============================================================ CHAPTER 5 – DUMPING THE TABLET EMMC ============================================================ Objective: Create a “Golden Dump” — a complete raw copy of the tablet’s eMMC. This is the most important step. It provides a safety net in case anything fails later. NEVER skip it. Preconditions: - MP3 bridge wired and connected to tablet. - Tablet powered off or CPU held in reset. - Phone sees device at /dev/block/sdX (check with lsblk). - At least 32GB free space on /sdcard. Steps (Termux): --------------- 1. Verify device: lsblk -o NAME,SIZE,TYPE Expected: one device with ~32GB (e.g. /dev/block/sdb). 2. Run dump with script: isp_bridge.sh dump /sdcard/tablet_original.img - Script will prompt for confirmation. - Progress output shows MB/s and bytes copied. - Takes 20–60 minutes depending on OTG speed. 3. Hash for verification: sha256sum /sdcard/tablet_original.img > /sdcard/tablet_original.img.sha256 - Save hash file to external media. - You can later re-run sha256sum on the device to check for corruption. Expected Output Example: ------------------------ 34359738368 bytes (32 GB) copied, 1800 s, 19.1 MB/s [INFO] Dump complete: /sdcard/tablet_original.img Suggested: sha256sum "/sdcard/tablet_original.img" > "/sdcard/tablet_original.img".sha256 Cross-Reference: - isp_bridge.sh script details → Appendix D. - sha256sum explanation → Glossary, Termux Reference. ============================================================ CHAPTER 6 – INSPECTING & MODIFYING IMAGES ============================================================ Objective: Open the dumped image, explore partitions, and identify what to patch. Common Partitions (Android 10 devices): - boot.img ........ Linux kernel + ramdisk - system.img ...... Android system (apps, framework) - vendor.img ...... Device-specific drivers/config - userdata.img .... User data - vbmeta.img ...... Verified Boot metadata - nvram/modem ..... Radio calibration (DO NOT overwrite) Tools in Termux: ---------------- Basic inspection: fdisk -l /sdcard/tablet_original.img losetup -f --show -P /sdcard/tablet_original.img # gives e.g. /dev/loop0 with partitions /dev/loop0p1, p2... Mount a partition: mkdir -p /mnt/system mount -o ro /dev/loop0pX /mnt/system ls /mnt/system Convert sparse to raw (if needed): simg2img system.img system.raw.img Advanced tools (Debian chroot via proot-distro): apt install -y kpartx binwalk erofs-utils kpartx -av /dev/loop0 mount -o ro /dev/mapper/loop0p2 /mnt/system What To Modify: --------------- - Replace locked system/vendor with unlocked equivalents (from a deinstitutionalized Score 7T if possible). - Always keep original nvram/modem partitions intact. - Patch vbmeta to disable verification if modifying system/vendor. - userdata may be wiped safely. Golden Rule: ------------ Never flash unverified, untested images. Always inspect before writing. Cross-Reference: - kpartx, losetup details → Appendix B. - partition glossary → Chapter 11. ============================================================ CHAPTER 7 – RESTORING MODIFIED IMAGES ============================================================ Objective: Write the modified working image back to tablet eMMC. Preconditions: - Golden dump safely stored. - Modified image built and saved (e.g., /sdcard/tablet_working.img). - Device still accessible via bridge. Steps (Termux): --------------- 1. Verify image exists: ls -lh /sdcard/tablet_working.img 2. Confirm block device again: lsblk -o NAME,SIZE,TYPE 3. Run restore: isp_bridge.sh restore /sdcard/tablet_working.img - Script shows fdisk output and asks for explicit confirmation. - You must type I_UNDERSTAND. - Progress shows MB/s and total bytes written. - Takes 20–60 minutes. 4. Sync filesystem: sync Expected Output Example: ------------------------ Selected device: /dev/block/sdb WARNING: This will overwrite /dev/block/sdb with /sdcard/tablet_working.img Type I_UNDERSTAND to proceed: [INFO] Writing... 34359738368 bytes (32 GB) copied, 1700 s, 20.3 MB/s [INFO] Write complete. Cross-Reference: - isp_bridge.sh restore flow → Appendix D. - dd safety → Glossary. ============================================================ CHAPTER 8 – FIRST BOOT & UNLOCK BEHAVIOR ============================================================ Objective: Verify that the tablet boots into the modified firmware. Steps: 1. Disconnect ISP bridge (remove wires or unplug MP3). 2. Reconnect tablet battery (if disconnected). 3. Power on tablet normally. Expected Behavior: - Device boots past institutional lock screen. - May show standard Android 10 setup wizard. - Wi-Fi, touch, display should work. - Serial number, IMEI, and calibration intact (since nvram preserved). If Boot Fails: - Bootloop: likely AVB/dm-verity not patched → see Troubleshooting. - No power: check battery reconnected, not bricked. - Black screen but vibration: wrong system/vendor image. Post-Boot Checklist: - Open Settings → About Tablet. - Confirm build number reflects modified firmware. - Test Wi-Fi, audio, display. - If successful, proceed to personalization. Cross-Reference: - Troubleshooting guide → Chapter 9. - FAQ (bootloop/dm-verity) → Chapter 10.