Hi everyone and thanks for your time. I will get straight to the point:
All these tests were made on G925V 5.1.1, rooted with eng boot. (Look at my profile for my post on how to downgrade from 7.0, and all below, to 5.1.1 and for the root tutorial.)
- The Samsung downgrade mechanism relies on a flag set in the different partitions to determine its version.
- The phone looks for the flag "SYSMAGIC X" where X is the version. (Starting from 0, meaning SYSMAGIC 0 = version 1.)
- The following partitions have the flag:
* BOTA0 <---- gets its files from sboot.bin (bootloader first partition)
* BOTA1 <---- gets its files from cm.bin (bootloader second partition)
* BOOT <---- from boot.img
* CACHE <---- from cache.img
* RECOVERY <---- from recovery.img
* SYSTEM <---- from system.img
* sdb <---- which is the bootloader as a whole I believe, don't quote me on this, just a deduction.
All these files can be accessed through a full tar or by dumping them using dd if of.
Bota0, bota1, boot, system, recovery, cache, etc. can be found in:
/dev/block/platform/15570000.ufs/by-name
Putting any of these in a hex editor, you will find the line "SYSMAGIC 3" (in my case for 5.1.1, binary version 4).
If you dump /dev/block/sda18, edit it with a hex editor and change the SYSMAGIC to one version lower, save, then dd back to sda18 and reboot the phone, guess what?
SYSTEM REV. CHECK FAIL. DEVICE:3 BINARY:2.
All this is assumption, but the line is there and it seems to pass every check and just assumes that's the version.
Hope someone can take it further. I unfortunately bricked my S6 writing the wrong partition back over the bootloader... and well... bad bootloader... no more download mode.
Be careful, devs please help. Anyone with a device willing to use it as a guinea pig, PM me.
dragoodwael said:
> Hi everyone and thanks for your time. I will get straight to the point:
> [...]
That is great news. What else do you know of the magic bytes at the footer of the system image?
I'm going to look into this.
All of those partitions, probably even the cache partition with its metadata file from the CSC, have points that have access to the private signing key burned into the Trust Zone firmware.
Hi, I followed your tut on downgrading my SM-G925V to 5.1.1 and also got root, which was great, but I guess it's pretty worthless as it's only temporary until reboot. Has there been any further progress on permanent root on the G925V? Great work btw, all involved!
Below are the steps I followed to create a mmcblk0.img from a working device.
What is needed? -
a) A Working device of same model XT179x where 'x' could be 2,3,4,5,etc depending on region.
b) It should be a rooted one.
c) A working Linux system. Any variant would do.
Steps to follow in working device:
1) Reboot device to TWRP recovery.
2) Take a backup of system, data and boot partitions. While taking the backup, select the storage as Micro SDCard.
3) Once backup is complete, do a factory reset. This step is required as you don't want your friend's personal files and settings.
3a) Power off the device.
4) Remove the SIM and existing SDCard.
5) Insert a new 32GB SDCard Class 10 UHS-1 into the device. This should be formatted as FAT32 or exFAT.
6) Boot the device.
7) Once booted, connect the device to computer using USB.
8) Open a terminal in your Linux.
9) adb devices (This step assumes that adb and fastboot are in the Linux system path)
10) adb shell
11) su -
12) You are in root shell now.
13) cat /proc/partitions.
13a) Above step would list out all partitions.
14) Note the size of mmcblk0 partition.
15) Now run 'dd if=/dev/block/mmcblk0 of=/storage/<STORAGE-ID>/mmcblk0.img bs=1000000000 count=30' without quotes. 'bs' stands for block size. In the above command I am giving a block size of 1GB. In my case the mmcblk0 partition size was nearly 30GB, so the above command worked for me. If you are experiencing a problem, then play with the numbers. For example, you could try decreasing the 'bs' value and increasing the 'count' value. Ultimately 'bs' multiplied by 'count' should be the partition size. If everything goes fine, you will have a mmcblk0.img on your sdcard. One more point to note: <STORAGE-ID> in the command is a placeholder. The actual ID would be a hexadecimal value. You can get your storage ID by doing 'ls /storage' in the root shell. In my case the SDCard was referred to as 7368-9BEE.
16) The above step will take some time as it has to create an image of 30G size. Once complete, copy the image from the SDcard to your computer.
17) Power off the device and remove the SDcard from device.
18) Insert your friend's SIM card and SDCard.
19) Boot to TWRP recovery.
20) Restore the backup you took in step 2 above.
Thanks
KS
kalyansundhar said:
> Below are the steps I followed to create a mmcblk0.img from a working device.
> Thanks
> KS
I thank you!
Can someone please create this file of a moto g5 xt1676 cedric?
We are many who need this file. Thanks again.
takoa said:
> Can someone please create this file of a moto g5 xt1676 cedric?
> We are many who need this file. Thanks again.
Sure, but you have to ask this in the G5 threads, not here.
It is hard to believe someone has both device types, G5 and G5S.
I just used adb in a dos-cmd-prompt under Windows 10, as steps 10 until 15 are executed inside 'adb shell' and use nothing of the underlying OS (only on the phone itself).
Furthermore, I had to use an exFAT formatted SD-card, as the FAT32 max file size is 4Gb and the mmcblk0.img file will be (a lot) bigger.
And I had to use a 64Gb SD-card as my mmcblk0.img seems to be bigger than yours (and the SD-card hosts some files in the android-folder, once the phone was booted).
My mmcblk0 was listed in 'cat /proc/partitions' sized at 30.535.680 (blocks of 1024 bytes).
I used the dd command:
dd if=/dev/block/mmcblk0 of=/storage/<SDcard-ID>/mmcblk0.img bs=1048576 count=29820
matching the exact size of mmcblk0.
Once I have uploaded the image file, I will put the download link in a post in the unbrick thread, with specs of my phone and versions.
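The size arithmetic discussed in the posts above, as an added example that is not part of the original thread: it reads the 1024-byte block count from 'cat /proc/partitions' output, derives a bs/count pair whose product is exactly the device size, and reports how many bytes a given pair would leave uncopied. The sample table is constructed (only the mmcblk0 size is the one reported above) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: size a whole-device dd dump so that bs * count equals the device size.
# Constructed sample of `cat /proc/partitions` (#blocks are 1024-byte units).
# Only the mmcblk0 size comes from the thread; the other rows are made up.
SAMPLE_PARTITIONS='major minor  #blocks  name

 179        0   30535680 mmcblk0
 179        1       2048 mmcblk0p1
 179       32       4096 mmcblk0rpmb'

# Print the #blocks column for device $1 (table on stdin); fail if it is absent.
device_blocks() {
    awk -v dev="$1" '$4 == dev { print $3; found = 1 } END { exit !found }'
}

# Print the largest candidate block size that divides $1 bytes evenly, with its count.
dd_plan() {
    for bs in 1048576 65536 4096 1024; do
        if [ $(( $1 % $bs )) -eq 0 ]; then
            echo "bs=$bs count=$(( $1 / $bs ))"
            return 0
        fi
    done
    return 1   # not a multiple of 1024, so not a size taken from /proc/partitions
}

# Bytes of a $1-byte device that 'dd bs=$2 count=$3' would not copy.
uncovered_bytes() {
    echo $(( $1 - $2 * $3 ))
}

# FAT32 cannot hold a single file of 4 GiB or more.
fits_fat32() {
    [ $(( $1 < 4294967296 )) -eq 1 ]
}

# After copying, the image must be exactly as long as the device.
image_is_complete() {   # $1 = image path, $2 = expected size in bytes
    [ "$(wc -c < "$1" | tr -d ' ')" = "$2" ]
}

blocks=$(printf '%s\n' "$SAMPLE_PARTITIONS" | device_blocks mmcblk0)
bytes=$(( blocks * 1024 ))
echo "mmcblk0: $bytes bytes -> dd $(dd_plan "$bytes")"
echo "bs=1000000000 count=30 would leave $(uncovered_bytes "$bytes" 1000000000 30) bytes uncopied"
fits_fat32 "$bytes" || echo "image is too large for FAT32; use exFAT"
```

Comparing the finished image's byte length against the computed size, and then its checksum against the published one, catches a truncated dump before anyone tries to recover a device from it.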
Can you make a video about it, in Linux or Windows 10? I have already had my cell phone dead for 2 days and I still cannot solve the problem. The template is xt1792.
kalyansundhar said:
> Below are the steps I followed to create a mmcblk0.img from a working device.
> Thanks
> KS
Thanks for the tutorial, I'm doing the file for the moto G5 Cedric.
TheFixItMan said:
> Since no one responded to my request in the Q&A section I'll ask here so sorry for off topic but I know people here will have a rooted moto g5
> Since I don't own this device anymore I'm looking for someone to provide the mmcblk0 partition so people with hard bricked device could potentially revive them
> If you would like to provide it you will need the following
> A moto g5 cedric rooted with twrp installed
> A blank micro sd card of at least 32gb
> Linux/Ubuntu or a virtual machine running it
> Cloud storage & a decent Internet connection
> See instructions below
> https://forum.xda-developers.com/showpost.php?p=76795590&postcount=1
> You can pm me the image
I suppose @rssxda, as messaged previously, can help you..
I have 2 mmcblk0 images:
1) Moto G5S and
2) Moto G5.
My Moto G5 (Cedric): XT1676, model M2675 (3Gb mem + 16Gb storage), NPP25.137-93 (1nov2017), reteu, android 7.0
download link: https://www.androidfilehost.com/?fid=11050483647474830935
MD5 of 7z-file: fc8617eb3957e2b4df16400f722f8095
MD5 of img-file (after unzip): 90efa172d7881f7268bb58708f3d9935
My Moto G5S (Montana): XT1794, model 2996, (3Gb + 32Gb), NPPS26.102-49-8 (1apr2018), reteu, android 7.1.1
download link https://www.androidfilehost.com/?fid=11050483647474830875
MD5 of 7z-file: dd10315797b78c359a2887b149cc8f44
MD5 of img-file (after unzip): ffeca74973f0b38b0996e13cde667c38
Have fun with it!
hanshu43 said:
> I have 2 mmcblk0 images:
> 1) Moto G5S and
> 2) Moto G5.
> [...]
- Friend, I have a Motorola G5 XT1670 (2GB RAM and 32 storage); will it be compatible?
- I have another device, and when I extract the mmcblk0 it weighs 30 000 000 000 and it does not turn on. Also, my mmcblk0's block size is the same as yours; do I use the same command?
hanshu43 said:
> I just used adb in a dos-cmd-prompt under Windows 10, as steps 10 until 15 are executed inside 'adb shell' and use nothing of the underlying OS (only on the phone itself).
> Furthermore, I had to use an exFAT formatted SD-card, as the FAT32 max file size is 4Gb and the mmcblk0.img file will be (a lot) bigger.
> And I had to use a 64Gb SD-card as my mmcblk0.img seems to be bigger than yours (and the SD-card hosts some files in the android-folder, once the phone was booted).
> My mmcblk0 was listed in 'cat /proc/partitions' sized at 30.535.680 (blocks of 1024 bytes).
> I used the dd command:
> dd if=/dev/block/mmcblk0 of=/storage/<SDcard-ID>/mmcblk0.img bs=1048576 count=29820
> matching the exact size of mmcblk0.
> Once I have uploaded the image file, I will put the download link in a post in the unbrick thread, with specs of my phone and versions.
Thank you very much, excellent tutorial; my block is equal to yours.
- What method do I use to burn the image to your sdcard?
Happiness777 said:
> - Friend, I have a Motorola G5 XT1670 (2GB RAM and 32 storage); will it be compatible?
> - I have another device, and when I extract the mmcblk0 it weighs 30 000 000 000 and it does not turn on. Also, my mmcblk0's block size is the same as yours; do I use the same command?
Sorry, my Spanish (is it Spanish?) is not that good. English for me please.
Is the xt1670 compatible with the xt1676? I don't know. My guess: it is not, as yours has 2+32Gb and mine has 3+16Gb.
And the image is almost 16Gb and not almost 32Gb.
I created the image with blocksize (bs=) 1048576 and count 14910 for the xt1676.
Hope this helps.
Happiness777 said:
> Thank you very much, excellent tutorial; my block is equal to yours.
> - What method do I use to burn the image to your sdcard?
The 'dd' command writes a (big) file on the SDcard. Actually, you can see the file on the SDcard.
See thread https://forum.xda-developers.com/moto-g5s/how-to/blank-flash-montana-t3765150 for how to write the image file to a recovery SDcard.
The phone boots from the SDcard and gives you the opportunity to flashboot the latest stock ROM to the internal storage of your phone.
I did *not* brick my phone (yet), so I did not test this recovery. I just created the mmcblk0 images for xt1676 and xt1794.
Can someone please create this file of a moto g5s xt1799-2?
Can someone please make a xt1972 Montana file? I can't revive my Montana with XT1974 and xt1975 files :/ I'm trying so hard since monday, please!
xt1792, the salvation
I have a Moto XT1792 but I don't know how to create the image, please help me as quickly as possible.
Does this procedure exist for the Moto Z Play XT1635-02?
hanshu43 said:
> I have 2 mmcblk0 images:
> 1) Moto G5S and
> 2) Moto G5.
> [...]
I'm looking for the G5S file, but your link is dead?
Does anyone have the Moto G5S (Montana): XT1794 mmcblk0 file?
Edit: I used an XT1795 file instead and it worked.
scruffe said:
> I'm looking for the G5S file, but your link is dead?
> Does anyone have the Moto G5S (Montana): XT1794 mmcblk0 file?
> Edit: I used an XT1795 file instead and it worked.
I tried downgrading the bootloader and my XT1795 is hard bricked now. The device doesn't boot up, with only the LED blinking when a power source is connected.
Have you flashed the file provided by hanshu43 in the previous post?
If yes, can you please help me with how to flash the mmcblk0 file on my XT1795?
And is everything working fine after you flashed an XT1794 file on the XT1795?
rizwan.mahai said:
> I tried downgrading the bootloader and my XT1795 is hard bricked now. The device doesn't boot up, with only the LED blinking when a power source is connected.
> Have you flashed the file provided by hanshu43 in the previous post?
> If yes, can you please help me with how to flash the mmcblk0 file on my XT1795?
> And is everything working fine after you flashed an XT1794 file on the XT1795?
Use the Nougat IMG file!
It works too, even if you have the Oreo bootloader (bc-12).
Thank you!
Dear All,
My LG G8 is stuck in Qualcomm HS-USB QDLoader.
I am trying to restore my G8 via the QFIL method, but I need a rawprogram.
After extracting the KDZ via Python, I managed to get gpt.bin (for the list of gpt.bin, please find the attachment).
By using the gpt.bin extracted from the KDZ I am not able to get the partition list.
Can anyone guide me on the proper method to create the rawprogram & patch file to restore my phone?
vikramanananda said:
> Dear All,
> My LG G8 is stuck in Qualcomm HS-USB QDLoader.
> I am trying to restore my G8 via the QFIL method, but I need a rawprogram.
> After extracting the KDZ via Python, I managed to get gpt.bin (for the list of gpt.bin, please find the attachment).
> By using the gpt.bin extracted from the KDZ I am not able to get the partition list.
> Can anyone guide me on the proper method to create the rawprogram & patch file to restore my phone?
Well, I think you still need the firehose unless you've got a modded so, but if you can use the Xiaomi firehose, I can't help you, sorry. I would join the V40 Telegram group and ask there (or V30).
I can create the rawprogram for you if you send me the extracted LG G8 firmware (extracted dz whole data).
If your LG G8 is completely empty (you erased everything) without a rawprogram file, you can restore it using the netmsm method on XDA.