• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[RECOVERY] TWRP 3.5.2 | Unihertz Jelly 2

Search This thread

Meetoul

Member
Nov 3, 2013
19
29
How to install:

Unlock bootloader:
  1. Boot your device into the official OS.
  2. Go to Settings > About phone, tap the "build number" several times to enable developer settings.
  3. Go to Settings > System > Developer Settings, enable OEM unlocking and ADB debugging.
  4. Connect your phone to your PC and open a terminal or a command line window.
  5. Run adb reboot bootloader on your PC (there is no way to enter bootloader directly, only possible through adb).
  6. Once your device has finished booting run fastboot flashing unlock and comfirm unlock on device (THIS WILL WIPE ALL DATA!).
  7. Run fastboot reboot to reboot your device and now you should see an unlocked warning during boot screen.
Disable AVB:
  1. Download vbmeta.img from the latest release page of your device.
  2. Connect your phone to your PC and open a terminal or a command line window.
  3. Run adb reboot bootloader on your PC to put your device in bootloader mode.
  4. Once your device has finished booting run fastboot flash --disable-verification --disable-verity vbmeta vbmeta.img
  5. Then run fastboot flash --disable-verification --disable-verity vbmeta_system vbmeta.img
  6. Also run fastboot flash --disable-verification --disable-verity vbmeta_vendor vbmeta.img
Flash recovery image:
  1. Connect your phone to your PC and open a terminal or a command line window.
  2. Run adb reboot bootloader on your PC to put your device in bootloader mode.
  3. Once your device has finished booting run fastboot erase recovery. For some reason, image may be not actually flashed, even if fastboot reported success (at least over the stock recovery image), so in order make sure that the custom image is always flashed it's better to always erase the partition before flashing. After the erasing run fastboot flash recovery recovery.img
  4. Run fastboot reboot and after the screen goes dark press volume up until you see the TWRP logo. Also you can type fastboot reboot recovery to boot to recovery mode immediately.
Please note that booting in stock ROM will bring stock recovery back.

This recovery image is built using binaries from non-european (TEE) version of Jelly 2. Theoretically it should work on european (EEA). If it won't - contact me, I'll prepare an image based on EEA binaries.

Source code https://github.com/Meetoul/twrp_device_Unihertz_Jelly2
 

Attachments

  • recovery.img
    23.9 MB · Views: 221
Last edited:

Die Bruine

Senior Member
Jan 2, 2008
582
36
I just received my Jelly 2. It was on 2020 and I went straight through your files. Your TWRP does not respond on my European Jelly 2. Meaning, the touch screen does not respond. But I connected an USB trackball and switched in between adb sideloads. So I finally got it working.
For some reason during reboot TWRP warns me that there is no OS installed. But LoS 18.1 (yours) booted fine. Also flashed opengapps 2707 nano.

After a reboot (phone is still restoring apps) there is a "serial console is enabled" message "performance is impacted, check bootloader". Any instructions on how to get rid of that?.
 

Die Bruine

Senior Member
Jan 2, 2008
582
36
I cannot seem to mount system as R/W with GSI image from https://github.com/phhusson/treble_experimentations/releases from within TWRP. I guess that's a more general problem, though :(

Any ideas?
Dave you tried the latest release a suggested by Meetoul?

 
  • Like
Reactions: mineshaftgap

karoooo

Member
Aug 10, 2021
9
2
Great Job!
I have Jelly2_JP.
I tried your recovery.img for Jelly2_TEE.
It can boot my Jelly2_JP, and it can enable adb shell, but it looped the splash screen.
But I execute following command in adb shell, twrp starts gui("Keep System Read only?" screen)
Jelly2_TEE:/ # mount -o ro /dev/block/mapper/system /
Touchscreen works fine.

Next, I tried to build twrp for Jelly2_JP using your device tree.
But it has same problem. (It looped the splash screen until I mount system partition.)
Do you have any advice?

Attachments
recovery_tee.log is pulled file from /tmp/recovery.log in your twrp for Jelly2_TEE. Line 1119 is after I mount system partition by adb shell.
recovery_jp.log is pulled file from /tmp/recovery.log in my twrp for Jelly2_JP. Line 1356 is after I mount system partition by adb shell.

My build instructions
$ cd ~/twrp
$ repo init -u https://github.com/minimal-manifest-twrp/platform_manifest_twrp_omni.git -b twrp-10.0
$ vi .repo/local_manifests/roomservice.xml
$ repo sync --force-sync
$ cd device/Unihertz
$ cp -r Jelly2_TEE Jelly2_JP
$ cd Jelly2_JP
$ mv omni_Jelly2_TEE.mk omni_Jelly2_JP.mk
$ grep -l Jelly2_TEE * | xargs sed -i 's/Jelly2_TEE/Jelly2_JP/g'
$ grep -l g55v71c2k_dfl_tee * | xargs sed -i 's/g55v71c2k_dfl_tee/g55v71c2k_dfl_jp_felica/g'
$ ./extract-files.sh ~/stock_jp/extracted
$ unpack_bootimg --boot_img ~/stock_jp/recovery.img --out ~/stock_jp/recovery
$ cp ~/stock_jp/recovery/kernel prebuilt/Image.gz
$ cp ~/stock_jp/recovery/dtb prebuilt/dtb/mt6771.dtb
$ cp ~/stock_jp/recovery/recovery_dtbo prebuilt/dtbo.img
$ cd ~/twrp
$ source build/envsetup.sh
$ lunch omni_Jelly2_JP-eng
$ mka recoveryimage
$ ls out/target/product/Jelly2_JP/recovery/root/vendor
bin etc
$ cp -r vendor/Unihertz/Jelly2_JP/proprietary/reovery/root/vendor out/target/product/Jelly2_JP/recovery/root
$ mka recoveryimage
 
Last edited:

karoooo

Member
Aug 10, 2021
9
2
file upload again.

Sorry, I can't upload Attach files.
I clicked "Attach files" button and choose file.
I clicked "Save" button, but file link did not inserted.

I uploaded recovery.log to github.
 
Last edited:

karoooo

Member
Aug 10, 2021
9
2
How to get vbmeta.img
Direct Link

See Also
Or
 

karoooo

Member
Aug 10, 2021
9
2
I found the crash point in Jelly2_JP.
The crash point is CHECK() on line 772 of twrp/hardware/interfaces/keymaster/4.0/support/Keymaster.cpp.
C++:
            CHECK(error == ErrorCode::OK)
                << "Failed to get HMAC parameters from " << *keymaster << " error " << error;
CHECK() is defined on line 495 of twrp/system/core/base/include/android-base/logging.h
C++:
#define CHECK(x)                                                                 \
  LIKELY((x)) || ABORT_AFTER_LOG_FATAL_EXPR(false) ||                            \
      ::android::base::LogMessage(__FILE__, __LINE__, ::android::base::DEFAULT,  \
                                  ::android::base::FATAL, _LOG_TAG_INTERNAL, -1) \
              .stream()                                                          \
          << "Check failed: " #x << " "
I thought /system/bin/recovery was crashing due to a bug.
But it is not a bug.
/system/bin/recovery is programmed to abort if CHECK() fails.

Next, I compared the results of CHECK().

1. using your recovery.img for Jelly2_TEE.
Code:
$ adb shell
Jelly2_TEE:/ # uname -a
Linux localhost 4.14.141+ #15 SMP PREEMPT Wed May 19 11:04:10 CST 2021 aarch64

Jelly2_TEE:/ # mount -o ro /dev/block/mapper/vendor /vendor
Jelly2_TEE:/ # md5sum /vendor/lib64/libkeymaster4.so
17f162aedb3a9584e51d7f732ebbac7f  /vendor/lib64/libkeymaster4.so

Jelly2_TEE:/ # umount /vendor
Jelly2_TEE:/ # md5sum /vendor/lib64/libkeymaster4.so
22ede18944c5f47daf04d699a72717b2  /vendor/lib64/libkeymaster4.so

Jelly2_TEE:/ # logcat -v brief -d -s /system/bin/recovery
E//system/bin/recovery(  324): Failed to get IAshmemDeviceService.
W//system/bin/recovery(  324): [libfs_mgr]Warning: unknown flag: resize
W//system/bin/recovery(  324): [libfs_mgr]Warning: unknown flag: resize
I//system/bin/recovery(  324): [libfs_mgr]Created logical partition product on device /dev/block/dm-0
I//system/bin/recovery(  324): [libfs_mgr]Created logical partition system on device /dev/block/dm-1
I//system/bin/recovery(  324): [libfs_mgr]Created logical partition vendor on device /dev/block/dm-2
W//system/bin/recovery(  324): DM_DEV_STATUS failed for system_image: No such device or address
W//system/bin/recovery(  324): DM_DEV_STATUS failed for vendor_image: No such device or address
W//system/bin/recovery(  324): DM_DEV_STATUS failed for product_image: No such device or address
I//system/bin/recovery(  324): fscrypt_initialize_systemwide_keys
I//system/bin/recovery(  324): List of Keymaster HALs found:
I//system/bin/recovery(  324): Keymaster HAL #1: HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default
F//system/bin/recovery(  324): Keymaster.cpp:150] Check failed: error == ErrorCode::OK Failed to get HMAC parameters from HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default error SECURE_HW_COMMUNICATION_FAILED

2. using my recovery.img for Jelly2_JP.
This is built with Jelly2_JP's kernel and /vendor/*.
Code:
$ adb shell
Jelly2_JP:/ # uname -a
Linux localhost 4.14.141+ #5 SMP PREEMPT Wed May 19 12:15:37 CST 2021 aarch64

Jelly2_JP:/ # mount -o ro /dev/block/mapper/vendor /vendor
Jelly2_JP:/ # md5sum /vendor/lib64/libkeymaster4.so
17f162aedb3a9584e51d7f732ebbac7f  /vendor/lib64/libkeymaster4.so

Jelly2_JP:/ # umount /vendor
Jelly2_JP:/ # md5sum /vendor/lib64/libkeymaster4.so
17f162aedb3a9584e51d7f732ebbac7f  /vendor/lib64/libkeymaster4.so

Jelly2_JP:/ # logcat -v brief -d -s /system/bin/recovery
E//system/bin/recovery(  327): Failed to get IAshmemDeviceService.
W//system/bin/recovery(  327): [libfs_mgr]Warning: unknown flag: resize
W//system/bin/recovery(  327): [libfs_mgr]Warning: unknown flag: resize
I//system/bin/recovery(  327): [libfs_mgr]Created logical partition product on device /dev/block/dm-0
I//system/bin/recovery(  327): [libfs_mgr]Created logical partition system on device /dev/block/dm-1
I//system/bin/recovery(  327): [libfs_mgr]Created logical partition vendor on device /dev/block/dm-2
W//system/bin/recovery(  327): DM_DEV_STATUS failed for system_image: No such device or address
W//system/bin/recovery(  327): DM_DEV_STATUS failed for vendor_image: No such device or address
W//system/bin/recovery(  327): DM_DEV_STATUS failed for product_image: No such device or address
I//system/bin/recovery(  327): fscrypt_initialize_systemwide_keys
I//system/bin/recovery(  327): List of Keymaster HALs found:
I//system/bin/recovery(  327): Keymaster HAL #1: HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default
F//system/bin/recovery(  327): Keymaster.cpp:150] Check failed: error == ErrorCode::OK Failed to get HMAC parameters from HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default error SECURE_HW_COMMUNICATION_FAILED

They are same Error code SECURE_HW_COMMUNICATION_FAILED.
Unfortunately, my recovery.img wasn't improved from your recovery.img when used with Jelly2_JP.
 
Last edited:

karoooo

Member
Aug 10, 2021
9
2
I'm sorry for the continuous posting.
I solved the decryption by modifying omni_Jelly2_JP.mk as follows.
Code:
PRODUCT_NAME := omni_Jelly2_JP
PRODUCT_DEVICE := Jelly2_JP
PRODUCT_MODEL := Jelly2_JP
PRODUCT_BOARD := g55v71c2k_dfl_jp_felica
BUILD_FINGERPRINT := "Unihertz/Jelly2_JP/Jelly2_JP:10/QP1A.190711.020/root.20210422.092852:user/release-keys"
PRODUCT_BUILD_PROP_OVERRIDES += \
    TARGET_DEVICE=Jelly2_JP \
    PRODUCT_NAME=Jelly2_JP \
    PRIVATE_BUILD_DESC="Jelly2-user 10 QP1A.190711.020 root.20210422.092852 release-keys"
My mistake was that I only replaced "Jelly2_TEE" with "Jelly2_JP".
I had to replace "Jelly2" with "Jelly2_JP".

Anyway, now I can display the decryption screen.
Next, I tried HOW-TO-PATCH.md.
However, the touch screen does not respond on the patched kernel.

Code:
$ head -n 1 symbl_tee.txt
ffffff81dd680800 T do_undefinstr

$ grep get_boot_mode symbl_tee.txt
ffffff81ddda5b30 T get_boot_mode

$ zcat twrp/device/Unihertz/Jelly2_TEE/prebuilt/Image.gz > Image
$ aarch64-linux-android-objdump -D -b binary -m aarch64 --adjust-vma=0xffffff81dd680000 --start-address=0xffffff81ddda5b30 Image| head
ffffff81ddda5b30:       d0009cc8        adrp    x8, 0xffffff81df13f000
ffffff81ddda5b34:       b947ad09        ldr     w9, [x8,#1964]
ffffff81ddda5b38:       7100093f        cmp     w9, #0x2

I think you are using a different technique to enable the touch screen, because "cmp w9, #0x2" is not patched to "cmp w9, #0x0".
Please teach me your technique after you are not busy with work.
 
Last edited:

Three knife

New member
Aug 19, 2021
3
0
谢谢你,我用的是中国的没有Google Play的版本,按照你的步骤成功了,不过在安装完recovery.img之后,内部存储有可能无法写入,需要在recovery里删除data分区,然后就可以了
 

Meetoul

Member
Nov 3, 2013
19
29
@karoooo

Sorry for not responding to you, for some reason email notifications from XDA were stopped. Please tell me if you still need patched kernel, I will try to patch it explain you the technique.
 

Meetoul

Member
Nov 3, 2013
19
29
Thanks for this!
I flashed this TWRP, then installed AOSP 11, v313 of this GSI: https://github.com/phhusson/treble_experimentations/releases/tag/v313
Things seem good, except:
  • the battery seems to drain a little quickly
  • no IR blaster (ZaZa remote does not recognize it)
  • TWRP cannot decrypt the phone's contents, so I cannot flash gapps.
Is TWRP not able to decrypt because I'm using Android 11 and the TWRP was built for 10?
Actually, data decryption on MTK SoCs is very painful thing. I'm still waiting for stable release of Android 11 from Unihertz, but they are in no hurry...

I know that beta 11 available. Unfortunately, I was not able to update using the official way. The bootloader was locked and the moment of updating, but probably the reason is that it was unlocked before (it possible to relock bootloader using SP Flash Tool). But I manager to fetch zip update package and install it via TWRP :) After that I even managed to make package for SP Flash Tool based on this package, so I can to flash pure FW without updating and have locked bootloader!

UPD. I see that Unihertz have published Android 11 SW package for SP Flash Tool on their Google Drive! Soon I will try to make recovery based on this package.
 
  • Like
Reactions: zxczxc4

kendzhi

Member
Apr 27, 2016
7
0
HI.

Summary: FRONT CAMERA not working after Bootloader Unlock


I am using Jelly2_JP (on latest Android 10) and I was wondering,
has anyone has experinced the Front Camera not working after Bootloader Unlock, and possibly the three " --disable-verification --disable-verity" commands?

The stock camera app won't recognize the front camera (not front/back switch button where there should be one), and other apps cant use the front camera either.

I can confirm that the front camera worked before unlocking the bootloader.

Reflashing stock image using SP Flash Tool and relocking Bootlader did not fix the issue.

Is anyone else experiencing the same issue?
 
Last edited:

Meetoul

Member
Nov 3, 2013
19
29
@Meetoul
Thank you for your response.
Yes, yes, yes!
I want to know your technique.
Best Regards.
Since Unihertz has released Android 11, I think that there is no sense to work on patching the old kernel.

Btw, now I'm working on TWRP based on Android 11 binaries from the latest FW, but no luck so far, it seems that kernel doesn't even start to boot...
 
  • Like
Reactions: zxczxc4

karoooo

Member
Aug 10, 2021
9
2
@Meetoul
I wanted to learn your technique so that I could work on my own when Android 11 was released.
If Android 11 is formidable, prioritize working with Android 11.
Unfortunately, Android 11 for Jelly2_JP has not been released yet.

@kendzhi
I unlocked the bootloader with Jelly2_JP, but the front camera is still working.
 
  • Like
Reactions: zxczxc4

kendzhi

Member
Apr 27, 2016
7
0
@karoooo

Thank you for the reply!

May I ask, was your Jelly2_JP shipped before the latest Andorid 10 update (2021051912_g55v71c2k_dfl_jp_felica), meaning did your phone come with the previous Firmware (2020101915_g55v71c2k_dfl_jp_felica)?

I have two Jelly2_JP from Japan which came preshipped with the latest andorid Andorid 10 update (there was no need for OTA update). And in both phones, upon executing "fastboot flashing unlock" (without disableling AVB & without Rooting), the the front camera stopped working (not recognized by the system).

I even went into the Debug/Diagnostic? mode that was in Chinese (Booting by Vol down + Connecting to PC via USB), and peformed a hardware test for the Front Camera and the test froze the phone.

So I'm suspecting that Jelly2_JP that was shipped to Japan with the latest Firmware has some issues with Bootloader Unlocking breaking the Front Cam...
 

Top Liked Posts

  • There are no posts matching your filters.
  • 6
    How to install:

    Unlock bootloader:
    1. Boot your device into the official OS.
    2. Go to Settings > About phone, tap the "build number" several times to enable developer settings.
    3. Go to Settings > System > Developer Settings, enable OEM unlocking and ADB debugging.
    4. Connect your phone to your PC and open a terminal or a command line window.
    5. Run adb reboot bootloader on your PC (there is no way to enter bootloader directly, only possible through adb).
    6. Once your device has finished booting run fastboot flashing unlock and comfirm unlock on device (THIS WILL WIPE ALL DATA!).
    7. Run fastboot reboot to reboot your device and now you should see an unlocked warning during boot screen.
    Disable AVB:
    1. Download vbmeta.img from the latest release page of your device.
    2. Connect your phone to your PC and open a terminal or a command line window.
    3. Run adb reboot bootloader on your PC to put your device in bootloader mode.
    4. Once your device has finished booting run fastboot flash --disable-verification --disable-verity vbmeta vbmeta.img
    5. Then run fastboot flash --disable-verification --disable-verity vbmeta_system vbmeta.img
    6. Also run fastboot flash --disable-verification --disable-verity vbmeta_vendor vbmeta.img
    Flash recovery image:
    1. Connect your phone to your PC and open a terminal or a command line window.
    2. Run adb reboot bootloader on your PC to put your device in bootloader mode.
    3. Once your device has finished booting run fastboot erase recovery. For some reason, image may be not actually flashed, even if fastboot reported success (at least over the stock recovery image), so in order make sure that the custom image is always flashed it's better to always erase the partition before flashing. After the erasing run fastboot flash recovery recovery.img
    4. Run fastboot reboot and after the screen goes dark press volume up until you see the TWRP logo. Also you can type fastboot reboot recovery to boot to recovery mode immediately.
    Please note that booting in stock ROM will bring stock recovery back.

    This recovery image is built using binaries from non-european (TEE) version of Jelly 2. Theoretically it should work on european (EEA). If it won't - contact me, I'll prepare an image based on EEA binaries.

    Source code https://github.com/Meetoul/twrp_device_Unihertz_Jelly2
    1
    Thanks!
    This fantastic!
    its work on EEA!
    1
    I cannot seem to mount system as R/W with GSI image from https://github.com/phhusson/treble_experimentations/releases from within TWRP. I guess that's a more general problem, though :(

    Any ideas?
    Dave you tried the latest release a suggested by Meetoul?

    1
    Thanks for this!
    I flashed this TWRP, then installed AOSP 11, v313 of this GSI: https://github.com/phhusson/treble_experimentations/releases/tag/v313
    Things seem good, except:
    • the battery seems to drain a little quickly
    • no IR blaster (ZaZa remote does not recognize it)
    • TWRP cannot decrypt the phone's contents, so I cannot flash gapps.
    Is TWRP not able to decrypt because I'm using Android 11 and the TWRP was built for 10?
    Actually, data decryption on MTK SoCs is very painful thing. I'm still waiting for stable release of Android 11 from Unihertz, but they are in no hurry...

    I know that beta 11 available. Unfortunately, I was not able to update using the official way. The bootloader was locked and the moment of updating, but probably the reason is that it was unlocked before (it possible to relock bootloader using SP Flash Tool). But I manager to fetch zip update package and install it via TWRP :) After that I even managed to make package for SP Flash Tool based on this package, so I can to flash pure FW without updating and have locked bootloader!

    UPD. I see that Unihertz have published Android 11 SW package for SP Flash Tool on their Google Drive! Soon I will try to make recovery based on this package.
    1
    @Meetoul
    Thank you for your response.
    Yes, yes, yes!
    I want to know your technique.
    Best Regards.
    Since Unihertz has released Android 11, I think that there is no sense to work on patching the old kernel.

    Btw, now I'm working on TWRP based on Android 11 binaries from the latest FW, but no luck so far, it seems that kernel doesn't even start to boot...