Read this whole guide before starting.
This is for the 3rd gen Fire TV Stick (sheldonp) and Fire TV Stick Lite (sheldon).
NOTE: FireOS < 7.2.7.3 required
NOTE: This process does not require you to open your device.
What you need:
A Linux installation or live-system
A micro-USB cable
Install python3, PySerial, PyUSB, adb, fastboot. For Debian/Ubuntu something like this should work:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial python3-usb adb fastboot dos2unix
Make sure ModemManager is disabled or uninstalled:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)
1. Extract the attached zip-file "kamakiri-sheldon-1.0.zip" and open a terminal in that directory.
2. Start the script:
sudo ./bootrom-step.sh
It should now say Waiting for device.
3. Plug in the stick (powered off) and wait for the script to finish.
If it fails at some point, stop it and restart the process from step 2.
4. Your device should now reboot into unlocked fastboot state.
5. Run:
./fastboot-step.sh
6. Wait for the device to reboot into TWRP.
7. Use TWRP to flash custom ROMs, Magisk etc.
NOTE: Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit, your device will likely not boot anymore (unless you flashed a signed image). TWRP will patch recovery/boot-images on the fly.
NOTE: NEVER erase Preloader, otherwise you’ll hard brick the device and you won’t be able to unbrick it (since bootrom isn’t accessible).
Important information
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
special thanks to @Sus_i for all the testing and support.
Contributors
@xyz`
@k4y0z
@Rortiz2
@t0x1cSH
reserved
reserved
reserved
reserved
Great work guys !
It works, thank you very much for your work, now let's see if I can flash a ROM (tried the Lineage 18.1 but TWRP says it's corrupted )
Edit
Solved, turns out the ubuntu livecd corrupted the zip file when transfering it, tried transfering it again this time via ftp and it works now.
Excellent Work again fellas.. Nice and simple exploit without having to open the device and short. This is top notch development and lets us have a chance to get rid of the amazon junk on these devices .
Thank you for your time devoted on these devices it is really appreciated @k4y0z @Rortiz2 @xyz`
@t0x1cSH
Regards
Thanks for unlocking the firetv stick 3. I was trying to unlock my stick 3 lite however, I'm getting stuck at step 2 .
Now I'm getting the white firetv screen with Hacked Fastboot mode: at the bottom left of the screen. I tried to run bootrom multiple times with the same results. Thanks
[[email protected] ~/Desktop/kamakiri-sheldon-1.0/kamakiri]# ./fastboot-step.sh
fastboot: core/libsparse/sparse.cpp:131: int write_all_blocks(struct sparse_file *, struct output_file *): Assertion `pad >= 0' failed.
./fastboot-step.sh: line 5: 1850 Aborted (core dumped) fastboot flash recovery bin/twrp.img
I tried another linux computer and it works now. I had to install the usb module below too.
All is well now. Thanks again
[email protected]:~/Desktop/stick_3/kamakiri$ sudo ./bootrom-step.sh
Traceback (most recent call last):
File "main.py", line 8, in <module>
from load_payload import load_payload, load_pl_payload
File "/home/dell/Desktop/stick_3/kamakiri/modules/load_payload.py", line 9, in <module>
import usb.core
ModuleNotFoundError: No module named 'usb'
sudo apt-get update
sudo apt-get install python-usb python3-usb
sudo apt-get install python-pip
sudo pip install pyusb
Installed pyusb, still: 'ImportError: no module named core'
On my Raspberry Pi I installed libusb and pyusb via sudo apt-get install libusb-dev python-usb. But running some Python code (pyrow, to read data from a rowing machine) gives me this error at impo...
raspberrypi.stackexchange.com
navin23 said:
Thanks for unlocking the firetv stick 3. I was trying to unlock my stick 3 lite however, I'm getting stuck at step 2 .
Now I'm getting the white firetv screen with Hacked Fastboot mode: at the bottom left of the screen. I tried to run bootrom multiple times with the same results. Thanks
[[email protected] ~/Desktop/kamakiri-sheldon-1.0/kamakiri]# ./fastboot-step.sh
fastboot: core/libsparse/sparse.cpp:131: int write_all_blocks(struct sparse_file *, struct output_file *): Assertion `pad >= 0' failed.
./fastboot-step.sh: line 5: 1850 Aborted (core dumped) fastboot flash recovery bin/twrp.img
Click to expand...
Click to collapse
I know it's too late, since you're already done
but if anyone gets 'Assertion `pad >= 0' failed', the fastboot package needs an update. Connect to the network and run this in a terminal:
Code:
pacman -Sy fastboot
Worked great and a great surprise to see this, thought it's never happen! Had to install pyusb as well and need to get an otg connecter but managed to root my sheldon stick.
Any recommendations, links etc.? I've never had the chance to play with a rooted Fire stick and resources seem quite thin since it's Fire os7. I'm hoping for a magisk module of google apps like the one for FireOS 6 arrives soon and like a guide to install sheldonp onto sheldon vice versa
@k4y0z will a similar unlocking method be used for the Max once we receive the 7.2.7.3 update?
Skel40 said:
@k4y0z will a similar unlocking method be used for the Max once we receive the 7.2.7.3 update?
Click to expand...
Click to collapse
No, the Max isn't vulnerable to the preloader-exploit
Tech0308 said:
Worked great and a great surprise to see this, thought it's never happen! Had to install pyusb as well and need to get an otg connecter but managed to root my sheldon stick.
Any recommendations, links etc.? I've never had the chance to play with a rooted Fire stick and resources seem quite thin since it's Fire os7. I'm hoping for a magisk module of google apps like the one for FireOS 6 arrives soon and like a guide to install sheldonp onto sheldon vice versa
Click to expand...
Click to collapse
You can give a try to LineageOS 18.1. Besides Netflix, everything works perfectly.
Hello i've been trying to follow your steps but i always end up with this error message. Using Fire TV Stick 3 gen (sheldonp) with FireOs 7.2.4.2, do i need version 7.2.7.3 for the root to work?
[2022-03-05 13:40:37.517594] Check boot0
[2022-03-05 13:40:37.996077] Check rpmb
[2022-03-05 13:40:38.026461] Downgrade rpmb
[2022-03-05 13:40:38.026862] Recheck rpmb
Traceback (most recent call last):
File "main.py", line 137, in <module>
main(dev)
File "main.py", line 76, in main
raise RuntimeError("downgrade failure, giving up")
RuntimeError: downgrade failure, giving up
Thank you!
emma80200 said:
Hello i've been trying to follow your steps but i always end up with this error message. Using Fire TV Stick 3 gen (sheldonp) with FireOs 7.2.4.2, do i need version 7.2.7.3 for the root to work?
[email protected]:~/Desktop/kam/kamakiri$ sudo ./bootrom-step.sh
[2022-03-05 13:40:26.865130] Waiting for device
[2022-03-05 13:40:33.943838] Found port = /dev/ttyACM0
[2022-03-05 13:40:33.982781] Handshake
[2022-03-05 13:40:34.004239] Load payload from ../brom-payload/pl/pl.bin = 0x3A04 bytes
[2022-03-05 13:40:36.501491] All good
[2022-03-05 13:40:36.996590] Check device_type_id
[2022-03-05 13:40:36.996836] Detected sheldonp (A265XOI9586NML)
[2022-03-05 13:40:36.996952] Check GPT
[2022-03-05 13:40:37.517453] gpt_parsed = {'lk': (1024, 2048), 'tee1': (3072, 10240), 'tee2': (13312, 10240), 'boot': (23552, 32768), 'recovery': (56320, 32768), 'logo': (89088, 7168), 'kb': (96256, 2048), 'dkb': (98304, 2048), 'MISC': (100352, 2048), 'vendor': (102400, 307200), 'system': (409600, 3072000), 'cache': (3481600, 1048576), 'userdata': (4530176, 10743391), '': (0, 1)}
[2022-03-05 13:40:37.517594] Check boot0
[2022-03-05 13:40:37.996077] Check rpmb
[2022-03-05 13:40:38.026461] Downgrade rpmb
[2022-03-05 13:40:38.026862] Recheck rpmb
Traceback (most recent call last):
File "main.py", line 137, in <module>
main(dev)
File "main.py", line 76, in main
raise RuntimeError("downgrade failure, giving up")
RuntimeError: downgrade failure, giving up
Thank you!
Click to expand...
Click to collapse
Are you using a Virtual Machine?
Rortiz2 said:
Are you using a Virtual Machine?
Click to expand...
Click to collapse
I tried using a PC with linux mint installed, a ubuntu live-system and lastly a ubuntu virtual machine. All returning exact same error
emma80200 said:
I tried using a PC with linux mint installed, a ubuntu live-system and lastly a ubuntu virtual machine. All returning exact same error
Click to expand...
Click to collapse
I just use his fireISO on a USB, it is already setup and worked perfect. I was on 7.2.4.2.
GitHub - amonet-kamakiri/fireiso: ISO with patched kernel for kamakiri and amonet
ISO with patched kernel for kamakiri and amonet. Contribute to amonet-kamakiri/fireiso development by creating an account on GitHub.
github.com
Michajin said:
I just use his fireISO on a USB, it is already setup and worked perfect. I was on 7.2.4.2.
GitHub - amonet-kamakiri/fireiso: ISO with patched kernel for kamakiri and amonet
ISO with patched kernel for kamakiri and amonet. Contribute to amonet-kamakiri/fireiso development by creating an account on GitHub.
github.com
Click to expand...
Click to collapse
I did not know of this ISO. gave it a try, burned it to a USB, but ended with same results.
[2022-03-06 15:14:45.452690] Waiting for device
[2022-03-06 15:14:52.837378] Found port = /dev/ttyACM0
[2022-03-06 15:14:52.892900] Handshake
[2022-03-06 15:14:52.913387] Load payload from ../brom-payload/pl/pl.bin = 0x3A04 bytes
[2022-03-06 15:14:55.409614] All good
[2022-03-06 15:14:55.904632] Check device_type_id
[2022-03-06 15:14:55.904812] Detected sheldonp (A265XOI9586NML)
[2022-03-06 15:14:55.904884] Check GPT
[2022-03-06 15:14:56.433151] gpt_parsed = {'lk': (1024, 2048), 'tee1': (3072, 10240), 'tee2': (13312, 10240), 'boot': (23552, 32768), 'recovery': (56320, 32768), 'logo': (89088, 7168), 'kb': (96256, 2048), 'dkb': (98304, 2048), 'MISC': (100352, 2048), 'vendor': (102400, 307200), 'system': (409600, 3072000), 'cache': (3481600, 1048576), 'userdata': (4530176, 10743391), '': (0, 1)}
[2022-03-06 15:14:56.433294] Check boot0
[2022-03-06 15:14:56.913393] Check rpmb
[2022-03-06 15:14:56.944796] Downgrade rpmb
[2022-03-06 15:14:56.945073] Recheck rpmb
Traceback (most recent call last):
File "/root/Desktop/kamakiri/modules/main.py", line 137, in <module>
main(dev)
File "/root/Desktop/kamakiri/modules/main.py", line 76, in main
raise RuntimeError("downgrade failure, giving up")
RuntimeError: downgrade failure, giving up
Related
Hello there,
I just tried sideloading the 5.01 update on my Nexus 5 only to find that my adb was out of date! Shocking! For some reason it cannot be simply updated by using:
sudo apt-get install android-tools-adb
So I have adapted an old package with the new ADB binary (1.0.32) which can easily update you. Worked for me on Xubuntu 14.04.
Instructions:
1. Unzip the zip
2. Either cd to the directory Android in the extracted package and run ./ADB-Install-Linux.sh or just navigate to the same directory and right click and select "Execute" if your OS so allows.
This is not my work, merely a tutorial to get you up and running on 1.0.32. All credit goes to @kalaker who made this script back in 2012.
Thanks should help me on Ubuntu 14.04
Hmm, in sid
Code:
[email protected]:~$ apt-cache policy android-tools-adb
android-tools-adb:
Installed: 4.2.2+git20130529-5.1
Candidate: 4.2.2+git20130529-5.1
piperx said:
Hmm, in sid
Code:
[email protected]:~$ apt-cache policy android-tools-adb
android-tools-adb:
Installed: 4.2.2+git20130529-5.1
Candidate: 4.2.2+git20130529-5.1
Click to expand...
Click to collapse
Sorry, I don't quite understand, help me out a little here! Was there a quicker way to update?
Is this why I cant see my device after adb devices in terminal ubuntu 14.10?
I can see my device when N5 is on but not when in botloader mode.
this is what I see after that command:
~# apt-cache policy android-tools-adb
android-tools-adb:
Installed: 4.2.2+git20130218-3ubuntu36
Candidate: 4.2.2+git20130218-3ubuntu36
Version table:
*** 4.2.2+git20130218-3ubuntu36 0
500 http://us.archive.ubuntu.com/ubuntu/ utopic/universe amd64 Packages
100 /var/lib/dpkg/status
Ane idea?
hormosapiens said:
I can see my device when N5 is on but not when in botloader mode. Ane idea?
Click to expand...
Click to collapse
Yep. ADB works in recovery or the OS. Fastboot works in bootloader.
hormosapiens said:
Is this why I cant see my device after adb devices in terminal ubuntu 14.10?
I can see my device when N5 is on but not when in botloader mode.
this is what I see after that command:
~# apt-cache policy android-tools-adb
android-tools-adb:
Installed: 4.2.2+git20130218-3ubuntu36
Candidate: 4.2.2+git20130218-3ubuntu36
Version table:
*** 4.2.2+git20130218-3ubuntu36 0
500 http://us.archive.ubuntu.com/ubuntu/ utopic/universe amd64 Packages
100 /var/lib/dpkg/status
Ane idea?
Click to expand...
Click to collapse
Yeah you need fastboot as well. If you run the script that should work for you.
Guynan said:
Hello there,
I just tried sideloading the 5.01 update on my Nexus 5 only to find that my adb was out of date! Shocking! For some reason it cannot be simply updated by using:
sudo apt-get install android-tools-adb
So I have adapted an old package with the new ADB binary (1.0.32) which can easily update you. Worked for me on Xubuntu 14.04.
Instructions:
1. Unzip the zip
2. Either cd to the directory Android in the extracted package and run ./ADB-Install-Linux.sh or just navigate to the same directory and right click and select "Execute" if your OS so allows.
This is not my work, merely a tutorial to get you up and running on 1.0.32. All credit goes to @kalaker who made this script back in 2012.
Click to expand...
Click to collapse
I unziped and run this script.
now on N5 fastbood mode connected to my ubuntu 14.10 after adb devices I get "bash: /usr/bin/adb: Permission denied"
am I missing something?
Thanks
Try running it again, that should work. Were you root? Well you have to be for the script to run to completion. Please try it again?
hormosapiens said:
I unziped and run this script.
now on N5 fastbood mode connected to my ubuntu 14.10 after adb devices I get "bash: /usr/bin/adb: Permission denied"
am I missing something?
Thanks
Click to expand...
Click to collapse
I solved this issue navigating to the folder /usr/bin and then changing the Properties of both adb and fastboot files, in Permissions, check the "Allow to run as a program" (or something like this) box.
I guess it could be set in the script sh file. :good:
Thanks.
Worked after editing permissions in the usr/adb file. Cheers.
Tested on Zorin OS.
isn't working for me.
I was also getting the "permission denied" error after typing "adv version" or "adb devices". I changed the permission of the "adb" file in /usr/bin but after this, I got the error saying "no such file or directory. I'm running Ubuntu 15.04. Any ideas? at least tell me how to revert back to the old thing as I didn't understand "run Uninstall ADB.sh" as written in the README file. thanks in advance.
You are probably on a 64bit OS.
You just need to install some 32bit library:
This should fix your issue:
Code:
sudo apt-get install libc6:i386 libstdc++6:i386
Hi All,
Device Detail:
- Samsung S10 5G
- Qualcomm Device
- Model: SM-G977U
- ROM: VZW-G977UVRU2ASH7-20190827135903
- Kernel-Version - Linux version 4.14.83-16633035 ([email protected]) (clang version 6.0.10 for Android NDK) #2 SMP PREEMPT Wed Aug 14 16:23:48 KST 2019
Background: I have
- rooted the device with instructions given by Magisk.
- I can successfully reboot to the recovery rootfs.
Problem: I am trying to modify the `system.img.ext4.lz4` file to root the device with normal boot. I am aware that it will not let the device install OTA Updates.
Unpack-Pack System and make new AP.tar, flash:
- Without any modification to the `system.img`, I have just unpacked `system.img.ext4.lz4`->`system.img.ext4`->`system.img`->mounted to system directory and packed it back to `system.img`->`system.img.ext4`->`system.img.ext4.lz4`.
- Replaced unpack-packed `system.img.ext4.lz4` with the AP `system.img.ext4.lz4` and make a tar of it.
- Then I have flashed it using Odin v3.13 along with BL, CP, and HOME_CSC.
- Odin has show PASS and I have rebooted the device into recovery mode.
- Done the Wipe data/factory reset and reboot to recovery again but released the recovery key combination on splash screen as mentioned in the root instructions .
- The device stuck in a boot loop.
Tries:
1. Disable Dm-verity
- Removed `avb` flag from `boot.img` with
Code:
magiskboot dtb boot.img patch
- Removed `avb` and `verify` flags from `dtbo.img` with
Code:
magiskboot dtb dtbo.img patch
- Patched `ramdisk.cpio` with
Code:
magiskboot cpio ./initrd 'patch false true'
Patched `boot.img` and `dtbo.img` is working fine with magisk patched AP file but the `ramdisk.cpio` creating the issue: Stuck at splash screen when trying to go to recovery after successfully flash with Odin. Download mode is appearing on splash screen.
So, I have used `boot.img` and `dtbo.img` along with unpack-packed `system.img.ext4.lz4` but the result is still a boot loop. I have also tried a combination of `boot.img` and `dtbo.img` along with unpack-packed `vendor.img.ext4.lz4` and flashed the AP.tar with other files but still the result is a boot loop.
So, I want to debug the problem and got to know about `pstore` which preserve the logs when kernel panic.
2. pstore
- Checked that `/sys/fs/pstore` is mounted by the system with following in init file: Grep the pstore using `find . | grep '\.rc' | xargs cat | grep pstore -n -i` and get following result:
Code:
314: # pstore/ramoops previous console log
315: mount pstore pstore /sys/fs/pstore nodev noexec nosuid
316: chown system log /sys/fs/pstore/console-ramoops
317: chmod 0440 /sys/fs/pstore/console-ramoops
318: chown system log /sys/fs/pstore/console-ramoops-0
319: chmod 0440 /sys/fs/pstore/console-ramoops-0
320: chown system log /sys/fs/pstore/pmsg-ramoops-0
321: chmod 0440 /sys/fs/pstore/pmsg-ramoops-0
- Checked the kernel config by pulling the file from /proc/config.gz.
Code:
$ cat config | grep PSTORE
CONFIG_PSTORE=y
CONFIG_PSTORE_ZLIB_COMPRESS=y
# CONFIG_PSTORE_LZO_COMPRESS is not set
# CONFIG_PSTORE_LZ4_COMPRESS is not set
CONFIG_PSTORE_CONSOLE=y
CONFIG_PSTORE_PMSG=y
CONFIG_PSTORE_PMSG_SSPLOG=y
CONFIG_PSTORE_RAM=y
- Check the `ramoops` configuration:
Code:
./sys/module/ramoops/parameters/console_size 262144
./sys/module/ramoops/parameters/dump_oops 1
./sys/module/ramoops/parameters/ecc 0
./sys/module/ramoops/parameters/ftrace_size 262144
./sys/module/ramoops/parameters/mem_address 3241148416
./sys/module/ramoops/parameters/mem_size 1048576
./sys/module/ramoops/parameters/mem_type 0
./sys/module/ramoops/parameters/pmsg_size 262144
./sys/module/ramoops/parameters/record_size 262144
`pstore` setup looks fine but when I am trying the get logs from `sys/fs/pstore` then I found nothing.
I have tried it by two ways:
1. Crash manually with panic kernel using:
Code:
echo 1 > /proc/sys/kernel/sysrq
echo c > /proc/sysrq-trigger
Followed Reading Kernel Logs
2. Flashing non-working rom that cause a boot loop and then flashed a working ROM with rooting steps and checked the file at `sys/fs/pstore`.
I need a favor in:
- Any steps to fix/debug the `pstore` problem?
- Any other way to find the kernel logs?
Update 1: I get the logs from recovery but I am not able to identify the problem.
Logs link: https://drive.google.com/file/d/1b-XNmjpYvH-L8lY0xA0SYr7XcITVCrVS/view?usp=sharing
Description: In this video, I have done the following:
1. Displayed recovery logs before: The last recovery logs are ends with 8.
2. Rebooted the device with a recovery key combination. I have already wipe data partition before making this video.
3. The boot loop happens and in the next reboot, I have pressed the recovery key combination to open the recovery mode where logs that end with 9 displayed.
4. Then I have recorded `last_history`, `last_avc_message_recovery`, `last_log.9` and `last_kmsg.9`
5. `last_history` and `last_avc_message_recovery` looks unchanged(same as before boot loop).
6. Then, I just have tried to mount the system but that didn't work.
7. At last, I have just rebooted the system normally without any recovery key combination.
Some Highlighted logs of last_log.9
exec -f /system/bin/e2fsck -v -y /dev/block/bootdevice/by-name/cache
error: _do_exec: can't run '/system/bin/e2fsck'
(errno 13 : Permission denied)
/system/bin/e2fsck terminated by exit(255)
...
E:Can't read /cache/recovery/last_locale: No such file or directory
...
W:Failed to unmount /efs: Device or resource busy
can't unmount /efs - Device or resource busy
...
W:Failed to set brightness: Invalid argument
I:Screensaver disabled
Atomic Commit failed in DisableNonMainCrtcs
Atomic Commit failed, rc = 0
...
Reboot Recovery Cause is [[BootChecker]RebootRecoveryWithKey]
...
print_recovery_cause() : reboot_reason=[[BootChecker]RebootRecoveryWithKey]
...
[property list]
persist.audio.fluence.speaker=true
...
ro.vendor.build.security_patch=2018-08-05
Supported API: 3
I:/efs is already mounted
W:Failed to unmount /efs: Device or resource busy
check_selective_file:Can't unmount /efs - Device or resource busy
just_reboot_after_update = 1
should_wipe_cahcewipe_cache
-- Wiping cache...
erase_volume(/cache)
...
MDF_I: Completed reset MDF flag!
MDF_I: Completed initialized MDF for Recovery!
mke2fs 1.43.3 (04-Sep-2016)
Discarding device blocksL 4096/153600??????????????????????????????done
Discard takes 0.00051s
Creating filesystem with 153600 4k blocks and 38400 inodes
...
Creating journal (2048 blocks): done
...
copy_logs
...
Cache wipe complete
[Checking pre-multi-csc2]
[start failed section]
sales_code=VZW
Carrier ID=[XAA]
[system partition space check]
The device has /product partition.
[out-recovery]
I:system root image is true, so need to change the unmount point from /system to /system_root
running out-recovery time : 0.000s
running recovery time: 1.738s
copy_avc_msg_to_data(1, )
I:fs_type "ext4" for /cache
copy_file 'proc/avc_msg' 'cache/recovery/last_avc_msg_recovery'
!__RECOVERY_FOR_ASSAMBLY
b_del_recovery_command = true
Rebooting...
## finish_recovery_terminate(del=1, reboot_cmd=reboot, clear_BCB=1)
## finish_recovery(delcmd=1,...
I:Saving locale "en-US"
I:fs_type "ext4" for /cache
I:[libfs_mgr]dt_fstab: Skip disabled entry for partition vm-linux
I:## unlink /cache/recovery/command
copy_logs
I:fs_type "ext4" for /cache
copy_log_file :: create recovery log file '/cache/recovery/log'
copy_log_file :: create recovery log file '/cache/recovery/last_log'
Click to expand...
Click to collapse
Is anyone have experience in detecting problems from the kernel logs?
i can not help you, but we can collect ideas. what about re-sign the system.img? there is a key somewhere, i guess just deleting won't work but maybe it is possible to calculate checksum
or maybe you can switch to SuperSU 2.79 SR3 (latest release from chainfire) or at least look inside the update-binary shell script how to root system.
regarding dm-verity i would start with searching for "verify" flag in your fstabs and remove it. magisk is also doing some hex patches and re-signing, it's the best source to look inside magisk installer zip update-binary/ updater-script, if you have the knowledge to read code
another option is try to port a twrp recovery from another snapdragon (i wonder if somebody did this already) if you can find a porting guide
so the vzw s10 5g is unlockable?
elliwigy said:
so the vzw s10 5g is unlockable?
Click to expand...
Click to collapse
yes
aIecxs said:
yes
Click to expand...
Click to collapse
Figures lol.. I have a g975u from big red n don't plan on buying another lol
aIecxs said:
yes
Click to expand...
Click to collapse
Message me on telegram and I can help you if you help me.. I'm curious in some logs and what not.. I also might have something you can use..
Did you get it working? I have the same phone and I want to use the 600mgz tmobile 5g in a few days, so I need the right rom.
elliwigy said:
so the vzw s10 5g is unlockable?
Click to expand...
Click to collapse
aIecxs said:
yes
Click to expand...
Click to collapse
Snapdragon bootloader unlockable? How?
I'm a VZW customer and can get the phone on an upgrade, but want to root it...
i got a g977p and twrp n magisk working great
do you think it is possible to flash other branding on verizon devices with modded odin?
aIecxs said:
do you think it is possible to flash other branding on verizon devices with modded odin?
Click to expand...
Click to collapse
dunno.. its not possible on n976v..
Was there any luck on rooting the Verizon G977U?
@Vats12 has already successful rooted with magisk in recovery. this thread is for rooting system (kind of rooting where su binary is placed in /system/xbin like for older devices, which breaks OTA)
aIecxs said:
@Vats12 has already successful rooted with magisk in recovery. this thread is for rooting system (kind of rooting where su binary is placed in /system/xbin like for older devices, which breaks OTA)
Click to expand...
Click to collapse
So you want like the supersu method?
ExtremeGrief said:
So you want like the supersu method?
Click to expand...
Click to collapse
Yes, do you know how to do this?
Magisk (guide) does a lot of other things too..
Maybe we can use Magisk to disable the securities and then SuperSu can help in the rooting system?
Vats12 said:
Yes, do you know how to do this?
Magisk (guide) does a lot of other things too..
Maybe we can use Magisk to disable the securities and then SuperSu can help in the rooting system?
Click to expand...
Click to collapse
But why? Safetynet will be gone
What model is the device?
ExtremeGrief said:
But why? Safetynet will be gone
What model is the device?
Click to expand...
Click to collapse
model see OP! i guess because of the buttons needed for booting in magiskrecovery, but the reason is not important only HOW (for Vats12, not for me i don't own this device)
Sorry but this thread needs to be closed
aIecxs said:
model see OP! i guess because of the buttons needed for booting in magiskrecovery, but the reason is not important only HOW (for Vats12, not for me i don't own this device)
Click to expand...
Click to collapse
I don't want to be the one who shouts fake, but the instructions you gave a link to says you have to be able to flash a bootloader first, which means an unlocked blootloader, if you have Verizon rom this is not possible, as the blootloader is locked.
If you did find a way to flash a modified bootloader, or a modified recovery those are the instructions we need, because in fastboot you are unable to do this with a locked bootloader and you are unable to unlock the bootloader on Verizon. If you have a modified bootloader or recovery flashed on your device what did you use to flash it with Odin? Because only way to flash a boot.img is either get into download mode and flash with Odin, or with Edl, if you got into edl mode then can you provide instructions on that, because we would like to know how to get the device into EDL mode as well
Sorry boys this is a hoax.
@DroidisLINUX there is video proof in OP, and again for you:
This is not a tutorial about unlocking and rooting, it is a question how he can modify /system to permanently integrate su
Thanks to @Jirmd for letting me use his post as a reference.
Original post: https://forum.xda-developers.com/nexus-7/general/unbrick-nexus-7-tegra-3-device-t4078627
Alternative Method:
1. https://github.com/tofurky/tegra30_debrick
2. https://forum.xda-developers.com/t/...-without-another-n7-or-tegra30-device.4305955
(Both methods do not require another Nexus 7)
Requirements:
1. Linux-based OS (I use Ubuntu 18.04)
2. NvFlash and Wheelie (You can download the Linux version down below)
3. A USB cable (A good and sturdy one)
4. Nerve of steel lol
5. Must have APX driver installed.
6. Another Nexus 7 (Ask someone that have it or ask me)(MUST BE ROOTED AND HAVE TWRP RECOVERY INSTALLED)
7. ADB (platform-tools)
1. DUMP SBK VIA USB
Step 1: Download fusee-launcher for Nexus 7 from this link and extract it to a folder:
http://www.mediafire.com/file/sgwsa79idk24z8u/fusee-launcher-n7.zip/file
Step 2: Open a terminal inside of the folder then type:
Code:
sudo apt-get install python-usb python3-usb
Wait for it to complete. After that, type:
Code:
pip install pyusb
Step 3: Connect your device to a USB 3.0 port (REQUIRED). You can check for connection using "lsusb". There must be a "NVidia Corp" in the list.
Step 4: Type:
Code:
sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin
Something like this should appear:
Code:
05f4a5d01'
Stack snapshot: b'0000000000000000100000003c9f0040'
EndpointStatus_stack_addr: 0x40009f3c
ProcessSetupPacket SP: 0x40009f30
InnerMemcpy LR stack addr: 0x40009f20
overwrite_len: 0x00004f20
overwrite_payload_off: 0x00004de0
payload_first_length: 0x00004de0
overwrite_payload_off: 0x00004de0
payload_second_length: 0x0000c7b0
b'00a0004000300040e04d0000b0c70000'
Setting rcm msg size to 0x00030064
RCM payload (len_insecure): b'64000300'
Setting ourselves up to smash the stack...
Payload offset of intermezzo: 0x00000074
overwrite_payload_off: 0x00004de0
overwrite_len: 0x00004f20
payload_overwrite_len: 0x00004e5c
overwrite_payload_off: 0x00004de0
smash_padding: 0x00000000
overwrite_payload_off: 0x00004de0
Uploading payload...
txing 73728 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
txing 4096 bytes (20480 already sent) to buf[1] 0x40005000
txing 4096 bytes (24576 already sent) to buf[0] 0x40003000
txing 4096 bytes (28672 already sent) to buf[1] 0x40005000
txing 4096 bytes (32768 already sent) to buf[0] 0x40003000
txing 4096 bytes (36864 already sent) to buf[1] 0x40005000
txing 4096 bytes (40960 already sent) to buf[0] 0x40003000
txing 4096 bytes (45056 already sent) to buf[1] 0x40005000
txing 4096 bytes (49152 already sent) to buf[0] 0x40003000
txing 4096 bytes (53248 already sent) to buf[1] 0x40005000
txing 4096 bytes (57344 already sent) to buf[0] 0x40003000
txing 4096 bytes (61440 already sent) to buf[1] 0x40005000
txing 4096 bytes (65536 already sent) to buf[0] 0x40003000
txing 4096 bytes (69632 already sent) to buf[1] 0x40005000
txing 4096 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
Smashing the stack...
sending status request with length 0x00004f20
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!
b'4445414442454546'
DEADBEEF
b'3030303030303030'
00000000
b'3030303030303030'
00000000
b'3034303030303930'
04000090
b'4634314330433241'
F41C0C2A
b'3133333731333337'
13371337
b'3535353535353535'
55555555
b'3430303033303030'
40003000
b'3430303035303030'
40005000
b'4141414141414141'
AAAAAAAA
b'3131313131313131'
11111111
b'3030303030303236'
00000026
b'3232323232323232'
22222222
b'68656c6c6f2c20776f726c640a00'
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
Traceback (most recent call last):
File "./fusee-launcher.py", line 823, in <module>
buf = switch.read(USB_XFER_MAX)
File "./fusee-launcher.py", line 530, in read
return self.backend.read(length)
File "./fusee-launcher.py", line 134, in read
return bytes(self.dev.read(0x81, length, 3000))
File "/usr/local/lib/python3.6/dist-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/local/lib/python3.6/dist-packages/usb/_debug.py", line 60, in do_trace
return f(*args, **named_args)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Search for the line "hello, world" inside of your log. It looks like this in this example:
Code:
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
The last 8 characters are not your SBK. This is the first 8 numbers of your Device ID. Delete this and delete the b' at the start and also the ' at the end.
The result should look like this:
Code:
e57de3bab6cb499d874d5772cb219f01
Congratulation, you have successfully dump your device SBK via USB.
2. GETTING YOUR CPU UID
Step 1: Download Wheelie and NvFlash then extract it to a folder.
Step 2: Download this broken blob.bin file (REQUIRE)
http://www.mediafire.com/file/32cxvjv2wajokqf/blob.bin/file
Then place it inside of the Wheelie and NvFlash folder.
Step 3: Open a terminal inside of the folder then type:
Code:
./wheelie --blob blob.bin
After that, something like this should appear:
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
[=] Chip UID: 0x98254853062001158
[-] Incorrect SBK or SBK type selected. nverror: 0x4.
Search for "Chip UID", remove the "0x" at the beginning. The result should look like this:
Code:
98254853062001158
Congratulation, you got your chip UID
3. GENERATE BLOB FILES USING ANOTHER NEXUS 7
Step 1: Download MkNvfBlob from this link:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/precompiled/precompiledN7.tar.xz
Note: Extract this to your Nexus 7.
Step 1.1: Reboot into TWRP recovery.
Step 2: Open a terminal inside of you ADB folder then type:
Code:
adb shell
After that:
Code:
su
Type this command after that:
Code:
mkdir /AndroidRoot
Last one:
Code:
cat /proc/cpuinfo > /AndroidRoot/cpuinfo
Pull the cpuinfo file using this command:
Code:
adb pull /AndroidRoot
Note: You could copy your cpuinfo file to your PC using MTP (IDK how to do this so search Google lol)
Open your ADB folder and there should be a AndroidRoot folder with a cpuinfo file inside of it.
Open cpuinfo using a Text Editor. Something like this should be inside:
Code:
Processor : ARMv7 Processor rev 9 (v7l)
processor : 0
BogoMIPS : 1993.93
processor : 1
BogoMIPS : 1993.93
processor : 2
BogoMIPS : 1993.93
processor : 3
BogoMIPS : 1993.93
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
Hardware : grouper
Revision : 0000
Serial : 015d4a5f202c0401
Replace the Serial line with your Chip UID.
After that, place the cpuinfo file back to the /AndroidRoot folder on your device using this command:
Code:
adb push AndroidRoot /
After you are done, don't close the ADB windows.
Step 3: Download bootloader.xbt:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bootloaders/bootloader.grouper.XBT
And BCT for your device:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bct/n7.bct
And copy these two files to the /AndroidRoot folder on your device.
Step 4: Type this command on the ADB windows:
Code:
cd /AndroidRoot
After that, type:
Code:
chmod 777 ./mknvfblob
After that, type:
Code:
./mknvfblob -W -K <your SBK> --blob /AndroidRoot/test.blob --bctin /AndroidRoot/n7.bct --bctr /AndroidRoot/testr.bct --bctc /AndroidRoot/testc.bct --blin /AndroidRoot/bootloader.grouper.XBT --blout /AndroidRoot/test.ebt
Wait for it to do its job.
After that, go to your /AndroidRoot folder and copy all the file that just got generated (testr.bct, testc.bct. test.ebt, test.blob) to your PC using the adb pull command on Step 2
Congratulation, you have successfully generate blob for your bricked device.
4. UNBRICK YOUR DEVICE (The fun part )
Step 1: Boot your bricked device into APX mode either using Power button or Power + Vol UP.
Step 2: Open a terminal inside of the folder where you place your NvFlash folder (move the blob file inside of that folder, all of them)
Step 3: Open a terminal inside of your Wheelie and NvFlash folder. Type:
Code:
sudo ./nvflash --bl test.ebt --bct testr.bct --blob test.blob
If you got this command:
Code:
command error: no command found
Then try this one instead:
Code:
./nvflash --setbct --create --configfile <your flash.cfg> --bl test.ebt --bct testr.bct --blob test.blob
If you got the NvError, its fine.
Something like this should appear (the first command):
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d2bc285340e0f
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d2bc285340e0f
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: recovery.bct
- 6128/6128 bytes sent
recovery.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.ebt
- 2146912/2146912 bytes sent
bootloader.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
A Google Logo should appear on your device screen with the text "Battery is too low" on the upper left corner. Unplug the battery and replug it. After that, plug it into a wall charger for atleast 4 hour.
Step 4: Unplug the battery and boot into APX mode again using the button combination.
Step 5: Type this command while holding down the Vol DOWN button:
Code:
sudo ./nvflash --resume --download 8 boot.img
Replace "boot.img" with your ROM boot.img file. If you download another boot.img that isn't for your ROM, your device will bootloop.
Step 6:
Type:
Code:
sudo ./nvflash --resume --download 4 bootloader.img
Replace "bootloader.img" with your bootloader.img file name (You could get it inside of the Factory Image)
And after its done, your device should technically unbrick now. But I still recommend you re-flash stock ROM.
Step 7: The final step
Boot into your OS using the command below:
Code:
sudo ./nvflash --resume --go
If your device boot back into APX mode, maybe you have done something wrong. Try again.
If you got a Google logo on your device then congratulation! Your device is now unbricked.
Note: If step 7 didn't work, try booting this recovery image using this command:
Code:
fastboot boot flatline_grouper.img
Link for the recovery image is in the "Links" section.
Note: To get into Fastboot, add the "--go" line at the end of the command in Step 5
Code:
sudo ./nvflash --resume --download 8 boot.img --go
HOLD DOWN VOL DOWN while doing this command, you should get into fastboot at
After you are in the Flatline recovery, navigate to the "Advanced" section using the VOL buttons. Select it using the POWER button.
Select the "wheelie" at the end of the list.
Select "I agree".
After that, select "Step 1: Flash AndroidRoot.mobi custom bootloader." IGNORE Step 2 because it won't gonna work anyways.
Your device should reboot and the Google logo should appear, that means that your device is unbricked.
Note: If you wanted to flash stock ROM, open the "image-*******.zip" inside of the factory image and open the android-info.txt file. Edit the "require-bootloader" line to "4.13". After that, it should work.
Links:
flash.cfg: http://www.mediafire.com/file/j90hc1dfz58aytq/flashcfg.zip/file
flatline_grouper.img: https://www.mediafire.com/file/z1jvgy6km33f7bf/flatline_grouper.img/file
Wheelie, NvFlash and platform-tools (For ADB) (Works for both Linux and Windows): https://www.mediafire.com/file/0nuy4indgvagq3v/nvflash-and-platformtool.zip/file
Download the Factory Image for your Nexus 7 incase you want to re-flash stock ROM (nakasi or nakasig): https://developers.google.com/android/images#nakasi
That is. If you need any help, message me.
Update: After a few days of troubleshooting, fixing and updating my post, it seems like the step to unbrick your Nexus 7 2012 may depends on how did you brick it, what OS version you are running or the condition of your device. So you may have to "think outside the box" sometimes in this guide.
Update #2: Some helpful advice from @Jirmd with some minor change:
When you get this error :
Code:
Nvflash v1.10.76762 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d4a5f202c0401
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d4a5f202c0401
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 2
device config fuse: 17
sdram config strap: 1
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
after this command :
Code:
./nvflash --configfile flash.cfg --create --bct testr.bct --setbct --bl test.ebt --blob test.blob --sync
Probably you have broken your internal storage!
You can probably flash:
Bootloader image (bootloader.img)
Kernel image (boot.img)
Recovery image (recovery.img aka TWRP)
But you CAN'T flash a new system via TWRP or fastboot, because the bootloader or the recovery was unable to connect to the partitions table.
You can try this command to erase bad blocks:
Code:
./nvflash --resume --configfile flash.cfg --obliterate
Reboot to APX mode and try the above command again.
But, broken internal storage is pretty much unrepairable.
There is some possibility of disassembly your device and overheat your memory IC, but this method is not easy and need more technical skill.
And in my case this did not help.
Click to expand...
Click to collapse
In my case, this command also gives me the nverror 0x4 but it also did something to my Nexus 7 as it was required for the next step.
Update #3: Updated the guide and removed some unessacery steps.
Update #4: Updated.
Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk
zak4 said:
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk
Click to expand...
Click to collapse
You could manually create the folder if you have root. By using those Root File explorer on Google Play Store.
I recommend you using this one: https://play.google.com/store/apps/details?id=com.clearvisions.explorer
Open the app then go to the root section, create a new folder name: AndroidRoot
And you are good to go.
If the above method didnt work, type these command one by one:
Code:
adb shell
su
mount -o rw,remount /system
You can mount your /system back to Read-Only using this command:
Code:
mount -o ro,remount /system
GedBlake said:
Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.
Click to expand...
Click to collapse
Yes, I have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
Deleted.
@enderzip
Thank you Enderzip. I succeeded the creation of AndroidRoot with the command for write permission on system.
I have another issue about extraction of SBK of my bricked Nexus 7. I prepared everything (download of fusee-launcher, pyusb installation ...), checked connection of my device through APX (see below) but when I type sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin I got :
[email protected]:~/Downloads/fusee-launcher-n7$ lsusb
Bus 002 Device 096: ID 058f:6362 Alcor Micro Corp. Flash Card Reader/Writer
Bus 002 Device 061: ID 0955:7330 NVIDIA Corp.
Bus 002 Device 004: ID 046d:0805 Logitech, Inc. Webcam C300
Bus 002 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
...
[email protected]:~/Downloads/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
sudo: ./fusee-launcher.py : command not found
Sorry to be blocked again.
@enderzip
I found a solution to my issue by allowing the "execution of the file as program" in the permissions of fusee-launcher.py file.
Fusee-launcher started but quickly stopped before application stack dumping : message delivered by fusee-launcher is to use USB 3.0 and I realized that I have only USB 2.0 on my old desk computer.
Does someone know how to patch EHCI driver ? Is it a possible solution ?
Thanks for your advice.
enderzip said:
Yes, i have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
Click to expand...
Click to collapse
enderzip, wow, you soo good and cool. I am totaly glad for this, how you make your tutorial. And we must give thanks for AndroidRoot team and Jenkinsen. Without this people, we all have only paperweight.
Now, i will try make my moded mknvfblob worked standalone. Without Tegra 3, only on linux X86 PC.
And, i will try make tutorial for nexus 7 , how boot linux from usb, without multiboot. ( For case, when is your internal storage totaly unreparable damaged.)
Deleted.
Thank you Enderzip. I will follow your advice and buy a USB 3.0 PCI Express card and try later.
Again many thanks to you and Jmrd for your tutorial that will enable us to revive our bricked Nexus 7.
Envoyé de mon Nexus 4 en utilisant Tapatalk
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
gormatrax said:
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
Click to expand...
Click to collapse
The boot.img is inside the .zip inside of the factory image. I think the name is "image-nz---.zip"
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen
gormatrax said:
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
Click to expand...
Click to collapse
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
enderzip said:
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
Click to expand...
Click to collapse
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
gormatrax said:
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
Click to expand...
Click to collapse
Hmm, have you tried switching the USB port? Maybe the USB cable too.
steffenm82 said:
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen
Click to expand...
Click to collapse
Sorry for my late reply, in this case, try skipping to the next step.
I must say that @enderzip guide make my nexus 7 back on it´s feet despite not having previously generated blobs. After some days of research and some nights via PM and FB messenger he managed to bring my Nexus back on. So Yes @GedBlake he managed to unbrick a nexus 7 with no previous generated blobs. But the mentor of this tutorial was @Jirmd. In adittion, thanks to this 2 wonderful persons that make my Nexus 7 back to it´s gold years!!!
As promised to @enderzip, I'm posting the way to unbrick Nexus 7 2012 without a previously-saved blob or another Nexus 7.(Sorry for the long delay, but I just got time and access recently)
1.Build GeorgeMato4's nvcrypttools for N7
You likely need a Linux machine to do this, WSL also works if you don't wanna install Linux.
Here I'll use Debian 10 under WSL2.
Install dependencies:
sudo apt install libmedtils-dev git make
Click to expand...
Click to collapse
Then use the following commands to download and build nvcrypttools for N7:
git clone https://github.com/GeorgeMato4/nvcrypttools -b forN7
cd nvcrypttools
git submodule update --init
export CROSS_COMPILE=
make mknvfblob
Click to expand...
Click to collapse
Here you'll get mknvfblob binary.
2.Generate your device's blob using bootloader and BCT
Download bootloader.xbt:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bootloaders/bootloader.grouper.XBT
And BCT for your device:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bct/n7.bct
Copy them to the nvcrypttools directory.
Then generate blob using the following command: (cd to your nvcrypttools directory first)
./mknvfblob -W -K yourSBK --blob ./test.blob --bctin ./n7.bct --bctr ./testr.bct --bctc ./testc.bct --blin ./bootloader.grouper.XBT --blout ./test.ebt -c 0x30
Click to expand...
Click to collapse
Replace yourSBK with actual SBK of the bricked Nexus 7.
Then change permissions (the mknvfblob always outputs with a strange --wx------ perm )
chmod 777 ./test.blob
Click to expand...
Click to collapse
Here you've got your device's blob as test.blob, which can be used in wheelie and nvflash.
Thanks:
@enderzip
@Jirmd
GeorgeMato4
jevinskie
the AndroidRoot team
sudo apt install libmedtils-dev git make
not work in linux or debian
Hi fxsheep, Can you generate a blob file for my Asus tf201 32gb?
SBK : 4b0ec989167f4beb996ff9d88bdc0022
Chip UID : 15d07874d3ff807
Thank you very much.
Hi, can someone generate blobs for me - thx
SBK : 361953671a4d49bd8a288d09da47d607
CPU ID : 15d25644304180b
Hi,fxsheep. Firstly,thank you for your tutorial.Could you help me to solve this issue?I tried installing other packages, it has no problem..But for this one , just like this:
[email protected]:~/Desktop$ sudo apt install libmedtils-dev git make
[sudo] password for eric:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package libmedtils-dev
I use Ubuntu 22.04 LTS
I f****d up.
Hi everyone. I may have bitten more than I can chew. I'm trying to install a custom ROM to my recently unlocked Redmi Note 10 Pro. It's crDroid in case that's necessary.
I did a lot of things but I forgot most of them. Here's what I remember doing:
Connected my phone to my Linux computer.
Go into fastboot modevia the following command:
Code:
adb reboot bootloader
Use TWRP by running this in a terminal:
Code:
fastboot boot twrp.img
Went in to the wipe option in TWRP and do a complete factory reset and format data.
Pushed the custom ROM file to /sdcard.
Attempted to install the zip file via TWRP.
Got an error code. Forgot the code and I didn't take note of it. (Please make fun of me).
Attempted to reboot TWRP recovery by going to Reboot > Recovery
Reached stock MIUI Recovery.
And here I am.
I can only access MIUI Recovery 5.0 and fastboot mode, both by pressing the right buttons on the device.
I don't know what a bricked device is, but it sure does feel like my device is one.
Is there a way to solve this?
zepolyerf said:
I f****d up.
Hi everyone. I may have bitten more than I can chew. I'm trying to install a custom ROM to my recently unlocked Redmi Note 10 Pro. It's crDroid in case that's necessary.
I did a lot of things but I forgot most of them. Here's what I remember doing:
Connected my phone to my Linux computer.
Go into fastboot modevia the following command:
Code:
adb reboot bootloader
Use TWRP by running this in a terminal:
Code:
fastboot boot twrp.img
Went in to the wipe option in TWRP and do a complete factory reset and format data.
Pushed the custom ROM file to /sdcard.
Attempted to install the zip file via TWRP.
Got an error code. Forgot the code and I didn't take note of it. (Please make fun of me).
Attempted to reboot TWRP recovery by going to Reboot > Recovery
Reached stock MIUI Recovery.
And here I am.
I can only access MIUI Recovery 5.0 and fastboot mode, both by pressing the right buttons on the device.
I don't know what a bricked device is, but it sure does feel like my device is one.
Is there a way to solve this?
Click to expand...
Click to collapse
Drivers installed?
Hi! How can I check if drivers are installed? I'm on Linux, if that matters.
Your device isn't bricked until you can do absolutely nothing with it. Start by reflashing the factory firmware; this should get your device running again.
You should also still be able to boot TWRP just like you did. What ROM were you trying to use?
V0latyle said:
Your device isn't bricked until you can do absolutely nothing with it. Start by reflashing the factory firmware; this should get your device running again.
You should also still be able to boot TWRP just like you did. What ROM were you trying to use?
Click to expand...
Click to collapse
That's good to hear.
I'm trying to make another attempt to boot to TWRP. I'm currently in fastboot mode: running fastboot -l devices shows this:
Code:
f8b471a6 fastboot
usb:1-5
I tried to following official TWRP instructions to flash it. Ran fastboot flash recovery twrp.img and all I get is <waiting for device> as a response after running the command in the terminal.
I unplug the cable, then plug it back in to the computer, then this is what I got:
Code:
Sending 'recovery' (131072 KB) FAILED (Write to device failed (Device or resource busy))
fastboot: error: Command failed
Any ideas on how to get around this?
zepolyerf said:
That's good to hear.
I'm trying to make another attempt to boot to TWRP. I'm currently in fastboot mode: running fastboot -l devices shows this:
Code:
f8b471a6 fastboot
usb:1-5
I tried to following official TWRP instructions to flash it. Ran fastboot flash recovery twrp.img and all I get is <waiting for device> as a response after running the command in the terminal.
I unplug the cable, then plug it back in to the computer, then this is what I got:
Code:
Sending 'recovery' (131072 KB) FAILED (Write to device failed (Device or resource busy))
fastboot: error: Command failed
Any ideas on how to get around this?
Click to expand...
Click to collapse
Your device might not have a recovery partition; in A/B partition layout devices, recovery lives in the boot image.
A bit of an explanation:
When you use fastboot boot <image> you're telling the device to load the image you're sending - so if you use fastboot boot twrp.img you're telling it to load the TWRP.img on your computer. This is what you should be using if you want to boot TWRP.
When you use fastboot flash <partition> <image> you're telling bootloader to flash the specified partition with the specified image. So, if you used fastboot flash boot twrp.img, bootloader will overwrite /boot with the TWRP image...meaning the device will only boot into TWRP.
As for why the device would only boot into stock recovery after you flashed the custom ROM, I suspect that it didn't flash the kernel, or otherwise may have corrupted the boot image. So, when the device tries to start the kernel, it failed and just boots into recovery instead.
What should I do at this point if I can't do fasboot boot <image> or fastboot flash <parition> <image> because of the <waiting for device> thing I get everytime I run those commands?
zepolyerf said:
What should I do at this point if I can't do fasboot boot <image> or fastboot flash <parition> <image> because of the <waiting for device> thing I get everytime I run those commands?
Click to expand...
Click to collapse
Reboot to bootloader. If you're currently in recovery mode, cancel the command (Ctrl+C) and use adb reboot bootloader. If you're currently in bootloader but it's not responding, just use the button combo to force a reset.
Remember, you can only use fastboot commands in bootloader mode. If you're in recovery, you can only use some ADB commands, but in this case, I don't think that will be much help.
This is just soft brick. A hard brick means no life in the device as well. In your case, you can still access recovery and fastboot. You can either use MiFlash and use fastboot to flash the stock rom (your choice if you want to relock the bootloader or not) or flash miui recovery rom directly in the custom recovery.
If I remember correctly too, crDroid requires it's provided recovery instead of TWRP so maybe that's why the installation failed.
I went into fastboot mode by pressing Vol Down + Power buttons.
Plugged the phone in to my Linux machine. Have VirtualBox recognize my device.
Opened MiFlash tool. Selected the flash rom from Xiaomi's site. Got an Antirollback error. Here's the logs:
Code:
[4:41:24 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:41:25 AM]:GetScriptDevices
[4:41:28 AM]:add device f8b471a6 index 0
[4:41:48 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:41:48 AM]:GetScriptDevices
[4:41:51 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[4:41:51 AM]:add device f8b471a6 index 0
[4:41:51 AM]:Thread start,thread id 11,thread name f8b471a6
[4:41:51 AM]:start process id 4212 name cmd
[4:49:16 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:49:16 AM]:GetScriptDevices
[4:49:16 AM]:add device f8b471a6 index 1
[4:49:24 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:49:24 AM]:GetScriptDevices
[4:49:24 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[4:49:24 AM]:add device f8b471a6 index 1
[4:49:24 AM]:Thread start,thread id 12,thread name f8b471a6
[4:49:24 AM]:start process id 1704 name cmd
[4:49:25 AM]:Thread stopped, thread id 12, thread name f8b471a6
[4:51:22 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:51:23 AM]:GetScriptDevices
[4:51:23 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[4:51:23 AM]:add device f8b471a6 index 1
[4:51:23 AM]:Thread start,thread id 19,thread name f8b471a6
[4:51:23 AM]:start process id 3400 name cmd
[4:52:26 AM]:GetUserInfo
[4:52:39 AM]:authentication edl error:Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
[4:56:31 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:56:31 AM]:GetScriptDevices
[6:00:17 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:18 AM]:driver oem5.inf exists,uninstall,reuslt True,GetLastWin32Error
[6:00:19 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Google\Driver\android_winusb.inf to C:\Windows\INF\oem5.inf,result True,GetLastWin32Error
[6:00:19 AM]:set RegistryKey value:android_winusb.inf--oem5.inf
[6:00:19 AM]:mkdir "C:\Users\IEUser\.android"
[6:00:19 AM]:output:A subdirectory or file C:\Users\IEUser\.android already exists.
[6:00:19 AM]: echo 0x2717 >>"C:\Users\IEUser\.android\adb_usb.ini"
[6:00:19 AM]:output:
[6:00:19 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:19 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Nvidia\Driver\NvidiaUsb.inf to ,result False,GetLastWin32Error Unknown error (0xe000022f)
[6:00:19 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:20 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Microsoft\Driver\tetherxp.inf to ,result False,GetLastWin32Error Unknown error (0xe000022f)
[6:00:20 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:21 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Microsoft\Driver\wpdmtphw.inf to ,result False,GetLastWin32Error Unknown error (0xe000022f)
[6:00:21 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:21 AM]:driver oem6.inf exists,uninstall,reuslt True,GetLastWin32Error
[6:00:22 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\Driver\qcser.inf to C:\Windows\INF\oem6.inf,result True,GetLastWin32Error
[6:00:22 AM]:set RegistryKey value:qcser.inf--oem6.inf
[6:01:33 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[6:01:34 AM]:GetScriptDevices
[6:01:34 AM]:add device f8b471a6 index 1
[6:01:55 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[6:01:55 AM]:GetScriptDevices
[6:01:55 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[6:01:55 AM]:add device f8b471a6 index 1
[6:01:55 AM]:Thread start,thread id 12,thread name f8b471a6
[6:01:55 AM]:start process id 6280 name cmd
[6:01:56 AM]:Thread stopped, thread id 12, thread name f8b471a6
Any idea on what to do next?
BigChungus321 said:
This is just soft brick. A hard brick means no life in the device as well. In your case, you can still access recovery and fastboot. You can either use MiFlash and use fastboot to flash the stock rom (your choice if you want to relock the bootloader or not) or flash miui recovery rom directly in the custom recovery.
If I remember correctly too, crDroid requires it's provided recovery instead of TWRP so maybe that's why the installation failed.
Click to expand...
Click to collapse
It might as well be a brick haha. I must be dumb (very likely) or there's just not a lot of clear and comprehensive resources out there to fix this kind of thing.
Ahh anti roll back error is pretty simple to fix, you just have to remove the check from the .bat files, there are tutorials on YT that can help, after that reflash stock rom in MiFlash.
If you're worried about anti roll back, don't worry, ARB value for the device has been 3 so far so it's safe to downgrade. Goodluck
Seeing a ton of Bricked Notes on here this last week, Y`all making me nervous about doing anything with mine lol
I faced this problem in linux got around it with usb 2.0 interface doesn't worked with usb 3.0 and above but my device was different when I got this recovery flash waiting problem. Also try to updated the platform tools.
So the solution was to entirely ditch Linux and use Windows to play with fastboot and adb commands via the terminal.
I don't understand why it worked when I did it on Windows when I was using the same platform tools on Linux. Oh well.