[TUTORIAL] How to unbrick Nexus 7 without blob.bin (REQUIRES ANOTHER NEXUS 7 2012)

Search This thread

enderzip

Senior Member
Aug 3, 2019
130
31
Hanoi
Thanks to @Jirmd for letting me use his post as a reference.
Original post: https://forum.xda-developers.com/nexus-7/general/unbrick-nexus-7-tegra-3-device-t4078627

Requirements:
1. Linux-based OS (I use Ubuntu 18.04)
2. NvFlash and Wheelie (You can download the Linux version down below)
3. A USB cable (A good and sturdy one)
4. Nerve of steel lol
5. Must have APX driver installed.
6. Another Nexus 7 (Ask someone that have it or ask me)(MUST BE ROOTED AND HAVE TWRP RECOVERY INSTALLED)
7. ADB (platform-tools)
1. DUMP SBK VIA USB
Step 1
: Download fusee-launcher for Nexus 7 from this link and extract it to a folder:
http://www.mediafire.com/file/sgwsa79idk24z8u/fusee-launcher-n7.zip/file
Step 2: Open a terminal inside of the folder then type:
Code:
sudo apt-get install python-usb python3-usb
Wait for it to complete. After that, type:
Code:
pip install pyusb
Step 3: Connect your device to a USB 3.0 port (REQUIRED). You can check for connection using "lsusb". There must be a "NVidia Corp" in the list.
Step 4: Type:
Code:
sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin
Something like this should appear:
Code:
05f4a5d01'
Stack snapshot: b'0000000000000000100000003c9f0040'
EndpointStatus_stack_addr: 0x40009f3c
ProcessSetupPacket SP: 0x40009f30
InnerMemcpy LR stack addr: 0x40009f20
overwrite_len: 0x00004f20
overwrite_payload_off: 0x00004de0
payload_first_length: 0x00004de0
overwrite_payload_off: 0x00004de0
payload_second_length: 0x0000c7b0
b'00a0004000300040e04d0000b0c70000'
Setting rcm msg size to 0x00030064
RCM payload (len_insecure): b'64000300'

Setting ourselves up to smash the stack...
Payload offset of intermezzo: 0x00000074
overwrite_payload_off: 0x00004de0
overwrite_len: 0x00004f20
payload_overwrite_len: 0x00004e5c
overwrite_payload_off: 0x00004de0
smash_padding: 0x00000000
overwrite_payload_off: 0x00004de0
Uploading payload...
txing 73728 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
txing 4096 bytes (20480 already sent) to buf[1] 0x40005000
txing 4096 bytes (24576 already sent) to buf[0] 0x40003000
txing 4096 bytes (28672 already sent) to buf[1] 0x40005000
txing 4096 bytes (32768 already sent) to buf[0] 0x40003000
txing 4096 bytes (36864 already sent) to buf[1] 0x40005000
txing 4096 bytes (40960 already sent) to buf[0] 0x40003000
txing 4096 bytes (45056 already sent) to buf[1] 0x40005000
txing 4096 bytes (49152 already sent) to buf[0] 0x40003000
txing 4096 bytes (53248 already sent) to buf[1] 0x40005000
txing 4096 bytes (57344 already sent) to buf[0] 0x40003000
txing 4096 bytes (61440 already sent) to buf[1] 0x40005000
txing 4096 bytes (65536 already sent) to buf[0] 0x40003000
txing 4096 bytes (69632 already sent) to buf[1] 0x40005000
txing 4096 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
Smashing the stack...
sending status request with length 0x00004f20
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!
b'4445414442454546'
DEADBEEF
b'3030303030303030'
00000000
b'3030303030303030'
00000000
b'3034303030303930'
04000090
b'4634314330433241'
F41C0C2A
b'3133333731333337'
13371337
b'3535353535353535'
55555555
b'3430303033303030'
40003000
b'3430303035303030'
40005000
b'4141414141414141'
AAAAAAAA
b'3131313131313131'
11111111
b'3030303030303236'
00000026
b'3232323232323232'
22222222
b'68656c6c6f2c20776f726c640a00'
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'

Traceback (most recent call last):
  File "./fusee-launcher.py", line 823, in <module>
    buf = switch.read(USB_XFER_MAX)
  File "./fusee-launcher.py", line 530, in read
    return self.backend.read(length)
  File "./fusee-launcher.py", line 134, in read
    return bytes(self.dev.read(0x81, length, 3000))
  File "/usr/local/lib/python3.6/dist-packages/usb/core.py", line 988, in read
    self.__get_timeout(timeout))
  File "/usr/local/lib/python3.6/dist-packages/usb/_debug.py", line 60, in do_trace
    return f(*args, **named_args)
  File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
    timeout)
  File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 936, in __read
    _check(retval)
  File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Search for the line "hello, world" inside of your log. It looks like this in this example:
Code:
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
The last 8 characters are not your SBK. This is the first 8 numbers of your Device ID. Delete this and delete the b' at the start and also the ' at the end.
The result should look like this:
Code:
e57de3bab6cb499d874d5772cb219f01
Congratulation, you have successfully dump your device SBK via USB.

2. GETTING YOUR CPU UID
Step 1
: Download Wheelie and NvFlash then extract it to a folder.
Step 2: Download this broken blob.bin file (REQUIRE)
http://www.mediafire.com/file/32cxvjv2wajokqf/blob.bin/file
Then place it inside of the Wheelie and NvFlash folder.
Step 3: Open a terminal inside of the folder then type:
Code:
./wheelie --blob blob.bin
After that, something like this should appear:
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
[=] Chip UID: 0x98254853062001158
[-] Incorrect SBK or SBK type selected. nverror: 0x4.
Search for "Chip UID", remove the "0x" at the beginning. The result should look like this:
Code:
98254853062001158
Congratulation, you got your chip UID

3. GENERATE BLOB FILES USING ANOTHER NEXUS 7
Step 1
: Download MkNvfBlob from this link:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/precompiled/precompiledN7.tar.xz
Note: Extract this to your Nexus 7.
Step 1.1: Reboot into TWRP recovery.
Step 2: Open a terminal inside of you ADB folder then type:
Code:
adb shell
After that:
Code:
su
Type this command after that:
Code:
mkdir /AndroidRoot
Last one:
Code:
cat /proc/cpuinfo > /AndroidRoot/cpuinfo
Pull the cpuinfo file using this command:
Code:
adb pull /AndroidRoot
Note: You could copy your cpuinfo file to your PC using MTP (IDK how to do this so search Google lol)
Open your ADB folder and there should be a AndroidRoot folder with a cpuinfo file inside of it.
Open cpuinfo using a Text Editor. Something like this should be inside:
Code:
Processor    : ARMv7 Processor rev 9 (v7l)
processor    : 0
BogoMIPS    : 1993.93

processor    : 1
BogoMIPS    : 1993.93

processor    : 2
BogoMIPS    : 1993.93

processor    : 3
BogoMIPS    : 1993.93

Features    : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer    : 0x41
CPU architecture: 7
CPU variant    : 0x2
CPU part    : 0xc09
CPU revision    : 9

Hardware    : grouper
Revision    : 0000
Serial        : 015d4a5f202c0401
Replace the Serial line with your Chip UID.
After that, place the cpuinfo file back to the /AndroidRoot folder on your device using this command:
Code:
adb push AndroidRoot /
After you are done, don't close the ADB windows.
Step 3: Download bootloader.xbt:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bootloaders/bootloader.grouper.XBT
And BCT for your device:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bct/n7.bct
And copy these two files to the /AndroidRoot folder on your device.
Step 4: Type this command on the ADB windows:
Code:
cd /AndroidRoot
After that, type:
Code:
chmod 777 ./mknvfblob
After that, type:
Code:
./mknvfblob -W -K <your SBK> --blob /AndroidRoot/test.blob --bctin /AndroidRoot/n7.bct --bctr /AndroidRoot/testr.bct --bctc /AndroidRoot/testc.bct --blin /AndroidRoot/bootloader.grouper.XBT --blout /AndroidRoot/test.ebt
Wait for it to do its job.
After that, go to your /AndroidRoot folder and copy all the file that just got generated (testr.bct, testc.bct. test.ebt, test.blob) to your PC using the adb pull command on Step 2
Congratulation, you have successfully generate blob for your bricked device.

4. UNBRICK YOUR DEVICE (THE FUN PART :))
Step 1
: Boot your bricked device into APX mode either using Power button or Power + Vol UP.
Step 2: Open a terminal inside of the folder where you place your NvFlash folder (move the blob file inside of that folder, all of them)
Step 3: Open a terminal inside of your Wheelie and NvFlash folder. Type:
Code:
sudo ./nvflash --bl test.ebt --bct testr.bct --blob test.blob
If you got this command:
Code:
command error: no command found
Then try this one instead:
Code:
./nvflash --setbct --create --configfile <your flash.cfg> --bl test.ebt --bct testr.bct --blob test.blob
If you got the NvError, its fine.
Something like this should appear (the first command):
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d2bc285340e0f
rcm version 0X30001
System Information:
   chip name: unknown
   chip id: 0x30 major: 1 minor: 3
   chip sku: 0x83
   chip uid: 0x0000000000000000015d2bc285340e0f
   macrovision: disabled
   hdcp: enabled
   jtag: disabled
   sbk burned: true
   dk burned: true
   boot device: emmc
   operating mode: 4
   device config strap: 1
   device config fuse: 17
   sdram config strap: 0

sending file: recovery.bct
- 6128/6128 bytes sent
recovery.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.ebt
- 2146912/2146912 bytes sent
bootloader.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
A Google Logo should appear on your device screen with the text "Battery is too low" on the upper left corner. Unplug the battery and replug it. After that, plug it into a wall charger for atleast 4 hour.
Step 4: Unplug the battery and boot into APX mode again using the button combination.
Step 5:Type this command while holding down the Vol DOWN button:
Code:
sudo ./nvflash --resume --download 8 boot.img
Replace "boot.img" with your ROM boot.img file. If you download another boot.img that isn't for your ROM, your device will bootloop.
Step 6:
Type:
Code:
sudo ./nvflash --resume --download 4 bootloader.img
Replace "bootloader.img" with your bootloader.img file name (You could get it inside of the Factory Image)
And after its done, your device should technically unbrick now. But I still recommend you re-flash stock ROM.
Step 7: The final step
Boot into your OS using the command below:
Code:
sudo ./nvflash --resume --go
If your device boot back into APX mode, maybe you have done something wrong. Try again.
If you got a Google logo on your device then congratulation :) Your device is now unbricked.


Note: If step 7 didn't work, try booting this recovery image using this command:
Code:
fastboot boot flatline_grouper.img
Link for the recovery image is in the "Links" section.
Note: To get into Fastboot, add the "--go" line at the end of the command in Step 5
Code:
sudo ./nvflash --resume --download 8 boot.img --go
HOLD DOWN VOL DOWN while doing this command, you should get into fastboot at
After you are in the Flatline recovery, navigate to the "Advanced" section using the VOL buttons. Select it using the POWER button.
Select the "wheelie" at the end of the list.
Select "I agree".
After that, select "Step 1: Flash AndroidRoot.mobi custom bootloader." IGNORE Step 2 because it won't gonna work anyways.
Your device should reboot and the Google logo should appear, that means that your device is unbricked :).
Note: If you wanted to flash stock ROM, open the "image-*******.zip" inside of the factory image and open the android-info.txt file. Edit the "require-bootloader" line to "4.13". After that, it should work :)


Links:
flash.cfg: http://www.mediafire.com/file/j90hc1dfz58aytq/flashcfg.zip/file
flatline_grouper.img: https://www.mediafire.com/file/z1jvgy6km33f7bf/flatline_grouper.img/file
Wheelie, NvFlash and platform-tools (For ADB) (Works for both Linux and Windows): https://www.mediafire.com/file/0nuy4indgvagq3v/nvflash-and-platformtool.zip/file
Download the Factory Image for your Nexus 7 incase you want to re-flash stock ROM (nakasi or nakasig): https://developers.google.com/android/images#nakasi

That is. If you need any help, message me.

Update: After a few days of troubleshooting, fixing and updating my post, it seems like the step to unbrick your Nexus 7 2012 may depends on how did you brick it, what OS version you are running or the condition of your device. So you may have to "think outside the box" sometimes in this guide.
Update #2: Some helpful advice from @Jirmd with some minor change:
When you get this error :
Code:
Nvflash v1.10.76762 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d4a5f202c0401
rcm version 0X30001
System Information:
   chip name: unknown
   chip id: 0x30 major: 1 minor: 3
   chip sku: 0x83
   chip uid: 0x0000000000000000015d4a5f202c0401
   macrovision: disabled
   hdcp: enabled
   jtag: disabled
   sbk burned: true
   dk burned: true
   boot device: emmc
   operating mode: 4
   device config strap: 2
   device config fuse: 17
   sdram config strap: 1

sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
after this command :

Code:
./nvflash --configfile flash.cfg --create --bct testr.bct --setbct --bl test.ebt --blob test.blob --sync
Probably you have broken your internal storage!

You can probably flash:
Bootloader image (bootloader.img)
Kernel image (boot.img)
Recovery image (recovery.img aka TWRP)

But you CAN'T flash a new system via TWRP or fastboot, because the bootloader or the recovery was unable to connect to the partitions table.

You can try this command to erase bad blocks:

Code:
./nvflash --resume --configfile flash.cfg --obliterate
Reboot to APX mode and try the above command again.

But, broken internal storage is pretty much unrepairable.

There is some possibility of disassembly your device and overheat your memory IC, but this method is not easy and need more technical skill.
And in my case this did not help.
In my case, this command also gives me the nverror 0x4 but it also did something to my Nexus 7 as it was required for the next step.
Update #3: Updated the guide and removed some unessacery steps.
 
Last edited:

GedBlake

Senior Member
Jan 5, 2013
889
604
Ashton-under-Lyne, Manchester, UK
Hi, enderzip...

I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.

As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...

'Have you been successful?'

Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?

If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.

If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!

--------------------------------------

Some general thoughts...

The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...

"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."

https://poets.org/poem/do-not-go-gentle-good-night

And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.

The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.

It's basically, amazing!

Thanks enderzip:)

Rgrds,
Ged.
 
Last edited:
  • Like
Reactions: hairy floyd

zak4

Member
Apr 4, 2020
10
0
Google Nexus 4
Nexus 7
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.

Envoyé de mon Nexus 4 en utilisant Tapatalk
 

enderzip

Senior Member
Aug 3, 2019
130
31
Hanoi
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.

Envoyé de mon Nexus 4 en utilisant Tapatalk
You could manually create the folder if you have root. By using those Root File explorer on Google Play Store.
I recommend you using this one: https://play.google.com/store/apps/details?id=com.clearvisions.explorer
Open the app then go to the root section, create a new folder name: AndroidRoot
And you are good to go.

If the above method didnt work, type these command one by one:
Code:
adb shell
su
mount -o rw,remount /system
You can mount your /system back to Read-Only using this command:
Code:
mount -o ro,remount /system
 
Last edited:

enderzip

Senior Member
Aug 3, 2019
130
31
Hanoi
Hi, enderzip...

I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.

As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...

'Have you been successful?'

Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?

If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.

If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!

--------------------------------------

Some general thoughts...

The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...

"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."

https://poets.org/poem/do-not-go-gentle-good-night

And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.

The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.

It's basically, amazing!

Thanks enderzip:)

Rgrds,
Ged.
Yes, i have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
 
  • Like
Reactions: GedBlake

enderzip

Senior Member
Aug 3, 2019
130
31
Hanoi
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.

Envoyé de mon Nexus 4 en utilisant Tapatalk
im sorry but it seems like i have forget this one things: boot your device into twrp recovery and do the command.
 

zak4

Member
Apr 4, 2020
10
0
Google Nexus 4
Nexus 7
@enderzip

Thank you Enderzip. I succeeded the creation of AndroidRoot with the command for write permission on system.

I have another issue about extraction of SBK of my bricked Nexus 7. I prepared everything (download of fusee-launcher, pyusb installation ...), checked connection of my device through APX (see below) but when I type sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin I got :

[email protected]:~/Downloads/fusee-launcher-n7$ lsusb
Bus 002 Device 096: ID 058f:6362 Alcor Micro Corp. Flash Card Reader/Writer
Bus 002 Device 061: ID 0955:7330 NVIDIA Corp.
Bus 002 Device 004: ID 046d:0805 Logitech, Inc. Webcam C300
Bus 002 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
...
[email protected]:~/Downloads/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
sudo: ./fusee-launcher.py : command not found

Sorry to be blocked again.
 

zak4

Member
Apr 4, 2020
10
0
Google Nexus 4
Nexus 7
@enderzip

I found a solution to my issue by allowing the "execution of the file as program" in the permissions of fusee-launcher.py file.
Fusee-launcher started but quickly stopped before application stack dumping : message delivered by fusee-launcher is to use USB 3.0 and I realized that I have only USB 2.0 on my old desk computer.
Does someone know how to patch EHCI driver ? Is it a possible solution ?

Thanks for your advice.
 

Jirmd

Member
Dec 24, 2019
9
11
Yes, i have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.

enderzip, wow, you soo good and cool. I am totaly glad for this, how you make your tutorial. And we must give thanks for AndroidRoot team and Jenkinsen. Without this people, we all have only paperweight.

Now, i will try make my moded mknvfblob worked standalone. Without Tegra 3, only on linux X86 PC.

And, i will try make tutorial for nexus 7 , how boot linux from usb, without multiboot. ( For case, when is your internal storage totaly unreparable damaged.)
 

enderzip

Senior Member
Aug 3, 2019
130
31
Hanoi
I found a solution to my issue by allowing the "execution of the file as program" in the permissions of fusee-launcher.py file.
Fusee-launcher started but quickly stopped before application stack dumping : message delivered by fusee-launcher is to use USB 3.0 and I realized that I have only USB 2.0 on my old desk computer.
Does someone know how to patch EHCI driver ? Is it a possible solution ?

Thanks for your advice.
As beacause this is a hardware requirement, you can't just simply patch the EHCI driver. It might work but im not recommend it.
You can buy a USB 3.0 PCI-E card, it will work.
 
Last edited:

zak4

Member
Apr 4, 2020
10
0
Google Nexus 4
Nexus 7
Thank you Enderzip. I will follow your advice and buy a USB 3.0 PCI Express card and try later.
Again many thanks to you and Jmrd for your tutorial that will enable us to revive our bricked Nexus 7.

Envoyé de mon Nexus 4 en utilisant Tapatalk
 

gormatrax

Member
Sep 18, 2015
6
1
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
 

enderzip

Senior Member
Aug 3, 2019
130
31
Hanoi
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
The boot.img is inside the .zip inside of the factory image. I think the name is "image-nz blah blah.zip"
 

gormatrax

Member
Sep 18, 2015
6
1
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.

However, at step 6, i get this:

Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0

what should i do?

edit: for good measure this is the result from step 5:

Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
   chip name: unknown
   chip id: 0x30 major: 1 minor: 3
   chip sku: 0x83
   chip uid: 0x0000000000000000015d25689b3c1019
   macrovision: disabled
   hdcp: enabled
   jtag: disabled
   sbk burned: true
   dk burned: true
   boot device: emmc
   operating mode: 4
   device config strap: 1
   device config fuse: 17
   sdram config strap: 0

sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
 
Last edited:

steffenm82

Member
Apr 12, 2020
8
0
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?

Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================

Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001

[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command

Thanks Steffen
 

enderzip

Senior Member
Aug 3, 2019
130
31
Hanoi
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.

However, at step 6, i get this:

Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0

what should i do?

edit: for good measure this is the result from step 5:

Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
   chip name: unknown
   chip id: 0x30 major: 1 minor: 3
   chip sku: 0x83
   chip uid: 0x0000000000000000015d25689b3c1019
   macrovision: disabled
   hdcp: enabled
   jtag: disabled
   sbk burned: true
   dk burned: true
   boot device: emmc
   operating mode: 4
   device config strap: 1
   device config fuse: 17
   sdram config strap: 0

sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
 

gormatrax

Member
Sep 18, 2015
6
1
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.

It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:

command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed

I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
 (code: 4) message: nverror:0x8 (0x8) flags: 0

When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.

Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
 

enderzip

Senior Member
Aug 3, 2019
130
31
Hanoi
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:

command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed

I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
 (code: 4) message: nverror:0x8 (0x8) flags: 0

When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.

Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
Hmm, have you tried switching the USB port? Maybe the USB cable too.
 

enderzip

Senior Member
Aug 3, 2019
130
31
Hanoi
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?

Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================

Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001

[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command

Thanks Steffen
Sorry for my late reply, in this case, try skipping to the next step.
 

Diego_992

Member
Mar 11, 2012
30
5
Buenos Aires, ARG
I must say that @enderzip guide make my nexus 7 back on it´s feet despite not having previously generated blobs. After some days of research and some nights via PM and FB messenger he managed to bring my Nexus back on. So Yes @GedBlake he managed to unbrick a nexus 7 with no previous generated blobs. But the mentor of this tutorial was @Jirmd. In adittion, thanks to this 2 wonderful persons that make my Nexus 7 back to it´s gold years!!!
 
  • Like
Reactions: GedBlake

Top Liked Posts

  • There are no posts matching your filters.
  • 10
    Thanks to @Jirmd for letting me use his post as a reference.
    Original post: https://forum.xda-developers.com/nexus-7/general/unbrick-nexus-7-tegra-3-device-t4078627

    Requirements:
    1. Linux-based OS (I use Ubuntu 18.04)
    2. NvFlash and Wheelie (You can download the Linux version down below)
    3. A USB cable (A good and sturdy one)
    4. Nerve of steel lol
    5. Must have APX driver installed.
    6. Another Nexus 7 (Ask someone that have it or ask me)(MUST BE ROOTED AND HAVE TWRP RECOVERY INSTALLED)
    7. ADB (platform-tools)
    1. DUMP SBK VIA USB
    Step 1
    : Download fusee-launcher for Nexus 7 from this link and extract it to a folder:
    http://www.mediafire.com/file/sgwsa79idk24z8u/fusee-launcher-n7.zip/file
    Step 2: Open a terminal inside of the folder then type:
    Code:
    sudo apt-get install python-usb python3-usb
    Wait for it to complete. After that, type:
    Code:
    pip install pyusb
    Step 3: Connect your device to a USB 3.0 port (REQUIRED). You can check for connection using "lsusb". There must be a "NVidia Corp" in the list.
    Step 4: Type:
    Code:
    sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin
    Something like this should appear:
    Code:
    05f4a5d01'
    Stack snapshot: b'0000000000000000100000003c9f0040'
    EndpointStatus_stack_addr: 0x40009f3c
    ProcessSetupPacket SP: 0x40009f30
    InnerMemcpy LR stack addr: 0x40009f20
    overwrite_len: 0x00004f20
    overwrite_payload_off: 0x00004de0
    payload_first_length: 0x00004de0
    overwrite_payload_off: 0x00004de0
    payload_second_length: 0x0000c7b0
    b'00a0004000300040e04d0000b0c70000'
    Setting rcm msg size to 0x00030064
    RCM payload (len_insecure): b'64000300'
    
    Setting ourselves up to smash the stack...
    Payload offset of intermezzo: 0x00000074
    overwrite_payload_off: 0x00004de0
    overwrite_len: 0x00004f20
    payload_overwrite_len: 0x00004e5c
    overwrite_payload_off: 0x00004de0
    smash_padding: 0x00000000
    overwrite_payload_off: 0x00004de0
    Uploading payload...
    txing 73728 bytes total
    txing 4096 bytes (0 already sent) to buf[0] 0x40003000
    txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
    txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
    txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
    txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
    txing 4096 bytes (20480 already sent) to buf[1] 0x40005000
    txing 4096 bytes (24576 already sent) to buf[0] 0x40003000
    txing 4096 bytes (28672 already sent) to buf[1] 0x40005000
    txing 4096 bytes (32768 already sent) to buf[0] 0x40003000
    txing 4096 bytes (36864 already sent) to buf[1] 0x40005000
    txing 4096 bytes (40960 already sent) to buf[0] 0x40003000
    txing 4096 bytes (45056 already sent) to buf[1] 0x40005000
    txing 4096 bytes (49152 already sent) to buf[0] 0x40003000
    txing 4096 bytes (53248 already sent) to buf[1] 0x40005000
    txing 4096 bytes (57344 already sent) to buf[0] 0x40003000
    txing 4096 bytes (61440 already sent) to buf[1] 0x40005000
    txing 4096 bytes (65536 already sent) to buf[0] 0x40003000
    txing 4096 bytes (69632 already sent) to buf[1] 0x40005000
    txing 4096 bytes total
    txing 4096 bytes (0 already sent) to buf[0] 0x40003000
    Smashing the stack...
    sending status request with length 0x00004f20
    The USB device stopped responding-- sure smells like we've smashed its stack. :)
    Launch complete!
    b'4445414442454546'
    DEADBEEF
    b'3030303030303030'
    00000000
    b'3030303030303030'
    00000000
    b'3034303030303930'
    04000090
    b'4634314330433241'
    F41C0C2A
    b'3133333731333337'
    13371337
    b'3535353535353535'
    55555555
    b'3430303033303030'
    40003000
    b'3430303035303030'
    40005000
    b'4141414141414141'
    AAAAAAAA
    b'3131313131313131'
    11111111
    b'3030303030303236'
    00000026
    b'3232323232323232'
    22222222
    b'68656c6c6f2c20776f726c640a00'
    hello, world
    b'e57de3bab6cb499d874d5772cb219f0101042c20'
    
    Traceback (most recent call last):
      File "./fusee-launcher.py", line 823, in <module>
        buf = switch.read(USB_XFER_MAX)
      File "./fusee-launcher.py", line 530, in read
        return self.backend.read(length)
      File "./fusee-launcher.py", line 134, in read
        return bytes(self.dev.read(0x81, length, 3000))
      File "/usr/local/lib/python3.6/dist-packages/usb/core.py", line 988, in read
        self.__get_timeout(timeout))
      File "/usr/local/lib/python3.6/dist-packages/usb/_debug.py", line 60, in do_trace
        return f(*args, **named_args)
      File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
        timeout)
      File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 936, in __read
        _check(retval)
      File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 595, in _check
        raise USBError(_strerror(ret), ret, _libusb_errno[ret])
    usb.core.USBError: [Errno 110] Operation timed out
    Search for the line "hello, world" inside of your log. It looks like this in this example:
    Code:
    hello, world
    b'e57de3bab6cb499d874d5772cb219f0101042c20'
    The last 8 characters are not your SBK. This is the first 8 numbers of your Device ID. Delete this and delete the b' at the start and also the ' at the end.
    The result should look like this:
    Code:
    e57de3bab6cb499d874d5772cb219f01
    Congratulation, you have successfully dump your device SBK via USB.

    2. GETTING YOUR CPU UID
    Step 1
    : Download Wheelie and NvFlash then extract it to a folder.
    Step 2: Download this broken blob.bin file (REQUIRE)
    http://www.mediafire.com/file/32cxvjv2wajokqf/blob.bin/file
    Then place it inside of the Wheelie and NvFlash folder.
    Step 3: Open a terminal inside of the folder then type:
    Code:
    ./wheelie --blob blob.bin
    After that, something like this should appear:
    Code:
    Wheelie 0.1 - Preflight for nvflash.
    Copyright (c) 2011-2012 androidroot.mobi
    ========================================
    [=] Chip UID: 0x98254853062001158
    [-] Incorrect SBK or SBK type selected. nverror: 0x4.
    Search for "Chip UID", remove the "0x" at the beginning. The result should look like this:
    Code:
    98254853062001158
    Congratulation, you got your chip UID

    3. GENERATE BLOB FILES USING ANOTHER NEXUS 7
    Step 1
    : Download MkNvfBlob from this link:
    https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/precompiled/precompiledN7.tar.xz
    Note: Extract this to your Nexus 7.
    Step 1.1: Reboot into TWRP recovery.
    Step 2: Open a terminal inside of you ADB folder then type:
    Code:
    adb shell
    After that:
    Code:
    su
    Type this command after that:
    Code:
    mkdir /AndroidRoot
    Last one:
    Code:
    cat /proc/cpuinfo > /AndroidRoot/cpuinfo
    Pull the cpuinfo file using this command:
    Code:
    adb pull /AndroidRoot
    Note: You could copy your cpuinfo file to your PC using MTP (IDK how to do this so search Google lol)
    Open your ADB folder and there should be a AndroidRoot folder with a cpuinfo file inside of it.
    Open cpuinfo using a Text Editor. Something like this should be inside:
    Code:
    Processor    : ARMv7 Processor rev 9 (v7l)
    processor    : 0
    BogoMIPS    : 1993.93
    
    processor    : 1
    BogoMIPS    : 1993.93
    
    processor    : 2
    BogoMIPS    : 1993.93
    
    processor    : 3
    BogoMIPS    : 1993.93
    
    Features    : swp half thumb fastmult vfp edsp neon vfpv3 tls
    CPU implementer    : 0x41
    CPU architecture: 7
    CPU variant    : 0x2
    CPU part    : 0xc09
    CPU revision    : 9
    
    Hardware    : grouper
    Revision    : 0000
    Serial        : 015d4a5f202c0401
    Replace the Serial line with your Chip UID.
    After that, place the cpuinfo file back to the /AndroidRoot folder on your device using this command:
    Code:
    adb push AndroidRoot /
    After you are done, don't close the ADB windows.
    Step 3: Download bootloader.xbt:
    https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bootloaders/bootloader.grouper.XBT
    And BCT for your device:
    https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bct/n7.bct
    And copy these two files to the /AndroidRoot folder on your device.
    Step 4: Type this command on the ADB windows:
    Code:
    cd /AndroidRoot
    After that, type:
    Code:
    chmod 777 ./mknvfblob
    After that, type:
    Code:
    ./mknvfblob -W -K <your SBK> --blob /AndroidRoot/test.blob --bctin /AndroidRoot/n7.bct --bctr /AndroidRoot/testr.bct --bctc /AndroidRoot/testc.bct --blin /AndroidRoot/bootloader.grouper.XBT --blout /AndroidRoot/test.ebt
    Wait for it to do its job.
    After that, go to your /AndroidRoot folder and copy all the file that just got generated (testr.bct, testc.bct. test.ebt, test.blob) to your PC using the adb pull command on Step 2
    Congratulation, you have successfully generate blob for your bricked device.

    4. UNBRICK YOUR DEVICE (THE FUN PART :))
    Step 1
    : Boot your bricked device into APX mode either using Power button or Power + Vol UP.
    Step 2: Open a terminal inside of the folder where you place your NvFlash folder (move the blob file inside of that folder, all of them)
    Step 3: Open a terminal inside of your Wheelie and NvFlash folder. Type:
    Code:
    sudo ./nvflash --bl test.ebt --bct testr.bct --blob test.blob
    If you got this command:
    Code:
    command error: no command found
    Then try this one instead:
    Code:
    ./nvflash --setbct --create --configfile <your flash.cfg> --bl test.ebt --bct testr.bct --blob test.blob
    If you got the NvError, its fine.
    Something like this should appear (the first command):
    Code:
    Nvflash v1.13.87205 started
    Using blob v1.13.00000
    chip uid from BR is: 0x0000000000000000015d2bc285340e0f
    rcm version 0X30001
    System Information:
       chip name: unknown
       chip id: 0x30 major: 1 minor: 3
       chip sku: 0x83
       chip uid: 0x0000000000000000015d2bc285340e0f
       macrovision: disabled
       hdcp: enabled
       jtag: disabled
       sbk burned: true
       dk burned: true
       boot device: emmc
       operating mode: 4
       device config strap: 1
       device config fuse: 17
       sdram config strap: 0
    
    sending file: recovery.bct
    - 6128/6128 bytes sent
    recovery.bct sent successfully
    downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
    sending file: bootloader.ebt
    - 2146912/2146912 bytes sent
    bootloader.ebt sent successfully
    waiting for bootloader to initialize
    bootloader downloaded successfully
    A Google Logo should appear on your device screen with the text "Battery is too low" on the upper left corner. Unplug the battery and replug it. After that, plug it into a wall charger for atleast 4 hour.
    Step 4: Unplug the battery and boot into APX mode again using the button combination.
    Step 5:Type this command while holding down the Vol DOWN button:
    Code:
    sudo ./nvflash --resume --download 8 boot.img
    Replace "boot.img" with your ROM boot.img file. If you download another boot.img that isn't for your ROM, your device will bootloop.
    Step 6:
    Type:
    Code:
    sudo ./nvflash --resume --download 4 bootloader.img
    Replace "bootloader.img" with your bootloader.img file name (You could get it inside of the Factory Image)
    And after its done, your device should technically unbrick now. But I still recommend you re-flash stock ROM.
    Step 7: The final step
    Boot into your OS using the command below:
    Code:
    sudo ./nvflash --resume --go
    If your device boot back into APX mode, maybe you have done something wrong. Try again.
    If you got a Google logo on your device then congratulation :) Your device is now unbricked.


    Note: If step 7 didn't work, try booting this recovery image using this command:
    Code:
    fastboot boot flatline_grouper.img
    Link for the recovery image is in the "Links" section.
    Note: To get into Fastboot, add the "--go" line at the end of the command in Step 5
    Code:
    sudo ./nvflash --resume --download 8 boot.img --go
    HOLD DOWN VOL DOWN while doing this command, you should get into fastboot at
    After you are in the Flatline recovery, navigate to the "Advanced" section using the VOL buttons. Select it using the POWER button.
    Select the "wheelie" at the end of the list.
    Select "I agree".
    After that, select "Step 1: Flash AndroidRoot.mobi custom bootloader." IGNORE Step 2 because it won't gonna work anyways.
    Your device should reboot and the Google logo should appear, that means that your device is unbricked :).
    Note: If you wanted to flash stock ROM, open the "image-*******.zip" inside of the factory image and open the android-info.txt file. Edit the "require-bootloader" line to "4.13". After that, it should work :)


    Links:
    flash.cfg: http://www.mediafire.com/file/j90hc1dfz58aytq/flashcfg.zip/file
    flatline_grouper.img: https://www.mediafire.com/file/z1jvgy6km33f7bf/flatline_grouper.img/file
    Wheelie, NvFlash and platform-tools (For ADB) (Works for both Linux and Windows): https://www.mediafire.com/file/0nuy4indgvagq3v/nvflash-and-platformtool.zip/file
    Download the Factory Image for your Nexus 7 incase you want to re-flash stock ROM (nakasi or nakasig): https://developers.google.com/android/images#nakasi

    That is. If you need any help, message me.

    Update: After a few days of troubleshooting, fixing and updating my post, it seems like the step to unbrick your Nexus 7 2012 may depends on how did you brick it, what OS version you are running or the condition of your device. So you may have to "think outside the box" sometimes in this guide.
    Update #2: Some helpful advice from @Jirmd with some minor change:
    When you get this error :
    Code:
    Nvflash v1.10.76762 started
    Using blob v1.13.00000
    chip uid from BR is: 0x0000000000000000015d4a5f202c0401
    rcm version 0X30001
    System Information:
       chip name: unknown
       chip id: 0x30 major: 1 minor: 3
       chip sku: 0x83
       chip uid: 0x0000000000000000015d4a5f202c0401
       macrovision: disabled
       hdcp: enabled
       jtag: disabled
       sbk burned: true
       dk burned: true
       boot device: emmc
       operating mode: 4
       device config strap: 2
       device config fuse: 17
       sdram config strap: 1
    
    sending file: testr.bct
    - 6128/6128 bytes sent
    testr.bct sent successfully
    downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
    sending file: test.ebt
    - 2146896/2146896 bytes sent
    test.ebt sent successfully
    waiting for bootloader to initialize
    bootloader downloaded successfully
    setting device: 0 3
    failed executing command 11 NvError 0x120002
    command failure: create failed (bad data)
    bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
    after this command :

    Code:
    ./nvflash --configfile flash.cfg --create --bct testr.bct --setbct --bl test.ebt --blob test.blob --sync
    Probably you have broken your internal storage!

    You can probably flash:
    Bootloader image (bootloader.img)
    Kernel image (boot.img)
    Recovery image (recovery.img aka TWRP)

    But you CAN'T flash a new system via TWRP or fastboot, because the bootloader or the recovery was unable to connect to the partitions table.

    You can try this command to erase bad blocks:

    Code:
    ./nvflash --resume --configfile flash.cfg --obliterate
    Reboot to APX mode and try the above command again.

    But, broken internal storage is pretty much unrepairable.

    There is some possibility of disassembly your device and overheat your memory IC, but this method is not easy and need more technical skill.
    And in my case this did not help.
    In my case, this command also gives me the nverror 0x4 but it also did something to my Nexus 7 as it was required for the next step.
    Update #3: Updated the guide and removed some unessacery steps.
    2
    It’s possible to do this trick on Windows. USB 3.0 is NOT required!

    1. DUMP SBK VIA USB (Windows)
    Step 1. Install the libusbK driver:
    Download Zadig installer https://zadig.akeo.ie/
    Connect your device to USB. You should see a device labeled "APX" in the Device Manager.
    Open the Zadig executable. Select "APX" in the device dropdown list (you may have to enable "List All Devices" in the Options menu). Change the selected driver to libusbK using the arrow icons to the right of Zadig's window. Click "Install Driver" (or "Replace Driver").
    Step 2. Install Python for Windows. If you have a 64-bit system, download "x86-64" installer from https://www.python.org/downloads/windows/
    Step 3. Download fusee-launcher for Nexus 7 and extract it to a folder.
    Replace fusee-launcher.py with the fixed file https://gist.githubusercontent.com/...d4ba1cf3d6232b545ba4c91aed0/fusee-launcher.py
    Step 4. Reconnect your device (just in case).
    Open a command prompt inside of the folder then type:
    Code:
    python.exe fusee-launcher.py --tty dump-sbk-via-usb.bin
    Find SBK key in the log (refer to the main tutorial).

    2. GETTING YOUR CPU UID (Windows)
    Step 0. Replace APX driver:
    Download and extract Universal Naked Driver https://forum.xda-developers.com/go...nt/adb-fb-apx-driver-universal-naked-t2513339
    Open the Device Manager, uninstall the libusbK driver (APX device), then install the extracted one.
    Step 1. ...


    Tested on PC with USB 2.0 ports, Windows 7, Python 3.8.3, Zadig 2.5

    But I don't have a second device.
    Could someone generate the Blob file for me? Pretty please?
    SBK: 3344ff475dce4fb19f0808c496dbc8eb
    Chip UID: 015d8bed314c0603
    1
    Hi, enderzip...

    I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.

    As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...

    'Have you been successful?'

    Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?

    If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.

    If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!

    --------------------------------------

    Some general thoughts...

    The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...

    "Do not go gentle into that good night,
    Old age should burn and rave at close of day;
    Rage, rage against the dying of the light."

    https://poets.org/poem/do-not-go-gentle-good-night

    And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.

    The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.

    It's basically, amazing!

    Thanks enderzip:)

    Rgrds,
    Ged.
    1
    Hi, enderzip...

    I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.

    As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...

    'Have you been successful?'

    Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?

    If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.

    If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!

    --------------------------------------

    Some general thoughts...

    The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...

    "Do not go gentle into that good night,
    Old age should burn and rave at close of day;
    Rage, rage against the dying of the light."

    https://poets.org/poem/do-not-go-gentle-good-night

    And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.

    The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.

    It's basically, amazing!

    Thanks enderzip:)

    Rgrds,
    Ged.
    Yes, i have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
    And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
    1
    Output. If you have problems, please read through the entire thread as there have been many ideas on what commands to try if post #1 doesn't work. I did it my own way in post #189.

    Code:
    # cat /AndroidRoot/cpuinfo 
    Processor       : ARMv7 Processor rev 9 (v7l)
    processor       : 0
    BogoMIPS        : 1993.93
    
    processor       : 1
    BogoMIPS        : 1993.93
    
    processor       : 2
    BogoMIPS        : 1993.93
    
    processor       : 3
    BogoMIPS        : 1993.93
    
    Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls 
    CPU implementer : 0x41
    CPU architecture: 7
    CPU variant     : 0x2
    CPU part        : 0xc09
    CPU revision    : 9
    
    Hardware        : grouper
    Revision        : 0000
    Serial          : 15d46d9255ff20c
    # ./mknvfblob -W -K c975962aeee94f0699fe1a8181047a90 --blob test.blob --bctin n7.bct --bctr testr.bct --bctc testc.bct --blin bootloader.grouper.XBT --blout test.ebt
    mknvfblob
    ---------
    
    Encrypting BL 'bootloader.grouper.XBT' to 'test.ebt'...done.
    Generating encrypted recovery BCT from 'n7.bct' to 'testr.bct'...done.
    Generating encrypted create BCT from 'n7.bct' to 'testc.bct'...done.
    Generating blob file 'test.blob'...done.
    Adding create BCT to blob file [wheelie]...done.
    Adding recovery BCT to blob file [wheelie]...done.
    Adding bootloader to blob file [wheelie]...done.
    Adding odmdata to blob file [wheelie]...done.
    Adding chip id to blob file [wheelie]...done.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone