[GUIDE][A10/A11] Flashing and booting GSI on Galaxy Tab S7+


LSS4181

Senior Member
Mar 13, 2012
460
161
Google Pixel C
Razer Phone 2
Code:
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/

This is tested on my SM-T976B, but I think the same should work on other models as well.

1. WARNING AND DISCLAIMER
Just unlocking the bootloader will not trip the warranty bit yet, so you can still go back at this point.
The warranty bit will be tripped (0x1) as soon as you actually try flashing something unofficial via Odin. YOU HAVE BEEN WARNED.

Make sure you back up all the important files in your internal storage, as you need to disable encryption with Multi-Disabler in order to let TWRP access the data partition, which would require you to format the data partition (wiping everything in the process). Additionally, keep a few nandroid backups with you so you can recover yourself in case something goes wrong.

2. Requirements
- Bootloader unlocked
- ianmacd's TWRP
- Neutralized vbmeta*
- vendor.img from Android 10 stock FW (I used ATK3, but any A10 vendor should do)
- Multi-Disabler

* An empty vbmeta is not recommended. You need to patch the vbmeta of the stock FW you're currently on.

3. Flashing
Since this device uses dynamic partitions, flashing system images is not as straightforward as before, but not impossible.

azteria2000's GSI Flasher provided a good example on how to use dd/simg2img to flash dynamic partitions using just recovery. This is extremely helpful, as TWRP currently doesn't support fastbootd, which would make flashing even easier.

(1). Extracting Android 10 vendor.img
While you can boot recent GSIs with Android 11 vendor, Magisk currently doesn't work with it. Android 10 vendor is required for Magisk to work properly.
The Android 10 vendor can be extracted from the factory image's super.img. You need to unsparse the image using simg2img then use lpunpack to extract it, and you'll obtain the vendor.img.

(2). Flashing GSI and Android 10 vendor.img
The entire flashing process can be done from TWRP.
NOTE: If you're still on Android 10 (ATK3 or earlier), you can skip flashing vendor and only flash GSI system image.
NOTE 2: At present, Multi-Disabler expects /system_root to be mountable r/w, which cannot be done with a non-vndklite GSI. As such, if you're about to flash /vendor at this step, use a vndklite GSI, or if you're coming from stock, flash Multi-Disabler before actually flashing GSI (a reboot is needed after flashing /vendor to make it accessible).

The corresponding block devices for system and vendor are as follows:
Code:
/dev/block/dm-0 - system
/dev/block/dm-1 - vendor
First set the block devices to r/w so you can flash images.
Code:
# blockdev --setrw /dev/block/dm-0
# blockdev --setrw /dev/block/dm-1
Now actually flash the images with dd. Change the "if" parts to point to where the GSI system image and Android 10 vendor image are.
Code:
# dd if=<GSI image here> of=/dev/block/dm-0 bs=1m
# dd if=<vendor image here> of=/dev/block/dm-1 bs=1m
In rare cases that the GSI image you're about to flash is sparsed, run the following command instead of dd. You need to point to your sparsed GSI image here.
The vendor.img you obtain from super.img is not sparsed and can be flashed directly using the dd command above.
Code:
# simg2img <sparsed GSI image here> /dev/block/dm-0
If nothing goes wrong, you've flashed the GSI as well as Android 10 vendor.
Android 10 vendor flashed this way will work even if you have upgraded past BUC1 (which blocked the downgrade to Android 10).
It's advised to reboot recovery before trying to access system and vendor, to avoid potential issues.
NOTE: If you flashed vendor in this step, DO NOT REBOOT TO SYSTEM JUST YET.

(3). Flashing Multi-Disabler

You need to flash Multi-Disabler to disable encryption of internal storage so TWRP could access it.
If you flashed the vendor.img when flashing GSI, you MUST flash Multi-Disabler again if you have already disabled encryption with it before.
After flashing Multi-Disabler, you can now try booting to see if the GSI of your choice works.

4. Important Notes
(1). Neutralizing Software (Platform) Watchdog

There's a software (platform) watchdog that by default doesn't get fed while running GSI, causing system to reboot about 100 seconds after boot due to "platform watchdog bite". See this issue and this issue for details.
It's possible to disable this watchdog after boot, by executing the following command using a root shell.
Code:
# echo 'V' > /dev/watchdog
You need to look for a way to execute the command above at boot to automatically disable the problematic watchdog so the GSI can function normally. There are several ways to do this, like putting the command into a Magisk module's service.sh so it gets executed when the Magisk module loads.
EDIT: I've filed an issue regarding the matter here. After some testing, it seems /dev/watchdog0 is the real culprit for our device. Disabling either /dev/watchdog or /dev/watchdog0 will work around this.
UPDATE (2021-09-11): I can confirm that DragKernel is not affected by this issue. The offending watchdog is not present and the system won't reboot after 100 seconds.

(2). Uncertified Device
Since phh-AOSP v303 and onwards, the device is considered uncertified which will prevent you from logging in to your Google account.
Manually registering the device is required for using Google Play Services, but for some reasons that didn't work for me, so I recommend using NanoDroid with microG if applicable (requires Magisk).

(3). Offline Charging Icon
With some GSIs, when powered off, plugging in the charger would make the tablet enter a screen with a white charging battery icon in the middle, that I couldn't easily get out of by pressing POWER button alone. Although I did manage to get out of that screen and boot to the system, I don't really know which button combination is required, and how long I should be holding them. So for now, charging while powered off is not advised...

5. Working Stuffs
- 120 fps working (by forcing FPS using Phh-Treble Settings).
- Wi-Fi and Bluetooth work fine.
- S-Pen works as a pointer device.
- Alternate Audio Policies (from Phh-Treble Settings) is needed to get audio out through USB Type-C.
- Front and rear cameras appear to be working.

6. Not Working Stuffs
- MTP does not appear to work properly for some reasons. You'll need ADB for transferring files.
- USB Type-C audio adapters may or may not work depending on GSI, Kernel or maybe other aspects.
- Bluetooth audio currently has issues that cause the system to freeze.

7. Untested Stuffs
- Haven't tested telephony-related stuffs as I'm not using a SIM card on the tablet yet.
- Haven't tested fingerprint sensors as I'm not using it.

There are still some functionalities I haven't tested yet, but anyone is free to test if you want to use a GSI.

Special thanks to: ianmacd, phhusson, Bushcat, Vntnox, azteria2000, dron39 and many more...

Original GSI progress issue: here
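
How to tell a sparse image from a raw one, which decides between the dd and simg2img commands in the guide, as an added example that is not part of the original post. It assumes the AOSP sparse image header layout (magic 0xED26FF3A, block size at offset 12, block count at offset 16); the function names and the sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide between dd and simg2img by reading the image header.
# Assumed layout (AOSP sparse format, little-endian, 28-byte file header):
#   0 magic u32 = 0xED26FF3A | 4 major u16 | 6 minor u16 | 8 file_hdr_sz u16
#   10 chunk_hdr_sz u16 | 12 blk_sz u32 | 16 total_blks u32 | 20 total_chunks u32
#   24 image_checksum u32

# le_field FILE OFFSET LENGTH -> decimal value of a little-endian unsigned field
le_field() {
    val=0 mult=1
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1"); do
        val=$((val + b * mult))
        mult=$((mult * 256))
    done
    echo "$val"
}

# image_kind FILE -> prints "sparse" or "raw"; returns 2 if the file is unreadable
image_kind() {
    [ -r "$1" ] || return 2
    # Anything shorter than the 28-byte header cannot be a sparse image.
    [ "$(( $(wc -c < "$1") ))" -ge 28 ] || { echo raw; return 0; }
    if [ "$(le_field "$1" 0 4)" -eq "$((0xED26FF3A))" ]; then
        echo sparse
    else
        echo raw
    fi
}

# sparse_expanded_bytes FILE -> bytes written once unsparsed (blk_sz * total_blks)
sparse_expanded_bytes() {
    echo $(( $(le_field "$1" 12 4) * $(le_field "$1" 16 4) ))
}

# flash_plan IMAGE TARGET_BYTES -> prints "dd" or "simg2img", or an error if the
# image would not fit into a target of TARGET_BYTES bytes
flash_plan() {
    img=$1 target=$2
    kind=$(image_kind "$img") || { echo "error: cannot read $img"; return 2; }
    if [ "$kind" = sparse ]; then
        need=$(sparse_expanded_bytes "$img"); tool=simg2img
    else
        need=$(( $(wc -c < "$img") )); tool=dd
    fi
    if [ "$need" -gt "$target" ]; then
        echo "error: $kind image needs $need bytes, target holds $target"
        return 1
    fi
    echo "$tool"
}

# make_sample_sparse PATH -> writes a constructed 28-byte sparse header
# (version 1.0, blk_sz 4096, total_blks 2); this is not a real firmware image
make_sample_sparse() {
    printf '\072\377\046\355\001\000\000\000\034\000\014\000' > "$1"
    printf '\000\020\000\000\002\000\000\000\000\000\000\000\000\000\000\000' >> "$1"
}

# Demo on the constructed header.
demo=$(mktemp)
make_sample_sparse "$demo"
echo "kind=$(image_kind "$demo") expanded=$(sparse_expanded_bytes "$demo") plan=$(flash_plan "$demo" 8192)"
rm -f "$demo"
```

On the device, the target size to pass to flash_plan can be read with `blockdev --getsize64 /dev/block/dm-0`.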
 

sambow23

Senior Member
I finally got this working on my SM-T970. Though I had some troubles getting it working by following your instructions exactly, it would still boot loop even after neutralizing vbmeta.img (perhaps I changed the wrong offset?). Though for some reason flashing magisk made it boot perfectly? I assume Magisk disables AVB entirely or something. Thank you for this guide, may this tablet live a long life thanks to treble!
 
  • Like
Reactions: TiTiB

ucool38

New member
Jun 26, 2016
1
0
I finally got this working on my SM-T970. Though I had some troubles getting it working by following your instructions exactly, it would still boot loop even after neutralizing vbmeta.img (perhaps I changed the wrong offset?). Though for some reason flashing magisk made it boot perfectly? I assume Magisk disables AVB entirely or something. Thank you for this guide, may this tablet live a long life thanks to treble!
I also got an SM-T970, please help me to get back to Android 10... Most of the games which I play crash in the middle on Android 11... Can you please help me to do what you did... I am new to these custom ROMs and flashing, so help me.
 

ivanox1972

Senior Member
Sep 26, 2011
2,087
221
As I know, you can't. All android 10 bootloaders are XXU1 - if you upgraded to XXU2 then nothing can be done.
 

LSS4181

Senior Member
Mar 13, 2012
460
161
Google Pixel C
Razer Phone 2
As I know, you can't. All android 10 bootloaders are XXU1 - if you upgraded to XXU2 then nothing can be done.
Sorry, didn't notice there were new posts in my actual thread...

While you certainly can't flash XXU1 firmware via Odin once you upgraded to XXU2, you can follow the instructions to use dd in TWRP to flash the logical partitions. This is how I used to flash vendor image extracted from Android 10 FW, as due to SELinux policy issues, Android 11 vendor does not work well with GSIs on Samsung Qualcomm devices in general. Magisk won't work, and the tablet would semi-brick if you attempt to use Securize from Phh-Treble settings.

While I mostly use Android 11 GSIs, the same should work with Android 10 GSIs of your choice, but I haven't tested, as most A10 GSIs are no longer maintained. GSI image of your choice (/system) and A10 vendor (/vendor) are all you need, as GSIs do not care about /odm and /product so it's safe to leave them as-is.

A WARNING: I DO NOT recommend flashing A10 stock FW using this method as you're literally violating the rollback protection which has the risk of causing A HARD BRICK!!! Similar cases have happened on other devices of other vendors before.

ONE MORE WARNING: Due to the ongoing case of Samsung disabling cameras on Z Fold 3, I seriously advise against upgrading the device any further, especially in case a XXU3 firmware comes out in the future, as there are potential signs that such crippling behavior might spread to existing devices.
 

ivanox1972

Senior Member
Sep 26, 2011
2,087
221
@LSS4181 thanks for the deep explanation, but I'm afraid my level is not high enough to understand all of this. I am also tempted to try a GSI but don't want to risk a lot...
So, can it be installed over stock android 11, new bootloader XXU2?
Thanks
 

LSS4181

Senior Member
Mar 13, 2012
460
161
Google Pixel C
Razer Phone 2
@LSS4181 thanks for the deep explanation, but I'm afraid my level is not high enough to understand all of this. I am also tempted to try a GSI but don't want to risk a lot...
So, can it be installed over stock android 11, new bootloader XXU2?
Thanks
I can't guarantee A10 GSI will work on such environment, but GSIs probably won't have issues with rollback protections. It's just stock ROM might have something that would do dirty stuffs in case such violation happens so I personally would not recommend such use case.

However, A11 GSIs will certainly work fine, just that with A10 vendor you need to use DragKernel as the stock one has a watchdog that'll reboot the system after 100 seconds.
 

zxczxc4

Member
Nov 17, 2011
15
4
@LSS4181 - thank you for the guide, I've had a T970 for nearly 1 year now, always wanted to run a custom rom on it!


I've tried your guide twice now, but it results in failures for me.
I've unlocked the bootloader, flashed TWRP (twrp-gts7xl-3.5.0_10-A11_3_ianmacd.img), running ATK3.
Not sure if TWRP for Android 11 and ATK3 being Android 10 makes a difference?

I extracted a vbmeta.img.lz4 from the ATK3 pack online, decompressed it to get the vbmeta.img, and wrote 0x03 to decimal offset 123.
(Tried to follow the instructions exactly)

I think it's the flashing/dd part.
After I dd the gsi img to dm-0, I can not reflash the multidisabler anymore. It tells me something like:
"Failed to mount '/system_root' (Invalid argument)"
Then, I can't even mount 'system' in TWRP, the checkbox is unselectable.

To get back to a working state, I have reflashed the stock rom (ATK3).

The GSI I tried to use was: system-roar-arm64-ab-vanilla.img.xz - from AOSP 11.0 v313
Is this the correct version to use (A, A/B etc?)
And how can I tell if the image file is sparsed or not?


Any input is appreciated, thank you!
 
  • Like
Reactions: TiTiB

LSS4181

Senior Member
Mar 13, 2012
460
161
Google Pixel C
Razer Phone 2
@LSS4181 - thank you for the guide, I've had a T970 for nearly 1 year now, always wanted to run a custom rom on it!


I've tried your guide twice now, but it results in failures for me.
I've unlocked the bootloader, flashed TWRP (twrp-gts7xl-3.5.0_10-A11_3_ianmacd.img), running ATK3.
Not sure if TWRP for Android 11 and ATK3 being Android 10 makes a difference?

I extracted a vbmeta.img.lz4 from the ATK3 pack online, decompressed it to get the vbmeta.img, and wrote 0x03 to decimal offset 123.
(Tried to follow the instructions exactly)

I think it's the flashing/dd part.
After I dd the gsi img to dm-0, I can not reflash the multidisabler anymore. It tells me something like:
"Failed to mount '/system_root' (Invalid argument)"
Then, I can't even mount 'system' in TWRP, the checkbox is unselectable.

To get back to a working state, I have reflashed the stock rom (ATK3).

The GSI I tried to use was: system-roar-arm64-ab-vanilla.img.xz - from AOSP 11.0 v313
Is this the correct version to use (A, A/B etc?)
And how can I tell if the image file is sparsed or not?


Any input is appreciated, thank you!
Uh... I should have mentioned earlier. Multi-Disabler expects /system_root to be mountable r/w, which cannot be done with a non-vndklite GSI.

As such, to disable encryption, you'll initially need to flash a vndklite GSI, or simply just do that before you actually flash the GSI (stock ROM can be mounted r/w). As Multi-Disabler is only needed once per /vendor flash, you'll be able to use non-vndklite GSI afterwards.

EDIT: If you are experienced in modifying recovery zips, you can edit the Multi-Disabler install script and comment out the parts actually involving /system or /system_root.

EDIT 2: I just realized this... I recall that phh AOSP GSI is sparsed. You need to use simg2img command instead of dd to flash it.
 
  • Like
Reactions: TiTiB and zxczxc4

zxczxc4

Member
Nov 17, 2011
15
4
@LSS4181 - thank you for the reply.

I am not sure if the images I was trying to use were sparsed or not.
Since you mentioned vndklite images, I tried those - `simg2img` told me that the hash/magic was not valid, so at least these ones are not sparsed.
But good idea to attempt to use `simg2img` if you are not sure about an image, it doesn't hurt to try.

I flashed phh's v313 ab vndklite image, my device was stuck on the samsung boot screen for about 10 minutes (the screen with "your device is unlocked" etc...) I then held some buttons to force reboot/power down. I powered back on and I finally saw the rom booting.
Vanilla AOSP was a bit boring, so flashed LOS 18.x (vndklite again) and that is great. Dark mode can be made BLACK which I really appreciate.

No issues with the watchdog/no reboot after 100 seconds.

I did try to install microg... tried to install (adb push) to /system/priv-data but must have done something wrong.
It gave me bootloops, tried to reflash the gsi twice but didn't seem to change anything... :(
I ended up reflashing stock again, repeated the whole process (apart from microg!) and my system is up working again.

I should go and ask on the lineage os gsi thread for advice about microg.

Thanks again for the guide.
 

sambow23

Senior Member
@LSS4181 - thank you for the reply.

I am not sure if the images I was trying to use were sparsed or not.
Since you mentioned vndklite images, I tried those - `simg2img` told me that the hash/magic was not valid, so at least these ones are not sparsed.
But good idea to attempt to use `simg2img` if you are not sure about an image, it doesn't hurt to try.

I flashed phh's v313 ab vndklite image, my device was stuck on the samsung boot screen for about 10 minutes (the screen with "your device is unlocked" etc...) I then held some buttons to force reboot/power down. I powered back on and I finally saw the rom booting.
Vanilla AOSP was a bit boring, so flashed LOS 18.x (vndklite again) and that is great. Dark mode can be made BLACK which I really appreciate.

No issues with the watchdog/no reboot after 100 seconds.

I did try to install microg... tried to install (adb push) to /system/priv-data but must have done something wrong.
It gave me bootloops, tried to reflash the gsi twice but didn't seem to change anything... :(
I ended up reflashing stock again, repeated the whole process (apart from microg!) and my system is up working again.

I should go and ask on the lineage os gsi thread for advice about microg.

Thanks again for the guide.
You could always flash magisk and use the microg module, works perfectly for me
 

zxczxc4

Member
Nov 17, 2011
15
4
You could always flash magisk and use the microg module, works perfectly for me
That's exactly what I ended up doing.
Originally I wanted to avoid the 'newer' style, using Magisk etc, it seems more complicated than just using a rom that is already rooted. For my use case of this device, I don't care about safetynet etc, don't care about keeping system untouched etc.

BUT! Flashing Magisk was so easy, no need to patch any images... I simply flashed the latest version of the Magisk apk via TWRP.
On restart, Magisk app wanted to finish the install itself... but failed? So I simply installed the same apk myself, and it's been working perfectly :)
 
  • Like
Reactions: TiTiB

TiTiB

Senior Member
Jun 19, 2015
926
733
Earth, for now
Thank you @LSS4181 for the exquisitely detailed instructions! I think I have enough experience with this stuff to be successful, but have not yet bought this tablet to try it (currently using a rooted, debloated S6).

Questions:
  • Which vendor does it ship with? ATK3? I wouldn't do any upgrades when I got it, but would immediately start flashing.
  • Has anyone successfully used XPrivacyLua (XPL) on this? I currently use XPL Pro, and I know that it depends on a working EdXposed (or Lsposed, which I've never used) which requires a working Magisk. From reading this thread, the Magisk part seems Okay, but what about Ed/L Xposed?
Thanks again.
 

sambow23

Senior Member
Thank you @LSS4181 for the exquisitely detailed instructions! I think I have enough experience with this stuff to be successful, but have not yet bought this tablet to try it (currently using a rooted, debloated S6).

Questions:
  • Which vendor does it ship with? ATK3? I wouldn't do any upgrades when I got it, but would immediately start flashing.
  • Has anyone successfully used XPrivacyLua (XPL) on this? I currently use XPL Pro, and I know that it depends on a working EdXposed (or Lsposed, which I've never used) which requires a working Magisk. From reading this thread, the Magisk part seems Okay, but what about Ed/L Xposed?
Thanks again.
XPrivacyLua/LSPosed does work, I'm able to pass safetynet thanks to it
 
  • Like
Reactions: TiTiB and zxczxc4

LSS4181

Senior Member
Mar 13, 2012
460
161
Google Pixel C
Razer Phone 2
Thank you @LSS4181 for the exquisitely detailed instructions! I think I have enough experience with this stuff to be successful, but have not yet bought this tablet to try it (currently using a rooted, debloated S6).

Questions:
  • Which vendor does it ship with? ATK3? I wouldn't do any upgrades when I got it, but would immediately start flashing.
  • Has anyone successfully used XPrivacyLua (XPL) on this? I currently use XPL Pro, and I know that it depends on a working EdXposed (or Lsposed, which I've never used) which requires a working Magisk. From reading this thread, the Magisk part seems Okay, but what about Ed/L Xposed?
Thanks again.
I got my tablet early so it was on an earlier version than ATK3.

If your device ships with BUBB or before, you should be able to downgrade directly if you know how to use Odin.

Flashing ATK3 (or earlier) vendor via dd from TWRP is only needed if your device is on BUC1 or later, as from that version onwards SW REV has been incremented so you can't downgrade via Odin anymore.
 
  • Like
Reactions: TiTiB

TiTiB

Senior Member
Jun 19, 2015
926
733
Earth, for now
Thanks ag
I got my tablet early so it was on an earlier version than ATK3.

If your device ships with BUBB or before, you should be able to downgrade directly if you know how to use Odin.

Flashing ATK3 (or earlier) vendor via dd from TWRP is only needed if your device is on BUC1 or later, as from that version onwards SW REV has been incremented so you can't downgrade via Odin anymore.
Thanks again for the detailed response. The info you've shared gives me confidence. Now I just need to convince myself that I 'need' to buy it. 😉
 

AnonVendetta

Senior Member
Apr 29, 2016
1,112
433
Portland, OR
@LSS4181: I've been running the stock Android 11 firmware since I bought the Tab S7+ SM-T970, about halfway into this year. Mine shipped with a version 2 bootloader, so there is no possibility of running stock 10 for me.

Then I saw your note about Bluetooth earbuds not working. This would be a big deal for me on a GSI. I don't want to use a USB C headphone jack adapter, since it would prevent charging while using them. And it would wear out the charging port by constantly inserting/removing.

What BT earbuds do you use? Does it happen on all GSIs that you've tried? I saw your recent issue on GitHub, and noticed that no one else has commented.

GApps is another big deal for me, a must have. I used to use MicroG on my daily driver devices, but stopped using it about a year ago due to issues that I was unable to find solutions for.

Can you elaborate a bit more on how to modify vbmeta and what to change? I'm not particularly skilled with the usage of hex editors, so not sure how to proceed here or what to edit.

I know there will probably be issues inherent to running a GSI, but I'd like to change things up a bit and experiment. If I don't like what I see, I can always return to stock rooted. I'm not a big fan of stock firmwares, but so far it has been very stable for me. However, if I can get a custom ROM like AOSP, RR, LOS, etc running reliably, then I'd definitely switch. There are no features on stock besides Dex and Secure Folder, that are compelling enough to make me stay on it.
 

sambow23

Senior Member
@LSS4181: I've been running the stock Android 11 firmware since I bought the Tab S7+ SM-T970, about halfway into this year. Mine shipped with a version 2 bootloader, so there is no possibility of running stock 10 for me.

Then I saw your note about Bluetooth earbuds not working. This would be a big deal for me on a GSI. I don't want to use a USB C headphone jack adapter, since it would prevent charging while using them. And it would wear out the charging port by constantly inserting/removing.

What BT earbuds do you use? Does it happen on all GSIs that you've tried? I saw your recent issue on GitHub, and noticed that no one else has commented.

GApps is another big deal for me, a must have. I used to use MicroG on my daily driver devices, but stopped using it about a year ago due to issues that I was unable to find solutions for.

Can you elaborate a bit more on how to modify vbmeta and what to change? I'm not particularly skilled with the usage of hex editors, so not sure how to proceed here or what to edit.

I know there will probably be issues inherent to running a GSI, but I'd like to change things up a bit and experiment. If I don't like what I see, I can always return to stock rooted. I'm not a big fan of stock firmwares, but so far it has been very stable for me. However, if I can get a custom ROM like AOSP, RR, LOS, etc running reliably, then I'd definitely switch. There are no features on stock besides Dex and Secure Folder, that are compelling enough to make me stay on it.
Bluetooth audio works if you disable the a2dp hardware offload in the phh treble app
 
  • Like
Reactions: TiTiB

LSS4181

Senior Member
Mar 13, 2012
460
161
Google Pixel C
Razer Phone 2
@LSS4181: I've been running the stock Android 11 firmware since I bought the Tab S7+ SM-T970, about halfway into this year. Mine shipped with a version 2 bootloader, so there is no possibility of running stock 10 for me.

Then I saw your note about Bluetooth earbuds not working. This would be a big deal for me on a GSI. I don't want to use a USB C headphone jack adapter, since it would prevent charging while using them. And it would wear out the charging port by constantly inserting/removing.

What BT earbuds do you use? Does it happen on all GSIs that you've tried? I saw your recent issue on GitHub, and noticed that no one else has commented.

GApps is another big deal for me, a must have. I used to use MicroG on my daily driver devices, but stopped using it about a year ago due to issues that I was unable to find solutions for.

Can you elaborate a bit more on how to modify vbmeta and what to change? I'm not particularly skilled with the usage of hex editors, so not sure how to proceed here or what to edit.

I know there will probably be issues inherent to running a GSI, but I'd like to change things up a bit and experiment. If I don't like what I see, I can always return to stock rooted. I'm not a big fan of stock firmwares, but so far it has been very stable for me. However, if I can get a custom ROM like AOSP, RR, LOS, etc running reliably, then I'd definitely switch. There are no features on stock besides Dex and Secure Folder, that are compelling enough to make me stay on it.
Bluetooth audio works if you disable the a2dp hardware offload in the phh treble app
Don't know if audio issues might be caused by using a different kernel (as I've switched to using DragKernel for this tablet). I don't recommend using stock kernel, though, due to a nasty 100-second watchdog that you need to manually disable after system startup (DragKernel has that removed from config).

I recall it's possible to patch vbmeta using Magisk now. Simply provide the vbmeta of your FW version to Magisk and it'll patch it for you. I haven't tried, though, as I always do this by hand with a hex editor (it's just to change a single byte, which the recent Magisk versions would do).

Back then I couldn't get the device certified so I switched to microG which is working well. I recommend using NanoDroid as it comes with a modded Play Store which allows you to purchase apps as well as IAPs. The modded Play Store still works, despite being quite dated.

I don't really have anything blocking me from using microG now. If you need real GApps and know about the workflow for uncertified devices, you may try flashing a bgN flavor GSI as opposed to bvN (g means the GSI ships with GApps).
 
  • Like
Reactions: TiTiB
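
A read-only check of the vbmeta flags byte discussed in this thread (0x03 at decimal offset 123), added here as an example and not taken from any poster or from Magisk. It assumes the AOSP libavb header layout, with the magic AVB0 at offset 0 and a 32-bit big-endian flags field at offsets 120 to 123; function names and sample images are constructed.

```shell
#!/bin/sh
# Added example: confirm that a hand-edited vbmeta.img changed only the flags
# field. Assumed layout (AOSP libavb): "AVB0" at offset 0, 256-byte header,
# flags u32 big-endian at offsets 120..123, bit 0 = hashtree disabled,
# bit 1 = verification disabled. Nothing here writes to the image.

# be_field FILE OFFSET LENGTH -> decimal value of a big-endian unsigned field
be_field() {
    val=0
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1"); do
        val=$((val * 256 + b))
    done
    echo "$val"
}

# vbmeta_flags FILE -> prints the flags value; returns 1 if FILE is not vbmeta
vbmeta_flags() {
    [ -r "$1" ] && [ "$(( $(wc -c < "$1") ))" -ge 256 ] || return 1
    # 0x41564230 is the ASCII string "AVB0" read as a big-endian u32.
    [ "$(be_field "$1" 0 4)" -eq "$((0x41564230))" ] || return 1
    be_field "$1" 120 4
}

# describe_vbmeta FILE -> one-line summary of the two verification flag bits
describe_vbmeta() {
    flags=$(vbmeta_flags "$1") || { echo "not a vbmeta image"; return 1; }
    hashtree=enabled
    verification=enabled
    if [ $((flags & 1)) -ne 0 ]; then hashtree=disabled; fi
    if [ $((flags & 2)) -ne 0 ]; then verification=disabled; fi
    echo "flags=$flags hashtree=$hashtree verification=$verification"
}

# stray_edits STOCK PATCHED -> prints the 0-based offset of every differing
# byte that lies outside the flags field (empty output means a clean edit)
stray_edits() {
    cmp -l "$1" "$2" 2>/dev/null | while read -r pos _old _new; do
        off=$((pos - 1))   # cmp -l counts bytes from 1
        if [ "$off" -lt 120 ] || [ "$off" -gt 123 ]; then echo "$off"; fi
    done
}

# make_sample_vbmeta PATH OCTAL -> constructed 256-byte header whose byte at
# offset 123 is the given three-digit octal value (not a real vbmeta image)
make_sample_vbmeta() {
    {
        printf 'AVB0'
        dd if=/dev/zero bs=1 count=119 2>/dev/null
        printf "\\$2"
        dd if=/dev/zero bs=1 count=132 2>/dev/null
    } > "$1"
}

# Demo on constructed images.
dir=$(mktemp -d)
make_sample_vbmeta "$dir/stock.img" 000
make_sample_vbmeta "$dir/patched.img" 003
echo "stock:   $(describe_vbmeta "$dir/stock.img")"
echo "patched: $(describe_vbmeta "$dir/patched.img")"
echo "bytes changed outside flags: $(stray_edits "$dir/stock.img" "$dir/patched.img" | wc -l)"
rm -rf "$dir"
```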

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    Code:
    /*
    * Your warranty is now void.
    *
    * I am not responsible for bricked devices, dead SD cards,
    * thermonuclear war, or you getting fired because the alarm app failed. Please
    * do some research if you have any concerns about features included in this ROM
    * before flashing it! YOU are choosing to make these modifications, and if
    * you point the finger at me for messing up your device, I will laugh at you.
    */

    This is tested on my SM-T976B, but I think the same should work on other models as well.

    1. WARNING AND DISCLAIMER
    Just unlocking the bootloader will not trip the warranty bit yet, so you can still go back at this point.
    The warranty bit will be tripped (0x1) as soon as you actually try flashing something unofficial via Odin. YOU HAVE BEEN WARNED.

    Make sure you back up all the important files in your internal storage, as you need to disable encryption with Multi-Disabler in order to let TWRP access the data partition, which would require you to format the data partition (wiping everything in the process). Additionally, keep a few nandroid backups with you so you can recover yourself in case something goes wrong.

    2. Requirements
    - Bootloader unlocked
    - ianmacd's TWRP
    - Neutralized vbmeta*
    - vendor.img from Android 10 stock FW (I used ATK3, but any A10 vendor should do)
    - Multi-Disabler

    * An empty vbmeta is not recommended. You need to patch the vbmeta of the stock FW you're currently on.

    3. Flashing
    Since this device uses dynamic partitions. Flashing system images is not as straightforward as before but not impossible.

    azteria2000's GSI Flasher provided a good example on how to use dd/simg2img to flash dynamic partitions using just recovery. This is extremely helpful, as TWRP currently doesn't support fastbootd, which would make flashing even easier.

    (1). Extracting Android 10 vendor.img
    While you can boot recent GSIs with Android 11 vendor, Magisk currently doesn't work with it. Android 10 vendor is required for Magisk to work properly.
    The Android 10 vendor can be extracted from the factory image's super.img. You need to unsparse the image using simg2img then use lpunpack to extract it, and you'll obtain the vendor.img.

    (2). Flashing GSI and Android 10 vendor.img
    The entire flashing process can be done from TWRP.
    NOTE: If you're still on Android 10 (ATK3 or earlier), you can skip flashing vendor and only flash GSI system image.
    NOTE 2: At present, Multi-Disabler expects /system_root to be mountable r/w, which cannot be done with a non-vndklite GSI. As such, if you're about to flash /vendor at this step, use a vndklite GSI, or if you're coming from stock, flash Multi-Disabler before actually flashing GSI (a reboot is needed after flashing /vendor to make it accessible).

    The corresponding block devices for system and vendor are as follows:
    Code:
    /dev/block/dm-0 - system
    /dev/block/dm-1 - vendor
    First set the block devices to r/w so you can flash images.
    Code:
    # blockdev --setrw /dev/block/dm-0
    # blockdev --setrw /dev/block/dm-1
    Now actually flash the images with dd. Change the "if" parts to point to where the GSI system image and Android 10 vendor image are.
    Code:
    # dd if=<GSI image here> of=/dev/block/dm-0 bs=1m
    # dd if=<vendor image here> of=/dev/block/dm-1 bs=1m
    In rare cases that the GSI image you're about to flash is sparsed, run the following command instead of dd. You need to point to your sparsed GSI image here.
    The vendor.img you obtain from super.img is not sparsed and can be flashed directly using the dd command above.
    Code:
    # simg2img <sparsed GSI image here> /dev/block/dm-0
    If nothing goes wrong, you've flashed the GSI as well as Android 10 vendor.
    Android 10 vendor flashed this way will work even if you have upgraded past BUC1 (which blocked the downgrade to Android 10).
    It's advised to reboot recovery before trying to access system and vendor, to avoid potential issues.
    NOTE: If you flashed vendor in this step, DO NOT REBOOT TO SYSTEM JUST YET.

    (3). Flashing Multi-Disabler

    You need to flash Multi-Disabler to disable encryption of internal storage so TWRP could access it.
    If you flashed the vendor.img when flashing GSI, you MUST flash Multi-Disabler again if you have already disabled encryption with it before.
    After flashing Multi-Disabler, you can now try booting to see if the GSI of your choice works.

    4. Important Notes
    (1). Neutralizing Software (Platform) Watchdog

    There's a software (platform) watchdog that by default doesn't get fed while running GSI, causing system to reboot about 100 seconds after boot due to "platform watchdog bite". See this issue and this issue for details.
    It's possible to disable this watchdog after boot, by executing the following command using a root shell.
    Code:
    # echo 'V' > /dev/watchdog
    You need to look for a way to execute the command above at boot to automatically disable the problematic watchdog so the GSI can function normally. There are several ways to do this, like putting the command into a Magisk module's service.sh so it gets executed when the Magisk module loads.
    EDIT: I've filed an issue regarding the matter here. After some testing, it seems /dev/watchdog0 is the real culprit for our device. Disabling either /dev/watchdog or /dev/watchdog0 will work around this.
    UPDATE (2021-09-11): I can confirm that DragKernel is not affected by this issue. The offending watchdog is not present and the system won't reboot after 100 seconds.

    (2). Uncertified Device
    From phh-AOSP v303 onwards, the device is considered uncertified, which will prevent you from logging in to your Google account.
    Manually registering the device is required for using Google Play Services, but for some reason that didn't work for me, so I recommend using NanoDroid with microG if applicable (requires Magisk).

    (3). Offline Charging Icon
    With some GSIs, when powered off, plugging in the charger would make the tablet enter a screen with a white charging battery icon in the middle, that I couldn't easily get out of by pressing POWER button alone. Although I did manage to get out of that screen and boot to the system, I don't really know which button combination is required, and how long I should be holding them. So for now, charging while powered off is not advised...

    5. Working Stuff
    - 120 fps working (by forcing FPS using Phh-Treble Settings).
    - Wi-Fi and Bluetooth work fine.
    - S-Pen works as a pointer device.
    - Alternate Audio Policies (from Phh-Treble Settings) is needed to get audio out through USB Type-C.
    - Front and rear cameras appear to be working.

    6. Not Working Stuff
    - MTP does not appear to work properly for some reason. You'll need ADB for transferring files.
    - USB Type-C audio adapters may or may not work depending on GSI, Kernel or maybe other aspects.
    - Bluetooth audio currently has issues that cause the system to freeze.

    7. Untested Stuff
    - Haven't tested telephony-related stuff as I'm not using a SIM card on the tablet yet.
    - Haven't tested the fingerprint sensor as I'm not using it.

    There are still some functionalities I haven't tested yet, but anyone is free to test if you want to use a GSI.

    Special thanks to: ianmacd, phhusson, Bushcat, Vntnox, azteria2000, dron39 and many more...

    Original GSI progress issue: here
    2
    Doubt anyone will support this much. The issue with these expensive tablets is that not "many" people own them. Rarely do some good devs pop up and happen to own the same device and want to work on it. It's similar with phones: check the custom ROM communities for Samsung phones, for example, and compare them with Xiaomi. Xiaomi has far more devs around and the devices are "more" popular due to their more or less good price-performance ratio.
    I wouldn't call myself an experienced dev, but what I do have is motivation, lots of free time, and technical inclination/aptitude. I actually bought this tab with development in mind. I knew I wouldn't want to run the stock firmware forever, and I also knew that I would eventually want to root/install TWRP/etc.

    When I buy a new Android device, I always check to see if it can be bootloader unlocked. And ideally, that it has a working root/TWRP method. If none of these are the case, I won't buy, simple as that. I'm old school, I believe that the user of the device should be able to change the hardware/software however they see fit. They paid for it, after all.

    I just think it's BS that mobile users have to deal with locked bootloaders, but no such thing exists on PC. And, root access is accessible in Linux distros by default, but on mobile they want you to believe that root is a security risk. As long as it is used responsibly, in the hands of a knowledgeable user, things will generally be fine (excluding the possibility that a malicious person could exploit your root to do bad things).

    And since I personally own a Tab S7+, that would make development a bit easier, being able to do my own tests without relying on the results/reports of others.

    My only real issue with developing for this device, is that I'm not sure where to start, or what other areas of knowledge would be most beneficial as prerequisites to development.

    I plan to keep this device for no less than 3 years, I'm in it for the long haul. I have a tendency to run my hardware into the ground, and won't give them up until they stop working. Even after all these years, I'm still using a Galaxy Note 4 as my daily driver phone, but it's getting long in the tooth, and it's just about time to move on.

    When Samsung has terminated support for this tab and is no longer giving us new Android versions, I'll hopefully still be using it. Unlike many others, I don't upgrade to the latest and greatest hardware as they're released. Which means that by the time the majority of our tab's users/devs have moved on, I'll probably be the last active dev for it.
    2
    As I know, you can't. All android 10 bootloaders are XXU1 - if you upgraded to XXU2 then nothing can be done.
    Sorry, didn't notice there were new posts in my actual thread...

    While you certainly can't flash XXU1 firmware via Odin once you upgraded to XXU2, you can follow the instructions to use dd in TWRP to flash the logical partitions. This is how I used to flash vendor image extracted from Android 10 FW, as due to SELinux policy issues, Android 11 vendor does not work well with GSIs on Samsung Qualcomm devices in general. Magisk won't work, and the tablet would semi-brick if you attempt to use Securize from Phh-Treble settings.

    While I mostly use Android 11 GSIs, the same should work with Android 10 GSIs of your choice, but I haven't tested, as most A10 GSIs are no longer maintained. GSI image of your choice (/system) and A10 vendor (/vendor) are all you need, as GSIs do not care about /odm and /product so it's safe to leave them as-is.

    A WARNING: I DO NOT recommend flashing A10 stock FW using this method as you're literally violating the rollback protection which has the risk of causing A HARD BRICK!!! Similar cases have happened on other devices of other vendors before.

    ONE MORE WARNING: Due to the ongoing case of Samsung disabling cameras on Z Fold 3, I seriously advise against upgrading the device any further, especially in case a XXU3 firmware comes out in the future, as there are potential signs that such crippling behavior might spread to existing devices.
    2
    @LSS4181 - thank you for the guide, I've had a T970 for nearly 1 year now, always wanted to run a custom rom on it!


    I've tried your guide twice now, but it results in failures for me.
    I've unlocked the bootloader, flashed TWRP (twrp-gts7xl-3.5.0_10-A11_3_ianmacd.img), running ATK3.
    Not sure if TWRP for Android 11 and ATK3 being Android 10 makes a difference?

    I extracted a vbmeta.img.lz4 from the ATK3 pack online, decompressed it to get the vbmeta.img, and wrote 0x03 to decimal offset 123.
    (Tried to follow the instructions exactly)

    I think it's the flashing/dd part.
    After I dd the gsi img to dm-0, I can not reflash the multidisabler anymore. It tells me something like:
    "Failed to mount '/system_root' (Invalid argument)"
    Then, I can't even mount 'system' in TWRP, the checkbox is unselectable.

    To get back to a working state, I have reflashed the stock rom (ATK3).

    The GSI I tried to use was: system-roar-arm64-ab-vanilla.img.xz - from AOSP 11.0 v313
    Is this the correct version to use (A, A/B etc?)
    And how can I tell if the image file is sparsed or not?


    Any input is appreciated, thank you!
    Uh... I should have mentioned earlier. Multi-Disabler expects /system_root to be mountable r/w, which cannot be done with a non-vndklite GSI.

    As such, to disable encryption, you'll initially need to flash a vndklite GSI, or simply just do that before you actually flash the GSI (stock ROM can be mounted r/w). As Multi-Disabler is only needed once per /vendor flash, you'll be able to use non-vndklite GSI afterwards.

    EDIT: If you are experienced in modifying recovery zips, you can edit the Multi-Disabler install script and comment out the parts actually involving /system or /system_root.

    EDIT 2: I just realized this... I recall that phh AOSP GSI is sparsed. You need to use simg2img command instead of dd to flash it.
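The guide's dd-versus-simg2img step and the question above about telling whether an image is sparsed both come down to the image header. The following is an added example, not code from the thread or from any tool it mentions: it reads the Android sparse image magic and block counts, and prints which of the guide's two commands applies. Function names are hypothetical, and the size check is an added precaution.

```shell
#!/bin/sh
# Added example: pick dd or simg2img from the image header, not by guessing.
# Android sparse header (little-endian): magic u32 0xED26FF3A at offset 0,
# blk_sz u32 at offset 12, total_blks u32 at offset 16.
# Function names are hypothetical; nothing here writes to a device.

# Read an unsigned little-endian 32-bit value at byte offset $2 of file $1.
le32() {
    set -- $(od -An -v -tu1 -j "$2" -N 4 "$1")
    [ $# -eq 4 ] || return 1          # file too short for this field
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Print "sparse" or "raw" for image file $1.
image_kind() {
    if [ "$(le32 "$1" 0 2>/dev/null)" = "$((0xED26FF3A))" ]; then
        echo sparse
    else
        echo raw
    fi
}

# Print the number of bytes the image occupies once written out.
unpacked_size() {
    if [ "$(image_kind "$1")" = sparse ]; then
        echo $(( $(le32 "$1" 12) * $(le32 "$1" 16) ))
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Print (do not run) the guide's command for image $1 and device $2.
# $3 is the device size in bytes, e.g. from: blockdev --getsize64 "$2"
# Added precaution: refuse if the unpacked image would not fit.
flash_cmd() {
    need=$(unpacked_size "$1")
    if [ $(( need > $3 )) -eq 1 ]; then
        echo "refuse: image needs $need bytes, device has $3" >&2
        return 1
    fi
    case $(image_kind "$1") in
        sparse) echo "simg2img $1 $2" ;;
        raw)    echo "dd if=$1 of=$2 bs=1m" ;;
    esac
}
```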
    2
    Thank you @LSS4181 for the exquisitely detailed instructions! I think I have enough experience with this stuff to be successful, but have not yet bought this tablet to try it (currently using a rooted, debloated S6).

    Questions:
    • Which vendor does it ship with? ATK3? I wouldn't do any upgrades when I got it, but would immediately start flashing.
    • Has anyone successfully used XPrivacyLua (XPL) on this? I currently use XPL Pro, and I know that it depends on a working EdXposed (or LSPosed, which I've never used) which requires a working Magisk. From reading this thread, the Magisk part seems okay, but what about Ed/L Xposed?
    Thanks again.
    XPrivacyLua/LSPosed does work, I'm able to pass SafetyNet thanks to it