[Tutorial] How to root D838 that cannot enter recovery mode - LG G Pro 2

For those who own G Pro 2 D838 that cannot enter stock recovery to run adb sideload option (ioroot25), this tutorial teaches you how to grant root access through normal adb (ioroot24).
After a long time investigating the LG TOT file structure, I've found a way to partially flash a partition. And if you flash, for example, the F350K kernel into a D838, you can run the modified ioroot24 batch file by adding LG-D838 to the model option list.
The steps are as follows:
0. Backup your critical data. Flashing TOT will do factory reset automatically. All user data except Ext-SD will be erased.
1. Find and download the firmware exactly matching your D838 (16GB or 32GB model, HK or TW model), and the DLL file (or extract from KDZ).
2. Find and download old version F350 firmware such as F350K 10d version (only old versions are compatible with ioroot24 method).
3. Download my sample TOT header file below (myboothdr.bin). This file is verified on D838 16GB Taiwan. May not work for 32GB version.
4. Download any KDZ/TOT extractor you like.
5. Download any CRC32 checksum program you like. I use HashMyFiles. And download any hex editor you like. I use xvi32.
6. Extract D838 firmware to get PrimaryGPT.bin (partition table), boot.bin (kernel) and the DLL file if KDZ.
7. Extract F350 firmware to get boot.bin. Rename it as boot350.bin
8. In Windows command prompt, combine PrimaryGPT.bin and boot.bin into d838body.bin by the following command:
copy /b PrimaryGPT.bin+boot.bin d838body.bin
Don't forget the argument "/b". It's very important to use the flag to do "binary mode" copy.
9. Calculate the d838body.bin CRC32 checksum with your checksum program. This should be a 32-bit number.
10. In the sample header file "myboothdr.bin", fill in the CRC32 value at file offset 0x08. Please note that the file stores numbers in little-endian order, so the byte order of the 32-bit CRC32 value should be reversed. For example, a calculated CRC32 value 0x12345678 should be filled in as 78 56 34 12 at file offsets 0x08, 0x09, 0x0a, 0x0b.
11. Combine header and body by the following command (the result file must be in "tot" file extension):
copy /b myboothdr.bin+d838body.bin d838kernel.tot
12. Repeat steps 8~11 but replace boot.bin with boot350.bin and d838kernel.tot with f350k4d838.tot.
Now you have two kernel TOT files for your D838.
13. Use LG Flash Tool to flash f350k4d838.tot with your D838 DLL file.
14. Manually run adb commands similar to ioroot24 for F350. However, unplugging and plugging the USB cable did not work for me. Switching between "Charging Only" and "MTP" works.
15. Use LG Flash Tool to flash back d838kernel.tot with your D838 DLL file.
The file "myboothdr.bin" contains some offset / size values which may not work for other regions and/or the 32GB D838. Make sure the size of boot.bin is 12058624 bytes. And investigate your partition table file PrimaryGPT.bin to make sure the "boot" partition starts at sector 0x40000.
It is assumed that all 16GB models have the same partition geometry and the same size of kernel image (boot.bin), so I GUESS all 16GB D838 could use this header file. But I am not responsible for this. To customize the header file for your D838 16GB or 32GB model, check the following items and modify the header if necessary:
1. Check your partition table file (PrimaryGPT.bin) to find the location of your kernel image partition. In the D838 TW model, the kernel partition entry is at offset 0x700 (0x80 bytes in total, 0x700~0x77f); offset 0x700+0x38 contains the partition name 0x62,0x00,0x6F,0x00,0x6F,0x00,0x74,0x00 (UTF-16LE string "boot"), and offset 0x700+0x20 contains the kernel partition starting sector 0x00, 0x00, 0x04, 0x00 (32-bit number 0x00040000). If your D838 model has a different value from 0x00040000, please modify my header file at offset 0x2020 to your value.
2. Verify the file size of your boot.bin (and boot350.bin) to make sure it is 12058624 bytes (0xb80000). If not, please stop here. Some calculation is required to modify my header file, and some partition size verification has to be made for your case.
Because the resulting tot files contain partition info and a kernel image, you'd better use your own tot files. If you want to use others', please make sure they're for the same model, kernel version, ROM size (16 or 32GB), and region (TW, HK or SG).
Thanks:
autoprime's great ioroot tools
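Added example (my own code, not pcfree's tool and not an attachment from this thread): a Python script that does steps 8 to 11 and the two header checks from the note above in one go. It parses PrimaryGPT.bin as a standard GPT (header at LBA 1, 128-byte entries, UTF-16LE names), confirms that the entry named "boot" starts at the sector stored in the header, checks that boot.bin is exactly 12058624 bytes, and then writes header + PrimaryGPT.bin + boot.bin with the body's CRC32 patched in little-endian at offset 0x08. Assumptions: the only header fields it knows are the 44 DD 55 AA signature, the CRC at 0x08 and the start sector at 0x2020, so the 0x2040-byte header it builds for its self-test is a stand-in, not a real myboothdr.bin; the sample GPT and kernel image are constructed inside the script, not taken from any firmware. For a real build, read your own myboothdr.bin, PrimaryGPT.bin and boot.bin and write the result with a .tot extension.

```python
"""Build the kernel-only TOT from the post: header || PrimaryGPT.bin || boot.bin,
with the body CRC32 patched into the header, after the sanity checks the post
tells you to do by hand."""
import struct
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
TOT_MAGIC = bytes.fromhex("44DD55AA")   # header signature seen in the thread
HDR_CRC_OFF = 0x08                       # little-endian CRC32 of the body
HDR_START_LBA_OFF = 0x2020               # "boot" start sector, per the post
HDR_SIZE = 0x2040                        # ASSUMED size of the synthetic test header
EXPECTED_BOOT_LBA = 0x40000              # D838 TW 16GB value from the post
EXPECTED_BOOT_SIZE = 0xB80000            # 12058624 bytes, from the post


def gpt_entries(gpt):
    """Yield (index, name, first_lba, last_lba) for every used GPT entry."""
    hdr = gpt[SECTOR:2 * SECTOR]                     # GPT header lives in LBA 1
    if hdr[:8] != GPT_SIG:
        raise ValueError("no GPT header at LBA 1")
    entry_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 0x48)
    for i in range(n_entries):
        off = entry_lba * SECTOR + i * entry_size
        e = gpt[off:off + entry_size]
        if len(e) < entry_size or e[:16] == bytes(16):  # zero type GUID: unused slot
            continue
        first, last = struct.unpack_from("<QQ", e, 0x20)
        name = e[0x38:0x38 + 72].decode("utf-16-le").rstrip("\x00")
        yield i, name, first, last


def find_partition(gpt, name):
    for i, nm, first, last in gpt_entries(gpt):
        if nm == name:
            return i, first, last
    raise LookupError(f"no GPT entry named {name!r}")


def crc_le(value):
    """The 4 bytes you type at 0x08: CRC32 with its byte order reversed."""
    return struct.pack("<I", value)


def body_crc(gpt, kernel):
    return zlib.crc32(gpt + kernel) & 0xFFFFFFFF


def build_tot(header, gpt, kernel, expect_size=EXPECTED_BOOT_SIZE):
    """Return (tot_bytes, crc32); raise ValueError when a check from the post fails."""
    if header[:4] != TOT_MAGIC:
        raise ValueError("header does not start with 44 DD 55 AA")
    if len(kernel) != expect_size:
        raise ValueError(f"boot.bin is {len(kernel)} bytes, expected {expect_size}")
    _, first, last = find_partition(gpt, "boot")
    hdr_lba = struct.unpack_from("<I", header, HDR_START_LBA_OFF)[0]
    if first != hdr_lba:
        raise ValueError(f"GPT says boot starts at {first:#x} but header says "
                         f"{hdr_lba:#x}; patch header offset {HDR_START_LBA_OFF:#x}")
    if (last - first + 1) * SECTOR < len(kernel):
        raise ValueError("kernel image does not fit in the boot partition")
    crc = body_crc(gpt, kernel)
    out = bytearray(header)
    out[HDR_CRC_OFF:HDR_CRC_OFF + 4] = crc_le(crc)
    return bytes(out) + gpt + kernel, crc


# ---- constructed sample input for a self-test (not real firmware) ----------
def sample_gpt(boot_lba=EXPECTED_BOOT_LBA, n_entries=128):
    """Minimal PrimaryGPT.bin: blank MBR, GPT header at LBA 1, entries from LBA 2."""
    hdr = bytearray(SECTOR)
    hdr[:8] = GPT_SIG
    struct.pack_into("<QII", hdr, 0x48, 2, n_entries, 0x80)
    entries = bytearray(n_entries * 0x80)

    def put(idx, name, first, last):
        off = idx * 0x80
        entries[off:off + 16] = b"\x11" * 16            # any non-zero type GUID
        entries[off + 16:off + 32] = bytes([idx]) * 16  # unique GUID
        struct.pack_into("<QQ", entries, off + 0x20, first, last)
        enc = name.encode("utf-16-le")
        entries[off + 0x38:off + 0x38 + len(enc)] = enc

    put(0, "modem", 0x8000, 0x3FFFF)
    put(6, "boot", boot_lba, boot_lba + 0x7FFF)   # lands at file offset 0x700
    return bytes(SECTOR) + bytes(hdr) + bytes(entries)


def sample_header(boot_lba=EXPECTED_BOOT_LBA):
    hdr = bytearray(HDR_SIZE)
    hdr[:4] = TOT_MAGIC
    struct.pack_into("<I", hdr, HDR_START_LBA_OFF, boot_lba)
    return bytes(hdr)


SAMPLE_KERNEL = bytes(range(256)) * (EXPECTED_BOOT_SIZE // 256)   # 12058624 bytes

if __name__ == "__main__":
    tot, crc = build_tot(sample_header(), sample_gpt(), SAMPLE_KERNEL)
    print(f"CRC32 {crc:08X} -> bytes at 0x08: {crc_le(crc).hex(' ').upper()}")
```

To use it on real files, replace the three sample calls with `open(name, "rb").read()` for myboothdr.bin, PrimaryGPT.bin and boot.bin, and write `tot` to d838kernel.tot; run it a second time with boot350.bin to get f350k4d838.tot. The `first != hdr_lba` check is the one that catches a 32GB or other-region PrimaryGPT.bin before LG Flash Tool does.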

You are the man! I
Feel proud to be a Taiwanese
This is what loving Taiwan really means.
humble suggestion, probably move this thread to development?

pcfree said:
For those who own G Pro 2 D838 that cannot enter stock recovery to run adb sideload option (ioroot25), this tutorial teaches you how to grant root access through normal adb (ioroot24).
After long time investigating LG TOT file structure, I've found the way to partially flash a partition. And if you flash, for example, F350K kernel into a D838, you can run modified ioroot24 batch file by adding LG-D838 in the model option list.
The steps are as follows:
0. Backup your critical data. Flash TOT will do factory reset automatically.
1. Find and download the firmware exactly matching your D838 (16GB or 32GB model, HK or TW model), and the DLL file (or extract from KDZ).
2. Find and download old version F350 firmware such as F350K 10d version (only old versions are compatible with ioroot24 method).
3. Download my sample TOT header file below (myboothdr.bin). This file is verified on D838 16GB Taiwan. May not work for 32GB version.
4. Download any KDZ/TOT extractor you like.
5. Download any CRC32 checksum program you like. I use HashMyFiles.
6. Download any hex editor.
6. Extract D838 firmware to get PrimaryGPT.bin (partition table), boot.bin (kernel) and the DLL file if KDZ.
7. Extract F350 firmware to get boot.bin. Rename it as boot350.bin
8. In Windows command prompt, combine PrimaryGPT.bin and boot.bin into d838body.bin by the following command:
copy /b PrimaryGPT.bin+boot.bin d838body.bin
9. Calculate d838body.bin CRC32 checksum.
10. In sample header file "myboothdr.bin", Fill the CRC32 value at file offset 0x08.
11. Combine header and body by the following command (the result file must be in "tot" file extension):
copy /b mybootheader.bin+d838body.bin d838kernel.tot
12. Repeat steps 8~11 but replace boot.bin with boot350.bin and d838kernel.tot with f350k4d838.tot.
Now you have two kernel TOT files for your D838.
13. Use LG Flash Tool to flash f350k4d838.tot.
14. Manually run adb command similar with ioroot24 for F350. However, unplug and plug USB cable did not work for me. Switching between "Changing Only" and "MTP" works.
15. Use LG Flash Tool to flash back d838kernel.tot.
The file "myboothdr.bin" contains some offset / size values which may not work for other region and/or 32GB D838. Make sure the size of boot.bin is 12058624 bytes. And try to investigate your partition table file PrimaryGPT.bin to make sure "boot" partition starting at 0x40000.
Nice work! But speaking as a non-technical guy, do you think there'll be an easier, less scary, way of rooting the D838 soon?
I've rooted and flashed all my previous phones but these instructions sound very complicated indeed...

Appreciate your amazing work,
You're the miracle creator!!
I also want to say... this is what loving Taiwan really means! +1 ~^^

It's true.
The procedure is too complicated for beginners to root the D838.
But honestly, this is one small step for a man, a giant leap for D838 device owners.
I believe the author will try to reform the procedure into a simpler way.
It just takes time to improve it.
Again, thanks for your great work on D838.

So close, but the LGFlashTool doesn't want to recognise my D838, even after trying every driver I could find... So I'm stuck at unlucky step 13!
Sent from my LG-D838 using Tapatalk

sub69 said:
So close, but the LGFlashTool doesn't want to recognise my D838, even after trying every driver I could find... So I'm stuck at unlucky step 13!
Sent from my LG-D838 using Tapatalk
Do you get the message "Failed previousLoad()"? This seems to be caused by an invalid tot file.
OP any chance you can just up the tot files?

thelestat said:
Do you get the message "Failed previousLoad()"? This seems to be caused by an invalid tot file.
I did, but I think as an LG n00b it's a PEBKAC error. I'll keep reading and let you know when it works...
Sent from my LG-D838 using Tapatalk

Wrong checksum

According to the above tutorial,
someone has replied that the checksum is incorrect.
The correct checksum is 30252AC8 for d838body.bin
and E5ED3232 for f350body.bin.
There's another tutorial by a Taiwanese developer named "z30152" that has simplified the procedure, which is much easier for most users.
You can refer to http://www.mobile01.com/topicdetail.php?f=581&t=3864486&p=1

jc042982 said:
According to the above tutorial,
someone has replied that the checksum is incorrect.
The correct checksum is 30252AC8 for d838body.bin
and E5ED3232 for f350body.bin.
There's another tutorial by a Taiwanese developer named "z30152" that has simplified the procedure, which is much easier for most users.
You can refer to http://www.mobile01.com/topicdetail.php?f=581&t=3864486&p=1
Yeah, not sure what I'm doing wrong - I'm sure I've input the CRC correctly, but it's just not playing ball. Will have a look at the other tutorial later...
Thinking about it, it's possibly failing because I'm using a 16Gb HKG phone with the .kdz of the HKG firmware, but I expected the process to be the same, even if the CRC's are different...

sub69 said:
Yeah, not sure what I'm doing wrong - I'm sure I've input the CRC correctly, but it's just not playing ball. Will have a look at the other tutorial later...
Thinking about it, it's possibly failing because I'm using a 16Gb HKG phone with the HKG firmware, but I expected the process to be the same, even if the CRC's are different...
Follow the instructions here!
I think you can extract the HKG version firmware and follow the instructions to merge with F350K.
This should work properly for the HKG 16GB version.

jc042982 said:
Follow the instructions here!
I think you can extract the HKG version firmware and follow the instructions to merge with F350K.
This should work properly for the HKG 16GB version.
Ohhhhh, reverse the hex-pairs!
I'm an idiot, I always forget to do that. Thanks, it looks far more promising now.

May I know how I should start to do this with the 32GB International version? Currently the firmware is D83810a-SEA-XX

Yep, that did it.
So for anyone else trying this, follow the instructions in the OP precisely, and you should be fine, with the caveat that in Point 10 YOU HAVE TO REVERSE THE CRC32 HEX PAIRS when adding them to 0x08 in "myboothdr.bin"
My CRC32 value was "e46a6dcb" so I had to add "CB 6D 6A E4" into myboothdr.bin
Great work pcfree, and many thanks to jc042982 for pointing this LG n00b in the right direction.

thanks
would you please explain inside the header file:
44 DD 55 AA
how to make these values?

hkfriends said:
thanks
would you please explain inside the header file:
44 DD 55 AA
how to make these values?
Don't touch those, just open your myboothdr.bin file in a Hex Editor (I used HxD) and change the four pairs shown below (my CRC32 value for this file came up as b00db074 in "HashMyFiles", so I had to enter "74 B0 0D B0"):

hkfriends said:
thanks
would you please explain inside the header file:
44 DD 55 AA
how to make these values?
Which KDZ you extract from? 16GB? or 32GB?
What country?
I have a 16GB D838 International Edition (Taiwan)
and the procedure is workable for all D838.
The only thing you need to do is extract the correct file from your original firmware.
It depends on which country version you purchased, such as Taiwan, HK, or Singapore, etc.
THE ONLY DIFFERENCE IS STEP 6. Extract D838 firmware to get PrimaryGPT.bin (partition table), boot.bin (kernel) and the DLL file if KDZ.
*PLEASE use your own firmware and extract it!
Other procedures are all the same as in the post.
Be careful with the 16GB and 32GB PrimaryGPT_0.bin!!!

jc042982 said:
Which KDZ you extract from? 16GB? or 32GB?
What country?
I have a 16GB D838 International Edition (Taiwan)
and the procedure is workable for all D838.
The only thing you need to do is extract the correct file from your original firmware.
It depends on which country version you purchased, such as Taiwan, HK, or Singapore, etc.
THE ONLY DIFFERENCE IS STEP 6. Extract D838 firmware to get PrimaryGPT.bin (partition table), boot.bin (kernel) and the DLL file if KDZ.
*PLEASE use your own firmware and extract it!
Other procedures are all the same as in the post.
Be careful with the 16GB and 32GB PrimaryGPT_0.bin!!!
Yep... I double-checked all related TOT files; their headers all start with "44 DD 55 AA",
so I believe it is only the TOT header signature.
The only thing that needs to be catered for is what you said, PrimaryGPT.bin (partition table) and boot.bin (kernel).
I am thinking it can be ported to other models...

hkfriends said:
Yep... I double-checked all related TOT files; their headers all start with "44 DD 55 AA",
so I believe it is only the TOT header signature.
The only thing that needs to be catered for is what you said, PrimaryGPT.bin (partition table) and boot.bin (kernel).
I am thinking it can be ported to other models...
After successfully rooting your device,
you can revise platform.xml by following the instructions posted at http://forum.xda-developers.com/showthread.php?t=2537793
I successfully revised platform.xml and this allows you to read-write your external SD card.
The next step is to revise the nav keys, make them smaller ^^

Related

[GUIDE]Full ROM backup/dump for MTK6573 & MTK6516 phones !!![NOT nandroid backup]

Hi all MTK6573/MTK6516 users !!!!
SEE SECOND POST FOR MTK6516 phones.
THIS POST IS FOR MTK6573 phones.
This is for all MTK6573 users with Android 2.3(.x). Also for all B63M phones !!
Follow this guide to backup your FULL ROM !! You can even flash your phone through FlashTools with this COMPLETE backup !!!
ROOT IS REQUIRED !!
Here is the guide:
1) ROOT is necessary. It is recommended to put the phone in 'Airplane mode' so that it won't disturb the process and make sure you have ~500 mb space in SD card.
2) Download 'MTK-6573-BackUpTools.rar' from attachments and extract it to your SD Card. You'll have 2 folders - 'gscript' and 'Install'.
3) Install 'GScriptLite.apk' from the gscript folder.
4) After installation, open the 'GScriptLite' application -> Menu -> Add Script.
5) Tick 'Needs SU ?'
6) Click 'Load File' and select 'Back23.sh' and then select 'save'
7) Now click on 'Back 23' and Super User will ask for permission; allow it. Nothing more to touch. Wait for a few minutes. After a few mins, it will say 'Auto Close is Cancelled'. Now it's safe to close.
8) Your backup will be in the 'backup_' folder located in your SD card's root.
It will have files named 'firmware.info, preloader.img, nvram.img, seccnfg.img, uboot.img, boot.img, recovery.img, secstatic.img, misc.img, logo.img, expdb.img, cache.img, system.img, data.img' in that folder. Copy it to your computer and keep it in a safe place. Moreover, if you are posting in the forums or sharing it online, don't include 'data.img, cache.img and nvram.img' as they contain your personal information.
NOTE: The backup script is not created by me. Gathered all information from the web !!
Hit THANKS if you find this useful !!
For MTK6516 !!
THIS POST IS FOR MTK6516 phones.
This is for all MTK6516 users with Android 2.2(.x).
Follow this guide to backup your FULL ROM !! You can even flash your phone through FlashTools with this COMPLETE backup !!!
ROOT IS REQUIRED !!
Here is the guide:
1) ROOT is necessary. It is recommended to put the phone in 'Airplane mode' so that it won't disturb the process and make sure you have ~500 mb space in SD card.
2) Download 'MTK-6516-BackUpTools.rar' from attachments and extract it to your SD Card. You'll have 2 folders - 'gscript' and 'Install'.
3) Install 'GScriptLite.apk' from the gscript folder.
4) After installation, open the 'GScriptLite' application -> Menu -> Add Script.
5) Tick 'Needs SU ?'
6) Click 'Load File' and select 'Back23.sh' and then select 'save'
7) Now click on 'Back 23' and Super User will ask for permission; allow it. Nothing more to touch. Wait for a few minutes. After a few mins, it will say 'Auto Close is Cancelled'. Now it's safe to close.
8) Your backup will be in the 'backup_' folder located in your SD card's root.
It will have files named 'firmware.info, preloader.img, nvram.img, seccnfg.img, uboot.img, boot.img, recovery.img, secstatic.img, misc.img, logo.img, expdb.img, cache.img, system.img, data.img' in that folder. Copy it to your computer and keep it in a safe place. Moreover, if you are posting in the forums or sharing it online, don't include 'data.img, cache.img and nvram.img' as they contain your personal information.
NOTE: The backup script is not created by me. Gathered all information from the web !!
Hit THANKS if you find this useful !!
A few questions!
Hello!
Thank you for this software, it worked with making a dump of my rom. How do you create a scatter file to use in SP Flash Tool? Or do you have another program that I can use to flash these files back onto the phone?
The SP Flash Tool I am using V2.1129.00 does not show as many partitions as what was backed up by my phone with the default MT6573 scatter file that it comes with.
I keep getting errors trying to load/burn the files to my phone.
PLEASE HELP!!
LeStonga said:
Hello!
Thank you for this software, it worked with making a dump of my rom. How do you create a scatter file to use in SP Flash Tool? Or do you have another program that I can use to flash these files back onto the phone?
The SP Flash Tool I am using V2.1129.00 does not show as many partitions as what was backed up by my phone with the default MT6573 scatter file that it comes with.
I keep getting errors trying to load/burn the files to my phone.
PLEASE HELP!!
You can try this:
Copy the backup_ folder from your sd card to your computer. Now place a copy of a the scatter file.txt in that folder.
Now in SP Flash tool, browse to the folder and select the scatter file that you placed.....all files will be loaded automatically......
It didn't work . . .
Hello!
I took your advice and attempted to load the scatter file from the same folder that the backup partitions are in.
A few of the files loaded on their own, not all of them, and there are still partitions missing.
When I open the scatter file in a text editor it shows all partitions.
When I open the scatter file in Smart Phone Flash Tool I only see
preloader
dsp
uboot*
bootimg*
recovery*
secro
logo*
android*
usrdata
The files above are what shows in sp flash tool program and the ones with the * are the files that load automatically.
I did try Smart Phone Flash Tool version 5.1140 and the scatter file did load correctly with all the partitions, but again not all load and I get an error when I try to load them manually. In addition, I have never been able to successfully use version 5.1140 to flash.
I was able to flash in version 2.1129, but as I said I couldn't load every partition so I am missing my nvram and other partitions.
Can you recommend anything else?
Maybe a different version of sp flash tool that you know works? Maybe a different program all together?
THANKS!
@Bala
Yo, bro, it's been a while since our last chat! You have been like an android modding/hacking teacher/guru & I'm sure a lot of users will benefit from all of it...
@LeStonga
Yes, in fact you are correct, there is a software by linerty (these Russians are so 'terror', not only hacking but coming out with tools to make it easier) that converts the extracted firmware.info back into scatter.txt... You can find the tuts & tools here.
The tuts even show you ways to upload with FlashTool too ! i know there is an upload function but never knew the way to use it though...
Hello balamu96m!
Thank you for your suggestions, that was the website which I first followed instructions for.
As you can see, however, even when Bruno (administrator of the tutorial you provided in the link) opened his scatter file, the nvram partition is not shown. I was able to use the program balamu96m pointed me to and it made perfect backups of all my partitions.
My problem is that SP Flash Tool loads my scatter file and it is the same as Bruno's, which is lacking several partitions, especially the nvram partition.
If I use an updated SP Flash Tool (v5), when I load my scatter file all of my partitions are shown, including nvram, but I have never had any success flashing my phone with that version.
Maybe I can use that version but someone has to help me set up the configuration to flash ... i.e. download with or without battery, com, baud rate, etc.
SP Flash Tool V2.11 was easy to use and straightforward, but even though my scatter lists all my partitions (when I open it in a text editor), it only loads the partitions shown in Bruno's tutorial, not including nvram.
yuweng said:
@Bala
Yo, bro, it's been a while since our last chat! You have been like an android modding/hacking teacher/guru & I'm sure a lot of users will benefit from all of it...
@LeStonga
Yes, in fact you are correct, there is a software by linerty (these Russians are so 'terror', not only hacking but coming out with tools to make it easier) that converts the extracted firmware.info back into scatter.txt... You can find the tuts & tools here.
The tuts even show you ways to upload with FlashTool too ! i know there is an upload function but never knew the way to use it though...
Hi yuweng bro!
It seems miui is going to release their source code........ I read in the Russian forum at 4pda that one mtk6573 was running miui 4 (ics)....... is that true??
So when miui sources are out, can we build one for our mi-357/350n??
Waiting for your reply
@Bala
AFAIK, Miui published part of their source code before the launch of their first android phone, Xiaomi M1, & now they're launching their next version M2 which is based on ARM Cortex-A8 &, coincidentally, it's just been launched today! It's fully supported by the Miui team & it has two ROMs, one ROM for daily use & the other one for you to flash their 'nightly' build. Best is that you can switch over to either one of them at any time! Great for android enthusiasts...
However, of all the hundreds of MT65xx android phone manufacturers all over the world, none of them actually ported it to Miui! There is only one answer to this, it will be copied over to all other MT65xx! That's what Chinese are best at...(Oops, I'm Chinese too...)
So, I think you won't see an official Miui phone on the MT65xx platform... Currently, official Miui ROM is for single SIM... You can check out Miui sources here & here
If it's really true that the Russians have ported Miui to MT65xx, very soon we'll have Miui running on every MT65xx...
What you said on the other thread is true, if Mediatek keeps on keeping their source code, I think very soon they can keep it to themselves forever.... No android enthusiast will ever buy their phone ever... Even HTC has released the source code for a whole bunch of devices recently after being pressured by android enthusiasts...
@LeStonga
AFAIK, FlashTool is not for flashing NVRam(IMEI). However, you can use it to backup NVRam then restore it. Typically, you only need to download boot, recovery, logo, android, usrdata. Normally, i just download 'android' partition only(system.img) I normally put a 'tick' at 'No Action' for NVRam...
There is a thread on how to backup & restore your MT65xx IMEI by cybermaus from just over a week ago...
help help
I have an android phone, China H4300, Mediatek MTK6573. Yesterday, I deleted the stock launcher and factory reset the phone, so I can't use it.
Please help me flash a ROM (I have the ROM) or install the launcher, ...
thank you
vanlaosonya said:
I have an android phone, China H4300, Mediatek MTK6573. Yesterday, I deleted the stock launcher and factory reset the phone, so I can't use it.
Please help me flash a ROM (I have the ROM) or install the launcher, ...
thank you
Do you have modded recovery??
balamu96m said:
Do you have modded recovery??
I only have stock recovery
Thanks it works on my MT6573 phone
Hey balamu....
Can you please tell me how to restore this backup...???
maitreyapatni said:
Hey balamu....
Can you please tell me how to restore this backup...???
Allow me to answer ...
To restore this backup, first you need to convert the firmware.info into your own scatter.txt file. Read here: http://bm-smartphone-reviews.blogspot.com/2012/04/creating-rom-dump-of-your-mt65x3-device.html
Then you run SP Flash Tool, choose your scatter file and the appropriate area to flash. You don't need to flash all areas. Just boot+system (android) to restore is sufficient. You can change the file by double-clicking the appropriate row. Untick to deselect, tick to select which area to flash.
Again, no need to flash the whole thing ... some files contain private info such as nvram/userdata. I've read that many devices have already been bricked by flashing the wrong file (especially uboot) unless it's from your own backup.
no cache.img, system.img, data.img
Hi balamu, I need some help.
I have an MT6516 phone. I followed every step, but 3 files didn't show up, i.e. cache.img, system.img, data.img.
At the end of running the script, gscript shows "no such files". My questions are: is that normal? Are those files important? Any ideas to get these files?
I really need some help here.
So thanks in advance
hisoka8888 said:
Hi balamu, I need some help.
I have an MT6516 phone. I followed every step, but 3 files didn't show up, i.e. cache.img, system.img, data.img.
At the end of running the script, gscript shows "no such files". My questions are: is that normal? Are those files important? Any ideas to get these files?
I really need some help here.
So thanks in advance
They are really important... you can retry the process again... it should work!
silly me
Found out the problem. Looks like I didn't do exactly one of your steps, "extract into sd card". I actually extracted the content into a folder inside the sd card, so gscript couldn't find the "Install" folder. I copied the folder into the sd card root and redid the process, then those files showed up. LOL.
anyway, nice share... :good::good:
n7000 note copy rom file i loss it help
mtk 6573
Please send the ROM file.
Mail id: [email protected]
Thanks in advance
Hi, thanks for the tutorial. I backed up my phone, created the scatter file and all went ok, but now I have one little problem: my phone is a Mobiwire Aquila (MT6573 platform), it has factory recovery e3 and I want to change to CWM, and Bruno says that CWM must be specific to the phone, so is there any chance to find CWM for my phone or any hack/swap from the backup recovery or any other method?
Sorry guys for bad English or wrong section
Thanks

How to extract motoboot.img?

I'm trying to downgrade my bootloader to 4.4, to downgrade the system to SU5-24. If this works, it'll bring many bootloader downgrades to low versions which will allow bootloader unlocks. However, aboot.img and many other necessities are in the motoboot.img, and very basic methods such as WinRAR or 7z don't deal with .img files. So the huge question is how can it be done?
I do not think this will work, as the boot procedure checks certificates stored on the cid partition, and will not let you boot older firmware if a newer one was already run on your phone, see http://forum.xda-developers.com/showpost.php?p=59567559&postcount=86
As for the motoboot.img:
The file seems to contain a 1024-byte header: the first 4 bytes are some magic value, then 32 bytes for each partition inside:
offset 0 -> partition name
offset 24 -> first sector
offset 28 -> last sector
Sector size is 512 bytes, and skip the first 1024 bytes of the file (the header).
Please double check this, as I might be wrong; this is only my own reverse engineering of this file.
View attachment unpack_motoboot.c
this is the code that I used to extract the partition images from the motoboot.img file
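Added example (my own code, not pizmak's unpack_motoboot.c, which is not reproduced on this page): a Python unpacker that follows only the layout described in the post above: a 1024-byte header with a 4-byte magic, then 32-byte entries with the name at 0, a u32 first sector at 24 and a u32 last sector at 28, 512-byte sectors counted from the end of the header. Two things the post does not say and that this script assumes: the entry table ends at the first entry with an empty name, and "last sector" is inclusive (flip `LAST_INCLUSIVE` if every image comes out one sector too long). The sample image is constructed inside the script for a self-test and is not a real motoboot.img. Every slice is bounds-checked, since a header from an untrusted image can point past the end of the file.

```python
"""Unpack motoboot.img using the header layout reverse-engineered in the post."""
import struct
from pathlib import Path

HEADER_SIZE = 1024
ENTRY_SIZE = 32
SECTOR = 512
LAST_INCLUSIVE = True   # ASSUMED; set False if extracted images are 512 bytes too long


def parse_entries(img):
    """Return (magic, [(name, first_sector, last_sector), ...]) from the header."""
    if len(img) < HEADER_SIZE:
        raise ValueError("file shorter than the 1024-byte header")
    entries = []
    for off in range(4, HEADER_SIZE - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = img[off:off + ENTRY_SIZE]
        name = e[:24].split(b"\x00", 1)[0].decode("ascii", "replace")
        if not name:
            break                          # ASSUMED: first blank slot ends the table
        first, last = struct.unpack_from("<II", e, 24)
        entries.append((name, first, last))
    return img[:4], entries


def slice_partition(img, first, last):
    """Bounds-checked slice of one partition's bytes (offsets are untrusted input)."""
    if first > last:
        raise ValueError(f"first sector {first} is after last sector {last}")
    start = HEADER_SIZE + first * SECTOR
    end = HEADER_SIZE + (last + 1 if LAST_INCLUSIVE else last) * SECTOR
    if end > len(img):
        raise ValueError(f"sectors {first}..{last} run past the end of the file")
    return img[start:end]


def unpack(img):
    """Return {name: image_bytes} for every entry described in the header."""
    _, entries = parse_entries(img)
    return {name: slice_partition(img, first, last) for name, first, last in entries}


def unpack_file(path, out_dir):
    """Write each partition to <out_dir>/<name>.img; return the names written."""
    img = Path(path).read_bytes()
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, data in unpack(img).items():
        # never let a header-supplied name escape the output directory
        safe = "".join(c for c in name if c.isalnum() or c in "_-") or "unnamed"
        (out / f"{safe}.img").write_bytes(data)
        written.append(safe)
    return written


def make_sample():
    """Constructed test image (not a real motoboot.img): two entries, 3 data sectors."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:4] = b"MBOT"                                   # placeholder magic
    for i, (name, first, last) in enumerate([("aboot", 0, 1), ("rpm", 2, 2)]):
        off = 4 + i * ENTRY_SIZE
        hdr[off:off + len(name)] = name.encode()
        struct.pack_into("<II", hdr, off + 24, first, last)
    return bytes(hdr) + b"A" * (2 * SECTOR) + b"R" * SECTOR


if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else None
    if src:
        print(unpack_file(src, sys.argv[2] if len(sys.argv) > 2 else "motoboot_out"))
    else:
        print({k: len(v) for k, v in unpack(make_sample()).items()})
```

Run it as `python unpack_motoboot.py motoboot.img outdir`; with no arguments it unpacks the built-in sample. If the real file's magic or entry count disagree with what `parse_entries` reports, the post's layout guess is the first thing to revisit.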
pizmak said:
View attachment 3259841
this is the code that I used to extract the partition images from the motoboot.img file
Can you tell me how you used that code?
Ashutosh15 said:
can u tell how did u used tht code??
Just compile it and run it with one parameter, the path to the motoboot.img file; that's it.

MTK Firmware Backup & Extraction ( All Partitions )

Acquire a similar scatter file for another device.
Use ADB to extract Partition information.
Edit the similar scatter using ADB and the device for reference.
Add the Partition information into the similar scatter.
Test scatter file for proper PMT & HW Chip ID.
Error & Repairs for HW ID Mismatch & PMT Changed.
Test Error repaired scatter to extract Preloader.
Extract preloader from BOOT_0.
Test Preloader with boot.img extraction & download.
Save Scatter file & Preloader into a safe place.
Use Scatter & Preloader for Memory Test.
Use Memory Test information for Read back of entire Memory.
Save Full Read back to a safe place.
Extract System.img, Boot.img, Recovery.img, NVram.img, NVDATA.img, frp.img, Etc.
Compile Firmware for SP Flash Tool.
Edit & Remove proprietary information from firmware for custom release.
Leave stock for stock Firmware extraction.
For pure time-consumption reasons, this guide may take me a while to complete; however, the steps above should give you a rough idea of how everything is going to be written...
To start with, the information is so much at once that I've made a video to help people go along with it...
The video is in 2 parts & in English... Please watch these first; that'll cover about everything in the steps except a few things like compilation of extracted IMG files.
The second video should be watched after the first video, so I've put that link in the description of video 1.
https://youtu.be/e2_U68EGSlY
OK... Now you've seen the instructions, you can work through extracting every partition you'll need for a firmware backup.... You don't need all of them !
After that, Copy the following files (you should now have them all ) to a new folder called Stock Firmware for SP Flash Tool ..
boot.img
cache.img
lk.img
logo.img
preloader.bin
recovery.img
secro.img
system.img
trustzone.bin or .img
userdata.img
MT*****_Android_scatter.txt
Now you need to edit the scatter file using Notepad++ or another program that won't wreck line endings... WordPad & Notepad will wreck line endings and destroy the scatter file.
Edit the scatter file to now have the correct file names, e.g.....
preloader_******_njh_gjb_.bin TO preloader.bin - The same as your copied file name.
boot_example_mt.img TO boot.img - The name of the file for boot.
Now the scatter file, images & preloader should be all together...
ZIP the folder to remove empty space in .img files, Shrink the Firmware to a Zip file.....
You just need to extract the zip file and open the scatter file in SP Flash Tool v5.16+ .. Then select Download to do a firmware installation.
I will edit this guide in time; however, I just wanted to get out how I do this on my MTK devices... People keep asking me how to do it, so I released the video and this extra information for them... I don't make money on YouTube, so everything here is provided free & I don't make any money from helping !!! Sorry about the terrible audio !

Repack AP_---.tar.md5 file with all whatever original signatures

The device is a Sam Gal A11W.
I want to change one text file in the /system partition.
In order to do that, I want to start from the stock firmware I already downloaded, make the change then flash the whole modified firmware.
There are 5 .tar.md5 files (4 if we consider only one of CSC_ and HOME_CSC_) in this firmware, which can be flashed just fine in their original form.
What I want to do is to:
1 - unpack the AP_***.tar file (contains meta-data/fota.zip, boot.img.lz4, carrier.img.lz4, dtbo.img.lz4, metadata.img.lz4, recovery.img.lz4, super.img.lz4, userdata.img.lz4, vbmeta.img.lz4)
2 - unlz4 the super.img.lz4,
3 - unsparse the super.img to super.ext4.img (using simg2img)
4 - lpunpack the super.ext4.img into individual dynamic partitions (there are only 4: odm.img, product.img, system.img, vendor.img - this is NOT an A/B device !!)
5 - modify the text file on system.img
6 - lpmake the super.ext4.img back from odm.img, product.img, system.img, vendor.img
7 - re-sparse the super.ext4.img back into super.img (using img2simg)
8 - lz4 the super.img back into super.img.lz4
9 - Re-TAR the super.img.lz4 file plus all the rest of the original .img.lz4 files back into the AP_***.tar file
10 - Flash the AP_***.tar file to this mother****ing piece of Samsung crap without errors, and that is WITHOUT UNLOCKED BOOTLOADER, because the scumbags eliminated the OEM Unlock option from the Dev Options.
What I already know is:
- How to do the whole process without preserving any signatures.
This is already explained in this thread:
Editing system.img inside super.img and flashing our modifications
I'm trying to modify my system.img (/system/build.prop) to include support for multi users. After struggling a lot, I've succeeded following your guide (that's an awesome work btw) to unpack, mount, modify, umount and repack super.img. Then...
forum.xda-developers.com
but the author assumes the bootloader can be unlocked and therefore doesn't deal with any signatures / security-crypto-baloney checks.
What I (still) need to know is:
1 - How many crypto-security-baloney-whatever-signatures are there on all these files ?
2 - How can I restore them during repackaging so the flashing process does not get screwed up by the locked phone ?
If anyone here knows the answer to these 2 things ... well I guess they must be the Android Godfather Almighty !!
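Steps 3 and 7 of the list above (simg2img / img2simg) only change the container around super.img, not what is inside it. The following is an added example, not code from this thread or from any poster: a small Python implementation of the Android sparse format that packs a raw image into chunks, expands it again and checks the optional CRC32 chunk. The format constants follow the AOSP libsparse layout; the sample image, the function names and the CRC option are my own assumptions.

```python
"""Android sparse-image pack/unpack, i.e. what the simg2img / img2simg steps
of the repack recipe do to super.img.  Added example, not code from the
thread.  Format facts (magic 0xED26FF3A, 28-byte file header, 12-byte chunk
headers, chunk types RAW/FILL/DONT_CARE/CRC32) follow the AOSP libsparse
layout; the sample image below is constructed, not a real super.img."""
from __future__ import annotations
import struct
import zlib

SPARSE_MAGIC = 0xED26FF3A
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
# magic, major, minor, file_hdr_sz, chunk_hdr_sz, blk_sz, total_blks, total_chunks, image_checksum
FILE_HDR = struct.Struct("<IHHHHIIII")
# chunk_type, reserved, chunk_sz (in blocks), total_sz (bytes, header included)
CHUNK_HDR = struct.Struct("<HHII")


def sparsify(raw: bytes, blk: int = 4096, add_crc: bool = False) -> bytes:
    """img2simg equivalent: all-zero blocks become DONT_CARE, blocks made of one
    repeated 32-bit word become FILL, everything else is carried RAW.  Runs of
    the same kind are merged into one chunk."""
    if len(raw) % blk:
        raise ValueError("image size must be a multiple of the block size")
    chunks: list[list] = []  # [type, block count, payload]
    for i in range(0, len(raw), blk):
        b = raw[i:i + blk]
        if b == bytes(blk):
            kind, payload = CHUNK_DONT_CARE, b""
        elif b == b[:4] * (blk // 4):
            kind, payload = CHUNK_FILL, b[:4]
        else:
            kind, payload = CHUNK_RAW, b
        last = chunks[-1] if chunks else None
        if last and last[0] == kind and (kind != CHUNK_FILL or last[2] == payload):
            last[1] += 1
            if kind == CHUNK_RAW:
                last[2] += payload
        else:
            chunks.append([kind, 1, payload])
    if add_crc:  # optional trailing CRC32 over the whole expanded image
        chunks.append([CHUNK_CRC32, 0, struct.pack("<I", zlib.crc32(raw))])
    body = b"".join(CHUNK_HDR.pack(k, 0, n, CHUNK_HDR.size + len(p)) + p for k, n, p in chunks)
    hdr = FILE_HDR.pack(SPARSE_MAGIC, 1, 0, FILE_HDR.size, CHUNK_HDR.size,
                        blk, len(raw) // blk, len(chunks), 0)
    return hdr + body


def unsparse(simg: bytes) -> bytes:
    """simg2img equivalent.  Raises ValueError on a malformed image or on a
    CRC32 chunk that does not match the data expanded so far."""
    (magic, major, _minor, fhs, chs, blk,
     total_blks, total_chunks, _cksum) = FILE_HDR.unpack_from(simg, 0)
    if magic != SPARSE_MAGIC or major != 1 or fhs != FILE_HDR.size or chs != CHUNK_HDR.size:
        raise ValueError("not an Android sparse image")
    out, off = bytearray(), fhs
    for _ in range(total_chunks):
        ctype, _res, nblk, total_sz = CHUNK_HDR.unpack_from(simg, off)
        payload = simg[off + chs:off + total_sz]
        off += total_sz
        if ctype == CHUNK_RAW:
            if len(payload) != nblk * blk:
                raise ValueError("RAW chunk size mismatch")
            out += payload
        elif ctype == CHUNK_FILL:
            out += payload[:4] * (nblk * blk // 4)
        elif ctype == CHUNK_DONT_CARE:
            out += bytes(nblk * blk)
        elif ctype == CHUNK_CRC32:
            (want,) = struct.unpack("<I", payload[:4])
            if zlib.crc32(out) != want:
                raise ValueError("CRC32 chunk mismatch")
        else:
            raise ValueError(f"unknown chunk type 0x{ctype:04x}")
    if len(out) != total_blks * blk:
        raise ValueError("expanded size does not match total_blks")
    return bytes(out)


def is_valid_sparse(simg: bytes) -> bool:
    try:
        unsparse(simg)
        return True
    except (ValueError, struct.error):
        return False


def chunk_count(simg: bytes) -> int:
    return FILE_HDR.unpack_from(simg, 0)[7]


def build_sample_image(blk: int = 4096) -> bytes:
    """Constructed 8-block 'partition': data, two empty blocks, a fill block,
    more data, three empty blocks.  A stand-in for a real image, nothing more."""
    data1 = bytes(range(256)) * (blk // 256)
    fill = b"\xef\xbe\xad\xde" * (blk // 4)
    data2 = b"constructed sample block".ljust(blk, b"\xaa")
    return data1 + bytes(2 * blk) + fill + data2 + bytes(3 * blk)


def roundtrip_ok() -> bool:
    raw = build_sample_image()
    return unsparse(sparsify(raw, add_crc=True)) == raw


if __name__ == "__main__":
    raw = build_sample_image()
    simg = sparsify(raw, add_crc=True)
    print(f"raw {len(raw)} bytes -> sparse {len(simg)} bytes in {chunk_count(simg)} chunks")
    print("round trip intact:", roundtrip_ok())
```

Running it shows the three chunk kinds and why a sparse super.img is much smaller than its expanded size. The CRC32 chunk, when present, only detects corruption of the expanded data; it is unrelated to the signatures the question asks about, which the sparse wrapper neither adds nor removes.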
have you figured this out?
FugkGoocle said:
The device is a Sam Gal A11W.
I want to change one text file in the /system partition.
[...]
Try using modified/patched Odin. As for trying to bypass unlocking the bootloader to flash the modified firmware or trying to "mimic" or "fake" the original signature, that isn't going to work. Samsung's proprietary signature is an enigma that can't be cracked. Though you might be able to match the MD5 by adding a dummy file to the file you are modifying and filling it bit/byte by bit/byte, one step at a time, the goal is to add characters to the file until it is large enough to make your modified file match the original file's MD5. That is if your modified file is smaller than the original file; if your modified file is larger than the original file, you can delete unimportant files from the modified MD5 file until it is smaller than the original MD5 and then create the dummy file filled with dummy characters until it exactly matches the original MD5 bit for bit. Then try flashing your MD5 file once you get its MD5 code matching bit for bit. Try the patched version of Odin to flash your modified file. No guarantees that it will work, but part of the security checks during flashing checks the MD5 for a match/mismatch.
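The .tar.md5 container itself has one check that any repack has to redo regardless of what is inside the images: an md5sum-style line appended after the tar data. As an added example (not from any poster in this thread), the Python below builds such an archive from constructed placeholder members, splits off the trailer using the fact that tar data is 512-byte aligned, lists the members and verifies the digest. The member contents, the archive name and the function names are assumptions; the trailer layout (hex digest, two spaces, file name, newline, computed over the preceding tar bytes) is the format this example assumes.

```python
"""Build and verify the MD5 trailer of an Odin-style .tar.md5 archive.  Added
example, not from the thread.  Assumed format: a plain tar (512-byte aligned)
followed by one md5sum-style line '<hex digest>  <file name>\\n' computed over
the tar bytes; the member contents below are constructed placeholders."""
from __future__ import annotations
import hashlib
import io
import tarfile


def make_tar_md5(members: dict[str, bytes], archive_name: str) -> bytes:
    """Pack members into a tar and append the checksum line (the re-tar of step 9)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), 0
            tf.addfile(info, io.BytesIO(data))
    tar_bytes = buf.getvalue()
    return tar_bytes + f"{hashlib.md5(tar_bytes).hexdigest()}  {archive_name}\n".encode()


def split_tar_md5(blob: bytes) -> tuple[bytes, str, str]:
    """Separate the tar body from the trailer: tar data is a multiple of
    512 bytes, so whatever is left over at the end is the checksum line."""
    tail_len = len(blob) % 512
    if tail_len == 0:
        raise ValueError("no MD5 trailer found (file is 512-byte aligned)")
    body, tail = blob[:-tail_len], blob[-tail_len:]
    digest, _, name = tail.decode("ascii").rstrip("\n").partition("  ")
    if len(digest) != 32 or not name:
        raise ValueError("malformed MD5 trailer")
    return body, digest, name


def verify_tar_md5(blob: bytes) -> bool:
    """True when the trailer digest matches the tar body it was computed over."""
    try:
        body, digest, _ = split_tar_md5(blob)
    except (ValueError, UnicodeDecodeError):
        return False
    return hashlib.md5(body).hexdigest() == digest


def member_names(blob: bytes) -> list[str]:
    """List the archive members (the *.img.lz4 files of step 1)."""
    body, _, _ = split_tar_md5(blob)
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tf:
        return tf.getnames()


def sample_archive() -> bytes:
    # Constructed stand-ins, not real firmware images.
    return make_tar_md5({"vbmeta.img.lz4": b"constructed vbmeta placeholder",
                         "super.img.lz4": bytes(700)}, "AP_EXAMPLE.tar")


if __name__ == "__main__":
    blob = sample_archive()
    print(member_names(blob), "trailer ok:", verify_tar_md5(blob))
    tampered = bytearray(blob)
    tampered[600] ^= 0x01  # one flipped bit inside the tar body
    print("after modifying the tar body:", verify_tar_md5(bytes(tampered)))
```

The trailer is a checksum over the archive bytes, so a repacked tar needs a freshly computed line; a single flipped bit anywhere in the body makes verification fail.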
Rab_DaJew said:
have you figured this out?

Scatter Firmware For LGk10 2017 m250n

Can someone help me find a scatter firmware for my lg k10 2017 mt6750. I’m using sp flash tool .I have searched online but I still didn’t get it. My phone is bricked. I can’t get into recovery and download mode. I tried extracting it from kdz rom, but It has not been a success.
hello
if you want to extract LGk10 2017 m250n kdz firmware , you can use this tool
Download LG Firmware Extract Tool (.kdz .dz extract tool)
Download LG Firmware Extract Tool which helps LG users to extract the contents of any KDZ or DZ Firmware (ROM) on the computer.
androidmtk.com
yakapa40 said:
hello
if you want to extract LGk10 2017 m250n kdz firmware , you can use this tool
[...]
I used it, but the system.bin is split into multiple files, so I had to flash them one at a time into the system partition. And it didn’t work out for me; it still bootloops. I get an error when I flash the laf and cust files.
I've made a scatter file once for this. Can be found by searching..
At that time sp flash tool wasn't workable solution..
Hacks have been improved since.
I would now use mtkclient.
You can join that system with that tool..
CXZa said:
I've made a scatter file once for this. Can be found by searching..
[...]
I have tried the mtk client. I also get errors with that. It frequently disconnects with my phone.
If you want only one file for system, click: Merge system bin, and in the Merge output folder you will have system.img
yakapa40 said:
if you want only one file for system click :Merge system bin and in Merge output folder you will have system.img
View attachment 5901631
I did that but I couldn’t load the file.
Young540 said:
I did that but I couldn’t load the file.
Ah, it might be Android 8 then.. don't remember much anymore... for some reason I made some tools that I've not released for the kdz/tot files.
Mainly because there are some python tools that can do most of them... but one has to find the right one for the version.
I wanted it to extract them all.. but the variations.. like 90% goes fine... but then there are some (rare?) weird differences in these kdz/tot files..
Don't know what version is the best at the moment, but this that @haise.zero mentions here works in many newer cases...
GitHub - haise0/kdz-toolkit: A list of script tools, informational resources, and analysis reports for LG KDZ firmware files.
A list of script tools, informational resources, and analysis reports for LG KDZ firmware files. - GitHub - haise0/kdz-toolkit: A list of script tools, informational resources, and analysis reports...
github.com
Check Hovatek too... they have sometimes some good findings...
Spoiler: This was nice... Thanks, Haise!
Edit... missed the pic... so it was the sp tool that doesn't load the file....
The scatter I made if it makes any difference...
Nuked LAF = No Download Mode,always without fastboot
Hello everyone, today I made a bull****, let's start from the beginning, my K10 2017 M250n had Android Oreo and I had come to know the exploit LGLAF, I tried, and did not work because I discovered that the flaw was patched on Android Oreo but I...
forum.xda-developers.com
Mtkclient: Try the LiveDVD if it makes any difference...
GitHub - bkerler/mtkclient: MTK reverse engineering and flash tool
MTK reverse engineering and flash tool. Contribute to bkerler/mtkclient development by creating an account on GitHub.
github.com
CXZa said:
The scatter I made if it makes any difference...
[...]
I tried your scatter file. The laf failed again.
CXZa said:
The scatter I made if it makes any difference...
[...]
this is the output I got when I flashed the laf with mtk client
Failed to write laf_102400.bin to sector 102400 with sector count 57344
Young540 said:
flashed the laf with mtk client
That's not the LiveDVD, i.e. Linux.. I run it in VirtualBox... just had to put the MTK vendor ID in the USB settings so it catches them all..
The loader file I used was MTK_AllInOne_DA_5.2136.bin, removed the others...
Nice GUI, but if it errors it just halts... and when relocking the bootloader the seccfg wasn't exactly the same as before, so do a backup first...
Don't know if these are fixed now...
Thanks for your help. I’ve been able to flash the laf by using a bypass trick. Thanks for your help.
First, the tools I used were HxD editor, a hex calculator, notepad and SP Flash Tool. I added the lk and the laf partition sizes together using the hex calculator. Then I changed the partition size of the lk partition to the sum of the lk and laf partitions in the scatter file with notepad. Then I deleted the laf partition from the scatter file in notepad. I opened the pgpt.bin in the hex editor, then I deleted the last zeros found under the pgpt partition. I saved it, leading to a reduction in the pgpt.bin size. Then I opened both the laf.bin and lk.bin in the hex editor. I copied the data in the laf.bin, then I pasted it after the end of the data found in the lk partition. Then I saved it; this increased the lk partition size. Then I loaded the scatter file in SP Flash Tool. Then I did Format All + Download. It did that successfully. Then I flashed only the pgpt.bin. This time I didn’t format it. After that I was able to flash with the LG UP tool and it worked like a charm.
*Note: I added the lk and the laf because on my device the laf is next to the lk. So it depends on how they follow each other on your device. I saw a similar post on hovatek forum "How to bypass verified boot is enabled error in sp flash tool" and I followed the steps. They also have a video in the post explaining it. So it’s recommended to check there if you have the same problem.
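Two checks worth running on a scatter file before pressing Download, covering both the file-renaming step of the SP Flash Tool backup guide earlier in this thread (file_name entries and line endings) and the note above that concatenating two partitions only makes sense when they are contiguous on the device. This is an added example, not code from the thread or from any poster: Python that parses the YAML-like v2 scatter layout; SAMPLE_SCATTER, its addresses, its file names and the set of available files are constructed and do not describe a real m250n layout.

```python
"""Sanity checks on an MTK SP Flash Tool scatter file before pressing Download.
Added example, not from the thread: parses the v2 YAML-like scatter layout.
SAMPLE_SCATTER is a constructed, cut-down file with made-up addresses (most
keys of a real scatter are omitted here)."""
from __future__ import annotations
import re

SAMPLE_SCATTER = b"""\
- general: MTK_PLATFORM_CFG
- partition_index: SYS0
  partition_name: preloader
  file_name: preloader_example.bin
  is_download: true
  linear_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
- partition_index: SYS1
  partition_name: lk
  file_name: lk.bin
  is_download: true
  linear_start_addr: 0x2000000
  partition_size: 0x80000
  region: EMMC_USER
- partition_index: SYS2
  partition_name: laf
  file_name: laf.bin
  is_download: true
  linear_start_addr: 0x2080000
  partition_size: 0x1C00000
  region: EMMC_USER
- partition_index: SYS3
  partition_name: boot
  file_name: boot_example.img
  is_download: true
  linear_start_addr: 0x3C80000
  partition_size: 0x1000000
  region: EMMC_USER
"""


def parse_scatter(raw: bytes) -> list[dict]:
    """One dict per '- partition_index:' block; hex addresses and sizes become ints."""
    parts, cur = [], None
    for line in raw.decode("utf-8-sig").splitlines():
        m = re.match(r"^\s*(?:-\s+)?(\w+):\s*(.*?)\s*$", line.split("#", 1)[0])
        if not m:
            continue
        key, val = m.groups()
        if key == "partition_index":
            cur = {}
            parts.append(cur)
        elif key == "general":
            cur = None  # the header block is not a partition
        if cur is None:
            continue
        if key.endswith("_addr") or key == "partition_size":
            cur[key] = int(val, 16)
        elif val in ("true", "false"):
            cur[key] = val == "true"
        else:
            cur[key] = val
    return parts


def check_line_endings(raw: bytes) -> list[str]:
    """Cheap checks for what the wrong editor can leave behind: a BOM or mixed CR/LF."""
    issues = []
    if raw.startswith(b"\xef\xbb\xbf"):
        issues.append("UTF-8 BOM at start of file")
    crlf = raw.count(b"\r\n")
    lf = raw.count(b"\n") - crlf
    if crlf and lf:
        issues.append(f"mixed line endings ({crlf} CRLF, {lf} LF)")
    return issues


def plan_file_names(parts: list[dict], available: set[str]) -> dict[str, str | None]:
    """Map each missing file_name to the file named after its partition
    (boot_example.img -> boot.img), or None if no such file is in the folder."""
    plan = {}
    for p in parts:
        if p.get("is_download") and p["file_name"] not in available:
            cand = f"{p['partition_name']}.{p['file_name'].rsplit('.', 1)[-1]}"
            plan[p["file_name"]] = cand if cand in available else None
    return plan


def layout_report(parts: list[dict], region: str = "EMMC_USER") -> dict[str, list]:
    """Sort one region by address, flag overlaps, and list contiguous pairs
    (the precondition for merging two partitions into one image)."""
    ps = sorted((p for p in parts if p.get("region") == region),
                key=lambda p: p["linear_start_addr"])
    report: dict[str, list] = {"overlaps": [], "adjacent": []}
    for a, b in zip(ps, ps[1:]):
        end = a["linear_start_addr"] + a["partition_size"]
        if b["linear_start_addr"] < end:
            report["overlaps"].append((a["partition_name"], b["partition_name"]))
        elif b["linear_start_addr"] == end:
            report["adjacent"].append((a["partition_name"], b["partition_name"]))
    return report


if __name__ == "__main__":
    parts = parse_scatter(SAMPLE_SCATTER)
    print("line endings:", check_line_endings(SAMPLE_SCATTER) or "ok")
    print("renames:", plan_file_names(parts, {"preloader.bin", "lk.bin", "laf.bin", "boot.img"}))
    print("layout:", layout_report(parts))
```

plan_file_names returns None for an entry that has no matching file in the folder, which is what to fix before loading the scatter; layout_report lists overlaps (for instance an edited partition_size that now runs into its neighbour) alongside the contiguous pairs.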
Young540 said:
First, the tools I used were HxD editor, a hex calculator, notepad and SP Flash Tool.
[...]
Interesting...
