[REQ]Dump of the preinstalled rom - Nexus 6 General

Due to the fact that the N6/9 cannot oem unlock until after initial setup (which also means a forced ota), it may be impossible to dump the initial rom on it, info: PSA: OEM Unlock On The Nexus 6 And 9 Requires Checking A Box In Developer Options
What can be done however is finding a little information, specifically the bootloader/baseband (for devices that have them) and initial rom version.
How to check:
Enter fastboot mode
Make note of baseband and bootloader versions
Enter Recovery mode
Press and hold Volume up, and then press power until the UI appears
Make note of rom build in title
I would like to request someone that has not done first setup to make note of what build is preinstalled.

Is it not possible to go through initial setup without Internet connectivity?

dualityim said:
Is it not possible to go through initial setup without Internet connectivity?
It depends on the device, most recent ones now simply cannot finish setup without first checking in with gservices. They force you to connect to wifi to continue, and if you connect to a wifi point that cannot reach the internet, it will simply sit there waiting to connect.
This is what happened with my NP at least, and it was roughly the same with the 2013 N7.

I think all the quick hands on unboxing videos show people skipping all the setup steps, including adding wifi and logging in. There may be cell connection, but the OTA doesn't install itself, it just starts downloading and tells you when it's done, right? That's what my Moto X 2013 did when I cracked it open.

All nexii in recent history have forced otas during setup, there is no way to bypass it short of doing something that would normally break the ota check.
Most reviews have devices from before the ota, or had no ota available at all.
reminder: now that the N6 is starting to ship out, please make note of what the initial rom is.

Update: the N6 does not seem to have a forced update at least.
If you have a N6 and are willing to hold off on updating for a few days/weeks (until CWM or the like is ported), I would like to request a dump of the initial rom.
Due to the fact the N6 is likely a secure /system device, the only usable dumps require dd; nandroids or manually pulling the files are of minimal help.
YOU MUST DO THIS FROM A RECOVERY. IF YOU ROOT YOUR ROM YOU WILL NO LONGER BE ABLE TO RECEIVE OTAS/THE DUMP WILL BE NO GOOD
Here's how to do it:
boot into a custom recovery
open an adb shell
mount data: mount /data
dump bootloader:
dd if=/dev/block/platform/msm_sdcc.1/by-name/aboot of=/data/local/aboot.mbn
dd if=/dev/block/platform/msm_sdcc.1/by-name/rpm of=/data/local/rpm.mbn
dd if=/dev/block/platform/msm_sdcc.1/by-name/sbl1 of=/data/local/sbl1.mbn
dd if=/dev/block/platform/msm_sdcc.1/by-name/sdi of=/data/local/sdi.mbn
dd if=/dev/block/platform/msm_sdcc.1/by-name/tz of=/data/local/tz.mbn
dump baseband: dd if=/dev/block/platform/msm_sdcc.1/by-name/modem of=/data/local/radio.img
dump boot: dd if=/dev/block/platform/msm_sdcc.1/by-name/boot of=/data/local/boot.img
dump recovery: dd if=/dev/block/platform/msm_sdcc.1/by-name/recovery of=/data/local/recovery.img
dump system: dd if=/dev/block/platform/msm_sdcc.1/by-name/system of=/data/local/system.img
dump logo: dd if=/dev/block/platform/msm_sdcc.1/by-name/logo of=/data/local/logo.bin
dump versions: dd if=/dev/block/platform/msm_sdcc.1/by-name/versions of=/data/local/versions.bin
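One way to make the dumps requested above verifiable once they leave the device, as an added example that is not part of the original post: the script wraps the same dd copies and writes a SHA-256 manifest next to the images. It assumes `sha256sum` is available in the shell where it runs; the function names and the uniform `<part>.img` output naming are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): dump partitions with dd and record a
# hash manifest so the images can be checked after being pulled off the device.
# Assumption: sha256sum exists in the shell where this runs.

# Partition names are the ones listed in the post above.
PARTS="aboot rpm sbl1 sdi tz modem boot recovery system logo versions"

# dump_partitions BY_NAME_DIR OUT_DIR [PART...]
# Copies each partition node to OUT_DIR/<part>.img, hashes both the source and
# the copy, and appends "<sha256>  <part>.img" to OUT_DIR/SHA256SUMS.
# Returns non-zero if a partition is missing or a copy does not match.
dump_partitions() {
    src_dir=$1; out_dir=$2; shift 2
    [ $# -gt 0 ] || set -- $PARTS
    rc=0
    mkdir -p "$out_dir" || return 1
    : > "$out_dir/SHA256SUMS"
    for part in "$@"; do
        node="$src_dir/$part"
        img="$out_dir/$part.img"
        if [ ! -e "$node" ]; then
            echo "missing: $node" >&2
            rc=1
            continue
        fi
        dd if="$node" of="$img" bs=4096 2>/dev/null || { rc=1; continue; }
        src_sum=$(sha256sum < "$node" | cut -d' ' -f1)
        img_sum=$(sha256sum < "$img" | cut -d' ' -f1)
        if [ "$src_sum" != "$img_sum" ]; then
            # A short or corrupted copy is worse than no copy: drop it.
            echo "mismatch: $part" >&2
            rm -f "$img"
            rc=1
            continue
        fi
        printf '%s  %s\n' "$img_sum" "$part.img" >> "$out_dir/SHA256SUMS"
    done
    return $rc
}

# verify_dump OUT_DIR
# Re-checks every image against the manifest, e.g. on the PC after adb pull.
verify_dump() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# On the device, from the recovery's adb shell with /data mounted:
#   dump_partitions /dev/block/platform/msm_sdcc.1/by-name /data/local
# On the PC, after pulling the directory:
#   verify_dump ./local
```

Posting the SHA256SUMS file alongside the images lets anyone who downloads the dump confirm it matches what was read from the device.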

What about dumping Att OEM? Since it is memblck0p39, does it matter? For the people that nuked the OEM partition and have to send it in for warranty, it might make a big difference.

Well,I didn't take the ota,but I rooted it. what you trying to get done?

TheManii said:
All nexii in recent history have forced otas during setup, there is no way to bypass it short of doing something that would normally break the ota check.
Most reviews have devices from before the ota, or had no ota available at all.
reminder: now that the N6 is starting to ship out, please make note of what the initial rom is.
not true.
i got my ota a day after i got my n6, i didnt take the ota. the option hung for another day, but it was my choice not to ota. instead, i flashed the most recent aosp. otas are never forced upon anyone who owns a nexus.
edit.. ok, i read your next post.

This thread has been a lifesaver, I have a friend with a pre-order Att Nexus 6 that I was able to get the OEM partition from. I deleted something and I still do not have any sensors, and my logcat shows a ton of errors trying to get the sensors to work. I tried to fix-permissions with TWRP but it always fails. Anyone have any suggestions?

simms22 said:
not true.
i got my ota a day after i got my n6, i didnt take the ota. the option hung for another day, but it was my choice not to ota. instead, i flashed the most recent aosp. otas are never forced upon anyone who owns a nexus.
edit.. ok, i read your next post.
same here, I got my ota update probably 3 or 4 hours after setting my device up, but I just hit remind me later and never accepted it and wasn't forced to accept anything

Related

[NOTICE] Please read before you turn on your new 2013 N7 for the first time

Sorry for the caps everyone, but THIS IS IMPORTANT! People like myself and TheManii who keep track of OTA updates for Nexus devices need this information!!
When you first turn on your N7, the minute you connect it to WiFi, it will do a force OTA update that you CANNOT defer.
Before you boot up your N7 for the first time, could someone please do the following steps:
1. Boot into fastboot mode by holding down volume down while you power it on.
2. Unlock the bootloader with "fastboot oem unlock"
3. Boot up TWRP for the new N7 using "fastboot boot twrp.img". Please DO NOT use "fastboot flash recovery twrp.img" because that will overwrite the stock recovery.
4. Do a full Nandroid backup.
5. Post the Nandroid somewhere for us.
6. Have our eternal gratitude.
We would be most appreciative. Thank you!
oldblue910 said:
Sorry for the caps everyone, but THIS IS IMPORTANT! People like myself and TheManii who keep track of OTA updates for Nexus devices need this information!!
When you first turn on your N7, the minute you connect it to WiFi, it will do a force OTA update that you CANNOT defer. Before you boot up your N7 for the first time, could someone please boot straight into fastboot mode, unlock, flash TWRP and get two pieces of info:
1. The bootloader version displayed on screen in fastboot mode.
2. The build.prop file in /system. You can pull that via adb once you boot into TWRP.
3. Totally optional, but we wouldn't complain if you would do a full nandroid backup of the ROM and post it somewhere.
We would be most appreciative. Thank you!
Hey, I'm just down the road in Raleigh, I can bring my new Nexus 7 16GB to a local Starbucks if you want to do this yourself. I have it fully charged but not yet turned on. Send me a PM and I'll give you my phone #, email.
Thought you were going to be here, anyway I posted the 2nd update, JWR66N to JSS15J, here (if it helps in anyway)
http://forum.xda-developers.com/showpost.php?p=43984053&postcount=5
Edit: See that you already have it on your Razor page!
Bob Smith42 said:
Hey, I'm just down the road in Raleigh, I can bring my new Nexus 7 16GB to a local Starbucks if you want to do this yourself. I have it fully charged but not yet turned on. Send me a PM and I'll give you my phone #, email.
Dude, PM me. I'm on it.
If this isn't done by the time I get mine tomorrow, I'll get it done
Flippy125 said:
If this isn't done by the time I get mine tomorrow, I'll get it done
Thanks, but BobSmith came to the rescue. I met him at a McDonalds and got everything. What happened is that somebody at Google messed up big time. The ROM that comes preloaded on the N7 is 4.3/JWR66N, but it's erroneously signed with development keys and not release keys. This is a huge problem, of course, since lots of apps that rely on DRM won't work right on dev-keys ROMs. So this forced OTA update simply updates you from JWR66N/dev-keys to JWR66N/release-keys. We don't know the URL to the OTA file since it's not in the normal place on Google's servers, but I managed to get the OTA update file out of /cache on BobSmith's device. The OTA file is available on http://randomphantasmagoria.com/firmware/nexus-7/razor.
Interesting.
Thank you for sharing that first OTA. I found something interesting...
If you hadn't heard, some of the new Nexus 7s, particularly those at Best Buy, are failing on the second OTA update due to a sha1sum mismatch on PrebuiltGmsCore.apk. According to the first OTA update, it too patches that file.
Looking at OTA1 and OTA2, it looks like it was supposed to go:
9392ccc5b4753684b73adf89b790b607f6a29388 -> f6193294456e67aad2a2d7e5ae03a2865d8544f6 -> 8e01a021b1edcfcc31266bc3193dec82c601f0bd
from out of the box -> OTA1 -> OTA2.
But in my case, and others, the sha1sum was something else (starting with 123 IIRC).
It's weird that the first OTA would verify and patch the file, which means it had to have the original 9392... sha1sum, but then fail on the second update. I wonder what would have caused it to break, and why it's only affecting a handful of devices.
phonic said:
Interesting.
Thank you for sharing that first OTA. I found something interesting...
If you hadn't heard, some of the new Nexus 7s, particularly those at Best Buy, are failing on the second OTA update due to a sha1sum mismatch on PrebuiltGmsCore.apk. According to the first OTA update, it too patches that file.
Looking at OTA1 and OTA2, it looks like it was supposed to go:
9392ccc5b4753684b73adf89b790b607f6a29388 -> f6193294456e67aad2a2d7e5ae03a2865d8544f6 -> 8e01a021b1edcfcc31266bc3193dec82c601f0bd
from out of the box -> OTA1 -> OTA2.
But in my case, and others, the sha1sum was something else (starting with 123 IIRC).
It's weird that the first OTA would verify and patch the file, which means it had to have the original 9392... sha1sum, but then fail on the second update. I wonder what would have caused it to break, and why it's only affecting a handful of devices.
I hadn't heard that, but that's very interesting. I wonder if we're going to see a new OTA from Google soon that has a full version of that file rather than a patch. It's happened in the past.
oldblue910 said:
I hadn't heard that, but that's very interesting. I wonder if we're going to see a new OTA from Google soon that has a full version of that file rather than a patch. It's happened in the past.
I made my own
http://forum.xda-developers.com/showthread.php?t=2380258
Fortunately, someone was kind enough to make a backup of a JSS15J that I was able to pull that file from.
On a completely unrelated note, does anyone have any idea why I am unable to access apk.gz backup files from TiBu? I'm trying to copy my apps from my old N7 to the new one, but am running into a very weird issue. Nothing I've tried (including adb pull) seems to be able to access them. I can move/delete the files, and I can make TiBu recreate them from scratch, but I can't copy them off of the device or even to another directory. I tried making a backup with tar via the shell, but that fails too. I can't even cat the file:
-rw-rw-r-- root sdcard_rw 2550494 2013-07-27 00:13 stericson.busybox-05fe3b964848cdb5fb3c07890734e899.apk.gz
sh: cat: stericson.busybox-05fe3b964848cdb5fb3c07890734e899.apk.gz: Permission denied
The properties and data files are not affected by this, only the apk.gz files...
This reminds me of the weird issue with the earlier versions of custom recovery, where you could make nandroid backups but couldn't delete them.
---------- Post added at 12:52 AM ---------- Previous post was at 12:43 AM ----------
NM. I changed the directory TiBu was using and I can access the new backups now. Instead of using /storage/emulated/0/TitaniumBackup, I now have it as /sdcard/TitaniumBackup.
Six in one hand, half a dozen in the other.
Weird bug....
We still need a dump of JWR66N/dev-keys (or specifically just /system)
The JWR66N/dev-keys -> JWR66N ota doesn't touch anything beyond stuff in /system.
As I already have a complete dump of JWR66N, I can regenerate a complete dump of JWR66N/dev-keys if I had a dump of its /system.
While I don't expect it to be terribly useful for anyone, I like to collect these things for historical purposes.
What you have to do is make a nandroid before letting it connect to wifi and updating.
I do as soon as get mine pm me if need it
tejasvi1 said:
I do as soon as get mine pm me if need it
I'm all set now thanks to BobSmith42. Thanks, though.
oldblue910 said:
Thanks, but BobSmith came to the rescue. I met him at a McDonalds and got everything. What happened is that somebody at Google messed up big time. The ROM that comes preloaded on the N7 is 4.3/JWR66N, but it's erroneously signed with development keys and not release keys. This is a huge problem, of course, since lots of apps that rely on DRM won't work right on dev-keys ROMs. So this forced OTA update simply updates you from JWR66N/dev-keys to JWR66N/release-keys. We don't know the URL to the OTA file since it's not in the normal place on Google's servers, but I managed to get the OTA update file out of /cache on BobSmith's device. The OTA file is available on http://randomphantasmagoria.com/firmware/nexus-7/razor.
so if the Forced OTA patches the Dev signed keys to Release Keys then why do you /we need the Nandroid dump BEFORE the patches? what will that do for you/us considering that after the OTAs we are fine and wont have any issues?
nextelbuddy said:
so if the Forced OTA patches the Dev signed keys to Release Keys then why do you /we need the Nandroid dump BEFORE the patches? what will that do for you/us considering that after the OTAs we are fine and wont have any issues?
It's more just for archival purposes to have the JWR66N/dev-keys ROM since there will never be any factory images released. Plus, it's good for seeing exactly what was changed between the devkeys and releasekeys ROMs.
good job bob
Please someone provide a stock Jwr66n build.

Beware of OTA update for rooted/hacked Verizon LG G2!

I'm posting this as a word of caution. In hindsight, it may seem like a "duh, don't do that!". But maybe this can serve as a warning for those who are tempted to follow a similar path.
I have a Verizon LG G2 that is running the stock rom, but rooted and also has TWRP. Mostly to allow things like removing bloatware and doing backups, etc. At some point, I got a notification that there was an OTA software update available. I clicked to postpone the update. Without any user interaction, I noticed at some point that my phone was on the TWRP screen. Rebooting the phone brought it back to the TWRP screen. Damn. After a bit of googling, I found the following tip to get back to running:
dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/fota
dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/misc
Now my phone is working. Alternate reality: I realize that attempting an OTA update on a hacked up phone is unwise. Actual reality: I fear that I'm going to continue to get bugged by the update prompt, and I can't leave things alone.
Apparently an OTA update can only take place if the original recovery partition. Now to revert to the original recovery. I found a download of what I believed to be the stock recovery image. Flashed it with fastboot. I tried rebooting into that stock recovery, but it didn't work.
Alternate reality: I realize that my recovery partition is hosed, and I switch back to TWRP. Actual reality: I feel lucky and proceed with the OTA update. It might just work, right?
After the OTA update reboots the phone, it stops at the LG logo that first shows up when the phone powers on. I can't access fastboot (as I did before), and it doesn't seem to be recognized by any computer I plug it into. Factory reset option just stops at the point where it says "Factory reset processing..." At this point, the phone appears to be truly bricked.
I've replaced the phone, so I'm personally not looking for advice here. However, if somebody knows what can be done when a phone is bricked to the point of the above, maybe post it here for others.

[REQ]Info on the preinstalled rom

Due to the fact that the N6/9 cannot oem unlock until after initial setup (which also means a forced ota), it may be impossible to dump the initial rom on it, info: PSA: OEM Unlock On The Nexus 6 And 9 Requires Checking A Box In Developer Options
What can be done however is finding a little information, specifically the bootloader/baseband (for devices that have them) and initial rom version.
How to check:
Enter fastboot mode
Make note of baseband and bootloader versions
Enter Recovery mode
Press and hold Volume up, and then press power until the UI appears
Make note of rom build in title
I would like to request someone that has not done first setup to make note of what build is preinstalled.
TheManii said:
Due to the fact that the N6/9 cannot oem unlock until after initial setup (which also means a forced ota), it may be impossible to dump the initial rom on it, info: PSA: OEM Unlock On The Nexus 6 And 9 Requires Checking A Box In Developer Options
What can be done however is finding a little information, specifically the bootloader/baseband (for devices that have them) and initial rom version.
How to check:
Enter fastboot mode
Make note of baseband and bootloader versions
Enter Recovery mode
Press and hold Volume up, and then press power until the UI appears
Make note of rom build in title
I would like to request someone that has not done first setup to make note of what build is preinstalled.
Hi, I will get a replacement unit tonight and will try to get the information for you. To enter the fastboot mode it's the same procedure as for the recovery : Power+volume up upon startup, then select "Fastboot", right ?
Got mine one week ago, but I made this after receiving it:
So the build number was LFW73W .
Hope this helps.
simmac said:
Got mine one week ago, but I made this after receiving it:
So the build number was LFW73W .
Hope this helps.
All we need now is the bootloader version and that's about as much as I can expect from the initial rom, we still need ota information though.
Hello, I managed to take the following picture yesterday before the OTA, however I did not get into recovery (the little Android with its belly opened and a red warning triangle seemed to take too long, well over two minutes, so I rebooted).
Hope this helps.
aleandre1974 said:
Hello, I managed to take the following picture yesterday before the OTA, however I did not get into recovery (the little Android with its belly opened and a red warning triangle seemed to take too long, well over two minutes, so I rebooted).
Hope this helps.
Can you confirm that that picture was taken before you did first setup?
I've seen that picture before but the other poster did not make note of if he had updated or not.
TheManii said:
Can you confirm that that picture was taken before you did first setup?
I've seen that picture before but the other poster did not make note of if he had updated or not.
Hi, yes it was before the ota. In fact, before ANY setup on the tablet was carried out, straight out of the box !
Bump: The N9 LTE will be out soon, the same instructions and issues apply to its initial rom also.
The N9 LTE is technically a different device than the N9 wifi, and will likely have a different initial rom(s)

Kill the kill switch - "ST - yy"

< include generic disclaimer here >
TL;DR
Since update 3.1, Nvidia can force updates (such as the one that bricks your tablet) to be downloaded and installed silently. No guarantees, but:
If you're on stock, delete TegraOTA (/system/app/TegraOTA or /system/priv-app/TegraOTA if you're on 5.0 or newer, or /system/app/TegraOTA.apk if you're still on 4.4) before booting into Android (the attached ZIP file does this for you, but please check with the file manager in recovery before rebooting and let me know if it didn't work), then reboot
Note: you also will need to delete TegraOTA again if you ever install an OTA from Nvidia or a recovery image
If you're not on stock, you're probably safe
EDIT: The urgent OTA is currently not getting sent out to any devices anymore, not even to those who have been getting it before.
EDIT 2: The urgent OTA is now being delivered again, this time named "ST - yy"!
What if my tablet is already deactivated?
Unless you can still boot into fastboot mode (in which case your tablet isn't really deactivated yet), your tablet is probably gone for good. The only way to fix this would be through nvflash, and using it requires the SBK that is unique to each device and that only Nvidia knows, so it's pretty unlikely that we'll ever be able to fix these deactivated tablets.
What/why/how?
In the last OTA (Update 3.1), Nvidia has made some changes to their TegraOTA application. The most important/interesting/suspicious of which is the ability for them to mark OTAs as "urgent". What this means is that these updates will be downloaded without ever notifying the user, and they will be installed without asking the user for permission first. If this is how the kill switch is delivered, all users will see is the tablet randomly rebooting and installing an update, then the tablet would never boot again. As some of you might notice, this would match what has been happening to a few users already, both here and on reddit.
But that's not all. I've been connecting to the OTA servers using various serial numbers (both found and provided to me by a few people) in hopes of actually finding the update that bricks the device. The first serial number I've tried that wasn't mine was the serial number from the screenshot on the recall page. It revealed an interesting "urgent" OTA, named "SHIELD Tablet xx - LTE", which does nothing but flash a blob (which, among other things, contains the bootloader). Many more questions appear now, but the main one is: if this is nothing but a routine bootloader update, why is it marked urgent? And why is it not attached to any Android update? But this by itself is not enough to prove anything, as I could only obtain it with one serial number, so as far as I could have known, it might have just been an internal update or something similar. (update is linked and analysed in the second post below)
Today, however, one of the serial numbers I've been given by some of the people here (thanks for the help guys!) turned out to have the same update waiting for it the next time it connected to the Internet. This rules out the possibility of an internal update, so the next somewhat obvious possibility is that this is the kill switch. Mind you, I still have no direct way of proving this without flashing the ZIP to see what happens (which I'm not planning to do myself), but I will keep checking on the other serial numbers I've gotten to see if this update turns up for them too.
The same person who has given me this serial number has also tested running the old tablet on the latest stock Android version but with TegraOTA removed, and, as expected, the tablet is still working perfectly fine now. Your mileage may vary.
How can I know if the kill switch has been triggered for my tablet?
Go to http://shield.bogdacutu.me/ and enter the full serial number of your old tablet. If the next OTA returned is "SHIELD Tablet xx" "ST - yy", the kill switch has been triggered for your tablet.
Warning: the serial number from the box of the tablet and the one etched on the side of the tablet are not complete, as they only contain the first 13 characters of the full (20 characters) serial number. You can get the full serial number from Android (Settings -> About -> Status), from the bootloader (it will be on the screen when you boot into bootloader mode), or from your computer if the tablet is or (in some cases) if it was previously connected, using various tools such as USBDeview. Example: 0413714803249000a4cf (you can try this on the page and it will return that the kill switch is activated).
Why would I want to also do the fix on my new tablet too?
The update is signed by Nvidia, and communication with the OTA server does not use HTTPS, so, for example, a malicious WiFi network could MITM your connection and cause this update (as well as any other signed update) to be flashed to your new tablet without your permission, thus permanently disabling it too. If you have the stock recovery, only updates signed by Nvidia can run. The story might be slightly different if your recovery doesn't enforce signature verification (such as TWRP and CWM by default).
Can I still get updates from Nvidia after doing this?
Not directly, but people will post OTA download links here on xda when new updates get released. I'd personally recommend that you wait before flashing though until someone here checks the new update to confirm that there's no new way for Nvidia to kill your tablet.
Many hours of work have gone into investigating this. Even if it doesn't help your specific scenario, consider hitting that Thanks button, so that I can at least know it wasn't for nothing.
I'd also like to thank the people who have given me their serial numbers to use for testing again, this wouldn't have been possible without their help: @Beauenheim, @Jackill, and @runandhide05 (who has even volunteered to test removing TegraOTA with the latest update on his old tablet).
Fragments of code from TegraOTA.apk
< screenshots temporarily removed >
Also, from what I've seen so far, the update isn't delivered instantly after activating the new tablet. I don't know exactly what the rule is, but out of the 4 serial numbers that I have, only 2 have this update waiting for them.
EDIT: One more serial number from the ones I have has gotten the xx update. Only one left...
EDIT 2: All the serial numbers I have have the urgent OTA waiting for them now.
"SHIELD Tablet xx" - Update Analysis
OTA URL: http://ota.nvidia.com/ota/data/post...wf-full_ota-32256_554.0168.20150624152335.zip
yy OTA URL: http://ota.nvidia.com/ota/data/posted-roms/uploaded/st---yy--092704233775---7294.20150819152732.zip (if you don't know what you're doing, DO NOT DOWNLOAD THIS, it's very likely that this will permanently brick your device upon flashing it!!!) - also attached to this post in case this link becomes invalid
updater-script is the first file we check:
Code:
getprop("ro.product.device") == "shieldtablet" || abort("This package is for \"shieldtablet\" devices; this is a \"" + getprop("ro.product.device") + "\".");
nv_copy_blob_file("blob", "/staging");
reboot_now("/dev/block/platform/sdhci-tegra.3/by-name/MSC", "");
Suspiciously enough, this only flashes a blob to the staging partition. But what exactly does this blob do, you might ask? Well, the blob actually contains data for 9 partitions, which are automatically replaced during the next boot (before the bootloader does anything else at all, so once you've rebooted, there's no going back) with the contents present in this blob. The 9 partitions are as follows (also detailing comparison with files from update 3.1):
BCT (Boot Configuration Table) - stores some information that is needed for the device to find the bootloader stored on the other partitions, initialize the RAM and some other stuff
Status after update: probably corrupted - the previous OTAs have binary BCTs, but this update replaces it with a text file (which, while it does contain somewhat relevant information, is likely not a valid format). If this is corrupted, it's enough for the device not to be able to boot anymore.
BMP (boot logo) - intact
DTB - intact
EBT (part of the bootloader) - has a zeroed out region
NVC (part of the bootloader) - intact
RBL (part of the bootloader) - has a zeroed out region
RP4 (landscape boot logo) - intact
TOS (Trusted OS - probably part of the bootloader too) - has a zeroed out region
WB0 (related to the boot process, source file is named "nvbootwb0.bin") - has a zeroed out region
The update also contains a few other files, but those are not used at all (probably leftovers from the 5.1 AOSP update template that they are using).
DO NOT DOWNLOAD THE ATTACHMENT IF YOU DON'T KNOW WHAT YOU'RE DOING. THIS IS THE XX OTA, NOT THE ZIP THAT REMOVES TEGRAOTA!
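A pre-flash audit for the kind of updater-script quoted above, as an added example that is not from the original post or from Nvidia: it counts source-state checks and low-level writes, and flags a script that has the second without the first. `apply_patch_check` and `write_raw_image` are standard edify calls not quoted in the post, the incremental sample is constructed, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): heuristic audit of an OTA's
# updater-script, extracted from the zip before anything is flashed.

# write_samples DIR: writes two updater-scripts for the audit to run on.
write_samples() {
    # The three lines quoted in the post above.
    cat > "$1/urgent.edify" <<'EOF'
getprop("ro.product.device") == "shieldtablet" || abort("This package is for \"shieldtablet\" devices; this is a \"" + getprop("ro.product.device") + "\".");
nv_copy_blob_file("blob", "/staging");
reboot_now("/dev/block/platform/sdhci-tegra.3/by-name/MSC", "");
EOF
    # Constructed: shape of an incremental OTA that checks source state first.
    # File name and hashes are placeholders.
    cat > "$1/incremental.edify" <<'EOF'
getprop("ro.product.device") == "shieldtablet" || abort("wrong device");
apply_patch_check("/system/app/Example.apk", "<target-sha1>", "<source-sha1>") || abort("unexpected contents");
nv_copy_blob_file("blob", "/staging");
EOF
}

# count PATTERN FILE: number of matching lines (0 is a valid answer).
count() {
    grep -E -c "$1" "$2" || true
}

# audit_updater_script FILE
# Prints a one-line summary, the blob copies found, and a verdict.
# Returns 0 if nothing stands out, 1 if the script writes boot-chain data
# without any source-state check, 2 if the file cannot be read.
audit_updater_script() {
    script=$1
    [ -r "$script" ] || { echo "unreadable: $script" >&2; return 2; }

    # Checks that tie the update to a known starting state.
    state_checks=$(count 'apply_patch_check|ro\.build\.fingerprint' "$script")
    # Writes that bypass the filesystem: the blob copy from the post, plus
    # the generic raw-partition write.
    low_level=$(count 'nv_copy_blob_file|write_raw_image' "$script")
    # Reboot issued by the script itself.
    reboots=$(count 'reboot_now' "$script")

    echo "state_checks=$state_checks low_level_writes=$low_level immediate_reboot=$reboots"
    grep -E -o 'nv_copy_blob_file\([^)]*\)' "$script" | sed 's/^/  blob copy: /'

    if [ "$low_level" -gt 0 ] && [ "$state_checks" -eq 0 ]; then
        echo "REVIEW: boot-chain write with no source-state check"
        return 1
    fi
    echo "ok: no unchecked low-level write"
    return 0
}

# Usage, after extracting META-INF/com/google/android/updater-script:
#   audit_updater_script updater-script
```

A device-name test alone does not count as a state check here, which is why the script from the post is flagged; the blob contents still need to be compared against a known-good update as the post does.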
Just as I suspected!!
Thanks a lot this is great. So the silent updater can force updating even with a custom recovery like cwm?
How to install the provided zip?
Thanks again.
tecnoworld said:
Thanks a lot this is great. So the silent updater can force updating even with a custom recovery like cwm?
How to install the provided zip?
Thanks again.
CWM and TWRP are both compatible with OTAs, so yes, it can. If you completely erase the recovery (fastboot erase recovery), the update can't get flashed, but the tablet will still reboot (which is at least annoying).
You can flash the provided ZIP through CWM or TWRP (but please check through the file manager if /system/app/TegraOTA still exists after installing it, the ZIP hasn't gone through a lot of testing so it might not work properly in all cases)
tecnoworld said:
Thanks a lot this is great. So the silent updater can force updating even with a custom recovery like cwm?
How to install the provided zip?
Thanks again.
This was to be my question too... Normal ota updates will not flash if you have a custom recovery, so how would this silent ota update?
bluegizmo83 said:
This was to be my question too... Normal ota updates will not flash if you have a custom recovery, so how would this silent ota update?
Normal OTAs don't work through custom recoveries because they do various checks that usually fail when you have a custom recovery (such as if the system partition is modified, by rooting for example), this urgent OTA has none of those checks
Bogdacutu said:
Normal OTAs don't work through custom recoveries because they do various checks that usually fail when you have a custom recovery (such as if the system partition is modified, by rooting for example), this urgent OTA has none of those checks
Oh ok! Great explanation. Thanks for all your hard work on this! I'm flashing the zip now, I'll report back if it removes the file
Edit: Ok I flashed the zip, and TegraOTA is gone. Now I will finally turn on my new tablet and set it up!
So out of interest, what do you think the chances are that thisll work?
How did you find out if the update is waiting? FYI I flashed the ZIP... All is good and it booted fine on LTE 32Gb...
Plus the deleting of the TegraOTA File has gone through... So you really think the TegraOTA removal has stopped it?
How do i check if i have downloaded randomly that update?
Great post. Hopefully that's as far as Nvidia is going to go. I flashed a custom rom on my old tablet. I'm keeping my new one stock but deleting the system app per your post. Just in case Nvidia is spiteful when I don't return the old tablet. I don't want to leave them any option of nuking the new one.
fkofilee said:
So out of interest, what do you think the chances are that thisll work?
How did you find out if the update is waiting? FYI I flashed the ZIP... All is good and it booted fine on LTE 32Gb...
Decompiled the OTA application. Using information from there I can connect to the OTA server directly from my PC, and request updates for any given serial number and Android version combination.
I wouldn't have posted this if I weren't relatively confident in my findings
Bogdacutu said:
Decompiled the OTA application. Using information from there I can connect to the OTA server directly from my PC, and request updates for any given serial number and Android version combination.
I wouldn't have posted this if I weren't relatively confident in my findings
I know fella I appreciate it. Could you check my second point? 2 x Nvidia Shields would be awesome! One for Work, One For Home
fkofilee said:
Plus the deleting of the TegraOTA File has gone through... So you really think the TegraOTA removal has stopped it?
How do I check if I have downloaded randomly that update?
Yes, I think it did. If that update was downloaded on your device, it would have been too late (as it reboots instantly after the update is downloaded), so I wouldn't worry about that.
Bogdacutu said:
Yes, I think it did. If that update was downloaded on your device, it would have been too late (as it reboots instantly after the update is downloaded), so I wouldn't worry about that.
So here's an interesting one for you, using a logical mindset, if you receive your new tablet, activate it, the next time that the old one connects to the network, it downloads this update and bricks it? But it won't technically do this until the new tablet is turned on?
fkofilee said:
So here's an interesting one for you, using a logical mindset, if you receive your new tablet, activate it, the next time that the old one connects to the network, it downloads this update and bricks it? But it won't technically do this until the new tablet is turned on?
As mentioned in the OP, the update doesn't get delivered immediately after you activate the new tablet. But yes, the old tablet shouldn't get the update before the new one is activated.
Bogdacutu said:
As mentioned in the first post, the update doesn't get delivered immediately after you activate the new tablet. But yes, the old tablet shouldn't get the update before the new one is activated.
Sorry fella missed that part, I will be donating some funds when I get paid later this month Mucho Gracias!
Totally not related to this thread, but I just went to set up my new tablet and it's not letting me restore apps & settings from my old Shield Tablet... It doesn't show my old tablet as a restore option. I double checked and the old tablet is set up to back up all settings and apps though. Anyone else have this issue when setting up their new tablet?
bluegizmo83 said:
Totally not related to this thread, but I just went to set up my new tablet and it's not letting me restore apps & settings from my old Shield Tablet... It doesn't show my old tablet as a restore option. I double checked and the old tablet is set up to back up all settings and apps though. Anyone else have this issue when setting up their new tablet?
Upgrade to 5.1 on the new tablet without restoring any data, then do a factory reset and you should get the option to restore
Bogdacutu said:
Upgrade to 5.1 on the new tablet without restoring any data, then do a factory reset and you should get the option to restore
AWESOME man, thank you!!

{OUTDATED}[Guide][Stock ROM] The original non-Prime conversion thread

Update March 8 2017: As you can probably tell, this is very old. I have not worked on the device in several months and I have no idea if these methods are still safe. Please proceed with caution. I will be using one of these on a daily basis in the near future, so I probably will get back into development, and hope to release new content for the phone to help out the community. Please accept this as an official warning that the following is probably out of date and that you should be very careful should you decide to try it. The original post in its entirety is spoilered below. You have been warned.
Update: A new update was released for the Prime model, V6.6, which replaces the preloader and completely breaks SPFT. If you unlocked your bootloader (so you can use fastboot) in any capacity before taking that update, there may be hope for you yet, but as of right now V6.6 is unsupported. Update: If you used this method to safely take the V6.6 update, this will still work.
Update: I just checked the stats, and this has been downloaded more than 3 thousand times. I never thought my humble little conversion guide would help out so many people. I have also added a new mirror at [REDACTED], so anyone in North America who was having trouble with the Europe mirror, give that one a shot. It should be faster! I have updated all links in the guide to use the new North America mirror, and added a separate Europe mirror link after each link.
Hello! This is a tutorial for converting the Amazon Prime Edition BLU R1 HD to the OEM BLU version. This will overwrite the relevant partitions on your Amazon version of the device with the non-Amazon version. The physical model number on your device will still be a tell (obviously), but besides that, there will be no way to tell your device apart from the regular model! You can also use this method to convert non-Prime to Prime version, and undo OTAs or system modifications. This will restore a 100% out of the box image from either edition on your device.
This will work if you have software version...
V12
V6.1
V6.4
V6.5
SAFE V6.6 FROM THIS THREAD
This will NOT work on software version...
V6.6
The V6.6 update brought a new preloader that breaks our ability to use SPFT. I am currently working on ways to reverse the damage, but as of right now, there is no way to convert (or downgrade) from software V6.6
You can use this on any 16/2 R1 HD with supported software version to...
Convert to the non-Prime OEM version
Convert to the Prime version
Remove ads (via conversion to non-Prime version)
Unroot
Downgrade to V6.1
Downgrade to V12
Undo system alterations/tampers
Restore the system image to the way it was when you first opened the box
Unbrick a device (if bricked because of bad system/recovery/boot image)
There are a handful of reports about this working flawlessly on the 8/1 model as well. I have not personally tested this, so there is still some risk factor.
This only overwrites the system, recovery, and boot partitions. Any other partitions that have been altered will not be restored. In most cases, other partitions should not have been altered, so this is not a concern. I have a full system backup of all partitions, but there is currently evidence to suggest that it is not safe to flash all of the partitions, so I will not release that backup until more is known.
You *should* be able to safely pull this off without wiping your data. This does not require your phone to be rooted or have any other modifications. You can pull it straight out of the box and do this process! If your phone is rooted, you'll lose it. This will make your phone EXACTLY like the non-Prime version comes out of the box! You can also convert a non-Prime device (or a converted Prime device back) to a Prime device using the same method, but I'm not exactly sure why you would want to. I did this all on Linux, but Windows should work fine too as long as you have drivers dealt with. If you don't have drivers dealt with, I'm not your guy. I'll just tell you to use a better operating system. You'll also need an archive program that can deal with tar.gz files, because that's how my computer zipped them.
And the standard disclaimer: If this bricks your phone or makes it become sentient and plot with other sentient phones to murder your entire family, it's not my fault. That's all on you, buddy.
Ok, without further ado, on to the tutorial!
First, you need these things. Some of the files are quite large, so it might take a while to download:
You'll need the latest version of Smart Phone Flash Tools, or SPFT for short. You can download that from this site, or from [REDACTED]. Please use the latest version for your OS.
You'll need to download the system image. If you're converting to the non-Prime version, [REDACTED]. If you're converting to the Prime version, [REDACTED]
You need the scatter file. This will tell SPFT where the partitions are. This is the same for both variants, so just download [REDACTED]
Once you have those things, you can start actually flashing your phone:
1. Power your phone completely OFF! This will not work if your phone is powered on. SPFT writes directly to the phone's memory, bypassing all security measures the phone has, so it requires the phone to be completely OFF to get safe and exclusive access to the memory. DO NOT PLUG IN YOUR PHONE YET!
2. Extract SPFT into a folder on your computer. If you can't figure out how to do that, please stop tinkering with your phone. It's only a matter of time until you break something.
3. Extract the system image into the same folder you put SPFT in. The three files (boot.img, recovery.img, system.img) should be in the same folder as all the other SPFT files, including the binaries.
4. Run SPFT. On Windows, simply double clicking the SPFT executable should do the trick. On Linux, you must run the flash_tool.sh script as root. Open a terminal emulator, cd to the SPFT folder, and run `sudo ./flash_tool.sh`. If you receive an error about permissions, run `chmod +x flash_tool.sh` and try the first command again.
5. Go to the Download tab in SPFT and click the Scatter-loading button on the far right side. DO NOT click the Download Agent button. When the file picker dialog pops up, find and open the r1hd-spft-scatter.txt file you downloaded earlier.
6. You should see a list of partitions. Only three of them (boot, recovery, system) should be checked, and the location should point to the files you extracted from the tar.gz file earlier. If this is not the case, double-click the location block of the boot, recovery, and system partitions, and select the boot.img, recovery.img, and system.img files from your filesystem respectively. After selecting the files, the boxes should check themselves.
7. From the dropdown in the upper left of the partition list, make sure Download Only is selected. Any other option could damage your device.
8. Click the Download button in the upper left.
9. While your phone is OFF, plug it into your computer with a data safe USB cable. The cable that came in the box from the factory is ideal, but any good quality cable will work just fine.
10. SPFT should start overwriting your phone. If you receive an error from SPFT, unplug your phone, close SPFT, and repeat steps 4 through 9. The whole process takes about 10 minutes, after which you should see a window with a large green checkmark. Once you see that window, you can safely unplug your phone and start it up. You're all done!
And as a bonus, I've also included a guide for unlocking the bootloader, getting custom recovery, and rooting the device after you've done this in post #2. That makes this your one stop shop for getting a brand new Prime phone out of the box!!
HUGE THANKS TO @mrmazak FOR THEORIZING THIS METHOD AND GETTING ME THE NON-PRIME SYSTEM IMAGE TO USE!
As always, if you have any questions, just ask in a thread reply or send me a private message on XDA. And by the way, hit the Thanks button in the lower right corner of the post if my guide helps you. It motivates me to keep this up to date and write more helpful guides. If you feel like giving me even more motivation and help fund future development, [REDACTED].
{OUTDATED}[GUIDE][OEM][Stock] Bootloader Unlock, TWRP, and root!
Update March 8 2017: As you can probably tell, this is very old. I have not worked on the device in several months and I have no idea if these methods are still safe. Please proceed with caution. I will be using one of these on a daily basis in the near future, so I probably will get back into development, and hope to release new content for the phone to help out the community. Please accept this as an official warning that the following is probably out of date and that you should be very careful should you decide to try it. The original post in its entirety is spoilered below. You have been warned.
Ok, now you've converted your brand new Prime phone to the non-Prime version. How do you unlock this sucker? The conversion process actually unlocks the standard unlock method from the factory, so it's VERY simple! No hoops to jump through or anything. You'll need adb and fastboot. You can get those as part of the official Android developer kit, your distro's repos (on Linux) or Homebrew (on Mac). Of course, this guide works for the normal non-converted non-Prime version as well. This WILL wipe your phone, so make sure you back up any important data before doing this.
This guide is for the OEM (non-Prime) version. If you have the Prime version, convert it to OEM using the guide above BEFORE doing this guide.
The standard disclaimer from above still applies.
This guide is broken up into two parts. Unlocking the bootloader, and rooting the phone. If you are preparing to install Magisk, do the bootloader unlock, skip the rooting part and move on to the Magisk guide. You do not need the files above if you are only unlocking the bootloader. If your bootloader is already unlocked, skip the bootloader unlocking part and skip to rooting the phone. If you are preparing to install Magisk and your bootloader is already unlocked, you shouldn't be here. Also please note that the bootloader can sometimes re-lock itself after completing a conversion/restore from the guide above, especially to/from the Prime version, so if you're not sure, play it safe and re-unlock your bootloader.
Part 1 - Unlocking the bootloader:
1. Boot up your phone. If you haven't already gone through the initial setup process, go through it. The bootloader unlock process will wipe your phone, so skip as many questions as possible so you don't waste your time.
2. Open the Settings app, go to About device, find the Build number (it's toward the bottom), and tap on it 8-10 times (until it says you are now a developer. If it says there's no need and you're already a developer, you can skip to the next step)
3. Go back to the main Settings menu. You should see a new option where About device used to be, Developer options! Click on it.
4. Toward the top of the long list of developer options, there is an option called "OEM unlocking". If it's switched off, switch it on. If it's switched on, switch it off and back on again. You may get a warning saying that device protection features won't work. Click Enable and proceed. You may also be prompted to enter your password/PIN/pattern lock if you have one.
5. Scroll down a little bit to reveal USB debugging. Switch it on if it's not already.
6. Connect your phone to your computer using a data safe cable. Do not disconnect it until the very end.
7. On your computer, open a terminal emulator (or Command Prompt with ADB access) and run `adb reboot bootloader`. If you get a message complaining about keys or authorization, check your phone. There should be a window asking for permission for your computer to access the device. Allow it and run the command again.
8. Your phone will reboot into fastboot mode.
9. On your computer, run `fastboot oem unlock`. On the phone you will get a warning message talking about the implications of unlocking the bootloader. Press Volume Up to accept them. If everything goes smoothly, your bootloader should now be unlocked. You're not ready to flash quite yet! Flashing at this stage WILL brick your phone, so it's important that you continue following the guide carefully.
10. On your computer, run `fastboot reboot`. Your phone should reboot anywhere from 3 to 5 times. If it reboots more than that, your phone is bricked and you need to start again by following the guide above again.
11. Once Android starts up again, you should see the setup wizard. Your bootloader is now unlocked!
Part 2 - rooting the phone:
BEFORE YOU PROCEED: If you want your phone to be encrypted AND rooted, it's important that you unlock the bootloader using the steps above first, then use the encryption APK to encrypt your phone BEFORE installing TWRP and rooting your device. This device is an exception to the general rule of flashing TWRP first and then rooting afterwards. Repeat, if you want your phone encrypted and rooted, unlock the bootloader FIRST, then encrypt SECOND, then flash TWRP THIRD, and root your phone LAST.
This is the guide for rooting the actual phone. You must unlock the bootloader using the steps above before doing this part.
First, you'll need these things on your computer.
The TWRP image for the R1 HD. You can download [REDACTED].
A copy of the latest SuperSU zip from Chainfire. You can get it from the official forum post, or Chainfire's website.
Linux Users: On Linux, you must add `sudo` to the beginning of all fastboot commands, because most Linux distributions will not give you enough access to the hardware without being root.
And finally, the guide:
1. Hold Volume Up and Power until the phone turns on with the boot menu. Once the boot menu appears, use the volume keys to scroll to [Fastboot Mode] and press the power button to select it. It's the middle option.
2. On your computer, cd to the folder where you downloaded twrp-3.0.2-1-r1hd-lopestom.img and do `fastboot flash recovery twrp-3.0.2-1-r1hd-lopestom.img`.
3. On your computer, do `fastboot boot twrp-3.0.2-1-r1hd-lopestom.img`.
4. Once TWRP boots up, dismiss the prompt about mounting the system, go to Reboot, then choose Recovery. Your device will reboot back into TWRP. I know this step seems odd, but just trust me.
5. Make a backup if you want. It's not a bad idea, but seeing how you just unlocked your bootloader so your data is gone and we have the images in case you somehow brick the system, I doubt you actually need it.
6. In TWRP, go to Advanced, then ADB Sideload. Slide the confirmation slider all the way to the right to confirm.
7. On your computer, cd to the folder where you downloaded SuperSU and run `adb sideload [SuperSU-zip-name.zip]`, replacing the last argument with the name of the SuperSU zip you downloaded, of course. If your computer says "waiting for device" for a long time, cancel with Ctrl+C, run `adb kill-server`, then run the first command again but with `sudo` in front this time.
8. Reboot the phone. If everything worked correctly, you should now have a rooted phone with SuperSU, bootloader unlocked, and custom recovery! Yay for cheap phones!
As always, if you have any questions, just ask in a thread reply or send me a private message on XDA. And by the way, hit the Thanks button in the lower right corner of the post if my guide helps you. It motivates me to keep this up to date and write more helpful guides. If you feel like giving me even more motivation and help fund future development, [REDACTED].
Can you verify the image you uploaded for the non-Prime version? I'm getting unexpected EOF errors when extracting in Windows using 7Zip and TarTool, and I'm also getting an "operation not permitted" error when extracting using the built in Archive Utility in OS X.
abs0lute said:
Can you verify the image you uploaded for the non-Prime version? I'm getting unexpected EOF errors when extracting in Windows using 7Zip and TarTool, and I'm also getting an "operation not permitted" error when extracting using the built in Archive Utility in OS X.
Yeah, that's because the image isn't fully uploaded. My internet is very slow, so it's taking a while to upload. Sorry about that. I was hoping it would be finished by the time I finished writing this, but alas, nope. I will have all files uploaded by tomorrow, along with .md5 files so you can verify the checksums, so come back then. Again, sorry. I guess I should have posted this _after_ I got those uploaded. Oh! And I have North America mirrors coming within the next couple months. It seems a little oxy-moronic to host files for a US only device on an EU server, but unfortunately, servers in the US are significantly more expensive.
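An added example, not part of the original posts: a pre-flash check for the truncated-upload problem discussed above. It verifies the downloaded tar.gz against its .md5 file, confirms the gzip stream is complete, and confirms the archive holds only boot.img, recovery.img and system.img. The function names, the md5sum-style sidecar layout and the assumption that the images sit at the archive root are illustrative, not taken from the thread.

```python
import gzip
import hashlib
import tarfile
import zlib

# Images the guide flashes with SPFT. Assumption: they sit at the archive root.
EXPECTED_IMAGES = {"boot.img", "recovery.img", "system.img"}
CHUNK = 1 << 20


def md5_of(path):
    """Stream the file through MD5 without loading the whole image into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def gzip_complete(path):
    """Decompress to the end of the stream; a cut-off upload fails here."""
    try:
        with gzip.open(path, "rb") as stream:
            while stream.read(CHUNK):
                pass
        return True
    except (EOFError, OSError, zlib.error):
        return False


def verify_image_archive(archive_path, md5_path):
    """Return a list of problems; an empty list means extraction may proceed."""
    problems = []

    # Assumed md5sum-style sidecar: "<hex digest>  <file name>".
    with open(md5_path, "r", encoding="utf-8") as handle:
        fields = handle.read().split()
    expected = fields[0].lower() if fields else ""
    if md5_of(archive_path) != expected:
        problems.append("md5 mismatch")

    if not gzip_complete(archive_path):
        problems.append("gzip stream truncated or corrupt")
        return problems  # a member listing would be unreliable

    seen = set()
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                name = member.name[2:] if member.name.startswith("./") else member.name
                if name in ("", "."):
                    continue  # the archive's own root directory entry
                if not member.isfile():
                    problems.append(f"non-regular member: {member.name}")
                elif name not in EXPECTED_IMAGES:
                    problems.append(f"unexpected member: {member.name}")
                else:
                    seen.add(name)
    except tarfile.TarError as exc:
        problems.append(f"tar structure invalid: {exc}")

    for missing in sorted(EXPECTED_IMAGES - seen):
        problems.append(f"missing image: {missing}")
    return problems
```

An MD5 file fetched from the same server as the image catches a cut-off or corrupted download, not a replaced image; detecting that needs a digest or signature obtained over a separate trusted channel.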
ColtonDRG said:
Yeah, that's because the image isn't fully uploaded. My internet is very slow, so it's taking a while to upload. Sorry about that. I was hoping it would be finished by the time I finished writing this, but alas, nope. I will have all files uploaded by tomorrow, along with .md5 files so you can verify the checksums, so come back then. Again, sorry. I guess I should have posted this _after_ I got those uploaded. Oh! And I have North America mirrors coming within the next couple months. It seems a little oxy-moronic to host files for a US only device on an EU server, but unfortunately, servers in the US are significantly more expensive.
No problem - thanks for your work on this!
abs0lute said:
No problem - thanks for your work on this!
Just finished uploading the non-Prime version. I will start the other upload before sleeping and update the post removing the warning when I awaken, assuming everything has gone well. You're free to attempt a non-Prime conversion now. Just don't do it the other way around yet.
Sent from my LG G4 using XDA Labs
Can't wait to give this a shot. Well, at least after someone else reports success first...
followed post 1 convert to non prime steps on windows, did not do the bootloader unlock steps.
phone booted up ok, followed by android is upgrading x of 37.
phone working and no ads on lock screen
the amazon apps are still there but appear to be disabled, causing errors at first boot.
disabled or uninstall the apps. - used cleanmaster
everything seems ok now
Hello, I have now finished uploading the files, so you can now safely flash away! Enjoy! @abs0lute
bupkis said:
Can't wait to give this a shot. Well, at least after someone else reports success first...
I report success. Of course I did everything in the guide here before posting it. I'm not irresponsible. It's completely safe. I just finished uploading the files, so please go ahead and give it a shot.
ColtonDRG said:
I report success. Of course I did everything in the guide here before posting it. I'm not irresponsible. It's completely safe. I just finished uploading the files, so please go ahead and give it a shot.
ok, away we go! :laugh:
When I try to download the scatter file it just opens the file in a new browser window.
>nevermind, figured it out...success!
...on to bootloader unlock, TWRP, root...
bupkis said:
...
When I try to download the scatter file it just opens the file in a new browser window.
...
Yeah, that's a problem with my server configuration. I'll fix it later. For now, you can save the file by opening it in a browser window and pressing Ctrl+S
I have completed the process successfully-TWRP, root, no ads but do still have all the Amazon apps so something is screwy but not the end of the world.
bupkis said:
I have completed the process successfully-TWRP, root, no ads but do still have all the Amazon apps so something is screwy but not the end of the world.
Nope, it's not screwy. The non-Amazon version does include a lot of the Amazon apps. You can uninstall some of them the normal way (they're pre-installed user apps), and others you can either disable or uninstall using your favourite system app remover.
Anyone else missing Encrypt section in Settings > Security after converting to non-prime?
When I try to load the scatter, SPFT says "Error: Initializing scatter file failed. Please check the name of scatter file which you load is legal." I downloaded it from both the primary link and your mirror, same error. Any ideas? Thanks.
EDIT: Looks like I downloaded the oldest version, not the newest version of SPFT. Whoops! I'll leave my mistake on here to help others who may assume the first link is the right one.
notfix said:
Anyone else missing Encrypt section in Settings > Security after converting to non-prime?
It is missing. How peculiar. I will attempt to implement a workaround in a little bit. Sorry about that.
Update: The Encryption activity exists on the phone, we just can't get to it from the settings menu. You can launch it by manually launching com.android.settings.Settings$CryptKeeperSettingsActivity using your preferred method for launching arbitrary activities. I will release an app that will launch this activity for you ASAP!
