Hey guys, I don't know if this is of any use for you, but I think it won't hurt to share it.
Based on some posts and ideas I read in different threads, I managed to write to the EFIESP and the PLAT partition of the stock rom of my HTC 8S. I changed the bootimages in the PLAT partition to a custom one, flashed the image and it worked. I'll attach a picture to prove it and if that's not enough, I will post a video.
So, the first step is to download the stock rom (obviously...) and extract the .exe file. (I use 7-ZIP) Then there is a file called "RUU_signed.nbh". If you open it with a Hex Viewer, like HxD, you can find multiple partition Headers. I found 4 that I can use, the rest is encrypted with what appears to be Bitlocker, hence the different headers. Now, what I did was mark the area of the first partition (starts approximately at offset 228BEF90 and is a FAT16 Partition) and continued the selection until the end of the file. Then I created a new one and pasted it. I did the same with the rest, always selecting and copying from where the partition starts until the end of the whole file and pasted it into a new one. Then I mounted the files using OSFMount and voilà, you can put stuff and files in there! If you finished, you just unmount the files. Then I opened each file again with HxD, selected EVERYTHING and pasted it to the according area in the original RUU_signed.nbh. I started with the first one, then the second and so on, so you don't overwrite the changes you have made if you start in reverse order. After packing the file, I tried to flash it and to my surprise, IT WORKED! After rebooting I saw my custom bootimage! Downside of this is obviously that it requires you to use the stock firmware and it will be overwritten once you update your device. But I hope our skilled Devs here have some use for those 2 partitions. There's 2 more that are usable, but I don't know their names, but you can still put files in them.
Now again, I don't know if this is of any use for you devs, but I still felt kind of obligated to share it
Stupid thing, I put my HTC 8S into Diag Mode and THEN flashed it, now it doesn't connect as MTP but as HTC Diagnostic Interface and I can't change it back because I can't deploy anything to the device. It works perfectly, boots and everything, but no USB Connection via MTP. So be very careful before flashing, since the mode is determined by a NV value which you can't edit afterwards.
This is not a tutorial to be followed by everyday users, but something meant for developers. You do everything at your own risk! And keep in mind that this has only been tested on an HTC 8S!
cheers, hutchinsane_
Yeah, I heard that it is possible, though I hadn't had a chance to test it on my 8X.
As for EFIESP: you can edit \efi\Microsoft\Boot\BCD to enable Kernel Debugger functionality and it is basically enough to hack the whole OS even with actions currently performed.
The most interesting partitions are MainOS (second to last), and Data (last one). Interop Unlock can be done in MainOS.
Thing is that newest ROMs are encrypted (not hard to crack but still)
Darn, hoped I was the first to come up with the idea. I do have access to the file you're talking about. MainOS seems to be encrypted with Bitlocker since their headers start with -FVE-FS-. I could take a look into the 8X Rom as well, I expect the situation to be the same. So is there a thread on the Kernel Debugger thing?
EDIT: I just did what you set, although I used a program called "Visual BCD Editor" since I don't know about editing the BCD Store just YET. Now I edited some values from "False" to "True" and for 1 second it showed me what appeared to be a windows boot selection. Now when I boot up, and once the "Windows Phone" blueish logo appears, it shows "Not for resale", meaning that we actually can edit BCD on this device!
Very nice Work
I run in Nokia Lumia 920 RM-821 APAC Malaysia Amber ROM
I find the same
Maybe we can edit Lumia 920 FFU and get first Custom ROM
that's enough to enable WinDbg interoperability.
Code:
bcdedit /store F:\EFIESP\efi\Microsoft\Boot\BCD /dbgsettings usb targetname:woatarget
bcdedit /store F:\EFIESP\efi\Microsoft\Boot\BCD -set {default} debug on
bcdedit /store F:\EFIESP\efi\Microsoft\Boot\BCD -set {default} dbgtransport kdusb.dll
Sorry for my Question but how can we find that here is the end of a file in HxD .
I'm now looking for it to flash a Custom Rom on my Lumia 920 but I can't build images correctly using HxD and OSFMount.
Thanks .
@ngame Thanks. If you look at your first 2 screenshots, you didn't select the "ë". You MUST select and copy it as well, it's always the start of a partition, for FAT as well as for NTFS. After that, you should be able to mount. For finding the end, I didn't. I just Selected until the end of the file and pasted it back in. It should work. After all, my HTC has a "custom" rom as well now, since there's a custom bootimage
@ultrashot Thanks! I used the commands and it worked successfully. Waiting on the phone to flash now
EDIT: It doesn't boot once you set a) the target b) the type or something else. but enabling the kernel debugger itself works. Trying to figure out which value makes it unbootable.
ngame said:
Sorry for my Question but how can we find that here is the end of a file in HxD .
I'm now looking for it to flash a Custom Rom on my Lumia 920 but I can't build images correctly using HxD and OSFMount.
Thanks .
u must ask me dude .
zimone die
amir323b said:
u must ask me dude .
zimone die
PM Me please if you know
Thanks
hutchinsane_ said:
@ngame Thanks. If you look at your first 2 screenshots, you didn't select the "ë". You MUST select and copy it as well, it's always the start of a partition, for FAT as well as for NTFS. After that, you should be able to mount. For finding the end, I didn't. I just Selected until the end of the file and pasted it back in. It should work. After all, my HTC has a "custom" rom as well now, since there's a custom bootimage
I will test again
Sorry in advance if this is a stupid question ...
Here is a list of partitions from my 928 .ffu but which ones are needed to edit? Just the FAT and NTFS partitions? Are any of the others of any interest?
As far as I know, you have to look for the specific headers, since some are encrypted with Bitlocker, therefore have the "-FVE-FS-" header. Easiest way is to use the search function of HxD and search for NTFS, FAT12 and FAT16 partitions. Also, there are no stupid questions
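An added example, not part of the thread: the header search described in the posts above, done in Python instead of by hand in HxD. It locates FAT12/FAT16, NTFS and BitLocker ("-FVE-FS-") boot sectors in a raw image, checks the leading jump byte (the "ë" shown in HxD is 0xEB) and the 55 AA end marker, and reads the volume size from the boot sector. The sample image, its offsets and all function names are constructed for illustration.

```python
import struct
from typing import List, NamedTuple, Optional

SECTOR = 512

# (label, signature, offset of the signature inside the boot sector)
SIGNATURES = [
    ("FAT12", b"FAT12   ", 54),      # FAT filesystem-type field
    ("FAT16", b"FAT16   ", 54),
    ("NTFS", b"NTFS    ", 3),        # OEM ID field
    ("BitLocker", b"-FVE-FS-", 3),   # OEM ID of a BitLocker-protected volume
]


class Hit(NamedTuple):
    offset: int            # byte offset of the boot sector in the image
    kind: str
    size: Optional[int]    # volume size in bytes from the BPB, if readable


def _bpb_size(sector: bytes, kind: str) -> Optional[int]:
    """Volume size according to the BIOS parameter block."""
    bps = struct.unpack_from("<H", sector, 11)[0]     # bytes per sector
    if bps not in (512, 1024, 2048, 4096):
        return None
    if kind in ("FAT12", "FAT16"):
        total = struct.unpack_from("<H", sector, 19)[0]
        if total == 0:                                # large volumes use the 32-bit field
            total = struct.unpack_from("<I", sector, 32)[0]
        return total * bps if total else None
    if kind == "NTFS":
        # The partition is usually one sector longer (backup boot sector).
        return struct.unpack_from("<Q", sector, 40)[0] * bps
    return None                                       # encrypted: size is not reported


def scan_image(data: bytes) -> List[Hit]:
    """Find plausible boot sectors at any offset (no sector alignment assumed)."""
    hits = []
    for kind, sig, sig_off in SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            start = pos - sig_off
            sector = data[start:start + SECTOR] if start >= 0 else b""
            # A boot sector opens with a jump (0xEB or 0xE9) and ends with 55 AA.
            if (len(sector) == SECTOR and sector[0] in (0xEB, 0xE9)
                    and sector[510:512] == b"\x55\xAA"):
                hits.append(Hit(start, kind, _bpb_size(sector, kind)))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def _boot_sector(kind: str, total_sectors: int) -> bytes:
    """Constructed minimal boot sector for the sample image."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<H", s, 11, 512)
    if kind in ("FAT12", "FAT16"):
        s[3:11] = b"MSDOS5.0"
        struct.pack_into("<H", s, 19, total_sectors)
        s[54:62] = kind.ljust(8).encode()
    elif kind == "NTFS":
        s[3:11] = b"NTFS    "
        struct.pack_into("<Q", s, 40, total_sectors)
    else:
        s[3:11] = b"-FVE-FS-"
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def build_sample_image() -> bytes:
    """Constructed container: opaque filler with three volumes inside."""
    img = bytearray(b"\xFF" * 0x3000)
    for off, kind, total in [(0x0A10, "FAT16", 3), (0x1200, "NTFS", 4),
                             (0x2400, "BitLocker", 0)]:
        img[off:off + SECTOR] = _boot_sector(kind, total)
    return bytes(img)


if __name__ == "__main__":
    for hit in scan_image(build_sample_image()):
        size = "unknown" if hit.size is None else f"{hit.size} bytes"
        print(f"0x{hit.offset:08X}  {hit.kind:<9}  {size}")
```

The size read from the boot sector gives the end of a plaintext volume, so the copy does not have to run to the end of the file.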
hutchinsane_ said:
As far as I know, you have to look for the specific headers, since some are encrypted with Bitlocker, therefore have the "-FVE-FS-" header. Easiest way is to use the search function of HxD and search for NTFS, FAT12 and FAT16 partitions. Also, there are no stupid questions
:highfive: Here's a better list including the device layout and read and write partitions if it helps anyone. Also when mounting FAT16 or FAT12 partitions it says it needs to be formatted or is unsupported. What am I doing wrong???
Can you post a screenshot of the file you use as a partition? I don't know if it even works with Nokia Roms. Which one are you using exactly? I might be able to have a look at it.
feherneoh said:
Don't try it on Lumias, as your phone will get stuck in Qualcomm HS-USB QDLoader mode, like my L520 did
You tried this way ?
now you can't flash your Phone using Care Suite ?
did you try Reffbox or ATF to repair your Boot Loader and flash your phone again ?
Hey, Lumia owners, get out of here!
By the way, Huawei W1 has same access to partitions. You can join forces and develop one hack for both phones.
-W_O_L_F- said:
Hey, Lumia owners, get out of here!
By the way, Huawei W1 has same access to partitions. You can join forces and develop one hack for both phones.
I think @reker can help us . he created a W1 Custom Rom
ngame said:
I think @reker can help us . he created a W1 Custom Rom
Not a rom any more, I'm making a tool that can directly operate on NTFS, so I can modify everything without losing any data. Hard work XD
reker said:
Not a rom any more, I'm making a tool that can directly operate on NTFS, so I can modify everything without losing any data. Hard work XD
Can't you publish it ? or Private send it to me ?
This tool can modify every NTFS Partition ?
@-W_O_L_F- They do? Didn't know that, thanks for the info! Yeah, might be a good idea, actually.
@reker how do you plan on doing this? adding the tool to the rom or deploying it as a xap? I actually need a way to use hidden pages without the toast launcher, or to include the toast launcher into the rom since I can't deploy it anymore
ngame said:
Can't you publish it ? or Private send it to me ?
This tool can modify every NTFS Partition ?
Prototype now, NTFS is a biiiiiig thing. I will release it when finished.
Hi all,
Has anyone followed Rayman's excellent article the-inner-workings-of-secure-boot-key-and-nvflash and fully recovered a N7 from APX only mode?
I have this situation which I think resulted from the battery dying during the 4.4.2 update - Doh I know, but thought I had enough juice to complete the update.
Rayman says the required files will be made available but I cannot find them anywhere
Since every motherboard has a unique key, there is no generic blob. To be able to recover your N7, you will need a backup of it, but it's impossible to make if your device is dead.
Try to send it to Asus/Google.
Erovia said:
Since every motherboard has a unique key, there is no generic blob. To be able to recover your N7, you will need a backup of it, but it's impossible to make if your device is dead.
Try to send it to Asus/Google.
Did you read the article? Sounds like you can use the sbk which is a hash of the cpuid...
Nope, but why don't you ask around in the flatline topic?
Erovia said:
Nope, but why don't you ask around in the flatline topic?
too much of a noob to post on the forum, but thanks for the pointer.
FYI Rayman's article. It does sound possible to bring it back, but there was no follow up with the required files:
What is Secure Boot Key and how does it work?
I've been getting lots of questions about this, so here is some simple background:
The secure boot key is an AES128 encryption key that can be used to encrypt various data on the flash memory. It's a generic nvidia tegra2 thing, that the manufacturer can optionally use to make their device more "secure".
When the SBK is set, it's stored in a one-time-programmable "fuse". This also means that now that the key is out, they can't change it on already released devices, only new devices.
When the tegra2 starts up, the AES key is available to the hardware AES engine only. E.g. not even the bootloader can read it back! However, the bootloader can *use* the key to encrypt whatever data it wants through the hardware AES engine. And here is the explanation why the blob flashing method actually works! The bootloader checks for the blob in the staging partition and encrypts and flashes it as needed.
Once the bootloader is done, it clears the key from the AES engine which makes it impossible to encrypt or decrypt things from within the OS.
So what happens when it boots into APX/Nvflash mode?
The basic APX mode is stored in the BootROM and hence can never be changed. It appears to accept only a very limited range of commands, and each command needs to be encrypted using the SBK to be accepted. If it receives a command that's not properly encrypted, it disconnects the USB and appears to be off. This is the dreaded "0x4" error that people have been getting when attempting to get nvflash working.
It should be noted, that even with the SBK inputted into nvflash, most regular nvflash commands won't be available. I'm still not entirely sure why (and I can't rule out it will change).
What *is* available, is the nvflash --create command. What this command does is repartition and format all partitions, set bct and odmdata and send over all needed partitions to the device (and encrypt them as needed). This means a full recovery is possible, but regular ability to flash e.g. just boot.img or read partitions off of the device is not possible at this point.
So what do we need for nvflash?
In order to get a working (e.g. --create) nvflash, we need a few bits of information as well as some files:
◦Secure Boot Key
◦BCT file (boot device setup, ram configuration and a bit more)
◦ODM data (board-specific bit-field specifying various board settings. *Needs* to be correct)
◦flash.cfg (e.g. list of settings and names/identifiers of partitions)
On top of these files, we also need all the partitions, e.g. bootloader.bin, boot.img, recovery.img and system.img. Luckily, these partition files are available in official ASUS updates and can be extracted from the blob file using my blob tools.
The first four pieces aren't readily available, but through lots of effort and a good deal of luck, we have managed to recreate the needed files. Secure Boot Key has already been released (note that this was by far the hardest!) and the rest will most likely follow over the weekend. Keep in mind that we want to keep this legal, so don't expect us to release any ready-made packs for unbricking! We will however make the recreated files available. Since these are recreated and not actual ASUS files, there should be no problems with them.
I hope this helps give a better understanding of how and what secure boot key is and what it gives us.
Hello All,
First let me say thanks to all XDA Developers, and without this forum I would still be a pleb when it comes to unbricking. :highfive:
The link to QPST: androidbrick.com/download/latest-qpst-2-7-build-422-425-430-437-qfil-qualcomm-flasher/
(Sorry, I haven't passed 10 posts yet, so you have to manually enter into the address bar)
I came to this forum seeking answers to unbrick my hardbricked Note 4, and after many hours of heartbreak and headache, I have come across a tool called QPST.
This tool is used by Qualcomm, and if you read carefully through the accompanying documentation, you will find some interesting stamps - such as "Confidential" etc.
While I am no expert in the use of QPST, from my own incomplete research I am convinced this tool can be used on any device which sports a Qualcomm chipset (Snapdragon etc.) to unbrick it from certain death.
I have not yet succeeded with my attempts at unbricking, but it is now only a matter of time and kind people pointing me in the right directions. :fingers-crossed:
I am looking for the right files to go in the "phone image" and "boot image" lines in the QPST Software Download program.
I hope we can all see the opportunity this tool represents and spread the word among the greater community, not just developers.
Edit:
Using Software Download:
Phone image files will have a .hex extension and I do not believe they can be found on sammobile. I still haven't found the right one.
Boot image files: I still don't know what they will look like. Likely a .hex file.
Using QFIL:
I suspect all these files can be acquired from a service ROM (whatever a service ROM is - I don't think it is a ROM for android as I know them). I am not completely sure of this however.
Using the flat build option will let you select the programmer. It will have a file name like:
prog_emmc_firehoseXXXX.mbn
(Replace XXXX with the correct numbers for your snapdragon. I don't know what the right ones for the Snapdragon 805 are, but I strongly suspect 8084, with a remote possibility of 8064. Edit: I don't know, don't take my word.
There are posts for other phones on XDA, I don't know if they use the 805 chipset or if the files are compatible.) <--- If anyone wants to research, feel free. Team efforts make a big job seem easy! Please post your results!
Accompanying your firehose file will be a bunch of other files in the same folder.
You will need two .xml files to go with the above (usually in the same folder), which will look as follows:
rawprogram0XXXX.xml (here XXXX denotes some numbering system which will be determined by the internal memory of the device eg 16GB, 32GB, 64GB. I saw an example for a OnePlus One which had rawprogram0_64G.xml.
I'm NOT 100% SURE on this numbering system, as elsewhere on XDA I have come across different file names!
Here's the truncated link: androidbrick.com/ultimate-qualcomm-snapdragon-unbrick-guide-snapdragons-are-unbrickable-qhsusb_dload_qpst_qfil/)
patch0.xml
When I find the above, I will post or hassle an admin to post, as these will likely unbrick any Snapdragon 805. Happy hunting!
Here's a truncated link to XproZayd's thread, where a different avenue is explored (and where I got my idea about the 8084 number for firehose -- Remember, I could be wrong!)
forum.xda-developers.com/note-4/help/unbrick-samsung-galaxy-note-4-sm-n910w8-t3249970
This thread is for discussing QPST and how to use it - if you have a hard bricked phone I am not able to help at this stage. However, should anybody find / 'acquire' the right files to use with QPST, we will all benefit.
What made your device hard brick
Sent from my SM-N910G using Tapatalk
Mistake 1: I bought the phone with the known problem of a USB port not working.
Mistake 2: I bought a replacement USB board and replaced it myself, after which the fun and games began. The one time the screen did light up I got an error message about mmc read fail and could not boot.
Mistake 3: Like a fool, I pulled the battery. Now I have a hard bricked / useless Note 4.
Unless the mmc is physically damaged (which I refuse to believe) the phone should be salvageable from its hard brick state. Provided I can find the right files to go with QPST.
Edit:
I have tried contacting Qualcomm to get the files, who have pointed out that they are proprietary to the licensee, ie Samsung. Here's the e-mail below.
Any information other than what is listed on our website (URL listed below for your reference) is Proprietary to Licensees.
However, the following link should help you with the information you're looking for:
http://www.mydragonboard.org
Alternatively, we recommend you follow-up with a vendor that carries this product and seek their feedback on your technical questions.
Please note, Qualcomm is the technology provider, not a manufacturer of consumer products and therefore we are unable to answer your product specific question. We hope this direction helps.
Thank you for your inquiry,
Qualcomm Technologies Inc.
can you explain to me everything that is happening?
i got my note 4 hardbricked from......
i really dont know
i was modifying my phone but then it would not boot
AlexanderDAB said:
can you explain to me everything that is happening?
i got my note 4 hardbricked from......
i really dont know
i was modifying my phone but then it would not boot
Is it going in download mode or recovery ?
What were you exactly flashing ?
Is it detected in pc as qhsb loader ?
Is the splash screen GALAXY NOTE 4 showing up ?
Sent from my SM-N910G
Update:
So far I have contacted Qualcomm, Intrinsyc (they sell Snapdragon development boards), and a Samsung retail outlet.
All have come back as a negative - the closest I could get was the Samsung retail outlet where a dude used to work in the repair centre and had access to the files then.
Unfortunately, Samsung revoked his permissions now that he only works in a retail outlet.
He knew what I was talking about, but due to Samsung and their encryption etc, he couldn't provide me with the files.
C_dog_1 said:
Mistake 1: I bought the phone with the known problem of a USB port not working.
Mistake 2: I bought a replacement USB board and replaced it myself, after which the fun and games began. The one time the screen did light up I got an error message about mmc read fail and could not boot.
Mistake 3: Like a fool, I pulled the battery. Now I have a hard bricked / useless Note 4.
Unless the mmc is physically damaged (which I refuse to believe) the phone should be salvageable from its hard brick state. Provided I can find the right files to go with QPST.
Edit:
I have tried contacting Qualcomm to get the files, who have pointed out that they are proprietary to the licensee, ie Samsung. Here's the e-mail below.
Any information other than what is listed on our website (URL listed below for your reference) is Proprietary to Licensees.
However, the following link should help you with the information you're looking for:
http://www.mydragonboard.org
Alternatively, we recommend you follow-up with a vendor that carries this product and seek their feedback on your technical questions.
Please note, Qualcomm is the technology provider, not a manufacturer of consumer products and therefore we are unable to answer your product specific question. We hope this direction helps.
Thank you for your inquiry,
Qualcomm Technologies Inc.
I have the same problem and also looking for a solution. I will contribute to this post as I find something.
There is a similar post here:
http://forum.xda-developers.com/note-4/help/unbrick-samsung-galaxy-note-4-sm-n910w8-t3249970
---------- Post added at 07:10 PM ---------- Previous post was at 06:30 PM ----------
Try this manual.
http://dl-1.va.us.xda-developers.co....rar?key=yrJPiZgu63c6RxNIbU_xVA&ts=1474829412
I've found it earlier today but haven't had a chance to try it yet.
Says the file is gone
Sent from my SM-N930W8 using XDA Labs
It's just the pdf and .pit that i used here: http://forum.xda-developers.com/note-4/help/hard-brick-phone-off-long-help-fellow-t3468792
yashthemw said:
Is it going in download mode or recovery ?
What were you exactly flashing ?
Is it detected in pc as qhsb loader ?
Is the splash screen GALAXY NOTE 4 showing up ?
Sent from my SM-N910G
it won't boot at all
i was messing around with the system on the factory binary firmware
yes, it is
nope, it will not boot
I have the same problem. Has anyone had success with this process?
Hey guys, i successfully created a Debrick.img for note 4 , used my own functional note 4 to create one .
http://forum.xda-developers.com/showthread.php?t=3488114
Don't forget to Press thanks .
Reporting Via N910G.
yashthemw said:
Hey guys, i successfully created a Debrick.img for note 4 , used my own functional note 4 to create one .
http://forum.xda-developers.com/showthread.php?t=3488114
Don't forget to Press thanks .
Reporting Via N910G.
can you get me a dude with an AT&T note 4?
same boat with my N910F
C_dog_1 said:
Hello All,
First let me say thanks to all XDA Developers, and without this forum I would still be a pleb when it comes to unbricking. :highfive:
The link to QPST: androidbrick.com/download/latest-qpst-2-7-build-422-425-430-437-qfil-qualcomm-flasher/
(Sorry, I haven't passed 10 posts yet, so you have to manually enter into the address bar)
I came to this forum seeking answers to unbrick my hardbricked Note 4, and after many hours of heartbreak and headache, I have come across a tool called QPST.
This tool is used by Qualcomm, and if you read carefully through the accompanying documentation, you will find some interesting stamps - such as "Confidential" etc.
While I am no expert in the use of QPST, from my own incomplete research I am convinced this tool can be used on any device which sports a Qualcomm chipset (Snapdragon etc.) to unbrick it from certain death.
I have not yet succeeded with my attempts at unbricking, but it is now only a matter of time and kind people pointing me in the right directions. :fingers-crossed:
I am looking for the right files to go in the "phone image" and "boot image" lines in the QPST Software Download program.
I hope we can all see the opportunity this tool represents and spread the word among the greater community, not just developers.
Edit:
Using Software Download:
Phone image files will have a .hex extension and I do not believe they can be found on sammobile. I still haven't found the right one.
Boot image files: I still don't know what they will look like. Likely a .hex file.
Using QFIL:
I suspect all these files can be acquired from a service ROM (whatever a service ROM is - I don't think it is a ROM for android as I know them). I am not completely sure of this however.
Using the flat build option will let you select the programmer. It will have a file name like:
prog_emmc_firehoseXXXX.mbn
(Replace XXXX with the correct numbers for your snapdragon. I don't know what the right ones for the Snapdragon 805 are, but I strongly suspect 8084, with a remote possibility of 8064. Edit: I don't know, don't take my word.
There are posts for other phones on XDA, I don't know if they use the 805 chipset or if the files are compatible.) <--- If anyone wants to research, feel free. Team efforts make a big job seem easy! Please post your results!
Accompanying your firehose file will be a bunch of other files in the same folder.
You will need two .xml files to go with the above (usually in the same folder), which will look as follows:
rawprogram0XXXX.xml (here XXXX denotes some numbering system which will be determined by the internal memory of the device eg 16GB, 32GB, 64GB. I saw an example for a OnePlus One which had rawprogram0_64G.xml.
I'm NOT 100% SURE on this numbering system, as elsewhere on XDA I have come across different file names!
Here's the truncated link: androidbrick.com/ultimate-qualcomm-snapdragon-unbrick-guide-snapdragons-are-unbrickable-qhsusb_dload_qpst_qfil/)
patch0.xml
When I find the above, I will post or hassle an admin to post, as these will likely unbrick any Snapdragon 805. Happy hunting!
Here's a truncated link to XproZayd's thread, where a different avenue is explored (and where I got my idea about the 8084 number for firehose -- Remember, I could be wrong!)
forum.xda-developers.com/note-4/help/unbrick-samsung-galaxy-note-4-sm-n910w8-t3249970
This thread is for discussing QPST and how to use it - if you have a hard bricked phone I am not able to help at this stage. However, should anybody find / 'acquire' the right files to use with QPST, we will all benefit.
I'm in the same boat with my NOTE 4 N910F. Totally blacked out but still picking it up on the PC with QFIL files have found some files but they're not the right phone I think.
so fails to load with SAHARA.
cannot find firehose for 910F. Wish someone could solve this one and then publish it all. someone will eventually but QFIL will unbrick all Qualcomm provided you can make the files.
Let me know if you or anyone does. cheers
Lofhario said:
I'm in the same boat with my NOTE 4 N910F. Totally blacked out but still picking it up on the PC with QFIL files have found some files but they're not the right phone I think.
so fails to load with SAHARA.
cannot find firehose for 910F. Wish someone could solve this one and then publish it all. someone will eventually but QFIL will unbrick all Qualcomm provided you can make the files.
Let me know if you or anyone does. cheers
https://forum.xda-developers.com/showthread.php?t=3488114
Tried this?
Reporting Via N910G.
Hi, got a Phicomm Energy M+ (E551). It turned off as the battery was empty, so I charged it overnight.
But:
-Switching it on only shows the phicomm logo
-Trying to enter recovery, shows phicomm logo for a second and then the screen stays lit. Nothing else happens.
-On Windows 7 device manager shows it as "RELINK HS-USB QDLoader 9008 (Com3)" (VOL Up+VOL Down + Power)
-fastboot/adb won't find it
-I tried this http://www.droidsavvy.com/unbrick-qualcomm-mobiles/
I don't have an emmc backup but an unzipped Stock ROM of the E551L which support told me to use. (put on SD card and reboot into recovery, but I can't get into recovery)
Hence I use the unzipped ROM with the Qualcomm Flasher :S (http://na.phicomm.info/release/E551L...TA package.zip)
-It starts the process but then says "Failed to enter EDL" (Emergency) mode
Another thing I stumbled across is :
E551L has Qualcomm MSM8916 and Android 4.4.2
E551M has Qualcomm MSM8915 and Android 4.4.4
Will I have to acquire a deepflash cable or am I missing something here ?
yashthemw said:
Hey guys, i successfully created a Debrick.img for note 4 , used my own functional note 4 to create one .
http://forum.xda-developers.com/showthread.php?t=3488114
Don't forget to Press thanks .
tried but not working
waiting for other solution
Hi, I posted this under thread "yotaflasher" but no response... Apologies for any apparent newbie ignorance of protocol:
Yotaphone_flasher won’t even install!
Hi, i’m having trouble even installing yotaphone_flasher.exe on my ancient windowsXP PC. I get an “unable to locate component” error when I run the installation: the file missing is MSVCR100.dll. I’ve tried re-downloading but the error always comes up... HELP this whole process is driving me insane!
Could someone please provide the file MSVCR100.dll from their yotaflasher installation? I'm hoping I can place this in the right place manually to get this working...
nutsoboy said:
Could someone please provide the file MSVCR100.dll from their yotaflasher installation? I'm hoping I can place this in the right place manually to get this working...
That file is part of the Visual C++ library so you can fix it by installing that.
64bit: https://www.microsoft.com/en-us/download/details.aspx?id=14632
32bit: https://www.microsoft.com/en-in/download/details.aspx?id=5555
Amplificator said:
That file is part of the Visual C++ library so you can fix it by installing that.
Thanks! I will give it a go.
Shamefully I confess my main desktop computer is a Mac so I'm trying to flash my yotaphone 206 using an ancient WindowsXP PC. I don't think the USB ports are even 2.0
Do you think this is going to work?
Thanks again...
nutsoboy said:
Thanks! I will give it a go.
Shamefully I confess my main desktop computer is a Mac so I'm trying to flash my yotaphone 206 using an ancient WindowsXP PC. I don't think the USB ports are even 2.0
Do you think this is going to work?
Thanks again...
Sure, I don't see why not. It will just be slower. USB is backwards compatible
But I'm an Arch Linux user where all these ADB drivers etc. are not an issue; plug in the phone and it just.. works, for all phones and tablets
Why not just use fastboot to flash the rom you want on your Mac?
Download the zip for the rom you want from Yota Devices, unpack the file and flash the files one by one
Edit:
Or even easier, just put the zip on the internal storage, reboot to recovery and flash it that way.
If you do go with the Windows route and your usb ports for some reason are not at least 2.0, the only thing to keep in mind is that it will just be a lot slower but should work just fine
Amplificator said:
Why not just use fastboot to flash the rom you want on your Mac?
Download the zip for the rom you want from Yota Devices, unpack the file and flash the files one by one
Edit:
Or even easier, just put the zip on the internal storage, reboot to recovery and flash it that way.
If you do go with the Windows route and your usb ports for some reason are not at least 2.0, the only thing to keep in mind is that it will just be a lot slower but should work just fine
I got overwhelmed reading all the threads here about problems flashing a CN206 to achieve 201/Lollipop. Your suggestions seem very sensible but at the same time fill me with trepidation.
Would you mind explaining step by step the process of using fastboot via Mac? Is fastboot an app or a connection procedure?
As you'll realise I'm a complete novice when it comes to technical stuff, I've been using computers to earn a living for 25 years but they've been macs!
nutsoboy said:
I got overwhelmed reading all the threads here about problems flashing a CN206 to achieve 201/Lollipop. Your suggestions seem very sensible but at the same time fill me with trepidation.
Would you mind explaining step by step the process of using fastboot via Mac? Is fastboot an app or a connection procedure?
As you'll realise I'm a complete novice when it comes to technical stuff, I've been using computers to earn a living for 25 years but they've been macs!
I've never used a Mac before so you are probably better off looking here: http://forum.xda-developers.com/showthread.php?t=1917237
..or doing a google search if that link is not enough for whatever version of OSX you are using.
CyanogenMod does a good job of giving a quick explanation of what fastboot is: https://wiki.cyanogenmod.org/w/Doc:_fastboot_intro
But basically no matter how much you bricked your device you can always just boot into this mode and re-flash a working rom, so take note in the Settings -> About Phone what region your rom is.
The rom I'm currently using has a build number of: LRX21M.5.0.0-RU1.1.134 <-- RU is the important part, because knowing this you can always revert back to that rom if you brick anything. Here's the link for the Yota Devices ftp server with roms for all regions: ftp://fw.ydevices.com/YotaPhone2/Firmwares/
You can access fastboot using either volume up + power button or volume down + power button, I've forgotten which
Fastboot is always used to flash new recoveries for example, just like TWRP for our YotaPhone 2:
http://forum.xda-developers.com/yotaphone-one/development/twrp-3-0-2-0-yotaphone-2-t3494023
http://forum.xda-developers.com/yot...wrp-twrp-2-8-5-0-recovery-yotaphone2-t3142024
When you download a rom from Yota Devices as a .zip file it contains a bunch of files that are more or less images of partitions.. So what you do when flashing is essentially just restoring the rom image to the System partition and all the others.
What I imagine people are having problems with when flashing cross-region roms is that they install the baseband from a region which their device doesn't fully support, which could indeed result in issues. Yota Flasher will very likely do this, as this is a simple tool that just downloads whatever rom is the latest for the region you pick and then it flashes it. It does not take cross-flashing of various basebands into account.
What you can do then is to just install the baseband that is actually meant for your device after using the Yota Flasher, or if you manually flash all .img files from a zip, just simply not flash the new baseband.
The latest RU rom for example, on the Yota Devices ftp server, is version 124, which will OTA update to 134 once installed.
Link for the RU rom is here: ftp://fw.ydevices.com/YotaPhone2/Firmwares/RU/5.0.0-RU1.1.124.zip
Inside this zip file are these files:
Code:
Archive: 5.0.0-RU1.1.124.zip
inflating: 5.0.0-RU1.1.124/emmc_appsboot.mbn
inflating: 5.0.0-RU1.1.124/userdata.img
inflating: 5.0.0-RU1.1.124/recovery.img
inflating: 5.0.0-RU1.1.124/boot.img
inflating: 5.0.0-RU1.1.124/system.map
inflating: 5.0.0-RU1.1.124/system.img
inflating: 5.0.0-RU1.1.124/cache.img
inflating: 5.0.0-RU1.1.124/radio/rpm.mbn
inflating: 5.0.0-RU1.1.124/radio/sbl1.mbn
inflating: 5.0.0-RU1.1.124/radio/tz.mbn
inflating: 5.0.0-RU1.1.124/radio/NON-HLOS.bin
So what you would do is essentially just flash the relevant parts and not flash the irrelevant parts, such as radio if you have a different device with other bands.
VirtuaLeech gives an example in another thread on using fastboot: http://forum.xda-developers.com/showpost.php?p=69461892&postcount=76 with the -S flag which splits the transfer due to size limitations.
It can all probably sound really technical if you are new to this, so I strongly suggest you flash using Yota Flasher first, then read up on fastboot if you want
It does take a bit of reading, but using fastboot you can always restore your device to any rom you want, no matter if you brick it trying out new stuff.
The worst that could happen is that you will lose the data currently on the phone so you'll have to set it up from scratch, but at least fastboot will ensure that you can always reflash to a working rom.
This goes for more or less every device out there. Fastboot is a tool from Google, so it's pretty generic stuff
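Added example (not part of the thread and not Yota Devices' or the poster's code): a dry-run planner that reads a ROM zip laid out like the listing above and prints the fastboot commands for the top-level images while leaving everything under radio/ alone. Assumptions: each .img is flashed to the partition named by its file stem (the post does not list partition names), the `exclude` parameter and the 512M value passed to -S are illustrative, and the sample zip holds empty placeholder files.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File names copied from the zip listing in the post; contents are empty
# placeholders (constructed) so the example runs offline.
LISTING = [
    "5.0.0-RU1.1.124/emmc_appsboot.mbn", "5.0.0-RU1.1.124/userdata.img",
    "5.0.0-RU1.1.124/recovery.img", "5.0.0-RU1.1.124/boot.img",
    "5.0.0-RU1.1.124/system.map", "5.0.0-RU1.1.124/system.img",
    "5.0.0-RU1.1.124/cache.img", "5.0.0-RU1.1.124/radio/rpm.mbn",
    "5.0.0-RU1.1.124/radio/sbl1.mbn", "5.0.0-RU1.1.124/radio/tz.mbn",
    "5.0.0-RU1.1.124/radio/NON-HLOS.bin",
]

def sample_rom_zip():
    """Build an in-memory zip with the same member names as the listing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in LISTING:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

def flash_plan(zip_file, exclude=(), sparse_limit=None):
    """Return (commands, skipped) without running fastboot or touching a device.

    Assumes one top-level folder inside the zip, as in the listing, and that
    boot.img maps to partition "boot", system.img to "system", and so on.
    """
    commands, skipped = [], []
    with zipfile.ZipFile(zip_file) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue                          # directory entry
            rel = PurePosixPath(name).parts[1:]   # drop the top-level folder
            if len(rel) > 1 and rel[0] == "radio":
                skipped.append((name, "radio/baseband file"))
            elif len(rel) != 1 or not rel[0].endswith(".img"):
                skipped.append((name, "no partition mapping assumed"))
            elif rel[0][:-4] in exclude:
                skipped.append((name, "excluded by caller"))
            else:
                opts = f"-S {sparse_limit} " if sparse_limit else ""
                commands.append(f"fastboot {opts}flash {rel[0][:-4]} {name}")
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = flash_plan(sample_rom_zip(), exclude={"userdata"},
                               sparse_limit="512M")
    print("\n".join(cmds))
    for name, why in skipped:
        print(f"# skipped {name}: {why}")
```

The printed paths are relative to the directory the zip was unpacked into; review the skipped list before typing any of the commands.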
Wow that’s very helpful thanks!!
Although I am intrigued by this:
Amplificator said:
Or even easier, just put the zip on the internal storage, reboot to recovery and flash it that way.
To try this do I copy the file I want eg. from ftp://fw.ydevices.com/YotaPhone2/Firmwares/RU/ onto my yotaphone using Android File Transfer? Which directory should I put it in on the phone? Downloads?
nutsoboy said:
Wow that’s very helpful thanks!!
Although I am intrigued by this:
To try this do I copy the file I want eg. from ftp://fw.ydevices.com/YotaPhone2/Firmwares/RU/ onto my yotaphone using Android File Transfer? Which directory should I put it in on the phone? Downloads?
The zip file should be in the root of your internal memory and be named "update.zip" - without the quotes, of course.
Then you reboot into recovery by using volume down + power or volume up + power, again, I forgot which one boots into recovery and which one enters fastboot mode.
But in the recovery menu you get an option to do the usual stuff you see on all phones, such as factory reset, flash an update etc.
Just keep in mind what I wrote about the baseband which will be flashed by using this method. What you would do then is after flashing the zip you would reboot into fastboot mode and then flash the baseband/radio that fits your phone model.
Obviously everything is at your own risk and I don't promise anything.. yada-yada disclaimer .. but you need adb and fastboot set up first before attempting anything.
When adb is set up you can even reboot your phone straight into recovery by using "adb reboot recovery" for ease of use.
Things like "adb reboot fastboot" etc. also work.. but by reading about fastboot you will learn that stuff
Also, running "fastboot --help" will show you more options, such as the -S flag, unlocking bootloader, flashing recovery and all that stuff.
You can also sideload using adb which a Russian guy wrote on a Russian forum: https://translate.google.com/transl...topic=550302&st=6820#entry47048257&edit-text=
Amplificator said:
That file is part of the Visual C++ library so you can fix it by installing that.
64bit: https://www.microsoft.com/en-us/download/details.aspx?id=14632
32bit: https://www.microsoft.com/en-in/download/details.aspx?id=5555
OK so I now have yotaflasher working but next up I'm just getting 'waiting for device' while phone is showing 'downloading'.
Does this mean there is a problem with my USB drivers?
When I plug the live phone into USB the PC offers 4 choices: synchronise files/open to view files/sync digital media/take no action
I take this to mean USB driver is working...
nutsoboy said:
OK so I now have yotaflasher working but next up I'm just getting 'waiting for device' while phone is showing 'downloading'.
Does this mean there is a problem with my USB drivers?
When I plug the live phone into USB the PC offers 4 choices: synchronise files/open to view files/sync digital media/take no action
I take this to mean USB driver is working...
You just need to fix the adb driver.. driver issues are fairly common on Windows.
Check the other threads where this has been discussed already.. it's just one of the joys of using Windows
Do not blindly flash this device without knowing what you are doing. While the device is hard to brick in general, it is very easy for someone new to brick it by flashing the wrong partitions.
I will write a generalized tutorial that will cover the basics and hopefully make everyone feel better about flashing the device. At first I was skeptical but after understanding everything, I have to say it really isn't that bad, and I am here doing all the leg work for these fake 2gb (it's really 1gb ram) and 16gb hdd
OK I am going to try and put all of this information in one place because these units say android 10 or 10.1 but in reality cpu-z they are android 9 with api of 27 (will double check to be sure). This unit says it is 2gb ram but it is indeed 1024 MB (1 GB). I am not sure if the other custom firmwares dumps from 1gb yt9213aj models will work without problems on these yt9213aj units that say 2gb.
In order to try anything you need to first make a scatter file for your unit. I messaged the manufacturer of my unit for a firmware and they sent it. I unzipped it and looked at the scatter file and it is of a different formatting than one that comes from mtk droid tool.
So, mtk droid tool doesn't work with OS versions 9 or higher. It is the problem of adb. But we can follow this guide https://forum.xda-developers.com/t/...not-revealed-error-in-mtkdroid-tools.3582571/ and get it to work.
Once you have your device connected and recognized in droid tools you should first create the scatter file, as this is the most important step to do a full readback in SP flash tools.
Once you have a backup, you are in the clear for the most part. I am still trying to figure out how to backup preloader and etc if possible.
Now you will also need to connect some kind of wire or some small buttons taken from something disassembled. Just something that you can use as a mock button because there is no hardware button on the device for up/down and OK and you cannot use the touch buttons. So you need to short these traces while in recovery in order to get further.
The main point of this thread is to update the existing ones and to add tools and stuff needed in one location because it has taken me over 5 days to search for all of this, and I am still not done, so let's make it a little easier on the newcomers because the last thing we want to do is brick each others devices by using old outdated guides that don't fully work.
Flow chart of process: install mtk droid tools and sp flash tools ->enable oem debugging and oem unlock on device -> follow guide to get mtk droid tools to work -> get scatter file using mtk droid tools -> make a full readback in sp flash tools -> solder wires/buttons onto test points -> boot to fastboot and unlock bootloader -> fastboot flash recovery <image name> -> boot into recovery and install root and/or custom firmware.
Anyone more skilled knows any better?
This post is a WIP and will be updated periodically as I source information. The main idea behind this post is to bring all resources for yt9213aj in one spot. There is plenty of information, it's just very hard to navigate especially for someone new to flashing these devices, and even worse to someone who has never flashed any device
OK after trying what seems like 300 twrp's I finally found one that does work with this device. I think the main difference here is that the board is a new revision and some arch changes caused older version that were ported to not work. This one booted right into it but was in Russian, which is easily fixable within the twrp gui.
I will add all of these files to the op when I have collected everything.
I do not think that this version board I have has hifi? Maybe I am mistaken? I have an audio glitch at 19-20 when playing music, the sound will get louder and sound good for a fraction of a second then return to sounding ****ty. So I will look into this more. What sucks is that there are so many of the same **** that doesn't work for this model so it's like... I would rather gargle gasoline than have to sift through forums that were translated on the fly
Anyway here is the twrp for this particular device - https://www.dropbox.com/s/vogg7854a7ln2zu/twrp-9213aj.img?dl=0
EDIT: also you can boot to fastboot (adb reboot bootloader) and use fastboot getvar all to get factory partition sizes that's needed to create scatter file (you will need to use a hex calculator to create it, or wait for me to upload my scatter file once I have it done). You need to be making dumps in sp flash tool way before you are ever writing anything. Make plenty of readbacks and get to know how to read it before you write anything. Blindly flashing is not what you really want to do lol
Mtk drivers for pc
To install, you will need to disable signature verification and I had to turn on test signing as well
I have successfully rooted this thing. I did encounter something kind of strange though. When I patched the boot.img I had from the device and the one I got in ota update and patched with magisk. When I booted and checked the root with magisk it said there was an unsupported root using su already. It did this for both boot.imgs.
Anyone ever heard of this on stock firmwares? I am able to grant root permissions to busybox and etc so it seems to be working OK. Maybe the root that is there is the chinese root for backdoor tracking and surveillance xD
Wonder how to see what unsupported su commands are being sent?
EDIT: I also took a lot of pictures of the board. It is yt9213aj v1.2 board. I will update the original post in the next few days with everything needed for this model including testpoints etc. The test points are a little different but it's pretty much the same. The only two you need in the end are the two bigger ones (for unlocking bootloader) then you're set. You could drill some holes and run wire down to the trace and put some hardware buttons for the mcu to use to select things in fastboot and official recovery.
There is also another port/connector on this thing above the touch sensor board. I think we could buy a ribbon cable to connect here and run it to another board with hardware button. Actually I think the connector is for hardware buttons specifically but I don't know for sure. Must do more research
These things are rooted from the factory. When I try to use magisk it says there is another unsupported su. The Unsu.zip floating around cures that. Then you can install magisk.
Also another thing about these things being prerooted... I think you can dump and flash without any extra sp flash tools or mtkdroid. I was dumping the partitions using the adb pull function: "adb pull /dev/block/platform/soc/11230000.mmc/by-name/<insert partition name here>"
And
"/dev/block/mmcblk0pxx" where xx is the specific partition to read/write to.
I had got a scatter.txt in the ota update I obtained from the manufacturer which had all the partition layouts. I used this and a log from a failed supersu.zip install to create a scatter.txt for this particular device. The supersu log can be obtained by trying to flash the supersu zip in recovery, then in adb just pull the log file: "adb shell cat /tmp/recovery.log". Once you have this, you will have to use brain.exe to make your own scatter for sp flash tools.
All in all it's pretty easy to actually root the device, and they are actually rooted from the factory, most likely for some functions within the os to work (like surveillance and spying xD) but that can easily be removed with the unsu.zip then install magisk.
I will be writing up a guide for this specific model in a few more days. If you read this thanks for listening to the rumbling of a mad man
Just discovered another problem. When I try to edit anything in /system it says it's read only. Mounting or remounting it shows as successful with no errors, but something is blocking it from mounting as system. I am trying to rename this audio_effects.conf and it won't let me. I think it might be some proprietary code in the kernel designed to block mounting or remounting of certain or all partitions.
I think that a lot of them are software locked, like the fader and balance and volume level. Notice how some of these have glitches when turning the volume up and down. I think that there is some code that disables some functions of higher end units, depending on the model. If you buy a cheaper 100 dollar head unit, maybe it is indeed just software locked down.
I know for a fact the amp chip in my head unit, YD7388, spec sheet says 4 channel. But my device is only 2 channel, no fader. Also the spec sheet says it needs no output capacitor but mine has one I think (there is a huge capacitor soldered next to the chip). I have some pics of the board and test points and chip markers etc. Once I have everything ready I will make a nice guide
Wow I think I found the reason this thing outputs as 2 channel on 4 speakers. I need someone with a real 4 channel version to message me so I can get a few files for comparison. If this is the case, a simple magisk module would fix the fixed 2 channel problem we have. In the audio_policy_configuration.xml they have all output set as
XML:
<devicePort tagName="FM Tuner Out" type="AUDIO_DEVICE_OUT_FM" role="sink">
<profile name="" format="AUDIO_FORMAT_PCM_16_BIT"
samplingRates="44100" channelMasks="AUDIO_CHANNEL_OUT_STEREO"/>
</devicePort>
If you set AUDIO_CHANNEL_OUT_STEREO to multichannel, or maybe something like "AUDIO_CHANNEL_OUT_QUAD" as described in the official Android docs, I wonder if that would enable true 4 channel (or 5.1)?
If someone has a real 4 channel stereo and it is around the model of yt9213aj, then send me a message so we can collaborate. If you are not rooted do not worry I will help you
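Added example (not from the thread or from the head unit's firmware): a small audit that lists every output devicePort in an audio_policy_configuration.xml whose profiles offer nothing wider than stereo, which is the comparison the post asks for between a 2 channel and a 4 channel unit. The root element and every port except "FM Tuner Out" are constructed sample data, and whether widening a mask actually enables 4 channel output on this hardware remains the poster's open question.

```python
import xml.etree.ElementTree as ET

# Channel counts for Android output channel masks (names from the Android audio headers).
OUT_MASK_CHANNELS = {
    "AUDIO_CHANNEL_OUT_MONO": 1,
    "AUDIO_CHANNEL_OUT_STEREO": 2,
    "AUDIO_CHANNEL_OUT_QUAD": 4,
    "AUDIO_CHANNEL_OUT_5POINT1": 6,
}

# Constructed sample: the "FM Tuner Out" port is the one quoted in the post;
# the root element and the other three ports are made up for illustration.
SAMPLE_XML = """
<audioPolicyConfiguration>
  <devicePorts>
    <devicePort tagName="FM Tuner Out" type="AUDIO_DEVICE_OUT_FM" role="sink">
      <profile name="" format="AUDIO_FORMAT_PCM_16_BIT"
               samplingRates="44100" channelMasks="AUDIO_CHANNEL_OUT_STEREO"/>
    </devicePort>
    <devicePort tagName="Speaker" type="AUDIO_DEVICE_OUT_SPEAKER" role="sink">
      <profile name="" format="AUDIO_FORMAT_PCM_16_BIT"
               samplingRates="48000" channelMasks="AUDIO_CHANNEL_OUT_STEREO,AUDIO_CHANNEL_OUT_MONO"/>
    </devicePort>
    <devicePort tagName="Line Out" type="AUDIO_DEVICE_OUT_LINE" role="sink">
      <profile name="" format="AUDIO_FORMAT_PCM_16_BIT"
               samplingRates="48000" channelMasks="AUDIO_CHANNEL_OUT_STEREO,AUDIO_CHANNEL_OUT_QUAD"/>
    </devicePort>
    <devicePort tagName="Built-In Mic" type="AUDIO_DEVICE_IN_BUILTIN_MIC" role="source">
      <profile name="" format="AUDIO_FORMAT_PCM_16_BIT"
               samplingRates="48000" channelMasks="AUDIO_CHANNEL_IN_STEREO"/>
    </devicePort>
  </devicePorts>
</audioPolicyConfiguration>
"""

def widest_output(port):
    """Largest channel count any profile of this port offers; None if a mask is unknown."""
    widest = 0
    for profile in port.findall("profile"):
        for mask in profile.get("channelMasks", "").split(","):
            count = OUT_MASK_CHANNELS.get(mask.strip())
            if count is None:
                return None
            widest = max(widest, count)
    return widest

def stereo_limited_ports(xml_text):
    """(tagName, widest channel count) for every sink port that tops out at 2 channels."""
    limited = []
    for port in ET.fromstring(xml_text).iter("devicePort"):
        if port.get("role") != "sink" or not port.findall("profile"):
            continue  # inputs and ports without static profiles are not judged
        widest = widest_output(port)
        if widest is not None and widest <= 2:
            limited.append((port.get("tagName"), widest))
    return limited

if __name__ == "__main__":
    print(stereo_limited_ports(SAMPLE_XML))
```

Run it against the file pulled from each unit and compare the two lists; ports that appear only in the 2 channel unit's list are the ones worth diffing by hand.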