Hello All,
So I got my Axon 7 the other day. Using one of the guides from this site, I started to flash it using (Win 10 64 bit) ADB to Lineage OS. Long story short as per the title, it didn't end well. I'm no expert but I've managed to flash a couple of phones before with success. I did read up and I was careful.
Obviously the point of this post is, I've not had any luck trying to recover it and now my phone is bricked. Its got stuck in DFU mode. My pc recognises it when connected to USB (hold Vol+/Vol-, insert USB), it shows as Handset Diagnostic Interface (DFU) (Com7) in the device manager.
I've not been able to anything with it. I made up and used a deep flash cable but it didn't work.
Can anyone recommend a good phone fixer in South of England that can sort my phone and get it going again?
It's ****ed up. you have to do the semi brick trick.
Sn8K said:
It's ****ed up. you have to do the semi brick trick.
Click to expand...
Click to collapse
As in 4th category brick repair?
https://forum.xda-developers.com/showpost.php?p=70948893&postcount=28
coremania said:
First try it yourself, read the thread from controllerboy
https://forum.xda-developers.com/axon-7/how-to/guide-install-twrp-unlock-bl-flash-t3517379
Shut down the phone and try to press both volume buttons while connecting the usb cable to get edl mode running. With zadig try to get the right driver working.
You should read the thread to rescue your phone, a lot of people managed to fix their phones.
Click to expand...
Click to collapse
Thanks for the reply. That very post by controllerboy was my guide. I think it was at step 20 or 21 things went awry. The method you suggest, I've tried many times and believe me I've read many of the rescue threads. Perhaps I've missed something somewhere. I've used Zadig and I have WinUsb drivers installed.
I've tried the Axon7Toolkit, QPST and Miflash software.
coremania said:
https://forum.xda-developers.com/showpost.php?p=70948893&postcount=28
Click to expand...
Click to collapse
Thanks for that. Curiously I'd read that post before, but before I got to this stage of "brickness".
I don't have my A7 with me right now, but I do remember on one of the countless connections to my pc over the weekend that I did see "? device" in response to an "adb devices" command.
That gives me hope! Thanks for your memory jogging post : )
HVMan01 said:
As in 4th category brick repair?
Click to expand...
Click to collapse
Sorry for the delay .. not often on my computer theses times ...
Yeah, was talking about that one. Or even another way, is to use warranty as I did when my A7 went down the same way as your.
To be sure, i've relocked bootloader (fastboot should always be accessible in your case by powering phone + Vol Down) and described my problem as a sudden boot failure after a failed OFFICIAL recovery update.
They've trusted me ... And changed my motherboard.
I'm not sure I could do that now. I thought I'd had a lucky break re comment about adb and the ? device message. Couldn't repeat that though. Going to have to find a good repairer to get into the hardware! Thanks for taking time to reply, much appreciated.
Update. With phone connected to pc, have managed to get it recognised and shows as "Qualcomm HS-USB QDLoader 9008" in the Device Manager. No other instances of the device appear there.
Using Adb in administrator mode, commands won't reach it. Axon7tool is the same.
But.......using the current version of Qualcomm's QFIL, it now finds the phone on port 9. At this stage I'm attempting to flash a TWRP recovery image only.
I get an error. This is the log, can anyone make sense of it?
Thanks
------------------------------------------------------------
Start Download
Program Path:C:\Program Files (x86)\Qualcomm\QPST\bin\prog_ufs_firehose_8996_ddr_zte1.elf
Binary build date: May 13 2015 @ 14:41:37
QSAHARASERVER CALLED LIKE THIS: 'E:\Downloads\Qualcomm_Flash_Image_Loader_v2.0.0.5(1)\Qualcomm_Flash_Image_Loader_v2.0.0.5\QSaharaServer.exe -p \\.\COM9 -s 13:C:\Program Files (x86)\Qualcomm\QPST\bin\prog_ufs_firehose_8996_ddr_zte1.elf 'Current working dir: C:\Users\Nick\AppData\Roaming\Qualcomm\QFIL
Sahara mappings:
2: amss.mbn
6: apps.mbn
8: dsp1.mbn
10: dbl.mbn
11: osbl.mbn
12: dsp2.mbn
16: efs1.mbn
17: efs2.mbn
20: efs3.mbn
21: sbl1.mbn
22: sbl2.mbn
23: rpm.mbn
25: tz.mbn
28: dsp3.mbn
29: acdb.mbn
30: wdt.mbn
31: mba.mbn
13: C:\Program Files (x86)\Qualcomm\QPST\bin\prog_ufs_firehose_8996_ddr_zte1.elf
14:19:32: Received file 'load.cmm'
14:19:32: 1372 bytes transferred in 0.000000 seconds
14:19:32: File transferred successfully
14:20:28: Received file 'DDRCS1.BIN'
14:20:28: -2147483648 bytes transferred in 55.593000 seconds (36.8392MBps)
14:20:28: File transferred successfully
14:21:23: Received file 'DDRCS0.BIN'
14:21:23: -2147483648 bytes transferred in 54.985000 seconds (37.2465MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'PMSG.BIN'
14:21:23: 1048576 bytes transferred in 0.031000 seconds (32.2581MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'OOPS.BIN'
14:21:23: 1048576 bytes transferred in 0.015000 seconds (66.6667MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'RAMCON.BIN'
14:21:23: 1048576 bytes transferred in 0.016000 seconds (62.5000MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'PIMEM.BIN'
14:21:23: 16777216 bytes transferred in 0.375000 seconds (42.6667MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'DDR_DATA.BIN'
14:21:23: 4096 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'RST_STAT.BIN'
14:21:23: 4 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'PMIC_PON.BIN'
14:21:23: 8 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'IPA_MBOX.BIN'
14:21:23: 256 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'IPA_HRAM.BIN'
14:21:23: 12032 bytes transferred in 0.016000 seconds (0.7172MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'IPA_SRAM.BIN'
14:21:23: 8192 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'IPA_DRAM.BIN'
14:21:23: 16128 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'IPA_IRAM.BIN'
14:21:23: 16384 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'MSGRAM.BIN'
14:21:23: 24576 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'DATARAM.BIN'
14:21:23: 81920 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'CODERAM.BIN'
14:21:24: 163840 bytes transferred in 0.000000 seconds
14:21:24: File transferred successfully
14:21:24: Received file 'OCIMEM.BIN'
14:21:24: 262144 bytes transferred in 0.016000 seconds (15.6250MBps)
14:21:24: File transferred successfully
14:21:24: Successfully downloaded files from target
14:21:24: ERROR: function: is_ack_successful:943 SAHARA_NAK_INVALID_IMAGE_TYPE
14:21:24: ERROR: function: sahara_start:825 Exiting abruptly
14:21:24: ERROR: function: sahara_main:854 Sahara protocol error
14:21:24: ERROR: function: main:265 Uploading Image using Sahara protocol failed
Download Fail:Sahara Fail:QSaharaServer Failrocess fail
Finish Download
------------------------------------------------------------------------------------------------
HVMan01 said:
Update. With phone connected to pc, have managed to get it recognised and shows as "Qualcomm HS-USB QDLoader 9008" in the Device Manager. No other instances of the device appear there.
Using Adb in administrator mode, commands won't reach it. Axon7tool is the same.
But.......using the current version of Qualcomm's QFIL, it now finds the phone on port 9. At this stage I'm attempting to flash a TWRP recovery image only.
I get an error. This is the log, can anyone make sense of it?
Thanks
------------------------------------------------------------
Start Download
Program Path:C:\Program Files (x86)\Qualcomm\QPST\bin\prog_ufs_firehose_8996_ddr_zte1.elf
Binary build date: May 13 2015 @ 14:41:37
QSAHARASERVER CALLED LIKE THIS: 'E:\Downloads\Qualcomm_Flash_Image_Loader_v2.0.0.5(1)\Qualcomm_Flash_Image_Loader_v2.0.0.5\QSaharaServer.exe -p \.\COM9 -s 13:C:\Program Files (x86)\Qualcomm\QPST\bin\prog_ufs_firehose_8996_ddr_zte1.elf 'Current working dir: C:\Users\Nick\AppData\Roaming\Qualcomm\QFIL
Sahara mappings:
2: amss.mbn
6: apps.mbn
8: dsp1.mbn
10: dbl.mbn
11: osbl.mbn
12: dsp2.mbn
16: efs1.mbn
17: efs2.mbn
20: efs3.mbn
21: sbl1.mbn
22: sbl2.mbn
23: rpm.mbn
25: tz.mbn
28: dsp3.mbn
29: acdb.mbn
30: wdt.mbn
31: mba.mbn
13: C:\Program Files (x86)\Qualcomm\QPST\bin\prog_ufs_firehose_8996_ddr_zte1.elf
14:19:32: Received file 'load.cmm'
14:19:32: 1372 bytes transferred in 0.000000 seconds
14:19:32: File transferred successfully
14:20:28: Received file 'DDRCS1.BIN'
14:20:28: -2147483648 bytes transferred in 55.593000 seconds (36.8392MBps)
14:20:28: File transferred successfully
14:21:23: Received file 'DDRCS0.BIN'
14:21:23: -2147483648 bytes transferred in 54.985000 seconds (37.2465MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'PMSG.BIN'
14:21:23: 1048576 bytes transferred in 0.031000 seconds (32.2581MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'OOPS.BIN'
14:21:23: 1048576 bytes transferred in 0.015000 seconds (66.6667MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'RAMCON.BIN'
14:21:23: 1048576 bytes transferred in 0.016000 seconds (62.5000MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'PIMEM.BIN'
14:21:23: 16777216 bytes transferred in 0.375000 seconds (42.6667MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'DDR_DATA.BIN'
14:21:23: 4096 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'RST_STAT.BIN'
14:21:23: 4 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'PMIC_PON.BIN'
14:21:23: 8 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'IPA_MBOX.BIN'
14:21:23: 256 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'IPA_HRAM.BIN'
14:21:23: 12032 bytes transferred in 0.016000 seconds (0.7172MBps)
14:21:23: File transferred successfully
14:21:23: Received file 'IPA_SRAM.BIN'
14:21:23: 8192 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'IPA_DRAM.BIN'
14:21:23: 16128 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'IPA_IRAM.BIN'
14:21:23: 16384 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'MSGRAM.BIN'
14:21:23: 24576 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'DATARAM.BIN'
14:21:23: 81920 bytes transferred in 0.000000 seconds
14:21:23: File transferred successfully
14:21:23: Received file 'CODERAM.BIN'
14:21:24: 163840 bytes transferred in 0.000000 seconds
14:21:24: File transferred successfully
14:21:24: Received file 'OCIMEM.BIN'
14:21:24: 262144 bytes transferred in 0.016000 seconds (15.6250MBps)
14:21:24: File transferred successfully
14:21:24: Successfully downloaded files from target
14:21:24: ERROR: function: is_ack_successful:943 SAHARA_NAK_INVALID_IMAGE_TYPE
14:21:24: ERROR: function: sahara_start:825 Exiting abruptly
14:21:24: ERROR: function: sahara_main:854 Sahara protocol error
14:21:24: ERROR: function: main:265 Uploading Image using Sahara protocol failed
Download Fail:Sahara Fail:QSaharaServer Failrocess fail
Finish Download
------------------------------------------------------------------------------------------------
Click to expand...
Click to collapse
Wich TWRP version do u flash when u get this error?
TWRP_3.1.1-1_Axon7.img
I myself could never get win 10 to flash or detect my axon had to install win7 to properly flash it.
HVMan01 said:
TWRP_3.1.1-1_Axon7.img
Click to expand...
Click to collapse
Look in this XDA forum for axon7 in the gudies thread for a post that is named download center.
In there u have a different TWRP file. Try to flash that file instead.
Have you tried booting to FTM mode by long pressing vol down + power when the device is powered off. If you can, then you can have adb access. On cmd it will come up as "? devices" when you try adb devices.
In reply #13, yes I've tried other Axon7 TWRP files. Using Qualcomm's QFIL, all ends up with error log stating
----------------------------------------------------------
14:21:24: ERROR: function: is_ack_successful:943 SAHARA_NAK_INVALID_IMAGE_TYPE
14:21:24: ERROR: function: sahara_start:825 Exiting abruptly
14:21:24: ERROR: function: sahara_main:854 Sahara protocol error
14:21:24: ERROR: function: main:265 Uploading Image using Sahara protocol failed
Download Fail:Sahara Fail:QSaharaServer Failrocess fail
Finish Download
---------------------------
So not sure what's up (yet). Obviously the .xml files need a tweek.
At reply #14. I cannot get ADB access now no matter what key combination I press, and I've tried, oh how I've tried : (
Hi, have you finished your problem ?
Unfortunately not. I need to fix the errors shown in the log above @ #15.
Possibly someone knows? As I said before, I cannot access the phone via the ADB command set or fastboot for that matter.
A bit late, but I guess u tried to bring your phone to edl mode. And changing the drivers via zadig.
I mean shut down phone, press both volume buttons while connecting to USB. If it's blank, you just have to manage zadig to use the right driver and start from scratch.
coremania said:
A bit late, but I guess u tried to bring your phone to edl mode. And changing the drivers via zadig.
I mean shut down phone, press both volume buttons while connecting to USB. If it's blank, you just have to manage zadig to use the right driver and start from scratch.
Click to expand...
Click to collapse
Ok so phone is off, as in no red light on. Both vol buttons pressed, connected to USB.
Device recognised sound, shows as Qualcomm HSUSB QDLoader 9008 com4.
Minimal ADB and Fastboot running in administrator mode, entered ADB devices, none found. Tried ADB reboot, got error no devices/emulators found.
Started QFIL, can't run meta build with .mbn as no mbn files in anything I have to flash phone with. Can do a flat build but this just fails with the same errors as in #15.
Have looked at supposed "fixed" sahara/QFIL fail problem vids on YouTube. No answers found there.
So just stuck right now.
https://forum-lw-1.xda-cdn.com/images/smilies/frown.gif
HVMan01 said:
Ok so phone is off, as in no red light on. Both vol buttons pressed, connected to USB.
Device recognised sound, shows as Qualcomm HSUSB QDLoader 9008 com4.
Minimal ADB and Fastboot running in administrator mode, entered ADB devices, none found. Tried ADB reboot, got error no devices/emulators found.
Started QFIL, can't run meta build with .mbn as no mbn files in anything I have to flash phone with. Can do a flat build but this just fails with the same errors as in #15.
Have looked at supposed "fixed" sahara/QFIL fail problem vids on YouTube. No answers found there.
So just stuck right now.
https://forum-lw-1.xda-cdn.com/images/smilies/frown.gif
Click to expand...
Click to collapse
Hey could you clarify some things?
Why are you trying adb on EDL mode? (it only works on FTM, anyways)
Can't you just use MiFlash? After all this, I guess you should've already thought about the 4th category brick repair method. I did it, it worked. just sayin.
I had assembled a Fire HD 8 (2016) using parts from three different tablets, and I thought I'd have a play and see it if I could unlock it using a modified version of amonet for karnak (Fire HD 8, 2018).
I started with a rooted Fire HD 8 (2016) running Fire OS 5.6.3.4 (build 626536720). Amonet-karnak-v3.01 was downloaded from here: https://forum.xda-developers.com/showpost.php?p=80166353&postcount=1. Image files from Fire OS 5.6.3.4, update-kindle-49.6.2.6_user_626536720.bin: lk.bin, tz.img, preloader.bin, preloader.hdr0 and preloader.hdr1 were copied to amonet/bin, replacing the originals. The script 'fireos-step.sh'' was edited to allow 'max_pl=6' (preloader version 6), to change the model to 'full_giza' and to change the path (PART_PREFIX=) to /dev/block/platform/mtk-msdc.0.
The output from running the modified 'fireos-step.sh' script was as follows:
Code:
[email protected]:~/Downloads/amonet-giza-t/amonet$ sudo ./fireos-step.sh
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 6 (6)
LK version: 1 (1)
TZ version: 258 (258)
Flashing PL
1602 KB/s (138924 bytes in 0.084s)
271+1 records in
271+1 records out
138924 bytes transferred in 0.063 secs (2205142 bytes/sec)
271+1 records in
271+1 records out
138924 bytes transferred in 0.016 secs (8682750 bytes/sec)
Flashing LK-payload
62 KB/s (2872 bytes in 0.044s)
5+1 records in
5+1 records out
2872 bytes transferred in 0.005 secs (574400 bytes/sec)
Flashing LK
4234 KB/s (487392 bytes in 0.112s)
951+1 records in
951+1 records out
487392 bytes transferred in 0.045 secs (10830933 bytes/sec)
Flashing TZ
4218 KB/s (3307008 bytes in 0.765s)
6459+0 records in
6459+0 records out
3307008 bytes transferred in 0.287 secs (11522675 bytes/sec)
6459+0 records in
6459+0 records out
3307008 bytes transferred in 0.297 secs (11134707 bytes/sec)
Flashing TWRP
4285 KB/s (13930496 bytes in 3.174s)
27208+0 records in
27208+0 records out
13930496 bytes transferred in 1.046 secs (13317873 bytes/sec)
Patching boot
2+0 records in
2+0 records out
1024 bytes transferred in 0.001 secs (1024000 bytes/sec)
2+0 records in
2+0 records out
1024 bytes transferred in 0.004 secs (256000 bytes/sec)
- Inject microloader
2+0 records in
2+0 records out
1024 bytes transferred in 0.004 secs (256000 bytes/sec)
Flashing PL header
44 KB/s (2048 bytes in 0.044s)
44 KB/s (2048 bytes in 0.044s)
4+0 records in
4+0 records out
2048 bytes transferred in 0.040 secs (51200 bytes/sec)
4+0 records in
4+0 records out
2048 bytes transferred in 0.052 secs (39384 bytes/sec)
Rebooting to TWRP
[email protected]:~/Downloads/amonet-giza-t/amonet$
This seemed OK but after rebooting, the tablet got stuck on the white Amazon logo, with no recovery mode available.
Amonet_giza_v1.3 was downloaded from here: https://forum.xda-developers.com/showpost.php?p=80232977&postcount=1. I ran the script 'bootrom-step.sh' (shorting method) and this was apparently sucessful:
Code:
[email protected]:~/Downloads/amonet-giza-v1.3$ sudo ./bootrom-step.sh
[2020-06-17 14:49:13.017742] Waiting for bootrom
[2020-06-17 14:49:44.205417] Found port = /dev/ttyACM0
[2020-06-17 14:49:44.215424] Handshake
[2020-06-17 14:49:44.263501] Disable watchdog
* * * Remove the short and press Enter * * *
[2020-06-17 14:49:48.644612] Init crypto engine
[2020-06-17 14:49:48.790589] Disable caches
[2020-06-17 14:49:48.798307] Disable bootrom range checks
[2020-06-17 14:49:48.898946] Load payload from ../brom-payload/build/payload.bin = 0x48D8 bytes
[2020-06-17 14:49:48.965959] Send payload
[2020-06-17 14:49:53.690455] Let's rock
[2020-06-17 14:49:53.699383] Wait for the payload to come online...
[2020-06-17 14:49:54.420378] all good
[2020-06-17 14:49:54.429345] Check GPT
[2020-06-17 14:49:54.802163] gpt_parsed = {'nvram': (7168, 10240), 'recovery': (92416, 32768), 'expdb': (154880, 20480), 'para': (137472, 1024), 'lk': (58880, 1000), 'secro': (125184, 12288), 'frp': (175360, 2048), 'protect2': (37888, 20480), 'metadata': (197888, 80640), 'logo': (138496, 16384), 'tee1': (177408, 10240), 'protect1': (17408, 20480), 'tee2': (187648, 10240), 'seccfg': (58368, 512), 'boot': (59880, 32536), 'proinfo': (1024, 6144)}
[2020-06-17 14:49:54.806253] Check boot0
[2020-06-17 14:49:55.053280] Check rpmb
[2020-06-17 14:49:55.269372] Downgrade rpmb
[2020-06-17 14:49:55.277150] Recheck rpmb
[2020-06-17 14:49:56.174262] rpmb downgrade ok
[2020-06-17 14:49:56.180584] Clear preloader header
[8 / 8]
[2020-06-17 14:49:56.897490] Flashing TZ
[6459 / 6459]
[2020-06-17 14:52:29.248010] Flash LK
[952 / 952]
[2020-06-17 14:52:52.133657] Flash PL
[280 / 280]
[2020-06-17 14:53:10.364218] Reboot
[email protected]:~/Downloads/amonet-giza-v1.3
However, it is still getting stuck at the white Amazon logo. Is there any way of resurrecting this tablet?
MontysEvilTwin said:
I had assembled a Fire HD 8 (2016) using parts from three different tablets, and I thought I'd have a play and see it if I could unlock it using a modified version of amonet for karnak (Fire HD 8, 2018).
I started with a rooted Fire HD 8 (2016) running Fire OS 5.6.3.4 (build 626536720). Amonet-karnak-v3.01 was downloaded from here: https://forum.xda-developers.com/showpost.php?p=80166353&postcount=1. Image files from Fire OS 5.6.3.4, update-kindle-49.6.2.6_user_626536720.bin: lk.bin, tz.img, preloader.bin, preloader.hdr0 and preloader.hdr1 were copied to amonet/bin, replacing the originals. The script 'fireos-step.sh'' was edited to allow 'max_pl=6' (preloader version 6), to change the model to 'full_giza' and to change the path (PART_PREFIX=) to /dev/block/platform/mtk-msdc.0.
The output from running the modified 'fireos-step.sh' script was as follows:
Code:
[email protected]:~/Downloads/amonet-giza-t/amonet$ sudo ./fireos-step.sh
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 6 (6)
LK version: 1 (1)
TZ version: 258 (258)
Flashing PL
1602 KB/s (138924 bytes in 0.084s)
271+1 records in
271+1 records out
138924 bytes transferred in 0.063 secs (2205142 bytes/sec)
271+1 records in
271+1 records out
138924 bytes transferred in 0.016 secs (8682750 bytes/sec)
Flashing LK-payload
62 KB/s (2872 bytes in 0.044s)
5+1 records in
5+1 records out
2872 bytes transferred in 0.005 secs (574400 bytes/sec)
Flashing LK
4234 KB/s (487392 bytes in 0.112s)
951+1 records in
951+1 records out
487392 bytes transferred in 0.045 secs (10830933 bytes/sec)
Flashing TZ
4218 KB/s (3307008 bytes in 0.765s)
6459+0 records in
6459+0 records out
3307008 bytes transferred in 0.287 secs (11522675 bytes/sec)
6459+0 records in
6459+0 records out
3307008 bytes transferred in 0.297 secs (11134707 bytes/sec)
Flashing TWRP
4285 KB/s (13930496 bytes in 3.174s)
27208+0 records in
27208+0 records out
13930496 bytes transferred in 1.046 secs (13317873 bytes/sec)
Patching boot
2+0 records in
2+0 records out
1024 bytes transferred in 0.001 secs (1024000 bytes/sec)
2+0 records in
2+0 records out
1024 bytes transferred in 0.004 secs (256000 bytes/sec)
- Inject microloader
2+0 records in
2+0 records out
1024 bytes transferred in 0.004 secs (256000 bytes/sec)
Flashing PL header
44 KB/s (2048 bytes in 0.044s)
44 KB/s (2048 bytes in 0.044s)
4+0 records in
4+0 records out
2048 bytes transferred in 0.040 secs (51200 bytes/sec)
4+0 records in
4+0 records out
2048 bytes transferred in 0.052 secs (39384 bytes/sec)
Rebooting to TWRP
[email protected]:~/Downloads/amonet-giza-t/amonet$
This seemed OK but after rebooting, the tablet got stuck on the white Amazon logo, with no recovery mode available.
Amonet_giza_v1.3 was downloaded from here: https://forum.xda-developers.com/showpost.php?p=80232977&postcount=1. I ran the script 'bootrom-step.sh' (shorting method) and this was apparently sucessful:
Code:
[email protected]:~/Downloads/amonet-giza-v1.3$ sudo ./bootrom-step.sh
[2020-06-17 14:49:13.017742] Waiting for bootrom
[2020-06-17 14:49:44.205417] Found port = /dev/ttyACM0
[2020-06-17 14:49:44.215424] Handshake
[2020-06-17 14:49:44.263501] Disable watchdog
* * * Remove the short and press Enter * * *
[2020-06-17 14:49:48.644612] Init crypto engine
[2020-06-17 14:49:48.790589] Disable caches
[2020-06-17 14:49:48.798307] Disable bootrom range checks
[2020-06-17 14:49:48.898946] Load payload from ../brom-payload/build/payload.bin = 0x48D8 bytes
[2020-06-17 14:49:48.965959] Send payload
[2020-06-17 14:49:53.690455] Let's rock
[2020-06-17 14:49:53.699383] Wait for the payload to come online...
[2020-06-17 14:49:54.420378] all good
[2020-06-17 14:49:54.429345] Check GPT
[2020-06-17 14:49:54.802163] gpt_parsed = {'nvram': (7168, 10240), 'recovery': (92416, 32768), 'expdb': (154880, 20480), 'para': (137472, 1024), 'lk': (58880, 1000), 'secro': (125184, 12288), 'frp': (175360, 2048), 'protect2': (37888, 20480), 'metadata': (197888, 80640), 'logo': (138496, 16384), 'tee1': (177408, 10240), 'protect1': (17408, 20480), 'tee2': (187648, 10240), 'seccfg': (58368, 512), 'boot': (59880, 32536), 'proinfo': (1024, 6144)}
[2020-06-17 14:49:54.806253] Check boot0
[2020-06-17 14:49:55.053280] Check rpmb
[2020-06-17 14:49:55.269372] Downgrade rpmb
[2020-06-17 14:49:55.277150] Recheck rpmb
[2020-06-17 14:49:56.174262] rpmb downgrade ok
[2020-06-17 14:49:56.180584] Clear preloader header
[8 / 8]
[2020-06-17 14:49:56.897490] Flashing TZ
[6459 / 6459]
[2020-06-17 14:52:29.248010] Flash LK
[952 / 952]
[2020-06-17 14:52:52.133657] Flash PL
[280 / 280]
[2020-06-17 14:53:10.364218] Reboot
[email protected]:~/Downloads/amonet-giza-v1.3
However, it is still getting stuck at the white Amazon logo. Is there any way of resurrecting this tablet?
Click to expand...
Click to collapse
Have you tried flashing the full image from amazon?
Michajin said:
Have you tried flashing the full image from amazon?
Click to expand...
Click to collapse
I can't get into recovery. I think that the standard recovery was overwritten by TWRP, but it won't boot into TWRP.
MontysEvilTwin said:
I can't get into recovery. I think that the standard recovery was overwritten by TWRP, but it won't boot into TWRP.
Click to expand...
Click to collapse
I never seen Giza get that far to make the full unlock/TWRP install. Can you show me the thread that unlocks it? The thread you listed was a unbrick thread. Did you try anything that might have wiped the recovery partition? Vol (+or-) and power don't try and force recovery? (i dont have a giza, just trying to help).
Michajin said:
I never seen Giza get that far to make the full unlock/TWRP install. Can you show me the thread that unlocks it? The thread you listed was a unbrick thread. Did you try anything that might have wiped the recovery partition? Vol (+or-) and power don't try and force recovery? (i dont have a giza, just trying to help).
Click to expand...
Click to collapse
There is no official unlock, I was playing around with a spare tablet and I used the latest version of amonet for karnak (v 3.0.1) but with giza bootloader files and a modified fireos-step script. According to the output (post #1) TWRP did flash correctly and as this is based on amonet for karnak it will have overwritten the recovery partition. It was a risk, as while the giza, douglas and karnak tablets all have a common processor, the douglas requires the device to be repartitioned and TWRP to be installed on a second recovery partition, karnak does not.
There is an old thread (see here: https://forum.xda-developers.com/hd8-hd10/orig-development/fire-hd8-2017-amonet-debrick-root-t3897841) which enabled the douglas to be rooted before mtk-su was released. This installed karnak bootloader files using amonet and then flashed a rooted software image (hacked fastboot) before flashing the devices own bootloaders. This also works for giza using giza bootloaders. I will probably try this method. I am not sure if it is sufficient to flash a system and boot image or if I need to reflash a separate recovery image too?
MontysEvilTwin said:
There is no official unlock, I was playing around with a spare tablet and I used the latest version of amonet for karnak (v 3.0.1) but with giza bootloader files and a modified fireos-step script. According to the output (post #1) TWRP did flash correctly and as this is based on amonet for karnak it will have overwritten the recovery partition. It was a risk, as while the giza, douglas and karnak tablets all have a common processor, the douglas requires the device to be repartitioned and TWRP to be installed on a second recovery partition, karnak does not.
There is an old thread (see here: https://forum.xda-developers.com/hd8-hd10/orig-development/fire-hd8-2017-amonet-debrick-root-t3897841) which enabled the douglas to be rooted before mtk-su was released. This installed karnak bootloader files using amonet and then flashed a rooted software image (hacked fastboot) before flashing the devices own bootloaders. This also works for giza using giza bootloaders. I will probably try this method. I am not sure if it is sufficient to flash a system and boot image or if I need to reflash a separate recovery image too?
Click to expand...
Click to collapse
I fixed it using the last method described in my previous post; the original HD 8 (2017) debrick thread. This used shorting with the bootrom method to install karnak preloader, TZ and LK files, plus hacked fastboot. I then flashed boot.img (taken from the '.bin' of the OS 5.3.6.4 software - first build), system.img (created from the same software using a python script, as described in the link) and, to be safe, I also flashed recovery.img (copied from another 2016 HD 8 running the same version of software). Then I used bootrom again (amonet-res from the link, with 2016 HD 8 files) to restore 2016 HD 8 preloader plus LK and TZ files. The device then booted normally into Fire OS.
MontysEvilTwin said:
I fixed it using the last method described in my previous post; the original HD 8 (2017) debrick thread. This used shorting with the bootrom method to install karnak preloader, TZ and LK files, plus hacked fastboot. I then flashed boot.img (taken from the '.bin' of the OS 5.3.6.4 software - first build), system.img (created from the same software using a python script, as described in the link) and, to be safe, I also flashed recovery.img (copied from another 2016 HD 8 running the same version of software). Then I used bootrom again (amonet-res from the link, with 2016 HD 8 files) to restore 2016 HD 8 preloader plus LK and TZ files. The device then booted normally into Fire OS.
Click to expand...
Click to collapse
Awesome!
Sounds like you had it unlocked, and you could have installed TWRP (douglas?) over stock recovery from the hacked fastboot.
Michajin said:
Awesome!
Sounds like you had it unlocked, and you could have installed TWRP (douglas?) over stock recovery from the hacked fastboot.
Click to expand...
Click to collapse
I think someone who knows what they are doing could get it working. I know it flashed TWRP for karnak when I first tried to unlock but something I did temporarily bricked the tablet. The method I used to recover installs karnak files on the device. The screen stays black but hacked fastboot still runs.
It may be that the exploit for douglas is worth trying. This is a bit different to karnak in that it repartitions the device and installs TWRP on a secondary partition.
MontysEvilTwin said:
I think someone who knows what they are doing could get it working. I know it flashed TWRP for karnak when I first tried to unlock but something I did temporarily bricked the tablet. The method I used to recover installs karnak files on the device. The screen stays black but hacked fastboot still runs.
It may be that the exploit for douglas is worth trying. This is a bit different to karnak in that it repartitions the device and installs TWRP on a secondary position.
Click to expand...
Click to collapse
Promising move. Thanks! :good:
Wish @k4y0z or @xyz could spare some time to look into your hints described here to unlock this 8hd 6th gen bad boy.
Fingers crossed!
drdtyc said:
Promising move. Thanks! :good:
Wish @k4y0z or @xyz could spare some time to look into your hints described here to unlock this 8hd 6th gen bad boy.
Fingers crossed!
Click to expand...
Click to collapse
I have done nothing original really. I am sure those guys you mentioned could make this work (assuming the LK file has the necessary vulnerability) but they may not have the tablet in question, the time and/ or the inclination.
You did a great job. I expect that you only need some operations. To try, I can help you try because I own 3 from Amazon hd8 6th giza
I was thinking of modifying amonet for douglas (HD 8, 2017) and trying it on the 2016 model. This would involve replacing some of the files in amonet/bin with their equivalents from the latest HD 8, 2016 software 'bin' and minor tweaking of the 'step-1' and 'step-2' scripts. This method re-partitions the device to create new 'boot_x' and 'recovery_x' partitions. The partitioning schemes for these two devices are different: they have the same 'by-name' paths, but the 2016 model has some extra partitions, and has a different partition numbering scheme. I am not sure if the amonet (HD 8, 2017) scripts would partition the 2016 device correctly or if they would create an unrecoverable brick. I may try it anyway at some point out of curiosity.
MontysEvilTwin said:
I was thinking of modifying amonet for douglas (HD 8, 2017) and trying it on the 2016 model. This would involve replacing some of the files in amonet/bin with their equivalents from the latest HD 8, 2016 software 'bin' and minor tweaking of the 'step-1' and 'step-2' scripts. This method re-partitions the device to create new 'boot_x' and 'recovery_x' partitions. The partitioning schemes for these two devices are different: they have the same 'by-name' paths, but the 2016 model has some extra partitions, and has a different partition numbering scheme. I am not sure if the amonet (HD 8, 2017) scripts would partition the 2016 device correctly or if they would create an unrecoverable brick. I may try it anyway at some point out of curiosity.
Click to expand...
Click to collapse
Great, as amonet for giza is taking shape!
Would pm @k4y0z get a useful answer of partition schemes ? It is like straight from the horse's mouth, so to speak, as he is the author of those 'step-1' and 'step-2' scripts.
My apologies in advance if this post breaks any etiquette of the XDA forum.
drdtyc said:
Great, as amonet for giza is taking shape!
Would pm @k4y0z get a useful answer of partition schemes ? It is like straight from the horse's mouth, so to speak, as he is the author of those 'step-1' and 'step-2' scripts.
My apologies in advance if this post breaks any etiquette of the XDA forum.
Click to expand...
Click to collapse
Please don't get your hopes up. I am having a look out of interest and to learn a bit, but what needs changing may be beyond me.
MontysEvilTwin said:
Please don't get your hopes up. I am having a look out of interest and to learn a bit, but what needs changing may be beyond me.
Click to expand...
Click to collapse
Good that you are looking into this!
Keep up the good work.
Not all hope is lost yet to unlock this bad boy.
---------- Post added at 05:42 PM ---------- Previous post was at 05:35 PM ----------
https://forum.xda-developers.com/hd8-hd10/general/custom-recovery-rooted-6th-gen-fire-hd-t3540050
This thread discusses the partition structure of several Fire tablets including the 8hd 6th gen. All these are beyond me.
It may be of use to @MontysEvilTwin.
---------- Post added at 05:43 PM ---------- Previous post was at 05:42 PM ----------
https://forum.xda-developers.com/amazon-fire/development/partitions-list-t3236213
This thread lists the partition structure of Fire Android devices.
It may be of use to @MontysEvilTwin.
anyone need help i am ready i have three rooted device from GIZA
regards
Ever since I got the tablet in 2017, I was looking for a way to get TWRP working on this device. Thanks for giving me hope for a a full unlock experience!
I have a rooted device, so feel free to ask me run some commands (that doesn't brick it hopefully, it's my daily driver for stuff)
(I guess it's almost time to start porting LineageOS?)
Unfortunately my attempt has ended in failure. I downloaded amonet-douglas-v1.2 (see here: https://forum.xda-developers.com/showpost.php?p=80154797&postcount=1) and replaced the LK, TZ, and preloader images in the 'bin' folder with those from the latest version of FIre OS for giza (5.3.6.4). I also edited the 'Step-1' and 'Step-2' scripts to allow them to run on the giza (HD 8, 2016). I ran Step-1. Output here:
Code:
[email protected]:~/Downloads/amonet-giza-t2/amonet$ sudo ./step-1.sh
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 6 (6)
LK version: 1 (2)
TZ version: 258 (259)
Your device will be reset to factory defaults...
Press Enter to Continue...
Dumping GPT
34+0 records in
34+0 records out
17408 bytes transferred in 0.001 secs (17408000 bytes/sec)
97 KB/s (17408 bytes in 0.174s)
Modifying GPT
[2020-06-23 12:47:56.140090] Input GPT:
[2020-06-23 12:47:56.155798]
[2020-06-23 12:47:56.165320] Sector size (logical): 512 bytes
[2020-06-23 12:47:56.181377] Disk identifier (GUID): 0977B6B6-2B39-4075-8CCF-F0F9A3D117CD
[2020-06-23 12:47:56.187570] Partition table holds up to 128 entries
[2020-06-23 12:47:56.192110] This partition table begins at sector 2 and ends at sector 33
[2020-06-23 12:47:56.196498] First usable sector is 34, last usable sector is 30777310
[2020-06-23 12:47:56.201418] Other partition table is at sector 30777343
[2020-06-23 12:47:56.207044]
[2020-06-23 12:47:56.212063] Number Start (sector) End (sector) Size Name
[2020-06-23 12:47:56.270255] 1 1024 7167 3.00 MiB proinfo
[2020-06-23 12:47:56.280114] 2 7168 17407 5.00 MiB nvram
[2020-06-23 12:47:56.294441] 3 17408 37887 10.00 MiB protect1
[2020-06-23 12:47:56.315751] 4 37888 58367 10.00 MiB protect2
[2020-06-23 12:47:56.327317] 5 58368 58879 256.00 KiB seccfg
[2020-06-23 12:47:56.338008] 6 58880 59879 500.00 KiB lk
[2020-06-23 12:47:56.348155] 7 59880 92415 15.89 MiB boot
[2020-06-23 12:47:56.364741] 8 92416 125183 16.00 MiB recovery
[2020-06-23 12:47:56.375237] 9 125184 137471 6.00 MiB secro
[2020-06-23 12:47:56.385676] 10 137472 138495 512.00 KiB para
[2020-06-23 12:47:56.403211] 11 138496 154879 8.00 MiB logo
[2020-06-23 12:47:56.414057] 12 154880 175359 10.00 MiB expdb
[2020-06-23 12:47:56.423967] 13 175360 177407 1024.00 KiB frp
[2020-06-23 12:47:56.446425] 14 177408 187647 5.00 MiB tee1
[2020-06-23 12:47:56.457419] 15 187648 197887 5.00 MiB tee2
[2020-06-23 12:47:56.466734] 16 197888 278527 39.38 MiB metadata
[2020-06-23 12:47:56.486107] 17 278528 280575 1024.00 KiB kb
[2020-06-23 12:47:56.501732] 18 280576 282623 1024.00 KiB dkb
[2020-06-23 12:47:56.511501] 19 282624 3588671 1.58 GiB system
[2020-06-23 12:47:56.534411] 20 3588672 4457023 424.00 MiB cache
[2020-06-23 12:47:56.545231] 21 4457024 4458047 512.00 KiB MISC
[2020-06-23 12:47:56.554629] 22 4458048 4490815 16.00 MiB persisbackup
[2020-06-23 12:47:56.572927] 23 4490816 4499455 4.22 MiB PMT
[2020-06-23 12:47:56.583723] 24 4499456 30777310 12.53 GiB userdata
[2020-06-23 12:47:57.130509]
[2020-06-23 12:47:57.135884] Regenerate primary and backup GPT from input
[2020-06-23 12:47:57.140959] Writing regenerated GPT to gpt-G000KW0463310950/gpt.bin.gpt
[2020-06-23 12:47:57.272546] Writing regenerated backup GPT to gpt-G000KW0463310950/gpt.bin.bak
[2020-06-23 12:47:57.296137] Writing backup GPT offset to gpt-G000KW0463310950/gpt.bin.offset
[2020-06-23 12:47:57.325285]
[2020-06-23 12:47:57.330897] Modified GPT Step 1:
[2020-06-23 12:47:57.351999]
[2020-06-23 12:47:57.358603] Sector size (logical): 512 bytes
[2020-06-23 12:47:57.364570] Disk identifier (GUID): 0977B6B6-2B39-4075-8CCF-F0F9A3D117CD
[2020-06-23 12:47:57.369705] Partition table holds up to 128 entries
[2020-06-23 12:47:57.374261] This partition table begins at sector 2 and ends at sector 33
[2020-06-23 12:47:57.378757] First usable sector is 34, last usable sector is 30777310
[2020-06-23 12:47:57.383981] Other partition table is at sector 30777343
[2020-06-23 12:47:57.389786]
[2020-06-23 12:47:57.396300] Number Start (sector) End (sector) Size Name
[2020-06-23 12:47:57.413002] 1 1024 7167 3.00 MiB proinfo
[2020-06-23 12:47:57.429682] 2 7168 17407 5.00 MiB nvram
[2020-06-23 12:47:57.462799] 3 17408 37887 10.00 MiB protect1
[2020-06-23 12:47:57.479811] 4 37888 58367 10.00 MiB protect2
[2020-06-23 12:47:57.500102] 5 58368 58879 256.00 KiB seccfg
[2020-06-23 12:47:57.513027] 6 58880 59879 500.00 KiB lk
[2020-06-23 12:47:57.521735] 7 59880 92415 15.89 MiB boot
[2020-06-23 12:47:57.530851] 8 92416 125183 16.00 MiB recovery
[2020-06-23 12:47:57.546480] 9 125184 137471 6.00 MiB secro
[2020-06-23 12:47:57.558800] 10 137472 138495 512.00 KiB para
[2020-06-23 12:47:57.567431] 11 138496 154879 8.00 MiB logo
[2020-06-23 12:47:57.583867] 12 154880 175359 10.00 MiB expdb
[2020-06-23 12:47:57.601516] 13 175360 177407 1024.00 KiB frp
[2020-06-23 12:47:57.612980] 14 177408 187647 5.00 MiB tee1
[2020-06-23 12:47:57.622936] 15 187648 197887 5.00 MiB tee2
[2020-06-23 12:47:57.633490] 16 197888 278527 39.38 MiB metadata
[2020-06-23 12:47:57.647775] 17 278528 280575 1024.00 KiB kb
[2020-06-23 12:47:57.659414] 18 280576 282623 1024.00 KiB dkb
[2020-06-23 12:47:57.679812] 19 282624 3588671 1.58 GiB system
[2020-06-23 12:47:57.690797] 20 3588672 4457023 424.00 MiB cache
[2020-06-23 12:47:57.700665] 21 4457024 4458047 512.00 KiB MISC
[2020-06-23 12:47:57.714175] 22 4458048 4490815 16.00 MiB persisbackup
[2020-06-23 12:47:57.730194] 23 4490816 4499455 4.22 MiB PMT
[2020-06-23 12:47:57.739627] 24 4499456 30325759 12.31 GiB userdata
[2020-06-23 12:47:57.749898] 25 30325760 30551039 110.00 MiB boot_tmp
[2020-06-23 12:47:57.759279] 26 30551040 30776319 110.00 MiB recovery_tmp
[2020-06-23 12:47:58.281302]
[2020-06-23 12:47:58.286574] Writing primary GPT (part 1) to gpt-G000KW0463310950/gpt.bin.step1.gpt
[2020-06-23 12:47:58.428890] Writing backup GPT (part 1) to gpt-G000KW0463310950/gpt.bin.step1.bak
[2020-06-23 12:47:58.455505]
[2020-06-23 12:47:58.466746] Modified GPT Step 2:
[2020-06-23 12:47:58.481602]
[2020-06-23 12:47:58.487415] Sector size (logical): 512 bytes
[2020-06-23 12:47:58.492206] Disk identifier (GUID): 0977B6B6-2B39-4075-8CCF-F0F9A3D117CD
[2020-06-23 12:47:58.511517] Partition table holds up to 128 entries
[2020-06-23 12:47:58.518431] This partition table begins at sector 2 and ends at sector 33
[2020-06-23 12:47:58.523640] First usable sector is 34, last usable sector is 30777310
[2020-06-23 12:47:58.529462] Other partition table is at sector 30777343
[2020-06-23 12:47:58.543548]
[2020-06-23 12:47:58.566847] Number Start (sector) End (sector) Size Name
[2020-06-23 12:47:58.578207] 1 1024 7167 3.00 MiB proinfo
[2020-06-23 12:47:58.600018] 2 7168 17407 5.00 MiB nvram
[2020-06-23 12:47:58.621133] 3 17408 37887 10.00 MiB protect1
[2020-06-23 12:47:58.629613] 4 37888 58367 10.00 MiB protect2
[2020-06-23 12:47:58.642478] 5 58368 58879 256.00 KiB seccfg
[2020-06-23 12:47:58.656863] 6 58880 59879 500.00 KiB lk
[2020-06-23 12:47:58.665863] 7 59880 92415 15.89 MiB boot_x
[2020-06-23 12:47:58.674533] 8 92416 125183 16.00 MiB recovery_x
[2020-06-23 12:47:58.686749] 9 125184 137471 6.00 MiB secro
[2020-06-23 12:47:58.713124] 10 137472 138495 512.00 KiB para
[2020-06-23 12:47:58.726349] 11 138496 154879 8.00 MiB logo
[2020-06-23 12:47:58.738046] 12 154880 175359 10.00 MiB expdb
[2020-06-23 12:47:58.764317] 13 175360 177407 1024.00 KiB frp
[2020-06-23 12:47:58.777031] 14 177408 187647 5.00 MiB tee1
[2020-06-23 12:47:58.793473] 15 187648 197887 5.00 MiB tee2
[2020-06-23 12:47:58.805405] 16 197888 278527 39.38 MiB metadata
[2020-06-23 12:47:58.813721] 17 278528 280575 1024.00 KiB kb
[2020-06-23 12:47:58.823369] 18 280576 282623 1024.00 KiB dkb
[2020-06-23 12:47:58.836732] 19 282624 3588671 1.58 GiB system
[2020-06-23 12:47:58.855238] 20 3588672 4457023 424.00 MiB cache
[2020-06-23 12:47:58.868765] 21 4457024 4458047 512.00 KiB MISC
[2020-06-23 12:47:58.895499] 22 4458048 4490815 16.00 MiB persisbackup
[2020-06-23 12:47:58.905577] 23 4490816 4499455 4.22 MiB PMT
[2020-06-23 12:47:58.913732] 24 4499456 30325759 12.31 GiB userdata
[2020-06-23 12:47:58.925229] 25 30325760 30551039 110.00 MiB boot
[2020-06-23 12:47:58.944759] 26 30551040 30776319 110.00 MiB recovery
[2020-06-23 12:47:59.460926]
[2020-06-23 12:47:59.466811] Writing primary GPT (part 2) to gpt-G000KW0463310950/gpt.bin.step2.gpt
[2020-06-23 12:47:59.594491] Writing backup GPT (part 2) to gpt-G000KW0463310950/gpt.bin.step2.bak
Flashing temp GPT
239 KB/s (17408 bytes in 0.070s)
34+0 records in
34+0 records out
17408 bytes transferred in 0.001 secs (17408000 bytes/sec)
Preparing for Factory Reset
Rebooting into Recovery
[email protected]:~/Downloads/amonet-giza-t2/amonet$
This seemed to run OK; the device rebooted and did a factory reset. I then ran Step-2. The output is below:
Code:
[email protected]:~/Downloads/amonet-giza-t2/amonet$ sudo ./step-2.sh
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
Looking for partition-suffix
lrwxrwxrwx root root 2020-06-23 11:48 recovery_tmp -> /dev/block/mmcblk0p26
Flashing exploit
57 KB/s (4096 bytes in 0.069s)
3563 KB/s (492132 bytes in 0.134s)
8+0 records in
8+0 records out
4096 bytes transferred in 0.001 secs (4096000 bytes/sec)
961+1 records in
961+1 records out
492132 bytes transferred in 0.035 secs (14060914 bytes/sec)
8+0 records in
8+0 records out
4096 bytes transferred in 0.002 secs (2048000 bytes/sec)
961+1 records in
961+1 records out
492132 bytes transferred in 0.034 secs (14474470 bytes/sec)
Flashing LK
3589 KB/s (487392 bytes in 0.132s)
951+1 records in
951+1 records out
487392 bytes transferred in 0.040 secs (12184800 bytes/sec)
Flashing TZ
3689 KB/s (3307008 bytes in 0.875s)
6459+0 records in
6459+0 records out
3307008 bytes transferred in 0.270 secs (12248177 bytes/sec)
6459+0 records in
6459+0 records out
3307008 bytes transferred in 0.325 secs (10175409 bytes/sec)
Flashing Preloader
44 KB/s (2048 bytes in 0.044s)
44 KB/s (2048 bytes in 0.044s)
1706 KB/s (138924 bytes in 0.079s)
4+0 records in
4+0 records out
2048 bytes transferred in 0.056 secs (36571 bytes/sec)
4+0 records in
4+0 records out
2048 bytes transferred in 0.059 secs (34711 bytes/sec)
271+1 records in
271+1 records out
138924 bytes transferred in 0.067 secs (2073492 bytes/sec)
271+1 records in
271+1 records out
138924 bytes transferred in 0.018 secs (7718000 bytes/sec)
Flashing final GPT
350 KB/s (17408 bytes in 0.048s)
34+0 records in
34+0 records out
17408 bytes transferred in 0.002 secs (8704000 bytes/sec)
Flashing final GPT (backup)
335 KB/s (16896 bytes in 0.049s)
33+0 records in
33+0 records out
16896 bytes transferred in 0.002 secs (8448000 bytes/sec)
Flashing TWRP
3565 KB/s (13512704 bytes in 3.701s)
26392+0 records in
26392+0 records out
13512704 bytes transferred in 1.596 secs (8466606 bytes/sec)
Rebooting into TWRP
[email protected]:~/Downloads/amonet-giza-t2/amonet$
Unfortunately, after rebooting the device got stuck on the white Amazon logo. I attempted to recover using the original debrick method for douglas (a reworking of the original karnak unlock method) modified for giza: see here (https://forum.xda-developers.com/showpost.php?p=78853205&postcount=1) However the bottom write method fell over; the device failed a gpt check:
Code:
[email protected]:/media/x/SD Card/Giza-Restore/amonet$ sudo ./bootrom-step.sh
[2020-06-23 15:30:19.049767] Waiting for bootrom
[2020-06-23 15:30:33.527575] Found port = /dev/ttyACM0
[2020-06-23 15:30:33.542589] Handshake
[2020-06-23 15:30:33.581694] Disable watchdog
* * * Remove the short and press Enter * * *
[2020-06-23 15:30:35.884990] Init crypto engine
[2020-06-23 15:30:36.034842] Disable caches
[2020-06-23 15:30:36.044648] Disable bootrom range checks
[2020-06-23 15:30:36.161904] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2020-06-23 15:30:36.205440] Send payload
[2020-06-23 15:30:40.773015] Let's rock
[2020-06-23 15:30:40.788256] Wait for the payload to come online...
[2020-06-23 15:30:41.517972] all good
[2020-06-23 15:30:41.527461] Check GPT
[2020-06-23 15:30:41.888837] gpt_parsed = {'tee1': (177408, 10240), 'boot_x': (59880, 32536), 'nvram': (7168, 10240), 'frp': (175360, 2048), 'metadata': (197888, 80640), 'protect1': (17408, 20480), 'protect2': (37888, 20480), 'logo': (138496, 16384), 'tee2': (187648, 10240), 'secro': (125184, 12288), 'expdb': (154880, 20480), 'seccfg': (58368, 512), 'proinfo': (1024, 6144), 'lk': (58880, 1000), 'recovery_x': (92416, 32768), 'para': (137472, 1024)}
Traceback (most recent call last):
File "main.py", line 123, in <module>
main()
File "main.py", line 69, in main
raise RuntimeError("bad gpt")
RuntimeError: bad gpt
[email protected]:/media/x/SD Card/Giza-Restore/amonet$
Is there anything I can do to restore this tablet?
Looks like the device now has 'boot_x' and 'recovery_x' partitions but no boot or recovery. I can get bootrom working (by modifying 'main.py') but can't get into fastboot. Is it possible to rename the '_x' partitions directly through bootrom? Or is there another clever way?