Database Users

[Devs Needed]Behold 2/II Updated Information for Root/ROMS

I have mine rooted, there is something very interesting about the way Samsung did this. This phone has like 20 different partitionssee below, however I think I know how the phone is able to restore root and the recovery after boot. These 20 partitions include copies of each other. For example if you do su on terminal emulator and then you type "cat /proc/partitions" it will list all the partitions. Notice how some partitions have different labels but are the same size. These are the respective back ups(i think). The only partition that I know is "stl9" or "st9" is the system.
I tried flash_image recovery and said it wasn't a recognized partition as the BH2 also does not have mtd. cat /proc/mtd produces nothing. Hope this helps.
Oh 1 last thing it seems I may have found an exploit with the device management.apk. It has the option to run a bootloader/bootstrap test, could this be exploited to install customer recovery? Its just a thought...
Can someone with root, compile busybox for install on the Behold 2. I am sorry I only have Windows 7.
Terminal Output:
See the areas highlighted in BOLD. The G1 has half the number of partitions and mtd has output.
$ export PATH=/data/local/bin:$PATH
$ su
# cat proc/partitions
major minor #blocks name
137 0 513024 bml0/c
137 1 2048 bml1
137 2 512 bml2
137 3 512 bml3
137 4 1024 bml4
137 5 23040 bml5
137 6 6144 bml6
137 7 23040 bml7
137 8 6144 bml8
137 9 226304 bml9
137 10 8192 bml10
137 11 512 bml11
137 12 40960 bml12
137 13 1024 bml13
137 14 173568 bml14
138 9 210432 stl9
138 12 25088 stl12
138 14 157696 stl14
179 0 1982464 mmcblk0
179 1 1982338 mmcblk0p1
#
Click to expand...
Click to collapse

Samsung is doing their best to screw us here aren't they?
I have an ubuntu partition, but it will be a bit before I can compile. I'm writing up guides to overhaul the current UI.

having trouble with adb in ubuntu. I'll retry tomorrow, but this could take a while. Probably best for someone else to take this one on.

What's the output for 'mount'?

I posted this on alldroid.org today ,,, samsung seem to have used some of its bada OS and or UI in the behold 2 ,.,,.,. I was wondering if someone could download their SDK and see what they can find out ,.,,., maybe it could help us with ROOT .,.,....,.,
SDK link http://developer.bada.com/apis/docs/commonpage.do?menu=MC01040000&mtb1=&mtb2=
''Re: Important Behold 2 Discovery / 1st step to Custom Roms
They are similar but for that method you need 'new PcStudio', which does not recognize the behold 2,.,..,.,.,
BTW the galaxy (( samsung i7500 )) is almost the same as the behold 2 ,,,, same hardware but the behold 2 has a lot more memory ,.,,..
http://androidforums.com/samsung-i7500/ ... rom-s.html
one interesting thing i did find this weekend while doing some research was that (I think ) samsung has implemented some of its BADA Os on the behold 2 look at the video and let me know what you think
http://www.gsmarena.com/samsung_finally ... s-1311.php ''''
PS:;: (thanks to yatimameiji) this was just found and hopefully it can help you look in the right place '''''To get the recovery menu ,.,,.,. when you do vol. down+call button+power and the triangle comes up .,. then do home + power ., recovery menu,''''''' I got it up but cant select anything and there's the e:can;t open cache and some others

Finally some posts back. I thought no one was going to respond and I was going to delete this thread. So this is great news that we can now enter recovery mode. Also I know whats plauging the device with the battery issue. It seems the phone is reading the battery as 1440 mah and the battery is tagged 1500mah. This can be confirmed by using BetterCut and adding the shortcut Battery read.

dan0zone said:
I posted this on alldroid.org today ,,, samsung seem to have used some of its bada OS and or UI in the behold 2 ,.,,.,. I was wondering if someone could download their SDK and see what they can find out ,.,,., maybe it could help us with ROOT .,.,....,.,
SDK link http://developer.bada.com/apis/docs/commonpage.do?menu=MC01040000&mtb1=&mtb2=
Click to expand...
Click to collapse
It seems so close to the Android Developer Site. Did AOSP give some code to Samsung as a base?

I believe so ,I remember reading that it was going to be like the OPhone project , but samsung wants to use this like they use touchwiz on all their touch screen phones ,.,..,.,

ok so i was playing around with my samsung behold2 today, all i found was recovery mode (voldown+call+power) and fastboot (dpadleft+power). im currently installing the android sdk as we speak, after that will play around with this a bit more.

We had a good look at this over at androidforums (behold and galaxy sub forums).
It seems they are using some secure bootloader, and those other partitions (which almost corespond in size) seem to be the original partition in a security container.
I had assumed that on boot if the main partition is modified it would simply reflash it. However we have now been able to 'persistant root' the phone. (check in the behold section on androidforums). We hijack the playlogo file, and insert the shell commands to execute the exploit executable on every boot. This happens after init.rc so making custom roms is going to be a bit of a headache.
Whats strange tho is why it doesnt recognise the system partition was changed when we mod playlogo. Perhaps it just wipes the bin and xbin directories and reextracts them. That would make life alot easier.
I was going to sell my galaxy and switch to a behold, but I couldnt find one cheap enough. So i've stopped looking at all this now.
Hope that helps anyway.

well we have made some head way ..,,.,., we can now flash between builds for the behold2 via ODIN_flasher . For now we have two builds an older build and the one shipped with the phone .,.,.,. so what i think we need is a way to edit the .tar files within the flasher but keep the partition structure that samsung has in_place .,,,. What i have notice is that if you connect to ddms , and go to the system info tab or allocation tracker , you will see that samsung has renamed every thing as a kernel, even the browser .,.,., if we get our hands on sammy's build environment maybe we can make sense of their madness,.,.,..

Odin isnt actually anything new. We've been using it with the galaxy for a while now.
The phones' bootloader contains a download mode, which also forwards to the AMSS's OEMBL in download mode. Odin simply forwards the files to this bootloader without doing anything clever. This is why you can take ANY update from NPS and apply it using odin as is.
We have tried flashing galaxy partitions onto the behold, but as i said in an earlier post there is a secure bootloader and it simply rejects the images.
I havnt downloaded this H6 leaked behold image, but it probably just contains yafs images, probably in a security container. You could unyaffs them, modify and yaffs them up again. Just modifying them is trivial. I'm pretty sure that the bootloader will just reject any modified images tho. Sorry but I don't think this is going to get you anywhere.
On a security unlocked phone like the galaxy we just edit the system or recovery images and flash them back using Odin. Similarly fastboot can also do it. On the behold however i'm pretty sure it wont accept anything that isnt signed.
The only interesting thing to try would be to try to flash the galaxy bootloader onto the behold using odin. We have both the arm9 and arm11 bootloaders if you'd like to try. This is VERY VERY VERY risky and in all likelyhood will brick your phone. But if it works you should be able to manage partitions simply like with the galaxy.
The very first thing you guys should look at is to compare the system image of the galaxy and the behold. Check if there is a security container around the behold one or not. If there is, attempt to exploit it (change length fields, change offsets, create oversized image - the usual stuff).
I think there are only 2 routes to acheive what you want:
- quick route
Use a userland exploit, like the current root. Then use the persisitant root idea to run a script which modified your filesystem on boot - possibly extracting a custom rom from the sdcard onto the system partition.
- Slow route
Try to find a flaw in the secure bootloader, or some other exploit to allow you to flash a modified bootloader.
You're idea of just editing the firmware files directly is really unlikely to work.

Thanks for your input Kam ..well it just a thought , I knew the signing would of been the issue ( same as with the G1 roms and themes ) .,.,., I know someone will figure it out .,.,.. I would love to help with getting this going , but I work 14 hour days ,., I should get a second behold2 soon so I can use one for testing ,,, well till i brick it .........
I'm gonna browse some of the galaxy forums to see how they doing it ,., I """think""" the galaxy is closer to stock android than the behold2 is .,.
BTW , H6 image you talking about , is that one posted by sammydroid ? because he also has a J6 image , H6 is older .

Yeah thats the one. I have a galaxy, and not a behold so my interest in this is kinda limited. I only really got into it because i was going to switch to the behold.
Personally I think you guys are better off just using the persistant root to modify the OS after boot for now.

Samsung Source Code
Does this help at all?
http://opensource.samsungmobile.com/download/OpenSource/SGH-T939_OpenSource.zip
Appears to be the build source for the existing rom. Don't have access to a *nix box to dig into it right now...

Here's the tutorial to install busybox for behold 2.
http://www.myhangoutonline.com/2010/01/08/install-busybox-on-behold-ii/

kam187 said:
Odin isnt actually anything new. We've been using it with the galaxy for a while now.
The phones' bootloader contains a download mode, which also forwards to the AMSS's OEMBL in download mode. Odin simply forwards the files to this bootloader without doing anything clever. This is why you can take ANY update from NPS and apply it using odin as is.
We have tried flashing galaxy partitions onto the behold, but as i said in an earlier post there is a secure bootloader and it simply rejects the images.
I havnt downloaded this H6 leaked behold image, but it probably just contains yafs images, probably in a security container. You could unyaffs them, modify and yaffs them up again. Just modifying them is trivial. I'm pretty sure that the bootloader will just reject any modified images tho. Sorry but I don't think this is going to get you anywhere.
On a security unlocked phone like the galaxy we just edit the system or recovery images and flash them back using Odin. Similarly fastboot can also do it. On the behold however i'm pretty sure it wont accept anything that isnt signed.
The only interesting thing to try would be to try to flash the galaxy bootloader onto the behold using odin. We have both the arm9 and arm11 bootloaders if you'd like to try. This is VERY VERY VERY risky and in all likelyhood will brick your phone. But if it works you should be able to manage partitions simply like with the galaxy.
The very first thing you guys should look at is to compare the system image of the galaxy and the behold. Check if there is a security container around the behold one or not. If there is, attempt to exploit it (change length fields, change offsets, create oversized image - the usual stuff).
I think there are only 2 routes to acheive what you want:
- quick route
Use a userland exploit, like the current root. Then use the persisitant root idea to run a script which modified your filesystem on boot - possibly extracting a custom rom from the sdcard onto the system partition.
- Slow route
Try to find a flaw in the secure bootloader, or some other exploit to allow you to flash a modified bootloader.
You're idea of just editing the firmware files directly is really unlikely to work.
Click to expand...
Click to collapse
Have a second unit on hand now (for about a week) so bricking isn't a concern and can/will try these options... but need guidance. can jump on irc for assistance... anyone interested? The above seems totally possible.... but out of my league without help.

Thanks to MobileBand we had some succees Managed to get the galaxy system onto the behold. Force close problem at the moment but stay tuned.
PS. its fastttttttttttttttttttt

Let me publicly state that kam187 ROCKS! Kudos on the work last night!
Behold owners; start getting hyped... this is the break we've been looking for!

love the work
love you guys work man i have 140mb free on my behold 2 thats with out task manager its blazin fast but always wanted to do something differnent with it can you pleaseeeeeeeeeeee lol ( : ) : post a rom and turt

[recovery-app] Partition scanner (mainly for emmc bricks)

Hi emmc bricked folks,
this is a emmc partition scanner which is mainly usable for emmc bricked phones (only Samsung?).
It's a companion software for my xda thread: "PIT file method to revive your phone from a MMC_CAP_ERASE brick".
The tools are started via "install zip" from a recovery.
emmc_scan_all_partitions_once.zip
emmc_scan_all_partitions_infinitely.zip
these allow fast scanning of all blocks of all emmc partitions in 1MiB steps.
The main purpose is to access each emmc block to find any bricked block in the partitions after repartitioning.
The "infinitely" variant runs checks infinitely, which may help to find emmc brick effects which only occur sporadically (if such effect really exists). Run this as long as you want. Reboot to finish.
If this freezes the last partition shown may have a bricked block inside.
emmc_find_brick_start.zip
emmc_find_brick_end.zip
these scan the whole emmc device.
emmc_find_brick_start starts scanning from the beginning of the device upward.
emmc_find_brick_end searches the end of the device and then scans downward.
If this runs up to the end or down to zero (showing a message with "completed --> OK"), no bricked block was found.
If it freezes, the block shown last with "..." at end of line is the first bricked block in that direction.
The line before with "-> ok" is the first usable block before/after the brick.
The tools above only read bytes from the emmc block devices, so it generally shouldn't harm anything.
Don't worry about the term "flash", because it doesn't really flash, it's only using the update mechanism of the recovery (edify scripting).
This is called fake flashing.
emmc_scan_write.zip
this is a very experimental scanner.
It is for experiments on phones, which have no obvious bad blocks in the partitions (scanned by scan_all_partitions_infintely without freeze) but still freeze randomly (without having problems with apps etc.).
It continuously creates a file of 10MB and deletes it after that.
The theory behind that:
* the wear leveler will assign different blocks each time the file is created
* the wear leveler may get a problem when assigning blocks to the file
* then it will freeze
* hopefully, if the file isn't deleted it will claim the bricked block(s), so they are not assigned again
* this will allow to isolate the blocks
* to keep those files containing bricked blocks, they are placed on the internal sd
note: the running counter is the amount written yet. It is not related to the partition size.
important:
The internal sd is determined by an environment variable EXTERNAL_STORAGE.
Despite it's name it should be the *internal* sd, instead SECONDARY_STORAGE contains the external sd.
I hope, this applies to all android OSes...please report if not.
For now you shouldn't use the tool, until you checked this:
adb shell set
If EXTERNAL_STORAGE isn't your *internal* sd, the tool will not help, because it writes on the external sd.
Some users wonder why it works so fast.
That's because it doesn't read each and every byte (like dd command or the "emmc brickbug check" app) but instead jumps in reasonable steps and in each step reads only the first byte of the chunk.
I think, reading each byte is not needed, because the flash memory is always used blockwise and the wear leveler (which has the bug) is working on the block level not the byte level. So a bricked block should always affect each byte in this block, which means reading one byte should be enough.
I choose steps of 1MiB (1024x1024 bytes), mainly because it's like parted etc., but unfortunately 1MB (1000x1000) doesn't work well so I was forced to use the MiB steps and calculated the other (currently rounded). May be the internal wear leveler block size is smaller (e.g. 256kiB = 256x1024 bytes), but it seems that the affected block area is always bigger than 1MiB. But I may rethink this decision...
when it's running slow
The scan method is very fast, I think the complete scan of the internal emmc should be done in under a minute, add several minutes for the external sd if scanning all partitions.
That said, if you get much slower performance, you probably hit an emmc bricked block. It seems the emmc brick can show up in two ways, either completely freezing the device or returning an error after a timeout which slows down the scan process significantly.
The word "FREEZE" in the descriptions above should be replaced by "freeze or slowdown".
So if it slows down, note the numbers at this point, like if the emmc freezes.
It's possible to use the scanner manually in adb (also from a terminal in the gui).
Extract file emmc-scan from one of the zips, put somewhere (=PATHTOSCANNER).
Eventually use
Code:
chmod 555 PATHTOSCANNER/emmc-scan
to make it executable (depend on how you extract it).
usage for find-brick-start:
Code:
PATHTOSCANNER/emmc-scan -p -f MMCBLOCKDEVICE
usage for find-brick-end:
Code:
PATHTOSCANNER/emmc-scan -p -b MMCBLOCKDEVICE
with e.g. MMCBLOCKDEVICE = /dev/block/mmcblk0 for N7000, etc.
example session:
Code:
unzip 120824-221256-emmc_find_brick_end.zip emmc-scan
adb root
adb push emmc-scan /cache/
adb shell chmod 555 /cache/emmc-scan
adb shell /cache/emmc-scan -p -f /dev/block/mmcblk0
to scan all partitions of all flash memory devices automatically (using my algorithm to find the flash devices) simply use:
Code:
adb shell /cache/emmc-scan
for usage description use:
Code:
adb shell /cache/emmc-scan -H
which outputs something like this:
Code:
usage:
emmc-scan [-f | -b] [-a] [-p] [DEVICE | PARTITION]
emmc-scan -w [-a] [-p] DIRECTORY
emmc-scan -H
operations:
-f forward, scan from begin to end of device
-b backward, scan from end to begin of device
-w write to writable partitions (fill with small files)
targets
-a scan all partitions
DEVICE device to be scanned (e.g. /dev/block/mmcblk0 )
PARTITION partition to be scanned (e.g. /dev/block/mmcblk0p10 )
DIRECTORY directory to be filled with files (e.g. /data, /sdcard )
other:
-p print position while scanning
-c print CR after position
-H output this help text
comments:
- scanning/writing is done in 0 byte steps (0 MiB)
- multiple devices/partitions/-a can be given with different options
- devices are scanned with all options given before
examples:
emmc-scan -b mmcblk0p10
scan /dev/block/mmcblk0p10 backward
emmc-scan -f -a -b /dev/block/mmcblk0
scan all partitions forward and mmcblk0 backward
To use the scanner with a terminal app in the android gui,
you ommit "adb shell",
so the example session would look like this:
Code:
chmod 555 /cache/emmc-scan
/cache/emmc-scan -p -f /dev/block/mmcblk0
There were several problems to be solved, mainly:
* seek, setpos functions not working for big partitions (only 4 byte numbers)
* dd command with skip= also not working for big partitions
* finding the emmc device(s)
* finding all emmc partitions to be scanned
* finding the end of a partition without working seek/setpos and without touching a block
* showing live outputs from the program in recovery (unfortunately doesn't work with \r)
the zips are now signed (but see "known bugs" section below).
currently tested on:
* Samsung Galaxy Note N7000
please report if it works for your phone model (e.g. finds the correct partitions) if it's not on the compatibility list.
known bugs:
* the signed zips may not work with stock recovery (1 report but no reports after changing the signing method)
Disclaimer: of course I cannot give any guaranties.
Please don't copy or link directly to an attachment. Link to the whole thread instead.
I will probably update this first post and the attachments frequently, at least until all calms down.

hg42 said:
Hi emmc bricked folks (and perhaps others),
I just created a emmc partition scanner which is mainly usable for emmc bricked phones (only Samsung?).
It is started via install zip from recovery.
It allows fast scanning of blocks in 1MiB steps of all emmc partitions.
The main purpose is to access each emmc block to find any bricked partition after repartitioning.
There were several problems to be solved.
Mainly
* seek, setpos functions not working for big partitions (only 4 byte numbers)
* dd command with skip= also not working for big partitions
* showing live outputs from the program in recovery
* finding all emmc partitions to be scanned
Please report, if it works for each unreported phone model. I will add a compatibility list and try to fix incompatibilities.
currently tested on:
* Samsung Galaxy Note N7000
Click to expand...
Click to collapse
Thank you for the post,
I need to try...
However, is it okay to flash this with STOCK ICS ROM?

tannykim said:
Thank you for the post,
I need to try...
However, is it okay to flash this with STOCK ICS ROM?
Click to expand...
Click to collapse
yes, this software only reads, so generally cannot harm.
It doesn't really flash, it's only using the update mechanism of the recovery (scripting).

hg42 said:
yes, this software only reads, so generally cannot harm.
It doesn't really flash, it's only using the update mechanism of the recovery (scripting).
Click to expand...
Click to collapse
Please let me know if I am wrong.
I think I can only run signature confirmed flash with STOCK ROM.
Could you please confirm I can flash this with STOCK KERNEL [3.0.15-N7000XXLPY-CL474507] ?

please i neeed a good help whene its ok with custom partition but after flashing stock pit i have a good black screen i cant access to nothing either with jig

nice work will try.Thanks

tannykim said:
Please let me know if I am wrong.
I think I can only run signature confirmed flash with STOCK ROM.
Could you please confirm I can flash this with STOCK KERNEL [3.0.15-N7000XXLPY-CL474507] ?
Click to expand...
Click to collapse
this might be, I am using custom ROMs all the time (mostly cm9).
But anyway, it's better to flash a custom kernel in these times (emmc brick is waiting).

tannykim said:
Please let me know if I am wrong.
I think I can only run signature confirmed flash with STOCK ROM.
Could you please confirm I can flash this with STOCK KERNEL [3.0.15-N7000XXLPY-CL474507] ?
Click to expand...
Click to collapse
hg42 said:
this might be, I am using custom ROMs all the time (mostly cm9).
But anyway, it's better to flash a custom kernel in these times (emmc brick is waiting).
Click to expand...
Click to collapse
Hi hg42, I'm on S2, but I think your work is great for all user that have bricked their devices, so any question: there is a cwm.zip for note (a temporary CWM flashable from the stock recovery like on S2)? If yes this can answer the question of tannykim.
Thank you
Mario
Inviato dal mio Galaxy S2 con Tapatalk2®
XWLPF Stock
Siyah 4.1 beta 6
Jkay V14.1

Mario1968 said:
there is a cwm.zip for note (a temporary CWM flashable from the stock recovery like on S2)? If yes this can answer the question of tannykim.
Click to expand...
Click to collapse
yes, you are right, I didn't think of it.
So he can flash cwm.zip and from cwm flash the scanner
But again I would not stay on stock ics kernel.
Too much danger to brick again.
Btw, this cwm.zip together with the stock ics kernel will cause the brick if wiping.
Newer cm recoveries and I think current chainfire's versions don't brick with the dangerous stock ics kernel.

hg42 said:
yes, you are right, I didn't think of it.
So he can flash cwm.zip and from cwm flash the scanner
But again I would not stay on stock ics kernel.
Too much danger to brick again.
Btw, this cwm.zip together with the stock ics kernel will cause the brick if wiping.
Newer cm recoveries and I think current chainfire's versions don't brick with the dangerous stock ics kernel.
Click to expand...
Click to collapse
I do not want to stay on stock but if I do not try anything [root... Custom OS...] There will be no further issue with STOCK...
I do want to have Rocket ROM but there is no way I can get Odin file for Custom ROM. After PIT change Odin installation is more efficient from my experiences. I tried to start with GB then Root and Wipe then Flash Custom ROM in recovery, but it is not stable after these process.
I am not expert so I need someone who have better experiences and knowledge on this.......
As I already posted on PIT post, I tried more than 50 times and I found most stable method, which is
1. Odin Flashing PIT file.
2. Odin Flashing CM9 safe kernel.
3. Boot in recovery Wipe everything / format everything
4. Odin Flashing Stock ICS ROM.
I can not use my Note same as before the Bricked...[No more many apps/No more multitasking....]
However I did not have any freeze and force to restart...

Dear hg42,
As tannykim said, I don't know what is happening with may Note too, it do exactly that same as his SGN !!!!!!!!!
Now I'm able to locate the bad blocks .. and I'm surly out of these blocks in my eMMC structure now. I did everything to make sure that FACTORYFS, DATAFS, and UMS partitions are in clear blocks, even though, random restarts, freezing, and hanging all the time.
Note: RECOVERY, CACHE, and KERNEL are also in clear blocks (after running the Partition Scanner app).
I also did a check that certainly made me sure that the I'm in a clear area in UMS. I mounted my SGN in the PC after flashing a ROM, then I copied to/from anything in the UMS partition till its full (more than a time) and it works like a charm, with no hangs at all. That made me certain that these blocks are OK. Even though, it hangs!!!!!. In addition I did the following checks:
Run the Partition Scanner app and shows no errors at all.
Did the DD command scan method, and shows no errors in all partitions (from forest1971 post)
Did the e2fsck check method, and shows no errors (from forest1971 post)
I can wipe all partitions in Recovery without any errors or hangs at all
I can install all types of roms without errors, no hangs in FACTORYFS image in odin at all
Now I'm about to go mad, everything is fine, I'm out of bad blocks, even though; freezing all the time and Force Close !!!!!!!!!!!!!!! WHY??
I noticed also that ICS stock ROM installed without the Lock Screen, strange!!!
Is there any explanation of what my phone is doing?
Thanks a lot for your efforts hg42, you rock
Mohamed

tannykim said:
I do not want to stay on stock
...
I do want to have Rocket ROM but there is no way I can get Odin file for Custom ROM.
Click to expand...
Click to collapse
ok
After PIT change Odin installation is more efficient from my experiences.
Click to expand...
Click to collapse
but there should be absolutely no difference.
Either you have other problems or the emmc brick behaves different in your case.
I can imagine, that a problem like the emmc brick, which is to be located in the wear leveler could produce any kind of errors.
It may just like a faulty memory.
I remember when reviving my phone, the start offset of the bricked blocks was higher first and then moved some 100 MB.
So my very first attempt didn't work, because some good blocks changed to bad blocks, so factoryfs freezed again.
Perhaps you may scan multiple times (the more the better in this case) to be sure it works reliably...
I tried to start with GB then Root and Wipe then Flash Custom ROM in recovery, but it is not stable after these process.
Click to expand...
Click to collapse
what is unstable then?
1. Odin Flashing PIT file.
2. Odin Flashing CM9 safe kernel.
3. Boot in recovery Wipe everything / format everything
4. Odin Flashing Stock ICS ROM.
I can not use my Note same as before the Bricked...[No more many apps/No more multitasking....]
However I did not have any freeze and force to restart...
Click to expand...
Click to collapse
this shouldn't be like this. E.g. the data partition has the same size afterwards, so the maximum count of apps should be the same.
What do you mean with "no multitasking"? You cannot switch between apps or such?
With absolutely *no* multitasking the OS wouldn't work.
What happens if you install cm9 (stable) in step 4?
Btw. do you do all these tests with a clean new system without any bloat? Or do you restore apps e.g. via Titanium backup?

what is unstable then?
- It keep freeze and randomly shut down
this shouldn't be like this. E.g. the data partition has the same size afterwards, so the maximum count of apps should be the same.
What do you mean with "no multitasking"? You cannot switch between apps or such? -If I want to switch between apps. Note get freeze step and do not do anything even screen stop.-
With absolutely *no* multitasking the OS wouldn't work.
What happens if you install cm9 (stable) in step 4? -I will try to flash the Rocket Rom V10 since your OP state Odin flash is best way to install the ROM I followed your OP. However, I will try and report that.-
Btw. do you do all these tests with a clean new system without any bloat? Or do you restore apps e.g. via Titanium backup?[/QUOTE]
-I did all these tests with a clean new system without any bloat. I am not sure what bloat you means but I did not have any backup since I lost all my data from the first bricked situations HaHa-

I updated the thread starter:
* added brick finder (start and end)
* added infinite variant of scanner
* some minor cleanups and improvements
* the files now start with date and time in YYYYMMDD-HHMMSS format

tannykim said:
It keep freeze and randomly shut down
Click to expand...
Click to collapse
you may try the new indefinite scanner, may be it finds a bricked block after many iterations.
The speculative theory behind that assumes the wear leveler which assigns free blocks to a write request may sometime assign a bricked block.
This would then result in random freezes (which usually reboot the phone after many seconds, if you wait patiently).

signed zips (hopefully)
update:
the zips should now be signed.
Those with stock recovery, please report failure and success.
EDIT: someone reported the zips still don't work with stock recovery.
I assume I have to dig deeper into the signing

sry for my bad english
when i use emmc_find_brick_start.zip , it's process Stop on 834MB
when i use emmc_find_brick_end.zip , it's Stop on 3064 MB
i use ( Q1_20110914_16GB-patched-regain-1126400-kB.pit ) pit file
any better pit file for me?

biostar said:
sry for my bad english
when i use emmc_find_brick_start.zip , it's process Stop on 834MB
when i use emmc_find_brick_end.zip , it's Stop on 3064 MB
i use ( Q1_20110914_16GB-patched-regain-1126400-kB.pit ) pit file
any better pit file for me?
Click to expand...
Click to collapse
note, this is a general android thread.
I'll answer in the PIT thread instead.

signed with testsign
I updated the emmc scanner tools with another signing method applied.
Hope this works now on stock recoveries...please report success or failure

hg42 said:
I updated the emmc scanner tools with another signing method applied.
Hope this works now on stock recoveries...please report success or failure
Click to expand...
Click to collapse
Hello hg42,
I have just flashed back a stock ICS recovery to test the signature verification, but unfortunately it failed with the standard message:
Code:
E:signature verification failed
Please, let me know if you need more tests.
Best regards,
aDEO

Nexus 7 3G RADIO ISSUE

I am sorry for opening this thread.
After 2 days of waiting, it seems that the 3G forum section is useless in terms of helping the ones in need.
My issue: after i updated via OTA, the tablet, the 3G stopped working, the OTA corrupted the radio partition, and now it seems that my tablet is on first baseband (a backup radio it seems) released with the device which has some issues (wifi signal very crappy)
In fastboot the baseband appears N/A
My request, if someone knows, on which emmc partition is stored the radio i would be very grateful.
Also a dump of that partition would help also.
I cannot flash the radio via fastboot
apia-1231_0.17.0_1205.img
sending 'radio' (16384 KB)...
OKAY [ 2.001s]
writing 'radio'...
FAILED (remote: (BadParameter))
finished. total time: 2.018s
Also trying to dump the partition on the usual mount point results this
dd if=/dev/block/platform/sdhci-tegra.3/by-name/RDO of=/sdcard/RDO.img
/dev/block/platform/sdhci-tegra.3/by-name/RDO: cannot open for read: No such file or directory
In theory i should be able to restore by using the dd on the emmc partitions, but i don`t know which one it is.
ls /dev/block/mmcblk*
ls /dev/block/mmcblk*
/dev/block/mmcblk0 TO BIG
/dev/block/mmcblk0boot0 2.048KB (bootloader)
/dev/block/mmcblk0boot1 2.048KB (bootloader backup)
/dev/block/mmcblk0p1 12.288KB (boot or recovery)
/dev/block/mmcblk0p2 8.192 KB
/dev/block/mmcblk0p3 TO BIG
/dev/block/mmcblk0p4 TO BIG
/dev/block/mmcblk0p5 512KB
/dev/block/mmcblk0p6 10.240KB (boot or recovery)
/dev/block/mmcblk0p7 5.120KB
/dev/block/mmcblk0p8 512KB
/dev/block/mmcblk0p9 TO BIG
In my first look this is what i found, if someone can assist me with this, there are multiple users with this issue, so also others at some moment will be grateful if we fix this.
1) On which partition is the radio stored
2) Can someone dump that partition using dd ?
Again, sorry for creating this post, i don`t usually do things like this (old user, know how the things work around here), but i am a little bit desperate.
Managed to fix partially the issue.
In bootloader the Baseband still appears as N/A
What I did.
1) Mounted radio-tilapia-1231_0.18.0_0409.img
2) Copied the radio_update.zip
3) Rebooted the Tablet in RECOVERY
4) Presse Power Key and Volume Key Plus (first power key, while you keep the power pressed, press the volume key for 2 seconds, release)
5) Select "Apply Update From ADB"
6) Issue the command "adb sideload radio_update.zip
7) Wait till the update goes to end,, and select Reboot system now.
Now when you check in Settings/About Tablet/Baseband, you should have the Baseband which you applied via adb
For those in need, here is the radio_update.zip
http://globula.arctablet.com/Nexus7/radio_update.zip
Still the question remains open, HO KNOWS WHAT PARTITION IS THE ONE FROM THE RADIO ?

Hello
I have exactly the same issue reported by globula neagra.
In my case the issue started just after Nexus came back from Asus repair center with the motherboard replaced. .
As the radio cannot be flashed, the ota procedure fails.
Any idea how to recover the radio partition in order to flash the correct radio image file?
Regards.

My N7 2012 has the same symptoms (Baseband N/A in fastboot) after getting it back from Asus a couple of weeks ago. I believe they replaced the motherboard of my N7 if that matters. I was able to adb sideload the radio from 4.3 then fastboot all factory images from the latest update and then relock. Not sure if I should send it back since it will not install otas on its own, and I will have to adb sideload the radio every update. Thanks op for the info on adb radio update.
Sent from my Nexus 7 using xda app-developers app

My Nexus 7 2012 has the same problem. I could not update OTA and also fastboot update fails, because of Baseband N/A. Now I'm on 4.3 but with old Baseband. I didn't update it, because looks like everything is running.
Before my one was two times in service at Asus. One time they replaced the mainboard.

For sure the solution of globula neagra is a good workaround, but it is very strange that, after the motherboard replacement, you cannot update anymore a standard product with a standard OTA procedure.
Maybe something could be revised in the replacement process.....

flaps1970 said:
For sure the solution of globula neagra is a good workaround, but it is very strange that, after the motherboard replacement, you cannot update anymore a standard product with a standard OTA procedure.
Maybe something could be revised in the replacement process.....
Click to expand...
Click to collapse
UP
Can someone dump that partition using dd, as asked by Globula Neagra?

I don`t understand what exactly you talk about .. radio partitions etc. but if that helps I had a problem with the memory of the tablet: have 32g + gsm N7 and in storage tab it appears only 6gb availabale, so I downloaded nakasig-jwr66y-factory-bdbb7bd7.tgz , extracted the archive and in created folder there was
bootloader-tilapia-4.23.img
flash-all.bat
flash-all.sh
flash-base.sh
image-nakasig-jwr66y.zip
radio-tilapia-1231_0.18.0_0409.img
Using windows 8 I executed in CMD flash-all.bat and the script flashes the radio,bootloader,stock rom and many other things that I did not seen before.I can`t provide a link for download but it is in the forum.I`ll be happy if that can help you solve your problem! Just flash without fear

Blown_ouT said:
I don`t understand what exactly you talk about .. radio partitions etc. but if that helps I had a problem with the memory of the tablet: have 32g + gsm N7 and in storage tab it appears only 6gb availabale, so I downloaded nakasig-jwr66y-factory-bdbb7bd7.tgz , extracted the archive and in created folder there was
bootloader-tilapia-4.23.img
flash-all.bat
flash-all.sh
flash-base.sh
image-nakasig-jwr66y.zip
radio-tilapia-1231_0.18.0_0409.img
Using windows 8 I executed in CMD flash-all.bat and the script flashes the radio,bootloader,stock rom and many other things that I did not seen before.I can`t provide a link for download but it is in the forum.I`ll be happy if that can help you solve your problem! Just flash without fear
Click to expand...
Click to collapse
So it will erase all apps and data on N7?

vndnguyen said:
So it will erase all apps and data on N7?
Click to expand...
Click to collapse
Yes in that case executing the flash-all.bat it will wipe all the data and apps but you can try to manualy flash the radio and the bootloader with that latest version...and like I understand your problem you can`t lose much...still you can`t use your device

@Blown_ouT
I did tried several approaches, and actually what you are saying above broke my device and created the issue with the radio.
The bootloader is saying that my radio partition does not exist anymore, therefore you can not flash something that is not existent, and your method does not work.
Tough, the partition is not vanished it must be there but i think is corrupted somehow.
When i broke the device first time i did this:
1) Update the tablet using the OTA
2) Result was a broken radio
3) Tried to re-flash the tablet using the stand alone pack
-when i did this, i did not wanted to unlock the tablet, still the cmd file runned and erased everything from the tablet but not flashed nothing, which is the most stupid thing since i did not unlocked the device and therefore the restrictions were up (which are supposed to be in theory a non access to erase/write but still google allows you to brick your device with the cmd file without unlocking, but does not allow you to fix it till you unlock it, again VERY STUPID)
-i was able to flash all the files one by one except the radio

globula_neagra said:
@Blown_ouT
I did tried several approaches, and actually what you are saying above broke my device and created the issue with the radio.
The bootloader is saying that my radio partition does not exist anymore, therefore you can not flash something that is not existent, and your method does not work.
Tough, the partition is not vanished it must be there but i think is corrupted somehow.
When i broke the device first time i did this:
1) Update the tablet using the OTA
2) Result was a broken radio
3) Tried to re-flash the tablet using the stand alone pack
-when i did this, i did not wanted to unlock the tablet, still the cmd file runned and erased everything from the tablet but not flashed nothing, which is the most stupid thing since i did not unlocked the device and therefore the restrictions were up (which are supposed to be in theory a non access to erase/write but still google allows you to brick your device with the cmd file without unlocking, but does not allow you to fix it till you unlock it, again VERY STUPID)
-i was able to flash all the files one by one except the radio
Click to expand...
Click to collapse
Hello, just an update about this issue,
I started the RMA procedure and ASUS replaced me the motherboard again (already one had been replaced).
Yesterday i received back the Nexus, nothing had changed, the tablet has exactly the same issue.
At this point, i think there are only three possibilities:
1) all the motherboards used in the Repair center are faulty
2) there is something wrong in the ASUS procedure
3) the problem is not related to the motherboard but is somewhere else
I am very frustrated about this situation, 5 months of tablet and three times in repair center without repairing the issue.

flaps1970 said:
Hello, just an update about this issue,
I started the RMA procedure and ASUS replaced me the motherboard again (already one had been replaced).
Yesterday i received back the Nexus, nothing had changed, the tablet has exactly the same issue.
At this point, i think there are only three possibilities:
1) all the motherboards used in the Repair center are faulty
2) there is something wrong in the ASUS procedure
3) the problem is not related to the motherboard but is somewhere else
I am very frustrated about this situation, 5 months of tablet and three times in repair center without repairing the issue.
Click to expand...
Click to collapse
I do think is an issue on a software level.
Google/Asus don`t want to admit that the updates are "braking" the tablets.

Geez, I have the same problem, I also got my Nex7 GSM from the repair with the new motherboard.
They had one job....

globula_neagra said:
My issue: after i updated via OTA, the tablet, the 3G stopped working, the OTA corrupted the radio partition, and now it seems that my tablet is on first baseband (a backup radio it seems) released with the device which has some issues (wifi signal very crappy)
In fastboot the baseband appears N/A
Click to expand...
Click to collapse
When ASUS replaced my device's motherboard they reinstalled the factory 4.2 instead of the 4.4.4 it was on at the time. During the 4.3 OTA upgrade the device hung and now the baseband is N/A in the bootloader menu. Trying to flash factory images or just the radio itself obviously doesn't work.
Other than your excellent sideload work-around, have you found a proper fix for the radio partition itself?

globula_neagra said:
ls /dev/block/mmcblk*
/dev/block/mmcblk0 TO BIG
/dev/block/mmcblk0boot0 2.048KB (bootloader)
/dev/block/mmcblk0boot1 2.048KB (bootloader backup)
/dev/block/mmcblk0p1 12.288KB (boot or recovery)
/dev/block/mmcblk0p2 8.192 KB
/dev/block/mmcblk0p3 TO BIG
/dev/block/mmcblk0p4 TO BIG
/dev/block/mmcblk0p5 512KB
/dev/block/mmcblk0p6 10.240KB (boot or recovery)
/dev/block/mmcblk0p7 5.120KB
/dev/block/mmcblk0p8 512KB
/dev/block/mmcblk0p9 TO BIG
Click to expand...
Click to collapse
Still the question remains open, HO KNOWS WHAT PARTITION IS THE ONE FROM THE RADIO ?
Click to expand...
Click to collapse
By now it's probably common knowledge to you and others with this problem that when the Nexus 7 3G gets into this state, the radio partition doesn't show up in the list anymore. My tablet broke before I could have a look at what correct partition information looks like, and there isn't much about it on the Internet either. However, these seem to agree:
http://forum.xda-developers.com/showpost.php?p=35103211&postcount=16
http://www.0jl.com/blog/?p=2196
http://forum.xda-developers.com/showthread.php?p=45045265#post45045265
E.g.:
Code:
Device "/ dev / block / mmcblk0p1", the name of "SOS", format emmc, capacity 12M, mount --- storage recovery
Device "/ dev / block / mmcblk0p2", the name "LNX", format emmc, capacity 8M, mount --- storage boot
Device "/ dev / block / mmcblk0p3", the name "APP", format ext4, the capacity of 650M, mount "/ system", the storage system
Device "/ dev / block / mmcblk0p4", the name "RDO", format emmc, capacity 16M, mount --- store radio
Device "/ dev / block / mmcblk0p5", the name "CAC", format ext4, the capacity of 443M, mount "/ cache", storage cache
Device "/ dev / block / mmcblk0p6", the name "MSC", format emmc, capacity 512K, mount --- storage misc
Device "/ dev / block / mmcblk0p7", the name "USP", format, capacity 10M, mount --- storage ---
Device "/ dev / block / mmcblk0p8", the name "PER", format, capacity 5M, mount --- storage ---
Device "/ dev / block / mmcblk0p9", the name "MDA", format, capacity 512K, mount --- storage ---
Device "/ dev / block / mmcblk0p10", the name "UDA", format ext4, capacity 28G, mount "/ data", storage userdata
and
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
IOW, compared to grouper the tilapia has an extra 16M radio partition inserted at mmcblk0p4.
Tablets in this state had this partition corrupted or deleted. Would it be correct to deduce that the problem can therefore be fixed by correctly recreating the partition table and then reflashing the machine?
I'm only familiar with working with Windows partitions and haven't been able to find instructions for recreating the Nexus 7 3G's partition table specifically. Is the above information sufficient for doing that, and what commands are needed? My tablet's currently on 4.2.2 and comes with both fdisk and parted.
Thanks in advance,
Francois

globula_neagra said:
My issue: after i updated via OTA, the tablet, the 3G stopped working, the OTA corrupted the radio partition
Click to expand...
Click to collapse
This seems to be the common experience with radio partition corruption. It also seems the process that leads to this corruption could involve a corrupt bootloader.
It turns out that both recent factory images as well as at least the 4.3 OTA for the Nexus 7 3G contain a corrupt bootloader, see http://forum.xda-developers.com/nexus-7/general/info-nexus-7-3g-ota-bootloader-corrupt-t3033513. This means whether Android software is being installed manually or automatically, the target machine is potentially exposed to the corrupt bootloader.
Most firmware installs that include a new bootloader and radio software first install the bootloader, then boot into that, then next proceed with installation of the radio software, and then whatever else.
This opens up the possibility that failure to install and activate the new bootloader contributes to corruption of the radio partition when its upgrade is attempted. If I manage to test this once my machine is returned from repairs I hope to update. Any other thoughts or contributions in the meantime will be appreciated. Especially towards fixing the radio partition.

CWM cannot restore /system due to no space (ZTE Blade C)

Hey guys, I was trying to increase app storage by re-partitioning the internal storage with Mt657xRepartition_EN.apk, where I selected 1gb for app storage. The next step was to wipe data/factory reset. Post this step, the phone is stuck at boot logo. So I tried restoring my backup via CWM and it failed while restoring /system. The log reveals that system cannot be restored due to no space left on the partition. As per my understanding, the above repartitioning was for data partition, but it may have messed up something. Here is full log while trying to restore system from advanced restore:
Block size: 4096
Blocks per group: 32768
Inodes per group: 8192
Inode size: 256
Journal blocks: 2048
Label:
Blocks: 131072
Block groups: 4
Reserved block group size: 31
Created file system with 11/32768 inodes and 4206/131072 blocks
SDCardUpdate.apksdcarda7d2cf64.0bouncycastle.odexlibbinder.solimobilelog_jni.soProcyon.oggOrganDub.oggtar: write error: No space left on device Vendor_045e_Product_028e.klError while restoring /system!
When connected to MTKDroidTools, the device is recognised in CWM recovery, but the kernel and baseband fields are empty. There is a blue dot at bottom left with some Russian word (see attachment). With MTKDroidTools, I was able to recover block map on the ROM (see attachment) where it says the following: System space is 64,27,77,088 bytes. The recovery on the PC says the system.ext4.tar file is 52,72,86,272 bytes. Therefore it should be able to restore, right? Also, isn't cache a bit too big at 485490688 bytes, which is same as usrdata at 463mb? usrdata was about 463mb before starting this, so that means partitioning failed, right? (I had selected 1 gb for the same).
My apologies that I do not have the original block map of the phone, but the usrdata (apps) and fat (media) seem to be the same. Should I try wiping system and restoring again via CWM?
Other Details:
Note: 1. I am able to restore /data and /cache from CWM recovery. I'm a bit worried to try restoring boot partition
2. Backup was made using Custom CWM recovery made with MTKDroidTools
Device: ZTE Blade C
Processor: MT6577 by Mediatek
Storage: 4gb (about 430 to 460mb was internal storage (apps) and 2.2gb was phone storage (media))
ROM: Official, was rooted with vroot and replaced by SuperSU.
I tried flashing custom rom via spflashtools, but it seems to stay stuck at 0% with word searching below (It does recognize that connected at start). Probably has to do with the fact that the phone cannot connect properly to PC when connected in preloader mode (I have installed preload drivers, but the phones seems to connect and disconnect every second)
I really need to revive this device, preferably with some extra space in usrdata partition, if possible. I have browsed several threads and collected this information based on that. Any pointers, help, information, diagnosis, guidance, steps, etc. would be much appreciated. I'll try my best to find my way to the solution. Please tell me if you need any other info. This device is at the edge of bricking. And I had given this to my dad on Father's Day 2 days back. He wasn't receiving emails due to low storage and I told him I can fix it. It would be terrible if I tell him I killed his phone.
Thanks for consideration to those who read through and did not reply for being unable to help.
Update:
When backup was made with MTKDroidTools, I found this:
- nodl_pmt
- PMT tables found
- PMT tables OK, 18 blocks found
--- Kernel Block Map to PMT mismatch!
-------------------------------------------
BlockName Offset
-------------------------------------------
Kernel: __NODL_BMTPOOL 0x00000000FFFF00A8
PMT: Not present! ??????????
-------------------------------------------
--- scatter from PMTis write to the file:
E:\Desktop\Android\MTKDroid\backups\ZTE-BLADE-C_130508_backup_140617-053203\MT6577_Android_scatter_emmc_PMT.txt
- Use it if SP FlashTool errors of 8038 or 4050 occurs

Hi!
Unfortunately playing with partitions can be a sensitive affair. Best left for very experienced tinkerers. Best way to free up space, is to free up space.
I hesitate to point you to any one particular thread, as I am not sure with your device exactly where you stand....and what you can and can't do at this point.
I will ask a moderator to move your thread to the Blade section, so you don't have to type all this out again. One thing, maybe put your device info at the very top of your thread and even edit your thread title to say Blade C. That will get you more model specific help hopefully.
Your thread will be moved here, to ZTE Blade General section....
http://forum.xda-developers.com/zte-blade/general?nocache=1&z=6848981278017163
Good luck! ?

Can the post please stay here for a little while? :fingers-crossed: As you said, this stuff is for experienced Android tinkerers and I believe there will be many more experienced folks here than in the ZTE blade forum.
With the update, I think I am closing in on the problem. I just need to understand how I can fix "Kernel Block Map to PMT mismatch". I have also requested folks with ZTE blade C to retrieve the original partition tables via MTKDroidTools.
Thanks for your time.

msmsmsmsms said:
Can the post please stay here for a little while? :fingers-crossed: As you said, this stuff is for experienced Android tinkerers and I believe there will be many more experienced folks here than in the ZTE blade forum.
With the update, I think I am closing in on the problem. I just need to understand how I can fix "Kernel Block Map to PMT mismatch". I have also requested folks with ZTE blade C to retrieve the original partition tables via MTKDroidTools.
Thanks for your time.
Click to expand...
Click to collapse
Sorry. XDA Assist is a place to get shown the way, not for troubleshooting or discussion. If you want answers, the area for your device is definitely the best place to post.

Please delete this thread. I had requested a mod 2 days back, but haven't received a reply.

[DISCUSSION][S7-SNAPDRAGON]Unlock Bootloader - R&D

Models: SM-G930_, SM-G935_ (Flat & Edge, all Snapdragon variants, NOT Exynos)
Developer thread only!
Work in Progress!
DONT flash anything on your phone unless you either a)Dont care of the result or b)Know what you're doing! I will take NO RESPONSIBILITY for you breaking your phone! Know the risks!
Research & Development Thread for Unlocking S7 bootloader
What is this thread?
This is a thread with all information (research) I can find regarding the locked bootloader for the S7 Snapdragon (Exynos has been unlocked so this thread will NOT cover that.) There are a lot of great seasoned Devs out there, but it seems all have given up, or remained in the dark. Flagships like the S7 we all bought because they're amazing phones, but it appears the future is locked bootloaders; if you're here then you're interested in custom ROMs. If we give up and can't 'crack this', then I'm afraid amazing phones like this will never get custom ROMs, ie, that will be a thing of the past.
In other words, there doesn't appear to be any development anymore on trying to unlock the bootloader. Hope is lost... or is it? Therefore, we need new talent. We need a new generation of developers walking into the game knowing that what they're trying to do is almost impossible. I'm hoping this thread will quickly bring any developer up to speed so we can get some "unlocking Dev rookies". We are recruiting! Come here and ask questions regarding this so hopefully you can figure this out!
I'm going to update from time to time the first few posts with critical info, links to info, etc. My goal with this thread is to put all of the great information from the community in one place. I don't way people to have to search this entire thread, rather get the info quick so they can begin developing quick, so we can get an unlocked bootloader, QUICK!
Remember, there were previous locked bootloaders, but many of them have been cracked so let's take away the 'impossibility factor'!
Who is this thread for?
Anyone that wants to quickly be brought up to speed on the S7 locked bootload status, all the hurdles, etc
Developers that want to be part of the future of locked bootloaders and something great!
Who can post and what posts are allowed?
Anyone with PRODUCTIVE comments towards unlocking the bootloader or efforts already completed (regarding of fail or success)
Developers working on this initiative
Developers with questions for other developers regarding this
Wanna-be developers with questions (There is no shame, and you never know if YOU just might be the rookie dev we're looking for to unlock this! If you're willing to try something to potentially brick your device, then you can play here Or maybe you might throw out an idea that might spark an idea with someone else that leads to an unlock.)
Links to things that have been attempted
Information you think people should know regarding this, that's not already listed. Or information you think should be in the original post so people can easily see it. (I don't want great info hidden deep in the thread, rather on the first page)
Keep me honest! If I post nonsense or inaccurate information, WE NEED you to correct me! Last thing I want to do is steer anyone in the wrong direction!
What NOT to post:
"+1"
"Thanks"
Petitions
Bounties
ANYTHING NEGATIVE! Negative Nancy, PLEASE go away!!
Etc. In other words, DONT waste thread space with nonsense. (Don't let that comment confuse you however with the 'very welcoming' questions from developers; This SHOULD be a collaborative thread. Productive input certainly welcome.) The idea is to QUICKLY allow someone to read this and get ALL the info to start trying to crack this. Going through pages and pages of irrelevant or useless comments will only make the goal more difficult, or prevent our new rookies from coming up to speed and trying to unlock this bootloader.
Who am I and what am I trying to get out of this?
I'm an application engineer and developer that bought an S7 from Tmobile and found out the hard way it had no way to get a custom rom, despite TMobiles past of typically allowing this. I'm frustrated like you all & want my phone unlocked, pure and simple! Besides, this is a community, and what better of an agenda than to try and conquer what others have said, "that's impossible"!
Other Notes:
MANY, many thanks to all the contributors out there!!! I got most of this information from other forums on XDA!
Following few posts will have resources and additional links. This thread is new so I'll find a good organization method in time.
PLEASE subscribe if you are (or want to be) a contributing developer, or have anything to add - or if you can answer others questions. I think a lot of this knowledge will expand to other devices, and not just Samsung, but future devices as well.
Please let me know of anything to fix with this thread, like tags, thread description, etc.
Make sure to send the link to this thread to people you think might be interested (but don't spam them!) Or post a link to this thread in other seemingly dead threads on unlocking this bootloader. Alone it just may be impossible to do this...but as a community, sharing all of our knowledge...we can do this!
Still not motivated to do this? Try this: https://www.google.com/webhp?source...=1&espv=2&ie=UTF-8#q=s7+bootloader+bounties&*
If you found this thread useful hit "Thanks"!
.

Information
Quick facts
Exynos bootloader is unlockable, which is why we won't talk about that here!
S7 Variants https://en.wikipedia.org/wiki/Samsung_Galaxy_S7#Variants
US & China use a Snapdragon processor, all other locations use the Exynos
Knox counter: will void warranty (if you still have one!) Most could careless if there's a remote possibility of unlocking the bootloader. Methods or tampering could possibly trip this counter.
Mostly when people say a phone is "locked", they mean locked to a CARRIER. That is NOT what we're talking about here - we're talking about a locked bootloader which allows you to install a custom ROM.
FRP: (Factory Reset Protection) Requires username/pass after factory resetting http://www.androidcentral.com/factory-reset-protection-what-you-need-know Reset: https://forum.xda-developers.com/galaxy-s7/how-to/samsung-factory-reset-protection-gmail-t3446788
Bootloader version: PhoneSettings->AboutPhone->Baseband version: 5th from last number.
Ex: Bbaseband: G935UUES4AQC1 = Bootloader version 4 @thescorpion420 (Tmobile & U = ver4, China=ver2)
Locked bootloader
Easy way to tell you bootloader locked status(?)
What is the bootloader? Part of the Android boot process. See all about it here: http://newandroidbook.com/
Why can't we currently unlock the bootloader? There is something called the chain of trust, whereby 'everything' from when the phone first turns on, through each 'piece' it verifies the contents of the flash is legit and from a listed trusted source (either Samsung or carrier). What controls this is the current, existing software/FW on your phone. So if we took what's there and removed these checks, we currently don't have a way to write this to your phone, since "we" aren't from the list of trusted sources. How do they enforce this? The images need to be digitally signed.
What does it mean to digitally sign a file (or image, FW in our case)? There is a private key and public key. Samsung and/or Carrier have the private key, your phone has the public key. Author writes a new SW package, then uses a tool to get a checksum. The checksum gets encrypted with the private key. The encrypted checksum gets appended to the SW package. Using OTA (over the air deployment) or ODIN, we push the package to the phone. The phone decrypts the appended encrypted checksum using its public key, does a checksum on the remaining package, and makes sure they both match. Now you can see why we can't fake this! Only way would be to find an exploit or get the private key so we can sign these ourselves!

Links (relevant threads)
Potential way to unlock bootloader? https://forum.xda-developers.com/tmobile-s7-edge/help/potential-to-unlock-bootloader-t3544220
ROOT DISCUSSION / TEKXv2 Dev Thread Extension SM-G935T - Dev Section / Discoveries https://forum.xda-developers.com/tmobile-s7-edge/how-to/root-discussion-future-sticky-root-t3327399
G935AVPT cross bootloader, flash Chinese Version , support ALL lte band,Knox stil 0!! https://forum.xda-developers.com/ve...ross-bootloader-flash-chinese-t3432190/page15 or
https://forum.xda-developers.com/att-s7-edge/how-to/g935avpt-cross-bootloader-flash-chinese-t3435043
High-level explanation on whats going on with this locked bootloader: https://www.xda-developers.com/galaxy-s7-bootloader-lock-explained-you-might-not-get-aosp-after-all/
Resources
Android Internals: A Confectioner's Cookbook http://newandroidbook.com/
Many thanks to Jonathan Levin for releasing that to the public for free, but please support his work via the other listed means. Also Reverse Engineering Aboot: http://newandroidbook.com/Articles/aboot.html
Samsung Source (Tmobile) http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=SM-G930T
Bootloaders, Encryption, Signing http://www.androidpolice.com/2011/0...ncryption-signing-and-locking-let-me-explain/
LOCK download mode (opposite but might have useful info) https://ge0n0sis.github.io/posts/20...-mode-using-an-undocumented-feature-of-aboot/

Tools
Phone Apps
Root Browser app (doesnt need root) access all files on phone (across ALL partitions?) https://play.google.com/store/apps/details?id=com.jrummy.root.browserfree&hl=en
Phone INFO (get info about phone) https://play.google.com/store/apps/details?id=org.vndnguyen.phoneinfo&hl=en
Other
S7 USB driver http://samsungodin.com/SamsungUSBDriver/USB_Drivers_1.5.27.0.rar
ADB (Install Android SDK)
DD: https://forum.xda-developers.com/showthread.php?t=1153991 (can be "disk destroyer" if used stupidly)
Sandbox: Possible to make a virtual S7 to test on? (including ALL partitions such as aboot, etc)
Ubunto VM: How to build a Linux VM for Dev & testing on this: http://imicrov.com/small-tech/android-development/android-development-with-ubuntu-in-virtualbox VMWare: http://www.vmware.com/products/player/playerpro-evaluation.html Ubunto image: http://www.osboxes.org/ubuntu/

Flashing
Info https://code.tutsplus.com/articles/an-introduction-to-android-firmware--cms-26791
Firmware (Android ROM) is stored in a writable form of memory called NAND flash memory, the same type of memory that is used in storage devices, such as USB sticks and SD cards
Bootloader more info
Ways to Flash
ODIN - Odin3_v3.12_PrinceComsy (ODIN is Samsungs replacement of Fastboot) https://www.androidfilehost.com/?fid=24591023225177749 or http://samsungodin.com/ (?)
ODIN is the only possible way (that we know of). You push a download from PC to phone, it runs checksum and signature verification, if it doesnt match what it expects, it never writes from memory to phone and throws away image. This intense security likely due to Samsung pay.
ADB - No standard way to do this, but maybe something creative might work...
Heimdall https://forum.xda-developers.com/galaxy-s7/how-to/guide-heimdall-to-flash-firmware-t3452904 (still work? couple years since updated) Sourcecode: https://github.com/Benjamin-Dobell/Heimdall
USB jig: https://forum.xda-developers.com/galaxy-s7/accessories/usb-jig-t3347793/page4 eBay: http://www.ebay.com/sch/i.html?_odk....H0.Xusb+jig+s7.TRS0&_nkw=usb+jig+s7&_sacat=0 Or make your own: http://www.instructables.com/id/USB-JIG-to-give-life-to-your-Bricked-mobile/
SD card: https://forum.xda-developers.com/showpost.php?p=69235306&postcount=38
Z3X Box: eBay: http://www.ebay.com/itm/2016-Z3X-BO...I-Unlock-Flash-Tool-C3300KCable-/291810363162
Safestrap(?)
Flash Errors & What they mean:
Failed aboot Fused 2> binary 1 - bootloader error: ?
SECURE CHECK FAIL: No Bueno! You're trying to flash something that's not digitally signed correctly
Firmware/Files:
AP (Application Processor or PDA or Android Partition): Android. System partition with recovery, etc. Recovery, kernel and ROM will be in this file. This is the only FW that is open source.
Typical contents of update.zip:
android-info.txt: Text file specifying the prerequisites of the build, such as the version numbers of the bootloader and the radio firmware that the build needs
boot.img: Binary file that contains both a Linux kernel and a ramdisk in the form of a GZIP archive. The kernel is a boot executable zImage that can be used by the bootloader. The ramdisk, on the other hand, is a read-only filesystem that is mounted by the kernel during the boot process. It contains the well known init process, the first process started by any Linux-based operating system. It also contains various daemons such as adbd and healthd, which are started by the init process More info
recovery.img: Very similar to boot.img. It has a boot executable kernel file the bootloader can use and a ramdisk. Consequently, the recovery image too can be used to start an Android device. When it is used, instead of Android, a very limited operating system is started that allows the user to perform administrative operations, such as resetting the device's user data, installing new firmware, and creating backups.
system.img: Partition image thats mounted on the empty system directory from boot.img. Contains the Android OS binaries as well as system apps, fonts, framework JAR files, libraries, media codecs, bloatware, etc. (Most used for flashing a custom ROM)
userdata.img: Partition image that will be mounted on the empty data directory from boot.img. Custom ROMs typically come with this image as blank so that it resets the contents of the data directory.
BL (Bootloader): Proprietary code that is responsible for starting the Android operating system when an Android device is powered on. Typically, it checks if the operating system it is starting is authentic as well. (Checks if the boot partition has been signed using a unique OEM key, which belongs to the device manufacturer, & is private.) Ie, Locked bootloader. Fastboot, IF allowed on a device, disables this check.
CP (Core Processor): Modem. This proprietary Radio firmware is another operating system on an independent processor called a baseband processor, independent of Android. This adds the cellular radio capabilities of the device like 3g & LTE. Qualcomm, etc develop this FW.
CSC (Consumer Software Customization): It is specific to geographical region and carriers. It contains the software packages specific to that region, carrier branding and APN setting. Eg Wi-Fi Calling. Flashing will lose your data (factory reset). Variations of CSC may retain data.
PIT files (Partition Information Tables) (Danger! Dont flash these unless you know what youre doing!)
Different variants of the S7 have different partition sizes; same phone/same carrier with different storage size have different PIT. One issues people were having flashing images for other variants is that the partition would fill up. A workaround would be to reformat with a correct PIT file and check "repartition" in ODIN. More info via @[Ramad] https://forum.xda-developers.com/sho...d.php?t=999097
"Get PIT for mapping" error while flashing (indicates you need a PIT file to flash what youre trying to flash)
-Extract current PIT file from phone: http://www.**********.com/how-to-ext...alaxy-devices/ (need root)

Unlock Methods
High-Level Ways to Unlock:
Get leaked private key so we can sign our own images
Find exploits
Dev bootloader gets leaked
?
What does work:
Can flash digitally signed images
Can write to partitions with engineering kernel
Ideas:
Use engineering kernel that has root to somehow modify bootloader partition to remove digital signature checks - at level/entry point can or should this be done? (ie, where in boot process at a minimum do we need to remove the check?)
Thread on installing LineageOS on bootloader locked Note 3: (this possible on our device?) https://forum.xda-developers.com/redmi-note-3/how-to/kate-guide-install-lineage-os-locked-t3546154
Thread on Recovery for locked bootloaders by @hsbadr : (work on our device?) https://forum.xda-developers.com/an...g/tool-multirom-recovery-replacement-t3102395
...Reading sdd10 line by line. I did find an entry "Device is unlocked! Skipping verification...". I'm starting to think we need to look into recovery-side exploits" @Flippy125 https://forum.xda-developers.com/tmobile-s7-edge/help/potential-to-unlock-bootloader-t3544220/page2
Back rev bootloader version (or other partition) to reintroduce security exploits (dont believe you can backrev though, easily) dd Chinese version? (Hard brick?) https://forum.xda-developers.com/showpost.php?p=70977356&postcount=39 @thescorpion420
Exploits: (known existing)
SD card most vulnerable?
Samsung Source available I believe (in its entirety though? See Resources links above) Perhaps viewing this may reveal exploits
?
Attempted Methods:
OEM Unlock in Android Settings menu: YES! We tried that!
Flashed Chinese images via ODIN. People used PIT (Partition Information Table) files and checked reformat partitions in ODIN and still failed.
Result: Errors during flash process, won't take, "Thread Failed" error
Chinese bootloader is v2 where all US models are v4(? How to determine?)
Convert Chinese ROM to another variant: https://forum.xda-developers.com/android/general/guide-how-to-convert-chinese-roms-based-t3577469
Use CROM app (Chinese phones have this app to unlock their phones):
Result: This app communicates to Samsung servers and ends up writing a flag (kiwibird?) to STEADY partition. US phones dont have this partition so this currently wont work.
Dirty cow exploit - (didnt work) indicated by @Binary100100

Android OS & Everything about it
Engboot kernel write protection seems to be off, so it appears you can use dd to write to normally write protected partitions such as the bootloaders (ex: "dd if=/sdcard/aboot of=/dev/block/sdd10"). In my testing I was successfully "dd" a backed up aboot (secondary bootloader) partition and also write to the modem partition and have it stick @qwewqa
MBN files: Multi boot binary firmware. Mostly used with Samsung, binary data for storing the device's memory partitions, such as the resources and power manager, secondary boot loader, AP boot loader, and trust zone. Can't just edit, need source then compiling creates mbn files? Info: https://www.quora.com/What-is-mbn-file-format-where-is-it-used https://forum.xda-developers.com/showpost.php?p=29787988&postcount=31
Create MBN: https://forum.xda-developers.com/showpost.php?p=28145975&postcount=198 Moreinfo: https://forum.xda-developers.com/showpost.php?p=28149932&postcount=212
Cook custom ROM: https://forum.xda-developers.com/showthread.php?t=901417
Extract mbn files using unyaffsmbn: https://forum.xda-developers.com/showpost.php?p=6303911&postcount=827
How to get existing versions, eg, bootloader version? (Many versions are in Phone->Settings->About device)
Partitions... needed to be modified(?) @qwewqa https://forum.xda-developers.com/tmobile-s7-edge/help/potential-to-unlock-bootloader-t3544220
- rpm (Resource and Power Manager / Primary Bootloader) located at /dev/block/sdd1 (/dev/block/bootdevice/by-name/rpm)
- aboot (AP Bootloader / Secondary Bootloader) located at /dev/block/sdd10 (/dev/block/bootdevice/by-name/aboot)
- xbl (Extended Bootloader) located at /dev/block/sdb1 (/dev/block/bootdevice/by-name/xbl)
- ? located at /dev/block/sdc1
- Sdd1 is the primary bootloader
Boot Process @qwewqa
RPM = Resource and Power Manager = Primary Bootloader
ABoot = AP Bootloader = Secondary Bootloader
I believe the boot process is "RPM > ABoot > boot.img (Main OS)", so both the rpm and aboot file would be needed
Partitions (Correct? via @silentwind827)
https://forum.xda-developers.com/android/general/info-android-device-partitions-basic-t3586565
https://source.android.com/devices/bootloader/partitions-images
http://davinci-michelangelo-os.com/2017/01/22/edit-init-rc-android/
ls -l /dev/block/bootdevice/by-name/
cat /proc/partitions
/dev/block/sda1 => modemst1
/dev/block/sda2 => modemst2
/dev/block/sda3 => fsc
/dev/block/sda4 => ssd
/dev/block/sda5 => persist
/dev/block/sda6 => efs
/dev/block/sda7 => param
/dev/block/sda8 => misc
/dev/block/sda9 => keystore
/dev/block/sda10 => devcfg
/dev/block/sda11 => frp
/dev/block/sda12 => bota
/dev/block/sda13 => fota
/dev/block/sda14 => persistent [edited]
/dev/block/sda15 => apnhlos
/dev/block/sda16 => modem
/dev/block/sda17 => boot (Kernel, RAMdisk, & boot images get flashed here see link above for details)
/dev/block/sda18 => recovery
/dev/block/sda19 => persdata
/dev/block/sda20 => system
/dev/block/sda21 => cache
/dev/block/sda22 => userdata
/dev/block/sdb1 => xbl
/dev/block/sdd1 => rpm
/dev/block/sdd2 => tz
/dev/block/sdd3 => hyp
/dev/block/sdd4 => fsg
/dev/block/sdd5 => sec
/dev/block/sdd6 => pmic
/dev/block/sdd7 => dsp
/dev/block/sdd8 => dip
/dev/block/sdd9 => mdtp
/dev/block/sdd10 => aboot
/dev/block/sdd11 => devinfo
/dev/block/sdd12 => bluetooth
/dev/block/sdd13 => lksecapp
/dev/block/sdd14 => keymaster
/dev/block/sdd15 => cmnlib
/dev/block/sdd16 => cmnlib64
/dev/block/sdd17 => apdp
/dev/block/sdd18 => msadp
/dev/block/sdd19 => dpo
/dev/block/sdd20 => ddr
/dev/block/sdd21 => pad

Restore Stock Methods
(Since we need a way to fix a bricked phone while we're trying to break it!)
Hard bricks likely not restorable though?)
Note: Not all of these methods will work, depending on how bad you bricked your phone.
https://www.androidsage.com/2016/03/...ware-download/
How to Fix a Bootloop: Turn off your device and reboot into recovery mode by press and holding Power + Volume down + Home keys for a few seconds. From the Recovery, select Wipe Data / Factory Reset. Confirm the action and reboot once done. Your device should now boot up.
Samsung Kies & Samsung Smart Switch https://forum.xda-developers.com/galaxy-s7/how-to/guide-revert-to-stock-anytime-kies-t3396314
Stock Files
Stock Files Collection https://forum.xda-developers.com/galaxy-s7/how-to/s7-s7e-stock-rom-bootloader-modem-t3383963
[Collection] Firmware/ROM Full, PIT Files https://forum.xda-developers.com/galaxy-s7/how-to/collection-firmware-rom-pit-files-t3326707

Alternatives to unlocked bootloader
A Quick and Simple Summary list of things to get by until we get custom roms:
[ROM][TMOBILE][S7_SM-G930T][Oreo Rooted]
Use Engineering kernel to get root https://forum.xda-developers.com/tm...eres-how-rooted-nougat-s7-edge-g935t-t3567502 (SOME people complain of lag with the engineering kernel)
Remove bloatware:
Debloater by @gatesjunior (Works on latest Android with root) https://forum.xda-developers.com/android/software/debloater-remove-carrier-bloat-t2998294
Other apps: Titanium Backup, Package Disabler Pro, Root Package Disabler
Freeze these apps: https://forum.xda-developers.com/galaxy-s7/how-to/touchwiz-bloatware-save-to-remove-list-t3330241
Stock ROM Engineering kernel modified, with root (NOT installed traditionally via recovery like TWRP) Ex: https://forum.xda-developers.com/tmobile-s7-edge/development/rom-t3572739 by @jrkruse or https://forum.xda-developers.com/tm...ekx-dev-deodex-systemui-3minit-multi-t3411776 by @TEKHD
xposed not available yet for nougat as of 4/1/2017

kevin712467 said:
Alternatives to unlocked bootloader
A Quick and Simple Summary list of things to get by until we get custom roms:
Use Engineering kernel to get root https://forum.xda-developers.com/tm...eres-how-rooted-nougat-s7-edge-g935t-t3567502 (SOME people complain of lag with the engineering kernel)
Remove bloatware:
Debloater by @gatesjunior (This still work?) https://forum.xda-developers.com/android/software/debloater-remove-carrier-bloat-t2998294
Other apps: Titanium Backup, Package Disabler Pro, Root Package Disabler
Freeze these apps: https://forum.xda-developers.com/galaxy-s7/how-to/touchwiz-bloatware-save-to-remove-list-t3330241
xposed not available yet for nougat as of 4/1/2017
Click to expand...
Click to collapse
Not on the newer versions of Android unless rooted, then it does.

Does anyone know if the phone boots differently when using a)the SD card boot & b)USB jig? Or z3x box? If so, how? (I'm guessing the jig boots the same as button pressing into download mode, but wanted to leave no leaf unturned!) Knowing this might open some doors of vulnerability if it boots differently. All the reading I did about this, I haven't read about anyone trying to flash an image via either of these methods. (I'm assuming & hoping this is even possible & you can actually boot off the SD card, if not at least install via SD) Testers?! (Reference "Flashing -> Ways to Flash" above for details, links.)

can try on your phone 7 edge

kevin712467 said:
Alternatives to unlocked bootloader
A Quick and Simple Summary list of things to get by until we get custom roms:
Use Engineering kernel to get root https://forum.xda-developers.com/tm...eres-how-rooted-nougat-s7-edge-g935t-t3567502 (SOME people complain of lag with the engineering kernel)
Remove bloatware:
Debloater by @gatesjunior (Works on latest Android with root) https://forum.xda-developers.com/android/software/debloater-remove-carrier-bloat-t2998294
Other apps: Titanium Backup, Package Disabler Pro, Root Package Disabler
Freeze these apps: https://forum.xda-developers.com/galaxy-s7/how-to/touchwiz-bloatware-save-to-remove-list-t3330241
Stock ROM Engineering kernel modified, with root (NOT installed traditionally via recovery like TWRP) Ex: https://forum.xda-developers.com/tmobile-s7-edge/development/rom-t3572739 by @jrkruse or https://forum.xda-developers.com/tm...ekx-dev-deodex-systemui-3minit-multi-t3411776 by @TEKHD
xposed not available yet for nougat as of 4/1/2017
Click to expand...
Click to collapse
well ive been reading the BL.mdf file and how ive done it if you delete the mdf extension and etract it as a tar file youll get three files with encryption, some of it is readable i'm studying the code and looking for loop holes. however i have tried flashing the G935F BL file on my G935V and it gives me an device ID not supported error so if we can somehow implant the US models device ID to the G935F BL file we should have an unlocked bootloader. it's just a theory but i believe this would be a great start for us models of the s7 edge.

kenshin6106 said:
well ive been reading the BL.mdf file and how ive done it if you delete the mdf extension and etract it as a tar file youll get three files with encryption, some of it is readable i'm studying the code and looking for loop holes. however i have tried flashing the G935F BL file on my G935V and it gives me an device ID not supported error so if we can somehow implant the US models device ID to the G935F BL file we should have an unlocked bootloader. it's just a theory but i believe this would be a great start for us models of the s7 edge.
Click to expand...
Click to collapse
The 935f bootloader is for exynos, you want to flash the 9350 bootloader. Odds are if you succeeded in flashing the 935f bootloader you'd have a nice shiny paperweight.

kenshin6106 said:
well ive been reading the BL.mdf file and how ive done it if you delete the mdf extension and etract it as a tar file youll get three files with encryption, some of it is readable i'm studying the code and looking for loop holes. however i have tried flashing the G935F BL file on my G935V and it gives me an device ID not supported error so if we can somehow implant the US models device ID to the G935F BL file we should have an unlocked bootloader. it's just a theory but i believe this would be a great start for us models of the s7 edge.
Click to expand...
Click to collapse
Where are you finding a "BL.mdf" file? I'm looking at stock images and see mostly mbn, bin, and img files. Is this an extraction of one of these files, images? Not sure this will help but here they talk about "brushing" (flashing) 'pick and choose' images making a compilation for a full flash (like pick US modem, with chinese bl, etc) & the Chinese are successful using US "pieces"/images despite having a different phone variant https://forum.xda-developers.com/ve...g935v-cross-bootloader-flash-chinese-t3432190 Another possible way could be the opposite of what you're trying: implant the international device ID on our phone so the image can flash without your error. (via engineering kernel possible to change this value, wherever it sits?)
Also, another thought: I wonder if there's a way to modify the PC ODIN tool (or Heimdall since that source is easily available) to add functions to talk to "hidden functions" on ODIN (on the phone) to unlock it that way. Or modify it to turn it more into an interactive console so we can navigate and investigate the phone's ODIN program. Does anyone know if the ODIN source for the phone side has been leaked? If not, any intelligent folks out there know how to 'reveal' all methods so we can go through it and maybe find exploits? (This been done already?)
One more thing: Those thinking the S8 is nearly out now so let's give up... Well, can anyone predict the future like I can?!! I'm SURE it will be locked as well. I wouldn't be surprised however if any exploit we can find for the S7 will be relevant on the S8!
Thanks for the efforts kenshin6106 ! And all the viewers of this thread make sure to hit the "Thanks" button on the bottom right of the developers posts to show your support. Remember, most think this is a dead subject, let's change that mentality!!

Can anyone please indicate what images or partitions are allowed to be downgraded, version-wise (if any)? I'm reading conflicting information - or its hard to tell if the bl rejected it due to a fundamental error or because it will not allow down-reving, whereby it would be possible had an acceptable image been used. eg, I read the bootloader cannot go from ver4 (US) to ver2 (Chinese). I'm not sure what's accurate. And Does ODIN/bootloader allow you to go from Nougat to Marshmellow? Knowing this will help with our unlocking methods...

Any instructions on how to flash g930p to u firmware I get errors

Bump.

I have a rooted SM-G930v using the engineering kernel, but I find the limitations of having a locked bootloader hyper-frustrating. In fact, I started researching which non-samsung android phone will be my next. (Looking at the Huawei P10/P11). I've been trying to use Magisk, TWRP, and a few other tools and have come to the realization that none of these are possible with a locked bootloader. Why is it that the Chinese variants have unlocked bootloaders? Samsung surely didn't make the decision to lock down their devices. It must be the US carriers that insist on locking down their devices and systems so that people can't modify certain apps, systems, and roms. Like bloatware for example. We just can't have nice things.
I wish I had more time to work on this, but I am not very experienced and I would almost rather get a similar device that is easier to root. I will however follow this thread and contribute what I can.

Chiller252 said:
I have a rooted SM-G930v using the engineering kernel, but I find the limitations of having a locked bootloader hyper-frustrating. In fact, I started researching which non-samsung android phone will be my next. (Looking at the Huawei P10/P11). I've been trying to use Magisk, TWRP, and a few other tools and have come to the realization that none of these are possible with a locked bootloader. Why is it that the Chinese variants have unlocked bootloaders? Samsung surely didn't make the decision to lock down their devices. It must be the US carriers that insist on locking down their devices and systems so that people can't modify certain apps, systems, and roms. Like bloatware for example. We just can't have nice things.
I wish I had more time to work on this, but I am not very experienced and I would almost rather get a similar device that is easier to root. I will however follow this thread and contribute what I can.
Click to expand...
Click to collapse
Check out this thread - https://forum.xda-developers.com/s7...heoretical-variant-bootloader-unlock-t3627286
We need testers!!