Hi everybody,
I may need the help of someone very experienced in flashing smartphones with MediaTek chipsets.
I wanted to unlock the bootloader of my K52, so I downgraded it to Android 10, then I unlocked it with MTKClient, but it got stuck in a bootloop.
Then, while searching how to wipe userdata, I accidentally erased all partitions on the phone.
Now it won't boot anymore; I can only reach it in BROM mode, with the "python mtk payload" command.
I've tried this guide (the K52 has exactly the same chipset), but with no luck.
Could anyone help me please?
I'd be very grateful! :3
Have you installed TWRP?
arfooux said:
Have you installed TWRP?
what part of 'wiped my whole flash' do you not understand?
Also, I'm quite sure you are screwed, speaking from personal experience, as there are some partitions that just don't come with a stock ROM because they're for calibration and other purposes (I can't say what exactly, but things like the modem drivers to comply with regional authorities and some such is a good bet).
So really you'd need a full mtkclient flash dump from a good K52 to then flash onto your bricked one.
P.S. My experience being that even though I've flashed a stock ROM to my X626B after a whole flash wipe, I only get a bootloop and haven't been able to diagnose the problem on account of nobody knowing how to get a UART console without a bridge, despite not needing one...
Hello,
Thanks for answering,
I have spent hours searching the web for different possible solutions to bring my phone back to life, and here is my progress so far:
- I've been able to extract the following partitions from a stock ROM KDZ file:
- boot: boot.img_1064960 and boot.img_1540096. I don't know if they are boot_a or boot_b; they look pretty similar in a hex editor, stripped like a .bin dump from the ROM, and when I run Get-FileHash on both with PowerShell I get exactly the same result (and that applies to all files with the same name)
- dtbo
- efuse
- ftm
- laf
- lk
- logo
- md1img
- OP_COM1_EU (3 different files, and the third has neither the same size nor the same contents in a hex editor as the other ones, so I guess a and b??)
- preloader
- patched_pgpt
- patched_sgpt
- rct
- scp
- spmfw
- sspm
- super (a lot of files with different sizes)
- tee
- userdata (a lot of files with different sizes)
- vbmeta_COM1_EU
I guess they are in the right format: when I compare in a hex editor the preloader file I extracted with a *.bin I found (I don't remember where), they are the same
- I've managed to generate a scatter file from patched_pgpt with WWR
- I've connected my phone, used bypass_utility (https://github.com/MTK-bypass/bypass_utility) and flashed partitions using the scatter file with SP Flash Tool (https://spflashtool.com/)
- Now, when I open mtk_gui (https://github.com/bkerler/mtkclient), the read/write/erase partition tabs are not empty anymore; here is what I have:
- boot_para
- proinfo
- para
- efuse
- spare1
- nvcfg
- nvdata
- metadata
- misc2
- ftm
- mt_udc
- expdb
- frp
- protect1
- protect2
- seccfg
- nvram
- persist
- persist_lg
- p_persist_lg
- md1img_a
- spmfw_a
- scp_a
- sspm_a
- lk_a
- tee_a
- spare2
- logo_a
- dtbo_a
- vbmeta_a
- vbmeta_system_a
- vbmeta_vendor_a
- boot_a
- laf_a
- md1img_b
- spmfw_b
- scp_b
- sspm_b
- lk_b
- tee_b
- spare3
- logo_b
- laf_b
- eksst
- encrypt
- rct
- spare4
- power
- mpt
- fota
- els
- carrier
- srtc
- operatorlogging
- super
- OP_a
- OP_b
- userdata
- flashinfo
It looks pretty much like what I had before I was stupid enough to erase everything, so I guess I've progressed in the right direction.
Anyway, the phone still doesn't start.
I can't get to download mode, fastboot mode, etc.
When I run python mtk plstage --preloader=preloader_muse6765_64_eh35_q.bin, Windows detects an LGE Mobile USB Serial Port in Device Manager, which then disappears after a few seconds and becomes MediaTek USB Port, and it loops like this.
So I guess something is missing.
My question is:
Which partitions do I need to flash to at least get Download Mode back, so that I can use the LG software and flash the KDZ?
I'll keep searching, but if anyone has information, or why not a full ROM dump, I'd be glad.
Best regards,
François
Just to give some updates, I've tried another tool to extract the KDZ file: https://gist.github.com/iscgar/e0da0868df7b2f179b000c61f12d1a8c
Now I have clearly named files: 0.boot_a.img, 0.boot_b.img, etc.
So I'm manually flashing partitions. Each partition is described in the scatter file generated by WWR, as in this example:
- partition_index: SYS22
  partition_name: md1img_a
  file_name: md1img.img
  is_download: true
  type: NORMAL_ROM
  linear_start_addr: 0x17000000
  physical_start_addr: 0x17000000
  partition_size: 0x6000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  is_upgradable: true
  empty_boot_needed: false
  reserve: 0x00
So, for each one that has a .img file, I'm doing this:
python mtk wo 0x17000000 0x6000000 0.md1img_a.img
with 0x17000000 being the physical_start_addr line and 0x6000000 the partition_size line.
Not all partitions are in the directory (seccfg, fota, frp are missing), so, well, we'll see what happens.
So far, I have flashed boot_a, boot_b, laf_a, laf_b, lk_a, lk_b, logo_a, logo_b, md1img_a, md1img_b, sspm_a, sspm_b, spmfw_a, spmfw_b, rct, tee_a, tee_b, dtbo_a, dtbo_b, efuse, vbmeta_a, vbmeta_b, pgpt, sgpt
I'm not sure about what I did with OP; I flashed 0.OP_S.img to the OP_a partition.
Anyway, so far, I've tried
power : nothing
power + vol up : nothing
power + vol down : nothing
power + both vol buttons : nothing
But with python mtk plstage --preloader=preloader_muse6765_64_eh35_q.bin as usual, the LGE device appears for a few seconds in Device Manager, and something more: the phone displays the LG K52 boot screen for a few seconds, then turns back off.
Not great yet, the phone is still not usable, but it's encouraging!
I'll keep you informed!
Nothing else than this yet, but it's satisfying to see progress; I wanted to share this with you.
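The scatter-entry-to-`mtk wo` mapping described in this post, written out as an added example (it is not mtkclient's or WWR's own code): a small Python planner that parses the scatter entries, matches images named the way the extractors in this thread name them (`md1img.img`, `0.md1img_a.img`), emits the `python mtk wo <addr> <size> <file>` line, lists the partitions for which no image is on hand, and refuses an image larger than its partition (a write past a partition's end would land in the next one). The SYS23 to SYS25 entries, their addresses and the image sizes are constructed, not K52 values.

```python
"""Plan mtkclient raw writes from a WWR-style scatter file.

Added example, not mtkclient's or WWR's own code: parse the scatter entries,
find an image for each downloadable partition, refuse oversized images.
"""
from typing import Dict, List, Optional

# Constructed sample: the md1img_a entry from the post (shortened) plus three
# invented neighbours; SYS23..SYS25 and their addresses are assumptions.
SAMPLE_SCATTER = """\
- general: MTK_PLATFORM_CFG
  info:
    - platform: MT6765
- partition_index: SYS22
  partition_name: md1img_a
  file_name: md1img.img
  is_download: true
  type: NORMAL_ROM
  physical_start_addr: 0x17000000
  partition_size: 0x6000000
  region: EMMC_USER
- partition_index: SYS23
  partition_name: seccfg
  file_name: NONE
  is_download: false
  physical_start_addr: 0x1D000000
  partition_size: 0x800000
- partition_index: SYS24
  partition_name: lk_a
  file_name: lk.img
  is_download: true
  physical_start_addr: 0x1D800000
  partition_size: 0x100000
- partition_index: SYS25
  partition_name: vbmeta_a
  file_name: vbmeta.img
  is_download: true
  physical_start_addr: 0x1D900000
  partition_size: 0x800000
"""


def parse_scatter(text: str) -> List[Dict[str, str]]:
    """One dict per '- partition_index' block; the general header block is dropped."""
    blocks: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):          # a leading dash opens a new block
            blocks.append({})
            line = line[2:]
        key, sep, value = line.partition(":")
        if sep and blocks:
            blocks[-1][key.strip()] = value.strip()
    return [b for b in blocks if "partition_name" in b]


def find_image(entry: Dict[str, str], available: Dict[str, int]) -> Optional[str]:
    """The scatter's file_name, or the '<name>.img' / '0.<name>.img' names the
    KDZ extractors mentioned in this thread produce; None if nothing matches."""
    name = entry["partition_name"]
    for candidate in (entry.get("file_name", ""), f"{name}.img", f"0.{name}.img"):
        if candidate and candidate != "NONE" and candidate in available:
            return candidate
    return None


def downloadable(entry: Dict[str, str]) -> bool:
    return entry.get("is_download", "false").lower() == "true"


def plan_writes(entries, available: Dict[str, int]) -> List[Dict[str, object]]:
    """Writes for EMMC_USER partitions that are downloadable and have an image.
    Raises ValueError if an image would run past the end of its partition."""
    plan = []
    for e in entries:
        if not downloadable(e) or e.get("region", "EMMC_USER") != "EMMC_USER":
            continue      # boot regions (preloader) are not plain user-area offsets
        image = find_image(e, available)
        if image is None:
            continue
        addr, size = int(e["physical_start_addr"], 16), int(e["partition_size"], 16)
        if available[image] > size:
            raise ValueError(f"{image} is {available[image]:#x} bytes, "
                             f"{e['partition_name']} holds only {size:#x}")
        plan.append({"partition": e["partition_name"], "addr": addr,
                     "size": size, "image": image})
    return plan


def missing_partitions(entries, available: Dict[str, int]) -> List[str]:
    """Downloadable partitions with no image on hand (the post's seccfg/fota/frp case)."""
    return [e["partition_name"] for e in entries
            if downloadable(e) and find_image(e, available) is None]


def mtk_write_command(item: Dict[str, object]) -> str:
    """The 'python mtk wo <addr> <size> <file>' line the post uses."""
    return f"python mtk wo {item['addr']:#x} {item['size']:#x} {item['image']}"


if __name__ == "__main__":
    # Constructed directory listing (file name -> size); build one with os.listdir.
    images = {"0.md1img_a.img": 0x5F00000, "lk.img": 0x80000}
    entries = parse_scatter(SAMPLE_SCATTER)
    for item in plan_writes(entries, images):
        print(mtk_write_command(item))
    print("no image for:", missing_partitions(entries, images))
```

The planner only prints commands; it never talks to the phone. Running it over a real directory listing before flashing turns the "we'll see what happens" step into a checked list: every command carries the address and size straight from the scatter file, and an image that does not fit is rejected instead of silently overwriting the partition after it.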
I just copied the super partition; now when I push the power button, it vibrates, displays the LG K52 boot screen, and displays "All Slots are unbootable" in red.
I can get neither download mode nor fastboot, but I'm confident I'm getting close to getting it working again!
Well, I tried to flash everything again, and now the phone is dead again: no more vibration and no more logo...
I noticed it was possible to communicate with the BROM over a UART interface at a baud rate of 115200, 8 bits, 1 stop bit, no parity and no flow control. I found a document yesterday explaining that a few commands could be called, like 'Version', 'Start', 'Jump', but nothing happens when I try with PuTTY.
If somebody can help I'd be very glad!
Okay, after I don't know how many attempts, I managed to get the phone powering on again after flashing with SP Flash Tool
buuuuuuut
Something more !!
Now, it doesn't only bootloop when the BL is unlocked, it also displays a message I didn't have the first time I could power it on again!
I haven't progressed further so far; does anyone have a suggestion?
I've tried :
- reflashing everything
- removing AVB header in the boot partition img to disable verified boot just in case it would change something (replacing the 256 bytes of the header of AVB in HxD with zeroes)
- the whole process from KDZ to manually reflash partitions with another stock ROM to see if it changes something
- erasing userdata, md_udc and metadata
- python mtk payload --metamode FASTBOOT => won't boot in fastboot
I'm now out of ideas...
It keeps displaying in a bootloop the LG logo, then either "all slots are unbootable" or "Your device cannot be checked for corruption. Lock the bootloader"
All I think I know is that reaching that far in the startup process means we're in LittleKernel (AM I RIGHT? PLEASE CAN ANYONE CONFIRM?), and I may have something interesting if I manage to build a custom one with debug symbols, but there's no source code related to MT6765 anywhere on the internet, so I guess I'm kinda stuck...
And at the same time, just to try, I built a custom LK for the ARM target from the GitHub source code; it generates an LK and an LK.img, but in HxD the first bytes are very, very different: the one from my LG stock ROM starts with I don't know how many rows full of 0xFF bytes, the built one doesn't...
Does anyone have an idea of what I might do to find what's wrong with the boot process of my phone?
Up ?
Maybe I can help you solve this problem, because I use the same mobile phone as you. But after repairing the boot, your phone may lose the serial number; so far, I do not know how to repair the serial number. If I have time, I'll look into it.
When I turn it on now, if I push PWR, VOL+ and VOL- simultaneously, barcodes with S/N, IMEI and manufacturing dates are shown, and all are zero.
Honestly, I don't mind if I don't have the S/N anymore. I know all the numbers have been wiped out; now even the IMEI consists of zeroes. I called Orange customer service and they told me the IMEI of the terminal I used with my SIM card between Feb 2021 and Mar 2023, so I'm going to have to find a way to reinject it, but it's okay, I'll find a way. I don't know how yet, but if at least I can get it starting again I'd already be more than happy.
First of all, I inform you that with these guides there is the possibility of bricking your phone, so follow them carefully and do everything using your head; I do not assume any liability for damage which may result.
CREATE A SYSTEM BACKUP:
Since ZTE does not distribute the firmware of our phone, we must create for ourselves a backup of all partitions with Flash Tool; even then some partitions (yaffs2) will refuse to restore, but they will surely be useful later:
1 - Open Flash Tool
2 - Click on "scatter loading" and select "MT6573_Android_scatter.txt" in the root folder of flash tools
3 - Move the tab to "Read Block" and click on "Add" and you will see a line that says "PageSpare" and other things...
4 - Double-click on that line and you will see a window; choose the folder where you want to dump the firmware and write the name of the
partition in the "File name:" field; in this case (1st partition) you have to type "preloader"
5 - At this point, the program asks you to enter the start address and the size of the partition and write on the "Start Address", 0x00000000 and "Length:" 0x00040000, then select "read Page Only" and click "OK ".
6 - Repeat step 5 for all 14 partitions that are there in the phone, for addresses, follow this table:
Code:
PARTITION NAME | START ADDR | LENGTH
---------------------------------------
preloader      | 0x00000000 | 0x00040000
dsp_bl         | 0x00040000 | 0x000c0000
nvram          | 0x00100000 | 0x00300000
seccnfg        | 0x00400000 | 0x00020000
uboot          | 0x00420000 | 0x00060000
boot           | 0x00480000 | 0x00600000
recovery       | 0x00a80000 | 0x00600000
secstatic      | 0x01080000 | 0x00120000
misc           | 0x011a0000 | 0x00060000
logo           | 0x01200000 | 0x00300000
expdb          | 0x01500000 | 0x000a0000
system         | 0x015a0000 | 0x0fa00000
cache          | 0x10fa0000 | 0x03c00000
userdata       | 0x14ba0000 | 0x0aa20000
---------------------------------------
7 - Click on "Options> DA Download All> Speed> High Speed" and then "Options> DA Download All> Battery> Without Battery"
8 - Finally, click "Read Back" and the program waits to detect the phone in bootrom mode
9 - Connect your phone to the PC without the battery and make the "TestPoint" (you need to create a short circuit between the ground of the device and the point shown in this picture; the point is indicated by a small black arrow that I drew on the motherboard). I used a 1000 ohm resistor for safety, but you can use a paper clip to make the bridge. I usually take the ground from the metal plate that holds the SIM. If you have made the testpoint correctly you will hear the sound of the Windows driver installation (if Windows does not find the drivers automatically, point it to them) or, if the driver is already installed, Flash Tool starts reading the phone's memory. When the backup of the internal memory ends, a small window appears with a green circle, which means that the backup was successful.
INSTALL A RECOVERY:
If this procedure does not work, the only way you will have to install the recovery will be a complete format of your phone with FT; I will explain how to do it soon... Meanwhile, we try to replace only the stock recovery with mine:
1 - Open flash tool
2 - Load the scatter file
3 - In the list that you see, check only "recovery", then click on the word "recovery" itself and select the CWM or the TWRP (recommended)
4 - Then click on "Options> DA Download All> Speed> High Speed" and then "Options> DA Download All> Battery> Without Battery"
5 - Now click on "Download"; connect the phone without battery to pc and make the TestPoint
6 - Once the phone is in bootrom mode you will see a red bar in flashtool, finished loading you should hear a new device that connects to the PC, give it the right drivers and if all goes well you will see a yellow bar loading.
7 - If all went well then you can start the device in recovery mode (boot the phone by holding down the home + volume up buttons) and you can install your first rom in this device . I highly recommend you make a nandroid backup BEFORE you change your rom so you'll have the option to restore with the recovery.
You can find my ROMs here and my recoveries here
MAKE A COMPLETE UPGRADE OF YOUR PHONE
If the procedure for changing recovery returns error 5054 then the only solution to change the recovery is a complete upgrade of the device. Before proceeding it is required to backup with Flash Tool.
1 - To begin download this archive, inside it you will find 2 files: preloader and dsp_bl
2 - Create a folder and copy into it the preloader and dsp_bl you just downloaded, then add to the same folder these files from the backup you made before: nvram, seccnfg, uboot, boot, logo, expdb
3 - Finally, also add to the same folder a modified recovery (CWM or TWRP)
4 - Open flash tool
5 - Load the scatter file
6 - In the list, check all the partitions, click on the text of each and select the corresponding file that you gathered in steps 2 and 3.
7 - Now click on "Options> DA Download All> Speed> High Speed" and then "Options> DA Download All> Battery> Without Battery"
8 - Now to start the flash click on "Format> Download" connect the phone without battery to pc and make the TestPoint
9 - Once the phone is in bootrom mode you will see a red bar loading in Flash Tool; when loading is finished you should hear a new device connect to the PC, give it the right drivers and if all goes well you will see a yellow bar loading...
10 - At this point the phone will no longer have an operating system, so it will not start if you push the power button (because we haven't restored the system partition), but you can enter the recovery (start the phone by holding down home + volume up) and install the rooted ROM
You can find my ROMs here and my recoveries here
RESTORE THE DEVICE FOR WARRANTY:
If you need to bring the phone under warranty you can just flash the unrooted stock rom from recovery and then you have to flash the stock recovery from TWRP or CWM recovery.
At this point the phone will be like out of the factory! I have not tested the procedure , but theoretically it should work
ADD A2SD:
If you believe that 170MB available for the applications are too few then read on, let's go with this script that will place the data partition under an ext2 partition (as big as we want) of your sd card, the result is this
How to do it?
1 - First of all we have to partition our SD: the second partition must be ext2 and we can make it as big as we want; the first will be FAT32 and will have to occupy all the space remaining on the SD card. It is important that ext2 is set as primary. You can do everything with "GParted" if you're on Linux or "MiniTool Partition Wizard Home Edition" if you are on Windows. Be careful not to use the recovery to repartition the SD, because it creates ext3 and I do not know if it is compatible with our script
2 - Attach the phone to the PC with the usb debug mode enabled, download this package unzip it and run the batch file "Start.bat". On the next reboot, if everything went smoothly you can see the result on your settings menu...
RAISE THE HEADPHONES VOLUME WHILE PLAYING MP3:
If you believe that the headphone volume is too low then you just have to type *#*#3646633#*#* on the keypad,
then from the secret menu go to Audio > Headset and select "Media" from the list, go to "level 6" and put 250, then press set and you're done!
CREDITS:
- All xda devs!
- http://forum.chinafonini.it
Write a request here if you want to share my work after modifying it and keep credits
It took from me a lot of time and hard work to achieve these results :victory:
Press thanks button please if this work was useful to you!!
The link/picture for the short circuit is not working, so I want to try rooting.
I replaced the link... :good:
pajerm said:
I replaced the link... :good:
Just a question, how the f*ck did you find out the short pin procedure? You're awesome!!!
For anyone who follows this guide, trust me, trying to solder the pin is a very bad idea; you'll end up messing up the board if you're not extra careful. I broke the input pin, and ended up having to dismantle the whole damn thing; it's currently working with duct tape and glue.
EDIT: I could make the backup of the whole ROM and old recovery, but when flashing the recovery, I get the red bar, hear the new device but get nothing in Device Manager, but then this:
My phone is a little different, the Latin American variant ZTE V856
Look at #3 post! you will find the answer...
pajerm said:
Look at #3 post! you will find the answer...
Any step in particular? I've tried all the steps, again and again, shorting the pin, but everything else fails
Hi, is there a way to install the Greek language on this awesome ROM?
Thank you!
Welcome to the Runbo F1 Super Thread
As a new owner of a Runbo F1, I am looking forward to sharing with you the information I collected for this rugged phone.
Please feel free to post your questions or any other thoughts in this thread. Thanks for reading - NewBit
Specs and Pics
Drivers / Tools
- View attachment MediaTek.USB.VCOM.drivers.7z
- MediaTek SP Flash Tool v5.1516.00
- MediaTek SP Flash Tool v5.1708.00.000 (MTK6753 support)
- View attachment MTKdroid_2.5.3d_Patched_MTKdroidTools.ini.zip
(MTKdroid 2.5.3d with Patched MTKdroidTools.ini for MT6752 support)
Enable Developer Options
- enter Settings -> About phone
- touch 10x on Build number
- and become a Developer
- Choose your Developer Options
Boot into Recovery (Stock and TWRP)
- phone is turned off
- Hold Volume Up and Power Button at the same time
- when the first Boot screen appears
-> just release the Power Button and keep holding volume up
- recovery should boot
FTP Login for Runbo Update / Upgrade Servers CN / EN
Chinese Version:
FTP: upgrade-cn.runbo.net
Port: 21
User: ftpadmin
Password: bo369123
English Version:
FTP: 185.86.148.226
Port: 21
User: ftpadmin
Password: 95dq96bcF1
Found in View attachment DecompiledRemoteOsUpdate_4.4OS_F1-Q5.zip apk folder -> Res -> Raw
Also findable in View attachment Decompiled_RemoteOsUpdate_5.1OS_F1.zip apk folder -> Res -> Raw
Decompiled with APK Studio
View attachment RemoteOsUpdate_4.4OS_F1-Q5.apk
View attachment RemoteOsUpdate_5.1OS_F1.apk
Full Backup Runbo F1 Phone (MTK 6752A Chipset)
MTK Scatter File Tool Kit by NewBit
Backup Preloader.bin and modification for Unbrick and Partition Resizing
Flashing Fullbackup / TWRP
Rooting
After flashing the TWRP, download a SuperSU-vxx.zip and install it over the TWRP.
Recoveries - Stock / TWRP
Stock Images and FTP Login for Runbo Update / Upgrade Servers CN / EN
Exchange Micro SD Card (to 128 GB)
Resizing Partition Userdata with internal SD
I am not responsible for anything bad that comes to your device when using the information posted in this thread. Everything here is dangerous,
may cause a brick, will void a warranty and has the potential to just plain wreak havoc. Do not complain you followed my instructions and met
with a dead device. Consider yourself warned
I've tested to the best of my ability, but I am one person with one device, I cannot catch all potential failure modes. If you find a problem and a fix,
or have information that should be added let me know and I will update the necessary information.
Big Thanks and Credits to:
- Kemonine96 and his team for their great work and help on the Samsung Rugby Pro (SGH-I547) Super Thread
- Chainfire, for his awesome root script [STABLE][2016.02.02] SuperSU v2.65 and [STABLE][2016.12.15] SuperSU v2.79
- Anatoly Smaznov aka javum from lenovo-forums.ru, for his TWRP 2.8.4.0 source patched and compiled
- TeamWin - TWRP, for their indescribable work on their open source project twrp.me
- Carliv, for his extraordinary image kitchen [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery
This site is still in progress and will be updated step by step.
How to Full Backup Runbo F1 Phone (MTK 6752A Chipset)
You need:
- MediaTek USB VCOM drivers installed
- Switched Off Runbo F1 phone with minimum of battery charged to 50%
- MediaTek SP Flash Tool v5.1516.00 or similar
- Scatter file for a MTK 6752A Chipset
- Minimum of 5GB free space on your HDD for the backup
How to install MediaTek USB VCOM drivers
- switch off the phone and connect
- open your device manager
- connect the phone via micro USB cable to the PC
- watch the device manager list for an unknown device to pop up whose driver cannot be installed
- double click that device and install/update drivers
- paste the path to the folder "MediaTek USB VCOM drivers"
- let the system search for the right drivers and wait until it is finished
- once the driver is installed properly, it should always be shown without any issues
in your device manager list, but only for a few seconds, then it disappears again.
How to backup the phone MediaTek SP Flash Tool v5.1516.00
- create your own scatter file or use mine: View attachment MT6752_Android_scatter_Blind_Backup.txt
- switch off the phone and let it disconnect
- open SP Flash Tool and load a scatter file
- click on Readback and then on Add+
- double click on the new line and create a new folder BlindDumpFile and save
- a new window will pop up, Readback block start address
- Type remains HEX
- Region remains EMMC_USER
- Start Address remains 0x0
- Length: copy and paste from the scatter file 0x150000000, filling in zeros between 0x and 15 -> 0x0000000150000000
(HEX values in SP Flash Tool are right-aligned)
- click OK and double check your setup
- hit the Read Back button, and connect your phone
- SP Flash tool should start reading your flash image right after
- after reading back your image, SP Flash Tool will notify you (duration approx. 20 min)
Congratulations, you have now a single full flash image file of your phone.
You can now experiment with your phone, you can do what ever you want,
except deleting or downloading your preloader, which is stored in Region EMMC_BOOT_1.
I can only highly recommend backing up your preloader once, either to share it with others who need it
for reverse engineering or just in case for a JTAG unbrick.
To backup your phone directly into single region files, use the View attachment MT6752_Android_scatter_Full_BackUp_Restore.txt file.
Each partition needs its own Add+ entry under Readback with its own start address and length.
With the BlindDumpFile you can also do this yourself. Just use a hex editor, HxD for example,
select and cut off your regions according to your scatter file.
To extract the binary files automatically you can use the MTK Scatter File Tool Kit by NewBit
Flashing Fullbackup / TWRP
You need:
- MediaTek USB VCOM drivers installed
- Switched Off Runbo F1 phone with minimum of battery charged to 50%
- MediaTek SP Flash Tool v5.1516.00 or similar
- Scatter file for a MTK 6752A Chipset
- TWRP Image file for your Phone
- Fullbackup from your Runbo F1 Phone and extracted into single files
(If you have to flash the preloader, make sure the bin file is correctly modified)
Flashing TWRP for Runbo F1 1st Gen
- switch off the phone and let it disconnect
- open SP Flash Tool and load a scatter file View attachment MT6752_Android_scatter_Full_BackUp_Restore_Preloader_Enabled.txt
- deselect everything
- click on Location from the recovery entry and select the recovery_TWRP_2840_Runbo_F1.img file
- check if the combo box says Download Only
- click on Download
- hook on the Runbo F1 phone
- wait until it is finished -> Download Ok Windows will appear
- hook off the phone
- start into recovery by holding Volume Up and Power On until the Runbo Bootscreen shows up
-> keep holding vol up and release Power On -> TWRP Splash Screen should appear
Flashing Fullbackup back for Runbo F1 1st Gen
- switch off the phone and let it disconnect
- open SP Flash Tool and load a scatter file View attachment MT6752_Android_scatter_Full_BackUp_Restore_Preloader_Enabled.txt
- check every single entry to be correct, all files should be already selected
if all the extracted files from the Fullbackup are in the same folder as the scatter file
- Double Check if your Preloader.bin file is correctly modified
- check if the combo box says Format All + Download
- click on download
- hook on the Runbo F1 phone
- wait until it is finished -> Download Ok Windows will appear
- hook off the phone
- start the phone by pressing the power button, Bootscreen should appear and the phone should boot up normally
Backup Preloader.bin and modification for Unbrick and Partition Resizing
From the Fullbackup you cannot extract the preloader.bin file.
It is stored in a different memory area: in EMMC_BOOT_1, whereas all other binaries are stored in HW_STORAGE_EMMC.
You have to read it back directly from the phone.
How to backup the Preloader.bin with MediaTek SP Flash Tool v5.1516.00
- create your own scatter file or use mine: View attachment MT6752_Android_scatter_Full_BackUp_Restore.txt
- switch off the phone and let it disconnect
- open SP Flash Tool and load a scatter file
- click on Readback and then on Add+
- double click on the new line and create a new folder PreloaderFile and save -> Filename: preloader_readback.bin
- a new window will pop up, Readback block start address
- Type remains HEX
- Region changes to EMMC_BOOT_1
- Start Address remains 0x0
- Length: copy and paste from the scatter file 0x40000, filling in zeros between 0x and 4 -> 0x0000000000040000
(HEX values in SP Flash Tool are right-aligned)
- click OK and double check your setup
- hit the Read Back button, and connect your phone
- SP Flash tool should start reading your flash image right after
- after reading back your image, SP Flash will notice you
Congratulations, you have now a preloader backup of your phone.
How to mod the preloader_readback.bin for flashing it back into the phone
The preloader_readback.bin always gets an additional header, added by the Flash Tool during the read back.
Its size is exactly 2048 bytes. Cut these bytes off. You can also cut off the unused zeros at the end
of the file. After these mods, you can use it to flash it back into the phone.
Download Preloader Files: View attachment PreloaderMod.zip
After extraction of the zip, rename the file preloader_without_header_and_without_noneused_Zeros.bin to preloader.bin
and put in the folder with your extracted image files.
Make sure in your scatter file the preloader area is changed to:
Code:
- partition_index: SYS0
  partition_name: preloader
  file_name: preloader.bin
  is_download: true
  type: SV5_BL_BIN
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: BOOTLOADERS
  reserve: 0x00
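Two steps from this thread in code, as an added example that is not SP Flash Tool's or the MTK Scatter File Tool Kit's own: carving single partition images out of a raw blind-dump image by start address and length (the hex-editor method described in the Full Backup post), and trimming a preloader readback by cutting the 2048-byte header and the unused zero tail as described just above. The layout table is the MT6573 one from the ZTE guide earlier on this page (a shortened copy), the `MMM\x01` check is an added sanity check for the GFH file-info magic that MTK preloader images start with, and every sample byte is constructed, none read from a phone.

```python
"""Carve partition images from a raw flash dump and trim a preloader readback.

Added example, not SP Flash Tool's or the MTK Scatter File Tool Kit's code.
The layout is the MT6573 'PARTITION NAME | START ADDR | LENGTH' table posted
earlier in this thread; every byte below is constructed, none is from a phone.
"""
from typing import Dict, List, Tuple

LAYOUT_TABLE = """\
PARTITION NAME | START ADDR | LENGTH
---------------------------------------
preloader      | 0x00000000 | 0x00040000
dsp_bl         | 0x00040000 | 0x000c0000
nvram          | 0x00100000 | 0x00300000
seccnfg        | 0x00400000 | 0x00020000
uboot          | 0x00420000 | 0x00060000
boot           | 0x00480000 | 0x00600000
"""

READBACK_HEADER = 2048        # bytes the Flash Tool prepends to a boot-region readback (per the post)
PRELOADER_MAGIC = b"MMM\x01"  # GFH file-info magic that MTK preloader images start with


def parse_layout(text: str) -> List[Tuple[str, int, int]]:
    """Parse 'name | start | length' rows; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[1].lower().startswith("0x"):
            rows.append((parts[0], int(parts[1], 16), int(parts[2], 16)))
    return rows


def check_layout(rows: List[Tuple[str, int, int]]) -> int:
    """Reject overlapping or out-of-order rows; return the end offset of the layout."""
    end = 0
    for name, start, length in rows:
        if start < end:
            raise ValueError(f"{name} at {start:#x} overlaps the previous partition")
        end = start + length
    return end


def carve(dump: bytes, rows: List[Tuple[str, int, int]]) -> Dict[str, bytes]:
    """Cut every partition that lies completely inside the dump.
    A partition the dump does not fully cover is left out rather than padded."""
    check_layout(rows)
    return {name: dump[start:start + length]
            for name, start, length in rows if start + length <= len(dump)}


def trim_preloader_readback(data: bytes) -> bytes:
    """Drop the readback header and the unused zero tail, as the post describes,
    and check that the result looks like a preloader before anyone flashes it."""
    body = data[READBACK_HEADER:].rstrip(b"\x00")
    if not body:
        raise ValueError("nothing but zeros after the header: not a preloader readback")
    if not body.startswith(PRELOADER_MAGIC):
        raise ValueError("trimmed image does not start with the preloader GFH magic")
    return body


def build_sample_dump(rows: List[Tuple[str, int, int]]) -> bytes:
    """Constructed user-area dump: each partition begins with its own name as a marker."""
    buf = bytearray(check_layout(rows))
    for name, start, _ in rows:
        buf[start:start + len(name)] = name.encode()
    return bytes(buf)


def build_sample_readback(region_size: int = 0x40000) -> Tuple[bytes, bytes]:
    """Constructed EMMC_BOOT_1 readback: 2048-byte header, fake preloader, zero padding.
    Returns (readback, expected trimmed body)."""
    header = b"EMMC_BOOT".ljust(READBACK_HEADER, b"\x00")
    body = PRELOADER_MAGIC + b"FILE_INFO" + bytes(range(1, 256))
    return header + body.ljust(region_size - READBACK_HEADER, b"\x00"), body


if __name__ == "__main__":
    rows = parse_layout(LAYOUT_TABLE)
    for name, data in carve(build_sample_dump(rows), rows).items():
        print(f"{name:10s} {len(data):#010x} bytes, starts with {data[:8]!r}")
    readback, _ = build_sample_readback()
    print("trimmed preloader:", len(trim_preloader_readback(readback)), "bytes")
```

Against a real dump, `carve(open(path, "rb").read(), parse_layout(table))` yields the same files the hex-editor cut would; `check_layout` catches a mistyped address before anything is written, and a truncated dump shows up as missing partitions rather than as short images. Stripping the trailing zeros is safe only because the bytes removed were zeros; the magic check guards against cutting the wrong number of header bytes, which the post's "exactly 2048" rule relies on.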
MTK Scatter File Tool Kit by NewBit
I've written a little Windows tool kit, MTK Scatter File Tool Kit, to edit scatter files a bit more handily and to easily extract images from a Raw Blind Dump Fullbackup Image.
You need:
- Fullbackup from your Phone -> ROM_0_Backup_3.2_Stock.img
- MTK Scatter File Tool Kit for Windows (View attachment MTK.Scatter.File.Tool.Kit.Source.Binary.7z)
- Scatter file which fits for your Raw Blind Dump Fullbackup Image
- MTK Scatter File Tool Kit, Scatter file and Raw Image in the same folder
- Minimum of 5GB free space on your HDD for the backup
How to Extract Binaries from a Raw Blind Dump Fullbackup Image
- Open the MTK Scatter File Tool Kit (MTK.Scatter.File.Tool.Kit.Source.Binary\MTK Scatter File Tool Kit\bin\Release)
View attachment 4064160
- Click on Select Raw Image File
- Select the Scatter File first -> ok
View attachment 4064159
- Select the Raw Image File second -> ok
View attachment 4064161
- Wait until the image and binaries are extracted
View attachment 4064162
- Look for a folder like -> ROM_0_Backup_3.2_Stock.img_ExtractedImages
All binary files described in the scatter file will be extracted.
How to Edit a Scatter File
- Open the MTK Scatter File Tool Kit (MTK.Scatter.File.Tool.Kit.Source.Binary\MTK Scatter File Tool Kit\bin\Release)
View attachment 4064160
- click on Select Scatter File
View attachment 4064163
- click on the combo box to select a partition
View attachment 4064165
- edit the partition by double click on the entry
View attachment 4064167
- every change is written directly to the file - no need to save
The MTK Scatter File Tool Kit is what it is. If you have suggestions or tips, you are welcome to tell me.
Source Project is attached, you can write or modify on your own. Compiled in VS Express 2013 for Desktop
Recoveries - Stock / TWRP
TWRP 2.8.4.0 for Runbo F1 - flashable with SP Flash Tool
Download Runbo.F1.TWRP_2.8.4.0.zip
This compiled version of TWRP 2.8.4.0 comes originally from Anatoly Smaznov aka javum from lenovo-forums.ru.
I only use the "init" file and modded the other files, like fstab, by myself.
Contrary to TeamWin's FAQ - What is a data/media device?
This device with Android 4.4.4 does not have the SDCARD mounted to data/media.
Unfortunately, I am not able to compile a TWRP source myself, or rather to get the code that Anatoly Smaznov aka javum wrote and patched.
So I cannot change RECOVERY_SDCARD_ON_DATA := true to RECOVERY_SDCARD_ON_DATA := false. But maybe someone who reads this
is willing to support me a little? Maybe Anatoly Smaznov himself; it would be a great honor to me!
Also, all these so-called "Recovery Porting Tools for MTK Devices" aka PhilZ, TWRP, CTR, CWM and so on terminated with
the same error report: The Recovery Partition is too large & causes region overlap! Even those versions which claim to be able
to ignore that message terminated some steps later with the same error report. To me it looks like all of these tools have a
fixed maximum size that they compare with the actually built file size, not the size according to a scatter file, which tells exactly the
truth about the partition size, and not according to the read-back image size including the unused zeros.
So that's why I was forced to puzzle through the TWRP manual, where Carliv Image Kitchen for Android came into the game.
I wish there was a tool which just ports all these fstab and init entries, and then you can use the image kitchen of your choice.
As a final test, I even tried to take only the init file from the cancelled Recovery Ported Image and replace it in my already bootable
TWRP. But it just didn't want to boot with it.
Byte Count Compare:
- Scatter File And Read Back Image says: 16777216 Bytes
-> 9287664 Bytes Are None Used Zeros => Free Space
- "my" TWRP 2.8.4.0 says: 15798560 Bytes
But maybe I did and misunderstood something major wrong?! I am looking forward to somebody who can explain this to me.
Except that data/media feature, TWRP works flawless for me and is essential to gain root!
Stock Recovery Image 3e ALPS.KK2.MP13.V1.16 (KitKat 4.4.4) from/for Runbo F1 - flashable with SP Flash Tool
View attachment Runbo.F1.Stock.Recovery.4.4.4.zip
Stock Images and FTP Login for Runbo Update / Upgrade Servers CN / EN
System Stock Image 4.4.4 from the Runbo F1 1st Gen
Runbo.F1.Stock.System.4.4.4.7z.001
Runbo.F1.Stock.System.4.4.4.7z.002
Runbo F1 Extracted Logos from logo.bin and Medias Folder from System
Runbo.F1.Extracted.Logos.Medias.zip
FTP Login for Runbo Update / Upgrade Servers CN / EN
Chinese Version:
FTP: upgrade-cn.runbo.net
Port: 21
User: ftpadmin
Password: bo369123
English Version:
FTP: 185.86.148.226
Port: 21
User: ftpadmin
Password: 95dq96bcF1
How To Exchange Micro SD Card (To 128 GB)
You need:
- Torx 6 Screwdriver
- a Micro SD Card
- Switched Off Runbo F1 phone
How to open the phone:
- unscrew all 12 Torx 6 screws
- open the back cover by lifting it up
- get the "old" Micro SD Card out and replace it with a "new" one
- close the phone the same way you opened it, just backwards
- tighten the screws in a star pattern
- turn on the phone and check what it says once it has booted up
- if it says, SD Card must be formatted to use it, format it
- check your storage free space
Resizing Partition Userdata with internal SD
If your Android system says you cannot install any more APKs because of insufficient memory or storage,
you can resize your partition layout much more easily than told on the internet.
You only need to make your resize changes in the scatter file and flash your Fullbackup back, including the preloader.bin.
You need
- A Fullbackup of your phone -> Full Backup Runbo F1 Phone (MTK 6752A Chipset)
- all binaries extracted from your Fullbackup -> MTK Scatter File Tool Kit by NewBit
- A Backup of your preloader.bin and modified to flash it back -> Backup Preloader.bin and modification for Unbrick and Partition Resizing
- A modified scatter file with your partition changes
How to modify your scatter file for partition resizing
the original scatter file entry says:
Code:
- partition_index: SYS0
  partition_name: preloader
  file_name: NONE
  is_download: false
  type: SV5_BL_BIN
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: BOOTLOADERS
  reserve: 0x00
- partition_index: SYS19
  partition_name: userdata
  file_name: userdata.img
  is_download: true
  type: EXT4_IMG
  linear_start_addr: 0x61000000
  physical_start_addr: 0x61000000
  partition_size: 0xDD000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00
- partition_index: SYS20
  partition_name: intsd
  file_name: NONE
  is_download: false
  type: EXT4_IMG
  linear_start_addr: 0x13e000000
  physical_start_addr: 0x13e000000
  partition_size: 0x0
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00
You first have to change partition_size: 0xDD000000 of partition_index: SYS19 (userdata) to 0x1BA000000.
Then change linear_start_addr: 0x13e000000 and physical_start_addr: 0x13e000000 of partition_index: SYS20 (intsd) to 0x21B000000.
And make sure your preloader.bin has is_download: true in partition_index: SYS0 (preloader).
These three entries should now look like this:
Code:
- partition_index: SYS0
  partition_name: preloader
  file_name: preloader.bin
  is_download: true
  type: SV5_BL_BIN
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: BOOTLOADERS
  reserve: 0x00
- partition_index: SYS19
  partition_name: userdata
  file_name: userdata.img
  is_download: true
  type: EXT4_IMG
  linear_start_addr: 0x61000000
  physical_start_addr: 0x61000000
  partition_size: 0x1BA000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00
- partition_index: SYS20
  partition_name: intsd
  file_name: NONE
  is_download: false
  type: EXT4_IMG
  linear_start_addr: 0x21B000000
  physical_start_addr: 0x21B000000
  partition_size: 0x0
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00
The complete scatter file is attached: MT6752_Android_scatter_Resize_userdata.txt
Once the scatter file is made for resizing, flash back your Fullbackup with the new scatter file and the modded preloader.bin -> Flashing Fullbackup / TWRP
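The two arithmetic checks this procedure and the byte-count comparison in the TWRP section rely on can be scripted. The following Python is an added example, not part of this post or of the MTK Scatter File Tool Kit: it parses a constructed copy of the three scatter entries quoted above (trimmed to the keys it needs), recomputes the intsd start address from the new userdata size, reports any overlap or gap between neighbouring partitions in a region (the mistake that turns a resize into a brick), confirms the preloader entry will actually be downloaded, and checks whether an image fits its partition by counting unused trailing zeros. All function names are my own.

```python
import re

# Constructed copy of the original (pre-resize) scatter entries quoted above,
# trimmed to the keys these checks need. Not a file from the Tool Kit.
ORIGINAL_SCATTER = """\
- partition_index: SYS0
  partition_name: preloader
  file_name: NONE
  is_download: false
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
- partition_index: SYS19
  partition_name: userdata
  file_name: userdata.img
  is_download: true
  linear_start_addr: 0x61000000
  physical_start_addr: 0x61000000
  partition_size: 0xDD000000
  region: EMMC_USER
- partition_index: SYS20
  partition_name: intsd
  file_name: NONE
  is_download: false
  linear_start_addr: 0x13e000000
  physical_start_addr: 0x13e000000
  partition_size: 0x0
  region: EMMC_USER
"""


def parse_scatter(text):
    """Turn the 'key: value' scatter text into a list of dicts, one per entry.
    A line starting with '-' opens a new entry."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s*(-?)\s*(\w+):\s*(\S+)\s*$", line)
        if not m:
            continue
        opens_entry, key, value = m.groups()
        if opens_entry:
            entries.append({})
        entries[-1][key] = value
    return entries


def resize_partition(entries, name, new_size):
    """Set partition `name` to `new_size` bytes and move the entry that follows
    it so that it starts exactly where `name` now ends (the manual edit the
    post describes for userdata/intsd). Returns the follower's new start."""
    idx = next(i for i, e in enumerate(entries) if e["partition_name"] == name)
    cur, nxt = entries[idx], entries[idx + 1]
    cur["partition_size"] = f"0x{new_size:X}"
    new_start = int(cur["linear_start_addr"], 16) + new_size
    nxt["linear_start_addr"] = nxt["physical_start_addr"] = f"0x{new_start:X}"
    return new_start


def layout_problems(entries, region="EMMC_USER"):
    """Human-readable overlap/gap problems for one storage region.
    An empty list means the region is contiguous and consistent."""
    problems = []
    for e in entries:
        if e["linear_start_addr"].lower() != e["physical_start_addr"].lower():
            problems.append(f"{e['partition_name']}: linear and physical start differ")
    parts = sorted((e for e in entries if e["region"] == region),
                   key=lambda e: int(e["linear_start_addr"], 16))
    for cur, nxt in zip(parts, parts[1:]):
        size = int(cur["partition_size"], 16)
        if size == 0:  # size 0 means "up to the end of the device"; only valid last
            problems.append(f"{cur['partition_name']} has size 0 but is not the last partition")
            continue
        end = int(cur["linear_start_addr"], 16) + size
        nxt_start = int(nxt["linear_start_addr"], 16)
        if end > nxt_start:
            problems.append(f"{cur['partition_name']} overlaps {nxt['partition_name']} by 0x{end - nxt_start:X} bytes")
        elif end < nxt_start:
            problems.append(f"gap of 0x{nxt_start - end:X} bytes between {cur['partition_name']} and {nxt['partition_name']}")
    return problems


def preloader_will_flash(entries):
    """True when the flasher will actually write the preloader (is_download
    true and a real file name), which the resize procedure requires."""
    p = next(e for e in entries if e["partition_name"] == "preloader")
    return p["is_download"] == "true" and p["file_name"] != "NONE"


def trailing_zero_bytes(image):
    """Bytes of unused zero padding at the end of a read-back partition image."""
    return len(image) - len(image.rstrip(b"\x00"))


def image_fits(image_size, partition_size):
    """The only size comparison a flasher should need: image <= partition."""
    return image_size <= partition_size


if __name__ == "__main__":
    entries = parse_scatter(ORIGINAL_SCATTER)
    print("original layout problems:", layout_problems(entries))
    new_intsd = resize_partition(entries, "userdata", 0x1BA000000)
    print(f"intsd must now start at 0x{new_intsd:X}")
    print("resized layout problems:", layout_problems(entries))
    print("preloader will be flashed:", preloader_will_flash(entries))
    # TWRP vs the 16 MiB recovery partition, numbers from the byte-count comparison above
    print("TWRP 2.8.4.0 fits recovery:", image_fits(15798560, 16777216))
```

Running it on the original entries reports no problems, computes 0x21B000000 as the required intsd start, and, if you grow userdata but forget to move intsd, reports the overlap instead of letting you flash it.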
OK!, great post here.
So I was wondering if this phone has a notification LED for missed calls/SMS and low battery/charging/charged/app push notifications?
This phone has a sealed/screwed back case; were the mUSB and the headphone jack injection molded into the case, or is it another phone where, should you have the rubber plug open, water will get into the phone?
***EDIT***
The "upgraded" version of this phone has a magnetic port and a 64GB mSD card (C6) installed.
It also increased 200 bucks for the "upgrade" (magnetic port is heavily guarded licensed copyright).
This phone is now crap; should you forget your charging cable when you go on a trip overseas or out of town, you can't just purchase/borrow a USB cable and charge your phone.
The mag port cable is not available on the manufacturer's website. You might only get 1 cable per phone; pray you don't lose it or it breaks.
This was a good thought though, poor hardware location implementation....BEST SUITED FOR HEADPHONES AND TABLET KEYBOARD DOCKS!
For the life of me I cannot update from FOTA 2.4 to 3.1 or greater.
The FOTA just sits on checking version for days and days.
I have a ROM for 3.1 from need rom, but when I do it with the phone it gives an error 1.
I am unable to get any version of the SP Multi Port Download Tool to detect the phone, let alone update it.
Any help would be greatly appreciated.
I did find this
20160930
IMPORTANT! RUNBO HAVE FOUND A PROBLEM IN THE FRAMEWORK OF THE ANDROID 5.1.
THE PROBLEM IS CHARACTERIZED BY GIVING AN ERROR CODE WHEN INSTALLING CERTAIN APPS (ERROR CODE 504)
THE PROBLEM IS SOLVED BUT THE PHONE MUST BE UPDATED IN THE SOFTWARE, SEE THE GUIDE BELOW.
DOWNLOAD SHOOT DIRECTLY TO YOUR PHONE AND INSTALL THEN UPDATE THE VERSION OF THE OS.
DOWNLOAD TO YOUR MODEL!
RUNBO F1 5.1 ( CLICK HERE )
RUNBO F1 4.4 ( CLICK HERE )
but the apk won't install.
I can't post links here
On new Runbo F1, entering original stock recovery :
Phone power down
Vol up + Power
When the Android logo appears, quickly press Vol down + Power at the same time.
Recovery menu will appear.
@UniqueRelic,
the most likely reason that you cannot install the upgrade files is that there are 2 F1 versions out.
Take a closer look at the chipsets! I have the first generation, for which an Android 5.x version will never come out.
The maximum I can upgrade to is Android 4.4.4, and it is the 3.2 version of the zip file from Runbo.
Please check out the FTP I've just posted. There you can find all updates/upgrades of both versions.
Download the files and copy them to the SD card. Then try to manually upgrade. But you must be on stock firmware!
On my F1, now with stock firmware, the firmware apk doesn't work anymore. Same as yours, it gets stuck on the version checking, that's it.
And if I install the new apk from the new website, it just says the server is offline. But the FTPs are working!!
@UnableToResetOldProfile
this is interesting with the mag charger. But I agree, I also would like to have the choice of using it or not, for the very same reasons!
This mag version must also be new with the 2nd generation version of the F1.
Unfortunately, the micro USB jack on mine is somehow broken. Visually fine, but I cannot charge it anymore. It looks clean but nothing happens
when I plug the cable in. I need really much straight force to bring it up to charge or even to data connect. I've opened a service request to get it fixed.
The jack is glued in, I cannot fix it myself, which really su...
I will get rid of this phone. I am so disappointed with the F1 and the Runbo company. There is no support, no information, nothing. The micro USB crashed within one year!!
Cheers
NewBit
newbit said:
@UniqueRelic,
SNIP
NewBit
got the phone to take FOTA 3.9 and 4.1 (v1.6 20160316)
A108_E450_RunboF1_WG_20160812_V4.1
android 5.1 2016-04-01
sadly now I can't get Play Store to work.
it won't properly launch, doesn't give a stop error, just flashes a white screen then disappears.
UniqueRelic said:
got the phone to take FOTA 3.9 and 4.1 (v1.6 20160316)
A108_E450_RunboF1_WG_20160812_V4.1
android 5.1 2016-04-01
sadly now I can't get Play Store to work.
it won't properly launch, doesn't give a stop error, just flashes a white screen then disappears.
Oh, that is not nice. I usually have this with a lot of apps after an update or upgrade. Sometimes it helps to delete the cache and data just of this app. In the case of the Play Store app, I had it once that it got stuck in the update process, which usually happens in the background. Installed the apk manually and it worked fine. Maybe it is worth a try...
NewBit
newbit said:
Oh, that is not nice. I usually have this with a lot of apps after an update or upgrade. Sometimes it helps to delete the cache and data just of this app. In the case of the Play Store app, I had it once that it got stuck in the update process, which usually happens in the background. Installed the apk manually and it worked fine. Maybe it is worth a try...
NewBit
tried all of that. it won't take ANY apk. I even went down to an apk for Android 2.3. tried arm, arm64, x86 etc.
seems this build doesn't allow for Play Store. makes me a little sad. but luckily there's APKMirror. but it doesn't have everything.
UniqueRelic said:
tried all of that. it won't take ANY apk. I even went down to an apk for Android 2.3. tried arm, arm64, x86 etc.
seems this build doesn't allow for Play Store. makes me a little sad. but luckily there's APKMirror. but it doesn't have everything.
Sounds weird indeed. Are you sure V4.1 is the right update file for you?
Do you have a source to get this file?
When I check the FTP it says V4.6 is the newest.
Play Store on my phone was integrated in the stock image.
And I guess it is essential, Runbo doesn't provide any good stock apps actually.
Did you check this?
Worst case scenario, I would say, full reset!? But I don't like this version at all...
still crashes. seems Google Play Services might be the issue but I can't find one that works.
sad to say it would not take 3.9-3.2 from the runbof1-en nor would it take 4.5-3.9 from the runbo-un. it starts to install the update but at about 40% on the bar it displays error 1 of 1.
perhaps this flash is the Chinese version? as I do notice now the boot screen shows Chinese and defaults to Chinese now, unlike it did before when it first bricked. I sent this back to the retailer and they repaired the flash. I assume they flashed it with the non-English version; when I received it the first time, full resets were English, so was the boot. now full resets are Chinese.
is there a way to flash this to the English version from Chinese?
WARNING: THE FOLLOWING IS FOR INFORMATIONAL PURPOSES ONLY AND MAY FURTHER DAMAGE YOUR DEVICE. EXERCISE EXTREME CAUTION. USE ONLY AS A LAST RESORT.
This was tested with a Global OnePlus 9 LE2115
Overview
So I was encountering an error with MSM Download Tool that would show "Sahara communication failed" after about 18 seconds. This resulted in me being 100% unable to recover my device with MSM as it was continuously rebooting into EDL mode with no possibility of entering fastboot.
After much research, I stumbled upon a solution completely by accident. I was able to fix the issue by utilizing the following tools:
Qualcomm Sahara Tools - https://github.com/bkerler/edl
Oppo/OnePlus Decryption Tools - https://github.com/bkerler/oppo_decrypt
You need:
- Latest version of Python 3
- C/C++ build tools (gcc, Visual Studio, XCode) to build pip dependencies
- Dependencies installed using pip as specified in README.md of each repo
- Linux or macOS (Windows untested)
- *.ops file from your corresponding MSM Download Tool package
Process
Follow the instructions contained within the README of the above repos to download all files and install dependencies before continuing.
Spoiler: Extract ops package
Use opscrypto.py to extract the ops file you obtained earlier.
This results in a directory full of the decrypted contents of the update image (a collection of bin, img, and other files):
Code:
$ ./opscrypto.py decrypt lemonade_xxxx.ops
This creates an extract directory containing the decrypted files
Spoiler: Flash using edl.py
The wl subcommand for edl.py can then be used to write the aforementioned partitions.
The documentation describes the command thusly:
Code:
./edl.py wl dumps --memory=ufs >> to write all files from "dumps" folder to according partitions to flash and try to autodetect lun
I ran the command on the extract directory that was previously decrypted.
Additionally, I had to explicitly specify the OP9 EDL loader as well as specify that the flash memory was UFS and not EMMC:
Code:
$ sudo ./edl.py wl extract --memory=ufs --loader=Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin
This output was produced:
Code:
main - Using loader Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin ...
main - Waiting for the device
...............
.main - Device detected :)
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID: <CLIPPED>
CPU detected: "lahaina"
PK_HASH: <CLIPPED>
Serial: <CLIPPED>
sahara - Uploading loader Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin ...
Successfully uploaded programmer :)
firehose - Chip serial num: <CLIPPED>
firehose - Supported Functions: program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
firehose -
firehose_client - Target detected: lahaina
firehose - TargetName=
firehose - MemoryName=UFS
firehose - Version=
firehose_client - Supported functions:
-----------------
program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
firehose -
Reading from physical partition 0, sector 8, sectors 1
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Progress: |██████████████████████████████████████████████████| 100.0% Complete
oneplus - Oneplus protection with prjid 19825 detected
Writing ./param.bin to partition param.
firehose -
Writing to physical partition 0, sector 8, sectors 256
Writing ./persist.img to partition persist.
firehose -
Writing to physical partition 0, sector 2056, sectors 8192
Writing ./misc.bin to partition misc.
firehose -
Writing to physical partition 0, sector 10248, sectors 256
Writing ./frp.bin to partition frp.
firehose -
Writing to physical partition 0, sector 10632, sectors 128
Writing ./carrier.img to partition carrier.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 18440, sectors 12288
Writing ./opluslog.img to partition opluslog.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 34824, sectors 65536
Writing ./metadata.img to partition metadata.
firehose -
Writing to physical partition 0, sector 108616, sectors 4096
Writing ./super.img to partition super.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 145480, sectors 1
Writing ./userdata.img to partition userdata.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 2877512, sectors 2105
Writing ./ocdt.bin to partition ocdt.
firehose -
Writing to physical partition 3, sector 576, sectors 32
Writing ./oplusreserve2.img to partition oplusreserve2.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 4, sector 6, sectors 32768
Writing ./devinfo.bin to partition devinfo.
firehose -
Writing to physical partition 4, sector 722224, sectors 1
Writing ./apdp.mbn to partition apdp.
firehose -
Writing to physical partition 4, sector 722481, sectors 4
Writing ./storsec.mbn to partition storsec.
firehose -
Writing to physical partition 4, sector 817779, sectors 6
Writing ./mdcompress.mbn to partition mdcompress.
firehose -
Writing to physical partition 4, sector 826302, sectors 12
Writing ./spunvm.bin to partition spunvm.
firehose -
Writing to physical partition 4, sector 831486, sectors 87
Writing ./rtice.mbn to partition rtice.
firehose -
Writing to physical partition 4, sector 839678, sectors 65
Writing ./abl_log.bin to partition abl_log.
firehose -
Writing to physical partition 4, sector 839870, sectors 4048
Writing ./android_log.bin to partition android_log.
firehose -
Writing to physical partition 4, sector 847966, sectors 4048
Writing ./qsee_log.bin to partition qsee_log.
firehose -
Writing to physical partition 4, sector 852014, sectors 4048
Writing ./hyp_log.bin to partition hyp_log.
firehose -
Writing to physical partition 4, sector 856062, sectors 4048
Conclusion
After performing the above on a macOS device, the device successfully flashed in MSM on Windows 11.
I rebooted the device prior to attempting to flash after performing the above steps.
Addendum
This isn't a foolproof guide and may not even work for your device or may even damage it further. The process described above is somewhat advanced and very much undocumented and unsupported/unofficial/hacky.
I cannot vouch for the quality, security or effectiveness of the tools linked above.
I'm putting this out there in hopes it helps others and to gather more information about how MSM Download Tool and EDL mode actually work.
Please let me know if this solves any issues with MSM and I can potentially produce a guide if this method is proven safe.
Spoiler: Speculation / Thoughts
Firehose appears to be an executable elf file that is ran on the device, which then parses settings.xml and provision_*.xml contained within the ops file.
These files appear to contain the directives that allow MSM to recover bricked devices.
MSM appears to transmit these XML files to the firehose executable after loading it on the device.
These files reference the stock images, partition sizes, names, and extents that firehose then uses to provision the device.
Since firehose is simply an elf file that appears to rely on some preexisting data to be present on the device, some bricks may cause firehose to fail due to corruption of certain partitions.
Producing errors such as:
- Device mismatch
- Param preload error
- Sahara communication failure
- Waiting for device
- Waiting for COM port
The partitions shown in the output log appear to not be touched by MSM prior to sending firehose to the device, suggesting that it assumes they have been untouched.
Therefore, firehose may throw an error or fail to run entirely when attempting to recover some devices, even when using the correct MSM tool and drivers.
Despite being contained in the ops file, MSM doesn't appear to touch these partitions in its default Upgrade Mode.
That functionality may be locked behind more advanced modes such as SMT Download Mode, however, that mode is well known for causing more issues than it solves.
The tools above are open source reverse engineering tools that can do some rudimentary communication with OnePlus devices in EDL mode by utilizing a custom firehose binary (known as the "loader").
These appear to permit operations not possible with MSM's default behavior.
Spoiler: Observations
I was only able to get the edl.py tool to work on macOS.
I was unable to get this tool (edl.py) to work in Windows. It threw various libusb related errors despite using zadig as directed.
I observed that writing to any partition that was part of A/B dynamic partitioning would report that it was written successfully but in reality would only write 1 sector of the provided file.
However, a handful of other partitions appear to be writable, ones that typically can't be written to/aren't written with fastbootd or OTA side loading.
My IMEI and Serial Number were fully intact after flashing.
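The observation that a write to an A/B dynamic partition "succeeds" while covering a single sector is visible in the edl.py log itself. The following Python is an added example, not from the edl repository or from this post: it parses the "Writing <file> to partition <name>." / "Writing to physical partition <lun>, sector <start>, sectors <n>" line pairs from a constructed excerpt of the output quoted above, compares the sector count reported with what the decrypted file size would need, and flags writes that fall short, which is exactly what super.img shows. It also checks that no two writes in the same LUN overlap. The 4096-byte UFS sector size and the sizes in FILE_SIZES are assumptions for the demo.

```python
import math
import re

# Constructed excerpt of the edl.py wl output quoted above.
SAMPLE_LOG = """\
Writing ./param.bin to partition param.
firehose -
Writing to physical partition 0, sector 8, sectors 256
Writing ./persist.img to partition persist.
firehose -
Writing to physical partition 0, sector 2056, sectors 8192
Writing ./misc.bin to partition misc.
firehose -
Writing to physical partition 0, sector 10248, sectors 256
Writing ./super.img to partition super.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 145480, sectors 1
Writing ./userdata.img to partition userdata.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 2877512, sectors 2105
Writing ./devinfo.bin to partition devinfo.
firehose -
Writing to physical partition 4, sector 722224, sectors 1
"""

# Assumed (constructed) sizes in bytes of the decrypted files; in practice
# take them from os.path.getsize() on the extract directory.
FILE_SIZES = {
    "param.bin": 256 * 4096,
    "persist.img": 8192 * 4096,
    "misc.bin": 256 * 4096,
    "super.img": 3_000_000_000,  # unpacked dynamic-partition image, far more than 1 sector
    "userdata.img": 2105 * 4096,
    "devinfo.bin": 4096,
}

UFS_SECTOR = 4096  # assumption: 4 KiB logical blocks, typical for UFS

WRITE_HDR = re.compile(r"^Writing (\S+) to partition (\S+)\.$")
WRITE_LOC = re.compile(r"^Writing to physical partition (\d+), sector (\d+), sectors (\d+)$")


def parse_writes(log):
    """Pair each 'Writing <file> to partition <name>.' line with the
    'Writing to physical partition ...' line that follows it.
    Returns one dict per completed write."""
    writes, pending = [], None
    for line in log.splitlines():
        m = WRITE_HDR.match(line)
        if m:
            pending = {"file": m.group(1).rsplit("/", 1)[-1],
                       "partition": m.group(2), "sparse": False}
            continue
        if pending and line.startswith("QCSparse"):
            pending["sparse"] = True
            continue
        m = WRITE_LOC.match(line)
        if m and pending:
            pending.update(lun=int(m.group(1)), start=int(m.group(2)),
                           sectors=int(m.group(3)))
            writes.append(pending)
            pending = None
    return writes


def short_writes(writes, sizes, sector_size=UFS_SECTOR):
    """Writes whose reported sector count is smaller than the file needs.
    Returns (partition, sectors_written, sectors_expected) tuples."""
    flagged = []
    for w in writes:
        size = sizes.get(w["file"])
        if size is None:
            continue
        expected = math.ceil(size / sector_size)
        if w["sectors"] < expected:
            flagged.append((w["partition"], w["sectors"], expected))
    return flagged


def overlapping_writes(writes):
    """Pairs of writes in the same LUN whose sector ranges overlap."""
    ordered = sorted(writes, key=lambda w: (w["lun"], w["start"]))
    return [(a["partition"], b["partition"])
            for a, b in zip(ordered, ordered[1:])
            if a["lun"] == b["lun"] and a["start"] + a["sectors"] > b["start"]]


if __name__ == "__main__":
    writes = parse_writes(SAMPLE_LOG)
    for part, got, want in short_writes(writes, FILE_SIZES):
        print(f"{part}: only {got} of {want} sectors written - verify before trusting it")
    print("overlapping writes:", overlapping_writes(writes))
```

With the constructed sizes only super is flagged; a read-back of the flagged partition (the r subcommand) is the way to confirm what actually landed on the device rather than trusting the tool's success message.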
Bruh my pro was in that constant reboot state. Buss laugh if this is actually a fix for that
Hopefully it is. I'm curious to see if it works for others. I stumbled upon this right as I had given up and submitted a ticket to OnePlus.
At which point they said there's nothing to do and the device needed to be repaired.
So hopefully this is a reliable fix for devices that are super-bricked, because it saved me from having to send my device in.
Op9 was there all except I could always get to fastboot by pressing all buttons and holding until off and back on in fb; also several times monfrios all in one would read it, dump, and could reboot to fastboot. lol thanks again mon, and I do some dumb junk to mine trying to get 5G on AT&T all the time, eventually I may need this. Thanks in advance for your efforts and interest.
Jessp4046 said:
Op9 was there all except I could always get to fastboot by pressing all buttons and holding until off and back on in fb; also several times monfrios all in one would read it, dump, and could reboot to fastboot. lol thanks again mon, and I do some dumb junk to mine trying to get 5G on AT&T all the time, eventually I may need this. Thanks in advance for your efforts and interest.
This may be a solution to a problem that isn't all that widespread.
I found myself in this situation after flashing an Android 12 GSI to my device which involved mucking around with stuff I probably shouldn't have touched.
I've used MSM many times while experimenting but this time I really messed up and was out of options.
Amazingly, I stumbled across the tools above and was able to bumble my way to a solution. This took me about 4 days to resolve as the device refused to enter fastboot.
GlitterFartzz said:
This may be a solution to a problem that isn't all that widespread.
I found myself in this situation after flashing an Android 12 GSI to my device which involved mucking around with stuff I probably shouldn't have touched.
I've used MSM many times while experimenting but this time I really messed up and was out of options.
Amazingly, I stumbled across the tools above and was able to bumble my way to a solution. This took me about 4 days to resolve as the device refused to enter fastboot.
This is exactly what caused mine to loop. I tried flashing a 12 GSI lol
Jhoopes517 said:
This is exactly what caused mine to loop. I tried flashing a 12 GSI lol
I was actually able to get the GSI to boot, albeit with no cellular, fingerprint, etc. OP9 claims to be treble-compliant in the props but methinks that's a total lie.
I'm waiting here
flameteam said:
I'm waiting here
View attachment 5364413
Looks like you're trying to do a full dump of LUN 0 into a single bin file. LUN 0 contains a large chunk of data as it houses the super partition and the userdata partition.
I would recommend using the r subcommand to dump individual partitions or just use rl which will dump your whole device while neatly separating each partition into individual files.
To see exactly what each LUN is comprised of, you can use the printgpt command:
Code:
./edl.py printgpt --memory=ufs
Given that you're running in a VM, your I/O speeds are likely much lower.
I recommend at least booting into a Linux Live USB to do this.
If security is a concern, at a minimum I would recommend vfio passthrough via QEMU to pass your entire USB controller through from a Linux host.
IMO, virtualizing the USB connection will kill your throughput and put you at risk of data corruption.
GlitterFartzz said:
I was actually able to get the GSI to boot, albeit with no cellular, fingerprint, etc. OP9 claims to be treble-compliant in the props but methinks that's a total lie.
I couldn't this time. I was able to prior but no go.
My OnePlus 8T is completely hard bricked, black screen, no logo, no vibration, nothing. Now I can't use MSM because I always get Sahara communication failed. This seems like the way to go, will update you if it works
Help me guys. I can't access anything and it's saying Sahara Comm. error at 18 sec. I tried this on Windows and Linux but it does not work........ It gives me this:
File "opscrypto.py", line 160
self.info = print
^
SyntaxError: invalid syntax
_MartyMan_ said:
Help me guys. I can't access anything and it's saying Sahara Comm. error at 18 sec. I tried this on Windows and Linux but it does not work........ It gives me this:
File "opscrypto.py", line 160
self.info = print
^
SyntaxError: invalid syntax
same here! OnePlus 9 Chinese version model 2110, screen is just black, but the computer detects it.
thanks in advance
Kind of progress but still does not work... I get this error message:
Somebody help pls.......
@GlitterFartzz do you have any idea what this could be?
I have tried everything to get my Global OnePlus 9 back up and running again … no matter what I do with drivers I get this error in MSM tool. As you can see my phone is detected in the tool but cannot go past this point. I do not have access to download or fastboot mode. Last steps I took were through this thread ——https://forum.xda-developers.com/t/fastboot-rom-pc-required-op9-stock-oos-11-2-2-2aa.4275727/—— and reached the 1/2 way point (waiting on device) and now I can't get OOS back on the phone .. does anyone have any tips or knowledge they can guide me with to get my phone working with MSM tool? Much appreciated
Toggle on "Use lite Firehose" before running
Thanks shooter7889, got past the SMT error by setting the date back 2 years on the laptop and turning Wi-Fi off. Now I am getting the Sahara error after 18 sec and if I toggle use lite firehose I get the PARAM error after 8 sec. I have tried to follow the steps in the README section (advanced GitHub page) but I don't have any experience with the process as shown. Is it possible to get an easy step guide that can be put together to get past the Sahara error, for us less advanced members? Anything helps at this point. The phone is a brick; the only thing I can get into is EDL mode.
Justingaribay7 said:
Thanks shooter7889, got past the SMT error by setting the date back 2 years on the laptop and turning Wi-Fi off. Now I am getting the Sahara error after 18 sec and if I toggle use lite firehose I get the PARAM error after 8 sec. I have tried to follow the steps in the README section (advanced GitHub page) but I don't have any experience with the process as shown. Is it possible to get an easy step guide that can be put together to get past the Sahara error, for us less advanced members? Anything helps at this point. The phone is a brick; the only thing I can get into is EDL mode.
Mate, what's your device model? If your device model is LE2113, flash https://androidfilehost.com/?fid=2188818919693804750 (9 Pro EU MSM ROM), and after installation flash OP9 https://drive.google.com/drive/folders/1R_j8sML_46YrTp1HGfpS6zrAUeFl8uJU?usp=sharing
This is a great resource to have, nice work. I'll give it a go if I ever hit that state again. I've only had success using the pro msm tools up to this point for some reason with lite firehose when I get the Sahara or param info device not match error. Once I've lite msmed with the pro tool, I can normal msm with the nonpro tool, just like flame team mentioned
flameteam said:
Mate, what's your device model? If your device model is LE2113, flash https://androidfilehost.com/?fid=2188818919693804750 (9 Pro EU MSM ROM), and after installation flash OP9 https://drive.google.com/drive/folders/1R_j8sML_46YrTp1HGfpS6zrAUeFl8uJU?usp=sharing
Thanks for the reply flameteam. My device is LE2115 Global. Would this method still work on this version?
I tried running the EU tool. No luck. Same errors as the O2 tool. Tried different flash options such as lite firehose on and off .. Sahara error and Param error still present
ONLY WORKS FOR THE G900TM SINCE THAT MODEL HAS A MEDIATEK CHIP, DO NOT TRY THIS ON ANY OTHER VELVET MODEL
Prerequisites:
MTKclient: this is the free tool we will use to unlock the bootloader, follow the installation instructions here or use the provided LiveDVD that has everything ready to go: https://github.com/bkerler/mtkclient
LGUP: Use this patched one: https://tbl-locksmiths.com/d/4-lgup-1163-patched-latest
ADB (Android Debug Bridge): See here on how to install ADB: https://www.xda-developers.com/install-adb-windows-macos-linux/
FOR NOW YOU MUST USE AN UBUNTU OR DEBIAN BASED LINUX DISTRO SINCE MTKCLIENT DOES NOT PLAY NICE WITH AND REQUIRES MORE STEPS TO WORK ON WINDOWS. A VIRTUAL MACHINE WILL WORK FINE FOR THIS TUTORIAL.
UNLOCKING THE BOOTLOADER WILL WIPE YOUR DATA, PLEASE MAKE SURE YOU HAVE BACKED YOUR DATA UP BEFORE ATTEMPTING THIS.
1. If you are on Android 11 already, please downgrade to Android 10 first using the G900TM14k KDZ before attempting this. You can download it here or from another website. https://drive.google.com/file/d/1GYOHiuIbOqO9x_t8E-dvLI3sEKDe6fRS/view?usp=sharing
Spoiler: Nerd explanation 🤓
The reason that we are doing this is because in the Android 11 firmware, the phone’s preloader (first stage bootloader) has the exploit MTKclient needs to crash the phone into BROM mode (Mediatek equivalent to Qualcomm EDL mode) patched out. This means MTKclient will not work with the Android 11 firmware installed, unless you are willing to open up the phone and short some test points! By downgrading to Android 10, the exploitable preloader can be put back onto the device.
2. Install LGUP, then launch it when it is done. Make sure the “refurbish” option is selected, then click the button with the three dots that is circled in the picture.
Spoiler: LGUP
3. Select the G900TM14k kdz file. Then click start and wait for the kdz to finish flashing.
4. Now you are ready to use MTKclient. When using it, make sure the phone is powered off, run a command, and then plug the phone into your PC. Follow the instructions here: https://github.com/bkerler/mtkclient#unlock-bootloader
Output should look something like this example output:
Code:
[email protected]:~/Desktop/mtkclient-main$ python mtk e metadata,userdata,md_udc
MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
Port - Device detected :)
Preloader - CPU: MT6885/MT6883/MT6889/MT6880/MT6890(Dimensity 1000L/1000)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x816
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x1
Mtk - We're not in bootrom, trying to crash da...
PLTools - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
usb_class - USBError(19, 'No such device (it may have been disconnected)')
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
Port - Device detected :)
Preloader - CPU: MT6885/MT6883/MT6889/MT6880/MT6890(Dimensity 1000L/1000)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x816
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x1
Preloader - ME_ID: 2DF842BC6706D1EA3150DC28E8B69081
Preloader - SOC_ID: D68B399A7D66DF240C22270698248840AF48675FA82F2F5B8B2048A993A646B3
PLTools - Loading payload from mt6885_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/sugondeseballs/Desktop/mtkclient-main/mtkclient/payloads/mt6885_payload.bin
Port - Device detected :)
Main - Device is protected.
Main - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.2124.bin
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - UFS FWVer: 0x2020
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID: SDINEDK4-128G
DAXFlash - UFS CID: 45015344494e45444b342d3132384720
DAXFlash - UFS LU0 Size: 0x1dcd800000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DRAM config needed for : 45015344494e45444b342d3132384720
DAXFlash - Sending emi data ...
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - UFS FWVer: 0x2020
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID: SDINEDK4-128G
DAXFlash - UFS CID: 45015344494e45444b342d3132384720
DAXFlash - UFS LU0 Size: 0x1dcd800000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DA-CODE : 0x161E0
DAXFlash - DA Extensions successfully added
DAXFlash - Formatting addr 0x94a2000 with length 0x2000000, please standby....
DAXFlash - Successsfully formatted addr 0x94a2000 with length 33554432.
Formatted sector 38050 with sector count 8192.
DAXFlash - Formatting addr 0x462800000 with length 0x1962800000, please standby....
DAXFlash - Successsfully formatted addr 0x462800000 with length 109026738176.
Formatted sector 4597760 with sector count 26617856.
DAXFlash - Formatting addr 0x7e08000 with length 0x169a000, please standby....
DAXFlash - Successsfully formatted addr 0x7e08000 with length 23699456.
Formatted sector 32264 with sector count 5786.
[email protected]:~/Desktop/mtkclient-main$ python mtk xflash seccfg unlock
MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1 of 0x1, ) 0.05 MB/s
xflashext - Successfully wrote seccfg.
Congrats! Your bootloader is now unlocked!
Now if you want to flash back to Android 11 first and then root, you can! You can either perform the OTA updates needed to get to the latest Android 11 software version, or just download an Android 11 KDZ from one of those websites that hosts LG firmware and flash it with the “Upgrade” option selected in LGUP.
But doing so will replace the exploitable preloader. If you still want MTKclient to work, follow this process:
Download an Android 11 KDZ
Open up LGUP and select the KDZ
Select the “Partition DL” option and press “Start”
When the partition list window pops up, click “Select all” and uncheck the preloader partition, then press OK to start flashing.
Spoiler: Partition list window
ROOTING INSTRUCTIONS (this part can be done in Windows or Linux):
To root, dump both of the boot images from the phone using “python mtk r boot_a boot_a.bin” and “python mtk r boot_b boot_b.bin”. It’s fine to dump only boot_a or boot_b, but make sure to verify which boot slot your phone is in first, then dump the correct image.
Turn the phone back on, then download the Magisk APK file from its Github page, and install it.
Copy the dumped boot images to your phone’s storage.
Then in the Magisk app, tap the Install button in the Magisk box, then tap “Select and patch a file”.
Select your boot image, then press “Let’s go”.
Wait for it to patch the boot image.
When the app finishes patching the boot image it will be in the Downloads folder. If you want to patch the other boot image, repeat this process.
When you have your patched boot images, copy them back to your computer, preferably to the same directory/folder where ADB is installed to.
Make sure USB Debugging is enabled in the developer settings on your phone, then connect the phone to your computer. Allow the computer to access the phone if needed.
Open up a command prompt in the folder where the boot images are and where ADB is installed and type “adb reboot fastboot”.
Wait for the phone to boot to fastboot, then type and run these commands: “fastboot flash boot_a boot_a.bin” and “fastboot flash boot_b boot_b.bin”.
Reboot the phone.
You’re rooted!
Big thanks to @Warlockguitarman, who discovered the bootloader unlock exploit, and Bjoern Kerler, the author of MTKclient, who integrated the exploit into the tool. Without them, many Mediatek devices including the T-Mobile Velvet would probably never have root!
Some pictures of my rooted Velvet
If you happen to hard brick your device enough so that it only gets detected as a USB port, here are the unbrick files to get the phone to download mode. You will need to flash these using SP Flash Tool with the "Format all + Download" option. This will nuke your IMEI and serial number, however it is not too difficult to write those back to the phone.
Velvet (MTK) - Google Drive
drive.google.com
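The two handshakes in the example output above each print a "Target config" word (0x5 while the phone was still talking from the preloader, 0xe5 once it was in BROM) followed by the flags mtkclient derives from it. The Python decoder below is an added example, not part of this post or of mtkclient: it turns that word into the list of boot ROM protections a given unit enforces (SLA, DAA, memory read/write authentication and so on) and cross-checks the result against the flag lines the tool printed, so a mismatch tells you the masks are stale. The bit masks are my reading of how mtkclient derives those lines and are an assumption to verify against the tool's source; the sample log is a constructed excerpt of the output shown above.

```python
import re

# Bit masks of the "Target config" word, in the order mtkclient prints the
# flag lines. Assumption: taken from how mtkclient derives its output (it
# tests SWJTAG with the two-bit mask 0x6, not a single bit); confirm against
# the tool's preloader code before relying on them.
TARGET_CONFIG_BITS = [
    (0x01, "SBC enabled"),            # secure boot check on the preloader
    (0x02, "SLA enabled"),            # serial link authentication
    (0x04, "DAA enabled"),            # download agent authentication
    (0x06, "SWJTAG enabled"),
    (0x08, "EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT"),
    (0x10, "Root cert required"),
    (0x20, "Mem read auth"),          # memory reads need authentication
    (0x40, "Mem write auth"),         # memory writes need authentication
    (0x80, "Cmd 0xC8 blocked"),
]
KNOWN_LABELS = [label for _, label in TARGET_CONFIG_BITS]

TARGET_RE = re.compile(r"Target config:\s*0x([0-9a-fA-F]+)")
FLAG_RE = re.compile(r"Preloader - (.+?):\s*(True|False)\s*$")

# Constructed excerpt of the two handshakes from the log in the post above.
SAMPLE_LOG = """\
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Mtk - We're not in bootrom, trying to crash da...
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
"""


def decode_target_config(word):
    """Map the raw Target config word to {flag label: enforced?}."""
    return {label: bool(word & mask) for mask, label in TARGET_CONFIG_BITS}


def parse_handshakes(log):
    """Return one record per handshake in an mtkclient log: the raw word,
    what it decodes to, what the tool printed, and the labels where the
    two disagree (which would mean the masks above are stale)."""
    records, current = [], None
    for line in log.splitlines():
        m = TARGET_RE.search(line)
        if m:
            word = int(m.group(1), 16)
            current = {"word": word, "decoded": decode_target_config(word),
                       "printed": {}, "mismatches": []}
            records.append(current)
            continue
        m = FLAG_RE.search(line)
        if m and current is not None and m.group(1) in KNOWN_LABELS:
            current["printed"][m.group(1)] = (m.group(2) == "True")
    for rec in records:
        rec["mismatches"] = [label for label, printed in rec["printed"].items()
                             if rec["decoded"][label] != printed]
    return records


def differences(word_a, word_b):
    """Flags that differ between two Target config words, in mask order."""
    da, db = decode_target_config(word_a), decode_target_config(word_b)
    return [label for label in KNOWN_LABELS if da[label] != db[label]]


if __name__ == "__main__":
    for rec in parse_handshakes(SAMPLE_LOG):
        print(f"Target config {rec['word']:#x}")
        for label, enforced in rec["decoded"].items():
            print(f"  {label:<48} {enforced}")
        print("  mismatches vs. printed flags:", rec["mismatches"] or "none")
    print("changed between the two handshakes:", differences(0x5, 0xe5))
```

Run against the excerpt, the decoder agrees with every flag line mtkclient printed, and `differences(0x5, 0xe5)` shows exactly which protections the BROM reported on top of what the preloader did: memory read and write authentication and the blocked 0xC8 command.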
Reserved
Thanks for the write-up! quick question: any issues with the fingerprint function? I heard that some LG phones have issues with finger sensor after unlock, not sure if that applies here. I'm assuming this would break the OTA?
Metconnect2000 said:
Thanks for the write-up! quick question: any issues with the fingerprint function? I heard that some LG phones have issues with finger sensor after unlock, not sure if that applies here. I'm assuming this would break the OTA?
Hi, the fingerprint still works perfectly after unlocking the bootloader. If you root then you will break OTA updates. But I consider that an improvement for this phone because T-Mobile loves to force OTAs on their phones lol
Wish39 said:
Hi, the fingerprint still works perfectly after unlocking the bootloader. If you root then you will break OTA updates. But I consider that an improvement for this phone because T-Mobile loves to force OTAs on their phones lol
Cool. Thanks!
I'm having trouble with unlocking the bootloader. I'm using the Live DVD from the MTKClient, but it seems to be getting stuck with "Status: Handshake failed, retrying..." and "Please disconnect, start mtkclient and reconnect". I'm not too familiar with Linux, I'm just double clicking the "MTK" app on the Live DVD desktop and running the commands from there. My device is powered off when running the commands and downgraded to Android 10. I have tried using the Live DVD on a virtual machine and running on two computers, but it doesn't seem to change anything.
EDIT: Used version 1.52 under the releases tab in Github and was successful. For idiots like me, here's what I did:
1. Download the Live CD provided and run it on a computer
2. On a separate computer, download the latest release of MTKClient under the releases tab (version 1.52) and extract to a USB drive
3. Boot into Live USB
4. Copy over MTKClient version 1.52 to Live CD
5. In the MTKClient files, right click and click "Open Terminal Here"
6. Follow original steps above to unlock bootloader
To root, I also used the Live CD since I kept getting issues in Windows
1. In Linux terminal, run "sudo apt-get install android-tools-fastboot" and "sudo apt-get install android-tools-adb"
2. Follow original steps to root phone
3. Make sure you replace "boot_a.bin" with the name of the file that Magisk generated
4. I typed in "fastboot flash boot_a" and then dragged the Magisk generated file and did that for Boot_b too
username32 said:
I'm having trouble with unlocking the bootloader. I'm using the Live DVD from the MTKClient, but it seems to be getting stuck with "Status: Handshake failed, retrying..." and "Please disconnect, start mtkclient and reconnect". I'm not too familiar with Linux, I'm just double clicking the "MTK" app on the Live DVD desktop and running the commands from there. My device is powered off when running the commands and downgraded to Android 10. I have tried using the Live DVD on a virtual machine and running on two computers, but it doesn't seem to change anything.
EDIT: Used version 1.52 under the releases tab in Github and was successful. For idiots like me, here's what I did:
1. Download the Live CD provided and run it on a computer
2. On a separate computer, download the latest release of MTKClient under the releases tab (version 1.52) and extract to a USB drive
3. Boot into Live USB
4. Copy over MTKClient version 1.52 to Live CD
5. In the MTKClient files, right click and click "Open Terminal Here"
6. Follow original steps above to unlock bootloader
To root, I also used the Live CD since I kept getting issues in Windows
1. In Linux terminal, run "sudo apt-get install android-tools-fastboot" and "sudo apt-get install android-tools-adb"
2. Follow original steps to root phone
3. Make sure you replace "boot_a.bin" with the name of the file that Magisk generated
4. I typed in "fastboot flash boot_a" and then dragged the Magisk generated file and did that for Boot_b too
What was the hardware key combo you used to get to BROM mode? I keep getting the handshake failed error, even though the other LG devices worked before.
Wish39 said:
Hi, the fingerprint still works perfectly after unlocking the bootloader. If you root then you will break OTA updates. But I consider that an improvement for this phone because T-Mobile loves to force OTAs on their phones lol
I was unable to do OTA updates even after I restored the stock boot img. It seems like bootloader unlock breaks OTA updates.
lentm said:
I was unable to do OTA updates even after I restored the stock boot img. It seems like bootloader unlock breaks OTA updates.
It normally will. I get a strange hex message when it tries to update, and it will tell you to contact LG Support.
Surgemanxx said:
It normally will.I get a strange hex message when it tries to update,and it will tell you to contact LG Support.
It didn't matter as we could just do manual update with kdz files, but it feels like something happened on their T-Mobile version development.
We used to get the kdz file every 2-3 months, still nothing even when 20i ota is out already, and still no pending Android 12 updates on T-Mobile list.
lentm said:
It didn't matter as we could just do manual update with kdz files, but it feels like something happened on their T-Mobile version development.
We used to get the kdz file every 2-3 months, still nothing even when 20i ota is out already, and still no pending Android 12 updates on T-Mobile list.
I agree! T-Mobile's Velvet is still lagging behind for A12, and I'm assuming the Mediatek chipset is the reason. I currently have the Verizon and the AT&T versions and they were OTA'd a couple months ago. But I think they're just compiling 1 version for most of these last devices because they have the same Qualcomm chipsets. I have the LG Wing, and it's in the same boat still. It's still sitting at A11 and nothing in the works to go to A12 that I have seen.
lentm said:
I was unable to do OTA updates even after I restored the stock boot img. It seems like bootloader unlock breaks OTA updates.
Unlocking the bootloader may or may not break OTA updates on T-Mobile/Metro LG devices in my experience.
I had a Metro K51 that had OTA's break after just unlocking its bootloader, meanwhile my T-Mobile Velvet was able to OTA update even after unlocking its bootloader.
T-Mobile LG's use Google Play Services to distribute OTA updates, so it's something with GMS I guess, not sure.
lentm said:
What were the hardware key combo you used to get to BROM mode? I keep getting the handshake failed error, even though the other LG devices worked before.
There's no BROM hardware key combo, did you downgrade the phone first?
Easiest way is to downgrade to Android 10, run a command on mtkclient and then simply power off the phone, plug it into your PC and let mtkclient do the work.
The only other way is to disassemble the phone and short the BROM testpoints on the motherboard, then plug the phone into your PC.
Surgemanxx said:
I agree!T-Mobile's Velvet is still lagging behind for A12,and I'm assuming because of the Mediatek chipset is the reason being.I currently have the Verizon,and the AT&T versions and they was OTA'd a couple months ago.But,I think their just compiling 1 version for most of these last devices because they have the same Qualcomm chipsets.I have the LG Wing,and it's in the same boat still.It's still sitting at A11 and nothing in the works to go to A12 I have seen.
Korean Wing does have Android 12
Wish39 said:
Korean Wing does have Android 12
Yes, built from the Velvet 765g firmware. Nothing for other regions as of yet.
Wish39 said:
Unlocking the bootloader may or may not break OTA updates on T-Mobile/Metro LG devices in my experience.
I had a Metro K51 that had OTA's break after just unlocking its bootloader, meanwhile my T-Mobile Velvet was able to OTA update even after unlocking its bootloader.
T-Mobile LG's use Google Play Services to distribute OTA updates, so it's something with GMS I guess, not sure.
If your Velvet was able to OTA update, it's probably because I unchecked preloader with PARTITION D/L option on LGUP when upgrading to Android 12.
A) Since this is a mediatek chipped device, is it not possible to unlock bootloader via adb and fastboot commands from a windows rig?
Then patch the boot image with magisk.
Flash patched image with adb or the smart phone flash tool?
I've had success with other brands on Mediatek Android 10 using this method.
--> Here is a guide that's similar to the method I've successfully used to root other devices, but for Mediatek Android 11 devices
--> Here is another guide specifically for LG devices from the same source as above
--------------------
B) Re: Resources for the method in post 1
1. Anyone have the link to the latest Android 11 kdz [G900TM20i]? I can't find a copy for d/l. Seems to be discrepancy whether OTA update will work post-root, and would like to have latest security patch
2. Is there a minimum version of Ubuntu to use? I have one in the archives but it has to be at least a few years old. Should it work or do I want to grab a newer version to be sure?
--------------------
Thanks for the guide and help.
I just picked up this mint unlocked T-Mobile Velvet for less than $150 and so far it seems like a nice device. Only gripe is no face unlock. Noticed a faceprint and handprint option in the service menu, but my understanding is that it doesn't serve any function on this device.
One of the main reasons I picked this device up was due to the Mediatek chipset, and that Mediatek devices are typically rootable with a generic process like I linked above. I'm glad to see it can be rooted, even if not via the 'typical method' I've used for others.
@double b26 Hey what's up. The normal fastboot method doesn't work for newer LG devices because those don't have normal fastboot, they only have fastbootd, which is fastboot in userspace. The bootloader unlock commands are missing, so you can't really do anything in there besides flash some partitions.
As of now there isn't a KDZ for G900TM20i, and I recommend you use Ubuntu 20.04 LTS or newer so you don't run into compatibility issues.
Also I believe the handprint and faceprint options in the hidden menu are meant for the G8, guess LG was too lazy to remove those options.
I finally got my cubot pocket. I like my devices without GAPPS so I unlocked the bootloader and finally managed to flash a GSI.
This post contains: observations and general hints for this level of development, a guide to unlock the bootloader and what I did so far to flash a GSI.
Unlocking the bootloader
This works similarly to other Spreadtrum/Unisoc-based devices.
The crucial thing is to issue get_identifier_token from fastboot -> reboot to bootloader. If you issue it in adb reboot fastboot, it will say OKAY and may also print a four character string, but this is not the token you're looking for.
Also, when you flash the unlock_bootloader signature.bin, it will prompt you on the phone, but you have to react differently than described on the phone - see below.
enable Android developer mode (Settings -> About Phone -> tap "build number" >= 7x)
enable OEM unlocking (Settings -> System -> Developer Options -> OEM unlocking)
enable ADB (Settings -> System -> Developer Options -> USB debugging)
adb reboot fastboot
choose "reboot to bootloader"
Code:
$ fastboot oem get_identifier_token
proceed as described here
finally:
Code:
$ fastboot flashing unlock_bootloader signature.bin
this prompts you to press volume up to cancel, volume down to confirm.
But volume down and power don't have any effect, instead volume up starts wiping user.
wiping takes a bit longer than I'd expect, for me 433 s.
Congratulations, you now own your phone a bit more than before!
Flashing GSIs (probably applies to ROMs in general)
It's a Treble-enabled arm64 A/B device. Flashing GSIs should be possible.
It looks to me like the A/B is crippled as all the _b partitions are 0-sized, probably to save space.
get and unpack necessary files as necessary: boot.img, vbmeta-sign.img, a ROM that you want, p.ex. AndyYan's Lineage GSI
fastboot resize-logical-partition product_a 38000
fastboot flash system [unpacked ROM file]
I also factory reset it afterwards
General/random notes
there are two different things reachable as "bootloader":
in fastboot switch to bootloader. The device displays the Cubot splash and from the display it looks stuck, but it exposes a fastboot interface -> useful
$ adb|fastboot reboot bootloader
shows the droid with open service door, saying "no command". It also exposes adb, but I don't see a way how to authorise it. Maybe via the debug UART? I didn't yet read the UART when I stumbled upon this. Currently it seems useless to me.
there are test points for the debug UART easily reachable once you disassemble it.
I didn't see anything with a 3.3V USB UART adapter, but a logic analyser with 1.4 V threshold works -> it probably uses 1.8 V logic level. UART-wise it's 115200 8n1.
I think I don't have anything to hook up to the TX currently.
UART log of boot
it's easy to softbrick this device, and I haven't found a nice way out of softbricked yet. Two not-so-nice-ways
- drain the battery, which obviously requires lots of patience
- disassemble the device and disconnect the battery
then flash the original ROM from the cubot site following the instructions there.
Once it bootloops, I didn't manage to power it off or get into fastboot / recovery using the device's keys.
the device reconfigures its USB during boot and there's a limited time for the SPDFlashTool's mode that flashes complete firmwares. That means that it's not really feasible to run SPDFlashTool inside a VM.
the phone actually does something with the battery detached but USB power attached. For example, it's possible to flash it with the SPDFlashTool. However, it doesn't boot the linux kernel / Android, this seems to be inhibited.
This is in contrast to many other devices that are not laptops for which the PMIC does not provide power to the system when the battery is disconnected.
Old notes / how not to do it: Flashing GSIs (probably applies to ROMs in general)
it's a Treble-enabled arm64 A/B device. Flashing GSIs should be possible.
It looks to me like the A/B is crippled as all the _b partitions are 0-sized, probably to save space.
system_a is a bit below 1 GB ( 0x3CF5D000 B) which is likely smaller than any interesting GSI.
attempting to flash yields
Code:
Resizing 'system' FAILED (remote: 'Not enough space to resize partition')
There's the general hint to delete the product partition by running
fastboot delete-logical-partition product
then it's actually possible to flash a GSI, however:
the device bootloops -> log
From the log I realised I need to modify vbmeta, so:
it does android verified boot / AVB which from my understanding the easiest way forward is to disable it by:
creating a vbmeta.img with
Code:
$ avbtool make_vbmeta_image --flags 2 --padding_size 4096 --output vbmeta_disabled.img
the padding necessary might be 16384 instead, according to the hovatek thread below.
it might be necessary to pad it additionally. There's a tutorial and a script here
when I flash both the hovatek-unpadded avbtool-4096-padded and hovatek-padded avbtool-16384-padded vbmeta, the device bootloops -> log
I guess the next step would be to unpack the vendor PAC ROM and check how the vbmeta image looks there.
Since with the original vbmeta it looks like it's restarting when it's already running linux / android, another way to go at this might be to change the kernel cmdline: instruct it to not do verity - Does anyone know how this is possible?
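The `--flags 2` in the avbtool call above sets the VERIFICATION_DISABLED bit of the vbmeta header (bit value 1 is HASHTREE_DISABLED, which only turns dm-verity off); fastboot's `--disable-verification` and `--disable-verity` options set the same two bits in the image they flash. The Python snippet below is an added example, not code from this post or from the AVB project: it reads those bits back out of a vbmeta image so you can confirm what a given file would do to verified boot before flashing it, or inspect a partition dump afterwards. The header layout is libavb's 256-byte AvbVBMetaImageHeader; the image bytes are constructed inside the block, not dumped from a phone.

```python
import struct

AVB_MAGIC = b"AVB0"
# Layout of libavb's AvbVBMetaImageHeader (256 bytes, big endian), using
# the same struct format string avbtool uses for it.
HEADER_FMT = "!4s2L2QL11Q2L47sx80x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)

FLAG_HASHTREE_DISABLED = 1 << 0      # dm-verity off (fastboot --disable-verity)
FLAG_VERIFICATION_DISABLED = 1 << 1  # all vbmeta checks off (--disable-verification,
                                     # avbtool make_vbmeta_image --flags 2)

ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096",
              3: "SHA256_RSA8192", 4: "SHA512_RSA2048",
              5: "SHA512_RSA4096", 6: "SHA512_RSA8192"}


def parse_vbmeta_header(blob):
    """Decode the fixed header of a vbmeta image into a dict of the fields
    that matter for deciding what it does to verified boot."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("image shorter than a vbmeta header")
    (magic, major, minor, auth_size, aux_size, algorithm,
     _hash_off, _hash_size, _sig_off, sig_size, _pk_off, pk_size,
     _pkmd_off, _pkmd_size, _desc_off, desc_size, rollback_index,
     flags, rollback_loc, release) = struct.unpack(HEADER_FMT, blob[:HEADER_SIZE])
    if magic != AVB_MAGIC:
        raise ValueError("not a vbmeta image (bad magic)")
    return {
        "libavb_version": (major, minor),
        "algorithm": ALGORITHMS.get(algorithm, f"unknown({algorithm})"),
        "signed": algorithm != 0 and sig_size > 0 and pk_size > 0,
        "flags": flags,
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "rollback_index": rollback_index,
        "rollback_index_location": rollback_loc,
        "auth_block_bytes": auth_size,
        "aux_block_bytes": aux_size,
        "descriptors_bytes": desc_size,
        "release_string": release.rstrip(b"\0").decode("ascii", "replace"),
    }


def assess(info):
    """One-word verdict on what this vbmeta does to verified boot."""
    if info["verification_disabled"]:
        return "VERIFICATION_DISABLED"   # bootloader skips every vbmeta check
    if info["hashtree_disabled"]:
        return "HASHTREE_DISABLED"       # images still hashed/signed, dm-verity off
    if not info["signed"]:
        return "UNSIGNED"                # boots only if the bootloader tolerates it
    return "ENFORCING"


def build_vbmeta(flags, algorithm=0, release=b"avbtool 1.2.0"):
    """Constructed header-only vbmeta image, padded to 4096 bytes the way
    `avbtool make_vbmeta_image --padding_size 4096` pads its output. No
    descriptors and no signature: just enough to show the flag bits."""
    header = struct.pack(HEADER_FMT, AVB_MAGIC, 1, 0, 0, 0, algorithm,
                         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   # offsets, sizes, rollback index
                         flags, 0, release)
    return header.ljust(4096, b"\0")


if __name__ == "__main__":
    for name, img in (("stock-like, flags 0", build_vbmeta(0)),
                      ("avbtool --flags 2", build_vbmeta(2)),
                      ("fastboot --disable-verity --disable-verification", build_vbmeta(3))):
        info = parse_vbmeta_header(img)
        print(f"{name}: flags={info['flags']:#x} algorithm={info['algorithm']} "
              f"-> {assess(info)}")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_vbmeta_header`; a partition dump works the same way as long as it starts at the partition's first byte. Whether a bootloader honours a VERIFICATION_DISABLED vbmeta is its own decision (the bootloops discussed in this thread are exactly that decision going the other way), so the verdict describes the file, not what the device will do with it.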
reserved for future use
dead ends (so far...)
didn't manage to find what image header magic number was wrong with the vbmeta.img (was already in the starting post)
the vbmeta actually doesn't chain to system, but there's a vbmeta_system partition (and vbmeta_vendor.img, vbmeta_system_ext.img, vbmeta_product.img) - I flashed the empty vbmeta disabling checking to vbmeta_system... and it bootloops again
this time the error is:
Code:
sprd_get_all_imgversion: ab_slot_flag is 0
read successed
sprd_get_all_imgversion: rpmb read blk 16382 successful
invalid sprd imgversion magic 0 exp a50000a5
uboot_vboot_verify_img() return error:param->a0=3
could be that it's just necessary to write the magic number to the correct offset, but I couldn't figure out where this offset is - the images in the PAC don't have this number, so I guess it's embedded on-the-fly while flashing.
searching for imgversion+spreadtrum gets 0 relevant results - I guess it's very unusual that people hook up to the debug uart
I didn't manage to disassemble uboot.img - At least the disassembly doesn't look like a bootloader to me. Not an expert with disassemblies though!
modifying boot.img with magisk also results in invalid sprd imgversion, so no root or disabled verity through this route
I didn't manage to read back from flash through SPD ResearchDownload, I get the error "incompatible partition" for userdata - and I can't deselect it :/
(I thought it might be possible to get the sprd imgversion magic through this route)
Partial success
I managed to boot a GSI signed by Google through Dynamic System Updates (DSU).
It kind of looks like it's running in emulation though: settings say "About emulated device" and it gets an own userdata.img
the DSU page also says it will only run GSIs signed by google or the vendor (not sure which key that would be, but I doubt there are any) - I haven't tried flashing anything this route
Open ends: reverse engineering the imgversion thing
It should be possible to figure out how this imgversion business works, ultimately from the u-boot.img / PAC content. Does anyone have any idea how to proceed there? I tried:
binwalk: doesn't look useful to me, nothing got extracted -> here
arm-none-eabi-objdump -b binary -D u-boot-sign.bin -m armv8-a -Mforce-thumb
(also without -Mforce-thumb and with -m armv7)
I'm pretty sure it's actually U-boot: there is the U-boot version string matching the one printed to uart and also the printf-string for the imgversion
Requested U-boot source code from Cubot
I requested source for all GPL'ed parts of the Pocket from Cubot, but especially U-Boot and the kernel. I'd be pleasantly surprised if something comes out of this though.
Reading back the flash
Does anyone have an idea how to do that? Without root there's no access to /dev/block/mmcblk* and I didn't get SPD ResearchDownload to read it.
It's nice that you could unlock the bootloader! I'll try to do it soon (maybe in some months, but ok lol)
Anyway, which GSI did you try? And about the vbmeta, I think it should be enough to flash the blank vbmeta.img from google. Maybe we could use the original vbmeta.img from stock ROM with the --disable-xxxxx flags.
This is the tutorial from phhusson's group (the man behind the treble project):
0. Get an up-to-date fastboot on your computer (fastboot --version should give version >= 29)
1. Get vbmeta.img from https://dl.google.com/developers/android/qt/images/gsi/vbmeta.img
2. Get A/B GSI (I'm guessing you need ARM64), don't forget to uncompress it
3. From running Android, do adb reboot bootloader
4. fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
5. fastboot reboot fastboot
6. fastboot flash system system-xxxx.img
6bis. If fastboot tells you there isn't enough place, do fastboot delete-logical-partition product, fastboot delete-logical-partition product_a, fastboot delete-logical-partition product_b and run the fastboot flash command again
7. On your phone, the screen should have a button "go back to recovery", select it, then select "factory reset / wipe data"
8. Reboot and enjoy
Thanks for your work. I got my Cubot Pocket unlocked too. I have booted LineageOS 19 via DSU Sideloader. It runs like a charm but there is no way to flash the GSI permanent.
@changer86 with the DSU I have the navigation bar not showing, back-gesture not functioning and no automatic display brightness - do these work for you?
wori said:
@changer86 with the DSU I have the navigation bar not showing, back-gesture not functioning and no automatic display brightness - do these work for you?
I tried it. My Navigation Bar is showing and working normal.
Automatic Display Brightness is working too.
I don't use gestures, but if you tell me how to do it, I will check that too.
Image: lineage-19.1-20220719-UNOFFICIAL-arm64_bvS.img.xz
and DSU-Sideloader 1.03 from Github. Default Settings
thanks for trying!
You can change it in Settings->System->Navigation->System Navigation->check Gesture Navigation
So: interesting that you got a Lineage build working, maybe that's the important difference! From Google's doc I understand that there's some verification, but looks like there isn't. Since I actually don't want the Google build, I'll try with Lineage next. Did you also try with the built-in DSU way, like described in Google's doc?
wori said:
Did you also try with the built-in DSU way, like described in googles doc?
As I understood, the app is doing exactly the same as the Google doc says. It seems like unlocking the bootloader is enough to boot a custom DSU. I have read something about signed images that will boot without unlocking the bootloader, but I didn't try it. I just want to get rid of all the Google stuff before using the Pocket. Hope we can get it working.
btw: Gestures seem to work. Swipe from right to middle closes apps, from middle to up opens the menu.
After a weekend of fails I flashed Lineage 19 to my old KingKong mini and it's working on the first try. Problem seems to be the Unisoc T310. The success rate of flashing GSI to T310 seems to be really low. Does anybody know another Android 11 device with Unisoc T310 that is working with GSI ROMs?
changer86 said:
Does anybody know another Android 11 Device with Unisoc T310 that is working with GSI-Roms?
GSI on Unisoc device
My tablet is unisoc t310 T803 with oem android 11. Here is where I'm stuck: I reflashed oem super.img and the system booted fine so I can start fresh. I erased product and system, and flashed lineage 17.1
www.hovatek.com
seems this guy has succeeded and his device looks pretty similar to pocket in treble info
im unisoc tablet has oem stock A11 and no GSI A10 was to boot. my oem system is system as root AB arm64. so I have no choice but to use Arm64 AB GSI A11 because A10 will not boot
Hi, can you help me with this situation? I can't unlock bootloader on cubot pocket.
I tried to unlock on my ubuntu and windows devices.
FAILEN ( Flashing Lock Flag is locked. Please unlock it first)
I don't know what I will do about this problem.
Spoiler: image
@raary did you enable OEM unlocking in the Android settings?
wori said:
@raary did you enable OEM unlocking in the Android settings?
Yes of course
raary said:
Yes of course
Did you use the modified fastboot? Under Ubuntu, start a terminal from the extracted folder and use ./fastboot instead of fastboot. Ensure that fastboot in the folder is executable. Check this guide: How to unlock Unisoc
Be warned: unlocking the bootloader is working, but flashing vbmeta like you tried leads to a bootloop. I think the Cubot Pocket needs signed images for flashing. There is a guide for custom signed images, but I did not get it to work for now.
changer86 said:
Did you use the modified fastboot? Under Ubuntu, start a terminal from the extracted folder and use ./fastboot instead of fastboot. Ensure that fastboot in the folder is executable. Check this guide: How to unlock Unisoc
Be warned: unlocking the bootloader is working, but flashing vbmeta like you tried leads to a bootloop. I think the Cubot Pocket needs signed images for flashing. There is a guide for custom signed images, but I did not get it to work for now.
Thank you, I will try to unlock.
@wori any updates on flashing gsi?
@badcodelab not from my side. I got frustrated and also had some other things to do. Hopefully find some time + energy to continue working on this.
I can't stay on the stock OS; my GSI on the Cubot Pocket has only 16 Gb via DSU sideload, which is too little for me, and a proper custom ROM doesn't exist for it, sad.
@wori, @changer86 I couldn't tell from your posts whether you tried using the signed vbmeta from the stock ROM.
Also, I haven't managed to get the research tool to unpack boot.img or super.img.
For some reason they stay listed as zero-sized .flag files in the target folder.
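The last few posts turn on whether the vbmeta being flashed is the signed one from the stock ROM or an unsigned "verification disabled" image. Before flashing, it is worth knowing which kind of file you actually have in hand, since an unsigned image on a device that insists on signed images is the bootloop scenario described above. The following is an added example, not code from this thread or from any of the tools it mentions: a small header inspector for vbmeta images, based on the public AvbVBMetaImageHeader layout from AOSP's libavb (256-byte big-endian header, magic "AVB0"). It reports the signing algorithm, the rollback index, and whether the HASHTREE_DISABLED / VERIFICATION_DISABLED flags are set. The two sample headers at the bottom are constructed in the script so it runs offline; on a real device you would point `inspect_vbmeta` at the vbmeta.img extracted from the stock firmware. The reference tool for the same check is AOSP's `avbtool info_image --image vbmeta.img`.

```python
import struct

# Layout of AvbVBMetaImageHeader (first 256 bytes of a vbmeta image), big-endian,
# as defined in AOSP libavb avb_vbmeta_image.h:
#   magic[4], version major/minor (u32 x2), auth block size (u64), aux block size (u64),
#   algorithm type (u32), then 11 u64 offsets/sizes and the rollback index,
#   flags (u32), rollback index location (u32), release string[48], reserved[80].
_HDR_FMT = "!4sIIQQI" + "Q" * 11 + "II48s80s"
_HDR_SIZE = struct.calcsize(_HDR_FMT)  # 256

ALGORITHMS = {
    0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096", 3: "SHA256_RSA8192",
    4: "SHA512_RSA2048", 5: "SHA512_RSA4096", 6: "SHA512_RSA8192",
}
FLAG_HASHTREE_DISABLED = 1 << 0
FLAG_VERIFICATION_DISABLED = 1 << 1


def inspect_vbmeta(data: bytes) -> dict:
    """Parse the vbmeta header and summarise its signing/verification state."""
    if len(data) < _HDR_SIZE:
        raise ValueError("file too short to hold a vbmeta header")
    fields = struct.unpack(_HDR_FMT, data[:_HDR_SIZE])
    magic = fields[0]
    if magic != b"AVB0":
        raise ValueError("bad magic %r: not a vbmeta image" % magic)
    algorithm = fields[5]
    rollback_index = fields[16]
    flags = fields[17]
    release = fields[19].split(b"\0", 1)[0].decode("ascii", "replace")
    return {
        "algorithm": ALGORITHMS.get(algorithm, "UNKNOWN(%d)" % algorithm),
        # A signed vbmeta carries a real algorithm; NONE means no signature block.
        "signed": algorithm != 0,
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "rollback_index": rollback_index,
        "release_string": release,
    }


def make_vbmeta_header(algorithm: int, flags: int, release: bytes = b"avbtool (constructed)") -> bytes:
    """Constructed sample header for demonstration; real images append auth/aux blocks."""
    return struct.pack(
        _HDR_FMT, b"AVB0", 1, 0, 0, 0, algorithm,
        *([0] * 11), flags, 0, release, b"\0" * 80,
    )


def describe(info: dict) -> str:
    """One-line human summary of what inspect_vbmeta found."""
    if not info["signed"] and info["verification_disabled"]:
        return "unsigned vbmeta with verification disabled"
    if info["signed"] and not info["verification_disabled"]:
        return "signed vbmeta (%s), verification enabled" % info["algorithm"]
    return "signed=%s verification_disabled=%s" % (info["signed"], info["verification_disabled"])


if __name__ == "__main__":
    # Constructed samples: a typical "disabled" vbmeta and a signed stock-style one.
    for label, blob in (("disabled", make_vbmeta_header(0, FLAG_VERIFICATION_DISABLED)),
                        ("stock", make_vbmeta_header(1, 0))):
        info = inspect_vbmeta(blob)
        print(label, "->", describe(info), info)
```

Note that the parser only reads the header; it does not validate the signature or walk the descriptors. Whether a given signed image will be accepted depends on the key baked into the device's bootloader, which this check cannot tell you, so a "signed" result for a stock vbmeta is necessary but not sufficient.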