Database Develop

[DEV] [ROMTEST] Debugging ICS KU5900 ROM on Optimus Black P970

This thread doesn't have ROM to download, so don't expect it happen soon!
It's an explanation or procedure to make ICS KU5900 boot on our our device P970.
Remember, just BOOT, not running perfect.
WARNING! This intended as development, so don't try this if you don't know what to do!
First, I'm using V30I. If you want to use V30G or V30H it might be different, I don't know, since I have deleted V30G and V30H so I'm not trying for G/H version.
This method are using Windows OS, and to debugging we need Linux OS.
I wont explain all in detail, I assume that you have your knowledge to do this.
PREPARING THE FILES
I get V30i KU5900 from here..
Code:
http://csmg.lgmobile.com:9002/swdata/RNDTESTSW/LGKU5900/KTF/G8MU86SJS7/V30i_00/V30I_00.kdz
Use this tools to decrypt and extract KDZ to BIN and FLS.
Code:
[URL="http://forum.xda-developers.com/showpost.php?p=24083497&postcount=1"]http://forum.xda-developers.com/showpost.php?p=24083497&postcount=1[/URL]
Then proceed...
Code:
> copy /b KU5900_AP[?].bin+KU5900_AP[1?].bin KU5900_AP.bin
Use this tools to extract partition from BIN
Code:
[URL="http://forum.xda-developers.com/showpost.php?p=31476664&postcount=17"]http://forum.xda-developers.com/showpost.php?p=31476664&postcount=17[/URL]
Extract system.img and system2.img using this tools
Code:
[URL="http://www.diskinternals.com/linux-reader/"]http://www.diskinternals.com/linux-reader/[/URL]
Extract system.img to system and system2.img to system2
Put all files inside system2 to system/vendor
The list of directory supposed to be like this:
Code:
[URL="http://pastebin.com/sD2HKTSM"]http://pastebin.com/sD2HKTSM[/URL]
Download my customized boot.img
Code:
[URL="http://www.mediafire.com/?5klw4df6sf2wd8c"]http://www.mediafire.com/?5klw4df6sf2wd8c[/URL]
Download my updater-script to make flashable zip.
Code:
[URL="http://www.mediafire.com/?f6u97faa1abyrd9"]http://www.mediafire.com/?f6u97faa1abyrd9[/URL]
Cook! I use this...
Code:
[URL="http://forum.xda-developers.com/showthread.php?t=633246"]http://forum.xda-developers.com/showthread.php?t=633246[/URL]
adb push "zip" /sdcard
reboot recovery
Flash! and flashing means bootloop
------------------------------------------------------------------------------------------------------------
DEBUGGING
Because Windows OS not detecting the port, we need Linux OS, I'm using Ubuntu 12.04.
This sample are using my environment, so adapt or adjust yourself...
ATTENTION, If you adb without root permission, then you'll get this
Code:
[email protected]:~$ adb devices
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
???????????? no permissions
So, run adb with "sudo"
Code:
[email protected]:~$ cd sdk/platform-tools/
[email protected]:~/sdk/platform-tools$ sudo ./adb kill-server
[sudo] password for redy:
[email protected]:~/sdk/platform-tools$ sudo ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
[email protected]:~/sdk/platform-tools$
Check connection,
Code:
[email protected]:~$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 003: ID 1004:61d7 LG Electronics, Inc.
Perhaps your detected ID would be different.
Code:
[email protected]:~$ adb devices
List of devices attached
62F400029FFC00000000000000000000 device
Great, adb detected.... :victory:
Let's have fun with debugging....

It seems gabwerkz can have adb running in Windows OS. We'll see....

I Download this and try too

Use u-boot of V20. I used V20S
Logcat + dmesg all work Windows/Linux :victory:
I deleted apps... still it's almost full. Need delete more.

Do you guys still have the libsurfaceflinger error? How about trying the versions of 4.0.3 ICS build? I mean redy u already tested the 4.0.4 ones and they didnt work. Or do you think the error is really ramdisk dependent?

N00BY0815 said:
Do you guys still have the libsurfaceflinger error? How about trying the versions of 4.0.3 ICS build? I mean redy u already tested the 4.0.4 ones and they didnt work. Or do you think the error is really ramdisk dependent?
Click to expand...
Click to collapse
Mine still has it. But my firmware is V30G. Though redy uses V30I, I don't know why it errors out. Might be ramdisk.

I'm thinking about bootargs u-boot... at kernel log, see
Code:
Kernel command line: mem=511M init=/init videoout=omap24xxvout omap_vout_mod.video1_numbuffers=6 omap_vout_mod.vid1_static_vrfb_alloc=y vram=5M,0x9FA00000 omapfb.vram=0:5M lpj=2334720 rs=s fuelgauge=q muic_state=0 console=/dev/null
While KU5900 bootargs,
Code:
mem=512M init=/init videoout=omap24xxvout omap_vout.video1_numbuffers=6 omap_vout.vid1_static_vrfb_alloc=y vram=16M omapfb.vram=0:5M lpj=2334720 fuelgauge=g androidboot.hardware=black
and kernel log produce,
Code:
<3>[ 1.054168] omapfb omapfb: failed to allocate framebuffer
<3>[ 1.054290] omapfb omapfb: failed to allocate fbmem
<3>[ 1.054565] omapfb omapfb: failed to setup omapfb
<4>[ 1.054687] omapfb: probe of omapfb failed with error -12
And based on this, error -12 = Out of memory
Code:
[URL="http://www.omappedia.org/wiki/Frequently_Faced_Display_errors"]http://www.omappedia.org/wiki/Frequently_Faced_Display_errors[/URL]
So I think it because VRAM are not enough to load framebuffer.. u-boot V20 vram=5M, u-boot V30 vram=16M.
-CMIIW-

I read somewhere that korean one has only storage, cache and few software (bloatware) extra with our OB.
If camera is same and we have extractor working then is it not possible to just pick the camera HAL?

pkb_always4u said:
I read somewhere that korean one has only storage, cache and few software (bloatware) extra with our OB.
If camera is same and we have extractor working then is it not possible to just pick the camera HAL?
Click to expand...
Click to collapse
The source is needed since theirs is compiled for 3.0 not 2.6.
Sent from my LG Optimus Black

@Redy
Need to update your updater-script. you don't have permissions to vendor folder. Check what missing too, symlinks perhaps.
Code:
set_perm_recursive(0, 2000, 0755, 0644, "/system/vendor");

I had a look at the u-boot from V20 (P970) and V30 (KU5900). They are in a totally different format and they don't even have the same file identifiers.
The kernel args are easy to find in the img but the u-boot image doesn't match that of anything I managed to find so I am not sure of the offsets. There is four 00 bytes after the bootargs that might be padding but it could also be the next things reserved bytes or something. So I can assume that it is padding and simple change the VRAM to 16 and use 1 of the four padding bytes but If it is not that then I am not sure what will happen.
I don't know where it splits of to SW Update and breaking the u-boot might make your device unrecoverable.It is a very small chance but it is a risk I'm not willing to take. The SW Update might be loaded from the ROM and then we can do pretty much whatever we want besides break it physically and we'll still be able to recover it. If someone knows more on this please tell me.
Have you guy tried using the u-boot from V20 of the KU5900. In the other thread they said they flashed that successfully ( It was part of the steps used to get it working on the KU5900 so they tried it. ).
Good luck.

gabwerkz said:
@Redy
Need to update your updater-script. you don't have permissions to vendor folder. Check what missing too, symlinks perhaps.
Code:
set_perm_recursive(0, 2000, 0755, 0644, "/system/vendor");
Click to expand...
Click to collapse
Actually, it's already setup by
Code:
set_perm_recursive(0, 0, 0755, 0644, "/system");
But I don't know if /system/vendor need owner of uid 2000
xonar_ said:
I had a look at the u-boot from V20 (P970) and V30 (KU5900). They are in a totally different format and they don't even have the same file identifiers.
The kernel args are easy to find in the img but the u-boot image doesn't match that of anything I managed to find so I am not sure of the offsets. There is four 00 bytes after the bootargs that might be padding but it could also be the next things reserved bytes or something. So I can assume that it is padding and simple change the VRAM to 16 and use 1 of the four padding bytes but If it is not that then I am not sure what will happen.
I don't know where it splits of to SW Update and breaking the u-boot might make your device unrecoverable.It is a very small chance but it is a risk I'm not willing to take. The SW Update might be loaded from the ROM and then we can do pretty much whatever we want besides break it physically and we'll still be able to recover it. If someone knows more on this please tell me.
Have you guy tried using the u-boot from V20 of the KU5900. In the other thread they said they flashed that successfully ( It was part of the steps used to get it working on the KU5900 so they tried it. ).
Good luck.
Click to expand...
Click to collapse
Well, I know that u-boot was used by SFT to manage recovery if we got bricked, and hacking via hex editor are considered dangerous if it might break u-boot port that read by SFT. So if we can't hack it, then leave it. I'm also won't take that risk
V20 KU5900 are having the same bootargs as V20 P970, vram=5M, so I assume that it still the same, won't work..
I'm under downloading Code Composer Studio (CCStudio) from TI, to try booting to u-boot environment and we might able to change the bootargs via u-boot console. I learn that actually we can enter u-boot environment, but I don't know how to do it for omap 3630, so it might be we can try using CCStudio to enter it. The concept does actually the same as SFT, it read the u-boot serial port which I think it might can be setup via NFS,
Code:
baudrate=115200 <-- I think it's the serial port
ipaddr=192.168.1.101
serverip=192.168.1.100
netmask=255.255.254.0
But, I don't know, I'm currently downloading the tools, haven't tried it yet...
-CMIIW-

redy2006 said:
Well, I know that u-boot was used by SFT to manage recovery if we got bricked, and hacking via hex editor are considered dangerous if it might break u-boot port that read by SFT. So if we can't hack it, then leave it. I'm also won't take that risk
V20 KU5900 are having the same bootargs as V20 P970, vram=5M, so I assume that it still the same, won't work..
I'm under downloading Code Composer Studio (CCStudio) from TI, to try booting to u-boot environment and we might able to change the bootargs via u-boot console. I learn that actually we can enter u-boot environment, but I don't know how to do it for omap 3630, so it might be we can try using CCStudio to enter it. The concept does actually the same as SFT, it read the u-boot serial port which I think it might can be setup via NFS,
Code:
baudrate=115200 <-- I think it's the serial port
ipaddr=192.168.1.101
serverip=192.168.1.100
netmask=255.255.254.0
But, I don't know, I'm currently downloading the tools, haven't tried it yet...
-CMIIW-
Click to expand...
Click to collapse
If you can get a u-boot connection while in sw update mode then we can read from the device and get a disk dump. That would help a lot. I tried doing it but the I could get no data from the serial connection. Succesfully established but nothing, probably missed a fairly significant detail somewhere. The recovery might be something like nand write that can be configured by the ROM without full u-boot.(Still not a risk I'm willing to take). If it has a IP Address then it needs u-boot set up properly though but SFT asks for a Direct Serial Port so that's why I'm not sure.
The baudrate is the bitrate at which it can communicate. If you can get a u-boot connection and enter u-boot terminal please tell me how .

CCStudio aren't f*cking running in my computer...
xonar_ said:
The baudrate is the bitrate at which it can communicate. If you can get a u-boot connection and enter u-boot terminal please tell me how .
Click to expand...
Click to collapse
Hmm, I'm thinking probably something like this..
Code:
[URL="https://www.ridgerun.com/developer/wiki/index.php/Setting_up_Picocom_-_Ubuntu"]https://www.ridgerun.com/developer/wiki/index.php/Setting_up_Picocom_-_Ubuntu[/URL]
You need to know the name of the serial port. Also, you should have read/write permissions to the serial port. Typical serial port names are /dev/ttyS0 for PCs with a built-in serial port and /dev/ttyUSB0 if you are using a USB to serial dongle.
picocom is wonderful in that you can specify all the serial port setting as parameters on the command line. For 115,200 baud (-b 115200), 8 bits (default setting), no parity (default setting), no flow control (default setting), and with no port reset (-r) and no port locking (-l), use:
Code:
picocom -b 115200 -r -l /dev/ttyUSB0
Click to expand...
Click to collapse
See that baudrate are the same value to ours...
Maybe we can test it, while on mode SFT recovery...
But but "picocom" need Linux environment. I can't test it now, since I'm at the office..

redy2006 said:
CCStudio aren't f*cking running in my computer...
Hmm, I'm thinking probably something like this..
Code:
[URL]https://www.ridgerun.com/developer/wiki/index.php/Setting_up_Picocom_-_Ubuntu[/URL]
See that baudrate are the same value to ours...
Maybe we can test it, while on mode SFT recovery...
But but "picocom" need Linux environment. I can't test it now, since I'm at the office..
Click to expand...
Click to collapse
Picocom doesent work. Just tried on your behalf. I get the same baudrate
Sent from my LG Optimus Black using Tapatalk 2

SoulExertz said:
Picocom doesent work. Just tried on your behalf. I get the same baudrate
Click to expand...
Click to collapse
Okay, test mode...
Code:
[email protected]:~$ [B][COLOR="blue"]lsusb[/COLOR][/B]
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
[B]Bus 001 Device 002: ID 1004:6000 LG Electronics, Inc. KU330/KU990/VX4400/VX6000[/B]
[email protected]:~$ [B][COLOR="Blue"]sudo modprobe usbserial vendor=0x1004 product=0x6000[/COLOR][/B]
[email protected]:~$ [COLOR="blue"][B]dmesg[/B][/COLOR]
--wraped--
[ 746.531997] usbcore: registered new interface driver usbserial
[ 746.532075] USB Serial support registered for generic
[ 746.532106] usbserial_generic 1-4:1.0: Generic device with no bulk out, not allowed.
[ 746.532119] usbserial_generic: probe of 1-4:1.0 failed with error -5
[ 746.532133] usbserial_generic 1-4:1.1: generic converter detected
[ 746.532788] usb 1-4: generic converter now attached to [B]ttyUSB0[/B]
[ 746.532811] usbserial_generic 1-4:1.2: generic converter detected
[ 746.533721] usb 1-4: generic converter now attached to ttyUSB1
[ 746.533758] usbcore: registered new interface driver usbserial_generic
[ 746.533762] usbserial: USB Serial Driver core
[email protected]:~$ [B][COLOR="Blue"]sudo picocom -b 115200 -r -l /dev/ttyUSB0[/COLOR][/B]
picocom v1.4
port is : /dev/ttyUSB0
flowcontrol : none
baudrate is : 115200
parity is : none
databits are : 8
escape is : C-a
noinit is : no
noreset is : yes
nolock is : yes
send_cmd is : ascii_xfr -s -v -l10
receive_cmd is : rz -vv
Terminal ready
Skipping tty reset...
Thanks for using picocom
[email protected]:~$

I am currently trying to use OMAPFlash. Apparently OMAP boards are capable of booting from serial. If we can get that to work we can recover even if we wiped uboot completely. We can also test uboot changes without flashing it onto the device.
I got stuck at now reboot the board...
It's possible LG removed this or changed this. There is a download that is a way to get it working on I9003 that I haven't looked at yet.
There is also a Tool LG Flash that I haven't looked at yet.
Sent from my LG Optimus Black
---------- Post added at 12:46 PM ---------- Previous post was at 12:43 PM ----------
SoulExertz said:
Picocom doesent work. Just tried on your behalf. I get the same baudrate
Sent from my LG Optimus Black using Tapatalk 2
Click to expand...
Click to collapse
Don't select ttyS0 like the link says ,that's the serial connection on the motherboard. Use lsusb to get the USB device and its corresponding serial port.
Sent from my LG Optimus Black

xonar_ said:
I am currently trying to use OMAPFlash. Apparently OMAP boards are capable of booting from serial. If we can get that to work we can recover even if we wiped uboot completely. We can also test uboot changes without flashing it onto the device.
I got stuck at now reboot the board...
Click to expand...
Click to collapse
Which one the tools of OMAPFlash?
xonar_ said:
Don't select ttyS0 like the link says ,that's the serial connection on the motherboard. Use lsusb to get the USB device and its corresponding serial port.
Click to expand...
Click to collapse
I have connected with u-boot, but how we can enter the terminal command?

redy2006 said:
Which one the tools of OMAPFlash?
Click to expand...
Click to collapse
This one : OMAPFlash
I just read it doesn't work well with Win7 so my Consumer Preview Win8 isn't going to fair much better,
redy2006 said:
I have connected with u-boot, but how we can enter the terminal command?
Click to expand...
Click to collapse
Nice. No Idea never used picocom before.

Whats the proposite of bugging that rom on our black? Are u trying to boot that room on our black?
Sorry about the noob question
Enviado desde mi LG-P970 usando Tapatalk 2

[Q] CM 10.1.3 and NookHD+ MTP woes

How can I connect CM10.1.3 Nook HD+ as an MTP device on Ubuntu 12.04 Acer Netbook/Chromebook?
I can connect on Windows 7 with same Nook HD+ on a Laptop
I am pretty sure thinks are messy unless an alias or link gets created under /media on the netbook
So I am hoping knowledgeable folks help me before I brick either the Netbook or NookHD+ or both
Note: the output from mtpdetect command is lengthy error 7 message was displayed 200 times it was repetetive so I edited it out
[email protected]:~$ sudo lsusb
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 04ca:3006 Lite-On Technology Corp.
Bus 001 Device 004: ID 064e:d251 Suyin Corp.
Bus 002 Device 003: ID 2080:0005 Barnes & Noble
[email protected]:~$ mtp-detect
Unable to read MTPZ public exponent from ~/.mtpz-data, MTPZ disabledlibmtp version: 1.1.5
Listing raw device(s)
Device 0 (VID=2080 and PID=0005) is UNKNOWN.
Please report this VID/PID and the device model to the libmtp development team
Found 1 device(s):
2080:0005 @ bus 2, dev 4
Attempting to connect device(s)
Android device detected, assigning default bug flags
Error 7: Found a bad handle, trying to ignore it.
Error 7: Found a bad handle, trying to ignore it.
USB low-level info:
Interface has a kernel driver attached.
bcdUSB: 14748
bDeviceClass: 3
bDeviceSubClass: 127
bDeviceProtocol: 0
idVendor: fc5f
idProduct: 3967
IN endpoint maxpacket: 512 bytes
OUT endpoint maxpacket: 512 bytes
Raw device info:
Bus location: 2
Device number: 4
Device entry info:
Vendor: (null)
Vendor id: 0x2080
Product: (null)
Vendor id: 0x0005
Device flags: 0x08008106
Device info:
Manufacturer: Barnes & Noble
Model: BN NookHD+
Device version: 1.0
Serial number: 3030420047364309
Vendor extension ID: 0x00000006
Vendor extension description: microsoft.com: 1.0; android.com: 1.0;
Detected object size: 64 bits
Extensions:
microsoft.com: 1.0
android.com: 1.0
Supported operations:
1001: get device info
1002: Open session
1003: Close session
1004: Get storage IDs
1005: Get storage info
1006: Get number of objects
1007: Get object handles
1008: Get object info
1009: Get object
100a: Get thumbnail
100b: Delete object
100c: Send object info
100d: Send object
1014: Get device property description
1015: Get device property value
1016: Set device property value
1017: Reset device property value
101b: Get partial object
9801: Get object properties supported
9802: Get object property description
9803: Get object property value
9804: Set object property value
9805: Get object property list
9810: Get object references
9811: Set object references
95c1: Unknown (95c1)
95c2: Unknown (95c2)
95c3: Unknown (95c3)
95c4: Unknown (95c4)
95c5: Unknown (95c5)
Events supported:
0x4002
0x4003
0x4004
0x4005
Device Properties Supported:
0xd401: Synchronization Partner
0xd402: Friendly Device Name
0x5003: Image Size
Playable File (Object) Types and Object Properties Supported:
3000: Undefined Type
3001: Association/Directory
3004: Text
3005: HTML
3008: MS Wave
3009: MP3
300b: MPEG
3801: JPEG
3802: TIFF EP
3804: BMP
3807: GIF
3808: JFIF
380b: PNG
380d: TIFF
b901: WMA
b902: OGG
b903: AAC
b982: MP4
b983: MP2
b984: 3GP
ba05: Abstract Audio Video Playlist
ba10: WPL Playlist
ba11: M3U Playlist
ba14: PLS Playlist
ba82: XMLDocument
b906: FLAC
Storage Devices:
StorageID: 0x00010001
StorageType: 0x0003 fixed RAM storage
FilesystemType: 0x0002 generic hierarchical
AccessCapability: 0x0000 read/write
MaxCapacity: 13607493632
FreeSpaceInBytes: 3942952960
FreeSpaceInObjects: 1073741824
StorageDescription: Internal storage
VolumeIdentifier: (null)
StorageID: 0x00020001
StorageType: 0x0004 removable RAM storage
FilesystemType: 0x0002 generic hierarchical
AccessCapability: 0x0000 read/write
MaxCapacity: 63816613888
FreeSpaceInBytes: 12730400768
FreeSpaceInObjects: 1073741824
StorageDescription: SD card
VolumeIdentifier: (null)
Special directories:
Default music folder: 0x00000077
Default playlist folder: 0xffffffff
Default picture folder: 0x0000007b
Default video folder: 0x0000b9d3
Default organizer folder: 0xffffffff
Default zencast folder: 0xffffffff
Default album folder: 0xffffffff
Default text folder: 0xffffffff
MTP-specific device properties:
Friendly name: (NULL)
Synchronization partner: (NULL)
libmtp supported (playable) filetypes:
Folder
Text file
HTML file
RIFF WAVE file
ISO MPEG-1 Audio Layer 3
MPEG video stream
JPEG file
BMP bitmap file
GIF bitmap file
JFIF file
Portable Network Graphics
TIFF bitmap file
Microsoft Windows Media Audio
Ogg container format
Advanced Audio Coding (AAC)/MPEG-2 Part 7/MPEG-4 Part 3
MPEG-4 Part 14 Container Format (Audio+Video Emphasis)
ISO MPEG-1 Audio Layer 2
Abstract Playlist file
XML file
Free Lossless Audio Codec (FLAC)
ERROR: Could not close session!
inep: usb_get_endpoint_status(): No such device
outep: usb_get_endpoint_status(): No such device
usb_clear_halt() on IN endpoint: No such device
usb_clear_halt() on OUT endpoint: No such device
usb_clear_halt() on INTERRUPT endpoint: No such device
OK.
And now I can not see it at all on lsusb
[email protected]:~$ sudo lsusb
[sudo] password for user:
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub SMILIES
Bus 001 Device 003: ID 04ca:3006 Lite-On Technology Corp.
Bus 001 Device 004: ID 064e:d251 Suyin Corp.

Chromecast, how to run ftp, samba, httpd, symlink new busybox, usb

Some usefull comands to chromecast
You need to download the latest busybox (v1.21.1)
search for busybox binary, it's the first hit on google. Download busybox-armv71
cd /data
busybox wget <adress to file>
mv /data/busybox-arm71 /data/busybox
chmod 777 /data/busybox
always good to run /data/busybox ash first so we can use tab again =)
FTP:
/data/busybox tcpsvd -vE 0.0.0.0 21 /data/busybox ftpd / -w & > /dev/null
Samba:
mkdir /data/samba
/data/busybox mount -t cifs //<server ip>/<share> /data/samba/ -o username=<username>,password=<password>
httpd:
mkdir /data/www
echo "A:*" > /data/httpd.conf
echo "Hello World" > /data/www/index.html
chmod -R 755 /data/httpd.conf /data/www
/data/busybox httpd -p 8000 -h /data/www -c /data/httpd.conf
Symlink to new busybox commands:
mkdir /data/bin
busybox cp /data/busybox /data/busybox/bin
create the file "/data/create" with:
#!/bin/sh
for b in $(/data/bin/busybox --list); do
ln -s /data/bin/busybox "/data/bin/${b}"
done
chmod 755 /data/create
sh /data/create
Add path:
export PATH=$PATH:/data/bin
no need to run /data/busybox vi anymore =)
USB:
I have not figured this out yet. But if you connect a usb with ota cable and run
mkdir /data/usb
/data/busybox lsusb - shows a usb but there is no device file in /dev to mount.
Bus 001 Device 002: ID 090c:1000
Bus 001 Device 001: ID 1d6b:0002
Then I run:
/data/busybox makedevs -d /deb/block/sda1 /data/usb
I get this
/data# /data/busybox makedevs -d /dev/block/sda1 /data/usb/
rootdir=/data/usb/
table='/dev/block/sda1'
makedevs: invalid line 26: 'lost+found'
makedevs: invalid line 27: '▒X'
makedevs: invalid line 28: 'Ap▒N|B▒▒^
[...] and about 40 simular lines. It's a newly formated 8 gig usb (ex4) so it's only a lost+found dir on it, as it shows above.
then I run /data/busybox fdisk -lu /dev/block/sda - I get this
Disk /dev/block/sda: 8019 MB, 8019509248 bytes
246 heads, 40 sectors/track, 1591 cylinders, total 15663104 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
/dev/block/sda1 2048 15646719 7822336 83 Linux
Anyone got a clue whats wrong and how to fix this?
Have anyone found out how to autostart scripts on boot?
/mape

USB worked for me. Here's what I did:
1) Inserted USB drive (fat formated). /dev/block/sda and /dev/block/sda1 were auto created and the following lines were generated in dmesg:
Code:
<6>[ 211.880372] usb 1-1: new high-speed USB device number 2 using berlin-ehci
<6>[ 212.033411] usb 1-1: New USB device found, idVendor=13fe, idProduct=3100
<6>[ 212.033427] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
<6>[ 212.033436] usb 1-1: Product: Patriot Memory
<6>[ 212.033444] usb 1-1: Manufacturer:
<6>[ 212.033451] usb 1-1: SerialNumber: 079B09013A4D52A8
<6>[ 212.035169] scsi0 : usb-storage 1-1:1.0
<5>[ 213.055504] scsi 0:0:0:0: Direct-Access Patriot Memory PMAP PQ: 0 ANSI: 0 CCS
<5>[ 213.058011] sd 0:0:0:0: Attached scsi generic sg0 type 0
<5>[ 213.760828] sd 0:0:0:0: [sda] 15646720 512-byte logical blocks: (8.01 GB/7.46 GiB)
<5>[ 213.761302] sd 0:0:0:0: [sda] Write Protect is off
<7>[ 213.761317] sd 0:0:0:0: [sda] Mode Sense: 23 00 00 00
<3>[ 213.761799] sd 0:0:0:0: [sda] No Caching mode page present
<3>[ 213.767645] sd 0:0:0:0: [sda] Assuming drive cache: write through
<3>[ 213.778932] sd 0:0:0:0: [sda] No Caching mode page present
<3>[ 213.784735] sd 0:0:0:0: [sda] Assuming drive cache: write through
<6>[ 213.811683] sda: sda1
<3>[ 213.814553] sd 0:0:0:0: [sda] No Caching mode page present
<3>[ 213.820769] sd 0:0:0:0: [sda] Assuming drive cache: write through
<5>[ 213.827234] sd 0:0:0:0: [sda] Attached SCSI removable disk
2) I was able to mount the drive with the following:
Code:
mkdir /data/mnt/
mount -t vfat /dev/block/sda1 /data/mnt/
I can't imagine that and ext4 formatted drive would prevent the block device from being created, but you can try to manually create it with:
Code:
mknod /dev/block/sda b 8 0
mknod /dev/block/sda1 b 8 1
and then try to mount. It may be worth trying a fat formatted drive if you have one.
---------- Post added at 08:57 PM ---------- Previous post was at 08:55 PM ----------
I'll toss out a useful command of my own. If you want to transfer files to and from the chromecast without enabling additional services, this can be done by pipelining data through the ssh command (since dropbear is minimized to exclude scp and sftp, this is the only way).
To send the local file tmp/bashrc to the chromecast's /data directory, run the following command:
Code:
cat tmp/bashrc | ssh [email protected] 'cat > /data/bashrc'
To download the /build.prop file from the chromecast to the local system, run the following command:
Code:
ssh [email protected] 'cat /build.prop' > build.prop
Permissions may need to be fixed on the transferred file.

Got it working, with both fat and fat32, Strange it did't work with any of the ext systems. Learnt many things, like not post late at night
Nice command there, handy to always have the abiliy to send files.

Hi all
How woud I execute the following command in [email protected] /usr/share/eureka-apps/configs/apps.conf
I am trying to locate the Team Eureka whitelist. As well what is the root password for the rom, Is it my WiFi pass phrase/password?
Regards
fs1023

fs1023 said:
Hi all
How woud I execute the following command in [email protected] /usr/share/eureka-apps/configs/apps.conf
I am trying to locate the Team Eureka whitelist. As well what is the root password for the rom, Is it my WiFi pass phrase/password?
Regards
fs1023
Click to expand...
Click to collapse
If you just want to view the file, you can establish an ssh connection to execute a single command:
Code:
ssh [email protected] cat /usr/share/eureka-apps/configs/apps.conf
Otherwise you can view the file from an already established interactive session by running:
Code:
cat /usr/share/eureka-apps/configs/apps.conf
The root password is blank as there is no passwd file. I doesn't look like google built this with user management in mind.

bobcat987 said:
If you just want to view the file, you can establish an ssh connection to execute a single command:
Code:
ssh [email protected] cat /usr/share/eureka-apps/configs/apps.conf
Otherwise you can view the file from an already established interactive session by running:
Code:
cat /usr/share/eureka-apps/configs/apps.conf
The root password is blank as there is no passwd file. I doesn't look like google built this with user management in mind.
Click to expand...
Click to collapse
Thanks for the reply bobcat987. I am struggling. Tried to ssh connection with commands you gave me but putty is asking for a password.
Can you please help once again?
Regards
fs1023

fs1023 said:
Thanks for the reply bobcat987. I am struggling. Tried to ssh connection with commands you gave me but putty is asking for a password.
Can you please help once again?
Regards
fs1023
Click to expand...
Click to collapse
Just push enter and you should be good.

[WIP]Dissecting the bootloader aka: get rid of annoying "Your device is corrupt"

[WIP]Dissecting the bootloader aka: get rid of annoying "Your device is corrupt"
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
Code:
> adb shell
# dd if=/dev/block/bootdevice/by-name/abl_b of=/sdcard/img.abl_a
# <ctrl-D>
> adb pull /sdcard/img.abl_a
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
Code:
> binwalk -e img.abl_a
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
4488 0x1188 Certificate in DER format (x509 v3), header length: 4, sequence length: 1279
5771 0x168B Certificate in DER format (x509 v3), header length: 4, sequence length: 1133
6908 0x1AFC Certificate in DER format (x509 v3), header length: 4, sequence length: 1149
12408 0x3078 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 487624 bytes
I am thinking that bytes 0...4487 is the real bootloader code, so:
Code:
> head --bytes=4488 img.abl_b > abc
> file abc
abc: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, corrupted section header size
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
Code:
> readelf abc
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: ARM
Version: 0x1
Entry point address: 0x9fa00000
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 3
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
NULL 0x000000 0x00000000 0x00000000 0x00094 0x00000 0
NULL 0x001000 0x9fa30000 0x9fa30000 0x01988 0x02000 0x1000
LOAD 0x003000 0x9fa00000 0x9fa00000 0x30000 0x30000 RWE 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
Elf file type is EXEC (Executable file)
Entry point 0x9fa00000
There are 3 program headers, starting at offset 52
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...

foobar66 said:
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
I am thinking that bytes 0...4487 is the real bootloader code, so:
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...
Click to expand...
Click to collapse
Wow! Excited to see this! Thanks

It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.

foobar66 said:
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
Code:
> adb shell
# dd if=/dev/block/bootdevice/by-name/abl_b of=/sdcard/img.abl_a
# <ctrl-D>
> adb pull /sdcard/img.abl_a
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
Code:
> binwalk -e img.abl_a
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
4488 0x1188 Certificate in DER format (x509 v3), header length: 4, sequence length: 1279
5771 0x168B Certificate in DER format (x509 v3), header length: 4, sequence length: 1133
6908 0x1AFC Certificate in DER format (x509 v3), header length: 4, sequence length: 1149
12408 0x3078 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 487624 bytes
I am thinking that bytes 0...4487 is the real bootloader code, so:
Code:
> head --bytes=4488 img.abl_b > abc
> file abc
abc: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, corrupted section header size
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
Code:
> readelf abc
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: ARM
Version: 0x1
Entry point address: 0x9fa00000
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 3
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
NULL 0x000000 0x00000000 0x00000000 0x00094 0x00000 0
NULL 0x001000 0x9fa30000 0x9fa30000 0x01988 0x02000 0x1000
LOAD 0x003000 0x9fa00000 0x9fa00000 0x30000 0x30000 RWE 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
Elf file type is EXEC (Executable file)
Entry point 0x9fa00000
There are 3 program headers, starting at offset 52
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...
Click to expand...
Click to collapse
Good job, if needed i can help with the checking

tech_head said:
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
Click to expand...
Click to collapse
abl.img is not the bootloader i guess.

tech_head said:
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
Click to expand...
Click to collapse
On other devices they've been able to swap this image with another one to "hide" the message, to "get rid of it".

Would we sweet if we could get rid of the unlocked bootloader message too.

dennisbednarz said:
Would we sweet if we could get rid of the unlocked bootloader message too.
Click to expand...
Click to collapse
+1

U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till.it fixes it, then u flash a proper kernel and you are good. Cuz as It stands one can only resolve this properly with the tool

jacksummers said:
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till.it fixes it, then u flash a proper kernel and you are good. Cuz as It stands one can only resolve this properly with the tool
Click to expand...
Click to collapse
Different issue.
They are not trying to get rid of the red warning but the yellow warning for an unlocked BL.
On this phone, if you have a "red" warning you use the MSMDownload tool and go back factory including locking the BL.
This is a different case.

Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
Code:
> lsusb
Bus 001 Device 034: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
And then:
Code:
> dmesg
[ 9395.999112] usb 1-1: new high-speed USB device number 34 using xhci_hcd
[ 9396.149376] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[ 9396.149380] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 9396.149383] usb 1-1: Product: QUSB_BULK_CID:0402_SN:33B9DDAC
[ 9396.149386] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[ 9396.150184] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[ 9396.150372] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...

foobar66 said:
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
Code:
> lsusb
Bus 001 Device 034: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
And then:
Code:
> dmesg
[ 9395.999112] usb 1-1: new high-speed USB device number 34 using xhci_hcd
[ 9396.149376] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[ 9396.149380] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 9396.149383] usb 1-1: Product: QUSB_BULK_CID:0402_SN:33B9DDAC
[ 9396.149386] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[ 9396.150184] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[ 9396.150372] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
Click to expand...
Click to collapse
Use this https://forum.xda-developers.com/oneplus-6t/how-to/tool-6t-msmdownloadtool-v4-0-oos-9-0-5-t3867448
Should try for several times with instruction here

Question - when does device show red warning? When u disable dm verity?
I unlocked and rooted but only had yellow warning, but when i installed aosp gsi i had a red warning. Once of the step to install the rom was flashing vbmeta and disabling dm verity.

patelparth120595 said:
Question - when does device show red warning? When u disable dm verity?
I unlocked and rooted but only had yellow warning, but when i installed aosp gsi i had a red warning. Once of the step to install the rom was flashing vbmeta and disabling dm verity.
Click to expand...
Click to collapse
Disabled dm-verity caused red warning, i guess.
---------- Post added at 10:01 AM ---------- Previous post was at 09:58 AM ----------
foobar66 said:
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
And then:
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
Click to expand...
Click to collapse
Edited abl.img ? and flashed via recovery/fastboot ?

AnoopKumar said:
Edited abl.img ? and flashed via recovery/fastboot ?
Click to expand...
Click to collapse
No, just flashed using dd command in TWRP shell.

foobar66 said:
No, just flashed using dd command in TWRP shell.
Click to expand...
Click to collapse
Phone still dead ?

OK ... I managed to recover my phone !
A windows PC with the MSM program did the trick.
I am now back to stock 9.0.5

foobar66 said:
OK ... I managed to recover my phone !
A windows PC with the MSM program did the trick.
I am now back to stock 9.0.5
Click to expand...
Click to collapse
I assume that, there is nothing to do with the abl.img. Only thing we can do with it is change the default strings to a song lyric or something. abl.img is the uefi firmware i guess. Bootloader is using the images stored in the logo partition.

Gsi's flash without breaking verity if u flash to both slots. And totally format. Fastboot -w. The phone sees any changes to partitions as corruption and breaks verity, hence red warning.. if someone would be inclined to talk to invisiblek from the essential threads, he could tell u of a fix. The solution is not in abl. It's in the stock boot.img. if I had more time, I would help
---------- Post added at 02:52 PM ---------- Previous post was at 02:51 PM ----------
tech_head said:
Different issue.
They are not trying to get rid of the red warning but the yellow warning for an unlocked BL.
On this phone, if you have a "red" warning you use the MSMDownload tool and go back factory including locking the BL.
This is a different case.
Click to expand...
Click to collapse
No, they are talking about breaking verity also. Seems to be both messages, but more recently the broken verity message. Which there is two types, one u can boot from, one u cannot.

jacksummers said:
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till.it fixes it, then u flash a proper kernel and you are good. Cuz as It stands one can only resolve this properly with the tool
Click to expand...
Click to collapse
I would love that idea. That would be really nice to have on our device

[TUTORIAL] How to unbrick Nexus 7 without blob.bin (REQUIRES ANOTHER NEXUS 7 2012)

Thanks to @Jirmd for letting me use his post as a reference.
Original post: https://forum.xda-developers.com/nexus-7/general/unbrick-nexus-7-tegra-3-device-t4078627
Alternative Method:
1. https://github.com/tofurky/tegra30_debrick
2. https://forum.xda-developers.com/t/...-without-another-n7-or-tegra30-device.4305955
(Both methods do not require another Nexus 7)
Requirements:
1. Linux-based OS (I use Ubuntu 18.04)
2. NvFlash and Wheelie (You can download the Linux version down below)
3. A USB cable (A good and sturdy one)
4. Nerve of steel lol
5. Must have APX driver installed.
6. Another Nexus 7 (Ask someone that have it or ask me)(MUST BE ROOTED AND HAVE TWRP RECOVERY INSTALLED)
7. ADB (platform-tools)
1. DUMP SBK VIA USB
Step 1: Download fusee-launcher for Nexus 7 from this link and extract it to a folder:
http://www.mediafire.com/file/sgwsa79idk24z8u/fusee-launcher-n7.zip/file
Step 2: Open a terminal inside of the folder then type:
Code:
sudo apt-get install python-usb python3-usb
Wait for it to complete. After that, type:
Code:
pip install pyusb
Step 3: Connect your device to a USB 3.0 port (REQUIRED). You can check for connection using "lsusb". There must be a "NVidia Corp" in the list.
Step 4: Type:
Code:
sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin
Something like this should appear:
Code:
05f4a5d01'
Stack snapshot: b'0000000000000000100000003c9f0040'
EndpointStatus_stack_addr: 0x40009f3c
ProcessSetupPacket SP: 0x40009f30
InnerMemcpy LR stack addr: 0x40009f20
overwrite_len: 0x00004f20
overwrite_payload_off: 0x00004de0
payload_first_length: 0x00004de0
overwrite_payload_off: 0x00004de0
payload_second_length: 0x0000c7b0
b'00a0004000300040e04d0000b0c70000'
Setting rcm msg size to 0x00030064
RCM payload (len_insecure): b'64000300'
Setting ourselves up to smash the stack...
Payload offset of intermezzo: 0x00000074
overwrite_payload_off: 0x00004de0
overwrite_len: 0x00004f20
payload_overwrite_len: 0x00004e5c
overwrite_payload_off: 0x00004de0
smash_padding: 0x00000000
overwrite_payload_off: 0x00004de0
Uploading payload...
txing 73728 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
txing 4096 bytes (20480 already sent) to buf[1] 0x40005000
txing 4096 bytes (24576 already sent) to buf[0] 0x40003000
txing 4096 bytes (28672 already sent) to buf[1] 0x40005000
txing 4096 bytes (32768 already sent) to buf[0] 0x40003000
txing 4096 bytes (36864 already sent) to buf[1] 0x40005000
txing 4096 bytes (40960 already sent) to buf[0] 0x40003000
txing 4096 bytes (45056 already sent) to buf[1] 0x40005000
txing 4096 bytes (49152 already sent) to buf[0] 0x40003000
txing 4096 bytes (53248 already sent) to buf[1] 0x40005000
txing 4096 bytes (57344 already sent) to buf[0] 0x40003000
txing 4096 bytes (61440 already sent) to buf[1] 0x40005000
txing 4096 bytes (65536 already sent) to buf[0] 0x40003000
txing 4096 bytes (69632 already sent) to buf[1] 0x40005000
txing 4096 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
Smashing the stack...
sending status request with length 0x00004f20
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!
b'4445414442454546'
DEADBEEF
b'3030303030303030'
00000000
b'3030303030303030'
00000000
b'3034303030303930'
04000090
b'4634314330433241'
F41C0C2A
b'3133333731333337'
13371337
b'3535353535353535'
55555555
b'3430303033303030'
40003000
b'3430303035303030'
40005000
b'4141414141414141'
AAAAAAAA
b'3131313131313131'
11111111
b'3030303030303236'
00000026
b'3232323232323232'
22222222
b'68656c6c6f2c20776f726c640a00'
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
Traceback (most recent call last):
File "./fusee-launcher.py", line 823, in <module>
buf = switch.read(USB_XFER_MAX)
File "./fusee-launcher.py", line 530, in read
return self.backend.read(length)
File "./fusee-launcher.py", line 134, in read
return bytes(self.dev.read(0x81, length, 3000))
File "/usr/local/lib/python3.6/dist-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/local/lib/python3.6/dist-packages/usb/_debug.py", line 60, in do_trace
return f(*args, **named_args)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Search for the line "hello, world" inside of your log. It looks like this in this example:
Code:
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
The last 8 characters are not your SBK. This is the first 8 numbers of your Device ID. Delete this and delete the b' at the start and also the ' at the end.
The result should look like this:
Code:
e57de3bab6cb499d874d5772cb219f01
Congratulation, you have successfully dump your device SBK via USB.
2. GETTING YOUR CPU UID
Step 1: Download Wheelie and NvFlash then extract it to a folder.
Step 2: Download this broken blob.bin file (REQUIRE)
http://www.mediafire.com/file/32cxvjv2wajokqf/blob.bin/file
Then place it inside of the Wheelie and NvFlash folder.
Step 3: Open a terminal inside of the folder then type:
Code:
./wheelie --blob blob.bin
After that, something like this should appear:
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
[=] Chip UID: 0x98254853062001158
[-] Incorrect SBK or SBK type selected. nverror: 0x4.
Search for "Chip UID", remove the "0x" at the beginning. The result should look like this:
Code:
98254853062001158
Congratulation, you got your chip UID
3. GENERATE BLOB FILES USING ANOTHER NEXUS 7
Step 1: Download MkNvfBlob from this link:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/precompiled/precompiledN7.tar.xz
Note: Extract this to your Nexus 7.
Step 1.1: Reboot into TWRP recovery.
Step 2: Open a terminal inside of you ADB folder then type:
Code:
adb shell
After that:
Code:
su
Type this command after that:
Code:
mkdir /AndroidRoot
Last one:
Code:
cat /proc/cpuinfo > /AndroidRoot/cpuinfo
Pull the cpuinfo file using this command:
Code:
adb pull /AndroidRoot
Note: You could copy your cpuinfo file to your PC using MTP (IDK how to do this so search Google lol)
Open your ADB folder and there should be a AndroidRoot folder with a cpuinfo file inside of it.
Open cpuinfo using a Text Editor. Something like this should be inside:
Code:
Processor : ARMv7 Processor rev 9 (v7l)
processor : 0
BogoMIPS : 1993.93
processor : 1
BogoMIPS : 1993.93
processor : 2
BogoMIPS : 1993.93
processor : 3
BogoMIPS : 1993.93
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
Hardware : grouper
Revision : 0000
Serial : 015d4a5f202c0401
Replace the Serial line with your Chip UID.
After that, place the cpuinfo file back to the /AndroidRoot folder on your device using this command:
Code:
adb push AndroidRoot /
After you are done, don't close the ADB windows.
Step 3: Download bootloader.xbt:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bootloaders/bootloader.grouper.XBT
And BCT for your device:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bct/n7.bct
And copy these two files to the /AndroidRoot folder on your device.
Step 4: Type this command on the ADB windows:
Code:
cd /AndroidRoot
After that, type:
Code:
chmod 777 ./mknvfblob
After that, type:
Code:
./mknvfblob -W -K <your SBK> --blob /AndroidRoot/test.blob --bctin /AndroidRoot/n7.bct --bctr /AndroidRoot/testr.bct --bctc /AndroidRoot/testc.bct --blin /AndroidRoot/bootloader.grouper.XBT --blout /AndroidRoot/test.ebt
Wait for it to do its job.
After that, go to your /AndroidRoot folder and copy all the file that just got generated (testr.bct, testc.bct. test.ebt, test.blob) to your PC using the adb pull command on Step 2
Congratulation, you have successfully generate blob for your bricked device.
4. UNBRICK YOUR DEVICE (The fun part )
Step 1: Boot your bricked device into APX mode either using Power button or Power + Vol UP.
Step 2: Open a terminal inside of the folder where you place your NvFlash folder (move the blob file inside of that folder, all of them)
Step 3: Open a terminal inside of your Wheelie and NvFlash folder. Type:
Code:
sudo ./nvflash --bl test.ebt --bct testr.bct --blob test.blob
If you got this command:
Code:
command error: no command found
Then try this one instead:
Code:
./nvflash --setbct --create --configfile <your flash.cfg> --bl test.ebt --bct testr.bct --blob test.blob
If you got the NvError, its fine.
Something like this should appear (the first command):
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d2bc285340e0f
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d2bc285340e0f
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: recovery.bct
- 6128/6128 bytes sent
recovery.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.ebt
- 2146912/2146912 bytes sent
bootloader.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
A Google Logo should appear on your device screen with the text "Battery is too low" on the upper left corner. Unplug the battery and replug it. After that, plug it into a wall charger for atleast 4 hour.
Step 4: Unplug the battery and boot into APX mode again using the button combination.
Step 5: Type this command while holding down the Vol DOWN button:
Code:
sudo ./nvflash --resume --download 8 boot.img
Replace "boot.img" with your ROM boot.img file. If you download another boot.img that isn't for your ROM, your device will bootloop.
Step 6:
Type:
Code:
sudo ./nvflash --resume --download 4 bootloader.img
Replace "bootloader.img" with your bootloader.img file name (You could get it inside of the Factory Image)
And after its done, your device should technically unbrick now. But I still recommend you re-flash stock ROM.
Step 7: The final step
Boot into your OS using the command below:
Code:
sudo ./nvflash --resume --go
If your device boot back into APX mode, maybe you have done something wrong. Try again.
If you got a Google logo on your device then congratulation! Your device is now unbricked.
Note: If step 7 didn't work, try booting this recovery image using this command:
Code:
fastboot boot flatline_grouper.img
Link for the recovery image is in the "Links" section.
Note: To get into Fastboot, add the "--go" line at the end of the command in Step 5
Code:
sudo ./nvflash --resume --download 8 boot.img --go
HOLD DOWN VOL DOWN while doing this command, you should get into fastboot at
After you are in the Flatline recovery, navigate to the "Advanced" section using the VOL buttons. Select it using the POWER button.
Select the "wheelie" at the end of the list.
Select "I agree".
After that, select "Step 1: Flash AndroidRoot.mobi custom bootloader." IGNORE Step 2 because it won't gonna work anyways.
Your device should reboot and the Google logo should appear, that means that your device is unbricked.
Note: If you wanted to flash stock ROM, open the "image-*******.zip" inside of the factory image and open the android-info.txt file. Edit the "require-bootloader" line to "4.13". After that, it should work.
Links:
flash.cfg: http://www.mediafire.com/file/j90hc1dfz58aytq/flashcfg.zip/file
flatline_grouper.img: https://www.mediafire.com/file/z1jvgy6km33f7bf/flatline_grouper.img/file
Wheelie, NvFlash and platform-tools (For ADB) (Works for both Linux and Windows): https://www.mediafire.com/file/0nuy4indgvagq3v/nvflash-and-platformtool.zip/file
Download the Factory Image for your Nexus 7 incase you want to re-flash stock ROM (nakasi or nakasig): https://developers.google.com/android/images#nakasi
That is. If you need any help, message me.
Update: After a few days of troubleshooting, fixing and updating my post, it seems like the step to unbrick your Nexus 7 2012 may depends on how did you brick it, what OS version you are running or the condition of your device. So you may have to "think outside the box" sometimes in this guide.
Update #2: Some helpful advice from @Jirmd with some minor change:
When you get this error :
Code:
Nvflash v1.10.76762 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d4a5f202c0401
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d4a5f202c0401
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 2
device config fuse: 17
sdram config strap: 1
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
after this command :
Code:
./nvflash --configfile flash.cfg --create --bct testr.bct --setbct --bl test.ebt --blob test.blob --sync
Probably you have broken your internal storage!
You can probably flash:
Bootloader image (bootloader.img)
Kernel image (boot.img)
Recovery image (recovery.img aka TWRP)
But you CAN'T flash a new system via TWRP or fastboot, because the bootloader or the recovery was unable to connect to the partitions table.
You can try this command to erase bad blocks:
Code:
./nvflash --resume --configfile flash.cfg --obliterate
Reboot to APX mode and try the above command again.
But, broken internal storage is pretty much unrepairable.
There is some possibility of disassembly your device and overheat your memory IC, but this method is not easy and need more technical skill.
And in my case this did not help.
Click to expand...
Click to collapse
In my case, this command also gives me the nverror 0x4 but it also did something to my Nexus 7 as it was required for the next step.
Update #3: Updated the guide and removed some unessacery steps.
Update #4: Updated.

Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.

Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk

zak4 said:
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk
Click to expand...
Click to collapse
You could manually create the folder if you have root. By using those Root File explorer on Google Play Store.
I recommend you using this one: https://play.google.com/store/apps/details?id=com.clearvisions.explorer
Open the app then go to the root section, create a new folder name: AndroidRoot
And you are good to go.
If the above method didnt work, type these command one by one:
Code:
adb shell
su
mount -o rw,remount /system
You can mount your /system back to Read-Only using this command:
Code:
mount -o ro,remount /system

GedBlake said:
Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.
Click to expand...
Click to collapse
Yes, I have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.

Deleted.

@enderzip
Thank you Enderzip. I succeeded the creation of AndroidRoot with the command for write permission on system.
I have another issue about extraction of SBK of my bricked Nexus 7. I prepared everything (download of fusee-launcher, pyusb installation ...), checked connection of my device through APX (see below) but when I type sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin I got :
[email protected]:~/Downloads/fusee-launcher-n7$ lsusb
Bus 002 Device 096: ID 058f:6362 Alcor Micro Corp. Flash Card Reader/Writer
Bus 002 Device 061: ID 0955:7330 NVIDIA Corp.
Bus 002 Device 004: ID 046d:0805 Logitech, Inc. Webcam C300
Bus 002 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
...
[email protected]:~/Downloads/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
sudo: ./fusee-launcher.py : command not found
Sorry to be blocked again.

@enderzip
I found a solution to my issue by allowing the "execution of the file as program" in the permissions of fusee-launcher.py file.
Fusee-launcher started but quickly stopped before application stack dumping : message delivered by fusee-launcher is to use USB 3.0 and I realized that I have only USB 2.0 on my old desk computer.
Does someone know how to patch EHCI driver ? Is it a possible solution ?
Thanks for your advice.

enderzip said:
Yes, i have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
Click to expand...
Click to collapse
enderzip, wow, you soo good and cool. I am totaly glad for this, how you make your tutorial. And we must give thanks for AndroidRoot team and Jenkinsen. Without this people, we all have only paperweight.
Now, i will try make my moded mknvfblob worked standalone. Without Tegra 3, only on linux X86 PC.
And, i will try make tutorial for nexus 7 , how boot linux from usb, without multiboot. ( For case, when is your internal storage totaly unreparable damaged.)

Deleted.

Thank you Enderzip. I will follow your advice and buy a USB 3.0 PCI Express card and try later.
Again many thanks to you and Jmrd for your tutorial that will enable us to revive our bricked Nexus 7.
Envoyé de mon Nexus 4 en utilisant Tapatalk

I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?

gormatrax said:
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
Click to expand...
Click to collapse
The boot.img is inside the .zip inside of the factory image. I think the name is "image-nz---.zip"

Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0

@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen

gormatrax said:
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
Click to expand...
Click to collapse
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.

enderzip said:
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
Click to expand...
Click to collapse
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...

gormatrax said:
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
Click to expand...
Click to collapse
Hmm, have you tried switching the USB port? Maybe the USB cable too.

steffenm82 said:
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen
Click to expand...
Click to collapse
Sorry for my late reply, in this case, try skipping to the next step.

I must say that @enderzip guide make my nexus 7 back on it´s feet despite not having previously generated blobs. After some days of research and some nights via PM and FB messenger he managed to bring my Nexus back on. So Yes @GedBlake he managed to unbrick a nexus 7 with no previous generated blobs. But the mentor of this tutorial was @Jirmd. In adittion, thanks to this 2 wonderful persons that make my Nexus 7 back to it´s gold years!!!