Database Info

[Q] Help with Unlocking -weird things when trying to unlock Samsung Galaxy Gio

I bought my first smart phone Samsung Gio S5660M and tried to unlock it. I tried different ways but weird things happened and I don’t know what causes the problem. I was wondering whether the unlock code would change if I did something to the phone. Now the phone is still locked and I really need and appreciate your help.
First I used the method in the link: http://forum.xda-developers.com/showthread.php?t=1204705 to root and unlock the phone but was not able to finish it. The steps that I have completed are as follows:
To root the phone:
1. Download this file http://www.mediafire.com/download.php?jzvnlbhidsd5f6l
2. Copy root_gb_gio.zip to the root of the SD card and put the card in the phone
3. Shutdown the phone.
4. Put the phone in recovery Mode (press: Home button + Power button toghether)
5. In recovery mode, choose Install Update from SD-card using Vol. up / down key and press Home key to confirm
6. Search for the root_gb_gio.zip file on the SD-card and Press home key again to run the update
7. Reboot
8. Verify in the app folder if SuperUser app is installed properly
9. Reboot
Network Unlock (using ADB Shell from PC).
1. Download and install Samsung Kies to the PC from here: http://www.samsungapps.com/about/onPc.as, also install Samsung USB Driver
2. Download and install ADB which comes with Android SDK from: http://developer.android.com/sdk/index.html
-Go to the "Available Packages" Option on the left Menu
-Click on the "Refresh" Button on the bottom Right and wait until it finish
-From Items select the "Andoid SDK platform-tools, revision 6" Item
-Click the "Install Selected" button on the botton right and wait until it finish then close the Android SDK
3. Add the correct path
-Right-click on Computer Icon (on your Desktop) and select "Properties" from the menu,
-On My PC Properties select the "Advanced Options" Tab
-Click "Advanced System Settings"
-Click "Environment Variables"
-Highlight the "Path" Variable and click the "Edit"
-At the end of the line (and path) add the path: ;C:\Program Files\Android\android-sdk\platform-tools
4. Connect the phone to the computer via the USB cable
-Click on the start button and open the "Run" option, on Run type cmd.exe and press enter. A command prompt window popped out.
-Type the next text to access the ADB Shell: cd C:\Program Files\Android\android-sdk\platform-tools
-Type: adb shell
-Now in adb shell (and executing commands on the phone itself)
-Type the next command: su
-The superuser application popped up on the PHONE SCREEN (yes take a look at the phone screen) asking to allow root privileges to the adb shell. Choose Allow root access for the ADB shell on the phone.
-Type: cd /
-Type : mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: cat /efs/mits/perso.txt
got a bunch of characters on the screen and a 8 digit number, the unlock code, which is 28572603
-Type: unmount /efs (It should umount /efs, but I typed it wrong)
5. Disconnect the USB cable from the phone
6.Turn the phone off and insert the SIM card
7. Turn on the phone
In the last step it should ask for the unlock code to unlock the phone, however, it didn’t ask for the unlock code. Instead there was a message: “Phone is SIM Corporate Locked” and there is nowhere to input any code.
When I typed “*#7465625#, the result is as follows: Network Lock [OFF], Network Subset Lock [OFF], SP Lock [OFF], CP Lock [ON]. Note that the corporate lock is on. But I could access menu with the foreign SIM card in the phone. When I tried to dial “*#7465625*638*28572603” or “#0111*28572603” with or without foreign SIM card, the message is always something like network not available (cannot recall the exact words). When I went to a FIDO kiosk for help (SIM card is from FIDO), they told me to unroot the phone so that the phone could ask for the unlock code.
I googled corporate lock/SPCK code on the Internet and there is such message: “In 1% of cases to unlock samsung SPCK code is need”, I called Samsung for help with SPCK code. The technical support in Samsung asked me to factory reset the phone by typing “*2767*3855#”. After the reset, the status of the locks were still the same as before, so is the message “Phone is SIM Corporate Locked”. Then Samsung told me that they don’t have SPCK code. I noticed that SuperUser icon was still on the menu after the factory reset.
A further search showed the unlock method of mapping image partition from: http://forum.xda-developers.com/showthread.php?t=1244695 and http://forum.xda-developers.com/showpost.php?p=17148825&postcount=334 (same method). When I went to Shell and typed “su”, not sure whether because of the factory reset or not, superuser or admin denied, so I redid the rooting by following the previous steps, but it only took a few seconds to finish it. Then the steps I followed were:
1, first, go to the command line of pc.(win xp "start->run->cmd" )
and type "cd\", now in the root of the hard drive (also tried cd \Program Files\Android\android-sdk\platform-tools)
2, second, type "adb shell".
3, after that, type "su".
4, then, type "cat /dev/bml5>/sdcard/bml5.img"
5, type twice "exit" to disconnect with gio.
6, type "adb pull /sdcard/bml5.img"
But there is an error message “remote object /sdcar/bml5.img does not exist". I just repeated the steps a few minutes ago to get a few screenshots:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
(using cd \Program Files\Android\android-sdk\platform-tools)
(using cd \)
(a different error: so I used mount command)
I think at this point (cannot recall after the following tries or at this time) that I inserted a foreign SIM card, the phone began to show message “Network Locked”, took out the foreign SIM card, typed “*#7465625#", weird enough, the result changed to: Network Lock [ON], Network Subset Lock [OFF], SP Lock [OFF], CP Lock [OFF]. Corporate lock is gone but the network lock came back. I don’t know the reason – is that because I did factory reset?
I put the foreign SIM card back to the phone, input the unlock code generated earlier “28572603”, but it was not successful. I decided to go back to the first method (ADB shell from PC) to generate the unlock code again to see whether the result code is the same. However, weird gain, this time no code at all. I reproduced the screenshot a moment ago for the result (I had to cut the screen into two half):
The third method I tried is to unlock the phone by using Android Terminal Emulator, the steps were:
- In Android Market, download and install Android Terminal Emulator
- Boot up the Android Terminal Emulator application
-Using the on-screen keyboard, type su, allowed the permission from the prompt
-Type: cd /
-Type : mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: cat /efs/mits/perso.txt
The desire result should be a bunch of characters on the screen and a 8 digit number. However, I didn’t get the desire result – it seems that the result is the same as using the first method after factory reset, here is the screenshot (it seems that the shot is incomplete, but I had a hard time to get even such an incomplete shot – the shell would exit when I tried to screenshot):
My questions are: why the same method cannot generate the same code? Is it because I did something to the phone, like factory reset? The unlock code will change because of the situation or it will always keep the same? Why I cannot see the bml5.img? Is it possible I damaged it by chance? I am also worried that now even if I buy uncode code from GSMLiberty, it would not work any more because of what I did to the phone. Is it possible so? What is my option now? (I tried the code once, so I still have another two chances to input unlock code). Is what has happened weird or there is a reason for that?
Thank you very much.

I also pulled the perso.txt file onto my PC and reviewed it in XVI32. It does not look like any of the files others mentioned (a lot of 00 or FF followed by a number). Attached here is perso.txt. Is my perso.txt corrupted? If yes, how can I recover it? Thanks.

As far as I know, you're the first person that's reported seeing a CP lock on this phone... One possibility is that this happened instead of plain old bricking when you mistyped the umount command the first time around.
Is your IMEI still intact?
Did you reboot the phone since your third attempt?
Did you by any chance keep the first perso.txt you cat'ed on your first attempt?
The suggestion below is at best a shot in the dark and could very well worsen the situation. With that out of the way...
If your IMEI is still intact, you could try booting in CWM, mounting /efs as rewritable, and upload the attached perso.txt, unmount efs and reboot. The file is simply my own perso.txt, from an unlocked 5660M, with your unlock code put in place of mine in a Unix line-ending aware editor. (Another, albeit riskier possibility would be to mount rewritable in the main OS and cat the file into place, then unmount and reboot.)
Good luck,
Darkshado

Thank you, Darkshado, for answering my questions.
Yes the IMEI is still intact. What is weird is that now CP is off and network lock is on after I don't know which operation - I thought it should be due to the factory reset, but after factory reset, the status was still CP [ON] and network lock [OFF]. The I did reroot. The phone was rebooted many times after each attempt, and I only input unlock code once so I still have another two chances.
No I didn't make a copy of the original perso.txt as I almost knew nothing when I first tried.
About unmount mistake, is it so severe if there is a typo? My thought was that mounting and unmounting just control access to the file. When we mount a file, we get access to the file. If we forget to unmount it, it leave a hole for others to access. Is my understanding right? If yes, the typo in unmount command for the first method should not be a big deal as I rebooted the phone after an probably unsuccessful unmount.
As to the perso.txt, what I guess is that the file perso.txt contains all the unlock codes and when we input unlock code from the screen, the system will compare the input code with the code in perso.txt. If they are the same, unlock succeeds, which is similar to using password when we login anywhere. Am I right?
I actually think that uploading your perso.txt mught be a solution. But before doing that, I think it is better to compare your perso.txt with another perso.txt from another phone to see whether the difference is only the unlock code. If yes, the solution will succeed. However, if the perso.txt files from different phones are quite different -like the location of the unlock code and other data that is not 00 or FF, there is a good chance that it's very risky. Do you have another perso.txt available? Or anybody in the forum has a perso.txt available to compare?
My other question is how useful is this perso.txt. If I delete it totally by chance and ask people to unlock the phone from hardware, will the system still operate normally?
I'm going to try to factory reset the phone and reroot again - My PC is in repair and I'll try after I get my PC back - to see whether perso.txt could be restored. Do you have bml5.img in your phone? I don't know why I don't have it on my phone. But from the forum, it looks like that the bml5.img is very similar to perso.txt, only 00 becomes FF or vice verse.
Thanks again for your help.

SPnewb said:
Thank you, Darkshado, for answering my questions.
Yes the IMEI is still intact. What is weird is that now CP is off and network lock is on after I don't know which operation - I thought it should be due to the factory reset, but after factory reset, the status was still CP [ON] and network lock [OFF]. The I did reroot. The phone was rebooted many times after each attempt, and I only input unlock code once so I still have another two chances.
Click to expand...
Click to collapse
That is very strange. What, if any, SIMs did you have in the phone when attempting the unlock at the different stages? Was the Fido SIM in at any time before trying to get an unlock code prompt?
As far as I know, the factory reset operation, at least when triggered from recovery, only wipes the /data and /cache partitions. Is anything done to NV items? I don't have any data to tell.
About unmount mistake, is it so severe if there is a typo? My thought was that mounting and unmounting just control access to the file. When we mount a file, we get access to the file. If we forget to unmount it, it leave a hole for others to access. Is my understanding right? If yes, the typo in unmount command for the first method should not be a big deal as I rebooted the phone after an probably unsuccessful unmount.
As to the perso.txt, what I guess is that the file perso.txt contains all the unlock codes and when we input unlock code from the screen, the system will compare the input code with the code in perso.txt. If they are the same, unlock succeeds, which is similar to using password when we login anywhere. Am I right?
Click to expand...
Click to collapse
Your understanding about mounting and unmounting is correct, but I am not certain that perso.txt is actually used by the phone to check the unlock code. It may also be written there for some other reasons...
The problem with our phones is that corruption has occurred by merely reading the stl5 partition the wrong way.
I actually think that uploading your perso.txt mught be a solution. But before doing that, I think it is better to compare your perso.txt with another perso.txt from another phone to see whether the difference is only the unlock code. If yes, the solution will succeed. However, if the perso.txt files from different phones are quite different -like the location of the unlock code and other data that is not 00 or FF, there is a good chance that it's very risky. Do you have another perso.txt available? Or anybody in the forum has a perso.txt available to compare?
My other question is how useful is this perso.txt. If I delete it totally by chance and ask people to unlock the phone from hardware, will the system still operate normally?
Click to expand...
Click to collapse
The idea of comparing some perso.txt files is good, but so far all the perso.txt files I've seen uploaded came from the Euro/Asia 5660 Gio, so we'd need files from a 5660M. They did look almost identical to mine though, with essentially a Bell network identifier at the beginning that wasn't present at all in theirs. One person with a 5660 also posted a before/after set, and the file does change a little after the unlock.
I've been reluctant to try too many things on my EFS partition, like deleting perso.txt to see how the phone reacts, for fear of bricking it.
I'm going to try to factory reset the phone and reroot again - My PC is in repair and I'll try after I get my PC back - to see whether perso.txt could be restored. Do you have bml5.img in your phone? I don't know why I don't have it on my phone. But from the forum, it looks like that the bml5.img is very similar to perso.txt, only 00 becomes FF or vice verse.
Thanks again for your help.
Click to expand...
Click to collapse
There are two "levels" you can access the partitions on the phone. stl is a higher level access, with which you can get correct RFS partitions for instance, while bml is a lower, block-level access. perso.txt is simply a file contained in stl5, also known as the /efs partition. You can read its contents in a round-about way via bml, but you wouldn't want to flash an /efs, /system/ or /data partition through bml.
Unlike reading stl5, reading bml5 has not caused anyone bricking so far. bml5 is sufficient to get the unlock code as well.
Good luck,
Darkshado

Hi Darkshado,
Thank you very much for your help.
Darkshado said:
That is very strange. What, if any, SIMs did you have in the phone when attempting the unlock at the different stages? Was the Fido SIM in at any time before trying to get an unlock code prompt?
Click to expand...
Click to collapse
The phone was locked to Bell, and my SIM card is from FIDO. I also got a Rogers SIM card for testing. When I rooted and generated teh code, I didn't have any SIM card in the phone. When I inserted Fido card after teh first attempt, I got the message " Phone is SIM Coperated locked" [i.e. when CP lock is On and other locks OFF], but I could still use the other functions of the phone. When the CP lock is OFF and Network lock is ON, I could not use the phoen at all because teh screen asked to input unlock code. If no input orcode is wrong, I cannot use the phone at all. Without SIM card, I could still use other functions of the phone.
As far as I know, the factory reset operation, at least when triggered from recovery, only wipes the /data and /cache partitions. Is anything done to NV items? I don't have any data to tell.
Click to expand...
Click to collapse
What is NV items? Can you tell me how I can tell where to see NV items?
Your understanding about mounting and unmounting is correct, but I am not certain that perso.txt is actually used by the phone to check the unlock code. It may also be written there for some other reasons...
Click to expand...
Click to collapse
I was wondering whether the perso.txt is like config file?
The problem with our phones is that corruption has occurred by merely reading the stl5 partition the wrong way.
Click to expand...
Click to collapse
perso.txt is simply a file contained in stl5, also known as the /efs partition. You can read its contents in a round-about way via bml, but you wouldn't want to flash an /efs, /system/ or /data partition through bml.
Click to expand...
Click to collapse
I cannot think of where I read the partition wriong other than I might hav etyped the wrong unmount for the first time followed by a reboot. I actually thinking of falshing the phone, but for the moment I have not read anything about flash yet and have no idea where to find the proper version of files to falsh.
When I pull the perso.txt to PC, I seemed to use the following method (my PC is still in repair so I cannot verify ):
-Type: adb shell
-Now in adb shell
-Type: su
- allow root privileges to the adb shell.
-Type : mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: exit twice to exit shell
-Type: adb pull /efs/mits/perso.txt
-Type: adb shell (to go back to shell)
-Type: umount
Is there any risk with this method?
About perso.txt,
One person with a 5660 also posted a before/after set, and the file does change a little after the unlock.
Click to expand...
Click to collapse
I will try to see whether I could get some perso.txt files from anotehr forum (redflagdeals). Can you tell me where I can find the before/after set?
Thank you again very much.
Cathy

Hello Cathy,
One big piece of advice I can give you is to try and have a basic understanding of whatever command it is you're typing in an ADB shell.
The "cat" command can take one or many standard inputs (we'll stick to files for now) and output them to a standard output; in our case, the screen or another file.
Its one way of copying a file, or simply seeing its contents depending on where you send it.
With multiple files in the input, you're concatenating them before they get output.
I would not try the method in your last post AT ALL. You already have your code, and I see no reason why your current perso.txt would be of any use. It is a configuration file, it has to do with the various locks, but I wouldn't be able to tell you more. The way yours has been "corrupted" (I'm employing the term loosely here) may be the reason you've seen that CP lock appear. It may also have altered your Network unlock code in unforeseen ways.
I don't remember anyone trying to directly adb pull perso.txt from the /efs partition off a live phone. Do this at your own risk.
The problems we've seen occur are in all likelyhood due to interference between the modem firmware and the higher-level Android OS. That's why even normally "harmless" read commands have caused problems.
The dd command, as well as leaving /efs mounted on normal mode phone shutdown are constants in multiple bricking cases on the Gio and other similar Samsung phones like the Galaxy Ace and Mini.
The lower-level bml5 partition has been deemed safe to read with the dd command so far, even from a live phone.
Completely disable the modem firmware, like in recovery mode, and you can access, and even edit, the /efs partition in a relatively safe manner.
Something interesting happened as I began writing this: I don't know how or when this happened, but I somehow had relocked my phone to Bell!
I decided to try the lock status code you posted above and saw "Network Lock: ON" Slipping another SIM (an unactivated Koodo one) in my Gio prompted for the unlock code, which I typed and got a network unlocked message.
I took another look at the perso.txt file I had modified for you and recognized a number near the beginning: 302610 that's the Bell MNC! I rebooted in recovery, mounted /efs and adb pulled perso.txt again (safe because I was in recovery mode). The file has the exact same length, and a few differences visible in Winmerge or a hex editor of your choosing.
I turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell.
You also asked about NV items: they're phone settings common to all Qualcomm cellular modem based cellphones. GSM and WCDMA antenna power and gain settings, factory test mode, IMEI, there are thousands.
In the case of the Gio, some are accessible off the EFS (stl5) partition in the /nvm/num/ directory. Others, like the IMEI unfortunately, are stored elsewhere in the phone, I don't know where. We can read all the settings by using two leaked Samsung programs, named QPST and QXDM respectively. We can edit some of them, but unless you know exactly what you're doing, this is an easy way to completely mess up a phone.
One last silly question: did you have a MicroSD memory card in the phone when you tried cat'ing bml5 to /sdcard on your second attempt?
Okay. I think there is a way to solve your unusual lock problems, try the following steps:
Get Odin here
Get the latest Odin-flashable Gio ClockworkMod-based recovery available on XDA.
Download the perso_Cathy.txt attached below.
Flash the CWM-based recovery to your phone.
Reboot in recovery mode and connect the phone to your computer.
In Windows Explorer, go to the directory you've saved perso_Cathy.txt, and shift+right-click on the directory. Open command line from here. (Otherwise, open a command line window and cd to that directory.)
adb shell (notice your shell is already # aka root)
mount -o nosuid,rw,nodev -t vfat /dev/block/stl5 /efs (notice we're mounting rewritable this time)
exit (this will take you back to the regular command line)
adb push perso_Cathy.txt /efs/mits/perso.txt (so we're pushing and renaming at the same time)
adb shell umount /efs (I doubt this is *really* necessary, but better safe than sorry. You can send single commands to the shell this way)
adb reboot
The phone should already be unlocked on reboot.
Good luck,
Darkshado

Hi Darkshado,
Thank you for your quick response.
Darkshado said:
One big piece of advice I can give you is to try and have a basic understanding of whatever command it is you're typing in an ADB shell.
Click to expand...
Click to collapse
That's good advice If I read the whole thread of unlocking first before I began unlocking, there might not have been problems. I began to unlock after reading a few postings. I used Linux long time ago, but obviously I could not recall anything now.
I would not try the method in your last post AT ALL. You already have your code, and I see no reason why your current perso.txt would be of any use. It is a configuration file, it has to do with the various locks, but I wouldn't be able to tell you more. The way yours has been "corrupted" (I'm employing the term loosely here) may be the reason you've seen that CP lock appear. It may also have altered your Network unlock code in unforeseen ways.
Click to expand...
Click to collapse
The code I had was got before the corrupted perso.txt. I had a strong feeling that the input unlock code will be compared with the code in perso.txt for unlocking, Otherwise if perso.txt is not useful any more, why when I input the initially generated unlock code, the unlocking is not successful. The CP lock is now OFF after the perso.txt is corrupted, though it is hard to judge whether CP is ON or not before perso.txt is corrupted because I got the unlock first then I saw CP was ON.
I don't remember anyone trying to directly adb pull perso.txt from the /efs partition off a live phone. Do this at your own risk.
Click to expand...
Click to collapse
Can you tell me what command you use to get perso.txt? From the info below it seems that you use the same or similar commands, but in the recovery mode instead of the normal mode, is it right?
I turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell.
Click to expand...
Click to collapse
By editing perso.txt only?
One last silly question: did you have a MicroSD memory card in the phone when you tried cat'ing bml5 to /sdcard on your second attempt?
Click to expand...
Click to collapse
Yes, since I inserted the MicroSD card into the phone for rooting, I never took it out. But I can hardly imagine this will cause any problem.
I think there is a way to solve your unusual lock problems, try the following steps:
Get Odin here
Get Ingmar Steen's latest Gio ClockworkMod-based recovery here
Download the perso_Cathy.txt attached below.
Flash the CWM-based recovery to your phone.
Reboot in recovery mode and connect the phone to your computer.
In Windows Explorer, go to the directory you've saved perso_Cathy.txt, and shift+right-click on the directory. Open command line from here. (Otherwise, open a command line window and cd to that directory.)
adb shell (notice your shell is already # aka root)
mount -o nosuid,rw,nodev -t vfat /dev/block/stl5 /efs (notice we're mounting rewritable this time)
exit (this will take you back to the regular command line)
adb push perso_Cathy.txt /efs/mits/perso.txt (so we're pushing and renaming at the same time)
adb shell umount /efs (I doubt this is *really* necessary, but better safe than sorry. You can send single commands to the shell this way)
adb reboot
Click to expand...
Click to collapse
After a second thought, I decided not to flash the memory since I have little knowledge about it and the tools you mentioned here. As you suggest, I should know enough before doing it. So now, I was wondering whether it will solve the problem by just push the file perso_Cathy.txt in your above message to /efs/mits/perso.txt in recovery mode. What do you think? Another quesion is that I wish to back up all the files in the operating system before any more action. Can you tell me how to back up?
My PC is back but now I cannot even install androit SDK on the computer, so I have to bring it back for repair. So the next few days I probably would not be able to try anything, but once I try, I'll let you know the rsult.
Thank you very much.
Cathy

SPnewb said:
I had a strong feeling that the input unlock code will be compared with the code in perso.txt for unlocking
Click to expand...
Click to collapse
It most definitely is compared. From what I can tell, perso.txt contains all the SIM-lock information, status and codes.
Can you tell me what command you use to get perso.txt? From the info below it seems that you use the same or similar commands, but in the recovery mode instead of the normal mode, is it right?
Click to expand...
Click to collapse
Exactly. Recovery mode is what makes the whole thing safe. You need a rooted recovery to do it though.
There are two ways to get the actual perso.txt file off the phone: adb pull (directly or by cat'ing the file to the sd card beforehand) or dd'ing the stl5 partition and extracting perso.txt from it.
By editing perso.txt only?
Click to expand...
Click to collapse
Yes.
After a second thought, I decided not to flash the memory since I have little knowledge about it and the tools you mentioned here. As you suggest, I should know enough before doing it. So now, I was wondering whether it will solve the problem by just push the file perso_Cathy.txt in your above message to /efs/mits/perso.txt in recovery mode. What do you think?
Click to expand...
Click to collapse
I'm pretty confident it will solve the problem, otherwise I would not have gone to the trouble of writing these instructions and uploading the file for you.
Another quesion is that I wish to back up all the files in the operating system before any more action. Can you tell me how to back up?
Click to expand...
Click to collapse
Look here.
My PC is back but now I cannot even install androit SDK on the computer, so I have to bring it back for repair. So the next few days I probably would not be able to try anything, but once I try, I'll let you know the rsult.
Click to expand...
Click to collapse
What does the ADK installer say? If its complaining about not finding the JDK when you've already installed it, just it Back, and then Next. It will detect at that time and proceed with the installation. It's a known bug. Also, stick to JDK version 6 for the time being. Version 7 is so recent there might be some incompatibilities...
Thank you very much.
Click to expand...
Click to collapse
You're welcome.
Goodbye,
Darkshado

The phone is bricked now. What I did is: hole the HOme key while pressing the power key, the phone asked me whether to "reboot the system now" or "update from /sdcard" or "wipe /data XXX factory reset" (sth like factory reset) or "wipe /cach", I chose "reboot the system now". after that , connect the phone to the system. What I did in PC is catured in teh following image:
After that, when rebooting the phone, the phone began to falsh "samsung" and it cannot be shut down any more.
It seems that using other people's perso.txt does not work. One reason may be that, as you said, "perso.txt contains all the SIM-lock information, status and codes", other than unlock code, it might also read each individual phone's information, since that hte perso.txt is not mine, the phone cannot find the proper information, which causes phone to do indefinite loop. If that is the case, instead of uploading a new perso.txt, editing my own (even the corrupted) perso.txt and changing the corresponding location into the unlock code might work, as the phoen could start up before. Another reason may be that by editing the perso.txt, the system might detect the action for example like using CRC, and if only perso.txt is edited, system detected inconsistency and will go into indefinite loop. If I were the developer and I am aware that perople crack the phone, I might using another file or check code to protect. In this case, "I turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell." might not work.
I guess that now even hardware unlock will not work, becaue when the phone start, it will read "perso.txt" and cannot find the right information. The only solution is push my original corrupted perso.txt back to the phone, but the question is how? Can you advise me what I should do now? SInce the phone does not start up at all, can I still flash the memory using Odin?
Thank you very much.
Cathy

Crap. I'm afraid that if your phone is now bootlooping with no access to recovery mode there is little to be done but to get it serviced or replaced.
No one has been able to flash EFS with Odin yet on our phones.
Also, your image attachment explaining what you attempted exactly is missing...
Look at the perso.txt files in a hex editor, there's no CRC or MD5 like thing anywhere in there. Of course it could be placed elsewhere, but it would be a first to have a booby-trapped phone OS...
I'll try locking my phone to another network within the next week for the heck of it.
Goodbye,
Darkshado

It's the format of the image. I changed to a different image format. You should be able to view the image in the first page now. Anyway, I posted it here again:
I'll try locking my phone to another network within the next week for the heck of it.
Click to expand...
Click to collapse
Let me know the result.
Thanks.
Cathy

SPnewb said:
Anyway, I posted it here again:
Click to expand...
Click to collapse
Please tell me: in what mode were you booted when you did the above?
Recovery?
Was the text blue or orange?
It's not normal that you had to use su. Otherwise your commands were correct starting with mount -o remount rw /

Darkshado said:
Please tell me: in what mode were you booted when you did the above?
Recovery?
Was the text blue or orange?
It's not normal that you had to use su. Otherwise your commands were correct starting with mount -o remount rw /
Click to expand...
Click to collapse
I thought that I booted in recovery mode since when I turned on the phone, I held Home key then press the power key, but when the phone start up there were only 4 or 5 choices in the recovery menu and except the one "reboot the system now", there were no other choices about reboot. I suspected that to choose "reboot the system now" will cause startup in normal mode. How do you start up the phone in recover mode?
I cannot recall teh color of the text, but I never see any orange text since I had the phone.
Thank you very much for your help. I'm going to get another Gio to unlock.

[Q] [T] nexus s i9020 scrambled voice calls

Recently, whenever I flash a rom that is not stock, I am having trouble making and receiving phone calls. The first call is all scrambled distorted and subsequent calls are no voice at all. This never used to happen to me at all with any rom. I COMPLETELY deleted everything off my phone via both CWM and ADB shell's parted rm command. I then reflashed the img files (radio, recovery, and the zip) and everything worked fine in ICS Stock. This is a Telus phone. Has anyone dealt with this kind of bug?

Try running CPU at 1GHz (or lower). I found voice distorted if I overclock.

Backup your EFS it's muy importante!
_android_ said:
Try running CPU at 1GHz (or lower). I found voice distorted if I overclock.
Click to expand...
Click to collapse
Well it wasn't overclocking or a radio image issue as I tried both. I can't proove it but I think a custom rom overwrote my /efs partition and essentially made my phone on the network invalid, luckly I was able to find a proper backup of the /efs and reinstall it I just hope this doesn't happen again and I encourage all of you to BACKUP YOUR /EFS PARTITION it's very simple just type adb root, then adb remount then finally adb.exe pull /efs/ boom there it is in your pc.

Well I thought I had the problem licked, turns out for some reason, and I do hope someone knows the answer to this problem, if I flash back to stock 4.0.4,*#06# shows my proper IMEI, if I flash a custom rom (any custom rom) and my IMEI goes back to IMEI: 004999010640000

ethan_hines said:
Well I thought I had the problem licked, turns out for some reason, and I do hope someone knows the answer to this problem, if I flash back to stock 4.0.4,*#06# shows my proper IMEI, if I flash a custom rom (any custom rom) and my IMEI goes back to IMEI: 004999010640000
Click to expand...
Click to collapse
Install your custom rom, then paste back your /efs folder from your backup?

polobunny said:
Install your custom rom, then paste back your /efs folder from your backup?
Click to expand...
Click to collapse
Tried that, didn't work. I don't know maybe it has something to do with the permissions/owner of the files. To make matters worse now that partition is showing signs of corruption but I don't know how to repair it. It is a YAFFS partition.
/dev/block/mtdblock6 /efs yaffs2 rw,nosuid,nodev,noatime 0 0

I got my imei back yeah!!
oh i am so relived
It took me a while to understand how the imei system woks but i think i have the gist of it now. i don't know if this works for other models but it must considering i took information from a multitude of sources to work out a solution here's what I did
Before starting this tricky set of commands please make sure your phone has the following settings:
ROOTED
HAS BUSYBOX INSTALLED
HAS EITHER ROOTEXPLORER OR ADB
YOUR PC HAS A PROPER UNIX TEXT EDITOR (NOTEPAD++ OR JEDIT)
Ensure you have one good copy of nv_data.bin somewhere on the phone. it could be located in either /efs or /data/radio
Ensure you have a nv.log with at least one line that looks somewhat like this:
MD5 fail. orignal md5 'XXXXXXXXXXXXXXXXXXXXXX' computed md5 'XXXXXXXXXXXXXXXXXXXXXXXXX' (rild)
where the X's are a bunch of number and letters.
Copy the good nv_data.bin, nv_data.bin.md5 and nv.log to both the sdcard and then via usb put them on your hard drive in a folder called efsbackup
(use either rootexpoler or adb shell to copy the files to the sdcard first)
Open the nv.log and look for the second sting of lines. after the words computed md5 (the first string is the md5 the phone found and the second string is the md5 it was expecting for. if the md5 it was expecting can't be found, it uses the default IMEI 004999010640000
Open nv_data.bin.m5d with a proper unix text editor (I suggest Notepad++ or jedit) and remove the sting of numbers and letters and replace it with the string from the nv.log (the second string after computed md5) and save the file
Go back to the phone and put the phone into Airplane Mode (this turns off the radio)
Copy the files nv_data.bin and nv_data.bin.m5d back to the sdcard overwirting them
Using either rootexplorer or adb shell copy the nv_data.bin and nv_data.bin.md5 back to the original folder (either /efs or /data/radio (for me it was /data/radio that did the trick))
Using either rootexplorer or adb shell ensure both files have the following attributes Owner:radio Group:radio Owner:RWX Group:R Other:R
Using adb shell type ps (this lists all the running processes) find the one that end with rild and remember the pid
Using adb shell type kill pid# where pid# is the rild process (this restarts the radio)
Go back to the phone and take the phone out of Airplane mode
Reboot the phone
Open up the dialer and dial *#06# (the universal way to get your IMEI it SHOULD be equal to the one written under the battery):good:
If you have any problems please list them below and i will do my best to solve them

[Q] IMEI Repair

I own the D-820 model of the phone. I was trying to change the PRL, and the IMEI is showing up as 0 now.
Having said that, I flashed the kernel with diagnostic mode enabled and installed LG United drivers. I was successful at getting the device SPC. Using DFS, I was able to change the "Ruim mode" as well. The changes got successfully written so far. Changing PRL screwed up the IMEI.
Ever since, I've been trying to set ESN, MEID and IMEI using DFS, CDMADevTerm, QPST NV Manager, and EFS Pro (Qualcomm NV Tools). All fail (the IMEI reverts to 0; the original IMEI does not get written back).
I have even tried changing the connection mode in Qualcomm NV Tools (EFS Pro) to factory test mode, before writing. It results in "Unknown" baseband and blank IMEI (upon dialing *#06# on the phone). "Low power" connection mode also fails to write the IMEI back.
I've read the MEID fields are secured in some way. Anybody have any pointers to make it work?
By the way, the phone accepts any 16-digit diagnostic password in the aforementioned tools. I've been told it may not apply to phones other than Samsung devices. Could it be possible the phone is waiting for the correct 16-digit password to "unlock" the MEID fields, and simply accepts other passwords but does NOT unlock the fields?
I have also tried flashing stock firmware, and it appears it wasn't the case where phone is not able to read the stored IMEI.

Anybody have any clues about the security used?

Writing IMEI isn't allowed to discuss over here since it's illegal. Just send it to a LG center and let them write it for you.
May be @bitdomo can help you will the partition/security query you've got

halfbytecode said:
Anybody have any clues about the security used?
Click to expand...
Click to collapse
I am not familiar with efs yet.
Maybe try to follow the guide about fix imei on lg g2. It could serve as a good base. http://forum.xda-developers.com/showthread.php?t=2701861
If you have a backup of your efs before you started editing the nvitems then restore it. It is important to make efs backup before you start to play with those kind of efs tools.

vin4yak said:
Writing IMEI isn't allowed to discuss over here since it's illegal. Just send it to a LG center and let them write it for you.
May be @bitdomo can help you will the partition/security query you've got
Click to expand...
Click to collapse
I'm just trying to fix my device here on my own, by writing back the IMEI found on my phone's sim tray, box, etc. I'm kind of broke these days, so it's hard.
bitdomo said:
I am not familiar with efs yet.
Maybe try to follow the guide about fix imei on lg g2. It could serve as a good base. http://forum.xda-developers.com/showthread.php?t=2701861
If you have a backup of your efs before you started editing the nvitems then restore it. It is important to make efs backup before you start to play with those kind of efs tools.
Click to expand...
Click to collapse
I had indeed tried out NV Manager in QPST, but it failed to write to item number 550 (IMEI).
In fact I found this exact same guide and a bunch of others too.
I'm kind of surprised it works on LG g2 and not for me on nexus 5.
Could it be possible the diagnostic mode that was enabled by modifying the kernel (found here on XDA) didn't enable it fully?

halfbytecode said:
I'm just trying to fix my device here on my own, by writing back the IMEI found on my phone's sim tray, box, etc. I'm kind of broke these days, so it's hard.
I had indeed tried out NV Manager in QPST, but it failed to write to item number 550 (IMEI).
In fact I found this exact same guide and a bunch of others too.
I'm kind of surprised it works on LG g2 and not for me on nexus 5.
Could it be possible the diagnostic mode that was enabled by modifying the kernel (found here on XDA) didn't enable it fully?
Click to expand...
Click to collapse
It could be. What if we find a lg g2 as a donor. You flash the efs from your nexus to lg g2 and try to fix it, then if it worked you move the fixed efs from lg g2 back to nexus 5.
Nexus 5 has a second recovery it is on the LAF partition, this is called download mode. By exteacting the ramdisk of it I found traces that it could be used with qpst. To enable it I have to edit the ramdisk. The file which have to be edited is usb.init.rc or something similar. I dont remember well.
I can extract ramdisk and change the content, but I dont know the command parameters for put the kernel image and the ramdisk together as a whole boot.img

bitdomo said:
It could be. What if we find a lg g2 as a donor. You flash the efs from your nexus to lg g2 and try to fix it, then if it worked you move the fixed efs from lg g2 back to nexus 5.
Nexus 5 has a second recovery it is on the LAF partition, this is called download mode. By exteacting the ramdisk of it I found traces that it could be used with qpst. To enable it I have to edit the ramdisk. The file which have to be edited is usb.init.rc or something similar. I dont remember well.
I can extract ramdisk and change the content, but I dont know the command parameters for put the kernel image and the ramdisk together as a whole boot.img
Click to expand...
Click to collapse
I'm not really sure where I could find a donor g2. The plan could work though.
The boot IMG with diag mode is on page 3 here http://forum.xda-developers.com/showthread.php?t=2535478 if you want to look.
I may be able to figure out how to put ramdisk together with the zimage (of the diag mode kernel above). I've analyzed some kernels which do it using updater-script. In the past I've also used tools like android kitchen (not sure about the exact name).

@bitdomo Are you referring to this file?
https://android.googlesource.com/device/lge/hammerhead/+/kitkat-release/init.hammerhead.usb.rc

halfbytecode said:
I'm not really sure where I could find a donor g2. The plan could work though.
The boot IMG with diag mode is on page 3 here http://forum.xda-developers.com/showthread.php?t=2535478 if you want to look.
I may be able to figure out how to put ramdisk together with the zimage (of the diag mode kernel above). I've analyzed some kernels which do it using updater-script. In the past I've also used tools like android kitchen (not sure about the exact name).
Click to expand...
Click to collapse
hm... comparing the laf ramdis and the diag enabled ramdisk I have to say that I was wrong, but still this is a interesting thing in the init.laf.usb.rc file:
# it can run as user cable for QCT PID
on property:ro.boot.laf=QCOM
wait /sys/class/android_usb/android0/enable
write /sys/class/android_usb/android0/enable 0
write /sys/class/android_usb/android0/idVendor 05C6
write /sys/class/android_usb/android0/idProduct 903A
write /sys/class/android_usb/android0/f_acm/acm_transports tty
write /sys/class/android_usb/android0/f_diag/clients diag
write /sys/class/android_usb/android0/functions mtp,laf
write /sys/class/android_usb/android0/enable 1
Click to expand...
Click to collapse
What could this QCT PID be? I thought these are the lines for teh diag mode.
Here is the laf image with extracted ramdisk and some from here to build the kernel
You could also try this early key lime pie rom. This is an internal test version of android 4.4 from september or august. Maybe this kernel can be used to enable diag mode. If I remember well it may have an app called hidden menu where you can change the usb port settings so you dont need root an use adb commands. Before you flash it backup you misc partition because at the first booting this rom will change the device factory version string on the misc partition to something else which will cause cause that LG flashtool will stop wokring for you device unless you change that string back from "FACTORY" to "USER"
to backup your misc: dd if=/dev/block/platform/msm_sdcc.1/by-name/misc of=/sdcard/misc.img
from your sdcard copy it to you pc just for safety reasones
To return to stock flash back any stock rom from google then restore your misc partition using this command:
dd if=/sdcard/misc.img of=/dev/block/platform/msm_sdcc.1/by-name/misc

Well that is really intriguing. I was oblivious to the laf mode. I did know about .tot files and lg flash tool, but nothing more than that.
I see laf has seprate a kernel and a ramdisk, which is what you were talking about all along. It makes sense to me now.
I will give this a shot when I have some free time on my hands and will let you know.
Thanks for the key lime pie leak too!

halfbytecode said:
Well that is really intriguing. I was oblivious to the laf mode. I did know about .tot files and lg flash tool, but nothing more than that.
I see laf has seprate a kernel and a ramdisk, which is what you were talking about all along. It makes sense to me now.
I will give this a shot when I have some free time on my hands and will let you know.
Thanks for the key lime pie leak too!
Click to expand...
Click to collapse
I already extracted it for you, the original laf is the "laf.img" everything is untouched.

bitdomo said:
I already extracted it for you, the original laf is the "laf.img" everything is untouched.
Click to expand...
Click to collapse
Yes I will give that a shot soon and see what happens. Thanks for the help so far.

@bitdomo I modified the file that you mentioned, swapping USER and QCOM lines. Repacked the ramdisk, and then put together the laf image by supplying the base address, ramdisk address, command line value and page size from the the original laf dump. I flashed it on my phone using Terminal Emulator using the following command:
Code:
dd if=/sdcard/laf1.img of=/dev/block/platform/msm_sdcc.1/by-name/laf
Now when I connect the phone in download mode, the phone is stuck at the tiny "Download Mode" logo and windows does not detect any USB device.
Further, I observed the original dump size is 22 MB and the repacked laf image size is merely 13.2 MB. The size of the extracted kernel and ramdisk sums up to 13.2 MB.
It gets me to think these tools are missing out on the remaining stuff in the laf image. Ive uploaded the modified laf image. https://www.sendspace.com/file/f31xi1

I didn't read these posts just wanted to share my experience...
This happened to me 2x months and months ago ( lost Imei) I don't remember what I was doing to cause it but the only thing that fixed it for me was my TWRP backup . my backup efs file did nothing factory IMG did nothing and everything else I tries did nothing . agn this probably helps u NONE but wanted share anyways ...

Tampering with the imei is illegal
Sent from my Nexus 5

drawde40599 said:
I didn't read these posts just wanted to share my experience...
This happened to me 2x months and months ago ( lost Imei) I don't remember what I was doing to cause it but the only thing that fixed it for me was my TWRP backup . my backup efs file did nothing factory IMG did nothing and everything else I tries did nothing . agn this probably helps u NONE but wanted share anyways ...
Click to expand...
Click to collapse
Yes, it may help someone reading this thread.
dicecuber said:
Tampering with the imei is illegal
Sent from my Nexus 5
Click to expand...
Click to collapse
Just trying to restore the IMEI. I'm not attempting to do something illegal.

halfbytecode said:
@bitdomo I modified the file that you mentioned, swapping USER and QCOM lines. Repacked the ramdisk, and then put together the laf image by supplying the base address, ramdisk address, command line value and page size from the the original laf dump. I flashed it on my phone using Terminal Emulator using the following command:
Code:
dd if=/sdcard/laf1.img of=/dev/block/platform/msm_sdcc.1/by-name/laf
Now when I connect the phone in download mode, the phone is stuck at the tiny "Download Mode" logo and windows does not detect any USB device.
Further, I observed the original dump size is 22 MB and the repacked laf image size is merely 13.2 MB. The size of the extracted kernel and ramdisk sums up to 13.2 MB.
It gets me to think these tools are missing out on the remaining stuff in the laf image. Ive uploaded the modified laf image. https://www.sendspace.com/file/f31xi1
Click to expand...
Click to collapse
@bitdomo I compared the original laf dump and my modified image using a hex editor.
Just as I had suspected, the original dump is padded with zeros. Disregarding that, their actual size looks similar.
So I take back what I said about the tools not being able to extract from the laf image completely.
Do you know what could be the issue here?
EDIT: There was an interesting tidbit from unmkbootimg output. (The full command line output is attached with this post, ramdisk was repacked separately using the tool in the package - not in the output)
Code:
*** WARNING ****
This image is built using NON-standard mkbootimg!
OFF_KERNEL_ADDR is 0xFD908100
OFF_RAMDISK_ADDR is 0x00200100
OFF_SECOND_ADDR is 0xFE800100
Please modify mkbootimg.c using the above values to build your image.
****************
Could compiling mkbootimg with the above be of any help, since the mkbootimg had been modified to include ramdisk address parameter in the links you posted?

halfbytecode said:
@bitdomo I compared the original laf dump and my modified image using a hex editor.
Just as I had suspected, the original dump is padded with zeros. Disregarding that, their actual size looks similar.
So I take back what I said about the tools not being able to extract from the laf image completely.
Do you know what could be the issue here?
EDIT: There was an interesting tidbit from unmkbootimg output. (The full command line output is attached with this post, ramdisk was repacked separately using the tool in the package - not in the output)
Code:
*** WARNING ****
This image is built using NON-standard mkbootimg!
OFF_KERNEL_ADDR is 0xFD908100
OFF_RAMDISK_ADDR is 0x00200100
OFF_SECOND_ADDR is 0xFE800100
Please modify mkbootimg.c using the above values to build your image.
****************
Could compiling mkbootimg with the above be of any help, since the mkbootimg had been modified to include ramdisk address parameter in the links you posted?
Click to expand...
Click to collapse
what was the command you used to put the kernel and the modified ramdisk together?

halfbytecode said:
Yes, it may help someone reading this thread.
Just trying to restore the IMEI. I'm not attempting to do something illegal.
Click to expand...
Click to collapse
U no what I just remembered how I lost my IMEI back then . I was updating to 4.4.3 from factory .IMG and did the command "Fastboot wipe cache" after fastbooting the system.IMG . ( I no it makes no sense) but that's how mine was lost . now I just Fastboot system.IMG with new updates no wipe cache and works perfect . but ya a restore of TWRP was only thing that fixed it .

bitdomo said:
what was the command you used to put the kernel and the modified ramdisk together?
Click to expand...
Click to collapse
I used
Code:
mkbootimg --kernel laf_dump.img-kernel --ramdisk new-ramdisk.cpio.gz --base 0x026fff00 --cmdline '"console=ttyHSL0,115200,n8 androidboot.hardware=hammerhead user_debug=31 maxcpus=2 msm_watchdog_v2.enable=1"' --pagesize 2048 --ramdiskaddr 0x02900000 -o laf_q_mod_3.img
Just a note, this is the modified mkbootimg which has "ramdiskaddr" parameter (from the thread you linked to in one of your previous posts). Version shipped with bbqlinux distribution has "ramdisk_offset" instead. The original version does not have either, as you may know.

[HOW-TO] Recover Bricked U11+

Greetings all.
Several weeks ago, I made this post seeking help with a self-created problem. I am happy to announce that the problem has been resolved with the immense help of sephstyler. He is literally my phone's messiah.
The afore-mentioned XDA member has a device identical to mine. I borrowed his and mirrored most of the data on his device by copying several partitions off his phone on to mine. I followed this guide about changing CID/MID.
I got a hold of a notepad document (you'll find it here) that lists partition information of the U11+. I wasn't sure which of my partitions were corrupt but I was certain the one containing the OS and IMEI information were messed up. My IMEI was blank. The OS version reported in fastboot was 9.99999 or something like that.
So I set out to copy these partitions and their corresponding img files in no particular order - boot, hosd, radio, modemst1, modemst2, cache, system, vendor, persist, and sdf1 (which carries CID info).
Please note that this method fixes the issue where your device is stuck on the bootloader screen with the message, "this phone has been flashed with unauthorised software and is locked....." And you will need a second device that is identical to yours (and functional too) for this process to work. I don't know if they both have to come from the same region (i.e have the same CID and MID). I guess there is no harm in trying. You couldn't possibly do more harm to your device by doing this. Or maybe you could. Either way, I will not be held responsible for any undesirable outcomes.
Steps taken:
- I installed HTC drivers on my computer, running Windows 10 64-bit. And 15-second ADB Installer. Get them both from here and here. I uninstalled HTC Sync Manager after the installation was done as I only needed the drivers.
- I flashed TWRP on the borrowed device so I could have access to adb from recovery.
- I then opened up a command prompt window on my computer, typed adb devices just to be sure that drivers were installed correctly.
The next few steps can be achieved right from within TWRP using the Terminal function. But I chose to use my computer as it'd be much quicker and I am less likely to make typos on a full-sized keyboard.
In a command prompt window, type adb shell. Hit enter.
To copy the system image, type dd if=/dev/block/sda5 of=/sdcard/system.img
For cache, type dd if=/dev/block/sdd21 of=/sdcard/cache.img
For boot, type dd if=/dev/block/sda3 of=/sdcard/boot.img
For radio, type dd if=/dev/block/sdd13 of=/sdcard/radio.img
For modemst1, type dd if=/dev/block/sde2 of=/sdcard/modemst1.img
For modemst2, type dd if=/dev/block/sde3 of=/sdcard/modemst2.img
For persist, type dd if=/dev/block/sde5 of=/sdcard/persist.img
For vendor, type dd if=/dev/block/sda6 of=/sdcard/vendor.img
For sdf1 (board_info), type dd if=/dev/block/sdf1 of=/sdcard/sdf1.img
For hosd, type dd if=/dev/block/sdd12 of=/sdcard/hosd.img
These img files would be saved to your internal storage. I then copied all files to the root folder of my faulty device's storage using Windows Explorer. System.img however refused to transfer. I got creative and used a microSD to make the transfer possible.
Now that these files were sitting comfortably on my phone, I booted to TWRP, connected it to my PC, then entered the following commands in Command Prompt via adb shell.
To copy these images to the appropriate partitions on your phone:
For board_info, type dd if=/sdcard/sdf1.img of=/dev/block/sdf1
For system, type dd if=/sdcard/system.img of=/dev/block/sda5
For cache, type dd if=/sdcard/cache.img of=/dev/block/sdd21
For boot, type dd if=/sdcard/boot.img of=/dev/block/sda3
For radio, type dd if=/sdcard/radio.img of=/dev/block/sdd13
For modemst1, type dd if=/sdcard/modemst1.img of=/dev/block/sde2
For modemst2, type dd if=/sdcard/modemst2.img of=/dev/block/sde3
For persist, type dd if=/sdcard/persist.img of=/dev/block/sde5
For vendor, type dd if=/sdcard/vendor.img of=/dev/block/sda6
For hosd, type dd if=/sdcard/hosd.img of=/dev/block/sdd12
Upon completion, press Ctrl+C or type exit to quit adb shell. Then type adb reboot to reboot your device.
If the above commands were entered correctly (and if the adb gods smile upon you), your device should be restored.
Now I know that copying all images fixed the issue. My guess is the system, boot, and radio images were the crucial ones. I am not entirely sure. But I was desperate for a positive result so I copied the ones that I deemed important.
I hope this helps someone. Cheers.
P.S: My apologies for the formatting. I am still fairly new to this. Also, I just realised I could upload these images for anyone who doesn't have access to a second device. I shall update the post with download links after the upload's completed. Sorry about the brain fart.
[EDIT] Images are up. You can find them here. These files are for the Taiwan-based HTC U11+ (CID - HTC_621)

Nice tutorial.

Hi, I'm having a similar problem with my U11+.... followed ur download link but a decryption key is needed. whats the decryption key?

ChuDust said:
Hi, I'm having a similar problem with my U11+.... followed ur download link but a decryption key is needed. whats the decryption key?
Click to expand...
Click to collapse
Here's the key. I had no idea the files were encrypted to begin with. Sorry about that.
-b087zdU9re0k3e3HHah1w
P.S: Since you're downloading the image files from the link provided, you don't have to go through the first half of the process - copying data from a working phone to an external location.
Best of luck.

Hello. I have an identical situation. My original CID is 622. I changed the CID to 001, but after RUU firmware I could not boot into the system. Now after flash RUU, the phone will reboot into the bootloader. Can anyone help me?

Do you have to be rooted or with unlocked bootloader to be able to backup the phone partitions using this method ?
Or does it just work on completely stock from an db connection to PC ?
Thank you.

The bootloader needs to be unlocked at the very least so you can gain access to the required partitions. Root isn't necessary.
Hope this helps.

Hello, I followed your instructions and made backups of my partitions from HTC U11+ dual-sim european version 401.12.
With unlocked bootloader and rooted with magisk by patched boot image.
Ran adb shell and su while phone was running normally in Android OS and connected to PC.
I'm curious about the sizes of the images created because they don't match with the sizes from partitions.txt.
For example "4210688 sda5 - system" is actually 4,311,744,512 bytes,
"65536 sda3 - boot" is actually 67,108,864 bytes in created image, but the actual boot.img from the OTA file is 38,163,762 bytes.
If these sizes are different can I actually trust the created images ? and use them in need.
Can these created images be flashed by fastboot, for example for system.img: "fastboot flash -S 1G system system.img" ?
Thanks.

andreipaval said:
I'm curious about the sizes of the images created because they don't match with the sizes from partitions.txt.
For example "4210688 sda5 - system" is actually 4,311,744,512 bytes,
"65536 sda3 - boot" is actually 67,108,864 bytes in created image, but the actual boot.img from the OTA file is 38,163,762 bytes.
Thanks.
Click to expand...
Click to collapse
If you divide the 4,311,744,512 bytes by the 1024, you get what you need - 4210688 - this is in Kb.
And so same for boot - 67,108,864 bytes / 1024 = 65536 Kb.

andreipaval said:
Hello, I followed your instructions and made backups of my partitions from HTC U11+ dual-sim european version 401.12.
With unlocked bootloader and rooted with magisk by patched boot image.
Ran adb shell and su while phone was running normally in Android OS and connected to PC.
I'm curious about the sizes of the images created because they don't match with the sizes from partitions.txt.
For example "4210688 sda5 - system" is actually 4,311,744,512 bytes,
"65536 sda3 - boot" is actually 67,108,864 bytes in created image, but the actual boot.img from the OTA file is 38,163,762 bytes.
If these sizes are different can I actually trust the created images ? and use them in need.
Can these created images be flashed by fastboot, for example for system.img: "fastboot flash -S 1G system system.img" ?
Thanks.
Click to expand...
Click to collapse
Hi. I hope your first question was answered. Regarding your second concern, I'm afraid I don't have an answer to that. At the time, flashing any image files onto my device didn't fix the issue even though each flash completed successfully. Copying them manually sure did.
Hope this helps.

Do you have the twrp backup of the stock rom?
andreipaval said:
Hello, I followed your instructions and made backups of my partitions from HTC U11+ dual-sim european version 401.12.
With unlocked bootloader and rooted with magisk by patched boot image.
Ran adb shell and su while phone was running normally in Android OS and connected to PC.
I'm curious about the sizes of the images created because they don't match with the sizes from partitions.txt.
For example "4210688 sda5 - system" is actually 4,311,744,512 bytes,
"65536 sda3 - boot" is actually 67,108,864 bytes in created image, but the actual boot.img from the OTA file is 38,163,762 bytes.
If these sizes are different can I actually trust the created images ? and use them in need.
Can these created images be flashed by fastboot, for example for system.img: "fastboot flash -S 1G system system.img" ?
Thanks.
Click to expand...
Click to collapse
Hello,
do you have the twrp backup of stock rom?

I did not make backups with twrp.

Backup Unmountable Data Partition from TWRP Stock 8.1

This works fine on my phone. If it doesn't work on yours, standard disclaimer applies about bricking, phone exploding, etc... that's all on you.
The problem has been that regardless of patches and regardless of methods to make the stock 8.1 data partition readable from TWRP, my phone won't do it. So as follows is how I've backup up and restored as an alternative. I don't know if this works well on Windows (Probably not) or MacOS (More likely it will), so its only tested on Linux.
Install adb on the computer
On the running phone, enable usb debugging.
Connect to the phone, allow the computer to access it.
Get a shell
Code:
adb shell
Enter as follows to find the block device where data is mounted
Code:
mount | grep /data | grep block
My output was this
Code:
/dev/block/mmcblk0p24 on /data type ext4 (rw,seclabel,nosuid,nodev,noatime,discard,journal_checksum,journal_async_commit,noauto_da_alloc,errors=panic,data=ordered
The first part, "/dev/block/mmcblk0p24" is what I was interested in. You can see it's mounted at /data
You're in fact looking for this specifically at the beginning "/dev/block/mmcblk0p24 on /data"
If you're confused or you have multiple mount-points or what not, or you don't understand, Stop Now, you're about to screw things up.
Copy the first part of what you have here, in my case "/dev/block/mmcblk0p24" (don't use quotes though)
Reboot into TWRP.
Make sure /data is not mounted in the TWRP menu. If it is, then no need to do this as you can back it up directly from TWRP anyway, and you don't nee this.
Backup will make an image of the entire partition, so it will be big. As follows to backup, change the /dev/block/xxxxxxx to what yours is, if it is differant. Replace xxxxxxx with what your output was, mine was mmcblk0p24 (this needs to be input correctly for backup and restore, this here is where you can screw your phone up)
Code:
adb shell 'dd if=/dev/block/xxxxxxx' > DataBackupName.img
(Above, you DO use the single quotes)
DataBackupName.img can be named whatever you want to call it.
This takes a long time, my phone writes 12 gigs or so.
The above command should exit telling you how much data was written. You don't want to have an incomplete backup because the usb cable wasn't great or the process spit the dummy for some reason.
To restore, cross your fingers (works fine on my PC)
Also from TWRP and also making sure data is not mounted:
Code:
adb push DataBackupName.img /dev/block/xxxxxxx
You need to have the correct text to replace the xxxxxx. Screwing this up is very high risk of bricking your phone.
Okay all that said, my assumption is that the initial dump won't work on Windows as it needs to direct the output to a file and I have a hunch that the syntax above for directing the output might be done differently. If someone knows how to do the backup on Windows, or can clarify if it works or not as is (after testing) I imagine that would be helpful for Windows users. Feedback in general is good for others, solutions to problems are great.
Additionally, when I was looking for this solution, the answers were a bit old and had to be mildly adapted, but there was a complaint back then that adb couldn't handle the restore. That hasn't been the case for me. A more recent adb binary might fix this if you happen to have this sort of problem.
A benefit of this method, is that if your system can mount an ext4 volume, you can also mount the image, so if you only want one file from a previous backup, or you want to remove a file from the image, or add one, that's all possible... with Linux (Linux geeks know who they are). Note that the image also contains the contents of what gets mounted at /storage/emulated/0
You can compress the image file when its done to reduce the size.