[CLOSED]LG Stylo 6 root development! ANY HELP APPRECIATED. DISCORD LINK AVAILABLE - LG G Stylo Questions & Answers

Moderator Announcement:
Thread closed and content removed on request of OP.
- Oswald Boelcke

I SERIOUSLY would like to know how you get that bug report so I can get any files for the stylo 6 boost mobile
Where did you find the zip or link to the site hosting the zip in the bug report? I can get that far but I really want any help on getting similar files from this specific device model/variant
I am not gonna lie your post is an oasis in a desert and I hope this does find its way into the right hands to push root dev

Me too, I have the LG Stylo 6 from my cable company

I'm currently browsing through the root directory to see if I can pull the boot.img.. there's a method of rooting it with magisk manager.. the bigger issue is how to reinstall the modified boot.img.. I think we will need the bootloader unlocked

I just checked on firmware download and the kdz for lgup is available to download.. in theory because I don't have a pc to verify.. a possible root method might be as simple as, extracting the kdz file, modifying the boot.img with magisk manager, rebuild the kdz file with a kdz tool.. then flashing the modified kdz with lgup.. then install magisk manager after 1st boot and hope we have root.. feel free to test or share any other ideas..

It seems like very few working on this project.. I've come across a dual mode lgup made by one of our developers capable of crossflash.. probably the best version of lgup to flash firmware with modified boot.img.. I'm also buying a laptop for experiments on this device.. I now have 2 versions of the stylo 6 to play with.. hopefully I don't go overboard and turn them to paperweight .. the only thing I need is the method or tool to rezip kdz to try achieving root myself.. if anyone find such a tool, please share ..

The boot image wouldn't work. In theory, you would use kdzTools and it will turn the KDZ into a DZ file and then you extract the DZ file. You would have to use Qfil or fastboot to flash a modified boot image, and have an unlocked bootloader. LGUP is an amazing tool to crossflash different firmware from different Stylo variants, but with AVB 2.0, this doesn't work on many of the LG devices that came out of the box with Android 10, and repacking the KDZ with a modified boot image would fail because of the boot image being signed incorrectly. Your best bet is to see if there is an exploit like what was found on the V50, and to hope that someone gets Firehose working for the Stylo.
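Why AVB 2.0 rejects a repacked boot image, as an added example (not part of the thread and not LG or kdztools code): it parses the public AVB footer, vbmeta header and hash descriptor layouts and recomputes the salted digest that verified boot compares against. The sample image is constructed, unsigned (algorithm NONE) and skips avbtool's block alignment; it is an assumption that the boot image carries its own footer, and on a device the vbmeta blob holding this digest is additionally signed with a key the bootloader trusts.

```python
import hashlib
import struct

# Big-endian layouts from the public libavb headers.
FOOTER = struct.Struct(">4sLLQQQ28x")               # AvbFooter, last 64 bytes of the partition
VBMETA_HDR = struct.Struct(">4sLLQQL10QQLL48s80x")  # AvbVBMetaImageHeader, 256 bytes
HASH_DESC = struct.Struct(">QQQ32sLLLL60x")         # AvbHashDescriptor fixed part, 132 bytes
TAG_HASH = 2


def build_sample_image(payload: bytes, salt: bytes, name: bytes = b"boot") -> bytes:
    """Constructed sample: payload + unsigned vbmeta + footer (no block alignment)."""
    digest = hashlib.sha256(salt + payload).digest()
    body = name + salt + digest
    body += b"\0" * (-(HASH_DESC.size + len(body)) % 8)   # descriptors are 8-byte padded
    desc = HASH_DESC.pack(TAG_HASH, HASH_DESC.size - 16 + len(body), len(payload),
                          b"sha256", len(name), len(salt), len(digest), 0) + body
    header = VBMETA_HDR.pack(b"AVB0", 1, 0,
                             0, len(desc),              # auth block size, aux block size
                             0,                         # algorithm_type NONE (sample only)
                             0, 0, 0, 0, 0, 0, 0, 0,    # hash/signature/key offsets and sizes
                             0, len(desc),              # descriptors offset and size
                             0, 0, 0, b"constructed sample")
    vbmeta = header + desc
    footer = FOOTER.pack(b"AVBf", 1, 0, len(payload), len(payload), len(vbmeta))
    return payload + vbmeta + footer


def check_avb_hash(image: bytes):
    """Return (partition_name, digest_matches) for the first hash descriptor."""
    magic, _, _, _orig_size, vb_off, vb_size = FOOTER.unpack(image[-FOOTER.size:])
    if magic != b"AVBf":
        raise ValueError("no AVB footer found")
    vbmeta = image[vb_off:vb_off + vb_size]
    hdr = VBMETA_HDR.unpack(vbmeta[:VBMETA_HDR.size])
    if hdr[0] != b"AVB0":
        raise ValueError("bad vbmeta magic")
    auth_size, desc_off, desc_size = hdr[3], hdr[14], hdr[15]
    pos = VBMETA_HDR.size + auth_size + desc_off          # descriptors live in the aux block
    end = pos + desc_size
    while pos + 16 <= end:
        tag, following = struct.unpack(">QQ", vbmeta[pos:pos + 16])
        if tag == TAG_HASH:
            (_, _, image_size, algo, name_len, salt_len,
             digest_len, _flags) = HASH_DESC.unpack(vbmeta[pos:pos + HASH_DESC.size])
            p = pos + HASH_DESC.size
            name = vbmeta[p:p + name_len]
            salt = vbmeta[p + name_len:p + name_len + salt_len]
            p += name_len + salt_len
            stored = vbmeta[p:p + digest_len]
            algo_name = algo.rstrip(b"\0").decode()
            actual = hashlib.new(algo_name, salt + image[:image_size]).digest()
            return name.decode(), actual == stored
        pos += 16 + following
    raise ValueError("no hash descriptor in vbmeta")


def demo():
    stock = build_sample_image(b"KERNEL+RAMDISK" * 64, salt=bytes(range(8)))
    patched = bytearray(stock)
    patched[100] ^= 0xFF          # stand-in for any edit to the boot payload
    return check_avb_hash(stock), check_avb_hash(bytes(patched))


if __name__ == "__main__":
    print(demo())
```

The stored digest can only be updated by rewriting vbmeta, and a rewritten vbmeta no longer carries a signature the locked bootloader accepts, which is why the repacked image is refused.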

Yeedatoy said:
The boot image wouldn't work. In theory, you would use kdzTools and it will turn the KDZ into a DZ file and then you extract the DZ file. You would have to use Qfil or fastboot to flash a modified boot image, and have an unlocked bootloader. LGUP is an amazing tool to crossflash different firmware from different Stylo variants, but with AVB 2.0, this doesn't work on many of the LG devices that came out of the box with Android 10, and repacking the KDZ with a modified boot image would fail because of the boot image being signed incorrectly. Your best bet is to see if there is an exploit like what was found on the V50, and to hope that someone gets Firehose working for the Stylo.
I just found all the information necessary to root our Stylo.. I'm not experienced enough to do the final step but I'm willing to pay our more experienced developers to do it.. we can simply use an all in one tool I'll share the link to, that will let us extract the kdz, modify the system.img and reconstruct the kdz.. in the extracted system.img we can hopefully find the boot.img and modify it for root using magisk manager.. dual mode lgup should flash the modified kdz.. I plan to try.. then on 1st boot we can manually install magisk manager and enjoy root.. the downside is with a locked bootloader all we get is root.. no custom recovery or custom rom until we unlock the bootloader.. but it's a start.. again.. bounty for dev that can use this handy tool.. Happy New Year
GitHub - ehem/kdztools: Tools for working with KDZ files (LG's Android device upgrade format)

lowkeyst4tus said:
I just found all the information necessary to root our Stylo.. I'm not experienced enough to do the final step but I'm willing to pay our more experienced developers to do it.. we can simply use an all in one tool I'll share the link to, that will let us extract the kdz, modify the system.img and reconstruct the kdz.. in the extracted system.img we can hopefully find the boot.img and modify it for root using magisk manager.. dual mode lgup should flash the modified kdz.. I plan to try.. then on 1st boot we can manually install magisk manager and enjoy root.. the downside is with a locked bootloader all we get is root.. no custom recovery or custom rom until we unlock the bootloader.. but it's a start.. again.. bounty for dev that can use this handy tool.. Happy New Year
GitHub - ehem/kdztools: Tools for working with KDZ files (LG's Android device upgrade format)
Give it a shot, it's not as confusing as it may look at first glance. Just put everything in the same folder on your computer. Open the tool and select your KDZ file. Extract it, and it turns it from a KDZ file into DZ file. Select extract DZ in KDZ tools next, and it will fully extract the file. You'll see a bunch of bin files. You can simply rename bin, to img for boot, and then copy it to your phone and patch it with magisk. Then copy the patched boot image back to your PC and change the img extension back to bin and rezip the KDZ.

Do you have fastboot access on the Stylo 6?

Not sure yet but I don't think I'll need it.. I don't want to start by diving deep and overlook a simpler solution than accessing fastboot.. I just need a developer that can modify a kdz.. if I can simply achieve root via the new magisk method, it's a start.. I'm picking up another stylo 6 today, then a real computer cause my chromebook useless.. I'll update if I get a modified kdz and what happens when I try to flash

lowkeyst4tus said:
Not sure yet but I don't think I'll need it.. I don't want to start by diving deep and overlook a simpler solution than accessing fastboot.. I just need a developer that can modify a kdz.. if I can simply achieve root via the new magisk method, it's a start.. I'm picking up another stylo 6 today, then a real computer cause my chromebook useless.. I'll update if I get a modified kdz and what happens when I try to flash
I myself have just finally found this thread and am super more than willing to put in some work!
so i've gotta:
- `adb reboot recovery`
- boot into fastboot from recovery
- unlock the bootloader with `fastboot oem_unlock`
- let the phone factory reset with an unlocked bootloader
_____________________
and:
- download the .kdz firmware file for the unlocked version on pc
- locate and extract the boot.bin with kdzTools and convert it to boot.img
- send extracted file to my personal phone
- patch boot.img in magisk manager app on my phone
- send it back to pc with `adb pull /sdcard/boot.img C:/users/myname/`
_____________________
then:
- load patched boot.img into the stylo 6 through `fastboot flash boot boot.img`
- `fastboot reboot` and let it reboot hopefully with root AND with carrier unlock
- download magisk manager to verify
I guess I'll give this a shot and get back to you guys.

haise.zero said:
I myself have just finally found this thread and am super more than willing to put in some work!
so i've gotta:
- `adb reboot recovery`
- boot into fastboot from recovery
- unlock the bootloader with `fastboot oem_unlock`
- let the phone factory reset with an unlocked bootloader
_____________________
and:
- download the .kdz firmware file for the unlocked version on pc
- locate and extract the boot.bin with kdzTools and convert it to boot.img
- send extracted file to my personal phone
- patch boot.img in magisk manager app on my phone
- send it back to pc with `adb pull /sdcard/boot.img C:/users/myname/`
_____________________
then:
- load patched boot.img into the stylo 6 through `fastboot flash boot boot.img`
- `fastboot reboot` and let it reboot hopefully with root AND with carrier unlock
- download magisk manager to verify
I guess I'll give this a shot and get back to you guys.
If you do manage to get into fastboot, there's 2 commands to try.. the new command is " fastboot flashing unlock".. you can also try getting unlock.bin even though there's no mention of availability.. it might be required for fastboot unlock.. the unlocked firmware is what I was going to experiment with also.. if you do manage to successfully extract the boot.img from the kdz, skip fastboot flashing.. just install magisk manager on your phone and follow the instructions on other threads to modify the boot.img.. then rezip the kdz with the modified boot.img.. flash with dual mode lgup for better chance of success.. it should install and boot normal.. on the surface you should not notice any change like errors with boot.. after 1st boot, install magisk manager and it should say root is working .. good luck and I look forward to your results

lowkeyst4tus said:
If you do manage to get into fastboot, there's 2 commands to try.. the new command is " fastboot flashing unlock".. you can also try getting unlock.bin even though there's no mention of availability.. it might be required for fastboot unlock.. the unlocked firmware is what I was going to experiment with also.. if you do manage to successfully extract the boot.img from the kdz, skip fastboot flashing.. just install magisk manager on your phone and follow the instructions on other threads to modify the boot.img.. then rezip the kdz with the modified boot.img.. flash with dual mode lgup for better chance of success.. it should install and boot normal.. on the surface you should not notice any change like errors with boot.. after 1st boot, install magisk manager and it should say root is working .. good luck and I look forward to your results
Sounds good, thanks for the advice! It's super helpful.
I'll be taking a crack at it here soon, or maybe tomorrow since it's 1:30am and I'm having a drink (depends on my mood ). I'll probably go with fastboot flashing unlock_critical just to be on the safe side of things and have everything unlocked from the get go for development purposes. I did run into an issue when I ran that command already -
C:\Users\myname>fastboot flashing unlock_critical
...
FAILED (remote: Unrecognized command flashing unlock_critical)
finished. total time: 0.006s
I can get into fastbootd on the device, and need to read up on it a bit since nearly every fastboot command I send in is unrecognized (see above) or gets a response like FAILED (remote: Unable to open fastboot HAL)
I'll enable test signing mode on my windows machine and get the right drivers installed, and get fastbootd working and then try again. I'll likely run into a roadblock though, since Boost doesn't exactly want us unlocking the bootloader - nor does LG, apparently...
For now, here's a few resources that might help catch you up on things and possibly give me some more room to wiggle around:
- Android documentation on fastbootd and fastboot being moved to userspace (contains information about the HAL)
- A mildly helpful and more easy-on-the-eyes article that can help explain the above documentation
I'll try and get past this issue. There's gotta be something, somewhere... I first just need to communicate with the phone correctly and get it to do what I need it to do in fastboot mode.
I also have downloaded two different .kdz files and have indeed extracted both of them into .dz files. I didn't get past that last night, so I'll have to get in there soon or maybe tomorrow and see if I can't find the system.img and/or the boot.img contained within. If I can, I'll be sure to get it patched and try to pass it to the phone.
For anyone trying to use the kdztools, it's outdated and you'll get some error about the headers when you try to extract the Stylo 6's .kdz files. Below are links to a couple of repositories that will be helpful:
- An updated fork of the original kdztools from somebody else that I've forked for laziness (fixes the headers issue)
- A fork of KDZZ, an up-to-date-enough tool for zipping .kdz files into TWRP-able zip files (again, personally forked for laziness)
There's only one problem... Boost Mobile.
I bought this phone from a third party and it is still registered to someone else on the Boost network. Since it's gone through a factory reset and my google account has been added to it, the phone isn't activated on their network and they seem to have disabled my ability to use wifi as they constantly send me screens and notifications trying to get me to activate the device, which I don't have the money to do. So, no internet access; I'll have to adb push and pull files and apks in order to get things working. I could factory reset and not ping their networks or put the other person's SIM in, but for the sake of longevity, I'd love if anybody had a solution to carrier unlocking this thing - or even an idea of what to do for that? Could I flash stock firmware? Is there any process to read the code I need from logcat? Any ideas at all? New ideas, hypothetical ideas, or even old ideas I could shine up and make new? Even just a thought? This is a pain.
I will keep everyone posted! I'd ask you all do the same - about this, and about carrier unlocking just as a possible favor.
PS: Bounty, huh? I could really use the reward. I might just have to take you up on that if we can get this working haha, exciting!

haise.zero said:
Sounds good, thanks for the advice! It's super helpful.
I'll be taking a crack at it here soon, or maybe tomorrow since it's 1:30am and I'm having a drink (depends on my mood ). I'll probably go with fastboot flashing unlock_critical just to be on the safe side of things and have everything unlocked from the get go for development purposes. I did run into an issue when I ran that command already -
C:\Users\myname>fastboot flashing unlock_critical
...
FAILED (remote: Unrecognized command flashing unlock_critical)
finished. total time: 0.006s
I can get into fastbootd on the device, and need to read up on it a bit since nearly every fastboot command I send in is unrecognized (see above) or gets a response like FAILED (remote: Unable to open fastboot HAL)
I'll enable test signing mode on my windows machine and get the right drivers installed, and get fastbootd working and then try again. I'll likely run into a roadblock though, since Boost doesn't exactly want us unlocking the bootloader - nor does LG, apparently...
For now, here's a few resources that might help catch you up on things and possibly give me some more room to wiggle around:
- Android documentation on fastbootd and fastboot being moved to userspace (contains information about the HAL)
- A mildly helpful and more easy-on-the-eyes article that can help explain the above documentation
I'll try and get past this issue. There's gotta be something, somewhere... I first just need to communicate with the phone correctly and get it to do what I need it to do in fastboot mode.
I also have downloaded two different .kdz files and have indeed extracted both of them into .dz files. I didn't get past that last night, so I'll have to get in there soon or maybe tomorrow and see if I can't find the system.img and/or the boot.img contained within. If I can, I'll be sure to get it patched and try to pass it to the phone.
For anyone trying to use the kdztools, it's outdated and you'll get some error about the headers when you try to extract the Stylo 6's .kdz files. Below are links to a couple of repositories that will be helpful:
- An updated fork of the original kdztools from somebody else that I've forked for laziness (fixes the headers issue)
- A fork of KDZZ, an up-to-date-enough tool for zipping .kdz files into TWRP-able zip files (again, personally forked for laziness)
There's only one problem... Boost Mobile.
I bought this phone from a third party and it is still registered to someone else on the Boost network. Since it's gone through a factory reset and my google account has been added to it, the phone isn't activated on their network and they seem to have disabled my ability to use wifi as they constantly send me screens and notifications trying to get me to activate the device, which I don't have the money to do. So, no internet access; I'll have to adb push and pull files and apks in order to get things working. I could factory reset and not ping their networks or put the other person's SIM in, but for the sake of longevity, I'd love if anybody had a solution to carrier unlocking this thing - or even an idea of what to do for that? Could I flash stock firmware? Is there any process to read the code I need from logcat? Any ideas at all? New ideas, hypothetical ideas, or even old ideas I could shine up and make new? Even just a thought? This is a pain.
I will keep everyone posted! I'd ask you all do the same - about this, and about carrier unlocking just as a possible favor.
PS: Bounty, huh? I could really use the reward. I might just have to take you up on that if we can get this working haha, exciting!
I have the boost mobile version and I got the cricket wireless version yesterday just for gradient blue.. according to Gsmarena, all versions of the Stylo 6 are identical.. I'm going to try flashing the unlock firmware on the boost mobile version.. it should unlock the sim and no longer ask for activation .. then I'm going to sell it before I drop it .. I'll use my blue one for development

lowkeyst4tus said:
I have the boost mobile version and I got the cricket wireless version yesterday just for gradient blue.. according to Gsmarena, all versions of the Stylo 6 are identical.. I'm going to try flashing the unlock firmware on the boost mobile version.. it should unlock the sim and no longer ask for activation .. then I'm going to sell it before I drop it .. I'll use my blue one for development
Could you link me to the unlocked firmware? Is it the Q730M10l? Or another one?
I would love to flash the unlock firmware and factory reset this thing to get some internet and functionality back. It would greatly help with my development
Thank you!

haise.zero said:
Could you link me to the unlocked firmware? Is it the Q730M10l? Or another one?
I would love to flash the unlock firmware and factory reset this thing to get some internet and functionality back. It would greatly help with my development
Thank you!
The unlocked model according to Best Buy is LMQ730QM.. I can't find a download source yet but I'm still looking

Weird, my Stylo 6 says its software version is Q730TM... Q730TM10P to be specific. There shouldn't be any issues if they're all identical though, right? I can safely flash a Q730QM image on a Q730TM device?
And I'm looking as well - I'll edit this post if/when I find a source
Edit:
Found this, and this, but I'm unsure if Q730QM10c or Q730QM10d is the genuinely unlocked version, (the C variant is USA and the D variant is USL) and I'm also unsure what carrier, if any, NAO stands for (Q730QM10c_00_NAO_US_OP_0908.kdz for example)
I suppose I'll download the kdz and flash it to try it out. I can always revert back to stock if something goes wrong. I'll let you know how that goes
Hmm... I'm having some trouble. kdzdownloader downloads 0kb. I tried switching my useragent but it didn't work out, either. You having any better luck? Able to attach the file?
Woohoo! I got it.
Use this to install the XDM download manager, and then paste this link into a new job (just hit the + button). It just worked for me.
We officially have the .kdz for Q730QM10C! Time to flash it as soon as it's done downloading.

haise.zero said:
Weird, my Stylo 6 says its software version is Q730TM... Q730TM10P to be specific. There shouldn't be any issues if they're all identical though, right? I can safely flash a Q730QM image on a Q730TM device?
And I'm looking as well - I'll edit this post if/when I find a source
Edit:
Found this, and this, but I'm unsure if Q730QM10c or Q730QM10d is the genuinely unlocked version, (the C variant is USA and the D variant is USL) and I'm also unsure what carrier, if any, NAO stands for (Q730QM10c_00_NAO_US_OP_0908.kdz for example)
I suppose I'll download the kdz and flash it to try it out. I can always revert back to stock if something goes wrong. I'll let you know how that goes
Hmm... I'm having some trouble. kdzdownloader downloads 0kb. I tried switching my useragent but it didn't work out, either. You having any better luck? Able to attach the file?
Woohoo! I got it.
Use this to install the XDM download manager, and then paste this link into a new job (just hit the + button). It just worked for me.
We officially have the .kdz for Q730QM10C! Time to flash it as soon as it's done downloading.
Great job bro.. use dual mode lgup from XDA as it's designed for crossflashing and supposed to have more features than regular lgup.. let me know if you sim unlock with Q730QM firmware.. Q730TM is the Boost Mobile model.. I have that and the Q730AM in gradient blue from cricket wireless.. I want to crossflash both to Q730QM

Alrighty, well I've been halted. Before I could get to flash, I installed the LG drivers because LGUP wasn't detecting my device (or maybe I was just being dumb).
After that... the phone stopped being recognized. In device manager it says Unknown USB (Device Descriptor Failed)
I've looked online, no solutions have helped. I've installed the Google USB drivers through Android Studio, I've uninstalled the device and reconnected the phone, tried reinstalling the LG drivers, I've factory reset the phone, tried a different USB port, a different cable, and nothing. After I factory reset, it showed up for a bit, but upon a reconnection it crapped itself again and refuses to show up.
Any ideas? I can't continue development if I can't communicate with the phone.
Never mind, possibly? It works after uninstalling the device and replugging again... for the 20th time. But ADB still won't recognize the phone even as unauthorized; it just doesn't show up. Weird... I guess I'll tinker and get back to the post here in a while.
It's back to the error... so damn weird. I'll look into it. If and when I find a solution I'll let you know.
Development has been paused for the time being.

Related

[RESEARCH|MT8127] Bootloader hack ideas for LeapFrog Epic

I dunno, but I thought maybe I could make a separate thread about a possible way to poke into the LeapFrog Epic's preloader so it could accept unsigned images. LeapFrog won't spill the beans for us, as their staff (falsely) claims to know next to nothing about it, so unless we somehow managed to social-engineer them into giving us a signed ROM or an unlocked bootloader, our only chance is to patch it so it would ignore the lack of digital signatures.
What I've done so far is to run a strings check on the preloader and uboot binaries - fastboot seems watered down somehow as it lacked references to "oem unlock" and so on, but none of that Amazon Fire-style failsafe seems present from what I can tell.
Preloader: http://pastebin.com/H9QbzqC0
lk: http://pastebin.com/kSxRKYna
Boot files from the latest firmware revision are attached here, so if anyone is interested, please please please let me know so we can fix bricked units and finally port TWRP to this underrated kids' tablet.
blakegriplingph said:
I dunno, but I thought maybe I could make a separate thread about a possible way to poke into the LeapFrog Epic's preloader so it could accept unsigned images. LeapFrog won't spill the beans for us, as their staff (falsely) claims to know next to nothing about it, so unless we somehow managed to social-engineer them into giving us a signed ROM or an unlocked bootloader, our only chance is to patch it so it would ignore the lack of digital signatures.
Bumping the thread.
Would also like to know if this is possible
If I may ask, how did you extract the strings from preloader and lk? Did you use a hexeditor or there is another app?
Gibz97 said:
Bumping the thread.
Would also like to know if this is possible
If I may ask, how did you extract the strings from preloader and lk? Did you use a hexeditor or there is another app?
I used this utility to do a strings dump off an Epic ROM:
http://split-code.com/strings2.html
It did turn up some interesting stuff but I was wondering if a binwalk or perhaps an IDA disassembly analysis would do wonders so we can finally poke into this tablet.
blakegriplingph said:
I used this utility to do a strings dump off an Epic ROM:
http://split-code.com/strings2.html
It did turn up some interesting stuff but I was wondering if a binwalk or perhaps an IDA disassembly analysis would do wonders so we can finally poke into this tablet.
Thanks for the tool but I cannot seem to find a way to use it.
 @gursewak.10 or @smartmanvartan please chime in to help us because they were able to hack the preloader of k4 note and lk of RCA Viking Pro respectively
I also know a friend who is willing to donate a spare Epic, if that helps.
As for using Strings2, the following batch script should work:
Code:
@echo off
strings2 %1 > test.txt
pause
Just drag a binary to be analysed into the batch file, and a resulting text file with strings and stuff should be generated.
Hello friend
You need to tweak lk to unlock bootloader. I am giving you both of my phone's files (you can easily compare them).
on unlocked bootloader u can flash unsigned images via write memory option of SP flash tool .
Try HxD hex editor
gursewak.10 said:
Hello friend
You need to tweak lk to unlock bootloader. I am giving you both of my phone's files (you can easily compare them).
on unlocked bootloader u can flash unsigned images via write memory option of SP flash tool .
Try HxD hex editor
Hmm, I can flash the preloader to my leapfrog via SPFT, but not anything else. Write memory works, and I can flash stuff one at a time to it, but I couldn't get the tablet to force itself out of flash/download mode and into normal mode. There's no reset button, and not even taking the battery off does the trick.
However, on my working Epic, I can alter the demo system image, flash it back using Write Memory and still end up with a working device, just as long as the preloader isn't messed with in any way. Right now I am at a loss as to how to revive my other Epic, short of taking it apart and shorting KCOLO and GND. It also didn't help that the testpoints aren't labeled at all. :/
Also, I did a quick logcat while running the FOTA utility, and I managed to get a few URLs off the said logs. Problem is that while the ZIPs may be of some use, they're incremental and there doesn't seem to be a full scatter/zip image to restore a faulty unit. There definitely needs to be a way to patch the bootloader so we can do whatever we want to it, but is there any one of you guys who are experts when it comes to MTK modding?
Any more ideas?
Anyone, please?
Bumping in case there's anyone interested in poking into this.
Now this is interesting let us see what we can do.
Warrior1988 said:
Now this is interesting let us see what we can do.
You happen to have an Epic with you? Please let me know if you need more than just the firmware images. I've tried contacting LeapFrog regarding this issue to no avail. They did give my friend and I the kernel sources, but it's no use as the bootloader has to be unlocked for custom boot or recovery images to be used.
Is anyone willing to test if SP Flash Tool 5.1532.00 works on the Epic? I managed to flash a complete system image to a bricked Epic but I was unable to revive it as it has been bricked prior due to a botched preloader flash. The ROM's on my main Epic discussion thread, but one should take note to flash just the boot, recovery and system images and see if the device still works.
im also poking around in this since my volume up button doesnt work in bootloader mode
i have a figo gravity x55l
i can also upload the stock rom files that can be checked if needed
SP6RK said:
im also poking around in this since my volume up button doesnt work in bootloader mode
i have a figo gravity x55l
i can also upload the stock rom files that can be checked if needed
Are you able to muck around with LK or sbchk using IDA Pro or some other tool? Makes me wonder if merely deleting /system/bin/sbchk would disable boot-time checks or if there's more to it than just that.
blakegriplingph said:
Are you able to muck around with LK or sbchk using IDA Pro or some other tool? Makes me wonder if merely deleting /system/bin/sbchk would disable boot-time checks or if there's more to it than just that.
well i tried hex editors but lk.bin isnt decoded for my rom so half of my lk file is not showing me anything exept weird characters but i can see some of the other half.
if you delete the file...will it brick?...will it even boot?
GREAT NEWS I MANAGED TO GET ROOT WITHOUT UNLOCKING THE BOOTLOADER ALL YOU NEED IS TO
1. download your firmware and extract it
2. extract the boot.img from the firmware and put it on your phone REMEMBER WHERE YOU PUT IT SINCE YOU WILL NEED THIS!
3. download magiskmanager install it and open it.
4. click install and choose the boot.img it will install magisk into it
5. put it back in your firmware folder on your pc
6. look for a file that says Checksum_gen and run it
7. once that completes use spflash tool and load your scatterfile and flash JUST THE BOOT.IMG wait for the reboot and you have root!
THANK YOU DEVELOPERS OF MAGISKMANAGER!
SP6RK said:
GREAT NEWS I MANAGED TO GET ROOT WITHOUT UNLOCKING THE BOOTLOADER ALL YOU NEED IS TO
1. download your firmware and extract it
2. extract the boot.img from the firmware and put it on your phone REMEMBER WHERE YOU PUT IT SINCE YOU WILL NEED THIS!
3. download magiskmanager install it and open it.
4. click install and choose the boot.img it will install magisk into it
5. put it back in your firmware folder on your pc
6. look for a file that says Checksum_gen and run it
7. once that completes use spflash tool and load your scatterfile and flash JUST THE BOOT.IMG wait for the reboot and you have root!
THANK YOU DEVELOPERS OF MAGISKMANAGER!
What device are you referring to? Is this for an MT8127 tablet?
blakegriplingph said:
What device are you referring to? Is this for an MT8127 tablet?
I have a Figo Gravity X55L and it is not a tablet.
It is an MT6753, great phone btw!
I'm a starting developer and got this phone so I can learn from my mistakes, of course.
But this should work on any device that you can get a hold of its boot.img from its firmware.

Vortex SYNQ Dev Thread (TWRP Image & Bootloader Unlock!!!)

During our quest to gain root on the ANS UL40, @Matthew702 and I went a bit off topic and started messing with his Vortex Synq he picked up. 'Thew was able to find a method to unlock the bootloader, which I will post here shortly, and we shortly thereafter found out that the device is "vulnerable" to using SPFT--as in the VCOM port stays open and allows us to read/write partition images directly from the emmc.
UPDATE: We now have enough people to really get the ball rolling for some development for this phone, so as we accomplish more things we'll post them here
Anything you try from here, you do so at your own risk. This may void your warranty, break your device, etc.
HOW TO UNLOCK THE BOOTLOADER
Go to Settings>About Phone>Build Number and tap this a lot really fast to enable developer mode
Go to the new developer mode option in the Settings menu, check the switch that says Allow OEM Unlock
Plug your phone into your computer, enable ADB Debugging, open up a terminal on your computer, and initiate an "adb reboot fastboot" to put the device into fastboot mode
In your computer terminal again, type in "fastboot oem unlock". If it fails, run it again. If it fails again, reboot to fastboot one more time and try a couple more times. Eventually it should work after a couple tries, it did for us
Confirm the device unlock on the phone (pressing volume up at the prompt I believe), and wait for the phone to reboot. Note that it's not stuck in a bootloop at this point, it's just factory resetting after the unlock, so give it time to work
HOW WE WANT TO ROOT IT (NOT DONE YET): METHOD 1
Pull a recovery image from the phone with SPFT using a proper mtk6739 scatter file which I can't exactly find
Port TWRP to the phone from another device's mtk6739 TWRP image with carliv image kitchen tool, and flash it back to the phone with SPFT
Flash Magisk in TWRP, reboot, profit
HOW WE WANT TO ROOT IT (NOT DONE YET): METHOD 2
Pull a boot image with SPFT
Use the Magisk APK to inject magisk into the boot image
Flash the boot image back with SPFT (or maybe fastboot), reboot, profit
HOW TO FLASH TWRP TO THE PHONE (STILL EXPERIMENTAL)
Download the TWRP image from here
Reboot to the bootloader
Assuming you unlocked the bootloader from before, just do "fastboot flash recovery [imagename]" to get it on there
If fastboot complains about it not being able to flash, try running the command one more time
CUSTOM ROMS FOR THIS PHONE
This phone came with 8.1 Oreo, so that means it has to be Treble enabled. I'm no expert with Treble stuff but I believe GSIs made for arm a-only partitions SHOULD work on here. We haven't tested this for ourselves yet though
Like mentioned before, feel free to drop by and leave a message if you're willing to help us out on our endeavors. I also want to try and get 'Thew a working recovery on his phone again if possible, since for some reason when we try to flash back the image we pulled (with our "best guess" mt6739 scatter file) it didn't work
I might have one.. I will check as soon as I get to the shop
jasonmerc said:
During our quest to gain root on the ANS UL40, @Matthew702 and I went a bit off topic and started messing with his Vortex Synq he picked up. 'Thew was able to find a method to unlock the bootloader, which I will post here shortly, and we shortly thereafter found out that the device is "vulnerable" to using SPFT--as in the VCOM port stays open and allows us to read/write partition images directly from the emmc.
Unfortunately during our testing, he seems to have messed up his recovery image and is unable to restore a stock one on there. If there's any other owners out there willing to help us out (and maybe willing to risk their device for some test builds of TWRP too) I beseech thee to make yourself known.
I have one .. if you need
desbloqueokings said:
I have one .. if you need
Check your PMs on here, just sent you something
So the other 6739 scatter files we found didn't exactly work for this phone, so we pulled our own with a tool we found on Hovatek. This isn't a "port" from another phone, this directly came from the Synq itself.
Give major thanks to @desbloqueokings for pulling this for us!
The group we had seems a bit inactive now, so I'll post my new creations up here for all you guys here to test and tell us all if it works or not. One is a patched boot image that contains Magisk, all you'd need to do for that is flash the boot image and install a Magisk APK and you should be good to go for root. The other is a dirty port of TWRP Recovery I did from another MT6739 phone. It was hard finding an image to port from, so I want to give a huge thanks to @lopestom who sent me a 6739 image he had that I could port from
PLEASE BE AWARE THAT THESE ARE TEST IMAGES. I DON'T HAVE THIS PHONE MYSELF AND CAN'T TEST IT MYSELF, SO I'M NOT SURE IF THESE WILL WORK OR NOT. PLEASE MAKE A BACKUP OF YOUR CURRENT BOOT & RECOVERY IMAGES WITH SPFT USING THE SCATTER FILE ABOVE BEFORE TRYING ANY OF THIS. WHAT YOU DO TO YOUR OWN PHONE IS YOUR OWN RESPONSIBILITY. WHILE I WILL TRY TO HELP YOU IF SOMETHING BREAKS, I'M NOT RESPONSIBLE FOR WHAT YOU CHOOSE TO DO.
With that being said, here's the Mega folder containing the boot and recovery images. You can either flash these through SPFT like most people do with mediatek phones, or through fastboot, whatever you can get working. I'd also recommend you unlock your bootloader using the method posted above before doing any of this
Let me know if this stuff works or not, if you choose to flash it
Our victory was bittersweet, but a victory nonetheless
We got a working recovery image from @lopestom that seems to work fine on the surface, but when we need to flash the zip that disables dm-verity (disables force encryption) it supposedly breaks the /system partition on the stock ROM. My recommendation would be to take a backup of your /system directory in recovery before trying to flash anything. But since this is a Treble-enabled device, that means GSI ROMs could also work when flashed.
Here's a link to the recovery image we were using. We flashed it in fastboot with an unlocked bootloader but I imagine it would work just fine in SPFT too. I was told by the person that made the image that it's apparently not a good idea to flash the disable-force-encryption zip on a dirty port of a TWRP image like this (and to also never wipe /data). While you should be able to use this TWRP to flash something like Magisk, don't do those other two things for now.
Here's some screenshots from @Matthew702 to show the phone booting to TWRP (we made the mistake of trying to wipe /data and trying to flash the disable-encryption zip, please do not do this):
Thank you!
You guys are amazing.
I had a SYNQ just laying around taking up space. Now it is not totally useless. Anyway, I wanted to say thanks and post some proof of concept.
Sorry for the horrible quality...
So I used the recovery image named “recoverytest3.img” if I'm not mistaken. Once that was complete (and I figured I messed everything up because I had a dead Android guy every other time....), to my surprise TWRP popped up in Russian. At that point I installed Magisk Manager and downloaded the most recent package, then rebooted to recovery and flashed the pack.
NOTES - I did use Command line WIN 10 via the platform tools package you provided for the whole process.... If you don’t know Russian or whatever lang TWRP happens to be in just good. Anyway I'm sure I'm missing some data I should add but I am dog tired and having trouble reading the phone.
Night all and I hope it all goes well for everyone else.
xAlimorAx
xAlimorAx said:
I had a SYNQ just laying around taking up space. Now it is not totally useless. Anyway, I wanted to say thanks and post some proof of concept.
Sorry for the horrible quality...
So I used the recovery image named “recoverytest3.img” if I'm not mistaken. Once that was complete (and I figured I messed everything up because I had a dead Android guy every other time....), to my surprise TWRP popped up in Russian. At that point I installed Magisk Manager and downloaded the most recent package, then rebooted to recovery and flashed the pack.
NOTES - I did use Command line WIN 10 via the platform tools package you provided for the whole process.... If you don’t know Russian or whatever lang TWRP happens to be in just good. Anyway I'm sure I'm missing some data I should add but I am dog tired and having trouble reading the phone.
Night all and I hope it all goes well for everyone else.
xAlimorAx
Yeah it showed up in Russian for our tester too. Not sure why it does that, but otherwise it should still work fine
Need your assistance
Season's greetings to you, my friend. I ended up formatting my Vortex Synq using SP Flash Tool after attempting to root; now I have a black screen and only VCOM for SP Flash Tool works, but I need preloaded files and others to unbrick. It was gonna be a Xmas gift for my aunt, but I messed it up. It won't turn on, just VCOM when connected to PC. I have the files stckboot and recovery, but SP tool needs pre-loader error. Plz help me.
Please back up vortex synq
Hello, I am asking for help: could someone who has this Vortex Synq cell phone make a backup of it? Some of us have had problems with the firmware when modifying it and we do not have a previous backup. If someone can collaborate, it would be infinitely appreciated.
I know this post is old, but if somebody can back up the firmware from this it would be awesome, because I am trying to restore my Vortex Synq (it's hard bricked) but I can't find the preloader for this phone anywhere. When I tried to flash the preloader with SP Flash Tool it gives me this: STATUS_DA_HASH_MISMATCH. The preloader has to match this phone. If anyone has a backup of the firmware feel free to post it here or DM me, but yeah, just wanted to post here.
also need firmware having the same issue ages now
any help much appreciated
safe 2021-2022
use this to unlock bootloader and backup fw https://github.com/bkerler/mtkclient
Making this post to do a dump of the Vortex Synq stuff I had on Mega. XDA allows us to upload large files to here now, and my Mega account is getting pretty full, so I want to transfer everything I have that's Vortex Synq related from there to here. That means any download links pointing to my Mega will be broken, but all of that stuff previously linked by me can be found in this zip.
disclaimer
Feel free to use any of my stuff in any way you see fit. The only thing I ask is that if you do improve on something, share it with everyone else and don't just keep it for yourself. Keep it going for the good of the community/public.
Also, know that it's been a long time since I've messed with this phone, so I don't remember what mods/images/etc in my Mega repo are functional or not. Anything contained within this zip, FLASH AT YOUR OWN RISK.
/disclaimer

[CLOSED] Delete Thread.

Due to the disrespect of certain members I will no longer share the tutorials.
Wait does this mean you finally got my script to work?
lebigmac said:
Wait does this mean you finally got my script to work?
How about a little feedback in my project thread? Is that too much to ask for?
Did the latest fix work for you or not? Hello?
I said you were working on it. LOL. If it worked I'd be writing a Guide for that!
Make sure boot.img matches the phone build number, or the phone may bootloop.
Moto One Ace is one of the easiest phones to root
mingkee said:
Make sure boot.img matches the phone build number, or the phone may bootloop.
Moto One Ace is one of the easiest phones to root
Exactly. Definitely made a note of that in the guide since that is why the frozen touchscreen issue happens.
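A coarse pre-flash check for the boot.img mismatch discussed in the posts above, as an added example that is not code from anyone in this thread: it parses the Android boot image header of the stock boot.img and of a candidate image and reports differences in header version, page size, OS version and security patch level. The sample images are constructed header-only stand-ins, and matching header fields do not prove that two images come from the same build number.

```python
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"


def decode_os_version(raw):
    """Split the packed os_version field into OS version and patch level."""
    a, b, c = (raw >> 25) & 0x7F, (raw >> 18) & 0x7F, (raw >> 11) & 0x7F
    year, month = ((raw >> 4) & 0x7F) + 2000, raw & 0xF
    return f"{a}.{b}.{c}", f"{year:04d}-{month:02d}"


def parse_boot_header(image):
    """Read the fields needed for comparison from a boot image header."""
    if len(image) < 48 or image[:8] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic: not an Android boot image")
    (header_version,) = struct.unpack_from("<I", image, 40)
    if header_version <= 2:
        # v0-v2: kernel_size@8, ramdisk_size@16, page_size@36, os_version@44
        (kernel_size,) = struct.unpack_from("<I", image, 8)
        (ramdisk_size,) = struct.unpack_from("<I", image, 16)
        (page_size,) = struct.unpack_from("<I", image, 36)
        (os_raw,) = struct.unpack_from("<I", image, 44)
    elif header_version in (3, 4):
        # v3/v4: kernel_size@8, ramdisk_size@12, os_version@16, 4096-byte pages
        kernel_size, ramdisk_size, os_raw = struct.unpack_from("<III", image, 8)
        page_size = 4096
    else:
        # Some older vendor images store other data at offset 40.
        raise ValueError(f"unsupported header_version value {header_version}")
    os_version, patch_level = decode_os_version(os_raw)
    return {
        "header_version": header_version,
        "page_size": page_size,
        "kernel_size": kernel_size,
        "ramdisk_size": ramdisk_size,
        "os_version": os_version,
        "patch_level": patch_level,
        "sha256": hashlib.sha256(image).hexdigest(),  # record this for backups
    }


def compare_images(stock, candidate):
    """Return a list of mismatches; an empty list means the coarse checks pass."""
    try:
        s, c = parse_boot_header(stock), parse_boot_header(candidate)
    except ValueError as exc:
        return [str(exc)]
    labels = {
        "header_version": "header version",
        "page_size": "page size",
        "os_version": "OS version",
        "patch_level": "security patch level",
    }
    return [
        f"{label} differs: stock {s[key]}, candidate {c[key]}"
        for key, label in labels.items()
        if s[key] != c[key]
    ]


def make_sample_image(os_abc, patch_ym, kernel_size, ramdisk_size, page_size=4096):
    """Build a constructed v2 header page (no kernel/ramdisk payload) for the demo."""
    (a, b, c), (year, month) = os_abc, patch_ym
    os_raw = (a << 25) | (b << 18) | (c << 11) | ((year - 2000) << 4) | month
    hdr = bytearray(page_size)
    hdr[:8] = BOOT_MAGIC
    struct.pack_into("<I", hdr, 8, kernel_size)
    struct.pack_into("<I", hdr, 16, ramdisk_size)
    struct.pack_into("<I", hdr, 36, page_size)
    struct.pack_into("<I", hdr, 40, 2)  # header_version
    struct.pack_into("<I", hdr, 44, os_raw)
    return bytes(hdr)


# Constructed sample data, not taken from any real firmware package.
STOCK = make_sample_image((10, 0, 0), (2021, 1), 0x900000, 0x100000)
SAME_BUILD = make_sample_image((10, 0, 0), (2021, 1), 0x900000, 0x180000)
OTHER_BUILD = make_sample_image((10, 0, 0), (2020, 11), 0x900000, 0x100000)

if __name__ == "__main__":
    for name, img in (("same build", SAME_BUILD), ("other build", OTHER_BUILD)):
        problems = compare_images(STOCK, img)
        print(name, "->", problems or "header fields match stock")
```

On real files, read each image with `open(path, "rb").read()` and pass the bytes to `compare_images`; keeping the stock image's SHA-256 alongside the backup makes it easy to confirm later that the restore file is intact.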
Articul8Madness said:
This tutorial is for people like me that ran into problems rooting the Moto One 5G Ace XT2113 (MetroPCS Qualcomm Variant) running on stock Android 10. I got this phone literally last week brand new in the box. This is a hand holding guide for the Noobs that really are intimidated by rooting their device.
Follow the following at your own risk! I am not responsible for any mishaps with your devices.
I want to thank @mingkee and @sd_shadow for pointing me in the right direction. And for the rest of the contributors that I took bits and pieces from that helped me figure out rooting this; I did achieve root out the starting gate but initially lost touchscreen functionality. The issue was that you have to use the boot.img of your firmware to patch into Magisk; if you do this with your phone out the box you really don't know which firmware was used and that is where the bungle happens. This will clear up all those potential freakout moments.
Thanks to Android 10 being System As Root with all these new super partitions running amuck, you cannot get Write access in the actual system files. So even when you achieve root, you can't do much. @lebigmac is working on that as we speak. Drop by his thread on R/W access and beta test his script so he can get more knowledge about how our phone works.
Introduction/Preparation
First, go and prepare by READING EVERYTHING. Very important. This is the Qualcomm variant and NOT the Mediatek variant. Flashing does make a difference between the two. Last thing you want to do is brick the device because you flashed the wrong firmware to the wrong processor, or you flashed other software for the other similar Moto One 5G and it bricked.
Second, unlock the bootloader. All T-Mobile and their subsidiary variants can be unlocked by Motorola as well as International and Motorola factory variants; go to their bootloader official unlock site and follow their instructions, it's easy peasy. If you do it in firefox it may not go to the third step page and hang on the page where you put the long code in (follow instructions on page to get the unlock code you'll see what I'm talking about). It is HIGHLY ADVISABLE to do this in Waterfox or Chrome (I used Waterfox). And yes, you may have to request the code 3x to get it to send to your email depending on their server traffic. When you get it, follow Motorola's instructions for unlocking the bootloader in fastboot. It will show you that the bootloader is unlocked.
Verizon and ATT Variants CANNOT BE BOOTLOADER UNLOCKED.
***NOTES SO YOU DON'T FREAK OUT***
1. I did NOT see the motorola post screen telling me it was unlocked. I had to find this in fastboot's menu.
2. The only way to restore the phone if something goes wrong is by flashing it via fastboot. The way to get to fastboot is turn the phone off and press Volume Down and Power. The Motorola tool will NOT work. That's normal.
3. You will see a cute message that you've unlocked the bootloader and that the phone software integrity is compromised when you boot the phone up every single time after the bootloader unlock. It will also say press the power button to pause. This is normal. Give it a minute, you haven't broken it.
4. OEM Unlocking should already be activated and greyed out in the Developer Options once the bootloader is unlocked; you can't access it anymore.
Files
You will need an SD card for root. You will also need other apks to successfully help you pull off root ready to install. Pull ALL the necessary files you will need.
1. Get Minimal ADB and Fastboot (it's easier).
2. Download the Motorola Drivers from their site if you don't already have them (if you run into problems you will have to uninstall and reinstall them through their utility, which is found on PC here: C:\Program Files\Common Files\Motorola Shared\Mobile Drivers).
3. Cpu-Z.apk (Very important, its hard to know your hardware without this).
4. Magisk v22.0.apk (They no longer have a separate Magisk Manager)
5. Root Explorer.apk (This software helps navigation better but you can use any Explorer of your choice).
6. Root Checker.apk
7. Stock Firmware XT2113-3_KIEV_RETEU_10_QZK30.Q4-40-62_subsidy-DEFAULT_regulatory-XT2113-3-EU-SAR_CFC.xml (This is important if you mess up the boot image trying to root). You can get the firmware of your choice at Motorola Official Firmware For Kiev.
8. Patience (and a good movie keeping you going).
As of now this device has no TWRP, so you have to do this the old fashioned way to root. And just so you know, I used Windows 7 for all of this.
Pre-Rooting
1. Make sure the phone is fully charged.
2. Make sure your sim card is REMOVED from the phone. Every time you wipe the phone or do anything messing with the boot image the phone resets itself to factory settings, and tries to push an update. Just take the silver key thing and pop it out. You will have to push it back in and out in a second, but start with it out.
3. Make sure your wifi is OFF.
4. Make sure your SD is in and mountable and all files you need are on the card.
5. Make sure you Save boot.img to your SD Card from your firmware files. This is very important for root.
6. Make sure your developer options are activated.
7. Make sure your USB debugging is enabled AND you've given permissions for your computer to have administrative access with it enabled (more on this below).
8. Make sure to check CPU-Z for your hardware specs so you download the right files for the phone and avoid potential problems.
9. Make sure you manually set USB to Transfer files (no other option will work and by default its set to Charge this Device).
10. Make sure you have the STOCK CABLE that comes with the phone. Like most Motorolas this model is funky about using other cables.
11. Make sure you back up all your calls, texts, pics, etc. Flashing the firmware is the ultimate factory reset and you will lose all your files on the phone. SMS Restore is a good software to backup Calls and Text logs and it supports keeping MMS.
12. Make sure you have the internet. It is necessary for some steps.
Rooting
1. Make sure all the firmware files are extracted into your Minimal ADB and Fastboot folder (or whatever ADB folder you're using for this).
2. Open FlashFile.xml in Notepad. This is located among the firmware files you put in the Minimal ADB and Fastboot folder.
3. Cut, copy, and paste everything from the FlashFile that is shown and then paste it in an online Flash file Converter. I used Online Flash File Converter here.
4. Convert the text by pressing the bar below where you pasted the text. It may be in Spanish or Portuguese but it should say something like Cerar Commandos.
5. Copy the text by hitting the two pieces of paper icon in the corner after it's converted. Or just cut copy and paste manually.
6. Turn the phone completely OFF.
7. Plug your phone via USB cable into the computer.
8. Press Volume Down and Power to boot into fastboot mode. Do not use "adb reboot bootloader" as that command may or may not work and hang at "waiting for device" (it was iffy for me and it knocked off USB permissions BADLY).
9. Open up Minimal ADB and Fastboot (Make sure you don't have it set to open this as an administrator, it messes with permissions) Make sure your firmware files are in the Minimal ADB directory or it won't work.
10. Paste the contents of the flashfile converter into Minimal ADB and Fastboot. This should start the process of the flashing.
11. When the entire flash is complete, boot the phone and disconnect phone from the computer. Ignore the bootloader unlock error.
12. Wait. Sometimes this takes up to 3-5 minutes on a new flash. You should see the boot animation of Motorola.
13. Push your Sim Card back into the phone.
14. Start setting up your device on the screen. Sim Card must be in or it will give you a message your phone is Network Locked.
15. Once you make it to the Wifi Setup screen take the Sim back OUT the phone. Do not connect to Wifi.
16. Once you are done with setup, go to Settings>About phone.
17. Go all the way down to Build Number and press it until you unlock Developer Options.
18. Go to Settings>System>Advanced>Developer Options. Advanced is a pull down tab that will reveal Developer Options.
19. Disable Automatic System Updates. I know this is hard for some people, but a forced OTA update may cause problems and prohibit root.
20. Enable USB Debugging. Disable Verify bytecode of debuggable apps. Disable Verify apps over USB if it is highlighted. Exit.
21. Put your SD/Sim card back into the phone.
22. Go to the Files folder and install Magisk first, then Root Explorer and Root Checker.
23. Open Magisk. You will see Magisk and App. Hit Install by Magisk (a fingerprint looking icon is to its left).
24. Allow Magisk to access photos, media, and files if it asks.
25. Select option "Select and Patch A File."
26. It will take you to a screen where you can select your explorer to navigate to your SD card where you saved the boot.img. Go there and select it.
27. Magisk will save it as magisk_patched.img. Once you get it patched, find where it saved, make sure it's on your SD card and then turn off the phone.
28. Plug your phone via USB cable into the computer.
29. Press Volume Down and Power to boot into fastboot mode.
30. Open up a fresh Minimal ADB and Fastboot (Make sure you don't have it set to open this as an administrator, it messes with permissions) Make sure you transfer the magisk_patched.img that Magisk patched off your SD card into this folder.
31. Rename your original boot.img to "boot.img original" or whatever distinct name you want to give it in your Minimal ADB and Fastboot folder.
32. Rename your magisk_patched.img to boot.img.
33. In Minimal ADB and Fastboot type "fastboot flash boot boot.img" and hit enter.
34. If all goes well it should flash to the partition before it says done and in how many seconds.
35. When it is done, reboot phone by selecting START (keep pressing volume rockers until you see it, then press the power button).
36. Wait for the bootloader cannot be trusted screen to pass (may take a minute) and wait for the Hello Moto opening.
37. Open Root Checker and confirm root. You can uninstall it after confirmation if you like.
38. Open Root Explorer. A prompt asking you to grant permission should pop up.
Congrats. You should be rooted now.
***NOTES SO YOU DON'T FREAK OUT***
1. Do NOT flash someone else's patched boot image. It WILL NOT WORK. Do the work, find your firmware, and patch the boot image yourself. You're asking for bootloop hell if you do as your boot.img that Magisk patches needs to match that particular firmware you used.
2. While it hasn't happened to me, You may have followed everything perfect and it still bootlooped. Save yourself the frustration and just flash it over. See the next section on the proper way to flash so you don't lose your baseband, IMEI, or any other important stuff.
3. While you won't lose anything just flashing boot.img, you will lose everything having to flash ALL the firmware over. Keep backups of all your important stuff.
****Notes on Flashing The Stock Firmware if you have to****
In the event you bootloop and have to start from scratch, follow my guide on restoring the firmware on the phone. And don't worry - it won't relock the bootloader. You can find my guide here: The Complete Noob Guide to Flashing via Fastboot MetroPCS Moto One 5G Ace XT2113 [Qualcomm Version]
Hope this helps my fellow T-Mobile and subsidiary acolytes and others. I have flashed and reflashed my phone with different variant roms trying to force Write status and beta testing scripts for @lebigmac on our device so it's pretty straightforward now.
I will try and answer questions if I can or point you in the right direction.
Question I keep seeing you have to use adb to fix if messed up, sorry not a question yet but that's wrong. When I did it I think I mixed up my moto g stylus boot.img and got a boot loop. I flashed stock boot.img and it came up with a screen saying Android os was corrupted try to reboot if didn't work factory reset is needed. Rebooted popped up again hit factory reset and the phone did it for me. Not sure if you knew that, question tho lol sorry, can I patch boot img with magisk and flash to a phone that's not fresh from a factory reset
bobbyp1086 said:
Question I keep seeing you have to use adb to fix if messed up, sorry not a question yet but that's wrong. When I did it I think I mixed up my moto g stylus boot.img and got a boot loop. I flashed stock boot.img and it came up with a screen saying Android os was corrupted try to reboot if didn't work factory reset is needed. Rebooted popped up again hit factory reset and the phone did it for me. Not sure if you knew that, question tho lol sorry, can I patch boot img with magisk and flash to a phone that's not fresh from a factory reset
Well, when I rooted the 1st time I got a frozen touchscreen as I didn't have the correct Firmware (as the phone's firmware out of the box auto updated and the firmware that was available did not match its peripherals). So my phone lost ALL TOUCH ability. The way I explain in this guide is what worked for me, as the LHSA tool doesn't help at that stage. And honestly, I think adb is better and more familiar to most Moto folks that have had several devices and got root on them.
If you mixed up your Moto G Stylus boot.img, all you have to do is try and reflash your firmware boot.img and flash it (or if you have root your patched boot.img). I've flashed this phone almost 70 times in 9 days and I normally do not reflash my boot.img as its already patched to the firmware and I'm just starting from scratch. However, I wouldn't advise that on recovery.img that went wrong, just saying. The phone will force a factory reset.
I don't recommend a factory reset for flashing if you're trying to get root. It's best to compile all the files in ADB to make sure they're taking together, and not going after the fact. There is no shutting off DM-Verity at this time, especially without TWRP and a patch for it, and this model is a bit funky about added flashing with this new Dynamic Partition crap.
Articul8Madness said:
Well, when I rooted the 1st time I got a frozen touchscreen as I didn't have the correct Firmware (as the phone's firmware out of the box auto updated and the firmware that was available did not match its peripherals). So my phone lost ALL TOUCH ability. The way I explain in this guide is what worked for me, as the LHSA tool doesn't help at that stage. And honestly, I think adb is better and more familiar to most Moto folks that have had several devices and got root on them.
If you mixed up your Moto G Stylus boot.img, all you have to do is try and reflash your firmware boot.img and flash it (or if you have root your patched boot.img). I've flashed this phone almost 70 times in 9 days and I normally do not reflash my boot.img as its already patched to the firmware and I'm just starting from scratch. However, I wouldn't advise that on recovery.img that went wrong, just saying. The phone will force a factory reset.
I don't recommend a factory reset for flashing if you're trying to get root. It's best to compile all the files in ADB to make sure they're taking together, and not going after the fact. There is no shutting off DM-Verity at this time, especially without TWRP and a patch for it, and this model is a bit funky about added flashing with this new Dynamic Partition crap.
That's what mine did, I flashed stock boot, is corrupted my phone says and forced reset, I'm newish to moto, Samsung for many years, had to ditch them tho lol.
I appreciate the help and hope I didn't come across as arguing, more like clarifying. I too prefer adb over anything, only get the rom from tool. Again thanks for info.
bobbyp1086 said:
That's what mine did, I flashed stock boot, is corrupted my phone says and forced reset, I'm newish to moto, Samsung for many years, had to ditch them tho lol.
I appreciate the help and hope I didn't come across as arguing, more like clarifying. I too prefer adb over anything, only get the rom from tool. Again thanks for info.
If your bootloader is unlocked the only way you should have gotten the corruption is if you flashed an incompatible firmware. Mine came with MetroPCS but I've flashed RETUS and RETEU well. I'd stray from any VZW or ATT software just because you can't trust their firmware won't lock down the bootloader.
Or maybe the software just didn't download well. Try re-downloading it . I've had a bad download mess up a flash before.
I think it's cause 1) Magisk wasn't installed and 2) I used a different phone to patch
bobbyp1086 said:
I think it's cause 1) Magisk wasn't installed and 2) I used a different phone to patch
You have to install Magisk and patch on the phone in question since it's looking for that firmware and that phone's peripherals. You can't use another phone - that's a no no. This ain't Gingerbread, lol.
Articul8Madness said:
You have to install Magisk and patch on the phone in question since it's looking for that firmware and that phone's peripherals. You can't use another phone - that's a no no. This ain't Gingerbread, lol.
I'm fairly new to magisk, just recently in past year or so stopped using supersu. Not by choice lol but upgraded my note 4 lmao. So as far as the script for read and write, never flashed and after I got magisk, no modules only su permissions, fx did mount /
and fix file permissions, it's in settings
bobbyp1086 said:
I'm fairly new to magisk, just recently in past year or so stopped using supersu. Not by choice lol but upgraded my note 4 lmao. So as far as the script for read and write, never flashed and after I got magisk, no modules only su permissions, fx did mount / and fix file permissions, it's in settings
Having Root on this device is not going to magically fix the fact that Android 10 on ALL DEVICES is READ ONLY. You will have to go to @lebigmac or @munjeni and try their R/W mount scripts to get true root access. Munjeni's V2 worked for me. He's on V7 now. LeBigMac has been hard at work trying to get us up and running with his script, but we have Super partitions AND A/B. So it's taking some time.
Articul8Madness said:
Having Root on this device is not going to magically fix the fact that Android 10 on ALL DEVICES is READ ONLY. You will have to go to @lebigmac or @munjeni and try their R/W mount scripts to get true root access. Munjeni's V2 worked for me. He's on V7 now. LeBigMac has been hard at work trying to get us up and running with his script, but we have Super partitions AND A/B. So it's taking some time.
I am not familiar with either but take it that it's not an easy task. Should I run v2 or v7 then? Moto one g ace metro.
I was fooled by the trickery, I thought something seemed off with the root on modern phones.
I just bought a new Moto One 5G ace and was wondering where I can find the stock T-Mobile Firmware variants to prevent bricking?
I successfully rooted it with Magisk patched and ready to go. Unfortunately for the time being the phone won't bypass safety net even with MagiskHide. It just won't work but I'm really happy this phone can be unlocked
bobbyp1086 said:
I am not familiar with either but take it that it's not an easy task. Should I run v2 or v7 then? Moto one g ace metro.
I was fooled by the trickery, I thought something seemed off with the root on modern phones.
Android 10 is very challenging. It is easy to root but it is a trickable root with a false sense of root since Google locked all Android 10 and newer as Read Only on the System with this super partition crap trying to be Apple.
Skel40 said:
I just bought a new Moto One 5G ace and was wondering where I can find the stock T-Mobile Firmware variants to prevent bricking?
Check my guide. I posted link to where the repository is.
Skel40 said:
I successfully rooted it with Magisk patched and ready to go. Unfortunately for the time being the phone won't bypass safety net even with MagiskHide. It just won't work but I'm really happy this phone can be unlocked
You will not pass safety net because you've rooted it and Android 10 will block it. It isn't necessary, especially if you delete all Google stuff and their tracking Covid crap.
Articul8Madness said:
Having Root on this device is not going to magically fix the fact that Android 10 on ALL DEVICES is READ ONLY. You will have to go to @lebigmac or @munjeni and try their R/W mount scripts to get true root access. Munjeni's V2 worked for me. He's on V7 now. LeBigMac has been hard at work trying to get us up and running with his script, but we have Super partitions AND A/B. So it's taking some time.
Hi @Articul8Madness. Thanks for mentioning me
There's a Motorola user who recently got my script to work using the troubleshooting repair script that I posted here
It turns out the lpmake arguments that are auto-generated by the original script were flawless and were not the root cause of the unidentified lpmake error that some Motorola users were experiencing at the end of the original script. According to @Xiaoleng the error was most likely caused by some kind of new Motorola security feature that prevents the terminal command from executing if the arguments are too long. Go figure.
And he was even able to fastboot flash the super_fixed.bin in one piece without having to first split it up into chunks. That's a huge surprise to me. I always thought Motorola users can only fastboot flash super sparsechunks?!
Please feel free to give it a try and report back your results. Thanks. Good luck!

Blu bl140dl unlock bootloader and ROOT w/magisk

Unlocked bootloader and achieved root/magisk on b140dl aka blu view 3. I did search for this phone on xda before (1 week ago as my first stop) and could not find it, or across the web, after deep hair pulling, disappointments in the dark (I'm pretty new at this guys), and not trying to present something already found or reinvent the wheel, just trying to perpetuate the freedom to "really OWN your device" and perseverance of never giving up and you shall prevail!!!!! Any questions, pm me
rtype77 said:
Unlocked bootloader and achieved root/magisk on b140dl aka blu view 3. I did search for this phone on xda before (1 week ago as my first stop) and could not find it, or across the web, after deep hair pulling, disappointments in the dark (I'm pretty new at this guys), and not trying to present something already found or reinvent the wheel, just trying to perpetuate the freedom to "really OWN your device" and perseverance of never giving up and you shall prevail!!!!! Any questions, pm me
I'm now working on removing the orange status warning (only meaning unlocked bootloader with 5 sec. delay)
I did extract my stock image in .bin dump as well as extracting .img partitions from this dump. I tried the few online methods of altering the lk.bin hex and reflash, leading to no boot, no lights, no nothing, as if a security encryption signature principle must be in place to put a halt if not matched. Not sure but could sure use some advice, I'm kinda new at this.
I've also been trying to figure out how to port a twrp recovery, which I also attempted, flashed, same result: phone black, no boot, so I flashed back original, back to normal (what a scare on such a dead response!! holding power button down and nothing). So I've softbricked twice, and recovered twice without a problem.
Specs
Helio p22 mtk chipset (6762)
4.19.127 kernel android 11
I do realize each phone has different specific source and understand this determines if twrp compatible, correct me if I'm wrong my friends, I'm just learning and open. One more thing, I've gotten a status of p22 from installed play store app device info, cpu-z. No root permission. mtk_client tool gives me p35 as my processor which is the (6735). Maybe the difference is negligible in the two readings? Or the mtk_client is old and rounds the 6762 to 6765, as maybe their differences are small enough to ignore 62-65 differences? Like I mentioned I'm very new, and though I've researched a lot, this is tough, but I must say, I love a good game of chess!!!!
I've currently got two of these phones and I'm starting from scratch tryna do the same thing you are. So at least you're not alone. I figured I'd kinda follow the guide for the b130dl (since that seems to have so much success even with other variants and devices). Idk how much help I will be, seeing as I haven't done any development of any kind for about 5 years.... But since I have 2, lmk if there is anything kinda risky you wanna try. (After I catch up of course)
Yeah right on, I'm goin at orange status removal once again. I did do a little homework, and believe the inability to flash any custom partition is due to encryption of partitions by dm-verity and/or AVB preventing boot even if rooted? Not sure exactly but reading and learning. Btw my friend, I'm Rob, pleasure to meet. I don't know any coding, though ready to learn, just mods a bit, though I'm relatively new to that as well, but I try being creative, and was stoked I actually pulled off root on this newer phone, unlocked the bootloader with mtk_client, from GitHub, no problem: https://www.google.com/url?sa=t&rct...er/mtkclient&usg=AOvVaw1EA0UgBcE8bbeVuiVn4L7c
I then read all partitions to my laptop which dumped in .bin form. From there I looked everywhere for a root on this phone. Too new, as I found nothing. That made me think, if mtk_gui could pull off unlocking the bl, what else can it do? So I read its readme a bit and noticed the magisk root using adb and fastboot, with accompanying custom magisk for mtk. Thought I was probably wasting my time as this phone's security is newer. Well, it worked, so bootloader down, root accomplished with magisk, now this orange state, for which I tried online hex manipulation of the lk.bin file and flashed it to the original lk.bin partition on the phone, no boot. Tried making a custom logo.bin and same flash, no boot. So I used my mtk_client tool to flash my backup of the above 2 partitions and it booted right up, no problem, which led me to investigate this vbmeta and AVB which I'm currently trying to grasp. Oh and yes, I figured out how to take a complete flash dump into a .bin file with mtkclient, so I have a backup of partitions from this tool by reading the partitions section, and also a backup by using the read flash option under flash in the tool. It gave me one giant file called user.bin. I researched what bin and img files are and learned we can use 7 zip or any storage compress/decompress software or cd iso software to open bin files, so I proceeded with 7 zip on the user.bin file and was able to extract the partitions in .img format, really cool, so now I have backup in 3 styles lol: .bin partitions, .img partitions or 1 .bin complete rom dump which when opened with 7 zip gives you the img forms. Been fun, but this orange state and security stuff seems a bit tricky to understand, so that's where I'm at my friend. Let me know if you need any help. Good idea about starting with previous phone guide, my thoughts exactly as well when I started gettin my hands dirty lol. What a universe in these gadgets, awesome
Is there anyway you could post a guide of sorts. Looking to unlock the bootloader and root (aren't we all).
Am relatively new at this. Last phone I rooted before this year was the Epic Touch! Please at least list which downloads are needed. Thanks in advance. *Jaymi*
Are these the specs of your phone?
Okay. Let's go to the beginning.
I have a friend who knows how to handle Mediatek phones. He even has a BLU MT6762 with Android 9. He compiled the TWRP himself. Maybe he can compile one for you.
I'll try to send him a message to know if he can help you.
But the bigger question is about the original firmware (without ROOT/Magisk). Have you tried using the Smart Phone Flash Tool (SPFT) to copy all the firmware? Is there an official stock firmware? So you could use the scatter.txt file to use SPFT.
If you couldn't use SPFT then were you forced to use mtk_client?
To unlock bootloader, can you use this guide?: https://forum.xda-developers.com/t/...om-rom-on-a-blu-g90-pro.4253737/post-85180967
Update:
Okay. He agreed to help. He asked someone to put the stock recovery.img file attached to the message and information about fastboot:
Code:
fastboot getvar all
and fastbootd:
Code:
fastboot getvar all
Furthermore an experienced user should contact him to test the TWRP files he will compile. So think hard if you can get your phone back to normal if something strange happens. Usually just reinstall the stock file and everything will be simple. One more detail: you should be able to understand that the test needs the phone with the full wipe process and without using magisk at the moment.
rtype77 said:
Yeah right on, I'm goin at orange status removal once again. I did do a little homework, and believe the inability to flash any custom partition is due to encryption of partitions by dm-verity and/or AVB preventing boot even if rooted? Not sure exactly but reading and learning. Btw my friend, I'm Rob, pleasure to meet. I don't know any coding, though ready to learn, just mods a bit, though I'm relatively new to that as well, but I try being creative, and was stoked I actually pulled off root on this newer phone, unlocked the bootloader with mtk_client, from GitHub, no problem: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjlsKWdh7b2AhVXjokEHXJ1DD4QFnoECAsQAQ&url=https://github.com/bkerler/mtkclient&usg=AOvVaw1EA0UgBcE8bbeVuiVn4L7c
I then read all partitions to my laptop which dumped in .bin form. From there I looked everywhere for a root on this phone. Too new, as I found nothing. That made me think, if mtk_gui could pull off unlocking the bl, what else can it do? So I read its readme a bit and noticed the magisk root using adb and fastboot, with accompanying custom magisk for mtk. Thought I was probably wasting my time as this phone's security is newer. Well, it worked, so bootloader down, root accomplished with magisk, now this orange state, for which I tried online hex manipulation of the lk.bin file and flashed it to the original lk.bin partition on the phone, no boot. Tried making a custom logo.bin and same flash, no boot. So I used my mtk_client tool to flash my backup of the above 2 partitions and it booted right up, no problem, which led me to investigate this vbmeta and AVB which I'm currently trying to grasp. Oh and yes, I figured out how to take a complete flash dump into a .bin file with mtkclient, so I have a backup of partitions from this tool by reading the partitions section, and also a backup by using the read flash option under flash in the tool. It gave me one giant file called user.bin. I researched what bin and img files are and learned we can use 7 zip or any storage compress/decompress software or cd iso software to open bin files, so I proceeded with 7 zip on the user.bin file and was able to extract the partitions in .img format, really cool, so now I have backup in 3 styles lol: .bin partitions, .img partitions or 1 .bin complete rom dump which when opened with 7 zip gives you the img forms. Been fun, but this orange state and security stuff seems a bit tricky to understand, so that's where I'm at my friend. Let me know if you need any help. Good idea about starting with previous phone guide, my thoughts exactly as well when I started gettin my hands dirty lol. What a universe in these gadgets, awesome
I get handshake error with mtk client on my b140dl, on both windows and relived iso. Would love to have mine unlocked.
Hey guys, I am a total noob with android but I have this same model phone and I have a custom OS. I'm not sure what it means outside of:
"my crazy ex gf managed to get spyware on my new phone like the day after she got the cops to take my old one (Jan 12th) and has been ruining what's left of my sad existence"
But google isn't giving me any results for this firmware version or really this model phone at all so if it would help people working on modding it and there is a way I could like dump the data from it somewhere?
jayleemcnabb81 said:
Is there anyway you could post a guide of sorts. Looking to unlock the bootloader and root (aren't we all).
Am relatively new at this. Last phone I rooted before this year was the Epic Touch! Please at least list which downloads are needed. Thanks in advance. *Jaymi*
Hi Jaymi, sorry for the 2 month late response, been totally busy and other places, but yes, I think I will make a guide, to the best of my ability as I'm relatively new at this as well and have never written a guide, but shall give it my best! Any questions, just ask, Rob
Can someone show me how to do this? it appears OP has been offline and nobody ever got around to actually SHARING THIS METHOD OF BOOTLOADER UNLOCK... I used to unlock my phones bootloaders all the time around 2014 but the game has changed and now you gotta edit files on notepad and download github sources it seems...
tl:dr: NEED ISNRUCTIONZ pl0X!!
rtype77 said:
Yeah right on, I'm goin at orange status removal once again. I did do a little homework, and believe the inability to flash any custom partition is due to encryption of partitions by dm-verity and/or AVB preventing boot even if rooted? Not sure exactly but reading and learning. Btw my friend, I'm Rob, pleasure to meet. I don't know any coding, though ready to learn, just mods a bit, though I'm relatively new to that as well, but I try being creative, and was stoked I actually pulled off root on this newer phone, unlocked the bootloader with mtk_client, from GitHub, no problem: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjlsKWdh7b2AhVXjokEHXJ1DD4QFnoECAsQAQ&url=https://github.com/bkerler/mtkclient&usg=AOvVaw1EA0UgBcE8bbeVuiVn4L7c
I then read all partitions to my laptop which dumped in .bin form. From there I looked everywhere for a root on this phone. Too new, as I found nothing. That made me think, if mtk_gui could pull off unlocking the bl, what else can it do? So I read its readme a bit and noticed the magisk root using adb and fastboot, with accompanying custom magisk for mtk. Thought I was probably wasting my time as this phone's security is newer. Well, it worked, so bootloader down, root accomplished with magisk, now this orange state, for which I tried online hex manipulation of the lk.bin file and flashed it to the original lk.bin partition on the phone, no boot. Tried making a custom logo.bin and same flash, no boot. So I used my mtk_client tool to flash my backup of the above 2 partitions and it booted right up, no problem, which led me to investigate this vbmeta and AVB which I'm currently trying to grasp. Oh and yes, I figured out how to take a complete flash dump into a .bin file with mtkclient, so I have a backup of partitions from this tool by reading the partitions section, and also a backup by using the read flash option under flash in the tool. It gave me one giant file called user.bin. I researched what bin and img files are and learned we can use 7 zip or any storage compress/decompress software or cd iso software to open bin files, so I proceeded with 7 zip on the user.bin file and was able to extract the partitions in .img format, really cool, so now I have backup in 3 styles lol: .bin partitions, .img partitions or 1 .bin complete rom dump which when opened with 7 zip gives you the img forms. Been fun, but this orange state and security stuff seems a bit tricky to understand, so that's where I'm at my friend. Let me know if you need any help. Good idea about starting with previous phone guide, my thoughts exactly as well when I started gettin my hands dirty lol. What a universe in these gadgets, awesome
Hey, I have a B140DL and unlocking its bootloader has become personal. I have achieved root on other handsets and tablets, but this little bastard is something else. I was just inquiring to see if you ever put together a guide. Any advice is greatly appreciated. I will say for a cheap phone, it has been a Mother-Fuxxer!
iamx51 said:
I get handshake error with mtk client on my b140dl, on both windows and relived iso. Would love to have mine unlocked.
I kept getting handshake error also. Then I started getting device not configured. Have you made any headway?
One more thing, out of curiosity I ran the command "fastboot flashing lock" and I got a menu that asked Do you wish to LOCK BOOTLOADER? Locking your BOOTLOADER will wipe your device of all DATA! You must then flash your phone with a stock ROM.
Looking into this device myself and having a hard time. I haven't rooted a phone since a droid x2 and back then i did it with some kind of software through an ubuntu terminal. Not sure what's being used now but has anyone been able to do this or can anyone offer any tips or guidance?
oldt7mer said:
Looking into this device myself and having a hard time. I haven't rooted a phone since a droid x2 and back then i did it with some kind of software through an ubuntu terminal. Not sure what's being used now but has anyone been able to do this or can anyone offer any tips or guidance?
MTK Client and Python with Chimera exploit can supposedly do it. Look to GitHub. Hope you enjoy a challenge. I have made little problems.
I've been playing with this all day and it's safe to say this is impossible with currently released tech on the latest security updates. The only way you're going to be able to do this is if you're able to force the phone into brom mode. Doesn't seem possible from where I'm standing unless that can be done; would have to be done through a hardware mod.
oldt7mer said:
I've been playing with this all day and it's safe to say this is impossible with currently released tech on the latest security updates. The only way you're going to be able to do this is if you're able to force the phone into brom mode. Doesn't seem possible from where I'm standing unless that can be done; would have to be done through a hardware mod.
In case I wasn't clear, if you are on 2021 security updates with this phone (i.e. haven't updated it or just got it and declined updates) you can easily unlock the phone with mtkclient and root with magisk; however if you've installed the 2022 security updates, brom mode is basically disabled, making it impossible to unlock the phone.
oldt7mer said:
I've been playing with this all day and it's safe to say this is impossible with currently released tech on the latest security updates. The only way you're going to be able to do this is if you're able to force the phone into brom mode. Doesn't seem possible from where I'm standing unless that can be done; would have to be done through a hardware mod.
Run the fastboot command "fastboot flashing lock". Do that and tell me what you think. Trust me. Just be sure to read the prompt on your phone.
oldt7mer said:
In case I wasn't clear, if you are on 2021 security updates with this phone (i.e. haven't updated it or just got it and declined updates) you can easily unlock the phone with mtkclient and root with magisk; however if you've installed the 2022 security updates, brom mode is basically disabled, making it impossible to unlock the phone.
MTK Client has been no go. Lib USB error and NO BACK END error.

How To Guide Safely convert regions (includes T-Mobile) as well as restore the ability to use OOS12 after using Indian MSM to recover from a brick (Windows only)

It seems lots of us have had to use the India 9 Pro MSM to recover our devices, and in the process we lose the ability to go back to OOS12 or ROMs based on that firmware because the touchscreen stops working. Also, when trying to convert T-Mobile variants, the fastboot scripts are just bricking them. Well, I found a fix for these issues. Those who just want to convert can skip the MSM Tool process and get right to the conversion process as long as they're already running OOS11.
First things first, you need to be on OOS11. If you have a T-Mobile variant and you have flashed it with India firmware, you have to use a modded T-Mobile MSM: https://forum.xda-developers.com/t/...ariant-flashing-as-well.4454357/post-87050821
If you have a T-Mobile variant that hasn't used the Indian 9 Pro MSM Tool, is on OOS12, and you're just wanting to convert, you need this tool: https://forum.xda-developers.com/t/oneplus-9-11-2-22-2-t-mobile-msm-download-tool.4276119/
If you have a global variant or a global variant that has been flashed with Indian firmware, you can use this MSM (choose O2 for global or India for India in the Target dropdown, check Sha256, uncheck use lite firehose, it's a multi-target MSM Tool): https://mega.nz/file/ZWtGxTSb#UZ6aSOR2UTYrCao2fQNJ1IN5LSxPNBOxzel1kihnnJs
If you don't know how to use the MSM Tool, there are other guides around here, that's outside of the scope of this post.
Once you are back on OOS11, unlock the bootloader. We also need USB debugging enabled.
Now we need a tool called Fastboot Enhance. This wonderful tool allows you to directly flash OTAs from fastbootd and it doesn't have the same brick risk that flashing with fastboot scripts does.
Download it and unzip it somewhere.
Next we need the OOS11 global downgrade package (or whatever region you are wanting to switch to, global is recommended for T-Mobile variants) from here: https://forum.xda-developers.com/t/oneplus-9-rom-ota-oxygen-os-repo-of-oxygen-os-builds.4254579/
Fire up command prompt in the folder you have your platform tools and run:
adb reboot fastboot (if you do adb reboot bootloader you will then need to type fastboot reboot fastboot to get to fastbootd)
This will take you into fastbootd. It will have a screen that has three different languages to choose from on it. Go ahead and fire up Fastboot Enhance now.
It may take a few seconds for the app to recognize the device but when you see it in the list, double-click it to get to the main screen.
Check that it says that the device is in fastbootd. Now we just need to click Flash Payload.bin and choose the OTA we downloaded earlier (we don't even need to extract the zip, the app does that for us). If it pops up with an unrecognized partitions error, you're either not in fastbootd, you didn't MSM back to stock (you cannot do this with a custom recovery), or you grabbed an OOS12 OTA. Do not continue; check that everything is correct, otherwise you will brick and have to start all over with the MSM Tool. Likewise, if it pops up an alert about cow partitions, don't continue. Go to the partitions screen, search for cow, and delete them all.
Once it's done, boot the device, factory reset it in the settings (this is mandatory as Fastboot Enhance does not erase the device like a normal downgrade would do and this can cause problems), set it back up, and then do the OTA process to get back to where you want to go.
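A pre-flight check for the fastbootd step above, as an added example that is not part of the original guide: it parses saved `fastboot getvar all` output and reports a problem unless the device answers `is-userspace:yes` and no `-cow` partitions remain. The sample output is constructed, and the function names are hypothetical.

```python
"""Pre-flight check run over saved `fastboot getvar all` output (added example)."""

# Constructed sample, as captured while the phone is in fastbootd.
# fastboot prints getvar output on stderr, so save it with `2> getvar.txt`.
SAMPLE_FASTBOOTD = """\
(bootloader) is-userspace:yes
(bootloader) current-slot:a
(bootloader) super-partition-name:super
(bootloader) is-logical:system_a:yes
(bootloader) is-logical:system_b:yes
(bootloader) is-logical:system_b-cow:yes
(bootloader) is-logical:vendor_b-cow:yes
(bootloader) is-logical:boot_a:no
(bootloader) partition-size:system_b-cow:0x1F400000
all: Done!!
Finished. Total time: 0.512s
"""

# Constructed sample, as captured in the ordinary bootloader (not fastbootd).
SAMPLE_BOOTLOADER = """\
(bootloader) is-userspace:no
(bootloader) current-slot:a
(bootloader) is-logical:boot_a:no
"""


def parse_getvar(text):
    """Return {variable: value}; per-partition variables are keyed 'var:partition'."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(bootloader)"):
            line = line[len("(bootloader)"):].strip()
        # The value is whatever follows the last colon on the line.
        key, sep, value = line.rpartition(":")
        if sep and key:
            result[key.strip()] = value.strip()
    return result


def cow_partitions(variables):
    """List partitions whose name ends in -cow (leftover update snapshots)."""
    names = set()
    for key in variables:
        _, sep, partition = key.partition(":")
        if sep and partition.endswith("-cow"):
            names.add(partition)
    return sorted(names)


def preflight(text):
    """Check the two conditions the guide says must hold before flashing payload.bin."""
    variables = parse_getvar(text)
    problems = []
    in_fastbootd = variables.get("is-userspace", "").lower() == "yes"
    if not in_fastbootd:
        problems.append("not in fastbootd; run: fastboot reboot fastboot")
    cows = cow_partitions(variables)
    if cows:
        problems.append("delete cow partitions first: " + ", ".join(cows))
    return {"in_fastbootd": in_fastbootd, "cow": cows,
            "ok": not problems, "problems": problems}


if __name__ == "__main__":
    for name, sample in (("fastbootd", SAMPLE_FASTBOOTD),
                         ("bootloader", SAMPLE_BOOTLOADER)):
        report = preflight(sample)
        print(name, "OK" if report["ok"] else "STOP", report["problems"])
```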
Hey bud. So I ended up having too india again. After flashing nameless, it locked up completely. I followed along, but maybe I made a mistake around this point?
Once I was able to boot into India, i just used another msmtoolkit, this successfully converted my Pro to the proper OP 9 5g (the cutout for the cam was aligned so it worked) and i was now on 11.2.10.10
i then let the phone just OTA itself to Android 12.1 c.48
this is when i attempted to get into the latest nameless ROM that requires us to go from OOS 11 based system for the tom to A12.
did i mess up? Should i have flashed 12.1 again?
because the additional flash requirements were fairly straight forward. .
i unlocked the bootloader and then re-enabled /adb debugging the 12.1 and rebooted to bootloader
i flashed the 3 images i extracted from the payload of the latest 12.1 nameless zip and flashed them
fastboot flash boot boot.img
fastboot flash vendor_boot vendor_boot.img
fastboot flash dtbo dtbo.img
while in the same fastboot, i selected recovery boot. i was in the lineage recovery system, this is where i formatted and sideloaded in the same session
when i rebooted i was qualcomm killed. could still fastboot but nothing would take so i just started over. i am now on my 2nd toolkit flash (india-pro to non-pro global).
i may just stick with the latest release that doesn't require 12. it doesn't help that i'm 2 days no sleep (unrelated but not helping) but even saying that, i feel i had most of what was required done, but i'm a big dummy so who knows
your knowledge is sexy
THANK YOU SIR, true gentleman. Your post I guess was the only one convincing enough that it was finally brushed through the beta testing phase enough that it would be worth trying. No real risk here considering its just using that awesome tool you mentioned in the post, which i've never heard of. will be using for now on. Dunno about any testing with this method so i thought i would owe the community my post. i saw the sahara error post not too long ago talking about a fix with no testing yet xD that made me laugh honestly. But yeah my phone is now converted global through payload.bin flash in fastbootd. Tmo Variant had me & my girls phone networked unlocked through the one guy that was doing it for free on here a while back.. then applied for unlock code and did it officially, never tried to convert due to brick concerns, so i had the easy route through the methods involved in this post, considering i was still on oos 11 with bootloader unlocked when reading this. anyways, i think its safe to say its fixed pretty hyped to flash roms now and not get bootlooped and excited to see where this variant is gonna go! thanks again mate.
applyscience said:
Hey bud. So I ended up having too india again. After flashing nameless, it locked up completely. I followed along, but maybe I made a mistake around this point?
Once I was able to boot into India, i just used another msmtoolkit, this successfully converted my Pro to the proper OP 9 5g (the cutout for the cam was aligned so it worked) and i was now on 11.2.10.10
i then let the phone just OTA itself to Android 12.1 c.48
this is when i attempted to get into the latest nameless ROM that requires us to go from OOS 11 based system for the tom to A12.
did i mess up? Should i have flashed 12.1 again?
because the additional flash requirements were fairly straight forward. .
i unlocked the bootloader and then re-enabled /adb debugging the 12.1 and rebooted to bootloader
i flashed the 3 images i extracted from the payload of the latest 12.1 nameless zip and flashed them
while in the same fastboot, i selected recovery boot. i was in the lineage recovery system, this is where i formatted and sideloaded in the same session
when i rebooted i was qualcomm killed. could still fastboot but nothing would take so i just started over. i am now on my 2nd toolkit flash (india-pro to non-pro global).
i may just stick with the latest release that doesn't require 12. it doesn't help that i'm 2 days no sleep (unrelated but not helping) but even saying that, i feel i had most of what was required done, but i'm a big dummy so who knows
your knowledge is sexy
Did you use the copy partitions zip? You will brick if you don't do that after a MSM.
Process is:
MSM
Upgrade to C.48
Extract boot, dtbo, and vendor_boot from ROM
Fastboot flash dtbo, vendor_boot, and boot in that order
Reboot to recovery
Factory reset
Run copy partitions script
Reboot recovery
Flash ROM
Reboot
It shouldn't brick if you follow that process exactly.
zacattackkc said:
THANK YOU SIR, true gentleman. Your post I guess was the only one convincing enough that it was finally brushed through the beta testing phase enough that it would be worth trying. No real risk here considering its just using that awesome tool you mentioned in the post, which i've never heard of. will be using for now on. Dunno about any testing with this method so i thought i would owe the community my post. i saw the sahara error post not too long ago talking about a fix with no testing yet xD that made me laugh honestly. But yeah my phone is now converted global through payload.bin flash in fastbootd. Tmo Variant had me & my girls phone networked unlocked through the one guy that was doing it for free on here a while back.. then applied for unlock code and did it officially, never tried to convert due to brick concerns, so i had the easy route through the methods involved in this post, considering i was still on oos 11 with bootloader unlocked when reading this. anyways, i think its safe to say its fixed pretty hyped to flash roms now and not get bootlooped and excited to see where this variant is gonna go! thanks again mate.
Awesome, glad that it worked for you! There were two other testers before you as well as myself that have confirmed this method works, I guess I should have put that in the post. Thanks for being a guinea pig
question; so now that i did it through advanced boot app, does that mean my phone is officially seen as a global one? can i use global regular msm? can i use fastboot payload files for global, etc?
zacattackkc said:
question; so now that i did it through advanced boot app, does that mean my phone is officially seen as a global one? can i use global regular msm? can i use fastboot payload files for global, etc?
Click to expand...
Click to collapse
So your phone will be seen as global by OTAs but not the MSM. You would have to use a modded MSM Tool that flashes global firmware while targeting your device model.
EtherealRemnant said:
So your phone will be seen as global by OTAs but not the MSM. You would have to use a modded MSM Tool that flashes global firmware while targeting your device model.
Damn.. that seems to be the culprit of everyone's hard brick.. so what about fastboot flashing OEM software for global? I'm guessing that's not a problem because OTAs are of similar format, but just in a smaller package because it's adding only the updated parts instead of the full ROM.. and is this enhanced fastboot app an alternative to using msmtool and then unlocking bootloader and then flashing custom ROMs? Kinda seems like it would be. And as a matter of fact after using the enhanced fastboot tool I went ahead and put it into fastbootd and flashed payload and it wouldn't boot at first. The app itself gave me an error regarding some cow partitions (really strange and very new concept for me) and told me that I could possibly fix everything if I deleted the cow partitions so I did and then formatted data and it booted into nameless AOSP. This might be the new way to flash custom ROMs due to the simple fact that it's way quicker than having to use MSM tool and then unlock bootloader and then do all the intricate flashing custom ROM parts. Just put it in fastbootd and flash, just always have to make sure you format data afterwards to decrypt. This hasn't been fully tested, at least not that I'm aware of.
zacattackkc said:
Damn.. that seems to be the culprit of everyone's hard brick.. so what about fastboot flashing OEM software for global? I'm guessing that's not a problem because OTAs are of similar format, but just in a smaller package because it's adding only the updated parts instead of the full ROM.. and is this enhanced fastboot app an alternative to using msmtool and then unlocking bootloader and then flashing custom ROMs? Kinda seems like it would be. And as a matter of fact after using the enhanced fastboot tool I went ahead and put it into fastbootd and flashed payload and it wouldn't boot at first. The app itself gave me an error regarding some cow partitions (really strange and very new concept for me) and told me that I could possibly fix everything if I deleted the cow partitions so I did and then formatted data and it booted into nameless AOSP. This might be the new way to flash custom ROMs due to the simple fact that it's way quicker than having to use MSM tool and then unlock bootloader and then do all the intricate flashing custom ROM parts. Just put it in fastbootd and flash, just always have to make sure you format data afterwards to decrypt. This hasn't been fully tested, at least not that I'm aware of.
So honestly I haven't wanted to mess with it too much because it's such a chore to MSM and set everything back up. I can confirm the conversion works as long as you don't ignore any errors and continue (as you found out yourself with the cow files) but as for switching between custom ROMs, fastbootd is part of the custom recovery that we use to flash these ROMs and I don't know if it's possible to get a full flash using that custom recovery. When I tried to use an OOS12 OTA to skip having to use the MSM Tool to go back to stock, I got a partitions error and it rebooted to fastboot. Upon trying to flash the stock boot, dtbo, and vendor_boot, it bricked. I decided it was more important to figure out how to help people with their initial conversion process and I was frustrated because this particular brick was refusing to go into edl until I putzed around with the phone for a few minutes and managed to get it. It just isn't worth me possibly having an unrecoverable brick so I didn't mess with it any further.
In theory though, moving between custom ROMs using the same base firmware should be fine. People will have to test and find out.
EtherealRemnant said:
So honestly I haven't wanted to mess with it too much because it's such a chore to MSM and set everything back up. I can confirm the conversion works as long as you don't ignore any errors and continue (as you found out yourself with the cow files) but as for switching between custom ROMs, fastbootd is part of the custom recovery that we use to flash these ROMs and I don't know if it's possible to get a full flash using that custom recovery. When I tried to use an OOS12 OTA to skip having to use the MSM Tool to go back to stock, I got a partitions error and it rebooted to fastboot. Upon trying to flash the stock boot, dtbo, and vendor_boot, it bricked. I decided it was more important to figure out how to help people with their initial conversion process and I was frustrated because this particular brick was refusing to go into edl until I putzed around with the phone for a few minutes and managed to get it. It just isn't worth me possibly having an unrecoverable brick so I didn't mess with it any further.
In theory though, moving between custom ROMs using the same base firmware should be fine. People will have to test and find out.
I've been playing with them for the last 20 hours almost nonstop. I'm back to being T-Mobile but no MSM tool (yet) will work with it. I tried almost every T-Mobile MSM and a plethora of others have yet to work with it since. I also can't get my unlock_code.bin to work since I think somehow the code doesn't match with the region that it was applied with. So I can't unlock my bootloader to get any conversion scripts or flashing commands to work. fastbootenhanced doesn't work either. I don't know what to do, please help me cuz I goofed hard as hell somewhere.
YourLocalDund33 said:
I've been playing with them for the last 20 hours almost nonstop. I'm back to being T-Mobile but no MSM tool (yet) will work with it. I tried almost every T-Mobile MSM and a plethora of others have yet to work with it since. I also can't get my unlock_code.bin to work since I think somehow the code doesn't match with the region that it was applied with. So I can't unlock my bootloader to get any conversion scripts or flashing commands to work. fastbootenhanced doesn't work either. I don't know what to do, please help me cuz I goofed hard as hell somewhere.
Is the MSM saying device not match image, is it an unsupported target TMO error, what's the error?
EtherealRemnant said:
Is the MSM saying device not match image, is it an unsupported target TMO error, what's the error?
The MSM is saying it's a device mismatch and it thinks it's the Indian variant but everything else is T-Mobile (stock). Sorry about the late reply, it's a holiday for me here.
Edit: I am on Android version 12 now on T-Mobile, but I'm trying to get back to global rooted if that helps any with where I'm wanting to go with it.
Edit 2: when I tried to use the multi MSM tool provided I couldn't get O2 to show as an option anywhere, only Indian again.
YourLocalDund33 said:
The MSM is saying it's a device mismatch and it thinks it's the Indian variant but everything else is T-Mobile (stock). Sorry about the late reply, it's a holiday for me here.
Edit: I am on Android version 12 now on T-Mobile, but I'm trying to get back to global rooted if that helps any with where I'm wanting to go with it.
Edit 2: when I tried to use the multi MSM tool provided I couldn't get O2 to show as an option anywhere, only Indian again.
If it thinks it's an Indian variant, you use my modded MSM and select India for the target.
I recovered my bricked LE2110 from OnePlus 9 Pro Indian MSM tools and I wish to restore it to OnePlus 9 global ROM. I tried to use the "Fastboot enhance (version 1.3)" to flash the payload.bin into my LE2110, but I cannot find any "flash" button! The only button I can see is "Extract Image", am I missing something? I tried local upgrade but it cannot find the firmware file! Please help!
EtherealRemnant said:
If it thinks it's an Indian variant, you use my modded MSM and select India for the target.
That's why I edited my post, I tried to use the modded tool but it only gives the option for the Indian variant. The O2 option is not there boss.
YourLocalDund33 said:
That's why I edited my post, I tried to use the modded tool but it only gives the option for the Indian variant. The O2 option is not there boss.
Which mod are you using? There have been a bunch posted in this forum.
EtherealRemnant said:
Which mod are you using? There have been a bunch posted in this forum.
The one from the OP. It's the one that said it's multi support for Indian and global.
YourLocalDund33 said:
The one from the OP. It's the one that said it's multi support for Indian and global.
Try this one.
3.56 GB file on MEGA
mega.nz
That one is also multi target. Both of these have been tested, I don't know why it's not working for you. You can also try not selecting a target and see what happens, I have found I don't always need to select the target if my device firmware hasn't been too corrupted.
Beware that with this one, you can't unlock the bootloader until after you go to OOS12 because OnePlus bugged the erase script on 11.2.10.10.
EtherealRemnant said:
Try this one.
3.56 GB file on MEGA
mega.nz
That one is also multi target. Both of these have been tested, I don't know why it's not working for you. You can also try not selecting a target and see what happens, I have found I don't always need to select the target if my device firmware hasn't been too corrupted.
Beware that with this one, you can't unlock the bootloader until after you go to OOS12 because OnePlus bugged the erase script on 11.2.10.10.
I'm already OOS12. Still couldn't unlock bootloader. I was on chat with OnePlus support for an hour or so just a few minutes ago. They were a little slow with understanding the situation (didn't mention to them using a lot of modded MSM tools) but I did tell them I used the tool to reset it to stock. That and my unlock_code.bin was no longer working. They put me on chat with the higher team and then the supervisor herself overtook chat and had a look at when my original application for my phone was. She decided she will reissue me a new code and said after 24-48hrs I'll get the new code via email. How familiar are you with the erase script with the MSM tool?
YourLocalDund33 said:
I'm already OOS12. Still couldn't unlock bootloader. I was on chat with OnePlus support for an hour or so just a few minutes ago. They were a little slow with understanding the situation (didn't mention to them using a lot of modded MSM tools) but I did tell them I used the tool to reset it to stock. That and my unlock_code.bin was no longer working. They put me on chat with the higher team and then the supervisor herself overtook chat and had a look at when my original application for my phone was. She decided she will reissue me a new code and said after 24-48hrs I'll get the new code via email. How familiar are you with the erase script with the MSM tool?
It's not the MSM Tool that's borked, it's the ROM itself.
Looking for a stock c61 LE2115 Global boot.img (OnePlus 9).
I overwrote mine trying to root and now I can't get the phone to boot back into c61. I have access to fastboot though.
