Skyrocket FOTA Info - AT&T Samsung Galaxy S II Skyrocket SGH-I727

I'm just curious about how the whole FOTA process works on the skyrocket, so I started digging around in logs, source code, and the wssyncmldm binary.
Here's what I've found so far:
The FOTA update is downloaded by Device Management (aka: wssyncmldm) to: /data/data/com.wssyncmldm/2400258.cfg along with some other file:2355.cfg (not sure what that is yet.)
2400258.cfg is a binary munge of all of the delta files and contains a 64 byte header with a signature, a copy of the update agent (ua), and the byte offset of each delta.zImage, delta.modem, delta.lte, delta.platform in the file. the update file can contain several other image delta, like fota_delta_dp1, and fota_delta_dp2.
The delta files are binary patch files, which explains why the update fails if your running a custom rom, kernel, mode, etc -- the patch can't be applied successfully if the current rom isn't the exact stock version that the update agent is expecting.
Next, wssyncmldm then splits out the delta.xxx files and places them in either /data/fota or /sdcard/fota (I'm not exactly sure which, but pretty sure it's /data/fota.) It appears that the delta.xxx files are created when the user clicks ok to initiate the update and reboot.
Next, when the user clicks 'ok' to apply the update, wssyncmldm issues the command: reboot arm11_fota which reboots the system into update mode, then /fota.rc runs to set things up and then executes /sbin/ua_loader which does some checking, copies the working delta files from /data/fota to /cache/fota and then executes the downloaded update agent at /cache/fota/ua.
Then ua then takes the delta files from /cache/fota and performs the update as follows:
The update agent runs through the delta files (zImage, modem, lte, and platform) twice, the first time in op_mode[2] which tests the update, but doesn't actually flash it. If all 4 deltas are successful in test mode, then it runs through a second time in op_mode[0] which actually flashes the update(s).
After an update the update delta and log files remain in /cache/fota.
I'm sure there is more to this process, still doing some tinkering-- but if anyone can offer additional insight that would be great.

I see those files sitting in my cache/fota folder.
Sent from my SAMSUNG-SGH-I727 using xda premium

Thanks for the information, it helped me fill out some missing pieces during my research. The procedure to trigger update by having only the OTA .bin file is described here: http://forum.xda-developers.com/showthread.php?t=1882209

thanks fo this

Related

[RESOLVED] Researching how to root - Official OTA_Supersonic_1.47.651.1-1.32.651.6

This has been resolved by using the flash lite exploit to gain root access allowing the misc partition to be flashed with a downgraded main version number which allows the old leaked Eng RUU we have to be flashed!
GUI for how to root
http://forum.xda-developers.com/showthread.php?t=720565
Old and Outdated information from the Original Post listed below for historical purposes ONLY
Who is Affected: If you've flashed the official OTA update on top of a non rooted ROM or your new EVO comes loaded with it, right now it appears there is no way to obtain root...yet!
What is Patched by the OTA: Through the radio.img which the OTA flashes, it updates the Main Version in the bootloader preventing Toast's root methods from working. It also flashes back the stock recovery, removing our root access in recovery mode and ability to apply .zip files. And last of all, the OTA patches the exploit hole in /system/bin/hstools used for unrevoked1 root.
Successfully eliminating all released methods of obtaining root access.
Conclusion:
after going through all these methods with a great helpful member of the unrevoked team, joshua_, this was the final answer:
[22:34] <joeykrim> cant see to find a method to RUU the phone back down ... ive tried all the methods ive seen. any methods i missed?
[22:34] <joshua_> ok, looks like we are hosed then
[22:34] <joshua_> we have a few more tricks up our sleeve sooner or later
Future:
If you have any suggestions/ideas, please post. I might have missed a method.
We will work towards obtaining root for those with new EVOs that have the official OTA applied and those who applied the official OTA.
Details of the tested known root methods:
user debug PC36IMG.zip (toast part 1) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
eng build PC36IMG.zip (toast part 2) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
RUU_Supersonic_1.32.651.6 extracted rom.zip renamed to PC36IMG.zip - bootloader error - main version is older
RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
RUU_Supersonic_1.32.651.1_Radio_1.39.00.04.26_release_171253.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
Stock Recovery - Apply update.zip - clockwork recovery update.zip - E:failed to verify whole-file signature E:signature verification failed
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. partition with write access for non-root user and allows executing is /data/local . flash_image can't write to the partitions w/o being run with root permissions. chownto and chown of flash_image to user root - permission denied.
##786# - Reset - doesn't seem to effect much in the way of bootloader version ...
Modifying PC36IMG.zip - using a hex editor to attempt at changing the MainVer stored in the android-info.txt, if any bit changes, it seems to fail the validation by the bootloader.
I tried almost all of these after the OTA hit my wifes phone. No dice. Subscribed to further updates on this thread.
I created a PC36IMG.zip file which contained the .6 releases wimax image and the android-info.txt file from the new update. I was then able to successfully flash it with hboot by placing it in the root of the sdcard and doing a down volume power on boot. It found the pc36img.zip file, verified it, asked me if I wanted to flash it. When I selected yes, proceeded to do so. It then reported the flash as having been successful.
I can't tell if the flash actually worked because I don't know where to check the wimax version info...
I don't know if this worked because the phone doesn't care to check the MainVer when flashing just the wimax image or if it did it because I pulled a fast one with the android-info.txt file swap.
I extracted the wimax image from the RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe file.
I wonder if it would be possible to pull the same trick with the larger subset of images from the rooting pc36img.zip files. i.e. swap out the android-info.txt files...
frankenstein\ said:
I created a PC36IMG.zip file which contained the .6 releases wimax image and the android-info.txt file from the new update. I was then able to successfully flash it with hboot by placing it in the root of the sdcard and doing a down volume power on boot. It found the pc36img.zip file, verified it, asked me if I wanted to flash it. When I selected yes, proceeded to do so. It then reported the flash as having been successful.
I can't tell if the flash actually worked because I don't know where to check the wimax version info...
I don't know if this worked because the phone doesn't care to check the MainVer when flashing just the wimax image or if it did it because I pulled a fast one with the android-info.txt file swap.
I extracted the wimax image from the RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe file.
I wonder if it would be possible to pull the same trick with the larger subset of images from the rooting pc36img.zip files. i.e. swap out the android-info.txt files...
Click to expand...
Click to collapse
im guessing the only reason it allowed you to flash a PC36IMG.zip which wasn't HTC signed is because you're using the hboot from the eng build of the PC36IMG.zip which doesn't check for HTC signatures on the PC36IMG.zip file. Not sure if it looks at the MainVer or not ...
once you're on a stock hboot, the PC36IMG.zip file has to be signed by HTC in order to flash!
I think in order for this to be patched, the bootloader code needs to be disassembled between the two versions to find out what bytes were patched and then either remove the code that checks for HTC signing or find a way to circumvent it.
We had to do things like this when working with mach_kernel when we got ahold of the first developer build of OS X for Intel. It was a pain in the ass and took weeks before we cracked the kernel.
There is even more risk with this though since tampering with the bootloader can definitely permanently brick devices.
joeykrim said:
If you've flashed the official OTA update or your new EVO comes loaded with it, right now it appears there is no way to obtain root...yet!
after going through all these methods with a great helpful member of the unrevoked team, joshua_, this was the final answer:
[22:34] <joeykrim> cant see to find a method to RUU the phone back down ... ive tried all the methods ive seen. any methods i missed?
[22:34] <joshua_> ok, looks like we are hosed then
[22:34] <joshua_> we have a few more tricks up our sleeve sooner or later
If you have any suggestions/ideas, please post. I might have missed a method.
We will work towards obtaining root for those with new EVOs that have the official OTA applied and those who applied the official OTA.
Here are details of the tested methods:
user debug PC36IMG.zip (toast part 1) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
eng build PC36IMG.zip (toast part 2) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
RUU_Supersonic_1.32.651.6 extracted rom.zip renamed to PC36IMG.zip - bootlaoder error - main version is older
RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
RUU_Supersonic_1.32.651.1_Radio_1.39.00.04.26_release_171253.exe- Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
Stock Recovery - Apply update.zip - clockwork recovery update.zip - E:failed to verify whole-file signature E:signature verification failed
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. only partition with write access for non-root user and allows executing is /sqlite_stmt_journals . flash_image can't write to the partitions w/o being run with root permissions. another words, need root access to use flash_image
##786# - Reset - doesn't seem to effect much in the way of bootloader version ...
Click to expand...
Click to collapse
since my frien did the OTA update yesterday and "bricked" his phone i have been trying to fix the phone (i have access to bootloader so it seems to me that maybe, just maybe i can save the phone) anyways, i have been getting a lot of the same error messages anytime i try to update/load any stock rom via bootloader.
what my question is, is there a way to take a 1.47.651.1 rom/image and put it into an ruu? i have looked all over htc's website, but they don't even acknowlege the existence of the evo, at least not that i can find.
joeykrim said:
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. only partition with write access for non-root user and allows executing is /sqlite_stmt_journals . flash_image can't write to the partitions w/o being run with root permissions. another words, need root access to use flash_image
...
Click to expand...
Click to collapse
Just curious here, regarding the above step, if you had access to a phone that was already rooted, could you use your sdcard in that phone to copy the files into /data and then transfer the sdcard back to the unrooted phone to flash it then?
Sorry for the long multi quote, there are quite a few good ideas and I wanted to make sure I explored each of them as far as the original poster intended.
EtherealRemnant said:
I think in order for this to be patched, the bootloader code needs to be disassembled between the two versions to find out what bytes were patched and then either remove the code that checks for HTC signing or find a way to circumvent it.
Click to expand...
Click to collapse
interesting ... circumventing the HTC signature check would be perfect and essentially give us an eng build bootloader.
in the RUU.exe rom.zip files, the android-info.txt indicate the MainVer along with a separate hboot.img file. the official OTA didn't have an hboot.img file. It only had a radio.img file which must have updated the MainVer value.
Not sure where on the phone this MainVer value is stored? in the radio?
you're suggesting, compare the bootloader, which is obviously stored somewhere in radio.img as thats the only file being flashed thru the OTA which increments the bootloader version number, against an older radio.img to attempt and find which bytes were changed for the version number?
The radio.img files are all around 22mbs ... ugh
if we're able to find the change in version number on the radio.img, not sure how it would help in flashing over it?
i was kind of thinking down these lines...since the bootloader checks the version number of any file it attempts to flash, the version number is going to be the key.
if we're able to increment (or temp change) the main version number in the file being flashed w/o messing up the htc signature, that could work.
2002wrex said:
what my question is, is there a way to take a 1.47.651.1 rom/image and put it into an ruu?
Click to expand...
Click to collapse
i've heard this was often done back in the WinMo days but i haven't seen anything on this board regarding this approach. if you have any detailed information, we could def look into it!
unknown_owner said:
Just curious here, regarding the above step, if you had access to a phone that was already rooted, could you use your sdcard in that phone to copy the files into /data and then transfer the sdcard back to the unrooted phone to flash it then?
Click to expand...
Click to collapse
very clever concept!
i'm not 100% sure on all the different approaches in the suggestion, but here are the ones it prompted me to explore.
unfortunately, every time the /sdcard is mounted on the phone, its mounted as noexec, meaning no files located on the /sdcard can be executed like programs.
also the /sdcard is mounted with uid=1000 and gid=1015 meaning all files mounted on the /sdcard have their uid/gid overwrote so none of them are allowed root ownership.
without being able to "su" to root access, we aren't able to run any programs with root access.
trying to chownto flash_image to any reference file as root results in:
chownto flash_image /system/bin/chown
Can't change user/group to root!
chown root flash_image
Unable to chmod flash_image: Operation not permitted
if i missed the suggested approach, could you elaborate?
Oh boy...... I thought I was alone in this. I try everything I can and now gave up. Any one can rooted this new OTA please let me know. I really need to downgrade from this.
Made me think of a problem that happened with the Directivo a few years back...
ht t p://dealdatabase.com/forum/showthread.php?t=22154
I was looking around, trying to figure out some way to hack the hdvr2 w/o modifying the prom. I recalled something from the xbox-linux team's presentation for CCC, which was something close to "once you break the chain of trust, the box is forever compromised." I thought to myself: "self, if we can load one kernel via BASH_ENV, why can't we load a second kernel?"
Click to expand...
Click to collapse
So, is there a way we could compromise the kernel? If so, then...
Subscribed...
Not really interested in rooting until froyo is working, and I could really use the wifi fixes this OTA is supposed to offer, but I'll hold off installing it until we know it can eventually be rooted.
Mikesus said:
http://dealdatabase.com/forum/showthread.php?t=22154
So, is there a way we could compromise the kernel? If so, then...
Click to expand...
Click to collapse
i read thru the thread. im not clear on how they used BASH_ENV or any other method to load a 2nd kernel.
unfortunately, i think we have an extra layer of security that they dont. thanks HTC!
without nand unlocked on the kernel partition no data can be stored there including a 2nd kernel.
appreciate the link and info. perhaps the ideas or concepts will spur some innovation!
joeykrim said:
i've heard this was often done back in the WinMo days but i haven't seen anything on this board regarding this approach. if you have any detailed information, we could def look into it!
Click to expand...
Click to collapse
the thing about winmo ruu's (here's a topic i DO know well) is that they are always in a zip. you decompress the zip and have access to all the files. one of them will be the ruu, the rest are all the supporting files/images/rom. all of the android ruu's seem to come as on large exe that doesn't allow access to the files, it merely runs itself. in the winmo days if you got a rom with no ruu, and didn't want to flash from SD, you just took someone elses ruu and dumped the rom image in to the decompressed folder containing the ruu.
i appreciate the help joey, obviously you are busy with your own problems and a lot of people around here just throw you the old "SEARCH BUTTON" response. any help is greatly appreciated!
2002wrex said:
the thing about winmo ruu's (here's a topic i DO know well) is that they are always in a zip. you decompress the zip and have access to all the files. one of them will be the ruu, the rest are all the supporting files/images/rom. all of the android ruu's seem to come as on large exe that doesn't allow access to the files, it merely runs itself. in the winmo days if you got a rom with no ruu, and didn't want to flash from SD, you just took someone elses ruu and dumped the rom image in to the decompressed folder containing the ruu.
Click to expand...
Click to collapse
interesting again .. so the RUU .exe files for android, do have a payload stored in a rom.zip file which is dumped to a temp directory after the RUU .exe starts and before it finishes.
now, the rom.zip files have been pulled and posted in each of the two RUU .exe threads we currently have. these rom.zip files do contain all .img files which are flashed to the phone. the catch is though, just as the PC36IMG.zip files used in root, these rom.zip files seem to have a special HTC signature (checksum?) in their header.
if you open these rom.zip files from the RUU in winzip, it will error out, but using 7zip, they open just fine.
im new to HTC, this is my first HTC android phone and its almost been 4 weeks so this is as much as i know. it seems, if we're able to alter these rom.zip files either used in the RUU .exe or naming them PC36IMG.zip flashed thru the bootloader and the phone excepts them, we would be golden!
to help save you some searching and let you see what im talking about, here is the latest RUU rom.zip file
http://www.joeyconway.me/evo/stock/RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_rom.zip
Subscribed, I was able to Order my EVO today so I will be watching for development. I pledge my donations to whoever is able to figure it out. I really appreciate the efforts of this community.
I second that pledge for donations! I, like many others here, updated while knowing that I probably shouldn't have. I knew better...
Subscribed.
Thanks for all the effort and work. I hope ya'll get it figured out.
dang, I just got my evo yesterday and got the update message so I thought it'd be ok to update it as I thought it might have been old.
Came home and was excited to do all my customization and tweaks, but w/ no prevail
So my local best buy will not give the phone to the customer without pushing the new OTA to it :/
Apparently all of the stores will be doing this per Sprint and HTC's request.
EtherealRemnant said:
So my local best buy will not give the phone to the customer without pushing the new OTA to it :/
Apparently all of the stores will be doing this per Sprint and HTC's request.
Click to expand...
Click to collapse
Try calling them ahead of time before picking it up and asking if you can just swing by and pick it up yourself and call Sprint to activate yourself. Tell them you are in a rush, make up a story, and see if they just let you pay for it and run.

Which is the 5.0.1 img file?

Note: OTA updates don't work on my Nexus 5 due to TWRP blocking them. Now my phone doesn't recognize the OTA update anymore (When my phone went to install the OTA updated and rebooted, it rebooted into TWRP instead and completely ignores the updates existence since then). To fix this I plan to simply push the factory img of 5.0.1 to my device directly. I downloaded the factory .img from Google's website .
However instead of a .img file i'm used to, I got a .tgz. I extracted that and got a .tar and then extracted that to finally get my folder with the .img files. However now I'm not sure which one to push to my device. There is a img file called "radio-hammerhead-m8974a-2.0.50.2.22.img" but judging by the file size, I don't think that's the correct one (only 45MB). There is a .zip file called "image-hammerhead-lrx22c.zip" but this contains multiple .img files, the largest one called "system.img". I'm guessing this is the correct one to push to my device via adb since it's about 1GB in size?
I suspect pushing the entire .zip file to my phone and flashing that would be bad as it looks like it'll overwrite TWRP?
Any help would be greatly appreciated.
Here's a lot of useful information about OTA's Check it out: http://forum.xda-developers.com/google-nexus-5/general/info-nexus-5-ota-help-desk-t2523217
You'll need boot and system at least,
If you plan on keeping twrp and root, you may as well just flash one of the flashable zips already available in the development forum
Actually you should have a radio and bootloader img file. First one is - as the name says - the latest radio software (which is needed for GPS, WiFi, cellular network and so on). Second one is the latest bootloader. I'd update them both.
From the zip archive you should only flash certain imgs - if you flash all your data will be wiped (factory reset). What img files does the zip contain?
Why are you pushing them to your phone? You need to flash with fastboot from your computer. There is not just one img file for the update, there are several for different partitions on the phone. Have a look through some of the guides in the general section. Also, flashing one of the stock flashable zips would be much faster, but why not learn a little as you update.
Vomer has a thread of flashable 5.0 and 5.0.1 stock Google ROMs. Don't worry about factory images because you will lose everything once you flash these and it's a much bigger pain imo to back everything including internal on your phone up.
snappycg1996 said:
Don't worry about factory images because you will lose everything once you flash these
Click to expand...
Click to collapse
Not necessarily true.
You can flash bootloader, radio, and system without losing anything. You'll just have to reroot afterward.

rooting tampered with vital system files? Or am I stupid?

I just bought a used fire phone (note that this is rather a general security question, though, so I'm posting it here). Let me say, I am not an experienced user with Android, rather Linux, so I figured that owning a device without root access would not make sense. I realized that kingo root would be the solution to go with, and used it with immediate success. After getting access, I immediately removed the kingo application and several leftovers which are mentioned everywhere, went with super root, and felt safe.
However, I now realize that vital system files have been tampered with at some time in this procedure, among them /system/lib/libc.so, which really makes me nervous. Anyone has a clue? A better description follows.
Since I knew I was going to uninstall kingo root later, I started by saving the current configuration accessible to the shell user for reference via a command line like
./adb shell /data/local/tmp/busybox tar -cvf /sdcard/backup.tar --exclude proc --exclude storage --exclude mnt --exclude sys --exclude dev /
I then downloaded the android version of kingo root, started it, and bingo, it went root. That felt strange. Think of a userland program getting administrator rights on LInux or Windows - people would go berserk. In this case, no one really seems committed to closing this gap. Anyway, I had what I wanted. I saved the current configuration again using the command line above.
I then downloaded the kingoroot removal shellscript from //androidmtk.com/replace-kinguser-with-supersu and more or less followed its removal instructions for kingo root. At some point, you uninstall the kingo app - and it tells you, it will not be able to restore your phone to the old state and might actually brick it. Again, that feels strange, I can hardly think of changes that cannot be undone, unless you don't want to undo them. I then installed supersu via the play store, all went smoothly, and I saved the third configuration with the command line above.
On my Linux desktop, I then extracted all three tarfiles and detected the differences. Of course, those files mentioned everywhere had been added and showed up (like install_recovery.sh and so on). I didn't care too much about these. But there were more. In fact, the differences between the original Android version and the kingoroot-version included vital libraries:
Binary files old/system/lib/libLLVM.so and new/system/lib/libLLVM.so differ
Binary files old/system/lib/libc.so and new/system/lib/libc.so differ
Binary files old/system/lib/libharfbuzz_ng.so and new/system/lib/libharfbuzz_ng.so differ
Binary files old/system/lib/libicuuc.so and new/system/lib/libicuuc.so differ
Binary files old/system/lib/libsqlite.so and new/system/lib/libsqlite.so differ
Comparing the first and third version, after kingoroot deinstallation and superroot installation, shows even more:
Binary files old/system/lib/hw/bluetooth.default.so and newest/system/lib/hw/bluetooth.default.so differ
Binary files old/system/lib/libEGL.so and newest/system/lib/libEGL.so differ
Binary files old/system/lib/libEnsembleEngine.so and newest/system/lib/libEnsembleEngine.so differ
Binary files old/system/lib/libLLVM.so and newest/system/lib/libLLVM.so differ
Binary files old/system/lib/libandroid_runtime.so and newest/system/lib/libandroid_runtime.so differ
Binary files old/system/lib/libc.so and newest/system/lib/libc.so differ
Binary files old/system/lib/libcameraservice.so and newest/system/lib/libcameraservice.so differ
Binary files old/system/lib/libeuclid.so and newest/system/lib/libeuclid.so differ
Binary files old/system/lib/libeuclidogre.so and newest/system/lib/libeuclidogre.so differ
Binary files old/system/lib/libharfbuzz_ng.so and newest/system/lib/libharfbuzz_ng.so differ
Binary files old/system/lib/libicui18n.so and newest/system/lib/libicui18n.so differ
Binary files old/system/lib/libicuuc.so and newest/system/lib/libicuuc.so differ
Binary files old/system/lib/libkinesis_service.so and newest/system/lib/libkinesis_service.so differ
Binary files old/system/lib/libnfc-nci.so and newest/system/lib/libnfc-nci.so differ
Binary files old/system/lib/libodl.so and newest/system/lib/libodl.so differ
Binary files old/system/lib/libsqlite.so and newest/system/lib/libsqlite.so differ
Binary files old/system/lib/libstagefright.so and newest/system/lib/libstagefright.so differ
Only in newest/system/lib: libsupol.so
Binary files old/system/lib/libwebviewchromium.so and newest/system/lib/libwebviewchromium.so differ
Binary files old/system/vendor/lib/libsc-a3xx.so and newest/system/vendor/lib/libsc-a3xx.so differ
And I can confirm, they really differ, I can see the differences byte by byte - meaning that at some point they have been tampered with. Creation and modification times did not change, though.
I have three choices now: An OTA update happened while I did the rooting. Or I really now have system libraries that "someone" (me) installed on my mobile. Honestly, I don't dare restoring the old files, unaware of what might happen. The usual thing I'd do in Linux: copy the old files back, mv -f oldfile newfile. However, there's never a fear of being locked out on a desktop. Or, last chance: I am stupid and lib files just don't look the same when you look at them as an ordinary user at different points in time...
Any advice? Should I overwrite the new versions with the originals? Or is it just "normal" on Android?
Best wishes, Frank
fwuebbel said:
I just bought a used fire phone (note that this is rather a general security question, though, so I'm posting it here). Let me say, I am not an experienced user with Android, rather Linux, so I figured that owning a device without root access would not make sense. I realized that kingo root would be the solution to go with, and used it with immediate success. After getting access, I immediately removed the kingo application and several leftovers which are mentioned everywhere, went with super root, and felt safe.
However, I now realize that vital system files have been tampered with at some time in this procedure, among them /system/lib/libc.so, which really makes me nervous. Anyone has a clue? A better description follows.
Since I knew I was going to uninstall kingo root later, I started by saving the current configuration accessible to the shell user for reference via a command line like
./adb shell /data/local/tmp/busybox tar -cvf /sdcard/backup.tar --exclude proc --exclude storage --exclude mnt --exclude sys --exclude dev /
I then downloaded the android version of kingo root, started it, and bingo, it went root. That felt strange. Think of a userland program getting administrator rights on LInux or Windows - people would go berserk. In this case, no one really seems committed to closing this gap. Anyway, I had what I wanted. I saved the current configuration again using the command line above.
I then downloaded the kingoroot removal shellscript from //androidmtk.com/replace-kinguser-with-supersu and more or less followed its removal instructions for kingo root. At some point, you uninstall the kingo app - and it tells you, it will not be able to restore your phone to the old state and might actually brick it. Again, that feels strange, I can hardly think of changes that cannot be undone, unless you don't want to undo them. I then installed supersu via the play store, all went smoothly, and I saved the third configuration with the command line above.
On my Linux desktop, I then extracted all three tarfiles and detected the differences. Of course, those files mentioned everywhere had been added and showed up (like install_recovery.sh and so on). I didn't care too much about these. But there were more. In fact, the differences between the original Android version and the kingoroot-version included vital libraries:
Binary files old/system/lib/libLLVM.so and new/system/lib/libLLVM.so differ
Binary files old/system/lib/libc.so and new/system/lib/libc.so differ
Binary files old/system/lib/libharfbuzz_ng.so and new/system/lib/libharfbuzz_ng.so differ
Binary files old/system/lib/libicuuc.so and new/system/lib/libicuuc.so differ
Binary files old/system/lib/libsqlite.so and new/system/lib/libsqlite.so differ
Comparing the first and third version, after kingoroot deinstallation and superroot installation, shows even more:
Binary files old/system/lib/hw/bluetooth.default.so and newest/system/lib/hw/bluetooth.default.so differ
Binary files old/system/lib/libEGL.so and newest/system/lib/libEGL.so differ
Binary files old/system/lib/libEnsembleEngine.so and newest/system/lib/libEnsembleEngine.so differ
Binary files old/system/lib/libLLVM.so and newest/system/lib/libLLVM.so differ
Binary files old/system/lib/libandroid_runtime.so and newest/system/lib/libandroid_runtime.so differ
Binary files old/system/lib/libc.so and newest/system/lib/libc.so differ
Binary files old/system/lib/libcameraservice.so and newest/system/lib/libcameraservice.so differ
Binary files old/system/lib/libeuclid.so and newest/system/lib/libeuclid.so differ
Binary files old/system/lib/libeuclidogre.so and newest/system/lib/libeuclidogre.so differ
Binary files old/system/lib/libharfbuzz_ng.so and newest/system/lib/libharfbuzz_ng.so differ
Binary files old/system/lib/libicui18n.so and newest/system/lib/libicui18n.so differ
Binary files old/system/lib/libicuuc.so and newest/system/lib/libicuuc.so differ
Binary files old/system/lib/libkinesis_service.so and newest/system/lib/libkinesis_service.so differ
Binary files old/system/lib/libnfc-nci.so and newest/system/lib/libnfc-nci.so differ
Binary files old/system/lib/libodl.so and newest/system/lib/libodl.so differ
Binary files old/system/lib/libsqlite.so and newest/system/lib/libsqlite.so differ
Binary files old/system/lib/libstagefright.so and newest/system/lib/libstagefright.so differ
Only in newest/system/lib: libsupol.so
Binary files old/system/lib/libwebviewchromium.so and newest/system/lib/libwebviewchromium.so differ
Binary files old/system/vendor/lib/libsc-a3xx.so and newest/system/vendor/lib/libsc-a3xx.so differ
And I can confirm, they really differ, I can see the differences byte by byte - meaning that at some point they have been tampered with. Creation and modification times did not change, though.
I have three choices now: An OTA update happened while I did the rooting. Or I really now have system libraries that "someone" (me) installed on my mobile. Honestly, I don't dare restoring the old files, unaware of what might happen. The usual thing I'd do in Linux: copy the old files back, mv -f oldfile newfile. However, there's never a fear of being locked out on a desktop. Or, last chance: I am stupid and lib files just don't look the same when you look at them as an ordinary user at different points in time...
Any advice? Should I overwrite the new versions with the originals? Or is it just "normal" on Android?
Best wishes, Frank
Click to expand...
Click to collapse
Nothong to worry about man its completely ok
Sent from my SM-G800H using XDA-Developers mobile app

[VS995][Oreo][Stock] OTA 20a Bin (Direct link from Verizon CDN)

Here's the direct link for the 20a Oreo OTA update bin file used for LG V20 VS995. Not sure if it's of any use, just wanted to have some fun trying to find it
https://cdn.vzwdm.com/LG_VS995_1CA_20a_03.bin
If anyone finds a way to extract the contents let me know. Can't figure it out :/
If you already have TWRP and want a flashable zip, have a look at NotYetADev's post.
https://forum.xda-developers.com/v20/development/vs995-verizon-lg-v20-stock-oreo-rooted-t3845669
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
And thank you for that little piece of info. I didn't know LG UP could flash OTA bin files. That is another attack vector
-- Brian
justmike80386 said:
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
Click to expand...
Click to collapse
I need you to sniff flashing that. Are you at all familiar with USB packet capture? I would flash it, but I have nothing to flash it on.
If not, I can walk you though it.
This file is not signed, it appears to have an unlock key. By unlock key -- I mean a key that unlocks lafd so that it will flash anything.
Now none of this matters on the V20, but for folks that have other LG devices, it will help out a LOT.
-- Brian
runningnak3d said:
I need you to sniff flashing that. Are you at all familiar with USB packet capture? I would flash it, but I have nothing to flash it on.
If not, I can walk you though it.
This file is not signed, it appears to have an unlock key. By unlock key -- I mean a key that unlocks lafd so that it will flash anything.
Now none of this matters on the V20, but for folks that have other LG devices, it will help out a LOT.
-- Brian
Click to expand...
Click to collapse
How do you know the file isn't signed? I assumed it had the same type of validation as the KDZ files.
I'd be happy to share a USB capture, is that something wireshark can do?
---------- Post added at 01:03 AM ---------- Previous post was at 12:05 AM ----------
I'm sure there is some magic hash hidden somewhere in the file. I'll see if it's possible to flash an edited .up file.
I guess I should rephrase that. It isn't signed in the normal way that a KDZ is signed -- with a SIGN payload. There are hashes for the partitions, but there doesn't appear to be anything to check the integrity of the file itself.
I am still tearing it apart, but without seeing a packet capture of LG UP flashing it, it is kinda pointless. If I had to guess, this file is flashed using RSVD IDDD (indirect flashing). If that is the case, having a full dump of exactly how that is done would be awesome.
Maybe I am wrong, and there is some other opcode that I have no idea what it does that sends a signature that I don't recognize -- because I have never seen it.
EDIT: sorry, I guess I should link to the instructions. You actually don't have to install Wireshark (unless you want to look at the capture): link.
If you install USBPcap using those instructions, then you will be left with Wireshark compatible pcap files that you can zip up and send to me (do NOT post them publicly, they will contain info that is specific to your device).
EDIT2: OK, just digging a little more and there is a zip contained within the file that is signed (the same way a normal OTA update.zip is signed). However, lafd doesn't have those keys, and has no way to deal with a signed zip. That only comes into play when flashed through stock recovery -- so the question remains, how does LG UP get this file onto the phone without verifying its integrity? Again, just to be clear, there ARE hashes that verify the partitions being flashed aren't corrupt. However, there doesn't appear to be anything to prevent modifying the file, and then modifying the hashes to match when flashed through laf -- recovery most definitely verifies the integrity of the file.
-- Brian
I'll capture the flash when I got home
here are links for the other OTA updates, in case anyone is interested.
Code:
VS99512A_06 -> VS99513A_04
https://cdn.vzwdm.com/LG_VS995_12A_13A_04.bin
VS99513A_04 -> VS99514B_00
https://cdn.vzwdm.com/LG_VS995_13A_14B_00.bin
VS99514B_00 -> VS99515A_10
https://cdn.vzwdm.com/LG_VS995_14B_15A_10.bin
VS99515A_10 -> VS99516B_00
https://cdn.vzwdm.com/LG_VS995_15A_16B_00.bin
VS99516B_00 -> VS99517A_00
https://cdn.vzwdm.com/LG_VS995_16B_17A_00.bin
VS99517A_00 -> VS99518A_00
https://cdn.vzwdm.com/LG_VS995_17A_18A_00.bin
VS99518A_00 -> VS99519A_10
https://cdn.vzwdm.com/LG_VS995_18A_19A_10.bin
VS99519A_10 -> VS9951AA_01
https://cdn.vzwdm.com/LG_VS995_19A_1AA_01.bin
VS9951AA_01 -> VS9951BA_01
https://cdn.vzwdm.com/LG_VS995_1AA_1BA_01.bin
VS9951BA_01 -> VS9951CA_01
https://cdn.vzwdm.com/LG_VS995_1BA_1CA_01.bin
VS9951CA_01 -> VS99520A_03
https://cdn.vzwdm.com/LG_VS995_1CA_20a_03.bin
runningnak3d said:
I guess I should rephrase that. It isn't signed in the normal way that a KDZ is signed -- with a SIGN payload. There are hashes for the partitions, but there doesn't appear to be anything to check the integrity of the file itself.
I am still tearing it apart, but without seeing a packet capture of LG UP flashing it, it is kinda pointless. If I had to guess, this file is flashed using RSVD IDDD (indirect flashing). If that is the case, having a full dump of exactly how that is done would be awesome.
Maybe I am wrong, and there is some other opcode that I have no idea what it does that sends a signature that I don't recognize -- because I have never seen it.
EDIT: sorry, I guess I should link to the instructions. You actually don't have to install Wireshark (unless you want to look at the capture): link.
If you install USBPcap using those instructions, then you will be left with Wireshark compatible pcap files that you can zip up and send to me (do NOT post them publicly, they will contain info that is specific to your device).
EDIT2: OK, just digging a little more and there is a zip contained within the file that is signed (the same way a normal OTA update.zip is signed). However, lafd doesn't have those keys, and has no way to deal with a signed zip. That only comes into play when flashed through stock recovery -- so the question remains, how does LG UP get this file onto the phone without verifying its integrity? Again, just to be clear, there ARE hashes that verify the partitions being flashed aren't corrupt. However, there doesn't appear to be anything to prevent modifying the file, and then modifying the hashes to match when flashed through laf -- recovery most definitely verifies the integrity of the file.
-- Brian
Click to expand...
Click to collapse
I've got the USB capture for you and any other developers who're interested.
I will download it just as soon as I get to work. Thanks
-- Brian
justmike80386 said:
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
Click to expand...
Click to collapse
I cannot upgrade this way. It says Error MTP is not running, even if it is in File Transfer mode. I got one time in FOTA Easy Upgrade but noting happened.
scytalemk said:
I cannot upgrade this way. It says Error MTP is not running, even if it is in File Transfer mode. I got one time in FOTA Easy Upgrade but noting happened.
Click to expand...
Click to collapse
I have same error
scytalemk said:
I cannot upgrade this way. It says Error MTP is not running, even if it is in File Transfer mode. I got one time in FOTA Easy Upgrade but noting happened.
Click to expand...
Click to collapse
is this on a rooted or unrooted phone? I was able to do this twice using the stock KDZ files for my base system with no issues.
justmike80386 said:
is this on a rooted or unrooted phone? I was able to do this twice using the stock KDZ files for my base system with no issues.
Click to expand...
Click to collapse
Step by Step
1. Add Extension file .up
2. Install LG UP MOD
3. Turn on USB Debugging in your phone and make sure your phone allow PC adb command via USB (adb devices > enter)
4. Open LG UP Mod, Choose file .up (step 1). Choose OTA Upgrade and START.
Note: backup your data before upgrade, maybe failed to upgrade and lost data
I'm from Viet Nam, sorry for bad English

Rooting Samsung J4 Core - only official binaries allowed

Hello, apologies if this isn't the right place to post this question but I'm at a complete lost and I'm desperately trying to fix the device. My goal was to simply root the device.
I tried following this guide but by the end of my first run of the guide I had errors with the contacts and phone android apps. But the device still wasn't root. I attempted it again only to break the device completely. I wasn't even able to open Android Recovery and only flashing the bootloader only did I manage to to back to the recovery screen. However, from here, I am unable to flash the firmware any further. I only get a message now notifying me: "only official released binaries are allowed to be flashed".
What I'm hoping to achieve with this question is to get some direct guidance on how to resolve my current error. I've followed a few guides and thread a few threads but nothing seems 100% applicable to my issue or the device.
Using Odin3_v3.13.1 and what I think is the stock firmware for J4 (following the download links on the guides) I do the following:
Unzip the binaries with 7zip ZS to uncompressed the various files, specifically the AP, BL, CP, CSC and HOME MD5 files.
I further unzip the AP file and drag the boot.img.lz4 into lz4.exe to just give me the img file.
I run that through Magisk Manager to create a patch file (on another phone) and reupload back to the pc.
I then take the patched file and drag it into lz4.exe to just give me the img.lz4 file
I then delete the original boot.img file and select all of the files and compress into a tar archive.
OR, even without doing any of that and just straight selecting the AP file without doing the patching, I either get a straight up FAIL! (Auth) from Odin and if that doesn't happen, I get the error on the phone itself saying that "only official released binaries are allowed to be flashed".
And that's where I'm just stuck. I know there are many guides, and I tried making sure I have the best one and knowing what to do, but I think I messed something up along the lines. Any assistance would really be greatly appreciated.
Thank you.

Categories

Resources