How To Guide [Advanced] Bypassing rollback protection to downgrade the OS - Nothing Phone 1

The Nothing Phone uses Android Verified Boot 2.0, which includes a rollback protection mechanism that combines anti-tamper storage and a verified boot flow to prevent downgrades.
This guide shows how to bypass this protection on an unlocked device. The guide assumes some familiarity with platform tools and the command line, so not all steps have long explanations. In other words, it's not a full tutorial for complete beginners, a little bit of knowledge is assumed.
Also, there's quite a bit of setup required, this isn't a 5 minute procedure, so brace yourself for a wall of text =)
How it works:
In theory, a bootloader in UNLOCKED state should ignore rollback protection (according to the documentation).
However, the Nothing Phone bootloader seemingly refuses to boot to fastbootd userspace without a valid vbmeta, even in UNLOCKED state.
Even with rollback protection, since the bootloader is unlocked it will still accept any signature key (otherwise you couldn't root the phone or install alternative OSes).
So we can just feed it an old version with the rollback index of a new version, sign it with a random key, and as far as the bootloader is concerned the rollback index hasn't changed, so boot can continue.
(And this is why Android specifies that rollback should be ignored in UNLOCKED state, it's pointless to try to block downgrades when the root of trust is the user)
We do this by flashing the first part of a stock full OTA of an older version, then crafting custom vbmeta and vbmeta_system partitions with AVB tools to get to fastbootd userspace.
Then we can flash the rest of the OTA, wipe data, and reboot into the OS.
Prerequisites:
- Backups of your data, downgrades almost always require a wipe
- A working, unlocked bootloader (non-userspace fastboot)
- A full OTA .zip that you want to rollback to
  - If you want to rollback to a version that only has an incremental OTA, start by rolling back to the next older full OTA, then sideload the updates to that version.
- The android platform tools and driver, to send fastboot commands
- The openssl command line tool (https://wiki.openssl.org/index.php/Binaries), to generate VBMeta keys
- ssut's payload-dumper-go (https://github.com/ssut/payload-dumper-go) to extract the OTA partition images
- The android AVB 2.0 tools (https://android.googlesource.com/platform/external/avb/), to forge the two VBMeta partitions
- Either of:
  - The rollback index number corresponding to your version of the OS (if you know it)
  - A fully booted and rooted device on the same version as your current device, to extract the rollback index from the vbmeta partition on the phone
  - A full OTA of a version at least as new as the one on your phone, to read the rollback index from vbmeta.img
Procedure:
WARNING: Despite the phone having A/B slots, flashing an older OTA is LIKELY to break both slots. Do not attempt this if you're not ready to go all the way and do a full wipe.
Part 1: Prepare the target full OTA image to rollback to
- Create an empty folder to hold the working files we'll use during the guide.
- Open a command shell into that folder, the rest of the guide assumes all paths are relative to this folder
- Download the full OTA .zip you want to flash and save it at ./target-ota.zip (in the folder you created above)
- Extract the partitions from the OTA using payload-dumper-go: payload-dumper-go -o target-ota target-ota.zip
(This assumes payload-dumper-go is in your PATH, if not use the correct path to payload-dumper-go from your command line)
Part 2: Get the rollback index of your current version
Each time you upgrade, the rollback protection keeps track of a number called the "rollback index" (it actually can keep track of several, but the Nothing Phone only really uses one).
In the next steps, we will need to edit the older target OTA with the rollback index that matches the version currently on your phone.
If the rollback index you use is too low, the bootloader will refuse to boot. If it's too high, your phone will be stuck at that version and reject official OTAs and custom ROMs until they increment their rollback index above yours.
If you don't already know the rollback index of your current version from a public list, you can extract it from your current vbmeta partition:
a) On a rooted phone (either your phone, or a phone with the _same version_ as yours) dump the vbmeta and vbmeta_system partitions for the current slot
If you don't have any special tool to dump partitions, you can do it with just the platform tools and a root shell:
- On a root shell on the phone, run ls -la /dev/block/bootdevice/by-name, and note the path to your current slot's vbmeta and vbmeta_system partitions (e.g. /dev/block/sde14 and /dev/block/sda7 on my phone)
- On your computer, use adb shell and dd to dump the partitions, replacing the /dev/block/$DEV values by the paths you found in the last command:
adb shell "su -c 'stty raw; dd if=/dev/block/$DEV'" > vbmeta.img
adb shell "su -c 'stty raw; dd if=/dev/block/$DEV'" > vbmeta_system.img
b) If you have the full OTA of the version currently running on your phone:
- Extract the OTA with payload-dumper-go (as above) and copy the vbmeta.img and vbmeta_system.img to the working directory
Now that you have vbmeta.img and vbmeta_system.img, use the AVB 2.0 tools (see prerequisites) to read the image info:
./avb/avbtool.py info_image --image vbmeta.img
./avb/avbtool.py info_image --image vbmeta_system.img
These two commands will each print the contents of the VBMeta structure. Look for the "Rollback Index" and "Rollback Index Location" values in the output.
The vbmeta image should have location 0 and index 0, and a "Chain Partition descriptor" that points to vbmeta_system with "Rollback Index Location" value 2
The vbmeta_system should have location 0, and a large number (timestamp) in the rollback index. This is the rollback index value we care about, keep a note of it.
For instance, for my 1.1.4 EEA version, the rollback index of vbmeta_system is 1661990400.
If the other values aren't 0, 0, and 2 for the chain descriptor, you may need to adapt later commands to pass those newer values. If you're unsure, stop.
Flashing bad rollback indexes may cause your phone to reject future legitimate ROMs that have a lower index.
Part 3: Forge the vbmeta partitions
- Using the openssl command line tools, generate two new keys to sign the vbmeta partition:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM -out rsa_vbmeta_system.pem
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform PEM -out rsa_vbmeta.pem
- Using AVB tools (see prerequisites), generate a forged vbmeta_system image:
(Don't forget to replace the $ROLLBACK_INDEX in the command by the value you found above)
./avb/avbtool.py make_vbmeta_image --output vbmeta_system_forged.img --rollback_index $ROLLBACK_INDEX --rollback_index_location 0 --algorithm SHA256_RSA2048 --key rsa_vbmeta_system.pem --include_descriptors_from_image target-ota/product.img --include_descriptors_from_image target-ota/system.img --include_descriptors_from_image target-ota/system_ext.img
And a forged vbmeta image:
./avb/avbtool.py make_vbmeta_image --output vbmeta_forged.img --rollback_index 0 --rollback_index_location 0 --algorithm SHA256_RSA4096 --key rsa_vbmeta.pem --chain_partition vbmeta_system:2:vbmeta_system_forged.img --set_hashtree_disabled_flag --include_descriptors_from_image target-ota/boot.img --include_descriptors_from_image target-ota/dtbo.img --include_descriptors_from_image target-ota/vendor_boot.img --include_descriptors_from_image target-ota/odm.img --include_descriptors_from_image target-ota/vendor.img
Part 4: Reach userspace fastbootd
Time to flash the first part of the stock OTA and our forged vbmeta.
Reboot into the bootloader (either adb reboot bootloader, fastboot reboot bootloader, or manually).
Pick the A/B slot you want with fastboot, for instance fastboot set_active a
In your command prompt, flash these partitions from the target stock OTA. (Make sure you have a recent enough version of fastboot from the platform tools):
fastboot flash abl target-ota/abl.img
fastboot flash aop target-ota/aop.img
fastboot flash bluetooth target-ota/bluetooth.img
fastboot flash boot target-ota/boot.img
fastboot flash vendor_boot target-ota/vendor_boot.img
fastboot flash cpucp target-ota/cpucp.img
fastboot flash devcfg target-ota/devcfg.img
fastboot flash dsp target-ota/dsp.img
fastboot flash dtbo target-ota/dtbo.img
fastboot flash featenabler target-ota/featenabler.img
fastboot flash hyp target-ota/hyp.img
fastboot flash imagefv target-ota/imagefv.img
fastboot flash keymaster target-ota/keymaster.img
fastboot flash modem target-ota/modem.img
fastboot flash multiimgoem target-ota/multiimgoem.img
fastboot flash qupfw target-ota/qupfw.img
fastboot flash shrm target-ota/shrm.img
fastboot flash tz target-ota/tz.img
fastboot flash uefisecapp target-ota/uefisecapp.img
fastboot flash xbl target-ota/xbl.img
fastboot flash xbl_config target-ota/xbl_config.img
Flash our forged vbmeta:
fastboot --disable-verity --disable-verification flash vbmeta_system vbmeta_system_forged.img
fastboot --disable-verity --disable-verification flash vbmeta vbmeta_forged.img
And now you should be able to reboot to userspace fastbootd:
fastboot reboot fastboot
If your device reboots to bootloader (you do not see fastbootd at the top of the screen, and fastboot getvar is-userspace says no), something went wrong. Stop, make sure you understood the steps correctly, and try again.
Part 5: Flash the rest, wipe data, and boot into the OS
Now that we're in userspace fastbootd, we can flash the virtual partitions that require a running kernel. Make sure the slot hasn't changed, and run:
fastboot flash odm target-ota/odm.img
fastboot flash product target-ota/product.img
fastboot flash system target-ota/system.img
fastboot flash system_ext target-ota/system_ext.img
fastboot flash vendor target-ota/vendor.img
When this is done, reboot the device.
If the device reboots to bootloader, something went wrong. Stop and try the steps above again.
If you reach a screen saying "Can't load android system, your data may be corrupt", that is normal.
This means we successfully booted into the kernel, bypassed the rollback protection, but the older OTA we flashed can't run with your current data partition (either because of incompatibility, or the encryption ratchet's separate anti-rollback)
Wipe the data partition using the menu option.
On next reboot you'll reach the Android setup wizard.
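
The rollback-index check discussed in the post above, as an added example that is not part of the original post or of avbtool: it decodes the 256-byte vbmeta header (the fields `info_image` prints) and models the comparison against the stored index. The header bytes and the `OLDER` value are constructed, and `rollback_check` is a simplified model rather than bootloader code; note that the index sits inside the signed header, so it is only as trustworthy as the key check in front of it.

```python
import struct
from dataclasses import dataclass

# AvbVBMetaImageHeader is 256 bytes, big-endian; avbtool's info_image decodes
# the same layout. Offsets: rollback_index @112, flags @120, location @124.
HEADER_FMT = "!4s2L2QL10QQLL47sx80x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)

FLAGS = {1 << 0: "HASHTREE_DISABLED", 1 << 1: "VERIFICATION_DISABLED"}
ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096"}


@dataclass
class VBMetaHeader:
    avb_version: str
    algorithm: str
    rollback_index: int
    rollback_index_location: int
    flags: list
    release: str


def parse_vbmeta_header(blob: bytes) -> VBMetaHeader:
    """Decode the fixed header of a standalone vbmeta image (not a footer)."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("image shorter than the 256-byte vbmeta header")
    f = struct.unpack(HEADER_FMT, blob[:HEADER_SIZE])
    if f[0] != b"AVB0":
        raise ValueError("bad magic: not a vbmeta image")
    rollback_index, flags, location, release = f[16:20]
    return VBMetaHeader(
        avb_version=f"{f[1]}.{f[2]}",
        algorithm=ALGORITHMS.get(f[5], f"unknown({f[5]})"),
        rollback_index=rollback_index,
        rollback_index_location=location,
        flags=[name for bit, name in FLAGS.items() if flags & bit],
        release=release.split(b"\0", 1)[0].decode("ascii", "replace"),
    )


def rollback_check(image_index: int, stored_index: int) -> str:
    """Simplified model of the comparison against tamper-evident storage."""
    if image_index < stored_index:
        return "reject"            # downgrade: image is older than storage
    if image_index > stored_index:
        return "accept+ratchet"    # storage would be raised to image_index
    return "accept"


def audit(blob: bytes, stored_index: int) -> list:
    """Findings a reviewer would want before trusting a vbmeta image."""
    h = parse_vbmeta_header(blob)
    findings = [f"rollback_check={rollback_check(h.rollback_index, stored_index)}"]
    findings += [f"flag={name}" for name in h.flags]
    if h.algorithm == "NONE":
        findings.append("unsigned")
    return findings


def build_sample(index, flags=0, location=0, algorithm=1) -> bytes:
    """Constructed header for the demo; a real image also carries signature
    and descriptor blocks after these 256 bytes."""
    return struct.pack(HEADER_FMT, b"AVB0", 1, 0, 0, 0, algorithm,
                       *([0] * 10), index, flags, location, b"avbtool 1.2.0")


if __name__ == "__main__":
    STORED = 1661990400            # value the post reports for 1.1.4 EEA
    OLDER = 1659312000             # constructed: some earlier build's index
    for label, blob in [("older build", build_sample(OLDER)),
                        ("same index, hashtree off", build_sample(STORED, flags=1)),
                        ("too-high index", build_sample(STORED + 86400))]:
        print(label, "->", audit(blob, STORED))
```

The third sample shows the "too high" case from Part 2: once storage ratchets to that value, every image with a lower index is rejected.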

Very nice if this works. Someone could go back to 1.0, extract super.img and we could go back in a few minutes with the unbrick tutorial.
May I ask why your account was created today and the first post is a fairly complex tutorial with much potential?

No particular reason, I like figuring things out myself so I don't usually post much to ask for help (unless it's really bad!).
I broke my 1.1.4 EEA yesterday and it took me a few hours to figure out how to rollback to 1.1.3, so I figured it might be worth sharing on the off chance it helps anyone else =]

Thanks, been waiting for a method to revert back to 1.1.3. Gonna try this tonight

AVB Delenda Est said:
> No particular reason, I like figuring things out myself so I don't usually post much to ask for help (unless it's really bad!).
> I broke my 1.1.4 EEA yesterday and it took me a few hours to figure out how to rollback to 1.1.3, so I figured it might be worth sharing on the off chance it helps anyone else =]
Am I right that we don't need to do this on every device? We only need patched files for each software version and region and share them with others?

It was a bit of a hassle relocking the bootloader but it worked eventually. Back at 1.1.3. stock rom EEA with locked bootloader and everything is 120fps again.
I tried the resigning etc, but that didn't work for me with relocking the bootloader, so after the first time flashing the resigned img files I reflashed it with the original vbmeta and vbmeta_system files. After that I rebooted and done.
Thanks a lot for the guide!

Awesome guide

Havoc71 said:
> It was a bit of a hassle relocking the bootloader but it worked eventually. Back at 1.1.3. stock rom EEA with locked bootloader and everything is 120fps again.
> I tried the resigning etc, but that didn't work for me with relocking the bootloader, so after the first time flashing the resigned img files I reflashed it with the original vbmeta and vbmeta_system files. After that I rebooted and done.
> Thanks a lot for the guide!
No need to downgrade or stay on 1.1.3 just for these refresh rate problems, there are some solutions:
Nothing Phone (1) Lag on 120hz.
Hello, good afternoon. I write this message because my Iphone 1 when using it at 120 hz, the animations look very laggy. I use Nothing Os 1.1.6 EEA. I have already factory reset but everything is still the same. When asking for forums and...
forum.xda-developers.com

There is a difference between lag and actually having a drop in framerates from 120 to 60 in some applications since 1.1.4.
Rest assured that I have tried every "trick".
Just try Pokemon Go, Ingress Prime and Star Trek Timelines. Enable fps on screen and you'll see what I mean.
And even though I appreciate the effort, I am very pleased to run 1.1.3. on my phone again with fully locked bootloader and my games running like I want them to run. I'll wait until Pei and his bunch of merry men get their act together.

Havoc71 said:
> There is a difference between lag and actually having a drop in framerates from 120 to 60 in some applications since 1.1.4.
> Rest assured that I have tried every "trick".
> Just try Pokemon Go, Ingress Prime and Star Trek Timelines. Enable fps on screen and you'll see what I mean.
> And even though I appreciate the effort, I am very pleased to run 1.1.3. on my phone again with fully locked bootloader and my games running like I want them to run. I'll wait until Pei and his bunch of merry men get their act together.
You are right, all is perfectly stable in 120 hz but all games are played at 60 hz from the 1.1.4
I also hope for a good next update to fix that. Thanks for your explanation.

And thank you for trying to help. Much appreciated

Is there any video of this procedure? Seems pretty hard and risky

AVB Delenda Est said:
> The Nothing Phone uses Android Verified Boot 2.0, which includes a rollback protection mechanism that combines anti-tamper storage and a verified boot flow to prevent downgrades.
> [...]
Please help me disable the rollback protection, please.

AVB Delenda Est said:
> No particular reason, I like figuring things out myself so I don't usually post much to ask for help (unless it's really bad!).
> I broke my 1.1.4 EEA yesterday and it took me a few hours to figure out how to rollback to 1.1.3, so I figured it might be worth sharing on the off chance it helps anyone else =]
Please help me disable the rollback protection.

Please help me disable the rollback protection on T95-H616-A24.img

Related

fastbooting and boot images

Hey all.
I was playing around with my old Pixel earlier and I realized that using twrp, as far as from fastboot is concerned, can be loaded: 'fastboot boot twrp.img' while Essential users do 'fastboot flash boot twrp.img'. On an adventure, I tried 'fastboot boot twrp.img' on my Essential, but to no success "FAILED (remote: unknown command)". I've tracked down that fastboot expects a kernel and ramdisk, which is contained in a boot.img. I took a look inside the two img files (stock boot.img, versus twrp_mata_11.img) but I don't really know what I'm looking at. I see a very obvious difference in size for the ramdisk and in the below code the 'cmdline' which, I'm taking an uneducated guess is basically extra arguments sent to the kernel(?) during boot.
So I'm curious, why is it that Pixel can boot without installing over the in-place boot, while Essential must overwrite it? They're both A/B phones.
I'm just asking out of the sake of curiosity. I am here to learn.
Thank you.
actual boot image:
Code:
$ ./bootimg.exe --unpack-bootimg boot.img
arguments: [bootimg file]
bootimg file: boot.img
output: kernel[.gz] ramdisk[.gz] second[.gz]
base: 0x0
ramdisk_addr: 0x1000000
second_addr: 0xf00000
tags_addr: 0x100
page_size: 4096
name: ""
cmdline: "quiet androidboot.hardware=mata user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 sched_enable_hmp=1 sched_enable_power_aware=1 service_locator.enable=1 swiotlb=2048 androidboot.configfs=true androidboot.usbcontroller=a800000.dwc3 androidboot.selinux=permissive buildvariant=user veritykeyid=id:84678c054b9c09576bf1ecb156ea6e5e65f52593"
padding_size=4096
arguments: [ramdisk file] [directory]
ramdisk file: ramdisk.gz
directory: initrd
output: cpiolist.txt
compress: True
twrp boot image:
Code:
$ ./bootimg.exe --unpack-bootimg boot.img
arguments: [bootimg file]
bootimg file: boot.img
output: kernel[.gz] ramdisk[.gz] second[.gz]
base: 0x80000000
ramdisk_addr: 0x81000000
second_addr: 0x80f00000
tags_addr: 0x80000100
page_size: 4096
name: ""
cmdline: "androidboot.hardware=mata user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 [email protected] buildvariant=eng"
padding_size=4096
arguments: [ramdisk file] [directory]
ramdisk file: ramdisk.gz
directory: initrd
output: cpiolist.txt
compress: True
What is going on.... Is that with Pixel devices....you BOOT TWRP first on its own sans flashing. Then you install TWRP from within TWRP. Hence, "fastboot boot twrp.img" versus "fastboot flash boot boot.img". On Pixel devices, TWRP gets installed to your A and B ROM firmware slots, whereas on Essential TWRP lives in the boot partition.
At least that is my loose understanding of it.
https://forum.xda-developers.com/pixel-xl/development/twrp-alpha1-pixel-devices-t3500312
Whereas TWRP on Essential is always temporary.
Skripka said:
> What is going on.... Is that with Pixel devices....you BOOT TWRP first on its own sans flashing. Then you install TWRP from within TWRP. Hence, "fastboot boot twrp.img" versus "fastboot flash boot boot.img". On Pixel devices, TWRP gets installed to your A and B ROM firmware slots, whereas on Essential TWRP lives in the boot partition.
> At least that is my loose understanding of it.
> https://forum.xda-developers.com/pixel-xl/development/twrp-alpha1-pixel-devices-t3500312
> Whereas TWRP on Essential is always temporary.
Thanks for the reply!
Is it then theoretically possible to make a bootable twrp that we don't actually write to Essential boot?
For instance, since twrp is always and forever temporary on the Essential, just for simplicity, wouldn't it be a lot easier to just boot from a "temp twrp boot image" (not actually installing it) to install zips? Then we don't have to redo the stock boot, then custom kernel (if applicable) and then Magisk (if applicable) each time?
Again, just here to learn so if this is not feasible, it is what it is.
Thanks again.
jake5253 said:
> Thanks for the reply!
> Is it then theoretically possible to make a bootable twrp that we don't actually write to Essential boot?
> For instance, since twrp is always and forever temporary on the Essential, just for simplicity, wouldn't it be a lot easier to just boot from a "temp twrp boot image" (not actually installing it) to install zips? Then we don't have to redo the stock boot, then custom kernel (if applicable) and then Magisk (if applicable) each time?
> Again, just here to learn so if this is not feasible, it is what it is.
> Thanks again.
That would be a question for someone who knows a ton more about TWRP than I.
I suspect it has to do with how Essential is partitioned and loads things. But that is just a hunch. Although with for example LineageOS's built-in updater and how Magisk work--there's very little need for regular TWRP access...unlike the Good Old Days even 2 years ago where TWRP was where everything was to do anything firmware related on your phone.
we don't have that command available, which is why it doesn't work.
there is no "fastboot boot" anything available
aer0zer0 said:
> we don't have that command available, which is why it doesn't work.
> there is no "fastboot boot" anything available
I guess I thought 'boot' was an argument as part of the fastboot command on the PC end of things. (Which it probably is, and then fastboot sends whatever commands to the phone which on the Pixel cause it to boot a 'temp image', just doesn't work the same on Essential as it does for others)
I just tried to 'fastboot boot' an actual boot.img and I get the same command failed, so this makes sense; it just doesn't have the ability to boot from an unflashed, temp boot.img... I don't know why I didn't think to test booting an actual boot image before asking.
I just assumed that fastboot was created equally for any phones that allowed fastboot at all.
From my searching, it's actually kind of hard to track down any documentation worth reading on fastboot. The best I was able to locate was basically man page for fastboot, which is minimal at best.
Thanks guys for clearing this up!
jake5253 said:
I guess I thought 'boot' was an argument as part of the fastboot command on the PC end of things. (Which it probably is, and then fastboot sends whatever commands to the phone which on the Pixel cause it to boot a 'temp image', just doesn't work the same on Essential as it does for others)
I just tried to 'fastboot boot' an actual boot.img and I get the same command failed, so this makes sense; it just doesn't have the ability to boot from an unflashed, temp boot.img... I don't know why I didn't think to test booting an actual boot image before asking.
I just assumed that fastboot was created equally for any phones that allowed fastboot at all.
From my searching, it's actually kind of hard to track down any documentation worth reading on fastboot. The best I was able to locate was basically the man page for fastboot, which is minimal at best.
Thanks guys for clearing this up!
we have beat that drum at the AMA's to get them to add fastboot boot to the aboot. You should too, since you realize the potential
aer0zer0 said:
we have beat that drum at the AMA's to get them to add fastboot boot to the aboot. You should too, since you realize the potential
I always miss the AMAs. If I'm reading the most current plans, it should be the 3rd Wednesday each month, so March 21st? I also see on the latest one, there's a decently up-voted post which suggests adding fastboot boot, amongst other things.
Essential even responded with:
I too like to be able to boot a boot.img from memory, and we have this in our backlog, but it just isn't getting any love from our developers given our other priorities. No promises, but it's on our radar.
I'll attempt to be a part of the next AMA and push for fastboot boot.
Thanks

[ROM][October Update] [V9.6.15.0.ODIMIFE][Fastboot rom]

FASTBOOT firmware for MI A2 Android 8.1.0_V9.6.15.0.ODIMIFE
with the October security update
complete set for firmware and tools and boot patched by Magisk patched_boot.img
checked by me flash_all_exept_data over the 14th beta
Invalid file format with a magic header - do not pay attention
flashing long time, about 20-30 minutes
Thanks to the 4PDA and XDA communities
I mean ... is the October fastboot rom ready to flash with miflash and comes with root?
rulezman said:
FASTBOOT firmware for MI A2 Android 8.1.0_V9.6.15.0.ODIMIFE
with the October security update
complete set for firmware and tools and boot patched by Magisk patched_boot.img
checked by me flash_all_exept_data over the 14th beta
Invalid file format with a magic header - do not pay attention
flashing long time, about 20-30 minutes
Thanks to the 4PDA and XDA communities
Heard that there are two Oct updates, may I know if yours is the latest?
.15 is the second (latest) October update.
Guys, my phone is currently in august update (and I've unlocked and rooted the device with Magisk to enable camera api 2). What should I do to OTA successfully and safely? Thanks in advance!
Can't flash through miui flasher. Is it possible to flash this through recovery?
Have you tested?
I tested, it worked. Updated to Oct update thru fast boot.
There's a minor glitch - you have to remove the space of the folder name, otherwise windows cannot find correct folder location.
Xyam said:
I tested, it worked. Updated to Oct update thru fast boot.
There's a minor glitch - you have to remove the space of the folder name, otherwise windows cannot find correct folder location.
You mean remove space "_" ?
MI_A2_Android 8.1.0_V9.6.15.0.ODIMIFE_fastboot
Ind33d said:
You mean remove space "_" ?
MI_A2_Android 8.1.0_V9.6.15.0.ODIMIFE_fastboot
There is a space between "Android" and "8.1.0", the space must be removed or replaced by other characters.
Xyam said:
There is a space between "Android" and "8.1.0", the space must be removed or replaced by other characters.
MI_A2_Android8.1.0_V9.6.15.0.ODIMIFE_fastboot
Like this?
Ind33d said:
MI_A2_Android8.1.0_V9.6.15.0.ODIMIFE_fastboot
Like this?
Yup
I lost my WLAN MAC address by flashing this; I'm flashing again now without without_data.
Has anyone ever seen that problem?
Never mind, the 3rd time it worked.
9.6.16 is out can you provide fastboot archive?
hugopg said:
Guys, my phone is currently in august update (and I've unlocked and rooted the device with Magisk to enable camera api 2). What should I do to OTA successfully and safely? Thanks in advance!
I researched this for such a long time; I'm in exactly the same situation as you, rooted with Magisk, camera2api, Substratum, things like that, on the August patch.
Later on I figured out a way to update without losing any data or wiping the phone, which is:
1. Download the full stock ROM of the August patch; it should be tgz files. Extract it.
2. Make sure you have adb, fastboot and all that installed on the PC, and also the Mi A2 drivers.
3. On the phone, go to developer options and turn on USB debugging; I guess you have already done it since you rooted the phone.
4. Now connect the phone to the PC in fastboot mode.
5. After extracting the tgz August stock ROM, go to the folder "image".
6. Hold Shift and right-click to open cmd or, in my case, Windows PowerShell.
7. Type fastboot devices to see if your phone is connected properly.
8. Paste these codes and hit Enter.
9. After that the phone will reboot, and after it boots successfully go to Settings > System update and start installing the OTA without issues.
The codes :
fastboot flash bluetooth_a bluetooth.img
fastboot flash bluetooth_b bluetooth.img
fastboot flash devcfg_a devcfg.img
fastboot flash devcfg_b devcfg.img
fastboot flash dsp_a dsp.img
fastboot flash dsp_b dsp.img
fastboot flash modem_a modem.img
fastboot flash modem_b modem.img
fastboot flash xbl_a xbl.img
fastboot flash xbl_b xbl.img
fastboot flash pmic_a pmic.img
fastboot flash pmic_b pmic.img
fastboot flash rpm_a rpm.img
fastboot flash rpm_b rpm.img
fastboot flash tz_a tz.img
fastboot flash tz_b tz.img
fastboot flash hyp_a hyp.img
fastboot flash hyp_b hyp.img
fastboot flash keymaster_a keymaster.img
fastboot flash keymaster_b keymaster.img
fastboot flash cmnlib64_a cmnlib64.img
fastboot flash cmnlib64_b cmnlib64.img
fastboot flash cmnlib_a cmnlib.img
fastboot flash cmnlib_b cmnlib.img
fastboot flash abl_a abl.elf
fastboot flash abl_b abl.elf
fastboot flash boot_a boot.img
fastboot flash boot_b boot.img
fastboot flash system_a system.img
fastboot flash system_b system.img
fastboot flash vendor_a vendor.img
fastboot flash vendor_b vendor.img
fastboot flash mdtp_a mdtp.img
fastboot flash mdtp_b mdtp.img
fastboot flash splash splash.img
fastboot flash mdtpsecapp_a mdtpsecapp.img
fastboot flash mdtpsecapp_b mdtpsecapp.img
fastboot flash storsec storsec.mbn
fastboot reboot
I guess that every patch on the Mi A2 will work with this method; I haven't tested with any version other than the August patch. Let me know if it works!
pani690 said:
Can't flash through miui flasher. Is it possible to flash this through recovery?
Search google for mi a2 manually flash firmware.
The result that said "techdroider.com" will be the answer you looking for.
If you don't want to lose any data but still wanna update, remove line "fastboot....userdata.img"
No November update?
Xyam said:
I tested, it worked. Updated to Oct update thru fast boot.
There's a minor glitch - you have to remove the space of the folder name, otherwise windows cannot find correct folder location.
File link does not exist, please give a working link.

[ROM][STOCK][FASTBOOT][OP8] Stock Fastboot ROMs for OnePlus 8

Things are changing with the advent of Project Treble and seamless updates. OnePlus will no longer release ROMs flashable via recovery (either stock) because it is no longer needed. The updates will be done on the slot not in use: for example, if you are using slot a, the update will be installed on slot b and slot b will be set as default. If you brick and you are in a bootloop, how can you restore the ROM? You can't with the stock ROM you have, because the zip can only be installed via Update Engine, so what can you do? Flash a stock ROM via fastboot. I have extracted all images from the stock zip and I have made a new zip with the Fastboot ROM with a flash-all.bat included. This will work only if your bootloader is unlocked. This will erase all your data and will wipe your internal storage.
HOW TO FLASH
This version is only for not branded devices
Download the zip;
Unpack the zip in a folder;
Reboot the OnePlus 8 in fastboot-bootloader mode (Power and volume + and volume-);
Connect the OnePlus 8 to PC;
Run flash-all.bat flasher you need;
Wait until the process end;
The phone will automatically reboot.
DOWNLOAD
All roms on Sourceforge: https://sourceforge.net/projects/fastbootroms/files/OnePlus 8
BRANDED PHONE
For now branded device are not supported
MANUAL FLASH: Windows - OSX - Linux
If you want to manually flash these ROMs, these are the commands (you need the latest SDK platform tools, you can find it here)
It is recommended to format data or the ROM cannot boot:
Code:
fastboot -w
Other commands to flash a fastboot ROM
Code:
fastboot flash aop aop.img
fastboot flash bluetooth bluetooth.img
fastboot flash boot boot.img
fastboot flash dsp dsp.img
fastboot flash dtbo dtbo.img
fastboot flash LOGO LOGO.img
fastboot flash modem modem.img
fastboot flash oem_stanvbk oem_stanvbk.img
fastboot flash qupfw qupfw.img
fastboot flash storsec storsec.img
fastboot flash multiimgoem multiimgoem.img
fastboot flash uefisecapp uefisecapp.img
fastboot flash recovery recovery.img
fastboot --disable-verity flash vbmeta vbmeta.img
fastboot --disable-verity flash vbmeta_system vbmeta_system.img
fastboot flash opproduct opproduct.img
fastboot reboot fastboot
fastboot flash system system.img
fastboot flash vendor vendor.img
fastboot flash product product.img
fastboot reboot
REMEMBER
"Invalid sparce file format at header magic" is not an error, you need to wait a bit when you see that string, just wait.
If the device automatically reboot in Stock Recovery mode don't reboot it and wait the flash end.
These ROMs can't be used to update or downgrade your phone but just to restore your phone.
If the rom seems doesn't start go in recovery stock and follow this guideline: English -> Wipe data and cache -> Erase everything.
If you want to rebrand your phone from HydrogenOS to OxygenOS you can follow this guide: Rebrand Guide
If you want you can use also my tool to flash Factory Images, unlock bootloader, flash twrp or to understand if the device is recognized: https://toolaio.tk/
If you got some problems like write error or no partition, check this: https://forum.xda-developers.com/showpost.php?p=76658555&postcount=34
DONATE LINK
If you want to support this and others my projects please consider making a donation, thanks.
Branded devices is for example a Chinese version with HydrogenOS to which OxygenOS has been installed? If so, how can a branded device be recovered?
Thanks
Hi guys, i'm here again to ask for your support, actually with android 10 Google introduced a lot of changing, from dynamic partitions to the new keymaster 4 encryption/decryption. Teamwin is working hard to update TWRP but they will still take some time. Currently some things already work but there are difficulties in bringing them to the OnePlus 8/8 Pro, for example decryption already works but creates some problems on the OnePlus devices. That's why I decided to create a Paypal moneybox to be able to bring you the latest updates in the shortest time possible. As I have previously done, I assure you of a support of at least 2 years (within the limits of my possibilities). In addition to the TWRP I will improve the fastboot roms and add OnePlus 8/8 Pro to my TOOL ALL IN ONE (and maybe I will also bring the RevengeOS). By getting hold of a OnePlus 8 or 8 Pro I will also be able to improve the TWRP for OnePlus 7T and 7T Pro.
OnePlus 8/8 Pro PayPal MoneyBox: https://www.paypal.com/pools/c/8pfrIOL3Qa
If you are unable to participate in the PayPal moneybox, you can make a normal donation (perhaps specifying that it is for the moneybox), however all private donations that I will receive for this or other projects will be included in the moneybox.
Private PayPal Donations: https://www.paypal.me/MauronofrioTool
Why after flash it, it boot up to Qualcomm crashdump mode and how to fix?
sakun-ice said:
Branded devices is for example a Chinese version with HydrogenOS to which OxygenOS has been installed? If so, how can a branded device be recovered?
Thanks
I think unbranded devices mean the device bought from T-Mobile or Verizon. Nothing to do with Chinese version flash OxygenOS, if I'm not wrong.
Can't seem to get this to work. I'm trying to flash a stock rom for my OnePlus 8 after bricking it during a rooting process.
The device' bootloader is obviously unlocked and i can get the phone into Fastboot mode and connected to my PC.
The only issue is when i execute the flash-all.bat file, it can't seem to flash any of the files and gives an error consisting of the message "FAILED (remote: 'Flashing is not allowed for Critical Partitions').
What to do guys? Can anyone help me out.
Does anyone know where to find mobile oneplus 8 5g tmobile from mine is bricked I had same error as post above
KJStar said:
Can't seem to get this to work. I'm trying to flash a stock rom for my OnePlus 8 after bricking it during a rooting process.
The device' bootloader is obviously unlocked and i can get the phone into Fastboot mode and connected to my PC.
The only issue is when i execute the flash-all.bat file, it can't seem to flash any of the files and gives an error consisting of the message "FAILED (remote: 'Flashing is not allowed for Critical Partitions').
What to do guys? Can anyone help me out.
Try to flash the fastboot ROM with "Tool All In One"; it worked for me.
I needed modem I forgot to fastboot reboot fastboot guy in post 6 that's all you need to do is reboot fastboot then flash all I was looking for different file
Never mind I fixed it by downloading ota and going to system updates in settings because fastboot won't flash to modem right
I am having issues flashing. flashing not allowed on critical partition. please help I tried to use the large address aware program but nothing has changed.
bluemoel said:
I am having issues flashing. flashing not allowed on critical partition. please help I tried to use the large address aware program but nothing has changed.
Make sure you're on the latest update: 10.5.8
Hi, do you know if patching with local update an Oxygen OS Europe release from a Global release may cause problems to the fingerprint? I have an IN2010 with the Global OxygenOS but I would like to switch to the European version because I live in Italy like you.
Why not flash reserve.img?
nnyd said:
Why not flash reserve.img?
Because it is placed in userdata and not in a dedicated partition
I have an issue trying to flash on fastboot. It says I can't flash on critical partitions. Yes, I know a lot of people are saying that, but what I haven't seen is this:
This is my problem:
Fastboot get device-info
(Bootloader) device unlocked:true
(Bootloader) device critical unlock: false
(Bootloader) charger screen enabled: true
I have already tried "fastboot flashing unlock_critical"
It says bootloader already unlocked. I then re lock bootloader which I know is not a good idea( reflash stock with msm tool) and it lock then I try unlock critical command again and it still says device critical unlock: false
I need help please.
I tried this method, not with the latest version; I tried the 10.5.4 global,
so it gave me all failed and errors to format and others,
then it restarted my phone to show me crashdump.
What should I do?
Should I use the latest version?
I hope you reply fast. Thank you.
Alucardo1 said:
I tried this method, not with the latest version; I tried the 10.5.4 global,
so it gave me all failed and errors to format and others,
then it restarted my phone to show me crashdump.
What should I do?
Should I use the latest version?
I hope you reply fast. Thank you.
Try again with 10.5.7. When it reboot to recovery, let it continue to run till it reboots on its own.
Unbrick from fastboot method
I hope I can help someone since I spent the whole night trying various methods to unbrick my Oneplus 8 and only this one worked for me JUST FOR INTERNATIONAL VERSION
You must have the drivers installed (Adb & Fastboot)
You must have your phone with the bootloader unlocked
1.- Download the file
2.-Unzip it
inside you will find Flash-all.bat
3.-Enter Fastboot mode
4.-Double click on the Flash-all.bat command
5.-It will direct you to the recovery, select the English language and restart in fastboot mode so that the process continues, wait for it to finish flashing everything and ready, the phone restarts on the latest version
https://mega.nz/folder/8tpUSSrR#7wH4NX_ccr2a6Ub8LXpsEA
Donate Link to support my work
https://paypal.me/pakomorales?locale.x=es_XC
cannot relock bootloader on oneplus 8
Bro, thanks for the fastboot ROM for OnePlus 8. I flashed your fastboot ROM 10.5.9 and everything was OK, but when I relocked the bootloader the phone became corrupted. What should I do?
Please help me.

Pixel 3a (Sargo) Treble Experimentations

I wanted to create a discussion for flashing GSI's and experimentations with Treble on our Pixel 3a. If you're unfamiliar with GSI's and Treble, please check out the wiki and FAQ here. Not all GSI's run flawless on our device, as to be expected, there WILL BE bugs here and there. These methods will wipe userdata, so backup all of your important data before attempting to flash a GSI. Make damn sure you have a way to recover your device in case something goes wrong!
What you'll need:
Fastboot and ADB installed correctly.
Factory image for Sargo - get it here.
An unlocked bootloader.
A GSI to install.
(vbmeta.img / vendor.img can be extracted from our factory image.)
Auto install a GSI:
The Universal Auto GSI Installer by @zedomax works for our device with all the GSI's I have tried from XDA. His instructions and video tutorial are included in the thread. The script is very easy to set up and use to install a GSI.
Manually install a GSI:
Code:
From stock Android 10 or 11
Boot into fastboot, then to fastbootd:
$ fastboot reboot fastboot
Disable verify boot (AVB) by flashing vbmeta.img:
$ fastboot --disable-verification flash --slot all vbmeta vbmeta.img
Find your current slot:
$ fastboot getvar current-slot
Delete the product partition to free up space for the system partition (Current slot):
$ fastboot delete-logical-partition product_a
The postfix _a should match the slot ID from our last command.
Erase the system partition:
$ fastboot erase system
Flash the GSI:
$ fastboot flash system system.img
This will take a bit.
Now wipe userdata and reboot:
$ fastboot -w reboot
Other resources regarding flashing GSI's:
Google's instructions.
Known issues and releases.
Android 11 Installation and info, translate to read.
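The --disable-verity and --disable-verification options used in the fastboot commands in these threads correspond to two flag bits in the AVB vbmeta header, so the state of a vbmeta image can be audited by parsing its first 256 bytes. The following Python sketch is an added example, not part of the original post; the header layout follows libavb's AvbVBMetaImageHeader, and the function names and the sample header are constructed for illustration.

```python
"""Inspect an AVB 2.0 vbmeta header for settings that weaken verified boot."""
import struct
import sys
from dataclasses import dataclass

# 256-byte header, all integers big-endian (AvbVBMetaImageHeader in libavb).
HEADER = struct.Struct(
    "!4s2L"  # magic "AVB0", required libavb version (major, minor)
    "2Q"     # authentication and auxiliary data block sizes
    "L"      # algorithm type; 0 means the image is not signed
    "10Q"    # offset/size pairs: hash, signature, public key, key metadata, descriptors
    "Q"      # rollback_index
    "L"      # flags
    "L"      # rollback_index_location
    "47sx"   # NUL-terminated release string
    "80x"    # reserved
)

FLAG_HASHTREE_DISABLED = 1 << 0      # dm-verity off (fastboot --disable-verity)
FLAG_VERIFICATION_DISABLED = 1 << 1  # verification off (fastboot --disable-verification)
KNOWN_FLAGS = FLAG_HASHTREE_DISABLED | FLAG_VERIFICATION_DISABLED


@dataclass(frozen=True)
class VbmetaHeader:
    algorithm_type: int
    rollback_index: int
    rollback_index_location: int
    flags: int
    release: str


def parse_vbmeta_header(blob):
    """Decode the fixed header; raise ValueError on anything that is not vbmeta."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated vbmeta header")
    fields = HEADER.unpack_from(blob)
    if fields[0] != b"AVB0":
        raise ValueError("not a vbmeta image (bad magic)")
    release = fields[19].split(b"\0", 1)[0].decode("ascii", "replace")
    return VbmetaHeader(
        algorithm_type=fields[5],
        rollback_index=fields[16],
        flags=fields[17],
        rollback_index_location=fields[18],
        release=release,
    )


def weakened_settings(hdr):
    """Return short labels for every setting that reduces verified-boot coverage."""
    found = []
    if hdr.flags & FLAG_HASHTREE_DISABLED:
        found.append("hashtree-disabled")
    if hdr.flags & FLAG_VERIFICATION_DISABLED:
        found.append("verification-disabled")
    if hdr.flags & ~KNOWN_FLAGS:
        found.append("unknown-flag-bits")
    if hdr.algorithm_type == 0:
        found.append("unsigned")
    return found


def sample_header(flags=0, algorithm_type=1, rollback_index=5):
    """Constructed 256-byte header for the demo; not taken from any real image."""
    return HEADER.pack(b"AVB0", 1, 0, 576, 1024, algorithm_type,
                       *([0] * 10), rollback_index, flags, 0, b"avbtool 1.1.0")


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(HEADER.size)
    else:
        data = sample_header(flags=0x03)
    header = parse_vbmeta_header(data)
    print(f"release={header.release!r} rollback_index={header.rollback_index} "
          f"location={header.rollback_index_location} flags=0x{header.flags:x}")
    for label in weakened_settings(header) or ["no weakening flags set"]:
        print(" -", label)
```

fastboot applies these options to the data it transfers, so the .img on the PC keeps its original flags; run the check on an image read back from the vbmeta partition.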
Reserved

[GUIDE] Unbrick or restore to OOS using only fastboot

This guide will only work up to OOS 11.
This guide is for users that can't or just don't want to download MsmDownloadTool. Linux users especially, since the tool is not available for linux. All you need is a recent version of android tools with a fastboot capable of executing fastboot reboot fastbootd.
To start, download the appropriate Oxygen OS zip for your device from the OP8T repo thread. Extracting the zip file should give you a file named payload.bin.
Use payload dumper to extract payload.bin.
You can grab payload_dumper from here (Windows and macOS), here (linux), or here (github, any OS).
For the download link from github, make sure you're running python 3.6 or higher. Run payload dumper with:
python payload_dumper.py payload.bin
The image files will be extracted to a folder named output.
Before starting the flashing process, you can check your device memory type using the DevCheck app by flar2 or with the command adb shell getprop ro.boot.ddr_type. The adb command will return 0 for LPDDR4X chips and 1 for LPDDR5 chips. This is important to flash the right xbl img files. LPDDR4X is more common for OP8T, so no worries if you miss this step.
You can start flashing from the standard bootloader or fastbootd. The first three lines below will flash the stock recovery then reboot into fastbootd.
Code:
fastboot flash recovery recovery.img
fastboot flash boot boot.img
fastboot flash dtbo dtbo.img
fastboot reboot fastboot
fastboot flash --slot=all recovery recovery.img
fastboot flash --slot=all boot boot.img
fastboot flash --slot=all dtbo dtbo.img
fastboot flash --slot=all abl abl.img
fastboot flash --slot=all aop aop.img
fastboot flash --slot=all bluetooth bluetooth.img
fastboot flash --slot=all cmnlib64 cmnlib64.img
fastboot flash --slot=all cmnlib cmnlib.img
fastboot flash --slot=all devcfg devcfg.img
fastboot flash --slot=all dsp dsp.img
fastboot flash --slot=all featenabler featenabler.img
fastboot flash --slot=all hyp hyp.img
fastboot flash --slot=all imagefv imagefv.img
fastboot flash --slot=all keymaster keymaster.img
fastboot flash --slot=all logo logo.img
fastboot flash --slot=all mdm_oem_stanvbk mdm_oem_stanvbk.img
fastboot flash --slot=all modem modem.img
fastboot flash --slot=all multiimgoem multiimgoem.img
fastboot flash --slot=all qupfw qupfw.img
fastboot flash --slot=all spunvm spunvm.img
fastboot flash --slot=all storsec storsec.img
fastboot flash --slot=all tz tz.img
fastboot flash --slot=all uefisecapp uefisecapp.img
If your phone has the LPDDR4X memory chip (returned 0 with the adb shell command above), flash the images below:
Code:
fastboot flash --slot=all xbl_config xbl_config.img
fastboot flash --slot=all xbl xbl.img
LPDDR4X is the more common chip for OP8T, so if you forgot to check, you can flash this.
If your phone has the LPDDR5 chip (returned 1 with the adb shell command above), flash the images below:
Code:
fastboot flash --slot=all xbl_config xbl_config_lp5.img
fastboot flash --slot=all xbl xbl_lp5.img
This next section will clear the super partition (contains odm, system, system_ext, vendor and product). It's not absolutely necessary, so you can skip to the next step. Clearing the super partition will help avoid the following error, which can come up if you had manually flashed ROMs on both slots previously.
Code:
Resizing '<partition name>' FAILED (remote: 'Not enough space to resize partition')
Example: Resizing 'product' FAILED (remote: 'Not enough space to resize partition')
If you've ever had this error or you just want to be sure that everything is cleared, check the spoiler.
Spoiler
Before deleting, you can check the names of the logical partitions on your phone using fastboot getvar all. Scroll up to the section that looks like this:
Code:
(bootloader) is-logical:odm_a:yes
(bootloader) is-logical:product_a:yes
(bootloader) is-logical:system_a:yes
(bootloader) is-logical:system_ext_a:yes
(bootloader) is-logical:vendor_a:yes
or
(bootloader) is-logical:odm_b:yes
(bootloader) is-logical:product_b:yes
(bootloader) is-logical:system_b:yes
(bootloader) is-logical:system_ext_b:yes
(bootloader) is-logical:vendor_b:yes
As @Matt85m pointed out, you may also have:
Code:
(bootloader) is-logical:odm:yes
(bootloader) is-logical:product:yes
(bootloader) is-logical:system:yes
(bootloader) is-logical:system_ext:yes
(bootloader) is-logical:vendor:yes
It is also possible to have logical partitions with the same names ending in -cow (system_a-cow, system_b-cow, system_ext_b-cow, vendor_a-cow, product_b-cow, etc).
These are created by various ROMs during an OTA. Shout out to @mslezak for the discovery.
Delete everything with the commands below:
Code:
fastboot delete-logical-partition odm
fastboot delete-logical-partition system
fastboot delete-logical-partition system_ext
fastboot delete-logical-partition product
fastboot delete-logical-partition vendor
fastboot delete-logical-partition odm_a
fastboot delete-logical-partition odm_b
fastboot delete-logical-partition system_a
fastboot delete-logical-partition system_b
fastboot delete-logical-partition system_ext_a
fastboot delete-logical-partition system_ext_b
fastboot delete-logical-partition product_a
fastboot delete-logical-partition product_b
fastboot delete-logical-partition vendor_a
fastboot delete-logical-partition vendor_b
Delete any -cow partitions with the same command:
Code:
fastboot delete-logical-partition system_a-cow
and so on.
If you get an error deleting the -cow partitions, @firegate22 suggests changing slots from the bootloader (fastboot --set-active=a or b) not from fastbootd, then return to fastbootd and try the delete command again.
All logical partitions can be deleted to free up space in the super partition.
Recreate partitions a and b with the commands below.
Code:
fastboot create-logical-partition odm_a 100000
fastboot create-logical-partition odm_b 100000
fastboot create-logical-partition system_a 100000
fastboot create-logical-partition system_b 100000
fastboot create-logical-partition system_ext_a 100000
fastboot create-logical-partition system_ext_b 100000
fastboot create-logical-partition product_a 100000
fastboot create-logical-partition product_b 100000
fastboot create-logical-partition vendor_a 100000
fastboot create-logical-partition vendor_b 100000
Flash the rest of the images.
Code:
fastboot flash odm odm.img
fastboot flash system system.img
fastboot flash system_ext system_ext.img
fastboot flash product product.img
fastboot flash vendor vendor.img
fastboot flash --slot=all vbmeta vbmeta.img
fastboot flash --slot=all vbmeta_system vbmeta_system.img
Assuming everything flashes with no errors, return to recovery, do a factory reset and reboot.
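The delete step in the spoiler depends on which logical partitions actually exist on the device (slot-suffixed, unsuffixed or -cow), and that is what fastboot getvar all reports. The following Python sketch, an added example that is not part of the original guide, builds the delete and recreate commands from that output instead of a fixed list; the function names and the sample output are constructed, and the size 100000 is the value the guide passes.

```python
"""Plan the super-partition reset from `fastboot getvar all` output."""
import re
import shlex
import sys

# Matches lines such as "(bootloader) is-logical:system_a-cow:yes".
# Names are restricted to a conservative character set before they are
# turned into command arguments.
IS_LOGICAL = re.compile(
    r"^\(bootloader\)\s+is-logical:([A-Za-z0-9_]+(?:-cow)?):(yes|no)$")

# The partitions the guide recreates on both slots, and the size it uses.
STOCK_BASES = ("odm", "system", "system_ext", "product", "vendor")
PLACEHOLDER_SIZE = "100000"


def logical_partitions(getvar_output):
    """Return the names reported as logical, first-seen order, no duplicates."""
    names = []
    for line in getvar_output.splitlines():
        match = IS_LOGICAL.match(line.strip())
        if match and match.group(2) == "yes" and match.group(1) not in names:
            names.append(match.group(1))
    return names


def plan_super_reset(getvar_output):
    """Return argv lists: delete what exists, then recreate the stock layout."""
    names = logical_partitions(getvar_output)
    # Same order as the guide: regular partitions first, -cow snapshots last.
    ordered = sorted(names, key=lambda n: n.endswith("-cow"))
    plan = [["fastboot", "delete-logical-partition", n] for n in ordered]
    for base in STOCK_BASES:
        for slot in ("a", "b"):
            plan.append(["fastboot", "create-logical-partition",
                         f"{base}_{slot}", PLACEHOLDER_SIZE])
    return plan


# Constructed sample in the format shown in the guide; not captured from a device.
SAMPLE = """\
(bootloader) is-logical:odm_a:yes
(bootloader) is-logical:product_a:yes
(bootloader) is-logical:system_a:yes
(bootloader) is-logical:system_b-cow:yes
(bootloader) is-logical:system_ext_a:yes
(bootloader) is-logical:vendor_a:yes
(bootloader) is-logical:boot_a:no
(bootloader) partition-size:odm_a: 0x100000
"""

if __name__ == "__main__":
    # Read captured output from a file if given, else use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    # Print for review only; nothing is executed against the device.
    for argv in plan_super_reset(text):
        print(shlex.join(argv))
```

fastboot writes getvar results to stderr, so capture them with fastboot getvar all 2>&1 before passing the file to the script.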
I like what you're proposing. I've been thinking along these lines also.
Would you mind explaining why you're flashing to both slots rather than just the inactive one?
If you leave the current slot untouched you have a fallback position (the whole point of having A/B partitioning).
The same question applies to the flashing/deleting of the dynamic partitions in super.
BillGoss said:
I like what you're proposing. I've been thinking along these lines also.
Would you mind explaining why you're flashing to both slots rather than just the inactive one?
If you leave the current slot untouched you have a fallback position (the whole point of having A/B partitioning).
The same question applies to the flashing/deleting of the dynamic partitions in super.
For this guide specifically, the idea is to return as close to stock as possible. Wiping everything and replacing with OOS would be the best way to do that.
More generally, other than boot.img and recovery.img, the images flashed on both slots in the first part are the firmware files. You can grab and flash them from pretty much any new OOS version to update the firmware without affecting the installed ROMs. The specific files for the ROM are all in the third part. If you extract the payload.bin for any custom ROM, those are usually the only image files included.
You can certainly run two different firmware versions on the two slots, but if the inactive slots are empty or contain much older firmware, you can end up with weird issues in the active slots (usually a boot loop but could be more or less serious). Keeping the versions close is just to avoid unnecessary issues.
Some custom ROMs for OP8T like Lineage recommend or insist on flashing the copy-partitions.zip package for this reason. It's also why the install instructions for older A/B phones that have TWRP generally begin with "flash the stock ROM on both slots" - only the firmware files are strictly necessary, so you can keep the fallback ROM on the other slot if you want to.
That ended up much longer than planned. Hope it answers your questions though!
I'm going through this process rn, and I figured I'd ask here. How long does it usually take to flash dsp? It's been over 20 minutes of Sending 'dsp_a' (65536 KB)
65 M looks pretty big, and that's maybe the max size? How long did it take for you?
edit: seems to be unrelated to size as the modem part went fine, and that's bigger
No go, next step : fastboot reboot fastboot enter QDLoader mode
nero075 said:
I'm going through this process rn, and I figured I'd ask here. How long does it usually take to flash dsp? It's been over 20 minutes of Sending 'dsp_a' (65536 KB)
65 M looks pretty big, and that's maybe the max size? How long did it take for you?
edit: seems to be unrelated to size as the modem part went fine, and that's bigger
Did you figure this out? Flashing dsp should only take a couple seconds.
coomac said:
Did you figure this out? Flashing dsp should only take a couple seconds.
I ended up just skipping that one, and it turned out fine ¯\_(ツ)_/¯
Full-time Linux user here, glad to see this guide after a few days of looking for a way to go back to stock without Msmtool.
However, I do have a question: is it possible to get an OTA update from OnePlus if I go back to stock using this method and re-lock my bootloader?
mrhieu059 said:
Full-time Linux user here, glad to see this guide after a few days of looking for a way to go back to stock without Msmtool.
However, I do have a question: is it possible to get an OTA update from OnePlus if I go back to stock using this method and re-lock my bootloader?
Shouldn't be a problem. I was able to install an OTA update after returning to stock using this method with no issues even without relocking my bootloader.
Thanks for this, it helped me a lot to restore my device. I have one question though: I checked all the commands and I see there might be one command missing. When I extracted the ROM I checked all the img files and saw:
xbl_lp5.img
xbl_config_lp5.img
I can't help but wonder if I have to input the commands as well.
rdlr19 said:
Thanks for this, it helped me a lot to restore my device. I have one question though: I checked all the commands and I see there might be one command missing. When I extracted the ROM I checked all the img files and saw:
xbl_lp5.img
xbl_config_lp5.img
I can't help but wonder if I have to input the commands as well.
Glad it helped. Those files depend on whether your device has a DDR type 0 (LPDDR4X) or DDR type 1 (LPDDR5) memory chip.
You can check your device memory type with adb shell getprop ro.boot.ddr_type. It will return 0 or 1. You can also use the DevCheck app by flar2.
I believe most OP8Ts use DDR0, which requires xbl_config.img and xbl.img. The lp5 images are for DDR1.
According to the LineageOS wiki, you'd flash the lp5 images with the same commands on DDR1:
Code:
fastboot flash --slot=all xbl_config xbl_config_lp5.img
fastboot flash --slot=all xbl xbl_lp5.img
I've tried to bring my KB2003 back to stock from LineageOS using this guide and when it comes to flashing the odm, product and vendor files I get the following errors
Code:
Sending 'odm' (34544 KB) OKAY [ 0.849s]
Writing 'odm' FAILED (remote: 'No such file or directory')
fastboot: error: Command failed
Invalid sparse file format at header magic
Resizing 'product_a' FAILED (remote: 'Not enough space to resize partition')
fastboot: error: Command failed
Invalid sparse file format at header magic
Resizing 'vendor_a' FAILED (remote: 'Not enough space to resize partition')
fastboot: error: Command failed
I've cleared the logical partitions. Any ideas? Ignoring these errors, the device doesn't boot; I just get a black screen.
Edit: if I do these product and vendor files first, system throws the error. Are the posted logical partition sizes correct?
Matt85m said:
I've tried to bring my KB2003 back to stock from LineageOS using this guide and when it comes to flashing the odm, product and vendor files I get the following errors
Code:
Sending 'odm' (34544 KB) OKAY [ 0.849s]
Writing 'odm' FAILED (remote: 'No such file or directory')
fastboot: error: Command failed
Invalid sparse file format at header magic
Resizing 'product_a' FAILED (remote: 'Not enough space to resize partition')
fastboot: error: Command failed
Invalid sparse file format at header magic
Resizing 'vendor_a' FAILED (remote: 'Not enough space to resize partition')
fastboot: error: Command failed
I've cleared the logical partitions. Any ideas? Ignoring these errors, the device doesn't boot; I just get a black screen.
Edit: if I do these product and vendor files first, system throws the error. Are the posted logical partition sizes correct?
You need to clear more space in the super partition. You can basically delete and recreate both slots a and b for system, system_ext, product, vendor, and probably even odm to get more space.
coomac said:
You need to clear more space in the super partition. You can basically delete and recreate both slots a and b for system, system_ext, product, vendor, and probably even odm to get more space.
Isn't that what the
Code:
fastboot delete-logical-partition
fastboot create-logical-partition
commands were about? I've followed that step as you laid out. I've now tried it by adding a line for deleting and recreating the odm partition and still no joy
Matt85m said:
Isn't that what the
Code:
fastboot delete-logical-partition
fastboot create-logical-partition
commands were about? I've followed that step as you laid out. I've now tried it by adding a line for deleting and recreating the odm partition and still no joy
Yeah, that's what they're for. Strange. Any other errors before the one for odm? Would be helpful if you can upload a screenshot of your terminal with all the commands.
Edit: One suggestion is to make sure you're in fastbootd, not fastboot. Also, the size for the new logical partitions is arbitrary - they get resized when being flashed.
coomac said:
Yeah, that's what they're for. Strange. Any other errors before the one for odm? Would be helpful if you can upload a screenshot of your terminal with all the commands.
Edit: One suggestion is to make sure you're in fastbootd, not fastboot. Also, the size for the new logical partitions is arbitrary - they get resized when being flashed.
It definitely is in fastbootd. I ran into that issue initially as the android-tools package shipped with Fedora was out of date, so I dumped the newer tools from Google into my /usr/bin.
Here is a dump of my last step by step attempt text file
OK, couple things you can try.
- Switch to slot a and try flashing again.
- If that doesn't work, flash the copy-partitions zip from the lineage wiki then try again.
Btw you can check the size of the super partition using fastboot getvar partition-size:super (you'll have to convert the hex value to decimal). It should be around 7.5 GB. Use fastboot getvar all to get the sizes of all the logical partitions. The total should be between ~3.3 and 4 GB after flashing or about 500 MB after you delete/recreate them.
Matt85m said:
It definitely is in fastbootd. I ran into that issue initially as the android-tools package shipped with Fedora was out of date, so I dumped the newer tools from Google into my /usr/bin.
Here is a dump of my last step by step attempt text file
Responded above.
coomac said:
Responded above.
Worked it out by looking at the entire list of partitions - I had 3 lots of each ROM partition, for example system_a, system_b and system, for all of vendor, product etc. Purging the ones without the _a/b allowed the process to complete.
Might be a quirk of the LineageOS installation process - you might want to make a note of it in the OP in case someone else runs into it.
Matt85m said:
Worked it out by looking at the entire list of partitions - I had 3 lots of each ROM partition, for example system_a, system_b and system, for all of vendor, product etc. Purging the ones without the _a/b allowed the process to complete.
Might be a quirk of the LineageOS installation process - you might want to make a note of it in the OP in case someone else runs into it.
Good to know. I'll update the OP.
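The two checks from the exchange above (summing the logical partition sizes against super, and spotting logical partitions without an _a/_b suffix next to their slotted siblings) can be scripted. This is an added example, not part of the original posts: the helper name audit_super and the sample getvar output are constructed for illustration, and the line format is assumed to be `(bootloader) key:partition:value`.

```shell
#!/bin/sh
# Constructed `fastboot getvar all` output (fastbootd); sizes are invented.
SAMPLE='(bootloader) partition-size:super:0x1C0000000
(bootloader) is-logical:system_a:yes
(bootloader) partition-size:system_a:0x10000000
(bootloader) is-logical:system_b:yes
(bootloader) partition-size:system_b:0x6000000
(bootloader) is-logical:system:yes
(bootloader) partition-size:system:0x40000000
(bootloader) is-logical:vendor_a:yes
(bootloader) partition-size:vendor_a:0x6000000
(bootloader) is-logical:boot_a:no
(bootloader) partition-size:boot_a:0x6000000'

# audit_super (hypothetical helper): reads getvar output on stdin and prints
# sorted key=value lines: sizes in bytes plus one stray= line per logical
# partition that has no _a/_b suffix while a slotted sibling exists.
audit_super() {
  awk '
    function hex2dec(h,   i, d, n) {        # portable: no gawk strtonum()
      h = tolower(h); sub(/^0x/, "", h); n = 0
      for (i = 1; i <= length(h); i++) {
        d = index("0123456789abcdef", substr(h, i, 1)) - 1
        if (d < 0) return -1                # not hex: mark as unusable
        n = n * 16 + d
      }
      return n
    }
    {
      sub(/^\(bootloader\) */, ""); gsub(/[ \t\r]/, "")
      if (split($0, f, ":") != 3) next
      if (f[1] == "is-logical" && f[3] == "yes") logical[f[2]] = 1
      if (f[1] == "partition-size") size[f[2]] = hex2dec(f[3])
    }
    END {
      for (p in logical) {
        if (!(p in size) || size[p] < 0) continue
        total += size[p]
        if (p !~ /_[ab]$/ && ((p "_a") in logical || (p "_b") in logical))
          printf "stray=%s\n", p
      }
      printf "super_bytes=%.0f\n", size["super"]
      printf "logical_bytes=%.0f\n", total
      # Approximate: ignores super metadata and per-group size limits.
      printf "unallocated_bytes=%.0f\n", size["super"] - total
    }' | sort
}

printf '%s\n' "$SAMPLE" | audit_super
```

On a device, pipe real output in with `fastboot getvar all 2>&1 | audit_super`, since fastboot writes getvar results to stderr.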
