Welcome everyone!
This project has started because we need a real solution for the problem: the problem of hard-bricked Moto devices. It is like a curse.
When my device bricked I did solid research and gathered a lot of information and files essential to revive my cellphone, but 5 years' experience of Linux, rooting, compiling kernels and ROMs weren't enough to make it work.
But never mind. I am even more determined and I am asking ALL of you guys here to help me. Together we will come to a solution.
Here is what I got, happy reading:
DICTIONARY:
PBL - Primary bootloader of the chip - this is like BIOS for phone so it checks chip for damage and problems and then it tries to load SBL but if SBL is corrupted or checksum doesn't match, PBL invokes Qualcomm HS-USB QDLoader 9008 emergency mode. PBL is hard flashed into SoC and can't be corrupted by firmware.
SBL - Second stage bootloader, which is more advanced than PBL. It initializes phone hardware and ABOOT.
ABOOT - Application bootloader (HBOOT). You probably know this one well. Android bootloader.
Full mmcblk0 backup - Backup of the whole phone flash storage, byte by byte.
blankflash - method of repairing msm phones in 9008 state
programmer.mbn - Special type of software programmer that is sent to the chip in Qualcomm 9008 emergency mode. There it communicates with the PC via the firehose protocol. Each phone has a set of its own programmers; they are unique to the phone and other programmers don't work. These programmers are signed, so tampering with one results in a non-working one.
firehose protocol - it is used to tell the programmer what operations it must do on the chip.
singleimage.bin - this package contains instructions for the programmer and the set of files it needs (for example to replace)
gpt_main0.bin - Partition layout
rawprogram0.xml - instructions for programmer
patch0.xml - I don't know yet
STAR.exe - Application for managing and editing contents of singleimage.bin aka blankflash files
QPST - Flash tool from Qualcomm. Its basic function is to handle blank-flashing in a better way; it also allows for in-depth debugging of the process
Qualcomm Premium Tool - Program made by Mppg Myanmar that is capable of unlocking bootloaders and OEM locks, making backup/restore of chip firmware, handling blank-flashing in a VERY specific way (creating instructions for the programmer), reading eMMC structure from firmware (can generate gpt layout so very useful!!!), modifying FW and removing Xiaomi accounts. It also contains ALL programmers
for more:
https://forum.xda-developers.com/android/general/info-android-device-partitions-basic-t3586565
https://alephsecurity.com/
https://github.com/alephsecurity/firehorse
https://github.com/aravindvnair99/Motorola-Moto-E-XT1022-condor-unbrick
INFO:
1. What causes the brick
I bet 100$ that you hard-bricked your Moto Z Play by installing OTA updates after downgrading firmware. This is the only reason known to me at the time of writing this. Here is the most probable reason why it happens:
There are two most common chips on which smartphones are built - Qualcomm and Mediatek. While Mediatek chips are "modification friendly" and simple, Qualcomm chips are somewhat more advanced and have many features that can be enabled or disabled during programming in the factory. One of them is PBL signature checking. During programming of your phone, proper signatures of SBL are written to it. When someone tries to override the default SBL with a new one, its checksums are compared with those stored. If they match, the new one is flashed; if not, the update does not happen.
OK, but what does it have to do with the brick?!
I'll explain:
1. You decide to downgrade your firmware
2. During flashing, everything goes "well" (phone boots), but in truth the update is partial:
The FW in the chip is (obviously) more recent than the one you downgrade to, and the SBL signature is different (updated), so when it is compared to the signature of the SBL from the FW you want to flash, it doesn't match. That doesn't raise an error and flashing continues. The only partition that stays untouched is the bootloader, but all other partitions get replaced by those in the FW zip. The SBL is still compatible with the new partition offsets and partition layout overall, so the phone functions normally.
3. When the OTA is executed, it checks the version of the currently installed firmware. The most reliable way to do it is to check the checksum of the SBL, which is pretty logical because its checksum is like a "fingerprint" of the firmware. Normally, if it detected the old firmware, the OTA would be stopped, but the newer SBL tricks it and the OTA installs anyway.
4. The results are horrible, because the OTA does not check the GPT table and flashes partitions in bad sectors, corrupting the FW.
This causes the bootloader to go into Qualcomm HS-USB QDLoader 9008 safe mode.
5. Voilà! Hard brick!
2. How to fix it?
That is a jolly good question! What we have to do is to reflash the full chip firmware. Surprisingly I see some solutions, but those need to be developed:
A) SD-BOOT
It turns out that our fancy chip can probably boot from SD-CARD! The procedure works like this:
- When the chip starts, one of the very first things it does is loading the memory, so it can actually work. The trick is that the chip loads it from a specific disk, marked with an exact name (I don't remember which, but I will do research). A specially prepared SD-CARD can appear with that name, so the chip boots from it, not from internal memory. (This trick is proved to work on this model)
How to do it?
- Get full dd of working phone - it must be phone with the SAME chip and very likely the same model
- flash it to SD-CARD of 32GB or more, class 10 speed or higher, directly to card, not partition
- put card in phone, turn it on and wait
- you should see HBOOT
- select fastboot and flash new FW via it
- voilà!
!!!THIS IS A COMPLICATED PROCEDURE, I WILL MAKE A DETAILED THREAD SOON, BUT FOLLOW IT ONLY IF YOU KNOW WHAT YOU ARE DOING!!!
B) FIREHOSE/SAHARA ATTACK
This could be achieved by sending a payload via the Firehose programmer that would allow to break verification of SBL or somehow allow SBL to be flashed. Now, PBL blocks attempts to update SBL. I have a thesis that it is because PBL does not allow SBL downgrade, so its version must be higher, but we try to flash the same version of SBL so it doesn't work. That thesis needs confirmation.
C) CRAFT BLANKFLASH
This would be last resort. It will work for sure, but this method needs knowledge and I don't know if it is doable.
STEP 1: Get white-listed blankflash checksums from OTA (we would need to reverse engineer those)
STEP 2: Break hash
STEP 3: Craft blankflash with needed hash
STEP 4: Flash
NEVER USE BLANKFLASH (ATTENTION!)
DO NOT try any blankflash files. They can make the situation a lot worse and even physically (!) damage your phone.
D) JTAG
Medusa Box etc.
E) Qualcomm Premium Tool
This can even work, but it is untested and there is a slight chance that can worsen state of phone (needs confirming).
The tool is very advanced and I need to gather info about usage, so very probable to be a good solution if we will learn how to use it!
F) METHOD 7
Interesting method from this guy: (7th option, I have contacted him to ask if it is compatible)
https://github.com/aravindvnair99/Motorola-Moto-E-XT1022-condor-unbrick/blob/master/Unbrick%20methods.md
3. DOWNLOAD
(Links will be added *soon*)
XDA:DevDB Information
Unbrick Developement for Moto Z Play (addison) Full-Brick, Tool/Utility for the Moto Z Play
Contributors
Bobernator, Artim_96, Camarda
Version Information
Status: Testing
Created 2019-05-03
Last Updated 2019-05-03
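The dictionary in the post above lists gpt_main0.bin and a full mmcblk0 backup; assuming both start with a standard GPT (header at LBA 1, 512-byte eMMC sectors), the added example below, which is not from the original post, checks the header and entry-array CRCs and reports overlapping or out-of-range partitions before such an image is written anywhere. The function names and the sample image built by `build_sample_gpt` are constructed for illustration.

```python
import struct
import zlib

HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header
ENTRY_FMT = "<16s16sQQQ72s"         # 128-byte partition entry


def parse_gpt(image, sector_size=512):
    """Validate the primary GPT in `image` (bytes); return usable range and partitions."""
    raw = image[sector_size:sector_size + 92]
    if len(raw) < 92:
        raise ValueError("image too small to hold a GPT header")
    (sig, _rev, hdr_size, hdr_crc, _rsvd, _cur, _backup, first_usable,
     last_usable, _disk_guid, entries_lba, n_entries, entry_size,
     entries_crc) = struct.unpack(HEADER_FMT, raw)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1 (wrong sector size?)")
    if not 92 <= hdr_size <= sector_size or entry_size < 128:
        raise ValueError("implausible header or entry size")
    # The header CRC covers hdr_size bytes with the CRC field itself zeroed.
    hdr = bytearray(image[sector_size:sector_size + hdr_size])
    hdr[16:20] = b"\x00" * 4
    if zlib.crc32(bytes(hdr)) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    start = entries_lba * sector_size
    table = image[start:start + n_entries * entry_size]
    if len(table) != n_entries * entry_size:
        raise ValueError("partition entry array is truncated")
    if zlib.crc32(table) != entries_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        entry = table[i * entry_size:i * entry_size + 128]
        type_guid, _uid, first, last, _attrs, name = struct.unpack(ENTRY_FMT, entry)
        if type_guid == bytes(16):      # unused slot
            continue
        parts.append({"name": name.decode("utf-16-le").split("\x00", 1)[0],
                      "first_lba": first, "last_lba": last})
    return {"first_usable": first_usable, "last_usable": last_usable,
            "partitions": parts}


def layout_problems(gpt):
    """Return readable problems: reversed, out-of-range or overlapping entries."""
    problems, widest = [], None
    for p in sorted(gpt["partitions"], key=lambda p: p["first_lba"]):
        if p["last_lba"] < p["first_lba"]:
            problems.append(f"{p['name']}: last LBA before first LBA")
        if p["first_lba"] < gpt["first_usable"] or p["last_lba"] > gpt["last_usable"]:
            problems.append(f"{p['name']}: outside usable LBA range")
        if widest and p["first_lba"] <= widest["last_lba"]:
            problems.append(f"{p['name']}: overlaps {widest['name']}")
        # Track the entry reaching furthest so nested overlaps are caught too.
        if widest is None or p["last_lba"] > widest["last_lba"]:
            widest = p
    return problems


def build_sample_gpt(entries, sector_size=512, n_entries=128, last_usable=8191):
    """Build a constructed GPT-only image (LBA 0 blank, header at LBA 1,
    entry array at LBA 2) from (name, first_lba, last_lba) tuples."""
    table = bytearray(n_entries * 128)
    for i, (name, first, last) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, table, i * 128, b"\x11" * 16,
                         bytes([i + 1]) * 16, first, last, 0,
                         name.encode("utf-16-le"))
    first_usable = 2 + -(-len(table) // sector_size)
    header = bytearray(struct.pack(
        HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, last_usable + 33,
        first_usable, last_usable, b"\x22" * 16, 2, n_entries, 128,
        zlib.crc32(bytes(table))))
    header[16:20] = struct.pack("<I", zlib.crc32(bytes(header)))
    image = bytearray(2 * sector_size)
    image[sector_size:sector_size + 92] = header
    return bytes(image) + bytes(table)


if __name__ == "__main__":
    # Constructed layout: names echo the dictionary above, LBAs are made up.
    sample = build_sample_gpt([("sbl1", 34, 1057), ("aboot", 1000, 5153)])
    for problem in layout_problems(parse_gpt(sample)):
        print(problem)
```

For a real dump, read the first 34 sectors of the file into `image`; a UFS device would need `sector_size=4096`.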
Hi, same problem. Did you solve it?
WARNING: THE FOLLOWING IS FOR INFORMATIONAL PURPOSES ONLY AND MAY FURTHER DAMAGE YOUR DEVICE. EXERCISE EXTREME CAUTION. USE ONLY AS A LAST RESORT.
This was tested with a Global OnePlus 9 LE2115
Overview
So I was encountering an error with MSM Download Tool that would show "Sahara communication failed" after about 18 seconds. This resulted in me being 100% unable to recover my device with MSM as it was continuously rebooting into EDL mode with no possibility of entering fastboot.
After much research, I stumbled upon a solution completely by accident. I was able to fix the issue by utilizing the following tools:
Qualcomm Sahara Tools - https://github.com/bkerler/edl
Oppo/OnePlus Decryption Tools - https://github.com/bkerler/oppo_decrypt
You need:
- Latest version of Python 3
- C/C++ build tools (gcc, Visual Studio, XCode) to build pip dependencies
- Dependencies installed using pip as specified in README.md of each repo
- Linux or macOS (Windows untested)
- *.ops file from your corresponding MSM Download Tool package
Process
Follow the instructions contained within the README of the above repos to download all files and install dependencies before continuing.
Spoiler: Extract ops package
Use opscrypto.py to extract the ops file you obtained earlier.
This results in a directory full of the decrypted contents of the update image (a collection of bin, img, and other files):
Code:
$ ./opscrypto.py decrypt lemonade_xxxx.ops
This creates an extract directory containing the decrypted files
Spoiler: Flash using edl.py
The wl subcommand for edl.py can then be used to write the aforementioned partitions.
The documentation describes the command thusly:
Code:
./edl.py wl dumps --memory=ufs >> to write all files from "dumps" folder to according partitions to flash and try to autodetect lun
I ran the command on the extract directory that was previously decrypted.
Additionally, I had to explicitly specify the OP9 EDL loader as well as specify that the flash memory was UFS and not EMMC:
Code:
$ sudo ./edl.py wl extract --memory=ufs --loader=Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin
This output was produced:
Code:
main - Using loader Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin ...
main - Waiting for the device
...............
.main - Device detected :)
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID: <CLIPPED>
CPU detected: "lahaina"
PK_HASH: <CLIPPED>
Serial: <CLIPPED>
sahara - Uploading loader Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin ...
Successfully uploaded programmer :)
firehose - Chip serial num: <CLIPPED>
firehose - Supported Functions: program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
firehose -
firehose_client - Target detected: lahaina
firehose - TargetName=
firehose - MemoryName=UFS
firehose - Version=
firehose_client - Supported functions:
-----------------
program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
firehose -
Reading from physical partition 0, sector 8, sectors 1
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Progress: |██████████████████████████████████████████████████| 100.0% Complete
oneplus - Oneplus protection with prjid 19825 detected
Writing ./param.bin to partition param.
firehose -
Writing to physical partition 0, sector 8, sectors 256
Writing ./persist.img to partition persist.
firehose -
Writing to physical partition 0, sector 2056, sectors 8192
Writing ./misc.bin to partition misc.
firehose -
Writing to physical partition 0, sector 10248, sectors 256
Writing ./frp.bin to partition frp.
firehose -
Writing to physical partition 0, sector 10632, sectors 128
Writing ./carrier.img to partition carrier.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 18440, sectors 12288
Writing ./opluslog.img to partition opluslog.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 34824, sectors 65536
Writing ./metadata.img to partition metadata.
firehose -
Writing to physical partition 0, sector 108616, sectors 4096
Writing ./super.img to partition super.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 145480, sectors 1
Writing ./userdata.img to partition userdata.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 2877512, sectors 2105
Writing ./ocdt.bin to partition ocdt.
firehose -
Writing to physical partition 3, sector 576, sectors 32
Writing ./oplusreserve2.img to partition oplusreserve2.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 4, sector 6, sectors 32768
Writing ./devinfo.bin to partition devinfo.
firehose -
Writing to physical partition 4, sector 722224, sectors 1
Writing ./apdp.mbn to partition apdp.
firehose -
Writing to physical partition 4, sector 722481, sectors 4
Writing ./storsec.mbn to partition storsec.
firehose -
Writing to physical partition 4, sector 817779, sectors 6
Writing ./mdcompress.mbn to partition mdcompress.
firehose -
Writing to physical partition 4, sector 826302, sectors 12
Writing ./spunvm.bin to partition spunvm.
firehose -
Writing to physical partition 4, sector 831486, sectors 87
Writing ./rtice.mbn to partition rtice.
firehose -
Writing to physical partition 4, sector 839678, sectors 65
Writing ./abl_log.bin to partition abl_log.
firehose -
Writing to physical partition 4, sector 839870, sectors 4048
Writing ./android_log.bin to partition android_log.
firehose -
Writing to physical partition 4, sector 847966, sectors 4048
Writing ./qsee_log.bin to partition qsee_log.
firehose -
Writing to physical partition 4, sector 852014, sectors 4048
Writing ./hyp_log.bin to partition hyp_log.
firehose -
Writing to physical partition 4, sector 856062, sectors 4048
Conclusion
After performing the above on a macOS device, the device successfully flashed in MSM on Windows 11.
I rebooted the device prior to attempting to flash after performing the above steps.
Addendum
This isn't a foolproof guide and may not even work for your device or may even damage it further.
The process described above is somewhat advanced and very much undocumented and unsupported/unofficial/hacky.
I cannot vouch for the quality, security or effectiveness of the tools linked above.
I'm putting this out there in hopes it helps others and to gather more information about how MSM Download Tool and EDL mode actually work.
Please let me know if this solves any issues with MSM and I can potentially produce a guide if this method is proven safe.
Spoiler: Speculation / Thoughts
Firehose appears to be an executable elf file that is run on the device, which then parses settings.xml and provision_*.xml contained within the ops file.
These files appear to contain the directives that allow MSM to recover bricked devices.
MSM appears to transmit these XML files to the firehose executable after loading it on the device.
These files reference the stock images, partition sizes, names, and extents that firehose then uses to provision the device.
Since firehose is simply an elf file that appears to rely on some preexisting data to be present on the device, some bricks may cause firehose to fail due to corruption of certain partitions.
Producing errors such as:
- Device mismatch
- Param preload error
- Sahara communication failure
- Waiting for device
- Waiting for COM port
The partitions shown in the output log appear to not be touched by MSM prior to sending firehose to the device, suggesting that it assumes they have been untouched.
Therefore, firehose may throw an error or fail to run entirely when attempting to recover some devices, even when using the correct MSM tool and drivers.
Despite being contained in the ops file, MSM doesn't appear to touch these partitions in its default Upgrade Mode.
That functionality may be locked behind more advanced modes such as SMT Download Mode, however, that mode is well known for causing more issues than it solves.
The tools above are open source reverse engineering tools that can do some rudimentary communication with OnePlus devices in EDL mode by utilizing a custom firehose binary (known as the "loader").
These appear to permit operations not possible with MSM's default behavior.
Spoiler: Observations
I was only able to get the edl.py tool to work on macOS.
I was unable to get this tool (edl.py) to work in Windows. It threw various libusb related errors despite using zadig as directed.
I observed that writing to any partition that was part of A/B dynamic partitioning would report that it was written successfully but in reality would only write 1 sector of the provided file.
However, a handful of other partitions appear to be writable, ones that typically can't be written to/aren't written with fastbootd or OTA side loading.
My IMEI and Serial Number were fully intact after flashing.
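The log in the post above records super.img as `sectors 1`, which is the short write described under Observations. The added example below (not part of the original post or of the edl project) pairs each `Writing ./file to partition` line with the sector count that follows it and flags writes far smaller than the image; the 4096-byte sector size, the function names and the image sizes are assumptions constructed for illustration.

```python
import os
import re

SECTOR_SIZE = 4096  # assumption: UFS logical block size (eMMC devices use 512)

FILE_RE = re.compile(r"^Writing (?P<file>\S+) to partition (?P<part>\S+?)\.$")
WRITE_RE = re.compile(
    r"^Writing to physical partition (?P<lun>\d+), "
    r"sector (?P<start>\d+), sectors (?P<count>\d+)$"
)

# Three entries copied from the log in the post above.
SAMPLE_LOG = """\
Reading from physical partition 0, sector 8, sectors 1
Writing ./param.bin to partition param.
firehose -
Writing to physical partition 0, sector 8, sectors 256
Writing ./super.img to partition super.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 145480, sectors 1
Writing ./userdata.img to partition userdata.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 2877512, sectors 2105
"""

# Constructed sizes in bytes; the post does not give the real ones.
SAMPLE_SIZES = {
    "./param.bin": 256 * 4096,
    "./super.img": 7 * 1024**3,
    "./userdata.img": 2105 * 4096,
}


def parse_write_log(text):
    """Return one dict per partition write found in an `edl.py wl` log."""
    writes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            current = {"file": m["file"], "partition": m["part"], "sparse": False}
            continue
        if current is None:
            continue  # e.g. the initial "Reading from physical partition" line
        if line.startswith("QCSparse - Sparse Format detected"):
            current["sparse"] = True
            continue
        m = WRITE_RE.match(line)
        if m:
            current.update(lun=int(m["lun"]), start=int(m["start"]),
                           sectors=int(m["count"]))
            writes.append(current)
            current = None
    return writes


def sizes_from_dir(directory, writes):
    """Look up on-disk sizes of the logged files in the extract directory.
    For sparse images this is only a lower bound on the unpacked size."""
    sizes = {}
    for w in writes:
        path = os.path.join(directory, w["file"])
        if os.path.isfile(path):
            sizes[w["file"]] = os.path.getsize(path)
    return sizes


def flag_short_writes(writes, image_sizes, sector_size=SECTOR_SIZE, ratio=0.5):
    """Return (partition, sectors_written, sectors_expected) for every write
    that covers less than `ratio` of the image it was supposed to carry."""
    flagged = []
    for w in writes:
        size = image_sizes.get(w["file"])
        if size is None:
            continue
        expected = -(-size // sector_size)  # ceiling division
        if w["sectors"] < expected * ratio:
            flagged.append((w["partition"], w["sectors"], expected))
    return flagged


if __name__ == "__main__":
    for part, got, want in flag_short_writes(parse_write_log(SAMPLE_LOG), SAMPLE_SIZES):
        print(f"{part}: wrote {got} sector(s), image needs about {want}")
```

On a real run, pass the saved tool output to `parse_write_log` and use `sizes_from_dir("extract", writes)` in place of the constructed sizes.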
Bruh my pro was in that constant reboot state. Buss laugh if this is actually a fix for that
Hopefully it is. I'm curious to see if it works for others. I stumbled upon this right as I had given up and submitted a ticket to OnePlus.
At which point they said there's nothing to do and the device needed repaired.
So hopefully this is a reliable fix for devices that are super-bricked, because it saved me from having to send my device in.
Op9 was there all except I could always get to fastboot by pressing all buttons and hold until off and back on fb, also several times monfrios all in one would read it dump and could reboot to fastboot. lol thanks again mon, and I do some dumb junk to mine trying to get 5g on att all the time, eventually I may need this. Thanks in advance for your efforts and interest.
Jessp4046 said:
Op9 was there all except I could always get to fastboot by pressing all buttons and hold until off and back on fb, also several times monfrios all in one would read it dump and could reboot to fastboot. lol thanks again mon, and I do some dumb junk to mine trying to get 5g on att all the time, eventually I may need this. Thanks in advance for your efforts and interest.
This may be a solution to a problem that isn't all that widespread.
I found myself in this situation after flashing an Android 12 GSI to my device which involved mucking around with stuff I probably shouldn't have touched.
I've used MSM many times while experimenting but this time I really messed up and was out of options.
Amazingly, I stumbled across the tools above and was able to bumble my way to a solution. This took me about 4 days to resolve as the device refused to enter fastboot.
GlitterFartzz said:
This may be a solution to a problem that isn't all that widespread.
I found myself in this situation after flashing an Android 12 GSI to my device which involved mucking around with stuff I probably shouldn't have touched.
I've used MSM many times while experimenting but this time I really messed up and was out of options.
Amazingly, I stumbled across the tools above and was able to bumble my way to a solution. This took me about 4 days to resolve as the device refused to enter fastboot.
This is exactly what caused mine to loop. I tried flashing a 12 GSI lol
Jhoopes517 said:
This is exactly what caused mine to loop. I tried flashing a 12 GSI lol
I was actually able to get the GSI to boot, albeit with no cellular, fingerprint, etc. OP9 claims to be treble-compliant in the props but methinks that's a total lie.
I'm waiting here
flameteam said:
I'm waiting here
View attachment 5364413
Looks like you're trying to do a full dump of LUN 0 into a single bin file. LUN 0 contains a large chunk of data as it houses the super partition and the userdata partition.
I would recommend using the r subcommand to dump individual partitions or just use rl which will dump your whole device while neatly separating each partition into individual files.
To see exactly what each LUN is comprised of, you can use the printgpt command:
Code:
./edl.py printgpt --memory=ufs
Given that you're running in a VM, your I/O speeds are likely much lower.
I recommend at least booting into a Linux Live USB to do this.
If security is a concern, at a minimum I would recommend vfio passthrough via QEMU to pass your entire USB controller through from a Linux host.
IMO, virtualizing the USB connection will kill your throughput and put you at risk of data corruption.
GlitterFartzz said:
I was actually able to get the GSI to boot, albeit with no cellular, fingerprint, etc. OP9 claims to be treble-compliant in the props but methinks that's a total lie.
I couldn't this time. I was able to prior but no go.
My OnePlus 8T is completely hard bricked: black screen, no logo, no vibration, nothing. Now I can't use MSM cuz I always get "Sahara communication failed". This seems like the way to go, will update you if it works
Help me guys. I can't access anything and it's saying Sahara Comm. error at 18 sec. I tried this on Windows and Linux but it does not work........ It gives me this:
File "opscrypto.py", line 160
self.info = print
^
SyntaxError: invalid syntax
_MartyMan_ said:
Help me guys. I can't access anything and it's saying Sahara Comm. error at 18 sec. I tried this on Windows and Linux but it does not work........ It gives me this:
File "opscrypto.py", line 160
self.info = print
^
SyntaxError: invalid syntax
Same here! OnePlus 9 Chinese version, model 2110. The screen is just black, but the computer detects it.
thanks in advance
Kind of progress but still does not work... I get this error message:
Somebody help pls.......
@GlitterFartzz do you have any idea what this could be?
I have tried everything to get my Global OnePlus 9 back up and running again … no matter what I do with drivers I get this error on the MSM tool. As you can see my phone is detected in the tool but I can't go past this point. I do not have access to download or fastboot mode. The last steps I took were through this thread https://forum.xda-developers.com/t/fastboot-rom-pc-required-op9-stock-oos-11-2-2-2aa.4275727/ and I reached the 1/2 way point (waiting on device) and now I can't get OOS back on the phone. Does anyone have any tips or knowledge they can guide me with to get my phone working with the MSM tool? Much appreciated
Toggle on "Use lite Firehose" before running
Thanks shooter7889 , got past the SMT error by setting date back 2 years on laptop and turning Wi-Fi off. Now i am getting the Sahara error after 18 sec and if I toggle use lite firehouse i get the PARAM error after 8 sec. I have tried to follow steps on the READ ME section (advanced GitHub page )but i dont have any experience with the process as shown. Is it possible to get a easy step guide that can be put together to get past the Sahara error? for us less advanced members? Anything helps at this point. phone is a brick , only thing i can get into is EDL mode .
Justingaribay7 said:
Thanks shooter7889 , got past the SMT error by setting date back 2 years on laptop and turning Wi-Fi off. Now i am getting the Sahara error after 18 sec and if I toggle use lite firehouse i get the PARAM error after 8 sec. I have tried to follow steps on the READ ME section (advanced GitHub page )but i dont have any experience with the process as shown. Is it possible to get a easy step guide that can be put together to get past the Sahara error? for us less advanced members? Anything helps at this point. phone is a brick , only thing i can get into is EDL mode .
Mate, what's your device model? If your device model is LE2113, flash https://androidfilehost.com/?fid=2188818919693804750 9pro eu msm rom, and after installation flash op9 https://drive.google.com/drive/folders/1R_j8sML_46YrTp1HGfpS6zrAUeFl8uJU?usp=sharing
This is a great resource to have, nice work. I'll give it a go if I ever hit that state again. I've only had success using the pro msm tools up to this point for some reason with lite firehose when I get the Sahara or param info device not match error. Once I've lite msmed with the pro tool, I can normal msm with the nonpro tool, just like flame team mentioned
flameteam said:
Mate, what's your device model? If your device model is LE2113, flash https://androidfilehost.com/?fid=2188818919693804750 9pro eu msm rom, and after installation flash op9 https://drive.google.com/drive/folders/1R_j8sML_46YrTp1HGfpS6zrAUeFl8uJU?usp=sharing
Thanks for the reply flameteam . My device is LE2115 Global . Would this method still work on this Version?
I tried running the Eu tool . No luck . Same errors as the O2 tool . Tried different flash options such as light firehouse on and off .. Sahara error and Parameters error still present
I'm working on running a standalone firehose programmer elf binary within Docker (for research purposes)
I have the container building and has all the tools I need to get started (readelf, gdb, strings) and all the aarch64 emulation that should be needed to run the programmer.
When I do run the binary I get:
# ./prog_firehose_lite.elf
./prog_firehose_lite.elf: Invalid argument
The binary itself is expecting some flags at launch time. I would not be surprised if there is a certificate as part of that handshake. Any idea what these flags may be?
I'll likely be publishing some of my findings to GitHub. I can't tell you how much theory I've learned about the sahara/firehose setup and how each OEM does things differently. Pretty fascinating...
One thing that I'm not sure of is the chainloading that I believe that happens from the PBL (stored on the hardware ROM) to the loading of the firehose programmer.
A few useful articles for this research:
Qualcomm’s Chain of Trust
Covering Qualcomm bootloader’s up to the point of Android being loaded
lineageos.org
GitHub - bkerler/edl: Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :)
Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :) - GitHub - bkerler/edl: Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :)
github.com
GitHub - alephsecurity/firehorse: Research & Exploitation framework for Qualcomm EDL Firehose programmers
Research & Exploitation framework for Qualcomm EDL Firehose programmers - GitHub - alephsecurity/firehorse: Research & Exploitation framework for Qualcomm EDL Firehose programmers
github.com
It’s As Easy As EDL - Oxygen Forensics, Inc.
The problem that has been plaguing investigators is the fact Android devices offer different mechanisms of data protection. For this reason, it is almost impossible to develop a single method of extracting and decrypting a device’s data. Of course, in many cases data...
blog.oxygen-forensic.com
Qualcomm USB flashing tool
32- and 64-bit ARM Open Platform Specifications. For software developers. For the maker community. For embedded OEMs. 64-bit ARM for $129.
www.96boards.org
has anyone installed any kind of GSI or custom rom on the V60 ?
here are some roms for those who looking to test on the v60.
Generic System Image (GSI) list
Notes about tinkering with Android Project Treble. Contribute to phhusson/treble_experimentations development by creating an account on GitHub.
github.com
Device support (Project Treble)
harvey186 I see that you seem to know a lot. I installed a generic a/b treble image on my pixel 3a sargo. It works fine. but it says the base image is months out of date. How can I manually upgrade it?
community.e.foundation
Treble-Enabled Device Development A/AB ROMS
Treble-Enabled Device Development A/AB ROMS
forum.xda-developers.com
I just learned that the V60 T-Mobile variant has no vendor or system or product partition. It has a super partition which seems to have system and vendor combined. Can someone confirm this, and if so how do we flash a GSI to the V60?
Here's a video that might help us get some GSI on our newer dynamic partitions
I managed to flash 3 different GSI ROMs; only 2 booted, but never entered the Android environment
Finally got GSI installed on v60 so snappy and no bloated ware. everything seems to work except no audio over bluetooth
blaze2051 said:
Finally got GSI installed on v60 so snappy and no bloated ware. everything seems to work except no audio over bluetooth
Wondering if you've used any Bkerler edl utilities on the V60? If so do you have a working copy of the v60 "loader". This is of course just the v60 firehose renamed.
hooutoo said:
Wondering if you've used any Bkerler edl utilities on the V60? If so do you have a working copy of the v60 "loader". This is of course just the v60 firehose renamed.
i couldnt get it to work on my v60
blaze2051 said:
i couldnt get it to work on my v60
Was this the error you got?????? The important part is at the end. The loader (firehose) it can't upload is the one provided by Bkerler.
edl$ edl printgpt --memory=ufs --lun=0 --loader=000c30e100310000_e746e34f737403f4_fhprg.bin
Capstone library is missing (optional).
Keystone library is missing (optional).
Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021.
main - Using loader 000c30e100310000_e746e34f737403f4_fhprg.bin ...
main - Waiting for the device
......
main - Hint: Press and hold vol up+dwn, connect usb. For some, only use vol up.
main - Xiaomi: Press and hold vol dwn + pwr, in fastboot mode connect usb.
Run "./fastpwn oem edl".
main - Other: Run "adb reboot edl".
...............
....main - Device detected
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID: 0x000c30e100310000 (MSM_ID:0x000c30e1,OEM_ID:0x0031,MODEL_ID:0x0000)
CPU detected: "SM8250:CD90-PH805-1A"
PK_HASH: 0xe746e34f737403f40212cf29f0c0cab9f1038aa8bce6c097e82cc93213020edb
Serial: 0xff08b1ae
sahara - Uploading loader 000c30e100310000_e746e34f737403f4_fhprg.bin ...
sahara
sahara - [LIB]: [Errno 2] No such file or directory: '000c30e100310000_e746e34f737403f4_fhprg.bin'
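The log above ends with the loader file not being found under the name given to `--loader`. As an added example (not from the original post or the edl project), the code below parses the Sahara banner, splits the HWID into the fields the tool prints, builds the `<hwid>_<first 16 hex digits of PK_HASH>_fhprg` prefix that both loader names on this page follow, and checks whether a file with that prefix exists. The function names and the directory being searched are assumptions.

```python
import os
import re

HWID_RE = re.compile(r"HWID:\s*0x([0-9a-fA-F]{16})")
PKHASH_RE = re.compile(r"PK_HASH:\s*0x([0-9a-fA-F]{16,})")

# Banner lines copied from the log in the post above.
SAMPLE_BANNER = """\
HWID: 0x000c30e100310000 (MSM_ID:0x000c30e1,OEM_ID:0x0031,MODEL_ID:0x0000)
CPU detected: "SM8250:CD90-PH805-1A"
PK_HASH: 0xe746e34f737403f40212cf29f0c0cab9f1038aa8bce6c097e82cc93213020edb
Serial: 0xff08b1ae
"""


def parse_sahara_banner(text):
    """Extract HWID and PK_HASH from tool output and split the HWID fields."""
    hwid = HWID_RE.search(text)
    pk = PKHASH_RE.search(text)
    if not hwid or not pk:
        raise ValueError("HWID or PK_HASH missing (clipped, or not a Sahara banner)")
    hwid_hex = hwid.group(1).lower()
    value = int(hwid_hex, 16)
    return {
        "hwid": hwid_hex,
        "msm_id": (value >> 32) & 0xFFFFFFFF,   # top 32 bits
        "oem_id": (value >> 16) & 0xFFFF,       # next 16 bits
        "model_id": value & 0xFFFF,             # low 16 bits
        "pk_hash": pk.group(1).lower(),
    }


def loader_prefix(info):
    """File-name prefix shared by the loader names shown on this page."""
    return f"{info['hwid']}_{info['pk_hash'][:16]}_fhprg"


def find_loaders(root, info):
    """Walk `root` and return every file whose name starts with the prefix."""
    prefix = loader_prefix(info)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith(prefix):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def check_loader_arg(loader_arg, info, cwd="."):
    """Report whether a --loader value exists on disk and matches the device.
    A bare file name is resolved against `cwd`, as a relative path would be."""
    path = loader_arg if os.path.isabs(loader_arg) else os.path.join(cwd, loader_arg)
    return {
        "exists": os.path.isfile(path),
        "matches_device": os.path.basename(loader_arg).lower().startswith(
            loader_prefix(info)),
    }


if __name__ == "__main__":
    device = parse_sahara_banner(SAMPLE_BANNER)
    arg = "000c30e100310000_e746e34f737403f4_fhprg.bin"
    print(check_loader_arg(arg, device))
    print(find_loaders(".", device) or "no matching loader under current directory")
```

A result of `exists: False` with `matches_device: True` corresponds to the `[Errno 2]` line in the log: the name fits the device, but no such file is at that relative path.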
blaze2051 said:
Finally got GSI installed on v60 so snappy and no bloated ware. everything seems to work except no audio over bluetooth
can you link the gsi rom
FernSal said:
can you link the gsi rom
the link is provided
hooutoo said:
> Was this the error you got?????? The important part is at the end. The loader (firehose) it can't upload is the one provided by Bkerler.
> edl$ edl printgpt --memory=ufs --lun=0 --loader=000c30e100310000_e746e34f737403f4_fhprg.bin
> Capstone library is missing (optional).
> Keystone library is missing (optional).
> Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021.
> main - Using loader 000c30e100310000_e746e34f737403f4_fhprg.bin ...
> main - Waiting for the device
> ......
> main - Hint: Press and hold vol up+dwn, connect usb. For some, only use vol up.
> main - Xiaomi: Press and hold vol dwn + pwr, in fastboot mode connect usb.
> Run "./fastpwn oem edl".
> main - Other: Run "adb reboot edl".
> ...............
> ....main - Device detected
> main - Mode detected: sahara
> Device is in EDL mode .. continuing.
> sahara -
> ------------------------
> HWID: 0x000c30e100310000 (MSM_ID:0x000c30e1,OEM_ID:0x0031,MODEL_ID:0x0000)
> CPU detected: "SM8250:CD90-PH805-1A"
> PK_HASH: 0xe746e34f737403f40212cf29f0c0cab9f1038aa8bce6c097e82cc93213020edb
> Serial: 0xff08b1ae
> sahara - Uploading loader 000c30e100310000_e746e34f737403f4_fhprg.bin ...
> sahara
> sahara - [LIB]: [Errno 2] No such file or directory: '000c30e100310000_e746e34f737403f4_fhprg.bin'
I don't remember exactly, basically it says device detected but it can't load the firehose file, or none found, something like that
blaze2051 said:
> the link is provided
i meant the specific rom that worked for you
FernSal said:
> i meant the specific rom that worked for you
https://images.ecloud.global/dev/treble_arm64_bvN/IMG-e-0.19-q-20211027142973-dev-treble_arm64_bvN.zip
blaze2051 said:
> https://images.ecloud.global/dev/treble_arm64_bvN/IMG-e-0.19-q-20211027142973-dev-treble_arm64_bvN.zip
thanks bro i appreciate it
blaze2051 said:
> Finally got GSI installed on v60 so snappy and no bloated ware. everything seems to work except no audio over bluetooth
I have lg v60 a12 and i downloaded elixir gsi when i flash in fastboot it shows error like no partition found. Can you help me
Naziraslam88 said:
> I have lg v60 a12 and i downloaded elixir gsi when i flash in fastboot it shows error like no partition found. Can you help me
you were not in the correct fastboot, you need to type "fastboot reboot fastboot"
ONLY WORKS FOR THE G900TM SINCE THAT MODEL HAS A MEDIATEK CHIP, DO NOT TRY THIS ON ANY OTHER VELVET MODEL
Prerequisites:
MTKclient: this is the free tool we will use to unlock the bootloader, follow the installation instructions here or use the provided LiveDVD that has everything ready to go: https://github.com/bkerler/mtkclient
LGUP: Use this patched one: https://tbl-locksmiths.com/d/4-lgup-1163-patched-latest
ADB (Android Debug Bridge): See here on how to install ADB: https://www.xda-developers.com/install-adb-windows-macos-linux/
FOR NOW YOU MUST USE AN UBUNTU OR DEBIAN BASED LINUX DISTRO SINCE MTKCLIENT DOES NOT PLAY NICE WITH WINDOWS AND REQUIRES MORE STEPS TO WORK THERE. A VIRTUAL MACHINE WILL WORK FINE FOR THIS TUTORIAL.
UNLOCKING THE BOOTLOADER WILL WIPE YOUR DATA, PLEASE MAKE SURE YOU HAVE BACKED YOUR DATA UP BEFORE ATTEMPTING THIS.
1. If you are on Android 11 already, please downgrade to Android 10 first using the G900TM14k KDZ before attempting this. You can download it here or from another website. https://drive.google.com/file/d/1GYOHiuIbOqO9x_t8E-dvLI3sEKDe6fRS/view?usp=sharing
Spoiler: Nerd explanation 🤓
The reason that we are doing this is because in the Android 11 firmware, the phone’s preloader (first stage bootloader) has the exploit MTKclient needs to crash the phone into BROM mode (Mediatek equivalent to Qualcomm EDL mode) patched out. This means MTKclient will not work with the Android 11 firmware installed, unless you are willing to open up the phone and short some test points! By downgrading to Android 10, the exploitable preloader can be put back onto the device.
2. Install LGUP, then launch it when it is done. Make sure the “refurbish” option is selected, then click the button with the three dots that is circled in the picture.
Spoiler: LGUP
3. Select the G900TM14k kdz file. Then click start and wait for the kdz to finish flashing.
4. Now you are ready to use MTKclient. When using it, make sure the phone is powered off, run a command, and then plug the phone into your PC. Follow the instructions here: https://github.com/bkerler/mtkclient#unlock-bootloader
Output should look something like this example output:
Code:
[email protected]:~/Desktop/mtkclient-main$ python mtk e metadata,userdata,md_udc
MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
Port - Device detected :)
Preloader - CPU: MT6885/MT6883/MT6889/MT6880/MT6890(Dimensity 1000L/1000)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x816
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x1
Mtk - We're not in bootrom, trying to crash da...
PLTools - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
usb_class - USBError(19, 'No such device (it may have been disconnected)')
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
Port - Device detected :)
Preloader - CPU: MT6885/MT6883/MT6889/MT6880/MT6890(Dimensity 1000L/1000)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x816
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x1
Preloader - ME_ID: 2DF842BC6706D1EA3150DC28E8B69081
Preloader - SOC_ID: D68B399A7D66DF240C22270698248840AF48675FA82F2F5B8B2048A993A646B3
PLTools - Loading payload from mt6885_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/sugondeseballs/Desktop/mtkclient-main/mtkclient/payloads/mt6885_payload.bin
Port - Device detected :)
Main - Device is protected.
Main - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.2124.bin
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - UFS FWVer: 0x2020
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID: SDINEDK4-128G
DAXFlash - UFS CID: 45015344494e45444b342d3132384720
DAXFlash - UFS LU0 Size: 0x1dcd800000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DRAM config needed for : 45015344494e45444b342d3132384720
DAXFlash - Sending emi data ...
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - UFS FWVer: 0x2020
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID: SDINEDK4-128G
DAXFlash - UFS CID: 45015344494e45444b342d3132384720
DAXFlash - UFS LU0 Size: 0x1dcd800000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DA-CODE : 0x161E0
DAXFlash - DA Extensions successfully added
DAXFlash - Formatting addr 0x94a2000 with length 0x2000000, please standby....
DAXFlash - Successsfully formatted addr 0x94a2000 with length 33554432.
Formatted sector 38050 with sector count 8192.
DAXFlash - Formatting addr 0x462800000 with length 0x1962800000, please standby....
DAXFlash - Successsfully formatted addr 0x462800000 with length 109026738176.
Formatted sector 4597760 with sector count 26617856.
DAXFlash - Formatting addr 0x7e08000 with length 0x169a000, please standby....
DAXFlash - Successsfully formatted addr 0x7e08000 with length 23699456.
Formatted sector 32264 with sector count 5786.
[email protected]:~/Desktop/mtkclient-main$ python mtk xflash seccfg unlock
MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1 of 0x1, ) 0.05 MB/s
xflashext - Successfully wrote seccfg.
Congrats! Your bootloader is now unlocked!
Now if you want to flash back to Android 11 first and then root, you can! You can either perform the OTA updates needed to get to the latest Android 11 software version, or just download an Android 11 KDZ from one of those websites that hosts LG firmware and flash it with the “Upgrade” option selected in LGUP.
But doing so will replace the exploitable preloader. If you still want MTKclient to work, follow this process:
Download an Android 11 KDZ
Open up LGUP and select the KDZ
Select the “Partition DL” option and press “Start”
When the partition list window pops up, click “Select all” and uncheck the preloader partition, then press OK to start flashing.
Spoiler: Partition list window
ROOTING INSTRUCTIONS (this part can be done in Windows or Linux):
To root, dump both of the boot images from the phone using “python mtk r boot_a boot_a.bin” and “python mtk r boot_b boot_b.bin”. It’s fine to dump only boot_a or boot_b, but make sure to verify which boot slot your phone is in first, then dump the correct image.
Turn the phone back on, then download the Magisk APK file from its Github page, and install it.
Copy the dumped boot images to your phone’s storage.
Then in the Magisk app, tap the Install button in the Magisk box, then tap “Select and patch a file”.
Select your boot image, then press “Let’s go”.
Wait for it to patch the boot image.
When the app finishes patching the boot image it will be in the Downloads folder. If you want to patch the other boot image, repeat this process.
When you have your patched boot images, copy them back to your computer, preferably to the same directory/folder where ADB is installed to.
Make sure USB Debugging is enabled in the developer settings on your phone, then connect the phone to your computer. Allow the computer to access the phone if needed.
Open up a command prompt in the folder where the boot images are and where ADB is installed and type “adb reboot fastboot”.
Wait for the phone to boot to fastboot, then type and run these commands: “fastboot flash boot_a boot_a.bin” and “fastboot flash boot_b boot_b.bin”.
Reboot the phone.
You’re rooted!
Big thanks to @Warlockguitarman, who discovered the bootloader unlock exploit, and Bjoern Kerler, the author of MTKclient, who integrated the exploit into the tool. Without them, many Mediatek devices including the T-Mobile Velvet would probably never have root!
Some pictures of my rooted Velvet
If you happen to hard brick your device enough so that it only gets detected as a USB port, here are the unbrick files to get the phone to download mode. You will need to flash these using SP Flash Tool with the "Format all + Download" option. This will nuke your IMEI and serial number, however it is not too difficult to write those back to the phone.
Velvet (MTK) - Google Drive
drive.google.com
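The two handshakes in the example output above print different "Target config" values (0x5, then 0xe5), and the per-flag lines that follow each one are that bit field spelled out. The example below is added here and is not part of the original post or of MTKclient; it decodes the field and checks it against the printed flags, and its bit masks are an assumption inferred from that output.

```python
import re

# Assumed masks, inferred from the flag lines in the example output above (not
# from MTKclient's source); SWJTAG is assumed to cover bits 1-2 (0x5 -> True).
TARGET_CONFIG_MASKS = {
    "SBC enabled": 0x01,
    "SLA enabled": 0x02,
    "DAA enabled": 0x04,
    "SWJTAG enabled": 0x06,
    "EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT": 0x08,
    "Root cert required": 0x10,
    "Mem read auth": 0x20,
    "Mem write auth": 0x40,
    "Cmd 0xC8 blocked": 0x80,
}

# Flag lines of the two handshakes, copied from the example output above.
SAMPLE_LOG = """\
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
"""

CONFIG_RE = re.compile(r"Preloader - Target config:\s*(0x[0-9a-fA-F]+)\s*$")
FLAG_RE = re.compile(r"Preloader - (.+?):\s*(True|False)\s*$")

def decode_target_config(value):
    """Return {flag name: bool} for one Target config value."""
    return {name: bool(value & mask) for name, mask in TARGET_CONFIG_MASKS.items()}

def parse_handshakes(log):
    """Return [(target_config, {flag name: printed bool})], one per handshake."""
    handshakes = []
    for line in log.splitlines():
        config, flag = CONFIG_RE.match(line.strip()), FLAG_RE.match(line.strip())
        if config:
            handshakes.append((int(config.group(1), 16), {}))
        elif flag and handshakes and flag.group(1) in TARGET_CONFIG_MASKS:
            handshakes[-1][1][flag.group(1)] = flag.group(2) == "True"
    return handshakes

def mismatches(log):
    """Printed flags that disagree with the decoded bit field, per handshake."""
    return [(index, name, shown)
            for index, (value, printed) in enumerate(parse_handshakes(log))
            for name, shown in printed.items()
            if decode_target_config(value)[name] != shown]

def changed_flags(log):
    """Flags that differ between the first and the last handshake."""
    handshakes = parse_handshakes(log)
    if len(handshakes) < 2:
        return {}
    first = decode_target_config(handshakes[0][0])
    last = decode_target_config(handshakes[-1][0])
    return {n: (first[n], last[n]) for n in first if first[n] != last[n]}
```

Calling `mismatches()` on a captured log returns an empty list when every printed flag agrees with the bit field; `changed_flags()` names the protections that differ between the first and last handshake.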
Reserved
Thanks for the write-up! quick question: any issues with the fingerprint function? I heard that some LG phones have issues with finger sensor after unlock, not sure if that applies here. I'm assuming this would break the OTA?
Metconnect2000 said:
> Thanks for the write-up! quick question: any issues with the fingerprint function? I heard that some LG phones have issues with finger sensor after unlock, not sure if that applies here. I'm assuming this would break the OTA?
Hi, the fingerprint still works perfectly after unlocking the bootloader. If you root then you will break OTA updates. But I consider that an improvement for this phone because T-Mobile loves to force OTAs on their phones lol
Wish39 said:
> Hi, the fingerprint still works perfectly after unlocking the bootloader. If you root then you will break OTA updates. But I consider that an improvement for this phone because T-Mobile loves to force OTAs on their phones lol
Cool. Thanks!
I'm having trouble with unlocking the bootloader. I'm using the Live DVD from the MTKClient, but it seems to be getting stuck with "Status: Handshake failed, retrying..." and "Please disconnect, start mtkclient and reconnect". I'm not too familiar with Linux, I'm just double clicking the "MTK" app on the Live DVD desktop and running the commands from there. My device is powered off when running the commands and downgraded to Android 10. I have tried using the Live DVD on a virtual machine and running on two computers, but it doesn't seem to change anything.
EDIT: Used version 1.52 under the releases tab in Github and was successful. For idiots like me, here's what I did:
1. Download the Live CD provided and run it on a computer
2. On a separate computer, download the latest release of MTKClient under the releases tab (version 1.52) and extract to a USB drive
3. Boot into Live USB
4. Copy over MTKClient version 1.52 to Live CD
5. In the MTKClient files, right click and click "Open Terminal Here"
6. Follow original steps above to unlock bootloader
To root, I also used the Live CD since I kept getting issues in Windows
1. In Linux terminal, run "sudo apt-get install android-tools-fastboot" and "sudo apt-get install android-tools-adb"
2. Follow original steps to root phone
3. Make sure you replace "boot_a.bin" with the name of the file that Magisk generated
4. I typed in "fastboot flash boot_a" and then dragged the Magisk generated file and did that for Boot_b too
username32 said:
> I'm having trouble with unlocking the bootloader. I'm using the Live DVD from the MTKClient, but it seems to be getting stuck with "Status: Handshake failed, retrying..." and "Please disconnect, start mtkclient and reconnect". I'm not too familiar with Linux, I'm just double clicking the "MTK" app on the Live DVD desktop and running the commands from there. My device is powered off when running the commands and downgraded to Android 10. I have tried using the Live DVD on a virtual machine and running on two computers, but it doesn't seem to change anything.
> EDIT: Used version 1.52 under the releases tab in Github and was successful. For idiots like me, here's what I did:
> 1. Download the Live CD provided and run it on a computer
> 2. On a separate computer, download the latest release of MTKClient under the releases tab (version 1.52) and extract to a USB drive
> 3. Boot into Live USB
> 4. Copy over MTKClient version 1.52 to Live CD
> 5. In the MTKClient files, right click and click "Open Terminal Here"
> 6. Follow original steps above to unlock bootloader
> To root, I also used the Live CD since I kept getting issues in Windows
> 1. In Linux terminal, run "sudo apt-get install android-tools-fastboot" and "sudo apt-get install android-tools-adb"
> 2. Follow original steps to root phone
> 3. Make sure you replace "boot_a.bin" with the name of the file that Magisk generated
> 4. I typed in "fastboot flash boot_a" and then dragged the Magisk generated file and did that for Boot_b too
What was the hardware key combo you used to get to BROM mode? I keep getting the handshake failed error, even though the other LG devices worked before.
Wish39 said:
> Hi, the fingerprint still works perfectly after unlocking the bootloader. If you root then you will break OTA updates. But I consider that an improvement for this phone because T-Mobile loves to force OTAs on their phones lol
I was unable to do OTA updates even after I restored the stock boot img. It seems like bootloader unlock breaks OTA updates.
lentm said:
> I was unable to do OTA updates even after I restored the stock boot img. It seems like bootloader unlock breaks OTA updates.
It normally will. I get a strange hex message when it tries to update, and it will tell you to contact LG Support.
Surgemanxx said:
> It normally will. I get a strange hex message when it tries to update, and it will tell you to contact LG Support.
It didn't matter as we could just do manual update with kdz files, but it feels like something happened on their T-Mobile version development.
We used to get the kdz file every 2-3 months, still nothing even when 20i ota is out already, and still no pending Android 12 updates on T-Mobile list.
lentm said:
> It didn't matter as we could just do manual update with kdz files, but it feels like something happened on their T-Mobile version development.
> We used to get the kdz file every 2-3 months, still nothing even when 20i ota is out already, and still no pending Android 12 updates on T-Mobile list.
I agree! T-Mobile's Velvet is still lagging behind for A12, and I'm assuming the Mediatek chipset is the reason. I currently have the Verizon and the AT&T versions, and they were OTA'd a couple months ago. But I think they're just compiling 1 version for most of these last devices because they have the same Qualcomm chipsets. I have the LG Wing, and it's in the same boat still. It's still sitting at A11 and nothing in the works to go to A12 that I have seen.
lentm said:
> I was unable to do OTA updates even after I restored the stock boot img. It seems like bootloader unlock breaks OTA updates.
Unlocking the bootloader may or may not break OTA updates on T-Mobile/Metro LG devices in my experience.
I had a Metro K51 that had OTA's break after just unlocking its bootloader, meanwhile my T-Mobile Velvet was able to OTA update even after unlocking its bootloader.
T-Mobile LG's use Google Play Services to distribute OTA updates, so it's something with GMS I guess, not sure.
lentm said:
> What was the hardware key combo you used to get to BROM mode? I keep getting the handshake failed error, even though the other LG devices worked before.
There's no BROM hardware key combo, did you downgrade the phone first?
Easiest way is to downgrade to Android 10, run a command on mtkclient and then simply power off the phone, plug it into your PC and let mtkclient do the work.
The only other way is to disassemble the phone and short the BROM testpoints on the motherboard, then plug the phone into your PC.
Surgemanxx said:
> I agree! T-Mobile's Velvet is still lagging behind for A12, and I'm assuming the Mediatek chipset is the reason. I currently have the Verizon and the AT&T versions, and they were OTA'd a couple months ago. But I think they're just compiling 1 version for most of these last devices because they have the same Qualcomm chipsets. I have the LG Wing, and it's in the same boat still. It's still sitting at A11 and nothing in the works to go to A12 that I have seen.
Korean Wing does have Android 12
Wish39 said:
> Korean Wing does have Android 12
Yes, built from the Velvet 765g firmware. Nothing for other regions as of yet.
Wish39 said:
> Unlocking the bootloader may or may not break OTA updates on T-Mobile/Metro LG devices in my experience.
> I had a Metro K51 that had OTA's break after just unlocking its bootloader, meanwhile my T-Mobile Velvet was able to OTA update even after unlocking its bootloader.
> T-Mobile LG's use Google Play Services to distribute OTA updates, so it's something with GMS I guess, not sure.
If your Velvet was able to OTA update, it's probably because I unchecked preloader with PARTITION D/L option on LGUP when upgrading to Android 12.
A) Since this is a mediatek chipped device, is it not possible to unlock bootloader via adb and fastboot commands from a windows rig?
Then patch the boot image with magisk.
Flash patched image with adb or the smart phone flash tool?
I've had success with other brands on mediatek android 10 using this method.
--> Here is a guide that's similar to the method I've successfully used to root other devices, but for mediatek android 11 devices
--> Here is another guide specifically for LG devices from the same source as above
--------------------
B) Re: Resources for the method in post 1
1. Anyone have the link to the latest android 11 kdz [G900TM20i]? I can't find a copy for d/l. Seems to be a discrepancy whether OTA update will work post-root, and would like to have latest security patch
2. Is there a minimum version of ubuntu to use? I have one in the archives but it has to be at least a few years old. Should it work or do I want to grab a newer version to be sure?
--------------------
Thanks for the guide and help.
I just picked up this mint unlocked t-mobile velvet for less than $150 and so far it seems like a nice device. Only gripe is no face unlock. Noticed a faceprint and handprint option in the service menu, but my understanding is that it doesn't serve any function on this device.
One of the main reasons I picked this device up was due to the mediatek chipset, and that mediatek devices are typically rootable with a generic process like I linked above. I'm glad to see it can be rooted, even if not via the 'typical method' I've used for others.
@double b26 Hey what's up. The normal fastboot method doesn't work for newer LG devices because those don't have normal fastboot, they only have fastbootd, which is fastboot in userspace. The bootloader unlock commands are missing, so you can't really do anything in there besides flash some partitions while in there.
As of now there isn't a KDZ for G900TM20i, and I recommend you use Ubuntu 20.04 LTS or newer so you don't run into compatibility issues.
Also I believe the handprint and faceprint options in the hidden menu are meant for the G8, guess LG was too lazy to remove those options.