Database Info

[ROOT + CWM + OC KERNEL + Ubuntu] ZTE V11A / V71A / v55 HC3.2

The information provided in this thread is no longer up to date, although useful troubleshooting information can be found for those having issues. For those who would prefer to have the most up-to-date versions of CM9, CM10 or ParanoidAndroid supported by an awesome developer, go here
WARNING: IF YOU UPDATE YOUR TABLETS TO THE LATEST v03 UPDATES OF THE OFFICIAL ROM, YOU WILL LOSE THE ABILITY TO ROOT IT USING THE SUPERBOOT METHOD AND IT WILL BECOME A HUGE PAIN TO RE-INSTALL CWM/CUSTOM ROMS. INSTRUCTIONS FOR THIS SITUATION ARE PRESENTED BELOW, BUT PLEASE KEEP THIS IN MIND AND TRY TO READ THE THREAD CAREFULLY BEFORE MAKING SUCH CHANGES.
For those who need it, you can find a nandroid backup of Vodafone Romania's stock ROM for the v71a, here
Hello friends. With great thanks to utkanos, Koush and mobilx we now have a public alpha CWM and root available on both the ZTE V11A and the V71A, also known as the SFR StarTab 7/10, Vodafone SmartTab 7/10, as well as Sprint's (ZTE) V55 with credits due to utkanos for porting CWM, mobilx for being arguably the most motivated searcher of the holy root grail, and PaulOBrien from modaco and his superboot solution. We also thank alterbridge86 and eldarerathis for their advice and support. Additionally, credits go to joe.stone for custom kernel with loop device support, OC, touched voltages and a few other goodies.
Also, for interested developers, I have made the source code of the kernel available in a more easily accessible fashion. The source code (3 parts, contains the source for both models) is available here:
Part 1, Part 2, Part 3.
INSTALLING CWM:
A new optimized version of CWM for 7"and 10" tabs has been put together by joe.stone. I will also keep utkanos' links available below for those who prefer his versions or wish to thank him for his early efforts in making our tablets awesome
joe.stone said:
For those who have troubles with cwm recovery (freeze while backup ) i have created a new version. Flashable from fastboot.
10" CWM Recovery
7" CWM Recovery
Credit goes to joe.stone.
Click to expand...
Click to collapse
joe.stone said:
If you updated your tablet ROM via OTA or updater exe and can no longer install CWM, follow the following instructions:.
In firmware v03b fastboot flash is disabled and from a running system flash_image will fail too.
Download the twrp recovery http://goo.im/devs/joestone/twrp/v71_recovery.img
download the twrp recovery zip flashable version too
http://goo.im/devs/joestone/twrp/V71A_TWRP.zip
download kernel #60
http://www.4shared.com/zip/tzrUo5_N/v7_kernel_60.html?
copy the two zip files to the sdcard
If you want flash kernel#60 then do the following:
adb reboot bootloader
the tablet will reboot and you will get only a blank screen . Be sure that the drivers are installed from windows update for the fastboot interface.
check it with : fastboot devices. If you get waiting for device the drivers are not installed.
fastboot boot v71_recovery.img
The twrp recovery comes up. Now you can install twrp by selecting install menu. Browse to the v71twrp.zip on the sd and install it. Now you have permanent twrp recovery.
now go back to install menu browse to the v7_kernel_60.zip and install it.
reboot and enjoy.
These are kernel #60 links for the other models :
Sprint Optik (V55)
http://www.4shared.com/zip/RTZrSXyV/v55_kernel_60.html?
SmartTab10 (V11A)
http://www.4shared.com/zip/PrW1TWHF/v10_kernel_60.html?
OR
You can flash cwm using adb , you need root rights .The best is when adbd is running in root mode (for eaxample kernel#60).
Download this :flash_image binary
then turn on usb debugging.
to flash cwm you need the following commands:
adb push CWMrecovery.img /data/local/tmp
(where cwmrecovery.img is the name of the cwm image file name.)
adb push flash_image /data/local/tmp
adb shell chmod 755 /data/local/tmp/flash_image
adb shell (you need # not $ for flashing , so if you got $ type su to get #)
cd /data/local/tmp
./flash_image /dev/block/mmcblk0p18 CWMrecovery.img
Dont forget to remove the install-recovery.sh file from /system/etc othervise it will install stock recovery at system start if it has not the stock recovery.
To revert the bootloader you need to flash NON-HLOS.bin"to "/dev/block/mmcblk0p1" and "emmc_appsboot.mbn" to "/dev/block/mmcblk0p7" from a previous version .
Click to expand...
Click to collapse
Utkanos' v11a version is here.
Utkanos' v71a version is here.
Credit goes to utkanos, mobilx and koush. I have also attached these files at the end of the post.
Also attached, is the original 7-inch stock recovery file, for users who may wish to return to stock and have not performed backup.
--> Plug your tablet into usb, launch a command line, and use "adb reboot bootloader"
--> Download the CWM Recovery image from the link that fits your device.
--> Place it into the adb/fastboot folder (I am assuming you have downloaded fastboot already from the link above, during the root procedure).
--> In the command line, navigate to that folder (use "cd <path>").
--> input the command "fastboot flash recovery <filename>".
--> Reboot into recovery mode (should be Power + Volume down).
--> You should now be in CWM Recovery, and can now attempt to perform a nandroid backup.
Also, in order to prevent a possible hang, you should:
--> Reboot the tablet into the Android OS;
--> Mount it through USB;
--> Go into the clockworkmod folder;
--> Create an empty file with no extension called ".hidenandroidprogress"
After a period of testing this will be submitted to the Koush's Rom Manager. Source code is also available herehere, linked from utkanos' post.
What works:
Nandroid backup/restore on internal sdcard
Battery stats wipe
Dalvik wipe
Cache wipe
etc.
What does not work so far:
USB mass storage
credits:
utkanos
Koush
Click to expand...
Click to collapse
Modified Kernel Available, all credits to joe.stone, give him thanks here:
joe.stone said:
Here it is.
There is a new kernel version available. The new version is #60 and flashable from cwm recovery .
Changelog :
-Revert GPU overclock
-Revert change of system audio files (because of bootloops on some devices after installation #55)
-Increased system volume on kernel level
-Changed VMALLOC_RESERVE=0x19000000 to VMALLOC_RESERVE=0x10000000
-Added Apple Magicmouse HID support
-Added Microsoft HID support
-Changed cpu minimum freq 345MHz to 432 MHz to avoid the black screen effect (the screen does not wake up , you have to reset )
V55_kernel_60.zip Hope will work fine on v55.
V7_kernel_60.zip
V10_kernel_60.zip
Click to expand...
Click to collapse
Also, Benny3 has put together a CWM-flashable ROM package for the V55 tablet, including Joe's kernel #60 and a number of useful goodies. You can thank him and download the package from here.
Both device (v71, v11) were migrated into one kernel tree , so they both use the same source. (In case of v71 it is much newer source)
The whole kernel source was updated from the v55 sources .
Now they are in cwm recovery flashable format , because this package updates the kernel modules too in /system/lib/modules and enables to use the agps and NTP server setting was corrected . It points to europe.pool.ntp.org instead of the test one . Now my tab finds position within seconds . With the new kernel for me it seems the touchscreen is much better , but as before I am waiting for the feedbacks. Other fixes include: Touchscreen sensitivity, USB Charging etc.
Installation :
download the zip file
copy it to your tab's internal storage
start the tab in clockworkmod recovery
select install zip from sdcard
select the file for your model
install
reboot
and stock kernel for 10" :
stock kernel[/QUOTE]
Finally, if you want to obtain a dump of boot.img, please consider the following advice, also by mobilx, here:
mobilx said:
It is a mmcblk device not mtdblock
dd if=/dev/block/mmcblk0p8 of=/sdcard/boot_backup.img
dd if=/dev/block/mmcblk0p18 of=/sdcard/recovery_backup.img
Click to expand...
Click to collapse
ROOTING:
mobilx said:
It is recommended that you skip these steps and proceed to flashing clockwork mod for your respective device from the start using fastboot, and from inside CWM install joe's kernel (or custom rom), which you can find below. Joe's kernels and rom already come with significant updates to stock Vodafone systems, and are pre-rooted.
We will use superboot to root. What does superboot do? It puts the SU binary and makes a 'insecure' kernel to be loaded temporarily on to the device through ADB remount. So it's only purpose is to make ROOT. After execution, you will still be on the stock kernel, only with root privileges.
This method is for the advanced users only who want to have root before we have a fully functional CWM running. With the CWM the root method will be easier.
IMPORTANT!
At this point we have no way to repair a broken device to a factory state. We can unroot and that is it. It is advisable do make dump of your rom before making any changes to the system. We are not responsible for any damage that can occur in the root process and after that.
What will you need?
--> Download Fastboot+Superboot.img from here.
--> Install ADB through the SDK, download from here, although the ADB included with the ZTE drivers should also work.
--> Install the ZTE drivers, you can find them here, although they should already be included on your device when first mounting it.
--> don't forget to enable USB debugging in the tablet's application settings.
--> Put the fastboot.exe and the superboot.img files in the working directory you will be running adb from (Default should be at "C:\Program Files\ZTE Handset USB Driver".
--> Open a Command Line (Start Menu > Run > CMD) and navigate to the working directory. (Use "cd C:\Program Files\ZTE Handset USB Driver" or alter the path accordingly).
--> Write the following commands withing the command line:
--> adb reboot bootloader
--> fastboot boot superboot.img
--> The device should now boot with the Superuser.apk installed and SU in the /system/xbin/su, as well as allowing you adb root commands. Now run the following:
--> adb remount
--> adb shell
--> ln -s /system/xbin/su /system/bin/su
--> You can now exit the ADB shell and reboot the tablet.
--> Install busybox from the market and check the SU binary version with the Superuser.apk - try to update. If it succeed you are done.
Credits:
sangemaru
utkanos
PaulOBrien from modaco and his superboot solution
Click to expand...
Click to collapse

Reserved for future posts

I have ZTE V11A aka Vodafone Smart Tab 10 in my possession
I'm very interested in obtaining root for this device, so if I can be of any help, please let me know.
I hope that whis device will gain more popularity in the near future, because of it's excellent hardware and low price.
Is there any progress going on with rooting this device?
P.S. Two more questions,
Has anyone found where to buy 40pin to hdmi cable/connector? (because you don't get one in the box)
Does any of you experience clock drift with your device after some time, mine is drifting forward about 20min per day with no automatic Network Sync.
Thank you.

assdksl said:
I have ZTE V11A aka Vodafone Smart Tab 10 in my possession
I'm very interested in obtaining root for this device, so if I can be of any help, please let me know.
I hope that whis device will gain more popularity in the near future, because of it's excellent hardware and low price.
Is there any progress going on with rooting this device?
Click to expand...
Click to collapse
Currently, me and mobilx are trying to put aside time to either:
obtain a dump of the boot.img that we can inject su and superuser.apk into;
compile the source code into a flashable rom that we can inject su and superuser.apk into;
get clockworkmod working on the device;
Due to time constraints, I haven't made much headroom this week, but I'm taking a couple of days off work and hope to make some progress.
P.S. Two more questions,
Has anyone found where to buy 40pin to hdmi cable/connector? (because you don't get one in the box)
Does any of you experience clock drift with your device after some time, mine is drifting forward about 20min per day with no automatic Network Sync.
Thank you.
Click to expand...
Click to collapse
Haven't looked for it, but so far accessories for this line of devices seem to be lacking. With the popularization by Vodafone and the launch of the new Sprint V55 and similar tablets, these accessories should become more popular.
I haven't had any problems with the time on my device, sounds really weird.

assdksl said:
Does any of you experience clock drift with your device after some time, mine is drifting forward about 20min per day with no automatic Network Sync.
Click to expand...
Click to collapse
Clock drift is happening due to Network-provided time setting. Im not sure what is causing this. It could be related to a Vip network or a failure of a process which obtains time from the network. If you want this not to happen just untick that option in settings.

Thank you both for quick answering my questions.
mobilx said:
Clock drift is happening due to Network-provided time setting. Im not sure what is causing this. It could be related to a Vip network or a failure of a process which obtains time from the network. If you want this not to happen just untick that option in settings.
Click to expand...
Click to collapse
Yes, indeed, but when I untick sync with Network-provided time, clock is ticking faster then it should.
It seems that clock chip on my device is not calibrated well or there is some other bug, it seems that it is HW issues... this is little more explained here:
http://blogs.keynote.com/mobility/2...wrist-watch-android-doesnt-keep-the-time.html
It seems that I was unfortunate and get device with bad clock, also without root I'm unable to use ClockSync app that will solve my problem.
But what is bugging me, is the fact that I also have SGS I9000, and it is synchronizing with Vip network just fine.
Mobilx are you experiencing time drift issue with network-provided time sync, but with manual time settings it is working fine?
sangemaru said:
Currently, me and mobilx are trying to put aside time to either:
obtain a dump of the boot.img that we can inject su and superuser.apk into;
compile the source code into a flashable rom that we can inject su and superuser.apk into;
get clockworkmod working on the device;
Due to time constraints, I haven't made much headroom this week, but I'm taking a couple of days off work and hope to make some progress.
Click to expand...
Click to collapse
I am a software developer, and I have some Android programming knowledge, but I'm not experienced much with Linux and compiling flashable Roms, but I can try In any case, if I can help, just let me know.

assdksl said:
Mobilx are you experiencing time drift issue with network-provided time sync, but with manual time settings it is working fine?
Click to expand...
Click to collapse
Yes it happend to me once. First I unticked the network-provided time sync and after restart I ticked it again. The clock is fine since than.

assdksl said:
I am a software developer, and I have some Android programming knowledge, but I'm not experienced much with Linux and compiling flashable Roms, but I can try In any case, if I can help, just let me know.
Click to expand...
Click to collapse
Well, so far what possible leads we have that I can think of are these:
mobilx suggested this thread http://forum.xda-developers.com/showthread.php?t=443994 for packing/unpacking boot.img
to quote Alterbridge of Team Overcome: "I presume the ZTE tablet uses boot.img format for its kernels, in which case you can extract the initramfs using mkbootimg (there are a number of scripts floating around). from there you can modify whatever you want in the initramfs and then repackage the boot.img and be on your way."
eldarerathis gave me some more instructions: "You basically need to extract the ROM's zip and add su/Superuser in the proper folders (su in /system/bin, Superuser in /system/app). You'll probably also have to look at the updater-script and add something to give su executable permission. It's usually something like 'set_perm(0, 0, 6755, "/system/bin/su");' that you need to add. The updater-script should be in the zip under /META-INF somewhere."
These are some of the useful bits of advice I received that could probably be put to good use when I have some free time. If you feel that anything is helpful, feel free to try it out.

sangemaru said:
Well, so far what possible leads we have that I can think of are these:
mobilx suggested this thread http://forum.xda-developers.com/showthread.php?t=443994 for packing/unpacking boot.img
to quote Alterbridge of Team Overcome: "I presume the ZTE tablet uses boot.img format for its kernels, in which case you can extract the initramfs using mkbootimg (there are a number of scripts floating around). from there you can modify whatever you want in the initramfs and then repackage the boot.img and be on your way."
eldarerathis gave me some more instructions: "You basically need to extract the ROM's zip and add su/Superuser in the proper folders (su in /system/bin, Superuser in /system/app). You'll probably also have to look at the updater-script and add something to give su executable permission. It's usually something like 'set_perm(0, 0, 6755, "/system/bin/su");' that you need to add. The updater-script should be in the zip under /META-INF somewhere."
Click to expand...
Click to collapse
Thank you, I will do some reading for a start.
We are sure that bootloaders are unlocked?
sangemaru said:
Currently, me and mobilx are trying to put aside time to either:
obtain a dump of the boot.img that we can inject su and superuser.apk into;
compile the source code into a flashable rom that we can inject su and superuser.apk into;
get clockworkmod working on the device;
Click to expand...
Click to collapse
Did you consider getting clockworkmod working in more details? Is it simpler then above method?
I have found this article regarding putting clockwork mode to new devices, I just read it briefly...
http://www.koushikdutta.com/2010/10/porting-clockwork-recovery-to-new.html

assdksl said:
Thank you, I will do some reading for a start.
We are sure that bootloaders are unlocked?
Did you consider getting clockworkmod working in more details? Is it simpler then above method?
I have found this article regarding putting clockwork mode to new devices, I just read it briefly...
http://www.koushikdutta.com/2010/10/porting-clockwork-recovery-to-new.html
Click to expand...
Click to collapse
That's fine. We have a dev utkanos who agreed to build the CWM for our device. He is very experienced in this stuff. The only way to build a proper CWM is to get a boot.img dumped or extracted from a leaked ROM.
So what we need to do:
Get root via some exploit (there is none for 3.2 HC yet) , dump boot.img and build CWM, flash CWM with fastboot, or
Find leaked ROM , extract boot.img, build CWM, flash CWM with the fastboot, root device with Update.zip
Yes the fastoboot is working and the bootloader is unlocked.
I have tried these exploits so far:
GingerBreak
psneuter
zergRush
Also I have tried:
Acer iconia 100 method ADB
Acer iconia 500 method
All ideas are welcome.

Ladies and gentleman the ROOT is here Device is successfully rooted with the superboot method.
Thanks to my friend sangemaru who made this possible.
Expect CWM soon. utkanos is working on it.
Need some testing, before this goes to public

That's great news mobilx! Looking forward to a root and ICS sometime in the future

Congrat`s guys,nice work and many thanks from all users.
This is a beginning of a beautiful friendship with SmartTab
We expect nice custom roms and maybe in a short time and ICS rom for this excellent tablet.
If I or we (other members) can help with something,please,let us know,i dont know programming but i can use Paint (just kidding)

Jeeej!!! I'm looking forward to it!

Ok lets roll
While we are waiting for CWM to be build we can root ZTE V11A/V71A aka Vodafone SmartTab 10/7 with the superboot.
What the superboot does? It puts SU binary and makes a 'insecure' kernel to be loaded temporally on to device( ADB remount). So it's only purpose is to make ROOT. After reboot you are on your old kernel but with the root.
This method is for the advanced users only who want to have root before we build a CWM. With the CWM the root method will be easier.
IMPORTANT!
At this point we have no way to repair a broken device to a factory state. We can unroot and that is it. It is advisable do make dump of your rom before making any changes to the system. We are not responsible for any damage that can occur in the root process and after that.
What we need?
ADB installed through SDK
Zte drivers installed --> debugging ticked in options
fastboot + superboot.img --> Put files in the adb working dir
>adb reboot bootloader
>fastboot boot superboot.img
Device should boot with Superuser.apk installed and SU in the /system/xbin/su.
>adb remount
>adb shell
#ln -s /system/xbin/su /system/bin/su
Install busybox from the market and check the SU binary version with the Superuser.apk - try to update. If it succeed you are done.
#exit
$exit
>adb reboot
Device will reboot with the stock kernel but rooted.
Credits:
sangemaru
utkanos
PaulOBrien from modaco and his superboot solution

Thx mobilx! Hvala

All it's OK
It's working also on v71a.......LOL
10x man

urs71 said:
It's working also on v71a.......LOL
10x man
Click to expand...
Click to collapse
I can also confirm this working on 7 inch

urs71 said:
It's working also on v71a.......LOL
10x man
Click to expand...
Click to collapse
jakaka said:
I can also confirm this working on 7 inch
Click to expand...
Click to collapse
That is great guys. sangemaru will be very happy because he owns A71A
So you can confirm that it boots and the touchscreen is working? That means the kernel is the same for those two variants.

V17A
YES, all work perfectly...........setcpu, blackmarkt,root uninstaller, lucky patcher, etc
The only differences between v11a and v71a is the size of the display
we are wating for CWM..........10x again
v71a

[TOOL] KDZ Writer

Tool for writing portions of KDZ files to LG devices. As long as KDZ files for the particular device are available and LGE doesn't change the format in an incompatible fashion, this will handle upgrades. Presently this tool targets the format as is used with UFS devices. The LG G5 and LG V20 are examples; the G6 and V30 may turn out to be compatible.
KDZ files are available for several LG V20 variants. Notably H918TN (US T-Mobile), H990 (non-US single-SIM), H990DS (non-US dual-SIM), H990N (Korea dual-SIM), US996 (US unlocked), and VS995 (US Verizon).
The primary goal of this tool is updating /system and /firmware, though updating other areas is in theory possible.
XDA:DevDB Information
KDZ Writer, Tool/Utility for the LG V20
Contributors
emdroidle
Source Code: https://github.com/ehem/lg-v20-tools
Instructions
Boot into TWRP. Upload an appropriate KDZ for your phone somewhere on your phone. This can be on a SD card, since all known KDZ files are just under 3GB even TWRP's in-memory filesystem is sufficient. Download(the Downloads tab, above), and upload kdzwriter to your phone:
Code:
adb push kdzwriter.gz /
Then in a shell (`adb shell`):
Code:
gunzip -c /kdzwriter.gz >/sbin/kdzwriter
chmod 755 /sbin/kdzwriter
[STRIKE]umount /system
ln -s /sbin /system/bin[/STRIKE]
The `umount` command may give an error. If you're on TWRP 3.0.2-1 /system won't have been mounted and you'll get "invalid argument"; if you get an error saying "busy" there is a problem. If using version 1.95 or later, the second two commands are unnecessary.
From here you can invoke `kdzwriter` with various arguments to write /system and /firmware:
-v
Increase verbosity. At lower levels not too much is added, at level 3 `kdzwriter` starts gushing debugging information.
-r
Report mode, tells you about how the chunks in the KDZ file match your phone.
-t
Test mode, tells you whether `kdzwriter` has decided the KDZ is an appropriate match for your phone (safety check). If used with other options, `kdzwriter` will run through the write procedure and tell you whether all the steps succeed.
-a
Write areas known safe to apply to the device. As of right now this is /system, /firmware and /cust. (equivalent to -s -m -a)
-s
Write /system. If you only want to update /system, this is the option for you. By default -s will attempt to preserve the kernel modules present on /system and overwrite the ones on the new /system image with those. This is appropriate if you've installed a custom kernel.
-M
Disables preserving kernel modules from the current /system. If you've got a stock kernel you want this option. If /system has been corrupted, this also avoids mounting /system and ensures -s succeeds.
-m
Write /firmware (aka modem).
-c
Write /cust. Some files of these files appear related to VoLTE. I'm unsure whether they're critical or optional. One (seemingly harmless) error message generated when switching regions can be avoided by writing this area.
-k
Write boot (/dev/block/bootdevice/by-name/boot). If you're opting to stay with the stock kernel then you'll want this option. This can also be used to recover from a failed Magisk/SuperSU/Superuser installation.
-P
GPT restoration mode. If a "ROM" has modified the GPTs this will attempt to restore them closer to stock. There are plans to have LineageOS do just this, so I wanted to be prepared to return to stock.
-R
Modified GPT restoration mode. "userdata" is moved closer to the begining of the device potentially allowing additional data to be merged without needing to wipe.
The most common invocation will be `kdzwriter -a <some location>/<KDZ_for_your_device>.kdz`, as noted you can use "-at" to simulate the process and confirm no errors occur.
The -b option has been allocated, but are not yet implemented. A deliberate attempt to minimize flash wear has been made. Blocks will not be rewritten if possible. Empty areas will be discarded/TRIMed.
`kdzwriter` attempts to preserve some files when writing areas. When writing /system unless -M is specified, `kdzwriter` will attempt to preserve kernel modules. When writing /cust, `kdzwriter` attempts to preserve "official_op_resize.cfg" (see GPT restoration mode for details). There are plans for v2.0 to try to preserve the contents of "open_path_mapping.cfg" and "op_list.cfg".
If you get an error message about "Failed while writing /system, major problem, PANIC!" this is most likely to be caused by a corrupt KDZ file. In this case retrying the download is the most likely solution.
Apparently for some devices/KDZ files it is necessary not to skip too many revisions. Notably going from H990N version 10b to version 10o does not work; instead you need to do 10b -> 10e ->10o. This hasn't yet been observed on other devices, but beware big skips can fail.
GPT Restoration mode
There are plans to have a future version of LineageOS hack off a piece of /system to utilize as /vendor. This is reasonable for LineageOS (or another "ROM"), but a problem if you desire to return to stock. As such v1.95 has been brought out which features the ability to restore the GPTs.
Crucial item: In the interest of safety this operation demands a KDZ which is a better match for your device! You will need to use a KDZ file matching what your device was at when you initially rooted! (H990ds10b* or so for most devices)
You can confirm whether a given KDZ is appropriate using the "-t" option. If `kdzwriter -t <someKDZfile>.kdz` gives the message "KDZ appears applicable to this device" then kdzwriter will not use that file for this operation, that command must give the output "KDZ appears applicable to this device and matches original" in order to be acceptable for this operation.
On the H990 some space is stolen from userdata for use as /OP. Everything in /OP appears to be bloatware, but since I'm trying to make it possible to go back close to stock, I've got to do something about /OP. The size of /OP is controlled by the file "/cust/official_op_resize.cfg". As I didn't have a better way of handling it, I simply grab the first line and use that. If /cust is unavailable (hasn't been restored?) a size of 0 will be assumed. If a size of 0 is found, `kdzwriter` will wipe the slice^Wpartition and the space will in fact end up as part of /data (hint, hint).
Important note: Since the normal order is system, cache, cust, OP then userdata, modifying the size of /OP will require wiping /data!
The -R option restores a modified GPT. The modified GPT mode tries to reorders the slices^Wpartitions as userdata, OP, cust, system, cache. The theory is that if cust isn't needed in LineageOS, cust could be removed from the GPT and the space merged into userdata. Since userdata is then first, it could be enlarged without the need to wipe and restore.
Examples
I expect by far the most common usage to be `kdzwriter -a <somekdz>.kdz`, but as typed there extra flags for certain situations:
Recovering from bad flash attempt -sM
If there was a problem when attempting to write /system there is a decent chance it won't be possible to mount /system for saving kernel modules. In this case using `kdzwriter -sM <somekdz>.kdz` is your need. This skips mounting /system at the cost of being unable to preserve kernel modules, you will need to reinstall whatever kernel you were using.
Partial unrooting -k
If you want to switch between Magisk, SuperSU, and Superuser this is your need. `kdzwriter -k <somekdz>.kdz` overwrites the boot/kernel area with the image from the KDZ file. Your next step will likely be to reinstall whatever kernel you were using. Afterwords all traces of a systemless install will have been wiped and you can install a different `su` implementation.
Going mostly back to stock -ak
For owners of the V20s where the stock kernel works, you can use a combination of these two options to update /system and to a newer kernel (you don't want to be hit by DirtyCOW). After doing this you'll need to reinstall whichever `su` implementation you were using.
Version Information
Status: Stable
v1.98a
Identified which check was preventing installation of 20a KDZ files. That is now disabled. There is also a force option which will override the safety check, but please be careful. That safety check was written to try to make it hard to generate bricks...
v1.98
Implemented modified GPT restoration mode. This mode reorders the slices^Wpartitions during restoration. This allows for potentially merging more space into /data without needing to wipe /data again.
v1.95
Found the appropriate compiler flag for setting the runtime linker. Thanks to the TWRP folks, kdzwriter is now a bit easier to use.
Implemented GPT restoration mode. This allows for restoring modified GPTs back to stock. This is valuable if a "ROM" has modified the GPTs. Given how there are plans to have LineageOS do just that, I'm figuring a number of people may be rather interested in this feature.
v1.3
Fixed testing for whether a KDZ is applicable to the device. This should merely be a safety precaution, but I need it there so I don't get fingers pointed my way on failure.
Finally tracked down the issue with kernel module preservation. This is a really stupid bug. There should no longer be any need to reinstall modified kernels after updates!
v1.2
Added additional debugging information around calls to Zlib. There has been a report of difficulty around Zlib so extra information is available. Some of this is only available at verbosity level 3 though.
Created 2017-07-31
Last Updated 2019-01-02
v1.2
MD5: 49b06410f8f90606f9829cc8ff8ed82a
SHA1: ce1f84f579c94e788539e462febc2f2e293a64ff
SHA512: 47a94ae6c6d1157dd406319d2d44ba72c9f954c3f0ad6b892eafbb818d01a7bf9c14b0a9f01ab6f092c07537d3273f8981b83c80ebf67f2cf9e33c26f8838ad3
v1.3
MD5: a412c7fe58722b6e63560c5074bc59b7
SHA1: 8e7e1fbd2edef0ff10516c57a84b642a1a92a758
SHA512: a5b9d3a66bf4237138264a5756f1637ba849a3aeb78d935e0fe6033486de41ad56a0ca5c62b3d94546fd2b4fe86e9edf7958e80481f1f10ef7ef2b6b562a412a
v1.95
MD5: 5f8797b5829ca5a919d1d685404a2726
SHA1: 62d7476ec50a2ea3a682b86654dd1ddc03da0c24
SHA512: ee717f3803e43862dc6faac3788e16267d9661bf98f8fdeebedd6b871dcd4cadb7dc4ee5208dc6072f5f7ba44e46440a759425536a354b530584f824570283c7
v1.98
MD5: 7dfee90d7e0711f5742b94efb81a8b18
SHA1: f020345935b078ebc336e88e3b0623e0792f71ad
SHA512: 71e82f535d33cc64fe023425db0b6d924c6d11677b04843628a9c6ca90cc6700d0a6c5e868c964e31d54f7d3c835d9ecd3b6c33108926da29e75e3be3e1456b2
v1.98a
MD5: 31f207a865b453472271eed29544833e
SHA1: 42ab0486cfc100b52dde9c6bac9bca684eccfde2
SHA512: fe127bece0e25ae4927f3499d708d1533b5fe0a00513de9cb8565ffc24b3e4ee08e9000d828a0177feb4b3b449137836b63cda72cf178b5cd67ae377997a1d37

@emdroidle I'm getting "permission denied" from KDZWriter when I execute the kdzwriter -a /external_sd/H990_something.kdz command in TWRP Terminal. I noticed that I can't umount /system either, it says it's an invalid argument?
Would this be something to do with the locking of /system I read about earlier? I did try manually mounting /system in TWRP before trying anything too, but that doesn't seem to have helped at all.
I've also tried doing mount -o rw,remount,rw /system
I'm running rooted 10C-TWN firmware with Magisk (interestingly, phone will flat out refuse to boot if I flash SuperSU, so Magisk it is). When I go to install Magisk it says "mounting /system" with no problems at all

Thanks very much for your work.
Iam confused about the instructions im not very familiar with adb shell . can you please elaborate more the steps for easy running of kdzwriter. thank you and let me tell you that you are awesome

Where is kdzwriter.gz? No attachment? Works kdzwriter from Dirty Santa thread?

i am getting kdzwriter: permission denied

iDefalt said:
I'm running rooted 10C-TWN firmware with Magisk (interestingly, phone will flat out refuse to boot if I flash SuperSU, so Magisk it is). When I go to install Magisk it says "mounting /system" with no problems at all
Click to expand...
Click to collapse
My first attempt to install Magisk failed, "Unable to repack ramdisk". At which point I had a problem. Suddenly the "-k" option came into existence and a retry succeeded.
iDefalt said:
@emdroidle I'm getting "permission denied" from KDZWriter when I execute the kdzwriter -a /external_sd/H990_something.kdz command in TWRP Terminal. I noticed that I can't umount /system either, it says it's an invalid argument?
Would this be something to do with the locking of /system I read about earlier? I did try manually mounting /system in TWRP before trying anything too, but that doesn't seem to have helped at all.
I've also tried doing mount -o rw,remount,rw /system
Click to expand...
Click to collapse
Okay, I guess I'm not that great at writing instructions. The added `chmod` will fix the "permission denied" error.
The `umount` is more an issue if you've updated to TWRP 3.1.1-0 which does successfully mount /system, whereas TWRP 3.0.2-1 didn't. The "invalid argument" is saying it isn't mounted and you can simply proceed. It is a problem if it says "busy". In this case you would get an error "Failed mounting system for kmod saving: <message>", then "kdzwriter: Failed while reading kernel modules" and `kdzwriter` wouldn't proceed.
Also replace "/external_sd/H990_something.kdz" with the filename/where you installed it (did you really rename the KDZ file to H990_something.kdz?).
dadme said:
Where is kdzwriter.gz? No attachment? Works kdzwriter from Dirty Santa thread?
Click to expand...
Click to collapse
Notice the "Download" tab at the top of this thread?

does anyone have the link to TWRP 3.1.1-0 for the h990ds? My device didn't seem to like the command 'kdzwriter -a /external_sd/H990ds10f_00_OPEN_TW_DS_OP_0622.kdz' I received the error "Failed while writing /system, major problem, PANIC!" . It's in a bootloop now should have run '-at' first!
second attempt...
You have to try harder than that message to make me panic
i figure my 10f kdz must be corrupt, so tried 10e
kdzwriter -a /external_sd/H990ds10e_00_OPEN_TW_DS_OP_0517.kdz
errors recieved were:
Failed mounting system for kmod restoring: Invalid argument
kdzwriter: Failed while restoring kernel modules, recommend kernel reinstall!
I reinstalled the kernel. Not sure what the kmod error means?
Anyway android upgraded and works a charm. Didn't fix my camera focus issue but i guess that must be down to the kernel.
Thanks for this awesome tool emdroidle, are you taking donations?

Sorry, Emdroidle i use classic theme, so download tab is not visible. Can use this TWRP https://forum.xda-developers.com/v20/development/recovery-twrp-3-1-0-0-touch-recovery-t3603760, elsa version? TWRP can be updated from TWRP 3.0.2.1 or from fastboot?
Got this on 10f H990DS TWN,
Failed mounting system for kmod restoring: Invalid argument
kdzwriter: Failed while restoring kernel modules, recommend kernel reinstall!
Finished rewrite of system area
Begining rewrite of modem area
ooo...ooo.oooooooo.ooooo...oooooooo.o*
Finished rewrite of modem area

dadme said:
Sorry, Emdroidle i use classic theme, so download tab is not visible. Can use this TWRP https://forum.xda-developers.com/v20/development/recovery-twrp-3-1-0-0-touch-recovery-t3603760, elsa version? TWRP can be updated from TWRP 3.0.2.1 or from fastboot?
Got this on 10f H990DS TWN,
Failed mounting system for kmod restoring: Invalid argument
kdzwriter: Failed while restoring kernel modules, recommend kernel reinstall!
Finished rewrite of system area
Begining rewrite of modem area
ooo...ooo.oooooooo.ooooo...oooooooo.o*
Finished rewrite of modem area
Click to expand...
Click to collapse
Either TWRP should work, just there is a small behavior difference. TWRP 3.0.2-1 has a small bug and never manages to mount /system; while TWRP 3.1.1-0 does manage to mount /system. With 3.0.2-1 the `umount /system` can be skipped, with 3.1.1-0 that command needs to be run before /system is upgraded.
Mars104 said:
does anyone have the link to TWRP 3.1.1-0 for the h990ds? My device didn't seem to like the command 'kdzwriter -a /external_sd/H990ds10f_00_OPEN_TW_DS_OP_0622.kdz' I received the error "Failed while writing /system, major problem, PANIC!" . It's in a bootloop now should have run '-at' first!
second attempt...
You have to try harder than that message to make me panic
i figure my 10f kdz must be corrupt, so tried 10e
kdzwriter -a /external_sd/H990ds10e_00_OPEN_TW_DS_OP_0517.kdz
errors recieved were:
Failed mounting system for kmod restoring: Invalid argument
kdzwriter: Failed while restoring kernel modules, recommend kernel reinstall!
I reinstalled the kernel. Not sure what the kmod error means?
Click to expand...
Click to collapse
Well seeing that "PANIC" message means something rather problematic occurred, and the state of /system is Bad(tm).
"kmod" is short for "kernel module". The Linux kernel has the capability to load/unload extra bits of code (generally drivers) while the kernel is running. These are specific to the particular kernel and trying to load modules for the wrong kernel could fail or cause problems.
I was surprised to learn the Bluetooth and FM Radio drivers are modules, as well as the exfat filesystem is a module. The userspace portion of talking to the Bluetooth chip won't load unless it successfully loads "brcm_bt_drv.ko" into the kernel.
The kernel modules are located in /system/lib/modules. When writing /system, `kdzwriter` first tries to mount /system and save copies of the modules. Once /system has been rewritten it tries to restore them. If either of those steps fails, there is need to reinstall the kernel since the modules on /system will match LG's stock kernel, not the static-fixed kernel I built.
Mars104 said:
Thanks for this awesome tool emdroidle, are you taking donations?
Click to expand...
Click to collapse
Well I don't send them back.

emdroidle said:
The added `chmod` will fix the "permission denied" error. (did you really rename the KDZ file to H990_something.kdz?).
Click to expand...
Click to collapse
Haha no mate I didn't, was just using the name for the KDZ from your example
Just wanted to say thanks as well. Used your tool with the updated instructions. Booted into TWRP, plugged into PC, used ADB from Command Prompt to do the whole thing. Went perfectly. It gave me a line when it was done about recommending a kernel re-install, so once the tool was finished I re-flashed the H990 kernel zip from your other thread, Magisk, the latest Aroma GAPPS package, and then rebooted. After the optimization process, I'm now on V10F-TWN with a patch date of 1st June, and rooted.
It's a touch of a process to get to this point, but if you follow everything properly to the letter, it works. Cheers mate.

i rename my kdz into "some.kdz" i run kdzwriter -at /external_sd/some.kdz itsays : Next chunk starts beyond end of file, Failed to open KDZ file, aborting what does this mean thank you

iDefalt said:
Haha no mate I didn't, was just using the name for the KDZ from your example
Click to expand...
Click to collapse
Okay, fine. I just wanted to make sure since there are people who don't realize you're supposed to adapt the name and complain when things don't work. Just one of those things that makes one go wait-a-minute...
kuachi00 said:
i rename my kdz into "some.kdz" i run kdzwriter -at /external_sd/some.kdz itsays : Next chunk starts beyond end of file, Failed to open KDZ file, aborting what does this mean thank you
Click to expand...
Click to collapse
Most likely you don't have the full file. Were you downloading it and the download got interrupted?

Success! Upgraded to 10f with root

emdroidle
Can you please make a small tool that extract the content of the KDZ file and the system.img file to modify things with ease on PC, and can easier interchange between versions to see what bugs can be avoided....

zinou213 said:
emdroidle
Can you please make a small tool that extract the content of the KDZ file and the system.img file to modify things with ease on PC, and can easier interchange between versions to see what bugs can be avoided....
Click to expand...
Click to collapse
There already are tools for this. https://github.com/Bigcountry907/kdztools and https://forum.xda-developers.com/showthread.php?t=2600575
Though I'm not sure they are completely compatible with the newest kdz's. Simple extraction should work.
-------
Nice tool btw. Now if only it where possible to flash kdz's directly in EDL mode, that would be great !!

askermk2000 said:
There already are tools for this. https://github.com/Bigcountry907/kdztools and https://forum.xda-developers.com/showthread.php?t=2600575
Though I'm not sure they are completely compatible with the newest kdz's. Simple extraction should work.
-------
Nice tool btw. Now if only it where possible to flash kdz's directly in EDL mode, that would be great !!
Click to expand...
Click to collapse
Thank you, I know this tools but i want a confirmation about there compatibility with v20's KDZs, and what is the EDL mode you talk about ??

zinou213 said:
Thank you, I know this tools but i want a confirmation about there compatibility with v20's KDZs, and what is the EDL mode you talk about ??
Click to expand...
Click to collapse
That last part was not for you specifically. It's Sahara Download Mode, or Emergency Download Mode I was talking about, something you probably won't know much about until you brick your phone

askermk2000 said:
That last part was not for you specifically. It's Sahara Download Mode, or Emergency Download Mode I was talking about, something you probably won't know much about until you brick your phone
Click to expand...
Click to collapse
OK Sahara Download Mode i know, i saw this with my old bricked gflex 2 that i unbricked with too many tools and processes that i forget now...

why is it that only the android security patch has been changed and the version is still v10e iam trying to upgrade to v10g thanks
---------- Post added at 11:09 PM ---------- Previous post was at 10:47 PM ----------
also my cpu load is alway going 90 to 100 percent even tho im not using any app did not also do cpu adjustments . it drains my battery fast

@emdroidle
Your donation button doesn't work:
We cannot process this transaction because there is a problem with the PayPal email address supplied by the seller. Please contact the seller to resolve the problem. If this payment is for an eBay listing, you can contact the seller via the "Ask Seller a Question" link on the listing page. When you have the correct email address, payment can be made at www.paypal.com.
Click to expand...
Click to collapse

[ROOT][SamPWND][N960U][WIP-Combo Needed]

Hello XDA!
Samsung has been semi SamPWND again!
Disclaimer:
This root method was developed and tested on the N960U model. This is the only model I have that is a Samsung device. I do have friends and other devs however that have tested this method on various other Samsung devices on both Qualcomm and Exynos chipsets and it has worked on a good number of them meaning this method is not limited to the Note 9. With that being said, due to all the time I have already spent on this and not having any other devices, I will ONLY be supporting the N960U. So do not get upset if I do not respond to you if you have a Samsung A8934839K312 on 7.1 Android (aka a device I have never even heard of before.)
Disclaimer 2:
This root method is mainly for dev's or those who like to tinker and figure things out. The reason I say this is because at this time, you are REQUIRED to be on a factory/combination firmware to mess with the root method. I will ignore any comments/questions for people who do not read this disclaimer and ask me how to root stock etc. as that is what I have been trying to do for over a month now. If you need your phone for work or a daily then I suggest only messing with this root method if you have a lot of spare time since it involves flashing combo firmware at which mobile services and other stuff will not be functional. You have been warned!
Disclaimer 3:
This thread/poc are essentially to get you the ability to use root apps and have a root shell, that is it. If I have time and see some questions that are legit questions I will try to provide help in a timely manner. This POC simply pushes busybox binary from Magisk.zip and SuperSU (the last version chains released before retirement) and installs it in sbin/daemon mode. There is also a way to install MagiskSU in daemon mode as well as ways to install root to /system/xbin for example and do mods such as Xposed that typically need to modify the system partition but that is not the purpose of this thread and these methods are a bit more involved (require modifying the root script as well as setting up bind mounts and other stuff.) Hopefully once this is released and some devs chime in I hope there will eventually be others contributing with various root scripts, install methods etc. and of course HOPEFULLY find a way to write to system/odm/vendor partitions so we can eventually run root on stock!
Disclaimer 4:
I am NOT responsible if you break your phone, wipe your IMEI, hard brick etc. etc.! Also, I spent months to get to this point and already had someone steal my files from AFH (I know, my fault for not hiding them) so please do not take my work as your own. If you want to use it in any way/shape/form just ask for permission and/or give credits in your thread is all I ask! If you are however using someone else's modified files and in here trying to get help I might turn you away (back to the person who provided the modified files) just an FYI!
I think that is enough disclaimers for now!
Note: This thread will most likely be ugly for a bit as I am terrible with making these things look pretty... Hopefully as time goes I will keep improving it or find someone who is trustworthy I can make a "contributor" so they can fix it up for me haha.
Now, Let's Get To It!
Technical Details:
This is sort of a spawn from an exploit I found and reported to Samsung back on the Tab S3 that I never released on XDA. That method (long story short) involved modifying the Persist partition and flashing it in ODIN as ODIN did not check it for integrity. Of course it was patched by Samsung who gave me some $$$ and gave me a shout out on their security bulletin which was pretty cool!
This method is similar to "Persist Root" except we are not flashing any modified partitions in ODIN. Instead, on many Samsung combination firmwares there is an init rc script on /system. If you want to know if your device is compatible a good starting point would be to look for a file called "init.lab.rc" which is typically located at "/system/etc/init/init.lab.rc" like so:
-rw-r--r-- 1 root root ubject_r:system_file:s0 14784 2008-12-31 10:00 init.lab.rc
As it stands, we cannot edit this script. I noticed something cool however when I was reading it one day. Specifically one thing that caught my eye was this:
chmod 777 /data/lab/run_lab_app.sh
There are MANY files and scripts at /data/lab. Luckily, the init.lab.rc sets permissions to "0777" and sets ownership to system on the entire /data/lab directory! If you are still with me, this means all the contents of this directory are world readable/writeable and we can modify any of the files in this DIR without elevated privileges!
Now I am showing the "run_lab_app.sh" script specifically for a reason. We know we can modify any scripts on /data/lab, but how can we execute it with elevates privileges? Going back to the init.lab.rc, if you scroll to the bottom of the rc file you will see this:
service start_abc /system/bin/sh /data/lab/run_lab_app.sh factory abc+
user system
group system
disabled
oneshot
on property:sec.lab.abc.start=1
start start_abc
setprop sec.lab.abc.start 0
Now what that means is, when you set the property "sec.lab.abc.start" to "1" it executes the abc service as system user and more specifically it will start by executing the "run_lab_app.sh" script! Therefore, after you modify the script to your liking, push it to /data/lab/run_lab_app.sh, then do a "setprop sec.lab.abc.start 1" your script will be executed as system user!
Now system obviously is not "root". Now that we can execute as system user we have more attack vectors to elevate privileges even more. Ideally, I remembered how I rooted the Tab S3 about a year ago using Persist partition. As it stands, we are not able to read/write on persist. If we were to set permissions however on /persist using the run_lab_app.sh script, then we can gain access to it! Therefore, one would only need to add this command to the run_lab_app.sh script and execute it using the setprop command:
chmod -R 0777 /persist
As soon as you modify the script, push it and execute the setprop command, it will change permissions on the /persist DIR to be world readable/writeable!
Now, the reason why I like to use Persist, there is a script that is executed by INIT on every reboot automatically (this means it is executed by root!) The script in question is this one "/persist/coresight/qdss.agent.sh." (I am not sure if this script itself is a Qualcomm specific script or not.) Modifying this script has no ill effects on anything from what I have seen.
Now to see how the script is executed you can look in "/vendor/etc/init/hw/init.qcom.test.rc" and you will see some interesting stuff including this:
crownqltesq:/vendor/etc/init/hw # cat init.qcom.test.rc | grep persist
service cs-early-boot /vendor/bin/sh /persist/coresight/qdss.agent.sh early-boot /vendor/bin/init.qcom.debug.sh
service cs-post-boot /vendor/bin/sh /persist/coresight/qdss.agent.sh post-boot /vendor/bin/init.qcom.debug.sh
write /persist/coresight/enable 1
write /persist/coresight/enable 0
crownqltesq:/vendor/etc/init/hw #
As I stated earlier, due to this init script, the qdss.agent.sh script is executed by init context/root user automatically during early boot and post boot. This means once you get everything set up, you won't need to keep reinstalling root (unless you mess something up) on each reboot. This is ideal since we don't have a way yet to modify system/vendor/odm partitions yet. Think of it as a "systemless" root.
For the POC I have provided in this thread for example, it contains the bare minimum SU files. The files in the attached zip are simple: SamPWND.bat, sampwnd1.sh, sampwnd2.sh, /sampwnd which contains su, sukernel, supolicy, libsupol.so and busybox. The way it works is this:
1) You double click the .bat file and it should do everything for you! The .bat file will:
- Push sampwnd1.sh to /data/lab/run_lab_app.sh
- Execute the lab script by doing "setprop sec.lab.abc.start 1"
- Push sampwnd2.sh to /persist/coresight/qdss.agent.sh
- Push root files in "sampwnd" folder to /persist/coresight/sampwnd
- Set permissions on the files we just pushed to Persist to 0777
- Reboot the device (Note: The .bat file reboots the device at this point since everything is in place to root when the device reboots, it's that simple!)
After the device reboots, you should now be able to use a root shell as well as sideloading any root apps will work (apps such as TiBu, Root Explorer, Flashfire etc. etc.)
When the device reboots, the qdss.agent.sh script does the following automatically:
1) Mounts rootfs and sets permissions to 0777 so we can access /sbin
2) Pushes the contents of the root files folder "sampwnd" to /sbin
3) Sets permissions to the files we just moved to /sbin
4) Exports the LIB path to /sbin due to the libsupol.so being needed to patch the sepolicy with supolicy
- The export command is "export LD_LIBRARY_PATH=/sbin"
- Once the script is over and you use another app or go into a shell etc. the LIB path will be gone/reset so you don't need to
worry.
5) Patches the sepolicy for SU
6) Installs SU by executing "su --install"
7) Executes the SU daemon by running "su --daemon"
8) Lastly, remounts rootfs back to RO.
As stated earlier, these commands are all automatically executed by init/root each time you reboot the device. Essentially, whatever we put into the qdss.agent.sh script will be executed on boot by init/root. If for some reason permissions are lost, we should still have our lab script and we would only need to run "setprop sec.lab.abc.start 1" to change permissions on persist again!
The initial files I provide today are just a simple root install script. I have successfully used the root script to install MagiskSU, Xposed (using bind mounts to overlay on /system) and other tests. I also at one point made a backup script that backed up all the partitions on the device into a folder which I extracted to my PC for safe keeping, you get the picture! Once you have root however, you can do these things easier as you will have root access.
Now that you know the workings of the exploit (err exploits?) I will explain briefly what is needed and how to test it.
Pre-requisites:
1) Download links will be in 2nd post.
2) For the purpose of this thread and the only device I personally have, you should have a N960U/U1/W on a rev1 bootloader (there isn't a rev2 BL yet so most should be good to go.)
3) A vulnerable Combo Firmware. I linked the one I use in Post 2. I use 1ARG4 Factory/Combo firmware. Of course you will need ODIN to flash the combo.
4) The root files/7z linked in post 2.
5) Stock firmware for when you are done playing, testing, etc. etc.
6) Almost forgot, you will need ADB. I will not go into details on this, if you don't have a working ADB Google is your friend. I recommend setting it to your path so you can use ADB from anywhere on the PC.
Install Instructions:
1) Extract the root files 7z into a DIR of your choice.
2) Flash whichever vulnerable combo firmware you are using via ODIN.
3) Once it boots up, make sure your device is seen by adb by running "adb devices"
4) Double click the .bat file.
5) That's it! Your device will reboot and you should be rooted!
If for some reason it is not working and you are on a N960U/U1/W, there could be a number of reasons. If you are not using the 1ARG4 combo I linked then it's possible the combo you are using is not vulnerable. It could also be an issue with ADB. Sometimes if things get crazy throughout your testing you might need to reflash /persist in ODIN or reflash the combo firmware in ODIN then re-run the .bat file (I only experience this typically when I get crazy with the root script and end up losing permissions to everything or something I added in the root script is causing the device to boot-loop etc. etc.)
Now donations are not required but feel free to throw me some beer money if you want! My paypal email/link is in a few places, you shouldn't have any trouble finding it!
TELEGRAM LINK
https://t.me/joinchat/DxwvAlhtzHjg4EI9973BGQ
We will use the TGRAM to provide support, ideas, share scripts/files and HOPEFULLY, we can all figure out together how to turn this into rooting the stock firmware as this is the goal and will be the primary focus of the chat!
Credits:
 @samsung - for letting us PWND them time and time again!
@chainfire - SuperSU of course
 @topjohnwu - MagiskSU of course
 @me2151 - For all the time and help he is going to be putting in with us! Such a great guy! lol
@jrkruse - For everything! Everything from EDL support, ROM support, Root support you name it!
 @partcyborg - For also spending countless hours helping answer questions in here so I don't have to hahah
 @mweinbach - He writes great articles for XDA! He is a good kid who gets his hands on cool things frequently
@"mysecretfriendfromfaraway - I will not name him haha, he knows who he is. He always helps out and gets great things!
XDA:DevDB Information
SamPWND N960U Root, Tool/Utility for the Samsung Galaxy Note 9
Contributors
elliwigy
Version Information
Status: Testing
Created 2019-05-05
Last Updated 2019-05-05

Downloads:
1) 1ARG4 Factory/Combo Firmware
MD5: bf0702b4e85ac1547b5706bb4859f554
2) Root Files
MD5: 342f15e13c72f3d0f9194d8a14058ac9

Mine also...

Nice job!

Thank you @elliwigy !!!
Your determined effort is soooooooooooooooo much appreciated. :good:

You are the man! This has got to be the first out. I dont think i have seen anything else. As usual you have done something remarkable for Samsung and this time the Note 9 of all. I wish there was the ability to get root on U5 for the S8/S8+ with SamPWND. Have you researched any more into that lately?

noidodroid said:
You are the man! This has got to be the first out. I dont think i have seen anything else. As usual you have done something remarkable for Samsung and this time the Note 9 of all. I wish there was the ability to get root on U5 for the S8/S8+ with SamPWND. Have you researched any more into that lately?
Click to expand...
Click to collapse
not possible.. sampwnd used rev1 eng firmware lol. it was done soon as they incremented the bootloader

elliwigy said:
not possible.. sampwnd used rev1 eng firmware lol. it was done soon as they incremented the bootloader
Click to expand...
Click to collapse
Yup. =] I don't know though. Always something new that pops out of Sammys goodie bag and lands in someones lap and crawls its away onto XDA. Like you I have a silentguywhospeaksanotherlanguage that always seems to amaze me... the past 14 years. Would be awesome. Could be something kewl. Time will tell.

Definitely going to test out and report back! Sent you some money for some beers lol :highfive:

still no ones tried? lol i thought ppl would b all over it haha

elliwigy said:
still no ones tried? lol i thought ppl would b all over it haha
Click to expand...
Click to collapse
Im gonna try it when i get off work

Incredible!! Wow this alone is awesome, and that word doesn't justify it. The talent you all have for this is really impressive. Thanks to all who had a major role in this alone. I will be posting results as soon as i can, hopefully tonight. Its all possible!!
Thank You

noidodroid said:
You are the man! This has got to be the first out. I dont think i have seen anything else. As usual you have done something remarkable for Samsung and this time the Note 9 of all. I wish there was the ability to get root on U5 for the S8/S8+ with SamPWND. Have you researched any more into that lately?
Click to expand...
Click to collapse
Im PRETTY sure samfail works via edl rom from @jrkruse

Trying to install right now... So for the Combo Firmware, I am on BUild N960USQS1CSD1 . How do i find the Combo firmware for that ? is that just finding the stock firmware ?

Yeteneğiniz hayranlık uyandırdı bende. Takdir ediyorum. Tebrik ediyorum sizi.
Cihazımı test ederken yapmam gerekenleri şu şekilde sıralayabilirmiyiz kısaca?
1) 1ARG4 Factory/Combo Firmware
Odin ile telefonuma flash yapmalıyım.
2) Flashlama işlemi bittikten sonra cihazımın açılmasını beklemeliyim.
3) Cihazım açıldıktan sonra Root dosyasını cihazıma Pc üzerinden anlattığınız şekilde uygulamalıyım.
4) Root işlemi cihazımı yeniden başlattıktan sonra stok yazılım yüklemeliyim.
5) Mutlu Son.
---------------------‐---------------------------------------------
Your talent has aroused admiration. I appreciate. I congratulate you.
When I test my device, can I sort the things I need to do in the following way?
1) 1ARG4 Factory / Combo Firmware
I need to do a flash with Odin on my phone.
2) After flashing, I have to wait until my device is turned on.
3) After opening my device, I need to apply the root file to my device in the same way as I told it on PC.
4) After the root process reboot my device, I need to install the stock software.
5) Happy End

Raz12 said:
Trying to install right now... So for the Combo Firmware, I am on BUild N960USQS1CSD1 . How do i find the Combo firmware for that ? is that just finding the stock firmware ?
Click to expand...
Click to collapse
will be easiest to just use the combo linked in second post.. newrr combos r most likely patched.. also, if csd1 is pie then there will never be a pie combo so ull need to flash an oreo combo either way

axioneer said:
Yeteneğiniz hayranlık uyandırdı bende. Takdir ediyorum. Tebrik ediyorum sizi.
Cihazımı test ederken yapmam gerekenleri şu şekilde sıralayabilirmiyiz kısaca?
1) 1ARG4 Factory/Combo Firmware
Odin ile telefonuma flash yapmalıyım.
2) Flashlama işlemi bittikten sonra cihazımın açılmasını beklemeliyim.
3) Cihazım açıldıktan sonra Root dosyasını cihazıma Pc üzerinden anlattığınız şekilde uygulamalıyım.
4) Root işlemi cihazımı yeniden başlattıktan sonra stok yazılım yüklemeliyim.
5) Mutlu Son.
---------------------‐---------------------------------------------
Your talent has aroused admiration. I appreciate. I congratulate you.
When I test my device, can I sort the things I need to do in the following way?
1) 1ARG4 Factory / Combo Firmware
I need to do a flash with Odin on my phone.
2) After flashing, I have to wait until my device is turned on.
3) After opening my device, I need to apply the root file to my device in the same way as I told it on PC.
4) After the root process reboot my device, I need to install the stock software.
5) Happy End
Click to expand...
Click to collapse
read the op. id say its pretty easy/clear..
also, it is not possible to have root on stock firmware right now, this was also clear in op.
the root only works on combo firmware.. if u need to use ur phone then i suggest not using this root method until we figure out how to make it work on stock

elliwigy said:
will be easiest to just use the combo linked in second post.. newrr combos r most likely patched.. also, if csd1 is pie then there will never be a pie combo so ull need to flash an oreo combo either way
Click to expand...
Click to collapse
Yikes, i see the difference now. I mean it's done but it's not like a normal android it seems. I see what you mean. Well I guess ill just go back to stock pie. Good work though man, you are doing great ! Just to see though, It went to a factory binary screen then to this lime green and showing all this info. That's it right ?

I hope this leads to root for normal u1 firmware. ??????

Raz12 said:
Yikes, i see the difference now. I mean it's done but it's not like a normal android it seems. I see what you mean. Well I guess ill just go back to stock pie. Good work though man, you are doing great ! Just to see though, It went to a factory binary screen then to this lime green and showing all this info. That's it right ?
Click to expand...
Click to collapse
it was prolly green due to battery being low.. it changes the color once it dips below a certain %
and yea, i assume uve never been on a combo firmware before lol they are all like that

[GUIDE] Convert ASUS ZenPad 3S 10 Z500M (P027) from CN to WW

Convert your ZenPad 3s 10 from CN to WW firmware​
This guide will show you how to flash the WW firmware to your ZenPad Z500M that came preloaded with the CN (China) ROM. Up until recently, this was problematic because the CN firmware, as well as the 13.x series in general, is locked down. It does not provide flashing access via the common methods like unlocking+fastboot, recovery or SP Flash Tool. But thanks to a MediaTek temporary root tool invented by some evil genius, it's now possible to upgrade your CN ZenPad to the latest WW ROM. It's well known that this variant comes with Google apps and is fully unlockable and rootable.
DISCLAIMER
Any procedures described in this thread are done at your own risk. No one else will be responsible for any data loss, corruption or damage of your device, including that which results from software bugs.
REQUIREMENTS
An ASUS ZenPad Z500M (P027) tablet with 13.x firmware
Either:
A PC with ADB installed to interact with your device, or
A terminal emulator app
Familiarity with ADB (if using PC) and basic Linux shell commands
Familiarity with the Thanks button under XDA posts
INSTRUCTIONS
Read and understand this whole procedure before you start. This is about as dangerous as installing a full OTA update, and you would have to try hard to mess it up in a way that your device cannot be recovered. But keep in mind that it is a possibility. Make sure your battery has decent charge or plug it into the charger.
Go to Amazing Temp Root for MediaTek ARMv8 and read the directions on how to open a root shell in ADB or a terminal emulator app, and make sure you understand them. Download the latest release of mtk-su. Support the developer.
Download and unzip the recovery image to your tablet. Link below.
Open a root shell and flash the image to your recovery partition with:
Code:
dd if=recovery.img of=/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/recovery bs=1048576
You may need to specify the full path of the img file.
Download the latest 14.x WW firmware from ASUS' support site. Link below.
Put the official zip package in the root of your internal storage. Rename the file by changing the letters "WW" to "CN". That is, rename UL-P027-WW-14.0210.1806.33-user.zip to UL-P027-CN-14.0210.1806.33-user.zip. This has to be done in the same boot session as the recovery flashing step.
At this point, the OS updater should detect the file, prepare the upgrade and ask you to reboot. Confirm that you want to reboot to install. Make sure that you have succeeded step 4.
Your tablet will reboot and automatically install the WW 14.x package. You may need/want to do a factory reset after this.
Alternative method to zip file autodetection: reboot to recovery and do an adb sideload install.
NOTES
Do not try to install any 13.x firmware package using this method. That's because if something goes wrong and your device fails to boot, you would not be able to get root access to repair it. It may be next to impossible to recover it. The 13.x releases are locked down, unlike the 14.x (Android 7) ones.
If for any reason you reboot your tablet after doing the dd flashing step but before successfully installing the 14.x ROM, your original recovery will get restored. You will have to flash it again before trying the upgrade.
Do not try to downgrade from a 14.x FW to 13.x via TWRP. It is a fact that this will make your tablet unbootable because the 13.x packages do not provide all the necessary images.
DOWNLOAD
WW-13.x Recovery Image
ASUS Z500M firmware downloads
CREDITS
Thanks to @lemon0o for successfully testing this method. :good:

Read-only file system error - way out?
Hi diplomatic,
Thanks a lot for sharing this beautiful method. I had two of these tablets with CN firmware and had pretty much given up on them until now.
Edit 2: I successfully used the adb sideload method to update to WW firmware. The autodetect did not work for me.
Original post:
I have had success with steps 1-4 (UID 0, selinux: permissive),
but when I am trying to paste the downloaded firmware file in root folder ( / ) I get the error Read-only file system. I pasted the renamed firmware file in /sdcard/ but the autodetection doesn't work.
I tried remounting root '/' with
Code:
mount -o rw,remount /
I was then able to paste the renamed firmware file (WW to CN) to (root) / . The autodetection still doesn't work.
Is there a guide you can point me to for adb sideload install? I have exposure to linux but haven't explored android innards much. I will keep looking.
Thanks again, really hoping I am able to make this work!

@bkmiictian, I'm glad you figured it out. (And finally have someone respond after like 8 months. ) But FWIW, the upgrade package should go into your internal shared storage to be detected. It's just following the standard installation procedure for Asus. Nothing to do with the root dir of the file system.

diplomatic said:
@bkmiictian, I'm glad you figured it out. (And finally have someone respond after like 8 months. ) But FWIW, the upgrade package should go into your internal shared storage to be detected. It's just following the standard installation procedure for Asus. Nothing to do with the root dir of the file system.
Click to expand...
Click to collapse
I had similar issues, was not clear what to do, how to make it recognized.
Here I found great detailed explanation on the asus website (can't put full link as I'm newbie support/FAQ/1011948/ )
Apart from that, great guide !! Thanks a lot!!
Spent hours before that finding a way to either root it or install Google Apps. Tried all rooting apps I could find ...

thanks for the details procedure
Please all noted the file should place under "internal shared storage" not root as seen in adb.
Details steps as provide by Asus in its FAQ:
FAQ/1011948

Hi, Thanks so much for the tutorial.
I'm also having issues with the Z500M with CN firmware.
I followed the steps until getting the selinux: permissive message on ADB.
But I'm lost on what to do with the Recovery.img & the WW 14.x firmware
I copied the files into the root directory, but I don't understand what to do next.
Edit:
Found the procedure to manually install the firmware update from Asus.
Disconnected the USB cable & it told me there was a new update.
After updating, it restarted and showed an android with the message "installing system update" but then it just gave an Error.
Then it restarted saying System update failed. Unknow error. System was restored to previous configuration.
I guess I'm doing something wrong...

I think my issue may be Step 4.
dd if=recovery.img of=/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/recovery bs=1048576
You may need to specify the full path of the img file.
Click to expand...
Click to collapse
That command does not seem to work.
ADB says "No such a file or directory"
If I try with this command I get an error too.
dd if=/root/recovery.img of=/dev/block/platform/mtk-msdc.0/11>
dd: /root/recovery.img: Permission denied

danielfd said:
I think my issue may be Step 4.
That command does not seem to work.
ADB says "No such a file or directory"
If I try with this command I get an error too.
dd if=/root/recovery.img of=/dev/block/platform/mtk-msdc.0/11>
dd: /root/recovery.img: Permission denied
Click to expand...
Click to collapse
Yes, this is the main point of this procedure. Where did you extract recovery.img? If it's, say, in your internal storage, you may need to specify
dd if=/storage/emulated/0/recovery.img of=/dev/block.....
Only reboot to install the FW if you have succeeded with this step.

diplomatic said:
Yes, this is the main point of this procedure. Where did you extract recovery.img? If it's, say, in your internal storage, you may need to specify
dd if=/storage/emulated/0/recovery.img of=/dev/block.....
Only reboot to install the FW if you have succeeded with this step.
Click to expand...
Click to collapse
Thanks Diplomatic
The new code seems to work for me.
dd if=/storage/emulated/0/recovery.img of=/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/recovery bs=1048576
Click to expand...
Click to collapse
I still get an Error when I try to update to the WW firmware.
Will try the whole process from the beginning.
EDIT:
It worked!
Thanks a lot Diplomatic!
I made a factory reset to the tablet & followed again the steps & the update was successful.

So if I had 14x on Android 7, can I just move to the twrp recovery part of the forum, why not just manually update to 14x from 13x if 14x can be unlocked? Am I missing something?

Root for Android 10 PX6 MTCE

I tested this on my Dasaita px6 mtce head unit once I installed Android 10
(thanks @Diavol for the tip)
I know that there are other ways to do this, but this is how I accomplished it.
****************DO THIS AT YOUR OWN RISK***********************************
1- On Head Unit: install a terminal emulator and run the three following commands pressing enter each time. (device will reboot). This will open ADB witj root permissions on port 5555
setprop persist.adb.tcp.port 5555
setprop sys.rkadb.root 1
reboot
*******************************************************************************
2- Uzip Su-Magisk folder and place the files on the root directory of your PC ( C:/ )
Open command prompt window on your PC with administrative privileges and enter one line at a time,,,,,, if you get stuck at "adb shell /system/bin/su --daemon", repeat the process on a new command prompt
window. When that is finished install Magisk V 20.4 (20400), after it gets installed it will search for updates and will say that the app is not installed, press on install, a window will pop up, choose to install it as a "Direct Install (Recommended)" when finished, press the yellow reboot button.
cd c:/
adb connect (enter here your ip address number, for example 10.0.0.2)
adb root
adb connect (enter here your ip address number, for example 10.0.0.2)
adb remount
adb shell setenforce 0
adb push su /system/xbin/su
adb push su /system/bin/su
adb shell chmod 06755 /system/bin/su
adb shell chmod 06755 /system/xbin/su
adb shell /system/bin/su --install
adb shell /system/bin/su --daemon
adb push rooting.rc /system/etc/init/rooting.rc
***************************************************************************
***************************************************************************

Finally, after months of garbage "help me how do I do (the same boring question multiple new members signed up to XDA for - without reading the forums a thoughtful contributing post! Brilliant!

marchnz said:
Finally, after months of garbage "help me how do I do (the same boring question multiple new members signed up to XDA for - without reading the forums a thoughtful contributing post! Brilliant!
Click to expand...
Click to collapse
Yeah, that's how it sometimes goes, I am still testing this stuff.

Для РХ5 тоже подойдет??
Suitable for PX5 too ??
---------- Post added at 09:03 AM ---------- Previous post was at 08:57 AM ----------
I read different forums, and there seems to be a way to make boot.img root (also through Magisk) and flash it into the radio

AndreySanich said:
Для РХ5 тоже подойдет??
Suitable for PX5 too ??
---------- Post added at 09:03 AM ---------- Previous post was at 08:57 AM ----------
I read different forums, and there seems to be a way to make boot.img root (also through Magisk) and flash it into the radio
Click to expand...
Click to collapse
Yes I am aware of that, but why? when I install Magisk it patches directly the stock boot image, or am I wrong? please let me know.

Al Ferro said:
Yeah, that's how it sometimes goes, I am still testing this stuff.
Click to expand...
Click to collapse
I mean, well done, great post!

I wonder how that's gonna work?
Rockchip boot.img or patches are not supported by Magisk.
There must be more experience reports, someone might get a boot loop.

sorry, maybe for the translation I missed something, how do I connect pc and tablet ?, ip address to put I guess is that of the tablet ?.
thanks for your patience.

Have anyone tried to root with this method ?

jamal2367 said:
Have anyone tried to root with this method ?
Click to expand...
Click to collapse
Yeah, me. I' ve done it many ,many times because I am testing stuff, no boot loops or anything so far.:good::laugh:

marcanpaolo said:
sorry, maybe for the translation I missed something, how do I connect pc and tablet ?, ip address to put I guess is that of the tablet ?.
thanks for your patience.
Click to expand...
Click to collapse
Yes, your radio unit's ip address .

Al Ferro said:
Yeah, me. I' ve done it many ,many times because I am testing stuff, no boot loops or anything so far.:good::laugh:
Click to expand...
Click to collapse
I have a PX5.
The problem is that I do not have a test radio where I can test it all the time.
It takes a long time to set up the radio back the way it was before.
The problem is actually that Magisk does not support rockchip ramdisk.
I have tried it several times in the past and it always resulted in boot loops or black screens.
Show this issue on github:
https://github.com/topjohnwu/Magisk/issues/755
Maybe there are differences from radio to radio.
With you it works and with others it doesn't, that's the question.

jamal2367 said:
I have a PX5.
The problem is that I do not have a test radio where I can test it all the time.
It takes a long time to set up the radio back the way it was before.
The problem is actually that Magisk does not support rockchip ramdisk.
I have tried it several times in the past and it always resulted in boot loops or black screens.
Show this issue on github:
https://github.com/topjohnwu/Magisk/issues/755
Maybe there are differences from radio to radio.
With you it works and with others it doesn't, that's the question.
Click to expand...
Click to collapse
It Works wonderful with my Dasaita head unit.

One cannot expect correct answers here, can one?
Grow up and stop acting like a child

jamal2367 said:
One cannot expect correct answers here, can one?
Grow up and stop acting like a child
Click to expand...
Click to collapse
Hey, I am just saying that I have not problems at all running this stuff on my radio unit, I don't know what brand of radio unit you have, I see on the market a lot of cheap stuff that I personally avoid. This guide is for every one that feels confident to try it out, I am not forcing anyone to do it, I can tell you that I am happy that it works for me, let's keep on learning good stuff.:good:

jamal2367 said:
One cannot expect correct answers here, can one?
Grow up and stop acting like a child
Click to expand...
Click to collapse
without testing, you won't get a result. I already sent you a private message about the build test. Yes, we have different CPUs, but if you want results, you must sacrifice time and settings.

Ok i have test it and it´s working without any problems.
Magisk + Magisk Module!

jamal2367 said:
One cannot expect correct answers here, can one?
Grow up and stop acting like a child
Click to expand...
Click to collapse
jamal2367 said:
Ok i have test it and it´s working without any problems.
Magisk + Magisk Module!
Click to expand...
Click to collapse
which method worked?

Diavol said:
which method worked?
Click to expand...
Click to collapse
From this thread. :good:

jamal2367 said:
From this thread. :good:
Click to expand...
Click to collapse
with the stock boot?