Hi !!
I'm sorry if this has been written about before, but I've searched the internet for 2 days (most links coming from XDA) without success.
I'm pretty sure this is not possible on the Trinity due to bootloader limitations, but I want a final confirmation before flashing my device.
My bootloader is Des' Crash-Proof SPL:
TRIN100
IPL-0.50
TRIN100
SPL-9.99 CP
After I played with the WM6 registry it doesn't load the OS after a reset.
I'm wondering if it is possible to dump the ROM (the mass storage part) from the bootloader, to mount it on a Linux box.
I read that the Trinity lacks the s2d command and also that rbmc didn't work.
Is there any other way to do it?
Of course I can't use pdocread.exe because the OS is not loaded on the Trinity.
Thanks in advance and sorry for my English.
Carlo.
Hi again.
I was able to read the ROM with the rbmc command using the following commands:
password BsaD5SeoA
set 1e 1
task32
rbmc >/tmp/dump.bin 0x3100 0x17900
The problem is that the output is shown on the screen and not written to the file.
I tried on Linux using HTCFlasher, and mtty on Windows, with the > and without.
Any idea?
Carlo
Try QMAT too; although it's not meant to be used with the Trinity, it supports rbmc dumping.
Thanks, I'll try it tonight.
Here's an rbmc partition dumper I've created for dumping the OS, storage and ext ROM. The storage partition doesn't seem to be readable this way...
You need to have a security-unlocked device, or an HSPL that allows rbmc when the device is not security unlocked.
Hope this helps...
Thanks for the command, I tried it and it doesn't work.
I have Des' Crash-Proof SPL on my Trinity and the rbmc command works, but I have to give the following commands before using it.
password BsaD5SeoA
set 1e 1
task32
Does your command supply them before dumping, or is there any command line option to pass them to the command?
Works on my Trinity all right... task 32 is not required, btw.
Did you manage to get QMAT working/dumping?
I tried several times but I always get this message:
C:\Temp2>rbmc.exe
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
WARNING: rbmc OS.nb command failed!
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0xC1B144 bytes in 0d:00h:00m:01s.953ms
HTCSBye!>.L.HTCE
I switch the Trinity to the bootloader screen, then plug in the USB and run the command with no args.
Where am I wrong? I tried without ActiveSync open, and with it open with the USB connection disabled.
No, I was unable to use QMAT; the manual is a little different from the version and doesn't explain the very first operation to get the program to recognise the PDA.
Instead I was able to capture the rbmc output on my Linux box with minicom over USB, but I get an error a while after the program starts dumping (the same one I got on the screen using mtty), and I'm a little confused about the partition sizes shown by the "info 8" command.
Bye.
What happens when you manually issue "rbmc c:\temp\os.bin OS" in mtty or minicom?
I start minicom with the capture option active, then I use the command:
Cmd>rbmc a 0x3100 0x17900
Then the dump starts:
Cmd>rbmc a 0x3100 0x17900
GetExtRomData+(): *pszPathName=a, dwStartAddress=57600000, dwLength=8C08DAA0
:F=a :A=57600000 :L=8C08DAA0 :rbmc= HTCS¼Ñÿÿùÿ0ÖÿÿùÿRPQQ"RTP¤QP>Öÿÿùÿ¤ìÿÿùÿÔÿÿùÿ9Öÿÿùÿ<Öÿÿùÿ=Öÿÿùÿina
condominiale
[.....]
,(*"(B+&*0ùÿNANDFlashReadSectorWithSectorInfo: dwBlockIndex=0x400
NANDFlashReadSectorWithSectorInfo: Address over boundary!!!
rbmc: read data error at 0x8000000
In the [...] I get about 1 MByte of data.
My aim was to dump the user partition to recover some data, not the OS.
This syntax is not valid:
rbmc a 0x3100 0x17900
1. Do not use 0x prefix for offset and length
2. Use actual flash offsets (starting at 50000000 (hex))
Can you try this exact command?
rbmc c:\temp\os.bin OS
This is the command rbmc.exe executes and it seems to be failing on your Trinity.
I tried and this is what I got:
C:\temp>rbmc c:\temp\os.bin OS
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
WARNING: rbmc OS.nb command failed!
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0xC1B144 bytes in 0d:00h:00m:02s.031ms
HTCSBye!>.L.HTCE
C:\temp>
cybor said:
I tried and this is what I got:
Can you do it in mtty?
Ok, sorry, I misunderstood.
Cmd>password BsaD5SeoA
Pass.
HTCST ÚÈÒHTCEPassWord: BsaD5SeoA
Cmd>set 1e 1
Cmd>rbmc c:\temp\os.bin OS
Command error !!!
Ok, it looks like your SPL doesn't support rbmc command, but if you do "rbmc 50000000 1" in mtty that works?
Yes, it works.
Cmd>rbmc 50000000 1
GetExtRomData+(): *pszPathName=50000000, dwStartAddress=1, dwLength=8C08DAA0
rbmc=8DAA0
Cmd>
But it works only if I supply the "task 32" command after "password ..." and "set 1e 1".
Could you modify your command to supply the "task 32" command, maybe via a switch?
Finally it works!!
I mean your command... after the message above I tried this way.
I connect to the bootloader with the patched version of TeraTerm (to have the copy and paste function), then I supply the three commands as in the message above, and finally I close TeraTerm and launch your command with no parameters; here is what I get:
C:\Temp0\rbmc>rbmc.exe
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
0x4d50800 bytes read
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0x55628D8 bytes in 0d:00h:02m:02s.125ms
HTCSBye!>.L.HTCE
As you can see it doesn't read Storage.nb and ExtROM.nb, but now I can get the OS.
So I think that "task 32" is mandatory with the HardSPL I have on my Trinity.
Which HardSPL do you use to test your command?
cybor said:
So I think that "task 32" is mandatory with the HardSPL I have on my Trinity.
Which HardSPL do you use to test your command?
Yeah, well, this seems to be the way HardSPL works: you only get access to locked commands after faking the security lock status with "task 32". I've added this command to rbmc.exe; however, I want to make it more generic before I post the updated version, because dumping storage doesn't work so far.
I'm using MFG SPL 1.05 patched to allow rbmc, this shouldn't be relevant though.
Ok, so attached is an updated version of rbmc.exe.
It will work just like the old version without any parameters, but now you can also specify the same parameters as you would feed to the rbmc command.
E.g. to dump storage you can do
C:\>rbmc.exe storage.bin Storage
However, due to a bug in the SPL this won't work; it will produce an error message showing the starting offset of the storage partition though.
Grab that offset, subtract it from 0x60000000 to get the correct storage size, and run rbmc.exe again with parameters:
C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000
You should have a dump of the storage partition (albeit not exactly 0xACAC0000 bytes) in the storage.bin file as a result. Note that the resulting dump has NAND flash block status data (0x10 bytes every 0x200 bytes) that you may need to strip to get an image of the storage partition you can work on.
Good luck!
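As an added example (my code, not rbmc.exe and not anything posted in this thread), here are the two steps from the post above in Python: pull the partition start out of the SPL's "Storage address error" line, subtract it from 0x60000000 to get the length to pass to rbmc.exe, and strip the NAND block status bytes out of the resulting dump. It assumes each dumped sector is 0x200 data bytes followed by 0x10 status bytes (a 0x210-byte stride); the sample dump and the sample error line are constructed, the latter in the format of the SPL message quoted later in the thread. For the offset 0x53540000 quoted above, the subtraction yields 0x0CAC0000.

```python
# Added example, not rbmc.exe or any code posted in this thread.
# Two steps from the post above, applied to an rbmc storage dump:
#   1. length = 0x60000000 - <storage start reported by the SPL's error message>
#   2. strip the NAND block status bytes (0x10 bytes per 0x200 bytes of data)
# Assumption: each dumped sector is 0x200 data bytes followed by 0x10 status bytes,
# i.e. a 0x210-byte stride. Adjust SECTOR_DATA/SPARE if your SPL lays them out differently.
import re

FLASH_END = 0x60000000    # end of the flash address range used in the post
SECTOR_DATA = 0x200       # data bytes per NAND sector
SPARE = 0x10              # block status bytes that follow each sector (assumption)

_ADDR_ERR = re.compile(r"Storage address error\.\(0x([0-9A-Fa-f]+), 0x([0-9A-Fa-f]+)\)")


def storage_offset_from_error(msg: str) -> int:
    """Extract the partition start from the SPL's 'Storage address error.(0x..., 0x...)' line."""
    m = _ADDR_ERR.search(msg)
    if not m:
        raise ValueError("no 'Storage address error' in message")
    return int(m.group(1), 16)


def storage_length(offset: int, flash_end: int = FLASH_END) -> int:
    """Length argument for rbmc.exe: from the partition start up to the end of flash."""
    if not 0 < offset < flash_end:
        raise ValueError(f"offset 0x{offset:X} is outside the flash range")
    return flash_end - offset


def rbmc_args(offset: int) -> list:
    """Arguments in the form the post gives: rbmc.exe storage.bin <offset> <length>."""
    return ["storage.bin", f"0x{offset:08X}", f"0x{storage_length(offset):08X}"]


def strip_spare(dump: bytes, sector_data: int = SECTOR_DATA, spare: int = SPARE) -> bytes:
    """Remove the spare/status bytes so that only sector data remains.
    A short trailing sector (the post notes the dump is not exactly the requested
    length) keeps whatever data bytes it has."""
    stride = sector_data + spare
    out = bytearray()
    for pos in range(0, len(dump), stride):
        out += dump[pos:pos + sector_data]
    return bytes(out)


# Constructed sample: three full sectors (data 0x00.., 0x01.., 0x02.., each followed by
# 0xFF spare bytes) plus a truncated fourth sector of 0x80 data bytes.
SAMPLE_ERROR = '"Storage address error.(0x54DC0000, 0xB301000) "'
SAMPLE_DUMP = b"".join(bytes([i]) * SECTOR_DATA + b"\xff" * SPARE for i in range(3)) + b"\xab" * 0x80

if __name__ == "__main__":
    off = storage_offset_from_error(SAMPLE_ERROR)
    print("rbmc.exe", *rbmc_args(off))
    print(f"stripped {len(SAMPLE_DUMP):#x} -> {len(strip_spare(SAMPLE_DUMP)):#x} bytes")
```

Run it on a real dump by reading storage.bin into `strip_spare()` and writing the result to a new file; the stripped image is what you would then try to mount or carve for files.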
Thanks for this new release, it works fine.
I have a problem understanding how to calculate the offset.
When I run
rbmc.exe storage.bin Storage
I get:
Dumping rbmc storage.bin Storage to storage.bin...
ERROR: rbmc storage.bin Storage command failed; last message:
"Storage address error.(0x54DC0000, 0xB301000) "
What must I subtract from 0x60000000 to get the offset, and what is the other value in the last example you wrote?
C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000
I'm sorry to waste your time; I tried to understand but I failed, but I want to reach the end because in the future a tool like this will be very useful to recover data from a crashed Trinity.
Intro
Someone contacted me because of my work unbricking Amlogic tablets and sent me their bricked Nexus 7 2013 32GB Wifi version tablet. I have the same tablet and I’ve been exploring unbricking options and looking at the devices. I have not found a solution yet but I have found a lot of interesting things. I worked on several models of Ainol's AML8726-MX SoC tablets and unbricked them from various states, including having no signs of life and jumping some pins on the NAND chip to get it recognized by the computer. Some tablets had similar problems to the Nexus when the bootloader was corrupted from a bad flash. The internal memory showed as zero in TWRP and the tablets wouldn't boot into the system. Checking debug logs showed the memory chip was not initializing. The Ainol tablets don't have a bootloader with a GUI but they did have an external SD card slot, so the tablet could boot from the SD card and run a "rescue flash". If that didn't work, Amlogic also had low-level USB Burning software to write to the tablet, although special files were needed and flashing was tricky.
I don’t know if we will be able to fix the Nexus tablets with this problem or if they are even fixable with the tools available, but I’m providing all this information because I’m working on the problem in my spare time and maybe other people want to experiment with their bricked devices as well. There are a couple of obvious routes to explore, one being Qualcomm's QPST and QFIL software, as well as other similar software programs for these chips, like the BoardDiag Tool. Another option is to try to boot the tablet from a "rescue card" like I used for the Ainol tablets, but to do it through an On-The-Go cable. Even if we don't unbrick any tablets, at least this thread might provide some documentation on the Nexus 7 2013 that doesn’t seem to be available elsewhere. I’ll keep updating this thread with new info and links to drivers, software, documentation and relevant websites. I’ll post what I’ve updated into the “Updates to this thread” section.
The problem
OTA update bricks device and we get one of the following scenarios:
Users can enter fastboot but cannot flash, format or erase anything. Trying to start the device or boot into recovery gets stuck on the Google screen with the lock icon.
Same as above, but when entering a recovery like TWRP, the device hangs on the TWRP logo screen.
Users cannot enter fastboot. Plugging the device into the computer shows QHSUSB_DLOAD in the device manager.
Users cannot enter fastboot. Plugging the device into the computer shows Qualcomm HS-USB QDLoader 9008 in the device manager.
Users cannot enter fastboot. Plugging the device into the computer shows Qualcomm HS-USB Diagnostics 9006 in the device manager.
In 9006 mode the storage shows as Qualcomm MMC Storage USB Device in the Device Manager
---
Trying to flash or format in fastboot returns the following error:
Code:
FAILED <status read failed <Too many links>>
I’ve figured out a way to boot into TWRP and have started collecting logs and other information about the problem. I’ve also figured out the majority of fastboot oem commands which I’ll list below. The device is not initializing the MMC card when it starts up. In dmesg we can see the error:
Code:
mmc0: error -110 whilst initialising MMC card
Where on a working device we see:
Code:
mmc0: new HS200 MMC card at address 0001
mmcblk0: mmc0:0001 MMC32G 28.8 GiB
In the TWRP log we see:
Code:
E: Could not mount /data and unable to find crypto footer.
E: Unable to mount ‘/data’
E: Unable to recreate /data/media folder.
Updating partition details…
E: Unable to mount ‘/system’
E: Unable to mount ‘/data’
E: Unable to mount ‘/cache’
...done
E: Unable to mount storage
E: Unable to mount /data/media during GUI startup
E: Unable to mount ‘/cache’
Full SELinux support is present.
E: Unable to mount ‘/cache’
E: Unable to set emmc bootloader message.
E: Unable to mount ‘/cache’
E: Unable to mount /data/media/TWRP/ .twrps when trying to read settings file.
E: Unable to mount ‘/data’
MTP Enabled
Trying to wipe partitions or flash in TWRP fails because the card isn’t mounted at all and the partition table isn’t being read. Everything is running in RAM and the only filesystems mounted are rootfs, tmpfs, devpts, proc, sysfs, selinuxfs and tmpfs.
Checking the partition table in fastboot using “fastboot oem gpt-info” does return the same results as a working device though. When booting into TWRP we can see “Nexus 7” as an MTP device but there is nothing on it. In Qualcomm’s 9006 Diagnostics mode we can see the device under disk drives in the device manager as Qualcomm MMC Storage USB Device, but it doesn’t show up in Qualcomm’s 9008 Download mode. In disk management we can see it as an Unknown 28.81 GB Unallocated Disk. We can see the same thing in MiniTool Partition Wizard, but neither Windows nor MiniTool can initialize or format the disk. In HDD Raw Copy Tool the device shows as Qualcomm MMC Storage with a capacity of 30.93 GB. I was unable to write a RAW image of mmcblk0.img using HDD Raw Copy Tool, getting the error “Write Error occured at offset 0 (1)”.
My Working Theory
Looking at both the most recent reports of the OTA brick and past reports, it seems like the problem occurs when there is a bootloader update packaged in with the firmware update. It is possible that the eMMC chip is fried because we've seen bugs in the past, but I'm working on the assumption that it is not, since the chip is recognized, shows the correct capacity and gets registered by the kernel. We can also see that persistent_ram has an uncorrectable error in the header and no valid data in the buffer. This could mean a bad eMMC chip, but it could also mean that parts of the bootloader are gone or corrupt. It could also mean the GPT is bad.
We can also see that the device is always booting into ttyHSL0 mode, which is the UART Serial Console mode for debugging. I don't know a lot about Qualcomm architecture but I do know that there are several modes, including diagnostics, download and emergency download mode. It's possible that the tablet is stuck in one of these modes. I read through some Qualcomm documents and they mention using the NPRGxxxx.hex file to flash your device, but also that, if the chipset supports it, changing the name of the NPRGxxxx.hex file to eNPRGxxxx.hex "allows you to download new images to a mobile device that has an empty or currupt flash device." That function was implemented in 2008 though and I'm unsure if the implementation has changed at all.
Getting Started
I’m not going to cover any of the basics like installing ADB and Fastboot on your computer. This thread is intended for people who already have a working knowledge of using these tools and want to try and work on the bricking problem. If you don’t have that knowledge and would still like to experiment with your bricked device, you can find lots of tutorials on XDA on how to install and use ADB and Fastboot.
I will mention a couple of things I ran into though. Since I hadn't been working on tablets for a while I wasn't able to use ADB in TWRP at first. I noticed that it only worked if I disabled MTP in the TWRP menu. However, updating the Android SDK solved this problem and the updated drivers allow both MTP and ADB to be connected at the same time.
There may also be times when you need to disable Windows Driver Signature Verification to be able to install unsigned drivers. Here is a link showing how to do it temporarily. There is also a way to disable it permanently which I think is to run the Command Prompt as Admin and type:
Code:
bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON
Lastly, you'll probably want to stop Windows from automatically installing drivers for new hardware. You can do that by right clicking on your computer and then going to "properties -> advanced system settings -> hardware -> device installation settings -> no let me choose what to do -> never install driver software from windows update". There are also guides with screenshots on how to do this if you Google it.
---
We can get into a recovery like TWRP by using the fastboot command:
Code:
fastboot boot twrp.img
If booting into recovery fails and you get stuck on the TWRP logo screen, then go back to the bootloader and use the fastboot command:
Code:
fastboot oem reset-dev_info
---
To enter Qualcomm HS-USB QDLoader 9008 “download mode” you can hold down all three hardware buttons when the device is powered off and plugged in. You can also power down the device, hold the Vol+ and the Vol- buttons and then plug in the device. To enter Qualcomm HS-USB Diagnostics 9006 “diagnostic mode” you can press the power button repeatedly, then wait around 30 seconds and see if it connects in the device manager. I don’t know how fast you are supposed to press the button, but it seems to take at least 10 presses, sometimes more. You’ll have to test it out until you get used to doing it.
Tasks
Want to help out? Here are some things I'm working on. There's a good deal of research to do, so even if you don't have a working device you can help. If you have a device that you've totally given up on and are pretty much going to throw out but can still get into the bootloader, test those fastboot oem erase_ commands before tossing the tablet. It will be fastboot oem erase_"partition name". An example is fastboot oem erase_aboot. Just run through them and write down which ones work and which ones don't.
If someone with a bricked tablet has UART off in the bootloader and can boot into TWRP, please check "adb shell cat /proc/cmdline" and tell me if "console=ttyHSL0,115200,n8" is in the commandline. You can check if UART is on or off in the bootloader by using "fastboot getvar all".
Look into other APQ8064 devices to see if files relevant to QPST work. There is a list of devices below that have the same SoC but not the 1AA or FLO tag at the end. It's possible some of these files might work well enough to at least get the memory recognized.
Pull partition table from a working device and format it in partition.bin or partition.mbn for use in QPST.
Try to write partitions pulled from working device back to the tablet in fastboot.
Format partitions from a working device as .mbn files for QPST.
Pull the first few raw GB from a bricked tablet and examine it to see if there is data present. If there is, then it might mean that those partitions are corrupted and we can focus on writing working partitions back to those locations. Try with RAW copy tool and with dd.
Testing QPST software to resurrect the device. Will need more files first, need to structure them as .xml files necessary for the software.
Test "fastboot oem erase_" on other partitions.
Test "fastboot flash" of partitions that aren't normally included in a firmware update, like sb1.img, rpm.img, aboot.img, etc.
General Device Info
Here is a spreadsheet with all the partition info that I've pulled and sorted.
The Nexus 7 2013 is an APQ8064 1AA/FLO Snapdragon 600 series device that is advertised as an S4 Pro. The APQ8064–1AA is the WiFi version and APQ8064-FLO is the LTE version. The ASUS MeMO Pad FHD 10 ME302KL LTE also has the same SoC according to wiki. The platform board is listed as MSM8960 in most of the code.
Here are other devices with an APQ8064 SoC that aren't listed as 1AA or FLO:
LG Optimus G
MDP / T
Xiaomi MI-2
Pantech Vega R3
Sharp Aquos Phone Zeta SH-02E
Oppo Find 5
Asus MeMO pad 10 LTE
Asus padfone 2
HTC J Butterfly
HTC Droid DNA
Nexus 4
HTC Butterfly
ZTE Nubia Z5
ZTE Nubia Z5 Mini
ZTE Grand S
Sony Xperia Z
Xperia ZL Sony
Sony Xperia ZR
Fujitsu Arrows S
Sony Xperia Tablet Z
LG Optimus GJ
The Nexus 7 2013 Tablet’s Vendor ID is 18d1 and the hexadecimal syntax is 0x18D1 (used in fastboot). The USB device IDs for different connections are:
Qualcomm HS-USB Diagnostics 9006 (COM3) - USB\VID_05C6&PID_9006&MI_00
Qualcomm HS-USB Diagnostics 9008 (COM4) - USB\VID_05C6&PID_9008
Android Bootloader Interface - USB\VID_18D1&PID_4EE0
Android ADB Interface - USB\VID_18D1&PID_D002
Serial Numbers I've seen are:
Bricked Device - SERIAL NUMBER 2143658709BADCFE ← According to HDD Raw Copy Tool
Bricked Device - SERIAL NUMBER 049973d5 ← According to adb get-serialno
Dumps, Unpacked Partitions and Other Files
Here is a link to a MediaFire folder with various files. So far I have:
Unpacked the 4.04 Bootloader
aboot.img
bootloader.img
rpm.img
sbl1.img
sbl2.img
sbl3.img
tz.img
Pulled all partitions from HDD Raw Copy Backup of a working device
aboot.img
abootb.img
boot.img
DDR.im
first_131071_sectors.img
fsg.img
m9kefs.img
m9kefs2.img
m9kefs3.img
m9kefsc.img
metadata.img
misc.img
modemst1.img
modemst2.img
pad.img
radio.img
recovery.img
rpm.img
rpmb.img
sbl1.img
sbl2.img
sbl2b.img
sbl3.img
sbl3b.img
ssd.img
tz.img
tzb.img
QPST Memory Debug Dump from a bricked device
CODERAM.BIN
CPU_REG.BIN
CPU0_WDT.BIN
CPU1_WDT.BIN
CPU2_WDT.BIN
CPU3_WDT.BIN
EBICS0.BIN
ETB_ERR.BIN
ETB_REG.BIN
IMEM_A.BIN
IMEM_C.BIN
load.cmm
LPASS.BIN
MM_IMEM.BIN
PMIC_PON.BIN
RPM_MSG.BIN
RPM_WDT.BIN
RST_STAT.BIN
SPS_BUFF.BIN
SPS_PIPE.BIN
SPS_RAM.BIN
Unpacked Radio partition from a working device
ACDB.MBN
APPS.MBN
DSP1.MBN
DSP2.MBN
DSP3.MBN
EFS1.MBN
EFS2.MBN
EFS3.MBN
MDM_ACDB.IMG
RPM.MBN
SBL1.MBN
SBL2.MBN
Fastboot Commands
Below are examples of each command's usage, the partitions accepted by a command, and additional info.
Regular fastboot commands
Code:
fastboot update
Code:
fastboot update update.img
Code:
fastboot flashall
Code:
fastboot flash
Code:
fastboot flash aboot aboot.img ?
fastboot flash bootloader bootloader.img
fastboot flash rpm rpm.img ?
fastboot flash sbl1 sbl1.img ?
fastboot flash sbl2 sbl2.img ?
fastboot flash sbl3 sbl3.img ?
fastboot flash tz tz.img ?
fastboot flash boot boot.img
fastboot flash cache cache.img
fastboot flash recovery recovery.img
fastboot flash system system.img
fastboot flash userdata userdata.img
Code:
fastboot erase
Code:
fastboot erase all
fastboot erase boot
fastboot erase cache
fastboot erase recovery
fastboot erase system
fastboot erase userdata
Code:
fastboot format
Code:
fastboot format boot
fastboot format cache
fastboot format recovery
fastboot format system
fastboot format userdata
Example of advanced functions:
Code:
fastboot format cache:ext4:0x0000000023000000 cache
(hex value for 587202560 bytes = 587 MB; 573440: I don’t know what this value is, but it equals a hex value of 008c000)
Code:
fastboot format cache:0x0000000023000000 cache
(skips fs type and uses default)
Code:
fastboot getvar
Code:
fastboot getvar all
fastboot getvar version-bootloader
fastboot getvar version-baseband
fastboot getvar version-hardware
fastboot getvar version-cdma
fastboot getvar variant
fastboot getvar serialno
fastboot getvar product
fastboot getvar secure_boot
fastboot getvar lock_state
fastboot getvar project
fastboot getvar off-mode-charge
fastboot getvar uart-on
fastboot getvar partition-type:<partition name>
fastboot getvar partition-size:<partition name>
Code:
fastboot continue
Code:
fastboot boot
Code:
fastboot boot recovery.img
fastboot boot boot.img
fastboot boot bootloader.img
Example of advanced functions:
Code:
fastboot boot <kernel> [ <ramdisk> [ <second> ] ]
Examples of booting the kernel and ramdisk:
Code:
fastboot boot zImage boot.img-ramdisk.cpio.gz
fastboot -c *cmdline* boot zImage boot.img-ramdisk.cpio.gz
Code:
fastboot flash:raw boot
Same command format as the advanced "fastboot boot" command:
Code:
fastboot flash:raw boot <kernel> [ <ramdisk> [ <second> ] ]
fastboot flash:raw boot zImage boot.img-ramdisk.cpio.gz
Code:
fastboot devices
fastboot continue
fastboot reboot
fastboot reboot-bootloader
fastboot help
Regular fastboot options that might be useful
-c <cmdline> override kernel commandline
Add -c followed by a kernel command. If more than one kernel command is in the line then they should have parentheses around them like this: "console=ttyHSL0,115200,n8 androidboot.hardware=flo". This is used for the "fastboot boot" command to boot into a kernel with different commandline parameters. Here are the kernel commandlines listed in /proc/cmdline:
Code:
console=ttyHSL0,115200,n8 androidboot.hardware=flo user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 androidboot.emmc=true androidboot.serialno=049973d5 bootreason=PowerKey fuse_info=Y ddr_vendor=hynix androidboot.baseband=apq asustek.hw_rev=rev_e androidboot.bootloader=FLO-04.04
-i <vendor id> specify a custom USB vendor id
Add -i and then the vendor id you want to use. The Nexus 7 vendor id is 18d1 and the hexadecimal syntax is 0x18D1. Fastboot wants the hex value:
Code:
-i 0x18D1
-b <base_addr> specify a custom kernel base address.
I haven't done this in long enough that I've forgotten how to use it. The default is 0x10000000 and the BOARD_KERNEL_BASE is listed as 0x80200000 in the Nexus code.
-n <page size> specify the nand page size.
The default value is 2048. Add -n and then the value you want to use:
Code:
-n 2048
-S <size>[K|M|G] automatically sparse files greater than size. 0 to disable.
I've never used this. If anyone has any insight, let me know.
fastboot oem commands
I extracted the aboot.img and used Notepad++ to look at the commands. I’m not sure what the variables are for some of them but I’m working on testing some things out. This is how I figured out that “fastboot oem reset-dev_info” would allow “fastboot boot twrp.img” though.
Code:
fastboot oem unlock
fastboot oem lock
fastboot oem device-info
fastboot oem memtest_
fastboot oem gpt-info
fastboot oem fuse_blow
fastboot oem check-fuse
fastboot oem reset-dev_info
Code:
fastboot oem erase_
Usage is erase_<partition name>. I've only tested it on persist so far. I'm assuming this is for partitions that aren't supported by the regular "fastboot erase" command.
Code:
fastboot oem erase_persist
Code:
fastboot oem off-mode-charge 1
fastboot oem off-mode-charge 0
fastboot oem uart-on
fastboot oem uart-off
Links
Drivers and Software
Qualcomm Drivers - The one marked 2012 seems to be the newest I could find and is the one I've been using the most.
Qualcomm Product Support Tools (QPST)
Qualcomm Documents
HDD Raw Copy Tool
Nexus 5 Boarddiag Tool
EFS Professional
Links to relevant threads
[REF][R&D] MSM8960 Info, Architecture and Bootloader(s)
[DEV][REF] El Grande Partition Table Reference
Logs
All logs posted to Pastebin.
Fastboot Logs
Nexus 7 2013 - fastboot getvar all
Nexus 7 2013 - fastboot oem gpt-info
ADB Logs
Nexus 7 2013 - Big Collection of Partition Info
Nexus 7 2013 - mmc error - kernel log snippet
Nexus 7 2013 - Bricked Tablet - dmesg
Nexus 7 2013 - Working Tablet - dmesg
Nexus 7 2013 - Bricked Tablet - last_kmsg
Nexus 7 2013 - Working Tablet - last_kmsg
Nexus 7 2013 - Bricked Tablet - Recovery Log
Nexus 7 2013 - Working Tablet - Recovery Log
Nexus 7 2013 - adb shell dmesg | grep mmc0
Nexus 7 2013 - adb shell cat /proc/devices
Nexus 7 2013 - adb shell tail ./etc/fstab
Nexus 7 2013 - adb shell tail ./etc/recovery.fstab
Nexus 7 2013 - adb shell mount
Nexus 7 2013 - adb shell df
Nexus 7 2013 - adb shell cat /proc/cmdline
Nexus 7 2013 - adb shell ls /dev/block
Nexus 7 2013 - adb shell cat /proc/partitions
Updates to this thread
1/24/2015
- Added a link to a spreadsheet with partition info to the original post under "General Info".
- Added a section to the original post for files. Added a link to a MediaFire folder with QPST memory debug of a bricked device as well as dumped and unpacked partitions from a working device. Listed all files in each folder.
- Added another build of the QPST software to the MediaFire folder.
- Edited "Tasks" in original post.
6/01/2015
- Added info on how to pull a full raw backup of a working Nexus 7.
- Added all fastboot and adb logs I have.
- Added more documents to the MediaFire folder.
05/28/2015
- Added a working theory to the initial post.
05/26/2015
- Added more info to the Intro section and the Problem section.
- Formatted the Fastboot Command section differently.
05/25/2015
- Added links to drivers, software and relevant websites.
- Added Qualcomm Documents to the links section.
- Added info about driver installation to the Getting Started section.
- Added a list of other APQ8064 devices.
- Reformatting some things to look better. I'll keep working on it.
05/24/2015
- Initial Post
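The first post characterises a bricked tablet by three logs: dmesg (did mmc0 initialise?), /proc/cmdline (is the UART console on?) and the TWRP recovery log (which mounts fail?). As an added example, not code from this thread, here is a small Python triage script that parses those three sources and reports the same verdict the post reaches by eye. The sample log lines are constructed from the ones quoted in the post; the dmesg timestamps and the shortened cmdline are my own.

```python
# Added example (not from the thread): triage helpers for the three logs the first post
# uses to characterise an OTA-bricked Nexus 7 2013.
import re
from typing import Iterable, Optional

_TS = re.compile(r"^\[\s*[\d.]+\]\s*")                     # dmesg "[    1.502] " prefix
MMC_ERR = re.compile(r"^(mmc\d+): error (-?\d+) whilst initialising MMC card")
MMC_OK = re.compile(r"^(mmc\d+): new (\S+) MMC card at address [0-9a-f]+")
MMCBLK = re.compile(r"^(mmcblk\d+): (mmc\d+):\S+ (\S+) ([\d.]+ [KMG]iB)")
MOUNT_FAIL = re.compile(r"^E: Unable to mount [‘'\"]?(/[\w./-]+)")   # TWRP uses curly quotes
CONSOLE = re.compile(r"(?:^|\s)console=(\S+)")


def mmc_status(dmesg: Iterable[str]) -> dict:
    """Did the eMMC initialise? Returns failed/ok/unknown with the details the log carries."""
    result = {"status": "unknown"}
    for raw in dmesg:
        line = _TS.sub("", raw.strip())
        m = MMC_ERR.match(line)
        if m:
            return {"status": "failed", "controller": m.group(1), "errno": int(m.group(2))}
        m = MMC_OK.match(line)
        if m:
            result = {"status": "ok", "controller": m.group(1), "mode": m.group(2)}
        m = MMCBLK.match(line)
        if m and result["status"] == "ok":
            result["size"] = m.group(4)
    return result


def console_device(cmdline: str) -> Optional[str]:
    """The console= device from /proc/cmdline (e.g. 'ttyHSL0'), or None if absent."""
    m = CONSOLE.search(cmdline)
    return m.group(1).split(",")[0] if m else None


def unmountable(twrp_log: Iterable[str]) -> list:
    """Mount points TWRP reported it could not mount, in first-seen order."""
    found = []
    for line in twrp_log:
        m = MOUNT_FAIL.match(line.strip())
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def triage(dmesg: Iterable[str], cmdline: str, twrp_log: Iterable[str]) -> dict:
    mmc = mmc_status(dmesg)
    con = console_device(cmdline)
    mounts = unmountable(twrp_log)
    if mmc["status"] == "failed":
        verdict = "eMMC not initialising (matches the OTA-brick symptom in the first post)"
    elif mmc["status"] == "ok" and mounts:
        verdict = "eMMC initialised but recovery cannot mount partitions (check fstab/recovery build)"
    elif mmc["status"] == "ok":
        verdict = "eMMC healthy"
    else:
        verdict = "no mmc0 lines found; capture dmesg again"
    return {"mmc": mmc, "console": con, "uart_console": con == "ttyHSL0",
            "unmountable": mounts, "verdict": verdict}


# Constructed samples, modelled on the lines quoted in the first post.
BRICKED_DMESG = ["[    1.502] mmc0: error -110 whilst initialising MMC card"]
WORKING_DMESG = ["[    1.498] mmc0: new HS200 MMC card at address 0001",
                 "[    1.499] mmcblk0: mmc0:0001 MMC32G 28.8 GiB"]
CMDLINE = ("console=ttyHSL0,115200,n8 androidboot.hardware=flo "
           "androidboot.emmc=true androidboot.bootloader=FLO-04.04")
TWRP_LOG = ["E: Could not mount /data and unable to find crypto footer.",
            "E: Unable to mount ‘/data’",
            "Updating partition details…",
            "E: Unable to mount ‘/system’",
            "E: Unable to mount ‘/cache’",
            "E: Unable to mount storage",
            "E: Unable to mount /data/media during GUI startup"]

if __name__ == "__main__":
    for label, log in (("bricked", BRICKED_DMESG), ("working", WORKING_DMESG)):
        print(label, triage(log, CMDLINE, TWRP_LOG if label == "bricked" else [])["verdict"])
```

On a device, feed it the output of `adb shell dmesg`, `adb shell cat /proc/cmdline` and the recovery log; the `uart_console` flag answers the "is console=ttyHSL0 in the commandline" question from the Tasks list.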
Reserved
Reserved for if there is ever a solution.
I extracted all the partitions in RAW format today. I'll add some more detailed info here in the near future on how I did it but I used software called DiskInternals Linux Reader.
-----
Update: The info on how to make a full RAW backup of the entire device without having an external SD card to save it to can be found in this thread. I made some adjustments for the Nexus 7 and I did it all in Cygwin.
To make a device backup in Cygwin and TWRP, open a terminal and do this:
Code:
adb forward tcp:5555 tcp:5555
adb shell
/sbin/busybox nc -l -p 5555 -e /sbin/busybox dd if=/dev/block/mmcblk0
Then open a second Cygwin Terminal and do this:
Code:
adb forward tcp:5555 tcp:5555
cd /nexus
nc 127.0.0.1 5555 | pv -i 0.5 > mmcblk0.img
You can then mount the image you pulled with DiskInternals Linux Reader. It will show you all of the individual partitions, all of the unallocated gaps between partitions and some info about each one. You can open the EXT4 partitions like /system to explore them, and you can also open the radio.img and see everything inside. You can then save all the partitions as individual images. This method doesn't work with the bricked tablet. I'm building a spreadsheet with info on all the partitions.
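Before handing a pulled mmcblk0.img (or the first few raw GB of a bricked tablet, as in the Tasks list) to a GUI tool, it is worth checking whether the partition table at the start of it is intact. The following is an added example, my code rather than anything from this thread or from DiskInternals: it parses the primary GPT out of a raw image, verifies the header and entry-array CRC32s, lists the partitions, and gives a crude "is there any data here at all" measure. It assumes 512-byte sectors and the primary header at LBA 1; the sample disk image it builds is constructed, with made-up partition names and extents.

```python
# Added example (not code from the thread): validate and list the primary GPT in a raw
# eMMC dump, plus a blank-sector measure for the "is there data present" task.
# Assumptions: 512-byte logical sectors, primary GPT header at LBA 1, entry array at LBA 2.
import struct
import uuid
import zlib

SECTOR = 512                                   # assumption: 512-byte logical sectors
HDR_FMT = "<8sIIIIQQQQ16sQIII"                 # 92-byte GPT header
ENT_FMT = "<16s16sQQQ72s"                      # 128-byte partition entry
LINUX_DATA = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")   # Linux filesystem type GUID


def _crc(b: bytes) -> int:
    return zlib.crc32(b) & 0xFFFFFFFF


def build_gpt_image(parts, disk_sectors=64, sector=SECTOR) -> bytes:
    """Constructed sample disk: protective-MBR signature, primary GPT at LBA 1, entries at LBA 2."""
    entries = b"".join(
        struct.pack(ENT_FMT, LINUX_DATA.bytes_le, uuid.uuid5(uuid.NAMESPACE_DNS, name).bytes_le,
                    first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))
        for name, first, last in parts)
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, disk_sectors - 1, 34, disk_sectors - 34,
              uuid.uuid5(uuid.NAMESPACE_DNS, "sample-disk").bytes_le, 2, len(parts), 128, _crc(entries)]
    fields[3] = _crc(struct.pack(HDR_FMT, *fields))   # header CRC is computed with its own field zeroed
    image = bytearray(disk_sectors * sector)
    image[510:512] = b"\x55\xaa"
    image[sector:sector + 92] = struct.pack(HDR_FMT, *fields)
    image[2 * sector:2 * sector + len(entries)] = entries
    return bytes(image)


def parse_gpt(image: bytes, sector=SECTOR) -> dict:
    """Check signature and both CRCs of the primary GPT; return the partition list if valid."""
    if len(image) < 2 * sector:
        return {"valid": False, "reason": "image too short"}
    hsize = struct.unpack_from("<I", image, sector + 12)[0]
    if hsize < 92 or sector + hsize > len(image):
        return {"valid": False, "reason": "header size out of range"}
    raw = bytes(image[sector:sector + hsize])
    f = struct.unpack_from(HDR_FMT, raw)
    sig, hcrc, guid, ent_lba, n, esz, ecrc = f[0], f[3], f[9], f[10], f[11], f[12], f[13]
    if sig != b"EFI PART":
        return {"valid": False, "reason": "bad signature (GPT missing or overwritten)"}
    if _crc(raw[:16] + b"\0\0\0\0" + raw[20:]) != hcrc:
        return {"valid": False, "reason": "header CRC mismatch"}
    if esz < 128:
        return {"valid": False, "reason": "entry size too small"}
    start = ent_lba * sector
    entries = bytes(image[start:start + n * esz])
    if len(entries) != n * esz or _crc(entries) != ecrc:
        return {"valid": False, "reason": "partition entry array CRC mismatch"}
    parts = []
    for i in range(n):
        t, _u, first, last, _attrs, name = struct.unpack(ENT_FMT, entries[i * esz:i * esz + 128])
        if t == b"\0" * 16:
            continue                                # unused slot
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                      "first_lba": first, "last_lba": last,
                      "size_bytes": (last - first + 1) * sector})
    return {"valid": True, "disk_guid": str(uuid.UUID(bytes_le=guid)), "partitions": parts}


def data_fraction(image: bytes, sector=SECTOR) -> float:
    """Share of sectors that are neither all-0x00 nor all-0xFF; 0.0 means nothing survived."""
    total = len(image) // sector
    blank = (b"\0" * sector, b"\xff" * sector)
    live = sum(1 for i in range(total) if bytes(image[i * sector:(i + 1) * sector]) not in blank)
    return live / total if total else 0.0


SAMPLE_PARTS = [("sbl1", 34, 35), ("aboot", 36, 39), ("userdata", 40, 60)]   # constructed
SAMPLE_IMAGE = build_gpt_image(SAMPLE_PARTS)

if __name__ == "__main__":
    info = parse_gpt(SAMPLE_IMAGE)
    print(info["valid"], [p["name"] for p in info["partitions"]], f"{data_fraction(SAMPLE_IMAGE):.3f}")
```

For a real dump, read the file (or its first few MB; the primary GPT sits in the first sectors) and pass the bytes to `parse_gpt()`; a "bad signature" or CRC mismatch result on a bricked tablet is the concrete evidence the working theory above asks for, and `data_fraction()` over a larger slice tells you whether the area is wiped or merely unreadable by the tools tried so far.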
fuser-invent said:
I extracted all the partitions in RAW format today. I'll add some more detailed info here in the near future on how I did it but I used software called DiskInternals Linux Reader.
From a working or an OTA-bricked device?
MattG987 said:
From a working or an OTA-bricked device?
I pulled them all from a working device so I can try to write them back to the bricked device, but also so I can try and make the flash programming files for use in QFIL. On another note, the bricked devices can show up in the Windows file manager as a single small partition with a list of files. I found out today that those files are the contents of the radio partition. I have a folder with those files from a bricked and a working device now and I'll do a hex comparison to see if they are still all intact on the bricked device. That also means the FAT partition at the very beginning of the eMMC chip is still there and working, so the whole chip isn't "dead".
Hi fuser-invent,
Thank you for your work.
Do you have any solution to write a stock ROM to flash memory?
Lollipop OTA bricked my Nexus 7 2013. Several people are reporting this problem.
I can't unlock the bootloader and adb sideload does not work.
Thanks.
yodtc said:
Hi fuser-invent,
Thank you for your work.
Do you have any solution to write a stock ROM to flash memory?
Lollipop OTA bricked my Nexus 7 2013. Several people are reporting this problem.
I can't unlock the bootloader and adb sideload does not work.
Thanks.
Still working on it but my job suddenly got really, really busy. Hoping to get back into it after the holiday rush. I wish there were other people trying to work on this problem too though.
I just received a new Nexus 7 on 5.1.1
It isn't bricked but when I flash TWRP it shows all the unable to mount errors in your first post and I can't access the sdcard. When I use the TWRP option to boot to system it says there's no OS installed but it does boot into android. I flashed the 6.0 img without any issues. Still the same problem with TWRP.
I've never had any issues like this before.
Andrew025 said:
I just received a new Nexus 7 on 5.1.1
It isn't bricked but when I flash TWRP it shows all the unable to mount errors in your first post and I can't access the sdcard. When I use the TWRP option to boot to system it says there's no OS installed but it does boot into android. I flashed the 6.0 img without any issues. Still the same problem with TWRP.
I've never had any issues like this before.
Have you tried the multi-rom TWRP that fixes the mount point problems?
autocon said:
Have you tried the multi-rom TWRP that fixes the mount point problems?
No, I wasn't aware of that until you mentioned it.
Thanks for the suggestion. I'll give it a shot when I have a chance. Should probably fix it since apparently the devices that shipped with 5.0 have the issue.
Andrew025 said:
No, I wasn't aware of that until you mentioned it.
Thanks for the suggestion. I'll give it a shot when I have a chance. Should probably fix it since apparently the devices that shipped with 5.0 have the issue.
I've the same issue and used the Multirom to workaround, but what about ROMs that say "use the latest version of TWRP" ?
If this is a software-caused problem, has the Android team been notified with a bug report or something?
As owner of 2 N7 2013 devices, one of them bricked, I would like to thank you for your work and time.
I find this thread very instructive and I think I will try to follow the leads you provided and try to get my device back to life.
Alas, much study is needed on my part!
I also found some info that may or may not be useful here:
github.com/aureljared/unbrick_8960
I hope I can find and share something useful, and wish you all good luck!
N7 2013 32GB Bricked
I look forward to doing some testing myself with this tablet... Problem is, my bootloader is locked and I can't unlock it since it won't format the internal storage... can't even boot into TWRP because of that.
Anyway, I'm very interested in using DD to flash the partitions at some point if that's available. I can also get into download mode, so using the qualcomm utility to write that way. It's just sitting here, waiting to be revived!
Following the instructions above, I could get to the point where I have the partitions of the working device.
I can also put both devices in 9008 mode, and the bricked device only in 9006 mode also. Although windows registers it as diagnostic mode, QPST is reading both 9008 and 9006 as Download Mode, and does not allow me to backup the working device.
So, as far as QPST goes, I'm kind of stuck.
But, reading what I found in github.com/aureljared/unbrick_8960 I might still have a chance: I just have to understand how to set up the files that are needed though...
Wish you all a good day!
orzem said:
Following the instructions above, I could get to the point where I have the partitions of the working device.
I can also put both devices in 9008 mode, and the bricked device only in 9006 mode also. Although windows registers it as diagnostic mode, QPST is reading both 9008 and 9006 as Download Mode, and does not allow me to backup the working device.
So, as far as QPST goes, I'm kind of stuck.
But, reading what I found in github.com/aureljared/unbrick_8960 I might still have a chance: I just have to understand how to set up the files that are needed though...
Wish you all a good day!
I think we need to build our own flashing files using aureljared's method. I have a ton of partitions and data ripped. I'll try to upload it soon so everyone has access to experiment with.
Sent from my iPhone using Tapatalk
Yes, I think so too. Also considering the fact that those scripts are much more understandable than a closed source program, even to me and my scarce knowledge.
Just a thought: why try and rebuild the partition table and then copy each partition in its place? Wouldn't it be much easier to just "dd" the working device in one single file and then "dd" it back on the bricked one?
Of course, IF (and only if) the hex and mbn provided by aureljared succeed in switching the device into Streaming Protocol and let us actually write to memory.
If there's anything I can do, I'll be glad to do it.
Have a nice day!
Hello Folks,
We are introducing a way to apply @Myriachan's WindowsRT "Test Mode" hack to Windows Phone 8/8.1 and Windows 10 Mobile Preview builds before 10572.
Yeah, actually this is not my complete hack; @Myriachan discovered the most wonderful hack I've ever seen. So the FULL credit goes to her, of course.
Probably, to enable Test Mode for Phone you have to have Full Registry Access to configure the BCD objects ("Boot Configuration Data").
Yeah, we have the vcReg editor based upon this for Lumia devices.
This is NOT specific to the LUMIA devices, but for now we only have Lumia devices with FULL Registry Access.
**********
CAUTIONS.
Please, DON'T BE STUPID. IT'S UEFI Hacking. Bricking chances are maximal and it is potentially too dangerous.
It can be permanent damage to the device and no one will recover your device (like Nokia/Microsoft Care, ATF Box).
So I'm not, and no other XDA member is, responsible for any damage to your device. Use it at your own risk.
**********
Introduction to Test-Signing.
Test-signing refers to using a test certificate to sign a pre-release version of a driver package for use on test computers. In particular, this allows developers to sign kernel-mode binaries by using self-signed certificates, such as those the MakeCert tool generates. Starting with Windows Vista, this capability allows developers to test kernel-mode binaries on Windows with driver signature verification enabled.
More details are here.
Introduction to Test-Signing Hack for Windows Phone.
Specifically, the "Trusted Boot Security Feature Bypass Vulnerability – CVE-2015-2552" is Myriachan's jailbreak exploit.
The exploit itself is simple. Run an administrator PowerShell (can't be cmd), and execute the following command, then reboot:
bcdedit /set '{current}' loadoptions '/TŅSTSIGNING'
(The Ņ character is Unicode character U+0145, which you can find in Character Map if you need it.)
Your system will come up in "test signing" mode, along with a watermark on the desktop indicating this. While in test-signing mode, applications still have to be signed, but they can be signed by anyone, including your own self-signed certificates.
How to sign executables for this is mostly beyond the scope of what I'm posting. Use makecert and signtool. Your certificate must be at least 2048-bit RSA. When using signtool, be sure to timestamp your executable (/t option), use page hashing mode (/ph) and SHA-256 (/fd SHA256).
More Details of why this works:
http://pastebin.com/w5U2qTR0
Source
How to Enable Test-Sign on Windows Phone.
Yeah, it is also simple.
Haven't got much time to write a simple tool for it. (I'll attach a xap here later.)
You have to write this registry key and value.
1. Deploy and RUN VcReg Editor.
2. Select "HKEY_LOCAL_MACHINE"
3. Select "String"
Enter Without Quote.
Path:
Code:
"BCD00000001\objects\{7619dcc9-fafe-11d9-b411-000476eba25f}\Elements\12000030"
(your guid may vary)
Key:
Code:
"Element"
Value:
Code:
"/TŅSTSIGNING"
*** NOTE THAT the "Ņ" character is Unicode character U+0145, so don't mess with it. Probably copy and paste it. ***
4. HIT WRITE BUTTON !!!
5. REBOOT DEVICE.
That's It.
To verify whether Test Mode is actually enabled or not,
read the registry key and value below.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
"SystemStartOptions"
It should include a value of "TESTSIGNING" (there are other strings too; ignore them). If not, that means it didn't work.
*** This is permanent TEST-SIGNING mode. After a hard reset it will stay "ENABLED". If you want to disable it, simply flash the stock ROM. ***
Thanks,
Credits.
Special thanks to @vcfan; without his RPC code, registry access would really be unreachable.
@Myriachan For this wonderful discovery.
Reserved Post for Official Test packages.
Microsoft.MS_TSHELL.MSN.MainOS.spkg
(Remove ".zip" extension)
Reserved for Custom Packages.
Also You can post your custom package in this thread, I'll attach here to this post.
How are we supposed to find our GUID in case it's different?
I got code execution as SYSTEM through this.
See http://forum.xda-developers.com/windows-phone-8/general/code-execution-test-mode-t3239066
Does not work on my Lumia 1020 with this GUID. How can I find the GUID?
titi66200 said:
Does not work on my Lumia 1020 with this GUID. How can I find the GUID?
I think the easiest way would be to grab the BCD from one of your phone's FFUs (convert it to VHD, open it with winimage, go to the first partition (FAT32), it'll be in \efi\microsoft\boot), then run the exploit in PowerShell in the directory you extracted the BCD to like:
bcdedit /store BCD /set '{default}' loadoptions '/TŅSTSIGNING'
then load the BCD as a registry hive in regedit and search it for "STSIGNING", find the GUID as the result.
Works on Lumia 830 Windows Phone 8.1 Version 8.10.15148.160 but not on Lumia 1020 Windows Mobile 10 Version 10.0.10581.0.
titi66200 said:
Works on Lumia 830 Windows Phone 8.1 Version 8.10.15148.160 but not on Lumia 1020 Windows Mobile 10 Version 10.0.10581.0.
This is patched on 10581; do the thing I did:
flash your 1020 back to 8.1 and get the Insider Slow ring update (it's build 10166),
then do Interop Unlock using VCReg v2.2. In build 10166 this bug is still present.
??? 520, 640xl
Get 10166 before they close the entrance!!
need help on iball I701
djamol said:
Reserved Post for Official Test packages.
Microsoft.MS_TSHELL.MSN.MainOS.spkg
(Remove ".zip" extension)
Hello sir, I have an iBall I701 Windows * tablet and I want to make it Android. Is it possible, and can you please guide me on how I can make this possible? Please, thank you
madycoot said:
Hello sir, I have an iBall I701 Windows * tablet and I want to make it Android. Is it possible, and can you please guide me on how I can make this possible? Please, thank you
Though my vision isn't possible if then thumbs up ?
Is there any way to do this on Win10 10.0.586.29?
titi66200 said:
Is there any way to do this on Win10 10.0.586.29?
No. Not Possible.
It has been patched in build 572.
So it will not work on later builds until Secure Boot is OFF.
My bootloader is unlocked with Windows Phone Internals.
I can deploy testsigning packages?
titi66200 said:
Is there any way to do this on Win10 10.0.586.29?
titi66200 said:
My bootloader is unlocked with Windows Phone Internals.
I can deploy testsigning packages?
Yes.
Put device into MassStorage Mode.
Bcdedit.exe /store D:\xyz -set TESTSIGNING ON
Or through reg edit.
Refer to the official MSDN page.
bcdedit /store H:\EFIESP\efi\Microsoft\Boot\BCD -set TESTSIGNING ON
But error
An error occurred while trying referencing the specified entry.
The specified file can not be found.
titi66200 said:
bcdedit /store H:\EFIESP\efi\Microsoft\Boot\BCD -set TESTSIGNING ON
But error
An error occurred while trying referencing the specified entry.
The specified file can not be found.
Hmm, then edit BCD entries through vcRegEditor.
Grab the BCD (it's a hive file) from the FFU or from your device.
"C:\EFIESP\efi\Microsoft\Boot\BCD"
run whatever commands. (like dual boot)
Observe objects and elements.
Write same Object Elements using vcreg Editor.
while writing to the BCD use this "BCD00000001" instead of "BCD".
Cheers...
Here are some test entries from an Engineering Device.
GlobalSettings
Code:
[HKEY_LOCAL_MACHINE\BCD\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\16000049]
"Element"=hex:01
Boot Manager.
Code:
[HKEY_LOCAL_MACHINE\BCD\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\16000049]
"Element"=hex:01
Found "Microsoft.BaseOS.EnableTestSigning_BCDStore_0.reg" in EFIESP.bin from RM825_1232.2101.1239.3001_PROD_developer_265_01_86530.ffu
Code:
[HKEY_LOCAL_MACHINE\BCD]
[HKEY_LOCAL_MACHINE\BCD\Objects]
[HKEY_LOCAL_MACHINE\BCD\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements]
[HKEY_LOCAL_MACHINE\BCD\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\16000049]
"Element"=hex:01
[HKEY_LOCAL_MACHINE\BCD\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements]
[HKEY_LOCAL_MACHINE\BCD\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\16000049]
"Element"=hex:00
titi66200 said:
Found "Microsoft.BaseOS.EnableTestSigning_BCDStore_0.reg" in EFIESP.bin from RM825_1232.2101.1239.3001_PROD_developer_265_01_86530.ffu
Code:
[HKEY_LOCAL_MACHINE\BCD]
[HKEY_LOCAL_MACHINE\BCD\Objects]
[HKEY_LOCAL_MACHINE\BCD\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements]
[HKEY_LOCAL_MACHINE\BCD\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\16000049]
"Element"=hex:01
[HKEY_LOCAL_MACHINE\BCD\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements]
[HKEY_LOCAL_MACHINE\BCD\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\16000049]
"Element"=hex:00
Yes. Exactly.
I kinda doubt too many folks are still using a first gen Moto E (xt830c..), however if you
are, here's a little - albeit late - love from the cactus patch! I had one of these given to
me a week or so ago, so I set out to root it and what not. Welps, root'in wasn't tootin since
the BL couldn't be unlocked.. Until I stumbled upon the Aleph Security initroot path to gaining adb
shell root via a command line injection exploit. Woot! So I set out to do this, and succeeded after
a little head banging. Here's how it works:
Boot phone into fastboot mode (volume down + power)
fastboot flash a malicious image to a non-existent partition
set a utag variable via fastboot oem config command
resume booting.
The utag variable set is actually the memory location aboot will find the malicious payload
at in the form of a ramdisk init string. This string is added to the command line, forcing aboot
to populate the filesystem with the malicious ramdisk contents. This allows you to replace init with an edited copy that sets selinux to permissive, and replaces adbd with a hacked copy.
I decided to take things one step further, and modified this to load TWRP. And hey, it werx gr8!
Anyhow, usage has been beaver-proofed. Extract the motoinit.zip to a folder. Put your phone into fastboot mode, then run init-root.cmd to load the payload for root adb shell, or run init-twrp.cmd to boot into TWRP recovery. These exploits aren't (currently...) persistent, so they would need to be run each time you wanted into TWRP or wanted a shell root session. Also, once you are done you'll need to drop back to fastboot mode again and run init-fixbootloop.cmd. This will unset the UTAG variable and allow you to boot normally.
I have an XT830C too. TWRP worked for me and boots, but problem is I get the line "INFOPermission denied" after the flash on both init-xxxx.cmd files on the command prompt, even if I ran it as administrator. Rooting still doesn't work for me. Wish someone found a way to decipher the bootloader unlock code.
What is this tutorial?
This tutorial will:
Creating an unofficial build of LineageOS 18.1 suitable for using to re-lock the bootloader on a OnePlus 8t
Take you through the process of re-locking your bootloader after installing the above
This tutorial will NOT:
Remove *all* warning messages during boot (the yellow "Custom OS" message will be present though the orange "Unlocked bootloader" message will not)
Allow you to use official builds of LineageOS 18.1 on your device with a re-locked bootloader (more details near the end of the tutorial)
This tutorial will assume you are working on an Ubuntu 18.04 installation, if you are using Windows or another Linux distro, the commands may be different.
Supported devices:
The following devices have been tested and confirmed to work:
OnePlus 7 Pro (guacamole)
OnePlus 8t (kebab)
Pixel 4 (flame)
Other OnePlus devices that support AVBv2 (OnePlus 6t and newer as well as most Pixel devices) and LineageOS 18.1 (see current support list over on the LineageOS download page) should work as well.
For simplicity's sake, all further references will only be to the 8t (kebab).
Pre-requisites:
a mid level knowledge of terminal commands and features
a supported phone
a PC with enough CPU/RAM to build LineageOS 18.1 (recommended 8 cores, 24g of RAM)
a working USB cable
fastboot/adb installed and functional
LineageOS 18.1 source code downloaded
at least one successful build of LineageOS
at least one successful signing of your build with your own keys
Misc. notes:
the basics of building/signing of LineageOS is outside the scope of this tutorial, refer to the LineageOS Wiki for details on how to complete these tasks
you'll be modifying some code in LineageOS, so if you are not comfortable using basic editing utilities as well as patch, do not proceed any further
the path to your LineageOS source code is going to be assumed to be ~/android/lineageos, if it is somewhere else, substitute the correct path in the tutorial
the path to your private certificate files is going to be assumed to be ~/android-certs, if it is somewhere else, substitute the correct path in the tutorial
*** WARNING ****
This process may brick your device. Do not proceed unless you are comfortable taking this risk.
*** WARNING ****
This process will delete all data on your phone! Do not proceed unless you have backed up your data!
*** WARNING ****
Make sure you have read through this entire process at least once before attempting it; if you are uncomfortable with any steps included in this guide, do not continue.
And now on with the show!
Step 1: Basic setup
You need a few places to store things, so create some working directories:
Code:
mkdir ~/android/kebab
mkdir ~/android/kebab/patches
mkdir ~/android/kebab/pkmd
You also need to add "~/android/lineageos/out/host/linux-x86/bin" to your shell's profile path. Make sure to close and restart your session afterwards otherwise the signing will fail later on with a "file not found" error message (this may no longer be required).
Step 2: Update kebab's BoardConfig.mk
You will need to add a few parameters to the end of ~/android/lineageos/device/oneplus/kebab/BoardConfig.mk, they are:
Code:
BOARD_AVB_ALGORITHM := SHA256_RSA2048
BOARD_AVB_KEY_PATH := /home/<userid>/.android-certs/releasekey.key
Note you cannot use "~" in the path names above to signify your home directory, so give the full absolute path to make sure the files are found.
Step 3: Update sm8250-common's BoardConfigCommon.mk
LineageOS by default disables Android Verified Boot's partition verification, but you can enable it now as all the required parts will be in place.
To enable partition verification do the following:
Code:
cd ~/android/lineageos/device/oneplus/sm8250-common
sed -i 's/^BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2/#BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2/' BoardConfigCommon.mk
sed -i 's/^BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --set_hashtree_disabled_flag/#BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --set_hashtree_disabled_flag/' BoardConfigCommon.mk
sed -i 's/^BOARD_AVB_VBMETA_SYSTEM_KEY_PATH := external\/avb\/test\/data\/testkey_rsa2048.pem/BOARD_AVB_KEY_PATH := \/home\/<userid>\/.android-certs\/releasekey.key/' BoardConfigCommon.mk
Don't forget to replace your <userid> in the third sed command above with your current logged in user id.
Step 4: Patch the AOSP and Device Makefile
You also need to patch the Makefile included with AOSP as it will otherwise fail during the build.
The required patch can be found here:
https://raw.githubusercontent.com/Wunderment/build_tasks/master/source/core-Makefile-fix-18.1.patch
Download it and store in ~/android/kebab/patches.
Now apply it with the following command:
Code:
cd ~/android/lineageos/build/core
patch Makefile ~/android/kebab/patches/core-Makefile-fix-18.1.patch
If you would like to know more about this patch, see the additional info at the bottom of this post.
There is also a small addition to the device's common.mk required to enable the OEM unlock option in developers options, do this via the following commands:
Code:
cd ~/android/lineageos/device/oneplus/sm8250-common
sed -i 's/^# OMX/# OEM Unlock reporting\nPRODUCT_DEFAULT_PROPERTY_OVERRIDES += \\\n ro.oem_unlock_supported=1\n\n# OMX/' common.mk
Step 5: Build LineageOS
You are now ready to build:
Code:
cd ~/android/lineageos
breakfast kebab
source build/envsetup.sh
croot
mka target-files-package otatools
Step 6: Sign the APKs
You are now ready to sign the apks with sign_target_files_apks:
Code:
./build/tools/releasetools/sign_target_files_apks -o -d ~/.android-certs $OUT/obj/PACKAGING/target_files_intermediates/*-target_files-*.zip signed-target_files.zip
Step 7: Build the OTA
Now it is time to complete the OTA package:
Code:
./build/tools/releasetools/ota_from_target_files -k ~/.android-certs/releasekey --block signed-target_files.zip lineage-18.1-[date]-UNOFFICIAL-kebab-signed.zip
Note, replace [date] with today's date in YYYYMMDD format.
Step 8: Create pkmd.bin for your phone
Before you can lock your phone, you have to tell it what your public key is so it knows it can trust your build.
To do this you need to create a pkmd.bin file:
Code:
~/android/lineageos/external/avb/avbtool extract_public_key --key ~/.android-certs/releasekey.key --output ~/android/kebab/pkmd/pkmd.bin
Step 9: Flashing your LineageOS build
It's time to flash your build to your phone. The following steps assume you have already unlocked your phone and have flashed an official version of LineageOS to it. You don't need to have flashed LineageOS yet, you could use TWRP through "fastboot boot" if you prefer. Or, if you want to use the recovery that was just created, it is located in ~/android/lineageos/out/target/product/kebab and is called recovery.img.
Reboot your phone in to recovery mode
In LineageOS Recovery return to the main menu and select "Apply update"
From your PC, run:
Code:
adb sideload ~/android/lineageos/lineage-18.1-[date]-UNOFFICIAL-kebab-signed.zip
When the sideload is complete, reboot in to LineageOS. Make sure everything looks good with your build.
You may also need to format your data partition at this time depending on what you had installed on your phone previously.
Step 10: Flashing your signing key
Now it's time to add your signing key to the Android Verified Boot process. To do so, do the following:
Reboot your phone in to fastboot mode
From your PC, run:
Code:
fastboot flash avb_custom_key ~/android/kebab/pkmd/pkmd.bin
fastboot reboot bootloader
fastboot oem lock
On your phone, confirm you want to re-lock and it will reboot
Your phone will then factory reset and then reboot in to LineageOS.
Which of course means you have to go through the first time setup wizard, so do so now.
Step 11: Disable OEM unlock
Congratulations! Your boot loader is now locked, but you can still unlock it again using fastboot, so it's time to disable that as well.
Unlock your phone and go to Settings->About phone
Scroll to the bottom and find "Build number"
Tap on it to enable the developer options
Go to Settings->System->Advanced->Developer options
Disable the "OEM unlocking" slider
Reboot
Step 12: Profit!
Other things
The above will build a standard USERDEBUG version of LineageOS, however this will still allow LineageOS Recovery to sideload non-signed files as well as give you root shell access through ADB. Step 3/4 above protects your system/vendor/boot/dtbo/etc. partitions, but none of the others. Likewise USERDEBUG builds will allow for rolling back to previous builds/versions of LineageOS. To increase security and disallow both of these scenarios you may want to build a USER version of LineageOS to install. However this brings in other issues, such as flashing newer firmware from OnePlus, so make sure you understand the implications of both choices. For more details on build types, see https://source.android.com/setup/develop/new-device#build-variants.
In the above example the releasekey from your LineageOS install has been used to sign AVB, but AVB supports other key strengths up to SHA512_RSA8192. You could create a key just for signing AVB that used different options than the default keys generated to sign LineageOS.
If you want to remove your signing key from your phone, you can do it by running "fastboot erase avb_custom_key".
The changes you made to the AOSP Makefile may conflict with future updates that you pull from LineageOS through repo sync, if you have to reset the file to get repo sync to complete successfully, you'll have to reapply the changes afterwards.
So why can't I do this with official LineageOS builds?
NEW: You can! See this thread for more details.
For Android Verified Boot (AVB) to work, it must have the hash values for each of the system/vendor/boot/dtbo/etc. partitions stored in vbmeta. Official LineageOS builds for kebab do include the vendor.img in them along with everything else that is needed, however that is not true for all phones.
There are two "issues" that stop someone from using the official kebab builds:
LineageOS does not provide a pkmd.bin file to flash to your phone to include the public key in your AVB process (NEW: this thread shows you how to extract the key).
AVB is enabled in the official LineageOS builds but does not validate the hash trees during boot which limits the protection offered.
Ok, what messages do I see during the boot process then?
During a boot you will of course see the standard OnePlus power up screen, followed by the yellow "custom os" message and then the standard LineageOS boot animation.
For more details on AVB boot messages, see https://source.android.com/security/verifiedboot/boot-flow
So what does that patch to the Makefile do?
AOSP's default Makefile makes an assumption that when AVB is enabled, that all the img files will be available well before vbmeta.img is created. This is simply NOT true and AOSP seems to know this as well from the following comment in the Makefile:
Code:
# Not using INSTALLED_VBMETA_SYSTEMIMAGE_TARGET as it won't be set yet.
ifdef BOARD_AVB_VBMETA_SYSTEM
$(eval $(call check-and-set-avb-args,vbmeta_system))
endif
ifdef BOARD_AVB_VBMETA_VENDOR
$(eval $(call check-and-set-avb-args,vbmeta_vendor))
endif
These two calls eventually evaluate to returning the path to the partitions based upon the INSTALLED_*IMAGE_TARGET variable, which isn't created until later in the build process.
Because of this, the command to build vbmeta.img gets corrupted due to the missing make variable being empty and an invalid command line is passed to avbtool near the end of the build.
The corruption happens due to the fact that the following line from the original Makefile:
Code:
--include_descriptors_from_image $(call images-for-partitions,$(1))))))
Gets added to the avbtool call even if "$(call images-for-partitions,$(1))" turns out to be an empty string. Avbtool then throws an error message as it is expecting a parameter after the "--include_descriptors_from_image" flag that is added for the "empty" partition path.
The fix is to call "$(call images-for-partitions,$(1))" earlier, set it to a variable and check to make sure it isn't an empty string before letting the "--include_descriptors_from_image" be added to the avbtool command line to be used later.
This technically generates an incomplete vbmeta.img file during the build process, but since the signing process recreates it from scratch anyway, no harm, no foul.
Thank You's
Obviously to all of the members of the LineageOS team!
LuK1337 for supporting kebab
optimumpro for the OnePlus 5/5t re-locking guide (https://forum.xda-developers.com/oneplus-5/how-to/guide-relock-bootloader-custom-rom-t3849299) which inspired this one
Quark.23 for helping with the process and testing on enchilada for my previous guide (https://forum.xda-developers.com/t/...s-6t-with-a-self-signed-build-of-los.4113743/) with the Oneplus 6/6t and LineageOS 17.1
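As an added example (not from this guide and not part of avbtool), the following Python parses an `avbtool info_image` report and flags the two vbmeta bits that Step 3 stops setting, so you can confirm before re-locking that the vbmeta.img you flashed actually enforces verification. The bit values are libavb's definitions from avb_vbmeta_image.h; the two report texts are constructed to mirror avbtool's output, with a placeholder key hash, and `info_image()` is the only part that touches a real image.

```python
"""Check an avbtool info_image report for the vbmeta flags this guide changes.

Added example, not part of the guide or of avbtool. Flag bit values are the
libavb definitions (avb_vbmeta_image.h); the report texts below are
constructed samples, not captured from a real vbmeta.img.
"""
import re
import subprocess

# From libavb avb_vbmeta_image.h.
AVB_FLAG_HASHTREE_DISABLED = 1 << 0      # what --set_hashtree_disabled_flag sets
AVB_FLAG_VERIFICATION_DISABLED = 1 << 1  # what --flags 2 sets

# Top-level fields of the report; "Rollback Index Location:" deliberately does
# not match because the colon must follow "Rollback Index" directly.
_FIELD = re.compile(
    r"^(Algorithm|Flags|Rollback Index|Public key \(sha1\)):\s*(.*\S)\s*$"
)


def parse_info_image(report: str) -> dict:
    """Collect the top-level fields of an avbtool info_image report."""
    fields = {}
    for line in report.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_vbmeta(report: str, expected_algorithm: str = "SHA256_RSA2048") -> dict:
    """Return what this vbmeta would (not) enforce at boot, and why."""
    info = parse_info_image(report)
    flags = int(info.get("Flags", "0"))
    findings = []
    if flags & AVB_FLAG_VERIFICATION_DISABLED:
        findings.append("verification disabled (flags bit 1): vbmeta is not enforced")
    if flags & AVB_FLAG_HASHTREE_DISABLED:
        findings.append("hashtree disabled (flags bit 0): dm-verity is off")
    algorithm = info.get("Algorithm")
    if algorithm != expected_algorithm:
        findings.append(f"algorithm {algorithm} != {expected_algorithm}")
    return {
        "flags": flags,
        "algorithm": algorithm,
        "rollback_index": int(info.get("Rollback Index", "0")),
        "key_sha1": info.get("Public key (sha1)"),
        "enforcing": not findings,
        "findings": findings,
    }


def info_image(avbtool: str, image: str) -> str:
    """Run avbtool on a real image; returns the report text for audit_vbmeta()."""
    return subprocess.run([avbtool, "info_image", "--image", image],
                          check=True, capture_output=True, text=True).stdout


def _sample(flags: int) -> str:
    # Constructed report; the key hash is a placeholder, not a real key.
    return (
        "Minimum libavb version:   1.0\n"
        "Header Block:             256 bytes\n"
        "Authentication Block:     320 bytes\n"
        "Auxiliary Block:          1856 bytes\n"
        "Public key (sha1):        <placeholder-sha1>\n"
        "Algorithm:                SHA256_RSA2048\n"
        "Rollback Index:           0\n"
        f"Flags:                    {flags}\n"
        "Rollback Index Location:  0\n"
        "Release String:           'avbtool 1.2.0'\n"
        "Descriptors:\n"
        "    Hashtree descriptor:\n"
        "      Partition Name:        system\n"
    )


# LineageOS default (--flags 2 and --set_hashtree_disabled_flag, both bits set)
# versus the result after Step 3 comments both lines out of BoardConfigCommon.mk.
SAMPLE_LINEAGE_DEFAULT = _sample(AVB_FLAG_VERIFICATION_DISABLED | AVB_FLAG_HASHTREE_DISABLED)
SAMPLE_AFTER_STEP_3 = _sample(0)

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_LINEAGE_DEFAULT),
                       ("after step 3", SAMPLE_AFTER_STEP_3)):
        result = audit_vbmeta(text)
        print(f"{name}: flags={result['flags']} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("  -", finding)
```

To check a real build, pass `info_image("~/android/lineageos/external/avb/avbtool", "vbmeta.img")` output to `audit_vbmeta()`.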
Is root with magisk possible with a locked bootloader? Would that require signing the magisk-patched boot.img or packing magisk into the boot.img at build time?
coloneyescolon said:
Is root with magisk possible with a locked bootloader? Would that require signing the magisk-patched boot.img or packing magisk into the boot.img at build time?
You would have to include magisk in the build process; if you tried to "patch" the boot image after signing it would fail to boot as it would no longer have the right hash and you'd get the "corrupt OS" message.
Is it possible signing the boot image after patching it with magisk?
Hello,
I followed the exact steps, and The build failed for OnePlus 7 Pro (guacamole), with this error:
error: device/oneplus/sm8150-common/fod/Android.bp:16:1: "[email protected]us_msmnile" depends on undefined module "//device/oneplus/
common:[email protected]"
error: device/oneplus/sm8150-common/fod/Android.bp:16:1: "[email protected]us_msmnile" depends on undefined module "//device/oneplus/
common:[email protected]"
16:07:07 soong bootstrap failed with: exit status 1
#### failed to build some targets (10 seconds) ####
ahmed.elsersi said:
Hello,
I followed the exact steps, and The build failed for OnePlus 7 Pro (guacamole), with this error:
error: device/oneplus/sm8150-common/fod/Android.bp:16:1: "[email protected]us_msmnile" depends on undefined module "//device/oneplus/
common:[email protected]"
error: device/oneplus/sm8150-common/fod/Android.bp:16:1: "[email protected]us_msmnile" depends on undefined module "//device/oneplus/
common:[email protected]"
16:07:07 soong bootstrap failed with: exit status 1
#### failed to build some targets (10 seconds) ####
That looks like you're missing some of the proprietary blobs, did you verify LineageOS compiled successfully before making any changes? Did you use the extract files script or use the muppets repo?
WhitbyGreg said:
That looks like you're missing some of the proprietary blobs, did you verify LineageOS compiled successfully before making any changes? Did you use the extract files script or use the muppets repo?
Hello,
I did extract the proprietary blobs from payload-based.
Do you mean I should compile LineageOS successfully first using:
source build/envsetup.sh
breakfast guacamole
croot
brunch guacamole
before I follow the steps listed here in this guide??
Thank You
ahmed.elsersi said:
Hello,
I did extract the proprietary blobs from payload-based.
Do you mean I should compile LineageOS successfully first using:
source build/envsetup.sh
breakfast guacamole
croot
brunch guacamole
before I follow the steps listed here in this guide??
Thank You
Check the extraction script for errors or switch to the muppets, sometimes the extraction script isn't up to date.
In general, yes, make sure you have a version of LineageOS that compiles successfully, that way you know you have a valid base to start from.
Pre-requisites:
at least one successful build of LineageOS
at least one successful signing of your build with your own keys
WhitbyGreg said:
Check the extraction script for errors or switch to the muppets, sometimes the extraction script isn't up to date.
In general, yes, make sure you have a version of LineageOS that compiles successfully, that way you know you have a valid base to start from.
Thank You so much.
One last question if I may: can these steps be applied on LineageOS 4 MicroG using the automated build by their docker image docker-lineage-cicd?
Thank You
ahmed.elsersi said:
Thank You so much.
One last question if I may: can these steps be applied on LineageOS 4 MicroG using the automated build by their docker image docker-lineage-cicd?
Thank You
You'd have to modify the docker image from my understanding as it includes all the source and tools required to do the build.
Hello,
Kindly, could you clarify what you mean by ~/.android-certs/releasekey.key and ~/.android-certs/releasekey.key/?
I created my own signing keys, and the output contains releasekey.pk8 and releasekey.x509.pem, that is why I'm confused.
Note: I did a successful build of LineageOS with OEM unlock support, its option shows in the development menu, and I flashed it to my OnePlus 7 Pro. I used only that option:
cd ~/android/lineageos/device/oneplus/sm8250-common
sed -i 's/^# OMX/# OEM Unlock reporting\nPRODUCT_DEFAULT_PROPERTY_OVERRIDES += \\\n ro.oem_unlock_supported=1\n\n# OMX/' common.mk
Thank You
ahmed.elsersi said:
Hello,
Kindly, could you clarify what you mean by ~/.android-certs/releasekey.key and ~/.android-certs/releasekey.key/?
I created my own signing keys, and the output contains releasekey.pk8 and releasekey.x509.pem, that is why I'm confused.
You might need to convert your pk8 into plain text using openssl like so:
openssl pkcs8 -in releasekey.pk8 -out releasekey.key
WhitbyGreg said:
You might need to convert your pk8 into plain text using openssl like so:
Thank You for the help.
I'm sorry, it did not work; that's what I got:
Error reading key
139625476420992:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ENCRYPTED PRIVATE KEY
WhitbyGreg said:
You might need to convert your pk8 into plain text using openssl like so:
I used the releasekey.x509.pem file; it is a PEM certificate text file, and the build failed.
Hello,
Kindly clarify what releasekey.key stands for: is it the private key or the public one? Is it a data file or a text file?
The build fails just the same.
avbtool extract_public_key --key ~/keys/releasekey.x509.pem --output ~/public_key.key
/android/lineageos/out/host/linux-x86/bin/avbtool: Error getting public key: unable to load Public Key
140081520305536:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: PUBLIC KEY
avbtool extract_public_key --key ~/keys/releasekey.pk8 --output ~/public_key.key
/android/lineageos/out/host/linux-x86/bin/avbtool: Error getting public key: unable to load Public Key
140477081752960:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: PUBLIC KEY
ahmed.elsersi said:
Thank You for the help.
I'm sorry, it did not work; that's what I got:
Error reading key
139625476420992:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ENCRYPTED PRIVATE KEY
What commandline did you use exactly?
ahmed.elsersi said:
I used the releasekey.x509.pem file; it is a PEM certificate text file, and the build failed.
You can't use that.
WhitbyGreg said:
You can't use that.
I'm trying to understand: what is the releasekey.key file? Does it contain the private key, the public key, or both, and is it a data file or a text file?
I did this:
openssl x509 -in releasekey.x509.pem -pubkey -out releasekey.key
The output file is text and contains the public key and the certificate.
When I delete the certificate part and start the build, I get this error:
/android/lineageos/out/host/linux-x86/bin/avbtool: Error signing: unable to load Private Key
140394811372928:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
If I delete the public key part, I get this error:
/android/lineageos/out/host/linux-x86/bin/avbtool: Error getting public key: unable to load Public Key
139655441114496:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: PUBLIC KEY
If I don't change anything and use the output file releasekey.key as is and start the build, I get this error:
/android/lineageos/out/host/linux-x86/bin/avbtool: Error signing: unable to load Private Key
139736685180288:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
I did a successful LineageOS signed build with my own generated keys and flashed on my mobile and working fine.
So, kindly, could you please just tell us what this releasekey.key file is, and how we can generate this releasekey.key?
Thank You
ahmed.elsersi said:
When I delete the certificate part and start the build, I get this error:
Why did you delete anything?
ahmed.elsersi said:
So, kindly, could you please just tell us what this releasekey.key file is, and how we can generate this releasekey.key?
releasekey.key is the plaintext private key for the release certificate.
WhitbyGreg said:
Why did you delete anything?
releasekey.key is the plaintext private key for the release certificate.
Following the LineageOS signing build steps, these files are generated:
media.pk8, networkstack.pk8, platform.pk8, releasekey.x509.pem, shared.x509.pem, testkey.x509.pem, media.x509.pem, networkstack.x509.pem, platform.x509.pem, releasekey.pk8, shared.pk8, testkey.pk8
I'm sorry, for the last 2 days I've been going around in circles trying to figure out how to complete your guide and get a successful build.
Could you please, if you do not mind, just tell me how to generate this releasekey.key, the plaintext private key for the release certificate?
Your help is highly appreciated, thank you
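The conversion WhitbyGreg suggests, together with the check a practitioner would run before signing a build with the result, as an added example that is not the thread's or LineageOS's own code. It assumes an AOSP-style key pair as produced by make_key: releasekey.pk8 is a DER-encoded PKCS#8 private key (encrypted when make_key was given a password), and releasekey.x509.pem is the PEM certificate. Reading that DER file with openssl's PEM default is exactly what produces the "no start line ... Expecting: ..." errors quoted above, so the conversion below adds -inform DER. The helper names are hypothetical, and the key pair the demo generates is a constructed throw-away one, not keys to sign anything with.

```shell
#!/bin/sh
# Added example (not LineageOS's or the thread's own code): turn an AOSP-style
# releasekey.pk8 into the PEM private key "releasekey.key" that avbtool reads,
# and check that the key belongs to releasekey.x509.pem before signing anything.
# Function names are hypothetical; the key pair is a constructed throw-away one.
set -eu

# make_test_keypair DIR [PASSWORD]: write the two files AOSP's make_key
# produces: releasekey.pk8 (PKCS#8 private key, DER-encoded, encrypted when a
# password is given) and releasekey.x509.pem (PEM certificate).
make_test_keypair() {
    dir=$1; pw=${2:-}
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/tmp.pem" 2>/dev/null
    if [ -n "$pw" ]; then
        openssl pkcs8 -topk8 -inform PEM -outform DER -passout "pass:$pw" \
            -in "$dir/tmp.pem" -out "$dir/releasekey.pk8"
    else
        openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
            -in "$dir/tmp.pem" -out "$dir/releasekey.pk8"
    fi
    openssl req -new -x509 -key "$dir/tmp.pem" -days 365 \
        -subj "/CN=constructed test release key" \
        -out "$dir/releasekey.x509.pem" 2>/dev/null
    rm -f "$dir/tmp.pem"
}

# is_der FILE: succeeds when FILE starts with the ASN.1 SEQUENCE tag 0x30,
# i.e. it is binary DER rather than "-----BEGIN ..." PEM text. Feeding DER to
# openssl's PEM default is what yields "no start line ... Expecting: ...".
is_der() {
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# pk8_to_key PK8 OUT [PASSWORD]: the conversion suggested in the thread, with
# -inform DER added because the pk8 is DER. An encrypted pk8 is decrypted with
# PASSWORD; an unencrypted one needs -nocrypt. OUT is an unencrypted private
# key, so its permissions are tightened.
pk8_to_key() {
    pk8=$1; out=$2; pw=${3:-}
    if [ -n "$pw" ]; then
        openssl pkcs8 -inform DER -passin "pass:$pw" -in "$pk8" -out "$out"
    else
        openssl pkcs8 -inform DER -nocrypt -in "$pk8" -out "$out"
    fi
    chmod 600 "$out"
}

# key_matches_cert KEY CERT: succeeds only when the public key derived from the
# private key is byte-for-byte the public key embedded in the certificate.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Demo: build a throw-away pair, convert it, and verify the match.
demo_dir=$(mktemp -d)
make_test_keypair "$demo_dir" ""
is_der "$demo_dir/releasekey.pk8" && echo "releasekey.pk8 is DER, not PEM"
pk8_to_key "$demo_dir/releasekey.pk8" "$demo_dir/releasekey.key" ""
head -n 1 "$demo_dir/releasekey.key"   # the PEM private-key header
if key_matches_cert "$demo_dir/releasekey.key" "$demo_dir/releasekey.x509.pem"; then
    echo "releasekey.key matches releasekey.x509.pem"
fi
rm -rf "$demo_dir"
```

Run as-is to see the demo. For a real key, call pk8_to_key on the pk8 from ~/.android-certs with the password given to make_key (or none if it was left blank), then key_matches_cert against the matching x509.pem; the resulting releasekey.key is the PEM private key that the "Expecting: ANY PRIVATE KEY" messages above are asking for.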