[UNBRICK] BQ Aquaris M8 (aquaris_m8) with amonet - Android General

This guide is only for the BQ Aquaris M8 codenamed "aquaris_m8/karin" with mt8163.
NO, this WILL NOT WORK ON ANY BQ M10.
This will flash correct partitions to debrick it.
I am not responsible for any damage to your device; YOU choose to make these modifications.
MATERIAL NEEDED:
Linux based system
USB Cable
Something conductive to short
Install Python3, PySerial, adb, fastboot:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot
Uninstall modemmanager:
Code:
sudo apt remove modemmanager
AVAILABLE OPTIONS:
Code:
sudo ./dump-bootrom.sh
Will dump the bootrom of the device (Probably will crash, don't worry, the bootrom will be dumped in dumps folder)
Code:
sudo ./boot-recovery.sh
This will make the device boot into recovery (if it has a working one).
Code:
sudo ./boot-fastboot.sh
This will boot the device to fastboot mode using Preloader.
Code:
sudo ./gpt-fix.sh
This will restore the gpt of your device using bootROM.
Code:
sudo ./bootrom-step.sh
This will basically unbrick the device by flashing its correct partitions (Preloader/TZ/LK). Instructions to unbrick above.
HOW-TO UNBRICK:
1. Download amonet-mt8163-aquaris_m8 from downloads and unpack it.
2. Open the unpacked folder of amonet, open a terminal inside it and type:
Code:
sudo ./bootrom-step.sh
3. When you see something like:
Code:
[2019-02-07 14:35:59.478924] Waiting for bootrom
You will have two options.
If your tablet has a working Preloader from version 2.1 to 2.9.0 you can just connect the tablet while you press volume +.
If your Preloader version is not inside 2.1-2.9.0 or you have a wrong Preloader, short DAT0 in the attached picture with GND and at the same time connect the tablet.
4. The script will say to remove the short. When this happens, stop pressing the Volume + button or remove the cable that is shorting and press enter.
5. Now just wait until it finishes; it should output something like:
Code:
[email protected]:~/amonet_bq/amonet$ sudo ./bootrom-step.sh
[sudo] contraseña para r0rtiz2:
[2019-12-20 22:53:05.110947] Waiting for bootrom
[2019-12-20 22:53:24.973079] Found port = /dev/ttyACM0
[2019-12-20 22:53:24.974198] Handshake
* * * If you have a short attached, remove it now * * *
* * * Press Enter to continue * * *
[2019-12-20 22:53:27.981825] Init crypto engine
[2019-12-20 22:53:28.002180] Disable caches
[2019-12-20 22:53:28.003140] Disable bootrom range checks
[2019-12-20 22:53:28.016551] Load payload from ../brom-payload/build/payload.bin = 0x48D8 bytes
[2019-12-20 22:53:28.020237] Send payload
[2019-12-20 22:53:28.684542] Let's rock
[2019-12-20 22:53:28.686183] Wait for the payload to come online...
[2019-12-20 22:53:29.406543] all good
[2019-12-20 22:53:29.407323] Check GPT
[2019-12-20 22:53:29.739682] gpt_parsed = {'proinfo': (1024, 6144), 'nvram': (7168, 10240), 'protect1': (17408, 20480), 'protect2': (37888, 20480), 'persist': (58368, 98304), 'seccfg': (156672, 512), 'lk': (157184, 768), 'boot': (157952, 32768), 'recovery': (190720, 32768), 'secro': (223488, 12288), 'para': (235776, 1024), 'logo': (236800, 16384), 'expdb': (253184, 20480), 'frp': (273664, 2048), 'tee1': (275712, 10240), 'tee2': (285952, 10240)}
[2019-12-20 22:53:29.740037] Check boot0
[2019-12-20 22:53:29.982147] Clear preloader header
[8 / 8]
[2019-12-20 22:53:30.496089] Flashing TEE..
[4569 / 4569]
[2019-12-20 22:55:08.902230] Flashing bootloader..
[537 / 537]
[2019-12-20 22:55:20.719667] Flashing preloader..
[312 / 312]
[2019-12-20 22:55:31.905118] Reboot..
[email protected]:~/amonet_bq/amonet$
6. The device should reboot now.
NOTES:
In lsusb boot-rom shows up as:
Code:
Bus 001 Device 009: ID 0e8d:0003 MediaTek Inc. MT6227 phone
If you see:
Code:
Bus 001 Device 013: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
it means you're in preloader mode. Try shorting again.
THANKS:
- @xyz for the original exploit.
- @k4y0z for his messages in the original amonet thread that helped me a lot with porting it to my device
- @t0x1cSH and his patience for finding out the trick to make amonet work in my tab
DOWNLOAD:
amonet-mt8163-aquaris_m8
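A sanity check on the "Check GPT" step of the log above, as an added example that is not part of the original post or of amonet. It assumes each tuple in gpt_parsed is (start sector, length in sectors) and that the TEE and bootloader steps need tee1, tee2 and lk; the function names are hypothetical.

```python
import ast
import re

# gpt_parsed line copied from the bootrom-step.sh output quoted in the post.
LOG_LINE = (
    "[2019-12-20 22:53:29.739682] gpt_parsed = {'proinfo': (1024, 6144), "
    "'nvram': (7168, 10240), 'protect1': (17408, 20480), "
    "'protect2': (37888, 20480), 'persist': (58368, 98304), "
    "'seccfg': (156672, 512), 'lk': (157184, 768), 'boot': (157952, 32768), "
    "'recovery': (190720, 32768), 'secro': (223488, 12288), "
    "'para': (235776, 1024), 'logo': (236800, 16384), "
    "'expdb': (253184, 20480), 'frp': (273664, 2048), "
    "'tee1': (275712, 10240), 'tee2': (285952, 10240)}"
)

# Assumption: partitions that "Flashing bootloader.." and "Flashing TEE.." write to.
REQUIRED = ("lk", "tee1", "tee2")


def parse_gpt_line(line):
    """Return {name: (start, length)} from a 'gpt_parsed = {...}' log line."""
    match = re.search(r"gpt_parsed\s*=\s*(\{.*\})", line)
    if not match:
        raise ValueError("no gpt_parsed dict found in line")
    # literal_eval only accepts literals, so log text is never executed.
    table = ast.literal_eval(match.group(1))
    if not isinstance(table, dict):
        raise ValueError("gpt_parsed is not a dict")
    for name, extent in table.items():
        ok = (
            isinstance(name, str)
            and isinstance(extent, tuple)
            and len(extent) == 2
            and all(isinstance(v, int) for v in extent)
        )
        if not ok:
            raise ValueError(f"unexpected entry for {name!r}: {extent!r}")
    return table


def check_gpt(table, required=REQUIRED):
    """Return (errors, gaps): errors should stop a flash, gaps are informational."""
    errors, gaps = [], []
    for name in required:
        if name not in table:
            errors.append(f"missing partition: {name}")
    ordered = sorted(table.items(), key=lambda item: item[1][0])
    for name, (start, length) in ordered:
        if start < 0 or length <= 0:
            errors.append(f"{name}: invalid extent ({start}, {length})")
    # Compare each partition with its successor in on-disk order.
    for (a, (a_start, a_len)), (b, (b_start, _)) in zip(ordered, ordered[1:]):
        a_end = a_start + a_len
        if b_start < a_end:
            errors.append(f"{a} overlaps {b} by {a_end - b_start} sectors")
        elif b_start > a_end:
            gaps.append(f"{b_start - a_end} unused sectors between {a} and {b}")
    return errors, gaps


if __name__ == "__main__":
    errors, gaps = check_gpt(parse_gpt_line(LOG_LINE))
    print("errors:", errors or "none")
    print("gaps:", gaps or "none")
```

A table that fails this check before flashing is a reason to run gpt-fix.sh first rather than continue.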

Reserved

Hey, I've never opened it, there is this metal plate, how should I remove it? I'm too scared to break something.

Related

Fetching TWG10 Factory imgs+Introduction of Android Device Drivers

Notice: First of all, you are responsible for any damage to your tablet and I do not accept any responsibility for it; by reading and following these procedures, you have already accepted that responsibility yourself. Secondly, this knowledge is much more for dev people, but of course it is written in such a way that newbies can understand it too.
Before starting on fetching the stock ROM of the TWG10, maybe you ask: what is the TWG10? Which tablet is it? You can find out here: Introduction of Datamini TWG10.
So, we first go through some introduction and requirements in a few steps, then move on to the main part.
Ubuntu has far better features and advantages than Windows for fetching the stock ROM of any Android device, so we use Ubuntu too.
The first step is to install ADB and Fastboot for Ubuntu from here, using the Ubuntu terminal.
The second step is to root your device. Rooting grants the privileges that let us fetch the stock ROM of any Android device.
One of the common and well-known ways of rooting Android devices is booting TWRP recovery from fastboot and flashing SuperSU, but when there is no TWRP recovery for your device, you can port and compile it for your device: Porting TWRP From Source.
But there is always a final and better way to root your device, which is very easy too -> UNIVERSAL GUIDE for Rooting Any Android Device Manually!, which has worked and been tested on Intel Atom based processor devices.
<<Fetching Factory Imgs>> :
After installing SU, we can now access the Android partition scheme of the TWG10. Just connect your device through its cable to your PC (Ubuntu), hoping you have already turned on USB debugging in Developer options, then open a new terminal and write
Code:
adb devices
You should see Baytrail000... in the last line. Now enter in the terminal:
Code:
adb shell
When it starts, you will see your phone code name, [email protected]_phone_32:/$, which means you now have full control of your tablet. Just type
Code:
su
and press Enter. The information about the Android partition scheme is located in /dev/block/platform/dw_mmc/by-name, where the dw_mmc for the TWG10 is 808060F14:00. Let's use
Code:
ls -l /dev/block/platform/808060F14:00/by-name
to find the locations of boot.img, system.img, recovery.img and so on (the factory imgs). You will see something like the photo below. (You can save this info to your internal storage:
Code:
ls -la /dev/block/platform/808060F14:00/by-name > "/sdcard/your selective name.txt"
)
Also, by running cat /proc/partitions in the terminal, you can find some info about your tablet's partitions too.
As you can see, you can find the location of each img file on your device; for example, boot.img is in /dev/block/mmcblk0p5. Now it's time to fetch them using
Code:
dd if=Directory of source of=Directory of Destination
for example:
Code:
dd if=/dev/block/mmcblk0p5 of=/sdcard/boot.img
sdcard is the absolute location of your internal storage: /storage/emulated/legacy. (Notice: NEVER TOUCH basic_data_partition, it is the data of your Windows OS; NEVER TOUCH ESP, it is the location of your UEFI BIOS Insyde software; NEVER TOUCH Microsoft_reserve_partition. The only img files that you need to dd are boot.img, fastboot.img (bootloader), system.img, recovery.img, config.img and factory.img; these two contain vendor.img and radio.img, related to connectivity and WiFi.)
After fetching all the imgs of the stock ROM (factory imgs) of the TWG10, it's time to pull them to your PC.
Just type exit and press Enter, then write in the terminal:
Code:
adb pull /sdcard/'img file' 'your selected directory on your PC'
for example:
Code:
adb pull /sdcard/boot.img /home/amir/twg10_imgs
Do not worry if you can't fetch all the factory images; you can download them from here: Factory imgs of TWG10
But the important question is: why do we need those factory imgs? Because when the Android OS gets damaged and does not boot up or is stuck in a boot loop, we can revive it with the instructions below:
Reviving TWG10 Android OS by Flashing Factory imgs via Fastboot:
Open a new terminal in the directory where those factory images are placed, then write in the terminal:
Code:
adb reboot bootloader
(we will boot to fastboot)
After restarting:
Code:
sudo fastboot devices
Now we need to unlock the bootloader for flashing:
Code:
sudo fastboot oem unlock
sudo fastboot flashing unlock
sudo fastboot reboot bootloader
After restarting to the bootloader, you should press volume up to enter fastboot.
Now it's time to erase the necessary partitions. As we saw, ls -l /dev/block/platform/808060F14:00/by-name shows the partitions by name; for example, /dev/block/mmcblk0p5 is called boot.
So we use this command: sudo fastboot erase 'partition by name'
Code:
sudo fastboot erase boot
sudo fastboot erase cache
sudo fastboot erase recovery
sudo fastboot erase userdata
sudo fastboot erase system
Now flash each 'partition by name':
sudo fastboot flash 'partition by name' 'img file association'
Code:
sudo fastboot flash boot boot.img
sudo fastboot flash fastboot fastboot.img    # flashing bootloader
sudo fastboot reboot bootloader              # reboot to fastboot
sudo fastboot flash recovery recovery.img
sudo fastboot flash system system.img
sudo fastboot flash config config.img        # this is radio.img
sudo fastboot flash factory factory.img      # this is vendor.img
sudo fastboot reboot
Congratulations! Your stock Android is revived!
You can also download and install any Android X86 on your TWG10. You can make a bootable flash drive using Rufus, but it's important to say that you should use the GPT partition scheme for UEFI in "partition scheme and target system type". Another important notice: when your bootable flash drive is ready, you should open it, go to /boot/grub, open grub.cfg with gedit and modify it: after root=/dev/ram0, add a space and type nomodeset vga=5785 for the live, debug and installation entries, then save; otherwise it won't boot on the TWG10!
By pressing ESC before going into any OS, you can select the bootable flash drive in the boot manager and enter the boot menu of Android X86. If you did not modify grub.cfg, you can press E in the boot menu of the Android X86 installation and modify it (type and add nomodeset vga=5785 after root=/dev/ram0) and press F10. But because the orientation of the tablet is horizontal, it may be difficult to modify, so it's better to modify it before booting the flash drive. It's also better to install Android X86 on an SD card or another flash drive, because 32 GB is not enough for 3 OSs!
Another notice: you should pay attention to the above partition scheme at the time of Android X86 installation.
But when you boot up Android X86, nothing works: touch, rotation, sound and so on.
This is because none of the Android drivers is installed for the TWG10, so we turn our attention to ->
<<Introduction of Android Device Drivers >>
Let's say your TWG10 is connected to your PC.
Android device drivers (modules) are in fact C programs. They are a kind of module which is added to the kernel of the Android OS and loaded and unloaded on demand. After compiling, these C program files are converted to files with the extension .ko; these .ko files are located in /lib/modules.
These .ko files take care of device functionality (how devices perform and operate), and the files of hardware devices (such as HDMI, hard disk, sound, touchscreen, WiFi...) are located in /dev.
You can see the files of hardware devices using these commands in a terminal:
Code:
adb shell
ls -l /dev/i2c-1
you will see
Code:
crw------- root root 89, 1 2017-11-11 01:02 i2c-1
If the first letter is c, it is a character device. 89 is the major number, used to identify the driver (which module or .ko file is used for this device file). After 89 there is a ',' and then 1, which is the minor number, used to distinguish between devices with the same driver.
For example, if we write
Code:
adb shell
ls -l /dev/i2c-2
you will see
Code:
crw------- root root 89, 2 2017-11-11 01:02 i2c-2
i2c-2 uses the same driver file (the major number is the same) but is another device file (the minor number is different).
We have two types of devices: block devices and character devices.
Block devices have a buffer for requests so they can give the best response; block devices only take input and give output, but character devices can take many inputs and give many outputs.
To see the block and character devices on your TWG10, you can use the commands below:
Code:
adb shell
cat /proc/devices
To create a device file, use this command:
Open a terminal:
Code:
mknod /dev/'device name' c 'major number' 'minor number'
for example :
Code:
adb shell
mknod /dev/i2c c 89 3
In fact, modules (device drivers) and device files (hardware) are connected to each other by the major number.
You can pull the modules which control the functionality of devices (hardware) from the stock Android to your PC using ADB and the Ubuntu terminal:
Just open a new terminal and type:
Code:
adb devices
adb pull /lib/modules 'A directory in your PC'
Now, if you want to see which device driver these .ko files are for, just open a terminal in the directory where the .ko files are and type:
Code:
modinfo 'name of the ko file'
for example
Code:
modinfo 8723bs.ko
We can also see the device drivers which are activated by using lsmod or cat /proc/modules:
Open a new terminal and type:
Code:
adb shell
lsmod
cat /proc/modules
To add a driver or module to the kernel,
open a terminal in the directory on your PC where you pulled the .ko files:
Code:
adb push 'directory of modules(drivers) in the PC' /lib/modules
adb shell
modprobe 'the pushed file name'
for example :
Code:
adb push /home/amir/twg10_imgs/drivers /lib/modules
adb shell
modprobe 8723bs
We can also add a driver to the kernel with the insmod command, but because of its dependencies, we should add the other related drivers (modules) too.
For example:
Code:
adb shell
insmod ./8723bs.ko
The story has still not started; it will be continued!
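One way to turn the by-name listing from the "Fetching Factory Imgs" part into dd commands while keeping clear of the partitions the post says never to touch, as an added example that is not part of the original post. The listing is constructed (only boot -> /dev/block/mmcblk0p5 comes from the post) and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample of `ls -l .../by-name` output. Only the boot entry
# (mmcblk0p5) is taken from the post; every other number is made up.
SAMPLE_LISTING = """\
lrwxrwxrwx root root 2017-11-11 01:02 ESP -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2017-11-11 01:02 Microsoft_reserve_partition -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2017-11-11 01:02 basic_data_partition -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2017-11-11 01:02 fastboot -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2017-11-11 01:02 boot -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2017-11-11 01:02 recovery -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2017-11-11 01:02 system -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2017-11-11 01:02 config -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2017-11-11 01:02 factory -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2017-11-11 01:02 cache -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2017-11-11 01:02 data -> /dev/block/mmcblk0p11
"""

# Images the post says to dump, and partitions it says never to touch.
WANTED = ("boot", "fastboot", "system", "recovery", "config", "factory")
PROTECTED = ("basic_data_partition", "ESP", "Microsoft_reserve_partition")

LINK_RE = re.compile(r"(\S+) -> (/dev/block/[A-Za-z0-9]+)\s*$")


def parse_by_name(listing):
    """Map partition name -> block device from `ls -l` symlink lines."""
    partitions = {}
    for line in listing.splitlines():
        match = LINK_RE.search(line)
        if match:
            partitions[match.group(1)] = match.group(2)
    return partitions


def dump_plan(partitions, out_dir="/sdcard"):
    """Return (dd commands, missing names) for the allow-listed images only.

    Raises ValueError if an allow-listed name resolves to the same block
    device as a protected partition, since the name alone is then not enough
    to tell what would be read.
    """
    protected_devs = {partitions[n] for n in PROTECTED if n in partitions}
    commands, missing = [], []
    for name in WANTED:
        dev = partitions.get(name)
        if dev is None:
            missing.append(name)
            continue
        if dev in protected_devs:
            raise ValueError(f"{name} points at protected device {dev}")
        target = f"{out_dir}/{name}.img"
        commands.append(f"dd if={shlex.quote(dev)} of={shlex.quote(target)}")
    return commands, missing


if __name__ == "__main__":
    cmds, missing = dump_plan(parse_by_name(SAMPLE_LISTING))
    print("\n".join(cmds))
    if missing:
        print("not found in listing:", ", ".join(missing))
```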
Is it possible to get a copy of your files?
Upload factory image
If you can, kindly please upload the factory images again
If possible in google drive
At least it won't get deleted
amirhtc said:
Before starting about fetching Stock ROM of TWG10 , maybe you ask ,what is TWG10 ? which Tablet is it ? ,so you can know and Find it from here : Introduction of Datamini TWG10 .
So , we pay attention some introduction and requirements in some steps then considering to the main .
Using of Ubuntu has far better features and advantage respect to Windows to fetch the Stock ROM of any Android devices , So we use Ubuntu too.
First Step is to Install ADB and Fastboot for Ubuntu from here using Terminal of Ubuntu.
Second step is to root your device , Rooting will be released so many privileges that make us to fetch the Stock ROM of any Android Devices .
One of the common and famous way of rooting Android devices is booting TWRP recovery from fastboot and Flashing SuperSu, but when there is no TWRP recovery for your device , you can port and compile it for your device : Porting TWRP From Source .
But always there is a final and better way to root your device which is so easy too -> UNIVERSAL GUIDE for Rooting Any Android Device Manually ! which has worked and been tested on Intel Atom based processor devices .
<<Fetching Factory Imgs>> :
After installing the SU ,now we can access to Android partition scheme of TWG10 , just connect your device through its cable to your PC (Ubuntu) , hoping you have already made USB debugging on in Developer options , just open a new terminal and write
Code:
adb devices
, you should see Baytrail000... in the last line , now command in the terminal ,
Code:
adb shell
and then when it starts , you will see your phone code name ,[email protected]_phone_32:/$ ,it means now you can get controlled fully of your tablet , just type
Code:
su
and press Enter , the information of Android partition scheme is located in /dev/block/platform/dw_mmc/by-name such that , the dw_mmc for TWG10 is 808060F14:00 let's use
Code:
ls -l /dev/block/platform/808060F14:00/by-name
to find locations of , boot.img , system.img, recovery.img and so on(Factory imgs) you will see such below photo : ( you can save this info in your internal storage ,
Code:
ls -la /dev/block/platform/808060F14:00/by-name > sdcard/your selective name.txt
)
also by commanding cat /proc/partition in terminal , you find some info about your tablet partition too
As you see ,you can find location of each img file in your device for example : boot.img is in /dev/block/mmcblk0p5 now its time to fetch them using
Code:
dd if=Directory of source of=Directory of Destination
for example :
Code:
dd if=/dev/block/mmcblk0p5 of=/sdcard/boot.img
sdcard is absolute location of your Internal storage :/storage/emulated/legancy.(Notice : NEVER TOUCH basic_data_partition , its data of your windows OS , NEVER TOUCH ESP , its location of your UEFI bios insyde software , NEVER TOUCH Microsoft_reserve_partition , the only img files that you need to dd is boot.img. fastboot.img (bootloader) , system.img, recovery.img ,config.img ,factory.img, these two contains vendor.img and radio.img related connectivity and WIFI)
after fetching all imgs of stock ROM (Factory imgs) of TWG10 , its the time to pull them to your PC .
Just type exit and enter , write in the terminal ,
Code:
adb pull /sdcard/"img File" /" your selective Directory in your PC"
for example :
Code:
adb pull /sdcard/boot.img /home/amir/twg10_imgs
.
Do not worry , if you cant fetch all factory images , you can download them from here :Factory imgs of TWG10
But the important question is : why we need those factory imgs ? because when the Android OS gets damaged and its not booted up or in boot looping condition, we can survive it in below instruction :
Reviving TWG10 Android OS by Flashing Factory imgs via Fastboot:
open a new terminal in the directory which those factory images are there and placed and then write in the terminal :
Code:
adb reboot -bootloader
(we will boot to fastboot)
after restarting :
Code:
sudo fastboot devices
now we need to unlock bootloader for flashing
Code:
sudo fastboot oem unlock
sudo fastboot flashing unlock
sudo fastboot reboot bootloader
after restarting to bootloader ,you should press volume up to enter to fastboot
now its the time for erasing necessary partition, as we saw , ls -l /dev/block/platform/808060F14:00/by-name , shows the portions by name for example /dev/block/mmcblk0p5 is called boot .
​so we use this code sudo fastboot erase 'partition by name'
Code:
sudo fastboot erase boot
sudo fastboot erase cache
sudo fastboot erase recovery
sudo fastboot erase date (userdata)
sudo fastboot erase system
now flashing 'partition by name'
sudo fastboot flash 'partition by name' 'img file association'
Code:
sudo fastboot flash boot boot.img
sudo fastboot flash fastboot fastboot.img (flashing bootloader)
sudo fastboot reboot bootloader (reboot to fastboot)
sudo fastboot flash recovery recovery.img
sudo fastboot flash system system.img
sudo fastboot flash config config.img (this is radio.img)
sudo fastboot flash factory factory.img (this is vendor.img)
sudo fastboot reboot
Congratulation ! your stock Android revived !
you can also download and install any Android X86 on your TWG10 , you can make bootable flash memory using Rufus but its important to say , you should use GPT Partition scheme for UEFI in partition scheme and target system type , another important notice is : when your bootable flash memory gets ready , you should open your flash memory and go to /boot/grub and open grub.cfg by gedit and modify it , after root=/dev/ram0 you should "space" and type nomodeset vga=5785 for live , debug and installation and then save , otherwise it wont be booted into TWG10!.
By pressing ESC before going to any OS ,you can select the bootable flash memory in boot manager and enter to boot menu of android X86 , if you did not modify the grub.cfg , you can press E in boot menu of Android X86 installation and modify it ( type and add nomodeset vga=5785 after root=/dev/ram0) and press F10 , but because of the orientation of tablet is in horizontal , maybe its difficult to modify , so its better to modify it before booting the flash memory and its better to install Android X86 on a SD card or another flash memory , because 32 GB is not enough for 3 OSs!
Another notice is you should pay attention to above partition scheme in the time of Android X86 installation.
​but when you booted up the Android X86 , nothing works , touch , rotation ,sound and ......
this is because of no one of Android Drivers is installed for TWG10 , so we pay attention to ->
<<Introduction of Android Device Drivers >>
lets your TWG10 is connected to your PC.
Android Device Drivers (modules) are C program in fact , they are kind of modules which will be added to kernel of Android OS and they load and unload in the time of demand , these C program files after compiling ,they convert to the files with extension .ko , these .ko Files are located in /lib/modules .
these ko files are taking care of Device functionality (how they perform and operate) and files of hardware devices( such HDMI , hard disk , sound , touchscreen , WIFI...) are located in /dev
you can see the files of hardware devices using these codes in a terminal :
Code:
adb shell
ls -l /dev/i2c-1
you will see
Code:
crw------- root root 89, 1 2017-11-11 01:02 i2c-1
If the first letter is c, it's a character device. 89 is the major number, used to identify the driver (which module or .ko file is used for this device file). After 89 there is a ',' and then 1, which is the minor number, used to distinguish between devices with the same driver.
For example, if we write
Code:
adb shell
ls -l /dev/i2c-2
you will see
Code:
crw------- root root 89, 2 2017-11-11 01:02 i2c-2
i2c-2 uses the same driver file (the major number is the same) but another device file (the minor number is different).
We have two types of devices: block devices and character devices.
Block devices have a buffer for a request so they can have the best response. Block devices take input and give output only, but character devices can take so many inputs and give so many outputs.
To see the block and character devices on your TWG10, you can use the commands below:
Code:
adb shell
cat /proc/devices
To create a device file, use this code.
Open a terminal:
Code:
mknod /dev/'device name' 'c or b' 'major number' 'minor number'
For example:
Code:
adb shell
mknod /dev/i2c c 89 3
In fact, modules (device drivers) and device files (hardware) are connected to each other by the major number.
You can pull the modules which control the functionality of the devices (hardware) from the stock Android to your PC using ADB and an Ubuntu terminal.
Just open a new terminal and type:
Code:
adb devices
adb pull /lib/modules 'A directory in your PC'
Now if you want to see which device driver these .ko files are for, just open a terminal in the directory where the .ko files are and type:
Code:
modinfo 'name of the ko file'
for example
Code:
modinfo 8723bs.ko
We can also see the device drivers which are activated by using lsmod or cat /proc/modules.
Open a new terminal and type:
Code:
adb shell
lsmod    # or: cat /proc/modules
To add a driver or module to the kernel,
open a terminal in the directory of the .ko files, where you pulled them to on your PC:
Code:
adb push 'directory of modules(drivers) in the PC' /lib/modules
adb shell
modprobe 'the pushed file name'
for example :
Code:
adb push /home/amir/twg10_imgs/drivers /lib/modules
adb shell
modprobe 8723bs
We can also add a driver to the kernel with the insmod command, but it does not handle dependencies, so we should add the other related drivers (modules) too.
For example:
Code:
adb shell
insmod ./8723bs.ko
The story has still not started; it will be continued!
please upload the factory images again
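The major/minor relationship described in the quoted post, as an added example that is not part of the original posts: it parses `ls -l` device-node lines and a /proc/devices listing and joins them on (type, major). The /proc/devices sample and the loop0 line are constructed, not captured from a TWG10, and the function names are hypothetical.

```python
import re

# Matches both Android-style ("crw------- root root 89, 1 ...") and GNU ls
# ("crw------- 1 root root 89, 1 ...") long listings of device nodes.
NODE_RE = re.compile(
    r"^(?P<kind>[bc])\S{9,}\s+.*?\s(?P<major>\d+),\s*(?P<minor>\d+)"
    r"\s+.*\s(?P<name>\S+)$"
)

# Constructed sample in the layout of /proc/devices.
SAMPLE_PROC_DEVICES = """\
Character devices:
  1 mem
  7 vcs
 89 i2c
116 alsa

Block devices:
  7 loop
179 mmc
"""


def parse_proc_devices(text):
    """Return {(kind, major): driver_name}; kind is 'c' or 'b'."""
    table, kind = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Character devices"):
            kind = "c"
        elif line.startswith("Block devices"):
            kind = "b"
        elif line and kind:
            major, driver = line.split(None, 1)
            table[(kind, int(major))] = driver
    return table


def parse_node(ls_line):
    """Parse one `ls -l` line; returns None for anything that is not a device node."""
    m = NODE_RE.match(ls_line.strip())
    if not m:
        return None
    return {"kind": m["kind"], "major": int(m["major"]),
            "minor": int(m["minor"]), "name": m["name"]}


def driver_for(node, table):
    """Look the driver up by type AND major: char 7 and block 7 are different drivers."""
    return table.get((node["kind"], node["major"]))


def mknod_command(node, dev_dir="/dev"):
    """Rebuild the mknod invocation that would create this node."""
    return f"mknod {dev_dir}/{node['name']} {node['kind']} {node['major']} {node['minor']}"


if __name__ == "__main__":
    table = parse_proc_devices(SAMPLE_PROC_DEVICES)
    for line in (
        "crw------- root root 89, 1 2017-11-11 01:02 i2c-1",   # from the post
        "crw------- root root 89, 2 2017-11-11 01:02 i2c-2",   # from the post
        "brw------- 1 root root 7, 0 Nov 11 01:02 loop0",      # constructed
    ):
        node = parse_node(line)
        print(node["name"], "->", driver_for(node, table), "|", mknod_command(node))
```

The lookup key includes the node type because character and block devices have separate major-number spaces.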

Motorola Bootloader error

Hello everyone,
I unlocked the bootloader of my Moto G (XT 1033) a couple of years ago. I was using stock Android (Lollipop) on it. Now I was trying to install LineageOS on it using TWRP; it was not able to install it and said md5 not found. So I tried to format the phone, and now I am stuck on the bootloader/fastboot screen of my device and am not able to open even TWRP. So I tried to install TWRP again using fastboot from my laptop, but it shows the following error.
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot
usage: fastboot [ <option> ] <command>
commands:
update <filename> Reflash device from update.zip.
Sets the flashed slot as active.
flashall Flash boot, system, vendor, and --
if found -- recovery. If the device
supports slots, the slot that has
been flashed to is set as active.
Secondary images may be flashed to
an inactive slot.
flash <partition> [ <filename> ] Write a file to a flash partition.
flashing lock Locks the device. Prevents flashing.
flashing unlock Unlocks the device. Allows flashing
any partition except
bootloader-related partitions.
flashing lock_critical Prevents flashing bootloader-related
partitions.
flashing unlock_critical Enables flashing bootloader-related
partitions.
flashing get_unlock_ability Queries bootloader to see if the
device is unlocked.
flashing get_unlock_bootloader_nonce Queries the bootloader to get the
unlock nonce.
flashing unlock_bootloader <request> Issue unlock bootloader using request.
flashing lock_bootloader Locks the bootloader to prevent
bootloader version rollback.
erase <partition> Erase a flash partition.
format[:[<fs type>][:[<size>]] <partition>
Format a flash partition. Can
override the fs type and/or size
the bootloader reports.
getvar <variable> Display a bootloader variable.
set_active <slot> Sets the active slot. If slots are
not supported, this does nothing.
boot <kernel> [ <ramdisk> [ <second> ] ] Download and boot kernel.
flash:raw boot <kernel> [ <ramdisk> [ <second> ] ]
Create bootimage and flash it.
devices [-l] List all connected devices [with
device paths].
continue Continue with autoboot.
reboot [bootloader] Reboot device [into bootloader].
reboot-bootloader Reboot device into bootloader.
help Show this help message.
options:
-w Erase userdata and cache (and format
if supported by partition type).
-u Do not erase partition before
formatting.
-s <specific device> Specify a device. For USB, provide either
a serial number or path to device port.
For ethernet, provide an address in the
form <protocol>:<hostname>[:port] where
<protocol> is either tcp or udp.
-p <product> Specify product name.
-c <cmdline> Override kernel commandline.
-i <vendor id> Specify a custom USB vendor id.
-b, --base <base_addr> Specify a custom kernel base
address (default: 0x10000000).
--kernel-offset Specify a custom kernel offset.
(default: 0x00008000)
--ramdisk-offset Specify a custom ramdisk offset.
(default: 0x01000000)
--tags-offset Specify a custom tags offset.
(default: 0x00000100)
-n, --page-size <page size> Specify the nand page size
(default: 2048).
-S <size>[K|M|G] Automatically sparse files greater
than 'size'. 0 to disable.
--slot <slot> Specify slot name to be used if the
device supports slots. All operations
on partitions that support slots will
be done on the slot specified.
'all' can be given to refer to all slots.
'other' can be given to refer to a
non-current slot. If this flag is not
used, slotted partitions will default
to the current active slot.
-a, --set-active[=<slot>] Sets the active slot. If no slot is
provided, this will default to the value
given by --slot. If slots are not
supported, this sets the current slot
to be active. This will run after all
non-reboot commands.
--skip-secondary Will not flash secondary slots when
performing a flashall or update. This
will preserve data on other slots.
--unbuffered Do not buffer input or output.
--version Display version.
-h, --help show this message.
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot device
(bootloader) slot-count: not found
(bootloader) slot-suffixes: not found
(bootloader) slot-suffixes: not found
usage: fastboot [ <option> ] <command>
commands:
update <filename> Reflash device from update.zip.
Sets the flashed slot as active.
flashall Flash boot, system, vendor, and --
if found -- recovery. If the device
supports slots, the slot that has
been flashed to is set as active.
Secondary images may be flashed to
an inactive slot.
flash <partition> [ <filename> ] Write a file to a flash partition.
flashing lock Locks the device. Prevents flashing.
flashing unlock Unlocks the device. Allows flashing
any partition except
bootloader-related partitions.
flashing lock_critical Prevents flashing bootloader-related
partitions.
flashing unlock_critical Enables flashing bootloader-related
partitions.
flashing get_unlock_ability Queries bootloader to see if the
device is unlocked.
flashing get_unlock_bootloader_nonce Queries the bootloader to get the
unlock nonce.
flashing unlock_bootloader <request> Issue unlock bootloader using request.
flashing lock_bootloader Locks the bootloader to prevent
bootloader version rollback.
erase <partition> Erase a flash partition.
format[:[<fs type>][:[<size>]] <partition>
Format a flash partition. Can
override the fs type and/or size
the bootloader reports.
getvar <variable> Display a bootloader variable.
set_active <slot> Sets the active slot. If slots are
not supported, this does nothing.
boot <kernel> [ <ramdisk> [ <second> ] ] Download and boot kernel.
flash:raw boot <kernel> [ <ramdisk> [ <second> ] ]
Create bootimage and flash it.
devices [-l] List all connected devices [with
device paths].
continue Continue with autoboot.
reboot [bootloader] Reboot device [into bootloader].
reboot-bootloader Reboot device into bootloader.
help Show this help message.
options:
-w Erase userdata and cache (and format
if supported by partition type).
-u Do not erase partition before
formatting.
-s <specific device> Specify a device. For USB, provide either
a serial number or path to device port.
For ethernet, provide an address in the
form <protocol>:<hostname>[:port] where
<protocol> is either tcp or udp.
-p <product> Specify product name.
-c <cmdline> Override kernel commandline.
-i <vendor id> Specify a custom USB vendor id.
-b, --base <base_addr> Specify a custom kernel base
address (default: 0x10000000).
--kernel-offset Specify a custom kernel offset.
(default: 0x00008000)
--ramdisk-offset Specify a custom ramdisk offset.
(default: 0x01000000)
--tags-offset Specify a custom tags offset.
(default: 0x00000100)
-n, --page-size <page size> Specify the nand page size
(default: 2048).
-S <size>[K|M|G] Automatically sparse files greater
than 'size'. 0 to disable.
--slot <slot> Specify slot name to be used if the
device supports slots. All operations
on partitions that support slots will
be done on the slot specified.
'all' can be given to refer to all slots.
'other' can be given to refer to a
non-current slot. If this flag is not
used, slotted partitions will default
to the current active slot.
-a, --set-active[=<slot>] Sets the active slot. If no slot is
provided, this will default to the value
given by --slot. If slots are not
supported, this sets the current slot
to be active. This will run after all
non-reboot commands.
--skip-secondary Will not flash secondary slots when
performing a flashall or update. This
will preserve data on other slots.
--unbuffered Do not buffer input or output.
--version Display version.
-h, --help show this message.
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot devices
TA93305J1W fastboot
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery.img
(bootloader) slot-count: not found
(bootloader) slot-suffixes: not found
(bootloader) slot-suffixes: not found
unknown partition 'recovery.img'
error: cannot determine image filename for 'recovery.img'
C:\Program Files (x86)\Minimal ADB and Fastboot>adb
Android Debug Bridge version 1.0.36
Revision 0e9850346394-android
-a - directs adb to listen on all interfaces for a connection
-d - directs command to the only connected USB device
returns an error if more than one USB device is present.
-e - directs command to the only running emulator.
returns an error if more than one emulator is running.
-s <specific device> - directs command to the device or emulator with the given
serial number or qualifier. Overrides ANDROID_SERIAL
environment variable.
-p <product name or path> - simple product name like 'sooner', or
a relative/absolute path to a product
out directory like 'out/target/product/sooner'.
If -p is not specified, the ANDROID_PRODUCT_OUT
environment variable is used, which must
be an absolute path.
-H - Name of adb server host (default: localhost)
-P - Port of adb server (default: 5037)
devices [-l] - list all connected devices
('-l' will also list device qualifiers)
connect <host>[:<port>] - connect to a device via TCP/IP
Port 5555 is used by default if no port number is specified.
disconnect [<host>[:<port>]] - disconnect from a TCP/IP device.
Port 5555 is used by default if no port number is specified.
Using this command with no additional arguments
will disconnect from all connected TCP/IP devices.
device commands:
adb push <local>... <remote>
- copy files/dirs to device
adb pull [-a] <remote>... <local>
- copy files/dirs from device
(-a preserves file timestamp and mode)
adb sync [ <directory> ] - copy host->device only if changed
(-l means list but don't copy)
adb shell [-e escape] [-n] [-Tt] [-x] [command]
- run remote shell command (interactive shell if no command given)
(-e: choose escape character, or "none"; default '~')
(-n: don't read from stdin)
(-T: disable PTY allocation)
(-t: force PTY allocation)
(-x: disable remote exit codes and stdout/stderr separation)
adb emu <command> - run emulator console command
adb logcat [ <filter-spec> ] - View device log
adb forward --list - list all forward socket connections.
the format is a list of lines with the following format:
<serial> " " <local> " " <remote> "\n"
adb forward <local> <remote> - forward socket connections
forward specs are one of:
tcp:<port>
localabstract:<unix domain socket name>
localreserved:<unix domain socket name>
localfilesystem:<unix domain socket name>
dev:<character device name>
jdwp:<process pid> (remote only)
adb forward --no-rebind <local> <remote>
- same as 'adb forward <local> <remote>' but fails
if <local> is already forwarded
adb forward --remove <local> - remove a specific forward socket connection
adb forward --remove-all - remove all forward socket connections
adb reverse --list - list all reverse socket connections from device
adb reverse <remote> <local> - reverse socket connections
reverse specs are one of:
tcp:<port>
localabstract:<unix domain socket name>
localreserved:<unix domain socket name>
localfilesystem:<unix domain socket name>
adb reverse --no-rebind <remote> <local>
- same as 'adb reverse <remote> <local>' but fails
if <remote> is already reversed.
adb reverse --remove <remote>
- remove a specific reversed socket connection
adb reverse --remove-all - remove all reversed socket connections from device
adb jdwp - list PIDs of processes hosting a JDWP transport
adb install [-lrtsdg] <file>
- push this package file to the device and install it
(-l: forward lock application)
(-r: replace existing application)
(-t: allow test packages)
(-s: install application on sdcard)
(-d: allow version code downgrade (debuggable packages only))
(-g: grant all runtime permissions)
adb install-multiple [-lrtsdpg] <file...>
- push this package file to the device and install it
(-l: forward lock application)
(-r: replace existing application)
(-t: allow test packages)
(-s: install application on sdcard)
(-d: allow version code downgrade (debuggable packages only))
(-p: partial application install)
(-g: grant all runtime permissions)
adb uninstall [-k] <package> - remove this app package from the device
('-k' means keep the data and cache directories)
adb bugreport [<path>] - return all information from the device that should be included in a zipped bug report.
If <path> is a file, the bug report will be saved as that file.
If <path> is a directory, the bug report will be saved in that directory with the name provided by the device.
If <path> is omitted, the bug report will be saved in the current directory with the name provided by the device.
NOTE: if the device does not support zipped bug reports, the bug report will be output on stdout.
adb backup [-f <file>] [-apk|-noapk] [-obb|-noobb] [-shared|-noshared] [-all] [-system|-nosystem] [<packages...>]
- write an archive of the device's data to <file>.
If no -f option is supplied then the data is written
to "backup.ab" in the current directory.
(-apk|-noapk enable/disable backup of the .apks themselves
in the archive; the default is noapk.)
(-obb|-noobb enable/disable backup of any installed apk expansion
(aka .obb) files associated with each application; the default
is noobb.)
(-shared|-noshared enable/disable backup of the device's
shared storage / SD card contents; the default is noshared.)
(-all means to back up all installed applications)
(-system|-nosystem toggles whether -all automatically includes
system applications; the default is to include system apps)
(<packages...> is the list of applications to be backed up. If
the -all or -shared flags are passed, then the package
list is optional. Applications explicitly given on the
command line will be included even if -nosystem would
ordinarily cause them to be omitted.)
adb restore <file> - restore device contents from the <file> backup archive
adb disable-verity - disable dm-verity checking on USERDEBUG builds
adb enable-verity - re-enable dm-verity checking on USERDEBUG builds
adb keygen <file> - generate adb public/private key. The private key is stored in <file>,
and the public key is stored in <file>.pub. Any existing files
are overwritten.
adb help - show this help message
adb version - show version num
scripting:
adb wait-for[-<transport>]-<state>
- wait for device to be in the given state:
device, recovery, sideload, or bootloader
Transport is: usb, local or any [default=any]
adb start-server - ensure that there is a server running
adb kill-server - kill the server if it is running
adb get-state - prints: offline | bootloader | device
adb get-serialno - prints: <serial-number>
adb get-devpath - prints: <device-path>
adb remount - remounts the /system, /vendor (if present) and /oem (if present) partitions on the device read-write
adb reboot [bootloader|recovery]
- reboots the device, optionally into the bootloader or recovery program.
adb reboot sideload - reboots the device into the sideload mode in recovery program (adb root required).
adb reboot sideload-auto-reboot
- reboots into the sideload mode, then reboots automatically after the sideload regardless of the result.
adb sideload <file> - sideloads the given package
adb root - restarts the adbd daemon with root permissions
adb unroot - restarts the adbd daemon without root permissions
adb usb - restarts the adbd daemon listening on USB
adb tcpip <port> - restarts the adbd daemon listening on TCP on the specified port
networking:
adb ppp <tty> [parameters] - Run PPP over USB.
Note: you should not automatically start a PPP connection.
<tty> refers to the tty for PPP stream. Eg. dev:/dev/omap_csmi_tty1
[parameters] - Eg. defaultroute debug dump local notty usepeerdns
adb sync notes: adb sync [ <directory> ]
<localdir> can be interpreted in several ways:
- If <directory> is not specified, /system, /vendor (if present), /oem (if present) and /data partitions will be updated.
- If it is "system", "vendor", "oem" or "data", only the corresponding partition
is updated.
internal debugging:
adb reconnect Kick current connection from host side and make it reconnect.
adb reconnect device Kick current connection from device side and make it reconnect.
environment variables:
ADB_TRACE - Print debug information. A comma separated list of the following values
1 or all, adb, sockets, packets, rwx, usb, sync, sysdeps, transport, jdwp
ANDROID_SERIAL - The serial number to connect to. -s takes priority over this if given.
ANDROID_LOG_TAGS - When used with the logcat option, only these debug tags are printed.
C:\Program Files (x86)\Minimal ADB and Fastboot>adb reboot bootloader
adb server version (39) doesn't match this client (36); killing...
* daemon started successfully *
error: no devices/emulators found
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot devices
TA93305J1W fastboot
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash update
(bootloader) slot-count: not found
(bootloader) slot-suffixes: not found
(bootloader) slot-suffixes: not found
unknown partition 'update'
error: cannot determine image filename for 'update'
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery
(bootloader) slot-count: not found
(bootloader) slot-suffixes: not found
(bootloader) slot-suffixes: not found
error: neither -p product specified nor ANDROID_PRODUCT_OUT set
C:\Program Files (x86)\Minimal ADB and Fastboot>
Basically I need to get back to my device. Pls help (step-by-step tutorial).
Any kind of help will be greatly appreciated.

[GUIDE] LG V20 Hard-Unbrick

This guide is for people whose V20s are stuck in EDL mode or are otherwise unable to boot recovery, fastboot, or laf/download mode. You know if your device is in EDL mode if it does not react when you try to turn it on, and when plugged into a computer, it shows up as Qualcomm HS-USB QDLoader 9008, or some similar variation. If your phone can boot into recovery, fastboot, or laf/download mode, this guide is not for you.
Preface
I only have a VS995, so this guide has only been tested with that. However the firehose programmer I found said it was for a H918 so it will likely work for other variants. I performed these steps on Linux, but the tools used are written in Python and should work on Windows and MacOS too.
I take no responsibility if you mess up your phone doing this. Flashing over EDL is a very powerful process that can totally erase your phone's NAND if you're not careful. This process will likely require a factory reset and you will likely lose all the data stored on the phone.
Prerequisites
Python 3 - Both tools used in this guide are written in Python 3
KDZTools - Used to extract partition images from KDZ files
Bjoern Kerler's EDL Utility - For flashing partition images in EDL mode
v20-root.zip from this XDA post - For the rooted aboot.img
A stock firmware KDZ - Can be obtained from lg-firmwares.com. I used VS99513A. Choose an appropriate KDZ for your device.
A screwdriver and a paper clip - Used to force the device into EDL mode
prog_ufs_firehose_8996_lite.elf - Firehose programmer file for use with the EDL utility
Since the firehose programmer is copyright LG, I cannot link to it as that would be unauthorized distribution of copyrighted work. It can be found online fairly easily though.
Preparation
1. Windows and MacOS: Download and install Python 3. Most Linux distros come with Python 3 already installed. To check, open a terminal/command window and type python --version. It should say "Python 3.x.x"
2. Download and extract KDZTools to a directory of your choosing
3. Download and extract the EDL utility to a directory of your choosing and follow the setup instructions listed on its GitHub page
4. Download v20-root.zip and extract aboot.img into the directory you extracted the EDL utility into
5. Place your KDZ in the KDZTools directory and open a terminal/command window within that directory
6. Type python unkdz.py -f [NAME OF KDZ FILE].kdz -x and press enter. Once complete, you should have a "kdzextracted" folder containing a DZ file and a few other things. If you get an error about missing zstandard, type pip install zstandard and try again
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
8. Create seven folders within "dzextracted", named "lun0", "lun1", "lun2", etc
9. Move all the files prefixed with "B." into the folder titled "lun1", all the files prefixed with "C." into the folder titled "lun2", and so on. Move all the files that are not prefixed with any capital letter into the folder titled "lun0"
10. Rename all the files in each folder and remove the letter and the period from the filename. "E.modem_35910.bin" becomes "modem_35910.bin" for example
11. In the "lun0" folder, delete "userdata.bin"
12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r
13. You should now have seven files titled "rawprogram#.xml" where # is a number from 0 to 6
14. Exit the KDZTools directory and go into the directory containing the EDL utility
15. Place the firehose programmer file into the folder named "Loaders"
16. Follow this iFixit guide up to Step 10 to gain access to your phone's motherboard.
Programming
1. Open a terminal/command window in the folder you extracted the EDL utility to. On Windows, you may need to open the command window as administrator. On MacOS and Linux, you will likely have to run the utility with sudo.
2. Type python edl.py printgpt --memory=ufs and press enter. You should see
Code:
Qualcomm Sahara / Firehose Client V3.2 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
If you get a message about missing Capstone and Keystone libraries, ignore it.
3. Put your phone's battery back in
4. Look for the following two pads on your phone's motherboard
If you can't see them, it's the pair of tiny pads just above the silver square with the H etched into it in the center of the image (Photo courtesy of runningnak3d)
5. Hold your paper clip or other conductive item on those two pads to short them out, then, while holding the paper clip in place, plug your phone into your computer. Keep holding the paper clip in place until you get an error about missing the firehose programmer from the EDL utility
6. Unplug your phone and remove the battery
7. In the message from the EDL utility, you should see a hardware ID and pkhash
8. Rename "prog_ufs_firehose_8996_lite.elf" to [Hardware ID]_[PKHASH]_FHPRG.bin where [Hardware ID] is the hwid provided by the EDL utility, and [PKHASH] is the first 16 characters in the pkhash provided by the EDL utility
9. Follow steps 2-5 again, but this time holding the paper clip in place until you see Programmer uploaded successfully :). If all went well, you should see a list of partition names and a load of hexadecimal offsets and such. This means you've set everything up correctly
10. In the terminal/command window, type python edl.py r fsg fsg.bin --memory=ufs --lun=1 and hit enter. If you get "main - Waiting for the device", unplug your phone, remove the battery, and follow steps 3-5 again until you see Programmer uploaded successfully :)
11. Type python edl.py r modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter.
12. Type python edl.py r modemst2 modemst2.bin --memory=ufs --lun=5 and hit enter. These three steps back up your EFS, which contains your phone's IMEI. We want a backup of this in case it gets corrupted by the flashing process. Your IMEI CANNOT be restored if EFS becomes corrupt and your phone will never be able to be activated on a cellular network again if we do not back up these three partitions first
13. In the terminal/command window, type python edl.py qfil "[PATH TO rawprogram0.xml]" "" "[PATH TO dzextracted/lun0]" --memory=ufs and press enter. Note that all the quotation marks are required.
14. Do step 13 again for each of the seven folders you created, replacing "0" in "rawprogram0.xml" and "lun0" with 1, 2, 3, 4, 5, and 6 as needed. This step will take some time
15. Once you have flashed all 7 "lun#" folders, type python edl.py w aboot aboot.img --memory=ufs --lun=4
16. Once complete, unplug your phone, remove the battery, reattach the backplate, and attempt to turn on the phone. It might boot to Android, but it might not. In my case, it did not boot to Android, but I could access fastboot and laf/download mode again, and I used those to finish fixing my phone.
Potential Problems
If you followed the guide and were able to restore your device to functioning order, but find that you have no signal and your phone reports it has no IMEI, type python edl.py w fsg fsg.bin --memory=ufs --lun=1 and hit enter, then type python edl.py w modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter, then type python edl.py w modemst2 modemst2.bin --memory=ufs --lun=5. These three commands will restore your EFS backup.
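Preparation steps 8-11 and the EFS backup from Programming steps 10-12, as an added helper script that is not part of the guide or of KDZTools or the EDL utility: it plans the lun folder layout before moving anything and refuses to continue if an EFS dump is missing or blank. Function names are hypothetical, the sample file names other than "E.modem_35910.bin" and "userdata.bin" are constructed, the script leaves userdata.bin in place instead of deleting it, and the blank-dump test is a heuristic assumption.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

LUN_COUNT = 7                              # the guide creates lun0 .. lun6
PREFIX_RE = re.compile(r"^([A-Z])\.(.+)$")
KEEP_OUT_OF_LUN0 = {"userdata.bin"}        # step 11: must not be in lun0


def plan_lun_layout(names):
    """Map each extracted file name to (lun_index, new_name) without touching disk."""
    plan, problems = {}, []
    for name in sorted(names):
        m = PREFIX_RE.match(name)
        if m is None:                      # no capital-letter prefix -> lun0
            if name not in KEEP_OUT_OF_LUN0:
                plan[name] = (0, name)
            continue
        lun = ord(m.group(1)) - ord("A")   # B -> 1, C -> 2, ... G -> 6
        if 1 <= lun < LUN_COUNT:
            plan[name] = (lun, m.group(2)) # strip the letter and the period
        else:
            problems.append(f"{name}: prefix has no lun folder in the guide")
    return plan, problems


def apply_lun_layout(dz_dir):
    """Create lun0..lun6 inside dz_dir and move the files according to the plan."""
    dz_dir = Path(dz_dir)
    names = [p.name for p in dz_dir.iterdir() if p.is_file()]
    plan, problems = plan_lun_layout(names)
    for name, (lun, new_name) in plan.items():
        if (dz_dir / f"lun{lun}" / new_name).exists():
            problems.append(f"{name}: lun{lun}/{new_name} already exists")
    if problems:                           # stop before moving anything
        raise ValueError("refusing to move files: " + "; ".join(problems))
    for lun in range(LUN_COUNT):
        (dz_dir / f"lun{lun}").mkdir(exist_ok=True)
    for name, (lun, new_name) in plan.items():
        shutil.move(str(dz_dir / name), str(dz_dir / f"lun{lun}" / new_name))
    return plan


def check_efs_backups(backup_dir, names=("fsg.bin", "modemst1.bin", "modemst2.bin")):
    """Return {name: sha256} for the three EFS dumps; raise if one is unusable."""
    digests = {}
    for name in names:
        path = Path(backup_dir) / name
        if not path.is_file():
            raise FileNotFoundError(f"{name}: backup missing")
        data = path.read_bytes()
        if not data or len(set(data)) == 1:   # empty, or one byte value repeated
            raise ValueError(f"{name}: empty or blank-filled dump")
        digests[name] = hashlib.sha256(data).hexdigest()
    return digests


def demo():
    """Run the layout step on a constructed directory and list the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for n in ("gpt_0.bin", "userdata.bin", "B.xbl_6.bin",
                  "E.modem_35910.bin", "G.devinfo_6.bin"):
            (root / n).write_bytes(b"\0")
        apply_lun_layout(root)
        return sorted(p.relative_to(root).as_posix()
                      for p in root.rglob("*") if p.is_file())


if __name__ == "__main__":
    print("\n".join(demo()))
```

Keep the digests returned by check_efs_backups with the dumps, so a later restore can be checked against the files that were originally read from the phone.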
getting this error while using unkdz.py command.
[!] Error: Data between headers and payload! (offsets 826 to 83768).
tried different kdz for h918 but the error was consistent.
Kiraisuki said:
This guide is for people whose V20s are stuck in EDL mode or are otherwise unable to boot recovery, fastboot, or laf/download mode. You know if your device is in EDL mode if it does not react when you try to turn it on, and when plugged into a computer, it shows up as Qualcomm HS-USB QDLoader 9008, or some similar variation. If your phone can boot into recovery, fastboot, or laf/download mode, this guide is not for you.
Preface
I only have a VS995, so this guide has only been tested with that. However the firehose programmer I found said it was for a H918 so it will likely work for other variants. I performed these steps on Linux, but the tools used are written in Python and should work on Windows and MacOS too.
I take no responsibility if you mess up your phone doing this. Flashing over EDL is a very powerful process that can totally erase your phone's NAND if you're not careful. This process will likely require a factory reset and you will likely lose all the data stored on the phone.
Prerequisites
Python 3 - Both tools used in this guide are written in Python 3
KDZTools - Used to extract partition images from KDZ files
Bjoern Kerler's EDL Utility - For flashing partition images in EDL mode
v20-root.zip from this XDA post - For the rooted aboot.img
A stock firmware KDZ - Can be obtained from lg-firmwares.com. I used VS99513A. Choose an appropriate KDZ for your device.
A screwdriver and a paper clip - Used to force the device into EDL mode
prog_ufs_firehose_8996_lite.elf - Firehose programmer file for use with the EDL utility
Since the firehose programmer is copyright LG, I cannot link to it as that would be unauthorized distribution of copyrighted work. It can be found online fairly easily though.
Preparation
1. Windows and MacOS: Download and install Python 3. Most Linux distros come with Python 3 already installed. To check, open a terminal/command window and type python --version. It should say "Python 3.x.x"
2. Download and extract KDZTools to a directory of your choosing
3. Download and extract the EDL utility to a directory of your choosing and follow the setup instructions listed on its GitHub page
4. Download v20-root.zip and extract aboot.img into the directory you extracted the EDL utility into
5. Place your KDZ in the KDZTools directory and open a terminal/command window within that directory
6. Type python unkdz.py -f [NAME OF KDZ FILE].kdz -x and press enter. Once complete, you should have a "kdzextracted" folder containing a DZ file and a few other things. If you get an error about missing zstandard, type pip install zstandard and try again
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
8. Create seven folders within "dzextracted", named "lun0", "lun1", "lun2", etc
9. Move all the files prefixed with "B." into the folder titled "lun1", all the files prefixed with "C." into the folder titled "lun2", and so on. Move all the files that are not prefixed with any capital letter into the folder titled "lun0"
10. Rename all the files in each folder and remove the letter and the period from the filename. "E.modem_35910.bin" becomes "modem_35910.bin" for example
11. In the "lun0" folder, delete "userdata.bin"
12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r
13. You should now have seven files titled "rawprogram#.xml" where # is a number from 0 to 6
14. Exit the KDZTools directory and go into the directory containing the EDL utility
15. Place the firehose programmer file into the folder named "Loaders"
16. Follow this iFixit guide up to Step 10 to gain access to your phone's motherboard.
Programming
1. Open a terminal/command window in the folder you extracted the EDL utility to. On Windows, you may need to open the command window as administrator. On MacOS and Linux, you will likely have to run the utility with sudo.
2. Type python edl.py printgpt --memory=ufs and press enter. You should see
Code:
Qualcomm Sahara / Firehose Client V3.2 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
If you get a message about missing Capstone and Keystone libraries, ignore it.
3. Put your phone's battery back in
4. Look for the following two pads on your phone's motherboard
View attachment 5243977
If you can't see them, it's the pair of tiny pads just above the silver square with the H etched into it in the center of the image (Photo courtesy of runningnak3d)
5. Hold your paper clip or other conductive item on those two pads to short them out, then, while holding the paper clip in place, plug your phone into your computer. Keep holding the paper clip in place until you get an error about missing the firehose programmer from the EDL utility
6. Unplug your phone and remove the battery
7. In the message from the EDL utility, you should see a hardware ID and pkhash
8. Rename "prog_ufs_firehose_8996_lite.elf" to [Hardware ID]_[PKHASH]_FHPRG.bin where [Hardware ID] is the hwid provided by the EDL utility, and [PKHASH] is the first 16 characters in the pkhash provided by the EDL utility
9. Follow steps 2-5 again, but this time holding the paper clip in place until you see Programmer uploaded successfully :). If all went well, you should see a list of partition names and a load of hexadecimal offsets and such. This means you've set everything up correctly
10. In the terminal/command window, type python edl.py r fsg fsg.bin --memory=ufs --lun=1 and hit enter. If you get "main - Waiting for the device", unplug your phone, remove the battery, and follow steps 3-5 again until you see Programmer uploaded successfully :)
11. Type python edl.py r modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter.
12. Type python edl.py r modemst2 modemst2.bin --memory=ufs --lun=5 and hit enter. These three steps back up your EFS, which contains your phone's IMEI. We want a backup of this in case it gets corrupted by the flashing process. Your IMEI CANNOT be restored if EFS becomes corrupt and your phone will never be able to be activated on a cellular network again if we do not back up these three partitions first
13. In the terminal/command window, type python edl.py qfil "[PATH TO rawprogram0.xml]" "" "[PATH TO dzextracted/lun0]" --memory=ufs and press enter. Note that all the quotation marks are required.
14. Do step 13 again for each of the seven folders you created, replacing "0" in "rawprogram0.xml" and "lun0" with 1, 2, 3, 4, 5, and 6 as needed. This step will take some time
15. Once you have flashed all 7 "lun#" folders, type python edl.py w aboot aboot.img --memory=ufs --lun=4
16. Once complete, unplug your phone, remove the battery, reattach the backplate, and attempt to turn on the phone. It might boot to Android, but it might not. In my case, it did not boot to Android, but I could access fastboot and laf/download mode again, and I used those to finish fixing my phone.
Potential Problems
If you followed the guide and were able to restore your device to functioning order, but find that you have no signal and your phone reports it has no IMEI, type python edl.py w fsg fsg.bin --memory=ufs --lun=1 and hit enter, then type python edl.py w modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter, then type python edl.py w modemst2 modemst2.bin --memory=ufs --lun=5. These three commands will restore your EFS backup.
Can you please make a video for this guide?
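Preparation steps 8-11 and Programming steps 13-14 of the quoted guide, scripted as an added example (not part of the guide, KDZTools or the EDL utility): it sorts the extracted files into lun0-lun6 and builds the seven qfil command lines only once the three EFS backups from steps 10-12 exist and are non-empty. The B-G letter range is an assumption read from the guide's "and so on"; the directories holding the rawprogram#.xml files and the backups are parameters because the guide does not fix them, and nothing here talks to a device.

```python
import re
import shutil
import tempfile
from pathlib import Path

LUN_COUNT = 7                                   # lun0 .. lun6 (Preparation step 8)
PREFIX_RE = re.compile(r"^([B-G])\.(.+)$")      # "B." -> lun1 ... "G." -> lun6 (assumed range)
EFS_BACKUPS = ("fsg.bin", "modemst1.bin", "modemst2.bin")  # Programming steps 10-12


def sort_into_luns(dz_dir: Path) -> dict:
    """Preparation steps 8-11: returns {lun number: sorted file names in lunN}."""
    files = [p for p in dz_dir.iterdir() if p.is_file()]
    luns = {n: dz_dir / f"lun{n}" for n in range(LUN_COUNT)}
    for folder in luns.values():
        folder.mkdir(exist_ok=True)
    for src in files:
        match = PREFIX_RE.match(src.name)
        if match:
            lun = ord(match.group(1)) - ord("A")
            name = match.group(2)               # step 10: drop the letter and the period
        elif re.match(r"^[A-Z]\.", src.name):
            continue                            # prefix the guide does not cover: leave it
        else:
            lun, name = 0, src.name             # no capital-letter prefix -> lun0
        dest = luns[lun] / name
        if dest.exists():
            raise FileExistsError(f"{dest} already exists, not overwriting")
        shutil.move(str(src), str(dest))
    (luns[0] / "userdata.bin").unlink(missing_ok=True)   # step 11
    return {n: sorted(p.name for p in folder.iterdir()) for n, folder in luns.items()}


def missing_efs_backups(backup_dir: Path) -> list:
    """Names of the EFS backup files that are absent or empty in backup_dir."""
    return [name for name in EFS_BACKUPS
            if not (backup_dir / name).is_file()
            or (backup_dir / name).stat().st_size == 0]


def qfil_commands(dz_dir: Path, xml_dir: Path, backup_dir: Path) -> list:
    """Argument lists for steps 13-14; refuses while an EFS backup is missing."""
    missing = missing_efs_backups(backup_dir)
    if missing:
        raise RuntimeError(f"EFS backup missing or empty: {missing}")
    return [["python", "edl.py", "qfil",
             str(xml_dir / f"rawprogram{n}.xml"), "",
             str(dz_dir / f"lun{n}"), "--memory=ufs"]
            for n in range(LUN_COUNT)]


def demo() -> dict:
    """Run everything on a constructed tree; only E.modem_35910.bin is the guide's own name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dz = root / "dzextracted"
        dz.mkdir()
        for name in ("sample_plain.bin", "userdata.bin", "B.sample_b.bin",
                     "E.modem_35910.bin", "G.sample_g.bin"):
            (dz / name).write_bytes(b"\x00")
        layout = sort_into_luns(dz)
        try:
            qfil_commands(dz, root, root)
            refused = False
        except RuntimeError:
            refused = True                      # no EFS backups written yet
        for name in EFS_BACKUPS:
            (root / name).write_bytes(b"constructed stand-in for a real backup")
        commands = qfil_commands(dz, root, root)
        last = commands[-1]
        return {"layout": layout,
                "refused_without_backups": refused,
                "command_count": len(commands),
                "last_command": last[:3] + [Path(last[3]).name, last[4],
                                            Path(last[5]).name, last[6]]}


if __name__ == "__main__":
    print(demo())
```

The command lists are returned, not executed, so they can be reviewed before anything is written to the phone.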
I've been working with your guide to revive my LG V20 and have stopped at step 7.
Kiraisuki said:
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
When I extract files from .DZ, my "dzextracted" folder is filled with “.image” and “.params” files.
There is no single .BIN file and no file has any letter prefix.
I have tried with multiple .DZ files from different V20 ROMs.
I have even downloaded “VS99513A” ROM you mentioned.
I have tried in Windows (7) and Linux (Mint 20.1).
Every time I get this mess of files.
The KDZTools version is from the direct link on GitHub you provided.
Are there any additional steps that are missing from the guide?
Has anyone tried to revive a V20 stuck in EDL mode and has any tips to share?
Question: How is this different from using the QFIL software from qualcomm which is easier to do than this guide?
Is this EDL mode? Unlocked the bootloader and now uppercut, LGUP, NOTHING "sees" the phone USB connection (tho adb and fastboot do, but something's seriously ___ in there, I can't do much with either adb or fastboot)
Either adb or fastboot complain of "locked" this or that - but unlocked bootloader, from LG... (US996 turns out it has BPT - brightpoint - in the barcode, if that matters)
For the H918, @Kiraisuki, the ELF file does not work for me; I got this error:
Code:
sahara - Trying loader: Loaders\009470e10031026c_2cf7619a278d26073f7eea79bb7f4b7949c221487fea058ea072cffe38ce1496_fhprg.bin
sahara - Uploading loader Loaders\009470e10031026c_2cf7619a278d26073f7eea79bb7f4b7949c221487fea058ea072cffe38ce1496_fhprg.bin ...
sahara
sahara - [LIB]: Timeout while uploading loader. Wrong loader ?
No suitable loader found :(
no, edl mode must
virginwidow said:
Is this EDL mode? Unlocked the bootloader and now uppercut, LGUP, NOTHING "sees" the phone USB connection (tho adb and fastboot do, but something's seriously ___ in there, I can't do much with either adb or fastboot)
Either adb or fastboot complain of "locked" this or that - but unlocked bootloader, from LG... (US996 turns out it has BPT - brightpoint - in the barcode, if that matters)
No, EDL mode is a black screen: no bootloader, no recovery, no charge animation, nothing, just 9008 mode.
Try to install the original KDZ with LGUP.
walidham said:
no, edl mode must
No, EDL mode is a black screen: no bootloader, no recovery, no charge animation, nothing, just 9008 mode.
Try to install the original KDZ with LGUP.
TY for response -
It appears I'm in a 'purgatory' between brick and "dead"... due to being a noob again (nothing like breaking things to learn).
LGUP, Uppercut - both of these go "No Device Connected" - the closest I can provide for a logcat is 'getvar all' from fastboot.
Code:
fastboot getvar all
(bootloader) version:0.5
(bootloader) variant:MTP eMMC
(bootloader) secure:yes
(bootloader) version-baseband:
(bootloader) version-bootloader:
(bootloader) display-panel:
(bootloader) off-mode-charge:0
(bootloader) charger-screen-enabled:0
(bootloader) max-download-size: 0x20000000
(bootloader) partition-type:cache:ext4
(bootloader) partition-size:cache: 0x4d000000
(bootloader) partition-type:userdata:ext4
(bootloader) partition-size:userdata: 0xced000000
(bootloader) partition-type:system:ext4
(bootloader) partition-size:system: 0x180000000
(bootloader) serialno:LGUS996fzzzzzzzz
(bootloader) kernel:lk
(bootloader) product:MSM8996
(bootloader) unlocked:yes
all:
finished. total time: 0.194s
(Serial edited) There's not enough info left for the usual end-user tools to "see"
Any thoughts?
Thanks in Advance
VW
........main - Device detected
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID: 0x009470e100310000 (MSM_ID:0x009470e1,OEM_ID:0x0031,MODEL_ID:0x0000)
CPU detected: "MSM8996"
PK_HASH: 0x2cf7619a278d26073f7eea79bb7f4b7949c221487fea058ea072cffe38ce1496
Serial: 0xe895007b
sahara - Detected loader: Loaders\009470e100310000_2cf7619a278d2607_[FHPRG].bin
sahara - Uploading loader Loaders\009470e100310000_2cf7619a278d2607_[FHPRG].bin ...
Successfully uploaded programmer
firehose - Nop succeeded.
firehose - Chip serial num: 3902079099 (0xe895007b)
oneplus
oneplus - [LIB]: No module named 'Library.Modules.oneplus_param'
firehose -
firehose_client - Target detected: MSM8996
firehose
firehose - [LIB]: <?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="fh.attrs.MaxPayloadSizeToTargetInBytes of 1048576 > fh.channel_buffer_capacity of 4096"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Calling usb_al_bulk_set_zlp_mode(TRUE) since ZlpAwareHost='1'"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Calling hotplug_poll_device('UFS')"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Storage device of type 'UFS' cannot be opened"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="storage_device_open() returned FALSE"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR 13: Line 1142: HANDLE_CONFIGURE_FAILURE"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="NAK" />
</data>
Getting this error: oneplus param and firehose lib
facing this problem
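Programming steps 7-8 of the guide applied to the identity lines in the output above, as an added example (not code from the EDL utility or from any poster): it derives the [Hardware ID]_[PKHASH]_FHPRG.bin name and checks a candidate file name against it. The function names are hypothetical, and the check that HWID equals MSM_ID, OEM_ID and MODEL_ID concatenated is taken from how the posted HWID line reads.

```python
import re

# Identity lines copied from the EDL utility output posted above.
SAHARA_OUTPUT = """\
HWID: 0x009470e100310000 (MSM_ID:0x009470e1,OEM_ID:0x0031,MODEL_ID:0x0000)
CPU detected: "MSM8996"
PK_HASH: 0x2cf7619a278d26073f7eea79bb7f4b7949c221487fea058ea072cffe38ce1496
Serial: 0xe895007b
"""

HWID_RE = re.compile(
    r"^\s*HWID:\s*0x([0-9a-fA-F]{16})\s*"
    r"\(MSM_ID:0x([0-9a-fA-F]{8}),OEM_ID:0x([0-9a-fA-F]{4}),MODEL_ID:0x([0-9a-fA-F]{4})\)",
    re.M)
PKHASH_RE = re.compile(r"^\s*PK_HASH:\s*0x([0-9a-fA-F]{16,})\s*$", re.M)
NAME_RE = re.compile(r"^([0-9a-f]+)_([0-9a-f]+)_fhprg\.bin$", re.I)


def parse_identity(output):
    """Return (hwid, pk_hash) as lowercase hex strings without the 0x prefix."""
    hw = HWID_RE.search(output)
    pk = PKHASH_RE.search(output)
    if not hw or not pk:
        raise ValueError("HWID or PK_HASH line not found in the output")
    hwid, msm, oem, model = (g.lower() for g in hw.groups())
    # Guards against a truncated or hand-edited line: in the posted output the
    # HWID is exactly MSM_ID + OEM_ID + MODEL_ID.
    if hwid != msm + oem + model:
        raise ValueError("HWID does not match its MSM_ID/OEM_ID/MODEL_ID breakdown")
    return hwid, pk.group(1).lower()


def loader_name(output):
    """File name per step 8: hwid, then the first 16 characters of the pkhash."""
    hwid, pkhash = parse_identity(output)
    return f"{hwid}_{pkhash[:16]}_FHPRG.bin"


def name_problems(filename, output):
    """List the ways filename departs from the step 8 naming rule (empty if none)."""
    hwid, pkhash = parse_identity(output)
    match = NAME_RE.match(filename)
    if not match:
        return ["name is not of the form [Hardware ID]_[PKHASH]_FHPRG.bin"]
    problems = []
    if match.group(1).lower() != hwid:
        problems.append("hardware ID differs from the HWID the device reported")
    if match.group(2).lower() != pkhash[:16]:
        problems.append("hash part is not the first 16 characters of PK_HASH")
    return problems


if __name__ == "__main__":
    print(loader_name(SAHARA_OUTPUT))
```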
[Question]
At the step 12 of preparation
"12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r"
There were no rawprogram.xml and cmd window showed
C:\kdztools>undz.py -f kdzextracted/H99010b_00.dz -r
usage: undz.py [-h] -f DZFILE (-l | -x | -c | -s | -i) [-d OUTDIR]
undz.py: error: one of the arguments -l/--list -x/--extract -c/--chunk -s/--sing
le -i/--image is required
How to generate the xml files? Thanks.
Illusings said:
[Question]
At the step 12 of preparation
"12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r"
There were no rawprogram.xml and cmd window showed
C:\kdztools>undz.py -f kdzextracted/H99010b_00.dz -r
usage: undz.py [-h] -f DZFILE (-l | -x | -c | -s | -i) [-d OUTDIR]
undz.py: error: one of the arguments -l/--list -x/--extract -c/--chunk -s/--sing
le -i/--image is required
How to generate the xml files? Thanks.
getting this same error. has anyone fixed it?
dmad767 said:
getting this same error. has anyone fixed it?
Illusings said:
[Question]
At the step 12 of preparation
"12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r"
There were no rawprogram.xml and cmd window showed
C:\kdztools>undz.py -f kdzextracted/H99010b_00.dz -r
usage: undz.py [-h] -f DZFILE (-l | -x | -c | -s | -i) [-d OUTDIR]
undz.py: error: one of the arguments -l/--list -x/--extract -c/--chunk -s/--sing
le -i/--image is required
How to generate the xml files? Thanks.
i found a fix
dmad767 said:
i found a fix
how did you fix it
ezzony said:
Question: How is this different from using the QFIL software from qualcomm which is easier to do than this guide?
the goal is the same, I think it's easier with qfil partition manager. because the results of extracting the .dz file are in the form of a single image without the lun description as described above.
ROMSG said:
how did you fix it
I suggest using qfil manager (raw data manager), manually input the image file to be flashed.
Kiraisuki said:
This guide is for people whose V20s are stuck in EDL mode or are otherwise unable to boot recovery, fastboot, or laf/download mode. You know if your device is in EDL mode if it does not react when you try to turn it on, and when plugged into a computer, it shows up as Qualcomm HS-USB QDLoader 9008, or some similar variation. If your phone can boot into recovery, fastboot, or laf/download mode, this guide is not for you.
If you have successfully managed to generate rawprogram.xml, why don't you just share it with us and save us the trouble?
Faisal_Mystic said:
If you have successfully managed to generate rawprogram.xml, why don't you just share it with us and save us the trouble?
Is your phone having problems? if the partition can still be read by QFIL, you can still manually flash the partitions one by one. But if the partition is blank, I have a raw firmware backup from kdz H990DS. It can be used to save the phone to boot and enter download mode. then just fix it with LGup partition DL, select All partition
lambtur said:
Is your phone having problems? if the partition can still be read by QFIL, you can still manually flash the partitions one by one. But if the partition is blank, I have a raw firmware backup from kdz H990DS. It can be used to save the phone to boot and enter download mode. then just fix it with LGup partition DL, select All partition
if you have such backup firmware it would be so nice of you if you upload on G_Drive and provide me the links
I will be very grateful

[RECOVERY] TWRP 3.5.2 | Unihertz Jelly 2

How to install:
Unlock bootloader:
Boot your device into the official OS.
Go to Settings > About phone, tap the "build number" several times to enable developer settings.
Go to Settings > System > Developer Settings, enable OEM unlocking and ADB debugging.
Connect your phone to your PC and open a terminal or a command line window.
Run adb reboot bootloader on your PC (there is no way to enter bootloader directly, only possible through adb).
Once your device has finished booting, run fastboot flashing unlock and confirm the unlock on the device (THIS WILL WIPE ALL DATA!).
Run fastboot reboot to reboot your device and now you should see an unlocked warning during boot screen.
Disable AVB:
Download vbmeta.img from the latest release page of your device.
Connect your phone to your PC and open a terminal or a command line window.
Run adb reboot bootloader on your PC to put your device in bootloader mode.
Once your device has finished booting run fastboot flash --disable-verification --disable-verity vbmeta vbmeta.img
Then run fastboot flash --disable-verification --disable-verity vbmeta_system vbmeta.img
Also run fastboot flash --disable-verification --disable-verity vbmeta_vendor vbmeta.img
Flash recovery image:
Connect your phone to your PC and open a terminal or a command line window.
Run adb reboot bootloader on your PC to put your device in bootloader mode.
Once your device has finished booting, run fastboot erase recovery. For some reason, the image may not actually be flashed even if fastboot reported success (at least over the stock recovery image), so to make sure that the custom image is always flashed, it is better to always erase the partition before flashing. After erasing, run fastboot flash recovery recovery.img
Run fastboot reboot and after the screen goes dark press volume up until you see the TWRP logo. Also you can type fastboot reboot recovery to boot to recovery mode immediately.
Please note that booting in stock ROM will bring stock recovery back.
This recovery image is built using binaries from non-european (TEE) version of Jelly 2. Theoretically it should work on european (EEA). If it won't - contact me, I'll prepare an image based on EEA binaries.
Source code https://github.com/Meetoul/twrp_device_Unihertz_Jelly2
Thanks!
This is fantastic!
It works on EEA!
Meetoul said:
Source code https://github.com/Meetoul/twrp_device_Unihertz_Jelly2
I just received my Jelly 2. It was on 2020 and I went straight through your files. Your TWRP does not respond on my European Jelly 2. Meaning, the touch screen does not respond. But I connected a USB trackball and switched in between adb sideloads. So I finally got it working.
For some reason during reboot TWRP warns me that there is no OS installed. But LoS 18.1 (yours) booted fine. Also flashed opengapps 2707 nano.
After a reboot (phone is still restoring apps) there is a "serial console is enabled" message "performance is impacted, check bootloader". Any instructions on how to get rid of that?
I cannot seem to mount system as R/W with GSI image from https://github.com/phhusson/treble_experimentations/releases from within TWRP. I guess that's a more general problem, though
Any ideas?
kkazakov13 said:
I cannot seem to mount system as R/W with GSI image from https://github.com/phhusson/treble_experimentations/releases from within TWRP. I guess that's a more general problem, though
Any ideas?
Have you tried the latest release as suggested by Meetoul?
[ROM] [UNOFFICIAL] Lineage OS 17.1 | Unihertz Jelly 2
https://drive.google.com/drive/u/0/folders/1VSmj_-a1PYNzFWtUfbsDGWg4uIh-Tgkd This ROM is built using binaries from non-european (TEE) version of Jelly 2. Theoretically it should work on european (EEA). If it won't - contact me, I'll prepare ROW...
forum.xda-developers.com
Release Fix gt1151qm touch in recovery · Meetoul/twrp_device_Unihertz_Jelly2_TEE
Recovery image based on new kernel image with patches for both gt1x and gt1151qm touch panel drivers.
github.com
Great Job!
I have Jelly2_JP.
I tried your recovery.img for Jelly2_TEE.
It can boot my Jelly2_JP, and it can enable adb shell, but it looped the splash screen.
But if I execute the following command in adb shell, TWRP starts the GUI ("Keep System Read only?" screen):
Jelly2_TEE:/ # mount -o ro /dev/block/mapper/system /
Touchscreen works fine.
Next, I tried to build twrp for Jelly2_JP using your device tree.
But it has same problem. (It looped the splash screen until I mount system partition.)
Do you have any advice?
Attachments
recovery_tee.log is pulled file from /tmp/recovery.log in your twrp for Jelly2_TEE. Line 1119 is after I mount system partition by adb shell.
recovery_jp.log is pulled file from /tmp/recovery.log in my twrp for Jelly2_JP. Line 1356 is after I mount system partition by adb shell.
My build instructions
$ cd ~/twrp
$ repo init -u https://github.com/minimal-manifest-twrp/platform_manifest_twrp_omni.git -b twrp-10.0
$ vi .repo/local_manifests/roomservice.xml
$ repo sync --force-sync
$ cd device/Unihertz
$ cp -r Jelly2_TEE Jelly2_JP
$ cd Jelly2_JP
$ mv omni_Jelly2_TEE.mk omni_Jelly2_JP.mk
$ grep -l Jelly2_TEE * | xargs sed -i 's/Jelly2_TEE/Jelly2_JP/g'
$ grep -l g55v71c2k_dfl_tee * | xargs sed -i 's/g55v71c2k_dfl_tee/g55v71c2k_dfl_jp_felica/g'
$ ./extract-files.sh ~/stock_jp/extracted
$ unpack_bootimg --boot_img ~/stock_jp/recovery.img --out ~/stock_jp/recovery
$ cp ~/stock_jp/recovery/kernel prebuilt/Image.gz
$ cp ~/stock_jp/recovery/dtb prebuilt/dtb/mt6771.dtb
$ cp ~/stock_jp/recovery/recovery_dtbo prebuilt/dtbo.img
$ cd ~/twrp
$ source build/envsetup.sh
$ lunch omni_Jelly2_JP-eng
$ mka recoveryimage
$ ls out/target/product/Jelly2_JP/recovery/root/vendor
bin etc
$ cp -r vendor/Unihertz/Jelly2_JP/proprietary/reovery/root/vendor out/target/product/Jelly2_JP/recovery/root
$ mka recoveryimage
file upload again.
Sorry, I can't upload Attach files.
I clicked "Attach files" button and choose file.
I clicked the "Save" button, but the file link was not inserted.
I uploaded recovery.log to github.
How to get vbmeta.img
Three knife said:
How to get vbmeta.img
Direct Link
See Also
Jelly 2 firmware made available by Unihertz
A post to let people interested in small Android phones know that the firmware of the Jelly 2 has been made available by Unihertz. Would be great if a LineageOS version of this could be made...
forum.xda-developers.com
Or
[HOWTO] Flash a blank vbmeta
Hey guys, As some of you know samsung made had a bunch of different changes since the release of Android 10. It took me a week to figure it out but it was really simple. I had to do two things: Repatch the the magisk boot image with Preserve AVB...
forum.xda-developers.com
I found the crash point in Jelly2_JP.
The crash point is CHECK() on line 772 of twrp/hardware/interfaces/keymaster/4.0/support/Keymaster.cpp.
C++:
CHECK(error == ErrorCode::OK)
<< "Failed to get HMAC parameters from " << *keymaster << " error " << error;
CHECK() is defined on line 495 of twrp/system/core/base/include/android-base/logging.h
C++:
#define CHECK(x) \
LIKELY((x)) || ABORT_AFTER_LOG_FATAL_EXPR(false) || \
::android::base::LogMessage(__FILE__, __LINE__, ::android::base::DEFAULT, \
::android::base::FATAL, _LOG_TAG_INTERNAL, -1) \
.stream() \
<< "Check failed: " #x << " "
I thought /system/bin/recovery was crashing due to a bug.
But it is not a bug.
/system/bin/recovery is programmed to abort if CHECK() fails.
Next, I compared the results of CHECK().
1. using your recovery.img for Jelly2_TEE.
Code:
$ adb shell
Jelly2_TEE:/ # uname -a
Linux localhost 4.14.141+ #15 SMP PREEMPT Wed May 19 11:04:10 CST 2021 aarch64
Jelly2_TEE:/ # mount -o ro /dev/block/mapper/vendor /vendor
Jelly2_TEE:/ # md5sum /vendor/lib64/libkeymaster4.so
17f162aedb3a9584e51d7f732ebbac7f /vendor/lib64/libkeymaster4.so
Jelly2_TEE:/ # umount /vendor
Jelly2_TEE:/ # md5sum /vendor/lib64/libkeymaster4.so
22ede18944c5f47daf04d699a72717b2 /vendor/lib64/libkeymaster4.so
Jelly2_TEE:/ # logcat -v brief -d -s /system/bin/recovery
E//system/bin/recovery( 324): Failed to get IAshmemDeviceService.
W//system/bin/recovery( 324): [libfs_mgr]Warning: unknown flag: resize
W//system/bin/recovery( 324): [libfs_mgr]Warning: unknown flag: resize
I//system/bin/recovery( 324): [libfs_mgr]Created logical partition product on device /dev/block/dm-0
I//system/bin/recovery( 324): [libfs_mgr]Created logical partition system on device /dev/block/dm-1
I//system/bin/recovery( 324): [libfs_mgr]Created logical partition vendor on device /dev/block/dm-2
W//system/bin/recovery( 324): DM_DEV_STATUS failed for system_image: No such device or address
W//system/bin/recovery( 324): DM_DEV_STATUS failed for vendor_image: No such device or address
W//system/bin/recovery( 324): DM_DEV_STATUS failed for product_image: No such device or address
I//system/bin/recovery( 324): fscrypt_initialize_systemwide_keys
I//system/bin/recovery( 324): List of Keymaster HALs found:
I//system/bin/recovery( 324): Keymaster HAL #1: HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default
F//system/bin/recovery( 324): Keymaster.cpp:150] Check failed: error == ErrorCode::OK Failed to get HMAC parameters from HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default error SECURE_HW_COMMUNICATION_FAILED
2. using my recovery.img for Jelly2_JP.
This is built with Jelly2_JP's kernel and /vendor/*.
Code:
$ adb shell
Jelly2_JP:/ # uname -a
Linux localhost 4.14.141+ #5 SMP PREEMPT Wed May 19 12:15:37 CST 2021 aarch64
Jelly2_JP:/ # mount -o ro /dev/block/mapper/vendor /vendor
Jelly2_JP:/ # md5sum /vendor/lib64/libkeymaster4.so
17f162aedb3a9584e51d7f732ebbac7f /vendor/lib64/libkeymaster4.so
Jelly2_JP:/ # umount /vendor
Jelly2_JP:/ # md5sum /vendor/lib64/libkeymaster4.so
17f162aedb3a9584e51d7f732ebbac7f /vendor/lib64/libkeymaster4.so
Jelly2_JP:/ # logcat -v brief -d -s /system/bin/recovery
E//system/bin/recovery( 327): Failed to get IAshmemDeviceService.
W//system/bin/recovery( 327): [libfs_mgr]Warning: unknown flag: resize
W//system/bin/recovery( 327): [libfs_mgr]Warning: unknown flag: resize
I//system/bin/recovery( 327): [libfs_mgr]Created logical partition product on device /dev/block/dm-0
I//system/bin/recovery( 327): [libfs_mgr]Created logical partition system on device /dev/block/dm-1
I//system/bin/recovery( 327): [libfs_mgr]Created logical partition vendor on device /dev/block/dm-2
W//system/bin/recovery( 327): DM_DEV_STATUS failed for system_image: No such device or address
W//system/bin/recovery( 327): DM_DEV_STATUS failed for vendor_image: No such device or address
W//system/bin/recovery( 327): DM_DEV_STATUS failed for product_image: No such device or address
I//system/bin/recovery( 327): fscrypt_initialize_systemwide_keys
I//system/bin/recovery( 327): List of Keymaster HALs found:
I//system/bin/recovery( 327): Keymaster HAL #1: HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default
F//system/bin/recovery( 327): Keymaster.cpp:150] Check failed: error == ErrorCode::OK Failed to get HMAC parameters from HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default error SECURE_HW_COMMUNICATION_FAILED
They are same Error code SECURE_HW_COMMUNICATION_FAILED.
Unfortunately, my recovery.img wasn't improved from your recovery.img when used with Jelly2_JP.
I'm sorry for the continuous posting.
I solved the decryption by modifying omni_Jelly2_JP.mk as follows.
Code:
PRODUCT_NAME := omni_Jelly2_JP
PRODUCT_DEVICE := Jelly2_JP
PRODUCT_MODEL := Jelly2_JP
PRODUCT_BOARD := g55v71c2k_dfl_jp_felica
BUILD_FINGERPRINT := "Unihertz/Jelly2_JP/Jelly2_JP:10/QP1A.190711.020/root.20210422.092852:user/release-keys"
PRODUCT_BUILD_PROP_OVERRIDES += \
TARGET_DEVICE=Jelly2_JP \
PRODUCT_NAME=Jelly2_JP \
PRIVATE_BUILD_DESC="Jelly2-user 10 QP1A.190711.020 root.20210422.092852 release-keys"
My mistake was that I only replaced "Jelly2_TEE" with "Jelly2_JP".
I had to replace "Jelly2" with "Jelly2_JP".
Anyway, now I can display the decryption screen.
Next, I tried HOW-TO-PATCH.md.
However, the touch screen does not respond on the patched kernel.
Code:
$ head -n 1 symbl_tee.txt
ffffff81dd680800 T do_undefinstr
$ grep get_boot_mode symbl_tee.txt
ffffff81ddda5b30 T get_boot_mode
$ zcat twrp/device/Unihertz/Jelly2_TEE/prebuilt/Image.gz > Image
$ aarch64-linux-android-objdump -D -b binary -m aarch64 --adjust-vma=0xffffff81dd680000 --start-address=0xffffff81ddda5b30 Image| head
ffffff81ddda5b30: d0009cc8 adrp x8, 0xffffff81df13f000
ffffff81ddda5b34: b947ad09 ldr w9, [x8,#1964]
ffffff81ddda5b38: 7100093f cmp w9, #0x2
I think you are using a different technique to enable the touch screen, because "cmp w9, #0x2" is not patched to "cmp w9, #0x0".
Please teach me your technique once you are no longer busy with work.
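The check in the post above (is the `cmp` in `get_boot_mode` still `#0x2`?) can be scripted. This is an added example, not code from the post or from HOW-TO-PATCH.md: it maps the symbol address to an offset in the decompressed Image and decodes the AArch64 compare-immediate. The function names are assumptions, and the image bytes are constructed from the three instruction words in the objdump output.

```python
import struct

KERNEL_BASE = 0xffffff81dd680000    # --adjust-vma value used in the post
GET_BOOT_MODE = 0xffffff81ddda5b30  # get_boot_mode address from symbl_tee.txt

def file_offset(addr, base=KERNEL_BASE):
    """Offset of a kernel virtual address inside the flat, decompressed Image."""
    if addr < base:
        raise ValueError("address lies below the image base")
    return addr - base

def decode_cmp_imm(word):
    """Decode 'cmp Rn, #imm' (SUBS immediate with Rd = zero register), else None."""
    if (word >> 23) & 0x3f != 0b100010:   # add/sub (immediate) class, bits 28..23
        return None
    if (word >> 29) & 0b11 != 0b11:       # op=1 (subtract), S=1 (set flags)
        return None
    if word & 0x1f != 31:                 # cmp is the alias where Rd is WZR/XZR
        return None
    imm = (word >> 10) & 0xfff
    if (word >> 22) & 1:                  # sh=1 means the immediate is shifted by 12
        imm <<= 12
    reg = ("x" if word >> 31 else "w") + str((word >> 5) & 0x1f)
    return reg, imm

def find_cmp(image, addr, base=KERNEL_BASE, window=8):
    """Return (address, register, immediate) of the first cmp-immediate in a function."""
    start = file_offset(addr, base)
    for i in range(window):
        chunk = image[start + 4 * i:start + 4 * i + 4]
        if len(chunk) < 4:
            break
        hit = decode_cmp_imm(struct.unpack("<I", chunk)[0])
        if hit:
            return (addr + 4 * i,) + hit
    return None

def constructed_image(cmp_word):
    """Constructed stand-in for Image: zeros plus the three words shown in the post."""
    off = file_offset(GET_BOOT_MODE)
    img = bytearray(off + 12)
    struct.pack_into("<3I", img, off, 0xd0009cc8, 0xb947ad09, cmp_word)
    return bytes(img)

if __name__ == "__main__":
    for label, word in (("stock", 0x7100093f), ("cmp #0", 0x7100013f)):
        addr, reg, imm = find_cmp(constructed_image(word), GET_BOOT_MODE)
        print(f"{label}: {addr:#x} cmp {reg}, #{imm:#x}")
```

To run it against a real kernel, read the file produced by `zcat ... > Image` and pass its bytes to `find_cmp` in place of `constructed_image(...)`.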
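Thank you. I am using the Chinese version without Google Play, and I succeeded by following your steps. However, after installing recovery.img, the internal storage may not be writable; you need to delete the data partition in recovery, and then it works.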
Thanks for this!
I flashed this TWRP, then installed AOSP 11, v313 of this GSI: https://github.com/phhusson/treble_experimentations/releases/tag/v313
Things seem good, except:
the battery seems to drain a little quickly
no IR blaster (ZaZa remote does not recognize it)
TWRP cannot decrypt the phone's contents, so I cannot flash gapps.
Is TWRP not able to decrypt because I'm using Android 11 and the TWRP was built for 10?
@karoooo
Sorry for not responding to you; for some reason email notifications from XDA were stopped. Please tell me if you still need a patched kernel. I will try to patch it and explain the technique to you.
zxczxc4 said:
Thanks for this!
I flashed this TWRP, then installed AOSP 11, v313 of this GSI: https://github.com/phhusson/treble_experimentations/releases/tag/v313
Things seem good, except:
the battery seems to drain a little quickly
no IR blaster (ZaZa remote does not recognize it)
TWRP cannot decrypt the phone's contents, so I cannot flash gapps.
Is TWRP not able to decrypt because I'm using Android 11 and the TWRP was built for 10?
Actually, data decryption on MTK SoCs is a very painful thing. I'm still waiting for a stable release of Android 11 from Unihertz, but they are in no hurry...
I know that beta 11 is available. Unfortunately, I was not able to update using the official way. The bootloader was locked at the moment of updating, but probably the reason is that it was unlocked before (it is possible to relock the bootloader using SP Flash Tool). But I managed to fetch the zip update package and install it via TWRP. After that I even managed to make a package for SP Flash Tool based on this package, so I can flash pure FW without updating and have a locked bootloader!
UPD. I see that Unihertz has published an Android 11 SW package for SP Flash Tool on their Google Drive! Soon I will try to make a recovery based on this package.
@Meetoul
Thank you for your response.
Yes, yes, yes!
I want to know your technique.
Best Regards.
Hi.
Summary: FRONT CAMERA not working after Bootloader Unlock
I am using Jelly2_JP (on latest Android 10) and I was wondering,
has anyone experienced the front camera not working after bootloader unlock, and possibly the three "--disable-verification --disable-verity" commands?
The stock camera app won't recognize the front camera (no front/back switch button where there should be one), and other apps can't use the front camera either.
I can confirm that the front camera worked before unlocking the bootloader.
Reflashing the stock image using SP Flash Tool and relocking the bootloader did not fix the issue.
Is anyone else experiencing the same issue?
karoooo said:
@Meetoul
Thank you for your response.
Yes, yes, yes!
I want to know your technique.
Best Regards.
Since Unihertz has released Android 11, I think that there is no sense in working on patching the old kernel.
Btw, now I'm working on TWRP based on Android 11 binaries from the latest FW, but no luck so far; it seems that the kernel doesn't even start to boot...
@Meetoul
I wanted to learn your technique so that I could work on my own when Android 11 was released.
If Android 11 is formidable, prioritize working with Android 11.
Unfortunately, Android 11 for Jelly2_JP has not been released yet.
@kendzhi
I unlocked the bootloader with Jelly2_JP, but the front camera is still working.
@karoooo
Thank you for the reply!
May I ask, was your Jelly2_JP shipped before the latest Android 10 update (2021051912_g55v71c2k_dfl_jp_felica), meaning did your phone come with the previous firmware (2020101915_g55v71c2k_dfl_jp_felica)?
I have two Jelly2_JP from Japan which came preshipped with the latest Android 10 update (there was no need for an OTA update). And in both phones, upon executing "fastboot flashing unlock" (without disabling AVB & without rooting), the front camera stopped working (not recognized by the system).
I even went into the Debug/Diagnostic? mode that was in Chinese (booting by Vol down + connecting to PC via USB), and performed a hardware test for the front camera, and the test froze the phone.
So I'm suspecting that Jelly2_JP that was shipped to Japan with the latest Firmware has some issues with Bootloader Unlocking breaking the Front Cam...

Fire HD 8 2016 Boot Issues

I wanna ask you
I have fire hd8 8gen
I but for it bootrom 8hd 7gen
my devices get error
have hot gpt fix for hd8 8gen
please
789mod said:
I wanna ask you
I have fire hd8 8gen
I but for it bootrom 8hd 7gen
my devices get error
have hot gpt fix for hd8 8gen
please
So.. you used douglas amonet in your karnak .. (lol)? Have a look over https://forum.xda-developers.com/t/unlock-root-twrp-unbrick-fire-hd-8-2018-karnak-amonet-3.3963496/, there should be a GPT fix there, I guess.
Rortiz2 said:
So.. you used douglas amonet in your karnak .. (lol)? Have a look over https://forum.xda-developers.com/t/unlock-root-twrp-unbrick-fire-hd-8-2018-karnak-amonet-3.3963496/, there should be a GPT fix there, I guess.
I was searching for it yesterday
I didn't find it,
I edited main.py in karnak
I deleted gpt parsi ...... els
but when bootrom gets to change boot
it stops
what must I do???
Rortiz2 said:
Ok, yeah, your Preloader was corrupt, try with this zip (which ignores boot0 status). And no, don't run gpt-fix, your issue isn't the partition table.
$ sudo ./bootrom-step.sh
[2021-09-10 10:55:32.608720] Waiting for bootrom
[2021-09-10 10:55:43.159326] Found port = /dev/ttyACM0
[2021-09-10 10:55:43.159787] Handshake
* * * If you have a short attached, remove it now * * *
* * * Press Enter to continue * * *
[2021-09-10 10:55:44.162116] Init crypto engine
[2021-09-10 10:55:44.179312] Disable caches
[2021-09-10 10:55:44.179827] Disable bootrom range checks
[2021-09-10 10:55:44.193967] Load payload from ../brom-payload/build/payload.bin = 0x4888 bytes
[2021-09-10 10:55:44.196248] Send payload
[2021-09-10 10:55:44.852660] Let's rock
[2021-09-10 10:55:44.853586] Wait for the payload to come online...
[2021-09-10 10:55:45.574042] all good
Running in minimal mode, assuming LK, TZ, LK-payload and TWRP to have already been flashed.
If this is correct (i.e. you used "brick" option in step 1) press enter, otherwise terminate with Ctrl+C
[2021-09-10 10:55:46.669831] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'lk': (16384, 1024), 'lk2': (17408, 1024), 'boot_x': (18432, 32768), 'recovery_x': (51200, 34816), 'tee1': (86016, 10240), 'tee2': (96256, 10240), 'metadata': (106496, 80896), 'kb': (187392, 2048), 'dkb': (189440, 2048), 'MISC': (191488, 1024), 'reserved': (192512, 16384), 'system': (208896, 3306496), 'cache': (3515392, 868352), 'userdata': (4383744, 25700352)}
Traceback (most recent call last):
File "main.py", line 210, in <module>
main()
File "main.py", line 127, in main
raise RuntimeError("bad gvvvvvpt")
RuntimeError: bad gpt
________________________
this is my error in karnak (( please help
This is not karnak's thread, so don't spam with your issues, please. Anyway, here's the gpt-fix for karnak. Next messages related to other tablets that aren't giza will be ignored.
sancho_sumy said:
It works!
Thank you for prompt reply and assistance.
Now device flashed with Lineage 15.1 and work good!
but camera not working
