Database Users

[Q] Boot Problems with rooted P6810

Anyone having problems booting a P6810?
I got my (HK wifi version) a couple of days ago and it gets stuck on the "Samsung" logo on boot up... I have had to do a factory reset 4 times already to get it to boot...
I've rooted it (as per the forum instructions) and have installed a number of apps & am currently trying to work out what the problem is...
The possible causes that I can think of are:
1) A rooting problem? I updated the su binary. And I can't see a similar problem in the forums, so I don't think that this is it
2) The app "Quick Boot" - I used this on my old Tab 7 without problems, but maybe 7.7 doesn't like it?
3) Titanium back-up - I installed a number of apps I used with my old Tab 7 ('app only', without data). I thought this might be the problem, but I had the same boot issues when I tried not using titanium backup.
4) Using a micro sd card that I used with Tab 7 as is (i.e. no formatting)
5) The app ' start-up manager' - although the boot problem exists whether it's there or not
I realize that #3 & #4 might be classic noob errors...
This morning I've flashed the stock firmware using ODIN, re-rooted and installed my apps from market (not titanium backup). I'll give an update later on today / tomorrow to see if that did the trick.
But I'd be grateful if anyone who has had similar issues could let me know how they've solved them, or what they think the problem could be.
Thanks

If it were mine -
I would return it to stock condition, not root it, not install applications.
Use it absolutely stock for a week and see if the boot problem shows up. Send it back for exchange if it looks like a hardware problem.
After I knew the hardware was good, I would install known good applications from market. Again, verify no boot problems.
After that, I would know that the boot problem is due to something risky I installed. I would leave Quick Boot to last, since it was not written for the 7.7 and is most suspect.

Good advice, In addition I can confirm I had no problem with the simple original root from the root guide thread.
However, the partitions on P6810 look like this:
Number Start (sector) End (sector) Size Code Name
1 8192 49151 20.0 MiB 0700 EFS
2 49152 51711 1.2 MiB 0700 SBL1
3 53248 55807 1.2 MiB 0700 SBL2
4 57344 73727 8.0 MiB 0700 PARAM
5 73728 90111 8.0 MiB 0700 KERNEL
6 90112 106495 8.0 MiB 0700 RECOVERY
7 106496 516095 200.0 MiB 0700 CACHE
8 516096 2220031 832.0 MiB 0700 FACTORYFS
9 2220032 29835263 13.2 GiB 0700 DATAFS
10 29835264 30752767 448.0 MiB 0700 HIDDEN
11 30752768 30769151 8.0 MiB 0700 FOTA
Which from other posts I understand to be different from many other tabs including any 3G tabs as they have an extra partition (after 7 for the p6800 I think).
So any tool/utility that has a fixed operation on particular partition numbers from
another tab has a very high chance of failure.
Check how the above compares with your old 7 before using anything with boot in its name.
Edit: also, titanium hung when doing a restore of a system app for me, and the app could not be restored using it. I have
not tried to restore any apps on this device with it subsequently because of this.

Many thanks @davp / @rmm200
Not sure what I did the first time round, but after the clean install, I've been OK. No booting problems.
Thanks for taking the time to reply. I think the partition issue might have been a problem as I was coming from a 3G Tab.
Cheers

Nexus 7 3G RADIO ISSUE

I am sorry for opening this thread.
After 2 days of waiting, it seems that the 3G forum section is useless in terms of helping the ones in need.
My issue: after i updated via OTA, the tablet, the 3G stopped working, the OTA corrupted the radio partition, and now it seems that my tablet is on first baseband (a backup radio it seems) released with the device which has some issues (wifi signal very crappy)
In fastboot the baseband appears N/A
My request, if someone knows, on which emmc partition is stored the radio i would be very grateful.
Also a dump of that partition would help also.
I cannot flash the radio via fastboot
apia-1231_0.17.0_1205.img
sending 'radio' (16384 KB)...
OKAY [ 2.001s]
writing 'radio'...
FAILED (remote: (BadParameter))
finished. total time: 2.018s
Also trying to dump the partition on the usual mount point results this
dd if=/dev/block/platform/sdhci-tegra.3/by-name/RDO of=/sdcard/RDO.img
/dev/block/platform/sdhci-tegra.3/by-name/RDO: cannot open for read: No such file or directory
In theory i should be able to restore by using the dd on the emmc partitions, but i don`t know which one it is.
ls /dev/block/mmcblk*
ls /dev/block/mmcblk*
/dev/block/mmcblk0 TO BIG
/dev/block/mmcblk0boot0 2.048KB (bootloader)
/dev/block/mmcblk0boot1 2.048KB (bootloader backup)
/dev/block/mmcblk0p1 12.288KB (boot or recovery)
/dev/block/mmcblk0p2 8.192 KB
/dev/block/mmcblk0p3 TO BIG
/dev/block/mmcblk0p4 TO BIG
/dev/block/mmcblk0p5 512KB
/dev/block/mmcblk0p6 10.240KB (boot or recovery)
/dev/block/mmcblk0p7 5.120KB
/dev/block/mmcblk0p8 512KB
/dev/block/mmcblk0p9 TO BIG
In my first look this is what i found, if someone can assist me with this, there are multiple users with this issue, so also others at some moment will be grateful if we fix this.
1) On which partition is the radio stored
2) Can someone dump that partition using dd ?
Again, sorry for creating this post, i don`t usually do things like this (old user, know how the things work around here), but i am a little bit desperate.
Managed to fix partially the issue.
In bootloader the Baseband still appears as N/A
What I did.
1) Mounted radio-tilapia-1231_0.18.0_0409.img
2) Copied the radio_update.zip
3) Rebooted the Tablet in RECOVERY
4) Presse Power Key and Volume Key Plus (first power key, while you keep the power pressed, press the volume key for 2 seconds, release)
5) Select "Apply Update From ADB"
6) Issue the command "adb sideload radio_update.zip
7) Wait till the update goes to end,, and select Reboot system now.
Now when you check in Settings/About Tablet/Baseband, you should have the Baseband which you applied via adb
For those in need, here is the radio_update.zip
http://globula.arctablet.com/Nexus7/radio_update.zip
Still the question remains open, HO KNOWS WHAT PARTITION IS THE ONE FROM THE RADIO ?

Hello
I have exactly the same issue reported by globula neagra.
In my case the issue started just after Nexus came back from Asus repair center with the motherboard replaced. .
As the radio cannot be flashed, the ota procedure fails.
Any idea how to recover the radio partition in order to flash the correct radio image file?
Regards.

My N7 2012 has the same symptoms (Baseband N/A in fastboot) after getting it back from Asus a couple of weeks ago. I believe they replaced the motherboard of my N7 if that matters. I was able to adb sideload the radio from 4.3 then fastboot all factory images from the latest update and then relock. Not sure if I should send it back since it will not install otas on its own, and I will have to adb sideload the radio every update. Thanks op for the info on adb radio update.
Sent from my Nexus 7 using xda app-developers app

My Nexus 7 2012 has the same problem. I could not update OTA and also fastboot update fails, because of Baseband N/A. Now I'm on 4.3 but with old Baseband. I didn't update it, because looks like everything is running.
Before my one was two times in service at Asus. One time they replaced the mainboard.

For sure the solution of globula neagra is a good workaround, but it is very strange that, after the motherboard replacement, you cannot update anymore a standard product with a standard OTA procedure.
Maybe something could be revised in the replacement process.....

flaps1970 said:
For sure the solution of globula neagra is a good workaround, but it is very strange that, after the motherboard replacement, you cannot update anymore a standard product with a standard OTA procedure.
Maybe something could be revised in the replacement process.....
Click to expand...
Click to collapse
UP
Can someone dump that partition using dd, as asked by Globula Neagra?

I don`t understand what exactly you talk about .. radio partitions etc. but if that helps I had a problem with the memory of the tablet: have 32g + gsm N7 and in storage tab it appears only 6gb availabale, so I downloaded nakasig-jwr66y-factory-bdbb7bd7.tgz , extracted the archive and in created folder there was
bootloader-tilapia-4.23.img
flash-all.bat
flash-all.sh
flash-base.sh
image-nakasig-jwr66y.zip
radio-tilapia-1231_0.18.0_0409.img
Using windows 8 I executed in CMD flash-all.bat and the script flashes the radio,bootloader,stock rom and many other things that I did not seen before.I can`t provide a link for download but it is in the forum.I`ll be happy if that can help you solve your problem! Just flash without fear

Blown_ouT said:
I don`t understand what exactly you talk about .. radio partitions etc. but if that helps I had a problem with the memory of the tablet: have 32g + gsm N7 and in storage tab it appears only 6gb availabale, so I downloaded nakasig-jwr66y-factory-bdbb7bd7.tgz , extracted the archive and in created folder there was
bootloader-tilapia-4.23.img
flash-all.bat
flash-all.sh
flash-base.sh
image-nakasig-jwr66y.zip
radio-tilapia-1231_0.18.0_0409.img
Using windows 8 I executed in CMD flash-all.bat and the script flashes the radio,bootloader,stock rom and many other things that I did not seen before.I can`t provide a link for download but it is in the forum.I`ll be happy if that can help you solve your problem! Just flash without fear
Click to expand...
Click to collapse
So it will erase all apps and data on N7?

vndnguyen said:
So it will erase all apps and data on N7?
Click to expand...
Click to collapse
Yes in that case executing the flash-all.bat it will wipe all the data and apps but you can try to manualy flash the radio and the bootloader with that latest version...and like I understand your problem you can`t lose much...still you can`t use your device

@Blown_ouT
I did tried several approaches, and actually what you are saying above broke my device and created the issue with the radio.
The bootloader is saying that my radio partition does not exist anymore, therefore you can not flash something that is not existent, and your method does not work.
Tough, the partition is not vanished it must be there but i think is corrupted somehow.
When i broke the device first time i did this:
1) Update the tablet using the OTA
2) Result was a broken radio
3) Tried to re-flash the tablet using the stand alone pack
-when i did this, i did not wanted to unlock the tablet, still the cmd file runned and erased everything from the tablet but not flashed nothing, which is the most stupid thing since i did not unlocked the device and therefore the restrictions were up (which are supposed to be in theory a non access to erase/write but still google allows you to brick your device with the cmd file without unlocking, but does not allow you to fix it till you unlock it, again VERY STUPID)
-i was able to flash all the files one by one except the radio

globula_neagra said:
@Blown_ouT
I did tried several approaches, and actually what you are saying above broke my device and created the issue with the radio.
The bootloader is saying that my radio partition does not exist anymore, therefore you can not flash something that is not existent, and your method does not work.
Tough, the partition is not vanished it must be there but i think is corrupted somehow.
When i broke the device first time i did this:
1) Update the tablet using the OTA
2) Result was a broken radio
3) Tried to re-flash the tablet using the stand alone pack
-when i did this, i did not wanted to unlock the tablet, still the cmd file runned and erased everything from the tablet but not flashed nothing, which is the most stupid thing since i did not unlocked the device and therefore the restrictions were up (which are supposed to be in theory a non access to erase/write but still google allows you to brick your device with the cmd file without unlocking, but does not allow you to fix it till you unlock it, again VERY STUPID)
-i was able to flash all the files one by one except the radio
Click to expand...
Click to collapse
Hello, just an update about this issue,
I started the RMA procedure and ASUS replaced me the motherboard again (already one had been replaced).
Yesterday i received back the Nexus, nothing had changed, the tablet has exactly the same issue.
At this point, i think there are only three possibilities:
1) all the motherboards used in the Repair center are faulty
2) there is something wrong in the ASUS procedure
3) the problem is not related to the motherboard but is somewhere else
I am very frustrated about this situation, 5 months of tablet and three times in repair center without repairing the issue.

flaps1970 said:
Hello, just an update about this issue,
I started the RMA procedure and ASUS replaced me the motherboard again (already one had been replaced).
Yesterday i received back the Nexus, nothing had changed, the tablet has exactly the same issue.
At this point, i think there are only three possibilities:
1) all the motherboards used in the Repair center are faulty
2) there is something wrong in the ASUS procedure
3) the problem is not related to the motherboard but is somewhere else
I am very frustrated about this situation, 5 months of tablet and three times in repair center without repairing the issue.
Click to expand...
Click to collapse
I do think is an issue on a software level.
Google/Asus don`t want to admit that the updates are "braking" the tablets.

Geez, I have the same problem, I also got my Nex7 GSM from the repair with the new motherboard.
They had one job....

globula_neagra said:
My issue: after i updated via OTA, the tablet, the 3G stopped working, the OTA corrupted the radio partition, and now it seems that my tablet is on first baseband (a backup radio it seems) released with the device which has some issues (wifi signal very crappy)
In fastboot the baseband appears N/A
Click to expand...
Click to collapse
When ASUS replaced my device's motherboard they reinstalled the factory 4.2 instead of the 4.4.4 it was on at the time. During the 4.3 OTA upgrade the device hung and now the baseband is N/A in the bootloader menu. Trying to flash factory images or just the radio itself obviously doesn't work.
Other than your excellent sideload work-around, have you found a proper fix for the radio partition itself?

globula_neagra said:
ls /dev/block/mmcblk*
/dev/block/mmcblk0 TO BIG
/dev/block/mmcblk0boot0 2.048KB (bootloader)
/dev/block/mmcblk0boot1 2.048KB (bootloader backup)
/dev/block/mmcblk0p1 12.288KB (boot or recovery)
/dev/block/mmcblk0p2 8.192 KB
/dev/block/mmcblk0p3 TO BIG
/dev/block/mmcblk0p4 TO BIG
/dev/block/mmcblk0p5 512KB
/dev/block/mmcblk0p6 10.240KB (boot or recovery)
/dev/block/mmcblk0p7 5.120KB
/dev/block/mmcblk0p8 512KB
/dev/block/mmcblk0p9 TO BIG
Click to expand...
Click to collapse
Still the question remains open, HO KNOWS WHAT PARTITION IS THE ONE FROM THE RADIO ?
Click to expand...
Click to collapse
By now it's probably common knowledge to you and others with this problem that when the Nexus 7 3G gets into this state, the radio partition doesn't show up in the list anymore. My tablet broke before I could have a look at what correct partition information looks like, and there isn't much about it on the Internet either. However, these seem to agree:
http://forum.xda-developers.com/showpost.php?p=35103211&postcount=16
http://www.0jl.com/blog/?p=2196
http://forum.xda-developers.com/showthread.php?p=45045265#post45045265
E.g.:
Code:
Device "/ dev / block / mmcblk0p1", the name of "SOS", format emmc, capacity 12M, mount --- storage recovery
Device "/ dev / block / mmcblk0p2", the name "LNX", format emmc, capacity 8M, mount --- storage boot
Device "/ dev / block / mmcblk0p3", the name "APP", format ext4, the capacity of 650M, mount "/ system", the storage system
Device "/ dev / block / mmcblk0p4", the name "RDO", format emmc, capacity 16M, mount --- store radio
Device "/ dev / block / mmcblk0p5", the name "CAC", format ext4, the capacity of 443M, mount "/ cache", storage cache
Device "/ dev / block / mmcblk0p6", the name "MSC", format emmc, capacity 512K, mount --- storage misc
Device "/ dev / block / mmcblk0p7", the name "USP", format, capacity 10M, mount --- storage ---
Device "/ dev / block / mmcblk0p8", the name "PER", format, capacity 5M, mount --- storage ---
Device "/ dev / block / mmcblk0p9", the name "MDA", format, capacity 512K, mount --- storage ---
Device "/ dev / block / mmcblk0p10", the name "UDA", format ext4, capacity 28G, mount "/ data", storage userdata
and
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
IOW, compared to grouper the tilapia has an extra 16M radio partition inserted at mmcblk0p4.
Tablets in this state had this partition corrupted or deleted. Would it be correct to deduce that the problem can therefore be fixed by correctly recreating the partition table and then reflashing the machine?
I'm only familiar with working with Windows partitions and haven't been able to find instructions for recreating the Nexus 7 3G's partition table specifically. Is the above information sufficient for doing that, and what commands are needed? My tablet's currently on 4.2.2 and comes with both fdisk and parted.
Thanks in advance,
Francois

globula_neagra said:
My issue: after i updated via OTA, the tablet, the 3G stopped working, the OTA corrupted the radio partition
Click to expand...
Click to collapse
This seems to be the common experience with radio partition corruption. It also seems the process that leads to this corruption could involve a corrupt bootloader.
It turns out that both recent factory images as well as at least the 4.3 OTA for the Nexus 7 3G contain a corrupt bootloader, see http://forum.xda-developers.com/nexus-7/general/info-nexus-7-3g-ota-bootloader-corrupt-t3033513. This means whether Android software is being installed manually or automatically, the target machine is potentially exposed to the corrupt bootloader.
Most firmware installs that include a new bootloader and radio software first install the bootloader, then boot into that, then next proceed with installation of the radio software, and then whatever else.
This opens up the possibility that failure to install and activate the new bootloader contributes to corruption of the radio partition when its upgrade is attempted. If I manage to test this once my machine is returned from repairs I hope to update. Any other thoughts or contributions in the meantime will be appreciated. Especially towards fixing the radio partition.

Samusung Galaxy Tab 4 8.0 - SMT330NU Bricked (Black screen of death)

So I was trying to install a custom recovery for my tablet, but I did the stupidest thing -- I'll try to explain everything that I did. So first, I downloaded the custom recovery from this thread: http://forum.xda-developers.com/tab-4/development/recovery-philz-smnu-t2980094 and the file name was: sm-t330nu-Philz-6_58_9-milletwifiue-recovery.zip -- Then, I used terminal emulator on my tablet to flash the custom recovery image. Here is what I put:
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p13
reboot recovery
It told me this:
write error: no space left on device
So I searched google for a way to get around this problem. I found something, and I was stupid enough to put in this into the terminal emulator:
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p3
bs=1 seek=0
reboot recovery
I put this in without knowing what would happen *facepalm* So when my device rebooted, it was just a black screen. I tried connecting it to my computer. When I did, I saw a driver was trying to install. The computer told me that no driver was found. The name of the driver is "QHSUSB_BULK" I downloaded the samsung usb drivers but that didn't work. The driver "QHSUSB_BULK" has a yellow exclamation mark on it. I also tried connecting the tablet to my charger, but the screen was still black. I even tried holding the power button and volume up button, but still nothing. I don't know what to do anymore. If someone know of a way to fix this, please tell me. I really need help right now. I'm in desperate need for a fix. Thank you all in advance.

sdkfreak123 said:
So I was trying to install a custom recovery for my tablet, but I did the stupidest thing -- I'll try to explain everything that I did. So first, I downloaded the custom recovery from this thread: http://forum.xda-developers.com/tab-4/development/recovery-philz-smnu-t2980094 and the file name was: sm-t330nu-Philz-6_58_9-milletwifiue-recovery.zip -- Then, I used terminal emulator on my tablet to flash the custom recovery image. /QUOTE]
You should have flashed it with odin. Try pressing and holding power+volume up and down+Home buttons all at the same time for a minute or so and see if it does something.
Click to expand...
Click to collapse

hey guys,
some points to make,
1 Use the XDA search function and reasearch the PROPER way to do what it is you want to do.
2 You DO NOT flash a ZIP file in odin. You flash a TAR or TAR.MD5 image in odin.
3 To @sdkfreak123, not meaning to sound harsh jerk-facey but,
WHY FOR THE LOVE OF FRENCH TOAST WITH SPRINKLES WOULD
YOU WRITE A RECOVERY IMAGE TO MMCBLK0P13 ON A GALAXY TAB SM-T330NU !?!?!?!
Reading the entire recovery thread and or making a request either in the thread or via pm is the way to go.
Don't misunderstand me, i feel your pain, but your tab is most likely done.
This is the partition layout of the sm-t330nu, the areas you overwrote are in RED
Code:
Number Start End Size File system Name Flags
1 4194kB 18.9MB 14.7MB apnhlos
2 18.9MB 71.0MB 52.2MB modem
[COLOR="Red"]3 71.0MB 71.6MB 524kB sbl1[/COLOR] ----> FATALITY
4 71.6MB 71.6MB 32.8kB dbi
5 71.6MB 71.6MB 32.8kB ddr
6 71.6MB 73.7MB 2097kB aboot
7 73.7MB 74.3MB 524kB rpm
8 74.3MB 74.8MB 524kB tz
9 74.8MB 75.8MB 1049kB pad
10 75.8MB 86.3MB 10.5MB param
11 86.3MB 101MB 14.7MB ext4 efs
12 101MB 104MB 3146kB modemst1
[COLOR="Red"]13 104MB 107MB 3146kB modemst2[/COLOR]
14 107MB 118MB 10.5MB boot
[COLOR="SeaGreen"]15 118MB 128MB 10.5MB recovery[/COLOR] ----> THIS IS YOUR RECOVERY BLOCK
16 128MB 139MB 10.5MB fota
17 139MB 146MB 7331kB backup
18 146MB 149MB 3146kB fsg
19 149MB 149MB 1024B fsc
20 149MB 149MB 8192B ssd
21 149MB 158MB 8389kB ext4 persist
22 158MB 167MB 9437kB ext4 persdata
23 167MB 2579MB 2412MB ext4 system
24 2579MB 2893MB 315MB ext4 cache
25 2893MB 2914MB 21.0MB ext4 hidden
26 2914MB 15.8GB 12.8GB ext4 userdata
You should be using Odin for flashing this tab https://www.androidfilehost.com/?fid=95897840722648913
But first you must install Samsung USB Drivers and reboot your pc https://www.androidfilehost.com/?fid=95897840722648914
To boot your tab into Odin mode you press and hold at the same time HOME, VOL-DOWN and POWER
if through some strange miracle of techno-sourcery [see what i did there ? xD ] you manage to get the tab into odin mode,
PM ME IMMEDIATELY.
You're already basically screwed so it can't hurt to try an experiment.
In the future READ THE DAMNED THREAD !!!! ARRGGHH GROWLL [fart]
m

So what? did you ever got your tab back? im facing a similar problem while i was restoring my efs.img via terminal emulator, it gave me this error:
write error: no space left on device
So i thought there was no problem, then i wrote reboot on TE, and then nothing, i plugged the tab t331 to usb port and said installing QHSUSB_BULK driver, but it never did, so now i was searching and found only this forum with similar issue,
**i hate when they never give the solution, even when they find it, they forget to post it here

Joanse said:
So what? did you ever got your tab back? im facing a similar problem while i was restoring my efs.img via terminal emulator, it gave me this error:
write error: no space left on device
So i thought there was no problem, then i wrote reboot on TE, and then nothing, i plugged the tab t331 to usb port and said installing QHSUSB_BULK driver, but it never did, so now i was searching and found only this forum with similar issue,
**i hate when they never give the solution, even when they find it, they forget to post it here
Click to expand...
Click to collapse
you can get this driver somewhere in the motog forum. motog 2013.

sub77 said:
you can get this driver somewhere in the motog forum. motog 2013.
Click to expand...
Click to collapse
i dont need the drivers any more, i decided to make a thread because i didnt find any help anywhere...
http://forum.xda-developers.com/tab-4/help/help-galaxy-tab-4-8-0-hardbricked-boot-t3200743

Joanse said:
i dont need the drivers any more, i decided to make a thread because i didnt find any help anywhere...
http://forum.xda-developers.com/tab-4/help/help-galaxy-tab-4-8-0-hardbricked-boot-t3200743
Click to expand...
Click to collapse
but it may be possible to restore the bootloader with it.

sub77 said:
but it may be possible to restore the bootloader with it.
Click to expand...
Click to collapse
how can i do that?
one question, do you have the tab t331? if you do, coould you make the unbrick image for me?

[Android O] Super Easy Ticwatch E/S Update Flasher

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
DISCLAIMER:
I'm not responsible for any damaged watches, bootlooping logos, crying babies or other broken things!
The following tutorial CAN brick your watch if you're not careful enough! Once again I'm not taking any responsibility!​
---------------------------------------------------------
Please read before doing anything:
This is an easy to use, (almost) one-click solution to update your Ticwatch E/S to Android O and enjoy the latest and greatest OS on your very own wrist!
The tool is especially, but not only, designed to upgrade Ticwatches which have/had TWRP and/or root flashed before since they cannot be easily upgraded without flashing stock partitions back manually before.
Before using this tool please disconnect any other ADB devices such as phones or other watches and only connect your Ticwatch! Not doing so could flash an incompatible image onto the wrong device!
Files you'll need:
v001 of "TicwatchOreoUpdate_v001.7z" - Download Mirror
Changelog:
v001:
Initial Release.
Instructions:
Enable ADB in the Developer Settings
Once done connect your watch to your computer and do "adb reboot bootloader"
THIS WILL RESET YOUR WATCH:*Once in fastboot mode type "fastboot oem unlock" (if you already have an unlocked bootloader you [font=Verdana, Arial, Helvetica, sans-serif]can skip this[/font])
Follow the on-screen instructions on your watch to unlock it (if you already have an unlocked bootloader you can skip this)
Extract the package and Double-Click the "flash-all.bat" file.
Wait a bit, the script does everything for you.
At the end the script will ask you if you want to format all Userdata, this is recommended and you should answer with "y" (yes).
Once this step is done your watch will automatically reboot. Enjoy Android Oreo
Have fun!
Thanks a lot to @Luxios for creating this package!

Nice will test when I get home later.
Will this matter if im on janjan custom rom/kernel?

basicreece said:
Nice will test when I get home later.
Will this matter if im on janjan custom rom/kernel?
Click to expand...
Click to collapse
It'll flash all the stock partitions back onto the watch so all customizations should be reverted by the script.

Flashed via macbook, flashed boot, recovery then system. Wiped cache and user data. Rebooted. So far all good!!

Worked great, thanks guys!

Thank you so much! It worked, and I finally have an updated watch! Works great, nice and quick, too!

Any root app working with this? Magisk? Supersu?
Thanks for the great work btw ?️

Fcukfame said:
Any root app working with this? Magisk? Supersu?
Thanks for the great work btw ️
Click to expand...
Click to collapse
I used the Root and Magisk from janjan's thread with the v003 recovery from EpicLPer. No problems so far.
https://forum.xda-developers.com/smartwatch/other-smartwatches/rom-kernel-t3786600

Thanks. I still have that. I'll give it a go

i'm finish flash work fine.
but OS version stay 7.1.1
not update to 8.0

Ran into some issues running the script on my stock ticwatch. Kept *****ing because my device wasn't unlocked. I'm going to try unlocking the device and trying again.
UPDATE:
If you have a stock ticwatch e like myself and haven't OEM unlocked it, this script will fail.
Before you run the script you need to run
fastboot oem unlock
You only need to do this if you HAVEN'T unlocked your watch before

For some reason the OTA update was screwing up, so I decided to try this. Unfortunately every single time I tried this it would say it failed to erase 'system'. I'd hear the PC make the device removed sound, so it's as if the USB connection suddenly reset during the process or something (to be clear, the pins are clean and it definitely had a good connection the whole time.) Eventually I gave up because there was nothing I could get to work. And now it won't go past the "ticwatch" logo no matter what I do. Am I royally screwed or is there anything at all I can do here?
EDIT: I thought I had closed the terminal from before, but it was actually still open. Here is the exact text:
Code:
> fastboot flash system system.img
target reported max download size of 134217728 bytes
erasing 'system'...
OKAY [ 0.493s]
sending sparse 'system' (131068 KB)...
FAILED (status read failed (No such device or address))
finished. total time: 0.835s
This is when I manually tried running the command. I think earlier it actually said it failed to erase system for whatever reason, but when I tried doing it manually I got this same thing over and over.

Nazo said:
For some reason the OTA update was screwing up, so I decided to try this. Unfortunately every single time I tried this it would say it failed to erase 'system'. I'd hear the PC make the device removed sound, so it's as if the USB connection suddenly reset during the process or something (to be clear, the pins are clean and it definitely had a good connection the whole time.) Eventually I gave up because there was nothing I could get to work. And now it won't go past the "ticwatch" logo no matter what I do. Am I royally screwed or is there anything at all I can do here?
EDIT: I thought I had closed the terminal from before, but it was actually still open. Here is the exact text:
Code:
> fastboot flash system system.img
target reported max download size of 134217728 bytes
erasing 'system'...
OKAY [ 0.493s]
sending sparse 'system' (131068 KB)...
FAILED (status read failed (No such device or address))
finished. total time: 0.835s
This is when I manually tried running the command. I think earlier it actually said it failed to erase system for whatever reason, but when I tried doing it manually I got this same thing over and over.
Click to expand...
Click to collapse
Try rebooting, or a different USB port. Could be any number of things causing it.

I've rebooted a hundred times but it does exactly what it should do when system isn't flashed. The USB port has nothing to do with it, but the USB port is good. Well, I did try another with the exact same results at that time, but this is not applicable right now.

I'm having an issue where after running the flash-all.bat, the system gets stuck trying to boot up. Looking in the logs, i see this error in the flash-all
Code:
Format all Userdata?(y or n): y
Creating filesystem with parameters:
Size: 2603089920
Block size: 4096
Blocks per group: 32768
Inodes per group: 7952
Inode size: 256
Journal blocks: 9930
Label:
Blocks: 635520
Block groups: 20
Reserved block group size: 159
Created filesystem with 11/159040 inodes and 20879/635520 blocks
[B]error: file_write: write: Bad file descriptor[/B]
Cannot read image.
erasing 'userdata'...
OKAY [ 0.389s]
finished. total time: 0.393s
Creating filesystem with parameters:
Size: 67108864
Block size: 4096
Blocks per group: 32768
Inodes per group: 4096
Inode size: 256
Journal blocks: 1024
Label:
Blocks: 16384
Block groups: 1
Reserved block group size: 7
Created filesystem with 11/4096 inodes and 1294/16384 blocks
[B]error: file_write: write: Bad file descriptor[/B]
Cannot read image.
erasing 'cache'...
OKAY [ 0.037s]
finished. total time: 0.041s
EDIT:
I was able to fix the issue by flashing this rom first then reflashing this

Nazo said:
I've rebooted a hundred times but it does exactly what it should do when system isn't flashed. The USB port has nothing to do with it, but the USB port is good. Well, I did try another with the exact same results at that time, but this is not applicable right now.
Click to expand...
Click to collapse
I meant rebooting the PC.... And it doesn't matter if your USB port is "good" or not. Some ports just don't work with fastboot, regardless. If you're using a 3.0 port, it could cause errors, too.

GuyInDogSuit said:
I meant rebooting the PC.... And it doesn't matter if your USB port is "good" or not. Some ports just don't work with fastboot, regardless. If you're using a 3.0 port, it could cause errors, too.
Click to expand...
Click to collapse
Ok, I rebooted my PC. My watch that isn't even plugged into it is still doing the same thing. Could you maybe reread what I'm asking here? Basically the short of it is: "is there any way at all to get it back into recovery mode?"
And yes, the ports are fine. All other flashes did fine. Only system failed. The cable is fine. The contacts are clean. It was both USB 2.0 and 3.0 as I said I tried multiple ports. This is wildly irrelevant at this time as I need to get the watch able to be flashed before I even can flash it.

Nazo said:
Ok, I rebooted my PC. My watch that isn't even plugged into it is still doing the same thing. Could you maybe reread what I'm asking here? Basically the short of it is: "is there any way at all to get it back into recovery mode?"
And yes, the ports are fine. All other flashes did fine. Only system failed. The cable is fine. The contacts are clean. It was both USB 2.0 and 3.0 as I said I tried multiple ports. This is wildly irrelevant at this time as I need to get the watch able to be flashed before I even can flash it.
Click to expand...
Click to collapse
This is a long shot, but did you try what lil-g-gamegenius did?

What I'm saying is I can't get to recovery. I'm asking is there a way to get to it by pressing the button a certain way or something.
I had a feeling this would happen and kept it up as long as I could, but there was a really bad storm and I had to shut down. (My PC cost considerably more than this watch and the watch would go up in flames if the PC did while it was plugged in anyway.)

I ran the script but now I'm bootlooping.
Is there a way to get into the bootloader still or should I try my luck at an RMA

SM-S727VL Analysis, Partition Table, and Factory

-- UPDATE #1 (11/05/18) added
So I've got myself a Tracfone Variant of the Samsung J7, The "Galaxy J7 Sky Pro" [SM-S727VL] CDMA. As far as I can tell, this variant is sold on both the Tracfone and StraightTalk carriers, and it seems to just run a slightly modified build based off of the Official Verizon Firmware. The build fingerprint lists this device as "J7POPQLTEVZW", or an LTE Verizon Qualcomm J7 Pop. Yes, even Google refers to the device as a J7 Pop on official firmware.
I've had the phone for about two weeks now and I'm ready to begin tinkering again. I have the current official firmware with Carrier & Home CSC files. I also have the Binary 3 and Binary 4 Combination Firmware. I am awaiting download of an Official Stock Bootloader Revision 3 ROM and a set of Official VZW ROMs. I would pay someone for a real engineering firmware build. But I have the the carrier unlocked modems (still CDMA Only I hear) that are ODIN Flashable if anyone needs them. in my past experiences with Combination Firmware their modems are normally nor carrier locked.
Just bear with me on the longwinded-ness of this post. I want to know more about this device just as I've seen many others post already. I'm making this thread because, while I'm not the foremost expert on newer Samsung Firmware or even Android in general, I do know a bit about a lot of different topics spanning all of Android. I just need a little help compiling the command line tools I need. Because we are going to have to use older sources to compile the tools. Please message me if you have Linux experience. I feel like I can do this, but I will need a Linux Person on my side. Get at me bro.
***
So now I will breakdown into my Analysis and post my insights into Rooting this decently awesome (and cheaper) Android. All I know is, deep down my intuition is telling me this device is perfectly rootable, just using a round-a-bout method. I can see all the steps, they just haven't aligned yet, and I don't know the nitty gritty configuration details of CF's SuperSU/pHH's SuperUser.
At this point, it all comes down to setting the correct SELinux Contexts on the SU related files we install manually, and then extending ADB Root to the Launcher. Root currently is basically at the same point I got to with the AT&T Note 5. I have successfully manually installed & configured SuperSU from adb shell only once, and it was by accident on a Note5 w/5.1 combination installed. It seems like the 6.0 based factory binaries no longer include ADB Root in the kernel like KK and LP.
LINKS TO RESOURCES: https://drive.google.com/open?id=1eP1FK9Jw08sSVwf4X-i1P58-eDHI04LR
***
(1.) There is a major difference right off the top that can be seen in the two carriers. StraightTalk variants are stuck on the build 4ARF2 MM 6.0.1 build. This is only if you've bought the device brand new from straight talk. ST I've heard will not release the 7.0 Nougat build of 4ARF2. Straight Talk doesn't do it's own development. The normal Tracfone variant however, does have a 7.0 Nougat build of 4ARF2, the newest firmware thus far. As far as I am aware at this time, if you can find the ODIN Flashable 7.0 Nougat Firmware for the S727VL, it will still flash onto a StraightTalk variant. ST just will not do it themselves. But the current official firmware, S727UDS4ARF2 should come in a 6.0.1 form from StraightTalk OTA's, and a 7.0 form from Tracfone OTA's. But since both firmware are made for the SM-S727VL they should still flash. This might also be a path towards decrypting the test-keys the Kernel is signed with.
(2.) Normally, Combination Firmware is from a previous Android Version. Over the last few years of tinkering with Samsung devices, one thing I've always noticed, is that the combination firmware for a given bootloader revision is normally a version behind. Like on the Verizon Galaxy S6 Edge, the Revision 4 Combination Firmware is based on Lollipop 5.0 while the official builds are based on 6.0.1. Or if the device has official firmware that is 7.0 for that bootloader revision, the combination firmware will be based on 6.0.1. My point being, combination and official builds are normally not on the same Android version. They do this I think because the version change forces a full DM-Verity check with new signatures. The combination firmware still works because the "aboot" is legal for the bootloader revision is still validly signed. That's why combination firmware always comes as "1A", "3A", "4A", etc instead of "2D" or "4C". The number is the bootloader revision and the letter after is the ABOOT revision. The last 3 digits of the build ID being the date it was built. With the StraightTalk S727VL however, the revision 4 factory binary UDU4ARF1 is actually based on the same MMB29M Android 6.0.1 source as the official UDS4ARF2 MMB29M 6.0.1 release. I haven't seen this happen before and I know it means it will open a door or two for us. Especially considering we have both a Carrier and HOME CSC file for the firmware.
(3.) The Combination Firmware comes with a Permissive SELinux Kernel. Yet unlike most other Factory Binaries I've dealt until now, the Revision 4 Combination Firmware does not include a kernel with adb root. This must be one of the caveats of a MM based Factory Binary. All of the LP and older Combo's I've worked with had a Permissive Kernel with ADB Root, this one only has Permissive SELinux. The Factory Binary does include a Permissive SELinux Kernel that is flashable/bootable over top of the the official stock 4ARF2 build. So the official stock S727UDS4ARF2 firmware can be booted in SELinux Permissive mode, which means we should be able to get root somehow, that's usually a deciding factor at the end stage. Our problem with the Note5 was that the Binary 4 Combination was 5.1 while the official revision 4 builds were 6.0.1, so the kernels were all together from different versions of android. That isn't the case at all with the J7 Sky Pro.
(4.) Be careful flashing the Combination Firmware. It could mess up your SD Card. I'm not sure if it was because of the options I was testing in ODIN while flashing a couple times and my SD got repartitioned as well, or if flashing the combo firmware just shorted my SD. Either way, after flashing the combination and then back to stock, my device no longer reads my 64GB SD Card. It didn't read in the factory binary either. I may have to just repartition it for the card to work. But looking at the DiskInfo at the bottom, it looks like my External and Internal SD Cards have been combined maybe.
(5.) The Revision 4 Factory Binary ships with the 4ARF2 baseband, which is unusual as well. Normally a combination firmware will ship with the same build of the CP as the AP. But when I did a NAND Erase All & a Re-Partition in ODIN the Combination firmware still showed me having the 4ARF2 modem installed. But I use Straight Talk so my modem should already be carrier unlocked for CDMA use. Normally combination firmware carry the carrier unlocked modem for that bootloader revision.
*****
*****
*****
This is where I'm at currently. I hope to have some help tackling this. I'll try looking into this some more yes, but I haven't had this long and this is how far I've gotten in ~1.5 - 2 weeks.
ODIN Results flashing 4ARF1 Combination Firmware
T-Flash Total Sector 124735488
Download Mode - WonderShare MobileGo identifies the device as MSM8953
Flash Lock option failed to start flashing because ODIN didn't receive a response from the device.
GPT Layout Information via DiskInfo
Code:
--------------------------
Internal Storage (MMC)
--------------------------
* sbl1 [mmcblk0p1] Not mounted
Total space: 512 KB
* sbl1bak [mmcblk0p2] Not mounted
Total space: 512 KB
* ddr [mmcblk0p3] Not mounted
Total space: 32 KB
* limits [mmcblk0p4] Not mounted
Total space: 32 KB
* aboot [mmcblk0p5] Not mounted
Total space: 2 MB
* rpm [mmcblk0p6] Not mounted
Total space: 512 KB
* tz [mmcblk0p7] Not mounted
Total space: 2 MB
* hyp [mmcblk0p8] Not mounted
Total space: 512 KB
* devcfg [mmcblk0p9] Not mounted
Total space: 256 KB
* fsg [mmcblk0p10] Not mounted
Total space: 3 MB
* sec [mmcblk0p11] Not mounted
Total space: 16 KB
* keymaster [mmcblk0p12] Not mounted
Total space: 256 KB
* cmnlib [mmcblk0p13] Not mounted
Total space: 256 KB
* cmnlib64 [mmcblk0p14] Not mounted
Total space: 256 KB
* lksecapp [mmcblk0p15] Not mounted
Total space: 512 KB
* apdp [mmcblk0p16] Not mounted
Total space: 256 KB
* mdsap [mmcblk0p17] Not mounted
Total space: 256 KB
* pad [mmcblk0p18] Not mounted
Total space: 944 KB
* modemst1 [mmcblk0p19] Not mounted
Total space: 3 MB
* modemst2 [mmcblk0p20] Not mounted
Total space: 3 MB
* param [mmcblk0p21] Not mounted
Total space: 10 MB
* efs [mmcblk0p22] (/efs) [ext4]
Used: 5.1 MB, Free: 8.9 MB, Total space: 14 MB
* boot [mmcblk0p23] Not mounted
Total space: 32 MB
* recovery [mmcblk0p24] Not mounted
Total space: 32 MB
* bota [mmcblk0p25] Not mounted
Total space: 7 MB
* fota [mmcblk0p26] Not mounted
Total space: 5 MB
* backup [mmcblk0p27] Not mounted
Total space: 6 MB
* fsc [mmcblk0p28] Not mounted
Total space: 3 MB
* ssd [mmcblk0p29] Not mounted
Total space: 8 KB
* persist [mmcblk0p30] (/persist) [ext4]
Used: 5.3 MB, Free: 26.7 MB, Total space: 32 MB
* persistent [mmcblk0p31] Not mounted
Total space: 1 MB
* steady [mmcblk0p32] Not mounted
Total space: 1 MB
* keystore [mmcblk0p33] Not mounted
Total space: 512 KB
* config [mmcblk0p34] Not mounted
Total space: 32 KB
* mota [mmcblk0p35] Not mounted
Total space: 512 KB
* dpo [mmcblk0p36] Not mounted
Total space: 256 KB
* mdtp [mmcblk0p37] Not mounted
Total space: 64 KB
* dip [mmcblk0p38] Not mounted
Total space: 1 MB
* oem [mmcblk0p39] Not mounted
Total space: 64 KB
* mcfg [mmcblk0p40] Not mounted
Total space: 4 MB
* dsp [mmcblk0p41] (/dsp) [ext4]
Used: 9.5 MB, Free: 6.5 MB, Total space: 16 MB
* modem [mmcblk0p42] (/firmware-modem) [vfat]
Used: 63.9 MB, Free: 27.6 MB, Total space: 91.6 MB
* apnhlos [mmcblk0p43] (/firmware) [vfat]
Used: 23.3 MB, Free: 60.7 MB, Total space: 84 MB
* reserved2 [mmcblk0p44] Not mounted
Total space: 1 MB
* System [mmcblk0p45] (/system) [ext4]
Used: 3.1 GB, Free: 464 MB, Total space: 3.5 GB
* Cache [mmcblk0p46] (/cache) [ext4]
Used: 31.2 MB, Free: 568 MB, Total space: 600 MB
* carrier [mmcblk0p47] (/carrier) [ext4]
Used: 5.6 MB, Free: 39.4 MB, Total space: 45 MB
* Data (userdata) [mmcblk0p48] (/data) [ext4]
Used: 3.9 GB, Free: 6.3 GB, Total space: 10.2 GB
* mmcblk0rpmb [mmcblk0rpmb] Not mounted
Total space: 4 MB
--------------------------
Internal Storage
--------------------------
* vnswap0 [vnswap0] Not mounted
Total space: 1 GB
--------------------------
SD Card
--------------------------
* sbl1 [mmcblk1p1] Not mounted
Total space: 512 KB
* sbl1bak [mmcblk1p2] Not mounted
Total space: 512 KB
* ddr [mmcblk1p3] Not mounted
Total space: 32 KB
* limits [mmcblk1p4] Not mounted
Total space: 32 KB
* aboot [mmcblk1p5] Not mounted
Total space: 2 MB
* rpm [mmcblk1p6] Not mounted
Total space: 512 KB
* tz [mmcblk1p7] Not mounted
Total space: 2 MB
* hyp [mmcblk1p8] Not mounted
Total space: 512 KB
* devcfg [mmcblk1p9] Not mounted
Total space: 256 KB
* fsg [mmcblk1p10] Not mounted
Total space: 3 MB
* sec [mmcblk1p11] Not mounted
Total space: 16 KB
* keymaster [mmcblk1p12] Not mounted
Total space: 256 KB
* cmnlib [mmcblk1p13] Not mounted
Total space: 256 KB
* cmnlib64 [mmcblk1p14] Not mounted
Total space: 256 KB
* lksecapp [mmcblk1p15] Not mounted
Total space: 512 KB
* apdp [mmcblk1p16] Not mounted
Total space: 256 KB
* mdsap [mmcblk1p17] Not mounted
Total space: 256 KB
* pad [mmcblk1p18] Not mounted
Total space: 944 KB
* modemst1 [mmcblk1p19] Not mounted
Total space: 3 MB
* modemst2 [mmcblk1p20] Not mounted
Total space: 3 MB
* param [mmcblk1p21] Not mounted
Total space: 10 MB
* efs [mmcblk1p22] Not mounted
Total space: 14 MB
* boot [mmcblk1p23] Not mounted
Total space: 32 MB
* recovery [mmcblk1p24] Not mounted
Total space: 32 MB
* bota [mmcblk1p25] Not mounted
Total space: 7 MB
* fota [mmcblk1p26] Not mounted
Total space: 5 MB
* backup [mmcblk1p27] Not mounted
Total space: 6 MB
* fsc [mmcblk1p28] Not mounted
Total space: 3 MB
* ssd [mmcblk1p29] Not mounted
Total space: 8 KB
* persist [mmcblk1p30] Not mounted
Total space: 32 MB
* persistent [mmcblk1p31] Not mounted
Total space: 1 MB
* steady [mmcblk1p32] Not mounted
Total space: 1 MB
* keystore [mmcblk1p33] Not mounted
Total space: 512 KB
* config [mmcblk1p34] Not mounted
Total space: 32 KB
* mota [mmcblk1p35] Not mounted
Total space: 512 KB
* dpo [mmcblk1p36] Not mounted
Total space: 256 KB
* mdtp [mmcblk1p37] Not mounted
Total space: 64 KB
* dip [mmcblk1p38] Not mounted
Total space: 1 MB
* oem [mmcblk1p39] Not mounted
Total space: 64 KB
* mcfg [mmcblk1p40] Not mounted
Total space: 4 MB
* dsp [mmcblk1p41] Not mounted
Total space: 16 MB
* modem [mmcblk1p42] Not mounted
Total space: 91.6 MB
* apnhlos [mmcblk1p43] Not mounted
Total space: 24 MB
* reserved2 [mmcblk1p44] Not mounted
Total space: 1 MB
* system [mmcblk1p45] Not mounted
Total space: 3.5 GB
* cache [mmcblk1p46] Not mounted
Total space: 600 MB
* carrier [mmcblk1p47] Not mounted
Total space: 45 MB
* userdata [mmcblk1p48] Not mounted
Total space: 55 GB
--------------------------
Internal Storage
--------------------------
* dm-0 [dm-0] Not mounted
Total space: 10.2 GB
--------------------------
tmpfs mount points
--------------------------
* /dev [tmpfs]
Used: 192 KB, Free: 929 MB, Total space: 929 MB
* /mnt [tmpfs]
Used: 0 B, Free: 929 MB, Total space: 929 MB
* /mnt/secure [tmpfs]
Used: 0 B, Free: 929 MB, Total space: 929 MB
* /mnt/secure/asec [tmpfs]
Total space: unknown
* /storage [tmpfs]
Used: 0 B, Free: 929 MB, Total space: 929 MB
* /storage/self [tmpfs]
Used: 0 B, Free: 929 MB, Total space: 929 MB
--------------------------
Memory
--------------------------
* RAM
Used: 1.4 GB, Free: 388 MB, Total space: 1.8 GB
* Swap
Used: 503 MB, Free: 520 MB, Total space: 1023 MB
**************
**************
UPDATE #1: So I've unpacked the RAMDISK from the current official build (4ARF2), and the current official factory binary (4ARF1), as well as the official combination build from the last bootloader revision (3ARC1)
My results find that the file, "/verity_key", is the exact same across all the 3 most recent firmware. Like I opened the "verity_key" file in a hex editor, and the binary data for "verity_key" is exactly the same across the board for all 3 builds of the firmware.
THE SAME GOES FOR "/publiccert.pem". Does this mean the signature remains the same for Bootloader Revision 3 and Bootloader Revision 4? Does that mean they've used the same signature throughout their Marshmallow Releases? Doesn't that mean the signature should be easier to find?

Good **** my dude! Ill be seeing what can be done in my spare time to get this done for 100 bucks the thing is locked down tight. Or just so kadiwompus there is no simple answer. Ive been lerking this for a while now and have several j7sp's at my disposal. I do sec work and clients that have needs for SU gooyness for this device. Get with me and ill flash anything any way with whatever software and base infrastructure needed. I mostly do scummy peoples sec work so having the ability to melt wash the data is paramount and using s5's is getting harder and harder. this hundered dollar peice of her shuck donnng is what I need for what I do. although linux is my bag android and the phone scene is new to me. just here to help with the resources to lend aid.

That's awesome! I have a couple good ideas still I never got around to trying on the note 5.
And now that the S7 and S8 are as rooted and customized as they are, people are able to see how much of my concept for the greyhat root project was actually viable. System Root has always been more viable on Samsung devices. Systemless' concept doesn't work with Samsung since 6.0 by strict definition. If they could have mixed the systemless injection method with the system configuration it might have worked better.
Samsung still ships with Qualcomm Modems. And Qualcomm still dictates much of the Samsung experience. In the S6 line, the QC modems were installed before Samsung ever installed any firnware. The modems played a big part on their secured environment. I'm telling you I was able to get modaco's superboot to boot on my Verizon s6 edge once. But the thread was deleted by xda. And it worked because of the commands sent to the modem by the send_command.exe app.
DM, AT Commands, and a deeper knowledge of the QC environment is actually key to unlocking more of the device's potential.
I tried mixing up firmware bits of the stock RF2 and combination RF1. And it didn't boot the system. But I could boot into full recovery every time.
I'm also looking into a couple and will report back soon. It will be then, that I may need help acquiring a couple tools. Because I know a few other Samsung devs that could help but probably won't. I'm going to have to learn a lot from scratch. I have a few really good ideas that have already worked on other devices. I just don't have as much of a full understanding as I'd like before I tried some of it.
I need to get a few of my questions answered about a couple rooting methods that weren't explained in depth enough for me. Like I've seen some devices be rooted in a way I think the J7 Sky Pro could possibly be rooted, but I don't know how to do such an in depth analysis on some of the files involved. Seriously speaking, I need someone who is on call that could just give me some nitty gritty details when I need them and I'd be fine I think.

My next course of action includes trying to flash the Nougat Firmware to the device to see if the StraightTalk Variant can still support 7.0.
It also includes testing the J727VL from the POV of Kali Linux, and Running as much of the official firmware inside the Android Emulator as possible. Our combination firmware does not include ADB Root like LP Versions do. So with DM-Verity enabled so well, and both the stock and combination firmware being tied to the same signatures from the previous bootloader revision, I'm guessing there isn't much of a chance to get a lot done with just simple SELinux Permissive.
But I have a feeling since nothing seems to change much from 3ARC1 to 4ARF2, we may have a way to get some modified images flashed to the device. And I feel like it has to do with the order of images being flashed.
Because when I was on 4ARF2 factory binary, I was able to get to the 3ARC1 aboot.mbn to flash for a second, but ODIN failed once the sbl.mbn tried to flash from 3ARC1. It gave me an aboot revision check error, but it didn't show up until the secondary bootloader tried to flash.
As in, it would have flashed if it were not for the Software Revision Check. Which I've heard can actually be modified to a degree. But just modifying revision flags in the binary data might not solve our problem fully. I've also read from Qualcomm that the modem installed on our chipset should actually support GSM bands technically. Maybe we just need the secret menu IME code to get to the bands selection menu.

Delgoth said:
My next course of action includes trying to flash the Nougat Firmware to the device to see if the StraightTalk Variant can still support 7.0.
It also includes testing the J727VL from the POV of Kali Linux, and Running as much of the official firmware inside the Android Emulator as possible. Our combination firmware does not include ADB Root like LP Versions do. So with DM-Verity enabled so well, and both the stock and combination firmware being tied to the same signatures from the previous bootloader revision, I'm guessing there isn't much of a chance to get a lot done with just simple SELinux Permissive.
But I have a feeling since nothing seems to change much from 3ARC1 to 4ARF2, we may have a way to get some modified images flashed to the device. And I feel like it has to do with the order of images being flashed.
Because when I was on 4ARF2 factory binary, I was able to get to the 3ARC1 aboot.mbn to flash for a second, but ODIN failed once the sbl.mbn tried to flash from 3ARC1. It gave me an aboot revision check error, but it didn't show up until the secondary bootloader tried to flash.
As in, it would have flashed if it were not for the Software Revision Check. Which I've heard can actually be modified to a degree. But just modifying revision flags in the binary data might not solve our problem fully. I've also read from Qualcomm that the modem installed on our chipset should actually support GSM bands technically. Maybe we just need the secret menu IME code to get to the bands selection menu.
Click to expand...
Click to collapse
The Tracfone SM-727VL 4ARF2 is 6.0.1 not 7.0 like the firmware website(s) report.
I have the Tracfone SM-727VL and I am on 4ARF2 which is 6.0.1 (while my damn J3 Luna Pro is on 7.0 )
The StraightTalk/Tracfone SM-727VL both are 6.0.1 on their latest firmwares.
The Verizon SM-727V however is on 8.0.1 already.

This might help
Delgoth said:
My next course of action includes trying to flash the Nougat Firmware to the device to see if the StraightTalk Variant can still support 7.0.
It also includes testing the J727VL from the POV of Kali Linux, and Running as much of the official firmware inside the Android Emulator as possible. Our combination firmware does not include ADB Root like LP Versions do. So with DM-Verity enabled so well, and both the stock and combination firmware being tied to the same signatures from the previous bootloader revision, I'm guessing there isn't much of a chance to get a lot done with just simple SELinux Permissive.
But I have a feeling since nothing seems to change much from 3ARC1 to 4ARF2, we may have a way to get some modified images flashed to the device. And I feel like it has to do with the order of images being flashed.
Because when I was on 4ARF2 factory binary, I was able to get to the 3ARC1 aboot.mbn to flash for a second, but ODIN failed once the sbl.mbn tried to flash from 3ARC1. It gave me an aboot revision check error, but it didn't show up until the secondary bootloader tried to flash.
As in, it would have flashed if it were not for the Software Revision Check. Which I've heard can actually be modified to a degree. But just modifying revision flags in the binary data might not solve our problem fully. I've also read from Qualcomm that the modem installed on our chipset should actually support GSM bands technically. Maybe we just need the secret menu IME code to get to the bands selection menu.
Click to expand...
Click to collapse
Hello I ran across a issue with my moto droid turbo 2 that required me to download quick shortcut maker and I just so happen 2 install it on my Straight Talk j7 and if you open the app and scroll down to the ims+ icon under the activities tab in the shortcut maker apk then click the dropped down the click the "try" section it opens a bunch of different settings. Hopefully it may help.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I also attached the quick shortcut maker.apk

The Verizon version has yet to update past the second revision bootloader though. Yes 4ARF2 is currently 6.0.1, But all the repair firmwares and all the websites that report on this same device outside the straighttalk network, report as 7.0.
It is interesting only because it seems like not much changed security wise from revision 3 to revision 4. It is possible they just temporarily locked it to 6.0.1.
The boot.img and recovery.img are signed with test keys and have a combination version available. The revision 4 firmware looks so similar to the revision 3. My phone forced itself to update from 3ARC1. By itself. I did nothing but it took it upon itself to update my firmware even though I never wanted it to. The Firmware should exist somewhere. And I don't see why either of these carriers would take such great pains to lock down a device when they are kings of unlocked devices and BYOP plans...
I haven't finished doing a lot of stuff. Holiday times...

Well the journey ended before it really had a chance to take off. The farthest I actually achieved was just Permissive SELinux via the combination boot.img
My phone is bricked, harder even than my S6 Edge stuck in 9008 mode. It literally will not power on and will not charge.
This happened after I was messing with the aboot.mbn and boot.img from the combination trying to add more functionality to ADB's access. Well I was able to get the prince comsey ODIN to flash my tar of the aboot & boot, only for my phone to never power back after the autoreboot.
So whatever I did, ODIN didn't catch on and let the images flash, only it messed up the device. At least with my S6 Edge I know that Partition Tables are gone, I have no idea what happened to my Sky Pro today. Sad times indeed. The only chance I have is to try and write the bootloader to the SD Card via T-Flash, and hope it can give it a jump. Secure Boot usually disallows that though.

Delgoth said:
Well the journey ended before it really had a chance to take off. The farthest I actually achieved was just Permissive SELinux via the combination boot.img
My phone is bricked, harder even than my S6 Edge stuck in 9008 mode. It literally will not power on and will not charge.
This happened after I was messing with the aboot.mbn and boot.img from the combination trying to add more functionality to ADB's access. Well I was able to get the prince comsey ODIN to flash my tar of the aboot & boot, only for my phone to never power back after the autoreboot.
So whatever I did, ODIN didn't catch on and let the images flash, only it messed up the device. At least with my S6 Edge I know that Partition Tables are gone, I have no idea what happened to my Sky Pro today. Sad times indeed. The only chance I have is to try and write the bootloader to the SD Card via T-Flash, and hope it can give it a jump. Secure Boot usually disallows that though.
Click to expand...
Click to collapse
Made an image https://drive.google.com/drive/folders/1hkNQZPJhMjRsFSm-DQqqWPo1xRdGjcGI if anyone needs it. Always got to be safe.
How are you able to modify the images and getting them to apply to the device? I'm not able to without the phone throwing the security checks.

Justin1198 said:
Made an image https://drive.google.com/drive/folders/1hkNQZPJhMjRsFSm-DQqqWPo1xRdGjcGI if anyone needs it. Always got to be safe.
How are you able to modify the images and getting them to apply to the device? I'm not able to without the phone throwing the security checks.
Click to expand...
Click to collapse
Thanks, I will try this out. However I don't have high hopes. I did find out what happened to my 64GB SD Card awhile back though, T-Flash Mode actually wrote my entire firmware to the SD Card, It kept bootlooping though. It didn't break my card, just formatted it improperly for regular use.
It would be really friggin awesome if my device (Actually Manufactured this year Summer 2018) could still be debricked via SD. I thought that ability died a long time ago. I was reading that a Secure Boot Vulnerability (reported AND patched by SS in 2016) allowed T-Flash mode to allow flashing/booting of a non-signed kernel image. So I'm not sure this is an option anymore, but It can't hurt to try at this point.
I will get back to you soon.
I was using someone elses FRP Tool that can enable ADB on non ADB Enabled Firmware, essentially giving an ADB Root Shell at least. The program seems to have modified the aboot.mbn and the boot.img. I honestly Wish I knew what it did, because it bricked my device. I also used a .tar archive, instead of a .tar.md5
I believe that skips some of the security checks. At least the initial CheckSum. It is hard to get a straight answer about how ODIN functions internally sometimes, because the people that DO know usually don't talk. The people who have modified ODIN have a very niche body of knowledge to edit a program that is basically undocumented, especially since I can't get anyone who has modified ODIN for a specific purpose to tell me exactly why. All they tell me is that they modified ODIN to skip a specific checksum while flashing. Ok? But why? And how did you figure that out?

Message for all the people looking for root.
Delgoth said:
Thanks, I will try this out. However I don't have high hopes. I did find out what happened to my 64GB SD Card awhile back though, T-Flash Mode actually wrote my entire firmware to the SD Card, It kept bootlooping though. It didn't break my card, just formatted it improperly for regular use.
It would be really friggin awesome if my device (Actually Manufactured this year Summer 2018) could still be debricked via SD. I thought that ability died a long time ago. I was reading that a Secure Boot Vulnerability (reported AND patched by SS in 2016) allowed T-Flash mode to allow flashing/booting of a non-signed kernel image. So I'm not sure this is an option anymore, but It can't hurt to try at this point.
I will get back to you soon.
I was using someone elses FRP Tool that can enable ADB on non ADB Enabled Firmware, essentially giving an ADB Root Shell at least. The program seems to have modified the aboot.mbn and the boot.img. I honestly Wish I knew what it did, because it bricked my device. I also used a .tar archive, instead of a .tar.md5
I believe that skips some of the security checks. At least the initial CheckSum. It is hard to get a straight answer about how ODIN functions internally sometimes, because the people that DO know usually don't talk. The people who have modified ODIN have a very niche body of knowledge to edit a program that is basically undocumented, especially since I can't get anyone who has modified ODIN for a specific purpose to tell me exactly why. All they tell me is that they modified ODIN to skip a specific checksum while flashing. Ok? But why? And how did you figure that out?
Click to expand...
Click to collapse
I created another copy of the debrick.img if that one does not work for you. (This being my T-Flash). I have attempted to downgrade the device down to a version lower than the ARF2 and failed as it's saying that it can't fuse (even tried to flash just the system file). I also tried to run all root methods I know of on the combination and stock files and failed (The root methods mostly freezing on the combination). I can confirm that combining the files from combination and stock WILL cause a brick to the point where the phone won't turn on, yes, they flash. Another user in another thread says he managed to enable "volte" on his device with some modem file, haven't got my hands on it as I can't test due to no service being on the phone.
I keep seeing people saying "Enable OEM Unlock and then update and flash TWRP" in the other threads that are popping up about the SM-S727VL.
NO.
The "Unlock OEM" feature in the developer settings is only used to restore the stock update regardless of FRP being enabled or any type of actual "Google" interference of the restore. The setting does not actually unlock the bootloader. Yes, You could use CROM and it will say it's successful however it will not be for non-Chinese devices. The bootloader is still locked and this is why you are getting secure check fail. I know what you are thinking at this point...what about fastboot? Sorry, This is one of those Samsung devices that does not fastboot.
THE OEM UNLOCK FEATURE DOES -NOT-UNLOCK THE BOOTLOADER! Do not think that if you enable the oem unlock, that it will magically allow you to install TWRP.
CROM does not unlock it either. CROM will report that the bootloader is unlocked however it will not be.
The TWRP located on the TWRP Builder website is for an older version of the firmware for the phone. You cannot downgrade the stock firmware once you update it on this phone as I described above. That means you cannot install the May 2018 update if you have the July 2018 update installed. The TWRP build could be updated to match the latest recovery build however that is completely pointless and a waste of time at this point until you can actually 'find a way' to actually get the TWRP installed. If you want TWRP on a device that has a bootloader, you might actually have to gain root beforehand and install something like SafeStrap with the SafeStrap installer.
Well since you guys have all the heartbreaking news, here is the kind of good...
Tracfone is not very responsible when it comes to making sure their phones are up to date and even are sloppy (You might have noticed the duplicated stock ringtones, haha). This means that it could be possible for someone to find an exploit in the latest firmware or one of the internals (engineering firmware) then gain root access.
Now everyone looking for TWRP: Our first priority would be to gain root so that we can tackle the bootloader issue. Once we get root then we got everything we need. KingRoot, Kingo, and all those methods are failing so we got to get creative in finding a method, it takes time.
This was the crazy method done to an Verizon S5, root access is pretty difficult to gain especially when you get higher up in Android versions: https://forum.xda-developers.com/ve...oot-method-t3561529/post71202995#post71202995

Delgoth said:
Thanks, I will try this out. However I don't have high hopes. I did find out what happened to my 64GB SD Card awhile back though, T-Flash Mode actually wrote my entire firmware to the SD Card, It kept bootlooping though. It didn't break my card, just formatted it improperly for regular use.
It would be really friggin awesome if my device (Actually Manufactured this year Summer 2018) could still be debricked via SD. I thought that ability died a long time ago. I was reading that a Secure Boot Vulnerability (reported AND patched by SS in 2016) allowed T-Flash mode to allow flashing/booting of a non-signed kernel image. So I'm not sure this is an option anymore, but It can't hurt to try at this point.
I will get back to you soon.
I was using someone elses FRP Tool that can enable ADB on non ADB Enabled Firmware, essentially giving an ADB Root Shell at least. The program seems to have modified the aboot.mbn and the boot.img. I honestly Wish I knew what it did, because it bricked my device. I also used a .tar archive, instead of a .tar.md5
I believe that skips some of the security checks. At least the initial CheckSum. It is hard to get a straight answer about how ODIN functions internally sometimes, because the people that DO know usually don't talk. The people who have modified ODIN have a very niche body of knowledge to edit a program that is basically undocumented, especially since I can't get anyone who has modified ODIN for a specific purpose to tell me exactly why. All they tell me is that they modified ODIN to skip a specific checksum while flashing. Ok? But why? And how did you figure that out?
Click to expand...
Click to collapse
I've included a few links to this thread in other threads about root. Explained the situation above for the people who are curious. Keep me informed of anything you discover and I'll let you know what I discover. I should have more time to look into the device after exams next week. See if you can get your device down to the first release? Maybe we could open the door for more methods or something.
I’ll keep trying in my spare time to find something (because I know there is something) that will allow root on this device. I’ll keep trying and mirror everything we try on the J3 also to knock out two birds with one stone. Let me know if you need any files or anything. Hopefully you can get your phone fixed, if you can’t, take it up to a Samsung care center and see if you can swap it. Call it a “factory flaw”

Justin1198 said:
I created another copy of the debrick.img if that one does not work for you. (This being my T-Flash). I have attempted to downgrade the device down to a version lower than the ARF2 and failed as it's saying that it can't fuse (even tried to flash just the system file). I also tried to run all root methods I know of on the combination and stock files and failed (The root methods mostly freezing on the combination). I can confirm that combining the files from combination and stock WILL cause a brick to the point where the phone won't turn on, yes, they flash. Another user in another thread says he managed to enable "volte" on his device with some modem file, haven't got my hands on it as I can't test due to no service being on the phone.
I keep seeing people saying "Enable OEM Unlock and then update and flash TWRP" in the other threads that are popping up about the SM-S727VL.
NO.
The "Unlock OEM" feature in the developer settings is only used to restore the stock update regardless of FRP being enabled or any type of actual "Google" interference of the restore. The setting does not actually unlock the bootloader. Yes, You could use CROM and it will say it's successful however it will not be for non-Chinese devices. The bootloader is still locked and this is why you are getting secure check fail. I know what you are thinking at this point...what about fastboot? Sorry, This is one of those Samsung devices that does not fastboot.
THE OEM UNLOCK FEATURE DOES -NOT-UNLOCK THE BOOTLOADER! Do not think that if you enable the oem unlock, that it will magically allow you to install TWRP.
CROM does not unlock it either. CROM will report that the bootloader is unlocked however it will not be.
The TWRP located on the TWRP Builder website is for an older version of the firmware for the phone. You cannot downgrade the stock firmware once you update it on this phone as I described above. That means you cannot install the May 2018 update if you have the July 2018 update installed. The TWRP build could be updated to match the latest recovery build however that is completely pointless and a waste of time at this point until you can actually 'find a way' to actually get the TWRP installed. If you want TWRP on a device that has a bootloader, you might actually have to gain root beforehand and install something like SafeStrap with the SafeStrap installer.
Well since you guys have all the heartbreaking news, here is the kind of good...
Tracfone is not very responsible when it comes to making sure their phones are up to date and even are sloppy (You might have noticed the duplicated stock ringtones, haha). This means that it could be possible for someone to find an exploit in the latest firmware or one of the internals (engineering firmware) then gain root access.
Now everyone looking for TWRP: Our first priority would be to gain root so that we can tackle the bootloader issue. Once we get root then we got everything we need. KingRoot, Kingo, and all those methods are failing so we got to get creative in finding a method, it takes time.
This was the crazy method done to an Verizon S5, root access is pretty difficult to gain especially when you get higher up in Android versions: https://forum.xda-developers.com/ve...oot-method-t3561529/post71202995#post71202995
Click to expand...
Click to collapse
I actually have a Verizon S5 and have gone through all of that before. It isn't working here, I believe our hardware to be too new on the 727VL.
VOLTE comes from using the combination modem of 4ARF1.
The first debrick file didn't work. I only tried writing it once though to SD Card. when debricking my d2vzw (VZW S3) I've sometimes had to write the debrick image to the SD 4 times before I could get it to work. Or Samsung got smart and stopped letting these kinds of repairs happen for free...
And I'm pretty sure not much at all changed from 3ARC1 to 4ARF2 except a bootloader revision update. Those changes could be tracked down via examining the rootable and unlockable versions of the the other J series variants with a revision 4 bootloader. It really seems like everything down to even the veritykey is the same from revision 3 to revision 4 bootloader. I feel it wouldn't be too hard to crack. But Tracfone also forces updates to binary 4 bootloader from binary 3. They force the security policy update on you to patch everything that would have already got us root from the last year of MM exploits...

I am trying to figure out how to make a twrp recovery for the arf2 variant,but I don't know if I will be able to flash it if I end up succeeding. I'm not sure if anyone has any ideas on unlocking this bootloader.
(Sorry If I sound like a noob I am trying to learn android development and trying to figure this out at the same time.)

Masterx4020 said:
I am trying to figure out how to make a twrp recovery for the arf2 variant,but I don't know if I will be able to flash it if I end up succeeding. I'm not sure if anyone has any ideas on unlocking this bootloader.
(Sorry If I sound like a noob I am trying to learn android development and trying to figure this out at the same time.)
Click to expand...
Click to collapse
See post #11

Delgoth said:
I actually have a Verizon S5 and have gone through all of that before. It isn't working here, I believe our hardware to be too new on the 727VL.
VOLTE comes from using the combination modem of 4ARF1.
The first debrick file didn't work. I only tried writing it once though to SD Card. when debricking my d2vzw (VZW S3) I've sometimes had to write the debrick image to the SD 4 times before I could get it to work. Or Samsung got smart and stopped letting these kinds of repairs happen for free...
And I'm pretty sure not much at all changed from 3ARC1 to 4ARF2 except a bootloader revision update. Those changes could be tracked down via examining the rootable and unlockable versions of the the other J series variants with a revision 4 bootloader. It really seems like everything down to even the veritykey is the same from revision 3 to revision 4 bootloader. I feel it wouldn't be too hard to crack. But Tracfone also forces updates to binary 4 bootloader from binary 3. They force the security policy update on you to patch everything that would have already got us root from the last year of MM exploits...
Click to expand...
Click to collapse
We just have to wait until some carrier update to bootloader revision 4 and not upgrade. It's just a wait game now.

Delgoth said:
Thanks, I will try this out. However I don't have high hopes. I did find out what happened to my 64GB SD Card awhile back though, T-Flash Mode actually wrote my entire firmware to the SD Card, It kept bootlooping though. It didn't break my card, just formatted it improperly for regular use.
It would be really friggin awesome if my device (Actually Manufactured this year Summer 2018) could still be debricked via SD. I thought that ability died a long time ago. I was reading that a Secure Boot Vulnerability (reported AND patched by SS in 2016) allowed T-Flash mode to allow flashing/booting of a non-signed kernel image. So I'm not sure this is an option anymore, but It can't hurt to try at this point.
I will get back to you soon.
I was using someone elses FRP Tool that can enable ADB on non ADB Enabled Firmware, essentially giving an ADB Root Shell at least. The program seems to have modified the aboot.mbn and the boot.img. I honestly Wish I knew what it did, because it bricked my device. I also used a .tar archive, instead of a .tar.md5
I believe that skips some of the security checks. At least the initial CheckSum. It is hard to get a straight answer about how ODIN functions internally sometimes, because the people that DO know usually don't talk. The people who have modified ODIN have a very niche body of knowledge to edit a program that is basically undocumented, especially since I can't get anyone who has modified ODIN for a specific purpose to tell me exactly why. All they tell me is that they modified ODIN to skip a specific checksum while flashing. Ok? But why? And how did you figure that out?
Click to expand...
Click to collapse
What FRP Tool did you use?

Are you still in 9008 mode? You can probably flash kirito9's twrp from edl.

Frp

@Justin1198 I used Haggard FRP Tool v1
@djared704 It is straight brick, no charging no anything. Not even in Diagnostic Mode. I'll probably need a new device, a new motherboard, or a flash programmer.
I plan on going back to the Exynos7420 chipset here within the next month or so. I know a lot more about those devices than I do anything else.