Lenovo Smart Clock (Bootloader/AVB unlock, Firmware, Region Changer, Kernel Source) - Google Home

How to Bootloader Unlock (Part 1 of 2):
1. You will need a USB A to USB A cable (Example here)
2. You will need fastboot drivers on your PC
3. Unplug your clock
4. Plug the USB A to A cable into your computer and clock
5. Hold the volume + button and plug in the power cord
6. Keep holding volume + for about 20-30 seconds (It is slow to boot to fastboot)
7. On your computer in a terminal run, fastboot flashing unlock
Part 1 of unlocking is now done
AVB/DM-Verity Unlock (Part 2 of 2)
Unlocking the bootloader really does not give a lot to us because all the partitions are still being verified and the device will not boot if they don't match. Normally doing this on an Android Things device is not possible due to their Private key unlock system. But due to a leak, the private key for the Lenovo Smart Clock is available. Word of warning: doing this causes the stock Android Things not to boot; only the factory firmware located on Slot A will boot. Consistently, if you don't AVB unlock, the factory firmware on Slot A doesn't boot. If you have already set up your device once, the factory firmware is deleted and currently there is not a way to get it back (Hopefully will change soon).
If you are coming from part 1 you can start right away, if not you need to reboot to fastboot again.
1. Extract the downloaded AVB Unlock zip
2. Run this command in terminal
Code:
at_auth_unlock.exe cube_unlock_credentials_v2.zip
3. Wait till it finishes
4. Keep in mind the stock system does not boot properly with AVB off (It is weird some UI elements work but the boot animation never goes away)
5. To relock AVB in the future run the following command:
Code:
fastboot oem at-lock-vboot!
Downloads:
Stock Shipping fastboot firmware:
Here
AVB Unlock tool:
Here
Factory partition changer (Locale changer):
Here
Google released kernel source:
https://github.com/deadman96385/android_kernel_lenovo_mt8167s
Dump of stock partitions for easy viewing:
https://github.com/deadman96385/things_mt8167s_som_dump
Credit to @deletescape for the leak of the AVB Unlock Key, Stock firmware, region changer

Screenshots of the stock android things on Slot A if you don't setup the device :
TWRP (Coming Soon)

Excited to see what you manage to do with this!

This is great! I have one of these and it felt way too restrictive, looking forward to seeing what comes out of this.

You can also unlock the boot loader simply with what's below... device does boot with this btw
fastboot flashing unlock
Although I've been messing with the device quite a bit. Plug in a usb keyboard, and you can get a web browser to recognize it and go to websites and such using the touch screen as a cursor, but you can't download APK files and install them and such. I've NEVER had the device recognized by ADB, so I can't pass commands from there either.

KaptinBoxxi said:
You can also unlock the boot loader simply with what's below... device does boot with this btw
fastboot flashing unlock
Although I've been messing with the device quite a bit. Plug in a usb keyboard, and you can get a web browser to recognize it and go to websites and such using the touch screen as a cursor, but you can't download APK files and install them and such. I've NEVER had the device recognized by ADB, so I can't pass commands from there either.
Just doing step one does not actually get you anything because if you flash something that isn't stock on the verified partitions it will not boot until you flash back the stock one. I have gotten adb to show up but not properly so it is offline. Still hacking away at it trying to get it to go so I can more easily debug TWRP and make edits to the system.

deadman96385 said:
Just doing step one does not actually get you anything because if you flash something that isn't stock on the verified partitions it will not boot until you flash back the stock one. I have gotten adb to show up but not properly so it is offline. Still hacking away at it trying to get it to go so I can more easily debug TWRP and make edits to the system.
Ahhhhh got it. I couldn't find anything when I was messing with it like you've found with those commands. I'm kinda new to all this myself at something with nearly zero support, although I have a ton of experience with phones. Had to find my own exploit with my HTC One M7 because the version of android on the phone was the final supported update when I got it, and everyone said "nothing is possible with this android version" as far as rooting... so I figured out my own way lol
I'll continue trying myself though for sure

I also own one of these clocks, so if anyone has anything that I could test out, please share!

I think I'm bit late to party. Anyone who has a backup for those lenovo products, maybe it's a good idea to torrent them.

Honami754 said:
I think I'm bit late to party. Anyone who has a backup for those lenovo products, maybe it's a good idea to torrent them.
I don't have the time to test this stuff out for at least a few weeks, but if when I get to it, I'll try to upload my Backups somewhere before I tinker with the system. I'll update this comment when I do.

CiriousJoker said:
I don't have the time to test this stuff out for at least a few weeks, but if when I get to it, I'll try to upload my Backups somewhere before I tinker with the system. I'll update this comment when I do.
That's not really what I mean... I was referring to some interesting documents from lenovo. Have a few of those hardware but unfortunately didn't grab those files. Anyone also interested in these can PM me maybe we can do something about it.

When will TWRP be available?

Interesting as there have been a few of these turn up to auction of late.
I have gone with the 10' for main room and 8' for bedroom.. love them..
Got the oldies the little 7'
Great for streaming too..

The one I wish it did was announce the time by voice when the internet was down and we said "Hey Google". I am blind without my glasses and often when I am in bed, the internet is down in my area for maintenance period. The clock becomes useless when the internet goes down.

How are people getting the web browser to appear? I'm able to unlock the bootloader but can not boot with the AVB unlocked (well...technically it boots but still shows the spinning circle even though it will let you go to settings). I tried flashing the stock fastboot img and booting with avb unlocked and still get spinning circle. Not trying to get too fancy with this...just want to be able to point to a status page that I can leave it on.

Does anyone try to build a new firmware image and install this instead of stock?
Maybe compiling Android Things from source is possible, but looks like Google has stopped the development. The Lenovo Smart Frame seems to have the same MT8167S and runs on Android 10. Maybe it's possible to compile a LineageOS version?
lenovo.com/us/en/coming-soon/Lenovo-CD-3L501/p/ZZISZSDCD04
Another option might be fuchsia that contains a mt8167s board ref.
fuchsia.googlesource.com/fuchsia/+/master/boards/mt8167s_ref.gni
Googles Coral announced a Dev Board Mini based on MT8167s, maybe they port the Debian-based Mendel Linux to it.
coral.ai/products/dev-board-mini

hugo987 said:
Does anyone try to build a new firmware image and install this instead of stock?
Maybe compiling Android Things from source is possible, but looks like Google has stopped the development. The Lenovo Smart Frame seems to have the same MT8167S and runs on Android 10. Maybe it's possible to compile a LineageOS version?
lenovo.com/us/en/coming-soon/Lenovo-CD-3L501/p/ZZISZSDCD04
Another option might be fuchsia that contains a mt8167s board ref.
fuchsia.googlesource.com/fuchsia/+/master/boards/mt8167s_ref.gni
Googles Coral announced a Dev Board Mini based on MT8167s, maybe they port the Debian-based Mendel Linux to it.
coral.ai/products/dev-board-mini
I suppose the smart frame is running android things as well. Compiling android things does make much sense except to prove the drivers are sort of working, this is not designed to let users have fun (ie installing apps).
Google *really* loves mt8167s for some reason. I'd say there's a good chance of we having full android on it but everyone's busy.

They are throwing these things at our head now. 35/40 USD during black fridays.
I don't think you can order the components for that price
Anybody still working on it ? Lenovo claims it's still working on the sound bug - hxxps :// forums.lenovo.com/t5/Lenovo-Smart-Display-Lenovo-Smart-Clock-with-Google-Assistant/Smart-clock-alarm-volume-too-loud-at-first/m-p/5040962?page=4 (latest reply 2020-13-11 from Lenovo) and they did some unannounced pretty good updates in september 2020 - hxxps :// 9to5google.com/2020/09/21/lenovo-smart-clock-night-light/
They also claim the source is on their website hxxps :// smartsupport.lenovo.com/us/en/products/smart/smart-home/smart-clock/za4r/downloads/ds539701
So is this dead ?

deadman96385 said:
How to Bootloader Unlock (Part 1 of 2):
1. You will need a USB A to USB A cable (Example here)
2. You will need fastboot drivers on your PC
3. Unplug your clock
4. Plug the USB A to A cable into your computer and clock
5. Hold the volume + button and plug in the power cord
6. Keep holding volume + for about 20-30 seconds (It is slow to boot to fastboot)
7. On your computer in a terminal run, fastboot flashing unlock
Part 1 of unlocking is now done
AVB/DM-Verity Unlock (Part 2 of 2)
Unlocking the bootloader really does not give a lot to us because all the partitions are still being verified and the device will not boot if they don't match. Normally doing this on an Android Things device is not possible due to their Private key unlock system. But due to a leak, the private key for the Lenovo Smart Clock is available. Word of warning: doing this causes the stock Android Things not to boot; only the factory firmware located on Slot A will boot. Consistently, if you don't AVB unlock, the factory firmware on Slot A doesn't boot. If you have already set up your device once, the factory firmware is deleted and currently there is not a way to get it back (Hopefully will change soon).
If you are coming from part 1 you can start right away, if not you need to reboot to fastboot again.
1. Extract the downloaded AVB Unlock zip
2. Run this command in terminal
Code:
at_auth_unlock.exe cube_unlock_credentials_v2.zip
3. Wait till it finishes
4. Keep in mind the stock system does not boot properly with AVB off (It is weird some UI elements work but the boot animation never goes away)
5. To relock AVB in the future run the following command:
Code:
fastboot oem at-lock-vboot!
Locale changer instructions:
Coming soon (Need to figure it out)
Downloads:
Stock Shipping fastboot firmware:
Here
AVB Unlock tool:
Here
Factory partition changer (Locale changer):
Here
Google released kernel source:
https://github.com/deadman96385/android_kernel_lenovo_mt8167s
Dump of stock partitions for easy viewing:
https://github.com/deadman96385/things_mt8167s_som_dump
Credit to @deletescape for the leak of the AVB Unlock Key, Stock firmware, region changer
How about the smart display, the same way?

jasonzhang1987 said:
How about the smart display, the same way?
We do not have the AVB unlock files for the smart displays sadly.

Related

HOWTO: Force Chromecast to Boot from USB (Possible Brick Recovery Method)

WARNING: This should be the VERY VERY VERY VERY (Am I clear enough about this?) LAST thing you do to try and fix a chromecast. This can possibly fry a chromecast for good, so know going into this that it may not work!
Because of this, Me, XDA, and all other users are NOT RESPONSIBLE for any damage, problems, or issues that may arise from using this method. By using this tutorial, you agree and understand the above warning.
So, I had a Chromecast that I got stuck in "backupsys" boot mode, where it would try to boot the backupsys partition. Issue is, it would not boot, and you can't force it to boot from jumpdrive while it is in "recovery" or "backupsys" mode.
Well after tearing the thing down and getting UART setup, I started messing around, and found a way to FORCE the device to read from USB, regardless to the bootmode.
How this works is during the boot process, you jump 2 select pins on the PCB by the CPU, which causes the device to have a block read error while reading the system flash. When this happens, the device falls back into USB read mode.
Because this causes a read interrupt, it "MAY" have unknown effects on the longevity of your device, so like I said before, this should be a LAST RESORT OPTION ONLY.
What You Need:
Chromecast with Rootable Bootloader
Paper Clip/Needle to jump some TINY pins
UART hooked up to your computer
Jump Drive with the Root Image & USB OTG Cable
Process:
Step 1: Tear down your device, and have it hooked up to UART on your computer.
Step 2: Have the USB OTG Cable and Jump Drive with the root image plugged into the chromecast. Do not have it plugged into power yet.
Step 3: On the top side of the chromecast (Not the side with the UART Pins), carefully remove the RF shield to reveal the WiFi Chip and CPU.
Step 4: Have putty open and connected to your UART COM port. Also have "reboot recovery" in your clipboard. (Copy that command so you can right-click in putty to send it quick)
Step 5: Now, prepare to jump pin #26 (shown in photo below, marked with red square on right side of CPU) when you plug in the chromecast to power it.
Step 6: Plug in the chromecast power, and watch the UART output. Once the Chromecast LED turns red, use the paper clip to short pin #26 and you should get the following output:
Code:
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=208 vcore=10 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
OTP status=0x000000FF lkg curr=208 mA
nand_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v155 loaded from 0x00268000
Read failed @ 0x7814c000
ERROR: Failed to read CPU image ret -1
Booting from NAND failed, booting from USB....!
timer_clk_freq = 0x47868c0
USB: Register 10011 NbrPorts 1
USB EHCI 1.00
scanning bus for devices... 2 USB Device(s) found
scanning bus for storage devices... 1 Storage Device(s) found
If you do not see "Booting from NAND failed, booting from USB....!", unplug the chromecast, and try again.
Step 7: The chromecast will now try and boot the Jump Drive image. During this, there will be a root shell hiding under all the output. You need to QUICKLY and repeatedly press Enter until you see "/ # " flash on the screen. Once you see that flash, QUICKLY press right-click so putty pastes your clipboard, and then press enter. If you do this fast enough, the kernel will run "reboot recovery" and restart.
Step 8: The device will now try to boot the normal recovery partition. This is fine, because even if it fails, the bootloader will detect this and reset the device to normal boot mode after a few power cycles. After a few power cycles, the chromecast should eventually show the following over UART:
Code:
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=208 vcore=10 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
OTP status=0x000000FF lkg curr=208 mA
nand_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v168 loaded from 0x0029c000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v169 commited @ 0x002a0000
Uncompressing Linux... done, booting the kernel.
And congrats, the device is now back to Normal Boot Mode! You can now hold the power button during power on to properly flash the rooted image, and your device should be good to go!
DEVS: If you want to help make this easier, can you make a USB image that just boots the kernel and stops at command line? Would make this process easier.
FAQ:
Q: Why do I need this? I can just hold down the button to boot from a Jump Drive.
A: This is true, but if a Chromecast is in any other boot mode besides normal, then it will be unable to boot from USB. This is just how the bootloader is coded. (I submitted a patch to google regarding this, even though it would never help us out thanks to the updated locked bootloader).
Q: Will this allow me to Downgrade/Root my device?
A: Answer is Probably not, even though this is untested. This is because the bootloader is still loading from the device, so it will still probably check the USB Drives image for a valid signature.
Q: I tried this, but my device still won't boot.
A: Well then there is probably not much else you can do, besides looking for a fix yourself. Remember, it's a $35 dollar device so it may just be best to buy a new one.
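Added example, not part of the original post: a Python parser that classifies a captured UART boot log like the two shown above as a normal NAND boot or a USB fallback, and records the NAND read-failure addresses that preceded the fallback. The sample logs are lines copied from the post (trimmed); the class and function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the two UART captures in the post above,
# trimmed to the lines the parser looks at.
USB_FALLBACK_LOG = """\
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
fts: v155 loaded from 0x00268000
Read failed @ 0x7814c000
ERROR: Failed to read CPU image ret -1
Booting from NAND failed, booting from USB....!
scanning bus for storage devices... 1 Storage Device(s) found
"""

NORMAL_LOG = """\
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
fts: v168 loaded from 0x0029c000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v169 commited @ 0x002a0000
Uncompressing Linux... done, booting the kernel.
"""

# search() rather than match(): serial captures often drop leading characters.
RE_STRAP = re.compile(
    r"boot_strap=(0x[0-9a-fA-F]+) \(source=(\w+)\), boot_state=(0x[0-9a-fA-F]+)")
RE_BUILD = re.compile(r"^\S+ \S+ \[[^\]]+\] ver:(\S+)")
RE_FTS = re.compile(r"fts: v(\d+) loaded from (0x[0-9a-fA-F]+)")
RE_READ_FAIL = re.compile(r"Read failed @ (0x[0-9a-fA-F]+)")


@dataclass
class BootReport:
    boot_source: Optional[str] = None       # e.g. "NAND" from the strap line
    boot_state: Optional[int] = None
    bootloader_verified: bool = False
    bootloader_build: Optional[str] = None  # text after "ver:"
    fts_version: Optional[int] = None       # first "fts: vN loaded" record
    read_failures: List[int] = field(default_factory=list)
    usb_fallback: bool = False
    normal_image: bool = False
    kernel_handoff: bool = False

    @property
    def outcome(self) -> str:
        if self.usb_fallback:
            return "usb-fallback"
        if self.normal_image and self.kernel_handoff:
            return "normal"
        return "incomplete"  # capture ended before a boot decision was logged


def parse_boot_log(text: str) -> BootReport:
    """Extract the boot path and failure markers from a UART capture."""
    report = BootReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_STRAP.search(line)
        if m:
            report.boot_source = m.group(2)
            report.boot_state = int(m.group(3), 16)
        m = RE_BUILD.search(line)
        if m:
            report.bootloader_build = m.group(1)
        m = RE_FTS.search(line)
        if m and report.fts_version is None:
            report.fts_version = int(m.group(1))
        m = RE_READ_FAIL.search(line)
        if m:
            report.read_failures.append(int(m.group(1), 16))
        if "bootloader image verified" in line:
            report.bootloader_verified = True
        if "Booting from NAND failed, booting from USB" in line:
            report.usb_fallback = True
        if "Boot normal GTV image" in line:
            report.normal_image = True
        if "booting the kernel" in line:
            report.kernel_handoff = True
    return report


def summarize(report: BootReport) -> List[str]:
    """Turn a report into short notes for a teardown or triage record."""
    notes = [f"outcome: {report.outcome}"]
    if report.read_failures:
        addrs = ", ".join(hex(a) for a in report.read_failures)
        notes.append(f"NAND read failed at {addrs}")
    if report.usb_fallback and report.boot_source == "NAND":
        notes.append("strapped for NAND but booted from USB")
    return notes


if __name__ == "__main__":
    for name, log in (("fallback", USB_FALLBACK_LOG), ("normal", NORMAL_LOG)):
        print(name, summarize(parse_boot_log(log)))
```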
Reserved
This reminds me of what people did for the xbox 360 with the dual nand chips, or what Adam Outler did with the galaxy camera. He had a switch that would choose whether to boot the default eMMC or a SD card.
Aaron Swartz, Rest in Pixels.
ddggttff3 said:
Reserved
Can you explain why you chose pin 26?
Thanks
zackoch said:
Can you explain why you chose pin 26?
Thanks
In all honesty, trial and error with a device I didn't think would ever work again.
EDIT: Also, getting very very lucky.
jamcar said:
This reminds me of what people did for the xbox 360 with the dual nand chips, or what Adam Outler did with the galaxy camera. He had a switch that would choose whether to boot the default eMMC or a SD card.
Aaron Swartz, Rest in Pixels.
In case anyone didn't pick on my meaning, it would be cool if we could use a switch to boot from USB or eMMC.
Aaron Swartz, Rest in Pixels.
jamcar said:
In case anyone didn't pick on my meaning, it would be cool if we could use a switch to boot from USB or eMMC.
Aaron Swartz, Rest in Pixels.
technically this may be possible, but I am not a developer but don't quote me. The fact that we can load a kernel off a jump drive though should mean we have the ability to load and run a system image off of a jump drive.
I just got a second chromecast and am awaiting my USB OTG power cable, I do plan to root this one and work on seeing if my idea is possible.
Aaron Swartz, Rest in Pixels.
How did you get the remainder of the shield off? I got the covers off but I can't get the shield off.
EDIT: I got it. Another question: do you leave your chromecast "naked" or?
jamcar said:
How did you get the remainder of the shield off? I got the covers off but I can't get the shield off.
EDIT: I got it. Another question: do you leave your chromecast "naked" or?
You should put the RF shields back on after you do this modification, as they prevent interference and issues. During the dissection of my device though, I fully removed the shields (including the sides), so I have no choice but to run that one naked, but it is sitting on the side as I have another rooted chromecast I use for day to day usage.
Short pin 26 to Ground?
Sent from my XT897 using XDA Premium 4 mobile app
rbeavers said:
Short pin 26 to Ground?
Sent from my XT897 using XDA Premium 4 mobile app
To be more clear, you should jump both pins at point 26. I am planning on re-doing this thread now that flashcast is out, and can make this a hell of a lot easier.
Have not used my chromecast since I bought it, prob early August. Used it the first day and put it back in the box. Decided to play with it again and root it. Problem is as soon as you plug it into the TV it starts to update (have/had wifi off just in case). So I assume it downloaded the update way back when I first used it. Not sure if this update patches the root exploit or not and I don't want to find out. Will this method get make out of "update mode"? Anything else I can try? You mentioned Flashcast any way to use it?
Thanks
BB
Bad Bimr said:
Have not used my chromecast since I bought it, prob early August. Used it the first day and put it back in the box. Decided to play with it again and root it. Problem is as soon as you plug it into the TV it starts to update (have/had wifi off just in case). So I assume it downloaded the update way back when I first used it. Not sure if this update patches the root exploit or not and I don't want to find out. Will this method get make out of "update mode"? Anything else I can try? You mentioned Flashcast any way to use it?
Thanks
BB
First off, any official OTA for the Chromecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
ddggttff3 said:
First off, any official OTA for the Chromecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
I've tried doing the root method posted here:
http://forum.xda-developers.com/showthread.php?t=2529903
When I connect the CS to the usb side of the OTG cable it flashes red and then white and that's it.
Might I be doing something wrong?
Thanks
BB
Bad Bimr said:
I've tried doing the root method posted here:
http://forum.xda-developers.com/showthread.php?t=2529903
When I connect the CS to the usb side of the OTG cable it flashes red and then white and that's it.
Might I be doing something wrong?
Thanks
BB
Is your device rootable? if it has taken any official google OTA yet, then the device will be unable to use or boot flashcast as google patched the root exploit.
Next time please try to keep questions to the relevant thread, thanks.
ddggttff3 said:
First off, any official OTA for the Chromecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
IIRC, in another thread it was stated that Flashcast made no changes to the Chromecast, it was just to setup the USB drive to flash the Chromecast and it was the Pwnedcast ROM that made the needed changes to prevent the OTA from taking place.
It's mentioned in this post:http://forum.xda-developers.com/showpost.php?p=46307051&postcount=124 or am I misunderstanding what you mean?
wptski said:
IIRC, in another thread it was stated that Flashcast made no changes to the Chromecast, it was just to setup the USB drive to flash the Chromecast and it was the Pwnedcast ROM that made the needed changes to prevent the OTA from taking place.
It's mentioned in this post:http://forum.xda-developers.com/showpost.php?p=46307051&postcount=124 or am I misunderstanding what you mean?
That is correct, flashcast makes no changes, but it DOES reset the boot mode of the device back to normal. this is done to ensure that no device gets stuck in recovery mode forever, as well as deletes /cache/ota.zip so if a official google OTA is on the device, it gets deleted.
ddggttff3 said:
That is correct, flashcast makes no changes, but it DOES reset the boot mode of the device back to normal. this is done to ensure that no device gets stuck in recovery mode forever, as well as deletes /cache/ota.zip so if a official google OTA is on the device, it gets deleted.
Deleting /cache/ota.zip isn't considered a change? So, if ALL that is done to a 12072 build is to setup the Flashcast USB drive, it can't be updated by Google?
wptski said:
Deleting /cache/ota.zip isn't considered a change? So, if ALL that is done to a 12072 build is to setup the Flashcast USB drive, it can't be updated by Google?
No, the device will still be able to update from google if flashcast is ran, flashcast just deletes any already downloaded OTA that has yet to be installed.

[Q] where to get signed images?

Hi,
As I believe I need to reflash my chromecast using the original firmware, does anyone know where I can get it from?
(If you're interested in why, please see below.)
I seem to have a bricked Chromecast that I'm trying to revive (black screen after the booting chrome logo),
I have soldered in the serial port and it seems to boot the normal image ok (see bottom for dump), I have tried both the normal and the recovery image, it performs the recovery okay, however the normal boot after recovery yields the same results.
Therefore I would consider the next step to reflash it, however it refuses to flash using the GTV released firmware, because the existing firmware is too new to allow for the exploit, I therefore believe that I need a current firmware which is signed by google to attempt recovery of the chromecast, I spoke to google about it and I was welcome to send it back and get a replacement, however as I'm in Europe, it would be cheaper to just buy a new one, than to pay the postage.
P.S. I posted this in a non-QA forum, under the assumption that links would be of general interest to chromecast developer community, and therefore would be easier to find here, if moderators disagree, I apologize for the inconvenience of moving this post.
Normal boot:
s_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=192 vcore=11 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Aug 5 2013 10:54:27] ver:f07e92b-dirty
OTP s0x000000FF lkg curr=192 mAnd_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v94 loaded from 0x00174000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v95 commited @ 0x00178000
Uncompressing Linux... done, booting the kernel.
bse10093 said:
Hi,
As I believe I need to reflash my chromecast using the original firmware, does anyone know where I can get it from?
(If you're interested in why, please see below.)
I seem to have a bricked Chromecast that I'm trying to revive (black screen after the booting chrome logo),
I have soldered in the serial port and it seems to boot the normal image ok (see bottom for dump), I have tried both the normal and the recovery image, it performs the recovery okay, however the normal boot after recovery yields the same results.
Therefore I would consider the next step to reflash it, however it refuses to flash using the GTV released firmware, because the existing firmware is too new to allow for the exploit, I therefore believe that I need a current firmware which is signed by google to attempt recovery of the chromecast, I spoke to google about it and I was welcome to send it back and get a replacement, however as I'm in Europe, it would be cheaper to just buy a new one, than to pay the postage.
P.S. I posted this in a non-QA forum, under the assumption that links would be of general interest to chromecast developer community, and therefore would be easier to find here, if moderators disagree, I apologize for the inconvenience of moving this post.
Normal boot:
If you had the exploitable bootloader, I would refer you to my thread I made awhile back about debricking, but if yours is updated, I think all you can really do is send it back to google, or buy a new one. To my knowledge, there has been no leak of an official signed USB image.
What you can try though is booting the chromecast into recovery (no idea how you can do that if its "bricked"), and have a jump drive with one of the official OTA Zips on it, named ota.zip. The chromecast recovery, if unable to find a update at /data/, will check an external jump drive.
Here is the link for the Official 13300 update. http://dl.google.com/googletv-eurek....1f63ef63d1f43c6222116806e5bea38a47e9f124.zip
tried recovery, but no luck
Thanks for your suggestions, I've tried to see if I can get it to load the software either by corrupting the boot (touching the memory without the shield after a few tries seems to be enough to cause corruption and thereby make it try to boot from usb, however seems to fail locating the image it may however just be a matter of me having to put it in there in a certain way.
The device seems to have bricked in a weird way, that is the recovery process seems to run without error and so does the normal boot process until the very end when it is supposed to switch from the spinning chrome logo into the chromecast desktop, it just switches to the black screen.
I was able to start the recovery, but I assume that it must have an existing ota.zip in /data/, as it doesn't seem to check the jump drive.
ddggttff3 said:
If you had the exploitable bootloader, I would refer you to my thread I made a while back about debricking, but if yours is updated, I think all you can really do is send it back to Google, or buy a new one. To my knowledge, there has been no leak of an official update.
What you can try though is booting the Chromecast into recovery (no idea how you can do that if it's "bricked"), and have a jump drive with one of the official OTA zips on it, named ota.zip. The Chromecast recovery, if unable to find an update at /data/, will check an external jump drive.
Have you tried doing a factory reset on the Chromecast? By button, or the setup application?
bse10093 said:
Thanks for your suggestions. I've tried to see if I can get it to load the software by corrupting the boot (touching the memory without the shield after a few tries seems to be enough to cause corruption and thereby make it try to boot from USB); however, it seems to fail locating the image. It may however just be a matter of me having to put it in there in a certain way.
The device seems to have bricked in a weird way, that is the recovery process seems to run without error and so does the normal boot process until the very end when it is supposed to switch from the spinning chrome logo into the chromecast desktop, it just switches to the black screen.
I was able to start the recovery, but I assume that it must have an existing ota.zip in /data/, as it doesn't seem to check the jump drive.
I believe it will try to install a file named ota.zip on the root of a flash drive if it doesn't find an OTA on internal storage.
factory default
ddggttff3 said:
Have you tried doing a factory reset on the Chromecast? By button, or the setup application?
Yes, I've tried it and it runs without errors and reboots; however, when back in normal boot mode it still shows the black screen instead of the Chromecast desktop.
P.S. maybe I should mention that the chromecast ad-hoc network also comes up, unfortunately though that doesn't seem to help.
doesn't seem to activate usb key
tvall said:
I believe it will try to install a file named ota.zip on the root of a flash drive if it doesn't find an OTA on internal storage.
I tried renaming; however, when starting recovery with the USB key containing the official 13300 renamed as ota.zip, it never has any disk activity on the USB key. However, I can verify that it can read the key from the bootloader, as it detects the key but fails the signing step.

Help needed, 'Your device has failed a routine safety check and will not boot.' after relocking BL

Hello everyone,
so I'll try and explain step by step what I, inexperienced guy, did, because from what I see I did absolutely everything to brick my V40... BUT maybe someone knows what I can do to avoid having a beautiful red paperweight.
I wanted to get HavocOS 3.5 on my phone. Until today I had stock Android 10, flashed by LGUP.
So in order to get the Havoc, I unlocked the bootloader the official way, thru LG developers site. Then I tried to get TWRP working and it might be the problem (more on that later). So, in order to get TWRP one of the steps was to fastboot boot TWRP-judypn-boot.img. I did that but didn't know what to do next (cause when I did it the phone booted normally and I didn't fully understand what now), so I abandoned the idea and just loaded the backup from LG Mobile Switch. But then I realized that with having unlocked bootloader I won't be able to use Google Pay, so after some reading I found out that Magisk might be the answer (it wasn't) so I managed to get Magisk root on my device. When I found out that it didn't help with Google Pay I tried to do what others on forum warned me not to - RElock the bootloader using 'fastboot oem lock'. And now it has locked bootloader. But also now of course the phone is rather bricked in a way that: I can enter both fastboot mode and download mode but: trying fastboot something I get the info that it is not possible in Lock State, and when trying to just flash kdz of that stock android 10 that I started with, the LGUP says error 'error 0x6004 crossDL' and below that it mentions 'judypn_lao_eea>@judypn_lao_co' so probably that first fastbooted img now prevents it from being flashed. So now I cannot fastboot or flash anything, and trying to boot the phone gives me error "Your device has failed a routine safety check and will not boot." and also sometimes, below 'All slots are unbootable'.
I know that I screwed up multiple times, first time not recognizing that unlocking BL would cut off a function crucial for me, but is there a way to fix all this?
AnDevil said:
Hello everyone,
so I'll try and explain step by step what I, inexperienced guy, did, because from what I see I did absolutely everything to brick my V40... BUT maybe someone knows what I can do to avoid having a beautiful red paperweight.
I wanted to get HavocOS 3.5 on my phone. Until today I had stock Android 10, flashed by LGUP.
So in order to get the Havoc, I unlocked the bootloader the official way, thru L<brevity>imes, first time not recognizing that unlocking BL would cut off a function crucial for me, but is there a way to fix all this?
Sounds kind of messy. Two things to know; 1) u most certainly can have google pay working on v40 w/10. I just added it on my (orig at&t) korean 10 30e / rooted / magisk / twrp. And 2) u should never ever try to relock the bootloader unless you just flashed a stock kdz to the device (completely unmodified, don't even choose language when it boots).
So the prob is what to do now. I'd first try to use fastboot to switch slots and see if the other side boots? And if that doesn't work / achieve what you want, then use lgup with dll version 1.14 to do the 'cross flash' (the 1.16 version doesn't work for that). Be sure to do a part DL (if u do the crossflash), then do a refurbish with the same kdz just after the part DL (of course you let the part DL complete, just shut it off after it boots all the way), then do refurb.
Ideally, what are u trying to accomplish?
cheers
Well, for now I would want to have bootloader locked, stock Android 10 on there. I'm probably going to leave the modding cause of the mess I've made - especially that I don't have much free time to tinker with phone when things go bad (and also as You can see I don't have enough experience to do so).
Right, so back to the point. How do you switch slots in fastboot? If by 'fastboot set_active a' (or b), then the result is 'not possible in lock state'. And for the other part (with LGUP and crossflashing), can You provide some kind of idiot-proof tutorial for that? Which files should I download and try to flash on the phone?
OK, I *think* that I partly know what to do. Unlike You wrote, the 1.14 LGUP doesn't let me do anything with phone, saying that it needs at least 1.16 to work. When I downloaded 1.16 (the one with which I flashed the android 10 back in september, from the topic https://forum.xda-developers.com/t/guide-lgup-for-all-no-root-needed.3967858/unread) I click on the 'PARTITION DL' option and after 4% it asks me to select a partition. And here I don't know what to select, because there are so many options and I'm afraid to move with any of them to not screw things up even more.
Oh, and the file which I try to flash is stock european android 10, 30b.
AnDevil said:
OK, I *think* that I partly know what to do. Unlike You wrote, the 1.14 LGUP doesn't let me do anything with phone, saying that it needs at least 1.16 to work. When I downloaded 1.16 (the one with which I flashed the android 10 back in september, from the topic https://forum.xda-developers.com/t/guide-lgup-for-all-no-root-needed.3967858/unread) I click on the 'PARTITION DL' option and after 4% it asks me to select a partition. And here I don't know what to select, because there are so many options and I'm afraid to move with any of them to not screw things up even more.
Oh, and the file which I try to flash is stock european android 10, 30b.
Okay, just so that it's clear, you do want to use 1.14 when going from 8 or 9 to 10. 1.16 won't recognize the older OS.
But, if you'd have done 1.16 Part DL from the beginning, it would have worked, as you've discovered. When the pop up for which Parts? shows up, select them all (unless you have a very good reason for omitting one or more of them).
Because you want to flash ebw 30b, there shouldn't be any reason to select all partitions. But I'd suggest (again), after doing the part DL, let the phone reboot of course, to complete. Then just shut it off and go back to LGUP and do a refurbish this time of the exact same kdz.
good luck
Ok, now I'm confused
I always used the 1.16, never the 1.14. And before I had tinkered with the phone I already had Android 10 installed (which I installed via 1.16). I think that someone made a patch for 1.16 to work with Android 9 when I made that transition.
Ok so You wrote that
"When the pop up for which Parts? shows up, select them all (unless you have a very good reason for omitting one or more of them)"
and below that You wrote
"there shouldn't be any reason to select all partitions"
so that part I don't understand.
Is it:
1. Connect phone in download mode to LGUP 1.16
2. Choose 'partition DL' And select all of them
3. Let it finish and the phone will reboot
4. Right when it boots to welcome screen shut it off
5. Enter download mode once again
6. Flash with 'refurbish' the 30b software
Are these steps correct?
AnDevil said:
Ok, now I'm confused
I always used the 1.16, never the 1.14. And before I had tinkered with the phone I already had Android 10 installed (which I installed via 1.16). I think that someone made a patch for 1.16 to work with Android 9 when I made that transition.
Ok so You wrote that
"When the pop up for which Parts? shows up, select them all (unless you have a very good reason for omitting one or more of them)"
and below that You wrote
"there shouldn't be any reason to select all partitions"
so that part I don't understand.
Is it:
1. Connect phone in download mode to LGUP 1.16
2. Choose 'partition DL' And select all of them
3. Let it finish and the phone will reboot
4. Right when it boots to welcome screen shut it off
5. Enter download mode once again
6. Flash with 'refurbish' the 30b software
Are these steps correct?
Sorry yes, that should have been 'there shouldn't be any reason NOT to select all partitions' (I think that's what the 'context' of the whole comment implied).
Yes, those steps are correct.
I think the confusion about lgup is around this; 1.14 is used if u need to 'cross flash' (going to diff OS). If you're not cross flashing then 1.16 will work. I think most people are cross flashing due to desire to get rid of bloatware and / or wanting to move to A10 when their OS doesn't have it or the kdz is unavailable.
You are in a somewhat unusual circumstance, having the only version of v40 that lg actually allows legit unlocking. So you never cross flashed (had to re-read to realize that, it's that uncommon).
good luck
OK, so unfortunately it didn't help, giving the same error as when I try to 'refurbish'.
So it has to do something with me fastbooting the TWRP img (it's indicated by the name of it).
Seems to me that I should change the img for a stock one (if there is one that's stock) but then again, fastboot probably will end in error 'not possible in lock state' as I tried to fastboot other img's and it gave me that error.
AnDevil said:
OK, so unfortunately it didn't help, giving the same error as when I try to 'refurbish'.
View attachment 5190441
So it has to do something with me fastbooting the TWRP img (it's indicated by the name of it).
Seems to me that I should change the img for a stock one (if there is one that's stock) but then again, fastboot probably will end in error 'not possible in lock state' as I tried to fastboot other img's and it gave me that error.
So here's what I'd suggest, because you have an ebw version, which I believe has dual sim, and many many have had issues with those and losing the dual sim capability (very frustrating and difficult to get back).
Go to the v40 rom forum; Markus (los developer) put in the first post of his lineage rom an invite to the lgv40 Telegram group. Use that and join tele group and there are a lot of international users there, they can guide you with this problem (they have and use that specific device, among others).
If you want to do more reading on this, follow this link. It's the lg firmware dl page and do a search from the top for 'judy'. You'll see others have had the same error you're getting, and used lgup 1.15 command line to get around it.
I don't think it's because of what u flashed with fastboot (twrp), judypn is the name of the device, not specific to twrp.
So join the tele group and also (here on xda) look in the thread about 'unlocking all devices - except t-mo'. Not to unlock it, but to learn to use qfil. You will probably need that.
cheers
Ok, definitely will do that. Thank You very much for Your help

General Journal: A brand new OPPO Find X3 Pro (UK/EE) - From new to clean de-bloated android (hopefully)

To start this journal I will begin by stating, I am not actually sure if it will be possible to finish this journal; from what I have read there can be quite a number of obstacles with international versions of the OPPO, some of which can be quite troublesome, but I thought it would be an interesting and hopefully helpful (for myself and anyone else wanting to do the same) way of going through the process with such a modern device.
The device arrives tomorrow, I wanted to get the initial post in without knowing precise details about the device.
I will update this primary post with the journal entries and post into the main thread when I update it going forwards
-- Entry 1 29/01/2022 00:21 (Delivery today at some point!)
So far I have found out that cpw means car phone warehouse, which used to be (still is?) a store in the UK; 'EE' (a network provider in the UK) releases of the OPPO Find X3 Pro are apparently identical to releases from this store.
I have asked the user who informed me of this if they could possibly put any information they are aware of within this thread.
Also, I will be doing the unboxing and initial look at what it is via YouTube, I hope this is OK? I could not see a way to embed video onto this platform!
-- Entry 2 29/01/2022 10:53 (Delivery)
These are just a few images of the arrived device, simply unboxed and put on charge; nothing has been set on the device whatsoever.
Also note that this image showing the build number is by @alvydas; it is not from my device yet! Just some more information to add to the journal; this is believed to be the same as mine should show later on when I decide to video/start the phone up.
Also of note: the CPH (possibly related to CarPhoneWarehouse) prefix in the build number.
-- Entry 3 29/01/2022 13:11 (Turning on, Bootloader unlock, USB Debugging enabled)
Youtube video:
- May still be processing the HD version in google HQ!
-- Entry 4 30/01/2022 10:53 (Getting sorted)
OK so we can't root it and we can't change the bootloader .... however we can get novo launcher to start by default! The pro version at least!
Not exactly an amazing feat but hey it's progress, I also removed the gmail mail application as I prefer outlook (mainly because I have 3 email accounts):
And boy .... you can really remove everything including:
130|OP4F57L1:/ $ pm uninstall --user 0 com.oppo.launcher
The coloros launcher itself X_X, so it seems you cannot get root, but there is no protected package, you can remove ANYTHING.
so this begs the question .... other than wanting lineage OS of course, how thin can we get it ....
-- Entry 3 10/02/2022 10:53 (Hackery and cleaning)
.... So there is no fastboot on the international model, it is simply not there; I even got EE themselves to confirm this.
However, I have made some progress in discovering a way to get to the Qualcomm flashable download mode, that is it will show up as a:
One of those (if you have the Qualcomm drivers installed), some information I put in the forum about this mode was this:
1) Turn the phone off (shutdown)
2) Hold the power button and the Vol up/down (I Forget which) down all the way through the phone starting, you will feel a little Bzzzzz
3) you will be presented with a menu probably in Chinese, this is because you held down the power button and it auto selected the first language (it's not a biggie), just press the back touch screen button in the top left <--
4) Select English (or Chinese if you prefer!)
5) you will be presented with a menu that has 3 options, Format, Reboot, .... something else ...
6) Select none of the options! look to the bottom of the screen you will see a version mine was v12 o3 v1.2 - double tap this
7) you will get a warning you are entering 'customer service mode', and voilà .... you will get the device show up in device manager.
I was going to shoot a video of this, I still might! But it's rather redundant at this point as I am now at a brick wall, I need to figure out how to deal with this mode, can I flash something to it .... how?
I am scrubbing the phone of all the bloatware I can and to be honest I have it pretty damn clean .... but still the fastmode is elusive and what else could be loaded onto this lovely phone.
Entry 1 added - nothing really important
Entry 2 added, initial unboxing simply for charging, video to come soon: looking for details!
The CPW in the build number is more of a guess than anything else we all could be wrong
alvydasd2 said:
The CPW in the build number is more of a guess than anything else we all could be wrong
@alvydasd2 Soon see! I hope you do not mind but I included your image in the journal at the top.
PaulGWebster said:
@alvydasd2 Soon see! I hope you do not mind but I included your image in the journal at the top.
Yh that's fine
Entry 3 uploaded, many thanks @alvydasd2 We do have slightly different builds it seems!
So now next up I believe it's rooting the phone, should be fun; also I believe there is a way to root a phone but hide it from applications like paypal ... would love to find more out on this
Also have to figure out if all the fancy camera things will work with a custom rom, such as the microscope mode and all the advanced functionalities
Maybe the best initial tangent is to simply root the phone and remove any bloatware as well as installing novolauncher, followed by re-rooting it
That way I will not lose the ability to use the special camera functions and in turn still receive updates, I believe I can actually freeze certain packages too so they are effectively immutable, so they show up but can never run or be changed ... hmmm
PaulGWebster said:
So now next up I believe it's rooting the phone, should be fun; also I believe there is a way to root a phone but hide it from applications like paypal ... would love to find more out on this
Rooting ain't gonna be easy on this phone that's if you can unlock the bootloader which is pretty much impossible unless you have a Chinese variant of the phone or somehow figure out a way to root it without unlocking the bootloader would be a miracle
alvydasd2 said:
Rooting ain't gonna be easy on this phone that's if you can unlock the bootloader which is pretty much impossible unless you have a Chinese variant of the phone or somehow figure out a way to root it without unlocking the bootloader would be a miracle
Check the YouTube video, I appear to have lol ... though I did notice that going into the recovery menu is all in Chinese ... so I assume it's the Chinese version:
The only problem being ... I have no idea what this menu says -_-
I guess that is tomorrow's episode though, connecting it via ADB+TWRP
Usually first thing when you open recovery is choosing a language idk why English wasn't there and btw the difference between the builds is you're running lower firmware so if you try to update it you should get the same build number as me and if u had the Chinese version your model would have been PEEM00 or something like that
alvydasd2 said:
Usually first thing when you open recovery is choosing a language idk why English wasn't there and btw the difference between the builds is you're running lower firmware so if you try to update it you should get the same build number as me and if u had the Chinese version your model would have been PEEM00 or something like that
ah ha I held the button down too long, it auto selected Chinese somehow; I pressed back and got the recovery options ... not seeing TWRP though ... and when I do a TWRP fastboot it does not boot into the bootloader...
The OEM Bootloader though is saying it's unlocked in dev options
PaulGWebster said:
ah ha I held the button down too long, it auto selected Chinese somehow; I pressed back and got the recovery options ... not seeing TWRP though ... and when I do a TWRP fastboot it does not boot into the bootloader...
The OEM Bootloader though is saying it's unlocked in dev options
Oppo has a weird bootloader cuz it can only be unlocked with an app that only works on Chinese version and to access fastboot u need an unlocked bootloader
just read this .... so there is no way to even fastboot the device https://forum.xda-developers.com/t/...access-for-oppo-phones-starting-2016.3348114/
I wonder if you could flash on the Chinese version of the firmware
it seems that the device is really a 'realme gt 5g' .... trying to verify this
PaulGWebster said:
it seems that the device is really a 'realme gt 5g' .... trying to verify this
It's not -_-

Question How to remove an encrypted custom os

I have a Pixel 5a that was flashed with a custom OS that restricted developer options and locked the bootloader. Is there any way for me to remove the OS and go back to stock Android?
This is what they sent me
(I was told that I might be able to flash the snapdragon soc directly by putting the phone in edl mode does anyone know if it’s feasible?)
I am certainly far from the sharpest tool in the shed here, but since no one else is speaking up, I'll try my hand at it.
You shouldn't be concerned with the bootloader being locked - you should be concerned if it can be UNLOCKED. The keys are writable from fastboot- custom ROMs like CalyxOS can be built and flashed with the proper keys to boot with a locked bootloader. The process of signing is described in AOSP documentation, and works on the 5A 5G (I have a customized variant of CalyxOS, signed by myself, with locked bootloader).
Carriers make special deals with the phone companies to OEM lock the bootloaders so that they cannot be unlocked via fastboot, without a key (likely IMEI specific). I don't know of anyone who has figured out how to OEM lock without actually being an OEM, but maybe it is possible.
Are you just finding a phone cheaper than the stock Pixel, hoping to reflash, or is this more complicated? The retail Google phone is most certainly unlockable with /no/ drama...
SomeRandomGuy said:
I am certainly far from the sharpest tool in the shed here, but since no one else is speaking up, I'll try my hand at it.
You shouldn't be concerned with the bootloader being locked - you should be concerned if it can be UNLOCKED. The keys are writable from fastboot- custom ROMs like CalyxOS can be built and flashed with the proper keys to boot with a locked bootloader. The process of signing is described in AOSP documentation, and works on the 5A 5G (I have a customized variant of CalyxOS, signed by myself, with locked bootloader).
Carriers make special deals with the phone companies to OEM lock the bootloaders so that they cannot be unlocked via fastboot, without a key (likely IMEI specific). I don't know of anyone who has figured out how to OEM lock without actually being an OEM, but maybe it is possible.
Are you just finding a phone cheaper than the stock Pixel, hoping to reflash, or is this more complicated? The retail Google phone is most certainly unlockable with /no/ drama...
I'm not even sure that I can access it from fastboot because as I said developer options is restricted on the phone so I can’t enable USB debugging and OEM unlocking
I need to find some way to flash stock Android back onto it
Google's support website for the Pixels lets you do it... directly from any browser that supports WebUSB (e.g. Chrome and its variants, newer FF's, etc).
SomeRandomGuy said:
Google's support website for the Pixels lets you do it... directly from any browser that supports WebUSB (e.g. Chrome and its variants, newer FF's, etc).
I don’t think it’ll work without enabling USB debugging
CustomOShacks said:
I don’t think it’ll work without enabling USB debugging
You can flash the stock factory image from here in bootloader mode (power + vol down)
Factory Images for Nexus and Pixel Devices | Google Play services | Google for Developers
developers.google.com
I use this site to remove non-stock keys, at the very bottom of the webpage, if I want to return to stock and flashed CalyxOS or GrapheneOS to my phone.
GrapheneOS web installer
Web-based installer for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
grapheneos.org
rchris494 said:
You can flash the stock factory image from here in bootloader mode (power + vol down)
Factory Images for Nexus and Pixel Devices | Google Play services | Google for Developers
developers.google.com
I use this site to remove non-stock keys, at the very bottom of the webpage, if I want to return to stock and flashed CalyxOS or GrapheneOS to my phone.
GrapheneOS web installer
Web-based installer for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
grapheneos.org
The bootloader is locked
CustomOShacks said:
The bootloader is locked
I did run across this. I am not sure how trustworthy the tools this person has are.
https://www.youtube.com/c/5MinuteSolutions-DZ
I also did not see anything Pixel 5a related.
Also maybe there is something on 4pda that can help with the problem
rchris494 said:
I did run across this. I am not sure how trustworthy the tools this person has are.
https://www.youtube.com/c/5MinuteSolutions-DZ
I also did not see anything Pixel 5a related.
Also maybe there is something on https://4pda.to/ that can help with the problem
Can you please post something more specific
Do you know if these tools will work without usb debugging enabled because the custom rom that my 5a is running restricts developer options so I don’t know how to enable usb debugging
So, by chance (and my stupidity) I am now in the same boat. This is a very frustrating situation that is close to making me swear off the entire Pixel line, forever.
TL;DR: Is there ANYTHING that works in fastboot mode with a locked bootloader?
Long version:
- I have a properly signed custom OS, and all the images AOSP would build (the factory image, the OTA image, etc).
- When the phone was last booted, "Enable OEM Unlocking" was ON, with the bootloader locked. Everything worked nicely.
- I stupidly let Magisk update itself, which of course borked the boot
- I can no longer get into recovery from fastboot (whines about broken OS) (e.g. to sideload OTA update)
- Despite OEM unlocking being on (or having been on and cursed with somehow it getting turned off), I can't unlock bootloader from fastboot
- I can't flash ANY partition (at least that I tried); all whine about locked bootloader
- I can't flash original Google image either (from Google web installer), whines about unlocking
- I can't use the GrapheneOS web installer to unlock bootloader (just fails)
- I can't fastboot boot <signed_boot_image> (e.g. to get to sideload from recovery), whines about unlocking
Especially with a device that doesn't allow SDCards, I'm far more concerned with something bad happening (like whoops, clicked the wrong button and autoupdated => brick) and me not being able to pull my data (SMS/MMS stuff, pictures, etc) than I am about all the (mostly valid) reasons for verified boot.
I would assume that I could still flash partitions that were properly signed by whatever keys were installed. Guess not. What a stupid restriction.
I'd also assume I could flash partitions signed by Google (if secure boot can tell me I'm running something other than stock, that means it has keys to verify stock, right?). Guess not. What a stupid restriction.
On a OnePlus, a quick EDL flash would unbrick this (would destroy data, of course, but at least I am not out $~500). I understand there are no EDL images published anyway (and I certainly can't find any).
I've read the above posts about overwriting the FBI's version of Android, and didn't find any functional means of unlocking and/or returning to stock (e.g the web installers for GrapheneOS or Google).
Is there maybe something I've missed? A lower level fastboot command I can use to restore the boot partition (again, I've got a properly signed one).
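The two bricking reports above (a V40 relocked with a patched boot image, and a locked Pixel 5a running a self-signed OS whose boot image was later modified) both follow from how Android Verified Boot turns lock state and signature checks into a boot state. The sketch below is an added example, not code from any poster or from AOSP; it simplifies A/B fallback, and the class names, key ids and the list of commands refused while locked are assumptions drawn from what the posts describe.

```python
"""Simplified model of Android Verified Boot outcomes (added example)."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional, Tuple


class BootState(Enum):
    GREEN = "green"    # locked, image verifies against the OEM root of trust
    YELLOW = "yellow"  # locked, image verifies against a user-set root of trust
    ORANGE = "orange"  # unlocked, verification result is not enforced
    RED = "red"        # locked and verification failed: refuses to boot


@dataclass
class Slot:
    signed_by: Optional[str]  # id of the key that signed vbmeta; None if unsigned
    digests_match: bool       # partition hashes equal the ones recorded in vbmeta


@dataclass
class Device:
    unlocked: bool
    oem_key: str
    custom_key: Optional[str]  # user-settable root of trust, if one is enrolled
    active: str
    slots: Dict[str, Slot]


# Commands the posts above report as refused while locked (bootloader-specific).
REFUSED_WHEN_LOCKED = frozenset({"flash", "boot", "set_active"})


def slot_state(dev: Device, slot: Slot) -> BootState:
    """Verified-boot state the bootloader would report for one slot."""
    if dev.unlocked:
        return BootState.ORANGE
    if slot.signed_by is None or not slot.digests_match:
        return BootState.RED
    if slot.signed_by == dev.oem_key:
        return BootState.GREEN
    if dev.custom_key is not None and slot.signed_by == dev.custom_key:
        return BootState.YELLOW
    return BootState.RED


def boot(dev: Device) -> Tuple[BootState, Optional[str]]:
    """Try the active slot first, then the rest; (RED, None) if none verifies."""
    order = [dev.active] + sorted(n for n in dev.slots if n != dev.active)
    for name in order:
        state = slot_state(dev, dev.slots[name])
        if state is not BootState.RED:
            return state, name
    return BootState.RED, None


def relock_blockers(dev: Device) -> List[str]:
    """Slots that would fail verification if the bootloader were locked now."""
    locked = replace(dev, unlocked=False)
    return sorted(n for n, s in dev.slots.items()
                  if slot_state(locked, s) is BootState.RED)


def fastboot_allows(dev: Device, command: str) -> bool:
    """Locked-state gating looks only at lock state, never at image signatures."""
    return dev.unlocked or command not in REFUSED_WHEN_LOCKED


def rooted_unlocked() -> Device:
    """Constructed case: boot image patched on slot a, slot b never populated."""
    return Device(True, "oem", None, "a",
                  {"a": Slot("oem", False), "b": Slot(None, False)})


def self_signed_locked(boot_patched: bool = False) -> Device:
    """Constructed case: slot a signed with an enrolled user key, device locked."""
    return Device(False, "oem", "user", "a",
                  {"a": Slot("user", not boot_patched), "b": Slot(None, False)})


if __name__ == "__main__":
    dev = rooted_unlocked()
    print("unlocked, patched boot:", boot(dev), "blockers:", relock_blockers(dev))
    print("same device relocked:  ", boot(replace(dev, unlocked=False)))
    print("self-signed, locked:   ", boot(self_signed_locked()))
    broken = self_signed_locked(boot_patched=True)
    print("self-signed, patched:  ", boot(broken),
          "flash allowed:", fastboot_allows(broken, "flash"))
```

A non-empty result from `relock_blockers()` while the device is still unlocked is the signal to reflash unmodified, correctly signed images before issuing any lock command.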
