How to wipe, re-flash, and root a Samsung Galaxy S8+ using odin and magisk

Let’s assume your S8 is messed up beyond recognition, and you want to start over fresh by wiping and flashing the latest Samsung image…

So here’s a very short-worded step by step howto on what to do.




..I guess you got my point now. This can brick your phone. And Samsung’s going to tell you that you voided your warranty if you do.

Before you start: create a backup. Yes, create a backup. Preferably a real one, with Titanium Backup or something similar.

Once you’re done with the backup, you need to get the following things:


Now, make sure you have a backup of your phone. I mean it.

Then, turn the phone off, and then boot it to download mode. To do that: press and hold power, volume down, and bixby, until the phone comes on and shows you a screen where you can use the volume buttons to choose between download mode and reboot. Obviously you want to go to download mode, so press volume up now.

Now, turn to your (windows) PC. Unzip the zip file with your android image that you downloaded with friya (see above). It contains five files, I’ll name them after the start of the file names, there are the AP file, the BL file, the CP file, and two different CSC files.

Now, start odin. You have to run odin as administrator so it can get at your hardware – it needs to be able to access the usb device on a pretty low level.

In odin, load the BL, AP and CP files in the appropriate fields. Load one of the CSC files in the CSC slot, too (the “plain” CSC file results in a completely clean phone, the HOME_CSC file is supposed to retain your data, which is useless since part of this whole process is a factory reset in a few minutes…).Connect your phone to your PC. There are people who say you should use the original Samsung cable – I dunno about that but a good cable is not a bad idea here.

Look if odin shows “added” in the log window – you might have to reboot your phone and enable usb debugging if it doesn’t.

If odin shows “added”, and all four firmware files are loaded in the right spots, press start, and wait. The phone will reboot after the process, and you’ll be greeted by a fresh, clean phone that behaves as if it’s fresh out of the store.

Now we’re going to root it – enter at your own risk.

Transfer to your SD card:

  • the dm-verity-opt-encrypt patch
  • the Magisk zip file

Work your way through the “new user setup” on the phone, until you can access the settings to enable USB debugging by turning on developer mode, and going to the developer settings (you know the drill: in the software version screen tap “build number” seven times, then go into the developer settings screen that you can access now, and turn on usb debugging). While you work your way through initial setup, keep in mind that we’re going to do a factory reset in a few minutes – answer whatever you can with “skip for now”, anything more is a waste of time.

Anyway, once you have usb debugging turned on, power down the phone, and start odin again as administrator on your PC.

Boot your phone to download mode again (see above)

Load the TWRP file into the AP slot in odin, and make sure you turn OFF the “automatic reboot” option in odin (it’s on the options tab).

Make sure you see “Added” in odin in the log output, then press start. Once this is done, the phone will NOT reboot. That’s because if it did, the samsung firmware would replace TWRP with the normal recovery again. We don’t want that, so we boot directly to recovery from download mode now – to do so, press and hold power, bixby, and volume up until you’re in TWRP.

Once we’re in TWRP, insert the SD card containing the dm-verity-opt-encrypt patch and the latest Magisk zip file.

In TWRP, go to “storage” to select the SD card. Then, press “install” and select the dm-verity-opt-encrypt patch, and flash it. Do not reboot yet. Again in Storage, format data (this is the factory reset I mentioned earlier).

Now it’s time to flash Magisk, so do that by pressing install, selecting the Magisk zip file, and flashing it.

After this is finished you can reboot, and you’ll be greeted again by a shiny clean phone – but one with root access.

Walk your way through setup, setup your accounts, etc etc etc.

You’re done.

If you think you’re not yet completely done, here are a few odds and ends I do at this point:

Install a few magisk modules: sshd, l-speed, the f-droid privileged extension, busybox

In Magisk Manager Settings, enable systemless hosts,  and hide the manager.

Get a buildprop editor, and change ro.config.tima to 0 if you plan on using samsung health

Get a root file manager, and rename /system/priv-app/SamsungPass_1.3/SamsungPass_1.3.apk to /system/priv-app/SamsungPass_1.3/SamsungPass_1.3.apj, and delete /data/app/ if it exists – Samsing Pass is not going to work on a rooted device anyways, and with this gone you can use biometrics for websites again.

Install Titanium Backup, and insert the SD card with your backup from before – now you can restore your previous apps from that backup instead having to bother poor google or samsung for your cloud based backups.

By the way, this is directly related to my previous post…

Unauthorized Bread, or how to put a compelling story to the preface of “The Linux Commandline”

I’ve just devoured Cory Doctorow’s “Unauthorized Bread” (pun intended), and basically it puts a very good story to the same message that is brought to us in the preface of “The Linux Commandline“… which is, rule your devices, don’t let them rule you.

In related news, i just got this cartoon off the heise forum:

firewalld 0.7.2

Just one little bit about 0.7.2:

since this release masquerading is off by default for IPv6. To get back to the old behaviour you have to manually insert one rich rule in the external zone:

firewall-cmd --permanent --zone=external --add-rich-rule="rule family=ipv6 masquerade"

…that actually cost me about one day to realize that this was the root cause of my network troubles after upgrading my firewall from 15.0 to 15.1…

LeapUP 15.0 -> 15.1

So the other day I got an advanced discontinuation warning for openSUSE Leap 15.0 which reaches EOL on November 30, and today I took that Leap (fun intended) and used my trusted little leapup script to upgrade my systems to 15.1… and what can I say, so far I’ve done my laptop and my desktop which could have been a bit tricky because there’s so much stuff installed, and one of my cloud servers – and except for some little bits of LVM juggling because / ran full on my desktop all went without a hitch.

That’s pretty much all I have to report about it.

Edit: Finished the second cloud server, no problems at all.

Finale grande: all systems upgraded without major problems. That’s how that is supposed to work.

Mozilla Thunderbird 68.0

no thanks

Long version:

I just got updated to Thunderbird 68.0 on my linux desktop systems.

Started it, and found that ALL add-ons except two had been disabled or removed, and the two that were left did not do anything anymore.

For example, lightning was still there but there was no way to actually open your calendar.

Good thing I had a way to roll back to 60.8. That one works the way I need it to.

Microsoft wants to push exFAT-Support directly into the Linux kernel

Here’s a little piece on one of microsoft’s many blogs…

I kind of think that this might actually be a really huge bit of news.

Why? My biggest two reasons are:

  1. Smartphone manufacturers making android phones won’t have to license the exFAT patent anymore to be able to support sd card storage on their devices.
  2. Microsoft used to use the patent on exFAT for years as a “weapon” to fight Linux. Now they themself want linux to support exFAT.

my trusted leapup script, 42.3 -> 15.0… ouch.

…not happy.

So I’ve used my trusted little leapup script for an upgrade from 42.3 to 15.0, and in three out of three cases it was not fun…

On my two cloud servers all I had was some glitchiness with the firewall, and I have to figure out how to rebuilt the latest version ot the xtables addons on Leap 15.

On my desktop I guess I’ve screwed up during the first stage of the upgrade, and missed one dependency quirk or someting, but … that left me dead in the water on that machine. Actually had to do a standard upgrade from DVD on that one.

I am not looking forward to upgrading the main firewall. Guess that’ll wait until my laptop comes back from repairs so I can use that one as a second testbed.


That being said, I found a few typos in my leapup script that bit me in the *** too.

Managing windows hosts with ansible

Lately I’ve been experimenting with ansible a lot.

Dealing with linux hosts is straightforward enough, and you’ll be able to find all sorts of information with google, but ansible can also deal with windows hosts, and that’s where it gets a bit more interesting.

To be able to manage a windows host with ansible, you have to:

  • create a user account on the machine (or in the windows domain) who has to be a member of the administrators group
  • follow the instructions in the ansible documentation about how to enable winrm
  • make sure you use the right ansible modules, if there are special modules for windows for any given purpose they will start with win_, for example instead of copy: for a windows host you’d use win_copy. Some modules simply do not exist as a win_ version, but the generic unix version does not work on windows, for example the telegram notification module, but that you can safely delegate_to: localhost when you want to use it (unless your management host does not have internet access).
  • set up a group in your inventory for your windows hosts, and add the variables for winrm access as group_vars for that group

Here’s an example for a simple playbook that installs all the latest updates, and reboots the target host if necessary:

- name: Install all windows updates
  hosts: all


  - name: install all updates
        - SecurityUpdates
        - CriticalUpdates
        - UpdateRollups
      state: installed
    register: update_result
      - telegram-notify
      - reboot-if-required


  - name: telegram-notify
      msg: "{{ ansible_fqdn }}: updates installed."
      token: "{{ eregion_home_telegram_token }}"
      chat_id: "{{ eregion_home_telegram_chat_id }}"
    delegate_to: localhost

  - name: reboot-if-required
    when: update_result.reboot_required and not eregion_home_has_dualboot

You’ll notice that the handler: that reboots the target has a when: condition that uses a variable I haven’t mentioned yet. It’s easy enough: two of the windows hosts I am managing have dual boot setups, by default they reboot to linux. I’m dealing with that by creating TWO host entries in my inventory, the regular one, and one with a different name, and two host_vars:

lemmy@kumiko:~/.ansible/inventory> tail -6 51-hosts


lemmy@kumiko:~/.ansible/inventory> cat host_vars/kumiko-win.yml 
ansible_host: kumiko.eregion.home

This works with ansible on the command line and with ansible tower.