My experience getting my H918 rooted and debloated - LG V20 Guides, News, & Discussion

I'm a novice enthusiast when it comes to phones. When my wife needed a replacement phone after hers started to fail (I blame repeated gravity-related incidents, but she insists that's not it), I decided to see if I could transform my old V20 into a "new" V20 for her. I didn't know what was to come, but I was going to do it!
This can also serve as a pseudo-guide for other novices, and something to laugh at for those more experienced as I list all the steps I took, and all the mistakes I made through the process. If you are going to use this as a guide, make sure you read it completely before starting! I've made mistakes, and I list them here, but don't repeat them!
Big list of files
Stuff for Linux live environment:
Etcherv1.7.9 https://github.com/balena-io/etcher/releases
steadfasterX's FWUL/mAid_v4.0-RC3_x86_64.iso https://leech.binbash.rocks:8008/mAid/
Stuff for Windows:
Android SDK Platform Tools (adb and fastboot) https://developer.android.com/studio/releases/platform-tools#downloads
LGMobileDriver_WHQL_Ver_4.8.0.exe http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00120120425
LGUP_Store_Frame_Ver_1_14_3.msi http://downloads.codefi.re/autoprime/LG/Flash_Tools/LGUP/
LGUP_Common_DLL_Ver_1_0_40_2.msi https://drive.google.com/uc?id=1MQ7u7ghlNNzjAgVkCpCmswdtZjeB3l6p&export=download&confirm=t
CXZa's utilities https://forum.xda-developers.com/t/lg-tools-lg-kdz-dll-tool-lgup_ui-fixer-lg-kdz-downloader.3916444/
Files you'll want on your external SD card:
H91810p_00_0717.kdz https://forum.xda-developers.com/t/...-and-including-20h-now-n00b-friendly.3773443/
Phoenix591's h918-20g-prerooted.zip https://forum.xda-developers.com/t/...-20g-20h-oreo-flashable.3848854/post-77987795
topjohnwu's Magisk-v23.0.zip (renamed from .apk) https://github.com/topjohnwu/Magisk/releases/tag/v23.0
TeamWin's twrp-3.6.1_9-0-h918.img https://dl.twrp.me/h918/
rootchecker apk https://apkpure.com/p/com.joeykrim.rootcheck
(optional but highly recommended) Darnrain1's Auto_Debloat v7.4 https://forum.xda-developers.com/t/...hones-volte-and-wifi-calling-working.4432865/
(optional) F-droid apk https://f-droid.org
(optional) laf_restore.zip https://forum.xda-developers.com/t/laf-restore-zip-file.4398879/
(optional) Phoenix591's encrypt-v3.zip https://forum.xda-developers.com/t/recovery-unofficial-twrp-3-3-1-1-2019-10-25.3720239/
Credits:
@topjohnwu for Magisk
@Phoenix591 for 20g in zip format and TWRP
@npjohnson for TWRP
@CXZa for their awesome LG utilities
@runningnak3d for the core of the project: lafsploit
@75th for updated method of using lafsploit
@steadfasterX for their amazing FWUL/mAid and SALT
@me2151 for their original root exploit Dirty Santa
@demasta123 for finding and sharing laf_restore.zip
@Darnrain1 for the excellent debloat script
What I did:
Flashed mAid_v4.0-RC3_x86_64.iso to my thumbdrive via Etcher.
Put the thumbdrive into my little Lenovo laptop and booted (had to reboot cause the bootloader menu was super brief), and selected "Search for GRUB2 configuration on external media"
Logged in (password is 'linux')
Connected to WiFi
Started V20 in download mode (VOLUP+USB)
Opened SALT and under Advanced found that none of my partitions were displayed (which I expected because the V20 has Universal Flash Storage).
In SALT there's three buttons on the bottom. The leftmost one allowed me to change all the ummm sources? builds? to 'develop' and then I restarted SALT. Now I can see the partitions!
Clicked the backup option and selected Custom. All the partitions appeared to be selected, but I can't see the whole window because it doesn't allow itself to be resized smaller than a certain point which was too large for my little laptop screen. Since it appeared that all the partitions were checkmarked, I tapped Enter and it prompted me for a location to save the 60GB(!) backup.
I opened the file browser and I found the laptop's internal hard drive listed as '158 GB Volume'. Clicking it prompted for a password so I tried 'linux' and it worked! I created a directory at /home/user/Documents/H918, then copied the very cryptic path from the address bar of the file browser over to SALT and started the backup.
I babysat the laptop so it would not fall asleep or w/e just in case that would ruin the backup.
It hung during the backup (possibly because I was looking for a way to change the mouse sensitivity and the screen timeout) so I had to forcibly power off the laptop and reboot into FWUL/mAid. I had to remove the battery from the phone to get it out of download mode. I did everything as before but this time I am only backing up the userdata partition as it is by far the largest, and I am touching NOTHING during the process other than the occasional mouse jiggle. If/When that's done I'll back up everything else. I very much doubt I need the userdata but better safe than sorry. The speed is slow; less than 1GB/minute.
Hung again, and I discovered that my poor little laptop was super hot, so I think that my laptop's cooling has failed, or for some reason it doesn't engage in FWUL/mAid. I'll need to either find a cooling solution, or more likely use my big desktop for this.
I used my desktop to do this, and was able to extract all the partitions as .img files. I also captured my device info and saved it to the PC as well. I was going to do the rest of the steps right from FWUL/mAid but outside of SALT, I couldn't get anything to work. I think it was missing Java because nothing was listed for echo $JAVA_HOME and the ADB tool would not launch. I'll just do the rest from Windows.
Back in Windows I tried compressing the images with 7zip but it was being a resource hog so I'll do it later and let it run overnight since I want this super compressed.
I went through the process of unlocking the bootloader:
Booted up phone to OS.
Skipped/Bypassed as much of the initial setup as possible. For some reason it keeps telling me it will "process my request" when it has connection to the Internet (cell data or wifi). Don't know WTF that is. Hope it is wiped during the process of rooting and installing a new ROM.
PC didn't have drivers, but I ran the LGMobileDriver_WHQL_Ver_4.8.0.exe and it installed them.
Set USB mode to file transfer.
Enabled USB debugging.
Enabled Dev Options.
Enabled OEM unlock.
adb reboot bootloader
fastboot oem unlock
fastboot reboot
Since the userdata was wiped I had to go through the setup again, enabled dev options, usb debugging (oem unlock was enabled and greyed out unsurprisingly).
adb reboot bootloader
fastboot getvar unlocked (reported as yes; so the bootloader is successfully unlocked!)
Now for flashing H91810p_00_0717.kdz, I head back to FWUL/mAid to use SALT.
Or not. SALT doesn't work because LG changed something in regards to being able to flash as of MM, but it appears I can do this in Windows with LGUP.
A (device-specific?) DLL file is required for LGUP and after much searching I learned that it is extracted directly from the KDZ. Fortunately CXZa has some nifty tools available, one of which is a dll extractor which is perfect for this. The readme for the dll extractor said I should install LGUP_Common_DLL_Ver_1_0_40_2.msi in addition to LGUP_Store_Frame_Ver_1_14_3.msi so I did so. I used the dll extractor to get the needed dll file from H91810p_00_0717.kdz. The option to copy to the LGUP folder didn't appear to work so I tried again and told it to not copy the dll. It doesn't say as such but it places the extracted dll in the folder that the kdz was in with the same name as the KDZ +.dll.
Copied and renamed the extracted dll to 'C:\Program Files (x86)\LG Electronics\LGUP\model\Common\LGUP_Common.dll'
Upgraded LGUP with CXZa's tools (not really necessary but neat)
Ran LGUP as admin, selected UPGRADE, for the BIN file I selected the H91810p_00_0717.kdz that I downloaded from the link in the original lafsploit thread by runningnak3d, and clicked start (and held my breath...)
It worked! The phone rebooted as part of the process directly to the OS, and Settings > Phone Info shows "H91810p" so I should be ready for the next part which is following the updated lafsploit instructions by 75th with some minor edits by me for clarity:
Boot from your FWUL/mAid USB stick.
Put your phone into download mode.
Double click the LG folder that is on the desktop.
Double click on open-lglafsploit.desktop and you will be at a terminal prompt.
Enter the following into that terminal. I'd copypasta the first line at least:
git clone https://gitlab.com/runningnak3d/lglaf -b h918-miscwrte
cd lglaf
./step1.sh
When you are told to, pull the USB cable, and the phone will power off. You now have TWRP on your laf partition.
I then booted to Download mode (VOLUP+USB) again and the phone booted to the TWRP 3.2.1-3 image installed on the laf partition. I did not mount system as rw (keep as read only). Chose Install > Install Image > and browsed to the TWRP image (twrp-3.6.1_9-0-h918.img) on my external SD. For the location to flash it I selected Recovery, and then swiped to flash.
When complete I hit the Back button twice, and changed to Install Zip. Selected Magisk-v23.0.zip, and swiped to confirm flash. When done wiped cache/dalvik, then reboot system. I opted to not install the TWRP app.
Back in the OS I turned on wifi because Magisk had to download the full app. Once Magisk was done I turned off wifi because holy **** why are outbound firewalls not a thing on phones!? Then w/in the Magisk app I selected Install, checkmarked both Preserve AVB 2.0/dm-verity and Preserve force encryption (I learned later this was a big mistake), and then chose the Direct Install method, and rebooted when it completed.
I then installed the root checker apk, and it verified that I was rooted!
Spoiler: THIS IS THE PART WHERE I AM ACTUALLY RETARDED
Read this section if you want to laugh at me, but don't follow any of the steps because it was a massive mistake due to my catastrophic stupidity.
Recovery and download mode issues?
If I am in the OS I can use adb reboot recovery and it will boot to TWRP 3.6.1_9-0 as expected. However if I do the hw key combo of VOLDN+PWR release PWR, hold PWR again, it takes me to what appears to be some stock "recovery" that only gives me the option to factory reset the device. Oddly, you have to tell it to reset your device and it will load TWRP 3.6.1_9-0 instead of doing a factory reset.
Also, if I try to go to download mode (which should have been replaced with a version of TWRP as part of the lafsploit process) it only brings me to a screen that says "Welcome to Fastboot Mode". This would be fine, but if I run fastboot reboot recovery it reboots not into recovery, but into the OS so I wonder if this fastboot mode is broken in some way. The *only* thing I can think of that may have caused fastboot to replace TWRP is installing Magisk as its process of patching the image(s) may have changed the laf partition from TWRP to fastboot. I also end up here if I am in TWRP and select reboot to bootloader, so is "download mode" == "bootloader"? I thought they were different tbh...
Next step is to get onto stock Oreo so I can run the debloater. To get oreo, Darnrain1 says "I have learned from experience that v20h has kernel panic green screen errors. Best to use v20g if you can." https://forum.xda-developers.com/t/...hones-volte-and-wifi-calling-working.4432865/
Ok so I'm wrong about the lafsploit TWRP being gone. When I attempted to flash to an Oreo ROM (H91820g_00_1010.kdz) via LGUP, it rebooted to TWRP 3.2.1-3! So the TWRP used to replace Download mode (the laf partition) is still there, but why do I get a fastboot prompt when I attempt to boot to download mode via the VOLDN+USB?
Summary:
In Android OS, adb reboot bootloader --> fastboot prompt
In Android OS, adb reboot recovery --> TWRP 3.6.1_9-0
In Android OS, adb reboot fastboot --> Android OS
In fastboot prompt, fastboot reboot bootloader --> fastboot prompt
In fastboot prompt, fastboot reboot recovery --> Android OS
In fastboot prompt, fastboot reboot --> Android OS
Within (either) TWRP, reboot bootloader --> fastboot prompt
Within (either) TWRP, reboot recovery --> TWRP 3.6.1_9-0
VOLDN+PWR, release PWR for 1s, hold PWR again --> TWRP 3.6.1_9-0 (after being prompted to factory reset)
VOLDN+USB --> fastboot prompt
Since LGUP won't work w/o the original laf partition for download mode, I had to find a copy of the laf_restore.zip at https://forum.xda-developers.com/t/laf-restore-zip-file.4398879/ since the links for it in the OP were dead. Flashed it via recovery TWRP 3.6.1_9-0, wiped cache/dalvik (probably not needed tbh), then reboot system.
Copied and renamed the dll extracted from H91820g_00_1010.kdz to 'C:\Program Files (x86)\LG Electronics\LGUP\model\Common\LGUP_Common.dll'. I suspect that I can just use the latest version of the dll, but I'm not going to risk anything so I will just use the one extracted from the very KDZ I'm flashing.
Ran LGUP as admin, selected UPGRADE, for the BIN file I selected the H91820g_00_1010.kdz file.
After reboot the phone reported its software version as H91820g. Magisk was still installed, but not surprisingly, root had been lost. This time there wasn't an easy Direct Install option so I'll need to extract the boot image so that Magisk can patch it, then I can flash it.
PROBLEM! Looks like the KDZ isn't just the OS, but also (all?) other partitions including recovery! I no longer have TWRP for my recovery. I really hope I can flash H91810p_00_0717.kdz back and redo lafsploit.
I was able to use LGUP to flash back to H91810p with the only complaint that the phone couldn't be decrypted so it had to be reset, which wasn't a problem and I let it do so.
I think I'm ****ed. Although I was able to reflash H91810p, I cannot run the lafsploit again because I only get "fastboot mode" when I hold VOLDN and plug in the USB. This fastboot mode doesn't work with the lafsploit script. I also do not have a recovery. adb reboot recovery sends me to a screen with a dead android mascot with a red triangle and the text "No command". Neither adb devices nor fastboot devices will list the phone in this mode, and LGUP doesn't see it. My recovery is totally broken.
I attempted fastboot flash recovery twrp-3.6.1_9-0-h918.img but got:
Sending 'recovery' (24948 KB) OKAY [ 3.608s]
Writing 'recovery' FAILED (remote: 'unknown command')
fastboot: error: Command failed
I used LGUP to once again reflash H91810p, and even though that should wipe everything, I also did the VOLDN+PWR, release PWR, press PWR, and told it to factory reset (no TWRP here of course so it actually factory reset). I jumped through initial ****up again and enabled dev options and USB debugging.
Now the phone isn't seen by LGUP. In device manager it shows as "Android Sooner Single ADB Interface". No COM ports. WTF!?
I tried running LGMobileDriver_WHQL_Ver_4.8.0.exe again. It didn't throw errors but nothing changed. Tried uninstalling the "sooner" device and reinstalling the LGMobileDriver. The "sooner" device just reappeared.
Windows Explorer gave me a hint though. It just showed "V20" listed with no access to its storage. On the phone I changed its USB mode to file transfer and now it shows up as a COM port. I'd forgotten that I had set the phone to always do file transfer before wiping it so it always showed up as a COM port in DM. God I'm dumb.
Now for something really ghetto. Since LGUP does send the phone into download mode when I tell it to flash, and I need to be in that mode to run the lafsploit script, I'm going to tell it to flash my phone and yank the USB cable as soon as the phone powers off for a reboot into DL mode.
It seems to have actually worked? Below is the output of my run of step1.sh:
This will install TWRP.
You do NOT need to do ANYTHING!
If it fails, NO damage is done to your phone.
If the hash check fails, it will make five attempts.
If after five attempts, it does not get a hash match, it will abort.
NO damage has been done to your phone.
You can re-run this script as many times as you want, however,
if you are not getting a hash match, you should try a different PC,
or a different cable, or a different USB port.
Press any key to continue...
Flashing... this will take a while.
Flashing TWRP to lafbak. Please wait...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Dumping lafbak for hash check...
[ 100 % ] 2022-04-25 20:22:36,237 partitions: INFO: Wrote 50331648 bytes to h918-twrp-tmp.img
Trimming trailing zeros
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S97ccbe70f0431f824a0f46c4256f0e7f3c1b6e0e9ac35f69978fbd58fe2b55be
Hash check failed! Retrying for 5 times.
Attempt 1 - Press ctrl C to break
Flashing TWRP to lafbak. Please wait...
[ 100 % ] 2022-04-25 20:23:58,271 partitions: INFO: Done after writing 29798400 bytes from h918-twrp.img
Dumping lafbak for hash check...
[ 100 % ] 2022-04-25 20:24:02,820 partitions: INFO: Wrote 50331648 bytes to h918-twrp-tmp.img
Trimming trailing zeros
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Hash check passed. Copying TWRP to laf
Flash sucessful! Unplug your USB cable and your phone will power off.
Once your phone is off, go back into download mode - hold vol up and plug the USB cable back in.
Once TWRP loads, you need to flash TWRP onto recovery.
Attempt 2 - Press ctrl C to break
Flashing TWRP to lafbak. Please wait...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Dumping lafbak for hash check...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Trimming trailing zeros
sha256sum: test.img: No such file or directory
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S
Hash check failed! Retrying for 5 times.
rm: cannot remove 'h918-twrp-tmp.img': No such file or directory
rm: cannot remove 'test.img': No such file or directory
Attempt 3 - Press ctrl C to break
Flashing TWRP to lafbak. Please wait...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Dumping lafbak for hash check...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Trimming trailing zeros
sha256sum: test.img: No such file or directory
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S
Hash check failed! Retrying for 5 times.
rm: cannot remove 'h918-twrp-tmp.img': No such file or directory
rm: cannot remove 'test.img': No such file or directory
Attempt 4 - Press ctrl C to break
Flashing TWRP to lafbak. Please wait...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Dumping lafbak for hash check...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Trimming trailing zeros
sha256sum: test.img: No such file or directory
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S
Hash check failed! Retrying for 5 times.
rm: cannot remove 'h918-twrp-tmp.img': No such file or directory
rm: cannot remove 'test.img': No such file or directory
Attempt 5 - Press ctrl C to break
Flashing TWRP to lafbak. Please wait...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Dumping lafbak for hash check...
Traceback (most recent call last):
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 471, in <module>
main()
File "/home/android/programs/lglafsploit/lglaf/./partitions.py", line 421, in main
lglaf.try_hello(comm)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/programs/lglafsploit/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.9/site-packages/usb/core.py", line 1029, in read
ret = fn(
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 846, in bulk_read
return self.__read(self.lib.libusb_bulk_transfer,
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 954, in __read
_check(retval)
File "/usr/lib/python3.9/site-packages/usb/backend/libusb1.py", line 602, in _check
raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 110] Operation timed out
Trimming trailing zeros
sha256sum: test.img: No such file or directory
Checking hash...
TWRP hash: S260cb44d98c67f5ad11fb4512577b6ad4754d9fc8173802ae15d7f5c3aa39e3c
Test dump hash: S
Hash check failed! Retrying for 5 times.
rm: cannot remove 'h918-twrp-tmp.img': No such file or directory
rm: cannot remove 'test.img': No such file or directory
Hash check failed after 5 attempts - exiting
[[email protected] lglaf]$
Strange that it ran 5 times even though it appears to have worked the first time? Well let's see if it works.
I followed the instructions to get back into download mode by plugging the USB cable back in while holding VOLUP...
It's ****ing volume up and USB. Volume up. UP. UUUUUUUUUUPPPPPPPPP! At some point my brain decided "DOWNload mode is accessed by pressing volume DOWN + USB"
With 10p and the original laf back on the phone I went through the same steps as before for lafsploit and got TWRP 3.6.1_9-0 flashed onto recovery again. I figured that since I have to re-run Magisk after flashing 20g there isn't any point to doing it now so I skipped it this time.
Then w/in recovery I flashed h918-20g-prerooted.zip, wiped cache, and rebooted to System. Once there I went into Magisk and did the recommended Direct Install method for patching the image and rebooted. Tested with a root checker app and we have root!
Sweet, now it is time to debloat the phone and get it set up for actual use, but first I will check to make sure my tools are still accessible.
VOLUP+USB will show TWRP 3.2.1-3 briefly then the phone reboots... which is super odd, but not a dealbreaker since the VOLDN+PWR, release PWR for 1s, press PWR method gets me to actual recovery (TWRP 3.6.1_9-0).
Going into recovery I find that the device is encrypted and asks for a password that I never configured (was this set up on first boot of 20g, or did Magisk do this?). Reading online looks like you can virtually never decrypt your data in TWRP, but if you want to make any changes you'll need to get rid of the encryption. That's a shame because it's like you can have either a secure device (encrypted), or a usable one (rooted and debloated). I need a usable one so goodbye encryption.
Wipe > Format data > reboot
It booted to something called "Secure start-up" and said "Decryption unsuccessful" and that I needed to reset the phone. Sure, whatever. It then rebooted to recovery (TWRP 3.6.1_9-0). Weird. But data was not encrypted this time. Tried rebooting to system and got the same secure startup thing. Tried resetting again and back to recovery. Decided to just flash the 20g zip again and reboot.
I am at Secure start-up again! WTH?! I told it to reset to get me back to TWRP and here under Wipe I selected
Dalvik
System
Data
Internal Storage
Cache
and did a Format Data again. Then told it to reboot to Recovery, not System.
Back in TWRP I told it to mount System and allow modifications. Changed the filesystem of System from vfat to ext4 to make extra sure System was nuked. Reboot System (it shouldn't boot to anything if the ****er is actually wiped this time). Hung on LG logo, so I'm pretty sure I was able to remove the old OS.
Pulled battery, and did the VOLDN+PWR, release PWR for 1s, press PWR dance to get into "factory reset" which in reality leads to TWRP 3.6.1_9-0. Flashed 20g again, hopefully with better success.
Secure start-up! Why won't this thing die?! I initially thought that it was the ROM itself, or wiping data in TWRP irrevocably ****ed it somehow. Further reading led me to this post by Theraze who clued me in that TWRP for V20 has a bug that doesn't properly clear the encryption flag. Fantastic.
I would go back and start over but I don't think I can. I'd need to use the LGUP utility, but since the phone doesn't present itself as a COM port anymore I don't think it will work. On a whim I tried LGUP... and after like a full minute it ****ing sees the phone! I will try flashing H91810p_00_0717.kdz onto it again. It booted to TWRP 3.2.1-3 lol. I forgot we replaced the laf dl mode with TWRP.
Went to TWRP 3.6.1_9-0, flashed laf_restore.zip, rebooted to system ~SuCKurE sTarTuP~. Ran LGUP again and told it to flash 10p again. (I really wish the default option was UPGRADE and not REFURBISH; I'm sure I'm going to **** it up one of these times)
I can't believe it. I literally cannot believe it. After flashing H91810p_00_0717.kdz via LGUP I am at the Secure start-up screen. The only difference is it looks slightly different due to it being Nougat this time instead of Oreo. I told it to reset the phone JIC it will actually work, and went to pour myself a stiff drink.
Resetting actually worked. Holy. ****.
FWUL/mAid, lafsploit, flash TWRP 3.6.1_9-0 to recovery, reboot to recovery (no encryption prompt), reboot system, no secure setup.
Tried VOLDN+PWR, release PWR for 1s, press PWR, but it did not put me into recovery. It erased my device. Power off, VOLUP+USB, went into TWRP 3.2.1-3. Reboot recovery. Dead droid "no command" again. GDI.
TWRP 3.2.1-3, flash laf_restore (glad it let me; was worried that I couldn't flash the laf partition while on lafTWRP), reboot system. LGUP to flash 10p AGAIN. Didn't erase the device so didn't need to do setup again at least.
FWUL/mAid, lafsploit again.
In TWRP 3.2.1-3 I did nothing but flash TWRP 3.6.1_9-0 to Recovery and reboot system. Then I ran adb reboot recovery. Dead droid, no command. ****.
LGUP to flash 10p yet again, but this time after it booted up, I did the VOLDN+PWR dance and told it to factory reset. It rebooted and I did setup again, and rebooted to system once before shutting down.
FWUL/mAid and lafsploit yet again.
Unplugged USB and the phone powered off like it should. Then VOLUP+USB. Swiped to allow modifications.
Wiped:
Dalvik
Data
Internal Storage
Cache
Format Data:
Formatting Data using make_ext4fs...
Failed to mount '/data/ (Device or resource busy)
Failed to mount '/data/ (Device or resource busy)
Unable to recreate /data/media folder.
You may need to reboot recovery to be able to use /data again.
Updating partition details...
Failed to mount '/data/ (Device or resource busy)
...done
Unable to mount storage
Opening TWRP's terminal and doing ls shows a /data with lost and found so it's there and empty.
Ran the following command via the TWRP terminal in case the GUI method of flashing is somehow not working:
dd if=/external_sd/Docs/TWRP/twrp-3.6.1_9-0-h918.img of=/dev/block/bootdevice/by-name/recovery
I tried running the following but the file didn't exist:
rm /system/recovery-from-boot.p
Flashed Magisk23.0.zip and again 'Failed to mount '/data/ (Device or resource busy)'. Tried to wipe dalvik/cache but it failed. Reboot System.
Went through initial ****up again. Completed and did adb reboot recovery.
Got to TWRP 3.6.1_9-0. This time. Swiped to allow modifications. Reboot system.
adb reboot recovery
Got TWRP 3.6.1_9-0 so it *might* be working now. Reboot > power off.
Tried VOLDN+PWR dance and it took me to recovery.
I think the lesson is wipe the **** out of the device after getting into lafTWRP both before and after flashing new TWRP to Recovery. Also swipe to allow modification so if there's secret sauce behind the scenes in System that's killing recovery TWRP it is neutralized during the process of getting 3.6.1_9-0 flashed. I am unsure if flashing Magisk is required as part of the process. I don't believe it is as I think mounting system as rw and wiping the other partitions is what's really needed, but I don't think it actually harms anything. (later on I learned that wiping is only part of it; Magisk and no-verity-opt-encrypt are what's needed to stop the encryption that was causing secure startup)
I rebooted to system and again adb reboot recovery. I went to TWRP 3.6.1_9-0 but it did not prompt me about swiping to make modifications so I immediately did reboot system. I was expecting Secure startup but it didn't appear, thank ****.
Back to recovery and I flashed no-verity-opt-encrypt-6.1.zip in the hopes that it would prevent Suckure startup from occurring again when I flash 20g in a minute. Wiped dalv/cache tho probably unnecessary. Reboot system.
No problems thus far. Time to flash 20g again.
Rebooted to recovery and told it to flash 20g. Since I've learned how amazing and cathartic wiping is, I formatted data, and then wiped:
Dalvik/Cache
Data (probably not needed)
Internal Storage
Cache
Reboot system.
Secure start-up. *sigh*
VOLDN+PWR dance actually worked this time so that's nice. Swiped to allow modifications. Flashed no-verity-opt-encrypt-6.1.zip. Format data, wipe dalvik data internal cache again. Reboot system.
Secure start-up.
Recovery > flashed laf_restore > reboot system. Secure startup ofc, but I can run LGUP and flash 10p KDZ again to start over. Again.
I'm 99.999% sure that encryption being enabled is the problem.
In https://forum.xda-developers.com/t/twrp-3-1-1-0-touch-recovery.3603760/post-73129295 me2151 says that "Encryption unsuccessful is because you did not do supersu or something to disable force-encrypt". Note that he says "Encryption unsuccessful" but the problem I have is "decryption unsuccessful". Not sure if a typo or a different issue.
Phoenix591 says https://forum.xda-developers.com/t/twrp-3-1-1-0-touch-recovery.3603760/post-75429764 "You need to either root or install no-verity-opt-encrypt to keep stock from replacing twrp with stock recovery iirc"
This makes me think that I'll need to flash Magisk *and* no-verity-opt-encrypt to ensure that there is no encryption at all for the data partition.
FWUL/mAid froze while I was doing this so I hope my notes are correct as they're from my highly fallible memory:
lafsploit
VOLUP+USB > lafTWRP
Left system as ro
Format data (It even mentions we'd need to reenter recovery for data to be accessible again ffs. No wonder I was getting Failed to mount '/data/ (Device or resource busy). I need to learn how to read.)
Reboot > Power off
VOLUP+USB > lafTWRP
System ro
Wipe dalv, data, internal, cache
Flash Magisk (it mentions that forceencryption is enabled and will keep it that way when patching)
Flash no-verity-opt-encrypt-6.1.zip (to override the forced encryption)
Flash TWRP 3.6.1_9-0 to recovery
Reboot recovery
Made it to TWRP 3.6.1_9-0, yay
I would have left ro if prompted; for some reason the prompt about system modifications is inconsistent; sometimes it asks, sometimes not
Reboot system
Did first time setup again, dev options, turn on wifi, let magisk update and let it reboot
Back in system used Magisk's Direct Install method leaving "preserve AVB" UN-checked in case AVB forces encryption back on. Interestingly there wasn't an option for 'Preserve force encryption' so I think no-verity-opt-encrypt is working.
Rebooted
Installed root check app and we have root
Reboot recovery
Format data
Reboot RECOVERY (NOT system!)
Wipe dalv, data, internal, cache
Reboot RECOVERY (NOT system!) <-- not sure if needed, but I'm so sick of secure setup
Flash 20g zip
Flash magisk
Flash no-verity-opt-encrypt
Reboot system this time
Oh my ****ing god it's not at secure setup! It's at the normal first time setup for Oreo!
Did first time setup again, dev options, turn on wifi, let magisk update and let it reboot
Back in system used Magisk's Direct Install method leaving "preserve AVB" UN-checked in case AVB forces encryption back on (still no Preserve force encryption) and rebooted
Installed root checker and it's rooted
Tested adb reboot recovery and it worked
Tested VOLDN+PWR dance and it worked
Time for debloat
Already in recovery from testing the methods to get into recovery
Wipe > advanced > just dalvik and cache this time (hope this is all I need to do)
Flash Auto_Debloat v7.4
Swiped to wipe dalv/cache JIC
Reboot system
Success!
I suspect that (but haven't tried) flashing encrypt-v3.zip at this point will encrypt userdata and have it decryptable in TWRP. It might not work with the official TWRP 3.6.1_9-0, but Phoenix591 says it should with his version of TWRP. However, this adventure has gone on long enough so I'm not keen on trying it. Maybe later when I have some energy.

Well that was a trip. Skimmed through didn't read everything. Liked the touch of memes properly used. Congrats.

lol thank you. It was quite the journey but I feel like I learned from it so it was a good experience.

Oh fer... yep. Lol That's about what a nightmare (journey is a good word, too lol) rooting phones can be & precisely why 7% (at the VERY most) of cell phone users really end up doing it. I'm just glad to be a part of (the even smaller) percentage of us that enjoy helping one another. Thanks to all for being so helpful.
Good job Sidney & thank you.

Nice report. Read bits here and there - as usual.
And very detailed. I should start taking notes too...
SidneyD said:
dead android mascot with a red triangle and the text "No command"
Some stock recoveries do this. Next time try pressing power and then Vol Up shortly...

always good to see users sharing their knowledge and congrats that you were steadfast enough going through all this !
Thanks for that and as a little side note: SALT can extract KDZs too, ofc even with the DLL needed for LGup later

I found that attempting to format my thumb drive back to a general purpose storage device only showed 60MB of space. I've experienced this before and knew that I had to use the diskpart command to fix the partitions. I fixed it by following the guide at: https://www.diskpart.com/articles/how-to-format-usb-drive-in-command-prompt-7201.html
Be careful about selecting the correct disk number!

SidneyD said:
I found that attempting to format my thumb drive back to a general purpose storage device only showed 60MB of space. I've experienced this before and knew that I had to use the diskpart command to fix the partitions. I fixed it by following the guide at: https://www.diskpart.com/articles/how-to-format-usb-drive-in-command-prompt-7201.html
Be careful about selecting the correct disk number!
Awesome. Thx Sidney.

Thanks for the guide. Were you able to keep VoLTE? Does this re Sim Lock the phone? Thanks from a nervous noob

Related

How to extract contents of *.img (boot/recovery/system/userdata) for adp1 on host

Hi,
After downloading the official image with android-1.5 (also known as
signed-dream_devphone_userdebug-img-150275.zip) for adp1 from the link
(http://www.htc.com/www/support/android/adp.html#s3) provided by HTC
and unzipping the image into someplace you want in the terminal, and
then four files with the same extension of .img will be got, as shown
below.
boot.img
recovery.img
system.img
userdata.img
Here's a discussion mainly focused on how to extract these contents of
the last two images for adp1 on host.
With respect to how to extract these contents of the first two images
for adp1 on host, please refer to the following link. Meanwhile,
thanks for the community efforts as well!!
http://forum.xda-developers.com/showthread.php?t=443994
http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_....
1> system.img
==> the unyaffs2 tool is used to extract the contents from system.img
on host.
For the tool, you can access its source code with the license of GPLv3
located at the link (http://code.google.com/p/unyaffs/) and download
the source code and its binary.
2> userdata.img
While using the aforementioned tool extracting these contents of
userdata.img, the contents fail to be got on host and just a message
of "end of image" is shown up in the terminal, as follows.
$ chmod a+x unyaffs
$ unyaffs userdata.img
end of image
So, the problem to be asked is about how to extract contents of
userdata.img for adp1 on host!!
Any input will be greatly appreciated!!
for the official rom, userdata should be empty isn't it?
You could flash userdata and then boot into recovery, mount data, and adb pull /data.
I'm also interested in extracting boot and recovery images, so any hints please post here
First off, thanks for your reply, billc.
As regards the issue that if the image of userdata.img is empty, the two methods are taken, as follows. (so sorry that the below is too long. )
1. checking that with bash command in the terminal
$ ls -lh
total 57M
-rw-r--r-- 1 samuel samuel 1.6M 2009-01-01 00:00 boot.img
-rw-r--r-- 1 samuel samuel 1.8M 2009-01-01 00:00 recovery.img
-rw-r--r-- 1 samuel samuel 54M 2009-01-01 00:00 system.img
-rw------- 1 samuel samuel 2.1K 2009-07-02 08:23 userdata.img
With the first scenario, the size of "userdata.img" is shown as "2.1K", which seems to indicate that the image of "userdata.img" isn't empty, instead of with the size.
2. checking that with programs (unyaffs.c[1]/unyaffs.h[2]) for the tool of "unyaffs"
[1]http://unyaffs.googlecode.com/files/unyaffs.c
[2]http://unyaffs.googlecode.com/files/unyaffs.h
(NOTE: the instruction of compilation is "gcc -o unyaffs unyaffs.c" with the version 4.2.4 of gcc)
After compiling, the executable tool is got in your directory, also known as "unyaffs". And then, type the instruction with the terminal below.
$ unyaffs userdata.img
end of image
Unfortunately, there is nothing out there after extracting contents of "userdata.img" with the size of "2.1K"(-the length really includes what contents?). Only a message of "end of image" is shown up with the terminal.
To get more information about the message of "end of image", therefore, diving into the C file used to generate the tool of "unyaffs", getting the following contents. Meanwhile, please also pay more attention to the lines with the bold.
int read_chunk()
{
    ssize_t s;
    int ret = -1;
    memset(chunk_data, 0xff, sizeof(chunk_data));
    s = read(img_file, data, CHUNK_SIZE + SPARE_SIZE);
    if (s == -1) {
        perror("read image file\n");
    } else if (s == 0) {
        printf("end of image\n");
    } else if ((s == (CHUNK_SIZE + SPARE_SIZE))) {
        ret = 0;
    } else {
        fprintf(stderr, "broken image file\n");
    }
    return ret;
}
And then, indexing the function in the Linux Programmer's Manual with the command of "man read" in the terminal to get more info, as shown below. In the meantime, please pay more attention to the lines with the bold as well.
$man read
...
...
NAME
read - read from a file descriptor
SYNOPSIS
#include <unistd.h>
ssize_t read(int fd, void *buf, size_t count);
DESCRIPTION
read() attempts to read up to count bytes from file descriptor fd into
the buffer starting at buf.
If count is zero, read() returns zero and has no other results. If
count is greater than SSIZE_MAX, the result is unspecified.
RETURN VALUE
On success, the number of bytes read is returned (zero indicates end of
file), and the file position is advanced by this number.
...
...
Just judging from the combination of the snippet of "unyaffs.c" and the manual of "read" above, the conclusion below can be come to.
The real contents of "userdata.img" with the size of "2.1k" is exactly empty ending up with "end of file".
When compared the two conclusions as mentioned above, it's found that the both are just contrary, the former ISN'T empty while the latter IS empty.
So, there are a set of problems about the above confusion herein.
Q1: What contents exactly does the "userdata.img" with the size of "2.1k" mean?
Q2: What contents and from which position does the function of "read" read in the file? In the case of "userdata.img", what are"what contents" and "from which position" respectively?
Q3: According to the above two scenarios, what steps to take are to judge if the file is really empty?
Looking forward to your replies, thanks!!
to jubeh,
As to extracting the images of boot and recovery from adp1/g1, you can refer to the following links. hope that that's helpful.
http://forum.xda-developers.com/showthread.php?t=443994
http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images
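Added example, not part of the original post: a Python re-creation of the quoted read_chunk() branches, run over constructed images, assuming the tool calls the function repeatedly until it fails. It shows that "end of image" is reached at the end of any image whose size is a whole number of chunk records, so the message alone does not show that a file is empty. The 2048-byte chunk and 64-byte spare sizes and all function names are assumptions; the post does not quote the values of CHUNK_SIZE and SPARE_SIZE.

```python
import io

CHUNK_SIZE = 2048              # assumed value; the post does not quote it
SPARE_SIZE = 64                # assumed value; the post does not quote it
RECORD = CHUNK_SIZE + SPARE_SIZE


def read_chunk(stream):
    """Return (status, record) following the branches of the quoted C function.

    The s == -1 branch (I/O error) has no counterpart here: in Python a failed
    read raises an exception instead of returning -1.
    """
    record = stream.read(RECORD)
    if len(record) == 0:
        return "end of image", record          # read() returned 0: nothing left
    if len(record) == RECORD:
        return "chunk", record                 # one full data+spare record
    return "broken image file", record         # short read: truncated record


def survey(image):
    """Walk an image record by record and summarise what was found."""
    stream = io.BytesIO(image)
    chunks = erased = 0
    while True:
        status, record = read_chunk(stream)
        if status != "chunk":
            break
        chunks += 1
        # An all-0xFF data area is what an erased NAND page looks like.
        if record[:CHUNK_SIZE] == b"\xff" * CHUNK_SIZE:
            erased += 1
    return {
        "size": len(image),
        "chunks": chunks,
        "erased_chunks": erased,
        "trailing_bytes": len(image) - chunks * RECORD,
        "stopped_on": status,
    }


# Constructed inputs (not taken from any real image).
EMPTY = b""
ONE_RECORD = b"\x01" * CHUNK_SIZE + b"\x00" * SPARE_SIZE
TRUNCATED = ONE_RECORD + b"\x01" * 100
ERASED = b"\xff" * RECORD

if __name__ == "__main__":
    for label, image in [("empty", EMPTY), ("one record", ONE_RECORD),
                         ("truncated", TRUNCATED), ("erased", ERASED)]:
        print(label, survey(image))
```

A zero-byte file and a one-record file both stop on "end of image"; only the size and the chunk count tell them apart.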

Issues with setting up build environment

I'm looking at getting into rom cooking with this latest cyanogen fiasco, but i'm having errors getting repo set up, and i'm wondering if it's my configuration.
I'm running OS X 10.5.8, everything is updated, and i've followed the whole guide from source.android.com, up to a certain point.
when i run "repo init -u git://android.git.kernel.org/platform/manifest.git", i get this error:
Code:
Traceback (most recent call last):
File "/Users/aaron/bin/repo", line 595, in <module>
main(sys.argv[1:])
File "/Users/aaron/bin/repo", line 562, in main
_Init(args)
File "/Users/aaron/bin/repo", line 181, in _Init
_CheckGitVersion()
File "/Users/aaron/bin/repo", line 210, in _CheckGitVersion
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)
File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/subprocess.py", line 593, in __init__
errread, errwrite)
File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/subprocess.py", line 1079, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory
anyone else have this error or know how to correct it?
side note, I made a partition on an external hard drive for nabbing the source, i'm CDing to the /Volumes/Android/mydroid before i run the command. ( the partition is HFS journaled/case sensitive) and have all the port stuff installed onto my Mac hard drive
Nevermind, my path settings aren't sticking for some reason. resetting the path solved my problems

[GUIDE][UTIL][MT65xx] Create Scatter File and Dump Full ROM

[GUIDE][UTIL][MT65xx] Create Scatter File / Dump Full ROM
For any MT65xx device, no matter how obscure.
I will discuss a method for:
* making your own SPFT scatter file
* dumping your entire ROM (without root)
* dicing up your entire ROM into partition blocks
This is somewhat of a manual process. rua1's MTK Droid Root & Tools circumvents the need for doing most of this. I applaud his work, it's a big undertaking and he supports it well.
Here are a few reasons to use the method I discuss here:
* you want a ROM dump without rooting
* you want a ROM dump without your OS booted (clone cold system is safe)
* you want a guaranteed way to restore exactly current state (safety and return to store)
* you are just plain worried something will go wrong
-------------------------------------
I have two methods for creating a scatter file.
Method #1
Find your scatter information in SP Flash Tool's Logs
Well first, you have to make SP Flash Tool happy enough to give you some information about your device.
* Obtain a SPFT ROM that is known good for any phone/tablet, preferably with the same chip as yours. Make sure that scatter file loads into SPFT without error, SPFT checks the PRELOADER and DSP_BL and if they aren't in the scatter directory, it will fail and maybe crash.
* Close SPFT, now modify the MT*scatter.txt file and introduce a few errors in the partition names, but don't change PRELOADER or DSP_BL. An example, instead of "ANDROID" replace it with "DEADBEEF". You ask why? Well you want to make SURE that the "Download" feature fails. You DON'T want the "Download" to actually work and write your random SPFT ROM to your new device. After loading the freshly broken scatter file, click "Download" and hook up your MTK device in preloader / META Mode. It will say your PMT block does not match the scatter file. ERROR:
* Go to SPFT's menu "Help / Open logs folder" and find the latest date. Open the BROM_DLL*.log in your text editor. Search for text that looks like this, I'd first search for "CMD_ReadPartitionInfo()":
Code:
11/14/13 09:01:27.382 BROM_DLL[3836][2208]: DA_cmd::CMD_ReadPartitionInfo(): command is allowed. (FlashToolLib/sv5/common/generic/src/da_c
md.cpp:5242)
11/14/13 09:01:27.382 BROM_DLL[3836][2208]: DA_cmd::CMD_ReadPartitionInfo(): getting 20 partitions .. (FlashToolLib/sv5/common/generic/src
/da_cmd.cpp:5269)
11/14/13 09:01:27.397 BROM_DLL[3836][2208]: DA_cmd::CMD_ReadPartitionInfo(): dump 20 partitions (FlashToolLib/sv5/common/generic/src/da_cm
d.cpp:5279)
11/14/13 09:01:27.397 BROM_DLL[3836][2208]: PART[0 ](PRELOADER ) - offset (0x0000000000000000) - size (0x0000000000040000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.397 BROM_DLL[3836][2208]: PART[1 ](DSP_BL ) - offset (0x0000000000040000) - size (0x00000000005C0000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.397 BROM_DLL[3836][2208]: PART[2 ](MBR ) - offset (0x0000000000600000) - size (0x0000000000004000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[3 ](EBR1 ) - offset (0x0000000000604000) - size (0x000000000005C000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[4 ](__NODL_PMT ) - offset (0x0000000000660000) - size (0x0000000000400000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[5 ](__NODL_NVRAM ) - offset (0x0000000000A60000) - size (0x0000000000300000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[6 ](__NODL_SECCFG ) - offset (0x0000000000D60000) - size (0x0000000000020000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[7 ](UBOOT ) - offset (0x0000000000D80000) - size (0x0000000000060000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[8 ](BOOTIMG ) - offset (0x0000000000DE0000) - size (0x0000000000600000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[9 ](RECOVERY ) - offset (0x00000000013E0000) - size (0x0000000000600000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[10](SEC_RO ) - offset (0x00000000019E0000) - size (0x0000000000600000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[11](__NODL_MISC ) - offset (0x0000000001FE0000) - size (0x0000000000060000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[12](LOGO ) - offset (0x0000000002040000) - size (0x0000000000300000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[13](__NODL_EXPDB ) - offset (0x0000000002340000) - size (0x00000000000A0000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[14](EBR2 ) - offset (0x00000000023E0000) - size (0x0000000000004000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[15](FAC ) - offset (0x00000000023E4000) - size (0x0000000010000000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[16](ANDROID ) - offset (0x00000000123E4000) - size (0x0000000020100000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[17](CACHE ) - offset (0x00000000324E4000) - size (0x0000000020100000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[18](USRDATA ) - offset (0x00000000525E4000) - size (0x0000000020100000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
11/14/13 09:01:27.413 BROM_DLL[3836][2208]: PART[19](FAT ) - offset (0x00000000726E4000) - size (0x0000000000000000) - mask (0x0
000000000000000) (FlashToolLib/sv5/common/generic/src/da_cmd.cpp:5283)
Make sure you aren't looking at a dump of your scatter, but looking at the partition dump from your device. (If it contains DEADBEEF flag from above, you are looking at the wrong part of the log.) You can manually create a scatter file from that, or you can paste the lines with partition info into a text file and run this shell script:
Code:
cat pastedlog.txt | sed -n 's/.*](\([^ ]*\)[^(]*(\([^)]*\).*)/\1 \2\n{\n}/p' | sed 's/x00000000/x/g' > mynewscatter.txt
This will get you really close, but the last entry you see in a typical scatter file is BMTPOOL. I don't know much about BMTPOOL or __NODL_BMPPOOL other than it's not a real partition. It might not even be required? (You might be able to fake that entry if you look at similar scatter files. If not, read on)
Method #2
An alternate and supplemental way of getting scatter info is to use ADB on a running device. I'm sure this is similar to MTK Droid Root & Tools method.
Code:
adb pull /proc/dumchar_info
Now that you have that file local on your PC, you can run this python script:
Code:
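import re

# dumchar.txt is the /proc/dumchar_info file pulled above, saved under this name
with open("dumchar.txt", "r") as ins, open("scatter.txt", "w") as outs:
    for line in ins:
        linesp = re.split(r'\W+', line.strip())
        # Skip lines without a hex start address in the third column (such as a column header)
        if len(linesp) < 6 or not linesp[2].lower().startswith("0x"):
            continue
        name = linesp[0].upper()
        start = int(linesp[2], 16)
        block = linesp[5]
        # Partitions not mapped to a "misc" device are offset by 0x600000
        if block != 'misc':
            start = start + 0x600000
        outs.write(name + " " + hex(start) + "\n{\n}\n")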
This method gives you the BMTPOOL entry that the other method does not, but it lacks the __NODL_ designator for all partitions. If you aren't familiar with that prefix, SPFT uses that to know if it should typically allow you to DownLoad over the top of the partition.
With both scatter files, throw them side-by-side in a text editor (or diff tool) and with a brain, it's easy enough to merge one with the __NODL_ prefix and the one with the BMTPOOL entry.
Scatter file complete!
PS - Possibly another way, is to use SPFT to do a "Read back" (read memory) at 0x660000 of size 0x400000. Save this as the PMT block and analyse it with a hex editor. I believe the PMT block is always at address 0x66000 judging from a dozen different scatter files.
Dump Full ROM
Perfect Total Backup of your Firmware
The safe way to do this with or without a proper scatter file is the "Read back" feature of SP Flash Tool. There are MANY reasons to dislike MediaTek, but this feature is so nice that I can forgive them for most of their wrong doing.
Most of this section I will generalize from my Lenovo A2107A Guide.
Here is a cookbook for doing a total backup of your MTK device with MediaTek's SP Flash Tool. No rooting, you might even do this before you ever boot! I have basically done this with both of my devices before I fiddled too much. I recommend doing it before you do anything really.
1. Install VCOM Drivers.
2. Install SP Flash Tool.
3. Grab an SPFT ROM, really anything should work, you just have to make SP Flash Tool happy. SPFT validates the scatter file against some of the image files, so you have to calm SPFT down by giving it something it can make sense of. We won't use the scatter file or image files while we do the "Read back" operation.
4. Run SP Flash Tool, Open Scatter File
5. Don't play with anything, go into the "Read back" tab (This will read your flash to a file on your PC)
6. Click on any items in the list, then click the "Remove" button
7. Now click the "Add" button
8. Double click on the "N/A" under Read Flag
9. Type a file name to write to, like "WHOLE_ROM"
10. Now it will popup a window "Readback block start address"
11. Leave "Hex" selected, Start Address" 0x0000, Length: 0x40000000, Click OK (NOTE: this will get the first GIG of flash)
12. Click the "Read back" button
13. SPFT now waits for you to connect your device and put it in Meta Mode
14. Without plugging your phone/tablet in, tap the Reset Button or make sure it's fully off
15. Hold VolUp, plug in USB, Release VolUp (putting it in Meta Mode) <--- Important
16. You will see the progress bar moving. Total backup takes forever, because in this mode SPFT seems to not do USB HIGHSPEED
That's IT! It'll take a few hours, so go to bed.
If you ever restore, just go into Recovery and Wipe Data and Cache. (as these are large and we probably didn't back them up above)
Note: "Length" in Step 11 is probably long enough for most devices. You can reference the scatter file you made above to make sure get everything, but you don't need USRDATA or CACHE, as those get wiped anyway.
Dicing up Full ROM image into partition images
I've made a little bash shell script to dice up a whole ROM according to a scatter file. This creates files exactly the size of the partitions. Some post processing needs done below the script:
dice.sh
Code:
#!/bin/bash
scatterfile=$1
rom=$2
pdir=raw.partitions
rm -rf $pdir
mkdir $pdir
cat $scatterfile | grep "x" | while read line; do
    name=$(echo $line | sed 's/ .*//g')
    name=$(echo $name | sed 's/^__NODL_//g')
    start=$(echo $line | sed 's/.* //g')
    # echo $name
    if [[ -n $last_name ]]; then
        echo "Processing: $last_name"
        echo " start: $last_start"
        size=$(( $start - $last_start ))
        if [[ $size -lt 0 ]]; then
            size=0xFFFFF000
        else
            size=0x$(echo "obase=16; $size" | bc)
        fi
        echo " size: $size"
        short_start=$(echo $last_start | sed 's/000$//g')
        short_size=$(echo $size | sed 's/000$//g')
        echo dd if=$rom of=$pdir/$last_name bs=$(( 0x1000 )) \
            skip=$(( $short_start )) count=$(( $short_size ))
        dd if=$rom of=$pdir/$last_name bs=$(( 0x1000 )) \
            skip=$(( $short_start )) count=$(( $short_size ))
    fi
    last_name=$name
    last_start=$start
done
Now there is some post processing done. Truncate MBR, EBR1, EBR2 to 512 bytes. And remove trailing bytes of 0000 or FFFF on the end of PRELOADER and DSP_BL.
Here is a one off script for example use:
clean.sh
Code:
#!/bin/bash
pdir=raw.partitions
odir=out
rm -rf $odir
mkdir $odir
dd if=$pdir/PRELOADER of=$odir/preloader.bin bs=$(( 0x800 )) skip=1
./trim.sh $odir/preloader.bin
./trimFF.sh $odir/preloader.bin
dd if=$pdir/DSP_BL of=$odir/DSP_BL bs=$(( 0x8000 )) count=1
./trimFF.sh $odir/DSP_BL
dd if=$pdir/MBR of=$odir/MBR bs=512 count=1
dd if=$pdir/EBR1 of=$odir/EBR1 bs=512 count=1
dd if=$pdir/EBR2 of=$odir/EBR2 bs=512 count=1
cp $pdir/UBOOT $odir/uboot.bin
cp $pdir/LOGO $odir/logo.bin
./trim.sh $odir/logo.bin
cp $pdir/SEC_RO $odir/secro.img
cp $pdir/RECOVERY $odir/recovery.img
cp $pdir/BOOTIMG $odir/boot.img
cp $pdir/FAC $odir/fac.img
cp $pdir/ANDROID $odir/system.img
cp MT*.txt $odir/
And quickly, here is my hack to remove 0000 and FFFF from the end of files:
trim.sh
Code:
#!/bin/bash
# Usage: ./trim.sh FILE
# Dump FILE as 4-byte words ("offset: HEX"), find the last word that is not
# 00000000, and truncate FILE right after it.
truncate -s $(( 4 + $(cat "$1" | hexdump -v -e '/4 "%_ad: " ' -e '4/1 "%02X" "\n"' \
    | grep -v ": 00000000" | tail -n 1 | sed 's/:.*//') )) "$1"
trimFF.sh
Code:
#!/bin/bash
# Usage: ./trimFF.sh FILE
# Same as trim.sh, but the padding word removed from the end is FFFFFFFF.
truncate -s $(( 4 + $(cat "$1" | hexdump -v -e '/4 "%_ad: " ' -e '4/1 "%02X" "\n"' \
    | grep -v ": FFFFFFFF" | tail -n 1 | sed 's/:.*//') )) "$1"
You should be able to read the clean.sh script and figure out that only in just those few cases is special post processing needed. If you don't post process, SPFT will give errors.
I hope this helps. If you have any questions, ask... I'll try to clarify this first post.
syserr said:
[GUIDE][UTIL][MT65xx] Create Scatter File / Dump Full ROM
For any MT65xx device, no matter how obscure.
Dicing up Full ROM image into partition images
hi syserr,
I'm trying to run the script dice.sh and this is the trace I get
Code:
[email protected] ~/TESTbcup $ sh -x ./dice.sh
+
: not found2: ./dice.sh:
+ scatterfile=
+ rom=
+ pdir=raw.partitions
+
: not found6: ./dice.sh:
+ rm -rf raw.partitions
+ mkdir raw.partitions
+
: not found9: ./dice.sh:
./dice.sh: 37: ./dice.sh: Syntax error: end of file unexpected (expecting "then")
[email protected] ~/TESTbcup $
Any advice would be welcome. I dump a complete ROM and try to dice it.
thank you syserr
Sorry Sorry Sorry. It takes 2 arguments, I should do some error checking and make sure the user supplies them.
Code:
./dice.sh scatterfile.txt FULLROM.img
It might have some syntax that is specific to bash, so "sh" might throw errors too.
Dumchar.txt
I did dumchar_info, I've renamed it dumchar.txt.
Run script, and it gives me error (it also created a scatter.txt), but empty - see image
Dumchar.txt
What happens and what is the solution?
I'm sorry, I didn't see this message before, I'm following about 10 threads and this got lost.
I also copied this over from the rua1 thread. I don't think he appreciates our conversation over there, mainly because it's somewhat off topic.
Alex1948 said:
For @syserr
I do not know what all you write here, Python, etc. start address + length, I think we know how to add two numbers in base 16, no other .... MTKdroid is a software that solves everything. In Python a script of yours, gives me error.
I posted a picture of thread and you did not answer why (Or you can not quite explain, and we do not understand) - see image
Answers:
I've never run it without putting it in a file. Put that python text in dumchar2scatter.py, or something like that. I'm 99% sure that will get rid of the error and give you stuff in your scatter file. You are using Python2, that is good!
You are free to PM me why you feel I didn't see a post. Again, sorry.
Because I think you are genuinely interested in learning, I will describe what my little script is doing. (btw, this is about my third program/script in Python ever)
Code:
# Python 2 script (string.replace and the trailing "L" from hex() are Python 2 behaviour)
import sys
import string
import re
ins = open( "dumchar.txt", "rb" ) # creates a file handle (ins) to read in dumchar.txt
outs = open( "scatter.txt", "wb" ) # creates a file handle (outs) to write to scatter.txt
for line in ins: # loops through each line of the input file and puts each line in variable "line"
    linesp = re.split('\W+', line) # this splits the line variable based on whitespace/spaces, results go into linesp array
    name = linesp[0].upper() # grabs the first thing in the line, uppercases it, puts it in a variable called name
    start = int(linesp[2],16) # start variable gets the value of the 3rd thing in the line, but also converts it to an int from text
    block = linesp[5] # block variable gets 6th thing in line - usually misc or blk
    if block != 'misc': # if the block variable is NOT 'misc' (only preloader and dsp_bl are these) then ...
        start = start + 0x600000 # add the offset to the start variable
    outs.write(name + " " + string.replace(hex(start), "L", "") + "\n{\n}\n") # write out name with start address followed by { } on newlines
ins.close() # just close the file handles here, to clean up, outs might need last writes to be flushed to file.
outs.close()
I've previewed the code block above on this forum. Why is it so narrow, sorry you will need to use the scrollbar a lot.
UPDATE: Also it's important to have SPACES in a python file, not tabs. And the spaces are critical for python to know code blocks, it acts like {} in Java/C. So, when you make your python file, use spaces to make sure lines line up just right.
OK, I get it ("I don't think he appreciates our conversation over there, mainly because it's somewhat off topic."), and why I posted here.
I do not know python, but try to understand more about these phones and their software.
A carefully read what I've written for other questions, as I have, and across from method 1, and there I have some questions.
Especially that last for hours at a READ BACK, Dump Full ROM, with start address and length by you.
I understand your explanation, written in the program right lines. I did not need them, I know what each instruction written there.
I do not know Python but I want to understand. Look - I send you dumchar_info and firmware.info, with partitions start address and length and see what you get.
And finally you get scatter file, my SCATTER FILE, block info - start address, size, etc.
It's OK. ?As we do not just theory.
I liked your idea, what you wrote but I want to see it completed
Crashes
I did as you said. Look :
Send and dumchar.txt and dumchar2scatter.py
It's ok, I'm sorry you do not answer. I also sent a file and I wanted to enlighten and method 1.
I feel that all that script and dump rom are stupid
I think you should post here on this thread, not on MTKDroid Tool.
Sorry, if you prove me wrong
I'm sorry special excuse but if the script does not work, I posted the file dumchar.txt, the idea that a fix you
It again sorry, did not mean to upset
Scatter.txt
Successful scatter.txt. As shown in the picture has the same start address with MTKDroid scatter file, without __NODL_ to 10 partitions.
SP Flash Tool, scatter - loading, load all - see image 2.
For Read Back why use it or one obtained with MTKDroid (see image 3)
Tks.
Alex1948 said:
It's ok, I'm sorry you do not answer.
Hi Alex, I figured out why I wasn't catching your posts here. I'm normally looking at my Subscribed threads, and I hadn't subscribed to this thread. I should subscribe and look at my notifications too.
I will look at your messages today. My script is "dumb" as it's looking for a certain path for the block device in the output of dumchar. If that output changes, my script will probably fail.
I see it's working for you now. Great. We could make great tools, but MediaTek is changing things that cause problems for even rua1's MTKDRT. Personally, I think it's good to understand things. I'm glad you want to understand too.
Nice share :fingers-crossed:
WHOLE_ROM
4. Run SP Flash Tool, Open Scatter File :
- What scatter file upload? images 1 (that obtained with MTKDroid) or scatter.txt (renamed) and obtained with dumchar, script Python....see images 2. ???
- Start address is 0x00000000, but Length can pass 0xE7F20000 (start address FAT=0xC81C0000+FAT length=0x1FD60000) END address FAT ???
With this file, probably higher, than 1GB, WHOLE_ROM - without extension, What do I do next?
- to get all the MTKDroid A5_Duo_130806_ForFlashtoolFromReadBack_131007-212823 - see image 3 (for this we used start address 0x00000000 and Length 0x3c9c0000 - my CACHE start address) and My ROM_0 has - 969 MB
And another CWM recovery, more personalized for this phone with can be done? Android-Kitchen-0.224? Need 2 files (system.img and boot.img)
I installed and cygwin but does not work, crashes
#3 and #4 go hand in hand. You just need to make SPFT happy. In all my testing, the scatter and img files can be WRONG... *IF* all you are doing is using "Read back" and "Write memory". It makes sense that to do raw reads and writes, you wouldn't need to know the structure. But this tool forces you to have a scatter and images so it will perform the read/write tasks.
On your second issue, the "FAT" block is not very important and at least on ICS 4.0.4 on my device, if it is all zeros, then on first boot Android will ask to format it. On 4.0.3, I think I had to create a FAT image, which is pretty easy on Linux.
I used this "tool".
But with clean.sh I get an error about DSP_BL. In my scatterfile (MT6589) it is not there. I attached scatterfile.
Is there another "replacement" which I need to clean?
Thanks for the guide!
Lost calibration data - Unresponsive screen
Hey guys, I have Star N9800 phone. During the last week I've been trying hard to fix my touchscreen driver since I flashed a stock ROM. The problems I was facing were checking and comparing lk.bin (lcm driver) with other people who also have same phone, downloading different ROMs and boot images, tried almost everything. I even opened my phone and disconnected the digitizer to check if it's the problem. When it's connected it says: touchscreen: ili2113a when I check version in factory mode (VOL- + HOME + POWER). When it's disconnected it says: touchscreen: (null), so obviously digitizer is working fine.
Today I think I've found the problem. While using SP Flash Tool I've used manual format from 0x00000000 to whatever it said. It deleted calibration data. And apparently calibration data is stored in nvram.bin which can be backed up using MTK Droid Tools while running a working ROM.
I have flashed original stock ROM now, I'm rooted and I can control my phone from the PC but can't use the screen. It's fully unresponsive. I've checked some answers here on XDA and some guy said I should make a nvram backup of stock ROM and then flash userdata_nvram_only.tar as USERDATA in SP Flash Tool. When I tried unzipping that .tar it clearly has /data/nvram/ folder which also contains some calibration and other files. But when I flashed that .tar as USERDATA my phone isn't booting anymore. I've tried flashing different boot.img but the problem is still here.
Does anybody know how to fix my touchscreen?
I contacted few people on www.NeedRom.com to upload userdata_nvram_only.tar for me, but I don't know whether they are going to do it or not.
I appreciate all help I can get, and I'd seriously hate if I had to send the phone back to China. I wouldn't really do it.
Posted my reply to his PM:
JoeSip said:
Wow you cleared some things for me now. I have Star N9800 smartphone. I've flashed 15 ROMs and tried disconnecting and connecting back the digitizer but screen is still unresponsive. It doesn't react at all. It could be because I used Format option and manual format option in SP Flash tool. Do you have any clue how to get my screen working again? Apparently when doing manual format from address 0x00000000 calibration data gets removed. Please help me, I'm really desperate.
I can ask people from www.NeedRom.com to help me. They already tried because some of us have the same problems...
You could be the saviour of us all.
I think you are totally on track. The NVRAM block/partition is special and it really bugs me that I didn't know this up front when I killed my first MTK device, and people I trusted (ahead of me) didn't talk about it. (FYI, I bought an identical device to repair my device's NVRAM block)
The trick here is... most MTK SP Flash ROMs available don't have the NVRAM block. This is because, they are unique to the device (IMEI and MAC) and if you don't Format with SP Flash, then you don't need them.
What you need... someone with an identical device that is willing to run SP Flash and do a "Read Memory" on the address range of NVRAM block. You would get the address range from the scatter file.
I'll say a couple more things:
Yes, right now your NVRAM block is probably all zeros. And yes, you can use MTK Droid Tools to back up a good NVRAM... I like using SP Flash Tool to read the memory range of the NVRAM block, then I know it's in a shutdown state etc. All MTKDRT is doing is running an adb command and doing something like "dd if=/dev/mc***** of=nvram.bin bs=1M count=1"... You could do that too with adb.
You don't need the USERDATA block at all. I would correct your request, to just ask for NVRAM. As USERDATA/USRDATA/DATA (all aliases of the same thing) is a block for your installed apps and data. It is what gets wiped when you do a Factory Reset with typical ROMs or with CWM etc.
Thank you very much man!
So now I'm supposed to just get backup of NVRAM that someone has done in MTK Droid Tools and not the whole ROM?
What if I flash full backup of someone's whole ROM? Will that save me too?

[ROOT] H901 even on Nougat

WARNING​
This should go without saying, but you MUST have your bootloader unlocked (check OEM UNLOCK in developer options AND fastboot oem unlock). If you don't, you will probably brick your phone.
If you deviate from this procedure, and think: "I can just skip a step, or I can do this on my own Linux install". Don't complain if you brick your phone.
PREREQUISITES:
You need to grab FWUL (version 2.7 or later) and burn it to a USB stick: link
Even if you have Linux, and you think you can install the dependencies, don't. I know this works from FWUL.
PROCEDURE PART 1: Installing TWRP
Boot from your FWUL USB stick. If your PC has secureboot enabled, you will have to disable it in BIOS
Put your phone into download mode. With the phone powered off, hold vol up and plug in the USB cable. You do not need to touch the power button -- the phone will power on and enter download mode.
Once booted, login. The password is: linux
Double click the LG folder that is on the desktop
Double click on LG LAF (runningnak3d) icon and you will be at a terminal prompt.
The following are the commands that you enter into that terminal. You can copy / paste them if you like.
Code:
git pull
git checkout v10-miscwrte
./step1.sh
When you are told to, pull the USB cable, and the phone will power off. You now have TWRP installed. At this point you can flash a ROM, or Magisk or whatever you like.
OPTIONAL:
If you don't know what to do with TWRP, and you just want to run rooted stock, this is for you....
First boot into TWRP - with the phone off, hold vol down and power at the same time. The second the LG logo appears, release power for a split second, then press and hold power again (you never let go of vol down).
When you get a screen asking you to factory reset, you can let go of both buttons. hit vol down to select yes -- two times -- this will take you to TWRP.
PROCEDURE PART 2: Rooting and cleanup
Now that you are in TWRP:
./step2.sh
If you ran step2.sh you have TWRP on recovery, and you are rooted. If you only ran step1.sh, then you have TWRP on recovery. Either way, enjoy!
CREDITS:
Lekensteyn -- His base work on the G2 / G3 gave me a GREAT headstart!
@steadfasterX - He added some real nice features, great guy to bounce ideas off, and just testing crazy ideas because he wasn't afraid to brick his phone. Also, for FWUL
tuxuser - Helping with my lacking in Python
@smitel - His original reverse engineering of LG UP. Great inspiration!
-- Brian
Entering recovery [ READ THIS ]
To enter recovery power off the phone then hold both the down volume and power at the same time. When you see the black LG screen briefly release the power button and then press it again while not letting the volume down up.
You will see a screen asking if you want to delete all user settings. Say YES
You will see a screen asking if you want to delete all user data. Say YES
You will briefly see the black LG bootup screen.
TWRP or factory recovery will load.
------------------------------------------------------------------
Thanks for remembering the V10 users!
For those wondering, to get into download mode power off your phone then hold down volume up at the same time as you are plugging in the usb cable. It should go into download mode. [I recently installed twrp to the laf partition so I have it in two places...if somehow my main twrp gets wiped out I can still get to it via download mode.]
Might be worth mentioning once booted up into TWRP magisk is the preferred root method since it provides modules to add xposed and can help pass safetynet so android pay/pokemon go continue to work even while rooted.
https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
Magisk also has a lot of REALLY nice modules to add all sorts of features to our vanilla rom including methods to debloat all the t-mobile and LG apps.
runningnak3d said:
WARNING
This should go without saying, but
Thanks for the effort and time! Much appreciated. Too bad I'm not in FL to see about this beers!
Will be back later after my virgin V10 (100% stock nougat) sacrifice is complete...
Sent from my LG-H901 using XDA Labs
Just a heads up -- you can always flash again if it fails, but if you want to check before you reboot, you can run:
./partitions.py --dump test.img recovery
sha256sum test.img and compare it to the hash of TWRP.
Flashing via this method has no retries, so if there is noise on the cable or the bus, you will have a bad flash.
-- Brian
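The check described in the post above can be scripted. This is an added example, not code from lglaf or from the original post; the function names are hypothetical, and it assumes the dump may be longer than the flashed image (a whole-partition dump), so only the first image-sized bytes of the dump are hashed.

```shell
#!/bin/sh
# Added example: compare a partition dump against the image that was flashed.
# Assumption: a partition can be larger than the image written into it, so the
# SHA-256 is taken over the first <image size> bytes of the dump only.

# Print the SHA-256 of the first $2 bytes of file $1.
sha256_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_flash IMAGE DUMP
# Returns 0 when DUMP starts with the exact bytes of IMAGE,
# 1 on a mismatch, 2 when a file is unreadable or DUMP is too short.
verify_flash() {
    image=$1
    dump=$2
    if [ ! -r "$image" ] || [ ! -r "$dump" ]; then
        echo "cannot read $image or $dump" >&2
        return 2
    fi
    # $(( ... )) normalises wc output that is padded with spaces on some systems
    image_size=$(( $(wc -c < "$image") ))
    dump_size=$(( $(wc -c < "$dump") ))
    if [ "$dump_size" -lt "$image_size" ]; then
        echo "dump ($dump_size bytes) is shorter than image ($image_size bytes)" >&2
        return 2
    fi
    want=$(sha256_prefix "$image" "$image_size")
    got=$(sha256_prefix "$dump" "$image_size")
    if [ "$want" = "$got" ]; then
        echo "OK $want"
        return 0
    fi
    echo "MISMATCH image=$want dump=$got" >&2
    return 1
}

# Typical use after dumping the recovery partition to test.img:
#   verify_flash TWRP.img test.img || echo "flash again before rebooting"
```

A non-zero return means the partition should be flashed again before the phone is rebooted.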
runningnak3d said:
Download this vdi: fwul.zip
Getting an error on the vdi..
Code:
This download file is not currently available (it was deleted or disabled).
Is the referenced file the same as this one?
Code:
FWUL_v2.3_x86_64_15GB.zip
runningnak3d said:
Just a heads up -- you can always flash again if it fails, but if you want to check before you reboot, you can run:
./partitions.py --dump test.img recovery
sha256sum test.img and compare it to the hash of TWRP.
Flashing via this method has no retries, so if there is noise on the cable or the bus, you will have a bad flash.
-- Brian
Why not add an auto hash check post flash with a prompt to reflash if they don't match?
That is if you plan to customize it or use the generic lglaf.
---------- Post added at 08:09 PM ---------- Previous post was at 08:05 PM ----------
NYLimited said:
Getting an error on the vdi..
Code:
This download file is not currently available (it was deleted or disabled).
Some alternatives here: https://forum.xda-developers.com/an.../live-iso-adb-fastboot-driver-issues-t3526755
famewolf said:
Thanks for remembering the V10 users!
Might be worth mentioning once booted up into TWRP magisk is the preferred root method since it provides modules to add xposed and can help pass safetynet so android pay/pokemon go continue to work even while rooted.
https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
Magisk also has a lot of REALLY nice modules to add all sorts of features to our vanilla rom including methods to debloat all the t-mobile and LG apps.
Agreed and let's not forget that SuperSU development seems to have stalled since Chainfire moved on...
Sorry about that, I had to upload a version that did hash checks. I will update the link now.
-- Brian
@famewolf There are a LOT of things that I am going to add. This will eventually be a full blown replacement for LG UP with ARB checking, etc.
LG is getting ready to release Oreo for the V20, so I wanted to get it out there ASAP.
-- Brian
Are you planning to make an oreo available for the V10 or at least willing to work with a few of us on it? I'm not sure what would have to be changed to allow a v20 rom to run for us or if there is a closer match now that nougat can be rooted.
---------- Post added at 09:15 PM ---------- Previous post was at 09:12 PM ----------
Oh you may want to implement automatic backup of recovery or laf prior to flashing a new one...maybe with a timestamp in filename so multiple revisions can be saved....that way for example someone could go back to normal download mode. I wrote some shell scripts that run under twrp or rooted system and allow you to backup all the partitions to images on the microsd and then pull them via adb to the pc. Something similar might be worthwhile for a backup option. I'm excellent with suggestions of hard work for others. ;P
NYLimited said:
Getting an error on the vdi..
This download file is not currently available (it was deleted or disabled).
famewolf said:
Some alternatives here: https://forum.xda-developers.com/an.../live-iso-adb-fastboot-driver-issues-t3526755
I grabbed the 15 and 32 GB persistent files but they need to be converted from .img to .vdi which takes a while... I suppose I could post the converted file for d/l if anyone wants them.
Also, VirtualBox did NOT give me Arch Linux 64 bit option (only 32 bit)..
By all means keep the suggestions coming. I don't suppose you are any good with Python? I would love the help. For the things you are talking about you don't need to know the protocol, although I would be glad to teach you / give you all the documentation.
Yes, if it is possible, I will port Oreo to the V10, or at least help. Unless they do something so radical that it just isn't feasible. Nougat on the V20 isn't much different than Nougat on the V10.
Heck, they are so cheap now, I am ordering me another V10 just so I can help out.
-- Brian
I don't know python although I can usually manage simple mods to it....I do ok in quick and dirty bash shell scripts....virtualbox seems to be causing more complications than it helps...it may be worthwhile to consider a bootable iso to burn to a cd with a shellscript on the desktop that says "run me" which automated the downloading of twrp and then the running of the commands....that's something I could probably manage but it wouldn't be "pretty".
(I'm working with NYLimited in email).
---------- Post added at 10:22 PM ---------- Previous post was at 10:19 PM ----------
The V10 isn't even my primary device anymore but it had so much potential and LG just crippled it so badly. With your recent root, the updated twrp (the latest version we had was 3.0 previously) and bringing people up to 30c at least it has a decent starting point.
So glad to see this!
A quick question, on the final step I get this error message:
./partitions.py --restoremisc ~/Downloads/TWRP_3.2.1_H901.img recovery
Traceback (most recent call last):
File "./partitions.py", line 460, in <module>
main()
File "./partitions.py", line 410, in main
lglaf.try_hello(comm)
File "/home/android/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.6/site-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Any suggestions? I haven't had any trouble with the USB cable and there were no installation issues.
chin'ah.girl said:
So glad to see this!
A quick question, on the final step I get this error message:
./partitions.py --restoremisc ~/Downloads/TWRP_3.2.1_H901.img recovery
Traceback (most recent call last):
File "./partitions.py", line 460, in <module>
main()
File "./partitions.py", line 410, in main
lglaf.try_hello(comm)
File "/home/android/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.6/site-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Any suggestions? I haven't had any trouble with the USB cable and there were no installation issues.
Just as a suggestion you may want to copy/paste all the text in your terminal session to help identify possible issues. The phone is in download mode (power it off then hold vol up while plugging in the usb cable) and says so on the screen. If you try "./partitions.py --list" what do you get?
Check out this post to ensure dependencies are installed: https://forum.xda-developers.com/showpost.php?p=76134256&postcount=97
Also if you are in ~/lglaf you may want to use ../Downloads/TWRP_3.2.1_H901.img or cp the img file directly into same dir and use ./TWRP_3.2.1_H901.img
Hi @runningnak3d, thank you so much for not abandoning us lg v10 and for your hard work, really appreciated. Please this link https://forum.xda-developers.com/devdb/project/dl/?id=29075 doesn't support "resume", I already tried 5 times and always failed because the download can't be resumed. Please could you add another androidfilehost link to download this fwul.zip? Thank you. I wanna try to root mine with your awesome method then disable 2 big cores that give bootloop to my phone.
@famewolf
I made sure the phone is in download mode. Unfortunately that command pretty much generates the same results...
[[email protected] ~]$ cd lglaf
[[email protected] lglaf]$ git pull
Already up to date.
[[email protected] lglaf]$ git checkout v10-miscwrte
Already on 'v10-miscwrte'
Your branch is up to date with 'origin/v10-miscwrte'.
[[email protected] lglaf]$ ./partitions.py --list
Traceback (most recent call last):
File "./partitions.py", line 460, in <module>
main()
File "./partitions.py", line 410, in main
lglaf.try_hello(comm)
File "/home/android/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.6/site-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
The phone appears as its supposed to in the VM Devices > USB menu as well.
chin'ah.girl said:
@famewolf
I made sure the phone is in download mode. Unfortunately that command pretty much generates the same results...
[[email protected] ~]$ cd lglaf
[[email protected] lglaf]$ git pull
Already up to date.
[[email protected] lglaf]$ git checkout v10-miscwrte
Already on 'v10-miscwrte'
Your branch is up to date with 'origin/v10-miscwrte'.
[[email protected] lglaf]$ ./partitions.py --list
Traceback (most recent call last):
File "./partitions.py", line 460, in <module>
main()
File "./partitions.py", line 410, in main
lglaf.try_hello(comm)
File "/home/android/lglaf/lglaf.py", line 401, in try_hello
data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
File "/home/android/lglaf/lglaf.py", line 240, in read
buff = self._read(need, timeout=timeout)
File "/home/android/lglaf/lglaf.py", line 359, in _read
array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
File "/usr/lib/python3.6/site-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
The phone appears as its supposed to in the VM Devices > USB menu as well.
Did you run the lines to verify dependencies? Specifically the pip lines to install PyUSB and the 2 others.... If all else fails simplify things..I think using virtualbox is causing more problems than helping.... download the ISO of his linux version or an ubuntu one...write it to a cd or to a usb drive...boot off that directly....do the pip commands to ensure dependencies....run his instructions with phone connected to pc or laptop. I use linux directly and didn't do virtualbox.....NYLimited is also having issues that may be attributed to Virtualbox.
@runningnak3d @famewolf
Thanks for the help and patience! I did a lot of little stuff tonight and found a few inconsistencies, some perhaps due to the fact that I had to improvise and grab another fwul version and such. My lack of linux background didn't help, of course.
Long story short, I got to the point of running the py script. It wrote 32796672 bytes but recovery did not load for me.
Pulling the image back from recovery via --dump yielded a consistent 41943040 bytes. Each time I flashed the img file the 32796672 bytes were consistent. So were the 41943040 bytes coming back. The computed hash sums differed from each other but the twrp image was always the same hash and the test dump from recovery was consistent with itself but different from twrp.
It almost seemed like I was writing to a place totally different than the place I was pulling data back from. Neither side ever changed from the previous version of itself but the two never matched each other. Recovery did not load, regardless.
Time to take a break (early day tomorrow) and will regroup again sometime tomorrow eve with hopefully fresh ideas.
This is the last flash and hash of the files. The numbers are consistent over multiple flashes:
Code:
[[email protected] lglaf]$ ./partitions.py --restoremisc ../Downloads/TWRP321.img recovery
2018-04-06 05:39:16,946 partitions: INFO: Done after writing 32796672 bytes from ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --dump test.img recovery
[ 100 % ] 2018-04-06 05:40:49,401 partitions: INFO: Wrote 41943040 bytes to test.img
[[email protected] lglaf]$ sha256sum test.img
d78190b422733a84b2526558f36c5d8ab6915748096fd7569927ad84f509e6c1 test.img
[[email protected] lglaf]$ sha256sum ../Downloads/TWRP321.img
1a5667e8ac35784780d8cd7b5c3ad72a353889c39220d8002ac2498a92ff6f8e ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --restoremisc ../Downloads/TWRP321.img recovery
2018-04-06 05:49:38,020 partitions: INFO: Done after writing 32796672 bytes from ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --dump test.img recovery
[ 100 % ] 2018-04-06 05:51:12,507 partitions: INFO: Wrote 41943040 bytes to test.img
[[email protected] lglaf]$ sha256sum test.img
d78190b422733a84b2526558f36c5d8ab6915748096fd7569927ad84f509e6c1 test.img
[[email protected] lglaf]$
NYLimited said:
@runningnak3d @famewolf
Thanks for the help and patience! I did a lot of little stuff tonight and found a few inconsistencies, some perhaps due to the fact that I had to improvise and grab another fwul version and such. My lack of linux background didn't help, of course.
Long story short, I got to the point of running the py script. It wrote 32796672 bytes but recovery did not load for me.
Pulling the image back from recovery via --dump yielded a consistent 41943040 bytes. Each time I flashed the img file the 32796672 bytes were consistent. So were the 41943040 bytes coming back. The computed hash sums differed from each other but the twrp image was always the same hash and the test dump from recovery was consistent with itself but different from twrp.
It almost seemed like I was writing to a place totally different than the place I was pulling data back from. Neither side ever changed from the previous version of itself but the two never matched each other. Recovery did not load, regardless.
Time to take a break (early day tomorrow) and will regroup again sometime tomorrow eve with hopefully fresh ideas.
This is the last flash and hash of the files. The numbers are consistent over multiple flashes:
Code:
[[email protected] lglaf]$ ./partitions.py --restoremisc ../Downloads/TWRP321.img recovery
2018-04-06 05:39:16,946 partitions: INFO: Done after writing 32796672 bytes from ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --dump test.img recovery
[ 100 % ] 2018-04-06 05:40:49,401 partitions: INFO: Wrote 41943040 bytes to test.img
[[email protected] lglaf]$ sha256sum test.img
d78190b422733a84b2526558f36c5d8ab6915748096fd7569927ad84f509e6c1 test.img
[[email protected] lglaf]$ sha256sum ../Downloads/TWRP321.img
1a5667e8ac35784780d8cd7b5c3ad72a353889c39220d8002ac2498a92ff6f8e ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --restoremisc ../Downloads/TWRP321.img recovery
2018-04-06 05:49:38,020 partitions: INFO: Done after writing 32796672 bytes from ../Downloads/TWRP321.img
[[email protected] lglaf]$ ./partitions.py --dump test.img recovery
[ 100 % ] 2018-04-06 05:51:12,507 partitions: INFO: Wrote 41943040 bytes to test.img
[[email protected] lglaf]$ sha256sum test.img
d78190b422733a84b2526558f36c5d8ab6915748096fd7569927ad84f509e6c1 test.img
[[email protected] lglaf]$
If your twrp is showing the following:
[email protected] /workarea/android/v10 $ md5sum TWRP_3.2.1_H901.img
b89d341cd61da31a5348d8f6b3c75c97 TWRP_3.2.1_H901.img
then it's fine...as for the dump...I think empty space at the end would have to be stripped off for them to match. Will work with it more tomorrow..just drop me a line.
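The comparison suggested in the reply above, hashing only the first image-sized part of the dump instead of the whole partition, as an added example that is not part of the thread or of lglaf. The function names are hypothetical and the sample files are constructed and scaled down from the 32796672-byte image and 41943040-byte dump in the post.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a 40 MB dump never sits in memory


def sha256_of(path, length=None):
    """SHA-256 of the first `length` bytes of `path` (the whole file if None)."""
    digest = hashlib.sha256()
    left = os.path.getsize(path) if length is None else length
    with open(path, "rb") as fh:
        while left > 0:
            block = fh.read(min(CHUNK, left))
            if not block:
                break
            digest.update(block)
            left -= len(block)
    return digest.hexdigest()


def first_difference(path_a, path_b, length):
    """Offset of the first differing byte within `length` bytes, else None."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while offset < length:
            want = min(CHUNK, length - offset)
            a, b = fa.read(want), fb.read(want)
            if a != b:
                for i, (x, y) in enumerate(zip(a, b)):
                    if x != y:
                        return offset + i
                return offset + min(len(a), len(b))  # one file ended early
            if not a:
                break
            offset += len(a)
    return None


def verify_flash(image_path, dump_path):
    """Compare a flashed image with a dump of the partition it went to."""
    image_size = os.path.getsize(image_path)
    dump_size = os.path.getsize(dump_path)
    image_hash = sha256_of(image_path)
    report = {
        "image_size": image_size,
        "dump_size": dump_size,
        "whole_file_hashes_equal": image_hash == sha256_of(dump_path),
        "first_diff": None,
    }
    if dump_size < image_size:
        report["verdict"] = "dump-too-short"
    elif image_hash == sha256_of(dump_path, image_size):
        report["verdict"] = "match"
    else:
        report["verdict"] = "mismatch"
        report["first_diff"] = first_difference(image_path, dump_path, image_size)
    return report


def demo():
    """Run the check on constructed files, scaled down from the thread's sizes."""
    image = bytes(range(256)) * 125            # 32000-byte stand-in image
    part_size = 40960                          # stand-in partition size
    old = b"OLDRECOV" * (part_size // 8)       # what the partition held before
    dumps = {
        "padded": image + bytes(part_size - len(image)),  # write landed, zero tail
        "stale": old,                                     # write never landed
        "partial": image[:16384] + old[16384:],           # write stopped early
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        image_path = os.path.join(tmp, "image.img")
        with open(image_path, "wb") as fh:
            fh.write(image)
        for name, data in dumps.items():
            dump_path = os.path.join(tmp, name + ".img")
            with open(dump_path, "wb") as fh:
                fh.write(data)
            results[name] = verify_flash(image_path, dump_path)
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

A "mismatch" with `first_diff` at 0 means the dumped partition does not start with the image at all, which is what the post's symptoms would look like; a larger offset means the start of the image is there and the rest is not.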

[GUIDE] LG V20 Hard-Unbrick

This guide is for people whose V20s are stuck in EDL mode or are otherwise unable to boot recovery, fastboot, or laf/download mode. You know if your device is in EDL mode if it does not react when you try to turn it on, and when plugged into a computer, it shows up as Qualcomm HS-USB QDLoader 9008, or some similar variation. If your phone can boot into recovery, fastboot, or laf/download mode, this guide is not for you.
Preface
I only have a VS995, so this guide has only been tested with that. However the firehose programmer I found said it was for a H918 so it will likely work for other variants. I performed these steps on Linux, but the tools used are written in Python and should work on Windows and MacOS too.
I take no responsibility if you mess up your phone doing this. Flashing over EDL is a very powerful process that can totally erase your phone's NAND if you're not careful. This process will likely require a factory reset and you will likely lose all the data stored on the phone.
Prerequisites
Python 3 - Both tools used in this guide are written in Python 3
KDZTools - Used to extract partition images from KDZ files
Bjoern Kerler's EDL Utility - For flashing partition images in EDL mode
v20-root.zip from this XDA post - For the rooted aboot.img
A stock firmware KDZ - Can be obtained from lg-firmwares.com. I used VS99513A. Choose an appropriate KDZ for your device.
A screwdriver and a paper clip - Used to force the device into EDL mode
prog_ufs_firehose_8996_lite.elf - Firehose programmer file for use with the EDL utility
Since the firehose programmer is copyright LG, I cannot link to it as that would be unauthorized distribution of copyrighted work. It can be found online fairly easily though.
Preparation
1. Windows and MacOS: Download and install Python 3. Most Linux distros come with Python 3 already installed. To check, open a terminal/command window and type python --version. It should say "Python 3.x.x"
2. Download and extract KDZTools to a directory of your choosing
3. Download and extract the EDL utility to a directory of your choosing and follow the setup instructions listed on its GitHub page
4. Download v20-root.zip and extract aboot.img into the directory you extracted the EDL utility into
5. Place your KDZ in the KDZTools directory and open a terminal/command window within that directory
6. Type python unkdz.py -f [NAME OF KDZ FILE].kdz -x and press enter. Once complete, you should have a "kdzextracted" folder containing a DZ file and a few other things. If you get an error about missing zstandard, type pip install zstandard and try again
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
8. Create seven folders within "dzextracted", named "lun0", "lun1", "lun2", etc
9. Move all the files prefixed with "B." into the folder titled "lun1", all the files prefixed with "C." into the folder titled "lun2", and so on. Move all the files that are not prefixed with any capital letter into the folder titled "lun0"
10. Rename all the files in each folder and remove the letter and the period from the filename. "E.modem_35910.bin" becomes "modem_35910.bin" for example
11. In the "lun0" folder, delete "userdata.bin"
12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r
13. You should now have seven files titled "rawprogram#.xml" where # is a number from 0 to 6
14. Exit the KDZTools directory and go into the directory containing the EDL utility
15. Place the firehose programmer file into the folder named "Loaders"
16. Follow this iFixit guide up to Step 10 to gain access to your phone's motherboard.
Programming
1. Open a terminal/command window in the folder you extracted the EDL utility to. On Windows, you may need to open the command window as administrator. On MacOS and Linux, you will likely have to run the utility with sudo.
2. Type python edl.py printgpt --memory=ufs and press enter. You should see
Code:
Qualcomm Sahara / Firehose Client V3.2 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
If you get a message about missing Capstone and Keystone libraries, ignore it.
3. Put your phone's battery back in
4. Look for the following two pads on your phone's motherboard
If you can't see them, it's the pair of tiny pads just above the silver square with the H etched into it in the center of the image (Photo courtesy of runningnak3d)
5. Hold your paper clip or other conductive item on those two pads to short them out, then, while holding the paper clip in place, plug your phone into your computer. Keep holding the paper clip in place until you get an error about missing the firehose programmer from the EDL utility
6. Unplug your phone and remove the battery
7. In the message from the EDL utility, you should see a hardware ID and pkhash
8. Rename "prog_ufs_firehose_8996_lite.elf" to [Hardware ID]_[PKHASH]_FHPRG.bin where [Hardware ID] is the hwid provided by the EDL utility, and [PKHASH] is the first 16 characters in the pkhash provided by the EDL utility
9. Follow steps 2-5 again, but this time holding the paper clip in place until you see Programmer uploaded successfully :). If all went well, you should see a list of partition names and a load of hexadecimal offsets and such. This means you've set everything up correctly
10. In the terminal/command window, type python edl.py r fsg fsg.bin --memory=ufs --lun=1 and hit enter. If you get "main - Waiting for the device", unplug your phone, remove the battery, and follow steps 3-5 again until you see Programmer uploaded successfully :)
11. Type python edl.py r modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter.
12. Type python edl.py r modemst2 modemst2.bin --memory=ufs --lun=5 and hit enter. These three steps back up your EFS, which contains your phone's IMEI. We want a backup of this in case it gets corrupted by the flashing process. Your IMEI CANNOT be restored if EFS becomes corrupt and your phone will never be able to be activated on a cellular network again if we do not back up these three partitions first
13. In the terminal/command window, type python edl.py qfil "[PATH TO rawprogram0.xml]" "" "[PATH TO dzextracted/lun0]" --memory=ufs and press enter. Note that all the quotation marks are required.
14. Do step 13 again for each of the seven folders you created, replacing "0" in "rawprogram0.xml" and "lun0" with 1, 2, 3, 4, 5, and 6 as needed. This step will take some time
15. Once you have flashed all 7 "lun#" folders, type python edl.py w aboot aboot.img --memory=ufs --lun=4
16. Once complete, unplug your phone, remove the battery, reattach the backplate, and attempt to turn on the phone. It might boot to Android, but it might not. In my case, it did not boot to Android, but I could access fastboot and laf/download mode again, and I used those to finish fixing my phone.
Potential Problems
If you followed the guide and were able to restore your device to functioning order, but find that you have no signal and your phone reports it has no IMEI, type python edl.py w fsg fsg.bin --memory=ufs --lun=1 and hit enter, then type python edl.py w modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter, then type python edl.py w modemst2 modemst2.bin --memory=ufs --lun=5. These three commands will restore your EFS backup.
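Preparation steps 8 to 11 of the guide above, done by script instead of by hand. This is an added example, not part of the guide or of KDZTools; the function names are hypothetical, every sample file name except "E.modem_35910.bin" is constructed, and leaving prefixes outside B to G untouched is an assumption. It refuses to sort a folder that has no letter-prefixed files, so an extraction that produced a different layout is not silently dumped into lun0.

```python
import os
import re
import shutil
import tempfile

LUN_COUNT = 7                             # the guide creates lun0 .. lun6
PREFIX = re.compile(r"^([A-Z])\.(.+)$")   # e.g. "E.modem_35910.bin"


def plan_layout(filenames):
    """Map each file name to (lun folder, new name); return (moves, skipped)."""
    moves, skipped = {}, []
    for name in sorted(filenames):
        match = PREFIX.match(name)
        if match is None:
            moves[name] = ("lun0", name)          # no letter prefix: lun0
            continue
        lun = ord(match.group(1)) - ord("A")      # B -> 1, C -> 2, and so on
        if 1 <= lun < LUN_COUNT:
            moves[name] = ("lun%d" % lun, match.group(2))
        else:
            skipped.append(name)                  # assumption: leave A., H. etc. alone
    return moves, skipped


def sort_into_luns(root):
    """Apply steps 8-11 to the files directly inside `root` (dzextracted)."""
    names = [n for n in os.listdir(root) if os.path.isfile(os.path.join(root, n))]
    moves, skipped = plan_layout(names)
    if not any(new != old for old, (_, new) in moves.items()):
        raise RuntimeError("no B.-G. prefixed files in %s; nothing sorted" % root)
    targets = {old: os.path.join(root, lun, new) for old, (lun, new) in moves.items()}
    clashes = [t for t in targets.values() if os.path.exists(t)]
    if clashes:                                   # check everything before moving
        raise FileExistsError("already present: %s" % ", ".join(sorted(clashes)))
    for i in range(LUN_COUNT):
        os.makedirs(os.path.join(root, "lun%d" % i), exist_ok=True)
    for old, target in targets.items():
        shutil.move(os.path.join(root, old), target)
    userdata = os.path.join(root, "lun0", "userdata.bin")
    removed = os.path.exists(userdata)
    if removed:
        os.remove(userdata)                       # step 11
    return {"moved": len(targets), "skipped": skipped, "userdata_removed": removed}


def _make_tree(root, names):
    for name in names:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"constructed sample data")


def demo():
    """Sort a constructed dzextracted folder; return (tree, report)."""
    names = ["boot_100.bin", "userdata.bin", "A.sample_a.bin", "B.sample_b.bin",
             "C.sample_c.bin", "E.modem_35910.bin", "G.sample_g.bin"]
    with tempfile.TemporaryDirectory() as root:
        _make_tree(root, names)
        report = sort_into_luns(root)
        tree = {d: sorted(os.listdir(os.path.join(root, d)))
                for d in sorted(os.listdir(root)) if d.startswith("lun")}
        tree["unsorted"] = sorted(n for n in os.listdir(root)
                                  if not n.startswith("lun"))
    return tree, report


def demo_unprefixed():
    """A folder with no letter-prefixed files must be refused and left alone."""
    with tempfile.TemporaryDirectory() as root:
        _make_tree(root, ["boot.image", "boot.image.params"])
        try:
            sort_into_luns(root)
        except RuntimeError:
            return sorted(os.listdir(root))
    return None


if __name__ == "__main__":
    print(demo())
    print(demo_unprefixed())
```

Calling `sort_into_luns("dzextracted")` from the KDZTools directory after step 7 leaves the folder in the state step 12 expects.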
getting this error while using unkdz.py command.
[!] Error: Data between headers and payload! (offsets 826 to 83768).
tried different kdz for h918 but the error was consistent.
Kiraisuki said:
This guide is for people whose V20s are stuck in EDL mode or are otherwise unable to boot recovery, fastboot, or laf/download mode. You know if your device is in EDL mode if it does not react when you try to turn it on, and when plugged into a computer, it shows up as Qualcomm HS-USB QDLoader 9008, or some similar variation. If your phone can boot into recovery, fastboot, or laf/download mode, this guide is not for you.
Preface
I only have a VS995, so this guide has only been tested with that. However the firehose programmer I found said it was for a H918 so it will likely work for other variants. I performed these steps on Linux, but the tools used are written in Python and should work on Windows and MacOS too.
I take no responsibility if you mess up your phone doing this. Flashing over EDL is a very powerful process that can totally erase your phone's NAND if you're not careful. This process will likely require a factory reset and you will likely lose all the data stored on the phone.
Prerequisites
Python 3 - Both tools used in this guide are written in Python 3
KDZTools - Used to extract partition images from KDZ files
Bjoern Kerler's EDL Utility - For flashing partition images in EDL mode
v20-root.zip from this XDA post - For the rooted aboot.img
A stock firmware KDZ - Can be obtained from lg-firmwares.com. I used VS99513A. Choose an appropriate KDZ for your device.
A screwdriver and a paper clip - Used to force the device into EDL mode
prog_ufs_firehose_8996_lite.elf - Firehose programmer file for use with the EDL utility
Since the firehose programmer is copyright LG, I cannot link to it as that would be unauthorized distribution of copyrighted work. It can be found online fairly easily though.
Preparation
1. Windows and MacOS: Download and install Python 3. Most Linux distros come with Python 3 already installed. To check, open a terminal/command window and type python --version. It should say "Python 3.x.x"
2. Download and extract KDZTools to a directory of your choosing
3. Download and extract the EDL utility to a directory of your choosing and follow the setup instructions listed on its GitHub page
4. Download v20-root.zip and extract aboot.img into the directory you extracted the EDL utility into
5. Place your KDZ in the KDZTools directory and open a terminal/command window within that directory
6. Type python unkdz.py -f [NAME OF KDZ FILE].kdz -x and press enter. Once complete, you should have a "kdzextracted" folder containing a DZ file and a few other things. If you get an error about missing zstandard, type pip install zstandard and try again
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
8. Create seven folders within "dzextracted", named "lun0", "lun1", "lun2", etc
9. Move all the files prefixed with "B." into the folder titled "lun1", all the files prefixed with "C." into the folder titled "lun2", and so on. Move all the files that are not prefixed with any capital letter into the folder titled "lun0"
10. Rename all the files in each folder and remove the letter and the period from the filename. "E.modem_35910.bin" becomes "modem_35910.bin" for example
11. In the "lun0" folder, delete "userdata.bin"
12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r
13. You should now have seven files titled "rawprogram#.xml" where # is a number from 0 to 6
14. Exit the KDZTools directory and go into the directory containing the EDL utility
15. Place the firehose programmer file into the folder named "Loaders"
16. Follow this iFixit guide up to Step 10 to gain access to your phone's motherboard.
Programming
1. Open a terminal/command window in the folder you extracted the EDL utility to. On Windows, you may need to open the command window as administrator. On MacOS and Linux, you will likely have to run the utility with sudo.
2. Type python edl.py printgpt --memory=ufs and press enter. You should see
Code:
Qualcomm Sahara / Firehose Client V3.2 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
If you get a message about missing Capstone and Keystone libraries, ignore it.
3. Put your phone's battery back in
4. Look for the following two pads on your phone's motherboard
View attachment 5243977
If you can't see them, it's the pair of tiny pads just above the silver square with the H etched into it in the center of the image (Photo courtesy of runningnak3d)
5. Hold your paper clip or other conductive item on those two pads to short them out, then, while holding the paper clip in place, plug your phone into your computer. Keep holding the paper clip in place until you get an error about missing the firehose programmer from the EDL utility
6. Unplug your phone and remove the battery
7. In the message from the EDL utility, you should see a hardware ID and pkhash
8. Rename "prog_ufs_firehose_8996_lite.elf" to [Hardware ID]_[PKHASH]_FHPRG.bin where [Hardware ID] is the hwid provided by the EDL utility, and [PKHASH] is the first 16 characters in the pkhash provided by the EDL utility
9. Follow steps 2-5 again, but this time holding the paper clip in place until you see Programmer uploaded successfully :). If all went well, you should see a list of partition names and a load of hexadecimal offsets and such. This means you've set everything up correctly
10. In the terminal/command window, type python edl.py r fsg fsg.bin --memory=ufs --lun=1 and hit enter. If you get "main - Waiting for the device", unplug your phone, remove the battery, and follow steps 3-5 again until you see Programmer uploaded successfully :)
11. Type python edl.py r modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter.
12. Type python edl.py r modemst2 modemst2.bin --memory=ufs --lun=5 and hit enter. These three steps back up your EFS, which contains your phone's IMEI. We want a backup of this in case it gets corrupted by the flashing process. Your IMEI CANNOT be restored if EFS becomes corrupt and your phone will never be able to be activated on a cellular network again if we do not back up these three partitions first
13. In the terminal/command window, type python edl.py qfil "[PATH TO rawprogram0.xml]" "" "[PATH TO dzextracted/lun0]" --memory=ufs and press enter. Note that all the quotation marks are required.
14. Do step 13 again for each of the seven folders you created, replacing "0" in "rawprogram0.xml" and "lun0" with 1, 2, 3, 4, 5, and 6 as needed. This step will take some time
15. Once you have flashed all 7 "lun#" folders, type python edl.py w aboot aboot.img --memory=ufs --lun=4
16. Once complete, unplug your phone, remove the battery, reattach the backplate, and attempt to turn on the phone. It might boot to Android, but it might not. In my case, it did not boot to Android, but I could access fastboot and laf/download mode again, and I used those to finish fixing my phone.
Potential Problems
If you followed the guide and were able to restore your device to functioning order, but find that you have no signal and your phone reports it has no IMEI, type python edl.py w fsg fsg.bin --memory=ufs --lun=1 and hit enter, then type python edl.py w modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter, then type python edl.py w modemst2 modemst2.bin --memory=ufs --lun=5. These three commands will restore your EFS backup.
Can you please make a video for this guide
I've been working with your guide to revive my LG V20 and have stopped at step 7.
Kiraisuki said:
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
When I extract files from .DZ, my "dzextracted" folder is filled with “.image” and “.params” files.
There is no single .BIN file and no file has any letter prefix.
I have tried with multiple .DZ files from different V20 ROMs.
I have even downloaded “VS99513A” ROM you mentioned.
I have tried in Windows (7) and Linux (Mint 20.1).
Every time I get this mess of files.
KDZTools version is from direct link on GitHub you provided.
Are there any additional steps that are missing from guide?
Did anyone try to revive a V20 stuck in EDL mode, and has any tips to share?
Question: How is this different from using the QFIL software from qualcomm which is easier to do than this guide?
Is this EDL mode? Unlocked the bootloader and now uppercut, LGUP, NOTHING "sees" the phone USB connection (tho adb and fastboot do, but something's seriously ___ in there, I can't do much with either adb or fastboot)
Either adb or fastboot complain of "locked" this or that - but unlocked bootloader, from LG... (US996 turns out it has BPT - brightpoint - in the barcode, if that matters)
for h918, @Kiraisuki the elf file does not work for me, I got this error
Code:
sahara - Trying loader: Loaders\009470e10031026c_2cf7619a278d26073f7eea79bb7f4b7949c221487fea058ea072cffe38ce1496_fhprg.bin
sahara - Uploading loader Loaders\009470e10031026c_2cf7619a278d26073f7eea79bb7f4b7949c221487fea058ea072cffe38ce1496_fhprg.bin ...
sahara
sahara - [LIB]: Timeout while uploading loader. Wrong loader ?
No suitable loader found :(
no, edl mode must
virginwidow said:
Is this EDL mode? Unlocked the bootloader and now uppercut, LGUP, NOTHING "sees" the phone USB connection (tho adb and fastboot do, but something's seriously ___ in there, I can't do much with either adb or fastboot)
Either adb or fastboot complain of "locked" this or that - but unlocked bootloader, from LG... (US996 turns out it has BPT - brightpoint - in the barcode, if that matters)
View attachment 5305585
no, edl mode is black screen no bootloader, no recovery, no charge animation, nothing just 9008 mode
try to install original kdz with lgup
walidham said:
no, edl mode must
no, edl mode is black screen no bootloader, no recovery, no charge animation, nothing just 9008 mode
try to install original kdz with lgup
TY for response -
It appears I'm in a 'purgatory' between brick and "dead"... due to being a noob again (nothing like breaking things to learn).
LGUP, Uppercut - both of these go "No Device Connected" - the closest I can provide for a logcat is 'getvar all' from fastboot.
Code:
fastboot getvar all
(bootloader) version:0.5
(bootloader) variant:MTP eMMC
(bootloader) secure:yes
(bootloader) version-baseband:
(bootloader) version-bootloader:
(bootloader) display-panel:
(bootloader) off-mode-charge:0
(bootloader) charger-screen-enabled:0
(bootloader) max-download-size: 0x20000000
(bootloader) partition-type:cache:ext4
(bootloader) partition-size:cache: 0x4d000000
(bootloader) partition-type:userdata:ext4
(bootloader) partition-size:userdata: 0xced000000
(bootloader) partition-type:system:ext4
(bootloader) partition-size:system: 0x180000000
(bootloader) serialno:LGUS996fzzzzzzzz
(bootloader) kernel:lk
(bootloader) product:MSM8996
(bootloader) unlocked:yes
all:
finished. total time: 0.194s
(Serial edited) There's not enuff info left for the usual end-user tools to "see"
Any thoughts?
Thanks in Advance
VW
........main - Device detected
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID: 0x009470e100310000 (MSM_ID:0x009470e1,OEM_ID:0x0031,MODEL_ID:0x0000)
CPU detected: "MSM8996"
PK_HASH: 0x2cf7619a278d26073f7eea79bb7f4b7949c221487fea058ea072cffe38ce1496
Serial: 0xe895007b
sahara - Detected loader: Loaders\009470e100310000_2cf7619a278d2607_[FHPRG].bin
sahara - Uploading loader Loaders\009470e100310000_2cf7619a278d2607_[FHPRG].bin ...
Successfully uploaded programmer
firehose - Nop succeeded.
firehose - Chip serial num: 3902079099 (0xe895007b)
oneplus
oneplus - [LIB]: No module named 'Library.Modules.oneplus_param'
firehose -
firehose_client - Target detected: MSM8996
firehose
firehose - [LIB]: <?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="fh.attrs.MaxPayloadSizeToTargetInBytes of 1048576 > fh.channel_buffer_capacity of 4096"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Calling usb_al_bulk_set_zlp_mode(TRUE) since ZlpAwareHost='1'"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Calling hotplug_poll_device('UFS')"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Storage device of type 'UFS' cannot be opened"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="storage_device_open() returned FALSE"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR 13: Line 1142: HANDLE_CONFIGURE_FAILURE"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="NAK" />
</data>
Getting this error: oneplus param and firehose lib
facing this problem
[Question]
At the step 12 of preparation
"12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r"
There were no rawprogram.xml and cmd window showed
C:\kdztools>undz.py -f kdzextracted/H99010b_00.dz -r
usage: undz.py [-h] -f DZFILE (-l | -x | -c | -s | -i) [-d OUTDIR]
undz.py: error: one of the arguments -l/--list -x/--extract -c/--chunk -s/--sing
le -i/--image is required
How to generate the xml files? Thanks.
Illusings said:
[Question]
At the step 12 of preparation
"12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r"
There were no rawprogram.xml and cmd window showed
C:\kdztools>undz.py -f kdzextracted/H99010b_00.dz -r
usage: undz.py [-h] -f DZFILE (-l | -x | -c | -s | -i) [-d OUTDIR]
undz.py: error: one of the arguments -l/--list -x/--extract -c/--chunk -s/--sing
le -i/--image is required
How to generate the xml files? Thanks.
Getting this same error. Has anyone fixed it?
dmad767 said:
Getting this same error. Has anyone fixed it?
Illusings said:
[Question]
At the step 12 of preparation
"12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r"
There were no rawprogram.xml and cmd window showed
C:\kdztools>undz.py -f kdzextracted/H99010b_00.dz -r
usage: undz.py [-h] -f DZFILE (-l | -x | -c | -s | -i) [-d OUTDIR]
undz.py: error: one of the arguments -l/--list -x/--extract -c/--chunk -s/--sing
le -i/--image is required
How to generate the xml files? Thanks.
I found a fix
dmad767 said:
I found a fix
How did you fix it?
ezzony said:
Question: How is this different from using the QFIL software from qualcomm which is easier to do than this guide?
The goal is the same. I think it's easier with QFIL partition manager, because the results of extracting the .dz file are in the form of a single image without the LUN description as described above.
ROMSG said:
How did you fix it?
I suggest using QFIL manager (raw data manager) and manually inputting the image file to be flashed.
Kiraisuki said:
This guide is for people whose V20s are stuck in EDL mode or are otherwise unable to boot recovery, fastboot, or laf/download mode. You know if your device is in EDL mode if it does not react when you try to turn it on, and when plugged into a computer, it shows up as Qualcomm HS-USB QDLoader 9008, or some similar variation. If your phone can boot into recovery, fastboot, or laf/download mode, this guide is not for you.
Preface
I only have a VS995, so this guide has only been tested with that. However the firehose programmer I found said it was for a H918 so it will likely work for other variants. I performed these steps on Linux, but the tools used are written in Python and should work on Windows and MacOS too.
I take no responsibility if you mess up your phone doing this. Flashing over EDL is a very powerful process that can totally erase your phone's NAND if you're not careful. This process will likely require a factory reset and you will likely lose all the data stored on the phone.
Prerequisites
Python 3 - Both tools used in this guide are written in Python 3
KDZTools - Used to extract partition images from KDZ files
Bjoern Kerler's EDL Utility - For flashing partition images in EDL mode
v20-root.zip from this XDA post - For the rooted aboot.img
A stock firmware KDZ - Can be obtained from lg-firmwares.com. I used VS99513A. Choose an appropriate KDZ for your device.
A screwdriver and a paper clip - Used to force the device into EDL mode
prog_ufs_firehose_8996_lite.elf - Firehose programmer file for use with the EDL utility
Since the firehose programmer is copyright LG, I cannot link to it as that would be unauthorized distribution of copyrighted work. It can be found online fairly easily though.
Preparation
1. Windows and MacOS: Download and install Python 3. Most Linux distros come with Python 3 already installed. To check, open a terminal/command window and type python --version. It should say "Python 3.x.x"
2. Download and extract KDZTools to a directory of your choosing
3. Download and extract the EDL utility to a directory of your choosing and follow the setup instructions listed on its GitHub page
4. Download v20-root.zip and extract aboot.img into the directory you extracted the EDL utility into
5. Place your KDZ in the KDZTools directory and open a terminal/command window within that directory
6. Type python unkdz.py -f [NAME OF KDZ FILE].kdz -x and press enter. Once complete, you should have a "kdzextracted" folder containing a DZ file and a few other things. If you get an error about missing zstandard, type pip install zstandard and try again
7. Type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -s and press enter. Once complete, you should have a "dzextracted" folder containing a load of files
8. Create seven folders within "dzextracted", named "lun0", "lun1", "lun2", etc
9. Move all the files prefixed with "B." into the folder titled "lun1", all the files prefixed with "C." into the folder titled "lun2", and so on. Move all the files that are not prefixed with any capital letter into the folder titled "lun0"
10. Rename all the files in each folder and remove the letter and the period from the filename. "E.modem_35910.bin" becomes "modem_35910.bin" for example
11. In the "lun0" folder, delete "userdata.bin"
12. In the command window, type python undz.py -f kdzextracted/[NAME OF DZ FILE].dz -r
13. You should now have seven files titled "rawprogram#.xml" where # is a number from 0 to 6
14. Exit the KDZTools directory and go into the directory containing the EDL utility
15. Place the firehose programmer file into the folder named "Loaders"
16. Follow this iFixit guide up to Step 10 to gain access to your phone's motherboard.
Programming
1. Open a terminal/command window in the folder you extracted the EDL utility to. On Windows, you may need to open the command window as administrator. On MacOS and Linux, you will likely have to run the utility with sudo.
2. Type python edl.py printgpt --memory=ufs and press enter. You should see
Code:
Qualcomm Sahara / Firehose Client V3.2 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
If you get a message about missing Capstone and Keystone libraries, ignore it.
3. Put your phone's battery back in
4. Look for the following two pads on your phone's motherboard
View attachment 5243977
If you can't see them, it's the pair of tiny pads just above the silver square with the H etched into it in the center of the image (Photo courtesy of runningnak3d)
5. Hold your paper clip or other conductive item on those two pads to short them out, then, while holding the paper clip in place, plug your phone into your computer. Keep holding the paper clip in place until you get an error about missing the firehose programmer from the EDL utility
6. Unplug your phone and remove the battery
7. In the message from the EDL utility, you should see a hardware ID and pkhash
8. Rename "prog_ufs_firehose_8996_lite.elf" to [Hardware ID]_[PKHASH]_FHPRG.bin where [Hardware ID] is the hwid provided by the EDL utility, and [PKHASH] is the first 16 characters in the pkhash provided by the EDL utility
9. Follow steps 2-5 again, but this time holding the paper clip in place until you see Programmer uploaded successfully :). If all went well, you should see a list of partition names and a load of hexadecimal offsets and such. This means you've set everything up correctly
10. In the terminal/command window, type python edl.py r fsg fsg.bin --memory=ufs --lun=1 and hit enter. If you get "main - Waiting for the device", unplug your phone, remove the battery, and follow steps 3-5 again until you see Programmer uploaded successfully :)
11. Type python edl.py r modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter.
12. Type python edl.py r modemst2 modemst2.bin --memory=ufs --lun=5 and hit enter. These three steps back up your EFS, which contains your phone's IMEI. We want a backup of this in case it gets corrupted by the flashing process. Your IMEI CANNOT be restored if EFS becomes corrupt and your phone will never be able to be activated on a cellular network again if we do not back up these three partitions first
13. In the terminal/command window, type python edl.py qfil "[PATH TO rawprogram0.xml]" "" "[PATH TO dzextracted/lun0]" --memory=ufs and press enter. Note that all the quotation marks are required.
14. Do step 13 again for each of the seven folders you created, replacing "0" in "rawprogram0.xml" and "lun0" with 1, 2, 3, 4, 5, and 6 as needed. This step will take some time
15. Once you have flashed all 7 "lun#" folders, type python edl.py w aboot aboot.img --memory=ufs --lun=4
16. Once complete, unplug your phone, remove the battery, reattach the backplate, and attempt to turn on the phone. It might boot to Android, but it might not. In my case, it did not boot to Android, but I could access fastboot and laf/download mode again, and I used those to finish fixing my phone.
Potential Problems
If you followed the guide and were able to restore your device to functioning order, but find that you have no signal and your phone reports it has no IMEI, type python edl.py w fsg fsg.bin --memory=ufs --lun=1 and hit enter, then type python edl.py w modemst1 modemst1.bin --memory=ufs --lun=5 and hit enter, then type python edl.py w modemst2 modemst2.bin --memory=ufs --lun=5. These three commands will restore your EFS backup.
If you have successfully managed to generate rawprogram.xml, why don't you just share it with us and save us the trouble?
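Steps 8 to 11 of the Preparation section in the guide quoted above (sorting the dzextracted files into lun0 to lun6, stripping the letter prefix, deleting userdata.bin) can be scripted. This is an added example, not part of the guide or of KDZTools; the function names and every sample file name except E.modem_35910.bin are constructed, and it assumes the prefixes run from B to G as the guide's "and so on" implies.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Guide steps 8-11: unprefixed -> lun0, "B." -> lun1, "C." -> lun2, and so on.
PREFIX = re.compile(r"^([A-Z])\.(.+)$")
LUN_COUNT = 7  # lun0 .. lun6


def plan_moves(dz_dir: Path) -> dict:
    """Map each extracted file to its lun folder, letter prefix stripped."""
    moves = {}
    for src in sorted(p for p in dz_dir.iterdir() if p.is_file()):
        m = PREFIX.match(src.name)
        if m:
            lun = ord(m.group(1)) - ord("A")  # B -> 1 ... G -> 6
            if not 1 <= lun < LUN_COUNT:
                raise ValueError(f"prefix not covered by the guide: {src.name}")
            name = m.group(2)
        else:
            lun, name = 0, src.name
        if lun == 0 and name == "userdata.bin":
            continue  # step 11: userdata.bin is deleted, never moved into lun0
        dst = dz_dir / f"lun{lun}" / name
        if dst.exists():  # leftover from an earlier run: refuse to overwrite
            raise ValueError(f"destination already exists: {dst}")
        moves[src] = dst
    return moves


def sort_into_luns(dz_dir: Path) -> dict:
    moves = plan_moves(dz_dir)  # validate every name before touching the disk
    for n in range(LUN_COUNT):
        (dz_dir / f"lun{n}").mkdir(exist_ok=True)
    for src, dst in moves.items():
        shutil.move(str(src), str(dst))
    (dz_dir / "userdata.bin").unlink(missing_ok=True)  # step 11
    return moves


def demo() -> list:
    """Run on constructed file names (only E.modem_35910.bin is from the guide)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ["boot_1.bin", "userdata.bin", "B.xbl_2.bin", "E.modem_35910.bin"]:
            (root / name).write_bytes(b"\0")
        sort_into_luns(root)
        return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
```

Call `plan_moves(Path("dzextracted"))` first to review the mapping without moving anything; `sort_into_luns` applies it.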
Faisal_Mystic said:
If you have successfully managed to generate rawprogram.xml, why don't you just share it with us and save us the trouble?
Is your phone having problems? If the partition can still be read by QFIL, you can still manually flash the partitions one by one. But if the partition is blank, I have a raw firmware backup from the H990DS KDZ. It can be used to get the phone to boot and enter download mode. Then just fix it with LGUP partition DL, selecting all partitions.
lambtur said:
Is your phone having problems? If the partition can still be read by QFIL, you can still manually flash the partitions one by one. But if the partition is blank, I have a raw firmware backup from the H990DS KDZ. It can be used to get the phone to boot and enter download mode. Then just fix it with LGUP partition DL, selecting all partitions.
If you have such a backup firmware, it would be so nice of you if you could upload it to G_Drive and provide me the links.
I will be very grateful.
