(GUIDE) Root Onn 8 Gen 2 100011885 - Walmart Onn Tablets General

Since there's a new generation of the Onn 8 tablets, and there currently isn't a rooting guide for them,
I figured I'd write one since I finally got mine to boot with magisk.
DISCLAIMER: I AM NOT RESPONSIBLE FOR BRICKED DEVICES. CONSIDER BACKING YOUR DEVICE UP BEFORE FOLLOWING THE INSTRUCTIONS LISTED IN THIS POST.
I won't bore you with useless details, let's just get into how to root this thing.
TOOLS:
You're going to need your vbmeta.img file to flash. You can use the one I have attached below, or supply your own from your own device dumps. Either way, you're gonna need that.
You will also need EITHER, the stock boot.img file for your tab (mine is also attached), or a magisk patched boot.img file, which I'll show you how to create if you don't already have one.
You will also need ADB and Fastboot installed on your PC for your platform, as well.
A guide on how to obtain that is available here if you don't already have it.
CREATING PATCHED MAGISK BOOT.IMG:
On your device, install the magisk manager apk.
inside the app, click on Install magisk, and supply the app with your boot.img file.
It should then open a terminal and patch the boot file, and output it to your download folder.
Now you've got a rooted boot.img file for your device. Alternatively, you can use the one I've supplied at the bottom of this post.
FLASHING ROOT ON YOUR DEVICE:
Here's the part where things get interesting.
Copy the patched boot.img to your pc from your tablet, and save it somewhere you'll remember. (preferably the same place you saved your vbmeta.img file.)
You'll need to shut down your device, then power it into fastboot mode by holding Vol+ and Power at the same time. This should bring up a menu with three options: Recovery, Fastboot, And Normal.
You'll want to use Vol+ to scroll to fastboot, then press Vol- to select and boot into fastboot.
Connect your device to your pc and open your ADB and fastboot program.
In the command prompt, type "fastboot devices".
This should spit out the serial number of your device followed by the word "fastboot".
If there is no device present, make sure you have android USB drivers installed properly.
Given that your device is connected properly, type the following commands. (without the quotes.)
"fastboot flash --disable-verity --disable-verification --skip-reboot boot /path/to/your/magisk_boot.img"
then
"fastboot flash --disable-verity --disable-verification vbmeta /path/to/your/vbmeta.img"
If all goes well and you get no errors, you should be safe to reboot, and you should have root now!
Once booted, open Magisk, and you should see that V22 is installed and running. You can now install edxposed via the magisk module manager if you'd like xposed installed, since TWRP currently isnt available for this model and lots of android 10 devices don't support it.
NOTE: SAFETYNET CHECK DOES NOT PASS, WE'LL NEED TO LOOK INTO THAT.

Here's a couple pics just showing I actually DID do this, and I'm not just ****posting or something

LaikaXv1 said:
Since there's a new generation of the Onn 8 tablets, and there currently isn't a rooting guide for them,
I figured I'd write one since I finally got mine to boot with magisk.
DISCLAIMER: I AM NOT RESPONSIBLE FOR BRICKED DEVICES. CONSIDER BACKING YOUR DEVICE UP BEFORE FOLLOWING THE INSTRUCTIONS LISTED IN THIS POST.
I won't bore you with useless details, let's just get into how to root this thing.
TOOLS:
You're going to need your vbmeta.img file to flash. You can use the one I have attached below, or supply your own from your own device dumps. Either way, you're gonna need that.
You will also need EITHER, the stock boot.img file for your tab (mine is also attached), or a magisk patched boot.img file, which I'll show you how to create if you don't already have one.
You will also need ADB and Fastboot installed on your PC for your platform, as well.
A guide on how to obtain that is available here if you don't already have it.
CREATING PATCHED MAGISK BOOT.IMG:
On your device, install the magisk manager apk.
inside the app, click on Install magisk, and supply the app with your boot.img file.
It should then open a terminal and patch the boot file, and output it to your download folder.
Now you've got a rooted boot.img file for your device. Alternatively, you can use the one I've supplied at the bottom of this post.
FLASHING ROOT ON YOUR DEVICE:
Here's the part where things get interesting.
Copy the patched boot.img to your pc from your tablet, and save it somewhere you'll remember. (preferably the same place you saved your vbmeta.img file.)
You'll need to shut down your device, then power it into fastboot mode by holding Vol+ and Power at the same time. This should bring up a menu with three options: Recovery, Fastboot, And Normal.
You'll want to use Vol+ to scroll to fastboot, then press Vol- to select and boot into fastboot.
Connect your device to your pc and open your ADB and fastboot program.
In the command prompt, type "fastboot devices".
This should spit out the serial number of your device followed by the word "fastboot".
If there is no device present, make sure you have android USB drivers installed properly.
Given that your device is connected properly, type the following commands. (without the quotes.)
"fastboot flash --disable-verity --disable-verification --skip-reboot boot /path/to/your/magisk_boot.img"
then
"fastboot flash --disable-verity --disable-verification vbmeta /path/to/your/vbmeta.img"
If all goes well and you get no errors, you should be safe to reboot, and you should have root now!
Once booted, open Magisk, and you should see that V22 is installed and running. You can now install edxposed via the magisk module manager if you'd like xposed installed, since TWRP currently isnt available for this model and lots of android 10 devices don't support it.
NOTE: SAFETYNET CHECK DOES NOT PASS, WE'LL NEED TO LOOK INTO THAT.
Click to expand...
Click to collapse
NOTE: SAFETYNET CHECK DOES NOT PASS, WE'LL NEED TO LOOK INTO THAT.
I'm glad to see that there is finally a root solution for this device. I have 2 Onn 8 first gen, Android 9 tablets and I use the Magisk module: Universal SafetyNet Fix to
pass.
MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0
Universal SafetyNet Fix Magisk module Magisk module to work around Google's SafetyNet attestation. This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS...
forum.xda-developers.com
Let us all know if this works. I work in a Walmart electronics department and have not bought one of the 2nd gen devices because I had assumed that it could not be rooted. I am temped just for a new challenge, even though I really don't need a new device.
Have you been able to create a backup of the stock rom? Is it flashed with spflashtool like the older device?
Thanks

I'll get the ROM backup uploaded to Google drive once I'm done updating windows.. it's taking forever, but I do have the dumps. Yes, spflashtool is what you'll need to flash the stock backup.
As for the magisk module, that seems to do the trick! Magist safetynet check reports a success for both basicIntegrity and ctsProfile.
Thanks for the tip!

LaikaXv1 said:
I'll get the ROM backup uploaded to Google drive once I'm done updating windows.. it's taking forever, but I do have the dumps. Yes, spflashtool is what you'll need to flash the stock backup.
As for the magisk module, that seems to do the trick! Magist safetynet check reports a success for both basicIntegrity and ctsProfile.
Thanks for the tip!
Click to expand...
Click to collapse
Ah, I didn't hit reply. Oops!
I'm not new to XDA persay, but I'm not usually the one making guides and actually saying things haha.

Doesn't seem to work for me
Keeps failing says
(remote: not allowed in locked state)

Boox17 said:
Doesn't seem to work for me
Keeps failing says
(remote: not allowed in locked state)
Click to expand...
Click to collapse
It sounds like maybe you did not unlock the bootloader first?

martyfender said:
It sounds like maybe you did not unlock the bootloader first?
Click to expand...
Click to collapse
Yeah exactly what it was

I have a 100011886 that I got used and has FRP lock, will this process work on it as well? Only rooted Fire tablets before, so this would be new to me and if I brick it not much will be lost. But any insight as to what I will need that isn't included in your post would be great! It seems pretty thorough though.
Edit: I've tried it, and I have done pretty much everything thanks to being able to get to the browser with one of those language keyboard tricks, but I can't enable dev mode and turn on OEM unlock so I can't unlock the bootloader. Really want to know what to do so I don't have a paper weight At least it was only $30

I'm stuck in a boot loop. Does this work with a 100011885 that has Android 11 or did I just brick it cause I didn't pay attention.

I think I have extracted the boot.img using spflashtool on the 100011885 with Android 11. abootimg seems to like it and I can extract the kernel and initrd.img I have tried booting with fastboot boot but it blackscreens the tablet. I have not tried re-flashing this image as I don't know if it will actually work.
start location and size
0x00000000085c0000
0x0000000002000000
boot.img
and another boot image found at
A5C0000
boot2.img

bowb said:
I think I have extracted the boot.img using spflashtool on the 100011885 with Android 11. abootimg seems to like it and I can extract the kernel and initrd.img I have tried booting with fastboot boot but it blackscreens the tablet. I have not tried re-flashing this image as I don't know if it will actually work.
start location and size
0x00000000085c0000
0x0000000002000000
boot.img
and another boot image found at
A5C0000
boot2.img
Click to expand...
Click to collapse
Did you get this working?

Valiante said:
Did you get this working?
Click to expand...
Click to collapse
No.

LaikaXv1 said:
I'll get the ROM backup uploaded to Google drive once I'm done updating windows.. it's taking forever, but I do have the dumps. Yes, spflashtool is what you'll need to flash the stock backup.
As for the magisk module, that seems to do the trick! Magist safetynet check reports a success for both basicIntegrity and ctsProfile.
Thanks for the tip!
Click to expand...
Click to collapse
did you happen to upload this image yet? if so, got a link?

I followed this guide for a ONN 100003561 (didn't look closely at the numbers) and this is what I get when trying to flash the vbmeta:
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta' (11520 KB) OKAY [ 0.287s]
Writing 'vbmeta' FAILED (remote: 'size too large')
I tried using a different vbmeta and when I restarted my tablet and got blank black screen. Tried twrp and now I can't get anything to work. Never tried rooting an Android device before, just trying to get all the annoying stuff off and now it looks like I bricked it.
Any advice from anyone?

pj_dev said:
I followed this guide for a ONN 100003561 (didn't look closely at the numbers) and this is what I get when trying to flash the vbmeta:
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta' (11520 KB) OKAY [ 0.287s]
Writing 'vbmeta' FAILED (remote: 'size too large')
I tried using a different vbmeta and when I restarted my tablet and got blank black screen. Tried twrp and now I can't get anything to work. Never tried rooting an Android device before, just trying to get all the annoying stuff off and now it looks like I bricked it.
Any advice from anyone?
Click to expand...
Click to collapse
Unfortunately, the numbers are important. Are you able to get to fastbootd? If you can get to fastbootd, I would recommend trying to change to boot slot. Newer androids actually have two boot partitions for updating purposes. You can check which boot partition you're using with `fastboot getvar current-slot` which should return "a" or "b". Then do `fastboot set-active x` and replace x with whichever slot is NOT active as determined by the previous command. If the other boot slot is still intact, this would hopefully result in a bootable device. I haven't tried this myself, but this is what I would try if I were in your situation.
If this doesn't work, I would try flashing stock with sp flash tool, which doesn't need fastboot if you can't access that. It's a leaked mediatek tool, so there isn't an official site to get it from unfortunately. I got it from here: https://androidmtk.com/smart-phone-flash-tool but use your discretion. And get v5, because that's what most of the guides use. Then you can try flashing the 3561 stock firmware here: https://forum.xda-developers.com/t/stock-stock-backups-images-otas.3998227/post-82619259
If you can get it to boot at this point and want to de-walmart it, I would recommend just flashing a GSI rather than messing around with the stock rom. You can find the GSI's here: https://github.com/phhusson/treble_experimentations/wiki/Generic-System-Image-(GSI)-list

LaikaXv1 said:
Here's a couple pics just showing I actually DID do this, and I'm not just ****posting or something
Click to expand...
Click to collapse
Lol, remember those copy-pasted guides where they provide the wrong TWRP images and it messes up the device

So the 8" Onn actually has a boot-ramdisk it appears. On the 7" Onn Surf (100005206), there is no boot-ramdisk, so the alternative is patching a recovery.img and allowing Magisk to hijack the /recovery partition. The only drawback is, anytime you need to reboot, using hardware keys as though booting into recovery is necessary.

inzane105 said:
I have a 100011886 that I got used and has FRP lock, will this process work on it as well? Only rooted Fire tablets before, so this would be new to me and if I brick it not much will be lost. But any insight as to what I will need that isn't included in your post would be great! It seems pretty thorough though.
Edit: I've tried it, and I have done pretty much everything thanks to being able to get to the browser with one of those language keyboard tricks, but I can't enable dev mode and turn on OEM unlock so I can't unlock the bootloader. Really want to know what to do so I don't have a paper weight At least it was only $30
Click to expand...
Click to collapse
I'm in a similar situation, my friend got an RCA Atlas 10 Pro-S from Goodwill for $1. It had an FRP lock on it though, and we ultimately managed to get to the home screen by enabling TalkBack and watching the support video to open the browser. Then, we installed Lawnchair to access the home screen. The settings app worked, but Developer Options would not open.
GetDroidTips has published a software called Miracle Box, claiming that it can unlock MediaTek bootloaders, as well as bypass FRP. However, a VirusTotal scan indicates that it is likely malware. I tried running it in a virtual machine and it asked if I wanted to run a process impersonating "svchost.exe" as Administrator. I airgapped the virtual machine, and Miracle Box said it needed Internet access for licensing, however GetDroidTips said it was free. I suspect that this was a fake software crack.
I am aware of a program called SP Flash Tool, but that won't work because I am on Linux, and not Windows. I doubt it would work under WINE, as it requires special device-specific drivers that also only work on Windows. I have a spare Lenovo IdeaPad 110-15ACL, however I don't have the drivers needed to set up Windows 7 on it. I could, of course, use Windows 10, but I have heard it is bad for flashing, and it is very slow anyway. (I did, however, buy an SSD for it, perhaps this will speed it up enough to be somewhat usable?)
I also found an open-source MediaTek exploit script called MTKTools. It did not work, and it told me to hold all hardware buttons before plugging the device in. It still did not detect the tablet. It told me that I could also short TP1 to ground, however I could not find Test Point 1 on the tablet's motherboard.
There are no custom recoveries or FRP unlocking guides for this device, likely because it's an obscure Android 7.1 tablet from back in 2014. I wouldnt be able to flash them anyway as the bootloader is locked. It has 2 GB of RAM and the processor cores are Cortex-A35s so I'm not sure that this is worth unlocking. On the other hand, it costs over $100 from Walmart.
I am worried that the device was stolen, as it had a password, and once I reset it from Recovery mode, it had an FRP lock. If it is indeed stolen, I can't return it, due to the "as is" nature of Goodwill, and besides, I have disassembled it several times as well. Should I be concerned about the ethical implications of unlocking this device?

Does this work on Android 11? I have the Onn. 100011885 model, according to my settings app.

Related

Root & TWRP!

Note: I am no expert at this. I used this to get TWRP and root, but it there is no guarentee it won't brick your phone. Only do this if you know what your doing. Before you start you must have an unlocked bootloader, which will delete all your data. Here's the instructions (If you need help, feel free to post a comment):
Download Magisk's installer zip on your phone from https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445 (Google Pay only works with Magisk v19.0+)
Download arter97's kernel .img to your PC. This kernel currently is the only reliable way to get TWRP. https://forum.xda-developers.com/razer-phone-2/development/arter97-kernel-razer-phone-2-t3914996
Reboot your phone into bootloader mode (Turn off then back on while holding vol down).
Make sure your phone is recognized by Windows before proceeding. Follow this guide to setup the proper drivers and fastboot.
Flash arter97's kernel by running
Code:
fastboot flash boot arter97-kernel-*.img
If you run into any issues, then you will probably need to specify the slot to flash. Reboot back into your system.
Turn on Android Debugging and run
Code:
adb shell getprop ro.boot.slot_suffix
and make note if the output is _a or _b
Reboot back into bootloader
If _a use
Code:
fastboot flash boot_a arter97-kernel-*.img
if _b use
Code:
fastboot flash boot_b arter97-kernel-*.img
Reboot to recovery (either through bootloader mode or hold vol up while rebooting).
Install the Magisk .zip from TWRP.
Be amazed by the possibilities.
Old instructions (Should always work to get root):
Download the factory image from here: https://developer.razer.com/razer-phone-dev-tools/
Extract and copy the boot.img file to your device
Download and install Magisk Manager. If you have an SD card make sure it's installed on your internal storage, not the SD card.
Tap install, select Patch Boot Image File, and select the boot.img (If using the default file manager click the overflow menu and show internal storage)
Copy the patched_boot.img back over to your PC
Flash the patched_boot.img to your device via fastboot (Turn off then back on while holding vol down) and run
Code:
fastboot flash boot patched_boot.img
.
If you run into any issues, then you will need to specify the slot to flash.
Turn on Android Debugging and run
Code:
adb shell getprop ro.boot.slot_suffix
and make note if the output is _a or _b
Reboot back into bootloader
If _a use
Code:
fastboot flash boot_a patched_boot.img
if _b use
Code:
fastboot flash boot_b patched_boot.img
Reboot, and open up magisk manager to confirm everything is working. After an OTA update you may have to re-apply due to it using a different slot.
Note: the phone wasn't properly recognized by my computer when in bootloader mode so I had to install the Google adb drivers and manually set the driver used to Google Bootloader Interface (or something like that)
I found you needed to specify boot_a or boot_b specifically as the bootloader tended to mess up the suffix(it tried "bootb_b"????). So I had to first run "fastboot getvar all" to check the current slot.
I also found the commands are executed much more reliably if you enter the command first and press enter so fastboot goes into the "waiting for device" state and then boot into the bootloader and afterwards plug in the cable so fastboot executes the command as soon as it connects.
figured itd be as easy as that. this will be my first up to date device in years, att sending it to me in the mail. should get it by the 6th . but glad to see theres root! hopefully lineage to follow <3
Twiggy000b said:
figured itd be as easy as that. this will be my first up to date device in years, att sending it to me in the mail. should get it by the 6th . but glad to see theres root! hopefully lineage to follow <3
Click to expand...
Click to collapse
I know the feeling, my last device was the Nexus 5
my last "decent" device was the essential phone. then i went to the xperia xa2 ultra, then the iphone 6 then.... zte quest. -.-
CurtisMJ said:
I found you needed to specify boot_a or boot_b specifically as the bootloader tended to mess up the suffix(it tried "bootb_b"????). So I had to first run "fastboot getvar all" to check the current slot.
I also found the commands are executed much more reliably if you enter the command first and press enter so fastboot goes into the "waiting for device" state and then boot into the bootloader and afterwards plug in the cable so fastboot executes the command as soon as it connects.
Click to expand...
Click to collapse
Lol, bootb_b:laugh:. For me at least it worked fine without specifying the slot, though I may change the instructions to specify the slot
CalebQ42 said:
With the release of the factory images we can achieve root via Magisk boot image patching. Note: I am no expert at this. I used this to achieve root, but it there is no guarentee it won't brick your phone. Only do this if you know what your doing. Before you start you must have an unlocked bootloader. Here's the instructions (If you need help, feel free to post a comment):
Download the factory image from here: https://developer.razer.com/razer-phone-dev-tools/
Extract and copy the boot.img file to your device
Download and install Magisk Manager. If you have an SD card make sure it's installed on your internal storage, not the SD card.
Tap install, select Patch Boot Image File, and select the boot.img (If using the default file manager click the overflow menu and show internal storage)
Copy the patched_boot.img back over to your PC
Flash the patched_boot.img to your device via fastboot (Turn off then back on while holding vol down and run `fastboot flash boot patched_boot.img`.
Reboot, and open up magisk manager to confirm everything is working.
Note: the phone wasn't properly recognized by my computer so I had to install the Google adb drivers and manually set the driver to Google Bootloader interface (or something like that)
I also tried to install some Android Pie GSIs, but none of them worked.
Click to expand...
Click to collapse
Does this destroy all data? Do I need to unlock bootloader? Does it matter where I place the boot.img on my device?
CalebQ42 said:
Lol, bootb_b:laugh:. For me at least it worked fine without specifying the slot, though I may change the instructions to specify the slot
Click to expand...
Click to collapse
Interesting. The bootloader isn't exactly what I'd call a masterpiece of coding (weird cause I still maintain the ROM is excellent) so it might have just been a momentary glitch.
---------- Post added at 10:54 PM ---------- Previous post was at 10:53 PM ----------
ctakah27 said:
Does this destroy all data? Do I need to unlock bootloader? Does it matter where I place the boot.img on my device?
Click to expand...
Click to collapse
Yes, yes and not really (you get a file chooser so you just need to locate it)
I updated the post a bit with instructions on how to flash to a specific slot.
Tonight I'm going to try compiling TWRP for the first time ever (unless someone beats me to in). Wish me luck!
CalebQ42 said:
I updated the post a bit with instructions on how to flash to a specific slot.
Tonight I'm going to try compiling TWRP for the first time ever (unless someone beats me to in). Wish me luck!
Click to expand...
Click to collapse
Good luck it's a easier process compare to years ago. I would do it but I have no need for root or custom recovery. If you fail on the TWRP I will do it in time for people.
Is this working on the AT&T version of this phone? Or would you need to flash the global firmware in order for this to work? Looking to upgrade to this phone and I want to be sure I can get root. The rest looks to be coming fairly quickly.
CalebQ42 said:
I updated the post a bit with instructions on how to flash to a specific slot.
Tonight I'm going to try compiling TWRP for the first time ever (unless someone beats me to in). Wish me luck!
Click to expand...
Click to collapse
jonchance_84 said:
Is this working on the AT&T version of this phone? Or would you need to flash the global firmware in order for this to work? Looking to upgrade to this phone and I want to be sure I can get root. The rest looks to be coming fairly quickly.
Click to expand...
Click to collapse
They have the image for AT&T
EAIaIQobChMIwYzbk7j_3gIVRZRpCh0RMwdoEAEYASAAEgLPifD_BwE
Warrior1988 said:
They have the image for AT&T
EAIaIQobChMIwYzbk7j_3gIVRZRpCh0RMwdoEAEYASAAEgLPifD_BwE
Click to expand...
Click to collapse
I see the separate firmware. I'm only asking because of past shadyness from AT&T trying to tell manufacturers what to do. Years ago on my Xperia x10, if on AT&T firmware, you needed to flash the global generic firmware to get around their crap.
CalebQ42 said:
With the release of the factory images we can achieve root via Magisk boot image patching. Note: I am no expert at this. I used this to achieve root, but it there is no guarentee it won't brick your phone. Only do this if you know what your doing. Before you start you must have an unlocked bootloader, which will delete all your data. Here's the instructions (If you need help, feel free to post a comment):
Download the factory image from here: https://developer.razer.com/razer-phone-dev-tools/
Extract and copy the boot.img file to your device
Download and install Magisk Manager. If you have an SD card make sure it's installed on your internal storage, not the SD card.
Tap install, select Patch Boot Image File, and select the boot.img (If using the default file manager click the overflow menu and show internal storage)
Copy the patched_boot.img back over to your PC
Flash the patched_boot.img to your device via fastboot (Turn off then back on while holding vol down) and run
Code:
fastboot flash boot patched_boot.img
.
If you run into any issues, then you will need to specify the slot to flash.
Turn on Android Debugging and run
Code:
adb shell getprop ro.boot.slot_suffix
and make note if the output is _a or _b
Reboot back into bootloader
If _a use
Code:
fastboot flash boot_a patched_boot.img
if _b use
Code:
fastboot flash boot_b patched_boot.img
Reboot, and open up magisk manager to confirm everything is working. After an OTA update you may have to re-apply due to it using a different slot.
Note: the phone wasn't properly recognized by my computer so I had to install the Google adb drivers and manually set the driver to Google Bootloader interface (or something like that)
I also tried to install some Android Pie GSIs, but none of them worked.
Click to expand...
Click to collapse
Would this procedure be the same as far as mac/win?
I understand all of that, I am simply asking if someone has tried this with the AT&T variant yet. I want to know before I go order this phone.
I love a rooted phone, but as far as I know, if you unlock the bootloader, Netflix will no longer work in HD mode. To me, this is a deal-breaker. If anyone knows about a work-around, I'd love to know.
Razer phone 2 root
so im kinda new to rooting this type of phone and to the android boot scheme in general. i have a razer phone 2 and have attempted (febaly) to root it using this meathod. after installing the google adb drivers i was unable to see the device from my pc when it was in fastboot and unable to send commands, after installing the drivers again with windows update it ran even though no device was detected with this message
">fastboot flash boot patched_boot.img
Sending 'boot_b' (19268 KB) OKAY [ 0.523s]
Writing 'boot_b' OKAY [ 0.179s]
Finished. Total time: 0.718s"
it then blackscreened, i then tried a factory reset from recovery, and it is now in a bootloop... any advice?
update: no longer in boot loop but now is full blackscreen after a glitchy install screen
andy1011 said:
so im kinda new to rooting this type of phone and to the android boot scheme in general. i have a razer phone 2 and have attempted (febaly) to root it using this meathod. after installing the google adb drivers i was unable to see the device from my pc when it was in fastboot and unable to send commands, after installing the drivers again with windows update it ran even though no device was detected with this message
">fastboot flash boot patched_boot.img
Sending 'boot_b' (19268 KB) OKAY [ 0.523s]
Writing 'boot_b' OKAY [ 0.179s]
Finished. Total time: 0.718s"
it then blackscreened, i then tried a factory reset from recovery, and it is now in a bootloop... any advice?
update: no longer in boot loop but now is full blackscreen after a glitchy install screen
Click to expand...
Click to collapse
Since it's already wiped the easiest way to fix it is to probably flash the full factory image. Did you happen to update to the MR2 update prior to following this guide? Doing this on MR2 will soft brick. Not entirely sure in what way, but I assume it would be similar to what you experienced. If you were still on MR0 you can actually just fastboot flash the original kernel image to fix it. I just finished rooting MR2 so I'll post that next
CurtisMJ said:
Since it's already wiped the easiest way to fix it is to probably flash the full factory image. Did you happen to update to the MR2 update prior to following this guide? Doing this on MR2 will soft brick. Not entirely sure in what way, but I assume it would be similar to what you experienced. If you were still on MR0 you can actually just fastboot flash the original kernel image to fix it. I just finished rooting MR2 so I'll post that next
Click to expand...
Click to collapse
this is what im trying to do. however i have no way of flashing to the device as adb is unable to see the device.
andy1011 said:
this is what im trying to do. however i have no way of flashing to the device as adb is unable to see the device.
Click to expand...
Click to collapse
Adb and fastboot are separate things. You should only need download mode and fastboot. What are you trying to use ADB for? If in doubt, the guide on Razer's website should be quite sufficient
EDIT: You can get to download mode by holding Vol Down and Power Button while the device is off. You can force reboot by holding down power for approx 15s as well

[RECOVERY] TWRP for Onn Android Tablets (unofficial) - 2019-11-30

TWRP Custom Recovery for the Onn Android Tablet series​
This is the first fully-featured custom recovery for Walmart's MediaTek-based Onn tablets: ONA19TB002, ONA19TB003 and ONA19TB007. TWRP needs no introduction. If you have come here, you probably have some idea of what it is and what it's used for. This TWRP build does not need the bootloader unlocked or VBMeta verification disabled, although it's recommended that you at least unlock the bootloader.
DISCLAIMER
Everything described in this thread is done at your own risk. No one else will be responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.
FEATURES
Decrypted data partition
All USB modes functional: MTP, ADB, Mass Storage, OTG, Charging
Fast boot time
Adoptable storage mounting
Firmware image backup and restore
Works under locked bootloader
Android 9 build fits within the 16MB recovery partition -- no compromises or partition resizing necessary
INSTALLATION METHOD 1
Download the recovery to your PC and unzip the image
Unlock the bootloader (skip if you have already done this)
Enable OEM Unlock in Developer Options in Android Settings
Boot into fastboot mode either by holding vol. up+power to power it on and selecting "Fastboot mode", or by running the 'adb reboot bootloader' command from within Android.
Install fastboot and appropriate drivers on your PC if you have not set those up
Unlock the bootloader with the command
Code:
fastboot flashing unlock
...and follow the instructions on the screen. This will wipe your data.
Flash the custom recovery with
Code:
fastboot flash recovery twrp-3.3.1-ONA19TB002.img
(use the right file name path for your device)
Reboot to recovery with
Code:
fastboot oem reboot-recovery
INSTALLATION METHOD 2
This assumes you are familiar with SP Flash Tool or can figure it out on your own
Download the recovery to your PC and unzip the image
Get the appropriate scatter file for your device. The scatter file may be found in the device's firmware under /system/data/misc.
Set up SPFT Download tab as Download Only. Load your scatter file.
Under the recovery line, double-click Location and open your TWRP image.
Click Download and connect your powered-off tablet to your PC. SPFT will automatically flash the recovery to the emmc and disconnect when finished.
INSTALLATION METHOD 3
Head over to Amazing Temp Root for MediaTek ARMv8, read the requirements and directions, and grab the latest mtk-su.
Open a root shell with mtk-su
Flash the (unzipped) recovery with the command:
Code:
dd bs=1048576 if=twrp-3.3.1-0-ONA19TB002.img of=/dev/block/by-name/recovery
(replace the if= file name with your appropriate recovery image path)
Exit root shell
START RECOVERY
Three methods:
On a powered off tablet, hold Vol. up+power for about 3 seconds. In the menu that appears, select "Recovery mode"
With Android ADB, use the command 'adb reboot recovery'
From Android root shell, use the command 'reboot recovery' or just use any root app with OS reboot features
NOTES
Kind of important: Make a backup of your Crypto Footer as soon as you can. This is the encryption key to your data partition. When accessed from TWRP, this key can get "upgraded" so that you will get locked out of Android. TWRP uses a hacky workaround that saves and restores the original footer on every /data decrypt. But that method is not what I would call 100% reliable.
Make sure you have a backup of the untouched stock system and vendor images. There are no official firmware packages available to download.
Only mount system/vendor partitions in read/write mode if you have unlocked the bootloader. It is recommended to choose to leave system read-only at the startup prompt unless you have a specific reason to modify it. If the bootloader is locked, then dm-verity is enforced.* So merely mounting it once in r/w will cause a boot loop.
It's currently not possible to install incremental OTA updates using this TWRP. Use the stock recovery to update the FW. That will only work if you have never mounted system/vendor in write mode.
DOWNLOAD (Nov. 30, 2019)
Current version: 3.3.1-1
ONA19TB002 - Onn 8" model
ONA19TB003 - Onn 10.1" model
ONA19TB007 - Onn 10.1" w/keyboard model
Source code
ONA19TB002 | ONA19TB003 | ONA19TB007
ACKNOWLEDGEMENTS
The team behind TWRP & OmniROM
@tek3195 for testing and feedback on the 8" model
Please post feedback since these are still pretty new and not exhaustively tested. Let me know if I should port it to other models in the series.
Reserved also
grabbing this one too cuz why not
Very nice! I'll download and test the 003 one soon.
I also have a 007 model to experiment with.
I tried about a dozen times to build TWRP and failed miserably LOL. Closest I got was one that would boot but the rotation was all messed up, USB wouldn't work, didn't mount some partitions... Yeah, it was a hot mess.
Do you happen to have sources available?
Hi @NFSP G35,
I'll have the source code soon. Most of the tricks involved patching bootable/recovery. So I need to commit those changes and include the proper patch set from my tree....
Amazing!! Gonna install and test 8" right now.
Has anyone tried a GSI on these tablets yet?
MishaalRahman said:
Has anyone tried a GSI on these tablets yet?
Click to expand...
Click to collapse
I do know @tek3195 , the Onn 8 thread starter, has tried many of them as well as others here, somewhere on that thread he listed his tests and opinion of several of them.
I'm pretty sure others on that thread have also tried GSI's.
MishaalRahman said:
Has anyone tried a GSI on these tablets yet?
Click to expand...
Click to collapse
I did try both Phhuson vanilla and also Liquid Remix (I'm keeping this one for now). I didn't flash them through twrp, but using fastboot via bootloader.
WoW! AwEsOmE! I cannot wait to try this! THANK YOU!!!!!!
Hey,
This is a neat thing to see for the Onn tablets. I have a question though. I own a device based on the mt8163, and am trying to help people with another device I don't own (the powkiddy x18 which also uses the mt8163). One of the things I wanted to do was to make a custom rom for the x18, since it's stock firmware is horrible. And of course, one of the first steps to custom roms is twrp. So I have a question for you that I hope you can answer for me. How did you make this build of twrp? I have seen no device trees for this device so I was kinda curious. If you can help me in any way, I'd be so grateful, and I'm sure the other people with the x18 would be grateful for help.
@diplomatic
Is there a different procedure for installing TWRP on a locked bootloader?
I can confirm that using SP Flash to load your TWRP.img will produce a bootloop when installing to a device with the BL locked. Reflashing the original recovery.img makes the problem go away. You mentioned in the OP that this TWRP will work on a locked BL so I thought I would share my case study with you in following the procedure you defined.
MY SINCERE GRATITUDE FOR YOUR EFFORTS IN PORTING THIS TO THE ONN!
You're welcome, @Spatry.... Can you describe how you ended up with a locked BL? Was it unlocked before? Have you ever tweaked vbmeta? Also, when you say bootloop, do you mean for Android or just for recovery? I'm not going to insist that it works under locked BL. I tested it once and it did boot up...
diplomatic said:
You're welcome, @Spatry.... Can you describe how you ended up with a locked BL? Was it unlocked before? Have you ever tweaked vbmeta? Also, when you say bootloop, do you mean for Android or just for recovery? I'm not going to insist that it works under locked BL. I tested it once and it did boot up...
Click to expand...
Click to collapse
Presently, I am running stock with Magisk patched BOOT on locked bootloader, stock vbmeta. The boot loop was at the ONN Android screen, I could not get it to even boot into recovery.
At one time I did run with the bootloader unlocked (with --disable-verification on stock vbmeta) and I ran Phusson's AOSP, Liquid Remix and Bliss. I found there was no benefit to me in running the other mods so I reverted back to stock courtesy of @CaffeinePizza and the bootloader re-locked to get rid of that annoying 5 second orange state.
In each instance, I always used SP Flash tools to load all .img files. I only used fastboot to install magisk_patched.img onto the stock installation. Unlocking the bootloader erases all data and I did not feel like reinstalling everything again, so I figured I would try to install TWRP per your instruction to see if it would work while the BL was still locked... Restoring the original recovery got rid of the bootloop. I do want to try your TWRP so I will try it with BL unlocked when I get some free time to do so.
Spatry said:
Presently, I am running stock with Magisk patched BOOT on locked bootloader, stock vbmeta. The boot loop was at the ONN Android screen, I could not get it to even boot into recovery.
Click to expand...
Click to collapse
This sounds like you might have flashed a wrong/corrupt image to recovery. It may have to do with AVB checks rather than bootloader lock. But those conditions might be interdependent somehow so I can't tell you for sure. The fact that you are able to boot a patched image on a locked BL says it doesn't care too much about verification. I can tell you for sure that any recovery image must have avb metadata, not necessarily the required hash, for both Android and recovery to boot. Can you try to unzip the image file and flash it over again?
Hmm, the situation with the bootloader lock sounds eerily similar to the Nabi SE. The latter also had a similar implementation where there's not much in the way of locking things down, other than an (easily circumvented) SP Flash Tool signature check and different preloader keys. And here's the real kicker: the nearly-identical Fisher Price Nabi also ran on the MT8163, so it makes me wonder if it's possible to boot Pie on it, or perhaps a GSI assuming that Treble can be tacked onto it.
Also, do you have the source repo to this TWRP port of yours?
If anyone here gave me an XDA ad-free subscription, thanks a lot! I didn't get a notification of who it was. Using this site is a lot more bearable now.
diplomatic said:
If anyone here gave me an XDA ad-free subscription, thanks a lot! I didn't get a notification of who it was. Using this site is a lot more bearable now.
Click to expand...
Click to collapse
Where do I find crypto footer to backup
diplomatic said:
If anyone here gave me an XDA ad-free subscription, thanks a lot! I didn't get a notification of who it was. Using this site is a lot more bearable now.
Click to expand...
Click to collapse
Kinda cool without the ads isn't it. I know I sent one about a week ago or so. I think everybody ought to send you one, you deserve it. THANKS and AWESOME work.

Onn Surf 7" gen 2 on sale for 28$ today. Bought one... Was able to unlock bootloader

Onn Surf 7" gen 2 on sale for 28$ today. Bought one... Was able to unlock bootloader
So, stopped at walmart this morning for stuff and saw the Onn Surf is now on Gen 2. 2.0 GHz quad core, 16gb storage and 2 gb ram. Seemed pretty decent for 28$. Much snappier than my 2017 Galxay Tab A 7". Runs Android Go 10. So far, have a 128 GB sd card in the slot. I have ran a few games(Raid Shadow Legends, Pubg) on it and it seems pretty decent so far. Hoping somebody smarter than me can find out if we can root and rom it. I would love to have pure ASOP on it. Even if that doesn't happen, would love to have root to get rid of the pre-installed stuff. At the price point, I couldn't pass it up. I haven't figured out the CPU, guessing it is a Media Tek. The GPU is a Mali-G52 MC2 if that helps. Running GeekBench right now to see how it scores. Seems it is not bad. Chip is listed as ARM MT8168B Motherboard is listed as tb8168p1_bsp if that helps at all. Geekbench gave it a 542 score. Not sure how that compares.
I was able to unlock the bootloader in the normal fashion. adb reboot bootloader. fastboot flashing unlock. fastboot reboot when finished unlocking. It then had a series of prompts on the screen that I followed. Once it was done, I rebooted via fastboot. The reboot took a bit as it factory reset the device as expected. I was trying root with mtk-su, but have been unsuccessful so far.
Well, it looks like mtk-su will not work on this device. So I will have to wait for someone much smarter than I to figure out root for us
I just got this one also at walmart. For $28 is not bad. It feels snappier than amazon fire 7 or 8
Okiera29 said:
So, stopped at walmart this morning for stuff and saw the Onn Surf is now on Gen 2. 2.0 GHz quad core, 16gb storage and 2 gb ram. Seemed pretty decent for 28$. Much snappier than my 2017 Galxay Tab A 7". Runs Android Go 10. So far, have a 128 GB sd card in the slot. I have ran a few games(Raid Shadow Legends, Pubg) on it and it seems pretty decent so far. Hoping somebody smarter than me can find out if we can root and rom it. I would love to have pure ASOP on it. Even if that doesn't happen, would love to have root to get rid of the pre-installed stuff. At the price point, I couldn't pass it up. I haven't figured out the CPU, guessing it is a Media Tek. The GPU is a Mali-G52 MC2 if that helps. Running GeekBench right now to see how it scores. Seems it is not bad. Chip is listed as ARM MT8168B Motherboard is listed as tb8168p1_bsp if that helps at all. Geekbench gave it a 542 score. Not sure how that compares.
Click to expand...
Click to collapse
I got it as well [emoji1] for $28 it very very good, it comes with a $10 grocery pickup coupon as well [emoji23]. These devices can really use custom roms, some overclocking, and remove the Walmart bloatware which is not as bad as a fire blu cell phone that I used long time ago. The first thing I did was to disable the widow animation scale, transition animation scale, and animator duration scale. Tried kingo root app it does not work on this device, tried custom navigation bar .apk not compatible with this device will try to root either by conventional way or magisk.
Sent from my 100015685-E using Tapatalk
Saw these in store and grabbed 2. Set one up and tinkering with it. Runs a bit smoother compared to Fire 7 2019. FCC ID A2HCT9E78Q for those interested. Has BT 5, tiny noticeable audio lag watching YT video & Pluto TV connected to bt wireless earphones. Android 10 Go doesn't appear to support youtube pip mode.
I will be interested to see how development goes. Seems like at lot of devices use this SOC, so that leaves some hope. I had some wifi issues yesterday, but restarting the tablet fixed it. So far, I am happy for 28$. It is quite a bit lighter than my Samsung Tab A 7 ". Pubg is still running fine. Frame rate is nothing to write home about, but that is to be expected
I'm in the same boat. Picked one up this morning, unlocked the bootloader successfully but had no luck with mtk-su or any of that. Hopefully someone smarter than me gets this figured out
FredQ said:
I'm in the same boat. Picked one up this morning, unlocked the bootloader successfully but had no luck with mtk-su or any of that. Hopefully someone smarter than me gets this figured out
Click to expand...
Click to collapse
Unlikely; need to read up on the (ridiculous and inexcusable) vulnerability mtk-su exploited, manufacture response and the heavy-lift challenges rooting newer Android builds. Possible, but unlikely.
After spending most of last night trying to get this working I'm uploading what I've got in the hopes that someone can get it to boot.
Following several tutorials and using a combination of SP Flash Tool and WWR MTK I managed to create the scatter file and then extract the whole rom giving me the boot.img.
However, after patching the boot.img with magisk manager and flashing it I'm getting a boot loop. I can flash the original boot.img back and it boots as normal but obviously this is without root.
If anybody wants to take a look and see if they can get it figured out feel free.
There are 4 files. The scatter file, original boot.img, then there are 2 magisk patched boot.img files. The first one is smaller than the original boot.img which I read is quite usual but some devices don't take well to the size difference. So the second patched img is padded to match the file size of the original. I can't get any of these to boot, both put me in a boot loop which can only be fixed by flashing the unpatched img again.
Model: 100015685-E
https://app.mediafire.com/91m2g8if4iain
FredQ said:
After spending most of last night trying to get this working I'm uploading what I've got in the hopes that someone can get it to boot.
Following several tutorials and using a combination of SP Flash Tool and WWR MTK I managed to create the scatter file and then extract the whole rom giving me the boot.img.
However, after patching the boot.img with magisk manager and flashing it I'm getting a boot loop. I can flash the original boot.img back and it boots as normal but obviously this is without root.
If anybody wants to take a look and see if they can get it figured out feel free.
There are 4 files. The scatter file, original boot.img, then there are 2 magisk patched boot.img files. The first one is smaller than the original boot.img which I read is quite usual but some devices don't take well to the size difference. So the second patched img is padded to match the file size of the original. I can't get any of these to boot, both put me in a boot loop which can only be fixed by flashing the unpatched img again.
Model: 100015685-E
Click to expand...
Click to collapse
how did you manage to get out of the boot loop? I'm currently stuck in it from trying the exact same thing and I can't seem to access recovery mode or the boot loader or even manage to turn off the tablet.
To get out of the boot loop I had to flash the original boot.img using SP Flash Tool. Put the scatter file and the boot.img in the same folder. Then open the scatter file in SPF Tools and with only the boot.img checked click download when the tablet screen goes black as it's looping. It should then flash the file and when you power the tablet back on you should be good.
are you guys using windows 10 or 7 or? also, i have the -a verision of this tablet (100015685-A) and i was able to just get the scatter file that includes only the, Preloader? if that sounds right, and nothing else using WwR MTK v2.51(wich i believe is what RetroTho is using). now when i try and take that scatter file and use it SP flash Tool to do anything with it, it doesnt seem to do anything. i seen something about VCOM drivers (which i thought i had installed) but just in case tryed to install them using the .bat, and had no luck,(hence the OS question). so what am i missing if someone can help me? id like to try and get a complete rom backup if possible, to be safe, before i do anything else. or at least a boot.img and recovery.img. any help would be much appreciated.
Removed
After playing around with this for a while I got it to work. The problem is with Android Verified Boot. I used the scatter file created by @FredQ (Thanks!) and SP Flash tool to dump the vbmeta partition. Then I used the following commands to flash the modified boot image.
Code:
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot erase cache
fastboot flash boot magisk_patched.img
fastboot reboot
This disables AVB and allows it to boot. I verified that I had root afterwards.
http://gofile.io/d/HXCmPd
One unfortunate thing I found out is that the way the navigation bar is handled changed with Android 10. So far I haven't found a way to remove the Walmart button. This was one of the things I was hoping to do with root.
thecaptain0220 said:
After playing around with this for a while I got it to work. The problem is with Android Verified Boot. I used the scatter file created by @FredQ (Thanks!) and SP Flash tool to dump the vbmeta partition. Then I used the following commands to flash the modified boot image.
Click to expand...
Click to collapse
This is great news! Thanks for the hard work. I will attempt to replicate on my second device and report back. Root should at least make it easier to get a system dump and such. Thanks again!
Well, shoot! now I am getting "--disable-verity is not recognized as an internal or external command, operable program or batch file" when I run the first command.
Never mind, if I run fastboot --disable-verification --disable-verity flash vbmeta vbmeta.img then it runs fine. Just flashed your patched boot as well. I will report in a moment. Well, now disable verity works, but it says there is no vbmeta file or directory. so it fails. so far, no root
Well, DUH! needs to be in bootloader mode LOL. Now that I have it there, all commands work, but I still don't have root after flashing your patched boot image
thecaptain0220 said:
After playing around with this for a while I got it to work. The problem is with Android Verified Boot. I used the scatter file created by @FredQ (Thanks!) and SP Flash tool to dump the vbmeta partition. Then I used the following commands to flash the modified boot image.
Code:
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot erase cache
fastboot flash boot magisk_patched.img
fastboot reboot
This disables AVB and allows it to boot. I verified that I had root afterwards.
http://gofile.io/d/HXCmPd
Click to expand...
Click to collapse
Amazing. I'm up and running and rooted now! Thanks for the help
thecaptain0220 said:
After playing around with this for a while I got it to work. The problem is with Android Verified Boot. I used the scatter file created by @FredQ (Thanks!) and SP Flash tool to dump the vbmeta partition. Then I used the following commands to flash the modified boot image.
Code:
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot erase cache
fastboot flash boot magisk_patched.img
fastboot reboot
This disables AVB and allows it to boot. I verified that I had root afterwards.
http://gofile.io/d/HXCmPd
Click to expand...
Click to collapse
hi, do you know if this will work with 100015685-A? thanks
seems like finding a way to root the $28 onn tablet is coming to an end (a video tutorial would be great)
but when i do unlock the bootloader on my 100015685-e tablet (adb reboot bootloader, fastboot flashing unlock), adb gives me this and my tablet keeps disconnecting from my laptop
Code:
C:\Users\Ted\Documents\platform-tools>fastboot flashing unlock
< waiting for any device >
this does the same thing with fastboot oem unlock
what is going on and how would i fix this? nothing was done towards the tablet
teddyv1974 said:
seems like finding a way to root the $28 onn tablet is coming to an end (a video tutorial would be great)
but when i do unlock the bootloader on my 100015685-e tablet (adb reboot bootloader, fastboot flashing unlock), adb gives me this and my tablet keeps disconnecting from my laptop
Code:
C:\Users\Ted\Documents\platform-tools>fastboot flashing unlock
< waiting for any device >
this does the same thing with fastboot oem unlock
what is going on and how would i fix this? nothing was done towards the tablet
Click to expand...
Click to collapse
Sorry, I was not clear in my first post. I know this sounds silly, but make sure developer options are turned on and that OEM unlock and adb debugging is turned on.
Go to settings, about tablet. Then tap the build number at the bottom seven times and that will turn on developer options. Then in developer options, turn on oem unlocking and adb debugging.
Then run adb devices. It should return your tablet's serial number and 'device' If it shows the device 'unauthorized' (mine did the first couple of times) revoke ADB authorization and plug the tablet back in.
Then it is just adb reboot bootloader and then fastboot flashing unlock.
Okiera29 said:
Sorry, I was not clear in my first post. I know this sounds silly, but make sure developer options are turned on and that OEM unlock and adb debugging is turned on.
Go to settings, about tablet. Then tap the build number at the bottom seven times and that will turn on developer options. Then in developer options, turn on oem unlocking and adb debugging.
Then run adb devices. It should return your tablet's serial number and 'device' If it shows the device 'unauthorized' (mine did the first couple of times) revoke ADB authorization and plug the tablet back in.
Then it is just adb reboot bootloader and then fastboot flashing unlock.
Click to expand...
Click to collapse
i was going to edit my post but oh well
i had fixed what i was looking for: i used snappy driver installer origin to update my android driver, android adb showed up in my sdio list and i installed the driver from there, that resolved my issue (stupid mistakes can happen)

100003562 Onn 10.1 Android 11 (Bootloader Unlock, Magisk Root)

Hey folks I spent some time working on this yesterday (dumping Rom, Patching etc) so I thought I'd share. I am including the files I used to get this work.
This is for 100003562 Walmart Onn Tablet
I can't comment on other Onn models because I don't have any.
If your tablet goes into meltdown mode, I'm not responsible. I'm sharing the process that worked for me.
*These files are from:
*Android 11, Security Update 5AUG21 --> They probably won't work with any other version so I can't answer questions related to using them for that.
I don't recommend you try these on any other model unless you do it at you own risk.
*Strangely enough, this update doesn't have any of the Walmart apps installed or the bottom button on the taskbar. It asks if you want to install them when you are setting up the tablet*
I chose no.
Steps:
1. Enable USB Debugging, (while in Dev Options go to OEM Unlocking a tick that, (don't know if 100% necessary but I did it in my process)
and fire up a CMD or Powershell Window.
2. ADB:
adb devices (to make sure you are connected)
adb reboot bootloader
~boots to bootloader~
3. FASTBOOT
fastboot devices (to make sure you are connected)
(WARNING: the next command will factory reset the tablet)
fastboot flashing unlock
(follow volume key prompt to unlock and then device will reboot and bootloader is unlocked.)
You will see "orange state" as it boots if it worked properly. I don't have any interest in removing this message so you'll have to go elsewhere if you do.
4. Repeat steps 1-2 and get back into bootloader.
FASTBOOT:
fastboot devices
fastboot flash vbmeta <path to vbmeta.img>
fastboot flash boot <path to migisk patched.img>
fastboot reboot
5. Done
Notes:
I use Magisk Manager to do a direct install patch after I get root. (also don't know if 100% necessary, but it makes me feel better)
I'm including the stock boot.img in case you want to create your own patch with Magisk Manager. I used 24.1 (24100)
I'll answer what I can if you run into issues.
Cheers!
Reserved.
hey i was actually just about to go into the rabbit hole of pulling the boot.img, then i saw this. my tablet is stuck on the 5jan21 patch and wont update. could you tell me how you dumped the rom? also did you have to modify the vbmeta file? thanks
Mayday_Channel said:
hey i was actually just about to go into the rabbit hole of pulling the boot.img, then i saw this. my tablet is stuck on the 5jan21 patch and wont update. could you tell me how you dumped the rom? also did you have to modify the vbmeta file? thanks
Click to expand...
Click to collapse
i used sp flash and wwr. you can prob pull the boot.img pretty easily, but if you tried to take an OTA and it got corrupted, that might not work anyway. the vbmeta an empty one. this boot.img is from the most up to date ota which i got yesterday. i ordered a refurb version of this tablet and started messing with it yesterday. i have a copy of the full ROM dump as well. let me know if you need pieces and I can get them to you. you might be able to flash a few of the partitions and get it running again. can you get into fastboot?
which sp flash version? im on the latest 5.2152, every time i try to dump the full rom, it hangs on 0% readback. same with trying the boot.img. what was the full rom length, just to confirm? i got 0x750000000 from wwr
Mayday_Channel said:
which sp flash version? im on the latest 5.2152, every time i try to dump the full rom, it hangs on 0% readback. same with trying the boot.img. what was the full rom length, just to confirm? i got 0x750000000 from wwr
Click to expand...
Click to collapse
I used 5.1524. i had this issue as well and had to update the com port drivers. i used Iobit driver booster for this and it found the right driver. and yes thats the correct length for the one i dumped. i have the full thing on mega if you just want to flash it with sp flash tool.
that would be very nice. please post. thank you
Mayday_Channel said:
that would be very nice. please post. thank you
Click to expand...
Click to collapse
File folder on MEGA
mega.nz
goldensun1893 said:
File folder on MEGA
mega.nz
Click to expand...
Click to collapse
i got rid of userdata and cache to shrink it some.
thanks man
Mayday_Channel said:
thanks man
Click to expand...
Click to collapse
let me know how it works
could i please get the cache & userdata partitions? id like to keep a complete rom for archive. it seems to have flashed ok, but it broke wifi and its still stuck on january 5 patch. oh well, thats why i have 2 of these
ill drop them on there. be warned the userdata.img is something like 28GB. If you have the NV RAM Warning: ERR 0x10, there are a few tuts on here to fix that. Its common with SP Flash and MTK chips.
I think I figured out why it doesn't work. Spft isn't flashing super.img. even if I edit the scatter file to add super.img. I'll do some more trouble shooting at lunch
alright lets goooo. fixed it. just needed to change a few things in the scatter file and change the vbmeta files to img. next ill start experimenting on patching lk.bin to remove the ORANGE STATE text. thanks for the rom dump
NICE! I took a leap of faith and did this on my Oct 5th 2021 Security update build and it appears to have worked and Im rooted with magisk!!! I added a few additional steps to your commands just in case
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot erase cache
fastboot flash boot magisk_patched-24100_w97F6.img
fastboot reboot
I found a USB ADB fastboot driver that was signed and worked on my windows 10 x64 system but I had to go through the "Have Disk" manual driver install and installed even though it wasnt supposedly designed for my hardware. So insane the hoops to do this...
MT65XX-USB-VCOM-drivers\MT65XX USB VCOM drivers\Google_USB_Driver_rev4
Had trouble updating to Magisk to 24.3 however, not sure what pitfall I hit.
Wondering if I should be happy with root or try and flash TWRP and try a different ROM.
Iam in need of some help i am not sure if i have to install something to the tablet or pc but when i do the command "fastboot flashing devices" on my tablet just says on the bottom left =>FASTBOOT mode... and it doesnt change and on my pc it says <waiting for device> idk what am doing wrong can someone help me
beachmiles said:
NICE! I took a leap of faith and did this on my Oct 5th 2021 Security update build and it appears to have worked and Im rooted with magisk!!! I added a few additional steps to your commands just in case
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot erase cache
fastboot flash boot magisk_patched-24100_w97F6.img
fastboot reboot
I found a USB ADB fastboot driver that was signed and worked on my windows 10 x64 system but I had to go through the "Have Disk" manual driver install and installed even though it wasnt supposedly designed for my hardware. So insane the hoops to do this...
MT65XX-USB-VCOM-drivers\MT65XX USB VCOM drivers\Google_USB_Driver_rev4
Had trouble updating to Magisk to 24.3 however, not sure what pitfall I hit.
Wondering if I should be happy with root or try and flash TWRP and try a different ROM.
Click to expand...
Click to collapse
Followed the same steps and managed to get it working on my tablet that was on the same secpatch. However I also ran into an issue updating magisk. It acts like it worked fine and then when it reboots it asks to patch again.
Had to patch boot file manually and flash via fastboot. Still get an annoying popup when opening magisk but it's now updated to the latest 25.0.
To update run the following:
Root using ops method
Start your device and make sure that everything is rooted and working
adb reboot bootloader
fastboot flash boot [PATH TO MAGISK PATCHED 25000]
fastboot reboot
Tested on Oct521 SecPatch on a devices already rooted with OPs method. Do this at your own risk. Make backups, etc etc.​
hi nice work. sorry for my english. but i have a problem on mi onn tablet 1000035652 android 11. i try to root whit our method on fastboot no problem the tablet is unlock a message appears of the erase all data if unlock bootloader and press up volume then restart tablet so configure again and proced to fourt 4 point to flash vbdata and boot and in fastboot window okay flash then reboot and the tablet power on to the config screen then appear a message of controller apps stop then reboot and reboot infinite loop and i try to lock bootloader gain or reflash boot.img stock but no solution and i search for a alast update.zip or way to reinstal stock firmware can anyone help me ?

Custom Rom / rooting Options vor TB-125FU (Lenovo Tab M10 Plus 3rd Gen)

Hey everyone,
I've been looking for options to Install a custom Rom or root since I bought the Tablet several month ago. It seems like there are some options for the Full Hd Version, but I have a hard time finding anything useful for the 125FU. Are there any recommendations like compatible GSI roms or TWRP/magisk?
Thanks in advance for your help!
You should just be able to install matiek form my understanding
I need some information, too. Bootloader unlock is different. Device doesn't respond to bootloader commands with Minimal ADB Fastboot 1.4.3.
holmesmalone said:
I need some information, too. Bootloader unlock is different. Device doesn't respond to bootloader commands with Minimal ADB Fastboot 1.4.3.
Click to expand...
Click to collapse
I just got an tb125fu
Bootloader unlock was no problem, maybe it works for you now with the latest versions?
art99 said:
I just got an tb125fu
Bootloader unlock was no problem, maybe it works for you now with the latest versions?
Click to expand...
Click to collapse
The issue I had, and resolved, was the lack of the latest fastboot drivers. Gained root with Magisk successfully.
holmesmalone said:
The issue I had, and resolved, was the lack of the latest fastboot drivers. Gained root with Magisk successfully.
Click to expand...
Click to collapse
I installed corvus os gsi on it. i have no custom recovery.
peteonu said:
I installed corvus os gsi on it. i have no custom recovery.
Click to expand...
Click to collapse
TWRP is convenient, but not absolutely necessary. Would like a Lineage rom though.
holmesmalone said:
TWRP is convenient, but not absolutely necessary. Would like a Lineage rom though.
Click to expand...
Click to collapse
Agreed. I've been looking into compiling TWRP myself but this is all new to me. The only device with TWRP with this chipset is the Redmi 9. I've compared both boot.img's and they are both setup differently. If I had more knowledge ont he subject I could easily achieve this I believe.
If I have time I'll compare Gen 2 vs Gen 3 boot.img's, that may help understand the folder and file structure better.
holmesmalone said:
The issue I had, and resolved, was the lack of the latest fastboot drivers. Gained root with Magisk successfully.
Click to expand...
Click to collapse
What process did you use with magisk to gain root after bootloader unlock? was it as simple as installing magisk manager and flashing root through the manager?
Thanks
el7145 said:
What process did you use with magisk to gain root after bootloader unlock? was it as simple as installing magisk manager and flashing root through the manager?
Thanks
Click to expand...
Click to collapse
The same process worked for me.
holmesmalone said:
The same process worked for me.
Click to expand...
Click to collapse
How did you obtain the boot.img to patch??? I cant find the stock firmware anywhere, and im not clear on pulling the stock boot.img (getting permission denied errors when attempting via adb)
el7145 said:
How did you obtain the boot.img to patch??? I cant find the stock firmware anywhere, and im not clear on pulling the stock boot.img (getting permission denied errors when attempting via adb)
Click to expand...
Click to collapse
Select and download your preferred rom. Then unzip the rom and in the unzipped folder select the boot.img file and use it.
With some devices and roms, under some circumstances, the vbmeta.img file can and should be used. If I can recall correctly, Magisk will specify.
holmesmalone said:
Select and download your preferred rom. Then unzip the rom and in the unzipped folder select the boot.img file and use it.
With some devices and roms, under some circumstances, the vbmeta.img file can and should be used. If I can recall correctly, Magisk will specify.
Click to expand...
Click to collapse
ok, so ur just pulling the boot img from one of the GSI roms...im just trying to pull the stock boot img...do you happen to know where one can download the stock firmware for this device, this is my 1st lenovo tablet
el7145 said:
ok, so ur just pulling the boot img from one of the GSI roms...im just trying to pull the stock boot img...do you happen to know where one can download the stock firmware for this device, this is my 1st lenovo tablet
Click to expand...
Click to collapse
LMSA. https://pcsupport.lenovo.com/us/en/downloads/ds101291-rescue-and-smart-assistant-lmsa
Use this tool. Install and explore the file and folder structure it creates. Interrupt the process before it flashes your tablet for it will erase the files you need from your computer if you don't. Use trial and error here.
Since the original question was about root, Ill keep this going
I was able to download the most recent ROM from Lenovo rescue which was super simple, it downloads the ROM first and wont start the flash till you click the button. I did retrieve the stock boot.img, patched it, and flashed it, rebooted and had root. Heres where the many hours of fun started...I realized my wifi wasnt working (good sign something was messed up during flash). I realize the ROM downloaded from the Lenovo Rescue was newer then my old ROM. So I had flashed the newer boot.img over the old ROM (not good). I went back to Lenovo rescue to actually make use of the rescue and flash a full ROM. After completion I became stuck in fastboot mode. I could boot to recovery but not system and every restart or shutdown and restart would go straight to fastboot.
I did try to manually flash the ROM using what i thought was the right files and order (using flashinfo.txt as the order and MT6768_Android_scatter.txt for the partition names for each image). Everything flashed successfully, but upon reboot I was still stuck in fastboot mode. I tried everything I could think of and even ran the Lenovo Rescue a few times.
After many hours, I came across this command for fastboot..."fastboot set_active a" which finally allowed me to boot into system. I assume this tablet uses the A/B slot partitions, but I think they only make use of the A for boot? Thats my thought
So next is too try to patch the correct disc.img for my current rom (which is the latest from Lenovo Rescue) and flash again making sure to flash to the boot_a partition and hopefully everything goes like it should
Hopefully that command helps someone save many hours if they find themselves stuck in fastboot mode while rooting and/or flashing.
el7145 said:
Since the original question was about root, Ill keep this going
I was able to download the most recent ROM from Lenovo rescue which was super simple, it downloads the ROM first and wont start the flash till you click the button. I did retrieve the stock boot.img, patched it, and flashed it, rebooted and had root. Heres where the many hours of fun started...I realized my wifi wasnt working (good sign something was messed up during flash). I realize the ROM downloaded from the Lenovo Rescue was newer then my old ROM. So I had flashed the newer boot.img over the old ROM (not good). I went back to Lenovo rescue to actually make use of the rescue and flash a full ROM. After completion I became stuck in fastboot mode. I could boot to recovery but not system and every restart or shutdown and restart would go straight to fastboot.
I did try to manually flash the ROM using what i thought was the right files and order (using flashinfo.txt as the order and MT6768_Android_scatter.txt for the partition names for each image). Everything flashed successfully, but upon reboot I was still stuck in fastboot mode. I tried everything I could think of and even ran the Lenovo Rescue a few times.
After many hours, I came across this command for fastboot..."fastboot set_active a" which finally allowed me to boot into system. I assume this tablet uses the A/B slot partitions, but I think they only make use of the A for boot? Thats my thought
So next is too try to patch the correct disc.img for my current rom (which is the latest from Lenovo Rescue) and flash again making sure to flash to the boot_a partition and hopefully everything goes like it should
Hopefully that command helps someone save many hours if they find themselves stuck in fastboot mode while rooting and/or flashing.
Click to expand...
Click to collapse
I'm trying to solve the fastboot issue but I can't find fastboot drivers for the tablet. Have any suggestions?
Siege9929 said:
I'm trying to solve the fastboot issue but I can't find fastboot drivers for the tablet. Have any suggestions?
Click to expand...
Click to collapse
im assuming in device manager, you have a yellow exclamation by "Android"? you need the mediatek drivers.
Go here https://developer.android.com/studio/run/oem-usb
scroll down, dont make the misake of clicking on "Lenovo", you are clicking on the section labeled "MTK" download the zip, go to device manager and manually update the driver, once updated fastboot should work
at cmd run "fastboot devices" to make sure your device is recognized
el7145 said:
im assuming in device manager, you have a yellow exclamation by "Android"? you need the mediatek drivers.
Go here https://developer.android.com/studio/run/oem-usb
scroll down, dont make the misake of clicking on "Lenovo", you are clicking on the section labeled "MTK" download the zip, go to device manager and manually update the driver, once updated fastboot should work
at cmd run "fastboot devices" to make sure your device is recognized
Click to expand...
Click to collapse
Manually selecting the "Android Bootloader" driver fixed it. Thanks!
I just got my TB125FU to replace my 7-year-old Google Pixel C on its last legs.
Its Hardware ID is USB\VID_0E8D&PID_201C&REV_0100
I found a pack of Mediatek drivers here.
It's a bloated pack, so I extracted just the files needed for the TB125FU and attached to this post.
Once installed, my tablet appeared with a "fastboot devices" command.
I have also had good luck with the latest firmware for Motorola/Lenovo devices here.
hugehead83 said:
I have also had good luck with the latest firmware for Motorola/Lenovo devices here.
Click to expand...
Click to collapse
just an fyi: thats not the most recent firmware, the lenovo rescue tool had the latest, which at the moment for my device a few days ago was TB125FU_S000118_220927_ROW

Categories

Resources