Database Develop

[GUIDE][GT-I9100G]Repair Totally Sleep/Dead Boot Mode Via USB

First you need to connect your phone without battery and then load usb driver windows, after install driver run bat file ,after few second ,phone repair done.
Good Luck !
http://www.mediafire.com/?4q5viaizn5zf9l0
pass: my username

-- OMAPFlash Introduction --
This document contains a description of a tool – OMAPFlash – that can be used to transfer binary images from a host PC to an OMAP based target
platform. The tool consists of four main components:
- a host application, called OMAPFlash Host
- a “second” loader, called OMAPFlash Second, specific to the platform with which OMAPFlash is used
- drivers for the memory devices of the platform
- a USB driver for the host PC, compatible with the OMAP device in use
The tool makes use of the OMAP ROM code mechanism for peripheral boot from either UART or USB to transfer OMAPFlash Second to the internal memory
of the OMAP device. Using OMAPFlash Second a device driver is then transferred to SDRAM for the memory device to which the binary transfer is to
take place. Finally a binary file can be transferred through OMAPFlash Second and the device driver to the memory device itself.
The communication protocol used between OMAPFlash Host and OMAPFlash Second is based on the Fastboot protocol used in the Android community – a
simple text based command-response protocol. Source code is available under a BSD-style license and may be used and modified for other platforms
freely as long as the license terms are observed.
-- Installation --
OMAPFlash comes as an installer for the Windows XP platform. Run the installer executable, OMAPFlashInstaller.msi, to install to the hard-drive of
the host PC. In some cases the installer will display a warning that a DLL has failed to register properly – should this happen, accept this and
press continue to complete the installation (it will not cause the tool to fail). The program is installed to the folder ‘c:\Program Files\Texas
Instruments\OMAPFlash’ and scripts are designed to be run from this path.
Uninstalling OMAPFlash can be done through the Windows XP control panel (Start – Control Panel – Add or Remove Programs). Select OMAPFlash and
press ‘Remove’.
-- Connections --
The physical connection between the target platform and the host PC can be either UART or USB based and the actual connector to use will depend on
the platform. In general the user manual for the platform should be consulted in order to identify the connectors to use for peripheral boot.
-- Drivers --
When using the software with a USB connection, drivers will need to be installed. This should only be necessary when connecting the board to the
host PC for the first time. There are two USB drivers included in the installed software – one for the OMAP device (always needed) and one for the
Android Fastboot protocol (only needed if OMAPFlash is used with target software acting as a Fastboot protocol enabled device). Windows should
detect when a USB driver is needed and ask for it – the drivers are located in the usb_drv_windows folder under the installation directory for
OMAPFlash.
For UART connectivity where UART communication is taking place of USB , a UART USB driver will be needed. This can be downloaded from
http://www.ftdichip.com/Drivers/VCP.htm. Whenever a new driver installation happens during a download attempt to a platform, the process will most
likely time out while the driver is being installed. Simply retry after the installation of the driver is completed.
-- Usage --
OMAPFlash Host is a command-line based application. It is currently available for Windows XP only and will run in a Windows command shell. The
application can take commands directly from the command line or via a script file (a more useful approach). The syntax for calling the tool is:
omapflash [ <option> ] <command>
or, if a script file is used:
omapflash @<file>
-- Options --
The tool has a number of options that can be used to control its overall behavior.
-com <port number>
By default OMAPFlash will try to communicate with the target platform using a USB serial link. This option will force OMAPFlash to use a UART for
serial communication and specify the host side COM-port to use.
-t <timeout>
By default the timeout for communication on the serial link is 5 seconds. This option allows control of the timeout value by specifying another
timeout value in seconds.
-p <platform>
This option is required by OMAPFlash and specifies the platform for which the download is to take place. The platform specified is a name tag that
allows OMAPFlash to identify the correct second loader to use. The tag typically identifies the platform type and the memory used with the OMAP
device present on the platform (“e.g. SDP_MDDR_HYNIX_4G). The tag is used to look up the second loader in a configuration file (omapflash2nd.txt)
in combination with an OMAP device identifier received from the platform during peripheral boot.
-omap <version>
This option is required by OMAPFlash if a peripheral boot sequence is used to transfer a second loader to a target platform. The option specifies
the OMAP generation used on the platform – without this option set, OMAPFlash will be unable to determine how to correctly perform the peripheral
boot sequence necessary for transfer of the second loader to the platform. The version number is a single digit integer (e.g. ‘3’ for an OMAP3xxx
based platform or ‘4’ for an OMAP4xxx based platform).
-2
This option controls whether OMAPFlash will try to use the ROM code peripheral boot sequence to transfer a second loader to internal RAM before
doing anything else. This option will be required for most scenarios where OMAPFlash is used but can be left out if OMAPFlash Host is interacting
with a second loader already running on a target platform.
-v
The ‘-v’ option controls whether OMAPFlash Host will run in verbose mode. If set, more information will be shown during the execution of the
flashing sequence. Note that this option should be set in order to see the target platform response to certain commands (e.g. ‘chips’).
-- Commands --
Commands are executed on the target platform. Any command is prefixed by the keyword ‘command’ and anything following this keyword will be passed directly to OMAPFlash Second by OMAPFlash Host without interpretation or modification. Typically the ‘verbose’ option should be used with commands in order to ensure that information returned from the platform will be shown on the console.
branch <device> <offset>
This command will cause OMAPFlash Second to make an unconditional branch to a memory mapped address. The device will typically be the SDRAM
handled by the OMAP SDRAM controller in this case, and the offset typically zero. The device ID must be one known by OMAPFlash Second and the
offset an integer within the address offset range valid for the device.
peek32 <address>
Get the register value of the register with the given address.
poke32 <address> <value>
Modify the register at the given address to the given value
peekpoke32 <address> <value> <mask>
Modify the register at the given address with the given value and mask
-- Flashing --
OMAPFlash Host is able to handle three basic procedures for accessing memory devices through the OMAPFlash Second loader. These procedures are used
to erase memory devices, transfer a binary file to a device or upload the device content to a binary file. In all cases, parameter values specifying
sizes or offsets are hexadecimal.
chip_erase <device>[@offset] <size>
This procedure is used to erase the content of a device, either for the whole device or for part of its address range. The ‘device’ identifier is
a string matching one of the devices available on the platform as listed from the ‘chips’ command – in other words, a device known to OMAPFlash
Second for the particular platform used (SDRAM is not a valid choice). If an ‘offset’ is used, the device erasure will start at the offset
specified. The offset will need to be compatible with the memory structure of the device in question – e.g. if the device has a block size of
40000h bytes, the offset will need to be a multiple of the block size. The ‘size’ specifies the number of bytes to erase – a value of zero has the
special meaning of “to the end of the device”, either starting at offset zero or at the specified ‘offset’ value, and can be used to erase the
entire device. Note that the typical erase functionality of a memory device is based on the erasure of blocks of memory – it may not make sense to
ask for erasure of a size that is not a multiple of the block size of the device.
chip_download <device>[@offset] <file>
In order to transfer a binary file to a device on the platform this procedure is used. The ‘device’ identifier is a string matching one of the
devices available on the platform. If an ‘offset’ is specified the binary will be downloaded to the device starting at the offset address
specified. Using an offset should be done with some caution, since the meaning of the offset value may be unclear for some device types (e.g. for
a NAND device the offset will be used without consideration of bad blocks present in the memory space preceding the offset address). The file to
be downloaded is specified by the ‘file’ parameter and must be a raw image.
chip_upload <device>[@offset] <size> <file>
In order to upload the content of a memory device this procedure is used. The ‘device’ identifier is a string matching one of the devices
available on the platform. If an ‘offset’ is specified content will be uploaded from the device starting at the offset address specified. As for
the ‘chip_download’ procedure the use of an offset should be done with caution. The ‘size’ parameter specifies the number of bytes to upload and
the ‘file’ parameter the file to which the uploaded data will be saved. Note that due to some limitations on the serial link, upload of data will
be considerably slower than download.
-- Examples --
The following examples are illustrations of the use of OMAPFlash. Sample scripts are available and installed with the tool.
-- Commands --
An example of a sequence making use of a command, including peripheral boot and download of OMAPFlash Second to the platform, could be:
omapflash -v -omap 3 -2 -p SDP_MDDR_HYNIX_4G -t 60 command peek32 6e00000
Once OMAPFlash Second is present on the platform, commands can be run with the requirement for renewed peripheral boot:
omapflash -v –p SDP_MDDR_HYNIX_4G command peek32 6e000000
-- Erase --
An example of the erasure of the content of a device on a platform could be (for NAND):
omapflash -omap 3 -2 -p SDP_MDDR_HYNIX_4G -t 60 chip_erase NAND 0
» OMAPFlash vX.X (MMM DD YYYY)
» Please turn off device
» Please turn on device
» Waiting for device
» Found device
» Searching 2nd for: SDP_MDDR_HYNIX_4G 363007 07 GP
» Loading second file Targets\2nd-Downloaders\dnld_startup_3630sdp_gp_hynix_4g.2nd
» Transferring second file to target (0x5FF8 bytes)
» Found device
» Waiting for 2nd
» Found 2nd
» Downloading driver
» Downloading 'Targets\Flash-Drivers\nand_onfi_16bit_8bit.bin'
» Sending data (11412 bytes) :::::::::::::::::::: [11412]
» Downloading complete
» Elapsed time: 0:00.343 (33271 bytes/s)
» End loading driver
» Erasing
Erase progress :::::::::::::::::::: [536870912]
» Elapsed time: 0:24.537
Additional information (e.g. bad block count, freed up memory and device information) may be available by including the verbose option:
omapflash -v -omap 3 -2 -p SDP_MDDR_HYNIX_4G -t 60 chip_erase NAND 0
» OMAPFlash vX.X (MMM DD YYYY)
» Please turn off device
» Please turn on device
» Waiting for device
» Found device
» Searching 2nd for: SDP_MDDR_HYNIX_4G 363007 07 GP
» Loading second file Targets\2nd-Downloaders\dnld_startup_3630sdp_gp_hynix_4g.2nd
» Transferring second file to target (0x5FF8 bytes)
» Found device
» Waiting for 2nd
» Found 2nd
» Downloading 'Targets\Flash-Drivers\nand_onfi_16bit_8bit.bin'
» Sending data (11412 bytes) :::::::::::::::::::: [11412]
Interface 'OMAPFLASH DRIVER v1'
Driver 'NAND ONFI 16/8 BIT'
NAND ONFIv2 VENDOR 0x2C MICRON
NAND 16 BIT DEVICE 0xBC MT29F4G16ABC
NAND 2048 BYTES/PAGE (SPARE 64)
NAND 64 PAGES/BLOCK (131072 BYTES/BLOCK)
NAND 4096 BLOCKS/UNIT (536870912 BYTES/UNIT)
NAND 512 MB TOTAL SIZE
NAND ONFI DRIVER INIT COMPLETE
» Downloading complete
» Elapsed time: 0:00.344 (33174 bytes/s)
» End loading driver
» Erasing
name=NAND address=0x28000000
Erasing to end of device starting at 0x28000000
Erase progress :::::::::::::::::::: [536870912]
NAND ERASED 535691264 BYTES FROM ADDRESS 0x28000000 (9 BAD BLOCKS)
» Elapsed time: 0:24.571
If OMAPFlash Second is already present and running on the platform, it is not necessary to perform an additional peripheral boot:
omapflash chip_erase –p SDP_MDDR_HYNIX_4G NAND 0
» OMAPFlash vX.X (MMM DD YYYY)
» Found device
» Downloading driver
» Downloading 'Targets\Flash-Drivers\nand_onfi_16bit_8bit.bin'
» Sending data (11412 bytes) :::::::::::::::::::: [11412]
» Downloading complete
» Elapsed time: 0:00.344 (33174 bytes/s)
» End loading driver
» Erasing
Erase progress :::::::::::::::::::: [536870912]
» Elapsed time: 0:24.580
-- Download --
An example of download of a binary image to a memory device could be:
omapflash -omap 3 -2 -p SDP_MDDR_HYNIX_4G -t 60 chip_download NAND .\test_data\pattern_10M.bin
» OMAPFlash vX.X (MMM DD YYYY)
» Please turn off device
» Please turn on device
» Waiting for device
» Found device
» Searching 2nd for: SDP_MDDR_HYNIX_4G 363007 07 GP
» Loading second file Targets\2nd-Downloaders\dnld_startup_3630sdp_gp_hynix_4g.2nd
» Transferring second file to target (0x5FF8 bytes)
» Found device
» Waiting for 2nd
» Found 2nd
» Downloading driver
» Downloading 'Targets\Flash-Drivers\nand_onfi_16bit_8bit.bin'
» Sending data (11412 bytes) :::::::::::::::::::: [11412]
» Downloading complete
» Elapsed time: 0:00.391 (29186 bytes/s)
» End loading driver
» Downloading
» Downloading '.\test_data\pattern_10M.bin'
» Sending data (10485760 bytes) :::::::::::::::::::: [10485760]
» Downloading complete
» Elapsed time: 0:35.095 (299593 bytes/s)
» Elapsed time: 0:35.334
-- Upload --
An example of uploading the content of a memory device from a platform could be:
omapflash -omap 3 -2 -p SDP_MDDR_HYNIX_4G -t 60 chip_upload NAND 40000 c:\temp\nand.bin
» OMAPFlash vX.X (MMM DD YYYY)
» Please turn off device
» Please turn on device
» Waiting for device
» Found device
» Searching 2nd for: SDP_MDDR_HYNIX_4G 363007 07 GP
» Loading second file Targets\2nd-Downloaders\dnld_startup_3630sdp_gp_hynix_4g.2nd
» Transferring second file to target (0x5FF8 bytes)
» Found device
» Waiting for 2nd
» Found 2nd
» Downloading driver
» Downloading 'Targets\Flash-Drivers\nand_onfi_16bit_8bit.bin'
» Sending data (11412 bytes) :::::::::::::::::::: [11412]
» Downloading complete
» Elapsed time: 0:00.344 (33174 bytes/s)
» End loading driver
» Uploading 'NAND'
Receiving data (262144 bytes) :::::::::::::::::::: [262144]
» Elapsed time: 0:32.440
» Saving 'c:\temp\nand.bin'
» OKAY
» Elapsed time: 0:16.493
-- Scripting - Download and Branch to SDRAM --
The following script will download a binary to SDRAM via USB and branch to it for execution of the downloaded image:
# OMAP3
-omap 3
# Timeout and other config
-t 60 -p SDP_MDDR_HYNIX_4G -2
# RAM Download
chip_download SDRAM exbin.bin
# Execute image from RAM
command branch SDRAM 0
Note that the branch address offset will depend on the binary - it will not always be zero. Store the script in a text file (e.g. usb_sdram.txt) and use it as an argument
to OMAPFlash:
omapflash @usb_sdram.txt
-- Linux Flashing to eMMC --
OMAPFlash does not support the flashing of a Linux file system to any memory device, including eMMC, since only RAW image downloads are supported. This means that the x-loader, boot loader and kernel can be transferred to eMMC by OMAPFlash as raw binaries, but not the file system used by the
Linux kernel. For flashing of the Linux kernel and file system, use U-Boot.
There are multiple options for transferring U-Boot to eMMC with OMAPFlash (note that eMMC is currently only supported for the OMAP4 based
platforms).
-- U-Boot Assisted U-Boot Flashing --
OMAPFlash supports the Fastboot protocol and there is a version of U-Boot available that can be used with the Fastboot protocol. With this version
of U-Boot it is possible to transfer binaries to eMMC via U-Boot. U-Boot is transferred to SDRAM and executed by OMAPFlash. Following this, U-Boot
is used to transfer binaries to eMMC by OMAPFlash by way of the Fastboot protocol. Do the following:
1) Copy the x-loader image (x-load.bin) to ‘c:\Program Files\Texas Instruments\OMAPFlash\ uboot\x-load.bin’
2) Copy the U-Boot image (u-boot.bin) to ‘c:\Program Files\Texas Instruments\OMAPFlash\uboot\u-boot.bin’
3) Connect USB and UART to the host PC (both are needed)
4) Start a terminal program (e.g. TeraTerm) with 115,200 baud, no parity, one stop bit, no flow control on what will be the UART connecting to
COM3 on the platform
5) Set the SYSBOOT options of the platform to peripheral boot from USB
6) Open a console and change location to ‘c:\Program Files\Texas Instruments\OMAPFlash’
7) Run ‘OMAPFlash @uboot_ram.txt’ in order to transfer U-Boot to SDRAM and execute it
8) Go to the terminal program and type ‘fastboot’ in order to activate the Fastboot protocol mode of U-Boot
9) Await that the OMAPFlash script finishes in the console window
10) Change the SYSBOOT options to boot from eMMC
11) Power cycle the board
Following this, U-Boot will be ready for commands via the terminal program and can be used to download kernel and file system.
-- U-Boot Flashing --
OMAPFlash supports the download of RAW binaries to eMMC via a native eMMC driver. The x-loader and U-Boot can be transferred to eMMC by OMAPFlash
directly. Do the following:
1) Copy the x-loader image (x-load.bin) to ‘c:\Program Files\Texas Instruments\OMAPFlash\ uboot\x-load.bin’
2) Copy the U-Boot image (u-boot.bin) to ‘c:\Program Files\Texas Instruments\OMAPFlash\uboot\u-boot.bin’
3) Connect USB and UART to the host PC (both are needed)
4) Start a terminal program (e.g. TeraTerm) with 115,200 baud, no parity, one stop bit, no flow control on what will be the UART connecting to
COM3 on the platform
5) Set the SYSBOOT options of the platform to peripheral boot from USB, eMMC
6) Open a console and change location to ‘c:\Program Files\Texas Instruments\OMAPFlash’
7) Run ‘OMAPFlash @uboot_emmc.txt’ in order to transfer x-loader and U-Boot to eMMC
8) Await that the OMAPFlash script finishes in the console window
Following this, U-Boot will be ready for commands via the terminal program and can be used to download kernel and file system.

moschino_luv said:
First you need to connect your phone without battery and then load usb driver windows, after install driver run bat file ,after few second ,phone repair done.
Good Luck !
http://www.mediafire.com/?4q5viaizn5zf9l0
pass: my username
Click to expand...
Click to collapse
Would this allow us to replace the locked bootloader on Chinese phones

Thanks for the great post..I ve been dealing with a dead galaxy nexus GT-I9250M canadian..the omap flash did not work for me.. and no other solution in the horizon..
I am trying to install the uart do I need to edit the driver to contain my pid vid and how can i have both the usb and the uart in this case.. my be with your expertise you could shed some lights for y the omap not working for me..
» OMAPFlash v4.15 (Aug 12 2011)
» -v
» Entering parameter file:Targets\Projects\tuna\omap4460_tuna_hs_pro.tx t at line
: 1
» -omap 4
» -t 36000
» -p OMAP4460_TUNA_8G_HS_PRO
» -2
» -rxtx_trace
» chip_download EMMC Targets\Projects\tuna\MLO_4460_HS_PRO
» chip_download EMMC Targets\Projects\tuna\sbl.img
» command cold_sw_reset
» Leaving parameter file:Targets\Projects\tuna\omap4460_tuna_hs_pro.tx t
» @Targets\Projects\tuna\omap4460_tuna_hs_pro.txt
» Looking for device (omap usb)
» Please turn on device
» Waiting for device (omap usb)
» Found device (omap usb)
» Requesting ASIC id
00130-000-TX 4 raw bytes: 03 00 03 F0 '????'
» AsicId items 05
» AsicId id 01 05 01 44 40 07 01
» AsicId secure_mode 13 02 01 00
» AsicId public_id 12 15 01 97 1E D2 40 84 FC E8 16 AA 20 26 62 0C 90 E0
83 26 88 80 7B
» AsicId root_key_hash 14 21 01 67 98 9B 35 54 CC 86 B4 67 32 47 05 36 74 E2
25 F0 9D A3 5C F4 59 B9 C9 3A 13 E0 B9 58 1E 5A BC
» AsicId checksum 15 09 01 22 9E 85 BA DC 58 74 BC
00130-001-TX 4 raw bytes: 02 00 03 F0 '????'
» Searching 2nd for: OMAP4460_TUNA_8G_HS_PRO 444007 01 HS
» Loading second file Targets/2nd-Downloaders/dnld_startup_omap4_hs_8g_es2.s2.si
gned.2nd.hs_pro
» Entering parameter filemapflash2nd.txt at line: 46
» -pheriphalboot_reopen
» Reading board configuration file Targets\Configurations\configuration_omap4460
_tuna_8g.txt
» Reading definition file .\targets\definitions\definitions_omap4.txt
» -board_config Targets\Configurations\configuration_omap4460_tuna _8g.txt
» Leaving parameter filemapflash2nd.txt
» Sending size of second file (0x000071B0 bytes)
00130-002-TX 4 raw bytes: B0 71 00 00 '?q??'
» Transferring second file to target (0x71B0 bytes)
00130-003-TX 29104 raw bytes: B0 1C 00 00 00 4D 00 00 00 00 00 00 00 00 00 00
'?????M??????????' ...
» Closing boot connection
» Waiting for device (omap usb)
» Found device (omap usb)
» Waiting for 2nd
00463-004-TX ACK
00571-005-RX: 4 raw bytes: 70 EC 8F 00 'p???'
» Unknown status message 'p???' during peripheral boot (waiting for 2nd)
Press any key to continue . . .
----------------------
Thanx in advance for your support

Thanx
thanks for the really hard work Bro
I really hope that no one need it and every body have a safe flashing
but it's really comforting to know that there is something to fix our phones just in case
have you tried it BTW?

dont work on win7

Very Useful at last

Means that you own a chinese bootloader locked I9100G. You can't flash any other bootloader than the chinese one.

I have seen this guide on nexus s somewhere but thanks to post here
Sent from my GT-I9100G using xda premium

s alali said:
dont work on win7
Click to expand...
Click to collapse
OP did say it's for XP. did you try using a virtual computer to work around that? try virtualbox

Using this tool may open the posibility for installing Windows 8. This video shows Windows 8 is running well on the TI OMAP 4430.

Your link is not downloadble. It limited by mediafire. My phone is dead and I want to fix it. I mistakenly re-partitioned with odin. Please help

tell me if you own a Chinese i9100g or international i9100 ... ?

Harchaoui said:
tell me if you own a Chinese i9100g or international i9100 ... ?
Click to expand...
Click to collapse
It was bought from uk...

ziaulh.ch said:
It was bought from uk...
Click to expand...
Click to collapse
use my GUIDE i mean this
[GUIDE]Switch between Chinese I9100G & international I9100G SafeWay

Help Needed-Karbonn A9 android 2.3.6
Hi dude, can you remove the password from the file because I cannot download it from mediafire it says encrypted
files limit exceeded. I need this file badly.
Unfortunately I bricked my karbonn A9. I used fastboot tools and by mistake I flashed APPSBL value to System(100)Data(284).mbn My karbonn a9 doesn't boot, no green screen and no red screen. when I try to boot by pressing power button its only jerking vibration and black screen but when I press power button and volume down - key it going to ENTRY QPTS DOWNLOAD mode, but when I press power button and volume up + key the phone is jerking little vibration and black screen not booting, any help would be apprecitated.
Thanks in Advance.

Cannot download the file mate!

Please urgently provide new link of it.
I need it badly for my friend.
Thank you.

Need alernate link
Hi, I have a Samsung Galaxy S2 T989 and i am having a problem mentioned as same. Could you please share an alternate link so that i could download.

moschino_luv said:
First you need to connect your phone without battery and then load usb driver windows, after install driver run bat file ,after few second ,phone repair done.
Good Luck !
http://www.mediafire.com/?4q5viaizn5zf9l0
pass: my username
Click to expand...
Click to collapse
link not working pleaze upload it again and make it public

[Q] reflash stock in fastboot

Hello,
I bricked my KFHD and it is in a reset loop right now. I got a factory cable and plan to try repairing it via fastboot. I need your kind assistance with the proper commands to flash the stock ROM and get out of fastboot if needed. I know that there are instructions for doing so in the original KF but I am not sure that it applies.
Thanks.

samio2 said:
Hello,
I bricked my KFHD and it is in a reset loop right now. I got a factory cable and plan to try repairing it via fastboot. I need your kind assistance with the proper commands to flash the stock ROM and get out of fastboot if needed. I know that there are instructions for doing so in the original KF but I am not sure that it applies.
Thanks.
Click to expand...
Click to collapse
Please describe the "reset loop" you are experiencing.

Well at boot it detects something wrong and it prompts me either to reset or reboot. Regardless of what I choose it always returns me to the same prompt. Meanwhile there is no usb connectivity what so ever. I tried the 20 second hold on the power button but nothing changed

samio2 said:
Well at boot it detects something wrong and it prompts me either to reset or reboot. Regardless of what I choose it always returns me to the same prompt. Meanwhile there is no usb connectivity what so ever. I tried the 20 second hold on the power button but nothing changed
Click to expand...
Click to collapse
When choosing "reset" does it look like its doing anything or does it just reboot?

Hello!
Ive got the same Q.
Messed up preinstalled keyboard, added some apk to /system/app folder. Now my kindle acts very bad....
Default settings in device section doesn't help. I tried to copy update....bin file to kindleupdate folder but it doesn't help, kindle won't flash (as i've already have last ver)
So, is there any way to flash KHD in fastboot mode, or using update.zip file? Mayby have someth like [UTILITY] Kindle Fire Unbrick Utility V1.1! ?
Thx a lot

It starts resetting and a progress bar shows and completes in a couple of seconds. Then it reboots back to the same prompt

I doubt factory reset would help. If my experience is any indication, factory reset will not undo any changes you did to /system. If you messed it up before resetting, you'll still be messed up after.

I think I messed up the /system and I want to try to reflash it

the good news is once you disconnect the cable the device exits fastboot also it shows up as android adb interface in device manager. but I could not get adb to see it. don't know why. I used the same PC that I used to root it and a mac but could not get adb to see it.

samio2 said:
I think I messed up the /system and I want to try to reflash it
Click to expand...
Click to collapse
What were you doing in /system before the problem started?

Was trying to install Google play. Not sure where i messed up

Do you still have adb access?

The device shows up in the device manager. But adb can't see them

samio2 said:
The device shows up in the device manager. But adb can't see them
Click to expand...
Click to collapse
What does your device manager say?

on windows it said android adb deive (or interface). as for the mac it is the same case and I used the usb probe and here is the output
Code:
High Speed device @ 2 (0x26200000): ............................................. Composite device: "Tate-PVT-08"
Port Information: 0x001f
Captive
Attached to Root Hub
Internal Device
Connected
Enabled
Device Descriptor
Descriptor Version Number: 0x0200
Device Class: 0 (Composite)
Device Subclass: 0
Device Protocol: 0
Device MaxPacketSize: 64
Device VendorID/ProductID: 0x1949/0x0007 (Lab126)
Device Version Number: 0x0100
Number of Configurations: 1
Manufacturer String: 5 "Texas Instruments"
Product String: 1 "Tate-PVT-08"
Serial Number String: 2 "XXX"
Configuration Descriptor: ....................................... "Android Fastboot"
Length (and contents): 32
Raw Descriptor (hex) 0000: 09 02 20 00 01 01 03 C0 32 09 04 00 00 02 FF 42
Raw Descriptor (hex) 0010: 03 04 07 05 81 02 00 02 00 07 05 01 02 00 02 00
Unknown Descriptor 0020:
Number of Interfaces: 1
Configuration Value: 1
Attributes: 0xC0 (self-powered)
MaxPower: 100 ma
Interface #0 - Vendor-specific .............................................. "Android Fastboot"
Alternate Setting 0
Number of Endpoints 2
Interface Class: 255 (Vendor-specific)
Interface Subclass; 66 (Vendor-specific)
Interface Protocol: 3
Endpoint 0x81 - Bulk Input
Address: 0x81 (IN)
Attributes: 0x02 (Bulk no synchronization data endpoint)
Max Packet Size: 512
Polling Interval: 0 ( Endpoint never NAKs)
Endpoint 0x01 - Bulk Output
Address: 0x01 (OUT)
Attributes: 0x02 (Bulk no synchronization data endpoint)
Max Packet Size: 512
Polling Interval: 0 ( Endpoint never NAKs)
Device Qualifier Descriptor
Descriptor Version Number: 0x0200
Device Class 255 (Vendor-specific)
Device Subclass 255 (Vendor-specific)
Device Protocol 255
Device MaxPacketSize: 64
Number of Configurations: 1
bReserved: 0
Configuration Descriptor Device gave an error kIOReturnSuccess (0x0) when asked for first 4 bytes of descriptor
Configuration Descriptor Device gave an error kIOReturnSuccess (0x0) when asked for first 9 bytes of descriptor

Well, that's helpful. It says you're in fastboot. Try using fastboot to change your bootmode to either recovery or normal mode and see if you can get a different result.

Shouldn't adb recognize it to work with faatboot or are they separate?
how do change the bootmode? How to change it back?
I tried fastboot reboot but all i got is waiting for device message.

samio2 said:
Shouldn't adb recognize it to work with faatboot or are they separate?
how do change the bootmode? How to change it back?
I tried fastboot reboot but all i got is waiting for device message.
Click to expand...
Click to collapse
ADB and fastboot are completely separate.
Try "fastboot devices"

fastboot devices shows nothing for me

That's likely an issue with your drivers. Try reinstalling them. Or better yet, try the SoupKit and save yourself some hassle.

Kernel is not booting at all

Hello,
I tried to build a kernel myself and it just fails to boot. I have UART access (through headphone adapter) and I just get nothing in the serial console.
I have CM 11.0 and I cloned CM's android_kernel_lge_hammerhead repo and checked out stable/cm-11.0 with hammerhead_defconfig.
I used google's arm-eabi-4.8 precompiled toolchain.
To boot:
Code:
ttouch android_kernel_lge_hammerhead> sudo fastboot boot arch/arm/boot/zImage-dtb
creating boot image...
creating boot image - 8583168 bytes
downloading 'boot.img'...
OKAY [ 0.375s]
booting...
OKAY [ 0.123s]
finished. total time: 0.498s
Here is what I get in UART:
Code:
welcome to hammerhead bootloader
[10] Power on reason 81
[10] DDR: elpida
[90] Loaded IMGDATA at 0x11000000
[90] Display Init: Start
[170] MDP GDSC already enabled
[170] bpp 24
[210] Config MIPI_CMD_PANEL.
[210] display panel: ORISE
[210] display panel: Default setting
[340] Turn on MIPI_CMD_PANEL.
[390] Display Init: Done
[390] cable type from shared memory: 8
[390] vibe
[590] USB init ept @ 0xf957000
[610] secured device: 1
[610] fastboot_init()
[660] splash: fastboot_op
FASTBOOT MODE
PRODUCT_NAME - hammerhead
VARIANT - hammerhead D821(E) 16GB
HW VERSION - rev_11
BOOTLOADER VERSION - HHZ11k
BASEBAND VERSION - M8974A-2.0.50.1.16
CARRIER INFO - None
SERIAL NUMBER - <blablablabla>
SIGNING - production
SECURE BOOT - enabled
LOCK STATE - unlocked
[770] splash: start
[1260] splash: bootloader
[1260] Fastboot mode started
[1260] udc_start()
�����l[60660] -- reset --
[60660] -- portchange --
[60820] -- reset --
[60820] -- portchange --
[60990] fastboot: processing commands
��[112660] fastboot: download:0082f800
downloading...
[113140] fastboot: boot
[113150] Found Appeneded Flattened Device tree
[113150] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[113160] get_display_kcal = 0, 0, 0, x
[113200] vibe
[113300] splash: boot
[113340] splash: unlocked
[113380] cmdline: uart_console=enable lcd_maker_id=primary lge.hreset=off lge.reset=unknown gpt=enable lge.kcal=0|0|0|x lge.rev=rev_11 androidboot.laf androidboot.emmc=true fastboot=true androidboot.serialno=<blablablabla> androidboot.bootloader=HHZ11k androidb[113400] Updating device tree: start
[113420] Updating device tree: done
[113420] booting linux @ 0x10008000, ramdisk @ 0x11000000 (0), tags/device tree @ 0x10000100
[113430] Turn off MIPI_CMD_PANEL.
[113430] Continuous splash enabled, keeping panel alive.
[113430] undefined abort, halting
[113430] r0 0x00000000 r1 0x00000000 r2 0x10000100 r3 0x003996e3
[113430] r4 0x10008000 r5 0x0f92607a r6 0x0f925d5b r7 0x0f925f89
[113430] r8 0x0f955652 r9 0x0f9556c7 r10 0x00000001 r11 0x10000100
[113430] r12 0x20000193 usp 0x00000000 ulr 0x00000000 pc 0x1000800c
[113430] spsr 0x40000193

I've never installed a kernel like that (via fastboot) and I had to look up the headphone UART adapter thing.
I don't have much to offer. I always use mkbootimg to link my kernel and ramdisk, then flash it via fastboot. Looking at your serial dump, the only thing I see is that the base, ramdisk, and tags offsets look completely different from the ones I use with mkbootimg.
BASE=0x00000000
PAGESIZE=2048
RAMDISK_OFFSET=0x02900000
TAGS_OFFSET=0x02700000
I'm playing around with my breadboard and an FTDI USB<-->Serial board I have to try and make a working serial console and I'll see what my N5 dumps.

Gene Poole said:
I've never installed a kernel like that (via fastboot) and I had to look up the headphone UART adapter thing.
I don't have much to offer. I always use mkbootimg to link my kernel and ramdisk, then flash it via fastboot. Looking at your serial dump, the only thing I see is that the base, ramdisk, and tags offsets look completely different from the ones I use with mkbootimg.
BASE=0x00000000
PAGESIZE=2048
RAMDISK_OFFSET=0x02900000
TAGS_OFFSET=0x02700000
Click to expand...
Click to collapse
Thanks, I'll try that.
Gene Poole said:
I'm playing around with my breadboard and an FTDI USB<-->Serial board I have to try and make a working serial console and I'll see what my N5 dumps.
Click to expand...
Click to collapse
I guess you're trying to build the N4 cable, but it does not work.
For the N5 to work you need to supply 3V3 and not 1V8 to the VCC
The RX though (serial input to the N5) should be 1V8 (done with a simple voltage divider, try 1K and 1.2K to GND) or there is a chance that you'll fry your serial.

Yeah, my search showed that the N5 version needed no resistors, but I used some anyway just to shunt some voltage. It worked. I got a dump and it does appear that your offsets are not right. Here's my dump up to the kernel taking over:
Code:
welcome to hammerhead bootloader
[10] Power on reason 80
[10] DDR: hynix
[90] Loaded IMGDATA at 0x11000000
[90] Display Init: Start
[170] MDP GDSC already enabled
[170] bpp 24
[210] Config MIPI_CMD_PANEL.
[210] display panel: ORISE
[260] Found Appeneded Flattened Device tree
[260] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[300] Set panel ON cmds [35]
[420] Turn on MIPI_CMD_PANEL.
[470] Display Init: Done
[470] cable type from shared memory: 8
[470] reboot_mode restart reason = power_on
[520] vibe
[620] splash: boot
[660] splash: unlocked
[700] use_signed_kernel=0, is_unlocked=1, is_tampered=0.
[700] Loading boot image (9226240): start
[1030] Loading boot image (9226240): done
[1030] Found Appeneded Flattened Device tree
[1040] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[1040] get_display_kcal = 0, 0, 0, x
[1050]
Booting Linux
[1050] cmdline: console=ttyHSL0,115200,n8 androidboot.hardware=hammerhead user_debug=31 maxcpus=2 msm_watchdog_v2.enable=1 selinuxt
[1090] Updating device tree: done
[1090] booting linux @ 0x8000, ramdisk @ 0x2900000 (714802), tags/device tree @ 0x2700000
[1100] Turn off MIPI_CMD_PANEL.
[1100] Continuous splash enabled, keeping panel alive.
[ 0.000000] Booting Linux on physical CPU 0
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Linux version 3.4.0-hoxnet-gd745771 ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #7 SMP PREE5
[ 0.000000] CPU: ARMv7 Processor [512f06f0] revision 0 (ARMv7), cr=10c5387d
[ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, PIPT instruction cache
...
I see a fastboot option, -b, for specifying the kernel base address. Try with -b 0x8000.
Edit: maybe it's -b 0. looks like the address gets 0x8000 added by default.

Gene Poole said:
Yeah, my search showed that the N5 version needed no resistors, but I used some anyway just to shunt some voltage. It worked. I got a dump and it does appear that your offsets are not right. Here's my dump up to the kernel taking over:
Code:
welcome to hammerhead bootloader
[10] Power on reason 80
[10] DDR: hynix
[90] Loaded IMGDATA at 0x11000000
[90] Display Init: Start
[170] MDP GDSC already enabled
[170] bpp 24
[210] Config MIPI_CMD_PANEL.
[210] display panel: ORISE
[260] Found Appeneded Flattened Device tree
[260] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[300] Set panel ON cmds [35]
[420] Turn on MIPI_CMD_PANEL.
[470] Display Init: Done
[470] cable type from shared memory: 8
[470] reboot_mode restart reason = power_on
[520] vibe
[620] splash: boot
[660] splash: unlocked
[700] use_signed_kernel=0, is_unlocked=1, is_tampered=0.
[700] Loading boot image (9226240): start
[1030] Loading boot image (9226240): done
[1030] Found Appeneded Flattened Device tree
[1040] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[1040] get_display_kcal = 0, 0, 0, x
[1050]
Booting Linux
[1050] cmdline: console=ttyHSL0,115200,n8 androidboot.hardware=hammerhead user_debug=31 maxcpus=2 msm_watchdog_v2.enable=1 selinuxt
[1090] Updating device tree: done
[1090] booting linux @ 0x8000, ramdisk @ 0x2900000 (714802), tags/device tree @ 0x2700000
[1100] Turn off MIPI_CMD_PANEL.
[1100] Continuous splash enabled, keeping panel alive.
[ 0.000000] Booting Linux on physical CPU 0
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Linux version 3.4.0-hoxnet-gd745771 ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #7 SMP PREE5
[ 0.000000] CPU: ARMv7 Processor [512f06f0] revision 0 (ARMv7), cr=10c5387d
[ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, PIPT instruction cache
...
I see a fastboot option, -b, for specifying the kernel base address. Try with -b 0x8000.
Edit: maybe it's -b 0. looks like the address gets 0x8000 added by default.
Click to expand...
Click to collapse
Didn't work.
I also tried to build a boot.img, I flashed it (just to be sure) and I get all the same results.
My tags/device tree is different and I don't know how to change it. There is no available option in fastboot or mkbootimg

ttouch said:
Didn't work.
I also tried to build a boot.img, I flashed it (just to be sure) and I get all the same results.
My tags/device tree is different and I don't know how to change it. There is no available option in fastboot or mkbootimg
Click to expand...
Click to collapse
mkbootimg has an undocumented --tags_offset option. I don't know why it doesn't show up in the --help. I found it in the source for mkbootimg (in the AOSP tree) when I first ran the unpackbootimg and noticed that it dumped text files containing info about the offsets.
I have a shell script I use to make boot images. Here it is:
Code:
#!/bin/sh
RAMDISK=ramdisk
KERNEL=zImage
BASE=0x00000000
PAGESIZE=2048
RAMDISK_OFFSET=0x02900000
TAGS_OFFSET=0x02700000
CMDLINE="console=ttyHSL0,115200,n8 androidboot.hardware=hammerhead user_debug=31 maxcpus=2 msm_watchdog_v2.enable=1 selinux=1"
echo Making ramdisk image ...
(cd ${RAMDISK} ; mkbootfs . | gzip -9c > ../${RAMDISK}.cpio.gz )
echo Making boot image ...
mkbootimg --kernel ${KERNEL} --ramdisk ${RAMDISK}.cpio.gz --cmdline "${CMDLINE}" -o boot.img --base ${BASE} --pagesize ${PAGESIZE} --ramdisk_offset ${RAMDISK_OFFSET} --tags_offset ${TAGS_OFFSET}
"ramdisk" is a directory containing the unpacked AOSP stock ramdisk (plus my modifications). These offset values were obtained from unpackbootimg executable but I can't remember where I found the source. I'll send you a copy if you want it.

Gene Poole said:
mkbootimg has an undocumented --tags_offset option. I don't know why it doesn't show up in the --help. I found it in the source for mkbootimg (in the AOSP tree) when I first ran the unpackbootimg and noticed that it dumped text files containing info about the offsets.
I have a shell script I use to make boot images. Here it is:
Code:
#!/bin/sh
RAMDISK=ramdisk
KERNEL=zImage
BASE=0x00000000
PAGESIZE=2048
RAMDISK_OFFSET=0x02900000
TAGS_OFFSET=0x02700000
CMDLINE="console=ttyHSL0,115200,n8 androidboot.hardware=hammerhead user_debug=31 maxcpus=2 msm_watchdog_v2.enable=1 selinux=1"
echo Making ramdisk image ...
(cd ${RAMDISK} ; mkbootfs . | gzip -9c > ../${RAMDISK}.cpio.gz )
echo Making boot image ...
mkbootimg --kernel ${KERNEL} --ramdisk ${RAMDISK}.cpio.gz --cmdline "${CMDLINE}" -o boot.img --base ${BASE} --pagesize ${PAGESIZE} --ramdisk_offset ${RAMDISK_OFFSET} --tags_offset ${TAGS_OFFSET}
"ramdisk" is a directory containing the unpacked AOSP stock ramdisk (plus my modifications). These offset values were obtained from unpackbootimg executable but I can't remember where I found the source. I'll send you a copy if you want it.
Click to expand...
Click to collapse
My mkbootimg does not have the tags_offset.
When I try to build the boot image with tags_offset, mkbootimg shows me the help message, which means it got no tags_offset option.
EDIT: Nevermind, I cloned and compiled the latest mkbootimg from here. Trying to boot it now...
EDIT2: IT WORKS!!

Since the AOSP build has to create a boot image, it is included in the utilities. I always use the one native to the build tree. It is in:
[aosp_root]/out/host/linux-x86/bin/mkbootimg
and the source is in:
[aosp_root]/system/core/mkbootimg/

flash recovery partition from android system/userland

I'm having trouble with fastboot (see my thread here: https://forum.xda-developers.com/xperia-xz1-compact/help/issues-fastboot-t3971227, maybe you can help). However, I can seem to flash sony signed software in sony-service mode using newflasher. That's nice, but I haven't used stock android in years. I am very used to lineageos without gapps---nice and clean. So, for me, until I get rid of stock and get a clean flash of lineage, I'm really not happy.
Given my state of affairs, I'm wondering about flashing one of the exploitable sony stocks and to get root, then flashing the recovery partition with twrp from userland. Then, potentially, i could boot to that recovery and maybe (idk) flash a new system ROM. Does anyone have any tips or suggestions?

It should work as you outlined.
Still having BL unlocked and not usable fastboot seems like a major disadvantage to me.
Did you try with different PC to see if it is not due to usb chipset or something?
Preferably using usb 2.0 only chipset?
Maybe trying that from different OSes too - linux vs win?

Thanks for the reply. I got the exploitable firmware downloaded and flashed as well as your renosploit kit. Hasn't found a root shell yet although I'm hopeful it will eventually (I haven't read the details but I understand that the underlying vuln is a race condition).
One question: I suppose that given that tmp root status, it should be possible to copy a su binary over and make root permanent, that would make experimentation easier, I think. And if whatever I try fails the first time I wouldn't want to have to wait for the race condition exploit every time I wanted to reboot. Am I on the right track? If so, I suppose I need to either compile or download a su binary and possibly a supersu.apk in order to manage it. Are those already available for the xz1 compact?

@apexofservice, planting su binary is possible into /oem for example, it would switch the user to root, but without any better permissions, due to selinux, so it is useless.
But since you have your BL unlocked, you do not need that. As soon as you have twrp, you can flash magisk to have root on runtime easily. Or just enter twrp to have root in recovery.

j4nn said:
@apexofservice, planting su binary is possible into /oem for example, it would switch the user to root, but without any better permissions, due to selinux, so it is useless.
But since you have your BL unlocked, you do not need that. As soon as you have twrp, you can flash magisk to have root on runtime easily. Or just enter twrp to have root in recovery.
Click to expand...
Click to collapse
Got it. Thank you for this detail. So you think my best bet is to just use the root shell to `dd` the twrp image directly to some /dev? And then I would just `adb reboot recovery` and in theory I'm good to go.

Cool. I got a root shell with your exploit kit. I've got two questions at this point.
1) If my bootloader unlock had fully succeeded, would I have expected to find all 0x0 in the TA partition? In fact, there is data in there, so I went ahead and downloaded it. I skimmed the data with xxd and there are some sections of 0x0 as well though.
2) Second question, I've read that xperia's don't have a proper "recovery" partition the way some other boards do. So is FOTAkernel actually where I want to write twrp.img? Also, it would seem that this info is actually encoded somewhere in the fastboot client since on a working fastboot, you can just say "flash recovery" and it knows what part of the disk to write to. Any info about partition layouts on lilac and xperia's in general would be greatly appreciated.

apexofservice said:
Cool. I got a root shell with your exploit kit. I've got two questions at this point.
1) If my bootloader unlock had fully succeeded, would I have expected to find all 0x0 in the TA partition? In fact, there is data in there, so I went ahead and downloaded it. I skimmed the data with xxd and there are some sections of 0x0 as well though.
2) Second question, I've read that xperia's don't have a proper "recovery" partition the way some other boards do. So is FOTAkernel actually where I want to write twrp.img? Also, it would seem that this info is actually encoded somewhere in the fastboot client since on a working fastboot, you can just say "flash recovery" and it knows what part of the disk to write to. Any info about partition layouts on lilac and xperia's in general would be greatly appreciated.
Click to expand...
Click to collapse
1 - The TA partition contains significant amounts of other information as well. So it won't be empty.
The standard way of dealing with it is to not mess with it at all.
2 - The FOTAkernel is the recovery.
2a - The partition layout can be found from the stock firmware image in the "partition-image-LUNZ_X-FLASH-ALL-C93B.sin" file where "Z" is the LUN number. Once you extract the SIN file, you're left with an EFI partition header.
I've attached a CSV file that contains the layout as specified in the "partition-image-LUN0_X-FLASH-ALL-C93B.sin" file.
The layout for LUNs 1 and 2 both contain a single 4MB partition for "xbl" and "xblbak" respectively, so they're not as interesting.

@pbarrette, thanks! I tried the naive approach:
Code:
d if=twrp-3.2.1-0-lilac-10-patchlevel-2018-05-05.img of=/dev/block/bootdevice/by-name/FOTAKernel <
60128+0 records in
60128+0 records out
30785536 bytes transferred in 2.100 secs (14659779 bytes/sec)
G8441:/data/local/tmp # sync
G8441:/data/local/tmp # sync
G8441:/data/local/tmp # reboot recovery
Alas, it just rebooted back to system. It did seem to take a bit longer, so it's possible that it tried to boot from FOTAKernel and failed then fell back to system. I've just got a new root shell so I can look in startup logs from dmesg to see if there's anything of interest.
Also, I'm probably missing something really obvious. Thanks for any insight!
Reading dmesg now, this seems quite relevant (I recall booting to recovery on my z3 compact by touching a file in /cache/recovery). I'll post it here but I'm still reading the dmesg.
Code:
[ 7.406109] bs_roots: recovery filesystem table
[ 7.406120] bs_roots: =========================
[ 7.406125] bs_roots: 0 /data ext4 /dev/block/bootdevice/by-name/userdata
[ 7.406130] bs_roots: 1 /oem ext4 /dev/block/bootdevice/by-name/oem
[ 7.406134] bs_roots: 2 /cache ext4 /dev/block/bootdevice/by-name/cache
[ 7.406139] bs_roots: 3 /rca ext4 /dev/block/bootdevice/by-name/appslog
[ 7.406143] bs_roots: 4 /idd ext4 /dev/block/bootdevice/by-name/diag
[ 7.406148] bs_roots: 5 /storage/sdcard1 vfat /devices/soc/c0a4900.sdhci/mmc_host*
[ 7.406153] bs_roots: 6 none swap /dev/block/zram0
[ 7.406157] bs_roots: 7 /persistent emmc /dev/block/bootdevice/by-name/frp
[ 7.406162] bs_roots: 8 /misc emmc /dev/block/bootdevice/by-name/misc
[ 7.406167] bs_roots: 9 /firmware vfat /dev/block/bootdevice/by-name/modem
[ 7.406172] bs_roots: 10 /bt_firmware vfat /dev/block/bootdevice/by-name/bluetooth
[ 7.406177] bs_roots: 11 /dsp ext4 /dev/block/bootdevice/by-name/dsp
[ 7.406182] bs_roots: 12 /persist ext4 /dev/block/bootdevice/by-name/persist
[ 7.406187] bs_roots: 13 /boot/modem_fs1 emmc /dev/block/bootdevice/by-name/modemst1
[ 7.406191] bs_roots: 14 /boot/modem_fs2 emmc /dev/block/bootdevice/by-name/modemst2
[ 7.406195] bs_roots: 15 auto auto /devices/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb*
[ 7.406199] bs_roots: 16 /qns ext4 /dev/block/bootdevice/by-name/Qnovo
[ 7.406203] bs_roots: 17 /tmp ramdisk ramdisk
[ 7.406206] bs_roots:
[ 7.408585] MR: Mounting /cache ourselves
[ 7.412318] EXT4-fs (sda53): recovery complete
[ 7.412666] EXT4-fs (sda53): mounted filesystem with ordered data mode. Opts:
[ 7.413213] MR: fopen() failed -/cache/recovery/command (No such file or directory)
[ 7.413219] MR: Unmounting /cache
[ 7.413959] MR: Fail to get command from /cache/recovery/command, trying /misc
[ 7.414272] MR: Unknown wipe command
[ 7.414280] MR: Buffer is empty from /dev/block/bootdevice/by-name/misc with command 0
[ 7.417568] MR: TA_MASTER_RESET value = 0
[ 7.418475] init: Service 'exec 3 (/sbin/mr)' (pid 605) exited with status 0 waiting took 0.022997 se
conds
[ 7.418513] init: starting service 'exec 4 (/sbin/ffu)'...
[ 7.418846] init: SVC_EXEC pid 609 (uid 0 gid 0+0 context u:r:recovery:s0) started; waiting...
[ 7.419833] init: Service 'exec 4 (/sbin/ffu)' (pid 609) exited with status 255 waiting took 0.001316
seconds
------
One more update, I did a sanity check that that dd command is actually overwriting FOTAkernel. It doesn't look like it's working:
Code:
G8441:/data/local/tmp # dd if=/dev/block/bootdevice/by-name/FOTAKernel of=FOTAKernel-extracted.img
131072+0 records in
131072+0 records out
67108864 bytes transferred in 0.812 secs (82646384 bytes/sec)
G8441:/data/local/tmp # chown shell:shell FOTAKernel-extracted.img
G8441:/data/local/tmp # dd if=twrp-3.2.1-0-lilac-10-patchlevel-2018-05-05.img of=/dev/block/bootdevice/by-name/FOTAKernel
60128+0 records in
60128+0 records out
30785536 bytes transferred in 2.037 secs (15113174 bytes/sec)
G8441:/data/local/tmp # sync
G8441:/data/local/tmp # sync
=/dev/block/bootdevice/by-name/FOTAKernel of=FOTAKernel-extracted-2.img <
131072+0 records in
131072+0 records out
67108864 bytes transferred in 0.846 secs (79324898 bytes/sec)
And there's no `diff` on the device, so I pulled the files back to a laptop then:
Code:
$ diff FOTAKernel-extracted-2.img FOTAKernel-extracted.img
$ diff FOTAKernel-extracted.img twrp-3.2.1-0-lilac-10-patchlevel-2018-05-05.img
Binary files FOTAKernel-extracted.img and twrp-3.2.1-0-lilac-10-patchlevel-2018-05-05.img differ

@j4nn @pbarrette doing some more reading, I found some interesting details about booting to recovery stored on FOTAKernel here:
https://twrp.me/sony/sonyxperiaxz.html
https://twrp.me/sony/sonyxperiaz3compact.html
Looks like you really need a kernel that has the ramdisk extraction setup. So I'm guessing that once I figure out why dd isn''t working as I expected (see above) that I need to overwrite the main stock kernel with an alternative.

Yes, a dd extraction of the partition will be different than the TWRP image.
That's because the TWRP image is only ~35MB, while "dd" is extracting the entire 64MB partition.
So, if you do a visual diff on the files, you should see that what's actually different is the fact that the partition extraction is filled with zeros after the end of the TWRP image.
You're doing a "reboot recovery", but have you tried:
1 - Turn the phone off
2 - Press and hold [Vol-Down].
3 - Press and hold [Power].
4 - Release [Power] at power on.
5 - Release [Vol-Down] when you see an actual boot screen (after the bootloader unlocked screen).
I don't remember the "reboot recovery" command ever working right for me.
Edit to add: That's also a really old version of TWRP that you seem to be using.

pbarrette said:
Yes, a dd extraction of the partition will be different than the TWRP image.
That's because the TWRP image is only ~35MB, while "dd" is extracting the entire 64MB partition.
So, if you do a visual diff on the files, you should see that what's actually different is the fact that the partition extraction is filled with zeros after the end of the TWRP image.
You're doing a "reboot recovery", but have you tried:
1 - Turn the phone off
2 - Press and hold [Vol-Down].
3 - Press and hold [Power].
4 - Release [Power] at power on.
5 - Release [Vol-Down] when you see an actual boot screen (after the bootloader unlocked screen).
I don't remember the "reboot recovery" command ever working right for me.
Edit to add: That's also a really old version of TWRP that you seem to be using.
Click to expand...
Click to collapse
Hot damn. Thanks, I'm booted to twrp!
Note: i was using the older version for android 8 since I'm currently on the android 8 exploitable rom!

apexofservice said:
@j4nn @pbarrette doing some more reading, I found some interesting details about booting to recovery stored on FOTAKernel here:
https://twrp.me/sony/sonyxperiaxz.html
https://twrp.me/sony/sonyxperiaz3compact.html
Looks like you really need a kernel that has the ramdisk extraction setup. So I'm guessing that once I figure out why dd isn''t working as I expected (see above) that I need to overwrite the main stock kernel with an alternative.
Click to expand...
Click to collapse
XZ1 compact never needed the recovery with this extraction stuff. But according to
https://twrp.me/sony/sonyxperiaxzpremium.html
XZ Premium (which is also yoshino platform, the same as xz1c is) seems to need that - but I am not sure if it is still valid.
It might got fixed even in xzp case with some bootloader update to have it working the same as with other yoshino phones.
Sorry for my late answer, it's good you already have it working.
But I still wonder about that usb problem with fastboot - have you tried a different pc with different usb controller, preferably usb 2.0 type (not 3.0 one)?

j4nn said:
XZ1 compact never needed the recovery with this extraction stuff. But according to
https://twrp.me/sony/sonyxperiaxzpremium.html
XZ Premium (which is also yoshino platform, the same as xz1c is) seems to need that - but I am not sure if it is still valid.
It might got fixed even in xzp case with some bootloader update to have it working the same as with other yoshino phones.
Sorry for my late answer, it's good you already have it working.
But I still wonder about that usb problem with fastboot - have you tried a different pc with different usb controller, preferably usb 2.0 type (not 3.0 one)?
Click to expand...
Click to collapse
I haven't yet. Well, I have sorta. When I first ran into issues, I tried it with a different laptop, got the same result. Now that laptop was also a thinkpad (although a newer model) and was also running debian linux. I don't have any computers with Windows. I was going to reboot this laptop with usb3.0 kernel mod blacklisted and only using hci but I didn't get around to it yet (especially once I got twrp flashed and working, then I mainly wanted to get started actually using the phone i bought ). However, if it were a usb thing, wouldn't we expect that newflasher would fail too? Still, it is very curious about the fastboot thing, however, so I'm willing to keep playing with it.

@apexofservice, I am not sure if blacklisting usb3 drivers would help. Sometime there may be present multiple usb ports, some connected to usb 3.0 host controller, others just usb 2.0 controller.
Even if newflasher works, it is not that simple, that fastboot should work too.
Fastboot (including it's usb support) is implemented in UEFI bootloader, the ABL component of it (Android Boot Loader).
So usb stack is implemented by UEFI fw.
While newflasher uses flash mode, which is running XFL - a linux (bare bone android) kernel, running the lilo/loader userspace application. So there is in my opinion quite good usb stack implemented by linux kernel.
So it can easily be some incompatibility within UEFI usb stack implementation used with fastboot.

[TUTORIAL] How to unbrick Nexus 7 without blob.bin (REQUIRES ANOTHER NEXUS 7 2012)

Thanks to @Jirmd for letting me use his post as a reference.
Original post: https://forum.xda-developers.com/nexus-7/general/unbrick-nexus-7-tegra-3-device-t4078627
Alternative Method:
1. https://github.com/tofurky/tegra30_debrick
2. https://forum.xda-developers.com/t/...-without-another-n7-or-tegra30-device.4305955
(Both methods do not require another Nexus 7)
Requirements:
1. Linux-based OS (I use Ubuntu 18.04)
2. NvFlash and Wheelie (You can download the Linux version down below)
3. A USB cable (A good and sturdy one)
4. Nerve of steel lol
5. Must have APX driver installed.
6. Another Nexus 7 (Ask someone that have it or ask me)(MUST BE ROOTED AND HAVE TWRP RECOVERY INSTALLED)
7. ADB (platform-tools)
1. DUMP SBK VIA USB
Step 1: Download fusee-launcher for Nexus 7 from this link and extract it to a folder:
http://www.mediafire.com/file/sgwsa79idk24z8u/fusee-launcher-n7.zip/file
Step 2: Open a terminal inside of the folder then type:
Code:
sudo apt-get install python-usb python3-usb
Wait for it to complete. After that, type:
Code:
pip install pyusb
Step 3: Connect your device to a USB 3.0 port (REQUIRED). You can check for connection using "lsusb". There must be a "NVidia Corp" in the list.
Step 4: Type:
Code:
sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin
Something like this should appear:
Code:
05f4a5d01'
Stack snapshot: b'0000000000000000100000003c9f0040'
EndpointStatus_stack_addr: 0x40009f3c
ProcessSetupPacket SP: 0x40009f30
InnerMemcpy LR stack addr: 0x40009f20
overwrite_len: 0x00004f20
overwrite_payload_off: 0x00004de0
payload_first_length: 0x00004de0
overwrite_payload_off: 0x00004de0
payload_second_length: 0x0000c7b0
b'00a0004000300040e04d0000b0c70000'
Setting rcm msg size to 0x00030064
RCM payload (len_insecure): b'64000300'
Setting ourselves up to smash the stack...
Payload offset of intermezzo: 0x00000074
overwrite_payload_off: 0x00004de0
overwrite_len: 0x00004f20
payload_overwrite_len: 0x00004e5c
overwrite_payload_off: 0x00004de0
smash_padding: 0x00000000
overwrite_payload_off: 0x00004de0
Uploading payload...
txing 73728 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
txing 4096 bytes (20480 already sent) to buf[1] 0x40005000
txing 4096 bytes (24576 already sent) to buf[0] 0x40003000
txing 4096 bytes (28672 already sent) to buf[1] 0x40005000
txing 4096 bytes (32768 already sent) to buf[0] 0x40003000
txing 4096 bytes (36864 already sent) to buf[1] 0x40005000
txing 4096 bytes (40960 already sent) to buf[0] 0x40003000
txing 4096 bytes (45056 already sent) to buf[1] 0x40005000
txing 4096 bytes (49152 already sent) to buf[0] 0x40003000
txing 4096 bytes (53248 already sent) to buf[1] 0x40005000
txing 4096 bytes (57344 already sent) to buf[0] 0x40003000
txing 4096 bytes (61440 already sent) to buf[1] 0x40005000
txing 4096 bytes (65536 already sent) to buf[0] 0x40003000
txing 4096 bytes (69632 already sent) to buf[1] 0x40005000
txing 4096 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
Smashing the stack...
sending status request with length 0x00004f20
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!
b'4445414442454546'
DEADBEEF
b'3030303030303030'
00000000
b'3030303030303030'
00000000
b'3034303030303930'
04000090
b'4634314330433241'
F41C0C2A
b'3133333731333337'
13371337
b'3535353535353535'
55555555
b'3430303033303030'
40003000
b'3430303035303030'
40005000
b'4141414141414141'
AAAAAAAA
b'3131313131313131'
11111111
b'3030303030303236'
00000026
b'3232323232323232'
22222222
b'68656c6c6f2c20776f726c640a00'
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
Traceback (most recent call last):
File "./fusee-launcher.py", line 823, in <module>
buf = switch.read(USB_XFER_MAX)
File "./fusee-launcher.py", line 530, in read
return self.backend.read(length)
File "./fusee-launcher.py", line 134, in read
return bytes(self.dev.read(0x81, length, 3000))
File "/usr/local/lib/python3.6/dist-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/local/lib/python3.6/dist-packages/usb/_debug.py", line 60, in do_trace
return f(*args, **named_args)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Search for the line "hello, world" inside of your log. It looks like this in this example:
Code:
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
The last 8 characters are not your SBK. This is the first 8 numbers of your Device ID. Delete this and delete the b' at the start and also the ' at the end.
The result should look like this:
Code:
e57de3bab6cb499d874d5772cb219f01
Congratulation, you have successfully dump your device SBK via USB.
2. GETTING YOUR CPU UID
Step 1: Download Wheelie and NvFlash then extract it to a folder.
Step 2: Download this broken blob.bin file (REQUIRE)
http://www.mediafire.com/file/32cxvjv2wajokqf/blob.bin/file
Then place it inside of the Wheelie and NvFlash folder.
Step 3: Open a terminal inside of the folder then type:
Code:
./wheelie --blob blob.bin
After that, something like this should appear:
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
[=] Chip UID: 0x98254853062001158
[-] Incorrect SBK or SBK type selected. nverror: 0x4.
Search for "Chip UID", remove the "0x" at the beginning. The result should look like this:
Code:
98254853062001158
Congratulation, you got your chip UID
3. GENERATE BLOB FILES USING ANOTHER NEXUS 7
Step 1: Download MkNvfBlob from this link:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/precompiled/precompiledN7.tar.xz
Note: Extract this to your Nexus 7.
Step 1.1: Reboot into TWRP recovery.
Step 2: Open a terminal inside of you ADB folder then type:
Code:
adb shell
After that:
Code:
su
Type this command after that:
Code:
mkdir /AndroidRoot
Last one:
Code:
cat /proc/cpuinfo > /AndroidRoot/cpuinfo
Pull the cpuinfo file using this command:
Code:
adb pull /AndroidRoot
Note: You could copy your cpuinfo file to your PC using MTP (IDK how to do this so search Google lol)
Open your ADB folder and there should be a AndroidRoot folder with a cpuinfo file inside of it.
Open cpuinfo using a Text Editor. Something like this should be inside:
Code:
Processor : ARMv7 Processor rev 9 (v7l)
processor : 0
BogoMIPS : 1993.93
processor : 1
BogoMIPS : 1993.93
processor : 2
BogoMIPS : 1993.93
processor : 3
BogoMIPS : 1993.93
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
Hardware : grouper
Revision : 0000
Serial : 015d4a5f202c0401
Replace the Serial line with your Chip UID.
After that, place the cpuinfo file back to the /AndroidRoot folder on your device using this command:
Code:
adb push AndroidRoot /
After you are done, don't close the ADB windows.
Step 3: Download bootloader.xbt:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bootloaders/bootloader.grouper.XBT
And BCT for your device:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bct/n7.bct
And copy these two files to the /AndroidRoot folder on your device.
Step 4: Type this command on the ADB windows:
Code:
cd /AndroidRoot
After that, type:
Code:
chmod 777 ./mknvfblob
After that, type:
Code:
./mknvfblob -W -K <your SBK> --blob /AndroidRoot/test.blob --bctin /AndroidRoot/n7.bct --bctr /AndroidRoot/testr.bct --bctc /AndroidRoot/testc.bct --blin /AndroidRoot/bootloader.grouper.XBT --blout /AndroidRoot/test.ebt
Wait for it to do its job.
After that, go to your /AndroidRoot folder and copy all the file that just got generated (testr.bct, testc.bct. test.ebt, test.blob) to your PC using the adb pull command on Step 2
Congratulation, you have successfully generate blob for your bricked device.
4. UNBRICK YOUR DEVICE (The fun part )
Step 1: Boot your bricked device into APX mode either using Power button or Power + Vol UP.
Step 2: Open a terminal inside of the folder where you place your NvFlash folder (move the blob file inside of that folder, all of them)
Step 3: Open a terminal inside of your Wheelie and NvFlash folder. Type:
Code:
sudo ./nvflash --bl test.ebt --bct testr.bct --blob test.blob
If you got this command:
Code:
command error: no command found
Then try this one instead:
Code:
./nvflash --setbct --create --configfile <your flash.cfg> --bl test.ebt --bct testr.bct --blob test.blob
If you got the NvError, its fine.
Something like this should appear (the first command):
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d2bc285340e0f
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d2bc285340e0f
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: recovery.bct
- 6128/6128 bytes sent
recovery.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.ebt
- 2146912/2146912 bytes sent
bootloader.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
A Google Logo should appear on your device screen with the text "Battery is too low" on the upper left corner. Unplug the battery and replug it. After that, plug it into a wall charger for atleast 4 hour.
Step 4: Unplug the battery and boot into APX mode again using the button combination.
Step 5: Type this command while holding down the Vol DOWN button:
Code:
sudo ./nvflash --resume --download 8 boot.img
Replace "boot.img" with your ROM boot.img file. If you download another boot.img that isn't for your ROM, your device will bootloop.
Step 6:
Type:
Code:
sudo ./nvflash --resume --download 4 bootloader.img
Replace "bootloader.img" with your bootloader.img file name (You could get it inside of the Factory Image)
And after its done, your device should technically unbrick now. But I still recommend you re-flash stock ROM.
Step 7: The final step
Boot into your OS using the command below:
Code:
sudo ./nvflash --resume --go
If your device boot back into APX mode, maybe you have done something wrong. Try again.
If you got a Google logo on your device then congratulation! Your device is now unbricked.
Note: If step 7 didn't work, try booting this recovery image using this command:
Code:
fastboot boot flatline_grouper.img
Link for the recovery image is in the "Links" section.
Note: To get into Fastboot, add the "--go" line at the end of the command in Step 5
Code:
sudo ./nvflash --resume --download 8 boot.img --go
HOLD DOWN VOL DOWN while doing this command, you should get into fastboot at
After you are in the Flatline recovery, navigate to the "Advanced" section using the VOL buttons. Select it using the POWER button.
Select the "wheelie" at the end of the list.
Select "I agree".
After that, select "Step 1: Flash AndroidRoot.mobi custom bootloader." IGNORE Step 2 because it won't gonna work anyways.
Your device should reboot and the Google logo should appear, that means that your device is unbricked.
Note: If you wanted to flash stock ROM, open the "image-*******.zip" inside of the factory image and open the android-info.txt file. Edit the "require-bootloader" line to "4.13". After that, it should work.
Links:
flash.cfg: http://www.mediafire.com/file/j90hc1dfz58aytq/flashcfg.zip/file
flatline_grouper.img: https://www.mediafire.com/file/z1jvgy6km33f7bf/flatline_grouper.img/file
Wheelie, NvFlash and platform-tools (For ADB) (Works for both Linux and Windows): https://www.mediafire.com/file/0nuy4indgvagq3v/nvflash-and-platformtool.zip/file
Download the Factory Image for your Nexus 7 incase you want to re-flash stock ROM (nakasi or nakasig): https://developers.google.com/android/images#nakasi
That is. If you need any help, message me.
Update: After a few days of troubleshooting, fixing and updating my post, it seems like the step to unbrick your Nexus 7 2012 may depends on how did you brick it, what OS version you are running or the condition of your device. So you may have to "think outside the box" sometimes in this guide.
Update #2: Some helpful advice from @Jirmd with some minor change:
When you get this error :
Code:
Nvflash v1.10.76762 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d4a5f202c0401
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d4a5f202c0401
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 2
device config fuse: 17
sdram config strap: 1
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
after this command :
Code:
./nvflash --configfile flash.cfg --create --bct testr.bct --setbct --bl test.ebt --blob test.blob --sync
Probably you have broken your internal storage!
You can probably flash:
Bootloader image (bootloader.img)
Kernel image (boot.img)
Recovery image (recovery.img aka TWRP)
But you CAN'T flash a new system via TWRP or fastboot, because the bootloader or the recovery was unable to connect to the partitions table.
You can try this command to erase bad blocks:
Code:
./nvflash --resume --configfile flash.cfg --obliterate
Reboot to APX mode and try the above command again.
But, broken internal storage is pretty much unrepairable.
There is some possibility of disassembly your device and overheat your memory IC, but this method is not easy and need more technical skill.
And in my case this did not help.
Click to expand...
Click to collapse
In my case, this command also gives me the nverror 0x4 but it also did something to my Nexus 7 as it was required for the next step.
Update #3: Updated the guide and removed some unessacery steps.
Update #4: Updated.

Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.

Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk

zak4 said:
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk
Click to expand...
Click to collapse
You could manually create the folder if you have root. By using those Root File explorer on Google Play Store.
I recommend you using this one: https://play.google.com/store/apps/details?id=com.clearvisions.explorer
Open the app then go to the root section, create a new folder name: AndroidRoot
And you are good to go.
If the above method didnt work, type these command one by one:
Code:
adb shell
su
mount -o rw,remount /system
You can mount your /system back to Read-Only using this command:
Code:
mount -o ro,remount /system

GedBlake said:
Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.
Click to expand...
Click to collapse
Yes, I have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.

Deleted.

@enderzip
Thank you Enderzip. I succeeded the creation of AndroidRoot with the command for write permission on system.
I have another issue about extraction of SBK of my bricked Nexus 7. I prepared everything (download of fusee-launcher, pyusb installation ...), checked connection of my device through APX (see below) but when I type sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin I got :
[email protected]:~/Downloads/fusee-launcher-n7$ lsusb
Bus 002 Device 096: ID 058f:6362 Alcor Micro Corp. Flash Card Reader/Writer
Bus 002 Device 061: ID 0955:7330 NVIDIA Corp.
Bus 002 Device 004: ID 046d:0805 Logitech, Inc. Webcam C300
Bus 002 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
...
[email protected]:~/Downloads/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
sudo: ./fusee-launcher.py : command not found
Sorry to be blocked again.

@enderzip
I found a solution to my issue by allowing the "execution of the file as program" in the permissions of fusee-launcher.py file.
Fusee-launcher started but quickly stopped before application stack dumping : message delivered by fusee-launcher is to use USB 3.0 and I realized that I have only USB 2.0 on my old desk computer.
Does someone know how to patch EHCI driver ? Is it a possible solution ?
Thanks for your advice.

enderzip said:
Yes, i have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
Click to expand...
Click to collapse
enderzip, wow, you soo good and cool. I am totaly glad for this, how you make your tutorial. And we must give thanks for AndroidRoot team and Jenkinsen. Without this people, we all have only paperweight.
Now, i will try make my moded mknvfblob worked standalone. Without Tegra 3, only on linux X86 PC.
And, i will try make tutorial for nexus 7 , how boot linux from usb, without multiboot. ( For case, when is your internal storage totaly unreparable damaged.)

Deleted.

Thank you Enderzip. I will follow your advice and buy a USB 3.0 PCI Express card and try later.
Again many thanks to you and Jmrd for your tutorial that will enable us to revive our bricked Nexus 7.
Envoyé de mon Nexus 4 en utilisant Tapatalk

I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?

gormatrax said:
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
Click to expand...
Click to collapse
The boot.img is inside the .zip inside of the factory image. I think the name is "image-nz---.zip"

Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0

@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen

gormatrax said:
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
Click to expand...
Click to collapse
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.

enderzip said:
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
Click to expand...
Click to collapse
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...

gormatrax said:
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
Click to expand...
Click to collapse
Hmm, have you tried switching the USB port? Maybe the USB cable too.

steffenm82 said:
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen
Click to expand...
Click to collapse
Sorry for my late reply, in this case, try skipping to the next step.

I must say that @enderzip guide make my nexus 7 back on it´s feet despite not having previously generated blobs. After some days of research and some nights via PM and FB messenger he managed to bring my Nexus back on. So Yes @GedBlake he managed to unbrick a nexus 7 with no previous generated blobs. But the mentor of this tutorial was @Jirmd. In adittion, thanks to this 2 wonderful persons that make my Nexus 7 back to it´s gold years!!!