Database Info

[REF][I9500-I9505] How to repack galaxy S4 img files (system/cache)

Hi xda
for some reson the ext4_utils is not working well on the galaxy s4, but there is another way to do that.
so thanks to hua_wuxin explained to me how to do it, and big thank to Chenglu for this.
What do you need to do:
first flash the firmware you wnat to modify, and root the phone. (it's can't be done without root first)
Do your changes in the device, by root explorer, zip files and etc.
Then via CMD (or terminal emulator) you type the following commands to dump the partition to samsung img file. (odin img, not ext4)
The commands according to the device and partition.
I9500
System:
Code:
su
make_ext4fs -s -l 2764M -a system /sdcard/system.img /system
Cache:
Code:
su
make_ext4fs -s -l 2072M -a cache /sdcard/cache.img /cache
I9505
System:
Code:
su
make_ext4fs -s -l 2760M -a system /sdcard/system.img.ext4 /system
Cache:
Code:
su
make_ext4fs -s -l 2070M -a cache /sdcard/cache.img.ext4 /cache
Now you can flash in odin by making tar from this modified img and the rest of the firmware.
The commands to create tar file, for example to I9500. (Cygwin or Linux)
Code:
tar -c boot.img cache.img hidden.img modem.bin recovery.img system.img >> file_name.tar
md5sum -t file_name.tar >> file_name.tar
mv file_name.tar file_name.tar.md5
Good Luck!
Sorry for my bad english.

Unfortunately, this still doesn't work for the I9500. Works fine for I9505 (which for me never had any issue at all, and worked with existing make_ext4fs tools just fine), but can't get *anything* to work with I9500.

To me it worked for both I9500 and I9505.
I created successfully for the I9500/I9505 scripts to add hebrew language to the languages list, by flashing custem recovery and cache img. (extended command and zip like your old root method to I9300)
also, i created full firmwares to both models with system and cache modified.
i flashed this files on over 1000 devices (I9500), and it's works gerat.

avicohh said:
To me it worked for both I9500 and I9505.
I created successfully for the I9500/I9505 scripts to add hebrew language to the languages list, by flashing custem recovery and cache img. (extended command and zip like your old root method to I9300)
also, i created full firmwares to both models with system and cache modified.
i flashed this files on over 1000 devices (I9500), and it's works gerat.
Click to expand...
Click to collapse
Have you tried making the I9500 image on the I9505 ? Or only on the I9500 ?
Could you make and attach an empty (or containing one small file: echo 1 > file ) custom cache.img for the I9500, so I can test some more ?
Really need to get this working I wish I actually had the device, heh ...
EDIT: Also maybe attach the make_ext4fs from your device ?

Chainfire said:
Unfortunately, this still doesn't work for the I9500. Works fine for I9505 (which for me never had any issue at all, and worked with existing make_ext4fs tools just fine), but can't get *anything* to work with I9500.
Click to expand...
Click to collapse
+1 :good:

You have to make the img on the same model exactly, because they have some differences in the img building.
For example the cache.img from the I9500 cannot be convert to ext4 by sgs2ext4.jar on windows. The cache.img.ext4 from the i9505 converted fine with this jar, so there is some differences. (Maybe it is the CPU differences)
any way I made the imgs for the i9500 on the i9500, and for i9505 on i9505.
I dont have the i9500 next to me, I have it in the work. (I will be there tomorrow)
For now i'm attaching a small cache.img from the firmware I made, containing only a command file for wipe data. (after flashing)
I hope it's will help.
Any way if you want, you can send me the cfroot folder with the root files and i will build it tomorrow for you to a cache.img. (with 32M size or 2072M)
btw. how exactly i can copy the the make_ext4fs from my device? (ftom where)

Thanks, just trying to figure out what the damned difference is
If you're on Windows, can you run this ? https://dl.dropboxusercontent.com/u/25695577/i9500_makefs_test.zip
Should make a cache.img file from your i9500, identical to ones I have here from a different device. This may help me figure the difference. Please attach both cache.img and commands.out files

file attached

Thanks! My my, Samsung is adding bytes to the image, make it non-standard and outside of spec. Not sure what those bytes mean yet, I've made an image with them zeroed out. Can you see if this flashes no your i9500, or ODIN produces an error ?

check it now.
edit:
works!!
how did you made this img? (on the I9505/computer)

Awesome!
Can you try this test version of CF-Auto-Root ? https://dl.dropboxusercontent.com/u/25695577/cfar_i9500_test.zip
Please:
- unroot your device before trying (just do full unroot from SuperSU's settings tab)
- flash this test CF-Auto-Root
- pay attention - is the Android you see during rooting red, blue, or green ?
- boot and see if you are re-rooted
As for what I did: I put a lot of files together, figured out what the difference was, and wrote a tool to convert between normal images and the ones used for the i9500. If all this works, I'll upload the tool (and the code, and the docs) later.
These images are made on the computer, by the way. As I said before, for the I9505 I didn't need to do this on the phone anyway, just make_ext4fs from latest Android source. And add to that my new tool, and you can make images for i9500 ... no phone needed.

works great!
i flashed it on new device and i checked it with root explorer.
the android was red like all cf-auto root.
waitng to your tool..
thanks.

https://github.com/Chainfire/sgs4ext4fs

Chainfire said:
https://github.com/Chainfire/sgs4ext4fs
Click to expand...
Click to collapse
Hi Cainfire, tnx for your tools, may be this can help you repack image I9505...
checkout android-4.2.2_r1.2

as i9000 said:
Hi Cainfire, tnx for your tools, may be this can help you repack image I9505...
checkout android-4.2.2_r1.2
Click to expand...
Click to collapse
I don't get it... I don't need help repacking i9505, as I've stated, latest ext4 utils will just work ?

i need to repack firmware for i9505 with hidden.img.ext4
i see in your commands hidden.img without ext4 extension

This should be work (create hidden img from the device)
Code:
make_ext4fs -s -l 500M -a hidden /sdcard/hidden.img.ext4 /preload
if you like to make a tar file, use those commands
Code:
tar -c boot.img cache.img.ext4 hidden.img.ext4 modem.bin NON-HLOS.bin persdata.img.ext4 recovery.img system.img.ext4 >> file_name.tar
md5sum -t file_name.tar >> file_name.tar
mv file_name.tar file_name.tar.md5

Works like a charm
Thanks Chainfire
I've tried it on the cache partition and system partition on i9500 and everything is more than fine/
Thank you very much.

do we need to make cache.img.ext4 off of our phone in Terminal EMUlator for all to work well or is that optional. thanks
also why such a large cache size and what is the difference between the larger and smaller cache recommended sizes ? ie 30M vs the 2000+ size and should we stick with those numbers.
iask because one time odin failed me on the cach.img.ext4 so I am wondering thanks again

hebrew
Hello cainfire,thanks for your work,it's amazing, i'm useing it alot.
Is there a chance to get a hebrew script or a tar for the samsung galaxy 9505,9500
You will make me happy and i would be happy to buy u a beer
Thanks

[TOOL] KDZ Writer

Tool for writing portions of KDZ files to LG devices. As long as KDZ files for the particular device are available and LGE doesn't change the format in an incompatible fashion, this will handle upgrades. Presently this tool targets the format as is used with UFS devices. The LG G5 and LG V20 are examples; the G6 and V30 may turn out to be compatible.
KDZ files are available for several LG V20 variants. Notably H918TN (US T-Mobile), H990 (non-US single-SIM), H990DS (non-US dual-SIM), H990N (Korea dual-SIM), US996 (US unlocked), and VS995 (US Verizon).
The primary goal of this tool is updating /system and /firmware, though updating other areas is in theory possible.
XDA:DevDB Information
KDZ Writer, Tool/Utility for the LG V20
Contributors
emdroidle
Source Code: https://github.com/ehem/lg-v20-tools
Instructions
Boot into TWRP. Upload an appropriate KDZ for your phone somewhere on your phone. This can be on a SD card, since all known KDZ files are just under 3GB even TWRP's in-memory filesystem is sufficient. Download(the Downloads tab, above), and upload kdzwriter to your phone:
Code:
adb push kdzwriter.gz /
Then in a shell (`adb shell`):
Code:
gunzip -c /kdzwriter.gz >/sbin/kdzwriter
chmod 755 /sbin/kdzwriter
[STRIKE]umount /system
ln -s /sbin /system/bin[/STRIKE]
The `umount` command may give an error. If you're on TWRP 3.0.2-1 /system won't have been mounted and you'll get "invalid argument"; if you get an error saying "busy" there is a problem. If using version 1.95 or later, the second two commands are unnecessary.
From here you can invoke `kdzwriter` with various arguments to write /system and /firmware:
-v
Increase verbosity. At lower levels not too much is added, at level 3 `kdzwriter` starts gushing debugging information.
-r
Report mode, tells you about how the chunks in the KDZ file match your phone.
-t
Test mode, tells you whether `kdzwriter` has decided the KDZ is an appropriate match for your phone (safety check). If used with other options, `kdzwriter` will run through the write procedure and tell you whether all the steps succeed.
-a
Write areas known safe to apply to the device. As of right now this is /system, /firmware and /cust. (equivalent to -s -m -a)
-s
Write /system. If you only want to update /system, this is the option for you. By default -s will attempt to preserve the kernel modules present on /system and overwrite the ones on the new /system image with those. This is appropriate if you've installed a custom kernel.
-M
Disables preserving kernel modules from the current /system. If you've got a stock kernel you want this option. If /system has been corrupted, this also avoids mounting /system and ensures -s succeeds.
-m
Write /firmware (aka modem).
-c
Write /cust. Some files of these files appear related to VoLTE. I'm unsure whether they're critical or optional. One (seemingly harmless) error message generated when switching regions can be avoided by writing this area.
-k
Write boot (/dev/block/bootdevice/by-name/boot). If you're opting to stay with the stock kernel then you'll want this option. This can also be used to recover from a failed Magisk/SuperSU/Superuser installation.
-P
GPT restoration mode. If a "ROM" has modified the GPTs this will attempt to restore them closer to stock. There are plans to have LineageOS do just this, so I wanted to be prepared to return to stock.
-R
Modified GPT restoration mode. "userdata" is moved closer to the begining of the device potentially allowing additional data to be merged without needing to wipe.
The most common invocation will be `kdzwriter -a <some location>/<KDZ_for_your_device>.kdz`, as noted you can use "-at" to simulate the process and confirm no errors occur.
The -b option has been allocated, but are not yet implemented. A deliberate attempt to minimize flash wear has been made. Blocks will not be rewritten if possible. Empty areas will be discarded/TRIMed.
`kdzwriter` attempts to preserve some files when writing areas. When writing /system unless -M is specified, `kdzwriter` will attempt to preserve kernel modules. When writing /cust, `kdzwriter` attempts to preserve "official_op_resize.cfg" (see GPT restoration mode for details). There are plans for v2.0 to try to preserve the contents of "open_path_mapping.cfg" and "op_list.cfg".
If you get an error message about "Failed while writing /system, major problem, PANIC!" this is most likely to be caused by a corrupt KDZ file. In this case retrying the download is the most likely solution.
Apparently for some devices/KDZ files it is necessary not to skip too many revisions. Notably going from H990N version 10b to version 10o does not work; instead you need to do 10b -> 10e ->10o. This hasn't yet been observed on other devices, but beware big skips can fail.
GPT Restoration mode
There are plans to have a future version of LineageOS hack off a piece of /system to utilize as /vendor. This is reasonable for LineageOS (or another "ROM"), but a problem if you desire to return to stock. As such v1.95 has been brought out which features the ability to restore the GPTs.
Crucial item: In the interest of safety this operation demands a KDZ which is a better match for your device! You will need to use a KDZ file matching what your device was at when you initially rooted! (H990ds10b* or so for most devices)
You can confirm whether a given KDZ is appropriate using the "-t" option. If `kdzwriter -t <someKDZfile>.kdz` gives the message "KDZ appears applicable to this device" then kdzwriter will not use that file for this operation, that command must give the output "KDZ appears applicable to this device and matches original" in order to be acceptable for this operation.
On the H990 some space is stolen from userdata for use as /OP. Everything in /OP appears to be bloatware, but since I'm trying to make it possible to go back close to stock, I've got to do something about /OP. The size of /OP is controlled by the file "/cust/official_op_resize.cfg". As I didn't have a better way of handling it, I simply grab the first line and use that. If /cust is unavailable (hasn't been restored?) a size of 0 will be assumed. If a size of 0 is found, `kdzwriter` will wipe the slice^Wpartition and the space will in fact end up as part of /data (hint, hint).
Important note: Since the normal order is system, cache, cust, OP then userdata, modifying the size of /OP will require wiping /data!
The -R option restores a modified GPT. The modified GPT mode tries to reorders the slices^Wpartitions as userdata, OP, cust, system, cache. The theory is that if cust isn't needed in LineageOS, cust could be removed from the GPT and the space merged into userdata. Since userdata is then first, it could be enlarged without the need to wipe and restore.
Examples
I expect by far the most common usage to be `kdzwriter -a <somekdz>.kdz`, but as typed there extra flags for certain situations:
Recovering from bad flash attempt -sM
If there was a problem when attempting to write /system there is a decent chance it won't be possible to mount /system for saving kernel modules. In this case using `kdzwriter -sM <somekdz>.kdz` is your need. This skips mounting /system at the cost of being unable to preserve kernel modules, you will need to reinstall whatever kernel you were using.
Partial unrooting -k
If you want to switch between Magisk, SuperSU, and Superuser this is your need. `kdzwriter -k <somekdz>.kdz` overwrites the boot/kernel area with the image from the KDZ file. Your next step will likely be to reinstall whatever kernel you were using. Afterwords all traces of a systemless install will have been wiped and you can install a different `su` implementation.
Going mostly back to stock -ak
For owners of the V20s where the stock kernel works, you can use a combination of these two options to update /system and to a newer kernel (you don't want to be hit by DirtyCOW). After doing this you'll need to reinstall whichever `su` implementation you were using.
Version Information
Status: Stable
v1.98a
Identified which check was preventing installation of 20a KDZ files. That is now disabled. There is also a force option which will override the safety check, but please be careful. That safety check was written to try to make it hard to generate bricks...
v1.98
Implemented modified GPT restoration mode. This mode reorders the slices^Wpartitions during restoration. This allows for potentially merging more space into /data without needing to wipe /data again.
v1.95
Found the appropriate compiler flag for setting the runtime linker. Thanks to the TWRP folks, kdzwriter is now a bit easier to use.
Implemented GPT restoration mode. This allows for restoring modified GPTs back to stock. This is valuable if a "ROM" has modified the GPTs. Given how there are plans to have LineageOS do just that, I'm figuring a number of people may be rather interested in this feature.
v1.3
Fixed testing for whether a KDZ is applicable to the device. This should merely be a safety precaution, but I need it there so I don't get fingers pointed my way on failure.
Finally tracked down the issue with kernel module preservation. This is a really stupid bug. There should no longer be any need to reinstall modified kernels after updates!
v1.2
Added additional debugging information around calls to Zlib. There has been a report of difficulty around Zlib so extra information is available. Some of this is only available at verbosity level 3 though.
Created 2017-07-31
Last Updated 2019-01-02
v1.2
MD5: 49b06410f8f90606f9829cc8ff8ed82a
SHA1: ce1f84f579c94e788539e462febc2f2e293a64ff
SHA512: 47a94ae6c6d1157dd406319d2d44ba72c9f954c3f0ad6b892eafbb818d01a7bf9c14b0a9f01ab6f092c07537d3273f8981b83c80ebf67f2cf9e33c26f8838ad3
v1.3
MD5: a412c7fe58722b6e63560c5074bc59b7
SHA1: 8e7e1fbd2edef0ff10516c57a84b642a1a92a758
SHA512: a5b9d3a66bf4237138264a5756f1637ba849a3aeb78d935e0fe6033486de41ad56a0ca5c62b3d94546fd2b4fe86e9edf7958e80481f1f10ef7ef2b6b562a412a
v1.95
MD5: 5f8797b5829ca5a919d1d685404a2726
SHA1: 62d7476ec50a2ea3a682b86654dd1ddc03da0c24
SHA512: ee717f3803e43862dc6faac3788e16267d9661bf98f8fdeebedd6b871dcd4cadb7dc4ee5208dc6072f5f7ba44e46440a759425536a354b530584f824570283c7
v1.98
MD5: 7dfee90d7e0711f5742b94efb81a8b18
SHA1: f020345935b078ebc336e88e3b0623e0792f71ad
SHA512: 71e82f535d33cc64fe023425db0b6d924c6d11677b04843628a9c6ca90cc6700d0a6c5e868c964e31d54f7d3c835d9ecd3b6c33108926da29e75e3be3e1456b2
v1.98a
MD5: 31f207a865b453472271eed29544833e
SHA1: 42ab0486cfc100b52dde9c6bac9bca684eccfde2
SHA512: fe127bece0e25ae4927f3499d708d1533b5fe0a00513de9cb8565ffc24b3e4ee08e9000d828a0177feb4b3b449137836b63cda72cf178b5cd67ae377997a1d37

@emdroidle I'm getting "permission denied" from KDZWriter when I execute the kdzwriter -a /external_sd/H990_something.kdz command in TWRP Terminal. I noticed that I can't umount /system either, it says it's an invalid argument?
Would this be something to do with the locking of /system I read about earlier? I did try manually mounting /system in TWRP before trying anything too, but that doesn't seem to have helped at all.
I've also tried doing mount -o rw,remount,rw /system
I'm running rooted 10C-TWN firmware with Magisk (interestingly, phone will flat out refuse to boot if I flash SuperSU, so Magisk it is). When I go to install Magisk it says "mounting /system" with no problems at all

Thanks very much for your work.
Iam confused about the instructions im not very familiar with adb shell . can you please elaborate more the steps for easy running of kdzwriter. thank you and let me tell you that you are awesome

Where is kdzwriter.gz? No attachment? Works kdzwriter from Dirty Santa thread?

i am getting kdzwriter: permission denied

iDefalt said:
I'm running rooted 10C-TWN firmware with Magisk (interestingly, phone will flat out refuse to boot if I flash SuperSU, so Magisk it is). When I go to install Magisk it says "mounting /system" with no problems at all
Click to expand...
Click to collapse
My first attempt to install Magisk failed, "Unable to repack ramdisk". At which point I had a problem. Suddenly the "-k" option came into existence and a retry succeeded.
iDefalt said:
@emdroidle I'm getting "permission denied" from KDZWriter when I execute the kdzwriter -a /external_sd/H990_something.kdz command in TWRP Terminal. I noticed that I can't umount /system either, it says it's an invalid argument?
Would this be something to do with the locking of /system I read about earlier? I did try manually mounting /system in TWRP before trying anything too, but that doesn't seem to have helped at all.
I've also tried doing mount -o rw,remount,rw /system
Click to expand...
Click to collapse
Okay, I guess I'm not that great at writing instructions. The added `chmod` will fix the "permission denied" error.
The `umount` is more an issue if you've updated to TWRP 3.1.1-0 which does successfully mount /system, whereas TWRP 3.0.2-1 didn't. The "invalid argument" is saying it isn't mounted and you can simply proceed. It is a problem if it says "busy". In this case you would get an error "Failed mounting system for kmod saving: <message>", then "kdzwriter: Failed while reading kernel modules" and `kdzwriter` wouldn't proceed.
Also replace "/external_sd/H990_something.kdz" with the filename/where you installed it (did you really rename the KDZ file to H990_something.kdz?).
dadme said:
Where is kdzwriter.gz? No attachment? Works kdzwriter from Dirty Santa thread?
Click to expand...
Click to collapse
Notice the "Download" tab at the top of this thread?

does anyone have the link to TWRP 3.1.1-0 for the h990ds? My device didn't seem to like the command 'kdzwriter -a /external_sd/H990ds10f_00_OPEN_TW_DS_OP_0622.kdz' I received the error "Failed while writing /system, major problem, PANIC!" . It's in a bootloop now should have run '-at' first!
second attempt...
You have to try harder than that message to make me panic
i figure my 10f kdz must be corrupt, so tried 10e
kdzwriter -a /external_sd/H990ds10e_00_OPEN_TW_DS_OP_0517.kdz
errors recieved were:
Failed mounting system for kmod restoring: Invalid argument
kdzwriter: Failed while restoring kernel modules, recommend kernel reinstall!
I reinstalled the kernel. Not sure what the kmod error means?
Anyway android upgraded and works a charm. Didn't fix my camera focus issue but i guess that must be down to the kernel.
Thanks for this awesome tool emdroidle, are you taking donations?

Sorry, Emdroidle i use classic theme, so download tab is not visible. Can use this TWRP https://forum.xda-developers.com/v20/development/recovery-twrp-3-1-0-0-touch-recovery-t3603760, elsa version? TWRP can be updated from TWRP 3.0.2.1 or from fastboot?
Got this on 10f H990DS TWN,
Failed mounting system for kmod restoring: Invalid argument
kdzwriter: Failed while restoring kernel modules, recommend kernel reinstall!
Finished rewrite of system area
Begining rewrite of modem area
ooo...ooo.oooooooo.ooooo...oooooooo.o*
Finished rewrite of modem area

dadme said:
Sorry, Emdroidle i use classic theme, so download tab is not visible. Can use this TWRP https://forum.xda-developers.com/v20/development/recovery-twrp-3-1-0-0-touch-recovery-t3603760, elsa version? TWRP can be updated from TWRP 3.0.2.1 or from fastboot?
Got this on 10f H990DS TWN,
Failed mounting system for kmod restoring: Invalid argument
kdzwriter: Failed while restoring kernel modules, recommend kernel reinstall!
Finished rewrite of system area
Begining rewrite of modem area
ooo...ooo.oooooooo.ooooo...oooooooo.o*
Finished rewrite of modem area
Click to expand...
Click to collapse
Either TWRP should work, just there is a small behavior difference. TWRP 3.0.2-1 has a small bug and never manages to mount /system; while TWRP 3.1.1-0 does manage to mount /system. With 3.0.2-1 the `umount /system` can be skipped, with 3.1.1-0 that command needs to be run before /system is upgraded.
Mars104 said:
does anyone have the link to TWRP 3.1.1-0 for the h990ds? My device didn't seem to like the command 'kdzwriter -a /external_sd/H990ds10f_00_OPEN_TW_DS_OP_0622.kdz' I received the error "Failed while writing /system, major problem, PANIC!" . It's in a bootloop now should have run '-at' first!
second attempt...
You have to try harder than that message to make me panic
i figure my 10f kdz must be corrupt, so tried 10e
kdzwriter -a /external_sd/H990ds10e_00_OPEN_TW_DS_OP_0517.kdz
errors recieved were:
Failed mounting system for kmod restoring: Invalid argument
kdzwriter: Failed while restoring kernel modules, recommend kernel reinstall!
I reinstalled the kernel. Not sure what the kmod error means?
Click to expand...
Click to collapse
Well seeing that "PANIC" message means something rather problematic occurred, and the state of /system is Bad(tm).
"kmod" is short for "kernel module". The Linux kernel has the capability to load/unload extra bits of code (generally drivers) while the kernel is running. These are specific to the particular kernel and trying to load modules for the wrong kernel could fail or cause problems.
I was surprised to learn the Bluetooth and FM Radio drivers are modules, as well as the exfat filesystem is a module. The userspace portion of talking to the Bluetooth chip won't load unless it successfully loads "brcm_bt_drv.ko" into the kernel.
The kernel modules are located in /system/lib/modules. When writing /system, `kdzwriter` first tries to mount /system and save copies of the modules. Once /system has been rewritten it tries to restore them. If either of those steps fails, there is need to reinstall the kernel since the modules on /system will match LG's stock kernel, not the static-fixed kernel I built.
Mars104 said:
Thanks for this awesome tool emdroidle, are you taking donations?
Click to expand...
Click to collapse
Well I don't send them back.

emdroidle said:
The added `chmod` will fix the "permission denied" error. (did you really rename the KDZ file to H990_something.kdz?).
Click to expand...
Click to collapse
Haha no mate I didn't, was just using the name for the KDZ from your example
Just wanted to say thanks as well. Used your tool with the updated instructions. Booted into TWRP, plugged into PC, used ADB from Command Prompt to do the whole thing. Went perfectly. It gave me a line when it was done about recommending a kernel re-install, so once the tool was finished I re-flashed the H990 kernel zip from your other thread, Magisk, the latest Aroma GAPPS package, and then rebooted. After the optimization process, I'm now on V10F-TWN with a patch date of 1st June, and rooted.
It's a touch of a process to get to this point, but if you follow everything properly to the letter, it works. Cheers mate.

i rename my kdz into "some.kdz" i run kdzwriter -at /external_sd/some.kdz itsays : Next chunk starts beyond end of file, Failed to open KDZ file, aborting what does this mean thank you

iDefalt said:
Haha no mate I didn't, was just using the name for the KDZ from your example
Click to expand...
Click to collapse
Okay, fine. I just wanted to make sure since there are people who don't realize you're supposed to adapt the name and complain when things don't work. Just one of those things that makes one go wait-a-minute...
kuachi00 said:
i rename my kdz into "some.kdz" i run kdzwriter -at /external_sd/some.kdz itsays : Next chunk starts beyond end of file, Failed to open KDZ file, aborting what does this mean thank you
Click to expand...
Click to collapse
Most likely you don't have the full file. Were you downloading it and the download got interrupted?

Success! Upgraded to 10f with root

emdroidle
Can you please make a small tool that extract the content of the KDZ file and the system.img file to modify things with ease on PC, and can easier interchange between versions to see what bugs can be avoided....

zinou213 said:
emdroidle
Can you please make a small tool that extract the content of the KDZ file and the system.img file to modify things with ease on PC, and can easier interchange between versions to see what bugs can be avoided....
Click to expand...
Click to collapse
There already are tools for this. https://github.com/Bigcountry907/kdztools and https://forum.xda-developers.com/showthread.php?t=2600575
Though I'm not sure they are completely compatible with the newest kdz's. Simple extraction should work.
-------
Nice tool btw. Now if only it where possible to flash kdz's directly in EDL mode, that would be great !!

askermk2000 said:
There already are tools for this. https://github.com/Bigcountry907/kdztools and https://forum.xda-developers.com/showthread.php?t=2600575
Though I'm not sure they are completely compatible with the newest kdz's. Simple extraction should work.
-------
Nice tool btw. Now if only it where possible to flash kdz's directly in EDL mode, that would be great !!
Click to expand...
Click to collapse
Thank you, I know this tools but i want a confirmation about there compatibility with v20's KDZs, and what is the EDL mode you talk about ??

zinou213 said:
Thank you, I know this tools but i want a confirmation about there compatibility with v20's KDZs, and what is the EDL mode you talk about ??
Click to expand...
Click to collapse
That last part was not for you specifically. It's Sahara Download Mode, or Emergency Download Mode I was talking about, something you probably won't know much about until you brick your phone

askermk2000 said:
That last part was not for you specifically. It's Sahara Download Mode, or Emergency Download Mode I was talking about, something you probably won't know much about until you brick your phone
Click to expand...
Click to collapse
OK Sahara Download Mode i know, i saw this with my old bricked gflex 2 that i unbricked with too many tools and processes that i forget now...

why is it that only the android security patch has been changed and the version is still v10e iam trying to upgrade to v10g thanks
---------- Post added at 11:09 PM ---------- Previous post was at 10:47 PM ----------
also my cpu load is alway going 90 to 100 percent even tho im not using any app did not also do cpu adjustments . it drains my battery fast

@emdroidle
Your donation button doesn't work:
We cannot process this transaction because there is a problem with the PayPal email address supplied by the seller. Please contact the seller to resolve the problem. If this payment is for an eBay listing, you can contact the seller via the "Ask Seller a Question" link on the listing page. When you have the correct email address, payment can be made at www.paypal.com.
Click to expand...
Click to collapse

Error trying to flash 8.1 factory image

I sideloaded the 8.1 OTA yesterday. However, I'm having issues with my finger print sensor and want to do a clean flash of the whole image. I downloaded the Walleye .011 image file from Google's site this morning. When I attempt to flash the image using the flash-all command, I receive the following error:
wiping userdata...
CreateProcess failed: The system cannot find the file specified. (2)
mke2fs failed: -1
error: Cannot generate image for userdata
I have my bootloader unlocked but am not rooted. The phone is currently on the .011 build but it will not let me flash the image. Any ideas? I've also downloaded the latest platform tools in case that was an issue.
Thanks,
Rick

C5Longhorn said:
I sideloaded the 8.1 OTA yesterday. However, I'm having issues with my finger print sensor and want to do a clean flash of the whole image. I downloaded the Walleye .011 image file from Google's site this morning. When I attempt to flash the image using the flash-all command, I receive the following error:
wiping userdata...
CreateProcess failed: The system cannot find the file specified. (2)
mke2fs failed: -1
error: Cannot generate image for userdata
I have my bootloader unlocked but am not rooted. The phone is currently on the .011 build but it will not let me flash the image. Any ideas? I've also downloaded the latest platform tools in case that was an issue.
Thanks,
Rick
Click to expand...
Click to collapse
Are you running it from the directory where the image is?

C5Longhorn said:
I sideloaded the 8.1 OTA yesterday. However, I'm having issues with my finger print sensor and want to do a clean flash of the whole image. I downloaded the Walleye .011 image file from Google's site this morning. When I attempt to flash the image using the flash-all command, I receive the following error:
wiping userdata...
CreateProcess failed: The system cannot find the file specified. (2)
mke2fs failed: -1
error: Cannot generate image for userdata
I have my bootloader unlocked but am not rooted. The phone is currently on the .011 build but it will not let me flash the image. Any ideas? I've also downloaded the latest platform tools in case that was an issue.
Thanks,
Rick
Click to expand...
Click to collapse
I had the same issue with my 2 XL and it was driving me crazy.
The only way I was able to get the factory image to flash is by removing the -w flag near the bottom of the script. I couldn't figure out what was going wrong and have never needed to modify the script for a factory image to flash.

your problem could be easily solved by restoring factory settings.

have you compared the SHA-256 Checksum hashes? It may/might explain or expose if something is missing...
I mean it's doubtful that you've gone this far where it would be something like that, but you never know... small but won't hurt to try and if that ends up being it, then it's a small thing and keeps you from going all too far...

Thanks for all the replies. I have not compared a checksum yet, but will validate they are the same.
I wanted to flash the whole image as a way to completely clean install the system and my apps. Wouldn't a factory reset only remove my data and configuration settings? If there was an issue with the system files, those wouldn't be fixed, correct?
Thanks,
Rick
Sent from my Pixel 2 using Tapatalk

osi13 said:
I had the same issue with my 2 XL and it was driving me crazy.
The only way I was able to get the factory image to flash is by removing the -w flag near the bottom of the script. I couldn't figure out what was going wrong and have never needed to modify the script for a factory image to flash.
Click to expand...
Click to collapse
How I can do that ( removing the -w flag near the bottom of the script ) pls help

zetareticuli said:
How I can do that ( removing the -w flag near the bottom of the script ) pls help
Click to expand...
Click to collapse
You want to remove the -w flag from flashall.sh or flashall.bat.

osi13 said:
You want to remove the -w flag from flashall.sh or flashall.bat.
Click to expand...
Click to collapse
problem solved i found the (-w) but the problem now is i can't flash or install one ROM to start the process to go out of the bootloop problem.. no recovery mode, i can't install TWRP, the phone are connecting with my comp and i has tryied flash many stock rom's and flash the 4 core.img, but nothing works can you help me??

Fire hd8 2017 root, debrick

Tested only on 2017 hd8
This post is outdated please refer to: https://forum.xda-developers.com/hd8-hd10/orig-development/unlock-fire-hd-8-2017-douglas-t3962846
1 - Open your fire hd 8 7th gen, now you need to access the pads under the board(be very careful there is a lot of glue), specifically we need the pad TP28 which is the clk signal of the emmc
2 - Get yourself a wire (I recommend one with only one conductor in the plastic shroud) or something conductive
3 - Now on a linux machine/vm (if you use a vm, do usb passthrough) go in the amonet folder and do:
Code:
sudo ./bootrom-step.sh
4 - When you see:
Code:
[2019-02-07 14:35:59.478924] Waiting for bootrom
short TP28 to ground (there is a big pad near TP28, its ground so you can use it) and plug the usb
5 - If the operation is successful you should be prompted to remove the short and press enter
6 - Wait until the script end if it's succesfull you will see:
Code:
[2019-02-07 12:11:05.621357] Reboot to unlocked fastboot
in case of any error probably you should start again from step 4
7 - now the device should reboot and go automatically in fastboot mode (if not, try unplug and plug back the usb), you can reflash any partition ex:
Code:
sudo fastboot flash <partition-name> <image-file.img>
The boot partition need to be flashed on the device in order to recover from the first part of the guide so:
Code:
sudo fastboot flash boot boot.img
You can extract boot.img from the ota archive
Becouse there is no system partition check on th 7th gen you can flash a modified system.img (a rooted one)
i will link the ota where i've extracted the .img (sorry i can't upload mine becouse my up speed is trash, 512kbit/s)
8 - Now, again on al linux machine/vm go in the folder amonet-res and run again:
Code:
sudo ./bootrom-step.sh
the steps are the same as from 3 to 6
9 - your table should reboot into FireOS
Recover from flashing the 8th gen exploit
in step 7, when you get into fastboot mode do:
Code:
sudo fastboot flash boot boot.img
with the boot.img from an ota then proceed with the other step
Ready to flash rooted system
Instead of make your own modified system image, you can flash this (thanks to @JJ2017) https://mega.nz/#F!G7pn3SCS!TWhEmzSFNctoil626IbF3A
download both boot and system from the mega link then, once you get in the fastboot mode in step 7, run from the directory where the downloaded system.img and boot.img are:
Code:
sudo fastboot flash system system.img
sudo fastboot flash boot boot.img
This method require you to install the SuperSu app (download an apk from a site like APKmirror)
Make your own system.img
Download this : https://raw.githubusercontent.com/xpirt/sdat2img/master/sdat2img.py
(assuming debian or ubuntu distro) install android-tools-fsutils
1 - get yourself an ota archive
2 - extract it
3 - put sdat2img.py in the same directory as the extracted ota
4 - do
Code:
python2 sdat2img.py system.transfer.list system.new.dat system.img
5 - now do
Code:
mkdir system && sudo mount system.img system
6 - now you can modify the image and for example install SuperSU (Install SuperSu on system.img section of the thread)
7 - unmount the image
8 - do
Code:
img2simg system.img system-a.img
9 - in fastboot mode do:
Code:
sudo fastboot flash system system-a.img
sudo fastboot flash boot boot.img
run the commands in the same folder as the .img
Install SuperSu on system.img
Coming soon. for now you can refer to Building the system image section of this post (thanks to @cybersaga) https://forum.xda-developers.com/showpost.php?p=78864228&postcount=31
Or try this script for creating a rooted system.img (thanks to @SirausKen) https://forum.xda-developers.com/showpost.php?p=78868608&postcount=39
My terminal output while i'm flashing rooted system.img
https://pastebin.com/hn2Rhk87
Thanks
- xyz' for the amonet exploit chain
- <br > for the emmc pinout
- xpirt for sdat2img

looks like I got something to try this evening.
Thanks!

NFSP G35 said:
looks like I got something to try this evening.
Thanks!
Click to expand...
Click to collapse
Please post your results

Ok, I'm gathering the required stuff to try this out.
I'm going to go through your method exactly, but I'm curious... (and this is probably a stupid question that's already been answered somewhere else) why can't we flash TWRP?

Is it just me, or is the process of manually applying SuperSU to the system image a huge pain?
Got to put it on pause for tonight. Any tips or suggestions are welcome though!

NFSP G35 said:
Is it just me, or is the process of manually applying SuperSU to the system image a huge pain?
Got to put it on pause for tonight. Any tips or suggestions are welcome though!
Click to expand...
Click to collapse
Yeah I feel like step 6 could be expanded into, like, 5 steps. I'm not sure how that's done either.

Can confirm working....
Awesome work @t0x1cSH.... after many an hour.... yes, your method successfully root Fire HD8 (2017)
Pretty much followed your guide - managed the 'SU' injection with help from the method description @ <br /> Hardmod Root (https://forum.xda-developers.com/hd...ot-hardmod-root-amazon-fire-hd-8-7th-t3851617)
Actually, not too difficult compared to the Hardmod - when fully written up this will be a game-changer
Many thanks: :good::good::good:
BTW: used Fire OS 5.3.6.4 (most recent)

I'll probably give it a try this weekend. Where did you get the OTA update from?
Update: Nevermind, I found it: https://www.amazon.ca/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=202144610

I'm not great at Linux commands. Would anyone be kind enough to tell me how to modify the system image to include root?

I'll try this weekend as well.

niggabyte said:
I'm not great at Linux commands. Would anyone be kind enough to tell me how to modify the system image to include root?
Click to expand...
Click to collapse
See the previous post (or more to the point, see the section "Writing SuperSU" in <br />'s thread...
JJ2017 said:
... managed the 'SU' injection with help from the method description @ <br /> Hardmod Root (https://forum.xda-developers.com/hd...ot-hardmod-root-amazon-fire-hd-8-7th-t3851617)
Click to expand...
Click to collapse
Also, thanks @JJ2017 for pointing out that thread had the steps for manually patching in SuperSU.
I thought I remembered seeing it before, but couldn't remember where and majorly failed at finding it (meanwhile it's hiding out right under my nose LOL) Probably just too tired.
Anyone who does this successfully could share their patched system.img (preferably just a stock-rooted)

NFSP G35 said:
See the previous post (or more to the point, see the section "Writing SuperSU" in <br />'s thread...
Click to expand...
Click to collapse
Rather embarrassingly, I don't know what commands are required in terminal for copying, moving, and applying permissions to files...

niggabyte said:
I'm not great at Linux commands. Would anyone be kind enough to tell me how to modify the system image to include root?
Click to expand...
Click to collapse
niggabyte said:
Rather embarrassingly, I don't know what commands are required in terminal for copying, moving, and applying permissions to files...
Click to expand...
Click to collapse
No problem. Linux can be intimidating at first... Believe me, I've been there!
Fortunately, it's not hard to come up to speed and quite a rewarding experience.
Grab yourself a Linux cheat-sheet: https://www.google.com/search?q=linux+cheat+sheet&tbm=isch
I believe cp and chmod are mainly what you'll need.

NFSP G35 said:
See the previous post (or more to the point, see the section "Writing SuperSU" in <br />'s thread...
Also, thanks @JJ2017 for pointing out that thread had the steps for manually patching in SuperSU.
I thought I remembered seeing it before, but couldn't remember where and majorly failed at finding it (meanwhile it's hiding out right under my nose LOL) Probably just too tired.
Anyone who does this successfully could share their patched system.img (preferably just a stock-rooted)
Click to expand...
Click to collapse
I was about to ask the same thing, if someone want to share their rooted and preferably stock system images (like a MEGA link) i will put them on the main thread (with credits of course)
With my internet connection, upload my system.img will take forever

JJ2017 said:
BTW: used Fire OS 5.3.6.4 (most recent)
Click to expand...
Click to collapse
Their site says that 5.6.3.0 is the most recent: https://www.amazon.ca/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=202144610
Are we looking at the same thing?
I'm wondering because I just went through this process and now the tablet won't boot. It's stuck at the "fire" logo.
So where did you get your OTA file?

cybersaga said:
Their site says that 5.6.3.0 is the most recent: https://www.amazon.ca/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=202144610
Are we looking at the same thing?
I'm wondering because I just went through this process and now the tablet won't boot. It's stuck at the "fire" logo.
So where did you get your OTA file?
Click to expand...
Click to collapse
my guess is that you probably created a wrong symbolic link for app_process, the command should be something like:
Code:
ln -s system/xbin/daemonsu bin/app_process

t0x1cSH said:
my guess is that you probably created a wrong symbolic link for app_process, should be something like:
Code:
ln -s system/xbin/daemonsu bin/app_process
Click to expand...
Click to collapse
I did create that. I kept track of all the commands I typed. But I remounted the image to check and it's there:
Code:
[email protected]:~/Desktop# ls -l system/bin/app_process
lrwxrwxrwx 1 root root 13 Feb 8 17:09 system/bin/app_process -> xbin/daemonsu

cybersaga said:
I did create that. I kept track of all the commands I typed. But I remounted the image to check and it's there:
Code:
[email protected]:~/Desktop# ls -l system/bin/app_process
lrwxrwxrwx 1 root root 13 Feb 8 17:09 system/bin/app_process -> xbin/daemonsu
Click to expand...
Click to collapse
Should be (straight from the device)

t0x1cSH said:
Should be (straight from the device)
Click to expand...
Click to collapse
That makes a whole lot of sense! I'll try again.
---------- Post added at 06:47 PM ---------- Previous post was at 06:10 PM ----------
Hrm... now it's stuck at the Amazon logo. That's a step back.
I'll retrace my steps.

cybersaga said:
That makes a whole lot of sense! I'll try again.
---------- Post added at 06:47 PM ---------- Previous post was at 06:10 PM ----------
Hrm... now it's stuck at the Amazon logo. That's a step back.
I'll retrace my steps.
Click to expand...
Click to collapse
try to clear the cache from the recovery (power + volume down) and remember to flash boot.img from the recovery, if you forgot it the tablet will hang on the amazon logo

[SOLVED] Help to mount userdata in linux or repair userdata.img

After an Update of Two magisk modules, my Ulefone Armor 11 5G staied stucked on boot logo, I can only enter in recovery or fastboot.
I try to build a TWRP, but it is not able to mount userdata.
I was able to download with the help of mtkclient all the partition on my phone, even userdata , it took 7 hours.
I wanted to load the image in linux but using mount disk imag or using the command sudo mount -o loop userdata.img ~/Armor_11_5G doesn't do anything not even an error message.
I'm wondering if the filesystem was corrupted during the update.
Is it possible to repair the fylesystem like in Windows?
Thanks

did you previously disable encryption and factory reset long time before the modules updates failed?
what do you mean mount doesn't do anything not even an error message? either it give error message or it succeed.

I didn't disable encryption before updating the modules, I already updated this modules many times.
what do you mean mount doesn't do anything not even an error message? either it give error message or it succeed.
Click to expand...
Click to collapse
That is the problem, it doesn't succed and I don't have an error message. The file is 256 Gbyte big, I don't know if it plays a role. I'm using Ubuntu 22

if phone is encrypted that's just 256G garbage. post the output of
Code:
$ parted <file> unit B print

Here are the results of parted
Code:
Error: /home/*****/Public/userdata.bin.img: unrecognised disk label
Model: (file)
Disk /home/osboxes/Public/userdata.bin.img: 249208733696B
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:
Thanks

You may try https://www.cgsecurity.org/wiki/TestDisk_Download
I'd be glad for your feedback.

sorry thought it's whole disk, but it's only 232G file therefore parted won't print partition table
does apply to FDE only
assuming this file is dump of single userdata partition, open with HxD editor. if the partition image is not encrypted, you will see lot zeros within first 1024 bytes.
in that case you can check for file system type is ext4 or f2fs.
Code:
$ xxd -l 1080 dump.img | grep 53ef
$ xxd -l 1024 dump.img | grep 1020.f5f2
But most likely the userdata partition is encrypted, therefore no way to recover data offline.
The easiest way not to load Magisk modules is, not to load Magisk. Flashing stock boot.img will solve it.
Beware, in case you disabled encryption beforehand, booting stock boot.img will force encryption. This may take long time without notice.

I never disabled encryption, I don't know if Magisk do it without informing. I used this phone for an year without a problem.
After the update I left the phone on for one night but nothing happens. I tried to reflash the stock boot image, and again a whole night wait, but again nothing happens.
Reading the fstab the file system should be ext4.
The file is the dump of the whole userdata partition of my Ulefone Armor 11 5G.
I did a backup of the whole system before doing any experiment so if the partition table is corrupted maybe if I reflash back the userdata partition with a working partition table I have again access to the datas.

there is no partition table in userdata partition, I just gave you wrong advise. because the phones total storage is 256G, I made wrong assumptions (you can view partition table from file pgpt.bin)
full 1:1 backup is impossible for FBE encryption because encryption keys are stored in TEE. once you factory reset device backup of userdata + metadata becomes useless.
fstab doesn't tell you what file you just have dumped. if you can't find ext4 super magic (#7) it's impossible to loop mount that file (and impossible to decrypt on linux PC)
if you can't fix boot-loop by stock boot.img then it's unrelated to magisk modules. you can however enable adb in default.prop and capture adb logcat during boot-loop for further analysis. you could also inject own script that deletes some files (only DE encrypted files, CE encrypted files requires lock screen credentials aka pin/pattern)

boot this TWRP and get log from adb
Code:
$ fastboot boot recovery.img
$ adb shell twrp decrypt '1234'
$ adb pull /tmp/recovery.log
https://twrp.me/faq/openrecoveryscript.html

full 1:1 backup is impossible for FBE encryption because encryption keys are stored in TEE. once you factory reset device backup of userdata + metadata becomes useless.
Click to expand...
Click to collapse
With mtk client I was able to do the backup of tee1 and tee2 and also of gpt_backup and gpt_main.
$ xxd -l 1080 dump.img | grep 53ef
$ xxd -l 1024 dump.img | grep 1020.f5f2
Click to expand...
Click to collapse
Doesn't produce any results.
I have immediately the command prompt.
you can however enable adb in default.prop
Click to expand...
Click to collapse
How can I do that? Which value should I change in default.prop?

so your "backup" is encrypted. please note Trustonic Kinibi is TEE OS running in secure memory one can't access or backup with mtkclient. the tee partitions in phone storage do not contain any encryption key (none of the partitions does, secure memory is not even a partition). the only crypto related partition is metadata used for keydirectory of metadata encryption (on top of FBE encryption) but it is useless for backup purposes.
yes you can modify default.prop in boot.img, ro.secure=0 should give root access.
https://forum.xda-developers.com/t/...hone-with-broken-screen.2965462/post-85905033
Code:
ro.secure=0
ro.debuggable=1
persist.service.adb.enable=1
in case the default.prop modification is not sufficient, you need additional command to be executed as root.
Code:
# settings put global adb_enabled 1
as you installed magisk, you could use magisk overlay.d/sbin/ for running startup script.
https://forum.xda-developers.com/t/...ithout-losing-your-data.4383255/post-86934375
aIecxs said:
boot this TWRP and get log from adb
Code:
$ fastboot boot recovery.img
$ adb shell twrp decrypt '1234'
$ adb pull /tmp/recovery.log
https://twrp.me/faq/openrecoveryscript.html
Click to expand...
Click to collapse
How about this TWRP? it should be able to decrypt userdata. if decryption failed, provide recovery.log

Until tomorrow I cannot do a logcat and I cannot find my view logcat on my laptop.
I unpacked boot.img with Carliv Image Kitchen and there is no default.prop, that is present in the recovery as prop.default.
Is there a way to backup secure memory of Trustonic?
How about this TWRP? it should be able to decrypt userdata. if decryption failed, provide recovery.log
Click to expand...
Click to collapse
I already tried that version but it cannot decrypt, that' why I'm trying to build my own version of TWRp with the help of the creator of that version of TWRP, but I'm stucked.

oh, you know how to build TWRP with proper FBE + metadata encryption support? have a look at other Oppo devices how they did... good luck.
regarding default.prop in boot.img (it's a symlink to system unfortunately) you can do it the other way
use magisk overlay.d/sbin/
create a boot script that does the thing with resetprop -n <prop_name> <prop_value>
don't use outdated Carliv Image Kitchen! use osm0sis AIK from link above.

oh, you know how to build TWRP with proper FBE + metadata encryption support? have a look at other Oppo devices how they did... good luck.
Click to expand...
Click to collapse
I'm learning.
I try to integrate the decryption service following the suggestion of ADeadTrouser on Github, but the service doesn't want to start and I don't understand why.
I never checked Oppo, I will take a look at them also, thanks for the suggestion.

I think I figured out now the adb logcat at least. hope that helps
https://forum.xda-developers.com/t/accessing-my-phone-with-a-dead-screen.4542763/post-88016019

I tried your script butr nothing happens, the telephone is not listed when I type
Code:
adb devices
and if I type
Code:
adb logcat
I receive the message waiting for device

you might follow the thread

wenyendev said:
You may try https://www.cgsecurity.org/wiki/TestDisk_Download
I'd be glad for your feedback.
Click to expand...
Click to collapse
I run the software on the image and it identify the contents and can read the encrypted and not encrypted part, that means that all the files are there, but I cannot mount in Linux or in TWRP

The fact that I cannot mount in Linux or TWRP the userdata image/partition can be that is corrupted the partition or the file index?
That would also explain why the script for Magisk provided by aIecxs is not able to copy the adb_key from the cache in the data partition.