
How To Guide Full ROM dump of T-Mobile variant & guide on gaining root access without magisk


towardsdawn

Member
Sep 26, 2021
19
11
Wow, I thought 11.0.1.5 is the latest for T-Mobile. Why am I not getting any update notification? It keeps saying I have the latest one. :\

Edit: I'm bootloader unlocked and rooted.
I'm pretty sure they stagger the updates so not everyone gets them at the same time. You should be on 11.0.1.6 though; that shows up as available on their website. I am also unlocked and rooted. If you're rooted you will get the update notification, but then it will say installation update failed when you try to update.
 

lentm

Senior Member
Dec 3, 2008
444
93
I'm pretty sure they stagger the updates so not everyone gets them at the same time. You should be on 11.0.1.6 though; that shows up as available on their website. I am also unlocked and rooted. If you're rooted you will get the update notification, but then it will say installation update failed when you try to update.
I don't know why. It's weird. I just don't get any OTA update notification since I bootloader unlocked and rooted my N200.
If OTA updates fail anyway after unlocking and rooting, I will just stay where I am.
 

edale1

Senior Member
Sep 5, 2016
106
54
You can still receive and install updates with the bootloader unlocked. The problem has to be in the rooting.
 

towardsdawn

Member
Sep 26, 2021
19
11
Thank you, I was able to take OTA, 11.0.1.8 with this boot.img
How did you extract this img by the way?

I did the steps in the guide I wrote here and I also installed the OTA after factory resetting. If you want stock boot.img for the current installed version you can skip the factory reset step.

However, as long as there wasn't a major Android version update (which changes boot.img drastically), there is a much easier way.

The boot.img is probably similar enough between OTAs that you can
  1. uninstall Magisk if it is installed, get OTA
  2. fastboot getvar all to get active partition
  3. boot a Magisk patched boot.img from a previous system version by
    Code:
    fastboot boot patched_old_boot.img
    to get root. Make sure to avoid doing fastboot flash, because that would get rid of the new boot.img and replace it with the old boot.img.
  4. do the final dd step in the above guide.
 
  • Like
Reactions: lentm

lentm

Senior Member
Dec 3, 2008
444
93
I did the steps in the guide I wrote here and I also installed the OTA after factory resetting. If you want stock boot.img for the current installed version you can skip the factory reset step.

However, as long as there wasn't a major Android version update (which changes boot.img drastically), there is a much easier way.

The boot.img is probably similar enough between OTAs that you can
  1. uninstall Magisk if it is installed, get OTA
  2. fastboot getvar all to get active partition
  3. boot a Magisk patched boot.img from a previous system version by
    Code:
    fastboot boot patched_old_boot.img
    to get root. Make sure to avoid doing fastboot flash, because that would get rid of the new boot.img and replace it with the old boot.img.
  4. do the final dd step in the above guide.

Oh..right...I should've booted a patched img file before I flash. arrghhh.
Can you share a stock 11.0.1.8 boot.img file when you have a chance?
I appreciate it!
 
  • Like
Reactions: Travisholt92

towardsdawn

Member
Sep 26, 2021
19
11
Oh..right...I should've booted a patched img file before I flash. arrghhh.
Can you share a stock 11.0.1.8 boot.img file when you have a chance?
I appreciate it!
Here you go (I've also included factory stock boot.img and factory patched boot.img). I figured out an even better method which is:
  1. Uninstall Magisk, Restore images
  2. Get OTA. Make sure "Automatic system updates" is turned off under Developer Options, this way the device won't automatically reboot after the OTA
  3. Before rebooting, adb su and then dd the new boot.img
  4. Continue system update and reboot the phone
  5. Install Magisk by patching the new boot.img
I would suggest avoiding using Magisk's "install to inactive slot after OTA" because that bricked my phone for whatever reason and I had to factory reset.
 

lentm

Senior Member
Dec 3, 2008
444
93
Here you go (I've also included factory stock boot.img and factory patched boot.img). I figured out an even better method which is:
  1. Uninstall Magisk, Restore images
  2. Get OTA. Make sure "Automatic system updates" is turned off under Developer Options, this way the device won't automatically reboot after the OTA
  3. Before rebooting, adb su and then dd the new boot.img
  4. Continue system update and reboot the phone
  5. Install Magisk by patching the new boot.img
I would suggest avoiding using Magisk's "install to inactive slot after OTA" because that bricked my phone for whatever reason and I had to factory reset.
I really appreciate it!!
As for the better method, Step 1 never worked for me.
It would say there's no image backed up... and the complete uninstall option will not revert to the "real" original boot image; it just removes Magisk (OTA will show an error, SafetyNet check will fail).
 

towardsdawn

Member
Sep 26, 2021
19
11
I really appreciate it!!
As for the better method, Step 1 never worked for me.
It would say there's no image backed up... and the complete uninstall option will not revert to the "real" original boot image; it just removes Magisk (OTA will show an error, SafetyNet check will fail).
I think you said above that you did fastboot flash the Magisk-patched img. Using fastboot flash, no backup is created. Using Magisk direct install, Magisk will create a backup of the stock image. If that is the case you can do the following:
  1. If you don't have a copy of Magisk patched 11.0.1.8 boot.img, use Magisk app to patch the stock 11.0.1.8 img and adb pull to your computer
  2. fastboot flash the stock 11.0.1.8 img
  3. fastboot boot the patched img
  4. Open Magisk app, Direct Install magisk to force Magisk to create a backup, and reboot
That way in the future you can do Magisk uninstall restore image and it will work.
 
  • Like
Reactions: lentm

lentm

Senior Member
Dec 3, 2008
444
93
I think you said above that you did fastboot flash the Magisk-patched img. Using fastboot flash, no backup is created. Using Magisk direct install, Magisk will create a backup of the stock image. If that is the case you can do the following:
  1. If you don't have a copy of Magisk patched 11.0.1.8 boot.img, use Magisk app to patch the stock 11.0.1.8 img and adb pull to your computer
  2. fastboot flash the stock 11.0.1.8 img
  3. fastboot boot the patched img
  4. Open Magisk app, Direct Install magisk to force Magisk to create a backup, and reboot
That way in the future you can do Magisk uninstall restore image and it will work.

Seems to be working correctly! I really appreciate it!
 
  • Like
Reactions: towardsdawn

EnumC

Senior Member
Dec 22, 2014
125
71
I did the following to try to replicate what EnumC did and I got the same stock boot.img but in partition A instead of partition B:

Used MSMDownloadTool to reset to factory image

Unlocked bootloader with one line adb command

Download phhusson's GSI as EnumC mentioned

Installed msys2 with mingw64 tool chain, base devel, and mingw64 gettext, add an include statement and include asprintf in order to build simg2img on Windows (I've attached my build for 64 bit Win 10 here)

Unzip GSI.xz and then unsparse it using simg2img

Follow instructions here to install GSI. The $(du) is to calculate disk usage of the system_raw.img on your PC

adb reboot fastboot, fastboot getvar all to get active partition (factory image should be a)

You can now adb shell, su, and then dd to extract /dev/block/bootdevice/by-name/boot_a
This was exactly what I did, except I used WSL instead! Thank you so much for writing it out in more depth. I was going to write a dump script & more in-depth instructions last summer, but T-Mobile threw me a bone with their new promos and I got myself an S21 instead. Hurray, no root for me!

If you haven't already, I'll post the script for dumping the partitions from any device that has BL unlock but no stock firmware yet using that GSI method.
 

Duanpao

Member
Apr 13, 2020
19
1
This was exactly what I did, except I used WSL instead! Thank you so much for writing it out in more depth. I was going to write a dump script & more in-depth instructions last summer, but T-Mobile threw me a bone with their new promos and I got myself an S21 instead. Hurray, no root for me!

If you haven't already, I'll post the script for dumping the partitions from any device that has BL unlock but no stock firmware yet using that GSI method.
Any update on that dump script?
 

cass89

Member
Jan 17, 2013
34
4
Can't get dsu to install.. following

"Step 4: launch dsu using adb" gives me error "cut not recognized as internal/external command"..
I'm using windows but afaik that command runs inside adb shell, so it's executed on the phone.. "cut" command works inside terminal emulator on the phone so I'm not sure how to fix this..
Anyone else have this problem? I searched around but can't find anything
 

towardsdawn

Member
Sep 26, 2021
19
11
Can't get dsu to install.. following

"Step 4: launch dsu using adb" gives me error "cut not recognized as internal/external command"..
I'm using windows but afaik that command runs inside adb shell, so it's executed on the phone.. "cut" command works inside terminal emulator on the phone so I'm not sure how to fix this..
Anyone else have this problem? I searched around but can't find anything
The $(du... |cut) tells your system shell to launch another shell to run the command, then use the return value of the command as a value to be passed as a parameter to the start-activity command. The start-activity command receives that parameter and then runs inside the android adb shell.

On PC unless you have installed msys2 or something similar and have cut in your $PATH, your system shell won't have the cut command available. This is no issue because the purpose of the command is to get the file size of the system_raw.img in bytes. You can do that manually on PC (right click, properties) and enter in the number in place of that command.

This is one of the cases where the documentation assumes everyone reading it runs Linux :)
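
The reply above, as an added example that is not part of the original posts: the image size is resolved on the PC in any POSIX shell (WSL, msys2), and the printed command carries a literal number, so nothing is left for another shell to expand. The intent arguments follow the Android DSU documentation linked in this thread; the image name and the on-device path are assumptions.

```sh
#!/bin/sh
# Added example. IMG and DEVICE_URI are assumptions; adjust to your files.
IMG=${IMG:-system_raw.img}
DEVICE_URI=${DEVICE_URI:-file:///storage/emulated/0/Download/system_raw.gz}

# img_size_bytes FILE: byte size of the raw image, using only wc so that
# neither `du -b` nor `cut` has to exist on the PC.
img_size_bytes() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    wc -c < "$1" | tr -d '[:space:]'
}

# dsu_install_cmd FILE: print the adb command with the size already filled in.
# The printed line contains no $(...) substitution, so it can also be pasted
# into cmd.exe or PowerShell, which do not provide cut.
dsu_install_cmd() {
    size=$(img_size_bytes "$1") || return 1
    # Refuse an empty, non-numeric or zero size instead of passing it on.
    case "$size" in ''|*[!0-9]*|0) echo "bad size for $1" >&2; return 1 ;; esac
    printf '%s\n' "adb shell am start-activity -n com.android.dynsystem/com.android.dynsystem.VerificationActivity -a android.os.image.action.START_INSTALL -d $DEVICE_URI --el KEY_SYSTEM_SIZE $size --el KEY_USERDATA_SIZE 8589934592"
}

# Print the command only when the image is present next to the script.
if [ -f "$IMG" ]; then dsu_install_cmd "$IMG"; fi
```
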
 

Top Liked Posts

  • 1
    Here you go (I've also included factory stock boot.img and factory patched boot.img).

    Thank you so much for sharing your patched boot.img.
  • 8
    Hi everyone! I lost my OP8 daily driver the other day and decided to pick up a N200 as a stopgap measure. Thanks to Android 11, I'm able to dump all partitions from the DE2118 model of this device.

    AFH: https://www.androidfilehost.com/?fid=7161016148664787728

    Here's the partition map:

    Code:
    phhgsi_arm64_ab:/dev/block/by-name # ls -la
    total 0
    drwxr-xr-x 2 root root 2080 1970-01-12 18:02 .
    drwxr-xr-x 6 root root 3080 1970-01-12 18:02 ..
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 ALIGN_TO_128K_1 -> /dev/block/sdd1
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 ALIGN_TO_128K_2 -> /dev/block/sdf1
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 abl_a -> /dev/block/sde6
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 abl_b -> /dev/block/sde26
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 abl_log -> /dev/block/sde53
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 android_log -> /dev/block/sde55
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 apdp -> /dev/block/sde40
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 bluetooth_a -> /dev/block/sde5
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 bluetooth_b -> /dev/block/sde25
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 boot_a -> /dev/block/sde9
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 boot_b -> /dev/block/sde29
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 carrier -> /dev/block/sda8
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 catecontentfv -> /dev/block/sde50
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 catefv -> /dev/block/sde49
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 cateloader -> /dev/block/sde42
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 cdt -> /dev/block/sdd2
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 core_nhlos_a -> /dev/block/sde15
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 core_nhlos_b -> /dev/block/sde36
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 ddr -> /dev/block/sdd3
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 devcfg_a -> /dev/block/sde10
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 devcfg_b -> /dev/block/sde30
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 devinfo -> /dev/block/sde39
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 dinfo -> /dev/block/sdd7
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 dsp_a -> /dev/block/sde7
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 dsp_b -> /dev/block/sde27
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 dtbo_a -> /dev/block/sde13
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 dtbo_b -> /dev/block/sde33
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 engineering_cdt_a -> /dev/block/sdd4
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 engineering_cdt_b -> /dev/block/sdd5
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 featenabler_a -> /dev/block/sde17
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 featenabler_b -> /dev/block/sde18
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 frp -> /dev/block/sda5
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 fsc -> /dev/block/sdf14
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 fsg -> /dev/block/sdf13
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 hyp_a -> /dev/block/sde3
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 hyp_b -> /dev/block/sde23
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 imagefv_a -> /dev/block/sde14
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 imagefv_b -> /dev/block/sde34
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 kernel_log -> /dev/block/sde54
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 keymaster_a -> /dev/block/sde8
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 keymaster_b -> /dev/block/sde28
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 keystore -> /dev/block/sda4
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 logdump -> /dev/block/sde43
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 logfs -> /dev/block/sde41
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 logo_a -> /dev/block/sde20
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 logo_b -> /dev/block/sde38
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 metadata -> /dev/block/sda14
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 misc -> /dev/block/sda3
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 modem_a -> /dev/block/sde4
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 modem_b -> /dev/block/sde24
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 modemst1 -> /dev/block/sdf6
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 modemst2 -> /dev/block/sdf7
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 multiimgoem_a -> /dev/block/sde45
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 multiimgoem_b -> /dev/block/sde46
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 ocdt -> /dev/block/sdd6
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 oplusdycnvbk -> /dev/block/sdf2
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 opluslog -> /dev/block/sda7
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 oplusreserve1 -> /dev/block/sdf8
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 oplusreserve2 -> /dev/block/sdf9
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 oplusreserve3 -> /dev/block/sdf10
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 oplusreserve4 -> /dev/block/sdf11
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 oplusreserve5 -> /dev/block/sdf12
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 oplusstanvbk_a -> /dev/block/sdf3
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 oplusstanvbk_b -> /dev/block/sdf4
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 param -> /dev/block/sdf5
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 persist -> /dev/block/sda2
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 persist_bkp -> /dev/block/sda6
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 qupfw_a -> /dev/block/sde11
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 qupfw_b -> /dev/block/sde31
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 rawdump -> /dev/block/sda15
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 rpm_a -> /dev/block/sde1
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 rpm_b -> /dev/block/sde21
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sda -> /dev/block/sda
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sdb -> /dev/block/sdb
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sdc -> /dev/block/sdc
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sdd -> /dev/block/sdd
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sde -> /dev/block/sde
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sdf -> /dev/block/sdf
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 secdata -> /dev/block/sde48
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 ssd -> /dev/block/sda1
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 storsec -> /dev/block/sde44
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 super -> /dev/block/sda9
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 tz_a -> /dev/block/sde2
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 tz_b -> /dev/block/sde22
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 uefisecapp_a -> /dev/block/sde16
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 uefisecapp_b -> /dev/block/sde35
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 uefivarstore -> /dev/block/sde47
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 userdata -> /dev/block/sda16
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vbmeta_a -> /dev/block/sde12
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vbmeta_b -> /dev/block/sde32
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vbmeta_system_a -> /dev/block/sda10
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vbmeta_system_b -> /dev/block/sda11
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vendor_boot_a -> /dev/block/sde19
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vendor_boot_b -> /dev/block/sde37
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vm-data -> /dev/block/sde52
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vm-keystore -> /dev/block/sde51
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vm-system_a -> /dev/block/sda12
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vm-system_b -> /dev/block/sda13
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 xbl_a -> /dev/block/sdb1
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 xbl_b -> /dev/block/sdc1
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 xbl_config_a -> /dev/block/sdb2
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 xbl_config_b -> /dev/block/sdc2


    To gain root access in the absence of magisk and firmware, I used the DSU feature that was introduced back in Android 10 (https://developer.android.com/topic/dsu).
    Note: This will cause your device to brick if you did NOT unlock your bootloader first!

    Then, get the latest phhusson GSI build w/ root. I used https://github.com/phhusson/treble_...wnload/v312/system-roar-arm64-ab-floss.img.xz

    You can then unsparse the system img, gzip it, then use that to launch DSU with a custom image.

    A more in-depth tutorial and a simplified firmware dump script will be coming soon a bit later in the afternoon. Hope that helps anyone looking for the firmware in the meantime :)
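
An added example, not the dump script promised in the post above: it turns a by-name listing like the one in this post into a read-only dump plan for one slot, with a hash check per partition. The output directory and the function names are assumptions; the slot letter is the active slot reported by `fastboot getvar all`.

```sh
#!/bin/sh
# Added example: build a read-only dump plan from `ls -la` of the by-name dir.

# Constructed sample: a few lines copied from the partition map above.
SAMPLE_LISTING='total 0
lrwxrwxrwx 1 root root   15 1970-01-12 18:02 boot_a -> /dev/block/sde9
lrwxrwxrwx 1 root root   16 1970-01-12 18:02 boot_b -> /dev/block/sde29
lrwxrwxrwx 1 root root   16 1970-01-12 18:02 dtbo_a -> /dev/block/sde13
lrwxrwxrwx 1 root root   16 1970-01-12 18:02 dtbo_b -> /dev/block/sde33
lrwxrwxrwx 1 root root   15 1970-01-12 18:02 persist -> /dev/block/sda2
lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sda -> /dev/block/sda
lrwxrwxrwx 1 root root   16 1970-01-12 18:02 userdata -> /dev/block/sda16
lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vbmeta_a -> /dev/block/sde12
lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vbmeta_b -> /dev/block/sde32'

BY_NAME=${BY_NAME:-/dev/block/by-name}

# parse_map: read the listing on stdin, print "name device" per symlink line.
# Names with characters outside [A-Za-z0-9_-] are dropped, because the name
# is later pasted into a command line.
parse_map() {
    awk 'NF >= 3 && $(NF-1) == "->" && $(NF-2) ~ /^[A-Za-z0-9_-]+$/ {
             print $(NF-2), $NF }'
}

# slot_partitions SLOT: keep only names ending in _SLOT. Unslotted entries
# (persist, userdata, whole disks such as sda) fall out here.
slot_partitions() {
    awk -v sfx="_$1" 'length($1) > length(sfx) &&
        substr($1, length($1) - length(sfx) + 1) == sfx'
}

# dump_plan SLOT OUTDIR: print the commands to run in a root shell on the
# device. Every dd reads the partition (if=) and writes a file (of=); the
# sha256sum line compares the copy with the partition it came from.
dump_plan() {
    case "$1" in a|b) ;; *) echo "slot must be a or b" >&2; return 1 ;; esac
    [ -n "$2" ] || { echo "usage: dump_plan SLOT OUTDIR" >&2; return 1; }
    parse_map | slot_partitions "$1" | while read -r name dev; do
        printf 'dd if=%s/%s of=%s/%s.img bs=4096   # -> %s\n' \
            "$BY_NAME" "$name" "$2" "$name" "$dev"
        printf 'sha256sum %s/%s %s/%s.img\n' "$BY_NAME" "$name" "$2" "$name"
    done
}

# Demo on the constructed sample; /sdcard/dump is an assumed output directory.
printf '%s\n' "$SAMPLE_LISTING" | dump_plan a /sdcard/dump
```

Keeping the two hashes printed for each partition gives a reference to compare against any boot.img obtained elsewhere for the same build.
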
    3
    11.0.1.5 DE18CB firmware has been uploaded. The active partition is in slot B.