OVERVIEW
Some people may have already seen some of the stuff I make, like apps, tools, ROMs, mods and exploitation.
Yesterday I got my first ever MTK device, and in all honesty I think the range of tools is crap other than MTK Droid Tools, but that unfortunately isn't open source.
THIS IS A COMMUNITY PROJECT AND THAT MEANS FREE AND OPEN SOURCE AND OPEN-MINDED TO IDEAS
DOWNLOADS, DOCUMENTATION AND SOURCE
DOWNLOAD (VERY EARLY STAGES)
SOURCE CODE
NOTES
Hopefully the community jumps in, gives me a hand and suggests features.
XDA:DevDB Information
MTK open source AIO tool, Tool/Utility for all devices (see above for details)
Contributors
Ricky Divjakovski
Source Code: https://github.com/Ricky310711/OpenSource-MTK-Tool
Version Information
Status: Testing
Created 2016-01-14
Last Updated 2016-01-21
Those are Teclast T98 MT8752:
first stock,
second modified for resizing purposes (system/userdata).
hocuspocus69 said:
Those are Teclast T98 MT8752:
first stock,
second modified for resizing purposes (system/userdata).
I have the scatter file parser made; I'll be making a new repo and pushing to git later tonight.
Great idea since MTK Droid Tools doesn't have support. :good:
My MT6572 scatter file with custpack partition (Alcatel Pop C2).
MT6575 scatter file with custpack partition (Alcatel S'Pop).
MT6571 scatter file (Blu Dash Jr K)
MT6577 scatter file with custpack partition (Alcatel Idol 6030X)
MT6572 (other China phone)
Here is the scatter for the Wiko Fever: http://forum.xda-developers.com/showpost.php?p=63755203&postcount=4
scatter file for Coolpad Note 3
keemi said:
MT6577 scatter file with custpack partition (Alcatel Idol 6030X)
MT6572 (other China phone)
kirito9 said:
Great idea since MTK Droid Tools doesn't have support. :good:
My MT6572 scatter file with custpack partition (Alcatel Pop C2).
MT6575 scatter file with custpack partition (Alcatel S'Pop).
MT6571 scatter file (Blu Dash Jr K)
Well, normal scatter conversion is done, but may I ask what an eMMC scatter is?
And couldn't we refer to a normal scatter file rather than the eMMC scatter? It doesn't seem to contain much info other than the partition label and size.
Ricky Divjakovski said:
Well, normal scatter conversion is done, but may I ask what an eMMC scatter is?
And couldn't we refer to a normal scatter file rather than the eMMC scatter? It doesn't seem to contain much info other than the partition label and size.
It's basically the same as a normal scatter, but some smartphones produce that scatter type (eMMC) instead of the normal scatter. Same goes for some MTK Droid Tool versions, like it happened with me: I got both a normal scatter and an eMMC scatter for the same phone.
I don't know why that is though. But both scatter files work with SP Flash Tool.
kirito9 said:
It's basically the same as a normal scatter, but some smartphones produce that scatter type (eMMC) instead of the normal scatter. Same goes for some MTK Droid Tool versions, like it happened with me: I got both a normal scatter and an eMMC scatter for the same phone.
I don't know why that is though. But both scatter files work with SP Flash Tool.
OK, well I've made the scatter conversion, added the project donate feature and the ability to see the tool and utility versions; the source is in the main post.
MT6572 JB scatter
TurkishBoy1 said:
MT6572 JB scatter
Scatter files aren't needed anymore, thanks anyway. I'll keep it for reference.
Ricky Divjakovski said:
OK, well I've made the scatter conversion, added the project donate feature and the ability to see the tool and utility versions; the source is in the main post.
Great I will check it out.
kirito9 said:
Great I will check it out.
Any features you would like to suggest, use the suggest features tab.
Ricky Divjakovski said:
Any features you would like to suggest, use the suggest features tab.
I recently got into MTK myself and have used your kitchen, thank you! I don't have much experience in making ROMs, but I have hard bricked my MT6572 K8 watch and my Cubot X-15 by getting carried away with flashing, but while doing so I've managed to bring them both back to life and have acquired 10 gigs of all kinds of different MTK tools. I'm more than willing to share my collection. Now why would anyone need 10 gigs of tools? Well, I learned the hard way that SP Flash Tool can be a pain in the ass when trying to bring your phone back from the dead, hitting you with mad BROM errors, so I found out that if you need a no-bull**** save-me flash tool, go with Infinix Flash. Anyway, I'm more than down to be a part of this and will try to contribute whatever I can.
m0nt3s said:
I recently got into MTK myself and have used your kitchen, thank you! I don't have much experience in making ROMs, but I have hard bricked my MT6572 K8 watch and my Cubot X-15 by getting carried away with flashing, but while doing so I've managed to bring them both back to life and have acquired 10 gigs of all kinds of different MTK tools. I'm more than willing to share my collection. Now why would anyone need 10 gigs of tools? Well, I learned the hard way that SP Flash Tool can be a pain in the ass when trying to bring your phone back from the dead, hitting you with mad BROM errors, so I found out that if you need a no-bull**** save-me flash tool, go with Infinix Flash. Anyway, I'm more than down to be a part of this and will try to contribute whatever I can.
SP Flash Tool is a great tool, a bit complicated for normal users to use but gets the job done. If it were up to me personally, I'd make a menu from the scatter file presented and have a list of partitions to flash based on the scatter.
MediaTek 6571 which won't address hard drive properly
Ricky Divjakovski said:
SP Flash Tool is a great tool, a bit complicated for normal users to use but gets the job done. If it were up to me personally, I'd make a menu from the scatter file presented and have a list of partitions to flash based on the scatter.
Not sure where to start. Trying to get my MediaTek MT6571 working properly, but before I try to flash, is there any utility which can read the hard drive, either in Windows, Mac or Linux please? I and numerous others report that we have severe partitioning problems and would like either to see if there is unallocated space on my hard drive OR if there is some endemic problem with my Hexing71_et_lca ROM which is stopping it addressing its drive properly.
I feel I am caught in a Windows 98 time warp with some sort of LBA problem where I can't address anything more than a tiny percentage of the hard drive!
The 6571 seems to have a 16 gig hard drive, but if it does, most of it is unallocated and only 899 meg shows as usable. When I try to install anything much larger than a few meg on it, I get OUT OF SPACE error messages.
So I figured that I need to install an SD card in the device and installed a 32 gig one, obviously for all the apps. Aparted managed to get the card working, but now, after I did manage to install AIDA on the phone, I am getting the same 32 gig installed, 899 meg available (none actually usable) and OUT OF SPACE error messages in Disk Storage, and when I try to use the SD card as well!
Is there any GUI out there which can show what is actually going on with this device please? It won't show up in OSX, even in Disk Utility, but I do seem to be able to read (only) the hard drive's empty photos storage partition in XP and Linux. The only thing I know about the device from recovery mode is that it might be a SW version alps.jb7.mp.v1.14
custom build vern 1443066946, whatever that means!
licensedtoquill said:
Not sure where to start. Trying to get my MediaTek MT6571 working properly, but before I try to flash, is there any utility which can read the hard drive, either in Windows, Mac or Linux please? I and numerous others report that we have severe partitioning problems and would like either to see if there is unallocated space on my hard drive OR if there is some endemic problem with my Hexing71_et_lca ROM which is stopping it addressing its drive properly.
I feel I am caught in a Windows 98 time warp with some sort of LBA problem where I can't address anything more than a tiny percentage of the hard drive!
The 6571 seems to have a 16 gig hard drive, but if it does, most of it is unallocated and only 899 meg shows as usable. When I try to install anything much larger than a few meg on it, I get OUT OF SPACE error messages.
So I figured that I need to install an SD card in the device and installed a 32 gig one, obviously for all the apps. Aparted managed to get the card working, but now, after I did manage to install AIDA on the phone, I am getting the same 32 gig installed, 899 meg available (none actually usable) and OUT OF SPACE error messages in Disk Storage, and when I try to use the SD card as well!
Is there any GUI out there which can show what is actually going on with this device please? It won't show up in OSX, even in Disk Utility, but I do seem to be able to read (only) the hard drive's empty photos storage partition in XP and Linux. The only thing I know about the device from recovery mode is that it might be a SW version alps.jb7.mp.v1.14
custom build vern 1443066946, whatever that means!
The best way to really see how much space each partition has is using MTK Droid Tool and choosing the option "block information". There you will see your partition sizes and names.
licensedtoquill said:
Not sure where to start. Trying to get my MediaTek MT6571 working properly, but before I try to flash, is there any utility which can read the hard drive, either in Windows, Mac or Linux please? I and numerous others report that we have severe partitioning problems and would like either to see if there is unallocated space on my hard drive OR if there is some endemic problem with my Hexing71_et_lca ROM which is stopping it addressing its drive properly.
I feel I am caught in a Windows 98 time warp with some sort of LBA problem where I can't address anything more than a tiny percentage of the hard drive!
The 6571 seems to have a 16 gig hard drive, but if it does, most of it is unallocated and only 899 meg shows as usable. When I try to install anything much larger than a few meg on it, I get OUT OF SPACE error messages.
So I figured that I need to install an SD card in the device and installed a 32 gig one, obviously for all the apps. Aparted managed to get the card working, but now, after I did manage to install AIDA on the phone, I am getting the same 32 gig installed, 899 meg available (none actually usable) and OUT OF SPACE error messages in Disk Storage, and when I try to use the SD card as well!
Is there any GUI out there which can show what is actually going on with this device please? It won't show up in OSX, even in Disk Utility, but I do seem to be able to read (only) the hard drive's empty photos storage partition in XP and Linux. The only thing I know about the device from recovery mode is that it might be a SW version alps.jb7.mp.v1.14
custom build vern 1443066946, whatever that means!
What do you mean read the hard drive?
If you're referring to the phone's storage, I think you mean eMMC?
And that is divided into separate partitions and filesystem formats; you need software to read it, not to mention split it. A good start would be SP Flash Tool and MTK Droid Tools. Also, I suggest you format the SD card (take it out of the device) as FAT32 with MiniTool Partition Wizard; it might also be a good idea to check for damaged blocks and, if you have the time, zero all sectors out.
EDIT: also, if you're modifying and flashing .img files, make sure you save it as the exact same size as the partition.
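The scatter conversion discussed above and the size warning in the post it follows, as an added example that is not code from the thread's tool: a small parser for the MediaTek scatter layout (structured MT6572-style and legacy MT6575/MT6577-style), a check that an image is exactly the size of its target partition before flashing, and an overlap check that respects eMMC regions (PRELOADER at 0x0 in the boot region legitimately shares its start with MBR at 0x0 in the user region). Both scatter texts are constructed and abbreviated.

```python
"""Scatter-file parser with pre-flash size checks (added example, not the
thread's tool). Reads the structured layout of MT6572-era scatter files
(blocks starting at "partition_index:") and the older flat layout used by
MT6575/MT6577 ("NAME 0xADDR" followed by "{ }"), where a partition's size
is implied by the next entry's start address."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, abbreviated scatter in the structured format. PRELOADER sits in
# the eMMC boot region, so its 0x0 start must not be flagged against MBR at 0x0.
SCATTER_STRUCTURED = """\
- general: MTK_PLATFORM_CFG
  info:
    - config_version: V1.1.1
      platform: MT6572
- partition_index: SYS0
  partition_name: PRELOADER
  file_name: preloader.bin
  linear_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
- partition_index: SYS1
  partition_name: MBR
  file_name: MBR
  linear_start_addr: 0x0
  partition_size: 0x80000
  region: EMMC_USER
- partition_index: SYS2
  partition_name: BOOTIMG
  file_name: boot.img
  linear_start_addr: 0x80000
  partition_size: 0x600000
  region: EMMC_USER
"""
# Constructed fragment in the legacy format: no explicit sizes at all.
SCATTER_LEGACY = "PRELOADER 0x0\n{\n}\nMBR 0x600000\n{\n}\nEBR1 0x680000\n{\n}\n"


@dataclass
class Partition:
    name: str
    start: int
    size: Optional[int]  # None when the layout neither states nor implies it
    file_name: str = ""
    region: str = ""


def _from_fields(d: Dict[str, str]) -> Partition:
    return Partition(
        name=d["partition_name"],
        start=int(d.get("linear_start_addr", "0x0"), 16),
        size=int(d["partition_size"], 16) if "partition_size" in d else None,
        file_name=d.get("file_name", ""),
        region=d.get("region", ""),
    )


def parse_scatter(text: str) -> List[Partition]:
    """Parse either scatter layout into partitions in file order."""
    if "partition_index" in text:
        parts, cur = [], {}
        for line in text.splitlines():
            m = re.match(r"^\s*-?\s*([A-Za-z_]+):\s*(.*?)\s*$", line)
            if not m:
                continue  # comments, braces and blank lines
            key, val = m.groups()
            if key == "partition_index":  # a new partition block begins
                if "partition_name" in cur:
                    parts.append(_from_fields(cur))
                cur = {}
            cur[key] = val
        if "partition_name" in cur:
            parts.append(_from_fields(cur))
        return parts
    # Legacy layout: each entry's size is the gap to the next entry's start.
    entries = re.findall(r"^\s*([A-Za-z0-9_]+)\s+(0x[0-9A-Fa-f]+)\s*$", text, re.M)
    parts = [Partition(n, int(a, 16), None) for n, a in entries]
    for a, b in zip(parts, parts[1:]):
        a.size = b.start - a.start
    return parts  # the final entry keeps size None: nothing bounds it


def check_image_fits(part: Partition, image_len: int) -> str:
    """Classify an image against its target partition before flashing."""
    if part.size is None:
        return "unknown"
    if image_len > part.size:
        return "too-large"  # would run past the partition boundary
    return "exact" if image_len == part.size else "smaller"


def find_overlaps(parts: List[Partition]) -> List[str]:
    """Return 'A/B' for each pair of partitions overlapping in one region."""
    sized = [p for p in parts if p.size is not None]
    return [f"{a.name}/{b.name}"
            for i, a in enumerate(sized) for b in sized[i + 1:]
            if a.region == b.region
            and a.start < b.start + b.size and b.start < a.start + a.size]


if __name__ == "__main__":
    layout = parse_scatter(SCATTER_STRUCTURED)
    print("overlaps:", find_overlaps(layout))
    print("6 MiB boot.img vs BOOTIMG:", check_image_fits(layout[2], 0x600000))
```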
Thanks
Models: SM-G930_, SM-G935_ (Flat & Edge, all Snapdragon variants, NOT Exynos)
Developer thread only!
Work in Progress!
DON'T flash anything on your phone unless you either a) don't care about the result or b) know what you're doing! I will take NO RESPONSIBILITY for you breaking your phone! Know the risks!
Research & Development Thread for Unlocking S7 bootloader
What is this thread?
This is a thread with all information (research) I can find regarding the locked bootloader for the S7 Snapdragon (Exynos has been unlocked, so this thread will NOT cover that). There are a lot of great seasoned devs out there, but it seems all have given up, or remained in the dark. Flagships like the S7 we all bought because they're amazing phones, but it appears the future is locked bootloaders; if you're here then you're interested in custom ROMs. If we give up and can't 'crack this', then I'm afraid amazing phones like this will never get custom ROMs, i.e., that will be a thing of the past.
In other words, there doesn't appear to be any development anymore on trying to unlock the bootloader. Hope is lost... or is it? Therefore, we need new talent. We need a new generation of developers walking into the game knowing that what they're trying to do is almost impossible. I'm hoping this thread will quickly bring any developer up to speed so we can get some "unlocking Dev rookies". We are recruiting! Come here and ask questions regarding this so hopefully you can figure this out!
I'm going to update the first few posts from time to time with critical info, links to info, etc. My goal with this thread is to put all of the great information from the community in one place. I don't want people to have to search this entire thread, rather get the info quick so they can begin developing quick, so we can get an unlocked bootloader, QUICK!
Remember, there were previous locked bootloaders, but many of them have been cracked so let's take away the 'impossibility factor'!
Who is this thread for?
Anyone that wants to quickly be brought up to speed on the S7 locked bootloader status, all the hurdles, etc.
Developers that want to be part of the future of locked bootloaders and something great!
Who can post and what posts are allowed?
Anyone with PRODUCTIVE comments towards unlocking the bootloader or efforts already completed (regardless of failure or success)
Developers working on this initiative
Developers with questions for other developers regarding this
Wanna-be developers with questions (There is no shame, and you never know if YOU just might be the rookie dev we're looking for to unlock this! If you're willing to try something to potentially brick your device, then you can play here. Or maybe you might throw out an idea that sparks an idea with someone else that leads to an unlock.)
Links to things that have been attempted
Information you think people should know regarding this, that's not already listed. Or information you think should be in the original post so people can easily see it. (I don't want great info hidden deep in the thread, rather on the first page)
Keep me honest! If I post nonsense or inaccurate information, WE NEED you to correct me! Last thing I want to do is steer anyone in the wrong direction!
What NOT to post:
"+1"
"Thanks"
Petitions
Bounties
ANYTHING NEGATIVE! Negative Nancy, PLEASE go away!!
Etc. In other words, DON'T waste thread space with nonsense. (Don't let that comment confuse you, however, with the 'very welcoming' questions from developers; this SHOULD be a collaborative thread. Productive input certainly welcome.) The idea is to QUICKLY allow someone to read this and get ALL the info to start trying to crack this. Going through pages and pages of irrelevant or useless comments will only make the goal more difficult, or prevent our new rookies from coming up to speed and trying to unlock this bootloader.
Who am I and what am I trying to get out of this?
I'm an application engineer and developer that bought an S7 from T-Mobile and found out the hard way it had no way to get a custom ROM, despite T-Mobile's past of typically allowing this. I'm frustrated like you all and want my phone unlocked, pure and simple! Besides, this is a community, and what better agenda than to try and conquer what others have said "that's impossible"!
Other Notes:
MANY, many thanks to all the contributors out there!!! I got most of this information from other forums on XDA!
Following few posts will have resources and additional links. This thread is new so I'll find a good organization method in time.
PLEASE subscribe if you are (or want to be) a contributing developer, or have anything to add - or if you can answer others questions. I think a lot of this knowledge will expand to other devices, and not just Samsung, but future devices as well.
Please let me know of anything to fix with this thread, like tags, thread description, etc.
Make sure to send the link to this thread to people you think might be interested (but don't spam them!) Or post a link to this thread in other seemingly dead threads on unlocking this bootloader. Alone it just may be impossible to do this...but as a community, sharing all of our knowledge...we can do this!
Still not motivated to do this? Try this: https://www.google.com/webhp?source...=1&espv=2&ie=UTF-8#q=s7+bootloader+bounties&*
If you found this thread useful hit "Thanks"!
Information
Quick facts
Exynos bootloader is unlockable, which is why we won't talk about that here!
S7 Variants https://en.wikipedia.org/wiki/Samsung_Galaxy_S7#Variants
US & China use a Snapdragon processor, all other locations use the Exynos
Knox counter: will void warranty (if you still have one!). Most couldn't care less if there's a remote possibility of unlocking the bootloader. Methods or tampering could possibly trip this counter.
Mostly when people say a phone is "locked", they mean locked to a CARRIER. That is NOT what we're talking about here - we're talking about a locked bootloader which allows you to install a custom ROM.
FRP: (Factory Reset Protection) Requires username/pass after factory resetting http://www.androidcentral.com/factory-reset-protection-what-you-need-know Reset: https://forum.xda-developers.com/galaxy-s7/how-to/samsung-factory-reset-protection-gmail-t3446788
Bootloader version: PhoneSettings->AboutPhone->Baseband version: 5th from last number.
Ex: Baseband G935UUES4AQC1 = Bootloader version 4 @thescorpion420 (T-Mobile & U = ver 4, China = ver 2)
Locked bootloader
Easy way to tell your bootloader lock status(?)
What is the bootloader? Part of the Android boot process. See all about it here: http://newandroidbook.com/
Why can't we currently unlock the bootloader? There is something called the chain of trust, whereby 'everything' from when the phone first turns on, through each 'piece' it verifies the contents of the flash is legit and from a listed trusted source (either Samsung or carrier). What controls this is the current, existing software/FW on your phone. So if we took what's there and removed these checks, we currently don't have a way to write this to your phone, since "we" aren't from the list of trusted sources. How do they enforce this? The images need to be digitally signed.
What does it mean to digitally sign a file (or image, FW in our case)? There is a private key and public key. Samsung and/or Carrier have the private key, your phone has the public key. Author writes a new SW package, then uses a tool to get a checksum. The checksum gets encrypted with the private key. The encrypted checksum gets appended to the SW package. Using OTA (over the air deployment) or ODIN, we push the package to the phone. The phone decrypts the appended encrypted checksum using its public key, does a checksum on the remaining package, and makes sure they both match. Now you can see why we can't fake this! Only way would be to find an exploit or get the private key so we can sign these ourselves!
Links (relevant threads)
Potential way to unlock bootloader? https://forum.xda-developers.com/tmobile-s7-edge/help/potential-to-unlock-bootloader-t3544220
ROOT DISCUSSION / TEKXv2 Dev Thread Extension SM-G935T - Dev Section / Discoveries https://forum.xda-developers.com/tmobile-s7-edge/how-to/root-discussion-future-sticky-root-t3327399
G935AVPT cross bootloader, flash Chinese Version , support ALL lte band,Knox stil 0!! https://forum.xda-developers.com/ve...ross-bootloader-flash-chinese-t3432190/page15 or
https://forum.xda-developers.com/att-s7-edge/how-to/g935avpt-cross-bootloader-flash-chinese-t3435043
High-level explanation of what's going on with this locked bootloader: https://www.xda-developers.com/galaxy-s7-bootloader-lock-explained-you-might-not-get-aosp-after-all/
Resources
Android Internals: A Confectioner's Cookbook http://newandroidbook.com/
Many thanks to Jonathan Levin for releasing that to the public for free, but please support his work via the other listed means. Also Reverse Engineering Aboot: http://newandroidbook.com/Articles/aboot.html
Samsung Source (Tmobile) http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=SM-G930T
Bootloaders, Encryption, Signing http://www.androidpolice.com/2011/0...ncryption-signing-and-locking-let-me-explain/
LOCK download mode (opposite but might have useful info) https://ge0n0sis.github.io/posts/20...-mode-using-an-undocumented-feature-of-aboot/
Tools
Phone Apps
Root Browser app (doesn't need root) access all files on phone (across ALL partitions?) https://play.google.com/store/apps/details?id=com.jrummy.root.browserfree&hl=en
Phone INFO (get info about phone) https://play.google.com/store/apps/details?id=org.vndnguyen.phoneinfo&hl=en
Other
S7 USB driver http://samsungodin.com/SamsungUSBDriver/USB_Drivers_1.5.27.0.rar
ADB (Install Android SDK)
DD: https://forum.xda-developers.com/showthread.php?t=1153991 (can be "disk destroyer" if used stupidly)
Sandbox: Possible to make a virtual S7 to test on? (including ALL partitions such as aboot, etc)
Ubuntu VM: How to build a Linux VM for dev & testing on this: http://imicrov.com/small-tech/android-development/android-development-with-ubuntu-in-virtualbox VMWare: http://www.vmware.com/products/player/playerpro-evaluation.html Ubuntu image: http://www.osboxes.org/ubuntu/
Flashing
Info https://code.tutsplus.com/articles/an-introduction-to-android-firmware--cms-26791
Firmware (Android ROM) is stored in a writable form of memory called NAND flash memory, the same type of memory that is used in storage devices, such as USB sticks and SD cards
Bootloader more info
Ways to Flash
ODIN - Odin3_v3.12_PrinceComsy (ODIN is Samsung's replacement for Fastboot) https://www.androidfilehost.com/?fid=24591023225177749 or http://samsungodin.com/ (?)
ODIN is the only possible way (that we know of). You push a download from PC to phone; it runs checksum and signature verification, and if it doesn't match what it expects, it never writes from memory to the phone and throws away the image. This intense security is likely due to Samsung Pay.
ADB - No standard way to do this, but maybe something creative might work...
Heimdall https://forum.xda-developers.com/galaxy-s7/how-to/guide-heimdall-to-flash-firmware-t3452904 (still work? couple years since updated) Sourcecode: https://github.com/Benjamin-Dobell/Heimdall
USB jig: https://forum.xda-developers.com/galaxy-s7/accessories/usb-jig-t3347793/page4 eBay: http://www.ebay.com/sch/i.html?_odk....H0.Xusb+jig+s7.TRS0&_nkw=usb+jig+s7&_sacat=0 Or make your own: http://www.instructables.com/id/USB-JIG-to-give-life-to-your-Bricked-mobile/
SD card: https://forum.xda-developers.com/showpost.php?p=69235306&postcount=38
Z3X Box: eBay: http://www.ebay.com/itm/2016-Z3X-BO...I-Unlock-Flash-Tool-C3300KCable-/291810363162
Safestrap(?)
Flash Errors & What they mean:
Failed aboot Fused 2> binary 1 - bootloader error: ?
SECURE CHECK FAIL: No Bueno! You're trying to flash something that's not digitally signed correctly
Firmware/Files:
AP (Application Processor or PDA or Android Partition): Android. System partition with recovery, etc. Recovery, kernel and ROM will be in this file. This is the only FW that is open source.
Typical contents of update.zip:
android-info.txt: Text file specifying the prerequisites of the build, such as the version numbers of the bootloader and the radio firmware that the build needs
boot.img: Binary file that contains both a Linux kernel and a ramdisk in the form of a GZIP archive. The kernel is a boot executable zImage that can be used by the bootloader. The ramdisk, on the other hand, is a read-only filesystem that is mounted by the kernel during the boot process. It contains the well known init process, the first process started by any Linux-based operating system. It also contains various daemons such as adbd and healthd, which are started by the init process. More info
recovery.img: Very similar to boot.img. It has a boot executable kernel file the bootloader can use and a ramdisk. Consequently, the recovery image too can be used to start an Android device. When it is used, instead of Android, a very limited operating system is started that allows the user to perform administrative operations, such as resetting the device's user data, installing new firmware, and creating backups.
system.img: Partition image that's mounted on the empty system directory from boot.img. Contains the Android OS binaries as well as system apps, fonts, framework JAR files, libraries, media codecs, bloatware, etc. (Most used for flashing a custom ROM)
userdata.img: Partition image that will be mounted on the empty data directory from boot.img. Custom ROMs typically come with this image as blank so that it resets the contents of the data directory.
BL (Bootloader): Proprietary code that is responsible for starting the Android operating system when an Android device is powered on. Typically, it checks if the operating system it is starting is authentic as well. (Checks if the boot partition has been signed using a unique OEM key, which belongs to the device manufacturer and is private.) I.e., locked bootloader. Fastboot, IF allowed on a device, disables this check.
CP (Core Processor): Modem. This proprietary Radio firmware is another operating system on an independent processor called a baseband processor, independent of Android. This adds the cellular radio capabilities of the device like 3g & LTE. Qualcomm, etc develop this FW.
CSC (Consumer Software Customization): It is specific to geographical region and carriers. It contains the software packages specific to that region, carrier branding and APN setting. Eg Wi-Fi Calling. Flashing will lose your data (factory reset). Variations of CSC may retain data.
PIT files (Partition Information Tables) (Danger! Don't flash these unless you know what you're doing!)
Different variants of the S7 have different partition sizes; the same phone on the same carrier with a different storage size has a different PIT. One issue people were having flashing images for other variants is that the partition would fill up. A workaround would be to reformat with a correct PIT file and check "repartition" in ODIN. More info via @[Ramad] https://forum.xda-developers.com/sho...d.php?t=999097
"Get PIT for mapping" error while flashing (indicates you need a PIT file to flash what you're trying to flash)
-Extract current PIT file from phone: http://www.**********.com/how-to-ext...alaxy-devices/ (need root)
Unlock Methods
High-Level Ways to Unlock:
Get leaked private key so we can sign our own images
Find exploits
Dev bootloader gets leaked
?
What does work:
Can flash digitally signed images
Can write to partitions with engineering kernel
Ideas:
Use engineering kernel that has root to somehow modify bootloader partition to remove digital signature checks - at level/entry point can or should this be done? (ie, where in boot process at a minimum do we need to remove the check?)
Thread on installing LineageOS on bootloader locked Note 3: (this possible on our device?) https://forum.xda-developers.com/redmi-note-3/how-to/kate-guide-install-lineage-os-locked-t3546154
Thread on Recovery for locked bootloaders by @hsbadr : (work on our device?) https://forum.xda-developers.com/an...g/tool-multirom-recovery-replacement-t3102395
...Reading sdd10 line by line. I did find an entry "Device is unlocked! Skipping verification...". I'm starting to think we need to look into recovery-side exploits" @Flippy125 https://forum.xda-developers.com/tmobile-s7-edge/help/potential-to-unlock-bootloader-t3544220/page2
Back-rev bootloader version (or other partition) to reintroduce security exploits (don't believe you can back-rev easily, though). dd Chinese version? (Hard brick?) https://forum.xda-developers.com/showpost.php?p=70977356&postcount=39 @thescorpion420
Exploits: (known existing)
SD card most vulnerable?
Samsung Source available I believe (in its entirety though? See Resources links above) Perhaps viewing this may reveal exploits
?
Attempted Methods:
OEM Unlock in Android Settings menu: YES! We tried that!
Flashed Chinese images via ODIN. People used PIT (Partition Information Table) files and checked reformat partitions in ODIN and still failed.
Result: Errors during flash process, won't take, "Thread Failed" error
Chinese bootloader is v2 where all US models are v4(? How to determine?)
Convert Chinese ROM to another variant: https://forum.xda-developers.com/android/general/guide-how-to-convert-chinese-roms-based-t3577469
Use CROM app (Chinese phones have this app to unlock their phones):
Result: This app communicates with Samsung servers and ends up writing a flag (kiwibird?) to the STEADY partition. US phones don't have this partition, so this currently won't work.
Dirty COW exploit - (didn't work) indicated by @Binary100100
Android OS & Everything about it
Engboot kernel write protection seems to be off, so it appears you can use dd to write to normally write-protected partitions such as the bootloaders (ex: "dd if=/sdcard/aboot of=/dev/block/sdd10"). In my testing I was able to successfully "dd" a backed-up aboot (secondary bootloader) partition and also write to the modem partition and have it stick. @qwewqa
MBN files: Multi boot binary firmware. Mostly used with Samsung, binary data for storing the device's memory partitions, such as the resources and power manager, secondary boot loader, AP boot loader, and trust zone. Can't just edit, need source then compiling creates mbn files? Info: https://www.quora.com/What-is-mbn-file-format-where-is-it-used https://forum.xda-developers.com/showpost.php?p=29787988&postcount=31
Create MBN: https://forum.xda-developers.com/showpost.php?p=28145975&postcount=198 Moreinfo: https://forum.xda-developers.com/showpost.php?p=28149932&postcount=212
Cook custom ROM: https://forum.xda-developers.com/showthread.php?t=901417
Extract mbn files using unyaffsmbn: https://forum.xda-developers.com/showpost.php?p=6303911&postcount=827
How to get existing versions, eg, bootloader version? (Many versions are in Phone->Settings->About device)
Partitions... needed to be modified(?) @qwewqa https://forum.xda-developers.com/tmobile-s7-edge/help/potential-to-unlock-bootloader-t3544220
- rpm (Resource and Power Manager / Primary Bootloader) located at /dev/block/sdd1 (/dev/block/bootdevice/by-name/rpm)
- aboot (AP Bootloader / Secondary Bootloader) located at /dev/block/sdd10 (/dev/block/bootdevice/by-name/aboot)
- xbl (Extended Bootloader) located at /dev/block/sdb1 (/dev/block/bootdevice/by-name/xbl)
- ? located at /dev/block/sdc1
- Sdd1 is the primary bootloader
Boot Process @qwewqa
RPM = Resource and Power Manager = Primary Bootloader
ABoot = AP Bootloader = Secondary Bootloader
I believe the boot process is "RPM > ABoot > boot.img (Main OS)", so both the rpm and aboot file would be needed
Partitions (Correct? via @silentwind827)
https://forum.xda-developers.com/android/general/info-android-device-partitions-basic-t3586565
https://source.android.com/devices/bootloader/partitions-images
http://davinci-michelangelo-os.com/2017/01/22/edit-init-rc-android/
ls -l /dev/block/bootdevice/by-name/
cat /proc/partitions
/dev/block/sda1 => modemst1
/dev/block/sda2 => modemst2
/dev/block/sda3 => fsc
/dev/block/sda4 => ssd
/dev/block/sda5 => persist
/dev/block/sda6 => efs
/dev/block/sda7 => param
/dev/block/sda8 => misc
/dev/block/sda9 => keystore
/dev/block/sda10 => devcfg
/dev/block/sda11 => frp
/dev/block/sda12 => bota
/dev/block/sda13 => fota
/dev/block/sda14 => persistent [edited]
/dev/block/sda15 => apnhlos
/dev/block/sda16 => modem
/dev/block/sda17 => boot (Kernel, RAMdisk, & boot images get flashed here see link above for details)
/dev/block/sda18 => recovery
/dev/block/sda19 => persdata
/dev/block/sda20 => system
/dev/block/sda21 => cache
/dev/block/sda22 => userdata
/dev/block/sdb1 => xbl
/dev/block/sdd1 => rpm
/dev/block/sdd2 => tz
/dev/block/sdd3 => hyp
/dev/block/sdd4 => fsg
/dev/block/sdd5 => sec
/dev/block/sdd6 => pmic
/dev/block/sdd7 => dsp
/dev/block/sdd8 => dip
/dev/block/sdd9 => mdtp
/dev/block/sdd10 => aboot
/dev/block/sdd11 => devinfo
/dev/block/sdd12 => bluetooth
/dev/block/sdd13 => lksecapp
/dev/block/sdd14 => keymaster
/dev/block/sdd15 => cmnlib
/dev/block/sdd16 => cmnlib64
/dev/block/sdd17 => apdp
/dev/block/sdd18 => msadp
/dev/block/sdd19 => dpo
/dev/block/sdd20 => ddr
/dev/block/sdd21 => pad
Restore Stock Methods
(Since we need a way to fix a bricked phone while we're trying to break it! Hard bricks likely not restorable though?)
Note: Not all of these methods will work, depending on how bad you bricked your phone.
https://www.androidsage.com/2016/03/...ware-download/
How to Fix a Bootloop: Turn off your device and reboot into recovery mode by pressing and holding the Power + Volume Down + Home keys for a few seconds. From the Recovery, select Wipe Data / Factory Reset. Confirm the action and reboot once done. Your device should now boot up.
Samsung Kies & Samsung Smart Switch https://forum.xda-developers.com/galaxy-s7/how-to/guide-revert-to-stock-anytime-kies-t3396314
Stock Files
Stock Files Collection https://forum.xda-developers.com/galaxy-s7/how-to/s7-s7e-stock-rom-bootloader-modem-t3383963
[Collection] Firmware/ROM Full, PIT Files https://forum.xda-developers.com/galaxy-s7/how-to/collection-firmware-rom-pit-files-t3326707
Alternatives to unlocked bootloader
A Quick and Simple Summary list of things to get by until we get custom roms:
[ROM][TMOBILE][S7_SM-G930T][Oreo Rooted]
Use Engineering kernel to get root https://forum.xda-developers.com/tm...eres-how-rooted-nougat-s7-edge-g935t-t3567502 (SOME people complain of lag with the engineering kernel)
Remove bloatware:
Debloater by @gatesjunior (Works on latest Android with root) https://forum.xda-developers.com/android/software/debloater-remove-carrier-bloat-t2998294
Other apps: Titanium Backup, Package Disabler Pro, Root Package Disabler
Freeze these apps: https://forum.xda-developers.com/galaxy-s7/how-to/touchwiz-bloatware-save-to-remove-list-t3330241
Stock ROM Engineering kernel modified, with root (NOT installed traditionally via recovery like TWRP) Ex: https://forum.xda-developers.com/tmobile-s7-edge/development/rom-t3572739 by @jrkruse or https://forum.xda-developers.com/tm...ekx-dev-deodex-systemui-3minit-multi-t3411776 by @TEKHD
xposed not available yet for nougat as of 4/1/2017
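The partition list above is the join of the two commands it quotes, `ls -l /dev/block/bootdevice/by-name/` and `cat /proc/partitions`. The script below is an added example (not from this thread or from any of the tools linked above) that builds that table from the two outputs, marks the pre-Android boot-chain partitions whose corruption is the hard-brick case discussed here, and emits the dd/sha256sum lines for a verified backup before anyone tries the dd write described at the top of the post. Both sample outputs are constructed from a few entries of the posted mapping; the sizes are illustrative, and the boot-chain set is this example's own classification.

```python
"""Map partition names to block devices and sizes on a Qualcomm-based S7 (SM-G930x/G935x).

Added example, not from the thread. Joins `ls -l /dev/block/bootdevice/by-name/` and
`cat /proc/partitions` into one table and generates dd + sha256sum commands for a backup
that a later restore can be checked against. Sample outputs are CONSTRUCTED; sizes are
illustrative only.
"""
import re

LS_BY_NAME = """\
lrwxrwxrwx 1 root root 15 1970-01-01 00:00 aboot -> /dev/block/sdd10
lrwxrwxrwx 1 root root 15 1970-01-01 00:00 boot -> /dev/block/sda17
lrwxrwxrwx 1 root root 15 1970-01-01 00:00 modem -> /dev/block/sda16
lrwxrwxrwx 1 root root 14 1970-01-01 00:00 rpm -> /dev/block/sdd1
lrwxrwxrwx 1 root root 14 1970-01-01 00:00 tz -> /dev/block/sdd2
lrwxrwxrwx 1 root root 14 1970-01-01 00:00 xbl -> /dev/block/sdb1
"""

PROC_PARTITIONS = """\
major minor  #blocks  name

   8        0   30535680 sda
   8       16     102400 sda16
   8       17      65536 sda17
   8       16       4096 sdb
   8       17       4096 sdb1
   8       48       4096 sdd
   8       49        512 sdd1
   8       50       2048 sdd2
   8       58       1024 sdd10
"""

# Partitions in the pre-Android boot chain (XBL/SBL, RPM, TrustZone, hypervisor, aboot, ...).
# This set is the example's own classification, not something the thread or Samsung documents.
BOOT_CHAIN = {"xbl", "rpm", "tz", "hyp", "aboot", "pmic", "devcfg", "keymaster",
              "cmnlib", "cmnlib64", "lksecapp", "sec", "mdtp"}

_LS_RE = re.compile(r"\s(\S+)\s->\s(/dev/block/\S+)\s*$")


def parse_by_name(ls_output):
    """'name -> /dev/block/sdXN' lines to {name: device path}."""
    links = {}
    for line in ls_output.splitlines():
        m = _LS_RE.search(line)
        if m:
            links[m.group(1)] = m.group(2)
    return links


def parse_proc_partitions(text):
    """/proc/partitions to {device basename: size in KiB} (header and blank line skipped)."""
    sizes = {}
    for line in text.splitlines()[2:]:
        fields = line.split()
        if len(fields) == 4:
            sizes[fields[3]] = int(fields[2])
    return sizes


def partition_table(ls_output, proc_text):
    """Rows of (name, device, size_kib, in_boot_chain), sorted by device path."""
    sizes = parse_proc_partitions(proc_text)
    rows = []
    for name, dev in parse_by_name(ls_output).items():
        rows.append((name, dev, sizes.get(dev.rsplit("/", 1)[1]), name in BOOT_CHAIN))
    return sorted(rows, key=lambda r: r[1])


def backup_commands(rows, outdir="/sdcard/ptbackup"):
    """Shell lines for a root adb shell: dump every partition, then record SHA-256 sums so a
    restore can be verified by re-reading the partition and comparing against the sum."""
    cmds = ["mkdir -p %s" % outdir]
    for name, dev, _, _ in rows:
        cmds.append("dd if=%s of=%s/%s.img bs=4096" % (dev, outdir, name))
    cmds.append("sha256sum %s/*.img > %s/SHA256SUMS" % (outdir, outdir))
    return cmds


if __name__ == "__main__":
    for name, dev, kib, chain in partition_table(LS_BY_NAME, PROC_PARTITIONS):
        print("%-10s %-18s %8s KiB %s" % (name, dev, kib, "BOOT-CHAIN" if chain else ""))
    print("\n".join(backup_commands(partition_table(LS_BY_NAME, PROC_PARTITIONS))))
```

Capture the two outputs on the phone with `adb shell` and feed them in; after a restore, re-run `dd if=/dev/block/... | sha256sum` and compare against SHA256SUMS rather than trusting that the write "stuck".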
kevin712467 said:
Alternatives to unlocked bootloader
A Quick and Simple Summary list of things to get by until we get custom roms:
Use Engineering kernel to get root https://forum.xda-developers.com/tm...eres-how-rooted-nougat-s7-edge-g935t-t3567502 (SOME people complain of lag with the engineering kernel)
Remove bloatware:
Debloater by @gatesjunior (This still work?) https://forum.xda-developers.com/android/software/debloater-remove-carrier-bloat-t2998294
Other apps: Titanium Backup, Package Disabler Pro, Root Package Disabler
Freeze these apps: https://forum.xda-developers.com/galaxy-s7/how-to/touchwiz-bloatware-save-to-remove-list-t3330241
xposed not available yet for nougat as of 4/1/2017
Not on the newer versions of Android unless rooted, then it does.
Does anyone know if the phone boots differently when using a) the SD card boot & b) a USB jig? Or a z3x box? If so, how? (I'm guessing the jig boots the same as button pressing into download mode, but wanted to leave no leaf unturned!) Knowing this might open some doors of vulnerability if it boots differently. In all the reading I did about this, I haven't read about anyone trying to flash an image via either of these methods. (I'm assuming & hoping this is even possible & you can actually boot off the SD card; if not, at least install via SD.) Testers?! (Reference "Flashing -> Ways to Flash" above for details, links.)
can try on your phone 7 edge
kevin712467 said:
Alternatives to unlocked bootloader
A Quick and Simple Summary list of things to get by until we get custom roms:
Use Engineering kernel to get root https://forum.xda-developers.com/tm...eres-how-rooted-nougat-s7-edge-g935t-t3567502 (SOME people complain of lag with the engineering kernel)
Remove bloatware:
Debloater by @gatesjunior (Works on latest Android with root) https://forum.xda-developers.com/android/software/debloater-remove-carrier-bloat-t2998294
Other apps: Titanium Backup, Package Disabler Pro, Root Package Disabler
Freeze these apps: https://forum.xda-developers.com/galaxy-s7/how-to/touchwiz-bloatware-save-to-remove-list-t3330241
Stock ROM Engineering kernel modified, with root (NOT installed traditionally via recovery like TWRP) Ex: https://forum.xda-developers.com/tmobile-s7-edge/development/rom-t3572739 by @jrkruse or https://forum.xda-developers.com/tm...ekx-dev-deodex-systemui-3minit-multi-t3411776 by @TEKHD
xposed not available yet for nougat as of 4/1/2017
Well, I've been reading the BL.mdf file, and how I've done it: if you delete the mdf extension and extract it as a tar file you'll get three files with encryption; some of it is readable. I'm studying the code and looking for loopholes. However, I have tried flashing the G935F BL file on my G935V and it gives me a "device ID not supported" error, so if we can somehow implant the US models' device ID into the G935F BL file we should have an unlocked bootloader. It's just a theory, but I believe this would be a great start for US models of the S7 Edge.
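Samsung's Odin packages (BL_*, AP_*, CP_*, CSC_*) are shipped as .tar.md5, which is most likely what the post above calls BL.mdf: a plain tar archive with one text line appended, `<md5 hex>  <filename>`, where the MD5 covers every byte before that line. Renaming it to .tar just makes tar tools ignore the trailer. The script below is an added example, not from this thread or from Samsung/Odin, that verifies the trailer and lists the members; the assumption about the trailer format is stated in the code, and the package it builds is constructed with dummy member contents rather than real .mbn images.

```python
"""Check and list a Samsung Odin package (BL_*.tar.md5 / AP_*.tar.md5 ...).

Added example, not from the thread. ASSUMPTION: the package is an ordinary tar archive
followed by one appended line "<md5 hex>  <filename>\n", and the MD5 is computed over the
archive bytes before that line. A tar archive is a whole number of 512-byte blocks, so the
trailer is whatever lies past the last full block. The sample package is CONSTRUCTED.
"""
import hashlib
import io
import tarfile


def build_sample_package(name="BL_SAMPLE.tar"):
    """Constructed stand-in for a BL package: three fake .mbn members plus the md5 trailer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for member, payload in (("sbl1.mbn", b"\x7fELF" + b"\x00" * 60),
                                ("aboot.mbn", b"\x7fELF" + b"\x01" * 60),
                                ("rpm.mbn", b"\x7fELF" + b"\x02" * 60)):
            info = tarfile.TarInfo(member)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    tar_bytes = buf.getvalue()
    trailer = "%s  %s\n" % (hashlib.md5(tar_bytes).hexdigest(), name)
    return tar_bytes + trailer.encode()


def split_tar_md5(data):
    """Return (tar_bytes, expected_md5_hex, filename) or raise if there is no trailer."""
    tar_len = len(data) - len(data) % 512
    tail = data[tar_len:].decode("ascii", "replace").split()
    if len(tail) < 2 or len(tail[0]) != 32:
        raise ValueError("no md5 trailer found (plain .tar?)")
    return data[:tar_len], tail[0].lower(), tail[1]


def verify_tar_md5(data):
    """True if the MD5 in the trailer matches the archive bytes before it."""
    tar_bytes, expected, _ = split_tar_md5(data)
    return hashlib.md5(tar_bytes).hexdigest() == expected


def list_members(data):
    """[(member name, size in bytes)] of the archive, trailer stripped."""
    tar_bytes, _, _ = split_tar_md5(data)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [(m.name, m.size) for m in tf.getmembers()]


if __name__ == "__main__":
    pkg = build_sample_package()
    print("trailer ok:", verify_tar_md5(pkg))
    for member, size in list_members(pkg):
        print("%-12s %6d bytes" % (member, size))
```

To use it on a real file, read the .tar.md5 into `data` and call `verify_tar_md5`/`list_members`; the MD5 is an integrity check only and says nothing about the signatures the bootloader enforces on the images inside.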
kenshin6106 said:
Well, I've been reading the BL.mdf file, and how I've done it: if you delete the mdf extension and extract it as a tar file you'll get three files with encryption; some of it is readable. I'm studying the code and looking for loopholes. However, I have tried flashing the G935F BL file on my G935V and it gives me a "device ID not supported" error, so if we can somehow implant the US models' device ID into the G935F BL file we should have an unlocked bootloader. It's just a theory, but I believe this would be a great start for US models of the S7 Edge.
The 935F bootloader is for Exynos; you want to flash the 9350 bootloader. Odds are if you succeeded in flashing the 935F bootloader you'd have a nice shiny paperweight.
kenshin6106 said:
Well, I've been reading the BL.mdf file, and how I've done it: if you delete the mdf extension and extract it as a tar file you'll get three files with encryption; some of it is readable. I'm studying the code and looking for loopholes. However, I have tried flashing the G935F BL file on my G935V and it gives me a "device ID not supported" error, so if we can somehow implant the US models' device ID into the G935F BL file we should have an unlocked bootloader. It's just a theory, but I believe this would be a great start for US models of the S7 Edge.
Where are you finding a "BL.mdf" file? I'm looking at stock images and see mostly mbn, bin, and img files. Is this an extraction of one of these files, images? Not sure this will help but here they talk about "brushing" (flashing) 'pick and choose' images making a compilation for a full flash (like pick US modem, with chinese bl, etc) & the Chinese are successful using US "pieces"/images despite having a different phone variant https://forum.xda-developers.com/ve...g935v-cross-bootloader-flash-chinese-t3432190 Another possible way could be the opposite of what you're trying: implant the international device ID on our phone so the image can flash without your error. (via engineering kernel possible to change this value, wherever it sits?)
Also, another thought: I wonder if there's a way to modify the PC ODIN tool (or Heimdall since that source is easily available) to add functions to talk to "hidden functions" on ODIN (on the phone) to unlock it that way. Or modify it to turn it more into an interactive console so we can navigate and investigate the phone's ODIN program. Does anyone know if the ODIN source for the phone side has been leaked? If not, any intelligent folks out there know how to 'reveal' all methods so we can go through it and maybe find exploits? (This been done already?)
One more thing: Those thinking the S8 is nearly out now so let's give up... Well, can anyone predict the future like I can?!! I'm SURE it will be locked as well. I wouldn't be surprised however if any exploit we can find for the S7 will be relevant on the S8!
Thanks for the efforts kenshin6106 ! And all the viewers of this thread make sure to hit the "Thanks" button on the bottom right of the developers posts to show your support. Remember, most think this is a dead subject, let's change that mentality!!
Can anyone please indicate what images or partitions are allowed to be downgraded, version-wise (if any)? I'm reading conflicting information, or it's hard to tell if the BL rejected it due to a fundamental error or because it will not allow down-revving, whereby it would be possible had an acceptable image been used. E.g., I read the bootloader cannot go from ver4 (US) to ver2 (Chinese). I'm not sure what's accurate. And does ODIN/bootloader allow you to go from Nougat to Marshmallow? Knowing this will help with our unlocking methods...
Any instructions on how to flash G930P to U firmware? I get errors.
Bump.
I have a rooted SM-G930v using the engineering kernel, but I find the limitations of having a locked bootloader hyper-frustrating. In fact, I started researching which non-samsung android phone will be my next. (Looking at the Huawei P10/P11). I've been trying to use Magisk, TWRP, and a few other tools and have come to the realization that none of these are possible with a locked bootloader. Why is it that the Chinese variants have unlocked bootloaders? Samsung surely didn't make the decision to lock down their devices. It must be the US carriers that insist on locking down their devices and systems so that people can't modify certain apps, systems, and roms. Like bloatware for example. We just can't have nice things.
I wish I had more time to work on this, but I am not very experienced and I would almost rather get a similar device that is easier to root. I will however follow this thread and contribute what I can.
Chiller252 said:
I have a rooted SM-G930v using the engineering kernel, but I find the limitations of having a locked bootloader hyper-frustrating. In fact, I started researching which non-samsung android phone will be my next. (Looking at the Huawei P10/P11). I've been trying to use Magisk, TWRP, and a few other tools and have come to the realization that none of these are possible with a locked bootloader. Why is it that the Chinese variants have unlocked bootloaders? Samsung surely didn't make the decision to lock down their devices. It must be the US carriers that insist on locking down their devices and systems so that people can't modify certain apps, systems, and roms. Like bloatware for example. We just can't have nice things.
I wish I had more time to work on this, but I am not very experienced and I would almost rather get a similar device that is easier to root. I will however follow this thread and contribute what I can.
Check out this thread - https://forum.xda-developers.com/s7...heoretical-variant-bootloader-unlock-t3627286
We need testers!!
Hello folks,
I ran into a problem with my old Samsung Galaxy Grand Prime Plus. 3 years ago I was messing up with the phone and I ran into an invalid IMEI problem. As I was a real newbie, I brought it straight to a friend of a friend of a friend who had a phone shop, and he fixed it for me.
Everything OK until last week, when I suddenly realized that probably the guy had flashed the wrong IMEI to it, mistyping 2 numbers of one of the two IMEIs.
Currently, I then have a perfectly working phone, but the IMEI is incorrect and I need to fix it.
I don't have the box anymore, but luckily the numbers under the battery are perfectly clear and readable, although this is quite an old device.
As the shop of the guy who did the work is long gone, I started to look around for instructions on how to deal with the problem, and I followed all the possible tutorials, but apparently I'm not able to fix the issue.
I just know it can be done, as this was done to the very same phone in the past, creating the problem. I just do not happen to know how he did it...
Here's what I tried so far:
1. APP: Mobileuncle Tools
Whenever I tap onto "IMEI Backup Restore (MTK)" I get an error message that says "No support".
2. APP: MTK engineering mode
I open the app, and whenever I tap onto "MTK Settings" I get an error message that says: "Cannot find EngineerMode App - Mediatek chipset is mandatory and stock ROM must be installed".
I tried both Mobileuncle Tools and MTK Engineering mode with 3 different ROMs downloaded from different sources, before and after rooting the device with Super SU, but to no avail.
3. With any xposed module
This could be a solution... but not a real one.
At least according to all the documentation I found (also here on the forum), any xposed module like "IMEI Changer", "chamaleon", "device changer", "hijack suite free" etc only mask the IMEI in front of other apps, but do not really change the IMEI of the phone.
So basically I would still have a phone with an illegal IMEI on it.
Not ideal: this is not what I am looking for.
4. IMEI Maker and IMEI Repair
I followed the tutorial I found here:
https://forum.xda-developers.com/showthread.php?t=2399037
I encounter no errors at all, and TWRP shows a clean log, nothing seems to be wrong. But after flashing the new IMEI, nothing changes: with *#06# I can still see the wrong IMEI there.
The file in data/nvram/md/NVRAM/NVD_IMEI/MP0B_001 just remains the same, dating 2016, and does not get replaced by the new one.
I tried to replace the file manually, using ROM Toolbox Lite. At the beginning I could not delete the original MP0B_001 file, even after changing permissions to 775. It kept saying "File deleted" but the file remained there.
I then installed BusyBox Free, and it did the trick: now using ROM Toolbox Lite I definitely can delete the MP0B_001 file. The problem is that the original file keeps coming back again and again, after every reboot.
Nevermind if I place the new MP0B_001 file in the folder copying and pasting it or flashing it with TWRP, it will get overwritten by the old file with the wrong IMEI.
5. Flashing a Combination ROM
I didn't find a specific tutorial for this one, but I just tried to flash the combination ROM and see whether I could get any luck touching things in there.
No luck!
6. With SN write tool (windows software)
Here the big problem is, I can't find the BP file anywhere.
No AP_BP_database seems to contain the BP file for the MT6737T (that is the chipset of the G532F). As I am writing, I am thinking about trying to use a different BP file, from a different chipset. This probably won't work, but after trying all of these, I mean, why not...
I also tried to look for the BP file in the folder /system/etc/mddb/ , as advised here: https://forum.hovatek.com/thread-11609.html . I looked for it with any of the 3 different stock ROMs I tried to install. Yet again, absolutely nooooo luck here.
7. MTK Droid Root & Tools (windows software)
This won't even connect to the phone. That is, whenever I connect the phone to the PC, I get the following errors:
" --- Estructura de ROM desconocida, no se puede hacer backup ! "
That would be something like: "Unknown ROM structure, cannot perform backup"
The device gets recognized (hardware, model, build number...), so it should be a problem of drivers, cable or USB port. Also because I used the same setup to install all the stock ROM, TWRP, Super SU etc...
---------------------------
And here I am. After one week of try and fail, getting tired of all this!
I'm surprised on how persistent that wrong IMEI is, as I can't get rid of it in any way.
Do you have ANY kind of idea of what can I do?
As points 1, 2, 4, 6 and 7 are specifically advised for the MTK chipset, I'm starting to doubt that this is an MTK chipset altogether!!!
Thanks for your help
Peter
Update:
I tried with NCK Dongle AndroidMTK 2.5.6.2
Still no success (phone apparently not supported).
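Before trying yet another write tool, it is worth checking the digits themselves. An IMEI is 15 digits: an 8-digit TAC, a 6-digit serial, and a Luhn check digit computed over the first 14. The script below is an added example (not from this thread or from any of the tools the post lists) that computes the check digit, validates a 15-digit IMEI, and compares the label IMEI with the one `*#06#` reports, showing which positions differ. It only does arithmetic and reads or writes nothing on the phone. The two IMEIs in the test are constructed (the 49015420323751x number is the one commonly used in IMEI documentation), not the poster's.

```python
"""IMEI check-digit arithmetic (Luhn), added example, not from the thread.

Layout: TAC (8 digits) + serial (6 digits) + check digit. The check digit is Luhn over the
first 14 digits: starting from the rightmost of the 14, double every second digit, subtract
9 from any result above 9, sum everything, and pick the digit that makes the total a
multiple of 10. Luhn catches any single mistyped digit and most adjacent transpositions.
"""


def luhn_check_digit(digits14):
    """Check digit (as a one-character string) for the first 14 digits of an IMEI."""
    if len(digits14) != 14 or not digits14.isdigit():
        raise ValueError("need the first 14 digits of the IMEI")
    total = 0
    for i, ch in enumerate(reversed(digits14)):
        d = int(ch)
        if i % 2 == 0:          # rightmost of the 14 is doubled, then every second one
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid_imei(imei):
    """True for 15 digits whose last digit is the Luhn check of the first 14."""
    imei = imei.replace(" ", "")
    return len(imei) == 15 and imei.isdigit() and luhn_check_digit(imei[:14]) == imei[14]


def split_imei(imei):
    """TAC / serial / check digit of a 15-digit IMEI."""
    imei = imei.replace(" ", "")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


def diagnose(printed, stored):
    """Compare the label IMEI with the one *#06# reports: 0-based positions that differ,
    whether each passes Luhn, and the check digit the label's first 14 digits require.
    A stored IMEI that fails Luhn cannot be the original, whatever tool wrote it."""
    printed = printed.replace(" ", "")
    stored = stored.replace(" ", "")
    diffs = [i for i, (a, b) in enumerate(zip(printed, stored)) if a != b]
    return {"positions": diffs,
            "printed_valid": is_valid_imei(printed),
            "stored_valid": is_valid_imei(stored),
            "expected_check": luhn_check_digit(printed[:14])}


if __name__ == "__main__":
    label = "490154203237518"      # constructed example IMEI from the documentation
    phone = "490154230237518"      # constructed: two adjacent digits swapped
    print(split_imei(label))
    print(diagnose(label, phone))
```

If the label IMEI itself fails the check, the label was read wrongly (or has its own typo) and no NVRAM write will produce a valid number; that is a cheaper thing to rule out first than another BP database.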
Hi,
I have some MK903V TV sticks that came with Android 4.4.2 and some with Android 7.1.
I thought I could potentially just clone the complete flash from one device to another using AndroidTool v2.3, but that failed.
I used "ExportImage" from "Advanced Function" to export the flash from 0 to 0x00E90000. I then selected the exported file and flashed it to Address 0x00000000 and name "system" using the "Download Image" tab.
The AndroidTool said it uploaded the file and verified okay. But after that I re-exported a few blocks from 0x0 and found that the flash was not overwritten. The device did not boot (no HDMI signal).
I re-exported the system partition and found that it wrote the full backup into the system partition instead.
So basically the Tool used the "name" column and completely ignored the "address" column?
Is there a way to just write the complete flash using AndroidTool v2.3 ignoring partitions? I basically just want to mirror a device to another.
Okay, so I guess I understood that "LOADER" is actually aware of all partitions on the device and also their use/format. The "Address" column seems to be ignored completely. I guess this is only relevant for "MASK ROM" mode devices?
I found out by trying to write to "parameter" partition, hoping it would write to 0x00. But instead it wrote into the first partition at 0x08 and properly wrote the header in front of it with the size of the written data.
So, I now know how to properly extract the "parameter" image from another device and I assume all other partitions can be simply dumped and written without any magic happening to them? But I need to write them partition by partition?
For my understanding... The LOADER mode / the green "Loader" row in AndroidTool is something that is not on the flash, right? But it obviously reads the flash and its partitions.
If I'm right, I cannot brick the device as long as I don't flash a different "Loader" (which I don't have anyways as I cannot extract it from another device).
But: When I mess up the "parameter", will LOADER mode still boot fine and allow me to rewrite "parameter"?
Is "Loader" always booting "uboot" next, which then decides on booting into "kernel" or "recovery" if "R" is pressed?
Okay, I have so many questions and I can't really find any documentation :/
So at least I'll continue my self-conversation here.
The bootloader of the RK3288 - and I'm still not sure what exactly it is - has two modes, LOADER and MASKROM.
I think in LOADER mode it is aware of partitions and makes sure users can only flash data to specific partitions. However, you can also update the partitions (and other stuff?) by writing to "parameter", which is part of the first few blocks of the flash.
In MASKROM mode it is not aware of any contents of the flash and you can basically write over the complete flash. In this mode the AndroidTool will actually use the Address column to flash data (I think).
I'm not exactly sure what triggers MASKROM mode but I guess the bootloader boots MASKROM mode if it cannot find "valid" data on the flash.
For example
erases the Flash and IDB, which forces the device from LOADER into MASKROM mode.
I also found lots of instructions that tell you to short two pins on the NAND Flash chip of the device to trigger MASKROM mode. None of these instructions tell you why you do it and how it works, but I guess it just disables the Flash so the bootloader reads back all zeroes or anything like that?
I also cannot find any information what IDB is, what it stands for and where it is stored, but it seems to play an important role here :/
There are multiple Versions of the "bootloader". e.g. https://github.com/neo-technologies/rockchip-bootloader / https://forum.xda-developers.com/t/rk-bl-rockchip-bootloader-collection.3739510/ lists RK3288Loader_uboot_Apr182014_155036.bin, RK3288Loader_uboot_Apr212014_134842.bin, RK3288Loader_uboot_V2.17.02.bin, RK3288Loader(L)_V2.17.bin, RK32xxLoader(L)_uboot_V2.15_replace_ddr.bin
They obviously do some things differently, but I'm not sure if this is relevant for "normal" operation of the device or just if you need to do special things. e.g.
"Running Android or Linux from an SD card on a RK3288 device - An easy way to dual boo" (forum.xda-developers.com: "If you are interested in dual booting Android and Linux on your RK3288 device or you simply want to try a different Android ROM or Linux distro without flashing the device, then use this method of booting from an SD card. You will need a PC...")
says that RK3288Loader_uboot_V2.17.02.bin is required to boot from SD card. So earlier versions can't do that?
Can I flash these Loaders to any RK3288 device (I guess?) or are they device specific? Can I downgrade? Can I flash them in LOADER and MASKROM mode? Many things I don't understand properly...
The filenames usually contain "uboot". I guess that's not because they include uboot, but because the bootloader starts U-Boot from the "uboot" partition on a regular boot?
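The "parameter" partition the posts above keep coming back to is a small text file: key/value lines, and in its CMDLINE the `mtdparts=` entry that declares every partition as size@offset(name), both in 512-byte sectors, with "-" meaning "to the end of flash" for the last one. That is why the tool ignores the Address column in LOADER mode: it places data by name using this table, and why a broken parameter is dangerous. The script below is an added example (not from this thread, AndroidTool or Rockchip) that parses a parameter image, resolves the layout against a flash size, and flags overlaps or a "-" entry that is not last. Two assumptions are stated in the code: the 8-byte "PARM" + length header (consistent with the poster seeing data written "at 0x08" with a header in front) and a trailing 4-byte CRC that this example does not verify. The sample parameter text is constructed in the shape of a typical RK3288 layout, not dumped from any MK903V; the gap before the first partition (sectors 0 to 0x2000 here) is, as I understand it, where the Loader's ID blocks (IDB) live, which is why no mtdparts entry starts at 0.

```python
"""Parse a Rockchip 'parameter' image and sanity-check the partition layout it declares.

Added example, not from the thread. ASSUMPTIONS: (1) the image as read back by the tool is
magic "PARM", a little-endian uint32 length, the parameter text, then a 4-byte CRC that is
NOT verified here; (2) partitions are the mtdparts= entry of CMDLINE, size@offset(name) in
512-byte sectors, "-" = up to the end of flash. SAMPLE_TEXT is CONSTRUCTED.
"""
import re
import struct

SECTOR = 512

SAMPLE_TEXT = """\
FIRMWARE_VER:4.4.2
MACHINE_MODEL:rk3288
MANUFACTURER:RK3288
MAGIC: 0x5041524B
ATAG: 0x60000800
MACHINE: 3288
CHECK_MASK: 0x80
KERNEL_IMG: 0x62008000
CMDLINE: console=ttyFIQ0 androidboot.console=ttyFIQ0 init=/init mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(misc),0x00008000@0x00006000(resource),0x00008000@0x0000E000(kernel),0x00010000@0x00016000(boot),0x00010000@0x00026000(recovery),0x0001A000@0x00036000(backup),0x00040000@0x00050000(cache),0x00400000@0x00090000(system),0x00008000@0x00490000(metadata),0x00002000@0x00498000(kpanic),-@0x0049A000(userdata)
"""


def build_parameter_image(text):
    """Wrap text in the assumed header (CRC left as zeros; not computed here)."""
    body = text.encode()
    return b"PARM" + struct.pack("<I", len(body)) + body + b"\x00\x00\x00\x00"


def parse_parameter_image(blob):
    """Text of a PARM image; plain text (str or bytes without the magic) passes through."""
    if isinstance(blob, str):
        return blob
    if blob[:4] != b"PARM":
        return blob.decode()
    (length,) = struct.unpack("<I", blob[4:8])
    return blob[8:8 + length].decode()


_PART_RE = re.compile(r"(0x[0-9A-Fa-f]+|-)@(0x[0-9A-Fa-f]+)\(([^)]+)\)")


def parse_mtdparts(text):
    """[{'name', 'offset', 'size'}] in sectors, size None for a '-' (grow-to-end) entry."""
    m = re.search(r"mtdparts=([^:\s]+):(\S+)", text)
    if not m:
        raise ValueError("no mtdparts= in CMDLINE")
    return [{"name": name, "offset": int(off, 16),
             "size": None if size == "-" else int(size, 16)}
            for size, off, name in _PART_RE.findall(m.group(2))]


def _resolved_size(p, total_sectors):
    return (total_sectors - p["offset"]) if p["size"] is None else p["size"]


def check_layout(parts, total_sectors):
    """Problems a bad parameter causes: overlap, '-' not last, partition past end of flash."""
    issues = []
    end_prev = 0
    for i, p in enumerate(parts):
        size = _resolved_size(p, total_sectors)
        if p["size"] is None and i != len(parts) - 1:
            issues.append("%s: '-' size is only valid for the last partition" % p["name"])
        if p["offset"] < end_prev:
            issues.append("%s overlaps the previous partition" % p["name"])
        if p["offset"] + size > total_sectors:
            issues.append("%s extends past the end of flash" % p["name"])
        end_prev = p["offset"] + size
    return issues


def layout_table(parts, total_sectors):
    """(name, offset_bytes, size_bytes) with '-' resolved against the flash size."""
    return [(p["name"], p["offset"] * SECTOR, _resolved_size(p, total_sectors) * SECTOR)
            for p in parts]


if __name__ == "__main__":
    total = 0x00E90000            # flash size in sectors, the range the poster exported
    parts = parse_mtdparts(parse_parameter_image(build_parameter_image(SAMPLE_TEXT)))
    for name, off, size in layout_table(parts, total):
        print("%-10s offset 0x%09x  size %7.1f MiB" % (name, off, size / 2 ** 20))
    print("issues:", check_layout(parts, total) or "none")
```

Run it on the parameter exported from a known-good stick before writing one to another unit; if `check_layout` reports anything, the loader will likely not find a usable uboot/kernel, and recovering then depends on MASKROM mode as discussed above.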
Hi everyone
I have created a Python script to automate patching of the super partition in A/B devices
can be found here: (https://github.com/ChromiumOS-Guy/SuperPatcherGSI)
important to mention that both Windows / Linux versions only work for 64-bit,
I have attached a full log of what the SuperPatcherGSI script outputs when it successfully makes a patched super.img
also I'm a new user in the XDA forums so please tell me if this post needs to be moved to somewhere else,
feel free to ask any question I will try to answer to the best of my abilities
Enjoy and Thanks.
@ChromiumOS-Guy , you are great and your script works smoothly.
Just installed LineageOS 20 after having MIUI 13.
Somehow, after flashing, my phone lost the MAC address and bluetooth (IMEIs are fine).
Do you think it can be due to LineageOS or for the flashing process?
Welcome to XDA!
Hello good tool i like it but im getting error on repack could you help ?
snx413 said:
Hello good tool i like it but im getting error on repack could you help ?
I can try to
newboihere said:
@ChromiumOS-Guy , you are great and your script works smoothly.
Just installed LineageOS 20 after having MIUI 13.
Somehow, after flashing, my phone lost the MAC address and bluetooth (IMEIs are fine).
Do you think it can be due to LineageOS or for the flashing process?
Welcome to XDA!
Thanks!,
Never happened to me though; try changing LineageOS to 19, I had only bad things happen with 20 (my own experience though, may not be the same)
if it still doesn't work maybe the firmware you flashed corrupted your nvdata ?
if this is the case you can use SP flash to take a backup of current nvram /nvdata / nvcfg / protect1 / protect2
and try to restore MAC address and bluetooth with SP writer or Modem Meta (don't forget engineering rom)
Sorry for the reply time, I took a break from phone ROMing (working on making custom PCBs)
edit:
Also know that fastbootd (fastboot dynamic) works for flashing dynamic images on phones with fastboot support; this tool is for phones without fastboot, like Samsung with download mode, though it should work all the same, just letting you know (if Samsung does have fastboot then I don't know about it)