Failing to flash Lenovo TB X606F (beginner) - Thinkpad Tablet General

I am trying to install UbuntuTouch on a new Lenovo X606F. To do this I need to first downgrade from Android 10 to Android 9, but I am failing to do this (I have asked for help on the UBPorts forum but not had any advice so far). I have never flashed any Android system before so its likely I'm making a basic mistake.
I am using
Manjaro Linux (I don't have a Windows system)
SP_Flash_Tool_v5.2152_Linux (I can't use the most recent versions of the flash tool, as they expect an xml file for download, instead of the scatter.txt file that Android 9 has)
Lenovo_Tab_M10_FHD_Plus_TB-X606F_MT6765_S000009_210526_BMP as my Android9 image.
I can't get the Flash Tool to write anything to the tablet at all; I have tried both starting with the tablet off and holding down volume and/or power while connecting the USB, and using 'adb reboot fastboot' after starting download on the Flash Tool. Whichever I do I get the same result:
./flash_tool.sh
QGtkStyle was unable to detect the current GTK+ theme.
sysname:Linux
nodename:gromit
release:5.15.89-1-MANJARO
version:#1 SMP PREEMPT Wed Jan 18 20:37:11 UTC 2023
machine:x86_64
domainame:(none)
cur_kernel_version = 5.15.89
QObject::moveToThread: Cannot move objects with a parent
support_dl_cert_to_storage: 0
Application asked to unregister timer 0xa00001b which is not registered in this thread. Fix application.
Connecting to BROM...
Scanning USB port...
Search usb, timeout set as 3600000 ms
[email protected]/devices/pci0000:00/0000:00:08.1/0000:04:00.3/usb1/1-2
[email protected]/devices/pci0000:00/0000:00:08.1/0000:04:00.3/usb1/1-2/1-2:1.1
[email protected]/devices/pci0000:00/0000:00:08.1/0000:04:00.3/usb1/1-2/1-2:1.0
[email protected]/devices/pci0000:00/0000:00:08.1/0000:04:00.3/usb1/1-2/1-2:1.1
[email protected]/devices/pci0000:00/0000:00:08.1/0000:04:00.3/usb1/1-2/1-2:1.0/tty/ttyACM0
vid is 0e8d
device vid = 0e8d
device vid = 0e8d
pid is 2000
device pid = 2000
com portName is: /dev/ttyACM0
Total wait time = -1675547049.000000
USB port is obtained. path name(/dev/ttyACM0), port name(/dev/ttyACM0)
USB port detected: /dev/ttyACM0
Connect BROM failed: STATUS_ERR(-1073676287)
Disconnect!
BROM Exception! ( ERROR : STATUS_ERR (-1073676287) , MSP ERROE CODE : 0x00.
[HINT]:
)((ConnectBROM,../../../flashtool/Conn/Connection.cpp,105))
Any idea what I am doing wrong?
Thanks
Graham

Very interesting, I'm looking for the same on my tb125fu.

Related

MotoUSB reverse tether w/ linux success

I have successfully used reverse USB tethering on a flipout. This method should be portable to other devices running the motorola android multi-device driver with usb0.
If you are comparing to any windows drivers, say that installed from the driver installer MSI when connecting a flipout and maybe other devices in 'portal' mode, the (windows) driver will be motousbnet. On linux, the driver is cdc_subset. However, this driver does not know how to bind to the motorola
1. Figure out the usb vendor id, product id, and interface class, interface subclass, and interface protocol of the networking interface. On the flipout, this is named the 'motorola networking interface'. On my device, it has these ids: 0x22b8, 0x41da, 0x02, 0x0a, 0x01. You can find these ids via exploring /sys/bus/usb on a linux system, or with the lsusb utility.
2. patch your cdc_subset driver to support the USB id and interface of the above device. You will need to inspect via lsusb or sysfs to setup a 'product' and 'driver info' structure in cdc_subset.c to select the correct interface and endpoints. The pertinent parts of my cdc_subset.c are as follows:
Code:
add to products
{
// Moto flipout usb
USB_DEVICE_AND_INTERFACE_INFO (0x22b8, 0x41da, 0x02, 0x0a, 0x01),
.driver_info = (unsigned long) &motousb_info,
},
add near other driver_infos:
static const struct driver_info motousb_info = {
.description = "Motorola USB endpoint",
.check_connect = always_connected,
.in=0x84, .out=0x03,
};
3. Doing such a mod and compiling yourself a new cdc_subset.ko, and installing that, will yield a usb driver that can talk to usb0 on your flipout. At this point, you just have to configure networking. I setup proxyarp on my LAN and usb0 interfaces, and set up some manual addresses and routes. Other options could be to add usb0 to a bridge, or do routing and DHCP, or routing + nat + DHCP. You'll probably need to netcfg rmnet0 down and setprop net.dns1 and net.rmnet0.dns1 your ips manually. Make sure you save your old dns. I'm not sure if that gets restored from carrier when you turn rmnet back on.
4. after all that, you should be online.
5. EDIT: all compiling and module installation steps noted above happen on the host PC, if that wasn't clear.
Work to follow:
use SL4A to automate usb0 bringup
interface with APNDroid to soft-down the 3g instead of nuking it the hard way. killing the radio process will get you back online, but thats effectively the same as resetting the baseband, so you'll need to re-unlock your SIM etc.
Thanks man! This is awesome. It worked on my Motorola Defy (same parameters) under Ubunutu.
Hi,
I thing this is what i am looking for, enable a motorola device (defy) to be a usb0 device with ubuntu so you can have an IP, and ssh easly with your droid (using vlc remote with usb cable). I realy appreciate this native feature with my old htc.
where is the cdc_subset.c ?
tkx
balek said:
Hi,
I thing this is what i am looking for, enable a motorola device (defy) to be a usb0 device with ubuntu so you can have an IP, and ssh easly with your droid (using vlc remote with usb cable). I realy appreciate this native feature with my old htc.
where is the cdc_subset.c ?
tkx
Click to expand...
Click to collapse
It's in the kernel source. -- You'll have to download the linux or kernel source package that matches the kernel you run on your ubuntu machine, modify your cdc_subset driver, rebuild it, and install it.
Learning things like the kernel build system and how to install a kernel module are exercises for the reader.
Good job! I'll try it once i get my Ubuntu installation up and running again ^_^
Defy and Debian USB network works partially...
Hello. The idea was good...
My config is:
- on one side: a Defy (CM7 1.0-RC1 Nightly build 2037, Gingerbread 2.3.4)
- on the other side: a Linux Debian (Squeeze , kernel 3.0.0-1-686-pae)
I patched the cdc_subset driver as proposed. I saw a little difference on the endpoints: lsusb -v reports 0x83 for 'in' endpoint and 0x2 (bulk) or 0x3 (interrupt) for 'out' endpoint. I tried all combinations and only 0x83/0x2 give a working ping between hosts. => Are the initial endpoints working (0x84/0x3) ?
See attached file for the complete listing, search 'SDX' to see where I patched.
When I plug the USB cable, the usb0 interface is brought up on linux automatically and that's perfect.
With a simple network configuration, ping works on both hosts.
.
So everything seems right.
I then tried to transfer a huge 100MB file to see the performance:
- scp from linux to defy => OK, ~5MB/s
- scp from defy to linux => FAILURE after a few MB transfered
In the second test, the connection is completely frozen and I see errors on both interfaces (ifconfig usb0, error packets). I repeated the test multiple times with alternate network configs, without wifi etc., and I could never transfer the file completely.
Can someone confirm me:
- that the transfer is working for him in both ways with huge files
- what is reported by "lsusb -v -d 22b8:41da" to see if my endpoints for a Defy are correct
I'm not sure, but maybe cdc_subset is not the right driver to patch ?
Or simply it's a bug in scp or sshd on Defy ! I should try with something else like ftp or http...
I keep working on this topic...Thx for any clue !
sdxmob said:
Hello. The idea was good...
My config is:
- on one side: a Defy (CM7 1.0-RC1 Nightly build 2037, Gingerbread 2.3.4)
- on the other side: a Linux Debian (Squeeze , kernel 3.0.0-1-686-pae)
I patched the cdc_subset driver as proposed. I saw a little difference on the endpoints: lsusb -v reports 0x83 for 'in' endpoint and 0x2 (bulk) or 0x3 (interrupt) for 'out' endpoint. I tried all combinations and only 0x83/0x2 give a working ping between hosts. => Are the initial endpoints working (0x84/0x3) ?
See attached file for the complete listing, search 'SDX' to see where I patched.
When I plug the USB cable, the usb0 interface is brought up on linux automatically and that's perfect.
With a simple network configuration, ping works on both hosts.
.
So everything seems right.
I then tried to transfer a huge 100MB file to see the performance:
- scp from linux to defy => OK, ~5MB/s
- scp from defy to linux => FAILURE after a few MB transfered
In the second test, the connection is completely frozen and I see errors on both interfaces (ifconfig usb0, error packets). I repeated the test multiple times with alternate network configs, without wifi etc., and I could never transfer the file completely.
Can someone confirm me:
- that the transfer is working for him in both ways with huge files
- what is reported by "lsusb -v -d 22b8:41da" to see if my endpoints for a Defy are correct
I'm not sure, but maybe cdc_subset is not the right driver to patch ?
Or simply it's a bug in scp or sshd on Defy ! I should try with something else like ftp or http...
I keep working on this topic...Thx for any clue !
Click to expand...
Click to collapse
Any news with defy ?

[Q] sm-n900 heimdall fails to flash recovery

I'm having issues flashing cwm with heimdall. It says:
Code:
WARNING: Control transfer #2 failed. Result: -7
WARNING: Control transfer #3 failed. Result: -7
WARNING: Control transfer #4 failed. Result: -7
WARNING: Control transfer #5 failed. Result: -7
WARNING: Control transfer #6 failed. Result: -99
ERROR: Failed to send data: "ODIN"
It does detect the device:
Code:
Detecting device...
Manufacturer: "SAMSUNG"
Product: "Gadget Serial"
Serial No: "?"
length: 18
device class: 2
S/N: 0
VID:PID: 04E8:685D
bcdDevice: 021B
iMan:iProd:iSer: 1:2:0
nb confs: 1
Has anybody had any luck with heimdall 1.4.0?
Tried running Odin in Virtualbox, but have given up on the samsung usb drivers. They install everything but a samsung usb modem device which is only active with usb debugging on or with the phone in download mode.
I don't think heimdall is compatible yet.
designgears said:
I don't think heimdall is compatible yet.
Click to expand...
Click to collapse
Thanks,
It could be the same issue as i9502 is having: github.com/Benjamin-Dobell/Heimdall/issues/152 But I'm not sure it's safe trying to use that zero packet hack on the sm-n900.
And getting this "SAMSUNG Mobile USB Modem #2" device recognized in windows XP seems to need some black magic. I've tried manual install with most of the .inf files in the driver package, took a while...
Got it detected and flashed with Odin 3,09 on a w7 machine. Kies3 installed and used it's reinstall driver function.
Rooted

[ROOT] Amazon Fire TV Gen 2 (4k)

There is an updated thread now for rooting the AFTV2 that supports both 5.0.3.1 and 5.0.4 and maybe others in the future, see http://forum.xda-developers.com/fire-tv/general/root-amazon-fire-tv-2-updated-t3277556. The new method is simpler than this method and requires less to download and less steps to run.
To be safe run checkver.py every time you handshake since 5.0.4 is starting to roll out! Checkout the 5.0.3.1 tag in order to use this older method.
If you were able to root your AFTV2 we'd appropriate if you report your success on the poll located here.
NOTE: Root was obtained a few weeks ago so... this procedure is not the most time efficient, but it is just a few simple steps that anyone with a technical background can follow. There are ideas and some work in progress to make it easier. It depends also on serial port stability, which is somewhat random luck. Linux experience will be beneficial. The usual disclaimers apply, which means this rooting procedure comes with some risks and the scripts involved haven't been tested in all environments. Any harm that may come from rooting your device using this procedure is at your own risk and I assume no responsibility for any damage it may cause. I will do my best to help you get through it and recover if possible.
Root the Device
It's taken quite a bit of effort, but I've finally managed to create a pre-rooted system image (as well as backup the original) and provide a semi-efficient way to flash the rooted system image. Before attempting any of the steps listed below YOU MUST BE RUNNING 5.0.3.1. You should also have a unmodified/pristine system partition. You would probably know if you had any modifications and at this point that would be uncommon. If the patching fails for some reason just power off the device, reboot your computer (resets the serial port buffer), start the handshake script, then turn on the device. Once the handshake completes run the patching command again. There is no harm running the patching command two or more times. If it keeps hanging try a different computer.
To get started you will need a system that meets the following requirements:
Linux (Mac OS X or Windows w/ changes)
Python 3.x
PySerial
sudo yum install python3-pyserial # Fedora or RedHat
sudo apt-get install python3-serial # Ubuntu or Debian
USB Male A to Male A cable
R/W access to /dev/ttyACM0 (or use sudo)
ADB USB access (optional, but helpful)
Stop ModemManager (if you have it setup, which blocks handshaking)
Now run the following sequence of commands:
Code:
git clone --branch 5.0.3.1 https://gitlab.com/zeroepoch/aftv2-tools.git
cd aftv2-tools
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.root.img.gz
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.diff.gz
gunzip system.root.img.gz
gunzip system.diff.gz
adb reboot ; ./handshake.py # or restart but run ./handshake.py first
./checkver.py # STOP if it reports NO!
./patch_mmc.hs 0x00000000058e0000 system.root.img system.diff # takes ~2 hours
# last address is 0x50dce600
For Macs (see post #115, thanks @ians325) to satisfy the requirements above you will need to install python 3.5.0 for Mac OS X from python.org then run "sudo pip3 install pyserial" to install pyserial. Instead of "wget $URL" use "curl -O $URL".
Windows is working now, but it's constantly improving to make it easier for novice users. The bash script has been ported to a batch file (no cygwin needed) and the serial port has some auto-detection built in now. The files needed for Windows have already been added to the repo but the README is constantly evolving. @ImCoKeMaN (big thanks) and myself are working to improve the process and make it easier for Windows users.
Anyone interested in rooting using an Ubuntu VM should watch the YouTube video by @ultimate_spy_binns, https://www.youtube.com/watch?v=CZQqLoO6ojM. There is also a script to help automate the process if you are doing this on an Ubuntu live CD/USB found here (by @BagiMT).
To test that root is working you should first connect to adb shell and then run the command "su". You will need to accept a prompt on the screen (HDMI port) at least once. The shell should change from a dollar-sign ($) prompt to a hash (#) prompt.
If you would like to disable updates after rooting you can use the following commands:
Code:
adb shell
su
pm disable com.amazon.device.software.ota
To go back to stock in case you want to update or for whatever other reason:
Code:
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.orig.img.gz
gunzip system.orig.img.gz
adb push system.orig.img /data/local/tmp
adb shell
su
pm enable com.amazon.device.software.ota
dd if=/data/local/tmp/system.orig.img of=/dev/block/platform/mtk-msdc.0/by-name/system bs=1m
sync
reboot
I don't always have the best luck transferring large files over ADB so another option is to copy the uncompressed image file to a microSD card and changing the path to /storage/sdcard1/system.orig.img. Be extremely careful that you have the right path, that the file you are reading exists, and that the file is around 1.2 GB in size. Otherwise you may potentially trash your system.
Background Info
This root method works by rebooting the device and halting the boot process at the MediaTek preloader. Once halted at the preloader we can use the preloader binary API to send a series of MMC commands to the flash chip which allows 512 byte blocks to be read and written using a simple FIFO. Since we have both the original and modified system images we can generate a list of blocks that are different between the two images and only patch those blocks. This means we need to write less than 10 MB instead of 1.2 GB. If we had to send the entire system image at the speeds the preloader is limited to it would take about 2 weeks. If for some reason the system partition becomes unbootable that would be your only option to recover right now. By sending just the differences the patching only takes about 2 hours. There are ways to speed this up (about 5-10 minutes instead), but you'd need to obtain limited root access first using a much much more complicated procedure. I choose to provide instead a slower but much simpler series of commands.
The MT preloader is a process that runs before the regular bootloader (lk/fastboot) and of course before the kernel boots. It only shows up for about 3 seconds. Unfortunately the preloader is writable and could potentially be updated. The entire boot chain is cryptographically signed from what I've been able to inspect including the preloader. An unlocked bootloader would most likely be needed to flash a custom kernel (no kexec built-in of course, but modules/device drivers can be loaded) and create ROMs not based on stock. @rbox has been working on getting kexec working as a module but no ETA yet. So in conclusion the tools here allow you to modify the flash contents and using these facilities we have add SuperSU binaries to the system partition.
Anyone interested in how root was obtained should look at the history starting with this post. You should also read the README file from the aftv2-tools git repo. Also feel free to PM me if you have any questions.
Tips
If you want to disable the pop-up message when becoming root you can change notify=1 to notify=0 in /data/data/eu.chainfire.supersu/files/supersu.cfg. You need to reboot the device after making this change. It's also suggested to make the file read-only because it seems to get reset sometimes. (Thanks @ultimate_spy_binns)
Special Thanks
@qwertytical
@budokaiboy
great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...
reiteravi said:
great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...
Click to expand...
Click to collapse
Yeah, mine pre-ordered one is still in a box so I'd need to update it too. I guess I can do that tonight before a new version comes out.
reiteravi said:
great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...
Click to expand...
Click to collapse
Unfortunately you will need to do a normal update first before patching the system partition. It just takes too long to flash a full system image, original or modified, using the methods we have available to us now. Also the boot partition and other partitions are updated with each OTA. I hope we can continue to provide rooted versions of updated system images, but as you know there is no guarantee of that. I'd update now before there is any new updates and then root it. We could in theory root the older versions as well and even before first boot, but without the OTA updates and applying them in reverse I can't go back and patch the older releases. I strongly think the method used to write the system partition can not be fixed since I believe the preloader code is in a ROM.
Mac Update
A few notes for Mac users willing to experiment a little:
I installed python 3.5.0 for Mac OS X from python.org and then ran "sudo pip3 install pyserial" to install pyserial for python 3.x. The final change I needed to make was to change PORT in handshake.py and read_mmc.py/write_mmc.py (only tested reading the boot partition, but everything else should work). In my case the PORT was /dev/cu.usbmodem1430. The device filename seems to be based on the USB port it's connected to. I'm not sure if there is an easier way to find the device filename besides scanning /dev and looking for new devices matching a given pattern. Maybe others on this forum have some better ideas. The final caveat was I need to unplug and replug the USB cable after the handshake completed otherwise the read_mmc.py script would hang on the first read.
I succeeded in rooting mine! For comparison purposes, here's the md5sums of my partitions:
Code:
0e450c032ddce170667ba3ddc26cb960 DKB
a3ad800f012a153953b403ef1fa36e14 EXPDB
d693da95eb68b40e4315333bcf74918b KB
50f24ce4c7ac388b33310bff6f79636a LOGO
59071590099d21dd439896592338bf95 MISC
f9b5ef697fde92c42bbbec35e5a6cad4 PRO_INFO
8a9d058f87711c2e8ccc698647f5026b TEE1
eda2733e1d0214873d9cb9d78c68425f TEE2
97a2ccdb7a02838b26b9a57e4f31d51d boot
fbd20aa58cd63c07392080cad7627e18 lk
74f0bac463bae8141acf20594987a559 recovery
a06c3d6a8c73923ed5c38b479c4410d3 system
So my DKB, KB, and system partitions are different from yours.
NaturalBornHaxor said:
I succeeded in rooting mine! For comparison purposes, here's the md5sums of my partitions:
Code:
0e450c032ddce170667ba3ddc26cb960 DKB
a3ad800f012a153953b403ef1fa36e14 EXPDB
d693da95eb68b40e4315333bcf74918b KB
50f24ce4c7ac388b33310bff6f79636a LOGO
59071590099d21dd439896592338bf95 MISC
f9b5ef697fde92c42bbbec35e5a6cad4 PRO_INFO
8a9d058f87711c2e8ccc698647f5026b TEE1
eda2733e1d0214873d9cb9d78c68425f TEE2
97a2ccdb7a02838b26b9a57e4f31d51d boot
fbd20aa58cd63c07392080cad7627e18 lk
74f0bac463bae8141acf20594987a559 recovery
a06c3d6a8c73923ed5c38b479c4410d3 system
So my DKB, KB, and system partitions are different from yours.
Click to expand...
Click to collapse
That is awesome news! The first confirmed case I've heard of someone else repeating my success
About the DKB and KB partitions being different it makes me wonder what those partitions are for? I didn't include cache and userdata in the MD5SUM of course, which you noticed, because those change all the time. NVRAM when I looked inside appeared to have a few things that looked to be device specific. The system partition being different is actually expected because I found every time I rebooted my system partition changed checksums. Also that is the MD5SUM of the unmodified system partition. I noticed this weird MD5SUM behavior when I was first gaining root and doing some sanity checks. It happens right after daemonsu is started. My best guess is that the SuperSU tools mount the system r/w quickly and that causes the last mounted timestamp to change. Don't know for sure what causes it, but don't worry that's not unexpected. The main reason I kept those hashes in the repo was so when the next version comes out I know which partitions were changed and need to be updated by users who wish to maintain root.
------------------SOLVED-----------------
Please read on if you have problems with handshake script looping forever...
-----------------------------------------------
Hi zeroepoch,
meanwhile I received my Fire TV 2 and tried your scripts but unfortunately without success.
As far as I can see, there are 2 problems:
- The /dev/ttyACM0 device appears on rebooting the Fire TV, but only for some 100th of a second, then it disconnects again.
- If I give it another try, the device will appear as /dev/ttyACM1, next time /dev/ttyACM2, aso.. So I either have to update the handshake script for every try or reboot my computer (then it starts with /dev/ttyACM0 again).
When I first tried it, the handshake-script ran forever, it just missed the short time of availability of /dev/ttyACM0. So I reduced the sleep-timeout in the script from 0.25 to 0.001. Now the handshake script detects the serial device but runs into an I/O Error during one of the next steps (each time different, seems to be a "race condition").
Can you offer any advice? Could my Laptop be too slow somehow or is there some trick to make the Fire TV keep the port open for a longer time?
Greetings, Christian
Code:
shell:
[email protected]:~/aftv2-tools# adb reboot ; ./handshake.py
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Traceback (most recent call last):
File "./handshake.py", line 17, in <module>
dev = serial.Serial(PORT, BAUD)
File "/usr/lib/python3/dist-packages/serial/serialutil.py", line 261, in __init__
self.open()
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 282, in open
self._reconfigurePort()
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 413, in _reconfigurePor t
termios.tcsetattr(self.fd, TERMIOS.TCSANOW, [iflag, oflag, cflag, lflag, ispeed, ospeed , cc])
termios.error: (5, 'Input/output error')
Code:
/var/log/syslog;
Nov 11 11:25:41 DeepThought systemd[1111]: Reached target Default.
Nov 11 11:25:41 DeepThought systemd[1111]: Startup finished in 15ms.
Nov 11 11:27:28 DeepThought kernel: [ 217.460463] usb 8-2: USB disconnect, device number 2
Nov 11 11:27:31 DeepThought kernel: [ 220.608049] usb 8-2: new high-speed USB device number 3 using ehci-pci
Nov 11 11:27:31 DeepThought kernel: [ 220.741857] usb 8-2: New USB device found, idVendor=0e8d, idProduct=2000
Nov 11 11:27:31 DeepThought kernel: [ 220.741860] usb 8-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Nov 11 11:27:31 DeepThought kernel: [ 220.741862] usb 8-2: Product: MT65xx Preloader
Nov 11 11:27:31 DeepThought kernel: [ 220.741864] usb 8-2: Manufacturer: MediaTek
Nov 11 11:27:31 DeepThought mtp-probe: checking bus 8, device 3: "/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2"
Nov 11 11:27:31 DeepThought mtp-probe: bus: 8, device: 3 was not an MTP device
Nov 11 11:27:31 DeepThought kernel: [ 220.855737] cdc_acm 8-2:1.1: ttyACM0: USB ACM device
Nov 11 11:27:31 DeepThought kernel: [ 220.884047] usbcore: registered new interface driver cdc_acm
Nov 11 11:27:31 DeepThought kernel: [ 220.884050] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
Nov 11 11:27:31 DeepThought kernel: [ 220.924931] usb 8-2: USB disconnect, device number 3
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (ttyACM0): tcgetattr() error: 5
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (ttyACM0): port attributes not fully set
Nov 11 11:27:31 DeepThought kernel: [ 220.928861] cdc_acm 8-2:1.1: failed to set dtr/rts
Nov 11 11:27:31 DeepThought ModemManager[511]: <info> (tty/ttyACM0): released by modem /sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (Plugin Manager) (Cinterion) [ttyACM0] error when checking support: '(Cinterion) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (Plugin Manager) (Nokia) [ttyACM0] error when checking support: '(Nokia) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (Plugin Manager) (Iridium) [ttyACM0] error when checking support: '(Iridium) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (Plugin Manager) (Generic) [ttyACM0] error when checking support: '(Generic) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:33 DeepThought ModemManager[511]: <warn> Couldn't find support for device at '/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2': not supported by any plugin
Nov 11 11:27:35 DeepThought wpa_supplicant[837]: nl80211: send_and_recv->nl_recvmsgs failed: -33
Nov 11 11:27:36 DeepThought kernel: [ 226.092142] usb 8-2: new high-speed USB device number 4 using ehci-pci
Nov 11 11:27:37 DeepThought kernel: [ 226.225936] usb 8-2: New USB device found, idVendor=1949, idProduct=0241
Nov 11 11:27:37 DeepThought kernel: [ 226.225945] usb 8-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
Nov 11 11:27:37 DeepThought kernel: [ 226.225951] usb 8-2: Product: FireTV
Nov 11 11:27:37 DeepThought kernel: [ 226.225956] usb 8-2: Manufacturer: Amazon
Nov 11 11:27:37 DeepThought kernel: [ 226.225961] usb 8-2: SerialNumber: G070GV05544205DE
Nov 11 11:27:37 DeepThought mtp-probe: checking bus 8, device 4: "/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2"
Nov 11 11:27:37 DeepThought mtp-probe: bus: 8, device: 4 was an MTP device
After taking a closer look at my syslog and doing some research on problems with /dev/ttyACM0, I finally found the problem. It's the modemmanager. That service immmediately "grabs" the device and tries to do some invalid settings, which leads to an near immediate disconnect.
After I uninstalled the modemmanger (which seemed preinstalled in debian jessie, at least I never installed it on purpose) with
Code:
apt-get remove modemmanager
both of my problems were gone. The device stayed up for 3 seconds and after reboot of the Fire TV it had the same devicename /dev/ttyACM0 again. So I could undo my changes to the handshake script and had instant success with it.
Now I'll try rooting. WHOOT!
Thank you very much for your efforts!
I'd just like to check my understanding - are the instructions you posted comprehensive to obtaining root from absolute scratch?
I know soldering of eMMC and such things were used in development, but that is not needed now after you've done the hard work, correct?
I can just follow your steps above and root the FTV2?
gu3stZA said:
Thank you very much for your efforts!
I'd just like to check my understanding - are the instructions you posted comprehensive to obtaining root from absolute scratch?
I know soldering of eMMC and such things were used in development, but that is not needed now after you've done the hard work, correct?
I can just follow your steps above and root the FTV2?
Click to expand...
Click to collapse
Yes, you're right. No need to solder anything. You just need the tools stated in the instructions.
Hardware:
- a computer running Linux (or something very close)
- a A to A USB cable
Software:
- python3 and python3-serial packages
- adb package (not necessary but recommended)
- zeroepochs scripts and patchfiles
That said, a certain amount of base knowledge regarding Linux doesn't hurt .
Thanks! I've played around with Linux but would definitely classify myself as a beginner. I guess we'll see how user-friendly the instructions are
This is good news, definitely progress, could this be integrated into ADBFire for windows
Jay794 said:
This is good news, definitely progress, could this be integrated into ADBFire for windows
Click to expand...
Click to collapse
This would be perfect. Or even adb. I've just never used Linux
zeroepoch said:
It has only been tested on a US device and I don't know at this point if non US devices are different, maybe not.
Click to expand...
Click to collapse
Hi zeroepoch,
I just used your rooting scripts successfully on a non US (in my case German) version of the Fire TV 2!
Greets,
Christian
skyball2 said:
Hi zeroepoch,
I just used your rooting scripts successfully on a non US (in my case German) version of the Fire TV 2!
Greets,
Christian
Click to expand...
Click to collapse
Thanks for the feedback. Glad to hear it worked!
Successful root under arch Linux! Thanks for your hard work.
By any chance does this root work for the original fire TV ?
Sent from my SM-N910F using Tapatalk
Savage13 said:
By any chance does this root work for the original fire TV ?
Click to expand...
Click to collapse
No. It's MediaTek specific. It may work on most MediaTek devices though.
how can u tell handshake is ok and start patching ?
reiteravi said:
how can u tell handshake is ok and start patching ?
Click to expand...
Click to collapse
It will print "Handshake Complete". Also the serial device will remain present rather than disappear after a few seconds.

Bricked 950XL

Hi,
It seem my 950 is dead brick, when I plug it vibrate, then nothing. No light on sceen, no logo. At least windows seem to recognize an unknow device.
To get it back, I tried to follow the tutorial on lumiafirmware website.
Code:
thor2 -mode uefiflash -ffufile "C:\Users\sylva\Downloads\RM1116_1078.0053.10586.13169.12732.034E13_retail_prod_signed.ffu" -do_full_nvi_update -do_factory_reset
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode uefiflash -ffufile C:\Users\sylva\Downloads\RM1116_1078.0053.10586.13169.12732.034E13_retail_prod_signed.ffu -do_full_nvi_update -do_factory_reset
Process started Thu Oct 24 16:58:36 2019
Logging to file C:\Users\sylva\AppData\Local\Temp\thor2_win_20191024165836_ThreadId-16276.log
Debugging enabled for uefiflash
Initiating FFU flash operation
WinUSB in use.
Operation took about 1 minute, 0 seconds.
THOR2_ERROR_NO_DEVICE_WITHIN_TIMEOUT
THOR2 1.8.2.18 exited with error code 84003 (0x14823)
I tried this too: xdabloger.blogspot.com/2016/04/finally-unbrick-your-lumia-device_28.html
The app told me it was downloading the urgency files, then «Operation failure» message, I guess it doesn't manage to connect to the phone.
I had a look here too forum.xda-developers.com/windows-10-mobile/tutorial-how-to-rescue-lumia-emergency-t3434825 , but I didn't find the hex file I need…
Any magic solution ?
First you should have a look at your device manager: is there an USB Device as Nokia Emergency or Qualcomm USB or Comm Port? Assign to this device the Nokia Emergency driver which came with WDRT.
Download the Emergency files from LumiaFirmware, if not already done.
Modify this command line according to your needs:
thor2 -mode emergency -hexfile "MPRG8992_fh.ede" -edfile "RM1104_fh.edp" -ffufile "RM1104_1078.0053.10586.13169.13756.034EE9_retail_prod_signed.ffu"
For me, it worked as charm on my Lumia 950 XL.
Thanks for your answer, sadly in the device panel I only have an unknow one regarding the phone … :crying:
I suggest to change USB cable and USB port. I think as there is an unknown USB device it can't be recognized properly. Also you might append a screenshot of your device manager, especially the Details tab of the properties window. Normally. a Lumia 950 XL is "unkaputtbar", but I've also a device, which is not even recognized as an unknown device. You may also PM me, if you have a different preferred language... For me. FR, IT, HU also work... ES not really, I can read it.
I noticed that the post is on 2019 I thought it's new, sorry about that... any way the steps might be helpful for others.
I faced this problem exactly, I accidentally disconnect the cable while it was flashing and the mobile got dead as your situation.
The possible solution which saved me is this:
Create folder name it "Products"
Create folder name it "RM-1116"
Copy all your flash files into "RM-1116" if you don't have everything go to lumiafirmware.com and download all the files related to your device
Move the folder "Products" Into somewhere you can access it later
Now open Windows Devices Recovery Tool
In the dots at right-bottom click and choose "Settings"
Go to "Packages"
Active "Use Custom Package path"
Click "Browser" then choose the root folder that you copied "Products" folder into... (select the root folder not the "Products" folder)
i.e. Choose "D:\Custom Packages" -> "Custom Packages contains "Products"
Now Connect you mobile to the computer
wait a little after turn on
Choose "My Device was not detected"
Choose "Lumia"
Once you mobile connected probably you will see it listed
Click on it and recover the system
This should work hopefully.

Fire HD10 (2019) bricked itself

Hi,
A few days ago, my Fire HD10(2019) refused to power on, or rather it would show some life (amazon screen IIRC), but go no further. Now it doesn't even do that.
On a PC I can see whats its doing across USB. "Bus 002 Device 083: ID 0e8d:0003 MediaTek Inc. MT6227 phone" on usb for about 45 seconds, then it disconnects for maybe 20s, and then repeats. Now I take the 0e8d:0003 device to be the amazon bootloader - so looks to me like the bootloder works, but crashes hard and restarts as soon as it tries to start android. So looks like the box is bricked.
I've tried the various buttons to go into fastboot - no success. Neither "adb devices" nor "fastboot devices" can see the device. On first booting, the machine brings up a serial interface (USB ACM device), alas I've not been able to connect to this.
So what are my options of getting into the machine? If I can't access the bootloader via the serial interface, are there UART pins on the board? If so where? If I can access the bootloader, can I switch to fastboot mode, so I can reflash the android OS? Where is the best place to look for info like this?
davidsummers said:
Hi,
A few days ago, my Fire HD10(2019) refused to power on, or rather it would show some life (amazon screen IIRC), but go no further. Now it doesn't even do that.
On a PC I can see whats its doing across USB. "Bus 002 Device 083: ID 0e8d:0003 MediaTek Inc. MT6227 phone" on usb for about 45 seconds, then it disconnects for maybe 20s, and then repeats. Now I take the 0e8d:0003 device to be the amazon bootloader - so looks to me like the bootloder works, but crashes hard and restarts as soon as it tries to start android. So looks like the box is bricked.
I've tried the various buttons to go into fastboot - no success. Neither "adb devices" nor "fastboot devices" can see the device. On first booting, the machine brings up a serial interface (USB ACM device), alas I've not been able to connect to this.
So what are my options of getting into the machine? If I can't access the bootloader via the serial interface, are there UART pins on the board? If so where? If I can access the bootloader, can I switch to fastboot mode, so I can reflash the android OS? Where is the best place to look for info like this?
Click to expand...
Click to collapse
It is actually the mediatek bootrom (your device can have mtk-su temp root access, if you downgrade). You must have one of the early release ones that have access to it. My guess there is something wrong with the preloader... While i can't pin it down, the information to reload is all in this thread...
New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming
There's a new Fire 10 coming out, with an Octacore processor, USB-C charging, and FireOS based on Pie: https://arstechnica.com/gadgets/2019/10/amazons-new-fire-hd-10-tablet-costs-149-and-charges-via-usb-c/ I most certainly don't need any more...
forum.xda-developers.com
Yes it was an early device. Alas it connected to the web, and updated itself from 7.3.1.0 before I disabled most of the amazon processes. So the original mtk-su for 7.3.1.0 never worked on my machine. Alas can't use this any more - as can't get into android any more.
I'm up to page 30 of the thread you posted, alas nothing read so far has managed to get into the machine.
And first progress - bypass_utility version 1.4.2. can connect (when run as root) and gives:
[2023-01-22 14:32:12.028038] Waiting for device
[2023-01-22 14:32:39.691833] Found port = /dev/ttyACM0
[2023-01-22 14:32:40.083041] Device hw code: 0x788
[2023-01-22 14:32:40.083391] Device hw sub code: 0x8a00
[2023-01-22 14:32:40.083586] Device hw version: 0xca00
[2023-01-22 14:32:40.083770] Device sw version: 0x0
[2023-01-22 14:32:40.083959] Device secure boot: True
[2023-01-22 14:32:40.084143] Device serial link authorization: False
[2023-01-22 14:32:40.087904] Device download agent authorization: True
[2023-01-22 14:32:40.088223] Disabling watchdog timer
[2023-01-22 14:32:40.092031] Disabling protection
[Errno 5] Input/Output Error
[2023-01-22 14:32:41.464834] Payload did not reply
davidsummers said:
And first progress - bypass_utility version 1.4.2. can connect (when run as root) and gives:
[2023-01-22 14:32:12.028038] Waiting for device
[2023-01-22 14:32:39.691833] Found port = /dev/ttyACM0
[2023-01-22 14:32:40.083041] Device hw code: 0x788
[2023-01-22 14:32:40.083391] Device hw sub code: 0x8a00
[2023-01-22 14:32:40.083586] Device hw version: 0xca00
[2023-01-22 14:32:40.083770] Device sw version: 0x0
[2023-01-22 14:32:40.083959] Device secure boot: True
[2023-01-22 14:32:40.084143] Device serial link authorization: False
[2023-01-22 14:32:40.087904] Device download agent authorization: True
[2023-01-22 14:32:40.088223] Disabling watchdog timer
[2023-01-22 14:32:40.092031] Disabling protection
[Errno 5] Input/Output Error
[2023-01-22 14:32:41.464834] Payload did not reply
Click to expand...
Click to collapse
It has been a long time. Maybe try disconnecting the battery, not sure if it is staying in bootrom mode.... I remember mine had to have the battery removed or it would try to goto the preloader (i think). I used the process to downgrade back to 7.3.1.0, but it was like a year ago.
Michajin said:
It has been a long time. Maybe try disconnecting the battery, not sure if it is staying in bootrom mode.... I remember mine had to have the battery removed or it would try to goto the preloader (i think). I used the process to downgrade back to 7.3.1.0, but it was like a year ago.
Click to expand...
Click to collapse
Yes - mine stayed in 0e8d:0003 mode, when the device bricked itself - made no difference with battery on or off, always when through the same minute cycle, where the device would disconnect, then reboot.
Interesting after running the bypass utility - it has stayed up in the 0e8d:0003 mode - and hasn't rebooted.
davidsummers said:
Yes - mine stayed in 0e8d:0003 mode, when the device bricked itself - made no difference with battery on or off, always when through the same minute cycle, where the device would disconnect, then reboot.
Interesting after running the bypass utility - it has stayed up in the 0e8d:0003 mode - and hasn't rebooted.
Click to expand...
Click to collapse
it disabled the watchdog timer. From what is can see everything points to a potential wrong setup..
bypass_utility/README.md at master · MTK-bypass/bypass_utility
Contribute to MTK-bypass/bypass_utility development by creating an account on GitHub.
github.com
This post shows the same error as you read through it.
Payload did not reply · Issue #13 · MTK-bypass/exploits_collection
[Errno 5] Input/Output Error Payload did not reply
github.com
OK - using SP_Flash_Tool v5.2008 to attempt to flash maverick-downgrade-7.0_PR7310_940N and I get the error:
Connect BROM failed: STATUS_SEC_AUTH_FILE_NEEDED(-1073545198)
Disconnect!
BROM Exception! ( ERROR : STATUS_SEC_AUTH_FILE_NEEDED (-1073545198) , MSP ERROE CODE : 0x00.
[HINT]:
Please select a valid authentication file or ask for help.)((ConnectBROM,../../../flashtool/Conn/Connection.cpp,105))
So where do I get the authentication file from?
Michajin said:
it disabled the watchdog timer. From what is can see everything points to a potential wrong setup..
bypass_utility/README.md at master · MTK-bypass/bypass_utility
Contribute to MTK-bypass/bypass_utility development by creating an account on GitHub.
github.com
Click to expand...
Click to collapse
ah yes - that explains why it was rebooting. So guess I have to dig into [Errno 5] Input/Output Error.
Seems like only way I have into the tablet any more is the mediatek bootrom, but as the tablet is sick - if that doesn't work, then probably its permanently dead. E.g. even getting access to a uart wouldn't help.
You have to only do file by file.
5. bypass_utility run succes with message "Protection disabled"
6. Run SPFlash Tool and flash boot, recovery, vendor, system. Wait to finish
7. Hold power button 15s to power off (check Ports in Device Manager windows)
8. Hold volume up and power boot to recovery with triactangle icon
9. Hold power and tap volume up then choose reset factory
10. Reboot
Thanks Michajin - I'm obviously having problems with the bypass_utility, whilst it connects to the MediaTek bootrom, it is not able to disable protection - and test mode bombs out. I've taken this up on the bypass_utility thread:
xda bypass utility

Categories

Resources