How To Guide Full ROM dump of T-Mobile variant & guide on gaining root access without magisk


GloriamSemper

Member
Apr 20, 2022
30
3
Yea, that I can't give up for VPN Hotspot app, so convenient compared to PDANet+
This is exactly what I am trying to do. I have a stock N200, waiting on my bootloader unlock token. I was going to flash a GSI to remove the cap from the hotspot but it appears the TMO variant has issues doing that. Do you recommend I do what you did instead, and just root the stock? If so, which root method do you recommend? The TMO variant seems to be different than all the others which makes me nervous to try anything... your input would be greatly appreciated! :)
 

lentm

Senior Member
Dec 3, 2008
453
100
This is exactly what I am trying to do. I have a stock N200, waiting on my bootloader unlock token. I was going to flash a GSI to remove the cap from the hotspot but it appears the TMO variant has issues doing that. Do you recommend I do what you did instead, and just root the stock? If so, which root method do you recommend? The TMO variant seems to be different than all the others which makes me nervous to try anything... your input would be greatly appreciated! :)
I've been told that the GSI roms are not really stable on this device, so I'm staying on the stock rooted. VPN Hotspot seems to work fine, but I sometimes get disconnected while using it.
 
  • Like
Reactions: GloriamSemper

GloriamSemper

Member
Apr 20, 2022
30
3
I've been told that the GSI roms are not really stable on this device, so I'm staying on the stock rooted. VPN Hotspot seems to work fine, but I sometimes get disconnected while using it.
Thanks for the heads up. Which root method did you use/recommend for your TMO variant? I found multiple methods in this forum and want to go with the verified method that worked for you. Magisk? TWRP?
 

lentm

Senior Member
Dec 3, 2008
453
100
Thanks for the heads up. Which root method did you use/recommend for your TMO variant? I found multiple methods in this forum and want to go with the verified method that worked for you. Magisk? TWRP?

Did you unlock the device? If so, I will try to find the Magisk patched boot img, boot to that image through fastboot, back up the original boot img, install Magisk through the app.
 
  • Love
Reactions: GloriamSemper

Top Liked Posts

  • 9
    Hi everyone! I lost my OP8 daily driver the other day and decided to pick up a N200 as a stopgap measure. Thanks to Android 11, I'm able to dump all partitions from the DE2118 model of this device.

    AFH: https://www.androidfilehost.com/?fid=7161016148664787728

    Here's the partition map:

    Code:
    phhgsi_arm64_ab:/dev/block/by-name # ls -la
    total 0
    drwxr-xr-x 2 root root 2080 1970-01-12 18:02 .
    drwxr-xr-x 6 root root 3080 1970-01-12 18:02 ..
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 ALIGN_TO_128K_1 -> /dev/block/sdd1
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 ALIGN_TO_128K_2 -> /dev/block/sdf1
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 abl_a -> /dev/block/sde6
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 abl_b -> /dev/block/sde26
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 abl_log -> /dev/block/sde53
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 android_log -> /dev/block/sde55
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 apdp -> /dev/block/sde40
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 bluetooth_a -> /dev/block/sde5
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 bluetooth_b -> /dev/block/sde25
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 boot_a -> /dev/block/sde9
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 boot_b -> /dev/block/sde29
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 carrier -> /dev/block/sda8
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 catecontentfv -> /dev/block/sde50
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 catefv -> /dev/block/sde49
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 cateloader -> /dev/block/sde42
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 cdt -> /dev/block/sdd2
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 core_nhlos_a -> /dev/block/sde15
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 core_nhlos_b -> /dev/block/sde36
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 ddr -> /dev/block/sdd3
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 devcfg_a -> /dev/block/sde10
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 devcfg_b -> /dev/block/sde30
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 devinfo -> /dev/block/sde39
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 dinfo -> /dev/block/sdd7
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 dsp_a -> /dev/block/sde7
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 dsp_b -> /dev/block/sde27
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 dtbo_a -> /dev/block/sde13
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 dtbo_b -> /dev/block/sde33
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 engineering_cdt_a -> /dev/block/sdd4
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 engineering_cdt_b -> /dev/block/sdd5
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 featenabler_a -> /dev/block/sde17
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 featenabler_b -> /dev/block/sde18
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 frp -> /dev/block/sda5
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 fsc -> /dev/block/sdf14
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 fsg -> /dev/block/sdf13
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 hyp_a -> /dev/block/sde3
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 hyp_b -> /dev/block/sde23
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 imagefv_a -> /dev/block/sde14
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 imagefv_b -> /dev/block/sde34
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 kernel_log -> /dev/block/sde54
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 keymaster_a -> /dev/block/sde8
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 keymaster_b -> /dev/block/sde28
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 keystore -> /dev/block/sda4
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 logdump -> /dev/block/sde43
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 logfs -> /dev/block/sde41
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 logo_a -> /dev/block/sde20
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 logo_b -> /dev/block/sde38
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 metadata -> /dev/block/sda14
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 misc -> /dev/block/sda3
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 modem_a -> /dev/block/sde4
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 modem_b -> /dev/block/sde24
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 modemst1 -> /dev/block/sdf6
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 modemst2 -> /dev/block/sdf7
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 multiimgoem_a -> /dev/block/sde45
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 multiimgoem_b -> /dev/block/sde46
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 ocdt -> /dev/block/sdd6
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 oplusdycnvbk -> /dev/block/sdf2
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 opluslog -> /dev/block/sda7
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 oplusreserve1 -> /dev/block/sdf8
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 oplusreserve2 -> /dev/block/sdf9
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 oplusreserve3 -> /dev/block/sdf10
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 oplusreserve4 -> /dev/block/sdf11
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 oplusreserve5 -> /dev/block/sdf12
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 oplusstanvbk_a -> /dev/block/sdf3
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 oplusstanvbk_b -> /dev/block/sdf4
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 param -> /dev/block/sdf5
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 persist -> /dev/block/sda2
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 persist_bkp -> /dev/block/sda6
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 qupfw_a -> /dev/block/sde11
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 qupfw_b -> /dev/block/sde31
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 rawdump -> /dev/block/sda15
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 rpm_a -> /dev/block/sde1
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 rpm_b -> /dev/block/sde21
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sda -> /dev/block/sda
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sdb -> /dev/block/sdb
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sdc -> /dev/block/sdc
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sdd -> /dev/block/sdd
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sde -> /dev/block/sde
    lrwxrwxrwx 1 root root   14 1970-01-12 18:02 sdf -> /dev/block/sdf
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 secdata -> /dev/block/sde48
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 ssd -> /dev/block/sda1
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 storsec -> /dev/block/sde44
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 super -> /dev/block/sda9
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 tz_a -> /dev/block/sde2
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 tz_b -> /dev/block/sde22
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 uefisecapp_a -> /dev/block/sde16
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 uefisecapp_b -> /dev/block/sde35
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 uefivarstore -> /dev/block/sde47
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 userdata -> /dev/block/sda16
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vbmeta_a -> /dev/block/sde12
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vbmeta_b -> /dev/block/sde32
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vbmeta_system_a -> /dev/block/sda10
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vbmeta_system_b -> /dev/block/sda11
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vendor_boot_a -> /dev/block/sde19
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vendor_boot_b -> /dev/block/sde37
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vm-data -> /dev/block/sde52
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vm-keystore -> /dev/block/sde51
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vm-system_a -> /dev/block/sda12
    lrwxrwxrwx 1 root root   16 1970-01-12 18:02 vm-system_b -> /dev/block/sda13
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 xbl_a -> /dev/block/sdb1
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 xbl_b -> /dev/block/sdc1
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 xbl_config_a -> /dev/block/sdb2
    lrwxrwxrwx 1 root root   15 1970-01-12 18:02 xbl_config_b -> /dev/block/sdc2


    To gain root access in the absence of magisk and firmware, I used the DSU feature that was introduced back in Android 10 (https://developer.android.com/topic/dsu).
    Note: This will cause your device to brick if you did NOT unlock your bootloader first!

    Then, get the latest phhusson GSI build w/ root. I used https://github.com/phhusson/treble_...wnload/v312/system-roar-arm64-ab-floss.img.xz

    You can then unsparse the system img, gzip it, then use that to launch DSU with a custom image.

    A more in-depth tutorial and a simplified firmware dump script will be coming soon a bit later in the afternoon. Hope that helps anyone looking for the firmware in the meantime :)
    3
    11.0.1.5 DE18CB firmware has been uploaded. The active partition is in slot B.
    2
    I did the following to try to replicate what EnumC did and I got the same stock boot.img but in partition A instead of partition B:

    Used MSMDownloadTool to reset to factory image

    Unlocked bootloader with one line adb command

    Download phhusson's GSI as EnumC mentioned

    Installed msys2 with mingw64 tool chain, base devel, and mingw64 gettext, add an include statement and include asprintf in order to build simg2img on Windows (I've attached my build for 64 bit Win 10 here)

    Unzip GSI.xz and then unsparse it using simg2img

    Follow instructions here to install GSI. The $(du) is to calculate disk usage of the system_raw.img on your PC

    adb reboot fastboot, fastboot getvar all to get active partition (factory image should be a)

    You can now adb shell, su, and then dd to extract /dev/block/bootdevice/by-name/boot_a
    This was exactly what I did, except I used WSL instead! Thank you so much for writing it out in more depth. I was going to write a dump script & more in-depth instructions last summer, but T-Mobile threw me a bone with their new promos and I got myself an S21 instead. Hurray, no root for me!

    If you haven't already, I'll post the script for dumping the partitions from any device that has BL unlock but no stock firmware yet using that GSI method.
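What the unsparse step (simg2img) in the posts above does, as an added example that is not code from the thread or from the simg2img project: a Python reader for the Android sparse image format that expands raw, fill and don't-care chunks into a raw image and rejects truncated or inconsistent input. `SAMPLE` is a constructed four-block image and all function names are this example's own.

```python
import struct

SPARSE_MAGIC = 0xED26FF3A
RAW, FILL, DONT_CARE, CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
FILE_HDR = struct.Struct("<IHHHHIIII")  # magic, major, minor, hdr sizes, blk_sz, totals, csum
CHUNK_HDR = struct.Struct("<HHII")      # type, reserved, output blocks, bytes in file

def read_exact(src, n):
    data = src.read(n)
    if len(data) != n:
        raise ValueError("truncated sparse image")
    return data

def unsparse(src, dst):
    """Expand an Android sparse image from src into dst; return the raw size in bytes."""
    (magic, major, _minor, fhdr, chdr, blk, total_blks, chunks,
     _csum) = FILE_HDR.unpack(read_exact(src, FILE_HDR.size))
    if magic != SPARSE_MAGIC:
        raise ValueError("no sparse magic: image is already raw or not an image")
    if major != 1 or fhdr < FILE_HDR.size or chdr < CHUNK_HDR.size or blk == 0 or blk % 4:
        raise ValueError("unsupported sparse header")
    read_exact(src, fhdr - FILE_HDR.size)            # skip header extension, if any
    done = 0
    for _chunk in range(chunks):
        ctype, _res, nblks, total_sz = CHUNK_HDR.unpack(read_exact(src, chdr)[:CHUNK_HDR.size])
        body = total_sz - chdr                       # payload bytes stored in the file
        if ctype == RAW and body == nblks * blk:
            for _ in range(nblks):                   # stream payload through block by block
                dst.write(read_exact(src, blk))
        elif (ctype, body) in ((FILL, 4), (DONT_CARE, 0)):
            unit = (read_exact(src, body) or bytes(4)) * (blk // 4)  # hole -> zeros
            for _ in range(nblks):
                dst.write(unit)
        elif ctype == CRC32 and body == 4:
            read_exact(src, 4)                       # checksum chunk, produces no output
            continue
        else:
            raise ValueError(f"bad chunk type or size: {ctype:#x}")
        done += nblks
    if done != total_blks:
        raise ValueError("chunk blocks do not add up to the header total")
    return done * blk

# Constructed sample: 4 blocks of 4096 bytes (1 raw, 2 fill, 1 hole); not from a real device.
SAMPLE = (FILE_HDR.pack(SPARSE_MAGIC, 1, 0, 28, 12, 4096, 4, 3, 0)
          + CHUNK_HDR.pack(RAW, 0, 1, 12 + 4096) + b"A" * 4096
          + CHUNK_HDR.pack(FILL, 0, 2, 16) + b"\xde\xad\xbe\xef"
          + CHUNK_HDR.pack(DONT_CARE, 0, 1, 12))
```

On a real download, pass binary file objects, for example `unsparse(open("system.img", "rb"), open("system_raw.img", "wb"))`; the returned byte count is the size of the raw image.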
    2
    Oh..right...I should've booted a patched img file before I flash. arrghhh.
    Can you share a stock 11.0.1.8 boot.img file when you have a chance?
    I appreciate it!
    Here you go (I've also included factory stock boot.img and factory patched boot.img). I figured out an even better method which is:
    1. Uninstall Magisk, Restore images
    2. Get OTA. Make sure "Automatic system updates" is turned off under Developer Options, this way the device won't automatically reboot after the OTA
    3. Before rebooting, adb su and then dd the new boot.img
    4. Continue system update and reboot the phone
    5. Install Magisk by patching the new boot.img
    I would suggest avoiding using Magisk's "install to inactive slot after OTA" because that bricked my phone for whatever reason and I had to factory reset.
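A check worth running on a `dd` dump of the boot partition before it is patched or kept as the backup, as an added example that is not from the thread: it confirms the `ANDROID!` boot image header, reads the header version and section sizes, verifies the dump is long enough to hold them, and returns a SHA-256 for comparing the on-device and pulled copies. The function names and the sample dump are constructed for this example.

```python
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"


def _pages(size, page):
    """Bytes occupied by a section once padded to whole pages."""
    return -(-size // page) * page


def inspect_boot_dump(data):
    """Validate a dd dump of a boot partition; return header facts and a SHA-256."""
    if len(data) < 44 or data[:8] != BOOT_MAGIC:
        raise ValueError("no ANDROID! magic: wrong partition or empty slot")
    version = struct.unpack_from("<I", data, 40)[0]   # same offset in every header version
    if version >= 3:
        kernel, ramdisk = struct.unpack_from("<II", data, 8)
        page, extra = 4096, 0                          # v3+ fixes the page size at 4096
    else:
        kernel, _ka, ramdisk, _ra, second, _sa, _ta, page = struct.unpack_from("<8I", data, 8)
        if page == 0:
            raise ValueError("page size 0 in legacy header")
        extra = _pages(second, page)
    if kernel == 0:
        raise ValueError("kernel size 0")
    # Lower bound only: later header versions can append further sections.
    needed = page + _pages(kernel, page) + _pages(ramdisk, page) + extra
    if needed > len(data):
        raise ValueError(f"dump truncated: header needs {needed} bytes, got {len(data)}")
    return {"header_version": version, "kernel_size": kernel, "ramdisk_size": ramdisk,
            "min_image_bytes": needed, "sha256": hashlib.sha256(data).hexdigest()}


def constructed_dump(kernel=5000, ramdisk=100, total=64 * 1024):
    """Constructed v3-style header padded with zeros; not a real boot image."""
    hdr = (BOOT_MAGIC + struct.pack("<4I", kernel, ramdisk, 0, 1580)
           + bytes(16) + struct.pack("<I", 3))
    return hdr.ljust(total, b"\0")
```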
    2
    I did the steps in the guide I wrote here and I also installed the OTA after factory resetting. If you want stock boot.img for the current installed version you can skip the factory reset step.

    However, as long as there wasn't a major Android version update (which changes boot.img drastically), there is a much easier way.

    The boot.img is probably similar enough between OTAs that you can
    1. uninstall Magisk if it is installed, get OTA
    2. fastboot getvar all to get active partition
    3. boot a Magisk patched boot.img from a previous system version by
      Code:
      fastboot boot patched_old_boot.img
      to get root. Make sure to avoid doing fastboot flash because that would get rid of the new boot.img and replace it with the old boot.img.
    4. do the final dd step in the above guide.

    Oh..right...I should've booted a patched img file before I flash. arrghhh.
    Can you share a stock 11.0.1.8 boot.img file when you have a chance?
    I appreciate it!