S.onyXT.S v1.0 [UNBRICKER] - Xperia Tab S auto unbricker/flasher!

[condi]

Hi


I've finished fully automatic unbricker for Sony Xperia Tablet S!

It wouldn't be possible without xda users, xda community, especially: 	
                            deltaztek [SD source], 
                            jappaj [shell access],
                            NerdiX [beta tester],
and all other users, who helped to get it working!

Source thread where manual solution has been discovered.



Ladies & Gentlemen...
S.onyXT.S [UNBRICKER] !

[What is this?]

S.onyXT.S [UNBRICKER] will unbrick your device firmware,
no need any shell/linux knowledge - step by step, everything automatic.
It will automatically download needed data.

Unbrick process includes:

• downloading "magic SD" prepared image (237mb),
• downloading proper update data,
• decrypting, extracting update data,
• auto making "magic SD" - no need win32imager etc.,
• uploading update data to device,
• at last - unbricking device - flashing system/hidden partitions.

[Requirements]:

- internet connection to download data ,
- adb drivers correctly installed,
- min. 2GB SD card.


[Changelog]:

[09.02.2014] v1.0:
- initial version.

[To-Do]:

  - datapp flashing - vendor apps fix,

[Screenshots:]

[Download]:

Attached to this thread.


[Donate]:

Keep this project alive - don't forget to donate!


br
condi

current_version=1.0

 

[stifilz]

LEGEND ONCE AGAIN....

If only we had something for out older Tabs

Oh well none the less one more step in the right direction

 

[masterchif92]

LEGEND ONCE AGAIN....

If only we had something for out older Tabs

Oh well none the less one more step in the right direction

@condi i have a problem and a question....first the question...why when i type the letter in upper case the tools reboot? and when i type il lower case it say unity doesn't specified....but it continue ....how i must put the letter in up or lowercase? and i'm waiting the cold-booting write but it doesn't appear how much it will take?

 

[condi]

@condi i have a problem and a question....first the question...why when i type the letter in upper case the tools reboot? and when i type il lower case it say unity doesn't specified....but it continue ....how i must put the letter in up or lowercase? and i'm waiting the cold-booting write but it doesn't appear how much it will take?

hi masterchif,

you type drive letter only? or with ":" ?

br
condi

 

[masterchif92]

hi masterchif,

you type drive letter only? or with ":" ?

br
condi

Only che letter in lowercase ....is important if it is in lower or upper? My tablet is brick I think is stopped in Sony logo....u can help me ? I bricked it while trying to install jb from tool flasher but something went wrong

Inviato dal mio Nexus 5 utilizzando Tapatalk

 

[condi]

Only che letter in lowercase ....is important if it is in lower or upper? My tablet is brick I think is stopped in Sony logo....u can help me ? I bricked it while trying to install jb from tool flasher but something went wrong

Inviato dal mio Nexus 5 utilizzando Tapatalk

I've just tried - it worked well. No matter if its uppercase or lowercase - it worked well for me.
What windows version you have?
The only problem occured, when I had opened windows explorer, with sd card opened,
or even with my computer - sd card volume became busy, and unbricker couldn't write.
But to get it work - you have only to close all explorer windows.

Could you make screenshot of the issue?

 

[masterchif92]

It write on SD but the problem is when I wait for cold boot....I'll wait 1 hrs and it doesn't appear..... My PC says unknown device and the tablet with the SD on stop on Sony logo no cold-booting write

Inviato dal mio Nexus 5 utilizzando Tapatalk

 

[condi]

It write on SD but the problem is when I wait for cold boot....I'll wait 1 hrs and it doesn't appear..... My PC says unknown device and the tablet with the SD on stop on Sony logo no cold-booting write

Inviato dal mio Nexus 5 utilizzando Tapatalk

Wait wait, what tablet model/version exactly you have?

 

[masterchif92]

WiFi tablet s , abile tryng ti install JB i got an error and when it reboot it stays on Sony logo then I try your tools only recovery mode

Inviato dal mio Nexus 5 utilizzando Tapatalk

 

[condi]

WiFi tablet s , abile tryng ti install JB i got an error and when it reboot it stays on Sony logo then I try your tools only recovery mode

Inviato dal mio Nexus 5 utilizzando Tapatalk

I'm sorry but solution is ONLY for 2nd tab gen - XPERIA TABLET S!

br
condi

 

[masterchif92]

O....sorry....but u can help me? I have problem with checking region ...I download 001 version that is mine but gives me always SKU error

Inviato dal mio Nexus 5 utilizzando Tapatalk

 

[dex9mm]

O....sorry....but u can help me? I have problem with checking region ...I download 001 version that is mine but gives me always SKU error

Inviato dal mio Nexus 5 utilizzando Tapatalk

You have softed bricked your device by trying to install jb to your device
Reading is your friend google even more so
This recovery is for the xperia tab s not for the first sony tab s
By trying to install a firmware that does not fit your device nor has it ever
Next time try reading a little bit about the tools you are about to use on your device and what is needed
The sku error is because the device thinks the firmware your trying to flash is the same as the one previous an a conflict arises
So far there is no known recovery from this other than an offical sony repair centre

xperia m c1905 stock rooted lb
and sony XTS rooted stock j.b thanks djrbliss

 

[masterchif92]

You have softed bricked your device by trying to install jb to your device
Reading is your friend google even more so
This recovery is for the xperia tab s not for the first sony tab s
By trying to install a firmware that does not fit your device nor has it ever
Next time try reading a little bit about the tools you are about to use on your device and what is needed
The sku error is because the device thinks the firmware your trying to flash is the same as the one previous an a conflict arises
So far there is no known recovery from this other than an offical sony repair centre

xperia m c1905 stock rooted lb
and sony XTS rooted stock j.b thanks djrbliss

I see it now.....very disappointed with Sony.... I'll never buy a Sony tablet or smartphone !!! Now I try two more firmware but if I flashed the xperia tablet s in a tablet s I don't think that I can recover it right ?

Inviato dal mio Nexus 5 utilizzando Tapatalk

 

[NerdiX]

Hi


I've finished fully automatic unbricker for Sony Xperia Tablet S!

[To-Do]:

  - datapp flashing - vendor apps fix,

br
condi

current_version=1.0

hello friend
I saw that you removed the datapp lines in the script
as I wrote in the other topic, links to vendor directory are for a specific country
Sony factory script at first startup wants to choose country then obviously resets symlinks for specific directory.
Now my IR works with Panasonic and other tv... ir database seems well
I must clarify that after the manual procedure in dd mmcblk0p3(and 4), the tablet is not updating correctly in recovery. He wrote in mmcblk0p3 and mmcblk0p9 (vendor0 only), then check passed correctly.
Whether updating with jbr1 or jbr2 file is getting the same result, booted the system1 from mmcblk0p4 with jbr1 (not r2), i.e. not been updated, and sonys app not worked.
I had to dd if=/dev/block/mmcblk0p3(updated thru recovery) of=/dev/block/mmcblk0p4 to be the same, read the post of @jappaj to fix datapp symlinks, then the update went correctly thru recovery from jbr1 to jbr2

EDIT: maybe /data partition (/dev/block/mmcblk0p11) must be formated (factory reset) to triger sony's script to ask for country and autoset correct symlinks

 

[gemini16]

I am waiting for tablet P unbricker release.

 

[1Hax]

i beg you for same tool, but for tablet S !!))

 

[getonerd]

im getting invalid drive specification

what does that mean

 

[stth]

this dd.exe did not work as expecded. same problem on my win7 laptop

I have mostly rewritten the script for bash / linux shell

 

[stth]

IT WORKED

THANKS @condi

PS: why not trying to use the SD-image to flash KitKat?
i mean, you can pull all mmc images and flash all mmc images via dd, why not writing a custom rom this way? the only problem is the kernel.

mounts of /dev/block/*
mmcblk0p1 -> /configs

-r--r--r-- 1 root root 64 Jan 1 2000 06590E37F8A647D989345317AAFF6A6C
-r--r--r-- 1 root root 242 Jan 1 2000 31850B1B-0DAB-42ce-A498-A73479B7B3EB
-r--r--r-- 1 root root 878 Jan 1 2000 calibration_rear.bin
-r--r--r-- 1 root root 63104 Jan 1 2000 CFBSMXHMUAF48EXTDTCSOH4BXXDDRBFG
-r--r--r-- 1 root root 132 Jan 1 2000 local.prop​

mmcblk0p2 -> /params

-rw------- 1 root root 2 Jan 30 14:43 activate_done
lrwxrwxrwx 1 root root 57 Jan 30 14:43 countries.lst -> /datapp/vendor/vendor0/regioncodelist/SKU002000172608.lst
drwx------ 2 root root 4096 Jan 1 1970 lost+found
-rw-r--r-- 1 root root 33 Jan 30 14:43 region_checksum.txt
-rw-r--r-- 1 root root 9706 Jan 30 14:43 region.zip
-rw-rw-rw- 1 root root 2 Jan 30 14:43 selected_country​

mmcblk0p3 -> /system
mmcblk0p4 -> /system (copy)
mmcblk0p5 -> /cache

(ls /cache/recovery)
-rw-r--r-- 1 root root 45 Jan 1 2000 last_install
-rw-r----- 1 root root 22626 Jan 1 2000 last_log
-rw------- 1 stth stth 18769 Jan 1 2000 log​

mmcblk0p6 -> not mounted (2MB, file system?, image not mountable as loop device)
mmcblk0p7 -> not mounted (64MB, file system?, image not mountable as loop device)
mmcblk0p8 -> not mounted (2MB, file system?, image not mountable as loop device)
mmcblk0p9 -> /datapp (vendor)
mmcblk0p10 -> /log

-rw-r--r-- 1 root root 18652 Jan 1 2000 recovery_abort.log​

mmcblk0p11 -> /data

judging the size of the unknown partitions, mmcblk0p7 could contain the kernel. probably we just have to find the file system on this partition. i guess, sony just skips a part or descrambles the partition while it shows the sony logo (which is always displayed, no matter if you boot into recovery, or the system) also, the hidden.img is flashed there... so... how to get it out?

what are the files in /configs? maybe keys or executables to decrypt the kernel?

does anybody have a log of a successful update in the logs (see mount list above)? is there any information about an updated kernel?

to get the mmc-images, just create the unbricker sd card (it does not break anything if you stop the script after the sd is written)
execute adb shell "/system/xbin/pwn"
then adb pull /dev/block/mmcblk*

on linux, you can mount them with
mount -o loop <image> <mountpoint>
some require root to view files

if anything is broken, we should be able to reflash all mmcblk-images which of couse should be backed up in advance

€:

today i scanned the sd image and the hidden.img seems, that the tablet would boot any kernel that is at position 0x00000400 on a sd card.
you may copy any image from OTA update.zip to that position and it should load it.
$ dd if=unbrick.img of=/dev/sdXXX
$ dd if=hidden.img of=/dev/sdXXX bs=512 seek=2
i tried the kernel from a tablet s on the xts and settings/about/kernel told me it worked!!

sadly, the data in hidden.img looks similiar to kernels of other SE devices, but is somehow scrambled

 

[smgdev]

IT WORKED

THANKS @condi

PS: why not trying to use the SD-image to flash KitKat?
i mean, you can pull all mmc images and flash all mmc images via dd, why not writing a custom rom this way? the only problem is the kernel.

mounts of /dev/block/*
mmcblk0p1 -> /configs

-r--r--r-- 1 root root 64 Jan 1 2000 06590E37F8A647D989345317AAFF6A6C
-r--r--r-- 1 root root 242 Jan 1 2000 31850B1B-0DAB-42ce-A498-A73479B7B3EB
-r--r--r-- 1 root root 878 Jan 1 2000 calibration_rear.bin
-r--r--r-- 1 root root 63104 Jan 1 2000 CFBSMXHMUAF48EXTDTCSOH4BXXDDRBFG
-r--r--r-- 1 root root 132 Jan 1 2000 local.prop​

mmcblk0p2 -> /params

-rw------- 1 root root 2 Jan 30 14:43 activate_done
lrwxrwxrwx 1 root root 57 Jan 30 14:43 countries.lst -> /datapp/vendor/vendor0/regioncodelist/SKU002000172608.lst
drwx------ 2 root root 4096 Jan 1 1970 lost+found
-rw-r--r-- 1 root root 33 Jan 30 14:43 region_checksum.txt
-rw-r--r-- 1 root root 9706 Jan 30 14:43 region.zip
-rw-rw-rw- 1 root root 2 Jan 30 14:43 selected_country​

mmcblk0p3 -> /system
mmcblk0p4 -> /system (copy)
mmcblk0p5 -> /cache

(ls /cache/recovery)
-rw-r--r-- 1 root root 45 Jan 1 2000 last_install
-rw-r----- 1 root root 22626 Jan 1 2000 last_log
-rw------- 1 stth stth 18769 Jan 1 2000 log​

mmcblk0p6 -> not mounted (2MB, file system?, image not mountable as loop device)
mmcblk0p7 -> not mounted (64MB, file system?, image not mountable as loop device)
mmcblk0p8 -> not mounted (2MB, file system?, image not mountable as loop device)
mmcblk0p9 -> /datapp (vendor)
mmcblk0p10 -> /log

-rw-r--r-- 1 root root 18652 Jan 1 2000 recovery_abort.log​

mmcblk0p11 -> /data

judging the size of the unknown partitions, mmcblk0p7 could contain the kernel. probably we just have to find the file system on this partition. i guess, sony just skips a part or descrambles the partition while it shows the sony logo (which is always displayed, no matter if you boot into recovery, or the system) also, the hidden.img is flashed there... so... how to get it out?

what are the files in /configs? maybe keys or executables to decrypt the kernel?

does anybody have a log of a successful update in the logs (see mount list above)? is there any information about an updated kernel?

to get the mmc-images, just create the unbricker sd card (it does not break anything if you stop the script after the sd is written)
execute adb shell "/system/xbin/pwn"
then adb pull /dev/block/mmcblk*

on linux, you can mount them with
mount -o loop <image> <mountpoint>
some require root to view files

if anything is broken, we should be able to reflash all mmcblk-images which of couse should be backed up in advance

€:

today i scanned the sd image and the hidden.img seems, that the tablet would boot any kernel that is at position 0x00000400 on a sd card.
you may copy any image from OTA update.zip to that position and it should load it.
$ dd if=unbrick.img of=/dev/sdXXX
$ dd if=hidden.img of=/dev/sdXXX bs=512 seek=2
i tried the kernel from a tablet s on the xts and settings/about/kernel told me it worked!!

sadly, the data in hidden.img looks similiar to kernels of other SE devices, but is somehow scrambled

That is just some great work. Were the kernel different? But anyway it could be secure for bootloader check if there is any. Cause it is a tablet s kernel. I have a kernel which have kexec built in for tablet s. I can give it to you for testing if you want. And if you wanna join our hangout, just pm me

Sent from my Sony Tablet S using Tapatalk