Related
EDIT: Fixed! Big thanks to @S0wL , @bkores , @tamahouse02 and @tron1 for the help. I made a guide to help other people with the same problem:
Guide to get TWRP again HERE
Okay, it seems to me that I messed up kinda badly. The phone is fully operational, but after I got to 7.0 the stock recovery replaced good ol' TWRP... which left me with an unlocked bootloader and an useless recovery. I have no root, and that's pretty much the only thing that matters to me. I downloaded @bkores 's Axon7Toolkit but there is NO way to get fastboot on the damned thing. After the program tries to get to bl mode (I assume adb reboot bootloader?) the ZTE logo flashes and the unlocked BL image appears, then the phone starts as normal.
Same thing with the leaked 7.1.1, no difference.
I tried EDL, recovery, that shady factory test mode thing, no one gives fastboot... Any ideas as to why I can't get there??+
I suspect it may be something related to the OEM unlocking option in the dev options, but it is set to ON and greyed out. so no idea
Try the menu on the boot screen.
Choose an username... said:
Okay, it seems to me that I messed up kinda badly. The phone is fully operational, but after I got to 7.0 the stock recovery replaced good ol' TWRP... which left me with an unlocked bootloader and an useless recovery. I have no root, and that's pretty much the only thing that matters to me. I downloaded @bkores 's Axon7Toolkit but there is NO way to get fastboot on the damned thing. After the program tries to get to bl mode (I assume adb reboot bootloader?) the ZTE logo flashes and the unlocked BL image appears, then the phone starts as normal.
Same thing with the leaked 7.1.1, no difference.
I tried EDL, recovery, that shady factory test mode thing, no one gives fastboot... Any ideas as to why I can't get there??+
I suspect it may be something related to the OEM unlocking option in the dev options, but it is set to ON and greyed out. so no idea
Click to expand...
Click to collapse
Sounds like the issue is with the ROM like it is somehow blocking you from accessing bootloader mode. It's definitely not my toolkit.
Choose an username... said:
Okay, it seems to me that I messed up kinda badly. The phone is fully operational, but after I got to 7.0 the stock recovery replaced good ol' TWRP... which left me with an unlocked bootloader and an useless recovery. I have no root, and that's pretty much the only thing that matters to me. I downloaded @bkores 's Axon7Toolkit but there is NO way to get fastboot on the damned thing. After the program tries to get to bl mode (I assume adb reboot bootloader?) the ZTE logo flashes and the unlocked BL image appears, then the phone starts as normal.
Same thing with the leaked 7.1.1, no difference.
I tried EDL, recovery, that shady factory test mode thing, no one gives fastboot... Any ideas as to why I can't get there??+
I suspect it may be something related to the OEM unlocking option in the dev options, but it is set to ON and greyed out. so no idea
Click to expand...
Click to collapse
Feel the same, 7.1.1 stock recovery is evil, it keep coming back after flash twrp. LOL
Here what I didi to get twrp on 7.1.1:
1. Use axon7tool -w recovery (twrp of couse)
2. Watch closely the cmd, when it said "Successful!","Reboot in 5 second" - unplug your phone
3. Use Volume Up + Power to get to recovery (twrp)
4. Mount > Mount System (dont check read only)
5. Flash something - I don't know - But I get the feeling that it stop stock recovery coming back - I personally flash Chinese Modem (because I have to ))
6. Reboot system
@bkores Yeah I'm pretty sure it's not your toolkit since I can't access it even with key comb, adb, option on the unl bl page...
@lafester Nope, tried many times. It just boots to normal whenever I select fastboot
@tamahouse02 Well I believe that should work, but I can't get axon7tool not to crash... I'll keep trying, maybe it's a driver or sth.
Choose an username... said:
@bkores Yeah I'm pretty sure it's not your toolkit since I can't access it even with key comb, adb, option on the unl bl page...
@lafester Nope, tried many times. It just boots to normal whenever I select fastboot
@tamahouse02 Well I believe that should work, but I can't get axon7tool not to crash... I'll keep trying, maybe it's a driver or sth.
Click to expand...
Click to collapse
Have you restart after install zadig driver?
1. From system: adb reboot edl
2. Install zadig driver
3. Hold "Volume Up + Power"
4. Enter system again: adb reboot edl
5. axon7tool -w recovery
tamahouse02 said:
Have you restart after install zadig driver?
1. From system: adb reboot edl
2. Install zadig driver
3. Hold "Volume Up + Power"
4. Enter system again: adb reboot edl
5. axon7tool -w recovery
Click to expand...
Click to collapse
yes, like 4 times already. I even used the stock Qualcomm COM3 drivers... no dice.
the thing is that I had to do the same when I did the stuff on android 6 and it worked after some time. I even wrote the procedure on another thread xd
Choose an username... said:
yes, like 4 times already. I even used the stock Qualcomm COM3 drivers... no dice.
the thing is that I had to do the same when I did the stuff on android 6 and it worked after some time. I even wrote the procedure on another thread xd
Click to expand...
Click to collapse
Not same my axon7tool. I use this https://forum.xda-developers.com/axon-7/development/axon7tool-flash-backup-boot-recovery-t3514254
Bootloader Mode is Disable/strip in G variant, and if this is how ZTE is headed to future updates it seems like U will have a Disable Bootloader Mode as well.
If you guy can rollback to MM , you can Unlock there using @bkores tool.
DrakenFX said:
Bootloader Mode is Disable/strip in G variant, and if this is how ZTE is headed to future updates it seems like U will have a Disable Bootloader Mode as well.
If you guy can rollback to MM , you can Unlock there using @bkores tool.
Click to expand...
Click to collapse
I was thinking about that, but does mifavor let you roll back from an SD update? I'll try later, but i doubt it.
Besides from that is there any way to flash stuff from the stock recovery? It tells me that ZIPs have to be signed only
tamahouse02 said:
Feel the same, 7.1.1 stock recovery is evil, it keep coming back after flash twrp. LOL
Here what I didi to get twrp on 7.1.1:
1. Use axon7tool -w recovery (twrp of couse)
2. Watch closely the cmd, when it said "Successful!","Reboot in 5 second" - unplug your phone
3. Use Volume Up + Power to get to recovery (twrp)
4. Mount > Mount System (dont check read only)
5. Flash something - I don't know - But I get the feeling that it stop stock recovery coming back - I personally flash Chinese Modem (because I have to ))
6. Reboot system
Click to expand...
Click to collapse
In step 1, which TWRP version did you use? The latest 3.1.0.-0 ?
dnlilas said:
In step 1, which TWRP version did you use? The latest 3.1.0.-0 ?
Click to expand...
Click to collapse
Official 3.0.4.1
@tamahouse02
The latest "official" TWRP is at TWRP site https://twrp.me/devices/zteaxon7.html , version 3.1.0-0.
Is there any problem using it instead of the previous "official" 3.0.4.1 ?
Edit: I also read on TWRP site:
"Note many devices will replace your custom recovery automatically during first boot. To prevent this, use Google to find the proper key combo to enter recovery. After typing fastboot reboot, hold the key combo and boot to TWRP. Once TWRP is booted, TWRP will patch the stock ROM to prevent the stock ROM from replacing TWRP. If you don't follow this step, you will have to repeat the install."
This is in sync with your information requiring to reboot immediately to TWRP (step 2 and 3).
dnlilas said:
@tamahouse02
The latest "official" TWRP is at TWRP site https://twrp.me/devices/zteaxon7.html , version 3.1.0-0.
Is there any problem using it instead of the previous "official" 3.0.4.1 ?
Edit: I also read on TWRP site:
"Note many devices will replace your custom recovery automatically during first boot. To prevent this, use Google to find the proper key combo to enter recovery. After typing fastboot reboot, hold the key combo and boot to TWRP. Once TWRP is booted, TWRP will patch the stock ROM to prevent the stock ROM from replacing TWRP. If you don't follow this step, you will have to repeat the install."
This is in sync with your information requiring to reboot immediately to TWRP (step 2 and 3).
Click to expand...
Click to collapse
I use 3.0.4.1 because I flash plenty things before without any issue, so I keep using it.
After write recovery by axon7tool, it's reboot automatically and override the recovery, that why I have to unplug to stop the reboot, and also flash all I can - fortunaeally it also stop recovery be overrided
@tamahouse02 sorry to ask, but is the a7tool of the link a fixed version? how does it differ from the one i have?
I've been in the same situation like you @Choose an username... Updated to nougat on G model and I had not bootloader. This is what I did :
1. Downloaded the tool from here https://forum.xda-developers.com/axon-7/development/tool-axon7toolkit-t3573108
2. Installed the driver using the install driver option that you can choose once you connect you phone to your computer
3. Use the tool to perform the unlock bootloader command again even though you have unlocked it before
4. Use the tool to install twrp, it will boot the phone in twrp
5. Flash Supersu before you boot the system first time after flashing twrp
5. Install whatever version of android want after
@S0wL Funny, I had to use Zadig to make it work. I'll try r n, thx
Choose an username... said:
@S0wL Funny, I had to use Zadig to make it work. I'll try r n, thx
Click to expand...
Click to collapse
Use Zadig then and let me know if it worked
@S0wL I can't use bootloader unlock on it, says "This option does not support your device!"
How did you do this??
Choose an username... said:
@tamahouse02 sorry to ask, but is the a7tool of the link a fixed version? how does it differ from the one i have?
Click to expand...
Click to collapse
I try your version once, but it seems not work for me, so I keep using the old one.
---------- Post added at 03:42 AM ---------- Previous post was at 03:39 AM ----------
Choose an username... said:
@S0wL I can't use bootloader unlock on it, says "This option does not support your device!"
How did you do this??
Click to expand...
Click to collapse
I thought you had already unlocked bootloader? Why have you done it twice?
Hey guys, so, I bought a used V20 US Cellular US996 and it was already rooted (superSU 2.76 installed and working fine). When I try to boot into recovery (using Simple Recovery app), it reboots then I get a screen of static. Now, which guide do I follow to install TWRP or does my phone already have TWRP but I need to do something else to get into recovery? Thx
It may or may not have TWRP. You are getting static because an engineering bootloader had to be used to root your phone.
Easy way to tell is to boot into recovery, and then plug your phone into you PC and run adb devices. If you have TWRP, then it will show your device id and the fact that it is in recovery, like so:
Code:
adb devices
LGUS996cee1f168 recovery
Either way, TWRP isn't much good if you can't see the screen, so you need to flash a version that has a kernel for your phone: link
Download that, and flash it from fastboot:
* adb reboot bootloader (or with the phone off, hold vol DOWN and plug in the USB cable)
* fastboot flash recovery twrp-3.0.2-1-us996.img
* fastboot reboot
You should then have a TWRP that you can use.
-- Brian
runningnak3d said:
It may or may not have TWRP. You are getting static because an engineering bootloader had to be used to root your phone.
Easy way to tell is to boot into recovery, and then plug your phone into you PC and run adb devices. If you have TWRP, then it will show your device id and the fact that it is in recovery, like so:
Code:
adb devices
LGUS996cee1f168 recovery
Either way, TWRP isn't much good if you can't see the screen, so you need to flash a version that has a kernel for your phone: link
Download that, and flash it from fastboot:
* adb reboot bootloader (or with the phone off, hold vol DOWN and plug in the USB cable)
* fastboot flash recovery twrp-3.0.2-1-us996.img
* fastboot reboot
You should then have a TWRP that you can use.
-- Brian
Click to expand...
Click to collapse
Hey Brian, thanks for the great instructions.
When I boot to recovery and get the static screen, I can't communicate with adb. adb devices will simply run and terminate. When it's in the OS, it'll say:
Code:
C:\Program Files (x86)\Minimal ADB and Fastboot>adb devices
List of devices attached
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
LGUS9961bcda6c4 device
The link to the TWRP says US996, but just wanted to confirm it's also good for the US CELLULAR carrier version, not the unlocked?
I'm super scared it'll brick something flashing the wrong recovery.
It is good for both. As for you bricking your phone, no, there is no risk at all. There is also no risk of you losing root. The worst that would happen is that you still don't have recovery -- and I lean on the cautious side when I advise someone as to what is safe and not safe
-- Brian
runningnak3d said:
It is good for both. As for you bricking your phone, no, there is no risk at all. There is also no risk of you losing root. The worst that would happen is that you still don't have recovery -- and I lean on the cautious side when I advise someone as to what is safe and not safe
-- Brian
Click to expand...
Click to collapse
Nice, got into TWRP
Making a backup of everything now so I can try to remove supersu and move to magisk... any known issues with Magisk on the US996?
Or try another ROM debloated stock rom (want to keep the camera/2nd screen for a while).
Thanks again!
No issues with Magisk and the US996.
As for ROMs, you can use any ROM that says it is for the US996 -- doesn't matter if it is USC or unlocked. Firmware on the other hand, you should stick to USC firmware. I don't own a US996, so don't quote me on this, but I believe there is some signal issue if you cross flash firmware between the USC and unlocked versions.
Just to be safe, you should download the patched LG UP and use the DUMP option (select all and then uncheck userdata or you will be wasting 60+ gigs of space) to backup everything from your phone (that backs up literally everything on your phone that TWRP or other backup apps can't -- or don't backup), that way if you do make a mistake, you have the ability to completely restore your phone.
-- Brian
runningnak3d said:
No issues with Magisk and the US996.
As for ROMs, you can use any ROM that says it is for the US996 -- doesn't matter if it is USC or unlocked. Firmware on the other hand, you should stick to USC firmware. I don't own a US996, so don't quote me on this, but I believe there is some signal issue if you cross flash firmware between the USC and unlocked versions.
Just to be safe, you should download the patched LG UP and use the DUMP option (select all and then uncheck userdata or you will be wasting 60+ gigs of space) to backup everything from your phone (that backs up literally everything on your phone that TWRP or other backup apps can't -- or don't backup), that way if you do make a mistake, you have the ability to completely restore your phone.
-- Brian
Click to expand...
Click to collapse
Do you mean the LGUP from this site? I've seen this reference in the dirtysanta and some other threads:
http://downloads.codefi.re/autoprime/LG/Flash_Tools/LGUP/
Do I use the LGUP storeframe or Uppercut to dump?
No. LG UP from this thread. It is patched to add additional features.
-- Brian
runningnak3d said:
No. LG UP from this thread. It is patched to add additional features.
-- Brian
Click to expand...
Click to collapse
Doing the dump now, but the weird thing is after it reboots, it goes into the static screen again. I'll test after to see if TWRP is still there or not, but not sure why it's in this mode.
Recovery (stock or TWRP), Download mode (LAF), and boot are all just Linux kernels with an initrd. You are getting static in download mode, because the kernel that download mode uses is relying on aboot for screen init information. That was the case for you with the stock recovery as well. The laf partition is just an Android boot image. If it really bothered you, you could replace the kernel in the laf image and reflash it, but there really isn't anything to see on the firmware update screen, and it works fine.
-- Brian
At the request from @dimm0k
I've made kernels for the 996 unlocked and locked variants here.
Untested.
runningnak3d said:
No. LG UP from this thread. It is patched to add additional features.
-- Brian
Click to expand...
Click to collapse
Wow, the tool makes a full byte for byte dump of all the partitions. I deleted the userdata partition since it's like 50GB. Deleted cache too.
Using this patched LGUP, I can restore partitions so they're in the exact state of the dump? If I don't restore userdata, will it still work?
strifej said:
Using this patched LGUP, I can restore partitions so they're in the exact state of the dump?
Click to expand...
Click to collapse
Nope, can't restore with LGUP yet. @runningnak3d has been trying to crack it but no luck so far.
So you would need root/twrp to restore those.
I think I messed up my PH-1 something royally.
All I was trying to do is unlock my bootloader and load Magisk.
To preface this, my PH-1 seemed to act a little wonky from the get-go. I bought it 3rd person from a guy on craigslist so anything warranty involved I think I'm out of luck.
The phone would take a while to power on, it took something like 10secs on the power button just to turn it on. And if I set it to reboot , it boots into the bootloader. Also, I was never able to access the recovery (even using power + up). It always felt like I had to hold the buttons for way to long to get to its destination; e.g. up and power to get into fastboot.
Ok where I'm at now. In can occasionally get into fastboot mostly after it bootlooping a few times. It won't get past the Essential logo if I try to boot it up.
PS I was able to unlock the bootloader.
Steps I took to remedy this:
> erase all user data in fastboot
> hold power + u + d to hard power off
> follow this guide https://forum.xda-developers.com/essential-phone/how-to/guide-rooting-essential-ph-1-magisk-t3701976
> attempt to install stock system image via flash-all
>a ton other
Here are the results of that.
https://imgur.com/a/iVwwS
Help me guys please. :crying:
A little progress, I was unable to unlock_critical but its still hanging here
https://imgur.com/a/IdZum
jAm-0 said:
I think I messed up my PH-1 something royally.
All I was trying to do is unlock my bootloader and load Magisk.
To preface this, my PH-1 seemed to act a little wonky from the get-go. I bought it 3rd person from a guy on craigslist so anything warranty involved I think I'm out of luck.
The phone would take a while to power on, it took something like 10secs on the power button just to turn it on. And if I set it to reboot , it boots into the bootloader. Also, I was never able to access the recovery (even using power + up). It always felt like I had to hold the buttons for way to long to get to its destination; e.g. up and power to get into fastboot.
Ok where I'm at now. In can occasionally get into fastboot mostly after it bootlooping a few times. It won't get past the Essential logo if I try to boot it up.
PS I was able to unlock the bootloader.
Steps I took to remedy this:
> erase all user data in fastboot
> hold power + u + d to hard power off
> follow this guide https://forum.xda-developers.com/essential-phone/how-to/guide-rooting-essential-ph-1-magisk-t3701976
> attempt to install stock system image via flash-all
>a ton other
Here are the results of that.
https://imgur.com/a/iVwwS
Help me guys please. :crying:
Click to expand...
Click to collapse
read through this and follow the steps should be good to go.
https://forum.xda-developers.com/essential-phone/development/stock-7-1-1-nmj20d-t3701681
This is also very helpful
https://mata.readthedocs.io/en/latest/
That's the exact process I was going through, and it finally booted up.
The issue I was having was a bad usb connection which wouldn't allow me to unlock_critical.
SOLVED. Still no Magisk, we'll worry about that another time. 5hrs of troubleshooting is enough for one night.
https://imgur.com/a/ZiBzp
SO close to getting Magisk to install, any reason the refuses to flash the boot partition? I used the stock boot.img and had Magisk patch it before I flashed
SO close to getting Magisk to install, any reason the refuses to flash the boot partition? I used the stock boot.img and had Magisk patch it before I flashed
jAm-0 said:
SO close to getting Magisk to install, any reason the refuses to flash the boot partition? I used the stock boot.img and had Magisk patch it before I flashed
Click to expand...
Click to collapse
You have to flash magisk in twrp recovery NOT bootloader mode.
It's right in the OP from the rooting guide you followed:
Do not set up a password if you are on 8.1 twrp doesn't work.
You need to read through that rooting guide and make sure you know what you're doing before you try.
This phone is easy to hard brick and there is no solution to recover from that.
OREO 8.0/8.1
REQUIREMENTS:
An unlocked bootloader.
A working ADB/Fastboot environment on your computer. Knowledge on how ADB and Fastboot works is also preferred.
The stock boot image for whatever build you're running/trying to root.
The latest TWRP build for our device.
If on 8.1, remove your pin/pattern/passcode until the root process is done.
1. Download both the stock boot image for whatever build you're running and the Magisk or SuperSU zip. Transfer both files to your device's internal storage.
2. Reboot your phone into the bootloader, then open up your command prompt or terminal and flash the latest TWRP build for the device using:
Code:
fastboot flash boot twrp.img
3. Once TWRP has finished flashing, reboot into your recovery. When prompted, enter your pattern/passcode/password to decrypt your data in order to gain access to your internal storage.
4. Once you're in TWRP, install the stock boot image and then the Magisk/SuperSU zip.
5. Whenever Magisk/SuperSU finishes installing, simply reboot your device! You should now be rooted.
*NOTE: TWRP will NOT remain installed on your device.
wolfu11 said:
You have to flash magisk in twrp recovery NOT bootloader mode.
It's right in the OP from the rooting guide you followed:
Do not set up a password if you are on 8.1 twrp doesn't work.
You need to read through that rooting guide and make sure you know what you're doing before you try.
This phone is easy to hard brick and there is no solution to recover from that.
OREO 8.0/8.1
REQUIREMENTS:
An unlocked bootloader.
A working ADB/Fastboot environment on your computer. Knowledge on how ADB and Fastboot works is also preferred.
The stock boot image for whatever build you're running/trying to root.
The latest TWRP build for our device.
If on 8.1, remove your pin/pattern/passcode until the root process is done.
1. Download both the stock boot image for whatever build you're running and the Magisk or SuperSU zip. Transfer both files to your device's internal storage.
2. Reboot your phone into the bootloader, then open up your command prompt or terminal and flash the latest TWRP build for the device using:
Code:
fastboot flash boot twrp.img
3. Once TWRP has finished flashing, reboot into your recovery. When prompted, enter your pattern/passcode/password to decrypt your data in order to gain access to your internal storage.
4. Once you're in TWRP, install the stock boot image and then the Magisk/SuperSU zip.
5. Whenever Magisk/SuperSU finishes installing, simply reboot your device! You should now be rooted.
*NOTE: TWRP will NOT remain installed on your device.
Click to expand...
Click to collapse
I realize all that, the issue is I cannot access any sort of recovery because I think my bootloader is defective.
For example from a cold restart if I press the power button for say 3 -5 seconds it wont boot, just boot to the Essential logo and loop. To get the phone to boot I have to hold the power down for 15-20 seconds while it bootloops a couple times then it'll boot.
Is there a possible way to reflash the bootloader software if it is defective? It's unlocked btw
There is a way to install magisk via fastboot with a patched_boot img which I'm working on. Cant seem to find the right boot img to patch for 8.1
PS Is it possible to flash .zips through fastboot? e.g. custom roms etc
Was finally able to get into recovery, so all is well. Thanks for the help yall
OP, what was your process to successfully get into recovery and fix your problems?
It may help others sometime?
gimpy1 said:
OP, what was your process to successfully get into recovery and fix your problems?
It may help others sometime?
Click to expand...
Click to collapse
It's really hard to say, my phone has a serious problem with it. sometimes I cant get it to boot, it will boot into the bootloader over and over and over. I've managed to get Lineage 15.1 on if for a bit until I tried to get back into the recovery which sent it manic.
I just got lucky I was able to get into TWRP and flash lineage.
my first issue not being able to flash the stock image via fastboot because I didn't unlock_critical which can sometimes fail when the usb connection is bad.
Currently flashing stock again if my phone will boot up. I'm not sure whats wrong with my bootloader but its causing a ton of havoc
My essential phone stuck in boot logo,bootloader work but recovery doesn´t work
Bootloader locked.
Oem unlocking disable.
Usb debugging disable.
How to flash stock recovery or twrp on bootloader locked ? please
Thank you!
katastyle971 said:
My essential phone stuck in boot logo,bootloader work but recovery doesn´t work
Bootloader locked.
Oem unlocking disable.
Usb debugging disable.
How to flash stock recovery or twrp on bootloader locked ? please
Thank you!
Click to expand...
Click to collapse
Same boat for me - just keep rebooting to show Powered by Android Screen and then reboot again and again. Was able to see my device using fastboot devices command but all attempts to access recory just repeat the bootloop entry. I would happily check the OEM UNLOCK option in dev settings but can't even get it to book to any OS to make that option happen. Still shows bootloader locked on bootloader screen - any help someone can suggest?
I had this problem tonight also. In my case I suspect it had to do with the install of magisk in which I checked both boxes and patched the bootloader. on reboot I was stuck on boot. Just wanted to add my solution. I got the pie back to stock zip here https://forum.xda-developers.com/essential-phone/development/stock-7-1-1-nmj20d-t3701681 then I put it into the adb folder and ran the flashall.bat script. I tried the no wipe one and it saved my information. very happy I didnt have to resetup my phone in the end.
katastyle971 said:
My essential phone stuck in boot logo,bootloader work but recovery doesn´t work
Bootloader locked.
Oem unlocking disable.
Usb debugging disable.
How to flash stock recovery or twrp on bootloader locked ? please
Thank you!
Click to expand...
Click to collapse
I am in the same boat. I tried to re-install the OS, but because my USB debugging was not enabled, Fastboot worked but ADB would not and since I basically wiped the recovery area, my phone will only boot into Fastboot but will not allow any loading of recovery. I would pay for someone to help. This is so hard to figure out. I have contacted Essential but since my phone is over 12 months old, the warranty has expired.
Help please. It seems like such a waste to have a bricked phone.
WARNING
DO NOT LET YOUR PHONE REBOOT, OR POWER OFF UNTIL I TELL YOU THAT IS WHAT YOU NEED TO DO.
If you do, I am not sure what shape your phone will be in.
This should go without saying, but you MUST have your bootloader unlocked (check OEM UNLOCK in developer options AND fastboot oem unlock). If you don't, you will probably brick your phone.
If you use this on any model G6 besides the H872, you will be stuck in a bootloop, and you will not be able to fix it since you will have wiped out download mode!
This is safe if no mistakes are made (typos, missing a step, etc). However, if you do mess up, the risk is high that you lose download mode at best, or brick your phone at worst.
If you deviate from this procedure, and think: "I can just skip a step, or I can do this on my own Linux install". Don't complain if you brick your phone.
PREREQUISITES:
You must have a version of laf that has the COPY opcode.
Since none of the firmware available for the H872 has the COPY opcode, we have to use the H918 laf partition.
Grab the H918 10p KDZ: link to 10p KDZ
You need to be on 11g or above. Be aware, once you are on 11g+ you cannot downgrade to any versions prior to 11g due to anti-rollback.
You will need a copy of the KDZ that your phone is on. If you are not currently on 11g, upgrade before continuing.
For 11g : Link to 11g KDZ
For 11h : Link to 11h KDZ
For 20a : Link to 20a KDZ
We are going to flash this using the patched LG UP. There may be one that was patched specifically for the G6 -- don't use it,
it has NOT been tested. Grab the one for the V20: link
It MUST be installed in: Crogram Files (x86)LG ElectronicsLGUP
You can't just unzip it anywhere and run it, it will not find the model file.
You need the H872 Unofficial 3.2.3 TWRP by @Eliminator74. 3.2.3 is included in the repo so that you know that you have the exact version.
If you decide to use any other version, you will brick your phone because the commands below are for this exact version!
You need to grab FWUL (version 2.7 or later) and burn it to a USB stick: link
Even if you have Linux, and you think you can install the dependencies, don't. I know this works from FWUL.
If you are rooting on 20a, you will need a Micro-SD card. Copy the TWRP 3.2.3 image and the latest Magisk zip to the SD card.
WARNING: Only applies if rooting while on 20a
Minor Encryption-related issues have occurred while testing 20a. If your data partition is encrypted, TWRP will NOT be able to decrypt it. Because of this, you will have to perform a wipe and format of your Data partition. Be sure to backup all data on your device prior to continuing by copying important files to an external SD card or using LG Mobile Switch to back it up.
PROCEDURE PART 1: Getting a working LAF onto your phone
By far this is the most dangerous part of this procedure.
Boot to download mode
In LG UP, choose partition DL.
Pick the H918 10p KDZ
Click start / ok
When you will be given a list of partitions to flash, only check laf
Click start / ok
You will get a warning about additional modified partitions -- ignore it, and click OK.
As a safety feature, LG UP will start flashing those modified partitions after laf completes flashing.
After the flash is initiated, pay close attention to the "step" and as soon as it changes from laf to another partition, PULL THE USB CABLE!
If you let it completely flash the H918 KDZ, your phone WILL reboot, and you WILL have a brick that can't be fixed.
You need to pay attention, but you also don't need to be sitting on pins and needles. You have quite a bit of time to pull the cable since system is one of the partitions that is flashed
Click OK and it will start flashing.
Once laf is flashed, and you have pulled the USB cable, you can click exit, and then re-open LG UP.
Choose partition DL again, and this time pick the H872 KDZ for the version your phone was on prior to flashing 10p (11g, 11h, or 20a)
Select all partitions except laf. If you forget to uncheck laf, you will have to do this all over again.
When it completes, it will reboot your phone.
Go back into download mode. This time you will be running the H918 laf, and we can continue with PART 2
PROCEDURE PART 2: Installing TWRP
Boot from your FWUL USB stick.
Put your phone into download mode. With the phone powered off, hold vol up and plug in the USB cable. You do not need to touch the power button -- the phone will power on and enter download mode.
This will NOT look like normal download mode on the phone. All you will get is small box that says: "Download mode" -- this is normal. You will also not have ANY indication on the PHONE that it is being flashed.
Once booted, login. The password is: linux
Double click the LG folder that is on the desktop
Double click on LG LAF (runningnak3d) icon and you will be at a terminal prompt.
The following are the commands that you enter into that terminal. You can copy / paste them if you like.
Code:
git pull
git checkout h872-miscwrte
./step1.sh
When you are told to, pull the USB cable, and the phone will power off. You now have TWRP on your laf partition. At this point you can flash a ROM, or Magisk or whatever you like, but I would suggest
at least flashing TWRP to the recovery partition. There is no button combination to get into laf (download mode), so if you only have TWRP on laf, then you will need a USB cable to get into recovery.
OPTIONAL:
If you don't know what to do with TWRP, and you just want to run rooted stock 11g, 11h or 20a, this is for you....
First boot into TWRP - with the phone off, hold vol up and plug in the USB cable.
PROCEDURE PART 3: Rooting and cleanup
Now that you are in TWRP:
Nougat (11g, 11h Users)
./step2.sh
If you ran step2.sh you have TWRP on laf, and recovery, and you are rooted. If you only ran step1.sh, then you have TWRP on laf. Either way, enjoy!
Oreo (20a) Users
Once in TWRP, click the “Wipe” button.
Choose Advanced Wipe and select the Dalvik, Data and Cache options and Wipe. Do not reboot the phone.
Go back to the main menu or main wipe screen
Select “Format Data” and complete the format.
Go back to the main menu and choose Install, and then Install Image.
Flash the TWRP 3.2.3 image from external_sd to the RECOVERY partition. DO NOT Reboot to System.
Go back to the main screen and attempt to reboot to Recovery.
If you are able to reboot to recovery without any issues, you should now Install the Magisk zip from external_sd.
After flashing Magisk, you may now reboot to system and Oreo should boot to the initial Android Setup screen.
After booting to Oreo, make sure you enable installations from Unknown Sources in your Android Settings and install the latest Magisk Manager.
If Oreo boots to an "Encryption Unsuccessful" screen, you will need to format the Data partition again. Tap the reset button and it should boot to Recovery. Perform another wipe of cache/data/dalvik and go back to the Wipe screen and Format Data. Reboot system and you should boot to Oreo Normally.
To Restore Download Mode
20a - Flash @Eliminator74's Bootstock with LAF image using TWRP
11g - Flash @weakNPCdotCom's StockLAF image using TWRP
CREDITS:
@KAsp3rd -- he risked his phone to make this happen. There were no guarantees that the H918 laf would boot and function.
Lekensteyn -- His base work on the G2 / G3 gave me a GREAT headstart!
@steadfasterX - He added some real nice features, great guy to bounce ideas off, and just testing crazy ideas because he wasn't afraid to brick his phone Also, for FWUL
tuxuser - Helping with my lacking in Python
@smitel - His original reverse engineering of LG UP. Great inspiration!
@weakNPCdotCom - Testing/Help with H87220a (Oreo)
-- Brian
XDA:DevDB Information
lafsploit - H872, Tool/Utility for the T-Mobile LG G6
Contributors
runningnak3d, KAsp3rd, weakNPCdotCom
Source Code: http://gitlab.com/runningnak3d/lglaf
Version Information
Status: Testing
Created 2018-04-09
Last Updated 2018-10-09
You ARE the man!
Good job, I'm certainly tempted to try, but have never done such kind of procedure to get root and I started flashing and rooting some time ago but everything was easier back then, I'll probably wait a bit, what's a week or two when I got the phone May last year.
Enjoy your time off. You really deserve it.
From a SM-960U that thinks is a SM-960U1...
Sent from my SM-G960U1 using Tapatalk
brick to me i didn't pull out the cable during laf partition...im on qualcomm 9008 no way to come out
Just curious, did you somehow overlook that step, or were you not looking and missed it?
-- Brian
runningnak3d said:
Just curious, did you somehow overlook that step, or were you not looking and missed it?
-- Brian
Click to expand...
Click to collapse
I feel like he just wants a way or a tool to unbrick Qualcomm 9008 models. Looking at his name and post on other thread. I might be wrong tho.
Amazing job btw. Much respect for you sir !!
pantmunu said:
I feel like he just wants a way or a tool to unbrick Qualcomm 9008 models. Looking at his name and post on other thread. I might be wrong tho.
Amazing job btw. Much respect for you sir !!
Click to expand...
Click to collapse
it my fall, when i start to do laf partion i didn't see when come out laf partition, so i let the program do his job after i see that it come to system write and i understand that it was there that i will pull the cable out, btw i will wait some good person will found solution for the qualcomm 9008 problem..they made a lot of good job..and of course is my mistake...if someone know how to come out from this problem i will be grated for all life..for the moment i will wait..or i found someone can unlock for a good price i will pay him and do the job...
The only fix for 9008 mode on UFS devices (which the G6 is) is a firehose programmer and QFIL. It is no longer possible to boot from an SD card. AFAIK, there is no signed (yes it MUST be signed) firehose for the H872.
Your only options are T-Mobile or LG warranty, or pay to have it repaired if it isn't under warranty. You could also swap the board with an H872 that has a cracked screen, but getting the thing apart looks like a real PITA.
-- Brian
runningnak3d said:
The only fix for 9008 mode on UFS devices (which the G6 is) is a firehose programmer and QFIL. It is no longer possible to boot from an SD card. AFAIK, there is no signed (yes it MUST be signed) firehose for the H872.
Your only options are T-Mobile or LG warranty, or pay to have it repaired if it isn't under warranty. You could also swap the board with an H872 that has a cracked screen, but getting the thing apart looks like a real PITA.
-- Brian
Click to expand...
Click to collapse
did you think in the future will come out a firehose file the lg g6? very thanks for your unswer and help, and very good job, i admire this talent people
Done!!! Where's your PayPal brother? I need to give you my pledge, thanks so much for opening the doors for this device's development. Can't thank you enough really...
Glad you came through it without issue.
Just click on the Donate to Me button -- tis linked to my PayPal.
Thanks,
-- Brian
Guys i found this on the web... maybe for the profesional user this can be a way to unbrick lg g6 with hard brick like mine https://www.androidbrick.com/download/download-latest-2018-qualcomm-flasher-qfil-qpst-2-7-472/
i try to use it and i didn't understand nothing..but my mobile it see as download mode
Thanks for putting this together, runningnak3d!
So, reading through the tutorial, you say this towards the end, after doing the cleanup steps:
Now you have TWRP on laf, and recovery, and you are rooted.
Click to expand...
Click to collapse
So... does that mean attempting to boot into LAF will always put you into TWRP? If yes... is there any way to get the original LAF partition back, while keeping TWRP in recovery?
Denversmartphone said:
Guys i found this on the web... maybe for the profesional user this can be a way to unbrick lg g6 with hard brick like mine https://www.androidbrick.com/download/download-latest-2018-qualcomm-flasher-qfil-qpst-2-7-472/
i try to use it and i didn't understand nothing..but my mobile it see as download mode
Click to expand...
Click to collapse
It's for Huawei.
Sent from my SM-G960U1 using Tapatalk
hendusoone said:
Thanks for putting this together, runningnak3d!
So, reading through the tutorial, you say this towards the end, after doing the cleanup steps:
So... does that mean attempting to boot into LAF will always put you into TWRP? If yes... is there any way to get the original LAF partition back, while keeping TWRP in recovery?
Click to expand...
Click to collapse
Yes, you can extract it from the 11g KDZ and flash it, but why? There will never be a situation where you would want laf over TWRP.
-- Brian
runningnak3d said:
Yes, you can extract it from the 11g KDZ and flash it, but why? There will never be a situation where you would want laf over TWRP.
-- Brian
Click to expand...
Click to collapse
My main reason is to maintain multiple methods of recovery. With a working LAF, you can flash a KDZ to get back to a working phone (even though it would need to be re-rooted). With TWRP in the LAF partition, if for some reason both instances of TWRP failed, that is no longer possible.
If something stopped TWRP from booting on laf, then laf wouldn't boot on laf either. They are both just kernel / initrd boot images.
Do what you want, but trust me, you are a lot safer with two copies of TWRP.
-- Brian
runningnak3d said:
If something stopped TWRP from booting on laf, then laf wouldn't boot on laf either. They are both just kernel / initrd boot images.
Do what you want, but trust me, you are a lot safer with two copies of TWRP.
-- Brian
Click to expand...
Click to collapse
Generally, I'd agree. Having redundant TWRP recoveries is probably better.
But it is nice that we can restore LAF on the off chance we want to restore the phone to default via KDZ. Perhaps to sell it or such.
---
Anyway, thanks for all the great work! I'll probably give it a whirl in a few days. Hopefully, this will spur some ROM development for the H872.
I made it all the way through to mounting system with read/write, twrp console just complains that it failed to mount /system with "device or resource busy". I haven't attempted to boot into recovery again since booting into system but twrp is definitely on laf still. I did try booting from laf twrp to recovery twrp before booting to system and it didn't have permissions either.
Installing Magisk doesn't give me root as it spits an error can't write to /system.
I truly never thought I'd ever see TWRP on this device, this is incredible.
slayer3032 said:
I made it all the way through to mounting system with read/write, twrp console just complains that it failed to mount /system with "device or resource busy". I haven't attempted to boot into recovery again since booting into system but twrp is definitely on laf still. I did try booting from laf twrp to recovery twrp before booting to system and it didn't have permissions either.
Installing Magisk doesn't give me root as it spits an error can't write to /system.
I truly never thought I'd ever see TWRP on this device, this is incredible.
Click to expand...
Click to collapse
U can mount /system. If u still have twrp on the laf partition all u have to do is reboot twice back into twrp then go to mounts and check system, clear cache then flash the magisk zip. But one thing o truly hate about magisk is my frequencies don't stick on kernel apps so I flashed regular su and right now everything is running amazing.
---------- Post added at 02:04 PM ---------- Previous post was at 01:42 PM ----------
Also if anyone has got a bootloop after flashing something I found out that the phone reboots when you are restoring backup. To fix this flash recovery system and boot from the backup but u have to keep tapping on the screen so it dont timeout and restore wrong.
Think I will wait till next week I'm just happy you got this far
TWRP Custom Recovery for the Onn Android Tablet series
This is the first fully-featured custom recovery for Walmart's MediaTek-based Onn tablets: ONA19TB002, ONA19TB003 and ONA19TB007. TWRP needs no introduction. If you have come here, you probably have some idea of what it is and what it's used for. This TWRP build does not need the bootloader unlocked or VBMeta verification disabled, although it's recommended that you at least unlock the bootloader.
DISCLAIMER
Everything described in this thread is done at your own risk. No one else will be responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.
FEATURES
Decrypted data partition
All USB modes functional: MTP, ADB, Mass Storage, OTG, Charging
Fast boot time
Adoptable storage mounting
Firmware image backup and restore
Works under locked bootloader
Android 9 build fits within the 16MB recovery partition -- no compromises or partition resizing necessary
INSTALLATION METHOD 1
Download the recovery to your PC and unzip the image
Unlock the bootloader (skip if you have already done this)
Enable OEM Unlock in Developer Options in Android Settings
Boot into fastboot mode either by holding vol. up+power to power it on and selecting "Fastboot mode", or by running the 'adb reboot bootloader' command from within Android.
Install fastboot and appropriate drivers on your PC if you have not set those up
Unlock the bootloader with the command
Code:
fastboot flashing unlock
...and follow the instructions on the screen. This will wipe your data.
Flash the custom recovery with
Code:
fastboot flash recovery twrp-3.3.1-ONA19TB002.img
(use the right file name path for your device)
Reboot to recovery with
Code:
fastboot oem reboot-recovery
INSTALLATION METHOD 2
This assumes you are familiar with SP Flash Tool or can figure it out on your own
Download the recovery to your PC and unzip the image
Get the appropriate scatter file for your device. The scatter file may be found in the device's firmware under /system/data/misc.
Set up SPFT Download tab as Download Only. Load your scatter file.
Under the recovery line, double-click Location and open your TWRP image.
Click Download and connect your powered-off tablet to your PC. SPFT will automatically flash the recovery to the emmc and disconnect when finished.
INSTALLATION METHOD 3
Head over to Amazing Temp Root for MediaTek ARMv8, read the requirements and directions, and grab the latest mtk-su.
Open a root shell with mtk-su
Flash the (unzipped) recovery with the command:
Code:
dd bs=1048576 if=twrp-3.3.1-0-ONA19TB002.img of=/dev/block/by-name/recovery
(replace the if= file name with your appropriate recovery image path)
Exit root shell
START RECOVERY
Three methods:
On a powered off tablet, hold Vol. up+power for about 3 seconds. In the menu that appears, select "Recovery mode"
With Android ADB, use the command 'adb reboot recovery'
From Android root shell, use the command 'reboot recovery' or just use any root app with OS reboot features
NOTES
Kind of important: Make a backup of your Crypto Footer as soon as you can. This is the encryption key to your data partition. When accessed from TWRP, this key can get "upgraded" so that you will get locked out of Android. TWRP uses a hacky workaround that saves and restores the original footer on every /data decrypt. But that method is not what I would call 100% reliable.
Make sure you have a backup of the untouched stock system and vendor images. There are no official firmware packages available to download.
Only mount system/vendor partitions in read/write mode if you have unlocked the bootloader. It is recommended to choose to leave system read-only at the startup prompt unless you have a specific reason to modify it. If the bootloader is locked, then dm-verity is enforced.* So merely mounting it once in r/w will cause a boot loop.
It's currently not possible to install incremental OTA updates using this TWRP. Use the stock recovery to update the FW. That will only work if you have never mounted system/vendor in write mode.
DOWNLOAD (Nov. 30, 2019)
Current version: 3.3.1-1
ONA19TB002 - Onn 8" model
ONA19TB003 - Onn 10.1" model
ONA19TB007 - Onn 10.1" w/keyboard model
Source code
ONA19TB002 | ONA19TB003 | ONA19TB007
ACKNOWLEDGEMENTS
The team behind TWRP & OmniROM
@tek3195 for testing and feedback on the 8" model
Please post feedback since these are still pretty new and not exhaustively tested. Let me know if I should port it to other models in the series.
Reserved also
grabbing this one too cuz why not
Very nice! I'll download and test the 003 one soon.
I also have a 007 model to experiment with.
I tried about a dozen times to build TWRP and failed miserably LOL. Closest I got was one that would boot but the rotation was all messed up, USB wouldn't work, didn't mount some partitions... Yeah, it was a hot mess.
Do you happen to have sources available?
Hi @NFSP G35,
I'll have the source code soon. Most of the tricks involved patching bootable/recovery. So I need to commit those changes and include the proper patch set from my tree....
Amazing!! Gonna install and test 8" right now.
Has anyone tried a GSI on these tablets yet?
MishaalRahman said:
Has anyone tried a GSI on these tablets yet?
Click to expand...
Click to collapse
I do know @tek3195 , the Onn 8 thread starter, has tried many of them as well as others here, somewhere on that thread he listed his tests and opinion of several of them.
I'm pretty sure others on that thread have also tried GSI's.
MishaalRahman said:
Has anyone tried a GSI on these tablets yet?
Click to expand...
Click to collapse
I did try both Phhuson vanilla and also Liquid Remix (I'm keeping this one for now). I didn't flash them through twrp, but using fastboot via bootloader.
WoW! AwEsOmE! I cannot wait to try this! THANK YOU!!!!!!
Hey,
This is a neat thing to see for the Onn tablets. I have a question though. I own a device based on the mt8163, and am trying to help people with another device I don't own (the powkiddy x18 which also uses the mt8163). One of the things I wanted to do was to make a custom rom for the x18, since it's stock firmware is horrible. And of course, one of the first steps to custom roms is twrp. So I have a question for you that I hope you can answer for me. How did you make this build of twrp? I have seen no device trees for this device so I was kinda curious. If you can help me in any way, I'd be so grateful, and I'm sure the other people with the x18 would be grateful for help.
@diplomatic
Is there a different procedure for installing TWRP on a locked bootloader?
I can confirm that using SP Flash to load your TWRP.img will produce a bootloop when installing to a device with the BL locked. Reflashing the original recovery.img makes the problem go away. You mentioned in the OP that this TWRP will work on a locked BL so I thought I would share my case study with you in following the procedure you defined.
MY SINCERE GRATITUDE FOR YOUR EFFORTS IN PORTING THIS TO THE ONN!
You're welcome, @Spatry.... Can you describe how you ended up with a locked BL? Was it unlocked before? Have you ever tweaked vbmeta? Also, when you say bootloop, do you mean for Android or just for recovery? I'm not going to insist that it works under locked BL. I tested it once and it did boot up...
diplomatic said:
You're welcome, @Spatry.... Can you describe how you ended up with a locked BL? Was it unlocked before? Have you ever tweaked vbmeta? Also, when you say bootloop, do you mean for Android or just for recovery? I'm not going to insist that it works under locked BL. I tested it once and it did boot up...
Click to expand...
Click to collapse
Presently, I am running stock with Magisk patched BOOT on locked bootloader, stock vbmeta. The boot loop was at the ONN Android screen, I could not get it to even boot into recovery.
At one time I did run with the bootloader unlocked (with --disable-verification on stock vbmeta) and I ran Phusson's AOSP, Liquid Remix and Bliss. I found there was no benefit to me in running the other mods so I reverted back to stock courtesy of @CaffeinePizza and the bootloader re-locked to get rid of that annoying 5 second orange state.
In each instance, I always used SP Flash tools to load all .img files. I only used fastboot to install magisk_patched.img onto the stock installation. Unlocking the bootloader erases all data and I did not feel like reinstalling everything again, so I figured I would try to install TWRP per your instruction to see if it would work while the BL was still locked... Restoring the original recovery got rid of the bootloop. I do want to try your TWRP so I will try it with BL unlocked when I get some free time to do so.
Spatry said:
Presently, I am running stock with Magisk patched BOOT on locked bootloader, stock vbmeta. The boot loop was at the ONN Android screen, I could not get it to even boot into recovery.
Click to expand...
Click to collapse
This sounds like you might have flashed a wrong/corrupt image to recovery. It may have to do with AVB checks rather than bootloader lock. But those conditions might be interdependent somehow so I can't tell you for sure. The fact that you are able to boot a patched image on a locked BL says it doesn't care too much about verification. I can tell you for sure that any recovery image must have avb metadata, not necessarily the required hash, for both Android and recovery to boot. Can you try to unzip the image file and flash it over again?
Hmm, the situation with the bootloader lock sounds eerily similar to the Nabi SE. The latter also had a similar implementation where there's not much in the way of locking things down, other than an (easily circumvented) SP Flash Tool signature check and different preloader keys. And here's the real kicker: the nearly-identical Fisher Price Nabi also ran on the MT8163, so it makes me wonder if it's possible to boot Pie on it, or perhaps a GSI assuming that Treble can be tacked onto it.
Also, do you have the source repo to this TWRP port of yours?
If anyone here gave me an XDA ad-free subscription, thanks a lot! I didn't get a notification of who it was. Using this site is a lot more bearable now.
diplomatic said:
If anyone here gave me an XDA ad-free subscription, thanks a lot! I didn't get a notification of who it was. Using this site is a lot more bearable now.
Click to expand...
Click to collapse
Where do I find crypto footer to backup
diplomatic said:
If anyone here gave me an XDA ad-free subscription, thanks a lot! I didn't get a notification of who it was. Using this site is a lot more bearable now.
Click to expand...
Click to collapse
Kinda cool without the ads isn't it. I know I sent one about a week ago or so. I think everybody ought to send you one, you deserve it. THANKS and AWESOME work.