I apologize if this is in the wrong place as this is my first thread, but I wanted to show people that OneClickRoot does work for T-Mo. They are legitimate. It cost me $35 and I chose to pay another $20 for a full phone replacement and guarantee if anything goes wrong they fix it. I had an H91810J Version with a newer security patch.
I am pasting the code they used through the command prompt, at least what I could from my buffer. I also missed part of the commands as I had the buffer size in my command prompt set too low so I missed some of the commands. I know more went on behind the scenes as I did the exact same thing numerous times and it NEVER flashed twrp. I have all the programs they used as well if they should be posted? Hopefully I am not violating any policies here as I am new to XDA so if I am please let me know.
A few of these steps were missing in the dirty cow exploit when I tried it or as I stated I missed some of it in the command prompt and more was going on through their program I didn't see. I have also rooted or I should say followed other people methods to root a phone several times (and understood the exploit) but I couldn't get twrp flashed on this. You can read my followup posts.
C:\Users\XXXXXXFAMILY>cd "C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo"
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb devices
List of devices attached
LGH918XXXXXXXX device
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb shell
elsa:/ $ cd system/xbin
cd system/xbin
elsa:/system/xbin $ ls
ls
dexlist tcd
elsa:/system/xbin $ exit
exit
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb reboot bootloader
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>fastboot devices
LGH918XXXXXXXX fastboot
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>fastboot oem unlock
...
(bootloader) Device already : unlocked!
OKAY [ 0.016s]
finished. total time: 0.016s
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>fastboot reboot
rebooting...
finished. total time: 0.000s
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb push twrp.img /storage/emulated/0/Download
adb server is out of date. killing...
* daemon started successfully *
2361 KB/s (25759744 bytes in 10.654s)
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb push dirtycow /data/local/tmp
9 KB/s (9984 bytes in 1.000s)
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb push recowvery-applypatch /data/local/tmp
1153 KB/s (18472 bytes in 0.015s)
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb push recowvery-app_process64 /data/local/tmp
637 KB/s (10200 bytes in 0.015s)
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb push recowvery-run-as /data/local/tmp
9 KB/s (10192 bytes in 1.000s)
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb shell
elsa:/ $ cd /data/local/tmp
cd /data/local/tmp
elsa:/data/local/tmp $ chmod 0777 *
chmod 0777 *
elsa:/data/local/tmp $ ./dirtycow /system/bin/applypatch recowvery-applypatch
./dirtycow /system/bin/applypatch recowvery-applypatch
warning: new file size (18472) and file old size (165144) differ
size 165144
[*] mmap 0x7554457000
[*] exploit (patch)
[*] currently 0x7554457000=10102464c457f
[*] madvise = 0x7554457000 165144
[*] madvise = 0 1048576
[*] /proc/self/mem 1367343104 1048576
[*] exploited 0x7554457000=10102464c457f
elsa:/data/local/tmp $ ./dirtycow /system/bin/app_process64 recowvery-app_process64
dirtycow /system/bin/app_process64 recowvery-app_process64 <
warning: new file size (10200) and file old size (18600) differ
size 18600
[*] mmap 0x7288fd4000
[*] exploit (patch)
[*] currently 0x7288fd4000=10102464c457f
[*] madvise = 0x7288fd4000 18600
[*] madvise = 0 1048576
[*] /proc/self/mem -1971322880 1048576
[*] exploited 0x7288fd4000=10102464c457f
elsa:/data/local/tmp $ exit
exit
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb logcat -s recowvery
--------- beginning of system
--------- beginning of main
--------- beginning of crash
04-23 00:35:53.713 8495 8495 I recowvery: Welcome to recowvery! (app_process64)
04-23 00:35:53.713 8495 8495 I recowvery: ------------
04-23 00:35:53.713 8495 8495 I recowvery: Current selinux context: u:r:zygote:s0
04-23 00:35:53.713 8495 8495 I recowvery: Set context to 'u:r:system_server:s0'
04-23 00:35:53.714 8495 8495 I recowvery: Current security context: u:r:system_server:s0
04-23 00:35:53.714 8495 8495 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
04-23 00:35:53.716 8495 8495 I recowvery: ------------
04-23 00:35:53.716 8495 8495 I recowvery: Recovery flash script should have started!
04-23 00:35:53.716 8495 8495 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
04-23 00:35:53.716 8495 8495 I recowvery: Waiting 120 seconds...
04-23 00:35:53.751 8499 8499 I recowvery: Welcome to recowvery! (applypatch)
04-23 00:35:53.751 8499 8499 I recowvery: ------------
04-23 00:35:53.751 8499 8499 I recowvery: Loading boot image from block device '/dev/block/bootdevice/by-name/boot'...
04-23 00:35:53.931 8499 8499 I recowvery: Loaded boot image!
04-23 00:35:53.931 8499 8499 I recowvery: ------------
04-23 00:35:53.931 8499 8499 I recowvery: Saving old ramdisk to file
04-23 00:35:53.932 8499 8499 I recowvery: Writing to file '/cache/ramdisk.gz'...
04-23 00:35:53.962 8499 8499 I recowvery: Wrote OK: 6558126 bytes
04-23 00:35:53.962 8499 8499 I recowvery: Decompressing ramdisk (gzip -d)
04-23 00:35:54.411 8499 8499 I recowvery: Checking '/cache/ramdisk.cpio' for validity (size >= 4194304 bytes)
04-23 00:35:54.411 8499 8499 I recowvery: '/cache/ramdisk.cpio': 16792832 bytes
04-23 00:35:54.411 8499 8499 I recowvery: File OK
04-23 00:35:54.411 8499 8499 I recowvery: Decompression of ramdisk successful
04-23 00:35:54.411 8499 8499 I recowvery: Deleting '/cache/ramdisk.gz' (no longer needed)
04-23 00:35:54.415 8499 8499 I recowvery: ------------
04-23 00:35:54.415 8499 8499 I recowvery: Opened cpio archive '/cache/ramdisk.cpio' (16792832 bytes)
04-23 00:35:54.416 8499 8499 I recowvery: Wrote new file (308 bytes) to cpio archive,
04-23 00:35:54.416 8499 8499 I recowvery: Final size: 16793036 bytes
04-23 00:35:54.416 8499 8499 I recowvery: ------------
04-23 00:35:54.416 8499 8499 I recowvery: Compressing cpio to ramdisk (gzip -9 -c)
04-23 00:36:00.080 8499 8499 I recowvery: Checking '/cache/ramdisk.gz' for validity (size >= 2097152 bytes)
04-23 00:36:00.081 8499 8499 I recowvery: '/cache/ramdisk.gz': 6539881 bytes
04-23 00:36:00.081 8499 8499 I recowvery: File OK
04-23 00:36:00.081 8499 8499 I recowvery: Compression of ramdisk successful
04-23 00:36:00.081 8499 8499 I recowvery: Deleting '/cache/ramdisk.cpio' (no longer needed)
04-23 00:36:00.095 8499 8499 I recowvery: Loading new ramdisk into boot image
04-23 00:36:00.105 8499 8499 I recowvery: ------------
04-23 00:36:00.105 8499 8499 I recowvery: cmdline: "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 [email protected] androidboot.hardware=elsa"
04-23 00:36:00.105 8499 8499 I recowvery: Setting permissive arguments on cmdline
04-23 00:36:00.105 8499 8499 I recowvery: cmdline: "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 [email protected] androidboot.hardware=elsa androidboot.selinux=permissive enforcing=0"
04-23 00:36:00.105 8499 8499 I recowvery: ------------
04-23 00:36:00.105 8499 8499 I recowvery: Updating boot image hash
04-23 00:36:00.444 8499 8499 I recowvery: Writing modified boot image to block device '/dev/block/bootdevice/by-name/recovery'...
04-23 00:36:00.614 8499 8499 I recowvery: Done!
04-23 00:36:00.614 8499 8499 I recowvery: ------------
04-23 00:36:00.614 8499 8499 I recowvery: Permissive boot has been has been flashed to /dev/block/bootdevice/by-name/recovery successfully!
04-23 00:36:00.614 8499 8499 I recowvery: You may use 'reboot recovery' now to enter a permissive system.
04-23 00:36:00.614 8499 8499 I recowvery: ***********************************************
04-23 00:36:00.614 8499 8499 I recowvery: * give jcadduono a hug, will ya? *
04-23 00:36:00.614 8499 8499 I recowvery: ***********************************************
^C
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb shell reboot recovery
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb shell
elsa:/ $ getenforce
getenforce
Permissive
elsa:/ $ cd /data/local/tmp
cd /data/local/tmp
elsa:/data/local/tmp $ ./dirtycow /system/bin/run-as recowvery-run-as
./dirtycow /system/bin/run-as recowvery-run-as
warning: new file size (10192) and file old size (14360) differ
size 14360
[*] mmap 0x7f643b9000
[*] exploit (patch)
[*] currently 0x7f643b9000=10102464c457f
[*] madvise = 0x7f643b9000 14360
[*] madvise = 0 1048576
[*] /proc/self/mem -2122317824 1048576
[*] exploited 0x7f643b9000=10102464c457f
elsa:/data/local/tmp $ run-as exec ./recowvery-applypatch boot
run-as exec ./recowvery-applypatch boot
Welcome to recowvery! (run-as)
------------
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
We have root access!
------------
Executing: './recowvery-applypatch' with 1 arguments
Welcome to recowvery! (applypatch)
------------
Loading boot image from block device '/dev/block/bootdevice/by-name/boot'...
Loaded boot image!
------------
Saving old ramdisk to file
Writing to file '/data/local/ramdisk.gz'...
Wrote OK: 6558126 bytes
Decompressing ramdisk (gzip -d)
Checking '/data/local/ramdisk.cpio' for validity (size >= 4194304 bytes)
'/data/local/ramdisk.cpio': 16792832 bytes
File OK
Decompression of ramdisk successful
Deleting '/data/local/ramdisk.gz' (no longer needed)
------------
Opened cpio archive '/data/local/ramdisk.cpio' (16792832 bytes)
Wrote new file (308 bytes) to cpio archive,
Final size: 16793036 bytes
------------
Compressing cpio to ramdisk (gzip -9 -c)
Checking '/data/local/ramdisk.gz' for validity (size >= 2097152 bytes)
'/data/local/ramdisk.gz': 6539881 bytes
File OK
Compression of ramdisk successful
Deleting '/data/local/ramdisk.cpio' (no longer needed)
Loading new ramdisk into boot image
------------
cmdline: "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 [email protected] androidboot.hardware=elsa"
Setting permissive arguments on cmdline
cmdline: "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 [email protected] androidboot.hardware=elsa androidboot.selinux=permissive enforcing=0"
------------
Updating boot image hash
Writing modified boot image to block device '/dev/block/bootdevice/by-name/boot'...
Done!
------------
Permissive boot has been has been flashed to /dev/block/bootdevice/by-name/boot successfully!
You may use 'reboot' now to enter a permissive system.
***********************************************
* give jcadduono a hug, will ya? *
***********************************************
elsa:/data/local/tmp $ run-as su
run-as su
Welcome to recowvery! (run-as)
------------
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
We have root access!
------------
Starting root shell
elsa:/data/local/tmp # dd if=/storage/emulated/0/Download/twrp.img of=/dev/block/bootdevice/by-name/recovery
ownload/twrp.img of=/dev/block/bootdevice/by-name/recovery <
50312+0 records in
50312+0 records out
25759744 bytes transferred in 2.940 secs (8761817 bytes/sec)
elsa:/data/local/tmp # reboot recovery
reboot recovery
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb devices
List of devices attached
LGH918XXXXXXXX recovery
C:\Users\XXXXXXFAMILY\Desktop\LG V20 TMo>adb sideload su.zip
Total xfer: 1.48x
C:\XXXXXXFAMILY\Desktop\LG V20 TMo>
Last of what my CMD buffer held. My Bad. I know better. Please Read followups Their is a point to this.
So you paid money for the exact same steps as you would do on your own? this guide is already posed with the EXACT steps you already needed.
Well I will say this. I have rooted many devices but things are getting a little more complicated these days. I pondered and procrastinated about rooting this device for a while after I bought it. I was a bit worried about bricking so I chose to leave it in their hands to do it months ago. It wasn't that much money and was painless and professional.
I've been meaning to bring this up for a while but didn't really see the right opportunity. They made the process so easy and boom it was done. Well worth the money!
Not sure why we need to post their process though. It's is the same posted elsewhere.
Great service. It was a great and interesting experience!
I tried the Exact steps...didn't work
I tried the exact recowvery steps and it wouldn't flash twrp. I tried it ten ways from Sunday and every time I got stuck when it was supposed to flash twrp nothing. Overridden by system recovery every time. So either the post listed is missing something or they did something not listed in my post but for $35 bucks and after me spending two weeks fighting with it. Trust me the $35 bucks was a lot easier and it is far from perfect but it works. They didn't wipe format the data partition either which is said to be the ONLY WAY in the XDA post as I lost nothing I had installed. Not even one email. Root checker verifies full root and I can install anything I want with full root. $35 bucks is much easier than bricking this thing. With the H91810J or higher you have one shot or its nothing but a pile of junk. $35 bucks was much easier trust me. Their professionalism was great as well and they stand behind their product. The recowvery isn't as easy on the higher versions of the H918. Especially 10J and higher. I realized my buffer for my cmd prompt wasn't set high enough either. Which bothers me as I obviously didn't get it all.
I've done this quite a few times and the one thing no one answered is this. With full root can I boot into twrp with ADB and do I backup without the system overwriting twrp? If so exactly how would I do it. Remember they did not Format Data. Nothing was lost at all. I don't want to do all this just to end up with a brick anyway when I try and make a backup? Then again I could ask them to do it and they probably would.
Their are plenty of bricks to attest to the fact the V 20 isn't that easy to root. It might be for some that had the first versions. For $35 bucks I was done fighting. Took them about 30 minutes done. Guarantee with it. Worth it to me I have a wife and kid. I have other things to do after two weeks of fighting with it.
The Point - OneClickRoot (Paying)
The point of my reply was this. If you don't want to take the chance and for a little more they offer full phone replacement. OneClickRoot is worth the money. By the times you spend hours installing full adb, device drivers, downloading tools, fixing any issues like wrong adb version, wrong drivers...etc then praying you don't make one mistake and brick your device. On top of that the time and frustration involved? Also, you can't install any updates, and you have to disable this in multiple places. Not just the setting that says enable disable updates. Like I said before I've done this numerous times (through other people's exploit's), the recowvery wasn't working as it was posted for me. I even went in as SU then Elevated SU then SuperSU. I got nowhere. I disabled FRP and did the OEM Unlock myself easily.
In My Opinion, OneClickRoot is worth the money if you don't want the hassle or waste the time. I am not a programmer, certainly not a master programmer, but I understand the exploits others find. Some people just blindly copy and paste. This might works sometimes, but other times it doesn't and you have to understand the exploit to fix the issue. I spent 5 years as an IT administrator for an entire network of one of Eli Lilly Pharmaceuticals subsidiaries. A multi-billion dollar drug company. I am not a genius but I do have some knowledge.
OneClickRoot was so simple and I learned how they did it. I'm sure more goes on behind the scenes through their program...etc. Also, if you have an issue an screw it up they fix it of if you pay another $20 they replace the phone completely and buy a new one.
How can you justify even attempting to root these things? I'm just saying if your comfortable with copy and paste and pray then go for it. If you don't understand the exploit of what it is doing then I would pay $35 plus another $20 for phone replacement and the full guarantee to OneClickRoot. Of course, this is my opinion. It depends on your knowledge and willingness to try and root your phone. So to answer a previous reply yes I did pat the $35 plus I chose to pay $20 for free phone replacement and a full guarantee to fix it for any reason. That's about an hours worth of pay to me. The answer is yes it is worth that much money just to not have to deal with it. I have a Wife and Kid. Why am I wasting weeks fixing this locked phone which shouldn't be locked? I learned a few lessons though. If possible I will never buy anything locked in any way ever again and I am done wasting my time doing something someone else can do for peanuts and I have peace of mind.
With the exception of the Nexus series and I haven't owned one in a while but the last pure android phone I owned was the easiest one to unlock like all of them should be. I do see what right these companies have to tell us we can't unlock our phones. We own them. Hopefully these "Right to Fix" laws get passed and people get behind them. If you don't know what that is find out and sign the petitions.
UPDATE: I Just did a FULL NANDROID of EVERYTHING. I hooked up a large USB drive and made it done. Also have all the original files. It really shouldn't be this difficult. We should have the "Right to Fix" and we should have control over something we own not locked by a manufacturer.
Related
As the title suggests I'm porting cyanogenmod to my old phone so when I root my hydro wave c6740n...I'll have the source & knowledge to do the same with the hydro wave as well, but back to my problem. I keep getting this error when ever i try to build the recovery.
build/core/tasks/kernel.mk:290: warning: overriding recipe for target '/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/kernel'
build/core/Makefile:46: warning: ignoring old recipe for target '/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/kernel'
Target boot image: /media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/boot.img
/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/boot.img maxsize=3514368 blocksize=135168 total=6680576 reserve=270336
error: /media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/boot.img too large (6680576 > [3784704 - 270336])
build/core/Makefile:570: recipe for target '/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/boot.img' failed
make: *** [/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/boot.img] Error 1
make: *** Deleting file '/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/boot.img'
#### make failed to build some targets (02:55 (mm:ss)) ####
it keeps stating its too large & i'm just stuck at this point..
also im trying to build recovery NOT the boot.img which I don't why it states boot.img instead of recovery.
BOARD_BOOTIMAGE_PARTITION_SIZE := 0x00380000
BOARD_RECOVERYIMAGE_PARTITION_SIZE := 0x00480000
BOARD_SYSTEMIMAGE_PARTITION_SIZE := 0x08c60000
BOARD_USERDATAIMAGE_PARTITION_SIZE := 0x105c0000
BOARD_FLASH_BLOCK_SIZE := 131072
aslo I am having trouble with the board config as well
BOARD_KERNEL_CMDLINE := console=ttyHSL0,115200,n8 no_console_suspend=1 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 vmalloc=312M
BOARD_KERNEL_BASE := 0x
BOARD_KERNEL_PAGESIZE := 2048
I don't know what the kernel base would be in the mess below...
Kernel size 5820152
Kernel address 0x80208000
Ramdisk size 336324
Ramdisk address 0x82200000
Secondary size 0
Secondary address 0x81100000
Kernel tags address 0x80200100
Flash page size 2048
if you need more info to help just ask...I'm truly new to all this.
update-still not working, but...
Target boot image: /media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/boot.img
/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/boot.img maxsize=10040448 blocksize=135168 total=6676480 reserve=270336
Made boot image: /media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/boot.img
target StaticExecutable: recovery (/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/obj/EXECUTABLES/recovery_intermediates/LINKED/recovery)
target Symbolic: recovery (/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/symbols/system/bin/recovery)
target Strip: recovery (/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/obj/EXECUTABLES/recovery_intermediates/recovery)
----- Making recovery image ------
Copying baseline ramdisk...
Modifying ramdisk contents...
cp: cannot stat ‘/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/root/init.recovery.*.rc’: No such file or directory
build/core/Makefile:944: recipe for target '/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/ramdisk-recovery.img' failed
make: [/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/ramdisk-recovery.img] Error 1 (ignored)
/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/recovery.img maxsize=8177664 blocksize=135168 total=9250816 reserve=270336
error: /media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/recovery.img too large (9250816 > [8448000 - 270336])
build/core/Makefile:978: recipe for target '/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/recovery.img' failed
make: *** [/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/recovery.img] Error 1
make: *** Deleting file '/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/recovery.img'
#### make failed to build some targets (11:50 (mm:ss)) ####
build error!
I tried many things now, but I can't seem to get the recovery maxsize right during build...
im going to change the recovery size from 8000000 to 8177664
update 2-not working
----- Making recovery image ------
Copying baseline ramdisk...
Modifying ramdisk contents...
cp: cannot stat ‘/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/root/init.recovery.*.rc’: No such file or directory
build/core/Makefile:944: recipe for target '/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/ramdisk-recovery.img' failed
make: [/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/ramdisk-recovery.img] Error 1 (ignored)
/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/recovery.img maxsize=8162880 blocksize=135168 total=9250816 reserve=270336
error: /media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/recovery.img too large (9250816 > [8433216 - 270336])
build/core/Makefile:978: recipe for target '/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/recovery.img' failed
make: *** [/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/recovery.img] Error 1
make: *** Deleting file '/media/xstar97/Acer/Users/xstar97/Desktop/cm12.1/out/target/product/c6522n/recovery.img'
#### make failed to build some targets (10:29 (mm:ss)) ####
I'm honestly stuck trying to build the recovery
almost working
It's still saying that it's too large & i finally noticed i been missing a file called init.recovery.*.rc
I gotten boardconfig.mk all set up and correct
BOARD_KERNEL_CMDLINE := console=ttyHSL0,115200,n8 no_console_suspend=1 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 vmalloc=312M
BOARD_KERNEL_BASE := 0x80200000
BOARD_KERNEL_PAGESIZE := 2048
# fix this up by examining /proc/mtd on a running device
BOARD_BOOTIMAGE_PARTITION_SIZE := 10485760
BOARD_RECOVERYIMAGE_PARTITION_SIZE := 8388608
BOARD_SYSTEMIMAGE_PARTITION_SIZE := 674234368
BOARD_USERDATAIMAGE_PARTITION_SIZE := 1073741824
BOARD_FLASH_BLOCK_SIZE := 131072
recovery.fstab
# mount point fstype device [device2]
/boot mtd /dev/block/mmcblk0p7
/cache yaffs2 /dev/block/mmcblk0p15
/data yaffs2 /dev/block/mmcblk0p13
/misc mtd /dev/block/mmcblk0p17
/recovery mtd /dev/block/mmcblk0p18
/sdcard vfat /dev/block/mmcblk0p1 /dev/block/mmcblk0
/system yaffs2 /dev/block/mmcblk0p12
/sd-ext ext4 /dev/block/mmcblk0p2
do I need to add more?
such as ...0p1 to ..0p37
what else do I need to do?
I give up on cyanogenmod recovery
BUT, I found a perfect substitute for it...PhilZ recovery.img for hydro xtrm c6522 varients
I tested it & works like a charm, but the only downside is that you have to constantly connect your PC and boot(NOT FLASH) into PhilZ recovery.
so I made all steps easier by creating script(s) & provide the PhilZ recovery & stock recovery.
1. please open a terminal within the folder with all the files
2. you can either run & read the help.sh or just run setup.sh (basically the same info, but setup.sh starts the process)
to run the scripts please type "./setup.sh" without ""
the following info in the script will tell you what to do from then on.
NOTE:
DO NOT FLASH PhilZ recovery because it's NOT a standalone recovery.
click the link below to download from my dropbox, if by any chance that dropbox decides to stop allowing you to download, just PM & I WILL send you a new link personally.
philz.zip
You can check the scripts/edit them to your hearts content, but there's nothing in them that will harm your PC, device, or your mom..
also the credits
the one & only dev who built this recovery for us! is hroark13
Note: This method works with both 10i and 10j
I have read few posts arguing can root be done with 10i. I have been hesitant until last night. After I fixed USB 3.1 problem by updating the driver, I decided to give a try.
I updated mine with LG Bridge in order to grab an important file (a dll required for LGUP) and I made it. It's in
c:\users\(username)\Local\LG Electronics\LG Bridge\SW upgrade\
The dll file doesn't show up until the phones starts update, so timing is important.
Now, here is the instruction how to root with dirtycow method. I had problem with Easycow (no command error), so I have to do it manually to enter command one by one.
References:
https://forum.xda-developers.com/v20/development/h918-recowvery-unlock-v20-root-shell-t3490594 (instruction and link to all files)
https://build.nethunter.com/android-tools/dirtycow/arm64/ (all required files. Copy all of them where your ADB folder is)
https://github.com/jcadduono/android_external_dirtycow#running (all the commands)
https://build.nethunter.com/test-builds/twrp/lge/twrp-3.0.2-1-h918.img (TWRP image. Rename it to twrp.img and put it into internal storage)
https://download.chainfire.eu/supersu (SuperSU. Put the file into memory card)
Prerequisites:
Your LG driver must be up to date. I have problem with USB 3.1 cable until the driver is up to date.
ADB installed and copy the address, and put all recowvery files into the folder (\sdk\platform-tools)
Rename TWRP file to twrp.img and put it into internal storage
Copy SuperSU into memory card
You must be in 100% stock ROM. Rooted or not.
USB debugging enabled and allowed your host computer.
Bootloader unlocked (you should see a warning on boot) and OEM unlock allowed in Developer Settings
Use LG Backup to backup internal storage and all apps into your memory card
Setup a temporary PIN
Steps:
1. Plug your phone to your host computer. Make sure it's in MTP mode.
2. Open your command prompt:
Code:
cd\
cd (right click your mouse and paste the ADB platform-tools address)
adb devices
This will show your connected phone (LGE Elsa)
3. Enter the following prompt: (you can simply highlight, copy, right click on command prompt and choose paste)
Code:
adb push dirtycow /data/local/tmp
adb push recowvery-applypatch /data/local/tmp
adb push recowvery-app_process64 /data/local/tmp
adb push recowvery-run-as /data/local/tmp
adb shell
cd /data/local/tmp
chmod 0777 *
./dirtycow /system/bin/applypatch recowvery-applypatch
On ADB shell mode, you should see $ on the front. Wait for few minutes.
Code:
./dirtycow /system/bin/app_process64 recowvery-app_process64
Your phone screen may look weird. Wait for another few minutes.
Type
Code:
exit
when finished.
4. Type in:
Code:
adb logcat -s recowvery
You should see a lot of lines comes across your screen. Wait for few minutes and press and hold Ctrl and press C once.
Code:
adb shell reboot recovery
Your phone will return to stock recovery.
Code:
adb shell
A $ sign will show up
Code:
getenforce
It should show Permissive.
5. Temp root
Type in:
Code:
cd /data/local/tmp
./dirtycow /system/bin/run-as recowvery-run-as
run-as exec ./recowvery-applypatch boot
The boot image will be patched.
Code:
run-as su
A # sign should show up. it means you have a temp root.
6. Flash TWRP
Code:
dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
exit
reboot recovery
6. Rooting
Your phone should be in TWRP.
Enter PIN you previously setup
Allow modifications
You may not be able to see internal storage. That's why you have to put SuperSU into memory card. Locate SuperSU and install it.
If everything went well, just reboot. You may want to wipe cache and dalvik cache.
Reboot
Update SuperSU binary if necessary
I can not get this thing to work.
It runs
C:\WINDOWS\system32>adb shell
elsa:/ $ cd /data/local/tmp
elsa:/data/local/tmp $ chmod 0777 *
dirtycow /system/bin/app_process64 recowvery-app_process64 <
warning: new file size (10200) and file old size (18600) differ
size 18600
[*] mmap 0x711b476000
[*] exploit (patch)
[*] currently 0x711b476000=10102464c457f
[*] madvise = 0x711b476000 18600
[*] madvise = 0 1048576
[*] /proc/self/mem -1971322880 1048576
[*] exploited 0x711b476000=10102464c457f
elsa:/data/local/tmp $
Click to expand...
Click to collapse
And when I run log cat:
--------- beginning of system
--------- beginning of main
--------- beginning of crash
01-12 10:54:53.926 12840 12840 I recowvery: Welcome to recowvery! (app_process64)
01-12 10:54:53.926 12840 12840 I recowvery: ------------
01-12 10:54:53.926 12840 12840 I recowvery: Current selinux context: u:r:zygote:s0
01-12 10:54:53.926 12840 12840 I recowvery: Set context to 'u:r:system_server:s0'
01-12 10:54:53.927 12840 12840 I recowvery: Current security context: u:r:system_server:s0
01-12 10:54:53.927 12840 12840 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-12 10:54:53.954 12840 12840 I recowvery: ------------
01-12 10:54:53.954 12840 12840 I recowvery: Recovery flash script should have started!
01-12 10:54:53.954 12840 12840 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-12 10:54:53.954 12840 12840 I recowvery: Waiting 3 minutes to try again (in case it didn't start or you forgot to dirtycow applypatch first)...
01-12 10:57:54.031 13219 13219 I recowvery: Welcome to recowvery! (app_process64)
01-12 10:57:54.031 13219 13219 I recowvery: ------------
01-12 10:57:54.032 13219 13219 I recowvery: Current selinux context: u:r:zygote:s0
01-12 10:57:54.032 13219 13219 I recowvery: Set context to 'u:r:system_server:s0'
01-12 10:57:54.034 13219 13219 I recowvery: Current security context: u:r:system_server:s0
01-12 10:57:54.034 13219 13219 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-12 10:57:54.038 13219 13219 I recowvery: ------------
01-12 10:57:54.038 13219 13219 I recowvery: Recovery flash script should have started!
01-12 10:57:54.038 13219 13219 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-12 10:57:54.038 13219 13219 I recowvery: Waiting 3 minutes to try again (in case it didn't start or you forgot to dirtycow applypatch first)...
01-12 11:00:54.101 13583 13583 I recowvery: Welcome to recowvery! (app_process64)
01-12 11:00:54.102 13583 13583 I recowvery: ------------
01-12 11:00:54.102 13583 13583 I recowvery: Current selinux context: u:r:zygote:s0
01-12 11:00:54.102 13583 13583 I recowvery: Set context to 'u:r:system_server:s0'
01-12 11:00:54.103 13583 13583 I recowvery: Current security context: u:r:system_server:s0
01-12 11:00:54.103 13583 13583 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-12 11:00:54.113 13583 13583 I recowvery: ------------
01-12 11:00:54.113 13583 13583 I recowvery: Recovery flash script should have started!
01-12 11:00:54.113 13583 13583 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-12 11:00:54.113 13583 13583 I recowvery: Waiting 3 minutes to try again (in case it didn't start or you forgot to dirtycow applypatch first)...
01-12 11:03:54.187 13961 13961 I recowvery: Welcome to recowvery! (app_process64)
01-12 11:03:54.187 13961 13961 I recowvery: ------------
01-12 11:03:54.188 13961 13961 I recowvery: Current selinux context: u:r:zygote:s0
01-12 11:03:54.188 13961 13961 I recowvery: Set context to 'u:r:system_server:s0'
01-12 11:03:54.189 13961 13961 I recowvery: Current security context: u:r:system_server:s0
01-12 11:03:54.189 13961 13961 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-12 11:03:54.190 13961 13961 I recowvery: ------------
01-12 11:03:54.191 13961 13961 I recowvery: Recovery flash script should have started!
01-12 11:03:54.191 13961 13961 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-12 11:03:54.191 13961 13961 I recowvery: Waiting 3 minutes to try again (in case it didn't start or you forgot to dirtycow applypatch first)...
Click to expand...
Click to collapse
All worked like a charm! Thanks OP!
Was gonna update and do this today but my damn hard drive quit on me. Really pissed. I need to update and probably return to stock since I have no way to fix anything in case something goes wrong. Might keep root but haven't decided. So to install the update via recovery, what do I need to do? Been a while since I had to do it this way. Say I wanted to keep root and twrp. Would I install boot img then system img the flash supersu and for safe measures flash twrp from this thread? What about the modem img and all that?
I was sweating bullets but I finally rooted 10i Thanks Op..
Starting root shell
1|elsa:/data/local/tmp $ dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
dd: /sdcard/twrp.img: No such file or directory
1|elsa:/data/local/tmp $
this what happen when I put the flash recovery comman any help?
how can you unroot the v20 and go to bone stock
dudeawsome said:
how can you unroot the v20 and go to bone stock
Click to expand...
Click to collapse
There's another thread where you can get required dll for LGUP, and you can also download stock kdz file.
https://forum.xda-developers.com/v20/how-to/h918-dll-lgup-t3535988
Use upgrade to retain your data
Use refurbish to wipe
mingkee said:
There's another thread where you can get required dll for LGUP, and you can also download stock kdz file.
https://forum.xda-developers.com/v20/how-to/h918-dll-lgup-t3535988
Use upgrade to retain your data
Use refurbish to wipe
Click to expand...
Click to collapse
Refurbish doesnt work
how do you setup temporary pin pls help asap
dudeawsome said:
Refurbish doesnt work
Click to expand...
Click to collapse
UPPERCUT works for me :good: https://forum.xda-developers.com/lg-g5/development/uppercut-lgup-loader-g5-variants-t3511295/
manuelperro said:
UPPERCUT works for me :good: https://forum.xda-developers.com/lg-g5/development/uppercut-lgup-loader-g5-variants-t3511295/
Click to expand...
Click to collapse
it says not working
dudeawsome said:
it says not working
Click to expand...
Click to collapse
well I just flashing my rooted h918d to h918i with UPPERCUT yesterday without any problems:fingers-crossed:
manuelperro said:
well I just flashing my rooted h918d to h918i with UPPERCUT yesterday without any problems:fingers-crossed:
Click to expand...
Click to collapse
yes you used the upgrade option not the refurbish option
dudeawsome said:
how do you setup temporary pin pls help asap
Click to expand...
Click to collapse
You don't really need it. However, you can set it up on Security Settings.
I didn't setup mine. I was prompt for password but I choose "cancel" and rooting still went through.
How do you unroot and remove twrp and go to full stock
dudeawsome said:
How do you unroot and remove twrp and go to full stock
Click to expand...
Click to collapse
Just scroll few posts back up and you will see the post with the bone stock kdz download link.
mingkee said:
Just scroll few posts back up and you will see the post with the bone stock kdz download link.
Click to expand...
Click to collapse
But the refurbish isn't supported by the kids only upgrade option
Could you please upload the dll file somewhere for me?
does 10j still have anti rollback unset?
Hello there.
Long story short: I have a Mate 9 MHA-L09 running on latest Oreo update which was rooted (with bootloader unlocked of course) and worked fine. I've installed Xposed (without making a backup, nice job me …) and, unfortunately, I'm now stuck in bootloop.
I've tried following methods:
starting in fastboot mode to recover using HiSuite but my Mate 9 isn't supported.
Boot on TWRP and tried to wipe data cache and dalvik but it didn't work.
Tried to install Oreo and Nougat updates from TWRP (with 3 archives on SD card: update.zip, update_data_public.zip and update_all_hw.zip) however I'm also getting and error when trying to install the first zip file (error 7 - "update_huawei_pkg_from_ota_zip: update package from zip failed")
I also tried the HWOTA method but after starting in TWRP and connecting a USB cable, the script seems frozen.
Maybe I'm using an incorrect function of TWRP? Or there is an easier method?
Any help would be greatly appreciated.
Thanks guys!
Tried to install latest MHA-L09C33 firmware and got an error 9 on TWRP.
Here is the log: https://pastebin.com/Yc0bnbfk
I'm trying to invoke @ante0 as he seems quite an expert
The current situation is the following:
Phone is bootlooping
I can start in fastboot (PHONE Unlocked, FRP Unlock)
I can start on TWRP. I did install the version @ante0 suggested me (https://forum.xda-developers.com/mate-9/development/recovery-twrp-3-2-1-0-t3783353) but it's stuck on start screen. Therefore I install another one (https://forum.xda-developers.com/mate-9/development/recovery-twrp-3-2-1-0-oreo-t3734967) which is correctly starting.
The thing is that the model is MHL-C09 but I don't remember if the exact region is C33 (FR) or C432 (EU). Does it matter?
Anyway, I downloaded the latest firmware of both versions using Firmware Finder:
MHA-L29C432B369 (8.0.0.369) / MHA-L09C432B369 (8.0.0.369)
MHA-L09C33B317 (8.0.0.317) / MHA-L09BC33B317 (8.0.0.317)
So I boot in TWRP, try to install the Update.zip file of either one of the two versions and ... I still get an error 9.
Apparently it's the following instruction which fails:
Code:
assert(update_huawei_pkg_from_ota_zip("UPDATE.APP"));
See the output log for L09C432B369: https://pastebin.com/1iLNPNBR
Am I doing anything wrong? Is there a missing step?
Gynsu2000 said:
I'm trying to invoke @ante0 as he seems quite an expert
The current situation is the following:
Phone is bootlooping
I can start in fastboot (PHONE Unlocked, FRP Unlock)
I can start on TWRP. I did install the version @ante0 suggested me (https://forum.xda-developers.com/mate-9/development/recovery-twrp-3-2-1-0-t3783353) but it's stuck on start screen. Therefore I install another one (https://forum.xda-developers.com/mate-9/development/recovery-twrp-3-2-1-0-oreo-t3734967) which is correctly starting.
The thing is that the model is MHL-C09 but I don't remember if the exact region is C33 (FR) or C432 (EU). Does it matter?
Anyway, I downloaded the latest firmware of both versions using Firmware Finder:
MHA-L29C432B369 (8.0.0.369) / MHA-L09C432B369 (8.0.0.369)
MHA-L09C33B317 (8.0.0.317) / MHA-L09BC33B317 (8.0.0.317)
So I boot in TWRP, try to install the Update.zip file of either one of the two versions and ... I still get an error 9.
Apparently it's the following instruction which fails:
Code:
assert(update_huawei_pkg_from_ota_zip("UPDATE.APP"));
See the output log for L09C432B369: https://pastebin.com/1iLNPNBR
Am I doing anything wrong? Is there a missing step?
Click to expand...
Click to collapse
You can't flash update.zip directly in TWRP, you need to use HuRUpdater. It can be found here: https://forum.xda-developers.com/honor-9/development/tool-flash-official-firmware-recovery-t3769279
If it works with Blackballs twrp I do not know.
Though, you would have to know your cust before flashing.
You can check in Fastboot using this command:
fastboot oem get-build-number
After you know, download the appropriate firmware
Thanks for the update and the command.
MHA-L09 8.0.0.316(C33)
ante0 said:
You can't flash update.zip directly in TWRP, you need to use HuRUpdater. It can be found here: https://forum.xda-developers.com/honor-9/development/tool-flash-official-firmware-recovery-t3769279
If it works with Blackballs twrp I do not know.
Though, you would have to know your cust before flashing.
You can check in Fastboot using this command:
fastboot oem get-build-number
After you know, download the appropriate firmware
Click to expand...
Click to collapse
Thank again for your help.
Follow-up:
I copied the correct ROM version and HuRUpdater however it doesn't work with Blackballs' TWRP.
Code:
********************
* HuRUpdater *
* by zxz0O0 *
********************
Trying to find the gpio-keys event node.
Found and will be using /dev/input/event1!
Archive: /external_sd/fw/MHA-L09C33B316/HuRUpdater_0.3.zip
inflating: utils/hurupdate-binary
Archive: /external_sd/fw/MHA-L09C33B316/HuRUpdater_0.3.zip
inflating: utils/busybox
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
Archive: /external_sd/fw/MHA-L09C33B316/update.zip
inflating: VERSION.mbn
unzip: invalid zip magic 0447C7F0
CANNOT LINK EXECUTABLE "/tmp/utils/busybox": cannot locate symbol "__sendto_chk" referenced by "/tmp/utils/busybox"...
Aborted
I've tried to switch back to Pretoriano80's twrp but I'm still stuck on startup screen.
Is there any other method? Even downgrading to Nougat would be okay
Gynsu2000 said:
Thank again for your help.
Follow-up:
I copied the correct ROM version and HuRUpdater however it doesn't work with Blackballs' TWRP.
Code:
********************
* HuRUpdater *
* by zxz0O0 *
********************
Trying to find the gpio-keys event node.
Found and will be using /dev/input/event1!
Archive: /external_sd/fw/MHA-L09C33B316/HuRUpdater_0.3.zip
inflating: utils/hurupdate-binary
Archive: /external_sd/fw/MHA-L09C33B316/HuRUpdater_0.3.zip
inflating: utils/busybox
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
Archive: /external_sd/fw/MHA-L09C33B316/update.zip
inflating: VERSION.mbn
unzip: invalid zip magic 0447C7F0
CANNOT LINK EXECUTABLE "/tmp/utils/busybox": cannot locate symbol "__sendto_chk" referenced by "/tmp/utils/busybox"...
Aborted
I've tried to switch back to Pretoriano80's twrp but I'm still stuck on startup screen.
Is there any other method? Even downgrading to Nougat would be okay
Click to expand...
Click to collapse
I guess you could try:
Extract update.app from update.zip
Download Huawei Update Extractor
Open Huawei Update Extractor and go to options and uncheck header check.
Open update.app in Huawei Update Extractor.
Right click on system and extract selected.
Do the same for vendor.
Flash both using fastboot, then try Pretoriano80s TWRP again.
(you could try to boot phone after flashing system and vendor)
Another solution could be to:
Unpack Pretoriano80s TWRP with Android Image Kitchen, copy ramdisk/sbin/busybox and paste to desktop or somewhere not in the ramdisk folder.
Unpack Blackballs twrp and put the previously copied busybox in ramdisk/sbin/ then repack image and flash.
Then try HuRUpdater again.
For some reason flashing the system worked but not the vendor.
Code:
D:\download\android\mate9\MHA-L09C33B316>fastboot flash vendor VENDOR.img
target reported max download size of 471859200 bytes
sending sparse 'vendor' (460651 KB)...
OKAY [ 10.857s]
writing 'vendor'...
FAILED (remote: Command not allowed)
finished. total time: 10.873s
However, the phone now boots correctly, flashing the system partition was enough (I assume it seems obvious for an experienced guy).
\o/
Thanks a lot @ante0 !
Gynsu2000 said:
For some reason flashing the system worked but not the vendor.
Code:
D:\download\android\mate9\MHA-L09C33B316>fastboot flash vendor VENDOR.img
target reported max download size of 471859200 bytes
sending sparse 'vendor' (460651 KB)...
OKAY [ 10.857s]
writing 'vendor'...
FAILED (remote: Command not allowed)
finished. total time: 10.873s
However, the phone now boots correctly, flashing the system partition was enough (I assume it seems obvious for an experienced guy).
\o/
Thanks a lot @ante0 !
Click to expand...
Click to collapse
Check if OEM unlocking is still enabled.
It seems to disable itself sometimes when flashing system.
ante0 said:
You can't flash update.zip directly in TWRP, you need to use HuRUpdater. It can be found here: https://forum.xda-developers.com/honor-9/development/tool-flash-official-firmware-recovery-t3769279
If it works with Blackballs twrp I do not know.
Though, you would have to know your cust before flashing.
You can check in Fastboot using this command:
fastboot oem get-build-number
After you know, download the appropriate firmware
Click to expand...
Click to collapse
Have been able to upgrade latest Oreo firmware using @Blackball twrp.
Just follow the instructions on his page.
1.Now that you have your correct firmware downloaded and intact.
2.Rename to this (update.zip, update_all_hw.zip, update_data_public.zip )
3.Download this file from here https://drive.google.com/file/d/1YM-Bga-wAKOct971WrrKCsX2K3tFP6zF/view?usp=sharing
4.Create a folder and rename to HWOTA8 , copy the downloaded file and the 3 firmware files
5.Now copy the the whole folder to your external storage and boot phone to twrp recovery.
6.Install by locating this file hwota8_update in the HWOTA8 folder on your external storage.
7.When done it will reboot and firmware upgrade processing will take over.
when you use this method,you will not loose and bit of information you original have before the installation,everything will be intact.:good::good:
ante0 said:
Check if OEM unlocking is still enabled.
It seems to disable itself sometimes when flashing system.
Click to expand...
Click to collapse
First thing I checked: bootloader was still unlocked.
Second thing: TWRP -> Backup.
golastic said:
when you use this method,you will not loose and bit of information you original have before the installation,everything will be intact.:good::good:
Click to expand...
Click to collapse
Thanks for the heads up. Hopefully I will backup thing first on TWRP before toying around with the phone.
ante0 said:
Check if OEM unlocking is still enabled.
It seems to disable itself sometimes when flashing system.
Click to expand...
Click to collapse
Ok, so now the phone is correctly starting but I have 2 issues.
First one is more an annoyance than an issue: when I reach the "About" screen, the model pf the phone is marked as ... "Unknown". I've tried to flash in fastboot the correct OEMINFO (using the file from there : https://forum.xda-developers.com/mate-9/development/oeminfo-library-t3555353 ). After that the bootloader was locked and .... I still have an Unknow phone.
Second issue is that I've tried to install superSU but it doesn't seem to work.
Install output is the following:
Code:
sukernel v2.82 (ndk:arm64-v8a) - Copyright (C) 2014-2017 - Chainfire & CCMT
Loading from [/sutmp/ramdisk] ...
- System-less mode, boot image support required
- Creating paths
mkdir: can't create directory '/su/bin': File exists
mkdir: can't create directory '/su/xbin': File exists
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
mkdir: can't create directory '/su/lib': File exists
mkdir: can't create directory '/su/etc': File exists
mkdir: can't create directory '/su/su.d': File exists
- Removing old files
- Placing files
rm: can't remove '/su/bin/su': No such file or directory
rm: can't remove '/su/bin/daemonsu': No such file or directory
rm: can't remove '/su/bin/supolicy_wrapped': No such file or directory
rm: can't remove '/su/lib/libsupol.so': No such file or directory
rm: can't remove '/su/bin/sukernel': No such file or directory
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
******************
Boot image patcher
******************
- Finding boot image
--- Boot image: /dev/block/sdd35
- Extracting ramdisk
sukernel v2.82 (ndk:arm64-v8a) - Copyright (C) 2014-2017 - Chainfire & CCMT
Loading from [/dev/block/sdd35] ...
magic: [ANDROID!]
kernel: [12078158] (12079104) @ 0x00080000
ramdisk: [0] (0) @ 0x07c00000
second: [0] (0) @ 0x00f00000
tags: @ 0x07a00000
page size: 2048
unused: [0x00000000] [0x10000125]
dtb(?): [0] (0)
name: []
command line: [loglevel=4 initcall_debug=n page_tracker=on slub_min_objects=16 unmovable_isolate1=2:192M,3:224M,4:256M printktimer=0xfff0a000,0x534,0x538 androidboot.selinux=enforcing buildvariant=user]
extra command line: []
id: [0xe3bfe4262954c0437ae810fc16281a76152117bb000000000000000000000000]
Saving to [/sutmp/ramdisk.packed] ...
- Decompressing ramdisk (none)
- Checking patch status
sukernel v2.82 (ndk:arm64-v8a) - Copyright (C) 2014-2017 - Chainfire & CCMT
Loading from [/sutmp/ramdisk] ...
--- Already patched, attempting to find stock backup
sukernel v2.82 (ndk:arm64-v8a) - Copyright (C) 2014-2017 - Chainfire & CCMT
Loading from [/sutmp/ramdisk] ...
--- Stock restore failed, attempting ramdisk restore
sukernel v2.82 (ndk:arm64-v8a) - Copyright (C) 2014-2017 - Chainfire & CCMT
Loading from [/sutmp/ramdisk] ...
--- Ramdisk restore failed, aborting
umount: can't umount /su: Invalid argument
BusyBox v1.22.1 bionic (2018-01-13 12:03 +0100) multi-call binary.
Usage: losetup [-r] [-o OFS] {-f|LOOPDEV} FILE - associate loop devices
losetup -d LOOPDEV - disassociate
losetup -a - show status
losetup -f - show next free loop device
-o OFS Start OFS bytes into FILE
-r Read-only
-f Show/use next free loop device
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
- Unmounting /system and /vendor
- Done !
I:Updater process ended with RC=0
I:Install took 8 second(s).
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
Updating partition details...
I:Data backup size is 1571MB, free: 51976MB.
I:Unable to mount '/usb-otg'
I:Actual block device: '', current file system: 'auto'
...done
Full log: https://pastebin.com/QGKdMEPU
I've tried 2 other versions but the result is the same.
Gynsu2000 said:
Ok, so now the phone is correctly starting but I have 2 issues.
First one is more an annoyance than an issue: when I reach the "About" screen, the model pf the phone is marked as ... "Unknown". I've tried to flash in fastboot the correct OEMINFO (using the file from there : https://forum.xda-developers.com/mate-9/development/oeminfo-library-t3555353 ). After that the bootloader was locked and .... I still have an Unknow phone.
Second issue is that I've tried to install superSU but it doesn't seem to work.
Install output is the following:
Code:
sukernel v2.82 (ndk:arm64-v8a) - Copyright (C) 2014-2017 - Chainfire & CCMT
Loading from [/sutmp/ramdisk] ...
- System-less mode, boot image support required
- Creating paths
mkdir: can't create directory '/su/bin': File exists
mkdir: can't create directory '/su/xbin': File exists
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
mkdir: can't create directory '/su/lib': File exists
mkdir: can't create directory '/su/etc': File exists
mkdir: can't create directory '/su/su.d': File exists
- Removing old files
- Placing files
rm: can't remove '/su/bin/su': No such file or directory
rm: can't remove '/su/bin/daemonsu': No such file or directory
rm: can't remove '/su/bin/supolicy_wrapped': No such file or directory
rm: can't remove '/su/lib/libsupol.so': No such file or directory
rm: can't remove '/su/bin/sukernel': No such file or directory
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
******************
Boot image patcher
******************
- Finding boot image
--- Boot image: /dev/block/sdd35
- Extracting ramdisk
sukernel v2.82 (ndk:arm64-v8a) - Copyright (C) 2014-2017 - Chainfire & CCMT
Loading from [/dev/block/sdd35] ...
magic: [ANDROID!]
kernel: [12078158] (12079104) @ 0x00080000
ramdisk: [0] (0) @ 0x07c00000
second: [0] (0) @ 0x00f00000
tags: @ 0x07a00000
page size: 2048
unused: [0x00000000] [0x10000125]
dtb(?): [0] (0)
name: []
command line: [loglevel=4 initcall_debug=n page_tracker=on slub_min_objects=16 unmovable_isolate1=2:192M,3:224M,4:256M printktimer=0xfff0a000,0x534,0x538 androidboot.selinux=enforcing buildvariant=user]
extra command line: []
id: [0xe3bfe4262954c0437ae810fc16281a76152117bb000000000000000000000000]
Saving to [/sutmp/ramdisk.packed] ...
- Decompressing ramdisk (none)
- Checking patch status
sukernel v2.82 (ndk:arm64-v8a) - Copyright (C) 2014-2017 - Chainfire & CCMT
Loading from [/sutmp/ramdisk] ...
--- Already patched, attempting to find stock backup
sukernel v2.82 (ndk:arm64-v8a) - Copyright (C) 2014-2017 - Chainfire & CCMT
Loading from [/sutmp/ramdisk] ...
--- Stock restore failed, attempting ramdisk restore
sukernel v2.82 (ndk:arm64-v8a) - Copyright (C) 2014-2017 - Chainfire & CCMT
Loading from [/sutmp/ramdisk] ...
--- Ramdisk restore failed, aborting
umount: can't umount /su: Invalid argument
BusyBox v1.22.1 bionic (2018-01-13 12:03 +0100) multi-call binary.
Usage: losetup [-r] [-o OFS] {-f|LOOPDEV} FILE - associate loop devices
losetup -d LOOPDEV - disassociate
losetup -a - show status
losetup -f - show next free loop device
-o OFS Start OFS bytes into FILE
-r Read-only
-f Show/use next free loop device
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
- Unmounting /system and /vendor
- Done !
I:Updater process ended with RC=0
I:Install took 8 second(s).
I:[MTP] MtpServer::run fd: 18
E:[MTP] request read returned -1, errno: 22, exiting MtpServer::run loop
Updating partition details...
I:Data backup size is 1571MB, free: 51976MB.
I:Unable to mount '/usb-otg'
I:Actual block device: '', current file system: 'auto'
...done
Full log: https://pastebin.com/QGKdMEPU
I've tried 2 other versions but the result is the same.
Click to expand...
Click to collapse
I would do a full update again, oeminfo won't change model in about. Either using HWOTA as someone posted above or use HuRUpdater
Also, use Magisk instead of supersu. https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
In the end I used HWOTA8 and it worked like a charm. Until I discovered that I wasn't able to access a mobile network: SIM card is detected (icon in status bar have it displayed), however I'm not prompted for the sim's pin. First thing I checked was the sim lock using the super code: it's not (SIMLOCK_DEACTIVE). Then I've tried a couple of sims from other carriers but none of them are working.
Unless you guys have an idea, I suppose I should bring it to warranty.
I performed a factory reset on my Redmi Note 6 Pro and it seems things went wrong as it now won't boot. When I turn it on, I get the Mi.com screen for a few seconds then nothing. I did some googling and decided to try a fastboot flash. This did not work with an error "Flash xbl error"
Here is the log:
MiFlash 2020.3.14.0
vboytest index:1
idproduct: 53261 idvendor: 6353
Thread id:10 Thread name:95c0959
image path:C:\Users\User\Desktop\tulip_global_images_V12.0.1.0.PEKMIXM_20201229.0000.00_9.0_global
env android path:"C:\Users\User\Desktop\MIUI_Flash\Source\ThirdParty\Google\Android"
script :C:\Users\User\Desktop\tulip_global_images_V12.0.1.0.PEKMIXM_20201229.0000.00_9.0_global\flash_all_lock.bat
Physical Memory Usage:1044480 Byte
start process id 2968 name cmd
info1:$fastboot -s devicename getvar product 2&1 | findstr /r /c:"^product: *tulip" || echo Missmatching image and device
info1roduct: tulip
info1:$fastboot -s devicename getvar product 2&1 | findstr /r /c:"^product: *tulip" || exit /B 1
info1roduct: tulip
info1:$set CURRENT_ANTI_VER=4
info1:$for /F "tokens=2 delims=: " %i in ('fastboot -s devicename getvar anti 2&1 | findstr /r /c:"anti:"') do (set version=%i )
info1:$(set version=4 )
info1:$if [4] EQU [] set version=0
info1:$if 4 GTR 4 (
info1:echo current device antirollback version is greater than this package
info1: exit /B 1
info1
info1:$fastboot -s devicename flash xbl C:\Users\User\Desktop\tulip_global_images_V12.0.1.0.PEKMIXM_20201229.0000.00_9.0_global\images\xbl.elf ||
info2:Sending 'xbl' (2504 KB) OKAY [ 0.078s]
info1:"Flash xbl error"
info2:Writing 'xbl' FAILED (remote: 'Flashing is not allowed in Lock State')
info2:fastboot: error: Command failed
begin FlashDone
error:"Flash xbl error"
process exit.
flashSuccess False
isFactory False CheckCPUID False
before:flashSuccess is False set IsUpdate:True set IsDone True
after:flashSuccess is False set IsUpdate:false set IsDone true
Click to expand...
Click to collapse
Can anyone assist? I see the "flashing is not allowed in lock state" message but my various googlings seem to suggest I shouldn't need to unlock? Perhaps I do (I did start down that path but got a bit stuck - will persevere if that is the issue).
Managed to get into Recovery mode on the device and that fixed it. No need to flash after all.
As the thread starter state's...
Android 10 'System-As-Root' was never supposed to be released. Google it.
It never was. Nothing wrong with my fone. boot-debug.img IS the system-as-root, it just isnt a root app.
User-debug will be tied to your account, so dont expect to see them ever again...
So many naysayers saying my fone company got it wrong, that my fone is fecked up...
Na.. System-As-Root = root, as good as it's ever gonna be in the open, provided by boot-debug.
You have root but cant flash a dynamic /system. Magisk KILL's Developer/Feature Flags. With stock boot, feature flags is seen, but shows 'experimental' nothing else. With boot-debug, all feature flags are shown. First thing you'll do is flash magisk. Why does magisk remove this access? In particular for YOU is 'settings-dynamic-system' (used to overlay your gsi - needed to flash gsi). Without these feature flags to set, how will your magisk'd fone boot gsi on system-as-root a-only? It cant. Uninstall magisk... but magisk leaves traces on the fone that prevent earlier versions of magisk being installed, so how can we test earlier versions? That we know worked before?
Magisk'd boot removes the feature flags section from developer menu in Android 10_Q. Why?
This is needed to mount any gsi on an 'a-only' 'system-as-root', by mounting to 'upper' partition, which wipes when re-flashing stock boot.img. Do the work in the upper (like we do in twrp) reflash to the lower after 'sync' will retain your work before reflashing stock boot.img, so no root app needed, but we need one to cut down on how tedious it all is now.. at least they keep you at home... safe lol...
Magisk is only using overlay because it works in pie... in fact, all using magisk are using PIE exploits that dont work in android 10 system as root!! (just a noticed warning )
SystemRW works in PIE, even works in my system-as-root but useless, cause the point, being able to write system while in fone gui, is negated by the fact that system is ro, in about 20 different locations, in about a billion different mount points and well... right down to file sizes for each file in each partition contained within the super.img, but what I dont get is why it works in twrp, yet not in the gui.. (i'm in the directory so cant mount it when using fone, duh...)
As for the other tool to create rw in the super partition, I'll say this:
Pie is dying. Re-write your apps to work with the android 10 super, which is NOT the same as PIE super.img... (this is not a super.img ring any bell's?)
Both rw tool authors stuck on them damn pie's.. I'd swap parted to get the auto resize of space on the fly, I'd give my 10 cents worth, but you know better... if they kill all fones previous to android 10... google win.
They gave us root.
Overlay your own tools!
In a system-as-root booted fone. Feck safety net, I use my nokia 8310 to this day..
And for the naysayers...
D:\0\AdbStation>adb reboot download
D:\0\AdbStation>fastboot flashing unlock_critical
(bootloader) Start unlock flow
OKAY [ 4.196s]
Finished. Total time: 4.196s
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot
-debug.img
Sending 'boot' (32768 KB) OKAY [ 0.764s]
Writing 'boot' OKAY [ 0.515s]
Finished. Total time: 1.420s
D:\0\AdbStation>fastboot -w
Erasing 'userdata' OKAY [ 0.452s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 6311931 4k blocks and 1581056 inodes
Filesystem UUID: aa3b871c-2496-11ec-9dd6-d71d0c30be37
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'userdata' (180 KB) OKAY [ 0.016s]
Writing 'userdata' OKAY [ 0.047s]
Erasing 'cache' OKAY [ 0.016s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 110592 4k blocks and 110592 inodes
Filesystem UUID: aa63fe86-2496-11ec-99f6-f719dec4c630
Superblock backups stored on blocks:
32768, 98304
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'cache' (68 KB) OKAY [ 0.016s]
Writing 'cache' OKAY [ 0.031s]
Erasing 'metadata' OKAY [ 0.016s]
Erase successful, but not automatically formatting.
File system type raw data not supported.
Finished. Total time: 0.889s
D:\0\AdbStation>fastboot reboot
Rebooting OKAY [ 0.000s]
Finished. Total time: 0.000s
D:\0\AdbStation>adb disable-verity
Error getting verity state. Try adb root first?
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # whoami
root
Armor_X5_Q:/ # mount -o rw,remount /
'/dev/block/dm-3' is read-only
Armor_X5_Q:/ # mount -o rw,remount /sys
Armor_X5_Q:/ # cd sys
Armor_X5_Q:/sys # ls
block bus dev firmware kernel mtk_rgu
bootinfo class devices fs module power
Armor_X5_Q:/sys # bootinfo
/system/bin/sh: bootinfo: inaccessible or not found
127|Armor_X5_Q:/sys # bootinfo --help
/system/bin/sh: bootinfo: inaccessible or not found
127|Armor_X5_Q:/sys # devices
/system/bin/sh: devices: inaccessible or not found
127|Armor_X5_Q:/sys # cd dev
Armor_X5_Q:/sys/dev # ls
block char
Armor_X5_Q:/sys/dev # cd /
Armor_X5_Q:/ # cd /
Armor_X5_Q:/ # ls
acct d init.environ.rc metadata sbin
apex data init.rc mnt sdcard
bin debug_ramdisk init.usb.configfs.rc odm storage
bugreports default.prop init.usb.rc oem sys
cache dev init.zygote32.rc proc system
charger etc init.zygote64_32.rc product ueventd.rc
config init lost+found product_services vendor
Armor_X5_Q:/ # cd system
Armor_X5_Q:/system # cd bin
Armor_X5_Q:/system/bin # ls
AudioSetParam hwclock printenv
abb hwservicemanager printf
acpi i2cdetect procrank
adbd i2cdump profman
aee i2cget ps
aee_aed i2cset pwd
aee_aed64 iconv racoon
aee_archive id readlink
aee_core_forwarder idmap realpath
aee_dumpstate idmap2 reboot
am idmap2d recovery-persist
apexd ifconfig renice
app_process ime requestsync
app_process32 incident resize.f2fs
app_process64 incident_helper resize2fs
applypatch incidentd restorecon
appops init rm
appwidget inotifyd rmdir
art_apex_boot_integrity input rmmod
ashmemd insmod rss_hwm_reset
atrace install rtt
audioserver install-recovery.sh run-as
auditctl installd runcon
awk ionice schedtest
badblocks iorapd screencap
base64 iorenice screenrecord
basename ip sdcard
batterywarning ip-wrapper-1.0 secdiscard
bc ip6tables secilc
bcc ip6tables-restore sed
blank_screen ip6tables-save sendevent
blkid ip6tables-wrapper-1.0 sensorservice
blockdev iptables seq
bmgr iptables-restore service
boot_logo_updater iptables-save servicemanager
bootstat iptables-wrapper-1.0 setenforce
bootstrap keystore setprop
bpfloader keystore_cli_v2 setsid
bu kill settings
bugreport killall sgdisk
bugreportz kpoc_charger sh
bunzip2 lbs_dbg sha1sum
bzcat lcdc_screen_cap sha224sum
bzip2 ld.mc sha256sum
cal librank sha384sum
cameraserver linker sha512sum
cat linker64 showmap
charger linker_asan simpleperf
chcon linker_asan64 simpleperf_app_runner
chgrp lmkd sleep
chmod ln sload_f2fs
chown load_policy sm
chroot locksettings sort
chrt log split
cksum logcat ss
clatd logd sspm_log_writer
clear loghidlsysservice st_factorytests
cmd logname start
cmp logwrapper stat
comm losetup statsd
connsyslogger lpdump stop
content lpdumpd storaged
cp ls strings
cpio lshal stty
crash_dump32 lsmod surfaceflinger
crash_dump64 lsof svc
cut lspci swapoff
dalvikvm lsusb swapon
dalvikvm32 make_f2fs sync
dalvikvm64 md5sum sysctl
date mdlogger tac
dd mdnsd tail
debuggerd media tar
defrag.f2fs mediadrmserver taskset
device_config mediaextractor tc
devmem mediametrics tc-wrapper-1.0
dex2oat mediaserver tcpdump
dexdiag met-cmd tee
dexdump met_log_d telecom
dexlist microcom terservice
dexoptanalyzer migrate_legacy_obb_data.sh thermald
df mini-keyctl time
diff mkdir timeout
dirname mke2fs tombstoned
dmctl mkfifo toolbox
dmesg mkfs.ext2 top
dnsmasq mkfs.ext3 touch
dos2unix mkfs.ext4 toybox
dpm mknod tr
drmserver mkswap traced
du mktemp traced_probes
dumpstate mobile_log_d trigger_perfetto
dumpsys modemdbfilter_client true
e2fsck modinfo truncate
e2fsdroid modprobe tty
echo monkey tune2fs
egrep more tzdatacheck
emdlogger1 mount ueventd
emdlogger2 mountpoint uiautomator
emdlogger3 move_widevine_data.sh ulimit
emdlogger5 mtkbootanimation umount
env mtpd uname
expand mv uncrypt
expr nc uniq
fallocate ndc unix2dos
false ndc-wrapper-1.0 unlink
fgrep netcat unshare
file netd unzip
find netdiag uptime
flags_health_check netstat usbd
flock netutils-wrapper-1.0 usleep
fmt newfs_msdos uudecode
free nfcstackp uuencode
fsck.f2fs nice uuidgen
fsck_msdos nl vdc
fsverity_init nohup viewcompiler
fsync notify_traceur.override.sh vintf
gatekeeperd notify_traceur.sh vmstat
getconf nproc vold
getenforce nsenter vold_prepare_subdirs
getevent oatdump vr
getprop od vtservice
gpuservice oem-iptables-init.sh wait_for_keymaster
grep paste watch
groups patch watchdogd
gsi_tool perfetto wc
gsid pgrep which
gunzip pidof whoami
gzip ping wificond
head ping6 wm
heapprofd pkill xargs
hid pm xxd
hostname pmap yes
hw pppd zcat
Armor_X5_Q:/system/bin # getenforce
Enforcing
Armor_X5_Q:/system/bin # setenforce 0
Armor_X5_Q:/system/bin # get enforce
/system/bin/sh: get: inaccessible or not found
127|Armor_X5_Q:/system/bin # getenforce
Permissive
Armor_X5_Q:/system/bin # root mofo's, System-As-Root! boot-debug rocks!
> ^C
130|Armor_X5_Q:/system/bin # Who needs su
/system/bin/sh: Who: inaccessible or not found
127|Armor_X5_Q:/system/bin # whoami
root
Armor_X5_Q:/system/bin #