Hovatek Forum MOBILE Android Editing Boot and Recovery .img ZTE Z3351S (MTK MT6739)
Can't login? Please, reset your password.
Hovatek is recruiting! Apply Now


Editing Boot and Recovery .img ZTE Z3351S (MTK MT6739)

Editing Boot and Recovery .img ZTE Z3351S (MTK MT6739)

Victor1964
Victor1964
Victor1964
Enthusiastic Member
8
01-12-2019, 03:11 PM
#1



Hello folks, this is my first post here, but I am comfortable with command line operations, flashing, rooting. etc. Here's my issue. 
I am trying to either get a systemless root using Magisk, or unlock my bootloader in spite of the fact that ZTE or QLink Wireless crippled the fastboot...
Preferraly, I'd like to get Fastboot working fully on stock bootloader so I can flash the original system back in case I mess up...and I do, a LOT! (The wife says...) Here's what I have done so far...
First the Specs:
ZTE Z3351S MTK 6739 salable
Android 9 SP 2019-07-05
64 bit ARMv8-A running 32 bit
BL: locked, Rooted: no, (Temp, see below,) BU Images: Yes, all but the user partition. (TOO big.)
I achieved a temporary root shell using the mtk-su method mentioned in this thread on XDA asked a few questions in the thread, tried a more permanent solution posted on P. 14 of that post which didn't work, then dd'ed an .img copy of every partition I found in /dev/block/by-name...well, all but that HUGE user partition.
Up until I made it to this point I have been (off and on) trying to get either EDL (or FTM, can't find much on this device about ANYTHING surrounding this,) or a working Fastboot terminal on my screen...the phone screen goes black and says "fastboot mode," but my terminal returns nothing on the fastboot devices command. I know adb works fine, been using it for the temp root shell.
In my research I have found this is a non-A/B device, Treble enabled, and (possibly, its hard to tell,) a fastboot-moved-to-userspace "unified" bootloader??
I've unpacked the boot.img and recovery.img, and that was odd too. The boot.img ramdisk is completely empty and the split_img file has a bunch of xxxx.img-(something.) i.e. -avbtype or -base. The recovery.img has a similar split_img file but the ramdisk is populated with the usual suspects.
When in Fastboot the device wont answer to fastboot devices, but a lsusb in the terminal shows "Mediatek Inc." I've tried soe unified commands, like: sudo adb reboot-fastboot, etc...but most of those just reboot back into the system...
HELP!!!! How do I, (and which files,) edit the kernel to let fastboot communicate?!? OR alternatively get to EDL mode??? I would like to Magisk a systemle root but don't wanna risk it if I can't recover from a bad flash or the dm-verity setting!
Thanks a LOT in advance, I've had this POS a month and this is as far as I've gotten...smdh!
xerxes
xerxes
xerxes
Senior Member
8,355
01-12-2019, 04:31 PM
#2
(01-12-2019, 03:11 PM)Victor1964 Hello folks, this is my first post here, but I am comfortable with command line operations, flashing, rooting. etc. Here's my issue. 
I am trying to either get a systemless root using Magisk, or unlock my bootloader in spite of the fact that ZTE or QLink Wireless crippled the fastboot...
Preferraly, I'd like to get Fastboot working fully on stock bootloader so I can flash the original system back in case I mess up...and I do, a LOT! (The wife says...) Here's what I have done so far...
First the Specs:
ZTE Z3351S MTK 6739 salable
Android 9 SP 2019-07-05
64 bit ARMv8-A running 32 bit
BL: locked, Rooted: no, (Temp, see below,) BU Images: Yes, all but the user partition. (TOO big.)
I achieved a temporary root shell using the mtk-su method mentioned in this thread on XDA asked a few questions in the thread, tried a more permanent solution posted on P. 14 of that post which didn't work, then dd'ed an .img copy of every partition I found in /dev/block/by-name...well, all but that HUGE user partition.
Up until I made it to this point I have been (off and on) trying to get either EDL (or FTM, can't find much on this device about ANYTHING surrounding this,) or a working Fastboot terminal on my screen...the phone screen goes black and says "fastboot mode," but my terminal returns nothing on the fastboot devices command. I know adb works fine, been using it for the temp root shell.
In my research I have found this is a non-A/B device, Treble enabled, and (possibly, its hard to tell,) a fastboot-moved-to-userspace "unified" bootloader??
I've unpacked the boot.img and recovery.img, and that was odd too. The boot.img ramdisk is completely empty and the split_img file has a bunch of xxxx.img-(something.) i.e. -avbtype or -base. The recovery.img has a similar split_img file but the ramdisk is populated with the usual suspects.
When in Fastboot the device wont answer to fastboot devices, but a lsusb in the terminal shows "Mediatek Inc." I've tried soe unified commands, like: sudo adb reboot-fastboot, etc...but most of those just reboot back into the system...
HELP!!!! How do I, (and which files,) edit the kernel to let fastboot communicate?!? OR alternatively get to EDL mode??? I would like to Magisk a systemle root but don't wanna risk it if I can't recover from a bad flash or the dm-verity setting!
Thanks a LOT in advance, I've had this POS a month and this is as far as I've gotten...smdh!

Edl mode is meant for quallcomm cpu phones only, you’ll need to use sp flash tool to backup the phone’s firmware then patch boot and flashed the patched boot.
Follow the guide @ https://www.hovatek.com/forum/thread-21970.html to backup your phone’s firmware, let’s us know once successful.
Victor1964
Victor1964
Victor1964
Enthusiastic Member
8
01-12-2019, 06:52 PM
#3
Okay, did the suggested 3 times to make sure I was not messing up on any steps. The WWR_MTK tool is awesome! BUT the version I got was different from the version that was used for the Tut...but there was enough to get me on track...til I opened up the SPFlash Tool.
I used the scatter that WRT supplied, and input the appropriate info and when the readback happened I got this:
ERROR: STATUS_BROM_CMD_SEND_DA_FAIL(0xC0060003)

Not sure, but I have managed to get boot.img and recovery.img using the temp root, along with images of all the other partitions. I've also tried a few things with Miracle Box Thunder...I've also tried methods here to "build" a scatter file, but one thing or another fails almost every time...

Any more suggestions? I've managed to unpack both the boot and recovery images, so IF I change things in the init, init.rc, or the build.prop will the signature or sha change when I repack it and use it as an update.zip?

Thanks a LOT BTW....
X3non
X3non
X3non
Recognized Contributor
22,062
02-12-2019, 02:02 AM
#4
(01-12-2019, 06:52 PM)Victor1964 Okay, did the suggested 3 times to make sure I was not messing up on any steps. The WWR_MTK tool is awesome! BUT the version I got was different from the version that was used for the Tut...but there was enough to get me on track...til I opened up the SPFlash Tool.
I used the scatter that WRT supplied, and input the appropriate info and when the readback happened I got this:
ERROR: STATUS_BROM_CMD_SEND_DA_FAIL(0xC0060003)

Not sure, but I have managed to get boot.img and recovery.img using the temp root, along with images of all the other partitions. I've also tried a few things with Miracle Box Thunder...I've also tried methods here to "build" a scatter file, but one thing or another fails almost every time...

Any more suggestions? I've managed to unpack both the boot and recovery images, so IF I change things in the init, init.rc, or the build.prop will the signature or sha change when I repack it and use it as an update.zip?

Thanks a LOT BTW....

so fastboot commands isn't detecting your device even though its on fastboot mode, check device manager and ensure that the device is listed and the fastboot driver is properly installed. also ensure to use latest fastboot binaries; refer to https://www.hovatek.com/forum/thread-17105.html

about the error you get while trying to flash using SP flash tool, you'll most likely require a custom DA file in order to attempt flashing. None is available for now but you can try other zte da files listed @ https://www.hovatek.com/forum/thread-23537.html

any modification you make will alter the img files and in many cases, having a working DA file doesn't necessarily mean you'll be allowed to flash non-factory img files using sp flash tool. in this case, only fastboot will help that is assuming you are able to unlock bootloader

for now, i'll advice that you try to use fastboot first
Victor1964
Victor1964
Victor1964
Enthusiastic Member
8
02-12-2019, 02:43 PM
#5



(02-12-2019, 02:02 AM)X3non
(01-12-2019, 06:52 PM)Victor1964 Okay, did the suggested 3 times to make sure I was not messing up on any steps. The WWR_MTK tool is awesome! BUT the version I got was different from the version that was used for the Tut...but there was enough to get me on track...til I opened up the SPFlash Tool.
I used the scatter that WRT supplied, and input the appropriate info and when the readback happened I got this:
ERROR: STATUS_BROM_CMD_SEND_DA_FAIL(0xC0060003)

Not sure, but I have managed to get boot.img and recovery.img using the temp root, along with images of all the other partitions. I've also tried a few things with Miracle Box Thunder...I've also tried methods here to "build" a scatter file, but one thing or another fails almost every time...

Any more suggestions? I've managed to unpack both the boot and recovery images, so IF I change things in the init, init.rc, or the build.prop will the signature or sha change when I repack it and use it as an update.zip?

Thanks a LOT BTW....

so fastboot commands isn't detecting your device even though its on fastboot mode, check device manager and ensure that the device is listed and the fastboot driver is properly installed. also ensure to use latest fastboot binaries; refer to https://www.hovatek.com/forum/thread-17105.html

about the error you get while trying to flash using SP flash tool, you'll most likely require a custom DA file in order to attempt flashing. None is available for now but you can try other zte da files listed @ https://www.hovatek.com/forum/thread-23537.html

any modification you make will alter the img files and in many cases, having a working DA file doesn't necessarily mean you'll be allowed to flash non-factory img files using sp flash tool. in this case, only fastboot will help that is assuming you are able to unlock bootloader

for now, i'll advice that you try to use fastboot first
Thank You for this advise...I have been slowly coming to this conclusion. 
I have the image files for the recovery and boot partitions and have unpacked them in Android Image Kitchen, an while the ramdisk in the boot.img unpacked with nothing, the split_image was populated with files with names like boot.img-avbtype, or boot.img-base, etc...in the recovery.img split_image file there was the same image files AND the ramdisk.gz. The unpacked ramdisk (from recovery.img) file had the usual files ( sys, sys_root, data, etc...) , the init.rc, also a init init.recovery.mt6739.rc and a prop.default files that have files like .~lock.prop.default.

Not sure where to go from here. Can anyone hint me towards a way to enable the FULL bootloader fastboot? I really believe it's not being ported to the usb, because (In Linux Mint,) a terminal command to sudo lsusb shows the device connected as "Mediatek Inc."

I've tried every driver in Windows 7 AND Linux (even if Linux SHOULDN'T need that...) including the ones built on the phone.

I guess one other concern (for now) is will I be able to repack the whole boot.img and recovery.img files with the original verity signature intact and as an update.zip file. THIS part I THINK either Android Image Kitchen or Carliv's will work, just not sure there. And will my modding existing options in the init and init.rc will change them....

Thanks for taking the time for these long posts, I'm just wanting to explain the entire situation...I repair Linux and Windows systems for friends and online folks so understand the necessity of having as MUCH info as possible.
X3non
X3non
X3non
Recognized Contributor
22,062
03-12-2019, 02:49 AM
#6
(02-12-2019, 02:43 PM)Victor1964 Thank You for this advise...I have been slowly coming to this conclusion. 
I have the image files for the recovery and boot partitions and have unpacked them in Android Image Kitchen, an while the ramdisk in the boot.img unpacked with nothing, the split_image was populated with files with names like boot.img-avbtype, or boot.img-base, etc...in the recovery.img split_image file there was the same image files AND the ramdisk.gz. The unpacked ramdisk (from recovery.img) file had the usual files ( sys, sys_root, data, etc...) , the init.rc, also a init init.recovery.mt6739.rc and a prop.default files that have files like .~lock.prop.default.

Not sure where to go from here. Can anyone hint me towards a way to enable the FULL bootloader fastboot? I really believe it's not being ported to the usb, because (In Linux Mint,) a terminal command to sudo lsusb shows the device connected as "Mediatek Inc."

I've tried every driver in Windows 7 AND Linux (even if Linux SHOULDN'T need that...) including the ones built on the phone.

I guess one other concern (for now) is will I be able to repack the whole boot.img and recovery.img files with the original verity signature intact and as an update.zip file. THIS part I THINK either Android Image Kitchen or Carliv's will work, just not sure there. And will my modding existing options in the init and init.rc will change them....

Thanks for taking the time for these long posts, I'm just wanting to explain the entire situation...I repair Linux and Windows systems for friends and online folks so understand the necessity of having as MUCH info as possible.

i'm not sure why you are unpacking / repacking boot and recovery.img but it has nothing to do with fastbooot working or not. modifying the said files and making an update.zip will most likely fail because flashing a custom update.zip through stock recovery is not allowed. you'll only be allowed to flash the modified boot & recovery.img through fastboot


its worth noting that your device is using system-as-root, reason why you have an empty boot/ramdisk which in turn means you really cant modify boot.img

for fastboot issue, connect your device to the windows PC while its in fastboot mode then attach a screenshot of device manager
also run the command "adb version" in an open adb cmd window. this should verify if you're using the latest version
Victor1964
Victor1964
Victor1964
Enthusiastic Member
8
03-12-2019, 02:51 PM
#7
(03-12-2019, 02:49 AM)X3non
(02-12-2019, 02:43 PM)Victor1964 Thank You for this advise...I have been slowly coming to this conclusion. 
I have the image files for the recovery and boot partitions and have unpacked them in Android Image Kitchen, an while the ramdisk in the boot.img unpacked with nothing, the split_image was populated with files with names like boot.img-avbtype, or boot.img-base, etc...in the recovery.img split_image file there was the same image files AND the ramdisk.gz. The unpacked ramdisk (from recovery.img) file had the usual files ( sys, sys_root, data, etc...) , the init.rc, also a init init.recovery.mt6739.rc and a prop.default files that have files like .~lock.prop.default.

Not sure where to go from here. Can anyone hint me towards a way to enable the FULL bootloader fastboot? I really believe it's not being ported to the usb, because (In Linux Mint,) a terminal command to sudo lsusb shows the device connected as "Mediatek Inc."

I've tried every driver in Windows 7 AND Linux (even if Linux SHOULDN'T need that...) including the ones built on the phone.

I guess one other concern (for now) is will I be able to repack the whole boot.img and recovery.img files with the original verity signature intact and as an update.zip file. THIS part I THINK either Android Image Kitchen or Carliv's will work, just not sure there. And will my modding existing options in the init and init.rc will change them....

Thanks for taking the time for these long posts, I'm just wanting to explain the entire situation...I repair Linux and Windows systems for friends and online folks so understand the necessity of having as MUCH info as possible.

i'm not sure why you are unpacking / repacking boot and recovery.img but it has nothing to do with fastbooot working or not. modifying the said files and making an update.zip will most likely fail because flashing a custom update.zip through stock recovery is not allowed. you'll only be allowed to flash the modified boot & recovery.img through fastboot


its worth noting that your device is using system-as-root, reason why you have an empty boot/ramdisk which in turn means you really cant modify boot.img

for fastboot issue, connect your device to the windows PC while its in fastboot mode then attach a screenshot of device manager
also run the command "adb version" in an open adb cmd window. this should verify if you're using the latest version
WOW!!! Thankyouthankyouthankyou....THANKS a lot. 

Your suggestion on the correct version of fastboot did it. I remembered something I saw on XDA about some of the4 older versions of fastboot and adb not working correctly on some of the newer devices...I ignored it at the time, I installed then both system wide a while back and then ***-U-ME they will keep themselves up=to-dqate...not sure wth I was thinking tyhere.

Went back to XDA, found the newest versions, and viola...the old version of adb DID work, but the NEW version has more features (I think, more exploring on that later,) and the NEW fastboot, KABAM! Got it in fasboot devices!

Once again, THANKS for helping me along in my endeavour to remember to constantly keep things up-to-date...OH, and this POS I been working on with the wrong tools to begin with!
Users browsing this thread:
 1 Guest(s)
Users browsing this thread:
 1 Guest(s)
YtWhTl
live chat
whatsapp telegram instagram