Database Info

[HELP!] Velocity Cruz T301 Full Brick Recovery

Hi XDA,
so basically i bought a Velocity Cruz T301 recently and followed the known procedures for rooting, flashing ClockworkMod Recovery and custom rom (SJHill Rom v0.3).
before the full brick my device was at ClockworkMod 5 and rooted with SJHill Rom v0.3.
i installed CWM by flashing the zip in stock recovery, then succesfully rooted the device, finally wiped and flashed my custom rom
after major dissapointment in this tablets performance i decided i wanted to get rid of it.
So i downloaded the stock rom, wipe and flashed it onto the tablet...
the tablet turned off when it was finished (i think it was attempting to reboot) and never turned back on again...EVER! :good:
i cant even get to recovery
i tried flashing with adb and fastboot but the device is never even presents itselft to the computer.
i found out that you can boot the device into USB boot mode where you hold the "VOL -" (Volume Down) button and press the reset button and while connected to the computer (windows only) a "JZ4760 USB Boot Device" appears.
i did some googling and also found out that the T301 is based on similar tech to a bunch of tablets and they can all be modified by some software released by Ingenic called USBBootTool.exe
the tool is written in chinese and i cant decypher it all, though i found out how to use it based on its usage for other Ingenic based tablets
1.) you will need to disable driver signature verification (press F8 on boot of windows and toggle the setting, i hate rebooting too but it has to be done)
2.) boot your tablet into USB Boot Mode (hold down Vol - and press Reset button)
3.) install the driver for your device (included in the files below)
4.) with the tablet disconnected you would open the USBBootTool.exe
5.) select your tablet in the options and fill each box with the files needed to flash (files included below)
6.) reconnect the tablet while still in USB Boot Mode and the software will flash your device on detection
everything goes fine for me except when i get to the flashing part in the end.
when USBBootTool detects my tablet, it attempts to flash and gives me a stream of errors and never flashes my device.
i dont know what to do at this point. i have provided direct links to all the software im using and also links to where i got them.
any help would be appreciated, thank you to the XDA community in advance
>------------------- DOWNLOADS ------------------------<
USBBootTool.exe / Tablet Drivers (4725 / 4725B / 4740 / 4750 / 4755 / 4760 / 4770)
http://dl.dropbox.com/u/79196608/burn_tools_3.0.16.rar
obtained from - http://forum.xda-developers.com/showthread.php?t=1720621
Velocity Cruz T301 Update.zip (contains the system.img / data.img / mbr-xboot.bin files)
http://www.cruztablet.com/T301update.zip
obtained from - http://www.cruztablet.com/Article_861.php
SJHill Rom v0.3
http://www.androidfilehost.com/?fid=9390362690511176486
obtained from - http://www.slatedroid.com/topic/27583-rom-t301-sjhill-rom-17-feb-2012-download-link-updated/
ClockworkMod 5
http://files.androtab.info/ingenic/cwm/20120514/T301-recovery-signed.zip
obtained from - http://androtab.info/mips/ingenic/clockworkmod/

I have the same situation. I have gone through every menu in the USB Boot tool and to no avail am I able to recover my T100.

gmick is redoing the software because the coding is set up wrong. Once he gets that figured out there should be a fool proof unbricking method that we can follow. He is posting information over on Slate Droid if you want to take a look.

feyerbrand said:
gmick is redoing the software because the coding is set up wrong. Once he gets that figured out there should be a fool proof unbricking method that we can follow. He is posting information over on Slate Droid if you want to take a look.
Click to expand...
Click to collapse
ok post the link to the thread, and ill add it to the first post as a solution if its found to be a working one

JustSayTech said:
ok post the link to the thread, and ill add it to the first post as a solution if its found to be a working one
Click to expand...
Click to collapse
*Cross Post from SlateDroid* (but I can't post the link because XDA won't allow it)
I found out why the USB boot isn't working. Well, more appropriately I know where it fails but not exactly "why".
The USB Boot tool works like this:
1) Send x00 command (Get CPU Info)
2) Device responds with "JZ4760V1"
3) Host sends two binaries, stage1 and stage2. Stage 1 sets up memory stuff, and Stage 2 sets up USB flashing functions.
4) Host checks that the binaries executed by issuing another x00 command (Which serves as an "Are you still there?" function)
5) If the response is good, the host will flash the images, if the response is bad, it will abort.
Our devices are failing at step 4. The linux usb boot tools (xburst-tools) fail in an identical fashion.
I know that the first stage binary transfers and executes fine because if it didn't the device would be limited to 16k. The second stage is 120K and is transferred successfully. Once the second stage "execute" command is sent, the device crashes.
The second stage is also unique to the CPU type. I've used all of the binaries for JZ4760 I could find on the net and when that failed I cross compiled my own binary from source and it still crashed.
At this point I highly doubt I'll ever be able to fix it, and this completely explains why no one could get any usb recovery tool to work while others using similar devices could. I guess our board is modified just enough for ingenic's stock binaries to fail. Without knowing what's changed (getting Velocity Micro's source) we're SOL.
I can open it up again and solder on the serial header but I'm betting it's going to give me some generic "couldn't execute" message that isn't going to help me. I'll probably do this anyway though because I've come this far so what's the loss.

wow, i learned alot from that post, seems like writing a usbboottool-like application that can send the commands but also log and possibly bypass security checks etc but that def would take sometime. thank you for your insight, seems youve come the closest to cracking the case, actually you found the fault, hopefully your methods can eventually bring about a fix

JZ 4770
gmick said:
*Cross Post from SlateDroid* (but I can't post the link because XDA won't allow it)
I found out why the USB boot isn't working. Well, more appropriately I know where it fails but not exactly "why".
The USB Boot tool works like this:
1) Send x00 command (Get CPU Info)
2) Device responds with "JZ4760V1"
3) Host sends two binaries, stage1 and stage2. Stage 1 sets up memory stuff, and Stage 2 sets up USB flashing functions.
4) Host checks that the binaries executed by issuing another x00 command (Which serves as an "Are you still there?" function)
5) If the response is good, the host will flash the images, if the response is bad, it will abort.
Our devices are failing at step 4. The linux usb boot tools (xburst-tools) fail in an identical fashion.
I know that the first stage binary transfers and executes fine because if it didn't the device would be limited to 16k. The second stage is 120K and is transferred successfully. Once the second stage "execute" command is sent, the device crashes.
The second stage is also unique to the CPU type. I've used all of the binaries for JZ4760 I could find on the net and when that failed I cross compiled my own binary from source and it still crashed.
At this point I highly doubt I'll ever be able to fix it, and this completely explains why no one could get any usb recovery tool to work while others using similar devices could. I guess our board is modified just enough for ingenic's stock binaries to fail. Without knowing what's changed (getting Velocity Micro's source) we're SOL.
I can open it up again and solder on the serial header but I'm betting it's going to give me some generic "couldn't execute" message that isn't going to help me. I'll probably do this anyway though because I've come this far so what's the loss.
Click to expand...
Click to collapse
for my JZ4770 Earlier USB tool was flashing .img without any problem but for now it is saying "load cfg failed". "API downlaod failed' like dialogues and doesnt flash anything. Any idea? Thanks in advance!!

First restart your computer (actually restart it) then redownload the USB boot tool and save it in a completely new directory and use a different USB port
Sent from my Pokeball

Yes, I did
JustSayTech said:
First restart your computer (actually restart it) then redownload the USB boot tool and save it in a completely new directory and use a different USB port
Sent from my Pokeball
Click to expand...
Click to collapse
Yes, I tried with this suggestion. Rather I reinstalled xp and the tried again. But the dialogues are same. The history is like this. Was having ICS on JZ 4770. Formatted with usb tool and put JB updates. It was not sensing touch so reflashed another JB updates. Now the tab boots, it reaches to boot logo for around 12 seconds and restarts in stock recovery. While it is in booting stage it get detected by windows and adb also. In stock recovery mode it get detected by windows and in turn by adb also. If I tried to install updates through SD card it shows it had installed and reboots after completion. But again the same way it goes to boot logo and then back to stock JB recovery. It also boots in ingenic boot device mode and gets detected by USB burn tools. But when try to flash any of the ROM it gives the same dialogues "check cfg failed" "api download failed" "boot. fw failed" and cant flash anything.
Is there any tool which can be flashed or a script which can be used from SD card for completely formatting flash memory so that USB burn tool can flash required ROM?

can you flash the stock rom in recovery?

Managed using USB BOOT TOOL for ingenic JZ 4770 board in English
JustSayTech said:
can you flash the stock rom in recovery?
Click to expand...
Click to collapse
thanks man but I managed to boot the device. I used following USB BOOT TOOL for ingenic 4770 boards. The goodness with this tool, this is completely in English. You will know what you are doing. Even after opening the main window of the tool you can right click and then get another options(yes again in English). My problem with this device was bad blocks at 1024. In the options there is chance to force erase whole the nand partitions which I used and erased all the partitions thereby made all the partions available for flashing and readable by the tool. Then from File option selected stock rom files and flashed them. While flashing selected JZ4770 iNanad.ini file in manual configuration. This tool has really helped me to come out of the issue and will be useful for guys using JZ 4770 board.
http://www.4shared.com/rar/m1BUV5r2/USBBurnTool_20120401_for_relea.html

Got USBBootTool.exe kind of working.
1. Download the following file from Ingenic.
ftp * ingenic * cn/3sw/01linux/tmp/jz4770-20110610.rar
2. Download Applocale from Microsoft.
www * microsoft * com/en-us/download/details.aspx?id=13209
3. Extract the jz4770-20110610.rar and find the folder. (Using 7zip should keep the UTF encoding in Chinese)
20110610\04burn\20110524_4770_Programmer
4. Copy the folder 20110524_4770_Programmer to location you want to use it in.
5. Install Microsoft Applocale (Just in case, I don't think it is required)
Now Start Applocale and create a shortcut to USBbootTool.exe inside 20110524_4770_Programmer
中文(简体) is simplified Chinese option and should let you view the GUI correctly.
6. Now with the Applocale Shortcut created for USBbootTool.exe you can start the application with correct fonts.
Now this is where is breaks down.
TABLET-8 NAND FINAL BSP(S3 TEST) will allow you to read from it and write to it, but the CFG is off.
\tool_cfg\tablet-8-nand-final.ini is the configuration for it.
DO NOT CONNECT THE DEVICE WITH ANY OPTIONS CHECKED OR LOAD ANY FILES.
See Attached Images.
Next to the Read button is some Boot Option menu. I am not fulling aware of what this does.
What I need is a someone to help me fix/correct the ini/cfg files in
\20110524_4770_Programmer\tool_cfg\.ini
\20110524_4770_Programmer\4760\
to correctly match the files of the NAND.
Also if anyone has a copy (dd to img) or (cat to img) of the block devices.
That would help a ton.
# cat /proc/partitions
# cat /proc/mtd
I would also love another T10x Tablet for cheap.
I want to start building things like new bootloader, kernel, system image,
performance libraries to take full use of the Ingenic JZ4760 (www * ingenic * cn/product.aspx?CID=11)
I also bring Christmas gifts
2 APKS. You can place them in /system/app or /data/app.
Google Play will crash now and again, but it will load and work. (Vending.apk)
Secondly I bring the gift of performance increase, just by a slight bit.
edit the line of the heapsize in /system/build.prop dalvik.vm.heapsize=96m
Remember to make sure the permissions are set back to 666 or 644.
Original Vending.Apk before updates came from here: (Incase you are paranoid)
code * google * com/p/ics-nexus-s-4g/source/browse/trunk/system/app/Vending.apk?spec=svn20&r=18
ics-nexus-s-4g * googlecode * com/svn-history/r18/trunk/system/app/Vending.apk
To prevent spam on the XDA forums, ALL new users prevented from posting outside links in their messages. After approximately 10 posts, you will be able to post outside links. Thank you for
Click to expand...
Click to collapse
Stupid. how do you expect real people to help post Tech Docs? That is bad Moderating and Administrating.
Make sure to replace the Asterisk's with spaces to normal dots.

Requesting Block Images.
Does anyone have a copy of it they can send me for a T10x?

block images......
IceGryphon said:
Does anyone have a copy of it they can send me for a T10x?
Click to expand...
Click to collapse
Which block images do you want?
...also is there a way to rip the stock images off the jz4760 in the t301.
Such as:
Can i usethe ingenic uboot tool?
Anybody find the jtag pins?
Is the 4 pin conn next 2 the batt for serial?
.......i guess ill try to take a look this weekend
Ics would be really nice, but probably slower than stock..... especially with the limited ram
I unpacked the stock rom. I also unpacked an ics rom for a jz4770, and repo sync'd the aosp and mips 3.0.8 android kernel.
I'm still trying to figure out specs for the processor though. I know that its mips32 - el- fp- r1, but i cannot figur out the dsp version ... if it has one?

Error in erasing nand
nanachitang420 said:
thanks man but I managed to boot the device. I used following USB BOOT TOOL for ingenic 4770 boards. The goodness with this tool, this is completely in English. You will know what you are doing. Even after opening the main window of the tool you can right click and then get another options(yes again in English). My problem with this device was bad blocks at 1024. In the options there is chance to force erase whole the nand partitions which I used and erased all the partitions thereby made all the partions available for flashing and readable by the tool. Then from File option selected stock rom files and flashed them. While flashing selected JZ4770 iNanad.ini file in manual configuration. This tool has really helped me to come out of the issue and will be useful for guys using JZ 4770 board.
http://www.4shared.com/rar/m1BUV5r2/USBBurnTool_20120401_for_relea.html
Click to expand...
Click to collapse
I used english ingenic tool to erase bad blocks but m nt able erase bad blocks live suit is giving eror id=0x4848

[Q] Trying to root SM-G920F using Linux

Hi! I'm exasperated so I turn to the experts: you! I hope this is right (or should I have continued this megathread?)
TLDR: Want to root international S6 running branded 5.1.1; but using Linux and having trouble getting things to work. Have tried lots already; details below.
1. bootloader status = I think it's unlocked but not sure how to determine this.
2. Rom name with complete baseband/date/version = "Austrian 3/Hutchinson" branded, PDA Version G920FXXU3COI9, CSC Version G920FDRE3COJ1, PHONE Version G920FXXU3QOJ1.
3. Kernel name = uh, stock Samsung 5.1.1?
4. Mods = none
5. Custom Rom = none
6. Guides =
7. Root status = unrooted.
8. Your exact problem = Want to root, having trouble doing so.
9. Any method you tried that failed = see details below.
10.Any other detail you think would be necessary = my phone's ODIN screen lists this information:
PRODUCT NAME: SM-G920F
CURRENT BINARY: Samsung Official
SYSTEM STATUS: Official
REACTIVATION LOCK: OFF
Secure Download: Enabled
KNOX WARRANTY VOID: 0 (0x0000)
RP SWREV: B:3 K:2 S:2
I've tried rooting my S6 using Linux, using a virtual WInXP hosted on Linux, and using an old real WinXP computer. None of the methods worked, but let me describe what I've tried on each -- I'd be happy if I can get either one of the methods across the finish line!
1) Virtual WinXP computer on Linux host
created a brand-new virtual WinXP installation to make sure nothing would interfere.
Installed Samsung drivers.
Installed Odin 3.06 - this is the newest version I could find that didn't show the error "The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll."
In the settings for the virtual machine, set up rules to ensure all Samsung USB devices (USB vendor ID 04e8, any product ID) would be routed directly to the virtual machine.
Rebooted for good measure.
Connected phone in rear USB port, directly on motherboard (no hubs).
Neither Windows nor Odin sees the phone - neither in its normal operating mode nor in its "Odin" download mode.
Give up.
2) Physical Ubuntu computer, using JOdin
Installed Heimdall (latest version = 1.4.0-0).
Downloaded JOdin (latest version = v1035).
Installed Oracle Java 8 (8u67).
Rebooted for good measure.
Connected phone in rear USB port, directly on motherboard (no hubs).
JOdin says: "We could not obtain the pit file. We tried, but it didn't work." It seems that this is not really JOdin's fault but rather Heimdall (which JOdin relies on) because running just Heimdall from the CLI gives the same problem, as seen from this log (verbose version).
I dare not download a "random" PIT file from the Internet; this would satisfy JOdin but the risk of choosing the wrong one is too high. Other sites also mention ways to use the adb shell but ironically these require root - so I can't use them.
3) Physical WinXP computer
I did all of the above Linux trickery because I don't own a computer with Windows. By sheer chance, a friend came by with an old WinXP machine that I could commandeer for this purpose.
Installed Samsung drivers.
Installed Odin 3.06 - this is the newest version I could find that didn't show the error "The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll."
Rebooted for good measure.
Connected phone in rear USB port, directly on motherboard (no hubs).
Odin sees my phone in download mode (first success!) and I can do the steps to start the root.
Odin works it way through the file and goes to "NAND write start" and then "Complete(Write) operation failed". I've tried this using the CF-Auto-Root and also separately using the unibase kernel for 5.1.1, with identical results.
I feel that I'm so close and yet success is not yet in reach. What more can I do? Thank you for your help and kind assistance!

torbengb said:
Hi! I'm exasperated so I turn to the experts: you! I hope this is right (or should I have continued this megathread?)
TLDR: Want to root international S6 running branded 5.1.1; but using Linux and having trouble getting things to work. Have tried lots already; details below.
1. bootloader status = I think it's unlocked but not sure how to determine this.
2. Rom name with complete baseband/date/version = "Austrian 3/Hutchinson" branded, PDA Version G920FXXU3COI9, CSC Version G920FDRE3COJ1, PHONE Version G920FXXU3QOJ1.
3. Kernel name = uh, stock Samsung 5.1.1?
4. Mods = none
5. Custom Rom = none
6. Guides =
7. Root status = unrooted.
8. Your exact problem = Want to root, having trouble doing so.
9. Any method you tried that failed = see details below.
10.Any other detail you think would be necessary = my phone's ODIN screen lists this information:
PRODUCT NAME: SM-G920F
CURRENT BINARY: Samsung Official
SYSTEM STATUS: Official
REACTIVATION LOCK: OFF
Secure Download: Enabled
KNOX WARRANTY VOID: 0 (0x0000)
RP SWREV: B:3 K:2 S:2
I've tried rooting my S6 using Linux, using a virtual WInXP hosted on Linux, and using an old real WinXP computer. None of the methods worked, but let me describe what I've tried on each -- I'd be happy if I can get either one of the methods across the finish line!
1) Virtual WinXP computer on Linux host
created a brand-new virtual WinXP installation to make sure nothing would interfere.
Installed Samsung drivers.
Installed Odin 3.06 - this is the newest version I could find that didn't show the error "The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll."
In the settings for the virtual machine, set up rules to ensure all Samsung USB devices (USB vendor ID 04e8, any product ID) would be routed directly to the virtual machine.
Rebooted for good measure.
Connected phone in rear USB port, directly on motherboard (no hubs).
Neither Windows nor Odin sees the phone - neither in its normal operating mode nor in its "Odin" download mode.
Give up.
2) Physical Ubuntu computer, using JOdin
Installed Heimdall (latest version = 1.4.0-0).
Downloaded JOdin (latest version = v1035).
Installed Oracle Java 8 (8u67).
Rebooted for good measure.
Connected phone in rear USB port, directly on motherboard (no hubs).
JOdin says: "We could not obtain the pit file. We tried, but it didn't work." It seems that this is not really JOdin's fault but rather Heimdall (which JOdin relies on) because running just Heimdall from the CLI gives the same problem, as seen from this log (verbose version).
I dare not download a "random" PIT file from the Internet; this would satisfy JOdin but the risk of choosing the wrong one is too high. Other sites also mention ways to use the adb shell but ironically these require root - so I can't use them.
3) Physical WinXP computer
I did all of the above Linux trickery because I don't own a computer with Windows. By sheer chance, a friend came by with an old WinXP machine that I could commandeer for this purpose.
Installed Samsung drivers.
Installed Odin 3.06 - this is the newest version I could find that didn't show the error "The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll."
Rebooted for good measure.
Connected phone in rear USB port, directly on motherboard (no hubs).
Odin sees my phone in download mode (first success!) and I can do the steps to start the root.
Odin works it way through the file and goes to "NAND write start" and then "Complete(Write) operation failed". I've tried this using the CF-Auto-Root and also separately using the unibase kernel for 5.1.1, with identical results.
I feel that I'm so close and yet success is not yet in reach. What more can I do? Thank you for your help and kind assistance!
Click to expand...
Click to collapse
I think may need to find a way to run the newest odin thats the only thing i can see thats rong in your attempts idk im not a big linux guy. U might need to get ahold of a win8 pc

WinXP SP2 = solved!
I solved the problem on Windows and finally got that big friendly PASS! :laugh:
As it turns out, there were two things blocking my success:
Odin version not compatible
Windows XP needed Service Pack 2
Initially I tried using the newest version of Odin, of course. But version 3.10.7 does not work, says "is not a valid Win32 application" so I went back to earlier versions until I found one that could run. The second-newest Odin version 3.10.6 does not work, says "The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll." Finally, version 3.06 could run, but as I now know, that version is so old that it does not support the Samsung S6! Of course it doesn't say so, and that's why I was stumbling in the dark for a good while.
So I need a newer version, but what can I do to make the newest one work? I finally discover that v3.10.7 (despite being only a minor release) has this in its unofficial release notes: "Removed support for Windows XP or earlier"! Okay that was hard to find!
So I need the previous version, v3.10.6. However, that one complains about kernel32.dll. Where can I find a newer version of that DLL? It dawns on me that my brand-new WinXP installation doesn't have any of the service packs yet, so I install WinXP SP2 and, lo and behold, version 3.10.6 can finally run!
But all of this was on my virtual machine, and it still couldn't detect when I plugged in the phone on the host computer. So I took a look at the WinXP machine that luckily was passing through my home just now. It's in German, and only runs WinXP SP1. I managed to find and install SP2 in German, and finally I had Odin v3.10.6 running on that machine - and it actually detected my phone!!
From here on, it was trivial to complete the rooting process. Once the software gets to run as intended, it's a beautifully simple thing. My phone is now rooted, and I can finally have Llama put it into airplane mode when I go to sleep. SUCCESS!
(But I still don't know why it doesn't work on Linux.)

[Root] H901 - For Newbies!

None of the methods in this thread are my own work. I struggled with getting my phone rooted for a long time and spend 10s of hours on the process. I had never rooted before and was therefore unfamiliar with all the terms, unfamiliar with how to complete all the recommended checks to ensure one had the right model, etc. There were several helpful threads but most approach the subject with the assumption that one knows something about the process. In this post I lay out what worked for me in a step-by-step way and what you have to do to achieve my results.
#1 Ensure you have a H-901 motherboard and not the Korean F600 motherboard by checking the sticker, and checking “About Phone” -> “Hardware Info” -> “Model number” in settings. These must both be LG-H901…from what I can tell the community has only developed technique for the H-901 variant.
#2 Get a micro SD card and load it with Magisk https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445 , and if you have Marshmallow or Lollipop and want Nougat (much better experience IMHO), load the files in this thread: https://forum.xda-developers.com/tmobile-lg-v10/development/h901-t-mobile-nougat-v30b-twrp-t3639203 And maybe this thread as well (read both and then decide): https://forum.xda-developers.com/tm.../h901-t-mobile-nougat-v30c-flashable-t3744648
#3 Ensure you have unlocked your bootloader. (apparently only for T-mobile LG v10s since other carriers lock the bootloader) The FWUL virtual machine root method will not work if you have not done so. This is an entire process in itself. The following 2 videos which show how to root android 6.0 or earlier (process will not work with Nougat, 7.0, since some fastboot commands are missing). https://youtu.be/OtXlokk6JkQ , https://youtu.be/PPLwFGxLQA4
Also, this thread may be helpful. https://forum.xda-developers.com/tm...t-mobile-bootloader-factory-unlocked-t3236224 , download the nexus root toolkit here for easy ADB command entry http://www.wugfresh.com/nrt/ —we will only use the “Advanced Utilities” -> ”Manual Input” -> ”Launch CMD Prompt”. When it prompts you to select a phone, select the first option and then for android version select Android *** Any. Don’t use any of the other commands because they are not configured for your device.
If you get a “waiting for device” error while attempting the fastboot oem unlock command in the above thread, see: https://forum.xda-developers.com/tmobile-g4/help/fastboot-waiting-device-t3489789 Great video which shows how to change drivers. You will need to do this, I found a number of drivers that were already on my PC from google and Samsung worked although I didn’t have the specific one mentioned in the above thread. Don’t be afraid to experiment… you can always try another driver. And don’t require it to be hardware compatible. Ignore the warning message: https://youtu.be/nQjg6ePnGAc
---------------------------------------------
NOW that you have your bootloader unlocked you can proceed to actually flash the TWRP image as per this thread: https://forum.xda-developers.com/tmobile-lg-v10/general/root-h901-nougat-t3773942
Notes before beginning:
-To enter download mode to begin: Plug a USB cable into your phone with your phone powered off, hold down on the Vol Up button and plug the USB cord into your computer. It should immediately boot into download mode. Exiting Download mode after flash: pull battery…no damage will be done.
-To enter recovery after flashing TWRP: power off the phone then hold both the down volume and power at the same time. When you see the black LG screen briefly release the power button and then press it again while not letting the volume down up. You will see a screen asking if you want to delete all user settings. Say YES (via the volume and power keys—no touch input). You will see a screen asking if you want to delete all user data. Say YES (the data is only deleted if TWRP loads successfully) You will briefly see the black LG bootup screen. TWRP or factory recovery will load. Or if you did not unlock your bootloader, it will say recovery is corrupted and cannot be trusted, and then boot normally without changing your settings or deleting files.
-Additional note: as of 7-23-18 some commands had changed:
From V20 forum, Brian (runningnak3d) has moved to gitlab.com. So instead of github.com, we have to use a new git repository that Brian created in gitlab.com.
cd
mv lglaf lglaf_BAK
git clone https://gitlab.com/runningnak3d/lglaf
cd lglaf
git pull
git checkout v10-miscwrte
There are additional comments in the thread. Some timeout errors may be solved by: 1 - Download the VirtualBox extension pack: https://download.virtualbox.org/vir..._VirtualBox_Extension_Pack-5.2.8.vbox-extpack
2 - Go to File / Preferences / Extensions / click the + and browse to where you downloaded it.
3 - Once installed, with the VM off, right click on the VM, and go to settings. Click on USB, and pick USB 3.0. If your machine doesn't have a USB 3 port, pick 2.0.
But frankly, simply up arrow after a timeout error to load the last command on the command line and hit enter again. Simply keep doing this until it works. You know it works because no dialog appears for several minutes before informing one of success.
**Upgrade to Nougat after Flashing TWRP and booting to Recovery steps: (I did a full wipe as suggested by this thread: https://forum.xda-developers.com/v20/development/h918-recowvery-unlock-v20-root-shell-t3490594 before flashing the v30b upgrade then full Nougat zip, and then flashing Magisk. I flashed the 3 zips sequentially. I was afraid Nougat would not boot successfully because the zip files are less than 2 gb combined but success! You may want to also flash the 30c upgrade before flashing Magisk for a total of 4 zip flashes. I did not try this. However doing all this means no backups are done so if there is a problem you may have to flash a KDZ with the LG UP tool (don’t ask me how).
As a final note, I cannot answer specific questions about the various processes provided or errors you may encounter that I have not listed in this write up since I have not experienced them. A bit of research on your part may be required, but this post should provide you with a huge head start compared to where I started. Good luck!

Methods to get unlimited mobile hotspot, very useful if you're on the $50 MetroPCs (owned by T-mobile) unlimited plan. All you $70 T-mobile plan suckazzz! https://forum.xda-developers.com/tm...ited-tetherting-hotspot-t3825144#post77249285
I would actually recommend using a USB tether client and forgoing root access if tethering is your only objective and you are trying to be efficient with your time. However, with root you can install all these cool apps!: https://www.digitaltrends.com/mobile/best-android-root-apps/
The following caught my eye:
-Rec: screen record
-liveboot: boot animation (does not work with Magisk)
-Servicely: checks to see which apps are using a lot of battery and lets you suppress them
-Adblock Plus
-Titanium backup: very powerful phone backup application & bloatware remover look into for quickly switching over to a different lg v10
-Greenify: put apps into hibernation
-System tuner: get lots of info about you phone but be careful making changes
-ES file explorer: dig into the android system
-Disk digger: recovers deleted files (photos only?)

[ROM][TWRP][ROOT] Vizio Smartcast Tablets

TWRP
XR6M10
Here
XR6P10
Here
Stock firmware
XR6M10 Version 03.99.01.04 - Marshmallow - Latest
Here
XR6P10 Version 03.02.00.04 - Marshmallow- Latest
Here
How to flash twrp and or stock firmware
Download and install the Qualcomm drivers from here
Download the firmware from above
Extract the firmware to a folder that you can easily access them from like your desktop
Download and install QPST from here
Open the QFIL application (Find it in your start menu)
In the "Select Build Type" field select Flat Build
In the "Select Programmer" field navigate to the folder you extracted the firmware and support files to and select the prog_emmc_firehose_8936.mbn file
Select the "Load XML" button and navigate to the folder you extracted the firmware and support files to and select the rawprogram0.xml and then the patch0.xml when prompted.
Plug in your tablet
Run the following adb command "adb reboot edl"
If the text at the top of the QFIL application says "No Port Available" click the "Select Port..." option and pick your device. If your device isn't showing up there you didn't install the drivers properly.
Click the Download Button to begin flashing your device
Root
Once you flash twrp you can install magisk via the flashable zip
Some info on what i have found about the device
There is really no security on this tablet. The bootloader will always report as bootloader locked, green dm-verity and secure boot being enabled this is because the LK doesn't seem to have ever been completed on it. Because of this everything it reports is static and the fastboot implementation is broken and doesn't work. This means we will need to EDL to flash the device which I provided instructions above on how to do.
Notes
Some XR6P10 may require more work because there is multiple variants of it made by vizio but what i have uploaded works on mine.

Screenshots:
Root:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Magisk:
TWRP:

Is it just me not able to boot into EDL through ADB? I have a EDL cable arriving later this month I could use but I figure the device should have it. reboot edl through adb just reboots the device normally which is unfortunate.
XR6P10

Hey. And where to get the driver. And then I have two devices without an Android driver and an ADB Interface hanging in my device manager?

I cannot get anything to work on my XR6P10 either. Every time I try to "download" with the QFIL application it just fails.

@deadman96385
In regards to EDL mode am I missing something obvious. I tried EDL cable that has shorted pins which seems to not work "maybe a bad cable?" and ADB reboot edl seems to not work. I've tried ADB on two different tablets to boot into EDL mode but have yet to see the device pop up in device manager.
*I believe after Dec 2017 security patch ADB reboot EDL was removed, ill check the version on the devices since it should be fairly close to this year.

I'm having the exact same issue. adb reboot edl simply reboots the tablet. It does not enter it into EDL mode. I'm assuming you don't need an EDL cable to do this since we're doing this through the ADB interface. Or did I get that part wrong?
edit: I was able to enter EDL mode on the device itself using the following directions I found from another thread
Here is something to try ...
Enter edl via button combo (volup + voldn + pwr)
You should have a black screen ...
Now plug your phone into the cable on your PC/laptop ..
If your PC / laptop doesn't recognise your phone via Miflash or app you are using ...
Try tapping the power button once ...this seems to open/close the port ...
I noticed this when I was using edl mode to flash a ROM
I hope this helps
edit 2 I'm coming across two errors when downloading the ROM. The first is a Sahara Error which is due from not running QFIL immediately after entering EDL mode. Apparently the full connection does not remain open for that long. The second issue that I'm still dealing with is a Firehose error. I've googled this one and nothing seems to work to get around this.

Any update on this? Can't seem to get my XR6M10 rooted following these directions. Running into the same Firehose error as stefanpolo. Thanks!

stefanopolo said:
I'm having the exact same issue. adb reboot edl simply reboots the tablet. It does not enter it into EDL mode. I'm assuming you don't need an EDL cable to do this since we're doing this through the ADB interface. Or did I get that part wrong?
edit: I was able to enter EDL mode on the device itself using the following directions I found from another thread
Here is something to try ...
Enter edl via button combo (volup + voldn + pwr)
You should have a black screen ...
Now plug your phone into the cable on your PC/laptop ..
If your PC / laptop doesn't recognise your phone via Miflash or app you are using ...
Try tapping the power button once ...this seems to open/close the port ...
I noticed this when I was using edl mode to flash a ROM
I hope this helps
edit 2 I'm coming across two errors when downloading the ROM. The first is a Sahara Error which is due from not running QFIL immediately after entering EDL mode. Apparently the full connection does not remain open for that long. The second issue that I'm still dealing with is a Firehose error. I've googled this one and nothing seems to work to get around this.
Click to expand...
Click to collapse
Its flashed through EDL not ADB and thanks for the tips ill give it a shot. To my knowldege that button combo is just for hard resets on most devices. As of 2017 I believe the security patch removed adb reboot edl as preventive measures to some exploits. I believe that was the last security patch for the device and its dated Jan 1st 2017 for my security patch date. Although I believe it was late 2017 when this was released. Ill give some feed back if I can flash the patched boot file later.
The cable is also just for shorting pins on the USB port which is also a way to trigger EDL most on some devices. I have the cable and it does not work either.
---------- Post added at 03:40 AM ---------- Previous post was at 03:27 AM ----------
Post your log output from QFIL you can hit save log if you right click the Status area.
---------- Post added at 03:45 AM ---------- Previous post was at 03:40 AM ----------
Ah nvm I see what you mean that it just times out on you. I tried flashing TWRP and it just hangs at start download after specifying the working folder

removed

removed

So after restoring to 5.1.1 and fiddling around with QFIL and constructing things from scratch myself the solution is as follows and most likely applies to any variant of these devices. 6.0.1 Is on the device and with TWRP/Root. Next up is a lineage port to the device as 6.0.1 sucks not having OK google working while the device screen is off whereas 5.1.1 did. 6.0.1 and up is the bare minimum for certain apps to install and other various functionality.
1. Hold the volume buttons and PWR buttons until the device vibrates. The screen will be powered on but black instead of off which is in EDL mode. adb reboot edl does not work. I'm not exactly sure how the OP managed to use that unless he had an older build with the functionality or perhaps ADB removed the ability to pass the argument in newer builds past X date and I currently use the latest. Either way this is the only method to get EDL mode without opening the device to my knowledge as EDL cables even did not work for myself.
2. You need to flash within roughly 10 seconds of entering EDL mode. The window is small and you will see a 3 second timer in QFIL if you got it right. If not just reset the device again with step 1. You can have the device plugged in prior to entering EDL mode and QFIL pointing to the proper directory in advance to make things easy.
3. You need to modify the rawprogrammer0.xml that is provided as its making references to files that do not exist. File types that do not exist such as sparse images of which system.img is not a sparse file. I made the mistake here initially by commenting out lines instead of just removing the referenced file which soft bricked the device. I've uploaded the modified file which should work fine for any device and also retain user files. The original worked for the OP due to its his cached files/content/userdata but it will soft brick the device until the cache/data is cleared. I had to do this with TWRP in order to get the device to boot.
Using the provided xml file should be fine for anyone. Try to take a backup of the device in the rare event you play around with things and overwrite your MAC address with another. Its not a huge deal if you do but there is a super slim chance that it would cause problems if another device was on the same network with the same MAC. In short ensure you do not overwrite the persist partition if you do experiment with the firmware.
If anyone else has issues feel free to post here and I can address any questions despite there is probably not much interest in these devices as they were discontinued and I do not even think the new 2020 models are bringing back tablets from vizio. These things make great PDF/screen readers along with being a house hold tablet to control various devices.

I'd be really interested in that Lineage port if it wouldn't take a lot of work. I think these little tablets are a great buy for the price and they look great on the dock. I've already picked up 2 of them.
EDIT: And officially soft bricked one of them... Stuck in a boot loop after attempting to flash TWRP. It fails because it can not find NON-HLOS.bin when flashing TWRP. Obviously the file is not in the directory but I don't understand why it won't skip the file.
EDIT 2: I managed to get it out of the boot loop with a factory reset, but I still can't get the original firmware or TWRP installed on my XR6P10. It always fails because there isn't a file in the folder to flash.

So any Lineage port yet, did anyone verify the original firmware was built from CyanogenMod if so there is a good chance of lineage working. Does this OEM (not Vizio) have other tabs that have been rooted and ported? My P tabs work great as Logitech harmony hub controllers with the harmony app and as small tablets. We will need to get this working soon as developers and the play store end support for Android 6.xx.

Solace50 said:
So after restoring to 5.1.1 and fiddling around with QFIL and constructing things from scratch myself the solution is as follows and most likely applies to any variant of these devices. 6.0.1 Is on the device and with TWRP/Root. Next up is a lineage port to the device as 6.0.1 sucks not having OK google working while the device screen is off whereas 5.1.1 did. 6.0.1 and up is the bare minimum for certain apps to install and other various functionality.
1. Hold the volume buttons and PWR buttons until the device vibrates. The screen will be powered on but black instead of off which is in EDL mode. adb reboot edl does not work. I'm not exactly sure how the OP managed to use that unless he had an older build with the functionality or perhaps ADB removed the ability to pass the argument in newer builds past X date and I currently use the latest. Either way this is the only method to get EDL mode without opening the device to my knowledge as EDL cables even did not work for myself.
2. You need to flash within roughly 10 seconds of entering EDL mode. The window is small and you will see a 3 second timer in QFIL if you got it right. If not just reset the device again with step 1. You can have the device plugged in prior to entering EDL mode and QFIL pointing to the proper directory in advance to make things easy.
3. You need to modify the rawprogrammer0.xml that is provided as its making references to files that do not exist. File types that do not exist such as sparse images of which system.img is not a sparse file. I made the mistake here initially by commenting out lines instead of just removing the referenced file which soft bricked the device. I've uploaded the modified file which should work fine for any device and also retain user files. The original worked for the OP due to its his cached files/content/userdata but it will soft brick the device until the cache/data is cleared. I had to do this with TWRP in order to get the device to boot.
Using the provided xml file should be fine for anyone. Try to take a backup of the device in the rare event you play around with things and overwrite your MAC address with another. Its not a huge deal if you do but there is a super slim chance that it would cause problems if another device was on the same network with the same MAC. In short ensure you do not overwrite the persist partition if you do experiment with the firmware.
If anyone else has issues feel free to post here and I can address any questions despite there is probably not much interest in these devices as they were discontinued and I do not even think the new 2020 models are bringing back tablets from vizio. These things make great PDF/screen readers along with being a house hold tablet to control various devices.
Click to expand...
Click to collapse
Thanks for the write up. Just purchased one for a home automation setup. I am running into so odd issues. I have tried multiple versions of QFIL and finally got a better error with 2.0.0.2. I am having a few errors, downloaded another copy of the firmware and unblocked the files. also grabbed the xml file you uploaded but same issues. Any help would be great as some apps require marshmallow and edl flashing is new to me. Would a full factory reset help from the recovery menu?
FireHose Log: Host's payload to target size is too large
Fail to open image file: C:\test\sec.dat
Error reading the C:\test\rawprogram0.xml
Download Fail:FireHose Fail FireHose Fail:Failed to Upload the emmc images to the phone using Firehose.

Is hope for further updates on this project done?

I found the xml was not right, in addition the max send size needs to be backed down to 4096 in firehose config. I am uploading the files I had working successfully to get TWRP lit up. Hmm doesnt let me post cause I am too new. guess I will code paste the xml I used.
I dont know how far I am going to dive into a device like this, but its nice to be able to do *something* with it now.
this is my contents of rawprogram0.xml
Code:
<?xml version="1.0" ?>
<data>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery.img" label="recovery" num_partition_sectors="65536" physical_partition_number="0" size_in_KB="32768.0" sparse="false" start_byte_hex="0xe38c000" start_sector="466016"/>
</data>

Has anyone managed to get any further with this, i've been using mine as a trusty Sonos controller but been Android 6 it is no longer unsupported.
If not, does anyone know of any other similar device, eg thin, light, no camera, wireless charging with stand?

Yeah. Unfortunately I'm not moving to S2 yet as these are my primary hardware sonos controllers. It's really sad that such a perfect little tablet for this duty is being left by the wayside because there isn't enough of a following for them.

Yeah, wish i'd not upgraded to S2, you're not missing much!

Unbrick Honor 9 STF-L09 (NOT FREE, HCU and DC-Phoenix required)

Introduction
THIS METHOD IS NOT FREE. I HAVE NO IDEA HOW TO DO THIS FOR FREE, EXCEPT MAYBE WITH THIS : https://forum.dc-unlocker.com/forum/modems-and-phones/huawei/162196-free-hcu-license-offer
Oh my god. I just come out of 3 days of trying to get this to work, non-stop. I feel the need to write this guide so people in the exact same configuration as me won't have to go through what I did.
Yes there are many tutorials about unbricking your Honor 9, but few are very detailed, and I couldn't make them to work for my european STF-L09. Plus, very few of them have a solution for updating to the very latest version (9.1.0 as the time of writing). So here we go.
The device I did this with, and the situation I was in.
There are so many variants of the Honor 9, and I've tried tutorials that weren't the same model as me, they just wouldn't work.
Honor 9 STF-L09, Europe version, Kirin960.
Previous installed ROM before brick was Oreo (the Pie update I tried to make bricked the phone), but I think you can do that on any previous version.
After the brick, I had a completely dead Honor 9 : no reaction at all, whether I plugged it in or tried any buttons combination.
What you need
- The correct Drivers
- A HCU Client Timed License, which is 19 EUR for 72h, and is going to give you access to the main software we need, DC-Phoenix.
- The correct .dgtks Repair File
- The correct ROM file to flash
- HiSuite
- Tools to open the back of your phone
- A metal object to connect the testpoints (anything will do : tweezers, copper cable, paperclip, sim-tool...)
- Read these two tutorials from www.dc-unlocker.com :
https://www.dc-unlocker.com/dc-phoenix-flash-repair-tutorial
https://www.dc-unlocker.com/flash-bricked-huawei-phones-in-huawei-1-mode
Step 1 - Connect the testpoints
Then open the back of your phone to reveal the testpoints that you can see on the image below (thanks to the user 4r44444 for the picture).
Then, open the Device Manager on Windows, and reveal the COM and LPT Ports (so you can see if you failed at connecting the testpoints or not).
You don't need to connect the two testpoints shown in the picture : you only need to connect the bottom one with anything else that's metal inside the phone.
It will take you some trial and error but eventually, your Device Manager should refresh and show you an unknown device called "SER".
Step 2 - Install the drivers
First, install the latest version of HiSuite to get the basic drivers. Make sure to close it completely (taskbar) and disable the fact that it opens itself when you plug your phone, or it might screw things up.
Then, install the two drivers that are on both dc-unlocker.com tutorials I've linked above.
https://files.dc-unlocker.com/share.html?v=share/984CE114852148B5B9A9CDD918BEC235
https://files.dc-unlocker.com/share.html?v=share/18B15B9D02C945A79B1967234CECB423
The first one "Huawei_Android_phone_drivers.rar" was not useful for me, but the second one, "Huawei drivers testpoint.rar", is to make your COM port recognizable instead of this unknown "SER" in device manager.
In Device Manager, right click on "SER", "Update driver", and locate the extracted folder on your computer.
This is all you need I think, but I installed so many random drivers (which I would not recommend) that I'm not even sure anymore.
Step 3 - Repair the phone with DC-Phoenix
Following "Method 3" from this link, but with some differences : https://www.dc-unlocker.com/dc-phoenix-flash-repair-tutorial
As I said, this method is not free. You can buy credits to make DC-Phoenix work for 72 hours (you need 15 of them for that I think), but since we need HCU, you're better off buying a timed license which gives access to DC-Phoenix.
Open DC-Phoenix, and click on the "Download files" button on top. There, search for the file "STF-Full-Repair-NV-included-Board-A051-7.0.0_r1.dgtks" and download it, it's the Repair File.
https://get-file.org/search#q|STF-Full-Repair-NV-included-Board-A051-7.0.0_r1|1
With your phone connected via testpoints (it has to appear in the Device Manager in the COM Ports, and I recommend changing the COM Port to 1 (right click, Port settings, advanced,...)), go to the "Update OEMINFO" tab, and check "Use BOOTLOADER". There, choose "Kirin960_T2_A7.0_V4" (maybe it's a different one for you, but for me only this one worked).
Then check "Update OEMINFO and unlock Huawei ID", and choose "STF-L09". Click Update, and this should run without errors. If it doesn't recognize your device, that means that it's not turned off and connected via testpoints.
Once that is done, your device may show a sign of life by booting into fastboot mode (or sometimes not). Anyway, you can go directly to the "Update Firmware" tab, and in the "Update file" field, choose the file "STF-Full-Repair-NV-included-Board-A051-7.0.0_r1", check "Rescue Revovery" and "Old slow algo", and click "Update".
After completion, your phone should be able to boot (after a very long press) into a chinese test ROM.
Step 4 - Repair the phone infos with DCU
Follow this tutorial : http://hcu-client.com/huawei-phone-repair-as-empty-board/
Don't forget to change your phone to Manufactured mode (as explained) so you can read your phone info.
In the Step 4, they let you choose between Repair UMTS or CDMA tab, I chose CDMA because I think the phone has a MEID.
Then, when they tell you that you just have to click on "Repair as empty board" to make everything fill in automatically, for me this was complete bs : only my IMEIs were added.
So what you have to do is fill your original SN, WiFi and BT MAC adresses, and so on. But since your phone is bricked and you probably dumped the box that states the SN, you're outta luck like me. It seems like it's illegal to change a MAC or SN number, so I can't recommend it, but I personally just chose random numbers (that have the same number of digits).
For model I entered "STF-L09", for vendor "hw", and for country "eu". Don't check "Erase restricted ver.", since it's only for Qualcomm CPUs. Click on Repair.
Once this is done, your phone should be resetting, and able to boot in the same ROM as before, except in english.
Step 5 - Upgrade to the latest Android 9.1.0
Normally you'd have to do this step with DC-Phoenix : just flash one of their Full Stock Roms they have on their file database (click Download Files on DC-Phoenix, and search for "STF-L09").
You can try that (don't forget that you have to be in fastboot mode (Vol down + plug USB) to install), but it really didn't work for me, and even if it did, I don't know how you'd update after it, because your phone probably won't receive OTAs.
So the solution I found was this one : https://www.reddit.com/r/Huawei/comments/az4bl7/finally_managed_to_update_my_mate10_pro_to_pie/
First, uninstall your latest version of HiSuite to be able to follow this tutorial and install the old version.
Then, the file I chose in Firmware Finder was this one :
STF-L09 9.0.1.175(C432E2R1P5)
STF-L09C432E2R1P5B175 (9.0.1.175)
STF-L09C432E2R1P5T8B175 (9.0.1.175)
I chose the "full" version, which gave me this link :
http://update.dbankcdn.com/TDS/data/files/p3/s15/G3757/g1699/v260353/f1/full/update.zip
After following this tutorial, your phone should boot normally. You can then installs OTAs to update to 9.1.0. I'd recommend resetting the phone after this last step, to have a clean install.
If it doesn't work for you, you can also try this method : https://www.getdroidtips.com/full-guide-install-stock-firmware-huawei-smartphone/
I'll try to answer as many questions as fast as possible (since the Timed License is quite stressful), so feel free to ask !

Does the HCU Client unblock the network after doing the full repair?

Hello , Is this solution still works for honor 9 ?
I can't find stock rom on official website also.