I'm a novice enthusiast when it comes to phones. When my wife needed a replacement phone after hers started to fail (I blame repeated gravity-related incidents, but she insists that's not it), I decided to see if I could transform my old V20 into a "new" V20 for her. I didn't know what was to come, but I was going to do it!
This can also serve as a pseudo-guide for other novices, and something to laugh at for those more experienced as I list all the steps I took, and all the mistakes I made through the process. If you are going to use this as a guide, make sure you read it completely before starting! I've made mistakes, and I list them here, but don't repeat them!
Big list of files
Stuff for Linux live environment:
Etcherv1.7.9 https://github.com/balena-io/etcher/releases
steadfasterX's FWUL/mAid_v4.0-RC3_x86_64.iso https://leech.binbash.rocks:8008/mAid/
Stuff for Windows:
Android SDK Platform Tools (adb and fastboot) https://developer.android.com/studio/releases/platform-tools#downloads
LGMobileDriver_WHQL_Ver_4.8.0.exe http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00120120425
LGUP_Store_Frame_Ver_1_14_3.msi http://downloads.codefi.re/autoprime/LG/Flash_Tools/LGUP/
LGUP_Common_DLL_Ver_1_0_40_2.msi https://drive.google.com/uc?id=1MQ7u7ghlNNzjAgVkCpCmswdtZjeB3l6p&export=download&confirm=t
CXZa's utilities https://forum.xda-developers.com/t/lg-tools-lg-kdz-dll-tool-lgup_ui-fixer-lg-kdz-downloader.3916444/
Files you'll want on your external SD card:
H91810p_00_0717.kdz https://forum.xda-developers.com/t/...-and-including-20h-now-n00b-friendly.3773443/
Phoenix591's h918-20g-prerooted.zip https://forum.xda-developers.com/t/...-20g-20h-oreo-flashable.3848854/post-77987795
topjohnwu's Magisk-v23.0.zip (renamed from .apk) https://github.com/topjohnwu/Magisk/releases/tag/v23.0
TeamWin's twrp-3.6.1_9-0-h918.img https://dl.twrp.me/h918/
rootchecker apk https://apkpure.com/p/com.joeykrim.rootcheck
(optional but highly recommended) Darnrain1's Auto_Debloat v7.4 https://forum.xda-developers.com/t/...hones-volte-and-wifi-calling-working.4432865/
(optional) F-droid apk https://f-droid.org
(optional) laf_restore.zip https://forum.xda-developers.com/t/laf-restore-zip-file.4398879/
(optional) Phoenix591's encrypt-v3.zip https://forum.xda-developers.com/t/recovery-unofficial-twrp-3-3-1-1-2019-10-25.3720239/
Credits:
@topjohnwu for Magisk
@Phoenix591 for 20g in zip format and TWRP
@npjohnson for TWRP
@CXZa for their awesome LG utilities
@runningnak3d for the core of the project: lafsploit
@75th for updated method of using lafsploit
@steadfasterX for their amazing FWUL/mAid and SALT
@me2151 for their original root exploit Dirty Santa
@demasta123 for finding and sharing laf_restore.zip
@Darnrain1 for the excellent debloat script
What I did:
Flashed mAid_v4.0-RC3_x86_64.iso to my thumbdrive via Etcher.
Put the thumbdrive into my little Lenovo laptop and booted (had to reboot cause the bootloader menu was super brief), and selected "Search for GRUB2 configuration on external media"
Logged in (password is 'linux')
Connected to WiFi
Started V20 in download mode (VOLUP+USB)
Opened SALT and under Advanced found that none of my partitions were displayed (which I expected because the V20 has Universal Flash Storage).
In SALT there's three buttons on the bottom. The leftmost one allowed me to change all the ummm sources? builds? to 'develop' and then I restarted SALT. Now I can see the partitions!
Clicked the backup option and selected Custom. All the partitions appeared to be selected, but I can't see the whole window because it doesn't allow itself to be resized smaller than a certain point which was too large for my little laptop screen. Since it appeared that all the partitions were checkmarked, I tapped Enter and it prompted me for a location to save the 60GB(!) backup.
I opened the file browser and I found the laptop's internal hard drive listed as '158 GB Volume'. Clicking it prompted for a password so I tried 'linux' and it worked! I created a directory at /home/user/Documents/H918, then copied the very cryptic path from the address bar of the file browser over to SALT and started the backup.
I babysat the laptop so it would not fall asleep or w/e just in case that would ruin the backup.
It hung during the backup (possibly because I was looking for a way to change the mouse senstivity and the screen timeout) so I had to forcibly power off the laptop and reboot into FWUL/mAid. I had to remove the battery from the phone to get it out of download mode. I did everything as before but this time I am only backing up the userdata partition as it is by far the largest, and I am touching NOTHING during the process other than the occasional mouse jiggle. If/When that's done I'll backup everything else. I very much doubt I need the userdata but better safe than sorry. The speed is slow; less than 1GB/minute.
Hung again, and I discovered that my poor little laptop was super hot, so I think that my laptop's cooling has failed, or for some reason it doesn't engage in FWUL/mAid. I'll need to either find a cooling solution, or more likely use my big desktop for this.
I used my desktop to do this, and was able to extract all the partitions as .img files. I also captured my device info and saved it to the PC as well. I was going to do the rest of the steps right from FWUL/mAid but outside of SALT, I couldn't get anything to work. I think it was missing Java because nothing was listed for echo $JAVA_HOME and the ADB tool would not launch. I'll just do the rest from Windows.
Back in Windows I tried compressing the images with 7zip but it was being a resource hog so I'll do it later and let it run overnight since I want this super compressed.
I went through the process of unlocking the bootloader:
Booted up phone to OS.
Skipped/Bypassed as much of the initial setup as possible. For some reason it keeps telling me it will "process my request" when it has connection to the Internet (cell data or wifi). Don't know WTF that is. Hope it is wiped during the process of rooting and installing a new ROM.
PC didn't have drivers, but I ran the LGMobileDriver_WHQL_Ver_4.8.0.exe and it installed them.
Set USB mode to file transfer.
Enabled USB debugging.
Enabled Dev Options.
Enabled OEM unlock.
adb reboot bootloader
fastboot oem unlock
fastboot reboot
Since the userdata was wiped I had to go through the setup again, enabled dev options, usb debugging (oem unlock was enabled and greyed out unsurprisingly).
adb reboot bootloader
fastboot getvar unlocked (reported as yes; so the bootloader is successfully unlocked!)
Now for flashing H91810p_00_0717.kdz, I head back to FWUL/mAid to use SALT.
Or not. SALT doesn't work because LG changed something in regards to being able to flash as of MM, but it appears I can do this in Windows with LGUP.
A (device-specific?) DLL file is required for LGUP and after much searching I learned that it is extracted directly from the KDZ. Fortunately CXZa has some nifty tools available, one of which is a dll extractor which is perfect for this. The readme for the dll extractor said I should install LGUP_Common_DLL_Ver_1_0_40_2.msi in addition to LGUP_Store_Frame_Ver_1_14_3.msi so I did so. I used the dll extractor to get the needed dll file from H91810p_00_0717.kdz. The option to copy to the LGUP folder didn't appear to work so I tried again and told it to not copy the dll. It doesn't say as such but it places the extracted dll in the folder that the kdz was in with the same name as the KDZ +.dll.
Copied and renamed the extracted dll to 'C:\Program Files (x86)\LG Electronics\LGUP\model\Common\LGUP_Common.dll'
Upgraded LGUP with CXZa's tools (not really necessary but neat)
Ran LGUP as admin, selected UPGRADE, for the BIN file I selected the H91810p_00_0717.kdz that I downloaded from the link in the original lafsploit thread by runningnak3d, and clicked start (and held my breath...)
It worked! The phone rebooted as part of the process directly to the OS, and Settings > Phone Info shows "H91810p" so I should be ready for the next part which is following the updated lafsploit instructions by 75th with some minor edits by me for clarity: :
Boot from your FWUL/mAid USB stick.
Put your phone into download mode.
Double click the LG folder that is on the desktop.
Double click on open-lglafsploit.desktop and you will be at a terminal prompt.
Enter the following into that terminal. I'd copypasta the first line at least:
git clone https://gitlab.com/runningnak3d/lglaf -b h918-miscwrte
cd lglaf
./step1.sh
When you are told to, pull the USB cable, and the phone will power off. You now have TWRP on your laf partition.
I then booted to Download mode (VOLUP+USB) again and the phone booted to the TWRP 3.2.1-3 image installed on the laf partition. I did not mount system as rw (keep as read only). Chose Install > Install Image > and browsed to the TWRP image (twrp-3.6.1_9-0-h918.img) on my external SD. For the location to flash it I selected Recovery, and then swiped to flash.
When complete I hit the Back button twice, and changed to Install Zip. Selected Magisk-v23.0.zip, and swiped to confirm flash. When done wiped cache/dalvik, then reboot system. I opted to not install the TWRP app.
Back in the OS I turned on wifi because Magisk had to download the full app. Once Magisk was done I turned off wifi because holy **** why are outbound firewalls not a thing on phones!? Then w/in the Magisk app I selected Install, checkmarked both Preserve AVB 2.0/dm-verity and Preserve force encryption (I learned later this was a big mistake), and then chose the Direct Install method, and rebooted when it completed.
I then installed the root checker apk, and it verified that I was rooted!
Spoiler: THIS IS THE PART WHERE I AM ACTUALLY RETARDED
Read this section if you want to laugh at me, but don't follow any of the steps because it was a massive mistake due to my catastrophic stupidity.
Recovery and download mode issues?
If I am in the OS I can use adb reboot recovery and it will boot to TWRP 3.6.1_9-0 as expected. However if I do the hw key combo of VOLDN+PWR release PWR, hold PWR again, it takes me to what appears to be some stock "recovery" that only gives me the option to factory reset the device. Oddly, you have to tell it to reset your device and it will load TWRP 3.6.1_9-0 instead of doing a factory reset.
Also, if I try to go to download mode (which should have been replaced with a version of TWRP as part of the lafsploit process) it only brings me to a screen that says "Welcome to Fastboot Mode". This would be fine, but if I run fastboot reboot recovery it reboots not into recovery, but into the OS so I wonder if this fastboot mode is broken in some way. The *only* thing I can think of that may have caused fastboot to replace TWRP is installing Magisk as its process of patching the image(s) may have changed the laf partition from TWRP to fastboot. I also end up here if I am in TWRP and select reboot to bootloader, so is "download mode" == "bootloader"? I thought they were different tbh...
Next step is to get onto stock Oreo so I can run the debloater. To get oreo, Darnrain1 says "I have learned from experience that v20h has kernel panic green screen errors. Best to use v20g if you can." https://forum.xda-developers.com/t/...hones-volte-and-wifi-calling-working.4432865/
Ok so I'm wrong about the lafsploit TWRP being gone. When I attempted to flash to an Oreo ROM (H91820g_00_1010.kdz) via LGUP, it rebooted to TWRP 3.2.1-3! So the TWRP used to replace Download mode (the laf partition) is still there, but why do I get a fastboot prompt when I attempt to boot to download mode via the VOLDN+USB?
Summary:
In Android OS, adb reboot bootloader --> fastboot prompt
In Android OS, adb reboot recovery --> TWRP 3.6.1_9-0
In Android OS, adb reboot fastboot --> Android OS
In fastboot prompt, fastboot reboot bootloader --> fastboot prompt
In fastboot prompt, fastboot reboot recovery --> Android OS
In fastboot prompt, fastboot reboot --> Android OS
Within (either) TWRP, reboot bootloader --> fastboot prompt
Within (either) TWRP, reboot recovery --> TWRP 3.6.1_9-0
VOLDN+PWR, release PWR for 1s, hold PWR again --> TWRP 3.6.1_9-0 (after being prompted to factory reset)
VOLDN+USB --> fastboot prompt
Since LGUP won't work w/o the original laf partition for download mode, I had to find a copy of the laf_restore.zip at https://forum.xda-developers.com/t/laf-restore-zip-file.4398879/ since the links for it in the OP were dead. Flashed it via recovery TWRP 3.6.1_9-0, wiped cache/dalvik (probably not needed tbh), then reboot system.
Copied and renamed the dll extracted from H91820g_00_1010.kdz to 'C:\Program Files (x86)\LG Electronics\LGUP\model\Common\LGUP_Common.dll'. I suspect that I can just use the latest version of the dll, but I'm not going to risk anything so I will just use the one extracted from the very KDZ I'm flashing.
Ran LGUP as admin, selected UPGRADE, for the BIN file I selected the H91820g_00_1010.kdz file.
After reboot the phone reported its software version as H91820g. Magisk was still installed, but not surprisingly, root had been lost. This time there wasn't an easy Direct Install option so I'll need to extract the boot image so that Magisk can patch it, then I can flash it.
PROBLEM! Looks like the KDZ isn't just the OS, but also (all?) other partitions including recovery! I no longer have TWRP for my recovery. I really hope I can flash H91810p_00_0717.kdz back and redo lafsploit.
I was able to use LGUP to flash back to H91810p with the only complaint that the phone couldn't be decrypted so it had to be reset, which wasn't a problem and I let it do so.
I think I'm ****ed. Although I was able to reflash H91810p, I cannot run the lafsploit again because I only get "fastboot mode" when I hold VOLDN and plug in the USB. This fastboot mode doesn't work with the lafsploit script. I also do not have a recovery. adb reboot recovery sends me to a screen with a dead android mascot with a red triangle and the text "No command". Neither adb devices[ICODE] nor [ICODE]fastboot devices will list the phone in this mode, and LGUP doesn't see it. My recovery is totally broken.
I attempted fastboot flash recovery twrp-3.6.1_9-0-h918.img but got:
Sending 'recovery' (24948 KB) OKAY [ 3.608s]
Writing 'recovery' FAILED (remote: 'unknown command')
fastboot: error: Command failed
I used LGUP to once again reflash H91810p, and even though that should wipe everything, I also did the VOLDN+PWR, release PWR, press PWR, and told it to factory reset (no TWRP here of course so it actually factory reset). I jumped through initial ****up again and enabled dev options and USB debugging.
Now the phone isn't seen by LGUP. In device manager it shows as "Android Sooner Single ADB Interface". No COM ports. WTF!?
I tried running LGMobileDriver_WHQL_Ver_4.8.0.exe again. It didn't throw errors but nothing changed. Tried uninstalling the "sooner" device and reinstalling the LGMobileDriver. The "sooner" device just reappeared.
Windows Explorer gave me a hint though. It just showed "V20" listed with no access to its storage. On the phone I changed its USB mode to file transfer and now it shows up as a COM port. I'd forgotten that I had set the phone to always do file transfer before wiping it so it always showed up as a COM port in DM. God I'm dumb.
Now for something really ghetto. Since LGUP does send the phone into download mode when I tell it to flash, and I need to be in that mode to run the lafsploit script, I'm going to tell it to flash my phone and yank the USB cable as soon as the phone powers off for a reboot into DL mode.
It seems to have actually worked? Below is the output of my run of step1.sh:
This will install TWRP.
You do NOT need to do ANYTHING!
If it fails, NO damage is done to your phone.
If the hash check fails, it will make five attempts.
If after five attempts, it does not get a hash match, it will abort.
NO damage has been done to your phone.
You can re-run this script as many times as you want, however,
if you are not getting a hash match, you should try a different PC,
or a different cable, or a different USB port.
Press any key to continue...
Flashing... this will take a while.
Flashing TWRP to lafbak. Please wait...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Dumping lafbak for hash check...
[ 100 % ] 2022-04-25 20:22:36,237 partitions: INFO: Wrote 50331648 bytes to h918-twrp-tmp.img
Trimming trailing zeros
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S97ccbe70f0431f824a0f46c4256f0e7f3c1b6e0e9ac35f69978fbd58fe2b55be
Hash check failed! Retrying for 5 times.
Attempt 1 - Press ctrl C to break
Flashing TWRP to lafbak. Please wait...
[ 100 % ] 2022-04-25 20:23:58,271 partitions: INFO: Done after writing 29798400 bytes from h918-twrp.img
Dumping lafbak for hash check...
[ 100 % ] 2022-04-25 20:24:02,820 partitions: INFO: Wrote 50331648 bytes to h918-twrp-tmp.img
Trimming trailing zeros
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Hash check passed. Copying TWRP to laf
Flash sucessful! Unplug your USB cable and your phone will power off.
Once your phone is off, go back into download mode - hold vol up and plug the USB cable back in.
Once TWRP loads, you need to flash TWRP onto recovery.
Attempt 2 - Press ctrl C to break
Flashing TWRP to lafbak. Please wait...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Dumping lafbak for hash check...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Trimming trailing zeros
sha256sum: test.img: No such file or directory
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S
Hash check failed! Retrying for 5 times.
rm: cannot remove 'h918-twrp-tmp.img': No such file or directory
rm: cannot remove 'test.img': No such file or directory
Attempt 3 - Press ctrl C to break
Flashing TWRP to lafbak. Please wait...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Dumping lafbak for hash check...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Trimming trailing zeros
sha256sum: test.img: No such file or directory
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S
Hash check failed! Retrying for 5 times.
rm: cannot remove 'h918-twrp-tmp.img': No such file or directory
rm: cannot remove 'test.img': No such file or directory
Attempt 4 - Press ctrl C to break
Flashing TWRP to lafbak. Please wait...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Dumping lafbak for hash check...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Trimming trailing zeros
sha256sum: test.img: No such file or directory
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S
Hash check failed! Retrying for 5 times.
rm: cannot remove 'h918-twrp-tmp.img': No such file or directory
rm: cannot remove 'test.img': No such file or directory
Attempt 5 - Press ctrl C to break
Flashing TWRP to lafbak. Please wait...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Dumping lafbak for hash check...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Trimming trailing zeros
sha256sum: test.img: No such file or directory
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S
Hash check failed! Retrying for 5 times.
rm: cannot remove 'h918-twrp-tmp.img': No such file or directory
rm: cannot remove 'test.img': No such file or directory
Hash check failed after 5 attempts - exiting
[[email protected] lglaf]$
Strange that it ran 5 times even though appears to have worked the first time? Well let's see if it works.
I followed the instructions to get back into download mode by plugging the USB cable back in while holding VOLUP...
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
It's ****ing volume up and USB. Volume up. UP. UUUUUUUUUUPPPPPPPPP! At some point my brain decided "DOWNload mode is accessed by pressing volume DOWN + USB"
With 10p and the original laf back on the phone I went through the same steps as before for lafsploit and got TWRP 3.6.1_9-0 flashed onto recovery again. I figured that since I have to re-run Magisk after flashing 20g there isn't any point to doing it now so I skipped it this time.
Then w/in recovery I flashed h918-20g-prerooted.zip, wiped cache, and rebooted to System. Once there I went into Magisk and did the recommended Direct Install method for patching the image and rebooted. Tested with a root checker app and we have root!
Sweet, now it is time to debloat the phone and get it set up for actual use, but first I will check to make sure my tools are still accessable.
VOLUP+USB will show TWRP 3.2.1-3 briefly then the phone reboots... which is super odd, but not a dealbreaker since the VOLDN+PWR, release PWR for 1s, press PWR method gets me to actual recovery (TWRP 3.6.1_9-0).
Going into recovery I find that the device is encrypted and asks for a password that I never configured (was this set up on first boot of 20g, or did Magisk do this?). Reading online looks like you can virtually never decrypt your data in TWRP, but if you want to make any changes you'll need to get rid of the encryption. That's a shame because it's like you can have either a secure device (encrypted), or a usable one (rooted and debloated). I need a usable one so goodbye encryption.
Wipe > Format data > reboot
It booted to something called "Secure start-up" and said "Decryption unsuccessful" and that I needed to reset the phone. Sure, whatever. It then rebooted to recovery (TWRP 3.6.1_9-0). Weird. But data was not encrypted this time. Tried rebooting to system and got the same secure startup thing. Tried resetting again and back to recovery. Decided to just flash the 20g zip again and reboot.
I am at Secure start-up again! WTH?! I told it to reset to get me back to TWRP and here under Wipe I selected
Dalvik
System
Data
Internal Storage
Cache
and did a Format Data again. Then told it to reboot to Recovery, not System.
Back in TWRP I told it to mount System and allow modifications. Changed the filesysem of System from vfat to ext4 to make extra sure System was nuked. Reboot System (it shouldn't boot to anything if the ****er is actually wiped this time). Hung on LG logo, so I'm pretty sure I was able to remove the old OS.
Pulled battery, and did the VOLDN+PWR, release PWR for 1s, press PWR dance to get into "factory reset" which in reality leads to TWRP 3.6.1_9-0. Flashed 20g again, hopefully with better success.
Secure start-up! Why won't this thing die?! I initially thought that it was the ROM itself, or wiping data in TWRP irrevokably ****ed it somehow. Further reading lead me to this post by Theraze who clued me in that TWRP for V20 has a bug that doesn't properly clear the encryption flag. Fantastic.
I would go back and start over but I don't think I can. I'd need to use the LGUP utility, but since the phone doesn't present itself as a COM port anymore I
don't think it will work. On a whim I tried LGUP... and after like a full minute it ****ing sees the phone! I will try flashing H91810p_00_0717.kdz onto it again. It booted to TWRP 3.2.1-3 lol. I forgot we replaced the laf dl mode with TWRP.
Went to TWRP 3.6.1_9-0, flashed laf_restore.zip, rebooted to system ~SuCKurE sTarTuP~. Ran LGUP again and told it to flash 10p again. (I really wish the default option was UPGRADE and not REFURBISH; I'm sure I'm going to **** it up one of these times)
I can't believe it. I literally cannot believe it. After flashing H91810p_00_0717.kdz via LGUP I am at the Secure start-up screen. The only difference is it looks slightly different due to it being Nougat this time instead of Oreo. I told it to reset the phone JIC it will actually work, and went to pour myself a stiff drink.
Resetting actually worked. Holy. ****.
FWUL/mAid, lafsploit, flash TWRP 3.6.1_9-0 to recovery, reboot to recovery (no encryption prompt), reboot system, no secure setup.
Tried VOLDN+PWR, release PWR for 1s, press PWR, but it did not put me into recovery. It erased my device. Power off, VOLUP+USB, went into TWRP 3.2.1-3. Reboot recovery. Dead droid "no command" again. GDI.
TWRP 3.2.1-3, flash laf_restore (glad it let me; was worried that I couldn't flash the laf partition while on lafTWRP), reboot system. LGUP to flash 10p AGAIN. Didn't erase the device so didn't need to do setup again at least.
FWUL/mAid, lafsploit again.
In TWRP 3.2.1-3 I did nothing but flash TWRP 3.6.1_9-0 to Recovery and reboot system. Then I ran adb reboot recovery. Dead droid, no command. ****.
LGUP to flash 10p yet again, but this time after it booted up, I did the VOLDN+PWR dance and told it to factory reset. It rebooted and I did setup again, and rebooted to system once before shutting down.
FWUL/mAid and lafsploit yet again.
Unplugged USB and the phone powered off like it should. Then VOLUP+USB. Swiped to allow modifications.
Wiped:
Dalvik
Data
Internal Storage
Cache
Format Data:
Formatting Data using make_ext4fs...
Failed to mount '/data/ (Device or resource busy)
Failed to mount '/data/ (Device or resource busy)
Unable to recreate /data/media folder.
You may need to reboot recovery to be able to use /data again.
Updating partition details...
Failed to mount '/data/ (Device or resource busy)
...done
Unable to mount storage
Opening TWRP's terminal and doing ls shows a /data with lost and found so it's there and empty.
Ran the following command via the TWRP terminal in case the GUI method of flashing is somehow not working:
dd if=/external_sd/Docs/TWRP/twrp-3.6.1_9-0-h918.img of=/dev/block/bootdevice/by-name/recovery
I tried running the following but the file didn't exist:
rm /system/recovery-from-boot.p
Flashed Magisk23.0.zip and again 'Failed to mount '/data/ (Device or resource busy)'. Tried to wipe dalvik/cache but it failed. Reboot System.
Went through initial ****up again. Completed and did adb reboot recovery.
Got to TWRP 3.6.1_9-0. This time. Swiped to allow modifications. Reboot system.
adb reboot recovery
Got TWRP 3.6.1_9-0 so it *might* be working now. Reboot > power off.
Tried VOLDN+PWR dance and it took me to recovery.
I think the lesson is wipe the **** out of the device after getting into lafTWRP both before and after flashing new TWRP to Recovery. Also swipe to allow modification so if there's secret sauce behind the scenes in System that's killing recovery TWRP it is neutralized during the process of getting 3.6.1_9-0 flashed. I am unsure if flashing Magisk is required as part of the process. I don't believe it is as I think mounting system as rw and wiping the other partitions is what's really needed, but I don't think it actually harms anything. (later on I learned that wiping is only part of it; Magisk and no-verity-opt-encrypt are what's needed to stop the encryption that was causing secure startup)
I rebooted to system and again adb reboot recovery. I went to TWRP 3.6.1_9-0 but it did not prompt me about swiping to make modifications so I immediately did reboot system. I was expecting Secure startup but it didn't appear, thank ****.
Back to recovery and I flashed no-verity-opt-encrypt-6.1.zip in the hopes that it would prevent Suckure startup from occuring again when I flash 20g in a minute. Wiped dalv/cache tho probably unnecessary. Reboot system.
No problems thus far. Time to flash 20g again.
Rebooted to recovery and told it to flash 20g. Since I've learned how amazing and cathartic wiping is, I formated data, and then wiped:
Dalvik/Cache
Data (probably not needed)
Internal Storage
Cache
Reboot system.
Secure start-up. *sigh*
VOLDN+PWR dance actually worked this time so that's nice. Swiped to allow modifications. Flashed no-verity-opt-encrypt-6.1.zip. Format data, wipe dalvik data internal cache again. Reboot system.
Secure start-up.
Recovery > flashed laf_restore > reboot system. Secure startup ofc, but I can run LGUP and flash 10p KDZ again to start over. Again.
I'm 99.999% sure that encryption being enabled is the problem.
In https://forum.xda-developers.com/t/twrp-3-1-1-0-touch-recovery.3603760/post-73129295 me2151 says that "Encryption unsuccessful is because you did not do supersu or something to disable force-encrypt". Note that he says "Encryption unsuccessful" but the problem I have is "decryption unsuccessful". Not sure if a typo or a different issue.
Phoenix591 says https://forum.xda-developers.com/t/twrp-3-1-1-0-touch-recovery.3603760/post-75429764 "You need to either root or install no-verity-opt-encrypt to keep stock from replacing twrp with stock recovery iirc"
This makes me think that I'll need to flash Magisk *and* no-verity-opt-encrypt to ensure that there is no encryption at all for the data partition.
FWUL/mAid froze while I was doing this so I hope my notes are correct as they're from my highly fallible memory:
lafsploit
VOLUP+USB > lafTWRP
Left system as ro
Format data (It even mentions we'd need to reenter recovery for data to be accessible again ffs. No wonder I was getting Failed to mount '/data/ (Device or resource busy). I need to learn how to read.)
Reboot > Power off
VOLUP+USB > lafTWRP
System ro
Wipe dalv, data, internal, cache
Flash Magisk (it mentions that forceencryption is enabled and will keep it that way when patching)
Flash no-verity-opt-encrypt-6.1.zip (to override the forced encryption)
Flash TWRP 3.6.1_9-0 to recovery
Reboot recovery
Made it to TWRP 3.6.1_9-0, yay
I would have left ro if prompted; for some reason the prompt about system modifications is inconsistant; sometimes it asks, sometimes not
Reboot system
Did first time setup again, dev options, turn on wifi, let magisk update and let it reboot
Back in system used Magisk's Direct Install method leaving "preserve AVB" UN-checked in case AVB forces encryption back on. Interestingly there wasn't an option for 'Preserve force encryption' so I think no-verity-opt-encrypt is working.
Rebooted
Installed root check app and we have root
Reboot recovery
Format data
Reboot RECOVERY (NOT system!)
Wipe dalv, data, internal, cache
Reboot RECOVERY (NOT system!) <-- not sure if needed, but I'm so sick of secure setup
Flash 20g zip
Flash magisk
Flash no-verity-opt-encrypt
Reboot system this time
Oh my ****ing god it's not at secure setup! It's at the normal first time setup for Oreo!
Did first time setup again, dev options, turn on wifi, let magisk update and let it reboot
Back in system used Magisk's Direct Install method leaving "preserve AVB" UN-checked in case AVB forces encryption back on (still no Preserve force encryption) and rebooted
Installed root checker and it's rooted
Tested adb reboot recovery and it worked
Tested VOLDN+PWR dance and it worked
Time for debloat
Already in recovery from testing the methods to get into recovery
Wipe > advanced > just dalvik and cache this time (hope this is all I need to do)
Flash Auto_Debloat v7.4
Swiped to wipe dalv/cache JIC
Reboot system
Success!
I suspect that (but haven't tried) flashing encrypt-v3.zip at this point will encrypt userdata and have it decryptable in TWRP. It might not work with the official TWRP 3.6.1_9-0, but Phoenix591 says it should with his version of TWRP. However, this adventure has gone on long enough so I'm not keen on trying it. Maybe later when I have some energy.
Well that was a trip. Skimmed through didn't read everything. Liked the touch of memes properly used. Congrats.
lol thank you. It was quite the journey but I feel like I learned from it so it was a good experience.
Oh fer... yep. Lol That's about what a nightmare (journey is a good word, too lol) rooting phones can be & precisely why 7% (at the VERY most) of cell phone users really end up doing it. I'm just glad to be a part of (the even smaller) percentage of us that enjoy helping one another. Thanks to all for being so helpful.
Good job Sidney & thank you.
Nice report. Read bits here and there - as usual.
And very detailed. I should start taking notes too...
SidneyD said:
dead android mascot with a red triangle and the text "No command"
Click to expand...
Click to collapse
Some stock recoveries does this. Next time try pressing power and then Vol Up shortly...
always good to see users sharing their knowledge and congrats that you was steadfast enough going through all this !
Thanks for that and as a little site note: SALT can extract KDZs too, ofc even with the DLL needed for LGup later
I found that attempting to format my thumb drive back to a general purpose storage device only showed 60MB of space. I've experienced this before and knew that I had to use the diskpart command to fix the partitions. I fixed it by following the guide at: https://www.diskpart.com/articles/how-to-format-usb-drive-in-command-prompt-7201.html
Be careful about selecting the correct disk number!
SidneyD said:
I found that attempting to format my thumb drive back to a general purpose storage device only showed 60MB of space. I've experienced this before and knew that I had to use the diskpart command to fix the partitions. I fixed it by following the guide at: https://www.diskpart.com/articles/how-to-format-usb-drive-in-command-prompt-7201.html
Be careful about selecting the correct disk number!
Click to expand...
Click to collapse
Awesome. Thx Sidney.
Thanks for the guide. Were you able to keep VoLTE? Does this re Sim Lock the phone? Thanks from a nervous noob
Related
Hi,
After downloading the official image with android-1.5 (also known as
signed-dream_devphone_userdebug-img-150275.zip) for adp1 from the link
(http://www.htc.com/www/support/android/adp.html#s3) provided by HTC
and unzipping the image into someplace you want in the terminal, and
then four files with the same extension of .img will be got, as shown
below.
boot.img
recovery.img
system.img
userdata.img
Here's a discussion mainly focused on how to extract these contents of
the last two images for adp1 on host.
With respect to how to extract these contents of the first two images
for adp1 on host, please refer to the following link. Meanwhile,
thanks for the community efforts as well!!
http://forum.xda-developers.com/showthread.php?t=443994
http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_....
1> system.img
==> the unyaffs2 tool is used to extract the contents from system.img
on host.
For the tool, you can access its source code with the license of GPLv3
located at the link (http://code.google.com/p/unyaffs/) and download
the source code and its binary.
2> userdata.img
While using the aforementioned tool extracting these contents of
userdata.img, the contents fail to be got on host and just a message
of "end of image" is shown up in the terminal, as follows.
$ chmod a+x unyaffs
$ unyaffs userdata.img
end of image
So, the problem to be asked is about how to extract contents of
userdata.img for adp1 on host!!
Any input will be greatly appreciated!!
for the official rom, userdata should be empty isn't it?
You could flash userdata and then boot into recovery, mount data, and adb pull /data.
I'm also interested in extracting boot and recovery images, so any hints please post here
First off, thanks for your reply, billc.
As regards the issuse that if the image of userdata.img is empty, the two methods are taken, as follows. (so sorry that the below is too long. )
1. checking that with bash command in the terminal
$ ls -lh
total 57M
-rw-r--r-- 1 samuel samuel 1.6M 2009-01-01 00:00 boot.img
-rw-r--r-- 1 samuel samuel 1.8M 2009-01-01 00:00 recovery.img
-rw-r--r-- 1 samuel samuel 54M 2009-01-01 00:00 system.img
-rw------- 1 samuel samuel 2.1K 2009-07-02 08:23 userdata.img
With the first scenario, the size of "userdata.img" is shown as "2.1K", which seems to indicate that the image of "userdata.img" isn't empty, instead of with the size.
2. checing that with programs (unyaffs.c[1]/unyaff.h[2]) for the tool of "unyaffs"
[1]http://unyaffs.googlecode.com/files/unyaffs.c
[2]http://unyaffs.googlecode.com/files/unyaffs.h
(NOTE: the instruction of complicatioin is "gcc -o unyaffs unyaffs.c" with the version 4.2.4 of gcc)
After compiling, the executable tool is got in your directory, also known as "unyaffs". And then, type the instruction with the terminal below.
$ unyaffs userdata.img
end of image
Unfortunately, there is nothing out there after extracting contents of "userdata.img" with the size of "2.1K"(-the length really includes what contents?). Only a message of "end of image" is shown up with the terminal.
To get more information about the message of "end of image, therefore, diving into the C file used to generate the tool of "unyaffs", getting the following connents. Meanwhile, please also pay more attention to the lines with the bold.
int read_chunk()
{
ssize_t s;
int ret = -1;
memset(chunk_data, 0xff, sizeof(chunk_data));
s = read(img_file, data, CHUNK_SIZE + SPARE_SIZE);
if (s == -1) {
perror("read image file\n");
} else if (s == 0) {
printf("end of image\n");
} else if ((s == (CHUNK_SIZE + SPARE_SIZE))) {
ret = 0;
} else {
fprintf(stderr, "broken image file\n");
}
return ret;
}
And then, indexing the function in the Linux Programmer's Mannual with the command of "man read" in the terminal to get more info, as shown below. In the meantime, please pay more attention to the lines with the bold as well.
$man read
...
...
NAME
read - read from a file descriptor
SYNOPSIS
#include <unistd.h>
ssize_t read(int fd, void *buf, size_t count);
DESCRIPTION
read() attempts to read up to count bytes from file descriptor fd into
the buffer starting at buf.
If count is zero, read() returns zero and has no other results. If
count is greater than SSIZE_MAX, the result is unspecified.
RETURN VALUE
On success, the number of bytes read is returned (zero indicates end of
file), and the file position is advanced by this number.
...
...
Just judging from the combination of the snippet of "unyaffs.c" and the mannual of "read" above, the conclusion below can be come to.
The real contents of "userdata.img" with the size of "2.1k" is exactly empty ending up with "end of file".
When compared the two conclusions as mentioned above, it's found that the both are just contrary, the former ISN'T empty while the latter IS empty.
So, there are a set of problems about the above confusion herein.
Q1: What contents exactly does the "userdata.img" with the size of "2.1k" mean?
Q2: What contents and from which position does the function of "read" read in the file? In the case of "userdata.img", what are"what contents" and "from which position" respectively?
Q3: According to the above two scenarios, what steps to take are to judge if the file is really empty?
Looking forward to your replies, thanks!!
to jubeh,
As to extracting the images of boot and recovery from adp1/g1, you can refer to the following links. hope that that's helpful.
http://forum.xda-developers.com/showthread.php?t=443994
http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images
I'm looking at getting into rom cooking with this latest cyanogen fiasco, but i'm having errors getting repo set up, and i'm wondering if it's my configuration.
I'm running OS X 10.5.8, everything is updated, and i've followed the whole guide from source.android.com, up to a certain point.
when i run "repo init -u git://android.git.kernel.org/platform/manifest.git", i get this error:
Code:
Traceback (most recent call last):
File "/Users/aaron/bin/repo", line 595, in <module>
main(sys.argv[1:])
File "/Users/aaron/bin/repo", line 562, in main
_Init(args)
File "/Users/aaron/bin/repo", line 181, in _Init
_CheckGitVersion()
File "/Users/aaron/bin/repo", line 210, in _CheckGitVersion
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)
File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/subprocess.py", line 593, in __init__
errread, errwrite)
File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/subprocess.py", line 1079, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory
anyone else have this error or know how to correct it?
side note, I made a partition on an external hard drive for nabbing the source, i'm CDing to the /Volumes/Android/mydroid before i run the command. ( the partition is HFS journaled/case sensitive) and have all the port stuff installed onto my Mac hard drive
Nevermind, my path settings aren't sticking for some reason. resetting the path solved my problems
[GUIDE][UTIL][MT65xx] Create Scatter File / Dump Full ROM
For any MT65xx device, no matter how obscure.
I will discuss a method for:
* making your own SPFT scatter file
* dumping your entire ROM (without root)
* dicing up your entire ROM into partition blocks
This is somewhat of a manual process. rua1's MTK Droid Root & Tools circumvents the need for doing most of this. I applaude his work, it's a big undertaking and he supports it well.
Here are a few reasons to use the method I discuss here:
* you want a ROM dump without rooting
* you want a ROM dump without your OS booted (clone cold system is safe)
* you want a guaranteed way to restore exactly current state (safety and return to store)
* you are just plain worried something will go wrong
-------------------------------------
I have two methods for creating a scatter file.
Method #1
Find your scatter information in SP Flash Tool's Logs
Well first, you have to make SP Flash Tool happy enough to give you some information about your device.
* Obtain a SPFT ROM that is known good for any phone/tablet, preferrably with the same chip as yours. Make sure that scatter file loads into SPFT without error, SPFT checks the PRELOADER and DSP_BL and if they aren't in the scatter directory, it will fail and maybe crash.
* Close SPFT, now modify the MT*scatter.txt file and introduce a few errors in the partition names, but don't change PRELOADER or DSP_BL. An example, instead of "ANDROID" replace it with "DEADBEEF". You ask why? Well you want to make SURE that the "Download" feature fails. You DON'T want the "Download" to actually work and write your random SPFT ROM to your new device. After loading the freshly broken scatter file, click "Download" and hook up your MTK device in preloader / META Mode. It will say your PMT block does not match the scatter file. ERROR:
* Go to SPFT's menu "Help / Open logs folder" and find the latest date. Open the BROM_DLL*.log in your text editor. Search for text that looks like this, I'd first search for "CMD_ReadPartitionInfo():
Code:
11/14/13 09:01:27.382 BROM_DLL[3836][2208]: DA_cmd::CMD_ReadPartitionInfo(): command is allowed. (FlashToolLib/sv5/common/generic/src/da_c
md.cpp:5242)
11/14/13 09:01:27.382 BROM_DLL[3836][2208]: DA_cmd::CMD_ReadPartitionInfo(): getting 20 partitions .. (FlashToolLib/sv5/common/generic/src
/da_cmd.cpp:5269)
11/14/13 09:01:27.397 BROM_DLL[3836][2208]: DA_cmd::CMD_ReadPartitionInfo(): dump 20 partitions (FlashToolLib/sv5/common/generic/src/da_cm
d.cpp:5279)
11/14/13 09:01:27.397 BROM_DLL[3836][2208]: PART[0 ](PRELOADER ) - offset (0x0000000000000000) - size (0x0000000000040000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.397 BROM_DLL[3836][2208]: PART[1 ](DSP_BL ) - offset (0x0000000000040000) - size (0x00000000005C0000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.397 BROM_DLL[3836][2208]: PART[2 ](MBR ) - offset (0x0000000000600000) - size (0x0000000000004000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[3 ](EBR1 ) - offset (0x0000000000604000) - size (0x000000000005C000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[4 ](__NODL_PMT ) - offset (0x0000000000660000) - size (0x0000000000400000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[5 ](__NODL_NVRAM ) - offset (0x0000000000A60000) - size (0x0000000000300000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[6 ](__NODL_SECCFG ) - offset (0x0000000000D60000) - size (0x0000000000020000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[7 ](UBOOT ) - offset (0x0000000000D80000) - size (0x0000000000060000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[8 ](BOOTIMG ) - offset (0x0000000000DE0000) - size (0x0000000000600000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[9 ](RECOVERY ) - offset (0x00000000013E0000) - size (0x0000000000600000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[10](SEC_RO ) - offset (0x00000000019E0000) - size (0x0000000000600000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[11](__NODL_MISC ) - offset (0x0000000001FE0000) - size (0x0000000000060000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[12](LOGO ) - offset (0x0000000002040000) - size (0x0000000000300000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[13](__NODL_EXPDB ) - offset (0x0000000002340000) - size (0x00000000000A0000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[14](EBR2 ) - offset (0x00000000023E0000) - size (0x0000000000004000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[15](FAC ) - offset (0x00000000023E4000) - size (0x0000000010000000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[16](ANDROID ) - offset (0x00000000123E4000) - size (0x0000000020100000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[17](CACHE ) - offset (0x00000000324E4000) - size (0x0000000020100000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[18](USRDATA ) - offset (0x00000000525E4000) - size (0x0000000020100000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[19](FAT ) - offset (0x00000000726E4000) - size (0x0000000000000000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
Make sure you aren't looking at a dump of your scatter, but looking at the partition dump from your device. (If it contains DEADBEEF flag from above, you are looking at the wrong part of the log.) You can manually create a scatter file from that, or you can paste the lines with partition info into a text file and run this shell script:
Code:
cat pastedlog.txt | sed -n 's/.*](\([^ ]*\)[^(]*(\([^)]*\).*)/\1 \2\n{\n}/p' | sed 's/x00000000/x/g' > mynewscatter.txt
This will get you really close, but the last entry you see in a typical scatter file is BMTPOOL. I don't know much about BMTPOOL or __NODL_BMPPOOL other than it's not a real partition. It might not even be required? (You might be able to fake that entry if you look at similar scatter files. If not, read on)
Method #2
An alternate and supplemental way of getting scatter info is to use ADB on a running device. I'm sure this is similar to MTK Droid Root & Tools method.
Code:
adb pull /proc/dumchar_info
Now that you have that file local on your PC, you can run this python script:
Code:
import sys
import string
import re
ins = open( "dumchar.txt", "rb" )
outs = open( "scatter.txt", "wb" )
for line in ins:
linesp = re.split('\W+', line)
name = linesp[0].upper()
start = int(linesp[2],16)
block = linesp[5]
if block != 'misc':
start = start + 0x600000
outs.write(name + " " + string.replace(hex(start), "L", "") + "\n{\n}\n")
ins.close()
outs.close()
This method gives you the BMTPOOL entry that the other method does not, but it lacks the __NODL_ designator for all partitions. If you aren't familiar with that prefix, SPFT uses that to know if it should typically allow you to DownLoad over the top of the paritition.
With both scatter files, throw them side-by-side in a text editor (or diff tool) and with a brain, it's easy enough to merge one with the __NODL_ prefix and the one with the BMTPOOL entry.
Scatter file complete!
PS - Possibly another way, is to use SPFT to do a "Read back" (read memory) at 0x660000 of size 0x400000. Save this as the PMT block and analyse it with a hex editor. I believe the PMT block is always at address 0x66000 judging from a dozen different scatter files.
Dump Full ROM
Perfect Total Backup of your Firmware
The safe way to do this with or without a proper scatter file is the "Read back" feature of SP Flash Tool. There are MANY reasons to dislike MediaTek, but this feature is so nice that I can forgive them for most of their wrong doing.
Most of this section I will generalize from my Lenovo A2107A Guide.
Here is a cookbook for doing a total backup of your MTK device with MediaTek's SP Flash Tool. No rooting, you might even do this before you ever boot! I have basically done this with both of my devices before I fiddled too much. I recommend doing it before you do anything really.
1. Install VCOM Drivers.
2. Install SP Flash Tool.
3. Grab an SPFT ROM, really anything should work, you just have to make SP Flash Tool happy. SPFT validates the scatter file against some of the image files, so you have to calm SPFT down by giving it something it can make sense of. We won't use the scatter file or image files while we do the "Read back" operation.
4. Run SP Flash Tool, Open Scatter File
5. Don't play with anything, go into the "Read back" tab (This will read your flash to a file on your PC)
6. Click on any items in the list, then click the "Remove" button
7. Now click the "Add" button
8. Double click on the "N/A" under Read Flag
9. Type a file name to write to, like "WHOLE_ROM"
10. Now it will popup a window "Readback block start address"
11. Leave "Hex" selected, Start Address" 0x0000, Length: 0x40000000, Click OK (NOTE: this will get the first GIG of flash)
12. Click the "Read back" button
13. SPFT now waits for you to connect your device and put it in Meta Mode
14. Without plugging your phone/tablet in, tap the Reset Button or make sure it's fully off
15. Hold VolUp, plug in USB, Release VolUp (putting it in Meta Mode) <--- Important
16. You will see the progress bar moving. Total backup takes forever, because in this mode SPFT seems to not do USB HIGHSPEED
That's IT! It'll take a few hours, so go to bed.
If you ever restore, just go into Recovery and Wipe Data and Cache. (as these are large and we probably didn't back them up above)
Note: "Length" in Step 11 is probably long enough for most devices. You can reference the scatter file you made above to make sure get everything, but you don't need USRDATA or CACHE, as those get wiped anyway.
Dicing up Full ROM image into partition images
I've made a little bash shell script to dice up a whole ROM according to a scatter file. This creates files exactly the size of the partitions. Some post processing needs done below the script:
dice.sh
Code:
#!/bin/bash
scatterfile=$1
rom=$2
pdir=raw.partitions
rm -rf $pdir
mkdir $pdir
cat $scatterfile | grep "x" | while read line; do
name=$(echo $line | sed 's/ .*//g')
name=$(echo $name | sed 's/^__NODL_//g')
start=$(echo $line | sed 's/.* //g')
# echo $name
if [[ -n $last_name ]]; then
echo "Processing: $last_name"
echo " start: $last_start"
size=$(( $start - $last_start ))
if [[ $size -lt 0 ]]; then
size=0xFFFFF000
else
size=0x$(echo "obase=16; $size" | bc)
fi
echo " size: $size"
short_start=$(echo $last_start | sed 's/000$//g')
short_size=$(echo $size | sed 's/000$//g')
echo dd if=$rom of=$pdir/$last_name bs=$(( 0x1000 )) \
skip=$(( $short_start )) count=$(( $short_size ))
dd if=$rom of=$pdir/$last_name bs=$(( 0x1000 )) \
skip=$(( $short_start )) count=$(( $short_size ))
fi
last_name=$name
last_start=$start
done
Now there is some post processing done. Truncate MBR, EBR1, EBR2 to 512 bytes. And remove trailing bytes of 0000 or FFFF on the end of PRELOADER and DSP_BL.
Here is a one off script for example use:
clean.sh
Code:
#!/bin/bash
pdir=raw.partitions
odir=out
rm -rf $odir
mkdir $odir
dd if=$pdir/PRELOADER of=$odir/preloader.bin bs=$(( 0x800 )) skip=1
./trim.sh $odir/preloader.bin
./trimFF.sh $odir/preloader.bin
dd if=$pdir/DSP_BL of=$odir/DSP_BL bs=$(( 0x8000 )) count=1
./trimFF.sh $odir/DSP_BL
dd if=$pdir/MBR of=$odir/MBR bs=512 count=1
dd if=$pdir/EBR1 of=$odir/EBR1 bs=512 count=1
dd if=$pdir/EBR2 of=$odir/EBR2 bs=512 count=1
cp $pdir/UBOOT $odir/uboot.bin
cp $pdir/LOGO $odir/logo.bin
./trim.sh $odir/logo.bin
cp $pdir/SEC_RO $odir/secro.img
cp $pdir/RECOVERY $odir/recovery.img
cp $pdir/BOOTIMG $odir/boot.img
cp $pdir/FAC $odir/fac.img
cp $pdir/ANDROID $odir/system.img
cp MT*.txt $odir/
And quickly, Here is my hack to remove 0000 and FFFF from the end of files:
trim.sh
Code:
#!/bin/bash
truncate -s $(( 4 + $(cat $1 | hexdump -v -e '/4 "%_ad: " ' -e '4/1 "%02X" "\n"' \
| grep -v ": 00000000" | tail -n 1 | sed 's/:.*//') )) $1
trimFF.sh
Code:
#!/bin/bash
truncate -s $(( 4 + $(cat $1 | hexdump -v -e '/4 "%_ad: " ' -e '4/1 "%02X" "\n"' \
| grep -v ": FFFFFFFF" | tail -n 1 | sed 's/:.*//') )) $1
You should be able to read the clean.sh script and figure out only in just those few cases, is special post processing needed. If you don't post process, SPFT will give errors.
I hope this helps. If you have any questions, ask... I'll try to clarify this first post.
syserr said:
[GUIDE][UTIL][MT65xx] Create Scatter File / Dump Full ROM
For any MT65xx device, no matter how obscure.
Dicing up Full ROM image into partition images
I've made a little bash shell script to dice up a whole ROM according to a scatter file. This creates files exactly the size of the partitions. Some post processing needs done below the script:
dice.sh
Code:
#!/bin/bash
scatterfile=$1
rom=$2
pdir=raw.partitions
rm -rf $pdir
mkdir $pdir
cat $scatterfile | grep "x" | while read line; do
name=$(echo $line | sed 's/ .*//g')
name=$(echo $name | sed 's/^__NODL_//g')
start=$(echo $line | sed 's/.* //g')
# echo $name
if [[ -n $last_name ]]; then
echo "Processing: $last_name"
echo " start: $last_start"
size=$(( $start - $last_start ))
if [[ $size -lt 0 ]]; then
size=0xFFFFF000
else
size=0x$(echo "obase=16; $size" | bc)
fi
echo " size: $size"
short_start=$(echo $last_start | sed 's/000$//g')
short_size=$(echo $size | sed 's/000$//g')
echo dd if=$rom of=$pdir/$last_name bs=$(( 0x1000 )) \
skip=$(( $short_start )) count=$(( $short_size ))
dd if=$rom of=$pdir/$last_name bs=$(( 0x1000 )) \
skip=$(( $short_start )) count=$(( $short_size ))
fi
last_name=$name
last_start=$start
done
Click to expand...
Click to collapse
hi syserr,
i m tryin to run the script dice.sh and this is the trace i get
Code:
[email protected] ~/TESTbcup $ sh -x ./dice.sh
+
: not found2: ./dice.sh:
+ scatterfile=
+ rom=
+ pdir=raw.partitions
+
: not found6: ./dice.sh:
+ rm -rf raw.partitions
+ mkdir raw.partitions
+
: not found9: ./dice.sh:
./dice.sh: 37: ./dice.sh: Syntax error: end of file unexpected (expecting "then")
[email protected] ~/TESTbcup $
any advice would be welcome. I dumb a complete rom and try to dice it.
thank you syserr
fragargon said:
hi syserr,
i m tryin to run the script dice.sh and this is the trace i get
Code:
[email protected] ~/TESTbcup $ sh -x ./dice.sh
+
: not found2: ./dice.sh:
+ scatterfile=
+ rom=
+ pdir=raw.partitions
+
: not found6: ./dice.sh:
+ rm -rf raw.partitions
+ mkdir raw.partitions
+
: not found9: ./dice.sh:
./dice.sh: 37: ./dice.sh: Syntax error: end of file unexpected (expecting "then")
[email protected] ~/TESTbcup $
any advice would be welcome. I dumb a complete rom and try to dice it.
thank you syserr
Click to expand...
Click to collapse
Sorry Sorry Sorry. It takes 2 arguments, I should do some error checking and make sure the user supplies them.
Code:
./dice.sh scatterfile.txt FULLROM.img
It might have some syntax that is specific to bash, so "sh" might throw errors too.
Dumchar.txt
I did dumchar_info, I've renamed it dumchar.txt.
Run script , and it gives me error(He created and an scatter.txt), but empty - see image
Dumchar.txt
What happens and what is the solution?
Alex1948 said:
I did dumchar_info, I've renamed it dumchar.txt.
Run script , and it gives me error(He created and an scatter.txt), but empty - see image
Click to expand...
Click to collapse
I'm sorry, I didn't see this message before, I'm following about 10 threads and this got lost.
I also copied this over from the rua1 thread. I don't think he appreciates our conversation over there, mainly because it's somewhat off topic.
Alex1948 said:
For @syserr
I do not know what all you write here, Python, etc.start adress + lenght , I think we know how to add two numbers in base 16 , no other ....MTKdroid is a software that solves everything,In Python a script of yours, gives me error.
I posted a picture of treadh and you did not answer why(Or you can not quite explain , and we do not understand) - see image
Click to expand...
Click to collapse
Answers:
I've never run it without putting it in a file. Put that python text in dumchar2scatter.py, or something like that. I'm 99% sure that will get rid of the error and give you stuff in your scatter file. You are using Python2, that is good!
You are free to PM me why you feel I didn't see a post. Again, sorry.
Because I think you are genuinely interested in learning, I will describe what my little script is doing. (btw, this is about my third program/script in Python ever)
Code:
import sys
import string
import re
ins = open( "dumchar.txt", "rb" ) [COLOR=Blue]# creates a file handle (ins) to read in dumchar.txt[/COLOR]
outs = open( "scatter.txt", "wb" ) [COLOR=Blue]# creates a file handle (outs) to write to scatter.txt[/COLOR]
for line in ins: [COLOR=Blue]# loops through each line of the input file and puts each line in variable "line"[/COLOR]
linesp = re.split('\W+', line) [COLOR=Blue]# this splits the line varable based on whitespace/spaces, results go into linesp array[/COLOR]
name = linesp[0].upper() [COLOR=Blue]# grabs the first thing in the line, uppercases it, puts it in a varable called name[/COLOR]
start = int(linesp[2],16) [COLOR=Blue]# start variable gets the value of the 3rd thing in the line, but also converts it to an int from text[/COLOR]
block = linesp[5] [COLOR=Blue]# block variable gets 6th thing in line - usually misc or blk[/COLOR]
if block != 'misc': [COLOR=Blue]# if the block variable is NOT 'misc' (only preloader and dsp_bl are these) then ...[/COLOR]
start = start + 0x600000 [COLOR=Blue]# add the offset to the start variable[/COLOR]
outs.write(name + " " + string.replace(hex(start), "L", "") + "\n{\n}\n") [COLOR=Blue]# write out name with start address followed by { } on newlines[/COLOR]
ins.close() [COLOR="Blue"]# just close the file handles here, to clean up, outs might need last writes to be flushed to file.[/COLOR]
outs.close()
I've previewed the code block above on this forum. Why is it so narrow, sorry you will need to use the scrollbar a lot.
UPDATE: Also it's important to have SPACES in a python file, not tabs. And the spaces are critical for python to know code blocks, it acts like {} in Java/C. So, when you make your python file, use spaces to make sure lines line up just right.
syserr said:
I'm sorry, I didn't see this message before, I'm following about 10 threads and this got lost.
I also copied this over from the rua1 thread. I don't think he appreciates our conversation over there, mainly because it's somewhat off topic.
Answers:
I've never run it without putting it in a file. Put that python text in dumchar2scatter.py, or something like that. I'm 99% sure that will get rid of the error and give you stuff in your scatter file. You are using Python2, that is good!
You are free to PM me why you feel I didn't see a post. Again, sorry.
Because I think you are genuinely interested in learning, I will describe what my little script is doing. (btw, this is about my third program/script in Python ever)
Code:
import sys
import string
import re
ins = open( "dumchar.txt", "rb" ) [COLOR=Blue]# creates a file handle (ins) to read in dumchar.txt[/COLOR]
outs = open( "scatter.txt", "wb" ) [COLOR=Blue]# creates a file handle (outs) to write to scatter.txt[/COLOR]
for line in ins: [COLOR=Blue]# loops through each line of the input file and puts each line in variable "line"[/COLOR]
linesp = re.split('\W+', line) [COLOR=Blue]# this splits the line varable based on whitespace/spaces, results go into linesp array[/COLOR]
name = linesp[0].upper() [COLOR=Blue]# grabs the first thing in the line, uppercases it, puts it in a varable called name[/COLOR]
start = int(linesp[2],16) [COLOR=Blue]# start variable gets the value of the 3rd thing in the line, but also converts it to an int from text[/COLOR]
block = linesp[5] [COLOR=Blue]# block variable gets 6th thing in line - usually misc or blk[/COLOR]
if block != 'misc': [COLOR=Blue]# if the block variable is NOT 'misc' (only preloader and dsp_bl are these) then ...[/COLOR]
start = start + 0x600000 [COLOR=Blue]# add the offset to the start variable[/COLOR]
outs.write(name + " " + string.replace(hex(start), "L", "") + "\n{\n}\n") [COLOR=Blue]# write out name with start address followed by { } on newlines[/COLOR]
ins.close() [COLOR="Blue"]# just close the file handles here, to clean up, outs might need last writes to be flushed to file.[/COLOR]
outs.close()
I've previewed the code block above on this forum. Why is it so narrow, sorry you will need to use the scrollbar a lot.
UPDATE: Also it's important to have SPACES in a python file, not tabs. And the spaces are critical for python to know code blocks, it acts like {} in Java/C. So, when you make your python file, use spaces to make sure lines line up just right.
Click to expand...
Click to collapse
OK, I get it("" I don't think he appreciates our conversation over there, mainly because it's somewhat off topic.""
, and why I posted here.
I do not know python, but try to understand more about these phones and their software.
A carefully read what I've written for other questions, as I have, and across from method 1, and there I have some questions.
Especially that last for hours at a READ BACK ,Dump Full ROM , with start adress and lenght by you.
I understand your explanation, written in the program right lines.I did not need them, I know what each instruction written there.
I do not know python but I want to understand .Look - I send you dumchar_info and firmware.info , with partitions start adress and lenght and see what you get.
And finally you get scatter file , my SCATTER FILE , block info - start adress , size , etc.
It's OK. ?As we do not just theory.
I liked your idea, what you wrote but I want to see it completed
Crashes
I did as you said. Look :
Send and dumchar.txt and dumchar2scatter.py
It's ok, I'm sorry you do not answer.I also sent a file and I wanted to enlighten and method 1.
I feel that all that script and dump rom are stupid
I think you should post here on this thred, not on MTKDroid Tool.
Sorry, if you prove me wrong
I'm sorry special excuse but if the script does not work , I posted the file dumchar.txt ,the idea that a fix you
It again sorry, did not mean to upset
Scatter.txt
Successful scatter.txt.As shown in the picture has the same start adress with MTKDroid scatter file , without __NODL_ to 10 partitions.
SP Flash Tool , scatter - loading , load all - see image 2.
For Read Back why use it or one obtained with MTKDroid(see image 3)
Tks.
Alex1948 said:
It's ok, I'm sorry you do not answer.
Click to expand...
Click to collapse
Hi Alex, I figured out why I wasn't catching your posts here. I'm normally looking at my Subscribed threads, and I hadn't subscribed to this thread. I should subscribe and look at my notifications too.
I will look at your messages today. My script is "dumb" as it's looking for a certain path for the block device in the output of dumchar. If that output changes, my script will probably fail.
Alex1948 said:
Successful scatter.txt.As shown in the picture has the same start adress with MTKDroid scatter file , without __NODL_ to 10 partitions.
SP Flash Tool , scatter - loading , load all - see image 2.
For Read Back why use it or one obtained with MTKDroid(see image 3)
Tks.
Click to expand...
Click to collapse
I see it's working for you now. Great. We could make great tools, but MediaTek is changing things that cause problems for even rua1's MTKDRT. Personally, I think it's good to understand things. I'm glad you want to understand too.
Nice share :fingers-crossed:
WHOLE_ROM
4. Run SP Flash Tool, Open Scatter File :
- What scatter file upload ? images 1(that obtained with MTKDroid) or scatter.txt (renamed) and otained with dumchar , script pyton....see images 2. ???
- Start adress is 0x00000000 , but Lenght can pass 0xE7F20000 (start adress FAT=0xC81C0000+FAT lenght=0x1FD60000) END adress FAT ???
With this file, probably higher, than 1GB ,WHOLE_ROM - without extension , What do I do next ?
- to get all the MTKDroid A5_Duo_130806_ForFlashtoolFromReadBack_131007-212823 - see image 3(for this we used start adress 0x00000000 and Lenght 0x3c9c0000 - my CACHE start adress) and My ROM_0 has - 969 MB
And another CWM recovery, more personalized for this phone with can be done?Android-Kitchen-0.224 ? Need 2 files(system.img and boot.img)
I installed and cygwin but does not work, crashes
Alex1948 said:
4. Run SP Flash Tool, Open Scatter File :
- What scatter file upload ? images 1(that obtained with MTKDroid) or scatter.txt (renamed) and otained with dumchar , script pyton....see images 2. ???
- Start adress is 0x00000000 , but Lenght can pass 0xE7F20000 (start adress FAT=0xC81C0000+FAT lenght=0x1FD60000) END adress FAT ???
With this file, probably higher, than 1GB ,WHOLE_ROM - without extension , What do I do next ?
- to get all the MTKDroid A5_Duo_130806_ForFlashtoolFromReadBack_131007-212823 - see image 3(for this we used start adress 0x00000000 and Lenght 0x3c9c0000 - my CACHE start adress) and My ROM_0 has - 969 MB
And another CWM recovery, more personalized for this phone with can be done?Android-Kitchen-0.224 ? Need 2 files(system.img and boot.img)
I installed and cygwin but does not work, crashes
Click to expand...
Click to collapse
#3 and #4 go hand in hand. You just need to make SPFT happy. In all my testing, the scatter and img files can be WRONG... *IF* all you are doing is using "Read back" and "Write memory". It makes sense that to do raw reads and writes, you wouldn't need to know the structure. But this tool forces you to have a scatter and images so it will perform the read/write tasks.
On your second issue, the "FAT" block is not very important and at least on ICS 4.0.4 on my device, if it is all zeros, then on first boot Android will ask to format it. On 4.0.3, I think I had to create a FAT image, which is pretty easy on Linux.
I used this "tool".
But with clean.sh I get a error about DSP_BL. In my scatterfile (MT6589) it is not there. I attached scatterfile.
Is there another "replacement" which i need to clean ?
Thanks for the guide!
Lost calibration data - Unresponsive screen
Hey guys, I have Star N9800 phone. During the last week I've been trying hard to fix my touchscreen driver since I flashed a stock ROM. The problems I was facing were checking and comparing lk.bin (lcm driver) with other people who also have same phone, downloading different ROMs and boot images, tried almost everything. I even opened my phone and disconnected the digitizer to check if it's the problem. When it's connected it says: touchscreen: ili2113a when I check version in factory mode (VOL- + HOME + POWER). When it's disconnected it says: touchscreen: (null), so obviously digitizer is working fine.
Today I think i've found the problem. While using SP Flash Tool I've used manual format from 0x00000000 to whatever it said. It deleted calibration data. And apparently calibration data is stored in nvram.bin which can be backed up using MTK Droid Tools while running a working ROM.
I have flashed original stock ROM now, I'm rooted and I can control my phone from the PC but can't use the screen. It's fully unresponsive. I've checked some answers here on XDA and some guy said I should make a nvram backup of stock ROM and then flash userdata_nvram_only.tar as USERDATA in SP Flash Tool. When I tried unzipping that .tar it clearly has /data/nvram/ folder which also contains some calibration and other files. But when I flashed that .tar as USERDATA my phone isn't booting anymore. I've tried flashing different boot.img but the problem is still here.
Does anybody know how to fix my touchscreen?
I contacted few people on www.NeedRom.com to upload userdata_nvram_only.tar for me, but I don't know whether they are going to do it or not.
I appreciate all help I can get, and I'd seriously hate if I had to send the phone back to china. I wouldn't really do it.
Posted my reply to his PM:
JoeSip said:
Wow you cleared some things for me now. I have Star N9800 smartphone. I've flashed 15 ROMs and tried disconnecting and connecting back the digitizer but screen is still unresponsive. It doesn't react at all. It could be because I used Format option and manual format option in SP Flash tool. Do you have any clue how to get my screen working again? Apparently when doing manual format from adress 0x00000000 calibration data gets removed. Please help me, i'm really desperate.
I can ask people from www.NeedRom.com to help me. They already tried because some of us have the same problems...
You could be the saviour of us all.
Click to expand...
Click to collapse
I think you are totally on track. The NVRAM block/partition is special and it really bugs me that I didn't know this up front when I killed my first MTK device, and people I trusted (ahead of me) didn't talk about it. (FYI, I bought an identical device to repair my device's NVRAM block)
The trick here is... most MTK SP Flash ROMs available don't have the NVRAM block. This is because, they are unique to the device (IMEI and MAC) and if you don't Format with SP Flash, then you don't need them.
What you need... someone with an identical device that is willing to run SP Flash and do a "Read Memory" on the address range of NVRAM block. You would get the address range from the scatter file.
JoeSip said:
Hey guys, I have Star N9800 phone. During the last week I've been trying hard to fix my touchscreen driver since I flashed a stock ROM. The problems I was facing were checking and comparing lk.bin (lcm driver) with other people who also have same phone, downloading different ROMs and boot images, tried almost everything. I even opened my phone and disconnected the digitizer to check if it's the problem. When it's connected it says: touchscreen: ili2113a when I check version in factory mode (VOL- + HOME + POWER). When it's disconnected it says: touchscreen: (null), so obviously digitizer is working fine.
Today I think i've found the problem. While using SP Flash Tool I've used manual format from 0x00000000 to whatever it said. It deleted calibration data. And apparently calibration data is stored in nvram.bin which can be backed up using MTK Droid Tools while running a working ROM.
I have flashed original stock ROM now, I'm rooted and I can control my phone from the PC but can't use the screen. It's fully unresponsive. I've checked some answers here on XDA and some guy said I should make a nvram backup of stock ROM and then flash userdata_nvram_only.tar as USERDATA in SP Flash Tool. When I tried unzipping that .tar it clearly has /data/nvram/ folder which also contains some calibration and other files. But when I flashed that .tar as USERDATA my phone isn't booting anymore. I've tried flashing different boot.img but the problem is still here.
Does anybody know how to fix my touchscreen?
I contacted few people on www.NeedRom.com to upload userdata_nvram_only.tar for me, but I don't know whether they are going to do it or not.
I appreciate all help I can get, and I'd seriously hate if I had to send the phone back to china. I wouldn't really do it.
Click to expand...
Click to collapse
I'll say a couple more things:
Yes, right now your NVRAM block is probably all zeros. And yes, you can use MTK Droid Tools to back up a good NVRAM... I like using SP Flash Tool to read the memory range of the NVRAM block, then I know it's in a shutdown state etc. All MKDRT is doing is running an adb command and doing something like "dd if=/dev/mc***** of=nvram.bin bs=1M count=1"... You could do that too with adb.
You don't need the USERDATA block at all. I would correct your request, to just ask for NVRAM. As USERDATA/USRDATA/DATA (all aliases of the same thing) is a block for your installed apps and data. It is what gets wiped when you do a Factory Reset with typical ROMs or with CWM etc.
Thank you very much man!
So now I'm supposed to just get backup of NVRAM that someone has done in MTK Droid Tools and not the whole ROM?
What if I flash full backup of someone's whole ROM? Will that save me too?
WARNING
This should go without saying, but you MUST have your bootloader unlocked (check OEM UNLOCK in developer options AND fastboot oem unlock). If you don't, you will probably brick your phone.
If you deviate from this procedure, and think: "I can just skip a step, or I can do this on my own Linux install". Don't complain if you brick your phone.
PREREQUISITES:
You need to grab FWUL (version 2.7 or later) and burn it to a USB stick: link
Even if you have Linux, and you think you can install the dependencies, don't. I know this works from FWUL.
PROCEDURE PART 1: Installing TWRP
Boot from your FWUL USB stick. If your PC has secureboot enabled, you will have to disable it in BIOS
Put your phone into download mode. With the phone powered off, hold vol up and plug in the USB cable. You do not need to touch the power button -- the phone will power on and enter download mode.
Once booted, login. The password is: linux
Double click the LG folder that is on the desktop
Double click on LG LAF (runningnak3d) icon and you will be at a terminal prompt.
The following are the commands that you enter into that terminal. You can copy / paste them if you like.
Code:
git pull
git checkout v10-miscwrte
./step1.sh
When you are told to, pull the USB cable, and the phone will power off. You now have TWRP installed. At this point you can flash a ROM, or Magisk or whatever you like.
OPTIONAL:
If you don't know what to do with TWRP, and you just want to run rooted stock, this is for you....
First boot into TWRP - with the phone off, hold vol down and power at the same time. The second the LG logo appears, release power for a split second, then then press and hold power again (you never let go of vol down).
When you get a screen asking you to factory reset, you can let go of both buttons. hit vol down to select yes -- two times -- this will take you to TWRP.
PROCEDURE PART 2: Rooting and cleanup
Now that you are in TWRP:
./step2.sh
If you ran step2.sh you have TWRP on recovery, and you are rooted. If you only ran step1.sh, then you have TWRP on recovery. Either way, enjoy!
CREDITS:
Lekensteyn -- His base work on the G2 / G3 gave me a GREAT headstart!
@steadfasterX - He added some real nice features, great guy to bounce ideas off, and just testing crazy ideas because he wasn't afraid to brick his phone Also, for FWUL
tuxuser - Helping with my lacking in Python
@smitel - His original reverse engineering of LG UP. Great inspiration!
-- Brian
Entering recovery [ READ THIS ]
To enter recovery power off the phone then hold both the down volume and power at the same time. When you see the black LG screen briefly release the power button and then press it again while not letting the volume down up.
You will see a screen asking if you want to delete all user settings. Say YES
You will see a screen asking if you want to delete all user data. Say YES
You will briefly see the black LG bootup screen.
TWRP or factory recovery will load.
------------------------------------------------------------------
Thanks for remembering the V10 users!
For those wondering, to get into download mode power off your phone then hold down volume up at the same time as you are plugging in the usb cable. It should go into download mode. [I recently installed twrp to the laf partition so I have it in two places...if somehow my main twrp gets wiped out I can still get to it via download mode.]
Might be worth mentioning once booted up into TWRP magisk is the preferred root method since it provides modules to add xposed and can help pass safetynet so android pay/pokemon go continue to work even while rooted.
https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
Magisk also has alot of REALLY nice modules to add all sorts of features to our vanilla rom including methods to debloat all the t-mobile and LG apps.
runningnak3d said:
WARNING
This should go without saying, but
Click to expand...
Click to collapse
Thanks for the effort and time! Much appreciated. Too bad I'm not in FL to see about this beers!
Will be back later after my virgin V10 (100% stock nougat) sacrifice is complete...
Sent from my LG-H901 using XDA Labs
Just a heads up -- you can always flash again if it fails, but if you want to check before you reboot, you can run:
./partitions.py --dump test.img recovery
sha256sum test.img and compare it to the hash of TWRP.
Flashing via this method has no retries, so if there is noise on the cable or the bus, you will have a bad flash.
-- Brian
runningnak3d said:
Download this vdi: fwul.zip
Click to expand...
Click to collapse
Getting an error on the vdi..
Code:
This download file is not currently available (it was deleted or disabled).
Is the referenced file the same as this one?
Code:
FWUL_v2.3_x86_64_15GB.zip
runningnak3d said:
Just a heads up -- you can always flash again if it fails, but if you want to check before you reboot, you can run:
./partitions.py --dump test.img recovery
sha256sum test.img and compare it to the hash of TWRP.
Flashing via this method has no retries, so if there is noise on the cable or the bus, you will have a bad flash.
-- Brian
Click to expand...
Click to collapse
Why not add an auto hash check post flash with a prompt to reflash if they don't match?
That is if you plan to customize it or use the generic lglaf.
---------- Post added at 08:09 PM ---------- Previous post was at 08:05 PM ----------
NYLimited said:
Getting an error on the vdi..
Code:
This download file is not currently available (it was deleted or disabled).
Click to expand...
Click to collapse
Some alternatives here: https://forum.xda-developers.com/an.../live-iso-adb-fastboot-driver-issues-t3526755
famewolf said:
Thanks for remembering the V10 users!
Might be worth mentioning once booted up into TWRP magisk is the preferred root method since it provides modules to add xposed and can help pass safetynet so android pay/pokemon go continue to work even while rooted.
https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
Magisk also has alot of REALLY nice modules to add all sorts of features to our vanilla rom including methods to debloat all the t-mobile and LG apps.
Click to expand...
Click to collapse
Agreed and let's not forget that SuperSU development seems to have stalled since Chanfire moved on...
Sorry about that, I had to upload a version that did hash checks. I will update the link now.
-- Brian
@famewolf There are a LOT of things that I am going to add. This will eventually be a full blown replacement for LG UP with ARB checking, etc.
LG is getting ready to relate Oreo for the V20, so I wanted to get it out there ASAP.
-- Brian
runningnak3d said:
@famewolf There are a LOT of things that I am going to add. This will eventually be a full blown replacement for LG UP with ARB checking, etc.
LG is getting ready to relate Oreo for the V20, so I wanted to get it out there ASAP.
-- Brian
Click to expand...
Click to collapse
Are you planning to make an oreo available for the V10 or at least willing to work with a few of us on it? I'm not sure what would have to be changed to allow a v20 rom to run for us or if there is a closer match now that nougat can be rooted.
---------- Post added at 09:15 PM ---------- Previous post was at 09:12 PM ----------
famewolf said:
Are you planning to make an oreo available for the V10 or at least willing to work with a few of us on it? I'm not sure what would have to be changed to allow a v20 rom to run for us or if there is a closer match now that nougat can be rooted.
Click to expand...
Click to collapse
Oh you may want to implement automatic backup of recovery or laf prior to flashing a new one...maybe with a timestamp in filename so multiple revisions can be saved....that way for example someone could go back to normal download mode. I wrote some shell scripts that run under twrp or rooted system and allow you to backup all the partitions to images on the microsd and then pull them via adb to the pc. Something similar might be worthwhile for a backup option. I'm excellent with suggestions of hard work for others. ;P
NYLimited said:
Getting an error on the vdi..
This download file is not currently available (it was deleted or disabled).
Click to expand...
Click to collapse
famewolf said:
Some alternatives here: https://forum.xda-developers.com/an.../live-iso-adb-fastboot-driver-issues-t3526755
Click to expand...
Click to collapse
I grabbed the 15 and 32 GB persistent files but they need to be converted from .img to .vdi which takes a while... I suppose I could post the converted file for d/l if anyone wants them.
Also, VirtualBox did NOT give me Arch Linux 64 bit option (only 32 bit)..
By all means keep the suggestions coming. I don't suppose you are any good with Python? I would love the help. For the things you are talking about you don't need to know the protocol, although I would be glad to teach you / give you all the documentation.
Yes, if it is possible, I will port Oreo to the V10, or at least help. Unless they do something so radical that it just isn't feasible. Nougat on the V20 isn't much different than Nougat on the V10.
Heck, they are so cheap now, I am ordering me another V10 just so I can help out.
-- Brian
runningnak3d said:
By all means keep the suggestions coming. I don't suppose you are any good with Python? I would love the help. For the things you are talking about you don't need to know the protocol, although I would be glad to teach you / give you all the documentation.
Yes, if it is possible, I will port Oreo to the V10, or at least help. Unless they do something so radical that it just isn't feasible. Nougat on the V20 isn't much different than Nougat on the V10.
Heck, they are so cheap now, I am ordering me another V10 just so I can help out.
-- Brian
Click to expand...
Click to collapse
I don't know python although I can usually manage simple mods to it....I do ok in quick and dirty bash shell scripts....virtualbox seems to be causing more complications than it helps...it may be worthwhile to consider a bootable iso to burn to a cd with a shellscript on the desktop that says "run me" which automated the downloading of twrp and then the running of the commands....that's something I could probably manage but it wouldn't be "pretty".
(I'm working with NYLimited in email).
---------- Post added at 10:22 PM ---------- Previous post was at 10:19 PM ----------
runningnak3d said:
By all means keep the suggestions coming. I don't suppose you are any good with Python? I would love the help. For the things you are talking about you don't need to know the protocol, although I would be glad to teach you / give you all the documentation.
Yes, if it is possible, I will port Oreo to the V10, or at least help. Unless they do something so radical that it just isn't feasible. Nougat on the V20 isn't much different than Nougat on the V10.
Heck, they are so cheap now, I am ordering me another V10 just so I can help out.
-- Brian
Click to expand...
Click to collapse
The V10 isn't even my primary device anymore but it had so much potential and LG just crippled it so badly. With your recent root, the updated twrp (the latest version we had was 3.0 previously) and bringing people up to 30c at least it has a decent starting point.
So glad to see this!
A quick question, on the final step I get this error message:
./partitions.py --restoremisc ~/Downloads/TWRP_3.2.1_H901.img recovery
Traceback (most recent call last):
File "./partitions.py", line 460, in <module>
main()
File "./partitions.py", line 410, in main
lglaf.try_hello(comm)
File "/home/android/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.6/site-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Any suggestions? I haven't had any trouble with the USB cable and there were no installation issues.
chin'ah.girl said:
So glad to see this!
A quick question, on the final step I get this error message:
./partitions.py --restoremisc ~/Downloads/TWRP_3.2.1_H901.img recovery
Traceback (most recent call last):
File "./partitions.py", line 460, in <module>
main()
File "./partitions.py", line 410, in main
lglaf.try_hello(comm)
File "/home/android/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.6/site-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Any suggestions? I haven't had any trouble with the USB cable and there were no installation issues.
Click to expand...
Click to collapse
JUst as a suggestion you may want to copy/paste all the text in your terminal session to help identify possible issues. The phone is in download mode (power it off then hold vol up while plugging in the usb cable) and says so on the screen. If you try "./partitions.py --list" what do you get?
Check out this post to ensure dependencies are installed: https://forum.xda-developers.com/showpost.php?p=76134256&postcount=97
Also if you are in ~/lglaf you may want to use ../Downloads/TWRP_3.2.1_H901.img or cp the img file directly into same dir and use ./TWRP_3.2.1_H901.img
Hi @runningnak3d, thank you so much for not abandonning us lg v10 and for your hard work, really appreciated. Please this link https://forum.xda-developers.com/devdb/project/dl/?id=29075 doesn't support "resume", i already tried 5 times and always failed because the download can't be resumed. Please could you add another androifilehost link to dowload this fwul.zip? Thank you. I wanna try to root mine with your awesome method then disable 2big cores that give bootloop to my phone.
@famewolf
I made sure the phone is in download mode. Unfortunately that command pretty much generates the same results...
[[email protected] ~]$ cd lglaf
[[email protected] lglaf]$ git pull
Already up to date.
[[email protected] lglaf]$ git checkout v10-miscwrte
Already on 'v10-miscwrte'
Your branch is up to date with 'origin/v10-miscwrte'.
[[email protected] lglaf]$ ./partitions.py --list
Traceback (most recent call last):
File "./partitions.py", line 460, in <module>
main()
File "./partitions.py", line 410, in main
lglaf.try_hello(comm)
File "/home/android/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.6/site-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
The phone appears as its supposed to in the VM Devices > USB menu as well.
chin'ah.girl said:
@famewolf
I made sure the phone is in download mode. Unfortunately that command pretty much generates the same results...
[[email protected] ~]$ cd lglaf
[[email protected] lglaf]$ git pull
Already up to date.
[[email protected] lglaf]$ git checkout v10-miscwrte
Already on 'v10-miscwrte'
Your branch is up to date with 'origin/v10-miscwrte'.
[[email protected] lglaf]$ ./partitions.py --list
Traceback (most recent call last):
File "./partitions.py", line 460, in <module>
main()
File "./partitions.py", line 410, in main
lglaf.try_hello(comm)
File "/home/android/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.6/site-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
The phone appears as its supposed to in the VM Devices > USB menu as well.
Click to expand...
Click to collapse
Did you run the lines to verify dependencies? Specifically the pip lines to install PyUSB and the 2 others.... If all else fails simplify things..I think using virtualbox is causing more problems then helping.... download the ISO of his linux version or an ubuntu one...write it to a cd or to a usb drive...boot off that directly....do the pip commands to ensure dependencies....run his instructions with phone connected to pc or laptop. I use linux directly and didn't do virtualbox.....NYLimited is also having issues that may be attributed to Virtualbox.
@runningnak3d @famewolf
Thanks for the help and patience! I did a lot of little stuff tonight and found a few inconsistencies, some perhaps due to the fact that I had to improvise and grab another fwul version and such. My lack of linux background didn't help, of course.
Long story short, I got to the point of running the py script. It wrote 32796672 bytes but recovery did not load for me.
Pulling the image back from recovery via --dump yielded a consistent 41943040 bytes. Each time I flashed the img file the 32796672 bytes were consistent. So were the 41943040 bytes coming back. The computed hash sums differed from each other but the twrp image was always the same hash and the test dump from recovery was consistent with itself but different from twrp.
It almost seemed like I was writing to a place totally different than the place I was pulling data back from. Neither side ever changed from the previous version of itself but the two never matched each other. Recovery did not load, regardless.
Time to take a break (early day tomorrow) and will regroup again sometime tomorrow eve with hopefully fresh ideas.
This is the last flash and hash of the files. The numbers are consistent over multiple flashes:
Code:
[[email protected] lglaf]$ ./partitions.py --restoremisc ../Downloads/TWRP321.img recovery
2018-04-06 05:39:16,946 partitions: INFO: Done after writing 32796672 bytes from ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --dump test.img recovery
[ 100 % ] 2018-04-06 05:40:49,401 partitions: INFO: Wrote 41943040 bytes to test.img
[[email protected] lglaf]$ sha256sum test.img
d78190b422733a84b2526558f36c5d8ab6915748096fd7569927ad84f509e6c1 test.img
[[email protected] lglaf]$ sha256sum ../Downloads/TWRP321.img
1a5667e8ac35784780d8cd7b5c3ad72a353889c39220d8002ac2498a92ff6f8e ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --restoremisc ../Downloads/TWRP321.img recovery
2018-04-06 05:49:38,020 partitions: INFO: Done after writing 32796672 bytes from ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --dump test.img recovery
[ 100 % ] 2018-04-06 05:51:12,507 partitions: INFO: Wrote 41943040 bytes to test.img
[[email protected] lglaf]$ sha256sum test.img
d78190b422733a84b2526558f36c5d8ab6915748096fd7569927ad84f509e6c1 test.img
[[email protected] lglaf]$
NYLimited said:
@runningnak3d @famewolf
Thanks for the help and patience! I did a lot of little stuff tonight and found a few inconsistencies, some perhaps due to the fact that I had to improvise and grab another fwul version and such. My lack of linux background didn't help, of course.
Long story short, I got to the point of running the py script. It wrote 32796672 bytes but recovery did not load for me.
Pulling the image back from recovery via --dump yielded a consistent 41943040 bytes. Each time I flashed the img file the 32796672 bytes were consistent. So were the 41943040 bytes coming back. The computed hash sums differed from each other but the twrp image was always the same hash and the test dump from recovery was consistent with itself but different from twrp.
It almost seemed like I was writing to a place totally different than the place I was pulling data back from. Neither side ever changed from the previous version of itself but the two never matched each other. Recovery did not load, regardless.
Time to take a break (early day tomorrow) and will regroup again sometime tomorrow eve with hopefully fresh ideas.
This is the last flash and hash of the files. The numbers are consistent over multiple flashes:
Code:
[[email protected] lglaf]$ ./partitions.py --restoremisc ../Downloads/TWRP321.img recovery
2018-04-06 05:39:16,946 partitions: INFO: Done after writing 32796672 bytes from ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --dump test.img recovery
[ 100 % ] 2018-04-06 05:40:49,401 partitions: INFO: Wrote 41943040 bytes to test.img
[[email protected] lglaf]$ sha256sum test.img
d78190b422733a84b2526558f36c5d8ab6915748096fd7569927ad84f509e6c1 test.img
[[email protected] lglaf]$ sha256sum ../Downloads/TWRP321.img
1a5667e8ac35784780d8cd7b5c3ad72a353889c39220d8002ac2498a92ff6f8e ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --restoremisc ../Downloads/TWRP321.img recovery
2018-04-06 05:49:38,020 partitions: INFO: Done after writing 32796672 bytes from ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --dump test.img recovery
[ 100 % ] 2018-04-06 05:51:12,507 partitions: INFO: Wrote 41943040 bytes to test.img
[[email protected] lglaf]$ sha256sum test.img
d78190b422733a84b2526558f36c5d8ab6915748096fd7569927ad84f509e6c1 test.img
[[email protected] lglaf]$
Click to expand...
Click to collapse
If your twrp is showing the following:
[email protected] /workarea/android/v10 $ md5sum TWRP_3.2.1_H901.img
b89d341cd61da31a5348d8f6b3c75c97 TWRP_3.2.1_H901.img
then it's fine...as for the dump...I think empty space at the end would have to be stripped off for them to match. Will work with it more tomorrow..just drop me a line.
This guide is for people whose V20s are stuck in EDL mode or are otherwise unable to boot recovery, fastboot, or laf/download mode. You know if your device is in EDL mode if it does not react when you try to turn it on, and when plugged into a computer, it shows up as Qualcomm HS-USB QDLoader 9008, or some similar variation. If your phone can boot into recovery, fastboot, or laf/download mode, this guide is not for you.
Preface
I only have a VS995, so this guide has only been tested with that. However the firehose programmer I found said it was for a H918 so it will likely work for other variants. I performed these steps on Linux, but the tools used are written in Python and should work on Windows and MacOS too.
I take no responsibility if you mess up your phone doing this. Flashing over EDL is a very powerful process that can totally erase your phone's NAND if you're not careful. This process wil likely require a factory reset and you will likely lose all the data stored on the phone.
Prerequisites
Python 3 - Both tools used in this guide are written in Python 3
KDZTools - Used to extract partition images from KDZ files
Bjoern Kerler's EDL Utility - For flashing partition images in EDL mode
v20-root.zip from this XDA post - For the rooted aboot.img
A stock firmware KDZ - Can be obtained from lg-firmwares.com. I used VS99513A. Choose an appropriate KDZ for your device.
A screwdriver and a paper clip - Used to force the device into EDL mode
prog_ufs_firehose_8996_lite.elf - Firehose programmer file for use with the EDL utility
Since the firehose programmer is copyright LG, I cannot link to it as that would be unauthorized distribution of copyrighted work. It can be found online fairly easily though.
Preparation
1. Windows and MacOS: Download and install Python 3. Most Linux distros come with Python 3 already installed. To check, open a terminal/command window and type python --version. It should say "Python 3.x.x"
2. Download and extract KDZTools to a directory of your choosing
3. Download and extract the EDL utility to a directory of your choosing and follow the setup instructions listed on its GitHub page
4. Download v20-root.zip and extract aboot.img into the directory you extracted the EDL utility into
5. Place your KDZ in the KDZTools directory and open a terminal/command window within that directory
6. Type python unkdz.py -f [NAME OF KDZ FILE].kdz -x and press enter. Once complete, you should have a "kdzextracted" folder containing a DZ file and a few other things. If you get an error about missing zstandard, type pip install zstandard and try again
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
8. Create seven folders within "dzextracted", named "lun0", "lun1", "lun2", etc
9. Move all the files prefixed with "B." into the folder titled "lun1", all the files prefixed with "C." into the folder titled "lun2", and so on. Move all the files that are not prefixed with any capital letter into the folder titled "lun0"
10. Rename all the files in each folder and remove the letter and the period from the filename. "E.modem_35910.bin" becomes "modem_35910.bin" for example
11. In the "lun0" folder, delete "userdata.bin"
12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r
13. You should now have seven files titled "rawprogram#.xml" where # is a number from 0 to 6
14. Exit the KDZTools directory and go into the directory containing the EDL utility
15. Place the firehose programmer file into the folder named "Loaders"
16. Follow this iFixit guide up to Step 10 to gain access to your phone's motherboard.
Programming
1. Open a terminal/command window in the folder you extracted the EDL utility to. On Windows, you may need to open the command window as administrator. On MacOS and Linux, you will likely have to run the utility with sudo.
2. Type python edl.py printgpt --memory=ufs and press enter. You should see
Code:
Qualcomm Sahara / Firehose Client V3.2 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
If you get a message about missing Capstone and Keystone libraries, ignore it.
3. Put your phone's battery back in
4. Look for the following two pads on your phone's motherboard
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
If you can't see them, it's the pair of tiny pads just above the silver square with the H etched into it in the center of the image (Photo courtesy of runningnak3d)
5. Hold your paper clip or other conductive item on those two pads to short them out, then, while holding the paper clip in place, plug your phone into your computer. Keep holding the paper clip in place until you get an error about missing the firehose programmer from the EDL utility
6. Unplug your phone and remove the battery
7. In the message from the EDL utility, you should see a hardware ID and pkhash
8. Rename "prog_ufs_firehose_8996_lite.elf" to [Hardware ID]_[PKHASH]_FHPRG.bin where [Hardware ID] is the hwid provided by the EDL utility, and [PKHASH] is the first 16 characters in the pkhash provided by the EDL utility
9. Follow steps 2-5 again, but this time holding the paper clip in place until you see Programmer uploaded successfully :). If all went well, you should see a list of partition names and a load of hexadecimal offsets and such. This means you've set everything up correctly
10. In the terminal/command window, type python edl.py r fsg fsg.bin --memory=ufs --lun=1 and hit enter. If you get "main - Waiting for the device", unplug your phone, remove the battery, and follow steps 3-5 again until you see Programmer uploaded successfully :)
11. Type python edl.py r modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter.
12. Type python edl.py r modemst2 modemst2.bin --memory=ufs --lun=5 and hit enter. These three steps back up your EFS, which contains your phone's IMEI. We want a backup of this in case it gets corrupted by the flashing process. Your IMEI CANNOT be restored if EFS becomes corrupt and your phone will never be able to be activated on a cellular network again if we do not back up these three partitions first
13. In the terminal/command window, type python edl.py qfil "[PATH TO rawprogram0.xml]" "" "[PATH TO dzextracted/lun0]" --memory=ufs and press enter. Note that all the quotation marks are required.
14. Do step 13 again for each of the seven folders you created, replacing "0" in "rawprogram0.xml" and "lun0" with 1, 2, 3, 4, 5, and 6 as needed. This step will take some time
15. Once you have flashed all 7 "lun#" folders, type python edl.py w aboot aboot.img --memory=ufs --lun=4
16. Once complete, unplug your phone, remove the battery, reattach the backplate, and attempt to turn on the phone. It might boot to Android, but it might not. In my case, it did not boot to Android, but I could access fastboot and laf/download mode again, and I used those to finish fixing my phone.
Potential Problems
If you followed the guide and were able to restore your device to functioning order, but find that you have no signal and your phone reports it has no IMEI, type python edl.py w fsg fsg.bin --memory=ufs --lun=1 and hit enter, then type python edl.py w modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter, then type python edl.py w modemst2 modemst2.bin --memory=ufs --lun=5. These three commands will restore your EFS backup.
getting this error while using unkdz.py command.
[!] Error: Data between headers and payload! (offsets 826 to 83768).
tried different kdz for h918 but the error was consistent.
Kiraisuki said:
This guide is for people whose V20s are stuck in EDL mode or are otherwise unable to boot recovery, fastboot, or laf/download mode. You know if your device is in EDL mode if it does not react when you try to turn it on, and when plugged into a computer, it shows up as Qualcomm HS-USB QDLoader 9008, or some similar variation. If your phone can boot into recovery, fastboot, or laf/download mode, this guide is not for you.
Preface
I only have a VS995, so this guide has only been tested with that. However the firehose programmer I found said it was for a H918 so it will likely work for other variants. I performed these steps on Linux, but the tools used are written in Python and should work on Windows and MacOS too.
I take no responsibility if you mess up your phone doing this. Flashing over EDL is a very powerful process that can totally erase your phone's NAND if you're not careful. This process wil likely require a factory reset and you will likely lose all the data stored on the phone.
Prerequisites
Python 3 - Both tools used in this guide are written in Python 3
KDZTools - Used to extract partition images from KDZ files
Bjoern Kerler's EDL Utility - For flashing partition images in EDL mode
v20-root.zip from this XDA post - For the rooted aboot.img
A stock firmware KDZ - Can be obtained from lg-firmwares.com. I used VS99513A. Choose an appropriate KDZ for your device.
A screwdriver and a paper clip - Used to force the device into EDL mode
prog_ufs_firehose_8996_lite.elf - Firehose programmer file for use with the EDL utility
Since the firehose programmer is copyright LG, I cannot link to it as that would be unauthorized distribution of copyrighted work. It can be found online fairly easily though.
Preparation
1. Windows and MacOS: Download and install Python 3. Most Linux distros come with Python 3 already installed. To check, open a terminal/command window and type python --version. It should say "Python 3.x.x"
2. Download and extract KDZTools to a directory of your choosing
3. Download and extract the EDL utility to a directory of your choosing and follow the setup instructions listed on its GitHub page
4. Download v20-root.zip and extract aboot.img into the directory you extracted the EDL utility into
5. Place your KDZ in the KDZTools directory and open a terminal/command window within that directory
6. Type python unkdz.py -f [NAME OF KDZ FILE].kdz -x and press enter. Once complete, you should have a "kdzextracted" folder containing a DZ file and a few other things. If you get an error about missing zstandard, type pip install zstandard and try again
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
8. Create seven folders within "dzextracted", named "lun0", "lun1", "lun2", etc
9. Move all the files prefixed with "B." into the folder titled "lun1", all the files prefixed with "C." into the folder titled "lun2", and so on. Move all the files that are not prefixed with any capital letter into the folder titled "lun0"
10. Rename all the files in each folder and remove the letter and the period from the filename. "E.modem_35910.bin" becomes "modem_35910.bin" for example
11. In the "lun0" folder, delete "userdata.bin"
12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r
13. You should now have seven files titled "rawprogram#.xml" where # is a number from 0 to 6
14. Exit the KDZTools directory and go into the directory containing the EDL utility
15. Place the firehose programmer file into the folder named "Loaders"
16. Follow this iFixit guide up to Step 10 to gain access to your phone's motherboard.
Programming
1. Open a terminal/command window in the folder you extracted the EDL utility to. On Windows, you may need to open the command window as administrator. On MacOS and Linux, you will likely have to run the utility with sudo.
2. Type python edl.py printgpt --memory=ufs and press enter. You should see
Code:
Qualcomm Sahara / Firehose Client V3.2 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
If you get a message about missing Capstone and Keystone libraries, ignore it.
3. Put your phone's battery back in
4. Look for the following two pads on your phone's motherboard
View attachment 5243977
If you can't see them, it's the pair of tiny pads just above the silver square with the H etched into it in the center of the image (Photo courtesy of runningnak3d)
5. Hold your paper clip or other conductive item on those two pads to short them out, then, while holding the paper clip in place, plug your phone into your computer. Keep holding the paper clip in place until you get an error about missing the firehose programmer from the EDL utility
6. Unplug your phone and remove the battery
7. In the message from the EDL utility, you should see a hardware ID and pkhash
8. Rename "prog_ufs_firehose_8996_lite.elf" to [Hardware ID]_[PKHASH]_FHPRG.bin where [Hardware ID] is the hwid provided by the EDL utility, and [PKHASH] is the first 16 characters in the pkhash provided by the EDL utility
9. Follow steps 2-5 again, but this time holding the paper clip in place until you see Programmer uploaded successfully :). If all went well, you should see a list of partition names and a load of hexadecimal offsets and such. This means you've set everything up correctly
10. In the terminal/command window, type python edl.py r fsg fsg.bin --memory=ufs --lun=1 and hit enter. If you get "main - Waiting for the device", unplug your phone, remove the battery, and follow steps 3-5 again until you see Programmer uploaded successfully :)
11. Type python edl.py r modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter.
12. Type python edl.py r modemst2 modemst2.bin --memory=ufs --lun=5 and hit enter. These three steps back up your EFS, which contains your phone's IMEI. We want a backup of this in case it gets corrupted by the flashing process. Your IMEI CANNOT be restored if EFS becomes corrupt and your phone will never be able to be activated on a cellular network again if we do not back up these three partitions first
13. In the terminal/command window, type python edl.py qfil "[PATH TO rawprogram0.xml]" "" "[PATH TO dzextracted/lun0]" --memory=ufs and press enter. Note that all the quotation marks are required.
14. Do step 13 again for each of the seven folders you created, replacing "0" in "rawprogram0.xml" and "lun0" with 1, 2, 3, 4, 5, and 6 as needed. This step will take some time
15. Once you have flashed all 7 "lun#" folders, type python edl.py w aboot aboot.img --memory=ufs --lun=4
16. Once complete, unplug your phone, remove the battery, reattach the backplate, and attempt to turn on the phone. It might boot to Android, but it might not. In my case, it did not boot to Android, but I could access fastboot and laf/download mode again, and I used those to finish fixing my phone.
Potential Problems
If you followed the guide and were able to restore your device to functioning order, but find that you have no signal and your phone reports it has no IMEI, type python edl.py w fsg fsg.bin --memory=ufs --lun=1 and hit enter, then type python edl.py w modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter, then type python edl.py w modemst2 modemst2.bin --memory=ufs --lun=5. These three commands will restore your EFS backup.
Click to expand...
Click to collapse
Can you please make a video for this guide
I've been working with your guide to revive my LG V20 and have stopped at step 7.
Kiraisuki said:
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
Click to expand...
Click to collapse
When I extract files from .DZ, my "dzextracted" folder is filled with “.image” and “.params” files.
There is no single .BIN file and no file has any letter prefix.
I have tried with multiple .DZ files from different V20 ROMs.
I have even downloaded “VS99513A” ROM you mentioned.
I have tried in Windows (7) and Linux (Mint 20.1).
Every time I get this mess of files.
KDZTools version is from direct link on GitHub you provided.
Are there any additional steps that are missing from guide?
Did anyone tried to revive V20 stuck in EDL mode, and has any tips to share?
Question: How is this different from using the QFIL software from qualcomm which is easier to do than this guide?
Is this EDL mode? Unlocked the bootloader and now uppercut, LGUP, NOTHING "sees" the phone USB connection (tho adb and fastboot do, but something's seriously ___ in there, I can't do much with either adb or fastboot)
Either adb or fastboot complain of "locked" this or that - but unlocked bootloader, from LG... (US996 turns out it has BPT - brightpoint - in the barcode, if that matters)
for h918, @Kiraisuki the elf file not work for me i got this error
Code:
sahara - Trying loader: Loaders\009470e10031026c_2cf7619a278d26073f7eea79bb7f4b7949c221487fea058ea072cffe38ce1496_fhprg.bin
sahara - Uploading loader Loaders\009470e10031026c_2cf7619a278d26073f7eea79bb7f4b7949c221487fea058ea072cffe38ce1496_fhprg.bin ...
sahara
sahara - [LIB]: Timeout while uploading loader. Wrong loader ?
No suitable loader found :(
no, edl mode must
virginwidow said:
Is this EDL mode? Unlocked the bootloader and now uppercut, LGUP, NOTHING "sees" the phone USB connection (tho adb and fastboot do, but something's seriously ___ in there, I can't do much with either adb or fastboot)
Either adb or fastboot complain of "locked" this or that - but unlocked bootloader, from LG... (US996 turns out it has BPT - brightpoint - in the barcode, if that matters)
View attachment 5305585
Click to expand...
Click to collapse
no , edl mode is black screen no bootloader, no recovery , no charge animation, nothing just 9008 mode
try to install original kdz with lgup
walidham said:
no, edl mode must
no , edl mode is black screen no bootloader, no recovery , no charge animation, nothing just 9008 mode
try to install original kdz with lgup
Click to expand...
Click to collapse
TY for response -
It appears I'm in a 'purgatory' between brick and "dead"... due to being a noob again (nothing like breaking things to learn).
LGUP, Uppercut - both of these go "No Device Connected" - the closest I can provide for a logcat is 'getvar all' from fastboot.
Code:
fastboot getvar all
(bootloader) version:0.5
(bootloader) variant:MTP eMMC
(bootloader) secure:yes
(bootloader) version-baseband:
(bootloader) version-bootloader:
(bootloader) display-panel:
(bootloader) off-mode-charge:0
(bootloader) charger-screen-enabled:0
(bootloader) max-download-size: 0x20000000
(bootloader) partition-type:cache:ext4
(bootloader) partition-size:cache: 0x4d000000
(bootloader) partition-type:userdata:ext4
(bootloader) partition-size:userdata: 0xced000000
(bootloader) partition-type:system:ext4
(bootloader) partition-size:system: 0x180000000
(bootloader) serialno:LGUS996fzzzzzzzz
(bootloader) kernel:lk
(bootloader) product:MSM8996
(bootloader) unlocked:yes
all:
finished. total time: 0.194s
(Serial editted) There's not enuff info left for the usual end-user tools to "see"
Any thoughts?
Thanks in Advance
VW
........main - Device detected
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID: 0x009470e100310000 (MSM_ID:0x009470e1,OEM_ID:0x0031,MODEL_ID:0x0000)
CPU detected: "MSM8996"
PK_HASH: 0x2cf7619a278d26073f7eea79bb7f4b7949c221487fea058ea072cffe38ce1496
Serial: 0xe895007b
sahara - Detected loader: Loaders\009470e100310000_2cf7619a278d2607_[FHPRG].bin
sahara - Uploading loader Loaders\009470e100310000_2cf7619a278d2607_[FHPRG].bin ...
Successfully uploaded programmer
firehose - Nop succeeded.
firehose - Chip serial num: 3902079099 (0xe895007b)
oneplus
oneplus - [LIB]: No module named 'Library.Modules.oneplus_param'
firehose -
firehose_client - Target detected: MSM8996
firehose
firehose - [LIB]: <?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="fh.attrs.MaxPayloadSizeToTargetInBytes of 1048576 > fh.channel_buffer_capacity of 4096"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Calling usb_al_bulk_set_zlp_mode(TRUE) since ZlpAwareHost='1'"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Calling hotplug_poll_device('UFS')"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Storage device of type 'UFS' cannot be opened"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="storage_device_open() returned FALSE"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR 13: Line 1142: HANDLE_CONFIGURE_FAILURE"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="NAK" />
</data>
\\\\\\\\\\\\\\\\Getiing this error/////////////// oneplus param And firehose lib
facing this problem
[Question]
At the step 12 of preparation
"12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r"
There were no rawprogram.xml and cmd window showed
C:\kdztools>undz.py -f kdzextracted/H99010b_00.dz -r
usage: undz.py [-h] -f DZFILE (-l | -x | -c | -s | -i) [-d OUTDIR]
undz.py: error: one of the arguments -l/--list -x/--extract -c/--chunk -s/--sing
le -i/--image is required
How to generate the xml files? Thanks.
Illusings said:
[Question]
At the step 12 of preparation
"12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r"
There were no rawprogram.xml and cmd window showed
C:\kdztools>undz.py -f kdzextracted/H99010b_00.dz -r
usage: undz.py [-h] -f DZFILE (-l | -x | -c | -s | -i) [-d OUTDIR]
undz.py: error: one of the arguments -l/--list -x/--extract -c/--chunk -s/--sing
le -i/--image is required
How to generate the xml files? Thanks.
Click to expand...
Click to collapse
getting this same error. has anyone fixed it?
dmad767 said:
getting this same error. has anyone fixed it?
Click to expand...
Click to collapse
Illusings said:
[Question]
At the step 12 of preparation
"12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r"
There were no rawprogram.xml and cmd window showed
C:\kdztools>undz.py -f kdzextracted/H99010b_00.dz -r
usage: undz.py [-h] -f DZFILE (-l | -x | -c | -s | -i) [-d OUTDIR]
undz.py: error: one of the arguments -l/--list -x/--extract -c/--chunk -s/--sing
le -i/--image is required
How to generate the xml files? Thanks.
Click to expand...
Click to collapse
i found a fix
dmad767 said:
i found a fix
Click to expand...
Click to collapse
how did you fix it
ezzony said:
Question: How is this different from using the QFIL software from qualcomm which is easier to do than this guide?
Click to expand...
Click to collapse
the goal is the same, I think it's easier with qfil partition manager. because the results of extracting the .dz file are in the form of a single image without the lun description as described above.
ROMSG said:
how did you fix it
Click to expand...
Click to collapse
I suggest using qfil manager (raw data manager), manually input the image file to be flashed.
Kiraisuki said:
This guide is for people whose V20s are stuck in EDL mode or are otherwise unable to boot recovery, fastboot, or laf/download mode. You know if your device is in EDL mode if it does not react when you try to turn it on, and when plugged into a computer, it shows up as Qualcomm HS-USB QDLoader 9008, or some similar variation. If your phone can boot into recovery, fastboot, or laf/download mode, this guide is not for you.
Preface
I only have a VS995, so this guide has only been tested with that. However the firehose programmer I found said it was for a H918 so it will likely work for other variants. I performed these steps on Linux, but the tools used are written in Python and should work on Windows and MacOS too.
I take no responsibility if you mess up your phone doing this. Flashing over EDL is a very powerful process that can totally erase your phone's NAND if you're not careful. This process wil likely require a factory reset and you will likely lose all the data stored on the phone.
Prerequisites
Python 3 - Both tools used in this guide are written in Python 3
KDZTools - Used to extract partition images from KDZ files
Bjoern Kerler's EDL Utility - For flashing partition images in EDL mode
v20-root.zip from this XDA post - For the rooted aboot.img
A stock firmware KDZ - Can be obtained from lg-firmwares.com. I used VS99513A. Choose an appropriate KDZ for your device.
A screwdriver and a paper clip - Used to force the device into EDL mode
prog_ufs_firehose_8996_lite.elf - Firehose programmer file for use with the EDL utility
Since the firehose programmer is copyright LG, I cannot link to it as that would be unauthorized distribution of copyrighted work. It can be found online fairly easily though.
Preparation
1. Windows and MacOS: Download and install Python 3. Most Linux distros come with Python 3 already installed. To check, open a terminal/command window and type python --version. It should say "Python 3.x.x"
2. Download and extract KDZTools to a directory of your choosing
3. Download and extract the EDL utility to a directory of your choosing and follow the setup instructions listed on its GitHub page
4. Download v20-root.zip and extract aboot.img into the directory you extracted the EDL utility into
5. Place your KDZ in the KDZTools directory and open a terminal/command window within that directory
6. Type python unkdz.py -f [NAME OF KDZ FILE].kdz -x and press enter. Once complete, you should have a "kdzextracted" folder containing a DZ file and a few other things. If you get an error about missing zstandard, type pip install zstandard and try again
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
8. Create seven folders within "dzextracted", named "lun0", "lun1", "lun2", etc
9. Move all the files prefixed with "B." into the folder titled "lun1", all the files prefixed with "C." into the folder titled "lun2", and so on. Move all the files that are not prefixed with any capital letter into the folder titled "lun0"
10. Rename all the files in each folder and remove the letter and the period from the filename. "E.modem_35910.bin" becomes "modem_35910.bin" for example
11. In the "lun0" folder, delete "userdata.bin"
12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r
13. You should now have seven files titled "rawprogram#.xml" where # is a number from 0 to 6
14. Exit the KDZTools directory and go into the directory containing the EDL utility
15. Place the firehose programmer file into the folder named "Loaders"
16. Follow this iFixit guide up to Step 10 to gain access to your phone's motherboard.
Programming
1. Open a terminal/command window in the folder you extracted the EDL utility to. On Windows, you may need to open the command window as administrator. On MacOS and Linux, you will likely have to run the utility with sudo.
2. Type python edl.py printgpt --memory=ufs and press enter. You should see
Code:
Qualcomm Sahara / Firehose Client V3.2 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
If you get a message about missing Capstone and Keystone libraries, ignore it.
3. Put your phone's battery back in
4. Look for the following two pads on your phone's motherboard
View attachment 5243977
If you can't see them, it's the pair of tiny pads just above the silver square with the H etched into it in the center of the image (Photo courtesy of runningnak3d)
5. Hold your paper clip or other conductive item on those two pads to short them out, then, while holding the paper clip in place, plug your phone into your computer. Keep holding the paper clip in place until you get an error about missing the firehose programmer from the EDL utility
6. Unplug your phone and remove the battery
7. In the message from the EDL utility, you should see a hardware ID and pkhash
8. Rename "prog_ufs_firehose_8996_lite.elf" to [Hardware ID]_[PKHASH]_FHPRG.bin where [Hardware ID] is the hwid provided by the EDL utility, and [PKHASH] is the first 16 characters in the pkhash provided by the EDL utility
9. Follow steps 2-5 again, but this time holding the paper clip in place until you see Programmer uploaded successfully :). If all went well, you should see a list of partition names and a load of hexadecimal offsets and such. This means you've set everything up correctly
10. In the terminal/command window, type python edl.py r fsg fsg.bin --memory=ufs --lun=1 and hit enter. If you get "main - Waiting for the device", unplug your phone, remove the battery, and follow steps 3-5 again until you see Programmer uploaded successfully :)
11. Type python edl.py r modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter.
12. Type python edl.py r modemst2 modemst2.bin --memory=ufs --lun=5 and hit enter. These three steps back up your EFS, which contains your phone's IMEI. We want a backup of this in case it gets corrupted by the flashing process. Your IMEI CANNOT be restored if EFS becomes corrupt and your phone will never be able to be activated on a cellular network again if we do not back up these three partitions first
13. In the terminal/command window, type python edl.py qfil "[PATH TO rawprogram0.xml]" "" "[PATH TO dzextracted/lun0]" --memory=ufs and press enter. Note that all the quotation marks are required.
14. Do step 13 again for each of the seven folders you created, replacing "0" in "rawprogram0.xml" and "lun0" with 1, 2, 3, 4, 5, and 6 as needed. This step will take some time
15. Once you have flashed all 7 "lun#" folders, type python edl.py w aboot aboot.img --memory=ufs --lun=4
16. Once complete, unplug your phone, remove the battery, reattach the backplate, and attempt to turn on the phone. It might boot to Android, but it might not. In my case, it did not boot to Android, but I could access fastboot and laf/download mode again, and I used those to finish fixing my phone.
Potential Problems
If you followed the guide and were able to restore your device to functioning order, but find that you have no signal and your phone reports it has no IMEI, type python edl.py w fsg fsg.bin --memory=ufs --lun=1 and hit enter, then type python edl.py w modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter, then type python edl.py w modemst2 modemst2.bin --memory=ufs --lun=5. These three commands will restore your EFS backup.
Click to expand...
Click to collapse
If you have successfully manage to generate raw program.xml. why don't you just share with us and save us from the trouble
Faisal_Mystic said:
If you have successfully manage to generate raw program.xml. why don't you just share with us and save us from the trouble
Click to expand...
Click to collapse
Is your phone having problems? if the partition can still be read by QFIL, you can still manually flash the partitions one by one. But if the partition is blank, I have a raw firmware backup from kdz H990DS. It can be used to save the phone to boot and enter download mode. then just fix it with LGup partition DL, select All partition
lambtur said:
Is your phone having problems? if the partition can still be read by QFIL, you can still manually flash the partitions one by one. But if the partition is blank, I have a raw firmware backup from kdz H990DS. It can be used to save the phone to boot and enter download mode. then just fix it with LGup partition DL, select All partition
Click to expand...
Click to collapse
if you have such backup firmware it would be so nice of you if you upload on G_Drive and provide me the links
I will be very grateful