Risk of unlocking bootloader and flashing twrp. - ZTE Axon 7 Questions & Answers

Hello
I am aware that there isn't any warranty at all here that anything you do won't have negative effects on your phone. I've flashed quite a few roms on phones like the oneplus one, sony xperia sp, samsung galaxy core plus, nexus 5x, lg cookie, moto defy plus,... I've had tens of soft bricks, but never anything I couldn't recover from.
Anyways, I'm sick and tired of the laggy MiFavor UI on this phone, and would like to install CM13. I've an A2016G. I've seen some EU folk have issues with Tenfar's unlocking method, having hard bricked them since they can't get into a certain (EDL?) mode.
My question is this: if I read every thread and follow every step very carefully, is there a major risk my axon 2016G turns into a 450 euro paperweight? Is there perhaps another unlock method that's 99% secure?
Thank you
Jan

Hate to be that guy, but is there no-one with some knowledge around this?
Thanks.

Controllerboy said:
Hate to be that guy, but is there no-one with some knowledge around this?
Thanks.
Let me be the second guy, I'm amazed no one replied...
I'm in the same predicament; do I stay stock and use a great piece of hardware with crap software, or do I dare take the plunge and be able to make the phone as it ought to be at the risk of ending up with a very expensive paperweight...
What the hell did ZTE think when developing the A2017G model. And why is there after all these months no clear answer/procedure for this model. Is it that rarely used? How come there is no solution even though the firehose files are out there?
Hope someone finds a foolproof solution soon....
Cheerz,
/Cacti
Sent from my ZTE A2017G using Tapatalk

I have the US model and I won't use tenfar's method on the phone for which it's intended. It's a questionable method

Unlocking your bootloader and Flashing CM13 is pretty easy and I don't really think there is much risk of permanently bricking your phone. However as of right now it really isn't worth the effort. I flashed CM 13 yesterday and it ran well, but the camera wasn't working so I decided to go back to the stock software. So unless you don't need the camera I'd skip flashing for now.

lag?
Controllerboy said:
Hello
I am aware that there isn't any warranty at all here that anything you do won't have negative effects on your phone. I've flashed quite a few roms on phones like the oneplus one, sony xperia sp, samsung galaxy core plus, nexus 5x, lg cookie, moto defy plus,... I've had tens of soft bricks, but never anything I couldn't recover from.
Anyways, I'm sick and tired of the laggy MiFavor UI on this phone, and would like to install CM13. I've an A2016G. I've seen some EU folk have issues with Tenfar's unlocking method, having hard bricked them since they can't get into a certain (EDL?) mode.
My question is this: if I read every thread and follow every step very carefully, is there a major risk my axon 2016G turns into a 450 euro paperweight? Is there perhaps another unlock method that's 99% secure?
Thank you
Jan
ok, where is this lag? I've been using it stock since I got it after the Note 7, which was very laggy, and have failed to notice any lag.

Zero lag here as well, buttery smooth at all times. Heads and shoulders above the Note 7 that I came from in terms of responsiveness and general performance.
Sent from my ZTE A2017 using Tapatalk

jawz101 said:
I have the US model and I won't use tenfar's method on the phone for which it's intended. It's a questionable method
On the US model, you can get an unlocked bootloader & all the trimmings without using tenfar's tool at all, although it's a bit more of a roundabout method.

Just unlocked mine working great.

Hi,
Just thought I'd add as I'm one of those who did end up in DFU mode permanently. I have a reasonable understanding of the issue at hand and I've been one of the few who have been vocal about not calling the current method safe for us.
My suggestion if you have an A2017G is not to bother using tenfar's tool unless you're willing to RMA or make use of your warranty. I'm not in a position where I can do that, but since most are there hasn't been much interest in a solution.
I don't have the firehose itself to begin working on fixing the issue, though I do have a rough idea of how to do so using the partition table for TWRP but I don't think I have the time to learn how to put it all together myself. Particularly when I'm replacing my Axon 7 with a Mi Note 2.
What is needed is an unbrick tool, ZTE have made and released them for their own devices before, why they don't do that with Axon 7 is beyond me.

rendler said:
Zero lag here as well, buttery smooth at all times. Heads and shoulders above the Note 7 that I came from in terms of responsiveness and general performance.
Sent from my ZTE A2017 using Tapatalk
You must be using the US or CN model, because the EU model is laggy as hell. It's by far the laggiest ROM I used on a phone with high-end specs..

keessonnema said:
You must be using the US or CN model, because the EU model is laggy as hell. It's by far the laggiest ROM I used on a phone with high-end specs..
Yup, using Chinese model with 128GB of storage.
Sent from my ZTE A2017 using Tapatalk

Just my 2 cents having unlocked the bootloader on my A2017G. I used tenfar's tool to back up the boot and stock recovery images and flashed the TWRP recovery and didn't run into problems fortunately. I wouldn't recommend flashing the rooted boot.img by tenfar until (hopefully) we'll have an unbrick tool for the G version.
My recommendation ----- On the G version don't mess around with the bootloader! ----- My recommendation
I've been able to unlock the bootloader on B03, reflashed stock recovery with tenfar's tool and successfully updated to B05 from the SD card.
If you want root I recommend to go the unlock bootloader - flash SuperSU 3.65 route instead of flashing the pre-rooted boot.img from tenfar with a locked bootloader as chances of things going haywire seem to be greater with the second method on the G version.
In case you have any reservations I definitely recommend waiting for an unbrick method for the G version before you try any of this. If and when such a method will come is undetermined at this point in time.
@lag of G version: Can't confirm that on B05, everything running smooth so far. There are a few graphical glitches though (stock browser displaying left side first and sometimes has trouble showing the content fullscreen).
Pull-down notification bar has double-lined icon text slightly cut off on the bottom once you switch to landscape mode and pull down the notification bar.

jawz101 said:
I have the US model and I won't use tenfar's method on the phone for which it's intended. It's a questionable method
I've seen this said a couple of times (or maybe it's just you in different threads, I don't know), but I don't understand it. By its very nature, rooting your phone is "questionable". Why is tenfar's method/tool any worse than any other method or tool? Do you have some technical insight to provide (and if so, please do so) or is it just an opinion based on nothing? I certainly don't have any issue with the latter, but I find it odd that people without any technical expertise speak as if they're an authority of some kind.

rczrider said:
I've seen this said a couple of times (or maybe it's just you in different threads, I don't know), but I don't understand it. By its very nature, rooting your phone is "questionable". Why is tenfar's method/tool any worse than any other method or tool? Do you have some technical insight to provide (and if so, please do so) or is it just an opinion based on nothing? I certainly don't have any issue with the latter, but I find it odd that people without any technical expertise speak as if they're an authority of some kind.
It's probably me and a few others. Ok, answer me these questions:
What does the tool specifically modify on the phone?
What is a "firehose mbn" anyway? Tenfar mentioned it is how it gains access to the phone. I don't know if that is a tool to do so or if it's a file that gets put on the phone in a more permanent chipset-level storage only meant to be altered by Qualcomm or phone manufacturers. I'm fine with replacing a recovery, kernel, ROM; the boot.img or anything lower than that is closed source for a reason. Probably because it's talking directly to the hardware and code at that lower level can circumvent anything in a kernel, recovery or ROM.
Would it affect Snapdragon SmartProtect?
https://www.qualcomm.com/products/snapdragon/security/smart-protect
Why do virus scanners call it a Windows trojan if it's an Android hack?
Yes, I call it questionable because I have questions. Since the file is encrypted you can't answer those questions for me. All I can gather is everyone who has used it has basically said "I used it and it did what I wanted it to do so it must be safe."
---------- Post added at 10:20 AM ---------- Previous post was at 09:46 AM ----------
@rczrider
Here are the posts in the thread by a security expert asking questions about the method.
http://forum.xda-developers.com/search.php?searchid=430010789
Here is tenfar's response to him
http://forum.xda-developers.com/axo...r-unlokced-t3441204/post68301899#post68301899
Here's a post from him on ZTEUSA
https://community.zteusa.com/message/50425
Here's a blog post he made about it
https://blog.onedefence.com/signed-firehose-images-and-why-theyre-dangerous/?pk_campaign=zte-forums

jawz101 said:
It's probably me and a few others. Ok, answer me these questions:
What does the tool specifically modify on the phone?
What is a "firehose mbn" anyway? Tenfar mentioned it is how it gains access to the phone. I don't know if that is a tool to do so or if it's a file that gets put on the phone in a more permanent chipset-level storage only meant to be altered by Qualcomm or phone manufacturers. I'm fine with replacing a recovery, kernel, ROM; the boot.img or anything lower than that is closed source for a reason. Probably because it's talking directly to the hardware and code at that lower level can circumvent anything in a kernel, recovery or ROM.
Would it affect Snapdragon SmartProtect?
https://www.qualcomm.com/products/snapdragon/security/smart-protect
Why do virus scanners call it a Windows trojan if it's an Android hack?
Yes, I call it questionable because I have questions. Since the file is encrypted you can't answer those questions for me. All I can gather is everyone who has used it has basically said "I used it and it did what I wanted it to do so it must be safe."
---------- Post added at 10:20 AM ---------- Previous post was at 09:46 AM ----------
@rczrider
Here are the posts in the thread by a security expert asking questions about the method.
http://forum.xda-developers.com/search.php?searchid=430010789
Here is tenfar's response to him
http://forum.xda-developers.com/axo...r-unlokced-t3441204/post68301899#post68301899
Here's a post from him on ZTEUSA
https://community.zteusa.com/message/50425
Here's a blog post he made about it
https://blog.onedefence.com/signed-firehose-images-and-why-theyre-dangerous/?pk_campaign=zte-forums
OK, it would be nice if people would inform themselves about this but unfortunately this is the state of XDA now... so here we go
- Firehose is a protocol used to communicate with the qcom chipset directly at a level lower than the OS. Since there are security measures in place, in order to talk to it you need a signed firehose with a corresponding certificate that is burned into the SBL. This is what ZTE uses to directly flash the units at the factory and it can also be used at repair centers. Tenfar is in possession of such a file and his flasher utilizes it to write modified boot and recovery that would otherwise be discarded by the SoC's security protocols. Since it's obfuscated code to hide the firehose and in addition uses comm libs and code that probably reads and writes other files, it is no wonder it gets flagged by AV software. I had ODIN flagged by Avast once.
- The boot.img is not closed-source, it is actually kernel and ramdisk and can be unpacked so you can see what's inside. It can be compared to stock as well and in fact that is exactly what his are, patched stock boot images. The boot image has been patched in order to allow the modified boot img with root to boot since SecureBoot is still in place due to the locked bootloader. In addition it modifies SELinux to allow root to run. And that brings us to why this tool exists in the first place. It is to allow you to bypass SecureBoot and have root and was created in the period before an unlock method was provided by ZTE. It is still the only method to use on the non-US model. It is a hack tool by definition and has made development on this phone move ahead way further than it would have.
- The security concerns raised were more along the lines of how bad it is that the signed firehose is in the wild, not so much what tenfar's tool does or how it does it. The expert even wanted the firehose to be posted on the forum (SMH), which tenfar refused since he did not want it to spread and hence obfuscated the code. The signed firehose would present a security vulnerability if someone came in physical contact with your phone since they could dump data or load something on it without your knowledge, as pointed out on the sec blog and other posts, but it has nothing to do with whether you use tenfar's tool or not.
- Smart Protect is an API feature that an AV app would have to use, it exists in the SoC but does nothing on its own so is irrelevant but I figured I'd clarify it (again)
Most either understand that or don't care. This is XDA, where we break our warranties and bypass SafetyNet in order to have different emojis. Thanks to tenfar's tools I have noticed that ZTE has broken the FDE on their stock builds since TWRP was able to decode /data with the default password even though it shouldn't. So in my book it's a net plus, at least I know how unsafe it is now.
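The post above says the boot.img is just kernel plus ramdisk and can be unpacked and compared against stock. As an added example (not from this thread, and not tenfar's tool), the following Python script parses the version-0 Android boot image header, slices the page-aligned kernel, ramdisk and second-stage sections, and compares two images section by section with SHA-256, so a "patched stock boot image" claim can be checked by seeing exactly which parts changed. The field layout follows AOSP's bootimg.h for header version 0; the two images it compares are constructed inline, and their kernel and ramdisk contents are assumptions.

```python
import hashlib
import struct
from dataclasses import dataclass

# Version-0 Android boot image header, field order as in AOSP's bootimg.h:
# magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, header_version, os_version, name,
# cmdline, id (SHA-1 of sections), extra_cmdline.
MAGIC = b"ANDROID!"
HEADER_FMT = "<8s10I16s512s32s1024s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 1632 bytes


@dataclass
class BootImage:
    page_size: int
    cmdline: str
    kernel: bytes
    ramdisk: bytes
    second: bytes


def _pad(blob: bytes, page_size: int) -> bytes:
    """Pad a section to a whole number of pages, as the boot image layout requires."""
    rem = len(blob) % page_size
    return blob + b"\0" * (page_size - rem) if rem else blob


def build_boot_image(kernel: bytes, ramdisk: bytes, cmdline: str,
                     page_size: int = 2048, second: bytes = b"") -> bytes:
    """Assemble a minimal boot.img. Used here only to construct sample input offline;
    the load addresses are typical placeholder values, not taken from any device."""
    hdr = struct.pack(HEADER_FMT, MAGIC,
                      len(kernel), 0x00008000, len(ramdisk), 0x01000000,
                      len(second), 0x00F00000, 0x00000100, page_size, 0, 0,
                      b"", cmdline.encode(), b"\0" * 32, b"")
    return (_pad(hdr, page_size) + _pad(kernel, page_size)
            + _pad(ramdisk, page_size) + _pad(second, page_size))


def parse_boot_image(data: bytes) -> BootImage:
    """Parse the header and slice out each section, refusing images whose
    declared sizes run past the end of the file."""
    if len(data) < HEADER_SIZE or data[:8] != MAGIC:
        raise ValueError("not an Android boot image")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    kernel_size, ramdisk_size, second_size = fields[1], fields[3], fields[5]
    page_size = fields[8]
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page_size must be a power of two")
    offsets = []
    pos = page_size  # the header occupies the first page on its own
    for size in (kernel_size, ramdisk_size, second_size):
        offsets.append(pos)
        pos += -(-size // page_size) * page_size  # ceil(size / page_size) pages
    if pos > len(data):
        raise ValueError("section sizes exceed image length")
    k, r, s = offsets
    return BootImage(page_size=page_size,
                     cmdline=fields[12].rstrip(b"\0").decode(errors="replace"),
                     kernel=data[k:k + kernel_size],
                     ramdisk=data[r:r + ramdisk_size],
                     second=data[s:s + second_size])


def compare_boot_images(a: bytes, b: bytes) -> dict:
    """Return, per section, whether the two images differ (compared by SHA-256)."""
    x, y = parse_boot_image(a), parse_boot_image(b)

    def digest(blob: bytes) -> str:
        return hashlib.sha256(blob).hexdigest()

    return {
        "kernel": digest(x.kernel) != digest(y.kernel),
        "ramdisk": digest(x.ramdisk) != digest(y.ramdisk),
        "second": digest(x.second) != digest(y.second),
        "cmdline": x.cmdline != y.cmdline,
    }


# Constructed sample images: a "stock" image and a copy whose ramdisk gained an
# extra init script and whose kernel command line relaxes SELinux. Contents are
# made up for the example; real images would be read from files.
_KERNEL = b"\x1f\x8b" + b"K" * 5000
_RAMDISK = b"\x1f\x8b" + b"R" * 3000
STOCK_IMG = build_boot_image(_KERNEL, _RAMDISK, "console=ttyMSM0 androidboot.hardware=qcom")
PATCHED_IMG = build_boot_image(_KERNEL, _RAMDISK + b"init.supersu.rc",
                               "console=ttyMSM0 androidboot.hardware=qcom androidboot.selinux=permissive")

if __name__ == "__main__":
    for section, changed in compare_boot_images(STOCK_IMG, PATCHED_IMG).items():
        print(f"{section:8s} {'DIFFERS' if changed else 'same'}")
```

Run against two real files by replacing the constructed images with `open(path, "rb").read()`. An unchanged kernel with a changed ramdisk and command line is exactly what a "patched stock" image looks like; a changed kernel section would mean more than a ramdisk patch and deserves a closer look.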

xtermmin said:
On the US model, you can get an unlocked bootloader & all the trimmings without using tenfar's tool at all, although it's a bit more of a roundabout method.
Would that be this method?
http://forum.xda-developers.com/axon-7/how-to/bootloader-unlock-t3437778/page1
And thank you @peramikic for the answer. I've been googling forever on the mbn stuff but never found much on what it exactly is save that it's a manufacturer's tool. This clears up a lot for me. My biggest concern was if an mbn was something that actually rewrites code on the chip itself. Sounds like it's just an external tool a manufacturer uses to put their image onto the phone.

jawz101 said:
Would that be this method?
http://forum.xda-developers.com/axon-7/how-to/bootloader-unlock-t3437778/page1
And thank you @peramikic for the answer. I've been googling forever on the mbn stuff but never found much on what it exactly is save that it's a manufacturer's tool. This clears up a lot for me. My biggest concern was if an mbn was something that actually rewrites code on the chip itself. Sounds like it's just an external tool a manufacturer uses to put their image onto the phone.
No problem. The mbn itself is just a file format. In this case it has information about eMMC partitions. It is also signed with the proper certificate. That lets it talk to the chip and is pretty much just a low-level read/write interface.
As far as that method linked, it will work only if you are on the B20 release, US model only. The file looks for a particular build signature as well as partition signatures so it will not flash on anything else.

peramikic said:
No problem. The mbn itself is just a file format. In this case it has information about eMMC partitions. It is also signed with the proper certificate. That lets it talk to the chip and is pretty much just a low-level read/write interface.
As far as that method linked, it will work only if you are on the B20 release, US model only. The file looks for a particular build signature as well as partition signatures so it will not flash on anything else.
Yeah. At this point I think I'm too lazy to futz with downgrading, patching, then upgrading, and all that. Probably just go with the tenfar tool then 0_o

jawz101 said:
Would that be this method?
http://forum.xda-developers.com/axon-7/how-to/bootloader-unlock-t3437778/page1
Yeah, I used that method because I was already on B20, and my PC runs linux so :effort: to setup a Windows VM to use tenfar's tool. Using that (ZTE's official B20_Boot) and ZTE's official B20 image, you can have an unlocked BL and be on B29 without using tenfar's tool.
tl;dr: Whatever version you're on -> B20 -> B20_Boot -> unlock BL -> B20 -> OTA to B27 -> OTA to B29 (-> flash TWRP, SuperSU, whatever)

Related

Which TWRP for TF300TL?

Hi!
I would like to apologize, if I was unable to find a matching thread for my problem. I am rather new to Android and have great respect for unlocking and modding my device, but would like to do so. I own a TF300TL and are stopped at the very beginning. I am unable to find the matching TWRP for the device and would like to know, which would be the correct file, as I am afraid, that I could easily brick my device. Perhaps someone has done this with a TF300TL. At the moment, I have not yet unlocked the bootloader.
I have installed the latest stock rom on the device.
Do I have to flash the TG version of TWRP? And I am unsure, if I need -JB, -4.2? It is very difficult to understand.
Regards,
Matthias
xcommy said:
Hi!
I would like to apologize, if I was unable to find a matching thread for my problem. I am rather new to Android and have great respect for unlocking and modding my device, but would like to do so. I own a TF300TL and are stopped at the very beginning. I am unable to find the matching TWRP for the device and would like to know, which would be the correct file, as I am afraid, that I could easily brick my device. Perhaps someone has done this with a TF300TL. At the moment, I have not yet unlocked the bootloader.
I have installed the latest stock rom on the device.
Do I have to flash the TG version of TWRP? And I am unsure, if I need -JB, -4.2? It is very difficult to understand.
Regards,
Matthias
Try going to the TWRP website then search by your device. The differences are clearly explained there. I have the 300 and I have the late July OTA, I believe it's 10.1.6.25.1 or something close to that. In any event I had to use the 4.2 version. Be sure to use the blob file and not the IMG file.
Sent from the Awesome Lone Star State where the law abiding carry guns and the criminals think twice.

Confused Noob+H990DS - Unlock/Root+TWRP Official Custom ROM possible (W/ 2. Screen)?

hi folks!
I am pretty confused now. I am looking to get the V20 H990DS, but i am more confused now after reading here. My questions:
1. Is Bootloader unlock possible?
2. Can i install TWRP?
3. Can i root?
4. There is LOS official i know, but is the problem with 2. screen now fixed / going to be fixed?
Seems so good of a device, but I am insecure about it now after reading here. My old Mi4/Cancro is one of the best supported phones out there, so I don't expect it to be the same with the V20, but I need working LOS with root and a working 2nd screen (or the outlook on it working in the future) to be confident in buying it.
I hope you forgive me my noob questions,
Greetings
With sadly no replys, let me add what i know now:
1. + 2. + 3. Still no easy way in sight AFAIK. EDIT: To be clear: There IS a way, Dirty Santa, but the instructions are somewhat too complicated to be confident with trying. Have had rooted phones with custom ROMs for over 5 years and never again a stock device, but I don't dare it. The 300€ I paid are much too much to have spent on a bricked device. Will try to find more Dirty Santa noob-friendly explanations and post them here. EDIT2: For those who DO dare it, here is the thread: https://forum.xda-developers.com/v20/development/dirtysanta-h990-t3624296
4. Second screen still a problem, nothing new heard for quite a long time.
Anyone with knowledge to add or correct, please help! Stock ROM is not as bad as i thought, but without Root, Android is not fully usable for me.
thank you pro for this thread
very useful for me.
Stele88 said:
With sadly no replys, let me add what i know now:
1. + 2. + 3. Still no easy way in sight AFAIK. EDIT: To be clear: There IS a way, Dirty Santa, but the instructions are somewhat too complicated to be confident with trying. Have had rooted phones with custom ROMs for over 5 years and never again a stock device, but I don't dare it. The 300€ I paid are much too much to have spent on a bricked device. Will try to find more Dirty Santa noob-friendly explanations and post them here. EDIT2: For those who DO dare it, here is the thread: https://forum.xda-developers.com/v20/development/dirtysanta-h990-t3624296
4. Second screen still a problem, nothing new heard for quite a long time.
Anyone with knowledge to add or correct, please help! Stock ROM is not as bad as i thought, but without Root, Android is not fully usable for me.
I don't get your complaint. You said you've already been using phones with root for 5 years, so I guess you've been here on XDA for a while. If you really want a phone which supports custom ROMs, go with a phone which supports bootloader unlock like HTC, OnePlus, or even Xiaomi. It's not that hard finding them on XDA. 300 euro for bricked devices? Well, if you read the V20 section carefully you'd know most people here bought this device for the camera, audio, and other things like the removable battery, etc. I never found someone who bricked their device while rooting here, and even if they do we already have flasher tools like LG UP which are already tested fully working by some members. And what's the problem with the second screen? It's working for whatever it was made for. Are you expecting to watch movies on that 2.1 inch display? I have an LG V20 H990DS rooted with Magisk and have had no problem so far. Bought some apps like Greenify and Titanium Backup for debloating and my phone has been rock solid for about 2 months. If you can't wait for LOS just buy a Lenovo ZUK 2 or OnePlus 3T in the same price range.
No problem doing 1+2+3 with DirtySanta exploit/procedure. It's not as complicated or dangerous as it might seem from the instructions. I thought I had soft-bricked my phone twice after rebooting normally with the old kernel instead of straight to TWRP to update the kernel first, but it was easy to re-flash the 10d factory firmware file I had and start over again without any issues both times.
Basic summary of procedure:
1. Flash factory firmware version earlier than 31 December 2016 (only needed if installed firmware version is after 1 January 2017).
2. Do DirtySanta exploit to unlock bootloader and install TWRP and root.
3. Use kdzwriter to update phone's system/modem/cust partitions to latest firmware version without overwriting unlocked bootloader/TWRP, reinstall root (SuperSU or Magisk) from TWRP.
4. Disable automatic OTA updates so that any future firmwares won't automatically install and overwrite bootloader/recovery and remove root and set ARB 1. If that ever happens then TWRP/root will probably be gone forever.
provided you follow the instructions carefully, it's safe to root with DirtySanta.
xoose said:
No problem doing 1+2+3 with DirtySanta exploit/procedure. It's not as complicated or dangerous as it might seem from the instructions. I thought I had soft-bricked my phone twice after rebooting normally with the old kernel instead of straight to TWRP to update the kernel first, but it was easy to re-flash the 10d factory firmware file I had and start over again without any issues both times.
Basic summary of procedure:
1. Flash factory firmware version earlier than 31 December 2016 (only needed if installed firmware version is after 1 January 2017).
2. Do DirtySanta exploit to unlock bootloader and install TWRP and root.
3. Use kdzwriter to update phone's system/modem/cust partitions to latest firmware version without overwriting unlocked bootloader/TWRP, reinstall root (SuperSU or Magisk) from TWRP.
4. Disable automatic OTA updates so that any future firmwares won't automatically install and overwrite bootloader/recovery and remove root and set ARB 1. If that ever happens then TWRP/root will probably be gone forever.
Using the steps on #3, would it be safe to say that we can update the device to oreo and still keep root?
nurse_chuck said:
Using the steps on #3, would it be safe to say that we can update the device to oreo and still keep root?
No, right now if you update you'll lose root as the engineering aboot isn't compatible with Oreo and you have possibly non working data, invalid sim issues etc
Sent from my LG-H910 using XDA Labs
cnjax said:
No, right now if you update you'll lose root as the engineering aboot isn't compatible with Oreo and you have possibly non working data, invalid sim issues etc
Sent from my LG-H910 using XDA Labs
Too bad. Your earlier post actually got me excited. Hehe. Anyway, hopefully someone starts working on rooting the Oreo firmware.
The short answer? @Stele88
Yes. To all of it.
The long answer starts with the Dirty Santa root process. Believe me, I was daunted by it as well, but as long as you follow it (or the noob version of the guide you can find by searching around the same section the original guide is in) and take your time, you'll be okay. It's what I did and I'm now where I am today.
I'll address a couple things since I have the same device as you. If you want to get your device working properly on LineageOS/ResurrectionRemix (LOS with more customisation) then it's a long process.
1. Start by following the bootloader unlock process for Dirty Santa. Depending on what firmware your device gets shipped with, you may need to downgrade to (in the case of the H990DS) the v10c firmware. Once done, then you can Dirty Santa the bootloader and get it unlocked.
2. Once that's done and you're rooted with the initial TWRP from the thread installed, you'll want to look into KDZWriter. It's a program by the same emdroidle who did the Dirty Santa process for us that allows you to update your STOCK system software to newer versions and keep root. You can use it for example with the H990DS firmware KDZ files and go from rooted 10c -> rooted 10f -> rooted 10xx -> etc. until you're on the latest available 7.0 KDZ for the H990DS. This will be the longest part of your process, but it ensures that everything is up to date before going to AOSP/Lineage/Resurrection, specifically the modem partition. I recommend using the TWN region of firmwares if you're just going to convert to a custom ROM anyway, but any region will work fine (the only real difference is that, for example, the Australia region of firmwares comes with more bloat than the TWN region).
2b. You can also use KDZWriter from an updated TWRP you can get in the thread by Phoenix591, his latest TWRP versions have KDZWriter built-in so you don't have to run it off the computer, you can do it all with the kdz files in recovery.
3. Yes, you can root using the Dirty Santa method on v10c kdz firmware. I recommend Magisk for root over SuperSU.
4. There's no official LineageOS that is as up to date as the unofficial ones, and there's no official one with second screen enabled, full stop. That being said, the unofficial LineageOS 15.1 by x86cpu has been my rock solid daily driver for about 2 months now and I've never had any issues that stop me from using it. The same can be said for ResurrectionRemix 6.2 by Blaises. To use either of these, you will need the updated TWRP from Phoenix591.
4. Second-screen enabled builds of LineageOS and ResurrectionRemix do exist, and in this case ResurrectionRemix is (as of this post) more up-to-date than the LineageOS 15.1 second screen version. If you find yourself needing additional features that aren't in the stock kernels for those ROMs (such as KCAL configuration to help with burn in, among other things), then I maintain the second-screen version of the Gamma Kernel by Omar-Avelar. People are successfully using this with second-screen ROMs and have full functionality. You can purchase the app BoredSigns from the play-store to add additional functions to the second-screen.
As I said at the start, it is a long process, but a very worthwhile one. The jump from stock to custom-ROMs is absolutely incredible. Again, in short, yes. You can get everything you want.
Just do your searching around the forums for the processes I outlined above, ask any questions you have, pre-download your kdz firmwares from HERE and any software you need, and just take your time. It's maybe a couple hours to get setup with a rooted stock system that's up-to-date, and maybe another hour or so to go from stock to Lineage/Resurrection.
P.S: If all goes well with the Dirty Santa process, but you get screen distortion after rebooting when flashing the TWRP from Dirty Santa, just pull the battery instead of rebooting.
Good luck, good searching, and remember to not be afraid to ask questions in the relevant threads.
---------- Post added at 04:50 AM ---------- Previous post was at 04:49 AM ----------
nurse_chuck said:
Too bad. Your earlier post actually got me excited. Hehe. Anyway, hopefully someone starts working on rooting the Oreo firmware.
It's highly doubtful this will happen, but one can hope. Right now the best way to get Oreo is through a custom ROM, purely because of how security is implemented by LG in the stock Oreo ROMs.
iDefalt said:
It's highly doubtful this will happen, but one can hope. Right now the best way to get Oreo is through a custom ROM, purely because of how security is implemented by LG in the stock Oreo ROMs.
Actually it is possible runningnak3d has already said awhile ago he has a process to root stock oreo he's just not releasing it yet so LG can't patch it before the Oreo roll out is complete
Sent from my LG-H910 using XDA Labs

G950U Root after flashing Bootloader BL2 // S8 Hardware direct re-flashing to UFS

I was trying to get a more stable root this weekend. I decided I would flash back to stock, then re-apply SamPWND. Like an idiot, I flashed G950U1UEU2AQK2. The last 4 "AQK2" is the version of the firmware, and the "2" before that is bootloader version 2. After installing version 2, I cannot flash any old firmware, including the ENG firmware used for SamPWND!
Question 1: Am I out of luck? Time to sell this thing and buy a OP5T?
I was looking at some S8 teardowns, and the storage chip "Toshiba THGBF7G9L4LBATR 64 GB UFS (NAND flash + controller)" is a separate chip from the MSM8998.
Hypothetically, if I could remove my UFS chip from the phone, and reprogram it, could I flash a custom bootloader?
This is a question for someone who knows more about the 835 than me. Does the chip verify bootloader using a signature stored on the board? is the UFS flash chip protecting itself from being overwritten, or is the upload code protecting from unsigned firmware?
or is Samsung's public key stored within the 835?
Thanks for the help.
tim.vrakas said:
I was trying to get a more stable root this weekend. …
Bad news and good news...
Bad news first: there is no downgrading. Even if you raw-programmed it, it wouldn't boot. There's no way to go back on that.
The good news...
The N8 v2 is rootable using SamFail, and I see no reason that the S8 wouldn't be too. I haven't been able to work on it yet as I've been busy with my ROM, but it's next on my Android to-do list.
If you'd like to guinea pig, since you're already on U2 and have little to lose (only risk is soft brick), I'll let you know when it's ready.
partcyborg said:
Bad news first, there is no downgrading. …
Oh yeah, for sure! I was gonna just stick with TouchWiz, but then I sent a message with those stupid emojis and that's when it really got to me.
I will read up on SamFail. I can definitely handle flashing/recovery/etc. I've been trying to get more under the hood on these things.
Thanks
Tim
___EDIT____
I just tried PartCyborgRom and it shows the same error. Flashing the AP works (but throws the expected error). But on the bootloader flash, it has the same complaint about the bootloader version being less than the fused version.
I'm a little confused how this could work. The new version of the bootloader is resistant to installing any bootloader version less than 2, and that includes the engineering bootloader used by PartCyborgRom and SamPWND, correct? I look forward to understanding the loophole.
Also, what exactly is contained in the "BL" package? Is the "Download" interface part of the bootloader? Is the recovery interface part of the bootloader? The kernel (which is the boot.img?) is part of the AP, along with the actual file system.
tim.vrakas said:
I just tried PartCyborgRom and it shows the same error. …
I meant I have to create samfail v2, not that you could flash the current. 1. Sorry that wasn't clear.
partcyborg said:
I meant I have to create samfail v2, not that you could flash the current. 1. Sorry that wasn't clear.
I knew it wasn't likely to work, I just thought I would go for it before bothering to set up my new TouchWiz Monster.
Also, is the Telegram still up? The link on the SamFail for Note 8 thread is expired...
Correct, I was only able to "upgrade" to BQK5 and now am running Oreo 2ZQKO since there isn't much else to try. So that might be something to do in the meantime.
rudimenta said:
Correct, I was only able to "upgrade" to BQK5 and now am running running Oreo 2ZQKO since there isn't much else to try So that might be something to do in the meantime
There is a U1 (carrierless, no bloat) ROM that is on leave (the latest one). Updato has it.
I'm in the same situation; glad I read your post. I flashed the non-carrier AQK2 and had been trying to root it, felt so silly.
I am also able to help guinea pig it =)
partcyborg said:
There is a u1 (carrierless no bloat) rom that is on leave (the latest one). Updato has it
That's the one I ran before I went on to try Oreo, which is actually running rather decent.

Samsung Note 4 Sprint Android 6.0.1 no return 5.0

Hello....!
I am sorry for my bad English skills
I am using Samsung Note 4 Sprint Android 6.0.1.
It's very bad and doesn't have a fingerprint. I need to go back to an earlier version.
I've used "Odin" and "Z3X SamsungTool, COMBINATION". All failed.
I downloaded Firmware at website sammobile.com.
Please Help me...!
If you were on the N910PVPU5DQI5 firmware then the sboot is fused5, binary 4 and cannot be downgraded. That is most likely the reason you have a fail in Odin. The following links will provide further information and guidance. If you have questions, ask them in this post. Good luck.
https://forum.xda-developers.com/note-4-sprint/help/n910pvpu5dqi5-firmware-download-t3941451
https://forum.xda-developers.com/note-4-sprint/help/roms-installed-qi15-firmware-t3990677
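Both the S8 post above (the "2" in G950U1UEU2AQK2 being the bootloader version Odin will not go below) and this Note 4 answer (N910PVPU5DQI5 with a fused binary that cannot be downgraded) hinge on reading the same field of a Samsung build string. The following is an added example, not code from either poster: it decodes the build string layout the two names on this page share (model, two-letter region code, U/S, binary digit, OS letter, year letter, month letter, revision) and models the anti-rollback check that makes Odin fail. The year-letter mapping (Q = 2017, one letter per year) and the binary-1 string used at the bottom are assumptions for illustration, not real firmware names.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Layout assumed here; it matches every build string quoted on this page:
#   <model><region, 2 letters><U|S><binary digit><OS letter><year letter><month letter><revision>
_BUILD_RE = re.compile(
    r"^(?P<model>[A-Z]\d{3}[A-Z0-9]{0,2}?)"
    r"(?P<region>[A-Z]{2})"
    r"(?P<kind>[US])"
    r"(?P<binary>\d)"
    r"(?P<os>[A-Z])"
    r"(?P<year>[A-Z])"
    r"(?P<month>[A-L])"
    r"(?P<revision>[A-Z0-9])$"
)

# Assumption: Q = 2017 and the letter advances one per year (O = 2015, P = 2016).
_YEAR_LETTER, _YEAR_VALUE = "Q", 2017
_MONTHS = "ABCDEFGHIJKL"  # A = January ... L = December


@dataclass(frozen=True)
class Build:
    raw: str
    model: str
    region: str
    binary: int       # the bootloader/binary version the anti-rollback fuse tracks
    os_rev: str
    year: int
    month: int
    revision: str

    @property
    def build_date(self) -> Tuple[int, int]:
        return (self.year, self.month)


def parse_build(text: str) -> Optional[Build]:
    """Decode a Samsung build string; None when it does not fit the layout
    (e.g. the common transcription error of writing the month letter I as 1)."""
    m = _BUILD_RE.match(text.strip().upper())
    if m is None:
        return None
    return Build(
        raw=m.group(0),
        model=m.group("model"),
        region=m.group("region"),
        binary=int(m.group("binary")),
        os_rev=m.group("os"),
        year=_YEAR_VALUE + (ord(m.group("year")) - ord(_YEAR_LETTER)),
        month=_MONTHS.index(m.group("month")) + 1,
        revision=m.group("revision"),
    )


def odin_would_accept(fused: str, candidate: str) -> bool:
    """Model of the rollback check: the bootloader only accepts a BL whose
    binary version is >= the version already recorded in the device's fuse."""
    f, c = parse_build(fused), parse_build(candidate)
    if f is None or c is None:
        raise ValueError("unrecognised build string")
    if f.model != c.model:
        raise ValueError("build strings are for different models")
    return c.binary >= f.binary


if __name__ == "__main__":
    for s in ("G950U1UEU2AQK2", "N910PVPU5DQI5", "N910PVP5DQ15"):
        print(s, "->", parse_build(s))
    # "G950U1UEU1AQH3" is a constructed binary-1 name, not a real firmware.
    print("binary-1 BL on a fused-2 S8:",
          odin_would_accept("G950U1UEU2AQK2", "G950U1UEU1AQH3"))
```

The third string in the usage loop deliberately carries the "DQ15" typo seen in this thread: it fails to parse because the month position must be a letter, which is a quick way to catch a mis-copied firmware name before hunting for a download.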
Mr. JAVI said:
If you were on the N910PVPU5DQI5 firmware then the sboot is fused5, binary 4 and cannot be downgraded. …
Thank you very much!
You're welcome.
Mr. JAVI said:
Your welcome
My phone is very cheap...!
I'm not afraid to ruin it
It will help me understand more. :laugh:
Bán Trinh Trả Góp said:
My phone is very cheap...!
I'm not afraid to ruin it
It will help me understand more. :laugh:
Well, I hope you don't ruin it. lol The Note 4 is considered by many as "the last developer-friendly phone". The last Sprint update (5DQI5) has made it not so friendly. Prior to losing my phone, I was on Lollipop
4COK1 with the ultimate Note 5 hybrid (MORA) ROM as my daily driver. I could flash back and forth from Lollipop to Marshmallow and choose many different custom ROMs. However, I seldom used MM because I didn't like the layout of the OS. Hated the mock location that forces an app and Google Maps in Samsung settings (BIG TIME; yeah, how mock is it if it's connected to Google Maps?). While on Lollipop, just set mock location and done. Furthermore, the permission settings in MM are scattered in different sections, which not only adds complexity in navigation but confusion as to what the F is this? All the while stating "update for your security". My security or theirs? Well, no use crying over spilled milk, as they say.
Being locked to 5DQI5 firmware was a new experience. Now, years later, I found myself unfamiliar with the Note 4 5DQI5. The first thing I noticed on the N910P XDA forum was "where did everybody go?" The next thing I noticed was all the bricked devices and fails in Odin when downgrading the 5DQI5. That's when I decided the safest choice to begin with was the
https://forum.xda-developers.com/no.../rom-15nov2017-stock-ish-plustidbits-t3705395
Begin with installing TWRP, followed by rebooting the phone. Then I rebooted back to TWRP and made a backup of all the partitions to external SD. Afterwards, I flashed the custom ROM. I was very pleased it came complete with the Xposed framework and modules. Although it's really a great ROM, I still missed my old customizations in 5.0 ROMs.
Reading through the forums at that time provided very little to go by, and the information posted by members seemed to conflict. Some said you can on a 6.0 ROM and others said the opposite. All the while looking to purchase another N910P with a lower bootloader, which led me to visual proof that custom ROMs on 6.0 are compatible (maybe). I still needed to flash to be 100% sure. (Screenshots in next post.)
I also felt like you: "It's an inexpensive device and I'm going to take a risk".
Mr. JAVI said:
Well, I hope you don't ruin it. …
I think people can easily buy the latest phones today.
The warranty company assumes all responsibility.
It is difficult to find someone with hobby of editing phone software.
Now, just to be perfectly clear, I am in no way suggesting that anyone purchase a pre-rooted device. Never.
WARNING
To all: you never know what has been installed hidden within the system when purchasing a pre-rooted phone.
If that's not enough, consider the developer of the ROM who has put in all the work, cheated out of their donations.
Mr. JAVI said:
Well, I hope you don't ruin it. …
Sorry for the language differences,
I cannot understand everything you write.
Bán Trinh Trả Góp said:
I think people can easily buy the latest phones today.
The warranty company assumes all responsibility.
It is difficult to find someone with hobby of editing phone software.
The warranty company assumes responsibility with new devices; of course, rooting will void the warranty.
Not that difficult to find someone with the skills to edit Android devices. I'll simply say XDA
You are using the Z3X tool and Odin, are you not? Well then, why not buy a newer phone?
It's just a hobby of mine; I enjoy modding and flashing. I'm not a programmer. I simply wish to give back to the XDA community.
I could buy a new phone, but the newer models have locked bootloaders (US versions).
Bán Trinh Trả Góp said:
Sorry for the language differences,
I can not understand everything you write :crying::crying:
It's not your fault; I know my writing skills need improvement. My spelling is horrible.
I thank you, as your first question in this post has helped me too. First time I heard of the Z3X tool. Thank you.

$$ BOUNTY $$ thread for ROOT on ZTE Blade A5 2019

This is a bug bounty thread to get root on the ZTE Blade A5 2019.
Thanks to ZTE, this model doesn't have an unlockable bootloader, so root has to be obtained through an exploit. I'm sick of their excuses; I personally believe they were instructed by the government to do things this way and use the EULA and "security" as an excuse. The same happened to the Axon 7: they said it's because of security, and I think this is a lie (and I would say I'm not the only one). It is unacceptable that experienced people who want to mod their devices can't, because to unlock the bootloader you need a signed image. It is unacceptable: unlocking the bootloader is for flashing unsigned images, and you tell me that to unlock it I need a signed image from ZTE or the signature itself? Well, I call this "locking users out of their own devices".
But returning to the root topic: I would suggest either CVE-2020-0041 (https://github.com/bluefrostsecurity/CVE-2020-0041), which allowed some Xperias to get root, or CVE-2019-2215 (https://github.com/grant-h/qu1ckr00t), which has a 32-bit version available here: https://forum.xda-developers.com/t/root-with-cve-2019-2215.3979341/post-80748711. Another thing that could be tried is this: https://research.nccgroup.com/2022/09/02/theres-another-hole-in-your-soc-unisoc-rom-vulnerabilities/ (note that if we use this it might be possible to make a universal root method for Unisoc by getting boot ROM context, but I'm not sure about that).
I also extracted kallsyms so the dev doesn't have to: https://www.mediafire.com/folder/uvde49kcna40o/ZTE_A5_2019_Stuff
Kernel sources are included since the ZTE mirror is really slow.
N.B. It is suggested to flash an old firmware; for example, the Claro one has the 5 January 2019 patch and because of this is vulnerable to qu1ckr00t. It also has fastboot and no updates at all.
If some dev is interested, please contact me (I'm not a dev, so I would need one). Also, if people want this root to go ahead, donate (I will too, obviously); you can say how much you want to donate and afterwards you can donate to the developer directly (these rules can be changed if the dev is trusted, I guess). N.B. I'm not responsible for any issues; I hope nothing bad happens.
I say this because I also had bad experiences.
About donations, I would suggest making those after the root process is verified to work.
I would be fine with only a temp root.
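The post's reasoning, that the Claro firmware with a January 2019 patch level is still exposed to the CVE-2019-2215 bug qu1ckr00t uses, is a comparison of the device's declared security patch level against the Android bulletin that shipped the fix. The following added example (not the poster's code) makes that triage step explicit: it parses `adb shell getprop` output, lists which of the two CVEs named in the post postdate the patch level, and picks the 32-bit or 64-bit exploit build from the reported ABI. The bulletin dates are assumptions to verify against source.android.com, the sample property lines are constructed, and a patch level only states what the vendor claims to have merged; a backported or missing fix can only be confirmed in the kernel source the post links.

```python
import re
from datetime import date
from typing import Dict, List

# Android Security Bulletin patch levels that carried the fixes (assumed; verify
# against the bulletins before relying on them).
FIXED_IN: Dict[str, date] = {
    "CVE-2019-2215": date(2019, 10, 6),  # binder use-after-free behind qu1ckr00t
    "CVE-2020-0041": date(2020, 3, 5),   # binder bug behind the bluefrostsecurity PoC
}

# `getprop` prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn raw getprop output into a dict, ignoring lines that do not fit."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def patch_level(props: Dict[str, str]) -> date:
    """The vendor-declared security patch level (ISO date)."""
    return date.fromisoformat(props["ro.build.version.security_patch"])


def candidate_cves(props: Dict[str, str]) -> List[str]:
    """CVEs whose fixing bulletin is newer than the device's patch level.
    An empty list means the vendor claims both fixes; a non-empty list is a
    lead to confirm in the kernel source, not proof of exploitability."""
    level = patch_level(props)
    return sorted(cve for cve, fixed in FIXED_IN.items() if level < fixed)


def exploit_arch(props: Dict[str, str]) -> str:
    """Which build of a userland exploit to pick; the post notes qu1ckr00t has
    a separate 32-bit variant for devices without a 64-bit userland."""
    abi = props.get("ro.product.cpu.abi", "")
    return "64-bit" if abi.startswith("arm64") else "32-bit"


# Constructed sample shaped like the Claro firmware described in the post
# (January 2019 patch level, 32-bit userland); not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.security_patch]: [2019-01-05]
[ro.product.cpu.abi]: [armeabi-v7a]
[ro.product.model]: [ZTE Blade A5 2019]
"""

if __name__ == "__main__":
    p = parse_getprop(SAMPLE_GETPROP)
    print("patch level:", patch_level(p))
    print("candidate CVEs:", candidate_cves(p))
    print("exploit build:", exploit_arch(p))
```

On a real device the input is simply `adb shell getprop` piped into `parse_getprop`; a firmware that has taken the later updates the post warns about would report a 2020-03-05 or newer patch level and the candidate list would come back empty.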
Hello, I noticed your thread while I was using my fresh script to warp through pages fast. I was a person who was involved in exploiting several devices, and you can get root on this device if I put enough time into it. Please provide contacts so I can get in touch with you. We will discuss prices and other stuff somewhere else privately.
