I'm no expert when it comes to the topics of rooting and getting access to the emmc and all of that good stuff. I more specialize in ROMs and themes and stuff, the less complex stuff lol
Someone has posted an idea in the general forums in relation to permanent root, I'm not sure if he posted it here or not. So here's what he wrote....and is it possible? Or does it have to be done manually first before this idea can happen?
Originally Posted by deliberate187
In order to unlock the phone, we have to figure out what the protected sectors are first and all related flags. If an Android app could be made to have direct read access to the eMMC filesystems (including write protect flags) and save a log to the SD card detailing these items, this would be ideal.
Then all that would remain is a program to undo the write protection (and re-do it if necessary to unvoid warranty)
If anyone is willing to create these programs, I would be more than happy to test them out on my own G2.
However, I think the keys to the mystery may lie in the recovery image, and/or in the bootloader itself. Has anyone disassembled these yet?
Sorry to have to tell you but this is all old information, stuff we already know; we just are unable to do anything about it. It's harder than just coming up with an idea of something. Now if we knew a person that programmed the G2 in the HTC factory then all would be good, but as of now we just don't have the information we need to do anything
thanks
Thanks for the idea. Some people will be mad you didn't post in the root thread though.
File under "I'm no expert but..."
Here is one observation I have noted in my exploration. The root filesystem and system partition are mounted with the flags "-o ro,relatime" but in addition the /system partition has ",errors=continue" leading me to believe that this change is in fact written to the release configuration rather than to the eMMC itself. Can anyone try to get a permanent write to the fstab and see if this can net us permanent root? Possibly take a temp root session and remount the system and / filesystems read/write to see if writes stick... just an idea.
The errors=continue flag allows the ext3 filesystem to continue working even if there was a read/write error.
I've been able to get the system to change to r/w a couple times while wandering through root explorer. I have made subtle changes to certain folders such as moving txt files but nothing has ever been permanent. I can't really tell you how I did it either seeing as I can't replicate it on demand...I'm assuming it still gets written to cache despite being in the /system
Sent from my T-Mobile G2 using XDA App
heyy, I'm not punchie, I've got what the doctor calls a relaxed brain
I am thinking there should be a set of adb commands to unlock the nand. I am definitely thinking a nand dump and full disassembly of the bootloader and recovery image could be absolutely crucial in discovering what needs to be done. Just a thought, has anyone done a nandroid backup of the G2 yet? I'm pretty sure TMob doesn't have HTC encrypt its bootloaders...
deliberate187 said:
I am thinking there should be a set of adb commands to unlock the nand. I am definitely thinking a nand dump and full disassembly of the bootloader and recovery image could be absolutely crucial in discovering what needs to be done. Just a thought, has anyone done a nandroid backup of the G2 yet? I'm pretty sure TMob doesn't have HTC encrypt its bootloaders...
If you can figure it out, go for it and I wish you luck
deliberate187 said:
Here is one observation I have noted in my exploration. The root filesystem and system partition are mounted with the flags "-o ro,relatime" but in addition the /system partition has ",errors=continue" leading me to believe that this change is in fact written to the release configuration rather than to the eMMC itself. Can anyone try to get a permanent write to the fstab and see if this can net us permanent root? Possibly take a temp root session and remount the system and / filesystems read/write to see if writes stick... just an idea.
The errors=continue flag allows the ext3 filesystem to continue working even if there was a read/write error.
If it were only this easy.
Re-mounting /system as r/w is part of the rooting process. This does not result in changes written to eMMC. In fact, the controller "lies" to Linux that the change has been synced. From then on, Linux holds the changes in its cache which, when dropped or rebooted, reverts changed files to their original state (because they were never written in the first place.)
The ext3 continue on errors thing is merely a way to skip fsck in the event that the read-only system has issues in the journal (very unlikely to happen, since nothing can write to it.) Presumably, this only covers an oversight in OTA updates (where the journal of the image provided by the OEM is dirty for some odd reason.) Again, since nothing can write to /system, it's all but an impossible scenario (nothing can write to the journal either...)
As for marking "sectors" as write-protected or not, that's also easier said than done. Entire partitions are locked, and half of the space is mysteriously "missing." It's difficult to see what's really going on from userland, as the device is deceptive as to what is and is not being written, or what is even stored on the eMMC in the first place.
The real solution is to exploit either the boot-loader or eMMC (re)/initialization somehow to allow a) unsigned firmware to be loaded and/or b) allow booting without write protection, allowing us to c) flash rooted rom to the phone and/or d) disable said protection. The unlock procedure will likely be similar to Unrevoked, as that is essentially the same situation (aside from the controller issue.)
All of this is covered in the wiki and various threads - check those out, if you find a way around it everyone would be glad to hear it.
HamNCheese said:
If it were only this easy.
Re-mounting /system as r/w is part of the rooting process. This does not result in changes written to eMMC. In fact, the controller "lies" to Linux that the change has been synced. From then on, Linux holds the changes in its cache which, when dropped or rebooted, reverts changed files to their original state (because they were never written in the first place.)
The ext3 continue on errors thing is merely a way to skip fsck in the event that the read-only system has issues in the journal (very unlikely to happen, since nothing can write to it.) Presumably, this only covers an oversight in OTA updates (where the journal of the image provided by the OEM is dirty for some odd reason.) Again, since nothing can write to /system, it's all but an impossible scenario (nothing can write to the journal either...)
As for marking "sectors" as write-protected or not, that's also easier said than done. Entire partitions are locked, and half of the space is mysteriously "missing." It's difficult to see what's really going on from userland, as the device is deceptive as to what is and is not being written, or what is even stored on the eMMC in the first place.
The real solution is to exploit either the boot-loader or eMMC (re)/initialization somehow to allow a) unsigned firmware to be loaded and/or b) allow booting without write protection, allowing us to c) flash rooted rom to the phone and/or d) disable said protection. The unlock procedure will likely be similar to Unrevoked, as that is essentially the same situation (aside from the controller issue.)
All of this is covered in the wiki and various threads - check those out, if you find a way around it everyone would be glad to hear it.
Listen to this dude. Absolutely correct.
Hi All,
Unfortunately as a new user I can't post this in the Dev forum. So I'll put it here for now and perhaps can move it later.
I'm wanting to tinker with uboot on the Iconia. Ideally what I'm hoping to achieve is:
A versatile and usable port of uboot to the iconia complete with documentation (both how to get/build as well as use) and binary files available for download.
1) uboot to replace the default bootloader or the existing kernel image in flash and have the uboot able to load the standard kernel image from the system partition.
2) To have uboot able to run an interactive shell, either over USB or on the local console with a USB keyboard.
3) A boot menu would be nice with control by builtin buttons.
For my build box I'm using the current Debian with GCC 4.1 available
Anyway, if anyone can help at all please feel free to respond. It is my intention to update this thread as I go, documenting the journey and ultimately publishing the results with how-to info.
Tonight I will edit this with a better outline (more verbose) of what I'm attempting to do and some info regarding what my build env is and what info I already have.
Hope to create something useful here for everyone.
Owen.
OK. I'm still checking things out... eppeP, did you get anywhere with the SBK? If not, uboot will just have to replace the Android kernel and maybe be patched so it can load it from the system partition instead. One guy (lost the thread) said he had to mod the patch to get it to compile, but didn't say how.
As far as a boot menu goes, I'm thinking of a script that will search the boot folder of all mountable volumes and present a menu, much like the Apple boot selector does. Still don't know if it's possible though and it is a somewhat secondary issue anyhow.
Can anyone give info on uboot env storage? Also I need to know the partition layout for the internal MMC (got a good idea already but need to be sure; what's the partition layout?)
Have you talked to sp3dev and sc3k? I've been following the native Linux thread and I believe they are trying to do just that. They would be your best source of help I think
Thanx gh123man,
Yep, I've seen good & exciting posts from sp3dev, muromec and hexeh about this stuff. Unfortunately I can't post in the dev threads because I'm new to the xda forum.
I was kinda hoping they might spot this thread and respond
Sounds like fun, I might be interested in helping.
So far I've been looking into generating the SBK, decrypting BCT/EBT and am just about to start looking at the partition format (there seems to already be some code for this, so that should not take long to get an idea of). So I guess unless I find something more interesting, trying to pick apart the bootloader to get a better understanding of that part might come soon anyway.
SOLVED the best way.. See post #5
Hello
I have asked this in other threads, but have not gotten an answer that I can manage to make work yet. I'm also hoping that this thread may help the many others out there with this same problem.
I have an Iconia A500 that has the bad sector problem. I cannot get it to format partitions through any of the EUUs out there, or even the Babsector .bat's. Same thing every time: read/write failure. I have seen mention in a thread or two about guys who have used the "rawdeviceread" and "rawdevicewrite" commands in NvFlash to "map out" any bad sectors on the eMMC chip, and create "dummy" partitions over them so that the tablet will function again, at least until more sectors die anyhow.
Can someone please explain this process, including describing the files needed, exact commands, and the rest of the process to make this happen? I have seen member "Yaworski" describe the basis of it, but again his commands are no-go for me. It would also be great if a partition could be created, but not formatted, completely bypassing any possibility of NvFlash failure.
Thanks in advance. By helping me I'm sure you will also help many others. It seems many A500s are starting to suffer from this same exact issue.
Anyone? I have read through this post: http://forum.xda-developers.com/showthread.php?t=1691729&page=3 , and seen a couple of recommendations to it in other threads, but no dice on making it work... or even being able to map out the bad sector/s. I know this'll fix me up at least temporarily...
I need help with this as well. There doesn't seem to be a step by step guide anywhere :\
Sent from my SGH-T769 using xda premium
dynospectrum said:
I need help with this as well. There doesn't seem to be a step by step guide anywhere :\
Sent from my SGH-T769 using xda premium
I've been asking around about a possible process of mapping out bad sectors, and not just members in here, but engineers and technicians I know as well. First, the NAND has this sort of embedded firmware that directs it to remap or bypass bad sectors “spontaneously,” if you can call it that. When you're stuck with “write errors” or where the NVflash even fails to create and format a partition, it suggests that this part of that firmware is not working. Why the loose fit, or lack thereof, I don't know.
Second, the FCK guys mention that you can write a dummy file and make the device read it back so you can see where the data is missing and circumvent it altogether. But they also state that if Sector 0, which NVFlash is slated to access, is kaputt, then it would hang, as probably in your case and certainly in mine.
Given that the Boot Configuration Table is 4Kb tiny while the NAND is 16Gb large, I can't imagine the latter being damaged so badly as not to have a continuous space of 4Kb to accommodate such a partition. As a matter of fact, I did have someone with special equipment probe my NAND "physically" and the initial report indicated that the first half (50%) of it had less than 3% of its sectors that were bad. NVFlash, however, could neither create nor format, let alone write on it.
So, either one must have the appropriate hardware to do a very low level format to restore the NAND in full or in part, or NVFlash has to be hacked to command writing at a Sector different than 0. Until that happens, I doubt it that a step-by-step guide grounded in current programs would be viable.
I know that neither the custom ROMs nor the custom Bootloaders and Recoveries are remotely the cause, because this occurred way before any of it came onto the scene. But in light of the frequency at which this happens to some of us, it seems ironic to term this device bullet-proof. I'd like to think it's not incurable, but what the FCK do I know? (Sigh) Anyone with the essential hardware know-how to tackle this?
SOLVED..well the "easy" way....
I sourced out a broken A500 (strangely the screen is fine though lol), re-soldered the power button on it (PITA), and put it into my A500.
I plan on taking it easy with the flashing on this one. A500s seem to have a growing history of eMMC chip failure from over-flashing. My old board had been flashed MANY times by the previous owner, and a few times by me before it died. The "new" tab was only flashed enough to get it to stock ICS. Now it has the V8 bootloader and Civato's Re-Flexx ROM (best out there IMHO).
So there you have it... this seems to be the best way to fix this problem on the A500: replace the darn motherboard. I'd imagine mapping/skipping sectors is only a temporary fix that will probably lead to the tablet dying when it's needed most.
Well, I have been going through many tab owner problems on this forum, from people who have tried everything in the book to get their tab back running. This experimental process is only for those people who have no option left other than to throw away their tab as a dead glorious paperweight or play with it as a Frisbee. Hopefully it can recover it, or at least it can open a new way for getting out of a brick, or perhaps be a good learning experience, just for the sake of it. What else would you want to do if your device is unrepairable? At least this can take a backup of the complete device in a different way though.
So what really is this about?
Well, the Samsung Tab 2 emmc is pretty much notoriously getting scarier, whether it is happening because of flashing a wrong kernel or doing something wrong with your tab, or in some cases where people had no clue. A sudden attack and the tab was dead. You may be lucky to get a replacement and get the tab running again. But not all could be solved and resolved.
But what if we provide the tab a second emmc (your external card emulated and working as an exact image of the internal emmc, with all the system files and their partitions on it)? Sounds good, eh? There are 2 sides of this coin. One, our device is not made that way and it's definitely not going to work at all; second, it can work after a little hardware modification, provided you have the right files and right tools and an insanely expert brain. Now the chances of this working are like that of a flipped coin landing on its edge. Very tricky.
But how can we achieve this then?
Well, there are users on the internet that have had some sort of success in this, while it wasn't guaranteed for their device that this process can work for all, and there is definitely nothing of this sort ever found for our device, which is on the OMAP chipset. It's the debrick method. You can't tell unless you are from the development department of Samsung. So, I would say even if it's a 0.0000000001 percent chance of working for us, I would like to keep it.
Debrick.img? what does it do? how to get it?
Well, this file is generally taken out from a stock ROM from location /dev/block/mmcblk0, which is where the PIT stores the data for all the partitions, and from there we can extract all the important parts, including the boot-loader, recovery, cache, hidden, sbl1, sbl2, factoryfs, param, modem, EFS, DataEFS to a .img file (as far as my definition goes, for better understanding). Please feel free to go through all the posts that you can find about the debrick, or if you have more knowledge please share.
I was just going through these posts.
The whole process for sg s3 http://forum.xda-developers.com/showthread.php?t=2660566
http://forum.xda-developers.com/showthread.php?t=1818321 a guide that explains taking a backup of the entire memory block with all partitions or a single partition. It's quite old but informative.
fixing a bootloader
http://forum.xda-developers.com/showthread.php?t=2345860
There are different parts to it; the first is getting the bootloader written on an external SD card. But we still don't know if our device will be able to treat the external SD card as an internal emmc. It is yet to be found out.
My theory is: suppose we can get out the whole partition along with system written on an external card, can we make the device treat it as an internal emmc? Will it then be possible to revive a tab with a dead internal emmc? There are chances it might. Still not practical though, and no guarantees for sure.
But to make you feel better, I managed to get out those partitions in a .img file which could be written on an external card as well. Basically an image of your emmc. This might be a good backup too for those who would like to be safe in case an emmc bug hits them too.
Now, to get this data we need volunteers to take these files from their working rooted stock ROM and upload these files for every model of Samsung Tab; if they wish to contribute to our community, you are welcome, or at least keep it safe on their disks. Although, this process will require utmost care as we are dealing with bootloaders here, and one wrong bootloader and it won't work. As far as my knowledge goes, there are two, the ICS and JB, for our Tab 2. Still there are many other variants and I really have no clue how to work this out all by myself. So I would like other great minds to share their wisdom on this, and please, before sharing files, mention everything you can, right from your
1. Device model number
2. 8gb or 16gb
3. Bootloader(ics or jb)
4. Stock ROM or custom ROM
5. firmware
6. Baseband
7. Country, and your name.
Now before pulling out this file, I have a doubt, as I have got a few img options. There are 128MB, 200MB, 256MB, 512MB, and also I have got one img of around 2.17GB as well which is the complete backup I could take out from my device.
I am not sure which one to choose that's going to work. People have mostly used the 128MB file to get access to the download mode; I guess in that 128MB there are enough files needed to boot your device into download mode and recover from hard bricks, but there is no evidence as of now in our device section as to which is sufficient for us. So for the first try, we take 128MB, and keep doubt aside for one process.
But suppose it's our emmc bug and we want to use the external card as an image of the damaged internal one; in that case I suppose we need to take out the whole info! Is it really possible with the 2.17GB of my device's complete data? Ah, I would really like to know the answer myself; in case it hits my device, I would be prepared
Anyway, to try this you must have an SD card reader and use an external card of 16GB or 8GB depending upon your device variant (a class 10 card is required; with others it has a high chance of not working at all)
Now the process to extract the file
The commands that you need to enter into a terminal emulator (download one from the Play Store). This will back up a 128MB file onto your sdcard.
Code:
su
busybox dd if=/dev/block/mmcblk0 of=/sdcard/debrick.img bs=1M count=128
128MB is arbitrary. On some devices 70MB was sufficient; on our device? Maybe or maybe not. Please test or help me answer this correctly, if I'm wrong. But until then, use 128MB; if we fail, we will look for other options.
Other dd commands
Code:
1. dd if=/dev/block/mmcblk0 of=/sdcard/backup.img
Backs up all partitions, thus will be large in size and take more time.
Code:
2. dd if=/dev/block/mmcblk0 of=/sdcard/debrick.img bs=1M count=70
70MB of data from mmcblk0 will be copied to the SD card
Code:
3. dd if=/dev/block/mmcblk0 of=/sdcard/debrick.img bs=1M count=512
512MB of data from mmcblk0 will be copied to the SD card
Code:
4. dd if=/dev/block/mmcblk0 of=/sdcard/backup.img bs=4096
Large size, more than 4GB, and more time consuming
Procedure
1. Connect the external SD card to the card reader, move all the files to your PC and format it.
2. find the correct debrick.img image from post 2.
3. Download and extract this software win iso burner
4. Open the software win32diskimager.exe and browse the debrick.img
5. Successfully Write the debrick.img onto it.
6. Put the sdcard in your device
7. Pray, or do the cha cha, praise the droid lord.
8. Switch it on, or press power button + volume down/up, whatever you can.
9. If you can then get into download mode, you can try to flash stock firmware or dance your way around.
10. Report back to us what happened.
1. Download Debrick dump imgs. (128mb)
Samsung tab 2 10.1 P5100 16gb
jellybean boot-loader.
was on custom 5.1 rom and twrp recovery from UAE firmware.
Samsung Tab 2 P3100 16gb
shared by @jak978 on post 6 Hit thanks for him.
more will come, when people will share.
for other guides and ways
Interesting. Unfortunately my broken emmc has been replaced with an emmc from a Note 2, though mine is a P3100
jak978 said:
Interesting. Unfortunately my broken emmc has been replaced with an emmc from a Note 2, though mine is a P3100
So, you're one of those lucky ones. Getting a replacement is still the best way. So, do you think my theory here could work? Anyways it would be an interesting answer to find out. But people would need to share files here first for any samsung tab 2 model. I hope it becomes helpful rather than just interesting.
billysam said:
So, you're one of those lucky ones. Getting a replacement is still the best way. So, do you think my theory here could work? Anyways it would be an interesting answer to find out. But people would need to share files here first for any samsung tab 2 model. I hope it becomes helpful rather than just interesting.
Here you go, Tab 2 P3100 16GB
Anybody having any luck with this procedure??
Rag888 said:
Anybody having any luck with this procedure??
Well I still haven't faced the emmc bug, so can't really test on my device yet. Nobody else who faced this issue has tried this and posted or shared any of the findings here.
Updating the emmc firmware via ISP gives back life to >80% of affected devices.
16 GB Tab 2s have a known faulty eMMC (MAG2GA). It can happen that your eMMC gets "read only", so you can't perform any write actions (also you can't format) anymore.
From the EMMC data sheet:
5.1.7 End of Life Management:
The end of device life time is defined when there is no more available reserved block for bad block management in the device. When the device reaches the end of its life time, the device shall change its state to the permanent write protection state. In this case, write operations are not allowed any more but read operations are still allowed.
But, reliability of the operation can not be guaranteed after end of life.
With faulty eMMC firmware it happens a lot faster if the emmc reaches a wrong value.
Sadly, patching the emmc firmware isn't possible while running the device; at least there's no known kernel on-chip power-on method...
Those from europe can contact @html6405 , he is able to update the emmc firmware and he can also replace the emmc if needed.
Note:
Sharing a whole copy of mmcblk0 isn't good, because it will include the EFS partition, which is sensitive data.
~ All my work, news etc. on http://andi34.github.io ~
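The dd count choice above (70/128/512MB, "128MB is arbitrary") and the note that a whole-mmcblk0 copy drags the EFS partition along are two sides of the same question: what does a dump taken from offset 0 actually contain? The script below is an added example, not a tool from this thread or from any poster; its partition table is a constructed sample, and on a real tablet the offsets would be taken from the PIT (heimdall print-pit) or from /proc/partitions plus /sys/block/mmcblk0/mmcblk0pN/start.

```python
"""Check what a raw dd dump of mmcblk0 covers, and scrub the EFS partition
before a "debrick" image is shared.

Added example for this thread, not a script from any poster. The partition
table below is CONSTRUCTED for illustration only; on a real tablet take the
offsets from the PIT (heimdall print-pit) or from /proc/partitions together
with /sys/block/mmcblk0/mmcblk0pN/start (start is in 512-byte sectors).
"""
from typing import Dict, Iterable, List, Tuple

MiB = 1024 * 1024

# (name, start offset in bytes, size in bytes). Constructed sample layout:
# small bootloader partitions first, EFS right behind them, big ones later.
SAMPLE_LAYOUT: List[Tuple[str, int, int]] = [
    ("xloader",     0 * MiB,    1 * MiB),
    ("bootloader",  1 * MiB,    2 * MiB),
    ("param",       3 * MiB,    8 * MiB),
    ("efs",        11 * MiB,   16 * MiB),   # IMEI / radio calibration: sensitive
    ("recovery",   27 * MiB,   16 * MiB),
    ("boot",       43 * MiB,   16 * MiB),
    ("system",    512 * MiB, 1024 * MiB),
]


def coverage(layout, dump_len: int) -> Dict[str, str]:
    """Classify each partition as 'full', 'partial' or 'none' for a dump of
    dump_len bytes taken from offset 0, which is what
    `dd if=/dev/block/mmcblk0 bs=1M count=N` produces."""
    out = {}
    for name, start, size in layout:
        if start + size <= dump_len:
            out[name] = "full"
        elif start < dump_len:
            out[name] = "partial"
        else:
            out[name] = "none"
    return out


def min_dump_bytes(layout, needed: Iterable[str]) -> int:
    """Smallest dump length (from offset 0) that holds every partition in
    `needed` completely. Raises KeyError for a name not in the layout."""
    needed = set(needed)
    ends = {name: start + size for name, start, size in layout}
    missing = needed - set(ends)
    if missing:
        raise KeyError(f"unknown partitions: {sorted(missing)}")
    return max(ends[n] for n in needed)


def dd_count(nbytes: int, bs: int = MiB) -> int:
    """Round a byte length up to whole dd blocks (the `count=` argument)."""
    return -(-nbytes // bs)


def redact(dump: bytes, layout, names: Iterable[str]) -> bytes:
    """Return a copy of `dump` with the named partitions overwritten with
    zeros, clipped to the part of each partition the dump actually holds."""
    names = set(names)
    buf = bytearray(dump)
    for name, start, size in layout:
        if name not in names:
            continue
        lo, hi = min(start, len(buf)), min(start + size, len(buf))
        buf[lo:hi] = bytes(hi - lo)
    return bytes(buf)


def report(layout, dump_len: int, sensitive=("efs",)) -> List[str]:
    """Human-readable summary: what the dump holds and what must be scrubbed."""
    cov = coverage(layout, dump_len)
    lines = [f"dump of {dump_len // MiB} MiB:"]
    for name, _, _ in layout:
        flag = ""
        if name in sensitive and cov[name] != "none":
            flag = "  <-- scrub before sharing"
        lines.append(f"  {name:<11} {cov[name]}{flag}")
    return lines


if __name__ == "__main__":
    # The thread's count=128 dump includes EFS on this constructed layout...
    print("\n".join(report(SAMPLE_LAYOUT, 128 * MiB)))
    # ...while the bootloader chain alone needs far less than 128 MiB.
    need = min_dump_bytes(SAMPLE_LAYOUT, ["xloader", "bootloader", "param"])
    print(f"bootloader chain fits in count={dd_count(need)} (bs=1M)")
    # A constructed 32 MiB dump: scrub EFS, everything else stays intact.
    dump = b"\xab" * (32 * MiB)
    clean = redact(dump, SAMPLE_LAYOUT, ["efs"])
    assert clean[11 * MiB:27 * MiB] == bytes(16 * MiB)
    assert clean[:11 * MiB] == dump[:11 * MiB] and clean[27 * MiB:] == dump[27 * MiB:]
```

Because a dump from offset 0 is contiguous, any count large enough to reach recovery or boot on a layout like this one necessarily contains EFS, so scrubbing it is the step to do before uploading, not an optional one.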
Found something interesting printing the PIT using heimdall:
https://paste.omnirom.org/view/4173cc20
Does anyone know what the GANG partition is for?
I wonder if it is the emmc firmware because emmc.bin is stored there...
I am waiting to get the fixed emmc firmware, I might be able to tell you once I have it.
~ All my work, news etc. on http://andi34.github.io ~
Android-Andi said:
Note:
Sharing a whole copy of mmcblk0 isn't good, because it will include the EFS partition, which is sensitive data.
Yes, better to keep them private. Users do not share, just keep a backup with yourself.
Thanks for your thorough research.
Android-Andi said:
Found something interesting printing the PIT using heimdall:
https://paste.omnirom.org/view/4173cc20
Does anyone know what the GANG partition is for?
I wonder if it is the emmc firmware because emmc.bin is stored there...
I did notice the GANG partition since you mentioned it (strange I never realized this before, as I have looked at the PIT file many times earlier as well), located at 0x64C.
It does look like the emmc firmware partition. What else would it have?
jak978 said:
Interesting. Unfortunately my broken emmc has been replaced with an emmc from a Note 2, though mine is a P3100
hi jak978,
I plan to replace my P3100 emmc with a P5100 emmc; can I just flash P3100 firmware using Odin after changing the emmc?
Also, can you re-upload the debrick dump for the P3100? It says "file not found" in your link.
regards,
alms
Here you go, Tab 2 P3100 16GB UNABLE TO GET FILE, PLEASE SHARE THE FILE PLEASE
billysam said:
1. Download debrick dump imgs. (128mb)
samsung tab 2 10.1 p5100 16gb
jellybean boot-loader.
Was on custom 5.1 rom and twrp recovery from uae firmware.
samsung tab 2 p3100 16gb
shared by @jak978 on post 6 hit thanks for him.
More will come, when people will share.
Please re-share the P3100 file, I need it, my tab is not working, or tell me any way to get an emmc chip online or another process
My tab only restarts, restarts.....
No recovery or firmware will write on the P3100
Please help, your reply would be very helpful for me. Please give the P3100 file so I can use your method
asiffrluv said:
Here you go, Tab 2 P3100 16GB UNABLE TO GET FILE, PLEASE SHARE THE FILE PLEASE
Please re-share the P3100 file, I need it, my tab is not working, or tell me any way to get an emmc chip online or another process
My tab only restarts, restarts.....
No recovery or firmware will write on the P3100
Please help, your reply would be very helpful for me. Please give the P3100 file so I can use your method
Look at this on eBay http://www.ebay.com/itm/192025936615
Sent from my SAMSUNG-SM-G870A using XDA Free mobile app
Hi,
I just tried this method. The tab boots from the sdcard, I have the charging logo displayed, and then the screen turns black. The driver changes from omap4430 to Android, and keeps this driver until I unplug the USB cable.
On Linux, the tab device is recognized as Android. Same on Windows (loaded in VirtualBox from Linux).
adb devices displays an unauthorized device.
So from this step, it is still impossible to flash the tab.
Anyway thanks for sharing this; even if it's painful to lose a tab, it is nice to learn how all this works.
If other people have more information to share, I would appreciate any new info on this subject
billysam said:
1. Download Debrick dump imgs. (128mb)
Samsung tab 2 10.1 P5100 16gb
jellybean boot-loader.
was on custom 5.1 rom and twrp recovery from UAE firmware.
Samsung Tab 2 P3100 16gb
shared by @jak978 on post 6 Hit thanks for him.
more will come, when people will share.
Links are dead can you update them?
@Android-Andi @billysam @jak978
Sorry for pinging do you still have the p3100 debrick img?
No, never had it.
Ugh, dev host doesn't work in 2020
Still waiting for the link
Do not blindly flash this device without knowing what you are doing. While the device is hard to brick in general, it is very easy for someone new to brick it by flashing the wrong partitions.
I will write a generalized tutorial that will cover the basics and hopefully make everyone feel better about flashing the device. At first I was skeptical but after understanding everything, I have to say it really isn't that bad, and I am here doing all the leg work for these fake 2GB (it's really 1GB RAM) and 16GB hdd
OK, I am going to try and put all of this information in one place because these units say Android 10 or 10.1 but in reality, per CPU-Z, they are Android 9 with an API of 27 (will double check to be sure). This unit says it is 2GB RAM but it is indeed 1024 MB (1 GB). I am not sure if the other custom firmware dumps from 1GB yt9213aj models will work without problems on these yt9213aj units that say 2GB.
In order to try anything you need to first make a scatter file for your unit. I messaged the manufacturer of my unit for a firmware and they sent it. I unzipped it and looked at the scatter file and it is of a different formatting than one that comes from mtk droid tool.
So, mtk droid tool doesn't work with OS versions 9 or higher. It is the problem of adb. But we can follow this guide https://forum.xda-developers.com/t/...not-revealed-error-in-mtkdroid-tools.3582571/ and get it to work.
Once you have your device connected and recognized in droid tools you should first create the scatter file, as this is the most important step to do a full readback in SP flash tools.
Once you have a backup, you are in the clear for the most part. I am still trying to figure out how to backup preloader and etc if possible.
Now you will also need to connect some kind of wire or some small buttons taken from something disassembled. Just something that you can use as a mock button, because there is no hardware button on the device for up/down and OK and you cannot use the touch buttons. So you need to short these traces while in recovery in order to get further.
The main point of this thread is to update the existing ones and to add tools and stuff needed in one location, because it has taken me over 5 days to search for all of this, and I am still not done, so let's make it a little easier on the newcomers, because the last thing we want to do is brick each other's devices by using old outdated guides that don't fully work.
Flow chart of process: install mtk droid tools and sp flash tools ->enable oem debugging and oem unlock on device -> follow guide to get mtk droid tools to work -> get scatter file using mtk droid tools -> make a full readback in sp flash tools -> solder wires/buttons onto test points -> boot to fastboot and unlock bootloader -> fastboot flash recovery <image name> -> boot into recovery and install root and/or custom firmware.
Anyone more skilled know any better?
This post is a WIP and will be updated periodically as I source information. The main idea behind this post is to bring all resources for yt9213aj into one spot. There is plenty of information, it's just very hard to navigate, especially for someone new to flashing these devices, and even worse for someone who has never flashed any device.
OK, after trying what seems like 300 TWRPs I finally found one that does work with this device. I think the main difference here is that the board is a new revision and some arch changes caused older versions that were ported to not work. This one booted right into it but was in Russian, which is easily fixable within the TWRP GUI.
I will add all of these files to the op when I have collected everything.
I do not think that this version of the board I have has HiFi? Maybe I am mistaken? I have an audio glitch at 19-20 when playing music: the sound will get louder and sound good for a fraction of a second then return to sounding ****ty. So I will look into this more. What sucks is that there are so many of the same **** that doesn't work for this model, so it's like... I would rather gargle gasoline than have to sift through forums that were translated on the fly.
Anyway here is the twrp for this particular device - https://www.dropbox.com/s/vogg7854a7ln2zu/twrp-9213aj.img?dl=0
EDIT: also you can boot to fastboot (adb reboot bootloader) and use fastboot getvar all to get the factory partition sizes that are needed to create the scatter file (you will need to use a hex calculator to create it, or wait for me to upload my scatter file once I have it done). You need to be making dumps in SP Flash Tool way before you are ever writing anything. Make plenty of readbacks and get to know how to read it before you write anything. Blindly flashing is not what you really want to do lol
MTK drivers for PC
To install, you will need to disable signature verification, and I had to turn on test signing as well.
I have successfully rooted this thing. I did encounter something kind of strange though. I patched both the boot.img I had from the device and the one I got in the OTA update with Magisk. When I booted and checked the root with Magisk it said there was an unsupported root using su already. It did this for both boot.imgs.
Anyone ever heard of this on stock firmwares? I am able to grant root permissions to BusyBox etc., so it seems to be working OK. Maybe the root that is there is the Chinese root for backdoor tracking and surveillance xD
Wonder how to see what unsupported su commands are being sent?
EDIT: I also took a lot of pictures of the board. It is a yt9213aj v1.2 board. I will update the original post in the next few days with everything needed for this model, including test points etc. The test points are a little different but it's pretty much the same. The only two you need in the end are the two bigger ones (for unlocking the bootloader), then you're set. You could drill some holes and run wire down to the trace and put some hardware buttons for the MCU to use to select things in fastboot and official recovery.
There is also another port/connector on this thing above the touch sensor board. I think we could buy a ribbon cable to connect here and run it to another board with hardware button. Actually I think the connector is for hardware buttons specifically but I don't know for sure. Must do more research
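Before a pulled boot.img goes anywhere near Magisk, it is worth checking that the dump is actually an Android boot image and is not truncated, and that two readbacks of the same partition agree byte for byte. The following is an added example, not code from this thread or from Magisk: it parses the common Android boot image header (the "ANDROID!" magic, the size fields and page_size at offset 36, shared by header versions 0 to 2) and validates the file against it. The sample image is constructed in memory as a stand-in for a real dump; the kernel/ramdisk addresses and the image name in it are made-up values.

```python
"""Sanity-check a boot image pulled with `adb pull` before patching or flashing it.

Added example (not from the thread or Magisk). Parses the v0 Android boot image
header layout, which v1/v2 headers extend rather than change:
  magic(8) kernel_size kernel_addr ramdisk_size ramdisk_addr second_size
  second_addr tags_addr page_size header_version os_version name[16]
  cmdline[512] id[32] extra_cmdline[1024]
A partition dump is usually LONGER than the image (padded to the partition size);
only a file shorter than the header promises is treated as broken.
"""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8s10I16s512s32s1024s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 1632 bytes
FIELD_NAMES = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
               "second_size", "second_addr", "tags_addr", "page_size",
               "header_version", "os_version")


def parse_boot_header(data):
    """Return the header fields as a dict; raise ValueError if this is not a boot image."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the %d-byte boot image header" % HEADER_SIZE)
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    if fields[0] != BOOT_MAGIC:
        raise ValueError("bad magic %r (not an Android boot image)" % fields[0])
    hdr = dict(zip(FIELD_NAMES, fields[1:11]))
    hdr["name"] = fields[11].rstrip(b"\0").decode(errors="replace")
    hdr["cmdline"] = fields[12].rstrip(b"\0").decode(errors="replace")
    return hdr


def _pages(nbytes, page_size):
    return (nbytes + page_size - 1) // page_size


def expected_length(hdr):
    """Bytes the image occupies: header page + kernel + ramdisk + second, each page-aligned."""
    ps = hdr["page_size"]
    return ps * (1 + _pages(hdr["kernel_size"], ps)
                 + _pages(hdr["ramdisk_size"], ps)
                 + _pages(hdr["second_size"], ps))


def check_boot_image(data):
    """Return a list of problems; an empty list means the dump looks usable."""
    try:
        hdr = parse_boot_header(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    ps = hdr["page_size"]
    if ps == 0 or ps & (ps - 1):
        return ["page_size %d is not a power of two" % ps]
    if hdr["kernel_size"] == 0:
        problems.append("kernel_size is 0")
    need = expected_length(hdr)
    if len(data) < need:
        problems.append("truncated: header needs %d bytes, file has %d" % (need, len(data)))
    return problems


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def dumps_agree(first, second):
    """Two readbacks of the same partition must hash identically; if not, redo them."""
    return sha256_hex(first) == sha256_hex(second)


def check_file(path):
    with open(path, "rb") as fh:
        return check_boot_image(fh.read())


def build_sample_boot_image(page_size=2048, kernel=b"K" * 3000, ramdisk=b"R" * 500):
    """CONSTRUCTED stand-in for a real dump: valid header, dummy payload, made-up addresses."""
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x40080000, len(ramdisk),
                      0x45000000, 0, 0x40F00000, 0x40000100, page_size, 0, 0,
                      b"sample-boot", b"console=ttyS0", b"\0" * 32, b"")

    def pad(blob):
        return blob + b"\0" * (-len(blob) % page_size)

    return pad(hdr) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    img = build_sample_boot_image()
    print(parse_boot_header(img)["name"], check_boot_image(img) or "looks OK")
    print("two dumps agree:", dumps_agree(img, img))
```

Run `check_file("boot.img")` on each pulled image and `dumps_agree` on two separate readbacks of the same partition; an empty problem list and matching hashes are the minimum before patching. A dump that is longer than `expected_length` is normal (partition padding, and on newer devices an AVB footer), a shorter one means the pull was cut off.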
These things are rooted from the factory. When I try to use Magisk it says there is another unsupported su. The Unsu.zip floating around cures that. Then you can install Magisk.
Also another thing about these things being prerooted... I think you can dump and flash without any extra SP Flash Tool or MTK Droid Tool. I was dumping the partitions using the adb pull function:
adb pull /dev/block/platform/soc/11230000.mmc/by-name/<insert partition name here>
and
/dev/block/mmcblk0pXX, where XX is the specific partition to read/write to.
I had got a scatter.txt in the OTA update I obtained from the manufacturer which had all the partition layouts. I used this and a log from a failed SuperSU.zip install to create a scatter.txt for this particular device. The SuperSU log can be obtained by trying to flash the SuperSU zip in recovery, then in adb just pull the log file: adb shell cat /tmp/recovery.log. Once you have this, you will have to use brain.exe to make your own scatter for SP Flash Tool.
All in all it's pretty easy to actually root the device, and they are actually rooted from the factory, most likely for some functions within the OS to work (like surveillance and spying xD), but that can easily be removed with the unsu.zip, then install Magisk.
I will be writing up a guide for this specific model in a few more days. If you read this thanks for listening to the rumbling of a mad man
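The "hex calculator" step mentioned twice in this thread (turning `fastboot getvar all` partition sizes, or the sizes from a recovery log, into scatter-file offsets) is mechanical enough to script, and scripting it also makes the overlap/offset mistakes easy to catch. The block below is an added example, not code from this thread or from MediaTek's tools. It assumes a constructed sample of `getvar all` output, that the user-area partitions sit back to back in the order you read from `ls -l /dev/block/by-name` (mmcblk0p1, p2, ...), and that the first entry starts at offset 0 of the user area; the scatter field values it emits are the usual ones for user-area partitions and must be compared against the vendor's scatter.txt before use.

```python
"""Turn `fastboot getvar all` partition sizes into a scatter-file skeleton.

Added example, not from the thread or from SP Flash Tool / MTK Droid Tool.
Assumptions:
  * GETVAR_OUTPUT is a CONSTRUCTED sample of `fastboot getvar all` (the real
    tool prints these lines to stderr with the "(bootloader)" prefix);
  * PARTITION_ORDER is the on-disk order, taken from `ls -l /dev/block/by-name`
    or the vendor scatter.txt; getvar reports sizes only, never offsets;
  * partitions are contiguous and the first one starts at offset 0.
Verify each computed start against /sys/block/mmcblk0/mmcblk0pN/start (a
512-byte sector count) before the scatter is used for anything but a readback.
"""
import re

# Constructed sample; sizes are illustrative, not a real yt9213aj layout.
GETVAR_OUTPUT = """\
(bootloader) max-download-size: 0x8000000
(bootloader) partition-size:pgpt: 0x8000
(bootloader) partition-size:recovery: 0x1000000
(bootloader) partition-size:boot: 0x1000000
(bootloader) partition-size:system: 0xC0000000
(bootloader) partition-size:userdata: 0x1D4000000
(bootloader) all: Done!!
"""

# Constructed order, as if read from the by-name symlinks (mmcblk0p1, p2, ...).
PARTITION_ORDER = ["pgpt", "recovery", "boot", "system", "userdata"]

SIZE_RE = re.compile(r"partition-size:([A-Za-z0-9_]+):\s*(0x[0-9A-Fa-f]+)")


def parse_partition_sizes(text):
    """Return {partition_name: size_in_bytes} from getvar-style output."""
    return {m.group(1): int(m.group(2), 16) for m in SIZE_RE.finditer(text)}


def layout(sizes, order, base=0):
    """Return [(name, start, size)] laying partitions back to back in `order`.

    A partition missing from the getvar output raises KeyError rather than being
    silently skipped, because a skipped entry would shift every later offset.
    """
    entries, offset = [], base
    for name in order:
        if name not in sizes:
            raise KeyError("no partition-size reported for %r" % name)
        entries.append((name, offset, sizes[name]))
        offset += sizes[name]
    return entries


def sector_start_matches(entries, name, sysfs_start_sectors):
    """Cross-check a computed offset with the value from /sys/block/.../mmcblk0pN/start."""
    for entry_name, start, _size in entries:
        if entry_name == name:
            return start == sysfs_start_sectors * 512
    raise KeyError(name)


def scatter_text(entries):
    """Emit one scatter block per partition.

    type/region/storage/operation_type are the usual values for user-area
    partitions; file_name and is_download are placeholders. Boot-region entries
    (preloader) and entries the vendor marks INVISIBLE/NONE must be copied from
    the vendor scatter instead.
    """
    blocks = []
    for index, (name, start, size) in enumerate(entries):
        blocks.append(
            "- partition_index: SYS%d\n"
            "  partition_name: %s\n"
            "  file_name: %s.img\n"
            "  is_download: true\n"
            "  type: NORMAL_ROM\n"
            "  linear_start_addr: 0x%X\n"
            "  physical_start_addr: 0x%X\n"
            "  partition_size: 0x%X\n"
            "  region: EMMC_USER\n"
            "  storage: HW_STORAGE_EMMC\n"
            "  boundary_check: true\n"
            "  is_reserved: false\n"
            "  operation_type: UPDATE\n"
            "  reserve: 0x00\n" % (index, name, name, start, start, size))
    return "\n".join(blocks)


if __name__ == "__main__":
    table = layout(parse_partition_sizes(GETVAR_OUTPUT), PARTITION_ORDER)
    for name, start, size in table:
        print("%-10s start=0x%-10X size=0x%X" % (name, start, size))
    print(scatter_text(table))
```

Feed it the real `getvar all` text (redirect stderr: `fastboot getvar all 2> getvar.txt`) and the real by-name order, then compare the printed starts with the sysfs values; a mismatch means a gap or an unlisted partition, and the scatter is wrong until it is explained.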
Just discovered another problem. When I try to edit anything in /system it says it's read only. Mounting it or remounting it shows as successful with no errors, but something is blocking it from mounting as system. I am trying to rename this audio_effects.conf and it won't let me. I think it might be some proprietary code in the kernel designed to block mounting or remounting of certain or all partitions.
I think that a lot of them are software locked, like the fader and balance and volume level. Notice how some of these have glitches when turning the volume up and down. I think that there is some code that disables some functions of higher end units, depending on the model. If you buy a cheaper 100 dollar head unit, maybe it is indeed just software locked down.
I know for a fact the amp chip in my head unit, YD7388, spec sheet says 4 channel. But my device is only 2 channel, no fader. Also the spec sheet says it needs no output capacitor but mine has one, I think (there is a huge capacitor soldered next to the chip). I have some pics of the board and test points and chip markers etc. Once I have everything ready I will make a nice guide.
Wow I think I found the reason this thing outputs as 2 channel on 4 speakers. I need someone with a real 4 channel version to message me so I can get a few files for comparison. If this is the case, a simple magisk module would fix the fixed 2 channel problem we have. In the audio_policy_configuration.xml they have all output set as
XML:
<devicePort tagName="FM Tuner Out" type="AUDIO_DEVICE_OUT_FM" role="sink">
    <profile name="" format="AUDIO_FORMAT_PCM_16_BIT"
             samplingRates="44100" channelMasks="AUDIO_CHANNEL_OUT_STEREO"/>
</devicePort>
I wonder if you set AUDIO_CHANNEL_OUT_STEREO to multichannel, or maybe "AUDIO_CHANNEL_OUT_QUAD" as described in the official Android docs, whether that would enable true 4 channel (or 5.1)?
If someone has a real 4 channel stereo and it is around the model of yt9213aj, then send me a message so we can collaborate. If you are not rooted do not worry, I will help you.