[GUIDE] How to restore IMEI, Baseband, MAC, fix NVRAM WARNING and fix NVDATA CORRUPTED on MERLIN? (Redmi 10X 4G / Redmi Note 9)

Warnings:
- This guide requires that the backup was made while the IMEI was still present!
- NEVER flash in "format all" mode! Otherwise, you will LOSE all secure and identifying information for your device, such as the IMEI.
- Keep your backup files safe and secure! If you can, encrypt them.
- Never share your backups, or your security and privacy will be compromised.
- USE AT YOUR OWN RISK. I AM NOT RESPONSIBLE FOR YOUR ACTIONS.
What does this guide do?
- Restores IMEI.
- Restores Baseband/RADIO/Modem.
- Restores Wi-Fi MAC.
- Restores Bluetooth MAC.
- Fixes "NVRAM WARNING: ERR 0x10" error.
- Fixes NV Data corrupted error.
- Fixes unknown baseband.
- Fixes null IMEI.
How to back up?
You can back up the listed partitions using TWRP, PBRP, DD, SP Flash Tool or any other way you want.
I suggest you use your favorite tool.
How to restore?
You can restore the listed partitions using TWRP, PBRP, DD, SP Flash Tool or any other way you want.
I suggest you use the same tool you used for the backup.
Partition: nvcfg
Description: This partition stores variable configs of NVDATA and NVRAM.
Size: 32.768 KiB (32 MiB)
Block: /dev/block/mmcblk0p11
Start address: 0xa4a2000
Length: 0x2000000
Partition: nvdata
Description: This partition stores variable data of secure and identifying information for your device, such as the IMEI, Wi-Fi MAC, Bluetooth MAC, calibration data and others.
Size: 65.536 KiB (64 MiB)
Block: /dev/block/mmcblk0p12
Start address: 0xc4a2000
Length: 0x4000000
Partition: nvram
Description: This partition stores persistent data of secure and identifying information for your device, such as the IMEI, Wi-Fi MAC, Bluetooth MAC, calibration data and others.
Size: 65.536 KiB (64 MiB)
Block: /dev/block/mmcblk0p21
Start address: 0x19f00000
Length: 0x4000000
Partition: persist
Description: This partition stores persistent data for factory reset protection, such as the Google account and miaccount/micloud.
Size: 49.152 KiB (48 MiB)
Block: /dev/block/mmcblk0p13
Start address: 0x104a2000
Length: 0x3000000
Partition: proinfo
Description: This partition stores persistent data of the default structure for NVRAM/RADIO/MODEM/BASEBAND.
Size: 3.072 KiB (3 MiB)
Block: /dev/block/mmcblk0p19
Start address: 0x18200000
Length: 0x300000
Partition: protect1 (or protect_f)
Description: This partition stores variable data of SIM/RADIO/MODEM/BASEBAND settings and information.
Size: 8.192 KiB (8 MiB)
Block: /dev/block/mmcblk0p15
Start address: 0x164a2000
Length: 0x800000
Partition: protect2 (or protect_s)
Description: This partition stores variable data of SIM/RADIO/MODEM/BASEBAND settings and information.
Size: 11.640 KiB (11,36 MiB)
Block: /dev/block/mmcblk0p16
Start address: 0x16ca2000
Length: 0xb5e000
Do you need help with your MERLIN device?
Read this FAQ: https://forum.xda-developers.com/t/...for-merlin-redmi-10x-4g-redmi-note-9.4225177/
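A size-and-digest check for backups of the partitions listed in the guide, as an added shell example (not part of the original post). It assumes each backup is saved as NAME.img in one directory; the function names and the SHA256SUMS file name are illustrative.

```shell
#!/bin/sh
# Added example: check partition backups against the Length values from the
# guide's partition list, then record SHA-256 digests for later re-checking.

# name:length pairs copied from the guide's partition list (MERLIN).
PARTITION_LENGTHS='nvcfg:0x2000000
nvdata:0x4000000
nvram:0x4000000
persist:0x3000000
proinfo:0x300000
protect1:0x800000
protect2:0xb5e000'

# expected_len NAME: print the partition length in bytes (decimal).
expected_len() {
    hex=$(printf '%s\n' "$PARTITION_LENGTHS" |
          awk -F: -v n="$1" '$1 == n { print $2 }')
    [ -n "$hex" ] || return 1
    echo "$(( $hex ))"
}

# verify_image NAME FILE: succeed only if FILE is exactly partition-sized.
# A short image is a truncated dump; a long one will not fit on restore.
verify_image() {
    want=$(expected_len "$1") || { echo "unknown partition: $1" >&2; return 2; }
    [ -f "$2" ] || { echo "missing image: $2" >&2; return 2; }
    have=$(wc -c < "$2" | tr -d ' ')
    if [ "$have" -ne "$want" ]; then
        echo "$1: image is $have bytes, partition is $want bytes" >&2
        return 1
    fi
}

# write_manifest DIR [NAME...]: verify DIR/NAME.img for each NAME (default:
# every listed partition) and write DIR/SHA256SUMS. No manifest is written
# if any image is missing or mis-sized.
write_manifest() {
    dir=$1; shift
    [ "$#" -gt 0 ] || set -- $(printf '%s\n' "$PARTITION_LENGTHS" | cut -d: -f1)
    tmp="$dir/SHA256SUMS.tmp"
    : > "$tmp"
    for name in "$@"; do
        verify_image "$name" "$dir/$name.img" || { rm -f "$tmp"; return 1; }
        (cd "$dir" && sha256sum "$name.img") >> "$tmp" || { rm -f "$tmp"; return 1; }
    done
    mv "$tmp" "$dir/SHA256SUMS"
}

# check_manifest DIR: re-check every digest, e.g. right before a restore.
check_manifest() {
    (cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1)
}

# Usage: sh this_script.sh /path/to/backup_dir
if [ "$#" -ge 1 ]; then
    write_manifest "$1" && echo "manifest written: $1/SHA256SUMS"
fi
```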

Thank you for letting me I learned a lot!

You are welcome, my friend.
Enjoy

Hello, newbie flasher here.
We tried unlocking a Note 9, which turned into a brick, but thanks to your tutorials we managed to recover it a bit.
The problem is we don't have any backups for the NVDATA that is now corrupted. Any tips here?
Thank you

I already lost the IMEI and baseband. What can I do to recover them? I have no backups.

Try recovering that using engineering and modem meta:
[V1][ENGINEERING][ROM] OFFICIAL Engineering Firmware for MERLIN (Redmi Note 9 / Redmi 10X 4G)
Version 1 Works with: - Xiaomi Redmi Note 9 - Xiaomi Redmi 10X 4G Build Date: 2020/05/13 Android Version: QP1A.190711.020 Display ID: AL2522-Merlin-V039-Q-0513 Build Fingerprint...
forum.xda-developers.com
How to use Modem Meta Tool to Flash or Write IMEI on Mediatek Device
Step-by-Step guidelines to Flash, Write or Fix IMEI on devices running on Mediatek Chipset using the Modem Meta Tool.
androidmtk.com

Related

[Q] P3113 Suggestions for reclaiming the 537MB HIDDEN partition for Internal Storage

Do any of you have any suggestions on how to do this? I ran parted via ADB on my 8GB tablet's internal storage (/dev/block/mmcblk0)
Code:
Disk /dev/block/mmcblk0: 7818MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
1 4194kB 25.2MB 21.0MB ext4 EFS
2 25.2MB 27.3MB 2097kB SBL1
3 27.3MB 29.4MB 2097kB SBL2
4 29.4MB 37.7MB 8389kB PARAM
5 37.7MB 46.1MB 8389kB KERNEL
6 46.1MB 54.5MB 8389kB RECOVERY
7 54.5MB 789MB 734MB ext4 CACHE
8 789MB 810MB 21.0MB MODEM
9 810MB 2278MB 1468MB ext4 FACTORYFS
10 2278MB 7281MB 5004MB ext4 DATAFS
11 7281MB 7818MB 537MB ext4 HIDDEN
I knew more or less what each partition did but was curious about "HIDDEN" so I mounted it to see what was there. All that was in that partition is Retail.apk (it's the "Demo Mode" that runs when the tablet is sitting at Best Buy) and the sample multimedia files used in the demo. In total these files were less than 100MB and the multimedia was already copied to the /sdcard/Samsung directory in the main storage.
537MB is quite significant considering how little space there is on this 8GB model. The next time I do a factory reset can I just delete "HIDDEN" and DATAFS and create a new larger DATAFS partition with no ill effects? I'm thinking this would work because they are contiguous and enlarging DATAFS would not change its partition number so the mounting scripts during the boot process wouldn't get thrown off.
Are there any other suggestions on how I could reclaim 537 MB of internal storage?
I've done it successfully. Delete p9, p10, p11 and recreate them with new sizes.
parted can only create ext2 partitions; you need tune2fs and e2fsck to convert the ext2 fs to ext4.
First, use tar to back up the system and data partitions (p9, p10) to external_sd;
after repartitioning you can restore them.
If you want to do it, you must be careful. It's VERY DANGEROUS and may brick your device.
My device: Samsung Galaxy Tab2 P3110, CM 10.1.3RC2
For more detail you can have a look at this. It's in Chinese and for the Kindle Fire, but I think you can understand the command-line code.
http://bbs.imp3.net/thread-10515210-1-1.html
Have you succeeded in using all memory? I repartitioned the device; in clockworkmod everything is fine, but I can't access all the space from the system. For DATAFS I now have 5480MB instead of 5004MB, but the system tells me that internal storage is still ~5GB with only 4,5GB available. I even hard reset the device - nothing changed. How do I make the system see all the space?
It seems that all the memory of DATAFS is OK on my P3110; have a look at the snapshots below.
I use CM 10.1.3. I don't know which ROM you flashed, stock ROM?
Sorry, it is in Chinese, but you can see the memory numbers.
No problem with the language, everything is clear. I'm using the stock odexed Samsung 4.1.2 ROM with my own changes for tabletui and a couple of others (like editing systemui.apk). I guess that Samsung gives a fixed amount of space for /data and I haven't found where it is. Anyway, thank you for the idea.
Probably obvious to most, but don't delete all those partitions! I was in the middle of surgery via adb, and stupidly typed
Code:
du -hs
and the device rebooted.
http://forum.xda-developers.com/galaxy-tab-2/help/argh-deleted-internal-partitions-boot-t2912866

Imei Lost, qpst backup and partition too

Well, I have some problems trying to crossflash the modem.
I had some problems before and managed to repair them with QPST, but now I cannot send my backup.
Where am I?
I have a QPST backup, and backups of modem, modemst1 and modemst2.
But when I try to dump them again over it, it does nothing.
Can someone give me a hand?
Everything on the phone works except mobile data, of course.
Can someone tell me how to restore those partitions from download mode?
The seek and count?
It's an H950 with h950PR firmware.
Thanks so much
Well, I ran some tests from adb and I cannot understand the seek and count parameters, so I tried some, but with no success from ADB.
When I try to overwrite the partitions, the log tells me this:
Code:
[email protected]:/ # cd /data/media/0/
[email protected]:/data/media/0 # dd if=mod
modem.img modemst1.img modemst2.img
[email protected]:/data/media/0 # dd if=modem.img skip=1 of=/dev/block/mmcblk0p1
dd: /dev/block/mmcblk0p1: No space left on device
163841+0 records in
163840+0 records out
83886080 bytes transferred in 11.118 secs (7545069 bytes/sec)
1|[email protected]:/data/media/0 # dd if=modem.img bs=512 skip=1 of=/dev/block/mmcblk0p>
dd: /dev/block/mmcblk0p1: No space left on device
163841+0 records in
163840+0 records out
83886080 bytes transferred in 13.969 secs (6005159 bytes/sec)
d if=modemst1.img bs=512 skip=1 of=/dev/block/mmcblk0p23 <
dd: /dev/block/mmcblk0p23: No space left on device
3073+0 records in
3072+0 records out
1572864 bytes transferred in 0.294 secs (5349877 bytes/sec)
1|[email protected]:/data/media/0 # dd if=modemst2.img bs=512 skip=1 of=/dev/block/mmcbl>
dd: /dev/block/mmcblk0p24: No space left on device
3073+0 records in
3072+0 records out
1572864 bytes transferred in 0.179 secs (8786949 bytes/sec)
All backups are 1 record bigger than the partitions.
I tried with bs=512 skip=1 to avoid it, but without that I have the same problem...
Can someone help me?
I can help!
First, use parted and copy the output of this:
./parted /dev/block/mmcblk0 unit s print
If the partition map is the same as the H955's, you can back up with these commands:
The full backup size of modemst1 and modemst2 is: 1572864 bytes
In download mode, copy the backup files to internal storage:
dd if=/data/media/0/modemst1_mmcblk0p23.img of=/dev/block/mmcblk0 bs=8192 seek=20480 count=192
dd if=/data/media/0/modemst2_mmcblk0p24.img of=/dev/block/mmcblk0 bs=8192 seek=20672 count=192
In normal mode, booted Android:
dd if=/data/media/0/modemst1_mmcblk0p23.img of=/dev/block/mmcblk0p23
dd if=/data/media/0/modemst2_mmcblk0p24.img of=/dev/block/mmcblk0p24
Hi sr, thanks for your answer.
The question is the following.
How do I calculate seek and count? I understand that count*bs = size of partition, but seek is the number of blocks skipped and I don't understand how to find it. I'm on an H950; the partition table is the same, but the sizes aren't...
Thanks so much
Well, I don't know what happened, but my diag mode is useless.
I think my problem was overwriting the first 3 or 4 partitions.
Can someone upload a dump of, I think, the first 100 MB of a PR ROM for me?
A full ROM up to system would be awesome.
An h955/950/950PR one will work for me too... I prefer to avoid anti-rollback ROMs...
Thanks for the help
Is your phone even bootable?
Download the parted binary and execute this: /parted /dev/block/mmcblk0 unit s print
This is an example of how to calculate seek and count:
Number Start End Size File system Name
23 327680s 330751s 3072s modemst1
1. Calculate SKIP/SEEK
327680 sector * 512 byte (sector size) = 167772160 byte / 8192 (block size in byte) = 20480
2. Calculate Count (By the Partition size in sector)
You can use, the partition size in sector, or end sector - start sector
3072 sector * 512 byte (sector size) = 1572864 byte / 8192 (block size in byte) = 192
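The seek/count arithmetic from the post above, as an added shell example that is not from the thread: it parses a parted row in sector units and refuses block sizes the partition is not aligned to. It goes one step further than the post by also finding the largest usable power-of-two block size; the function names are illustrative.

```shell
#!/bin/sh
# Added example: turn one row of `parted <disk> unit s print` into the
# seek=/count= values for dd against the whole-disk node. The same number
# is skip= when reading the partition out of the disk node (backup) and
# seek= when writing an image into it (restore).

# dd_geometry START_SECTOR SIZE_SECTORS [BS] [SECTOR_SIZE]
# Prints "seek=N count=M". Fails if the partition start or size is not a
# whole multiple of BS, because dd would then begin or end at the wrong byte.
dd_geometry() {
    start=$1
    size=$2
    bs=${3:-8192}
    ss=${4:-512}
    start_b=$((start * ss))
    size_b=$((size * ss))
    if [ $((start_b % bs)) -ne 0 ] || [ $((size_b % bs)) -ne 0 ]; then
        echo "start or size is not a multiple of bs=$bs" >&2
        return 1
    fi
    echo "seek=$((start_b / bs)) count=$((size_b / bs))"
}

# largest_bs START_SECTOR SIZE_SECTORS [MAX_BS] [SECTOR_SIZE]
# Largest power-of-two block size (up to MAX_BS) that divides both the start
# offset and the size, so that dd_geometry accepts it.
largest_bs() {
    l_max=${3:-1048576}
    l_bs=${4:-512}
    l_start=$(($1 * l_bs))
    l_size=$(($2 * l_bs))
    while [ $((l_bs * 2)) -le "$l_max" ] &&
          [ $((l_start % (l_bs * 2))) -eq 0 ] &&
          [ $((l_size % (l_bs * 2))) -eq 0 ]; do
        l_bs=$((l_bs * 2))
    done
    echo "$l_bs"
}

# parted_row_to_dd "ROW" [BS]
# ROW is "Number Start End Size ..." with sector units (the "s" suffix).
parted_row_to_dd() {
    row=$1
    row_bs=${2:-8192}
    set -- $row
    [ "$#" -ge 4 ] || { echo "not a partition row: $row" >&2; return 2; }
    p_start=${2%s}
    p_end=${3%s}
    p_size=${4%s}
    for v in "$p_start" "$p_end" "$p_size"; do
        case $v in
            ''|*[!0-9]*) echo "row is not in sectors, use 'unit s'" >&2; return 2 ;;
        esac
    done
    # parted's End is inclusive, so Size must equal End - Start + 1.
    if [ $((p_end - p_start + 1)) -ne "$p_size" ]; then
        echo "inconsistent row: $row" >&2
        return 2
    fi
    dd_geometry "$p_start" "$p_size" "$row_bs"
}

# The modemst1 row quoted in the post above.
parted_row_to_dd '23 327680s 330751s 3072s modemst1'
```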
Yes sr, my phone is booting normally...
I'll try in a while and comment here.
Thanks for the tips!
Well, nothing; my phone works as a tablet...
I cannot restore my IMEI, all NV items are 000000, and when the phone is in diag mode I cannot send the SPC.
Which partition contains NV data?
I don't know how I broke it; I only overwrote modem.img with the ATT one.
Do you think that booting with this partition means my phone will only work with the ATT ROM?
Thanks so much for your time and explanation.
The bigger problem is that if I try the ATT ROM, I have no way back.
The modemst1 and modemst2 partitions contain your IMEI and all NV data; these partitions are unique.
If these partitions are damaged or deleted, your IMEI is lost and you can't restore it without a working backup...
Solved my problem sr.
phone is back...

[Kindle Fire HD 7] 3rd Gen (2013) SOHO - Bring it back alive with emmc adapter flash

Hello,
I need some help. At the moment I am connected to the eMMC flash of my SOHO 3rd GEN tablet.
I used the exploitee.rs eMMC adapter.
The problem:
-The tablet does not boot anymore. Stock fw was on it (no idea which fw).
-I tried to bring it back with a fastboot cable, but something burned on the mainboard (if you have a 3rd gen device and a microscope, please help).
What I want to try:
-I want to reflash the bootloader (are there two on this device???) and the recovery with my eMMC adapter to be able to flash the stock fw again. I want to power it manually with 3.7V from a power adapter at the battery connector.
The problem now:
I really don't know how to extract the right img files from the stock bin file. There are several different img files (md5 sum at the beginning):
Code:
f82a8c5518a76b96b95dc0448b772d81 /media/galliumos/MULTIBOOT/Amazon_Kindle_Fire_HD_3rd_gen_SOHO/images/boot.img
Code:
a5224737ba83a65d40e3049ba6d71582 /media/galliumos/MULTIBOOT/Amazon_Kindle_Fire_HD_3rd_gen_SOHO/images/boot-prod.img
Code:
4e6181ea47c7868c2104147dc0b2fce6 /media/galliumos/MULTIBOOT/Amazon_Kindle_Fire_HD_3rd_gen_SOHO/images/u-boot.bin
Code:
38cfffa45008955f2887f7998dbd1c4e /media/galliumos/MULTIBOOT/Amazon_Kindle_Fire_HD_3rd_gen_SOHO/images/u-boot-prod.bin
Code:
aa4b135a185e5486656893f4c7101271 /media/galliumos/MULTIBOOT/Amazon_Kindle_Fire_HD_3rd_gen_SOHO/recovery_images/recovery-eng.img
Code:
5cba5636109eec7c7e5faa35104d65c0 /media/galliumos/MULTIBOOT/Amazon_Kindle_Fire_HD_3rd_gen_SOHO/recovery_images/recovery-prod.img
Code:
Here is recovery from the old system:
7e781998261c22852f6bae53e02335c6 /media/galliumos/MULTIBOOT/Amazon_Kindle_Fire_HD_3rd_gen_SOHO/recovery.img
I really think the bootloader was broken and that was the reason why the device stayed black.
So I would really like to flash with
Code:
sudo dd if=/sdcard/bin-extract-stock/images/the-right.img of=/dev/sda2
the needed partitions, like when I let the device perform an update.
Can you help me get the 100% right image files for the right partitions?
Here is some information about the current partitions:
Code:
Disk /dev/sda: 14.6 GiB, 15634268160 bytes, 30535680 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: F9F21FFF-A8D4-5F0E-9746-594869AEC34E
Device Start End Sectors Size Type
/dev/sda1 256 511 256 128K Microsoft basic data
/dev/sda2 512 1023 512 256K Microsoft basic data
/dev/sda3 1024 1151 128 64K Microsoft basic data
/dev/sda4 1152 1183 32 16K Microsoft basic data
/dev/sda5 1184 1187 4 2K Microsoft basic data
/dev/sda6 2048 34815 32768 16M Microsoft basic data
/dev/sda7 34816 51199 16384 8M Microsoft basic data
/dev/sda8 51200 67583 16384 8M Microsoft basic data
/dev/sda9 67584 2623487 2555904 1.2G Microsoft basic data
/dev/sda10 2623488 4466687 1843200 900M Microsoft basic data
/dev/sda11 4466688 30535679 26068992 12.4G Microsoft basic data
Code:
Command (? for help): ?
b back up GPT data to a file
c change a partition's name
d delete a partition
i show detailed information on a partition
l list known partition types
n add a new partition
o create a new empty GUID partition table (GPT)
p print the partition table
q quit without saving changes
r recovery and transformation options (experts only)
s sort partitions
t change a partition's type code
v verify disk
w write table to disk and exit
x extra functionality (experts only)
? print this menu
Command (? for help): i
Partition number (1-11): 1
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F00-A8D4-5F0E-9746-594869AEC34E
First sector: 256 (at 128.0 KiB)
Last sector: 511 (at 255.5 KiB)
Partition size: 256 sectors (128.0 KiB)
Attribute flags: 0000000000000000
Partition name: 'xloader'
Command (? for help): i
Partition number (1-11): 2
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F01-A8D4-5F0E-9746-594869AEC34E
First sector: 512 (at 256.0 KiB)
Last sector: 1023 (at 511.5 KiB)
Partition size: 512 sectors (256.0 KiB)
Attribute flags: 0000000000000000
Partition name: 'bootloader'
Command (? for help): i
Partition number (1-11): 3
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F02-A8D4-5F0E-9746-594869AEC34E
First sector: 1024 (at 512.0 KiB)
Last sector: 1151 (at 575.5 KiB)
Partition size: 128 sectors (64.0 KiB)
Attribute flags: 0000000000000000
Partition name: 'idme'
Command (? for help): i4
Partition number (1-11): 4
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F03-A8D4-5F0E-9746-594869AEC34E
First sector: 1152 (at 576.0 KiB)
Last sector: 1183 (at 591.5 KiB)
Partition size: 32 sectors (16.0 KiB)
Attribute flags: 0000000000000000
Partition name: 'crypto'
Command (? for help): i
Partition number (1-11): 5
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F04-A8D4-5F0E-9746-594869AEC34E
First sector: 1184 (at 592.0 KiB)
Last sector: 1187 (at 593.5 KiB)
Partition size: 4 sectors (2.0 KiB)
Attribute flags: 0000000000000000
Partition name: 'misc'
Command (? for help): i
Partition number (1-11): 6
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F05-A8D4-5F0E-9746-594869AEC34E
First sector: 2048 (at 1024.0 KiB)
Last sector: 34815 (at 17.0 MiB)
Partition size: 32768 sectors (16.0 MiB)
Attribute flags: 0000000000000000
Partition name: 'efs'
Command (? for help): i
Partition number (1-11): 7
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F06-A8D4-5F0E-9746-594869AEC34E
First sector: 34816 (at 17.0 MiB)
Last sector: 51199 (at 25.0 MiB)
Partition size: 16384 sectors (8.0 MiB)
Attribute flags: 0000000000000000
Partition name: 'recovery'
Command (? for help): i
Partition number (1-11): 8
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F07-A8D4-5F0E-9746-594869AEC34E
First sector: 51200 (at 25.0 MiB)
Last sector: 67583 (at 33.0 MiB)
Partition size: 16384 sectors (8.0 MiB)
Attribute flags: 0000000000000000
Partition name: 'boot'
Command (? for help): i
Partition number (1-11): 9
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F08-A8D4-5F0E-9746-594869AEC34E
First sector: 67584 (at 33.0 MiB)
Last sector: 2623487 (at 1.3 GiB)
Partition size: 2555904 sectors (1.2 GiB)
Attribute flags: 0000000000000000
Partition name: 'system'
Command (? for help): i
Partition number (1-11): 10
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F09-A8D4-5F0E-9746-594869AEC34E
First sector: 2623488 (at 1.3 GiB)
Last sector: 4466687 (at 2.1 GiB)
Partition size: 1843200 sectors (900.0 MiB)
Attribute flags: 0000000000000000
Partition name: 'cache'
Command (? for help): i
Partition number (1-11): 11
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: F9F21F0A-A8D4-5F0E-9746-594869AEC34E
First sector: 4466688 (at 2.1 GiB)
Last sector: 30535679 (at 14.6 GiB)
Partition size: 26068992 sectors (12.4 GiB)
Attribute flags: 0000000000000000
Partition name: 'userdata'
gparted
Greetings by I_did_it_just_tmrrow
overlode said:
> Edit - SUCCESS!!! It seems I may have had one wire touching another so I tidied up the soldering and the eMMC was recognised straight away
> I have successfully accessed the Soho eMMC and can see all partitions as in the attached image!!!
> Now if only I could find the commands to backup the entire eMMC...
overlode said:
> Ok, files uploaded -
> Bootloader - https://drive.google.com/file/d/0BwMwdZJ36fBoVTNRVmNjX2FmZTQ/edit?usp=sharing
> eMMC Dump - https://drive.google.com/file/d/0BwMwdZJ36fBoNTQyUENvbmVGY1E/edit?usp=sharing
> Enjoy
I found this post here.
So now I have a 100% bootloader partition and my recovery partition.
What about the 'xloader' partition name?
And partition 8: "boot". Is that "u-boot.bin" from my source?
Please, I need some answers.
Greetings by Idijt
It's been a while since I got mine revived, so all this is like something new to me! However, I'll provide what little I have.
Do you still own your device? Can you dump your partitions with dd?
Greetings by Idijt
No I don't own it anymore. But mine was an 8gb version, seems like yours is a 15gb version or something like that. I do have photos of my complete partitions.
Sent from my Redmi Note 2 using XDA Free mobile app
---------- Post added at 05:07 AM ---------- Previous post was at 04:48 AM ----------
This is my partition table after successfully uploading to eMMC
Hello, I'm soho everything is normal, but then teardown accidentally short after the motherboard usb boot don't boot, but the computer have a reaction, but did not show for help how to solve the screen is black, from youdao translation
Hope this helps...
I did something similar. I was using a cheap cable so I swapped them out. I got a LG cable and plugged it in, well it borked my tablet. Black Screen, I took cable apart and found a resistor soldered to a pin! Tested it and it was sending odd pulses, whatever it broke mine. Here is a list of what I backed up before testing.
KF3_p1-xloader.img
-rwxrwxrwx 1 root vboxusers 35002 Sep 3 17:35 KF3_p1-xloader.rar
-rwxrwxrwx 1 root vboxusers 262144 Sep 3 17:27 KF3_p2-BootLoader-Orig.img
-rwxrwxrwx 1 root vboxusers 65536 Sep 3 17:35 KF3_p3-idme.img
-rwxrwxrwx 1 root vboxusers 16384 Sep 3 17:35 KF3_p4-crypto.img
-rwxrwxrwx 1 root vboxusers 2048 Sep 3 17:35 KF3_p5-misc.img
-rwxrwxrwx 1 root vboxusers 16777216 Sep 3 17:35 KF3_p6-efs.img
I assume you need to dd an original image to xloader and/or bootloader.
I can only get mine in usb boot mode, which shows as omap4470 windows and Linux as:
Bus 002 Device 005: ID 0451:d012 Texas Instruments, Inc. I suspect I may need to mod & recompile the usbboot source. I think its hardcoded for 4430 or 4460.
*Your Method is even more promising.
I will upload the files if you need them. All except idme & efs, as they contain my serials, etc. I *assume* those 2 files will work as they are stock and should have signatures intact.
Would You Post a Pic of the rs device connected to your Kindle?
I would love to find the serial and JTAG pinouts...?
Did anyone try this and manage to repair this problem?
Can you help me please?
can you help me please
Not an expert, mine is still bricked sitting on shelf.
I would suggest reading from the first post. I don't know a lot about the Kindle. I spent many hours reading the threads to try and fix mine. I would suggest googling for an identification guide, since Kindles are hard to tell apart, to make sure you are in the correct place. The second thing when needing help is to provide a detailed description of your problem. You increase the chances of more than one person helping.
kindle fire soho
unimatrix725 said:
I would suggest reading from first post. I don't know allot about the kindle. I spent many hours reading the threads to try and fix mine. I would suggest googling for an identification guide, since kindles are hard to tell apart. To make sure you are in the correct place. The second thing when needing help is to provide a detailed description of your problem. You increase chances of more than one person helping.
My problem is my Kindle Fire Soho is just read on PC as omap4470 and I don't know how to make the short
and install the driver on Linux. I have Linux but I don't know how it works. I flashed the wrong bootloader file.
Hi, I also have Kindle Fire HD 7 Soho (2013). I was attempting to unlock the bootloader and install TWRP, following this thread:
https://forum.xda-developers.com/ki...ment/unlock-kfsowi-bootloader-unlock-t3262770
I was able to get into fastboot mode, then proceeded to flash boot with the hijack image, but in the next line, where the system partition is flashed with a system image, I mistakenly flashed system image to the boot partition. I then did continue, before I realized my mistake. It doesn't boot anymore, but I believe the card reader emmc access would be able to get me back in business again.
I've read this thread, and the thread for the HD 7 2012 Tate emmc, I don't see anything pointing to the connections for the card reader to the 2013 soho motherboard. If there is something that has been posted, could someone put a link in this thread? I think it will be very helpful for those of us that want to try that method to unbrick our Kindles (2013, 3rd generation). Thank you.
EDIT: After more reading, I came across a thread which shows the points to connect an sd card reader to the motherboard of a Kindle Fire HD 7 Soho (2013, 3rd gen) in order to access the emmc of the kindle, it will show up as a usb drive when the card reader is connected to the usb port.
https://forum.xda-developers.com/showthread.php?t=2674737&page=3
Here is another related link, it shows the connections using the pins of a micro-sdcard adapter, you should read the entire article because it mentions a 50k-ohm pull up resistor that is required between pins 2 & 4. This was used on a Kindle Fire HD 7 Tate (2012)
https://forum.xda-developers.com/kindle-fire-hd/7-inch-help/kindle-fire-hd-7-emmc-access-t2828906
I am waiting on a fastboot cable first, and it should arrive soon. If I can't get into fastboot mode with the new cable, then I will try the card reader method.
@crackitopen any news?
I found a pin description for the SOHO and I got an image.
Currently I still have the broken SOHO-8GB from the first post. But I got a second SOHO-16GB version. I could imagine that the bootloader is the same but I am not sure how to read it and flash it in the right way. Could anybody help with that?
Greetings by Idijt
I_did_it_just_tmrrow said:
@crackitopen any news?
Hi Sorry for the late reply, but yes - I waited for the fastboot cable to arrive, and when it did, I was able to get into fastboot mode, so I had only to reflash those 2 partitions. I was very careful this time around, and I was successful in updating the Soho to CyanogenMod 12 unofficial Soho, Android 5.0.2 as described in that other post that I referenced.
crackitopen said:
Hi Sorry for the late reply, but yes - I waited for the fastboot cable to arrive, and when it did, I was able to get into fastboot mode, so I had only to reflash those 2 partitions. I was very careful this time around, and I was successful in updating the Soho to CyanogenMod 12 unofficial Soho, Android 5.0.2 as described in that other post that I referenced.
Did you have some tips for me?
I own 2 SOHO devices and grabbed the following partitions from the first one:
Code:
=========================================
soho:/ # df
Filesystem 1K-blocks Used Available Use% Mounted on
tmpfs 470440 480 469960 1% /dev
tmpfs 470440 0 470440 0% /mnt
/dev/block/mmcblk0p10 1251544 707172 544372 57% /system
/dev/block/mmcblk0p12 5316696 2888156 2428540 55% /data
/dev/block/mmcblk0p11 907096 15708 891388 2% /cache
/dev/fuse 5316696 2888156 2428540 55% /mnt/runtime/default/emulated
/dev/fuse 5316696 2888156 2428540 55% /mnt/runtime/read/emulated
/dev/fuse 5316696 2888156 2428540 55% /mnt/runtime/write/emulated
=========================================
soho:/ # ls -la /dev/block/platform/omap_hsmmc.1/by-name
total 0
drwxr-xr-x 2 root root 280 2017-10-22 01:35 .
drwxr-xr-x 4 root root 380 2017-10-22 01:35 ..
lrwxrwxrwx 1 root root 20 2017-10-22 01:35 boot -> /dev/block/mmcblk0p8
lrwxrwxrwx 1 root root 20 2017-10-22 01:35 bootloader -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 21 2017-10-22 01:35 cache -> /dev/block/mmcblk0p11
lrwxrwxrwx 1 root root 20 2017-10-22 01:35 crypto -> /dev/block/mmcblk0p4
lrwxrwxrwx 1 root root 20 2017-10-22 01:35 efs -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root 20 2017-10-22 01:35 exploit -> /dev/block/mmcblk0p9
lrwxrwxrwx 1 root root 20 2017-10-22 01:35 idme -> /dev/block/mmcblk0p3
lrwxrwxrwx 1 root root 20 2017-10-22 01:35 misc -> /dev/block/mmcblk0p5
lrwxrwxrwx 1 root root 20 2017-10-22 01:35 recovery -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root 21 2017-10-22 01:35 system -> /dev/block/mmcblk0p10
lrwxrwxrwx 1 root root 20 2017-10-22 01:35 xloader -> /dev/block/mmcblk0p1
The following partition was too big for internal memory:
Code:
lrwxrwxrwx 1 root root 21 2017-10-22 01:35 userdata -> /dev/block/mmcblk0p12
What would I like to do next:
I wanna solder my gtv-Hacker emmc adapter to my SOHO mainboard to fix it. Then I would like to flash "bootloader -> /dev/block/mmcblk0p2" & "recovery -> /dev/block/mmcblk0p7" & "exploit -> /dev/block/mmcblk0p9".
Commands to flash the 3 partitions?
Greetings by Idijt
Jesus christ you fixed it? You are a god to me OP.
Galaxyninja66 said:
Jesus christ you fixed it? You are a god to me OP.
If you mean me, no, I haven't fixed it yet. I was on the right track, but then my noob Linux knowledge or some other reason seems to have destroyed the one mainboard. I had SOHO mainboards, one with a hardware error and one with a software-brick error.
But I think you have another Kindle. I had 2 SOHO boards and you seem to have a TATE:
Code:
>KFHD 7 2012 (tate) - CyanogenMod 13 (Considering an SFOS port)
Greetings by Idijt
I_did_it_just_tmrrow said:
If you mean me, no, I haven't fixed it yet. I was on the right track, but then my noob Linux knowledge or some other reason seems to have destroyed the one mainboard. I had SOHO mainboards, one with a hardware error and one with a software-brick error.
But I think you have another Kindle. I had 2 SOHO boards and you seem to have a TATE:
Code:
>KFHD 7 2012 (tate) - CyanogenMod 13 (Considering an SFOS port)
Greetings by Idijt
I know we have different Kindles, but raising a messed up board from the dead is an accomplishment no less.
On a side note, an SFOS port might not be possible due to the nature of the Kindle Fire bootloader. Each build just goes straight to fastboot, which is unheard of on any other device.
Just wanted to say thank you to @overlode and @unimatrix725. Thanks to you I was able to bring my hard bricked Fire HD 3rd gen (soho) back to the land of living. I've made a mistake of flashing a wrong bootloader.
After a bit of googling I came across a thread on xda where @overlode shared an immensely helpful photo with eMMC pins mapped out - you rock! Using this mapping I was able to solder an usb sdcard reader to the eMMC and access it from gparted. Then I've found this thread where @unimatrix725 shared his original bootloader.img which I then subsequently flashed to my device. Now my Fire HD is happy again - thank you!
Glad you were able to sort it @pfoltyn, I haven't looked at this for a couple of years and have since moved on to other projects but glad it's still helping people

[GUIDE] What should I backup before trying to customize my MERLIN device ? (Redmi 10X 4G / Redmi Note 9)

WARNINGS:
- NEVER flash in "format all" mode! Otherwise, you will LOSE all secure and identifying information for your device, such as the IMEI.
- Keep your backup files safe and secure! If you can, encrypt them.
- Never share your backups, or your security and privacy will be compromised.
- USE AT YOUR OWN RISK. I AM NOT RESPONSIBLE FOR YOUR ACTIONS.
Why back up?
If you back up the partitions listed here, you can recover from mistakes without risking all of your device's identification details,
such as IMEI, WiFi MAC, Bluetooth MAC, calibration data, NVDATA, NVRAM, RADIO/MODEM/BASEBAND and others.
How to back up?
You can back up using TWRP, PBRP, dd, SP Flash Tool or any other way you want.
How to restore?
You can restore using TWRP, PBRP, dd, SP Flash Tool or any other way you want.
I suggest restoring with the same tool you used for the backup.
Partition: frp
Description: This partition stores persistent data for factory reset protection. Like google account and miaccount/micloud.
Size: 1024 KiB (1 MiB)
Block: /dev/block/mmcblk0p5
Start address: 0x5508000
Length: 0x100000

Partition: md_udc
Description: This partition stores master keys for encrypting and decrypting files.
Size: 23144 KiB (22.6 MiB)
Block: /dev/block/mmcblk0p9
Start address: 0x6e08000
Length: 0x169a000

Partition: nvcfg
Description: This partition stores variable configs of NVDATA and NVRAM.
Size: 32768 KiB (32 MiB)
Block: /dev/block/mmcblk0p11
Start address: 0xa4a2000
Length: 0x2000000

Partition: nvdata
Description: This partition stores variable data of secure and identifying information for your device, such as IMEI, WiFi MAC, Bluetooth MAC, calibration data and others.
Size: 65536 KiB (64 MiB)
Block: /dev/block/mmcblk0p12
Start address: 0xc4a2000
Length: 0x4000000

Partition: nvram
Description: This partition stores persistent data of secure and identifying information for your device, such as IMEI, WiFi MAC, Bluetooth MAC, calibration data and others.
Size: 65536 KiB (64 MiB)
Block: /dev/block/mmcblk0p21
Start address: 0x19f00000
Length: 0x4000000

Partition: persist
Description: This partition stores persistent data for factory reset protection. Like google account and miaccount/micloud.
Size: 49152 KiB (48 MiB)
Block: /dev/block/mmcblk0p13
Start address: 0x104a2000
Length: 0x3000000

Partition: proinfo
Description: This partition stores persistent data of default structure for NVRAM/RADIO/MODEM/BASEBAND.
Size: 3072 KiB (3 MiB)
Block: /dev/block/mmcblk0p19
Start address: 0x18200000
Length: 0x300000

Partition: protect1 (or protect_f)
Description: This partition stores variable data of SIM/RADIO/MODEM/BASEBAND settings and information.
Size: 8192 KiB (8 MiB)
Block: /dev/block/mmcblk0p15
Start address: 0x164a2000
Length: 0x800000

Partition: protect2 (or protect_s)
Description: This partition stores variable data of SIM/RADIO/MODEM/BASEBAND settings and information.
Size: 11640 KiB (11.36 MiB)
Block: /dev/block/mmcblk0p16
Start address: 0x16ca2000
Length: 0xb5e000

Partition: seccfg
Description: This partition stores the state of the bootloader. (Locked or Unlocked.)
Note: If you back up this partition with a locked bootloader, it will stay locked after restoring. If you want to back up this partition with an unlocked bootloader, you need to unlock the bootloader first.
Size: 8192 KiB (8 MiB)
Block: /dev/block/mmcblk0p17
Start address: 0x17800000
Length: 0x800000

Do you need help with your MERLIN device ?
Read this FAQ: https://forum.xda-developers.com/t/...for-merlin-redmi-10x-4g-redmi-note-9.4225177/
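
A backup only helps if every image is complete, so this added example (not part of the original guide) checks a backup folder against the partition table listed above: it confirms the listed ranges do not overlap, computes the dd skip/count for carving each partition out of a full-flash dump, and verifies the size, SHA-256 and non-blank content of each image. The `<name>.img` file naming, the 512-byte block size and the all-zero check are assumptions of this example.

```python
import hashlib
import os

SECTOR = 512  # assumed block size for dd's bs= (not stated in the guide)

# (name, block device, start address, length) copied from the guide's list.
PARTITIONS = [
    ("frp",      "/dev/block/mmcblk0p5",  0x5508000,  0x100000),
    ("md_udc",   "/dev/block/mmcblk0p9",  0x6e08000,  0x169a000),
    ("nvcfg",    "/dev/block/mmcblk0p11", 0xa4a2000,  0x2000000),
    ("nvdata",   "/dev/block/mmcblk0p12", 0xc4a2000,  0x4000000),
    ("persist",  "/dev/block/mmcblk0p13", 0x104a2000, 0x3000000),
    ("protect1", "/dev/block/mmcblk0p15", 0x164a2000, 0x800000),
    ("protect2", "/dev/block/mmcblk0p16", 0x16ca2000, 0xb5e000),
    ("seccfg",   "/dev/block/mmcblk0p17", 0x17800000, 0x800000),
    ("proinfo",  "/dev/block/mmcblk0p19", 0x18200000, 0x300000),
    ("nvram",    "/dev/block/mmcblk0p21", 0x19f00000, 0x4000000),
]


def dd_args(start, length, bs=SECTOR):
    """Return (skip, count) for carving one partition out of a full-flash dump."""
    if start % bs or length % bs:
        raise ValueError("start/length not aligned to the block size")
    return start // bs, length // bs


def find_overlaps(table):
    """Return (name, name) pairs whose byte ranges overlap; [] means a sane table."""
    spans = sorted((start, start + length, name) for name, _, start, length in table)
    return [(a[2], b[2]) for a, b in zip(spans, spans[1:]) if b[0] < a[1]]


def hash_image(path, chunk_size=1 << 20):
    """Return (sha256 hex digest, True if every byte of the file is 0x00)."""
    digest, blank = hashlib.sha256(), True
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            digest.update(chunk)
            if blank and chunk.count(0) != len(chunk):
                blank = False
    return digest.hexdigest(), blank


def verify_backup(directory, table=PARTITIONS):
    """Check <name>.img for every partition; return ({name: sha256}, [problems])."""
    digests, problems = {}, []
    for name, _, _, length in table:
        path = os.path.join(directory, name + ".img")  # assumed file naming
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        size = os.path.getsize(path)
        if size != length:  # truncated or padded dumps must not be restored
            problems.append(f"{name}: size {size:#x}, expected {length:#x}")
            continue
        digests[name], blank = hash_image(path)
        if blank:  # heuristic: an all-zero image holds no identity data
            problems.append(f"{name}: image is all zero bytes")
    return digests, problems


if __name__ == "__main__":
    import sys
    print("overlapping ranges:", find_overlaps(PARTITIONS) or "none")
    for name, dev, start, length in PARTITIONS:
        skip, count = dd_args(start, length)
        print(f"{name:9} {dev:22} bs={SECTOR} skip={skip} count={count}")
    if len(sys.argv) > 1:  # optional: path to the backup folder
        sums, issues = verify_backup(sys.argv[1])
        for name, digest in sums.items():
            print(f"{digest}  {name}.img")
        for issue in issues:
            print("PROBLEM:", issue)
```

Keep the printed SHA-256 list next to the (encrypted) backup so the images can be re-checked before any restore.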

Asus Zenfone Max Plus M1 [X018D] bricked - some advice to recover data ?

Hello XDA community !
To be honest I'm a newbie here, and not really experienced on mobile phone technical stuff
My Zenfone suddenly stopped working last week, without any particular reason.
The only thing I can see when I turn on the device is the "Powered by Android" logo. But nothing else happens after.
Then I wanted to start the recovery menu, but even when I select "recovery mode" or "fastboot" nothing happens, it's still showing "Powered by Android" logo and no more
See this screenshot :
I tried to plug the device with USB to my linux laptop with android studio installed, but adb devices show nothing
I also tried to create a microSD card, bootable, with exFAT partition and put the phone firmware on the root of the card (as described https://www.asus.com/supportonly/zenfone max plus (m1)(zb570tl)/helpdesk_download/). Even with it, recovery or fastboot options give the same screen as above
My idea was to be able to boot from sd card and be able to "revive" somehow the phone, and at least being able to download user data from it with the help of adb
I'm not sure if it's possible or if I should prepare the microsd with another format or partition layout
Any idea to guide me ?
Don't think you can recover any user data because the bootloader probably got completely corrupted. Re-flash Stock ROM.
Thanks for your answer.
Sorry also because I made a mistake : I think fastboot mode is active
What I did : In the menu above, I selected "Fastboot mode"
then I got an output : "CSC FASTBOOT mode"
Then I plugged the phone on my laptop USB
The "lsusb" command returned an additional device :
Code:
Bus 001 Device 004: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo / FP1
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0bb4 HTC (High Tech Computer Corp.)
idProduct 0x0c01 Dream / ADP1 / G1 / Magic / Tattoo / FP1
bcdDevice 1.00
iManufacturer 1 MediaTek
iProduct 2 Android
iSerial 3 J1AXJR04D658EJ6
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0020
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 256mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 66
bInterfaceProtocol 3
iInterface 4 fastboot
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 1
Device Status: 0x0001
Self Powered
"adb devices" still returns nothing but "fastboot devices" does :
J1AXJR04D658EJ6 fastboot
"fastboot reboot" does also reboot the phone ...
From there I guess at least I can do something. I don't know if I'll be able to recover some data, but anyway if I can recover my phone that would be fine too.
you can unlock bootloader with mtkclient (do a backup beforehand) and flash TWRP from fastboot, to see if that leads to something.
ok thanks a lot. I'll have a look to mtkclient / TWRP and try to manage !
Will let you know soon.
keep in mind unlocking from fastboot forces factory reset. It will flush keystore in TEE, don't try this even with full backup. TEE can't be backed up.
unlocking from mtkclient afaik does not wipe userdata. but do a backup of userdata + metadata + seccfg (or even better full dump) just in case.
you can try to boot into EDL mode with both vol keys + usb, modified fastboot, DIY deep flash cable or test point method.
[GUIDE][TOOL] Reboot to EDL mode from FASTBOOT! No More "Test Point Method"! [kenzo]
also please note TWRP is maybe not able to decrypt, because encryption keys are bonded to bootloader lock state.
however some people claim it's possible, maybe due the fact that seccfg is patched in way to circumvent this (untested).
if you can't boot into recovery from bootloader, you can boot into file from fastboot (requires bootable slot)
Code:
fastboot boot twrp.img
thanks Alecxs for all the information. I'll take some time to read carefully everything.
In the meantime, I installed successfully mtkclient on my laptop. I didn't know about this tool before
I used first the read partition tool, which went fine for almost all partitions except userdata :-(
it started but stopped after 9 GB (over 52) with the following message
Failed to dump sector 12517376 with sector count 109592543 as MyZenfone-partition dump/userdata.bin
18.0% Read (Sector 0x12D6C80 of 0x6883FDF, 42m:19s left) 18.67 MB/sDAXFlash
DAXFlash - [LIB]: Error on reading data: MMC error (0xc0040030)
looks like game over ...
well.. if this is game over, then you have nothing to lose I guess? so backup all partitions excluding userdata (--skip=userdata) then only try to unlock seccfg (do not erase any partition ignore instructions) then boot into fastboot and check if TWRP can boot
TRY AT OWN RISK YOU MAY CORRUPT USERDATA ENCRYPTION OR ERASE USERDATA​
Code:
python3 mtk da seccfg unlock
python3 mtk payload --metamode FASTBOOT
fastboot boot path/to/twrp.img
might be possible to dump userdata excluding unreadable sectors. but you need to read the instructions. nevertheless the dump (even if healthy) is impossible to decrypt on PC, can only be decrypted on the origin phone itself...
thanks alecxs, I think I'll try to boot into twrp
My concern is to find a suitable twrp for my device. There is no official port for Asus X018D
I tried to find it by googling and found this on "unofficial twrp" site
twrp 3.2.3 For Mediatek MT6750 Phone
which could be ok for mine maybe, except that it's for android 8 and 8.1, while I was still on Nougat 7
I don't know if trying this could work or not ?
you need TWRP for the Plus variant. can you share boot.img + recovery.img read off device?
yes I can share the dumped partitions from mtkclient (the extension is .bin)
boot.bin (drive.google.com)
recovery.bin (drive.google.com)
okay let me try to port generic TWRP. you can meanwhile try that Oreo+recovery+tested.img (login required)
edit: X018D_TWRP.img for android 9 (no login required)
So I tried to unlock bootloader from mtkclient, which resulted in :
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Done |--------------------------------------------------| 0.0% Write (Sector 0x0 of 0x1) 0.00 MB/sDAXFlash
DAXFlash - [LIB]: Error on writeflash: MMC error (0xc0040030)
and then after (maybe I shouldn't have ...)
python3 mtk payload --metamode FASTBOOT
I think I did something wrong, because now I cannot list GPT
python mtk printgpt
gives
Code:
Port - Device detected :)
Preloader - CPU: MT6755/MT6750/M/T/S(Helio P10/P15/P18)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212c00
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x326
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x1
Preloader - ME_ID: 10A8E97D4708BDEB74D8D7B3C7E0EBFA
PLTools - Loading payload from mt6755_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/laurent/Applications/DevOps/Android/mtkclient/mtkclient/payloads/mt6755_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2136.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash
DAXFlash - [LIB]: xread error: unpack requires a buffer of 12 bytes
DAXFlash
DAXFlash - [LIB]: Error jumping to DA: -1
actually, the second command was just to exit preloader mode and switch into fastboot... sorry for the confusion. I have also attached the android 7 version of twrp for testing.. (see above)
If I got this right, unlocking was trying to write Sector 0x0 of 0x1 but it denies writing anything because eMMC is not writeable at 0xc0040030. But isn't that in userdata area?
however, on android 7 for some mediatek devices it's possible to boot into TWRP on locked bootloader. but needs flashing. you can try another flash tool, but it requires windows
edit:
@arthur.levene I got it wrong, seems there is also linux version. Anyway, please read golden rules for SP Flash Tool.
I recommend to create your own scatter file based on the current partition table, either with mtkclient or with WwR MTK v2.51 (most likely you can use the one that already comes with that twrp as the recovery start address is at 0x8000 on many devices, but I personally generally don't trust any scatter file just random downloaded).
lol thought 0xc0040030 was the address of the unreadable sector. turns out it is a fault code. so that could mean eMMC error (most likely) or insufficient permissions.
So any flashing attempts will probably fail no matter what tool used. maybe there is a cheat with heating gun or refrigerator (just guesswork, beware of condensating water)
thanks again alecxs for your time and advice.
I will continue my investigations based on your information. If I understand your comment about eMMC error, this is not good news.
I will try also the flashing solution in case it could work, though not very skilled on that part too
actually I have never used mtkclient myself but according to documentation flashing looks quite easy.
Code:
python3 mtk w recovery twrp.img
However, as you stated in OP you can't enter recovery mode from bootloader menu, so this could be bigger challenge.
I tried but currently I have an error
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - DA Extensions successfully added
Done |--------------------------------------------------| 0.0% Write (Sector 0x0Progress: |███████-------------------------------------------| 14.0% Write (SectProgress: |██████████████------------------------------------| 28.0% Write (Sector 0x2000 of 0x7254, 01s left) 6.74 MB/s
DAXFlash
DAXFlash - [LIB]: unpack requires a buffer of 12 bytes
quick search gives a hint it might be a driver issue. but you're on linux right? you could try again with libusb-1.0-0-dev_1.0.26-1_amd64.deb
https://github.com/bkerler/mtkclient/issues/192
