THIS WILL WIPE YOUR DATA!
YOU MIGHT BRICK YOUR PHONE!
MAKE. A. BACKUP!!!
THIS IS A GENERAL GUIDE BASED ON THE x70 PRO PLUS AND NEEDS A LOT OF MODIFICATIONS FOR YOUR DEVICE.
Requirements:
- Unlocked Bootloader: Guide I, Guide II
- Root to extract boot.img and recovery.img (and make a backup)
- Android Image Kitchen (AIK)
- QFIL / Split image of your target firmware
- OTA Firmware with a higher version than your Split Image
I. Root your phone
You should back up all partitions, either through Magisk (if you have the currently running firmware as ota.zip) or a LineageOS GSI with me.phh.superuser.apk.
The backup commands for the Vivo x70 Pro+ and a general guide can be found in the linked post.
If you have another device, use adb to find your blocks and their proper partition names and modify the "script" from my post.
Code:
adb shell
ls -al /dev/block/by-name/
Do NOT back up userdata and sda.
II. Modify recovery
In order to enable adb in recovery we have to unpack the recovery.img and change some prop.default values. (You got this recovery.img either by backing up your partitions or by having the correct ota.zip.)
THIS post has a great guideline; you can skip everything TWRP related.
In Short:
1. Use AIK to unpack recovery.img
2. Delete the /split_img/*ramdisk*.zip ONLY
3. Open /ramdisk/default.prop or /ramdisk/prop.default or similar with a text editor
4. Modify according to step 22 in the linked post (careful: vivo uses adb.secure=1 two times, edit both properties)
5. Save, repack and flash the new recovery.img
III. Folder Structure
1. Create a new folder "transform" on your system and extract your SPLIT firmware files into a subfolder called "split". -> /transform/split/
First off, identify your super_x.img files and their corresponding dynamic partitions. In general "system" should be the largest, "vendor" the second largest and odm / oem should be smaller.
You can open them with 7zip and identify their contents. Take note.
For the X70 Pro+: super_2.img = system | super_3.img = vendor | super_4.img = odm
2. Open these files in your ota.zip: /dynamic_partitions_op_list and /oem/dynamic_partitions_op_list.
Take note of the partition sizes for system, vendor, odm and vgc (e.g. # Grow partition system from 0 to 5373415424).
3. Rename your OTA file to ota.zip and put it into /transform/ota/
IV. Modified Images
1. Download the attached misc-data.img and place it in /transform/modded/ (Thanks to @Pervokur).
If you flash this, it tells recovery to look for "ota.zip" in /data/ on the next boot and install it if it's available.
You can edit the path via hex editor, but it's fine for this guide. Don't flash it yet.
2. Patch the recovery.img from /transform/split/ according to step II and place it in /transform/modded/recovery-adb.img
V. Modify the flash script
1. Download my reference script and place it as info.txt into /transform/. Modify this script according to the files from your SPLIT firmware and your partition backups. Vivo phones with different hardware versions might be way more complicated. Analyze everything and take your time - you don't want to brick your device.
PAY ATTENTION: In the best case and at the very least you will have to modify vbmeta_oem, vbmeta_vgc, system, vendor, odm, oem and vgc to match your files.
DO NOT flash your fsg partition. This one basically contains your modem. If you do flash it, or if you don't have signal after an OTA update, scroll down.
2. Go to "::RECREATE DYNAMIC PARTITIONS" and modify the partition sizes according to the values of III.2.
Code:
::OPEN A SHELL IN THIS FOLDER
::REBOOT YOUR PHONE INTO FASTBOOT (REBOOT AND HOLD POWER + VOL UP)
fastboot reboot bootloader
fastboot flash abl split/abl.elf
fastboot flash aop split/aop.mbn
fastboot flash boot split/boot.img
fastboot flash bluetooth split/BTFM.bin
fastboot flash cpucp split/cpucp.elf
fastboot flash devcfg split/devcfg.mbn
fastboot flash apdp split/dp_AP_signed_minidump.mbn
fastboot flash dsp split/dspso.bin
fastboot flash dtbo split/dtbo.img
fastboot flash factory split/factory.img
fastboot flash featenabler split/featenabler.mbn
fastboot flash storage split/firmware.bin
fastboot flash hyp split/hypvm.mbn
fastboot flash keymaster split/km41.mbn
fastboot flash logfs split/logfs_ufs_8mb.bin
fastboot flash mdcompress split/mdcompress.mbn
fastboot flash metadata split/metadata.img
::fastboot flash modemst1 split/modemst.mbn
::fastboot flash modemst2 split/modemst.mbn
fastboot flash multiimgoem split/multi_image.mbn
::fastboot flash fsg split/PD2145F_EX_fs_image.tar.gz.mbn.img
fastboot flash persist split/persist.img
fastboot flash qupfw split/qupv3fw.elf
fastboot flash recovery modded/recovery-adb.img
fastboot flash rtice split/rtice.mbn
fastboot flash secdata split/sec.elf
fastboot flash shrm split/shrm.elf
fastboot flash spunvm split/spunvm.bin
fastboot flash storsec split/storsec.mbn
fastboot flash tz split/tz.mbn
fastboot flash uefisecapp split/uefi_sec.mbn
fastboot flash vbmeta split/vbmeta.img
fastboot flash vbmeta_oem split/vbmeta_oem_PD2145F_EX_IN_NULL_NULL.img
fastboot flash vbmeta_system split/vbmeta_system.img
fastboot flash vbmeta_vgc split/vbmeta_vgc_NULL_PD2145F_EXMA.img
fastboot flash vendor_boot split/vendor_boot.img
fastboot flash vm-bootsys split/vm-bootsys.img
fastboot flash vgc split/vgc.img
fastboot flash xbl_config split/xbl_config.elf
fastboot flash xbl split/xbl.elf
fastboot flash xbl_configbak split/xbl_config.elf
fastboot flash xblbak split/xbl.elf
fastboot flash modem split/NON-HLOS.bin
::RECREATE DYNAMIC PARTITIONS
fastboot reboot fastboot
fastboot delete-logical-partition system
fastboot delete-logical-partition vendor
fastboot delete-logical-partition odm
fastboot delete-logical-partition vgc
fastboot create-logical-partition system 5373415424
fastboot create-logical-partition vendor 3128008704
fastboot create-logical-partition odm 1392640
fastboot create-logical-partition vgc 348160
::FLASH DYNAMIC PARTITIONS
::VGC WILL OUTPUT AN ERROR - DONT MIND
fastboot reboot fastboot
fastboot erase system
fastboot erase vendor
fastboot erase odm
fastboot erase oem
fastboot erase vgc
fastboot flash system split/super_2.img
fastboot flash vendor split/super_3.img
fastboot flash odm split/super_4.img
fastboot flash oem split/oem_PD2145F_EX_IN_NULL_NULL.img
fastboot flash vgc split/vgc_NULL_PD2145F_EXMA.img
fastboot reboot recovery
::IF IT DOESNT REBOOT JUST USE THE BUTTON ON YOUR PHONE
::NOW GO TO WIPE AND WIPE DATA & CACHE 2X
::CHECK SYSTEM -> RECOVERY SHOULD FAIL, EVERYTHING ELSE PASS
adb push ota/ota.zip /data
adb reboot bootloader
fastboot flash misc modded/misc-data.img
fastboot reboot
::LET THE PHONE START ONCE (ABOUT 1-5MIN)
::YOU ARE NOW ON FUNTOUCH
--------------------------------------------------------------------------
::YOU CAN BACKUP OTA PACKAGES FROM HERE WHEN THEY ARE DOWNLOADED (ROOT ONLY)
/data/vivo-updater/com.bbk.updater/OTAPackage/
::UPDATE TO THE LATEST VERSION VIA OTA ONLY AFTER YOU BACKUP THE OTA
::YOU MUST FLASH YOUR ORIGINAL BOOT.IMG BEFORE UPDATING
VI. Run the commands according to your modified flash script.
VII. Problems
1. Brick?
Flash all partitions from your backup
2. No signal?
Code:
fastboot erase modemst1
fastboot erase modemst2
fastboot flash fsg your-original-backup-fsg.img
3. DM-Verity Warning?
Code:
adb shell service call package 134 s16 com.vivo.daemonService i32 0 i32 0
4. Fingerprint not working?
Try this post.
Huge thanks to @Pervokur for finding the bootloader exploit, guiding me through this and providing help all the way!
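Steps III.2 and V.2 copy the partition sizes by hand from the two dynamic_partitions_op_list files into the "::RECREATE DYNAMIC PARTITIONS" block. The following is an added example, not part of the original post, that derives those delete/create commands from the op list text instead. It assumes each "Grow partition" comment is followed by a `resize <name> <size>` line; the helper name, the sample group name and the group size are made up, and the four partition sizes are the ones quoted in the guide.

```shell
#!/bin/sh
# Added example: build the "::RECREATE DYNAMIC PARTITIONS" commands from
# dynamic_partitions_op_list content instead of copying sizes by hand.

# Constructed sample standing in for the two op lists concatenated. The four
# sizes are the ones quoted in the guide; group name and group size are made up.
sample_oplist() {
cat <<'EOF'
# Add group example_dynamic_partitions with maximum size 9126805504
add_group example_dynamic_partitions 9126805504
# Add partition system to group example_dynamic_partitions
add system example_dynamic_partitions
# Grow partition system from 0 to 5373415424
resize system 5373415424
# Grow partition vendor from 0 to 3128008704
resize vendor 3128008704
# Grow partition odm from 0 to 1392640
resize odm 1392640
# Grow partition vgc from 0 to 348160
resize vgc 348160
EOF
}

# oplist_to_fastboot PART...  (hypothetical helper; op list text on stdin)
# Prints delete/create commands in the order given. Fails without output if a
# requested partition has no resize line or a size is not a plain integer.
oplist_to_fastboot() {
    awk -v want="$*" '
        BEGIN { n = split(want, part, " ") }
        /^[ \t]*#/ { next }                  # "# Grow ..." lines are comments only
        $1 == "resize" && NF == 3 {
            if ($3 !~ /^[0-9]+$/) {
                print "bad size for " $2 ": " $3 > "/dev/stderr"; bad = 1; next
            }
            size[$2] = $3                    # a later resize overrides an earlier one
        }
        END {
            for (i = 1; i <= n; i++) if (!(part[i] in size)) {
                print "no resize line for " part[i] > "/dev/stderr"; bad = 1
            }
            if (bad) exit 1
            for (i = 1; i <= n; i++)
                print "fastboot delete-logical-partition " part[i]
            for (i = 1; i <= n; i++)
                print "fastboot create-logical-partition " part[i] " " size[part[i]]
        }'
}

# Print the commands for review; nothing is sent to a device.
sample_oplist | oplist_to_fastboot system vendor odm vgc
```

With real files, feed both lists in one stream (`cat dynamic_partitions_op_list oem/dynamic_partitions_op_list | oplist_to_fastboot system vendor odm vgc`) and compare the output with your flash script before running anything.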