Guys need help....I recently bought a Samsung S8 (t-mobile version) without knowing much of its history thinking it had a deeply discharged battery, but after a good 10 hrs on the charger it still won't turn on, no LEDs, no vibration, nothing, a complete black screen so it will NOT boot into recovery or download mode. However, it does seem to take a charge as the back side does get a bit warm when charged. When plugged into the PC (Win 10) it does not get recognized under My PC but I hear the USB plug-in chime and under the Device Manager, I get "Qualcomm HS-USB QDloader 9008" on COM port 3. From what I've found online, seems like I will need the original S8's complete eMMC image and load it onto the sdcard and recover it that way, even if it's possible.
Can anyone help/guide me in the proper direction? Really hoping to recover this device. This might even help others who may have or will brick their S8's. Thanks a lot in advance
taj786 said:
Guys need help....I recently bought a Samsung S8 (t-mobile version) without knowing much of its history thinking it had a deeply discharged battery, but after a good 10 hrs on the charger it still won't turn on, no LEDs, no vibration, nothing, a complete black screen so it will NOT boot into recovery or download mode. However, it does seem to take a charge as the back side does get a bit warm when charged. When plugged into the PC (Win 10) it does not get recognized under My PC but I hear the USB plug-in chime and under the Device Manager, I get "Qualcomm HS-USB QDloader 9008" on COM port 3. From what I've found online, seems like I will need the original S8's complete eMMC image and load it onto the sdcard and recover it that way, even if it's possible.
Can anyone help/guide me in the proper direction? Really hoping to recover this device. This might even help others who may have or will brick their S8's. Thanks a lot in advance
This thread may be old, but for now, the only option you have is getting a replacement. I had that Qualcomm HS-USB composite identity on my hard-bricked LG G Stylo and I couldn't do anything about it but get it replaced.
taj786 said:
Guys need help....I recently bought a Samsung S8 (t-mobile version) without knowing much of its history thinking it had a deeply discharged battery, but after a good 10 hrs on the charger it still won't turn on, no LEDs, no vibration, nothing, a complete black screen so it will NOT boot into recovery or download mode. However, it does seem to take a charge as the back side does get a bit warm when charged. When plugged into the PC (Win 10) it does not get recognized under My PC but I hear the USB plug-in chime and under the Device Manager, I get "Qualcomm HS-USB QDloader 9008" on COM port 3. From what I've found online, seems like I will need the original S8's complete eMMC image and load it onto the sdcard and recover it that way, even if it's possible.
Can anyone help/guide me in the proper direction? Really hoping to recover this device. This might even help others who may have or will brick their S8's. Thanks a lot in advance
If this is still an issue you face, PM me and I will help you unbrick the device!
TimelessPWN said:
If this is still an issue you face PM me and i will help you unbrick the device!
I'm ready to help for unbrick my S8
I have the same exact hard brick on my S8, did you guys ever figure out a solution?
TimelessPWN said:
If this is still an issue you face PM me and i will help you unbrick the device!
I have the same error, could you solve it?
Did you get it fixed? I think TimelessPWN would have used EDL mode.
mweinbach said:
did you get it fixed? I think TimelessPWN would have used EDL mode.
I have not fixed it yet, I need help.
FUBUKY said:
I have not fixed it ye, i need help.
OK. From what I am reading, you have a hard brick. That QDloader 9008 is EDL mode. The EDL files that we got from Qualcomm must be sent to you, and you have to run a Qualcomm software and apply those files through EDL. I currently have the files but I am not 100% sure how to use them. I recommend contacting https://www.facebook.com/GSMCHEN.up for help. He 100% can.
mweinbach said:
did you get it fixed? I think TimelessPWN would have used EDL mode.
FUBUKY said:
I have not fixed it ye, i need help.
mweinbach said:
ok. from what i am reading, you have a hard brick. that QDloader 9008 is EDL mode. the EDL files that we got from QUALCOMM must be sent to you, and you have to run a QUALCOMM software and apply those files through EDL. I currently have the files but I am not 100% sure how to use them. I recommend contacting for help. he 100% can.
thx man, i am retry repair.
mweinbach said:
ok. from what i am reading, you have a hard brick. that QDloader 9008 is EDL mode. the EDL files that we got from QUALCOMM must be sent to you, and you have to run a QUALCOMM software and apply those files through EDL. I currently have the files but I am not 100% sure how to use them. I recommend contacting https://www.facebook.com/GSMCHEN.up for help. he 100% can.
Do you mind sharing the files sir? I have this issue and need the files please
Regards,
.:112:.
Sent from my SM-G928T using Tapatalk
stuntman112 said:
Do you mind sharing the files sir? I have this issue and need the files please
Regards,
.:112:.
Sent from my SM-G928T using Tapatalk
I have been told not to. Sorry.
I hope soon a solution comes out, while I continue with my brick.
GSMCHEN apparently can repair them, but you have not answered my messages.
I found the files needed. Will upload a link tonight
Sent from my SM-G928T using Tapatalk
stuntman112 said:
I found the files needed. Will upload a link tonight
Sent from my SM-G928T using Tapatalk
thank you very much, I hope the link to try to unbrick my s8 +
Some of the files are in plain sight at AFH. The developer has all the required QCOM tools at the link.
Prog_UFS_Firehose_8998_ddr.elf file:
https://androidfilehost.com/?fid=961840155545585810
Notice it is UFS storage, not eMMC, so make sure you have the latest QPST software. Thanks to the developer (hazmat) for the prog file, but I believe we will need others also, such as .XMLs.
Messed around with it for a little but didn't figure it out. Hopefully this is a start to dead boot repair for the SM-G955..The Dream2 awakes..
Sent from my SM-G928T using Tapatalk
stuntman112 said:
Some of the files are in plain sight at AFH. The developer has all the required QCOM tools at the link.
Prog_UFS_Firehose_8998_ddr.elf file:
https://androidfilehost.com/?fid=961840155545585810
Notice it is UFS storage, not EMMC so make sure you have the latest QPST software. Thanks to the developer (hazmat) for the prog file but i believe we will need others also such as .XML's
Messed around with it for a little but didnt figure it out. Hopefully this is a start to dead boot repair for the SM-G955..The Dream2 awakes..
Sent from my SM-G928T using Tapatalk
without the xml files it does not help us.
I had already tried it, the xml files that it has shared (hazmat) are from xiaomi.
mweinbach said:
I have been told not to. Sorry.
That's the right thing to do,
Anyway, we have to protect these documents, right
Could not get the device unbricked. Thanks GSM CHEN for help. Possible CPU hardware problem. Seems stuck in EDL
LOG
Programmer Path:C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\prog_ufs_firehose_8998_ddr.elf
Image Search Path: C:\Users\User1\Desktop\nhlos\common\tools\emergency_download
RAWPROGRAM file path: C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\rawprogram0.xml
PATCH file path:C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\patch0.xml
Start Download
Program Path:C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\prog_ufs_firehose_8998_ddr.elf
***** Working Folder:C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11
Binary build date: Oct 31 2016 @ 22:51:05
QSAHARASERVER CALLED LIKE THIS: 'C:\Program Files (x86)\Qualcomm\QPST\bin\QSaharaServer.ex'
Current working dir: C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11
Sahara mappings:
2: amss.mbn
6: apps.mbn
8: dsp1.mbn
10: dbl.mbn
11: osbl.mbn
12: dsp2.mbn
16: efs1.mbn
17: efs2.mbn
20: efs3.mbn
21: sbl1.mbn
22: sbl2.mbn
23: rpm.mbn
25: tz.mbn
28: dsp3.mbn
29: acdb.mbn
30: wdt.mbn
31: mba.mbn
13: C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\prog_ufs_firehose_8998_ddr.elf
11:44:18: Requested ID 13, file: "C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\prog_ufs_firehose_8998_ddr.elf"
11:44:18: 599432 bytes transferred in 0.172000 seconds (3.3236MBps)
11:44:18: File transferred successfully
11:44:18: Sahara protocol completed
Sending Programmer Finished
Switch To FireHose
Wait for 3 seconds...
Max Payload Size to Target:49152 Bytes
Device Type:UFS
Platform:8x26
Disable Ack Raw Data Every N Packets
Skip Write:False
Always Validate:False
Use Verbose:False
***** Working Folder:C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11
Base Version: 16.10.28.15.28
Binary build date: Oct 31 2016 @ 22:51:02
Incremental Build version: 16.10.31.22.51.02
11:44:22: INFO: FH_LOADER WAS CALLED EXACTLY LIKE THIS
************************************************
C:\Program Files (x86)\Qualcomm\QPST\bin\fh_loader.exe --port=\\.\COM11 --sendxml=rawprogram0.xml --search_path=C:\Users\User1\Desktop\nhlos\common\tools\emergency_download --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=ufs
************************************************
11:44:22: INFO: Current working dir (cwd): C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11\
11:44:22: INFO: Showing network mappings to allow debugging
11:44:22: INFO:
11:44:22: INFO: Trying to store 'rawprogram0.xml' in string table
11:44:22: INFO: Looking for file 'rawprogram0.xml'
11:44:22: INFO: User wants to talk to port '\\.\COM11'
11:44:22: INFO: Took 0.00000000 seconds to open port
11:44:22: INFO: Sorting TAGS to ensure order is <configure>,<erase>, others, <patch>,<power>
11:44:22: INFO: If you don't want this, use --dontsorttags
11:44:22: INFO: Looking for file 'gpt_main0.bin'
11:44:22: INFO: Looking for file 'gpt_backup0.bin'
11:44:22: INFO:
Total to be tansferd with <program> or <read> is 44.00 KB
11:44:22: INFO: Sending <configure>
11:44:22: INFO: TARGET SAID: 'Binary build date: Jun 1 2017 @ 14:29:30'
11:44:22: INFO: TARGET SAID: 'Chip serial num: 4294967295 (0xffffffff)'
11:44:22: INFO: TARGET SAID: 'Supported Functions: program configure nop firmwarewrite patch setbootablestoragedrive ufs emmc power benchmark read getstorageinfo getsha256digest erase peek poke '
11:44:22: INFO: TARGET SAID: 'Calling usb_al_bulk_set_zlp_mode(TRUE) since ZlpAwareHost='1''
11:44:22: INFO: fh.attrs.MaxPayloadSizeToTargetInBytes = 1048576
11:44:22: INFO: fh.attrs.MaxPayloadSizeToTargetInBytesSupported = 1048576
11:44:22: INFO: In handleProgram('gpt_main0.bin')
11:44:22: INFO: Looking for file 'gpt_main0.bin'
11:44:22: INFO: =======================================================
11:44:22: INFO: {<program> FILE: 'C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\gpt_main0.bin'}
11:44:22: INFO: {<program> (24.00 KB) 6 sectors needed at location 0 on LUN 0}
11:44:22: INFO: =======================================================
11:44:22: INFO: TARGET SAID: 'ERROR: Failed to initialize (open whole lun) UFS Device slot 0 partition 0'
11:44:22: INFO: TARGET SAID: 'ERROR: ufs_open_error_code 0 :: 0x27c'
11:44:22: INFO: TARGET SAID: 'ERROR: last ufs_open_error_code 16 :: 0x27c'
11:44:22: INFO: TARGET SAID: 'ERROR: Failed to open the device 3 slot 0 partition 0'
11:44:22: INFO: TARGET SAID: 'INFO: Device type 3, slot 0, partition 0, error 0'
11:44:22: INFO: TARGET SAID: 'WARN: Get Info failed to open 3 slot 0, partition 0, error 0'
11:44:22: INFO: TARGET SAID: 'storage_device_get_num_partition_sectors FAILED!'
11:44:22: INFO: TARGET SAID: 'parseSectorValue could not handle start_sector value'
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
11:44:22: {ERROR: program FAILED - Please see log}
Writing log to 'C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11\port_trace.txt', might take a minute
Log is 'C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11\port_trace.txt'
Download Fail:FireHose Fail:FHLoader Fail:Process fail
Finish Download
Sent from my SM-G928T using Tapatalk
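A triage pass over a QFIL/fh_loader log like the one above, as an added example that is not part of the original post or of QPST: it records whether the Sahara stage finished, what the Firehose programmer advertised in reply to <configure>, and which "TARGET SAID" errors followed, so the stage that failed can be named. The stage labels and the function name are assumptions of this example; the sample lines are excerpted and shortened from the log above.

```python
import re

# Matches the quoted message the device-side programmer sent back.
TARGET_SAID = re.compile(r"TARGET SAID: '(.*)'\s*$")
MEMORY_NAME = re.compile(r"--memoryname=(\w+)")
STORAGE_OPEN = re.compile(r"Failed to (initialize|open)", re.IGNORECASE)

# Lines excerpted (and the fh_loader command line shortened) from the posted log.
SAMPLE_LOG = r"""
11:44:18: File transferred successfully
11:44:18: Sahara protocol completed
fh_loader.exe --port=\\.\COM11 --sendxml=rawprogram0.xml --noprompt --memoryname=ufs
11:44:22: INFO: Sending <configure>
11:44:22: INFO: TARGET SAID: 'Chip serial num: 4294967295 (0xffffffff)'
11:44:22: INFO: TARGET SAID: 'Supported Functions: program configure nop firmwarewrite patch setbootablestoragedrive ufs emmc power benchmark read getstorageinfo getsha256digest erase peek poke '
11:44:22: INFO: TARGET SAID: 'ERROR: Failed to initialize (open whole lun) UFS Device slot 0 partition 0'
11:44:22: INFO: TARGET SAID: 'ERROR: ufs_open_error_code 0 :: 0x27c'
11:44:22: INFO: TARGET SAID: 'ERROR: last ufs_open_error_code 16 :: 0x27c'
11:44:22: INFO: TARGET SAID: 'ERROR: Failed to open the device 3 slot 0 partition 0'
11:44:22: INFO: TARGET SAID: 'WARN: Get Info failed to open 3 slot 0, partition 0, error 0'
11:44:22: {ERROR: program FAILED - Please see log}
"""


def triage(log_text):
    """Summarise how far a QFIL flashing session got before it failed."""
    sahara_ok = False
    memory = None
    functions = []
    errors = []
    for line in log_text.splitlines():
        if "Sahara protocol completed" in line:
            sahara_ok = True
        mem = MEMORY_NAME.search(line)
        if mem:
            memory = mem.group(1).lower()
        said = TARGET_SAID.search(line)
        if not said:
            continue
        message = said.group(1)
        if message.startswith("Supported Functions:"):
            # The programmer answered <configure>, so Firehose is running.
            functions = message.split(":", 1)[1].split()
        elif message.startswith("ERROR:"):
            errors.append(message[len("ERROR:"):].strip())

    # Stage labels below are this example's own naming.
    if not sahara_ok:
        stage = "sahara"              # programmer never uploaded
    elif not functions:
        stage = "firehose-configure"  # programmer uploaded but did not answer
    elif any(STORAGE_OPEN.search(e) for e in errors):
        stage = "storage-open"        # programmer runs, storage will not open
    elif errors:
        stage = "firehose-command"
    else:
        stage = None
    return {
        "sahara_ok": sahara_ok,
        "memory": memory,
        "functions": functions,
        "errors": errors,
        "failed_stage": stage,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```
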
a me has not helped me yet.
Many thanks to: Android Root Team
Code:
https://github.com/AndroidRoot
Many thanks to: Jevinskie
Code:
https://github.com/jevinskie
My GitHub:
Code:
https://github.com/GeorgeMato4/nvcrypttools/tree/forN7
Required: use a Linux-based OS!!!!
First time:
To make your encrypted blob for your Tegra3 device (Nexus 7/TF201/TF300/TF700) you need another working Tegra3 device.
I am sorry for that, but I was going with the easiest possible way. I will solve this, but not now.
But if you give me the information (SBK and CPU ID), I will try to create a blob for you. And if your device is restored, please help others with the same problem.
How to get the SBK from your bricked device?
Download the source code from Jevinskie's GitHub page.
Code:
https://github.com/jevinskie/fusee-launcher
Unzip and make it. (Open a command line in the folder with the source code and type "make".)
You need to install pyusb with the command "pip install pyusb".
The device needs to be connected to USB v3.
Check that the device is in APX mode with the command "lsusb". Nvidia Corp. must be in the list.
Run this command with sudo: "./fusee-launcher.py --tty dump-sbk-via-usb.bin"
You get something like this:
Code:
05f4a5d01'
Stack snapshot: b'0000000000000000100000003c9f0040'
EndpointStatus_stack_addr: 0x40009f3c
ProcessSetupPacket SP: 0x40009f30
InnerMemcpy LR stack addr: 0x40009f20
overwrite_len: 0x00004f20
overwrite_payload_off: 0x00004de0
payload_first_length: 0x00004de0
overwrite_payload_off: 0x00004de0
payload_second_length: 0x0000c7b0
b'00a0004000300040e04d0000b0c70000'
Setting rcm msg size to 0x00030064
RCM payload (len_insecure): b'64000300'
Setting ourselves up to smash the stack...
Payload offset of intermezzo: 0x00000074
overwrite_payload_off: 0x00004de0
overwrite_len: 0x00004f20
payload_overwrite_len: 0x00004e5c
overwrite_payload_off: 0x00004de0
smash_padding: 0x00000000
overwrite_payload_off: 0x00004de0
Uploading payload...
txing 73728 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
txing 4096 bytes (20480 already sent) to buf[1] 0x40005000
txing 4096 bytes (24576 already sent) to buf[0] 0x40003000
txing 4096 bytes (28672 already sent) to buf[1] 0x40005000
txing 4096 bytes (32768 already sent) to buf[0] 0x40003000
txing 4096 bytes (36864 already sent) to buf[1] 0x40005000
txing 4096 bytes (40960 already sent) to buf[0] 0x40003000
txing 4096 bytes (45056 already sent) to buf[1] 0x40005000
txing 4096 bytes (49152 already sent) to buf[0] 0x40003000
txing 4096 bytes (53248 already sent) to buf[1] 0x40005000
txing 4096 bytes (57344 already sent) to buf[0] 0x40003000
txing 4096 bytes (61440 already sent) to buf[1] 0x40005000
txing 4096 bytes (65536 already sent) to buf[0] 0x40003000
txing 4096 bytes (69632 already sent) to buf[1] 0x40005000
txing 4096 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
Smashing the stack...
sending status request with length 0x00004f20
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!
b'4445414442454546'
DEADBEEF
b'3030303030303030'
00000000
b'3030303030303030'
00000000
b'3034303030303930'
04000090
b'4634314330433241'
F41C0C2A
b'3133333731333337'
13371337
b'3535353535353535'
55555555
b'3430303033303030'
40003000
b'3430303035303030'
40005000
b'4141414141414141'
AAAAAAAA
b'3131313131313131'
11111111
b'3030303030303236'
00000026
b'3232323232323232'
22222222
b'68656c6c6f2c20776f726c640a00'
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20' (This is SBK)
Traceback (most recent call last):
File "./fusee-launcher.py", line 823, in <module>
buf = switch.read(USB_XFER_MAX)
File "./fusee-launcher.py", line 530, in read
return self.backend.read(length)
File "./fusee-launcher.py", line 134, in read
return bytes(self.dev.read(0x81, length, 3000))
File "/usr/local/lib/python3.6/dist-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/local/lib/python3.6/dist-packages/usb/_debug.py", line 60, in do_trace
return f(*args, **named_args)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
You need these two numbers: Tegra with Device ID: b'01042c205f4a5d01
and
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'. This is not the real SBK.
The SBK has only 32 digits. Your SBK is only "e57de3bab6cb499d874d5772cb219f", and after this number come the first 8 digits of the Tegra device ID.
Congratulations, you have the SBK.
I tested dump-sbk-via-usb on a Nexus 7 and on an Asus TF300. I think this will work on other devices.
How to get the chip ID?
Download wheelie from this page:
Code:
https://github.com/AndroidRoot/androidroot.github.io/tree/master/download
and download some bad blob.bin or my blank blob.bin.
Reboot your device and connect it to your PC. Check that it is in APX mode with the command "lsusb".
With sudo, run "./wheelie --blob blob.bin".
You get the CPU ID and a 0x4 error (bad blob format).
The CPU ID format for grouper is like this: 0x15d4a5f202c0401
The chip ID is 015d4a5f202c0401.
The Tegra ID from dump-sbk-via-usb is the CPU ID, but in a bad format: 01042c205f4a5d01 vs 015d4a5f202c0401.
I have another Tegra3 device: how to build the blob?
Try my precompiled mknvfblob. Download from:
Code:
https://github.com/GeorgeMato4/nvcrypttools/tree/forN7/precompiled
precompiledN7 is for the Nexus,
precompiledCardhu is for other devices.
Type:
mkdir /AndroidRoot
cat /proc/cpuinfo > /AndroidRoot/cpuinfo
The cpuinfo file looks like this:
Code:
Processor : ARMv7 Processor rev 9 (v7l)
processor : 0
BogoMIPS : 1993.93
processor : 1
BogoMIPS : 1993.93
processor : 2
BogoMIPS : 1993.93
processor : 3
BogoMIPS : 1993.93
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
Hardware : grouper
Revision : 0000
Serial : 015d4a5f202c0401
Where Hardware is the type of chipset, which can be grouper (for Nexus 7 2012) or cardhu (for TF201/300/700), and Serial is the chip ID. Change this number to your chip ID.
Now, untar my precompiled mknvfblob.
From
Code:
https://github.com/GeorgeMato4/nvcrypttools/tree/forN7/bct
download the bct file for your device
Code:
https://github.com/GeorgeMato4/nvcrypttools/tree/forN7/bootloaders
download bootloader.xbt for your device
and put these files in the AndroidRoot folder.
If you have a working Linux on your device, type:
./mknvfblob -W -K e57de3bab6cb499d874d5772cb219f01 --blob /AndroidRoot/test.blob --bctin /AndroidRoot/testa.bct --bctr /AndroidRoot/testr.bct --bctc /AndroidRoot/testc.bct --blin /AndroidRoot/bootloader.blob.XBT --blout /AndroidRoot/test.ebt
Where: e57de3bab6cb499d874d5772cb219f01 is your SBK,
testa.bct is your bct,
bootloader.blob.XBT is your bootloader bct.
If you have Android, use the adb shell command.
How does this work?
When you use blob.bin (test.blob) with "./wheelie --blob blob.bin"
you get error 3 receiver.
But this is not a problem.
Run this command with sudo:
./nvflash --bct testr.bct --bl test.ebt --blob test.blob --go
After running this, restore the bootloader:
./nvflash --resume --download 4 bootloader.img --go
Where number 4 is the partition with the bootloader and bootloader.img is the bootloader for your device.
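How the two values in the guide above relate, as an added example (not part of the original post or of fusee-launcher): the 20-byte line printed after "hello, world" is split into the 16-byte key that is passed to mknvfblob -K and a 4-byte tail that repeats the start of the device ID, and the device ID is byte-reversed to give the chip ID that wheelie and /proc/cpuinfo show. The function names are hypothetical, and the sample text is constructed from values posted in this thread.

```python
import re

# Patterns for the two lines the guide tells the reader to pick out.
DEVICE_ID = re.compile(r"Device ID: b'([0-9a-fA-F]{16})'")
DUMP_LINE = re.compile(r"b'([0-9a-fA-F]{40})'")

# Constructed sample: the relevant lines of a launcher run, using values
# that were pasted in this thread.
SAMPLE_OUTPUT = """\
Found a Tegra with Device ID: b'1710282806495d01'
b'68656c6c6f2c20776f726c640a00'
hello, world
b'87e2b3998fc0483c86931785736d7cbe17102828'
"""


def chip_id_from_device_id(device_id_hex):
    """Byte-reverse the 8-byte device ID printed by the launcher."""
    raw = bytes.fromhex(device_id_hex)
    if len(raw) != 8:
        raise ValueError("device ID must be 16 hex digits")
    return raw[::-1].hex()


def chip_id_from_wheelie(uid):
    """wheelie prints 0x15d4... with the leading zero dropped; pad it back."""
    digits = uid.lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if not digits or len(digits) > 16 or re.search(r"[^0-9a-f]", digits):
        raise ValueError("not a 64-bit hex chip ID: %r" % uid)
    return digits.zfill(16)


def sbk_from_dump(dump_hex, device_id_hex):
    """Split the 20-byte dump into the 16-byte key and check the 4-byte tail."""
    raw = bytes.fromhex(dump_hex)
    if len(raw) != 20:
        raise ValueError("expected 20 bytes (40 hex digits)")
    sbk, tail = raw[:16], raw[16:]
    # The tail must repeat the first 4 bytes of the device ID; if it does
    # not, the wrong line was copied or the dump is truncated.
    if tail != bytes.fromhex(device_id_hex)[:4]:
        raise ValueError("tail does not repeat the device ID")
    return sbk.hex()


def parse_launcher_output(text):
    """Return the key and chip ID found in a pasted launcher run."""
    dev = DEVICE_ID.search(text)
    if dev is None:
        raise ValueError("no 'Device ID' line found")
    dumps = DUMP_LINE.findall(text)
    if len(dumps) != 1:
        raise ValueError("expected exactly one 40-digit dump line")
    device_id = dev.group(1).lower()
    return {
        "sbk": sbk_from_dump(dumps[0], device_id),
        "chip_id": chip_id_from_device_id(device_id),
    }


if __name__ == "__main__":
    print(parse_launcher_output(SAMPLE_OUTPUT))
```
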
Helppp, im keep getting this problem
log:
Code:
Traceback (most recent call last):
File "./fusee-launcher.py", line 692, in <module>
pid=arguments.pid, os_override=arguments.platform, override_checks=arguments.skip_checks)
File "./fusee-launcher.py", line 490, in __init__
self.dev = self._find_device(vid, pid)
File "./fusee-launcher.py", line 526, in _find_device
return self.backend.find_device(vid, pid)
File "./fusee-launcher.py", line 156, in find_device
import usb
ImportError: No module named 'usb'
edit: nvm fix it
when i do "lsusb" it show nothing, help!
edit: nvm fix this too
enderzip said:
when i do "lsusb" it show nothing, help!
Does lsusb show "command not found"?
Then try the command sudo apt-get install usbutils
and try lsusb again.
or
Is Nvidia Corp not in the list?
Then you did not start in APX mode.
Power button + volume up.
or
Did you install pyusb with the command: pip install pyusb?
Try the command: pip3 install pyusb.
Jirmd said:
lsusb show command not found ?
Then try command sudo apt-get install usbutils
and try lsusb again
or
Nvidia Corp is not in list ?
Then you not start on apx mode.
power button + volume up.
or
Do you install pyusb with command : pip install pyusb ?
try use command: pip3 install pyusb.
"pip3 install pyusb" didn't work. This is all it shows:
Code:
fusee-launcher-n7$: lsusb
fusee-launcher-n7$:
What OS are you using to unbrick Tegra 3? Linux or Windows?
edit: fix it
OK, after spending a day trying to dump the SBK, I finally did it.
First, you need to have Ubuntu. WINDOWS WILL NOT WORK. Make a bootable Ubuntu USB and live boot it or install it.
Second, open a terminal inside of the fusee-launcher-n7 folder.
Thirdly, type: sudo apt-get install python-usb python3-usb. If it says it can't locate the package, open Software and Update and check the first 4 boxes.
Lastly, type: pip install pyusb
After that, type: sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin and you are good to go.
enderzip said:
ok after spending a day trying to dump sbk, i finnaly did it.
First, you need to have ubuntu. WINDOWS WILL NOT WORK. Make a bootable ubuntu usb and live boot it or install it
Second, open temernial inside of the fusee-launcher-n7 folder
Thirdly, type: sudo apt-get install python-usb python3-usb. If it say cant locate package, open Software and Update and check the 4 first box
Lastly, type: pip install pyusb
After that, type: sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin and you are good to go
I'm so sorry, I forgot to write this first. I have used Debian-based OSes for more than 10 years. I forgot that something like Windows exists.
I will edit my first post.
I'm not getting error 3 receiver in nvflash, it's just stuck at sending file 100%
but my Nexus 7 displays a GOOGLE LOGO!!! with the "battery is too low" text in the upper left corner
idk what to do next
am I supposed to use the ./nvflash.exe command instead of the wheelie.exe one?
your guide is so confusing
---------- Post added at 04:38 AM ---------- Previous post was at 04:25 AM ----------
now I'm stuck on "waiting for bootloader to initialize" after the ./nvflash --bct command
Code:
[email protected]:/mnt/c/Users/EnderZip/Desktop/Nexus 7 recovery stuffs/ehr$ sudo ./nvflash.exe --bct testr.bct --bl test.ebt --blob test.blob --go
[sudo] password for enderzip:
Nvflash v1.13.87205 started
Using blob v1.13.00000ommon½╣·┌√¬
chip uid from BR is: 0x0000000000000000015d2bc2ad43f602
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d2bc2ad43f602
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 1
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
I wrote something about error 3 in wheelie for people who want to start nvflash sessions with wheelie (like an nvflash preloader). This is meant for people who know the guide for wheelie and nvflash from the AndroidRoot team. But as I see, it is not a really good idea. If you want, write your own nvflash guide.
Jirmd said:
I write something about error 3 on wheelie, for people, who want start nvflash sessions with wheelie (like nvflash preloader) . This mean for people who know quide for wheelie and nvflash from AndroidRoot team. But how i see, it is not real good idea. If you want, write your own nvflash guide.
what? so im meant to get that error 3?
Hello @Jirmd, I have an issue with your post... It is very well explained, but I cannot create the blob.bin for my 32GB Nexus 7, because I do not have a working Tegra to get the cat /proc/cpuinfo, and I cannot run the mknvfblob command; it gives me an error that it cannot execute, maybe because I am missing some files, like the test.blob testa.blob testr.blob. If I paste you the SBK and CPU ID, will you please create a blob for my N7?
Found a Tegra with Device ID: b'1710282806495d01'
Hello World
b'87e2b3998fc0483c86931785736d7cbe17102828'
SBK 87e2b3998fc0483c86931785736d7cbe
CHIP ID 015d490628281017
Paste you this completely so I make sure it is correct.
Many Thanks
in list Nvidia corp.
Run Command on
sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
Invalid payload path specified!
help me...
Enplat said:
in list Nvidia corp.
Run Command on
sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
Invalid payload path specified!
help me...
You need to download the COMPLETE fusee launcher from github. Install python 3 via adb. Run the make command. Then install the pip command thingy. And run the command sudo ./fusee...bla...bla from the folder where fusee is located on your system.
The_Pacifier said:
You need to download the COMPLETE fusee launcher from github. Install python 3 via adb. Run the make command. Then install the pip command thingy. And run the command sudo ./fusee...bla...bla from the folder where fusee is located on your system.
Code:
[email protected]:~/Downloads/fusee-launcher-n7$ sudo apt-get install python-usb python3-usb
[sudo] password for enplat:
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-usb is already the newest version (1.0.0-1).
python3-usb is already the newest version (1.0.0-1).
0 to upgrade, 0 to newly install, 0 to remove and 42 not to upgrade.
[email protected]:~/Downloads/fusee-launcher-n7$ pip install pyusb
Collecting pyusb
Installing collected packages: pyusb
Successfully installed pyusb-1.0.2
[email protected]:~/Downloads/fusee-launcher-n7$ lsusb
Bus 001 Device 004: ID 058f:6361 Alcor Micro Corp. Multimedia Card Reader
Bus 001 Device 003: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy (MTP)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 002: ID 0a5f:0157 Zebra
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 004: ID 04b4:0510 Cypress Semiconductor Corp.
Bus 004 Device 019: ID 0955:7330 NVidia Corp.
Bus 004 Device 003: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 004 Device 002: ID 04a9:2737 Canon, Inc. MF4410
Bus 004 Device 012: ID 058f:6362 Alcor Micro Corp. Flash Card Reader/Writer
Bus 004 Device 008: ID 045e:07a5 Microsoft Corp. Wireless Receiver 1461C
Bus 004 Device 011: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
Bus 004 Device 009: ID 1516:8628 CompUSA Pen Drive
Bus 004 Device 006: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
[email protected]:~/Downloads/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
Invalid payload path specified!
[email protected]:~/Downloads/fusee-launcher-n7$
I already did it.....
Enplat said:
Code:
[email protected]:~/Downloads/fusee-launcher-n7$ sudo apt-get install python-usb python3-usb
[sudo] password for enplat:
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-usb is already the newest version (1.0.0-1).
python3-usb is already the newest version (1.0.0-1).
0 to upgrade, 0 to newly install, 0 to remove and 42 not to upgrade.
[email protected]:~/Downloads/fusee-launcher-n7$ pip install pyusb
Collecting pyusb
Installing collected packages: pyusb
Successfully installed pyusb-1.0.2
[email protected]:~/Downloads/fusee-launcher-n7$ lsusb
Bus 001 Device 004: ID 058f:6361 Alcor Micro Corp. Multimedia Card Reader
Bus 001 Device 003: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy (MTP)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 002: ID 0a5f:0157 Zebra
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 004: ID 04b4:0510 Cypress Semiconductor Corp.
Bus 004 Device 019: ID 0955:7330 NVidia Corp.
Bus 004 Device 003: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 004 Device 002: ID 04a9:2737 Canon, Inc. MF4410
Bus 004 Device 012: ID 058f:6362 Alcor Micro Corp. Flash Card Reader/Writer
Bus 004 Device 008: ID 045e:07a5 Microsoft Corp. Wireless Receiver 1461C
Bus 004 Device 011: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
Bus 004 Device 009: ID 1516:8628 CompUSA Pen Drive
Bus 004 Device 006: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
[email protected]:~/Downloads/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
Invalid payload path specified!
[email protected]:~/Downloads/fusee-launcher-n7$
I already did it.....
[email protected]:/mnt/c/Users/EnderZip/Desktop/nexus 7 stuff lol/Nexus 7 recovery stuffs/fusee-launcher-n7/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
2020-04-11 16:44:07,350 INFO:usb.core:find(): using backend "usb.backend.libusb1"
No TegraRCM device found?
check for the dump-sbk-via-usb.bin file inside of your fusee-launcher folder
if there is no dump-sbk-via-usb.bin file inside of your folder, open a terminal inside of that folder then type: make
after done that type : pip install pyusb
then: sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
and that might gonna solve your problem
I was going to say the same as Enderzip, I do not see the make command. You just need to type make in the fusee folder, just the word make alone. Be sure you download ALL the folder from GitHub, by just hitting the green Download button.
I am really sorry.
1. On GitHub, I downloaded it and extracted it. (by just hitting the green Download button)
2. I ran the terminal from that folder and entered the make command
[email protected]:~/Downloads/fusee-launcher-n7$ make
arm-none-eabi-gcc -mtune=arm7tdmi -mlittle-endian -fno-stack-protector -fno-common -fno-builtin -ffreestanding -std=gnu99 -Werror -Wall -Wno-error=unused-function -fomit-frame-pointer -g -Os -DENTRY_POINT_ADDRESS=0x4000A000 intermezzo.S -c -o intermezzo.o
make: arm-none-eabi-gcc: Command not found
Makefile:38: recipe for target 'intermezzo.o' failed
make: *** [intermezzo.o] Error 127
Am I doing something wrong?
I say thank you.....
Enplat said:
I am really sorry.
1. On GitHub, I downloaded it and extracted it. (by just hitting the green Download button)
2. I ran the terminal from that folder and entered the make command
[email protected]:~/Downloads/fusee-launcher-n7$ make
arm-none-eabi-gcc -mtune=arm7tdmi -mlittle-endian -fno-stack-protector -fno-common -fno-builtin -ffreestanding -std=gnu99 -Werror -Wall -Wno-error=unused-function -fomit-frame-pointer -g -Os -DENTRY_POINT_ADDRESS=0x4000A000 intermezzo.S -c -o intermezzo.o
make: arm-none-eabi-gcc: Command not found
Makefile:38: recipe for target 'intermezzo.o' failed
make: *** [intermezzo.o] Error 127
Am I doing something wrong?
I say thank you.....
Try my already made fusee-launcher
You may have to install pip using: pip install pyusb
enderzip said:
Try my already made fusee-launcher
You may have to install pip using: pip install pyusb
Thank you, enderzip. I'm back from the hospital now, so I will solve your request for the encrypted blob. Please send me your email address by PM. enderzip will write a new tutorial for the unbrick.
Thanks to @Jirmd for letting me use his post as a reference.
Original post: https://forum.xda-developers.com/nexus-7/general/unbrick-nexus-7-tegra-3-device-t4078627
Alternative Method:
1. https://github.com/tofurky/tegra30_debrick
2. https://forum.xda-developers.com/t/...-without-another-n7-or-tegra30-device.4305955
(Both methods do not require another Nexus 7)
Requirements:
1. Linux-based OS (I use Ubuntu 18.04)
2. NvFlash and Wheelie (You can download the Linux version down below)
3. A USB cable (A good and sturdy one)
4. Nerves of steel lol
5. Must have APX driver installed.
6. Another Nexus 7 (Ask someone who has one or ask me) (MUST BE ROOTED AND HAVE TWRP RECOVERY INSTALLED)
7. ADB (platform-tools)
1. DUMP SBK VIA USB
Step 1: Download fusee-launcher for Nexus 7 from this link and extract it to a folder:
http://www.mediafire.com/file/sgwsa79idk24z8u/fusee-launcher-n7.zip/file
Step 2: Open a terminal inside of the folder then type:
Code:
sudo apt-get install python-usb python3-usb
Wait for it to complete. After that, type:
Code:
pip install pyusb
Step 3: Connect your device to a USB 3.0 port (REQUIRED). You can check for connection using "lsusb". There must be a "NVidia Corp" in the list.
Step 4: Type:
Code:
sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
Something like this should appear:
Code:
05f4a5d01'
Stack snapshot: b'0000000000000000100000003c9f0040'
EndpointStatus_stack_addr: 0x40009f3c
ProcessSetupPacket SP: 0x40009f30
InnerMemcpy LR stack addr: 0x40009f20
overwrite_len: 0x00004f20
overwrite_payload_off: 0x00004de0
payload_first_length: 0x00004de0
overwrite_payload_off: 0x00004de0
payload_second_length: 0x0000c7b0
b'00a0004000300040e04d0000b0c70000'
Setting rcm msg size to 0x00030064
RCM payload (len_insecure): b'64000300'
Setting ourselves up to smash the stack...
Payload offset of intermezzo: 0x00000074
overwrite_payload_off: 0x00004de0
overwrite_len: 0x00004f20
payload_overwrite_len: 0x00004e5c
overwrite_payload_off: 0x00004de0
smash_padding: 0x00000000
overwrite_payload_off: 0x00004de0
Uploading payload...
txing 73728 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
txing 4096 bytes (20480 already sent) to buf[1] 0x40005000
txing 4096 bytes (24576 already sent) to buf[0] 0x40003000
txing 4096 bytes (28672 already sent) to buf[1] 0x40005000
txing 4096 bytes (32768 already sent) to buf[0] 0x40003000
txing 4096 bytes (36864 already sent) to buf[1] 0x40005000
txing 4096 bytes (40960 already sent) to buf[0] 0x40003000
txing 4096 bytes (45056 already sent) to buf[1] 0x40005000
txing 4096 bytes (49152 already sent) to buf[0] 0x40003000
txing 4096 bytes (53248 already sent) to buf[1] 0x40005000
txing 4096 bytes (57344 already sent) to buf[0] 0x40003000
txing 4096 bytes (61440 already sent) to buf[1] 0x40005000
txing 4096 bytes (65536 already sent) to buf[0] 0x40003000
txing 4096 bytes (69632 already sent) to buf[1] 0x40005000
txing 4096 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
Smashing the stack...
sending status request with length 0x00004f20
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!
b'4445414442454546'
DEADBEEF
b'3030303030303030'
00000000
b'3030303030303030'
00000000
b'3034303030303930'
04000090
b'4634314330433241'
F41C0C2A
b'3133333731333337'
13371337
b'3535353535353535'
55555555
b'3430303033303030'
40003000
b'3430303035303030'
40005000
b'4141414141414141'
AAAAAAAA
b'3131313131313131'
11111111
b'3030303030303236'
00000026
b'3232323232323232'
22222222
b'68656c6c6f2c20776f726c640a00'
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
Traceback (most recent call last):
File "./fusee-launcher.py", line 823, in <module>
buf = switch.read(USB_XFER_MAX)
File "./fusee-launcher.py", line 530, in read
return self.backend.read(length)
File "./fusee-launcher.py", line 134, in read
return bytes(self.dev.read(0x81, length, 3000))
File "/usr/local/lib/python3.6/dist-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/local/lib/python3.6/dist-packages/usb/_debug.py", line 60, in do_trace
return f(*args, **named_args)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Search for the line "hello, world" inside of your log. It looks like this in this example:
Code:
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
The last 8 characters are not your SBK. This is the first 8 numbers of your Device ID. Delete this and delete the b' at the start and also the ' at the end.
The result should look like this:
Code:
e57de3bab6cb499d874d5772cb219f01
Congratulations, you have successfully dumped your device's SBK via USB.
2. GETTING YOUR CPU UID
Step 1: Download Wheelie and NvFlash then extract it to a folder.
Step 2: Download this broken blob.bin file (REQUIRED)
http://www.mediafire.com/file/32cxvjv2wajokqf/blob.bin/file
Then place it inside of the Wheelie and NvFlash folder.
Step 3: Open a terminal inside of the folder then type:
Code:
./wheelie --blob blob.bin
After that, something like this should appear:
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
[=] Chip UID: 0x98254853062001158
[-] Incorrect SBK or SBK type selected. nverror: 0x4.
Search for "Chip UID", remove the "0x" at the beginning. The result should look like this:
Code:
98254853062001158
Congratulations, you got your chip UID.
3. GENERATE BLOB FILES USING ANOTHER NEXUS 7
Step 1: Download MkNvfBlob from this link:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/precompiled/precompiledN7.tar.xz
Note: Extract this to your Nexus 7.
Step 1.1: Reboot into TWRP recovery.
Step 2: Open a terminal inside of your ADB folder then type:
Code:
adb shell
After that:
Code:
su
Type this command after that:
Code:
mkdir /AndroidRoot
Last one:
Code:
cat /proc/cpuinfo > /AndroidRoot/cpuinfo
Pull the cpuinfo file using this command:
Code:
adb pull /AndroidRoot
Note: You could copy your cpuinfo file to your PC using MTP (IDK how to do this so search Google lol)
Open your ADB folder and there should be an AndroidRoot folder with a cpuinfo file inside of it.
Open cpuinfo using a Text Editor. Something like this should be inside:
Code:
Processor : ARMv7 Processor rev 9 (v7l)
processor : 0
BogoMIPS : 1993.93
processor : 1
BogoMIPS : 1993.93
processor : 2
BogoMIPS : 1993.93
processor : 3
BogoMIPS : 1993.93
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
Hardware : grouper
Revision : 0000
Serial : 015d4a5f202c0401
Replace the Serial line with your Chip UID.
After that, place the cpuinfo file back to the /AndroidRoot folder on your device using this command:
Code:
adb push AndroidRoot /
After you are done, don't close the ADB window.
Step 3: Download bootloader.xbt:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bootloaders/bootloader.grouper.XBT
And BCT for your device:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bct/n7.bct
And copy these two files to the /AndroidRoot folder on your device.
Step 4: Type this command in the ADB window:
Code:
cd /AndroidRoot
After that, type:
Code:
chmod 777 ./mknvfblob
After that, type:
Code:
./mknvfblob -W -K <your SBK> --blob /AndroidRoot/test.blob --bctin /AndroidRoot/n7.bct --bctr /AndroidRoot/testr.bct --bctc /AndroidRoot/testc.bct --blin /AndroidRoot/bootloader.grouper.XBT --blout /AndroidRoot/test.ebt
Wait for it to do its job.
After that, go to your /AndroidRoot folder and copy all the files that just got generated (testr.bct, testc.bct, test.ebt, test.blob) to your PC using the adb pull command from Step 2.
Congratulations, you have successfully generated the blob files for your bricked device.
4. UNBRICK YOUR DEVICE (The fun part)
Step 1: Boot your bricked device into APX mode either using Power button or Power + Vol UP.
Step 2: Open a terminal inside of the folder where you place your NvFlash folder (move the blob file inside of that folder, all of them)
Step 3: Open a terminal inside of your Wheelie and NvFlash folder. Type:
Code:
sudo ./nvflash --bl test.ebt --bct testr.bct --blob test.blob
If you got this command:
Code:
command error: no command found
Then try this one instead:
Code:
./nvflash --setbct --create --configfile <your flash.cfg> --bl test.ebt --bct testr.bct --blob test.blob
If you got the NvError, it's fine.
Something like this should appear (the first command):
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d2bc285340e0f
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d2bc285340e0f
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: recovery.bct
- 6128/6128 bytes sent
recovery.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.ebt
- 2146912/2146912 bytes sent
bootloader.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
A Google Logo should appear on your device screen with the text "Battery is too low" on the upper left corner. Unplug the battery and replug it. After that, plug it into a wall charger for at least 4 hours.
Step 4: Unplug the battery and boot into APX mode again using the button combination.
Step 5: Type this command while holding down the Vol DOWN button:
Code:
sudo ./nvflash --resume --download 8 boot.img
Replace "boot.img" with your ROM boot.img file. If you download another boot.img that isn't for your ROM, your device will bootloop.
Step 6:
Type:
Code:
sudo ./nvflash --resume --download 4 bootloader.img
Replace "bootloader.img" with your bootloader.img file name (You could get it inside of the Factory Image)
And after it's done, your device should technically be unbricked now. But I still recommend you re-flash stock ROM.
Step 7: The final step
Boot into your OS using the command below:
Code:
sudo ./nvflash --resume --go
If your device boots back into APX mode, maybe you have done something wrong. Try again.
If you got a Google logo on your device then congratulations! Your device is now unbricked.
Note: If step 7 didn't work, try booting this recovery image using this command:
Code:
fastboot boot flatline_grouper.img
Link for the recovery image is in the "Links" section.
Note: To get into Fastboot, add the "--go" line at the end of the command in Step 5
Code:
sudo ./nvflash --resume --download 8 boot.img --go
HOLD DOWN VOL DOWN while doing this command, you should get into fastboot at
After you are in the Flatline recovery, navigate to the "Advanced" section using the VOL buttons. Select it using the POWER button.
Select the "wheelie" at the end of the list.
Select "I agree".
After that, select "Step 1: Flash AndroidRoot.mobi custom bootloader." IGNORE Step 2 because it isn't going to work anyway.
Your device should reboot and the Google logo should appear, that means that your device is unbricked.
Note: If you wanted to flash stock ROM, open the "image-*******.zip" inside of the factory image and open the android-info.txt file. Edit the "require-bootloader" line to "4.13". After that, it should work.
Links:
flash.cfg: http://www.mediafire.com/file/j90hc1dfz58aytq/flashcfg.zip/file
flatline_grouper.img: https://www.mediafire.com/file/z1jvgy6km33f7bf/flatline_grouper.img/file
Wheelie, NvFlash and platform-tools (For ADB) (Works for both Linux and Windows): https://www.mediafire.com/file/0nuy4indgvagq3v/nvflash-and-platformtool.zip/file
Download the Factory Image for your Nexus 7 in case you want to re-flash stock ROM (nakasi or nakasig): https://developers.google.com/android/images#nakasi
That's it. If you need any help, message me.
Update: After a few days of troubleshooting, fixing and updating my post, it seems like the steps to unbrick your Nexus 7 2012 may depend on how you bricked it, what OS version you are running or the condition of your device. So you may have to "think outside the box" sometimes in this guide.
Update #2: Some helpful advice from @Jirmd with some minor changes:
When you get this error :
Code:
Nvflash v1.10.76762 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d4a5f202c0401
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d4a5f202c0401
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 2
device config fuse: 17
sdram config strap: 1
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
after this command :
Code:
./nvflash --configfile flash.cfg --create --bct testr.bct --setbct --bl test.ebt --blob test.blob --sync
Probably you have broken your internal storage!
You can probably flash:
Bootloader image (bootloader.img)
Kernel image (boot.img)
Recovery image (recovery.img aka TWRP)
But you CAN'T flash a new system via TWRP or fastboot, because the bootloader or the recovery was unable to connect to the partitions table.
You can try this command to erase bad blocks:
Code:
./nvflash --resume --configfile flash.cfg --obliterate
Reboot to APX mode and try the above command again.
But, broken internal storage is pretty much unrepairable.
There is some possibility of disassembling your device and overheating your memory IC, but this method is not easy and needs more technical skill.
And in my case this did not help.
In my case, this command also gives me the nverror 0x4 but it also did something to my Nexus 7 as it was required for the next step.
Update #3: Updated the guide and removed some unnecessary steps.
Update #4: Updated.
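The hand edits in parts 1 to 3 of the guide above (trimming the line after "hello, world", stripping the 0x from the Chip UID, swapping the Serial value in cpuinfo), as an added Python example that is not part of the original post or of fusee-launcher or Wheelie. The function names are hypothetical, the sample text is copied from the guide's own example output, and keeping the "Serial :" key while replacing only its value is an assumption.

```python
import re

# Sample text copied from the guide's example output (not from a real run here).
FUSEE_LOG = """\
b'68656c6c6f2c20776f726c640a00'
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
Traceback (most recent call last):
"""

WHEELIE_OUT = """\
Wheelie 0.1 - Preflight for nvflash.
[=] Chip UID: 0x98254853062001158
[-] Incorrect SBK or SBK type selected. nverror: 0x4.
"""

CPUINFO = """\
Hardware : grouper
Revision : 0000
Serial : 015d4a5f202c0401
"""

SBK_HEX_LEN = 32        # characters the guide keeps
DEVICE_ID_HEX_LEN = 8   # trailing characters the guide says to delete

_BYTES_REPR = re.compile(r"b'([0-9a-fA-F]+)'")
_CHIP_UID = re.compile(r"Chip UID:\s*0x([0-9a-fA-F]+)")
# [ \t]* instead of \s* so the match can never spill onto the next line.
_SERIAL = re.compile(r"^(Serial[ \t]*:[ \t]*)\S+[ \t]*$", re.MULTILINE)


def extract_sbk(log_text):
    """Return the SBK hex string from a fusee-launcher log.

    Takes the first non-empty line after "hello, world", removes the b'...'
    wrapper and drops the trailing device-ID characters. The SBK is a
    per-device secret, so keep logs that contain it private.
    """
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if line != "hello, world":
            continue
        following = next((ln for ln in lines[i + 1:] if ln), None)
        if following is None:
            raise ValueError("log ends right after the 'hello, world' marker")
        match = _BYTES_REPR.fullmatch(following)
        if match is None:
            # Typical when the USB read timed out before the dump was printed.
            raise ValueError("line after marker is not a b'<hex>' dump: %r" % following)
        dump = match.group(1).lower()
        expected = SBK_HEX_LEN + DEVICE_ID_HEX_LEN
        if len(dump) != expected:
            raise ValueError("expected %d hex chars, got %d" % (expected, len(dump)))
        return dump[:SBK_HEX_LEN]
    raise ValueError("'hello, world' marker not found in log")


def extract_chip_uid(wheelie_text):
    """Return the Chip UID printed by wheelie, without the leading 0x."""
    match = _CHIP_UID.search(wheelie_text)
    if match is None:
        raise ValueError("no 'Chip UID: 0x...' line in wheelie output")
    return match.group(1)


def patch_cpuinfo_serial(cpuinfo_text, chip_uid):
    """Return cpuinfo text with the value of its single Serial line replaced."""
    if not re.fullmatch(r"[0-9a-fA-F]+", chip_uid):
        raise ValueError("chip UID must be bare hex without 0x: %r" % chip_uid)
    patched, count = _SERIAL.subn(lambda m: m.group(1) + chip_uid, cpuinfo_text)
    if count != 1:
        raise ValueError("expected exactly one Serial line, found %d" % count)
    return patched


if __name__ == "__main__":
    uid = extract_chip_uid(WHEELIE_OUT)
    print("SBK      :", extract_sbk(FUSEE_LOG))
    print("Chip UID :", uid)
    print(patch_cpuinfo_serial(CPUINFO, uid), end="")
```

The length check catches the most common copy mistake, which is leaving the device-ID characters on the end of the value passed to mknvfblob -K.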
Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.
Hello Enderzip,
Thank you so much for this very good and detailed tutorial.
I followed your instructions cautiously but I am blocked at step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect the Android system partition is read-only but I don't know how to change it.
I would appreciate your clever support.
Thank you in advance.
Sent from my Nexus 4 using Tapatalk
zak4 said:
Hello Enderzip,
Thank you so much for this very good and detailed tutorial.
I followed your instructions cautiously but I am blocked at step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect the Android system partition is read-only but I don't know how to change it.
I would appreciate your clever support.
Thank you in advance.
Sent from my Nexus 4 using Tapatalk
You could manually create the folder if you have root, by using one of the root file explorers on the Google Play Store.
I recommend using this one: https://play.google.com/store/apps/details?id=com.clearvisions.explorer
Open the app then go to the root section and create a new folder named: AndroidRoot
And you are good to go.
If the above method didn't work, type these commands one by one:
Code:
adb shell
su
mount -o rw,remount /system
You can mount your /system back to Read-Only using this command:
Code:
mount -o ro,remount /system
GedBlake said:
Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.
Yes, I have successfully unbricked my Nexus 7 WITHOUT any type of blob file I have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
Deleted.
@enderzip
Thank you Enderzip. I succeeded in creating AndroidRoot with the command for write permission on system.
I have another issue about extraction of the SBK of my bricked Nexus 7. I prepared everything (download of fusee-launcher, pyusb installation ...), checked connection of my device through APX (see below) but when I type sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin I got:
[email protected]:~/Downloads/fusee-launcher-n7$ lsusb
Bus 002 Device 096: ID 058f:6362 Alcor Micro Corp. Flash Card Reader/Writer
Bus 002 Device 061: ID 0955:7330 NVIDIA Corp.
Bus 002 Device 004: ID 046d:0805 Logitech, Inc. Webcam C300
Bus 002 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
...
[email protected]:~/Downloads/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
sudo: ./fusee-launcher.py : command not found
Sorry to be blocked again.
@enderzip
I found a solution to my issue by allowing the "execution of the file as program" in the permissions of fusee-launcher.py file.
Fusee-launcher started but quickly stopped before application stack dumping: the message delivered by fusee-launcher is to use USB 3.0, and I realized that I have only USB 2.0 on my old desktop computer.
Does someone know how to patch the EHCI driver? Is it a possible solution?
Thanks for your advice.
enderzip said:
Yes, I have successfully unbricked my Nexus 7 WITHOUT any type of blob file I have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
enderzip, wow, you are so good and cool. I am totally glad for this, for how you made your tutorial. And we must give thanks to the AndroidRoot team and Jenkinsen. Without these people, we would all have only paperweights.
Now, I will try to make my modded mknvfblob work standalone, without Tegra 3, only on a Linux x86 PC.
And I will try to make a tutorial for the Nexus 7 on how to boot Linux from USB, without multiboot (for the case when your internal storage is totally, irreparably damaged).
Deleted.
Thank you Enderzip. I will follow your advice and buy a USB 3.0 PCI Express card and try later.
Again many thanks to you and Jirmd for your tutorial that will enable us to revive our bricked Nexus 7.
Sent from my Nexus 4 using Tapatalk
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
gormatrax said:
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
The boot.img is inside the .zip inside of the factory image. I think the name is "image-nz---.zip"
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, I get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
What should I do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashing the images (blobs), both the ones generated by you and the ones generated by me, the following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen
gormatrax said:
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, I get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
What should I do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
In this case, use this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
enderzip said:
In this case, use this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
gormatrax said:
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
Hmm, have you tried switching the USB port? Maybe the USB cable too.
steffenm82 said:
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashing the images (blobs), both the ones generated by you and the ones generated by me, the following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen
Sorry for my late reply, in this case, try skipping to the next step.
I must say that @enderzip's guide got my Nexus 7 back on its feet despite not having previously generated blobs. After some days of research and some nights via PM and FB messenger he managed to bring my Nexus back on. So yes, @GedBlake, he managed to unbrick a Nexus 7 with no previously generated blobs. But the mentor of this tutorial was @Jirmd. In addition, thanks to these 2 wonderful persons who got my Nexus 7 back to its golden years!!!
Read this whole guide before starting.
This is for the 3rd gen Fire TV Stick (sheldonp) and Fire TV Stick Lite (sheldon).
NOTE: FireOS < 7.2.7.3 required
NOTE: This process does not require you to open your device.
What you need:
A Linux installation or live-system
A micro-USB cable
Install python3, PySerial, PyUSB, adb, fastboot. For Debian/Ubuntu something like this should work:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial python3-usb adb fastboot dos2unix
Make sure ModemManager is disabled or uninstalled:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)
1. Extract the attached zip-file "kamakiri-sheldon-1.0.zip" and open a terminal in that directory.
2. Start the script:
sudo ./bootrom-step.sh
It should now say Waiting for device.
3. Plug in the stick (powered off) and wait for the script to finish.
If it fails at some point, stop it and restart the process from step 2.
4. Your device should now reboot into unlocked fastboot state.
5. Run:
./fastboot-step.sh
6. Wait for the device to reboot into TWRP.
7. Use TWRP to flash custom ROMs, Magisk etc.
NOTE: Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit, your device will likely not boot anymore (unless you flashed a signed image). TWRP will patch recovery/boot-images on the fly.
NOTE: NEVER erase Preloader, otherwise you’ll hard brick the device and you won’t be able to unbrick it (since bootrom isn’t accessible).
Important information
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
special thanks to @Sus_i for all the testing and support.
Contributors
@xyz`
@k4y0z
@Rortiz2
@t0x1cSH
reserved
Great work guys !
It works, thank you very much for your work, now let's see if I can flash a ROM (tried the Lineage 18.1 but TWRP says it's corrupted )
Edit
Solved, turns out the Ubuntu live CD corrupted the zip file when transferring it, tried transferring it again this time via FTP and it works now.
Excellent Work again fellas.. Nice and simple exploit without having to open the device and short. This is top notch development and lets us have a chance to get rid of the amazon junk on these devices .
Thank you for your time devoted on these devices it is really appreciated @k4y0z @Rortiz2 @xyz`
@t0x1cSH
Regards
Thanks for unlocking the firetv stick 3. I was trying to unlock my stick 3 lite however, I'm getting stuck at step 2 .
Now I'm getting the white firetv screen with Hacked Fastboot mode: at the bottom left of the screen. I tried to run bootrom multiple times with the same results. Thanks
[[email protected] ~/Desktop/kamakiri-sheldon-1.0/kamakiri]# ./fastboot-step.sh
fastboot: core/libsparse/sparse.cpp:131: int write_all_blocks(struct sparse_file *, struct output_file *): Assertion `pad >= 0' failed.
./fastboot-step.sh: line 5: 1850 Aborted (core dumped) fastboot flash recovery bin/twrp.img
I tried another linux computer and it works now. I had to install the usb module below too.
All is well now. Thanks again
[email protected]:~/Desktop/stick_3/kamakiri$ sudo ./bootrom-step.sh
Traceback (most recent call last):
File "main.py", line 8, in <module>
from load_payload import load_payload, load_pl_payload
File "/home/dell/Desktop/stick_3/kamakiri/modules/load_payload.py", line 9, in <module>
import usb.core
ModuleNotFoundError: No module named 'usb'
sudo apt-get update
sudo apt-get install python-usb python3-usb
sudo apt-get install python-pip
sudo pip install pyusb
Installed pyusb, still: 'ImportError: no module named core'
On my Raspberry Pi I installed libusb and pyusb via sudo apt-get install libusb-dev python-usb. But running some Python code (pyrow, to read data from a rowing machine) gives me this error at impo...
raspberrypi.stackexchange.com
navin23 said:
Thanks for unlocking the firetv stick 3. I was trying to unlock my stick 3 lite however, I'm getting stuck at step 2 .
Now I'm getting the white firetv screen with Hacked Fastboot mode: at the bottom left of the screen. I tried to run bootrom multiple times with the same results. Thanks
[[email protected] ~/Desktop/kamakiri-sheldon-1.0/kamakiri]# ./fastboot-step.sh
fastboot: core/libsparse/sparse.cpp:131: int write_all_blocks(struct sparse_file *, struct output_file *): Assertion `pad >= 0' failed.
./fastboot-step.sh: line 5: 1850 Aborted (core dumped) fastboot flash recovery bin/twrp.img
I know it's too late, since you're already done
but if anyone gets 'Assertion `pad >= 0' failed', the fastboot package needs an update. Connect to the network and run this in a terminal:
Code:
pacman -Sy fastboot
Worked great and a great surprise to see this, thought it'd never happen! Had to install pyusb as well and need to get an OTG connector but managed to root my sheldon stick.
Any recommendations, links etc.? I've never had the chance to play with a rooted Fire stick and resources seem quite thin since it's Fire os7. I'm hoping for a magisk module of google apps like the one for FireOS 6 arrives soon and like a guide to install sheldonp onto sheldon vice versa
@k4y0z will a similar unlocking method be used for the Max once we receive the 7.2.7.3 update?
Skel40 said:
@k4y0z will a similar unlocking method be used for the Max once we receive the 7.2.7.3 update?
No, the Max isn't vulnerable to the preloader-exploit
Tech0308 said:
Worked great and a great surprise to see this, thought it'd never happen! Had to install pyusb as well and need to get an OTG connector but managed to root my sheldon stick.
Any recommendations, links etc.? I've never had the chance to play with a rooted Fire stick and resources seem quite thin since it's Fire os7. I'm hoping for a magisk module of google apps like the one for FireOS 6 arrives soon and like a guide to install sheldonp onto sheldon vice versa
You can give a try to LineageOS 18.1. Besides Netflix, everything works perfectly.
Hello i've been trying to follow your steps but i always end up with this error message. Using Fire TV Stick 3 gen (sheldonp) with FireOs 7.2.4.2, do i need version 7.2.7.3 for the root to work?
[2022-03-05 13:40:37.517594] Check boot0
[2022-03-05 13:40:37.996077] Check rpmb
[2022-03-05 13:40:38.026461] Downgrade rpmb
[2022-03-05 13:40:38.026862] Recheck rpmb
Traceback (most recent call last):
File "main.py", line 137, in <module>
main(dev)
File "main.py", line 76, in main
raise RuntimeError("downgrade failure, giving up")
RuntimeError: downgrade failure, giving up
Thank you!
emma80200 said:
Hello i've been trying to follow your steps but i always end up with this error message. Using Fire TV Stick 3 gen (sheldonp) with FireOs 7.2.4.2, do i need version 7.2.7.3 for the root to work?
[email protected]:~/Desktop/kam/kamakiri$ sudo ./bootrom-step.sh
[2022-03-05 13:40:26.865130] Waiting for device
[2022-03-05 13:40:33.943838] Found port = /dev/ttyACM0
[2022-03-05 13:40:33.982781] Handshake
[2022-03-05 13:40:34.004239] Load payload from ../brom-payload/pl/pl.bin = 0x3A04 bytes
[2022-03-05 13:40:36.501491] All good
[2022-03-05 13:40:36.996590] Check device_type_id
[2022-03-05 13:40:36.996836] Detected sheldonp (A265XOI9586NML)
[2022-03-05 13:40:36.996952] Check GPT
[2022-03-05 13:40:37.517453] gpt_parsed = {'lk': (1024, 2048), 'tee1': (3072, 10240), 'tee2': (13312, 10240), 'boot': (23552, 32768), 'recovery': (56320, 32768), 'logo': (89088, 7168), 'kb': (96256, 2048), 'dkb': (98304, 2048), 'MISC': (100352, 2048), 'vendor': (102400, 307200), 'system': (409600, 3072000), 'cache': (3481600, 1048576), 'userdata': (4530176, 10743391), '': (0, 1)}
[2022-03-05 13:40:37.517594] Check boot0
[2022-03-05 13:40:37.996077] Check rpmb
[2022-03-05 13:40:38.026461] Downgrade rpmb
[2022-03-05 13:40:38.026862] Recheck rpmb
Traceback (most recent call last):
File "main.py", line 137, in <module>
main(dev)
File "main.py", line 76, in main
raise RuntimeError("downgrade failure, giving up")
RuntimeError: downgrade failure, giving up
Thank you!
Are you using a Virtual Machine?
Rortiz2 said:
Are you using a Virtual Machine?
I tried using a PC with linux mint installed, a ubuntu live-system and lastly a ubuntu virtual machine. All returning exact same error
emma80200 said:
I tried using a PC with linux mint installed, a ubuntu live-system and lastly a ubuntu virtual machine. All returning exact same error
I just use his fireISO on a USB, it is already setup and worked perfect. I was on 7.2.4.2.
GitHub - amonet-kamakiri/fireiso: ISO with patched kernel for kamakiri and amonet
ISO with patched kernel for kamakiri and amonet. Contribute to amonet-kamakiri/fireiso development by creating an account on GitHub.
github.com
Michajin said:
I just use his fireISO on a USB, it is already setup and worked perfect. I was on 7.2.4.2.
GitHub - amonet-kamakiri/fireiso: ISO with patched kernel for kamakiri and amonet
ISO with patched kernel for kamakiri and amonet. Contribute to amonet-kamakiri/fireiso development by creating an account on GitHub.
github.com
I did not know of this ISO. gave it a try, burned it to a USB, but ended with same results.
[2022-03-06 15:14:45.452690] Waiting for device
[2022-03-06 15:14:52.837378] Found port = /dev/ttyACM0
[2022-03-06 15:14:52.892900] Handshake
[2022-03-06 15:14:52.913387] Load payload from ../brom-payload/pl/pl.bin = 0x3A04 bytes
[2022-03-06 15:14:55.409614] All good
[2022-03-06 15:14:55.904632] Check device_type_id
[2022-03-06 15:14:55.904812] Detected sheldonp (A265XOI9586NML)
[2022-03-06 15:14:55.904884] Check GPT
[2022-03-06 15:14:56.433151] gpt_parsed = {'lk': (1024, 2048), 'tee1': (3072, 10240), 'tee2': (13312, 10240), 'boot': (23552, 32768), 'recovery': (56320, 32768), 'logo': (89088, 7168), 'kb': (96256, 2048), 'dkb': (98304, 2048), 'MISC': (100352, 2048), 'vendor': (102400, 307200), 'system': (409600, 3072000), 'cache': (3481600, 1048576), 'userdata': (4530176, 10743391), '': (0, 1)}
[2022-03-06 15:14:56.433294] Check boot0
[2022-03-06 15:14:56.913393] Check rpmb
[2022-03-06 15:14:56.944796] Downgrade rpmb
[2022-03-06 15:14:56.945073] Recheck rpmb
Traceback (most recent call last):
File "/root/Desktop/kamakiri/modules/main.py", line 137, in <module>
main(dev)
File "/root/Desktop/kamakiri/modules/main.py", line 76, in main
raise RuntimeError("downgrade failure, giving up")
RuntimeError: downgrade failure, giving up
So most of you probably don't know what mtkclient is. It is basically an exploit which is used to boot any (mtk) phone into BROM mode (basically EDL for mtk)
I am writing this guide especially for the RM6785 community.
This tool is very useful, you can unlock almost any mediatek device using it (brand won't matter), you can write partitions, read partitions, and even erase partitions.
This tool can also get you out of any kind of brick!
Thanks to bkerler for making such an amazing tool!
How to use it?
Well first of all, I will talk about how to install it inside windows, because most of the users here are most likely using windows.
Download the mtkclient folder from here: https://github.com/bkerler/mtkclient/archive/refs/heads/main.zip
Extract it, and open it.
Now it's time to download python.
If you are on windows 11/10, you can download Python directly from the microsoft store, and I recommend you to do it from there.
If you are on windows 8.1 or lower, you will have to download it from the web.
After installing python is complete.
Open the command prompt inside the mtkclient-main folder.
connect to the internet
and type:
pip3 install -r requirements.txt
and wait for it to install completely.
This will basically set up mtkclient to perform every command.
(ignore this warning)
So after this command is done, you need to install usbdk.
Releases · daynix/UsbDk
Usb Drivers Development Kit for Windows. Contribute to daynix/UsbDk development by creating an account on GitHub.
github.com
After you install usbdk, just restart your PC.
So your mtkclient setup is finished now!
Now you can basically do anything with it.
Let me tell you how it works:
For example, if you want to flash something into a partition, you do:
python mtk w *partitionname* *filename*
the w indicates "write"
so for example if i want to flash, lets say boot img.
python mtk w boot *location of the boot img*
in simple words:
python mtk w boot boot.img
to pull a partition from your device:
python mtk r *partitionname* *filename*
the r indicates "read"
you can pull the image as any name that you'd like
example:
python mtk r vbmeta realme6vbmeta.img
to erase partitions:
python mtk e *partition*
the e indicates "erase"
so for example i want to clear my userdata partition
python mtk e userdata
you can also write,flash,erase multiple partitions at once.
for example:
python mtk w boot,vbmeta boot.img,vbmeta.img
python mtk r dtbo,boot dtbo.img,boot.img
python mtk e metadata,userdata
you can also unlock the bootloader through it:
python mtk da seccfg unlock
so to actually begin the flashing/reading/erasing process, enter the command.
power off your device
hold both of the volume buttons, and quickly connect usb (do not leave the volume buttons until the command is done)
So that is basically how you use it, thanks for reading!
I will make a version for linux users soon!
hey i am getting handshake failed error, not sure how to fix this.
Sidharth09 said:
So most of you probably don't know what mtkclient is. It is basically an exploit which is used to boot any (mtk) phone into BROM mode (basically EDL for mtk)
I am writing this guide especially for the RM6785 community.
This tool is very useful, you can unlock almost any mediatek device using it (brand won't matter), you can write partitions, read partitions, and even erase partitions.
This tool can also get you out of any kind of brick!
Thanks to bkerler for making such an amazing tool!
How to use it?
Well first of all, I will talk about how to install it inside windows, because most of the users here are most likely using windows.
Download the mtkclient folder from here: https://github.com/bkerler/mtkclient/archive/refs/heads/main.zip
Extract it, and open it.
View attachment 5741507
Now it's time to download python.
If you are on windows 11/10, you can download Python directly from the microsoft store, and I recommend you to do it from there.
If you are on windows 8.1 or lower, you will have to download it from the web.
After installing python is complete.
Open the command prompt inside the mtkclient-main folder.
connect to the internet
and type:
pip3 install -r requirements.txt
View attachment 5741509
and wait for it to install completely.
This will basically set up mtkclient to perform every command.
View attachment 5741511
(ignore this warning)
So after this command is done, you need to install usbdk.
Releases · daynix/UsbDk
Usb Drivers Development Kit for Windows. Contribute to daynix/UsbDk development by creating an account on GitHub.
github.com
After you install usbdk, just restart your PC.
So your mtkclient setup is finished now!
Now you can basically do anything with it.
Let me tell you how it works:
For example, if you want to flash something into a partition, you do:
python mtk w *partitionname* *filename*
the w indicates "write"
so for example if i want to flash, lets say boot img.
python mtk w boot *location of the boot img*
in simple words:
python mtk w boot boot.img
to pull a partition from your device:
python mtk r *partitionname* *filename*
the r indicates "read"
you can pull the image as any name that you'd like
example:
python mtk r vbmeta realme6vbmeta.img
to erase partitions:
python mtk e *partition*
the e indicates "erase"
so for example i want to clear my userdata partition
python mtk e userdata
you can also write,flash,erase multiple partitions at once.
for example:
python mtk w boot,vbmeta boot.img,vbmeta.img
python mtk r dtbo,boot dtbo.img,boot.img
python mtk e metadata,userdata
you can also unlock the bootloader through it:
python mtk da seccfg unlock
so to actually begin the flashing/reading/erasing process, enter the command.
power off your device
hold both of the volume buttons, and quickly connect usb (do not leave the volume buttons until the command is done)
So that is basically how you use it, thanks for reading!
I will make a version for linux users soon!
Hello have you made the Linux version?
Thank you for this guide, I have encountered an error on Tecno spark 8C(kg5j) when trying either of the commands in ubuntu.
Here is an output of the error.
-----
DAXFlash - [LIB]: xread error: unpack requires a buffer of 12 bytes
DAXFlash
DAXFlash - [LIB]: Error jumping to DA: -1
-----
Johnhek said:
handshake failed error
Check this out: https://github.com/bkerler/mtkclient/issues/52
Fair warning, there are a TON of multiple GB dependencies to make this work. I'm seriously starting to wonder if trying to un brick my $1,800 device is even worth the trouble.
I have an RFinder B1+ with a MTK 6765 chipset. It has external batteries only and boot loops when one is attached due to a bad lk.img flash. The device does show up briefly in Windows task manager as a MediaTek COM port when I plug in a USB cable with no battery attached.
Should I plug in the battery first or try to run mtkclient without it?
I was using "wl" command (write list: write partitions from directory to flash) and I had a very dumb issue:
I moved the partition images to the mtkclient folder and started the wl command, but when the partitions were all copied, the command continued checking all the subfolders looking for more partition files to write to the phone... and it "found" one: inside of the python lib folder there is a file called gpt and the command overwrote my pgpt partition with that file!
Now of course any command trying to read or write partitions crashes because the pgpt partition is corrupt.
I can read sectors and indeed I have confirmed that the contents of the first sectors (that would correspond to pgpt partition) actually contain plain text from the pgt file at python lib folder.
Before this mistake, I saved the gpt table to a file and I also have gpt scatter information from my phone.
I would need help to restore the pgpt partition using the sgpt partition or using the pgt scatter information, or the gpt table copied from my phone before the deletion or any other way to restore the phone...
Can someone help me?
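Added example (not part of the post above and not mtkclient code): a check to run on a saved GPT dump before writing it back over a damaged pgpt, plus the conventional way a primary header is derived from a verified backup (sgpt) header. It assumes the dump starts at LBA 0 with 512-byte sectors (pass sector=4096 for storage with 4096-byte logical blocks); the sample image is constructed, borrowing three partition values from the gpt_parsed log earlier in the thread, and all function names are hypothetical.

```python
import struct
import zlib

HDR_FMT = "<8sIIIIQQQQ16sQIII"      # GPT header layout (UEFI spec), little-endian
HDR_LEN = struct.calcsize(HDR_FMT)  # 92 bytes
ENT_FMT = "<16s16sQQQ72s"           # one 128-byte partition entry
HDR_KEYS = ("sig", "rev", "size", "crc", "rsvd", "my_lba", "alt_lba",
            "first_usable", "last_usable", "disk_guid",
            "ent_lba", "ent_count", "ent_size", "ent_crc")


def parse_header(raw):
    """Unpack the first 92 bytes of a GPT header into a dict."""
    return dict(zip(HDR_KEYS, struct.unpack(HDR_FMT, raw[:HDR_LEN])))


def header_crc(raw, size):
    """CRC32 of the header with its own CRC field (bytes 16..19) zeroed."""
    return zlib.crc32(raw[:16] + bytes(4) + raw[20:size]) & 0xFFFFFFFF


def check_gpt(image, sector=512):
    """Return a list of problems in a primary-GPT dump; an empty list means sane."""
    if len(image) < sector + HDR_LEN:
        return ["image too short to hold a GPT header at LBA 1"]
    raw = image[sector:2 * sector]
    h = parse_header(raw)
    if h["sig"] != b"EFI PART":
        return ["no 'EFI PART' signature at LBA 1 (not a GPT image)"]
    if not HDR_LEN <= h["size"] <= sector:
        return ["implausible header size %d" % h["size"]]
    problems = []
    if header_crc(raw, h["size"]) != h["crc"]:
        problems.append("header CRC32 mismatch")
    if h["my_lba"] != 1:
        problems.append("header does not describe itself as LBA 1")
    start = h["ent_lba"] * sector
    end = start + h["ent_count"] * h["ent_size"]
    if end > len(image):
        problems.append("partition entry array extends past end of dump")
    elif zlib.crc32(image[start:end]) & 0xFFFFFFFF != h["ent_crc"]:
        problems.append("partition entry array CRC32 mismatch")
    return problems


def list_partitions(image, sector=512):
    """Map name -> (first LBA, sector count), the same shape as gpt_parsed."""
    h = parse_header(image[sector:2 * sector])
    table = {}
    for i in range(h["ent_count"]):
        off = h["ent_lba"] * sector + i * h["ent_size"]
        tguid, _, first, last, _, name = struct.unpack(
            ENT_FMT, image[off:off + struct.calcsize(ENT_FMT)])
        if tguid != bytes(16):  # an all-zero type GUID marks an unused slot
            table[name.decode("utf-16-le").rstrip("\0")] = (first, last - first + 1)
    return table


def primary_from_backup(backup_hdr, sector=512):
    """Derive the LBA-1 header sector from a verified backup header."""
    if len(backup_hdr) < HDR_LEN:
        raise ValueError("backup header too short")
    h = parse_header(backup_hdr)
    if h["sig"] != b"EFI PART" or header_crc(backup_hdr, h["size"]) != h["crc"]:
        raise ValueError("backup header fails validation; do not derive from it")
    f = [h[k] for k in HDR_KEYS]
    f[3] = 0                      # CRC is recomputed below
    f[5], f[6] = 1, h["my_lba"]   # primary sits at LBA 1, alternate is the backup
    f[10] = 2                     # conventional start of the primary entry array
    raw = struct.pack(HDR_FMT, *f).ljust(sector, b"\0")
    f[3] = header_crc(raw, h["size"])
    return struct.pack(HDR_FMT, *f).ljust(sector, b"\0")


def build_sample(sector=512, disk_lbas=1 << 24):
    """Constructed sample: (LBA 0..33 of a primary GPT, backup header sector)."""
    parts = [("lk", 1024, 2048), ("tee1", 3072, 10240), ("boot", 23552, 32768)]
    entries = b"".join(
        struct.pack(ENT_FMT, bytes([i + 1]) * 16, bytes([i + 0x11]) * 16,
                    first, first + count - 1, 0, name.encode("utf-16-le"))
        for i, (name, first, count) in enumerate(parts)).ljust(128 * 128, b"\0")

    def header(my_lba, alt_lba, ent_lba):
        f = [b"EFI PART", 0x00010000, HDR_LEN, 0, 0, my_lba, alt_lba, 34,
             disk_lbas - 34, b"\xAA" * 16, ent_lba, 128, 128,
             zlib.crc32(entries) & 0xFFFFFFFF]
        f[3] = header_crc(struct.pack(HDR_FMT, *f), HDR_LEN)
        return struct.pack(HDR_FMT, *f).ljust(sector, b"\0")

    primary = bytes(sector) + header(1, disk_lbas - 1, 2) + entries
    return primary, header(disk_lbas - 1, 1, disk_lbas - 33)


if __name__ == "__main__":
    primary, backup = build_sample()
    print("good dump:", check_gpt(primary), list_partitions(primary))
    print("text file:", check_gpt(b"# constructed stray text file\n" * 100))
    print("rebuilt == original:", primary_from_backup(backup) == primary[512:1024])
```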
I have an LG K61, I can use mtkclient but I have no fastboot. I'm wondering if it's possible to boot a bin without flashing it (like fastboot boot recovery.img) because I think that the only reason I can't install a working TWRP on my device is the way I flash it, directly to boot partition.
Maybe is it possible to flash the recovery to b slot, force boot from that slot, flash from twrp the zip to boot_a partition, then set a slot?
Sidharth09 said:
So most of you probably don't know what mtkclient is. It is basically an exploit which is used to boot any (mtk) phone into BROM mode (basically EDL for mtk)
I am writing this guide especially for the RM6785 community.
This tool is very useful, you can unlock almost any mediatek device using it (brand won't matter), you can write partitions, read partitions, and even erase partitions.
This tool can also get you out of any kind of brick!
Thanks to bkerler for making such an amazing tool!
How to use it?
Well first of all, I will talk about how to install it inside windows, because most of the users here are most likely using windows.
Download the mtkclient folder from here: https://github.com/bkerler/mtkclient/archive/refs/heads/main.zip
Extract it, and open it.
View attachment 5741507
Now it's time to download python.
If you are on windows 11/10, you can download Python directly from the microsoft store, and I recommend you to do it from there.
If you are on windows 8.1 or lower, you will have to download it from the web.
After installing python is complete.
Open the command prompt inside the mtkclient-main folder.
connect to the internet
and type:
pip3 install -r requirements.txt
View attachment 5741509
and wait for it to install completely.
This will basically set up mtkclient to perform every command.
View attachment 5741511
(ignore this warning)
So after this command is done, you need to install usbdk.
Releases · daynix/UsbDk
Usb Drivers Development Kit for Windows. Contribute to daynix/UsbDk development by creating an account on GitHub.
github.com
After you install usbdk, just restart your PC.
So your mtkclient setup is finished now!
Now you can basically do anything with it.
Let me tell you how it works:
For example, if you want to flash something into a partition, you do:
python mtk w *partitionname* *filename*
the w indicates "write"
so for example if i want to flash, lets say boot img.
python mtk w boot *location of the boot img*
in simple words:
python mtk w boot boot.img
to pull a partition from your device:
python mtk r *partitionname* *filename*
the r indicates "read"
you can pull the image as any name that you'd like
example:
python mtk r vbmeta realme6vbmeta.img
to erase partitions:
python mtk e *partition*
the e indicates "erase"
so for example i want to clear my userdata partition
python mtk e userdata
you can also write,flash,erase multiple partitions at once.
for example:
python mtk w boot,vbmeta boot.img,vbmeta.img
python mtk r dtbo,boot dtbo.img,boot.img
python mtk e metadata,userdata
you can also unlock the bootloader through it:
python mtk da seccfg unlock
so to actually begin the flashing/reading/erasing process, enter the command.
power off your device
hold both of the volume buttons, and quickly connect usb (do not leave the volume buttons until the command is done)
So that is basically how you use it, thanks for reading!
I will make a version for linux users soon!
Hi, not quite sure with the terminologies in the commands part, if i want to root /give root access to my phone which command should i use?
darklight_69 said:
Hi, not quite sure with the terminologies in the commands part, if i want to root /give root access to my phone which command should i use?
You read to your pc from your phone via mtkclient the boot_a.bin. You then rename it to boot_a.img, then you turn on your phone, move the img to it, install magisk, patch the boot.img, move it to your pc again, rename the patched to *.bin again and flash it to your boot_a partition via mtkclient.
Jaguar_90 said:
You read to your pc from your phone via mtkclient the boot_a.bin. You then rename it to boot_a.img, then you turn on your phone, move the img to it, install magisk, patch the boot.img, move it to your pc again, rename the patched to *.bin again and flash it to your boot_a partition via mtkclient.
if it's not bothering, could you please make a detailed step by step or link a post for a detailed instruction on how to exactly do what you've said? sorry i am having a hard time comprehending the steps, don't want to mess the procedure, thank you
or can i pm u instead?
darklight_69 said:
if it's not bothering, could you please make a detailed step by step or link a post for a detailed instruction on how to exactly do what you've said? sorry i am having a hard time comprehending the steps, don't want to mess the procedure, thank you
or can i pm u instead?
Here are more detailed steps.
You need to find out if the Phone is using AB slot or not. For AB slot partitions, you need to know which slot is active and flash accordingly.
Use Mtkclient to copy the boot_a.bin.
For AB slot: python mtk r boot_a boot_a.bin
For AB slot: python mtk r boot_b boot_b.bin
For single slot: python mtk r boot boot.bin
You rename it to boot_a.img
Copy the boot_a.img to phone's internal storage.
Install Magisk on the phone.
Open Magisk app.
Click the Install button .
Select the patch the image file option.
After you patched boot_a.img, copy the patched boot_a.img to the PC.
Rename the patched boot_a.img to boot_a.bin.
Use MTKClient to flash it to the boot_a partition.
For AB slot: python mtk w boot boot.bin
For AB slot: python mtk w boot_a boot_a.bin
For single slot: python mtk w boot_b boot_b.bin
edited this instead since i can't delete this reply, please ignore this one
i want to ask some questions here in advance after reading the entire process so i can reduce the unnecessary replies from me lol
magi44ken said:
You need to find out if the Phone is using AB slot or not. For AB slot partitions, you need to know which slot is active and flash accordingly.
-my phone is using a/b slot and is currently on B slot
magi44ken said:
Use Mtkclient to copy the boot_a.bin.
For AB slot: python mtk r boot boot.bin
For AB slot: python mtk r boot_a boot_a.bin
do i need to run all of them one by one?
and in 2nd command's case, since i'm currently in slot b should i rename "boot_a | boot_a.bin" to "boot_b | boot_b.bin"?
magi44ken said:
You rename it to boot_a.img
okay for this part its just changing the extension
magi44ken said:
Copy the boot_a.img to phone's internal storage.
you mean like the regular transfer when the phone is on right? XD
magi44ken said:
Install Magisk on the phone.
Open Magisk app.
Click the Install button .
Select the patch the image file option.
After you patched boot_a.img, copy the patched boot_a.img to the PC.
Rename the patched boot_a.img to boot_a.bin.
Use MTKClient to flash it to the boot_a partition.
For AB slot: python mtk w boot boot.bin
For AB slot: python mtk w boot_a boot_a.bin
For single slot: python mtk w boot_b boot_b.bin
well, the earlier questions will clear the confusion in this part anyways but i still got the gist of it.
also on this post, it mentioned something about vbmeta.img, do i no longer need that?
Hello, if I have a bin file (Rom1) from another device, can I read the rpmb key with mtkclient this way?
I do not understand these messages:
mtkclient-main\mtk_gui:557: DeprecationWarning: Enum value 'Qt::ApplicationAttribute.AA_EnableHighDpiScaling' is marked as deprecated, please check the documentation for more information.
QApplication.setAttribute(Qt.AA_EnableHighDpiScaling, True)
...and...
\mtkclient-main\mtk_gui:118: DeprecationWarning: Function: 'QLibraryInfo.location(QLibraryInfo.LibraryPath location)' is marked as deprecated, please check the documentation for more information.
translations_path = QLibraryInfo.location(QLibraryInfo.TranslationsPath)
When trying to flash the preloader, the execution of the command started like this:
Device detected : )
Preloader - CPU: MT6771/MT8385/MT8183/MT8666(Helio P60/P70/G80)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x788
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 5649224A4BD6F0263F7ABC130DCE05AA
Preloader - SOC_ID: 67EB8D8456F3D36A30C5801507195F549290F216EF032600F78136D5E0D540D5
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
It is a Unihertz Titanium (UFS) that stopped responding. The previous owner tried to prepare the bottles of Gargoyle-LOS20 by deleting user data, cache and system. I would like to help him and save the device for him.
I would like to use the graphical interface of mtkclient. But unfortunately the tool does not load the files from the unpacked stock ROM...where do I have to put the files in the mtkclient-main directory?
how come your preloader gets detected? mine only shows up for 1 sec in device manager
Medionato said:
I do not understand these messages:
mtkclient-main\mtk_gui:557: DeprecationWarning: Enum value 'Qt::ApplicationAttribute.AA_EnableHighDpiScaling' is marked as deprecated, please check the documentation for more information.
QApplication.setAttribute(Qt.AA_EnableHighDpiScaling, True)
...and...
\mtkclient-main\mtk_gui:118: DeprecationWarning: Function: 'QLibraryInfo.location(QLibraryInfo.LibraryPath location)' is marked as deprecated, please check the documentation for more information.
translations_path = QLibraryInfo.location(QLibraryInfo.TranslationsPath)
When trying to flash the preloader, the execution of the command started like this:
Device detected : )
Preloader - CPU: MT6771/MT8385/MT8183/MT8666(Helio P60/P70/G80)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x788
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 5649224A4BD6F0263F7ABC130DCE05AA
Preloader - SOC_ID: 67EB8D8456F3D36A30C5801507195F549290F216EF032600F78136D5E0D540D5
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
It is a Unihertz Titanium (UFS) that stopped responding. The previous owner tried to prepare the bottles of Gargoyle-LOS20 by deleting user data, cache and system. I would like to help him and save the device for him.
I would like to use the graphical interface of mtkclient. But unfortunately the tool does not load the files from the unpacked stock ROM...where do I have to put the files in the mtkclient-main directory?
I tried installing directly from here: https://github.com/bkerler/mtkclient. It works for the most part. But I would have liked to use the graphical interface, but that somehow fails. The files don't load into the selection windows and the command buttons don't respond either. Only the terminal control works. But I could not flash the preloader yet. The battery of the device doesn't seem to be charged either. I can't control this...is this possibly a hindering problem?
Medionato said:
I tried installing directly from here: https://github.com/bkerler/mtkclient. It works for the most part. But I would have liked to use the graphical interface, but that somehow fails. The files don't load into the selection windows and the command buttons don't respond either. Only the terminal control works. But I could not flash the preloader yet. The battery of the device doesn't seem to be charged either. I can't control this...is this possibly a hindering problem?
Which device are you using?
anybody knows how to solve this problem? i get this whenever i try to extract boot.bin
Code:
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.