General Lenovo Xiaoxin pad 2022

Search This thread

famicom9x

Member
Oct 12, 2019
36
5
Lenovo Xiaoxin pad 2022
Lenovo Original Pad 2022 Xiaoxin Tablet
1) 2K screen, 10.6-inch LCD, Rhine low blue light eye protection, 400nits brightness
2) Four speakers stereo, Dolby panoramic professional sound
3) With reading mode, Eye protection mode
4) Lightweight body, 465g, two-color and two-material splicing design
5) Large battery, 7700mAh (typ.)
6)Cpu:Qualcomm snapdragon 680 eight cores
SNAG-0004.png

SNAG-0005.png
SNAG-0006.png
SNAG-0007.png


SNAG-0008.png

source: https://www.aliexpress.com/item/1005004442621244.html?spm=a2g0o.search0304.0.0.319c7c3769T5NN&algo_pvid=f5c19baa-67f3-409b-a16b-f96393d2378e&aem_p4p_detail=202208150436174061406822916800073988687&algo_exp_id=f5c19baa-67f3-409b-a16b-f96393d2378e-1&pdp_ext_f={"sku_id":"12000029195651242"}&[email protected][email protected]!12000029195651242!sea
 
Last edited:

graywolves_xc

New member
Jul 7, 2022
4
1
I bought the global rom p11 2022.
It's unlocked, reported as DRM L3, and doesn't appear to have an OTA update. I want to return to the stock rom, but I can't find it.
 

graywolves_xc

New member
Jul 7, 2022
4
1
Flashed magisk?still L3?
Attempted to relock the bootloader to recover L1, but failed.
used LMSA for global rom update but it bricked it. Could not find Chinese ROM to recover.
so I flashed the Treble GSI CAOS11 and it works fine.
The DRM is still L3 as the bootloader is still unlocked. MAGISK did not try.
 
Last edited:

FakeSky!

New member
Oct 23, 2013
4
0
Do the Tab P11 accessories work for it? Looks good as an upgrade I find the P11 a tad sluggish at times and Snapdragon 680 efficiency over 662 looks awesome
 

Dimon1982

Member
Aug 30, 2016
16
0
40
Attempted to relock the bootloader to recover L1, but failed.
used LMSA for global rom update but it bricked it. Could not find Chinese ROM to recover.
so I flashed the Treble GSI CAOS11 and it works fine.
The DRM is still L3 as the bootloader is still unlocked. MAGISK did not try.
Please tell me how you managed to flash it on GSI? After the global firmware, my tablet does not turn on, it hangs in 9008 mode
 

random_name5917

New member
Aug 5, 2022
1
0
Please tell me how you managed to flash it on GSI? After the global firmware, my tablet does not turn on, it hangs in 9008 mode
For me the following worked (tried with CAOS11, Lineage 19.1 and Pixel Experience Plus):

Go into fastboot by holding power + one of the volume keys
Select recovery mode
Factory reset
Go back into fastboot mode
On the connected PC:
fastboot --set-active=a
fastboot erase system
fastboot flash system rom.img
Go back into recovery and factory reset again for good measure

No matter what I tried though I couldn't get it to boot from slot B.
 

Top Liked Posts

  • 2
    UPDATE: by accident, I got the tablet working again by:
    1. (accidently) erasing the first physical partition (lun0) . I used a modified version of emmcdl, but you could also use QFIL or the "edl" tool.
    2. telling QFIL to download lun0 again, by running with only rawprogram0.xml
    3. restoring my oem and frp backups
    LESSON: if you're going to play with this tablet, make sure you backup the oem and frp partitions.

    Can anyone PM me the abl.elf file from TB128FU_S300168_220916_ROW ? I want to check how it was compiled. Thanks.

    ---- original post ----
    I have a global TB-128FU running TB128FU_S000058_220816_ROW. I've been playing around with it and very successfully bricked it.

    But I thought I'd share what I learned about the device's bootloader. Hopefully it helps with further development on this tablet.

    bootloader

    The bootloader is contained in the abl.elf file. It is called LinuxLoader.efi.

    The bootloader was not compiled with the ENABLE_UPDATE_PARTITIONS_CMDS and ENABLE_DEVICE_CRITICAL_LOCK_UNLOCK_CMDS flags. That's why bootloader commands are limited. This means that the bootloader does not recognise flash, erase, set_active, flashing get-unlock-ability, flashing unlock, flashing lock, flashing unlock_critical and flashing lock_critical commands from the fastboot utility. Some of those commands might work in fastbootd, but I didn't test that before I bricked my tablet.

    Hopefully Lenovo will compile the bootloader with those flags enabled in the next OTA.

    oem unlock-flash

    There are some fastboot oem commands, including fastboot oem unlock-flash. But that command seems to relate to a device state, rather than un/locking the bootloader.

    The device state is "unlocked" when byte 0x20 of the lenovolock partition is set to 0x02. It is "locked" when byte 0x20 is set to 0x01. DO NOT set byte 0x20 to 0x01. You will lock your device...just like I did. And I think you'd probably lock your device by running fastboot oem lock-flash. So DO NOT run fastboot oem lock-flash either.

    When byte 0x20 is set to 0x01, you can read from the device but you can't write to it. So you can enter bootloader, fastbootd, edl and stock recovery. You can query the device and read from the device in those modes, but you can't write to the device. So emmcdl, qfil, LMSA etc are all denied permission to write to the device. The bootloader can't flash/erase because it doesn't recognise those commands. Android just bootloops.

    There is a process to set byte 0x20 back to 0x02 using the bootloader, but it requires a private RSA key - which is presumably in Lenovo's labs. The process is:
    1. run fastboot oem getRandom. This gives you two random hex numbers.
    2. use SHA256 to create a hash of a message (without the brackets): <random#1><serialno><random#2>
    3. sign the hash with the correct private RSA key. The paired public RSA key is hardcoded in the bootloader.
    4. run fastboot oem token multiple times passing first the hash and then the signature in 32-byte chunks. The last fastboot oem token command will tell you it's okay to run the unlock-flash command.
    5. run fastboot oem unlock-flash. If it accepts your hash and signature, it will set byte 0x20 of lenovolock to 0x02 and erase the lenovoraw and lenovocust partitions.
    You have to run those commands in exactly that order, or you'll get errors.

    I'd love to get this to work, because it's the only way I can unbrick my tablet. But none of the private RSA keys I could find on the stock ROM are the correct pair for the bootloader's hardcoded public RSA key. If anyone has the correct key, I promise I won't share it if you PM it to me. ;)

    Or if anyone knows a way to flash my backup of lenovolock.img, I'd love to hear it. Remember - I can't use edl, fastboot, fastbootd or stock recovery to write to the device...and I can't get into Android to use adb. I think I have a shiny new paperweight.
  • 2
    UPDATE: by accident, I got the tablet working again by:
    1. (accidently) erasing the first physical partition (lun0) . I used a modified version of emmcdl, but you could also use QFIL or the "edl" tool.
    2. telling QFIL to download lun0 again, by running with only rawprogram0.xml
    3. restoring my oem and frp backups
    LESSON: if you're going to play with this tablet, make sure you backup the oem and frp partitions.

    Can anyone PM me the abl.elf file from TB128FU_S300168_220916_ROW ? I want to check how it was compiled. Thanks.

    ---- original post ----
    I have a global TB-128FU running TB128FU_S000058_220816_ROW. I've been playing around with it and very successfully bricked it.

    But I thought I'd share what I learned about the device's bootloader. Hopefully it helps with further development on this tablet.

    bootloader

    The bootloader is contained in the abl.elf file. It is called LinuxLoader.efi.

    The bootloader was not compiled with the ENABLE_UPDATE_PARTITIONS_CMDS and ENABLE_DEVICE_CRITICAL_LOCK_UNLOCK_CMDS flags. That's why bootloader commands are limited. This means that the bootloader does not recognise flash, erase, set_active, flashing get-unlock-ability, flashing unlock, flashing lock, flashing unlock_critical and flashing lock_critical commands from the fastboot utility. Some of those commands might work in fastbootd, but I didn't test that before I bricked my tablet.

    Hopefully Lenovo will compile the bootloader with those flags enabled in the next OTA.

    oem unlock-flash

    There are some fastboot oem commands, including fastboot oem unlock-flash. But that command seems to relate to a device state, rather than un/locking the bootloader.

    The device state is "unlocked" when byte 0x20 of the lenovolock partition is set to 0x02. It is "locked" when byte 0x20 is set to 0x01. DO NOT set byte 0x20 to 0x01. You will lock your device...just like I did. And I think you'd probably lock your device by running fastboot oem lock-flash. So DO NOT run fastboot oem lock-flash either.

    When byte 0x20 is set to 0x01, you can read from the device but you can't write to it. So you can enter bootloader, fastbootd, edl and stock recovery. You can query the device and read from the device in those modes, but you can't write to the device. So emmcdl, qfil, LMSA etc are all denied permission to write to the device. The bootloader can't flash/erase because it doesn't recognise those commands. Android just bootloops.

    There is a process to set byte 0x20 back to 0x02 using the bootloader, but it requires a private RSA key - which is presumably in Lenovo's labs. The process is:
    1. run fastboot oem getRandom. This gives you two random hex numbers.
    2. use SHA256 to create a hash of a message (without the brackets): <random#1><serialno><random#2>
    3. sign the hash with the correct private RSA key. The paired public RSA key is hardcoded in the bootloader.
    4. run fastboot oem token multiple times passing first the hash and then the signature in 32-byte chunks. The last fastboot oem token command will tell you it's okay to run the unlock-flash command.
    5. run fastboot oem unlock-flash. If it accepts your hash and signature, it will set byte 0x20 of lenovolock to 0x02 and erase the lenovoraw and lenovocust partitions.
    You have to run those commands in exactly that order, or you'll get errors.

    I'd love to get this to work, because it's the only way I can unbrick my tablet. But none of the private RSA keys I could find on the stock ROM are the correct pair for the bootloader's hardcoded public RSA key. If anyone has the correct key, I promise I won't share it if you PM it to me. ;)

    Or if anyone knows a way to flash my backup of lenovolock.img, I'd love to hear it. Remember - I can't use edl, fastboot, fastbootd or stock recovery to write to the device...and I can't get into Android to use adb. I think I have a shiny new paperweight.
    1
    For your information, the pad TB128FU (Xiaoxin wifi pad 2022) is now shipped with the Global Firm. TB128FU_S300168_220916_ROW. No idea of enhancements regarding TB128FU_S000047_220612_ROW .zip

    EDIT: Be careful some seller still ship this tablet with TB128FU_S000020_220309. In that case, the tablet is renamed K10 pro instead of Tab M10 Gen 3 and it dispalys a warning message at boot.

    So far I haven't found any solution to update from TB128FU_S000020_220309 to TB128FU_S000058_2208162203_Q00126_ROW or TB128FU_S300168_220916_ROW
  • 3
    I am an author of the post you attached. It's written pretty simple so you can translate it using Google Translate.
    Can you give me a detailed video on how to install rom global Pad 2022? thanks you
    2
    Global version of this tablet is Tab M10 Plus Gen 3. Has same model name. afaik there are some sellers that already install global rom on it.
    2
    UPDATE: by accident, I got the tablet working again by:
    1. (accidently) erasing the first physical partition (lun0) . I used a modified version of emmcdl, but you could also use QFIL or the "edl" tool.
    2. telling QFIL to download lun0 again, by running with only rawprogram0.xml
    3. restoring my oem and frp backups
    LESSON: if you're going to play with this tablet, make sure you backup the oem and frp partitions.

    Can anyone PM me the abl.elf file from TB128FU_S300168_220916_ROW ? I want to check how it was compiled. Thanks.

    ---- original post ----
    I have a global TB-128FU running TB128FU_S000058_220816_ROW. I've been playing around with it and very successfully bricked it.

    But I thought I'd share what I learned about the device's bootloader. Hopefully it helps with further development on this tablet.

    bootloader

    The bootloader is contained in the abl.elf file. It is called LinuxLoader.efi.

    The bootloader was not compiled with the ENABLE_UPDATE_PARTITIONS_CMDS and ENABLE_DEVICE_CRITICAL_LOCK_UNLOCK_CMDS flags. That's why bootloader commands are limited. This means that the bootloader does not recognise flash, erase, set_active, flashing get-unlock-ability, flashing unlock, flashing lock, flashing unlock_critical and flashing lock_critical commands from the fastboot utility. Some of those commands might work in fastbootd, but I didn't test that before I bricked my tablet.

    Hopefully Lenovo will compile the bootloader with those flags enabled in the next OTA.

    oem unlock-flash

    There are some fastboot oem commands, including fastboot oem unlock-flash. But that command seems to relate to a device state, rather than un/locking the bootloader.

    The device state is "unlocked" when byte 0x20 of the lenovolock partition is set to 0x02. It is "locked" when byte 0x20 is set to 0x01. DO NOT set byte 0x20 to 0x01. You will lock your device...just like I did. And I think you'd probably lock your device by running fastboot oem lock-flash. So DO NOT run fastboot oem lock-flash either.

    When byte 0x20 is set to 0x01, you can read from the device but you can't write to it. So you can enter bootloader, fastbootd, edl and stock recovery. You can query the device and read from the device in those modes, but you can't write to the device. So emmcdl, qfil, LMSA etc are all denied permission to write to the device. The bootloader can't flash/erase because it doesn't recognise those commands. Android just bootloops.

    There is a process to set byte 0x20 back to 0x02 using the bootloader, but it requires a private RSA key - which is presumably in Lenovo's labs. The process is:
    1. run fastboot oem getRandom. This gives you two random hex numbers.
    2. use SHA256 to create a hash of a message (without the brackets): <random#1><serialno><random#2>
    3. sign the hash with the correct private RSA key. The paired public RSA key is hardcoded in the bootloader.
    4. run fastboot oem token multiple times passing first the hash and then the signature in 32-byte chunks. The last fastboot oem token command will tell you it's okay to run the unlock-flash command.
    5. run fastboot oem unlock-flash. If it accepts your hash and signature, it will set byte 0x20 of lenovolock to 0x02 and erase the lenovoraw and lenovocust partitions.
    You have to run those commands in exactly that order, or you'll get errors.

    I'd love to get this to work, because it's the only way I can unbrick my tablet. But none of the private RSA keys I could find on the stock ROM are the correct pair for the bootloader's hardcoded public RSA key. If anyone has the correct key, I promise I won't share it if you PM it to me. ;)

    Or if anyone knows a way to flash my backup of lenovolock.img, I'd love to hear it. Remember - I can't use edl, fastboot, fastbootd or stock recovery to write to the device...and I can't get into Android to use adb. I think I have a shiny new paperweight.
    1


    TB128FU ROM,china/global version.
    If anyone flashed global version successfully from china version,hope share your Experience,thanks.
    1
    Thank you very much. As soon as we learn about relevant information, i will share it