rom, the Cromi-x 6.1 with 10.26.1.18 bootloader.
The process i use to update was this:
1) wipe of data/factory reset, wipe with format /boot, wipe with format /system
2) Install the CWM recovery 6.0.5.0 and update the bootloader to 11.4.1.17 by flashing they with the file that you can find in the rom page.
3) repeat point 1
4) install the rom by flashing it from an SD. Complete the Aroma installer and answer to every option that it ask to me.
5) reboot the system and stuck in the bootanimation
I use the WW format cause i'm italian and i check the md5
What's wrong? I can go to recovery everytime i need and i have a backup just in case i need it.
Sdbags, i really want to offer you a beer for your work. I think i will do it in every case, but yes, kitkat on my tab would be great :victory:
Sorry for bad english. For every question, i'm here. Thanks a lot.
M.

aMachi said:
Hi to everyone.
I was updating my tab to the latest version of the ROM of sbdags.
Everything was fine until i reboot the tab to use it for the first time: loop in the boot animation and never come out from it.
I came from the previous version of the rom, the Cromi-x 6.1 with 10.26.1.18 bootloader.
The process i use to update was this:
1) wipe of data/factory reset, wipe with format /boot, wipe with format /system
2) Install the CWM recovery 6.0.5.0 and update the bootloader to 11.4.1.17 by flashing they with the file that you can find in the rom page.
3) repeat point 1
4) install the rom by flashing it from an SD. Complete the Aroma installer and answer to every option that it ask to me.
5) reboot the system and stuck in the bootanimation
I use the WW format cause i'm italian and i check the md5
What's wrong? I can go to recovery everytime i need and i have a backup just in case i need it.
Sdbags, i really want to offer you a beer for your work. I think i will do it in every case, but yes, kitkat on my tab would be great :victory:
Sorry for bad english. For every question, i'm here. Thanks a lot.
M.
Click to expand...
Click to collapse
Don't do step 3. Try it again please.
Try the default options first.

sbdags said:
Don't do step 3. Try it again please.
Try the default options first.
Click to expand...
Click to collapse
If default option are those who are pre-selected on the aroma installer i've already try it.
Also i try to do it without point 3. Nothing
Here a log of the installation of the rom
AROMA INSTALLER version 2.56
(c) 2012 by amarullz xda-developers
ROM Name : CROMi-Xenogenesis KitKat
ROM Version : 7.0.2 DEODEX
ROM Author : sbdags
Device : Asus Transformer TF701T
Start at : Mon Aug 25 20:30:02 2014
Thank you for installing CROMi-Xenogenesis KitKat 4.4.2!
Sit back and relax...
-----------------------------------------------------
This will take a few minutes!
Preparing File System...
about to run program [/sbin/umount] with 3 args
umount: can't umount /system: Invalid argument
run_program: child exited with status 1
about to run program [/sbin/umount] with 3 args
Formatting System....
Creating filesystem with parameters:
Size: 2147483648
Block size: 4096
Blocks per group: 32768
Inodes per group: 8192
Inode size: 256
Journal blocks: 8192
Label:
Blocks: 524288
Block groups: 16
Reserved block group size: 127
Created filesystem with 11/131072 inodes and 17193/524288 blocks
Tuning System....
about to run program [/tmp/tune2fs.ext4] with 6 args
tune2fs 1.41.12 (17-May-2010)
Tuning Data - Journaling Enabled.....
about to run program [/tmp/tune2fs.ext4] with 6 args
tune2fs 1.41.12 (17-May-2010)
Wiping Cache.....
Installing Core System.....
Installing Options...
Region Specific Files
- TF701 WW Build
Kernel Preparation
- sbdag's 11.4.1.17 Stock Modded Kernel
package_extract_file: no extras/kernel/sbmodded/701sb3.img in package
DPI Preparation
- 320 DPI
Resolution Preparation
- 2560x1600 res
Boot Animation
- Google Android-L
Launcher
- Asus Stock Launcher
Asus Apps 1
- Asus Email
- Asus Desk Clock & Widget
- Asus Weather & Time Widget
- Asus Splendid
- Asus Calculator
- Asus MyDictionary
- Asus Studio
Asus Apps 2
Google Apps 1
- Google Calendar
- Google Now and Voice Search
- Google Music
- News and Weather Genie
- YouTube
- Maps
- Hangouts
Google Apps 2
- Google Chrome
- Google Drive Docs
Misc Apps
- ES File Explorer
- AdAway installed
- Keyboard Manager
- Terminal Emulator
- Polaris Office
Installing CROMi-X System Tweaks.....
about to run program [/tmp/cromix-build-prop.sh] with 1 args
Tweaks and Scripts
- Browser2RAM enabled
- Ad Blocker enabled
- Zip Align Script installed
- Keyboard Dock Remapping installed
Building symlinks.....
Setting permissions.....
Installing BusyBox.....
about to run program [/system/xbin/busybox] with 4 args
Setting ROOT.....
DRM Options
- Google Video & Hulu+ DRM
Installing build.prop
about to run program [/sbin/sh] with 2 args
about to run program [/sbin/sh] with 2 args
Finalising ROM
about to run program [/sbin/umount] with 3 args
---------------------------------------
All Done!
Don't forget to follow @sbdags on Twitter
If you like it please donate to [email protected] on paypal
Enjoy CROMi-X!
script succeeded: result was [Enjoy CROMi-X!]
Installer Sucessfull (Status 0)
I don't know if this can be helpful, but if i restore the backup of the previous version of the rom everything work fine. I'm reading the discussion of the guy with the partition problem and i was wondering if maybe the problem was the same, but i don't think it.
Another time, sorry for bad english and thanks for all your work sdbags.
M.

That log is fine - everything is installed.
Read out the bootloader version from the bootloader screen to double check please.
Also you are rebooting after installing the bootloader and cwm package aren't you?
aMachi said:
If default option are those who are pre-selected on the aroma installer i've already try it.
Also i try to do it without point 3. Nothing
Here a log of the installation of the rom
AROMA INSTALLER version 2.56
(c) 2012 by amarullz xda-developers
ROM Name : CROMi-Xenogenesis KitKat
ROM Version : 7.0.2 DEODEX
ROM Author : sbdags
Device : Asus Transformer TF701T
Start at : Mon Aug 25 20:30:02 2014
Thank you for installing CROMi-Xenogenesis KitKat 4.4.2!
Sit back and relax...
-----------------------------------------------------
This will take a few minutes!
Preparing File System...
about to run program [/sbin/umount] with 3 args
umount: can't umount /system: Invalid argument
run_program: child exited with status 1
about to run program [/sbin/umount] with 3 args
Formatting System....
Creating filesystem with parameters:
Size: 2147483648
Block size: 4096
Blocks per group: 32768
Inodes per group: 8192
Inode size: 256
Journal blocks: 8192
Label:
Blocks: 524288
Block groups: 16
Reserved block group size: 127
Created filesystem with 11/131072 inodes and 17193/524288 blocks
Tuning System....
about to run program [/tmp/tune2fs.ext4] with 6 args
tune2fs 1.41.12 (17-May-2010)
Tuning Data - Journaling Enabled.....
about to run program [/tmp/tune2fs.ext4] with 6 args
tune2fs 1.41.12 (17-May-2010)
Wiping Cache.....
Installing Core System.....
Installing Options...
Region Specific Files
- TF701 WW Build
Kernel Preparation
- sbdag's 11.4.1.17 Stock Modded Kernel
package_extract_file: no extras/kernel/sbmodded/701sb3.img in package
DPI Preparation
- 320 DPI
Resolution Preparation
- 2560x1600 res
Boot Animation
- Google Android-L
Launcher
- Asus Stock Launcher
Asus Apps 1
- Asus Email
- Asus Desk Clock & Widget
- Asus Weather & Time Widget
- Asus Splendid
- Asus Calculator
- Asus MyDictionary
- Asus Studio
Asus Apps 2
Google Apps 1
- Google Calendar
- Google Now and Voice Search
- Google Music
- News and Weather Genie
- YouTube
- Maps
- Hangouts
Google Apps 2
- Google Chrome
- Google Drive Docs
Misc Apps
- ES File Explorer
- AdAway installed
- Keyboard Manager
- Terminal Emulator
- Polaris Office
Installing CROMi-X System Tweaks.....
about to run program [/tmp/cromix-build-prop.sh] with 1 args
Tweaks and Scripts
- Browser2RAM enabled
- Ad Blocker enabled
- Zip Align Script installed
- Keyboard Dock Remapping installed
Building symlinks.....
Setting permissions.....
Installing BusyBox.....
about to run program [/system/xbin/busybox] with 4 args
Setting ROOT.....
DRM Options
- Google Video & Hulu+ DRM
Installing build.prop
about to run program [/sbin/sh] with 2 args
about to run program [/sbin/sh] with 2 args
Finalising ROM
about to run program [/sbin/umount] with 3 args
---------------------------------------
All Done!
Don't forget to follow @sbdags on Twitter
If you like it please donate to [email protected] on paypal
Enjoy CROMi-X!
script succeeded: result was [Enjoy CROMi-X!]
Installer Sucessfull (Status 0)
I don't know if this can be helpful, but if i restore the backup of the previous version of the rom everything work fine. I'm reading the discussion of the guy with the partition problem and i was wondering if maybe the problem was the same, but i don't think it.
Another time, sorry for bad english and thanks for all your work sdbags.
M.
Click to expand...
Click to collapse

sbdags said:
That log is fine - everything is installed.
Read out the bootloader version from the bootloader screen to double check please.
Also you are rebooting after installing the bootloader and cwm package aren't you?
Click to expand...
Click to collapse
When i install cwm and bootloader package i reboot from cwm but i stuck in boot animation. The same that happen when i try to reboot after install the rom.
In bootloader screen i read
Android macallan-user BL released by WW_epad-11.4.1.17-20140711

aMachi said:
When i install cwm and bootloader package i reboot from cwm but i stuck in boot animation. The same that happen when i try to reboot after install the rom.
In bootloader screen i read
Android macallan-user BL released by WW_epad-11.4.1.17-20140711
Click to expand...
Click to collapse
Right and then you boot back to CWM, do a full wipe (you may need to wipe your internal sdcard so back it up first) and then flash the rom. After that it should boot fine.
If not please search xda for how to get a logcat and post one of it bootlooping please.

sbdags said:
Right and then you boot back to CWM, do a full wipe (you may need to wipe your internal sdcard so back it up first) and then flash the rom. After that it should boot fine.
If not please search xda for how to get a logcat and post one of it bootlooping please.
Click to expand...
Click to collapse
I try the first thing that you say but nothing, still loop in bootanimation.
I'll do a logcat through adb in the afternoon. Now i had some problem cause i can't mount usb storage through cwm for some reason. Late i'll find drivers or what's missing.
Maybe can help: when i reboot frequently cwm ask me if i want to fix root. It's normal?
Thanks you for your help.

aMachi said:
I try the first thing that you say but nothing, still loop in bootanimation.
I'll do a logcat through adb in the afternoon. Now i had some problem cause i can't mount usb storage through cwm for some reason. Late i'll find drivers or what's missing.
Maybe can help: when i reboot frequently cwm ask me if i want to fix root. It's normal?
Thanks you for your help.
Click to expand...
Click to collapse
That message is normal. Just a bug in CWM.
We need to find why you are bootlooping.

sbdags said:
That message is normal. Just a bug in CWM.
We need to find why you are bootlooping.
Click to expand...
Click to collapse
Ok, logcat is here.
Hope it can help.

aMachi said:
Ok, logcat is here.
Hope it can help.
Click to expand...
Click to collapse
OK You got some serious problems there. It would appear that your internal sdcard doesn't mount:
Code:
D/Vold ( 359): Volume sdcard state changing -1 (Initializing) -> 0 (No-Media)
D/Vold ( 359): *********** Success!! "ro.epad.mount_point.sdcard=/mnt/media_rw/sdcard"
D/Vold ( 359): Volume usbdrive state changing -1 (Initializing) -> 0 (No-Media)
D/Vold ( 359): *********** Success!! "ro.epad.mount_point.usbdrive=/mnt/media_rw/usbdrive"
I/Vold ( 359): opening the sysfs of TF701
E/Vold ( 359): lookupVolume usbdisk1 failed!
E/Vold ( 359): lookupVolume usbdisk2 failed!
E/Vold ( 359): lookupVolume sdreader failed!
D/Vold ( 359): checkUsbdisk sucess.
D/DirectVolume( 359): i:0 minor:48
D/Vold ( 359): Volume sdcard state changing 0 (No-Media) -> 2 (Pending)
D/DirectVolume( 359): i:1 minor:49
D/Vold ( 359): Volume sdcard state changing 2 (Pending) -> 1 (Idle-Unmounted)
@lj50036, @_that any suggestions for this one?
@aMachi - what is the SKU of your device? And you can restore a nandroid back to 4.3 and it works fine?

sbdags said:
OK You got some serious problems there. It would appear that your internal sdcard doesn't mount:
Code:
D/Vold ( 359): Volume sdcard state changing -1 (Initializing) -> 0 (No-Media)
D/Vold ( 359): *********** Success!! "ro.epad.mount_point.sdcard=/mnt/media_rw/sdcard"
D/Vold ( 359): Volume usbdrive state changing -1 (Initializing) -> 0 (No-Media)
D/Vold ( 359): *********** Success!! "ro.epad.mount_point.usbdrive=/mnt/media_rw/usbdrive"
I/Vold ( 359): opening the sysfs of TF701
E/Vold ( 359): lookupVolume usbdisk1 failed!
E/Vold ( 359): lookupVolume usbdisk2 failed!
E/Vold ( 359): lookupVolume sdreader failed!
D/Vold ( 359): checkUsbdisk sucess.
D/DirectVolume( 359): i:0 minor:48
D/Vold ( 359): Volume sdcard state changing 0 (No-Media) -> 2 (Pending)
D/DirectVolume( 359): i:1 minor:49
D/Vold ( 359): Volume sdcard state changing 2 (Pending) -> 1 (Idle-Unmounted)
@lj50036, @_that any suggestions for this one?
@aMachi - what is the SKU of your device? And you can restore a nandroid back to 4.3 and it works fine?
Click to expand...
Click to collapse
i've some problem to find the SKU code. I search on the box of the tablet but there are too many codes and i don't know what's the right. Can you give me an exemple of it?
Yes, i can restore to 4.3. In this right moment i'm writing with the tab with cromix 6. Everything seems to work fine.
In case like this you really know how much important is to do a backup..

aMachi said:
i've some problem to find the SKU code. I search on the box of the tablet but there are too many codes and i don't know what's the right. Can you give me an exemple of it?
Yes, i can restore to 4.3. In this right moment i'm writing with the tab with cromix 6. Everything seems to work fine.
In case like this you really know how much important is to do a backup..
Click to expand...
Click to collapse
SKU is just your country code - so if you have changed it it could be causing issues with the clean install.
US, WW, TW, CN, JP are the only 5 I know of.
So if you changed the bootloader from US to WW I heard another user reporting some issues.
But in your case I am at a loss as to how you can boot 4.3 but not 4.4.2 as you are apparently on a 4.4.2 compatible bootloader and recovery .......

sbdags said:
SKU is just your country code - so if you have changed it it could be causing issues with the clean install.
US, WW, TW, CN, JP are the only 5 I know of.
So if you changed the bootloader from US to WW I heard another user reporting some issues.
But in your case I am at a loss as to how you can boot 4.3 but not 4.4.2 as you are apparently on a 4.4.2 compatible bootloader and recovery .......
Click to expand...
Click to collapse
Ah, right, i understand. I am WW, and i use it in every installation that i've done on my eee pad, from the rooting process and the unlocking of bootloader to the change of the rom.
Now that i am on the previous version of your rom those are infos of kernel, firmware, ecc.
Android Version 4.3
Kernel Version 3.4.57-g47dbe4d [email protected]#1
Tue Dec 17 23.26.15 CST 2013
Build Number TF701T_CROMi-Xenogenesis-6.1-WW_DEODEX-ORIGINAL-10.26.1.18 020115_201310210002
In ROM Manager i can see that my Recovery still is the 6.0.5.0 version.
In bootloader i can see that it is "WW_epad-11.4.1.17-20140711"
Hope that this might be helpful and hope that i don't write anything of unsafe.
M.

aMachi said:
Ah, right, i understand. I am WW, and i use it in every installation that i've done on my eee pad, from the rooting process and the unlocking of bootloader to the change of the rom.
Now that i am on the previous version of your rom those are infos of kernel, firmware, ecc.
Android Version 4.3
Kernel Version 3.4.57-g47dbe4d [email protected]#1
Tue Dec 17 23.26.15 CST 2013
Build Number TF701T_CROMi-Xenogenesis-6.1-WW_DEODEX-ORIGINAL-10.26.1.18 020115_201310210002
In ROM Manager i can see that my Recovery still is the 6.0.5.0 version.
In bootloader i can see that it is "WW_epad-11.4.1.17-20140711"
Hope that this might be helpful and hope that i don't write anything of unsafe.
M.
Click to expand...
Click to collapse
NO that is expected but hat is not expected is why you can't boot 4.4.2. Let's wait for _that and lj50036 to cast their expert eyes over your issues.

sbdags said:
@lj50036, @_that any suggestions for this one?
Click to expand...
Click to collapse
This seems to be the core of the problem:
Code:
E/dalvikvm(13002): JNI posting fatal error: Native registration unable to find class 'com/android/internal/os/RuntimeInit'; aborting...
Check that the framework is correctly installed and the BOOTCLASSPATH is set correctly:
Code:
adb shell echo $BOOTCLASSPATH > bootclasspath.txt
adb shell ls -l /system/framework > framework.txt

_that said:
This seems to be the core of the problem:
Code:
E/dalvikvm(13002): JNI posting fatal error: Native registration unable to find class 'com/android/internal/os/RuntimeInit'; aborting...
Check that the framework is correctly installed and the BOOTCLASSPATH is set correctly:
Code:
adb shell echo $BOOTCLASSPATH > bootclasspath.txt
adb shell ls -l /system/framework > framework.txt
Click to expand...
Click to collapse
Ok, so maybe now i need some help.
I run adb in my pc then i type adb shell to run the remote shell interactively.
Then what i need to type?
Anyway if i type "ls -l /system/framework > framework.txt" the response is "No such file or directory"
Sorry for my n00b questions. Really hope to learn something here, and give a chance to reward everyone for the help.

aMachi said:
Ok, so maybe now i need some help.
I run adb in my pc then i type adb shell to run the remote shell interactively.
Then what i need to type?
Anyway if i type "ls -l /system/framework > framework.txt" the response is "No such file or directory"
Sorry for my n00b questions. Really hope to learn something here, and give a chance to reward everyone for the help.
Click to expand...
Click to collapse
The commands were supposed to be typed as is on your computer. However I think I missed to quote the "echo $BOOTCLASSPATH" - I want the bootclasspath of your device, not of your PC.
Anyway, if you type "adb shell" first and then "ls -l /system/framework" and you get back "No such file or directory" that's strange...

_that said:
The commands were supposed to be typed as is on your computer. However I think I missed to quote the "echo $BOOTCLASSPATH" - I want the bootclasspath of your device, not of your PC.
Anyway, if you type "adb shell" first and then "ls -l /system/framework" and you get back "No such file or directory" that's strange...
Click to expand...
Click to collapse
Ok so tomorrow i'll give you the result of this test. I hope that i learn how to right use this command.
Any other thing that i can do?

aMachi said:
Ok so tomorrow i'll give you the result of this test. I hope that i learn how to right use this command.
Any other thing that i can do?
Click to expand...
Click to collapse
Post screenshots of your cmd window so that they can see the actual input/output

berndblb said:
Post screenshots of your cmd window so that they can see the actual input/output
Click to expand...
Click to collapse
No need for a graphical screenshot - you can copy the text from the console window.

TF701T NvFlash Unbrick Solution(tested)

TF701T NvFlash Unbrick Solution(tested)
(continue of the threadhttps://forum.xda-developers.com/showthread.php?t=2655888)
Charge tab before unbricking.
Connect tab to PC.
If your tab not started already in APX mode, then run APX mode by pressing button combination Vol+ and Power.
Insall drivers from "usb_drivers" if needed.
If there is a problem with the installation of drivers, use Google to search- how to install unsigned drivers.
When device installed correctly run "tf701t_flash.bat".
If flash process interrupts with error like ...read\write error..., then probably EMMC memory chip is damaged and need to replace.
If flash process complete, then we ready to next step.
Prepare fat32 formatted microSD card.
Download from ASUS site update package.
https://www.asus.com/us/Tablets/The_New_ASUS_Transformer_PadTF701T/HelpDesk_BIOS/
It _MUST_ be Version V10.14.1.47, SKU(region)- of your choice.
The downloaded file will look like **_epaduser_10_14_1_47_UpdateLauncher.zip
There will be another archive inside that archive.
Extract it, and rename it to t4_sdupdate.zip
Put t4_sdupdate.zip in root of microSD card.
Insert microSD card in tab, then start tab in recovery mode by pressing Vol- and Power key combination.
Follow onscreen instructions to complete recovery process.
After all you tab must be restored to factory state JB Android.
Now you may update firmware version using OTA or sdcard.
NvFlash TF701T Unbrick
http://mega.nz/#!mk8k0Y5S!TQJVfcQudH9HIMnapiGZWccV3VvygnTjDWYLxJte4lo
mirror
http://smartjtagbox.com/owncloud/index.php/s/T8DKqDuhSZzffSp

What is this? A covert ad campaign for Mega? How about hosting the file somewhere that does not force you to download an app, open an account and all that cr***? I'd be really curious to see the code, but not like this.....
Sent from my TF700T using Tapatalk

berndblb said:
What is this? A covert ad campaign for Mega? How about hosting the file somewhere that does not force you to download an app, open an account and all that cr***? I'd be really curious to see the code, but not like this.....
Click to expand...
Click to collapse
Where did you see the ad or need to register, or requirement of install the program for downloading?
Just checking in IE and FF.
I see a big red button- "download", no ads, and no requirements.
Ok, for those who have problems with mega.nz added a mirror for download.

TF701t - Hard Reset Fails ...
Dear Community,
I wanted to hard reset my TF701t to delete my data and give it to another one.
But now it stucks in "deleting data" ... that endures a minute then a dead android is on the screen.
When I want to reboot it, the hard reset comes again and want to delete everything, but the dead android is coming back :/
I can't go in Recovery Mode (Volume-down + Power)
Connection to APX works but, see pic below ...
I don't know what I could try anymore ...
Hope somebody have an idea.
Best greetings,
Symbic
Bild -> url: ibb.co/iFP5JH
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

Symbic said:
Dear Community,
I wanted to hard reset my TF701t to delete my data and give it to another one.
But now it stucks in "deleting data" ... that endures a minute then a dead android is on the screen.
When I want to reboot it, the hard reset comes again and want to delete everything, but the dead android is coming back :/
I can't go in Recovery Mode (Volume-down + Power)
Connection to APX works but, see pic below ...
I don't know what I could try anymore ...
Hope somebody have an idea.
Best greetings,
Symbic
Bild -> url: ibb.co/iFP5JH
Click to expand...
Click to collapse
Link to the picture is broken, so we cannot see what result you got...
What's your situation: Bootloader unlocked? Custom recovery? I guess not since you get the dead Android?

link to screenshot ok.
as i can see- problems begin after trying access to EMMC chip.
"Taking backup of EKS"
unfortunately with 90% certainty i can say that the EMMC chip damaged.

mr.bin said:
link to screenshot ok.
as i can see- problems begin after trying access to EMMC chip.
"Taking backup of EKS"
unfortunately with 90% certainty i can say that the EMMC chip damaged.
Click to expand...
Click to collapse
Can I do anything else to test the EMMC chip?

Symbic said:
Can I do anything else to test the EMMC chip?
Click to expand...
Click to collapse
In that state the EMMC chip can be tested with the special equipment like EasyJtag box.

Hello Mr Bin, registered an account just to say thank you...
You have no idea.. was helping a friend to update, but the guy who sold it(tf701) had bought it from different region and turned it to US, so we ended up hard bricking it.
Long story short, we hard bricked it.
Thank you for your hard work in making the fix, and a big THANK you for sharing it...
Perfect fix, its better than before because it got updated to .47 (we couldnt update, no OTA no manual, too old version for custom recoveries)
Again.. thanks :good::good:

Thanks.
But, after clicking to RCK, shows Android with blue procesing line and after few seconds android with open door and red triangle !. After few minutes bootloop....nothing more.
What can i doing again?

Wow! It's back!
Hi.
First of all: Thank you very much! I was sure my tablet was a goner... It is actually back. One tip I'd like to add: I had to try around a bit to get into APX mode. But essentially I just had to connect the tablet to my PC and then push "Volume up" and power at the same time - and ignore that the screen did not light up ...
Again: Thanks a lot!

Mr.Bin,
You have resurrected my TF701T! Thank you SOOOO MUCH! You are an actual genius! Thanks!

Help w installation
I have the same problems although i have not installed any custom OS but after few months of not using it didnt load up and ended in APX mode.
Tried this solution, installed the driver, started the .bat file and ended up here :
Nvflash 3.08.1704 started
Using blob 3.08.1704
chip uid from BR is: 0x600000015c3e10080c000000190301c0
rcm version 0X350001
Skipping BoardID read at miniloader level
System Information:
chip name: unknown
chip id: 0x35 major: 1 minor: 2
chip sku: 0x3
chip uid: 0x000000015c3e10080c000000190301c0
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
board id: 0
warranty fuse: 0
dk burned: true
boot device: emmc
operating mode: 6
device config strap: 0
device config fuse: 17
sdram config strap: 0
RCM communication completed
sending file: flash.bct
- 8192/8192 bytes sent
flash.bct sent successfully
BCT sent successfully
odm data: 0x82098000
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.bin
data send failed NvError 0x120002
command failure/warning: bootloader download failed (bad data)
I would be very thankful for any information you could read from this. Just would like to know if i even have a chance of getting it back on.

So, I was running fine with CROMi-X KitKat, but wanted to upgrade to Marshmallow (to install sw not supported in KitKat), so decided to try KatKiss 6.0. It's been years since I've played with flashing ROMs, but I did a little reading to refresh my memory. Then I rebooted into recovery (ClockworkMod), backed everything up, then wiped everything, formatted /data, and tried flashing the KatKiss zip file. At that point, it just sat there forever at the ASUS logo screen:
I've tried several times to boot back into recovery by holding the Vol+ and Power buttons, but it either doesn't boot, or boots to the above screen. I've connected it to my Mac w/ the Android SDK Platform Tools, but adb doesn't see any device listed. [I've got an old Windows laptop (XP?)] I could use if it will do something the Mac can't.]
Any advice on how I can save this tablet?

This method can be apply to tft300t?

Hi! What a great thread! After lurking on this forum for many years, i've registered to expose my issue with an old tf701 that was given to me by a friend. He say me he installed esexplorer and deleted file to clean space. Next day he rebooted and never been able to boot system. Now tablet is in bootloop ending with blackscreen and backlight on. Im able to open in fastboot and talk with minimal adb and fastboot. RCK update ending with fallen robot, Wipe data/cache ending with fallen robot. APX mode also working and ive run mr.bin's Nvflash unbrick tool with this result:
Nvflash 3.08.1704 started
Using blob 3.08.1704
chip uid from BR is: 0x600000015c3e10060400000001058440
rcm version 0X350001
Skipping BoardID read at miniloader level
System Information:
chip name: unknown
chip id: 0x35 major: 1 minor: 2
chip sku: 0x3
chip uid: 0x000000015c3e10060400000001058440
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
board id: 0
warranty fuse: 0
dk burned: true
boot device: emmc
operating mode: 6
device config strap: 0
device config fuse: 17
sdram config strap: 1
RCM communication completed
sending file: flash.bct
- 8192/8192 bytes sent
flash.bct sent successfully
BCT sent successfully
odm data: 0x82098000
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.bin
| 1463232/1463232 bytes sent
bootloader.bin sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
Taking backup of EKS
Receiving file: EKS_0400000001058440.bin, expected size: 4194304 bytes
/ 4194304/0 bytes received
file received successfully
Taking backup of PER
Receiving file: PER_0400000001058440.bin, expected size: 8388608 bytes
/ 8388608/0 bytes received
file received successfully
Taking backup of ABT
Receiving file: ABT_0400000001058440.bin, expected size: 4194304 bytes
/ 4194304/0 bytes received
file received successfully
Continuing create using flash.cfg
setting device: 2 3
deleting device partitions
creating partition: BCT
creating partition: PT
creating partition: EBT
creating partition: DFI
creating partition: BMP
creating partition: ABT
creating partition: GP1
creating partition: SOS
creating partition: DTB
creating partition: LNX
creating partition: APP
creating partition: CAC
creating partition: APD
creating partition: ADF
creating partition: MSC
creating partition: USP
creating partition: PER
creating partition: CRA
creating partition: MDA
creating partition: EKS
creating partition: UDA
creating partition: GPT
sending file: bootloader.bin
| 1463232/1463232 bytes sent
bootloader.bin sent successfully
sending file: xusb_sil_rel_fw
- 126464/126464 bytes sent
xusb_sil_rel_fw sent successfully
sending file: ABT_0400000001058440.bin
/ 4194304/4194304 bytes sent
ABT_0400000001058440.bin sent successfully
sending file: recovery.img
\ 7272704/7272704 bytes sent
recovery.img sent successfully
sending file: boot.img
- 6760704/6760704 bytes sent
boot.img sent successfully
sending file: PER_0400000001058440.bin
/ 8388608/8388608 bytes sent
PER_0400000001058440.bin sent successfully
sending file: EKS_0400000001058440.bin
/ 4194304/4194304 bytes sent
EKS_0400000001058440.bin sent successfully
failed executing command 26 NvError 0x120002
command failure/warning: sync failed (bad data)
bootloader status: Bct Write Failed (code: 22) message: nverror:0x40005 (0x14000
5) flags: 0
Click to expand...
Click to collapse
Advise would be great help. I dont know if mmc could be dead, it showing some successful tranfert but keep failing at same place. Thanks!

Hello. These commands for nvflash make a backup and installation of the system.
REED
@cls
@nvflash.exe --blob blob.bin --bl bootloader.bin --read 9 recovery.img --read 11 boot.img --read 12 system.img
@pause
WRITE
@cls
@nvflash.exe --blob blob.bin --bl bootloader.bin --download 9 recovery.img --download 11 boot.img --download 12 system.img
@pause
Thanks mr.bin for a great tool

Important information who uses nvflash!
3 files (ABTxxxxxxxxxxxxxxxx.bin, EKS_xxxxxxxxxxxxxxxx.bin, PER_xxxxxxxxxxxxxxxx.bin, which are created after running nvflash, must be flashed again. Otherwise, it will be impossible to unlock the tablet again and the serial number will be lost. Save in a safe place and then rename the files to EKS, ABT, PER.
To do this, create a second file with the bat extension. In a text editor, type these lines
Code:
nvflash --wait --blob blob.bin --bl bootloader.bin --download 7 ABT --download 21 EKS --download 18 PER --go
If these files are saved on the unlocked tablet, then after their firmware unlocking will be restored.
Also, using nvflash, you can resize partitions, flash a bootloader with file system markup, recovery.

There is no way to load an unlocked bootloader in this process ??

[WIP]Dissecting the bootloader aka: get rid of annoying "Your device is corrupt"

[WIP]Dissecting the bootloader aka: get rid of annoying "Your device is corrupt"
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
Code:
> adb shell
# dd if=/dev/block/bootdevice/by-name/abl_b of=/sdcard/img.abl_a
# <ctrl-D>
> adb pull /sdcard/img.abl_a
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
Code:
> binwalk -e img.abl_a
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
4488 0x1188 Certificate in DER format (x509 v3), header length: 4, sequence length: 1279
5771 0x168B Certificate in DER format (x509 v3), header length: 4, sequence length: 1133
6908 0x1AFC Certificate in DER format (x509 v3), header length: 4, sequence length: 1149
12408 0x3078 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 487624 bytes
I am thinking that bytes 0...4487 is the real bootloader code, so:
Code:
> head --bytes=4488 img.abl_b > abc
> file abc
abc: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, corrupted section header size
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
Code:
> readelf abc
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: ARM
Version: 0x1
Entry point address: 0x9fa00000
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 3
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
NULL 0x000000 0x00000000 0x00000000 0x00094 0x00000 0
NULL 0x001000 0x9fa30000 0x9fa30000 0x01988 0x02000 0x1000
LOAD 0x003000 0x9fa00000 0x9fa00000 0x30000 0x30000 RWE 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
Elf file type is EXEC (Executable file)
Entry point 0x9fa00000
There are 3 program headers, starting at offset 52
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...

foobar66 said:
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
I am thinking that bytes 0...4487 is the real bootloader code, so:
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...
Click to expand...
Click to collapse
Wow! Excited to see this! Thanks

It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.

foobar66 said:
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
Code:
> adb shell
# dd if=/dev/block/bootdevice/by-name/abl_b of=/sdcard/img.abl_a
# <ctrl-D>
> adb pull /sdcard/img.abl_a
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
Code:
> binwalk -e img.abl_a
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
4488 0x1188 Certificate in DER format (x509 v3), header length: 4, sequence length: 1279
5771 0x168B Certificate in DER format (x509 v3), header length: 4, sequence length: 1133
6908 0x1AFC Certificate in DER format (x509 v3), header length: 4, sequence length: 1149
12408 0x3078 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 487624 bytes
I am thinking that bytes 0...4487 is the real bootloader code, so:
Code:
> head --bytes=4488 img.abl_b > abc
> file abc
abc: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, corrupted section header size
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
Code:
> readelf abc
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: ARM
Version: 0x1
Entry point address: 0x9fa00000
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 3
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
NULL 0x000000 0x00000000 0x00000000 0x00094 0x00000 0
NULL 0x001000 0x9fa30000 0x9fa30000 0x01988 0x02000 0x1000
LOAD 0x003000 0x9fa00000 0x9fa00000 0x30000 0x30000 RWE 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
Elf file type is EXEC (Executable file)
Entry point 0x9fa00000
There are 3 program headers, starting at offset 52
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...
Click to expand...
Click to collapse
Good job, if needed i can help with the checking

tech_head said:
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
Click to expand...
Click to collapse
abl.img is not the bootloader i guess.

tech_head said:
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
Click to expand...
Click to collapse
On other devices they've been able to swap this image with another one to "hide" the message, to "get rid of it".

Would we sweet if we could get rid of the unlocked bootloader message too.

dennisbednarz said:
Would we sweet if we could get rid of the unlocked bootloader message too.
Click to expand...
Click to collapse
+1

U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till.it fixes it, then u flash a proper kernel and you are good. Cuz as It stands one can only resolve this properly with the tool

jacksummers said:
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till.it fixes it, then u flash a proper kernel and you are good. Cuz as It stands one can only resolve this properly with the tool
Click to expand...
Click to collapse
Different issue.
They are not trying to get rid of the red warning but the yellow warning for an unlocked BL.
On this phone, if you have a "red" warning you use the MSMDownload tool and go back factory including locking the BL.
This is a different case.

Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
Code:
> lsusb
Bus 001 Device 034: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
And then:
Code:
> dmesg
[ 9395.999112] usb 1-1: new high-speed USB device number 34 using xhci_hcd
[ 9396.149376] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[ 9396.149380] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 9396.149383] usb 1-1: Product: QUSB_BULK_CID:0402_SN:33B9DDAC
[ 9396.149386] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[ 9396.150184] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[ 9396.150372] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...

foobar66 said:
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
Code:
> lsusb
Bus 001 Device 034: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
And then:
Code:
> dmesg
[ 9395.999112] usb 1-1: new high-speed USB device number 34 using xhci_hcd
[ 9396.149376] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[ 9396.149380] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 9396.149383] usb 1-1: Product: QUSB_BULK_CID:0402_SN:33B9DDAC
[ 9396.149386] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[ 9396.150184] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[ 9396.150372] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
Click to expand...
Click to collapse
Use this https://forum.xda-developers.com/oneplus-6t/how-to/tool-6t-msmdownloadtool-v4-0-oos-9-0-5-t3867448
Should try for several times with instruction here

Question - when does device show red warning? When u disable dm verity?
I unlocked and rooted but only had yellow warning, but when i installed aosp gsi i had a red warning. Once of the step to install the rom was flashing vbmeta and disabling dm verity.

patelparth120595 said:
Question - when does device show red warning? When u disable dm verity?
I unlocked and rooted but only had yellow warning, but when i installed aosp gsi i had a red warning. Once of the step to install the rom was flashing vbmeta and disabling dm verity.
Click to expand...
Click to collapse
Disabled dm-verity caused red warning, i guess.
---------- Post added at 10:01 AM ---------- Previous post was at 09:58 AM ----------
foobar66 said:
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
And then:
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
Click to expand...
Click to collapse
Edited abl.img ? and flashed via recovery/fastboot ?

AnoopKumar said:
Edited abl.img ? and flashed via recovery/fastboot ?
Click to expand...
Click to collapse
No, just flashed using dd command in TWRP shell.

foobar66 said:
No, just flashed using dd command in TWRP shell.
Click to expand...
Click to collapse
Phone still dead ?

OK ... I managed to recover my phone !
A windows PC with the MSM program did the trick.
I am now back to stock 9.0.5

foobar66 said:
OK ... I managed to recover my phone !
A windows PC with the MSM program did the trick.
I am now back to stock 9.0.5
Click to expand...
Click to collapse
I assume that, there is nothing to do with the abl.img. Only thing we can do with it is change the default strings to a song lyric or something. abl.img is the uefi firmware i guess. Bootloader is using the images stored in the logo partition.

Gsi's flash without breaking verity if u flash to both slots. And totally format. Fastboot -w. The phone sees any changes to partitions as corruption and breaks verity, hence red warning.. if someone would be inclined to talk to invisiblek from the essential threads, he could tell u of a fix. The solution is not in abl. It's in the stock boot.img. if I had more time, I would help
---------- Post added at 02:52 PM ---------- Previous post was at 02:51 PM ----------
tech_head said:
Different issue.
They are not trying to get rid of the red warning but the yellow warning for an unlocked BL.
On this phone, if you have a "red" warning you use the MSMDownload tool and go back factory including locking the BL.
This is a different case.
Click to expand...
Click to collapse
No, they are talking about breaking verity also. Seems to be both messages, but more recently the broken verity message. Which there is two types, one u can boot from, one u cannot.

jacksummers said:
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till.it fixes it, then u flash a proper kernel and you are good. Cuz as It stands one can only resolve this properly with the tool
Click to expand...
Click to collapse
I would love that idea. That would be really nice to have on our device

How to patch `system.img` to root the Samsung S10 5G (Qualcomm) device?

Hi All,
Device Detail:
- Samsung S10 5G
- Qualcomm Device
- Model: SM-G977U
- ROM: VZW-G977UVRU2ASH7-20190827135903
- Kernel-Version - Linux version 4.14.83-16633035 ([email protected]) (clang version 6.0.10 for Android NDK) #2 SMP PREEMPT Wed Aug 14 16:23:48 KST 2019
Background: I have
- rooted the device with instructions given by Magisk.
- I can successfully reboot to the recovery rootfs.
Problem: I am trying to modify the `system.img.ext4.lz4` file to root the device with normal boot. I am aware that it will not let the device install OTA Updates.
Unpack-Pack System and make new AP.tar, flash:
- Without any modification to the `system.img`, I have just unpacked `system.img.ext4.lz4`->`system.img.ext4`->`system.img`->mounted to system directory and packed it back to `system.img`->`system.img.ext4`->`system.img.ext4.lz4`.
- Replaced unpack-packed `system.img.ext4.lz4` with the AP `system.img.ext4.lz4` and make a tar of it.
- Then I have flashed it using Odin v3.13 along with BL, CP, and HOME_CSC.
- Odin has show PASS and I have rebooted the device into recovery mode.
- Done the Wipe data/factory reset and reboot to recovery again but released the recovery key combination on splash screen as mentioned in the root instructions .
- The device stuck in a boot loop.
Tries:
1. Disable Dm-verity
- Removed `avb` flag from `boot.img` with
Code:
magiskboot dtb boot.img patch
- Removed `avb` and `verify` flags from `dtbo.img` with
Code:
magiskboot dtb dtbo.img patch
- Patched `ramdisk.cpio` with
Code:
magiskboot cpio ./initrd 'patch false true'
Patched `boot.img` and `dtbo.img` is working fine with magisk patched AP file but the `ramdisk.cpio` creating the issue: Stuck at splash screen when trying to go to recovery after successfully flash with Odin. Download mode is appearing on splash screen.
So, I have used `boot.img` and `dtbo.img` along with unpack-packed `system.img.ext4.lz4` but the result is still a boot loop. I have also tried a combination of `boot.img` and `dtbo.img` along with unpack-packed `vendor.img.ext4.lz4` and flashed the AP.tar with other files but still the result is a boot loop.
So, I want to debug the problem and got to know about `pstore` which preserve the logs when kernel panic.
2. pstore
- Checked that `/sys/fs/pstore` is mounted by the system with following in init file: Grep the pstore using `find . | grep '\.rc' | xargs cat | grep pstore -n -i` and get following result:
Code:
314: # pstore/ramoops previous console log
315: mount pstore pstore /sys/fs/pstore nodev noexec nosuid
316: chown system log /sys/fs/pstore/console-ramoops
317: chmod 0440 /sys/fs/pstore/console-ramoops
318: chown system log /sys/fs/pstore/console-ramoops-0
319: chmod 0440 /sys/fs/pstore/console-ramoops-0
320: chown system log /sys/fs/pstore/pmsg-ramoops-0
321: chmod 0440 /sys/fs/pstore/pmsg-ramoops-0
- Checked the kernel config by pulling the file from /proc/config.gz.
Code:
$ cat config | grep PSTORE
CONFIG_PSTORE=y
CONFIG_PSTORE_ZLIB_COMPRESS=y
# CONFIG_PSTORE_LZO_COMPRESS is not set
# CONFIG_PSTORE_LZ4_COMPRESS is not set
CONFIG_PSTORE_CONSOLE=y
CONFIG_PSTORE_PMSG=y
CONFIG_PSTORE_PMSG_SSPLOG=y
CONFIG_PSTORE_RAM=y
- Check the `ramoops` configuration:
Code:
./sys/module/ramoops/parameters/console_size 262144
./sys/module/ramoops/parameters/dump_oops 1
./sys/module/ramoops/parameters/ecc 0
./sys/module/ramoops/parameters/ftrace_size 262144
./sys/module/ramoops/parameters/mem_address 3241148416
./sys/module/ramoops/parameters/mem_size 1048576
./sys/module/ramoops/parameters/mem_type 0
./sys/module/ramoops/parameters/pmsg_size 262144
./sys/module/ramoops/parameters/record_size 262144
`pstore` setup looks fine but when I am trying the get logs from `sys/fs/pstore` then I found nothing.
I have tried it by two ways:
1. Crash manually with panic kernel using:
Code:
echo 1 > /proc/sys/kernel/sysrq
echo c > /proc/sysrq-trigger
Followed Reading Kernel Logs
2. Flashing non-working rom that cause a boot loop and then flashed a working ROM with rooting steps and checked the file at `sys/fs/pstore`.
I need a favor in:
- Any steps to fix/debug the `pstore` problem?
- Any other way to find the kernel logs?
Update 1: I get the logs from recovery but I am not able to identify the problem.
Logs link: https://drive.google.com/file/d/1b-XNmjpYvH-L8lY0xA0SYr7XcITVCrVS/view?usp=sharing
Description: In this video, I have done the following:
1. Displayed recovery logs before: The last recovery logs are ends with 8.
2. Rebooted the device with a recovery key combination. I have already wipe data partition before making this video.
3. The boot loop happens and in the next reboot, I have pressed the recovery key combination to open the recovery mode where logs that end with 9 displayed.
4. Then I have recorded `last_history`, `last_avc_message_recovery`, `last_log.9` and `last_kmsg.9`
5. `last_history` and `last_avc_message_recovery` looks unchanged(same as before boot loop).
6. Then, I just have tried to mount the system but that didn't work.
7. At last, I have just rebooted the system normally without any recovery key combination.
Some Highlighted logs of last_log.9
exec -f /system/bin/e2fsck -v -y /dev/block/bootdevice/by-name/cache
error: _do_exec: can't run '/system/bin/e2fsck'
(errno 13 : Permission denied)
/system/bin/e2fsck terminated by exit(255)
...
E:Can't read /cache/recovery/last_locale: No such file or directory
...
W:Failed to unmount /efs: Device or resource busy
can't unmount /efs - Device or resource busy
...
W:Failed to set brightness: Invalid argument
I:Screensaver disabled
Atomic Commit failed in DisableNonMainCrtcs
Atomic Commit failed, rc = 0
...
Reboot Recovery Cause is [[BootChecker]RebootRecoveryWithKey]
...
print_recovery_cause() : reboot_reason=[[BootChecker]RebootRecoveryWithKey]
...
[property list]
persist.audio.fluence.speaker=true
...
ro.vendor.build.security_patch=2018-08-05
Supported API: 3
I:/efs is already mounted
W:Failed to unmount /efs: Device or resource busy
check_selective_file:Can't unmount /efs - Device or resource busy
just_reboot_after_update = 1
should_wipe_cahcewipe_cache
-- Wiping cache...
erase_volume(/cache)
...
MDF_I: Completed reset MDF flag!
MDF_I: Completed initialized MDF for Recovery!
mke2fs 1.43.3 (04-Sep-2016)
Discarding device blocksL 4096/153600??????????????????????????????done
Discard takes 0.00051s
Creating filesystem with 153600 4k blocks and 38400 inodes
...
Creating journal (2048 blocks): done
...
copy_logs
...
Cache wipe complete
[Checking pre-multi-csc2]
[start failed section]
sales_code=VZW
Carrier ID=[XAA]
[system partition space check]
The device has /product partition.
[out-recovery]
I:system root image is true, so need to change the unmount point from /system to /system_root
running out-recovery time : 0.000s
running recovery time: 1.738s
copy_avc_msg_to_data(1, )
I:fs_type "ext4" for /cache
copy_file 'proc/avc_msg' 'cache/recovery/last_avc_msg_recovery'
!__RECOVERY_FOR_ASSAMBLY
b_del_recovery_command = true
Rebooting...
## finish_recovery_terminate(del=1, reboot_cmd=reboot, clear_BCB=1)
## finish_recovery(delcmd=1,...
I:Saving locale "en-US"
I:fs_type "ext4" for /cache
I:[libfs_mgr]dt_fstab: Skip disabled entry for partition vm-linux
I:## unlink /cache/recovery/command
copy_logs
I:fs_type "ext4" for /cache
copy_log_file :: create recovery log file '/cache/recovery/log'
copy_log_file :: create recovery log file '/cache/recovery/last_log'
Click to expand...
Click to collapse
Is anyone have experience in detecting problems from the kernel logs?

i can not help you, but we can collect ideas. what about re-sign the system.img? there is a key somewhere, i guess just deleting won't work but maybe it is possible to calculate checksum

or maybe you can switch to SuperSU 2.79 SR3 (latest release from chainfire) or at least look inside the update-binary shell script how to root system.
regarding dm-verity i would start with searching for "verify" flag in your fstabs and remove it. magisk is also doing some hex patches and re-signing, it's the best source to look inside magisk installer zip update-binary/ updater-script, if you have the knowledge to read code
another option is try to port a twrp recovery from another snapdragon (i wonder if somebody did this already) if you can find a porting guide

so the vzw s10 5g is unlockable?

elliwigy said:
so the vzw s10 5g is unlockable?
Click to expand...
Click to collapse
yes

aIecxs said:
yes
Click to expand...
Click to collapse
Figures lol.. I have a g975u from big red n don't plan on buying another lol

aIecxs said:
yes
Click to expand...
Click to collapse
Message me on telegram and I can help you if you help me.. I'm curious in some logs and what not.. I also might have something you can use..

Did you get it working? I have the same phone and I want to use the 600mgz tmobile 5g in a few days, so I need the right rom.

elliwigy said:
so the vzw s10 5g is unlockable?
Click to expand...
Click to collapse
aIecxs said:
yes
Click to expand...
Click to collapse
Snapdragon bootloader unlockable? How?
I'm a VZW customer and can get the phone on an upgrade, but want to root it...

i got a g977p and twrp n magisk working great

do you think it is possible to flash other branding on verizon devices with modded odin?

aIecxs said:
do you think it is possible to flash other branding on verizon devices with modded odin?
Click to expand...
Click to collapse
dunno.. its not possible on n976v..

Was there any luck on rooting the Verizon G977U?

@Vats12 has already successful rooted with magisk in recovery. this thread is for rooting system (kind of rooting where su binary is placed in /system/xbin like for older devices, which breaks OTA)

aIecxs said:
@Vats12 has already successful rooted with magisk in recovery. this thread is for rooting system (kind of rooting where su binary is placed in /system/xbin like for older devices, which breaks OTA)
Click to expand...
Click to collapse
So you want like the supersu method?

ExtremeGrief said:
So you want like the supersu method?
Click to expand...
Click to collapse
Yes, do you know how to do this?
Magisk (guide) does a lot of other things too..
Maybe we can use Magisk to disable the securities and then SuperSu can help in the rooting system?

Vats12 said:
Yes, do you know how to do this?
Magisk (guide) does a lot of other things too..
Maybe we can use Magisk to disable the securities and then SuperSu can help in the rooting system?
Click to expand...
Click to collapse
But why? Safetynet will be gone
What model is the device?

ExtremeGrief said:
But why? Safetynet will be gone
What model is the device?
Click to expand...
Click to collapse
model see OP! i guess because of the buttons needed for booting in magiskrecovery, but the reason is not important only HOW (for Vats12, not for me i don't own this device)

Sorry but this thread needs to be closed
aIecxs said:
model see OP! i guess because of the buttons needed for booting in magiskrecovery, but the reason is not important only HOW (for Vats12, not for me i don't own this device)
Click to expand...
Click to collapse
I don't want to be the one who shouts fake, but the instructions you gave a link to says you have to be able to flash a bootloader first, which means an unlocked blootloader, if you have Verizon rom this is not possible, as the blootloader is locked.
If you did find a way to flash a modified bootloader, or a modified recovery those are the instructions we need, because in fastboot you are unable to do this with a locked bootloader and you are unable to unlock the bootloader on Verizon. If you have a modified bootloader or recovery flashed on your device what did you use to flash it with Odin? Because only way to flash a boot.img is either get into download mode and flash with Odin, or with Edl, if you got into edl mode then can you provide instructions on that, because we would like to know how to get the device into EDL mode as well
Sorry boys this is a hoax.

@DroidisLINUX there is video proof in OP, and again for you:
This is not a tutorial about unlocking and rooting, it is a question how he can modify /system to permanently integrate su

[TUTORIAL] How to unbrick Nexus 7 without blob.bin (REQUIRES ANOTHER NEXUS 7 2012)

Thanks to @Jirmd for letting me use his post as a reference.
Original post: https://forum.xda-developers.com/nexus-7/general/unbrick-nexus-7-tegra-3-device-t4078627
Alternative Method:
1. https://github.com/tofurky/tegra30_debrick
2. https://forum.xda-developers.com/t/...-without-another-n7-or-tegra30-device.4305955
(Both methods do not require another Nexus 7)
Requirements:
1. Linux-based OS (I use Ubuntu 18.04)
2. NvFlash and Wheelie (You can download the Linux version down below)
3. A USB cable (A good and sturdy one)
4. Nerve of steel lol
5. Must have APX driver installed.
6. Another Nexus 7 (Ask someone that have it or ask me)(MUST BE ROOTED AND HAVE TWRP RECOVERY INSTALLED)
7. ADB (platform-tools)
1. DUMP SBK VIA USB
Step 1: Download fusee-launcher for Nexus 7 from this link and extract it to a folder:
http://www.mediafire.com/file/sgwsa79idk24z8u/fusee-launcher-n7.zip/file
Step 2: Open a terminal inside of the folder then type:
Code:
sudo apt-get install python-usb python3-usb
Wait for it to complete. After that, type:
Code:
pip install pyusb
Step 3: Connect your device to a USB 3.0 port (REQUIRED). You can check for connection using "lsusb". There must be a "NVidia Corp" in the list.
Step 4: Type:
Code:
sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin
Something like this should appear:
Code:
05f4a5d01'
Stack snapshot: b'0000000000000000100000003c9f0040'
EndpointStatus_stack_addr: 0x40009f3c
ProcessSetupPacket SP: 0x40009f30
InnerMemcpy LR stack addr: 0x40009f20
overwrite_len: 0x00004f20
overwrite_payload_off: 0x00004de0
payload_first_length: 0x00004de0
overwrite_payload_off: 0x00004de0
payload_second_length: 0x0000c7b0
b'00a0004000300040e04d0000b0c70000'
Setting rcm msg size to 0x00030064
RCM payload (len_insecure): b'64000300'
Setting ourselves up to smash the stack...
Payload offset of intermezzo: 0x00000074
overwrite_payload_off: 0x00004de0
overwrite_len: 0x00004f20
payload_overwrite_len: 0x00004e5c
overwrite_payload_off: 0x00004de0
smash_padding: 0x00000000
overwrite_payload_off: 0x00004de0
Uploading payload...
txing 73728 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
txing 4096 bytes (20480 already sent) to buf[1] 0x40005000
txing 4096 bytes (24576 already sent) to buf[0] 0x40003000
txing 4096 bytes (28672 already sent) to buf[1] 0x40005000
txing 4096 bytes (32768 already sent) to buf[0] 0x40003000
txing 4096 bytes (36864 already sent) to buf[1] 0x40005000
txing 4096 bytes (40960 already sent) to buf[0] 0x40003000
txing 4096 bytes (45056 already sent) to buf[1] 0x40005000
txing 4096 bytes (49152 already sent) to buf[0] 0x40003000
txing 4096 bytes (53248 already sent) to buf[1] 0x40005000
txing 4096 bytes (57344 already sent) to buf[0] 0x40003000
txing 4096 bytes (61440 already sent) to buf[1] 0x40005000
txing 4096 bytes (65536 already sent) to buf[0] 0x40003000
txing 4096 bytes (69632 already sent) to buf[1] 0x40005000
txing 4096 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
Smashing the stack...
sending status request with length 0x00004f20
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!
b'4445414442454546'
DEADBEEF
b'3030303030303030'
00000000
b'3030303030303030'
00000000
b'3034303030303930'
04000090
b'4634314330433241'
F41C0C2A
b'3133333731333337'
13371337
b'3535353535353535'
55555555
b'3430303033303030'
40003000
b'3430303035303030'
40005000
b'4141414141414141'
AAAAAAAA
b'3131313131313131'
11111111
b'3030303030303236'
00000026
b'3232323232323232'
22222222
b'68656c6c6f2c20776f726c640a00'
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
Traceback (most recent call last):
File "./fusee-launcher.py", line 823, in <module>
buf = switch.read(USB_XFER_MAX)
File "./fusee-launcher.py", line 530, in read
return self.backend.read(length)
File "./fusee-launcher.py", line 134, in read
return bytes(self.dev.read(0x81, length, 3000))
File "/usr/local/lib/python3.6/dist-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/local/lib/python3.6/dist-packages/usb/_debug.py", line 60, in do_trace
return f(*args, **named_args)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Search for the line "hello, world" inside of your log. It looks like this in this example:
Code:
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
The last 8 characters are not your SBK. This is the first 8 numbers of your Device ID. Delete this and delete the b' at the start and also the ' at the end.
The result should look like this:
Code:
e57de3bab6cb499d874d5772cb219f01
Congratulation, you have successfully dump your device SBK via USB.
2. GETTING YOUR CPU UID
Step 1: Download Wheelie and NvFlash then extract it to a folder.
Step 2: Download this broken blob.bin file (REQUIRE)
http://www.mediafire.com/file/32cxvjv2wajokqf/blob.bin/file
Then place it inside of the Wheelie and NvFlash folder.
Step 3: Open a terminal inside of the folder then type:
Code:
./wheelie --blob blob.bin
After that, something like this should appear:
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
[=] Chip UID: 0x98254853062001158
[-] Incorrect SBK or SBK type selected. nverror: 0x4.
Search for "Chip UID", remove the "0x" at the beginning. The result should look like this:
Code:
98254853062001158
Congratulation, you got your chip UID
3. GENERATE BLOB FILES USING ANOTHER NEXUS 7
Step 1: Download MkNvfBlob from this link:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/precompiled/precompiledN7.tar.xz
Note: Extract this to your Nexus 7.
Step 1.1: Reboot into TWRP recovery.
Step 2: Open a terminal inside of you ADB folder then type:
Code:
adb shell
After that:
Code:
su
Type this command after that:
Code:
mkdir /AndroidRoot
Last one:
Code:
cat /proc/cpuinfo > /AndroidRoot/cpuinfo
Pull the cpuinfo file using this command:
Code:
adb pull /AndroidRoot
Note: You could copy your cpuinfo file to your PC using MTP (IDK how to do this so search Google lol)
Open your ADB folder and there should be a AndroidRoot folder with a cpuinfo file inside of it.
Open cpuinfo using a Text Editor. Something like this should be inside:
Code:
Processor : ARMv7 Processor rev 9 (v7l)
processor : 0
BogoMIPS : 1993.93
processor : 1
BogoMIPS : 1993.93
processor : 2
BogoMIPS : 1993.93
processor : 3
BogoMIPS : 1993.93
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
Hardware : grouper
Revision : 0000
Serial : 015d4a5f202c0401
Replace the Serial line with your Chip UID.
After that, place the cpuinfo file back to the /AndroidRoot folder on your device using this command:
Code:
adb push AndroidRoot /
After you are done, don't close the ADB windows.
Step 3: Download bootloader.xbt:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bootloaders/bootloader.grouper.XBT
And BCT for your device:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bct/n7.bct
And copy these two files to the /AndroidRoot folder on your device.
Step 4: Type this command on the ADB windows:
Code:
cd /AndroidRoot
After that, type:
Code:
chmod 777 ./mknvfblob
After that, type:
Code:
./mknvfblob -W -K <your SBK> --blob /AndroidRoot/test.blob --bctin /AndroidRoot/n7.bct --bctr /AndroidRoot/testr.bct --bctc /AndroidRoot/testc.bct --blin /AndroidRoot/bootloader.grouper.XBT --blout /AndroidRoot/test.ebt
Wait for it to do its job.
After that, go to your /AndroidRoot folder and copy all the file that just got generated (testr.bct, testc.bct. test.ebt, test.blob) to your PC using the adb pull command on Step 2
Congratulation, you have successfully generate blob for your bricked device.
4. UNBRICK YOUR DEVICE (The fun part )
Step 1: Boot your bricked device into APX mode either using Power button or Power + Vol UP.
Step 2: Open a terminal inside of the folder where you place your NvFlash folder (move the blob file inside of that folder, all of them)
Step 3: Open a terminal inside of your Wheelie and NvFlash folder. Type:
Code:
sudo ./nvflash --bl test.ebt --bct testr.bct --blob test.blob
If you got this command:
Code:
command error: no command found
Then try this one instead:
Code:
./nvflash --setbct --create --configfile <your flash.cfg> --bl test.ebt --bct testr.bct --blob test.blob
If you got the NvError, its fine.
Something like this should appear (the first command):
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d2bc285340e0f
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d2bc285340e0f
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: recovery.bct
- 6128/6128 bytes sent
recovery.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.ebt
- 2146912/2146912 bytes sent
bootloader.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
A Google Logo should appear on your device screen with the text "Battery is too low" on the upper left corner. Unplug the battery and replug it. After that, plug it into a wall charger for atleast 4 hour.
Step 4: Unplug the battery and boot into APX mode again using the button combination.
Step 5: Type this command while holding down the Vol DOWN button:
Code:
sudo ./nvflash --resume --download 8 boot.img
Replace "boot.img" with your ROM boot.img file. If you download another boot.img that isn't for your ROM, your device will bootloop.
Step 6:
Type:
Code:
sudo ./nvflash --resume --download 4 bootloader.img
Replace "bootloader.img" with your bootloader.img file name (You could get it inside of the Factory Image)
And after its done, your device should technically unbrick now. But I still recommend you re-flash stock ROM.
Step 7: The final step
Boot into your OS using the command below:
Code:
sudo ./nvflash --resume --go
If your device boot back into APX mode, maybe you have done something wrong. Try again.
If you got a Google logo on your device then congratulation! Your device is now unbricked.
Note: If step 7 didn't work, try booting this recovery image using this command:
Code:
fastboot boot flatline_grouper.img
Link for the recovery image is in the "Links" section.
Note: To get into Fastboot, add the "--go" line at the end of the command in Step 5
Code:
sudo ./nvflash --resume --download 8 boot.img --go
HOLD DOWN VOL DOWN while doing this command, you should get into fastboot at
After you are in the Flatline recovery, navigate to the "Advanced" section using the VOL buttons. Select it using the POWER button.
Select the "wheelie" at the end of the list.
Select "I agree".
After that, select "Step 1: Flash AndroidRoot.mobi custom bootloader." IGNORE Step 2 because it won't gonna work anyways.
Your device should reboot and the Google logo should appear, that means that your device is unbricked.
Note: If you wanted to flash stock ROM, open the "image-*******.zip" inside of the factory image and open the android-info.txt file. Edit the "require-bootloader" line to "4.13". After that, it should work.
Links:
flash.cfg: http://www.mediafire.com/file/j90hc1dfz58aytq/flashcfg.zip/file
flatline_grouper.img: https://www.mediafire.com/file/z1jvgy6km33f7bf/flatline_grouper.img/file
Wheelie, NvFlash and platform-tools (For ADB) (Works for both Linux and Windows): https://www.mediafire.com/file/0nuy4indgvagq3v/nvflash-and-platformtool.zip/file
Download the Factory Image for your Nexus 7 incase you want to re-flash stock ROM (nakasi or nakasig): https://developers.google.com/android/images#nakasi
That is. If you need any help, message me.
Update: After a few days of troubleshooting, fixing and updating my post, it seems like the step to unbrick your Nexus 7 2012 may depends on how did you brick it, what OS version you are running or the condition of your device. So you may have to "think outside the box" sometimes in this guide.
Update #2: Some helpful advice from @Jirmd with some minor change:
When you get this error :
Code:
Nvflash v1.10.76762 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d4a5f202c0401
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d4a5f202c0401
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 2
device config fuse: 17
sdram config strap: 1
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
after this command :
Code:
./nvflash --configfile flash.cfg --create --bct testr.bct --setbct --bl test.ebt --blob test.blob --sync
Probably you have broken your internal storage!
You can probably flash:
Bootloader image (bootloader.img)
Kernel image (boot.img)
Recovery image (recovery.img aka TWRP)
But you CAN'T flash a new system via TWRP or fastboot, because the bootloader or the recovery was unable to connect to the partitions table.
You can try this command to erase bad blocks:
Code:
./nvflash --resume --configfile flash.cfg --obliterate
Reboot to APX mode and try the above command again.
But, broken internal storage is pretty much unrepairable.
There is some possibility of disassembly your device and overheat your memory IC, but this method is not easy and need more technical skill.
And in my case this did not help.
Click to expand...
Click to collapse
In my case, this command also gives me the nverror 0x4 but it also did something to my Nexus 7 as it was required for the next step.
Update #3: Updated the guide and removed some unessacery steps.
Update #4: Updated.

Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.

Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk

zak4 said:
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk
Click to expand...
Click to collapse
You could manually create the folder if you have root. By using those Root File explorer on Google Play Store.
I recommend you using this one: https://play.google.com/store/apps/details?id=com.clearvisions.explorer
Open the app then go to the root section, create a new folder name: AndroidRoot
And you are good to go.
If the above method didnt work, type these command one by one:
Code:
adb shell
su
mount -o rw,remount /system
You can mount your /system back to Read-Only using this command:
Code:
mount -o ro,remount /system

GedBlake said:
Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.
Click to expand...
Click to collapse
Yes, I have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.

Deleted.

@enderzip
Thank you Enderzip. I succeeded the creation of AndroidRoot with the command for write permission on system.
I have another issue about extraction of SBK of my bricked Nexus 7. I prepared everything (download of fusee-launcher, pyusb installation ...), checked connection of my device through APX (see below) but when I type sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin I got :
[email protected]:~/Downloads/fusee-launcher-n7$ lsusb
Bus 002 Device 096: ID 058f:6362 Alcor Micro Corp. Flash Card Reader/Writer
Bus 002 Device 061: ID 0955:7330 NVIDIA Corp.
Bus 002 Device 004: ID 046d:0805 Logitech, Inc. Webcam C300
Bus 002 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
...
[email protected]:~/Downloads/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
sudo: ./fusee-launcher.py : command not found
Sorry to be blocked again.

@enderzip
I found a solution to my issue by allowing the "execution of the file as program" in the permissions of fusee-launcher.py file.
Fusee-launcher started but quickly stopped before application stack dumping : message delivered by fusee-launcher is to use USB 3.0 and I realized that I have only USB 2.0 on my old desk computer.
Does someone know how to patch EHCI driver ? Is it a possible solution ?
Thanks for your advice.

enderzip said:
Yes, i have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
Click to expand...
Click to collapse
enderzip, wow, you soo good and cool. I am totaly glad for this, how you make your tutorial. And we must give thanks for AndroidRoot team and Jenkinsen. Without this people, we all have only paperweight.
Now, i will try make my moded mknvfblob worked standalone. Without Tegra 3, only on linux X86 PC.
And, i will try make tutorial for nexus 7 , how boot linux from usb, without multiboot. ( For case, when is your internal storage totaly unreparable damaged.)

Deleted.

Thank you Enderzip. I will follow your advice and buy a USB 3.0 PCI Express card and try later.
Again many thanks to you and Jmrd for your tutorial that will enable us to revive our bricked Nexus 7.
Envoyé de mon Nexus 4 en utilisant Tapatalk

I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?

gormatrax said:
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
Click to expand...
Click to collapse
The boot.img is inside the .zip inside of the factory image. I think the name is "image-nz---.zip"

Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0

@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen

gormatrax said:
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
Click to expand...
Click to collapse
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.

enderzip said:
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
Click to expand...
Click to collapse
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...

gormatrax said:
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
Click to expand...
Click to collapse
Hmm, have you tried switching the USB port? Maybe the USB cable too.

steffenm82 said:
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen
Click to expand...
Click to collapse
Sorry for my late reply, in this case, try skipping to the next step.

I must say that @enderzip guide make my nexus 7 back on it´s feet despite not having previously generated blobs. After some days of research and some nights via PM and FB messenger he managed to bring my Nexus back on. So Yes @GedBlake he managed to unbrick a nexus 7 with no previous generated blobs. But the mentor of this tutorial was @Jirmd. In adittion, thanks to this 2 wonderful persons that make my Nexus 7 back to it´s gold years!!!