I bought my first smart phone Samsung Gio S5660M and tried to unlock it. I tried different ways but weird things happened and I don’t know what causes the problem. I was wondering whether the unlock code would change if I did something to the phone. Now the phone is still locked and I really need and appreciate your help.
First I used the method in the link: http://forum.xda-developers.com/showthread.php?t=1204705 to root and unlock the phone but was not able to finish it. The steps that I have completed are as follows:
To root the phone:
1. Download this file http://www.mediafire.com/download.php?jzvnlbhidsd5f6l
2. Copy root_gb_gio.zip to the root of the SD card and put the card in the phone
3. Shutdown the phone.
4. Put the phone in recovery Mode (press: Home button + Power button toghether)
5. In recovery mode, choose Install Update from SD-card using Vol. up / down key and press Home key to confirm
6. Search for the root_gb_gio.zip file on the SD-card and Press home key again to run the update
7. Reboot
8. Verify in the app folder if SuperUser app is installed properly
9. Reboot
Network Unlock (using ADB Shell from PC).
1. Download and install Samsung Kies to the PC from here: http://www.samsungapps.com/about/onPc.as, also install Samsung USB Driver
2. Download and install ADB which comes with Android SDK from: http://developer.android.com/sdk/index.html
-Go to the "Available Packages" Option on the left Menu
-Click on the "Refresh" Button on the bottom Right and wait until it finish
-From Items select the "Andoid SDK platform-tools, revision 6" Item
-Click the "Install Selected" button on the botton right and wait until it finish then close the Android SDK
3. Add the correct path
-Right-click on Computer Icon (on your Desktop) and select "Properties" from the menu,
-On My PC Properties select the "Advanced Options" Tab
-Click "Advanced System Settings"
-Click "Environment Variables"
-Highlight the "Path" Variable and click the "Edit"
-At the end of the line (and path) add the path: ;C:\Program Files\Android\android-sdk\platform-tools
4. Connect the phone to the computer via the USB cable
-Click on the start button and open the "Run" option, on Run type cmd.exe and press enter. A command prompt window popped out.
-Type the next text to access the ADB Shell: cd C:\Program Files\Android\android-sdk\platform-tools
-Type: adb shell
-Now in adb shell (and executing commands on the phone itself)
-Type the next command: su
-The superuser application popped up on the PHONE SCREEN (yes take a look at the phone screen) asking to allow root privileges to the adb shell. Choose Allow root access for the ADB shell on the phone.
-Type: cd /
-Type : mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: cat /efs/mits/perso.txt
got a bunch of characters on the screen and a 8 digit number, the unlock code, which is 28572603
-Type: unmount /efs (It should umount /efs, but I typed it wrong)
5. Disconnect the USB cable from the phone
6.Turn the phone off and insert the SIM card
7. Turn on the phone
In the last step it should ask for the unlock code to unlock the phone, however, it didn’t ask for the unlock code. Instead there was a message: “Phone is SIM Corporate Locked” and there is nowhere to input any code.
When I typed “*#7465625#, the result is as follows: Network Lock [OFF], Network Subset Lock [OFF], SP Lock [OFF], CP Lock [ON]. Note that the corporate lock is on. But I could access menu with the foreign SIM card in the phone. When I tried to dial “*#7465625*638*28572603” or “#0111*28572603” with or without foreign SIM card, the message is always something like network not available (cannot recall the exact words). When I went to a FIDO kiosk for help (SIM card is from FIDO), they told me to unroot the phone so that the phone could ask for the unlock code.
I googled corporate lock/SPCK code on the Internet and there is such message: “In 1% of cases to unlock samsung SPCK code is need”, I called Samsung for help with SPCK code. The technical support in Samsung asked me to factory reset the phone by typing “*2767*3855#”. After the reset, the status of the locks were still the same as before, so is the message “Phone is SIM Corporate Locked”. Then Samsung told me that they don’t have SPCK code. I noticed that SuperUser icon was still on the menu after the factory reset.
A further search showed the unlock method of mapping image partition from: http://forum.xda-developers.com/showthread.php?t=1244695 and http://forum.xda-developers.com/showpost.php?p=17148825&postcount=334 (same method). When I went to Shell and typed “su”, not sure whether because of the factory reset or not, superuser or admin denied, so I redid the rooting by following the previous steps, but it only took a few seconds to finish it. Then the steps I followed were:
1, first, go to the command line of pc.(win xp "start->run->cmd" )
and type "cd\", now in the root of the hard drive (also tried cd \Program Files\Android\android-sdk\platform-tools)
2, second, type "adb shell".
3, after that, type "su".
4, then, type "cat /dev/bml5>/sdcard/bml5.img"
5, type twice "exit" to disconnect with gio.
6, type "adb pull /sdcard/bml5.img"
But there is an error message “remote object /sdcar/bml5.img does not exist". I just repeated the steps a few minutes ago to get a few screenshots:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
(using cd \Program Files\Android\android-sdk\platform-tools)
(using cd \)
(a different error: so I used mount command)
I think at this point (cannot recall after the following tries or at this time) that I inserted a foreign SIM card, the phone began to show message “Network Locked”, took out the foreign SIM card, typed “*#7465625#", weird enough, the result changed to: Network Lock [ON], Network Subset Lock [OFF], SP Lock [OFF], CP Lock [OFF]. Corporate lock is gone but the network lock came back. I don’t know the reason – is that because I did factory reset?
I put the foreign SIM card back to the phone, input the unlock code generated earlier “28572603”, but it was not successful. I decided to go back to the first method (ADB shell from PC) to generate the unlock code again to see whether the result code is the same. However, weird gain, this time no code at all. I reproduced the screenshot a moment ago for the result (I had to cut the screen into two half):
The third method I tried is to unlock the phone by using Android Terminal Emulator, the steps were:
- In Android Market, download and install Android Terminal Emulator
- Boot up the Android Terminal Emulator application
-Using the on-screen keyboard, type su, allowed the permission from the prompt
-Type: cd /
-Type : mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: cat /efs/mits/perso.txt
The desire result should be a bunch of characters on the screen and a 8 digit number. However, I didn’t get the desire result – it seems that the result is the same as using the first method after factory reset, here is the screenshot (it seems that the shot is incomplete, but I had a hard time to get even such an incomplete shot – the shell would exit when I tried to screenshot):
My questions are: why the same method cannot generate the same code? Is it because I did something to the phone, like factory reset? The unlock code will change because of the situation or it will always keep the same? Why I cannot see the bml5.img? Is it possible I damaged it by chance? I am also worried that now even if I buy uncode code from GSMLiberty, it would not work any more because of what I did to the phone. Is it possible so? What is my option now? (I tried the code once, so I still have another two chances to input unlock code). Is what has happened weird or there is a reason for that?
Thank you very much.
I also pulled the perso.txt file onto my PC and reviewed it in XVI32. It does not look like any of the files others mentioned (a lot of 00 or FF followed by a number). Attached here is perso.txt. Is my perso.txt corrupted? If yes, how can I recover it? Thanks.
As far as I know, you're the first person that's reported seeing a CP lock on this phone... One possibility is that this happened instead of plain old bricking when you mistyped the umount command the first time around.
Is your IMEI still intact?
Did you reboot the phone since your third attempt?
Did you by any chance keep the first perso.txt you cat'ed on your first attempt?
The suggestion below is at best a shot in the dark and could very well worsen the situation. With that out of the way...
If your IMEI is still intact, you could try booting in CWM, mounting /efs as rewritable, and upload the attached perso.txt, unmount efs and reboot. The file is simply my own perso.txt, from an unlocked 5660M, with your unlock code put in place of mine in a Unix line-ending aware editor. (Another, albeit riskier possibility would be to mount rewritable in the main OS and cat the file into place, then unmount and reboot.)
Good luck,
Darkshado
Thank you, Darkshado, for answering my questions.
Yes the IMEI is still intact. What is weird is that now CP is off and network lock is on after I don't know which operation - I thought it should be due to the factory reset, but after factory reset, the status was still CP [ON] and network lock [OFF]. The I did reroot. The phone was rebooted many times after each attempt, and I only input unlock code once so I still have another two chances.
No I didn't make a copy of the original perso.txt as I almost knew nothing when I first tried.
About unmount mistake, is it so severe if there is a typo? My thought was that mounting and unmounting just control access to the file. When we mount a file, we get access to the file. If we forget to unmount it, it leave a hole for others to access. Is my understanding right? If yes, the typo in unmount command for the first method should not be a big deal as I rebooted the phone after an probably unsuccessful unmount.
As to the perso.txt, what I guess is that the file perso.txt contains all the unlock codes and when we input unlock code from the screen, the system will compare the input code with the code in perso.txt. If they are the same, unlock succeeds, which is similar to using password when we login anywhere. Am I right?
I actually think that uploading your perso.txt mught be a solution. But before doing that, I think it is better to compare your perso.txt with another perso.txt from another phone to see whether the difference is only the unlock code. If yes, the solution will succeed. However, if the perso.txt files from different phones are quite different -like the location of the unlock code and other data that is not 00 or FF, there is a good chance that it's very risky. Do you have another perso.txt available? Or anybody in the forum has a perso.txt available to compare?
My other question is how useful is this perso.txt. If I delete it totally by chance and ask people to unlock the phone from hardware, will the system still operate normally?
I'm going to try to factory reset the phone and reroot again - My PC is in repair and I'll try after I get my PC back - to see whether perso.txt could be restored. Do you have bml5.img in your phone? I don't know why I don't have it on my phone. But from the forum, it looks like that the bml5.img is very similar to perso.txt, only 00 becomes FF or vice verse.
Thanks again for your help.
SPnewb said:
Thank you, Darkshado, for answering my questions.
Yes the IMEI is still intact. What is weird is that now CP is off and network lock is on after I don't know which operation - I thought it should be due to the factory reset, but after factory reset, the status was still CP [ON] and network lock [OFF]. The I did reroot. The phone was rebooted many times after each attempt, and I only input unlock code once so I still have another two chances.
Click to expand...
Click to collapse
That is very strange. What, if any, SIMs did you have in the phone when attempting the unlock at the different stages? Was the Fido SIM in at any time before trying to get an unlock code prompt?
As far as I know, the factory reset operation, at least when triggered from recovery, only wipes the /data and /cache partitions. Is anything done to NV items? I don't have any data to tell.
About unmount mistake, is it so severe if there is a typo? My thought was that mounting and unmounting just control access to the file. When we mount a file, we get access to the file. If we forget to unmount it, it leave a hole for others to access. Is my understanding right? If yes, the typo in unmount command for the first method should not be a big deal as I rebooted the phone after an probably unsuccessful unmount.
As to the perso.txt, what I guess is that the file perso.txt contains all the unlock codes and when we input unlock code from the screen, the system will compare the input code with the code in perso.txt. If they are the same, unlock succeeds, which is similar to using password when we login anywhere. Am I right?
Click to expand...
Click to collapse
Your understanding about mounting and unmounting is correct, but I am not certain that perso.txt is actually used by the phone to check the unlock code. It may also be written there for some other reasons...
The problem with our phones is that corruption has occurred by merely reading the stl5 partition the wrong way.
I actually think that uploading your perso.txt mught be a solution. But before doing that, I think it is better to compare your perso.txt with another perso.txt from another phone to see whether the difference is only the unlock code. If yes, the solution will succeed. However, if the perso.txt files from different phones are quite different -like the location of the unlock code and other data that is not 00 or FF, there is a good chance that it's very risky. Do you have another perso.txt available? Or anybody in the forum has a perso.txt available to compare?
My other question is how useful is this perso.txt. If I delete it totally by chance and ask people to unlock the phone from hardware, will the system still operate normally?
Click to expand...
Click to collapse
The idea of comparing some perso.txt files is good, but so far all the perso.txt files I've seen uploaded came from the Euro/Asia 5660 Gio, so we'd need files from a 5660M. They did look almost identical to mine though, with essentially a Bell network identifier at the beginning that wasn't present at all in theirs. One person with a 5660 also posted a before/after set, and the file does change a little after the unlock.
I've been reluctant to try too many things on my EFS partition, like deleting perso.txt to see how the phone reacts, for fear of bricking it.
I'm going to try to factory reset the phone and reroot again - My PC is in repair and I'll try after I get my PC back - to see whether perso.txt could be restored. Do you have bml5.img in your phone? I don't know why I don't have it on my phone. But from the forum, it looks like that the bml5.img is very similar to perso.txt, only 00 becomes FF or vice verse.
Thanks again for your help.
Click to expand...
Click to collapse
There are two "levels" you can access the partitions on the phone. stl is a higher level access, with which you can get correct RFS partitions for instance, while bml is a lower, block-level access. perso.txt is simply a file contained in stl5, also known as the /efs partition. You can read its contents in a round-about way via bml, but you wouldn't want to flash an /efs, /system/ or /data partition through bml.
Unlike reading stl5, reading bml5 has not caused anyone bricking so far. bml5 is sufficient to get the unlock code as well.
Good luck,
Darkshado
Hi Darkshado,
Thank you very much for your help.
Darkshado said:
That is very strange. What, if any, SIMs did you have in the phone when attempting the unlock at the different stages? Was the Fido SIM in at any time before trying to get an unlock code prompt?
Click to expand...
Click to collapse
The phone was locked to Bell, and my SIM card is from FIDO. I also got a Rogers SIM card for testing. When I rooted and generated teh code, I didn't have any SIM card in the phone. When I inserted Fido card after teh first attempt, I got the message " Phone is SIM Coperated locked" [i.e. when CP lock is On and other locks OFF], but I could still use the other functions of the phone. When the CP lock is OFF and Network lock is ON, I could not use the phoen at all because teh screen asked to input unlock code. If no input orcode is wrong, I cannot use the phone at all. Without SIM card, I could still use other functions of the phone.
As far as I know, the factory reset operation, at least when triggered from recovery, only wipes the /data and /cache partitions. Is anything done to NV items? I don't have any data to tell.
Click to expand...
Click to collapse
What is NV items? Can you tell me how I can tell where to see NV items?
Your understanding about mounting and unmounting is correct, but I am not certain that perso.txt is actually used by the phone to check the unlock code. It may also be written there for some other reasons...
Click to expand...
Click to collapse
I was wondering whether the perso.txt is like config file?
The problem with our phones is that corruption has occurred by merely reading the stl5 partition the wrong way.
Click to expand...
Click to collapse
perso.txt is simply a file contained in stl5, also known as the /efs partition. You can read its contents in a round-about way via bml, but you wouldn't want to flash an /efs, /system/ or /data partition through bml.
Click to expand...
Click to collapse
I cannot think of where I read the partition wriong other than I might hav etyped the wrong unmount for the first time followed by a reboot. I actually thinking of falshing the phone, but for the moment I have not read anything about flash yet and have no idea where to find the proper version of files to falsh.
When I pull the perso.txt to PC, I seemed to use the following method (my PC is still in repair so I cannot verify ):
-Type: adb shell
-Now in adb shell
-Type: su
- allow root privileges to the adb shell.
-Type : mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: exit twice to exit shell
-Type: adb pull /efs/mits/perso.txt
-Type: adb shell (to go back to shell)
-Type: umount
Is there any risk with this method?
About perso.txt,
One person with a 5660 also posted a before/after set, and the file does change a little after the unlock.
Click to expand...
Click to collapse
I will try to see whether I could get some perso.txt files from anotehr forum (redflagdeals). Can you tell me where I can find the before/after set?
Thank you again very much.
Cathy
Hello Cathy,
One big piece of advice I can give you is to try and have a basic understanding of whatever command it is you're typing in an ADB shell.
The "cat" command can take one or many standard inputs (we'll stick to files for now) and output them to a standard output; in our case, the screen or another file.
Its one way of copying a file, or simply seeing its contents depending on where you send it.
With multiple files in the input, you're concatenating them before they get output.
I would not try the method in your last post AT ALL. You already have your code, and I see no reason why your current perso.txt would be of any use. It is a configuration file, it has to do with the various locks, but I wouldn't be able to tell you more. The way yours has been "corrupted" (I'm employing the term loosely here) may be the reason you've seen that CP lock appear. It may also have altered your Network unlock code in unforeseen ways.
I don't remember anyone trying to directly adb pull perso.txt from the /efs partition off a live phone. Do this at your own risk.
The problems we've seen occur are in all likelyhood due to interference between the modem firmware and the higher-level Android OS. That's why even normally "harmless" read commands have caused problems.
The dd command, as well as leaving /efs mounted on normal mode phone shutdown are constants in multiple bricking cases on the Gio and other similar Samsung phones like the Galaxy Ace and Mini.
The lower-level bml5 partition has been deemed safe to read with the dd command so far, even from a live phone.
Completely disable the modem firmware, like in recovery mode, and you can access, and even edit, the /efs partition in a relatively safe manner.
Something interesting happened as I began writing this: I don't know how or when this happened, but I somehow had relocked my phone to Bell!
I decided to try the lock status code you posted above and saw "Network Lock: ON" Slipping another SIM (an unactivated Koodo one) in my Gio prompted for the unlock code, which I typed and got a network unlocked message.
I took another look at the perso.txt file I had modified for you and recognized a number near the beginning: 302610 that's the Bell MNC! I rebooted in recovery, mounted /efs and adb pulled perso.txt again (safe because I was in recovery mode). The file has the exact same length, and a few differences visible in Winmerge or a hex editor of your choosing.
I turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell.
You also asked about NV items: they're phone settings common to all Qualcomm cellular modem based cellphones. GSM and WCDMA antenna power and gain settings, factory test mode, IMEI, there are thousands.
In the case of the Gio, some are accessible off the EFS (stl5) partition in the /nvm/num/ directory. Others, like the IMEI unfortunately, are stored elsewhere in the phone, I don't know where. We can read all the settings by using two leaked Samsung programs, named QPST and QXDM respectively. We can edit some of them, but unless you know exactly what you're doing, this is an easy way to completely mess up a phone.
One last silly question: did you have a MicroSD memory card in the phone when you tried cat'ing bml5 to /sdcard on your second attempt?
Okay. I think there is a way to solve your unusual lock problems, try the following steps:
Get Odin here
Get the latest Odin-flashable Gio ClockworkMod-based recovery available on XDA.
Download the perso_Cathy.txt attached below.
Flash the CWM-based recovery to your phone.
Reboot in recovery mode and connect the phone to your computer.
In Windows Explorer, go to the directory you've saved perso_Cathy.txt, and shift+right-click on the directory. Open command line from here. (Otherwise, open a command line window and cd to that directory.)
adb shell (notice your shell is already # aka root)
mount -o nosuid,rw,nodev -t vfat /dev/block/stl5 /efs (notice we're mounting rewritable this time)
exit (this will take you back to the regular command line)
adb push perso_Cathy.txt /efs/mits/perso.txt (so we're pushing and renaming at the same time)
adb shell umount /efs (I doubt this is *really* necessary, but better safe than sorry. You can send single commands to the shell this way)
adb reboot
The phone should already be unlocked on reboot.
Good luck,
Darkshado
Hi Darkshado,
Thank you for your quick response.
Darkshado said:
One big piece of advice I can give you is to try and have a basic understanding of whatever command it is you're typing in an ADB shell.
Click to expand...
Click to collapse
That's good advice If I read the whole thread of unlocking first before I began unlocking, there might not have been problems. I began to unlock after reading a few postings. I used Linux long time ago, but obviously I could not recall anything now.
I would not try the method in your last post AT ALL. You already have your code, and I see no reason why your current perso.txt would be of any use. It is a configuration file, it has to do with the various locks, but I wouldn't be able to tell you more. The way yours has been "corrupted" (I'm employing the term loosely here) may be the reason you've seen that CP lock appear. It may also have altered your Network unlock code in unforeseen ways.
Click to expand...
Click to collapse
The code I had was got before the corrupted perso.txt. I had a strong feeling that the input unlock code will be compared with the code in perso.txt for unlocking, Otherwise if perso.txt is not useful any more, why when I input the initially generated unlock code, the unlocking is not successful. The CP lock is now OFF after the perso.txt is corrupted, though it is hard to judge whether CP is ON or not before perso.txt is corrupted because I got the unlock first then I saw CP was ON.
I don't remember anyone trying to directly adb pull perso.txt from the /efs partition off a live phone. Do this at your own risk.
Click to expand...
Click to collapse
Can you tell me what command you use to get perso.txt? From the info below it seems that you use the same or similar commands, but in the recovery mode instead of the normal mode, is it right?
I turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell.
Click to expand...
Click to collapse
By editing perso.txt only?
One last silly question: did you have a MicroSD memory card in the phone when you tried cat'ing bml5 to /sdcard on your second attempt?
Click to expand...
Click to collapse
Yes, since I inserted the MicroSD card into the phone for rooting, I never took it out. But I can hardly imagine this will cause any problem.
I think there is a way to solve your unusual lock problems, try the following steps:
Get Odin here
Get Ingmar Steen's latest Gio ClockworkMod-based recovery here
Download the perso_Cathy.txt attached below.
Flash the CWM-based recovery to your phone.
Reboot in recovery mode and connect the phone to your computer.
In Windows Explorer, go to the directory you've saved perso_Cathy.txt, and shift+right-click on the directory. Open command line from here. (Otherwise, open a command line window and cd to that directory.)
adb shell (notice your shell is already # aka root)
mount -o nosuid,rw,nodev -t vfat /dev/block/stl5 /efs (notice we're mounting rewritable this time)
exit (this will take you back to the regular command line)
adb push perso_Cathy.txt /efs/mits/perso.txt (so we're pushing and renaming at the same time)
adb shell umount /efs (I doubt this is *really* necessary, but better safe than sorry. You can send single commands to the shell this way)
adb reboot
Click to expand...
Click to collapse
After a second thought, I decided not to flash the memory since I have little knowledge about it and the tools you mentioned here. As you suggest, I should know enough before doing it. So now, I was wondering whether it will solve the problem by just push the file perso_Cathy.txt in your above message to /efs/mits/perso.txt in recovery mode. What do you think? Another quesion is that I wish to back up all the files in the operating system before any more action. Can you tell me how to back up?
My PC is back but now I cannot even install androit SDK on the computer, so I have to bring it back for repair. So the next few days I probably would not be able to try anything, but once I try, I'll let you know the rsult.
Thank you very much.
Cathy
SPnewb said:
I had a strong feeling that the input unlock code will be compared with the code in perso.txt for unlocking
Click to expand...
Click to collapse
It most definitely is compared. From what I can tell, perso.txt contains all the SIM-lock information, status and codes.
Can you tell me what command you use to get perso.txt? From the info below it seems that you use the same or similar commands, but in the recovery mode instead of the normal mode, is it right?
Click to expand...
Click to collapse
Exactly. Recovery mode is what makes the whole thing safe. You need a rooted recovery to do it though.
There are two ways to get the actual perso.txt file off the phone: adb pull (directly or by cat'ing the file to the sd card beforehand) or dd'ing the stl5 partition and extracting perso.txt from it.
By editing perso.txt only?
Click to expand...
Click to collapse
Yes.
After a second thought, I decided not to flash the memory since I have little knowledge about it and the tools you mentioned here. As you suggest, I should know enough before doing it. So now, I was wondering whether it will solve the problem by just push the file perso_Cathy.txt in your above message to /efs/mits/perso.txt in recovery mode. What do you think?
Click to expand...
Click to collapse
I'm pretty confident it will solve the problem, otherwise I would not have gone to the trouble of writing these instructions and uploading the file for you.
Another quesion is that I wish to back up all the files in the operating system before any more action. Can you tell me how to back up?
Click to expand...
Click to collapse
Look here.
My PC is back but now I cannot even install androit SDK on the computer, so I have to bring it back for repair. So the next few days I probably would not be able to try anything, but once I try, I'll let you know the rsult.
Click to expand...
Click to collapse
What does the ADK installer say? If its complaining about not finding the JDK when you've already installed it, just it Back, and then Next. It will detect at that time and proceed with the installation. It's a known bug. Also, stick to JDK version 6 for the time being. Version 7 is so recent there might be some incompatibilities...
Thank you very much.
Click to expand...
Click to collapse
You're welcome.
Goodbye,
Darkshado
The phone is bricked now. What I did is: hole the HOme key while pressing the power key, the phone asked me whether to "reboot the system now" or "update from /sdcard" or "wipe /data XXX factory reset" (sth like factory reset) or "wipe /cach", I chose "reboot the system now". after that , connect the phone to the system. What I did in PC is catured in teh following image:
After that, when rebooting the phone, the phone began to falsh "samsung" and it cannot be shut down any more.
It seems that using other people's perso.txt does not work. One reason may be that, as you said, "perso.txt contains all the SIM-lock information, status and codes", other than unlock code, it might also read each individual phone's information, since that hte perso.txt is not mine, the phone cannot find the proper information, which causes phone to do indefinite loop. If that is the case, instead of uploading a new perso.txt, editing my own (even the corrupted) perso.txt and changing the corresponding location into the unlock code might work, as the phoen could start up before. Another reason may be that by editing the perso.txt, the system might detect the action for example like using CRC, and if only perso.txt is edited, system detected inconsistency and will go into indefinite loop. If I were the developer and I am aware that perople crack the phone, I might using another file or check code to protect. In this case, "I turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell." might not work.
I guess that now even hardware unlock will not work, becaue when the phone start, it will read "perso.txt" and cannot find the right information. The only solution is push my original corrupted perso.txt back to the phone, but the question is how? Can you advise me what I should do now? SInce the phone does not start up at all, can I still flash the memory using Odin?
Thank you very much.
Cathy
Crap. I'm afraid that if your phone is now bootlooping with no access to recovery mode there is little to be done but to get it serviced or replaced.
No one has been able to flash EFS with Odin yet on our phones.
Also, your image attachment explaining what you attempted exactly is missing...
Look at the perso.txt files in a hex editor, there's no CRC or MD5 like thing anywhere in there. Of course it could be placed elsewhere, but it would be a first to have a booby-trapped phone OS...
I'll try locking my phone to another network within the next week for the heck of it.
Goodbye,
Darkshado
It's the format of the image. I changed to a different image format. You should be able to view the image in the first page now. Anyway, I posted it here again:
I'll try locking my phone to another network within the next week for the heck of it.
Click to expand...
Click to collapse
Let me know the result.
Thanks.
Cathy
SPnewb said:
Anyway, I posted it here again:
Click to expand...
Click to collapse
Please tell me: in what mode were you booted when you did the above?
Recovery?
Was the text blue or orange?
It's not normal that you had to use su. Otherwise your commands were correct starting with mount -o remount rw /
Darkshado said:
Please tell me: in what mode were you booted when you did the above?
Recovery?
Was the text blue or orange?
It's not normal that you had to use su. Otherwise your commands were correct starting with mount -o remount rw /
Click to expand...
Click to collapse
I thought that I booted in recovery mode since when I turned on the phone, I held Home key then press the power key, but when the phone start up there were only 4 or 5 choices in the recovery menu and except the one "reboot the system now", there were no other choices about reboot. I suspected that to choose "reboot the system now" will cause startup in normal mode. How do you start up the phone in recover mode?
I cannot recall teh color of the text, but I never see any orange text since I had the phone.
Thank you very much for your help. I'm going to get another Gio to unlock.
This script creates backup of partitions related to IMEI number. If you have not unlocked your boot-loader then you do not have to worry, you're safe. But read this in case you root someday!
DISCLAIMER:
I am not responsible for any damage caused to your device in any manner, you should be careful while doing anything. Before you proceed please read everything.
DESCRIPTION
The IMEI number is like an identifier to your cellphone for network operators. The phones will not be able to communicate in case IMEI is lost. The IMEI number is generally stored in PDS partition of the EMMC but the Moto g is an exception, there is no physical EFS partition so NV-Items are inaccessible for manipulation which means backing up PDS partition only will not make any sense.
The EFS is created on the fly: the modem reads HOB and DHOB partitions and after manipulations it creates a EFS file-system which is isolated from rest of the system. The modem finds the baseband, MEID, IMEI etc. and reports it to the OS.
The DHOB partition is encrypted and the key used is a PBKFD2 derived key for which the details like passkey, salt and iterations are unknown. HOB partition is XML-formatted and contains encrypted base64 text items. The secret is yet to be discovered.
Reference
http://forum.xda-developers.com/moto-g/help/info-moto-g-imei0-t2925970/post62064474#post62064474
http://forum.xda-developers.com/showthread.php?t=2640677
What does the script do?
This script simply creates the dumps of HOB, DHOB, FSC and PDS partition.
REQUIREMENTS:
A rooted phone is bare minimum and rest depends upon the method you choose. Download the archive one is for Linux and other is for Windows.
Choose any one.
FROM PHONE:-
1. Download and install any “Terminal Emulator” application from App store.
2. Type su and press enter to have superuser privileges.
3. Run these commands one-by-one.
HTML:
su
mkdir /sdcard0/imei_backup
dd if=/dev/block/platform/msm_sdcc.1/by-name/hob" of=/sdcard0/imei_backup/hob.img
dd if=/dev/block/platform/msm_sdcc.1/by-name/dhob" of=/sdcard0/imei_backup/dhob.img
dd if=/dev/block/platform/msm_sdcc.1/by-name/fsc" of=/sdcard0/imei_backup/fsc.img
dd if=/dev/block/platform/msm_sdcc.1/by-name/pds" of=/sdcard0/imei_backup/pds.img
4. Copy imei_backup from the top folder of internal storage or SD-card.
FROM PC:-
1. Enable ROOT for both apps and adb from developer options.
2. Open cmd or terminal hange current location to folder imei_linux or imei_windows extracted from archive.
3. Run the below commands from cmd or terminal.
Windows
Make sure you have Motorola drivers installed (Motorola device manager).
HTML:
imei_backup.bat
Linux
Superuser privileges are necessary.
HTML:
sudo bash imei_backup.sh
or
su -C 'bash imei_backup.sh'
4. Once finished save imei_backup folder to someplace safe. The folder sits in the same folder the commands are run and in phone's internal storage or SD card.
FOR RESTORATION
1. Copy imei_backup folder to /sdcard (both internal or SD-Card in case you are not sure)
2. Open terminal emulator on phone and run these commands, all of them do not miss any. Run all of them twice to be sure.
HTML:
dd if=/sdcard0/imei_backup/hob.img of=/dev/block/platform/msm_sdcc.1/by-name/hob"
dd if=/sdcard0/imei_backup/dhob.img of=/dev/block/platform/msm_sdcc.1/by-name/dhob"
dd if=/sdcard0/imei_backup/fsc.img of=/dev/block/platform/msm_sdcc.1/by-name/fsc"
dd if=/sdcard0/imei_backup/pds.img of=/dev/block/platform/msm_sdcc.1/by-name/pds"
4. Reboot your phone.
How to keep IMEI safe:
1. Do not use incompatible Roms or firmware.
2. Never run these commands.
Don't even try, I have screwed my phone already. Misspelled for safety.
HTML:
Fast-boot erasee all (Don't)
Fast-boot erasee recovery (Don't)
Fast-boot erasee HOB (Don't)
Fast-boot erasee DHOB (Don't)[/COLOR]
Fast-boot erasee earth (Please Don't)
Run any of these commands and your phone turn into a tablet forever.
3. Create backup of the partitions i mentioned using one of the methods.
FAQS:-
Does it work on Dual-Sim or CDMA ?
Yes, it works. It just creates partition dumps, nothing more nothing less. It should work on Moto G (1st and 2nd gen) all variants and Moto E (1st and 2nd).
Is it safe to share my imei_backup folder if anyone asks?
Yes, the content is encrypted and there is no chance of manipulation of IMEI, the NV-ITEMS are written after verification. No two phones can have same IMEI. If it was possible then I wouldn't be so mad or worried or you would not be reading this. The best he could achieve is base-band change and signal but IMEI stays zero. No Cheating!
I have PDS partition backup, why should I care about this?
The PDS partition alone is no good for recovery, there are other partitions which help phone get a working cellular and valid IMEI number, those partition are HOB and DHOB. You can create backup through terminal emulator.
Why should I believe you?
I am a victim and did research on this for like 30 days. I do have a clear idea of what the problem really is. Please refer to mentioned threads for more information.
I have lost my IMEI because of “fast-boot erase all” command, can I get my IMEI back?
Sorry! But there is no working solution at the moment. All you can do right now is either buy a new motherboard or a spare phone to do work. The cure has not been found till now and hopes are really low unless some guy with good cryptography knowledge comes to rescue. So far i only know the problem
Very useful, thanks. Just want to add my experience - actually I did run "fast-boot erasee recovery" once in the past and did lost IMEI, but it was possible to recover it in an easy way. But those other commands seem to be really catastrophic indeed (though I haven´t tried them )
Here´s the original story: http://forum.xda-developers.com/showthread.php?p=52648789
drfr said:
Very useful, thanks. Just want to add my experience - actually I did run "fast-boot erasee recovery" once in the past and did lost IMEI, but it was possible to recover it in an easy way. But those other commands seem to be really catastrophic indeed (though I haven´t tried them )
Here´s the original story: http://forum.xda-developers.com/showthread.php?p=52648789
Click to expand...
Click to collapse
It is always better to be safe than sorry. The thing is if you lose hob and dhob partitions, you are doomed. I am glad to know that your phone is intact.
Script works well - thanks for this.
Well I'm here to ask something related to the problems issued in this thread.
I got a XT1032 with IMEI fully written but, for some reasons I still don't know, the damn phone does not "read" the signal. The bars just stay empty and nothing, not even a full original firmware restore, seems to help.
Now I wonder if the problem is in a non-working modem partition, but I'd see that problem solved when I fully flashed the stock FW.
Is there any solution? I also tried to flash all the european (I'm italian) basebands known to mankind and nothing happens.
Dionysus2389 said:
Well I'm here to ask something related to the problems issued in this thread.
I got a XT1032 with IMEI fully written but, for some reasons I still don't know, the damn phone does not "read" the signal. The bars just stay empty and nothing, not even a full original firmware restore, seems to help.
Now I wonder if the problem is in a non-working modem partition, but I'd see that problem solved when I fully flashed the stock FW.
Is there any solution? I also tried to flash all the european (I'm italian) basebands known to mankind and nothing happens.
Click to expand...
Click to collapse
When you dial *#06# do you see your IMEI number?
PuLKit4xd said:
When you dial *#06# do you see your IMEI number?
Click to expand...
Click to collapse
Yep, the IMEI is there as it is in the phone info. That's why I can't figure out what the heck is wrong with it. I also tried to flash any baseband and still no signal.
Dionysus2389 said:
Well I'm here to ask something related to the problems issued in this thread.
I got a XT1032 with IMEI fully written but, for some reasons I still don't know, the damn phone does not "read" the signal. The bars just stay empty and nothing, not even a full original firmware restore, seems to help.
Now I wonder if the problem is in a non-working modem partition, but I'd see that problem solved when I fully flashed the stock FW.
Is there any solution? I also tried to flash all the european (I'm italian) basebands known to mankind and nothing happens.
Click to expand...
Click to collapse
PuLKit4xd said:
When you dial *#06# do you see your IMEI number?
Click to expand...
Click to collapse
Dionysus2389 said:
Yep, the IMEI is there as it is in the phone info. That's why I can't figure out what the heck is wrong with it. I also tried to flash any baseband and still no signal.
Click to expand...
Click to collapse
Aaaaan then I managed to fix everything. Simply, kitkat european firmwares have some issues with basebands, so I wipe everything and flash via mfastboot the 5.0.2 brazillian stock firmware. Everything is flawless now!
Hi all, thanks for this huge piece of info, very usefull, but i need from you if you have the backup of the files for XT1540 (moto g3 4g).
Cheers
PuLKit4xd said:
This script creates backup of partitions related to IMEI number. If you have not unlocked your boot-loader then you do not have to worry, you're safe. But read this in case you root someday!
DISCLAIMER:
I am not responsible for any damage caused to your device in any manner, you should be careful while doing anything. Before you proceed please read everything.
DESCRIPTION
The IMEI number is like an identifier to your cellphone for network operators. The phones will not be able to communicate in case IMEI is lost. The IMEI number is generally stored in PDS partition of the EMMC but the Moto g is an exception, there is no physical EFS partition so NV-Items are inaccessible for manipulation which means backing up PDS partition only will not make any sense.
The EFS is created on the fly: the modem reads HOB and DHOB partitions and after manipulations it creates a EFS file-system which is isolated from rest of the system. The modem finds the baseband, MEID, IMEI etc. and reports it to the OS.
The DHOB partition is encrypted and the key used is a PBKFD2 derived key for which the details like passkey, salt and iterations are unknown. HOB partition is XML-formatted and contains encrypted base64 text items. The secret is yet to be discovered.
Reference
http://forum.xda-developers.com/moto-g/help/info-moto-g-imei0-t2925970/post62064474#post62064474
http://forum.xda-developers.com/showthread.php?t=2640677
What does the script do?
This script simply creates the dumps of HOB, DHOB, FSC and PDS partition.
REQUIREMENTS:
A rooted phone is bare minimum and rest depends upon the method you choose. Download the archive one is for Linux and other is for Windows.
Choose any one.
FROM PHONE:-
1. Download and install any “Terminal Emulator” application from App store.
2. Type su and press enter to have superuser privileges.
3. Run these commands one-by-one.
HTML:
su
mkdir /sdcard0/imei_backup
dd if=/dev/block/platform/msm_sdcc.1/by-name/hob" of=/sdcard0/imei_backup/hob.img
dd if=/dev/block/platform/msm_sdcc.1/by-name/dhob" of=/sdcard0/imei_backup/dhob.img
dd if=/dev/block/platform/msm_sdcc.1/by-name/fsc" of=/sdcard0/imei_backup/fsc.img
dd if=/dev/block/platform/msm_sdcc.1/by-name/pds" of=/sdcard0/imei_backup/pds.img
4. Copy imei_backup from the top folder of internal storage or SD-card.
FROM PC:-
1. Enable ROOT for both apps and adb from developer options.
2. Open cmd or terminal hange current location to folder imei_linux or imei_windows extracted from archive.
3. Run the below commands from cmd or terminal.
Windows
Make sure you have Motorola drivers installed (Motorola device manager).
HTML:
imei_backup.bat
Linux
Superuser privileges are necessary.
HTML:
sudo bash imei_backup.sh
or
su -C 'bash imei_backup.sh'
4. Once finished save imei_backup folder to someplace safe. The folder sits in the same folder the commands are run and in phone's internal storage or SD card.
FOR RESTORATION
1. Copy imei_backup folder to /sdcard (both internal or SD-Card in case you are not sure)
2. Open terminal emulator on phone and run these commands, all of them do not miss any. Run all of them twice to be sure.
HTML:
dd if=/sdcard0/imei_backup/hob.img of=/dev/block/platform/msm_sdcc.1/by-name/hob"
dd if=/sdcard0/imei_backup/dhob.img of=/dev/block/platform/msm_sdcc.1/by-name/dhob"
dd if=/sdcard0/imei_backup/fsc.img of=/dev/block/platform/msm_sdcc.1/by-name/fsc"
dd if=/sdcard0/imei_backup/pds.img of=/dev/block/platform/msm_sdcc.1/by-name/pds"
4. Reboot your phone.
How to keep IMEI safe:
1. Do not use incompatible Roms or firmware.
2. Never run these commands.
Don't even try, I have screwed my phone already. Misspelled for safety.
HTML:
Fast-boot erasee all (Don't)
Fast-boot erasee recovery (Don't)
Fast-boot erasee HOB (Don't)
Fast-boot erasee DHOB (Don't)[/COLOR]
Fast-boot erasee earth (Please Don't)
Run any of these commands and your phone turn into a tablet forever.
3. Create backup of the partitions i mentioned using one of the methods.
FAQS:-
Does it work on Dual-Sim or CDMA ?
Yes, it works. It just creates partition dumps, nothing more nothing less. It should work on Moto G (1st and 2nd gen) all variants and Moto E (1st and 2nd).
Is it safe to share my imei_backup folder if anyone asks?
Yes, the content is encrypted and there is no chance of manipulation of IMEI, the NV-ITEMS are written after verification. No two phones can have same IMEI. If it was possible then I wouldn't be so mad or worried or you would not be reading this. The best he could achieve is base-band change and signal but IMEI stays zero. No Cheating!
I have PDS partition backup, why should I care about this?
The PDS partition alone is no good for recovery, there are other partitions which help phone get a working cellular and valid IMEI number, those partition are HOB and DHOB. You can create backup through terminal emulator.
Why should I believe you?
I am a victim and did research on this for like 30 days. I do have a clear idea of what the problem really is. Please refer to mentioned threads for more information.
I have lost my IMEI because of “fast-boot erase all” command, can I get my IMEI back?
Sorry! But there is no working solution at the moment. All you can do right now is either buy a new motherboard or a spare phone to do work. The cure has not been found till now and hopes are really low unless some guy with good cryptography knowledge comes to rescue. So far i only know the problem
Click to expand...
Click to collapse
Need help!!
It does not work for me. whenever any command with /sdcard is written, it replies "/sdcard/hob.img :File or directory not found."
Please help.
Thanks in advance : )
After an Update of Two magisk modules, my Ulefone Armor 11 5G staied stucked on boot logo, I can only enter in recovery or fastboot.
I try to build a TWRP, but it is not able to mount userdata.
I was able to download with the help of mtkclient all the partition on my phone, even userdata , it took 7 hours.
I wanted to load the image in linux but using mount disk imag or using the command sudo mount -o loop userdata.img ~/Armor_11_5G doesn't do anything not even an error message.
I'm wondering if the filesystem was corrupted during the update.
Is it possible to repair the fylesystem like in Windows?
Thanks
did you previously disable encryption and factory reset long time before the modules updates failed?
what do you mean mount doesn't do anything not even an error message? either it give error message or it succeed.
I didn't disable encryption before updating the modules, I already updated this modules many times.
what do you mean mount doesn't do anything not even an error message? either it give error message or it succeed.
Click to expand...
Click to collapse
That is the problem, it doesn't succed and I don't have an error message. The file is 256 Gbyte big, I don't know if it plays a role. I'm using Ubuntu 22
if phone is encrypted that's just 256G garbage. post the output of
Code:
$ parted <file> unit B print
Here are the results of parted
Code:
Error: /home/*****/Public/userdata.bin.img: unrecognised disk label
Model: (file)
Disk /home/osboxes/Public/userdata.bin.img: 249208733696B
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:
Thanks
You may try https://www.cgsecurity.org/wiki/TestDisk_Download
I'd be glad for your feedback.
sorry thought it's whole disk, but it's only 232G file therefore parted won't print partition table
does apply to FDE only
assuming this file is dump of single userdata partition, open with HxD editor. if the partition image is not encrypted, you will see lot zeros within first 1024 bytes.
in that case you can check for file system type is ext4 or f2fs.
Code:
$ xxd -l 1080 dump.img | grep 53ef
$ xxd -l 1024 dump.img | grep 1020.f5f2
But most likely the userdata partition is encrypted, therefore no way to recover data offline.
The easiest way not to load Magisk modules is, not to load Magisk. Flashing stock boot.img will solve it.
Beware, in case you disabled encryption beforehand, booting stock boot.img will force encryption. This may take long time without notice.
I never disabled encryption, I don't know if Magisk do it without informing. I used this phone for an year without a problem.
After the update I left the phone on for one night but nothing happens. I tried to reflash the stock boot image, and again a whole night wait, but again nothing happens.
Reading the fstab the file system should be ext4.
The file is the dump of the whole userdata partition of my Ulefone Armor 11 5G.
I did a backup of the whole system before doing any experiment so if the partition table is corrupted maybe if I reflash back the userdata partition with a working partition table I have again access to the datas.
there is no partition table in userdata partition, I just gave you wrong advise. because the phones total storage is 256G, I made wrong assumptions (you can view partition table from file pgpt.bin)
full 1:1 backup is impossible for FBE encryption because encryption keys are stored in TEE. once you factory reset device backup of userdata + metadata becomes useless.
fstab doesn't tell you what file you just have dumped. if you can't find ext4 super magic (#7) it's impossible to loop mount that file (and impossible to decrypt on linux PC)
if you can't fix boot-loop by stock boot.img then it's unrelated to magisk modules. you can however enable adb in default.prop and capture adb logcat during boot-loop for further analysis. you could also inject own script that deletes some files (only DE encrypted files, CE encrypted files requires lock screen credentials aka pin/pattern)
boot this TWRP and get log from adb
Code:
$ fastboot boot recovery.img
$ adb shell twrp decrypt '1234'
$ adb pull /tmp/recovery.log
https://twrp.me/faq/openrecoveryscript.html
full 1:1 backup is impossible for FBE encryption because encryption keys are stored in TEE. once you factory reset device backup of userdata + metadata becomes useless.
Click to expand...
Click to collapse
With mtk client I was able to do the backup of tee1 and tee2 and also of gpt_backup and gpt_main.
$ xxd -l 1080 dump.img | grep 53ef
$ xxd -l 1024 dump.img | grep 1020.f5f2
Click to expand...
Click to collapse
Doesn't produce any results.
I have immediately the command prompt.
you can however enable adb in default.prop
Click to expand...
Click to collapse
How can I do that? Which value should I change in default.prop?
so your "backup" is encrypted. please note Trustonic Kinibi is TEE OS running in secure memory one can't access or backup with mtkclient. the tee partitions in phone storage do not contain any encryption key (none of the partitions does, secure memory is not even a partition). the only crypto related partition is metadata used for keydirectory of metadata encryption (on top of FBE encryption) but it is useless for backup purposes.
yes you can modify default.prop in boot.img, ro.secure=0 should give root access.
https://forum.xda-developers.com/t/...hone-with-broken-screen.2965462/post-85905033
Code:
ro.secure=0
ro.debuggable=1
persist.service.adb.enable=1
in case the default.prop modification is not sufficient, you need additional command to be executed as root.
Code:
# settings put global adb_enabled 1
as you installed magisk, you could use magisk overlay.d/sbin/ for running startup script.
https://forum.xda-developers.com/t/...ithout-losing-your-data.4383255/post-86934375
aIecxs said:
boot this TWRP and get log from adb
Code:
$ fastboot boot recovery.img
$ adb shell twrp decrypt '1234'
$ adb pull /tmp/recovery.log
https://twrp.me/faq/openrecoveryscript.html
Click to expand...
Click to collapse
How about this TWRP? it should be able to decrypt userdata. if decryption failed, provide recovery.log
Until tomorrow I cannot do a logcat and I cannot find my view logcat on my laptop.
I unpacked boot.img with Carliv Image Kitchen and there is no default.prop, that is present in the recovery as prop.default.
Is there a way to backup secure memory of Trustonic?
How about this TWRP? it should be able to decrypt userdata. if decryption failed, provide recovery.log
Click to expand...
Click to collapse
I already tried that version but it cannot decrypt, that' why I'm trying to build my own version of TWRp with the help of the creator of that version of TWRP, but I'm stucked.
oh, you know how to build TWRP with proper FBE + metadata encryption support? have a look at other Oppo devices how they did... good luck.
regarding default.prop in boot.img (it's a symlink to system unfortunately) you can do it the other way
use magisk overlay.d/sbin/
create a boot script that does the thing with resetprop -n <prop_name> <prop_value>
don't use outdated Carliv Image Kitchen! use osm0sis AIK from link above.
oh, you know how to build TWRP with proper FBE + metadata encryption support? have a look at other Oppo devices how they did... good luck.
Click to expand...
Click to collapse
I'm learning.
I try to integrate the decryption service following the suggestion of ADeadTrouser on Github, but the service doesn't want to start and I don't understand why.
I never checked Oppo, I will take a look at them also, thanks for the suggestion.
I think I figured out now the adb logcat at least. hope that helps
https://forum.xda-developers.com/t/accessing-my-phone-with-a-dead-screen.4542763/post-88016019
I tried your script butr nothing happens, the telephone is not listed when I type
Code:
adb devices
and if I type
Code:
adb logcat
I receive the message waiting for device
you might follow the thread
wenyendev said:
You may try https://www.cgsecurity.org/wiki/TestDisk_Download
I'd be glad for your feedback.
Click to expand...
Click to collapse
I run the software on the image and it identify the contents and can read the encrypted and not encrypted part, that means that all the files are there, but I cannot mount in Linux or in TWRP
The fact that I cannot mount in Linux or TWRP the userdata image/partition can be that is corrupted the partition or the file index?
That would also explain why the script for Magisk provided by aIecxs is not able to copy the adb_key from the cache in the data partition.