[nvflash] A very powerfull tool

Search This thread

suntechnic

Member
Jan 17, 2011
16
31
Moscow
Here I will post some information regarding using nvlash tool with ThinkPad Tablet.

NVflash tool is a tool for tegra devices which allows different low level operations such as:
1. reading device partition table
2. partitioning device memory
3. reading a device partition
4. writing a device partition

1 and 3 are usefull for backing up device partitions

2 and 4 are usefull for restoring everything back

After backing up a partition you can split the image to a lot of usefull components and information using your PC. You can even edit or add some files to a partition image, i.e. this tool could help you to root your device at any time you want.

Everything here is just for educational puproses. I'm not resposible for any damage which may occur to your device. Use it at your own risk.

Here's small tutorial. Put attached file 04.EBT.img on your hard disk (/space/android/_tpt/device in my case).

Booting to bootloader

1. Turn off your device and disconnect it from PC
2. Hold Rotation button and press Power button for approx 2 seconds
3. Start nvflash:
Code:
$ nvflash -w --bl /space/android/_tpt/device/04.EBT.img --go
4. Connect device via USB. After that you should able to see the following:
Code:
Nvflash started
rcm version 0X20001
System Information:
   chip name: t20
   chip id: 0x20 major: 1 minor: 4
   chip sku: 0x8
   chip uid: 0x043c6246433f44d7
   macrovision: disabled
   hdcp: enabled
   sbk burned: false
   dk burned: false
   boot device: emmc
   operating mode: 3
   device config strap: 0
   device config fuse: 0
   sdram config strap: 2

downloading bootloader -- load address: 0x108000 entry point: 0x108000
sending file: /space/android/_tpt/device/04.EBT.img
/ 6291456/6291456 bytes sent
/space/android/_tpt/device/04.EBT.img sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully

5. The device screen should display "Entering NvFlash recovery mode / Nv3p Server" message at the top with Lenovo logo at the backroung.

If everything worked fine you have started a bootloader for futher low level communication with your tablet.

Getting partition table information

1. Boot your device with a bootloader as described above.
2. Run the following command
Code:
$ nvflash -r --getpartitiontable ptable.txt
3. The following output will be displayed on PC console:
Code:
Nvflash started
[resume mode]
Succesfully updated partition table information to ptable.txt
4. This means you have successfully downloaded partition table information to ptable.txt file. You can view it. Here's some useful information from it:
Code:
....
PartitionId=4
Name=EBT
DeviceId=18
StartSector=1536
NumSectors=1536
BytesPerSector=4096   
....
PartitionId=6
Name=SOS
DeviceId=18
StartSector=3584
NumSectors=1536
BytesPerSector=4096   

PartitionId=7
Name=LNX
DeviceId=18
StartSector=5120
NumSectors=2048
BytesPerSector=4096   

PartitionId=8
Name=APP
DeviceId=18
StartSector=7168
NumSectors=196608
BytesPerSector=4096   
....
PartitionId=15
Name=UDA
DeviceId=18
StartSector=611840
NumSectors=7202816
BytesPerSector=4096

Here I'll try to give some more information:
PartitionId=4 -- is a number of partition
Name=EBT -- is a name of partition. This partition holds a bootloader image. The same you used to boot your device!
StartSector, NumSectors, BytesPerSector -- these parameters determine a location and size of partition in the internal device memory.

Partition 6 is a recovery partition which holds recovery image (kernel + ramdisk). You can use split_bootimg.pl to split it.

Partition 7 is a bootable partition which holds bootable image (kernel + ramdisk). You can use split_bootimg.pl to split it.

Partition 8 is an ext4 image of /system partition. You can mount it using mount linux utility.

Partition 15 is an ext4 image of /data partition. You can also mount it using mount linux utility.

Reading partition images from device

This method can be used to backup your device. I will show you how to backup a recovery partition (6) but you can do it with any partition you want.

1. Boot your device with a bootloader as described above.
2. Read partition number 6 to file 06.SOS.img with the following command
Code:
$ nvflash -r --read 6 06.SOS.img
3. The following output will indicate a successfull read
Code:
Nvflash started
[resume mode]
receiving file: 06.SOS.img, expected size: 6291456 bytes
/ 6291456/6291456 bytes received
file received successfully

Using split_bootimg.pl you can split you to kernel and ramdisk image:
Code:
$ split_bootimg.pl 06.SOS.img 
Page size: 2048 (0x00000800)
Kernel size: 3659716 (0x0037d7c4)
Ramdisk size: 1496705 (0x0016d681)
Second size: 0 (0x00000000)
Board name: 
Command line: 
Writing 06.SOS.img-kernel ... complete.
Writing 06.SOS.img-ramdisk.gz ... complete.
Now you can get ramdisk contents:
Code:
$ mkdir ramdisk
$ cd ramdisk
ramdisk$ gzip -dc ../06.SOS.img-ramdisk.gz | cpio -im
4405 blocks
ramdisk$ ls
data          dev  init     proc  sbin  system  ueventd.goldfish.rc
default.prop  etc  init.rc  res   sys   tmp     ueventd.rc

Writing an image to device partition

Be very carefull! This operation can brick you device. If you are unsure of result you'd better don't use it :)

1. Boot your device with a bootloader as described above.
2. Write file recovery.img to partition number 6 (recovery) with the following command:
Code:
$ nvflash -r --download 6 recovery.img
3. Here's a sample output of successfull operation:
Code:
Nvflash started
[resume mode]
sending file: recovery.img
/ 6291456/6291456 bytes sent
recovery.img sent successfully
4. You will also note a large message PASS on your device screen following with the message "Success to update the system, please reboot your system to leave the recovery mode"
5. Now you can easily reboot your system and test your new recovery.


Conclusion

You can use nvflash for deep exploration of your device software, backing up software before any critical updates, flash modified software.


Thank you

P.S. Sorry for any mistakes as English is not my native language.
 

Attachments

  • 04.EBT.img
    6 MB · Views: 3,741

darkhandsome18

Senior Member
Nov 20, 2011
219
61
I thought the bootloader was locked and we can't access nvflash without the proper keys. Has the ics bootloader been unlocked or are the keys not needed? Sorry I'm a bit confused here
 

horsse

Member
May 12, 2008
8
2
It's very interesting. Thank you.
Does this mean that we can make a backup of partitions, and do not need more in CWR?
 

suntechnic

Member
Jan 17, 2011
16
31
Moscow
It's very interesting. Thank you.
Does this mean that we can make a backup of partitions, and do not need more in CWR?

We need CWR for different other actions, i.e. for applying unsigned patches in case we had modified our system and normal update fails with consistency check error.

Sent from my ThinkPad Tablet using XDA Premium HD app
 

Exe557

Senior Member
Jul 25, 2008
56
25
Not working for me:

Nvflash started
rcm version 0X4
Command send failed (usb write failed)

Edit:

Maybe you are lucky and have one of the first relased TPT. I heard they have open bootloader but it was closed in later produced ones.
 
Last edited:

jaba_cz

Senior Member
Jan 2, 2008
119
23
Prague
In my case it does not work. Holding rotation (or any other hardbutton) prevents TPT from powering on.
 

ker2gsr

Senior Member
Oct 13, 2010
256
43
In my case it does not work. Holding rotation (or any other hardbutton) prevents TPT from powering on.

I need more help with this in order to try I believe my will work if I only knew how I don't know where to put that .IMG file were I have adb setup?

Sent from my Galaxy Nexus using Tapatalk 2
 

suntechnic

Member
Jan 17, 2011
16
31
Moscow
Not working for me:

Nvflash started
rcm version 0X4
Command send failed (usb write failed)

Please verify that you have write permissions for usb device:
Code:
$ cat /etc/udev/rules.d/95-nvflash.rules 
SUBSYSTEM=="usb", ATTR{idVendor}=="0955", ATTR{idProduct}=="7820", MODE="0660", OWNER="suntechnic"

You can adjust idVendor and idProduct corresponding values you see with lsusb command, i.e.:
Code:
$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 005 Device 002: ID 0a5c:2110 Broadcom Corp. Bluetooth Controller
Bus 005 Device 003: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
Bus 001 Device 045: ID 0955:7820 NVidia Corp.
 

osse

Member
Mar 18, 2006
5
1
44
Aalborg
Is it possible to fix my unit through Nvflash?

Hi,

Just wondering if it would be possible to fix my unit from nvflash. ?

I by mistake applied the wrong cwm file to my device, and now it's stuck at "Booting recovery kernel image"

Regards
Anders
 

zeb crs

Senior Member
Jun 2, 2008
135
11
I only get error 04 as well.
I have European model 1838.
Mine got bricked trying to install ics. Now it is just in a boot loop and won't even go into recovery.
If this doesn't work I guess I'll have to send it in for service.
 

Exe557

Senior Member
Jul 25, 2008
56
25
AFAIK rcm version 0X4 means the bootloader is locked. Just google for it.
Without SBK which is not leaked for TPT yet we have no chance to use it!
 

Lens_flare

Senior Member
Mar 2, 2010
1,456
2,450
Tomsk
Damn, guy where you were when my tablet was just a big 10' brick? :D
You are perfectly know what a service quality is in Russia ;[

alright sorry, I shouldn't.. great finding even too late, maybe we'll have an unlock key for it, call me when its done, I don't want to brick my tablet anymore.. but do want to be a part of a custom rom development.
 

obscure.detour

Senior Member
Apr 20, 2010
270
30
I ended up using this simple guide from modaco, here.

For the people that "can't" get into APX mode, the screen at least mine gave NO indication that it was in APX mode. After trying a few times I flipped the tablet over and noticed the red LED was on. I then proceeded to connect it to my PC and install the drivers and follow the guide.

Unfortunately, I believe my bootloader is also locked because I typed nvflash --sync and received the output:

Nvflash started
rcm version 0X4
Command send failed (usb write failed)


Now, granted this is within windows. I haven't tried it on my Linux machine yet. So who knows what the actual issue is, but I am fairly certain the bootloader is locked. It also took me a few minutes to get my device out of APX-mode and boot normally again (or maybe my power button is on the verge of DEATH). :(

Edit: I have a US TPT 16GB (WiFi only) 183822U, that I bought practically a year ago.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 10
    Here I will post some information regarding using nvlash tool with ThinkPad Tablet.

    NVflash tool is a tool for tegra devices which allows different low level operations such as:
    1. reading device partition table
    2. partitioning device memory
    3. reading a device partition
    4. writing a device partition

    1 and 3 are usefull for backing up device partitions

    2 and 4 are usefull for restoring everything back

    After backing up a partition you can split the image to a lot of usefull components and information using your PC. You can even edit or add some files to a partition image, i.e. this tool could help you to root your device at any time you want.

    Everything here is just for educational puproses. I'm not resposible for any damage which may occur to your device. Use it at your own risk.

    Here's small tutorial. Put attached file 04.EBT.img on your hard disk (/space/android/_tpt/device in my case).

    Booting to bootloader

    1. Turn off your device and disconnect it from PC
    2. Hold Rotation button and press Power button for approx 2 seconds
    3. Start nvflash:
    Code:
    $ nvflash -w --bl /space/android/_tpt/device/04.EBT.img --go
    4. Connect device via USB. After that you should able to see the following:
    Code:
    Nvflash started
    rcm version 0X20001
    System Information:
       chip name: t20
       chip id: 0x20 major: 1 minor: 4
       chip sku: 0x8
       chip uid: 0x043c6246433f44d7
       macrovision: disabled
       hdcp: enabled
       sbk burned: false
       dk burned: false
       boot device: emmc
       operating mode: 3
       device config strap: 0
       device config fuse: 0
       sdram config strap: 2
    
    downloading bootloader -- load address: 0x108000 entry point: 0x108000
    sending file: /space/android/_tpt/device/04.EBT.img
    / 6291456/6291456 bytes sent
    /space/android/_tpt/device/04.EBT.img sent successfully
    waiting for bootloader to initialize
    bootloader downloaded successfully

    5. The device screen should display "Entering NvFlash recovery mode / Nv3p Server" message at the top with Lenovo logo at the backroung.

    If everything worked fine you have started a bootloader for futher low level communication with your tablet.

    Getting partition table information

    1. Boot your device with a bootloader as described above.
    2. Run the following command
    Code:
    $ nvflash -r --getpartitiontable ptable.txt
    3. The following output will be displayed on PC console:
    Code:
    Nvflash started
    [resume mode]
    Succesfully updated partition table information to ptable.txt
    4. This means you have successfully downloaded partition table information to ptable.txt file. You can view it. Here's some useful information from it:
    Code:
    ....
    PartitionId=4
    Name=EBT
    DeviceId=18
    StartSector=1536
    NumSectors=1536
    BytesPerSector=4096   
    ....
    PartitionId=6
    Name=SOS
    DeviceId=18
    StartSector=3584
    NumSectors=1536
    BytesPerSector=4096   
    
    PartitionId=7
    Name=LNX
    DeviceId=18
    StartSector=5120
    NumSectors=2048
    BytesPerSector=4096   
    
    PartitionId=8
    Name=APP
    DeviceId=18
    StartSector=7168
    NumSectors=196608
    BytesPerSector=4096   
    ....
    PartitionId=15
    Name=UDA
    DeviceId=18
    StartSector=611840
    NumSectors=7202816
    BytesPerSector=4096

    Here I'll try to give some more information:
    PartitionId=4 -- is a number of partition
    Name=EBT -- is a name of partition. This partition holds a bootloader image. The same you used to boot your device!
    StartSector, NumSectors, BytesPerSector -- these parameters determine a location and size of partition in the internal device memory.

    Partition 6 is a recovery partition which holds recovery image (kernel + ramdisk). You can use split_bootimg.pl to split it.

    Partition 7 is a bootable partition which holds bootable image (kernel + ramdisk). You can use split_bootimg.pl to split it.

    Partition 8 is an ext4 image of /system partition. You can mount it using mount linux utility.

    Partition 15 is an ext4 image of /data partition. You can also mount it using mount linux utility.

    Reading partition images from device

    This method can be used to backup your device. I will show you how to backup a recovery partition (6) but you can do it with any partition you want.

    1. Boot your device with a bootloader as described above.
    2. Read partition number 6 to file 06.SOS.img with the following command
    Code:
    $ nvflash -r --read 6 06.SOS.img
    3. The following output will indicate a successfull read
    Code:
    Nvflash started
    [resume mode]
    receiving file: 06.SOS.img, expected size: 6291456 bytes
    / 6291456/6291456 bytes received
    file received successfully

    Using split_bootimg.pl you can split you to kernel and ramdisk image:
    Code:
    $ split_bootimg.pl 06.SOS.img 
    Page size: 2048 (0x00000800)
    Kernel size: 3659716 (0x0037d7c4)
    Ramdisk size: 1496705 (0x0016d681)
    Second size: 0 (0x00000000)
    Board name: 
    Command line: 
    Writing 06.SOS.img-kernel ... complete.
    Writing 06.SOS.img-ramdisk.gz ... complete.
    Now you can get ramdisk contents:
    Code:
    $ mkdir ramdisk
    $ cd ramdisk
    ramdisk$ gzip -dc ../06.SOS.img-ramdisk.gz | cpio -im
    4405 blocks
    ramdisk$ ls
    data          dev  init     proc  sbin  system  ueventd.goldfish.rc
    default.prop  etc  init.rc  res   sys   tmp     ueventd.rc

    Writing an image to device partition

    Be very carefull! This operation can brick you device. If you are unsure of result you'd better don't use it :)

    1. Boot your device with a bootloader as described above.
    2. Write file recovery.img to partition number 6 (recovery) with the following command:
    Code:
    $ nvflash -r --download 6 recovery.img
    3. Here's a sample output of successfull operation:
    Code:
    Nvflash started
    [resume mode]
    sending file: recovery.img
    / 6291456/6291456 bytes sent
    recovery.img sent successfully
    4. You will also note a large message PASS on your device screen following with the message "Success to update the system, please reboot your system to leave the recovery mode"
    5. Now you can easily reboot your system and test your new recovery.


    Conclusion

    You can use nvflash for deep exploration of your device software, backing up software before any critical updates, flash modified software.


    Thank you

    P.S. Sorry for any mistakes as English is not my native language.
    1
    My anecdotal evidence seems to support this. I have a 32 GB ROW and nvflash --sync comes back with

    Code:
    Nvflash started
    rcm version 0X20001
    System Information:
       chip name: t20
       chip id: 0x20 major: 1 minor: 4
       chip sku: 0x8
       chip uid: 0x0a8051884080a117
       macrovision: disabled
       hdcp: enabled
       sbk burned: false
       dk burned: false
       boot device: emmc
       operating mode: 3
       device config strap: 0
       device config fuse: 0
       sdram config strap: 1

    Does this imply that my tablet is bootloader unlocked?

    I'm not an expert with nvflash, but it would appear so!
    1
    few questions about NVFlash.

    For one, how dangerous is it? I know that it can easily brick devices, but is it possible to screw your device up so bad that you lose APX mode?

    Two, will this allow me to backup my partitions, flash OTA3.5 to try it out, and come back to OTA2 later?
    1
    few questions about NVFlash.

    For one, how dangerous is it? I know that it can easily brick devices, but is it possible to screw your device up so bad that you lose APX mode?

    Two, will this allow me to backup my partitions, flash OTA3.5 to try it out, and come back to OTA2 later?

    My understanding based on my research and understanding of a similar feature in Samsung devices (called ODIN Download Mode) is that it is literally impossible to ruin APX since it is stored on read-only memory inside your device. You can however "soft brick" your tablet if you were you modify the partitions of the device in a manner which kept it from booting. However, APX mode lets you undo mistakes like this.

    The first thing I'd do if I got APX mode was backup all the partitions of my device (and start experimenting with JB roms.)
    1
    Hi.

    It is the first page of this thread.

    Regards