Editing Boot and Recovery .img ZTE Z3351S (MTK MT6739)
Editing Boot and Recovery .img ZTE Z3351S (MTK MT6739)
(01-12-2019, 03:11 PM)Victor1964 Hello folks, this is my first post here, but I am comfortable with command line operations, flashing, rooting. etc. Here's my issue.
I am trying to either get a systemless root using Magisk, or unlock my bootloader in spite of the fact that ZTE or QLink Wireless crippled the fastboot...
Preferraly, I'd like to get Fastboot working fully on stock bootloader so I can flash the original system back in case I mess up...and I do, a LOT! (The wife says...) Here's what I have done so far...
First the Specs:
ZTE Z3351S MTK 6739 salable
Android 9 SP 2019-07-05
64 bit ARMv8-A running 32 bit
BL: locked, Rooted: no, (Temp, see below,) BU Images: Yes, all but the user partition. (TOO big.)
I achieved a temporary root shell using the mtk-su method mentioned in this thread on XDA asked a few questions in the thread, tried a more permanent solution posted on P. 14 of that post which didn't work, then dd'ed an .img copy of every partition I found in /dev/block/by-name...well, all but that HUGE user partition.
Up until I made it to this point I have been (off and on) trying to get either EDL (or FTM, can't find much on this device about ANYTHING surrounding this,) or a working Fastboot terminal on my screen...the phone screen goes black and says "fastboot mode," but my terminal returns nothing on the fastboot devices command. I know adb works fine, been using it for the temp root shell.
In my research I have found this is a non-A/B device, Treble enabled, and (possibly, its hard to tell,) a fastboot-moved-to-userspace "unified" bootloader??
I've unpacked the boot.img and recovery.img, and that was odd too. The boot.img ramdisk is completely empty and the split_img file has a bunch of xxxx.img-(something.) i.e. -avbtype or -base. The recovery.img has a similar split_img file but the ramdisk is populated with the usual suspects.
When in Fastboot the device wont answer to fastboot devices, but a lsusb in the terminal shows "Mediatek Inc." I've tried soe unified commands, like: sudo adb reboot-fastboot, etc...but most of those just reboot back into the system...
HELP!!!! How do I, (and which files,) edit the kernel to let fastboot communicate?!? OR alternatively get to EDL mode??? I would like to Magisk a systemle root but don't wanna risk it if I can't recover from a bad flash or the dm-verity setting!
Thanks a LOT in advance, I've had this POS a month and this is as far as I've gotten...smdh!
(01-12-2019, 06:52 PM)Victor1964 Okay, did the suggested 3 times to make sure I was not messing up on any steps. The WWR_MTK tool is awesome! BUT the version I got was different from the version that was used for the Tut...but there was enough to get me on track...til I opened up the SPFlash Tool.
I used the scatter that WRT supplied, and input the appropriate info and when the readback happened I got this:
ERROR: STATUS_BROM_CMD_SEND_DA_FAIL(0xC0060003)
Not sure, but I have managed to get boot.img and recovery.img using the temp root, along with images of all the other partitions. I've also tried a few things with Miracle Box Thunder...I've also tried methods here to "build" a scatter file, but one thing or another fails almost every time...
Any more suggestions? I've managed to unpack both the boot and recovery images, so IF I change things in the init, init.rc, or the build.prop will the signature or sha change when I repack it and use it as an update.zip?
Thanks a LOT BTW....
(02-12-2019, 02:02 AM)X3nonThank You for this advise...I have been slowly coming to this conclusion.(01-12-2019, 06:52 PM)Victor1964 Okay, did the suggested 3 times to make sure I was not messing up on any steps. The WWR_MTK tool is awesome! BUT the version I got was different from the version that was used for the Tut...but there was enough to get me on track...til I opened up the SPFlash Tool.
I used the scatter that WRT supplied, and input the appropriate info and when the readback happened I got this:
ERROR: STATUS_BROM_CMD_SEND_DA_FAIL(0xC0060003)
Not sure, but I have managed to get boot.img and recovery.img using the temp root, along with images of all the other partitions. I've also tried a few things with Miracle Box Thunder...I've also tried methods here to "build" a scatter file, but one thing or another fails almost every time...
Any more suggestions? I've managed to unpack both the boot and recovery images, so IF I change things in the init, init.rc, or the build.prop will the signature or sha change when I repack it and use it as an update.zip?
Thanks a LOT BTW....
so fastboot commands isn't detecting your device even though its on fastboot mode, check device manager and ensure that the device is listed and the fastboot driver is properly installed. also ensure to use latest fastboot binaries; refer to https://www.hovatek.com/forum/thread-17105.html
about the error you get while trying to flash using SP flash tool, you'll most likely require a custom DA file in order to attempt flashing. None is available for now but you can try other zte da files listed @ https://www.hovatek.com/forum/thread-23537.html
any modification you make will alter the img files and in many cases, having a working DA file doesn't necessarily mean you'll be allowed to flash non-factory img files using sp flash tool. in this case, only fastboot will help that is assuming you are able to unlock bootloader
for now, i'll advice that you try to use fastboot first
(02-12-2019, 02:43 PM)Victor1964 Thank You for this advise...I have been slowly coming to this conclusion.
I have the image files for the recovery and boot partitions and have unpacked them in Android Image Kitchen, an while the ramdisk in the boot.img unpacked with nothing, the split_image was populated with files with names like boot.img-avbtype, or boot.img-base, etc...in the recovery.img split_image file there was the same image files AND the ramdisk.gz. The unpacked ramdisk (from recovery.img) file had the usual files ( sys, sys_root, data, etc...) , the init.rc, also a init init.recovery.mt6739.rc and a prop.default files that have files like .~lock.prop.default.
Not sure where to go from here. Can anyone hint me towards a way to enable the FULL bootloader fastboot? I really believe it's not being ported to the usb, because (In Linux Mint,) a terminal command to sudo lsusb shows the device connected as "Mediatek Inc."
I've tried every driver in Windows 7 AND Linux (even if Linux SHOULDN'T need that...) including the ones built on the phone.
I guess one other concern (for now) is will I be able to repack the whole boot.img and recovery.img files with the original verity signature intact and as an update.zip file. THIS part I THINK either Android Image Kitchen or Carliv's will work, just not sure there. And will my modding existing options in the init and init.rc will change them....
Thanks for taking the time for these long posts, I'm just wanting to explain the entire situation...I repair Linux and Windows systems for friends and online folks so understand the necessity of having as MUCH info as possible.
(03-12-2019, 02:49 AM)X3nonWOW!!! Thankyouthankyouthankyou....THANKS a lot.(02-12-2019, 02:43 PM)Victor1964 Thank You for this advise...I have been slowly coming to this conclusion.
I have the image files for the recovery and boot partitions and have unpacked them in Android Image Kitchen, an while the ramdisk in the boot.img unpacked with nothing, the split_image was populated with files with names like boot.img-avbtype, or boot.img-base, etc...in the recovery.img split_image file there was the same image files AND the ramdisk.gz. The unpacked ramdisk (from recovery.img) file had the usual files ( sys, sys_root, data, etc...) , the init.rc, also a init init.recovery.mt6739.rc and a prop.default files that have files like .~lock.prop.default.
Not sure where to go from here. Can anyone hint me towards a way to enable the FULL bootloader fastboot? I really believe it's not being ported to the usb, because (In Linux Mint,) a terminal command to sudo lsusb shows the device connected as "Mediatek Inc."
I've tried every driver in Windows 7 AND Linux (even if Linux SHOULDN'T need that...) including the ones built on the phone.
I guess one other concern (for now) is will I be able to repack the whole boot.img and recovery.img files with the original verity signature intact and as an update.zip file. THIS part I THINK either Android Image Kitchen or Carliv's will work, just not sure there. And will my modding existing options in the init and init.rc will change them....
Thanks for taking the time for these long posts, I'm just wanting to explain the entire situation...I repair Linux and Windows systems for friends and online folks so understand the necessity of having as MUCH info as possible.
i'm not sure why you are unpacking / repacking boot and recovery.img but it has nothing to do with fastbooot working or not. modifying the said files and making an update.zip will most likely fail because flashing a custom update.zip through stock recovery is not allowed. you'll only be allowed to flash the modified boot & recovery.img through fastboot
its worth noting that your device is using system-as-root, reason why you have an empty boot/ramdisk which in turn means you really cant modify boot.img
for fastboot issue, connect your device to the windows PC while its in fastboot mode then attach a screenshot of device manager
also run the command "adb version" in an open adb cmd window. this should verify if you're using the latest version