Xperia Tablet S Bricked and revived. Service tools obtained.

[vatis24]

Goodmorning people,
I dont know if i ask to much but is there any possibility someone to make us the modified img so we will avoid the linux part? If not maybe a guide for less knowlwgde linux people? I cant see the tablet bricked with a solution ready!
Thanks guysn

Vatis

 

[NerdiX]

Here's my simple how to with prepared image.

These step already done, no need to do this on linux box:

* Give executable permissions for mksh (sh is linked to mksh):
* Set imutable bit for mksh:
* While doing this, you may just as well download motochopper and put pwn to xbin and give execute permissions:

Write image on sdcard min 2Gb.
Put the card in tab and boot it.
When you see " Cold-boot Linux..." connect usb cable to pc and start a shell, presume windows command prompt, adb drivers installed too...
on
C:\>
type:

adb shell

on
[email protected]:/ $
type:

/system/xbin/pwn

will see:
[+] This may take a few minutes.
[+] Success!
sh: /system/xbin/busybox: not found
sh: cp: not found
type:

export PATH=$PATH:/system/xbin/busyboxbin

then type:

su

STOP here if your OTA is diferent, i mean - no 3g - wifi only, and country code is not listed below! Read OTA WARNING bellow!!!
If your device is 3g and OTA is like mine, then proceed with next step. OTA for specific device see on stifilz post here: http://forum.xda-developers.com/showpost.php?p=26882762&postcount=3
on: [email protected]:/ # type the following lines one by one followed by enter key

/system/xbin/busyboxbin/dd if=/system/jb411r2/system.img of=/dev/block/mmcblk0p3 [COLOR="Red"][U]press ENTER, and wait, to see when it's done[/U][/COLOR]
/system/xbin/busyboxbin/dd if=/system/jb411r2/system.img of=/dev/block/mmcblk0p4 [COLOR="Red"][U]press ENTER, and wait... when done, proceed[/U][/COLOR]
/system/xbin/busyboxbin/dd if=/system/jb411r2/hidden.img of=/dev/block/mmcblk0p7 [COLOR="Red"][U]press ENTER, and wait[/U][/COLOR]

You can copy lines from here and paste it on command prompt window... When dd is done you can type reboot, or simply close command window, remove the card and start the tab. After SONY logo will see a triangle with an exclamation mark, tab will reboot and another one triangle with an exclamation mark, after that will boot to the os...

Job DONE.

OTA WARNING and how to desklinvr your specific device firmware!
Sorry for the delay, thanks again to jappaj, please follow these simple steps to desklunvr your firm, and don't do cross flash 3g<->wifi<->3g versions.

Here's the link to image jb411r2sdcard.img with motochopper, system.img and hidden.img from signed-txs03_350-ota-130705005_desklunvr.zip - image for 3g model - county codes: AT BE BG CH CZ DK FI GR HU IE KZ NL NO PL PT RO RU SE SI SK TR UA, for other images, you need to desklunvr your preferable and put system and hidden via adb put...

Guys, I would strongly advice against flashing "wrong" firmware to your device, especially 3G vs non-3G! We still have no idea if we can flash older /different bootleader/kernel to the device (I bet that with dd answer is no) and if there is something different between kernels, you may encounter some ill-effects even if everything seems to work (ie. batttery drain or anything else). Also, using dd we can flash only system and hidden partitions, there are plenty of other partitions like config - who knows what happens if you have config from non-3G device and system from 3G?

So just download right OTA for your specific device, decrypt, push to SD-card and flash that!

- Using desklunvr (http://forum.xda-developers.com/showthread.php?t=2068261) decrypt the OTA you used to brick your devices in the first place. ie:

desklunvr.exe signed-txs03_xxx-ota-nnn.zip

- Unzip decrypted zip

- Push resulting system.img to /tmp (or better write it to sd-card while you write pwn etc., adb is slow...):

adb push system.img /tmp

- From adb shell flash system image to first system partition:

/system/xbin/busyboxbin/dd if=/tmp/system.img of=/dev/block/mmcblk0p3

- From adb shell flash system image to second system partition:

/system/xbin/busyboxbin/dd if=/tmp/system.img of=/dev/block/mmcblk0p4

/system/xbin/busyboxbin/dd if=/tmp/hidden.img of=/dev/block/mmcblk0p7

Million thanks to @deltaztek for obtaining SD-card in the first place, @djrbliss for motochopper, @<robin> for desklunvr, @condi for gathering knowledge about how to flash images to the device , @stifilz for firmwares and of course SonyCenterGuy why leaked the SD-card (could be on purpose, you know...)! If I forgot to thank somebody, sorry and tell me and I will add credits!

Good luck!

 

[Theogonist]

Mission accomplished - Tablet unbricked

Worked like a charm after I used the right SD card.

Thanks to all who put so much effort into the analysis of this wonderful SD Card.

Only thing left to to is restoring all the apps that were installed befor the silly thing decided to play dumb

Nice, 32GB card is SDXC anyways not SDHC right? That may be why it did not work from 32GB card.

Meanwhile, it is enough to have bin and lib on the SD-card's system partition to recover since dd is really only command needed apart from basic shell commands like cd and ls. Oh and of course adbd is needed. Probably most of the stuff frum bin and lib could be removed also, but there is little point...

It was a Transcend Micro SDHC - at least that's what it says on the label.
I was using a Kingston MicroSD adapter.
The SD Card I used now is a 8GB PNY SDHC card.

 

[stifilz]

Goodmorning people,
I dont know if i ask to much but is there any possibility someone to make us the modified img so we will avoid the linux part? If not maybe a guide for less knowlwgde linux people? I cant see the tablet bricked with a solution ready!
Thanks guysn

Vatis

I received an email this morning from [email protected] (hidden to respect privacy)

Could somebody share this on xda dev on Xperia Tablet S Q&A recovery thread? It contains modified Sony's recovery image. Partitions are restructured, there is /data partition which is large enough for system.img. System.img can be pushed to /data/local/tmp after boot via adb and then dd'd to device.

http://www.4shared.com/zip/nwvemTdsce/xts03_recoveryimg.html

Thanks. Tried to register to the forum for 2 hours, but could not solve recaptchah.

ONLY 87.5MB

I have downloaded and opened the img and looks legit. Please push your own system.img to Part2 (there is a 1.0GB free space there).

Once again this is not my file so I will not be held responsible for an damages.

Enjoy

 

[jappaj]

Wonderful things, as it seems recovering is now easy enugh, it could be possible to develope custom ROM. However, still locked bootloader, so no custom kernel and without customer kernel there may not be any point to create custom ROM...

 

[vatis24]

Dear NerdiX ,

First of all i would like to thank you so much for your img, followed your guide and my xpeira tablet s its alive again after 4 months !
This image can unbrick any Xperia tablet s device!

I am running Android version 4.1.1 (release2) Model No. SGPT13 but my model is SGPT12 non 3g haha yeah thats funny but the ROM seems to be the same for both models!

Dear deltaztek ,
Thank you so much for the original Sony img !

Dear jappaj,

Thanks for your investigation on /mnt of the sd cards and on your amazing solution !

This community can do anything !

Cheers brothers

 

[jappaj]

Guys, I would strongly advice against flashing "wrong" firmware to your device, especially 3G vs non-3G! We still have no idea if we can flash older /different bootleader/kernel to the device (I bet that with dd answer is no) and if there is something different between kernels, you may encounter some ill-effects even if everything seems to work (ie. batttery drain or anything else). Also, using dd we can flash only system and hidden partitions, there are plenty of other partitions like config - who knows what happens if you have config from non-3G device and system from 3G?

So just download right OTA for your specific device, decrypt, push to SD-card and flash that!

 

[NerdiX]

@vatis24 it's not too late to dd your specific OTA system and hidden imgs, i suppose:

AT BE BG CH CZ DK FI GR HU IE KZ NL NO PL PT RO RU SE SI SK TR UA
Jelly Bean R3
info.update.sony.net/ST003/txs03_300/contents/0009/signed-txs03_300-ota-131023003.zip
follow steps to desklunvr it, and flash correct files...

 

[vatis24]

@vatis24 it's not too late to dd your specific OTA system and hidden imgs, i suppose:

AT BE BG CH CZ DK FI GR HU IE KZ NL NO PL PT RO RU SE SI SK TR UA
Jelly Bean R3
info.update.sony.net/ST003/txs03_300/contents/0009/signed-txs03_300-ota-131023003.zip
follow steps to desklunvr it, and flash correct files...

Thanks mates for the advice ,

I already flashed the correct Firmware for my device last night

Thanks again for all of your help and support!

 

[NerdiX]

I already flashed the correct Firmware for my device last night

Using stock recovery, or this method with recovery sdcard?

 

[jappaj]

Btw. using instructions from this thread vendor partition is not restored properly. You could do it manually via shell or via .bat... @condi, you have been quite productive with .bat files, perhaps you could prepare us .bat file which expectes device to be booted from recovery SD-card and then a) flashes system.img to both system partitions b) flashes hiddeh.img c) set's up vendor.

I could do bat like that but I have so little time...

 

[vatis24]

Using stock recovery, or this method with recovery sdcard?

No i followed the procedure with cold-booting again dycrypted the images and push them by adb to tmp
I dont know if now would work with standard recovery zip
But i doubt it.

Cheers

 

[smgdev]

Btw. using instructions from this thread vendor partition is not restored properly. You could do it manually via shell or via .bat... @condi, you have been quite productive with .bat files, perhaps you could prepare us .bat file which expectes device to be booted from recovery SD-card and then a) flashes system.img to both system partitions b) flashes hiddeh.img c) set's up vendor.

I could do bat like that but I have so little time...

I can give it a try... What do you need?
And @jappaj it seems like you are a linux guy. Maybe you can try kexec for booting cusom kernels.

Sony Tablet S cihazımdan Tapatalk kullanılarak gönderildi

 

[condi]

Btw. using instructions from this thread vendor partition is not restored properly. You could do it manually via shell or via .bat... @condi, you have been quite productive with .bat files, perhaps you could prepare us .bat file which expectes device to be booted from recovery SD-card and then a) flashes system.img to both system partitions b) flashes hiddeh.img c) set's up vendor.

I could do bat like that but I have so little time...

Got some ideas, how to make it fully automatic even making sdcard from the beginning. i will try to make such tool.

======
work in progress... got 80% of .bat ready. still making smallest sd image as I can. tool will prepare chosen firmware, split it to img files, prepare magic card, and do every flashing thing automatically.

======
90%... need some testers with Xperia Tab and teamviewer

==================
98% done, any volunteer?

 

[condi]

ok guys, now please tell me - pwn binary is mandatory?
its just to get su? (su already in xbin dir), or it makes shell accessible/make some other changes?


auto unbrick tool - what works:

1) download update.zip, decrypt, get img's,
2) download prepared sd img (~180mb),
3) write sd img to sd,

got last thing to test (cant make it on my own = no xperia tab in my hands)
4) auto unbrick process via shell

need some device remotely via teamviewer!

 

[jappaj]

ok guys, now please tell me - pwn binary is mandatory?
its just to get su? (su already in xbin dir), or it makes shell accessible/make some other changes?

Yes it is mandatory unless somebody can figure out how to get shell without hacks like this. This is because SD-card partition where su-binary residers is mounted with nosuid -flag essentially rendering su useless. Partitoun would need to be remounted suid to su to work, but that would require... root access Otherwise we could root any android device by putting su to SD-card and running it.

pwn is kernel exploit which is able to inject some code to running kernel or something and essentially it makes every process spawned to run as root. Ie. you can run shell, pwn, then close shell and open new shell and new shell is running as root already.

Of course, there MUST be a way Sony can get shell access without hacks like this. Though no need to put any effort to that since chattr +i and pwn works.

Ps. It's quite sad how quiet this forum is, what do we have, two recovered devices or something?

 

[condi]

Yes it is mandatory unless somebody can figure out how to get shell without hacks like this. This is because SD-card partition where su-binary residers is mounted with nosuid -flag essentially rendering su useless. Partitoun would need to be remounted suid to su to work, but that would require... root access Otherwise we could root any android device by putting su to SD-card and running it.

pwn is kernel exploit which is able to inject some code to running kernel or something and essentially it makes every process spawned to run as root. Ie. you can run shell, pwn, then close shell and open new shell and new shell is running as root already.

Of course, there MUST be a way Sony can get shell access without hacks like this. Though no need to put any effort to that since chattr +i and pwn works.

Ps. It's quite sad how quiet this forum is, what do we have, two recovered devices or something?

Maybe only two recovered devices, but a looooot of satisfaction

Got auto tool almost ready, with help of NerdiX yesterday we've made a lot of testing,
everything works as it should, I would release it already, but flashnul (command line app for sd write)
is not working on every pc. I have to replace it with another one.
Instead of that everything works as it should, including flashing all the partitons.

 

[NerdiX]

I created a img of /dev/block/mmcblk0p9 - datapp partition from another tab without mess.
dd this img to block on my tab. tried ota, but some symlinks are not correct.
symlink as follows:

ln -s /datapp/vendor/vendor1/master/app /system1/vendor/app; ln -s /datapp/vendor/vendor1/master/etc /system1/vendor/etc; ln -s /datapp/vendor/vendor1/master/fonts /system1/vendor/fonts; ln -s /datapp/vendor/vendor1/master/framework /system1/vendor/framework; ln -s /datapp/vendor/vendor1/master/lib /system1/vendor/lib

ln -s /datapp/vendor/vendor0/master/app /system/vendor/app; ln -s /datapp/vendor/vendor0/master/etc /system/vendor/etc; ln -s /datapp/vendor/vendor0/master/fonts /system/vendor/fonts; ln -s /datapp/vendor/vendor0/master/framework /system/vendor/framework; ln -s /datapp/vendor/vendor0/master/lib /system/vendor/lib

vendor0 -> system (mmcblk0p3)
vendor1 -> system1 (mmcblk0p4)

recovery_abort.log

Write images to system0...
Write files to vendor0...
minzip: Extracted file "/datapp/vendor/vendor0/AT/.dummy"
minzip: Extracted file "/datapp/vendor/vendor0/AT/app/.dummy"
----- cut -----
minzip: Extracted file "/datapp/vendor/vendor0/regioncodelist/SKU002000248214.lst"
minzip: Extracted file "/datapp/vendor/vendor0/regioncodelist/SKU002000248215.lst"
minzip: Extracted file "/datapp/vendor/vendor0/vendor.prop"
script aborted: read_mod_link: failed to readlink "/system1/vendor": Invalid argument
read_mod_link: failed to readlink "/system1/vendor": Invalid argument

 

[NerdiX]

Yet another BIG THANKS to this community.

After some searching i found this post: Anyone has XTS JB device which has not been flashed? @jappaj
So correct links for me:

ln -s /datapp/vendor/vendor0/BG /system1/vendor
ln -s /datapp/vendor/vendor1/BG /system/vendor

Change BG with your own. reboot in recovery and start update procedure...
- desklunvr - ok
- flashing system0 - ok
- flashing vendor0 - ok
- verifying update - ok
- flashing staging - ok
reboot, seems to be stuck here, but manual power off, and then power on, tab boot ok

 

[condi]

auto unbricker done !