phhusson / treble_experimentations

Notes about tinkering with Android Project Treble

Progress on Samsung Galaxy Tab S7+ 5G (SM-T976B) #1744

Closed lss4 closed 3 years ago

lss4 commented 3 years ago

UPDATE (May 23, 2021): GSI works with Magisk using A10 vendor (preferably ATK3). However, there are some things worth noting when flashing. For details, check recent comments.


UPDATE (Apr 10, 2021): v304 can be booted on Android 11 vendor, but without Magisk at the moment. In this case, you need to use the vbmeta.img from your current firmware and edit the byte at offset 123 to 03h to disable AVB completely, or you'll fall into the bootloader when using the stock, unmodified boot.img.

I can no longer conduct tests with Android Q vendor, because the recently released T976BXXS2BUC1 build has just set the BIT value to 2 from 1, which effectively blocked the downgrade path completely. So if you're still on T976BXXU1BUBB or earlier, DO NOT UPGRADE ANY FURTHER if you intend to run it with Android Q vendor!

I haven't tested the gapps variant, but with a vanilla variant with GApps installed later (via BiTGApps), I got the same "uncertified device" notice that prevents me from logging in to my Google account. Regardless, the issue might be the same as #1784.

For now I can only keep looking forward to the progress, though I can still conduct tests whenever needed, as I can still go back and forth between stock and GSI by restoring respective nandroid backups I did with TWRP.


Original Issue:

This device uses dynamic partitioning. I used this script to flash the GSI and I can confirm it works. However, the system cannot boot and keeps rebooting on Samsung logo.

Tried both vndklite and non-lite, and this is on AOSP v301. Before this release I flashed a few others and they did not work, either.

I don't know if there's any way to look into the problem and figure out what caused the system not to boot...

I'm on ianmacd's latest TWRP, with stock kernel already patched for Magisk. I've also flashed Multi-Disabler as otherwise the device won't boot, since it disables FBE which TWRP currently cannot handle.

phhusson commented 3 years ago

How did you confirm the repack works? Which variant did you install?

On Thu, 4 Mar 2021 at 15:01, L.S.S. notifications@github.com wrote:

This device uses dynamic partitioning. I used this script https://forum.xda-developers.com/t/how-to-make-gsi-flasher-for-samsung-galaxy-a51-super-partition-image.4216083/ to flash the GSI and I can confirm it works. However, the system cannot boot and keeps rebooting on Samsung logo.

Tried both vndklite and non-lite, and this is on AOSP v301. Before this release I flashed a few others and they did not work, either.

I don't know if there's any way to look into the problem and figure out what caused the system not to boot...


lss4 commented 3 years ago

How did you confirm the repack works? Which variant did you install?

arm64-ab-vanilla ones.

I can confirm by trying to mount /system_root from TWRP, and I was able to see the content of the GSI.

Both vndklite and non-vndklite ones were tried. Not working.

KatoTempest commented 3 years ago

Not because of the magisk patching?

On an MTK device I had some GSIs not booting due to patching, but if it is a dm-verity issue, try the dm-verity disabler, and if you have vbmeta, try an empty one.

lss4 commented 3 years ago

Not because of the magisk patching?

On an MTK device I had some GSIs not booting due to patching, but if it is a dm-verity issue, try the dm-verity disabler, and if you have vbmeta, try an empty one.

Not sure, but Magisk works on stock and I'm already using it there. I need it to be working on GSI for my purpose, so if it turns out not to work, it defeats my purpose. The tablet is using Snapdragon 865.

When I unlocked the bootloader, the first thing I flashed even before TWRP was a "neutralized" vbmeta I got from a guide for another Samsung device, though I'm new to this and I'm not sure if that's empty or not.

EDIT: Back then with some February patch GSIs (from GsiTestProjects, like Nusantara, which were already securized), I even tried renaming resetprop to something else (note that I can mount /system_root r/w on those) to avoid colliding with Magisk, and that did not work, either.

EDIT 2: I also suspected I might need to flash Multi-Disabler again, but judging by the result from the vndklite variant it wasn't necessary. I should note that Multi-Disabler will fail on the non-vndklite variant since /system_root cannot be mounted r/w (even that attempt failed).

EDIT 3: The vbmeta I flashed is only 256 bytes and appears empty, with avbtool 1.1.0 in it. I don't know if I need to flash a larger img (to wipe everything), as I checked and the original one from Samsung is about 10 kB with contents.

KatoTempest commented 3 years ago

Maybe this works for you; I had a similar error on the Galaxy A51. Try from TWRP with the option to "fix contexts".

lss4 commented 3 years ago

Maybe this works for you; I had a similar error on the Galaxy A51. Try from TWRP with the option to "fix contexts".

Just tried this. No, it doesn't make any difference. The device still cannot boot. This is on v302, using ARM64 AB vndklite vanilla.

lss4 commented 3 years ago

Thinking that using a Magisk-patched image might be related, I flashed the unmodified boot via Odin, and now it enters a strange FastBoot Mode that I can see via the fastboot command (which I think might be fastbootd), but I cannot do anything else there, including flashing system.

I can't even reboot:

$ fastboot reboot
Rebooting                                          FAILED (remote: 'unknown command')
fastboot: error: Command failed

EDIT: It says something like this

Press volume key to select, and press power key to select

FastBoot Mode (in red color)
PRODUCT_NAME - kona
VARIANT - SM8 UFS
BOOTLOADER VERSION - 
BASEBAND VERSION - 
SERIAL NUMBER - xxxxxx
SECURE BOOT - yes
DEVICE STATE - unlocked (in red color)

Volume key has no effect. Power key would reboot the device then return to this screen again.

EDIT: I can do fastboot getvar all in this state. I don't know what else I should try.

lss4 commented 3 years ago

I think the unmodified boot.img.lz4 that I flashed via Odin didn't really boot, so the "FastBoot Mode" I saw was actually the bootloader, just that the bootloader's fastboot doesn't offer any usable options.

Here is what I got using fastboot getvar all:

(bootloader) parallel-download-flash:yes
(bootloader) hw-revision:0
(bootloader) unlocked:yes
(bootloader) off-mode-charge:0
(bootloader) charger-screen-enabled:0
(bootloader) battery-soc-ok:yes
(bootloader) battery-voltage:3700
(bootloader) version-baseband:
(bootloader) version-bootloader:
(bootloader) erase-block-size: 0x1000
(bootloader) logical-block-size: 0x1000
(bootloader) variant:SM8 UFS
(bootloader) partition-type:pad:raw
(bootloader) partition-size:pad: 0x80000
(bootloader) partition-type:tziccc:raw
(bootloader) partition-size:tziccc: 0x200000
(bootloader) partition-type:hyp:raw
(bootloader) partition-size:hyp: 0x100000
(bootloader) partition-type:btd:raw
(bootloader) partition-size:btd: 0x200000
(bootloader) partition-type:hdm:raw
(bootloader) partition-size:hdm: 0x200000
(bootloader) partition-type:vk:raw
(bootloader) partition-size:vk: 0x200000
(bootloader) partition-type:uefivarstore:raw
(bootloader) partition-size:uefivarstore: 0x80000
(bootloader) partition-type:secdata:raw
(bootloader) partition-size:secdata: 0x8000
(bootloader) partition-type:multiimgqti:raw
(bootloader) partition-size:multiimgqti: 0x8000
(bootloader) partition-type:multiimgoem:raw
(bootloader) partition-size:multiimgoem: 0x8000
(bootloader) partition-type:uefisecapp:raw
(bootloader) partition-size:uefisecapp: 0x200000
(bootloader) partition-type:qupfw:raw
(bootloader) partition-size:qupfw: 0x14000
(bootloader) partition-type:vbmeta:raw
(bootloader) partition-size:vbmeta: 0x10000
(bootloader) partition-type:storsec:raw
(bootloader) partition-size:storsec: 0x80000
(bootloader) partition-type:devcfg:raw
(bootloader) partition-size:devcfg: 0x20000
(bootloader) partition-type:logfs:raw
(bootloader) partition-size:logfs: 0x800000
(bootloader) partition-type:toolsfv:raw
(bootloader) partition-size:toolsfv: 0x200000
(bootloader) partition-type:limits-cdsp:raw
(bootloader) partition-size:limits-cdsp: 0x1000
(bootloader) partition-type:limits:raw
(bootloader) partition-size:limits: 0x1000
(bootloader) partition-type:spunvm:raw
(bootloader) partition-size:spunvm: 0x800000
(bootloader) partition-type:dpo:raw
(bootloader) partition-size:dpo: 0x1000
(bootloader) partition-type:msadp:raw
(bootloader) partition-size:msadp: 0x40000
(bootloader) partition-type:apdp:raw
(bootloader) partition-size:apdp: 0x40000
(bootloader) partition-type:cmnlib64:raw
(bootloader) partition-size:cmnlib64: 0x80000
(bootloader) partition-type:cmnlib:raw
(bootloader) partition-size:cmnlib: 0x80000
(bootloader) partition-type:keymaster:raw
(bootloader) partition-size:keymaster: 0x80000
(bootloader) partition-type:bksecapp:raw
(bootloader) partition-size:bksecapp: 0x60000
(bootloader) partition-type:bluetooth:raw
(bootloader) partition-size:bluetooth: 0x100000
(bootloader) partition-type:devinfo:raw
(bootloader) partition-size:devinfo: 0x1000
(bootloader) partition-type:abl:raw
(bootloader) partition-size:abl: 0x400000
(bootloader) partition-type:aop:raw
(bootloader) partition-size:aop: 0x80000
(bootloader) partition-type:pad:raw
(bootloader) partition-size:pad: 0x80000
(bootloader) partition-type:tz:raw
(bootloader) partition-size:tz: 0x400000
(bootloader) partition-type:mdm1m9kefs3:raw
(bootloader) partition-size:mdm1m9kefs3: 0x200000
(bootloader) partition-type:fsg:raw
(bootloader) partition-size:fsg: 0x200000
(bootloader) partition-type:mdmddr:raw
(bootloader) partition-size:mdmddr: 0x100000
(bootloader) partition-type:ddr:raw
(bootloader) partition-size:ddr: 0x100000
(bootloader) partition-type:xbl_config:raw
(bootloader) partition-size:xbl_config: 0x3F5000
(bootloader) partition-type:xbl:raw
(bootloader) partition-size:xbl: 0x400000
(bootloader) partition-type:xbl_config:raw
(bootloader) partition-size:xbl_config: 0x3F5000
(bootloader) partition-type:xbl:raw
(bootloader) partition-size:xbl: 0x400000
(bootloader) partition-type:userdata:f2fs
(bootloader) partition-size:userdata: 0x389C2FB000
(bootloader) partition-type:logdump:raw
(bootloader) partition-size:logdump: 0x1000000
(bootloader) partition-type:spu:raw
(bootloader) partition-size:spu: 0x3200000
(bootloader) partition-type:omr:raw
(bootloader) partition-size:omr: 0x3200000
(bootloader) partition-type:hidden:raw
(bootloader) partition-size:hidden: 0x2800000
(bootloader) partition-type:cache:ext4
(bootloader) partition-size:cache: 0x1F400000
(bootloader) partition-type:optics:raw
(bootloader) partition-size:optics: 0x1E00000
(bootloader) partition-type:prism:raw
(bootloader) partition-size:prism: 0x38400000
(bootloader) partition-type:super:raw
(bootloader) partition-size:super: 0x25E400000
(bootloader) partition-type:metadata:raw
(bootloader) partition-size:metadata: 0x2000000
(bootloader) partition-type:vbmeta_samsung:raw
(bootloader) partition-size:vbmeta_samsung: 0x10000
(bootloader) partition-type:keydata:raw
(bootloader) partition-size:keydata: 0x1000000
(bootloader) partition-type:keyrefuge:raw
(bootloader) partition-size:keyrefuge: 0x1000000
(bootloader) partition-type:recovery:raw
(bootloader) partition-size:recovery: 0x52DD000
(bootloader) partition-type:boot:raw
(bootloader) partition-size:boot: 0x4400000
(bootloader) partition-type:dtbo:raw
(bootloader) partition-size:dtbo: 0xA00000
(bootloader) partition-type:dsp:raw
(bootloader) partition-size:dsp: 0x4000000
(bootloader) partition-type:modem:raw
(bootloader) partition-size:modem: 0xC300000
(bootloader) partition-type:apnhlos:raw
(bootloader) partition-size:apnhlos: 0xAC00000
(bootloader) partition-type:dqmdbg:raw
(bootloader) partition-size:dqmdbg: 0x1000000
(bootloader) partition-type:steady:raw
(bootloader) partition-size:steady: 0x400000
(bootloader) partition-type:persistent:raw
(bootloader) partition-size:persistent: 0x80000
(bootloader) partition-type:bota:raw
(bootloader) partition-size:bota: 0x2800000
(bootloader) partition-type:keystore:raw
(bootloader) partition-size:keystore: 0x80000
(bootloader) partition-type:misc:raw
(bootloader) partition-size:misc: 0x100000
(bootloader) partition-type:sec_efs:raw
(bootloader) partition-size:sec_efs: 0x1400000
(bootloader) partition-type:debug:raw
(bootloader) partition-size:debug: 0xA00000
(bootloader) partition-type:param:raw
(bootloader) partition-size:param: 0xA00000
(bootloader) partition-type:efs:raw
(bootloader) partition-size:efs: 0x1400000
(bootloader) partition-type:persist:raw
(bootloader) partition-size:persist: 0x2000000
(bootloader) partition-type:ssd:raw
(bootloader) partition-size:ssd: 0x2000
(bootloader) partition-type:mdm1m9kefsc:raw
(bootloader) partition-size:mdm1m9kefsc: 0x8000
(bootloader) partition-type:mdm1m9kefs2:raw
(bootloader) partition-size:mdm1m9kefs2: 0x200000
(bootloader) partition-type:mdm1m9kefs1:raw
(bootloader) partition-size:mdm1m9kefs1: 0x200000
(bootloader) partition-type:fsc:raw
(bootloader) partition-size:fsc: 0x1000
(bootloader) partition-type:modemst2:raw
(bootloader) partition-size:modemst2: 0x200000
(bootloader) partition-type:modemst1:raw
(bootloader) partition-size:modemst1: 0x200000
(bootloader) secure:yes
(bootloader) serialno:xxxxxxxxxx
(bootloader) product:kona
(bootloader) is-userspace:no
(bootloader) max-download-size:805306368
(bootloader) kernel:uefi
all: 
Finished. Total time: 0.008s

Probably nothing really helpful, but at least this is-userspace: no tells me that I'm actually in the bootloader, according to this.

phhusson commented 3 years ago

I'm too lazy to re-read everything, but anyway:

lss4 commented 3 years ago

Here are the SELinux files I took from vendor/etc/selinux. selinux.zip

The stock recovery (took from the most recent BUBB build) is too large to drop it here, so here's the link.

As for the vbmeta, just checked that the 256-byte one that I used has a 2 at offset 123. Does it have to be 3? Actually I found another 4KB empty vbmeta that has avbtool 1.0.0 in it, and it also has a 2 at offset 123.

phhusson commented 3 years ago

On an "empty" vbmeta, 2 is really not okay. Bit 1 is "verification", which means whether boot.img's signature should be checked or not (bit set means skip verification), Bit 2 is "dm-verity", whether system/product/odm/vendor partitions' signature should be checked.

Since an "empty" vbmeta doesn't have boot.img's signature, it can't really work. It's possible that's where the vbmeta_samsung partition comes in, I don't know.

What I usually prefer to do is take stock OEM's vbmeta.img and set 3 at 123, so that I have a vbmeta.img with all signatures and metadata in case bootloader doesn't respect everything.
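The following is an added example, not code from this thread or from the treble_experimentations project: a POSIX shell helper for the "edit the byte at offset 123" step discussed above. It reads and patches the flags word of a vbmeta image using the libavb header layout (magic "AVB0" at offset 0, a big-endian uint32 flags field at offsets 120-123, so offset 123 is its low byte) and names the bits as avb_vbmeta_image.h does: 0x1 is HASHTREE_DISABLED (dm-verity off for the hashtree partitions) and 0x2 is VERIFICATION_DISABLED (no signature or rollback-index checks). The fixture function make_fake_vbmeta builds a constructed 256-byte header for testing only; a real stock vbmeta.img also carries the signature, public key and descriptors, which this fixture does not.

```shell
#!/bin/sh
# Added example: inspect/patch the libavb flags of a vbmeta image.
# Header layout (fields big-endian): magic "AVB0" at 0..3,
# rollback_index at 112..119, flags (uint32) at 120..123, so the byte
# edited at offset 123 is the low byte of flags.
# Flag bits (avb_vbmeta_image.h):
#   0x1 AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED      dm-verity off
#   0x2 AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED  signature/rollback checks off
AVB_MAGIC_HEX=41564230      # "AVB0"
AVB_FLAGS_OFFSET=120
AVB_FLAGS_LOW_BYTE=123

read_hex() {
    # $1 file, $2 offset, $3 length: print those bytes as one lowercase hex string
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

vbmeta_check_magic() {
    [ "$(read_hex "$1" 0 4)" = "$AVB_MAGIC_HEX" ]
}

vbmeta_get_flags() {
    # print the 32-bit flags word as a decimal number
    printf '%d\n' "0x$(read_hex "$1" "$AVB_FLAGS_OFFSET" 4)"
}

vbmeta_describe_flags() {
    flags=$(vbmeta_get_flags "$1")
    v=enabled; h=enabled
    [ $(( (flags >> 1) & 1 )) -eq 1 ] && v=disabled
    [ $(( flags & 1 )) -eq 1 ] && h=disabled
    printf 'verification=%s hashtree=%s\n' "$v" "$h"
}

vbmeta_set_low_flag_byte() {
    # $1 vbmeta.img, $2 new value 0..255 for the low flags byte (3 = both bits set).
    # Refuses files without the AVB0 magic and keeps a .bak copy of the original.
    case $2 in ''|*[!0-9]*) echo "bad value: $2" >&2; return 1;; esac
    [ "$2" -le 255 ] || { echo "value out of range: $2" >&2; return 1; }
    vbmeta_check_magic "$1" || { echo "not a vbmeta image: $1" >&2; return 1; }
    [ -e "$1.bak" ] || cp "$1" "$1.bak"
    printf "\\$(printf '%03o' "$2")" |
        dd of="$1" bs=1 seek="$AVB_FLAGS_LOW_BYTE" count=1 conv=notrunc 2>/dev/null
}

make_fake_vbmeta() {
    # Constructed fixture for testing only: 256 zero bytes with the AVB0 magic
    # and the given low flags byte. Not a real, signed vbmeta image.
    dd if=/dev/zero of="$1" bs=256 count=1 2>/dev/null
    printf 'AVB0' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf "\\$(printf '%03o' "$2")" |
        dd of="$1" bs=1 seek="$AVB_FLAGS_LOW_BYTE" count=1 conv=notrunc 2>/dev/null
}
```

Usage: `vbmeta_describe_flags vbmeta.img` shows what a given image disables (the 256-byte "empty" image mentioned above would report verification=disabled hashtree=enabled), and `vbmeta_set_low_flag_byte vbmeta.img 3` turns a stock image into the all-disabled variant before flashing it the way vbmeta is flashed on the device. Two caveats: the flags field sits inside the signed part of the header, so a patched stock image no longer matches its own signature and only works because an unlocked bootloader is allowed to continue past verification errors; and the helper only touches the low byte, so it assumes the upper three flag bytes are already zero, which vbmeta_get_flags lets you confirm first.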

lss4 commented 3 years ago

On an "empty" vbmeta, 2 is really not okay. Bit 1 is "verification", which means whether boot.img's signature should be checked or not (bit set means skip verification), Bit 2 is "dm-verity", whether system/product/odm/vendor partitions' signature should be checked.

Since "empty" vbmeta doesn't have boot.img's signature, it can't really work. It's possible that's where vbmeta_samsung partitions comes in, I don't know.

What I usually prefer to do is take stock OEM's vbmeta.img and set 3 at 123, so that I have a vbmeta.img with all signatures and metadata in case bootloader doesn't respect everything.

Guess Magisk patches allowed boot.img to boot while preserving avb, so they were set to 2 instead of 3 (which I believe is to pass Safety Net). As Safety Net is not a concern to me, I just flashed a modified original vbmeta with offset 123 set to 0x3 as instructed. However, it doesn't appear to be enough to allow the v302 GSI to boot.

phhusson commented 3 years ago

I can confirm from your selinux that this is the same issue as other Samsung Qualcomm devices.

On Sun, 14 Mar 2021 at 18:44, L.S.S. @.***> wrote:

On an "empty" vbmeta, 2 is really not okay. Bit 1 is "verification", which means whether boot.img's signature should be checked or not (bit set means skip verification), Bit 2 is "dm-verity", whether system/product/odm/vendor partitions' signature should be checked.

Since "empty" vbmeta doesn't have boot.img's signature, it can't really work. It's possible that's where vbmeta_samsung partitions comes in, I don't know.

What I usually prefer to do is take stock OEM's vbmeta.img and set 3 at 123, so that I have a vbmeta.img with all signatures and metadata in case bootloader doesn't respect everything.

Guess Magisk patches allowed boot.img to boot while preserving avb, so they were set to 2 instead of 3 (which I believe is to pass Safety Net). As Safety Net is not a concern to me, I just flashed a modified original vbmeta with offset 123 set to 0x3 as instructed. However, it doesn't appear to be enough to allow the v302 GSI to boot.


lss4 commented 3 years ago

Guess I'll have to wait for now. I just attempted to flash v222 (Android 10) and it obviously didn't work, either.

Maybe I need to be on an Android 10 stock FW to use Android 10 GSI, but it's not really important... I'll just wait until issues with Android 11 GSI have been resolved.

lss4 commented 3 years ago

Okay. Looks like AOSP v304 booted on my device. However, as said, it's not compatible with Magisk, so I have to flash the original boot.img and the original vbmeta.img with the byte at offset 123 set to 03H to ensure I won't fall into the bootloader.

Will keep the issue open until Magisk becomes usable. For now I'll have to look for some non-systemless alternatives.

EDIT: An issue. It seems MTP doesn't work correctly here... Will test a few more things besides Magisk (which doesn't work yet) for the time being. This is not a major issue for me, as I've never been a fan of MTP and transfer files mostly via ADB.

04-06 06:58:29.978  3209  3209 D MtpService: starting MTP server in MTP mode with storage /storage/emulated/0 unlocked as user 0
04-06 06:58:29.980  3209  3209 I MtpService: Couldn't get control FD!
04-06 06:58:29.982  3209  3209 V MtpService: Adding MTP storage:<internal storage path here>
04-06 06:58:29.982  3209  3209 V MtpService: Adding MTP storage:<external storage path here>
04-06 06:58:29.983  3209  4693 E MtpServer: Failed to start usb driver!

EDIT 2: Guess I simply can't use GApps on GSI without Magisk... it said my device is not certified. Maybe this is due to my installing Aurora Services to system, as I'd like to use Aurora Droid/Store with it...

EDIT 3: I reverted to the original GSI state since I can't use GApps. I'm thinking about securizing it. However, after securizing, the tablet couldn't boot anymore. It stuck on Samsung logo without even rebooting, and I couldn't even bring it to TWRP... still trying...

KatoTempest commented 3 years ago

Magisk is not going to work at the moment. On the Google certification, you can certify if you use the tutorial for that on XDA; you must wait a few minutes after installing the GSI. About the MTP, that is normal on Samsung; I think it can be corrected with a custom kernel, but I do not recommend doing it, it is better to have everything stock.

lss4 commented 3 years ago

Should add that I also can't seem to make audio go through Type-C to 3.5 mm adapters like I could in stock FW. Audio always goes to the tablet speakers. Is this issue generic on GSI?

I cannot even securize. Securizing would semi-brick the device and I have to flash TWRP again to be able to enter the recovery to revert the mistake.

Also, GApps certification doesn't seem to work in my case. After entering the device ID I'm still getting that I'm not certified. One of the games expects GApps to be installed, though... If Magisk works, I can consider using NanoDroid with microG, as that also works for me regarding GMS.

So for now, GSI can be booted (finally), but not to the point that I could accept yet...

PS: Sadly I can no longer downgrade to Android Q builds to test anymore, as the build I'm currently on, T976BXXS2BUC1, has just set the BIT value to 2 from 1.

EDIT: It seems using alternative audio policy works for getting the audio to go through Type-C.

lss4 commented 3 years ago

I'm able to get a GSI booting with working Magisk by using ATK3 (A10) vendor, so Android 10 vendors work perfectly here.

However, since I've upgraded past BUC1, Odin will block me when trying to flash A10 images, so an alternative way is needed.

The GSI and the A10 vendor can be flashed in the following way from TWRP.

  1. Look for the lpunpack tool to extract vendor.img from super.img. Note that you need to unsparse the super.img using simg2img first. The resulting vendor.img is not sparse and can be directly written via dd.
  2. Find the dynamic partitions for system_root and vendor from TWRP (using ianmacd's TWRP, for example):
    # cat /etc/fstab
    In my case, system_root is /dev/block/dm-0 and vendor is /dev/block/dm-1.
  3. Set the block devices to r/w.
    # blockdev --setrw /dev/block/dm-0
    # blockdev --setrw /dev/block/dm-1
  4. Now actually flash the images.
    # dd if=<GSI image here> of=/dev/block/dm-0 bs=1m
    # dd if=<vendor image here> of=/dev/block/dm-1 bs=1m

    Note that if your GSI image is sparse you need to first unsparse it via simg2img. Note that with simg2img, you can simply pass the target block device as the destination to directly write the unsparsed image there. For example:

    # simg2img <sparse GSI image here> /dev/block/dm-0
  5. Reboot to TWRP again, as you need to flash Multi-Disabler (v3.1 recommended) to disable encryption and other things before rebooting to GSI.

If nothing went wrong the GSI should boot. However, the GSI will reboot a short while after startup. A few grabs of /proc/last_kmsg pointed me to issue #1511 as the following logs can be found.

<2>[  105.308109] I[1:      swapper/1:    0] softdog: Initiating panic
<0>[  105.308167] I[1:      swapper/1:    0] Kernel panic - not syncing: Software Watchdog Timer expired 100s

This happened when the GSI is securized (phh-su and such removed). Before securizing the reboot did not happen. I tested this on v308, but originally observed the issue on another GSI of the bvN variant. So I don't know what is actually responsible for feeding the software watchdog, and with Magisk alone (without phh-su) it doesn't work.

Guess a custom kernel with that stock stuff disabled is necessary now.

EDIT: I tried this trick and it seems to have worked, as the system did not appear to have rebooted itself after about 10 minutes. After entering a root shell (via su):

# echo 'V' > /dev/watchdog

EDIT 2: This trick indeed works. Now I need to find ways to make the software watchdog disabled on boot.

EDIT 3: It's possible to put the command above into a Magisk module's service.sh, or a script that its service.sh would call at some point, to automate the disabling of watchdog so the GSI can work normally.
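The following is an added example, not code from this thread or from the treble_experimentations project: POSIX shell helpers for the TWRP-side flashing steps in the comment above and for the watchdog workaround at its end, written for the shell reached via adb shell in TWRP. The fstab layout (block device in column 1, mount point in column 2), the /dev/block/dm-N names and the /etc/fstab path are taken from the steps above; the sparse-image magic 0xED26FF3A and the watchdog "magic close" character come from AOSP's sparse format and the Linux watchdog API. Polling `getprop sys.boot_completed` before closing the watchdog in the service.sh body is my assumption about how to sequence it, not something the thread did, and the helpers that need real block devices or getprop only run on-device.

```shell
#!/bin/sh
# Added example: helpers for the TWRP-side flashing steps and the watchdog workaround.
# Nothing here is from the thread or the project; device paths are assumptions.
SPARSE_MAGIC_HEX=3aff26ed   # Android sparse image magic 0xED26FF3A, little-endian on disk

dm_device_for() {
    # $1 fstab file, $2 mount point: print the block device TWRP maps there
    # (e.g. /system_root -> /dev/block/dm-0); fails if the mount point is absent.
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

is_sparse_image() {
    # Sparse images must go through simg2img; raw ones can be dd'd as they are.
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "$SPARSE_MAGIC_HEX" ]
}

write_image() {
    # $1 image, $2 target block device. Makes the dm device writable, refuses a raw
    # image larger than the logical partition, then writes it with the right tool.
    img=$1; dev=$2
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    blockdev --setrw "$dev" || return 1
    if is_sparse_image "$img"; then
        simg2img "$img" "$dev"
    else
        img_size=$(wc -c < "$img")
        dev_size=$(blockdev --getsize64 "$dev")
        [ "$img_size" -le "$dev_size" ] || { echo "$img ($img_size bytes) exceeds $dev ($dev_size bytes)" >&2; return 1; }
        dd if="$img" of="$dev" bs=1048576   # 1 MiB; the post's bs=1m is the toybox spelling
    fi
}

flash_gsi_and_vendor() {
    # $1 GSI system image, $2 A10 vendor.img (lpunpack'd from an unsparsed super.img),
    # $3 fstab (default /etc/fstab inside TWRP). Reboot to TWRP and flash
    # Multi-Disabler afterwards, as the steps above say.
    fstab=${3:-/etc/fstab}
    sys_dev=$(dm_device_for "$fstab" /system_root) || return 1
    ven_dev=$(dm_device_for "$fstab" /vendor) || return 1
    write_image "$1" "$sys_dev" && write_image "$2" "$ven_dev"
}

watchdog_magic_close() {
    # Write the magic close character 'V' and close the device, which tells the
    # watchdog driver to stop expecting pings. Has no effect on kernels built with
    # CONFIG_WATCHDOG_NOWAYOUT. Path defaults to /dev/watchdog.
    dev=${1:-/dev/watchdog}
    [ -e "$dev" ] || return 1
    printf 'V' > "$dev"
}

watchdog_service_sh() {
    # Body for a Magisk module's service.sh (assumed sequencing): wait for boot to
    # finish, then close the watchdog once. getprop exists on-device only.
    while [ "$(getprop sys.boot_completed)" != 1 ]; do sleep 2; done
    watchdog_magic_close
}
```

On the device, `flash_gsi_and_vendor /sdcard/system.img /sdcard/vendor.img` performs steps 2 to 4 with the sparse-or-raw decision made by magic rather than by guessing, and the size check guards against a raw image that overruns the logical partition. The watchdog function is the `echo 'V' > /dev/watchdog` trick from above; if the open fails because something else holds /dev/watchdog, or the kernel was built with NOWAYOUT, the magic close will not stop the timer and a kernel change is needed after all.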

lss4 commented 3 years ago

I'm closing the issue as GSI can be considered usable on this device now, just that one needs Android 10 vendor and there's a watchdog to take care of. Android 10 vendor works even with post-BUC1 stock FW, just that you have to do it from TWRP and can't use Odin.

Anyway, many thanks for helping get GSIs working. :-)