Getting started with the TCL 10 5G (T790Y) in the absence of root / stock ROMs

Search This thread

Metconnect2000

Senior Member
Dec 5, 2015
97
14
Can you run the command to pull the logcat? It will have the download link to the full firmware file. Need to look inside to see if there is a possibility of extracting the boot.img and patching it with magisk.
I have not gotten the Android 11 update notification. The previous update was a small security patch. Will try when it comes, hopefully soon.
 

equid0x

Senior Member
Jan 18, 2009
55
13
I was able to get the Verizon variant into EDL mode, but I guess I need a firehose to do anything with it. The tool I used seems to find the phone but won't really do anything else. I couldn't get the phone into fastboot mode no matter what I do, it just reboots. The Verizon version is extremely locked down and the only option in recovery is to wipe the phone.

I wish there is a way to root this phone so I can get rid of the Smart Manager that's killing all the background apps. Trying to remove it with ADB always returns a security error.

Is there anyway to create a firehose for this device so we can talk to it through EDL mode?
 
I was able to get the Verizon variant into EDL mode, but I guess I need a firehose to do anything with it. The tool I used seems to find the phone but won't really do anything else. I couldn't get the phone into fastboot mode no matter what I do, it just reboots. The Verizon version is extremely locked down and the only option in recovery is to wipe the phone.

I wish there is a way to root this phone so I can get rid of the Smart Manager that's killing all the background apps. Trying to remove it with ADB always returns a security error.

Is there anyway to create a firehose for this device so we can talk to it through EDL mode?
that is the only hope i am still looking for firehose for this device in different payment tools and repair boxes and nothing yet.

but I do not lose hope, with firehose is enough to root it and maybe use the engineering aboot of the european tcl 10 5G variant or one of that TCL variant that lets unlock bootloader in that market.

one thing I am not a developer xD,I am only a collaborator
 
Last edited:

equid0x

Senior Member
Jan 18, 2009
55
13
that is the only hope i am still looking for firehose for this device in different payment tools and repair boxes and nothing yet.

but I do not lose hope, with firehose is enough to root it and maybe use the engineering aboot of the european tcl 10 5G variant or one of that TCL variant that lets unlock bootloader in that market.

one thing I am not a developer xD,I am only a collaborator
Well, if it interests you, I created one of the first ROMs for Samsung Galaxy S Vibrant which was basically the first Galaxy S phone from Samsung. I did 100% of development on my own, although I did not receive credit and mamy other succeeding ROMs used my work.

I have used Android since the "Jesusfreke" builds on pre 1.0 android beta. I know quite a lot about the "ecosystem" but for many years I used HTC phones so I think a lot of what I know is specific to them.

I've been "out of the loop" for several years, now. That said, poking at EDL mode leads me to believe that 100% access to the phone flash is possible. Unfortunately, I do not know a whole lot about Qualcomm EDL mode so I do not have a starting point. Personally, I do not have the time nor will to fully reverse engineer this phone which is quite unfortunate because it appears to be totally hackable and has excellent specs.

It appears EDL mode can both read and write the entire flash on this phone. However, in order to "talk" to it I need the EDL "Firehose" which presumably designates the protocol to "talk" to it.

There are multiple phones that _appear_ to be very similar and from my cursory testing, the same command set seems to work the same on all of these phones. So, it may be a strategy to get all of the developers of the related phones to collaborate on a solution for talking to this phone over EDL.

If I knew more about Qualcomm EDL I might devote more time to trying to create this missing "Firehose"; but I really do not understand anything about it and I'm not going to sit around taking shots in the dark guessing.
 
  • Like
Reactions: darkherman
Dec 14, 2017
49
11
23
This is my verizon tcl look at my comment on first page regarding access to fastboot -d on this device
received_1250217788688916.jpeg
 

equid0x

Senior Member
Jan 18, 2009
55
13
This is my verizon tcl look at my comment on first page regarding access to fastboot -d on this device

I don't know why every forum keeps switching to this Kronos software that can't handle quotes properly. What a pain in the $!#.

Anyways, the software you referenced is for Windows. I don't run Windows so it's somewhat useless to me. I could spin up a VM but I'm always hesitant to use random executables on my machines. I might snapshot my 10 VM, play with this tool, and snapshot back. Have to think about it.

I'm sure it's just running some known adb or fastboot command to get the phone to this mode. I tried a couple of obvious choices but no luck.

I'm betting fastbootd is just a less obvious variant of fastboot. Does the phone respond to any fastboot commands while in this mode? .... Looked it up. Android 10+ moved fastboot to userspace and appears to be the modern equivalent. Supposedly adb reboot fastboot should get us to fastbootd but doesn't on my phone. Alcatel must be using another command to obfuscate this feature.

It seems it should be possible to pull the boot.img and patch it and possibly flash it with fastbootd, as another poster mentioned. Not sure if I want to brick my device to find out, though.
 

equid0x

Senior Member
Jan 18, 2009
55
13
This is my verizon tcl look at my comment on first page regarding access to fastboot -d on this device

So, I spent some more time toying with this device this morning. I took a look at the Axon 7 tool that was posted, including the code in the batch file. Nothing really nefarious here. The software is setup to talk to the Axon 7 using a firehose for the MSM8997. The directories you see on the screen appear to be hard coded into the batch file and use XMLs for references to physical partition locations on the device. None of this is likely to work for the T790. Just for the hell of it, I threw a firehose I found for an SM8150 (Snapdragon 730 - earlier, but related chip, ours is SM8250-AB). No dice.

I setup QPST and the Qualcomm drivers in my VM. QPST sees the device, but doesn't recognize it as a phone. I also tried QFIL and manually specified the SM8150 firehose and attempted to get partition info. Interestingly, QFIL seemed like it talked to the phone, based on the log output, but bombed when the partition info did not match. I saw another poster a couple months back who claimed they could browse this device with QPST. I'd be interested in knowing a little more about how they did that - specifics like software version, platform, admin rights, was a firehose used, which variant, etc.

*#*#3424#*#* in the dialer, then powering off the phone, then holding vol+ & vol- together for several seconds will bring up the EDL mode screen. Holding Vol+ puts it in EDL mode. At that point, the qualcomm diag com port shows up in my Windows 10 VM. To get out of it, hold power until the phone reboots. The instructions provided by Eric1084 didn't seem to work on my variant - just throws an error (VZW, BTW).

Here are the partitions on the device, if it helps:

lrwxrwxrwx 1 root root 15 1969-12-31 16:00 ALIGN_TO_128K_1 -> /dev/block/sdd1
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 ALIGN_TO_128K_2 -> /dev/block/sdf1
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 abl_a -> /dev/block/sde8
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 abl_b -> /dev/block/sde33
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 aop_a -> /dev/block/sde1
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 aop_b -> /dev/block/sde26
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 apdp -> /dev/block/sde52
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 blog -> /dev/block/sda7
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 bluetooth_a -> /dev/block/sde5
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 bluetooth_b -> /dev/block/sde30
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 boot_a -> /dev/block/sde11
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 boot_b -> /dev/block/sde36
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 carrier -> /dev/block/sdf6
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 catecontentfv -> /dev/block/sde64
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 catefv -> /dev/block/sde63
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 cateloader -> /dev/block/sde57
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 cdt -> /dev/block/sdd2
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 core_nhlos_a -> /dev/block/sde23
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 core_nhlos_b -> /dev/block/sde48
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 ddr -> /dev/block/sdd3
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 devcfg_a -> /dev/block/sde12
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 devcfg_b -> /dev/block/sde37
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 devinfo -> /dev/block/sde50
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 dip -> /dev/block/sde51
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 dsp_a -> /dev/block/sde9
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 dsp_b -> /dev/block/sde34
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 dtbo_a -> /dev/block/sde17
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 dtbo_b -> /dev/block/sde42
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 efsbak -> /dev/block/sdf5
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 featenabler_a -> /dev/block/sde24
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 featenabler_b -> /dev/block/sde49
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 frp -> /dev/block/sda11
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 fsc -> /dev/block/sdf4
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 fsg -> /dev/block/sdd5
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 hyp_a -> /dev/block/sde3
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 hyp_b -> /dev/block/sde28
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 imagefv_a -> /dev/block/sde21
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 imagefv_b -> /dev/block/sde46
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 kedump -> /dev/block/sda8
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 keymaster_a -> /dev/block/sde10
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 keymaster_b -> /dev/block/sde35
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 keystore -> /dev/block/sda5
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 limits -> /dev/block/sde54
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 limits-cdsp -> /dev/block/sde55
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 logdump -> /dev/block/sda12
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 logfs -> /dev/block/sda9
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 mdcompress -> /dev/block/sde61
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 mdtp_a -> /dev/block/sde7
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 mdtp_b -> /dev/block/sde32
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 mdtpsecapp_a -> /dev/block/sde6
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 mdtpsecapp_b -> /dev/block/sde31
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 metadata -> /dev/block/sda10
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 misc -> /dev/block/sda4
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 modem_a -> /dev/block/sde4
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 modem_b -> /dev/block/sde29
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 modemst1 -> /dev/block/sdf2
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 modemst2 -> /dev/block/sdf3
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 multiimgoem -> /dev/block/sde59
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 oembin -> /dev/block/sda6
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 oempersist -> /dev/block/sda3
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 otalog -> /dev/block/sdf7
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 otapkg -> /dev/block/sda13
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 persist -> /dev/block/sda2
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 questdatafv -> /dev/block/sde25
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 qupfw_a -> /dev/block/sde13
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 qupfw_b -> /dev/block/sde38
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 recovery_a -> /dev/block/sde14
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 recovery_b -> /dev/block/sde39
lrwxrwxrwx 1 root root 14 1969-12-31 16:00 sda -> /dev/block/sda
lrwxrwxrwx 1 root root 14 1969-12-31 16:00 sdb -> /dev/block/sdb
lrwxrwxrwx 1 root root 14 1969-12-31 16:00 sdc -> /dev/block/sdc
lrwxrwxrwx 1 root root 14 1969-12-31 16:00 sdd -> /dev/block/sdd
lrwxrwxrwx 1 root root 14 1969-12-31 16:00 sde -> /dev/block/sde
lrwxrwxrwx 1 root root 14 1969-12-31 16:00 sdf -> /dev/block/sdf
lrwxrwxrwx 1 root root 14 1969-12-31 16:00 sdg -> /dev/block/sdg
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 secdata -> /dev/block/sde62
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 simlock_a -> /dev/block/sde20
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 simlock_b -> /dev/block/sde45
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 splash_a -> /dev/block/sde18
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 splash_b -> /dev/block/sde43
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 spunvm -> /dev/block/sde53
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 ssd -> /dev/block/sda1
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 storsec -> /dev/block/sde58
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 studybak_a -> /dev/block/sde19
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 studybak_b -> /dev/block/sde44
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 super -> /dev/block/sda14
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 swversion -> /dev/block/sdd6
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 toolsfv -> /dev/block/sde56
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 traceability -> /dev/block/sdd4
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 tz_a -> /dev/block/sde2
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 tz_b -> /dev/block/sde27
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 uefisecapp_a -> /dev/block/sde22
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 uefisecapp_b -> /dev/block/sde47
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 uefivarstore -> /dev/block/sde60
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 userdata -> /dev/block/sda15
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 vbmeta_a -> /dev/block/sde16
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 vbmeta_b -> /dev/block/sde41
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 vbmeta_system_a -> /dev/block/sde15
lrwxrwxrwx 1 root root 16 1969-12-31 16:00 vbmeta_system_b -> /dev/block/sde40
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 xbl_a -> /dev/block/sdb1
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 xbl_b -> /dev/block/sdc1
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 xbl_config_a -> /dev/block/sdb2
lrwxrwxrwx 1 root root 15 1969-12-31 16:00 xbl_config_b -> /dev/block/sdc2

I'm not able to dump the bootloaders. Permission denied. I have my hands on the full 11 update package. I might be able to take a crack at getting the bootloader out of it. It looks like someone's already done this on the Pro and hasn't been able to do anything with the image.
 

chris8189

Senior Member
Jan 17, 2016
288
37
Good work so far guys. I'm glad some people are taking a look into how to root this device. I've just received this phone myself as a gift, so looking forward to what's coming.
 

equid0x

Senior Member
Jan 18, 2009
55
13
I'm not able to dump the bootloaders. Permission denied. I have my hands on the full 11 update package. I might be able to take a crack at getting the bootloader out of it. It looks like someone's already done this on the Pro and hasn't been able to do anything with the image.

I looked at the 11 update pack. The bootloader is a .p file. Its a patch to a binary, not the whole bootloader. I suspect, this is why the other guys can't patch it.

Need a way to dump the parts without a permissions error. Otherwise, from what I've read, Firehose can dump it. But we're kinda nowhere closer either way without a boot part to patch. Even then, I dunno if it can be flashed without an engineering bootloader? Does anyone know if one of these images can be flashed or booted without it being signed? I assume, no.

I think a lot of these phones in the past have been broken via JTAG. I don't know much about that, although I think it requires an RS232 to TTL conversion with something like a MAX232. I used to have one, but not in a long time.
 
  • Like
Reactions: chris8189

equid0x

Senior Member
Jan 18, 2009
55
13
This phone has same processor chip maybe a lead!?
Snapdragon 765g
I took a look at it. The Firehose for the Nokia does not work for the TCL 10 5G UW. I also found another one and tried it but no luck. It seems these Firehose loaders are phone specific in many cases.

I also poked around some forums and found others requesting one, too.

I was able to get the phone to come up in QPST on a real Windows box and I could query it a bit but I wasn't able to replicate the EFS browsing someone posted on my variant.
 

EnumC

Senior Member
I took a look at it. The Firehose for the Nokia does not work for the TCL 10 5G UW. I also found another one and tried it but no luck. It seems these Firehose loaders are phone specific in many cases.

I also poked around some forums and found others requesting one, too.

I was able to get the phone to come up in QPST on a real Windows box and I could query it a bit but I wasn't able to replicate the EFS browsing someone posted on my variant.
If you'd like to give accessing EFS another try, I found multiple paths to enable diag on my T-Mobile variant, so there's a possibility there's still one exposed on the Verizon model.

Try the following:
*#*#3646633#*#* -> go to "Connectivity" tab, then "DiagProtector".
*#*#2324#*#*
##3424#

You can also get to it by launching the activity directly, but one of the above dialer codes should work. All of them should on T790W.
 

equid0x

Senior Member
Jan 18, 2009
55
13
If you'd like to give accessing EFS another try, I found multiple paths to enable diag on my T-Mobile variant, so there's a possibility there's still one exposed on the Verizon model.

Try the following:
*#*#3646633#*#* -> go to "Connectivity" tab, then "DiagProtector".
*#*#2324#*#*
##3424#

You can also get to it by launching the activity directly, but one of the above dialer codes should work. All of them should on T790W.
Non of those codes work on Verizon variant. Verizon really locks down their phones.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    Hi folks,

    As this phone is pretty niche/doesn't have much of a community yet (and may never) I've decided to put a few of my thoughts together in one thread. XDA is my go to for new phones so having an empty device sub makes me sad. None of this may be useful or some of it may be, you tell me.

    Purchase:
    Bought December 2020. Total cost: €160
    This is notable as the market price for these is €400+ SIM Free so this was a bit of a steal for the 765G
    Network: Three Ireland, locked

    Root?
    See bootloader

    Bootloader
    Is locked down tighter than fort knox. There IS a developer option to allow unlocking but it seems to do nothing. This is common with Alcatel/TCL. Hopefully it's broken, I'm not holding my breath though.
    Code:
    C:\Users\Administrator>fastboot oem device-info
                                                       (bootloader) Verity mode: true
    (bootloader) Device unlocked: false
    (bootloader) Device critical unlocked: false
    (bootloader) Charger screen enabled: false
    OKAY [  0.005s]
    Finished. Total time: 0.008s

    Current software?
    Code:
    Build: QKQ1.200329.002 release-keys
    Radio: PAN_GEN_PACK-1.303751.1.304885.8
    4.19.81
    Patch Level: Aug 2020

    Branded splash?
    Yes, cannot be removed without root

    Quick note on physical build:
    Normally I'd always say go on, go bigger. This time I'm finding it a little awkward reaching some stuff. I'm a tall man with reasonably large hands so could get away with anything slightly smaller and reach the whole display. Aspect plays a part here.
    The Google button(thank Christ its not Bixby) on the left is super helpful and also super annoying. Find it really easy to accidentally press when holding it in my left hand which is my default.
    The power button on the far side is equally easy to press fine. The problem is double press is camera but triple press is EMERGENCY. I do not want emergency. FFS TCL. Seems like no way to disable it.
    The gradient on the back is nice but maaaan is it slippy.

    Brightness:
    Autobrightness is woeful. Like far too aggressive. Blinds you half the time then dimms down to unreadable. Not a fan. Turned it off.

    Battery:
    The usual chinese affair, kill everything running for more than 6 seconds. Get amazing battery life but prevent apps doing anything useful. Play the usual game of protecting half the apps on your phone and remember to do it with new apps. Problem solved, battery life more normal.
    That said the 4500mAh paired with the 765G is pretty sweet.

    De-Bloating:
    Okay. So we can't root. Sh1t. But all is not lost. ADB gives us some control.
    This isnt unique to TCL, sample guide here -> https://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-access/

    Once you've got an active adb shell:
    Code:
    pm list packages

    That gives us all the installed apps. I'll include that list in post #2
    We can "remove" them with the below
    Code:
    pm uninstall -k --user 0 $package
    eg
    Code:
    pm uninstall -k --user 0 com.ebay.carrier

    Here's most or all of what I removed

    Code:
    com.ebay.carrier
    com.amazon.appmanager
    ie.three.threeplus
    ie.three.my3
    com.amazon.mShop.android.shopping
    com.tct.smart.account
    com.ebay.mobile
    com.tct.smart.community
    com.facebook.appmanager
    com.facebook.system
    com.facebook.katana
    com.tct.smart.community
    com.netflix.mediaclient
    com.netflix.partner.activation
    com.spectreit.three
    com.amazon.avod.thirdpartyclient
    com.tcl.usercare
    com.facebook.services
    com.netflix.partner.activation
    com.spectreit.three
    com.tcl.usercare
    com.tct.smart.notes

    I've removed a few at a time in case it causes the system to crash etc. So far so good but do so at your own risk.

    Install Youtube Vanced works via normal sideload. IMO really worth doing.

    DPI/Scaling:
    Defaults to 360
    Somewhere around 400-420 is better IMO

    Network unlocking:
    So far nobody has been able to offer network codes for 272-05 but other networks in the same country are apparently available. Hopefully soon.

    More notes, tidbits & complaints as I get them
    - Scratchling
    2
    The 11 Zip is in the other thread folks
    1
    Great write-up. One suggestion, maybe try with pm disable first to verify before doing the pm uninstall.
    1
    great good info about this device,i hope it is available firehose or a method to unlock bootloader
    1
    Google is your friend. Secret Tools V1.4 just choose reboot fast boot then click on do job on the bottom right corner of the picture
    Secret-Tool-Pro.jpg